How to force all the internet traffic at branch office to flow through the HQ firebox
Hi, I have a question. I have 2 sites with a Firebox installed:
Site A : branch office
Site B : HQ
Currently site A has a BOVPN tunnel linking back to the Site B HQ Firebox, but I found in Traffic Monitor that the traffic flows through the external interface instead of the VPN tunnel.
Is there any way to force all traffic at Site A to flow through the HQ Firebox first and then go to the Internet? So that I can filter the traffic. Thanks
Comments
Set up a default-route VPN.
Review this:
Define a Route for All Internet-Bound Traffic Through a Branch Office VPN Tunnel
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/vpn_default_route_c.html
Hi, thanks, it's working. Now my Site A traffic flows through Site B first, but I still can't filter my traffic.
Now I want to block my Site A computers from browsing YouTube. So I added a firewall policy with an HTTPS proxy action, with WebBlocker configured to block YouTube. I also put this policy at first priority, but it doesn't filter the traffic to YouTube.
1) HTTPS traffic is encrypted between the web browser and the web server, so the firewall does not know what URL is being accessed.
Without Inspect being enabled on an HTTPS proxy, the only info that the firewall can match on is the CN (Common Name) or SNI (Server Name Indication) fields in the web server certificate for the web server being accessed.
Then, when accessing YouTube.com, the CN in the cert is *.google.com, so without Inspect, there is no way to know what traffic is really accessing YouTube.
To implement Inspect on an HTTPS proxy, you would need to have a certificate from the firewall installed on all devices behind the firewall on which you want to prevent access to YouTube.
HTTPS-Proxy: Content Inspection
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/proxies/https/https_proxy_contentinspection_c.html
2) If you are doing Inspect, try blocking QUIC (HTTP & HTTPS over UDP).
Review this article:
How to prevent connections from browsers that bypass WebBlocker and SafeSearch restrictions with QUIC protocol?
https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA10H000000g3dzSAA&lang=en_US
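To make the point in 1) and 2) concrete, here is an added example (not from the original thread and not WatchGuard code) of what a non-inspecting HTTPS proxy can actually see: it parses the SNI host name out of a TLS ClientHello and matches it against a domain blocklist, and it shows why a QUIC connection on UDP/443 sidesteps that check, because the QUIC Initial packet carries its TLS handshake inside an encrypted payload. The ClientHello and QUIC packet bytes are constructed inline; the blocklist domain is a sample value.

```python
import struct

def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI extension (constructed sample)."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type host_name(0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list     # extension type server_name(0)
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                       # version, random, empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"                       # one cipher suite
            + b"\x01\x00"                                              # compression: null only
            + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body      # type client_hello(1), 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(data: bytes):
    """Return the host_name from the SNI extension of a TLS ClientHello record, or None if absent."""
    if len(data) < 5 or data[0] != 0x16:                 # not a TLS handshake record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                     # not a ClientHello
        return None
    pos = 4 + 2 + 32                                     # skip header, client version, random
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                                   # session id
    if pos + 2 > len(hs):
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher suites
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                                   # compression methods
    if pos + 2 > len(hs):
        return None
    ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(ext_end, len(hs)):
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if etype == 0x0000:                              # server_name extension
            lpos = pos + 2                               # skip server_name_list length
            while lpos + 3 <= pos + elen:
                ntype = hs[lpos]
                nlen = struct.unpack("!H", hs[lpos + 1:lpos + 3])[0]
                if ntype == 0:
                    return hs[lpos + 3:lpos + 3 + nlen].decode("ascii", "replace")
                lpos += 3 + nlen
            return None
        pos += elen
    return None

def sni_blocked(sni, blocklist):
    """True when the SNI equals, or is a subdomain of, a blocked domain (the match a non-inspecting proxy can make)."""
    if sni is None:
        return False
    sni = sni.lower().rstrip(".")
    return any(sni == d or sni.endswith("." + d) for d in blocklist)

def is_quic_initial(udp_payload: bytes) -> bool:
    """True for a QUIC v1 long-header Initial packet: header-form and fixed bits set, version 0x00000001."""
    if len(udp_payload) < 5:
        return False
    first = udp_payload[0]
    version = struct.unpack("!I", udp_payload[1:5])[0]
    return (first & 0xC0) == 0xC0 and (first & 0x30) == 0x00 and version == 1

def classify_flow(proto: str, dst_port: int, payload: bytes, blocklist):
    """Decide what a policy can do with a flow: block on SNI, or flag QUIC that hides the handshake."""
    if proto == "tcp" and dst_port == 443:
        sni = extract_sni(payload)
        return "deny-sni" if sni_blocked(sni, blocklist) else "allow-tcp"
    if proto == "udp" and dst_port == 443 and is_quic_initial(payload):
        return "quic-opaque"                              # SNI not visible here; block UDP/443 in policy instead
    return "other"

if __name__ == "__main__":
    blocklist = ["youtube.com"]                           # sample blocked domain
    hello = build_client_hello("www.youtube.com")         # constructed ClientHello
    quic = b"\xc3\x00\x00\x00\x01" + b"\x00" * 20         # constructed QUIC v1 Initial header
    print(extract_sni(hello), classify_flow("tcp", 443, hello, blocklist))
    print(classify_flow("udp", 443, quic, blocklist))
```

The design point is that an SNI match is the best a proxy without content inspection can do, and it only works for TCP/443: the QUIC path returns "quic-opaque" because nothing in its Initial packet is readable by this parser, which is why the KB article above recommends blocking QUIC outright when WebBlocker restrictions must hold.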
I had tried these methods yesterday, and they were working. But after I added an exception in WebBlocker, it suddenly stopped working, and I can access every website. And when I check Traffic Monitor, it keeps using the BOVPN policy instead of the policy I created.
I also exported the Proxy Authority certificate from my main Firebox and installed it on my users' computers.
Please post a Traffic Monitor line showing the traffic is going via the BOVPN allow policy.
Also, what was the exception that you added to WB?
Below is the Traffic Monitor line that shows YouTube being successfully denied after I first set up the policies. In this case I didn't configure content inspection or QUIC blocking, but it could still deny YouTube.
Below is the exception I added, the second one.
After I added the exception, all websites became allowed, and you can refer to the Traffic Monitor line: it shows that the BOVPN allow policy is being used.
I had to delete the policies and recreate them so that it works.