Universal Policy Enforcement (UPE) 101 for Edge and Cloud SWG
search cancel

Universal Policy Enforcement (UPE) 101 for Edge and Cloud SWG


Article ID: 259547


Updated On:


Cloud Secure Web Gateway - Cloud SWG ProxySG Software - SGOS


Learn how to troubleshoot Universal Policy Enforcement issues for Edge and Cloud Secure Web Gateway.



  • About Universal Policy Enforcement in your Environment
  • Prerequisites
  • SSL Requirements
  • Deploy UPE First Steps
  • UPE Use Cases and Examples
  • Troubleshoot UPE

About Universal Policy Enforcement in your Environment

In Management Center (MC), use UPE to define a single policy that MC shares with Edge Secure Web Gateway (Edge SWG) appliances and Cloud Secure Web Gateway (Cloud SWG).

Universal Policy comprises various rules that are required of your enterprise to enforce acceptable web-use policies for employees who connect through an on-premises Edge SWG appliance, Cloud SWG, or both. To achieve Universal Policy Enforcement, MC allows you to centralize your policy creation, maintenance, and installation to multiple appliances and the cloud service.

In UPE deployments, MC uses Edge SWG reference devices to get custom exception pages, security roles, and several other settings that impact policy. MC requires these reference devices to determine what part of the policy is for on-premise devices and what part is for Cloud SWG.

After you set up UPE, you use MC to quickly maintain, edit and publish policy updates without having to log in to multiple products.


To use the universal policy feature, you must first:

  • Have a valid Cloud SWG account registered to accept the policy from the Management Center using the WSS onboarding wizard. Existing WSS cloud customers may contact Customer Support for configuration assistance. For steps on onboarding a new WSS portal, see Register the Cloud SWG Portal.
  • Enable enforcement domains and create the policy on the reference ProxySG appliance. Although you can import the universal policy from a source that does not have enforcement domains that are enabled, you cannot deploy the policy unless you launch the VPM Editor and save a new revision of the policy. Saving the new revision generates the CPL with enforcement domains enabled.

SSL Requirements

The universal policy requires proper SSL certificate validation. You must:

  • Ensure that Management Center is able to connect to https://sgapi.es.bluecoat.com
  • Verify that no inline proxies disrupt SSL connections to your devices.
  • If Management Center uses the explicit HTTP proxy, ensure that it does not decrypt the traffic

Software Version Requirements



ProxySG Appliance SGOS 7.x, 6.7.1+, 6.6.x,
Cloud SWG Subscription ID
Management Center or later

UPE Technical Requirements

Deploy UPE First Steps

UPE Use Cases and Examples

Search Restrictions





Web Isolation

Header Modification