Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

How the Web Policy Code Works

The web policy code underlies the functions provided by Secure Web Gateway to enable a policy that ensures protection against web threats.

Web threats can arise when users access the web. A web policy specifies rules for taking measures against web threats if they arise.

How the code enables a web policy

A general rule for a policy against web threats could read as follows.

  • If a threat arising from web usage is recognized, then do something against it.

A rule that addresses a particular threat, for example, a malware-infected file, would read:

  • If a file sent from a website in response to a user's request is found to be malware-infected, then block the response with this file.

In the web policy code, this rule is expressed by a statement that basically looks like this:

IF MWG.Body.Infected THEN MWG.Block

When this piece of code is processed, a file that a user requests access to is blocked if it is found to be infected. It is also referred to as IF-THEN statement or simply as rule.

The following two code items are mainly involved here:

  • Function: MWG.Body.Infected
  • Procedure: MWG.Block

Referring to these items, you could also paraphrase the statement as follows:

  • If a particular function returns a value (that shows there is a web threat), then a suitable procedure is executed.

Or, more shortly:

IF <Function returns (critical) value> THEN <Execute procedure>

The web policy code for Skyhigh Security Service Edge includes all kinds of IF-THEN statements or rules that address all kinds of web threats. Together they make up your web policy.

When a website sends a file in response to a user's request, it is usually sent as the body of the response. This is why the name of the function in the example includes a Body part. The response body is scanned following a rule of your web policy. If it is found to be infected, it is not forwarded to the user.

NOTE: These code items and others were developed for Skyhigh Security Service Edge based on similar items of the Web Gateway on-prem web security product. Many of them are, therefore, prefixed by MWG.

Routines

Code statements or rules that address the same kind of web threat are included, together with other code items, in a routine. There is a routine with rules for anti-malware filtering, URL filtering, media type filtering, and so on.

Other routines include rules for applying a particular method of protection against web threats. For example, there are routines for different modes of isolating a user's browser or for coaching a user's access to the web.

The name of a routine appears, together with the term ROUTINE, at the beginning of the code portion that makes up this routine, for example:

ROUTINE Anti_Malware_Rules

On the normal user interface, the Web Policy pages also offer suitable options for dealing with all kinds of web threats and unwanted web usage.

Usually each page addresses a particular kind of web threat as well. The code view option on each page allows you to access the underlying routine.

Pages and routines correspond to each other, for example, as follows:

  • Page: Anti-Malware — Routine: Anti_Malware_Rules
  • Page: Category, Reputation & Geo — Routine: URL_Filtering_Rules
  • Page: Full Isolation — Routine: Full_Isolation

Main parts of a routine

A routine within the web policy that is implemented under Skyhigh Security Service Edge usually has three main parts. These are not formal sections of the code, but are distinguished here to allow for a better understanding of the code structure.

  • Initial part — Begins with ROUTINE. Includes the routine name, the processing cycle or cycles where the routine is run, and information about whether the routine is enabled.

Example:

ROUTINE Anti_Malware_Rules ON (Web.Request,Web.Response,EmbeddedObject) [enabled="true"]
  • Variable setting — Variables are set here to particular values for further use in the routine.

While most variables are usually set in one place within a routine, this can also be done later on. In addition to variables, other code items can also be set here.

Example:

NUMBER transferSizeLimit = 209715200
  • IF-THEN statements — Several statements with an IF-THEN structure, which are also known as rules.

Example:

// Block If Virus Was Found
IF MWG.BodyInfected (gam) THEN {
        MWG.Block (McAfee_Malware_found, "Block If Virus Was Found",
         "Gateway Anti-Malware")
}

Understanding the initial part of a routine

The initial part of a routine provides basic information about it, including its name, when it is run, and whether it is enabled.

The code portion that makes up a routine begins with the ROUTINE term. It continues with the routine name and some other items.

