VPM generates 'Late condition guards early action' when a username source is used in conjunction with a host rewrite action


Article ID: 167125


Updated On:


ProxySG Software - SGOS


It does not matter whether the conflicting conditions/actions are from different rules - what matters is that they are in the same layer.

For example, the VPM policy below will result in a 'late condition guards early action' error :

User-added image

User-added image

This happens because the Rewrite action in the VPM uses 'url.host' as a parameter. 'url.host' and 'url' have different semantics, and thus different checkpoints in the policy. 'url.host' is associated with the HTTP request's host while 'url' is meant for the whole URL. They have different checkpoints from that of the user condition in the policy.

The order of the checkpoints are: host, user identity, and url. Since user identity is later than host, we get the "Late condition guards early action" error. 'url.host' cannot be modified after the user identity has been obtained via the Web Authentication Layer.

To address this, we can use the CPL to rewrite the URL instead of 'url.host'. For example :

define action RewriteH
  rewrite( url, "(.*)packeteer(.*)", "$(1)bluecoat$(2)" )