When I try to use the transparent proxy to find and isolate ad network domains, I’m finding that https protocol is not being filtered. Perhaps the Facebook links are using this.
This is a limitation of the transparent proxy. There are some long and hazardous workarounds to it but, as the HAVP forum header suggests, it hasn’t been developed in a long time. I think it has to do with the proxy having to impersonate the secure server somehow.
If the proxy could be specified as an explicit proxy, such that you could add it as a setting in your browser (and enforce it in Group Policy if you use Windows), it might be possible to filter these.
It might also be time for ZS to use a different proxy solution if HAVP isn’t being developed anymore.