Background:
I’ve been working as a helpdesk technician for an MSP for almost three years. Recently, I’ve been assigned tasks that push me outside my comfort zone. One of these tasks involves configuring a client’s WatchGuard firewall to ensure their veterinary practice management software can communicate properly.

The Task:
The software vendor has requested that I confirm specific URLs are allowed through the firewall. I have access to the WatchGuard system and located the “Blocked Site Exceptions” tab. However, based on my understanding of the WatchGuard documentation, it seems that I can only allow exceptions for:

  • IPv4 or IPv6 host addresses
  • Network IP or host IP address ranges
  • Host names
  • Fully Qualified Domain Name (FQDN) exceptions

I don’t see an option to allow specific URLs—only FQDNs. The vendor provided several URLs that share the same base domain but have different paths and parameters.

Since I’m new to WatchGuard, I’d appreciate any insight on how to properly handle this request. Should I be focusing on allowing the base domain via FQDN, or is there a method for permitting specific URLs that I may have overlooked?

3 Spice ups

Just allow the FQDN. If you wanted to specifically block URLs, you would need to have (and you may already) content inspection, which means you have a cert installed and the firewall is decrypting the traffic and re-encrypting it.

Are you even filtering URLs outbound? I ask because very few people have a full deny and selective approve for web browsing. You should not need to allow them unless you block all and have an exceptions list.

1 Spice up

It would also depend on how you are blocking things. Are you doing it via blocked sites, via web blocker, etc.

Again I don’t expect you will have to do anything fancy. I see requests from places all the time, please whitelist these URLs. No need as we’re not blocking them to begin with. If they are tripping on security software, I want them to trip so I can see why, and if it’s a legitimate exception that needs to be added, or if their site has been compromised (which is a very real scenario that I’ve encountered).

2 Spice ups

Use the Firebox System Manager to monitor the IP of a PC with the software on it to check if it is getting blocked to a particular relevant site. Sometimes images or scripts may be called from other sites and may need to be included (or excluded with Webblocker) to make their software run correctly.

To add a site …

Right Click on the Proxy that you want to add the exceptions to.
At the bottom select View / Edit Proxy
Select the WebBlocker Category > Edit WebBlocker > Exceptions tab
Example
You would add the host name rather than the full URL, e.g. *.vetsrus.com/*
The asterisks are wildcards and will allow all URL paths on the www.vetsrus.com web site.
Save the updated Profile to the Server to implement it.

2 Spice ups
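As an added illustration (not code from this thread or from WatchGuard) of why a vendor's list of URLs collapses to a few FQDN entries: the script strips paths and query strings from the URLs, then reports which hostnames a wildcard entry such as `*.vetsrus.com/*` would not cover. The sample URLs are constructed, and the wildcard matching rule is an assumption for the example, not WatchGuard's documented semantics.

```python
from urllib.parse import urlsplit

# Constructed sample input: vendor URLs sharing one base domain but differing
# in path and query string, plus one host on a different domain.
VENDOR_URLS = [
    "https://www.vetsrus.com/api/v2/sync?practice=123",
    "https://www.vetsrus.com/downloads/updater.exe",
    "https://cdn.vetsrus.com/static/app.js",
    "https://remote.vetsrus-support.example/session",
]


def hosts_from_urls(urls):
    """Reduce full URLs to the hostnames an FQDN exception keys on.
    Path and query are dropped because an FQDN entry cannot express them."""
    hosts = set()
    for url in urls:
        host = urlsplit(url).hostname
        if host:
            hosts.add(host.lower())
    return sorted(hosts)


def host_matches(host, pattern):
    """Assumed wildcard semantics (an assumption, not from WatchGuard docs):
    '*.vetsrus.com' matches any subdomain of vetsrus.com but not the apex;
    a pattern without a wildcard must equal the host exactly.
    Any trailing path part such as '/*' is stripped: only hosts are compared."""
    host = host.lower()
    host_part = pattern.lower().split("/", 1)[0]
    if host_part.startswith("*."):
        suffix = host_part[1:]  # ".vetsrus.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == host_part


def uncovered_hosts(urls, exceptions):
    """Hostnames from the vendor list that no exception entry covers."""
    return [h for h in hosts_from_urls(urls)
            if not any(host_matches(h, p) for p in exceptions)]


if __name__ == "__main__":
    missing = uncovered_hosts(VENDOR_URLS, ["*.vetsrus.com/*"])
    print("hosts still needing their own entry:", missing)
```

Hosts left in the result are the ones to watch for in Firebox System Manager, since a single wildcard entry for the base domain will not cover them.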

Thanks for the input.

We determined the problem. We had nothing blocked so I reached out to the vendor for some clarification.

One of the services for remote help wasn’t working properly. My boss informed me that even though it’s not being blocked, sometimes services can be disrupted when they are being inspected by the firewall; this is similar to what @Jono described.

We configured a bypass policy for a single FQDN that the vendor listed and this allowed the vendor’s service to run properly.

Once again, I appreciate the input I received.

You’re welcome. SSL inspection can break quite a few things. It’s a game of whack-o-mole, except it starts out fast and gets slower as time goes on and you get everything added. That first time enabling though can be a rough day.