SSL "interception on exception" behavior in the Web Security Service (WSS)

Article ID: 169084


Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

By default, the Web Security Service (WSS) does not intercept HTTPS traffic from destination websites, but WSS applies Content Filtering policy to the furthest extent possible.

WSS, however, cannot apply policies to transactions that require deeper inspection (such as blocked categories, web application controls, or malware scanning) without decrypting that SSL/HTTPS content.

Enabling SSL Interception allows WSS to decrypt HTTPS connections, examine the contents and perform policy checks.

NOTE: Even if SSL Interception is not enabled, some encrypted web traffic is still filtered because of the WSS "intercept on exception" feature.
This article describes possible scenarios where WSS intercepts traffic even when SSL Interception is DISABLED.

Cause

Common "Intercept on exception" scenarios:

  • Destination IP and URL category listed under "Content Filtering > Policies" Permanently Blocked Categories on row G1
  • Destination IP and URL category listed under "Content Filtering > Policies" Blocked Categories on row G4
  • Destination IP listed under "Content Filtering > Policies" Blocked Destination IPs/Subnets on row G4
  • Destination domain/URL listed under "Content Filtering > Policies" Blocked Domain/URLs on row G4
  • Traffic sources or destinations that belong to WebApps 
  • Any traffic (Source/Destination/WebApp) where the Verdict is set to Block or Block--Password Override in any Content Filtering Policies
  • Destination IP and URL categories listed under "Threat Protection > Policies" Permanently Blocked Categories (such as: Malicious Outbound Data/Botnets, Malicious Sources/Malnets, Phishing, Proxy Avoidance, Spam)
  • Any other criteria for WSS evaluation (DNS, server certificate, site content, etc.) where the content is potentially unsafe

Resolution

Distribute WSS Root Cert ("Cloud Services Root CA") to Endpoints
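
When SSL Interception is disabled and an endpoint still reports a certificate warning or a block page for an HTTPS site, the issuer of the presented chain shows whether WSS intercepted that session. The following is an added example, not Broadcom's code: it parses saved `openssl s_client -showcerts` output and assumes an intercepted session presents a chain that names the "Cloud Services Root CA" from this article as an issuer; the sample outputs and every DN field other than that CN are constructed.

```python
import re

# Root CA name taken from this article's Resolution section.
WSS_ROOT_CN = "Cloud Services Root CA"

# CN attribute in either OpenSSL DN style: "CN = name" or "/CN=name".
_CN_RE = re.compile(r"(?:^|[,/])\s*CN\s*=\s*([^,/\n]+)")
# Issuer lines inside the "Certificate chain" block start with "i:".
_ISSUER_RE = re.compile(r"^\s*i:(.+)$")


def chain_issuer_cns(s_client_output):
    """Return the issuer CN of every certificate in the printed chain."""
    cns, in_chain = [], False
    for line in s_client_output.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain and line.strip() == "---":
            break  # separator that ends the chain block (PEM lines do not match)
        elif in_chain:
            issuer = _ISSUER_RE.match(line)
            if issuer:
                cn = _CN_RE.search(issuer.group(1).strip())
                cns.append(cn.group(1).strip() if cn else "")
    return cns


def intercepted_by_wss(s_client_output):
    """True when any certificate in the chain was issued by the WSS root."""
    return WSS_ROOT_CN in chain_issuer_cns(s_client_output)


# Constructed samples: hostnames, O= values and the public CA name are made up.
SAMPLE_INTERCEPTED = """CONNECTED(00000003)
---
Certificate chain
 0 s:CN = blocked.example
   i:C = US, O = Constructed Org, CN = Cloud Services Root CA
---
Server certificate
"""
SAMPLE_DIRECT = """CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=allowed.example
   i:/C=US/O=Constructed Public CA/CN=Constructed Issuing CA 1
---
"""

if __name__ == "__main__":
    for name, text in (("intercepted", SAMPLE_INTERCEPTED), ("direct", SAMPLE_DIRECT)):
        print(name, chain_issuer_cns(text), intercepted_by_wss(text))
```

A session flagged here on an endpoint that lacks the root certificate will fail validation, which is the case the Resolution step addresses.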