Views:

Use the rule simulator to test and validate rules, and see how your internet access rules respond to specific traffic scenarios before deploying changes to a production environment.

The rule simulator tests how your internet access configurations and rules respond to a specified traffic scenario, helping you identify and fix issues before they affect your production environment.
The rule simulation feature is a static policy evaluation tool that analyzes whether a given request matches configured rules based on request attributes such as URL, user, time, and location. It does not execute the full scanner pipeline. As a result, runtime behaviors that depend on actual traffic interception, network negotiation, or dynamic analysis are not supported.
Limitations
The simulation has the following limitations:
  • Only HTTP and HTTPS protocols are supported.
  • Cloud app action filtering is not evaluated.
  • Decryption results may differ between the simulation and a production environment.
  • Certain circumstances trigger forced HTTPS decryption in production environments, but are not supported in simulation:
    • Roaming users (access from browser): In production environments, the SWG may receive HTTPS traffic from public IP addresses without user authentication. In such cases, the scanner must force-decrypt the traffic to extract request details for policy evaluation. This scenario is not supported in simulation because the simulation API requires a user identity field.
    • Block action in connect stage: Since simulation only evaluates policy matching without presenting block pages to end users, forced HTTPS decryption for block page rendering is not implemented in the simulation feature.
  • The following runtime behaviors are not supported in simulation:
    • TLS/SSL certificate validation and pinning
    • Forced HTTPS decryption and man-in-the-middle interception
    • Block page rendering and injection
    • Authentication challenges and redirects
    • HTTP redirect following (301, 302, 307, 308)
For HTTPS traffic:
  • All certificates are treated as valid.
  • TLS decryption is always treated as successful once started.
  • The target URL is always treated as reachable. DNS resolution failures and server errors are not simulated.
  • The SNI value is assumed to be identical to the hostname in the target URL, and is transmitted in plaintext.

Procedure

  1. Go to Secure Access RulesInternet Access and click Rule Simulator.
    The Rule Simulator panel appears.
  2. Specify the details of the traffic scenario to simulate.
    Field
    Description
    URL (required)
    The destination URL to test. Must use HTTP or HTTPS.
    User / IP address (required)
    The user email address or public IP address to specify the source of the simulated request.
    Endpoint
    The endpoint device to associate with the request. When specified, the simulation runs from the perspective of a module user with the Secure Access Module installed. When left as Not specified, the simulation runs from the perspective of a browser user.
    Source location
    The gateway or network location to simulate as the source of the request. Leave as Not specified to omit location-based matching.
    Date/Time
    The date and time to use for the simulation. If not specified, the current date and time is used. Useful for testing time-based rules.
  3. Click Simulate.
    The simulator evaluates the scenario against your internet access rules in priority order and displays the results. Each check shows whether the scenario matched or did not match. The simulation stops at the first matching rule.
    The results include the following checks:
    • Allow List and Deny List: Whether the URL appears in your configured allow or deny lists.
    • HTTPS Inspection: Whether any HTTPS inspection rules matched.
    • Internet access rules: The priority-ordered evaluation of your configured rules, showing which rule matched and the action applied to the traffic.