Web-access layer seem to be used as the default mode of access however there are some cases where using a deny on those layer will have no effective impact.

For example, if you want to allow access to certain sites, and you want to prevent the users from posting comments, if you use a Web-access layer to block the POST request to a comment URL the users will receive the deny message when they post a comment on the site, but the comment will be sent to the server and added, as the Web-access layer performs the deny once it has received the server response.

So, it is quite important to be clear on when the block should happen and whether any data should be sent to the server or if this should be absolutely avoided, in which case the deny has to be implemented in a Web-request layer.

In Cloud SWG portal managed policies the web-request and web-access distinction is readily visible via the "Group A - Request-based" and "Group B - Response-based" rule sets that are available on the Content filtering and Threat-protection policies.