Policy install returns the "Raw CPL requires #if enforcement=appliance-specific policy" error
Article ID: 272312
Updated On:
Products
Issue/Introduction
The guidance in the Tech. Articles below have been correctly implemented and verified. Yet, WSS isn't accepting it and unable to carry forward user authentication from the on-Premise Edge SWG (ProxySG) to the Cloud SWG (WSS)
Configure Edge SWG Appliance Proxy Forwarding (broadcom.com)
Edge SWG Proxy Forwarding for CloudSOC (broadcom.com)
Resolution
The requirement is to implement Edge SWG Proxy Forwarding for CloudSOC, and as per the reported error, we see the below.
"Raw CPL rewquires #if enforcement=appliance-specific policy"
To respond to the above, please note that sometimes there is a requirement to write single CPL policy and apply it for different products, software versions, or enforcement domains through Management center.
It is also easier to maintain a single CPL instead of different CPL per product, version or enforcement domains.
CPL allows you to segregate policies as below:
- Product specific policy -
- #if product=asg
<CPL Rules>
#endif - #if product=sg
<CPL Rules>
#endif
- #if product=asg
- Enforcement domain specific policy -
- #if enforcement=appliance
<CPL Rules>
#endif - #if enforcement=wss
<CPL Rules>
#endif
- #if enforcement=appliance
- Software version specific policy
-
- if release.version=6.7.5.19
<CPL Rules>
#endif
- if release.version=6.7.5.19
Ref. doc.: https://knowledge.broadcom.com/external/article/245021/creating-conditional-policies-in-proxysg.html
Implementing the option below resolves the error. Having the CPL rule(s) in position, and shown below is important.
Enforcement domain specific policy -
-
- #if enforcement=appliance
<CPL Rules>
#endif - #if enforcement=wss
<CPL Rules>
#endif
- #if enforcement=appliance
Feedback
