I have multiple policies within my proxy configuration. How do I know which one gets hit first?
Proxy policies are evaluated in the sequence Visual Policy Manager (VPM) -> Local file -> Central file -> Forward file. This is the default policy evaluation sequence; it can be changed from the default depending on your configuration.
To change the policy evaluation sequence, do the following in the Management Console (https://<ip.address.of.proxysg>:8082):
Configuration Tab > Policy > Policy Options > Policy Options > (Move up / Move down)
However, if there is a match in the last layer, which is the Forward file, it takes priority over a similarly configured policy in the VPM, Local file or Central file: the last matching layer wins. This provides a layer of flexibility, especially when troubleshooting, because new policies can be added in a later layer with minimal disruption.
What about the VPM? Within a policy layer, rules are processed from top to bottom. VPM layers are processed in the following sequence:
1. Admin Authentication
2. Admin Access
3. DNS Access
4. SOCKS Authentication
5. SSL Intercept
6. SSL Access
7. Web Authentication
8. Web Access
9. Web Content
If there are two similar layers with the same configuration inside the VPM, the rightmost layer (the one farthest to the right in the VPM tab order) gets priority.
The following example helps explain the concept. Here are some scenarios:
i: If a browser request comes in for www.google.com, policy is evaluated in web access layer 1 and matches the Google deny rule. It then goes to web access layer 2, matches there, and is again denied. Finally the request reaches the local policy file and matches there too, also with a deny. Since this is the last rule that matched and it has a deny, access to Google is denied by the local policy file. The local policy file is hit because, in the default policy sequence, the local policy file is evaluated after the VPM.
ii: If the local policy did not exist, then the rule in web access layer 2 would apply. If neither the local policy nor web access layer 2 existed, then the rule in web access layer 1 would apply.
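To make the "last matching layer wins" rule concrete, here is a small model of the evaluation order described above (VPM layers left to right, then Local, Central and Forward files). This is an added example written for this article, not ProxySG code or its policy engine: the layer names, the `google.com` deny rules and the Forward-file allow rule are constructed for the two scenarios, and the model assumes that within one layer the first matching rule decides that layer's verdict. The final case goes slightly beyond the scenarios and shows a Forward-file match overriding every earlier deny, as the article states it does.

```python
"""Model of ProxySG policy evaluation order: later layers override earlier ones.

Added example for illustration; it is not ProxySG code and only models the
ordering described in the article.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    domain: str   # request host the rule applies to; "*" matches any host
    action: str   # "allow" or "deny"


@dataclass
class Layer:
    name: str
    rules: List[Rule]


def host_matches(host: str, domain: str) -> bool:
    """Match a host against a domain, including subdomains (www.google.com -> google.com)."""
    return domain == "*" or host == domain or host.endswith("." + domain)


def layer_verdict(layer: Layer, host: str) -> Optional[str]:
    """Rules inside a layer are read top to bottom; the first match decides (model assumption)."""
    for rule in layer.rules:
        if host_matches(host, rule.domain):
            return rule.action
    return None


def evaluate(layers: List[Layer], host: str, default: str = "allow") -> Tuple[str, List[Tuple[str, str]]]:
    """Evaluate every layer in order; a later layer's match overrides any earlier verdict.

    Returns the final verdict and a trace of (layer name, verdict) for each layer that matched.
    """
    verdict = default
    trace: List[Tuple[str, str]] = []
    for layer in layers:
        v = layer_verdict(layer, host)
        if v is not None:
            trace.append((layer.name, v))
            verdict = v
    return verdict, trace


def build_layers(include_layer2: bool = True, include_local: bool = True,
                 forward_allow: bool = False) -> List[Layer]:
    """Constructed policy set for the article's scenarios, in default evaluation order.

    VPM layers come first (layer 2 sits to the right of layer 1), then Local, Central, Forward.
    """
    layers = [Layer("VPM Web Access layer 1", [Rule("google.com", "deny")])]
    if include_layer2:
        layers.append(Layer("VPM Web Access layer 2", [Rule("google.com", "deny")]))
    if include_local:
        layers.append(Layer("Local policy file", [Rule("google.com", "deny")]))
    layers.append(Layer("Central policy file", []))  # no matching rule in these scenarios
    forward_rules = [Rule("google.com", "allow")] if forward_allow else []
    layers.append(Layer("Forward policy file", forward_rules))
    return layers


if __name__ == "__main__":
    host = "www.google.com"
    for label, layers in [
        ("scenario i  (all layers present)", build_layers()),
        ("scenario ii (no local policy)", build_layers(include_local=False)),
        ("scenario ii (no local policy, no layer 2)", build_layers(include_layer2=False, include_local=False)),
        ("forward file allow overrides earlier denies", build_layers(forward_allow=True)),
    ]:
        verdict, trace = evaluate(layers, host)
        print(f"{label}: {verdict} (decided by {trace[-1][0] if trace else 'default'})")
        for name, v in trace:
            print(f"    matched in {name}: {v}")
```

The trace is the part worth looking at when troubleshooting: every layer that matched is listed, but only the last entry decides the outcome, which is why a deny that "disappears" is usually a later layer or file overriding it rather than the rule being ignored.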