List of Criteria
The Rule Builder allows you to create rules for your web policy on the user interface for Secure Web Gateway. A web policy rule includes criteria among its elements.
Here is a web policy rule that uses the URL categories criteria.
The following table lists and describes some of the more important criteria. Most of them are used to configure rules for filtering malware, URLs, and media types.
The list is sorted alphabetically.
| Criteria | Format | Description | Parameter |
|---|---|---|---|
| All server chain revocation statuses known | Boolean | If true, it is known of all server certificates in a certificate chain whether they have been revoked or not | Has parameter |
| All traffic | Used in a rule to let it apply to all traffic that is redirected to Secure Web Gateway No operator is then needed for the rule and no value either, but you still need to specify the rule processing cycle, for example, the request cycle. |
||
| Anonymize | String | String that is password-protected The string and password are configured as parameters of the criteria. |
Has parameter |
| Block headers has | Boolean | If true, the block headers include the header that is specified as parameter of the criteria | Has parameter |
| Body class ID | String | class ID of a web object sent as body with a request or response | |
| Body filename | String | Name of a file sent as the body of a request or response | |
| Body full filename | String | Full name of a file sent as the body of a request or response | |
| Body has mime header | Boolean | If true, the MIME type header that is specified as parameter of the criteria is sent with the body of a request of response | Has parameter |
| Body infected (GAM) | Boolean | If true, a file or other web object sent as body of a request or response, or as an embedded object, is infected by malware The scanning that detected the infection was performed by the Gateway Anti-Malware (GAM) engine. The parameters for running the GAM engine are configured in a setting, which is specified as parameter of the criteria. |
Has parameter |
| Body infected (ATD) | Boolean | If true, a file or other web object sent as body of a request or response, or as an embedded object, is infected by malware The scanning that detected the infection was performed by Advanced Threat Detection (ATD). The parameters for running ATD are configured in a setting, which is specified as parameter of the criteria. |
Has parameter |
| Body is corrupted | Boolean | If true, a web object sent as body of a request or response is corrupted | |
| Body is encrypted | Boolean | If true, a web object sent as body of a request or response is encrypted | |
| Body is multipart archive | Boolean | If true, a web object sent as body of a request or response is a multipart archive | |
| Body mime header has parameter | String | Parameter included in a MIME type header sent with the body of a request or response This header parameter is specified as parameter of the criteria. |
Has parameter |
| Body mime header has parameter value | String | Value of a parameter included in a MIME type header sent with the body of a request or response The value is specified as parameter of the criteria |
Has parameter |
| Body size | Number | Size of a web object sent as body of a request or response | |
| Certificate signature algorithm | String | Algorithm used to generate the signature of a certificate | |
| Client certificate requested | Boolean | If true, a client certificate is requested for the handshake that is performed when a secure connection is set up | |
| Client connection port | Number | Port of a connection between a client and Secure Web Gateway | |
| Client IP | String | IP address of a client that sent a request for web access | |
| Client location detected | Boolean | If true, the location of a client is known | |
| Client process name | String | Name of a client process | |
| Command categories | List of strings | List of categories for a command used under a protocol for web traffic | |
| Connection cycle | String | Cycle of rule processing on Secure Web Gateway There are the following cycles:
|
|
| Connection embedded object cycle | String | Embedded object cycle of rule processing on Secure Web Gateway | |
| Connection ID | String | ID of a connection between Secure Web Gateway and a client or web server | |
| Connection protocol | String | Protocol for web traffic followed on a connection between Secure Web Gateway and a client of web server, for example, HTTP, HTTPS, or FTP | |
| Connection protocol is IM | Boolean | If true, the protocol used on a connection is an Instant Messaging protocol | |
| Connection runtime | Number | Time (in seconds) that a connection between Secure Web Gateway and a client or web server has been running | |
| Connection variable | String | Value of a variable configured for a connection The variable name is specified as parameter of the criteria. |
Has parameter |
| Connection variable exists | Boolean | If true, the variable specified as parameter of the criteria is configured for a connection | Has parameter |
| Content length header | Number | Length of the content sent with a request or response as specified in a header | |
| Current archive nesting level | Number | Level of nesting that is currently reached when an archive is inspected For example, if an archive is processed that is immediately nested in a top-level archive, the second level is reached. |
|
| Current time is in range | Boolean | If true, the current time is in the time range specified by the parameters of the criteria The beginning and end of the time range are specified in GMT format. |
Has parameter |
| Day of month is in range | Boolean | If true, the current day of the month is in the range specified by the parameters of the criteria | Has parameter |
