ZTNA Web application defined for group of users to access, and all working correctly.
To restrict access to managed devices, a Web access policy condition was enabled to only allow managed devices coming in via Cloud SWG/WSS, as shown below:
After applying the change, users accessing the Web application via WSS Agent or SEP Agent fail, due to unauthorized access.
The ZTNA logs for the user requests confirm that no matching policy was found, as shown below:
Cloud SWG.
ZTNA.
Web Access conditional policy enabled.
ZTNA database not updated to include all new Cloud SWG egress IP addresses.
Updated the ZTNA database to include all new Cloud SWG POP IP addresses - completed April 7 '24.
The users in this use case were accessing the Cloud SWG GILTA2 POP, which had recently been added with a new range of IP addresses. This new range had not been included in the ZTNA 'WSS' check and, as a result, the check failed to find a matching IP address.
As part of the troubleshooting process, users in Israel manually connected to the Frankfurt, Germany GDEFR1 POP using dpOverride, and the exact same policy worked fine there. The log entries indicated that a matching policy was found, confirming that the policy itself was fine but its evaluation was failing. Knowing that the 'Symantec Web Security Service' managed device condition checks the ingress IP to determine whether the request came through Cloud SWG/WSS, the assumption that the ZTNA IP address database was out of date was raised and confirmed.
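The following is an added illustration, not Broadcom's code or the actual ZTNA implementation: a small Python model of a managed-device condition that matches on the ingress IP against a database of Cloud SWG POP egress ranges. It reproduces the failure mode above (a POP range missing from the database produces "no matching policy") and includes a log check that surfaces the symptom, a cluster of denied requests from source addresses that no known POP range covers. All CIDRs, POP labels and log lines are constructed placeholders, not Broadcom's published POP addresses.

```python
"""Hypothetical model of the ZTNA 'managed device via Cloud SWG/WSS' check.

The condition matches only when the request's ingress (source) IP falls inside
a known Cloud SWG POP egress range. Every CIDR, POP label and log line here is
constructed for illustration and is not a real Cloud SWG address.
"""
import ipaddress
from collections import Counter

# Constructed stand-in for the ZTNA egress-IP database (not real Cloud SWG ranges).
KNOWN_POP_RANGES = {
    "GDEFR1": ["203.0.113.0/24"],
    "GILTA2-old": ["198.51.100.0/25"],
    # A newly deployed POP range not yet loaded into the database:
    # "GILTA2-new": ["198.51.100.128/25"],
}


def build_db(pop_ranges):
    """Flatten {pop: [cidr, ...]} into a list of (network, pop) tuples."""
    return [(ipaddress.ip_network(cidr), pop)
            for pop, cidrs in pop_ranges.items() for cidr in cidrs]


def managed_device_pop(db, ingress_ip):
    """Return the POP whose egress range contains ingress_ip, or None if no range matches."""
    addr = ipaddress.ip_address(ingress_ip)
    for net, pop in db:
        if addr in net:
            return pop
    return None


def evaluate_policy(db, ingress_ip, require_wss=True):
    """Emulate a Web access policy with the managed-device condition enabled.

    With require_wss set, a request whose source IP is outside every known POP
    range matches no policy, which is what the ZTNA logs showed for the GILTA2 users.
    """
    pop = managed_device_pop(db, ingress_ip)
    if require_wss and pop is None:
        return "no matching policy"
    return "allow"


# Constructed log lines in a simplified form: <timestamp> <user> <ingress_ip> <result>
SAMPLE_LOG = """\
2024-04-05T09:01:02Z alice 198.51.100.130 no-matching-policy
2024-04-05T09:01:05Z bob 198.51.100.131 no-matching-policy
2024-04-05T09:02:10Z carol 203.0.113.17 allow
2024-04-05T09:03:44Z dave 198.51.100.131 no-matching-policy
"""


def uncovered_sources(db, log_text):
    """Count 'no-matching-policy' entries whose source IP lies outside every known POP range.

    A cluster of denials from one contiguous, unknown range is the signal that the
    egress-IP database lags behind a newly deployed POP rather than that the policy is wrong.
    """
    hits = Counter()
    for line in log_text.splitlines():
        _ts, _user, ip, result = line.split()
        if result == "no-matching-policy" and managed_device_pop(db, ip) is None:
            hits[ip] += 1
    return hits


if __name__ == "__main__":
    db = build_db(KNOWN_POP_RANGES)
    print("Before update:", dict(uncovered_sources(db, SAMPLE_LOG)))
    fixed = dict(KNOWN_POP_RANGES, **{"GILTA2-new": ["198.51.100.128/25"]})
    print("After update:", dict(uncovered_sources(build_db(fixed), SAMPLE_LOG)))
```

Running the script prints the two uncovered GILTA2 addresses before the range is added and an empty result afterwards; the same test against a database that includes the new range lets an operator confirm the update before users retry.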