In ProxySG Policy what is the difference between Deny and Force Deny?

Article ID: 166602

Products

ProxySG Software - SGOS

Issue/Introduction

When creating policy, you can configure the ProxySG to allow or deny certain traffic (based on, for example, IP address, destination URL/category or protocol). When denying traffic, you can configure the ProxySG to Deny or Force Deny traffic. The difference between these two actions is described below.

DENY

Traffic matching the specific rule in the layer will be denied. All further processing of rules in that layer will then stop. However, rules in other layers can subsequently allow the traffic.

In the policy trace below, the URL is denied in the first layer but allowed in the next layer. The final result will be to allow the request.

start transaction -------------------
  CPL Evaluation Trace: transaction ID=13328
           <Proxy>
    MATCH:     url.host=www.example.com DENY
           <Proxy>
    MATCH:     ALLOW
  connection: service.name=Explicit HTTP client.address=10.10.1.1 proxy.port=8080
  time: 2011-08-30 13:59:20 UTC
  GET http://www.example.com/
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0
    url.category: none
  application.name:
  application.operation:
  DSCP client outbound: 65
  DSCP server outbound: 65
stop transaction --------------------

FORCE DENY

Traffic matching the specific rule in the layer will be denied. All further processing of rules in that layer will then stop. Although rules in other layers will still be processed, no other rule in any other layer can subsequently allow the traffic.

In the policy trace below, the URL is forcibly denied in the first layer but allowed in the next layer. However, the final result will be to deny the request. 

start transaction -------------------
  CPL Evaluation Trace: transaction ID=12638
           <Proxy>
    MATCH:     url.host=www.example.com FORCE_DENY
           <Proxy>
    MATCH:     ALLOW
  connection: service.name=Explicit HTTP client.address=10.10.1.1 proxy.port=8080
  time: 2011-08-30 13:59:20 UTC
  GET http://www.example.com/
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0
  user: unauthenticated
  DENIED: Either 'force_deny' or 'force_exception' was matched in policy
    url.category: none
  application.name:
  application.operation:
  DSCP client outbound: 65
  DSCP server outbound: 65
stop transaction --------------------
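
The following is an added example, not part of the original article or of any Broadcom tooling. It parses the MATCH lines of a policy trace and applies the layer model described above: a later layer's ALLOW or DENY replaces an earlier one, unless a FORCE_DENY has matched. The function names and the simplified model are assumptions, the sample input is constructed from the two traces shown above, and force_exception (named in the DENIED line) is not modelled.

```python
import re

# Constructed samples: the layer and MATCH lines from the two traces above.
DENY_TRACE = """\
           <Proxy>
    MATCH:     url.host=www.example.com DENY
           <Proxy>
    MATCH:     ALLOW
"""
FORCE_DENY_TRACE = DENY_TRACE.replace(" DENY", " FORCE_DENY")

LAYER_RE = re.compile(r"^\s*<([^>]+)>\s*$")
MATCH_RE = re.compile(r"^\s*MATCH:\s+(?:(\S.*?)\s+)?(ALLOW|DENY|FORCE_DENY)\s*$")


def parse_matches(trace):
    """Return [(layer_index, condition, action)] for every MATCH line."""
    matches, layer = [], -1
    for line in trace.splitlines():
        if LAYER_RE.match(line):
            layer += 1          # each <Layer> header starts a new layer
            continue
        m = MATCH_RE.match(line)
        if m:
            matches.append((layer, m.group(1) or "", m.group(2)))
    return matches


def final_verdict(trace):
    """Return (verdict, forced_by); forced_by is (layer, condition) or None."""
    verdict, forced_by = None, None
    for layer, cond, action in parse_matches(trace):
        if action == "FORCE_DENY":
            verdict, forced_by = "DENY", (layer, cond)
        elif forced_by is None:
            verdict = action    # a later layer overrides an earlier one
        # once forced, a later ALLOW is still evaluated but cannot win
    return verdict, forced_by


if __name__ == "__main__":
    for name, trace in (("deny", DENY_TRACE), ("force_deny", FORCE_DENY_TRACE)):
        print(name, final_verdict(trace))
```

The second return value identifies the layer and condition that forced the denial, which helps when an ALLOW added in a later layer appears to have no effect.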