When creating policy, configure the ProxySG or Edge SWG to allow or deny traffic based on criteria such as IP address, destination URL, category, or protocol. When denying traffic, choose between Deny or Force Deny. This article explains the evaluation logic for each, specifically how they interact with subsequent layers and negated objects.

• ProxySG (All versions)
• Edge SWG (All versions)
• Advanced Secure Gateway (All versions)

DENY Traffic matching a rule with a Deny action is blocked for that specific rule and layer.

• Policy evaluation for that layer stops immediately.
• Important: Subsequent layers can still override this decision. If a later layer contains an Allow rule that matches the same traffic, the traffic will ultimately be permitted.

Example Trace (Allowed by later layer):

MATCH: url.host=www.example.com DENY 
MATCH: ALLOW 
Final Verdict: ALLOW

FORCE DENY Traffic matching a Force Deny action is blocked across the entire policy.

• Policy evaluation for the current layer stops immediately.
• While subsequent layers are still processed (to evaluate logs or other variables), no rule in any other layer can override the Force Deny.
• This is the recommended action for "Catch-all" rules where an absolute block is required.

Example Trace (Blocked despite later Allow):

MATCH: url.host=www.example.com FORCE_DENY 
MATCH: ALLOW 
Verdict: DENIED (Either 'force_deny' or 'force_exception' was matched in policy)

Interaction with Negated Objects When a subnet or URL is negated (excluded) from a combined object, traffic from that source will result in a "No Match" for the rule using that object. Evaluation will continue to the next rule. If the next rule is a Force Deny catch-all, the negated traffic will be blocked.

• To speaks with a customer representative or a Support Engineer see Contact Support. Scroll to the bottom of the page and click on your respective region.
• How to download diagnostic logs manually