Negated category rules stop working after an upgrade to SGOS 6.5.7.6 or later

Article ID: 168713

Products

Asset Management Solution, Data Center Security Monitoring Edition, ProxySG Software - SGOS

Issue/Introduction

After upgrading from SGOS 6.5.7.5 to 6.5.7.6, you might notice that SSL interception no longer works. The policy rule that stopped working resembles the following:
 

<ssl-intercept>
    condition=!CombinedDestination2 ssl.forward_proxy(https) ssl.forward_proxy.issuer_keyring(default)

define condition __CondList1CombinedDestination2
    condition=RequestURLCategory4
end

define condition RequestURLCategory4
    category=(Games, "Financial Services")
end


 

Cause

Blue Coat categories for YouTube changed in SGOS 6.5.7.6 to support YouTube API V3. To support the new API, you must generate and enter a server key. After upgrading SGOS, the event log shows the following message if the server key is not available. 

2015-07-15 11:10:20-00:00UTC "Categorization for YouTube now requires a server key. To continue using this feature, please set the server key." 0 500000:1 youtube.cpp:24
6.5.7.6


Because the lookup mode for YouTube is hard-coded to Always (in the Management Console, select Configuration > Content Filtering > General), URL categorization is always attempted but does not work. Because the categories are unavailable, the negated rule cannot be evaluated correctly.

In addition, a policy trace shows a message like the following:

url.category: [email protected];News/[email protected] Coat

 

Resolution

Generate and set the server key. See Set the server key for YouTube API v3 on the ProxySG appliance.
Alternatively, disable Blue Coat categories for YouTube as a provider.
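
To find policy exposed to this issue, the following added example (not code from this article or from the vendor) scans CPL text for negated conditions that resolve to a category= test and checks event log lines for the server key message quoted above. The sample policy and log lines are constructed, the condition names are made consistent as an assumption, and the function names are hypothetical.

```python
import re

# Constructed sample modeled on the rule in this article; condition names are
# made consistent here (an assumption) so the reference chain resolves.
SAMPLE_CPL = '''<ssl-intercept>
    condition=!CombinedDestination2 ssl.forward_proxy(https)
define condition CombinedDestination2
    condition=RequestURLCategory4
end
define condition RequestURLCategory4
    category=(Games, "Financial Services")
end
'''
# Constructed event log lines; the first carries the message quoted above.
SAMPLE_LOG = [
    '2015-07-15 11:10:20-00:00UTC "Categorization for YouTube now requires a '
    'server key. To continue using this feature, please set the server key."',
    '2015-07-15 11:12:01-00:00UTC "Constructed unrelated event"',
]

def parse_conditions(cpl):
    """Map each 'define condition NAME ... end' block to its body text."""
    block = re.compile(r'^define condition (\S+)[ \t]*\n(.*?)^end', re.M | re.S)
    return dict(block.findall(cpl))

def depends_on_category(name, conditions, seen=None):
    """True if NAME, directly or via nested conditions, tests category=."""
    seen = set() if seen is None else seen
    if name in seen or name not in conditions:
        return False  # cycle guard, or a name the policy never defines
    seen.add(name)
    if re.search(r'\bcategory=', conditions[name]):
        return True
    nested = re.findall(r'\bcondition=!?(\S+)', conditions[name])
    return any(depends_on_category(n, conditions, seen) for n in nested)

def negated_category_rules(cpl):
    """Return policy lines that negate a condition resolving to category=."""
    conditions = parse_conditions(cpl)
    return [line.strip() for line in cpl.splitlines()
            if any(depends_on_category(ref, conditions)
                   for ref in re.findall(r'\bcondition=!(\S+)', line))]

def server_key_missing(log_lines):
    """True if the event log holds the YouTube server key message."""
    return any('requires a server key' in line for line in log_lines)

if __name__ == '__main__':
    print(negated_category_rules(SAMPLE_CPL), server_key_missing(SAMPLE_LOG))
```

A line flagged by negated_category_rules is one to re-test after the upgrade, especially when server_key_missing is also true for the appliance's event log.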