real-time webblocker service status

Is there some place to check real-time (or nearly so) status of some of these external services; in this case webblocker? It appears to be giving us problems at the moment.

Answers

  • @Bruce_Briggs thanks for that. That's the concept of what I was hoping for. However, unless I'm missing them, I don't see webblocker or spamblocker as standalone services, both of which have been giving me fits this morning.

  • No, those are not listed.
    However, at this moment, WG doesn't think that there are issues with their services.

    I'm not experiencing issues with WB.
    I don't use spamBlocker.

    You can open a support case on this.

  • james.carson Moderator, WatchGuard Representative

    Hi @eichenadmin

    I don't have any reported issues with webblocker, but I'd suggest taking a look at this article, specifically the second half of it:

    (Optimize WebBlocker performance)
    https://techsearch.watchguard.com/KB/WGKnowledgeBase?lang=en_US&SFDCID=kA2F00000000LRpKAM&type=KBArticle

    The majority of webblocker issues that I encounter end up being DNS based issues, so that's generally where I start looking.

    -James Carson
    WatchGuard Customer Support

  • edited April 2023

    Continuing the discussion and our ongoing problems with these services, I wonder if there might be another piece at play for us right now. Since I believe that both of these services reach out to the internet to make the final determination, I am now wondering exactly how they reach out to the backend service on the internet.

    We have multiple external connections with multiple SD-WAN actions and one of those connections is having sporadic problems over the past few days. In real world functionality, this particular external connection is our lowest throughput, least used external connection that is almost just a backup. So, I have not put that problem as a priority. However, as physically connected, it happens to be eth0.

    Does anyone know exactly how the firebox decides what route is used to access the web specifically as used by the webblocker & spamblocker services themselves? Do they:
    1. use the configured multi-wan settings by weight? (hopefully not by interface order)
    2. follow the SD-WAN setting for the specific policy that is being evaluated at that moment?
    3. numerically lowest external interface?
    4. or something else?

    This is an M270 w/12.9.2 by the way.

  • What Multi-WAN setting do you have?
    Is eth0 the lowest on your interfaces list in the Multi-WAN settings?

    The evaluation traffic comes from the firewall itself. So no SD-WAN settings will apply.

    See this:
    About Policies for Firebox-Generated Traffic
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/policies/policies_firebox_generated_traffic_about.html

    One can see them if one turns on the "Enable logging for traffic from this device" option. In Policy Manager, it is in Setup -> Logging -> Diagnostic Log Level

  • I forgot to mention that Multi-WAN is set for round-robin with a 1:20 weight ratio. The 1 in this case is eth0 which is listed first. Thanks for that KB article, I'll be diving into that.

  • What I find interesting from that article is the statement:
    When no IP address of an outgoing interface is in the same subnet as the destination address, the Firebox uses the primary IP address of the interface with the lowest index.

    Do you happen to know if the To FQDNs services.watchguard.com & cdn.watchguard.com are sufficient for the webblocker & spamblocker services or is there a better way to define the policy to?
