How to write rules using CPL (with examples)


Article ID: 166537



ProxySG Software - SGOS


The Visual Policy Manager (VPM) is an easy-to-learn tool for creating policy, particularly if you are familiar with firewall management interfaces; however, the VPM offers fewer policy control options than writing Content Policy Language (CPL) directly. CPL policy is also simpler in code and easier to manage, so advanced users may prefer it. This FAQ gives a quick introduction (with examples) to writing simple policies in CPL.

Just like the VPM, CPL is organized into layers. Each layer is introduced by a header of the form <Layer_type>. For example, the Web Access Layer's equivalent is <proxy>. The Web Authentication Layer's equivalent is also <proxy>.

Note: The layer type is not case sensitive. <PROXY> and <proxy> are interchangeable.

Other commonly used types are:

  • <ssl> is the SSL Access Layer
  • <ssl-intercept> is the SSL Intercept Layer
  • <cache> is the Web Content Layer
  • <forward> is the Forwarding Layer

A policy consists mainly of two sections: Definitions and Rules. Definitions declare global variables that rules can then reference by name. This helps reduce the number of rules needed to make a policy work.



Refer to the following examples to learn how to format basic policies.

1. Policy to allow everyone access to the domain

  url.domain="" Allow

2. Rule that allows access to the domains,, and in a definition. This example uses the name "CompanyAllowed". The following policy refers to the condition name.

define condition "CompanyAllowed"

  condition="CompanyAllowed" Allow

3. Policy to allow but deny everything else.

<proxy> Allow

4. Policy to allow access to every website if the client IP address matches Deny the access for everyone else.

  client.address= Allow

5. Policy to deny the client IP address from accessing Allow everyone to go to in same layer.

  client.address= Deny Allow

6. Policy to bypass authentication and allow everyone who is going to

<proxy> authenticate(no) Allow
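
The following complete policy is an added example, not part of the original article. It combines a definition with rules in a single <proxy> layer; the domains and client address are constructed placeholders, and the condition name is reused from example 2.

```cpl
; Added example. All domains and addresses are constructed placeholders.

; Definitions: the triggers listed inside a condition are ORed together,
; so the condition matches a request to either domain.
define condition "CompanyAllowed"
  url.domain="example.com"
  url.domain="example.org"
end

; Rules: within one layer, rules are evaluated top to bottom and the
; first rule whose conditions all match decides the outcome for that layer.
<proxy>
  ; Triggers on the same line are ANDed: this one client is denied
  ; a domain that the condition below would otherwise allow.
  client.address=192.0.2.10 url.domain="example.org" Deny
  ; Everyone else may reach the domains named in the definition.
  condition="CompanyAllowed" Allow
  ; Catch-all: anything not matched above is denied.
  Deny
```

Because the first matching rule wins, the narrow Deny must sit above the broader Allow; reversing the two lines would let the 192.0.2.10 client through.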

For more information on CPL, refer to the Content Policy Language Reference for your SGOS version, available on the Symantec Enterprise Security Support page.