WSS Bypassed Traffic functionality
search cancel

WSS Bypassed Traffic functionality


Article ID: 257509


Updated On:


Cloud Secure Web Gateway - Cloud SWG


Do portal bypass entries still apply when the WSS agent is unable to connect to the Cloud SWG and was in a failed-close state?

Would connections to destinations listed in the Bypassed Traffic section still be expected to function?


Cloud SWG (Cloud Secure Web Gateway) 


Bypasses take effect while fail-closed

Usually, the Cloud Traffic Controller (CTC) connection will still succeed - and only the tunnels will fail, and that is the most common way to get into failure mode.
However, if CTC fails, the cached bypass list will be used while in fail-closed mode ( Failure mode set to 'Block all traffic ) 
Usually, if both CTC and tunnels fail, it means that there is some kind of major network outage (from the device’s perspective), so the device won't be able to reach the bypassed destinations.
So - during the time while in a fail closed state, all traffic that would be tunnelled (ports 80, 443, 8080, 8443 if you're using CFS, or all ports if they are using CFS) will be blocked except for traffic that is bypassed.
Meaning if you are bypassing (by IP or by domain), the will still be allowed while in fail closed state. But traffic to will be dropped.
If you are not using CFS, traffic to would still be allowed (because it would be direct even if the tunnel were up).