Domain in the bypass list is not being bypassed using WSS Agent

Article ID: 176078

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Domain has been added to the bypass list but is not being bypassed when using Web Security Service Agent (WSSA)

Environment

Cloud Secure Web Gateway (Cloud SWG)

WSS Agent

Resolution

To ensure that WSSA traffic is bypassed correctly, follow these guidelines:

  1. Add an IP/Subnet to the bypass list:
    In the Cloud SWG Portal under Connectivity -> Bypassed Traffic

    Or

  2. Add a domain to the bypass list:
    In the Cloud SWG Portal under Connectivity -> Bypassed Traffic, as long as both DNS conditions below are true:
    • WSSA observed the DNS lookup/response for the FQDN
    • The TTL of the cached DNS result has not expired

If either of the above conditions is not met when using a domain bypass, the domains listed in the bypass list may stop being bypassed.

WSSA monitors the DNS requests on a user's machine for a domain to IP address mapping and essentially creates a cache of its own based on the mapping that it monitors.

If WSSA sees that a DNS mapping has expired due to its TTL, it will delete that entry in its own cache and it will no longer bypass traffic based on the domain until it observes that a new DNS request has been made and cached.

Some applications and browsers will have their own DNS cache and will use the mapping within their own cache rather than making a new DNS request. If the DNS cache entry for a domain has expired and the application/browser continues to use its own DNS cache, WSSA will not observe a new DNS request from the application/browser and the domain will no longer be bypassed until the application/browser re-queries the DNS for the domain.

A domain or an IP can be placed in the bypass list, but because WSSA relies on the DNS cache of the local machine and the inconsistencies described above can occur, Symantec recommends not relying on a domain alone in the bypass list. Whenever possible, use an IP address in the bypass list.
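As an added illustration (not Symantec's code or the agent's implementation), the following Python model captures the decision logic described above: IP bypasses are independent of DNS, domain bypasses depend on a mapping the agent observed and whose TTL is still valid. Class and function names, domains, IPs and timings are constructed.

```python
"""Simplified model of the WSS Agent domain-bypass decision described above
(an added illustration, not Symantec's code; names and timings are constructed)."""
from dataclasses import dataclass, field


@dataclass
class BypassModel:
    bypassed_domains: set   # domains from Connectivity -> Bypassed Traffic
    bypassed_ips: set       # IPs from the same list (exact IPs only, for brevity)
    # ip -> (fqdn, expiry); built solely from DNS A responses the agent observes
    dns_cache: dict = field(default_factory=dict)

    def observe_dns_response(self, fqdn, ip, ttl, now):
        """Record a plain-DNS A response seen on the wire. Encrypted DNS / DoH
        lookups never reach this method, so they never create a bypass entry."""
        self.dns_cache[ip] = (fqdn.lower(), now + ttl)

    def is_bypassed(self, dst_ip, now):
        """Decide for a new connection to dst_ip; returns a reason string."""
        if dst_ip in self.bypassed_ips:
            return "ip-bypass"                      # independent of DNS state
        entry = self.dns_cache.get(dst_ip)
        if entry is None:
            return "no-dns-mapping-observed"
        fqdn, expiry = entry
        if now >= expiry:
            # TTL ran out: drop the mapping; domain bypass resumes only after a
            # new DNS response for it is observed.
            del self.dns_cache[dst_ip]
            return "dns-ttl-expired"
        return "domain-bypass" if fqdn in self.bypassed_domains else "not-in-bypass-list"


def walkthrough():
    """Constructed timeline reproducing the symptom: the browser keeps using its
    own cached IP past the TTL and does not re-query, so the agent's entry expires."""
    m = BypassModel({"app.example.com"}, {"203.0.113.10"})
    m.observe_dns_response("app.example.com", "198.51.100.5", ttl=60, now=0)
    seen = [
        m.is_bypassed("198.51.100.5", now=10),   # fresh mapping: bypassed by domain
        m.is_bypassed("198.51.100.5", now=90),   # TTL expired, no re-query observed
        m.is_bypassed("198.51.100.5", now=95),   # entry gone: goes to Cloud SWG
        m.is_bypassed("203.0.113.10", now=95),   # IP bypass unaffected by DNS
    ]
    # The browser finally re-queries; the agent sees the response and resumes bypass.
    m.observe_dns_response("app.example.com", "198.51.100.5", ttl=60, now=100)
    seen.append(m.is_bypassed("198.51.100.5", now=110))
    return seen
```

The third result is the case the article describes: the application's own DNS cache keeps the connection alive on the old IP, so the agent never sees a new response and sends the traffic to Cloud SWG until a fresh lookup occurs.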

The Bypassed IPs/Subnets list is in the WSS Portal under Service > Network > Bypassed Sites.

Additional Information

DNS-based bypasses require that the WSS Agent be able to snoop DNS A responses on the wire. Using any secure DNS service that encrypts DNS requests to an end server, or using DNS-over-HTTPS (DoH), means that the WSS Agent cannot snoop or read the DNS responses and cannot verify whether a connection is related to a bypassed domain. When this happens, the traffic is not bypassed and is instead sent into the Cloud SWG service for processing.