We are a rural school system using a Fortigate 800f as our firewall/gateway to our ISP. We are in the process of redesigning our public addresses due to a new ISP and are curious if we can do the following:
All of our connections are fiber, which leaves us with three 1 Gb Ethernet connections free on the Fortigate box. Our campuses are subnetted through a Cisco switch, then sent via fiber to the Fortigate box, and currently all Fortigate rules and policies are applied to all campuses equally, then sent out via fiber to our ISP.
We would like to separate our High School subnet at the Fortigate box, using rules and policies, to send all High School traffic out to one of the Ethernet ports, to go to a SQUID proxy box using a simplex Ethernet card, be processed/authenticated/filtered by the SQUID, then returned via another simplex Ethernet card to another Ethernet port on the Fortigate box, then apply normal Fortigate rules and policies, then sent out through the normal connection to our ISP. Return paths would be routed the same way.
If all this sounds unnecessarily complicated, here are our reasons why:
1) Fortigate box, with newest firmware, will block some proxies, but not all. When we experimented with a SQUID box, all proxies were blocked, presumably because the HTTPS 'handshake' between the client and the external proxy was interrupted. I'm tired of kids circumventing my filters.
2) We can't afford the Fortianalyzer right now, but want to track those innocent High Schoolers in their web travels.
3) We want to use the SQUID for LDAP authentication, but only for the High School.
4) We want the ability to add additional filters (through SQUID) on High School.
5) We want the ability to bypass the SQUID if needed. In theory, all that would be needed would be to connect one Ethernet port back to the other Ethernet port on the Fortigate, taking the SQUID out of the "loop".
Anyone have any experience or knowledge about this possibility?
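An added example, not from the original post, of the Squid side of the design described above (reasons 2 through 4): a minimal squid.conf that authenticates High School users against LDAP, applies a separate block list, and writes a per-user access log. Assumed values, none of which come from the post: the High School subnet 10.50.0.0/16, Squid listening on 10.50.254.2 on the interface facing the Fortigate hand-off port, an LDAP server at ldap.school.example with base DN dc=school,dc=example, a read-only bind account, and the Debian-style helper path /usr/lib/squid/.

```conf
# Constructed example squid.conf for the High School path (not the poster's config).
# Assumed: HS subnet 10.50.0.0/16, LDAP at ldap.school.example, base DN dc=school,dc=example,
# helper path /usr/lib/squid/ (use /usr/lib64/squid/ on RHEL-family systems).

# Explicit proxy port on the interface facing the Fortigate hand-off (assumed address).
http_port 10.50.254.2:3128

# Authenticate against LDAP with a read-only bind account; the bind password lives in
# a root-only file rather than on the command line, so it is not visible in `ps`.
auth_param basic program /usr/lib/squid/basic_ldap_auth \
    -b "dc=school,dc=example" \
    -f "(&(objectClass=person)(sAMAccountName=%s))" \
    -D "cn=squid-ro,ou=service,dc=school,dc=example" -W /etc/squid/ldap.pw \
    -v 3 -h ldap.school.example
auth_param basic children 10
auth_param basic realm High School Web Access
auth_param basic credentialsttl 1 hour

# Only the High School subnet may use this proxy, and only after authenticating.
acl hs_lan src 10.50.0.0/16
acl hs_users proxy_auth REQUIRED
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !hs_lan
# A failed match on a proxy_auth REQUIRED acl sends the 407 challenge to the client.
http_access deny !hs_users

# Extra filtering (reason 4): a block list of domains kept in its own file, one per line.
acl blocked dstdomain "/etc/squid/hs_blocked_domains.txt"
http_access deny blocked
http_access allow hs_users
http_access deny all

# Per-user log (reason 2): timestamp, client IP, LDAP user, method, URL, status, bytes.
logformat hs_audit %ts.%03tu %>a %un %rm %ru %>Hs %<st
access_log /var/log/squid/hs_access.log hs_audit
```

Proxy authentication only works when browsers address Squid explicitly (proxy settings, GPO or WPAD), not when traffic is merely routed through the box, so the LDAP requirement in reason 3 decides how the Fortigate hand-off must be used. For HTTPS, this configuration only sees the CONNECT target host, which is enough for the domain block list and the log but not for URL-level filtering inside the TLS session.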