ProxySGAdvanced Secure Gateway 7.2.

x Security
Best Practices
Your ProxySGAdvanced Secure Gateway appliance examines much of the traffic that passes through
your network and attaches to other devices on your network; thus, it is very important to manage it
securely. This document describes best-effort security considerations for your ProxySGAdvanced
Secure Gateway deployment. Symantec recommends that you also consult your organization's security
requirements when deploying ProxySGAdvanced Secure Gateway appliances in your environment.

This document includes references to documentation available at MySymantec. See "Supporting

Documentation" on page 18 for additional information on these documents.

All command line interface (CLI) examples in this document are executed in configuration mode.
To enter config mode, issue the following commands:

>enable
Enable Password: password
#configure terminal
Enter configuration commands, one per line. End with CTRL-Z.
#(config)

Physical Location and Networking

l Secure the physical location where the ProxySGAdvanced Secure Gateway appliance is
deployed.

Limit access to a few top-level administrators. When possible, make sure that their access is
monitored.

l Avoid deploying an ProxySGAdvanced Secure Gateway appliance with a direct

connection to the Internet.

When possible, deploy the appliance behind a firewall to protect it from Internet-based attacks.

l Configure management access to the ProxySGAdvanced Secure Gateway appliance.

Methods to control access include:

o (On applicable models) Restricting physical access to the system and requiring a PIN to
access the front panel. Use the following CLI commands:
#(config)security front-panel-pin PIN
ok
 Alternatively, refer to “Requiring a PIN for the Front Panel” in the SGOS Administration
Guide (7.2.x).
o Restricting the IP addresses that are permitted to connect to the CLI. Use the following
CLI commands:
#(config)security allowed-access add allowed_IP allowed_IP_mask
ok

Alternatively, refer to “Limiting Workstation Access” in the SGOS Administration Guide

(7.2.x).
o Requiring a password to secure the Setup Console. Refer to “Securing the Serial Port” in
the SGOS Administration Guide (7.2.x).

l Prepare your network infrastructure for the connections to and from your
ProxySGAdvanced Secure Gateway appliance.

Refer to the Appendix in "Accessing the Appliance" chapter in the SGOS Administration Guide
(7.2.x) for a list of ports used by the appliance.

l Disable unused network interfaces.

The appliance supports disabling and enabling specific adapters and VLAN IP addresses. Disable
the interfaces in the Management Console by selecting Configuration > Network > Adapters >
Interfaces. Alternatively, use the following CLI commands:
#(config)interface interface_number
#(config interface interface_number)disable
ok

All interfaces are enabled by default; thus, you can disable adapters that are not in use.

Administer and Monitor the Appliance

l Isolate the browser.

ProxySGAdvanced Secure Gateway administrators access the appliance's Management Console

through a web browser. For better security, do not allow the browser to access the Internet. This
ensures that no web applications can glean login information or other details used in the
connection to the Management Console.

l Limit the inactivity timeout.

Configure inactivity timeouts:

l For the CLI (default is 5 minutes):

Proxy > Configuration > Authentication > Console Access > Enforce CLI auto-logout

l For the Management Console (default is 15 minutes):

 Proxy > Configuration > Authentication > Console Access > Enforce Web auto-
logout
 Alternatively, use the following CLI commands:
#(config)security management web-timeout value_in_minutes
ok
#(config)security management cli-timeout value_in_minutes
ok

In addition, you can configure inactivity timeouts per authentication realm. Refer to "Managing
Users/Logging Out Users" in SGOS Administration Guide (7.2.x) for more information.

l Configure a more secure username and password policy for appliance administrators.

Provide the console username and password to only a select few administrators. This account
has additional privileges which bypass administrative authentication policy, so it should only be
used to correct problems with this policy or with associated authentication configuration. Create
separate accounts for all administrators either in a local authentication realm on the appliance or
on an external authentication server accessed via IWA or LDAP, and use these accounts for all
other system configuration and maintenance. Do not use the appliance’s default username of
admin for any administrator accounts.

Because the appliance does not enforce password complexity by default, Symantec recommends
that you specify that all passwords must be at least 14 characters in length. Use the following CLI
command
#(config)security password-min-len 14
Note: existing passwords are not automatically updated to meet this
new length
ok

l Limit use of SNMP protocol to SNMPv3 only.

o Symantec strongly recommends using only SNMPv3 for system activity reporting. Earlier
versions of SNMP do not support authentication or encryption of the messages, and even
send the community string as plaintext over the network. Enabling SNMPv1 and SNMPv2c
exposes system activity communication to third parties. Only SNMPv3 offers
authentication and encryption.

