How to Troubleshoot CASB Gatelet Traffic Inspection through WSS.


Article ID: 211700


Products

CASB Gateway

Issue/Introduction

Gatelet activity should be seen in Investigate. The following document provides some general insight from the WSS perspective.

Resolution

Check the WSS/CASB perspective from within the ThreatPulse portal.

Activated gatelets in WSS are seen here: Policy, CASB Gatelets.

If the gatelets are not available, make sure the product is integrated and that Symantec support has activated WSS sync with the CASB Gateway.

To check the CloudSOC activation, see Account Configuration, Products & Licensing, CloudSOC Gateway.

Check the Report Center logging for gatelet-aware SaaS traffic: Report Center, Web Browsing per Site or Full Logs, or similar options.

If no SaaS traffic exists, check whether gatelets are enabled.

If gatelets are enabled, SaaS traffic can be steered away from WSS. Check the on-prem firewall and proxy configuration for both the WSSAgent traffic and the gatelet traffic. Verify that the URLs and IPs for WSS and the SaaS URLs are properly whitelisted. See WSS-ingress whitelisting, and verify the SaaS traffic is not being sent through the local proxy or blocked at the firewall.

Collect a SymDIAG of the machine while replicating the problem with the gatelet SaaS, e.g. o365. Test with more than one gatelet to make sure the problem is not gatelet specific.

The SymDIAG will also capture a pcap of the traffic from the workstation.

If you're using the full version of WSS, browsing to pod.threatpulse.com will state whether the traffic is protected. The WSS-lite agent will not report the traffic as protected, because only the gatelet traffic is protected and not all traffic.

From the audit datasource in CloudSOC, check the WSS datasource to see whether gatelet SaaS traffic is detected, e.g. o365, box, etc.
