Implement and test the SSL "CombinedAction" object, utilizing the "Client Keyring" and Server "MinMaxSSLVersion"

Article ID: 278190

Products

ISG Proxy ProxySG Software - SGOS

Issue/Introduction

Server Min Max SSL Version:

(Added in version 7.3.8) Sets the minimum and maximum versions of the SSL/TLS protocol to use for intercepted server connections. If the policy selection and OCS request multiple SSL/TLS versions, the appliance tries to negotiate the highest version that is shared between policy and server.

  • Select Min, Max, or Min and Max.
  • (Not applicable if setting only the maximum version) Specify the Minimum TLS Version:
    • Preserve: (Default behavior) Use the lowest server-offered version that the appliance supports when connecting upstream to the OCS.
    • Select: Use the selected SSL/TLS version as the minimum.
  • (Not applicable if setting only the minimum version) Specify the Maximum TLS Version:
    • Preserve: (Default behavior) Use the highest server-offered version that the appliance supports when connecting upstream to the OCS.
    • Select: Use the selected SSL/TLS version as the maximum.
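As an added example (not from the article or from Broadcom), the following Python models the version selection the text describes: the appliance negotiates the highest version shared by the policy bounds and the server's offer, and "Preserve" applies no bound on that side. The appliance support list and the server offers are constructed assumptions.

```python
from typing import Iterable, Optional

# Ordered oldest -> newest; spelling follows the CPL values in the article.
VERSIONS = ["SSLV3", "TLSV1", "TLSV1.1", "TLSV1.2", "TLSV1.3"]
# Assumed appliance support list for this simulation (not from the article).
APPLIANCE_SUPPORTED = {"TLSV1", "TLSV1.1", "TLSV1.2", "TLSV1.3"}


def _rank(version: str) -> int:
    return VERSIONS.index(version.upper())


def negotiate(server_offered: Iterable[str],
              min_version: Optional[str] = None,
              max_version: Optional[str] = None) -> Optional[str]:
    """Version the appliance would pick for the upstream (OCS) handshake.

    None for min_version/max_version means "Preserve": no policy bound is
    applied on that side, so the server's lowest/highest supported offer
    stands. Returns None when policy and server share no version, i.e. the
    handshake would fail rather than silently downgrade.
    """
    if min_version and max_version and _rank(min_version) > _rank(max_version):
        raise ValueError("minimum version is newer than maximum version")
    shared = {v.upper() for v in server_offered} & APPLIANCE_SUPPORTED
    lo = _rank(min_version) if min_version else 0
    hi = _rank(max_version) if max_version else len(VERSIONS) - 1
    candidates = [v for v in shared if lo <= _rank(v) <= hi]
    # Policy and server both accept several versions: take the highest.
    return max(candidates, key=_rank) if candidates else None


if __name__ == "__main__":
    # Constructed origin server that still offers legacy protocol versions.
    legacy = ["TLSV1", "TLSV1.1", "TLSV1.2"]
    print(negotiate(legacy))                          # Preserve: TLSV1.2
    print(negotiate(legacy, min_version="TLSV1.2"))   # floor met: TLSV1.2
    print(negotiate(legacy, min_version="TLSV1.3"))   # nothing shared: None
```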

Set Client Keyring:

Select a keyring or keylist that can provide client certificates when requested:

  • Do not send a client certificate: No keyring or keylist is selected.
  • Send the client certificate in a keyring: Select a keyring from the Keyring list.
  • Select the client certificate to send from a keylist: Select a keylist from the Keylist list. In the Selector field, type a substitution variable.
  • Emulate the original client certificate: Select a keyring from the Issuer Keyring list.

All substitution variables are supported; however recommended substitution variables for the Selector include $(user), $(group), and $(server.address). For information on substitution variables, refer to “CPL Substitutions” in the Content Policy Language Reference.

Ref.:

https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/edge-swg/7-3/visual-policy-manager/action-column-objects/set-server-min-max-ssl-version.html

https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/edge-swg/7-3/visual-policy-manager/action-column-objects/set-client-keyring.html

Resolution

The two action objects can be combined in a single "Combined Action" object. The details and snippets below come from a lab demonstration of this configuration.

The relevant entry from Policy Coverage is shown below.

          2803: <ssl> [layer 18] [vpm-cpl:35]
         47346:     server.connection.client_keyring(XXXXXXXXXX-ProxySG-SubCA) server.connection.client_issuer_keyring(no) client.connection.min_ssl_version(TLSV1.2) client.connection.max_ssl_version(TLSV1.3) trace.request(yes) trace.destination("Trace1") 

Policy Coverage reports on the rules and objects that match user requests processed through the appliance’s current policy. Policy Coverage displays all policy (Visual, Local, Central, and Forward) on the ProxySG appliance in Content Policy Language (CPL) format, just as it appears in show policy source CLI output.

The rule in the above snippet (the <ssl> layer entry at vpm-cpl:35) is the SSL Access rule we have created and implemented for user web requests. The number on the left indicates the number of times that rule matched a user request. The number on the right, in parentheses, indicates the number of times the condition in the rule has matched a user request.

To determine how frequently rules and objects match proxied requests under the current policy version, access the Policy Coverage statistics in either of the following ways:

In the Management Console, select Administration > Policy Options > Policy coverage.
Alternatively, go directly to https://<ProxySG_IP_address>:8082/policy/coverage. In version 7.3.x and later, the URL is https://<ProxySG_IP_address>:8082/policy/current-coverage.

Ref.: https://knowledge.broadcom.com/external/article/165841/how-can-i-find-which-policy-rules-are-be.html

To further demonstrate the policy at work, test web requests were run and a policy trace of those requests was collected. The trace shows the match on the SSL Access rule we implemented, with the "Client Keyring" and "MinMaxSSLVersion" actions combined in a "Combined Action" object. See the transactions below; the policy match is the <ssl> [layer 18] [vpm-cpl:35] entry in each.

Transaction 1:

start transaction -------------------
transaction ID=xxxx type=https.forward-proxy
transaction handed off from: xxxxx
    POST https://www.xxxxxxx.com/log?format=json&hasfast=true&authuser=0
        <Proxy@always> [layer 10] [builtin-prolog:142]
 MATCH:         variable.bc_notify1(empty1) variable.bc_notify2(empty2) 
        <Proxy@always ASP_variable_initialization> [layer 11] [policy-services-prolog:163] [is base]
 MATCH:         variable.asp.exemption(false) 
 
        <Proxy@audit-properties Populate_asp_security_reason_so> [layer 43] [policy-services-epilog:92]
  miss:     variable.asp.security_reason_alog_field_request_so=!none
        <Proxy@audit-properties Populate_asp_security_reason_response> [layer 44] [policy-services-epilog:94]
  miss:     variable.asp.security_reason_alog_field_response=!none
        <ssl> [layer 18] [vpm-cpl:35]
 MATCH:         server.connection.client_keyring(XXXXXXXXXX-ProxySG-SubCA) server.connection.client_issuer_keyring(no) client.connection.min_ssl_version(TLSV1.2) client.connection.max_ssl_version(TLSV1.3) trace.request(yes) trace.destination("Trace1") 
        <Proxy> [layer 19] [vpm-cpl:39]
 MATCH:         authenticate.force(no) 
        <Proxy> [layer 20] [vpm-cpl:43]
 MATCH:         ALLOW category=("Audio/Video Clips", Business/Economy, "Chat (IM)/SMS", "Cloud Infrastructure", "Computer/Information Security", "Dynamic DNS Host", Education, Email, Entertainment, "File Storage/Sharing", Finance, "Generative AI", Government/Legal, Health, Informational, "Internet Telephony", "Job Search/Careers", "Media Sharing", News, "Office/Business Applications", "Peer-to-Peer (P2P)", "Radio/Audio Streams", Religion, "Search Engines/Portals", "Society/Daily Living", "Software Downloads", "TV/Video Streams", Technology/Internet, Travel) authenticated=yes 
        <Proxy> [layer 21] [vpm-cpl:48]
 MATCH:         client.address= trace.request(yes) trace.destination("Trace1") 
 
  miss: <ssl Isolation_integration_ssl_cert> [layer 51] [policy-services-epilog:681] isolated=yes
Assigned values of transaction variables:
        dns.request.threat_risk.effective_level=(value undetermined)
        url.threat_risk.effective_level=1
        request.header.Referer.url.threat_risk.effective_level=1
        server_url.threat_risk.effective_level=1
        server.certificate.hostname.threat_risk.effective_level=(value undetermined)
        bc_notify1=empty1
        bc_notify2=empty2

connection: service.name=Explicit HTTP client.address=x.x.x.x (effective address=) proxy.port=8080 source.port=64092 dest.port=8080 client.interface=0:0.1 routing-domain=default
  location-id=0 access_type=unknown
time: 2024-01-18 16:59:54 UTC
POST https://www.xxxxxx.com/log?format=json&hasfast=true&authuser=0
rewritten URL(s):
  cache_url=https://www.xxxxxx.com/log?format=json&hasfast=true&authuser=0&bcsi_scan_f454a9c809b1f5c5=HN2klxAaDNMjIeOueUivXxWiNVgBAAAA/ykAAA==
origin server next-hop IP address=x.x.x.x
Content-Length: 227039
Referer: https://chat.xxxxxxxx.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
user: name="XXXXXXXXXX\xxxxxxxx" realm=XXXXXXXXXX
authentication start 0 elapsed 0 ms
authorization start 0 elapsed 0 ms
authentication status='none' authorization status='none'
user: authenticated=true authorized=true relative username='xxxxxxxx'
supplier.ip: x.x.x.x
supplier.country: United States
supplier.failures: -
verdict: ALLOWED
  url.category: none@Policy;none@IWF;Search Engines/Portals@Blue Coat
    category groups: Business Related@Blue Coat;Information Related@Blue Coat
    total categorization time: 0
    static categorization time: 0
  request.header.Referer.url.category: none@Policy;none@IWF;Chat (IM)/SMS@Blue Coat
    category groups: Communication@Blue Coat;Non-Productive@Blue Coat
    total categorization time: 0
    static categorization time: 0
  server.certficate.hostname.category: none@Policy;none@IWF;Search Engines/Portals@Blue Coat
    category groups: Business Related@Blue Coat;Information Related@Blue Coat
    total categorization time: 0
    static categorization time: 0
server.response.code: 200
client.response.code: 200
client.request.version:  HTTP/2
server.response.version: HTTP/2
application.name: none
application.operation: none
application.group: none
DSCP client outbound: 65
DSCP server outbound: 65
set response header 'Cache-Control'
  value='private, proxy-revalidate'
ICAP RESPMOD Scan Summary: 
  Error code: none
Total time added: 3 ms
Total latency to first byte: 3 ms
   Request latency: 1 ms
  OCS connect time: 0 ms
  Response latency (first byte): 2 ms
   Response latency (last byte): 2 ms
stop transaction --------------------

 

Transaction 2:

start transaction -------------------
transaction ID=10757 type=tcp.health-check
    unknown tcp://x.x.x.x:443/
        <Forward@serv-conn TRL_default_setting_server_url> [layer 8] [builtin-prolog:106]
  miss:     server_url.threat_risk.level=0..10
 MATCH:         variable.server_url.threat_risk.effective_level(5) 
        <ssl> [layer 18] [vpm-cpl:35]
 MATCH:         server.connection.client_keyring(XXXXXXXXXX-ProxySG-SubCA) server.connection.client_issuer_keyring(no) client.connection.min_ssl_version(TLSV1.2) client.connection.max_ssl_version(TLSV1.3) trace.request(yes) trace.destination("Trace1") 
  miss: <ssl Isolation_integration_ssl_cert> [layer 51] [policy-services-epilog:681] isolated=yes
Assigned values of transaction variables:
        dns.request.threat_risk.effective_level=(value undetermined)
        url.threat_risk.effective_level=(value undetermined)
        request.header.Referer.url.threat_risk.effective_level=(value undetermined)
        server_url.threat_risk.effective_level=5
        server.certificate.hostname.threat_risk.effective_level=(value undetermined)
       

connection: service.name=health-check client.address=x.x.x.x (effective address=x.x.x.x) proxy.port=0 source.port=0 dest.port=0 client.interface=255:255.0 routing-domain=
  location-id=0 access_type=unknown
time: 2024-01-18 16:59:57 UTC
unknown tcp://y.y.y.y:443/
origin server next-hop IP address=x.x.x.x
user: unauthenticated
authentication status='not_attempted' authorization status='not_attempted'
user: authenticated=false authorized=true relative username=''
supplier.ip: x.x.x.x
supplier.country: United States
supplier.failures: -
verdict: ALLOWED
  url.category: none
    category groups: none
    total categorization time: 0
    static categorization time: 0
    dynamic categorization was suppressed by configuration
application.name: none
application.operation: none
application.group: none
DSCP client outbound: 65
DSCP server outbound: 65
Transaction timing: total-transaction-time 4 ms
  Checkpoint timings:
    server-out: start 1 elapsed 0 ms
    stop-transaction: start 4 elapsed 0 ms
    Total Policy evaluation time: 0 ms
  url_categorization complete time: 0
stop transaction --------------------

 

Transaction 3:

start transaction -------------------
transaction ID=10764 type=http.proxy
    CONNECT tcp://meet.xxxxxxxx.com:443/
        <Proxy@always> [layer 10] [builtin-prolog:142]
 MATCH:         variable.bc_notify1(empty1) variable.bc_notify2(empty2) 
        <Proxy@always ASP_variable_initialization> [layer 11] [policy-services-prolog:163] [is base]
 MATCH:         variable.asp.exemption(false) 
        <Cache@always CSP_variable_initialization> [layer 12] [policy-services-prolog:176] [is base]
 MATCH:         variable.csp.content_exemption(false) variable.csp.respmod_icap_overridden(false) 
        <Cache@trans CSP_variable_initialization> [layer 12] [policy-services-prolog:176] [has base@[always]]
 MATCH:         variable.csp.protection_level_decision("$(config.customer.csp.protection_level)") 
        <Proxy@req-url2 TRL_default_setting_url> [layer 6] [builtin-prolog:94]
 MATCH:         url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") 
        <Proxy@req-url2 ASP_variable_initialization> [layer 11] [policy-services-prolog:163] [has base@[always]]
 MATCH:         variable.asp.request_violated(false) variable.asp.reason_request(none) variable.asp.security_reason_alog_field_request(none) 
        <Proxy@req-url2 ASP_Security_Eval> [layer 33] [policy-services-epilog:18] [is base]
 MATCH:   [Rule]    variable.asp.exemption=false 
 MATCH:         policy.ASP_Strong_Security@req-url2  ; Optimizer: constant true
        <Proxy@req-hdrs TRL_default_setting_referer> [layer 7] [builtin-prolog:100]
   n/a:     request.header.Referer.url.threat_risk.level=0..10
 MATCH:         variable.request.header.Referer.url.threat_risk.effective_level(5) 
        <Proxy@client-ea-property> [layer 25] [central:56]
 MATCH:         client.effective_address.request("$(request.x_header.X-PolicyTester-IP)") 
        <Proxy@auth-property> [layer 19] [vpm-cpl:39]
 MATCH:         authenticate(XXXXXXXXXX) authenticate.mode(auto) 
 
        <Proxy@service-req ASP_DSP_request> [layer 34] [policy-services-epilog:27]
  miss:     variable.asp.request_violated=true
        <Proxy@isolation-properties Initialize_isolation_var> [layer 13] [policy-services-prolog:725]
 MATCH:         variable.isolation.add_user("$(x-isolation-add-user)") variable.isolation.add_group("$(x-isolation-add-groups)") variable.isolation.add_xff("$(x-isolation-add-xff)") 
  miss:     variable.asp.security_reason_alog_field_request_so=!none
        <Proxy@audit-properties Populate_asp_security_reason_response> [layer 44] [policy-services-epilog:94]
  miss:     variable.asp.security_reason_alog_field_response=!none
        <ssl> [layer 18] [vpm-cpl:35]
 MATCH:         server.connection.client_keyring(XXXXXXXXXX-ProxySG-SubCA) server.connection.client_issuer_keyring(no) client.connection.min_ssl_version(TLSV1.2) client.connection.max_ssl_version(TLSV1.3) trace.request(yes) trace.destination("Trace1") 
        <Proxy> [layer 19] [vpm-cpl:39]
 MATCH:         authenticate.force(no) 
        <Proxy> [layer 20] [vpm-cpl:43]
  miss:     category=("Audio/Video Clips", Business/Economy, "Chat (IM)/SMS", "Cloud Infrastructure", "Computer/Information Security", "Dynamic DNS Host", Education, Email, Entertainment, "File Storage/Sharing", Finance, "Generative AI", Government/Legal, Health, Informational, "Internet Telephony", "Job Search/Careers", "Media Sharing", News, "Office/Business Applications", "Peer-to-Peer (P2P)", "Radio/Audio Streams", Religion, "Search Engines/Portals", "Society/Daily Living", "Software Downloads", "TV/Video Streams", Technology/Internet, Travel)
 MATCH:         DENY 
        <Proxy> [layer 21] [vpm-cpl:48]
 MATCH:         client.address= trace.request(yes) trace.destination("Trace1") 
        <Proxy> [layer 22] [central:6]
  miss:     url.domain=/cb670c993724f476/exception_javascript.js
  miss:     url.domain=/cb670c993724f476/exception_stylesheet.css
        <Proxy> [layer 23] [central:24]
  miss:     url.domain=//advertisment.XXXXXXXXXX.com/
  miss:     url.domain=//testxxxxxx.com/
  miss:     url.port=80
        <Proxy> [layer 24] [central:36]
  miss:     request.x_header.X-ThreatPulse-Info="ThreatPulseInfo"
  miss:     request.x_header.X-ThreatPulse-Info.exists=yes
  miss:     client.address=!x.0.0.0/16
        <Proxy> [layer 31] [central:84]
  miss:     request.x_header.X-PolicyTester.exists=yes

        <Proxy> [layer 32] [central:100]
  miss:     request.x_header.X-PolicyTester-Info="bulk"
  miss:     request.x_header.X-PolicyTester-Info="single"
  miss:     request.x_header.X-PolicyTester-Info.exists=yes
        <Proxy ASP_DSP_SO> [layer 35] [policy-services-epilog:31]
  miss:     variable.asp.request_so_violated=true
        <Proxy ASP_DSP_active_content> [layer 37] [policy-services-epilog:39]
  miss:     variable.asp.strip_active_content=true
 
  miss: <ssl Isolation_integration_ssl_cert> [layer 51] [policy-services-epilog:681] isolated=yes
Assigned values of transaction variables:
        dns.request.threat_risk.effective_level=(value undetermined)
        url.threat_risk.effective_level=1
        request.header.Referer.url.threat_risk.effective_level=5
        server_url.threat_risk.effective_level=1
        server.certificate.hostname.threat_risk.effective_level=(value undetermined)
        bc_notify1=empty1
        bc_notify2=empty2

connection: service.name=Explicit HTTP client.address= (effective address=) proxy.port=8080 source.port=64097 dest.port=8080 client.interface=0:0.1 routing-domain=default
  location-id=0 access_type=unknown
time: 2024-01-18 17:00:03 UTC
CONNECT tcp://yyyy.xxxxxx.com:443/
  DNS lookup was unrestricted
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
user: name="XXXXXXXXXX\xxxxxxxx" realm=XXXXXXXXXX
authentication start 1 elapsed 0 ms
authorization start 1 elapsed 0 ms
authentication status='none' authorization status='none'
user: authenticated=true authorized=true relative username='xxxxxxxx'
supplier.ip: 
supplier.country: None
supplier.failures: -
verdict: ALLOWED (handed off)
  url.category: none@Policy;none@IWF;Online Meetings@Blue Coat
    category groups: Communication@Blue Coat;Non-Productive@Blue Coat
    total categorization time: 1
    static categorization time: 1
server.response.code: 0
client.response.code: 200
client.request.version:  HTTP/1.1
server.response.version: 
application.name: none
application.operation: none
application.group: none
DSCP client outbound: 65
DSCP server outbound: 65
bytes received from client: 2843
bytes sent to server      : 0
bytes received from server: 0
bytes sent to client      : 39
Transaction timing: total-transaction-time 2 ms
  Checkpoint timings:
    new-connection: start 1 elapsed 0 ms
    client-in: start 1 elapsed 0 ms
    access-logging: start 2 elapsed 0 ms
    stop-transaction: start 2 elapsed 0 ms
    Total Policy evaluation time: 0 ms
  url_categorization complete time: 1
  client connection: first-response-byte 0 last-response-byte 2
  access-logging: precompute_fields: 0 ms, logging: 0 ms
stop transaction --------------------
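Reading the <ssl> layer match out of each transaction by hand does not scale to a full trace, so here is an added Python checker (not part of the article or of SGOS) that splits policy-trace text like the transactions above into transactions, pulls the Combined Action settings out of the matched <ssl> rule, and flags a missing match, a missing client keyring, a minimum above the maximum, or a floor below TLSv1.2. The embedded sample trace is constructed for the example.

```python
import re
from typing import Dict, List, Optional

VERSIONS = ["SSLV3", "TLSV1", "TLSV1.1", "TLSV1.2", "TLSV1.3"]
SSL_LAYER = re.compile(r"^\s*<ssl>\s*\[layer \d+\]")
PROP = re.compile(r"([\w.]+)\(([^)]*)\)")

# Constructed sample trace (layout follows the transactions above): ID=1
# matches cleanly, ID=2 carries a weak floor, ID=3 never reaches <ssl>.
SAMPLE_TRACE = """\
start transaction -------------------
transaction ID=1 type=https.forward-proxy
        <ssl> [layer 18] [vpm-cpl:35]
 MATCH:         server.connection.client_keyring(Lab-SubCA) client.connection.min_ssl_version(TLSV1.2) client.connection.max_ssl_version(TLSV1.3)
stop transaction --------------------
start transaction -------------------
transaction ID=2 type=https.forward-proxy
        <ssl> [layer 18] [vpm-cpl:35]
 MATCH:         server.connection.client_keyring(Lab-SubCA) client.connection.min_ssl_version(TLSV1) client.connection.max_ssl_version(TLSV1.3)
stop transaction --------------------
start transaction -------------------
transaction ID=3 type=tcp.health-check
stop transaction --------------------
"""


def parse_ssl_rule(transaction: str) -> Optional[Dict[str, str]]:
    """Return the CPL properties of the <ssl> rule that matched, else None."""
    lines = transaction.splitlines()
    for hdr, nxt in zip(lines, lines[1:]):
        if SSL_LAYER.match(hdr) and nxt.lstrip().startswith("MATCH:"):
            return dict(PROP.findall(nxt.split("MATCH:", 1)[1]))
    return None


def check_trace(trace: str) -> Dict[str, List[str]]:
    """Map each transaction ID to the findings for its <ssl> rule."""
    report: Dict[str, List[str]] = {}
    for body in trace.split("start transaction")[1:]:
        tid = re.search(r"transaction ID=(\w+)", body)
        props = parse_ssl_rule(body)
        findings: List[str] = []
        if props is None:
            findings.append("ssl rule did not match")
        else:
            lo = props.get("client.connection.min_ssl_version", "").upper()
            hi = props.get("client.connection.max_ssl_version", "").upper()
            if not props.get("server.connection.client_keyring"):
                findings.append("no client keyring")
            if lo in VERSIONS and hi in VERSIONS and VERSIONS.index(lo) > VERSIONS.index(hi):
                findings.append("min above max")
            if lo in VERSIONS and VERSIONS.index(lo) < VERSIONS.index("TLSV1.2"):
                findings.append("floor below TLSv1.2")
        report[tid.group(1) if tid else "?"] = findings
    return report
```

Feed the text of a real trace file to check_trace; health-check transactions that never evaluate the <ssl> layer will show up as "ssl rule did not match", which is expected rather than a policy error.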