Default policy action is to block
Customer needs to allow access to category none sites, however when they add a site to a custom list and that site is categorized as category none policy on the proxy does not match the allow rule and falls through to the default deny rule.
This is expected behaviour. A rule matching for category "none" will only return true if the URL matches "none" for all enabled content-filters on the ProxySG, including policy defined categories. The reason for this is that 'none' isn't a real category but in fact a label for the absence of any category. As such, if a categorization match occurs in even just one of the enabled content-filter databases, this will void the label for all content-filter databases, so a policy rule aiming to match 'none' will not match.
By way of example if you have the following policy to allow certain categories, including category "none"
define condition AllowedCategories
end condition AllowedCategories
and you have another list (in this example the list just has one entry) and that site is categorized as "none" by Intelligence Services or BCWF
define category "CatNoneSite"
end category "CatNoneSite"
Note the category "CatNoneSite" definition doesn't even need to be called in policy for this to apply, the category exists and the proxy checks against it on seeing the site that the user is going to is in the list, it adds the category to the site thus invalidating category none
Policy trace with above policy applied
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
authentication status='not_attempted' authorization status='not_attempted'
DENIED: Default secure policy mode
url.category: [email protected];[email protected] Coat
ProxySG running 18.104.22.168 with Intelligence services enabled
Customer category defined, but does not need to be enabled in policy
The custom category can be in a local database or in a policy object
You will need to modify your policy to take into account this behaviour