If you want all updatable vms to go through sys-whonix try settings below.
sudo nano /etc/qubes-rpc/policy/qubes.UpdatesProxy
@type:TemplateVM @default allow,target=sys-whonix
@type:TemplateVM @anyvm deny
@tag:whonix-updatevm @default allow,target=sys-whonix
@tag:whonix-updatevm @anyvm deny
@type:StandaloneVM @default allow,target=sys-whonix
@type:StandaloneVM @anyvm deny
To update air-gapped StandaloneVM, add updates-proxy-setup in the vm’s settings from Services tap. Also, disable all updater checks and uncheck for dom0 updates and for qubes updates in Qubes Global Settings as far as I remember they do not go through whonix traffic.
Have a look at 90-default.policy and edit if any lines below are missing.
sudo nano /etc/qubes/policy.d/90-default.policy
# HTTP proxy for downloading updates
# Upgrade all TemplateVMs through sys-whonix.
#qubes.UpdatesProxy * @type:TemplateVM @default allow target=sys-whonix
# Upgrade Whonix TemplateVMs through sys-whonix.
qubes.UpdatesProxy * @tag:whonix-updatevm @default allow target=sys-whonix
# Deny Whonix TemplateVMs using UpdatesProxy of any other VM.
qubes.UpdatesProxy * @tag:whonix-updatevm @anyvm deny
# Default rule for all TemplateVMs - direct the connection to sys-whonix.
qubes.UpdatesProxy * @type:TemplateVM @default allow target=sys-whonix
qubes.UpdatesProxy * @type:TemplateVM @anyvm deny
# rules for StandaloneVMs - direct the connection to sys-whonix.
qubes.UpdatesProxy * @type:StandaloneVM @default allow target=sys-whonix
qubes.UpdatesProxy * @type:StandaloneVM @anyvm deny
qubes.UpdatesProxy * @anyvm @anyvm deny
In the official documents @ character is advised over $.
If fresh install files still have $ character in /etc/qubes-rpc/policy, then optionally you can try:
cd /etc/qubes-rpc/policy
for i in qubes* whonix*; do
sed -i 's/\$/\@/g' $i
done
This will replace every $ to @ in every files in /etc/qubes-rpc/policy.