There are two kinds of approaches to building a ProxySG content filtering policy.
- The "Firewall" approach - Everythign is denied unless explicitly allowed
- The "Filter" approach - Everything is allowed unless explicitly denied
There are pros and cons to both approaches. The "Firewall" approach is the most secure and offers the most control, but is the likeliest to block requests that you will want to allow, so this approach requires more attention. The "Filter" approach is much less likely to cause legitimate applications from being denied, but at the same time is also the likeliest to allow unwanted connections through the proxy.
Because of the growing complexity of websites, off site hosting of images and other content, Blue Coat strongly recommends using the "Filter" approach. It allows for control without the overhead required by a "Firewall' type policy.
We will discuss both approaches in this knowledge base article. Both methods start the same way :
1. Downloading a Content-Filtering database
In this examile, we are downloading the BCWF database. Enter the username and password bound to your content filtering database license, and click "Download Now". You can check the download status by clicking on "View Download Status". Before continuing to Step 2, please wait for your download to finish so that categories are available from the picklist.
2. Setting up the default policy
Under Policy / General, you will find the option for the default policy action.
If you want to use the "Firewall" approach, select "Deny". If you prefer the more simple filtering approach, leave the option to "Allow". What this option does is set the behavior of the proxy *if* no rules were a match where the action was set to either allow or deny a connection.
3. Building up the policy (for this example, no prior policy was configured)
Under Policy / Visual Policy manager, click "Launch". At this point a new window will open with the Visual Policy Manager, also called the VPM.
Open the "Policy" menu, and clikc on "Add web access layer". You should then see a new policy layer with a blank rule like below
Right-Click on the "Any" in the destination column, and then click "Set...", then "New...", and finally "Request URL category..."
You can rename the object from it's default name to something more significant, and then expand the content filtering database you purchased and you will see a list of categories as per the screenshot below
For the "Firewall" approach, you will pick from this list categories that you wish to allow.
For the "Filtering" approach, you will pick from this list categories you wish to deny.
Once you are done, click "OK", and then "OK" again
For the "Firewall" approach, since those are categories we will want to allow, right-click the "Deny" object and then click on "Allow"
For the "Filtering" approach, leave the action to "Deny"
4. Adding more rules (optional)
You can click on "Add rule" to create more filtering rules in this layer. For example, you can create a rule to allow or deny a specific URL by first adding a rule, then right-clicking on the destination object, then "Set...", "New...", "Request URL...". This is usefull when you want to allow or deny a very spicic URL
As a good practice, placing very specific rules closer to the top provides better results. This is because once a rule has been matched in a layer, the rest of the rules in that same layer will not be evaluated. If there are 10 rules in a layer and rule #4 matched the connection, the policy evaluation will jump to the next layer and not look at runes 5 through 10 of that same layer.
Also, always keep in mind that if more than one rule matches a connection, and those rules contained a mix of allow and deny actions, the action of the last rule to match is going to override all other rules. If layer 1 allows a connection, and layer 3 denies it, the connection will be denied. Actions that are not contratictory will all be applied (authenticate, allow, force cache) for example are actions that don't overwrite one another, and ultimately all those actions will be performed by the proxy
5. Installing the policy
Click on "Install policy" and that's it, the filtering policy is now applied.
If you opted for a firewall method, anything goign through the proxy that didn't match the allow rule or rules you created will be denied
If on the other hand you opted for the "Filtering" policy, everything going through the proxy will be allowed, except the categories that matches the rule you created.