To disable SNMPv1 and SNMPv2vc, use the following CLI commands:

#(config)snmp
#(config snmp)protocol snmpv1 disable
ok
#(config snmp)protocol snmpv2c disable
ok

Refer to “Configuring SNMP Communities” in the SGOS Administration Guide (7.2.x) for
details about configuration.
o When configuring SNMPv3 users, select both Authentication and Privacy modes.

l Choose SHA over MD5 when choosing the secure hash for Authentication mode, as
this is the more secure of the available hashes.
 l Choose AES over DES when choosing the encryption algorithm for Privacy mode,
as this is the more secure of the available algorithms.
l Enhanced security of SNMPv3 is based on each user having authentication and
privacy passphrases.

Refer to “Configuring SNMP Users for SNMPv3” in the SGOS Administration Guide (7.2.x)
for details. Alternatively, use the following CLI commands:
#(config)snmp
#(config snmp)edit user user
#(config snmp user user)authenticaton passphrase passphrase
ok
#(config snmp user user)authentication mode sha
ok
#(config snmp user user)privacy passphrase passphrase
ok
#(config snmp user user)privacy mode aes
ok
 If you must create new community strings while unsecure SNMPv1 and/or
SNMPv2c are enabled, do not provide read-write Authorization level unless doing so
is unavoidable. Instead of giving the new community strings a non-trivial
Authorization level (such as read-only or read-write), consider defining Access
Control Lists to reduce the attack vector for malicious users. Refer to "Adding
Community Strings for SNMPv1 and SNMPv2c" in the SGOS Administration Guide
for details.

l Secure SSH connections.

The ProxySGAdvanced Secure Gateway appliance can accept management Secure Shell (SSH)
connections. Since SGOS 6.7.2, it It also has the ability to initiate SSH connections, for example,
when uploading access logs over SCPconnecting to FireEye AX appliances for sandboxing.
ProxySGAdvanced Secure Gateway administrators can manage passwords, keys, and ciphers to
secure SSH communication.

Symantec recommends the following for inbound connections on SSH console:

l Use public key-pair authentication instead of password authentication. The former is more
secure for several reasons (for example, it is not susceptible to phishing, has a lower risk of
human error, does not involve over-the-wire transfer).
l Use stronger ciphers and HMACs for communication. By default, the appliance ships with
five enabled ciphers and ten enabled HMACs. Enable additional ciphers and HMACs only if
necessary and disable them after use if the connection is temporary. Refer to “Managing
SSH Ciphers for Inbound Connections” and “Managing SSH HMACs for Inbound
Connections” in the SGOS Administration Guide (7.2.x) for details.

Symantec recommends the following for the outbound SSH client:

l To make an outbound connection, the appliance requires known host specification,

including a key pair for every host. If communication with a specific host is temporary,
delete it when it is no longer required. Refer to “Delete Known Hosts” in the SGOS
Administration Guide (7.2.x)
l Use stronger ciphers and HMACs for communication. By default, the appliance ships with
six enabled ciphers and ten enabled HMACs. Enable additional ciphers and HMACs only if
necessary and disable them after use if the connection is temporary. Refer to “Managing
SSH Ciphers for Outbound Connections” in the SGOS Administration Guide (7.2.x) for
details.
l The appliance allows you to prioritize ciphers and HMACs for outbound connections and a
conformant SSH server should honor this prioritization. The ciphers in the Available list are
listed in order of cipher strength. Symantec recommends that you replicate this order in the
Selected ciphers list.

After an upgrade or downgrade, the Selected list of ciphers and HMACs may change.
General rules are described in appropriate sections in the SGOS Administration Guide
(7.2.x).

l Secure communication with SSL device profiles.

By default, the ProxySGAdvanced Secure Gateway appliance ships with three predefined SSL
profiles for secure non-proxy communication. This communication includes peer-to-peer
 communication as well as communication with external services. The default profile can only be
edited, but you can create new profiles.

