Investigating and fixing the HTTP "Client.response.code 403" with custom-configured exception triggered

Article ID: 236416

Products

ProxySG Software - SGOS

Issue/Introduction

Investigating and fixing the HTTP "Client.response.code 403" with custom-configured exception triggered

Resolution

The reported issue was an HTTP "403" client response error returned when accessing specific URLs. Only some end users experienced it, while others did not.

To investigate, we asked that the issue be reproduced with the policy rule allowing the "Office/Business Application"-rated URL category for all three websites, plus a rule for the Web Application Controls. Checks confirmed that Microsoft Power BI is a supported web application within ProxySG.

A "client-response-code 403" HTTP error indicates a forbidden, or possibly malformed, HTTP request sent to the ProxySG that it cannot process. It can also mean that the initial GET/CONNECT request for the transaction is rated with a category that is denied in policy; because the configured custom exception specifies that an HTTP "403" code be returned for every site blocked in policy, the HTTP "403" client response code then follows inevitably.

To further isolate the cause of the triggered HTTP error, two captures taken at the time of the transaction would give good insight into the traffic behaviour between the client and the proxy, alongside the policy trace debug: a PCAP from the ProxySG filtered on the test client PC IP address and the reported URLs, and a PCAP from the test client of all traffic leaving its LAN interface.

The issue was then reproduced in the lab for all three URLs; the outputs are shown and described below. For the reproduction, a single Web Access rule was configured allowing only the "Office/Business Applications" and "Technology/Internet" categories. See the snippets below.

With the above policy rule, tests were carried out for all three URLs. While https://app.powerbi.com and https://freedcamp.com were fully successful, the https://doodle.com website returned the reported HTTP "403" client response code for some of its transactions, while its other transactions went through successfully. See the policy trace excerpts for the transactions below.

https://app.powerbi.com
connection: service.name=Explicit HTTP client.address=10.0.200.1 (effective address=10.0.200.1) proxy.port=8080 source.port=51630 dest.port=8080 client.interface=0:0.1 routing-domain=default
  location-id=0 access_type=unknown
time: 2022-03-07 15:51:33 UTC
GET https://app.powerbi.com/test.xxx
rewritten URL(s):
  cache_url=https://app.powerbi.com/test.xxx?bcsi_scan_f454a9c809b1f5c5=OMkIKBNT3bPAkSjOxd/CQKVk+A8BAAAAjRsAAA==
origin server next-hop IP address=192.0.2.1
Referer: https://app.powerbi.com/test142xxx?ru=https:%2f%2fapp.powerbi.com%2f%3fnoSignUpCheck%3d1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/192.0.2.1 Safari/537.36 Edg/192.0.2.1
user: name="SYMCDEMOS\testuser" realm=SYMCDEMOS
authentication start 0 elapsed 0 ms
authorization start 0 elapsed 0 ms
authentication status='none' authorization status='none'
user: authenticated=true authorized=true relative username='testuser'
supplier.ip: 192.0.2.1
supplier.country: United States
supplier.failures: -
verdict: ALLOWED
  url.category: none@Policy;none@IWF;none@YouTube;Office/Business Applications@Blue Coat
    category groups: Business Related@Blue Coat;Technology@Blue Coat
    total categorization time: 0
    static categorization time: 0
  request.header.Referer.url.category: none@Policy;none@IWF;none@YouTube;Office/Business Applications@Blue Coat
    category groups: Business Related@Blue Coat;Technology@Blue Coat
    total categorization time: 0
    static categorization time: 0
  server.certficate.hostname.category: none@Policy;none@IWF;none@YouTube;Technology/Internet@Blue Coat
    category groups: Business Related@Blue Coat;Technology@Blue Coat
    total categorization time: 1
    static categorization time: 1
server.response.code: 200
client.response.code: 200
application.name: Microsoft Power BI
application.operation: none
application.group: Analytics
DSCP client outbound: 65
DSCP server outbound: 65
ICAP RESPMOD Scan Summary: 
  Error code: none
Transaction timing: total-transaction-time 235 ms
  Checkpoint timings:
    new-connection: start 1 elapsed 0 ms
    client-in: start 1 elapsed 0 ms
    server-out: start 1 elapsed 0 ms
    server-in: start 1 elapsed 0 ms
    client-out: start 234 elapsed 0 ms
    access-logging: start 234 elapsed 1 ms
    stop-transaction: start 235 elapsed 0 ms
    Total Policy evaluation time: 1 ms
  url_categorization complete time: 0
  ICAP Response Scan: start 120 delay 0 finish 234
  server connection: start 1
    Server DNS Lookup: start 1 ms
  server connection: connected: 1 first-byte 120 last-byte 120
  client connection: first-response-byte 234 last-response-byte 234
Total time added: 114 ms
Total latency to first byte: 114 ms
   Request latency: 0 ms
  OCS connect time: 0 ms
  Response latency (first byte): 114 ms
   Response latency (last byte): 114 ms
stop transaction --------------------
start transaction -------------------
transaction ID=7052 type=https.forward-proxy
    POST https://mycompany.com/v2/track

For the rule match, as seen in the policy trace debug, please refer to the below.

        <Cache> [layer 15] [vpm-cpl:28]
 MATCH:         response.icap_service(contentanalysis_respmod, fail_open) response.icap_service.secure_connection[contentanalysis_respmod](auto) 
        <Proxy> [layer 16] [vpm-cpl:30]
 MATCH:         response.icap_feedback(trickle_end) 
        <Proxy> [layer 18] [vpm-cpl:38]
 MATCH:         authenticate.force(no) reference_id(PolicyID2_Test) 
        <Proxy> [layer 19] [vpm-cpl:42]
 MATCH:         ALLOW category=("Office/Business Applications", Technology/Internet) authenticated=yes trace.destination("Trace1") 
        <Proxy> [layer 20] [local:5]
  miss:     url.domain=/wpad.dat
  miss:     url.domain=/proxy.pac

 

https://freedcamp.com

connection: service.name=Explicit HTTP client.address=10.0.200.20 (effective address=10.0.200.20) proxy.port=8080 source.port=51680 dest.port=8080 client.interface=0:0.1 routing-domain=default
  location-id=0 access_type=unknown
time: 2022-03-07 15:51:58 UTC
GET https://freedcamp.com/
rewritten URL(s):
  cache_url=https://freedcamp.com/?bcsi_scan_f454a9c809b1f5c5=Y2F6E4lK3+CDWarzVFjdJuyH+nYBAAAAWRwAAA==
origin server next-hop IP address=143.204.167.72
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Edg/99.0.1150.30
user: name="SYMCDEMOS\testuser" realm=SYMCDEMOS
authentication start 0 elapsed 0 ms
authorization start 0 elapsed 0 ms
authentication status='none' authorization status='none'
user: authenticated=true authorized=true relative username='testuser'
supplier.ip: 143.204.167.72
supplier.country: United States
supplier.failures: -
verdict: ALLOWED
  url.category: none@Policy;none@IWF;none@YouTube;Office/Business Applications@Blue Coat
    category groups: Business Related@Blue Coat;Technology@Blue Coat
    total categorization time: 0
    static categorization time: 0
  server.certficate.hostname.category: none@Policy;none@IWF;none@YouTube;Office/Business Applications@Blue Coat
    category groups: Business Related@Blue Coat;Technology@Blue Coat
    total categorization time: 0
    static categorization time: 0
server.response.code: 200
client.response.code: 200
application.name: Freedcamp
application.operation: none
application.group: Collaboration;Project Management
DSCP client outbound: 65
DSCP server outbound: 65
ICAP RESPMOD Scan Summary: 
  Error code: none
Transaction timing: total-transaction-time 310 ms
  Checkpoint timings:
    new-connection: start 1 elapsed 0 ms
    client-in: start 3 elapsed 1 ms
    server-out: start 4 elapsed 0 ms
    server-in: start 4 elapsed 0 ms
    client-out: start 310 elapsed 0 ms
    access-logging: start 310 elapsed 0 ms
    stop-transaction: start 310 elapsed 0 ms
    Total Policy evaluation time: 1 ms
  url_categorization complete time: 3
  ICAP Response Scan: start 183 delay 0 finish 310
  server connection: start 4
    Server DNS Lookup: start 4 ms
    Elapsed downstream https handshake time: 2 ms
  server connection: connected: 4 first-byte 182 last-byte 183
  client connection: first-response-byte 310 last-response-byte 310
Total time added: 128 ms
Total latency to first byte: 129 ms
   Request latency: 1 ms
  OCS connect time: 0 ms
  Response latency (first byte): 128 ms
   Response latency (last byte): 127 ms
stop transaction --------------------
start transaction -------------------
transaction ID=7262 type=https.forward-proxy
transaction handed off from: 7261
    GET https://cdn.freedcamp.com/test/123/v4/css/style.css?version=877

For the rule match, as seen in the policy trace debug, please refer to the below.


        <Proxy> [layer 16] [vpm-cpl:30]
 MATCH:         response.icap_feedback(trickle_end) 
        <Proxy> [layer 18] [vpm-cpl:38]
 MATCH:         authenticate.force(no) reference_id(PolicyID2_Test) 
        <Proxy> [layer 19] [vpm-cpl:42]
 MATCH:         ALLOW category=("Office/Business Applications", Technology/Internet) authenticated=yes trace.destination("Trace1") 
        <Proxy> [layer 20] [local:5]
  miss:     url.domain=/wpad.dat
  miss:     url.domain=/proxy.pac

 

https://doodle.com

With the above URL, the reported issue is clearly reproduced. For this URL, the client generates GET requests for various forbidden/malformed URLs and, in some cases, URLs whose categories are not allowed in the policy, all for the same web request to https://doodle.com. In all of these scenarios the HTTP "403" client response code is returned. Again, this code is returned specifically because the custom exceptions were configured to return it for any URL whose category is denied in the policy; we saw this in your configured custom exceptions during the investigative session. See the trace excerpts collected from the lab work for both scenarios described here.

Note: In all of the scenarios, https://doodle.com is used as a referrer.

GET request generated for forbidden/malformed URL

connection: service.name=Explicit HTTP client.address=10.0.200.20 (effective address=10.0.200.20) proxy.port=8080 source.port=51665 dest.port=8080 client.interface=0:0.1 routing-domain=default
  location-id=0 access_type=unknown
time: 2022-03-07 15:51:51 UTC
GET https://www.mycompanymanager.com/gtm.js?id=GTM-CFKQ
Accept-Language: en-US
Accept-Language: en;q=0.9
Referer: https://mycompany.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Edg/99.0.1150.30
user: name="SYMCDEMOS\testuser" realm=SYMCDEMOS
authentication start 0 elapsed 0 ms
authorization start 0 elapsed 0 ms
authentication status='none' authorization status='none'
user: authenticated=true authorized=true relative username='testuser'
supplier.failures: -
verdict: DENIED: Either 'deny' or 'exception' was matched in policy
  url.category: none@Policy;none@IWF;none@YouTube;Web Ads/Analytics@Blue Coat
    category groups: Business Related@Blue Coat;Commerce@Blue Coat
    total categorization time: 0
    static categorization time: 0
  request.header.Referer.url.category: none@Policy;none@IWF;none@YouTube;Office/Business Applications@Blue Coat
    category groups: Business Related@Blue Coat;Technology@Blue Coat
    total categorization time: 0
    static categorization time: 0
  server.certficate.hostname.category: none@Policy;none@IWF;none@YouTube;Web Ads/Analytics@Blue Coat
    category groups: Business Related@Blue Coat;Commerce@Blue Coat
    total categorization time: 0
    static categorization time: 0
server.response.code: 0
client.response.code: 403
application.name: none
application.operation: none
application.group: none
DSCP client outbound: 65
DSCP server outbound: 65
Transaction timing: total-transaction-time 1 ms
  Checkpoint timings:
    new-connection: start 1 elapsed 0 ms
    client-in: start 1 elapsed 0 ms
    server-out: start 1 elapsed 0 ms
    server-in: start 1 elapsed 0 ms
    client-out-terminated: start 1 elapsed 0 ms
    access-logging: start 1 elapsed 0 ms
    stop-transaction: start 1 elapsed 0 ms
    Total Policy evaluation time: 0 ms
  url_categorization complete time: 0
  server connection: start 1
    Server DNS Lookup: start 1 ms
    Elapsed server DNS Lookup: 1 ms
  server connection: connected 1
  client connection: first-response-byte 0 last-response-byte 1
Total time added: 0 ms
Total latency to first byte: 0 ms
   Request latency: 0 ms
  OCS connect time: 0 ms
  Response latency (first byte): 0 ms
   Response latency (last byte): 0 ms
stop transaction --------------------
start transaction -------------------
transaction ID=7241 type=https.forward-proxy
transaction handed off from: 7240
    GET https://widget.intercom.io/widget/n1aywc8c

For the rule match, as seen in the policy trace debug, please refer to the below.


        <Cache> [layer 15] [vpm-cpl:28]
 MATCH:         response.icap_service(contentanalysis_respmod, fail_open) response.icap_service.secure_connection[contentanalysis_respmod](auto) 
        <Proxy> [layer 16] [vpm-cpl:30]
 MATCH:         response.icap_feedback(trickle_end) 
        <Proxy> [layer 18] [vpm-cpl:38]
 MATCH:         authenticate.force(no) reference_id(PolicyID2_Test) 
        <Proxy> [layer 19] [vpm-cpl:42]
 MATCH:         ALLOW category=("Office/Business Applications", Technology/Internet) authenticated=yes trace.destination("Trace1") 
        <Proxy> [layer 20] [local:5]
  miss:     url.domain=/wpad.dat
  miss:     url.domain=/proxy.pac

The malformed request here is

GET https://www.googletagmanager.com/gtm.js?id=GTM-CFKQ, categorized as Web Ads/Analytics@Blue Coat, which is clearly forbidden and is denied in the policy,

and it was handed off from

GET https://widget.testcom.io/widget/n1aywc8c, categorized as Technology/Internet.

So, the above fully explains why the HTTP "403" client response code was returned. For this specific transaction (https://doodle.com), the client sent a forbidden/malformed HTTP request to the ProxySG and was blocked/denied, with the requisite client response returned.

In a second scenario, we see the below.

connection: service.name=Explicit HTTP client.address=10.0.200.20 (effective address=10.0.200.20) proxy.port=8080 source.port=51640 dest.port=8080 client.interface=0:0.1 routing-domain=default
  location-id=0 access_type=unknown
time: 2022-03-07 15:51:37 UTC
GET https://fonts.googleapis.com/css?family=Fira+Sans:300,400,500,500i,400italic,700,700italic|Caveat+Brush
rewritten URL(s):
  cache_url=https://fonts.googleapis.com/css?family=Fira+Sans:300,400,500,500i,400italic,700,700italic|Caveat+Brush&bcsi_scan_f454a9c809b1f5c5=O76tvOzkr4miuCm5eEC+N3ttUJoBAAAAoRsAAA==
origin server next-hop IP address=142.251.40.74
Referer: https://doodle.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Edg/99.0.1150.30
user: name="SYMCDEMOS\testuser" realm=SYMCDEMOS
authentication start 0 elapsed 0 ms
authorization start 0 elapsed 0 ms
authentication status='none' authorization status='none'
user: authenticated=true authorized=true relative username='testuser'
supplier.ip: 142.251.40.74
supplier.country: United States
supplier.failures: -
verdict: ALLOWED
  url.category: none@Policy;none@IWF;none@YouTube;Technology/Internet@Blue Coat
    category groups: Business Related@Blue Coat;Technology@Blue Coat
    total categorization time: 0
    static categorization time: 0
  request.header.Referer.url.category: none@Policy;none@IWF;none@YouTube;Office/Business Applications@Blue Coat
    category groups: Business Related@Blue Coat;Technology@Blue Coat
    total categorization time: 0
    static categorization time: 0
  server.certficate.hostname.category: none@Policy;none@IWF;none@YouTube;Audio/Video Clips@Blue Coat;Mixed Content/Potentially Adult@Blue Coat
    category groups: Adult Related@Blue Coat;Legal Liability@Blue Coat;Multimedia@Blue Coat;Non-Productive@Blue Coat
    total categorization time: 0
    static categorization time: 0
server.response.code: 200
client.response.code: 200
application.name: none
application.operation: none
application.group: none
DSCP client outbound: 65
DSCP server outbound: 65
ICAP RESPMOD Scan Summary: 
  Error code: none
Transaction timing: total-transaction-time 137 ms
  Checkpoint timings:
    new-connection: start 1 elapsed 0 ms
    client-in: start 2 elapsed 0 ms
    server-out: start 2 elapsed 0 ms
    server-in: start 3 elapsed 0 ms
    client-out: start 136 elapsed 0 ms
    access-logging: start 136 elapsed 1 ms
    stop-transaction: start 137 elapsed 0 ms
    Total Policy evaluation time: 1 ms
  url_categorization complete time: 2
  ICAP Response Scan: start 17 delay 0 finish 136
  server connection: start 2
    Server DNS Lookup: start 2 ms
  server connection: connected: 2 first-byte 16 last-byte 17
  client connection: first-response-byte 136 last-response-byte 136
Total time added: 119 ms
Total latency to first byte: 120 ms
   Request latency: 0 ms
  OCS connect time: 0 ms
  Response latency (first byte): 120 ms
   Response latency (last byte): 119 ms
stop transaction --------------------
start transaction -------------------
transaction ID=7111 type=https.forward-proxy
    GET https://images.ctfassets.net/p24lh3qexxeo/20Rpf1j8gZF923flTIqshv/81dcd4369ba2d1e970f7b62c1e81effc/home_female_quote_1.svg

For the rule match, as seen in the policy trace debug, please refer to the below.

        <Cache> [layer 15] [vpm-cpl:28]
 MATCH:         response.icap_service(contentanalysis_respmod, fail_open) response.icap_service.secure_connection[contentanalysis_respmod](auto) 
        <Proxy> [layer 16] [vpm-cpl:30]
 MATCH:         response.icap_feedback(trickle_end) 
        <Proxy> [layer 18] [vpm-cpl:38]
 MATCH:         authenticate.force(no) reference_id(PolicyID2_Test) 
        <Proxy> [layer 19] [vpm-cpl:42]
  miss:     category=("Office/Business Applications", Technology/Internet)
 MATCH:         DENY trace.destination("Trace1") 
        <Proxy> [layer 20] [local:5]
  miss:     url.domain=/wpad.dat
  miss:     url.domain=/proxy.pac

In this second transaction for https://doodle.com, the malformed GET request is

https://fonts.googleapis.com/css?family=Fira+Sans:300,400,500,500i,400italic,700,700italic|Caveat+Brush, categorized as "Technology/Internet". Though this URL is malformed (incorrect), the connection was established. However, the policy rule did not match the transaction, because during the forward proxy evaluation the transaction was forwarded to https://images.ctfassets.net/p24lh3qexxeo/20Rpf1j8gZF923flTIqshv/81dcd4369ba2d1e970f7b62c1e81effc/home_female_quote_1.svg, another malformed URL, categorized as "Content Delivery Networks". The rule did not match because the "Content Delivery Networks" category was not allowed in the policy.

To fix this and have the policy rule match this specific transaction for https://doodle.com, the "Content Delivery Networks" category was added to the categories allowed by the policy rule. See the resulting transaction in the policy trace excerpt below.


connection: service.name=Explicit HTTP client.address=10.0.200.20 (effective address=10.0.200.20) proxy.port=8080 source.port=52077 dest.port=8080 client.interface=0:0.1 routing-domain=default
  location-id=0 access_type=unknown
time: 2022-03-08 18:49:48 UTC
GET https://images.ctfassets.net/p24lh3qexxeo/6eYKGuYGlGEE9A7dXtnH6F/0d7e088ba0bd1a85be682ae9e0a5f7e3/home_section_1_img_3.svg
origin server next-hop IP address=108.156.211.23
Referer: https://doodle.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Edg/99.0.1150.36
user: name="SYMCDEMOS\testuser" realm=SYMCDEMOS
authentication start 0 elapsed 0 ms
authorization start 0 elapsed 0 ms
authentication status='none' authorization status='none'
user: authenticated=true authorized=true relative username='testuser'
supplier.ip: 108.156.211.23
supplier.country: United States
supplier.failures: -
verdict: ALLOWED
  url.category: none@Policy;none@IWF;none@YouTube;Content Delivery Networks@Blue Coat
    category groups: Business Related@Blue Coat;Technology@Blue Coat
    total categorization time: 3
    static categorization time: 3
  request.header.Referer.url.category: none@Policy;none@IWF;none@YouTube;Office/Business Applications@Blue Coat
    category groups: Business Related@Blue Coat;Technology@Blue Coat
    total categorization time: 1
    static categorization time: 1
  server.certficate.hostname.category: none@Policy;none@IWF;none@YouTube;Content Delivery Networks@Blue Coat
    category groups: Business Related@Blue Coat;Technology@Blue Coat
    total categorization time: 0
    static categorization time: 0
server.response.code: 200
client.response.code: 200
application.name: none
application.operation: none
application.group: none
DSCP client outbound: 65
DSCP server outbound: 65
ICAP RESPMOD Scan Summary: 
  Error code: none
Transaction timing: total-transaction-time 27 ms
  Checkpoint timings:
    new-connection: start 1 elapsed 0 ms
    client-in: start 3 elapsed 1 ms
    server-out: start 4 elapsed 1 ms
    server-in: start 13 elapsed 1 ms
    client-out: start 27 elapsed 0 ms
    access-logging: start 27 elapsed 0 ms
    stop-transaction: start 27 elapsed 0 ms
    Total Policy evaluation time: 3 ms
  url_categorization complete time: 3
  ICAP Response Scan: start 21 delay 1 finish 27
  server connection: start 5
    Server DNS Lookup: start 5 ms
  server connection: connected: 13 first-byte 21 last-byte 21
  client connection: first-response-byte 27 last-response-byte 27
Total time added: 8 ms
Total latency to first byte: 16 ms
   Request latency: 2 ms
  OCS connect time: 8 ms
  Response latency (first byte): 6 ms
   Response latency (last byte): 6 ms
stop transaction --------------------
start transaction -------------------
transaction ID=15863 type=https.forward-proxy
    GET https://images.ctfassets.net/p24lh3qexxeo/6zOwkMlY0uXpZJHxNKUgBN/bb90600b4b9c09f1cf9723a5bdcb5cf4/home_section_1_img_2.svg
        <Proxy@always> [layer 10] [builtin-prolog:142]
 MATCH:         variable.bc_notify1(empty1) variable.bc_notify2(empty2) 
        <Proxy@always ASP_variable_initialization> [layer 11] [policy-services-prolog:179] [is base]
 MATCH:         variable.asp.exemption(false) 
        <Cache@always CSP_variable_initialization> [layer 12] [policy-services-prolog:192] [is base]
 MATCH:         variable.csp.content_exemption(false) variable.csp.respmod_icap_overridden(false) 
        <Cache@trans CSP_variable_initialization> [layer 12] [policy-services-prolog:192] [has base@[always]]
 MATCH:         variable.csp.protection_level_decision("$(config.customer.csp.protection_level)") 
        <Proxy@req-url2 TRL_default_setting_url> [layer 6] [builtin-prolog:94]
 MATCH:         url.threat_risk.level=0..10 variable.url.threat_risk.effective_level("$(url.threat_risk.level)") 
        <Proxy@req-url2 ASP_variable_initialization> [layer 11] [policy-services-prolog:179] [has base@[always]]
 MATCH:         variable.asp.request_violated(false) variable.asp.reason_request(none) variable.asp.security_reason_alog_field_request(none) 
        <Proxy@req-url2 ASP_Security_Eval> [layer 32] [policy-services-epilog:18] [is base]
          [Rule]
 MATCH:         policy.ASP_Strong_Security@req-url2  ; Optimizer: constant true
        <Proxy@req-hdrs TRL_default_setting_referer> [layer 7] [builtin-prolog:100]
 MATCH:         request.header.Referer.url.threat_risk.level=0..10 variable.request.header.Referer.url.threat_risk.effective_level("$(request.header.Referer.url.threat_risk.level)") 
        <Proxy@client-ea-property> [layer 24] [local:71]
 MATCH:         client.effective_address.request("$(request.x_header.X-PolicyTester-IP)") 
        <Proxy@auth-property> [layer 18] [vpm-cpl:38]
 MATCH:         authenticate(symcdemos) authenticate.mode(auto) 
        <Proxy@auth-property> [layer 20] [local:5]
  miss:     url.domain=/wpad.dat
  miss:     url.domain=/proxy.pac
        <Proxy@auth-result> [layer 25] [local:74]
  miss:     request.x_header.X-PolicyTester-Groups.substring=SYMCDEMOS\Allow_FileStorage
        <Proxy@auth-result> [layer 26] [local:79]
  miss:     request.x_header.X-PolicyTester-Groups.substring=SYMCDEMOS\Allow_Games
        <Proxy@auth-result> [layer 27] [local:84]
  miss:     request.x_header.X-PolicyTester-Groups.substring=SYMCDEMOS\Allow_WebMail
        <Proxy@auth-result> [layer 28] [local:89]
  miss:     request.x_header.X-PolicyTester-Groups.substring=SYMCDEMOS\Allow_SocialNetworking
        <Proxy@auth-result> [layer 29] [local:94]
  miss:     request.x_header.X-PolicyTester-Groups.substring=SYMCDEMOS\Executives
        <Proxy@service-req ASP_DSP_request> [layer 33] [policy-services-epilog:27]
  miss:     variable.asp.request_violated=true
        <Proxy@isolation-properties Initialize_isolation_var> [layer 13] [policy-services-prolog:737]
 MATCH:         variable.isolation.add_user("$(x-isolation-add-user)") variable.isolation.add_group("$(x-isolation-add-groups)") variable.isolation.add_xff("$(x-isolation-add-xff)") 
        <Proxy@isolation-properties Initialize_isolation_var2> [layer 14] [policy-services-prolog:793]
 MATCH:         variable.isolation.add_appliance_identifier("$(x-isolation-add-appliance-identifier)") 
        <Forward@serv-conn TRL_default_setting_server_url> [layer 8] [builtin-prolog:106]
 MATCH:         server_url.threat_risk.level=0..10 variable.server_url.threat_risk.effective_level("$(server_url.threat_risk.level)") 
        <Proxy@ssl-int ASP_variable_initialization> [layer 11] [policy-services-prolog:179] [has base@[always]]
 MATCH:         variable.asp.request_so_violated(false) variable.asp.reason_request_so(none) variable.asp.security_reason_alog_field_request_so(none) 
        <Proxy@ssl-int ASP_Security_Eval> [layer 32] [policy-services-epilog:18] [has base@[req-url2]]
          [Rule]
 MATCH:         policy.ASP_Strong_Security@ssl-int  ; Optimizer: constant true
        <Proxy@resp-hdrs ASP_variable_initialization> [layer 11] [policy-services-prolog:179] [has base@[always]]
 MATCH:         variable.asp.strip_active_content(false) variable.asp.response_violated(false) variable.asp.reason_response(none) variable.asp.security_reason_alog_field_response(none) 
        <Proxy@resp-hdrs ASP_Security_Eval> [layer 32] [policy-services-epilog:18] [has base@[req-url2]]
          [Rule]
 MATCH:         policy.ASP_Strong_Security@resp-hdrs  ; Optimizer: constant true
        <Proxy@service-resp ASP_DSP_response> [layer 35] [policy-services-epilog:35]
  miss:     variable.asp.response_violated=true
  miss: <Proxy@audit-properties Populate_asp_action_field_request> [layer 37] [policy-services-epilog:77] variable.asp.request_violated=true
  miss: <Proxy@audit-properties Populate_asp_action_field_so> [layer 38] [policy-services-epilog:80] variable.asp.request_so_violated=true
  miss: <Proxy@audit-properties Populate_asp_action_field_response> [layer 39] [policy-services-epilog:83] variable.asp.response_violated=true
  miss: <Proxy@audit-properties Populate_asp_action_field_active_content> [layer 40] [policy-services-epilog:86] variable.asp.strip_active_content=true
        <Proxy@audit-properties Populate_asp_security_reason_request> [layer 41] [policy-services-epilog:90]
  miss:     variable.asp.security_reason_alog_field_request=!none
        <Proxy@audit-properties Populate_asp_security_reason_so> [layer 42] [policy-services-epilog:92]
  miss:     variable.asp.security_reason_alog_field_request_so=!none
        <Proxy@audit-properties Populate_asp_security_reason_response> [layer 43] [policy-services-epilog:94]
  miss:     variable.asp.security_reason_alog_field_response=!none
        <Cache> [layer 15] [vpm-cpl:28]
 MATCH:         response.icap_service(contentanalysis_respmod, fail_open) response.icap_service.secure_connection[contentanalysis_respmod](auto) 
        <Proxy> [layer 16] [vpm-cpl:30]
 MATCH:         response.icap_feedback(trickle_end) 
        <Proxy> [layer 18] [vpm-cpl:38]
 MATCH:         authenticate.force(no) reference_id(PolicyID2_Test) 
        <Proxy> [layer 19] [vpm-cpl:42]
 MATCH:         ALLOW category=("Content Delivery Networks", "Office/Business Applications", Technology/Internet) authenticated=yes trace.destination("Trace1") 
        <Proxy> [layer 20] [local:5]
  miss:     url.domain=/wpad.dat
  miss:     url.domain=/proxy.pac

So, to fully fix the reported HTTP "403" client response code returned for web requests that trigger the custom-configured exception(s), the categories of the URL in the GET/CONNECT request, of the referrer, of the handed-off traffic and of any forwarded transaction(s) must all be allowed in the relevant policy rule(s).
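As an added example (not part of this article or of SGOS), the Python script below parses policy-trace excerpts in the format shown throughout this article. For each denied or 403 transaction it reports whether the 403 was generated by the proxy (server.response.code 0 alongside client.response.code 403), which transaction handed it off, and which categories on the URL, Referer and server-certificate hostname the ALLOW rule's category list does not cover. The sample trace, its hostnames and the ALLOWED set are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Category fields the article reads off each transaction (spelled as SGOS prints them).
CATEGORY_FIELDS = ("url.category", "request.header.Referer.url.category",
                   "server.certficate.hostname.category")
REQUEST_RE = re.compile(r"^\s*(?:GET|POST|PUT|HEAD|CONNECT)\s+(\S+)")

@dataclass
class Transaction:
    txn_id: str = ""
    request: str = ""
    verdict: str = ""
    server_code: int = -1          # -1: field absent from the excerpt
    client_code: int = -1
    handed_off_from: str = ""      # ID of the transaction this one was handed off from
    categories: dict = field(default_factory=dict)  # field name -> set of category names

def parse_category_list(value):
    """'none@Policy;none@IWF;Web Ads/Analytics@Blue Coat' -> {'Web Ads/Analytics'} ('none' = unrated)."""
    names = {entry.strip().rpartition("@")[0] for entry in value.split(";")}
    return names - {"", "none"}

def parse_trace(text):
    """Split on the 'start transaction' marker; per transaction keep request, verdict, codes, hand-off, categories."""
    transactions = []
    for chunk in re.split(r"^start transaction -*[ \t]*$", text, flags=re.M):
        if not chunk.strip():
            continue
        txn = Transaction()
        for line in chunk.splitlines():
            s = line.strip()
            if m := re.match(r"transaction ID=(\d+)", s):
                txn.txn_id = m.group(1)
            elif m := re.match(r"transaction handed off from: (\d+)", s):
                txn.handed_off_from = m.group(1)
            elif not txn.request and (m := REQUEST_RE.match(line)):
                txn.request = m.group(1)
            elif s.startswith("verdict: "):
                txn.verdict = s[len("verdict: "):]
            elif s.startswith("server.response.code: "):
                txn.server_code = int(s.split(": ", 1)[1])
            elif s.startswith("client.response.code: "):
                txn.client_code = int(s.split(": ", 1)[1])
            else:
                for fld in CATEGORY_FIELDS:
                    if s.startswith(fld + ": "):
                        txn.categories[fld] = parse_category_list(s[len(fld) + 2:])
        transactions.append(txn)
    return transactions

def is_proxy_generated_403(txn):
    """server.response.code 0 with client.response.code 403: no origin response recorded, so the 403 is the ProxySG's own exception page."""
    return txn.client_code == 403 and txn.server_code == 0

def missing_categories(txn, allowed):
    """Per category field, the ratings the ALLOW rule's category list does not cover."""
    return {fld: cats - allowed for fld, cats in txn.categories.items() if cats - allowed}

def triage(text, allowed):
    """One entry per denied or 403 transaction: request, proxy-generated flag, hand-off, uncovered categories."""
    return [{"id": t.txn_id, "request": t.request, "handed_off_from": t.handed_off_from,
             "proxy_generated_403": is_proxy_generated_403(t),
             "missing": missing_categories(t, allowed)}
            for t in parse_trace(text)
            if t.client_code == 403 or t.verdict.startswith("DENIED")]

def categories_to_add(text, allowed):
    """Union of uncovered categories over all denied transactions: what the rule still needs."""
    return set().union(*(c for e in triage(text, allowed) for c in e["missing"].values()))

# Constructed sample modelled on the article's doodle.com traces; hostnames are placeholders.
SAMPLE_TRACE = """\
GET https://ads.example/gtm.js?id=GTM-TEST
verdict: DENIED: Either 'deny' or 'exception' was matched in policy
  url.category: none@Policy;none@IWF;none@YouTube;Web Ads/Analytics@Blue Coat
  request.header.Referer.url.category: none@Policy;none@IWF;none@YouTube;Office/Business Applications@Blue Coat
  server.certficate.hostname.category: none@Policy;none@IWF;none@YouTube;Web Ads/Analytics@Blue Coat
server.response.code: 0
client.response.code: 403
stop transaction --------------------
start transaction -------------------
transaction ID=7241 type=https.forward-proxy
transaction handed off from: 7240
    GET https://widget.example/widget/abc
client.response.code: 200
"""
ALLOWED = {"Office/Business Applications", "Technology/Internet"}  # the article's first rule
```

Running `categories_to_add(SAMPLE_TRACE, ALLOWED)` on the sample returns {"Web Ads/Analytics"}, the category that would have to be added to the rule for the denied request to match it.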