Local policy category fails to match for domains defined by IP address

Article ID: 433309

Products

ProxySG Software - SGOS ISG Proxy

Issue/Introduction

After upgrading to SGOS 7.4.11.1, 7.3.27.1, or later versions, you may observe that policy rules using local or policy-defined categories no longer match as expected. This occurs specifically when a category is defined using an IP address, but the client request is made using a Fully Qualified Domain Name (FQDN).

Symptoms of this issue include:

  • Requests are blocked by "catch-all" or default deny rules despite being in an allowed category.
  • Policy traces show the url.category as "none" for the local or policy database.
  • Inconsistent matching, because the proxy no longer performs an automatic DNS lookup to bridge the gap between domain names and IP-based category entries.

Environment

  • Product: Symantec Edge SWG and Advanced Secure Gateway (ASG).
  • Software Version: SGOS 7.4.11.1 and later, 7.3.27.1 and later.

Cause

To improve performance and prevent page load slowness caused by DNS timeouts, SGOS no longer automatically performs a DNS lookup to match a requested hostname against IP addresses defined in local or policy categories. The proxy only uses the IP address for categorization if the request was initiated via an IP address directly or if the IP address was already resolved and available to the policy engine prior to the categorization step.

Resolution

Update your local or policy category definitions to include both the FQDN/domain and the associated IP addresses to ensure consistent policy enforcement.

  1. Identify the policy-defined or local categories that rely on IP addresses only.
  2. Update the category definitions by adding the hostname/domain (e.g., example.com) to the category.
  3. Ensure that if a destination is ever accessed directly by IP, that IP remains in the category.
  4. Example of a corrected policy definition:

    define category "Trusted_Websites"
    example.com
    1.1.1.1
    end category "Trusted_Websites"

  5. Install the updated policy.
  6. Verify the fix by running a policy trace and confirming the url.category now reflects the expected category name.

If the destination can also be accessed by IP, both the hostname and the IP addresses can be added to the category. If a destination is only ever accessed by IP address, those addresses can be included without a hostname.
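As an added example (not from this article or the product), the following Python script automates step 1 above offline: it parses `define category` / `end category` blocks from a saved local policy file and reports every category whose entries are all IP addresses or subnets, since those are the definitions that stop matching FQDN requests after the upgrade. The sample policy text is constructed, and the CPL parsing is a deliberate simplification (only category blocks and `;` comments are handled).

```python
import ipaddress
import re

# Constructed sample local policy text, not taken from the article. It mixes an
# IP-only category (the problem case) with one that already lists an FQDN.
SAMPLE_POLICY = """\
define category "Trusted_Websites"
    1.1.1.1
    203.0.113.0/24
end category "Trusted_Websites"

define category "Partner_Portal"
    partner.example.com   ; FQDN entry keeps this category matching
    198.51.100.7
end category "Partner_Portal"
"""

_DEFINE_RE = re.compile(r'^\s*define\s+category\s+"?([^"\s]+)"?\s*$', re.IGNORECASE)
_END_RE = re.compile(r'^\s*end\s+category\b', re.IGNORECASE)


def is_ip_entry(entry):
    """True if the entry is an IPv4/IPv6 address or CIDR block rather than a hostname."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False


def parse_categories(policy_text):
    """Return {category_name: [entries]} for every define category block."""
    categories, current = {}, None
    for raw in policy_text.splitlines():
        line = raw.split(';', 1)[0].strip()  # ';' starts a CPL comment
        if not line:
            continue
        m = _DEFINE_RE.match(line)
        if m:
            current = m.group(1)
            categories[current] = []
        elif _END_RE.match(line):
            current = None
        elif current is not None:
            categories[current].append(line)
    return categories


def ip_only_categories(policy_text):
    """Names of categories whose entries are all IPs/subnets: the ones that no
    longer match FQDN requests on SGOS 7.4.11.1+ / 7.3.27.1+ and need a hostname added."""
    return sorted(name for name, entries in parse_categories(policy_text).items()
                  if entries and all(is_ip_entry(e) for e in entries))
```

Run `ip_only_categories(open("local_policy.txt").read())` against your own exported local policy file; each name it returns needs the hostname/domain added as described in step 2.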

Additional Information

This behavioral change was implemented to address latency issues where unresponsive DNS servers caused significant delays during policy evaluation.