Assign Webblocker policies to specific PCs

I am familiar with Watchguard but only at a beginner level. I have a Firebox M400. The previous admin uses another service to block websites and content. However, there are certain machines that need access to more websites. This is currently accomplished by placing an agent on the specific PCs. You can then place these agents into specific groups and apply a different policy to these groups. My question is if there is a way to do this with the Watchguard, thus eliminating a duplication of effort and cost. Any help would be appreciated.

Answers

  • Create multiple policies - one for those that need specific WB settings, and another for those that don't need any settings.
    Each policy needs specific From: info entered to know which policy should be applied to which traffic.
    For example - it could be a list of IP addresses (or an Alias name which contains that list of IP addrs), or a list of authenticated users.

  • Thanks. One question, can you make a list of systems based on MAC address instead of IP address?

  • No, but you can set up DHCP reservations for the MAC address and specify the IP addr for it.

  • OK. I know it's been a while but I'm taking a different tack on this. What if we filter based on user logins from Active Directory? The AD domain is already set up in the Firebox but I'm trying to determine if I need to fully implement the SSO configuration for the Firebox to make things seamless. Also, if I use the Client app on a laptop, how will it affect anything if they are offsite? TIA

  • edited April 2022

    For the firewall to know a user ID, either the user needs to authenticate to the firewall directly using the auth applet, or you need to use SSO. SSO only works for locally connected users.

    If the user is offsite, if they use a VPN or AuthPoint to connect, then there is a user ID for the connection.
    If you have a Terminal Server, then you can use the SSO Terminal Service Agent, which will provide a user ID for the connection.

  • So, if they are offsite and on a network not covered by the Firebox, they will have full internet access and the SSO Client will just be unconnected in the background? And it will then reconnect to the SSO Agent once back on the local network? Just trying to make sure I understand things....

  • Would DNSWatchGo help you for the off-network people?

    https://www.watchguard.com/wgrd-products/dnswatchgo

    Gregg Hill

  • The SSO server Agent will try to contact an SSO client, in order to get the logged on user ID. The SSO client doesn't do anything else - just responds to the SSO Agent. It doesn't control any traffic to/from the PC.
    The SSO client is optional, but is usually recommended.
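    The following is an added model (not Fireware code and not posted by anyone in this thread) of the logic the answers above describe: ordered policies whose From: lists hold an IP alias or a list of authenticated users, a DHCP reservation that turns a MAC into a fixed IP the policy can match, and an SSO lookup that only yields a user ID on the local network. All aliases, IPs, MACs, user names and policy names are constructed for illustration.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Set

# Hypothetical model of Firebox policy selection (constructed, not Fireware's own code):
# the first policy whose From: list matches the source IP or the authenticated user wins.
TRUSTED_NET = ip_network("10.0.1.0/24")           # constructed stand-in for "Any-Trusted"
ALIASES: Dict[str, Set[str]] = {
    "WB-Exempt-PCs": {"10.0.1.50", "10.0.1.51"},   # constructed IPs of the exempt PCs
    "WB-Exempt-Users": {"alice", "bob"},           # constructed AD user names
}
DHCP_RESERVATIONS = {"00:11:22:33:44:55": "10.0.1.50"}  # constructed MAC -> fixed IP

# (policy name, From: members, WebBlocker profile or None). Order matters: specific first.
POLICIES = [
    ("HTTP-Exempt",   {"WB-Exempt-PCs", "WB-Exempt-Users"}, None),
    ("HTTP-Filtered", {"Any-Trusted"},                      "Default-WB"),
]

def ip_for_mac(mac: str) -> Optional[str]:
    """A MAC-based 'list' becomes a fixed IP via DHCP reservation; the policy matches the IP."""
    return DHCP_RESERVATIONS.get(mac.lower())

def resolve_user(src_ip: str, sso_sessions: Dict[str, str], on_local_network: bool) -> Optional[str]:
    """SSO only identifies locally connected users; offsite, the firewall sees no user ID."""
    return sso_sessions.get(src_ip) if on_local_network else None

def from_matches(members: Set[str], src_ip: str, user: Optional[str]) -> bool:
    addr = ip_address(src_ip)
    for m in members:
        if m == "Any-Trusted" and addr in TRUSTED_NET:
            return True
        expanded = ALIASES.get(m, {m})            # alias name -> its contents, else literal
        if src_ip in expanded or (user is not None and user in expanded):
            return True
    return False

def select_policy(src_ip: str, user: Optional[str] = None):
    """Return (policy name, WebBlocker profile) for the first matching policy, else None."""
    for name, members, profile in POLICIES:
        if from_matches(members, src_ip, user):
            return name, profile
    return None

def webblocker_profile(src_ip: str, sso_sessions=None, on_local_network: bool = True):
    """End-to-end: resolve the user (if SSO can), then pick the policy's WebBlocker profile."""
    user = resolve_user(src_ip, sso_sessions or {}, on_local_network)
    hit = select_policy(src_ip, user)
    return hit[1] if hit else None
```

    A PC in the exempt alias (or a user in the exempt user list) gets the unfiltered policy, any other trusted host falls through to the WebBlocker policy, and an offsite laptop matches nothing here because the Firebox never sees its traffic.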
