Reports show downloads from a blocked site


Article ID: 174712




Cloud Secure Web Gateway - Cloud SWG


Cloud SWG (Web Security Service - WSS) reports show traffic as downloaded by a user from a blocked site.


Cloud SWG


When a user tries to access a website, their client initiates a TCP handshake, which Cloud SWG forwards. By the time the response returns, Cloud SWG has executed a policy verdict for that user and domain. If the verdict is allow, the TCP initiation continues as normal.

If the verdict is block, WSS intercepts the returning TCP packet and injects a block page into it. Reports show this intercepted packet with:

  • A 200 status code
  • An allow verdict
  • A nominal file size (a few hundred bytes)

All other traffic from that blocked domain will show:

  • A 403 status code
  • A block verdict
  • The size of the packet that was blocked (often several kilobytes)


There is no solution; Cloud SWG is working as intended.

This behavior may raise concern when viewed in reports generated from WSS data. For example, a user has a policy block for Dropbox. When the user attempts to access Dropbox, they get a block page. The reports generated in the Cloud SWG portal, Cloud Access Security Broker (CASB), etc. will show several hundred kilobytes of data being downloaded from Dropbox every time the user attempts to access it.

Admins may wonder why a user is downloading data from a domain that is blocked for that user. This data is reported as downloaded, but it does not reach the user.
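
The following Python sketch is an added example, not Broadcom code: it applies the pattern described above to exported report rows so that block-page rows and blocked bytes are separated from traffic that actually reached the user. The field names, the 1 KiB block-page threshold, and the sample rows are assumptions constructed for illustration, and flagging larger allowed rows on a blocked domain for manual review is a heuristic added here.

```python
from collections import defaultdict

# Constructed sample rows; field names are assumptions, not the Cloud SWG export schema.
SAMPLE_ROWS = [
    {"user": "alice", "domain": "dropbox.com", "status": 200, "verdict": "allow", "bytes": 412},
    {"user": "alice", "domain": "dropbox.com", "status": 403, "verdict": "block", "bytes": 6144},
    {"user": "alice", "domain": "dropbox.com", "status": 403, "verdict": "block", "bytes": 8192},
    {"user": "bob", "domain": "dropbox.com", "status": 200, "verdict": "allow", "bytes": 250000},
    {"user": "bob", "domain": "dropbox.com", "status": 403, "verdict": "block", "bytes": 4096},
    {"user": "carol", "domain": "example.org", "status": 200, "verdict": "allow", "bytes": 90000},
]

BLOCK_PAGE_MAX_BYTES = 1024  # assumption: "a few hundred bytes" stays under 1 KiB


def classify(rows, block_page_max=BLOCK_PAGE_MAX_BYTES):
    """Label each row and total the reported bytes per (user, domain) by label."""
    # A (user, domain) pair with at least one 403/block row is treated as policy-blocked.
    blocked_pairs = {(r["user"], r["domain"]) for r in rows
                     if r["status"] == 403 and r["verdict"] == "block"}
    totals = defaultdict(lambda: defaultdict(int))
    for r in rows:
        key = (r["user"], r["domain"])
        if r["status"] == 403 and r["verdict"] == "block":
            # Size of the blocked packet: reported, but never delivered to the user.
            label = "blocked_not_delivered"
        elif key in blocked_pairs and r["status"] == 200 and r["verdict"] == "allow":
            # Small 200/allow row on a blocked pair matches the injected block page.
            label = "block_page" if r["bytes"] <= block_page_max else "review"
        else:
            label = "normal"
        totals[key][label] += r["bytes"]
    return {k: dict(v) for k, v in totals.items()}


def needs_review(rows):
    """Pairs where an allowed row on a blocked domain is too large to be a block page."""
    return sorted(k for k, v in classify(rows).items() if "review" in v)


if __name__ == "__main__":
    for pair, byte_totals in classify(SAMPLE_ROWS).items():
        print(pair, byte_totals)
    print("review:", needs_review(SAMPLE_ROWS))
```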