Symantec recommends the following for SSL device profiles:

l By default, the appliance does not include weak ciphers in device SSL profiles. When
editing an existing profile or creating a new profile, do not add weak ciphers to the profile
configuration.
l When creating a new profile, limit the TLS protocol version to the strongest that is
supported by the remote SSL host.
l When creating a new profile, leave the peer verification option enabled. With peer
verification enabled, the appliance will perform a set of checks to ensure any received
certificates are both trusted (as determined by the CA certificates contained within the
specified CCL) and valid (that is, not expired).

l Enable all email and other alerts.

Direct emails and alerts to addresses and services that can be viewed by multiple administrators.

l Set maximum number of failed attempts for the local user database.

Configure a local user database so that each user account is automatically disabled if too many
failed login attempts occur within a specified period, which might indicate a brute-force password
attack on the ProxySGAdvanced Secure Gateway appliance. To modify security settings, use the
following CLI:
#(config)security local-user-list edit list_name
#(config local-user-list list_name)max-failed-attempts number_of_
attempts
ok
#(config local-user-list list_name)lockout-duration duration_in_
seconds
ok
#(config local-user-list list_name)reset-interval interval_in_seconds
ok

Make sure that your settings adhere to your corporate password security policy.

l Configure separate authentication realms for administrators and end users.

Configure different local realms for administrative and end-user (proxy) authentication. This
precaution ensures that administrators are not locked out in case of a brute-force password-
guessing attack by an end user attempting to authenticate to the proxy.

l Set failed attempts and other secure authentication parameters for external authentication
services.

Refer to the SGOS Administration Guide (7.2.x) for specific external authentication service setup.

l Use Content Security Policy for threat protection.

See "Use Security Policy" on page 13 for details.

l Use HTTPS for ICAP scanning (Secure ICAP).

 Symantec recommends securing ICAP communication when setting up Content Analysisif you
use an external ICAP service. Select Always use secure connections when setting up or
modifying the existing malware scanning service. Refer to “Selecting the Connection Security
Mode” in the SGOS Administration Guide (7.2.x).

l Secure access log uploads.

The ProxySGAdvanced Secure Gateway appliance offers various options to secure access log
transfer:

l Configure a secure upload client to keep data confidential. The appliance supports several
upload clients: Custom, HTTP, FTP, SCP, and Kafka. All the clients include the Use
secure connections (SSL) option. Symantec recommends enabling this option.
l Encrypt the access log to keep data confidential. Refer to “Encrypting the Access Log” in
the SGOS Administration Guide (7.2.x). If configuring a secure upload client is not
possible, Symantec recommends this feature instead.
l Sign the access log to ensure data integrity. Refer to “Digitally Signing Access Logs” in
SGOS Administration Guide (7.2.x).
l Secure policy downloads via remote URL.

The ProxySGAdvanced Secure Gateway appliance provides three methods for downloading and
installing policies: from a text editor, from a local file, and via a remote URL. If you update policy
via remote URL, Symantec recommends using the HTTPS protocol to protect the privacy and
integrity of the installed policy.

In the Management Console (Proxy > Configuration > Policy > Policy Files > Policy Files and
Proxy > Configuration > Policy > Policy Files > Visual Policy Files), specify a URL in the form
https://policy_file_path for the appropriate policy file type.
Alternatively, specify the URL using the CLI command:
#(config)policy policy_file-path url

In addition to the policy file types supported in the Management Console, the CLI allows you to
configure URLs for the landlord, tenant, and VPM classification policy files.

If you use a device profile other than the default SSL security profile for policy download,
follow the recommendations in "Secure communication with SSL device profiles." on
page 6.

l Use sandboxing services integrated with Content Analysis.

Symantec recommends using one of the following for improved detection abilities and reporting:

l Symantec Malware Analysis: Specify Malware Analysis appliances in the Management

Console (Sandboxing > Vendors > Blue Coat Malware Analysis > Servers).
l Symantec Cloud Sandbox: (Introduced in Advanced Secure Gateway 6.7.3) The Symantec
Cloud Sandbox service is subscription-based and requires no configuration other than
activating the license and enabling the service (Sandboxing > Settings).

For more information on sandboxing, refer to the Advanced Secure Gateway - Content Analysis
online help .
Securing the HTTPS Management Console
l Do not enable HTTP web management.

By default, only HTTPS web administration is enabled. Symantec recommends that you do not
enable the HTTP Management Console. If it is enabled, disable it following instructions in
“Creating a Management Service” in the SGOS Administration Guide (7.2.x).

l Introduce a separate entity certificate for the management port.

