The purpose of this article is to give a brief description of each policy layer in the VPM (Visual Policy Manager) and to explain what a policy trace taken in a given layer will contain.
Admin Authentication layer: Determines how administrators connecting to the Edge SWG (ProxySG) Appliance must authenticate. This is not to be confused with Web Authentication: Admin Authentication applies only to administrators logging in to the Edge SWG (ProxySG) for management purposes, not to users browsing through the proxy. A policy trace in this layer shows which rules an administrator matches when connecting to the appliance for management (on port 8082 by default).
Admin Access layer: Determines who can access the appliance to perform administration tasks and the level of privilege they have on the device (Read or Read/Write). A policy trace in this layer is useful when there is an issue with management privileges.
Admin Login Banner layer (added in version 6.6.4.3): Configures the notice and consent banner that is displayed before a user can access the Management Console.
DNS Access layer: The Edge SWG (ProxySG) can act as a primary or secondary DNS server for users; this layer controls that DNS proxy feature.
SOCKS Authentication Layer: Determines the method of authentication for accessing the proxy through the SOCKS protocol. This only applies to traffic that is intercepted by the SOCKS proxy service (port 1080 by default).
SSL Intercept layer: Determines whether HTTPS traffic is intercepted (decrypted) or tunneled. When troubleshooting issues with HTTPS sites, it is strongly recommended to create a policy trace in this layer.
SSL Access layer: Determines the allow/deny actions for HTTPS traffic based on parameters located in the SSL handshake.
Web Authentication layer: Determines whether clients browsing through the proxy must authenticate.
Web Access layer: Determines what clients can and cannot access on the Web, and specifies any restrictions that apply to HTTP traffic and decrypted HTTPS traffic.
Web Content Layer: Determines caching behavior, such as verification and Content Analysis redirection.
Web Request Layer: Determines if a transaction is denied at the request stage without accessing the origin server.
Forwarding Layer: Determines forwarding hosts and methods.
CPL layer: Allows you to write Content Policy Language (CPL) directly in the VPM. The same CPL can also be installed in other policy files, such as the Local or Central policy files.
A policy trace records how the installed policy evaluates transactions passing through the proxy. For more information on how to create and read a policy trace, refer to the article Use policy tracing to debug access denied errors or website accessibility issues.
Which transactions (and which rules) a trace captures depends on the layer in which the Track object is created, and this is not always intuitive. For example, a Track object created in a Web Access layer records not only the Web Access rules but also the rules matched in the following layers:
- Web Authentication
- Web Content
- Web Request
- Forwarding
- SSL Access
- SOCKS Authentication
- CPL layers (including those in other policy files)
It is important to note that SSL Intercept rules can only be traced by creating a Track object in an SSL Intercept layer. The same applies to the remaining layers (such as the Admin Authentication or Admin Access layers): each must be traced from a Track object in a layer of its own type.
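The following CPL is an added illustration, not code from the original article or from the vendor, of how the layer dependency described above looks when expressed in a CPL layer rather than with VPM Track objects. It enables a trace for a single test client in a <Proxy> layer (the CPL equivalent of a Web Access layer) and, separately, in an <SSL-Intercept> layer, because the <Proxy> trace does not cover SSL Intercept rules. The client address, the condition name and the trace file name are assumptions chosen for the example; the layer placement mirrors what the VPM generates for a Track object in the corresponding layer.

```cpl
; Added example (not from the original article). Assumed values: the test
; client 10.1.2.3, the condition name TraceClient and the trace file name.

; Scope the trace to one client. Tracing every transaction slows policy
; evaluation and quickly fills the trace file, so never install an unscoped
; trace on a production appliance.
define condition TraceClient
    client.address=10.1.2.3
end

; <Proxy> corresponds to a VPM Web Access layer. A trace enabled here also
; records the rules matched in the Web Authentication, Web Content,
; Web Request, Forwarding, SSL Access, SOCKS Authentication and CPL layers.
<Proxy>
    condition=TraceClient trace.request(yes) trace.rules(all) trace.destination("trace_test_client.html")

; SSL Intercept rules are evaluated in their own layer and are not covered by
; the <Proxy> trace above, so the same trace must be enabled here as well.
<SSL-Intercept>
    condition=TraceClient trace.request(yes) trace.rules(all) trace.destination("trace_test_client.html")

; Remove both rules once troubleshooting is finished.
```

Installing this in a CPL layer is equivalent to adding a Track object with a Trace action in both a Web Access layer and an SSL Intercept layer; the resulting trace file is read as described in the referenced article. trace.rules(all) records every rule evaluated, including the ones that did not match, which is usually what you want when working out why a transaction is denied.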