
How to Troubleshoot CASB Gatelet Traffic Inspection through WSS.


Article ID: 211700


Products

CASB Gateway

Issue/Introduction

Gatelet activity should be seen in CloudSOC Investigate. This document provides general insight from the WSS perspective.

Resolution

Check the WSS/CASB integration from within the WSS ThreatPulse portal.

Activated Gatelets are displayed under Policy (left pane 'script' icon) > CASB Gatelets.

If the Gatelets are not available, make sure the product is integrated and that Symantec support has activated WSS sync with the CASB Gateway.

If the Gatelet was recently activated from CloudSOC, please allow 5-15 minutes for the sync window to complete.

To check the CloudSOC activation, go to Settings ('gear' icon on left pane), Products & Licensing, CloudSOC Gateway.

Check the Report Center logging for Gatelet-aware SaaS traffic: Report Center, Web Browsing per Site or Full Logs, or similar options.

If no SaaS traffic exists, verify that the Gatelets are enabled in the CloudSOC Store (example of enabled Gatelet below).

If the Gatelets are enabled, it could be that your SaaS traffic is being diverted/steered away from WSS. Check the on-prem firewall and proxy configuration for both the WSSAgent traffic and the Gatelet traffic. Verify that the URLs and IPs for WSS and the SaaS URLs are properly whitelisted. See WSS-ingress whitelisting and verify the SaaS traffic is not being sent through the local proxy or blocked at the firewall.

Collect a SymDIAG of the machine while replicating the problem with the Gatelet SaaS, e.g. o365. Test with more than one Gatelet to make sure the problem is not Gatelet specific.

The SymDIAG will also get a pcap of the traffic from the workstation.

If you're using the Full version of WSS, hitting pod.threatpulse.com from a browser will state if the traffic is protected. The WSS-lite agent will not suggest it is protected because only the Gatelet traffic is protected and not all traffic.

From the audit datasource in CloudSOC, check the WSS datasource to see if Gatelet SaaS traffic is detected, e.g. o365, box, etc.

Additional Information

Domains of interest for a Gatelet need to be SSL intercepted so the traffic can be inspected. Broadcom support can help to get a policy trace to verify the traffic is properly intercepted. The domain or URL used for login or upload could be bypassed.
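
A workstation-side check of the SSL interception point above, as an added example (not Broadcom's code or part of the original article): run from the affected machine, it reports whether each domain presents a certificate issued by your SSL interception CA. The marker string, the host name and all function names are assumptions; set the marker to the issuer name on your own interception certificate.

```python
import socket
import ssl

# Assumption: a substring of the issuer name on certificates re-signed by your
# SSL interception CA. Placeholder value; replace it with your own.
INTERCEPT_CA_MARKER = "EXAMPLE-INTERCEPT-CA"


def issuer_names(cert):
    """Flatten the 'issuer' field of ssl.getpeercert() into a list of values."""
    return [value for rdn in cert.get("issuer", ()) for _key, value in rdn]


def classify(cert, marker=INTERCEPT_CA_MARKER):
    """Label a certificate by whether the interception CA issued it."""
    names = issuer_names(cert)
    if not names:
        return "unknown"
    hit = any(marker.lower() in name.lower() for name in names)
    return "intercepted" if hit else "not-intercepted"


def fetch_cert(host, port=443, timeout=5.0):
    """Complete a verified TLS handshake and return the peer certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_domains(hosts, fetch=fetch_cert, marker=INTERCEPT_CA_MARKER):
    """Map each host to intercepted / not-intercepted / an error label."""
    results = {}
    for host in hosts:
        try:
            results[host] = classify(fetch(host), marker)
        except ssl.SSLCertVerificationError:
            # Issuer is not in Python's trust store; this also happens when
            # the interception root is installed only in the OS or browser.
            results[host] = "untrusted-issuer"
        except OSError:
            results[host] = "unreachable"  # DNS, firewall or proxy failure
    return results


if __name__ == "__main__":
    # Constructed host list; substitute the domains your Gatelets cover.
    for name, state in check_domains(["saas.example.com"]).items():
        print(f"{name}: {state}")
```

A "not-intercepted" result for a login or upload domain means the certificate did not come from the interception CA on that path, which is the case a policy trace would then confirm.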
