I'm interested in setting up some maintenance policies. Its possible it won't work in the situations I'm trying to complete, but the two scenarios I'm trying to work with are: Scenario 1: The root of an application is unprotected. There is a single jsp page in the root folder that requires denial of access from an external source. I've attempted to create an explicit denial of access to the page with a redirect to an appropriate page, but it doesn't seem to pick it up. The root context is defined as unprotected. The rule explicitly notes that the specific page is a deny access on any get/put/or post to that specific page. A redirect is set up with an On Auth Reject redirect. Scenario 2: The root of an application is protected with an anonymous auth scheme. We are trying to create a maintenance policy so we can turn it on when the site is down for maintenance. I've created a secondary rule that denies access to the root of the application that is applied in a secondary policy. The policy explicitly states that all IP addresses are blocked when active. I just can't get either one to work properly. I think it might be a function of the unprotected or anonymous auth schemes. Any thoughts?