These items are explained here in more detail:

  • Routine name — Name of the routine preceded by ROUTINE

Example:

ROUTINE Anti_Malware_Rules
  • Processing cycles — Cycles of the filtering process preceded by ON

Example:

ON (Web.Request, Web.Response, EmbeddedObject)

A routine is run when the filtering process on Skyhigh Security Service Edge is in one of the cycles that are specified for it. These cycles can be specified:

  • Web Request — Cycle where user requests for web access are filtered
  • Web Response — Cycle where responses to user requests received from the requested websites are filtered
  • Embedded Object — Cycle where objects embedded in requests or responses are filtered

Only one of these cycles is going on at a given moment. Any combination of them can be specified for a routine, depending on its purpose.

For example, only the request cycle is usually specified for a URL filtering routine because it serves the purpose of evaluating and filtering URLs that are submitted in user requests.

All three cycles are usually specified for an anti-malware filtering routine because malware can inhere, for example, in a file that is uploaded to the web, as requested by a user. It can intrude into your network through a file that is received as a response from the web, or in an object that is embedded in a request or response.

Later in the routine, a particular processing cycle can be the condition of an IF-THEN statement. The cycle is checked using the term Trigger:

IF Trigger == "Web.Request" THEN {
  • Enabling — Information about whether the routine is enabled

Example:

[enabled="true"]

Understanding variable setting in a routine

After the initial part of a routine, variables are usually set for further use in this routine.

Example:

NUMBER transferSizeLimit = 209715200

This variable is set in a routine for anti-malware filtering to limit the size of the web objects that are filtered. If a web object exceeds this limit, it is allowed to skip the filtering to save time and resources.

The variable is used later on in an IF-THEN statement:

// Bypass Based on Size (default 200 MB)
IF skipBigSize AND MWG.CycleName == "Response" AND MWG.BodySize > transferSizeLimit THEN {
    END
}

A comparison between the value of this variable and the size of a web object shows whether the limit is exceeded. The object size is the return value of the MWG.BodySize function. The result of this comparison is one of three conditions in the IF clause.

If all three are met, a web object is allowed to skip anti-malware filtering. It means that no procedure is executed. So, THEN is immediately followed by END.

Understanding IF-THEN statements in a routine

IF-THEN statements are used in a routine to specify measures that are taken, such as blocking a web object or forwarding it to a user, and the conditions that must be met for taking these measures.

These statements are known as IF-THEN statements due to their structure and also as rules because of their function as elements in a policy against web threats.

An IF-THEN statement can include another IF-THEN statement or more of them as embedded elements. A statement can also be made more complex by using ELSE clauses. You will see this when you review individual routines.

What is explained in the following applies to statements that are not complex, but only include one IF and one THEN clause. Most of it applies, however, in a similar way to complex statements as well.

The IF clause of an IF-THEN statement specifies a condition for taking a measure that is specified in the THEN clause. To find out whether a condition is met, a function can be run to return a value that determines whether the condition is met. For a complex condition, more functions and other code items can be used.

A function is run, for example, to scan a file for malware infections. If it returns the value TRUE, which means the file is infected, the condition is met and a block procedure is executed.

Functions and procedures can have parameters, which are added to these code items in parentheses. This is explained here in more detail:

  • IF clause — Part of an IF-THEN statement specifying the condition that must be met for the measure in the THEN clause to be taken

Example:

IF MWG.Body.Infected (gam)

An IF clause can include a function, which can have one or more parameters.

The condition that is specified in an IF clause can be complex and include, for example, more than one function. Functions are connected by operators such as AND or OR.

  • Function — Code item in an IF clause that is run to return a value to find out whether the condition specified by this clause is met.

Example:

MWG.Body.Infected (gam)

If the return value for a condition to be met is TRUE, it is usually left out in the code. So ...

IF MWG.Body.Infected (gam)

can be read as:

IF MWG.Body.Infected (gam) = TRUE
  • Function parameters — Modify the behavior of a function, for example, by specifying the settings of a component that supports the function

Example:

(gam)

A component that is available on Skyhigh Security Service Edge for supporting a function is referred to as a feature.

