ProxySG policy default of "allow" and no rules works differently than default of "deny" with a generic "allow" rule


Article ID: 166795


Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

In the following two scenarios, some requests are handled differently even though the two configurations appear to do the same thing:

Configuration 1
Default Proxy Policy: Allow
Policy Rules: None

Configuration 2
Default Proxy Policy: Allow (or deny)
Policy Rules: <any source> <any destination> <any service> <any time> Allow

Expressed in CPL, the rule for Configuration 2 may look like:
<Proxy>
    ALLOW ; generic allow for all users


Resolution

With the two setups described above, some requests are handled differently.

In Configuration 1, a CONNECT request to a destination port other than 443 is denied. This denial does not come from policy; it comes from the ProxySG's built-in default security behaviour, which rejects CONNECT requests to any port other than the default SSL port 443. With no rules installed, the Default Proxy Policy of Allow only applies to requests that the built-in checks have not already rejected. Configuration 1 is effectively stating, "Unless a rule or a built-in restriction denies a request, allow it."

In Configuration 2, the same CONNECT request is allowed. The difference is the explicit ALLOW rule: an explicit policy decision takes precedence over the built-in default restriction, so the rule is effectively stating, "Even if a built-in restriction would normally deny this connection, allow it anyway."

In short, the ProxySG's default behaviour denies CONNECT requests to any port other than 443, so Configuration 1 denies them. Configuration 2 contains an explicit ALLOW that matches every request, so that default is overridden and the connection is permitted. Because the rule matches every request, this holds whether the Default Proxy Policy is set to Allow or Deny; the default is never reached. The practical consequence is that an unconditional ALLOW is not a no-op: it also removes the built-in CONNECT port restriction, which should be re-stated explicitly if it is still wanted.
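The following is an added CPL example, not part of the original article, showing the Configuration 2 rule beside a hardened variant that keeps the generic ALLOW but re-states the CONNECT port restriction explicitly so the ALLOW no longer widens it. It assumes the standard CPL triggers http.method= and url.port= and the =! negation form for the port condition; verify the exact syntax against the CPL reference for your SGOS release before installing it.

```cpl
; Configuration 2 as written in the article: the unconditional ALLOW
; matches every request, so it also overrides the built-in denial of
; CONNECT to ports other than 443.
<Proxy>
    ALLOW ; generic allow for all users

; Hardened variant (added example, not from the article). Rules within a
; layer are evaluated in order and the first match wins, so the DENY for
; CONNECT to a non-443 port is taken before the generic ALLOW is reached.
; Syntax assumptions: http.method= and url.port= triggers, =! negation.
<Proxy>
    http.method=CONNECT url.port=!443 DENY ; keep CONNECT limited to 443
    ALLOW ; generic allow for everything else
```

To confirm the behaviour after installing either policy, issue a CONNECT to a non-443 port through the proxy (for example with a client configured to use the explicit proxy) and check the policy trace or access log: the first layer returns ALLOW for that request, the hardened layer returns DENY, and ordinary HTTP and HTTPS traffic is allowed by both.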