Best Practices and Troubleshooting for WebBlocker
Websense or SurfControl?
WatchGuard recommends that you use Websense Cloud for most networks. Websense Cloud is a URL categorization database with more than 100 content categories, provided by Websense. Websense Cloud uses globally distributed servers to respond quickly to users all over the world, but Websense lookups may perform poorly over high-latency connections.
The local WatchGuard WebBlocker Server hosts the SurfControl URL categorization database, which has 54 categories. This database has fewer categories and requires that you install a WebBlocker Server on the local network. Smaller devices such as the XTM-33 and Firebox T10 can also connect to a WebBlocker Server hosted by WatchGuard.
Use WebBlocker for outbound HTTP and HTTPS proxy policies. You can also use WebBlocker on a TCP-UDP proxy to categorize sites on ports other than 80 and 443.
For best performance, WatchGuard recommends you create WebBlocker Exceptions with regular expressions. When you use a pattern match or exact match, the Firebox device must convert this to a regular expression before it evaluates each site. When you use a regular expression, this step is not necessary and the lookup occurs more quickly. For more information and configuration instructions, see the knowledge base article Use regular expressions in proxy definitions.
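The trade-off is that a regular expression is used exactly as you wrote it, so escaping and anchoring become your responsibility. The following is an added Python example, not Firebox code, that illustrates this with the standard re module. The pattern_to_regex conversion rule (a * matches any run of characters, everything else is literal) is an assumption made for the illustration and is not a description of how Fireware performs the conversion; the list of sites is constructed.

```python
import re

# Constructed test sites (host/path), including two look-alikes that a
# sloppy regular expression would wrongly match.
SITES = [
    "www.example.com/index.html",
    "example.com/",
    "exampleXcom/",                     # unescaped "." in example.com matches this
    "www.example.com.evil.net/login",   # unanchored example.com matches this too
]


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Assumed conversion for this example only: '*' matches any run of
    characters, every other character is literal. This models the extra
    step a pattern match needs before evaluation, not Fireware's own code."""
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$", re.IGNORECASE)


def match_pattern(pattern: str, sites=SITES):
    """Sites matched by a pattern-match exception (conversion happens first)."""
    rx = pattern_to_regex(pattern)
    return [s for s in sites if rx.search(s)]


def match_regex(regex_source: str, sites=SITES):
    """Sites matched by a regular-expression exception, used exactly as written."""
    rx = re.compile(regex_source, re.IGNORECASE)
    return [s for s in sites if rx.search(s)]


if __name__ == "__main__":
    print("pattern *.example.com/*        ->", match_pattern("*.example.com/*"))
    print("regex   example.com            ->", match_regex("example.com"))  # too broad
    print("regex   ^(.*\\.)?example\\.com/ ->", match_regex(r"^(.*\.)?example\.com/"))
```

The unescaped, unanchored regex `example.com` matches all four constructed sites, including the look-alike host and the attacker-controlled sub-domain; the escaped and anchored form matches only the two intended ones. Write WebBlocker regular-expression exceptions with escaped dots and an anchor, or the exception is wider than the category policy it overrides.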
WebBlocker does not evaluate the query string (any text that follows the question mark) of an HTTP request when it categorizes a URL. To deny a specific query, use the URL Paths configuration of the HTTP proxy instead. For more information on how to deny specific paths with the HTTP Proxy, see HTTP Request: URL Paths.
If you need to create a WebBlocker exception for traffic on non-standard ports, see the knowledge base article Add a WebBlocker exception for traffic on non-standard ports.
HTTP Proxy Exceptions or WebBlocker Exceptions
When you configure an HTTP proxy policy with WebBlocker, it is important to remember that the two exception lists do different jobs. HTTP Proxy Exceptions only affect how the proxy action handles the content of sites that users get through the proxy. WebBlocker Exceptions only affect whether WebBlocker blocks or allows a site.
An HTTP Proxy Exceptions entry for a site does not prevent WebBlocker from blocking that site, and a WebBlocker Exception does not change whether the HTTP proxy action alters or removes the content the user receives.
Allow Access only to Specific Web Sites
If you plan to allow users access only to specific sites with the HTTP Proxy, WebBlocker is not necessary. Configure the HTTP Proxy to allow only specific paths in the HTTP request and deny everything else. To learn more, see HTTP Request: URL Paths.
WebBlocker over HTTPS without Content Inspection
Fireware v11.9.4 and higher
In versions v11.9.4 and higher, WebBlocker examines both the Server Name Indication (SNI) and the Common Name (CN) fields during the certificate exchange to determine the web address. This allows WebBlocker to successfully identify the domain or sub-domain of a website to block or allow.
Fireware v11.9.3 and lower
In versions 11.9.3 and lower, WebBlocker uses only the Common Name (CN) field on a certificate to determine the web address of a web site. With this configuration, WebBlocker cannot consistently block or allow sites with a wildcard value in the CN field, such as *.google.com, or *.yahoo.com without the use of Content Inspection on the HTTPS Proxy.
WebBlocker may also fail to block HTTPS sites that present wildcard certificates. For more information, see the knowledge base article Block HTTPS Sites that use wildcard certificates.
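To see why the SNI field makes the difference, the following added Python example (not WatchGuard code) builds a minimal TLS 1.2 ClientHello with an SNI extension, parses the host name back out of it, and then models the two decision rules described above. The ClientHello layout follows RFC 5246 and RFC 6066; host_for_webblocker, its use_sni flag, and the sample host names are assumptions made for the illustration and do not describe Fireware internals.

```python
import struct
from typing import Optional


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (RFC 5246), with an
    SNI extension (RFC 6066) when a hostname is given. The random bytes and
    cipher suite are dummies; only the layout matters for the parser."""
    body = b"\x03\x03" + b"\x00" * 32          # client_version + random
    body += b"\x00"                            # empty session_id
    body += b"\x00\x02\xc0\x2f"                # one cipher suite
    body += b"\x01\x00"                        # null compression only
    if hostname is not None:
        name = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # type host_name
        name_list = struct.pack("!H", len(entry)) + entry
        ext = b"\x00\x00" + struct.pack("!H", len(name_list)) + name_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name carried in the SNI extension of a ClientHello,
    or None when the record is not a ClientHello or carries no SNI."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    hs_len = int.from_bytes(record[6:9], "big")
    hs = record[9:9 + hs_len]
    pos = 2 + 32                                          # client_version, random
    pos += 1 + hs[pos]                                    # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + hs[pos]                                    # compression_methods
    if pos + 2 > len(hs):
        return None                                       # no extensions block
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, ext_body_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:                            # server_name extension
            lpos, lend = pos + 2, pos + ext_body_len      # skip the list length
            while lpos + 3 <= lend:
                name_type = hs[lpos]
                name_len = struct.unpack("!H", hs[lpos + 1:lpos + 3])[0]
                if name_type == 0:                        # host_name entry
                    return hs[lpos + 3:lpos + 3 + name_len].decode("ascii")
                lpos += 3 + name_len
        pos += ext_body_len
    return None


def host_for_webblocker(sni: Optional[str], cert_cn: str, use_sni: bool) -> Optional[str]:
    """Assumed model of the two behaviours described above, not Fireware code.
    use_sni=True  : Fireware 11.9.4 and higher, SNI first, certificate CN as fallback.
    use_sni=False : Fireware 11.9.3 and lower, certificate CN only.
    A wildcard CN cannot identify the sub-domain, so the result is None."""
    if use_sni and sni:
        return sni
    if cert_cn.startswith("*."):
        return None
    return cert_cn


if __name__ == "__main__":
    hello = build_client_hello("mail.google.com")
    sni = extract_sni(hello)
    print("SNI:", sni)
    print("11.9.4 and higher:", host_for_webblocker(sni, "*.google.com", use_sni=True))
    print("11.9.3 and lower :", host_for_webblocker(sni, "*.google.com", use_sni=False))
```

With SNI available the exact host (mail.google.com) can be categorized; with only a wildcard CN (*.google.com) there is no way to tell which sub-domain the user requested, which is the gap that content inspection closes on the older releases. Note that a client that omits SNI still falls back to the CN on either release.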
Server Selection and DNS
To optimize the performance of WebBlocker with Websense, see the knowledge base article Optimize WebBlocker with Websense Performance.
Call Home Behavior
WebBlocker with Websense creates an HTTP connection to one of 15 Websense data centers worldwide for URL categorization.
WebBlocker with SurfControl creates a UDP 5003 connection to the configured local WebBlocker server for URL categorization.
Troubleshoot WebBlocker
To examine an issue with WebBlocker, you must first have a clear understanding of the scope of the issue:
- Does this impact only specific sites or all web traffic?
- Is this an issue of sites incorrectly blocked or incorrectly allowed?
Only Impacts Certain Sites
If you find that some sites are incorrectly blocked, or not blocked, there are a few possible causes:
- This can occur if the site does not fall in the category you expect. To learn how to test which category a site falls under, and how to suggest a change, visit the WatchGuard Security Portal. Remember that you can always create a WebBlocker exception to block or allow a site if you do not want to change how you handle the full category.
When a site is allowed or denied based on the category, the traffic logs may contain a message like:
Allow 1-Trusted 0-External tcp 10.0.1.2 18.104.22.168 50790 80 msg="ProxyAllow: HTTP Request categories" proxy_act="HTTP-Client.2" cats="Reference Materials" op="GET" dstname="www.walkscore.com" arg="/" (HTTP-proxy-00)
- This can occur if WebBlocker is not enabled on the HTTPS proxy action. Sites accessed over HTTPS are not blocked unless WebBlocker is enabled for the HTTPS proxy.
- This can occur if WebBlocker is enabled for HTTPS, but the HTTPS proxy action does not use content inspection. To learn more, see this known issue: WebBlocker may fail to block HTTPS sites with wildcard certificates.
- If you use the installed WebBlocker database powered by SurfControl, keep it up to date for correct categorization. With WatchGuard System Manager version 11.6 and higher, this update is automatic, but the host PC that runs the WebBlocker Server must be able to connect outbound on port 5003, both TCP and UDP.
Impacts All Sites
If all user traffic is allowed or all traffic is denied, there are several possible causes to consider:
- The policy configuration could be incorrect. Make sure the user web traffic is handled by the correct HTTP, HTTPS, or TCP-UDP proxy policy for the WebBlocker action.
- If you use Websense Cloud for WebBlocker, the Firebox device may be unable to reach the Websense servers, or may not receive a timely response. For more information on how to resolve common connection problems with Websense, see Optimize WebBlocker with Websense Performance.
- If you use the local WebBlocker Server installed with WatchGuard System Manager (SurfControl), make sure that the server is running and able to reply.
If the WebBlocker server is inactive, or WebBlocker has an incorrect IP address in the configuration, you may see a log message such as:
Deny 2-Internal-traffic 4-External-traffic tcp 192.168.2.23 22.214.171.124 60921 80 msg="ProxyDeny: HTTP Service unavailable" proxy_act="HTTP-Client.1" service="WebBlocker.1" details="Webblocker server is not available" (HTTP-proxy-00)
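To triage these messages at scale, the following added Python example (not WatchGuard code) parses Firebox proxy traffic log lines into fields, separates WebBlocker category decisions from WebBlocker server failures, and summarizes the result. The sample log is constructed: it contains the two lines quoted in this article plus one invented "Gambling" deny line so that the summary has more than one category to count. The function names are the example's own.

```python
import re
from collections import Counter

# Constructed sample: the two log lines quoted in this article plus one
# invented category deny (203.0.113.10 / bets.example are documentation values).
SAMPLE_LOG = """\
Allow 1-Trusted 0-External tcp 10.0.1.2 18.104.22.168 50790 80 msg="ProxyAllow: HTTP Request categories" proxy_act="HTTP-Client.2" cats="Reference Materials" op="GET" dstname="www.walkscore.com" arg="/" (HTTP-proxy-00)
Deny 1-Trusted 0-External tcp 10.0.1.7 203.0.113.10 51022 80 msg="ProxyDeny: HTTP Request categories" proxy_act="HTTP-Client.2" cats="Gambling" op="GET" dstname="bets.example" arg="/" (HTTP-proxy-00)
Deny 2-Internal-traffic 4-External-traffic tcp 192.168.2.23 22.214.171.124 60921 80 msg="ProxyDeny: HTTP Service unavailable" proxy_act="HTTP-Client.1" service="WebBlocker.1" details="Webblocker server is not available" (HTTP-proxy-00)
"""

# Fixed positional fields at the start of a proxy traffic log line.
HEADER = re.compile(
    r"^(?P<disp>Allow|Deny)\s+(?P<src_if>\S+)\s+(?P<dst_if>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src_ip>\S+)\s+(?P<dst_ip>\S+)\s+(?P<src_port>\d+)\s+(?P<dst_port>\d+)\s+"
)
KEY_VALUE = re.compile(r'(\w+)="([^"]*)"')          # key="quoted value" pairs
POLICY = re.compile(r"\((\S+)\)\s*$")                # trailing (policy-name)


def parse_line(line):
    """Split one proxy log line into a dict, or return None if it is not one."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(dict(KEY_VALUE.findall(line)))
    p = POLICY.search(line)
    if p:
        rec["policy"] = p.group(1)
    return rec


def classify(rec):
    """server_unavailable: the proxy denied because WebBlocker could not answer
    (it fails closed, which users experience as 'all sites blocked').
    category_allow / category_deny: a normal WebBlocker category decision."""
    if "server is not available" in rec.get("details", "").lower():
        return "server_unavailable"
    if "categories" in rec.get("msg", ""):
        return "category_" + rec["disp"].lower()
    return "other"


def summarize(log_text):
    summary = {"records": [], "by_category": Counter(), "server_unavailable": 0}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rec["kind"] = classify(rec)
        if rec["kind"] == "server_unavailable":
            summary["server_unavailable"] += 1
        elif rec["kind"].startswith("category_"):
            summary["by_category"][(rec["cats"], rec["disp"])] += 1
        summary["records"].append(rec)
    return summary


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for (cat, disp), n in s["by_category"].items():
        print(f"{disp:5s} {cat}: {n}")
    if s["server_unavailable"]:
        print(f"WebBlocker server unavailable: {s['server_unavailable']} denies,"
              " check that the server is running and its IP address is correct")
```

A run of "HTTP Service unavailable" denies with details="Webblocker server is not available" points at the server or its configured IP address rather than at categorization, so it belongs in the Impacts All Sites branch above; a mix of category allows and denies with an unexpected cats value points at the Only Impacts Certain Sites branch.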