Sites in a global block rule are showing as "Allowed" for some requests on the portal reports

Article ID: 367060

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

When running some checks on the Cloud SWG portal, the customer noticed that some requests to sites in a global block list were showing an "Allowed" verdict, which is unexpected given the policy.

Why are we seeing some allowed transactions in the logs and is there a reason to be concerned about those?

Environment

WSS Agent

Resolution

After capturing a large set of policy trace files, we were able to narrow the behavior down and confirm that it is expected and normal.

The allowed transactions can be explained once the standard deny process is laid out and occasional client disconnections are factored into that process:

Here is the (very abbreviated) process for a request that is to be blocked:

  • a tcp transaction is opened on the proxy to handle the request from the client / browser
    • the transaction verdict is "Allowed"
  • an ssl transaction is created when the client sends a TLS client hello
    • the ssl transaction is evaluated with a "Deny" verdict
  • an ssl intercept transaction is created with an Allow verdict to 
    • a https transaction is created to send back the policy denied page

What the policy trace shows is that, for most of the requests, the process completes as expected and a Deny verdict is shown on the https transaction.

However, a small fraction of the requests were apparently terminated by the client before the https proxy could send the exception page. In those cases the communication path (the tcp session with the client) was broken, so the transaction was terminated before the process could complete. Because the proxy stopped the transaction, the results were recorded with the transaction state at that specific moment, which is why an Allowed verdict appears for a transaction that was properly denied but whose deny processing (and exception page response) could not complete fully.
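As an added illustration (not Broadcom's code and not the real Cloud SWG trace format), the following Python triage over constructed trace records shows why a report keyed on the last recorded transaction state can show Allowed for a request that was in fact denied, and separates that benign case from a blocked destination that no layer ever denied. The tuple layout, host names, layer names and the `BLOCK_LIST` set are assumptions made for the example.

```python
# Constructed sample records (illustrative only; not the real trace format).
# Each tuple: (connection id, destination host, transaction layer, verdict),
# listed in the order the layers were recorded for that connection.
BLOCK_LIST = {"blocked.example"}  # constructed stand-in for the global block rule

TRACE = [
    # conn 1: full deny path, exception page delivered on the https transaction
    (1, "blocked.example", "tcp", "Allowed"),
    (1, "blocked.example", "ssl", "Deny"),
    (1, "blocked.example", "ssl-intercept", "Allowed"),
    (1, "blocked.example", "https", "Deny"),
    # conn 2: client disconnected after the ssl Deny, before the https transaction
    (2, "blocked.example", "tcp", "Allowed"),
    (2, "blocked.example", "ssl", "Deny"),
    (2, "blocked.example", "ssl-intercept", "Allowed"),
    # conn 3: permitted destination, every layer Allowed
    (3, "news.example", "tcp", "Allowed"),
    (3, "news.example", "ssl", "Allowed"),
    (3, "news.example", "https", "Allowed"),
    # conn 4: blocked destination never denied at any layer (needs investigation)
    (4, "blocked.example", "tcp", "Allowed"),
    (4, "blocked.example", "ssl", "Allowed"),
    (4, "blocked.example", "https", "Allowed"),
]

def group_by_connection(trace):
    conns = {}
    for cid, host, layer, verdict in trace:
        conns.setdefault(cid, {"host": host, "layers": []})["layers"].append((layer, verdict))
    return conns

def reported_verdict(conn):
    """What a report keyed on the last recorded transaction state shows."""
    return conn["layers"][-1][1]

def classify(conn):
    verdicts = dict(conn["layers"])
    if verdicts.get("https") == "Deny":
        return "denied"                 # exception page returned: the normal case
    if verdicts.get("ssl") == "Deny":
        return "denied-client-aborted"  # deny decided, https transaction never recorded
    if conn["host"] in BLOCK_LIST:
        return "investigate"            # blocked site, yet no layer denied it
    return "allowed"

def triage(trace):
    return {cid: (reported_verdict(c), classify(c)) for cid, c in group_by_connection(trace).items()}

if __name__ == "__main__":
    for cid, (shown, status) in triage(TRACE).items():
        print(f"conn {cid}: report shows {shown:8} -> {status}")
```

Connection 2 is the case described above: the report shows Allowed because the ssl-intercept transaction was the last state recorded, while the ssl layer already carries the Deny verdict.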