Detection Type

Description

Comments

No matched Zero Trust Secure Access rule

There is no match to any Cloud Access Rule.

Missing or invalid client certificate

Due to the client certificate requirement, it is unable to decrypt the traffic.

Tunnel this traffic by default. Customers can also add these URLs to the HTTPS Inspection Exception.

Untrusted server certificate

The server certificate is not trusted.

Trust the cert in the HTTPS Inspection → TLS/SSL Certificates

HTTPS inspection exception

The traffic is in the HTTPS Inspection Exceptions or does not match any HTTPS Inspection Rule.

If want to decrypt, please add one HTTPS Inspection Rule to decrypt or remove from the HTTPS Inspection Exceptions.

HTTPS inspection failure

Decryption failed due to reasons like SSL ERROR, Client Closed, Network ERROR.

HTTPS bypass at inspection failure

Auto tunnel due to decryption failed.

Approved URLs

URLs in the company Allow List

Remove from the company Allow List if want to match Cloud Access Rules.

Blocked URLs

URLs in the company Deny List

Remove from the company Deny List if want to match Cloud Access Rules.

Private IP address access

Access one private destination address

Web Reputation

Match the WRS in one Threat Protection Profile.

URL Filtering

Match the Cloud Access Rule with some URL Categories selected.

Application Control

Match the Cloud Access Rule with some custom cloud app categories.

Anti-malware scan

Match one Threat Protection Profile, content scan.

Predictive Machine Learning

Match the Prediction Machine Learning in one Threat Protection Profile.

Botnet

Match the Botnet in one Threat Protection Profile.

Virtual Analyzer submission

Match the Sandbox Analysis in one Threat Protection Profile.

Suspicious Object Blocked List

Match the suspicious objects in one Threat Protection Profile.

Data Loss Prevention

Match the Data Loss Prevention profile.

Ransomware

Match one Threat Protection Profile and detected as the ransomware.

Risk Control

Match the risk control rule.

Non-compliant device

Match one cloud access rule with one device posture profile.

How to check Cloud Access Rule match issue in Trend Vision One

Product / Version includes:

Trend Vision OneAll

Last updated: 2023/12/18

Solution ID: KA-0015480

Category: Configure , Troubleshoot

Summary

This article will provide you steps on how to troubleshoot the Cloud Access Rule match issue in Trend Vision One.

Check first if the environment has the ZTSA agent deployed. If it is deployed, make sure the traffic is redirected to the ZTSA IA. You can use the Diagnose age to check the ZTSA IA connection status. If the connection is 'Connected as proxy server', check if the URL exists in the PAC File skiphosts or not. If the URL is not in the PAC File skipshots, follow the steps to check. (It is the same if ZTSA Agent is not deployed).

If the environment does not have the ZTSA agent deployed, follow these steps:

Check whether the traffic is decrypted or not.
- If the Cloud Access Rule has file profiles, HTTP/HTTPS request filters, add one HTTPS Inspection Rule to decrypt the traffic.
- If the Cloud Access Rule has some custom cloud app actions, add one HTTPS Inspection Rule to decrypt the traffic.
- If customers want to match the Tenancy Restriction, ATP (File Scan, DDAaaS, DDAN), DLP, add one HTTPS Inspection Rule to decrypt the traffic.
Deploy the HTTPS inspection default CA to the client if does not use the cross-signed CA. Refer to the Docs Center article, Deploying the Built-in CA Certificate.
If it configures some private IP in the Cloud Access Rule, it only works for the gateway traffic. Customers can deploy the on-premises gateway or add the cloud gateway location.

If the traffic is decrypted, check the logs from Search App.

clientIp - Make sure the logs belong to your own client.
urlCat - If the Cloud Access Rule has configured some URL categories, check this information.
act -The traffic action
ruleName - Check the matched ruleName. If it is not the expected ruleName, check the rule priority.
principalName - Check if the Cloud Access Rule has configured some users.
sender - Check if the Cloud Access Rule has configured some locations.
profile - It shows the matched ATP profile name or the DLP Profile name.
failedHTTPSInspection - Decrypt failed if it is true.
respCode - It is 200, 403, or some abnormal status like 503, 502, or 400.

detectionType:

Detection Type	Description	Comments
No matched Zero Trust Secure Access rule	There is no match to any Cloud Access Rule.
Missing or invalid client certificate	Due to the client certificate requirement, it is unable to decrypt the traffic.	Tunnel this traffic by default. Customers can also add these URLs to the HTTPS Inspection Exception.
Untrusted server certificate	The server certificate is not trusted.	Trust the cert in the HTTPS Inspection → TLS/SSL Certificates
HTTPS inspection exception	The traffic is in the HTTPS Inspection Exceptions or does not match any HTTPS Inspection Rule.	If want to decrypt, please add one HTTPS Inspection Rule to decrypt or remove from the HTTPS Inspection Exceptions.
HTTPS inspection failure	Decryption failed due to reasons like SSL ERROR, Client Closed, Network ERROR.
HTTPS bypass at inspection failure	Auto tunnel due to decryption failed.
Approved URLs	URLs in the company Allow List	Remove from the company Allow List if want to match Cloud Access Rules.
Blocked URLs	URLs in the company Deny List	Remove from the company Deny List if want to match Cloud Access Rules.
Private IP address access	Access one private destination address
Web Reputation	Match the WRS in one Threat Protection Profile.
URL Filtering	Match the Cloud Access Rule with some URL Categories selected.
Application Control	Match the Cloud Access Rule with some custom cloud app categories.
Anti-malware scan	Match one Threat Protection Profile, content scan.
Predictive Machine Learning	Match the Prediction Machine Learning in one Threat Protection Profile.
Botnet	Match the Botnet in one Threat Protection Profile.
Virtual Analyzer submission	Match the Sandbox Analysis in one Threat Protection Profile.
Suspicious Object Blocked List	Match the suspicious objects in one Threat Protection Profile.
Data Loss Prevention	Match the Data Loss Prevention profile.
Ransomware	Match one Threat Protection Profile and detected as the ransomware.
Risk Control	Match the risk control rule.
Non-compliant device	Match one cloud access rule with one device posture profile.

mimeType, fileType, fileName - Check if the Cloud Access Rule has configured the file profile.
If the Cloud Access Rule with Cloud Application cannot be matched, check the URL in Trend Micro Site Safety Center. It should have the Cloud Applications. If not, please submit a SEG case.

If all information are correct, but the Cloud Access Rule can not be matched, disable and enable the rule again. Wait a couple of minutes, and trigger the traffic again.

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

How to check Cloud Access Rule match issue in Trend Vision One

How to check Cloud Access Rule match issue in Trend Vision One

Product / Version includes:

Summary