How to write rules using CPL (with examples)


Article ID: 166537


Products

ProxySG Software - SGOS

Issue/Introduction

The Visual Policy Manager (VPM) is an easy-to-learn tool for creating policy, particularly if you are familiar with firewall management interfaces; however, the VPM exposes fewer control options than writing Content Policy Language (CPL) directly. CPL is more compact and easier to manage, so advanced users often prefer it. This FAQ gives a quick introduction (with examples) to writing simple policies in CPL.

Just like the VPM, CPL organizes policy into layers. Each layer begins with a header of the form <layer_type>. For example, the Web Access Layer's equivalent is <proxy>; the Web Authentication Layer also maps to <proxy>.

Note: The layer type is not case sensitive. <PROXY> and <proxy> are interchangeable.

Other commonly used types are:

  • <ssl> is the SSL Access Layer
  • <ssl-intercept> is the SSL Intercept Layer
  • <cache> is the Web Content Layer
  • <forward> is the Forwarding Layer

A policy consists mainly of two sections: definitions and rules. Definitions create named objects (for example, a condition or a list of subnets) that rules then reference by name; reusing one definition across several rules reduces the number of rules needed to make a policy work. A rule is one or more triggers followed by the properties to set (such as Allow or Deny), and every trigger on the line must match for the rule to fire. Within a layer, the first rule that matches a transaction is the one applied; when more than one layer sets the same property, the later layer overrides the earlier one.

Resolution

Examples

Refer to the following examples to learn how to format basic policies.

1. Policy to allow everyone access to the domain google.com. Note that url.domain= also matches subdomains, so www.google.com is covered as well:

<proxy>
  url.domain="google.com" Allow


2. A condition definition named "CompanyAllowed" that lists google.com, yahoo.com, and facebook.com. The lines inside a define condition block are OR'd, so the condition matches when any one of the domains matches. The rule in the <proxy> layer then refers to the condition by name:

define condition "CompanyAllowed"
  url.domain=google.com
  url.domain=yahoo.com
  url.domain=facebook.com
end

<proxy>
  condition="CompanyAllowed" Allow


3. Policy to allow google.com but deny everything else. The bare Deny has no trigger, so it matches every transaction; because the first matching rule in a layer wins, it only applies to requests that did not match the Allow rule above it:

<proxy>
  url.domain=google.com Allow
  Deny


4. Policy to allow access to every website if the client IP address matches 10.10.10.10, and deny access for everyone else:

<proxy>
  client.address=10.10.10.10 Allow
  Deny


5. Policy to deny the client IP address 10.10.10.10 access to google.com, and allow everyone to go to facebook.com in the same layer. The two triggers on the first line are AND'd, so only 10.10.10.10 going to google.com is denied; other clients going to google.com do not match this rule:

<proxy>
  client.address=10.10.10.10 url.domain=google.com Deny
  url.domain=facebook.com Allow



6. Policy to bypass authentication and allow everyone who is going to yahoo.com. authenticate(no) is a property that disables authentication for the matching transaction. Because the first matching rule in a layer wins and a later layer overrides an earlier one, place this rule above the rule that sets authenticate(realm) in the same layer, or in a later layer; otherwise the realm setting takes effect instead:

<proxy>
  url.domain=yahoo.com authenticate(no) Allow

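The following is an added example, not from the original article, that combines the pieces above into one complete policy file: a condition definition, a named subnet list, an authentication layer with a bypass, and an access-control layer with a final catch-all deny. The realm name "MyRealm", the subnet 10.10.20.0/24 and the host names are assumptions for illustration; the define subnet block is a construct from the CPL reference that the article itself does not show.

```cpl
; Added example (not from the original article). Realm name, subnet and
; host names are assumptions for illustration only.

; --- Definitions: named objects that the rules below reference ---

; Lines inside a condition block are OR'd together.
define condition CompanyAllowed
  url.domain=google.com
  url.domain=yahoo.com
  url.domain=facebook.com
end

; A named subnet list, matched with client.address=<label>.
define subnet AdminHosts
  10.10.10.10
  10.10.20.0/24
end

; --- Layer 1: authentication (Web Authentication Layer equivalent) ---
; Within a layer the first matching rule wins, so the bypass for yahoo.com
; must come before the rule that sets the realm.
<proxy>
  url.domain=yahoo.com authenticate(no)
  authenticate(MyRealm)

; --- Layer 2: access control (Web Access Layer equivalent) ---
; Triggers on one line are AND'd: the deny applies only to 10.10.10.10
; going to google.com. The bare deny at the end has no trigger and
; therefore catches every request that no earlier rule matched.
<proxy>
  client.address=10.10.10.10 url.domain=google.com deny
  client.address=AdminHosts allow
  condition=CompanyAllowed allow
  deny
```

Because layers are independent, the authentication layer decides only whether a user is prompted for credentials, while the access layer decides whether the request is served; a request to yahoo.com from 10.10.20.5 is therefore not authenticated and is allowed, whereas a request to google.com from 10.10.10.10 is authenticated against MyRealm and then denied.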


For more information on CPL, refer to the Content Policy Language Reference for your SGOS version, available on the Symantec Enterprise Security Support page.