The Visual Policy Manager (VPM) is an easy-to-learn tool for creating policy, particularly if you are familiar with firewall management interfaces; however, the VPM offers limited control over policy compared with writing Content Policy Language (CPL) directly. CPL is more compact and easier to manage, so advanced users may prefer it. This FAQ is intended as a quick introduction, with examples, to writing simple policies in CPL.
Just as in the VPM, CPL policy is organized into layers. Each layer is introduced by a header of the form <Layer_type>. For example, the Web Access Layer's equivalent is <proxy>; the Web Authentication Layer also maps to <proxy>.
Note: The layer type is not case sensitive. <PROXY> and <proxy> are interchangeable.
Other commonly used types are:
<ssl> is the SSL Access Layer
<ssl-intercept> is the SSL Intercept Layer
<cache> is the Web Content Layer
<forward> is the Forwarding Layer
A policy consists mainly of two sections: definitions and rules. Definitions declare global, named objects (lists of domains, subnets, conditions) that rules can then reference by name. This reduces the number of rules needed to make a policy work.
Refer to the following examples to learn how to format basic policies.
1. Policy to allow everyone access to the domain google.com:
<proxy>
    url.domain="google.com" Allow
2. Policy that allows access to the domains google.com, yahoo.com, and facebook.com, with the domains grouped in a condition definition named "CompanyAllowed". The rule in the <proxy> layer refers to the condition by name:
define condition "CompanyAllowed"
    url.domain=google.com
    url.domain=yahoo.com
    url.domain=facebook.com
end

<proxy>
    condition="CompanyAllowed" Allow
3. Policy to allow google.com but deny everything else. Rules in a layer are evaluated in order and the first match wins, so the bare Deny at the end acts as the catch-all:
<proxy>
    url.domain=google.com Allow
    Deny
4. Policy to allow access to every website if the client IP address matches 10.10.10.10, and deny access for everyone else:
<proxy>
    client.address=10.10.10.10 Allow
    Deny
5. Policy to deny the client IP address 10.10.10.10 access to google.com, and allow everyone to go to facebook.com in the same layer.
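As an added worked example (not from the original FAQ), the following complete policy implements item 5 and combines the constructs above: a subnet definition, a condition definition, a rule with two triggers, and a catch-all. The names blocked_clients and SocialAllowed, and the 10.10.10.0/24 range, are assumed for illustration.

```cpl
; Added example, not part of the original FAQ.
; Assumed names: blocked_clients, SocialAllowed; assumed range: 10.10.10.0/24.

; Definitions: entries inside a definition are ORed together.
define subnet blocked_clients
    10.10.10.10
    10.10.10.0/24
end

define condition SocialAllowed
    url.domain=facebook.com
    url.domain=yahoo.com
end

; Rules: triggers on one line are ANDed. Within a layer the first matching
; rule wins, so the specific deny is placed before the broader allow.
<proxy>
    client.address=blocked_clients url.domain=google.com deny
    condition=SocialAllowed allow
    ; anything not matched above is denied
    deny
```

A request from 10.10.10.10 to google.com hits the first rule and is denied; a request from any client to facebook.com matches the second rule and is allowed; all other requests fall through to the final deny.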