Solutions

Why is the "unavailable" category not matching a negated category list?

Solutions ID:    KB3270
Version:    1.0
Status:    Published
Published date:    08/13/2009
 

Problem Description

Why is the "unavailable" category not matching a negated category list?
Policy trace shows negated category as "n/a" instead of "MATCH" when URL category is "unavailable"

Resolution

The "unavailable" category, is a "System Category", which means that the ProxySG wants to categorize the URL, but an error occurred trying to categorize the URL.  There are a number of conditions that would cause "unavailable" to be returned.  Please refer to KB article KB1154 for further details.

Negated category matches may not work as expected when ‘unavailable’ is returned.

If the ProxySG categorizes foo.com and gets ( Porn, unavailable ), then
   Category=Porn          -> is true
   Category=!Games    -> is “n/a”

Why?  One way to think of this is that ‘unavailable’ means that categorization is broken, and the list the policy engine got is non-exhaustive.  The content filter database might have returned “Games”, but instead SGOS does not know, and thus does not make decisions based on incomplete data.

Thus Blue Coat always recommends explicit handling of "unavailable".  You can decide if you want to fail open or fail close for that specific case.  Therefore, create policy that explicitly calls for the "unavailable" category and either ALLOW or DENY access.
 


Rate this Page

Please take a moment to complete this form to help us better serve you.

Did this document help answer your question?
 
 
If you are finished providing feedback, please click the RATE CONTENT button. Otherwise, please add more detail in the following text box and then click RATE CONTENT.
 
 

Your response will be used to improve our document content.

Ask a Question