pod.threatpulse.com reporting incorrect "WSS Egress Country"

Article ID: 406064


Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

pod.threatpulse.com is a useful troubleshooting tool for identifying where users are connected.

One user, physically located in India and connected to the GINMU pod, reported seeing the correct data center and egress IP address details, but a WSS Egress Country of GB, as shown below:

WSS Egress IP: 148.64.5.158
X Forwarded For: 192.168.1.1, 148.64.5.158
Client IP Header: unknown
WSS Ingress Proxy: dp3-ginmu1-4
WSS Egress Proxy: dp3-ginmu1-4
Target Name used for ETM tap: N/A
WSS Egress Country: GB
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.265 Safari/537.36 Edg/131.0.2903.146

The Cloud SWG admin could reproduce this on the DEV tenant, but not on the PROD tenant.

Environment

Cloud SWG.

Any access method.

Policy based routing/Dedicated IP address feature enabled.

Cause

When policy based routing or the dedicated IP address feature is enabled, the egress country information depends on the path the request has travelled and may not be what is expected.

Other 'pod.threatpulse.com' endpoints must be used to report the correct egress country details.

Resolution

Access the following endpoints depending on whether user traffic is being routed through the Dedicated IP address or Policy Based routing feature:

  • Dedicated IP address: Simply access https://pod.threatpulse.com/mydedicatedip to get the correct information.
  • Policy based routing: Depending on whether users are using the dedicated IP or shared IP option, use one of the following endpoints:
    • https://pod.threatpulse.com/via-dei?country-code=<code> : Used when accessing a site using the dedicated IP address policy, where the country code is the 2-letter ISO country code representation, e.g. US for United States, IN for India, DE for Germany, GB for United Kingdom.
    • https://pod.threatpulse.com/via-shared?country-code=<code> : Used when accessing a site using the shared IP address policy, where the country code is the 2-letter ISO country code representation.
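The endpoint choice above, and the comparison of the reported WSS Egress Country with the country the policy should egress from, can be scripted. The following is an added example, not Broadcom tooling: the helper names are hypothetical, the sample is constructed from the output shown in this article, and it assumes the other endpoints return the same "Key: value" lines.

```shell
#!/bin/sh
# Added example; pod_url, pod_field and pod_check are hypothetical helper names.

# Pick the endpoint from the Resolution list.
# $1: dedicated | pbr-dedicated | pbr-shared   $2: country code (PBR modes only)
pod_url() {
    base="https://pod.threatpulse.com"
    case "$1" in
        dedicated)     echo "$base/mydedicatedip"; return 0 ;;
        pbr-dedicated) path="via-dei" ;;
        pbr-shared)    path="via-shared" ;;
        *) echo "unknown mode: $1" >&2; return 2 ;;
    esac
    # Accept exactly two letters so nothing else ends up in the query string.
    cc=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    case "$cc" in
        [A-Z][A-Z]) echo "$base/$path?country-code=$cc" ;;
        *) echo "country code must be two letters: $2" >&2; return 2 ;;
    esac
}

# Print the value of one "Key: value" line read from stdin.
pod_field() {
    awk -v key="$1" '
        { sub(/\r$/, "") }
        index($0, key ":") == 1 {
            val = substr($0, length(key) + 2)
            sub(/^[ \t]+/, "", val)
            print val
            exit
        }'
}

# Compare the reported egress country (stdin) with the expected one ($1).
pod_check() {
    got=$(pod_field "WSS Egress Country")
    [ "$got" = "$1" ] && { echo "OK: egress country $got"; return 0; }
    echo "MISMATCH: expected $1, reported ${got:-none}"
    return 1
}

# Constructed sample: three lines copied from the output shown in this article.
SAMPLE='WSS Egress IP: 148.64.5.158
WSS Egress Proxy: dp3-ginmu1-4
WSS Egress Country: GB'

printf '%s\n' "$SAMPLE" | pod_check IN || true
# Live use from a client behind Cloud SWG (assumes the same output format):
#   curl -s "$(pod_url pbr-shared IN)" | pod_check IN
```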