Layer 3 switches with Access Control Lists prevent Symantec Web Gateway in span/tap mode from blocking URLs and displaying a block page.

Article:TECH158328  |  Created: 2011-04-18  |  Updated: 2012-10-01  |  Article URL
Article Type
Technical Solution



When you enable Access Control Lists (ACLs) within one or more Layer 3 switches, Symantec Web Gateway (SWG) appliance in Span/Tap mode fails to block pages by URL and fails to display a blocking page. Instead browsers clients are able to access content that SWG would otherwise block.


To implement URL blocking in Span/Tap mode, SWG appliance performs TCP session hijacking. When SWG detects an URL that is in a category for which SWG has a policy which the action of "BLOCK", SWG sends a TCP RST packet to the foreign IP address. SWG also sends a blocking page to the local IP address.

Layer 3 switches have multiple security features which can interfere with SWG using TCP session hijacking to block content in this way.



Do one of the following:

  • Within the Layer 3 switch where SWG is connected, disable ACLs and other security features preventing session hijacking. Please consult the documentation on your Layer 3 switch for more information.
  • Deploy SWG appliance in Inline mode.
  • Retain SWG appliance in Span/Tap, but change from Blocking to Monitoring.

Article URL

Terms of use for this information are found in Legal Notices