SWG
Secure Web Gateway
The Secure Web Gateway is the workhorse of any SASE deployment. It is the component that handles the highest volume of traffic, inspects the most sessions, and creates the most immediate security value by restoring visibility into the 90%+ of web traffic that is now encrypted with TLS. For organizations migrating from on-premises proxy appliances like Blue Coat (later Symantec) ProxySG, McAfee Web Gateway, or Forcepoint, the cloud SWG replaces hardware capacity planning with elastic, globally distributed inspection points.
The core function of an SWG is straightforward: intercept HTTP and HTTPS traffic, decrypt it using a man-in-the-middle TLS inspection architecture, apply security policies including URL categorization, malware scanning, sandboxing, and content filtering, then re-encrypt and forward clean traffic to its destination. What makes this complex in practice is the sheer scale of encrypted traffic, the operational overhead of certificate deployment, the political challenge of building and maintaining bypass lists, and the performance sensitivity of adding inspection latency to every web request.
For most SASE deployments, the SWG is the first component to go live because it provides the broadest security coverage with the least architectural change. Traffic steering can begin with PAC files or DNS-based redirection before agent deployment is complete, giving you day-one visibility into web traffic patterns, shadow IT usage, and threat exposure. The SWG also serves as the foundation for inline CASB and DLP — those policies ride on the same inspected traffic stream, so getting SWG right is a prerequisite for everything else.
What it does
A Secure Web Gateway is a cloud-delivered web proxy that intercepts, decrypts, inspects, and re-encrypts HTTP and HTTPS traffic between users and the internet. It replaces on-premises proxy appliances with globally distributed inspection points that apply URL categorization against large vendor-maintained databases of classified URLs, real-time malware scanning using signature-based and behavioral engines, file sandboxing for zero-day threat detection, content filtering by category and risk level, and acceptable use policy enforcement. The SWG operates as a full TLS termination point: for each destination it mints a certificate on the fly, signed by a CA that the organization has deployed to its endpoints, presents that certificate to the user's browser, decrypts the traffic, inspects it in cleartext, then initiates a separate TLS session to the destination server. This break-and-inspect model is the only way to inspect the content of encrypted traffic at scale; without it, controls are limited to what stays in the clear, such as DNS queries, the TLS SNI, and the server's certificate.
How it works
Traffic reaches the SWG through one of three steering methods, each with different tradeoffs. PAC files configure the browser (or the OS proxy settings) to send HTTP/HTTPS traffic to the cloud proxy and require no endpoint agent, but they only cover software that honours those proxy settings; applications that ignore the system proxy or hard-code their connections are not steered. Endpoint agents capture all TCP traffic at the network stack level, route web traffic to the SWG and non-web traffic to FWaaS, and provide device posture data for policy decisions. GRE or IPsec tunnels from branch office routers steer all site traffic to the nearest SWG PoP, covering every device on the network without per-device agent deployment, at the cost of losing per-device identity unless the SWG recovers it some other way, for example by authenticating users at the proxy.

Once traffic arrives at the SWG PoP, the TLS inspection engine terminates the client-side TLS session, presenting a per-site certificate issued under the CA the organization has deployed to its endpoints, decrypts the payload, runs it through a pipeline of security engines in sequence (URL categorization, reputation scoring, antivirus signature matching, behavioral analysis, and optionally cloud sandboxing for suspicious files), then opens a new TLS session to the destination and forwards the traffic. Because the browser now only ever sees the SWG's certificate, the SWG is also responsible for validating the destination's certificate chain and negotiating a sane protocol version on the server-side leg; a proxy that accepts expired or mismatched origin certificates silently weakens every client behind it, so check how the vendor handles untrusted origin certificates before go-live.
Why it matters
Over 90% of internet traffic is now encrypted with TLS 1.2 or 1.3. Without decryption, your entire security stack (IPS, antivirus, DLP, content filtering) is effectively blind to threats and data exfiltration inside encrypted sessions: it can act only on what remains in the clear, such as DNS queries, the TLS SNI and destination IP reputation, which is enough to block known-bad destinations but not to find malware or sensitive data in the payload. Attackers know this: malware command-and-control channels use HTTPS to blend with legitimate traffic, phishing pages use free certificates from public CAs such as Let's Encrypt so the browser shows no warning, and data exfiltration to cloud storage services happens over encrypted connections that look identical to legitimate business use. A cloud SWG makes this traffic visible again at scale, without the capacity constraints, single points of failure, and geographic limitations of on-premises proxy appliances. For globally distributed workforces, the cloud SWG enforces a consistent security policy regardless of whether the user is at headquarters, a branch office, a home office, or a coffee shop.
Watch out
Certificate deployment is the single biggest source of delay and frustration in SWG rollouts. The SWG's TLS inspection requires every endpoint to trust the CA the proxy signs with, and every operating system and browser has its own certificate store with its own deployment mechanism. Windows uses Group Policy or Intune, macOS uses MDM profiles, iOS needs an MDM-delivered profile (a root installed by hand is not trusted for TLS until the user enables it separately), Android since 7.0 ignores user-installed CAs for apps that have not opted in to trusting them (the browser does, most other apps do not, so much non-browser Android traffic ends up bypassed rather than inspected), and Linux is a per-distribution adventure. Applications that carry their own trust store, such as Firefox (unless configured to import the OS enterprise roots), Java and Python tooling, need separate handling even on a managed device. Start certificate deployment weeks before your planned SWG go-live. Equally critical is your bypass list: certificate-pinned applications like banking apps, healthcare portals, and some government sites will break under TLS inspection because they reject the SWG's re-signed certificate. You need a well-maintained bypass list from day one, reviewed quarterly, with a clear process for users to request bypass additions. Every bypass is a blind spot, so prefer exempting pinned destinations from decryption while still proxying them (the SWG still logs destination and volume) over routing them around the SWG entirely. Every SWG vendor publishes a recommended bypass list; start there and iterate.
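The PAC-based steering from the How it works section and the bypass decision from this section, as an added example that is not part of the original page and not any vendor's published list. The proxy hostnames, internal domains and pinned-application domains are placeholders. PAC files are JavaScript evaluated by the browser's proxy engine; the engine normally supplies isPlainHostName, dnsDomainIs and shExpMatch, so the block re-implements them (with the same semantics) only so that it also runs standalone under Node for testing.

```javascript
// Added example PAC file (proxy auto-config) for steering browser traffic to a
// cloud SWG. Every hostname below is a placeholder, not a vendor's real endpoint.

// Primary and secondary SWG PoPs. No trailing "DIRECT": if both are unreachable
// the browser fails closed rather than leaving the session uninspected.
var SWG_PROXY = "PROXY swg1.example-sase.net:443; PROXY swg2.example-sase.net:443";
var DIRECT = "DIRECT";

// Never proxied: internal domains, and the SWG's own domain (avoids a loop).
// Always give domains a leading dot: matching is by suffix, and without the dot
// ".corp.example.com" would also catch "evilcorp.example.com".
var NO_PROXY_DOMAINS = [".corp.example.com", ".example-sase.net"];

// Certificate-pinned applications that break under TLS inspection. Sending them
// DIRECT here is the PAC-level bypass; exempting them from decryption on the SWG
// instead keeps destination logging. Placeholder list; start from the vendor's.
var PINNED_APP_DOMAINS = [".onlinebank.example", ".health-portal.example"];

// --- PAC helpers. The browser's PAC engine provides these; they are
//     re-implemented here with the same semantics so the file runs under Node.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}
function shExpMatch(str, shexp) {
  var re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                      .replace(/\*/g, ".*")
                      .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// RFC 1918 and loopback IPv4 literals. Unlike the PAC built-in isInNet() this
// does no DNS lookup, so it cannot stall the browser and works offline.
function isPrivateIpv4Literal(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

function matchesAny(host, domains) {
  for (var i = 0; i < domains.length; i++) {
    if (dnsDomainIs(host, domains[i])) return true;
  }
  return false;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // 1. On-prem and loopback destinations never leave the site.
  if (host === "localhost" || isPlainHostName(host) || isPrivateIpv4Literal(host)) {
    return DIRECT;
  }
  if (matchesAny(host, NO_PROXY_DOMAINS)) {
    return DIRECT;
  }

  // 2. Pinned applications: PAC-level bypass (see the note above).
  if (matchesAny(host, PINNED_APP_DOMAINS)) {
    return DIRECT;
  }

  // 3. Only HTTP and HTTPS are steered to the SWG. Other schemes the browser
  //    still asks about (e.g. ftp:) go direct; an agent or tunnel covers those.
  if (shExpMatch(url, "http:*") || shExpMatch(url, "https:*")) {
    return SWG_PROXY;
  }
  return DIRECT;
}
```

Two choices in this file are deliberate. The proxy string carries no trailing DIRECT, so a user whose PoPs are unreachable loses web access instead of silently going uninspected; append DIRECT only if that fail-open trade-off is accepted. And pinned applications are sent DIRECT, which is the simplest bypass a PAC can express; where the vendor supports it, the tighter option is to leave them proxied here and exempt them from decryption on the SWG, so destination and volume are still logged. Either way the PAC only ever sees traffic from software that honours proxy settings, so an agent or tunnel is still needed for everything else.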
Vendor comparison — SWG
Cisco: Full proxy SWG with TLS 1.3 decryption, Talos-powered URL categorization covering 200M+ domains, Snort 3.0 IPS signatures inline, and advanced malware protection with Threat Grid sandboxing. Supports explicit proxy, transparent proxy, and PAC file deployment modes.
Fortinet: Full-proxy SWG with FortiGuard web filtering covering 250M+ rated URLs across 90 categories. SSL/TLS deep inspection with certificate pinning bypass for supported applications. Integrated IPS with 15,000+ signatures and AV with AI/ML detection models. Performance is strong thanks to the FortiOS single-pass inspection architecture.
Palo Alto Networks: Cloud-delivered SWG with URL filtering covering 600M+ URLs across 80+ categories, TLS 1.3 decryption with configurable bypass policies, integrated IPS and anti-spyware with WildFire-trained signatures, and Advanced Threat Prevention ML models for inline zero-day detection. DNS Security blocks malicious domains using predictive analytics trained on 10B+ DNS queries daily.
Check Point: Hybrid SWG with on-device URL filtering for low-latency common web browsing and a cloud-based full proxy for deep content inspection. ThreatCloud-powered URL categorization and threat intelligence. SSL/TLS inspection for encrypted traffic. Capable for standard web security use cases but lacks the inspection depth (IPS signature count, advanced sandboxing) of the Cisco or Palo Alto SWG implementations.