Symantec Cloud SWG - VeloCloud Support Troubleshooting

Article ID: 330718

Products

VMware SD-WAN by VeloCloud
Cloud Secure Web Gateway
Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

The goal of this KB is to help troubleshoot Symantec Cloud SWG connectivity issues from the source device to the Symantec PoP. This includes enabling, deploying and troubleshooting the Symantec PoP-to-PoP feature via the VCG. The KB also includes steps to ensure the correct policies are being applied and to help identify any issues occurring.

Environment

SD-WAN by VeloCloud
Symantec Cloud SWG

Cause

N/A

Resolution

Starting with the 6.1.0 release, VeloCloud SD-WAN introduces the Symantec Web Security Service (Cloud SWG) PoP-to-PoP integration, which supports pre-provisioned Geneve tunnels from VeloCloud Gateways (VCG) to Symantec Cloud SWG Gateways in GCP. With pre-provisioned Geneve tunnels, SD-WAN customers who have a Symantec SSE subscription do not need to configure and set up IPsec tunnels from the Edge or Gateway for their tenant. They can use the pre-provisioned connectivity between the VeloCloud Gateway and Cloud SWG to carry their network traffic. This traffic is inspected by Symantec SSE via a Business Policy.

If you are troubleshooting a Cloud SWG case, make sure to gather the following information before you begin troubleshooting:

  1. Is this a new implementation?
  2. When did the issue start?
  3. Example Impacted Flow (Source / Destination IP address(es) and/or port numbers)
  4. Steps that can be performed to reproduce the issue
  5. Type of internet traffic error being experienced: blackholed, HTTPS error (404, 504...), certificate issue, etc.
  6. Is the issue with how WSS is handling internet traffic (blocking a site that should be whitelisted, allowing access to a site that should be blocked, etc.)?
  7. Is internet traffic successful if WSS is bypassed?
  8. Is this issue continuous or is it intermittent?
  9. Is this impacting specific users?

Once you have gathered these details, follow the troubleshooting steps below.
 

Prerequisites for WSS:

Note: VeloCloud Technical Support is not authorized to enable or disable WSS.

A. The WSS subscription should be validated at the Customer level on the VCO (under Configure > Security Service Edge (SSE) > SSE Subscriptions).

     NOTE: The customer will need API credentials from the Cloud SWG portal to validate the subscription.

 

B. Once the subscription is validated, complete the SSE integration section (under Configure > Security Service Edge (SSE) > SSE Integrations).





C. Confirm that the Business Policy is set up correctly.


The Business Policy (BP) should be configured at the Profile level for Edges that will be deploying WSS PoP-to-PoP tunnels to the VCG. (NOTE: The VCG must be running software version 6.1+ and the Symantec WSS feature must be enabled on the VCG.) In the example, traffic from Source "Any" and Destination "Internet" is set to be backhauled to the above WSS policy (NOTE: IP Version must be set to IPv4).




Once you have verified the above prerequisites and saved all configurations, you should see the WSS endpoint light green under Monitor > Security Service Edge (SSE).




Known Issues will be tracked here:

Additional Information

See the 6.1 Release Notes for more details.