Error "Late condition guards early action" for server.certificate.hostname
search cancel

Error "Late condition guards early action" for server.certificate.hostname

book

Article ID: 433333

calendar_today

Updated On:

Products

Management Center - VA ProxySG Software - SGOS

Issue/Introduction

When installing CPL or updating policy in Edge SWG, the following errors appear: 

Error: Late condition guards early action
Condition 'condition={condition name}' vpm-cpl:xxxx
which depends on 'server.certificate.hostname=.example.com' vpm-cpl:xxxx

Environment

Edge SWG SGOS 7.x and Later

Cause

This occurs when an early action, like deciding whether to intercept SSL, is dependent on a late condition. The information isn't known until after the interception occurs.
Using server.certificate.hostname to trigger ssl.forward_proxy(no) or ssl.forward_proxy(yes) is the issue.
The Edge SWG cannot view the Server Certificate until it connects to the server, but it must decide whether to intercept the connection before it is made.

Resolution

Change the match criteria from server.certificate.hostname=".example.com" to url.domain=".example.com".
Powered by Wolken Software