When you implement the Hybrid Cloud (also known as Common Policy or Auto-Policy Sync), your Web Security Service (ThreatPulse cloud) policy downloads and installs onto your existing on-premise ProxySG appliance for local policy evaluation.

While it is possible to overwrite certain cloud policy rules in the VPM or local CPL policy, the exception page returned to the user is always the same as the one defined in your Web Security Service portal.

To have your local ProxySG appliance return a different exception page than that of the cloud exception page, overwrite it with the following CPL.

Note: You cannot use the VPM because 'exception.format' is not an available object in the VPM editor.

The CPL condition exception.format() in the cloud policy overwrites exception(), which is used by the on-premise ProxySG appliance.

Option 1:
Step 1: Create a new CPL proxy layer

<proxy>
exception.format(default)

Option 2:
Step 1: Define your new exception page in any of the local policy files (local/central).  This is the one you want the local ProxySG appliance to display in replacement of your cloud exception page.

define string custom-exception-page
><html>
>Your custom exception page
></html>
end

<proxy>
url.domain=blocked-domain.com exception.format(exception-page) DENY