Users accessing internet services via Cloud SWG using WSS Agent and IPSEC access methods.

Cloud SWG admin enabled policies to block certain applications/categories/domains but wanted to extend that to enable the password override when blocked (and also coaching).

Using the following application operations, all applications operations were successfully blocked as expected.

When testing the block with coaching or password override feature, most applications also worked (Yahoo for example) but a few failed (Google drive downloads) in that there is no redirect to any page.

Why can we block downloads from Google Drive but not with coaching or password override enabled?

Cloud SWG.

Proxy policy includes redirects (password override or coaching pages).

For any redirects to the coaching or password override page, the request triggering the block must be a GET request.

Make sure that the download operation from the Application site uses the GET request. In the case of the Google download, the OPTIONS method was used and the Cloud SWG proxy does not redirect on any request other than a GET method.

The 'application_action_blocked' verdict is what is returned when the redirect fails.

When running a policy trace, the key entries were POST and OPTIONS method requests to the Google Drive application.

A sample entry of the problem request looks as follows:

time: 2025-06-18 10:18:05 UTC
OPTIONS https://drive.usercontent.google.com/uc?id=xxxxxx&authuser=1&export=native_doc_export
DNS lookup was unrestricted
rewritten URL(s):
:
Referer: https://drive.google.com/
:
authentication start 0 elapsed 0 ms
authorization start 0 elapsed 0 ms
authentication status='none' authorization status='none'
user: authenticated=true authorized=true relative username='[email protected]'
supplier.allowed_countries: all
supplier.failures: 
verdict: EXCEPTION(application_action_blocked): Either 'force_deny' or 'force_exception' was matched in policy
bypass_cache(yes)
  url.category: Uncategorized@Policy;Search Engines/Portals@Blue Coat
    category groups: Business Related@Blue Coat;Information Related@Blue Coat
    total categorization time: 1
    static categorization time: 1
  server.certficate.hostname.category: Uncategorized@Policy;Search Engines/Portals@Blue Coat
    category groups: Business Related@Blue Coat;Information Related@Blue Coat
    total categorization time: 0
    static categorization time: 0
outbound source IP: #.#.#.# poof: auto
server.response.code: 200
client.response.code: 403
client.request.version:  HTTP/2
server.response.version: HTTP/2
application.name: Google Drive