Skip to main content
Skyhigh Security

List of Criteria

The Rule Builder allows you to create rules for your web policy on the user interface for Secure Web Gateway. A web policy rule includes criteria among its elements.

Here is a web policy rule that uses the URL categories criteria. 

clipboard_e8612ff1373376e22463758ed8191ed05.png

The following table lists and describes some of the more important criteria. Most of them are used to configure rules for filtering malware, URLs, and media types.

The list is sorted alphabetically.

Criteria Format Description Parameter
All server chain revocation statuses known Boolean If true, it is known of all server certificates in a certificate chain whether they have been revoked or not Has parameter
All traffic   Used in a rule to let it apply to all traffic that is redirected to Secure Web Gateway

No operator is then needed for the rule and no value either, but you still need to specify the rule processing cycle, for example, the request cycle.
 
Anonymize String String that is password-protected

The string and password are configured as parameters of the criteria. 
Has parameter
Block headers has Boolean If true, the block headers include the header that is specified as parameter of the criteria Has parameter
Body class ID String class ID of a web object sent as body with a request or response  
Body filename String Name of a file sent as the body of a request or response  
Body full filename String Full name of a file sent as the body of a request or response  
Body has mime header Boolean If true, the MIME type header that is specified as parameter of the criteria is sent with the body of a request of response Has parameter
Body infected (GAM) Boolean If true, a file or other web object sent as body of a request or response, or as an embedded object, is infected by malware

The scanning that detected the infection was performed by the Gateway Anti-Malware (GAM) engine.

The parameters for running the GAM engine are configured in a setting, which is specified as parameter of the criteria.
Has parameter
Body infected (ATD) Boolean If true, a file or other web object sent as body of a request or response, or as an embedded object, is infected by malware

The scanning that detected the infection was performed by Advanced Threat Detection (ATD).

The parameters for running ATD are configured in a setting, which is specified as parameter of the criteria.
Has parameter
Body is corrupted Boolean If true, a web object sent as body of a request or response is corrupted   
Body is encrypted Boolean If true, a web object sent as body of a request or response is encrypted   
Body is multipart archive Boolean If true, a web object sent as body of a request or response is a multipart archive  
Body mime header has parameter String Parameter included in a MIME type header sent with the body of a request or response

This header parameter is specified as parameter of the criteria.
Has parameter
Body mime header has parameter value String Value of a parameter included in a MIME type header sent with the body of a request or response

The value is specified as parameter of the criteria 
Has parameter
Body size Number Size of a web object sent as body of a request or response  
Certificate signature algorithm String Algorithm used to generate the signature of a certificate  
Client certificate requested Boolean If true, a client certificate is requested for the handshake that is performed when a secure connection is set up  
Client connection port Number Port of a connection between a client and Secure Web Gateway  
Client IP String IP address of a client that sent a request for web access  
Client location detected Boolean If true, the location of a client is known  
Client process name String Name of a client process  
Command categories List of strings List of categories for a command used under a protocol for web traffic  
Connection cycle String Cycle of rule processing on Secure Web Gateway

There are the following cycles:
  • Request
  • Response
  • Embedded object
 
Connection embedded object cycle String Embedded object cycle of rule processing on Secure Web Gateway  
Connection ID String ID of a connection between Secure Web Gateway and a client or web server  
Connection protocol String Protocol for web traffic followed on a connection between Secure Web Gateway and a client of web server, for example, HTTP, HTTPS, or FTP  
Connection protocol is IM Boolean If true, the protocol used on a connection is an Instant Messaging protocol  
Connection runtime Number Time (in seconds) that a connection between Secure Web Gateway and a client or web server has been running  
Connection variable String Value of a variable configured for a connection

The variable name is specified as parameter of the criteria.
Has parameter
Connection variable exists Boolean  If true, the variable specified as parameter of the criteria is configured for a connection Has parameter
Content length header Number Length of the content sent with a request or response as specified in a header  
Current archive nesting level Number Level of nesting that is currently reached when an archive is inspected

For example, if an archive is processed that is immediately nested in a top-level archive, the second level is reached.
 
