Managing Unauthenticated User Access in Symantec CloudSOC Gatelets: Permissive vs. Restrictive Behavior

Article ID: 411374

Products

CASB Gateway, CASB Gateway Advanced, CASB Security Advanced, CASB Advanced Threat Protection, CASB Audit, CASB Security Premium, CASB Security Standard, CASB Securlet SAAS With DLP-CDS

Issue/Introduction

Here are the definitions of, and the differences between, the unauthenticated user and the guest user.

GUEST USER

A guest user represents traffic where no user identity is provided at all, either because authentication was bypassed or because the user-id header is missing. CloudSOC treats this as anonymous traffic unless it is configured to map it to a guest identity.

  • Triggered by one of two cases:
    • No authentication or missing user-id header.
    • User-id shared by CloudSWG does not exist in CloudSOC.
  • Header: absent or invalid value
  • CloudSOC Setup:
    • Email: guest@<tenant_domain>
    • Secondary ID: Optional
    • Requires CASB Support to enable “Unauthorized User as Guest”
 
UNAUTHENTICATED USER

In CloudSOC, an unauthenticated user is a case where the on-prem proxy or CloudSWG fails to authenticate the user, and instead of passing a valid user ID, it explicitly sends "unauthenticated user" in the request header. This identity is recognized by CloudSOC and can be mapped to a specific user object for policy enforcement.

  • Triggered by: Failed authentication.
  • Header: user-id = "unauthenticated user"
  • CloudSOC Setup:
    • Email: unauthenticated_user@<tenant_domain>
    • Secondary ID: "unauthenticated user" (must include a space)

KEY DIFFERENCES

Key Differences between Guest User and Unauthenticated User:

| Attribute                     | Guest User                                                                 | Unauthenticated User                                   |
|-------------------------------|----------------------------------------------------------------------------|--------------------------------------------------------|
| Trigger Condition             | - No User-Id present; - User-Id shared does not exist in CloudSOC          | - Marked as "Unauthenticated" by Proxy or CloudSWG     |
| Source of Identity            | Inferred by CloudSOC                                                       | Shared by Proxy or CloudSWG                            |
| Email format                  | guest@<tenant_primary_domain>                                              | unauthenticated_user@<tenant_primary_domain>           |
| Secondary User ID Requirement | Optional                                                                   | Required: "unauthenticated user" (with a space)        |
| Toggle Feature (Support)      | Yes                                                                        | No                                                     |

 

Symptoms if Missing:

Users may encounter access denial errors when attempting to reach SaaS applications through CloudSOC Gatelets, particularly when authentication fails or is bypassed. Common symptoms include:

  • "Page Access Denied: Invalid User or Tenant"
  • "Something went wrong" with the user shown as 'unauthenticated user'
  • Blocked access to non-Gatelet SaaS URLs
  • User identity shown as '[email protected]', 'unauthenticated user', or missing entirely

These issues are prevalent in environments using CloudSWG (formerly WSS) or on-prem proxy chaining, where user signaling may be incomplete or authentication policies are selectively bypassed.

Environment

These behaviors can be observed in any Gatelet/Data-In-Motion deployment.

Cause

The root cause is the absence or invalidity of user identity information in requests reaching CloudSOC.

This can occur due to:

  1. User-id does not exist in CloudSOC tenant.
  2. Explicit unauthenticated user signaling from CloudSWG or Proxy.
  3. No user-id header present, often due to policy-based authentication bypass.
  4. Proxy chaining misconfigurations, where user signaling is not properly enabled.
  5. Improper or missing secondary user ID mapping, especially in Windows environments using NetBIOS format like 'DOMAIN\USERID'.

Resolution

To enable the permissive fail-open behavior and allow unauthenticated users limited access via Gatelets, follow these steps:

1. Create Guest and Unauthenticated User Accounts in CloudSOC

- Navigate to CloudSOC > Users.
- Create the following accounts:

1.1 Guest User:
- Email: 'guest@<tenant_primary_domain>' (e.g., '[email protected]')
- Secondary ID: Optional

1.2 Unauthenticated User:
- Email: 'unauthenticated_user@<tenant_primary_domain>'  (e.g., '[email protected]')
- Secondary ID: 'unauthenticated user' *(must include a space)*

 

2. Enable Required Features via CASB Support

- Open a support ticket with Broadcom CASB Support to enable guest user access, and make sure to share the CloudSOC tenant ID. (The feature name is "Unauthorized User as Guest".)

 

Additional Information

Note:

- Treating unauthenticated users as guests is a fail-open strategy that balances access with control, but may reduce audit granularity.
- Unauthenticated traffic will appear in INVESTIGATE under the 'guest' user, allowing policy enforcement and visibility.
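The following is an added example written for this article, not CloudSOC's own code: a small model of how a Gatelet request's user-id header is resolved into a guest user, an unauthenticated user, or a denial, using the trigger conditions from the table above. The tenant directory, the NetBIOS secondary ID and the "unauthorized_user_as_guest" attribute are assumptions of the example; it also shows why a Secondary ID created without the space never matches the proxy's "unauthenticated user" value.

```python
from dataclasses import dataclass, field
from typing import Optional

# Literal value the on-prem proxy or CloudSWG sends on failed authentication.
# The space matters: the Secondary ID must be exactly this to match.
UNAUTHENTICATED_MARKER = "unauthenticated user"


@dataclass
class Tenant:
    """Assumed model of a CloudSOC tenant's user directory (not CloudSOC code)."""
    domain: str
    # email -> secondary user ID ("" when none). Secondary IDs cover NetBIOS
    # identities such as DOMAIN\USERID that a proxy may signal instead of an email.
    users: dict = field(default_factory=dict)
    unauthorized_user_as_guest: bool = False  # the toggle enabled by CASB Support

    def lookup(self, value: str) -> Optional[str]:
        """Match a header value against primary emails and secondary IDs."""
        needle = value.strip().lower()
        for email, secondary in self.users.items():
            if needle == email.lower() or (secondary and needle == secondary.lower()):
                return email
        return None


def resolve_identity(tenant: Tenant, user_id_header: Optional[str]) -> tuple:
    """Return (identity, outcome) for one Gatelet request.

    identity is the CloudSOC user object the request is attributed to, or None;
    outcome is "allowed" or "denied" (the "Invalid User or Tenant" symptom).
    """
    header = (user_id_header or "").strip()
    if header:
        match = tenant.lookup(header)
        if match is not None:
            # Covers normal users and the explicit "unauthenticated user"
            # object, provided its Secondary ID was created with the space.
            return match, "allowed"
    # Header absent, or value unknown to this tenant: guest candidate.
    guest = f"guest@{tenant.domain}"
    if tenant.unauthorized_user_as_guest and guest in tenant.users:
        return guest, "allowed"   # fail-open: attributed to the guest user
    return None, "denied"         # fail-closed: no identity to attribute


# Constructed sample directory for the example (not real tenant data).
tenant = Tenant("example.com", users={
    "alice@example.com": "CORP\\alice",                        # NetBIOS secondary ID
    "unauthenticated_user@example.com": UNAUTHENTICATED_MARKER,
})
```

Adding "guest@example.com" to the directory and setting the toggle flips the missing-header and unknown-user cases from "denied" to the guest identity, which is the fail-open behavior the Resolution section enables.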