Access to the website is denied via Proxy
Access Denied message seen in the browser when trying to reach a website:
ProxySG/EdgeSWG SGOS with SGAC
#### CHECK THE URL FOR CATEGORIZATION AND THREAT RISK ####
STEP1
Identify the URL that the Proxy is blocking, i.e. the page that fails to display on a workstation that connects through the Proxy - EXAMPLE: https://<domain>
STEP2
By default ProxySG uses the Blue Coat WebPulse service for URL categorization and threat risk, so first check that the site is correctly categorized and not rated as malicious.
Webpulse Sitereview: https://sitereview.bluecoat.com/#/
CATEGORY ASSIGNED: List of categories
NOTE: You can request a change if you feel like the site is not properly categorized.
Sites that are not categorized, or that are internal customer domains (not resolvable in public DNS), can be rated suspicious/malicious by WebPulse and then blocked by a category- or risk-based rule:
STEP3
Check which IP address DNS resolves for the URL, ex. <domain>. On the workstation, open a Windows CMD and type nslookup <domain>:
C:\Users\user>nslookup <domain>
Server: <dns-domain-name>
Address: <dns-server-ip>
Non-authoritative answer:
Name: <domain>
Addresses: <domain-ip-address>
Note that this answer comes from the workstation's DNS server. In an explicit proxy deployment the Proxy resolves the name itself, possibly through different servers, which is why the next step repeats the lookup on the Proxy.
STEP4
Ensure that the ProxySG can itself resolve the domain through the DNS servers configured on the Proxy. Open an SSH connection to the Proxy management IP using a client such as PuTTY.
Use command: test dns <domain> bypass-cache
ProxySG#test dns <domain> bypass-cache
Performing DNS lookup for: <domain>
Sending A query for <domain> to <dns-server-ip>
DNS Response data:
Official Host Name: <domain>
Resolved Addresses:
<domain-ip-address>
Cache TTL: 11354, cache MISS
DNS Resolver Response: Success
This shows which DNS server the Proxy used and whether the name resolved. If resolution fails here, the problem is DNS on the Proxy side, not policy, and the remaining steps will not help until it is fixed.
STEP5
Please write down the information gathered regarding the URL
URL: <domain>
IP: <domain-ip-address>
WEBPULSE CATEGORY: Technology/Internet
Proxy DNS resolution: OK (DNS: <dns-server-ip>)
STEP6
Check your policy: is this URL allowed by a rule whose destination (URL or category) matches it with an ALLOW action, and is it then overridden by a DENY in a later layer? (Layers are evaluated top to bottom and a later layer takes precedence over an earlier one.)
Open the Edge SWG Management Console in a browser (https://<proxy-ip>:8082, the default management port) and click the Visual Policy Manager link in the top-right corner:
STEP7
Identify which workstations cannot reach the website and choose one of them for testing, based on the behaviour observed or on the source defined in the rule - EXAMPLE: <test-client-ip>
STEP8
In the Visual Policy Manager window, click Add Layer, choose Web Access Layer and name it DEBUG.
Then click Source >> Set... >> Add New... >> Client IP address/subnet. Enter the IP of the test client <test-client-ip> with subnet 255.255.255.255 and click Add, Close, OK.
The source is now set. You can restrict the destination with Request URL: <domain>, or leave it blank (the trace will then record every request from that PC, including URLs unrelated to the issue).
In the Action field, right-click and choose Delete. This leaves the rule without an action, so it neither allows nor denies anything and is transparent to the other rules; it only tracks behaviour.
In the Track field, right-click on Track >> Set... >> New... >> Trace. Name the trace, ex. Trace1, set the trace level to Trace enabled, then click OK twice.
The Web Access trace should look like this:
Click on Apply Policy
STEP9
If the blocked URL is SSL-intercepted by your policy, one more change is needed.
Go to your SSL Intercept layer and add a rule for the same source and URL with the same Trace object, following the scheme above:
Click Install Policy
STEP10
Go back to the main Proxy Console window, then to Administration >> Service information >> Packet capture
Set the packet capture filter to
ip host <test-client-ip> or ip host <domain> or port 53 or ip host <proxy-ip> or port 443 or port 80 or ip host <domain-ip-address>
Click Apply at the bottom, then Start capture... >> Start Capture
The policy trace and the packet capture are now running. Note that the terms "port 443 or port 80" match all web traffic passing through the Proxy, so on a busy appliance the capture buffer fills quickly; keep the test window short (run step 11 immediately and stop the capture in step 13), or drop those two terms and rely on the host-based terms.
STEP11
On the test device <test-client-ip> where the issue occurs, open a browser in Incognito/private mode (so cached responses and existing sessions do not mask the block) and try to access the blocked website - ex. <domain>
STEP12
On the PC used for the Proxy Management Console, open a browser and go to https://<proxy-ip>:8082/Policy
Check whether a trace was captured under Trace1.
Open the Trace1 link, press CTRL+F and search for the URL <domain>. If it is there, copy the contents of Trace1 into a text file Trace1.txt and save it on the desktop.
STEP13
Go back to ProxySG > Administration > Service Information > Packet Capture, click Stop Capture, then Download Capture and save the file on the desktop.
STEP14
Go back to the Visual Policy Manager, delete or disable the rules created in steps 8-9 and install the policy again, so the trace does not keep recording that client's browsing.
STEP15
If you want to upload the captures to the support case automatically, go to ProxySG >> Administration >> Service Information >> Send Information >> Send Selected Info Now
Type the case number in the Service Request Number field. Click Newest, tick Packet Capture, Policy Trace File, Access Logs, Event Log and SysInfo, then click Send.
The files are uploaded directly to the Broadcom case. Otherwise, attach the policy trace (Trace1.txt) and the packet capture to the case manually.
STEP16
Finally, delete the trace from the ProxySG at https://<proxy-ip>:8082/Policy; it contains the test client's full request history and is no longer needed once saved.
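Reading a long Trace1.txt by hand is slow when the DEBUG rule had no destination and recorded every request from the test client. The following script is an added example for this article, not Broadcom code: it splits a saved policy trace into transactions, keeps the ones for the blocked domain, and prints which rule in which layer produced the DENY. It assumes the trace layout shown in the constructed SAMPLE_TRACE (transactions delimited by "start transaction" / "end transaction", a "CPL Evaluation Trace:" block naming each layer in angle brackets with "MATCH:" / "miss:" lines that end in the rule action, and a request line such as "GET <url>"); compare those markers with your own Trace1.txt before trusting the output.

```python
"""Summarize a saved ProxySG policy trace (Trace1.txt) for one domain.

Added example for this article, not Broadcom code. The trace layout is
assumed from the constructed SAMPLE_TRACE below; check the markers against
your own Trace1.txt.
"""
import re

LAYER_RE = re.compile(r"^<([^>]+)>$")                      # e.g. <Proxy>
RULE_RE = re.compile(r"^(MATCH|miss):\s+(.*?)\s+(\S+)$")   # kind, condition, action
REQ_RE = re.compile(r"^(GET|POST|PUT|DELETE|HEAD|OPTIONS|CONNECT)\s+(\S+)")
CLIENT_RE = re.compile(r"client\.address=(\S+)")

# Constructed sample: two HTTP requests and one HTTPS CONNECT from the test
# client; www.example.com is denied by a category rule, docs.example.com is allowed.
SAMPLE_TRACE = """\
start transaction -------------------
  transaction ID=101 type=http.proxy
  CPL Evaluation Trace:
     <Proxy>
       MATCH:    client.address=10.0.0.25 trace.request(yes)
     <Proxy>
       miss:     url.domain=//intranet.example/ ALLOW
     <Proxy>
       MATCH:    url.category=Uncategorized DENY
  connection: service.name=Explicit HTTP client.address=10.0.0.25 proxy.port=8080
  GET http://www.example.com/index.html
end transaction -------------------
start transaction -------------------
  transaction ID=102 type=http.proxy
  CPL Evaluation Trace:
     <Proxy>
       MATCH:    client.address=10.0.0.25 trace.request(yes)
     <Proxy>
       MATCH:    url.domain=//docs.example.com/ ALLOW
  connection: service.name=Explicit HTTP client.address=10.0.0.25 proxy.port=8080
  GET http://docs.example.com/
end transaction -------------------
start transaction -------------------
  transaction ID=103 type=ssl.proxy
  CPL Evaluation Trace:
     <SSL-Intercept>
       MATCH:    client.address=10.0.0.25 ssl.forward_proxy(https)
     <Proxy>
       MATCH:    url.category=Uncategorized DENY
  connection: service.name=Explicit HTTP client.address=10.0.0.25 proxy.port=8080
  CONNECT www.example.com:443
end transaction -------------------
"""


def parse_trace(text):
    """Return one dict per transaction: url, client, matched rules and verdict."""
    transactions, current, layer = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("start transaction"):
            current = {"url": "", "client": "", "matches": [], "verdict": None}
            layer = None
            continue
        if current is None:
            continue
        if line.startswith("end transaction"):
            transactions.append(current)
            current = None
            continue
        m = LAYER_RE.match(line)
        if m:
            layer = m.group(1)
            continue
        m = RULE_RE.match(line)
        if m:
            kind, condition, action = m.groups()
            if kind == "MATCH":
                current["matches"].append((layer, condition, action))
                # Later layers override earlier ones in CPL, so the last
                # ALLOW/DENY that matched is the effective verdict.
                if action.upper() in ("ALLOW", "DENY"):
                    current["verdict"] = action.upper()
            continue
        m = REQ_RE.match(line)
        if m and not current["url"]:
            current["url"] = m.group(2)
            continue
        m = CLIENT_RE.search(line)
        if m and not current["client"]:
            current["client"] = m.group(1)
    return transactions


def blocked_requests(text, domain):
    """Transactions for `domain` whose effective verdict is DENY."""
    return [t for t in parse_trace(text) if domain in t["url"] and t["verdict"] == "DENY"]


def explain(tx):
    """Human-readable summary: which rule in which layer produced the verdict."""
    verdict = tx["verdict"] or "no ALLOW/DENY matched (default policy applies)"
    lines = [f"{tx['client']} -> {tx['url']}: {verdict}"]
    lines += [f"  <{layer}> {cond} -> {action}" for layer, cond, action in tx["matches"]]
    return "\n".join(lines)


if __name__ == "__main__":
    for tx in blocked_requests(SAMPLE_TRACE, "www.example.com"):
        print(explain(tx))
```

Run it against your own file with `parse_trace(open("Trace1.txt").read())`. In the sample the HTTPS CONNECT is denied by the same url.category rule as the plain HTTP request, which is what you would expect when the site is uncategorized (step 2) and the policy denies that category; an ALLOW for the domain in an earlier layer would still lose to that later DENY.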
OPTIONAL TRACE FROM USER BROWSER
If the browser does not show a Policy Blocked message but some other failure, take a screenshot of the browser view and collect a HAR file from the browser - https://knowledge.broadcom.com/external/article/170836/obtain-a-har-file.html. The HAR file shows whether the Proxy answered the request with a block page or whether the request failed for another networking reason (DNS, TCP, TLS) before any response arrived.
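A HAR export is JSON, so the distinction the paragraph describes can be made mechanically. The following script is an added example for this article, not Broadcom code: it walks the HAR entries for the affected domain and labels each one as a policy block (HTTP 403 whose body carries the Access Denied text), a proxy authentication prompt (407), a plain HTTP error, or a network failure with no response at all. SAMPLE_HAR is a constructed, minimal HAR 1.2 document; the "Access Denied" body match is a heuristic for the Proxy's exception page, and the "_error" key is the non-standard field Chrome writes for requests that failed before any response (both assumptions, check them against your own export).

```python
"""Triage a browser HAR export for requests to the blocked domain.

Added example for this article, not Broadcom code. SAMPLE_HAR is constructed;
the 'Access Denied' body check and the Chrome '_error' field are assumptions.
"""
import json

# Constructed sample: a policy block page, a normal page, and a request that
# never got an HTTP response (connection reset).
SAMPLE_HAR = json.dumps({
    "log": {"version": "1.2", "entries": [
        {"request": {"method": "GET", "url": "https://www.example.com/"},
         "response": {"status": 403, "statusText": "Forbidden",
                      "headers": [{"name": "Via", "value": "1.1 proxy.example"}],
                      "content": {"mimeType": "text/html",
                                  "text": "<html><body><h1>Access Denied</h1>"
                                          "Your request was denied by policy.</body></html>"}}},
        {"request": {"method": "GET", "url": "https://docs.example.com/"},
         "response": {"status": 200, "statusText": "OK",
                      "headers": [{"name": "Via", "value": "1.1 proxy.example"}],
                      "content": {"mimeType": "text/html", "text": "<html>ok</html>"}}},
        {"request": {"method": "GET", "url": "https://www.example.com/api"},
         "response": {"status": 0, "statusText": "", "headers": [],
                      "content": {}, "_error": "net::ERR_CONNECTION_RESET"}},
    ]}
})


def classify(entry):
    """Label one HAR entry by what the client actually received."""
    resp = entry.get("response", {})
    status = resp.get("status", 0)
    if status == 0 or resp.get("_error"):
        # No HTTP response at all: DNS, TCP or TLS failed; not a policy verdict.
        return "network_error"
    body = (resp.get("content") or {}).get("text") or ""
    if status == 407:
        return "proxy_auth_required"
    if status == 403 and "access denied" in body.lower():
        return "policy_block"          # heuristic match on the exception page text
    if status == 403:
        return "forbidden"             # 403 from the origin or an unrecognised page
    return "ok" if status < 400 else "http_error"


def triage_har(har_text, domain=None):
    """Return url/status/Via/result rows, optionally limited to one domain."""
    entries = json.loads(har_text)["log"]["entries"]
    rows = []
    for entry in entries:
        url = entry["request"]["url"]
        if domain and domain not in url:
            continue
        headers = {h["name"].lower(): h["value"] for h in entry["response"].get("headers", [])}
        rows.append({
            "url": url,
            "status": entry["response"].get("status", 0),
            # A Via header, when present, names the proxy that relayed the response.
            "via": headers.get("via", ""),
            "result": classify(entry),
        })
    return rows


if __name__ == "__main__":
    for row in triage_har(SAMPLE_HAR, "www.example.com"):
        print(f"{row['status']:>3} {row['result']:<20} via={row['via'] or '-'} {row['url']}")
```

Use `triage_har(open("export.har").read(), "<domain>")` on the file collected from the user's browser. A "policy_block" row confirms the Proxy answered with its exception page and the policy trace is the place to look; a "network_error" row means the request never got a response, so the packet capture, not the policy, explains the failure.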
#### ALTERNATIVE WAY TO SET UP THE POLICY TRACE USING THE CPL CODE (STEP 8-9) ####
Add CPL code by creating a new CPL layer in the Web Visual Policy Manager and pasting the customized code:
; * * * * * * * * * * * * Policy Trace for troubleshooting * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
<dns-Proxy>
client.address=<test-client-ip> trace.destination(myTraceForDNS) trace.request(yes) trace.session(yes)
<SSL>
client.address=<test-client-ip> trace.destination(myTraceFor_TLS_SSL_decision) trace.request(yes) trace.session(yes)
<ssl-intercept>
client.address=<test-client-ip> trace.destination(myTraceFor_TLS_SSL_Intercept) trace.request(yes) trace.session(yes)
<proxy>
client.address=<test-client-ip> trace.destination(myTraceForProxy) trace.request(yes) trace.session(yes)
<Cache>
client.address=<test-client-ip> trace.destination(myTraceForCache) trace.request(yes) trace.session(yes)
<Exception>
client.address=<test-client-ip> trace.destination(myTraceForException) trace.request(yes) trace.session(yes)
<Forward>
client.address=<test-client-ip> trace.destination(myTraceForForward) trace.request(yes) trace.session(yes)
; * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
After pasting, click Apply Policy
####################
HOW TO BYPASS URLS VIA PROXY: Troubleshoot issues with a specific web site proxied by Edge SWG (ProxySG) or ASG appliance - https://knowledge.broadcom.com/external/article?articleId=167379
#################
More KB articles regarding Policy trace: