About WebBlocker

If you give users unlimited website access, your company can suffer lost productivity and reduced bandwidth. Uncontrolled Internet surfing can also increase security risks and legal liability. The WebBlocker security subscription gives you control of the websites that are available to your users.

WebBlocker uses a database of website addresses that are identified by content categories. When a user on your network tries to connect to a website, the Firebox looks up the website address in the WebBlocker database. If the website is not in the database or is not denied in the WebBlocker configuration, the page opens. If the website is in the WebBlocker database and is denied based on the content category of the site, a notification appears and the website content is not displayed.

WebBlocker Actions and Proxy Policies

You can define multiple WebBlocker actions. In each WebBlocker action you select the content categories WebBlocker denies access to.

WebBlocker works with the HTTP and HTTPS proxy policies to control web browsing. After you configure a WebBlocker action, you must apply it to an HTTP proxy or HTTPS proxy action. WebBlocker is not supported in HTTPS server proxy actions.

WebBlocker and DNS

To enable the Firebox to connect to the WebBlocker servers, you must configure DNS servers on the Firebox.

If there are no DNS servers configured, all external interfaces must use either DHCP or PPPoE. If any external interfaces are configured with a static IP address, you must manually configure DNS servers before you can enable WebBlocker. For more information, see Add WINS and DNS Server Addresses.

WebBlocker and IPv6

In Fireware v11.12 and higher, Fireware supports IPv6 for proxy policies and subscription services. WebBlocker uses IPv4 to connect to the Websense server. If your Firebox is configured for IPv6 and the WebBlocker configuration uses Websense cloud for URL categorization lookup requests, you must configure the external interface with both an IPv4 address and an IPv6 address.

WebBlocker Licensing

To configure WebBlocker, your Firebox must have a WebBlocker service subscription. After you activate or renew your WebBlocker subscription, make sure to get an updated feature key for your Firebox.

For more information about feature keys, see About Feature Keys.

WebBlocker Server Options

WebBlocker supports two options for the WebBlocker server, which defines the database the Firebox uses to categorize web content. By default, WebBlocker uses the Websense cloud.

Websense cloud (recommended)

Websense cloud is a URL categorization database with over 130 content categories, provided by Websense.

The Websense cloud option does not use a locally installed WebBlocker Server. When you enable WebBlocker for the first time, Websense cloud is selected by default.

The Firebox sends URL categorization lookup requests to the Websense cloud encrypted over HTTPS. In versions lower than 12.0, lookup requests are sent unencrypted over HTTP.

Websense is now known as Forcepoint. For more information, see www.forcepoint.com.

WebBlocker Server with SurfControl

The WebBlocker Server is a WatchGuard server that uses a URL categorization database with 54 categories, provided by SurfControl.

Firebox T10, T15, XTM 2 Series, and XTM 33 devices can use a WebBlocker Server hosted and maintained by WatchGuard. If you use WebBlocker with the WebBlocker Server on any other Firebox model, you must first set up a local WebBlocker Server on your management computer.

The Firebox sends URL categorization lookup requests to the WebBlocker server over UDP port 5003.