IMPORTANT: Bypassed traffic configured in the Cloud SWG portal applies only to locations that use the Explicit Proxy and WSS Agent or SEP (WCAP - Web and Cloud Access Protection) access methods to connect to Cloud SWG. Bypassed traffic configured in the Cloud SWG portal will not be effective for IPSEC (see notes below on how to bypass traffic for IPSEC connections) or Proxy Forwarding/Chaining to Cloud SWG.
UPDATE: With advanced Agent Traffic Manager now enabled on all Cloud SWG tenants (end of November 2024), the WSS Agent domain/IP/Application bypass configuration has moved into the 'Agent Traffic Manager' configuration under Connectivity and needs to be performed there.
WSS Agent or SEP Agent (with WCAP enabled):
- Log in to Cloud SWG Portal
- Navigate to Connectivity
- Under Setup and Configuration > Agent Traffic Manager
- Expand the Traffic Bypass Rules Section
- Choose one of the following options:
  - Bypass Domain
    - Using traffic bypass policy rules, either select an existing rule with an existing Domain Bypass List and add the new domain there, or create a new or additional rule to add a domain to be bypassed.
    - Domains defined in these rules will be bypassed from Cloud SWG when using the Agent access method.
    - For further information on implementing "Bypass Domains," see Prevent a Domain From Routing to Cloud SWG
  - Bypass IP/Subnet
    - Using traffic bypass policy rules, either select an existing rule with an existing IP/Subnet List and add the new IP there, or create a new or additional rule to add the IP to be bypassed.
    - IPs defined in these rules will be bypassed from Cloud SWG when using the Agent access method.
    - For further information on implementing "Bypassed IPs/Subnets," see Prevent IP Addresses/Subnets From Routing to Cloud SWG
  - Bypass Executables
    - Select Add Rule
    - Under Sources > Select Add Executables > Bypass Executable
    - Select a previously defined Executable or select New to add a newly defined executable
    - Once selected, Destinations will be set to all. Traffic matching the conditions will not be intercepted by the agent.
    - Complete the rule by selecting Add rule
To see common executable bypasses with examples, refer to Cloud SWG Common Application Bypasses.
- Executable bypasses apply to traffic from WSS Agent version 7.1.1 or later
- With WSS Agent version 7.3.1 or later, you can use wildcards for application bypasses; see Bypass Applications for the Agent
Important Note:
Make sure that the changes are ACTIVATED. Prior to the Agent Traffic Manager changes, IP/Domain/Application bypasses could be added and no apply or activation step was needed. With this new approach, it is imperative that the changes are activated; otherwise the WSS Agent will not pick them up.
Explicit Proxy:
- Log in to Cloud SWG Portal
- Navigate to Connectivity
- Under Setup and Configuration > Select PAC File Bypasses
- Choose one of the following options:
  - Bypassed IPs/Subnets tab.
  - Bypassed Domains tab.
    - Cloud SWG will bypass traffic that is sent to domains in this list.
    - Applies to PAC files generated by the PAC File Manager
    - For further information on implementing "Bypass Domains," see Prevent a Domain From Routing to Cloud SWG
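
As an added illustration (not the file the PAC File Manager generates, and not Broadcom code), the sketch below models how a PAC file expresses a bypass: it returns DIRECT for hosts on a bypass list and a proxy for everything else. The domain list, subnet list and proxy address are constructed placeholders, and the subnet check handles IP literals only.

```javascript
// Added example: the DIRECT-vs-proxy decision a PAC file makes for bypass entries.
// All lists and the proxy address are constructed placeholders.
const BYPASS_DOMAINS = ["intranet.example.com", "example.org"];
const BYPASS_SUBNETS = [["10.0.0.0", "255.0.0.0"], ["192.168.10.0", "255.255.255.0"]];
const PROXY = "PROXY proxy.example.invalid:8080"; // placeholder, not a real endpoint

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null when not an IPv4 literal.
function ipToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// Stand-in for the PAC helper isInNet(); unlike the real helper it does no
// DNS resolution, so hostnames never match a subnet entry here.
function inSubnet(host, net, mask) {
  const h = ipToInt(host), n = ipToInt(net), k = ipToInt(mask);
  if (h === null || n === null || k === null) return false;
  return ((h & k) >>> 0) === ((n & k) >>> 0);
}

// Match the domain itself or a subdomain, on a label boundary only, so that
// a bypass for "example.org" does not also bypass "notexample.org".
function domainMatches(host, domain) {
  const h = host.toLowerCase().replace(/\.$/, "");
  const d = domain.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Same signature a browser calls in a real PAC file.
function FindProxyForURL(url, host) {
  if (BYPASS_DOMAINS.some((d) => domainMatches(host, d))) return "DIRECT";
  if (BYPASS_SUBNETS.some(([n, m]) => inSubnet(host, n, m))) return "DIRECT";
  return PROXY;
}

// Constructed sample hosts to show which ones leave the proxy path.
for (const h of ["app.intranet.example.com", "notexample.org", "10.1.2.3", "192.168.11.5"]) {
  console.log(h.padEnd(26), FindProxyForURL("https://" + h + "/", h));
}
```

Every host that resolves to DIRECT here is traffic the proxy never inspects, so a bypass list is worth reviewing for entries that match more than intended.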
Notes:
- On premises where a Remote Internet Proxy is used on end-user hosts, bypassing that Internet Proxy on our service implies bypassing all Internet traffic.
- For the Firewall/VPN and Proxy forwarding methods, it is necessary to bypass IP/subnets at the firewall/proxy gateway before they reach Cloud SWG.
- For IPSEC and Explicit Proxy over IPSEC access methods, sites added to the bypass list are still sent to the WSS proxy. The only way to prevent this is to configure the router/firewall to exclude that traffic from the IPSEC tunnel before it reaches Cloud SWG.