If you give users unlimited website access, your company can suffer lost productivity and reduced bandwidth. Uncontrolled Internet surfing can also increase security risks and legal liability. The WebBlocker security subscription gives you control of the websites that are available to your users.
WebBlocker uses a database of website addresses, which are identified by content categories. When a user on your network tries to connect to a website, the Firebox examines the WebBlocker database. If the website is not in the database or is not blocked, the page opens. If the website is in the WebBlocker database and is blocked based on the content category of the site, a notification appears and the website is not displayed.
WebBlocker Server Options
When you configure WebBlocker, you have two options for the type of WebBlocker database the Firebox uses to control access to web content.
Websense cloud with Websense categories
Websense cloud is a URL categorization database with over 130 content categories, provided by Websense.
The Websense cloud option does not use a locally installed WebBlocker Server. When you enable WebBlocker for the first time, Websense cloud is selected by default. The Websense cloud option is available for Fireboxes that use Fireware OS v11.7 and higher.
The Firebox sends URL categorization lookups to the Websense cloud unencrypted over HTTP.
Websense is now known as Forcepoint. For more information, see www.forcepoint.com.
WebBlocker Server with SurfControl categories
The WebBlocker Server is a WatchGuard server that uses a URL categorization database with 54 categories, provided by SurfControl.
Firebox T10, XTM 2 Series, and XTM 33 devices can use a WebBlocker Server hosted and maintained by WatchGuard. If you use WebBlocker with the WebBlocker Server on any other Firebox model, you must first set up a local WebBlocker Server on your management computer.
The Firebox sends URL categorization lookups to the WebBlocker server over UDP port 5003.
The WebBlocker Server is installed as part of the WatchGuard System Manager installation.
- To learn how to set up a WebBlocker Server in Fireware Web UI, see Install a Local WebBlocker Server.
- To learn how to set up a WebBlocker Server in Policy Manager, see Set Up a WebBlocker Server.
WebBlocker and Policies
WebBlocker works with the HTTP and HTTPS proxy policies to control web browsing. After you configure WebBlocker, you must apply it to a user-defined HTTP or HTTPS proxy action.
WebBlocker and DNS
WebBlocker requires that you configure DNS servers to allow proper communications with WebBlocker servers.
If no DNS servers are configured, all external interfaces must use either DHCP or PPPoE. If any external interface has a static IP address in this state, DNS is not considered configured and WebBlocker cannot be enabled.
WebBlocker and IPv6
In Fireware v11.12 and higher, Fireware supports IPv6 for proxy policies and subscription services. WebBlocker uses IPv4 to connect to the Websense server. If your Firebox is configured for IPv6 and the WebBlocker configuration uses Websense cloud for URL categorization lookups, you must configure the external interface with both an IPv4 address and an IPv6 address.
To configure WebBlocker, your Firebox must have a WebBlocker service subscription. After you activate or renew your WebBlocker subscription, make sure to get an updated feature key for your Firebox.
For more information about feature keys, see About Feature Keys.
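The server, DNS, and IPv6 requirements above can be checked before WebBlocker is enabled. The following is an added example, not WatchGuard code: the `cfg` dictionary layout, the function names, and the sample values are hypothetical and constructed for illustration.

```python
# Added example: pre-flight check of the WebBlocker prerequisites described above.
# The cfg dictionary layout is hypothetical; it is not a Fireware export format.

def parse_version(text):
    """Turn '11.12.4' into (11, 12, 4) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def webblocker_preflight(cfg):
    """Return (severity, message) findings for a planned WebBlocker setup."""
    findings = []
    externals = cfg["external_interfaces"]

    # DNS rule: with no DNS servers, every external interface must be DHCP or PPPoE.
    if not cfg["dns_servers"]:
        static = [i["name"] for i in externals if i["mode"] not in ("dhcp", "pppoe")]
        if static:
            findings.append(("error", "no DNS servers, static external interface: "
                             + ", ".join(static)))

    if cfg["server_type"] == "websense_cloud":
        if parse_version(cfg["fireware_version"]) < (11, 7):
            findings.append(("error", "Websense cloud needs Fireware OS v11.7 or higher"))
        # Lookups use IPv4, so an IPv6 external interface also needs an IPv4 address.
        for i in externals:
            if i["ipv6"] and not i["ipv4"]:
                findings.append(("error", i["name"] + " has IPv6 but no IPv4 address"))
        findings.append(("info", "lookups go to the Websense cloud unencrypted over HTTP"))
    elif cfg["server_type"] == "webblocker_server":
        findings.append(("info", "lookups go to the WebBlocker Server over UDP port 5003"))
    else:
        raise ValueError("unknown server_type: " + repr(cfg["server_type"]))
    return findings

# Constructed sample: no DNS servers, one static IPv6-only external interface.
SAMPLE = {
    "fireware_version": "11.12",
    "server_type": "websense_cloud",
    "dns_servers": [],
    "external_interfaces": [
        {"name": "eth0", "mode": "dhcp", "ipv4": True, "ipv6": False},
        {"name": "eth1", "mode": "static", "ipv4": False, "ipv6": True},
    ],
}

if __name__ == "__main__":
    for severity, message in webblocker_preflight(SAMPLE):
        print(severity.upper() + ": " + message)
```

The `info` findings record which transport the lookups use, so the unencrypted HTTP path to the Websense cloud or the UDP port 5003 path to the WebBlocker Server can be accounted for in the network design.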