Policy Trace not returning any policy matches

Frank Dukes
Level 1

Hi Guys,

Our issue here is that when we run a policy trace on any of our AD users - it doesn't seem to pull any group information and does not match any policies either.

However, if I try to access a URL like www.google.ie and monitor the activity from the CLI - I can see that the user has in fact had certain policies applied to it.

Does anyone have any suggestions as to how to resolve this?

Running the command testauthconfig - completes successfully.

Cheers

3 Replies

Christian Rahl
Level 1

What version of WSA are you running?

Also, when typing in the username for the Policy trace, include the domain name in all caps. For example: CISCO\test

The domain name needs to be all caps in order to match correctly. If that still does not work, let me know.

Christian Rahl

Customer Support Engineer

Cisco IronPort - Web Security Appliances

Cisco Technical Assistance Center RTP

United States Ironport: 1-877-641-IRON (4766)

Hi Christian,

I tried what you requested, but still no luck.

I can search for a user in the root domain and it will display policy information for that user. However, if I specify a user in a subdomain I get nothing back.

Cisco support seem to be suggesting that the Policy trace utility is useless and that I should use the CLI for any tracing - which is what I have been doing.

The policy trace utility would be handy though, as it's easier than deciphering the squid type logs.

Regards

Policy trace is not useless. However it is just another test. I would recommend using it as a confirmation of what you expected to happen. The real explanation of what will happen inside your box is the access-logs.

Can you take a screenshot of your test for me? Also when you say subdomains, what do you mean? Other domain names?

Christian Rahl