Edge SWG (formerly ProxySG) Policy Condition to Test Appliance Name
search cancel

Edge SWG (formerly ProxySG) Policy Condition to Test Appliance Name

book

Article ID: 254731

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

As of SGOS 7.3.11.1 and later, you can now test the configured name of an appliance in policy. Depending on the name of the current appliance, the condition evaluates to either true or false. In both cases, at least some of the affected rules or layers are removed from the compiled policy to optimize policy evaluation (as long as # (config) policy optimize-tautology is enabled; it is enabled by default).

 

Resolution

If a rule or layer guard including this condition always evaluates to true, the compiled policy omits the condition from the rule or layer. If a rule or layer guard including this condition always evaluates to false, the compiled policy omits the rule or layer. You can verify the effective policy in the installed policy files and in the > show policy executable CLI output.

If # (config) policy optimize-tautology is enabled, you receive one of two messages when installing the policy:

  • "Optimizer: reducing constant false rule"
  • "Optimizer: reducing constant true rule"

Additional Information

The CPL (Content Policy) syntax is as follows:

appliance.name[.string_modifier][.case_sensitive|.case_insensitive]=pattern[,pattern2,..]

Where:

  • string_modifier: A supported string modifier:
    • exact ­– (Default) Match the string exactly.
    • prefix ­– Match the start of a string.
    • regex ­– Regular expression match; see Regex Reference .
    • substring ­– Match part of a string.
    • suffix ­– Match the end of a string.
  • case_sensitive: Perform a case-sensitive match.
  • case_insensitive: Perform a case-insensitive match.
  • pattern: Type-appropriate test expression, such as a quote-delimited string expression or a regular expression.

 

Policy Example

Consider the following policy that installed on an appliance named SGOS_1. 

In the following policy, the first rule evaluates to false and the second rule evaluates to true:

<Proxy "Requests for sites categorized as Sports or Games">  
  appliance.name="SGOS_3" category=(Sports, Games) deny
  appliance.name="SGOS_1" category=(Sports, Games) exception(content_filter_denied)

The compiled policy removes the rule for SGOS_3 and the appliance.name= condition in the second rule:

<Proxy "Requests for sites categorized as Sports or Games">   [layer 25] [vpm-cpl:3255]
    category=(Sports, Games) exception(content_filter_denied) 

 

 

 

 

Powered by Wolken Software