Content rules
Overview
Each content rule specifies:
-
What To Look For? - a set of conditions to look for.
-
What To Do? - what action(s) to take when a web content or traffic meets the specified set of conditions, thus, the content rule is triggered. In other words, what action(s) to take when your content security policy is violated.
What To Do? consists of two types of actions: a principal action called Primary Action, followed by an additional action called What Else To Do?.
For example, within a content rule, you set a What To Look For? clause that checks for viruses in particular traffic. For What To Do?, your Primary Action might be to block the traffic. You can also add a What Else To Do? action to generate a notification to an administrator.
You can create content rules that suit your content security policy from a set of pre-configured adaptable templates. See Content rule templates for more information.
Content rules must be applied to
Peered Secure ICAP Gateway
It is possible to add and modify content rules which are licensed on any of the Gateways in a peer group. However,
For example, in a peer group, Peer A might be installed with a supplementary license feature for redaction, whereas Peer B is not. It is possible to add a Redact Text content rule to a policy route on Peer B, but redaction will not be applied to content processed by Peer B.
How content rules are applied
When Secure ICAP Gateway has selected the route to follow, it will check each configured content rule for that route and do one of the following:
-
If none of the content rules are true, it will perform the default action for the route, typically
-
If one of the content rules is true, it will perform the actions and stop applying further rules.
Example of content rules application
Consider the following content rules as they are applied to the Everyone to Web Mail & Chat route:
-
Any traffic passing through this route that does not match another route will be allowed unless one of the rules is true.
-
Any traffic passing through this route that contains a virus will cause content rule 1, Block Virus, to be triggered. The traffic will be blocked.
-
Any traffic passing through this route that contains encrypted files will cause content rule 2, Block Encrypted Data, to be triggered. The traffic will be blocked.
-
And so on until the end of the rules.
Efficient ordering of content rules
It is important that rules for a given route are configured in the right order. You need to consider the level of threat and machine processing time and resources. The greater the threat, the higher the rule should be on the rules table.
Consider the following content rules as they are applied to the Everyone to Web Mail & Chat route:
The first rule will scan the traffic looking for keywords as configured in the rule. However, there is little point in doing this because the second rule will block the traffic if a virus is detected.
A more efficient and safer order for this set of rules would be to place this rule after rules that deal with specific threats: