Configure Web Access Control

Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EPP

In the Web Access Control settings of a workstations and servers settings profile, you can limit access to specific web content categories, and configure a list of URLs to allow and deny access to.

The Web Access Control feature does not support browsers with the HTTP/3 (QUIC) protocol. For more information, go to Disable the HTTP/3 (QUIC) Protocol.

Screen shot of WatchGuard Endpoint Security, Web Access Control settings

Each computer on the network keeps a database of the URLs accessed from it. This database can only be accessed from the computer for a period of 30 days.

To configure web access control:

  1. In WatchGuard Cloud, select Monitor > Endpoints.
  2. Select Settings.
  3. Select Workstations and Servers.
  4. Select an existing security settings profile to edit, copy an existing profile, or in the upper-right corner of the window, click Add to create a new profile.
    The Add Settings or Edit Settings page opens.
  5. Enter a Name and Description for the profile, if required.
    1. Select Web Access Control.
    2. Enable the Enable Web Access Control toggle.
    3. To specify when you want to enable web access control:
      1. Select Enable Only During the Following Times.
      2. On the calendar, select the days and hours when you want to enable web access control.
        Click the day to select the whole day. Click and drag the squares to select multiple days and times. Click Clear to disable web access control for all of the times selected.

    Screen shot of WatchGuard Endpoint Security, Web Access Control date selector

    1. Select the categories you want to deny computers access to.

    Screen shot of WatchGuard Endpoint Security, Web Access Control categories

    1. To Deny Access to Pages Characterized as Unknown, enable the toggle.
      Internal and intranet sites accessible on ports 80 and 8080 could be categorized as unknown. To avoid this, add exclusions for internal pages you want to allow.
    2. To exclude sites from web access control and always allow access to them, in the Always allow access to the following addresses and domains text box, enter the URLs.
      Access is allowed to all addresses that start with the specified addresses and domains, even if the full URL is longer.
    3. To always deny access to an IP address or domain, in the Deny access to the following addresses and domains text box, enter the IP address or domain.
      Access is denied to all addresses that start with the specified addresses and domains, even if the full URL is longer. You can use wildcard domains such as *.example.com.
  1. Click Save.
  2. Select the profile and assign recipients, if required.
    For more information, go to Assign a Settings Profile.

Wildcard Domain Names Examples

You can use a specific domain name (host.example.com) or a wildcard domain name (*.example.com). For example, the wildcard domain *.example.com includes:

  • example.com
  • a.example.com
  • b.example.com
  • a.b.example.com

Wildcard domain names must include at least two domain labels, for example *.example.com. Wildcard domain names that include only the top-level domain, such as *.com, are not supported.

You can also use sub-domain wildcards, for example:

  • *.b.example.com
  • *.b.c.example.com
  • *.b.c.d.example.com

These wildcard entries are not supported:

  • *.net or *.com (the list of IP address entries would be too large to process)
  • *.*.example.com
  • example*.com
  • *. example.*.com
  • example.*.com

Related Topics

Manage Settings Profiles