Access to the website is denied via Proxy
Access Denied (policy_denied)
ProxySG/EdgeSWG SGOS
Before troubleshooting, verify the URL's categorization and threat-risk status.
#### CHECK THE URL FOR CATEGORIZATION AND THREAT RISK ####
STEP1
Identify the URL that is blocked by the Proxy and not displayed properly on the workstation that connects via the Proxy - EXAMPLE: https://example.com
STEP2
By default, ProxySG uses the Bluecoat Webpulse Filter for categorization and threat risk, so check that your site is correctly categorized and not marked as malicious.
Webpulse Sitereview: https://sitereview.bluecoat.com/#/
CATEGORY ASSIGNED: List of categories
NOTE: You can request a change if you feel that the site is not properly categorized.
Sites that are not CATEGORIZED, or that are INTERNAL CUSTOMER DOMAINS (not publicly available in public DNS), can be marked as suspicious/malicious.
STEP3
Check which IP address DNS resolves for the URL, e.g. example.com. Open a Windows CMD prompt and type: nslookup example.com
STEP4
Ensure that ProxySG can reach the specific domain via the DNS configured on the Proxy. Open an SSH connection to your Proxy Management IP using, e.g., the PuTTY client.
Use command: test dns <url-domain> bypass-cache
ex. test dns example.com bypass-cache
You'll see which DNS server resolves the domain and whether it is resolved successfully. If it is not, it is a DNS issue.
STEP5
Please write down the information gathered regarding the URL
#### TROUBLESHOOTING THE URL THAT IS BEING BLOCKED ####
STEP5
Check your policy to confirm that this URL is allowed by a defined Policy rule for the destination URL/category with the ALLOWED action
STEP6
Find out which workstations cannot reach the specific website and choose one workstation for testing purposes, based on behavior or the source defined in the rule - EXAMPLE: 10.0.200.1
STEP7
Open the ProxySG management console from a PC that has access to it: https://<management-proxy-ip>:8082/ (for example: https://10.0.80.81:8082)
and open the Java Launcher.
STEP8
Go to ProxySG > Configuration > Policy > Visual Policy Manager >> Launch Legacy Java VPM
STEP9
In the menu at the top, choose Policy >> Add Web Access Layer, then create the layer and name it DEBUG
Then click on Source >> Set… >> Add New… >> Client IP address/subnet. Enter the IP of the endpoint client and the subnet 255.255.255.255, then click Add, Close, OK
The source has now been added. You can specify the destination with Request URL: example.com, or you can leave it blank (the trace will then collect all requests from the PC)
In the Action field, right-click and choose Delete. This makes the rule transparent to the other defined rules, as we don't need to allow/deny but only to track behavior.
In the Trace field, right-click on Track >> Set… >> New… >> Trace. Name the trace, e.g. Trace1, set the trace level to trace enabled, then click OK twice.
The Web Access trace should look like this:
Click on Install Policy
STEP9
If your Policy SSL-intercepts the URL that is being blocked, one more change is needed.
Go to your SSL-Intercept layer and create the URL with the same scheme as previously:
Click Install Policy
STEP10
Go back to the main Proxy Console window, then to Maintenance >> Service information >> Packet captures
Set the packet trace filter to
ip host <ip of endpoint testing device> or ip host <url> or port 53 or ip host <proxysg-management-ip>
ex. ip host 10.0.200.1 or ip host example.com or port 53 or ip host 10.0.80.80
Click Apply at the bottom, then click Start capture… >> Start Capture
The policy debug and the capture have now started
STEP11
On the testing device 10.0.200.1 where the issue occurs, open a browser in Incognito mode and try to access the blocked website - ex. example.com
STEP12
On the PC that is connected to the Proxy Management Console, open the browser and type the Proxy Management address https://<management-proxy-ip>:8082/Policy ex. https://10.0.80.80:8082/Policy
Check whether the trace was captured under Trace1
Open the Trace1 link, press CTRL+F and search for the URL example.com. If it's there, copy the contents of Trace1 into a text file Trace1.txt and save it on the desktop
STEP13
Go back to the ProxySG > Maintenance > Service Information > Packet Captures tab, click on Stop Capture, then Download Capture, and save it on the desktop.
STEP14
Go back to the Visual Policy Manager and delete/disable the rules created in steps 8-9
STEP15
If you would like to send the captures to the case ticket automatically, go to ProxySG >> Maintenance >> Service Information >> Send Information >> Send Service Information
Type the case number in the Service Request Number field. Click on Newest, tick Packet Capture, Policy Trace File, Access Logs, Event Log and SysInfo, then click on Send.
Files should be uploaded directly to the Broadcom case (you can check View Progress). Otherwise, you need to upload the attachments with the Packet trace and Wireshark capture manually to the case.
STEP16
At the end, you can delete the trace that was taken from ProxySG by going to https://<management-ip-proxy>:8082/Policy
#### ALTERNATIVE WAY TO SET UP THE POLICY TRACE USING THE CPL CODE (STEP 8-9) ####
Add CPL code by going into ProxySG > Configuration > Policy Files > Policy Files tab > Install Local file from: Local File > Install and pasting the customized code:
<ssl-intercept>
client.address=x.x.x.x trace.destination(Trace1) trace.request(yes)
<proxy>
client.address=x.x.x.x trace.destination(Trace1) trace.request(yes)
For example:
<ssl-intercept>
client.address=10.0.200.1 trace.destination(Trace1) trace.request(yes)
<proxy>
client.address=10.0.200.1 trace.destination(Trace1) trace.request(yes)
After pasting, click INSTALL
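Added example (not part of the original article and not Broadcom code): a small Python helper that builds both the trace CPL above and the STEP10 packet capture filter from the same inputs, and refuses anything that is not a single host, so the debug trace and capture stay scoped to the one test workstation. The function names and the allow-list patterns are assumptions made for this example.

```python
import ipaddress
import re

# Conservative allow-lists chosen for this example (not documented product limits).
# They keep spaces, operators and parentheses out of the generated CPL and filter.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)
_TRACE_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def _host_ip(value: str, what: str) -> str:
    """Return value as one normalized IPv4 host address, or raise ValueError."""
    try:
        return str(ipaddress.IPv4Address(value.strip()))
    except ipaddress.AddressValueError as exc:
        # Rejects subnets (10.0.200.0/24), placeholders (x.x.x.x) and empty input.
        raise ValueError(f"{what} must be one IPv4 host address, got {value!r}") from exc


def trace_cpl(client_ip: str, trace_name: str = "Trace1") -> str:
    """Build the article's trace CPL, scoped to exactly one client address."""
    ip = _host_ip(client_ip, "client IP")
    if not _TRACE_RE.match(trace_name):
        raise ValueError(f"unsafe trace name {trace_name!r}")
    rule = f"client.address={ip} trace.destination({trace_name}) trace.request(yes)"
    return "\n".join(["<ssl-intercept>", rule, "<proxy>", rule])


def capture_filter(client_ip: str, domain: str, proxy_mgmt_ip: str) -> str:
    """Build the STEP10 capture filter for one client, one site and the proxy."""
    client = _host_ip(client_ip, "client IP")
    proxy = _host_ip(proxy_mgmt_ip, "proxy management IP")
    if not _HOST_RE.match(domain):
        raise ValueError(f"not a plain hostname: {domain!r}")
    return f"ip host {client} or ip host {domain} or port 53 or ip host {proxy}"


if __name__ == "__main__":
    # Inputs are the article's own example values.
    print(trace_cpl("10.0.200.1"))
    print(capture_filter("10.0.200.1", "example.com", "10.0.80.80"))
```
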
####################
HOW TO BYPASS URLS VIA PROXY: Troubleshoot issues with a specific web site proxied by Edge SWG (ProxySG) or ASG appliance - https://knowledge.broadcom.com/external/article?articleId=167379
#################
More KB articles regarding Policy trace: