Why is the "unavailable" category not matching a negated category list?


Article ID: 167619


Updated On:


ProxySG Software - SGOS


Why is the "unavailable" category not matching a negated category list?
Policy trace shows negated category as "n/a" instead of "MATCH" when URL category is "unavailable"


The "unavailable" category, is a "System Category", which means that the ProxySG wants to categorize the URL, but an error occurred trying to categorize the URL.  There are a number of conditions that would cause "unavailable" to be returned.  Please refer to KB article 000014680 for further details.

Negated category matches may not work as expected when ‘unavailable’ is returned.

If the ProxySG categorizes foo.com and gets ( Porn, unavailable ), then
   Category=Porn          -> is true
   Category=!Games    -> is “n/a”

Why?  One way to think of this is that ‘unavailable’ means that categorization is broken, and the list the policy engine got is non-exhaustive.  The content filter database might have returned “Games”, but instead SGOS does not know, and thus does not make decisions based on incomplete data.

Thus Blue Coat always recommends explicit handling of "unavailable".  You can decide if you want to fail open or fail close for that specific case.  Therefore, create policy that explicitly calls for the "unavailable" category and either ALLOW or DENY access.