The late tag in a policy trace means that the ProxySG appliance reached a verdict on the connection before it could evaluate the policy rules that otherwise would have been evaluated later in the connection. The following paragraphs provide some examples for when policy is marked as late in a trace.
Late tag due to failed authentication If a request fails authentication (for example, because the user didn't provide credentials or the appliance could not validate them) and a policy rule tests a condition (such as the realm, user, group, etc.) in which a successful authentication has occurred, you might see the result late in the policy trace:
<Proxy> late: realm=iwa_myrealm
user: unauthenticated EXCEPTION(authentication_failed): Authentication failed either because credentials were not provided or they could not be validated
Late tag due to deny based on category Another example of why you might see late in your policy trace is if a request is denied based on the request category and a policy rule tests the type of files that the Origin Content Server (OCS) sends in response:
Multiple instances of late tag in trace The late tag might appear multiple times in a policy trace if the ProxySG appliance terminated the transaction early in the evaluation. In this case, all of the policy rules that were not evaluated are considered late.
Issue with the YouTube channel where some policies are not working or not applying
Reference to TECH249324 which addresses this issue.
Imported Document ID: 000030214
Subscribing will provide email updates when this Article is updated. Login is required to Subscribe