Current time is in range Boolean If true, the current time is in the time range specified by the parameters of the criteria

The beginning and end of the time range are specified in GMT format.
Has parameter
Day of month is in range Boolean If true, the current day of the month is in the range specified by the parameters of the criteria Has parameter
Day of week is in range Boolean If true, the current day of the week is in the range specified by the parameters of the criteria Has parameter
Day of year is in range Boolean If true, the current day of the year is in the range specified by the parameters of the criteria Has parameter
Destination IP String IP address of a destination in the web that access is requested to  
Discarded host String Name of a host that has been discarded due to conflicting information found by Secure Web Gateway  
DNS lookup String IP address found for a host by a DNS lookup

The name of the host is specified as parameter of the criteria
Has parameter
Domain String Name of a domain in a URL sent with a request   
Domain suffix String Suffix of a domain name in a URL sent with a request  
Empty string Boolean If true, the parameter specified by its name as parameter of the criteria, has no value  Has parameter
Ensured media types List of strings List of media types that a requested web object belongs to with a high probability  
File extension String Extension of the name of a file sent with a request or response  
File name String Name of a file sent with a request or response  
First line of request String First line of a request sent to Secure Web Gateway  
Get all matching List of strings List of values for a header that match a Regex term

The name of the header and the Regex term are specified as parameters of the criteria.
Has parameter
Get any matching String Value for a header that matches a Regex term

The name of the header and the Regex term are specified as parameters of the criteria.
Has parameter
Get body uncompressed size Number  Size of the content extracted from an archive or other composite web object sent as body with a request or response 
 
 
Get cookie String Value of a cookie

The name of the cookie is specified as parameter of the criteria.
Has parameter
Get hash of the body String Hash value for a web object sent as body with a request or response

The name of the hash type, for example, md5 or sha1, is specified as parameter of the criteria.
Has parameter
Get header String Value of a header

The name of the header is specified as parameter of the criteria.
Has parameter
Get JSON string member String Value for a member of a JSON instance

The name of the JSON instance and the member are specified as parameters of the criteria.
Has parameter
Get keys of header List of strings List of keys found in a header of a request or response  
Get media type from header String Media type of a web object sent with a request or response

The media type is found by evaluating the Content-Type header of the request or response.
 
Get original URL String URL originally sent with a request that has been redirected to Secure Web Gateway   
Get server certificate sha1 String Digest generated for a server certificate using the sha1 algorithm  
Get server certificate sha256 String Digest generated for a server certificate using the sha1 algorithm  
Get sha1 hash of the body String Hash value generated for the body sent with a request or response  
Get SSL server cipher String Algorithm used to generate ciphers for web traffic sent on a secure connection, for example, rsa or sha256   
Has header Boolean If true, a request or response has the header that is specified in string format as parameter of the criteria Has parameter
Has matching header Boolean If true, the value of a header sent with a request or response matches a Regex term

The name of the header and the Regex term are specified as parameters of the criteria
Has parameter
Has request header Boolean If true, a request is sent with the header specified as parameter of the criteria Has parameter
Has response header Boolean If true, a response is sent with the header specified as parameter of the criteria Has parameter
Host String Name of a host in a URL sent with a request  
Host is subdomain Boolean If true, the host name in the URL sent with a request is the name of a host that is a subdomain of a domain in a list

The list is specified in vector format as parameter of the criteria.
Has parameter
Hour  Number Current hour  
HTTP command name String Name of a command sent under the HTTP protocol, for example, GET or POST  
HTTP status code Number Code indicating the status of a HTTP command that is executed  
In the cloud Boolean If true, web traffic originating from cloud users is currently processed by Secure Web Gateway  
Initial trigger String Cycle of rule processing initially performed during the current transaction  
IP list by ID List of strings IP addresses in the list with the ID specified as parameter of the criteria Has parameter
IP list by name List of strings IP addresses in the list with the name specified as parameter of the criteria Has parameter
Is authentication server request Boolean If true, the destination of a request is an authentication server  
Is body contains pattern Boolean If true, the body sent with a request or response includes the pattern specified as parameter of the criteria at the position that is also specified as parameter

The position is specified as a number. The pattern is specified as a string.
Has parameter
Is body has access permission restriction Boolean If true, there is a restriction to accessing the body that is sent with a request or response

There is a restriction, for example, if the body is a PDF file. 
 
