WSS Bypassed Traffic functionality

Article ID: 257509

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Do portal bypass entries still apply when the WSS agent is unable to connect to the Cloud SWG and is in a fail-closed state?

Would connections to destinations listed in the Bypassed Traffic section still be expected to function?

Environment

Cloud SWG (Cloud Secure Web Gateway) 

Resolution

Bypasses take effect while fail-closed

Usually, the Cloud Traffic Controller (CTC) connection still succeeds and only the tunnels fail. That is the most common way to get into failure mode.
 
However, if CTC fails, the cached bypass list will be used while in fail-closed mode (Failure mode set to 'Block all traffic').
 
Usually, if both CTC and tunnels fail, it means that there is some kind of major network outage (from the device’s perspective), so the device won't be able to reach the bypassed destinations.
 
So, while the agent is in a fail-closed state, all traffic that would be tunnelled (ports 80, 443, 8080, 8443 if you are not using CFS (Cloud Firewall Service), or all ports if you are using CFS) will be blocked, except for traffic that is bypassed.
 
This means that if you are bypassing example.com (by IP or by domain), traffic to example.com will still be allowed while in the fail-closed state, but traffic to site.com will be dropped.
 
If you are not using CFS, traffic to site.com:1234 would still be allowed (because it would be direct even if the tunnel were up).
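
The rules above can be written down as an expected-results table to check against when testing fail-closed behaviour. The following is an added example, not Broadcom's code or the agent's implementation. The function names, the sample addresses and the assumption that a domain bypass entry also covers its subdomains are all hypothetical.

```python
import ipaddress

# Ports the article lists as tunnelled when CFS is not in use.
TUNNELED_PORTS_NO_CFS = {80, 443, 8080, 8443}

def is_bypassed(host, ip, bypass_domains, bypass_networks):
    """True if the destination matches a bypass entry by domain or by IP."""
    host = host.lower().rstrip(".")
    for entry in bypass_domains:
        entry = entry.lower()
        # Assumption: an entry covers the domain itself and its subdomains.
        if host == entry or host.endswith("." + entry):
            return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in bypass_networks)

def expected_disposition(host, ip, port, *, bypass_domains, bypass_networks,
                         cfs_enabled, tunnel_up):
    """Expected handling with Failure mode set to 'Block all traffic'."""
    if is_bypassed(host, ip, bypass_domains, bypass_networks):
        return "direct (bypassed)"       # the cached bypass list still applies
    would_tunnel = cfs_enabled or port in TUNNELED_PORTS_NO_CFS
    if not would_tunnel:
        return "direct (not tunneled)"   # direct even when the tunnel is up
    return "tunneled" if tunnel_up else "blocked"

# Constructed sample bypass list and test destinations (documentation ranges).
BYPASS_DOMAINS = ["example.com"]
BYPASS_NETWORKS = ["192.0.2.0/24"]
CASES = [
    ("example.com", "192.0.2.10", 443),
    ("site.com", "198.51.100.7", 443),
    ("site.com", "198.51.100.7", 1234),
]

def matrix(cfs_enabled, tunnel_up=False):
    """Expected dispositions for CASES, in order."""
    return [expected_disposition(h, ip, p, bypass_domains=BYPASS_DOMAINS,
                                 bypass_networks=BYPASS_NETWORKS,
                                 cfs_enabled=cfs_enabled, tunnel_up=tunnel_up)
            for h, ip, p in CASES]

if __name__ == "__main__":
    for cfs in (False, True):
        for (h, _, p), result in zip(CASES, matrix(cfs)):
            print(f"CFS={cfs!s:5} {h}:{p:<5} -> {result}")
```
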