WatchGuard Allow Web SiteIt is possible to setup different access to different groups.
Typically we block web site to weapons by default. Going to a web site like the following is blocked: beretta.com
But what if they are a client and we want the MARKETING group to allow access to the web site?
-this was the simple setup:
https://www.jscmgroup.com/watchguard-blog/2016/8/29/watchguard-webblocker-actions
Without any setup the log is:
2019-06-05 14:53:51 Deny 10.192.480.250 199.83.128.143 http/tcp 56564 80 0-LANLAG 0-External ProxyDeny: HTTP Request categories (Outbound-HTTP-proxy-00) proc_id="http-proxy" rc="595" msg_id="1AFF-0021" proxy_act="HTTP-Client.Standard.1" cats="Weapons" op="GET" dstname="beretta.com" arg="/favicon.ico"
-you can see that the proxy-action is: HTTP-Client.Standard.1.
-but it should be: HTTP-Client.marketing
-this is because the proxy-action is not attaching to the group. This is because I was trying on a system on a subnet with an exception for authentication:
10.192.480.0/24 (note: subnet not real for posting purposes)
-this results in NO-AUTH, NO-GROUP and NO-PROXY-ACTION.
-using different pc on: 10.192.420.0/24
-for setup, the key here is that the WatchGuard group name needs to be the same as the AD group name: MARKETING
-next, create the rule where you can create the proxy. I went the long way around.
-ultimately, I had to:
-edit-policy > Proxy-Action > HTTP Proxy Exceptions
-add: *.beretta.com
NOTES:
-going to: -edit-policy > Proxy-Action > WebBlocker
-click: EDIT > EXCEPTIONS
-click: ADD
-type: *.beretta.com/*
Did not work. I still ended up with log:
2019-06-05 15:40:06 Deny 10.192.420.100 199.83.134.143 http/tcp 61063 80 0-LANLAG 0-External ProxyDeny: HTTP Content Type match (Outbound-HTTP-Marketing-00) proc_id="http-proxy" rc="595" msg_id="1AFF-0018" proxy_act="HTTP-Client.marketing" rule_name="Default" src_user="dakruhm"
-the fix should be:
-edit-policy > Proxy-Action > HTTP-RESPONSE > CONTENT-TYPES