The Visual Policy Manager (VPM) is an easy-to-learn tool for creating policy, particularly if you are familiar with firewall management interfaces; however, the VPM offers limited control over policy compared with writing Content Policy Language (CPL). CPL is simpler to code and easier to manage, so advanced users may prefer it. This FAQ gives a quick introduction (with examples) to writing simple policies in CPL.
Just like the VPM, CPL is organized into layers. Each layer is written as <Layer_type>. For example, the Web Access Layer's equivalent is <proxy>; the Web Authentication Layer's equivalent is also <proxy>.
Note: The layer type is not case sensitive. <PROXY> and <proxy> are interchangeable.
Other commonly used types are:
A policy consists mainly of two sections: Definitions and Rules. Definitions declare named objects (such as conditions) that rules can then reference by name. This reduces the number of rules needed to make a policy work.
Refer to the following examples to learn how to format basic policies.
1. Policy to allow everyone access to the domain google.com:
<proxy>
url.domain="google.com" Allow
2. Policy that allows access to the domains google.com, yahoo.com, and facebook.com using a definition. This example names the condition "CompanyAllowed"; the rule in the <proxy> layer then refers to the condition by name.
define condition "CompanyAllowed"
url.domain=google.com
url.domain=yahoo.com
url.domain=facebook.com
end
<proxy>
condition="CompanyAllowed" Allow
3. Policy to allow google.com but deny everything else.
<proxy>
url.domain=google.com Allow
Deny
4. Policy to allow access to every website if the client IP address is 10.10.10.10, and deny access for everyone else.
<proxy>
client.address=10.10.10.10 Allow
Deny
5. Policy to deny the client IP address 10.10.10.10 access to google.com, and allow everyone to go to facebook.com in the same layer.
<proxy>
client.address=10.10.10.10 url.domain=google.com Deny
url.domain=facebook.com Allow
6. Policy to bypass authentication and allow everyone who is going to yahoo.com.
<proxy>
url.domain=yahoo.com authenticate(no) Allow
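The following policy is an added example (it is not part of the original FAQ or Symantec's own documentation) that combines the definition and rule sections described above into one deny-by-default <proxy> layer. The domain names, the "InternalClients" subnet label and the 10.10.10.0/24 range are placeholder values; swap in your own. It relies on the same evaluation the examples above use: rules in a layer are checked top to bottom and the first matching rule wins, so the bare Deny at the end catches everything the earlier rules did not match.

```cpl
; Definitions: named objects that the rules below refer to by name.
define condition CompanyAllowed
    url.domain=google.com
    url.domain=yahoo.com
    url.domain=facebook.com
end

; Placeholder subnet label (assumed value, replace with your client range).
define subnet InternalClients
    10.10.10.0/24
end

<proxy>
    ; First match wins: internal clients may reach the approved domains.
    client.address=InternalClients condition=CompanyAllowed Allow
    ; yahoo.com is reachable by any client without authentication.
    url.domain=yahoo.com authenticate(no) Allow
    ; Default: anything not matched above is denied.
    Deny
```

Because the last rule has no trigger it always matches, so the order of the rules above it determines what is allowed; moving the bare Deny to the top of the layer would block every request.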
For more information on CPL, refer to the Content Policy Language Reference for your SGOS version, available on the Symantec Enterprise Security Support page.