Cisco Cisco Web Security Appliance S170 Guía Del Usuario
A-10
AsyncOS 8.6 for Cisco Web Security Appliances User Guide
Appendix A Troubleshooting
Policy Problems
User Matches Global Policy for HTTPS and FTP over HTTP Requests
When the appliance uses cookie-based authentication, the Web Proxy does not get cookie information
from clients for HTTPS and FTP over HTTP requests. Therefore, it cannot get the user name from the
cookie.
from clients for HTTPS and FTP over HTTP requests. Therefore, it cannot get the user name from the
cookie.
HTTPS and FTP over HTTP requests still match the according to the other membership criteria, but the
Web Proxy does not prompt clients for authentication even if the requires authentication. Instead, the
Web Proxy sets the user name to NULL and considers the user as unauthenticated.
Web Proxy does not prompt clients for authentication even if the requires authentication. Instead, the
Web Proxy sets the user name to NULL and considers the user as unauthenticated.
Then, when the unauthenticated request is evaluated against a policy, it matches only a policy that
specifies “All Identities” and apply to “All Users.” Typically, this is the global policy, such as the global
Access Policy.
specifies “All Identities” and apply to “All Users.” Typically, this is the global policy, such as the global
Access Policy.
User Assigned Incorrect Access Policy
•
Clients on your network use Network Connectivity Status Indicator (NCSI)
•
Web Security appliance uses NTLMSSP authentication.
•
uses IP based surrogates
A user might be identified using the machine credentials instead of the user’s own credentials, and as a
result, might be assigned to an incorrect Access Policy.
result, might be assigned to an incorrect Access Policy.
Workaround:
•
Reduce the surrogate timeout value for machine credentials.
Step 1
Use the advancedproxyconfig > authentication CLI command.
Step 2
Enter the surrogate timeout for machine credentials.
Policy Troubleshooting Tool: Policy Trace
•
•
•
•
About the Policy Trace Tool
The Policy Trace Tool can emulate a client request and then detail how the Web Proxy processes that
request. It can be used to trace client requests and debug policy processing when troubleshooting Web
Proxy issues. You can perform a basic trace, or you can enter advanced trace settings and override options.
request. It can be used to trace client requests and debug policy processing when troubleshooting Web
Proxy issues. You can perform a basic trace, or you can enter advanced trace settings and override options.
The policy trace tool evaluates requests against polices used by the Web Proxy only. These are Access,
Encrypted HTTPS Management, Routing, Data Security, and Outbound Malware Scanning polices.
Encrypted HTTPS Management, Routing, Data Security, and Outbound Malware Scanning polices.
Note
SOCKS and External DLP polices are not evaluated by the policy trace tool.