You wish to understand the correct policy order to use when using the Web Gateway SSL decryption proxy.
The correct way to configure the policies when using SSL decryption is to arrange them in the following order:
SSL Decryption Policy Configuration:
The SSL Decryption policy is essentially a filter to intercept and redirect all SSL traffic that needs to be decrypted, generally in order to send it to DLP. In general, it would be assumed that this traffic will not be blocked (unless a negative DLP response is returned).
Configuration options:
In the second scenario, if for example you want to run DLP on everyone's blog posts, but also on the web mail of Sales, you would need two separate SSL decryption policies: one for Sales placed above a general policy for all users. The Sales SSL policy would apply to the Sales LDAP group only, and would ignore everything but web mail and blogs, while the general SSL decryption policy would ignore everything but blogs. You could then place whatever blocking policies you wish below the SSL policies so that they apply to the ignored traffic.
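To make the ordering requirement concrete, here is a small model of top-down policy evaluation. It is an added example written for this article, not Web Gateway code, and it assumes a simplified engine in which policies are evaluated from the top and the first policy whose group scope matches the user decides whether the request is decrypted; the policy and group names are constructed. It also includes a check for policies that can never be reached because a policy above them already covers every user they could match, which is exactly what happens when the general policy is placed above the Sales policy.

```python
"""Toy model of top-down SSL decryption policy evaluation.

Constructed example, not Web Gateway code. Each policy names the user groups
it applies to and the traffic categories it decrypts; every other category is
ignored (passed through without decryption). Policies are evaluated from the
top, and the first policy whose group scope matches the user decides.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence


@dataclass(frozen=True)
class SslDecryptionPolicy:
    name: str
    # None means the policy applies to every user.
    groups: Optional[FrozenSet[str]]
    # Categories sent through the decryption proxy (and on to DLP);
    # everything else is ignored by this policy.
    decrypt: FrozenSet[str]

    def applies_to(self, user_groups: FrozenSet[str]) -> bool:
        return self.groups is None or bool(self.groups & user_groups)


def first_matching_policy(policies: Sequence[SslDecryptionPolicy],
                          user_groups: FrozenSet[str]) -> Optional[SslDecryptionPolicy]:
    """Top-down, first-match: the first policy in scope for the user wins."""
    for policy in policies:
        if policy.applies_to(user_groups):
            return policy
    return None


def should_decrypt(policies: Sequence[SslDecryptionPolicy],
                   user_groups: FrozenSet[str], category: str) -> bool:
    policy = first_matching_policy(policies, user_groups)
    return policy is not None and category in policy.decrypt


def shadowed_policies(policies: Sequence[SslDecryptionPolicy]) -> List[str]:
    """Names of policies that can never be reached because an earlier policy
    already covers every user the later policy could match."""
    shadowed = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            covers_all = earlier.groups is None
            covers_subset = later.groups is not None and earlier.groups is not None \
                and later.groups <= earlier.groups
            if covers_all or covers_subset:
                shadowed.append(later.name)
                break
    return shadowed


# Constructed policies following the article's scenario (names are made up).
SALES_WEBMAIL_AND_BLOGS = SslDecryptionPolicy(
    "Sales SSL decryption", frozenset({"Sales"}), frozenset({"webmail", "blogs"}))
EVERYONE_BLOGS = SslDecryptionPolicy(
    "General SSL decryption", None, frozenset({"blogs"}))

CORRECT_ORDER = [SALES_WEBMAIL_AND_BLOGS, EVERYONE_BLOGS]   # specific above general
WRONG_ORDER = [EVERYONE_BLOGS, SALES_WEBMAIL_AND_BLOGS]     # general shadows Sales

# Constructed users: LDAP group memberships.
SALES_USER = frozenset({"Sales", "AllStaff"})
ENGINEER = frozenset({"Engineering", "AllStaff"})


if __name__ == "__main__":
    for label, order in (("correct", CORRECT_ORDER), ("reversed", WRONG_ORDER)):
        print(f"{label} order:")
        for who, groups in (("sales user", SALES_USER), ("engineer", ENGINEER)):
            for cat in ("webmail", "blogs", "search"):
                print(f"  {who:10} {cat:8} decrypt={should_decrypt(order, groups, cat)}")
        print("  shadowed policies:", shadowed_policies(order))
```

With the policies in the correct order, a Sales user's web mail and blog traffic is decrypted and everyone else's blog traffic is decrypted; with the order reversed, the Sales policy is reported as shadowed and Sales web mail passes through undecrypted, so DLP never sees it.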
Remember that if you wish to intercept SSL traffic, you need to import the SWG root certificate on all machines that will be using the SSL proxy (see HOWTO54180 and HOWTO54181).
DLP Network Prevent configuration
Consult your DLP documentation for direction on implementing the DLP Network Prevent configuration. Symantec does recommend, however, that you remove/replace the POST/PUT content rather than block the connection. This prevents the user from seeing an inexplicable browser error or connection timeout, and reduces the impact on the user experience when posting or uploading files.
Applies To
The Web Gateway is running in inline-proxy or proxy-only mode. The SSL decryption proxy has been configured.