To determine why a user has access to a blocked site have the user go to the site and collect a policy trace from the ProxySG or ASG. Review the policy trace and see whether or not the blocking rules are matching or subsequent rules. Make changes to policy using the above information and repeat testing until the user is blocked.
There are many reasons a user may still have access to sites which should be blocked, such as the site includes a full path, but the site is also an HTTPS site. In which case, the ProxySG or ASG may allow the request if SSL interception is not enabled.
Another possible reason is that a subsequent policy layer allowed access even though a previous layer blocked the site. The general rule for policy is that the first rule of the last policy layer to match will be the final decider. To override this behavior, you can use the policy gesture "Force". See In ProxySG Policy what is the difference between Deny and Force Deny?
Subscribing will provide email updates when this Article is updated. Login is required.