The WSS Agent tunnel is up and running successfully.
On the same host, a VPN client runs in full-tunnel mode with exceptions: the Cloud Traffic Controller (CTC) and the WSS Agent VIP are bypassed.
After the VPN connection starts, the VPN client modifies the routes so that traffic destined for the CTC IP is sent via the default route rather than the VPN tunnel interface, as expected.
Despite this, macOS routes traffic destined for ctc.threatpulse.com (130.211.30.2) via the VPN tunnel interface.
Since CTC access isn't allowed via the VPN tunnel, the agent cannot connect to the Cloud SWG Service.
Note: Corporate Security Policy does not allow CTC to be routed via the VPN tunnel.
System Extensions can be reviewed on a macOS device using the terminal by running:
systemextensionsctl list
Example output:
2 extension(s)
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
* * Y2CCP3S9W7 com.symantec.wssa.wssax (9.5.5.20473/9.5.5) WSSA Network Extension [activated enabled]
--- com.apple.system_extension.endpoint_security
enabled active teamID bundleID (version) name [state]
* * Y2CCP3S9W7 com.broadcom.mes.systemextension (9.6.0/9.6.0) Symantec System Extension [activated enabled]
This command will display a list of all installed system extensions along with their bundle identifiers, team identifiers, and other relevant details. You'll be able to identify any network-related system extensions from the list that is displayed.
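The following is an added example (not part of the KB article or of the WSS Agent product) showing how an administrator could parse the two command outputs used when triaging this issue: the `systemextensionsctl list` output quoted above, to pick out the active network extensions, and the `route -n get <ip>` output for the CTC address, to see which interface the Unix routing table claims it will use. The first sample is the output quoted in the article; the second is constructed (the gateway address is made up), and the assumption that macOS VPN tunnels appear as `utun<N>` interfaces is the example's own.

```python
"""Added example (not from the KB article or the WSS Agent product).

Assumptions not stated on the page:
  - `systemextensionsctl list` keeps the column layout quoted in the article
    (the real tool separates columns with tabs; whitespace is tolerated here).
  - `route -n get <ip>` prints the usual "key: value" header block.
  - VPN clients on macOS expose their tunnel as a utun<N> interface.
"""
import json
import re
import subprocess
from dataclasses import dataclass, asdict
from typing import Dict, List

# Sample 1: the systemextensionsctl output quoted in the KB article.
SYSEXT_SAMPLE = """\
2 extension(s)
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
* * Y2CCP3S9W7 com.symantec.wssa.wssax (9.5.5.20473/9.5.5) WSSA Network Extension [activated enabled]
--- com.apple.system_extension.endpoint_security
enabled active teamID bundleID (version) name [state]
* * Y2CCP3S9W7 com.broadcom.mes.systemextension (9.6.0/9.6.0) Symantec System Extension [activated enabled]
"""

# Sample 2: CONSTRUCTED `route -n get 130.211.30.2` output (gateway is invented).
ROUTE_SAMPLE = """\
   route to: 130.211.30.2
destination: default
       mask: default
    gateway: 192.0.2.1
  interface: en0
      flags: <UP,GATEWAY,DONE,STATIC,PRCLONING,GLOBAL>
 recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
       0         0         0         0         0         0      1500         0
"""

# enabled/active columns hold "*" when set and are blank otherwise.
EXT_LINE = re.compile(
    r"^\s*(\*?)\s+(\*?)\s+(\S+)\s+(\S+)\s+\((.*?)\)\s+(.*?)\s+\[(.*?)\]\s*$"
)


@dataclass
class SystemExtension:
    category: str   # the "--- ..." header the entry appeared under
    enabled: bool
    active: bool
    team_id: str
    bundle_id: str
    version: str
    name: str
    state: str


def parse_systemextensions(text: str) -> List[SystemExtension]:
    """Turn `systemextensionsctl list` output into one record per extension."""
    records, category = [], ""
    for line in text.splitlines():
        if line.startswith("--- "):
            category = line[4:].strip()
            continue
        m = EXT_LINE.match(line)
        if m:
            en, ac, team, bundle, ver, name, state = m.groups()
            records.append(SystemExtension(category, en == "*", ac == "*",
                                           team, bundle, ver, name, state))
    return records


def network_extensions(exts: List[SystemExtension]) -> List[SystemExtension]:
    """Only the active entries under the network_extension category."""
    return [e for e in exts
            if e.category.endswith(".network_extension") and e.active]


def parse_route_get(text: str) -> Dict[str, str]:
    """Parse the 'key: value' header of `route -n get`; the numeric footer
    (recvpipe ... expire) has no colon and is skipped."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            info[key.strip()] = value.strip()
    return info


def is_tunnel_interface(ifname: str) -> bool:
    # Assumption: VPN tunnels on macOS are named utun<N>.
    return re.fullmatch(r"utun\d+", ifname) is not None


def assess(sysext_text: str, route_text: str, ctc_ip: str) -> Dict[str, object]:
    """Summarise what the Unix routing table says about the CTC route and
    which active network extensions exist. Per the KB, traffic generated
    inside a network extension does not honour that table, so the table is
    only authoritative when no network extension is active."""
    exts = network_extensions(parse_systemextensions(sysext_text))
    iface = parse_route_get(route_text).get("interface", "")
    return {
        "ctc_ip": ctc_ip,
        "routing_table_interface": iface,
        "routing_table_uses_tunnel": is_tunnel_interface(iface),
        "active_network_extensions": [e.bundle_id for e in exts],
        "routing_table_authoritative": not exts,
    }


def run_live(ctc_ip: str = "130.211.30.2") -> Dict[str, object]:
    """Run the two commands on a real macOS host (not used by the offline demo)."""
    sysext = subprocess.run(["systemextensionsctl", "list"],
                            capture_output=True, text=True, check=True).stdout
    route = subprocess.run(["route", "-n", "get", ctc_ip],
                           capture_output=True, text=True, check=True).stdout
    return assess(sysext, route, ctc_ip)


if __name__ == "__main__":
    print(json.dumps(assess(SYSEXT_SAMPLE, ROUTE_SAMPLE, "130.211.30.2"), indent=2))
    print([asdict(e) for e in parse_systemextensions(SYSEXT_SAMPLE)])
```

On the sample data the routing table reports `en0` for the CTC address while an active network extension (the WSSA one) is present, which is exactly the situation the article describes: the Unix table says the CTC route bypasses the tunnel, but that table does not govern traffic originating inside the network extension.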
In recent discussions with Apple and third-party VPN providers surrounding network extension behavior on macOS, there have been observations indicating that both the WSS agent and macOS are functioning as intended.
Apple has clarified that Network Extension providers such as Cloud SWG Agents operate within a separate context that does not honor the full Unix routing table. According to both Apple and Cloud SWG, this design is intended to enhance security by preventing end-user manipulation of routing tables. However, this behavior poses challenges for VPN providers such as Palo Alto Networks, Cisco and F5, prompting a search for solutions that let VPN services operate seamlessly on macOS.
macOS Big Sur+
VPN Client using legacy macOS API such as "bsd" or "posix"
Symantec Agents: Enterprise Agent, WSS Agent, SEP Agent Tunnel Mode
The core issue arises when VPN providers, such as F5 with its Edge Client, Palo Alto Networks with GlobalProtect, and Cisco with AnyConnect, encounter conflicts between their VPN routing mechanisms and the Network Extension framework on macOS.
If an application such as a VPN client runs only in user space and is not itself a network extension, it has no direct access to the capabilities of the network extension layer.
It therefore cannot install routes or intercept traffic the way an application running inside a network extension can, and conversely the routes it installs in the Unix routing table do not apply to processes running within network extensions.
macOS treats network extensions differently due to security concerns. Network extensions have their own protected routing tables, preventing malicious user processes from modifying them.
Note: Apple has indicated that Network Extensions routing takes precedence over Unix routing table rules, potentially disrupting VPN functionality. This conflict needs a deeper understanding of how VPN traffic interacts with the macOS networking stack and Network Extensions.
These are a few of the options available to resolve this.
Note: Creating a new VPN profile that does not change the machine's default route keeps the routing tables of the network extension and user space in sync, which lets applications like WSSA operate smoothly within the network extension layer. This does NOT require changing the VPN provider or client to support system extensions, nor waiting for the VPN provider to release a new feature.
Whether an application runs in user space or in the network extension context is decided entirely by Apple. Further questions about the OS architecture should be directed to them, as we are operating under the limitations and restrictions they impose on applications such as WSS Agent.