Accessing websites through Skyhigh Security SSE Cloud Service (Web Gateway) may sometimes result in block messages with the following status codes:
403 Access denied
500 Server Error
502 Cannot connect
The following situations can trigger a block:
High connection rate from SSE Proxy infrastructure (a multi-tenant cloud service where traffic from multiple customers and regions is seen on single IPs)
Geo-Location
Generic IP blocking
Rule-based blocking
Reputation-based blocking
Troubleshooting Block Responses
You can contact CSP Global Support for assistance with any of the actions listed below. We recommend contacting the vendors or website administrators first. The CSP Global Support team can then provide assistance or follow up as necessary.
High connection / rate limit blocks
High connection rates may trigger policies or controls on the destination firewall, leading to blocked access. Alternatively, the service might reject connection requests that exceed normal levels. If you are accessing services through an SSE Point of Presence (PoP), inform your business partners and suppliers that you are using a multi-tenant cloud service with a single, shared egress IP. The destination service might require the SSE network ranges to be put on a firewall allow list. For details about the SSE IP addresses and ranges, please contact CSP Global Support.
Geo-Location blocks
IP-based Geo-Location is the mapping of an IP address or MAC address to the real-world geographic location of a device or service. Skyhigh Security uses major Geo-Location vendors for mapping, and they are informed in time when we put new IP(s) online or apply changes that require Geo-Location information to be updated. Nevertheless, some database providers report incorrect country information, which results in a block action.
IP / Rule-Based / Reputation blocks
If you're blocked or unable to access a website/resource through our SSE Web Proxy, it is usually the result of a policy of the destination vendor/site and could be caused by WAF (Web Application Firewall) rules, generic blocks on IP, or any other security mechanism in place. In such cases the destination vendor/host needs to unblock or add whitelist rules on their systems/services to allow access again.
For blocks not mentioned above, please contact the CSP Global Support team for further assistance. Providing the following first-level information helps us raise the issue with the provider/host and is the minimum required to ensure the request can be resolved smoothly:
Are you getting the error on all websites or only on specific websites/URLs?
What is the website/URL that gives an error when users access it?
Screenshot of the error message as seen by the user.
Since when has this not been working?
Egress IP from the user machine?
Use: https://www.whatismyip.com/ or https://ipchicken.com/
Check the Egress IP from above using https://www.brightcloud.com/tools/url-ip-lookup.php
Open "About Skyhigh Client Proxy" and make a note of the active proxy. Copy to clipboard and save the information.
Browser HAR file: press F12, then save all content as a HAR file.
Wireshark Packet Capture from user machine
If it becomes necessary to engage CSP Global Support, providing the above information expedites the analysis, and complete first-level information helps resolve the case faster.
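The following is an added example, not Skyhigh Security code: it reads a saved browser HAR file and answers the first-level questions above (which sites return 403/500/502, all or only specific ones, and since when). It assumes the standard HAR 1.2 fields `startedDateTime`, `request.url` and `response.status`; the function names and the sample hosts are constructed for illustration.

```python
import json
from datetime import datetime
from urllib.parse import urlsplit

BLOCK_STATUSES = {403, 500, 502}  # status codes named in this article

def _entry(ts, url, status):
    # Helper (hypothetical) that builds one minimal HAR 1.2 entry.
    return {"startedDateTime": ts, "request": {"url": url}, "response": {"status": status}}

# Constructed sample HAR; hosts, paths and times are invented.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    _entry("2024-05-01T09:15:02.120Z", "https://partner.example/login?session=abc", 403),
    _entry("2024-05-01T09:14:40.000Z", "https://partner.example/", 403),
    _entry("2024-05-01T09:16:10.500Z", "https://api.supplier.example/v1/orders", 502),
    _entry("2024-05-01T09:16:30.000Z", "https://intranet.example/home", 200),
]}})

def _parse_ts(value):
    # HAR timestamps are ISO 8601; map a trailing "Z" for older Python versions.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def summarize_blocks(har_text):
    """Group 403/500/502 responses by host: counts, URLs, first occurrence."""
    entries = json.loads(har_text)["log"]["entries"]
    all_hosts, blocked = set(), {}
    for entry in entries:
        parts = urlsplit(entry["request"]["url"])
        all_hosts.add(parts.hostname)
        status = entry["response"]["status"]
        if status not in BLOCK_STATUSES:
            continue
        rec = blocked.setdefault(
            parts.hostname, {"statuses": {}, "urls": set(), "first_seen": None})
        rec["statuses"][status] = rec["statuses"].get(status, 0) + 1
        # Drop the query string: it often carries tokens not needed in a ticket.
        rec["urls"].add(f"{parts.scheme}://{parts.netloc}{parts.path}")
        ts = _parse_ts(entry["startedDateTime"])
        if rec["first_seen"] is None or ts < rec["first_seen"]:
            rec["first_seen"] = ts
    scope = "all" if blocked and set(blocked) == all_hosts else "specific"
    return {"scope": scope, "blocked": blocked}

if __name__ == "__main__":
    report = summarize_blocks(SAMPLE_HAR)
    print("Sites affected:", report["scope"])
    for host, rec in sorted(report["blocked"].items()):
        print(host, rec["statuses"], sorted(rec["urls"]), rec["first_seen"].isoformat())
```

A 403, 500 or 502 in the HAR can also come from the destination itself, so treat the output as a list of candidates to compare against the block page the user saw.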