Can someone help me? I have a policy called Google Only. It maps to my username (in this example "myuserid"). The first rule only allows access to Google based on the wildcard *google.com*
Then I want to block everything else. I thought the Action Stop Cycle would then stop the proxy from processing the request further, but it didn't work; I could access other sites. Then I tried the next disabled rule, called Stop Processing, which is Always applied with the Stop Cycle action, but it still moves on to the next rule called "Block Streaming Media" (I know this because I also map to the Block Streaming Media and I get a block page from the Block Streaming Media rule). Then I put the 3rd rule "Block Everything else", which basically blocks anything not in the Google only list. This works. Why doesn't the Stop Cycle work? I thought it would.
Can someone explain how it works?
"Stop Cycle" actually means that the current Cycle (Request, Response or Embedded) is stopped when the action is triggered. This means that, in your above example, no more rule processing is performed after the "Stop Cycle" action. If there is no "Block" action called anywhere, the request will pass. In order to allow Google and block everything else you will have to "Stop Cycle" for Google URLs (to skip the Block action), but you need a Block action to block everything else!
"Stop Cycle" in this context is more an "Allow" than a "Block" action, since MWG does not block everything that does not match any rule, but allows it unless it is explicitly blocked.
So what you're saying is, in my ruleset here I actually need the Block everything else after all; no other action would achieve what I'm trying to do?
As far as I understood - yes. Basically Web Gateway is "open", which means if you had no rules at all, you would be able to freely pass Web Gateway without being blocked. Therefore - if no Block action is applied - your request will walk through the policy and will be forwarded to the Internet.
In the firewall world this is different. Usually you would block everything here, unless you explicitly allowed it. This is a bit confusing when working with the Web Gateway policy.
MWG will not block your request unless and until you have a block rule in place, below your allow rules. In your case, google.com is getting matched in your first rule "google only" and then, due to the action "Stop Cycle", it is directly going out without any further rules processing.
However, for requests other than google, since the criteria don't match, the request flows down to the next rule and sequentially the next rule set. If no matching criteria are found below, up to the last rule, the request will directly go out, i.e. the request will be allowed.
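The evaluation order the replies describe, as an added example that is not part of the original thread and is not Web Gateway's own rule syntax or engine: a simplified Python model of one request cycle, run with and without the "Block Everything Else" rule. The `Rule` class, the `evaluate`, `policy` and `audit` functions, and the `*.example` hosts and streaming pattern are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Simplified model of a default-open rule walk; not MWG's engine.
@dataclass
class Rule:
    name: str
    pattern: str          # wildcard matched against the host; "*" means Always
    action: str           # "stop_cycle" or "block"
    enabled: bool = True

def evaluate(rules, host):
    """Walk rules top-down; return (verdict, name of the deciding rule)."""
    for rule in rules:
        if not rule.enabled or not fnmatchcase(host, rule.pattern):
            continue                      # criteria not met: fall through
        if rule.action == "stop_cycle":
            return ("allowed", rule.name) # cycle ends before any Block is hit
        if rule.action == "block":
            return ("blocked", rule.name)
    return ("allowed", None)              # default-open: nothing blocked it

GOOGLE_ONLY = Rule("Google Only", "*google.com*", "stop_cycle")
BLOCK_REST = Rule("Block Everything Else", "*", "block")
# Constructed stand-in for the later "Block Streaming Media" rule set.
BLOCK_MEDIA = Rule("Block Streaming Media", "*stream.example*", "block")

def policy(with_block_rest):
    """Rules in processing order, optionally with the catch-all block."""
    rules = [GOOGLE_ONLY]
    if with_block_rest:
        rules.append(BLOCK_REST)
    rules.append(BLOCK_MEDIA)
    return rules

def audit(rules, hosts):
    """Verdict per host, so a policy change can be checked before rollout."""
    return {host: evaluate(rules, host) for host in hosts}

# Constructed sample hosts.
HOSTS = ["www.google.com", "news.example", "tv.stream.example"]

if __name__ == "__main__":
    for label, flag in (("without catch-all block", False),
                        ("with catch-all block", True)):
        print(label)
        for host, (verdict, rule) in audit(policy(flag), HOSTS).items():
            print(f"  {host:20} {verdict:8} by {rule}")
```

A verdict of `allowed` with no deciding rule marks a request that passed only because nothing matched it, which is the case the catch-all block closes.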