WebBlocker Exceptions

Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes

If you want WebBlocker to always allow or always deny access to a website, regardless of the content category, you can add a WebBlocker exception for that site. You can add a WebBlocker exception that is an exact match of a URL, a pattern match of a URL, or a regular expression.

WebBlocker does not include query strings (the part of a URL that starts with the ? character) in the categorization request it sends to the WebBlocker Server. This means that you cannot create a WebBlocker exception to deny specific queries.

Exact Match

Exact matches match an exact URL or IP address, character by character. You cannot use wildcards, and you must type each character exactly as you want it to be matched. For example, if you enter an exception to allow www.yahoo.com as an exact match only, and a user types “www.yahoo.com/news”, the request is denied.

Pattern Match

Pattern matches match a pattern in the URL or IP address, for example “pattern” in www.pattern.com. Make sure to drop the leading “http://” and include “/*" at the end. Use the wildcard symbol, *, to match any character. You can use more than one wildcard in one pattern. For example, the pattern www.somesite.com/* will match all URL paths on the www.somesite.com website. To enter a network address, use a pattern match that ends in a wildcard. For example, to match all the websites at 1.1.1.1 on port 8080, set the directory to “*”.

Regular Expression

Regular expression matches use a Perl-compatible regular expression to make a match. For example, \.[onc][eor][gtm] matches .org, .net, .com, or any other three-letter combination of one letter from each bracket, in order. When you create a regular expression to match URL paths, do not include the leading “http://”. Regular expressions support wildcards used in shell scripts. For example:

  • The regular expression: (www\.)?watchguard\.[com|net] matches URL paths such as www.watchguard.com, www.watchguard.net, watchguard.com, and watchguard.net
  • The regular expression: 1.1.1.[1-9] matches all IP addresses from 1.1.1.1 to 1.1.1.9.

Regular expressions are more efficient than pattern matches, in terms of CPU usage. For best performance, we recommend that you use regular expressions rather than pattern matches to define your WebBlocker exceptions, when several exceptions are configured. You can create a regular expression that is equivalent to a pattern match. For example, the pattern match *.hostname.com/* is equivalent to the regular expression ^[0-9a-zA-Z\-\_.]{1,256}hostname\.com.

For more information about regular expressions, see About Regular Expressions.

See Also

Add a Cloud-Managed Firebox to WatchGuard Cloud

Configure Content Filtering in WatchGuard Cloud