Packets are leaving the ProxySG destined to a site I have specifically denied.

Solutions ID:    KB5132
Version:    2.0
Status:    Published
Published date:    05/25/2012
Updated:    10/31/2013

Problem Description

If you have explicitly denied an IP or host on your ProxySG it is still possible that the proxy will attempt to go retrieve information from that site. The ProxySG however will not deliver that content to a client. The reason for this is as follows:

If you request a site that has an embedded object that lies on the IP or host that you have blocked the SG will pipeline that original request and send packets to fetch objects from the blocked site even though it is denied on the ProxySG. Once the site is assembled in the pipeline request policy is executed and the object is denied and not sent to the client. However as stated, the ProxySG did go out and fetch that object. Another way to state this is, in a pipeline we do not process policy until after the complete site is fetched.


If you would like to stop this behavior you need to disable "Pipeline embedded objects in client request" option under in the ProxySG GUI under Proxy Settings -> HTTP Proxy -> Acceleration Profile. This is a global option.

If you want to stop this for only one site you need to use CPL to accomplish this. A deny rule in a cache layer will stop the packets from being sent out. For example:

url.address= exception(content_filter_denied)

Will stop the ProxySG from pipeline embedded objects for IP

Rate this Page

Please take a moment to complete this form to help us better serve you.

Did this document help answer your question?
If you are finished providing feedback, please click the RATE CONTENT button. Otherwise, please add more detail in the following text box and then click RATE CONTENT.

Your response will be used to improve our document content.

Ask a Question