Access to the website is denied via Proxy
Access Denied message seen in the browser when trying to reach a website:
ProxySG/EdgeSWG SGOS with SGAC
#### CHECK THE URL FOR CATEGORIZATION AND THREAT RISK ####
STEP1
Determine which URL is triggering the block or causing display issues on the workstation connecting through the EdgeSWG. Example: https://<domain>.
STEP2
EdgeSWG uses Bluecoat WebPulse to determine URL categorization and threat risk. Check the status of the SiteReview page to ensure it is accurately categorized and not identified as malicious.
CATEGORY ASSIGNED: List of categories
Note: Use the SiteReview portal to submit a change request for any miscategorized websites.
Sites that are NOT CATEGORIZED, or that are INTERNAL CUSTOMER DOMAINS (not resolvable in public DNS), can be marked as suspicious/malicious.
STEP3
Verify the DNS resolution for the domain (e.g., <domain>) from the client workstation by executing the nslookup <domain> command in a Windows Command Prompt (CMD).
C:\Users\user>nslookup <domain>
Server:  <dns-domain-name>
Address:  <dns-server-ip>

Non-authoritative answer:
Name:    <domain>
Addresses:  <domain-ip-address>
STEP4
Verify domain reachability from the EdgeSWG by connecting to the Management IP via SSH (e.g., using PuTTY) to check the appliance's DNS configuration.
Use command: test dns <domain> bypass-cache
ProxySG#test dns <domain> bypass-cache
Performing DNS lookup for: <domain>
Sending A query for <domain> to <dns-server-ip>
DNS Response data:
Official Host Name: <domain>
Resolved Addresses: <domain-ip-address>
Cache TTL: 11354, cache MISS
DNS Resolver Response: Success
The output identifies the specific DNS server resolving the domain and confirms whether the resolution was successful. A failure at this stage indicates a DNS-related issue.
STEP5
Document the gathered information for the URL, including the IP address, WebPulse category, and DNS resolution status.
URL: <domain>
IP: <domain-ip-address>
WEBPULSE CATEGORY: Technology/Internet
Proxy DNS resolution: OK (DNS: <dns-server-ip>)
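As an added example (not part of the KB article), the following script ties Steps 3 to 5 together: it parses the client's nslookup output and the appliance's test dns output, compares the answers both resolvers returned, and builds the Step 5 record. Status is FAIL when the EdgeSWG cannot resolve the name and MISMATCH when the client and the proxy resolver disagree (the internal-domain / split-DNS case noted above); the hostnames, addresses and function names are constructed placeholders.

```python
import re
# Constructed samples (not from the article): Step 3 nslookup on the client, Step 4 'test dns' on the EdgeSWG.
CLIENT_NSLOOKUP = """Server:  dns01.corp.example
Address:  10.0.0.53
Name:    intranet.example.com
Addresses:  203.0.113.10
"""
PROXY_TEST_DNS = """Sending A query for intranet.example.com to 198.51.100.53
Resolved Addresses: 203.0.113.10
Cache TTL: 11354, cache MISS
DNS Resolver Response: Success
"""
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_nslookup(text):
    """Windows nslookup output -> (resolver used, [answer addresses])."""
    server, addrs = None, []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Address" and server is None:
            server = value.strip()        # first Address: line names the resolver
        elif key.strip() in ("Address", "Addresses"):
            addrs += IPV4.findall(value)  # later Address/Addresses lines carry the answer
    return server, addrs

def parse_test_dns(text):
    """SGOS 'test dns <domain> bypass-cache' output -> (resolver queried, [addresses], success flag)."""
    server, addrs, ok = None, [], False
    for line in text.splitlines():
        m = re.match(r"Sending \S+ query for \S+ to (\S+)", line)
        if m:
            server = m.group(1)
        elif line.startswith("Resolved Addresses:"):
            addrs += IPV4.findall(line)
        elif line.startswith("DNS Resolver Response:"):
            ok = "success" in line.lower()
    return server, addrs, ok

def build_summary(domain, category, client_out, proxy_out):
    """Step 5 record; the status flags a proxy-side DNS failure or a client/proxy disagreement."""
    c_server, c_addrs = parse_nslookup(client_out)
    p_server, p_addrs, ok = parse_test_dns(proxy_out)
    if not ok or not p_addrs:
        status = "FAIL"       # appliance cannot resolve the name: DNS issue on the proxy side
    elif set(c_addrs) != set(p_addrs):
        status = "MISMATCH"   # split DNS / internal domain: proxy resolver sees a different answer
    else:
        status = "OK"
    return {"URL": domain, "IP": ", ".join(p_addrs) or "n/a", "WEBPULSE CATEGORY": category,
            "Proxy DNS resolution": f"{status} (DNS: {p_server})"}
```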
STEP6
Verify the current policy configuration to determine if a rule explicitly allows or denies the specific URL or category. Access the EdgeSWG Management Console at https://<proxy-ip>:8082 and select the Visual Policy Manager link in the top-right corner.
STEP7
Identify the workstations unable to access the specific website and select a single representative workstation for testing. The selection should be based on the source IP or behavior defined in the existing policy rule (e.g., <test-client-ip>).
STEP8
In the Web Visual Policy Manager, select Add Layer, choose Web Access Layer, and name it DEBUG. Navigate to Source > Set… > Add New… > Client IP address/subnet. Enter the endpoint client IP (<test-client-ip>) with subnet 255.255.255.255, then select Add, Close, and OK.
The source has now been added. You can specify the destination with Request URL: <domain>, or leave it blank so the trace collects all requests from the PC.
Right-click the Action field and select Delete. This ensures the rule acts only as a monitor and does not change any policy decision. To configure the log, right-click the Track field, select Set... > New... > Trace, name it Trace1, enable the trace level, and select OK twice to save.
Verify the Web Access trace configuration against the following example:
Click on Apply Policy
STEP9
If SSL Interception is enabled for the blocked URL, an additional configuration change is required. Navigate to the SSL-Intercept layer and create a rule using the same logic as the previous step:
Click Install Policy
STEP10
Return to the main EdgeSWG Management Console and navigate to Administration > Service Information > Packet Capture. Configure the packet trace filter with the following syntax:
ip host <test-client-ip> or ip host <domain> or port 53 or ip host <proxy-ip> or port 443 or port 80 or ip host <domain-ip-address>
Click Apply at the bottom, then select Start capture... > Start Capture.
The policy trace and packet capture are now active.
STEP11
From the affected testing device (<test-client-ip>), open a browser in Incognito or Private mode and attempt to access the blocked website (e.g., <domain>).
STEP12
From the workstation connected to the Management Console, access https://<proxy-ip>:8082/Policy via a web browser. Confirm that the trace results are available under the Trace1 link.
Open the Trace1 link and use CTRL+F to search for the specific URL (<domain>). If the URL is present, copy the results into a new text file named Trace1.txt and save it to the desktop.
STEP13
Navigate back to Administration > Service Information > Packet Capture. Select Stop Capture, then select Download Capture and save the file to the desktop.
STEP14
Return to the Visual Policy Manager to disable or delete the debug rules created in Steps 8 and 9.
STEP15
To automatically upload captures to a support case, navigate to Administration > Service Information > Send Information > Send Selected Info Now. Enter the case number in the Service Request Number field. Select Newest, enable the checkboxes for Packet Capture, Policy Trace File, Access Logs, Event Log, and SysInfo, then select Send.
Files are uploaded directly to the Broadcom case upon completion. Alternatively, the packet capture and policy trace files may be attached manually to the case via the Broadcom support portal.
STEP16
To conclude the process, the temporary trace file may be deleted from the appliance by navigating to https://<proxy-ip>:8082/Policy.
OPTIONAL TRACE FROM USER BROWSER
If a "Policy Blocked" message is not visible but other issues persist, capture a screenshot of the browser error and collect a HAR file. Refer to KB 170836 for instructions on obtaining a HAR file. This data helps confirm whether the EdgeSWG is blocking the request or if an external networking issue exists.
#### ALTERNATIVE WAY TO SET UP THE POLICY TRACE USING THE CPL CODE (STEP 8-9) ####
To apply the policy trace via CPL, create a new CPL Layer within the Web Visual Policy Manager and paste the following customized code:
; * * * * * * * * * * * * Policy Trace for troubleshooting * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
<dns-Proxy>
client.address=<test-client-ip> trace.destination(myTraceForDNS) trace.request(yes) trace.session(yes)
<SSL>
client.address=<test-client-ip> trace.destination(myTraceFor_TLS_SSL_decision) trace.request(yes) trace.session(yes)
<ssl-intercept>
client.address=<test-client-ip> trace.destination(myTraceFor_TLS_SSL_Intercept) trace.request(yes) trace.session(yes)
<proxy>
client.address=<test-client-ip> trace.destination(myTraceForProxy) trace.request(yes) trace.session(yes)
<Cache>
client.address=<test-client-ip> trace.destination(myTraceForCache) trace.request(yes) trace.session(yes)
<Exception>
client.address=<test-client-ip> trace.destination(myTraceForException) trace.request(yes) trace.session(yes)
<Forward>
client.address=<test-client-ip> trace.destination(myTraceForForward) trace.request(yes) trace.session(yes)
; * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Once the rule is inserted, select Apply Policy to commit the changes.
Note: For instructions on bypassing specific URLs, refer to Troubleshoot issues with a specific web site proxied by Edge SWG (ProxySG) or ASG appliance.
More KB articles regarding Policy trace: