Downstream Edge SWG (ProxySG) CPL Best Practices For Web Isolation Integration

Article ID: 279646


Products

Web Isolation
Cloud Web Isolation

Issue/Introduction

This article describes the required and recommended configurations for ensuring your Edge SWG (ProxySG) is set up and configured in a supported manner. A boiler-plate CPL template that can be used to onboard your Edge SWG (ProxySG) appliances with your own dedicated Web Isolation tenant is provided at the bottom of the document. Note that although this document provides the information needed to configure your Edge SWG (ProxySG) with CPL to work with your own cloud Web Isolation tenant, it is strongly recommended to use the native Isolation service in the Edge SWG (ProxySG) instead.

Environment

Web Isolation On-Prem

Web Isolation Cloud

Resolution

Terminology

Tenant name “ryanwi” - The prefix used for your environment. It can be determined by logging into the management console and observing the name in the banner.

Load balancer name “ryanwi.prod.fire.glass” - The tenant name followed by “prod.fire.glass”. This is a GCP network load balancer whose pool contains all of your Web Isolation gateways.

User gateway name “ryanwi-1-northamerica-northeast1.prod.fire.glass” - The name of an individual Web Isolation user gateway. The full list is found under the System Configuration > Gateways tab in the management console.

Web Isolation resources - A list of host names used internally by the Web Isolation product. Below is the most recent list as of 15/02/2024 (this list is not actively maintained):

global-shared.fire.glass
global-noauth-shared.fire.glass
shared.fireglass
noauth.shared.fireglass
docisolation.prod.fire.glass
docisolation-eu.prod.fire.glass
doc-isolation-prod.prod.fire.glass
doc-isolation-prod-eu.prod.fire.glass
doc-isolation-stg.stg.fire.glass
doc-isolation-stg-eu.stg.fire.glass

 

Required configuration

Web Isolation

Downstream Proxy Settings

The downstream proxy configuration must be added in the Web Isolation management console, with the product set to “Symantec Secure Web Gateway (ProxySG)”.

If you have decided to forward headers, i.e. X-Forwarded-For (XFF), X-Authenticated-User (XAU) or X-Authenticated-Groups (XAG), enable the “Request Headers” option. The “Trust headers from IP(s)” field must contain all the egress IP addresses of your Edge SWG (ProxySG) appliances. It is not necessary to select the “HTTPS Interception” or “Isolation Criteria” checkboxes.

If your environment spans multiple regions, ensure that the Isolation Gateway Clusters field contains all of your regions/clusters.

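The “Trust headers from IP(s)” rule above is what stops a client from simply setting its own X-Authenticated-User header, because the recommended CPL further down sends XFF in clear text and XAU/XAG only base64 encoded ($(user:encode_base64), $(groups:encode_base64)). The following is an added example, not part of this article and not Web Isolation or ProxySG code, that models how a gateway should treat those headers: honour them only when the connection arrives from a listed proxy egress address, and discard anything that does not decode. The trusted address block, the header values and the user/group names are all constructed for the example.

```python
"""Model of the 'Trust headers from IP(s)' rule for XFF / XAU / XAG.

Added example, not part of the Broadcom article and not Web Isolation code.
It assumes the header layout the recommended CPL on this page produces:
X-Forwarded-For carries the client IP in clear text, while
x-authenticated-user and x-authenticated-groups are base64 encoded.
"""
import base64
import binascii
import ipaddress

# Egress addresses of the Edge SWG (ProxySG) appliances.
# Constructed documentation range; replace with your own egress IPs.
TRUSTED_PROXY_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]


def is_trusted_source(source_ip: str) -> bool:
    """True when the connection comes from a listed proxy egress address."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXY_EGRESS)


def decode_b64_header(value):
    """Decode a base64 header value; None when absent or not valid base64."""
    if value is None:
        return None
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def forwarded_identity(source_ip: str, headers: dict) -> dict:
    """Return the identity a gateway may attribute to one request.

    Headers arriving from an address outside TRUSTED_PROXY_EGRESS are ignored
    entirely: the request is attributed to its own source address with no
    user or group, because anything that can reach the gateway could
    otherwise set them.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if not is_trusted_source(source_ip):
        return {"trusted": False, "client_ip": source_ip,
                "user": None, "groups": None}
    # XFF may hold a comma-separated chain; the first entry is the client
    client_ip = lower.get("x-forwarded-for", source_ip).split(",")[0].strip()
    return {
        "trusted": True,
        "client_ip": client_ip,
        "user": decode_b64_header(lower.get("x-authenticated-user")),
        "groups": decode_b64_header(lower.get("x-authenticated-groups")),
    }


if __name__ == "__main__":
    # Constructed request: proxy egress 203.0.113.10 forwarding client 10.20.30.40,
    # user "ACME\jdoe" and group "Finance", base64 encoded as the CPL would send them
    sample_headers = {
        "X-Forwarded-For": "10.20.30.40",
        "x-authenticated-user": "QUNNRVxqZG9l",
        "x-authenticated-groups": "RmluYW5jZQ==",
    }
    print(forwarded_identity("203.0.113.10", sample_headers))  # trusted, identity attributed
    print(forwarded_identity("198.51.100.7", sample_headers))  # untrusted, headers ignored
```

The point of the second call is the failure mode: the same headers sent from an address that is not in the trust list yield no user or group at all, rather than a partially trusted identity.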

Edge SWG (ProxySG)

Isolation service

Using this documentation alongside the native Edge SWG (ProxySG) Isolation service is NOT supported. If you implement this CPL code, the Edge SWG (ProxySG) Isolation service MUST BE DISABLED. To disable the service and confirm it is disabled, from an SSH session:

SG01> enable
SG01# conf t
SG01#(config) isolation
SG01#(config isolation) disable
SG01#(config isolation) view
...
Service status: disabled

 

Required CA certificates

The CSWG (WSS) CA certificate must be installed to avoid TLS certificate issues. Use the commands below to add it to the browser-trusted CCL:

SG01> enable
SG01# conf t
SG01#(config) ssl
SG01#(config ssl) edit ccl "browser-trusted"
SG01#(config ssl) add "BC_Cloud_Services_Root_CA"

If the CA certificate does not exist on the appliance, import it first (the certificate is attached below):


User Gateways

A valid regex or URL condition must be in place that specifically matches all traffic destined for your Web Isolation user gateways and load balancer name. The rule using this condition must NOT forward the traffic to the forwarding host but instead send it DIRECT.

An example of the implementation is provided below:

define condition Isolation_Gateways
    server_url.domain="prod.fire.glass" server_url.host.substring="ryanwi" ; Replace "ryanwi" with your tenant name
end condition Isolation_Gateways

<Forward "Isolation_Universal">
condition=Isolation_Gateways forward(no)

 

Web Isolation Resources

The list of URLs below is not actively updated, since with the native Edge SWG (ProxySG) Isolation service this is done automatically. The list is current as of 15/02/2024.

The URLs below must match a forwarding rule that sends them to Isolation via a forwarding host, and they must also be TLS intercepted:

global-shared.fire.glass
global-noauth-shared.fire.glass
shared.fireglass
noauth.shared.fireglass
docisolation.prod.fire.glass
docisolation-eu.prod.fire.glass
doc-isolation-prod.prod.fire.glass
doc-isolation-prod-eu.prod.fire.glass
doc-isolation-stg.stg.fire.glass
doc-isolation-stg-eu.stg.fire.glass

 

An example of the implementation is provided below:

define condition Isolation_GatewayDestinations
    url.host.exact="global-shared.fire.glass"
    url.host.exact="global-noauth-shared.fire.glass"
    url.host.exact="shared.fireglass"
    url.host.exact="noauth.shared.fireglass"
    url.host.exact="docisolation.prod.fire.glass"
    url.host.exact="docisolation-eu.prod.fire.glass"
    url.host.exact="doc-isolation-prod.prod.fire.glass"
    url.host.exact="doc-isolation-prod-eu.prod.fire.glass"
    url.host.exact="doc-isolation-stg.stg.fire.glass"
    url.host.exact="doc-isolation-stg-eu.stg.fire.glass"
end condition Isolation_GatewayDestinations

define condition Isolation_Resources
    server_url.host.exact="global-shared.fire.glass"
    server_url.host.exact="global-noauth-shared.fire.glass"
    server_url.host.exact="shared.fireglass"
    server_url.host.exact="noauth.shared.fireglass"
    server_url.host.exact="docisolation.prod.fire.glass"
    server_url.host.exact="docisolation-eu.prod.fire.glass"
    server_url.host.exact="doc-isolation-prod.prod.fire.glass"
    server_url.host.exact="doc-isolation-prod-eu.prod.fire.glass"
    server_url.host.exact="doc-isolation-stg.stg.fire.glass"
    server_url.host.exact="doc-isolation-stg-eu.stg.fire.glass"
end condition Isolation_Resources

define action Isolation_actionRemoveBluecoatVia
    delete(request.x_header.X-Bluecoat-Via)
end action Isolation_actionRemoveBluecoatVia

<Proxy "Isolation_Universal">
condition=Isolation_GatewayDestinations action.Isolation_actionRemoveBluecoatVia(yes) Allow

<Forward "Isolation">
condition=Isolation_Resources forward("Isolation_Instance_1") forward.fail_open(no)
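The two forwarding requirements above (gateways and load balancer DIRECT, resource hosts to the forwarding host) interact through CPL layer ordering: `<Forward "Isolation_Universal">` comes after `<Forward "Isolation">`, so its `forward(no)` wins for the tenant's own gateways even when an earlier rule matched. The following is an added example, not part of this article and not ProxySG code, that models those conditions offline so a gateway list from the System Configuration > Gateways tab can be checked before policy is pushed. The trigger semantics (`host.exact` equality, `domain` suffix match on a label boundary, `host.substring` containment, ANDed triggers per line, ORed lines per condition, later layer wins) are assumptions of the model, and the `matches_forward_criteria` flag stands in for the context-dependent Isolation_ForwardTraffic condition of the recommended configuration.

```python
"""Offline checker for the forwarding decisions described in the User Gateways
and Web Isolation Resources sections.

Added example, not part of the Broadcom article and not ProxySG code. CPL
trigger semantics are modelled as assumed here:
  host.exact      -> case-insensitive equality with the host name
  domain          -> host equals the value, or ends with "." + value
  host.substring  -> the value occurs anywhere in the host name
Triggers on one line AND together, lines in a condition OR together, and a
later layer overrides an earlier one for the same decision (forward).
"""

TENANT = "ryanwi"  # tenant name used on the page; replace with your own

# Web Isolation resource hosts as listed on the page (current as of 15/02/2024)
ISOLATION_RESOURCES = (
    "global-shared.fire.glass",
    "global-noauth-shared.fire.glass",
    "shared.fireglass",
    "noauth.shared.fireglass",
    "docisolation.prod.fire.glass",
    "docisolation-eu.prod.fire.glass",
    "doc-isolation-prod.prod.fire.glass",
    "doc-isolation-prod-eu.prod.fire.glass",
    "doc-isolation-stg.stg.fire.glass",
    "doc-isolation-stg-eu.stg.fire.glass",
)


def host_exact(host: str, value: str) -> bool:
    return host.lower() == value.lower()


def domain(host: str, value: str) -> bool:
    host, value = host.lower(), value.lower()
    return host == value or host.endswith("." + value)


def host_substring(host: str, value: str) -> bool:
    return value.lower() in host.lower()


def isolation_gateways(host: str) -> bool:
    """define condition Isolation_Gateways: one line, two ANDed triggers."""
    return domain(host, "prod.fire.glass") and host_substring(host, TENANT)


def isolation_resources(host: str) -> bool:
    """define condition Isolation_Resources: one host.exact line per resource, ORed."""
    return any(host_exact(host, r) for r in ISOLATION_RESOURCES)


def forwarding_decision(host: str, matches_forward_criteria: bool = False) -> str:
    """Forward-layer outcome for one server host.

    matches_forward_criteria stands in for the Isolation_ForwardTraffic
    condition of the recommended configuration (risk level, category, user,
    subnet ...), which depends on request context not modelled here.
    """
    decision = "default"  # no isolation rule matched; normal forwarding applies
    # <Forward "Isolation">: resources and selected traffic go to the forwarding host
    if isolation_resources(host) or matches_forward_criteria:
        decision = 'forward("Isolation_Instance_1")'
    # <Forward "Isolation_Universal"> comes later, so its forward(no) wins for the
    # tenant's own gateways and load balancer: they must always go DIRECT
    if isolation_gateways(host):
        decision = "forward(no)"
    return decision


def audit(hosts, matches_forward_criteria: bool = False) -> dict:
    """Map each host to its decision, e.g. for a gateway list exported from the
    System Configuration > Gateways tab."""
    return {h: forwarding_decision(h, matches_forward_criteria) for h in hosts}


if __name__ == "__main__":
    sample = [  # constructed hosts following the naming on the page
        "ryanwi.prod.fire.glass",
        "ryanwi-1-northamerica-northeast1.prod.fire.glass",
        "global-shared.fire.glass",
        "www.example.com",
    ]
    for host, decision in audit(sample, matches_forward_criteria=True).items():
        print(f"{host:50s} {decision}")
```

Running the audit with `matches_forward_criteria=True` is the interesting case: it shows that the tenant's gateway and load balancer names still come out as `forward(no)` even though the earlier layer would have sent them to the forwarding host, which is exactly the ordering the two required rules rely on.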

 

Bypass Cache

Due to problems related to caching of the Web Isolation resources, it is mandatory to apply the “bypass_cache(yes)” action to all traffic that is sent to Web Isolation.

An example of the implementation is provided below:

define condition Isolation_SSL
    url.scheme=(http,https)
end condition Isolation_SSL

define condition Isolation_HTTP
    url.scheme=(http)
end condition Isolation_HTTP

define action Isolation_actionRemoveBluecoatVia
    delete(request.x_header.X-Bluecoat-Via)
end action Isolation_actionRemoveBluecoatVia

<Proxy "Isolation">
condition=Isolation_SSL condition=Isolation_HTTP action.Isolation_actionRemoveBluecoatVia(yes) bypass_cache(yes)
condition=Isolation_SSL action.Isolation_actionRemoveBluecoatVia(yes) bypass_cache(yes)

 

SGOS TLS1.3 Session Resumption issue with HTTP/2

Web Isolation Cloud introduced support for TLS1.3 and HTTP/2 in version 1.16.95.

Customers forwarding traffic through an Edge SWG (ProxySG) running an SGOS version prior to 7.3.20 are affected by an SGOS defect involving TLS1.3 session resumption with HTTP/2.

The following policy should be applied for the best experience; it caps the TLS version negotiated towards the isolation gateways at TLS1.2, and only on the affected releases:

#if release.version=7.3.8..7.3.19
<SSL>
condition=Isolation_GatewayDestinations server.connection.max_ssl_version(tlsv1.2)
#endif

 

Recommended Configuration

The configuration below is the recommended CPL configuration and should cover all suitable use-cases. If you make major changes, always ensure that the required configurations outlined in the previous section remain intact. By default the recommended configuration assumes that the Edge SWG (ProxySG) is performing authentication, so the XAU, XAG and XFF headers are set and forwarded to Web Isolation.

Note: The XAU, XAG and XFF headers are sent in a non-secure manner, so for security or privacy reasons this may need to be disabled per your own requirements. If this information must be sent securely, use the native Isolation service with secure mode enabled.


; ---------------   CPL generated by John Doe for Cloud Web Isolation   ---------------  
; --------------------        Revision - 1.3[Public] 17/06/2024            ----------------------


; =========================        Universal code            =========================
define condition Isolation_Gateways
    server_url.domain="prod.fire.glass" server_url.host.substring="ryanwi" ; Replace "ryanwi" with your tenant name
end condition Isolation_Gateways

define condition Isolation_GatewayDestinations
    url.domain="prod.fire.glass" url.host.substring="ryanwi" ; Replace "ryanwi" with your tenant name
    url.host.exact="global-shared.fire.glass"
    url.host.exact="global-noauth-shared.fire.glass"
    url.host.exact="shared.fireglass"
    url.host.exact="noauth.shared.fireglass"
    url.host.exact="docisolation.prod.fire.glass"
    url.host.exact="docisolation-eu.prod.fire.glass"
    url.host.exact="doc-isolation-prod.prod.fire.glass"
    url.host.exact="doc-isolation-prod-eu.prod.fire.glass"
    url.host.exact="doc-isolation-stg.stg.fire.glass"
    url.host.exact="doc-isolation-stg-eu.stg.fire.glass"
end condition Isolation_GatewayDestinations

define condition Isolation_Resources
    server_url.host.exact="global-shared.fire.glass"
    server_url.host.exact="global-noauth-shared.fire.glass"
    server_url.host.exact="shared.fireglass"
    server_url.host.exact="noauth.shared.fireglass"
    server_url.host.exact="docisolation.prod.fire.glass"
    server_url.host.exact="docisolation-eu.prod.fire.glass"
    server_url.host.exact="doc-isolation-prod.prod.fire.glass"
    server_url.host.exact="doc-isolation-prod-eu.prod.fire.glass"
    server_url.host.exact="doc-isolation-stg.stg.fire.glass"
    server_url.host.exact="doc-isolation-stg-eu.stg.fire.glass"
end condition Isolation_Resources

define condition Isolation_SSL
    url.scheme=(http,https)
end condition Isolation_SSL

define condition Isolation_HTTP
    url.scheme=(http)
end condition Isolation_HTTP

define action Isolation_actionAddXFFForWebAccess
    set(request.header.X-Forwarded-For, "$(x-cs-client-effective-ip)")
end action Isolation_actionAddXFFForWebAccess

define action Isolation_actionAddXAUForWebAccess
    set(request.x_header.x-authenticated-user, "$(user:encode_base64)")
end action Isolation_actionAddXAUForWebAccess

define action Isolation_actionAddXAGForWebAccess
    set(request.x_header.x-authenticated-groups, "$(groups:encode_base64)")
end action Isolation_actionAddXAGForWebAccess

define action Isolation_actionAddXFFForForward
    set(forward.http_connect.header.X-Forwarded-For, "$(x-cs-client-effective-ip)")
end action Isolation_actionAddXFFForForward

define action Isolation_actionAddXAUForForward
    set(forward.http_connect.x_header.x-authenticated-user, "$(user:encode_base64)")
end action Isolation_actionAddXAUForForward

define action Isolation_actionAddXAGForForward
    set(forward.http_connect.x_header.x-authenticated-groups, "$(groups:encode_base64)")
end action Isolation_actionAddXAGForForward

define action Isolation_actionRemoveBluecoatVia
    delete(request.x_header.X-Bluecoat-Via)
end action Isolation_actionRemoveBluecoatVia
; +=+=+=+=+=+=+=+=+=+=+=+=+        END Universal code        +=+=+=+=+=+=+=+=+=+=+=+=+


; =========================        Workaround for SGOS Defect SG-38295            =========================
#if release.version=7.3.8..7.3.19
<SSL>
condition=Isolation_GatewayDestinations server.connection.max_ssl_version(tlsv1.2)
#endif
; +=+=+=+=+=+=+=+=+=+=+=+=+        END Workaround for SGOS Defect SG-38295        +=+=+=+=+=+=+=+=+=+=+=+=+


; =========================        Isolation Parameters        =========================
; This list contains the source objects that will NOT be sent to isolation
define condition Isolation_Bypass
    ;realm=REPLACEME    user="REPLACEME"
    ;realm=REPLACEME    group="REPLACEME\group one"
    ;client.address=10.1.1.1
end condition Isolation_Bypass

; This list contains conditions that will be matched for traffic sent to Web Isolation.
; It is used for header forwarding and cache control.
define condition Isolation_Criteria
    url.threat_risk.level=7..10
    url.category=("none","Suspicious")
    url.domain="malicious.com"
    authenticated=yes
    client.address=192.168.10.0/24
    authenticated=yes url.category=("Malicious Outbound Data/Botnets")
end condition Isolation_Criteria


; This list contains conditions that will be matched for forwarding traffic to Web Isolation.
; The forwarding condition types must be the equivalent of the proxy conditions used in Isolation_Criteria.
define condition Isolation_ForwardTraffic
    server_url.threat_risk.level=7..10
    server_url.category=("none","Suspicious")
    server_url.domain="malicious.com"
    authenticated=yes
    client.address=192.168.10.0/24
    authenticated=yes server_url.category=("Malicious Outbound Data/Botnets")
end condition Isolation_ForwardTraffic
; +=+=+=+=+=+=+=+=+=+=+=+=+        END Isolation Parameters    +=+=+=+=+=+=+=+=+=+=+=+=+


; =========================        Isolation Proxy layer        =========================
<Proxy "Isolation_Universal">
condition=Isolation_GatewayDestinations action.Isolation_actionAddXFFForWebAccess(yes) action.Isolation_actionAddXAUForWebAccess(yes) action.Isolation_actionAddXAGForWebAccess(yes) action.Isolation_actionRemoveBluecoatVia(yes) Allow

<Proxy "Isolation"> condition=Isolation_Criteria condition=!Isolation_Bypass
condition=Isolation_SSL condition=Isolation_HTTP action.Isolation_actionAddXFFForWebAccess(yes) action.Isolation_actionAddXAUForWebAccess(yes) action.Isolation_actionAddXAGForWebAccess(yes) action.Isolation_actionRemoveBluecoatVia(yes) bypass_cache(yes)
condition=Isolation_SSL action.Isolation_actionRemoveBluecoatVia(yes) bypass_cache(yes)
; +=+=+=+=+=+=+=+=+=+=+=+=+        END Isolation Proxy layer    +=+=+=+=+=+=+=+=+=+=+=+=+


; =========================        Isolation Forwarding layer    =========================
<Forward "Isolation"> condition=!Isolation_Bypass
condition=Isolation_Resources forward("Isolation_Instance_1") forward.fail_open(no) action.Isolation_actionAddXFFForForward(yes) action.Isolation_actionAddXAUForForward(yes) action.Isolation_actionAddXAGForForward(yes)
condition=Isolation_SSL condition=Isolation_ForwardTraffic forward("Isolation_Instance_1") forward.fail_open(no) action.Isolation_actionAddXFFForForward(yes) action.Isolation_actionAddXAUForForward(yes) action.Isolation_actionAddXAGForForward(yes)

<Forward "Isolation_Universal">
condition=Isolation_Gateways forward(no)
; +=+=+=+=+=+=+=+=+=+=+=+=+        END Isolation Forwarding layer    +=+=+=+=+=+=+=+=+=+=+=+=+

; ------------------------   END Cloud web Isolation CPL block   ------------------------

Additional Information

How To Configure High Risk Isolation

Attachments

BC_Cloud_Services_Root_CA.cer