Troubleshoot DNSWatch on a Firebox

When you enable DNSWatch on a Firebox, two separate actions occur. The two actions are:

Firebox registration

The Firebox contacts the DNSWatch servers and registers itself to the DNSWatch account where the Firebox was originally registered. After the Firebox is registered, it receives the IP addresses of two DNSWatch DNS servers and a Blackhole Server.

DNS forwarding

The Firebox forwards all outbound DNS queries to the DNSWatch DNS servers unless another DNS setting configured on the Firebox has precedence. For information about precedence of DNS settings, go to DNSWatch DNS Settings Precedence on a Firebox.

For all interfaces with DNSWatch Usage Enforcement enabled, the Firebox intercepts all DNS requests on port 53 and forwards them to a DNSWatch DNS Server, even if the DNS request was addressed to another DNS server. For more information about the options, go to Enable DNSWatch on Your Firebox.

Troubleshoot Registration and Status Errors

To determine the registration status of your Firebox, you can look at the information on the DNSWatch configuration page in Fireware Web UI. The DNSWatch page shows the Firebox registration status, and shows whether there are any errors related to the DNSWatch service. It also shows the IP addresses of DNSWatch DNS servers.

Screen shot of the DNSWatch page in Fireware Web UI

If the Firebox is registered and there are no DNSWatch errors, the DNSWatch page in Fireware Web UI shows:

Registration Date: Registered at <date and time>

Status: Operational

If registration fails, or if any other error affects the DNSWatch service, the Status line includes an error message that can be useful for troubleshooting. An error also appears for the Firebox on the Protected Fireboxes page in your DNSWatch account.

After the Firebox is registered to your DNSWatch account, the Firebox sends a request to to determine the public IP address for the Firebox external interface. The Firebox sends this IP address to DNSWatch. The public IP address for each Firebox external interface appears on the Protected Fireboxes page in your DNSWatch account. If DNSWatch cannot update interface information, a red cross appears in the Update Status column. For more information, go to View Fireboxes Protected by DNSWatch.

If the Firebox is behind a NAT device, the public IP address the Firebox reports to DNSWatch is not the same as the external interface IP address on the Firebox itself.

The external IP address is used to associate DNS requests from clients on your network to your DNSWatch account. DNSWatch also uses the external public interface to determine which regional DNS servers to assign to the Firebox, based on the region.

After the Firebox is registered and DNSWatch has received the public IP address, the Firebox receives the IP addresses for DNSWatch Servers and the Blackhole Server. These addresses appear in the DNSWatch page in Fireware Web UI.

If any errors occur for any of these steps, you can use the error messages described in the next section to troubleshoot the problem.

DNSWatch Error Messages and Log Messages

If the DNSWatch feature on your Firebox does not function as expected, errors appear in the Status section of the DNSWatch page in Fireware Web UI and in the Firebox log messages. To view log messages related to DNSWatch, open Traffic Monitor and filter on diagnostic logs. To find Firebox log messages related to DNSWatch, search the log file for dnswatchd.

These log messages contain information to help you troubleshoot issues with DNSWatch.

Troubleshoot DNSWatch Protection On a Client

To test your protection, use If you are protected, the phishing education page appears. If you are not protected, a page with information about the issue appears.

To troubleshoot DNSWatch protection from a client on a protected network, you must know:

  • The IP address of your Firebox internal (trusted, optional, or custom) interface
  • The IP address of a publicly available DNS server. For example,
  • The DNSWatch test domain:
  • A safe domain: (for example)
  • The URL of a Firebox subscription service excluded from DNSWatch:
  • The domain of the DNSWatch Blackhole:

To verify that your network is protected by DNSWatch and that DNS resolution works correctly, complete these tests from a computer protected by your Firebox:

If these tests all produce the expected results, your network is protected by DNSWatch.

By default, the domain is on the blocklist in your DNSWatch account. You can browse to to view the deny message that clients on your network see when DNSWatch denies a DNS request.

For information about how to customize the block page, go to Customize DNSWatch Block Pages.