While using Management Center to manage Cloud SWG (formerly known as WSS), certain websites are blocked even though a rule allows their category. The block page shows a category-based block whose category does not match the site's categorization in the Sitereview DB.
Release :
Component : WSS with UPE, WSSA or IPSEC
Unless proxy settings are used with WSSA or IPSec, DNS resolution happens locally and the WSS proxy receives a TCP connection request, e.g. tcp://52.13.171.212:443.
In this case, Cloud SWG checks categorization against both the URL and the IP address of the URL. The URL might be categorized correctly, but its IP address(es) must also have a categorization, or have a categorization that is allowed in the policy.
Issue happens when:
Compose a CPL layer inside VPM using the CPL below. The rule below allows all uncategorized URL IPs (not URLs).
#if enforcement=wss
<proxy>
url.scheme=tcp category=Uncategorized url.host.is_numeric=true Allow
#endif
An admin may add other categories to the rule above to allow a broader spectrum of IPs after evaluating the security risk. However, for unsecure categories, it is always recommended to raise a recategorization request for that IP on the Sitereview website, because allowing a category in the rule above grants access to all IPs under that category regardless of URL.
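As an added example (not Broadcom's code), the Python below triages blocked tcp:// numeric-host requests by the category that triggered the block, separating IPs the rule above covers from IPs that are better submitted to Sitereview for recategorization. The record layout, function names and sample values are constructed for illustration and are not a real Cloud SWG log format.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records (assumed simplified layout, not a product log format):
# (URL as seen by the proxy, category shown on the block page, verdict)
SAMPLE_RECORDS = [
    ("tcp://52.13.171.212:443", "Uncategorized", "DENIED"),
    ("tcp://52.13.171.212:443", "Uncategorized", "DENIED"),
    ("tcp://198.51.100.7:443", "Suspicious", "DENIED"),
    ("tcp://203.0.113.9:443", "Technology/Internet", "ALLOWED"),
    ("https://www.example.com/", "Gambling", "DENIED"),
    ("tcp://proxy.example.net:443", "Uncategorized", "DENIED"),
]

def numeric_host(url):
    """Return the IP if url is tcp://<IP literal>[:port], else None."""
    parts = urlsplit(url)
    if parts.scheme != "tcp" or parts.hostname is None:
        return None
    try:
        return str(ipaddress.ip_address(parts.hostname))
    except ValueError:
        return None  # a hostname, so url.host.is_numeric would not match

def blocked_ips_by_category(records):
    """Group denied tcp://IP requests by the category reported for the block."""
    grouped = defaultdict(set)
    for url, category, verdict in records:
        ip = numeric_host(url)
        if ip and verdict == "DENIED":
            grouped[category].add(ip)
    return {cat: sorted(ips) for cat, ips in grouped.items()}

def triage(records, covered_by_rule=("Uncategorized",)):
    """Split blocked IPs into those whose category the allow rule lists and
    those that need a Sitereview recategorization request instead."""
    grouped = blocked_ips_by_category(records)
    covered = {c: ips for c, ips in grouped.items() if c in covered_by_rule}
    review = {c: ips for c, ips in grouped.items() if c not in covered_by_rule}
    return covered, review

if __name__ == "__main__":
    covered, review = triage(SAMPLE_RECORDS)
    print("Covered by the tcp/numeric-host rule:", covered)
    print("Submit to Sitereview rather than widening the rule:", review)
```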
Ref:
https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/proxysg/7-2/visual-policy-manager/how-policy-layers-rules-and-files-interact/how-vpm-layers-relate-to-cpl-layers/vpm-generated-cpl-layers.html
https://knowledge.broadcom.com/external/article/166537/how-to-write-rules-using-cpl-with-exampl.ht