You have ProxySG or ASG device and the result of policy installation is an error "Late condition guards early action"

Error syntax:

Error: Late condition guards early action
Condition '{condition name}' vpm-cpl:xxxx
Action '{action name}' vpm-cpl:xxxx

Error for the sample CPL:

Error: Late condition guards early action
Condition 'user=username' vpm-cpl:29
Action 'authenticate(no)' vpm-cpl:30

This error applies regardless of which policy file you use: Local, Central, Forward or Visual Policy Manager (VPM). The reason behind this error could have many causes. In a nutshell it means that the proxy cannot compile the code as the action needs a condition that cannot be met.

In this KB article I will demonstrate this with this Content Policy Language (CPL) code:

; this is a layer
user=username allow ; this is rule 1
client.address=10.0.0.1 authenticate(no) ; this is rule 2

In this particular case the problem is that in CPL both the Web Access Layer (authorization) is the same as Web Authentication Layer (Authentication) and it is designated with "<proxy>" tag.

When we examine the two rules in the example, the first is of authorization type. We say that if the username is "username" the request will get the action of allow.

The second rule however says that a client with IP address 10.0.0.1 should not be authenticated which makes it an authentication rule.