All URLs from certain users are categorized as “Uncategorized” and getting blocked when they should be allowed
Article ID: 225309

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Users accessing Cloud SWG services via WSS agents.

For most users everything works as expected: malware detection and policy execution return the expected status.

All Cloud SWG policies defined within Management Center (UPE).

However, a group of users who recently rolled out the WSS agent keep getting blocked, and the custom error page rendered for them indicates that:

  •  every blocked URL is 'Uncategorized', and
  •  every target is an IP address rather than a domain name

The Cloud SWG admin has a force_deny rule that fires as soon as a match is detected, causing evaluation to jump out of the policy layer.

The affected users have a valid DNS server, and every blocked URL resolves successfully via nslookup.

Environment

WSS Agent.

UPE managed Cloud SWG tenant.

force_deny rule implemented when a matching rule is found.

Cause

A negated policy rule caused all requests from the group of users to be blocked at the TCP layer, before the HTTPS proxy could validate the request.

The TCP-layer check failed because the destination IP address was not categorised (which is often the case for destinations identified only by IP address).

Resolution

The existing single policy with negated logic was split into two separate policies.

The original policy checked whether the 'source' user was a member of group X AND was NOT accessing any of the categories in a defined category list. This was turned into two rules:

  • Rule 1: if the 'source' user is a member of group X and is accessing any of the categories in the category list the user is entitled to access, ALLOW; and
  • Rule 2: if the 'source' user is a member of group X, force_deny

Additional Information

HTTP access logs showed that all blocked users were being denied at the TCP (tunnel) level while accessing IP addresses, even though the request should have been evaluated at the HTTPS level:

2023-09-30 15:40:50 "DP2-GIEDU1_proxysg2" 12 10.1.1.1 EXAMPLE\user1 "Group1" Proxy_Denied DENIED "Uncategorized" - 0 TCP_ACCELERATED TUNNEL - tcp #.#.#.# 443 / - - - 192.168.2.85 0 0 - - - - 0 "client" client_connector "none" "none" #.#.#.# "United States" - - - - - none - - - - none - - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - - "None" - "Ireland" 5 - wss-agent architecture=x86_64%20name=Windows%2010%20Enterprise%20version=10.0.18363 9.2.1.14939 x-x-x-x-MACHINE-NAME - - - - - - - - - - y-y-y
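To triage this symptom across a whole access log rather than one line, the following script (an added example, not part of the article or of any Broadcom tooling) flags records that match the pattern above: a DENIED TUNNEL request to a bare IP address whose category is "Uncategorized", grouped by user and group. The field positions are an assumption taken from the single log line shown in the article, and the sample lines are constructed with RFC 5737 placeholder addresses; adjust the positions if your access-log format differs.

```python
import ipaddress
import re

# Field positions, counted from the access-log line reproduced in the article
# (date, time, proxy name, ..., user, group, exception id, action, category,
# ..., cache status, method, ..., scheme, host, port). These positions are an
# assumption based on that one line; adjust them for a different log format.
USER, GROUP, EXCEPTION, ACTION, CATEGORY = 5, 6, 7, 8, 9
METHOD, SCHEME, HOST, PORT = 13, 15, 16, 17

# Matches one double-quoted field or one unquoted whitespace-delimited field.
FIELD_RE = re.compile(r'"[^"]*"|\S+')

# Constructed sample lines modelled on the article's log line. The addresses
# are RFC 5737 documentation placeholders, not real indicators. Lines 3 and 4
# are a normal categorised HTTPS request and a categorised tunnel deny, neither
# of which should be flagged.
SAMPLE_LOG = r'''
2023-09-30 15:40:50 "DP2-GIEDU1_proxysg2" 12 10.1.1.1 EXAMPLE\user1 "Group1" Proxy_Denied DENIED "Uncategorized" - 0 TCP_ACCELERATED TUNNEL - tcp 203.0.113.10 443 / - - - 192.168.2.85 0 0 - - - - 0 "client" client_connector "none" "none" 203.0.113.10 "United States"
2023-09-30 15:41:02 "DP2-GIEDU1_proxysg2" 12 10.1.1.1 EXAMPLE\user1 "Group1" Proxy_Denied DENIED "Uncategorized" - 0 TCP_ACCELERATED TUNNEL - tcp 198.51.100.7 443 / - - - 192.168.2.85 0 0 - - - - 0 "client" client_connector "none" "none" 198.51.100.7 "United States"
2023-09-30 15:41:15 "DP2-GIEDU1_proxysg2" 12 10.1.1.1 EXAMPLE\user2 "Group2" - OBSERVED "Technology/Internet" - 200 TCP_NC_MISS GET - https www.example.com 443 / - - - 192.168.2.90 0 0 - - - - 0 "client" client_connector "none" "none" 192.0.2.44 "United States"
2023-09-30 15:41:20 "DP2-GIEDU1_proxysg2" 12 10.1.1.1 EXAMPLE\user2 "Group2" policy_denied DENIED "Gambling" - 0 TCP_DENIED TUNNEL - tcp casino.example 443 / - - - 192.168.2.90 0 0 - - - - 0 "client" client_connector "none" "none" 192.0.2.45 "United States"
'''


def tokenize(line):
    """Split an access-log line into fields, honouring double-quoted values."""
    return [tok.strip('"') for tok in FIELD_RE.findall(line)]


def is_ip_literal(host):
    """True if the request target is a bare IPv4/IPv6 address, not a hostname."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def is_uncategorised_tunnel_deny(fields):
    """True when a record shows the article's symptom: a DENIED TCP tunnel to an
    IP-literal destination that policy categorised as 'Uncategorized'."""
    if len(fields) <= PORT:
        return False
    return (fields[ACTION] == "DENIED"
            and fields[METHOD] == "TUNNEL"
            and fields[CATEGORY] == "Uncategorized"
            and is_ip_literal(fields[HOST]))


def summarise(log_text):
    """Map (user, group) -> list of 'host:port' destinations denied this way."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = tokenize(line)
        if is_uncategorised_tunnel_deny(fields):
            key = (fields[USER], fields[GROUP])
            hits.setdefault(key, []).append(f"{fields[HOST]}:{fields[PORT]}")
    return hits


if __name__ == "__main__":
    for (user, group), targets in summarise(SAMPLE_LOG).items():
        print(f"{user} ({group}): {len(targets)} uncategorised tunnel denies "
              f"-> {', '.join(targets)}")
```

Run it against an exported access log instead of SAMPLE_LOG to see which users and groups are hitting the deny; if every hit comes from one group and every destination is an IP literal, the negated group rule described in the Cause section is the first thing to check.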


The policy trace showed force_deny being applied to TUNNELED (TCP) requests:

connection: service.name=HTTPS client.address=#.#.#.# (NAT address=10.242.0.8) (effective address=#.#.#.#) proxy.port=443 source.port=15750 dest.port=443
  location-id=0 access_type=client_connector
time: 2021-09-30 16:16:46 UTC
TUNNEL tcp://#.#.#.#:443/
  RDNS lookup was restricted
user: name="EXAMPLE\user1" realm=cloud_realm group-bitset=00000001000000100001100000011 goi-version=145
user: name="EXAMPLE\user1" realm=cloud_realm
authentication start 1 elapsed 0 ms
authorization start 1 elapsed 0 ms
authentication status='none' authorization status='none'
te_user address='F373A2220' te_session address='F373A20A0'
user: authenticated=true authorized=true relative username='User1'
supplier.allowed_countries: all
supplier.failures: -
EXCEPTION(Proxy_Denied): Either 'force_deny' or 'force_exception' was matched in policy
bypass_cache(yes)
  url.category: Uncategorized@Policy;Uncategorized@Blue Coat
    total categorization time: 0
    static categorization time: 0
outbound source IP: #.#.#.#