TTechclick ⚡ XP 0% All lessons
SASE · SWG · Secure Web GatewayInteractive · L1 / L2 / L3

Secure Web Gateway (SWG): — How Every Outbound Click Gets Inspected

Sneha opens a 'PhonePe-rewards' link on her work laptop and nothing happens — no malware, no popup, just a clean block page. That silent catch is a Secure Web Gateway: a cloud checkpoint every outbound click passes through, where the URL is categorised, the HTTPS is decrypted and inspected, and the download is sandboxed before it ever reaches her. This lesson builds the model of how that checkpoint actually works.

📅 2026-06-11 · ⏱ 13 min · 3 live demos · 4 infographics · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Secure Web Gateway (SWG) for L1/L2 engineers and Security+ SY0-701: URL filtering, TLS/SSL decryption + inspection, sandboxing, how traffic is steered (PAC, client, IPsec/GRE), and where SWG sits in SSE next to CASB and ZTNA.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

What an SWG does

The cloud checkpoint on every outbound click.

 2

TLS inspection

Decrypt the 95% that is HTTPS — or stay blind.

 3

Steering traffic

PAC, client or tunnel — how clicks reach the SWG.

 4

Policy in practice

Rules, bypass lists, and the gotchas that break apps.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. A user clicks a gambling site. The SWG sees the HTTPS request and blocks it. For the SWG to read the URL category AND scan the page body, what must it do to the encrypted traffic first?

Answered in What an SWG does.

2. Your branch has no agent on the laptops, but the firewall can build a tunnel. How would you most likely send that branch's web traffic to a cloud SWG?

Answered in Steering traffic.

3. An SWG controls outbound web traffic. Which sibling SSE service governs your sanctioned SaaS apps (Google Workspace, M365) and their data, instead?

Answered in TLS inspection.

Most engineers think…

Most engineers first meet an SWG as 'the web filter that blocks Facebook' — a glorified blocklist that checks the domain name and moves on. So they assume HTTPS traffic is a black box it can only allow or deny by URL.

Wrong — and that gap is exactly where modern malware hides. Over 95% of web traffic is HTTPS, so a filter that only reads domain names is blind to the page body, the file download and the data being uploaded. A real SWG performs TLS inspection: it acts as a controlled man-in-the-middle, decrypting traffic with its own CA certificate, scanning the actual content for malware and policy violations, sandboxing risky downloads, then re-encrypting onward. URL filtering is one of five jobs — and the easy one. The decryption is what makes the other four possible.

① What an SWG actually does — the checkpoint on every outbound click

Picture Rahul, an L1 security analyst at Infosys. Every laptop in his org — in the office, at home, at a client site — sends its web traffic through one cloud checkpoint before it touches the internet. That checkpoint is a Secure Web Gateway (SWG). Think of it as the society gate-pass register at the entrance of an apartment complex: every visitor (every outbound request) is checked against the rules before they are let in or turned away. Nothing reaches the internet un-inspected.

An SWG isn't one feature — it's five jobs stacked on the same outbound stream. (1) URL filtering by category: every request's destination is mapped to a category — Gambling, Adult, Malware, Social Networking, Streaming, Business — and a rule allows, cautions or blocks it. (2) Malware scanning: the actual response body is scanned with signatures and heuristics. (3) TLS/SSL decryption + inspection: because most traffic is HTTPS, the SWG decrypts it to do jobs 1, 2, 4 and 5 properly (that's all of Section ②). (4) Sandboxing of downloads: an unknown .exe or macro-laden .docx is detonated in an isolated sandbox and watched before the user receives it. (5) Tenant restrictions: the SWG can force traffic so that only your corporate Google or Microsoft 365 tenant is reachable, blocking a personal Gmail login that could be used to exfiltrate data.

👉 So far: an SWG is a cloud checkpoint doing five jobs on outbound web traffic. Next: why it moved off the on-prem proxy box and into the cloud.

For years job #1 to #5 lived on a physical on-prem proxy box in the data centre. Every branch backhauled its web traffic to that box, got it inspected, then sent it out. With staff now working from home and apps living in SaaS, backhauling a work-from-home laptop in Lucknow through a Mumbai data centre to reach a server in Mumbai is absurd. The cloud SWG moves the checkpoint to a provider's edge (Zscaler ZIA, Netskope, Palo Alto Prisma Access, Cisco Secure Access) near the user, so inspection happens close by and the box-in-the-DC disappears. Same five jobs, no hardware to backhaul to.

