Wanted to know if there is the capacity to trace what portion of a policy is causing a site to be disallowed. I have heard that in Web Gateway there is a rule trace capability that can do this. Anything similar in SaaS Web Protection?
The error message will actually tell you quite a bit as to why a site was blocked. If you need additional details, you may find that the Forensics search will provide you the needed information. This is located under Web Protection, in a dedicated tab called "Forensics".