The default action defined on the ProxySG is the action taken on a connection that does not match an 'allow' or 'deny' rule. Generally speaking, policies are built in one of two ways, and we will go over both approaches to building a policy.
This option is configured via Management console / Policy / Policy options.
Setting the default action to 'Allow' usually means a more open policy approach where rules are defined to block content. For example, content filtering rules will have a "Deny" action for unwanted categories. This is a type of policy where everything is allowed except a certain list of sites and/or categories.
This type of policy is generally easier to manage but, at the same time, less secure because anything not specifically denied will be allowed.
Setting the default action to 'Deny' is similar to a firewall policy where everything is denied unless specifically allowed. This type of policy can be very secure but requires more administration. Administrators using a default deny policy will build rules where the destination is a set of acceptable URLs or categories and the action is set to "allow".
Single web access layer policy
Rule 1 : Source : Any Destination : (Unwanted categories) Action : DENY
Rule 2 : Source : Any Destination : Any Action : ALLOW
Default action set to DENY
In this example, connections matching the unwanted categories object would be denied. Anything NOT matching that would match rule 2 and would be allowed. Since every connection will match rule 1 or rule 2, the default action of "Deny" would never apply. With a catch-all rule that says Any/Any/Allow, it doesn't matter what the default action is, because every connection matches a rule.
The default action is only applied to connections that don't match an allow or deny rule.
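The evaluation described above, modeled in Python as an added example (it is not ProxySG configuration or vendor code): it assumes a single layer where the first matching rule decides, and it includes a check that flags a catch-all rule that makes the default action unreachable. The category names, the source address and the function names are constructed for illustration.

```python
from dataclasses import dataclass

ANY = "Any"  # wildcard, as written in the rule notation above

@dataclass(frozen=True)
class Rule:
    source: str          # ANY or one source name
    destination: object  # ANY or a frozenset of category names
    action: str          # "ALLOW" or "DENY"

    def matches(self, source, category):
        src_ok = self.source == ANY or self.source == source
        dst_ok = self.destination == ANY or category in self.destination
        return src_ok and dst_ok

def evaluate(rules, default_action, source, category):
    """First matching rule decides; the default applies only if none match."""
    for number, rule in enumerate(rules, start=1):
        if rule.matches(source, category):
            return rule.action, f"rule {number}"
    return default_action, "default action"

def default_is_reachable(rules):
    """False if an Any/Any rule catches every connection before the default."""
    return not any(r.source == ANY and r.destination == ANY for r in rules)

# Constructed category names standing in for "(Unwanted categories)".
UNWANTED = frozenset({"Gambling", "Malware"})

# The single-layer policy from the example: default DENY is shadowed by rule 2.
CATCH_ALL_POLICY = [Rule(ANY, UNWANTED, "DENY"), Rule(ANY, ANY, "ALLOW")]

# A default-deny policy without a catch-all: only listed categories are allowed.
STRICT_POLICY = [Rule(ANY, frozenset({"Business"}), "ALLOW")]

if __name__ == "__main__":
    for name, policy in (("catch-all", CATCH_ALL_POLICY), ("strict", STRICT_POLICY)):
        print(name, "default reachable:", default_is_reachable(policy))
        for category in ("Gambling", "Business", "Uncategorized"):
            print("  ", category, evaluate(policy, "DENY", "10.0.0.5", category))
```

Running `default_is_reachable` over an exported rule list is a quick audit for policies that are labeled default deny but behave as default allow.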