Domains bypassed at WSS side will not be blocked by SEP FW policy with WCAP in PAC file mode, however, they will be blocked by SEP FW with Web and Cloud Access Protection Policy (WCAP) in tunnel mode.
Any SEP version with WCAP policy in PAC mode or Tunnel mode.
WCAP Policy PAC File Mode:
A domain bypassed at WSS side using bypass lists in WCAP PAC mode will be bypassing the FW policy rules.
Example:
In WSS the domain example.com is added to the bypassed domains list, however SEP FW policy is configured with a rule to block example.com.
The expected behavior: user will be able to open example.com page in their browser. The SEP Firewall will not block the traffic to allow the administrator to use WSS rules to shape their traffic as they find appropriate.
WCAP Policy Tunnel Mode:
A domain bypassed at WSS side using bypass lists in WCAP Tunnel mode will not by bypassing the FW policy rules, and these domains will be processed by the FW policy rules.
Example:
In WSS the domain example.com is added to the bypassed domains list, however SEP FW policy is configured with a rule to block example.com, and SEP WCAP in tunnel mode.
The expected behavior: user will not be able to open example.com page in their browser, since the bypassed traffic outside the tunnel will be blocked by the SEP FW policy rules.
When switching from WCAP PAC file to WCAP Tunnel mode, make sure you add allow rules for all the bypassed domains configured at WSS bypassed domains list.
See "Requirements and limitations" section in the following techdoc page:
What is Web and Cloud Access Protection?