Tips on new Websence cloud Webblocker in Fireware 11.7

See here a list of all the categories you can allow/block:
http://www.websense.com/content/websense-url-categories.aspx
All except 'Social Web Controls' are include in Fireware v11.7

You can check the categorization of a URL here:
http://aceinsight.websense.com/

If incorrect or uncategorized you can submit the website to Websence by clicking on the 'Submit a site to Websense Labs for review' link on the result page (bottom right):
http://aceinsight.websense.com/Results.aspx?url=www.watchguard.com

If you have made an account with websence:
https://www.websense.com/content/Registration.aspx?task=signin
and are logged-in when you submit a site to Websence you get an email when they have categorized the URL. Nice!

Keep track of your ip / email

There are some things you might not want to block but just keep track of.
All the examples are HTTP proxy URL Path rules set to allow and log:

Your external ip:
*your_external_ip*

Your email domain:
*@your_domain.com*

China / Hong Kong / Russia:
*.cn*
*.hk*
*.ru*

Another idea would be to track you internal ip's with a regexe rule. To see if bot's are trying to report back to there C&C masters.

Spamhaus DROP (Don't Route Or Peer)

I came across this interesting Spamhaus DROP (Don't Route Or Peer) list.

Quote:
When implemented at a network or ISP's 'core routers', DROP will protect all the network's users from spamming, scanning, harvesting and dDoS attacks originating on rogue netblocks.

I added this to my 'Blocked Sites...'. You can do this to:

1. Download the list.
2. Remove everything except the netblocks and save the file as a text file.
3. Go to 'Intrusion prevention' --> 'Blocked Sites...' and click on 'Import...'
4. Select your saved file and save the new configuration to your firebox.

You can do this every month because:

Quote:
The DROP list changes quite slowly.

Webblocker & Surfcontrol 2

On 17-12-2005 I wrote about the link between Webblocker & Surfcontrol.
I seams that Watchguard now has it's own page at Surfcontrol.

http://mtas.surfcontrol.com/mtas/WatchGuardTest-a-Site.asp

The categories you can select when you are submitting a site are exactly the same as on the Watchguard. How nice!

Fireboxsupport.com

If you need help with the configuration of your Watchguard Fireware box you might want to take a look at:

http://www.fireboxsupport.com/fireware_pro.htm

They have some very detailed guides, that will help you if you are setting up a box for the first time. They also have some Tips and Tricks. Very usefull.

URL Paths 2

From the comments of my original post about URL Paths:

<qoute src="Jon Cavallo">
You can put *.com in the URL Paths. You need to enter it as '/*.com'

I use the /*.x convention on all my extension blocking. This helps prevent them from wildcarding some other part of a complex url.
</quote>

You are totally right, this is a better way to implement extension blocking with URL Paths. Thanks

CLI

Did you know that fireware also has a command line interface.
You can SSH to your box on port 4118.
You can login with:
Username = admin
password = Your read-write password.

You can do all sorts of things from the command line.
I use it as a replacement for the 'Restart IPSec' function that was in WFS but not in fireware.

To clear individual BOVPN, MUVPN, or PPTP tunnels:
WG#no vpn-tunnel ipsec enter-ID-of-the-BOVPN-tunnel-here
WG#no vpn-tunnel muvpn enter-ID-of-the-MUVPN-tunnel-here
WG#no vpn-tunnel pptp enter-the-physical-IP-address-of-the-PPTP-client-here

To find out the ID of a tunnel:
WG#show vpn-tunnel ike-gateway
WG#show vpn-tunnel ipsec
WG#show vpn-tunnel muvpn
WG#show vpn-tunnel pptp

Very usefull but remember:
<quote src="Nathan Buff">
There is a CLI but the CLI creates configurations that are not compatible with the GUI-based Policy Manager. For this reason, the CLI is only supported when the Firebox is running in Common Criteria mode.
</quote>

URL Paths

I mainly use the URL Paths function of the HTTP Proxy for blocking file extensions. Here is a list of extension that I deny:

*.acf
*.ade
*.adp
*.ani
*.arj
*.bas
*.bat
*.cab
*.chm
*.class
*.cmd
*.clp
*.cpl
*.cur
*.dat
*.dcr
*.dif
*.fav
*.hhk
*.hhp
*.hlp
*.ht
*.hta
*.htt
*.htx
*.hqx
*.idc
*.inf
*.ins
*.isp
*.jar
*.jav
*.java
*.job
*.lnk
*.m3u
*.mad
*.maf
*.mam
*.maq
*.mar
*.mat
*.mcw
*.mda
*.mdb
*.mde
*.mdn
*.mdt
*.mdv
*.mdw
*.mht
*.mnd
*.mp3
*.mpc
*.msi
*.msp
*.mst
*.nws
*.odc
*.ofn
*.ogg
*.pbk
*.pcd
*.pif
*.pip
*.pls
*.pot
*.ppa
*.ppz
*.pwz
*.ra
*.ram
*.rar
*.rat
*.reg
*.rjs
*.rm
*.rmm
*.rmp
*.rmx
*.rpm
*.scf
*.scr
*.sct
*.shs
*.slk
*.smil
*.tar
*.url
*.vb
*.vbd
*.vbe
*.vbx
*.vxd
*.wab
*.wiz
*.wma
*.wsc
*.wsf
*.wsh
*.wsz
*.zip

Notice that the file extension *.com is missing. I hope you can guess why.
You can also use the URL Path function for some more advanced filtering. I use it to prevent my users from turning off the safe search for google image search.

Rule name: Google_images_Safe_Search_Off
Pattern match: images.google.*/*safe=off*

Authentication Solution's

Wayne Campbell has writen a good article about ways to:

1. Have users directed to login screen automatically when not logged in.
2. Have a personalized login screen.
3. Have users logged out automatically after x amount of time.

You can read it here.

Advanced Diagnostics

You are having a problem with a new VPN connection you are trying to make. You just know you can do this yourself, you just need a little more information from your firebox logs. But they are not showing you the information you need.
Do I really need to open a new incident for this?

No.

Open your "Fireware Policy Manager" and goto --> Setup --> Logging... --> Click on the "Advanced Diagnostics" button and select the VPN category and set the settings slider to High. Now save your new configuration and take a look at your logs now filling them selfs with detailed VPN configuration information.

Oooooohhh.... I'm using MD5 and the other end is using SHA1. You edit your VPN to use SHA1 and the VPN connection comes up.
Jhheeeehaaaiii. I Rule. Your colleagues are looking at you, thinking you have gone insane. But you know better. You know you are going to be the Geek that shall inherit the earth. :o)