Unable to see user login information in access logs in a Cloud SWG tenant when access is denied


Article ID: 274256


Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Users access internet sites via Cloud SWG using multiple access methods (Proxy Forwarding, IPsec and WSS Agent).

All requests require authentication (enabled using SAML), and all policies appear to work correctly.

When a user's access to a site is blocked, the access logs do not record any user information in the access-denied entries for those requests, as shown below:

Cloud SWG is managed using UPE.


Environment

Cloud SWG.

UPE/Management Center used to configure service.

Cause

The "access_server(no)" directive in the UPE policy causes the user information to be removed from the access log event for the denied request.

Resolution

Modify the Cloud SWG UPE policy so that all rules referencing the "access_server(no)" directive are removed.

Alternatively, if the condition is still required by an on-premise appliance, add an enforcement rule so that it applies only to the 'appliance' target and not to 'universal' or 'wss'.

Here is a snippet of the rules being pushed into Cloud SWG that reference "access_server(no)":

condition=!__is_notify_internal_proxy condition=RSI_BlockAll_Cat Deny access_server(no) ; Rule 17
condition=!__is_notify_internal_proxy url.domain="setup.icloud.com" Deny access_server(no) ; Rule 22
condition=!__is_notify_internal_proxy condition=Grp_DenyAll Deny access_server(no) ; Rule 63
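To check a policy export for rules that still carry the directive before re-pushing it, the following added example (not Broadcom's tooling, and not part of the original article) scans policy text line by line, reports each matching rule by its trailing "Rule N" comment, and shows what the rule looks like with the directive removed. The sample policy is constructed from the three rules quoted above plus one clean rule; the regular expressions assume the same line layout as that snippet.

```python
import re

# Constructed sample modelled on the rules quoted in the article; not a real policy export.
SAMPLE_POLICY = """\
condition=!__is_notify_internal_proxy condition=RSI_BlockAll_Cat Deny access_server(no) ; Rule 17
condition=!__is_notify_internal_proxy url.domain="setup.icloud.com" Deny access_server(no) ; Rule 22
condition=!__is_notify_internal_proxy condition=Grp_DenyAll Deny access_server(no) ; Rule 63
condition=!__is_notify_internal_proxy url.domain="example.test" Deny ; Rule 64
"""

# The directive the article identifies as stripping user info from the access log.
DIRECTIVE = re.compile(r"\baccess_server\(\s*no\s*\)", re.IGNORECASE)
# Trailing "; Rule N" comment, as in the quoted snippet (assumed layout).
RULE_TAG = re.compile(r";\s*(Rule\s+\d+)\s*$")


def find_access_server_no(policy_text):
    """Return (rule_label, line) for every rule carrying access_server(no)."""
    hits = []
    for line in policy_text.splitlines():
        if DIRECTIVE.search(line):
            m = RULE_TAG.search(line)
            label = m.group(1) if m else "(unlabelled)"
            hits.append((label, line.strip()))
    return hits


def strip_access_server_no(line):
    """Return the rule with the directive removed and inner whitespace normalised."""
    cleaned = DIRECTIVE.sub("", line)
    return re.sub(r"[ \t]{2,}", " ", cleaned).strip()


if __name__ == "__main__":
    for label, line in find_access_server_no(SAMPLE_POLICY):
        print(f"{label}: {line}")
        print(f"  -> {strip_access_server_no(line)}")
```

The script only reports and rewrites text; the actual change must still be made in the UPE policy in Management Center and pushed to Cloud SWG.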

Additional Information

The access_server(no) directive, which is used to avoid unnecessary traffic to the OCS (origin content server), is not needed within the Cloud SWG environment.