About multiple universal policy validity errors, with UPE domains

book

Article ID: 242752

calendar_today

Updated On:

Products

Management Center - VA

Issue/Introduction

We are unable to utilize universal policy enforcement for WSS. We have converted the policy from appliance to Universal policy, however, when setting the enforcement domain we get the below errors in relation to SSL Interception and Authentication.

When creating an entirely new policy in the management center and pushing it to WSS SSL Interception and authentication work correctly, but when utilizing the imported policy from the on-premise devices the policy cannot be saved in universal enforcement mode due to the errors in the screenshots below 

Resolution

About Enforcement Points

To prepare for policy migration to the Web Security Service or to facilitate managing policy in a mixed environment with the cloud and on-premises appliances, specify an Enforcement Domain for each applicable policy rule.

When you enable Enforcement Domains on the VPM, it displays icons next to applicable layer titles. The VPM also displays an Enforcement column, which allows you to select the domain(s) the rule applies to; Appliance, WSS (cloud service), or Universal (both appliance and WSS). When you install a VPM policy that includes Enforcement Domains, the generated CPL guards appliance-specific rules and cloud-specific rules with the enforcement preprocessor variable.

The following layers support Enforcement Domains :

  • DNS Access Layer
  • SSL Intercept Layer
  • SSL Access Layer
  • Web Authentication Layer
  • Web Access Layer
  • Web Content Layer
  • Web Request Layer

However, not all objects and actions within these layers are available for Universal Policy Enforcement.

For the errors reported, with UPE domains, please note that while the VPM calculates the policy, it's expected, to see multiple Universal Policy errors. See the snippet below, for reference.

    • Warnings (yellow) do not prevent policy installation. For example, the policy might be valid for the ProxySG appliance, but the Web Security Service will ignore it.

    • Errors (red) prevent policy installation; the Install Policy button becomes inactive.

Click OK, nonetheless.

  • Select a layer that contains an error. See the sample in the snippet below. 

In this example, this SSL Interception Action object cannot function on both the appliance and in the cloud service. You can open and examine the object and it evaluate the requirement for changes. Or right-click Enforcement and select Appliance. This removes the rule from Universal use.

So, the errors received are happening because not all objects and actions within these layers are available for Universal Policy Enforcement. This is expected, and in situations like this, the solution is to add layers and rules that apply only to the Web Security Service traffic.

Note: The same cause of the issue and resolution guidance also applies to the "Authenticate" error reported.

Ref. doc. https://techdocs.broadcom.com/content/dam/broadcom/techdocs/symantec-security-software/web-and-network-security/proxysg/common/UPE-PDF.pdf