
Blackhole DNAT not working

Hello,

I want to be able to block a client's complete traffic to the internet on the UTM.

To avoid creating separate firewall and web protection rules, I found out that you can create a blackhole DNAT rule so that all traffic from these clients goes to nirvana. I tried the following:

1. Created new group "BAD_CLIENTS". There I can put the clients to block by their IP or DNS name, e.g. "192.168.1.222" or "CLIENT-122.DOMAIN.LOCAL".

2. Created new DNAT rule with automatically created firewall rule:

Position: 1
Type: DNAT
Source: Group "BAD_CLIENTS"
Service: Any
Destination: Internet IPv4
---
Change Destination: 1.2.3.4

The clients in the BAD_CLIENTS group are no longer able to ping any internet address, e.g. google.com. But they can still access the entire internet via browser??

Is my configuration wrong or am I thinking wrong?


What is the fastest, easiest and most effective way to block all internet traffic of clients?