[IAG] Customized URL for some domain names is not effective
Problem Description
The IAG uses a custom URL to configure multiple WPS domain names, but one of the domain names is not recognized as a custom WPS and is rejected.
Effective troubleshooting steps
- Check that the corresponding custom URL contains httpdns.wps.cn, and the corresponding user has been online on the IAG device and matched the corresponding application access restriction policy;
- In the Internet behavior monitoring search, it was found that the application name matched by the corresponding domain name was "other" instead of "wps", and other domain names above and below the record were all matched with "wps" and rejected;
- No access log records corresponding to the domain name were found in any behavior logs in the intranet log center;
- Open the firewall debug log in the background of the IAG device and capture the packet. The client triggers access to the domain name. It is found that the host requested by the corresponding data packet is the IP address 120.92.33.171 instead of the httpdns.wps.cn domain name, resulting in IAG not being able to identify and match it.
Root cause
It is found that the host field of the corresponding data packet request is the IP address 120.92.33.171 instead of the httpdns.wps.cn domain name, resulting in IAG not being able to identify and match it.
solution
After adding the corresponding IP address 120.92.33.171 to the custom URL rule, the test shows that the domain name access record is no longer allowed.
Original Link
https://support.sangfor.com.cn/cases/list?product_id=22&type=1&category_id=24587&isOpen=true