Full_Isolation — Sample Routine
The Full_Isolation
routine is for isolating a user's browser during web usage. When a browser is isolated, only images of web content are forwarded to it, not the original content, in order to ensure it is protected against web threats.
Isolating a browser in this way is also known as Remote Browser Isolation (RBI). This routine includes a complex rule for applying the full mode of browser isolation. Other rules are provided for determining when full isolation is not to be applied and what is allowed while it is applied, for example, file upload or download.
Reviewing this routine in the code view while reading the explanation given here should improve your understanding of how an individual routine works.
You can access the code view for this routine from the Web Policy — Full Isolation page, which belongs to the Browser Isolation branch of the policy tree.
Initial part
This part of the routine includes the usual ROUTINE term, routine name, processing cycles during which the routine is run, and enabling information.
ROUTINE Full_Isolation ON (Web.Request, Web.Response) [enabled="false"]
This routine is not enabled by default.
Variable setting
About 40 variables and other items are set in this part for use later in the routine. Most of them are set for one of the following purposes:
- Specifying the criteria on which full isolation should be applied
It could be applied, for example, only when a user requests access to a domain that is in a list.
BOOLEAN isolateByDomain = TRUE
When isolation is performed in this way, it is specified which list is used here. It is also specified how this list relates to the list for isolating by domain that is in the list catalog of Skyhigh Security Service Edge.
MWG.SmartMatchList alwaysIsolatedDomains = Domainstoalwaysisolate3
- Specifying where full isolation should not be applied
It might not be applied, for example, when a user requests access to a website with a URL that is in a list.
The list with the URLs and the corresponding list in the catalog are also specified.
BOOLEAN bypassByURL = TRUE
MWG.SmartMatchList urlBypassList = FullIsolationDomainsexemptfromisolation3
- Specifying what should be allowed while full browser isolation is applied
For example, uploading files to domains might be allowed, except for those that are in a list. The relevant list and the corresponding catalog list are also specified.
BOOLEAN permitUploadByDomain = TRUE
UCE.FileTransferControlList permitUploadExceptions = Uploadspermittedexceptforthese3
These variables can also be set using options on the normal user interface.
IF-THEN statements
This part includes two rather complex and six less complex IF-THEN statements (rules).
- There is a complex rule for applying the full isolation mode of browser isolation.
- Another complex rule handles permissions to use the clipboard when full isolation is applied.
- Five rules are about not applying full isolation depending on criteria such as URLs, URL categories, and IP addresses.
- One rule is for finding out whether a different type of browser isolation is already being applied when a user requests web access. Full isolation is then not applied.
The rule that applies full isolation is explained here in more detail:
- Applying full isolation — This rule is the key rule in this routine. It is rather complex and also includes code for handling file uploads and downloads during the isolation, along with code for handling license expiration.
To perform the isolation itself, the rule calls another routine, which is not explained here.
CALL "RBI_Isolation"
The complete code for this rule looks like this:
IF startIsolation THEN {
    RBI.ApplyFullIsolationSettings (blockOnLicenseExceeded, cookiesOnLocalMachine, copyLocalMachine, pasteLocalMachine, maxClipboardPasteSize, maxClipboardCopySize)
    // Isolated File Upload Control
    IF permitUploadByDomain THEN {
        RBI.SetUploadFileControlPermit (permitUploadExceptions)
    } ELSE {
        RBI.SetUploadFileControlBlock (denyUploadExceptions)
    }
    // Isolated File Download Control
    IF permitDownloadByDomain THEN {
        RBI.SetDownloadFileControlPermit (permitDownloadExceptions)
    } ELSE {
        RBI.SetDownloadFileControlBlock (denyDownloadExceptions)
    }
    CALL "RBI_Isolation"
    IF blockOnLicenseExceeded AND RBI.MustBeIsolated THEN {
        MWG.Block (RBI_No_Session, "Full Browser Isolation cannot be used", "Full Browser Isolation")
    }
}
Code elements are used as follows here.
- If you omit the two embedded IF-THEN statements that handle file upload and download during the isolation, as well as the embedded statement about license expiration, a basic statement for handling the isolation proper is left over. It reads like this:
IF startIsolation THEN {
    RBI.ApplyFullIsolationSettings (blockOnLicenseExceeded, cookiesOnLocalMachine, copyLocalMachine, pasteLocalMachine, maxClipboardPasteSize, maxClipboardCopySize)
    CALL "RBI_Isolation"
}
- In the IF clause of this basic statement, the startIsolation variable is evaluated, which is set before the overall statement for applying full isolation is processed.
BOOLEAN startIsolation = isolateAll
    OR (isolateByDomain AND MWG.Url.SmartMatch (alwaysIsolatedDomains))
    OR (isolateByRegex AND alwaysIsolatedRegexList.Matches (MWG.Url.Host))
    OR (isolateByIPRange AND Net.IsInRangeList (MWG.DestinationIP, alwaysIsolatedIPRanges))
    OR (isolateByCategory AND MWG.UrlCategories (MWG.LAST_USED_config).Overlaps (alwaysIsolatedCategories))
    OR (isolateUncategorized AND MWG.UrlCategories (MWG.LAST_USED_config).Size == 0)
The value of startIsolation varies according to how the range for applying full isolation has been set.
For example, this range might have been set to isolating the user's browser for all that the user wants to access in the web, which can be done by setting the isolateAll variable in the variable setting part of this routine accordingly.
BOOLEAN isolateAll = TRUE
If this range is not set to everything in the web, but limited to particular domains, to destinations with particular IP addresses, or by other criteria, startIsolation is set to the respective value.
A function is then also used to find out whether the domain, IP address, or other criterion is in a list.
For example, for applying full isolation to particular domains, the value for startIsolation is:
isolateByDomain AND MWG.Url.SmartMatch (alwaysIsolatedDomains)
- If a range for applying full isolation can be determined by evaluating startIsolation, the condition for actually starting it is met. What is included in the THEN clause of the basic statement is executed, which means the routine for applying full isolation itself is called.
Before this routine is called, a procedure hands over settings for this isolation, for example, regarding what should be allowed while it is applied.
RBI.ApplyFullIsolationSettings (blockOnLicenseExceeded, cookiesOnLocalMachine, copyLocalMachine, pasteLocalMachine, maxClipboardPasteSize, maxClipboardCopySize)
And then ...
CALL "RBI_Isolation"
The embedded statement for handling file uploads includes a Boolean variable in the IF clause. If its value is TRUE, the condition for executing what is included in the THEN clause is met.
Otherwise, what is in the ELSE clause is executed. This way file uploads are either allowed or denied under full isolation.
// Isolated File Upload Control
IF permitUploadByDomain THEN {
    RBI.SetUploadFileControlPermit (permitUploadExceptions)
} ELSE {
    RBI.SetUploadFileControlBlock (denyUploadExceptions)
}
File downloads under full isolation are handled in the same way.
- The embedded statement on license expiration blocks access to all websites that isolation would otherwise have been applied to. The condition for this is that the license for the isolation feature has expired, so that the request still must be isolated after the isolation routine has been called.
IF blockOnLicenseExceeded AND RBI.MustBeIsolated THEN {
    MWG.Block (RBI_No_Session, "Full Browser Isolation cannot be used", "Full Browser Isolation")
}
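To make the decision flow of this rule easier to follow, here is an added model of it in Python. It is not code from the Full_Isolation routine or from Skyhigh Security Service Edge; it reimplements the startIsolation expression, the bypass-by-URL check, the upload and download control branches and the license check as plain functions. The list contents, the Settings and Request classes, the smart_match helper (assumed to match a host or any of its parent domains, the way the page describes list matching) and the way RBI.MustBeIsolated is modelled (assumed to stay TRUE when no isolation session could be created because the license is exhausted) are all assumptions made for this example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample lists standing in for the routine's list variables.
# The names follow the routine; the contents are made up for this example.
ALWAYS_ISOLATED_DOMAINS = {"untrusted.example", "files.example"}
ALWAYS_ISOLATED_REGEX = [re.compile(r"^.*\.risky\.example$")]
ALWAYS_ISOLATED_IP_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
ALWAYS_ISOLATED_CATEGORIES = {"Category A", "Category B"}
URL_BYPASS_LIST = {"intranet.example"}
PERMIT_UPLOAD_EXCEPTIONS = {"files.example"}   # uploads permitted, except to these
DENY_UPLOAD_EXCEPTIONS = set()                 # uploads denied, except to these
PERMIT_DOWNLOAD_EXCEPTIONS = set()
DENY_DOWNLOAD_EXCEPTIONS = {"files.example"}   # downloads denied, except from these


@dataclass
class Settings:
    """Mirrors the BOOLEAN variables of the variable-setting part (defaults are assumed)."""
    isolateAll: bool = False
    isolateByDomain: bool = True
    isolateByRegex: bool = True
    isolateByIPRange: bool = True
    isolateByCategory: bool = True
    isolateUncategorized: bool = False
    bypassByURL: bool = True
    permitUploadByDomain: bool = True
    permitDownloadByDomain: bool = False
    blockOnLicenseExceeded: bool = True


@dataclass
class Request:
    """The parts of a web request the routine looks at (constructed input)."""
    host: str
    dest_ip: str
    categories: frozenset


def smart_match(host: str, domains: set) -> bool:
    """Assumed behaviour of MWG.Url.SmartMatch: the host or any parent domain is listed."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def start_isolation(req: Request, s: Settings) -> bool:
    """The startIsolation expression, clause by clause, in the routine's order."""
    ip = ipaddress.ip_address(req.dest_ip)
    return (
        s.isolateAll
        or (s.isolateByDomain and smart_match(req.host, ALWAYS_ISOLATED_DOMAINS))
        or (s.isolateByRegex and any(r.match(req.host) for r in ALWAYS_ISOLATED_REGEX))
        or (s.isolateByIPRange and any(ip in net for net in ALWAYS_ISOLATED_IP_RANGES))
        or (s.isolateByCategory and bool(req.categories & ALWAYS_ISOLATED_CATEGORIES))
        or (s.isolateUncategorized and len(req.categories) == 0)
    )


def evaluate(req: Request, s: Settings, license_exceeded: bool = False) -> dict:
    """Model of one pass through the routine for a single request."""
    # One of the "not applied" rules: a listed URL bypasses isolation entirely.
    if s.bypassByURL and smart_match(req.host, URL_BYPASS_LIST):
        return {"action": "pass", "isolated": False, "reason": "bypassByURL"}
    if not start_isolation(req, s):
        return {"action": "pass", "isolated": False, "reason": "no criterion matched"}
    # Isolated File Upload Control: permit-with-exceptions or block-with-exceptions.
    if s.permitUploadByDomain:
        upload = "block" if smart_match(req.host, PERMIT_UPLOAD_EXCEPTIONS) else "permit"
    else:
        upload = "permit" if smart_match(req.host, DENY_UPLOAD_EXCEPTIONS) else "block"
    # Isolated File Download Control, handled the same way.
    if s.permitDownloadByDomain:
        download = "block" if smart_match(req.host, PERMIT_DOWNLOAD_EXCEPTIONS) else "permit"
    else:
        download = "permit" if smart_match(req.host, DENY_DOWNLOAD_EXCEPTIONS) else "block"
    # CALL "RBI_Isolation" is modelled as succeeding unless the license is exhausted;
    # RBI.MustBeIsolated is assumed to stay TRUE in that case (assumption).
    must_be_isolated = license_exceeded
    if s.blockOnLicenseExceeded and must_be_isolated:
        return {"action": "block", "isolated": False,
                "reason": "Full Browser Isolation cannot be used"}
    if license_exceeded:
        return {"action": "pass", "isolated": False, "reason": "license exceeded, block disabled"}
    return {"action": "isolate", "isolated": True, "upload": upload, "download": download,
            "reason": "startIsolation"}


if __name__ == "__main__":
    s = Settings()
    for host, ip, cats in [("www.untrusted.example", "203.0.113.5", {"Category C"}),
                           ("intranet.example", "198.51.100.7", set()),
                           ("host.example", "203.0.113.9", set())]:
        print(host, evaluate(Request(host, ip, frozenset(cats)), s))
```

Running the model with the default Settings shows the three outcomes the rule can produce: a request to a listed domain is isolated with uploads permitted and downloads blocked, a request to a bypassed URL passes even though its destination IP is in an isolated range, and a request matching no criterion passes untouched; pass license_exceeded=True to see the block branch.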