Same, I don't see any hits at all. Neither in V14 or V15, I have been using NGFW Home Pro, never having any results?

I have seen a few people report this sort of experience but I've seen no clear explanations for it. I don't yet have v15 installed but I've had no issues across two installations of v14 (and earlier). I like the cookie filtering most.

My only thought is that using SSL inspector may make a difference, though I've never tested that idea. There are more robust client-side ad blocking solutions. One that seems attractive is uBlock Origin.

I just went through this, here's what I learned. You definitely need SSL inspector running, which means you also need to install the Untangle root certificate on the computers that you want to filter. A few years ago most connections were not encrypted, they were just strait http on port 80, any man in the middle such as Ad Blocker could look inside. Now almost all connections are encrypted, https on port 443. The whole purpose of encrypted connections is to keep 3rd parties from seeing what's inside, so Ad Blocker cannot look inside encrypted connections directly. SSL Inspector will decrypt the connection so that Ad Blocker can look inside. But SSL Inspector only works if your computers have the Untangle root certificate installed, so that the computers trust the Untangle. I'm over simplifying a bit, but the point is (1) enable SSL Inspector, and (2) Install the Untangle root certificate on your machines, and Ad Blocker will work.

Side note; some apps, such as youtube on android, use what's called certificate pinning, where you cannot install a new root certificate. In short this means that enabling SSL Inspector on the Untangle will break youtube for any android phones that are connected through the Untangle. I don't know if apple phones have the same issue or not. So if you want youtube on android phones to work over your wifi while SSL Inspector is enabled, you need to add rules to SSL Inspector to ignore the phones. It's easy, just another step. It can be argued that certificate pinning has some security benefits, but I personally think they're (Google) doing it specifically to prevent things such as ad blocking from working, to protect their revenue stream from ads.

Alternatively, you can use racks. That allows you to customize an instance of SSL Inspector to a device's needs without effectively disabling SSL inspection for that device altogether.

And as a compete alternative to Ad Blocker, there is Web Filter's ad category (or categories) and SNI capability. I like the granularity of Ad Blocker (I can easily allow ads without affecting other filtering) but for those interested in Untangle's perimeter advantage yet not the whole Ad Blocker approach, Web Filter is an effective alternative.

Can you please expand a bit on racks? I would love to keep SSL inspector enabled for the phones, and the caveat of ignoring youtube connections is fine, but so far I've been unable to create an effective rule in SSL Inspector. Using mac address to identify my phone, if I ignore everything then youtube works fine. If I try ignoring only connections that are identified in some way to be youtube, youtube is still broken. I've tried every combination I can think of using SNI Host Name and Certificate Subject to ignore youtube specific connections, but no luck. I copied an example below. Please elaborate on racks, I would love to get SSL Inspector working for the phones but without breaking youtube.

Sure. First of all, "racks" is something of an Untangle legacy term for Policy Manager policies. One of the very cool things about Untangle is the ability to create a policy with its own set of apps, and apps cascade in that a specific policy's apps replace the apps installed in the Default Policy. Any policy that does not contain an app included in the Default Policy uses the Default Policy's instance of that app.

So I have the same sort of situation you do. My wife uses Facebook apps on her iPhone, and SSL Inspector breaks whatever apps those are. But I don't want to uncheck SSL Inspector's default Facebook rule network wide and I don't want to bypass her phone at any level. My solution is to use Policy Manager to create a specific policy that handles her phone.

The first step is to identify her phone. In my case, her phone has a static IP address and her name as a username (manually assigned).

The next step is to create a policy that has a single app installed, SSL Inspector. I uncheck that instance of SSL Inspector's default Facebook rule.

The last step is to create a Policy Manager rule that in my case looks at usernames and directs any device under the target username to my created policy.

The result is that her iPhone is treated just like any other device on the network with the single exception of the change to SSL Inspector's default Facebook rule. Her apps work and I'm content to allow the exception without losing any other Untangle oversight.

Let me know if I've just confused things.

I understand what you're saying. For the one specific case I described above, trying to ignore youtube connections for devices with a specific mac address, I'm not sure how using a policy to apply that rule vs. putting it in the general stack of rules would make a difference? Mostly I'm trying to debug why my rule (screen shot in my previous post) doesn't seem to work, and would applying something different through a policy resolve the issue.