SWG (Secure Web Gateway)
The SWG is your TLS inspection workhorse — it decrypts, inspects, and re-encrypts all web traffic at cloud scale. With 95%+ of web traffic now encrypted, without a SWG your entire security stack is blind. Replaces on-prem proxies like Blue Coat, Skyhigh Security (formerly McAfee Web Gateway), and Broadcom (formerly Symantec). The single biggest deployment risk is certificate rollout — start pushing root CAs to endpoints two weeks before go-live.
The SWG is the workhorse. It handles more traffic, inspects more sessions, and blocks more threats than any other SASE component — and it is almost always the first thing you deploy because you can have it live in days, not months. Over 95% of web traffic is now TLS-encrypted, which means without a cloud SWG decrypting and inspecting it, your entire security stack is blind to the content of most internet traffic. Attackers know this, which is why malware C2, phishing, and data exfiltration overwhelmingly use HTTPS.
If you are migrating from on-prem proxies like Blue Coat, Broadcom (formerly Symantec), Skyhigh Security (formerly McAfee Web Gateway), or Forcepoint — welcome to elastic capacity. No more 3 AM alerts about proxy CPU at 98%. No more capacity planning spreadsheets. Cloud SWG scales horizontally across globally distributed PoPs, and the same inspection policies follow your users whether they are in headquarters, a branch, or a hotel lobby.
The core function is straightforward: intercept HTTPS traffic, decrypt it with a man-in-the-middle TLS inspection architecture, apply security policies (URL categorization, malware scanning, sandboxing, content filtering), then re-encrypt and forward clean traffic. What makes this complex in practice is certificate deployment to every endpoint, the political challenge of maintaining bypass lists for certificate-pinned apps, and the performance sensitivity of adding inspection latency to every web request. Get the TLS bypass list wrong and you will be writing a rollback email within 48 hours. Get it right and you have immediate visibility into shadow IT, threat exposure, and data flows that were previously invisible.
What it does
A Secure Web Gateway is a cloud-delivered web proxy that intercepts, decrypts, inspects, and re-encrypts all HTTP and HTTPS traffic between users and the internet. It replaces on-premises proxy appliances with globally distributed inspection points that apply URL categorization against databases of billions of classified URLs, real-time malware scanning using signature-based and behavioral engines, file sandboxing for zero-day threat detection, content filtering by category and risk level, and acceptable use policy enforcement. The SWG operates as a full TLS termination point: it presents the browser a certificate for the requested hostname, signed by the SWG root CA that the organization has pushed to its endpoints, decrypts the traffic, inspects it in cleartext, then initiates a new TLS session to the destination server. The browser accepts that certificate only because the root CA is in its trust store, which is why certificate deployment gates the whole rollout. This break-and-inspect model is the only way to apply security controls to encrypted traffic at scale.
How it works
Traffic reaches the SWG through one of three steering methods, each with different tradeoffs. PAC files configure the browser to send HTTP/HTTPS traffic to the cloud proxy and require no endpoint agent, but only cover browser traffic, not application-level HTTP calls. Endpoint agents capture all TCP traffic at the network stack level, route web traffic to the SWG and non-web traffic to FWaaS, and provide device posture data for policy decisions. GRE or IPsec tunnels from branch office routers steer all site traffic to the nearest SWG PoP, covering every device on the network without per-device agent deployment. Once traffic arrives at the SWG PoP, the TLS inspection engine terminates the client-side TLS session using the organization's deployed root CA certificate, decrypts the payload, runs it through a pipeline of security engines in sequence — URL categorization, reputation scoring, antivirus signature matching, behavioral analysis, and optionally cloud sandboxing for suspicious files — then re-encrypts with a new TLS session to the destination and forwards the traffic.
Why it matters
Over 95% of internet traffic is now encrypted with TLS 1.2 or 1.3. Without decryption, your entire security stack — IPS, antivirus, DLP, content filtering — is effectively blind to threats and data exfiltration hiding inside encrypted sessions. Attackers know this: malware command-and-control channels use HTTPS to blend with legitimate traffic, phishing pages use free TLS certificates from Let's Encrypt to appear trustworthy, and data exfiltration to cloud storage services happens over encrypted connections that look identical to legitimate business use. A cloud SWG makes this traffic visible again at scale, without the capacity constraints, single-points-of-failure, and geographic limitations of on-premises proxy appliances. For globally distributed workforces, the cloud SWG ensures consistent security policy regardless of whether the user is in headquarters, a branch office, a home office, or a coffee shop.
Watch out
Certificate deployment is the single biggest source of delay and frustration in SWG rollouts. The SWG's TLS inspection requires installing a custom root CA certificate on every endpoint, and every operating system and browser has its own certificate store with its own deployment mechanism. Windows uses Group Policy or Intune, macOS uses MDM profiles, iOS uses supervised device management, Android varies by manufacturer, and Linux is a per-distribution adventure. Start certificate deployment weeks before your planned SWG go-live. Equally critical is your bypass list: certificate-pinned applications like banking apps, healthcare portals, and some government sites will break under TLS inspection because they reject the SWG's re-signed certificate. You need a well-maintained bypass list from day one, reviewed quarterly, with a clear process for users to request bypass additions. Every SWG vendor publishes a recommended bypass list — start there and iterate.
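The PAC-file steering described under How it works and the bypass list described above, combined in one proxy auto-config script. This is an added example, not code from the page or any vendor's published PAC; the proxy addresses and domain lists are constructed placeholders.

```javascript
// Added example: a PAC file that steers browser HTTP/HTTPS traffic to a cloud SWG
// and sends internal and certificate-pinned destinations DIRECT. All hostnames
// and proxy addresses are constructed placeholders, not any vendor's real endpoints.

// Two SWG PoPs back to back: if the first is unreachable the browser tries the
// second. Appending "; DIRECT" would fail OPEN (unfiltered internet whenever the
// SWG is unreachable), so it is deliberately left out.
var SWG_PRIMARY = "PROXY swg-pop1.example.invalid:443";
var SWG_SECONDARY = "PROXY swg-pop2.example.invalid:443";

// Internal zones that must never be sent out through the proxy.
var INTERNAL_DOMAINS = ["corp.example", "intranet.example"];

// Certificate-pinned services that reject the SWG's re-signed certificate.
// Seed this from the vendor's recommended bypass list and review it on a schedule.
var PINNED_BYPASS = ["bank.example", "patientportal.example"];

// True when host equals a listed domain or is a subdomain of it. The browser-native
// dnsDomainIs() is a plain suffix match, so "bank.example" would also match
// "notbank.example"; this helper requires a dot boundary to avoid that pitfall.
function hostInList(host, domains) {
  for (var i = 0; i < domains.length; i++) {
    var d = domains[i].toLowerCase();
    if (host === d || host.endsWith("." + d)) return true;
  }
  return false;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  var scheme = url.split(":")[0].toLowerCase();

  // Single-label names and loopback stay local.
  if (host.indexOf(".") === -1 || host === "localhost" || host === "127.0.0.1") return "DIRECT";
  if (hostInList(host, INTERNAL_DOMAINS)) return "DIRECT";
  // Pinned apps break under TLS inspection; bypass them rather than surface cert errors.
  if (hostInList(host, PINNED_BYPASS)) return "DIRECT";
  // A PAC only steers browser traffic; non-HTTP schemes are left alone.
  if (scheme !== "http" && scheme !== "https") return "DIRECT";

  return SWG_PRIMARY + "; " + SWG_SECONDARY;
}
```

Any host bypassed here is invisible to the SWG, so the same list should be mirrored in the agent or tunnel steering policy and reviewed on the quarterly cadence the text recommends.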
Vendor comparison — SWG
Cisco: Full proxy SWG with TLS 1.3 decryption, Talos-powered URL categorization covering 200M+ domains, Snort 3.0 IPS signatures inline, and advanced malware protection with Threat Grid sandboxing. Supports explicit proxy, transparent proxy, and PAC file deployment modes.
Fortinet: Full-proxy SWG with FortiGuard web filtering covering 500M+ rated URLs across 90 categories. SSL/TLS deep inspection with certificate pinning bypass for supported applications. Integrated IPS with 15,000+ signatures and AV with AI/ML detection models. Performance is strong thanks to the FortiOS single-pass inspection architecture.
Palo Alto Networks: Cloud-delivered SWG with URL filtering covering hundreds of millions of URLs across 80+ categories, TLS 1.3 decryption with configurable bypass policies, integrated IPS and anti-spyware with WildFire-trained signatures, and Advanced Threat Prevention ML models for inline zero-day detection. DNS Security blocks malicious domains using predictive analytics trained on 10B+ DNS queries daily.
Check Point: Hybrid SWG with on-device URL filtering for low-latency common web browsing and a cloud-based full proxy for deep content inspection. ThreatCloud-powered URL categorization and threat intelligence. SSL/TLS inspection for encrypted traffic. Capable for standard web security use cases but lacks the inspection depth (IPS signature count, advanced sandboxing) of the Cisco or Palo Alto SWG implementations.
Zscaler: ZIA's SWG terminates and inspects every HTTP/HTTPS connection through full TLS decryption. URL filtering with a 100M+ URL database, inline malware detection with ML models trained on 250B+ daily transactions, and Advanced Threat Protection with cloud sandboxing. SSMA (Single Scan, Multi-Action) processes all SWG policies in parallel with CASB and DLP, so there is no chained latency. The only SWG to achieve 100% CyberRatings efficacy.
Netskope: NG-SWG accounts for ~40% of Netskope revenue, reflecting how central inline inspection is to the platform. Single-pass TLS 1.3 decryption with a 50ms RTT SLA. Real-time threat protection with cloud sandboxing, ML-based malware detection, and patient zero analysis for retroactive alerting. Remote Browser Isolation is integrated for uncategorized and risky web content. Granular policy controls by user, group, app, instance, and activity.
Cato Networks: Full-proxy SWG with TLS 1.3 inspection, URL categorization, and threat prevention powered by Cato Research Labs intelligence. The SPACE single-pass engine means SWG inspection shares decrypted traffic context with IPS, CASB, and DLP simultaneously rather than re-decrypting for each function. Handles both explicit proxy and transparent proxy modes. IPS signatures are updated continuously by Cato's threat research team with sub-hour response to new CVE disclosures.
Cloudflare: Gateway SWG provides DNS filtering, HTTP inspection, and network filtering with TLS decryption in a single-pass architecture. Claims 50% faster than alternatives due to anycast proximity and single-server processing. URL categorization, anti-malware scanning, and file type controls are solid. Inline threat intelligence benefits from Cloudflare's visibility into 20%+ of global web traffic. Performance is the differentiator; inspection depth is adequate but does not match Cisco's Talos/Snort 3.0 or Palo Alto's WildFire/ATP.