ProxySG/EdgeSWG policy trace and wireshark log for access denied website via Web Visual Policy Manager
Article ID: 263111

Updated On: 05-09-2024

Products

  • ISG Proxy
  • ProxySG Software - SGOS
  • Advanced Secure Gateway Software - ASG

Issue/Introduction

Access to the website is denied via Proxy

 

Access Denied message seen in the browser when trying to reach a website:

  • Access Denied (policy_denied)
  • Your system policy has denied the requested action
  • For assistance, contact your network support team

Environment

ProxySG/EdgeSWG SGOS with SGAC

Cause

#### CHECK THE URL FOR CATEGORIZATION AND THREAT RISK ####


STEP1

Check which URL is being blocked by the Proxy and is not displayed properly on the workstation that connects via the Proxy - EXAMPLE: https://<domain>

 

STEP2

By default the ProxySG uses the Bluecoat WebPulse filter for categorization and threat risk, so check that your site is correctly categorized and not marked as malicious.

Webpulse Sitereview: https://sitereview.bluecoat.com/#/ 

 

CATEGORY ASSIGNED: List of categories

 

NOTE: You can request a change if you feel like the site is not properly categorized.

 

Sites that are NOT CATEGORIZED, or that are INTERNAL CUSTOMER DOMAINS (not resolvable in public DNS), can be marked as suspicious/malicious:

 

STEP3

Check which IP the URL (ex. <domain>) resolves to via DNS. Open a Windows CMD and type nslookup <domain>

 

C:\Users\user>nslookup <domain>
Server:  <dns-domain-name>
Address:  <dns-server-ip>

Non-authoritative answer:
Name:    <domain>
Addresses:  <domain-ip-address>

 

STEP4

Ensure that the ProxySG can resolve the domain via the DNS servers configured on the Proxy. Open an SSH connection to the Proxy Management IP using ex. the PuTTY client.

Use the command: test dns <domain> bypass-cache

 

ProxySG#test dns <domain> bypass-cache
Performing DNS lookup for: <domain>

Sending A query for <domain> to <dns-server-ip>

DNS Response data:
Official Host Name: <domain>
Resolved Addresses:
  <domain-ip-address>
Cache TTL: 11354, cache MISS
DNS Resolver Response: Success

 

The output shows which DNS server resolved the domain and whether the resolution succeeded. If it did not succeed, it is a DNS issue.

 

STEP5

Please write down the information gathered regarding the URL:

  • URL: <domain>
  • IP: <domain-ip-address>
  • WEBPULSE CATEGORY: Technology/Internet
  • Proxy DNS resolution: OK (DNS: <dns-server-ip>)
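As an added example (not part of the original article), the following Python script parses the nslookup output from step 3 and the ProxySG "test dns" output from step 4, compares the addresses both sides resolve, and produces the step 5 summary. A mismatch between workstation and proxy resolution is the typical sign of an internal domain that the proxy's DNS servers cannot see. The sample outputs and addresses are constructed.

```python
import re

# Constructed sample output, shaped like the Windows nslookup and the
# ProxySG "test dns <domain> bypass-cache" output shown in steps 3 and 4.
NSLOOKUP_OUT = """\
Server:  dns01.corp.example
Address:  10.0.0.53

Non-authoritative answer:
Name:    www.example.test
Addresses:  203.0.113.10
          203.0.113.11
"""

TEST_DNS_OUT = """\
Performing DNS lookup for: www.example.test

Sending A query for www.example.test to 10.0.0.53

DNS Response data:
Official Host Name: www.example.test
Resolved Addresses:
  203.0.113.10
  203.0.113.11
Cache TTL: 11354, cache MISS
DNS Resolver Response: Success
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_nslookup(text):
    """Return (DNS server used, set of answer addresses) from nslookup output."""
    server = IPV4.search(text.split("Non-authoritative", 1)[0])  # header part only
    answer = text.split("answer:", 1)[1] if "answer:" in text else ""
    return (server.group(0) if server else None, set(IPV4.findall(answer)))

def parse_test_dns(text):
    """Return server, addresses, cache state and success flag from 'test dns' output."""
    server = re.search(r"Sending A query for \S+ to (\S+)", text)
    block = text.split("Resolved Addresses:", 1)[1] if "Resolved Addresses:" in text else ""
    return {"server": server.group(1) if server else None,
            "addresses": set(IPV4.findall(block.split("Cache TTL", 1)[0])),
            "cache_miss": "cache MISS" in text,
            "success": "DNS Resolver Response: Success" in text}

def compare_resolution(domain, nslookup_text, test_dns_text):
    """Build the step 5 summary and a verdict on workstation vs. proxy DNS."""
    ws_server, ws_addrs = parse_nslookup(nslookup_text)
    px = parse_test_dns(test_dns_text)
    if not px["success"] or not px["addresses"]:
        verdict = "FAIL: proxy could not resolve the domain (DNS issue)"
    elif ws_addrs != px["addresses"]:
        verdict = "MISMATCH: workstation and proxy resolve different addresses"
    else:
        verdict = "OK"
    return {"url": domain, "workstation_dns": ws_server, "workstation_ips": sorted(ws_addrs),
            "proxy_dns": px["server"], "proxy_ips": sorted(px["addresses"]), "verdict": verdict}

if __name__ == "__main__":
    for k, v in compare_resolution("www.example.test", NSLOOKUP_OUT, TEST_DNS_OUT).items():
        print(f"{k}: {v}")
```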

Resolution

#### TROUBLESHOOTING THE URL THAT IS BEING BLOCKED ####

 

STEP6

Check your policy to see whether this URL is covered by a policy rule for the destination URL/category with an ALLOW action.

Open the EdgeSWG Management Console in a browser at https://<proxy-ip>:8082 and click the Visual Policy Manager link in the top-right corner:

 

 

STEP7

Find out which workstations cannot reach the website and choose one of them for testing, based on the behaviour or on the source defined in the rule - EXAMPLE: <test-client-ip>

 

STEP8

In the Web Visual Policy Manager window, click Add Layer, choose the Web Access layer and name it DEBUG.

Then click Source >> Set… >> Add New… >> Client IP address/subnet. Enter the IP of the endpoint client <test-client-ip> with subnet 255.255.255.255 and click Add, Close, OK.




The source has been added. You can specify the destination with Request URL: <domain>, or leave it blank (the trace will then collect all requests from the PC).

 

 

In the Action field please right-click and Delete. This will make the rule transparent to other defined rules as we don't need to allow/deny but just track behavior.

In the Trace field, please right-click on Track >> Set… >> New… >> Trace. Name the trace ex. Trace1, tick trace level at trace enabled, then click 2xOK.

The Web Access trace should look like this:

  • Source: <test-client-ip>/255.255.255.255
  • Destination: Any or specified url as with previous rule ex. <domain>
  • Action: None
  • Track: Trace1

 

Click on Apply Policy



STEP9

If the URL that is being blocked is SSL-intercepted in your policy, one more change is needed.

Go to your SSL Intercept layer and create a rule with the same scheme as before:

  • Source: <test-client-ip>/255.255.255.255
  • Destination: Any or specified url as with previous rule ex. <domain>
  • Action: SSLInterception (default bluecoat keyring or the custom one in use)
  • Track: Trace1

 

Click Install Policy

 

STEP10

Go back to the main Proxy Console window, then to Administration >> Service information >> Packet capture

Set the packet trace filter to

ip host <test-client-ip> or ip host <domain> or port 53 or ip host <proxy-ip> or port 443 or port 80 or ip host <domain-ip-address>

 

Click Apply on the bottom, then click Start capture…>> Start Capture



The policy debug and the capture have started.

 

STEP11

On the testing device <test-client-ip> where the issue occurs, open a browser with Incognito mode and try to access/test the blocked website - ex. <domain>

 

STEP12

On the PC that is connected to the Proxy Management Console, open the browser and type the Proxy Management address https://<proxy-ip>:8082/Policy 

Look if the trace was captured under Trace1

 

Open the Trace1 link, press CTRL+F and search for the URL <domain>. If it is there, copy the contents of Trace1 into a text file Trace1.txt and save it on the desktop.

 



STEP13

Go back to the ProxySG > Administration > Service Information > Packet Capture tab, click Stop Capture, then Download Capture, and save the file on the desktop.

 

STEP14

Go back to the Visual Policy Manager and delete/disable the rules created in steps 8-9.

 

STEP15

If you would like to send the captures to the case ticket automatically, go to ProxySG >> Administration >> Service Information >> Send Information >> Send Selected Info Now

Type the case number in the Service Request Number. Click on the Newest, tick Packet Capture, Policy Trace File, Access Logs, Event Log and SysInfo, then click on Send.



The files should be uploaded directly to the Broadcom case. Otherwise you need to upload the policy trace and the Wireshark capture to the case manually as attachments.

 

STEP16

Finally, you can delete the trace that was taken from the ProxySG by going to https://<proxy-ip>:8082/Policy

 

OPTIONAL TRACE FROM USER BROWSER

If you do not see a policy blocked message in your browser but some other problem, take a screenshot of the web browser view and collect a HAR file from the web browser - https://knowledge.broadcom.com/external/article/170836/obtain-a-har-file.html. The HAR file can be used to confirm whether the Proxy is blocking the request or whether there is another networking issue.

Additional Information

#### ALTERNATIVE WAY TO SET UP THE POLICY TRACE USING THE CPL CODE (STEP 8-9) ####

Add CPL code by creating a new CPL layer in the Web Visual Policy Manager and pasting the customized code:

; * * * * * * * * * * * * Policy Trace for troubleshooting * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
<dns-Proxy>
client.address=<test-client-ip> trace.destination(myTraceForDNS) trace.request(yes) trace.session(yes)
<SSL>
client.address=<test-client-ip> trace.destination(myTraceFor_TLS_SSL_decision) trace.request(yes) trace.session(yes)
<ssl-intercept>
client.address=<test-client-ip> trace.destination(myTraceFor_TLS_SSL_Intercept) trace.request(yes) trace.session(yes)
<proxy>
client.address=<test-client-ip> trace.destination(myTraceForProxy) trace.request(yes) trace.session(yes)
<Cache>
client.address=<test-client-ip> trace.destination(myTraceForCache) trace.request(yes) trace.session(yes)
<Exception>
client.address=<test-client-ip> trace.destination(myTraceForException) trace.request(yes) trace.session(yes)
<Forward>
client.address=<test-client-ip> trace.destination(myTraceForForward) trace.request(yes) trace.session(yes)
; * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 

After pasting, click Apply Policy
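As an added example (not part of the original article), this Python script checks a customized CPL trace layer like the one above before it is installed: every rule must be scoped to the test client's client.address (an unscoped rule traces every user's requests), must name a trace.destination, and must carry no allow/deny action so the layer stays transparent as described in step 8. The CPL sample is constructed, with one deliberately unscoped rule in the <proxy> layer.

```python
import re

# Constructed CPL modelled on the trace layer in this article; the rule in
# the <proxy> layer is deliberately missing its client.address condition.
CPL_TRACE = """\
; Policy Trace for troubleshooting
<dns-Proxy>
client.address=192.0.2.25 trace.destination(myTraceForDNS) trace.request(yes) trace.session(yes)
<SSL>
client.address=192.0.2.25 trace.destination(myTraceFor_TLS_SSL_decision) trace.request(yes) trace.session(yes)
<proxy>
trace.destination(myTraceForProxy) trace.request(yes) trace.session(yes)
<Cache>
client.address=192.0.2.25 trace.destination(myTraceForCache) trace.request(yes) trace.session(yes)
"""

LAYER = re.compile(r"^<([^>]+)>$")
DEST = re.compile(r"trace\.destination\(([^)]+)\)")

def check_trace_layer(cpl, test_client):
    """Return a list of findings; an empty list means the trace layer is scoped as intended."""
    findings, layer = [], None
    for n, raw in enumerate(cpl.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()   # ';' starts a CPL comment
        if not line:
            continue
        m = LAYER.match(line)
        if m:
            layer = m.group(1)
            continue
        if f"client.address={test_client}" not in line:
            findings.append(f"line {n} <{layer}>: rule is not scoped to {test_client}; it would trace every client")
        if re.search(r"\b(allow|deny)\b", line, re.I):
            findings.append(f"line {n} <{layer}>: trace rule carries an allow/deny action; keep it transparent")
        if not DEST.search(line):
            findings.append(f"line {n} <{layer}>: rule has no trace.destination(), so it writes no named trace file")
    return findings

if __name__ == "__main__":
    for f in check_trace_layer(CPL_TRACE, "192.0.2.25") or ["no findings"]:
        print(f)
```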

 

####################

HOW TO BYPASS URLS VIA PROXY: Troubleshoot issues with a specific web site proxied by Edge SWG (ProxySG) or ASG appliance - https://knowledge.broadcom.com/external/article?articleId=167379 

#################

More KB articles regarding Policy trace: