Late condition guards early action

Article ID: 173456

Products

ProxySG Software - SGOS

Issue/Introduction

You have a ProxySG or ASG device, and policy installation fails with the error "Late condition guards early action".

Error syntax:

Error: Late condition guards early action
Condition '{condition name}' vpm-cpl:xxxx
Action '{action name}' vpm-cpl:xxxx

Error for the sample CPL:

Error: Late condition guards early action
Condition 'user=username' vpm-cpl:29
Action 'authenticate(no)' vpm-cpl:30

Cause

In this particular case the problem is that, in the CPL, the Web Access layer (authorization) and the Web Authentication layer (authentication) are one and the same layer, designated with the "<proxy>" tag.

When we examine the two rules in the example, the first is an authorization rule: it says that if the username is "username", the request gets the allow action.

The second rule, however, says that a client with IP address 1.1.1.1 should not be authenticated, which makes it an authentication rule.

Environment

This error applies regardless of which policy file you use: Local, Central, Forward or Visual Policy Manager (VPM). It can have many causes. In a nutshell, it means that the proxy cannot compile the policy because the action depends on a condition that cannot be met at that point.

In this KB article I will demonstrate this with the following Content Policy Language (CPL) code:

<proxy> ; this is a layer
user=username allow ; this is rule 1
client.address=1.1.1.1 authenticate(no) ; this is rule 2

Resolution

In VPM this mistake is impossible, because authorization rules can only be created in a Web Access layer and authentication rules only in a Web Authentication layer.

CPL is meant for advanced users, who must know that the two must never be placed in the same layer.

The solution is to place the second rule in its own layer.

<proxy authorization> ; this is the authorization layer
user=username allow ; this is rule 1

<proxy authentication> ; this is the authentication layer
client.address=1.1.1.1 authenticate(no) ; this is rule 1

And here is evidence of successful installation.

NOTE: The strings "authorization" and "authentication" in the proxy layer definitions can be used but are not mandatory; they were used only for demonstration purposes.
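To catch this layout before a policy install fails, here is an added example (not part of this KB article or of SGOS) of a small lint that scans CPL text and reports any <proxy> layer that holds both a rule with an authentication-dependent condition (user=, group=, ...) and a rule with an authenticate() action. The condition and action lists are assumptions that approximate the compiler's check and are not exhaustive; the sample CPL is constructed from the article.

```python
import re
from typing import List, Tuple

# Constructed samples (not from a real ProxySG policy file): the article's CPL
# with the <proxy> header the Cause section describes, and the split version.
BROKEN_CPL = """\
<proxy> ; this is a layer
user=username allow ; this is rule 1
client.address=1.1.1.1 authenticate(no) ; this is rule 2
"""
FIXED_CPL = """\
<proxy authorization> ; this is the authorization layer
user=username allow ; this is rule 1

<proxy authentication> ; this is the authentication layer
client.address=1.1.1.1 authenticate(no) ; this is rule 1
"""

# Assumed, non-exhaustive: conditions that need a completed authentication
# ("late") and actions that decide whether authentication happens ("early").
LATE_CONDITION = re.compile(r"\b(user|group|realm|user\.domain)=", re.IGNORECASE)
EARLY_ACTION = re.compile(r"\bauthenticate\s*\(", re.IGNORECASE)
LAYER_HEADER = re.compile(r"^<\s*(\w+)[^>]*>")

def find_mixed_layers(cpl: str) -> List[Tuple[str, List[int], List[int]]]:
    """(layer header, late-condition lines, early-action lines) for each <proxy>
    layer holding both, the layout SGOS rejects with this article's error."""
    found: List[Tuple[str, List[int], List[int]]] = []
    header, in_proxy, late, early = "", False, [], []

    def close_layer() -> None:  # reads the enclosing layer state at call time
        if in_proxy and late and early:
            found.append((header, late, early))

    for lineno, raw in enumerate(cpl.splitlines(), start=1):
        line = raw.split(";", 1)[0].strip()  # drop the CPL ';' comment
        if not line:
            continue
        m = LAYER_HEADER.match(line)
        if m:  # a new layer starts; evaluate the one just finished
            close_layer()
            header, in_proxy = line, m.group(1).lower() == "proxy"
            late, early = [], []
            continue
        if in_proxy and LATE_CONDITION.search(line):
            late.append(lineno)
        if in_proxy and EARLY_ACTION.search(line):
            early.append(lineno)
    close_layer()
    return found
```

Running find_mixed_layers on BROKEN_CPL reports the single <proxy> layer with the late condition on line 2 and the early action on line 3, while FIXED_CPL reports nothing.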
