After creating routing domains and adding routing entries, as specified in the guide below, still some proxy traffic is outgoing through the default routing domain interface:

https://techdocs.broadcom.com/content/dam/broadcom/techdocs/symantec-security-software/web-and-network-security/proxysg/7-1/generated-pdfs/RoutingDomains71.pdf

Note to add, if traffic comes in on a domain, it must leave on that same domain. Traffic is not supposed to traverse from one routing domain to another (even if default domain), and forwarding hosts only work in the default routing domain.

• Each routing domain object includes its own routing table that enforces Layer 3 segregation as follows:
• Each routing table is associated with one or more logical interfaces.
• IP traffic that arrives on these interfaces is subject to routing and forwarding decisions defined by the routing table.
• Traffic never crosses multiple routing domains.

The configuration of routing domains has certain limitations to specific traffic and services, which can only use the default routing table. This limitation applies to the below traffic and services:

• All ProxySG appliance management traffic.
• WCCP configuration on the appliance.
• VLANs, ICAP services, and forwarding hosts configured on the appliance.
• All requests originating from the appliance (such as subscriptions, access log upload, and support case upload).

This is expected behavior of the products, as designed.

Creating Multiple Logical Networks on a Single ProxySG Appliance with Routing Domains Guide:

https://techdocs.broadcom.com/content/dam/broadcom/techdocs/symantec-security-software/web-and-network-security/proxysg/7-1/generated-pdfs/RoutingDomains71.pdf