| Day of week is in range | Boolean | If true, the current day of the week is in the range specified by the parameters of the criteria | Has parameter |
| Day of year is in range | Boolean | If true, the current day of the year is in the range specified by the parameters of the criteria | Has parameter |
| Destination IP | String | IP address of a destination in the web that access is requested to | |
| Discarded host | String | Name of a host that has been discarded due to conflicting information found by Secure Web Gateway | |
| DNS lookup | String | IP address found for a host by a DNS lookup The name of the host is specified as parameter of the criteria |
Has parameter |
| Domain | String | Name of a domain in a URL sent with a request | |
| Domain suffix | String | Suffix of a domain name in a URL sent with a request | |
| Empty string | Boolean | If true, the parameter specified by its name as parameter of the criteria, has no value | Has parameter |
| Ensured media types | List of strings | List of media types that a requested web object belongs to with a high probability | |
| File extension | String | Extension of the name of a file sent with a request or response | |
| File name | String | Name of a file sent with a request or response | |
| First line of request | String | First line of a request sent to Secure Web Gateway | |
| Get all matching | List of strings | List of values for a header that match a Regex term The name of the header and the Regex term are specified as parameters of the criteria. |
Has parameter |
| Get any matching | String | Value for a header that matches a Regex term The name of the header and the Regex term are specified as parameters of the criteria. |
Has parameter |
| Get body uncompressed size | Number | Size of the content extracted from an archive or other composite web object sent as body with a request or response |
|
| Get cookie | String | Value of a cookie The name of the cookie is specified as parameter of the criteria. |
Has parameter |
| Get hash of the body | String | Hash value for a web object sent as body with a request or response The name of the hash type, for example, md5 or sha1, is specified as parameter of the criteria. |
Has parameter |
| Get header | String | Value of a header The name of the header is specified as parameter of the criteria. |
Has parameter |
| Get JSON string member | String | Value for a member of a JSON instance The name of the JSON instance and the member are specified as parameters of the criteria. |
Has parameter |
| Get keys of header | List of strings | List of keys found in a header of a request or response | |
| Get media type from header | String | Media type of a web object sent with a request or response The media type is found by evaluating the Content-Type header of the request or response. |
|
| Get original URL | String | URL originally sent with a request that has been redirected to Secure Web Gateway | |
| Get server certificate sha1 | String | Digest generated for a server certificate using the sha1 algorithm | |
| Get server certificate sha256 | String | Digest generated for a server certificate using the sha1 algorithm | |
| Get sha1 hash of the body | String | Hash value generated for the body sent with a request or response | |
| Get SSL server cipher | String | Algorithm used to generate ciphers for web traffic sent on a secure connection, for example, rsa or sha256 | |
| Has header | Boolean | If true, a request or response has the header that is specified in string format as parameter of the criteria | Has parameter |
| Has matching header | Boolean | If true, the value of a header sent with a request or response matches a Regex term The name of the header and the Regex term are specified as parameters of the criteria |
Has parameter |
| Has request header | Boolean | If true, a request is sent with the header specified as parameter of the criteria | Has parameter |
| Has response header | Boolean | If true, a response is sent with the header specified as parameter of the criteria | Has parameter |
| Host | String | Name of a host in a URL sent with a request | |
| Host is subdomain | Boolean | If true, the host name in the URL sent with a request is the name of a host that is a subdomain of a domain in a list The list is specified in vector format as parameter of the criteria. |
Has parameter |
| Hour | Number | Current hour | |
| HTTP command name | String | Name of a command sent under the HTTP protocol, for example, GET or POST | |
| HTTP status code | Number | Code indicating the status of a HTTP command that is executed | |
| In the cloud | Boolean | If true, web traffic originating from cloud users is currently processed by Secure Web Gateway | |
| Initial trigger | String | Cycle of rule processing initially performed during the current transaction | |
| IP list by ID | List of strings | IP addresses in the list with the ID specified as parameter of the criteria | Has parameter |
| IP list by name | List of strings | IP addresses in the list with the name specified as parameter of the criteria | Has parameter |
| Is authentication server request | Boolean | If true, the destination of a request is an authentication server | |
| Is body contains pattern | Boolean | If true, the body sent with a request or response includes the pattern specified as parameter of the criteria at the position that is also specified as parameter The position is specified as a number. The pattern is specified as a string. |
Has parameter |
| Is body has access permission restriction | Boolean | If true, there is a restriction to accessing the body that is sent with a request or response There is a restriction, for example, if the body is a PDF file. |
