HTTPS / WebBlocker Configuration Question

Hello
I need some guidance on using WebBlocker with the HTTPS proxy.
Currently running an M270 with 12.7.2.
I use System Manager.

I am currently configuring HTTP/HTTPS proxies for outbound traffic from our LAN.
I configured the HTTP proxy with WebBlocker without incident, and it works perfectly.

When I add the HTTPS proxy, there is a configuration option to use WebBlocker.
If I select the WebBlocker template I used for HTTP, I notice that the Inspect checkbox in the HTTPS proxy config is not accessible for any category that I have set to deny in HTTP.

I have installed the WatchGuard cert on my test machine and notice that any HTTPS traffic to a category denied in HTTP passes through.

Subsequently, I created an independent WebBlocker template in which I allowed everything. Then I checked Inspect for any category I want to block. Things are blocked properly and work as expected.

Question: Am I doing this right? None of the videos, tutorials, or wizards seem to hint that this is the proper way to configure this. I was expecting that anything denied in HTTP would carry through to HTTPS. I thought the Firebox decrypts and then applies the HTTP category.

Thanks in advance.

DC

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @DC,

    The checkbox is grayed out because it won't invoke content inspection when it's already in use.

    If it's already being sent to the HTTP proxy, the system will look at the actual HTTP GET request, whereas in the HTTPS proxy it's using SNI in the certificate to determine where the user is going (since the actual traffic is encrypted). Since the HTTP GET will be more accurate, there's no need to bother with the SNI, hence the checkbox is grayed out.

    -James Carson
    WatchGuard Customer Support
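The distinction in the reply above, hostname-only classification of encrypted traffic versus full-request classification of plaintext HTTP, as an added example that is not part of the original thread and not WatchGuard code. It builds a minimal TLS ClientHello, reads the server_name (SNI) extension the way any TLS-aware proxy can before decryption (SNI travels in the ClientHello, so it is readable without the private key), parses a plaintext HTTP request for host and path, and runs both through a hypothetical longest-prefix category table. The `CATEGORIES` table, the sample request and the hostname `example.com` are all constructed for illustration.

```python
import struct
from typing import Optional, Tuple

# Hypothetical category table for illustration only; it is not WebBlocker
# data. Keys are host or host/path prefixes, matched longest-prefix-first.
CATEGORIES = {
    "example.com": "Business",
    "example.com/games": "Games",
}

# Constructed sample: a plaintext request an HTTP proxy sees in full.
HTTP_REQ = (b"GET /games/index.html HTTP/1.1\r\n"
            b"Host: example.com\r\nUser-Agent: demo\r\n\r\n")


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2-style ClientHello record with one SNI extension.
    Constructed test input: random/session fields are zeroed, one cipher suite."""
    host = server_name.encode("ascii")
    sni_list = struct.pack("!BH", 0, len(host)) + host          # name_type 0 = host_name
    sni_data = struct.pack("!H", len(sni_list)) + sni_list      # server_name_list
    sni_ext = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                # version, random, sid len
            + b"\x00\x02\x13\x01" + b"\x01\x00" + extensions)   # suites, compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Walk a TLS ClientHello record and return server_name, or None.
    This is all a proxy can read before decrypting: a hostname, never a path."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None
        hs = record[5:]
        if hs[0] != 0x01:
            return None
        p = 38                                           # hdr(4) + version(2) + random(32)
        p += 1 + hs[p]                                   # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]     # cipher_suites
        p += 1 + hs[p]                                   # compression_methods
        if p + 2 > len(hs):
            return None                                  # no extensions block
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if ext_type == 0x0000 and ext_len >= 5:
                name_type = hs[p + 2]                    # skip server_name_list length
                name_len = struct.unpack("!H", hs[p + 3:p + 5])[0]
                if name_type == 0:
                    return hs[p + 5:p + 5 + name_len].decode("ascii", "replace")
            p += ext_len
    except (IndexError, struct.error):
        return None
    return None


def parse_http_request(raw: bytes) -> Tuple[str, str]:
    """Return (host, request-target) from a plaintext HTTP/1.1 request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    return host, target


def classify(host: str, path: str = "") -> str:
    """Longest-prefix category lookup over host + path. With only an SNI
    hostname the path is empty, so path-level entries can never match."""
    key = host.lower() + path.split("?", 1)[0].rstrip("/")
    best = ("", "Uncategorized")
    for prefix, cat in CATEGORIES.items():
        if (key == prefix or key.startswith(prefix + "/")) and len(prefix) > len(best[0]):
            best = (prefix, cat)
    return best[1]


def classify_http_request(raw: bytes) -> str:
    host, target = parse_http_request(raw)
    return classify(host, target)


def classify_https_client_hello(record: bytes) -> str:
    sni = extract_sni(record)
    return classify(sni) if sni else "Uncategorized"
```

With this table the same site classifies as "Games" from the HTTP request (the path is visible) but as "Business" from the ClientHello (only `example.com` is visible). That is the practical reason a path-aware deny configured against plaintext HTTP cannot be reproduced from SNI alone: the proxy has to decrypt to see the path, and once it does, the request is plaintext HTTP again.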

  • edited December 2021

    So to confirm: if using both the HTTP and HTTPS proxies, the HTTPS proxy hands off the request to the HTTP proxy and the WebBlocker list from HTTP is invoked?

    I ask again because when I had this set up, any HTTPS traffic to a restricted category was going through, meaning I could view denied categories in my browser.

  • james.carson Moderator, WatchGuard Representative

    @casteld73

    If content inspection is turned on, you'll see an option of which HTTP proxy action to hand it off to, and it is handed off to that HTTP proxy. All proxy policies in that policy (including WebBlocker) are handled there.

    By far the most common reason I see WebBlocker bypassed is the QUIC protocol, which Chrome (and now Edge) use natively.

    You can make a policy to deny that traffic by following the KB here:
    https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA10H000000g3dzSAA&lang=en_US

    If you're still running into issues, I'd suggest a support case so we can get more details about what you're running into, see your logs, and work on a solution from there. You can create a support case via the Support Center link at the top right of this page.

    -James Carson
    WatchGuard Customer Support
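The QUIC bypass described in the reply above, as an added example that is not part of the thread and not WatchGuard code. Browsers that speak QUIC send the TLS handshake over UDP/443, so a proxy that only handles TCP/443 never sees it. The block decodes the version-independent QUIC long-header fields (RFC 8999) to recognise an Initial packet on UDP/443, and models the deny-UDP/443 rule that forces the browser back to TCP. The sample payloads are constructed, not captured, and the blanket UDP/443 deny is stated as the usual approach, not as a summary of the linked KB article.

```python
import struct
from typing import Dict, Optional

QUIC_V1 = 0x00000001   # RFC 9000
QUIC_V2 = 0x6B3343CF   # RFC 9369

# Constructed sample UDP payloads (not captured traffic):
# a QUIC v1 Initial with an 8-byte DCID, and a DNS-shaped query for contrast.
QUIC_INITIAL = (b"\xc3" + b"\x00\x00\x00\x01" + b"\x08" + bytes(range(8))
                + b"\x00" + b"\x00" + b"\x40\x10" + b"\x00" * 16)
DNS_QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"


def parse_quic_long_header(payload: bytes) -> Optional[Dict[str, object]]:
    """Decode the QUIC long-header invariants and say whether this is an
    Initial packet. The Initial carries the TLS ClientHello inside CRYPTO
    frames protected with keys derived from the DCID (RFC 9001), so a
    TCP-only HTTPS proxy never gets to read the SNI inside it."""
    if len(payload) < 7:
        return None
    first = payload[0]
    if not first & 0x80:                     # short header: 1-RTT data, not a handshake
        return None
    version = struct.unpack("!I", payload[1:5])[0]
    if version != 0 and not first & 0x40:    # fixed bit must be set (RFC 9000 17.2)
        return None
    p = 5
    dcid_len = payload[p]
    p += 1
    dcid = payload[p:p + dcid_len]
    p += dcid_len
    if p >= len(payload):
        return None
    scid_len = payload[p]
    p += 1
    scid = payload[p:p + scid_len]
    if len(dcid) != dcid_len or len(scid) != scid_len:
        return None
    type_bits = (first & 0x30) >> 4          # v1: Initial = 0b00; v2 renumbers it to 0b01
    initial = (version == QUIC_V1 and type_bits == 0) or (version == QUIC_V2 and type_bits == 1)
    return {"version": version, "initial": initial, "dcid": dcid.hex(), "scid": scid.hex()}


def quic_handshake_on_443(proto: str, dport: int, payload: bytes) -> bool:
    """True when the flow is a QUIC long-header packet on UDP/443: web traffic
    that never reaches a TCP/443 HTTPS proxy, so WebBlocker never sees it."""
    if proto != "udp" or dport != 443:
        return False
    return parse_quic_long_header(payload) is not None


def policy_verdict(proto: str, dport: int, payload: bytes) -> str:
    """Model a deny rule for outbound UDP/443 placed above the general allow
    (assumption: the usual way to push browsers back to TCP/443, where the
    HTTPS proxy applies). Denying all UDP/443 rather than only recognised
    QUIC headers avoids misses on short-header packets and future versions."""
    if proto == "udp" and dport == 443:
        return "deny"
    return "allow"
```

The detector is useful for confirming what is in a capture when WebBlocker appears to be bypassed; the policy model shows why the deny is on the port rather than on parsed QUIC fields.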
