WatchGuard Support Center

Knowledge Base - Article

 DNSWatch and WebBlocker Content Filters on Fireboxes

How do DNSWatch content filtering and WebBlocker work together on a Firebox?

NOTE: DNSWatch content filtering is supported in Fireware v12.4 and higher. It is not supported on XTM devices.

Both WebBlocker and DNSWatch filter the websites that users can get access to through your Firebox. Although these two services appear to do the same thing, they enforce content filtering at different levels and complement each other.

  • DNSWatch filters content on a domain level to block connections to sites that are blocked by your DNSWatch content filter policy as well as malicious sites.
  • WebBlocker denies content through Firebox proxy policies at a more granular IP address level and continues to do so for the entire connection.

Both DNSWatch and WebBlocker use the same database to categorize site content. The difference is when and at what level the services process the request for content.

  • DNSWatch is the first opportunity to block the connection because it processes the request before the connection begins. DNSWatch compares the requested domain to the DNSWatch content filter policy and malicious domains lists. For example, DNSWatch can block the domain, which blocks everything on the CNN website.
  • WebBlocker processes the requests throughout the connection based on the URL. With content inspection enabled, WebBlocker can allow access to news and sports content on and deny access to entertainment content on
  • The most strict content filtering policy is always applied. 

If you have DNSWatch content filter policies and WebBlocker enabled, the process flow is as follows:

  1. A computer sends a DNS query to the DNS resolver configured on the computer to get the domain. The DNS query is forwarded to the Firebox.
  2. The Firebox redirects the query to the DNSWatch DNS server.

    NOTE: This occurs one time for each DNS request.

  3. DNSWatch checks the requested domain name against the DNSWatch content filter policy and malicious domains lists.
    • If the domain is on a filtered or malicious domains list, then DNSWatch returns the IP address for the corresponding DNSWatch block page to the computer.
    • If the domain is not on any of the lists, DNSWatch returns the actual IP address of the requested domain to the computer.
  4. The computer establishes the connection to the returned server IP address through the Firebox, whether it is the DNSWatch block page IP address or the IP address of the requested domain.
    • If the connection is to a DNSWatch block page, the Firebox recognizes the block page IP address and the proxy system processes it as an exception. The Firebox forwards the connection to the block page. The Firebox also creates a proxy traffic log message.
    • If the connection is to the IP address of the requested domain, the Firebox proxy policies process the connection and enforce the appropriate WebBlocker action.
  5. If the IP address is in a category the WebBlocker action is configured to deny or warn users about, the Firebox returns the proxy deny or warn page to the computer.

    NOTE: If the transaction is a single request, there will be only one WebBlocker query in the connection. If there are multiple transactions (for example, multiple GET requests) then there are multiple WebBlocker queries in the same connection.

Block Pages

Both DNSWatch and Firebox proxies have different block or deny pages. The block or deny page that appears on the computer indicates which service blocked or denied the content.

  • If DNSWatch blocks a domain, the appropriate DNSWatch block page appears.
  • If DNSWatch allows a domain but WebBlocker denies it, then the proxy deny page appears.
NOTE: When you have a device with DNSWatchGO client behind a DNSWatch enabled Firebox, the user will see the custom block page for that Firebox, if one has been configured, if the domain is blocked by both the client and DNSWatch. 

Proxy Log Messages

When DNSWatch blocks a domain for filtered content, the Firebox creates this proxy log message:

Feb 5 12:53:35 2019 xxxxx_xtmv http-proxy[2245]: msg_id="1AFF-0041" Deny 1-Trusted 0-External tcp 54672 443 msg="ProxyDeny: HTTP DNSWatch content filtered domain" proxy_act="HTTP-Client.Standard" host="" path="/" geo_dst="USA" (HTTPS-proxy-00)

When DNSWatch blocks a domain for malicious content, the Firebox creates this proxy log message:

Feb 5 12:54:21 2019 xxxxx_xtmv http-proxy[2246]: msg_id="1AFF-0040" Deny 1-Trusted 0-External tcp 54686 443 msg="ProxyDeny: HTTP DNSWatch blackholed domain" proxy_act="HTTP-Client.Standard" host="" path="/?dnswatch-victim-ip=" geo_dst="USA" (HTTPS-proxy-00)