Web Policy and Filtering Not Working at All

Question

XG V16 - It seems yet another thing real simple in other firewalls just doesn't want to work. I'm not sure if the KB article I found isn't complete, but if I have the default web filtering policy or Default Workplace Policy applied on the only LAN-to-WAN network rule, nothing gets blocked, nor does anything show up in the log viewer. Also, while I can see the value of doing it on a rule basis, is there a way to just filtering on a zone like with other firewalls?

This thread was automatically locked due to age.

Michael Dunn · Answer

Firewall Rule 1 had a Web Policy. That Web Policy was "Block Social Media and a Default Action of Allow". The rule was matched based on the user and it correctly followed the logic of the Default Action, which is to allow. It never hits the second Firewall Rule. 
 In v16 and later, as much as possible you should put all web decisions into a single Web Policy. Within that policy you can do the Rule 1, Rule 2, Rule 3 that you describe. 
 
 Firewall rules basically have two parts: Match this traffic THEN apply this action. Firewall rules flow from one to the other on the "match this traffic" part until a Firewall Rule is matched. It then follows all the logic in the "apply this action". It does not then, after that, go the the next firewall rule to see if it matches that as well. For a given packet, only one firewall rule is applied. 
 Web Policy rules work differently. It also has a "match this traffic then apply this action". However for those rules, traffic is always matched against all rules that apply to it. For the Web Policy a "Block" will Block and "Allow" really means "I'm not going to block, continue evaluating the next rule". 
 EDIT: Update/Clarification. Web Policy also applies the first rule that matches, whether it is allow or block. Allow does mean Allow, not "continue processing". This makes a difference if Rule 1 is allow Document Files and Rule 2 is block Adult sites. If someone downloads a pdf from an adult site, it will be allowed.

sachingurung · Answer

Hi David, 
 Take a look at #1 in my guide here and verify with the help of Packet Capture that which FW-rule does the traffic forwards through. 
 I guess the traffic gets passed through Rule ID 25 which has no filters applied. 
 Thanks

sachingurung · Answer

Hi David, 
 I completely missed to see that the FW-rule was disabled. Is the issue resolved? If not, try restarting the Web Proxy services from Administration> Services> Web proxy and also, show me a picture of drop-packet and packet filter logs. Next, go to Advance Shell and capture few log lines for awarrenhttp.log which states that the websites are allowed and filtering is not working. 
 Last but not the least, check if the Web Protection license is active.