|
| Is body modified | Boolean | If true, the body sent with a request or response has been modified | |
| Is body reputation bad | Boolean | If true, the reputation score for a body sent with a request or response is low The reputation score is retrieved from the Global Threat Intelligence (GTI) service. The parameters for running the GTI service are configured in a setting, which is specified as parameter of the criteria. |
Has parameter |
| Is body reputation good | Boolean | If true, the reputation score for a body sent with a request or response is high The reputation score is retrieved from the Global Threat Intelligence (GTI) service. The parameters for running the GTI service are configured in a setting, which is specified as parameter of the criteria |
Has parameter |
| Is body reputation known | Boolean | If true, the reputation score for a body sent with a request or response is known The reputation score is retrieved from the Global Threat Intelligence (GTI) service. The parameters for running the GTI service are configured in a setting, which is specified as parameter of the criteria. |
Has parameter |
| Is body supported by a opener | Boolean | If true, data can be extracted from the body if needed by an opener on Secure Web Gateway | |
| Is certificate available for host | Boolean | If true, a certificate is available for connecting to a host on a secure connection The name of the host is specified as parameter of the criteria. The parameters for using the certificate are configured in a setting, which is also specified as parameter of the criteria. |
Has parameter |
| Is GRE tunnel connection | Boolean | If true, web traffic is protected by sending it to {{swebg} through a GRE tunnel | |
| Is HTTP tunnel enabled | Boolean | If true, an HTTP tunnel was configured as part of setting up Secure Web Gateway | |
| Is ICAP client ReqMode | Boolean | If true, a response that is received on Secure Web Gateway has been sent by an ICAP server responding to a request in ReqMod mode The parameters for communication with the ICAP server are configured in a setting, which is specified as parameter of the criteria. |
Has parameter |
| Is ICAP server changes HTTP state | Boolean | If true, an ICAP server has changed the state of a request sent under the HTTP protocol The parameters for communication with the ICAP server are configured in a setting, which is specified as parameter of the criteria. |
Has parameter |
| Is IPsec connection | Boolean | If true, web traffic is protected by sending it to Secure Web Gateway through an IPsec tunnel | |
| Is media type archive | Boolean | If true, a web object sent with a request or response is an archive | |
| Is media type audio | Boolean | If true, a web object sent with a request or response is of the audio media type | |
| Is media type composite object | Boolean | If true, a web object sent with a request or response is a composite object | |
| Is media type database | Boolean | If true, a web object sent with a request or response is a database | |
| Is media type document | Boolean | If true, a web object sent with a request or response is of document | |
| Is media type executable | Boolean | If true, a web object sent with a request or response is an executable | |
| Is media type image | Boolean | If true, a web object sent with a request or response is an image | |
| Is media type magic byte mismatch | Boolean | If true, the magic bytes of a web object have been evaluated and found not to match the media type specified in the header | |
| Is media type text | Boolean | If true, a web object sent with a request or response is of the text media type | |
| Is media type video | Boolean | If true, a web object sent with a request or response is of the video media type | |
| Is regular expression list exists | Boolean | If true, the list of regular expressions with the name specified as parameter of the criteria exists | Has parameter |
| Is stream | Boolean | If true, a web object sent with a request or response is streaming media | |
| Is upload | Boolean | If true, an upload is requested for a web object | |
| Kerberos protection level | Number | Level of the protection ensured when using the Kerberos authentication method When this method is used to authenticate cloud users, the level is 0. |
|
| Language of extracted body text | String | Language of a text that has been extracted from a web object sent as body of a request or response The language is specified in ISO-639-1 code. |
|
| List of all archive member names | List of strings | List with the names of all web objects that are members of an archive sent with a request or response | |
| Malware probability | Number | Probability that a file or other web object is malware-infected specified as number To find this probability, the web object was scanned by the Gateway Anti-Malware (GAM) engine. |
Has parameter |
| Media type from header | String | Media type found for a file or other web object by evaluating information specified in the header of a request or response | |
| Media types from extension | List of strings | List of media types found for a file or other web object by evaluating the file name extension | |
| Minute | Number | Current minute | |
| Non ensured media types | List of strings | List of media types found for a file or other web object with a low probability | |
| Number of media types | Number | Number of media types found for a file or other web object Only ensured media types are counted here. |
|
| Port | Number | Port number of a port in a URL sent with a request | |
| Second | Number | Current second | |
| Self-signed cert | Boolean | If true, a server certificate is self-signed | |
| Server certificate | String | Certificate for a server used when setting up a secure connection | |