For example, when the MWG.Body.Infected function is run, it is supported by the Anti-Malware feature. This feature has settings that can involve a particular scanning engine, for example, the Gateway Anti-Malware (GAM) engine, in the filtering process.

The GAM engine scans a file when it is received as the body of a response sent from a website. The result might be that this file is infected.

Then the Anti-Malware feature provides the MWG.Body.Infected function with this result. The function returns TRUE, so the condition is met and a block procedure is executed.

The settings for a feature are specified as a function parameter. In the example, the settings name is gam.

  • THEN clause — Code item in an IF-THEN statement specifying what is to happen if the condition in the IF clause is met.

Example:

THEN {
 MWG.Block (McAfee_Malware_found, "Block If Virus Was Found", "Gateway Anti-Malware")
}
  • Procedure — Code item in a THEN clause that is executed if the condition in the IF clause is met.

A procedure can have one or more parameters.

Example:

MWG.Block (McAfee_Malware_found, "Block If Virus Was Found", "Gateway Anti-Malware")
  • Procedure parameters — Modify the behavior of a procedure

Example:

(McAfee_Malware_found, "Block If Virus Was Found", "Gateway Anti-Malware")

The parameters in this example have the following meanings:

  • Block reason: McAfee_Malware_found
    This reason is usually shown in the block message.
     
  • Name of the blocking rule: "Block If Virus Was Found"
    This name is usually shown in the block message.
     
  • Setting name: "Gateway Anti-Malware"

What functions do in a routine

Functions return values that are needed, for example, to find out whether a condition is met that requires a procedure to be executed.

For example, to find out whether the condition is met for executing a procedure that blocks an infected file, a function is run. It lets the file be scanned and returns TRUE or FALSE, depending on whether the file is found to be infected or not.

This function is explained here in more detail as an example.

MWG.BodyInfected(<Setting>)

Returns value of type: Boolean

This function lets a web object, for example, a file, be scanned and returns TRUE if the result of the scanning is that the file is infected by a virus or other malware. Otherwise it returns FALSE.

The file might have been received, for example, as the body of a response that a website sent to respond to a user's download request.

The file can be scanned using different methods involving different scanning devices, for example, the Gateway Anti-Malware (GAM) scanning engine. The setting parameter specifies a setting for the function that determines which method and engine or engines are involved in the scanning.

The setting for involving the GAM scanning engine is the MWG.AntimalwareSetting:

MWG.BodyInfected(MWG.AntimalwareSetting)

This setting name can be replaced with gam in a routine, for example, in the variable setting part.

MWG.AntimalwareSetting gam = McAfee_Gateway_AntiMalware

The name that the setting has when it is configured for a web policy feature is specified here as McAfee_Gateway_AntiMalware. When the function is used in an IF clause to find out whether the condition of being infected is met for a file, the parameter name is gam.

IF MWG.BodyInfected (gam)

What procedures do in a routine

Procedures are executed as measures against web threats if particular conditions are met.

For example, a block procedure is executed if the condition is met that a file that was received from a website is infected.

This procedure is explained here in more detail as an example.

MWG.Block (<Block reason and other parameters>)

This procedure blocks requests and responses.

It is used, for example, in the Anti_Malware_Rules routine to block a response from a website with an infected file as its body. This file is not forwarded to the user who requested access to it. A block message is sent to the user instead providing the block reason and other information.

You can edit the layout and structure of a block message using the options provided under End User Notification Pages on the user interface.

  • Procedure with sample parameters:
MWG.Block (McAfee_Malware_found, "Block If Virus Was Found", "Gateway Anti-Malware")

These parameters specify:

  • Block reason: McAfee_Malware_found
  • Name of the blocking rule: Block If Virus Was Found
  • Setting name: Gateway Anti-Malware

Procedure in a sample statement:

IF MWG.BodyInfected (gam) THEN {
MWG.Block (McAfee_Malware_found, "Block If Virus Was Found", "Gateway Anti-Malware",
"Gateway Anti-Malware")
}

This statement is included in the Anti_Malware_Rules routine where it blocks malware-infected web objects.

  • Was this article helpful?