WebBlocker Override
When your users browse the Internet, WebBlocker denies access to websites in content categories that you configured the WebBlocker action to deny. If you want to allow users to get temporary access to websites that the WebBlocker action denies, you can enable and configure WebBlocker override.
For example, if you administer a network for a school, you might want to allow teachers to override WebBlocker when a student needs to connect to a website in a denied WebBlocker category.
There are two methods you can configure to allow users to override WebBlocker:
Passphrase
Specify a passphrase that users type to override the WebBlocker settings and get access to denied content.
User Group (Firebox v12.5 and higher)
Select an existing Firebox-DB or Active Directory user group. Users who are members of the selected group can type their user credentials to override the WebBlocker settings and get access to denied content. Users who are members of a different user group cannot override the WebBlocker settings. Other authentication servers, such as RADIUS, are not supported for User Group override.
When you enable WebBlocker override in a WebBlocker action, you select which method to use. For each WebBlocker action, you can configure only one override method.
When you enable WebBlocker override, the WG-Auth-WebBlocker policy is added to the configuration automatically.
With WebBlocker override enabled, when users navigate to a website that WebBlocker denies, the WebBlocker deny page includes a section where users can type the WebBlocker override passphrase or their user credentials.
For HTTPS, WebBlocker override is supported only when content inspection is enabled in the HTTPS proxy for all HTTPS traffic. If content inspection is not enabled, the HTTPS proxy drops the connection when users go to a website in a denied WebBlocker category that has override enabled. Users see a browser warning instead of the WebBlocker deny page.
Enable WebBlocker Override
When you enable WebBlocker override for a WebBlocker action, override is enabled for all denied categories automatically. If you want more control, you can select the WebBlocker categories that users can override.
In Fireware v12.4.x and lower, you enable WebBlocker Override in the WebBlocker Action dialog box, Advanced tab. For more information, go to Define Advanced WebBlocker Options.
To enable WebBlocker override (Fireware v12.5 or higher):
- Edit the WebBlocker action.
- On the Categories tab, select the Enable WebBlocker Override check box.
- From the drop-down list, select the method that users can use to override WebBlocker, either Passphrase or User Group.
- Configure the WebBlocker override settings by passphrase or user group.
- Click OK.
Configure WebBlocker Override by Passphrase
When you enable WebBlocker override and select Passphrase as the override method, you must configure these settings in the WebBlocker Override Passphrase dialog box:
Override Passphrase/Confirm
Specify and confirm the override passphrase that users can type to get access to denied content.
Inactivity Timeout
Type or select a number of minutes. When users are inactive for the specified time, they can no longer get access to the denied content.
Alarm (Fireware v12.3 and higher)
To send an alarm when a user types the override password to get access to content that WebBlocker denies, select this check box. To set parameters for the alarms, click the Alarm tab. For more information, go to Set Logging and Notification Preferences.
Log this action (Fireware v12.3 and higher)
To send a message to the log file when a user types the override password to get access to content that WebBlocker denies, select this check box. The log message includes the text "Allowed by passphrase overriding category action".
In Fireware v12.4.x and lower, you enable WebBlocker override and configure the override passphrase in the WebBlocker action Advanced tab. For more information, go to Define Advanced WebBlocker Options.
To configure WebBlocker override by passphrase:
- Enable WebBlocker override.
- From the drop-down list next to the Enable WebBlocker Override check box, select Passphrase.
- Click Edit.
The WebBlocker Override Passphrase Settings dialog box appears. - In the Passphrase and Confirm text boxes, specify and confirm the override passphrase that users can type to get access to denied content.
- In the Inactivity Timeout text box, type or select a number of minutes.
- To send an alarm when a user types the override password, select the Alarm check box.
- To send a message to the log file when a user types the override password, select the Log this action check box.
- Click OK.
- Select the categories you want to allow users to override.
- Click OK or Save.
Configure WebBlocker Override by User Group
To configure WebBlocker override by user group, you must first set up user groups on your Firebox or Active Directory server. For more information about how to set up user groups, go to Use Users and Groups in Policies.
When you enable WebBlocker override and select User Group as the override method, you must configure these settings in the WebBlocker Override User Group Settings dialog box:
User Group
Select a Firebox-DB or Active Directory user group. Other authentication servers are not supported for user group override.
Users in the specified Firebox-DB or Active Directory user group can type their credentials to get access to the website. This does not affect login limits configured in group settings.
Inactivity Timeout
Type or select a number of minutes. When users are inactive for the specified time, they can no longer get access to the denied content.
Alarm
To send an alarm when someone types user group credentials to get access to content that WebBlocker denies, select this check box. To set parameters for the alarms, click the Alarm tab. For more information, go to Set Logging and Notification Preferences.
Log this action
To send a message to the log file when someone in the user group types credentials to get access to content that WebBlocker denies, select this check box. The log message includes the text "Allowed by user group overriding category action".
To configure WebBlocker override by user group:
- Enable WebBlocker override.
- From the drop-down list next to the Enable WebBlocker Override check box, select User Group.
- Click Edit.
The WebBlocker Override User Group Settings dialog box appears. - From the User Group drop-down list, select a Firebox-DB or Active Directory user group.
- In the Inactivity Timeout text box, type or select a number of minutes.
- To send an alarm when a user types user group credentials to override WebBlocker, select the Alarm check box.
- To send a message to the log file when a user types user group credentials to override WebBlocker, select the Log this action check box.
- Click OK.
- Select the categories you want to allow users to override.
- Click OK or Save.
Select WebBlocker Override Categories
When you enable WebBlocker override in a WebBlocker action, your users can override all denied categories by default. In Fireware v12.5 and higher, you can specify which denied WebBlocker categories users can override. This gives you more control over which websites users can access. For example, you could enable WebBlocker override for all websites in the Health category but not the Shopping category.
If the WebBlocker action denies uncategorized URLs, you can also specify whether users can override the denied URLs.
To specify the categories users can override (Fireware 12.5 and higher):
- Edit the WebBlocker action.
- On the Categories tab, in the Override column, select or clear the check boxes for denied categories you want to allow users to override. Tip
Or, select a denied category, then from the Quick Action drop-down list, select Enable Override or Disable Override. - To allow users to override denied uncategorized URLs, next to the When a URL is uncategorized drop-down list, select the Override check box.
- Click OK or Save.
Override WebBlocker in the Deny Page
The deny page users see when they visit a website in a denied WebBlocker category depends on the override method you configure.
If the Firebox uses a self-signed certificate for authentication, users see a certificate warning for the deny page. We recommend that you install a trusted certificate on the Firebox for this purpose, or import the self-signed certificate on each client device.
After the user types the override passphrase or user group credentials, the Firebox allows access to the denied website. The override remains in effect until there is no activity for the time specified in the Inactivity Timeout text box or until an authenticated user logs out.
In Fireware v12.5.1 and higher, the override applies automatically to all websites in denied WebBlocker categories that have WebBlocker override enabled.
In Fireware v12.5 and lower, the deny page includes a Website text box that shows the URL that was denied. Users can type a different URL that includes wildcards in the text box to allow access to more than one website, or more pages in one website.
To override WebBlocker with a passphrase:
- In the Override Password text box, type the override passphrase configured in the WebBlocker action.
- Click Submit.
The website opens.
To override WebBlocker with your user group credentials:
- In the User Name and Password text boxes, type your credentials for the specified Firebox-DB or Active Directory user group.
- Click Submit.
The website opens.
If the website contains links to images or content hosted on other web locations that are still blocked, the page might not load correctly or completely.