Do not rely on the self-signed certificate provided by default. The appliance ships with a predefined
default keyring with a certificate serving as the entity certificate for management services, as well
as a Certificate Authority (CA) certificate for emulated SSL certificates. Before deploying the
ProxySGAdvanced Secure Gateway appliance, Symantec recommends that you create a new
entity certificate for management services with a signing algorithm and keys confirming your
corporate security policy. See “Creating a Keyring” in the SGOS Administration Guide (7.2.x) on
how to create new keyrings and import certificates.

l Use a more secure TLS version to harden the SSL connection.

By default, only TLSv1.1, TLSv1.2, and TLSv1.3 are enabled and supported. Symantec
recommends disabling TLSv1.1 and using the more secure TLSv1.2 or TLSv1.3.

l Use more secure cipher suites to harden the SSL connection.

By default, the HTTPS Management Console comes with 22 secure ciphers enabled. In addition,
four less secure ciphers are supported (ECDHE-RSA-RC4-SHA, DES-CBC3-SHA, RC4-SHA,
RC4-MD5) but not enabled. Symantec recommends that you do not enable the less secure
ciphers.

User-Defined Exception Pages

l Secure user-defined exception pages containing URLs.

An XSS vulnerability exists in versions earlier than 6.7.4.2 where attackers can inject malicious
code into user-defined exception pages. Version 6.7.4.2 includes a partial fix for this issue, but
additional configuration might be required. To secure user-defined exception pages, Symantec
recommends the following:

1. Upgrade to version 6.7.4.2 or later.

2. URLs can be used only in HTML element bodies. Do not insert the original request URL in
other contexts, such as HTML attribute values, JavaScript code, or CSS property values.

SSL Proxy Best Practices

l Use more secure TLS versions to harden the SSL connection.

By default, SSLv3, TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3 are all enabled for SSL proxy traffic.
The use of SSLv3 or TLSv1.0 is not recommended due to various vulnerabilities in these protocol
versions. SGOS 7.2.x and later use OpenSSL 1.1.1 which does not support SSLv2.

For best security, Symantec recommends using the following CPL gestures:
 <ssl>
client.connection.negotiated_ssl_version=(SSLV3,TLSv1) force_deny

<ssl>
server.connection.negotiated_ssl_version=(SSLV3,TLSv1) force_deny

Before disabling SSLv3 and TLSv1.0, verify that all clients and servers with traffic going
through the appliance support TLSv1.1 or later.

l Use more secure cipher suites to harden the SSL connection.

The appliance uses the first cipher suite offered by a client, even if it is a lower grade. For better
security, allow only cipher suites that meet your minimum acceptable level of security.

Symantec recommends using CPL such as the following to harden the list of cipher suites:
<ssl>
client.connection.negotiated_cipher.strength=(low,medium) force_
deny

<ssl>
server.connection.negotiated_cipher.strength=(low,medium) force_
deny

Denying all low and medium strength ciphers might prevent communication with older
clients or servers. If this occurs, review the allowed ciphers and adjust the previous policy
to enable appropriate ciphers for successful traffic flow.

In releases prior to SGOS 7.2.x, Symantec recommended the following policy, which is no longer
recommended because the listed cipher suites are no longer available:

If your policy contains the following CPL or reference to the deprecated low strength
ciphers, Symantec recommends removing the references. If the references are not
removed, policy will compile and a warning message will be issued.

<ssl>
client.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5, \
EXP-DES-CBC-SHA) force_deny

<ssl>
server.connection.negotiated_cipher=(EXP-RC4-MD5,EXP-RC2-CBC-MD5, \
EXP-DES-CBC-SHA) force_deny

For more information, see the "Behavior Changes Applicable to SGOS 7.2.x Upgrade/Downgrade"
topic in the SGOS Upgrade/Downgrade WebGuide.

Even with the recommended CPL gestures in policy, scanners scanning the SSL proxy
port might identify weak ciphers and/or vulnerable protocol versions. These false positives
arise due to how the appliance handles SSL negotiations. When scanning the port, the
 scanner targets the appliance as if it were an origin content server (OCS). The appliance
responds with a successful negotiation of the (potentially weak) cipher suite and
(potentially old) SSL/TLS version—even when it intends to reject the request—in order to
return the reason for the rejection to the client. In this case, no request information is ever
sent to the actual OCS using a weak cipher.

l Create a certificate signed by a trusted CA.

Do not rely on the self-signed certificate provided by default. Before deploying your
ProxySGAdvanced Secure Gateway appliance, Symantec recommends that you create a new
SSL interception keyring and replace the built-in self-signed certificate with one signed by a CA
conforming to your PKI and your security policy. Follow instructions in “Create a CA-Signed
Certificate” in the First Steps Deployment Guide to generate a CSR and issue the appropriate
certificate.

l Do not disable server certificate validation.

In a forward proxy deployment, server certificate validation is enabled by default. The following
certificate parameters are validated: expiration, untrusted issuer, revocation and—in a non-
tunneling case—hostname mismatch. Symantec recommends that you do not write policy that
disables server certificate validation.

Refer to "SSL Proxy Best Practices” in SSL Proxy Deployment Guide for descriptions of
various specialized scenarios and how to handle them.

Reverse Proxy Best Practices

The Reverse Proxy WebGuide provides guidance for various deployment scenarios and best practices.
Symantec recommends following the instructions in the webguide and taking the following additional
steps:

l Disable unused services.

In a reverse proxy deployment, the appliance IP address is usually visible to the Internet; thus, it is
important to enable only the proxy services that are in use. Every enabled proxy service port will
be visible to external scanners.

l Use more secure TLS versions to harden the SSL communication for the HTTPS Reverse
Proxy service.

Symantec recommends disabling TLSv1.0 due to various vulnerabilities in that protocol version.

l Downstream connection: By default, TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3 are

enabled for accepting downstream connections by the HTTPS Reverse Proxy service. To
disable TLSv1.0 in the HTTPS reverse proxy service, refer to “Creating an HTTPS
Reverse Proxy Service” in the SGOS Administration Guide (7.2.x).

l Upstream connection: If HTTPS is used for upstream connections to the OCS, disable
TLSv1.0 through SSL Client settings. Refer to “Editing an SSL Client” in the SGOS
Administration Guide (7.2.x). Alternatively, use the following CLI commands:
 #(config)ssl
#(config ssl)edit ssl-client default
#(config ssl default)protocol tlsv1.1 tlsv1.2 tlsv1.3
ok

l Use more secure cipher suites to harden the SSL communication for the HTTPS Reverse
Proxy service.

As with SSL device profiles, the appliance by default does not include weak ciphers in the default
SSL client. When editing an existing SSL client or creating a new one, Symantec recommends
that you do not add weak ciphers to the profile configuration. If weak ciphers were previously
enabled, disable them through SSL Client settings. Refer to “Changing the Cipher Suite of the SSL
CLI” in the SGOS Administration Guide (7.2.x). Alternatively, use the following CLI commands:
#(config)ssl
#(config ssl)edit ssl-client default
#(config ssl default)cipher-suite

Cipher# Use Description Strength

------- --- --------------------------- --------
1 yes ECDHE-RSA-AES256-SHA384 High
2 yes ECDHE-RSA-AES128-SHA256 High
3 yes ECDHE-RSA-AES256-GCM-SHA384 High
…
Select cipher numbers to use, separated by commas:

l Enable client certificate validation.

For mutual authentication, enable client certificate validation using either of two methods:

l Implicitly, when creating/editing the HTTP Reverse Proxy service. Refer to “Creating an
HTTPS Reverse Proxy Service” in the SGOS Administration Guide (7.2.x).

l Explicitly, using the following CPL:

<ssl>
client.certificate.validate(yes)

Web Application Firewall Best Practices

The Web Application Firewall Solutions Guide provides guidance for various deployment scenarios and
best practices. Symantec recommends following the instructions in the webguide and taking the
following additional steps:

l Implement all of steps in "Reverse Proxy Best Practices " on the previous page.

l Make sure that your Application Protection subscription is updated. Use the following CLI:
#(config)application-protection
#(config application-protection)view
Version: 20170126
Notify Only: Enabled
License Type: Demo
 Licensed Until: Sun, 08 Jul 2018 00:00:00 UTC
Service: Enabled
Download method: Direct
Last successful download:
New version 20171025 is available. Initiate a manual download to
update to this new version.

If the output does not indicate an outdated database or other download issue, you do not have to
initiate a new download. In the example above, the database is out-of-date. Download a new
database using the following CLI:
#(config application-protection)download get-now force
Time: Thu, 18 Jan 2018 14:58:28 UTC
Downloaded from:
https://subscription.es.bluecoat.com/application-protection/database

Alternatively, refer to “Verifying the Database Download” in the SGOS Administration Guide
(7.2.x).

