Management Center Policies are not enforced to the Cloud

Article ID: 170671

Products

Management Center, Web Security Service - WSS

Issue/Introduction

After you complete the integration of the Web Security Service (WSS) with Management Center, custom and default policies pushed to WSS are not applied. For example, categories blocked by default on G3, such as "Proxy Avoidance", are not blocked. This happens even if you receive the "You are protected" message from test.threatpulse.com.

Cause

  • The policies have been declared only with "Appliance" enforcement, and no policy has "Universal" or "WSS" enforcement.
  • Because WSS's own policy engine is disabled after the integration, declaring only "Appliance" policies pushes an empty policy to WSS, so nothing is filtered or blocked, including the default rules mentioned earlier.

Note: Keep in mind that a policy needs to be defined for SSL Interception to be performed by WSS. Otherwise, rules dependent on SSL Interception will not work in the Cloud policy.

Environment

Deployment with ProxySG and Unified Agent. The issue is observed after switching Unified Agent to an unprotected network (without ProxySG or other access methods) to test it in Active mode status.

Resolution

  1. Change the enforcement on Management Center's policies so that the desired policies are set to either "Universal" or "WSS".
  2. Save the policy and go to the "Target" tab.
  3. Select WSS as the target.
  4. Click "Analyzer".
  5. Click "Analyze in Production" to verify that the policy can be pushed to the Cloud. If no problem arises, continue with the normal procedure by pressing "Install to target". (Make sure that other unintended targets, such as other ProxySGs or WSS instances, are not selected.)