Enforcement Domains & Troubleshooting steps to resolve errors.

Article ID: 242752

Products

Management Center - VA

Issue/Introduction

We are unable to utilize universal policy enforcement for WSS. We have converted the policy from appliance to Universal policy; however, setting the enforcement domain produces errors in relation to SSL Interception and Authentication.

When creating an entirely new policy in the management center and pushing it to WSS, SSL Interception and authentication work correctly, but when utilizing the imported policy from the on-premise devices, the policy cannot be saved in universal enforcement mode due to the errors.

Resolution

About Enforcement Points

To prepare for policy migration to the Web Security Service or to facilitate managing policy in a mixed environment with the cloud and on-premises appliances, specify an Enforcement Domain for each applicable policy rule.

When you enable Enforcement Domains on the VPM, it displays icons next to applicable layer titles. The VPM also displays an Enforcement column, which allows you to select the domain(s) the rule applies to: Appliance, WSS (cloud service), or Universal (both appliance and WSS). When you install a VPM policy that includes Enforcement Domains, the generated CPL guards appliance-specific rules and cloud-specific rules with the enforcement preprocessor variable.

The following layers support Enforcement Domains:

  • DNS Access Layer
  • SSL Intercept Layer
  • SSL Access Layer
  • Web Authentication Layer
  • Web Access Layer
  • Web Content Layer
  • Web Request Layer

However, not all objects and actions within the layers supported by Enforcement Domains are compatible with Universal Policy Enforcement (UPE). This limitation often leads to errors when attempting to apply certain rules universally across both the appliance and the Web Security Service (WSS). For example:

  • SSL Interception Actions: These may not function universally due to differences in how the appliance and WSS handle SSL traffic.

  • Authentication Actions: Similar compatibility issues can arise with authentication rules.

To address these limitations, you can:

1. Adjust the enforcement domain for incompatible rules (e.g., restrict them to "Appliance" or "WSS").

2. Create separate layers or rules tailored specifically for the Web Security Service traffic.

Here are some troubleshooting steps for resolving errors related to Enforcement Domains in Symantec's Web Security Service:

1. Review the Error Type:

  • Warnings (Yellow): These do not block policy installation but indicate that certain rules might not be applicable to both the appliance and the cloud service.

  • Errors (Red): These prevent policy installation and require immediate attention.

2. Identify the Problematic Layer:

  • Check which layer (e.g., SSL Intercept, Web Access) is causing the issue. Open the layer and locate the specific rule or object triggering the error.

3. Adjust Enforcement Domains:

  • If a rule or object cannot function universally, modify its enforcement domain. For example, right-click the "Enforcement" column and select either "Appliance" or "WSS" to restrict the rule to a specific domain.

4. Add Layer-Specific Rules:

  • For objects or actions incompatible with Universal Policy Enforcement, create separate layers or rules that apply only to the Web Security Service or the appliance.

5. Resolve SSL Interception Errors:

  • If SSL Interception actions cause errors, review the object and evaluate whether changes are needed. Alternatively, restrict the rule to "Appliance" enforcement.

6. Fix Authentication Errors:

  • Authentication errors often arise due to incompatibility with Universal Policy Enforcement. Adjust the enforcement domain or create separate rules for cloud and appliance environments.

7. Validate the Policy:

  • After making adjustments, validate the policy in the Visual Policy Manager (VPM) to ensure there are no remaining errors.

8. Reinstall the Policy:

  • Once the policy is error-free, reinstall it. The generated CPL will include enforcement preprocessor variables to handle domain-specific rules.
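The steps above restrict incompatible rules to one enforcement domain. As an added example (not Broadcom code or tooling), this Python script reads a saved copy of the generated CPL and lists layers whose rules reach only one domain, so that an SSL Interception or authentication rule limited to "Appliance" does not leave WSS traffic without an equivalent rule. The `#if enforcement=<domain>` / `#endif` guard form, the layer labels, the realm names and the sample rules are assumptions constructed for the example; compare them with your own generated CPL.

```python
import re

# Constructed sample, not real VPM output. Assumed guard form:
# "#if enforcement=<appliance|wss>" ... "#endif"; unguarded rules are Universal.
SAMPLE_CPL = '''\
<SSL-Intercept "SSL Intercept Layer (1)">
#if enforcement=appliance
    ssl.forward_proxy(https)
#endif
<Proxy "Web Authentication Layer (1)">
#if enforcement=appliance
    authenticate(onprem_realm)
#endif
#if enforcement=wss
    authenticate(cloud_realm)
#endif
<Proxy "Web Access Layer (1)">
    url.domain=blocked.example deny
'''

DOMAINS = ("appliance", "wss")
LAYER = re.compile(r'^<([\w-]+)(?:\s+"([^"]*)")?')
GUARD = re.compile(r"^#if\s+enforcement\s*=\s*(\w+)")


def rules_by_domain(cpl):
    """Map each layer label to {domain: [rule lines that domain would evaluate]}."""
    layers, current, guard = {}, None, None
    for raw in cpl.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a CPL comment
        if m := GUARD.match(line):
            guard = m.group(1).lower()
        elif line.startswith("#endif"):
            guard = None
        elif m := LAYER.match(line):
            current = m.group(2) or m.group(1)
            layers.setdefault(current, {d: [] for d in DOMAINS})
        elif line and current and not line.startswith("#"):
            for d in DOMAINS:
                if guard in (None, d):  # unguarded rules reach both domains
                    layers[current][d].append(line)
    return layers


def coverage_gaps(cpl):
    """(layer, domain) pairs where the layer has rules, but none for that domain."""
    return [(label, d) for label, doms in rules_by_domain(cpl).items()
            for d in DOMAINS if not doms[d] and any(doms.values())]
```

On the constructed sample, `coverage_gaps(SAMPLE_CPL)` reports the SSL Intercept layer as having no rule for `wss`, which is the case where step 4 (a separate WSS-specific rule or layer) applies.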

Refer to UPE Troubleshooting and Symantec Universal Policy Enforcement for additional details.