Figure 1 — An SWG is one checkpoint doing five jobs on every outbound click
A Secure Web Gateway is a single inline checkpoint that runs five inspection jobs on every outbound web request before it reaches the internet A horizontal flow. On the left a user laptop sends an outbound web click. It enters the cloud Secure Web Gateway, drawn as a tall checkpoint gate. Inside, five stacked gates inspect the traffic in order: URL filtering by category, TLS or SSL decryption and inspection (highlighted as the decision point that unlocks the rest), malware scanning of the content, sandboxing of unknown downloads, and tenant restriction so only the corporate SaaS tenant is reachable. Allowed traffic exits to the internet on the right in green; blocked traffic is turned back in red. The decrypt gate is amber because it is the policy decision that makes the deep checks possible. One checkpoint, five jobs — the Secure Web Gateway User laptopSneha · Infosysclicks a link Cloud SWG (provider edge, near the user) 1 · URL filtering — category: Gambling → Block 2 · TLS decrypt + inspect — unlocks 1, 3, 4, 5 3 · Malware scan — read the actual page body 4 · Sandbox — detonate unknown downloads 5 · Tenant restriction — corp M365 only decrypt (amber) is the gate that makes 1,3,4,5 see content Internetallowed + clean allow Block pageturned back to user block untrusted / attackertrusted / inspectedpolicy / decisionkey insightallowed
Read left to right: the user's click enters the SWG and passes five gates — URL category, TLS decrypt, malware scan, sandbox, tenant check — before it reaches the internet. The amber gate (decrypt) is what unlocks the other four.

The five jobs, one tap each

Tap each card — these are the five reasons a web filter is now called a 'gateway', and every SWG interview starts here.

🗂️
URL filtering
tap to flip

Maps each request to a category (Gambling, Malware, Social) and allows/cautions/blocks. So: acceptable-use + a first threat layer in one rule.

🦠
Malware scan
tap to flip

Signatures + heuristics on the real response body. So: a drive-by payload on an allowed site is still caught — category isn't enough.

📦
Sandbox
tap to flip

Unknown .exe/.docx is detonated in isolation and watched first. So: zero-day files are judged by behaviour, not just signatures.

🏢
Tenant control
tap to flip

Forces only the corporate SaaS tenant to be reachable. So: a user can't log into personal Gmail to smuggle company data out.

Quick check · Q1 of 10

Priya at Wipro sets a URL-filtering rule that blocks the 'Malware' category, and is told that's 'full protection'. A user then visits an allowed news site that's been compromised and silently serves a trojan. Why does category-only filtering miss it?

Correct: a. URL filtering judges the destination's category/reputation; it does not read the bytes coming back. A legitimate, allowed site that's compromised serves a payload that only the separate malware-scanning (and sandboxing) job catches — which is exactly why an SWG stacks five jobs, not one. The other options invent unrelated causes.

Pause & Predict

Predict: an org moves from an on-prem proxy box in its Mumbai data centre to a cloud SWG near each user. Name ONE thing that gets better for a work-from-home user and ONE new dependency the org now has. Type your guess.

Answer: Better: the WFH user's traffic is inspected at a nearby provider edge instead of being backhauled all the way to the Mumbai DC and back, so latency drops and the DC internet pipe stops being a chokepoint. New dependency: the org now relies on the SWG provider's cloud being up and reachable — and on the endpoint client/PAC steering traffic to it — so SWG availability and steering health become things you must monitor.

② TLS inspection — why the SWG must become a man-in-the-middle

Here's the uncomfortable truth that defines a modern SWG: over 95% of web traffic is HTTPS. The payload — the page body, the file you download, the form you submit — is encrypted end-to-end between the browser and the server. So an SWG that only reads the domain name is blind to everything that matters. To scan content, sandbox a download or stop a data upload, it must see inside the tunnel. That requires TLS/SSL inspection.

How can a checkpoint read traffic that's encrypted for the real server? By becoming a deliberate, trusted man-in-the-middle (MITM). The SWG splits the one HTTPS session into two: it terminates the browser's session by presenting its own certificate, and it opens a fresh HTTPS session to the real server. In the middle, for a brief moment, the traffic is in clear text — and that's where the five jobs run.

The trick that makes the browser accept this is the enterprise CA certificate. Your org pushes the SWG provider's (or its own) root CA certificate into every managed laptop's trust store via Intune/Jamf/GPO. Now, when Sneha visits flipkart.com, the SWG generates a fake flipkart.com certificate on the fly, signs it with that trusted CA, and hands it to her browser. The browser sees a cert chaining to a CA it trusts → no warning. The SWG separately validates the real Flipkart certificate on its onward session. If the device doesn't have the CA installed, the user gets a scary certificate-warning page — the #1 symptom of a botched TLS-inspection rollout.

Figure 2 — TLS inspection splits one HTTPS session into two so the SWG can read the content
To inspect HTTPS the SWG terminates the browser session with its own CA-signed certificate, inspects the clear text, then opens a separate encrypted session to the real server A left-to-right diagram of TLS inspection. On the left a browser opens an HTTPS session (session A) to the SWG. The SWG presents a certificate it minted on the fly and signed with the enterprise CA root that is trusted on the device, so the browser shows no warning. Inside the SWG the traffic is decrypted to clear text in a highlighted lime inspection zone where URL, malware, sandbox and DLP checks run. On the right the SWG opens a separate HTTPS session B to the real destination server using and validating the server's genuine certificate. A red note shows that without the CA installed on the device the browser throws a certificate warning. TLS inspection — one session becomes two, content visible in the middle Browsertrusts the CA root→ no warning SWG (controlled MITM) clear-text inspection zoneURL · malware · sandbox · DLPdecrypt → inspect → re-encryptthe only place content is readable Real serverflipkart.comgenuine cert 🔒 Session ASWG cert, signed by enterprise CA 🔒 Session Breal server cert, validated No CA on the device?browser throws a cert warning — #1 rollout bug untrusted / attackertrusted / inspectedpolicy / decisionkey insightallowed
Follow the two padlocks: session A (browser ↔ SWG) uses the SWG's CA-signed cert; session B (SWG ↔ server) uses the real cert. Between them the traffic is briefly in clear text — the lime zone — where inspection happens.

Decryption isn't optional for real security — but it forces a privacy conversation, and that's where do-not-decrypt exceptions come in. Reading a user's online banking session, health portal, or payroll page is both a privacy issue and, in regulated contexts, a compliance one. So mature SWG policy inspects most categories but explicitly bypasses sensitive ones: traffic categorised as Finance, Banking, Health, Government, Legal is set to Do Not Inspect — the SWG still sees the domain and applies URL filtering, but it doesn't crack the payload open. You get security on the 90% and privacy on the sensitive 10%.

Common mistake — 'Do Not Inspect' silently turned off URL filtering too

Symptom: an analyst adds a Do Not Inspect rule for a banking domain to protect privacy, and later finds that other web policies stopped applying to it as well. Cause: in Zscaler ZIA, the Do Not Inspect action has a sub-choice — Evaluate Other Policies vs Bypass Other Policies. Picking Bypass Other Policies skips not just decryption but the URL Filtering and Cloud App Control engines too, so that traffic is no longer access-controlled at all. Fix: use Do Not Inspect → Evaluate Other Policies for privacy exceptions, so the domain stays un-decrypted but URL filtering and logging still apply. Reserve full bypass for cert-pinned apps that genuinely break.

Quick check · Q2 of 10

Karthik at ICICI is told to 'turn on TLS inspection for everything, no exceptions, for maximum security'. What's the strongest professional objection to a blanket no-exceptions decrypt policy?

Correct: b. Inspecting most traffic is right, but a blanket no-exceptions policy decrypts sensitive personal sessions (privacy/compliance risk) and shatters certificate-pinned apps. The professional answer is targeted do-not-inspect exceptions for Finance/Health/Government while still applying URL filtering. TLS inspection is widely legal with consent (so 'illegal everywhere' is false); it adds modest latency, not dial-up; and the CA-trust mechanism is exactly how browsers are made to accept the SWG cert.

Pause & Predict

Predict: a managed laptop has the enterprise CA installed and HTTPS inspection works perfectly. The same user installs a personal app (say a fitness tracker) that uses certificate pinning. What happens when its traffic hits the SWG, and why? Type your guess.

Answer: The app's connection fails. Certificate pinning means the app ships with a hard-coded copy of the exact server certificate (or its public key) it expects and refuses anything else. The SWG hands it a freshly minted cert signed by the enterprise CA — which is NOT the pinned one — so even though the OS trusts the CA, the app itself rejects the handshake and won't connect. The fix is a Do-Not-Inspect / SSL-bypass entry for that app's domains, because pinning is enforced inside the app, not in the OS trust store.

③ Steering traffic to the SWG — and where it sits in SSE

An SWG only protects traffic that actually reaches it. So the real-world question on day one is: how do you steer every device's web traffic into the gateway? There are three standard methods, and a mature org uses more than one.

Method 1 — Explicit proxy via a PAC file. A PAC (Proxy Auto-Config) file is a tiny JavaScript file the browser fetches; its FindProxyForURL(url, host) function returns either the SWG's proxy address or DIRECT for traffic that should skip it. You point devices at the PAC URL via GPO/MDM. It's flexible and granular — but a single typo in the PAC logic can send all traffic DIRECT (no inspection) or, worse, loop it. Method 2 — Endpoint client / connector. A lightweight agent (Zscaler Client Connector, Netskope Client, Cisco Secure Client) installed on the laptop tunnels web traffic to the nearest SWG node automatically, wherever the user roams — best for laptops that leave the office. Method 3 — IPsec/GRE tunnel from the edge. The branch firewall/router builds an IPsec or GRE tunnel straight to the SWG, so everything from that site — including guest Wi-Fi, printers and IoT with no agent — is steered without touching each device.

Figure 3 — Three ways to steer traffic into the SWG — pick by device type
Traffic can be steered into the SWG three ways — a PAC file explicit proxy, an endpoint client connector, or an IPsec or GRE tunnel from the site edge — each suited to a different device type A comparison diagram with three input lanes feeding one cloud SWG. Lane one, a PAC file explicit proxy, suits managed browsers and uses a FindProxyForURL function to send traffic to the proxy or DIRECT. Lane two, an endpoint client or connector agent, suits roaming laptops and tunnels to the nearest SWG node automatically. Lane three, an IPsec or GRE tunnel from the branch firewall, suits a whole site including guest Wi-Fi, printers and IoT that have no agent. All three lanes converge on the SWG, which then sends inspected traffic to the internet. Amber marks the decision of which steering method to use. Three steering methods, one gateway 1 · PAC file (explicit proxy)FindProxyForURL → PROXY swg:80 / DIRECTbest for: managed browsersrisk: one typo sends all traffic DIRECT 2 · Client / connector agenttunnels to nearest SWG node, anywherebest for: roaming laptops (WFH)follows the user off-network 3 · IPsec / GRE tunnel (edge)branch firewall sends ALL site trafficbest for: guest Wi-Fi, printers, IoTno per-device agent needed Cloud SWG5 inspection jobsURL · TLS · malwaresandbox · tenant Internetinspected untrusted / attackertrusted / inspectedpolicy / decisionkey insightallowed
Compare the three lanes: PAC (explicit proxy) for managed browsers, client/connector for roaming laptops, IPsec/GRE tunnel for whole sites including agentless devices. All three funnel into the same SWG.
🖥️ This is where you define the proxy decision a browser obeys — a PAC file's FindProxyForURL() logic served from the SWG. (Recreated as a terminal/editor frame for clarity — your provider's PAC editor matches this shape.)
swg-admin · PAC file editor · pac/default.pac
1
function
FindProxyForURL(url, host)
2
bypass (DIRECT)
if (isInNet(host,'10.0.0.0','255.0.0.0')) return 'DIRECT';
3
bank → DIRECT
if (dnsDomainIs(host,'.icicibank.com')) return 'DIRECT';
4
default
return 'PROXY gateway.swg.example.net:80; DIRECT';
served at
https://swg.example.net/pac/default.pac
Save & publish

Now place the SWG in the bigger picture. An SWG is one pillar of SSE (Security Service Edge), the security half of SASE. Its siblings: CASB governs your sanctioned SaaS apps and the data in them (the next lesson); ZTNA replaces the VPN for private-app access. The SWG owns the outbound, user-to-internet direction. Critically, because the SWG already decrypts the stream, DLP rides on the same decrypted traffic — the same inspection that scans for malware can also catch a user pasting a customer database or an Aadhaar number into a web form and block the upload. One decrypt, many checks.

▶ Watch one HTTPS click ride through the SWG

Sneha at Infosys clicks a file-sharing link. Follow her request from the laptop, into the SWG, through decryption and inspection, and out to the internet — step by step. Press Play for the healthy path, then Break it to see the failure.

① Steerlaptop client tunnels the HTTPS click to the nearest SWG node
② DecryptSWG presents a CA-signed cert, terminates session A, sees clear text
③ InspectURL category + malware scan + DLP run on the now-readable content
④ Re-encryptclean → SWG opens session B to real server, re-encrypts, forwards
Press Play to step through the healthy path. Then press Break it.
PAC file (default.pac) — the proxy decision served to every browser; DIRECT = skip the SWG
function FindProxyForURL(url, host) {
  // Internal + bank → go DIRECT (no SWG)
  if (isInNet(host, "10.0.0.0", "255.0.0.0")) return "DIRECT";
  if (dnsDomainIs(host, ".icicibank.com"))     return "DIRECT";
  // Everything else → send to the SWG, fail open to DIRECT
  return "PROXY gateway.swg.example.net:80; DIRECT";
}
Expected output
# client fetches the PAC, then for app.box.com:
host=app.box.com  ->  PROXY gateway.swg.example.net:80
host=intranet (10.4.2.9) -> DIRECT
host=www.icicibank.com -> DIRECT   (bank bypass, privacy)
# proxy log: app.box.com  category=File-Share  action=ALLOW  tls=inspected
Prove traffic is actually being steered AND inspected

Two quick checks any L1 can run. (1) Steering: from the user's browser open the provider's status page (e.g. ip.zscaler.com for ZIA) — it confirms whether you're going through the SWG and which node. (2) Inspection: click the padlock on any HTTPS site and view the certificate — if the issuer is your enterprise/SWG CA (not the site's real CA like DigiCert), that session is being decrypted and inspected. If the issuer is the site's real CA, that domain is on a Do-Not-Inspect/bypass list. These two together tell you exactly what's happening to the traffic.

Quick check · Q3 of 10

A Flipkart branch has 200 guest Wi-Fi devices, IP printers and IoT sensors — none of which can run an agent or be reconfigured. You must still send their web traffic through the SWG. Which steering method fits?

Correct: c. An IPsec/GRE tunnel from the site edge forwards every device's traffic to the SWG without touching the devices — exactly right for guest, printer and IoT traffic that can't take an agent or a PAC. Installing clients on printers/IoT or hand-editing PACs on sensors isn't feasible, and agentless devices are very much protectable via the tunnel method.

Pause & Predict

Predict: DLP (Data Loss Prevention) and the SWG's malware scanner both run on the same decrypted web stream. So if you put a banking domain on the Do-Not-Inspect list for privacy, what happens to DLP's ability to catch a user pasting an Aadhaar number into THAT site? Type your guess.

Answer: DLP goes blind for that domain. DLP rides on the clear-text the SWG produces by decrypting — so the moment a domain is Do-Not-Inspect, the stream to it stays encrypted and DLP (and malware scanning) can't read the upload at all. That's the deliberate trade: you bought privacy on banking/health sessions at the cost of content-inspection on them. It's why the Do-Not-Inspect list is kept tight and why genuinely high-risk uploads are pushed through inspected channels — you can't have both privacy and content-DLP on the same un-decrypted session.

④ Policy in practice — rules, bypass lists, the gotchas & the cheat-sheet

Time to build real policy. An SWG rule is layered: category + threat + tenant rules evaluated in order, with bypass lists as exceptions. In Zscaler ZIA you build URL rules under Policy → URL & Cloud App Control, and decryption choices under Policy → SSL Inspection. A clean baseline reads like this: block the obvious bad categories (Malware, Phishing, Adult, Gambling), caution the productivity-drainers (Streaming, Social), allow Business, force tenant restriction on M365/Google, and inspect everything except a tight Do-Not-Inspect list (Finance, Health, Government + known cert-pinned apps).

The three classic gotchas that page an L1 at 2 a.m.: (1) Cert-pinned apps break under decryption — Microsoft 365 native clients, WebEx, Dropbox, many banking and Aadhaar/UPI apps pin their certs and refuse the SWG's cert; fix is a Do-Not-Inspect/SSL-bypass entry for their domains. (2) PAC misconfig — a wrong isInNet mask or a missing semicolon sends all traffic DIRECT (silent no-inspection) or breaks the internet entirely. (3) Latency — decrypt + inspect + sandbox adds milliseconds; over-broad inspection of huge streaming/backup flows can feel slow, which is one reason streaming is often Do-Not-Inspect.

🖥️ This is the screen you'll use to block a category — Zscaler ZIA Admin Portal → Policy → URL & Cloud App Control → URL Filtering → Add URL Filtering Rule. (Recreated for clarity — your console matches this.)
admin.zscaler.net · Policy → URL & Cloud App Control → URL Filtering
1
Rule Name
Block-Gambling-AllUsers
2
Rule Order
3
Rule Status
Enabled
3
URL Categories
Gambling, Adult, Malware
Users / Groups
Any (All Users)
Request Methods
GET, POST, CONNECT
4
Action
Block
End User Notification
Show Zscaler block page
Save

Aditya at HCL faces this

Aditya, an L1 analyst, gets a flood of tickets right after TLS inspection goes live: users can browse normal websites fine, but the Microsoft 365 Outlook and Teams desktop apps won't connect, and one team's banking-portal upload silently fails.

Likely cause

Certificate pinning. The M365 native clients and the banking app ship with pinned certificates and reject the SWG's CA-minted cert — even though the OS trusts the enterprise CA, the apps enforce pinning themselves, so the handshake is refused. Browser traffic works because browsers honour the OS trust store; pinned apps don't.

Diagnosis

Aditya separates browser vs app: HTTPS sites load (so the CA push worked), but specific apps fail. That pattern = pinning, not a CA problem. He checks the SWG's recommended SSL-bypass list and confirms the M365 and banking domains aren't yet excepted.

Zscaler ZIA Admin Portal → Policy → SSL Inspection → SSL Inspection Policy → Add rule → Action: Do Not Inspect → Evaluate Other Policies (and enable the one-click Microsoft 365 bypass)
Fix

Add a Do-Not-Inspect rule for the cert-pinned domains (turn on the one-click recommended Microsoft 365 bypass, plus the banking app's domains), using 'Evaluate Other Policies' so URL filtering and logging still apply — only decryption is skipped.

Verify

Re-open Outlook/Teams and the banking upload — they now connect; on a normal HTTPS site the cert issuer is still the enterprise CA (proving inspection is intact for everything that isn't excepted).

Figure 4 — Decrypt or do-not-decrypt — the decision every SWG policy must make
A decision tree for whether an SWG should decrypt a given destination: bypass cert-pinned apps and sensitive personal categories, but inspect everything else A top-down decision tree. Start with an outbound HTTPS request. First decision: is the destination a certificate-pinned app such as Microsoft 365, WebEx, Dropbox or a UPI banking app? If yes, set Do Not Inspect with SSL bypass so the app works, but keep URL filtering. If no, second decision: is the category sensitive personal data — Finance, Banking, Health, Government, Legal? If yes, Do Not Inspect to protect privacy but still apply URL filtering and logging. If no, third decision: is it a known bad category like Malware, Phishing, Adult, Gambling? If yes, block outright. Otherwise inspect the traffic fully — decrypt, scan, sandbox, DLP, then re-encrypt. Amber diamonds are decision points, green is fully inspected and allowed, blue is bypassed but still filtered, red is blocked. Decrypt or do-not-decrypt? — the policy decision tree Outbound HTTPS request Cert-pinned app?M365 / WebEx / UPI Do-Not-Inspect (SSL bypass)app works · URL filtering still on YES Sensitive category?Finance / Health / Gov NO Do-Not-Inspect (privacy)no decrypt · URL filter + log on YES Known-bad category?Malware / Phishing NO Block outrightshow block page YES INSPECT fullydecrypt · scan · sandbox · DLP · re-encrypt NO
Run any destination down the tree: pinned app or sensitive personal category → Do-Not-Inspect (still URL-filtered); everything else → Inspect. The amber diamonds are the decisions; green = inspected, blue = bypassed-but-filtered.