Is body modified Boolean If true, the body sent with a request or response has been modified  
Is body reputation bad Boolean If true, the reputation score for a body sent with a request or response is low

The reputation score is retrieved from the Global Threat Intelligence (GTI) service.

The parameters for running the GTI service are configured in a setting, which is specified as parameter of the criteria.
Has parameter
Is body reputation good Boolean If true, the reputation score for a body sent with a request or response is high

The reputation score is retrieved from the Global Threat Intelligence (GTI) service.

The parameters for running the GTI service are configured in a setting, which is specified as parameter of the criteria
Has parameter
Is body reputation known Boolean If true, the reputation score for a body sent with a request or response is known

The reputation score is retrieved from the Global Threat Intelligence (GTI) service.

The parameters for running the GTI service are configured in a setting, which is specified as parameter of the criteria.
Has parameter
Is body supported by a opener Boolean If true, data can be extracted from the body if needed by an opener on Secure Web Gateway  
Is certificate available for host Boolean If true, a certificate is available for connecting to a host on a secure connection

The name of the host is specified as parameter of the criteria. The parameters for using the certificate are configured in a setting, which is also specified as parameter of the criteria.
Has parameter
Is GRE tunnel connection Boolean If true, web traffic is protected by sending it to {{swebg} through a GRE tunnel  
Is HTTP tunnel enabled Boolean If true, an HTTP tunnel was configured as part of setting up Secure Web Gateway  
Is ICAP client ReqMode Boolean If true, a response that is received on Secure Web Gateway has been sent by an ICAP server responding to a request in ReqMod mode

The parameters for communication with the ICAP server are configured in a setting, which is specified as parameter of the criteria.
Has parameter
Is ICAP server changes HTTP state Boolean If true, an ICAP server has changed the state of a request sent under the HTTP protocol

The parameters for communication with the ICAP server are configured in a setting, which is specified as parameter of the criteria.
Has parameter
Is IPsec connection Boolean If true, web traffic is protected by sending it to Secure Web Gateway through an IPsec tunnel  
Is media type archive Boolean If true, a web object sent with a request or response is an archive  
Is media type audio Boolean If true, a web object sent with a request or response is of the audio media type  
Is media type composite object Boolean If true, a web object sent with a request or response is a composite object  
Is media type database Boolean If true, a web object sent with a request or response is a database  
Is media type document Boolean If true, a web object sent with a request or response is of document  
Is media type executable Boolean If true, a web object sent with a request or response is an executable  
Is media type image Boolean If true, a web object sent with a request or response is an image  
Is media type magic byte mismatch Boolean If true, the magic bytes of a web object have been evaluated and found not to match the media type specified in the header  
Is media type text Boolean If true, a web object sent with a request or response is of the text media type  
Is media type video Boolean If true, a web object sent with a request or response is of the video media type  
Is regular expression list exists Boolean If true, the list of regular expressions with the name specified as parameter of the criteria exists Has parameter
Is stream Boolean If true, a web object sent with a request or response is streaming media  
Is upload Boolean If true, an upload is requested for a web object  
Kerberos protection level Number Level of the protection ensured when using the Kerberos authentication method

When this method is used to authenticate cloud users, the level is 0.
 
Language of extracted body text String Language of a text that has been extracted from a web object sent as body of a request or response

The language is specified in ISO-639-1 code.
 
List of all archive member names List of strings List with the names of all web objects that are members of an archive sent with a request or response  
Malware probability Number  Probability that a file or other web object is malware-infected specified as number

To find this probability, the web object was scanned by the Gateway Anti-Malware (GAM) engine. 
Has parameter
Media type from header String Media type found for a file or other web object by evaluating information specified in the header of a request or response  
Media types from extension List of strings List of media types found for a file or other web object by evaluating the file name extension  
Minute Number  Current minute  
Non ensured media types List of strings List of media types found for a file or other web object with a low probability  
Number of media types Number Number of media types found for a file or other web object

Only ensured media types are counted here.
 
Port Number Port number of a port in a URL sent with a request  
Second Number Current second  
Self-signed cert Boolean If true, a server certificate is self-signed  
Server certificate String Certificate for a server used when setting up a secure connection  
Server certificate CN equals host Boolean If true, the Common Name in a server certificate is the same as the name of the host that takes the server role  
Server certificate CN matches host Boolean If true, the Common Name in a server certificate matches the name of the host that takes the server role

The host name is specified by a wildcard term. 
 
