Policy Installation failed -- Late condition guards early action Condition

Article ID: 251039


Products

ProxySG Software - SGOS

Issue/Introduction

The following error is received when trying to install the policy:

1 Error: Policy installation failed: [ % Load failed with 4 error(s) and 497 warning(s) Tenant 'APPS' Policy (Policy 
Error: Late condition guards early action Condition 'condition=dst_Allow_Example_access_global' which depends on 'condition=dst_Allow_Example_access_global/certificate_hostnames' vpm-cpl:1585 which depends on 'server.certificate.hostname=example.com' vpm-cpl:1546 Action 'policy.__DisableSSLDetection1APPS_action'  Error: Late condition guards early action Condition 'condition=dst_Allow_Example_access_global'  which depends on 'condition=dst_Allow_Example_access_global/certificate_hostnames' vpm-cpl:1585 which depends on 'server.certificate.hostname=example.com' vpm-cpl:1546 Action 'bypass_cache(yes)' tenant:12303 Error: Late condition guards early action Condition 'condition=dst_Allow_Example_access_global'  which depends on 'condition=dst_Allow_Example_access_global/certificate_hostnames' vpm-cpl:1585 which depends on 'server.certificate.hostname=example.com' vpm-cpl:1546 Action 'policy.__DisableSSLDetection1APPS_action'  There were 4 errors and 497 warnings ]

Cause

The definition of __DisableSSLDetection1APPS_action is:

define proxy policy __DisableSSLDetection1APPS_action
 <Proxy>
  client.protocol=http http.method=CONNECT detect_protocol.[ssl,https,sips](no)
end

"server.certificate.hostname" and "detect_protocol.[ssl,https,sips](no)" cannot be used together. Disabling SSL detection prevents the EdgeSWG from handing the traffic off to the SSL proxy, and without the SSL proxy it cannot process or handle anything related to the SSL protocol, such as parsing the server certificate hostname from the request.

The Destination URL list is a shared object created in Management Center (MC) that includes the "server.certificate.hostname" trigger (enabled by default), and that trigger causes the conflict.

When the object is exported to a JSON file, it contains the following node:

"advancedSettings" : {
  "includeServerCertificateCpl" : true,
  "includeSubnetCpl" : true,
  "trigger" : "URL",
  "serverUrl" : false
}

Resolution

Uncheck the "server.certificate.hostname trigger" in the advanced settings of the shared object, then reinstall the policy.
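The following Python script is an added example, not part of this article or of the Management Center product, that shows how the JSON node above and the resolution fit together: it scans an exported shared-object file for every object whose "advancedSettings" still has "includeServerCertificateCpl" set to true (the JSON form of the server.certificate.hostname trigger), reports them by name, and produces a copy with the flag cleared so the corrected node can be compared before the trigger is unchecked in MC. The sample export embedded in the script is constructed; the wrapping "sharedObjects" list and "name" field are assumptions about the export layout, and only the "advancedSettings" node mirrors what the article shows.

```python
import json

# Constructed sample export (not a real MC export). The "sharedObjects" wrapper and
# "name" field are assumptions; the "advancedSettings" node matches the article.
SAMPLE_EXPORT = json.dumps({
    "sharedObjects": [
        {
            "name": "dst_Allow_Example_access_global",
            "advancedSettings": {
                "includeServerCertificateCpl": True,   # trigger still enabled
                "includeSubnetCpl": True,
                "trigger": "URL",
                "serverUrl": False
            }
        },
        {
            "name": "dst_Other_list",
            "advancedSettings": {
                "includeServerCertificateCpl": False,  # trigger already unchecked
                "includeSubnetCpl": True,
                "trigger": "URL",
                "serverUrl": False
            }
        }
    ]
})


def _walk(node, path):
    """Yield (json_path, dict) for every JSON object in the document, depth first,
    so the check does not depend on the exact nesting of the export file."""
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from _walk(value, path + [key])
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, path + [str(index)])


def _has_server_cert_trigger(obj):
    """True when the object's advancedSettings enables the
    server.certificate.hostname trigger (includeServerCertificateCpl == true)."""
    settings = obj.get("advancedSettings")
    return isinstance(settings, dict) and settings.get("includeServerCertificateCpl") is True


def find_server_cert_triggers(export_text):
    """Return the names (or JSON paths, when no name is present) of all shared
    objects that would emit server.certificate.hostname CPL when installed."""
    doc = json.loads(export_text)
    hits = []
    for path, obj in _walk(doc, []):
        if _has_server_cert_trigger(obj):
            hits.append(obj.get("name") or "/".join(path))
    return hits


def disable_server_cert_trigger(export_text):
    """Return a copy of the export with includeServerCertificateCpl set to false
    wherever it was true: the JSON equivalent of unchecking the trigger in MC.
    Only the flag's value changes, so the dict being walked never changes size."""
    doc = json.loads(export_text)
    for _, obj in _walk(doc, []):
        if _has_server_cert_trigger(obj):
            obj["advancedSettings"]["includeServerCertificateCpl"] = False
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    print("objects with the server.certificate.hostname trigger enabled:",
          find_server_cert_triggers(SAMPLE_EXPORT))
    print(disable_server_cert_trigger(SAMPLE_EXPORT))
```

Run it against a real export by replacing SAMPLE_EXPORT with the file's contents; any object it lists is a candidate for the "Late condition guards early action" error whenever that object is referenced in a rule whose action disables SSL detection. The actual change still has to be made in the MC shared object, since the script only shows what the corrected node looks like.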

Additional Information

For more details on the shared object triggers, see:

https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/management-center/3-3/distribute_sol/config_policy/config_shared_policy/list_triggers.html