Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Rule Set Prerequisites

Some rule sets have prerequisites that must be met before they can be fully configured and ready for use in your web policy.

Rule set Prerequisites
Activity Control

This rule set gives you fine-grained control over the cloud services in the Service Catalog, allowing you to select which activities you want blocked instead of blocking entire services. For example, you can select Box from the Service Catalog, then select download and upload activities for blocking, while allowing edit and post activities. Before you can configure these rules, you must add cloud services from the Service Catalog.


  • Add a cloud service from the Service Catalog
Advanced Threat Defense This rule set sends web objects to Gateway ATD for in-depth static and dynamic analysis according to the rules that you configure. For example, you can allow some media types to skip ATD processing, while requiring other media types to be processed by ATD.


  1. Install and run the Advanced Threat Defense software.
  2. Verify that Skyhigh Web Security Gateway Service can connect to your Advanced Threat Defense instance.
    Required settings:
    • User name and password that WGCS uses to authenticate and connect to Gateway ATD
    • Host name or IP address and port number of the server hosting Gateway ATD
  3. Add a CA certificate.
Application Blocking This rule set blocks access to configured groups of cloud services called Service Groups. Before you can add Service Groups to this rule set, you must create them.


  1. From the Skyhigh CASB navigation bar, select Governance | Service Groups.
  2. Create one or more Service Groups.
Certificate Verification

This rule set verifies certificates according to certificate verification rules that you customize for your organization. For example, you can configure the certificate verification process to be more or less restrictive. For the certificate verification rules to take effect, you must first provide at least one CA certificate.


  • Add a CA certificate
DLP Dictionary

This rule set blocks the transfer of sensitive information outside your organization according to the DLP dictionary rules that you configure. For this rule set to work for your organization, you must customize the default DLP Dictionary.


  • Customize the default DLP Dictionary

This rule set sends files to DLP ICAP servers according to the rules that you configure. For example, you can send all files or send only the file types that you specify. For the DLP ICAP server rules to take effect, you must configure at least one DLP ICAP server.


  1. Install the DLP ICAP server.
  2. Verify that WGCS can connect to the server instance.
    Required settings:
    • Host name or IP address
    • Port number 1344
Next Hop Proxy

This rule set forwards web traffic to proxy servers according to the next hop proxy rules that you configure. For example, you can forward all traffic or forward only risky traffic. For the next hop proxy rules to take effect, you must configure at least one proxy server. Adding more than one proxy server enables round robin load balancing.


  • Add a proxy server
    Required settings: host name or IP address, port number
Tenant Restriction

This rule set blocks users from accessing sanctioned cloud services through their personal accounts, while allowing access to these services through the accounts that you configure. To configure each tenant restriction rule, you need these application-specific details.


  • Amazon Web Services (AWS) — Allowed AWS Account IDs
  • Box — Allowed Box subdomains and allowed user email address domains
    • Box subdomain: If your Box domain name is, your subdomain is forestry.
    • Email domain:
  • Dropbox — Allowed Dropbox Team IDs
  • Google — Allowed user email address domains
  • Microsoft Office 365 — Directory ID of your Azure Active Directory instance and allowed user email address domains
  • Slack — Allowed Slack Team IDs
YouTube Control

This rule set filters YouTube traffic according to the rules you configure. For example, you can block traffic by title or category and allow or block traffic by channel. WGCS filters traffic by checking the metadata sent with a video stream over the YouTube API. Before you can configure the YouTube rules, you must provide your YouTube API key.


  • Get a YouTube API key through Google APIs


  • Was this article helpful?