Get Started with WebBlocker

To use WebBlocker, you must define WebBlocker actions for at least one WebBlocker profile, which specifies the WebBlocker Server to use and the content categories to block. Then you can apply the WebBlocker profile to a user-defined HTTP or HTTP proxy policy.

When a user tries to visit a web site, your XTM device sends a request to the WebBlocker Server to find out if the user can get access to that web site based on the site category. The result of this request is saved in a cache. You can change the size of this cache to improve performance.

Before You Begin

For all XTM devices except the XTM 2 Series, you must install a local WebBlocker server before you can configure WebBlocker.

For more information, see Configure a Local WebBlocker Server.

Create WebBlocker Profiles

1. Select Subscription Services > WebBlocker.
   The WebBlocker page appears.

2. In the WebBlocker Profiles section, click New.
   The WebBlocker settings page appears.

3. In the Profile Name text box, type a name for the WebBlocker profile.
4. In the Server Timeout section, set the server timeout settings:

If your Firebox cannot connect to the WebBlocker server in

Set the number of seconds to try to connect to the server before the XTM device times out.

Alarm

Select to send an alarm when the XTM device cannot connect to the WebBlocker Server and times out. To set parameters for the alarms, click the Alarm tab. For information about the settings on the Alarm tab, see Set Logging and Notification Preferences.

Log this action

Select to send a message to the log file if the XTM device times out.

Allow the user to view the web site

Select if you want to allow the user to see the web site if the XTM device times out and does not connect to the WebBlocker Server.

Deny access to the web site

Select to deny access if the XTM device times out.

Optionally select the Alarm or Log this action

5. To control whether users on your network can access web sites if WebBlocker is enabled but the WebBlocker security subscription expires, from the When the WebBlocker license expires, access to all sites is drop-down list, select one of these options:

Denied

Select this option to block access to all web sites when the WebBlocker license expires.

Allowed

Select this option to allow access to all web sites when the WebBlocker license expires.

By default, License Bypass is configured to block access to all web sites if your WebBlocker security subscription is expired. This is the most secure option if you must block your users from specific types of content.

For information about how to renew your security subscription, see Renew Subscription Services.

6. To improve WebBlocker performance, increase the Cache Size value.
7. In the WebBlocker Servers section, configure a WebBlocker Server.

If your XTM device is a 2 Series model, you can either use a WebBlocker Server hosted by WatchGuard or use a local WebBlocker server. To use the WatchGuard hosted WebBlocker Server, select the Use WatchGuard hosted WebBlocker Server check box. This option is only available if your device is an XTM 2 Series.

To add an entry for a local WebBlocker Server:

• In the IP text box, type the IP address of your WebBlocker Server.
• In the Port text box, type or select the port number. The default port number for the WebBlocker Server is 5003.
• To add the WebBlocker Server to the list, click Add.

You can add a second WebBlocker Server to use as a backup server if the XTM device cannot connect to the primary server. Follow the same steps to add a backup WebBlocker Server. The first server in the list is the primary server.

• To move a server higher or lower in the list, click the server IP address and click Move Up or Move Down.
• To remove a server from the list, select it and click Remove.

Enable Local Override

When you enable WebBlocker local override, if a user tries to connect to a site that is denied by WebBlocker the user is prompted to enter the override password. When the user enters the correct password, WebBlocker allows the user to go to the destination web site until the inactivity timeout is reached or until an authenticated user logs out. This feature operates only with HTTP proxy policies. For more information about local override, see Use WebBlocker Local Override.

To allow users to bypass WebBlocker if they have the correct passphrase:

1. In the Local Override section, select the Use this passphrase and inactivity timeout to enable WebBlocker local override check box.
2. In the Passphrase text box, type the passphrase.
3. In the Confirm text box, type the same password again.
4. (Optional) Change the Inactivity Timeout value.

Select Categories to Block

1. Select the Categories tab.
   The list of WebBlocker categories appears.

2. Select the check boxes adjacent to the categories of web sites you want to block in this WebBlocker profile.

For more information on WebBlocker categories, see About WebBlocker Categories.

3. To create a log message when a web site is denied based on a category you choose to block, select the Log this action check box.
4. Click Save.
   The WebBlocker policy is added to the list.

Use the WebBlocker Profile with HTTP and HTTPS Proxies

You can use the WebBlocker profile you created with user-defined HTTP and HTTPS proxy actions. For more information about proxy actions, see About Proxy Actions.

On the WebBlocker page:

1. In the WebBlocker Actions section, in the HTTP and HTTPS Actions list, adjacent to each user-defined proxy action, click the drop-down list and select a WebBlocker profile.

2. Click Save.

Add WebBlocker Exceptions

To always allow or deny access to specific web sites, regardless of the WebBlocker category, select the Exceptions tab. You can add the URL or URL pattern of sites you want WebBlocker to always allow or deny.

For more information about how to add WebBlocker exceptions, see Add WebBlocker Exceptions.

See Also

Define WebBlocker Alarms

Give Us Feedback  •   Get Support  •   All Product Documentation  •   Knowledge Base

© 2011 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, Firebox, Core, and Fireware are registered trademarks or trademarks of WatchGuard Technologies in the United States and/or other countries.