There are times when a site does not load correctly even though there is a rule that allows it.
For example:
Source= Group_1----->Destination=maps.google.com----->Action=Allow
The usual cause is that some of the objects on the page (images, scripts, map tiles and so on) are pulled from other servers. In other words, if you are allowing maps.google.com and denying access to maps.gstatic.com, the content on the page may not load because some of the objects on the maps.google.com page are actually hosted on maps.gstatic.com.
Allowing the website alone may therefore not be enough to display the whole page, since different servers may be supplying the objects that fill it out. One way to remedy this is to allow requests based on the Referer header: when the browser fetches the objects embedded in a page, it sends the URL of that page in the Referer header, so requests for those objects can be identified by the referring domain rather than by the host that serves them.
For example, create a second rule in the VPM whose source is a Combined Source Object containing both the group and a Referer header object for maps.google.com:
Source=Combined Source Object (Group_1 and Referer: maps.google.com)----->Destination=Any----->Action=Allow
Example policy trace. In this trace format the rule evaluation lines of a transaction come first and the connection, time, request and Referer lines of the same transaction follow them, so the output below shows two transactions: the first is the request for maps.google.com itself, allowed by the url.domain rule; the second is a request for an object on another host (the request URL is not shown), which misses url.domain=//maps.google.com/ and the content-filter category conditions, is denied by exception(content_filter_denied), and is then allowed by the later "Sample Management Maps" rule because its Referer is http://maps.google.com/. The later layer's ALLOW overrides the earlier layer's deny:
miss : condition=__GROUP7
miss : condition=__GROUP8
miss : condition=__GROUP9
miss : condition=__GROUP25
MATCH: ALLOW condition=__GROUP16 url.domain=//maps.google.com/
MATCH: ALLOW condition="Sample Management Maps"
MATCH: client.address=X.X.X.X trace.request(yes) trace.rules(all) trace.destination(Test)
connection: service.name=HTTP client.address=X.X.X.X proxy.port=80
time: 2010-03-11 21:03:37 UTC
GET
Referer: http://maps.google.com/

miss : condition=__GROUP7
miss : condition=__GROUP8
miss : condition=__GROUP9
miss : condition=__GROUP25
miss : url.domain=//maps.google.com/
miss : condition="__CondList1Sample Mgmt & Shipping Categories"
miss : condition="__CondList1fuzzy General Exceptions"
MATCH: exception(content_filter_denied)
MATCH: ALLOW condition="Sample Management Maps"
MATCH: client.address=X.X.X.X trace.request(yes) trace.rules(all) trace.destination(Test)
connection: service.name=HTTP client.address=X.X.X.X proxy.port=80
time: 2010-03-11 21:03:38 UTC
GET
Referer: http://maps.google.com/
user: name="ABUTEST\sample" realm=FUZZY
To create a Referer Header Object, perform the following steps within the Visual Policy Manager:
You can then use this object on its own as the source of the rule, or add it to a Combined Source Object as shown above. After setting any other criteria the rule needs, install the policy for the change to take effect.
Note: After configuring policy to allow a specified referer as described above, all requests from the configured source whose Referer header names that domain are allowed, and with Destination=Any they are allowed to every destination. Two caveats follow. First, the Referer header is supplied by the client, so a rule of this kind is not an access control: any user in Group_1, or any software running on that user's machine, can reach a destination the content filter would otherwise deny simply by sending Referer: http://maps.google.com/. Keeping the source restricted to the group and narrowing the rule's destination to the hosts that actually serve the page's objects (maps.gstatic.com in this example) limits what the rule can be used to bypass. Second, some third-party hosting domains refer to content hosted by yet other domains; for example, maps.gstatic.com could display content hosted by another third-party domain, so the Referer header on subsequent requests may contain a domain other than the one specified in policy, and additional Referer objects would be needed for those subsequent referers. Referers also change over time, and browsers may omit the header entirely (for instance under a restrictive referrer policy, or when a page served over HTTPS references an object over plain HTTP), so the effectiveness of this policy cannot be guaranteed.
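The following Python model is added here as an editorial illustration of the rule described above and of the caveats in the note; it is not ProxySG code and is not part of the original article. It imitates the layered evaluation visible in the trace (each layer yields at most one decision, and a later layer's ALLOW overrides an earlier layer's deny) and runs the cases the page discusses: the page itself, a CDN object allowed because of its Referer, the same object with the Referer stripped by the browser, a forged Referer used to reach a denied destination under the Destination=Any rule, and that same forged request under a rule whose destination is narrowed to maps.gstatic.com. The group names, rule names, the host denied.example and the content-filter category list are constructed assumptions.

```python
"""Model of the allow-by-Referer policy pattern from the article.

Not ProxySG code: it imitates the behaviour shown in the policy trace, where
each policy layer produces at most one decision and a later layer's ALLOW
overrides an earlier layer's exception(content_filter_denied). Group names,
rule names, hostnames and the denied host list are constructed examples.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple
from urllib.parse import urlparse


def _host(url: Optional[str]) -> str:
    """Hostname of a URL, lower-cased; '' when the URL is absent."""
    return (urlparse(url).hostname or "").lower() if url else ""


@dataclass(frozen=True)
class Request:
    group: str                     # group the authenticated user belongs to
    url: str                       # requested URL
    referer: Optional[str] = None  # None: the browser sent no Referer header


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                               # "ALLOW" or "DENY"
    group: Optional[str] = None               # source group; None = Any
    dest: Optional[FrozenSet[str]] = None     # destination hosts; None = Any
    referer: Optional[str] = None             # required Referer host; None = not tested

    def matches(self, r: Request) -> bool:
        return ((self.group is None or r.group == self.group)
                and (self.dest is None or _host(r.url) in self.dest)
                and (self.referer is None or _host(r.referer) == self.referer))


Layer = List[Rule]


def evaluate(layers: List[Layer], r: Request, default: str = "ALLOW") -> Tuple[str, List[str]]:
    """First matching rule within a layer wins; the last layer that matched
    decides the transaction. Returns the decision and a trace in the style
    of the article's policy trace."""
    decision, trace = default, []
    for layer in layers:
        for rule in layer:
            if rule.matches(r):
                trace.append(f'MATCH: {rule.action} condition="{rule.name}"')
                decision = rule.action
                break
            trace.append(f'miss : condition="{rule.name}"')
    return decision, trace


def decide(policy: List[Layer], r: Request) -> str:
    return evaluate(policy, r)[0]


# Layer 1: content filtering denies these hosts (constructed category list).
CONTENT_FILTER: Layer = [Rule("content_filter_denied", "DENY",
                              dest=frozenset({"maps.gstatic.com", "denied.example"}))]

# Layer 2 as written in the article: Destination=Any for anyone in Group_1
# whose request carries Referer: http://maps.google.com/.
LOOSE: Layer = [
    Rule("Group_1 -> maps.google.com", "ALLOW", group="Group_1", dest=frozenset({"maps.google.com"})),
    Rule("Sample Management Maps", "ALLOW", group="Group_1", referer="maps.google.com"),
]

# Layer 2 tightened: same Referer test, but only for the host that actually
# serves the page's objects.
TIGHT: Layer = [
    LOOSE[0],
    Rule("Sample Management Maps (tight)", "ALLOW", group="Group_1",
         dest=frozenset({"maps.gstatic.com"}), referer="maps.google.com"),
]

LOOSE_POLICY = [CONTENT_FILTER, LOOSE]
TIGHT_POLICY = [CONTENT_FILTER, TIGHT]

# Constructed requests covering the cases discussed in the article.
PAGE = Request("Group_1", "http://maps.google.com/")
CDN_OBJECT = Request("Group_1", "http://maps.gstatic.com/mapfiles/x.png", referer="http://maps.google.com/")
NO_REFERER = Request("Group_1", "http://maps.gstatic.com/mapfiles/x.png")  # Referer suppressed by browser
SPOOFED = Request("Group_1", "http://denied.example/", referer="http://maps.google.com/")  # forged header
OTHER_GROUP = Request("Group_2", "http://maps.gstatic.com/mapfiles/x.png", referer="http://maps.google.com/")

if __name__ == "__main__":
    cases = [("page", PAGE), ("cdn object", CDN_OBJECT), ("no referer", NO_REFERER),
             ("spoofed referer", SPOOFED), ("other group", OTHER_GROUP)]
    for label, req in cases:
        loose, trace = evaluate(LOOSE_POLICY, req)
        print(f"{label:16} loose={loose:5} tight={decide(TIGHT_POLICY, req):5}  {' | '.join(trace)}")
```

Running the script prints one line per case. The "cdn object" line reproduces the shape of the second transaction in the trace (a DENY from the content-filter layer followed by the Referer rule's ALLOW), while the "spoofed referer" line shows that the Destination=Any form allows a denied host for anyone who forges the header and the narrowed form does not; "no referer" shows the page's own caveat that the rule does nothing when the browser omits the header.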