Chapter 2: Managing Content Policy Language
As discussed in Chapter 1, Content Policy Language policies are composed of transactions that are
placed into rules and tested against various conditions.
This chapter discusses the following:
"Understanding Transactions and Timing"
"Understanding Layers"
"Understanding Sections"
"Defining Policies"
"Best Practices"

Understanding Transactions and Timing

Transactions are classified as administrator, proxy, cache, and forwarding. Only a subset of layer types,
conditions, properties, and actions is appropriate for each of these four transaction types.

Administrator Transactions

An administrator transaction evaluates policy in <Admin> layers. The policy is evaluated in two stages:
Before the authentication challenge.
After the authentication challenge.
If an administrative user logs in to the ProxySG Management Console, and the administrator’s Web
browser is proxied through that same ProxySG, then a proxy transaction is created and <Proxy> policy
is evaluated before the administrator transaction is created and <Admin> policy is evaluated. In this
case, it is possible for an administrator to be denied access to the Management Console by proxy
policy.
Important: Policy is not evaluated for serial console access, RSA-authenticated SSH access, managers
logged in using the console account credentials, or SNMP traffic.
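
The lockout case described above can be sketched in CPL as follows. This is an added example, not policy from the original guide. The appliance address 10.1.1.1, the Management Console port 8082, the admin workstation 10.1.1.50 and the domain intranet.example.com are assumed values chosen for illustration.

```cpl
; Added illustration; every address, port and domain here is an assumed value.

; Layer 1: restrictive proxy policy.
; Rules in a layer are tested top to bottom and the first match applies.
; An administrator whose browser is proxied through this appliance and
; requests the Management Console falls through to "deny", so the proxy
; transaction is refused before any <Admin> policy is evaluated.
<Proxy>
  url.domain=intranet.example.com allow
  deny

; Layer 2: a later layer, whose decision takes precedence over layer 1.
; It permits only the admin workstation to reach the console address and
; port through the proxy. All other clients keep the result of layer 1.
<Proxy>
  client.address=10.1.1.50 url.address=10.1.1.1 url.port=8082 allow
```

Once the proxy transaction is allowed, the administrator transaction is created and <Admin> policy still decides whether the login succeeds.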

Proxy Transactions

When a client connects to one of the proxy service ports configured on the secure proxy appliance
(refer to Chapter 6: “Proxies” of the Configuration and Management Guide), a proxy transaction is created
to cover both the request and its associated response.
A proxy transaction evaluates policy in <Proxy>, <Cache>, <Forward> and <Exception> layers. The
<Forward> layers are only evaluated if the transaction reaches the stage of contacting an origin server
to satisfy the request (this is not the case if the request is satisfied by data served from cache, or if the
transaction is terminated by an exception). The <Exception> layers are only evaluated if the
transaction is terminated by an exception.