The Edge SWG must generate error messages that provide the information necessary for corrective actions without revealing information that could be exploited by adversaries.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-279194 | SRG-NET-000273-ALG-000129 | SYME-00-006600 | SV-279194r1170667_rule | 2025-12-16 | 1 |
| Description |
|---|
| Providing too much information in error messages risks compromising the data and security of the application and system. Organizations carefully consider the structure/content of error messages. The required information within error messages will vary based on the protocol and error condition. Information that could be exploited by adversaries includes, for example, ICMP messages that reveal the use of firewalls or access-control lists. |
| ℹ️ Check |
|---|
| 1. Log in to the Edge SWG SSH CLI. 2. Enter "enable". 3. Enter "show exceptions". If there are no user-defined exceptions, this is a finding. In the Edge SWG Web UI, navigate to the VPM. Under the Web Access Layer, for the Action on disallowed content, if there is no User-Defined exception implemented, this is a finding. |
| ✔️ Fix |
|---|
| These procedures create a user-defined exception page that shows the proxy user only the necessary error details together with specific contact information. |

CLI steps:

1. Log in to the Edge SWG SSH CLI.
2. Enter "enable" and "configure terminal".
3. Enter "exceptions".
4. Enter "create DOD-BLOCKS".
5. Enter "edit DOD-BLOCKS".
6. Enter "inline format EOF".
7. Copy and paste the data below exactly as it appears, editing items such as Organization and email addresses:

```html
<!DOCTYPE html>
<html>
<head>
<title>Denied Access Policy</title>
<meta name="author" content="SAMPLE ORGANIZATION">
<meta name="description" content="Denied Access Policy">
<meta name="category" content="$(exception.category)">
</head>
<body>
<center>
<p>
<font face="Arial, Helvetica, sans-serif" size="4" color="Red"><b>You have reached a website that is currently being blocked due to malicious activity and/or current acceptable use policies.</b></font><br>
<font face="Arial, Helvetica, sans-serif" size="4" color="Red">INTERNET USAGE IS MONITORED AND LOGGED.</font><br>
<font face="Arial, Helvetica, sans-serif" size="3" color="Red"><b>Your IP address: $(client.address)<br>Your username: $(user.name)<br>Banned Website: $(url)<br>Website IP address: $(url.address)<br>Banned Category: $(category)<br>Rule Name: $(exception.id)</b></font><br>
<br>
<font face="Arial, Helvetica, sans-serif" size="4" color="red">This has been reported by: $(proxy.name)</font><br>
<a href='mailto:email@mail.mil?subject=Barred web page $(url),IP address: $(client.address)&body=IP address:$(client.address)%0DYour username:$(user.name)%0DBanned Website:$(url)%0DWebsite IP address:$(url.address)%0DBanned Category:$(category)%0DRule Name:$(exception.id)'>If you have further questions or require assistance click here to send an email<br>to your Information Management Office (IMO) or ORGANIZATION Cyber Security &amp; Risk Management</a>
</p>
</center>
</body>
</html>
EOF
```

8. After the EOF line, press Enter.
9. Enter "http-code 403".

Web UI steps:

1. In the Edge SWG Web UI, navigate to the VPM.
2. Under the Web Access Layer, for the Action on disallowed content, click "Set and Add New Object".
3. Select "Return Exception".
4. Enter a name and select "User-defined exception".
5. Select the previously created user-defined exception.
6. Check the box for "Force exception even if later policy would allow request".
7. Click "Set" and repeat the steps for other services being proxied.
8. Click "Apply Policy".
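The requirement is that the exception page carries only the details the organization has decided a proxy user needs, and the template above is pasted by hand, so a pre-deployment check is useful. The following script is an added example (not part of the STIG and not Broadcom/Symantec code): it lists every `$(...)` substitution variable in a candidate template, flags any that are not on an approved list, and reports unbalanced HTML tags of the kind that creep in when a template is edited in a terminal. Treating the eight variables used in the Fix text as the approved set is an assumption for the example; the sample templates are constructed here.

```python
import re
from html.parser import HTMLParser

# Substitution variables the Fix text places on the page. Using them as the
# organisation's approved set is an assumption for this example only.
APPROVED_VARS = {
    "exception.category", "client.address", "user.name", "url",
    "url.address", "category", "exception.id", "proxy.name",
}

VAR_RE = re.compile(r"\$\(([A-Za-z0-9_.]+)\)")

# Elements that take no closing tag in a template like the one above.
VOID_TAGS = {"br", "meta", "img", "hr", "input", "link"}

# Constructed sample: a trimmed, well-formed template using only approved variables.
GOOD_TEMPLATE = """<!DOCTYPE html>
<html><head><title>Denied Access Policy</title>
<meta name="category" content="$(exception.category)"></head>
<body><center><p>
<font size="3" color="Red"><b>Your IP address: $(client.address)<br>Your username: $(user.name)<br>
Banned Website: $(url)<br>Rule Name: $(exception.id)</b></font><br>
<font size="4">This has been reported by: $(proxy.name)</font>
</p></center></body></html>"""

# Constructed sample reproducing two hand-editing defects: a <b> never closed
# before </font>, and a stray <font> written where </font> was meant.
BROKEN_TEMPLATE = '<p><font size="4"><b>Blocked.</font><br>Reported by: $(proxy.name)<font><br></p>'


def find_variables(template):
    """Sorted, de-duplicated list of $(...) substitution variables in a template."""
    return sorted(set(VAR_RE.findall(template)))


def unapproved_variables(template, approved=APPROVED_VARS):
    """Variables present in the template that the organisation has not approved."""
    return [v for v in find_variables(template) if v not in approved]


class _TagBalance(HTMLParser):
    """Tracks open elements and records tags closed out of order or never closed."""

    def __init__(self):
        super().__init__()
        self.stack = []
        self.problems = []

    def handle_starttag(self, tag, attrs):
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if self.stack and self.stack[-1] == tag:
            self.stack.pop()
        elif tag in self.stack:
            # The close matched an outer element: everything above it was left open.
            while self.stack[-1] != tag:
                self.problems.append(f"unclosed <{self.stack.pop()}> before </{tag}>")
            self.stack.pop()
        else:
            self.problems.append(f"stray </{tag}>")


def tag_problems(template):
    """List of tag-balance problems; empty for a well-formed template."""
    parser = _TagBalance()
    parser.feed(template)
    parser.close()
    return parser.problems + [f"unclosed <{t}> at end" for t in reversed(parser.stack)]


def audit(template, approved=APPROVED_VARS):
    """Single report a reviewer can read before pasting the template into the CLI."""
    return {
        "variables": find_variables(template),
        "unapproved": unapproved_variables(template, approved),
        "tag_problems": tag_problems(template),
    }


if __name__ == "__main__":
    for name, tpl in (("good", GOOD_TEMPLATE), ("broken", BROKEN_TEMPLATE)):
        print(name, audit(tpl))
```

Run it on the real template before step 7; a non-empty `unapproved` list means the page would expose a field nobody signed off on, and a non-empty `tag_problems` list means the rendered page will not look the way the template reads.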