Testing procedure for HRI Implementation.
search cancel

Testing procedure for HRI Implementation.


Article ID: 243153


Updated On:


Web Isolation Cloud


Testing procedure for HRI Implementation.


HRI Configuration from CLI

Policy Configurations:

CombinedDestination2 applies to the URLs configured to not be isolated.

CombinedDestination1 applies to the URLs configured to be isolated.

Test Results:

For the https://bbc.co.uk & https://support.broadcom.com URLs, we receive the "This page is not valid for High Risk Isolation" message, which is quite expected, as both URLs are not "uncategorized' and certainly not high-risk URLs. This test /result is really significant, as it shows that the HRI configurations are correct and that HRI works.

To further validate this, we were able to find Broadcom's test rating "Uncategorized" URL: http://uncategorized.dontrateme.com, and utilizing the same in policy and testing, we have the below.

With the http://uncategorized.dontrateme.com URL, we can see that it is uncategorized and accessible but not isolated. Again, this is expected because the risk level for this URL is "none", from the Proxy this implementation is done. So, the risk level isn't high, as required by the design of the HRI solution. See the below snippet, for reference. 

So, we certainly expect that with uncategorized URLs with high-risk levels 5 and above, isolation would happen successfully. Please for any suck URL(s) to be utilized in this implementation, ensure to test its/their categorization, from content filtering, and its/their risk level, from Threat Risk Level, on the Proxy where the implementation is done, to be correct,

Finally, from the health checks, we also confirm that isolation is active and running on the ProxySG appliance. See the below. See the highlighted service.


If the Web Isolation policy does not behave as expected, you can review the access log to check if requests are isolated. In the Management Console, select Configuration > Access Logging > Formats. Create a new log format or edit an existing one, and add the x-isolated access log field to it. If the policy includes the isolated= gesture, the access log will indicate yes or no as well as the protocol and URL for the transaction.

For other possible troubleshooting guidance, please refer to the reference Tech. Article with the URL below.