Troubleshoot Internet Access Rules
To troubleshoot internet access rules:
General troubleshooting tips
- Navigate to the Overview page and check for status notifications.
- Use Activity Search to look for logged events.
Problems while creating the rule
The Next button is unavailable
The Next button is not available until you give the rule a name and then click out of the Rule name field.
Problems after creating a rule
- Internet traffic is unexpectedly blocked
- Internet traffic is unexpectedly allowed
- Internet Access rule is not matching traffic as expected
Internet traffic is unexpectedly blocked
A few things to try, either to temporarily suspend problematic blocks to allow end users to access a needed resource, or to narrow down the cause of the problem:
- Because traffic to internet destinations is allowed by default, there may be one or more existing rules that explicitly block this traffic.
- You can temporarily disable a rule that blocks desired traffic.
- To allow immediate access to a necessary destination that is being blocked by another rule, create a new access rule (using the "Enter manually" option for source and/or destination if necessary) and put this rule at or near the top of the rule list on the Policy page so it hits before more general rules that would otherwise apply to the traffic.
- Try disabling enforcement of certain web security features for a rule, in the Advanced settings at the bottom of the Security Controls section of the rule.
- Try disabling intrusion prevention (IPS) for a rule.
- Try disabling intrusion prevention (IPS) on the Rule Defaults page, which disables it for all rules that are configured to use the default setting for IPS.
- Try disabling decryption for intrusion prevention (IPS) for all rules in Global Settings, which effectively disables intrusion prevention.
- If the issue involves Microsoft 365 applications or sites that use certificate pinning, check Global Settings.
- If all traffic is blocked, make sure you have not inadvertently blocked traffic to a destination that is required infrastructure for managing access. For example, make sure there is no Geolocation rule that blocks traffic to your identity provider (IdP).
Internet traffic is unexpectedly allowed
A few things to try, either to block problematic traffic, or to narrow down the cause:
- Verify that any existing rule blocking the traffic is enabled (toggle at the top of the rule page).
- To immediately block access to a problem destination that is unexpectedly being allowed, you can create a new access rule (using the "Enter manually" option for source and/or destination if necessary).
- Make sure decryption is not disabled in the security profile in the rule that matched the traffic, or in the security profile selected in Rule Defaults.
- Make sure IPS is not disabled in the rule default or in the rule.
- Make sure IPS Decryption and Certificate Pinning are not disabled in Global Settings.
- Make sure the destination is not on a Do Not Decrypt list used by the IPS feature or specified in the rule's security profile.
- Make sure web features are being enforced for the rule (Advanced settings at the bottom of the Security Controls section in the rule).
- Check the configured sources and destinations of the rule you expect to block the traffic to be sure they include the problematic source and destination.
- Check each rule component of the rule you expect to block the traffic (rule action and each security control) to be sure each specifies the behavior you expect.
- Check the rule order; traffic may be hitting a different rule than the one you expect.
Internet Access rule is not matching traffic as expected
Some things to try:
- Make sure the rule is enabled (toggle at the top of the rule page).
- Make sure web features are being enforced for the rule (Advanced settings at the bottom of the Security Controls section in the rule).
- Check the configured sources and destinations of the rule you expect to match the traffic to be sure they include the problematic source and destination.
- Check the rule order; traffic may be hitting a different rule than the one you expect.
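The checks above (rule enabled, sources and destinations, rule order, default allow) can be reasoned about offline with a small model. The following Python code is an added example, not code from the product: it assumes top-down, first-match evaluation and that a domain entry also covers its subdomains, and every rule name, address, and domain in it is constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    action: str          # "allow" or "block"
    sources: list        # CIDR strings
    destinations: list   # domain names; "*" matches any destination
    enabled: bool = True

def dest_matches(pattern, host):
    # Assumption: a domain entry covers the domain itself and its subdomains.
    return pattern == "*" or host == pattern or host.endswith("." + pattern)

def explain(rules, src_ip, host):
    """Return (rule_name, action, trace); trace lists why each earlier rule was passed over."""
    ip = ipaddress.ip_address(src_ip)
    trace = []
    for rule in rules:  # the top of the list is evaluated first
        if not rule.enabled:
            trace.append((rule.name, "disabled"))
        elif not any(ip in ipaddress.ip_network(s) for s in rule.sources):
            trace.append((rule.name, "source not included"))
        elif not any(dest_matches(d, host) for d in rule.destinations):
            trace.append((rule.name, "destination not included"))
        else:
            return rule.name, rule.action, trace
    # No rule matched: traffic to internet destinations is allowed by default.
    return "default", "allow", trace

# Constructed rule list, ordered as it would appear on the Policy page.
POLICY = [
    Rule("Allow payroll portal", "allow", ["10.20.0.0/16"], ["payroll.example.com"]),
    Rule("Block file sharing", "block", ["10.0.0.0/8"], ["files.example.net"], enabled=False),
    Rule("Block example.com", "block", ["10.0.0.0/8"], ["example.com"]),
]

if __name__ == "__main__":
    for src, host in [("10.20.5.9", "payroll.example.com"),   # hits the specific allow rule
                      ("10.30.1.1", "payroll.example.com"),   # outside the allow rule's sources
                      ("10.30.1.1", "files.example.net")]:    # block rule exists but is disabled
        name, action, trace = explain(POLICY, src, host)
        print(f"{src} -> {host}: {action} by '{name}'; passed over: {trace}")
```

The trace for the third case shows how a disabled block rule lets traffic fall through to the default allow, which is the situation described under "Internet traffic is unexpectedly allowed".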