Secure Web Gateway - Content Analysis Policy Best Practices Improvement
This best practices document improves upon Symantec's previous content scanning recommendations for integrating Content Analysis appliances with the Secure Web Gateway (SWG) solution, which includes ProxySG, Advanced Secure Gateway, and SWG virtual appliances. These best practices provide a more secure and customizable policy model for bypassing content scanning to lower risk and improve user experience, as well as ways to save resources by excluding low-risk/high-volume traffic.
Previous versions of the documentation include policy examples based partly on weak selectors such as the Content-Type, Content-Length, and User-Agent HTTP headers. Rules that bypass scanning unconditionally on only one of these elements create a security concern, because an attacker who controls a client or server can forge all of them and thereby bypass content scanning. Those older documents are deprecated in favour of the current recommendations.
Different deployments have different requirements for security, performance, and user experience: although scanning all or most of the traffic is desirable from a security perspective, a full scanning policy puts more load on the attached Content Analysis instances and might impact the user experience. Furthermore, some applications, such as stock tickers and streaming media, comprise never-ending streams, which must be excluded from scanning to work as expected.
For reference, the deprecated content scanning recommendations consist of two core documents:
• Integrating Content Analysis with other Blue Coat Products: ProxySG and Malware Analysis
  http://www.symantec.com/docs/DOC10466
In addition, details are available in KB articles such as TECH242686, which describes slowness/latency when turning on ICAP scanning:
• http://www.symantec.com/docs/TECH242686
Although you can refer to the previous documents in conjunction with the current recommendations, Symantec's intention is to remove them when a more comprehensive update of ProxySG - Content Analysis Policy Best Practices Improvement is released.
Policy Condition Type                          | Policy Condition                                                                                     | CPL Gesture / Setting
                                               | Web Application Group                                                                                | request.application.group
HTTP Request Headers                           | User-Agent                                                                                           | request.header.User-Agent
HTTP Response Headers and Payload              | Apparent Data Type (True File Type)                                                                  | http.response.apparent_data_type
                                               | Content-Type (MIME Type)                                                                             | response.header.Content-Type
                                               | File Extension                                                                                       |
                                               | Content-Length                                                                                       | response.header.content-length.as_number
                                               | HTTP Version                                                                                         | http.response.version
Client Protocol Detection                      | Protocols such as streaming, https, http, ftp                                                        | streaming.client=yes, streaming.client=windows_media, etc.
Content Analysis AV Scanning Behavior Settings | Maximum Individual File Size; Maximum Total Uncompressed Size; Maximum total # of Files in Archive   | Content Analysis settings. Refer to the Content Analysis Administration Guide (2.2.x).
Exercise caution when using the following conditions, as they can be easily manipulated by an attacker. Symantec recommends that you bypass only specific file extensions and MIME-Types with specific threat risk levels, or those requested from a specific URL host/domain/category.
Policy Condition Type              | Basic Security                                                          | Medium Security | High Security                          | Minimum SGOS Version | Required License
Low Risk/High Volume Apps          | High Volume/Low Risk Content: YouTube, Vimeo, Facebook                  |                 |                                        |                      |
Web Application Group (3)          | Custom (such as "Collaboration" apps)                                   | Custom          | None/Custom-Defined                    | SGOS 6.7.2           | CASB Audit AppFeed
True File-Type                     | JPG, GIF, PNG, TIF, ICO                                                 |                 | None/Custom-Defined                    |                      |
Streaming Client (4)               | windows_media, real_media, quicktime, ms_smooth, adobe_hds, apple_hls   |                 | None/Custom-Defined                    | SGOS 6.5             |
URL Domains                        | Custom defined: Stock Tickers, AV Signature Update Domains              | Custom defined  | Custom defined                         |                      |
Delete on abandonment              | Enabled                                                                 | Enabled         | Enabled                                |                      |
SGOS ICAP Settings                 |                                                                         |                 |                                        |                      |
  ICAP Trickling                   | Enabled                                                                 | Enabled         | Enabled                                |                      |
  ICAP Deferred Scanning           | Enabled                                                                 | Enabled         | Enabled                                |                      |
Content Analysis Thresholds        |                                                                         |                 |                                        |                      |
  Maximum File Size                | > 100 MB                                                                | > 500 MB        | Maximum (> 5GB)                        |                      |
  Maximum Number of Files in Archive | 10,000                                                                | 50,000          | Maximum (100,000)                      |                      |
  Maximum Total Uncompressed Size  | 1000 MB                                                                 | > 2048MB        | Maximum (> 5GB)                        |                      |
  Maximum Archive Layers           | 16 (default)                                                            | 16 (default)    | Maximum (depends on engine; 40-100)    |                      |
(1) Rules based on URL Category and Web Application Name require a valid BCWF license or Intelligence Services Basic or Advanced Subscription, and SGOS 6.5.x.
(2) Rules based on URL Threat Risk Level require an Intelligence Services Advanced Subscription and SGOS 6.6.x.
(3) Rules based on URL Web Application Groups require a CASB Audit AppFeed subscription and SGOS 6.7.2.
(4) Streaming Protocol Detection requires SGOS 6.5.x and handoff enabled for the protocol used. To enable protocol handoff, edit the streaming protocol. Refer to "Limiting Bandwidth" in the SGOS Administration Guide (6.7.x) for details.
8 | Secure Web Gateway - Content Analysis Policy Best Practices Improvement
These policy templates are designed to bypass content scanning for low risk/high volume content, which is identified by detection mechanisms such as URL Threat Risk Levels, URL Category, URL, Web Application, Application Group, streaming detection, and file types. The templates also provide a framework to customize these predefined conditions, allowing you to add more entries to bypass traffic from content scanning. Each template includes installable CPL policy and documentation comments.
Some conditions in the template require specific licenses or SGOS versions. See the "Minimum SGOS Version" and "Required License" columns in "New Risk-Based Content Scanning Model" on page 6.
Refer to the following table to determine the template that is appropriate for your deployment. Download the appropriate file in the Download Files section at http://www.symantec.com/docs/DOC10919.
If you have a CASB Audit AppFeed subscription, you can bypass scanning based on more than 21,000 web applications and more than 200 web application groups.
To view the policy correctly, open the template file with a source code editor such as Notepad++.
Security Levels
The policy model contains three predefined security levels: Basic, Medium, and High. Each level is prefaced as follows:
; ###########################
; # BASIC SECURITY PROFILE #
; ###########################
You can enable only one of the three security levels.
Conditions in the template are named with the convention condition-name_Level_security-level, such as Web_Apps_No_ICAP_Level_Basic and Web_Apps_No_ICAP_Level_Medium. When customizing the template, pay careful attention to the condition name to ensure you are modifying the correct policy.
By default, scanning of risky destinations is enforced by the Must-Scan-Destinations condition with a policy action of OK. Because the first matching rule in a layer wins, this ensures that subsequent rules which would disable content scanning are not reached in policy evaluation.
The Must-Scan-Destinations condition includes a set of URLs, URL Categories, Application Names, Application Groups, and URL Threat Risk Levels; a destination is considered risky if the server URL has a high URL threat risk level, is categorized with a security category, or is categorized as a web application that is often abused to deliver parts of the attack kill chain, such as File Storage.
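The following CPL is an added example that sketches the model described above; it is not the Symantec template's own policy. It puts the Must-Scan-Destinations rule first in the level macro so that the strong-selector bypass rules (true file type, detected streaming client, application name, domain) never match a risky destination, enables scanning with the trickle-at-end feedback recommended in the Appendix, and keeps the deprecated header-only bypass commented out for contrast with the caution given earlier. Assumptions: the threat-risk range syntax and values, the category and application-group names, the example domains, the apparent_data_type token spellings, the ICAP service name cas1, and that a define policy block holds a list of rules (matching how the template invokes policy.<name> inside a <cache> layer).

```cpl
; Added example, not the Symantec template. Assumed values are marked inline.

; 1. Destinations that are scanned no matter which level is active.
define condition Must-Scan-Destinations
    url.threat_risk.level=7..10                                            ; assumed range syntax and values
    url.category=("Malicious Sources/Malnets", "Phishing", "Suspicious")   ; assumed category names
    request.application.group="File Storage"                               ; assumed group name
end

; 2. Medium-level bypass conditions built only from strong selectors.
define condition Web_Apps_No_ICAP_Level_Medium
    request.application.name=(YouTube, Vimeo, Facebook)
end

define condition Streaming_No_ICAP_Level_Medium
    streaming.client=(windows_media, real_media, quicktime, ms_smooth, adobe_hds, apple_hls)
end

define condition Domains_No_ICAP_Level_Medium
    ; constructed example hosts: a stock ticker and an AV signature update server
    url.domain=(ticker.example.com, avupdate.example.net)
end

define condition True_File_Type_No_ICAP_Level_Medium
    ; file type derived from the payload, unlike the client/server-controlled Content-Type header
    http.response.apparent_data_type=(jpg, gif, png, tif, ico)             ; assumed token spelling
end

; 3. Level macro. Within one layer the first matching rule wins, so the OK
;    rule on risky destinations stops the bypass rules below it from matching.
define policy ICAP_Content_Scan_Medium_Security
    condition=Must-Scan-Destinations                 OK
    condition=Web_Apps_No_ICAP_Level_Medium          response.icap_service(no)
    condition=Streaming_No_ICAP_Level_Medium         response.icap_service(no)
    condition=Domains_No_ICAP_Level_Medium           response.icap_service(no)
    condition=True_File_Type_No_ICAP_Level_Medium    response.icap_service(no)
end

; 4. Turn response scanning on for everything, with trickle-at-end feedback.
<Cache>
    response.icap_service(cas1, fail-closed) response.icap_feedback(trickle_end)

; 5. Select exactly one level. This later layer overrides the layer above
;    only for transactions that match one of the bypass rules.
<Cache>
;policy.ICAP_Content_Scan_Basic_Security
policy.ICAP_Content_Scan_Medium_Security
;policy.ICAP_Content_Scan_High_Security

; Deprecated pattern from the older guidance, kept commented out: each of
; these selectors is supplied by the client or the server, so any party that
; chooses to send the matching value is excluded from scanning.
;<Cache>
;    response.header.Content-Type="image/jpeg"   response.icap_service(no)
;    request.header.User-Agent="Ticker/1.0"      response.icap_service(no)
```

The Basic and High macros follow the same shape with their own `_Level_Basic` and `_Level_High` conditions; only the contents of the bypass conditions change between levels, while the Must-Scan-Destinations rule stays first in every macro.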
2. Enable the appropriate security level (as determined using the risk-based model).
Uncomment the policy macro CPL line pertaining to the security level you want to use, and comment out the other two. The respective policy lines are located after the initial README section. Refer to the following example of policy with the medium security level enabled:
<cache>
;policy.ICAP_Content_Scan_Basic_Security
policy.ICAP_Content_Scan_Medium_Security
;policy.ICAP_Content_Scan_High_Security
This CPL only bypasses scanning for the selected traffic; it does not activate ICAP response scanning.
3. Adjust the definitions and rule set for the security level you want to use.
a. In a Web Content Layer, add a Content-Scanning object to enable ICAP response scanning:
b. Install the policy file in the local policy slot using the CLI command inline policy local. Alternatively, install the policy in a CPL Layer in the VPM.
8. Test the policy and refine it as needed. Then, deploy the policy to your production environment.
(Recommended) Use Management Center to edit and deploy the policy. See "(Optional) Edit Policy in Management Center" on the next page for details.
Do not configure settings in Threat Protection > Malware Scanning. Doing so will override local policy.
In addition, the Single Pane Layout in Management Center's Policy Editor color-codes CPL and numbers lines for improved readability. The following example of CPL in a policy object shows comments in green and layer headings in blue.
For detailed information on creating and deploying policy using Management Center, refer to the Management Center Configuration and Management Guide:
http://www.symantec.com/docs/DOC10660
Appendix: Reference Information
Refer to the following topics for additional information:
Data Trickling
Patience pages provide a solution to appease users during relatively short delays in object scans, but are less effective
when delays are longer. Scanning relatively large objects, scanning objects over a smaller bandwidth pipe, or high loads on
servers might cause connection timeouts and disrupt the user experience. To prevent such timeouts, you can allow data
trickling (data transfer at a very slow rate) to occur. The appliance begins serving server content without waiting for the
ICAP scan result. To maintain security, the full object is not delivered until the results of the content scan are complete and
the object is determined to not be infected.
• trickle at start - The appliance trickles bytes to the client at the beginning of the scan.
• trickle at end - The appliance trickles bytes to the client near the end of the scan.
• patience page - The appliance provides a patience page to the user if scanning does not complete within the specified interval.
• no feedback - The appliance does not deliver bytes to the client until scanning completes.
Symantec recommends trickling data at end. This mode provides the best user experience and is a more secure approach
than bypassing traffic entirely from content scanning.
The policy discussed assumes that trickling at end is enabled and configured globally, as follows:
Alternatively, use the response.icap_feedback() CPL gesture to configure feedback options during scanning. For details, refer to the Content Policy Language Reference (6.7.x) and Integrating Content Analysis 2.2 with other Blue Coat Products.
Deferred Scanning
The deferred scanning feature helps to avoid network outages due to infinite streaming. Infinite streams are connections such as webcams or Flash media (traffic over an HTTP connection) that conceivably have no end. Characteristics of infinite streams may include no content length, a slow data rate, and a long response time. Because the object cannot be fully downloaded, the ICAP content scan cannot start; however, the connection between the appliance and Content Analysis remains open, wasting finite connection resources. With deferred scanning, ICAP requests that are unnecessarily holding up ICAP connections are detected and deferred until the full object has been received.
The default setting of any newly added ICAP response mode service is to activate deferred scanning at a threshold of 80%. Use 80% or a lower value (such as 50%) if many infinite/slow downloads are seen. The policy discussed assumes that Deferred Scanning is enabled, as follows:
For more details, refer to the Content Policy Language Reference (6.7.x) and Integrating Content Analysis 2.2 with other Blue Coat Products.
Symantec recommends that you review the usage statistics of the attached Content Analysis instances before enabling
SSL interception on a proxy deployment with activated content scanning.
>enable
Enable Password: password
#show access-log format bcreportermain_v3
Settings:
Format name: bcreportermain_v3
Type elff "date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-extension s-ip sc-bytes cs-bytes x-virus-id x-bluecoat-application-name x-bluecoat-application-operation cs-threat-risk x-bluecoat-transaction-uuid x-icap-reqmod-header(X-ICAP-Metadata) x-icap-respmod-header(X-ICAP-Metadata) rs-icap-status"
Multiple-header-policy log-last-header
The previous command is also available in configuration mode. To enter config mode, issue the following CLI:
#configure terminal
Enter configuration commands, one per line. End with CTRL-Z.
#(config)
To set the log format for the specified log:
; ICAP Troubleshooting
access_log.log-name(yes)
ICAP Mirroring
; Sample Policy object for ICAP Mirroring
; ICAP mirroring presents a "detect-only" possibility without preventing
; malicious content from being served to the client. This policy action
; serves requested content directly to a user while simultaneously scanning
; that content via a configured ICAP external service.
<Cache>
    response.icap_mirror(yes) response.icap_service(cas1, fail-closed)

; Define Action
; A Range request returns only part of an object; removing the header makes
; the proxy fetch the whole object so that it can be scanned as one file.
define action strip_range_headers
    delete(request.header.Range)
end

; Policy Example
<Proxy>
    action.strip_range_headers(yes)
Supporting Documentation
Title                                                                                      | Overview                                                                                                                                                                         | Reference
SGOS Administration Guide (6.7.x)                                                          | Reference information and procedures to configure SGOS version 6.7.x. The audience for this document is network administrators who are responsible for managing ProxySG appliances. | http://www.symantec.com/docs/DOC10459
Content Policy Language Reference (6.7.x)                                                  | Reference for writing CPL to specify policy rules for the ProxySG appliance.                                                                                                      | http://www.symantec.com/docs/DOC10455
Content Analysis Administration and Reference Guide (2.3.x)                                | Reference information and procedures to configure Content Analysis 2.3.x.                                                                                                         | http://www.symantec.com/docs/DOC10914
Integrating the ProxySG and ProxyAV Appliances                                             | Legacy documentation.                                                                                                                                                             | http://www.symantec.com/docs/DOC10027
Integrating Content Analysis with other Blue Coat Products: ProxySG and Malware Analysis   | Legacy documentation.                                                                                                                                                             | http://www.symantec.com/docs/DOC10466
Management Center Configuration and Management Guide (1.11.1.1)                            | How to configure and use Symantec Management Center to centrally manage all of your Network Protection/Web and Cloud Security/Blue Coat devices.                                  | http://www.symantec.com/docs/DOC10660
Legal Notice
Copyright © 2018 Symantec Corp. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Blue Coat, and the Blue Coat logo are trademarks or registered trademarks of Symantec Corp. or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE
EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL
NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING,
PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS
DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. SYMANTEC CORPORATION PRODUCTS,
TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE
SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND
MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY
STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE
THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE
REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO
YOU.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
www.symantec.com
2/16/2018