Configure WebBlocker Exceptions
If you want WebBlocker to always allow or always deny access to a website, regardless of the content category, you can add a WebBlocker exception for that site. You can add a WebBlocker exception that is an exact match of a URL, a pattern match of a URL, or a regular expression.
WebBlocker does not include query strings (the part of a URL that starts with the ? character) in the categorization request it sends to the WebBlocker Server. This means that you cannot create a WebBlocker exception to deny specific queries.
Exact match
Exact matches match an exact URL or IP address, character by character. You cannot use wildcards, and you must type each character exactly as you want it to be matched. For example, if you enter an exception to allow www.yahoo.com as an exact match only, and a user types “www.yahoo.com/news”, the request is denied.
Pattern match
Pattern matches match a pattern in the URL or IP address, for example “pattern” in www.pattern.com. Make sure to drop the leading “http://” and include “/*" at the end. Use the wildcard symbol, *, to match any character. You can use more than one wildcard in one pattern. For example, the pattern www.somesite.com/* will match all URL paths on the www.somesite.com website. To enter a network address, use a pattern match that ends in a wildcard. For example, to match all the websites at 1.1.1.1 on port 8080, set the directory to “*”.
Regular expression
Regular expression matches use a Perl-compatible regular expression to make a match. For example, \.[onc][eor][gtm] matches .org, .net, .com, or any other three-letter combination of one letter from each bracket, in order. When you create a regular expression to match URL paths, do not include the leading “http://”. Regular expressions support wildcards used in shell scripts. For example:
- The regular expression: (www\.)?watchguard\.(com|net) matches URL paths such as www.watchguard.com, www.watchguard.net, watchguard.com, and watchguard.net
- The regular expression: 1.1.1.[1-9] matches all IP addresses from 1.1.1.1 to 1.1.1.9.
Regular expressions are more efficient than pattern matches, in terms of CPU usage. For best performance, we recommend that you use regular expressions rather than pattern matches to define your WebBlocker exceptions, when several exceptions are configured. You can create a regular expression that is equivalent to a pattern match. For example, the pattern match *.hostname.com/* is equivalent to the regular expression ^[0-9a-zA-Z\-\_.]{1,256}hostname\.com.
For more information about regular expressions, go to About Regular Expressions.
WebBlocker Exception Types
You can configure two types of WebBlocker exceptions:
WebBlocker action exceptions
WebBlocker action exceptions are configured in the Exceptions tab of each WebBlocker action. These exceptions apply only to the WebBlocker action in which they are defined and are not used by other WebBlocker actions.
Global WebBlocker exceptions
Global WebBlocker exceptions are configured in the WebBlocker Global Settings. Global exceptions can be used by multiple WebBlocker actions and eliminate the need to add the same exceptions to multiple actions.
In each WebBlocker action, you specify whether the action checks the global exception rules in the WebBlocker global settings. For more information, go to Check Global Exceptions and Remove Duplicates.
You can configure global WebBlocker exceptions in Fireware v12.3 and higher.
Add WebBlocker Exceptions
To add a WebBlocker exception:
- To add exceptions to a WebBlocker action, edit the action.
To add global WebBlocker exceptions, open the WebBlocker Global Settings. - Select the Exceptions tab.
The WebBlocker Exceptions list appears.
- To add a new WebBlocker exception, click Add.
- In the Name text box, type a name for this exception.
- From the Action drop-down list, select whether WebBlocker allows or denies content that matches the exception.
- From the Match Type drop-down list, select Pattern Match, Exact Match, or Regular Expression.
- From the Type drop-down list, select the website type: URL or Host IP Address (Policy Manager only).
- Specify the URL pattern, value, or expression to match.
For a host IP address, type the address, port, and directory. - Click OK.
- Click OK (Policy Manager) or Save (Fireware Web UI).
For each exception, you can configure these settings in the WebBlocker Exceptions list.
