URL Filtering - All Policies Assessed During Processing?

Interesting one.

URL Filtering Rule A - Location A traffic allowed to a defined Allow List X.
URL Filtering Rule B - Location A traffic blocked.
URL Filtering Rule C - Location A traffic (“any” selected on Location Group) allowed to a defined Allow List Y (different from List X).

I have above set up from a ZScaler system I inherited and I note that traffic from Location A can go to URLs in Allow List Y. Does this mean that all traffic is assessed against all filtering policies rather than only the first one that it hits against?

I can reduce the scope of Filtering Rule C to exclude Location A but more interested to understand what the design behaviour is.

Hi Andrew,

This is possible when a URL matches List Y instead of List X. If URL is in List Y then Rule A and Rule B cannot be true as all conditions (location, URL category, etc.) need to be true.

There could also be an exact match scenario with subdomains where URL matches List Y instead of List X. See my post on this topic: URL filtering when a URL/domain is present in multiple custom categories

Regards,
Pankaj
Sr. Product Manager, Zscaler

Thanks Pankaj - I did read that post before I posted my message as wasn’t sure if it applied as I was talking about the same ‘user’ (location in my instance) for all the rules. .

I think my question is - Why does this traffic even reach Rule C on the basis that Rule B should block it.

Rule A - “is this traffic from Location A & on my Allow List X?” - Not on Allow, don’t apply policy, go to next rule.
Rule B - “is this traffic from Location A” - yes. Apply Policy - Block.
Rule C - “why am I seeing this traffic?” :slight_smile:

Should I read this as every URL Filtering Rule is looked at for all traffic and the last one in the rule list which matches is applied?

Understood. This is unexpected result. Hope the rule order is correctly in place. Please open a support ticket for Support team to review.

No. In fact the first one in the rule list (order value lower) is applied.

Regards,
Pankaj

1 Like

Thanks Pankaj - that’s good to hear that this isn’t as per design.

I will speak with your Support team.

I vaguely remember having problems like this because we where not SSL inspecting the category we wanted to block.

Thanks Gordon - I had a look and the URLs that are ‘slipping’ through are not within those that are excluded from SSL inspection.

An interesting conundrum indeed!