But i can't figure out why
On traffic, here's what i get :

2026-02-20 10:51:13 Member2 Allow 10.0.1.16 -removed- http/tcp 60783 80 Reseau local adsl_orange_secours HTTP request (HTTP-Web-General-DHCP-00) proc_id="http-proxy" rc="525" msg_id="1AFF-0024" app_name="Google Chrome" app_cat_name="Web services" app_id="8" app_cat_id="14" proxy_act="HTTP sites interdits.1" geo_dst="FRA" op="GET" dstname="www.salmson.com" arg="/" sent_bytes="605" rcvd_bytes="0" elapsed_time="0.000289 sec(s)" sig_vers="18.408"
2026-02-20 10:51:13 Member2 Allow 10.0.1.16 -removed- http/tcp 60783 80 Reseau local adsl_orange_secours Application identified 40 64 (HTTP-Web-General-DHCP-00) proc_id="firewall" rc="100" msg_id="3000-0149" src_ip_nat="82.127.114.224" tcp_info="offset 5 AF 110353771 win 58030" app_name="Google Chrome" app_cat_name="Web services" app_id="8" app_cat_id="14" app_beh_name="Access" app_beh_id="6" action="AC-Logging" geo_dst="FRA" sig_vers="18.408"
2026-02-20 10:51:14 Member2 Allow 10.0.1.16 -removed- http/tcp 60784 80 Reseau local adsl_orange_secours HTTP request (HTTP-Web-General-DHCP-00) proc_id="http-proxy" rc="525" msg_id="1AFF-0024" app_name="Google Chrome" app_cat_name="Web services" app_id="8" app_cat_id="14" proxy_act="HTTP sites interdits.1" geo_dst="FRA" op="GET" dstname="www.salmson.com" arg="/favicon.ico" sent_bytes="515" rcvd_bytes="0" elapsed_time="0.001081 sec(s)" sig_vers="18.408"
2026-02-20 10:51:14 Member2 Allow 10.0.1.16 -removed- http/tcp 60784 80 Reseau local adsl_orange_secours Application identified 40 64 (HTTP-Web-General-DHCP-00) proc_id="firewall" rc="100" msg_id="3000-0149" src_ip_nat="82.127.114.224" tcp_info="offset 5 AF 1639057394 win 51373" app_name="Google Chrome" app_cat_name="Web services" app_id="8" app_cat_id="14" app_beh_name="Access" app_beh_id="6" action="AC-Logging" geo_dst="FRA" sig_vers="18.408"

website is -removed-

but i got a standard proxy message telling me the access was blocked.
seems to bne blocked by the rule http sites interdits.1
but i can't find what preciselly is making this site getting blocked by this rule.
It a normal hardware provider, and i don't see any words in their meta explaining this.
Is there anyther kind of log explaining preciselly why it's getting proxy blocked ?

i don't remeber changing something in our proxy filtering (maybe our DSI, but he would advertise us in this case)

when i check the traffic logs, i get this deny:
2025-12-10 15:44:23 Member2 Deny <clientIP> 172.64.155.209 https/tcp 53088 443 Reseau local FTTO-SFR Application identified 1500 128 (HTTPS-Web-General-DHCP-00) proc_id="firewall" rc="101" msg_id="3000-0149" route_type="SD-WAN" src_ip_nat="<our_public_IP>" tcp_info="offset 5 A 2580491961 win 61690" app_name="ChatGPT" app_cat_name="general" app_id="9" app_cat_id="29" app_beh_name="Access" app_beh_id="6" action="AC-Logging" geo_dst="USA" sig_vers="18.397"

I only get this is denyed by the firewall rule HTTPS-Web-General-DHCP, but can't find where inside.
This rule is here to proxy/filter internet access, and deny some sensitives content using proxy.

in the proxy setting assigned to this rule, can't find the app_cat_name "general" nor app_beh_name "Access"

Any hints on where i could find this ?

For my test, if I move the packet filter in front of the proxy, will that screw up all my mail, as it will try that rule first? I kind of think it may be an issue to test this as I wanted to
Any suggestions on how to test this process rather than all at one time?
Was hoping to be able to test with the one domain, if at all possible

Anyhow, thought I would put it out here and see what you all think
I can open a ticket, if needed, but lots of smart people out here may answer me faster!

Thanks for any thoughts on the matter!

I'd like to restrict external access to each server:
Any-External > one.mydomain.com
Single IP > two.mydomain.com

I've looked at using a reverse proxy but I can't see a way to restirct the inbound traffic by domain and unless I'm mistaken I can't use 2 reverse proxies.

Is what I'm asking possible?

Thanks in advance for any help.

T40 v12.10.4

By investigating a different issue we found, that on every incoming email the SMTP proxy inserts a warning message on every multipart email. The message has always the following format:

Content-Type: text/plain; name="message.txt"; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

The WatchGuard Firebox that protects your network has detected a message =
that may not be safe.

Cause : The message content may not be safe.
Content type : (none)
File name : (none)
Virus status : Content-Type violation
Action : The Firebox deleted (none).

Your network administrator can not restore this attachment.

This message cannot be recognized when the email is opened in the email client however it is visible when looking at the raw content of the email.

We seem to have this issue on every Firebox of every customer however we stopped investigatin this after we found the same issue on five client boxes in sequence. All boxes are on FW 12.11.4.

Is this a known issue?

THX and kind regards

i did enable "Content Inspection" @ M370 (including Webblocker, AV and more). Websites are loading. Even for example youtube, but the videos dont run. Even radio-Streams or speedtest (like google speedtest) dont start. I disabled Webblocker, Antivirus, but it still doesnt work.

Do you have any idea?

Thanks

Mo

We have an M390 (12.11.2.B713726).

Our local LAN operates through Trusted2 interface.
We have a guest Wifi network operating on GuestWeb Interface.

One of our suppliers has a bunch of routers and we need to access their web portals.
These particular models appear to only listen for https on port 80 for some reason from what I can gather.

When I try to access one of these routers from Trusted2 LAN, it wont connect.

When I try to connect from the GuestWeb network then it will connect.

Trusted2 http proxy was using HTTP-Client.Standard.1

Guestweb proxy was using HTTP-Client.Standard.3

Comparing the 2 the only difference is that HTTP-Client.Standard.1 uses a Webblocker so I thought ok maybe the webblocker means it is inspecting the packets more and triggering the failure.

So I changed the config of the GuestWeb network http proxy to use the same HTTP-Client.Standard.1 as Trusted2 interface but it still works on the GuestWeb network.

On the Trusted2 network I then added a packet filter policy to blanket allow access from my PC to the remote IP address on port 80 and placed the policy above the default http-proxy policy and then the connection works for me.

This leads me to believe that it is the proxy that is causing the issue but it is confusing because the same policy causes no issues on the GuestWeb network.

I can see no other policies above the default http-proxy that should have an impact (there are less that a handful in total anyway)

Any suggestions appreciated...

Cheers,

~Shaun.

I increased the following proxy action:

HTTP Response > General Settings > Set the maximum line length to: 16384 (max value) does not solve it.

How do I fix this without putting the site on Content Inspection exception list?

Response denied by WatchGuard HTTP Proxy.

Reason: header-line too large line='link: https://s.yimg.com/aaq/benji/benji-2.2.195.js;rel="preload";as="script";nopush,https://s.yimg.com/du/ay/wnsrvbjmeprtfrnfx.js;rel="preload";as="script";nopush,https://securepubads.g.doubleclick.net/tag/js/gpt.js;rel="preload";as="script";nopush,https://s.yimg.com/aaq/prebid/prebid-2.0.js;rel="preload";as="script";nopush,https://s.yimg.com/eh/prebid-config/finance-us-desktop.json;rel="preload";as="fetch";crossorigin="anonymous";fetchpriority="high";nopush,https://s.yimg.com/eh/prebid-config/bp-finance.json;rel="preload";as="fetch";crossorigin="anonymous";fetchpriority="high";nopush,https://s.yimg.com/aaq/f10d509c/d3lm64ch1c76ug.js;rel="preload";as="script";nopush,<./assets/_app/immutable/assets/2.CLM3Rb54.css>; rel="preload";as="style"; nopush, '

Please contact your administrator for assistance.

More Details:

Method: GET

Host: finance.yahoo.com

Path: /

The problem devices are all wireless.

I am using a DNS-Proxy to prevent a wireless device from accessing specific destinations via name. I also have one IP address in the Blocked Sites list.

In Interfaces > DNS/WINS, the ISP's address is listed as the only DNS SERVER. The ISP takes care of autoconfiguring the modem with DNS server addresses and there are no DNS servers on the LAN side of this universe. DNS Forwarding is enabled for the hardwired devices but disabled for the wireless devices. Why? It seems that enabling DNS Forwarding for the wireless devices causes the DNS-Proxy's Proxy Action's Query Names to be useless even though the action to take is "Drop."

I've suppressed many of the log entries, but not quite all. Yes, I understand that "Unhandled Internal Packet" means the system ran through all the rules and found no final disposition for the packet. All the error messages are msg_id="3000-0148".

Deny  Wireless-1 Firebox 75 udp 20 64 [device] [firebox] 59511 53  (Unhandled Internal Packet-00)
Deny  Wireless-1 Firebox 75 udp 20 64 [device] [firebox] 35006 53  (Unhandled Internal Packet-00)
Deny  Wireless-1 Firebox 75 udp 20 63 [device] 8.8.8.8 60725 53 msg="blocked sites"  (DNS-proxy-00)
Deny  Wireless-1 Firebox 75 udp 20 64 [device] [firebox] 44401 53  (Unhandled Internal Packet-00)
Deny  Wireless-1 Firebox 75 udp 20 64 [device] [firebox] 49748 53  (Unhandled Internal Packet-00)
Deny  Wireless-1 Firebox 75 udp 20 64 [device] [firebox] 43824 53  (Unhandled Internal Packet-00)

Bonus Error

Deny External Firebox 36 igmp 24 1 [firebox] 224.0.0.1 (Unhandled External Packet-00)

That last one has been around for only about forever.

Any help here?

I'm seeking some clarification on the exact order of operations when traffic passes through an HTTPS-Proxy policy on a WatchGuard Firebox, especially when multiple security services are enabled.

Specifically, if an HTTPS-Proxy policy has IPS (Intrusion Prevention System), Application Control, Gateway AntiVirus (GAV), and WebBlocker all enabled for content inspection (assuming SSL/TLS decryption is in place), what is the precise sequence in which these services inspect the traffic?

From my understanding, it generally follows a logical flow after decryption, but I'd appreciate confirmation on the exact processing order to better understand traffic flow and troubleshoot effectively.

Any insights or links to official documentation detailing this specific order would be greatly appreciated.

Thank you in advance for your help!

Best regards,

M270 + fireware 12.11.2

I added a policy for dns queries out - tcp/upd 53 packet filter + application filter with network/dns allowed + proxy for op codes, query types, etc, from two bind9 server IPs, to any-external

Queries worked until I looked up youtube.com

It got blocked

Deny 192.168.10.111 192.43.172.30 dns/udp 60963 53 INT-PUBLIC-BRIDGE EXT-BUSINESS Application identified 80 63 (DNS OUT prefer NS1-00) proc_id="firewall" rc="101" msg_id="3000-0149" src_ip_nat="m.y.i.p" app_id="112" app_name="Youtube" app_cat_id="5" app_cat_name="Media streaming services" app_beh_id="6" app_beh_name="Access" action="DNS Only" sig_vers="18.376" flags="SR" duration="0" sent_pkts="2" rcvd_pkts="0" sent_bytes="160" rcvd_bytes="0" route_type="SD-WAN" geo_dst="USA"