Use Security Policy

Two pre-configured policies, Access Security Policy and Content Security Policy, are available in this
release. These policies are configured through the web Visual Policy Manager (VPM) and require minimal
manual input and deployment time. Use this feature to implement best-practices security coverage out of
the box, and to facilitate setup, deployment, and testing of policies.

This feature provides the following benefits over manually writing policy:

l Implementation time; effect is immediately apparent and especially useful in evaluation

deployments and mid-sized organizations.
l Applies security policy to protect users first, allowing you to customize your policy with more
complex rules as you learn how to use VPM/CPL.
l Incorporates existing best practices published by Symantec leveraging URL Threat Risk Levels,
URL categories, and content scanning recommendations.
l Offloads managing and updating of policy to Symantec (via the Policy Services subscription on
SGOS).

The underlying policy definitions required for this feature are delivered through the Policy Services
subscription. Both Access and Content Security policies are disabled by default.

For more information on this feature, refer to the ProxySG Web Visual Policy Manager Reference (7.x)
and the "Using Policy Services" chapter in the SGOS Administration Guide (7.x).

l Activate Access Security policy.

The following example shows options for an initial Access Security policy activation in the web
VPM:
 After adding the policy layer, select one of the three security levels:

l Recommended: Offers the recommended level of security by blocking sites with risky
categories, high threat risk levels, and executable downloads from unrated and risky
destinations.
l Strong: Includes the Recommended security protection, plus additional categories and
threat risk levels.
l Maximum: Includes the Strong security protection, plus additional categories and threat
risk levels. This protection level may result in a higher level of false positives, requiring
some custom policy overrides for users that require access to ambiguous sites.

Once activated, the policy is in effect and starts blocking dangerous transactions based on the
selected level. Two action modes determine whether a request will be blocked or monitored:

l Block: The transaction is denied and the client receives an exception page (force_
exception)
l Monitor: The transaction is not denied. Instead, the policy populates the x-bluecoat-
access-security-policy-action and x-bluecoat-access-security-
policy-reason fields in the access log.

Refer to these log fields to help validate the policy in complex environments where the outright
deployment in block mode is not considered acceptable, and an additional phase of monitoring the
real-world results is desired.

The operation of Security Policy depends on the selected level. In detection coverage, each level
is the superset of the previous level.

Refer to https://www.symantec.com/docs/TECH254470 for a summary of the requests that are

blocked or monitored at each protection level.

l Identify Access Security policy exceptions.

When a transaction is blocked due to Access Security policy, an exception such as the following
exception occurs:
 The exception includes basic actionable information about the blocked transaction.

l Activate Content Security Policy.

The following example shows options for an initial Content Security policy activation in the web
VPM:
 After adding the policy layer, select one of the three security levels:

l Recommended: Offers the best balance between security and performance.

l Strong: Includes the Recommended security protection, plus additional scanning for
images and includes scanning for additional web applications.
l Maximum: Includes the Strong security protection, plus additional scanning for all
destinations .

The Prioritized ICAP Fail-Over List accepts a prioritized list of ICAP services or groups, where
the first healthy service or group in the list is chosen for content analysis. ICAP servers and
ICAP service groups (for load balancing to multiple ICAP servers) must be created through the
Management Console or CLI first before they are selected here.

Refer to https://www.symantec.com/docs/TECH254471 for a summary of security and

performance at each protection level, as well as what is bypassed at each level.

l Override Content Security Policy.

 You can override the global protection level for Content Security Policy. In the web VPM, add a
Web Content Layer and configure a Set Content Security Scanning action object.

l Create exemptions to reduce false positives.

To help reduce false positives, you can add exemption rules to specific policy layers.

Security Policy Type Policy Layer for Exemption Rule Action Object

Access Security Web Access Layer Exempt From Access Security

Content Security Web Content Layer Set Content Security Scanning

For example, a specific user or user group can be exempted. Using exemption rules has no effect
on policy while Security Policy is disabled.

When building the exemption, you must consider policy timing. For example, if an
exemption is based on response type and Access Security Policy blocks the transaction at
an earlier time because the request is classified as a security category or high URL Threat
Risk Level, the exemption will not apply.
 Supporting Documentation
Before implementing the best practices described in this document, and as needed to maintain your
deployment, refer to the following documents available at MySymantec.

