In a policy trace, what does the late tag mean?


Article ID: 169002


Updated On:


Data Center Security Monitoring Edition ProxySG Software - SGOS


In SGOS 6.6.x, the results of a policy trace might display a late tag for some policy rules. For example:

late: condition=__ConditionList1Internet_Everyone

The late tag in a policy trace means that the ProxySG appliance reached a verdict on the connection before it could evaluate the policy rules that otherwise would have been evaluated later in the connection. The following paragraphs provide some examples for when policy is marked as late in a trace.


Late tag due to failed authentication
If a request fails authentication (for example, because the user didn't provide credentials or the appliance could not validate them) and a policy rule tests a condition (such as the realm, user, group, etc.) in which a successful authentication has occurred, you might see the result late in the policy trace:

late: realm=iwa_myrealm
user: unauthenticated
EXCEPTION(authentication_failed): Authentication failed either because
credentials were not provided or they could not be validated

Late tag due to deny based on category
Another example of why you might see late in your policy trace is if a request is denied based on the request category and a policy rule tests the type of files that the Origin Content Server (OCS) sends in response:

miss: category=my_category deny
late: http.response.apparent_data_type=exe response.icap_service(AV_scan)

Multiple instances of late tag in trace
late tag might appear multiple times in a policy trace if the ProxySG appliance terminated the transaction early in the evaluation. In this case, all of the policy rules that were not evaluated are considered late.

Issue with the YouTube channel where some policies are not working or not applying​

Reference to TECH249324 which addresses this issue.