How to Avoid a Download/Compile Loop When Updating the Application Protection Policy Set
Last Updated December 11, 2017
When working with both tenant policy and local CPL policy, ProxySG administrators may unwittingly enter the same name for an object in both policy files. When this happens, policy compilation continues and functions as expected. From a syntax perspective, having the same object name in more than one policy file is not strictly illegal, though it's not best practice.
The exception to this is when the Application Protection Service (APS) updates. When the ProxySG appliance downloads an update to the APS rule set, it recompiles all policy. Upon discovery of duplicate objects with the same name, the installation of the APS update fails, and the download is restarted. This loop can continue indefinitely, and potentially drain system resources.
This only impacts ProxySG deployments that make use of the multi-tenant policy feature and the Application Protection Service.
Use unique object names for all policy sets. You may even find it beneficial to include an abbreviation for the policy type in the object name. For example, if you refer to a list of allowed URLs in the Local policy set, name it LOCAL_URL_Whitelist, instead of simply URL_Whitelist.
Avoiding duplication is the key to avoiding policy compilation errors.
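A pre-install check for the naming collision described above, as an added example that is not part of the original article or any ProxySG tooling: it scans policy files exported as text and reports object names defined in more than one of them. It assumes CPL definition blocks open with a `define <kind> <name>` line and that `;` starts a comment; the function names and both sample policies are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: a definition opens with "define <kind ...> <name>", the name
# being the last token on the line (optionally quoted).
DEFINE_RE = re.compile(
    r'^\s*define\s+(?P<kind>.+?)\s+(?P<name>"[^"]+"|\S+)\s*$', re.IGNORECASE)

def defined_names(cpl_text):
    """Return {name: kind} for every definition found in one policy file."""
    found = {}
    for line in cpl_text.splitlines():
        line = line.split(";", 1)[0]          # drop trailing comments
        m = DEFINE_RE.match(line)
        if m:
            found[m.group("name").strip('"')] = m.group("kind").lower()
    return found

def cross_file_duplicates(policies):
    """policies: {label: cpl_text}. Return {name: [labels]} for every
    object name that is defined in more than one policy file."""
    owners = defaultdict(list)
    for label, text in policies.items():
        for name in defined_names(text):
            # Case-insensitive match is a conservative choice for this
            # checker, not a statement about how CPL compares names.
            owners[name.casefold()].append(label)
    return {n: sorted(f) for n, f in owners.items() if len(f) > 1}

# Constructed sample policies (not taken from a real appliance).
LOCAL_POLICY = """\
; local policy file
define condition URL_Whitelist
  url.domain=example.com
end
"""
TENANT_POLICY = """\
; tenant policy file
define condition URL_Whitelist   ; same name as the local object
  url.domain=example.org
end
define condition TENANT_URL_Blocklist
  url.domain=example.net
end
"""

if __name__ == "__main__":
    dupes = cross_file_duplicates({"local": LOCAL_POLICY, "tenant": TENANT_POLICY})
    for name, files in dupes.items():
        print(f"duplicate object name {name!r} defined in: {', '.join(files)}")
```

An empty result means no object name is shared between the files that were checked.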