Contents

Related Topics

Configure WebBlocker Policies for Groups with Firebox Authentication

Many organizations want to allow different levels of access to websites for different groups of users. To do this, you must first set up user authentication. You can then set up different WebBlocker settings for each group of users. At a high level, the steps are:

  • Configure user authentication.
  • Add the users to groups who you want to have different levels of access.
  • Add an HTTP proxy policy for each group of users. The policy includes WebBlocker configuration settings for that group.
  • Remove or modify the default Outgoing policy.
  • Configure authentication settings to automatically redirect users to the WatchGuard authentication page.

Example Scenario

To show how to set up this configuration, we use Policy Manager to configure WebBlocker policies for a school that wants to set different levels of web access for three groups:

  • Students (more restricted access)
  • Teachers (less restricted access)
  • IT (unrestricted access)

Configure Authentication

Before you configure WebBlocker settings, you must set up user authentication. You can use any authentication method, such as Active Directory, local authentication, RADIUS, or LDAP. For information about the supported authentication methods, see Authentication Server Types. In this example , we assume the school wants to use Firebox authentication.

Add Users for Firebox Authentication

  1. Select Setup > Authentication > Authentication Servers.
    The Authentication Servers dialog box appears.

Screen shot of the Authentication Servers dialog box

  1. On the Firebox tab, in the Users section, click Add.
    The Setup Firebox User dialog box appears.

Setup Firebox User dialog box

  1. Type the Name and (optional) a Description of the new user.
    The Name is the user name used to authenticate. The name cannot contain a space.
  2. Type and confirm the Passphrasefor the new user.

When you set this passphrase, the characters are masked and it does not appear in simple text again. If you lose the passphrase, you must set a new passphrase.

  1. In the Session Timeout text box, type or select the maximum length of time the user can send traffic to the external network.

The minimum setting for is one (1) seconds, minutes, hours, or days. The maximum value is 365 days.

  1. In the Idle Timeout text box, type or select the length of time the user can stay authenticated when idle (not passing any traffic to the external network).

The minimum setting is one (1) seconds, minutes, hours, or days. The maximum value is 365 days.

  1. To close the Setup Firebox User dialog box, click OK.
    The Authentication Servers dialog box appears, with the user name added to the Users list.

Repeat these steps to add each user to the Firebox authentication database. For this example, add all students, teachers, and members of the IT team.

Define Firebox Authentication Groups

Next, you must define the user groups that correspond to the different WebBlocker policies you want to use. From Policy Manager, create a group for each different level of website access you want to allow. In this example, we define three groups, Teachers, Students and IT.

  1. Select Setup > Authentication > Authentication Servers.
    The Authentication Servers dialog box appears.

Authentication Servers dialog box with users added

  1. In the User Groups section, click Add .
    The Setup Firebox Group dialog box appears.

Setup Firebox Group

  1. Type a name for the group. For this example, the group name is Teachers.
  2. (Optional) Type a description for the group.
  3. Add the user names of all the teachers to this group. To add a user to the group, select the user name in the Available list. Click the double left arrow icon to move the name to the Member list.
    You can also double-click the user name in the Available list.
  4. After you add all of the teachers to the group, click OK.
    The Authentication Servers dialog box appears with the Teachers user group added.

Screen shot of the Authentication Servers dialog box with added groups

Repeat the same steps to create a group called Students that contains the user names of all the students, and a group called IT that contains the user names of all members of the IT team.

Create an HTTP-proxy Policy for the Students

The Firebox uses two categories of policies to filter network traffic: packet filters and proxies.

Packet filter policy

A packet filter examines each packet's IP and TCP/UDP header. If the packet header information is permitted by the packet filter settings, then the Firebox allows the packet. Otherwise, the Firebox drops the packet.

Proxy policy

A proxy examines both the header information and the content of each packet. If the packet header information and the content of the packet is allowed by the proxy settings, then the Firebox allows the packet. Otherwise, the Firebox drops the packet.