Per the log I modified app control "media streaming service > youtube > access" to "allow" and tried again

Allow 192.168.10.111 192.12.94.30 dns/udp 38196 53 INT-PUBLIC-BRIDGE EXT-BUSINESS Application identified 80 63 (DNS OUT prefer NS1-00) proc_id="firewall" rc="100" msg_id="3000-0149" src_ip_nat="m.y.i.p" app_id="112" app_name="Youtube" app_cat_id="5" app_cat_name="Media streaming services" app_beh_id="6" app_beh_name="Access" action="DNS Only" sig_vers="18.376" route_type="SD-WAN" geo_dst="USA" record_type="DS" question="youtube.com"

Can you help me understand why that's needed for dns queries?

We're having problem accessing facebook.com landing page. Please see attach picture. that's all it shows. We know that they're not having problems and outside of the firebox we're able to see the pages with no problems. We were on 12.11.2 then revert it back to 12.11.1 but still the same problem. No policy changes were made on both revisions.

Also, if we reboot the firebox, reaching and displaying facebook works fine, but after 20 or 30 minutes it goes back where we cannot access or see the white page with links and missing images.[Please see attached image] Please help! Thanks!

Can anyone help why we get this deny error. We cannot have facebook to load all the images, we only get links and sometimes it does not load. We checked the firebox and not blocking is set. Users try using the desktop browser but only get links and not images and sometimes do not load.

2025-05-15 10:27:36 Deny XXX.XXX.XXX.XXX 35.190.80.1 https/udp 52868 443 Trusted INT XX.XX.XX Denied 1278 127 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" flags="SR" duration="0" sent_pkts="1" rcvd_pkts="0" sent_bytes="1278" rcvd_bytes="0" geo_dst="USA" Traffic

Thanks!

Also on a locally managed firebox there is a method to remove the WAN IP from the ban, there doesn't appear to be anyway in a cloud managed firebox to remove the blocked IP.

Is there any reason the timing on this is different from a locally managed firebox?
Is there any method to remove the IP immediately?

Any feedback is appreciated.

We replaced a failed network device relating to Car Wash equipment. Device is same model # as previous. It's assigned IP: 10.11.17.129. We had no Firewall Policies in place for previous device. However, device is being blocked by Firewall communicating with external server. Receiving the following in Traffic Monitor:

2022-06-08 16:35:08 Deny 10.11.17.129 72.78.XXX.XXX https/tcp 1057 443 Trusted External ProxyDrop: HTTPS invalid protocol (HTTPS-proxy-00) proc_id="https-proxy" rc="594" msg_id="2CFF-0007" proxy_act="Default-HTTPS-Client" length="0"

2022-06-08 16:35:08 Deny 10.11.17.129 72.78.XXX.XXX https/tcp 1057 443 Trusted External HTTPS Request (HTTPS-proxy-00) proc_id="https-proxy" rc="548" msg_id="2CFF-0000" app_id="0" app_cat_id="0" proxy_act="Default-HTTPS-Client" action="drop" sent_bytes="64" rcvd_bytes="0" tls_version="SSL_0" tls_profile="TLS-Client-HTTPS.Standard" sig_vers="18.060"

Please let me know if additional information is needed. Any thoughts or suggestions would be much appreciated.
Thank you!
Shellie

1. Block all access the web server except for a specific URL, like HTTPS://name.domain.com/page
2. Block other sites on this IIS server. Like, https://www.name.domain and crucially https://name.domain.com

Notice the site with "page" at the end in example one.

Any ideas?

I'm rolling out IPv6 internally through my M470, and I get these spurious logs.

