URL category-based flows with 'discard' or 'never-admit' policy

book

Article ID: 167578

calendar_today

Updated On:

Products

PacketShaper

Issue/Introduction

PacketShaper will allow web traffic while determining the URL category. This means that some content may pass through the PacketShaper before the configured policy is applied. Once the URL category is verified, PacketShaper will enforce the policy configured to the subsequent traffic flows.

Note that the policy application for category-based classes works most of the time when the URL is in the category cache.  When the URL must be looked up in WebPulse, the policy may not be successfully applied.

In addition, behavior for asymmetric redirect policies is non-deterministic for URL category-based classes since URL categorization is not part of packet processing. Therefore, when applying never-admit policies with the redirect option, be sure to apply the policy to the category classes in both directions (Inbound and Outbound).

Packet processing takes precedence over URL categorization. If the PacketShaper is overloaded, category requests may get queued, and some requests may be dropped; so it may miss some classification during heavy load.
 

 

Resolution

The following links provides an overview of WebPulse and URL categories:

https://origin-symwisedownload.symantec.com/resources/webguides/packetguide/11.9/index.htm#Topics/overviews/webpulse-overview.htm?Highlight=category based policies

https://origin-symwisedownload.symantec.com/resources/webguides/packetguide/11.9/index.htm#Topics/overviews/url-categories-overview.htm?Highlight=category based classes