  • Status: Solved
Setting Blocked Websites - Watchguard XTM 23

I just purchased a new XTM 23 Series Firebox.  Firmware 11.4

What is the best method to setup blocking for specific websites?

Example:  facebook.com

Also, I am subscribing to the Subscription Services and would like to utilize the various Categories under WebBlocker.  I have the specific Categories selected (Adult/Sexually Explicit) but when I go to www.penthouse.com I am not getting blocked.  Why?

Thanks in advance.
0
Asked by: j4piper
1 Solution
 
setasoujiro Commented:
If you purchased a new XTM, did you get it with the security bundle?
If so, you can install the WebBlocker; it's the best imo, not too expensive.

Otherwise you can set up an HTTP-proxy and configure the blocked sites there by pattern match (e.g. facebook.com/*.facebook.com etc...)

If you need more help please say so :)
0
 
setasoujiro Commented:
Sorry, I didn't read the full question.
You say you don't get blocked. Did you follow these steps:
- install WebBlocker server on a machine somewhere
- set up WebBlocker IP in the WatchGuard
- set up an HTTP Proxy that uses this WebBlocker
0
 
Brian Commented:
Do you have any HTTP policies that are before your HTTP Policy with WebBlocker?
What WebBlocker Server are you subscribing to?

The best way to block a specific site is to go into the WebBlocker Setup, select the HTTP Proxy, go to the Exceptions Tab and add *.facebook.com/*. You will also want to create an HTTPS Proxy as well. A lot of Facebook users go on with HTTPS and therefore would bypass your HTTP proxy.
0
 
Brian Commented:
Forgot, when adding the exception, make sure to select Deny, not Allow.
0
 
j4piper (Author) Commented:
I do not have a WebBlocker Server set up.  I want the Firebox to handle all my allows and denies.
0
 
setasoujiro Commented:
Then you need to set up denies in the proxy properties as per my screenshot, and also set an HTTPS proxy to block the certificates for google/facebook etc...

Be advised that you will have a LOT of work doing things this way; you're really better off just installing WB server.
When using WB server, you need to enable deep packet inspection for HTTPS traffic in order for it to work.
HTTPProxy.png
deepinspection.png
0
 
j4piper (Author) Commented:
Thank you for your help.

Your pictures shown are from your WatchGuard System Manager?

I have tried to install this program and had difficulty getting it to find my Firebox.

Also, in the Firebox, under System - Managed Device:  I am not able to get past the Management Server CA Certificate part?
0
 
setasoujiro Commented:
You don't need to be in the managed device settings... what are you trying to do?
For the system manager, install it, click on the red icon with a little firewall at the top, enter your IP and read password.

The web interface cannot do what we said regarding the proxies; you must use system manager.
0
 
j4piper (Author) Commented:
That worked!  Holy Moly!   I am very excited now!

May I add 1 more thing?

How do I allow 1 specific IP to view facebook.com if I have put in a DENY rule to block facebook?

Where do I setup smtp so that emails will be sent when blocked websites are encountered?

(I can open up another ticket if you feel the need.)
0
 
setasoujiro Commented:
For 1 IP, you need to set up a SEPARATE HTTP proxy with that configured, from THAT IP to ANY EXTERNAL,
then make sure that the rule for that IP is under the normal HTTP proxy, so that it gets processed after the general one. (Normally this is the case by default.)

You need to install log server in case you want to enable mail notifications; the WatchGuard will not do it by itself.
0
 
j4piper (Author) Commented:
Awesome solutions!
0
