Quarantined SEP Agent can still access internet with Cloud SWG agent running

Article ID: 382044


Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Users access the internet via Cloud SWG using the SEP Web and Cloud Access Protection Agent.

Users can authenticate and access any resource they are permitted to reach without problems.

When you quarantine a SEP device running the Web and Cloud Access Protection Agent with the default quarantine policy in ICDm, the quarantine appears to fail: the agent tunnel stays connected and the device can still reach internet resources, even though ctc.threatpulse.com is not in the allowed domain list of the quarantine policy.

Reconnecting the agent also establishes a new tunnel on the quarantined device. The same device was quarantined successfully when it sat behind Edge SWG.

Environment

SEP Web and Cloud Access Protection Client.

Cloud SWG.

ICDm quarantine policy enabled.

Resolution

Make a copy of the Web and Cloud Access Protection Agent policy in ICDm with the feature turned off, and assign that copy to the quarantine policy target rule.

The default policy works as designed: when a host is quarantined, access to certain Broadcom endpoints is still allowed.

Additional Information

Network traffic always goes through the Web and Cloud Access Protection Agent tunnel into Cloud SWG, so a quarantined host can still send traffic into Broadcom sites through that tunnel.

Only traffic that is bypassed from Cloud SWG reaches the local firewall (FW), and the quarantine process blocks that traffic there.

ctc.threatpulse.com is also one of the external Broadcom URLs that remain reachable while the host is in the quarantined state.
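The following is an added verification script, not code from Broadcom or from this article: run it on a host after applying the quarantine policy to confirm that the agent tunnel is no longer carrying general internet traffic. It probes TCP/443 to a Broadcom endpoint the article says stays reachable (ctc.threatpulse.com) and to hypothetical non-allowed destinations, then reports any destination outside the allowed set that is still reachable. The destination list and the allowed set are assumptions you should replace with your own quarantine policy values.

```python
"""Check whether a quarantined SEP host can still reach non-allowed internet hosts.

Added example, not Broadcom code. Hypothetical destinations and allowed set below.
"""
import socket

# Assumed: endpoints the quarantine leaves reachable. ctc.threatpulse.com is named
# in the article; the set should mirror your ICDm quarantine policy's allowed domains
# plus the Broadcom endpoints that remain reachable by design.
ALLOWED = {"ctc.threatpulse.com"}

# Constructed test destinations: one allowed Broadcom endpoint and two
# ordinary internet hosts that a quarantined device must NOT be able to reach.
PROBE_HOSTS = ["ctc.threatpulse.com", "example.com", "example.net"]


def tcp_reachable(host: str, port: int = 443, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout.

    Through the WCA agent tunnel this succeeds even for blocked destinations, which
    is exactly the symptom the article describes.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def assess(results: dict, allowed: set) -> dict:
    """Interpret probe results.

    results maps host -> reachable. Any reachable host outside the allowed set means
    the quarantine is not effective for tunneled traffic (tunnel still carrying it).
    """
    leaked = sorted(h for h, ok in results.items() if ok and h not in allowed)
    allowed_ok = sorted(h for h, ok in results.items() if ok and h in allowed)
    return {
        "quarantine_effective": not leaked,
        "leaked": leaked,
        "allowed_reachable": allowed_ok,
    }


def run_probe(hosts=PROBE_HOSTS, allowed=ALLOWED) -> dict:
    """Probe every host and return the assessment (network access required)."""
    return assess({h: tcp_reachable(h) for h in hosts}, allowed)


if __name__ == "__main__":
    verdict = run_probe()
    status = "OK" if verdict["quarantine_effective"] else "QUARANTINE BYPASSED VIA TUNNEL"
    print(status)
    for h in verdict["leaked"]:
        print(f"  still reachable (not allowed): {h}")
    for h in verdict["allowed_reachable"]:
        print(f"  reachable as permitted:        {h}")
```

If the script reports non-allowed hosts as reachable while the device is quarantined, the agent tunnel is still active; apply the copied policy with the feature turned off to the quarantine target rule so that traffic hits the local firewall instead of the tunnel.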