What is the difference between "default allow" and "default deny" policy


Article ID: 167309




ProxySG Software - SGOS


The default action configured on the ProxySG is the action taken on a connection that matched neither an 'allow' nor a 'deny' rule. Generally speaking, policies are built one of two ways, and we will go over both approaches to building a policy.

This option is configured in the Management Console under Policy > Policy Options.



Default action set to ALLOW

   Setting the default action to 'Allow' usually means a more open policy, where rules are written to block content. For example, content filtering rules will have a 'Deny' action for unwanted categories. This is a policy where everything is allowed EXCEPT a specific list of sites and/or categories.

   This type of policy is generally easier to manage but, at the same time, less secure, because anything not specifically denied will be allowed, including destinations that no rule has been written for yet.


Default action set to DENY

   This approach is similar to a firewall policy where everything is denied unless specifically allowed. This type of policy can be very secure but requires more administration. An administrator using a default deny policy will build rules where the destination is the set of acceptable URLs or categories and the action is set to 'Allow'.


It is possible to nullify the default action with a "catch all" rule. Here is an example of a policy where the default action would never be applied:


Single web access layer policy

Rule 1   :  Source : Any      Destination : (Unwanted categories)    Action : DENY

Rule 2   :  Source : Any      Destination : Any     Action : ALLOW

Default action set to DENY


In this example, connections to the unwanted categories match rule 1 and are denied. Anything NOT matching rule 1 matches rule 2 and is allowed. Since every connection matches rule 1 or rule 2, the default action of "Deny" never applies. With a catch-all Any/Any/Allow rule at the bottom of the layer, it does not matter what the default action is, because every connection matches a rule. Note what this means in practice: the layer behaves as a default-allow policy regardless of the setting in Policy Options, so a catch-all Allow rule silently removes the protection a default-deny setting would otherwise provide to new or uncategorized destinations.


The default action is only applied to connections that do not match any allow or deny rule.
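To make the two policy styles and the catch-all effect concrete, here is an added worked example. It is not ProxySG/SGOS code or CPL: it is a small Python model of how a single web access layer is walked top to bottom, the first matching rule wins, and the default action is used only when no rule matched. The category table, client address and rules are constructed for this illustration; the three policy builders correspond to the default-allow, default-deny and catch-all layouts described above, and `default_is_reachable()` is the check a practitioner would want before trusting a default-deny setting.

```python
"""First-match policy evaluation with a default action.

Added illustration, not ProxySG/SGOS code or CPL: models a single web access
layer where rules are evaluated top to bottom, the first match wins, and the
layer's default action applies only when no rule matched.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ALLOW = "ALLOW"
DENY = "DENY"

# Constructed stand-in for a content-filtering category lookup (not real data).
# Hosts missing from the table are treated as "Uncategorized".
CATEGORY_DB = {
    "gambling.example": frozenset({"Gambling"}),
    "mail.example": frozenset({"Web Mail"}),
    "news.example": frozenset({"News/Media"}),
}


def categories_of(host: str) -> FrozenSet[str]:
    return CATEGORY_DB.get(host, frozenset({"Uncategorized"}))


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    source: Optional[FrozenSet[str]] = None       # None means Source: Any
    destination: Optional[FrozenSet[str]] = None  # None means Destination: Any, else a category set

    def is_catch_all(self) -> bool:
        """Any/Any rule: matches every connection that reaches it."""
        return self.source is None and self.destination is None

    def matches(self, client: str, host: str) -> bool:
        if self.source is not None and client not in self.source:
            return False
        if self.destination is not None and not (categories_of(host) & self.destination):
            return False
        return True


@dataclass
class Layer:
    rules: List[Rule]
    default_action: str

    def evaluate(self, client: str, host: str) -> Tuple[str, str]:
        """Return (action, matched rule name); 'default' when no rule matched."""
        for rule in self.rules:
            if rule.matches(client, host):
                return rule.action, rule.name
        return self.default_action, "default"

    def default_is_reachable(self) -> bool:
        """False when a catch-all rule guarantees the default action never applies."""
        return not any(rule.is_catch_all() for rule in self.rules)


UNWANTED = frozenset({"Gambling", "Adult/Mature Content"})   # constructed
ACCEPTABLE = frozenset({"News/Media", "Web Mail"})           # constructed


def default_allow_policy() -> Layer:
    """Open policy: deny the unwanted list; everything else falls to the default (ALLOW)."""
    return Layer([Rule("Rule 1", DENY, destination=UNWANTED)], default_action=ALLOW)


def default_deny_policy() -> Layer:
    """Firewall-style policy: allow the acceptable list; everything else falls to the default (DENY)."""
    return Layer([Rule("Rule 1", ALLOW, destination=ACCEPTABLE)], default_action=DENY)


def catch_all_policy(default_action: str) -> Layer:
    """The article's single-layer example: Rule 1 denies unwanted categories and
    Rule 2 is Any/Any/ALLOW, so the default action (whatever it is) never applies."""
    return Layer(
        [Rule("Rule 1", DENY, destination=UNWANTED), Rule("Rule 2", ALLOW)],
        default_action=default_action,
    )


if __name__ == "__main__":
    client = "10.0.0.5"  # constructed client address
    for label, layer in [
        ("default ALLOW", default_allow_policy()),
        ("default DENY", default_deny_policy()),
        ("catch-all, default DENY", catch_all_policy(DENY)),
        ("catch-all, default ALLOW", catch_all_policy(ALLOW)),
    ]:
        print(f"{label}: default reachable={layer.default_is_reachable()}")
        for host in ("gambling.example", "news.example", "unknown.example"):
            action, why = layer.evaluate(client, host)
            print(f"  {host:18} -> {action:5} ({why})")
```

Running it shows the point of the article: under the plain default-deny policy an uncategorized host is denied by the default, while under either catch-all variant the same host is allowed by Rule 2 and the default setting has no effect. `default_is_reachable()` returning False is the signal to review the layer before relying on its default action.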