Add WebBlocker Exceptions

If you want WebBlocker to always allow or always deny access to a website, regardless of the content category, you can add a WebBlocker exception for that site. You can add a WebBlocker exception that is an exact match of a URL, a pattern match of a URL, or a regular expression.

WebBlocker does not include query strings (the part of a URL that starts with the ? character) in the categorization request it sends to the WebBlocker Server. This means that you cannot create a WebBlocker exception to block specific queries.

Exact match

Exact matches match an exact URL or IP address, character by character. You cannot use wildcards, and you must type each character exactly as you want it to be matched. For example, if you enter an exception to allow www.yahoo.com as an exact match only, and a user types “www.yahoo.com/news”, the request is denied.

Pattern match

Pattern matches match a pattern in the URL or IP address, for example “pattern” in www.pattern.com. Make sure to drop the leading “http://” and include “/*" at the end. Use the wildcard symbol, *, to match any character. You can use more than one wildcard in one pattern. For example, the pattern www.somesite.com/* will match all URL paths on the www.somesite.com website. To enter a network address, use a pattern match that ends in a wildcard. For example, to match all the websites at 1.1.1.1 on port 8080, set the directory to “*”.

Regular expression

Regular expression matches use a Perl-compatible regular expression to make a match. For example, \.[onc][eor][gtm] matches .org, .net, .com, or any other three-letter combination of one letter from each bracket, in order. When you create a regular expression to match URL path, do not include the leading “http://”. Regular expressions support wild cards used in shell scripts. For example:

• The regular expression: “(www\.)?watchguard\.[com|net]” matches URL paths including www.watchguard.com, www.watchguard.net, watchguard.com, and watchguard.net
  

• The regular expression: 1.1.1.[1-9] matches all IP addresses from 1.1.1.1 to 1.1.1.9.
  

Regular expressions are more efficient, in terms of CPU usage, than pattern matches. For best performance, we recommend that you use regular expressions rather than pattern matches to define your WebBlocker exceptions, when several exceptions are configured. You can create a regular expression that is equivalent to a pattern match. For example, the pattern match *.hostname.com/* is equivalent to the regular expression ^[0-9a-zA-Z\-\_.]{1,256}hostname\.com.

For more information about how to use regular expressions, see About Regular Expressions.

To create exceptions to the WebBlocker categories, from Fireware Web UI:

To create exceptions to the WebBlocker categories, from Policy Manager:

After you add an exception for to allow connections to a URL, test the connection to the website to make sure that content on the site displays correctly. Many web sites include references to content located at other sites, or use a content delivery network (CDN) to host content. Users might not see a deny message in the web browser when WebBlocker denies access to referenced content.

If you select the Deny website access option to deny access to URLs that do not match an exception, select the Log this Action check box so that you can see log messages about denied URLs in Traffic Monitor. This can help you troubleshoot any issues with blocked access to content at a different URL.