Negated category rules stop working after an upgrade to SGOS or later


Article ID: 168713


Updated On:


Asset Management Solution Data Center Security Monitoring Edition ProxySG Software - SGOS


You might notice that after upgrading to SGOS from, SSL interception no longer works.The policy rule that stopped working is like the following:

    condition=!CombinedDestination2 ssl.forward_proxy(https) ssl.forward_proxy.issuer_keyring(default)

define condition __CondList1CombinedDestination2

define condition RequestURLCategory4
    category=(Games, "Financial Services")



Blue Coat categories for YouTube changed in SGOS to support YouTube API V3. To support the new API, you must generate and enter a server key. After upgrading SGOS, the event log shows the following message if the server key is not available. 

2015-07-15 11:10:20-00:00UTC "Categorization for YouTube now requires a server key. To continue using this feature, please set the server key." 0 500000:1 youtube.cpp:24

Because the lookup mode for YouTube is hard-coded to Always (in the Management Console, select Configuration > Content Filtering > General), URL categorization is always attempted but does not work. Due to unavailable
categories, the negate rule cannot be evaluated correctly.

In addition, a policy trace shows a message like the following:

url.category: [email protected];News/[email protected] Coat



Generate and set the server key. See Set the server key for YouTube API v3 on the ProxySG appliance.
Alternatively, disable Blue Coat categories for YouTube as a provider.