Troubleshoot Web Access Control

Applies To: WatchGuard Advanced EPDR This topic applies to the WatchGuard Advanced EPDR endpoint security product., WatchGuard EPDR This topic applies to the WatchGuard EPDR endpoint security product., WatchGuard EDR This topic applies to the WatchGuard EDR endpoint security product., WatchGuard EPP This topic applies to the WatchGuard EPP endpoint security product.

In the Web Access Control settings of a workstations and servers settings profile, you can limit access to specific web content categories and configure a list of URLs to allow and deny access to. However, Web Access Control might not always block access or allow access to web pages as you expect. This help topic provides information on possible causes and solutions.

Browsers and the QUIC Protocol

HTTP/3 (QUIC) is a transport layer network protocol. Web Access Control is not compatible with the QUIC protocol because it is a third-party proprietary protocol.

To disable the QUIC protocol, complete these steps in the relevant browser:

Browser settings can vary for different versions.

Google Chrome

In the browser address bar, type chrome://flags. Disable the Experimental QUIC protocol option.

Microsoft Edge

In the browser address bar, type edge://flags/. Disable the Experimental QUIC protocol option.

Mozilla Firefox

In the browser address bar, type about:config. Disable the network.http.http3.enabled option.

Opera

In the browser address bar, type opera://flags/#enable-quic. From the Experimental QUIC protocol drop-down list, select Disabled.

For more information, go to Disable the HTTP/3 (QUIC) Protocol.

Collect Information

Before you collect the information in this section for Support, you must first clear the cache of your browser and then close the browser. This makes sure that there is no cached information that could affect the Support case analysis. When you reproduce the issue, collect the information simultaneously.

If you contact Support:

• Provide a description of the issue.
• Use the Pserrortrace tool to generate a diagnostic file.
• Use the PSInfo tool to generate support-related information.
• Use the Urlviewer tool to generate URL support-related information.
• Use the NNSDiag tool to generate a diagnostic file.
• Enable Support Access to your WatchGuard Cloud account.

To use the Urlviewer tool:

1. Download the Urlviewer tool.
   • If your WatchGuard Endpoint Security software is 8.00.17 or earlier, download urlviewer_cyren.zip (external link).
   • If your WatchGuard Endpoint Security software is 8.00.18 or later, download urlviewer_forcepoint.zip (external link).

2. Unpack the .EXE file to a location of your choice.
   When prompted, the password is 'panda'.
3. Open a command window with administrator privileges.
4. From the command prompt, browse to the location of your install.
5. Type this command:
   WebAccessControlViewer.exe -d:1 -o:C:\urls.csv
6. Wait for the tool to complete.
   When done, the tool generates a .CSV file at the specified path.

7. Send the .CSV file to Support.

To use the NNSDiag tool:

You can use the NNSDiag tool to generate a diagnostic file when Web Access Control unexpectedly blocks one or more URLs. You can also use the tool to diagnose compatibility issues when you use an application other than Web Access Control to block URLs.

If Web Access Control unexpectedly cannot block one or more URLs, you can generate a diagnostic file with the NNSDiag tool and simultaneously generate a capture file with the third-party Wireshark application. For more information, go to the Wireshark section.

1. Download the NNSDiag tool:
   • For WatchGuard Endpoint Security version 8.00.22.00xx, download this NNSDiag install package (external link).
     Use the password 'panda' to open the archive.
   • For WatchGuard Endpoint Security version 8.00.23.00xx and higher, download this NNSDiag install package (external link).
     Use the password 'panda' to open the archive.

   For information about how to determine the WatchGuard Endpoint Security version, go to Determine the Software Version.

2. In the C:\ drive of your system, create a NNSDiag folder.
   
3. Unpack the NNSDiag.exe file, then place it in the NNSDiag folder.
   When prompted, the password is 'panda'.
4. Open a Command Prompt window with administrator privileges.
5. From the command prompt, browse to C:\NNSDiag.
6. Type and run this command:
   NNSDiag.exe c:\NNSDiag 5
7. Open a web browser, then recreate the issue.
8. Wait for the tool to complete.
   When done, the tool generates a NNSDiagResults.zip file at the specified path.
9. Send the .ZIP file to Support.

To use the Wireshark and NNSDiag tools:

1. If you have not already done so, download and install the NNSDiag tool.
2. Download and install the Wireshark application from https://www.wireshark.org/download.html (external link).
3. Start the Wireshark application.
4. Open a Command Prompt window with administrator privileges.
5. From the command prompt, browse to C:\NNSDiag.
6. To start and run the NNSDiag tool for 5 minutes, type this command:
   NNSDiag.exe c:\NNSDiag 5
7. From Wireshark, right-click the network interface and select Start Capture.

8. Open a web browser and recreate the issue. You must recreate the issue within 5 minutes of when you ran the NNSDiag command in Step 6.
   
9. Wait for the NNSDiag tool to complete.
   When complete, the tool generates a NNSDiagResults.zip archive at the path you specify.
10. From the Wireshark application, to stop the capture, click the red square icon.

11. From the Wireshark application, select File > Save As, and save the Wireshark capture as WireShark_KO.pcap.
12. Send the NNSDiagResults.zip and WireShark_KO.pcap files to Support. Make sure to include any URLs that were used to reproduce the issue.