Server certificate expires Number Time (number of days) remaining until a server certificate expires  
Server certificate has wildcards Boolean If true, a server certificate includes wildcard terms  
Server certificate SAN matches host Boolean If true, the SAN extension of a server certificate matches the name extension of the host that takes the server role

The host name is specified by a wildcard term.
 
Server chain first known is trusted Boolean If true, the first known certificate authority (CA) in a server certificate within a chain of server certificates is trusted

The parameters for the certificate chain are configured in a setting, which is specified as parameter of the criteria. 
Has parameter
Server chain complete Boolean  If true, a chain of server certificates ends with a root certificate authority (CA) that is self-signed

The parameters for the certificate chain are configured in a setting, which is specified as parameter of the criteria.
Has parameter
Server chain contains expired Boolean If true, a chain of server certificates includes a certificate that has expired

The parameters for the certificate chain are configured in a setting, which is specified as parameter of the criteria.
Has parameter
Server chain contains revoked Boolean If true, a chain of server certificates includes a certificate that has been revoked

The parameters for the certificate chain are configured in a setting, which is specified as parameter of the criteria.
Has parameter
Server chain contains violation Boolean If true, a chain of server certificates includes a certificate that violates the regulations for certificates

The parameters for the certificate chain are configured in a setting, which is specified as parameter of the criteria.
Has parameter
Server chain contains known CA Boolean If true, a chain of server certificates includes a certificate authority that is known

The parameters for the certificate chain are configured in a setting, which is specified as parameter of the criteria.
Has parameter
Server chain issuers List of strings List of the certificate authorities (CAs) that issued the certificates in a chain of server certificates and the chain

The parameters for the certificate chain are configured in a setting, which is specified as parameter of the criteria.
Has parameter
Server chain signature algorithms List of strings List of the algorithms used for generating the signatures in the certificates within a chain of server certificates

The parameters for the certificate chain are configured in a setting, which is specified as parameter of the criteria.
 
Server CN name String Common Name (CN) in a server certificate  
Server host and certificate  String Host name and certificate for a server  
Server key exchange bits  Number Number of bits used for exchanging the key for a certificate with a server  
Stream probability Number Probability that the media type of a web object is streaming media specified as number  
String list ends with Boolean If true, a string that is specified as parameter of the criteria ends with another string that is also specified as parameter

It is not considered whether the characters in the strings are upper case or lower case. 
Has parameter
String length Number Length of the string that is specified as parameter of the criteria Has parameter
String list by ID Number List of strings in the list with the ID that is specified as parameter of the criteria Has parameter
String list by name List of strings List of strings in the list with the name that is specified as parameter of the criteria Has parameter
String list starts with Boolean If true, a string that is specified as parameter of the criteria starts with another string that is also specified as parameter

It is not considered whether the characters in the strings are upper case or lower case.
 
SWG has opener Boolean If true, content inside a file that was sent with a request or response can be extracted using an opener on Secure Web Gateway   
Time is in range Boolean If true, the current time is in the time range specified by the parameters of the criteria

For the beginning and end of the time range, the hour, minutes, and seconds are specified.
Has parameter
TLS client context is applied Boolean  If true, the client context settings are applied to a connection where web traffic is going on under the TLS protocol  
Transparent TLS connection Boolean If true, a connection set up for web traffic going on under the TLS protocol is transparent  
Trigger  String Current cycle of rule processing, for example, request or response cycle    
Unix epoche Number Current time specified as number of seconds that have elapsed since the beginning of the Unix epoche   
URL String URL sent with a request  
URL as string String URL sent with a request  
URL as string in raw format String URL sent with a request provided in raw format  
URL categories List of categories List of the categories that a URL sent with a request falls into

The list of categories is retrieved from the Global Threat Intelligence (GTI) service.

