WSS Agent in Selective Intercept mode intercepting traffic from PAC file DIRECT domains

Article ID: 258770


Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Users access the internet via Cloud SWG using WSS Agents.

The WSS Agent is set up with Selective Intercept enabled from on-premises locations. With Selective Intercept mode enabled, the WSS Agent should only intercept traffic destined for ep.threatpulse.com.

PAC files are pushed down to WSS Agent hosts to route the traffic between DIRECT and ep.threatpulse.com:80.

The domain github.com should be sent DIRECT as per the PAC file script, and the browser appears to be sending it DIRECT. However, the WSS Agent is intercepting this request and sending it through the tunnel. The domain github.com is not part of their bypassed domains list; however, the WSS Agent logs indicate that it is a bypassed domain.

Environment

WSS Agent.

CASB enabled and integrated with Cloud SWG (formerly known as WSS).

Cause

CASB is enabled with the github gatelet active, forcing inspection on the Cloud SWG side.

Resolution

Disable the github gatelet on the CASB side.

github.com is listed in the interceptDomains list directive read by the WSS Agent because the tenant also has CASB enabled for this domain. Domains covered by CASB gatelets are part of "selective intercept", meaning that when CASB gatelets are configured, those domains will still be intercepted. This is listed on the portal as part of what is involved in selective intercept:
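The following is an added example, not the portal listing referred to above and not vendor code: a small Node.js check that compares a PAC file's DIRECT domains against the agent's interceptDomains list to find hosts the browser sends DIRECT but the agent would still tunnel. The PAC contents, the host list, the interceptDomains values and the suffix-matching rule are assumptions constructed for illustration.

```javascript
// Suffix match on a label boundary: "api.github.com" matches "github.com".
// (Assumed matching rule; the agent's real matching logic is not documented here.)
function domainMatches(host, domain) {
  const h = host.toLowerCase();
  const d = domain.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Constructed PAC file modelled on the article: listed domains go DIRECT,
// everything else goes to the Cloud SWG endpoint ep.threatpulse.com:80.
const PAC_DIRECT_DOMAINS = ["github.com", "intranet.example.com"];
function FindProxyForURL(url, host) {
  for (const d of PAC_DIRECT_DOMAINS) {
    if (domainMatches(host, d)) return "DIRECT";
  }
  return "PROXY ep.threatpulse.com:80";
}

// Assumed model of the agent in Selective Intercept mode: it tunnels
// ep.threatpulse.com plus every domain in interceptDomains (CASB gatelets),
// regardless of what the PAC file told the browser.
function agentIntercepts(host, interceptDomains) {
  return ["ep.threatpulse.com", ...interceptDomains]
    .some((d) => domainMatches(host, d));
}

// Report hosts where the PAC verdict is DIRECT but the agent still tunnels.
function findConflicts(hosts, interceptDomains) {
  const conflicts = [];
  for (const host of hosts) {
    const pac = FindProxyForURL("https://" + host + "/", host);
    if (pac === "DIRECT" && agentIntercepts(host, interceptDomains)) {
      conflicts.push({ host, pac, agent: "tunnel" });
    }
  }
  return conflicts;
}

// Constructed inputs: interceptDomains with the github gatelet active and disabled.
const GATELET_ON = ["github.com"];
const GATELET_OFF = [];
const TEST_HOSTS = ["github.com", "api.github.com",
                    "intranet.example.com", "www.example.org"];

console.log("gatelet active:  ", findConflicts(TEST_HOSTS, GATELET_ON));
console.log("gatelet disabled:", findConflicts(TEST_HOSTS, GATELET_OFF));
```

With the gatelet active the check flags github.com and its subdomains; with it disabled the PAC file and the agent agree for every host.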