Solved

Isolating a PC to get facebook while denying all others thru WatchGuard Webblocker 11.

Posted on 2010-11-08
Last Modified: 2013-11-16
I am trying to isolate one PC thru my WatchGuard webblocker to get facebook while denying all other the same access.  So far I have given this PC a static IP, but am not clear what to do after.
Question by:ECHO50
14 Comments
 
LVL 9

Expert Comment

by:Brian
ID: 34084590
Follow the steps in this Watchguard Link:

http://www.watchguard.com/help/docs/fireware/10/en-US/index_Left.html#CSHID=en-US%2Fservices%2Fwebblocker%2Fwebblocker_outbound_auth_user_groups_f.html|StartTopic=Content%2Fen-US%2Fservices%2Fwebblocker%2Fwebblocker_outbound_auth_user_groups_f.html|SkinName=Fireware (en-US)

The example is an educational setting, but the idea and layout is the same. Make sure to follow each step, including the deny message near the end.
0
 
LVL 6

Accepted Solution

by:
Jon Snyderman earned 500 total points
ID: 34087670
What version of the software are you running?  It changes along the way, but here's what we do...

1) Create an IP reservation in the DHCP server for that machine.  You've effectively already done that by setting the IP.
2) Create a new HTTP Proxy rule by duplicating your existing policy and proxy.  Then make a change to it and call it "Http-proxy.Loose" or something like that.
3) Add the static IP in the FROM box of the policy.
4) Add the facebook URLs to the HTTP Proxy exceptions in the proxy.
5) Save the config.
6) Now, all traffic for the president's machine :-) will go through that policy and you can make further changes as needed.  But your basic policies are still the basis.

Again, this changes with versions, so if you give me that, I will be happy to get more specific.

Jon
0
 

Author Comment

by:ECHO50
ID: 34102064
Version 11.3.2
0
 
LVL 6

Assisted Solution

by:Jon Snyderman
Jon Snyderman earned 500 total points
ID: 34102204
OK, I am assuming that you are NOT using the web interface.  Also, I am changing the process slightly because I would prefer that the facebook exception be in the web blocker vs. the proxy exceptions.  That would be the fallback.

1) Create an IP reservation in the DHCP server for that machine.
            You've effectively already done that by setting the IP, but I prefer the DHCP route.
2) Create a new HTTP Proxy rule by duplicating your existing policy and proxy.
     a) You can do this easily by creating a new HTTP-Proxy policy.
     b) Select the same proxy action from your general policy.
     c) Click the ADD (plus) button, not the pencil.  This will create a duplicate of the policy.
     d) Make a change to it and call it "Http-proxy.Loose" or something like that.
3) In the same manner, change the webblocker action.
     a) Change the new HTTP proxy action.
     b) Select the current webblocker action and click the ADD (plus) button.
     c) Add the facebook URLs to the webblocker exceptions tab.
     d) Note that this format is different from the HTTP Proxy exceptions.  Instead of *.domain.com, it is *.domain.com/*.
     e) Save the webblocker action as "Webblocker.loose" or something along that line.
4) Click OK out of the webblocker action.  You should be back at the HTTP-Proxy.Loose proxy action.
5) Click OK out of the proxy action.  You should be back at the HTTP-Proxy.Loose policy.
6) Add the static IP in the FROM box of the policy.  Leave the TO as any-external.
7) Click OK out of the policy.  You should be back to the policy list.
8) Save the config.
9) Now, all traffic for the president's machine :-) will go through that policy and you can make further changes as needed.  But your basic policies are still the basis.

Let me know if you need more.

~Jon
0
 
LVL 6

Assisted Solution

by:Jon Snyderman
Jon Snyderman earned 500 total points
ID: 34102230
*edit* the webblocker exception format is *.domain.com\*
Wrong slash :)

BTW, note that Facebook is a PIA because they have multiple URLs that they use for the main interface and images and scripts, etc.  You may not get it on the first try.  In the traffic monitor, filter for the user's IP and watch as you test.  You should see the restriction and you can make further web blocker adjustments based on that.

~ Jon
0
 
LVL 6

Assisted Solution

by:Jon Snyderman
Jon Snyderman earned 500 total points
ID: 34111098
Good morning ECHO50.  Did those instructions work for you?  Post if you need any more info.

~Jon
0
 

Author Comment

by:ECHO50
ID: 34113714
No, they have not.  I followed the instructions to the letter.  I created a new policy and a new HTTP-Proxy, which I named HTTP-ProxyFrontDesk.  Used the new policy, put in exceptions for facebook, put the IP address in FROM and left TO as Any External, but it is still looking at the original policy.

I am apparently missing something else.
Thanks
0
 
LVL 6

Assisted Solution

by:Jon Snyderman
Jon Snyderman earned 500 total points
ID: 34113797
OK, what makes you say that it's still looking at the original policy?  Do you see the denial in the traffic monitor or are you just still getting the same message?  Do you get a message in the browser?  If so, can you post that?  Also, a clip from the traffic monitor for that PC's IP would put this right to bed quickly.

~Jon
0
 

Author Comment

by:ECHO50
ID: 34114405
Still getting the same message which is ....
Request denied by WatchGuard HTTP proxy.
Reason: one or more categories denied helper='WebBlocker.2' details='local-exception(Sorry_No_More_Facebook)'
--------------------------------------------------------------------------------
Method: GET
Host: www.facebook.com
Path: /

WebBlocker.2 is my original Proxy Action.  I created another proxy action just for the front desk, which is named WebBlocker.3 - FrontDesk, which is what I would like to use only for the front desk.

------------------------------------------------
This is from the traffic monitor and the only thing that I see relating to this front desk PC.  I cleared the traffic and launched facebook.

2010-11-12 05:55:32 Deny 64.52.230.65 224.0.0.1 igmp   0-External Firebox Denied 28 1 (Unhandled External Packet-00)  proc_id="firewall" rc="101"       Traffic

2010-11-12 05:55:32 Allow 192.168.1.200 173.194.34.100 http/tcp 4709 80 1-Trusted 0-External ProxyStrip: HTTP Header match   (HTTP-proxy-00) HTTP-Client.2 proc_id="http-proxy" rc="592" proxy_act="HTTP-Client.2" rule_name="Default" header="X-XSS-Protection: 1; mode=block\x0d\x0a" msg_id="262171"       Traffic

2010-11-12 05:55:36 Allow 192.168.1.200 173.194.34.100 http/tcp 4709 80 1-Trusted 0-External ProxyStrip: HTTP Header match   (HTTP-proxy-00) HTTP-Client.2 proc_id="http-proxy" rc="592" proxy_act="HTTP-Client.2" rule_name="Default" header="X-XSS-Protection: 1; mode=block\x0d\x0a" msg_id="262171"       Traffic

2010-11-12 05:55:36 Allow 192.168.1.200 173.194.34.104 http/tcp 4711 80 1-Trusted 0-External ProxyStrip: HTTP Header match   (HTTP-proxy-00) HTTP-Client.2 proc_id="http-proxy" rc="592" proxy_act="HTTP-Client.2" rule_name="Default" header="X-XSS-Protection: 1; mode=block\x0d\x0a" msg_id="262171"       Traffic

2010-11-12 05:55:37 Allow 192.168.1.200 69.63.181.12 http/tcp 4712 80 1-Trusted 0-External ProxyAllow: HTTP Request categories   (HTTP-proxy-00) HTTP-Client.2 proc_id="http-proxy" rc="590" proxy_act="HTTP-Client.2" cats="Personals & Dating" op="GET" dstname="facebook.com" arg="/" msg_id="262177"       Traffic

2010-11-12 05:55:37 Allow 192.168.1.200 69.63.181.12 http/tcp 4712 80 1-Trusted 0-External ProxyStrip: HTTP Header match   (HTTP-proxy-00) HTTP-Client.2 proc_id="http-proxy" rc="592" proxy_act="HTTP-Client.2" rule_name="Default" header="X-Cnection: close\x0d\x0a" msg_id="262171"       Traffic


I hope this is helpful!!!  Thanks again
0
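The check Jon describes above (filter the Traffic Monitor for the PC's IP and see which proxy action actually handled each request) worked through as an added example; this is not code from the thread or from WatchGuard. It parses lines in the format ECHO50 posted, keeps only the HTTP-proxy request lines for one source IP, and reports any request that was handled by a proxy action other than the one expected. The sample lines are taken from the posts above; the expected action name `HTTP-Client.3` is an assumed placeholder for the new per-host proxy action.

```python
import re

# Constructed sample: three Traffic Monitor lines in the format posted in this
# thread (two from the front-desk PC 192.168.1.200, one unrelated IGMP deny).
SAMPLE_LOG = """\
2010-11-12 05:55:37 Allow 192.168.1.200 69.63.181.12 http/tcp 4712 80 1-Trusted 0-External ProxyAllow: HTTP Request categories   (HTTP-proxy-00) HTTP-Client.2 proc_id="http-proxy" rc="590" proxy_act="HTTP-Client.2" cats="Personals & Dating" op="GET" dstname="facebook.com" arg="/" msg_id="262177"       Traffic
2010-11-12 06:54:55 Deny 192.168.1.200 66.151.151.149 http/tcp 1121 80 1-Trusted 0-External ProxyDeny: HTTP Request categories   (HTTP-proxy-00) HTTP-Client.2 proc_id="http-proxy" rc="594" proxy_act="HTTP-Client.2" cats="Games" op="GET" dstname="www.zynga.com" arg="/" msg_id="262177"       Traffic
2010-11-12 05:55:32 Deny 64.52.230.65 224.0.0.1 igmp   0-External Firebox Denied 28 1 (Unhandled External Packet-00)  proc_id="firewall" rc="101"       Traffic
"""

# Fixed leading fields: timestamp, disposition, source, destination, protocol.
HEAD_RE = re.compile(r"^(\S+ \S+) (Allow|Deny) (\S+) (\S+) (\S+)")
POLICY_RE = re.compile(r"\(([^()]+)\)")          # e.g. (HTTP-proxy-00)
KV_RE = re.compile(r'(\w+)="([^"]*)"')           # proxy_act="...", cats="...", ...


def parse_line(line):
    """Split one Traffic Monitor line into a dict; None if it is not a traffic line."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    when, disposition, src, dst, proto = m.groups()
    rec = {"time": when, "disposition": disposition,
           "src": src, "dst": dst, "proto": proto}
    pm = POLICY_RE.search(line)
    rec["policy"] = pm.group(1) if pm else None  # policy that matched the packet
    rec.update(KV_RE.findall(line))              # key="value" pairs from the tail
    return rec


def http_requests_from(log_text, src_ip):
    """Only the HTTP-proxy request lines (ProxyAllow/ProxyDeny) for one source IP."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["src"] == src_ip
                and rec.get("proc_id") == "http-proxy" and "dstname" in rec):
            out.append(rec)
    return out


def unexpected_proxy_actions(log_text, src_ip, expected_action):
    """(dstname, proxy_act) for requests handled by an action other than expected.
    An empty list means the per-host policy is the one actually matching."""
    return [(r["dstname"], r["proxy_act"])
            for r in http_requests_from(log_text, src_ip)
            if r.get("proxy_act") != expected_action]


if __name__ == "__main__":
    for r in http_requests_from(SAMPLE_LOG, "192.168.1.200"):
        print(r["disposition"], r["dstname"], r["proxy_act"], r.get("cats"))
    # HTTP-Client.3 is an assumed name for the new front-desk proxy action.
    print(unexpected_proxy_actions(SAMPLE_LOG, "192.168.1.200", "HTTP-Client.3"))
```

On the posted lines every request from 192.168.1.200 still reports proxy_act="HTTP-Client.2", which is the original action, so the new policy was not the one being matched.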
 
LVL 6

Expert Comment

by:Jon Snyderman
ID: 34114480
HA :) I think I see the problem.  

In step 3b, change the *.facebook.com/* to *facebook.com/*.    Remove the first dot.

~Jon
0
 

Author Comment

by:ECHO50
ID: 34114986
Didn't work with removing the "."  This is what I recently copied from traffic monitor

2010-11-12 06:54:55 Deny 192.168.1.200 66.151.151.149 http/tcp 1121 80 1-Trusted 0-External ProxyDeny: HTTP Request categories   (HTTP-proxy-00) HTTP-Client.2 proc_id="http-proxy" rc="594" proxy_act="HTTP-Client.2" cats="Games" op="GET" dstname="www.zynga.com" arg="/" msg_id="262177"       Traffic
0
 
LVL 6

Assisted Solution

by:Jon Snyderman
Jon Snyderman earned 500 total points
ID: 34115309
OK, so Facebook, in and of itself, is ok now.  This exemplifies the issue with Facebook.   They have so many little plug-ins that it is clearly very difficult to allow them all and not have future ongoing problems with the site.

Another, more broad-stroke approach is to loosen the webblocker on that new policy.   Go into webblocker, remove the facebook exception (as it won't be needed anymore) and unblock the personals category and the games category.

I hope you (or your boss) really likes this person :)

~Jon
0
 

Author Comment

by:ECHO50
ID: 34139454
Jon, thanks for your help.  Your answer was a part of the solution.  The other part I got from the user's manual.  After setting up a new HTTP proxy for the reception desk, the IP address for the reception PC had to be placed in FROM in Outgoing to make it work.

Thanks for all your help.  It has been resolved.
0
 
LVL 6

Expert Comment

by:Jon Snyderman
ID: 34139665
Yep :)  I think you may have missed step #6 "Add the static IP in the FROM box of the policy.  Leave the TO as any-external."

Glad you got it working.  

Thanks
Jon
0
