Adding .local secondary domain in CMP does not propagate over to CloudSOC and CASB entitlement goes into Error state

Article ID: 276223

Updated On: 06-03-2025

Products

CASB Gateway Advanced, CASB Advanced Threat Protection, CASB Audit, CASB Gateway, CASB Security Advanced, CASB Security Advanced IAAS, CASB Security Premium, CASB Security Premium IAAS, CASB Security Standard, CASB Securlet IAAS, CASB Securlet SAAS, CASB Securlet SAAS With DLP-CDS

Issue/Introduction

Adding a .local secondary domain in CMP does not propagate over to CloudSOC.

Additionally, after the .local domain is added to the entitlement/tenant, the CASB entitlement will go into an error state.

Cause

Email addresses associated with .local domains may not be globally routable, so .local domains are not allowed to be added as secondary domains in CloudSOC.

CloudSOC tasks that require the system to send an email won't work.

Some examples are sending a CloudSOC user a password, getting an email with a link to a large report, Protect policy email alerts, etc.

Resolution

The secondary domain does not propagate to CASB, so it should not cause any issues with the product itself. However, it is still necessary to clean up the invalid domain entry from the entitlement to clear the error state.

To clean up the .local domain entry from the entitlement in the Enterprise Console, and to clear the error state from the CASB entitlement, open a case with Technical Support.

Additional Information

The CloudSOC (CASB) email validator we use marks .local domains as invalid, for the following reason:

# RFC 6762 says that applications "may" treat ".local" as special and
# that "name resolution APIs and libraries SHOULD recognize these names
# as special," and since ".local" has no global definition, we reject
# it, as we expect email addresses to be globally routable.
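
A pre-check an administrator could run over candidate secondary domains before adding them in CMP, flagging any whose top-level label is .local. This is an added example, not Broadcom's validator code; the function names and sample domains are constructed, and it checks only the .local suffix named in this article.

```python
# Added example: flag candidate secondary domains that end in ".local".
# Only the ".local" suffix comes from the article; names and data are constructed.

REJECTED_TLDS = {"local"}  # RFC 6762 mDNS suffix, the one this article covers


def normalize_domain(value: str) -> str:
    """Accept a bare domain or an email address; return the lowercased domain."""
    domain = value.strip().rsplit("@", 1)[-1]
    # A fully qualified name may carry a trailing root dot ("corp.local.").
    return domain.rstrip(".").lower()


def is_rejected(value: str) -> bool:
    """True when the rightmost label of the domain is a rejected suffix."""
    domain = normalize_domain(value)
    if not domain:
        return False
    return domain.rsplit(".", 1)[-1] in REJECTED_TLDS


def audit(candidates):
    """Split candidates into (safe_to_add, will_be_rejected), preserving order."""
    ok, bad = [], []
    for item in candidates:
        (bad if is_rejected(item) else ok).append(normalize_domain(item))
    return ok, bad


# Constructed sample input, not taken from any real tenant.
SAMPLE = [
    "example.com",
    "corp.local",
    "AD.Corp.LOCAL.",            # mixed case with trailing root dot
    "local.example.com",         # "local" as a subdomain label is not the TLD
    "uselocal.example.net",      # suffix match must be on a whole label
    "svc-account@branch.local",  # an email address is reduced to its domain
]

if __name__ == "__main__":
    ok, bad = audit(SAMPLE)
    print("safe to add as secondary domains:", ok)
    print("remove or replace before adding :", bad)
```

The match is made on the whole rightmost label, so names such as local.example.com are not flagged.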