Configure Profile Elements

Add a Custom Application Element

To add a custom application element:

1. Go to Configure > Profile Elements > Elements > Application > Custom Application.
   
   
   
   The following screen displays.
   
   
    
2. Click + Custom Application. The Create Custom Applications screen displays. Enter information for the following fields.
   
   
    

   Field	Description
   Name	Enter a name for the custom application.
   Type	Select the application type. Internet is the only available custom application type.
   Logo	Add a logo for the custom application. Click the + Add icon to upload an application image, and then select an image and upload it. The image must be in .png or .svg format.
   Tags	Enter one or more tags. A tag is an alphanumeric descriptor, with no white spaces or special characters, that you can use to search the objects.

3. Select the Advanced tab, and then enter information for the following fields.
   
   .
    

   Field	Description
   IP Prefix	Click to use an IP prefix. Then enter a valid IP prefix and subnet. Note that if you select IP Prefix, you cannot also select Host Pattern.
   Host Pattern	Click to use a host pattern. Then enter a host pattern to detect. Note that if you select Host Pattern, you cannot also select IP Prefix.
   Protocol	Select a protocol. If you selected Host Pattern, TCP is the only protocol available.
   Source Port	If you select IP Prefix and either TCP or UDP, enter the source port number. You can enter a single port value or a range of value,; for example, 500 and 1-100. Range: 0 through 65535 Default: None
   Destination Port	If you select IP Prefix and either TCP or UDP, enter the destination port number. You can enter a single port value or a range of values, for example, 500 and 1-100. Range: 0 through 65535 Default: None
   Family	(For Releases 11.4.1 and later.) Select the application's family type: business-system collaboration general-internet media networking
   Subfamily	(For Releases 11.4.1 and later.) Select the application's subfamily type: antivirus application-service audio-video authentication behavorial compression database encrypted encrypted-tunnel erp file-server file-transfer forum game instant-messaging internet-utility mail microsoft-office middleware network-management network-service peer-to-peer printer routing security-service standard telephony terminal thin-client tunneling unknown wap web webmail
   Risk	(For Releases 11.4.1 and later.) Select a risk level to assign to the application. Value: 1 through 5
   Productivity	(For Releases 11.4.1 and later.) Select a productivity value to assign the application. Value: 1 through 5
   Precedence	(For Releases 11.4.1 and later.) Enter a unique priority number to use when multiple applications match the traffic. The application with a higher precedence value is matched first. Range: 0 through 65535

4. Select the Permissions tab, and then revise the permissions if necessary.
   
   
5. Click Save to create the custom application.

Add an Application Group Element

To add a new application group:

1. Go to Configure > Profile Elements > Elements > Application > Application Group.
   
   
   
   The following screen displays.
   
   
    
2. Click + Application Group. The Create Application Group screen displays. Enter information for the following fields.
   
   
    

   Field	Description
   Name	Enter a name for the custom application.
   Type	Select the custom application type. Internet is the only available type.
   Logo	Add a logo for the custom application. Click the + Add icon to upload an application image, and then select an image and upload it. The image must be in .png or .svg format.
   Tags	Enter one or more tags. A tag is an alphanumeric descriptor, with no white spaces or special characters that you can use to search the objects.

3. Select the Applications tab, click in the Search for Applications field, and then select the applications to include in the group.

4. Select the Permissions tab, and then revise the permissions if necessary.
   
   
5. Click Save to create the application group.

Add an Application Classification Element

To add a new application classification element:

1. Go to Configure > Profile Elements > Elements > Application > Application Classification.
   
   
    
2. Select Application Classification. The screen displays the application classifications that are already configured.
   
   
    
3. Click + Application Classification. The Create Application Classification screen displays.
4. Enter information for the following fields.
   
   
    

   Field	Description
   Name	Enter a name for the application classification.
   Forwarding Class (Group of Fields)
   Category	Select a category: Assured Best Effort Expedited Network
   Class	Select a class. The classes listed depend on the category you select. 0 through 3 (for Network category) 4 through 7 (for Expedited category) 8 through 11 (for Assured category) 12 through 15 (for Best Effort category)

5. Click Advanced to configure advanced options.
   
   
6. Select a term, and then enter information for the following fields. Available terms are Loss Priority, Traffic Conditioning, SLA Metrics, and Connection Priority.
    

