Symantec SWG POP localization zone not working with IPSEC access method
Article ID: 379928

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Users access the internet via an IPSEC tunnel that terminates on the GITMO VIP in Italy.

The Cloud SWG admin has defined the Location for this IPSEC tunnel with Croatia as the country.

Most internet sites correctly geolocate the users in Croatia, as expected, but some requests are geolocated in Italy instead.

Cloud SWG reports seem to show all of the working requests, but the failing requests do not appear in the reports.

Environment

Cloud SWG.

VeloCloud SDWAN IPSEC tunnel.

Client Firewall Service is enabled.

Cause

The failing requests were using the QUIC protocol (from Chrome browsers) and were therefore not being passed to the proxy, which is what applies the localisation zone to the traffic.

Resolution

Make sure the following block rule for UDP 443 is enabled within the CFS configuration. It is present by default, but in this case it had been removed by the admin.

Blocking UDP 443 forces the user's browser to fall back from QUIC to TCP-based HTTP traffic, which is sent to the proxy and so receives the correct geolocation.

Additional Information

QUIC uses UDP 443.

When the Client Firewall Service is enabled, all TCP traffic and UDP 53 is sent upstream to the proxy for validation. All other traffic egresses directly from the CFS device in Italy, which does not use the localisation zone IP addresses.
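To make the behaviour above concrete, the following is an added example (not code from the Symantec article or from Cloud SWG) that models the CFS forwarding rules exactly as the article states them and audits a set of flow records for QUIC traffic that would bypass the proxy. The flow-record format, sample addresses and function names are constructed for this example; running the audit with the UDP 443 block disabled and then enabled shows why the block rule restores correct localisation.

```python
"""Added example, not from the Symantec KB article.

Models the Client Firewall Service (CFS) forwarding behaviour described in
the article: all TCP and UDP 53 go upstream to the proxy, everything else
egresses locally. Flags QUIC (UDP 443) flows that would miss the proxy and
therefore the localisation zone. Flow-record format is constructed here.
"""

from collections import Counter

PROXY_UDP_PORTS = {53}   # UDP ports the CFS sends upstream (per the article)
QUIC_PORT = 443          # QUIC runs over UDP 443

# Constructed sample flow records: "<proto> <src> <dst> <dport>"
SAMPLE_FLOWS = """\
tcp 10.1.2.10 203.0.113.5 443
tcp 10.1.2.11 203.0.113.6 80
udp 10.1.2.10 203.0.113.5 443
udp 10.1.2.12 198.51.100.53 53
udp 10.1.2.13 203.0.113.7 443
udp 10.1.2.14 203.0.113.8 123
""".splitlines()


def parse_flow(line):
    """Parse one constructed flow record into a dict (hypothetical format)."""
    proto, src, dst, dport = line.split()
    return {"proto": proto.lower(), "src": src, "dst": dst, "dport": int(dport)}


def classify_flow(flow, udp443_block_enabled):
    """Return where a flow ends up under the CFS rules from the article.

    'proxy'   - forwarded upstream, gets the localisation zone IP
    'blocked' - dropped by the UDP 443 block; the browser falls back to TCP
    'direct'  - egresses from the CFS device in Italy, no localisation zone
    """
    if flow["proto"] == "tcp":
        return "proxy"
    if flow["proto"] == "udp" and flow["dport"] in PROXY_UDP_PORTS:
        return "proxy"
    if flow["proto"] == "udp" and flow["dport"] == QUIC_PORT and udp443_block_enabled:
        return "blocked"
    return "direct"


def audit_flows(lines, udp443_block_enabled):
    """Count verdicts and list sources whose QUIC traffic bypasses the proxy."""
    counts = Counter()
    quic_bypass = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        verdict = classify_flow(flow, udp443_block_enabled)
        counts[verdict] += 1
        if verdict == "direct" and flow["proto"] == "udp" and flow["dport"] == QUIC_PORT:
            quic_bypass.append(flow["src"])
    return {"counts": dict(counts), "quic_bypass_sources": quic_bypass}


if __name__ == "__main__":
    for enabled in (False, True):
        result = audit_flows(SAMPLE_FLOWS, enabled)
        print(f"UDP 443 block enabled={enabled}: {result}")
```

With the block disabled, the two UDP 443 flows are reported as direct egress from the CFS device, which is the mismatch the reports in the article could not show; with the block enabled they are dropped, and the browser's TCP retry is classified as proxied.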