T15W Blocked Sites

Is there a limit to the amount of blocked sites a T15W can handle, when it was installed it was fine with a few blocked sites then I notice a few more and it was taking time to load, now it just wont load the blocked sites at all. I suspect there will be quite a few but i have no way of knowing.

T15W 12.5.7.B640389

Comments

  • There clearly is a limit, but it is not published anywhere that I have seen.

    Why is your list so long? What are you trying to block?

    Are you using WSM Policy Manager or the Web UI?
    If the Web UI, try using WSM Policy Manager for this. When using the Web UI, memory is needed for the Web UI processes - which would not be needed if using WSM Policy Manager.

  • james.carsonjames.carson Moderator, WatchGuard Representative

    For a T15 it's going to come down to how much memory the device can devote to that list. If you're using lots of subscription services or a lot of policies, it'll effecively be lower than normal.

    A T15 should be able to handle a few hundred without a problem. If you're getting into thousands, I'd ask the same question that bruce is -- what exactly are you trying to block.

    If there isn't an inbound rule for the firewall will drop it anyways. Creating a huge blocked sites list does not really make you any more secure in and of itself.

    -James Carson
    WatchGuard Customer Support

  • Thanks for the reply’s, not trying anything unusual just seam to get a lot of port scans which automatically get added to the list which I can’t view now to get a count.

    Very simple network one server with MDaemon and a voip server incoming to the voip server is from one ip our trunk provider

    Just seam to get a lot of nosy people want to look at our IP address.
  • Look at using WSM Firebox System Manager -> Blocked Sites to see the current list instead of using the Web UI.

  • Is your Blocked Sites list large because you manually added IPs to it? Or do you have a bunch of ports in the list and you have "Automatically block sites that try to use blocked ports" enabled?

    I suspect it's the latter that is filling the list. I don't use that feature because all of the ports in the default list are blocked inbound anyway. I clear the Blocked Ports list and then use a custom rule to block a specific list of ports, with all other inbound ports blocked by default. I have the specific list set to block the main attacked ports such as 21, 22, 23, 3389, etc. If anything scans those ports, they go onto the blocked sites list, and then they cannot see any ports even if they are open.

    Gregg Hill

Sign In to comment.