Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Download the certificate authority for web filtering

When you create a firewall rule for web filtering in web proxy mode, you must download the built-in SecurityAppliance_SSL_CA certificate authority (CA) and install it on endpoints.

Create a firewall rule for web filtering

Here's an example of a firewall rule for web filtering.

To create a firewall rule, do as follows:

  1. Go to Rules and policies > Firewall rules, select IPv4 or IPv6, and click Add firewall rule.
  2. Select New firewall rule.
  3. Enter a name for the rule.
  4. In Source zones, select a zone. For example, LAN.
  5. In Source networks and devices, select a network.
  6. In Destination zones, select a zone. For example, WAN.
  7. In Destination networks, select a network.
  8. Under Security features, expand Web filtering.

    Web filtering settings.

  9. Select a web policy, and turn on Scan HTTP and decrypted HTTPS and Use web proxy instead of DPI engine.

  10. Click Save.

Download the certificate authority

To download the CA, do as follows:

  1. Go to Certificates > Certificate authorities.
  2. Click Default, and make sure you've configured all the settings for the default CA.
  3. On the Certificate authorities page, download the SecurityAppliance_SSL_CA certificate authority.

    Download the CA.

    Alternatively, go to Web > General settings, under HTTPS scanning certificate authority (CA), select SecurityAppliance_SSL_CA, and download it.

    Download the CA.

Install the CA on the endpoints

You must install the SecurityAppliance_SSL_CA certificate authority on the endpoints of the source network you selected in the firewall rule. See Add a CA manually to endpoints.