Use of wildcard characters when specifying IP address in Edge SWG policy
Article ID: 165925

Products

ProxySG Software - SGOS ISG Proxy

Issue/Introduction

The ability to use wildcards when specifying IP addresses in policy was added in SGOS 6.5.2. This feature allows you to enter an asterisk (*) for any octet in an IPv4 address, as in the following examples:
*.*.1.1
*.1.1.*
*.*.1.*

Example Use Case

You are an administrator of a school district's distributed network. The network is very large and has numerous sub-networks in which similar devices are assigned IP addresses following a standard pattern. For example:
  • All instructor tablets are assigned IP addresses following a *.*.100.* pattern
  • All student computers are assigned IP addresses following a 203.0.*.0 pattern
You want to be able to:
  • Allow all access on instructor tablets
  • Deny IM protocols on student computers
You want to apply policy based on device type, but the large number of devices means it is not feasible to define a separate rule for each one. In addition, you would have to update policy whenever a device is added to or removed from the network. Using IP address wildcards is a more efficient way to write this policy.

Resolution

Use IP Address Wildcards in Policy 

To apply the policies described above, write the following content policy language (CPL):

define condition InstantMsg
im.client=yes
end condition InstantMsg

<Proxy>
client.address=*.*.100.* allow
client.address=203.0.*.0 condition=InstantMsg deny
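The octet-wildcard matching and the two-rule layer shown above, worked through as an added Python example (this is not SGOS, CPL or Broadcom code). It assumes first-match evaluation within the layer, a fall-through default of allow used only for this demonstration, and models the `im.client=yes` condition as a boolean on the request. The `as_cidr` helper goes beyond the article: it shows which wildcard patterns are a contiguous range and which (such as *.*.100.* or 203.0.*.0) match non-adjacent addresses and therefore cannot be rewritten as a single subnet or IP range.

```python
"""Wildcard IPv4 matching with first-match policy evaluation.

Added example (not SGOS code): models the octet-wildcard semantics the
article describes and the two-rule <Proxy> layer it shows.
"""
import ipaddress
from typing import List, Optional, Tuple


def _split_pattern(pattern: str) -> List[str]:
    """Split a dotted pattern and validate that each octet is '*' or 0-255."""
    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError(f"pattern must have four octets: {pattern!r}")
    for o in octets:
        if o == "*":
            continue
        if not o.isdigit() or not 0 <= int(o) <= 255:
            raise ValueError(f"bad octet {o!r} in pattern {pattern!r}")
    return octets


def wildcard_match(pattern: str, address: str) -> bool:
    """True if `address` matches `pattern`, where '*' stands for any octet.

    The address is parsed with ipaddress so malformed input raises rather
    than silently failing to match (which could mask a misconfigured rule).
    """
    pat = _split_pattern(pattern)
    addr = str(ipaddress.IPv4Address(address)).split(".")
    return all(p == "*" or int(p) == int(a) for p, a in zip(pat, addr))


def as_cidr(pattern: str) -> Optional[str]:
    """Return the single CIDR block equal to `pattern`, or None if none exists.

    Only a trailing run of wildcards is a contiguous range (10.20.*.* is
    10.20.0.0/16); a pattern such as *.*.100.* or 203.0.*.0 matches
    non-adjacent addresses and cannot be written as one subnet.
    """
    octets = _split_pattern(pattern)
    first_star = next((i for i, o in enumerate(octets) if o == "*"), 4)
    if any(o != "*" for o in octets[first_star:]):
        return None
    network = [int(o) for o in octets[:first_star]] + [0] * (4 - first_star)
    return f"{'.'.join(map(str, network))}/{8 * first_star}"


# (client pattern, rule applies only when the request is an IM client, action)
# Mirrors the article's CPL: client.address=*.*.100.* allow /
# client.address=203.0.*.0 condition=InstantMsg deny
Rule = Tuple[str, bool, str]
POLICY: List[Rule] = [
    ("*.*.100.*", False, "allow"),
    ("203.0.*.0", True, "deny"),
]


def evaluate(client_ip: str, im_client: bool,
             rules: List[Rule] = POLICY, default: str = "allow") -> str:
    """First matching rule in the layer decides; otherwise the layer default.

    The `default="allow"` fall-through is an assumption for this example,
    not a statement about any particular SGOS configuration.
    """
    for pattern, needs_im, action in rules:
        if needs_im and not im_client:
            continue  # condition=InstantMsg not satisfied, rule skipped
        if wildcard_match(pattern, client_ip):
            return action
    return default


if __name__ == "__main__":
    # Constructed sample requests using documentation-range addresses (RFC 5737).
    for ip, im in [("10.20.100.7", True), ("203.0.113.0", True),
                   ("203.0.113.0", False), ("203.0.113.5", True)]:
        print(f"{ip:>14} im={im!s:5} -> {evaluate(ip, im)}")
    for pat in ("*.*.100.*", "203.0.*.0", "10.20.*.*"):
        print(f"{pat:>10} as CIDR: {as_cidr(pat)}")
```

The student rule only fires when both the address pattern and the IM condition hold, so a student machine doing ordinary web browsing falls through to the default, exactly as the CPL `condition=InstantMsg` qualifier intends. A pattern with a leading or middle wildcard is not a subnet, which is why the article treats wildcards separately from IP ranges.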

IP address wildcards are supported in several CPL conditions; refer to the Content Policy Language Reference for more information.

In the Visual Policy Manager (VPM), you can use IP address wildcards in some Source and Destination objects. If you add or edit an object that supports wildcards, the dialog displays a hint below the entry field.

For more information, refer to the Visual Policy Manager and Advanced Policy Tasks Reference.

Additional Information 

You can also use IP address wildcards in RDNS restrictions and in subnet definitions. For more information, refer to "restrict rdns" and "define subnet" in the Content Policy Language Reference.

For information on specifying an IP range in policy, see "How do I specify a range of IP addresses in policy?".