Unexpected Policy in Policy Trace

Article ID: 173575

Products

ProxySG Software - SGOS

Issue/Introduction

SGOS policy trace shows unexpected or unknown rules in each transaction in the policy trace file.

        <[email protected]> [builtin-prolog:372]
 MATCH:         variable.bc_notify1(empty1) variable.bc_notify2(empty2)

        <[email protected] TRL_default_setting> [builtin-prolog:323]
 MATCH:         url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)")

        <[email protected] TRL_default_setting> [builtin-prolog:329]
 MATCH:         request.header.Referer.url.threat_risk.level=0..10 variable.request.header.Referer.url.threat_risk.effective_level("$(request.header.Referer.url.threat_risk.level)")

        <[email protected] TRL_default_setting> [builtin-prolog:335]
 MATCH:         server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)")

...

Assigned values of transaction variables:
        dns.request.threat_risk.effective_level=(value undetermined)
        url.threat_risk.effective_level=2
        request.header.Referer.url.threat_risk.effective_level=2
        server_url.threat_risk.effective_level=2
        server.certificate.hostname.threat_risk.effective_level=(value undetermined)
        bc_notify1=empty1
        bc_notify2=empty2

Cause

The first part of the trace is produced by the built-in prolog and epilog, where the proxy sets variables that are later used in policy evaluation. You may not see all of them in a given transaction; for example, the request may not trigger the Apparent Data Type variable, or the malware scanning policy could be disabled. Which variables appear also depends on the SGOS version.

The prolog is evaluated before the locally modifiable policy, while the epilog is evaluated after it. To see the prolog and epilog on your SGOS appliance, log in to the CLI via SSH or the serial console and run these commands:

en
conf t
show sources policy builtin-prolog
show sources policy builtin-epilog

Environment

ProxySG or ASG. "Proxy" represents both devices in this scenario.

Resolution

The bottom part of the output, "Assigned values of transaction variables", shows the values the variables were assigned during policy evaluation. In the example above, the threat_risk.effective_level lines show that, because this device has the BCIS license, it can use the risk level variables defined in the prolog, and the request in this transaction was assigned a risk level of 2.

From prolog file:

;==================================================================================
;Threat risk level override feature variable
;==================================================================================

define variable integer dns.request.threat_risk.effective_level
define variable integer url.threat_risk.effective_level
define variable integer request.header.Referer.url.threat_risk.effective_level
define variable integer server_url.threat_risk.effective_level
define variable integer server.certificate.hostname.threat_risk.effective_level

  ; start with the looked-up value if a numeric value exists
  server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)")
  ; cast the string values into default integer values if no numeric value exists
  variable.server_url.threat_risk.effective_level(5)
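Added example (not Broadcom or SGOS code): a small parser that splits a policy trace like the one in the Issue section into MATCH lines tagged [builtin-prolog:N] or [builtin-epilog:N], which the Cause section explains are expected, and matches from other policy files, and collects the "Assigned values of transaction variables" tail described in the Resolution. The layer names and the "local-policy" source tag in the constructed SAMPLE_TRACE are placeholders, not SGOS names.

```python
# Added example, not SGOS code: classify policy-trace MATCH lines by the policy
# file they came from ([builtin-prolog:N] / [builtin-epilog:N] vs. anything else)
# and read the "Assigned values of transaction variables" tail of the trace.
import re

RULE_RE = re.compile(r"^\s*<(?P<layer>[^>]*)>\s*\[(?P<source>[^:\]]+):(?P<line>\d+)\]\s*$")
MATCH_RE = re.compile(r"^\s*MATCH:\s*(?P<body>.+?)\s*$")
ASSIGN_RE = re.compile(r"^\s*(?P<name>[\w.]+)=(?P<value>.*?)\s*$")
BUILTIN_SOURCES = {"builtin-prolog", "builtin-epilog"}

def parse_policy_trace(text):
    s = {"builtin": [], "other": [], "assigned": {}, "undetermined": []}
    pending, in_assign = None, False  # pending = header waiting for its MATCH line
    for raw in text.splitlines():
        if raw.strip().startswith("Assigned values of transaction variables"):
            in_assign = True
            continue
        if in_assign:  # tail of the trace: one "name=value" per line
            m = ASSIGN_RE.match(raw)
            if m and m["value"] == "(value undetermined)":
                s["undetermined"].append(m["name"])
            elif m:
                s["assigned"][m["name"]] = m["value"]
        elif m := RULE_RE.match(raw):  # "<layer> [file:line]" header; MATCH follows
            pending = (m["source"], int(m["line"]), m["layer"])
        elif (m := MATCH_RE.match(raw)) and pending:
            bucket = s["builtin"] if pending[0] in BUILTIN_SOURCES else s["other"]
            bucket.append((*pending, m["body"]))  # (source, line, layer, match body)
            pending = None
    return s

# Constructed sample; layer names and "local-policy" are placeholders.
SAMPLE_TRACE = """\
        <layer_a> [builtin-prolog:372]
 MATCH:         variable.bc_notify1(empty1) variable.bc_notify2(empty2)
        <layer_b TRL_default_setting> [builtin-prolog:323]
 MATCH:         url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)")
        <layer_c MyRules> [local-policy:12]
 MATCH:         url.domain=example.com allow
Assigned values of transaction variables:
        dns.request.threat_risk.effective_level=(value undetermined)
        url.threat_risk.effective_level=2
"""

if __name__ == "__main__":
    s = parse_policy_trace(SAMPLE_TRACE)
    for src, ln, layer, body in s["builtin"] + s["other"]:
        tag = "built-in" if src in BUILTIN_SOURCES else "policy"
        print(f"[{tag}] {src}:{ln} <{layer}> {body}")
    print("assigned:", s["assigned"], "undetermined:", s["undetermined"])
```

Rules in the "built-in" bucket are the prolog/epilog matches this article describes as expected; only the "policy" bucket comes from policy you can edit.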