macOS bypassing Cloud SWG using local proxy with WSS Agent

Article ID: 265919


Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

macOS running WSS Agent 9.1.1.
A Windows machine on the same network (not the same host) is running Fiddler on a local RFC1918 IP address.
A GET request generated on macOS for a domain blocked by Cloud SWG, and sent through Fiddler on the Windows machine, receives a successful response.
Running a web proxy on the macOS localhost (Charles proxy) blocks the request, as we detect that the user is trying to bypass Cloud SWG.
The same test with WSS Agent on the Windows platform fails.

Environment

macOS 13.x and 12.x

WSS Agent 8.x and 9.x

Web proxy installed and running on local network (not localhost).

Cause

If proxy settings are enabled on the macOS device and the proxy is not on the host itself, the Agent cannot determine if requests are being proxied or not.

This works on Windows (using the Windows network kernel), but fails on macOS because of the macOS network extension interface. With the macOS network extension, we are given the flow but not what is inside the flow (we can only get the app name and the IP address/port, not the HTTP payload), and therefore cannot determine whether it is proxied traffic or not.

Resolution

Make sure security policies only allow internet traffic to go out from certain IP addresses (so that only valid proxy hosts are allowed out, and not something that someone spins up).

You can push client firewall policies out to only allow access to certain internal hosts, which avoids this scenario.
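
To find Macs in the state described under Cause (system proxy enabled and pointing at a host other than the Mac itself), the following added example parses `scutil --proxy` output and reports any enabled proxy that is neither loopback nor allowlisted. It is not vendor code; the allowlist entry `proxy.corp.example` and the sample addresses are assumptions.

```shell
# Added example (not vendor code): flag macOS system proxy settings that point
# at a host other than this machine and are not on an allowlist.
# Reads `scutil --proxy` output on stdin. $1 is a space-separated allowlist of
# sanctioned proxy hosts (hypothetical names, supplied by the caller).
# Prints one line per unsanctioned proxy, e.g. "HTTP 192.168.1.50:8888".
find_unsanctioned_proxies() {
  awk -v allow="${1:-}" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $NF == "}" { depth--; next }            # leaving a dictionary or array
    $NF == "{" { depth++; next }            # entering one
    depth == 1 && $2 == ":" { kv[$1] = $3 } # top-level "Key : value" only
    END {
      m = split("HTTP HTTPS SOCKS", kinds, " ")
      for (i = 1; i <= m; i++) {
        k = kinds[i]; host = kv[k "Proxy"]
        if (kv[k "Enable"] + 0 != 1 || host == "") continue
        # A proxy on the host itself is the case the agent already detects.
        if (host == "localhost" || host == "::1" || host ~ /^127\./) continue
        if (host in ok) continue
        print k, host ":" kv[k "Port"]
      }
      # A PAC file can also route traffic to a LAN proxy; report it for review.
      if (kv["ProxyAutoConfigEnable"] + 0 == 1)
        print "PAC", kv["ProxyAutoConfigURLString"]
    }'
}

# Constructed sample of `scutil --proxy` output (addresses are made up).
sample_scutil_output() {
  cat <<'EOF'
<dictionary> {
  ExceptionsList : <array> {
    0 : *.local
  }
  HTTPEnable : 1
  HTTPPort : 8888
  HTTPProxy : 192.168.1.50
  HTTPSEnable : 1
  HTTPSPort : 8888
  HTTPSProxy : 192.168.1.50
  SOCKSEnable : 0
}
EOF
}

# On a Mac, audit the live settings against the (assumed) allowlist.
if command -v scutil >/dev/null 2>&1; then
  scutil --proxy | find_unsanctioned_proxies "proxy.corp.example"
fi
```

Any output line is a finding to feed into endpoint compliance reporting; try it offline with `sample_scutil_output | find_unsanctioned_proxies "proxy.corp.example"`.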