You are dealing with a large installed policy for a ProxySG that has been in production for several years. Many policy gestures have been added over the years by different admininstrators and the resulting policy is complex. You want to simplify their policy by deleting unneeded policy or by consolidating existing rules.

SGOS 6.4 includes a new feature called Policy Coverage.
 
Policy Coverage reports on the rules and objects that match user requests processed through the ProxySG's current policy. 
 
View the Policy Coverage page to determine the frequency with which rules and objects match proxied requests.  This page can be accessed via the ProxySG Management Console.  Go to Statistics tab > Advanced > Policy  > View Current Policy Coverage.  It can also be accessed directly by browsing to https://<ProxySG IP>:8082/policy/coverage.  The Policy Coverage page displays all policy (Visual, Local, Central and Forward) on the ProxySG in Content Policy Language (CPL) format, just as it appears when running 'show policy' from the ProxySG Command Line Interface or Show Current Policy from the advanced statistics page.

The following is an example of a standard visual policy configuration: 

That policy appears as follows on the Policy Coverage page:

In the example above, the number on the left indicates the number of times that rule matched a user request.  The number on the right, in parentheses indicates the number of times the condition in the rule has matched a user request  The values that appear on this page have been gathered since the last time policy, (Visual, Local, or Central) was installed, or  since the proxy was last restarted.  With this information, you can make informed decisions regarding which rules to delete and which rules or objects can be combined to optimize the existing policy.  

Notes:

  • This function is enabled by default and cannot be disabled.  Proxy Resources do not increase significantly as a result.
  • The statistics gathered are not persistent across reboots or policy installations.  Each time either of these functions are performed, the Policy Coverage counters are reset to zero.
  • Objects that are managed in Visual policy appear below all rules in a 'definitions' section.  When a rule containing one of these policy definitions matches a user request, all references to that definition increment in every place it appears in policy.  
  • Policy objects that consist of lists in a combined source or destination object report that a match was identified, but only on the whole object.  The specific element in the combined object will not be identified uniquely.
Source: Note
Description: Starting SGOS6.5.5.4 a command line was added to be able to control the policy coverage
policy coverage  ---> to enable the policy coverage
policy no coverage  ----> to disable the policy coverage
Imported Document ID: 000009825
Legacy ID: KB5215

Thanks for your feedback. Let us know if you have additional comments below. (requires login)

    © 1995-2019 Symantec Corporation