ProxySG/EdgeSWG policy trace and wireshark log for access denied website via legacy Java Visual Policy Manager
Article ID: 263103

Products

  • ISG Proxy
  • ProxySG Software - SGOS
  • Advanced Secure Gateway Software - ASG

Issue/Introduction

Access to a website is denied by the proxy, and the browser shows the exception page:

Access Denied (policy_denied)

Environment

ProxySG/EdgeSWG SGOS

Cause

Before troubleshooting begins, confirm the URL's categorization and DNS status.

#### CHECK THE URL FOR CATEGORIZATION AND THREAT RISK ####


STEP1

Identify which URL is being blocked by the proxy, i.e. which page is not displayed properly on a workstation that connects via the proxy. EXAMPLE: https://example.com

 

STEP2

By default the ProxySG uses the Blue Coat WebPulse service for categorization and threat risk, so check that your site is correctly categorized and not marked as malicious.

WebPulse Site Review: https://sitereview.bluecoat.com/#/

 

CATEGORY ASSIGNED: the site's category is shown in the list of categories.

NOTE: You can request a change if you believe the site is not properly categorized.

Sites that are not categorized, or that are internal customer domains (not resolvable in public DNS), can be marked as suspicious/malicious.

 

STEP3

Check which IP address the URL (e.g. example.com) resolves to in DNS. Open a Windows CMD and type nslookup example.com.

STEP4

Ensure that the ProxySG itself can resolve the domain through the DNS servers configured on the proxy. Open an SSH connection to the proxy management IP, e.g. with the PuTTY client.

Use the command: test dns <url-domain> bypass-cache

ex. test dns example.com bypass-cache

The output shows which DNS server resolved the domain and whether the resolution succeeded. If it did not, this is a DNS issue, not a policy issue.

 

STEP5

Write down the information gathered about the URL:

  • URL: example.com
  • IP: 93.184.200.1
  • WEBPULSE CATEGORY: Technology/Internet
  • Proxy DNS resolution: OK (DNS: <ip-of-server>)

Resolution

#### TROUBLESHOOTING THE URL THAT IS BEING BLOCKED ####

 

STEP5

Check your policy: is this URL allowed by a defined policy rule for the destination URL/category with an ALLOW action?

 

STEP6

Find out which workstations cannot reach the website and choose one of them for testing, based on the behavior or on the source defined in the rule. EXAMPLE: 10.0.200.1

 

STEP7

From a PC that has access to the management console, open the ProxySG at https://<management-proxy-ip>:8082/ (for example https://10.0.80.81:8082)

and open the Java Launcher.

 

STEP8

Go to ProxySG > Configuration > Policy > Visual Policy Manager >> Launch Legacy Java VPM

STEP9

In the menu at the top choose Policy >> Add Web Access Layer, then create a layer and name it DEBUG.

Then click on Source >> Set… >> Add New… >> Client IP address/subnet. Enter the IP of the endpoint client with subnet 255.255.255.255 and click Add, Close, OK.




The source has been added. You can specify the destination with Request URL: example.com, or leave it blank (the rule will then trace all requests from the PC).

In the Action field, right-click and choose Delete. This makes the rule transparent to the other defined rules: we do not need to allow or deny, only to track behavior.

In the Track field, right-click on Track >> Set… >> New… >> Trace. Name the trace, e.g. Trace1, tick the trace level Trace enabled, then click OK twice.

The Web Access Layer rule should look like this:

Click on Install Policy.



STEP9

If the blocked URL is SSL-intercepted in your policy, one more change is needed, because the request is also evaluated in the SSL Intercept layer.

Go to your SSL Intercept layer and create a rule with the same scheme as before:

  • Source: 10.0.200.1/255.255.255.255
  • Destination: Any, or the same URL as in the previous rule
  • Action: SSLInterception
  • Track: Trace1

Click Install Policy.

 

STEP10

Go back to the main proxy console window, then to Maintenance >> Service Information >> Packet Captures.

Set the packet capture filter to

ip host <ip of endpoint testing device> or ip host <url> or port 53 or ip host <proxysg-management-ip>

ex. ip host 10.0.200.1 or ip host example.com or port 53 or ip host 10.0.80.80

Click Apply at the bottom, then click Start capture… >> Start Capture.

The policy trace and the packet capture are now running.

 

STEP11

On the testing device (10.0.200.1) where the issue occurs, open a browser in Incognito mode and try to access the blocked website, e.g. example.com.

 

STEP12

On the PC that is connected to the proxy management console, open the browser and enter the policy trace address https://<management-proxy-ip>:8082/Policy (ex. https://10.0.80.80:8082/Policy).

Check whether the trace was captured under Trace1.

Open the Trace1 link, press CTRL+F and search for the URL example.com. If it is there, copy the contents of Trace1 into a text file Trace1.txt and save it on the desktop.

 



STEP13

Go back to the ProxySG > Maintenance > Service Information > Packet Captures tab, click Stop Capture, then Download Capture and save the file on the desktop.

 



STEP14

Go back to the Visual Policy Manager and delete or disable the rules created in steps 8-9.

 

STEP15

If you would like the captures to be sent to the case ticket automatically, go to ProxySG >> Maintenance >> Service Information >> Send Information >> Send Service Information.

Type the case number into Service Request Number. Click on Newest, tick Packet Capture, Policy Trace File, Access Logs, Event Log and SysInfo, then click Send.

The files should be uploaded directly to the Broadcom case (you can check View Progress). Otherwise, upload the policy trace (Trace1.txt) and the packet capture manually as attachments to the case.

 

STEP16

Finally, you can delete the trace that was taken from the ProxySG at https://<management-ip-proxy>:8082/Policy.

Additional Information

#### ALTERNATIVE WAY TO SET UP THE POLICY TRACE USING THE CPL CODE (STEP 8-9) ####

Add CPL code by going to ProxySG > Configuration > Policy Files > Policy Files tab > Install Local File from: Local File > Install, and paste the customized code:

<ssl-intercept>
client.address=x.x.x.x trace.destination(Trace1) trace.request(yes)

<proxy>
client.address=x.x.x.x trace.destination(Trace1) trace.request(yes)

as example:

<ssl-intercept>
client.address=10.0.200.1 trace.destination(Trace1) trace.request(yes)

<proxy>
client.address=10.0.200.1 trace.destination(Trace1) trace.request(yes)

After pasting, click INSTALL.
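The following helper, added here as an example and not part of the article or of SGOS, assembles the two artifacts above (the CPL trace layers and the packet capture filter) from a client IP, a pasted URL and the management IP. It validates the inputs the way the procedure expects them: a single IPv4 host (the VPM rule uses subnet 255.255.255.255, so a subnet is rejected) and a bare domain name (a pasted https://… URL is reduced to its host).

```python
"""Build the ProxySG policy-trace CPL and the packet-capture filter described above.

Added example; the helper names are our own, not an SGOS or Broadcom API.
"""
import ipaddress
from urllib.parse import urlsplit


def host_ip(value: str) -> str:
    """Return one IPv4 host address. Subnets and IPv6 are rejected because the
    trace rule matches a single test client (Client IP/subnet 255.255.255.255)."""
    addr = ipaddress.ip_address(value.strip())  # ValueError on '10.0.200.0/24' or junk
    if addr.version != 4:
        raise ValueError(f"expected an IPv4 host address, got {value!r}")
    return str(addr)


def bare_domain(value: str) -> str:
    """Reduce a pasted URL such as 'https://example.com/path' to the host name that
    both the VPM Request URL object and the 'ip host <url>' capture filter need."""
    value = value.strip()
    host = urlsplit(value).hostname if "://" in value else value.split("/")[0]
    if not host or any(c.isspace() for c in host):
        raise ValueError(f"cannot derive a domain name from {value!r}")
    return host.lower()


def trace_cpl(client_ip: str, trace_name: str = "Trace1") -> str:
    """Emit the CPL from the article: the same trace rule in the <ssl-intercept>
    and <proxy> layers, so intercepted HTTPS requests are traced as well."""
    rule = f"client.address={host_ip(client_ip)} trace.destination({trace_name}) trace.request(yes)"
    return "\n".join(["<ssl-intercept>", rule, "", "<proxy>", rule])


def capture_filter(client_ip: str, url: str, mgmt_ip: str) -> str:
    """Emit the packet capture filter from STEP10: the test client, the destination
    host, DNS (port 53) and the proxy management IP."""
    return (f"ip host {host_ip(client_ip)} or ip host {bare_domain(url)} "
            f"or port 53 or ip host {host_ip(mgmt_ip)}")


if __name__ == "__main__":
    # Constructed sample inputs matching the article's example values.
    print(trace_cpl("10.0.200.1"))
    print(capture_filter("10.0.200.1", "https://example.com", "10.0.80.80"))
```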

 

####################

HOW TO BYPASS URLS VIA PROXY: Troubleshoot issues with a specific web site proxied by Edge SWG (ProxySG) or ASG appliance - https://knowledge.broadcom.com/external/article?articleId=167379  


#################

More KB articles regarding Policy trace: