Symantec ProxySG 7.3
CPL Scripting & Automation
Content Policy Language: Techniques, Best Practices & Script Examples
ProxySG 7.3.x | Broadcom / Symantec
Agenda
1. What is CPL & What Can It Control?
2. CPL Architecture & Object Flow
3. Policy File Types & Layer Types
4. CPL Syntax Fundamentals & Condition Triggers
5. Script Examples: Auth, URL Rewrite, Threat Protection & More
6. Automation Methods for Enterprise Deployment
7. Best Practices & Resources
What is CPL?
CPL = Content Policy Language — the native scripting/policy language of the Symantec ProxySG appliance.
• Controls ALL proxy behavior: authentication, access control, filtering, SSL, headers, caching, routing, and more
• Domain-specific language — not general-purpose; designed specifically for proxy policy
• VPM (Visual Policy Manager) GUI generates CPL under the hood — or write CPL directly for advanced control
• Evaluated per-transaction: every HTTP/HTTPS/FTP/SOCKS request passes through the CPL policy engine
• Supports define statements for reusable subnets, conditions, actions, and URL rewrites
What Can You Control with CPL?
User Authentication
Web Access Control
Content Filtering
SSL/TLS Inspection
URL Rewriting
Header Manipulation
Cookie Management
Caching Behavior
Forwarding / Routing
ICAP Integration
Exception Pages
Access Logging
Application Control
Bandwidth Management
DNS Proxy Control
Threat Protection
CPL Architecture & Object Flow
Object Hierarchy: Policy Files > Layers > Sections > Rules > Conditions + Properties
Definitions: subnet, condition, action, url_rewrite
Policy Evaluation Order: CachePulse > Landlord > VPM > Local > Tenant > Central > Forward
Within Each Layer: Check Layer Guard > Evaluate Rules (top to bottom) > Match Conditions > Set Properties (last-set wins) > Execute Action
Source: ProxySG 7.3.x CPL Reference
Policy File Types
VPM: Generated by the Visual Policy Manager GUI. Best for standard policies. Evaluated after the Landlord layer.
Local: Hand-written CPL that supplements VPM. Use for advanced rules not available in VPM. Evaluated after VPM.
Central: Hosted on a web server and shared across multiple appliances. Ideal for enterprise-wide policies.
Forward: Forwarding/routing rules. Supplements the other policy files. Evaluated last in the chain.
Source: Broadcom TechDocs – CPL Basics
Layer Types
Layer | Purpose
<Proxy> | Main proxy policy: authentication, access, filtering
<Admin> | Admin console and CLI access control
<Cache> | Cache transaction control and bypass rules
<SSL> | SSL/TLS triggers and properties
<SSL-Intercept> | SSL interception and bypass decisions
<Forward> | Upstream connection routing and gateways
<Exception> | Exception handling for denied transactions
<DNS-Proxy> | DNS-level transaction control and blocking
<Diagnostic> | Diagnostic information; no traffic effect
<Tenant> | Multi-tenant identification and isolation
Source: ProxySG 7.3.x CPL Reference
CPL Syntax Fundamentals
Basic Rule Structure
condition1 condition2 ... property1 property2 ...
; "If ALL conditions are true, then set ALL listed properties"
<layer_type ["label"]> [guard_conditions] [defaults]
[section_type] [section_guards]
rule1
rule2
Special Characters
Char | Meaning
; | Comment
< > | Layer headings
[ ] | Section names
= | Condition test
( ) | Grouping
\ | Line continuation
|| | OR operator
&& | AND operator
! | NOT operator
.. | Numeric range
Example:
<Proxy "Block Gambling">
; Deny access to gambling sites during work hours
category=Gambling time=0900..1700 weekday=1..5 deny
Boolean Logic: Conditions on the same line are implicitly AND. Use || for OR. Use ! for NOT. Parentheses (a, b) create value lists (implicit OR).
Source: Broadcom TechDocs – CPL Basics
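The policy below is an added illustration, not code from the deck or from Broadcom. It exercises each syntax element above and shows the evaluation order from the architecture slide: within a layer the first matching rule decides, and a later layer's property setting overrides an earlier one. The realm corp_realm, the group marketing and the intranet hostname are assumed values.

```cpl
; Added example: structure, operators and evaluation order in one policy.
; Layer 1: every client authenticates against the assumed realm corp_realm,
; so that group= tests in later layers have a user to evaluate against.
<Proxy "Authenticate">
    authenticate(corp_realm)

; Layer 2: deny-by-default for everyone. Rules are tested top to bottom and
; the FIRST matching rule sets this layer's result, so the most specific test
; (executables) comes first, then the allow list, then the catch-all deny.
<Proxy "Default Access">
    url.extension=(exe, msi, bat)                 deny   ; value list = implicit OR
    category=(Business, Finance, Technology) || \
        url.domain=intranet.example.com           allow  ; explicit OR, continued with \
    deny                                                 ; no condition: always matches

; Layer 3: layer guard. The rules inside run only for members of the assumed
; group "marketing"; for everyone else the whole layer is skipped. Because it
; is evaluated AFTER layer 2, its allow overrides layer 2's deny (last-set wins).
; The NOT operator keeps executables denied even for this group.
<Proxy "Marketing Exceptions"> group=marketing
    category="Social Networking" url.extension=!(exe, msi, bat) \
        weekday=1..5 time=0800..1800              allow  ; tests on one line are ANDed
```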
Condition Triggers Reference
Client / Network
client.address=10.0.0.0/24
client.address.country=(US,CA)
proxy.port=8080
URL / Domain
url.domain=example.com
url.extension=(exe,bat,cmd)
url.path.regex="pattern"
Category / Threat
category=(Sports, Games)
url.threat_risk.level=7..
server_url.category=Gambling
Authentication
authenticated=yes
realm=corp
group=all_staff
user=domain\\username
HTTP Specifics
http.method=POST
http.response.code=404
http.request.version=1.1
Time-Based
time=0900..1700
weekday=1..5
hour.utc=03..13
SSL / TLS
ssl_version=TLSv1.2
cipher.strength=high
cert.hostname_mismatch=yes
Source: ProxySG 7.3.x CPL Reference
Define Statements
Reusable definitions for modular, maintainable CPL policy
subnet: IP address ranges
condition: Reusable conditions
action: Multi-step actions
url_rewrite: URL transformations
string: Named strings
javascript: JS transformers
category: URL categories
Example: Define Subnet & Action
define subnet corporate_subnet
10.10.12.0/24
end
define action DeleteReferer
log_message("Referer deleted: $(.Referer)")
delete(request.header.Referer)
end
<Proxy>
client.address=!corporate_subnet deny
url.domain=sensitive-site.com action.DeleteReferer(yes)
Script: Authentication & Access Control
; Define trusted corporate network
define subnet corporate_subnet
    10.10.12.0/24
end
; Deny non-corporate traffic and force authentication
<Proxy>
    client.address=!corporate_subnet deny
    force_authenticate(MyRealm)
; Block gambling category with custom exception page
<Proxy>
    category=Gambling exception(content_filter_denied)
; Layer guard: HR group gets special access (rules run only for group hr)
<Proxy> group=hr
    url.domain=sfgate.com/jobs/ allow
    url.address=192.168.23.5 deny
    category=(news/media) deny
Key Concepts
Subnet Filtering: Define trusted networks; deny all others
Force Authentication: force_authenticate() requires login before access
Category Blocking: Deny by content category with custom exception pages
Layer Guards: group=hr on the layer header pre-filters; the layer's rules apply only to the HR group
Exception Pages: exception() triggers a custom block/deny page
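Added example for the Define Statements slide and the script above (not from the deck or from Broadcom): subnets, a multi-line condition and guarded layers combined into one admission policy. Subnet ranges, realm, group and category names are assumed values.

```cpl
; Added example: define statements as the building blocks of an access policy.
define subnet corporate_lan
    10.10.12.0/24
    10.10.20.0/22              ; one subnet definition can hold several ranges
end

define subnet guest_wifi
    172.16.50.0/24
end

define condition staff_user
    ; each line of a define condition is an alternative (OR);
    ; the tests on a single line must all hold (AND)
    group=all_staff
    group=approved_vendors client.address=corporate_lan
end

define condition blocked_for_everyone
    category=(Gambling, "Malicious Sources/Malnets", Phishing)
    url.threat_risk.level=8..  ; high threat-risk score, open-ended range
end

<Proxy "Network Admission">
    client.address=guest_wifi          allow   ; first match: guests skip authentication
    client.address=!corporate_lan      deny    ; anything else is off-net
    authenticate(corp)                         ; corporate clients must log in

<Proxy "Guest Restrictions"> client.address=guest_wifi
    ; the guard keeps these rules away from corporate traffic entirely
    condition=blocked_for_everyone     exception(content_filter_denied)
    category=(Business, "News/Media", "Search Engines/Portals") allow
    deny

<Proxy "Staff Access"> condition=staff_user
    ; unauthenticated guests never match group= tests, so this layer is skipped for them
    condition=blocked_for_everyone     exception(content_filter_denied)
    allow
```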
Script: URL Rewriting & Header Manipulation
URL Rewriting
define action HTTP_rewrite
    rewrite(url, "^http://www\.example\.com/(.*)", "http://www.server1.example.com/$(1)")
end
define url_rewrite example_portal
    rewrite_url_prefix "http://www.example.com/" "http://www.server1.example.com/"
end
<Proxy>
    url.domain=//www.example.com/ action.HTTP_rewrite(yes)
Header Manipulation
; Delete Referer header for sensitive sites
define action DeleteReferer
    log_message("Referer deleted: $(.Referer)")
    delete(request.header.Referer)
end
<Proxy>
    url.domain=sensitive-site.com action.DeleteReferer(yes)
; Inject HSTS header
define action add_hsts
    set(response.header.Strict-Transport-Security, "max-age=31536000; includeSubDomains")
end
Two approaches: rewrite() uses regex for flexible pattern matching. rewrite_url_prefix provides simple prefix-based URL substitution. Header actions include set(), delete(), append() for both request and response headers.
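An added example (not from the deck or from Broadcom) that puts rewrite() and the header actions to a defensive use: plain-HTTP requests for a portal are re-issued over HTTPS, hardening headers are added to HTTPS responses only, and the Referer is stripped when a user leaves the portal. The hostname www.portal.example.com is assumed.

```cpl
; Added example: rewrite to HTTPS and harden the headers handed to the browser.
; The proxy fetches the rewritten URL over HTTPS on the server side.
define action upgrade_portal_to_https
    log_message("upgraded to https: $(url)")
    rewrite(url, "^http://(www\.portal\.example\.com/.*)", "https://$(1)")
end

; set() overwrites an existing header, delete() removes it.
define action harden_response_headers
    set(response.header.Strict-Transport-Security, "max-age=31536000; includeSubDomains")
    set(response.header.X-Content-Type-Options, "nosniff")
    delete(response.header.Server)        ; drop the origin-server banner
    delete(response.header.X-Powered-By)
end

define action strip_referer
    delete(request.header.Referer)
end

<Proxy "Portal HTTPS Upgrade">
    url.scheme=http url.domain=//www.portal.example.com/  action.upgrade_portal_to_https(yes)

<Proxy "Response Hardening">
    ; HSTS is only honoured on an HTTPS response, so do not inject it elsewhere
    url.scheme=https url.domain=//www.portal.example.com/ action.harden_response_headers(yes)

<Proxy "Referer Hygiene">
    ; regex test on the Referer header: request came from the portal but goes to another site
    request.header.Referer="^https://www\.portal\.example\.com/" \
        url.domain=!//www.portal.example.com/             action.strip_referer(yes)
```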
Script: Threat Protection & ICAP Scanning
Virus Scanning with Whitelist
define condition extension_low_risk
    url.extension=(gif,jpeg,mp3,txt,wmv)
end
define condition internal_prescanned
    ; both tests on one line must hold: internal host AND pre-scanned type
    server_url.domain=internal.myco.com server_url.extension=(doc,dot,html)
end
define condition white_list
    ; each line is an alternative: low-risk extension OR pre-scanned internal content
    condition=extension_low_risk
    condition=internal_prescanned
end
; response.icap_service() is a property, so it is set directly in the rule;
; a define action block holds actions such as set(), delete() or log_message()
<Cache>
    condition=!white_list response.icap_service("ICAP_server")
SSL/TLS Hardening
; Block weak cipher strengths on both the client-side and server-side handshake
<ssl>
    client.connection.negotiated_cipher.strength=(low,medium) force_exception(silent_denied)
    server.connection.negotiated_cipher.strength=(low,medium) force_exception(silent_denied)
; Block specific weak ciphers by name
<ssl>
    client.connection.negotiated_cipher=(EXP-RC4-MD5, EXP-RC2-CBC-MD5, EXP-DES-CBC-SHA) force_deny
ICAP integration routes content through external scanning engines (antivirus, DLP). Whitelists optimize performance by skipping safe content types. SSL hardening blocks weak cipher negotiation.
Source: ProxySG 7.3.x CPL Reference
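The following is an added example, not code from the deck or from Broadcom: interception decisions in the <SSL-Intercept> layer, certificate validation and cipher checks in <SSL>, then request-side (DLP) and response-side (AV) ICAP scanning on the traffic that is visible after interception. ICAP service names av_scan and dlp_scan, the bypass domains and the category names are assumed.

```cpl
; Added example: decide which TLS sessions to decrypt, then scan what is visible.
define condition privacy_bypass
    ; do not decrypt sessions where inspection is a privacy or legal problem
    category=("Financial Services", "Health", "Government/Legal")
    url.domain=(bank.example.net, hr-benefits.example.com)
end

define condition scan_whitelist
    url.extension=(gif, jpeg, png, css, mp3, txt)
    server_url.domain=internal.myco.com server_url.extension=(doc, dot, html)
end

<SSL-Intercept>
    condition=privacy_bypass       ssl.forward_proxy(no)     ; tunnel untouched
    ssl.forward_proxy(https)                                  ; intercept everything else

<SSL>
    ; intercepted sessions must present a valid server certificate, and weak
    ; cipher negotiation is dropped silently (same check as the deck's example)
    server.certificate.validate(yes)
    client.connection.negotiated_cipher.strength=(low, medium) force_exception(silent_denied)

<Proxy "Upload DLP">
    ; request-side ICAP: uploads go to the DLP service; fail closed if it is down
    http.method=(POST, PUT)        request.icap_service(dlp_scan, fail_closed)

<Cache "Download AV">
    ; response-side ICAP for everything not on the whitelist
    condition=!scan_whitelist      response.icap_service(av_scan, fail_closed)
```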
Script: Notifications & Advanced Actions
Cookie Iteration & Deletion
define action DeleteSampleCookies
    iterate(request.header.Cookie)
        iterator.prefix="Sample"
        iterator.delete()
    end
end
Email Notification
define action email_notify_restricted
    notify_email("restricted: ", "$(client.address) accessed URL: $(url)")
end
<Proxy>
    category=Hacking action.email_notify_restricted(yes) deny
SNMP Notification
define action snmp_notify_restricted
    notify_snmp("$(client.address) accessed restricted URL: $(url)")
end
Time-Based Access Control
<Proxy>
    url.domain=social-media.com time=0900..1700 weekday=1..5 deny
CPL actions can iterate over headers/cookies, send email or SNMP alerts, and use substitution variables like $(client.address) and $(url) for dynamic content.
Source: ProxySG 7.3.x CPL Reference
Automation Methods
CLI Scripting via SSH: Batch commands via SSH for automated configuration changes across appliances
Central Policy Files: Host CPL on a web server; all appliances auto-download and apply the shared policy
Management Center REST API: Programmatic device management, policy deployment, and monitoring via RESTful endpoints
Inline Policy CLI: Push CPL directly via CLI using inline policy commands for rapid deployment
Policy Fragments: Modular, reusable CPL snippets managed via Management Center for enterprise scale
Example: Inline Policy via CLI
#(config) inline policy local eof
<Proxy>
url.domain=blocked-site.com deny
eof
Central Policy Tip
Host a .txt file on a web server accessible to all appliances. Configure each ProxySG to fetch the central policy URL.
Source: Management Center REST API
Best Practices
1. Start with deny default: Set the default proxy policy to Deny, then whitelist allowed traffic
2. Use VPM for standard policy: Use the Local file only for advanced CPL not available in the VPM GUI
3. Order rules specific to general: Most-specific rules first; saves CPU and prevents unintended overrides
4. Use layer guards: Pre-filter traffic before evaluating rules within a layer
5. Name layers descriptively: e.g., "WAL Finance Rule(1)"; aids troubleshooting and auditing
6. Use define statements: Reuse subnets, conditions, and actions across layers for maintainability
7. Use Central policy for multi-appliance: Host on a web server; all appliances auto-sync the shared policy
8. Policy tracing for debugging: Use policy-driven traces (not global) to minimize performance impact
9. Test in monitor mode first: Use detection(...monitor) before enforcing new security engines
10. Comment extensively: Use ; comments throughout CPL for documentation and team clarity
Source: ProxySG Best Practices
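Added example for best practice 8 (not from the deck or from Broadcom): a policy-driven trace scoped by a layer guard to one test client and one site, so the cost is paid only for those transactions. The client address and hostname are assumed test values.

```cpl
; Added example: scoped policy trace instead of a global one.
; The guard limits the layer to a single workstation and a single site;
; remove the layer once the problem is understood.
<Proxy "Debug Trace"> client.address=10.10.12.44 url.domain=www.example.org
    ; both properties must sit on ONE rule: within a layer only the first
    ; matching rule is applied, so a second unconditioned rule would never run
    trace.request(yes) trace.rules(all)   ; trace the transaction and every rule evaluated
```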
Resources & Links
Official PDFs
TechDocs
Video Tutorials
Community & Knowledge
Key Takeaways
✓ CPL is the most powerful way to control ProxySG behavior — from authentication to threat protection
✓ Use define statements for modular, maintainable, and reusable policy
✓ Combine VPM for standard rules with Local CPL for advanced customization
✓ Layer guards and evaluation order give you fine-grained control over policy application
✓ Automate with Central policy files, CLI scripting, and Management Center REST API
✓ Always follow best practices: deny-default, specific-to-general ordering, policy tracing
Questions?