Users access internet sites via Cloud SWG using a mix of WSS Agents and explicit access methods.
The Cloud SWG tenant is managed using Management Center.
The tenant has a full Web Isolation license, and the admin is using CPL to configure isolation policy per the UPE isolation documentation.
Everything works as it should except for one thing: we cannot bypass any site from isolation.
Can we have a CPL for full isolation with the option to bypass traffic from isolation?
Cloud SWG configured using UPE policy.
Web isolation.
All Cloud SWG access methods.
To bypass a single site from isolation, we could add it to the isolation conditions as shown below. This example assumes we want to isolate all sites with a risk level of 7-10, with the exception of myriskysite.com (assuming it also has a risk level of 7-10); pippo.com should be bypassed from isolation:
;; Begin Template
#if enforcement=wss
define condition Isolation_CondWebIsolationMatchCriteriaWebAccess
url.threat_risk.level=7..10 url.domain=!"myriskysite.com"
url.category=!("Malicious Outbound Data/Botnets","Suspicious")
;url.domain="malicious.com"
;authenticated=yes
;client.address=192.168.10.0/24
;authenticated=yes url.category=("Malicious Outbound Data/Botnets")
end
define condition Isolation_CondWebIsolationMatchCriteriaForwarding
server_url.threat_risk.level=7..10 server_url.domain=!"myriskysite.com"
server_url.category=!("Malicious Outbound Data/Botnets","Suspicious")
;server_url.domain="malicious.com"
;authenticated=yes
;client.address=192.168.10.0/24
;authenticated=yes url.category=("Malicious Outbound Data/Botnets")
end
; This should be conditioned but is required for Isolation
<SSL-Intercept> condition=Isolation_CondWebIsolationMatchCriteriaWebAccess
ssl.forward_proxy(https)
#endif
;; End Template
If we have a group of domains that we want to bypass, or IP subnets to exempt from isolation, we could add the following CPL:
;; Begin Template
#if enforcement=wss
define category domain_iso_exemptions
myriskysite1.com
myriskysite2.com
end
define subnet client_ip_iso_exemptions
192.168.10.125
end
define condition Isolation_CondWebIsolationMatchCriteriaWebAccess
url.threat_risk.level=7..10 url.category=!("domain_iso_exemptions")
;url.category=("Malicious Outbound Data/Botnets","Suspicious")
;url.domain="malicious.com"
;authenticated=yes
client.address=192.168.10.0/24 client.address=!client_ip_iso_exemptions
;authenticated=yes url.category=("Malicious Outbound Data/Botnets")
end
define condition Isolation_CondWebIsolationMatchCriteriaForwarding
server_url.threat_risk.level=7..10 server_url.category=!("domain_iso_exemptions")
; server_url.category=("Malicious Outbound Data/Botnets","Suspicious") server_url.category=!("domain_iso_exemptions")
;server_url.domain="malicious.com"
;authenticated=yes
client.address=192.168.10.0/24 client.address=!client_ip_iso_exemptions
;authenticated=yes url.category=("Malicious Outbound Data/Botnets")
end
; This should be conditioned but is required for Isolation
<SSL-Intercept> condition=Isolation_CondWebIsolationMatchCriteriaWebAccess
ssl.forward_proxy(https)
#endif
;; End Template
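Added example, not part of the original article or Broadcom's code: a small Python model of how the second template's WebAccess condition decides which requests are isolated, assuming CPL's evaluation rule that triggers on one line are ANDed and separate lines inside a define condition block are ORed. The sample requests, their risk levels, the function names and the single-line variant are constructed for illustration.

```python
import ipaddress

# Constructed stand-ins for the template's definitions.
DOMAIN_ISO_EXEMPTIONS = {"myriskysite1.com", "myriskysite2.com"}
CLIENT_IP_ISO_EXEMPTIONS = {ipaddress.ip_address("192.168.10.125")}
ISOLATED_SUBNET = ipaddress.ip_network("192.168.10.0/24")


def domain_exempt(host):
    # Assumption: a category entry matches the domain and its subdomains.
    return any(host == d or host.endswith("." + d) for d in DOMAIN_ISO_EXEMPTIONS)


def risk_line(req):
    # url.threat_risk.level=7..10 url.category=!("domain_iso_exemptions")
    return 7 <= req["risk"] <= 10 and not domain_exempt(req["host"])


def client_line(req):
    # client.address=192.168.10.0/24 client.address=!client_ip_iso_exemptions
    addr = ipaddress.ip_address(req["client"])
    return addr in ISOLATED_SUBNET and addr not in CLIENT_IP_ISO_EXEMPTIONS


def as_written(req):
    # Two separate lines in the condition block: either one matching isolates.
    return risk_line(req) or client_line(req)


def all_on_one_line(req):
    # Hypothetical variant: the same triggers on a single line, so all must match.
    return risk_line(req) and client_line(req)


# Constructed sample requests (risk levels are invented for the model).
SAMPLES = [
    {"host": "myriskysite1.com", "risk": 8, "client": "10.1.1.5"},
    {"host": "myriskysite1.com", "risk": 8, "client": "192.168.10.50"},
    {"host": "other.example", "risk": 9, "client": "192.168.10.125"},
    {"host": "other.example", "risk": 2, "client": "192.168.10.50"},
    {"host": "other.example", "risk": 9, "client": "192.168.10.50"},
]


def evaluate(samples=SAMPLES):
    # One (as_written, all_on_one_line) pair per sample request.
    return [(as_written(r), all_on_one_line(r)) for r in samples]


if __name__ == "__main__":
    for req, (ored, anded) in zip(SAMPLES, evaluate()):
        print(req, "as written:", ored, "| one line:", anded)
```

Under this model, the second sample is the case worth testing against a real tenant: an exempt domain requested from a non-exempt address in 192.168.10.0/24 still matches the condition through the client address line.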