When going over a tunnel, all traffic will go through the CDFW and then all web traffic will be sent to the proxy (excluding any bypassed domains/IPs). Any traffic going through the CDFW and the proxy will be subject to policy enforcement based on the...
Are you sure the file type you are downloading matches the file type you are blocking in Secure Access? If so, you might want to open a TAC case to further look into the issue.
Is the web security enabled in your internet security settings in Secure Access? If so, first check the network requirements doc below to make sure all allowed IPs/URLs and ports are being allowed through your firewall.
https://docs.sse.cisco.com/sse-u...
From a quick glance it looks like you have decryption disabled in your security profile. This needs to be enabled.
https://docs.sse.cisco.com/sse-user-guide/docs/advanced-application-controls
Troubleshooting
If advanced application control is...