Users in certain geographic regions may experience intermittent connectivity issues—such as frequent connection resets, timeouts, or degraded performance—when accessing the internet via explicit proxy or proxy forwarding to Cloud SWG, particularly for external or international destinations.

Some countries or regions implement network-level traffic monitoring or filtering policies through local Internet Service Providers (ISPs). These mechanisms may inspect or interfere with certain types of traffic, especially when identifiable metadata such as destination domain names (via HTTP CONNECT requests) is visible.

While the actual content of encrypted HTTPS traffic remains secure, the visibility of connection metadata in explicit proxy setups can be sufficient for triggering inspection, throttling, or even connection termination by the ISP.
These behaviors are generally outside the control of the Cloud SWG platform and are attributed to region-specific ISP policies or restrictions.

As an example, regions like China are known to apply such network-level controls, which may result in TCP resets or access failures when using explicit proxy methods.

To avoid these issues, we recommend using one of the following tunneled connectivity methods, which encapsulate traffic and prevent content-level interference:

1. WSS Agent (Web Security Service Agent)
   Securely tunnels traffic from endpoint devices to Cloud SWG.
   Traffic is encrypted and encapsulated, preventing inspection or tampering.
   Ideal for roaming or remote users.
   
   
2. IPSec Tunnel
   Establishes a site-to-site tunnel from your on-prem firewall/router to Cloud SWG.
   Suitable for office locations with fixed infrastructure.
   Provides stable and encrypted transmission unaffected by ISP-level interference.
3.  

If you're currently using explicit proxy and facing issues in China, consult your network/security team to evaluate a switch to WSS Agent or IPSec tunnel.
Refer to the configuration guides for WSS Agent Setup or IPSec Tunnel Setup.

If assistance is required, please contact our support team with traffic logs and connection details for further analysis.