Block URL group for all except authenticated users

First of all, this can be done within one Firewall Rule and Web Policy, as long as you are not trying to force authentication for unauthenticated users.  If you are, there are a few options.

New to XG line, trying to block only the specific "URL group" for every user while only authenticated user group ("managers") that can login and access blacklisted websites listed in the group.

Issue is that:

a) every website is blocked for non-authenticated users not just our blacklisted few in the URL group. 

b) when user authenticates then they are allowed to view ONLY blacklisted websites and nothing else.

 -- our web policy Block Blacklisted Websites --

What you describe is exactly how you have set up your web policy.  The issue is the "Default Action" which is set to block.  So anything that does not match the two above rules are blocked.

Right now you have three types of users - not authenticated, authenticated but not manager, and authenticated and manager.

Be aware that in the Web Policy has the following "users/groups"

Known users - this is anyone who has authenticated

Unknown users - this is anyone who has not authenticated

Anybody - this is both known and unknown users

Assuming you want only managers access, then your web policy is correct after you change the default action to Allow.

First of all, this can be done within one Firewall Rule and Web Policy, as long as you are not trying to force authentication for unauthenticated users.  If you are, there are a few options.

New to XG line, trying to block only the specific "URL group" for every user while only authenticated user group ("managers") that can login and access blacklisted websites listed in the group.

Issue is that:

a) every website is blocked for non-authenticated users not just our blacklisted few in the URL group. 

b) when user authenticates then they are allowed to view ONLY blacklisted websites and nothing else.

 -- our web policy Block Blacklisted Websites --

What you describe is exactly how you have set up your web policy.  The issue is the "Default Action" which is set to block.  So anything that does not match the two above rules are blocked.

Right now you have three types of users - not authenticated, authenticated but not manager, and authenticated and manager.

Be aware that in the Web Policy has the following "users/groups"

Known users - this is anyone who has authenticated

Unknown users - this is anyone who has not authenticated

Anybody - this is both known and unknown users

Assuming you want only managers access, then your web policy is correct after you change the default action to Allow.

Thanks Michael.

- Changed 'default action' to 'allow' = now the authentication window shows up only when we try to access blacklisted websites, all other websites time out with "DNS_PROBE_FINISHED_NO_INTERNET". After Manager authenticates, it can access all websites except those that are blacklisted.

- Yes, essentially we want to have Managers to gain access to blacklisted ULRs when they authenticate while everyone else (Anybody) should be blocked from those blacklisted sites. Simply put, "must be Manager, login to view".