Cloud SWG (WSS Agent / IPsec tunnel) blocks or fails to allow certain categories (categorization rules not working with WSSA / IPsec) when Cloud SWG is managed through Management Center

Article ID: 247788

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

While using Management Center to manage Cloud SWG (formerly known as WSS), certain websites are blocked despite a category-based allow rule that should permit them. The block page shows a category-based block, and the category it reports does not match the categorization shown for the URL in the Sitereview database.

Environment

Component: WSS with UPE, WSSA or IPsec

Cause

Unless proxy settings are used with WSSA or IPsec, DNS resolution happens locally on the client, and the WSS proxy receives a TCP connection request to an IP address rather than to a hostname, e.g. tcp://52.13.171.212:443.

In this case, Cloud SWG checks categorization against both the URL and the IP address the URL resolves to. The URL may be categorized correctly, but its IP address(es) must also be categorized, and that IP categorization must be allowed by the policy.

The issue occurs when:

  1. The IP addresses are not categorized. Uncategorized IP addresses then produce undesired results and block the site if the Uncategorized/none category is set to block.
  2. The IP addresses carry a different category than the original URL, and that category is covered by a block rule.


Resolution

Compose a CPL layer inside the VPM using the CPL below. The rule allows all uncategorized IP addresses of URLs (numeric hosts), not the URLs themselves:

#if enforcement=wss
<proxy>
    ; Allow TCP connections whose host is a bare IP address (numeric) with no
    ; category, so an uncategorized IP no longer triggers the Uncategorized/none block.
    url.scheme=tcp category=Uncategorized url.host.is_numeric=true Allow
#endif

An administrator may add other categories to the rule above to allow a broader range of IP addresses, after evaluating the security risk. For insecure categories, however, it is always recommended to raise a recategorization request for the IP address on the Sitereview website instead, because allowing a category in the rule above grants access to every IP address in that category regardless of the URL.
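The following Python model is added here as an illustration and is not Cloud SWG code or part of this article. It reproduces the dual URL-and-IP categorization check described under Cause for tunnelled WSSA / IPsec traffic, then shows which of the two failure cases the CPL layer above resolves and which still needs a Sitereview recategorization request. The hostnames, IP addresses, category assignments, DNS answers and the policy values are all constructed for the example; the assumption that a categorized URL or IP with no block rule is allowed is a simplification of the real policy engine.

```python
"""Added illustration (not Cloud SWG code): models the dual URL-and-IP
categorization check the article describes for tunnelled WSS Agent / IPsec
traffic, and shows what the suggested CPL rule does and does not fix.
All category data, DNS answers and policy values are constructed for the
example; they are not taken from the Sitereview database or any tenant.
"""
from dataclasses import dataclass, field

UNCATEGORIZED = "Uncategorized"

# Constructed stand-in for the categorization database: URL categories keyed
# by hostname, IP categories keyed by address.
URL_CATEGORIES = {
    "intranet.example.com": "Business/Economy",
    "files.example.net": "Business/Economy",
    "cdn.example.org": "Business/Economy",
}
IP_CATEGORIES = {
    "192.0.2.10": "Business/Economy",   # same category as its URL
    "198.51.100.7": "Content Servers",  # differs from its URL (cause 2)
    # 203.0.113.5 deliberately absent: an uncategorized IP (cause 1)
}

# Constructed local DNS answers. With WSSA / IPsec and no proxy settings the
# client resolves names itself, so the proxy sees tcp://<ip>:443 and must
# categorize the IP as well as the URL.
LOCAL_DNS = {
    "intranet.example.com": ["192.0.2.10"],
    "files.example.net": ["203.0.113.5"],
    "cdn.example.org": ["198.51.100.7"],
}


@dataclass(frozen=True)
class Policy:
    blocked: frozenset                   # categories with a block rule
    block_uncategorized: bool = True     # Uncategorized/none set to block
    # Categories an added CPL layer allows for numeric hosts only. The
    # article's rule corresponds to frozenset({"Uncategorized"}).
    numeric_host_allow: frozenset = frozenset()


@dataclass
class Decision:
    action: str                 # "ALLOW" or "BLOCK"
    reason: str
    ips_to_review: list = field(default_factory=list)  # Sitereview candidates


def categorize_url(host: str) -> str:
    return URL_CATEGORIES.get(host, UNCATEGORIZED)


def categorize_ip(ip: str) -> str:
    return IP_CATEGORIES.get(ip, UNCATEGORIZED)


def evaluate(host: str, policy: Policy, dns=LOCAL_DNS) -> Decision:
    """Model of the proxy's decision for a tunnelled request to `host`.

    Assumption of the model: a categorized URL or IP whose category has no
    block rule is allowed; both the URL and every resolved IP must pass.
    """
    url_cat = categorize_url(host)
    if url_cat in policy.blocked:
        return Decision("BLOCK", f"URL category {url_cat} is blocked")
    if url_cat == UNCATEGORIZED and policy.block_uncategorized:
        return Decision("BLOCK", "URL is uncategorized")

    for ip in dns.get(host, []):
        ip_cat = categorize_ip(ip)
        # The CPL layer matches url.scheme=tcp + url.host.is_numeric=true, so
        # it applies to the IP lookup only, never to the URL lookup above.
        if ip_cat in policy.numeric_host_allow:
            continue
        if ip_cat == UNCATEGORIZED and policy.block_uncategorized:
            return Decision("BLOCK", f"IP {ip} is uncategorized", [ip])
        if ip_cat in policy.blocked:
            return Decision(
                "BLOCK",
                f"IP {ip} is categorized {ip_cat} although the URL is {url_cat}",
                [ip],
            )
    return Decision("ALLOW", f"URL ({url_cat}) and all resolved IPs pass policy")


def summarize(hosts, policy: Policy) -> dict:
    """Map each host to its decision so two policies can be compared."""
    return {h: evaluate(h, policy).action for h in hosts}


if __name__ == "__main__":
    hosts = sorted(LOCAL_DNS)
    before = Policy(blocked=frozenset({"Content Servers"}))
    after = Policy(blocked=frozenset({"Content Servers"}),
                   numeric_host_allow=frozenset({"Uncategorized"}))
    for name, pol in (("without CPL layer", before), ("with CPL layer", after)):
        print(name)
        for h in hosts:
            d = evaluate(h, pol)
            print(f"  {h:22} {d.action:5} {d.reason}")
```

Running the module prints the decision for each constructed host with and without the CPL layer: the host whose IP is uncategorized becomes allowed, while the host whose IP carries a different, blocked category stays blocked and is reported in ips_to_review, which is the case the article says to resolve through a Sitereview recategorization request rather than by widening the allow rule.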

Additional Information

References:

https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/proxysg/7-2/visual-policy-manager/how-policy-layers-rules-and-files-interact/how-vpm-layers-relate-to-cpl-layers/vpm-generated-cpl-layers.html

https://knowledge.broadcom.com/external/article/166537/how-to-write-rules-using-cpl-with-exampl.ht