Active Agent screen in Cloud SWG Portal missing a large number of devices

Article ID: 261054

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

A Cloud ASG administrator is rolling out a number of WSS Agents on Windows devices.

When checking the number of agents with the “last access” filter set to “24 hours”, only a small subset of the total number of agents was reported.

Changing “last access” to 24 days showed a lot more agents, but the count still did not match what was expected.

Selecting the admin's device showed a last access of a week back, even though the agent had been active every day since.

The problem seems to have started in late January 2023.

Environment

WSS Agent.

Cloud SWG Portal.

Cause

Access logs were missing values for key fields, which caused reports to show up empty.

Resolution

Fixed in the Cloud SWG Portal update at the end of February.

Additional Information

While troubleshooting the problem, we looked at the HTTP logs for impacted users and saw that many of the x-client-agent fields (x-client-agent-type, x-client-agent-sw, x-client-agent-ip) were empty, as shown below:

#Fields: x-bluecoat-request-tenant-id date time x-bluecoat-appliance-name time-taken c-ip cs-userdn cs-userdn-current-hashed x-cs-user-email-address-hashed cs-auth-groups x-exception-id sc-filter-result cs-uri-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes cs-icap-service rs-icap-service x-icap-reqmod-header(X-ICAP-Metadata) x-icap-respmod-header(X-ICAP-Metadata) x-data-leak-detected x-virus-id cs-icap-failure-mode rs-icap-failure-mode x-bluecoat-location-id x-bluecoat-location-name x-bluecoat-access-type x-bluecoat-application-name x-bluecoat-application-operation r-ip r-supplier-country x-rs-certificate-validate-status x-rs-certificate-observed-errors x-cs-ocsp-error x-rs-ocsp-error x-rs-connection-negotiated-ssl-version x-rs-connection-negotiated-cipher x-rs-connection-negotiated-cipher-size x-rs-certificate-hostname x-rs-certificate-hostname-categories x-cs-connection-negotiated-ssl-version x-cs-connection-negotiated-cipher x-cs-connection-negotiated-cipher-size x-cs-certificate-subject cs-icap-status cs-icap-error-details rs-icap-status rs-icap-error-details s-supplier-ip s-supplier-country s-supplier-failures x-cs-client-ip-country cs-threat-risk x-rs-certificate-hostname-threat-risk x-client-agent-type x-client-os x-client-agent-sw x-client-agent-ip x-client-device-id x-client-device-name x-client-device-type x-client-security-posture-details x-client-security-posture-risk-score x-bluecoat-reference-id x-sc-connection-issuer-keyring x-sc-connection-issuer-keyring-alias x-cloud-rs x-bluecoat-placeholder cs(X-Requested-With) x-random-ipv6 x-bluecoat-transaction-uuid s-source-ip x-sr-vpop-ip x-sr-vpop-country-code x-sr-vpop-country x-dei-token x-symc-dei-app x-symc-dei-via

2023-01-16 16:34:19 "DP2-GBEBR11_proxysg4" 157 117.25.57.101 "1234" "h8yeCCq5v3Pec+NiOxsrHiYOFQSp7gbafBlqLvW1w4s=" - "yey\INTERNET_STANDARD" - OBSERVED "Technology/Internet" - 200 TCP_NC_MISS GET text/html;%20charset=UTF-8 http pod.threatpulse.com 80 / - - "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0" 192.168.2.87 1502 398 - cas_group - "{ %22expect_sandbox%22: false }" no - - - 0 "client" client_connector "Symantec Web Security Service" "none" 35.227.235.56 "United States" - - - - - none - - - - none - - ICAP_NOT_SCANNED - ICAP_NO_MODIFICATION - 35.227.235.56 "United States" - "France" 2 - - - - - - - - - - - - - - - - - a91463aec8cad62c-00000000092e9ae5-0000000063c57c8b 148.64.19.62 148.64.19.62 "FR" "France" - - -

When looking at the HTTP logs for agents that were reported, we could clearly see that the same fields were populated correctly:

2023-01-16 17:31:40 "DP2-GGBLO99_proxysg1" 1 18.103.125.251 "4321" "KUaQW3VdhyiYa7GXa7wEP9N+vJ4y4Gq4Jp2c=" "yey\INTERNET_STANDARD" - - OBSERVED "Technology/Internet" - 0 TCP_ACCELERATED TUNNEL - tcp 142.250.187.196 443 / - - - 192.168.2.84 0 0 - - - - - - - - 0 "client" client_connector "-" "-" 142.250.187.196 "United States" - - - - - none - - - - none - - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - - "United States" - "Ireland" 3 - wss-agent architecture=x86_64%20name=Windows%2010%20Pro%20version=10.0.19041 9.0.65.18892 192.168.178.117 8eeba2bc-8959-4ada-97da-37ab9d436a4e LAB-FKSWNQ2 PC - - - - - - - - - 07828d8ef8aef5f7-00000000000dcf9c-0000000063c589fc - - "Invalid" "Invalid" - - -
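To measure how much agent traffic in a downloaded access log is affected by the empty fields shown above, the following added example (not Broadcom's code) parses the log by its #Fields header and counts agent records whose x-client-* device fields are empty. The sample log is constructed with a reduced field list, and treating x-bluecoat-access-type = client_connector as WSS Agent traffic is an assumption drawn from the two log lines above.

```python
import csv
from collections import Counter

# Device-identity fields from the #Fields header that the article found empty.
AGENT_FIELDS = ("x-client-agent-type", "x-client-agent-sw",
                "x-client-device-id", "x-client-device-name")

def parse_elff(lines):
    """Yield one dict per record, keyed by the names in the '#Fields:' header."""
    names = None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            names = line.split()[1:]
        elif line and not line.startswith("#") and names:
            # Space-delimited, with double quotes around values containing spaces.
            row = next(csv.reader([line], delimiter=" ", quotechar='"',
                                  skipinitialspace=True))
            if len(row) == len(names):      # skip truncated or misaligned rows
                yield dict(zip(names, row))

def audit_agent_fields(lines):
    """Return (device names seen, Counter of c-ip -> records missing identity)."""
    seen, missing = set(), Counter()
    for rec in parse_elff(lines):
        if rec.get("x-bluecoat-access-type") != "client_connector":
            continue                         # assumption: marks WSS Agent traffic
        empty = [f for f in AGENT_FIELDS if rec.get(f, "-") in ("-", "")]
        if empty:
            missing[rec.get("c-ip", "?")] += 1   # record carries no device identity
        else:
            seen.add(rec["x-client-device-name"])
    return seen, missing

# Constructed sample: reduced field list, documentation-range IPs, made-up values.
SAMPLE = """\
#Fields: date time c-ip cs-userdn x-bluecoat-access-type x-client-agent-type x-client-agent-sw x-client-device-id x-client-device-name
2023-01-16 16:34:19 203.0.113.10 "user one" client_connector - - - -
2023-01-16 16:40:02 203.0.113.10 "user one" client_connector - - - -
2023-01-16 17:31:40 198.51.100.7 "user two" client_connector wss-agent 9.0.0.1 00000000-0000-0000-0000-000000000001 LAB-EXAMPLE1
2023-01-16 17:45:11 192.0.2.50 - other_access - - - -
""".splitlines()

if __name__ == "__main__":
    devices, gaps = audit_agent_fields(SAMPLE)
    print("devices identified:", sorted(devices))
    for ip, n in gaps.most_common():
        print(f"{ip}: {n} agent record(s) with empty x-client-* fields")
```

Source addresses that appear only in the second result are sending agent traffic that the log cannot tie to a device, which matches the symptom of agents missing from the report.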