WatchGuard Support Center

Knowledge Base - Article

 Optimize WebBlocker performance

What can I do to optimize the performance of WebBlocker?

Understand WebBlocker Categories

You can use the WatchGuard Security Portal to see how WebBlocker categorizes a web site.

  1. Open a web browser and go
  2. In the WebBlocker section, click Cloud database
  3. If you are not already logged in to the WatchGuard web site, type your Username and Password.
  4. In the URL(s) text box, type the website URL or IP address. To specify multiple URLs or IP addresses, separate each with a space, comma, or semicolon.
  5. Select the I'm not a robot check box.
  6. Complete the reCAPTCHA task, if requested.
  7. Click Search.
    The WebBlocker categorization for each URL or IP address appears in the Results section of the page.

If a site is not categorized, or is miscategorized, you can submit the URL and suggested category from the WatchGuard Security Portal at:

In your request, make sure to include the URL of the site, and information about which categories you think the site should be removed from or added to.

Use Regular Expressions for WebBlocker Exceptions

WebBlocker could deny a web site that is necessary for your business. You can override WebBlocker by defining a web site that WebBlocker would normally deny. To do this, you add a WebBlocker Exception. You can create WebBlocker Exceptions using a pattern match, an exact match, or a regular expression.

For instructions on how to create WebBlocker Exceptions, see Add WebBlocker Exceptions.

For best performance, WatchGuard recommends you create WebBlocker Exceptions using regular expressions. When you use a pattern match or exact match, the XTM device must convert this to a regular expression before it evaluates each site. When you use a regular expression, this step is not necessary and the lookup occurs more quickly.  For instructions, see the knowledge base article Use regular expressions in proxy definitions.

WebBlocker does not include query strings (the part of a URL that starts with the ? character) in the categorization request it sends to the WebBlocker Server. This means that you cannot create a WebBlocker exception to block specific queries.

Improve Performance with Local DNS

For best performance with WebBlocker, it is essential to use a trusted and fast DNS server. The Firebox performs multiple DNS lookups for each WebBlocker request, and any delay in response can cause a delay or complete failure for user web requests.

The WebBlocker cloud makes use of many cloud service providers worldwide, and will provide fastest response if the Firebox connects to a local provider for DNS requests. It is important to use a local DNS provider, such as your ISP, instead of a global DNS service such as OpenDNS, or Google DNS. Be careful about using Google DNS as your default DNS server. The Google GeoLoad balancing redirects requests from Google to the US west coast. 

Confirm Your DNS Region

You can use DNS lookups to determine which "cluster" of WebBlocker regional cloud servers the DNS provider used by your XTM or Firebox connects to. In general, geographically closer clusters respond more quickly, which improves WebBlocker performance.

WebBlocker cloud has regional server clusters in seven regions:

85.115.52.x     UK Heathrow

85.115.54.x     UK Slough

208.87.233.x   USA West Coast

208.87.237.x   USA Central

208.87.234.x   USA East Coast

116.50.57.x      Hong Kong

116.50.58.x      Australia

On any Windows-based computer, you can use the command-line tool nslookup to determine which cluster a DNS provider returns for the address , the WebBlocker cloud server.

  1. Start the Windows Command Prompt.
    • From the Windows 7 Windows Start menu search box, type cmd. Press Enter.
    • From the Windows 8.x and 10 search bar, type cmd. Press Enter.
  2. Type nslookup
    The result shows the name and IP address of the default DNS server for your computer, and shows the IP address the DNS server returned for that address.
  3. Search the list above for the cluster IP address that includes the IP address that appears at the bottom of the nslookup response.
  4. To test which WebBlocker cluster a different DNS server returns, type the same nslookup command, with the IP address of a different DNS server at the end.  For example, to test the nslookup through the DNS server at, type: 
If your default DNS server does not return the IP address of the WebBlocker cluster that is geographically closest to you, we recommend you change the default DNS server to one that returns the IP address of the WebBlocker cluster closest to you.

For information about how to change the DNS server in the XTM device configuration, see Add WINS and DNS Server Addresses.

If the connection to the WebBlocker cloud server times out, the Firebox creates log messages that look like this:
2013-07-01 12:53:38 webblocker categorize_cloud: curl returned error: Connection time-out                 Debug
2013-07-01 12:53:38 webblocker categorize_cloud: curl returned error: Connection time-out                 Debug

These messages are likely to occur if:

  • Your Internet connection is slow and the connection times out to the cloud.
  • You are not using the geographically closest WebBlocker cluster, and the response time is too slow.
Make sure that your Internet connection is responsive, and that your default DNS server returns the address of the geographically closest WebBlocker cloud cluster. 

Check Ping Response Time

You can also use the ping command to send a ping to Make sure that there are no lost packets and that ping response time is less than 100ms.