The usage of policy substitution strings in regular expressions is not currently supported, (as of March 19th, 2014).

Substitution strings are used to customize access-logging, event log records, notify messages … etc, but they are not supported inside a regex.

For example:

 <proxy>

Request.header.cookie.regex=”$user” Allow

This rule will not match, even if the cookie contains the user-id, because proxy does not substitute then apply the regex.