
WSS Agent users accessing domains via WSS despite domains being included in WSS Bypass list


Article ID: 243069




Cloud Secure Web Gateway - Cloud SWG


- WSS Agent is sending internet traffic via the WSS Agent tunnel.
- WSS bypass lists are defined so that traffic from WSS Agents to certain domains/IP addresses goes direct and not via WSS
   -  traffic to,, domains bypassed from WSS.
   - Corresponding IPs (, bypasses from WSS

- No PAC file is configured on WSS Agent host


WSS Agent - all platforms


The browser was set to automatically detect proxy settings.

The DHCP server was forwarding a legacy/redundant PAC file and, because of the browser setting, this file was being picked up even though no PAC file was defined in the browser proxy settings.
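One way to confirm that a DHCP server is still handing out a PAC location is to look for the WPAD option in a captured DHCP reply. The sketch below is an added example, not Broadcom or WSS Agent code. It assumes the PAC URL is delivered in DHCP option 252 (the option browsers query for proxy auto-detection, which the article does not name), and the sample packets and the `pac.example.invalid` URL are constructed.

```python
DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END, OPT_WPAD = 0, 255, 252
BOOTP_FIXED_LEN = 236  # fixed BOOTP header that precedes the magic cookie

def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: value_bytes} from a DHCP message (the UDP payload)."""
    start = BOOTP_FIXED_LEN + 4
    if len(payload) < start:
        raise ValueError("payload too short for a DHCP message")
    if payload[BOOTP_FIXED_LEN:start] != DHCP_MAGIC_COOKIE:
        raise ValueError("DHCP magic cookie not found")
    options, i = {}, start
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:  # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        # A code that appears more than once is concatenated (RFC 3396).
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options

def wpad_url(payload: bytes):
    """Return the PAC URL carried in option 252, or None if the option is absent."""
    raw = parse_dhcp_options(payload).get(OPT_WPAD)
    if raw is None:
        return None
    # Some servers append a NUL or newline to the URL; strip it.
    return raw.rstrip(b"\x00\n").decode("ascii", errors="replace")

def _sample_ack(extra_options: bytes) -> bytes:
    """Constructed DHCPACK: BOOTREPLY header, cookie, option 53 = 5 (ACK), extras."""
    header = bytes([2, 1, 6, 0]) + bytes(BOOTP_FIXED_LEN - 4)
    return header + DHCP_MAGIC_COOKIE + bytes([53, 1, 5]) + extra_options + bytes([OPT_END])

LEGACY_PAC = b"http://pac.example.invalid/proxy.pac"  # constructed placeholder URL
WITH_WPAD = _sample_ack(bytes([OPT_WPAD, len(LEGACY_PAC)]) + LEGACY_PAC)
WITHOUT_WPAD = _sample_ack(bytes([3, 4, 192, 0, 2, 1]))  # router option only

if __name__ == "__main__":
    for name, pkt in (("with option 252", WITH_WPAD), ("without", WITHOUT_WPAD)):
        print(name, "->", wpad_url(pkt))
```

A non-empty result for a reply captured on the agent host's network means a browser set to auto-detect can still receive that PAC file, independently of the WSS Agent configuration.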


Disable the browser option to automatically detect proxy settings.

After that change, the traffic started going to the correct domain IP address and was correctly bypassed, as seen in the packet capture for direct traffic:

- and the packet capture for in-tunnel traffic no longer shows connectivity to that domain:

Additional Information

The SymDiag logs show the following:

- The DNS answer shows the same IP address as nslookup in the packet capture for direct traffic:

- The same packet capture shows no request to domains:

- The packet capture for in-tunnel traffic shows connectivity to the bypassed domain, but instead of pointing to the domain IP (, the destination IP is on port 80 ( as it would be when going via a PAC file:

- The WSS Agent trace log confirms that the bypasses are added correctly:
(...) 05/06/2022-14:06:07.4025388 Debug    Adding for to domain bypass list

- Since the connection is going to a different IP, the traffic is not bypassed.