How to bypass domains from full isolation for Cloud SWG users configured using UPE CPL

Article ID: 263359

Products

Web Protection Suite

Issue/Introduction

Users access internet sites through Cloud SWG using a mix of WSS Agents and explicit proxy access methods.

The Cloud SWG tenant is managed using Management Center (UPE).

The tenant has a full Web Isolation license, and the admin uses CPL to configure the isolation policy per the UPE isolation documentation.

Everything works as it should except one thing: no site can be bypassed from isolation.

Is there a CPL policy for full isolation that also allows specific traffic to bypass isolation?

Environment

Cloud SWG configured using UPE policy.

Web isolation.

All Cloud SWG access methods.

Resolution

To bypass a single site from isolation, add it as a negated domain match on the isolation conditions, as shown below. This example isolates all sites with a threat risk level of 7-10 except myriskysite.com (assumed to have a risk level of 7-10 as well). Note that url.domain is a suffix match, so subdomains such as www.myriskysite.com are exempted too. Each line inside a define condition is an alternative (OR) and the triggers on one line must all match (AND), so the exemption has to be repeated on every line that could otherwise match the site:

;; Begin Template
#if enforcement=wss
    define condition Isolation_CondWebIsolationMatchCriteriaWebAccess
      ; risk 7-10 sites, except myriskysite.com and its subdomains
      url.threat_risk.level=7..10 url.domain=!"myriskysite.com"
      ; if the category criteria are enabled, the exemption must be ANDed onto that line too
      ;url.category=("Malicious Outbound Data/Botnets","Suspicious") url.domain=!"myriskysite.com"
      ;url.domain="malicious.com"
      ;authenticated=yes
      ;client.address=192.168.10.0/24
      ;authenticated=yes url.category=("Malicious Outbound Data/Botnets")
    end

    define condition Isolation_CondWebIsolationMatchCriteriaForwarding
      server_url.threat_risk.level=7..10 server_url.domain=!"myriskysite.com"
      ;server_url.category=("Malicious Outbound Data/Botnets","Suspicious") server_url.domain=!"myriskysite.com"
      ;server_url.domain="malicious.com"
      ;authenticated=yes
      ;client.address=192.168.10.0/24
      ;authenticated=yes server_url.category=("Malicious Outbound Data/Botnets")
    end
    
    ; SSL interception is required for isolation of HTTPS sites; conditioning it
    ; on the isolation criteria keeps the exempted site out of this intercept rule
    <SSL-Intercept> condition=Isolation_CondWebIsolationMatchCriteriaWebAccess
      ssl.forward_proxy(https)
#endif
;; End Template

If there is a group of domains to bypass, or client IP addresses to exempt from isolation, use a defined category and a defined subnet instead of listing them inline. The CPL below isolates sites with a risk level of 7-10 except the domains in domain_iso_exemptions, and isolates all traffic from 192.168.10.0/24 except the host 192.168.10.125. Because the two lines are ORed, the exempted host is only excluded from the subnet-wide rule: on a risk 7-10 site it still matches the first line. To exempt a client from isolation entirely, add client.address=!client_ip_iso_exemptions to every line of both conditions:

;; Begin Template
#if enforcement=wss

    ; domains exempted from isolation, as a custom category
    define category domain_iso_exemptions
        myriskysite1.com
        myriskysite2.com
    end

    ; client addresses exempted from the subnet-wide rule
    define subnet client_ip_iso_exemptions
        192.168.10.125
    end

    ; lines are ORed, triggers on one line are ANDed:
    ; first line  - risk 7-10 sites, except the exempted domains
    ; second line - all traffic from 192.168.10.0/24, except the exempted client
    define condition Isolation_CondWebIsolationMatchCriteriaWebAccess
      url.threat_risk.level=7..10 url.category=!("domain_iso_exemptions")
      ;url.category=("Malicious Outbound Data/Botnets","Suspicious") url.category=!("domain_iso_exemptions")
      ;url.domain="malicious.com"
      ;authenticated=yes
      client.address=192.168.10.0/24 client.address=!client_ip_iso_exemptions
      ;authenticated=yes url.category=("Malicious Outbound Data/Botnets")
    end

    define condition Isolation_CondWebIsolationMatchCriteriaForwarding
      server_url.threat_risk.level=7..10 server_url.category=!("domain_iso_exemptions")
      ;server_url.category=("Malicious Outbound Data/Botnets","Suspicious") server_url.category=!("domain_iso_exemptions")
      ;server_url.domain="malicious.com"
      ;authenticated=yes
      client.address=192.168.10.0/24 client.address=!client_ip_iso_exemptions
      ;authenticated=yes server_url.category=("Malicious Outbound Data/Botnets")
    end
    
    ; SSL interception is required for isolation of HTTPS sites; conditioning it
    ; on the isolation criteria keeps exempted traffic out of this intercept rule
    <SSL-Intercept> condition=Isolation_CondWebIsolationMatchCriteriaWebAccess
      ssl.forward_proxy(https)
#endif
;; End Template
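The following CPL is an added example that generalizes the two templates above; it is not part of the article or of the UPE isolation template. It keeps both the risk-level and the category criteria active and ANDs the domain exemption and the client exemption onto every alternative line, so that an exempted domain or client is not isolated by any of the rules. The names iso_domain_exemptions and iso_client_exemptions and the sample domains and addresses are assumed placeholders.

```cpl
;; Begin Template (added example, assumed names and values)
#if enforcement=wss

    ; placeholder domains to bypass from isolation
    define category iso_domain_exemptions
        myriskysite1.com
        myriskysite2.com
    end

    ; placeholder clients to bypass from isolation entirely (host and subnet entries)
    define subnet iso_client_exemptions
        192.168.10.125
        192.168.20.0/24
    end

    ; Lines inside a define condition are ORed; triggers on one line are ANDed.
    ; Both exemptions appear on every line, otherwise a line without them would
    ; still isolate the exempted domain or client.
    define condition Isolation_CondWebIsolationMatchCriteriaWebAccess
      url.threat_risk.level=7..10 url.category=!("iso_domain_exemptions") client.address=!iso_client_exemptions
      url.category=("Malicious Outbound Data/Botnets","Suspicious") url.category=!("iso_domain_exemptions") client.address=!iso_client_exemptions
    end

    define condition Isolation_CondWebIsolationMatchCriteriaForwarding
      server_url.threat_risk.level=7..10 server_url.category=!("iso_domain_exemptions") client.address=!iso_client_exemptions
      server_url.category=("Malicious Outbound Data/Botnets","Suspicious") server_url.category=!("iso_domain_exemptions") client.address=!iso_client_exemptions
    end

    ; SSL interception is required for isolation of HTTPS sites; scoping it to the
    ; same condition keeps exempted sites and clients out of this intercept rule
    <SSL-Intercept> condition=Isolation_CondWebIsolationMatchCriteriaWebAccess
      ssl.forward_proxy(https)
#endif
;; End Template
```

After installing the policy, confirm the exemption from an exempted client and from a non-exempted client against one of the listed domains: only the non-exempted client should see the isolated rendering.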