diff --git a/op-mode-definitions/webproxy.xml.in b/op-mode-definitions/webproxy.xml.in
index 4e555c3d9..57df44ff8 100644
--- a/op-mode-definitions/webproxy.xml.in
+++ b/op-mode-definitions/webproxy.xml.in
@@ -1,95 +1,106 @@
 <?xml version="1.0"?>
 <interfaceDefinition>
   <node name="monitor">
     <children>
       <node name="log">
         <children>
           <node name="webproxy">
             <properties>
               <help>Monitor last lines of Webproxy log</help>
             </properties>
             <command>journalctl --no-hostname --boot --follow --unit squid.service</command>
             <children>
               <leafNode name="access-log">
                 <properties>
                   <help>Monitor the last lines of the Webproxy access log</help>
                 </properties>
                 <command>if [ -f /var/log/squid/access.log ]; then sudo tail --follow=name /var/log/squid/access.log; else echo "WebProxy access-log does not exist"; fi</command>
               </leafNode>
               <leafNode name="cache-log">
                 <properties>
                   <help>Monitor the last lines of the Webproxy cache log</help>
                 </properties>
                 <command>if [ -f /var/log/squid/cache.log ]; then sudo tail --follow=name /var/log/squid/cache.log; else echo "WebProxy cache-log does not exist"; fi</command>
               </leafNode>
             </children>
           </node>
         </children>
       </node>
     </children>
   </node>
   <node name="restart">
     <children>
       <node name="webproxy">
         <properties>
           <help>Restart WebProxy service</help>
         </properties>
         <command>if cli-shell-api existsActive service webproxy; then sudo systemctl restart squid.service; else echo "Service WebProxy not configured"; fi</command>
       </node>
     </children>
   </node>
   <node name="show">
     <children>
       <node name="webproxy">
         <properties>
           <help>Show WebProxy information</help>
         </properties>
         <children>
           <!-- missing blacklist command -->
           <node name="blacklist">
             <properties>
               <help>Show webproxy blacklist information</help>
             </properties>
             <children>
               <node name="categories">
                 <properties>
                   <help>Show webproxy blacklist categories</help>
                 </properties>
                 <command>${vyos_completion_dir}/list_webproxy_category.sh</command>
               </node>
             </children>
           </node>
           <node name="log">
             <properties>
               <help>Show contents of WebProxy access log</help>
             </properties>
             <command>if [ -e /var/log/squid/access.log ]; then sudo less $_vyatta_less_options --prompt="file %i of %m, page %dt of %D" -- `printf "%s\n" /var/log/squid/access.log* | sort -nr`; else echo "No WebProxy log"; fi</command>
           </node>
           <node name="update-log">
             <properties>
               <help>Show update log for url-filter database</help>
             </properties>
             <command>if [ -e /opt/vyatta/etc/config/url-filtering/squidguard/updatestatus ]; then cat /opt/vyatta/etc/config/url-filtering/squidguard/updatestatus; else echo "Update log not found"; fi</command>
           </node>
         </children>
       </node>
     </children>
   </node>
   <node name="update">
     <children>
       <node name="webproxy">
         <properties>
           <help>Update WebProxy</help>
         </properties>
         <children>
           <node name="blacklists">
             <properties>
               <help>Update the webproxy blacklist database</help>
             </properties>
             <command>sudo ${vyos_op_scripts_dir}/webproxy_update_blacklist.sh --update-blacklist</command>
+            <children>
+              <tagNode name="vrf">
+                <properties>
+                  <help>Update webproxy blacklist database via specified VRF</help>
+                  <completionHelp>
+                    <path>vrf name</path>
+                  </completionHelp>
+                </properties>
+                <command>sudo ${vyos_op_scripts_dir}/webproxy_update_blacklist.sh --update-blacklist --vrf "${5}" </command>
+              </tagNode>
+            </children>
           </node>
         </children>
       </node>
     </children>
   </node>
 </interfaceDefinition>
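Review bot: The new `vrf` tagNode hands whatever the operator types as `${5}` to a script run under sudo; `completionHelp` with `<path>vrf name</path>` only offers suggestions and does not reject a name that is not configured. The `restart webproxy` node in this file already guards its command with `cli-shell-api existsActive`, and the same guard fits here, assuming the completion path is also the config path: `if cli-shell-api existsActive vrf name "${5}"; then sudo ${vyos_op_scripts_dir}/webproxy_update_blacklist.sh --update-blacklist --vrf "${5}"; else echo "VRF ${5} does not exist"; fi`. That keeps an unknown or malformed name from reaching the download step at all. The trailing space before `</command>` can also go.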
diff --git a/src/op_mode/webproxy_update_blacklist.sh b/src/op_mode/webproxy_update_blacklist.sh
index 4fb9a54c6..05ea86f9e 100755
--- a/src/op_mode/webproxy_update_blacklist.sh
+++ b/src/op_mode/webproxy_update_blacklist.sh
@@ -1,131 +1,138 @@
 #!/bin/sh
 #
 # Copyright (C) 2020 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
 # published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 blacklist_url='ftp://ftp.univ-tlse1.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz'
 data_dir="/opt/vyatta/etc/config/url-filtering"
 archive="${data_dir}/squidguard/archive"
 db_dir="${data_dir}/squidguard/db"
 conf_file="/etc/squidguard/squidGuard.conf"
 tmp_conf_file="/tmp/sg_update_db.conf"
 
 #$1-category
 #$2-type
 #$3-list
 create_sg_db ()
 {
        FILE=$db_dir/$1/$2
        if test -f "$FILE"; then
                 rm -f ${tmp_conf_file}
                 printf "dbhome $db_dir\ndest $1 {\n     $3      $1/$2\n}\nacl {\n       default {\n             pass    any\n   }\n}" >> ${tmp_conf_file}
                 /usr/bin/squidGuard -b -c ${tmp_conf_file} -C $FILE
                 rm -f ${tmp_conf_file}
        fi
 
 }
 
 while [ $# -gt 0 ]
 do
     case $1 in
     --update-blacklist)
         update="yes"
         ;;
     --auto-update-blacklist)
         auto="yes"
         ;;
+    --vrf)
+        vrf="yes"
+        ;;
     (-*) echo "$0: error - unrecognized option $1" 1>&2; exit 1;;
     (*) break;;
     esac
     shift
 done
 
 if [ ! -d ${db_dir} ]; then
     mkdir -p ${db_dir}
     getent passwd proxy 2> /dev/null
     if [ $? -ne 0 ]; then
         echo "proxy system user does not exist"
         exit 1
     fi
     getent group proxy 2> /dev/null
     if [ $? -ne 0 ]; then
         echo "proxy system group does not exist"
         exit 1
     fi
     chown proxy:proxy ${db_dir}
 fi
 
 free_space=$(expr $(df ${db_dir} | grep -v Filesystem | awk '{print $4}') \* 1024)
 mb_size="100"
 required_space=$(expr $mb_size \* 1024 \* 1024) # 100 MB
 if [ ${free_space} -le ${required_space} ]; then
     echo "Error: not enough disk space, required  ${mb_size} MiB"
     exit 1
 fi
 
 if [[ -n $update ]] && [[ $update -eq "yes" ]]; then
     tmp_blacklists='/tmp/blacklists.gz'
-    curl -o $tmp_blacklists $blacklist_url
+    if [[ -n $vrf ]] && [[ $vrf -eq "yes" ]]; then
+        sudo ip vrf exec $1 curl -o $tmp_blacklists $blacklist_url
+    else
+        curl -o $tmp_blacklists $blacklist_url
+    fi
     if [ $? -ne 0 ]; then
         echo "Unable to download [$blacklist_url]!"
         exit 1
     fi
     echo "Uncompressing blacklist..."
     tar --directory /tmp -xf $tmp_blacklists
     if [ $? -ne 0 ]; then
         echo "Unable to uncompress [$blacklist_url]!"
     fi
 
     if [ ! -d ${archive} ]; then
         mkdir -p ${archive}
     fi
 
     rm -rf ${archive}/*
     count_before=$(find ${db_dir} -type f \( -name domains -o -name urls \) | xargs wc -l | tail -n 1 | awk '{print $1}')
     mv ${db_dir}/* ${archive} 2> /dev/null
     mv /tmp/blacklists/* ${db_dir}
     if [ $? -ne 0 ]; then
         echo "Unable to install [$blacklist_url]"
         exit 1
     fi
     mv ${archive}/local-* ${db_dir} 2> /dev/null
     rm -rf /tmp/blacklists $tmp_blacklists 2> /dev/null
     count_after=$(find ${db_dir} -type f \( -name domains -o -name urls \) | xargs wc -l | tail -n 1 | awk '{print $1}')
 
     # fix permissions
     chown -R proxy:proxy ${db_dir}
 
     #create db
     category_list=(`find $db_dir -type d -exec basename {} \; `)
     for category in ${category_list[@]}
     do
         create_sg_db $category "domains" "domainlist"
         create_sg_db $category "urls" "urllist"
         create_sg_db $category "expressions" "expressionlist"
     done
     chown -R proxy:proxy ${db_dir}
     chmod 755 ${db_dir}
 
     logger --priority WARNING "webproxy blacklist entries updated (${count_before}/${count_after})"
 
 else
     echo "SquidGuard blacklist updater"
     echo ""
     echo "Usage:"
     echo "--update-blacklist            Download latest version of the SquidGuard blacklist"
     echo "--auto-update-blacklist       Automatically update"
     echo ""
     exit 1
 fi
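Review bot: The added `sudo ip vrf exec $1 curl -o $tmp_blacklists $blacklist_url` expands the VRF name unquoted, so the value the op-mode definition passes as one quoted argument is word-split again here, and anything after the first word is read by `ip vrf exec` as the command to run, in a script that already runs under sudo. Quote it and reject a missing name before the download: `[ -n "$1" ] || { echo "$0: --vrf requires a VRF name" 1>&2; exit 1; }` followed by `ip vrf exec "$1" curl -o "$tmp_blacklists" "$blacklist_url"`. The name is only reachable as `$1` because the option loop breaks at the first non-option word, so `--vrf NAME --update-blacklist` would never set `update`; storing the name inside the `--vrf)` arm would remove that ordering dependency. The test `[[ $vrf -eq "yes" ]]` copies the existing `$update` check, where `-eq` is an arithmetic comparison and both sides evaluate to 0, whereas `=` is the string comparison. The usage text at the end of the script does not mention `--vrf`.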