2024-04-22 10:46:14 https-proxy 0x2c1f480-64896 681: 2a00:xxxx:yyyy::50:53741 -> 2603:1020:705:8::400:443 [!B fc] {N}: Side channel SSL failed (Domain: N/A) - proceed with rule check Debug

2024-04-22 10:46:14 pxy 0x2c1f480-64896 connect failed Connection timed out -1: :::0 -> :::0 [!A] {N} | 681: 2a00:xxxx:yyyy::50:53741 -> 2603:1020:705:8::400:443 [!B c] {N}[L!BPeo] Debug

The 2a00:xxxx:yyyy::50 is the IPv6 on the WAN interface, not the IPv6 on the LAN interface.

I actually have OPNSense behind the Watchguard LAN doing NPTv6 to translate ULA to GUA, but I do not think this is anything to do with the issue above.

I am routing a /60 down from an upstream OPNSense router to the Watchguard appliance.

Anyone any ideas what this might be? It doesnt appear to be affecting anything, but is annoying me.

Thanks

Alan

I can see the following differences in the traffic logs.
192.168.15.49 is the Win 10 workstation traffic.
192.168.15.8 is the Server 2019 traffic.

Both going out the same WAN network - Corp
Both using Outbound HTTPS proxy policy
SourcePublicIP.Redacted shows as our Static WAN. Details pulled for security reasons.
Redacted.gov is a site the TLS Test client is looking at for a certificate.
The only places I see a difference is the tls_version="SSL_0" showing on the workstation traffic. The server side showing tls_version="TLS_V12"
And the App Names, workstation showing SSL/TLS but Server showing HTTP Protocol over TLS SSL

So my understanding here is that when running the client on the server, it sends on TLS1.2 (a changeable option in the client to 1.1 or 1.0, must be 1.2 though) and the site responds with the certificate.
When running the exact same client on the workstation it is somehow switched to SSL and the response fails.

I have verified that the source devices are TLS1.2 only. All lower versions and SSL are disabled.
The server traffic can see the Domain Match from the HTTPS policy exception; ProxyAllow: HTTPS domain name match
The workstation traffic does not see that the site is listed in exceptions.
I have tested multiple different TLS Profiles but it all comes back to this. So now I am here looking for smarter folk than me that will hopefully have an answer.

2025-01-15 22:51:27 FW1 Allow 192.168.15.49 DestinationIP.Redacted https/tcp 54818 443 Corp External Application identified 40 64 (Outbound HTTPS-proxy-00) proc_id="firewall" rc="100" msg_id="3000-0149" src_ip_nat="SourcePublicIP.Redacted" tcp_info="offset 5 AF 3035482593 win 24065" app_id="697" app_name="SSL/TLS" app_cat_id="19" app_cat_name="Network protocols" app_beh_id="6" app_beh_name="Access" action="Global" sig_vers="18.350" src_user="SSOuser@Redacted.local" geo_dst="USA" Traffic

2025-01-15 22:51:27 FW1 Allow 192.168.15.49 DestinationIP.Redacted https/tcp 54818 443 Corp External HTTPS Request (Outbound HTTPS-proxy-00) HTTPS-Client.Standard.Main proc_id="https-proxy" rc="548" msg_id="2CFF-0000" proxy_act="HTTPS-Client.Standard.Main" tls_profile="TLS-Client-HTTPS.Standard.1" tls_version="SSL_0" sni="redacted.gov" cn="" cert_issuer="" cert_subject="" action="allow" app_id="697" app_cat_id="19" app_name="SSL/TLS" app_cat_name="Network protocols" sig_vers="18.350" sent_bytes="163" rcvd_bytes="7" src_user="SSOuser@Redacted.local" geo_dst="USA" Traffic

2025-01-15 22:51:27 FW1 Allow 192.168.15.49 DestinationIP.Redacted https/tcp 54819 443 Corp External HTTPS Request (Outbound HTTPS-proxy-00) HTTPS-Client.Standard.Main proc_id="https-proxy" rc="548" msg_id="2CFF-0000" proxy_act="HTTPS-Client.Standard.Main" tls_profile="TLS-Client-HTTPS.Standard.1" tls_version="SSL_0" sni="redacted.gov" cn="" cert_issuer="" cert_subject="" action="allow" app_id="697" app_cat_id="19" app_name="SSL/TLS" app_cat_name="Network protocols" sig_vers="18.350" sent_bytes="163" rcvd_bytes="7" src_user="SSOuser@Redacted.local" geo_dst="USA" Traffic

