search cancel

WSS Policy is not being applied with WSSA and "Selective Intercept" enabled


Article ID: 241209


Updated On:


Web Security Service - WSS


Users are able to access sites that are blocked in the Content Filtering policy in WSS.

Access Method is: WSS Agent (WSSA)

"Selective Intercept" is enabled in the Portal at: 

Connectivity -> Locations -> Agent Configuration -> Selective Intercept



Disabling "Selective Intercept" resolved the issue.


The customer had previously enabled the "Selective Intercept" radio button, but wasn't sure what the feature did.

By enabling Selective Intercept, you change the behavior of the WSSA client.


Normal (default) mode for WSSA is to send all port 80/443 traffic to the WSS service...expect for the IP's and domains in the Bypass List.

If you enable Selective Intercept, then you change the behavior of the WSSA client to send NO TRAFFIC, expect for CASB traffic or traffic that is explicitly sent to in a Pac file.

For more details, see the docs on the new Selective Intercept feature