Description

This article illustrates how transparent proxy policies function when configured with destination objects based on FortiGuard URL categories.

Scope

FortiGate, Transparent Proxy.

Solution
In a transparent proxy configuration that uses URL category-based destination policies, security inspection is applied based on the predefined URL categories assigned to the destination objects. If a requested URL does not match any of the categories defined in the policy being evaluated, evaluation moves on to the next policy in the sequence whose URL category matches. The following demonstration shows this behavior.

Traffic Redirection to Transparent Proxy:

Here, LAN web traffic is redirected to a transparent proxy for inspection. To accomplish this, http-policy-redirect is enabled on the firewall policy, and both SSL deep inspection and proxy-mode inspection are applied.

Firewall Policy:

config firewall policy
    edit 1
        set name "Redirect-To-Transparent-Proxy"
        set srcintf "vsw.port3"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set http-policy-redirect enable
        set ssl-ssh-profile "Deep-inspection"
        set logtraffic all
        set nat enable
    next
end

FortiGuard URL Category based address object:
User that belongs to multiple groups:
Transparent Web Proxy: In this case, a user belongs to two groups with distinct URL-category-based policies. When a user requests a URL, the traffic matches the proxy policy based on the destination URL category, allowing access even if a previous policy web filter would have blocked it. For example, if social media is blocked in web filter policy 1 but policy 2 permits it based on the URL category, the traffic will follow policy 2 and be allowed.
Note: The URL category must also be explicitly allowed in the web filter profile attached to policy 2 for successful access.

Proxy policy:

config firewall proxy-policy
    edit 1
        set name "News"
        set proxy transparent-web
        set srcintf "vsw.port3"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "News & Media"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
        set groups "News & Media"
        set utm-status enable
        set profile-protocol-options "default"
        set ssl-ssh-profile "Deep-inspection"
        set webfilter-profile "News"
    next
    edit 2
        set name "Social"
        set proxy transparent-web
        set srcintf "vsw.port3"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "Social Networking"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
        set groups "Social Networking"
        set utm-status enable
        set profile-protocol-options "default"
        set ssl-ssh-profile "Deep-inspection"
        set webfilter-profile "Social Media"
    next
end

Security Inspection Validation:

The logs indicate that the accessed URL matches an allowed category in the corresponding policy, and that the traffic is being inspected by the web filter as expected.

Web filter logs:
Proxy (WAD) Session Dashboard:
Proxy (WAD) session via CLI:
diagnose wad session list

Session:transparentproxy 172.18.100.2:53538(172.16.30.254:53538)->212.58.236.129:443   <- BBC
 id=105134 worker=0 vd=0:0 fw-policy=1
 duration=3 expire=3588 session-ttl=3590 state=3 app=http sub_type=0 wan_opt_mode=0 dd_method=0 SSL enabled
 to-client SSL Port: state=3
  TCP Port: state=2 r_blocks=0 w_blocks=0 read_blocked=0 bytes_in=1073 bytes_out=83525 shutdown=0x0
 to-server SSL Port: state=3
  TCP Port: state=2 r_blocks=1 w_blocks=0 read_blocked=0 bytes_in=84947 bytes_out=901 shutdown=0x0

session:transparentproxy 172.18.100.2:60798(172.16.30.254:60798)->185.60.219.174:443   <- Insta
 id=104694 worker=0 vd=0:0 fw-policy=2
 duration=167 expire=3585 session-ttl=3590 state=3 app=http sub_type=0 wan_opt_mode=0 dd_method=0 SSL enabled
 to-client SSL Port: state=3
  TCP Port: state=2 r_blocks=0 w_blocks=0 read_blocked=0 bytes_in=1774 bytes_out=219394 shutdown=0x0
 to-server SSL Port: state=3
  TCP Port: state=2 r_blocks=1 w_blocks=0 read_blocked=0 bytes_in=215341 bytes_out=2551 shutdown=0x0

Sessions total=2

Implicit Deny and Block Category - Proxy policy:
If a user attempts to access content outside the destination objects defined in the proxy policy, the traffic will be blocked by the implicit deny policy.
To speed up troubleshooting and see exactly which category is being blocked, add a web-filter 'block' policy at the very bottom of the proxy policy list.
Generally, when a user belongs to multiple groups, only the first matching web filter policy is applied. If that policy blocks a specific category, access will be denied. However, with the current setup, administrators can structure proxy policies in a way that allows users to match the correct policy based on the URL category, ensuring access without being blocked by earlier web filter rules.
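To make the evaluation order concrete, the following added example (not FortiOS code, and not part of the original article) models the proxy-policy behaviour described above: a policy is a candidate only when the user's group and the destination URL category both match, the attached web filter profile then decides, and an unmatched request falls to the implicit deny. The hostname-to-category table and the optional bottom "block" policy are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed, simplified model of FortiGate transparent-proxy policy matching.
# Policy and profile names mirror the article's config; the logic is illustrative.

@dataclass
class ProxyPolicy:
    policy_id: int
    name: str
    groups: set             # "set groups ..." on the proxy policy
    dst_categories: set     # FortiGuard categories of the "dstaddr" object ("*" = any)
    webfilter_allowed: set  # categories the attached web filter profile permits
    action: str = "accept"

# Hypothetical FortiGuard rating lookup (constructed; real ratings come from FortiGuard).
URL_CATEGORY = {
    "www.bbc.co.uk": "News & Media",
    "www.instagram.com": "Social Networking",
    "example-gambling.test": "Gambling",
}

# Policies 1 and 2 from the article, evaluated top-down.
POLICIES = [
    ProxyPolicy(1, "News", {"News & Media"}, {"News & Media"}, {"News & Media"}),
    ProxyPolicy(2, "Social", {"Social Networking"}, {"Social Networking"},
                {"Social Networking"}),
]

def evaluate(user_groups, host, policies=POLICIES):
    """Return (policy_id, verdict) for a request from a user in user_groups to host.
    Policy 0 stands for the implicit deny at the bottom of the proxy-policy list."""
    category = URL_CATEGORY.get(host, "Unrated")
    for p in policies:
        if not (user_groups & p.groups):
            continue  # user is not in any group the policy applies to
        if "*" not in p.dst_categories and category not in p.dst_categories:
            continue  # category does not match this destination object: next policy
        if p.action != "accept":
            return p.policy_id, "blocked-by-policy"
        # Matched an accept policy: the web filter profile on it still has to allow it.
        if category in p.webfilter_allowed:
            return p.policy_id, "allowed"
        return p.policy_id, "blocked-by-webfilter"
    return 0, "implicit-deny"
```

A user in both groups reaches Instagram via policy 2 even though policy 1 sits above it, while a user in only the News group falls through to the implicit deny for the same request.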
Whenever a User Definition or User Group is included in a proxy policy, it is necessary to set up both an Authentication Scheme and an Authentication Rule so that the policy can properly identify and verify those users.
Copyright 2025 Fortinet, Inc. All Rights Reserved.