Configure Traffic Types in a Firewall Policy
Applies To: Cloud-managed Fireboxes
For firewall policies on a cloud-managed Firebox, the Traffic Types settings specify what types of traffic the policy applies to. When you add traffic types to a policy, you can select from a list or add a custom traffic type. Each traffic type specifies the protocols and ports or other parameters specific to the traffic type.
Configure Web Traffic Type Settings
In an Outbound policy, two settings specify how the policy applies to web traffic:
Web Traffic
This option configures the policy to apply to HTTP and HTTPS traffic on specified ports. By default, this option is selected, and the policy applies to HTTP and HTTPS traffic on ports 80 and 443. To change the ports for HTTP and HTTPS traffic, you can edit the ports list.
When Web Traffic is selected, the policy applies to HTTP and HTTPS traffic, but the HTTP and HTTPS protocols do not show in the Traffic Types list.
HTTP and HTTPS traffic are strictly enforced when Web Traffic is selected. To avoid denials, you must create a First Run policy to allow other traffic sent over ports 80 and 443.
Decrypt HTTPS Traffic
This option configures the policy to decrypt HTTPS traffic. When you select Decrypt HTTPS Traffic, the Firebox decrypts HTTPS connections and scans the content with enabled security services. If the policy allows the content, the Firebox then re-encrypts the HTTPS connections with a different certificate.
To avoid certificate warnings for network users, this option is not selected by default.
- Add or edit a policy. For more information, see Configure Firewall Policies in WatchGuard Cloud.
- To apply a policy to web traffic, select the Web Traffic check box.
When enabled, the policy applies to HTTP and HTTPS web traffic on ports 80 and 443 by default.
- To decrypt HTTPS traffic, select the Decrypt HTTPS Traffic check box. For security services to scan HTTPS traffic, you must select this check box.
Before you enable this option, make sure that network clients trust the certificate the Firebox uses to re-encrypt the content. To avoid browser errors for network clients, download the Firebox certificate and import it to all network clients. For more information, see Download the Certificate for TLS Decryption.
- To change the ports where web traffic is allowed for this policy, click Edit.
The Edit Web Traffic Ports page opens.
- To add a port for HTTP and HTTPS web traffic:
- Click Add Another Port.
A new text box appears in the ports list.
- In the text box, type the port number to add.
- To remove a port for web traffic, click .
- Click Update.
To configure a First Run, Last Run, Inbound, or Custom policy to apply to web traffic, add the HTTP and HTTPS traffic types to the Traffic Types list.
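Because Web Traffic strictly enforces HTTP and HTTPS on the configured ports, it helps to know which flows on those ports are neither before you enable it. The following Python sketch is an added example, not WatchGuard code: it classifies the first client payload of each flow and lists the destinations that would need a First Run policy. The classification rules, function names, and sample flows are assumptions constructed for illustration; this page does not document how the Firebox itself identifies the protocols.

```python
import re

# HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x (CR)LF
_HTTP1_REQUEST = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/1\.[01]\r?\n")
# HTTP/2 prior-knowledge connection preface
_HTTP2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"


def classify_first_bytes(payload: bytes) -> str:
    """Return 'http', 'tls', or 'other' for a flow's first client payload."""
    if _HTTP1_REQUEST.match(payload) or payload.startswith(_HTTP2_PREFACE):
        return "http"
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00-0x04,
    # two length bytes, then handshake type 0x01 (ClientHello).
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01):
        return "tls"
    return "other"


def flows_needing_first_run(flows, web_ports=(80, 443)):
    """Return sorted (dst_ip, dst_port) pairs on web ports that carry
    traffic that is neither HTTP nor a TLS handshake."""
    hits = set()
    for dst_ip, dst_port, payload in flows:
        if dst_port in web_ports and classify_first_bytes(payload) == "other":
            hits.add((dst_ip, dst_port))
    return sorted(hits)


# Constructed sample flows: (destination IP, destination port, first payload).
SAMPLE_FLOWS = [
    ("192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("192.0.2.10", 443, bytes.fromhex("160301020001000001fc0303")),  # ClientHello
    ("198.51.100.7", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),        # SSH moved to 443
    ("198.51.100.9", 80, b"\x00\x00\x00\x1c\x01\x02binary"),   # custom protocol
    ("203.0.113.5", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),           # not a web port
]

if __name__ == "__main__":
    for dst_ip, dst_port in flows_needing_first_run(SAMPLE_FLOWS):
        print(f"needs First Run policy: {dst_ip}:{dst_port}")
```

If you edit the web traffic ports list for the policy, pass the same ports as `web_ports` so the audit matches the policy.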
Select Traffic Types in a Policy
In the Traffic Types list for a firewall policy, you can add predefined and custom traffic types.
In a firewall policy for a cloud-managed Firebox, you can select multiple traffic types in the same policy. This is different from firewall policies for a locally-managed Firebox.
- Add or edit a policy. For more information, see Configure Firewall Policies in WatchGuard Cloud.
- In the policy configuration, click Add Traffic Types.
The Add Traffic Types page opens.
- Select the check box for each traffic type to add.
- Click Add.
The traffic types you selected are added to the policy.
To apply a policy to a traffic type that is not on the list, you can add a new custom traffic type. When you add a custom traffic type, you select one or more protocols. For each protocol, you specify ports or other parameters that define traffic for the protocol. After you add a custom traffic type to one policy, the custom traffic type is available to select in other policies.
- In the policy configuration, click Add Traffic Types.
The Add Traffic Types page opens.
- Click Add Custom Traffic Type.
The Add Custom Traffic Type page opens.
- In the Name text box, type a name for the custom traffic type.
- In the Description text box, type a description for the custom traffic type.
- To add a protocol:
- From the Protocol drop-down list, select the protocol to add.
The Type settings change based on the protocol you select.
- If required for the selected protocol, select the Type and specify other settings.
- Click Add.
The protocol is added to the custom traffic type.
- To add another protocol, repeat the previous step.
- To remove a protocol from the custom traffic type, click .
- To save the custom traffic type, click Add.
The traffic type is added to the current policy and to the global Traffic Types list.
If you edit a custom traffic type, the change affects all policies that reference it. You cannot delete a custom traffic type if the current policy or any other policy references it.
To edit a custom traffic type:
- In the policy configuration, click Add Traffic Types.
The Add Traffic Types page shows all predefined and custom traffic types.
- To filter the list to see only custom traffic types, in the search box, type Custom.
- To edit the custom traffic type, click the Name.
The custom traffic type settings page opens.
- Edit the traffic type settings.
- To save the changes, click Update.
To delete a custom traffic type:
- In the policy configuration, click Add Traffic Types.
The Add Traffic Types page shows all predefined and custom traffic types.
- To filter the list to see only custom traffic types, in the search box, type Custom.
- To delete a custom traffic type, click .
The Delete a Traffic Type dialog box opens.
- Click Delete.