Integrated WSS with Cloud DLP solution
When WSS sends the traffic to DLP for inspection, the DLP logs confirm that the policy is triggered, but no block page is shown to the user.
The user sees a spinning wheel (highlighted below) but has no idea why the upload failed.
I have tried on dlptest.com; it keeps on trying to upload but shows no error. Attached is the HAR file for that.
WSS agent used to connect to WSS
DLPTEST.COM used to test DLP policies
The web application used to upload the file is not rendering the correct response from WSS.
Proxy HTTP logs confirm that WSS blocked the upload operation, a status it got from the DLP server, and include the correct exception ID and action (highlighted below):
$ grep POST logdownload-12345-2021-06-22T1* |grep dlp
logdownload-12345-2021-06-22T17-8937617123625782696.csv:"2021-06-22","17:02:07","667","84.120.28.48","BCOM\neil","-","data_leak_denied","DENIED","""null""","http://dlptest.com/http-post/","200","TCP_DENIED","POST","-","http","dlptest.com","80","/wp-admin/admin-ajax.php","-","php","""Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.101 Safari/537.36 Edg/91.0.864.48""","192.168.3.87","12893","22181","yes","-","client","DLPTest","none","35.209.241.59","""United States""","ICAP_REPLACED","-","ICAP_NOT_SCANNED","-","Ireland","3","XMLHttpRequest","DP3-GIEDU1_proxysg4","None","-","-","0","-","30850","-","-","-"
The HAR file from the operation confirms that WSS sends the exception information back to the browser:
<!-- ### Exception specific page content ### -->
<div class="content">
<H2 id="lang-summary">WARNING - ACTION DENIED</H2>
<div class="warning">
<p>
<span id="lang-details">
<p><b>Exception details:</b></p>
<ul>
<li><span class="c1">Denied URL:</span> http://dlptest.com/wp-admin/admin-ajax.php</li>
<li><span class="c1">Browser query:</span> POST http://dlptest.com/wp-admin/admin-ajax.php HTTP/1.1</li>
</ul>
</span>
</p>
</div>
</div>
<!-- ### Report on generic details ### -->
<div class="content">
<p><b>Generic user details:</b></p>
<ul>
<li><span class="c1">Your IP address:</span> 84.120.28.48</li>
<li><span class="c1">Your username:</span> <span class="c2">BCOM\neil</span><span id="group-id" class="hidden">group(s): </span></li>
<li><span class="c1">Current date/time:</span> [22/Jun/2021:17:02:07 +0000] (GMT)</li>
<li><span class="c1">User-Agent:</span> Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.101 Safari/537.36 Edg/91.0.864.48</li>
</ul>
</div>
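To run the same check against another HAR capture, the script below lists every request whose response body is the exception page and flags those made as background XHR/fetch calls, which the browser hands to page script instead of rendering. It is an added example, not part of the original article or of WSS; the sample HAR is constructed, and the use of the X-Requested-With header and the DevTools _resourceType field to identify background requests is an assumption.

```python
import base64

# Marker text taken from the exception page shown in the HAR excerpt above.
BLOCK_MARKER = "WARNING - ACTION DENIED"

def body_text(content):
    """Return a HAR response body as text, decoding base64 when flagged."""
    text = content.get("text") or ""
    if content.get("encoding") == "base64":
        text = base64.b64decode(text).decode("utf-8", errors="replace")
    return text

def find_unrendered_blocks(har):
    """Return entries whose response body is the proxy exception page."""
    hits = []
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        if BLOCK_MARKER not in body_text(resp.get("content", {})):
            continue
        headers = {h["name"].lower(): h["value"] for h in req.get("headers", [])}
        # A response to XHR/fetch goes to page script and is never rendered
        # by the browser itself. _resourceType is a DevTools extension field
        # (assumed present only in Chromium-based exports).
        background = (headers.get("x-requested-with") == "XMLHttpRequest"
                      or entry.get("_resourceType") in ("xhr", "fetch"))
        hits.append({"method": req["method"], "url": req["url"],
                     "status": resp["status"], "background": background})
    return hits

# Constructed sample HAR (not the attachment from this article).
PAGE_SNIPPET = '<H2 id="lang-summary">WARNING - ACTION DENIED</H2>'
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "http://dlptest.com/http-post/",
                 "headers": []},
     "response": {"status": 200,
                  "content": {"mimeType": "text/html", "text": "<html>form</html>"}}},
    {"_resourceType": "xhr",
     "request": {"method": "POST",
                 "url": "http://dlptest.com/wp-admin/admin-ajax.php",
                 "headers": [{"name": "X-Requested-With",
                              "value": "XMLHttpRequest"}]},
     "response": {"status": 200,
                  "content": {"mimeType": "text/html", "encoding": "base64",
                              "text": base64.b64encode(PAGE_SNIPPET.encode()).decode()}}},
]}}

if __name__ == "__main__":
    for hit in find_unrendered_blocks(SAMPLE_HAR):
        print(hit)
```

For a real capture, load the exported file with json.load and pass the result to find_unrendered_blocks.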
Unfortunately, we are at the mercy of the web application here: it is responsible for rendering the data returned from WSS, and the logic there needs to be tweaked to handle this better.
There are plans to create a notification service that integrates with DLP, but no ETA has been committed yet. It will be similar in operation to the CASB block notification service referenced here.