Users accessing internet resources via Cloud SWG using WSS Agent devices.

Remote users can authenticate and access resources they are entitled to.

Office users cannot seem to connect successfully to Cloud SWG (using Wifi or LAN connections)

CTC would appear to give the correct Cloud SWG VIPs but UDP or TCP connectivity to these sites would fails as per the following logs:

[01-17-2024 14:56:39 (UTC+3:00)]: CTC Response: ACTIVE(GEOIP)  egress: #.#.#.# gsari-148.64.6.2  GBHMA-168.149.175.170  GAEAD-168.149.175.170  geolocation: SA 
[01-17-2024 14:56:40 (UTC+3:00)]: Attempting to connect togsari via UDP
[01-17-2024 14:56:45 (UTC+3:00)]: UDP Connection failed on Tunnel#23 (ec:26 - A timeout has occurred), will attempt TCP on the same DP
[01-17-2024 14:56:46 (UTC+3:00)]: Attempting to connect to gsari via TCP
[01-17-2024 14:56:56 (UTC+3:00)]: Connection failed for gsari, will try the next POP in the connect list - error was (ec:26 - A timeout has occurred)
[01-17-2024 14:56:57 (UTC+3:00)]: Attempting to connect to GBHMA via TCP
[01-17-2024 14:57:07 (UTC+3:00)]: Connection failed for GBHMA, will try the next POP in the connect list - error was (ec:26 - A timeout has occurred)
[01-17-2024 14:57:08 (UTC+3:00)]: Attempting to connect to GBHMA via TCP
[01-17-2024 14:57:18 (UTC+3:00)]: Connection failed for GBHMA, last POP in the connect list - error was (ec:26 - A timeout has occurred)
[01-17-2024 14:57:18 (UTC+3:00)]: Connection to WSS failed

Cloud SWG.

WSS Agents.

Fortigate Firewall.

Deep packet inspection on office firewall blocking OpenVPN protocol.

Modify the Fortigate to allow OpenVPN application data.

Symdiag logs from above clearly show UDP/TCP errors.

PCAPs on Cloud SWG confirmed no requests would arrive into the service from the office network egress point.

Fortigate logs checked and confirmed that dropped requests were picked up as OpenVPN application

Firewall policy was blocking OpenVPN application.