| Server certificate CN equals host | Boolean | If true, the Common Name in a server certificate is the same as the name of the host that takes the server role | |
| Server certificate CN matches host | Boolean | If true, the Common Name in a server certificate matches the name of the host that takes the server role The host name is specified by a wildcard term. |
|
| Server certificate expires | Number | Time (number of days) remaining until a server certificate expires | |
| Server certificate has wildcards | Boolean | If true, a server certificate includes wildcard terms | |
| Server certificate SAN matches host | Boolean | If true, the SAN extension of a server certificate matches the name extension of the host that takes the server role The host name is specified by a wildcard term. |
|
| Server chain first known is trusted | Boolean | If true, the first known certificate authority (CA) in a server certificate within a chain of server certificates is trusted The parameters for the certificate chain are configured in a setting, which is specified as parameter of the criteria. |
Has parameter |
| Server chain complete | Boolean | If true, a chain of server certificates ends with a root certificate authority (CA) that is self-signed The parameters for the certificate chain are configured in a setting, which is specified as parameter of the criteria. |
Has parameter |
| Server chain contains expired | Boolean | If true, a chain of server certificates includes a certificate that has expired The parameters for the certificate chain are configured in a setting, which is specified as parameter of the criteria. |
Has parameter |
| Server chain contains revoked | Boolean | If true, a chain of server certificates includes a certificate that has been revoked The parameters for the certificate chain are configured in a setting, which is specified as parameter of the criteria. |
Has parameter |
| Server chain contains violation | Boolean | If true, a chain of server certificates includes a certificate that violates the regulations for certificates The parameters for the certificate chain are configured in a setting, which is specified as parameter of the criteria. |
Has parameter |
| Server chain contains known CA | Boolean | If true, a chain of server certificates includes a certificate authority that is known The parameters for the certificate chain are configured in a setting, which is specified as parameter of the criteria. |
Has parameter |
| Server chain issuers | List of strings | List of the certificate authorities (CAs) that issued the certificates in a chain of server certificates and the chain The parameters for the certificate chain are configured in a setting, which is specified as parameter of the criteria. |
Has parameter |
| Server chain signature algorithms | List of strings | List of the algorithms used for generating the signatures in the certificates within a chain of server certificates The parameters for the certificate chain are configured in a setting, which is specified as parameter of the criteria. |
|
| Server CN name | String | Common Name (CN) in a server certificate | |
| Server host and certificate | String | Host name and certificate for a server | |
| Server key exchange bits | Number | Number of bits used for exchanging the key for a certificate with a server | |
| Service | String | Cloud service | |
| Stream probability | Number | Probability that the media type of a web object is streaming media specified as number | |
| String list ends with | Boolean | If true, a string that is specified as parameter of the criteria ends with another string that is also specified as parameter It is not considered whether the characters in the strings are upper case or lower case. |
Has parameter |
| String length | Number | Length of the string that is specified as parameter of the criteria | Has parameter |
| String list by ID | Number | List of strings in the list with the ID that is specified as parameter of the criteria | Has parameter |
| String list by name | List of strings | List of strings in the list with the name that is specified as parameter of the criteria | Has parameter |
| String list starts with | Boolean | If true, a string that is specified as parameter of the criteria starts with another string that is also specified as parameter It is not considered whether the characters in the strings are upper case or lower case. |
|
| SWG has opener | Boolean | If true, content inside a file that was sent with a request or response can be extracted using an opener on Secure Web Gateway | |
| Time is in range | Boolean | If true, the current time is in the time range specified by the parameters of the criteria For the beginning and end of the time range, the hour, minutes, and seconds are specified. |
Has parameter |
| TLS client context is applied | Boolean | If true, the client context settings are applied to a connection where web traffic is going on under the TLS protocol | |
| Transparent TLS connection | Boolean | If true, a connection set up for web traffic going on under the TLS protocol is transparent | |
| Trigger | String | Current cycle of rule processing, for example, request or response cycle | |
| Unix epoche | Number | Current time specified as number of seconds that have elapsed since the beginning of the Unix epoche | |
| URL | String | URL sent with a request | |
| URL as string | String | URL sent with a request | |
| URL as string in raw format | String | URL sent with a request provided in raw format | |
| URL categories | List of categories | List of the categories that a URL sent with a request falls into The list of categories is retrieved from the Global Threat Intelligence (GTI) service. The parameters for running the GTI service are configured in a setting, which is specified as parameter of the criteria. |
