Through Web policies, you set the rules as to how Umbrella applies security and access control to your identities Web traffic. This article will help an Umbrella administrator:
- Confirm that Web traffic is routed to Umbrella’s Secure Web Gateway (SWG)
- Identify the applied Web Policy for a given identity
- Conduct basic Web policy troubleshooting
Confirm Traffic is Reaching the SWG
If traffic is sent to the SWG the public IP address will fall within the 188.8.131.52/16 or 184.108.40.206/16 range. The following test will determine if traffic is reaching the SWG.
|The external IP will fall within the 220.127.116.11/16, 18.104.22.168/16 or 22.214.171.124/16|
|https://www.toolsvoid.com/proxy-test||Information about any proxy servers on your internet connection|
|http://httpbin.org||A simple HTTP Request and Response Service. Run a GET request and look for the origin of the JSON output|
|View the SSL certificate chain within the Web browser|
Determine the Web Policy
To know which Web policy the identity is matching a given identity, the administrator will need to open a Web browser on the client machine and navigate to the following debug link:
The output will look similar to the example below:
<OrgID> is a unique organization identifier
<Bundle ID> is a unique policy identifier
If the administrator is logged into the Umbrella dashboard, clicking the link will direct them to the applied Web Policy. In the screenshot below, we see the ‘webpolicy’ (bundle 1215094) is applied.
- Ensure traffic is routed to the SWG
- Ensure the Web policy is applied to the expected identity. Please see: https://docs.umbrella.com/deployment-umbrella/v1.0.6/docs/add-a-gateway-policy
- If the domain is bypassing the SWG, check if the domain is listed in the dashboard's 'External Domains' list. Found under Deployments > Configuration > Domain Management
If you are raising a Support case, please provide the following:
- A copy of the debug link
- The expected identity and Web policy
- Method of connection to the SWG: PAC file, AnyConnect SWG module or Tunnel
The command nslookup-q=txt debug.opendns.com cannot be used to determine policy for SWG and is only limited to determining policy for DNS.