2025-01-15 22:51:28 FW1 Allow 192.168.15.49 DestinationIP.Redacted https/tcp 54819 443 Corp External Application identified 40 64 (Outbound HTTPS-proxy-00) proc_id="firewall" rc="100" msg_id="3000-0149" src_ip_nat="SourcePublicIP.Redacted" tcp_info="offset 5 AF 1493665836 win 24065" app_id="697" app_name="SSL/TLS" app_cat_id="19" app_cat_name="Network protocols" app_beh_id="6" app_beh_name="Access" action="Global" sig_vers="18.350" src_user="SSOuser@Redacted.local" geo_dst="USA" Traffic

2025-01-15 22:51:26 FW1 Allow 192.168.15.8 DestinationIP.Redacted https/tcp 65205 443 Corp External ProxyAllow: HTTPS domain name match (Outbound HTTPS-proxy-00) HTTPS-Client.Standard.Main proc_id="https-proxy" rc="590" msg_id="2CFF-0003" proxy_act="HTTPS-Client.Standard.Main" rule_name="Report" sni="redacted.gov" cn="" ipaddress="" src_user="SSOuser@Redacted.local" geo_dst="USA" Traffic

2025-01-15 22:51:27 FW1 Allow 192.168.15.8 DestinationIP.Redacted https/tcp 65205 443 Corp External Application identified 572 128 (Outbound HTTPS-proxy-00) proc_id="firewall" rc="100" msg_id="3000-0149" src_ip_nat="SourcePublicIP.Redacted" tcp_info="offset 5 A 866324252 win 4896" app_id="350" app_name="HTTP Protocol over TLS SSL" app_cat_id="19" app_cat_name="Network protocols" app_beh_id="6" app_beh_name="Access" action="Global" sig_vers="18.350" src_user="SSOuser@Redacted.local" geo_dst="USA" Traffic

2025-01-15 22:51:27 FW1 Allow 192.168.15.8 DestinationIP.Redacted https/tcp 65205 443 Corp External HTTPS Request (Outbound HTTPS-proxy-00) HTTPS-Client.Standard.Main proc_id="https-proxy" rc="548" msg_id="2CFF-0000" proxy_act="HTTPS-Client.Standard.Main" tls_profile="TLS-Client-HTTPS.Standard.1" tls_version="TLS_V12" sni="redacted.gov" cn="redacted.gov" cert_issuer="CN=DigiCert EV RSA CA G2,O=DigiCert Inc,C=US" cert_subject="CN=redacted.gov,O=Federal Deposit Insurance Corporation,L=Arlington,ST=Virginia,C=US,serialNumber=Government Entity,businessCategory=Government Entity,jurisdictionC=US" action="allow" app_id="350" app_cat_id="19" app_name="HTTP Protocol over TLS SSL" app_cat_name="Network protocols" sig_vers="18.350" sent_bytes="1186" rcvd_bytes="6317" src_user="SSOuser@Redacted.local" geo_dst="USA" Traffic

Thanks

-Client accesses an allowed site: Firebox passes the connection without decryption
-Client accesses a denied site: Firebox inspects, denies, and throws up block page

Here's how it seems to work with the cloud:

-Client accesses an allowed site: Firebox decrypts traffic, re-encrypts and passes traffic
-Client accesses a denied site: Firebox descrypts traffic, denies, and throws up block page

Given this, what's the point of "Bypass Decryption" in the WebBlocker? I've tried selecting it in several categories, but the Firebox still decrypts the traffic which can be confirmed by looking at the certificate when the page in question loads. What am I missing? Thanks!

Is this possible and if so what would the configuration look like?