To block access to categories of websites for a group of users, use Policy Manager to create an HTTP proxy policy for those users, and define a WebBlocker action for that policy. The HTTP proxy can then inspect the content and allow or deny the users access to a website based on the WebBlocker categories configured for that policy.

  1. Select Edit > Add Policies.
    The Add Policies dialog box appears.
  2. Expand the Proxies folder and select HTTP-proxy. Click Add.
    The New Policy Properties dialog box appears.

Screen shot of the New Policy Properties dialog box

  1. Change the name of the proxy policy to describe the group it applies to.
    In this example, we call the proxy policy HTTP-proxy-Students.
  2. On the Policy tab, in the From list, select Any-Trusted. Click Remove.
  3. In the From section, click Add to add the user group for this policy.
    The Add Address dialog appears.
  4. Click Add User. Select Firewall and Group from the drop-down lists.
    The Add Authorized Users or Groups dialog box appears.

Sceen shot of the Add Authorized Users or Groups dialog box

  1. Select the Students group. Click Select, then click OK.
    The New Policy Properties dialog box appears with the group Students (Firebox-DB) in the From section of the policy.

New Policy Properties dialog box

  1. Click the View/Edit Proxy icon.
    The HTTP Proxy Action Configuration dialog box appears.

Screen shot of the HTTP Proxy Action Configuration dialog box

  1. From the categories list, select WebBlocker.
    The WebBlocker configuration appears.
  2. Adjacent to the WebBlocker drop-down list, click the New/Clone icon.
    The New WebBlocker Configuration dialog box appears.

Screen shot of the Clone WebBlocker Configuration dialog box

  1. In the Name text box, type a name for this WebBlocker configuration.
    For this example, give this configuration the name Students.
  2. On the Servers tab, click Add, and type the IP address of the WebBlocker server.
  3. Select the Categories tab to show the categories of content that can be blocked.
  4. Select the check box for each content category that you want to block for users in the Students group.

Create an HTTP-Proxy Policy for the Teachers

From Policy Manager, repeat the same steps to set up a different policy for the Teachers group.

  1. Select Edit > Add Policies.
    The Add Policies dialog box appears.
  2. Expand the Proxies folder and select HTTP-proxy. Click Add.
    The New Policy Properties dialog box appears.

Screen shot of the New Policy Properties dialog box

  1. In the Name text box, type a descriptive name for the proxy policy to describe this group.
    For this example, type HTTP-proxy-Teachers.
  2. On the Policy tab, in the From list, select Any-Trusted. Click Remove.
  3. In the From section, click Add to add the user group for this policy.
    For this example, add the group Teachers.
  4. Click Add User. Select Firewall and Group from the drop-down lists.
    The Add Authorized Users or Groups dialog box appears.

Add Authorized Users or Groups dialog box

  1. Select the Teachers group. Click Select. Click OK.
    The New Policy Properties dialog box appears with the group Teachers (Firebox-DB) in the From section of the policy.

Screen shot of the New Policy Properties dialog box

  1. Click the View/Edit Proxy icon.
    The HTTP Proxy Action Configuration dialog box appears.
  2. From the categories list, select WebBlocker.
    The WebBlocker configuration appears.
  3. Adjacent to the WebBlocker drop-down list, click New/Clone icon.
    The New WebBlocker Configuration dialog box appears.
  4. In the Name text box, type a name for this WebBlocker configuration.
    In this example, we use the name Teachers.
  5. On the Servers tab, click Add, then type the IP address of the WebBlocker server.
  6. Select the Categories tab to see the categories of content that can be blocked.

Screen shot of the New WebBlocker Configuration dialog box

  1. Select the check box for each content category that you want to block for users in the Teachers group.

Create an HTTP Packet Filter Policy for the IT Group

The IT team needs unrestricted access to the Internet. Because we do not need a policy to inspect the content of HTTP packets for these users, we use Policy Manager to create an HTTP packet filter policy instead of an HTTP proxy policy.

