Cloud SWG blocking access when iCloud Private Relay running on WSS Agent host
Article ID: 388639

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Users can normally access internet sites via Cloud SWG using the WSS Agent access method. When iCloud Private Relay is enabled on the WSS Agent host, however, all of the device's traffic is tunneled through one of the following hosts:

  • mask.icloud.com
  • mask-h2.icloud.com

Both of these hosts are categorized in WebPulse as Proxy Avoidance, a category that is blocked by default, so users see the block message rendered in their user agent.

After the Cloud SWG admin allows users to access the Proxy Avoidance category, all requests arriving at the Cloud SWG service from devices with iCloud Private Relay enabled appear in the Cloud SWG logs with one of those two domains as the destination.

Cloud SWG access logs and reports do not show the original destinations.

Environment

WSS Agent.

Cloud SWG.

iCloud Private Relay.

Cause

The Proxy Avoidance category is blocked by default.

Resolution

To address the policy blocks, update your Cloud SWG policy to allow these requests. This can be done by either:

  • unblocking the Proxy Avoidance category (only available for UPE-managed Cloud SWG environments), or
  • unblocking the two domains above (add them to the Threat Protection -> Trusted Destination G2 rule).

Unfortunately, the workaround above does not address the logging issue. For the access logs to report the actual domains being accessed:

  • Disable iCloud Private Relay on the device. This can be done through MDM or manually by the user.
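Because the access logs only ever show the two relay hostnames, an admin still needs a way to work out which users or devices have Private Relay turned on before pushing the MDM change. The script below is an added example, not Broadcom's code or a Cloud SWG feature: it scans access-log lines for mask.icloud.com and mask-h2.icloud.com and reports, per user, whether that traffic is being blocked (the policy symptom) or allowed but opaque (the logging symptom). The log layout it parses ("timestamp user client-ip action destination-host") is an assumed, simplified format and the log lines are constructed; adapt `parse_line` to the real export format in use.

```python
import re
from collections import Counter

# iCloud Private Relay egress hosts named in the article.
PRIVATE_RELAY_HOSTS = {"mask.icloud.com", "mask-h2.icloud.com"}

# Constructed sample lines in an ASSUMED simplified layout:
#   <timestamp> <user> <client-ip> <action> <destination-host>
# This is not the real Cloud SWG access-log format; adjust LINE_RE for it.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice 10.1.1.5 BLOCKED mask.icloud.com
2024-05-01T09:00:02Z alice 10.1.1.5 BLOCKED mask-h2.icloud.com
2024-05-01T09:00:05Z bob 10.1.1.9 ALLOWED www.example.com
2024-05-01T09:01:10Z carol 10.1.1.12 ALLOWED mask-h2.icloud.com
2024-05-01T09:01:11Z carol 10.1.1.12 ALLOWED mask-h2.icloud.com
2024-05-01T09:02:00Z bob 10.1.1.9 ALLOWED mail.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, ip, action, host = m.groups()
    return {"ts": ts, "user": user, "ip": ip, "action": action.upper(), "host": host.lower()}


def find_private_relay_users(log_text):
    """Return {user: {"hits": n, "actions": Counter, "ips": set}} for every user
    whose requests terminate at a Private Relay host. Their real destinations are
    invisible in these logs, so they are the devices to target with the MDM change."""
    result = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] not in PRIVATE_RELAY_HOSTS:
            continue
        entry = result.setdefault(rec["user"], {"hits": 0, "actions": Counter(), "ips": set()})
        entry["hits"] += 1
        entry["actions"][rec["action"]] += 1
        entry["ips"].add(rec["ip"])
    return result


def classify_user(entry):
    """'blocked' if any relay request was denied (users will see the block page),
    otherwise 'opaque' (policy allows it, but destinations are hidden)."""
    return "blocked" if entry["actions"].get("BLOCKED", 0) else "opaque"


def relay_traffic_ratio(log_text):
    """Fraction of parseable log lines whose destination is a relay host: a rough
    measure of how much of the log has lost its true destination."""
    total = relay = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        if rec["host"] in PRIVATE_RELAY_HOSTS:
            relay += 1
    return relay / total if total else 0.0


if __name__ == "__main__":
    users = find_private_relay_users(SAMPLE_LOG)
    for user, entry in sorted(users.items()):
        print(f"{user}: {entry['hits']} relay requests from {sorted(entry['ips'])} "
              f"-> {classify_user(entry)}")
    print(f"relay share of log: {relay_traffic_ratio(SAMPLE_LOG):.0%}")
```

Users reported as "blocked" are seeing the symptom in the Issue section and are fixed by the policy change; users reported as "opaque" are the ones for whom only disabling Private Relay will restore visibility. The ratio gives a quick sense of how much destination visibility the log has lost overall.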