When creating policy, you can configure the ProxySG to allow or deny certain traffic (based on, for example, IP address, destination URL/category or protocol). When denying traffic, you can configure the ProxySG to Deny or Force Deny traffic. The difference between these two actions is described below.
DENY
Traffic matching the specific rule in the layer will be denied. All further processing of rules in that layer will then stop. However, rules in other layers can subsequently allow the traffic.
In the policy trace below, the URL is denied in the first layer but allowed in the next layer. The final result will be to allow the request.
start transaction -------------------
  CPL Evaluation Trace: transaction ID=13328
    <Proxy>
      MATCH: url.host=www.example.com DENY
    <Proxy>
      MATCH: ALLOW
  connection: service.name=Explicit HTTP client.address=10.10.1.1 proxy.port=8080
  time: 2011-08-30 13:59:20 UTC
  GET http://www.example.com/
    User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0
  url.category: none
  application.name:
  application.operation:
  DSCP client outbound: 65
  DSCP server outbound: 65
stop transaction --------------------
FORCE DENY
Traffic matching the specific rule in the layer will be denied. All further processing of rules in that layer will then stop. Although rules in other layers will still be processed, no other rule in any other layer can subsequently allow the traffic.
In the policy trace below, the URL is forcibly denied in the first layer but allowed in the next layer. However, the final result will be to deny the request.
start transaction -------------------
  CPL Evaluation Trace: transaction ID=12638
    <Proxy>
      MATCH: url.host=www.example.com FORCE_DENY
    <Proxy>
      MATCH: ALLOW
  connection: service.name=Explicit HTTP client.address=10.10.1.1 proxy.port=8080
  time: 2011-08-30 13:59:20 UTC
  GET http://www.example.com/
    User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0
  user: unauthenticated
  DENIED: Either 'force_deny' or 'force_exception' was matched in policy
  url.category: none
  application.name:
  application.operation:
  DSCP client outbound: 65
  DSCP server outbound: 65
stop transaction --------------------
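To make the difference between the two traces concrete, here is an added Python model of the layer evaluation described above. It is illustrative code written for this article, not ProxySG code; the default-allow verdict when no rule matches, the helper names and the sample transaction are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable

# Constructed model (written for this article, not ProxySG code) of how ordered
# <Proxy> layers are evaluated: within a layer the first matching rule wins and
# ends that layer; a later layer's ALLOW or DENY replaces an earlier layer's
# verdict, but once FORCE_DENY has matched no later layer can allow the request.

@dataclass
class Rule:
    condition: Callable[[dict], bool]  # tested against a dict of CPL-style conditions
    action: str                        # "ALLOW", "DENY" or "FORCE_DENY"
    text: str = ""                     # condition text echoed in the trace line

@dataclass
class Result:
    decision: str
    trace: list = field(default_factory=list)

def evaluate(layers: list, tx: dict, default: str = "ALLOW") -> Result:
    """Return the final decision for tx plus one MATCH line per layer that matched.
    Treating the unmatched default as ALLOW is an assumption of this model."""
    result, forced = Result(default), False
    for layer in layers:
        for rule in layer:
            if rule.condition(tx):
                parts = ["<Proxy> MATCH:", rule.text, rule.action]
                result.trace.append(" ".join(p for p in parts if p))
                if rule.action == "FORCE_DENY":
                    forced = True                  # verdict is now final
                    result.decision = "DENY"
                elif not forced:
                    result.decision = rule.action  # later layer overrides earlier one
                break                              # first match ends this layer
    return result

def host_rule(name: str, action: str) -> Rule:
    return Rule(lambda tx: tx.get("url.host") == name, action, f"url.host={name}")

CATCH_ALL_ALLOW = Rule(lambda tx: True, "ALLOW")

# Constructed transaction mirroring the traces in the article.
EXAMPLE_TX = {"url.host": "www.example.com", "client.address": "10.10.1.1"}

def deny_then_allow() -> Result:
    return evaluate([[host_rule("www.example.com", "DENY")], [CATCH_ALL_ALLOW]], EXAMPLE_TX)

def force_deny_then_allow() -> Result:
    return evaluate([[host_rule("www.example.com", "FORCE_DENY")], [CATCH_ALL_ALLOW]], EXAMPLE_TX)

if __name__ == "__main__":
    for fn in (deny_then_allow, force_deny_then_allow):
        print(fn.__name__, "->", fn().decision, fn().trace)
```

Both cases record a MATCH in the second layer, showing that FORCE_DENY does not stop later layers from being processed; it only prevents them from changing the verdict.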