Verify SSL Interception for a website in Cloud SWG (formerly known as WSS)
Article ID: 175533
Updated On: 09-17-2024
Products
Issue/Introduction
Verify that a website is being SSL intercepted while going through Cloud SWG (formerly known as WSS)
Environment
Cloud SWG (formerly known as WSS)
Resolution
- Verify that SSL Interception is enabled within the Cloud SWG portal under Policy > TLS/SSL Interception.
- Verify that you are not exempting the domain or IP from SSL Interception in the SSL Interception Policy.
- Ensure that you have installed the SSL root certificate within the Trusted Root Certification Authorities certificate store.
- Verify that you are connected to WSS by visiting pod.threatpulse.com.
- Browse to the website that you want to verify is being SSL intercepted. Then, click on the padlock icon in the address bar. Click on Certificate.
- In the Certificate Viewer, Details, you will see the Cloud Services CA. If you see this certificate being used, then the traffic to this website is being SSL Intercepted.
Additional Information
Cloud SWG admins can also check proxy logs in Cloud SWG Portal > Reports > Proxy Log.
SSL/TLS intercepted websites usually show full path of the URL with https protocol(below screenshot). While it only shows "ssl://" or "tcp://" as protocols (no "https://") and does not show full path of the URL in case SSL interception is disabled or did not occur.
In the access logs, you will see lines with 1 of 3 entries:
tcp://
ssl://
https://
What these mean:
tcp:// ...neither Protocol Detection nor SSL decryption has happened
ssl:// ...Protocol Detection has happened (but not SSL decryption)
https:// ...both Protocol Detection and SSL decryption have happened
Feedback
