Specify a range of IP addresses in policy on Edge SWG (ProxySG)

Article ID: 166278


Products

ProxySG Software - SGOS

Issue/Introduction

The ability to specify IP address ranges in policy was added in SGOS 6.5.2. This feature allows you to enter a range as follows:
 
10.51.100.0-10.51.100.255

Example Use Case

You are an administrator of a retailer's distributed network. The network is very large and has numerous sub-networks, in which IP address ranges are non-contiguous and not easily defined by subnet/Classless Inter-Domain Routing (CIDR) notation. For example:
  • Demonstration devices in stores are assigned addresses within two ranges, 192.168.2.0 - 192.168.3.255 and 10.51.100.0 - 10.51.101.255
  • Employee devices are assigned addresses within the range 172.16.113.0 - 172.16.115.255
You want to be able to:
  • Deny access to YouTube on demonstration devices
  • Deny access if a virus is detected on employee devices
You want to apply policy based on the device user, but the large number of devices means it is not feasible to define a separate rule for each one. In addition, you would have to update policy whenever a device is added to or removed from the network. Using IP address ranges would be a more efficient way to write this policy. 

Resolution

Use IP Address Ranges in Policy

To apply the policies described above, write the following content policy language (CPL): 

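; demonstration device ranges from the use case above
define subnet Demo
192.168.2.0-192.168.3.255
10.51.100.0-10.51.101.255
end
 
<Proxy>
; "example" is a placeholder pattern; replace it with one that matches the site to block
client.address=Demo url.regex="example" deny
; employee device range from the use case above
client.address=172.16.113.0-172.16.115.255 virus_detected=yes deny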
 
IP address ranges are supported in several CPL conditions; refer to the Content Policy Language Reference for more information. 
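The following Python sketch is an added example, not part of the article or of SGOS. It parses `define subnet` blocks that use the range syntax, expands each range to its CIDR equivalent, and reports which definitions a given client address falls into, so range boundaries can be reviewed offline before policy is installed. The subnet name `Employee` and the sample text are constructed for illustration, and treating `;` as the CPL comment marker is an assumption of the parser.

```python
import ipaddress

# Constructed sample: the ranges from the use case above, in "define subnet" form.
# "Employee" is a hypothetical subnet name, not from the article.
SAMPLE_CPL = """\
define subnet Demo
192.168.2.0-192.168.3.255
10.51.100.0-10.51.101.255
end
define subnet Employee
172.16.113.0-172.16.115.255
end
"""

def entry_to_networks(entry):
    """Turn one subnet entry (range, CIDR, or single IP) into CIDR networks."""
    if "-" in entry:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
        if first > last:
            raise ValueError(f"reversed range: {entry}")
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.IPv4Network(entry, strict=False)]

def parse_subnets(cpl):
    """Map each 'define subnet NAME ... end' block to its list of networks."""
    subnets, current = {}, None
    for raw in cpl.splitlines():
        line = raw.split(";", 1)[0].strip()  # assumption: ';' starts a comment
        if not line:
            continue
        if line.startswith("define subnet "):
            current = line.split()[2]
            subnets[current] = []
        elif line == "end":
            current = None
        elif current is not None:
            subnets[current].extend(entry_to_networks(line))
    return subnets

def matching_subnets(subnets, client_ip):
    """Names of every subnet definition that contains client_ip."""
    ip = ipaddress.IPv4Address(client_ip)
    return sorted(n for n, nets in subnets.items() if any(ip in net for net in nets))

if __name__ == "__main__":
    parsed = parse_subnets(SAMPLE_CPL)
    for name, nets in parsed.items():
        print(name, [str(n) for n in nets])
    print(matching_subnets(parsed, "172.16.114.20"))
```

The employee range expands to two CIDR blocks rather than one, which is the situation the range syntax is meant to simplify.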
 
In the Visual Policy Manager (VPM), you can use IP address ranges in some Source and Destination objects. If you add or edit an object that supports address ranges, the dialog displays a hint below the entry field.

For more information, refer to the Visual Policy Manager and Advanced Policy Tasks Reference.

Additional Information 

You can specify IP address ranges in RDNS restrictions and in subnet definitions (as shown in the CPL above). For more information, refer to "restrict rdns" and "define subnet" in the Content Policy Language Reference.

For information on using IP address wildcards in policy, see "How can I use wildcard characters when specifying IP addresses in policy?"