silent_denied verdict found in Cloud SWG portal report albeit there are no silent_denied verdicts in the customer policy
search cancel

silent_denied verdict found in Cloud SWG portal report albeit there are no silent_denied verdicts in the customer policy

book

Article ID: 379152

calendar_today

Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

The customer found from the Cloud SWG reports that some requests have a verdict of "silent_denied" yet they have no such verdict configured in their Cloud SWG portal policy.

Environment

Cloud SWG policy managed by the Portal.

Cause

The Cloud SWG portal policies are not simple customer policies that are implemented on the Cloud SWG proxies.

They are built on:

  • the portal customer specific policy
  • Broadcom sets the policies with CPL facilities that apply to all tenants (UPE and Portal tenants with commonalities and specifiities to both) that are designed for specific purposes:
    • ensure the Cloud SWG features are implemented uniformaly and safely across all tenants
    • enforce licensing and terms or services

Resolution

The silent_denied verdicts that can be encountered by customer are mainly caused by Cloud SWG "Deny unknown protocols" policy that is set to ensure we don't allow random protocols to be tunnelled over the service.

This silent_denied verdict will be matched when:

  • protocol detection is enabled
  • the request is not from http connect
  • the protocol is not tunnelled tcp, https or socks
  • the traffic is tunnelled and not SSL-unintercepted and not a web-sockect connection

There are other silent_denied verdicts (not to be listed here) that can be encountered for a few specific url's, but those are very specific and not likely to be hit randomly by customers.