XTM 330 Web Blocker not blocking sites

Hi guys, I have a problem with our WatchGuard. It's not blocking social media sites even though I already ticked Society and Lifestyles, I even ticked

  1. Social Web - Facebook
  2. Social Web - LinkedIn
  3. Social Web - Twitter
  4. Social Web - Youtube

but still, users can access all of these sites.

I even put those URLs in the Exceptions tab and set the action to Deny. Still didn't work. What could be the reason for this?

Comments

  • james.carson Moderator, WatchGuard Representative
    edited August 2019

    Hi Carl

    Thanks for writing.

    There are a few things you'll want to check.

    1. I'd suggest making sure that your XTM330 is on the latest firmware -- that will be 12.1.3 for the XTM line. This will be listed when you log in via system manager, or on the front panel display of the webUI. If you're out of date, you can get the latest software at software.watchguard.com.

    2. All of the sites you linked are primarily HTTPS, so you'll want to make sure you're not looking at an HTTP proxy policy. WebBlocker works best when Content Inspection is enabled, but can work pretty well with that feature turned off. If you're editing a normal HTTP proxy policy, those sites will bypass it.

    3. If your users are using chrome, and your standard outgoing policy is in place, you'll want to ensure you're denying the QUIC protocol, which will bypass the proxy and webblocker. You can read more about that here:

    (How to prevent connections from Chrome browsers that bypass WebBlocker and SafeSearch restrictions with QUIC protocol?)
    https://watchguardsupport.secure.force.com/publicKB?type=KBArticle&SFDCID=kA2F0000000k9gSKAQ&lang=en_US

    If you're still having issues with this, I'd suggest creating a support ticket so that one of our technicians can look at the issue with you. You can create a support case online or via the phone, more info here: https://www.watchguard.com/wgrd-support/contact-support

    Welcome, and we look forward to getting your configuration all set up to do what you need it to!

    Thank you,

    (edit - fixed typo)

    -James Carson
    WatchGuard Customer Support

  • @James_Carson said:
    Hi Carl

    Thanks for writing.

    There are a few things you'll want to check.

    1. I'd suggest making sure that your XTM330 is on the latest firmware -- that will be 12.1.3 for the XTM line. This will be listed when you log in via system manager, or on the front panel display of the webUI. If you're out of date, you can get the latest software at software.watchguard.com.

    2. All of the sites you linked are primarily HTTPS, so you'll want to make sure you're not looking at an HTTP proxy policy. WebBlocker works best when Content Inspection is enabled, but can work pretty well with that feature turned off. If you're editing a normal HTTP proxy policy, those sites will bypass it.

    3. If your users are using chrome, and your standard outgoing policy is in place, you'll want to ensure you're denying the QUIC protocol, which will bypass the proxy and webblocker. You can read more about that here:

    (How to prevent connections from Chrome browsers that bypass WebBlocker and SafeSearch restrictions with QUIC protocol?)
    https://watchguardsupport.secure.force.com/publicKB?type=KBArticle&SFDCID=kA2F0000000k9gSKAQ&lang=en_US

    If you're still having issues with this, I'd suggest creating a support ticket so that one of our technicians can look at the issue with you. You can create a support case online or via the phone, more info here: https://www.watchguard.com/wgrd-support/contact-support

    Welcome, and we look forward to getting your configuration all set up to do what you need it to!

    Thank you,

    (edit - fixed typo)

    Oh man. I just checked the firmware. It's still Fireware XTM v11.9.4! And I asked my officemate, who's been in the company for 3 years; he said he can't remember them ever upgrading the firmware of this Firebox. Now I'm also afraid to do that because it might cause an internet outage. Can you help me go through the firmware upgrade? I would love to do it, but I'm just not sure what to do.

  • @James_Carson said:
    Hi Carl

    Thanks for writing.

    There are a few things you'll want to check.

    1. All of the sites you linked are primarily HTTPS, so you'll want to make sure you're not looking at an HTTP proxy policy. WebBlocker works best when Content Inspection is enabled, but can work pretty well with that feature turned off. If you're editing a normal HTTP proxy policy, those sites will bypass it.

    2. If your users are using chrome, and your standard outgoing policy is in place, you'll want to ensure you're denying the QUIC protocol, which will bypass the proxy and webblocker. You can read more about that here:

    (How to prevent connections from Chrome browsers that bypass WebBlocker and SafeSearch restrictions with QUIC protocol?)
    https://watchguardsupport.secure.force.com/publicKB?type=KBArticle&SFDCID=kA2F0000000k9gSKAQ&lang=en_US

    If you're still having issues with this, I'd suggest creating a support ticket so that one of our technicians can look at the issue with you. You can create a support case online or via the phone, more info here: https://www.watchguard.com/wgrd-support/contact-support

    Welcome, and we look forward to getting your configuration all set up to do what you need it to!

    Thank you,

    (edit - fixed typo)

    I only have an HTTPS-Proxy.Finance/HR/Sales/etc., and in the Content Inspection, "Enable deep inspection of HTTPS content" is ticked. Then there's an HTTP-Client.Finance proxy action below it, and that HTTP-Client.Finance proxy action is where I play around with the WebBlocker.

  • You need an active LiveSecurity license in order to upgrade your firmware.
    You can open a support incident to get WG help on anything, including an upgrade.
    However, mostly all you need to do is to read the Release Notes, which has a section on how to do an upgrade.
    https://www.watchguard.com/support/release-notes/fireware/12/en-US/EN_ReleaseNotes_Fireware_12_1_3_U2/Fireware_Release-Notes_v12_1_3_U2.pdf

    FYI - WebBlocker Server w/ Surfcontrol is now End of Life - so that will not work.
    You need to use WebBlocker Cloud.

  • Let's also mention that GAV has not been working since it was changed with 12.0 and there is the whole certificate thing too.. Big job this one.. Time for a new and faster box me thinks.. B)

    Adrian from Australia

  • james.carson Moderator, WatchGuard Representative

    Hi @Carl

    The best I can do for walking through upgrades would be the release notes that Bruce posted. There's a whole section that walks through each step.

    If you'd like to take a deeper look at it, please create a support case so that one of our technicians can take a look at it. The forums are a bit limited, as we don't want to post any personal information or firewall configurations here, as the whole world can see them.

    I would definitely recommend considering the upgrade (should take ~5-10 minutes or so), as the version you're running has the older Gateway AntiVirus engine that runs off AVG definitions. In v12.0 we moved to BitDefender, and those are the only definitions that are provided anymore, as AVG's are now end of life.

    Again, if you're looking for anything more detailed, please create a support case and a tech can help. You can find more info here:
    https://www.watchguard.com/wgrd-support/contact-support

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • @James_Carson said:
    Hi Carl

    Thanks for writing.

    There are a few things you'll want to check.

    1. All of the sites you linked are primarily HTTPS, so you'll want to make sure you're not looking at an HTTP proxy policy. WebBlocker works best when Content Inspection is enabled, but can work pretty well with that feature turned off. If you're editing a normal HTTP proxy policy, those sites will bypass it.

    But the HTTPS-proxy policy doesn't have WebBlocker. Only the HTTP-proxy policy has WebBlocker. So, how am I able to use the WebBlocker on the HTTPS-proxy policy?

    I have already blocked UDP ports 80 and 443 and disabled Google Chrome's QUIC extension. Still, they're able to access youtube.com.

    I only want to allow google, gmail, and certain sites except social media sites such as youtube, facebook, twitter, and other social media sites.

  • On the HTTPS proxy action, there is a WebBlocker category that you can select.

    You can review the HTTPS section of the docs for V11.9.4, here:
    https://www.watchguard.com/help/docs/wsm/XTM_11/en-US/index.html#en-US/proxies/https/https_webblocker_settings_c.html

  • @Bruce_Briggs said:
    On the HTTPS proxy action, there is a WebBlocker category that you can select.

    You can review the HTTPS section of the docs for V11.9.4, here:
    https://www.watchguard.com/help/docs/wsm/XTM_11/en-US/index.html#en-US/proxies/https/https_webblocker_settings_c.html

    Thanks a lot, Bruce. I just did it, but nothing happened. I really don't understand why this is not working. I already blocked UDP ports 80 and 443. They can still access social media sites. I myself tried using their PC to access YouTube without using VPNs. I also made sure that I selected the right alias for which I want to block sites. They can access the sites using Google Chrome, Firefox, or even Internet Explorer.

    As of now, I have HTTP-proxy and HTTPS-proxy policies. Both of the policies are using the same application control policy and WebBlocker policy. But I have another problem, because there is no log server set up on this Firebox. I thought maybe it was just because of the manual ordering, so I switched it to auto-order mode, but still no changes.

  • More things to learn.
    1) many sites are now using HTTPS - so any WB settings on the HTTP proxy will not help for those sites if one is not doing Inspect on the HTTPS proxy action
    2) if one is not doing Inspect on the HTTPS proxy action, what the HTTPS proxy action can see is the info from the certificate of the web site - the CN or SNI fields. So you need to know what is in those fields to know if whatever you are entering in your WB rules will match the web site being accessed. The best way to do this is to look at the cert info from the web site involved - you can do this with most web browsers. One can also select Inspect, select Log on the Domain Names "If none Matched" = Allow entry - then you will see the CN & SNI info in Traffic Monitor.
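    An added Python illustration of Bruce's point (not code from the thread or from WatchGuard): with Inspect off, the only name an HTTPS proxy can match is the one the client sends in the TLS ClientHello's SNI extension, so a deny rule only fires if it matches that field. The ClientHello bytes and the deny list below are constructed for the example; the suffix-matching rule is an assumption about how a domain-style WebBlocker entry behaves, not WatchGuard's documented algorithm.

```python
import struct

# Constructed deny list standing in for the WebBlocker entries from the thread.
DENY_DOMAINS = {"youtube.com", "facebook.com", "twitter.com", "linkedin.com"}


def build_client_hello(server_name):
    """Construct a minimal TLS 1.2 ClientHello record carrying one SNI entry."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host   # type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # server_name ext
    body = (b"\x03\x03" + b"\x00" * 32          # version + random
            + b"\x00"                            # empty session id
            + b"\x00\x02\x13\x01"                # one cipher suite
            + b"\x01\x00"                        # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI host name from a ClientHello record, or None if absent."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 9 + 2 + 32                      # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                # session id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher suites
    pos += 1 + record[pos]                # compression methods
    if pos + 2 > len(record):
        return None                       # no extensions block at all
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if etype == 0:                    # list len(2), name type(1), name len(2), name
            name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            return record[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += elen
    return None


def webblocker_decision(sni, deny=DENY_DOMAINS):
    """Deny if the SNI equals, or is a subdomain of, a denied domain."""
    if sni is None:
        return "allow"                    # nothing to match without inspection
    labels = sni.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in deny:
            return "deny"
    return "allow"
```

    A ClientHello for www.youtube.com is denied because its SNI ends in youtube.com, while mail.google.com is allowed; a flow with no readable SNI (or one never seen by the proxy, such as QUIC over UDP 443) yields no match at all.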

  • Thanks a lot guys. Problem solved.
