Activate Web Isolation on a Cloud Secure Web Gateway (Cloud SWG) Universal Policy Enforcement (UPE) tenant
search cancel

Activate Web Isolation on a Cloud Secure Web Gateway (Cloud SWG) Universal Policy Enforcement (UPE) tenant


Article ID: 246155


Updated On:


Cloud Secure Web Gateway - Cloud SWG


To activate Web Isolation on a Cloud SWG (WSS) UPE tenant, your deployment must meet the following requirements:

  1. You have an existing UPE implementation.
  2. The tenant has one of the following entitlements for Web Isolation:
    • High Risk Isolation (HRI): Available with the Web Protect entitlement 
    • Full Isolation with an isolation tenant: Available as an add-on entitlement
  3. Web Isolation policy is configured on the Cloud SWG tenant. See the Resolution section in this article for more information.

    Note: If your policy does not include these required Web Isolation rules, the following warnings appear when you push the policy from Management Center to Cloud SWG:
    • HRI: "Threat Isolation is entitled (restricted) but no ExemptCriteria exist. Threat Isolation will not be performed."
    • Full Isolation: "Threat Isolation is entitled but no MatchCriteria exist. Threat Isolation will not be performed."


Review the resolution that is appropriate for your deployment.

New Deployments

To activate Web Isolation, use the equivalent isolate() action in a CPL Layer in the Web VPM. The following example defines an isolation rule for requests that match the specified conditions:

; match criteria for the requests to isolate
define condition isolate_conditions

; send the matching requests to the isolation service
<Proxy "isolate rule">
  condition=isolate_conditions isolate(yes)
Note: This policy requires SGOS 7.x.
For full instructions on configuring the Web Isolation service and policy, see KB 201609

Existing Deployments

Previously, CPL was required on UPE tenants to activate Web Isolation. The CPL format consists of define conditions within an #if enforcement=wss rule. If your existing deployment includes this CPL, you can continue to use the policy without modifications. Optionally, you can remove the High_Risk_Isolation_CondWebIsolationExemptCriteriaForwarding condition to simplify your policy; removing this condition has no impact on the Web Isolation functionality.

Note: To bypass specific domains from Full Isolation, modify the CPL format as described in KB 263359.

For the simplest Web Isolation policy, switch to the policy that is described in New Deployments (SGOS 7.x is required).

Additional Information

Requests that meet the following requirements are sent to the HRI service: 

  • The Threat Risk Level of the destination is 5 or higher.
  • The category of the destination is either None (Uncategorized) or Suspicious.