Before adding any configurations under G Suite Cloud Access Filter, please make sure to set the following configurations:

1. Navigate to Policies tab. Under HTTPS Inspection > HTTPS Tunnels Exception list, add the domain/service used for G Suite (e.g. mail.google.com, drive.google.com).

   

   ^{Click the image to enlarge.}

   Click Save.

    

   The reason for adding such URLs in HTTPS Tunnels exception is that when URLs are automatically placed in Tunneled Domains List, it will bypass the filters and it will bypass the Cloud Service Filter.

    
2. Go to Policies tab. Under Approved/Blocked URLs, make sure that domains used by G Suite are not listed in either Approved URLs or Blocked URLs (e.g. mail.google.com, drive.google.com).
3. Go to Administration tab. Under Service Deployment, select PAC Files. Select the default PAC file or the PAC file in use and verify if Google domain(s) are included under "Bypass proxy for these hosts & domains". If yes, delete them from the list.

   

   ^{Click the image to enlarge.}

    

   The reason for removing related URLs used in Cloud Service Filters is that if these URLs are listed on the Skip Hosts, PAC script will instruct the browser to access such URLs directly, bypassing the proxy. This only applies if you are using PAC file.

    
4. After these settings are configured, go to Policies > Cloud Service Filters and select G Suite access filter. Under URLs, add the URL for the specific service under G Suite. Under Actions on Header, add your G Suite domain under Value.

   

   ^{Click the image to enlarge.}

   Click Save.

5. Go to Cloud Access Rules. Open a particular rule that you will use. Under Cloud Services, select G Suite access filter you configured earlier.

   

   ^{Click the image to enlarge.}

   Under Action, select Allow.

   

   ^{Click the image to enlarge.}

   Click Save.

For more information, refer to the G Suite Admin Help article, Block access to consumer accounts.