One sober, recent note from the real world: because the SWG sits inline on all your web traffic, the provider's platform and your tenant of it are high-value targets. In August 2025, the Salesloft Drift OAuth supply-chain attack (tracked as UNC6395) used stolen OAuth tokens to reach the Salesforce environments of 700+ orgs — including security vendors like Zscaler and Palo Alto Networks — exposing business-contact and support data (Zscaler revoked the integration and rotated tokens). And in 2025, researchers disclosed authentication-bypass flaws across multiple ZTNA/SSE products (e.g. CVE-2025-54982, a SAML signature-validation bypass). The takeaway for you: an SWG is a control you trust deeply, so its admin access, SSO and integrations must be hardened — a compromised SWG tenant can see (and mis-route) everything.

👉 So far: baseline policy, the three gotchas, a real ZIA rule and the decrypt/do-not-decrypt tree. Next: the cheat-sheet and the Security+ angle, then assessment.

For your certification path, this lesson maps onto the CompTIA Security+ SY0-701 blueprint, where SASE/SSE appears in Domain 3 (Security Architecture). The exam expects you to know that SASE = SD-WAN (networking) + SSE (security), that SSE bundles SWG + CASB + ZTNA, and that an SWG does URL filtering, TLS inspection and malware/sandbox on outbound web traffic delivered from the cloud edge. Get the SWG-vs-CASB-vs-ZTNA boundaries clear and you've locked a reliable cluster of Domain 3 questions.

Figure 5 — SWG controls — the one-glance cheat-sheet
Secure Web Gateway on one card — the five jobs, TLS inspection mechanics, steering methods, do-not-decrypt list, and place in SSE A nine-tile cheat sheet for Secure Web Gateways. Tiles cover the five SWG jobs, how TLS inspection works, the enterprise CA mechanism, the three steering methods, the decrypt versus do-not-decrypt rule, the classic gotchas, the place of SWG in SSE next to CASB and ZTNA, the Zscaler ZIA console paths, and the verification checks. Each tile has a one-line takeaway. Secure Web Gateway — your one-glance card The 5 jobsURL filter · malware scan · TLSdecrypt · sandbox · tenant controloutbound user→internet direction TLS inspection1 session → 2 (MITM)decrypt · inspect · re-encrypt95% of web is HTTPS — must decrypt Enterprise CApush root CA to device trust storeSWG mints fake site certs, signedno CA → cert-warning page 3 steering methodsPAC (explicit) · client · IPsec/GREbrowser · roaming laptop · whole sitetunnel = agentless guest/IoT Do-Not-Inspectcert-pinned apps (M365/WebEx)Finance · Health · Gov (privacy)still URL-filter; don't full-bypass 3 gotchascert pinning breaks appsPAC typo → all DIRECTlatency on huge flows SWG in SSESSE = SWG + CASB + ZTNASASE = SD-WAN + SSEDLP rides the same decrypt ZIA console pathsURL: Policy → URL & Cloud App ControlTLS: Policy → SSL Inspectionaction: Allow / Caution / Block Verify checkssteering: ip.zscaler.cominspect: cert issuer = your CA?real CA issuer = on bypass list
Your one-card map of this whole lesson — the five jobs, TLS-inspection mechanics, the three steering methods, the decrypt-exception list, and where SWG sits in SSE. Keep it open in week one and before any SASE interview.
Daily-life analogy — the society gate-pass register + the courier X-ray

An SWG is your apartment society's gate-pass register plus an X-ray scanner. The watchman checks every visitor's name against the rules (URL filtering), opens and X-rays every sealed parcel before it goes up (TLS decryption + malware scan), holds a suspicious package in a side room to watch it (sandbox), and only lets in your registered domestic help, not a stranger using their name (tenant restriction). But for a sealed legal/medical envelope addressed to a resident, the watchman logs who it's from and lets it pass un-opened (Do-Not-Inspect for Finance/Health) — security on the parcels, privacy on the personal mail.

