Block HTTPS Site with WatchGuard Firebox

Hey WatchGuard Experts,

I'm using a WatchGuard X500 and I need some assistance blocking a site.  I'm trying to block https://vtunnel.com.  Since this is "https", the webblocker isn't going to block it; is that correct?  I have also tried setting up some policies in the policy manager to block it, but no luck yet.  The most recent thing that I have tried was to create a custom policy that denies access to a range of IPs using TCP port 443.  I've done a couple lookups on vtunnel and I get something different every time.  I did a range like this: 67.159.45.1 -> 67.159.45.254.

Nothing I've done so far has blocked it.  I know there are some WatchGuard experts out here, so any help would be appreciated.  
Asked by admintj06
hstiles commented:
This appears to be the range of addresses used, based on a quick online DNS check

vtunnel.com. A 67.159.45.99 [TTL=1440] [US]
vtunnel.com. A 67.159.45.100 [TTL=1440] [US]
vtunnel.com. A 67.159.45.233 [TTL=1440] [US]
vtunnel.com. A 67.159.45.89 [TTL=1440] [US]
vtunnel.com. A 67.159.45.90 [TTL=1440] [US]
vtunnel.com. A 67.159.45.91 [TTL=1440] [US]
vtunnel.com. A 67.159.45.92 [TTL=1440] [US]
vtunnel.com. A 67.159.45.96 [TTL=1440] [US]

Are you using WFS or Fireware on your X500?  One problem I can envisage is that if the Outgoing HTTPS rule takes precedence, your deny rule will have no effect.  If I remember correctly, the behaviour of the firewall is to grant as much access as possible rather than the opposite. If you are using Fireware, you can use manual order mode to position the deny rule higher than the outgoing HTTPS rule, so your global deny list takes precedence.

i.e.

4 HTTPS Outbound Restricted from Trusted to alias Restricted Sites
5 HTTPS Outbound Granted from Trusted to External

dpk_wal commented:
You are right, WebBlocker would not block HTTPS traffic because it resides on the HTTP proxy; unfortunately the only solution which works is to create an HTTPS policy and configure it to deny traffic as:
Outgoing Connections are enabled and denied; from ANY; to public-ip-of-site

which you have already tried.

I would suggest you run Wireshark when establishing a connection to the site and check the ports used; if the ports used are random (non-standard) then you can try adding an ANY service as below and check if this makes any difference:
Outgoing connections are enabled and denied; from Trusted; to public-ip-site

Other than this I am not sure of any solution which works.

Thank you.
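As an added example (not from either answer above, and not WatchGuard's own code), the following Python script models the two points the answers make: hstiles's point that in manual order mode the deny policy only works when it sits above the outgoing HTTPS allow, and dpk_wal's point that an HTTPS-only deny misses a site reached on a non-standard port, so an "Any" service deny is needed. First-match evaluation top-down, the policy and alias names, and a broad "Outgoing" allow policy for non-443 ports are assumptions for illustration; the addresses are the A records hstiles quoted, and 198.51.100.10 is a constructed address standing in for some other HTTPS site. The alias is built as the smallest prefix covering the observed answers, since blocking the individual /32s only lasts until DNS returns a different address.

```python
"""
Added example: first-match policy ordering for an outbound HTTPS deny.
Not code from the original thread or from WatchGuard; the policy names,
aliases and first-match semantics are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed input: the A records quoted for vtunnel.com in the thread.
OBSERVED_A_RECORDS = [
    "67.159.45.99", "67.159.45.100", "67.159.45.233", "67.159.45.89",
    "67.159.45.90", "67.159.45.91", "67.159.45.92", "67.159.45.96",
]


def covering_network(addrs: List[str]) -> ipaddress.IPv4Network:
    """Smallest single CIDR that contains every observed address.

    DNS answers for the site change between lookups, so the deny alias is
    built from a covering prefix rather than from the individual /32s.
    """
    ips = [ipaddress.ip_address(a) for a in addrs]
    lo, hi = min(ips), max(ips)
    net = ipaddress.ip_network(f"{lo}/32")
    while hi not in net:          # widen the prefix until it covers the max
        net = net.supernet()
    return net


@dataclass
class Policy:
    name: str
    action: str                                    # "allow" or "deny"
    src_alias: str                                 # assumed alias names: "Trusted", "Any"
    dst_nets: List[ipaddress.IPv4Network] = field(default_factory=list)  # [] = any destination
    dst_ports: Set[int] = field(default_factory=set)                    # empty = any TCP port


def evaluate(policies: List[Policy], src_alias: str,
             dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """First-match evaluation (assumed model of manual order mode): walk the
    list top-down and return (action, policy name) of the first policy whose
    from-alias, destination and port all match; no match is an implicit deny."""
    dst = ipaddress.ip_address(dst_ip)
    for p in policies:
        if p.src_alias not in ("Any", src_alias):
            continue
        if p.dst_nets and not any(dst in n for n in p.dst_nets):
            continue
        if p.dst_ports and dst_port not in p.dst_ports:
            continue
        return p.action, p.name
    return "deny", "implicit-deny"


def build_policies(restricted: ipaddress.IPv4Network,
                   deny_first: bool, any_service: bool) -> List[Policy]:
    """Assemble the policy list in either order, with the deny either limited
    to HTTPS (port 443) or covering any service."""
    deny = Policy(
        name="Any Outbound Restricted" if any_service else "HTTPS Outbound Restricted",
        action="deny",
        src_alias="Trusted",
        dst_nets=[restricted],
        dst_ports=set() if any_service else {443},
    )
    allow_https = Policy("HTTPS Outbound Granted", "allow", "Trusted", [], {443})
    allow_any = Policy("Outgoing", "allow", "Trusted", [], set())  # assumed broad outbound allow
    tail = [allow_https, allow_any]
    return [deny] + tail if deny_first else tail + [deny]


def demo() -> dict:
    """Run the scenarios from the thread and return what each one resolves to."""
    restricted = covering_network(OBSERVED_A_RECORDS)
    target = OBSERVED_A_RECORDS[0]
    return {
        "restricted_alias": str(restricted),
        # deny below the allow: the allow wins and the site is reachable
        "allow_first_443": evaluate(build_policies(restricted, False, False), "Trusted", target, 443),
        # deny moved above the allow: the site is blocked
        "deny_first_443": evaluate(build_policies(restricted, True, False), "Trusted", target, 443),
        # other HTTPS sites are unaffected by the deny
        "deny_first_other_site": evaluate(build_policies(restricted, True, False), "Trusted", "198.51.100.10", 443),
        # a non-standard port slips past an HTTPS-only deny ...
        "deny_first_8443_https_only": evaluate(build_policies(restricted, True, False), "Trusted", target, 8443),
        # ... but not past an Any-service deny in the same position
        "deny_first_8443_any": evaluate(build_policies(restricted, True, True), "Trusted", target, 8443),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

Re-run `demo()` whenever the site's A records change; if `covering_network` grows past the prefix in the real alias, the alias needs updating, which is the maintenance cost of blocking by IP rather than by name.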
admintj06 (author) commented:
I am running Fireware v 8.3 build 14051.  Haven't tried to manually reorder the rules yet, but I plan to try this soon.
dpk_wal commented:
Please implement and let me know.

Thank you.
admintj06 (author) commented:
Reordering the rules did it.  Thank you both for your input.