Web Blocker Override Password loop

Hi There,

I am trying to set up our Watchguard to block a list of social networking websites (company policy), but to only allow certain directors to access it when needed. So we decided to use HTTPS Proxy with inspection and local CA certificate on the firebox.

Once I get the HTTPS proxy set up, and point to the correct HTTP proxy for action to inspect traffic.

When I am testing out on one of the computers, it gives the Deny message with the option to enter the Override password. Once I add the password, it loads back to the deny message and it just keeps on looping to the same deny message every time you enter the correct password.

Any suggestions would be great, as currently have the case opened with Watchguard support, who haven't been able to find the issue.

Comments

  • Is the domain name different for each need for a password?

    Care to provide a sample URL which is showing this issue?

    Could you have separate policies for the certain directors, and thus not need the WB override option?

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @karolis

    The issue you're likely running into is that you're allowing the URL you're typing in, but not the others that are associated with it.

    For example, if I attempt to access Facebook from my location in Seattle, the following domains would need to be allowed:
    -facebook.com
    -scontent-sea1-1.xx.fbcdn.net
    -scontent.xx.fbcdn.net
    -static.xx.fbcdn.net
    This isn't accounting for any advertising, or additional content I might load, and one of those links is region based.

    You have a few options:

    -You can put a * in for the site on the override page to simply allow everything for that time period -- while less than ideal, end users won't generally be able to or want to determine what sites are needed for the thing they're trying to access to load.

    -Use single sign on and make a different policy set for these users that allows use of these sites by category.

    (Quick Start — Set Up Active Directory Single Sign-On (SSO))
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/authentication/sso_quick_start.html

    Once SSO is enabled, you can use the groups the users are part of to determine what firewall rules apply to them. This would allow you to have a policy set like

    Directors (HTTP)
    Directors (HTTPS)
    Everyone else / existing policy (HTTP)
    Everyone else / existing policy (HTTPS)

    if you need assistance finding a solution that'll best fit your situation, I'd suggest opening a support ticket with our team and we can help go over details and find something that'll best fit your situation.

    -James Carson
    WatchGuard Customer Support

  • edited November 2021

    Hi There,

    Thanks for both of your replies. I was on annual leave for couple days.

    There is currently a test policy which only applies only single device, which i am setting this up on.
    No other policy has Password Override enabled.

    As I have access to other watchguard firewalls, I made a test policy on another watchguard firewall (other site), to enforce this for just 1 computer, and it works as you should expect.
    I exported Proxies and web blocker configs from the working setup and uploaded to the looping site. This unfortunately did not manage to fix this issue.

    James, as I mentioned, I do have the ticket logged with support, but so far they haven't been able to provide me with any tips / suggestions, so I was just hoping that some people out there might have came across this before.

    Regards,

    Karolis

Sign In to comment.