There are two different entitlements for Web Isolation in Cloud SWG
Activating High Risk Isolation or Full Isolation requires supporting CPL policy to be pushed to Cloud SWG from the Management Center.
The High-Risk Isolation policy is not activated by default for UPE tenants. The UPE tenants with Web Protect license would see the following warning while pushing the policy from the Management center to Cloud SWG.
"Threat Isolation is entitled (restricted) but no ExemptCriteria exist. Threat Isolation will not be performed."
To activate the Hight Risk Isolation for UPE tenants with a Web Protect license, the following CPL code should be installed on the Management center and pushed to Cloud SWG.
define condition High_Risk_Isolation_CondWebIsolationExemptCriteriaWebAccess
define condition High_Risk_Isolation_CondWebIsolationExemptCriteriaForwarding
The same policy definitions can be used to exempt anything from the HRI. Examples are given in the above definitions (commented).
Full Isolation - Activating Full Isolation requires a policy in the Management Center. UPE tenants with Full Isolation add-on would see the following warning while pushing the policy without the supporting CPL.
"Threat Isolation is entitled but no MatchCriteria exist. Threat Isolation will not be performed."
To activate the Full Isolation, install the CPL policy documented in the Cloud SWG Documentation. Uncomment (remove the “;”) the lines based on your requirement to send requests to Isolation. You could also add\remove objects to the definition.
To bypass domains from full isolation, manipulation of the documented CPL policy is required. Check out the following article on how to bypass domains from full isolation for Cloud SWG users configured using CPL policy
The High Risk Isolation would only send the request to Isolation if,