   Field	Description
   Connection Priority	Select a connection type: Internet LTE MPLS Click Avoid to avoid using the selected connections when forwarding traffic. Click Add to add the term, or click cancel to cancel the selected connection type.
   Loss Priority	Select the loss priority: High Low
   SLA Metrics	Select an SLA metric: Low Latency Low Packet Loss Low Delay Variation
   Traffic Conditioning	Select one or more traffic conditions: FEC (forward error correction) Load Balance—Click the slider to select per-flow or per-packet load balancing. Replication

7. Click Advanced again, or click Add Term to add more terms.
8. Select the Application Category tab.
   
   
    
9. Click Add Category to add more categories.
   
   
    
10. In the Name field, enter a name for the application category.
11. Click Add Term.
12. Add Traffic Conditioning, SLA Metrics, and Connection Priority terms, as described in Step 5 above.
13. Select the Members tab.
    
    
     
14. Click Add Criteria, and then add the desired criteria. For more information, see Configure QoS Policies and Rules and Configure Traffic-Steering Policies and Rules, above.
15. Click Save.

Add a Forwarding Profile Application Element

1. Click Configure > Profile Elements > Elements > Application > Forwarding Profile.
   
   
   
   The Forwarding Profile screen displays all the configured forwarding profiles.
   
   
2. To customize which columns to display, click Select Columns and then click the columns to display or hide. Click Reset to return to the default column settings.
   
   
3. To create a forwarding profile, click +Add Forwarding Profile. In the Step 1, Path Selection screen, select a route path type.
   • SD-WAN (see steps 4 through 6)
   • Direct Internet and/or Preferred Exit Location (see steps 9 through 13)
4. Click SD-WAN to select the SD-WAN route path for forwarding traffic, and then enter information for the following fields. Note that in Releases 11.3.2 and earlier, you configure the forwarding profile on a single screen.
   
   
    

   Field	Description
   Priority	Select the path priorities based on WAN connection names, types, or remote site names: 1 through 8 Avoid—Configure the path as one to avoid. An avoided path is not used even if it is the only available path. If the only available paths are configured as avoid, traffic is dropped. Last Resort—Use the when all other paths are down. As an example, you can configure a last resort so as not to use LTE paths when other paths are available.
   Connection Mode	Select the connection mode: Name Type
   Local	If you select the Name WAN connection mode, select a WAN connection name on the local branch: Internet-1 Internet-2 If you select the Type WAN connection mode, select a WAN connection type on the local branch: Broadband LTE MPLS
   Remote	If you select the Name WAN connection mode, select a WAN connection name on the remote branch: Internet-1 Internet-2 If you select the Type WAN connection mode, select a WAN connection type on the remote branch: Broadband LTE MPLS

5. To add another path with the same priority value, click the Plus icon. To remove a path within the same priority value, click the Minus icon.
6. To add a path with a different priority value, click Add Priority, and perform Steps 4 and 5.
7. Select Connection Priority for Unconfigured Paths.
8. Click Direct Internet and/or Preferred SD-WAN Exit Location to select a direct internet preferred exit location route type, and then enter information for the following fields.
   
   
    

   Field	Description
   Next-Hop Selection Method	Select how to choose the next hop for DIA traffic: Automatic—Select the next hop that provides the best performance based on passively collected performance metrics. High-Available Bandwidth—Use high-available bandwidth to load-balance DIA traffic among equal priority next hops. Load Balance—Perform equal-cost load balancing among all active next hops at the highest priority level using SLA monitoring and SLA-based path selection metrics. Weighted Round-Robin—Use WRR to load-balance DIA traffic between equal priority next-hops.
   Next-Hop Failure Action	Select the action to take when none of the configured next hops is deemed reachable: Failover—Fall back to routing-based path selection. Next Rule—Fail over to the next matching rule. Wait Recover—Wait for this rule to recover at least one next hop.
   Session Pinning to DNS Path	Slide the toggle button to pin all sessions between a client and server to the path of the DNS query that resolved the server.

