Руководство Пользователя для Cisco Cisco Web Security Appliance S170
A-14
AsyncOS 8.7 for Cisco Web Security Appliances User Guide
Appendix A Troubleshooting
Policy Problems
•
•
About the Policy Trace Tool
The Policy Trace Tool can emulate a client request and then detail how the Web Proxy processes that
request. It can be used to trace client requests and debug policy processing when troubleshooting Web
Proxy issues. You can perform a basic trace, or you can enter advanced trace settings and override options.
request. It can be used to trace client requests and debug policy processing when troubleshooting Web
Proxy issues. You can perform a basic trace, or you can enter advanced trace settings and override options.
The policy trace tool evaluates requests against polices used by the Web Proxy only. These are Access,
Encrypted HTTPS Management, Routing, Data Security, and Outbound Malware Scanning polices.
Encrypted HTTPS Management, Routing, Data Security, and Outbound Malware Scanning polices.
Note
SOCKS and External DLP polices are not evaluated by the policy trace tool.
Note
When you use the policy trace tool, the Web Proxy does not record the requests in the access log or
reporting database.
reporting database.
Tracing Client Requests
Step 1
Choose System Administration > Policy Trace.
Step 2
Enter the URL you wish to trace to in the Destination URL field.
Step 3
(Optional) Enter additional emulation parameters:
Step 4
Click Find Policy Match.
The policy trace output is displayed in the Results pane.
To emulate...
Enter...
The client source IP used to make the request.
An IP address in the Client IP Address field.
Note
If an IP address is not specified, AsyncOS
uses localhost. Also, SGTs (security group
tags) cannot be fetched and policies based on
SGTs will not be matched.
uses localhost. Also, SGTs (security group
tags) cannot be fetched and policies based on
SGTs will not be matched.
The authentication/identification credentials
used to make the request.
used to make the request.
A user name in the User Name field, and then choose
Identity Services Engine or an authentication realm
from the Authentication/Identification drop-down list.
Identity Services Engine or an authentication realm
from the Authentication/Identification drop-down list.
Note
Only enabled option(s) are available. That is,
authentication options and the ISE option are
available only if they are both enabled.
authentication options and the ISE option are
available only if they are both enabled.
For authentication of the user you enter here, the user
must have already successfully authenticated through
the Web Security appliance.
must have already successfully authenticated through
the Web Security appliance.