Policy install returns the "Raw CPL requires #if enforcement=appliance-specific policy" error


Article ID: 272312


Products

ProxySG Software - SGOS

Issue/Introduction

The guidance in the technical articles below has been correctly implemented and verified, yet WSS isn't accepting it and is unable to carry forward user authentication from the on-premises Edge SWG (ProxySG) to the Cloud SWG (WSS).

Configure Edge SWG Appliance Proxy Forwarding (broadcom.com)

Edge SWG Proxy Forwarding for CloudSOC (broadcom.com)

 

Resolution

The requirement is to implement Edge SWG Proxy Forwarding for CloudSOC. The reported error is shown below.

"Raw CPL requires #if enforcement=appliance-specific policy"

Note that there is sometimes a requirement to write a single CPL policy and apply it to different products, software versions, or enforcement domains through Management Center.

It is also easier to maintain a single CPL than a different CPL per product, version, or enforcement domain.

CPL allows you to segregate policies as below: 

  • Product specific policy -
    • #if product=asg
      <CPL Rules>
      #endif
    • #if product=sg
      <CPL Rules>
      #endif
  • Enforcement domain specific policy -
    • #if enforcement=appliance
      <CPL Rules>
      #endif
    • #if enforcement=wss
      <CPL Rules>
      #endif
  • Software version specific policy -
    • #if release.version=6.7.5.19
      <CPL Rules>
      #endif

Ref. doc.: https://knowledge.broadcom.com/external/article/245021/creating-conditional-policies-in-proxysg.html 

Implementing the option below resolves the error. It is important to have the CPL rule(s) in position as shown below.

Enforcement domain specific policy -

    • #if enforcement=appliance
      <CPL Rules>
      #endif
    • #if enforcement=wss
      <CPL Rules>
      #endif
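
A pre-install check for the condition behind this error, as an added example that is not Broadcom's code or part of the original article: it lists CPL lines that sit outside any #if enforcement= block. It assumes ";" starts a CPL comment and that conditionals are written as "#if name=value" closed by "#endif"; the function name and the sample policies are constructed for illustration.

```python
import re

# Assumption: conditionals are written "#if <name>=<value>" ... "#endif".
IF_RE = re.compile(r"^#\s*if\s+(\w[\w.]*)\s*=\s*(\S+)", re.IGNORECASE)

# Constructed sample policies (not from the article).
UNGUARDED = "<Proxy>\n    url.domain=example.com deny\n"
GUARDED = (
    "#if enforcement=appliance\n<Proxy>\n    url.domain=example.com deny\n#endif\n"
    "#if enforcement=wss\n<Proxy>\n    url.domain=example.com deny\n#endif\n"
)
PRODUCT_ONLY = "#if product=sg\n<Proxy>\n    url.domain=example.com deny\n#endif\n"


def unguarded_lines(cpl_text):
    """Return (line_number, text) for CPL lines outside every #if enforcement= block."""
    stack = []      # one entry per open #if: True when it tests enforcement=
    findings = []
    for number, raw in enumerate(cpl_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(";"):       # blank line or CPL comment
            continue
        match = IF_RE.match(line)
        if match:
            stack.append(match.group(1).lower() == "enforcement")
        elif line.lower().startswith("#endif"):
            if not stack:
                raise ValueError(f"line {number}: #endif without matching #if")
            stack.pop()
        elif line.startswith("#"):
            continue                                # other directive, e.g. #else
        elif not any(stack):                        # no enclosing enforcement guard
            findings.append((number, line))
    if stack:
        raise ValueError("unterminated #if block")
    return findings


if __name__ == "__main__":
    for name, text in (("unguarded", UNGUARDED), ("guarded", GUARDED),
                       ("product-only", PRODUCT_ONLY)):
        print(name, unguarded_lines(text))
```

An empty result means every rule line is inside an enforcement-specific block; a product= or release.version= guard on its own is still reported.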