There are two different entitlements for Web Isolation in Cloud SWG
Activating High Risk Isolation or Full Isolation requires supporting CPL policy to be pushed to Cloud SWG from the Management Center.
The High Risk Isolation policy is not activated by default for UPE tenants. UPE tenants with a Web Protect license will see the following warning when pushing the policy from the Management Center to Cloud SWG.
"Threat Isolation is entitled (restricted) but no ExemptCriteria exist. Threat Isolation will not be performed."
To activate High Risk Isolation for UPE tenants with a Web Protect license, the following CPL code should be installed on the Management Center and pushed to Cloud SWG.
#if enforcement=wss
; Each line inside a definition is one exempt criterion. Remove the leading ";"
; to activate a line; leave every line commented to exempt nothing.
define condition High_Risk_Isolation_CondWebIsolationExemptCriteriaWebAccess
    ;url.threat_risk.level=7..10
    ;url.domain="malicious.com"
    ;authenticated=yes
    ;client.address=192.168.10.0/24
end
define condition High_Risk_Isolation_CondWebIsolationExemptCriteriaForwarding
    ;server_url.threat_risk.level=7..10
    ;server_url.domain="malicious.com"
    ;authenticated=yes
    ;client.address=192.168.10.0/24
end
#endif
The same policy definitions can be used to exempt any traffic from High Risk Isolation (HRI). Examples are given in the above definitions as commented lines.
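Added example, not taken from the original article or from the Symantec documentation, using a constructed domain and subnet: in a CPL condition definition, triggers on the same line are ANDed while separate lines are ORed, so where the triggers are placed decides how much traffic bypasses HRI.

```cpl
#if enforcement=wss
; Exempt only the trusted intranet domain, and only for requests that come
; from the corporate subnet. Both triggers sit on ONE line, so a request
; must match both before it is exempted from High Risk Isolation.
; (intranet.example.com and 10.10.0.0/16 are constructed sample values.)
define condition High_Risk_Isolation_CondWebIsolationExemptCriteriaWebAccess
    url.domain="intranet.example.com" client.address=10.10.0.0/16
end
define condition High_Risk_Isolation_CondWebIsolationExemptCriteriaForwarding
    server_url.domain="intranet.example.com" client.address=10.10.0.0/16
end
#endif

; Over-broad variant, shown commented out for contrast only: splitting the
; triggers onto separate lines ORs them, so every request from 10.10.0.0/16
; skips HRI regardless of destination, and every request to the domain skips
; HRI regardless of source. Installing both definitions at once is also a
; duplicate-definition error, which is the other reason this stays commented.
;define condition High_Risk_Isolation_CondWebIsolationExemptCriteriaWebAccess
;    url.domain="intranet.example.com"
;    client.address=10.10.0.0/16
;end
```

After pushing, confirm the exemption behaves as intended by testing one request from inside and one from outside the subnet against the same domain.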
Full Isolation - Activating Full Isolation requires a policy in the Management Center. UPE tenants with the Full Isolation add-on will see the following warning when pushing the policy without the supporting CPL.
"Threat Isolation is entitled but no MatchCriteria exist. Threat Isolation will not be performed."
To activate Full Isolation, install the CPL policy documented in the Cloud SWG Documentation. Uncomment (remove the ";") the lines that match your requirements for sending requests to Isolation. You can also add or remove objects in the definition.
To bypass domains from Full Isolation, the documented CPL policy must be modified. See the following article on how to bypass domains from Full Isolation for Cloud SWG users configured using CPL policy.
The High Risk Isolation would only send the request to Isolation if,