Users accessing internal Web applications via ZTNA (Web and not segment applications).

These same users access internet sites via Cloud SWG using WSS Agent access methods.

Web application defined with a conditional policy for managed devices referencing WSS as shown below:

When a user hits this ZTNA Web application via Cloud SWG, the policy appears to fail and ZTNA responds with a 403 instead of the Web page. This only started happening late November 2025.

If we disable the Web access policy WSS authentication check above, then all works fine and user sees web application.

When troubleshooting, we could see the impacted users were connected to Copenhagen, who's egress IP address range changed recently (along with many other sites).

Th forensic logs also reported the country code as United States. 

Following the migration of public IP addresses for WSS, we have experienced significant issues with ZTNA. We are encountering challenges with the geolocation of the new addresses, as some of them are being identified as US-based even if we go out through the Copenhagen location zone.

Additionally, there is a condition in ZTNA that requires traffic to originate from WSS - this no longer works after the update, likely because the addresses have not been correctly updated in ZTNA.