9. Click Next-Hop Priority, and then click Add Route Path. Enter information for the following fields.
   
   
    

   Field	Description
   Priority	Select a next-hop priority value. Range: 1 through 15
   Path Type	Select a path type: Preferred SD-WAN Exit Location—Select the traffic path in the SD-WAN VPN network where the next hop or exit location is a branch, gateway, or hub. Direct Internet—Select the WAN circuit for internet breakout traffic at the branch.
   Preferred SD-WAN Exit Location (Group of Fields)
   Exit Location	Select the branch as an exit location.
   SLA Monitor	Select the SLA Monitor created under the Monitor. See Configure SaaS Application Monitors.
   Maximum Latency	Enter a value for the maximum traffic latency, in milliseconds.
   Maximum Packet Loss	Enter a percentage value for the total combined forward and reverse packet loss.
   Direct Internet (Group of Fields)
   WAN Connection	Select the WAN connection.
   Next-Hop Address	Enter the next-hop address.
   Reachability Monitor	Select the reachability monitor.
   SLA Monitor	Select an SLA nonitor that you created under the Monitor. See Configure SaaS Application Monitors.
   Maximum Latency	Enter a value for the maximum traffic latency, in milliseconds.
   Maximum Packet Loss	Enter a percentage value for the total combined forward and reverse packet loss.

10. Click SD-WAN Path Priority, and then click Add Priority. Enter information for the following fields.
    
    
     

    Field	Description
    Priority	Select the path priorities based on WAN connection names, types, or remote site names: 1 through 8 Avoid—Configure the path as one to avoid. An avoided path is not used even if it is the only available path. If the only available paths are configured as avoid, traffic is dropped. Last Resort—Use the when all other paths are down. As an example, you can configure a last resort so as not to use LTE paths when other paths are available.
    Connection Mode	Select the connection mode: Name Type
    Local	If you select the Name WAN connection mode, select a WAN connection name on the local branch: Internet-1 Internet-2 If you select the Type WAN connection mode, select a WAN connection type on the local branch: Broadband LTE MPLS
    Remote	If you select the Name WAN connection mode, select a WAN connection name on the remote branch: Internet-1 Internet-2 If you select the Type WAN connection mode, select a WAN connection type on the remote branch: Broadband LT MPLS

11. To add another path with the same priority value, click the Plus icon. To remove a path within the same priority value, click the Minus icon.
12. To add a path with a different priority value, click Add Priority, and perform steps 3 and 4.
13. Click Next. In the Step 2, Service Level Agreement (SLA) screen, enter information for the following fields.
    
    
     

