
[IAG] Description of the matching order of custom URLs and custom applications in access permission policies

Problem Description

Customers have reported that the same domain names were added both to a custom URL and to a custom application, and that both were associated with the same user in an access permission policy: the custom URL was given an allow rule, while the custom application was given a deny rule.
The customer's testing found that, when accessing these websites, some were allowed by the custom URL while others were blocked by the custom application, even though the custom URL policy was placed before the custom application policy.

Effective troubleshooting steps

  1. Testing against a single website showed that when a custom URL and a custom application both exist for it, the deny policy of the custom application is matched regardless of the order of the policies.
  2. Firewall debugging was performed in the background. For the tested domain name, the background check showed that it was indeed identified as a custom application and blocked, even though it was allowed in the custom URL. (Firewall debug log method: http://tskb.sangfor.com/forum.php?mod=viewthread&tid=25734&is_note=1)
  3. Communicated with R&D, who confirmed that a custom application is identified by looking up the domain name associated with the destination IP in the device's DNS cache (on the IAG device), whereas a custom URL is identified from the domain name in the HTTP request, or from the server name field of the TLS Client Hello for HTTPS. The device's cache lookup is necessarily faster than the arrival of the packet that carries the domain name, so the custom application is identified first. In summary: **Custom applications have higher priority than custom URLs.**
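A small Python model of the matching order described in step 3 (an added illustration, not Sangfor code or the IAG's actual implementation). The DNS cache entries, the TEST-NET addresses, the `Policy` class and the `decide` function are constructed for this example; it also assumes that a destination whose IP is absent from the device DNS cache falls through to the custom URL stage.

```python
from dataclasses import dataclass

# Constructed sample data (not from the article): the device DNS cache as
# the IAG would hold it (IP -> domain), and two objects listing the same domain.
DNS_CACHE = {"203.0.113.10": "example.com"}   # TEST-NET-3 address, constructed
CUSTOM_APP_DOMAINS = {"example.com"}          # custom application (deny rule)
CUSTOM_URL_DOMAINS = {"example.com"}          # custom URL (allow rule)


@dataclass
class Policy:
    kind: str    # "custom_app" or "custom_url"
    action: str  # "allow" or "deny"


def identify_by_app(dst_ip):
    """Custom-application stage: map the destination IP back to a domain
    through the device DNS cache and check the custom application list."""
    domain = DNS_CACHE.get(dst_ip)
    return domain if domain in CUSTOM_APP_DOMAINS else None


def identify_by_url(host_or_sni):
    """Custom-URL stage: match on the HTTP Host header or the TLS SNI."""
    return host_or_sni if host_or_sni in CUSTOM_URL_DOMAINS else None


def decide(policies, dst_ip, host_or_sni):
    """Return (action, matched_kind) for one connection.

    The cache lookup completes before the Host/SNI packet is parsed, so a
    matching custom_app policy is applied first no matter where it sits in
    the ordered policy list; the custom_url stage is reached only when the
    application stage does not identify the destination."""
    if identify_by_app(dst_ip):
        for p in policies:
            if p.kind == "custom_app":
                return p.action, "custom_app"
    if identify_by_url(host_or_sni):
        for p in policies:
            if p.kind == "custom_url":
                return p.action, "custom_url"
    return "allow", None  # no policy matched: default action (assumed)
```

Running `decide` with the URL policy listed first and then with the application policy listed first gives the same deny result for a cached IP, which is the behaviour observed in step 1.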

Root cause

**This is due to the device's own cache query mechanism. When a URL matches both a custom application and a custom URL, the custom application takes precedence over the custom URL.**

Solution

This is normal and does not require resolution.

Original Link

https://support.sangfor.com.cn/cases/list?product_id=22&type=1&category_id=25970&isOpen=true