Can't browse google.com sometimes

So, sometimes, when I try to browse google.com, I get these messages in my traffic monitor.

2022-12-29 20:25:07 Deny 10.0.1.225 142.250.190.4 https/tcp 65267 443 Trusted External blocked sites 52 127 (HTTPS-proxy-00) proc_id="firewall" rc="101" msg_id="3000-0173" tcp_info="offset 8 S 3077427955 win 61690" geo_dst="USA"
2022-12-29 20:26:04 Deny 10.0.1.225 142.250.190.4 https/tcp 65513 443 Trusted External blocked sites 52 127 (HTTPS-proxy-00) proc_id="firewall" rc="101" msg_id="3000-0173" tcp_info="offset 8 S 1022425615 win 61690" geo_dst="USA"

I can't find anything blocking google.com in my HTTPS Proxy rule. Any ideas?

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @davidortenn79
    Something in your blocked sites list is probably getting grabbed and matches that FQDN.

    Pull a support file for your firewall
    (Firebox System Manager under the status report tab, click support, then retrieve, or WebUI under system status -> diagnostic tasks, and click to download a support log file.)

    You'll need a program like 7-zip (free) that can open TGZ files

    Navigate to the following file in your support file:
    Firewall_support.tgz\Firewall_support.tar\Fireware_XTM_Support.tgz\Fireware_XTM_Support.tar\support\firewall\fqdnd_cache_dump.txt

    Search for that IP (142.250.190.4) in this file.

    If you find it, look directly above the IP for the FQDN information for that IP. For example:

    I have 23.7.179.246. The firewall logged that pandasecurity.org resolves to this:

    FQDN[1403:1] domainID: 17, pandasecurity.com(pandasecurity.com), refcnt: 1, Status: Perfect
    FQDN[1403:1] IP Count: 2 , Sub-label: 0 , total-adding=10 , total-deleting=8 , total-earlydrop=0
    FQDN[1403:1] Type: wildcard , Duration: 0 (s)
    FQDN[1403:1] NS: ns-1520.awsdns-62.org(205.251.197.240), AA-Min-TTL: 300 , Duration: 0 (s), Update-count: 1
    FQDN[1403:1] TTL: 300(s), Flag: 00000600

     Index     Address       TTL   TTL-PKT   AA    Expiration           FLAG      Label        CNAME
    [001]  23.7.179.246     300     20       NAA  remain 0h:1m:11s    00000032  www            
    

    Do you have a blocked sites entry for that IP or FQDN in your blocked sites list?
    (Block a Site Permanently)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/intrusionprevention/blocked_sites_permanent_c.html

    If so, remove it.

    (I would strongly recommend not putting FQDNs in the blocked sites list unless you have a very specific reason to do so. It should not be used as an alternate webblocker deny list. Webblocker looks at the full URL path, whereas blocked sites only makes a match to an IP and denies all traffic to that IP.)

    -James Carson
    WatchGuard Customer Support
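
The lookup described in the reply above (find the denied IP in fqdnd_cache_dump.txt, then read the FQDN header above it), as an added Python example that is not part of the original reply and is not WatchGuard code. The line layout is assumed from the excerpt quoted in the reply; the second sample entry and the name `find_fqdn_for_ip` are constructed for illustration.

```python
import ipaddress
import re

# Line shapes assumed from the excerpt quoted in the reply above.
HEADER = re.compile(r"^\s*FQDN\[[^\]]*\]\s+domainID:\s*\d+,\s*([^\s(,]+)")
FTYPE = re.compile(r"^\s*FQDN\[[^\]]*\]\s+Type:\s*(\w+)")
ROW = re.compile(r"^\s*\[\d+\]\s+(\S+)(.*)$")

# First entry is the excerpt from the reply; the second is constructed.
SAMPLE_DUMP = """\
FQDN[1403:1] domainID: 17, pandasecurity.com(pandasecurity.com), refcnt: 1, Status: Perfect
FQDN[1403:1] IP Count: 2 , Sub-label: 0 , total-adding=10 , total-deleting=8 , total-earlydrop=0
FQDN[1403:1] Type: wildcard , Duration: 0 (s)
FQDN[1403:1] TTL: 300(s), Flag: 00000600
 Index     Address       TTL   TTL-PKT   AA    Expiration           FLAG      Label        CNAME
[001]  23.7.179.246     300     20       NAA  remain 0h:1m:11s    00000032  www
FQDN[1404:1] domainID: 18, example.net(example.net), refcnt: 1, Status: Perfect
FQDN[1404:1] Type: wildcard , Duration: 0 (s)
 Index     Address       TTL   TTL-PKT   AA    Expiration           FLAG      Label        CNAME
[001]  192.0.2.10       300     20       NAA  remain 0h:2m:0s     00000032
"""

def find_fqdn_for_ip(dump_text, ip):
    """Return the FQDN cache entries whose address rows contain `ip`."""
    target = ipaddress.ip_address(ip)
    hits, entry = [], None
    for line in dump_text.splitlines():
        if m := HEADER.match(line):
            entry = {"fqdn": m.group(1), "type": None}
        elif (m := FTYPE.match(line)) and entry:
            entry["type"] = m.group(1)
        elif (m := ROW.match(line)) and entry:
            try:
                addr = ipaddress.ip_address(m.group(1))
            except ValueError:
                continue  # bracketed row that is not an address row
            if addr == target:
                cols = m.group(2).split()
                # Label is the 7th column after the address, when present.
                label = cols[6] if len(cols) > 6 else None
                hits.append({**entry, "label": label})
    return hits

if __name__ == "__main__":
    for ip in ("23.7.179.246", "142.250.190.4"):
        print(ip, "->", find_fqdn_for_ip(SAMPLE_DUMP, ip) or "not in FQDN cache")
```

To run it against a real support file, read the extracted fqdnd_cache_dump.txt into a string and pass it in place of `SAMPLE_DUMP`; any FQDN it returns is the one to look for in the blocked sites list.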