How to bypass domains from full isolation for Cloud SWG users configured using UPE CPL

Article ID: 263359

Products

Web Protection Suite

Issue/Introduction

Is it possible to write a CPL policy that isolates broadly while still bypassing isolation for selected sites?

Administrators who use Cloud SWG to give users access to internet sites report the following, across a mix of WSS Agent and explicit-proxy access methods:

  • The Cloud SWG tenant is managed through Management Center and has a full Web Isolation license.
  • The isolation policy is written in Content Policy Language (CPL), following the UPE isolation documentation.
  • Isolation itself works as expected, but no site can be bypassed from isolation.

Environment

  • Cloud SWG configured using UPE policy.
  • Web isolation.
  • All Cloud SWG access methods.

Resolution

To bypass a single site from isolation, add a negated test for that site to the isolation conditions. Within a define condition every line is evaluated on its own (the lines are ORed) and the tests on one line are ANDed, so an exemption only limits the line it is written on and must be repeated on every active line. The example below isolates all sites with a threat risk level of 7-10 except "myriskysite.com" (assumed to also have a risk level in the 7-10 range); the same line also keeps sites in the "Malicious Outbound Data/Botnets" and "Suspicious" categories out of the isolation match:

;; Begin Template
#if enforcement=wss
    ; Lines in a define condition are ORed; tests on one line are ANDed.
    ; Keep each exemption on the same line as the test it is meant to limit,
    ; otherwise a negated test on its own line matches almost every request.
    define condition Isolation_CondWebIsolationMatchCriteriaWebAccess
      url.threat_risk.level=7..10 url.domain=!"myriskysite.com" url.category=!("Malicious Outbound Data/Botnets","Suspicious")
      ;url.domain="malicious.com"
      ;authenticated=yes
      ;client.address=192.168.10.0/24
      ;authenticated=yes url.category=("Malicious Outbound Data/Botnets")
    end

    ; Same tests keyed on server_url for the Forwarding condition
    define condition Isolation_CondWebIsolationMatchCriteriaForwarding
      server_url.threat_risk.level=7..10 server_url.domain=!"myriskysite.com" server_url.category=!("Malicious Outbound Data/Botnets","Suspicious")
      ;server_url.domain="malicious.com"
      ;authenticated=yes
      ;client.address=192.168.10.0/24
      ;authenticated=yes url.category=("Malicious Outbound Data/Botnets")
    end

    ; This should be conditioned but is required for Isolation
    <SSL-Intercept> condition=Isolation_CondWebIsolationMatchCriteriaWebAccess
      ssl.forward_proxy(https)
#endif
;; End Template


To bypass a group of domains, or to exempt specific client addresses, define a category for the domains and a subnet for the addresses and negate them on every active line of both conditions, since the lines of a define condition are ORed and an exemption only applies to the line it is written on. The example below isolates risk 7-10 sites for all users and all traffic from 192.168.10.0/24, except the listed domains and the exempted client address:

;; Begin Template
#if enforcement=wss

    ; Domains to bypass from isolation (an entry also matches its subdomains)
    define category domain_iso_exemptions
        myriskysite1.com
        myriskysite2.com
    end

    ; Client addresses to exempt from isolation
    define subnet client_ip_iso_exemptions
        192.168.10.125
    end

    ; Lines are ORed and tests on a line are ANDed, so both exemptions
    ; are repeated on every active line (and on the commented category line).
    define condition Isolation_CondWebIsolationMatchCriteriaWebAccess
      url.threat_risk.level=7..10 url.category=!("domain_iso_exemptions") client.address=!client_ip_iso_exemptions
      ;url.category=("Malicious Outbound Data/Botnets","Suspicious") url.category=!("domain_iso_exemptions") client.address=!client_ip_iso_exemptions
      ;url.domain="malicious.com"
      ;authenticated=yes
      client.address=192.168.10.0/24 client.address=!client_ip_iso_exemptions url.category=!("domain_iso_exemptions")
      ;authenticated=yes url.category=("Malicious Outbound Data/Botnets")
    end

    define condition Isolation_CondWebIsolationMatchCriteriaForwarding
      server_url.threat_risk.level=7..10 server_url.category=!("domain_iso_exemptions") client.address=!client_ip_iso_exemptions
      ;server_url.category=("Malicious Outbound Data/Botnets","Suspicious") server_url.category=!("domain_iso_exemptions") client.address=!client_ip_iso_exemptions
      ;server_url.domain="malicious.com"
      ;authenticated=yes
      client.address=192.168.10.0/24 client.address=!client_ip_iso_exemptions server_url.category=!("domain_iso_exemptions")
      ;authenticated=yes url.category=("Malicious Outbound Data/Botnets")
    end

    ; This should be conditioned but is required for Isolation
    <SSL-Intercept> condition=Isolation_CondWebIsolationMatchCriteriaWebAccess
      ssl.forward_proxy(https)
#endif
;; End Template
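As an added check that is not part of this article or of Broadcom's tooling: the Python evaluator below applies the rule that both templates above depend on (lines inside a define condition are ORed, tests on one line are ANDed) to a constructed policy and to sample requests, and lists the negated exemptions that are missing from some lines of a condition. The policy text, the request fields and the small trigger subset it understands are assumptions made for illustration; it is a pre-installation sanity check, not a substitute for testing against the Cloud SWG policy engine.

```python
"""Evaluate an isolation 'define condition' with CPL line semantics (added example).

Assumed subset: url./server_url. threat_risk.level, domain and category, client.address,
plus define category / define subnet. Lines of a condition are ORed, tests on a line ANDed.
"""
import ipaddress
import re

# key=value or key=!value; value is a (list), a "string" or a bare token such as 7..10
TEST_RE = re.compile(r'([A-Za-z_.]+)=(!?)(\([^)]*\)|"[^"]*"|\S+)')

# Constructed policy: the first condition carries each exemption on only one line,
# the second puts a negated category test on its own line (the classic mistake).
SAMPLE_CPL = """\
#if enforcement=wss
    define category domain_iso_exemptions
        myriskysite1.com
        myriskysite2.com
    end
    define subnet client_ip_iso_exemptions
        192.168.10.125
    end
    define condition Isolation_CondWebIsolationMatchCriteriaWebAccess
      url.threat_risk.level=7..10 url.category=!("domain_iso_exemptions")
      client.address=192.168.10.0/24 client.address=!client_ip_iso_exemptions
    end
    define condition Broken_Negation_On_Own_Line
      url.threat_risk.level=7..10 url.domain=!"myriskysite.com"
      url.category=!("Malicious Outbound Data/Botnets","Suspicious")
    end
#endif
"""


def parse_policy(text):
    """Return (categories, subnets, conditions); a condition is a list of lines, each a
    list of (trigger, negated, values) tests. ';' comments and # directives are ignored."""
    categories, subnets, conditions = {}, {}, {}
    kind = name = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"define (category|subnet|condition) (\S+)$", line)
        if m:
            kind, name = m.groups()
            {"category": categories, "subnet": subnets, "condition": conditions}[kind][name] = []
        elif line == "end":
            kind = name = None
        elif kind == "category":
            categories[name].append(line.lower())
        elif kind == "subnet":
            subnets[name].append(ipaddress.ip_network(line, strict=False))
        elif kind == "condition":
            tests = [(key, neg == "!", [v.strip().strip('"') for v in val.strip("()").split(",")])
                     for key, neg, val in TEST_RE.findall(line)]
            if tests:
                conditions[name].append(tests)
    return categories, subnets, conditions


def _domain_matches(host, pattern):
    host, pattern = host.lower(), pattern.lower()
    return host == pattern or host.endswith("." + pattern)


def _test_true(trigger, values, req, categories, subnets):
    """Evaluate one positive test; server_url.* is treated like url.* in this model."""
    key = trigger.replace("server_url.", "url.")
    if key == "url.threat_risk.level":
        lo, _, hi = values[0].partition("..")
        return int(lo) <= req["risk"] <= int(hi or lo)
    if key == "url.domain":
        return any(_domain_matches(req["domain"], v) for v in values)
    if key == "url.category":  # a Cloud SWG category name or a user-defined category
        return any(v in req["categories"]
                   or any(_domain_matches(req["domain"], d) for d in categories.get(v, []))
                   for v in values)
    if key == "client.address":  # CIDR literal or a defined subnet label
        addr = ipaddress.ip_address(req["client"])
        nets = [n for v in values for n in (subnets.get(v) or [ipaddress.ip_network(v, strict=False)])]
        return any(addr in n for n in nets)
    raise ValueError("unsupported trigger: " + trigger)


def condition_matches(cond_name, req, policy):
    """True if any line matches; a line matches when all of its tests hold."""
    categories, subnets, conditions = policy
    return any(all(_test_true(t, vals, req, categories, subnets) != neg for t, neg, vals in line)
               for line in conditions[cond_name])


def uncovered_exemptions(cond_name, policy):
    """Negated tests that appear on some lines of a condition but not on others; every
    such line is an OR branch the exemption does not protect. Returns [(line_no, [tests])]."""
    lines = policy[2][cond_name]
    exemptions = {(t, tuple(v)) for line in lines for t, neg, v in line if neg}
    report = []
    for i, line in enumerate(lines, 1):
        missing = sorted(exemptions - {(t, tuple(v)) for t, neg, v in line if neg})
        if missing:
            report.append((i, [f"{t}=!{','.join(v)}" for t, v in missing]))
    return report


if __name__ == "__main__":
    pol = parse_policy(SAMPLE_CPL)
    host = {"risk": 9, "domain": "evil.example", "categories": set(), "client": "192.168.10.125"}
    print("exempt host still isolated on a risky site:",
          condition_matches("Isolation_CondWebIsolationMatchCriteriaWebAccess", host, pol))
    for cond in pol[2]:
        print(cond, "->", uncovered_exemptions(cond, pol))
```

Run it against a condition copied out of the UPE policy before installing it: a report entry means an exemption is absent from that line and requests matching that line are still isolated, and a condition whose negated test sits on its own line will show up as matching a harmless low-risk request.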