Has parameter |
| URL categorization by cloud lookup | Boolean | If true, the categories for a URL were retrieved from the Global Threat Intelligence (GTI) service The parameters for running the GTI service are configured in a setting, which is specified as parameter of the criteria. |
Has parameter |
| URL categorization by cloud lookup done | Boolean | If true, the categories for the URL sent with the last request were retrieved from the Global Threat Intelligence (GTI) service The parameters for running the GTI service are configured in a setting, which is specified as parameter of the criteria. |
Has parameter |
| URL categorized by DCC | Boolean | If true, the categories for a URL were retrieved by the Dynamic Content Classifier (DCC) The parameters for running the DCC are configured in a setting, which is specified as parameter of the criteria. |
Has parameter |
| URL categorized by forward DNS | Boolean | If true, a forward DNS lookup has been performed to find the categories for a URL The parameters for performing a reverse lookup are configured in a setting, which is specified as parameter of the criteria. |
Has parameter |
| URL categorized by reverse DNS | Boolean | If true, a reverse DNS lookup has been performed to find the categories for a URL The parameters for performing a reverse lookup are configured in a setting, which is specified as parameter of the criteria. |
Has parameter |
| URL geo location | String | Geographic location of a website This is the location specified in the URL that was sent with a request to access the website. |
|
| URL has minimal risk | Boolean | If true, the risk level for a URL is minimal The risk level is retrieved from the Global Threat Intelligence (GTI) service. The parameters for running the GTI service are configured in a setting, which is specified as parameter of the criteria. |
Has parameter |
| URL has parameter | Boolean | If true, a URL sent with a request includes the parameter that is specified as parameter of the criteria | Has parameter |
| URL has unverified risk | Boolean | If true the risk level for a URL could not be verified The risk level is retrieved from the Global Threat Intelligence (GTI) service. The parameters for running the GTI service are configured in a setting, which is specified as parameter of the criteria. |
Has parameter |
| URL is high risk | Boolean | If true, the risk level for a URL is high The risk level is retrieved from the Global Threat Intelligence (GTI) service. The parameters for running the GTI service are configured in a setting, which is specified as parameter of the criteria. |
Has parameter |
| URL is medium risk | Boolean | If true, the risk level for a URL is medium The risk level is retrieved from the Global Threat Intelligence (GTI) service. The parameters for running the GTI service are configured in a setting, which is specified as parameter of the criteria. |
Has parameter |
| URL parameter | String | Value of a parameter in a URL sent with a request The parameter is specified by its name as parameter of the criteria. |
Has parameter |
| URL parameter list | List of strings | List of the parameters in a URL that was sent with a request | |
| URL parameter | String | Parameters in a URL sent with a request provided as string | |
| URL path | String | Path of a URL sent with a request | |
| URL protocol | String | Protocol specified in a URL that is sent with a request | |
| URL reputation | Number | Reputation score for a URL specified as number The reputation score is retrieved from the Global Threat Intelligence (GTI) service. The parameters for running the GTI service are configured in a setting, which is specified as parameter of the criteria |
Has parameter |
| URL reputation string | String | Reputation score for a URL converted into string format The reputation score is retrieved from the Global Threat Intelligence (GTI) service. The parameters for running the GTI service are configured in a setting, which is specified as parameter of the criteria |
Has parameter |
| User-defined bool | String | Boolean term that you created on your own The term is specified as parameter of the criteria. |
Has parameter |
| User-defined IP range list | String | Name of a list of IP addresses that you created on your own The name is specified as parameter of the criteria. |
Has parameter |
| User-defined number | Number | Number that you created on your own The number is specified as parameter of the criteria. |
Has parameter |
| User-defined string | String | String that you created on your own The string is specified as parameter of the criteria |
Has parameter |
| User-defined category list | String | Name of a list of URL categories that you created on your own The name is specified as parameter of the criteria. |
Has parameter |
| User agent | String | User agent of the browser used to request web access | |
| User groups | List of strings | List of user groups that a user who sent a request for web access belongs to | |
| Username | String | Name of an authenticated user who sent a request for web access |
|
| Virus names (GAM) | List of strings | List of names of the viruses that a web object is infected with The scanning that detected the viruses was performed by the Gateway Anti-Malware (GAM) engine. |
Has parameter |
| Virus names (ATD) | List of strings | List of names of the viruses that a web object is infected with The scanning that detected the viruses was performed by the Advanced Threat Detection (ATD). |
Has parameter |
| Year | Number | Current year specified using four digits, for example, 2023 | |
| Year (2 digits) | Number | Current year specified using two digits, for example, 23 |