For proxy-related information, refer to the equivalent version of SGOS documentation. For content
analysis-related information, refer to the appropriate version (as noted in Advanced Secure Gateway
release notes) of Content Analysis documentation.

SGOS:

https://support.symantec.com/content/unifiedweb/en_US/Documentation.html?prodRefKey=1145522

Content Analysis:

https://support.symantec.com/content/unifiedweb/en_US/Documentation.html?prodRefKey=1145459

Document Overview
Advanced Secure Gateway - Content Instructions and information on administering the
Analysis online help Advanced Secure Gateway appliance's Content
Analysis features.
 To access Content Analysis online help,
click the Help (?) button on any tab (other than
Proxy) in the Advanced Secure Gateway web
interface.
SGOS Upgrade/Downgrade Guide Steps for upgrading or downgrading SGOS. Also covers
behavior changes and policy deprecations.
https://www.symantec.com/docs/DOC9794
SGOS Administration Guide Detailed information for configuring and managing the
ProxySG appliance.
https://www.symantec.com/docs/DOC11607
Command Line Interface Reference Commands available in the ProxySG appliance CLI and
how to use them to perform configuration and
https://www.symantec.com/docs/DOC11609
management tasks.
ProxySG Web Visual Policy Manager How to create and implement policy in the ProxySG
WebGuide appliance's web-based Visual Policy Manager,
including layer interactions, object descriptions, and
https://www.symantec.com/docs/DOC11610
advanced tasks.
Legacy Visual Policy Manager Reference How to create and implement policy in the ProxySG
appliance's legacy Visual Policy Manager.
https://www.symantec.com/docs/DOC11611
Content Policy Language Reference CPL gestures available for writing the policy by which
the ProxySG appliance evaluates web requests.
https://www.symantec.com/docs/DOC11608
Required ports, protocols, and services for Basic configurations, and some commonly used
the ProxySG appliance options, for ports and protocols.

https://www.symantec.com/docs/INFO5294
Document Overview
First Steps Deployment Guide How to get a ProxySG up and running in a Secure Web
Gateway (SWG) deployment.
http://www.symantec.com/docs/DOC10940
SSL Proxy Deployment Guide Best practices for deploying the SSL proxy. The SSL
proxy improves visibility into SSL traffic, allowing
http://www.symantec.com/docs/DOC10325
security policies and logging to be applied to encrypted
requests and responses, and can enhance performance
by caching encrypted data.

Reverse Proxy WebGuide How to deploy a ProxySG appliance as a front-end for

Internet-based users to access secure application,
http://www.symantec.com/docs/DOC9782
content, and web servers.
Web Application Firewall Solutions Guide How to configure Symantec WAF solution to protect
your web servers, accelerate web content, and simplify
http://www.symantec.com/docs/DOC10451
operation.
Secure Web Gateway - Content Analysis Provides a secure and customizable policy model for
Policy Best Practices Improvement bypassing content scanning to improve the user
experience where needed or save resources by
http://www.symantec.com/docs/DOC10920
excluding low-risk/high-volume traffic. This document
identifies weak policy conditions and is intended to
reduce risk by using different sets of policy conditions.
SGOS 7.2.x Documentation Full list of documentation published for SGOS 7.2.x.

https://www.symantec.com/docs/DOC11612
SGOS Release Notes Changes, issues, fixes, and limitations pertaining to
SGOS releases. Also includes any related security
SGOS Release Notes are available on the
advisory (SA) fixes.
Downloads page. Log in to MySymantec
with your MySymantec credentials to access
the release image and release notes.

Provide Feedback

Send any questions or comments about documentation: [email protected]

 Legal Notice
Copyright © 2019 Symantec Corp. All rights reserved. Symantec, the Symantec Logo, the Checkmark
Logo, Blue Coat, and the Blue Coat logo are trademarks or registered trademarks of Symantec Corp. or
its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All
warranties relating to the information in this document, either express or implied, are disclaimed to the
maximum extent allowed by law. The information in this document is subject to change without notice.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE
DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE
LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR
CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR
USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION
IS SUBJECT TO CHANGE WITHOUT NOTICE. SYMANTEC CORPORATION PRODUCTS,
TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS
DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS,
REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT
REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE
LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE
RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY
BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT
AFTER DELIVERY TO YOU.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

www.symantec.com

4/1/2020