http proxy exceptions vs separate packet filter policy

I've got a whole bunch of FQDNs I'd like to whitelist for new outbound connections on all Fireboxes I set up. Is there technically a difference where I put the whitelist? For instance, I was thinking of creating a packet filter policy for port 80/443 and adding all of my FQDNs to an 'allowed' alias. Seems like better visibility and easier management, versus adding items to the HTTP proxy exceptions list in the proxy action. (We typically do not inspect HTTPS traffic, but do use the HTTPS proxy for WebBlocker.) Is there a best practice for this? And is there any technical difference in how these objects would be processed?

Comments

  • There is a difference.

    For the packet filter, the FQDNs would need to get resolved to IP addr(s) for this to work, whereas the HTTP proxy can see the domain name being accessed.
    For HTTPS, all the HTTPS proxy can see is the CN or the SNI from the web site certificate, which may not match the FQDN for that site.

    Review this - related to using a FQDN on a packet filter.
    About Policies by Domain Name (FQDN)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/policies/fqdn_about_c.html

  • Awesome. Will do, thanks Bruce

  • There is also the difference of what gets blocked. A packet filter does not inspect content and won't block anything, but an HTTP proxy, even with exceptions, still does some filtering and can block web pages if the traffic is not HTTP traffic.

    Gregg Hill
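To make the two answers above concrete, here is an added, constructed simulation (not Firebox or WatchGuard code, and not posted by anyone in this thread) of how the same outbound connection is evaluated by an FQDN packet-filter alias, which can only compare the destination IP against whatever the FQDN resolved to, versus an HTTP/HTTPS proxy exception, which compares the hostname it actually sees in the Host header or TLS SNI. The DNS table, FQDNs, IPs and connections are all made up; the cases cover Bruce's point (a shared IP or a certificate name that does not match the FQDN) and Gregg's point (non-HTTP traffic on the port is still rejected by the proxy even when an exception exists).

```python
"""Constructed comparison of FQDN packet-filter matching versus HTTP proxy
exception matching. Not vendor code; all names and addresses are invented."""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed DNS answers: what the firewall resolver would cache for each
# FQDN in the 'allowed' alias at the moment the policy is evaluated.
DNS_TABLE: Dict[str, Set[str]] = {
    "updates.example.com": {"203.0.113.10", "203.0.113.11"},
    "cdn.example.net": {"198.51.100.5"},  # a CDN address shared by many sites
}

# The same whitelist, used both as the alias and as the proxy exception list.
ALLOWED_FQDNS = {"updates.example.com", "cdn.example.net"}


@dataclass
class Connection:
    dst_ip: str
    dst_port: int
    host: Optional[str]  # HTTP Host header or TLS SNI; None if not present
    is_http: bool        # True if the payload parses as HTTP or a TLS handshake


def packet_filter_allows(conn: Connection, allowed_fqdns: Set[str],
                         dns_table: Dict[str, Set[str]]) -> bool:
    """FQDN alias on a packet filter: only the resolved IPs are compared.
    Anything else hosted on those IPs passes, and an IP not yet in the
    resolver cache is denied even if the client really is going to the FQDN."""
    allowed_ips: Set[str] = set()
    for fqdn in allowed_fqdns:
        allowed_ips |= dns_table.get(fqdn, set())
    return conn.dst_ip in allowed_ips


def proxy_exception_allows(conn: Connection, allowed_fqdns: Set[str]) -> bool:
    """Proxy exception: matched on the hostname the proxy observes.
    Traffic that is not HTTP/TLS on the proxied port is dropped by the proxy
    regardless of the exception list."""
    if not conn.is_http or conn.host is None:
        return False
    return conn.host.lower().rstrip(".") in allowed_fqdns


def compare(conn: Connection) -> Dict[str, bool]:
    """Return how each mechanism treats one connection."""
    return {
        "packet_filter": packet_filter_allows(conn, ALLOWED_FQDNS, DNS_TABLE),
        "proxy_exception": proxy_exception_allows(conn, ALLOWED_FQDNS),
    }


# Constructed sample connections, labelled by the point each illustrates.
CASES = {
    "legit_https": Connection("203.0.113.10", 443, "updates.example.com", True),
    "shared_cdn_ip_other_site": Connection("198.51.100.5", 443, "other.example.org", True),
    "cert_name_differs_from_fqdn": Connection("203.0.113.10", 443, "edge-cert.example.com", True),
    "non_http_on_443": Connection("203.0.113.10", 443, None, False),
    "dns_answer_not_in_cache": Connection("203.0.113.12", 443, "updates.example.com", True),
}


def run_cases() -> Dict[str, Dict[str, bool]]:
    return {name: compare(conn) for name, conn in CASES.items()}


if __name__ == "__main__":
    for name, result in run_cases().items():
        print(f"{name:30} packet_filter={result['packet_filter']!s:5} "
              f"proxy_exception={result['proxy_exception']}")
```

The two mismatched columns are the practical answer to the question: the packet filter lets through anything sharing an allowed IP and denies a legitimate connection to an address the resolver has not cached yet, while the proxy exception keys on the observed hostname and still drops non-HTTP traffic on the port.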
