Felizardo
Staff
Article Id 423061
Description

This article describes how to allow a particular domain to bypass the Explicit Proxy Authentication process.

Scope

FortiGate.
Solution

Consider a situation where the domain (e.g., www.example.com) should be exempted from Explicit Proxy Authentication. To accomplish the goal, follow these steps:

  1. Create an FQDN Address Object (for the domain to exempt):

config firewall address
    edit "example_com"
        set type fqdn
        set fqdn "www.example.com"
    next
end

  2. Create a new authentication rule with no authentication method:

config authentication rule
    edit "no_authentication"
        set srcaddr "all"
        set dstaddr "example_com"
        set ip-based disable
    next
end

  3. Move the No-Auth Rule to the Top (above any authenticating rules, such as "kerberos_rule" in this example):

config authentication rule
    move "no_authentication" before "kerberos_rule"
end

  4. Create a dedicated Proxy Policy (accepts traffic without triggering auth):

config firewall proxy-policy
    edit 20
        set name "no_authentication"
        set srcaddr "all"
        set dstaddr "example_com"
        set action accept
        set service "webproxy"
        set schedule always
        set logtraffic all
    next
end

  5. Ensure Policy Order: Proxy policies are evaluated top-down. Place this policy above general policies.

Result:

Traffic to the domain (www.example.com) is allowed to bypass explicit proxy authentication.
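A way to check steps 2 and 3 from a configuration backup, as an added example that is not part of the original article: the script reads the "config authentication rule" section in order and flags any rule without an authentication method that is either unscoped (dstaddr "all") or placed below an authenticating rule. The sample section is constructed, "kerberos_scheme" is an assumed scheme name, and a rule is treated as authenticating when it sets active-auth-method or sso-auth-method.

```python
import re
# Constructed sample: the "config authentication rule" section of a backup
# after the steps above. "kerberos_scheme" is an assumed scheme name.
SAMPLE = '''
config authentication rule
    edit "no_authentication"
        set srcaddr "all"
        set dstaddr "example_com"
        set ip-based disable
    next
    edit "kerberos_rule"
        set srcaddr "all"
        set dstaddr "all"
        set sso-auth-method "kerberos_scheme"
    next
end
'''

AUTH_KEYS = {"active-auth-method", "sso-auth-method"}  # attach a scheme to a rule

def parse_rules(text):
    """Return [(name, {setting: [values]})] in top-down evaluation order."""
    rules, current = [], None
    for line in text.splitlines():
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if len(tokens) > 1 and tokens[0] == "edit":
            current = (tokens[1], {})
            rules.append(current)
        elif len(tokens) > 2 and tokens[0] == "set" and current:
            current[1][tokens[1]] = tokens[2:]
        elif tokens[:1] == ["next"]:
            current = None
    return rules

def audit(text):
    """Flag no-auth rules that are unscoped or sit below an authenticating rule."""
    findings, seen_auth = [], False
    for name, settings in parse_rules(text):
        if AUTH_KEYS.intersection(settings):
            seen_auth = True
            continue
        # A missing dstaddr is treated as unscoped here (assumption).
        if "all" in settings.get("dstaddr", ["all"]):
            findings.append(f"{name}: no auth method and dstaddr is 'all'")
        if seen_auth:
            findings.append(f"{name}: below an authenticating rule")
    return findings

print(audit(SAMPLE) or "authentication rule order and scope look as intended")
```

Pass only the authentication rule section to audit(); other sections of a backup also use edit/set/next and would be read as rules.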