When the Edge SWG(ProxySG) appliance's default policy is set to Deny, or if a specific URL category (such as social networking, news/media, audio/video) is blocked, allowing a single website doesn't work. You may experience issues such as the following:
The following is a partial policy trace for www.youtube.com:
Users experience the issue described above because the other OCS either matches with the appliance's default deny policy or the URL category is denied.
To capture policy trace and analyze effectively, refer to Article 166514.
To allow the single URL/website when the appliance has a default deny policy or the URL category is denied in policy:
Note:! This procedure uses www.youtube.com as an example.
A policy trace might show that a new URL (having a previously referred OCS) is referring another OCS. For example, the following partial policy trace shows a third OCS for www.youtube.com:
This third OCS must be allowed as well. Repeat the procedure above to allow the OCS, but in the Header Regex field, verify the referer header from the denied transaction in the policy trace. In this example, it is ytimg.
Note! This is applicable to any URL that is explicitly allowed in policy, and when the appliance has a default deny or URL category denied.