Packets are leaving the ProxySG destined to a site I have specifically denied.

<< Back to Knowledge Search



If you have explicitly denied an IP or host on your ProxySG it is still possible that the proxy will attempt to go retrieve information from that site. The ProxySG however will not deliver that content to a client. The reason for this is as follows:

If you request a site that has an embedded object that lies on the IP or host that you have blocked the SG will pipeline that original request and send packets to fetch objects from the blocked site even though it is denied on the ProxySG. Once the site is assembled in the pipeline request policy is executed and the object is denied and not sent to the client. However as stated, the ProxySG did go out and fetch that object. Another way to state this is, in a pipeline we do not process policy until after the complete site is fetched.


If you would like to stop this behavior you need to disable "Pipeline embedded objects in client request" option under in the ProxySG GUI under Proxy Settings -> HTTP Proxy -> Acceleration Profile. This is a global option.

If you want to stop this for only one site you need to use CPL to accomplish this. A deny rule in a cache layer will stop the packets from being sent out. For example:

url.address= exception(content_filter_denied)

Will stop the ProxySG from pipeline embedded objects for IP

Additional Information
Bug Number
InQuira Doc IdKB5132

Article Feedback

Hide Properties
First Published      10/01/2014
Last Modified      10/01/2014
Last Published      10/01/2014
Article Audience
Product      ProxySG
Software      SGOS 5, SGOS 6
Article Number      000012504
Was this helpful?
Previous MonthNext Month