Users access the internet via Cloud SWG using WSS Agents.
The Cloud SWG Agent is set up with Selective Intercept enabled from on-premises locations. With Selective Intercept mode enabled, the Cloud SWG (formerly known as WSS) Agent should only intercept traffic destined for ep.threatpulse.com.
PAC files are pushed down to the Cloud SWG Agent hosts to route traffic either DIRECT or to ep.threatpulse.com:80.
The domain github.com should be sent DIRECT according to the PAC file script, and the browser appears to be sending it DIRECT. However, the Cloud SWG Agent is intercepting this request and sending it through the tunnel. The domain github.com is not part of the tenant's bypassed domains list; however, the Cloud SWG Agent logs indicate that it is a bypassed domain.
WSS Agent.
SEP Agent.
CASB enabled and integrated with Cloud SWG.
CASB is enabled with the GitHub gatelet active, which forces inspection on the Cloud SWG side.
Disable the GitHub gatelet on the CASB side.
github.com is listed in the interceptDomains list directive read by the WSS Agent, because the tenant also has CASB enabled for this domain. Domains with CASB gatelets configured are part of "selective intercept", which means that they will still be intercepted. This is listed on the portal as part of what is involved in selective intercept:
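Added example (not part of the original article, the portal text, or Broadcom's code): a small Node.js check that lists hosts a PAC file sends DIRECT but that also appear in the agent's interceptDomains list, which is the mismatch described above. The PAC script, the sample hosts, the helper names `agentIntercepts` and `findConflicts`, and the suffix-matching rule for interceptDomains entries are all assumptions made for illustration.

```javascript
// PAC helper normally supplied by the browser; defined here so the file runs in Node.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// Constructed PAC script in the shape the article describes: selected
// domains go DIRECT, everything else goes to ep.threatpulse.com:80.
function FindProxyForURL(url, host) {
  if (dnsDomainIs(host, "github.com") || dnsDomainIs(host, "intranet.example")) {
    return "DIRECT";
  }
  return "PROXY ep.threatpulse.com:80";
}

// Assumption: each interceptDomains entry matches the domain and its subdomains.
function agentIntercepts(host, interceptDomains) {
  const h = host.toLowerCase();
  return interceptDomains.some((d) => {
    const dom = d.toLowerCase();
    return h === dom || h.endsWith("." + dom);
  });
}

// Hosts the PAC file sends DIRECT that the agent would still tunnel.
function findConflicts(hosts, interceptDomains) {
  return hosts.filter((h) =>
    FindProxyForURL("https://" + h + "/", h) === "DIRECT" &&
    agentIntercepts(h, interceptDomains));
}

// Constructed sample data (not taken from a real tenant).
const sampleInterceptDomains = ["ep.threatpulse.com", "github.com"];
const sampleHosts = ["github.com", "api.github.com", "intranet.example", "www.example.org"];

console.log(findConflicts(sampleHosts, sampleInterceptDomains));
```

Any host this reports is one where the browser's DIRECT decision does not keep the traffic out of the tunnel, so the fix belongs on the CASB gatelet side rather than in the PAC file.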