While examining a policy trace, the result of supplier.country=() is reported as a timeout instead of "Deny".
An example of the message in policy trace evaluation: supplier.failures: "98.138.253.109|United States|timeout"
If you use the supplier.country=() condition with a "deny" action, the policy trace mechanism incorrectly reports a "deny" as a timeout.
Symantec recommends that you use the "supplier.allowed_countries[....countries... ] (deny)" condition and action for policy decisions to deny access to a list of countries or a single country.
This policy must be located inside a CPL Layer or Local Policy file.
These steps describe the process of migrating the Geolocation Policy from the VPM Layer to the CPL Layer, or Local Policy file.
1. Generate the CPL version of the VPM Policy for Geolocation and save it to a text (.txt) file.
2. Delete the VPM Policy for the Geolocation Policy from the VPM Layer.
3. From the saved CPL version of the Geolocation policy, copy the countries you have listed; you will paste them in the next step.
4. Use the exact condition "supplier.allowed_countries[ ]" in place of the supplier country policy, paste the countries from step 3 inside the [ ], and follow it with "(deny)" for the deny action.
5. Install the policy in the Local Policy File or in a CPL Layer in the VPM.
For example, the resultant policy will look like:
<Proxy>
supplier.allowed_countries[AF, AZ, BG, BY, CG, CI, CM, CU, CY, CZ, DJ, ER, HT, IQ, IR, KP, LB, LK, LR, LT, LV, LY, MK, PA, PK, RO, VN, YE](deny)
Replace the countries between the square brackets [ ] with the countries you wish to block.
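Steps 3 and 4 can be scripted so that no country is dropped or mistyped while copying. The following Python sketch is an added example, not Symantec code. It assumes the saved CPL text carries the old conditions in the supplier.country=(...) form with two-letter country codes inside the parentheses; the function names and the sample text are hypothetical.

```python
import re

# Assumed form of the old condition in the saved CPL text, following the
# page's "supplier.country=()" notation with codes inside the parentheses.
OLD_CONDITION = re.compile(r"supplier\.country\s*=\s*\(([^)]*)\)")
CODE = re.compile(r"^[A-Z]{2}$")


def extract_countries(saved_cpl):
    """Collect country codes from every supplier.country=(...) condition."""
    codes, rejected = [], []
    for match in OLD_CONDITION.finditer(saved_cpl):
        for token in match.group(1).split(","):
            token = token.strip().strip('"').upper()
            if not token:
                continue
            if CODE.match(token):
                if token not in codes:  # merge duplicates across rules
                    codes.append(token)
            else:
                rejected.append(token)  # needs manual review
    return sorted(codes), rejected


def build_policy(codes):
    """Return the replacement CPL layer in the form shown on this page."""
    if not codes:
        raise ValueError("no country codes found; refusing to emit an empty list")
    return "<Proxy>\nsupplier.allowed_countries[%s](deny)\n" % ", ".join(codes)


# Constructed sample of a saved CPL file (not real VPM output).
SAMPLE = """\
; constructed sample
<Proxy>
  supplier.country=(KP, ir, CU) deny
  supplier.country=(IR, "SY", Narnia) deny
"""

if __name__ == "__main__":
    found, bad = extract_countries(SAMPLE)
    if bad:
        print("review by hand, not two-letter codes:", bad)
    print(build_policy(found))
```

Compare the generated country list against the original VPM policy before installing it in step 5.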
Symantec is aware of this issue and will update this document when a solution becomes available. It is not necessary to log a support case on this issue.
Subscribe to this article to be notified of any updates.
Related Documents: supplier.allowed_countries, supplier.country