Application controls using POST method in UPE


Article ID: 377362


Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

In a UPE environment, sending emails needs to be blocked by policy. Blocking the "Send Email" operation with a "Deny" action, or allowing the Email category while negating the "Send Email" operation (where everything else is denied), does not prevent emails from being sent.

Environment

Cloud SWG with UPE (Universal Policy Enforcement), where policies are managed via Management Center

Cause

This is applicable only to:

  • UPE
  • application controls that are using POST methods
  • deny action

If all of the above conditions are true, a simple "Deny" is not sufficient to block the specific activity. In this case it needs to be blocked with the "Force Deny" action.

Resolution

The policy below was set up to block sending emails using Gmail.

  • To allow access to email but block the send operation, this CPL policy may be used:

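#if enforcement=universal

; Matches requests identified as the Gmail application
define condition gmail-readonly
  request.application.name=Gmail
end condition gmail-readonly

<Proxy>
; FORCE_DENY (not DENY) on the "Send Email" operation
condition=gmail-readonly request.application.operation="Send Email" FORCE_DENY

#endif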

  • Alternatively, this VPM-based policy works as well:

where:

    • there is a Combined Destination of the "Gmail" Application and the "Send Email" Operation in Rule #1:

    • there is a destination for just the "Gmail" Application in Rule #2
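
To find other rules affected by the condition described under Cause, the sketch below scans exported CPL text for application-operation rules inside `#if enforcement=universal` blocks that use a plain DENY instead of FORCE_DENY. It is an added example, not Broadcom code: the function name and the sample policy are constructed for illustration, and the match is a line-based heuristic rather than a CPL parser. Because the policy text does not show which operations use POST, every operation-based DENY rule is reported for review.

```python
import re

# Heuristic, text-based check; this is not a CPL parser.
OPERATION_TEST = re.compile(r"request\.application\.operation\s*=", re.I)
# A bare DENY action: not part of FORCE_DENY or of a hyphenated/dotted name.
PLAIN_DENY = re.compile(r"(?<![\w.\-])deny(?![\w.\-])", re.I)
UNIVERSAL_IF = re.compile(r"^#if\s+enforcement\s*=\s*universal\b", re.I)


def find_plain_deny_operation_rules(cpl_text):
    """Return (line_number, rule) pairs for operation rules that use DENY
    rather than FORCE_DENY inside '#if enforcement=universal' blocks."""
    findings = []
    open_ifs = []  # one flag per open #if: True if it is enforcement=universal
    for number, raw in enumerate(cpl_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or CPL comment
            continue
        if line.lower().startswith("#if"):
            open_ifs.append(bool(UNIVERSAL_IF.match(line)))
        elif line.lower().startswith("#endif"):
            if open_ifs:
                open_ifs.pop()
        elif (any(open_ifs) and OPERATION_TEST.search(line)
              and PLAIN_DENY.search(line)):
            findings.append((number, line))
    return findings


# Constructed sample policy: line 6 is the rule that needs FORCE_DENY.
SAMPLE_CPL = """\
#if enforcement=universal
define condition gmail-readonly
  request.application.name=Gmail
end condition gmail-readonly
<Proxy>
condition=gmail-readonly request.application.operation="Send Email" DENY
condition=gmail-readonly request.application.operation="Send Email" FORCE_DENY
#endif
<Proxy>
request.application.operation="Send Email" DENY
"""

if __name__ == "__main__":
    for number, rule in find_plain_deny_operation_rules(SAMPLE_CPL):
        print(f"line {number}: review for FORCE_DENY -> {rule}")
```

The rule on the last line of the sample is not reported because it sits outside the universal-enforcement block, which matches the scope given under Cause.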