    Field	Description
    Maximum Latency	Enter a value for the maximum traffic latency (delay). The link latency is a two-way measurement. Range: 1 to 1000 milliseconds Default: None
    Low Latency	Slide the toggle button to select a path based on the lowest latency.
    Maximum Jitter	Enter a value for the forward and reverse delay variation (jitter). Range: 1 to 100 milliseconds Default: None
    Low Jitter	Slide the toggle button to select a path based on the lowest delay variation (jitter).
    Maximum Packet Loss	Enter a percentage value for the total combined forward and reverse packet loss. Range: 1 to 100 percent Default: None
    Low Packet Loss	Slide the toggle button to select a path based on the lowest packet loss.
    Maximum Transmit Utilization	Enter the percentage of a circuit's available bandwidth to use to transmit traffic. Range: 1 to 100 percent Default: None
    Maximum Receive Utilization	Enter the percentage of a circuit's available bandwidth to use to receive traffic. <Range: 1 to 100 percent Default: None
    Connection Selection Method	Select how to forward a traffic flow when multiple available WAN paths have the highest priority. For example, if there are two paths at priority 1 and one path at priority 2, one of the priority 1 paths is chosen. High available bandwidth—Use the circuit with the highest available bandwidth. Continuing with the example in the previous bullet, because the available bandwidth on WAN2 is higher, this link would be used. Path high available bandwidth Path weighted round-robin Weighted round-robin—Use WRR, which balances flows across paths proportional to their available bandwidth. This is the default connection selection method. Default: WRR
    Recompute Timer	Enter how often to re-evaluate the SLA-compliance state of all paths. If the re-evaluation identifies an SLA violation on a circuit, the traffic is switched to a different circuit. Range: 5 through 1800 seconds Default: 300 seconds
    Mean Opinion Score (MOS)	Enter a mean opinion score for audio, video, and voice traffic. Mean opinion score is a measure of the quality of voice data traffic, and it represents the user experience of audio, video, and voice applications. Voice data is always compressed using a codec before it is transmitted, and so the MOS score can vary for the voice data on the same link depending on the codec. Range: 0 to 5, where 5 represents the best traffic quality Default: None
    Enable Gradual Migration	Click the toggle button to enable gradual migration.
    Enable SLA Violation Damping	Click the toggle button to enable gradual migration. Select this option to associate the recompute interval value with the damping interval value. If you do not enable SLA violation damping, the SLA compliance of a path is checked every recompute interval.
    SLA Smoothing Interval	Enter the SLA smoothing interval, in seconds. Range: 10 through 300 seconds Default: 120 seconds
    SLA Violation Damping Interval	Enter the SLA violation damping interval, in seconds. Range: 10 through 300 seconds

14. Click Next. In the Step 3, Path Conditioning screen, enter information for the following fields.
    
    
     

    Field	Description
    Forwarding Error Correction (FEC) (Group of Fields)
    Enable FEC	Click the toggle button to enable FEC. Default: Disabled
    Send FEC Packet To	Select the circuit on which to send FEC parity packets: Alternate circuit—Send FEC parity packets on a WAN interface that is not an interface on which data packets are transmitted. This is the default. If an alternate circuit is unavailable, FEC parity packets are sent on the same circuit as data packets. Same circuit—Send FEC parity packets on the same WAN interface used to transmit data packets. Default: Alternate circuit
    Duplicate FEC Packet	Select how to duplicate FEC parity packets: Alternate circuit—Duplicate FEC parity packets and send them on a WAN interface that is not an interface on which data packets are transmitted. Disable—Do not duplicate FEC parity packets. This is the default. Same circuit—Duplicate FEC parity packets and send them on the same WAN interface used to transmit data packets. Default: Disable
    Number of Data Packets per FEC Packets	Enter the number of data packets after which an FEC packet is generated and sent to the peer branch. The generated FEC parity packet can recover a packet on the peer branch only if there is one lost packet in the specified number of packets per FEC. Range: 1 through 32 Default: 4
    Start When	Select when to start sending FEC parity packets: Always SLA violated—When all available paths are SLA violated
    Stop When	Click to set the circuit utilization threshold at which to stop sending FEC parity packets.
    Circuit Utilization	When you enable Stop When, enter the utilization threshold at which replication stops automatically. Specify this as a percentage of the total circuit bandwidth. When the circuit utilization of the links used for data packets or FEC parity packet transmission exceeds this threshold, FEC stops. Range: 1 through 100 percent Default: None
    Packet Replication (Group of Fields)
    Enable Packet Replication	Click the toggle button to enable packet replication. Default: Disabled
    Replication Factor	For each ingress packet, define the number of egress packets to send. Range: 2 through 4
    Start When	Select when to start replication automatically: Always SLA violated—When all available paths do not meet configured SLA threshold
    Stop When	Click to enable using a circuit utilization threshold value to stop packet replication.
    Circuit Utilization	When you enable Stop When, enter the circuit utilization threshold at which replication stops automatically. Specify this as a percentage of the total circuit bandwidth. When the circuit utilization exceeds this threshold value, packet replication stops automatically. Range: 1 through 100 percent Default: None

15. Click Next. In Step 4, Permissions screen displays, showing the default roles and their inherited permissions.
    
    
16. If desired, change the permissions by selecting a new permission level for each role.
17. Click Next to go to Step 5, Review and Submit screen.
    
