ICAP bypass policies on UPE CloudSWG tenant are NOT working when CSP policy is enabled

Article ID: 401756

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

ICAP bypass policies such as the one below do not bypass ICAP scanning when a UPE CloudSWG tenant has Content Security Policy (CSP) enabled.

<proxy>
url.domain=test.com request.icap_service(no) 

<cache>
url.domain=test.com response.icap_service(no)

Cause

A CSP policy is one way to enable ICAP scanning (there are other ways, e.g. using response.icap_service(servicename_1,servicename_2, fail_open|fail_closed)). CSP policies are always evaluated last, so they override the ICAP CPL policies shown above and the bypass does not take effect.

Resolution

To bypass ICAP scanning with CSP policy enabled, install the following define statement in your CPL layer, with the URL domains listed inside it. Note that it has to be exactly "define list domain BC_Cloud_Not_AV_Scannable_domains", with the "end" clause after all needed ICAP bypass domains.

E.g. 

#if enforcement=wss
define list domain BC_Cloud_Not_AV_Scannable_domains
    test.com
    color.com
    browser.com
end
#endif
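
A pre-install check for the requirement above, as an added example that is not part of the original article or any Broadcom tooling: it reads a CPL snippet, confirms the list name is exactly BC_Cloud_Not_AV_Scannable_domains and is closed with "end", and reports domains that only have an icap_service(no) rule and would therefore still be scanned under CSP. The line-oriented parsing is an assumption that covers only the CPL forms shown on this page, and example.org in the sample is a constructed value.

```python
import re
REQUIRED = "BC_Cloud_Not_AV_Scannable_domains"  # exact list name given in the article
DEFINE = re.compile(r"^define\s+list\s+domain\s+(\S+)$")
RULE = re.compile(r"url\.domain=(\S+)\s+(?:request|response)\.icap_service\(no\)")

def audit_cpl(text):
    """Return (domains in the required list, findings) for a CPL snippet."""
    listed, rule_domains, findings = [], [], []
    current = None  # name of the define block being read, or None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if current is not None:
            if line == "end":
                current = None
                continue
            if not line.startswith(("#", "<", "define ")):
                if current == REQUIRED:
                    listed.append(line)  # a domain entry inside the list
                continue
            findings.append(f"list {current} has no 'end' clause")
            current = None  # fall through and treat this line normally
        m = DEFINE.match(line)
        if m:
            current = m.group(1)
            if current != REQUIRED and current.lower() == REQUIRED.lower():
                findings.append(f"list name {current} is not exactly {REQUIRED}")
            continue
        m = RULE.search(line)
        if m and m.group(1) not in rule_domains:
            rule_domains.append(m.group(1))
    if current is not None:
        findings.append(f"list {current} has no 'end' clause")
    for d in rule_domains:
        if d not in listed:  # per the article, CSP overrides this rule
            findings.append(f"{d}: icap_service(no) rule only; not in {REQUIRED}")
    return listed, findings
# Constructed sample: bypass rules in the article's style plus a define list.
SAMPLE = """<proxy>
url.domain=test.com request.icap_service(no)
<cache>
url.domain=example.org response.icap_service(no)
define list domain BC_Cloud_Not_AV_Scannable_domains
    test.com
    color.com
end
"""
print(audit_cpl(SAMPLE))
```

The returned domain list also serves as the inventory of sites exempt from ICAP scanning, which is worth reviewing whenever the policy changes.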