Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/index.html?contextId=resourceid_fcj_nyv_skb

Control traffic requiring web proxy filtering

You can create a firewall rule with web proxy filtering for pre-configured FQDN host groups to enforce SafeSearch, YouTube restrictions, and to restrict sign-ins to Google Workspace applications.

Introduction

Proxy mode is needed to enforce SafeSearch, YouTube restrictions, and to restrict sign-ins to Google Workspace applications (for example, Gmail or Drive) to certain domain accounts. Sophos Firewall offers pre-configured FQDN host groups for these features and domains.

Create a firewall rule with these groups if you want to enforce control over these features, but want the DPI engine to enforce SSL/TLS inspection on the other traffic.

Create a firewall rule specifying FQDN host groups and web proxy filtering

  1. Go to Rules and policies > Firewall rules. Select protocol IPv4 or IPv6 and select Add firewall rule. Select New firewall rule.
  2. Specify the rule name and position.

  3. Specify the following settings:

    Name Description
    Action Allow
    Source zone Any
    Source networks and devices Any
    Destination zones WAN
    Destination networks

    Select these pre-configured FQDN host groups:

    • SafeSearch enforcement
    • YouTube restrictions enforcement
    • Google app enforcement
    Services HTTP, HTTPS

  4. Select the following web filtering settings:

    • Scan HTTP and decrypted HTTPS
    • Block QUIC protocol
    • Use web proxy instead of DPI engine
    • Decrypt HTTPS during web proxy filtering
  5. Click Save.

Place the rule above the firewall rules that apply the DPI engine instead of the web proxy.

More resources