Users accessing internet via Cloud SGW using WSS Agents.
WSS Agent is setup with Selective Intercept enabled from on-premise locations. With Selective Intercept mode enabled, the WSS Agent should only intercept traffic destined for ep.threatpulse.com.
PAC files pushed down to WSS Agent hosts to route the traffic between DIRECT and ep.threatpulse.com:80.
The domain github.com should be sent DIRECT as per the PAC file script and the browser appears to be sending it DIRECT. However WSS Agent is intercepting this request and sending it through the tunnel. The domain github.com is not part of their bypassed domains list however the WSS Agent logs indicate that it is a bypassed domain.
CASB enabled and integrated with Cloud SWG (formerly known as WSS).
CASB enabled with github gatelet active, forcing inspection on the Cloud SWG side.
Disable github gatelet on CASB side.
github.com is listed in their interceptDomains list directive read by the WSS Agent, because tenant also has CASB enabled for this domain. These are part of the "selective intercept"...meaning that when CASB gatelets are configured, they will still be intercepted. This is listed on the portal as part of what is involved in selective intercept: