How to bypass requests from Web Isolation when using WSS Universal Policy Enforcement (UPE).

Article ID: 223313

Products

Web Security Service - WSS

Issue/Introduction

The article below explains how to forward requests from WSS to Web Isolation when policies are managed from Management Center (UPE):

https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/web-security-service/help/about_malware_co/about-upe-webiso.html

This article explains how to exclude (bypass) specific requests from that Web Isolation policy when policies are managed from Management Center.

Resolution

To forward requests from WSS to Web Isolation, the CPL from the article below must be installed in the Management Center VPM (CPL layer):
https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/web-security-service/help/about_malware_co/upe-webiso-pol.html

To bypass specific requests from this policy, add a bypass condition for each of the two match-criteria conditions and reference it, negated, from those criteria. The modified policy is shown below; the additions are the "condition=!Isolation_bypass_..." lines and the two "Isolation_bypass_..." definitions, and the remaining layers of the policy from the linked article are unchanged:

#if enforcement=wss
    ; Match criteria for Isolation. Each line of a condition is an
    ; alternative (OR); triggers on the same line must all match (AND).
    define condition Isolation_CondWebIsolationMatchCriteriaWebAccess
      condition=!Isolation_bypass_WebAccess
      ;url.threat_risk.level=7..10
      ;url.category=("Malicious Outbound Data/Botnets","Suspicious")
      ;url.domain="malicious.com"
      ;authenticated=yes
      ;client.address=192.168.10.0/24
      ;authenticated=yes url.category=("Malicious Outbound Data/Botnets")
    end

    define condition Isolation_CondWebIsolationMatchCriteriaForwarding
      condition=!Isolation_bypass_Forwarding
      ;server_url.threat_risk.level=7..10
      ;server_url.category=("Malicious Outbound Data/Botnets","Suspicious")
      ;server_url.domain="malicious.com"
      ;authenticated=yes
      ;client.address=192.168.10.0/24
      ;authenticated=yes url.category=("Malicious Outbound Data/Botnets")
    end

    ; This should be conditioned but is required for Isolation
    <SSL-Intercept> condition=Isolation_CondWebIsolationMatchCriteriaWebAccess
      ssl.forward_proxy(https)

    ; Requests to exclude from Isolation (url.* triggers). Enable and edit
    ; the lines you need; a condition with no active lines matches nothing.
    define condition Isolation_bypass_WebAccess
      ;url.threat_risk.level=7..10
      ;url.category=("Malicious Outbound Data/Botnets","Suspicious")
      ;url.domain="malicious.com"
      ;authenticated=yes
      ;client.address=192.168.10.0/24
      ;authenticated=yes url.category=("Malicious Outbound Data/Botnets")
    end

    ; The same exclusions for the Forward layer (server_url.* triggers)
    define condition Isolation_bypass_Forwarding
      ;server_url.threat_risk.level=7..10
      ;server_url.category=("Malicious Outbound Data/Botnets","Suspicious")
      ;server_url.domain="malicious.com"
      ;authenticated=yes
      ;client.address=192.168.10.0/24
      ;authenticated=yes url.category=("Malicious Outbound Data/Botnets")
    end
#endif

Define the requests to be bypassed in both conditions: "Isolation_bypass_WebAccess" using url.* triggers and "Isolation_bypass_Forwarding" using the equivalent server_url.* triggers, so that the same exclusion applies wherever the policy evaluates the match criteria.
All of the criteria lines are commented out with a semicolon (;). Choose the ones to enable (delete the ;) and edit each line to fit your policy; a condition whose lines are all commented out matches nothing.
In CPL, each line of a "define condition" is an alternative and the condition matches if any line matches, while triggers on a single line must all match. Place "condition=!Isolation_bypass_WebAccess" (or "...Forwarding") on the same line as each criterion you enable; left on a line of its own, it matches every request that is not bypassed, and the criteria on the other lines no longer restrict what is sent to Isolation.
After installing the policy, confirm from a client in scope that a request matching a bypass line is served directly and that a request matching an enabled criterion is still isolated.
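As a worked example, the policy below is the modified CPL with the commented lines filled in for one concrete case. It is an added example, not code from Broadcom or from the linked article: the internal domain "intranet.example.com" and the subnet 10.20.30.0/24 are assumed values for the bypass list, and the isolation criteria are the threat-risk and category lines from the page. The bypass test is repeated on every enabled criteria line so that it restricts each of them, and the remaining layers from the linked article are assumed to be present unchanged.

```cpl
#if enforcement=wss
    ; Exclusions, written once with url.* triggers (used by the
    ; SSL-Intercept and Proxy criteria) and once with server_url.*
    ; triggers (used by the Forwarding criteria). Values are assumed.
    define condition Isolation_bypass_WebAccess
      url.domain="intranet.example.com"
      client.address=10.20.30.0/24
    end

    define condition Isolation_bypass_Forwarding
      server_url.domain="intranet.example.com"
      client.address=10.20.30.0/24
    end

    ; Isolation criteria. Each line is an alternative (OR); the negated
    ; bypass condition sits on every line so it applies to each (AND).
    define condition Isolation_CondWebIsolationMatchCriteriaWebAccess
      condition=!Isolation_bypass_WebAccess url.threat_risk.level=7..10
      condition=!Isolation_bypass_WebAccess url.category=("Malicious Outbound Data/Botnets","Suspicious")
    end

    define condition Isolation_CondWebIsolationMatchCriteriaForwarding
      condition=!Isolation_bypass_Forwarding server_url.threat_risk.level=7..10
      condition=!Isolation_bypass_Forwarding server_url.category=("Malicious Outbound Data/Botnets","Suspicious")
    end

    ; Interception is required for Isolation; it is limited here to the
    ; same requests that the criteria send to Isolation.
    <SSL-Intercept> condition=Isolation_CondWebIsolationMatchCriteriaWebAccess
      ssl.forward_proxy(https)
#endif
```

With this policy, a request to intranet.example.com or from 10.20.30.0/24 is never isolated regardless of its risk level or category, while any other request with threat risk 7 to 10 or in one of the two categories is intercepted and forwarded to Isolation by the unchanged layers from the linked article.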