Next: CASB — controlling the SaaS apps you cannot see
Prove you own SWG

Cold, in 30 seconds: name the five jobs (URL filter, malware scan, TLS decrypt, sandbox, tenant control); explain why TLS inspection is a controlled MITM with an enterprise CA; list the three steering methods (PAC, client, IPsec/GRE) and which fits agentless devices; and say what goes on the Do-Not-Inspect list (cert-pinned apps + Finance/Health/Gov) and why. If you can do that without notes, you're ready for the CASB lesson and the SASE/SSE questions on SY0-701.

Quick check · Q4 of 10

An interviewer asks Meera: 'In one sentence, why does a Secure Web Gateway have to perform TLS inspection at all, and what's the cost of doing it?' Best answer?

Correct: c. The whole point is that the valuable inspection (malware, sandbox, DLP) needs to see content, and ~95% of traffic is HTTPS — so the SWG must decrypt, which makes it a controlled MITM requiring an enterprise CA and forcing do-not-inspect exceptions for cert-pinned apps and sensitive categories. Domain-only filtering is exactly the blind spot being fixed; decryption adds latency and complexity, not zero cost; and logging visits alone ignores content threats.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from SASE docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

A Secure Web Gateway sits between users and the internet and performs which set of jobs on OUTBOUND web traffic?

Correct: c. Those five — URL filtering, malware scanning, TLS inspection, sandboxing and tenant restriction — are the SWG's jobs on outbound web traffic. BGP/IP addressing is routing, not an SWG; disk encryption and AV are endpoint controls; password issuance and VPN concentration are identity/remote-access functions (ZTNA replaces the VPN, not the SWG).
Q6 · Apply

TLS inspection has just gone live. A user on a fully managed laptop suddenly gets 'NET::ERR_CERT_AUTHORITY_INVALID' on every HTTPS site, but an unmanaged personal laptop on the same network is fine without inspection. What's the fix?

Correct: b. The cert warning means the device doesn't trust the CA the SWG uses to sign its on-the-fly certs — so the fix is to deploy the enterprise/SWG root CA into that managed device's trust store. You can't disable HTTPS on the web; swapping hardware doesn't add the CA; and turning off the SWG removes protection rather than fixing trust.
Q7 · Apply

You must steer web traffic from a branch full of guest Wi-Fi devices, IP printers and IoT sensors — none can run an agent or accept a PAC file. Which steering method do you choose?

Correct: d. An IPsec/GRE tunnel from the site edge forwards all the site's traffic to the SWG without touching individual devices — the right fit for agentless guest/IoT/printer traffic. PAC and client both require per-device configuration the devices can't take, and disabling inspection abandons protection instead of solving steering.
Q8 · Analyze

After enabling TLS inspection, normal HTTPS websites load fine, but the Microsoft 365 desktop apps and a UPI banking app refuse to connect. The enterprise CA is confirmed installed. Most likely root cause?

Correct: c. Browsers work (so the CA push succeeded) but specific apps fail — the signature of certificate pinning, where the app enforces its own pinned cert and refuses the SWG's, independent of the OS trust store. The fix is a Do-Not-Inspect/SSL-bypass for those domains. A missing CA would break browsers too; the link isn't selectively down per app; and a URL block would also stop browser HTTPS.
Q9 · Analyze

An analyst adds a 'Do Not Inspect' rule for a banking domain to protect user privacy, and a week later discovers that domain is no longer being URL-filtered or logged at all. In Zscaler ZIA, what most likely happened?

Correct: a. ZIA's Do-Not-Inspect action has two sub-choices; 'Bypass Other Policies' skips not just decryption but the URL Filtering and Cloud App Control engines, leaving the domain un-controlled. 'Evaluate Other Policies' keeps URL filtering and logging on while skipping decryption — which is what a privacy exception should use. The other options misstate how Do-Not-Inspect and URL filtering work.
Q10 · Evaluate

Two TLS-inspection strategies are proposed. Strategy A: 'decrypt absolutely everything, no exceptions, for maximum visibility.' Strategy B: 'decrypt broadly, but maintain a tight Do-Not-Inspect list for cert-pinned apps and Finance/Health/Government categories.' Which is the stronger professional design and why?

Correct: d. B is the mature design: inspect broadly for security, but except the traffic that either breaks under decryption (cert-pinned apps) or shouldn't be read for privacy/compliance (banking, health, government) — and those exceptions still get URL filtering and logging. A ignores real breakage and privacy/legal exposure; decryption demonstrably does break pinned apps; and the Do-Not-Inspect list materially changes both reliability and privacy posture, so 'identical' is wrong.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: In one line, why must a Secure Web Gateway decrypt HTTPS to do its job, and what does that force it to become? Then compare to the expert version.

