Cloud SWG (WSS) proxy logs show Allowed for blocked categories

Article ID: 172305

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

In the report logs, requests to a category that is supposed to be blocked appear as 'Allowed' with the scheme 'tcp://'.

Environment

Cloud SWG (formerly Web Security Service - WSS)

Resolution

In the report logs, the allowed requests have the 'tcp://' scheme. These are the initial TCP handshake requests that hit the proxy when a user tries to access any HTTPS site. The proxy detects the protocol and then passes the request to the SSL proxy (ssl:// scheme); once SSL interception is completed, you will see https://.

The tcp:// requests are always 'Allowed' so that protocol detection and SSL interception can complete. At this stage (tcp://), the proxy is not sending the request out to the internet. It is only trying to detect the underlying protocol and complete the interception.
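When auditing an exported report for policy gaps, the tcp:// rows described above can be separated from rows that were allowed at a later stage. The following is an added example, not part of the original article or of Cloud SWG itself; the column names, verdict strings and sample rows are constructed assumptions, and treating every non-tcp Allowed row in a blocked category as worth review is this example's choice.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. The column names (client, scheme, host, category,
# verdict) are assumptions for this example, not the Cloud SWG report schema.
SAMPLE_LOG = """\
client,scheme,host,category,verdict
10.0.0.5,tcp,bets.example,Gambling,Allowed
10.0.0.5,ssl,bets.example,Gambling,Blocked
10.0.0.7,tcp,casino.example,Gambling,Allowed
10.0.0.7,ssl,casino.example,Gambling,Allowed
10.0.0.7,https,casino.example,Gambling,Allowed
10.0.0.9,tcp,news.example,News,Allowed
10.0.0.9,https,news.example,News,Allowed
"""

def triage(log_text, blocked_categories):
    """Split 'Allowed' rows in blocked categories into expected rows and gaps.

    tcp:// rows are the protocol-detection stage and are always Allowed, so
    they are only counted per (client, host). An Allowed row with any other
    scheme in a blocked category is returned for review.
    """
    blocked = {c.lower() for c in blocked_categories}
    detection = defaultdict(int)   # (client, host) -> number of tcp:// rows
    gaps = []                      # rows allowed past protocol detection
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["category"].strip().lower() not in blocked:
            continue
        if row["verdict"].strip().lower() != "allowed":
            continue
        # Accept both "tcp" and "tcp://" spellings of the scheme.
        scheme = row["scheme"].strip().lower().split(":")[0]
        if scheme == "tcp":
            detection[(row["client"], row["host"])] += 1
        else:
            gaps.append((row["client"], scheme, row["host"], row["category"]))
    return dict(detection), gaps

if __name__ == "__main__":
    detection, gaps = triage(SAMPLE_LOG, ["Gambling"])
    print("tcp:// detection rows (expected):", detection)
    print("allowed past detection (review):", gaps)
```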