The parameters for running the GTI service are configured in a setting, which is specified as parameter of the criteria.
Has parameter
URL categorization by cloud lookup Boolean If true, the categories for a URL were retrieved from the Global Threat Intelligence (GTI) service

The parameters for running the GTI service are configured in a setting, which is specified as parameter of the criteria.
Has parameter
URL categorization by cloud lookup done Boolean If true, the categories for the URL sent with the last request were retrieved from the Global Threat Intelligence (GTI) service

The parameters for running the GTI service are configured in a setting, which is specified as parameter of the criteria.
Has parameter
URL categorized by DCC Boolean If true, the categories for a URL were retrieved by the Dynamic Content Classifier (DCC)

The parameters for running the DCC are configured in a setting, which is specified as parameter of the criteria. 
Has parameter
URL categorized by forward DNS Boolean If true, a forward DNS lookup has been performed to find the categories for a URL

The parameters for performing a reverse lookup are configured in a setting, which is specified as parameter of the criteria.
Has parameter
URL categorized by reverse DNS Boolean If true, a reverse DNS lookup has been performed to find the categories for a URL

The parameters for performing a reverse lookup are configured in a setting, which is specified as parameter of the criteria.
Has parameter
URL geo location String Geographic location of a website

This is the location specified in the URL that was sent with a request to access the website. 
 
URL has minimal risk Boolean If true, the risk level for a URL is minimal

The risk level is retrieved from the Global Threat Intelligence (GTI) service.

The parameters for running the GTI service are configured in a setting, which is specified as parameter of the criteria.
Has parameter
URL has parameter Boolean If true, a URL sent with a request includes the parameter that is specified as parameter of the criteria Has parameter
URL has unverified risk Boolean If true the risk level for a URL could not be verified

The risk level is retrieved from the Global Threat Intelligence (GTI) service.

The parameters for running the GTI service are configured in a setting, which is specified as parameter of the criteria.
Has parameter
URL is high risk Boolean If true, the risk level for a URL is high

The risk level is retrieved from the Global Threat Intelligence (GTI) service.

The parameters for running the GTI service are configured in a setting, which is specified as parameter of the criteria. 
Has parameter
URL is medium risk Boolean If true, the risk level for a URL is medium 

The risk level is retrieved from the Global Threat Intelligence (GTI) service.

The parameters for running the GTI service are configured in a setting, which is specified as parameter of the criteria.
Has parameter
URL parameter String Value of a parameter in a URL sent with a request

The parameter is specified by its name as parameter of the criteria.
Has parameter
URL parameter list List of strings List of the parameters in a URL that was sent with a request  
URL parameter String Parameters in a URL sent with a request provided as string  
URL path String Path of a URL sent with a request  
URL protocol String Protocol specified in a URL that is sent with a request  
URL reputation Number Reputation score for a URL specified as number

The reputation score is retrieved from the Global Threat Intelligence (GTI) service.

The parameters for running the GTI service are configured in a setting, which is specified as parameter of the criteria
Has parameter
URL reputation string String Reputation score for a URL converted into string format

The reputation score is retrieved from the Global Threat Intelligence (GTI) service.

The parameters for running the GTI service are configured in a setting, which is specified as parameter of the criteria
Has parameter
User-defined bool String Boolean term that you created on your own

The term is specified as parameter of the criteria.
Has parameter
User-defined IP range list String Name of a list of IP addresses that you created on your own

The name is specified as parameter of the criteria.
Has parameter
User-defined number Number Number that you created on your own

The number is specified as parameter of the criteria.
Has parameter
User-defined string String String that you created on your own

The string is specified as parameter of the criteria
Has parameter
User-defined category list String Name of a list of URL categories that you created on your own

The name is specified as parameter of the criteria.
Has parameter
User agent String User agent of the browser used to request web access  
User groups List of strings List of user groups that a user who sent a request for web access belongs to  
Username String Name of an authenticated user who sent a request for web access
 
 
Virus names (GAM) List of strings List of names of the viruses that a web object is infected with

The scanning that detected the viruses was performed by the Gateway Anti-Malware (GAM) engine.
Has parameter 
Virus names (ATD) List of strings List of names of the viruses that a web object is infected with

The scanning that detected the viruses was performed by the Advanced Threat Detection (ATD).
Has parameter
Year  Number  Current year specified using four digits, for example, 2023  
Year (2 digits) Number Current year specified using two digits, for example, 23  
 
 
  • Was this article helpful?