Policy Installation failed -- Late condition guards early action Condition


Article ID: 251039


Updated On:

Products

ASG-S500

Issue/Introduction

Receiving the following error when trying to install the policy. The policy contains a large number of URLs.

1 Error: Policy installation failed: [ % Load failed with 4 error(s) and 497 warning(s) Tenant 'APPS' Policy (Policy
Error: Late condition guards early action Condition 'condition=dst_Allow_Example_access_global' tenant:12301 which depends on 'condition=dst_Allow_Example_access_global/certificate_hostnames' vpm-cpl:1585 which depends on 'server.certificate.hostname=example.com' vpm-cpl:1546 Action 'policy.__DisableSSLDetection1APPS_action' tenant:12302
Error: Late condition guards early action Condition 'condition=dst_Allow_Example_access_global' tenant:12301 which depends on 'condition=dst_Allow_Example_access_global/certificate_hostnames' vpm-cpl:1585 which depends on 'server.certificate.hostname=example.com' vpm-cpl:1546 Action 'bypass_cache(yes)' tenant:12303
Error: Late condition guards early action Condition 'condition=dst_Allow_Example_access_global' tenant:12301 which depends on 'condition=dst_Allow_Example_access_global/certificate_hostnames' vpm-cpl:1585 which depends on 'server.certificate.hostname=example.com' vpm-cpl:1546 Action 'policy.__DisableSSLDetection1APPS_action' tenant:12303
There were 4 errors and 497 warnings ]

Environment

Release : 6.7.5.19

Component :

Cause

The definition of __DisableSSLDetection1APPS_action is:

define proxy policy __DisableSSLDetection1APPS_action
 <Proxy>
  client.protocol=http http.method=CONNECT detect_protocol.[ssl,https,sips](no)
end


"server.certificate.hostname" and "detect_protocol.[ssl,https,sips](no)" cannot be used together. Disabling SSL detection stops the ProxySG from handing the CONNECT tunnel off to the SSL proxy, and without the SSL proxy it cannot process anything at the SSL/TLS layer, including parsing the hostname out of the server certificate. The compiler reports this as "Late condition guards early action": server.certificate.hostname is a late trigger, only known after the server-side handshake, while detect_protocol must be decided early, at the time of the CONNECT, so the rule makes an early action depend on a fact the proxy can never learn under that action.


Further investigation showed that the destination URL list is a shared object created in Management Center (MC). Such objects include the "server.certificate.hostname" trigger by default, and that default is what introduces the conflicting late condition.

When the object is exported to a JSON file, it contains the following node; the "includeServerCertificateCpl" setting corresponds to the server.certificate.hostname trigger:

"advancedSettings" : {
   "includeServerCertificateCpl" : true,
   "includeSubnetCpl" : true,
   "trigger" : "URL",
   "serverUrl" : false
}
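The following Python script is an added example for this article and is not Broadcom's code. It turns the two findings above into a repeatable check: it parses the "Late condition guards early action" error text into condition, dependency chain, root trigger and guarded action, and it scans a Management Center shared-object JSON export for objects whose "includeServerCertificateCpl" is true, producing the corrected advancedSettings node. Only the advancedSettings node is documented on this page; the surrounding "name" key and list wrapper in the sample export are assumed, and the walker tolerates other layouts.

```python
"""Triage helper for the 'Late condition guards early action' install error.

Added example, not Broadcom's code: parses the error text from the policy
install and checks an MC shared-object export for the server-certificate CPL.
"""
import copy
import json
import re
from typing import Any, Dict, List

# Constructed sample: two of the errors quoted in the article, as one run of text.
SAMPLE_ERRORS = (
    "Error: Late condition guards early action Condition "
    "'condition=dst_Allow_Example_access_global' tenant:12301 which depends on "
    "'condition=dst_Allow_Example_access_global/certificate_hostnames' vpm-cpl:1585 "
    "which depends on 'server.certificate.hostname=example.com' vpm-cpl:1546 "
    "Action 'policy.__DisableSSLDetection1APPS_action' tenant:12302 "
    "Error: Late condition guards early action Condition "
    "'condition=dst_Allow_Example_access_global' tenant:12301 which depends on "
    "'condition=dst_Allow_Example_access_global/certificate_hostnames' vpm-cpl:1585 "
    "which depends on 'server.certificate.hostname=example.com' vpm-cpl:1546 "
    "Action 'bypass_cache(yes)' tenant:12303 "
    "There were 4 errors and 497 warnings"
)

# Each quoted item is followed by a location token such as tenant:12301 or vpm-cpl:1585.
_ERROR_RE = re.compile(
    r"Late condition guards early action Condition '(?P<condition>[^']+)' \S+"
    r"(?P<chain>(?: which depends on '[^']+' \S+)*)"
    r" Action '(?P<action>[^']+)'"
)


def parse_late_condition_errors(text: str) -> List[Dict[str, Any]]:
    """One record per error: guarding condition, its dependency chain, the root
    trigger the chain bottoms out in, and the early action being guarded."""
    records = []
    for m in _ERROR_RE.finditer(text):
        chain = re.findall(r"'([^']+)'", m.group("chain"))
        records.append({
            "condition": m.group("condition"),
            "chain": chain,
            "root_trigger": chain[-1] if chain else m.group("condition"),
            "action": m.group("action"),
        })
    return records


def late_trigger_names(records: List[Dict[str, Any]]) -> List[str]:
    """Distinct trigger names (the part before '=') that the errors bottom out in."""
    return sorted({r["root_trigger"].split("=", 1)[0] for r in records})


# Constructed sample export. Only advancedSettings is shown in the article;
# the "name" key and the list wrapper are assumptions for this example.
SAMPLE_EXPORT = json.dumps([
    {"name": "dst_Allow_Example_access_global",
     "advancedSettings": {"includeServerCertificateCpl": True, "includeSubnetCpl": True,
                          "trigger": "URL", "serverUrl": False}},
    {"name": "dst_Other_list",
     "advancedSettings": {"includeServerCertificateCpl": False, "includeSubnetCpl": True,
                          "trigger": "URL", "serverUrl": False}},
])


def _walk(node: Any):
    """Yield every dict in a JSON tree, so the export layout does not matter."""
    if isinstance(node, dict):
        yield node
        for v in node.values():
            yield from _walk(v)
    elif isinstance(node, list):
        for v in node:
            yield from _walk(v)


def objects_emitting_server_certificate_cpl(export_json: str) -> List[str]:
    """Names of shared objects whose export generates server.certificate.hostname CPL."""
    names = []
    for d in _walk(json.loads(export_json)):
        adv = d.get("advancedSettings")
        if isinstance(adv, dict) and adv.get("includeServerCertificateCpl") is True:
            names.append(d.get("name", "<unnamed>"))
    return names


def fixed_advanced_settings(advanced: Dict[str, Any]) -> Dict[str, Any]:
    """Same node with the server-certificate trigger unchecked; other settings untouched."""
    fixed = copy.deepcopy(advanced)
    fixed["includeServerCertificateCpl"] = False
    return fixed


if __name__ == "__main__":
    recs = parse_late_condition_errors(SAMPLE_ERRORS)
    for r in recs:
        print(f"{r['condition']} -> {' -> '.join(r['chain'])} guards {r['action']}")
    print("late triggers:", late_trigger_names(recs))
    if "server.certificate.hostname" in late_trigger_names(recs):
        print("objects to fix:", objects_emitting_server_certificate_cpl(SAMPLE_EXPORT))
```

Run it against the real install output and a fresh export of the shared objects; every object it lists is one whose "server.certificate.hostname" trigger must be unchecked before the condition can guard an early action such as detect_protocol or bypass_cache.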

Resolution

Uncheck the "server.certificate.hostname" trigger in the advanced settings of the shared object in Management Center (in the exported JSON this sets "includeServerCertificateCpl" to false), then install the policy again. Once the condition no longer depends on server.certificate.hostname it contains only early triggers, so it can guard the detect_protocol and bypass_cache actions without the compiler error.

Additional Information

For more details on shared object triggers, see:

https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/management-center/3-3/distribute_sol/config_policy/config_shared_policy/list_triggers.html