- To generate a log message when WebBlocker takes an action based on an exception, select the Log check box for that exception.
- To send an alarm when WebBlocker takes an action based on an exception, select the Alarm check box for that exception.
- To disable an exception but keep it in your configuration, clear the Enabled check box.
Check Global Exceptions and Remove Duplicates
In each WebBlocker action, you can specify whether the action checks the global exception rules defined in the WebBlocker Global Settings. WebBlocker always checks exceptions defined in the WebBlocker action first. If the Check global exceptions option is selected, and a URL does not match the exceptions defined in the WebBlocker action, WebBlocker checks the URL against the exception rules defined in the global exceptions list.
To check global exceptions:
- Edit the WebBlocker action.
- Select the Exceptions tab.
- Select the Check global exceptions check box.
- Click OK (Policy Manager) or Save (Fireware Web UI).
When the Check Global Exceptions check box is selected in a WebBlocker action, you can check whether any duplicate exceptions are defined in both the WebBlocker action and the WebBlocker global settings. If duplicate exceptions exist, you can remove the exceptions from the WebBlocker action. This reduces the size of your configuration file.
To remove duplicate exceptions from a WebBlocker action:
- Edit the WebBlocker action.
- Select the Exceptions tab.
- Select the Check Global Exceptions check box if it is not selected.
- Click Check Duplicates.
The Duplicate Exceptions dialog box appears. Duplicate exceptions are listed.
- Select the duplicate exceptions to remove from the WebBlocker action.
In Fireware Web UI, select check boxes next to the Matching Type of each exception. Or, select the check box in the column header to select all exceptions.
In Policy Manager, use the Ctrl or Shift keys to select multiple exceptions. - Click Remove.
A confirmation message appears. - Click OK (Fireware Web UI) or Yes (Policy Manager).
A confirmation message appears. - Click OK.
Define the Action for Sites that do not Match Exceptions
Below the list of exception rules, you can configure the action to occur if the URL does not match the exceptions you configure. By default, Use the WebBlocker category list to determine accessibility is selected, and WebBlocker compares sites against the categories you selected on the Categories tab to determine accessibility.
To use exception rules to restrict website access instead of the categories, select Deny website access.
Alarm
Select this option to send an alarm when the Firebox denies a WebBlocker exception. To set parameters for the alarms, select the Alarm tab. For information on the Alarm tab options, go to Set Logging and Notification Preferences.
Log this action
Select this option to send a message to the log file when the Firebox denies a WebBlocker exception.
If you select the Deny website access option, select the Log this Action check box so that you can see log messages about denied URLs in Traffic Monitor. If users report problems with missing content on an allowed website, you can look at the log messages to see if you need to add another exception to allow the referenced content.
Test Allowed Sites
After you configure WebBlocker exceptions to allow connections to a website, test the connection to the website and verify that content on the site displays correctly. Many websites include references to content located on other sites, or use a content delivery network (CDN) to host content. Users might not see a deny message in the web browser when WebBlocker denies access to referenced content.
Change the Order of WebBlocker Exceptions
In the WebBlocker Exceptions list, the order of the WebBlocker exceptions determines the order in which the Firebox compares site addresses to the rules. WebBlocker compares site addresses to the first rule in the list and continues in sequence from top to bottom.
If the Check global exceptions option is selected, when a site does not match an exception rule in the WebBlocker action, WebBlocker checks the global exception rules defined in the WebBlocker global settings.
When a site address matches an exception rule, WebBlocker performs the related action. It performs no other actions, even if a site matches a rule lower in the list.
To change the order of WebBlocker exceptions:
- Select the exception rule you want to move.
- Click Move Up or Move Down to move the rule up or down in the list.
In Policy Manager, you can export exceptions from one Firebox configuration and import them to another Firebox. For more information, go to Import or Export WebBlocker Exceptions.
Video tutorial: Add WebBlocker Exceptions