    
18. In the General section, enter a name for the forwarding profile. Optionally, enter a description and add tags for the profile.
19. Click Edit next to any section to make changes.
20. Click Save.

Add a TCP Optimization Application Element

For Releases 11.3.1 and later.

TCP optimizations mitigate the effects of high latency and packet loss on the performance of TCP-based applications. The optimizations are based on a TCP proxy architecture in which one or more VOS devices in a network path between a client and server split the TCP connection into two. One connection faces the client and one faces the server, with the VOS devices acting as TCP proxies for each of the split network segments. The optimizations can be done in one of the following modes:

• Dual-ended mode—TCP connection is split between two peer VOS devices in the network path
• Single-ended mode—TCP connection is split independently on one or more VOS devices in the network path

After you create a new TCP optimization application element, you can use it when configuring traffic-steering rules.

To add aTCP optimization application forwarding profile element:

1. Go to Configure > Profile Elements > Elements > Application.
   
   
    
2. Select TCP Optimization Profile. The screen displays already configured TCP optimization profiles.
   
   
    
3. Click + TCP Optimization Profile. In the Create TCP Optimization Profile screen, enter information for the following fields.
   
   
    

   Field	Description
   Name	Enter a name for the TCP optimization profile.
   Maximum TCP Send Buffer	Enter the maximum size of the TCP send buffer. Setting the buffer size limits TCP memory consumption. Range: 64 through 16384 KB Default: 4096 KB
   Maximum TCP Received Buffer	Enter the maximum size of the TCP receive buffer. Setting the buffer size limits TCP memory consumption. Range: 64 through 16384 KB Default: 4096 KB
   TCP Congestion Control	Select the congestion control algorithm to use: BBR congestion control algorithm—Bottleneck bandwidth and round-trip propagation time measures both the largest amount of recent bandwidth available to a connection and the connection's smallest recent round-trip delay. BBR then uses these metrics to control how fast it sends data and how much data it allows to be sent at any given time. Cubic congestion control algorithm—An algorithm that uses a cubic function instead of a linear window increase function to improve scalability and stability for fast and long-distance networks. This is the default. New Reno congestion control algorithm—An algorithm that responds to partial acknowledgments. Default: Cubic congestion control algorithm.
   TCP Loss Detection	Select the method to use to detect TCP packet loss: Duplicate ACKs—Loss detection based on duplicate acknowledgements. Duplicate acknowledgements mean that one or more packets have been lost in a TCP stream and the connection is attempting to recover them. They are a common symptom of packet loss. Recent acknowledgment (RACK). RACK uses the notion of time, instead of packet or sequence counts, to detect losses. Default: Duplicate ACKs
   TCP Loss Recovery	Select the method to use to recover lost TCP packets: Pipe algorithm—Perform TCP loss recovery as described in RFC 6675. This is the default. Proportional rate reduction—Perform TCP loss recovery as described in RFC 6937. Default: Pipe algorithm
   TCP Hybrid Slow/Start	Click to enable TCP hybrid slow start. Hybrid slow start maintains the TCP slow-start mechanism, which probes network bandwidth and gradually increases the amount of data transmitted until it finds the network's maximum carrying capacity. It also provides a mechanism to help TCP slow-start to exit without incurring a large number of lost packets. By default, hybrid slow start is disabled. Default: Disabled
   Rate Pacing	Click to enable rate pacing. Rate pacing injects packets smoothly into the network, thereby avoiding transmission bursts, which could lead to packet loss. By default, rate pacing is disabled. Default: Disabled
   Automatic Rate-Pacing Limit	Click to enable rate pacing. Rate pacing injects packets smoothly into the network, thereby avoiding transmission bursts, which could lead to packet loss. By default, rate pacing is disabled. Default: Disabled
   Tags	Enter one or more tags. A tag is an alphanumeric descriptor, with no white spaces or special characters, that you can use to search the objects.

4. Click Next, or select the Permissions tab and update the permissions as needed.
5. Click Save.

Reference a TCP Optimization Application Element in a Traffic-Steering Rule

For Releases 11.3.1 and later.

