Secure Web Gateway (SWG) uses two types of policies.
An access policy and a per-request policy are both specified in a virtual server.
A per-request policy must specify the logic that determines how to process URL requests whether they are requests for web access (in a forward proxy configuration) or requests for internal resources (in a web access management configuration). How to make that determination is largely up to you.
To put SSL forward proxy bypass (specified in client and server SSL profiles) into effect, the per-request policy must ultimately determine whether to intercept or bypass the SSL traffic. If you plan to process SSL traffic, configure the policy to complete that processing first.
To put URL categorization into effect, the per-request policy must be configured to look up the URL category and assign the URL filter that allows or blocks URL requests.
To base processing of URL requests on a user group or user class, per-request policy items that look up a user group or user class read values stored in session variables. To ensure that the values are available, the access policy that creates the session must be configured with actions that populate the session variables.
After you create the per-request policy, use any of the remaining tasks to add items to it to build the per-request policy that you need.
The Response Analytics per-request policy item makes an HTTP request and waits for the HTTP response before it completes. As a result, to function properly, any policy items that rely on the information in the HTTP request or that attempt to modify the HTTP request must always precede the Response Analytics item. Specifically, the Category Lookup and HTTP Headers items must not follow a Response Analytics item.
To ensure that SSL Bypass Set and SSL Intercept Set work correctly, do not place them in a per-request policy after any of these items:
For SSL bypass or SSL intercept actions, Secure Web Gateway (SWG) forwards the client hello directly to the server. The client and server then negotiate SSL parameters. This must occur before any per-request policy item inspects the SSL payload (HTTP data). Everything that the policy does before an SSL Bypass Set or SSL Intercept Set policy item must operate either on SSL data (certificate or client hello) or on session data (which is not part of SSL payload).
This example per-request policy bypasses all SSL traffic from users in the Directors group. For other users, the policy bypasses SSL traffic only if it falls into a category that raises privacy concerns, such as one in which financial data might be accessed. After a determination about whether to bypass or intercept SSL traffic is complete, the policy can then move from processing HTTPS data to processing the HTTP data in the SSL payload.
Figure: SSL bypass decision based on group membership and URL category

Callout | Description |
---|---|
1 | For directors, do not intercept and inspect any SSL request. To bypass the traffic, use the SSL Bypass Set item. |
2 | To use Category Lookup to process HTTPS traffic, you must configure it to use SNI or Subject.CN input. |
3 | For users who are not in the Directors group, do not intercept and inspect SSL requests that contain private information. Bypass the traffic by inserting the SSL Bypass Set item. |
4 | After the policy completes HTTPS processing, you can start to process HTTP data. Continue with actions, such as URL Filter or Application Lookup, that inspect the SSL payload. The URL Filter item determines whether to allow or reject traffic. |
(For this example to be valid, both the server and client SSL profiles on the virtual server must enable SSL forward proxy and SSL forward proxy bypass; the client SSL profile must set the default bypass action to Intercept.)
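The decision flow of the SSL bypass example above, carried through as an added example that is not part of the F5 documentation. The session variable name and the per-flow variable names with their 0/1 encodings are the ones this page lists; the category table, privacy category set, URL filter, group DN and hostnames are constructed sample data.

```python
"""Walk-through of the SSL bypass example above (added example, not F5 code).

Session variables come from the access policy that created the session; the
per-flow variable names and their 0/1 encodings are the ones this page lists.
The category table, privacy set, URL filter and hostnames are constructed.
"""

# Constructed stand-ins for the SWG category database and a URL filter.
CATEGORIES_BY_HOST = {
    "bank.example": ["Financial"],
    "news.example": ["News", "Sports"],
    "games.example": ["Games"],
}
PRIVACY_CATEGORIES = {"Financial", "Health"}   # bypassed for non-directors
URL_FILTER = {"Games": "Block"}                # any other category is Allow


def run_policy(session, sni):
    """Run the example policy for one HTTPS request; return its per-flow variables.

    perflow.ssl_bypass_set: 0 = bypass, 1 = intercept.
    perflow.urlfilter_lookup.result.action: 0 = reject, 1 = allow; present only
    when the flow was intercepted, because the filter inspects the SSL payload.
    """
    flow = {}
    # 1. AD Group Lookup reads session.ad.last.attr.memberOf, which exists only
    #    if the access policy ran an AD Query; an empty or missing value cannot
    #    match, so directors would fall through to the non-director branch.
    #    The substring test mirrors the page's `contains` expression; it also
    #    matches longer names, so compare the full DN in a real branch rule.
    if "CN=Directors" in session.get("session.ad.last.attr.memberOf", ""):
        flow["perflow.ssl_bypass_set"] = 0
        return flow
    # 2. Category Lookup with SNI input reads only the client hello, so it is
    #    allowed before the bypass/intercept decision.
    cats = CATEGORIES_BY_HOST.get(sni, ["Uncategorized"])
    flow["perflow.category_lookup.result.hostname"] = sni
    flow["perflow.category_lookup.result.categories"] = ",".join(cats)
    flow["perflow.category_lookup.result.numcategories"] = len(cats)
    # 3. Privacy-sensitive categories are bypassed for everyone else.
    if any(c in PRIVACY_CATEGORIES for c in cats):
        flow["perflow.ssl_bypass_set"] = 0
        return flow
    # 4. Intercept, then URL Filter Assign on the decrypted payload: a Block
    #    action on any of the request's categories rejects the request.
    flow["perflow.ssl_bypass_set"] = 1
    blocked = any(URL_FILTER.get(c) == "Block" for c in cats)
    flow["perflow.urlfilter_lookup.result.action"] = 0 if blocked else 1
    return flow
```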
Each URL Filter Assign item in this per-request policy example should specify a filter that is applicable to the user group.
Figure: URL filter based on group membership
This per-request policy example applies specific URL filters for weekends and weeknights, and restricts access during work hours based on user group.
Figure: Deny or allow access based on date and time and group membership
In this example per-request policy, a Category Lookup item obtains a list of categories and a response web page. If Category Lookup returns a value that specifies the response needs to be scanned to determine the appropriate category, Response Analytics runs.
Response Analytics scans the response for malicious embedded content and passes an analysis to the URL Filter Assign item. URL Filter Assign uses the analysis, if provided, and the specified filter to determine whether to allow the request.
Figure: Process of Response Analytics contributing analysis results to URL Filter Assign
In this per-request policy example, only recruiters are allowed to access URLs in the job search category. The policy also restricts access to entertainment sites during business hours.
Figure: Category-specific access restrictions
Figure: Application access control by application family, application name, and application filter

Callout | Description |
---|---|
1 | A user-defined branch for the instant messaging application family. |
2 | A user-defined branch for a specific application. |
3 | The default fallback branch, on which an application filter is applied. Application Filter Assign needs the information provided by Application Lookup. |
This table lists per-request policy items that read session variables and lists the access policy items that populate the variables.
Per-request policy item | Session variable | Access policy item |
---|---|---|
AD Group Lookup | session.ad.last.attr.primaryGroupID | AD Query |
LDAP Group Lookup | session.ldap.last.attr.memberOf | LDAP Query |
LocalDB Group Lookup | session.localdb.groups (Note: This session variable is the default in the expression for LocalDB Group Lookup; any session variable in the expression must match the session variable used in the Local Database action in the access policy.) | Local Database |
RADIUS Class Lookup | session.radius.last.attr.class | RADIUS Auth |
The table specifies Secure Web Gateway (SWG) support for per-request policy items in an APM® and LTM® reverse proxy configuration.
Per-request policy item | Supported with APM and LTM in reverse proxy |
---|---|
Protocol Lookup | No |
SSL Intercept Set | No |
SSL Bypass Set | No |
Response Analytics | No |
Application Lookup | No |
Application Filter Assign | No |
Category Lookup | Yes, provided that the input type is not subject.cn |
URL Filter Assign | Yes |
HTTP Headers | Yes |
Logging | Yes |
Dynamic Date Time | Yes |
AD Group Lookup | Yes |
LDAP Group Lookup | Yes |
LocalDB Group Lookup | Yes |
RADIUS Class Lookup | Yes |
The Apply Access Policy link has no effect on a per-request policy. Conversely, updates made to a per-request policy do not affect the state of the Apply Access Policy link.
Unless a per-request policy includes and executes a Category Lookup item, URL request event logging does not occur.
Macros are not supported for per-request policies.
Safe Search is a search engine feature that can prevent offensive content and images from showing up in search results. Safe Search can also protect video searches on Google, Bing, and Yahoo search engines.
Safe Search can be enabled in a per-request policy using the Category Lookup item. Secure Web Gateway (SWG) with Safe Search enabled supports these search engines: Ask, Bing, DuckDuckGo, Google, Lycos, and Yahoo. Some search engines, such as Google and Yahoo, use SSL by default; in this case, Safe Search works only when SWG is configured with SSL forward proxy.
Per-flow variables exist only while a per-request policy runs. The table lists per-flow variables and their values.
Name | Value |
---|---|
perflow.agent_ending.result | 0 (success) or 1 (failure). |
perflow.application_lookup.result.families | Comma-separated list of application families. |
perflow.application_filter_lookup.result.action | 0 (reject) or 1 (allow). |
perflow.application_lookup.result.effective_application | Name of the application that is ultimately used. |
perflow.application_lookup.result.effective_family | Name of the application family that is ultimately used. |
perflow.application_lookup.result.names | Comma-separated list of application names. |
perflow.application_lookup.result.primary_application | Name of the application that SWG determines is the primary one. |
perflow.application_lookup.result.primary_family | Name of the application family that SWG determines is the primary one. (An application might fit into more than one application family.) |
perflow.bypass_lookup.result.ssl | 0 (http) or 1 (https). |
perflow.category_lookup.failure | 0 (success) or 1 (server failure). |
perflow.category_lookup.result.categories | Comma-separated list of categories. |
perflow.category_lookup.result.customcategory | Unique number that identifies a custom category; used internally. |
perflow.category_lookup.result.effective_category | Name of the category that is ultimately used. |
perflow.category_lookup.result.filter_name | Name of the URL filter. |
perflow.category_lookup.result.hostname | Host name retrieved from SSL input. |
perflow.category_lookup.result.numcategories | Integer. Total number of categories in the comma-separated list of categories. |
perflow.category_lookup.result.primarycategory | Name of the category that SWG determines is the primary one. (A URL might fit into more than one category, such as news and sports.) |
perflow.category_lookup.result.url | Requested URL. |
perflow.protocol_lookup.result | http or https. Defaults to https. |
perflow.response_analytics.failure | 0 (success) or 1 (server failure). |
perflow.session.id | Session id. |
perflow.ssl_bypass_set | 0 (bypass) or 1 (intercept). SSL Bypass Set and SSL Intercept Set items update this value. |
perflow.ssl.bypass_default | 0 (bypass) or 1 (intercept). Specified in the client SSL profile; used when the SSL Bypass Set and SSL Intercept Set items are not included in the per-request policy. |
perflow.urlfilter_lookup.result.action | 0 (reject) or 1 (allow). |
perflow.username | User name. |
When configuring a per-request policy, a few access policy items are available for inclusion in the policy. Most per-request policy items are unique to a per-request policy.
A Protocol Lookup item determines whether the protocol of the request is HTTP or HTTPS. It provides two default branches: HTTPS and fallback. Use the Protocol Lookup item early in a per-request policy to process HTTPS traffic before processing HTTP traffic.
The SSL Bypass Set item provides a read-only element, Action, that specifies the Bypass option.
An AD Group Lookup item can branch based on Active Directory group. The item provides one default advanced branch rule expression, expr { [mcget {session.ad.last.attr.primaryGroupID}] == 100 }, as an example.
A branch rule expression can include any populated session variable, such as session.ad.last.attr.primaryGroupID, session.ad.last.attr.memberOf, session.ad.last.attr.lastLogon, session.ad.last.attr.groupType, session.ad.last.attr.member, and so on. As an example, expr { [mcget {session.ad.last.attr.memberOf}] contains "CN=Administrators" } is a valid expression.
An LDAP Group Lookup item compares a specified string against the session.ldap.last.attr.memberOf session variable. The specified string is configurable in a branch rule. The default simple branch rule expression is User is a member of CN=MY_GROUP, CN=USERS, CN=MY_DOMAIN; the values MY_GROUP, USERS, and MY_DOMAIN must be replaced with the values used in the LDAP group configuration at the user site.
A per-request policy LocalDB Group Lookup item compares a specified string against a specified session variable.
The string is specified in a branch rule of the LocalDB Group Lookup item. The default simple branch rule expression is User is a member of MY_GROUP. The default advanced rule expression is expr { [mcget {session.localdb.groups}] contains "MY_GROUP" }. In either the simple or the advanced rule, the variable MY_GROUP must be replaced with a valid group name.
The session variable must initially be specified and populated by a Local Database action in the access policy. A Local Database action reads groups from a local database instance into a user-specified session variable. It can be session.localdb.groups (used by default in the LocalDB Group Lookup advanced rule expression) or any other name. The same session variable name must be used in the Local Database action and the LocalDB Group Lookup advanced rule expression.
The RADIUS Class Lookup access policy item compares a user-specified class name against the session.radius.last.attr.class session variable. The specified class name is configurable in a branch rule.
The default simple branch rule expression is RADIUS Class attribute contains MY_CLASS. The variable MY_CLASS must be replaced with the name of an actual class.
The Dynamic Date Time action enables branching based on the day, date, or time on the server. It provides two default branch rules:
The Dynamic Date Time action provides these conditions for defining branch rules.
The SSL Intercept Set item provides a read-only element, Action, that specifies the Intercept option.
The Logging action can be used in an access policy or in a per-request policy. In an access policy, the Logging action adds logging for session variables to the access policy. In a per-request policy, the Logging action can add logging for both session variables and per flow variables to the per-request policy.
This action is useful for tracing the variables that are created for a specific category, or in a specific branch.
The Logging action provides these configuration elements and options:
Example log messages that reference per-flow and session variables:

The system found this URL %{perflow.category_lookup.result.url} in these categories %{perflow.category_lookup.result.categories} and placed it into this category %{perflow.category_lookup.result.primarycategory}.

An HTTPS request was made to this host %{perflow.category_lookup.result.hostname}; the per-request policy set SSL bypass to %{perflow.ssl_bypass_set}.

Requests from this platform %{session.client.platform} were made during this session %{perflow.session.id}.
A Category Lookup item looks up URL categories for a request and obtains a web response page.
The Category Lookup item provides these elements and options.
A Response Analytics item inspects a web response page for malicious embedded content. Response Analytics must be preceded by a Category Lookup item, because Category Lookup obtains the web response page.
Response Analytics provides these elements and options.
A URL Filter Assign item determines whether to block or allow a request. A Category Lookup item must precede URL Filter Assign to provide categories. The URL Filter Assign item looks up the filter action for each category found for the request. If any filter action is set as Block, the request is blocked. The URL filter item also uses the analysis from the Response Analytics item, if used, to determine whether to block or allow the request.
A URL Filter Assign item provides the URL Filter element, a list of filters from which to select.
An Application Lookup item obtains the name of the application that is being requested and looks up the application family that matches it. By default, this item has a fallback branch only.
Application Lookup can be used to branch by application family or by application name; branch rules are required to do this. If an Application Filter Assign item is included in the per-request policy, an Application Lookup must complete before it.
An Application Filter Assign item matches an application or application family against an application filter. Application Filter Assign provides one configuration element. The Application Filter element specifies the application filter to use in determining whether to block access to an application or allow it. The Application Filter Assign item exits on the Allow branch if the filter action specifies allow. Otherwise, Application Filter Assign exits on the fallback branch.
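The ordering rules this page states in several places (Response Analytics and the SSL Bypass Set / SSL Intercept Set placement rules earlier, and the Category Lookup and Application Lookup prerequisites for URL Filter Assign and Application Filter Assign here) can be checked mechanically before a policy is deployed. The linter below is an added example, not F5 code; the "Item:Input" notation for a Category Lookup's input is a constructed convention, and the set of payload-inspecting items is taken from the page's own text.

```python
"""Ordering lint for one branch of an SWG per-request policy.

Added example, not F5 code. It encodes the ordering rules this page states:
SSL Bypass Set / SSL Intercept Set must precede any item that inspects the
SSL payload; Response Analytics needs a preceding Category Lookup and must
not be followed by Category Lookup or HTTP Headers; URL Filter Assign needs
Category Lookup; Application Filter Assign needs Application Lookup.
"""

# Items that read HTTP data (the SSL payload), per the page's text.
PAYLOAD_ITEMS = {"URL Filter Assign", "Application Lookup",
                 "Application Filter Assign", "Response Analytics",
                 "HTTP Headers"}
SSL_DECISIONS = {"SSL Bypass Set", "SSL Intercept Set"}
# Category Lookup inputs that read only SSL data (client hello / certificate).
SSL_INPUTS = {"SNI", "Subject.CN"}


def _inspects_payload(name, arg):
    """True when the item needs decrypted HTTP data."""
    if name == "Category Lookup":
        return arg not in SSL_INPUTS   # URL input means the HTTP request line
    return name in PAYLOAD_ITEMS


def lint_branch(items):
    """Return ordering violations for a branch given as a list of item names.

    An entry may carry its input after a colon, e.g. "Category Lookup:SNI"
    (a constructed notation, not F5 syntax). An empty list means no violation.
    """
    problems, seen = [], []
    for pos, entry in enumerate(items):
        name, _, arg = entry.partition(":")
        before = [n for n, _ in seen]
        if name in SSL_DECISIONS:
            late = [n for n, a in seen if _inspects_payload(n, a)]
            if late:
                problems.append(f"{pos}: {name} must precede {late}")
        if name == "Response Analytics" and "Category Lookup" not in before:
            problems.append(f"{pos}: Response Analytics needs a prior Category Lookup")
        if name in ("Category Lookup", "HTTP Headers") and "Response Analytics" in before:
            problems.append(f"{pos}: {name} must not follow Response Analytics")
        if name == "URL Filter Assign" and "Category Lookup" not in before:
            problems.append(f"{pos}: URL Filter Assign needs a prior Category Lookup")
        if name == "Application Filter Assign" and "Application Lookup" not in before:
            problems.append(f"{pos}: Application Filter Assign needs a prior Application Lookup")
        seen.append((name, arg))
    return problems
```

The non-director branch of the page's SSL bypass example, Category Lookup:SNI followed by SSL Intercept Set, Category Lookup and URL Filter Assign, lints clean; placing SSL Bypass Set after a URL-input Category Lookup or Response Analytics is reported.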
An HTTP Headers action supports modifying an outgoing HTTP request to a back-end server. The action supports manipulation of HTTP and cookie headers being sent to back-end servers.
The HTTP Headers item provides these configuration options and elements.
An entry in the HTTP Header Modify table includes these elements.
An entry in the HTTP Cookie Modify table includes these elements.
An ending provides a result for a per-request policy branch. An ending for a per-request policy branch is one of two types.