Network rule strange behaviour
On our XG125 we have a default LAN-to-WAN rule (any host, any service, HTTP scanning only); this rule sits at the bottom of the rule list.

For some testing I want to have a network rule for one PC. This rule is set at the top and has a web filter and an application filter applied to it, so the rule is as follows:

Source: LAN, Device: TEST-PC (added as a MAC host)
Destination: WAN, Service: ANY
Web Malware and Content Scanning: Scan HTTP, Decrypt and Scan HTTPS, Block Google QUIC
Custom web filter and custom application filter applied; both the web filter and the app filter are set to Anyone

I installed the Sophos CA cert on the client, and the client indeed could not access the websites that I had set in the web filter.

However, other clients on the network received a certificate error on HTTPS websites because the firewall tries to decrypt and scan, but the Sophos cert is not installed on the other PCs.

From my understanding, rules are read from top to bottom, so why is the rule not skipped for clients other than TEST-PC? It seems that the web filter is skipped, because other clients can browse the sites blocked for TEST-PC just fine, but the HTTPS decryption is not skipped?
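As an added illustration (not Sophos code, and not a model of how the XG actually implements rule matching), the following models strict top-to-bottom, first-match evaluation of the two rules described above, so the observed behaviour can be compared against what ordering alone predicts. The rule names, the constructed MAC addresses and the `Packet`/`Rule` fields are assumptions made for the example; the MAC-visibility check reflects the general property that a MAC-based host can only match when the firewall sees the client's layer-2 address.

```python
"""First-match firewall rule evaluation, modelled on the two rules in the post.

Added example: it shows what strict top-to-bottom, first-match evaluation
predicts for a TEST-PC rule (MAC host, HTTPS decryption on) placed above a
default LAN-to-WAN rule (HTTP scan only). Names and MACs are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    services: frozenset                    # frozenset({"ANY"}) matches every service
    src_macs: Optional[frozenset] = None   # None = any host (no MAC restriction)
    scan_http: bool = False
    decrypt_https: bool = False
    block_quic: bool = False
    web_filter: Optional[str] = None
    app_filter: Optional[str] = None


@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    service: str
    src_mac: Optional[str]   # None when the firewall cannot see the L2 address


def matches(rule: Rule, pkt: Packet) -> bool:
    """Return True if every match criterion of the rule applies to the packet."""
    if rule.src_zone != pkt.src_zone or rule.dst_zone != pkt.dst_zone:
        return False
    if "ANY" not in rule.services and pkt.service not in rule.services:
        return False
    if rule.src_macs is not None:
        # A MAC host can only match when the firewall actually sees that MAC
        # (client on the same L2 segment); otherwise the packet falls through.
        if pkt.src_mac is None or pkt.src_mac.lower() not in rule.src_macs:
            return False
    return True


def first_match(rules, pkt: Packet) -> Optional[Rule]:
    """Top-to-bottom evaluation: the first matching rule wins."""
    for rule in rules:
        if matches(rule, pkt):
            return rule
    return None   # no rule matched: implicit drop


TEST_PC_MAC = "00:11:22:33:44:55"   # constructed value for the example

RULES = [
    # Top rule: TEST-PC only, full web protection, as described in the post.
    Rule("TEST-PC policy", "LAN", "WAN", frozenset({"ANY"}),
         src_macs=frozenset({TEST_PC_MAC}),
         scan_http=True, decrypt_https=True, block_quic=True,
         web_filter="custom", app_filter="custom"),
    # Bottom rule: default LAN to WAN, any host, any service, HTTP scan only.
    Rule("Default LAN to WAN", "LAN", "WAN", frozenset({"ANY"}), scan_http=True),
]


def policy_for(src_mac: Optional[str], service: str = "HTTPS") -> Optional[dict]:
    """Report which rule a LAN->WAN flow from src_mac hits and what it applies."""
    rule = first_match(RULES, Packet("LAN", "WAN", service, src_mac))
    if rule is None:
        return None
    return {
        "rule": rule.name,
        "decrypt_https": rule.decrypt_https,
        "web_filter": rule.web_filter,
        "app_filter": rule.app_filter,
    }


if __name__ == "__main__":
    for mac in (TEST_PC_MAC, "aa:bb:cc:dd:ee:ff", None):
        print(mac, "->", policy_for(mac))
```

Under this model only TEST-PC lands on the top rule and gets HTTPS decryption; every other client, including one whose MAC the firewall cannot see, falls through to the default rule with HTTP scanning only. A client that is matched by the default rule but still receives certificate errors is therefore behaving differently from what ordering alone predicts, which is what makes the per-rule scanning settings of the rule actually being hit, and the way each client is being matched, the things worth checking.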