1. Go to Configure > Profile Elements > Rules > Applications > Traffic Steering.
   
   
    
2. Click + Traffic Steering.
   
   
    
3. In the Create Traffic Steering Rule screen, enter a name for the rule.
   
   
    
4. Select the Criteria tab, and the add the desired criteria. For more information, see Configure Traffic-Steering Policies and Rules, above.
   
   
5. Click the Actions tab, and then enter information for the following fields.
   
   
   
    

   Field	Description
   Type Flow	Select the flow type action: Allow Drop. If you select Drop, no other actions can be taken.
   Type Log	Under Events, select one of the following: Never—Do not send logs. Priority Change—Send logs only when the traffic priority changes. SLA Violated—Send logs only when the traffic violates the SLA.
   Forwarding Profile (Group of Fields)
   Name	Enter a name for the forwarding profile.
   Term Type	Select a term type: Connection Priority Path Conditioning SLA
   Connection Priority	Create path priorities based on WAN connection names, types, or remote site names. The WAN connection name and type can be local, remote, or both.   For Path Type Enterprise: Connection Mode Name—Select Internet-1 or Internet-2 from the first drop-down list, and then select Any (default), Local, or Remote from the second drop-down list. Type—Select Broadband, MPLS, or LTE, and then select Any (default), Local, or Remote from the second drop-down list. Exit Location—Currently not supported.   For Path Type Direct Internet: Name—Select Internet-1 or Internet-2. Application Monitor—Select an application monitor. Add Connection Mode—Click to add an additional connection mode. Avoid—If Guest is enabled, this VPN does not participate in the SD-WAN topology and only Direct Internet Access is provisioned.
   Path Conditioning	Set level of FEC and packet replication: Aggressive Moderate Standard
   SLA	SLA—Select the SLA by criteria or based on absolute metrics.   If you select Custom, enter information for the following fields: Latency—Enter the amount of latency in milliseconds (ms). Range: 1 through 1000 milliseconds Packet Loss—Enter the percentage of packet loss allowed. Jitter—Enter the amount of jitter allowed, in milliseconds. Range: 1 through 100 milliseconds Transmit Utilization—Enter the percentage of transit traffic. Receive Utilization—Enter the percentage of received traffic.
   Add Term	Click to add additional forwarding profile terms.
   TCP Optimization Profile (Group of Fields)
   Mode	Select the TCP optimization mode: Auto—Detect which VOS device is closest to the client and which is closest to the server (peer discovery) Bypass—Disable TCP optimizations. Forward proxy—Optimize data being sent from clients to servers. You configure this option on the VOS device closer to the client. Proxy—Configure a single VOS device to be a proxy for the TCP connection instead of performing end-to-end peer discovery. Reverse proxy—Optimizes data being sent from servers to clients. You configure this option on the VOS device closer to the server. Splice—Split the TCP connection locally after an application or URL category is identified or when the VOS device receives the first data packet after the three-way handshake completes.
   Bypass Latency Threshold	If you select TCP Auto or Splice mode, enter how much latency must be measured before TCP optimizations begin. Range: 0 through 60000 milliseconds Default: 10 milliseconds
   LAN Profile	Select a LAN profile. For proxy mode, you must configure a TCP profile. Note that you can select the same TCP profile for LAN profiles and WAN profiles. If you do not select TCP profiles, a system default LAN profile is applied that uses the cubic congestion control algorithm and duplicate ACK loss detection.
   WAN Profile	Select a WAN profile. For proxy mode, you must configure a TCP profile. Note that you can select the same TCP profile for WAN profiles and LAN profiles. If you do not select TCP profiles, a system default WAN profile is applied that uses the BBR congestion control algorithm and RACK loss detection.

6. Click Next, or select the Permissions tab and update the permissions as desired.
7. Click Save.

Configure Security Actions

To configure a security actions profile element:

1. Go to Configure > Profile Elements > Elements > Security > Security Actions.
   
   
   
   The following screen displays.
   
   
    
2. Click + Add Security Actions. The Add Security Actions screen displays.
3. Select Step 1, Define Security Action, and then enter information for the following fields.
   
