This is scenario where ProxySG , ASG , SWGVA makes a POST requests which is visible on firewall or on the default Gateway. But as per the policy (VPM/CPL) setup incoming client request matches with a deny rule and the client request was denied successfully.
ProxySG will show this kind of behavior under following conditions.
If both of these conditions are satisfied proxySG will make the outbound POST request to evaluate the response against that “response.header” object. As those objects also has a probability to get match as well . proxySG will not be able to evaluate a “response.header” rule until it makes the actual outbound POST request.
A packet capture in proxySG will appear as below
As it shows the post request came from client (10.167.0.138) to proxySG (10.169.3.139) was denied with a HTTP response 403 forbidden message. But ProxySG made the outbound request to OCS (220.127.116.11).
Information on policy evaluation order can be found here TECH242493
To make sure proxySG is not showing this kind of behavior (leaking POST request when its being denied in policy) following steps can be performed
"response.header"rule should be placed.
By this policy evaluation order will be changed and proxySG will stop making outbound POST when the explicit deny rule matches. Also it will function properly for "response.header" rule as it should.
Note- Solution explained above only applicable for SGOS 6.5.x If the SGOS version is 6.6.5.x or 6.7.x or higher also this can also be avoided with the use of "Web Request Layer" . More details can be found here TECH246261