You shouldn't use GM and the proxy/content filter together. If you do, all traffic in GM will appear to come from the proxy and you cannot set up different policies per machine.

GM has nothing to do with port blocking. It is a DNS filtering tool so you cannot unblock GM by using the Egress Firewall.

In the proxy, you could have just bypassed the proxy for the one device.

I think you really need to rethink your filtering set up and decide whether to use GM of the Content Filter/Proxy. In general GM is much lighter on system resources and does not need any explicit set up on your clients and is possibly the better tool, especially in its paid versions.

Nick Howitt wrote:

You can move that device into the unfiltered Policy, or set up an new Policy for this device which is more permissive. You may need to check the logs to see what you need to allow, and sometimes you need to disable the Family Shield

I've try it on my phone but it doesn't exclude the block port in the Egress Firewall.

What I did,
1. Network Map->Mapped Devices-> I map my phone.
2. Groups->Group Manager-> Create a new group name "unblock" then edit members add user name "fri"
3. Content Filter Engine->App Policies>Configure Policy->General Settings
A. Filter Mode - No Filtering
B. Dynamic Scan Sensitivity - Disable
C. Deep URL Analysis - Disable.
D. Phrase Lists, MIME Types, Gray Sites - All uncheck.

You can move that device into the unfiltered Policy, or set up an new Policy for this device which is more permissive. You may need to check the logs to see what you need to allow, and sometimes you need to disable the Family Shield

Nick Howitt wrote:

The Application Filter is very different.

When you want to make an IP exception, is that a destination IP on the internet or a source IP on your LAN? In reality you don't use IP's at all, you need domains for the internet and devices (MAC addresses) for the LAN.

Application filter list is quite small compare to Gateway management and OPENDNS.

The source IP on my LAN. Yes I have also the MAC address for the end devices.

The Application Filter is very different.

When you want to make an IP exception, is that a destination IP on the internet or a source IP on your LAN? In reality you don't use IP's at all, you need domains for the internet and devices (MAC addresses) for the LAN.

Nick Howitt wrote:

GM does not know the difference between http and https as it blocks at the DNS level.

The status where goes dead? What is your default policy and what policy group is your device in?

I see just like OPENDNS. Does Application Filter also work like this?

Also is there a way to make an specific IP exception for the blacklist port in egress and in the filter blacklist?

GM does not know the difference between http and https as it blocks at the DNS level.

The status where goes dead? What is your default policy and what policy group is your device in?