   
    

   Field	Description
   Security Action Type	Select a security action type: All CASB Decryption DNS Intrusion Prevention System (IPS) IP Filtering URL Filtering (URLF)
   Action	Select an action: Allow—Forward the current packet without generating an entry in the log. Drop Packet—Browser waits for a response from the server and then drops the packets. Drop Sessions—Browser waits for a response from the server and then drops the session. Reset Client—TCP Reset packet is sent to the client and the browser displays an error message indicating that the connection has been reset. Reset Client and Server—TCP Reset packet is sent to the server. The browser waits for a response from the server and then drops the session. Block—Present an alert page to the user and block the user from continuing, in case of HTTP/HTTPS. Inform—Browser presents an information page that allows the user to continue with the operation by clicking OK. Ask—Browser presents an information page that allows the user to either cancel the operation by clicking Cancel, or continue with the operation by clicking OK. Justify—Browser presents an information page that allows the user to either cancel the operation by clicking Cancel, or continue with the operation after entering a justification message and clicking OK. Override—Browser prompts the user to enter a PIN (4 to 6 digits). Custom Redirection—Browser redirects the user to the URL configured in the Redirection URL field. Sinkhole—A DNS sinkhole spoofs DNS servers to prevent the resolution of the host names associated with URLs. And returns a false IP address to the URL, thus blocking a DNS sinkhole.
   Decrypt Bypass	(For all security types except CASB.) Click the slider bar to disable SSL encryption for matching traffic, to allow you to define web sites that are not subject to decryption. SSL encryption for matching traffic is enabled by default.
   Log Captive Portal Actions	(For all security types except CASB.) Click the slider bar to enable the logging of captive portal actions. Logging of captive portal actions is disabled by default.
   Expiration Time	(For the security types IP Reputation and URL Filtering.) Enter how often to redirect a user to the URL, in minutes.
   Message	(For the security types IP Reputation and URL Filtering.) Enter a message to display on the captive portal page.

4. Click Next to go to Step 2, Name, Description, and Tags, and then enter information for the following fields.
   
   
    

   Field	Description
   Name (Required)	Enter a name for the security action.
   Description	Enter a text description.
   Tags	Enter one or more tags. A tag is an alphanumeric text descriptor with no spaces or special characters that you use for searching tunnels.

5. Click Save.

Configure URL Categories

To configure a URL categories profile element:

1. Go to Configure > Profile Elements > Elements > Security > URL Categories.
   
   
   
   The following screen displays.
   
   
    
2. Click + Add URL Categories.
3. In the Add URL Categories screen, select Step 1, URL Patterns, and then enter information for the following fields.
   
   
    

   Field	Description
   Patterns	Enter a URL pattern to match and group the URLs. You can include regex patterns. For example, you can use the pattern www.versa-networks.com, or you can use a wildcard such as *.versa-networks. To include a backslash (\) in the regex pattern, escape it by preceding it with a backslash.
   Reputation	Select a predefined reputation, and then assign it to the URL match pattern.

4. Click Next. In Step 2, URL Strings, enter information for the following fields.
   
   
    

   Field	Description
   String	Enter a URL string to match the URL, for example, www.versa-networks.com.
   Reputation	Select a predefined reputation, and then assign it to the URL string.

5. Click Next. In Step 3, URL Files, enter information for the following fields.
   
   
    

   Field	Description
   URL Files	Select a URL file.
   Add New File	Click to add a new URL file. The Upload File popup window displays.   Enter the name of the file to upload or click Browse to select the file. The file must be in .csv format Click Upload.

6. Click Next. In Step 4, Enter Name, Description, and Tags, enter information for the following fields.
   
   
    

   Field	Description
   Name (Required)	Enter a name for the URL category. This name is displayed in the category list when defining the URL-filtering policies and in the match criteria for URL categories in policy rules.
   Description	Enter a text description for the URL category.
   Tags	Enter one or more tags for the URL category. A tag is an alphanumeric text descriptor with no spaces or special characters that you use for searching URL categories.

7. Click Save.