What is the policy sequence for ProxySG

Article ID: 167328

Products

ProxySG Software - SGOS Advanced Secure Gateway Software - ASG ISG Proxy

Issue/Introduction

I have multiple policies within my proxy configuration. How do I know which policy layers are processed first, i.e. in what order are the layers processed?

Resolution

Proxy policies are evaluated in the following sequence: Virtual Policy Manager (VPM) file -> Local file -> Central file -> Forward file.

  • VPM file
  • Local file
  • Central file
  • Forward file

This is the default policy evaluation sequence. The policy evaluation sequence can be changed from the default depending on your device configuration.

To change the policy evaluation sequence, do the following in the Management Console (https://<proxy-ip>:8082):

Configuration Tab > Policy > Policy Options > Policy Options > (Move up / Move down)

However, if there is a match in the last file in the sequence, which by default is the Forward file, it takes priority over a similarly configured policy in the VPM, Local or Central file: the last match wins. This provides a layer of flexibility, especially when troubleshooting, because new policies can be added in a later file with minimal disruption to the earlier ones.

What about policy processing in the VPM file?

Policy Layers are processed from top to bottom in the Web VPM (left to right in the legacy Java VPM applet).

VPM layers are processed in the following sequences:

  1. Admin Authentication
  2. Admin Access
  3. DNS Access
  4. SOCKS Authentication
  5. SSL Intercept
  6. SSL Access
  7. Web Authentication
  8. Web Access
  9. Web Content
  10. Forwarding

If there are two similar layers with the same configuration inside the VPM, the layer processed last gets priority (the rightmost layer in the legacy Java VPM applet, the lowest one in the Web VPM).

Please see the following example to help explain the concept.

  • Web Access layer 1 denies access to www.example.com.
  • Web Access layer 2 denies access to www.example.com.
  • Local Policy that denies access to www.example.com.

Here are some scenarios:

  • If a browser request comes in for www.example.com, policy is evaluated in Web Access layer 1 and matches the example deny rule. It then goes to Web Access layer 2, matches there, and the deny is placed on it. Finally the request evaluation moves to the local policy and matches there too, also with a deny. Since this is the last rule that matched and it has a deny, access to www.example.com is denied by the local policy file. The local policy file is reached because, in the default policy sequence, the local policy file is evaluated after the VPM.
  • If the local policy did not exist, then the rule in Web Access layer 2 would apply. If neither the local policy nor Web Access layer 2 existed, then the rule in Web Access layer 1 would apply.
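The following is an added illustration, not ProxySG code or a Broadcom tool: a small Python model of the "last match wins" evaluation described above, covering both the file sequence (VPM -> Local -> Central -> Forward, changeable from the Management Console) and the layer order within the VPM. It assumes, as ProxySG does, that within a single layer the first matching rule decides, while across layers and files the last match overrides earlier ones; the default verdict when nothing matches, the rule and layer names, and the hosts are constructed for the example. It reproduces the three-deny scenario from the article and also shows the more telling case where a later layer flips an earlier deny to an allow.

```python
"""Model of ProxySG policy evaluation order (constructed example, not ProxySG code).

Semantics modelled:
  * policy files are evaluated in a configurable sequence
    (default VPM -> Local -> Central -> Forward);
  * within a file, layers are evaluated in order;
  * within a layer, the FIRST matching rule decides (assumed ProxySG behaviour);
  * across layers and files, the LAST matching layer's decision is enforced.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    domain: str   # destination host the rule matches (constructed sample value)
    action: str   # "allow" or "deny"


@dataclass
class Layer:
    name: str
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, host: str) -> Optional[str]:
        """First matching rule in the layer wins; None if no rule matches."""
        for rule in self.rules:
            if host == rule.domain or host.endswith("." + rule.domain):
                return rule.action
        return None


@dataclass
class PolicyFile:
    name: str
    layers: List[Layer] = field(default_factory=list)


DEFAULT_SEQUENCE = ["VPM", "Local", "Central", "Forward"]


def evaluate(files: Dict[str, PolicyFile], host: str,
             sequence: List[str] = DEFAULT_SEQUENCE,
             default: str = "allow") -> Tuple[str, Optional[str]]:
    """Walk every file in `sequence` and every layer in it; the last layer
    that matches overrides earlier ones. Returns (decision, "file/layer")
    or (default, None) when nothing matched. `default` is an assumption."""
    decision, where = default, None
    for file_name in sequence:
        policy_file = files.get(file_name)
        if policy_file is None:          # file not installed, skip it
            continue
        for layer in policy_file.layers:
            verdict = layer.evaluate(host)
            if verdict is not None:      # later match replaces earlier one
                decision, where = verdict, f"{file_name}/{layer.name}"
    return decision, where


def article_scenario(include_local: bool = True,
                     include_layer2: bool = True) -> Dict[str, PolicyFile]:
    """The article's example: two VPM Web Access layers and a Local file,
    all denying www.example.com. Flags drop parts to replay the variants."""
    vpm_layers = [Layer("Web Access 1", [Rule("www.example.com", "deny")])]
    if include_layer2:
        vpm_layers.append(Layer("Web Access 2", [Rule("www.example.com", "deny")]))
    files = {"VPM": PolicyFile("VPM", vpm_layers)}
    if include_local:
        files["Local"] = PolicyFile(
            "Local", [Layer("Proxy", [Rule("www.example.com", "deny")])])
    return files


def override_scenario() -> Tuple[str, Optional[str]]:
    """Layer 1 denies, layer 2 allows: the later layer's allow is enforced,
    which is why a stray allow in a late layer can silently undo a block."""
    files = {"VPM": PolicyFile("VPM", [
        Layer("Web Access 1", [Rule("www.example.com", "deny")]),
        Layer("Web Access 2", [Rule("www.example.com", "allow")]),
    ])}
    return evaluate(files, "www.example.com")


if __name__ == "__main__":
    print(evaluate(article_scenario(), "www.example.com"))
    print(evaluate(article_scenario(include_local=False), "www.example.com"))
    print(evaluate(article_scenario(False, False), "www.example.com"))
    # Local moved ahead of VPM via the Management Console: VPM now decides
    print(evaluate(article_scenario(), "www.example.com", ["Local", "VPM"]))
    print(override_scenario())
```

When auditing a real configuration, the useful check this model suggests is to look at the last file and last layer that can match a request, not the first: a deny placed early in the VPM proves nothing if a later layer, the Local file or the Forward file also matches the same destination with a different verdict.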