Setting up Roaming Filtering

A roaming user (also known as a remote user) is someone who is connecting to the web from an IP address that is outside premises. It could be WiFi Hotspot or home network. 

To get to the roaming option – sign-in to Cloud Console

  • Click on Filter Management tab
  • Go to Filter Management à Overview
  • Click on edit to update the policy 
  • Then go to Endpoint à Custom à Roaming



This option only applicable with Web Security.

By default, the endpoint installed on the machine is internet connection independent. Which means, no matter which internet connection is being used on the machine, the policy will be applied based on the user which is logged in.

This option is only applicable, if your organization wants to filter the roaming users (remote users) only when they are inside premises and do not want to filter when they are outside premises or vice versa. In other words, users can access websites without any filtering being applied based on the network location(s).

Roaming option allows the Connection type to be changed when a network gateway change is detected.


  • In order enable roaming filtering, check mark the Roaming Enabled


  • The next option is to setup Default Connection
    • Default Connection has two options:

                            a) Direct Internet – no filtering applied

                            b) Cloud Filtering  web traffic gets filtered

If the gateway does not match any of the listed IP addresses in Gateway IP Addresses, then Endpoint will use the Default Connection specified (Cloud Filtering/Direct Internet).



  • List all the Gateway IP addresses for your organization under Gateway IP Address
When the endpoint matches the listed IP address(es), the connection will be opposite to the Default Connection value. 



Based in the setting listed above users will be only filtered when they are inside premises with gateway and will not filter outside premises. If you do want to filter the users when they are outside premises and not want to filter when they are inside premises, the Default Connection must be set to Cloud Filtering

If you want the users not to be filtered for a short-time, you may leave the Gateway IP Address empty and set the Default Connection must be set to Direct Internet

Related Article(s):

How to manually reload the policy on an endpoint?