Expert version: Because ~95% of web traffic is HTTPS and the valuable checks (malware scanning, download sandboxing, DLP) need to read the actual content — so the SWG must decrypt, which forces it to become a controlled man-in-the-middle that presents its own enterprise-CA-signed certificate, inspects the clear text, then re-encrypts on to the real server.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

Secure Web Gateway (SWG)
A proxy between users and the internet that enforces acceptable-use and security on outbound web traffic — URL filtering, malware scan, TLS inspection, sandbox, tenant control.
URL filtering
Mapping each request's destination to a category (Gambling, Malware, Business) and allowing, cautioning or blocking by rule.
TLS/SSL inspection
Decrypting HTTPS, inspecting the clear content, then re-encrypting onward — so the SWG can scan what's otherwise opaque.
Man-in-the-middle (MITM)
A party sitting between two endpoints reading/altering traffic. For an SWG it's a controlled, consented interception your org runs.
Enterprise CA certificate
A root CA your org installs on every managed device; the SWG signs on-the-fly fake site certs with it so browsers trust them.
Certificate pinning
An app hard-codes the exact cert/key it expects and rejects anything else — so it breaks under SWG decryption and needs a bypass.
Sandbox
An isolated environment where an unknown download is detonated and watched before it reaches the user.
PAC file
Proxy Auto-Config — JavaScript with FindProxyForURL() that tells a browser, per destination, to use the proxy or go DIRECT.
IPsec / GRE tunnel
An encrypted (IPsec) or lighter (GRE) tunnel from a site edge that steers all that site's traffic to the SWG — good for agentless devices.
Do-Not-Inspect
A policy that skips decryption for chosen destinations (cert-pinned apps, Finance/Health/Gov) while still applying URL filtering and logging.
SSE
Security Service Edge — the cloud-security half of SASE, bundling SWG, CASB and ZTNA (often DLP/FWaaS) at the provider edge.
DLP
Data Loss Prevention — rules that detect and block sensitive data (cards, Aadhaar, customer records) leaving via the decrypted web stream.

📚 Sources

  1. Zscaler Help — "SSL Inspection" and "Configuring SSL/TLS Inspection Policy" (TLS/SSL decrypt-inspect-re-encrypt with the org CA; Action: Inspect / Do Not Inspect / Block; Do-Not-Inspect sub-choice Evaluate Other Policies vs Bypass Other Policies; menu Policy → SSL Inspection). help.zscaler.com/zia/about-ssl-inspection · help.zscaler.com/zia/configuring-ssltls-inspection-policy
  2. Zscaler Help — "ZIA SSL Inspection Leading Practices Guide" (cert-pinned apps like Microsoft 365/WebEx/Dropbox can't be inspected; recommended SSL bypass lists; one-click Microsoft 365 configuration under Policy → URL & Cloud App Control). help.zscaler.com/zscaler-deployments-operations/zia-ssl-inspection-leading-practices-guide
  3. Microsoft Security 101 — "What Is a Secure Web Gateway (SWG)?" + Zscaler glossary "What Is a Secure Web Gateway" (the five SWG functions: URL filtering, malware/AV, TLS inspection, sandboxing, app/tenant control; cloud SWG replaces the on-prem proxy; SWG as an SSE pillar). microsoft.com/en-us/security/business/security-101/what-is-secure-web-gateway-swg · zscaler.com/resources/security-terms-glossary/what-is-secure-web-gateway
  4. Cisco Secure Access / Umbrella docs — "Troubleshoot Non-Browser Applications" + "Troubleshoot SWG Website Access Issues" (certificate pinning enforced on the client breaks per-app; PAC/explicit-proxy vs tunnel steering; cert-warning symptoms when the CA isn't trusted). cisco.com/c/en/us/support/docs/security/umbrella/225056-troubleshoot-non-browser-applications.html · cisco.com/c/en/us/support/docs/security/secure-access/225927-troubleshoot-secure-web-gateway-swg.html
  5. Zscaler company blog + SecurityAffairs / Infosecurity Magazine — "Salesloft Drift supply-chain incident" (Aug 2025, UNC6395 stole OAuth tokens, 700+ orgs incl. Zscaler & Palo Alto; business-contact/support data exposed; tokens revoked) and 2025 ZTNA/SSE auth-bypass research incl. CVE-2025-54982 (SAML signature-validation bypass). zscaler.com/blogs/company-news/salesloft-drift-supply-chain-incident-key-details-and-zscaler-s-response · securityaffairs.com/181801/data-breach/supply-chain-attack-hits-zscaler-via-salesloft-drift-leaking-customer-info.html
  6. CompTIA Security+ SY0-701 exam objectives — Domain 3 Security Architecture (SASE = SD-WAN + SSE; SSE bundles SWG, CASB, ZTNA; SWG = cloud URL filtering + TLS inspection + malware/sandbox on outbound web) + zero-trust as a core testable concept. comptia.org/certifications/security · professormesser.com/security-plus/sy0-701/sy0-701-video/sy0-701-comptia-security-plus-course/

What's next?

An SWG can decide whether you reach Dropbox at all — but once you're inside your sanctioned Google Workspace or M365 tenant, who stops a user sharing a customer file externally? That's the blind spot CASB fills, governing the SaaS apps and data the SWG can't see into.

Next · CASB: Controlling the SaaS Apps You Cannot See → Practice on exam.techclick.in →