Related Topics
Add WebBlocker Exceptions
If you want WebBlocker to always allow or always deny access to a website, regardless of the content category, you can add a WebBlocker exception for that site. You can add a WebBlocker exception that is an exact match of a URL, a pattern match of a URL, or a regular expression.
WebBlocker does not include query strings (the part of a URL that starts with the ? character) in the categorization request it sends to the WebBlocker Server. This means that you cannot create a WebBlocker exception to deny specific queries.
Exact match
Exact matches match an exact URL or IP address, character by character. You cannot use wildcards, and you must type each character exactly as you want it to be matched. For example, if you enter an exception to allow www.yahoo.com as an exact match only, and a user types “www.yahoo.com/news”, the request is denied.
Pattern match
Pattern matches match a pattern in the URL or IP address, for example “pattern” in www.pattern.com. Make sure to drop the leading “http://” and include “/*" at the end. Use the wildcard symbol, *, to match any character. You can use more than one wildcard in one pattern. For example, the pattern www.somesite.com/* will match all URL paths on the www.somesite.com website. To enter a network address, use a pattern match that ends in a wildcard. For example, to match all the websites at 1.1.1.1 on port 8080, set the directory to “*”.
Regular expression
Regular expression matches use a Perl-compatible regular expression to make a match. For example, \.[onc][eor][gtm] matches .org, .net, .com, or any other three-letter combination of one letter from each bracket, in order. When you create a regular expression to match URL path, do not include the leading “http://”. Regular expressions support wild cards used in shell scripts. For example:
- The regular expression: (www\.)?watchguard\.[com|net] matches URL paths such as www.watchguard.com, www.watchguard.net, watchguard.com, and watchguard.net
- The regular expression: 1.1.1.[1-9] matches all IP addresses from 1.1.1.1 to 1.1.1.9.
Regular expressions are more efficient than pattern matches, in terms of CPU usage. For best performance, we recommend that you use regular expressions rather than pattern matches to define your WebBlocker exceptions, when several exceptions are configured. You can create a regular expression that is equivalent to a pattern match. For example, the pattern match *.hostname.com/* is equivalent to the regular expression ^[0-9a-zA-Z\-\_.]{1,256}hostname\.com.
For more information about regular expressions, see About Regular Expressions.
Add WebBlocker Exceptions
- To create exceptions to the WebBlocker categories, select the Exceptions tab.
The WebBlocker Exceptions list appears.
- To add a new WebBlocker exception, click Add .
The WebBlocker Exception dialog box appears.
- In the Name text box specify a name for this exception.
- From the Action drop-down list, select whether WebBlocker allows or denies content that matches the exception.
- From the Match Type drop-down list, select Pattern Match, Exact Match, or Regular Expression.
- Specify the URL pattern, value, or expression to match.
For a host IP address, type the address, port, and directory. - Click OK to close the New WebBlocker Exception dialog box.
- Click Save.
- To create exceptions to the WebBlocker categories, select the Exceptions tab.
- Click Addto add a new exception rule.
- Type a name for the new exception.
- From the Match Type drop-down list, select Pattern Match, Exact Match, or Regular Expression.
- From the Type drop-down list, select the website type: URL or Host IP Address.
- Specify the the URL pattern, value, or expression to match.
For a host IP address, type the address, port, and directory. - Click OK to close the New WebBlocker Exception dialog box.
For each exception, you can configure these settings in the WebBlocker Exceptions list.
- To generate a log message when WebBlocker takes an action based on an exception, select the Log check box for that exception.
- To send an alarm when WebBlocker takes an action based on an exception, select the Alarm check box for that exception.
- To disable a exception but keep it in your configuration, clear the Enabled check box.
Define the Action for Sites that do not Match Exceptions
In the Use category list section, below the list of exception rules, you can configure the action to occur if the URL does not match the exceptions you configure. By default Use the WebBlocker category list to determine accessibility is selected, and WebBlocker compares sites against the categories you selected on the Categories tab to determine accessibility.
To use exception rules to restrict website access instead of the categories, select Deny website access.
Alarm
Select to send an alarm when the Firebox denies a WebBlocker exception. To set parameters for the alarms, select the Alarm tab. For information on the Alarm tab options, see Set Logging and Notification Preferences.
Log this action
Select to send a message to the log file when the Firebox denies a WebBlocker exception.
If you select the Deny website access option, select the Log this Action check box so that you can see log messages about denied URLs in Traffic Monitor. If users report problems with missing content on an allowed website, you can look at the log messages to see if you need to add another exception to allow the referenced content.
Test Allowed Sites
After you configure WebBlocker exceptions to allow connections to a website, test the connection to the website and verify that content on the site displays correctly. Many web sites include references to content located at other sites, or use a content delivery network (CDN) to host content. Users might not see a deny message in the web browser when WebBlocker denies access to referenced content.
Change the Order of WebBlocker Exceptions
In the WebBlocker Exceptions list, the order that the WebBlocker exceptions determines the order in which the Firebox compares site addresses to the rules. WebBlocker compares site addresses to the first rule in the list and continues in sequence from top to bottom. When a site address matches an exception rule, WebBlocker performs the related action. It performs no other actions, even if a site matches a rule lower in the list.
To change the order of WebBlocker Exceptions:
- Select the rule you want to move.
- Click Up or Down to move the rule up or down in the list.
You can use Policy Manager, you can export exceptions from one Firebox configuration and import them to another Firebox. For more information, see Import or Export WebBlocker Exceptions.