Can you enable No Ads in firewall rule, but have certain sites be whitelisted?

Hi,Most certainly is. You need to be using decrypt and scan in the proxy. Create your own web policy using the no adverts, then create exception in the web exceptions.

the block policy needs to be in your firewall rule web setting, you will also need ips enabled.

ian

Where do you set this-decrypt and scan in the proxy?  Not familiar with IPS.  Why does it need to be enabled?

Hi,

ips is used as part of the detection system. You will see check boxes in your firewall rules when you enable the web function. Also you will need to install the XG ca on your devices.

ian

Do you mean tick "Decrypt HTTPS during web proxy filtering?"

XG ca should be installed on each and every device, or?  No access to internet for those devices?

Hi,

please see the screenshot below from my XG.

Ian

What happens if I don't install CA?  I've tried installing activating it before, resulting in a lot of blocked access, if I remember correctly.  Is it also required in mobile phones, tablets?

What happens is the sites are not evaluated and therefore not blocked. If you are seeing blocked access that means the ca is not installed correctly. Yes it needs to be installed on all devices that use that firewall rule.

ian

What happens is the sites are not evaluated and therefore not blocked. If you are seeing blocked access that means the ca is not installed correctly. Yes it needs to be installed on all devices that use that firewall rule.

ian

ok, the installation of CA part gives me hesitation.  Is that an additional thing I can do, to make it more effective?  Or is that a hard requirement?

If you require any form of decryption, the ca is mandatory, except if you use the ssl/tls rules, but they don’t provide the full web search and block you are after.

ian

so is the purpose of CA to sign the decrypted https sites after scanning?

No,

before scanning otherwise XG would not be able scan the url download.

Ian

Ok.  thanks for the confirmation.  I'm undecided due to need to install CA on each device.  

How often do you need to reinstall a new CA on existing devices?  Is it 1x only, no need to update, reinstall new CA?  

Hi,

once should be enough, but sometimes after updates to devices.

Ian

Thank you for patiently answering my questions!  I will create a new firewall rule and test on some devices first.