Troubleshoot ETP

This topic describes how to troubleshoot issues in Enterprise Threat Protector (ETP):
Problem Suggested Steps
Traffic does not reach ETP
  1. Review DNS traffic on the DNS Summary activity report. For more information on this report, see Summary of DNS activity.
  2. If DNS traffic is not logged, verify that the primary DNS server in your network forwards requests to ETP DNS servers.
You can also deploy ETP Client on end user machines to direct requests to ETP.
Traffic does not reach ETP Proxy
  1. Review network traffic on the Network Traffic activity report. For more information on this report, see Network traffic.
  2. If proxy traffic is not reported:
    1. Confirm that the domain or IP address of the traffic is not configured in an exception list or the Allow custom list that was migrated from Quick Lists.
    2. Confirm that the domain or IP address of the traffic is not configured in a custom list that is assigned an Allow action in a policy. The Allow action permits domains and IP addresses in the list to bypass the ETP proxy.
TLS traffic is not inspected by the ETP proxy or the user receives certificate validation error messages
  1. Review network traffic on the Network Traffic activity report. For more information on this report, see Network traffic.
  2. If TLS traffic is not reported, confirm that the trusted root certificate an ETP administrator generated or signed in ETP is deployed to the user’s computer.
  3. Confirm that no TLS errors appear.
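
A client-side check for the TLS row above, as an added example that is not part of the ETP documentation or product: it classifies one handshake as inspected, not inspected, or failing validation. It assumes that certificates served through the proxy name your deployed certificate as issuer commonName and that Python's default trust store matches the one the affected client uses; `probe`, `classify` and all sample names are hypothetical.

```python
import socket
import ssl

# Constructed getpeercert()-style dicts; every name here is a placeholder.
SAMPLE_VIA_PROXY = {
    "subject": ((("commonName", "app.example.com"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Corp ETP Root"),)),
}
SAMPLE_DIRECT = {
    "subject": ((("commonName", "app.example.com"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
}

def issuer_field(peercert, key):
    """Return one issuer attribute (e.g. 'commonName') from a getpeercert() dict."""
    for rdn in (peercert or {}).get("issuer", ()):
        for name, value in rdn:
            if name == key:
                return value
    return None

def classify(peercert, verify_error, proxy_issuer_cn):
    """Map one handshake result to a (status, detail) pair."""
    if verify_error is not None:
        # The client rejected the chain: what a user sees as a validation error.
        return ("validation-error", verify_error)
    issuer = issuer_field(peercert, "commonName")
    if issuer == proxy_issuer_cn:
        return ("inspected", issuer)      # chain was issued by the proxy CA
    return ("not-inspected", issuer)      # origin's own chain reached the client

def probe(host, proxy_issuer_cn, port=443, timeout=5.0):
    """Handshake with host using the default trust store and classify the result."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return classify(tls.getpeercert(), None, proxy_issuer_cn)
    except ssl.SSLCertVerificationError as exc:
        return classify(None, exc.verify_message, proxy_issuer_cn)

if __name__ == "__main__":
    # Offline demonstration on the constructed samples above.
    print(classify(SAMPLE_VIA_PROXY, None, "Example Corp ETP Root"))
    print(classify(SAMPLE_DIRECT, None, "Example Corp ETP Root"))
```

A `not-inspected` result for a site that should be proxied points back to the exception and Allow list checks; `validation-error` points to the certificate deployment check.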
A non-browser application is not available
  1. Review network traffic on the Network Traffic activity report. For more information on this report, see Network traffic.
  2. If the application traffic is not logged, confirm that the certificate is distributed and configured properly in your network. For example, if certificate pinning is used, ensure that the certificate you generated or signed with is correctly saved.

To work around this issue, you can also add the application to a custom list that is configured in a policy with the Allow action. The Allow action permits domains and IP addresses in the list to bypass the ETP proxy.

For more information, see Edit a custom list and Edit a policy.

Malware is not blocked
  1. Search for the domain on the Indicator Search page and confirm the action that was taken on the event. See Search for threats based on domain.
  2. Review existing custom lists and check whether the policy is associated with a custom list.
  3. If the domain is assigned to a custom list, review existing policies and confirm that the Allow or Monitor action is not assigned to the custom list with the malicious domain.
Client IP address is not reported for blocked traffic
If events in ETP do not report the client IP address (including Security Connector events), you can do the following: