Usage of request header presence or existence in policy evaluation

Article ID: 168322

Products

Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS
SWG VA-100

Issue/Introduction

Using Content Policy Language (CPL), you want to determine whether a specific request header is present on incoming requests to a ProxySG, ASG, or SWG appliance.

Resolution

Use Content Policy Language (CPL) to determine whether a certain request header is present in incoming (downstream) requests on the ProxySG appliance, and apply different policy if needed.
This could be useful in a proxy chaining deployment or where a load balancer is used before the ProxySG appliance, but there are other scenarios as well. The following example uses the request header X-Forwarded-For.

Sample 1


request.header.x-forwarded-for.exists=yes Allow


In this scenario the proxy checks whether the X-Forwarded-For header is present or not in incoming requests. If it is present, the request is allowed.

Sample 2


request.header.x-forwarded-for.exists=no url.domain=www.cnn.com Allow


In this scenario the proxy checks whether the X-Forwarded-For header is present or not in incoming requests. If it is not present and the requested URL is www.cnn.com, the request is allowed.

Similar policy actions can be performed for different policy options, such as authentication, caching, ICAP scanning, URL filtering, etc.

This CPL does not have a VPM object available. Use this CPL in the CPL layer within VPM or in the local, forward, or central policy file.

Only well-known request header names can be used. See the list in the VPM: open a Web Access Layer, right-click the Source column, select Set New Request Header, and filter by Standard.

Note: See article TECH241575 to understand how to parse a request header as an IP address.

 

The ProxySG can also detect non-standard HTTP Request headers by using the x_header directive as shown below:

 

                request.x_header.Custom-Header.exists=no url.domain=www.cnn.com Allow

In this example, the header is called "Custom-Header".

 

Note: It doesn't matter that the header does not begin with "X-". As long as the header is not part of the well-known HTTP Request headers, this condition will apply.
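
Added example, not part of the original article: in the load balancer or proxy chaining scenario described above, the header-presence check can be scoped to the downstream device's address, because any client can set X-Forwarded-For itself. The subnet label trusted_downstream and the addresses (documentation range) are constructed placeholders; replace them with your own.

```cpl
; Added example. trusted_downstream is a hypothetical label and the
; addresses below are constructed placeholders for the load balancer
; or child proxy that sits in front of this appliance.
define subnet trusted_downstream
  192.0.2.10
  192.0.2.11
end

<Proxy>
  ; From the known downstream device, the header is expected: allow.
  client.address=trusted_downstream request.header.x-forwarded-for.exists=yes Allow
  ; From the known downstream device without the header: the chain is
  ; not behaving as configured, so reject the request.
  client.address=trusted_downstream request.header.x-forwarded-for.exists=no Deny
  ; Requests from any other source match neither rule, so the presence
  ; of a client-supplied header grants nothing in this layer.
```

Rules in a layer are evaluated top to bottom and the first match applies, so keep the two rules in this order relative to any broader rule added to the same layer.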
