Setting Blocked Websites - Watchguard XTM 23

I just purchased a new XTM 23 Series Firebox. Firmware 11.4

What is the best method to set up blocking for specific websites?

Example:  facebook.com

Also, I am subscribing to the Subscription Services and would like to utilize the various Categories under WebBlocker. I have the specific Categories selected (Adult/Sexually Explicit selected), but when I go to www.penthouse.com I am not getting blocked. Why?

Thanks in advance.
j4piper Asked:

setasoujiro Commented:
If you purchased a new XTM, did you get it with the security bundle?
If so, you can install the WebBlocker; it's the best imo, not too expensive.

Otherwise you can set up an HTTP proxy and configure the blocked sites there by pattern match (e.g. facebook.com/*.facebook.com etc...)

If you need more help please say so :)
0
setasoujiro Commented:
Sorry, I didn't read the full question.
You say you don't get blocked. Did you follow these steps:
- install WebBlocker server on a machine somewhere
- set up the WebBlocker IP in the WatchGuard
- set up an HTTP Proxy that uses this WebBlocker
0
Brian Commented:
Do you have any HTTP policies that are before your HTTP Policy with WebBlocker?
What WebBlocker Server are you subscribing to?

The best way to block a specific site is to go into the WebBlocker Setup, select the HTTP Proxy, go to the Exceptions Tab and add *.facebook.com/*. You will also want to create an HTTPS Proxy as well. A lot of Facebook users go on with HTTPS and therefore would bypass your HTTP proxy.
0
Brian Commented:
Forgot, when adding the exception, make sure to select Deny, not Allow.
0
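
Added example (not part of the thread and not WatchGuard code): a small audit that checks which test URLs a set of deny patterns would leave unblocked, covering the two gaps raised above, the bare domain and HTTPS traffic. It assumes shell-style wildcard matching and that an HTTPS proxy without content inspection matches on the server name only; the function names, sample URLs and the corrected pattern lists are constructed for illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Deny lists as first described in the thread: one HTTP proxy exception and
# no HTTPS proxy yet. Shell-style wildcard matching is an ASSUMPTION here,
# not WatchGuard's documented matcher.
INITIAL = {"http": ["*.facebook.com/*"], "https": []}

# Constructed corrected lists: bare domain added, plus an HTTPS proxy that
# (assumption) matches on the server name only, with no path.
CORRECTED = {
    "http": ["facebook.com/*", "*.facebook.com/*"],
    "https": ["facebook.com", "*.facebook.com"],
}

# Constructed sample requests to audit.
SAMPLE_URLS = [
    "http://www.facebook.com/",
    "http://facebook.com/",
    "http://m.facebook.com/home.php",
    "https://www.facebook.com/login",
]

def match_target(url):
    """Return (scheme, string a proxy of that scheme would match against)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if scheme == "https":
        return scheme, host                    # path is not visible
    return scheme, host + (parts.path or "/")  # host plus path for HTTP

def is_denied(url, deny):
    """True if any deny pattern for the URL's scheme matches it."""
    scheme, target = match_target(url)
    return any(fnmatchcase(target, pat) for pat in deny.get(scheme, []))

def gaps(urls, deny):
    """URLs that no deny pattern covers, i.e. that would still load."""
    return [u for u in urls if not is_denied(u, deny)]

if __name__ == "__main__":
    for name, deny in (("initial", INITIAL), ("corrected", CORRECTED)):
        print(name, "not blocked:", gaps(SAMPLE_URLS, deny))
```
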
j4piper Author Commented:
I do not have a WebBlocker Server set up. I want the Firebox to handle all my allows and denies.
0
setasoujiro Commented:
Then you need to set up denies in the proxy properties as per my screenshot, and also set an HTTPS proxy to block the certificates for google/facebook etc...

Be advised that you will have a LOT of work doing things this way; you're really better off just installing WB server.
When using WB server, you need to enable deep packet inspection for HTTPS traffic in order to work.
HTTPProxy.png
deepinspection.png
0
j4piper Author Commented:
Thank you for your help.

Your pictures shown are from your WatchGuard System Manager?

I have tried to install this program and had difficulty getting it to find my Firebox.

Also, in the Firebox, under System - Managed Device: I am not able to get past the Management Server CA Certificate part?
0
setasoujiro Commented:
You don't need to be in the managed device settings... what are you trying to do?
For the System Manager, install it, click on the red icon with a little firewall at the top, enter your IP and read password.

The web interface cannot do what we said regarding the proxies; you must use System Manager.
0
j4piper Author Commented:
That worked! Holy Moly! I am very excited now!

May I add 1 more thing?

How do I allow 1 specific IP to view facebook.com if I have put in a DENY rule to block facebook?

Where do I set up SMTP so that emails will be sent when blocked websites are encountered?

(I can open up another ticket if you feel the need.)
0
setasoujiro Commented:
For 1 IP, you need to set up a SEPARATE HTTP proxy with that configured, from THAT IP to ANY EXTERNAL.
Then make sure that the rule for that IP is under the normal HTTP proxy, so that it gets processed after the general one. (Normally this is the case by default.)

You need to install log server in case you want to enable mail notifications; the WatchGuard will not do it by itself.
0

j4piper Author Commented:
Awesome solutions!
0