Re: Web filter override
Did it match the policy with the correct webfilter profile?
Policies are always exempt, i.e. once one policy matches the packet the rest will not be applied anymore.
Some flow debug will show you which policy got the packet.
diag debug enable
diag debug flow show console enable
diag debug flow filter clear|list|<filter>
diag debug trace start <numberofpacketstotrace>
Probably filter for the destination ip (not sure if you could us FQDN here, probably not because this is ip layer) and then try to ping or http access the site from your client and watch your cli.
Btw: if you want to identify the policy in gui you have to turn on the id column in the view first because the number shown by default is not the policy id and flow trace on cli shows the policy id.