Webblocker Configuration
To configure Webblocker you must be using the HTTP proxy. It is recommended that you use the service "HTTP" under the proxies section of services and not "Proxied-HTTP". The only difference is that "HTTP" proxies only port 80, while "Proxied-HTTP" proxies ALL outgoing connections and can unintentionally interfere with some of them. This example assumes you have already configured the HTTP Proxy service. If you have not, visit the HTTP Proxy Configuration page first. Make sure you have downloaded and installed the latest strong encryption software for your Firebox.
To configure Webblocker, you must have installed your license for it. In Setup>Licensed Features, it should show your key.
If you have a Firebox III, a key for Webblocker is not required. If you have a Firebox X, the key is obtained from the WatchGuard website after you register it for a certain Firebox. The key given to you has your Firebox serial number embedded in it and will only work on your Firebox (the key in the diagram above will only work for the Firebox X with serial number 808200578ECC5). If you just enter the Webblocker key without registering it on the WatchGuard website and obtaining a feature key, it will not function. You will be able to enter it into Policy Manager and it will be accepted, but after saving to the Firebox the key will be rejected and Webblocker will not function. If your key is not installed, is incorrectly installed, or you are not using the latest software, the Webblocker tab will not be displayed in the HTTP proxy properties section.
Double-click on your HTTP proxy, click the Properties Tab, and click the Setting button.
Next click on the Webblocker controls tab.
The machine you installed the management software on is your Webblocker server. Enter its IP as the Webblocker server and also check "Allow Webblocker server bypass". You want to enable this bypass because, should the Webblocker server become unavailable, the Firebox will still let users browse HTTP. If left unchecked, all outgoing HTTP requests will be denied until the Webblocker server comes back online and is responding. Use the <> scroll bars to see the remaining tabs. Scheduling can be used to allow different categories at different times, but until you are familiar with the system it is recommended that you leave scheduling alone and configure the same blocks, for the same categories, under both Operational and Non-Operational Privileges.
Click on WB:Operational Privileges and configure what to block.
Do the same for Non-Operational Privileges so they match.
Lastly, there is the exceptions list. This is for allowing sites that are blocked but that you wish to allow, or for denying sites that are not blocked by the Webblocker.
If you click on "Add" in the allow to or denied from area, you will get a lookup prompt. Enter the URL (in this case www.yahoo.com) and click lookup, and the management station will resolve the URL and put the related IPs it finds for this URL in the results. Click OK and these IPs will be put in the denied or allowed exceptions, wherever you chose to add them.
Note: Some sites may change their DNS often to get around an IP-based block, so these exceptions will only function if the target site is not changing its DNS to evade them. Webblocker is URL based, so it will still block, but these exceptions are IP based, so keep this in mind.
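Because the exceptions hold the IPs returned at lookup time, it helps to re-check them periodically. The following is an added example, not part of the original page or any WatchGuard tool: it compares recorded exception IPs with a fresh DNS lookup. The `RECORDED` structure, the function names, and the hostnames and documentation-range IPs are all constructed assumptions.

```python
import socket

# Constructed sample: exceptions as recorded at lookup time (documentation-range IPs).
RECORDED = [
    {"host": "www.example.com", "action": "allow", "ips": {"192.0.2.10", "192.0.2.11"}},
    {"host": "blocked.example.net", "action": "deny", "ips": {"198.51.100.7"}},
]

def resolve_ipv4(host):
    """Return the set of IPv4 addresses DNS currently gives for host."""
    try:
        infos = socket.getaddrinfo(host, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def check_drift(exceptions, resolver=resolve_ipv4):
    """Compare each recorded exception with a fresh lookup and report differences."""
    findings = []
    for entry in exceptions:
        current = resolver(entry["host"])
        if not current:
            findings.append((entry["host"], "lookup-failed", []))
            continue
        uncovered = current - entry["ips"]  # served now, missing from the exception
        stale = entry["ips"] - current      # in the exception, no longer served
        if uncovered:
            # deny: the site is reachable on IPs the exception does not cover;
            # allow: users landing on those IPs are not covered by the allow.
            findings.append((entry["host"], entry["action"] + "-incomplete", sorted(uncovered)))
        if stale:
            # The address may now belong to an unrelated site.
            findings.append((entry["host"], "stale-ip", sorted(stale)))
    return findings

if __name__ == "__main__":
    for host, kind, ips in check_drift(RECORDED):
        print(f"{host}: {kind} {', '.join(ips)}")
```

Any finding means the exception should be looked up again in the Webblocker exceptions list and the old entries reviewed.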