When configuring Destination Objects in Cloud SWG, it's important to distinguish between domain-based and URL-based matching.

This article explains how Cloud SWG interprets entries and provides guidance to avoid common misconfigurations.

In Cloud SWG, administrators can create Destination Objects to define rules based on specific domains or URLs. However, it uses the format of the input to determine whether it should be interpreted as a domain or a URL. Understanding this behavior is critical for proper policy enforcement.

Cloud SWG classifies input as either a domain or a URL based on the presence of a protocol or path (such as http:// or https:// or example.com/test)

A frequent issue occurs when administrators input values like https://example.com expecting the policy to apply to all traffic for example.com.

However, https://example.com is treated as a URL match and will not apply to subdomains or variations such as http://example.com or https://www.example.com.

Enter only the domain name when you want the rule to apply to all traffic directed to that domain, regardless of protocol or subdomain.
Use a full URL only when the policy needs to target a specific request pattern or exact resource.

To validate if the object is URL or Domain, just hover mouse to the object icon as below to confirm: