Access being denied to category none site even though category none is allowed.

Article ID: 184878

Products

ProxySG Software - SGOS

Issue/Introduction

The default policy action is to block.

The customer needs to allow access to category "none" sites. However, when they add a site to a custom list and that site is categorized as "none", policy on the proxy does not match the allow rule and falls through to the default deny rule.

Cause

This is expected behaviour. A rule matching category "none" returns true only if the URL matches "none" for all enabled content filters on the ProxySG, including policy-defined categories. The reason is that 'none' is not a real category but a label for the absence of any category. If a categorization match occurs in even one of the enabled content-filter databases, the label is voided for all content-filter databases, so a policy rule aiming to match 'none' will not match.

By way of example, suppose you have the following policy to allow certain categories, including category "none":

define condition AllowedCategories
    url.category=("Health","News","Reference","Shopping","none")
end condition AllowedCategories

and you have another list (in this example the list has just one entry) whose site is categorized as "none" by Intelligence Services or BCWF:

define category "CatNoneSite"
    uncategorized.dontrateme.com
end category "CatNoneSite"

Note that the category "CatNoneSite" definition does not even need to be referenced in policy for this to apply. The category exists, so when the proxy sees that the site the user is going to is in the list, it adds the category to the site, which invalidates category "none".

Policy trace with the above policy applied:

GET https://uncategorized.dontrateme.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
user: unauthenticated
authentication status='not_attempted' authorization status='not_attempted'
DENIED: Default secure policy mode
  url.category: [email protected];[email protected] Coat

Environment

ProxySG running 6.7.4.9 with Intelligence Services enabled

Customer category defined, but does not need to be enabled in policy

The custom category can be in a local database or in a policy object

Resolution

You will need to modify your policy to take this behaviour into account.
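
To find where a policy is affected, the Python below (an added example, not part of the original article or of any ProxySG tooling) scans CPL text and lists every entry in a "define category" block that a url.category list relying on "none" cannot match. The function names are hypothetical, and it assumes category entries are bare hostnames and that the category definitions live in the same text as the conditions.

```python
import re

# Constructed sample: the article's two CPL fragments joined into one policy.
SAMPLE_CPL = '''
define condition AllowedCategories
    url.category=("Health","News","Reference","Shopping","none")
end condition AllowedCategories

define category "CatNoneSite"
    uncategorized.dontrateme.com
end category "CatNoneSite"
'''

CATEGORY_BLOCK = re.compile(
    r'^[ \t]*define category "?([^"\n]+)"?[ \t]*\n(.*?)^[ \t]*end category',
    re.S | re.M)
URL_CATEGORY = re.compile(r'url\.category=\(([^)]*)\)')

def parse_policy_categories(cpl):
    """Return {category name: [entries]} for each 'define category' block."""
    return {name.strip(): [ln.strip() for ln in body.splitlines() if ln.strip()]
            for name, body in CATEGORY_BLOCK.findall(cpl)}

def effective_categories(host, policy_cats, vendor_cats=()):
    """Model of the behaviour described above: 'none' only if every source is empty.
    Assumption: entries are bare hostnames matched exactly or as a parent domain."""
    found = list(vendor_cats)
    for name, entries in policy_cats.items():
        if any(host == e or host.endswith("." + e) for e in entries):
            found.append(name)
    return found or ["none"]

def audit_none_rules(cpl):
    """Return (entry, category) pairs that a url.category list relying on
    "none" cannot match, because the entry carries a policy-defined category
    that the same list does not name."""
    policy_cats = parse_policy_categories(cpl)
    findings = []
    for listed in URL_CATEGORY.findall(cpl):
        allowed = {c.strip().strip('"') for c in listed.split(",")}
        if "none" not in allowed:
            continue
        for name, entries in policy_cats.items():
            if name not in allowed:
                findings.extend((e, name) for e in entries)
    return findings

if __name__ == "__main__":
    for entry, category in audit_none_rules(SAMPLE_CPL):
        print(f'{entry}: carries "{category}", so "none" will not match')
```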