Users do not get an access denied exception page from Cloud Secure Web Gateway (Cloud SWG, formerly WSS), but the site does not load properly. In a browser, one can easily check the requests in the developer tools to find which request or requests are being denied.
However, when a user gets an access denied error in a third-party application, there is no provision to check the requests in a developer tool as there is in a browser.
How can you identify whether a policy rule on Cloud SWG denied traffic for a specific domain/URL?
Cloud SWG
Log in to the Cloud SWG Portal, then navigate to REPORTS > Reports Center.
Under Full Log Details, click Proxy logs.
Note: Each report displays default data columns based on the Access Log data for that specific report.
To remove columns from view or add (valid) additional columns, click the drop-down arrow in any column header, select Columns, and select which columns to hide or show. In this case, select the Rule ID column.
The Rule ID column value shows which rule denied that specific request.
Reference link: Change Visible Cloud SWG Report Data > Change the Columns