Working with rules

A web security policy, which includes various rules, is implemented on Web Gateway. When a situation arises where a rule applies, the rule performs an action. You can configure this policy by modifying its rules to adapt them to the needs of your organization.

To configure a web security policy, you modify its rules, dealing with them on different levels.

Rule sets

Rules are grouped in rule sets, each of which usually covers a particular field of web security, such as anti-malware filtering, URL filtering, media type filtering, and others.

A default system of rule sets is implemented on Web Gateway during the initial setup.

You can enable or disable these rule sets, move, copy, and delete them, modify their rules, import rule sets from a built-in or an online library, and create rule sets of your own.

The rules in these rule sets are applied to the traffic that is created by the web usage of the users of your organization. Unless you configure it differently, the rules are only applied to the web usage of users who access the web from inside your local network.

You can, however, enable one or more rule sets for cloud use. The rules in these rule sets are then enforced even when users of your organization access the web from outside your local network.


Rules

You can enable and disable individual rules, move, copy, and paste them, delete them, and create rules of your own.

Rule elements

As default rules are already implemented on Web Gateway, you will usually configure individual elements of rules rather than creating completely new rules. The following are rule elements that you might deal with more often.

  • Properties — Every rule contains at least one property. A property in a rule on Web Gateway is usually a property of a web object or an entity that is related to a web object, such as the user who requests access to it.

    A property of a web object is, for example, Antimalware.Infected. If this property has the value true for a web object to which access is requested, a default rule on Web Gateway that contains this property blocks the request and, consequently, denies the user access.

  • Lists of web objects — Lists of web objects are used within rules, for example, to make sure that access to these objects is not impeded by a particular blocking rule.

    A rule that uses a list like this might stop processing for all rules that would otherwise be processed after it, including the blocking rule.

  • Module settings — Property values are found by modules of the filtering process on Web Gateway. These modules are also known as filters or engines. You can configure settings for these modules to let them complete their jobs in different ways.

    For example, to find out whether the value of the Antimalware.Infected property is true for a requested web object, the object must be scanned for infections. This process is handled by the Anti-Malware module.

    By configuring settings for this module, you can, for example, involve the Gateway Anti-Malware engine in the scanning process combined with additional scanning by Advanced Threat Defense.
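
The interaction described above between a rule that uses a list of web objects and the blocking rule on Antimalware.Infected, as an added Python example that is not part of the product documentation. It is a simplified model, not Web Gateway's rule engine or rule syntax; the rule names, the action names "Stop" and "Block", the host names, and the list contents are constructed for illustration.

```python
"""Simplified model of ordered rule processing (not Web Gateway's engine or syntax)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

ALLOW_LIST = {"updates.example.com"}  # constructed list of web objects (hosts)

class Request:
    def __init__(self, host: str, infected: bool):
        self.host = host
        self._infected = infected  # constructed ground truth for the demo
        self.scanned = False       # records whether the scan was ever triggered

    def antimalware_infected(self) -> bool:
        # Stands in for the Antimalware.Infected property: its value is only
        # known after the object has been scanned by the Anti-Malware module.
        self.scanned = True
        return self._infected

@dataclass
class Rule:
    name: str
    criteria: Callable[[Request], bool]
    action: str  # "Stop" or "Block"; action names are assumptions of this model

ALLOW_RULE = Rule("Allow listed hosts", lambda r: r.host in ALLOW_LIST, "Stop")
BLOCK_RULE = Rule("Block if infected", lambda r: r.antimalware_infected(), "Block")

def process(rules: List[Rule], request: Request) -> Tuple[str, Optional[str]]:
    """Apply rules in order; return (verdict, name of the deciding rule)."""
    for rule in rules:
        if not rule.criteria(request):
            continue
        if rule.action == "Block":
            return "blocked", rule.name
        if rule.action == "Stop":  # later rules, including the block, are skipped
            return "allowed", rule.name
    return "allowed", None

def evaluate(rules, host, infected):
    """Return (verdict, deciding rule, whether the object was scanned)."""
    request = Request(host, infected)
    verdict, decided_by = process(rules, request)
    return verdict, decided_by, request.scanned

if __name__ == "__main__":
    for host in ("updates.example.com", "files.example.net"):
        print(host, evaluate([ALLOW_RULE, BLOCK_RULE], host, infected=True))
```

In this model a listed host is allowed without ever being scanned, so entries on such a list warrant the same review as a change to the blocking rule itself.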