Access being denied to category none site even thought category none is allowed.


Article ID: 184878


Updated On:


ProxySG Software - SGOS


Default policy action is to block

Customer needs to allow access to category none sites, however when they add a site to a custom list and that site is categorized as category none policy on the proxy does not match the allow rule and falls through to the default deny rule.


This is expected behaviour. A rule matching for category "none" will only return true if the URL matches "none" for all enabled content-filters on the ProxySG, including policy defined categories. The reason for this is that 'none' isn't a real category but in fact a label for the absence of any category. As such, if a categorization match occurs in even just one of the enabled content-filter databases, this will void the label for all content-filter databases, so a policy rule aiming to match 'none' will not match.


By way of example if you have the following policy to allow certain categories, including category "none"

define condition AllowedCategories
end condition AllowedCategories

and you have another list (in this example the list just has one entry) and that site is categorized as "none" by Intelligence Services or BCWF

define category "CatNoneSite"
end category "CatNoneSite"


Note the category "CatNoneSite" definition doesn't even need to be called in policy for this to apply, the category exists and the proxy checks against it on seeing the site that the user is going to is in the list, it adds the category to the site thus invalidating category none

Policy trace with above policy applied

User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
user: unauthenticated
authentication status='not_attempted' authorization status='not_attempted'
DENIED: Default secure policy mode
  url.category: [email protected];[email protected] Coat


ProxySG running with Intelligence services enabled

Customer category defined, but does not need to be enabled in policy

The custom category can be in a local database or in a policy object


You will need to modify your policy to take into account this behaviour