Layer 3 switches with Access Control Lists prevent Symantec Web Gateway in span/tap mode from blocking URLs and displaying a block page.
Article: TECH158328 | Created: 2011-04-18 | Updated: 2012-10-01 | Article URL: http://www.symantec.com/docs/TECH158328
When you enable Access Control Lists (ACLs) on one or more Layer 3 switches, a Symantec Web Gateway (SWG) appliance in Span/Tap mode fails to block pages by URL and fails to display a blocking page. Instead, browser clients are able to access content that SWG would otherwise block.
To implement URL blocking in Span/Tap mode, the SWG appliance performs TCP session hijacking. When SWG detects a URL in a category for which SWG has a policy whose action is BLOCK, SWG sends a TCP RST packet to the foreign IP address. SWG also sends a blocking page to the local IP address.
Layer 3 switches have multiple security features that can interfere with SWG's use of TCP session hijacking to block content in this way.
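The following model illustrates why an out-of-band blocking scheme of this kind depends on the switch forwarding segments that do not originate from the appliance's own address. It is an added example, not Symantec code and not a description of any vendor's ACL syntax: the addresses are constructed from RFC 5737 documentation ranges, the anti-spoofing ingress ACL is an assumption about one security feature that behaves as the article describes, and the derivation of sequence and acknowledgement numbers from the observed request is likewise an assumption about how the endpoints are made to accept the injected segments. No packets are built or sent; the code only tracks which modelled segments reach each endpoint.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses from RFC 5737 documentation ranges; not taken from the article.
CLIENT = "192.0.2.10"        # local (browser) address
SERVER = "198.51.100.80"     # foreign (web server) address
SWG = "192.0.2.250"          # the monitoring appliance's own address (assumption)
INSIDE_NET = ip_network("192.0.2.0/24")


@dataclass(frozen=True)
class Segment:
    """Only the TCP fields the model needs; no real packets are built or sent."""
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: str              # e.g. "PA" = PSH+ACK, "R" = RST, "FPA" = FIN+PSH+ACK
    payload: bytes = b""
    ingress_port: str = ""  # switch port the segment arrives on: inside, uplink, swg


def span_tap_block(request: Segment, block_html: bytes) -> list[Segment]:
    """Model of the block action the article describes: a RST toward the foreign address
    and a block page toward the local address. Both are emitted by the appliance, so they
    enter the switch on the appliance's port while carrying the endpoints' addresses.
    Deriving seq/ack from the observed request is an assumption, not documented behaviour."""
    next_seq = request.seq + len(request.payload)
    rst_to_server = Segment(request.src, request.dst, request.sport, request.dport,
                            seq=next_seq, ack=request.ack, flags="R", ingress_port="swg")
    headers = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n"
               b"Connection: close\r\nContent-Length: %d\r\n\r\n" % len(block_html))
    page_to_client = Segment(request.dst, request.src, request.dport, request.sport,
                             seq=request.ack, ack=next_seq, flags="FPA",
                             payload=headers + block_html, ingress_port="swg")
    return [rst_to_server, page_to_client]


def ingress_acl_permits(seg: Segment) -> bool:
    """Simplified anti-spoofing ingress ACL: each port may only source addresses that
    legitimately live behind it. A model of one ACL style, not any vendor's configuration."""
    src = ip_address(seg.src)
    if seg.ingress_port == "inside":
        return src in INSIDE_NET
    if seg.ingress_port == "uplink":
        return src not in INSIDE_NET
    if seg.ingress_port == "swg":
        return src == ip_address(SWG)   # the appliance may only speak as itself
    return False


def forward(segments: list[Segment], acl_enabled: bool) -> list[Segment]:
    """Switch forwarding: with the ACL on, segments failing the ingress check are dropped."""
    return [s for s in segments if not acl_enabled or ingress_acl_permits(s)]


def simulate(acl_enabled: bool) -> dict[str, bool]:
    """Run one policy-blocked request through the switch and report what each endpoint got."""
    request = Segment(CLIENT, SERVER, 51515, 80, seq=1000, ack=5000, flags="PA",
                      payload=b"GET /forbidden HTTP/1.1\r\nHost: example.test\r\n\r\n",
                      ingress_port="inside")
    injected = span_tap_block(request, b"<html>Blocked by policy</html>")
    delivered = forward([request] + injected, acl_enabled)
    server_reset = any(s.dst == SERVER and "R" in s.flags for s in delivered)
    client_blocked = any(s.dst == CLIENT and s.payload.startswith(b"HTTP/1.1 403")
                         for s in delivered)
    return {"server_reset": server_reset, "client_blocked": client_blocked}


if __name__ == "__main__":
    for acl in (False, True):
        print(f"ACL enabled={acl}: {simulate(acl)}")
```

With the ACL off, both injected segments are forwarded, the server-side session is reset and the client receives the block page. With the ACL on, the request itself still passes (it arrives on an inside port with an inside source), but both appliance-generated segments are dropped at ingress because they carry addresses the appliance's port is not permitted to source, which is exactly the symptom described: the URL is not blocked and no block page is displayed. The same forwarding model also explains why Inline mode is unaffected, since there the appliance sits in the traffic path and need not inject segments under other hosts' addresses.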
Do one of the following:
- Within the Layer 3 switch to which SWG is connected, disable ACLs and other security features that prevent session hijacking. Consult the documentation for your Layer 3 switch for more information.
- Deploy the SWG appliance in Inline mode.
- Retain the SWG appliance in Span/Tap mode, but change from Blocking to Monitoring.