How can I find which policy rules are being used?


Article ID: 165841


Products

ProxySG Software - SGOS

Issue/Introduction

You are dealing with a large installed policy on a ProxySG that has been in production for several years. Many policy gestures have been added over the years by different administrators, and the resulting policy is complex. You want to simplify the policy by deleting unneeded rules or by consolidating existing ones.

Resolution

Use the Policy Coverage feature, which reports on the rules and objects that match user requests processed through the appliance’s current policy.
 
Policy Coverage displays all policy (Visual, Local, Central, and Forward) on the ProxySG appliance in Content Policy Language (CPL) format, just as it appears in show policy source CLI output.
 
 
In the Policy Coverage output shown in the example above, the number on the left indicates the number of times the rule matched a user request. The number on the right, in parentheses, indicates the number of times the condition in the rule matched a user request. With this information, you can make informed decisions about which rules to delete and which rules or objects to combine in order to simplify the existing policy.
To determine the frequency with which rules and objects match proxied requests for the current policy version, access Policy Coverage statistics as follows:
 
• In the Management Console, select Statistics > Advanced > Policy > Show current policy coverage.
• Go directly to https://<ProxySG_IP_address>:8082/policy/coverage. In SGOS 7.3.x and later, the URL is https://<ProxySG_IP_address>:8082/policy/current-coverage.
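Once you have the coverage page in front of you, the useful next step is to sort the rules by their counters rather than reading the CPL top to bottom. The script below is an added example written for this article; it is not ProxySG code and not a Broadcom tool. It assumes (hypothetically, since the article only describes the screenshot) that each covered rule line begins with the two counters the article describes, "<rule matches> (<condition matches>)", followed by the CPL text, and that layer headers, comments and definition boundaries carry no counters. The sample input is constructed for this example, not real appliance output; to use it on a real appliance, save the coverage page to a file and pass its text to report().

```python
"""Summarise ProxySG Policy Coverage output to find unused rules.

Added example for this article, not a Symantec/Broadcom tool.
Assumed line format (hypothetical, inferred from the article's description
of the screenshot): "<rule matches> (<condition matches>)  <CPL rule text>".
Lines without that prefix (layer headers such as "<Proxy>", comments starting
with ";", "define ... end" boundaries, blank lines) carry no statistics.
"""
import re

# Constructed sample resembling Policy Coverage output; not real appliance output.
SAMPLE_COVERAGE = """\
; Policy Coverage (constructed sample)
<Proxy>
   42 (42)   url.domain=intranet.example.com ALLOW
    0 (15)   client.address=10.0.0.0/8 category=Streaming DENY
    0 (0)    url.domain=legacy-app.example.com ALLOW
<Proxy> condition=MarketingUsers
    7 (7)    category=SocialMedia ALLOW

define condition MarketingUsers
    7 (7)    group="marketing"
end condition MarketingUsers
"""

# Two integers, the second in parentheses, then the rule text.
COUNTED_LINE = re.compile(r"^\s*(\d+)\s+\((\d+)\)\s+(.*\S)\s*$")


def parse_coverage(text):
    """Return a list of (rule_matches, condition_matches, cpl_text) tuples.

    Only lines carrying the "N (M)" prefix are kept; everything else is skipped.
    """
    rules = []
    for line in text.splitlines():
        m = COUNTED_LINE.match(line)
        if m:
            rules.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return rules


def never_matched(rules):
    """Rules whose rule counter and condition counter are both zero.

    Nothing has matched them since the counters were last reset, so they are
    the first candidates to review for deletion (after checking that the reset
    window covered enough traffic to be representative).
    """
    return [cpl for hits, cond_hits, cpl in rules if hits == 0 and cond_hits == 0]


def condition_only_matches(rules):
    """Rules whose condition matched but whose rule counter stayed at zero.

    The article says both numbers should inform whether to delete or combine;
    these rules are flagged for review (overlap with other rules) rather than
    for deletion.
    """
    return [cpl for hits, cond_hits, cpl in rules if hits == 0 and cond_hits > 0]


def report(text):
    """Build a summary dict from raw coverage text."""
    rules = parse_coverage(text)
    return {
        "rules_with_counters": len(rules),
        "never_matched": never_matched(rules),
        "condition_only": condition_only_matches(rules),
        "busiest": sorted(rules, key=lambda r: r[0], reverse=True)[:3],
    }


if __name__ == "__main__":
    summary = report(SAMPLE_COVERAGE)
    print(f"{summary['rules_with_counters']} rules carry counters")
    print("Never matched (deletion candidates):")
    for cpl in summary["never_matched"]:
        print("   ", cpl)
    print("Condition matched but rule did not (review for overlap):")
    for cpl in summary["condition_only"]:
        print("   ", cpl)
```

Because the counters reset on reboot (and, before SGOS 7.3.x, on every policy installation), run this against a coverage page captured after the appliance has served a representative period of traffic; a zero counter taken a few minutes after a reboot says nothing about whether the rule is needed.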
 
Starting in SGOS 7.3.x, you can view cumulative statistics that include coverage from previous policy versions:

• In the Management Console, select Statistics > Advanced > Policy > Show policy coverage.
• Go directly to https://<ProxySG_IP_address>:8082/policy/coverage.
 
To reset cumulative Policy Coverage statistics for all rules:
 
In versions prior to SGOS 7.3.x, Policy Coverage records statistics since the most recent policy installation (Visual, Local, or Central) or appliance reboot.

In SGOS 7.3.x and later, Policy Coverage records statistics since the last appliance reboot. Statistics are maintained across policy installations, including statistics for rules that are disabled or removed from the current policy version. When a rule is not present for six consecutive policy installations, the statistics for that rule are purged.

Notes:

• Policy Coverage is enabled by default. As of SGOS 6.5.5.4, the administrator has the option of disabling this feature via the CLI. To disable Policy Coverage, see the article how-can-i-disable-policy-coverage.html.
• The statistics are not persistent across reboots; with every reboot, the Policy Coverage counters reset to zero. In SGOS versions earlier than 7.3.x, the statistics also do not persist across policy installations.
• Objects managed in the VPM appear below all rules in a 'definitions' section. When a rule containing one of these policy definitions matches a user request, the counter for every reference to that definition increments, wherever it appears in the policy.
• When a combined source or destination object made up of lists reports a match, Policy Coverage attributes the match to the combined object. The individual elements within the combined object are not identified.