Edge SWG (ProxySG) not enforcing client and server TLS versions set in policy

Article ID: 383869

Products

ProxySG Software - SGOS ISG Proxy Advanced Secure Gateway Software - ASG SSL Visibility Appliance Software

Issue/Introduction

You have a policy on your Edge SWG (ProxySG) that contains TLS version control rules. However, the policy does not appear to take effect, even though the traffic matches the policy rule.

Environment

  • Edge SWG (ProxySG) running SGOS 7.3 or later
  • SSL Visibility (SSLV) offloading configured
  • Policy rules setting TLS versions for sites, similar to:

      <ssl>
      condition=TLSv12_Limit client.connection.max_ssl_version(tlsv1.2) server.connection.max_ssl_version(tlsv1.2)

Cause

SSLV offloading overrides the TLS policy controls on the Edge SWG (ProxySG).

Resolution

The TLS version policy on the Edge SWG (ProxySG) does not apply to traffic that is offloaded to the SSLV. Because the SSLV handles the SSL/TLS control for offloaded traffic, the TLS versions for that traffic must be controlled from the SSLV device instead.

Refer to the technical document Configure Rulesets to Handle SSL Traffic for instructions on setting the TLS version on the SSLV.