When controlling access to a website (or a category) you can specify the action you want the ProxySG to execute upon matching this rule. You can set it to "Deny", you can "Deny (Content Filter)" or you can set the SG to "Return Exception". When you return an exception page, you can choose between the built-in exception pages or a user-defined exception page.

One of the pre-defined exceptions is called "silent_denied". You would like to know what this effectively does.

The "silent_denied" exception is a bit of a special case when it comes to exceptions.

Normally we would return an HTML page with the exception message. However, the "silent_denied" exception is not actually an HTML page. What this exception does is that it immediately sends a RST (reset) packet back to the client. Effectively this is the most efficient way, though browsers will normally return an error message (something like "The connection was reset while the page was loading" - this differs from browser to browser).

The fact that the browser returns an error message means that it's not really silent for the user but by sending a RST, we are effectively silently blocking the page as there is no error message that we return (no data is more silent than a blank page).

If you want a transparent and silent deny, you may want to create a custom exception which returns a blank page and reference this exception in your policy.