search cancel

Bypassed domain still showing up in Cloud SWG (formerly known as WSS) proxy logs

book

Article ID: 257151

calendar_today

Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Added bypass for the domains containing "anaplan.com", but we still see the records for these domains (e.g. "us1a.app.anaplan.com"," eu2a.app.anaplan.com") in the proxy logs.

Running a Cloud SWG reports for bypassed domains below, confirms we are still seeing a lot of entries for certain subdomains. These reports can also include the destination IP address which can come in handy for workarounds:

 After adding a bypass, the traffic should not go through WSS and hence we should not see it in logs as well ... but we we do see it.

Environment

WSS Agent.

Domain bypasses.

Cause

DNS TTL sync issues on WSS Agent host and IP address removed the cached bypass list.

Resolution

When WSS Agent sends traffic into WSS for bypassed domains, it is typically due to DNS TTL timeout on the host that can be worked around with IP address changes. In this specific example, the Application documents the IP addresses at the following location - https://support.anaplan.com/domain-and-ip-ranges-c8235c7d-8af2-413b-a9ff-d465978806b9.

 

Additional Information

DNS bypasses are very easy to setup but are obviously dependent on DNS. If the DNS entries TTL expires and we do not see another DNS request for that domain, then requests will sent into WSS for a brief time until the next DNS request for that domain is seen.

By adding the IP address bypass, we are working at layer 3 (which agent really works at) and are not dependent on anything else. However, adding the IP addresses can be painful if the 3rd party does not publish IP addresses, or update them when they change. Fortunately for Anaplan, they do seem to do both and for this application, I would simply go with the IP bypass. 

Attachments