
Use a WebBlocker Server Protected by Another Firebox

If you have Fireboxes in different office locations, you can configure WebBlocker on a branch office device to use the WebBlocker Server protected by a central Firebox. There are two ways to configure this:

  • Send the WebBlocker traffic over a BOVPN tunnel. This traffic is encrypted.
  • Send the WebBlocker traffic in clear text through the Internet. This traffic is not encrypted.

In these procedures, the central Firebox is the device that protects the WebBlocker Server. The branch office Firebox is the device that you want to configure to use the WebBlocker Server protected by the central Firebox.

Send WebBlocker Traffic Through the BOVPN Tunnel

If you have a BOVPN tunnel between two Fireboxes, use these steps to send WebBlocker traffic through the tunnel. We recommend this configuration, because all traffic between the branch office device and the central WebBlocker Server is encrypted.

From Policy Manager, configure the WebBlocker Server address on each branch office Firebox.

  1. Select Subscription Services > WebBlocker > Configure.
    The Configure WebBlocker dialog box appears.

Screen shot of the Configure WebBlocker dialog box

  2. Select a Policy Name. Click Configure.
    The WebBlocker Configuration of Policy dialog box for that policy appears.

Screen shot of the WebBlocker Configuration of Policy dialog box

  3. Click Add to add a new WebBlocker Server IP address.
    Or, select an existing IP address. Click Edit.
    The Edit WebBlocker Server dialog box appears.
  4. In the Server IP text box, type the real (private) IP address of the WebBlocker Server protected by the central Firebox.

From Policy Manager, add a tunnel route to the WebBlocker Server in each branch office Firebox.

  1. Select VPN > Branch Office Tunnels.
    The Branch Office IPSec Tunnels dialog box appears.

Screen shot of the Branch Office IPSec Tunnels dialog box

  2. Select the tunnel to the central Firebox. Click Edit.
    The Edit Tunnel dialog box appears.
  3. On the Addresses tab, click Add.
    The Tunnel Route Settings dialog box appears.

Screen shot of the Tunnel Route Settings dialog box

  4. In the Local text box, type the external IP address of this branch office Firebox.
    WebBlocker queries originate from the Firebox itself, not from a trusted network, so the local side of this route is the device's own external IP address.
  5. In the Remote text box, type the private IP address of the WebBlocker Server.
  6. Save the configuration to the device.

From Policy Manager, on the central Firebox, add a tunnel route from the WebBlocker Server to each branch office Firebox.

  1. Select VPN > Branch Office Tunnels.
  2. Click the tunnel to the branch office Firebox to select it. Click Edit.
  3. On the Addresses tab, click Add.
  4. In the Local text box, type the private IP address of the WebBlocker Server.
  5. In the Remote text box, type the external IP address of the branch office Firebox.
  6. If you have more than one branch office Firebox that you want to use this WebBlocker Server, repeat these steps to create a tunnel route from the WebBlocker Server to each branch office Firebox.
  7. Save the configuration to the device.

The branch office Firebox can now use the WebBlocker Server protected by the central Firebox over the encrypted VPN tunnel.

Send WebBlocker Traffic Unencrypted Over the Internet

We do not recommend that you send WebBlocker traffic unencrypted over the Internet. This procedure can be useful if you need a secondary path to the WebBlocker Server for when the VPN tunnel is not available. For more information about a secondary connection, see Configure a Backup Connection to the WebBlocker Server below.

From Policy Manager, configure the WebBlocker Server address on each branch office Firebox.

  1. Select Subscription Services > WebBlocker > Configure.
    The Configure WebBlocker dialog box appears.

Screen shot of the Configure WebBlocker dialog box

  2. Select a Policy Name. Click Configure.
    The WebBlocker Configuration of Policy dialog box for that policy appears.

Screen shot of the WebBlocker Configuration of Policy dialog box

  3. Click Add to add a new WebBlocker Server IP address.
    Or, select an existing WebBlocker Server IP address. Click Edit.
    The Edit WebBlocker Server dialog box appears.
  4. In the Server IP text box, type the external IP address of the central Firebox that protects the WebBlocker Server.
  5. Click OK.
  6. Save the configuration to the device.

From Policy Manager, configure the WG-WebBlocker policy on the central Firebox.

  1. Select Edit > Add Policy.
  2. Expand the Packet Filters folder.
  3. Double-click the WG-WebBlocker policy to add it.
    The New Policy Properties dialog box appears.

Screen shot of the New Policy Properties dialog box

  4. In the From section, click Any-Trusted. Click Remove.
  5. In the From section, click Add.
    The Add Address dialog box appears.

Screen shot of the Add Address dialog box

  6. If the branch office Firebox has a dynamic external IP address, in the Available Members list, select Any-External. Click Add.
    With Any-External, any host on the Internet can connect through the static NAT to the WebBlocker Server, so use this only when the branch office address cannot be known in advance.
  7. If the branch office Firebox has a static external IP address, use these steps to add the Host IP address for each Firebox that will use this WebBlocker Server.
    • Click Add Other.
    • From the Choose type drop-down list, select Host-IP.
    • In the Value text box, type the external IP address of the branch office Firebox. Click OK.
  8. Click OK to close the Add Address dialog box.
  9. In the New Policy Properties dialog box, in the To section, select Any-External. Click Remove.
  10. Click Add.
    The Add Address dialog box appears.
  11. Click Add SNAT.
    The Add SNAT dialog box appears, with the list of SNAT actions already configured.
  12. Click Add to create a new SNAT action.
    The Add SNAT dialog box for the new action appears.

Screen shot of the Add SNAT dialog box

  13. In the SNAT Name text box, type a name to identify this static NAT action.
  14. Click Add.

Screen shot of the Add Static NAT/Server Load Balancing dialog box

  15. From the External IP Address drop-down list, select the external interface IP address.
  16. In the Internal IP Address text box, type the private IP address of the WebBlocker Server. Click OK.
  17. Save the configuration to the device.

The branch office Firebox can now use the WebBlocker Server protected by the central Firebox.

Configure a Backup Connection to the WebBlocker Server

If you configure a Firebox to send WebBlocker queries over the VPN tunnel, and the VPN tunnel goes down, WebBlocker loses access to the WebBlocker Server. For redundancy, you can use the Internet as a secondary path to the WebBlocker Server.

If you configure two connections, make sure that you configure WebBlocker on the branch office Firebox to use the private IP address of the WebBlocker Server as the first WebBlocker Server in the list.

Screen shot of the WebBlocker Configuration dialog box with two servers configured

With this redundant configuration, WebBlocker on the branch office Firebox always tries to reach the WebBlocker Server through the VPN tunnel first. If it cannot connect to the WebBlocker Server over the VPN tunnel, it tries to connect outside the tunnel. While the fallback is in use, the lookups cross the Internet in clear text, so treat a fallen-back branch as a tunnel outage to repair, not as a permanent path.
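The rules from the procedures above (the central tunnel route must mirror the branch route; the private IP must be first in the server list; the WG-WebBlocker policy From list should use Host IP entries rather than Any-External when the branch addresses are static) are easy to get wrong when typed into several dialog boxes. The script below encodes them as checks. It is an added example, not WatchGuard code or a Fireware feature; the Firebox exposes no such API, so the configuration is modelled as plain data, and every IP address and the `TunnelRoute`, `routes_mirror`, `check_server_order` and `check_policy_from` names are constructed for this example.

```python
"""Pre-deployment checks for the two-site WebBlocker Server setup on this page.

Added example, not WatchGuard code. The Firebox has no API like this; the
configuration is modelled as plain data so the values can be checked before
they are typed into Policy Manager. All addresses below are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TunnelRoute:
    """One entry of the Tunnel Route Settings dialog box (Local / Remote)."""
    local: str
    remote: str


def _ip(value: str) -> ipaddress.IPv4Address | ipaddress.IPv6Address:
    return ipaddress.ip_address(value)


def routes_mirror(branch: TunnelRoute, central: TunnelRoute) -> bool:
    """The route on the central Firebox must be the branch route with Local and
    Remote swapped: branch (ext IP -> WB server), central (WB server -> ext IP)."""
    return _ip(branch.local) == _ip(central.remote) and _ip(branch.remote) == _ip(central.local)


def check_server_order(servers: list[str], wb_private_ip: str,
                       central_external_ip: str) -> list[str]:
    """Problems with the WebBlocker Server list on a branch office Firebox.

    With both paths configured, the private IP (reached through the tunnel)
    must be first so the encrypted path is tried before the cleartext one.
    """
    problems: list[str] = []
    if not servers:
        return ["no WebBlocker Server configured"]
    private = _ip(wb_private_ip)
    if not private.is_private:
        problems.append(f"{wb_private_ip} is not a private address; the tunnel route "
                        "and the SNAT internal address would both be wrong")
    if _ip(servers[0]) != private:
        problems.append(f"first server is {servers[0]}; the tunnel path "
                        f"{wb_private_ip} must be first")
    if len(servers) > 1 and _ip(servers[1]) != _ip(central_external_ip):
        problems.append(f"second server is {servers[1]}; the Internet fallback must be "
                        f"the central Firebox external IP {central_external_ip}")
    return problems


def check_policy_from(members: list[str], branch_external_ips: list[str],
                      dynamic_branches: bool = False) -> list[str]:
    """Problems with the From list of the WG-WebBlocker policy on the central Firebox.

    Any-External lets any Internet host reach the SNAT to the WebBlocker Server;
    the page allows it only for branches with dynamic addresses. Otherwise every
    branch office external IP must be listed as a Host IP.
    """
    problems: list[str] = []
    if "Any-Trusted" in members:
        problems.append("Any-Trusted was not removed from the From list")
    if "Any-External" in members:
        if not dynamic_branches:
            problems.append("From contains Any-External although every branch office "
                            "has a static address; list the branch external IPs instead")
        return problems
    listed = set()
    for member in members:
        try:
            listed.add(_ip(member))
        except ValueError:
            pass  # an alias such as Any-Trusted, handled above
    for ip in branch_external_ips:
        if _ip(ip) not in listed:
            problems.append(f"branch office external IP {ip} is missing from the From list")
    return problems


if __name__ == "__main__":
    # Constructed values: branch external 203.0.113.10, central external
    # 198.51.100.1, WebBlocker Server 10.0.1.20 behind the central Firebox.
    branch_route = TunnelRoute(local="203.0.113.10", remote="10.0.1.20")
    central_route = TunnelRoute(local="10.0.1.20", remote="203.0.113.10")
    print("tunnel routes mirror:", routes_mirror(branch_route, central_route))
    print(check_server_order(["198.51.100.1", "10.0.1.20"], "10.0.1.20", "198.51.100.1"))
    print(check_policy_from(["Any-External"], ["203.0.113.10"]))
```

Run it with the addresses of your own sites substituted; an empty list from each check means the dialog box values match the procedure on this page. The Any-External finding is the one to take most seriously, because it is the difference between exposing the WebBlocker Server port to two known branch addresses and exposing it to the whole Internet.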

See Also

About WebBlocker

About Manual Branch Office VPNs