  1. Select Edit > Add Policies.
    The Add Policies dialog box appears.
  2. Expand the Packet Filters folder and select HTTP. Click Add.
    The New Policy Properties dialog box appears.

Screen shot of the New Policy Properties dialog box

  1. Change the name of the proxy policy to describe the group it applies to.
    In this example, we call the proxy policy HTTP-IT.
  2. On the Policy tab, in the From section, select Any-Trusted. Click Remove.
  3. In the From section, click Add to add the user group for this policy.
    For this example, add the group IT.
  4. Click Add User. Select Firewall and Group from the drop-down lists.
    The Add Authorized Users or Groups dialog box appears.

Add Authorized Users or Groups dialog box

  1. Select the IT group. Click Select. Click OK.
    The New Policy Properties dialog box appears with the group IT (Firebox-DB) in the From section of the policy.

New Policy Properties dialog box HTTP-IT policy

  1. Click OK.

Members of the IT group are no longer affected by WebBlocker restrictions.

Remove or Modify the Outgoing Policy

After you configure your HTTP proxy to add a WebBlocker profile, you must make sure that the default Outgoing policy does not allow network clients to visit websites without user authentication. To do this, you can use Policy Manager to either remove the Outgoing policy and add any other outgoing network policies you need, or you can edit the Outgoing policy to add your WebBlocker authentication user groups. Both options are explained below.

Option 1: Remove the Outgoing Policy and Add Other Outgoing Network Policies

This is the option we recommend if you want increased control over outbound network access. You must know what ports and protocols are necessary to meet the needs of your organization.

First, remove the Outgoing policy:

  1. Select the Outgoing policy.
  2. Select Edit > Delete Policy.
  3. Click Yes to confirm.

Then, add a DNS packet filter policy to allow outbound DNS queries:

  1. Select Edit > Add Policies.
    The Add Policies dialog box appears.
  2. Expand the Packet Filters folder and select DNS. Click Add.
    The New Policy Properties dialog box appears.
  3. Add all of your internal networks to the From section of the policy.
  4. Click OK to save the policy.

Finally, add other custom policies.

Add custom policies for any other necessary outgoing traffic. Examples of other custom policies you may want to add include:

  • UDP
  • SMTP (if you have a mail server)

For information about how to add a custom policy, see About Custom Policies.

Option 2: Add Your User Authentication Groups to the Outgoing Policy

If you are not sure what other outgoing ports and protocols are necessary for your business, or if you are comfortable with the same level of outbound control you have when you use the default configuration, you can modify the Outgoing policy to add your authentication groups.

  1. Double-click the Outgoing policy.
    The Edit Policy Properties dialog box appears.
  2. In the From list, select Any-Trusted. Click Remove.
  3. In the From list, select Any-Optional. Click Remove.
  4. In the From section, click Add.
    The Add Address dialog box appears.
  5. Click Add User. Select Firewall and Group from the drop-down lists.
    The Add Authorized Users or Groups dialog box appears.

Screen shot of the Add Authorized Users or Groups dialog box

  1. Select all three of the user authentication groups you created. Click Select.
  2. Click OK.
    The Edit Policy Properties dialog appears for the Outgoing policy. The selected groups appear in the From section of the policy.

Screen shot of the Edit Policy Properties dialog box

Automatically Redirect Users to the Login Portal

From Policy Manager, you can configure the global authentication settings to automatically send users who have not yet authenticated to the authentication login portal when they try to get access to the Internet.

  1. Select Setup > Authentication > Authentication Settings.
    The Authentication Settings dialog box opens.
  2. Select the Auto redirect users to authentication page for authentication check box.

WebBlocker is now configured to use different policies for different groups of authenticated users, and automatically redirects unauthenticated users to an authentication page.

See Also

Use WebBlocker Actions in Proxy Definitions

About the HTTP-Proxy

Set Global Firewall Authentication Values

Give Us Feedback     Get Support     All Product Documentation     Technical Search