What can I do to optimize the performance of WebBlocker?
Understand WebBlocker Categories
You can use the WatchGuard Security Portal to see how WebBlocker categorizes a web site.
If a site is not categorized, or is miscategorized, you can submit the URL and suggested category from the WatchGuard Security Portal at:
In your request, make sure to include the URL of the site, and information about which categories you think the site should be removed from or added to.
Use Regular Expressions for WebBlocker Exceptions
WebBlocker could deny a web site that is necessary for your business. You can override WebBlocker by defining a web site that WebBlocker would normally deny. To do this, you add a WebBlocker Exception. You can create WebBlocker Exceptions using a pattern match, an exact match, or a regular expression.
For best performance, WatchGuard recommends you create WebBlocker Exceptions using regular expressions. When you use a pattern match or exact match, the XTM device must convert this to a regular expression before it evaluates each site. When you use a regular expression, this step is not necessary and the lookup occurs more quickly. For instructions, see the knowledge base article Use regular expressions in proxy definitions.
Improve Performance with Local DNS
For best performance with WebBlocker, it is essential to use a trusted and fast DNS server. The Firebox performs multiple DNS lookups for each WebBlocker request, and any delay in response can cause a delay or complete failure for user web requests.
The WebBlocker cloud makes use of many cloud service providers worldwide, and will provide fastest response if the Firebox connects to a local provider for DNS requests. It is important to use a local DNS provider, such as your ISP, instead of a global DNS service such as OpenDNS, or Google DNS. Be careful about using Google DNS as your default DNS server. The Google GeoLoad balancing redirects requests from Google to the US west coast.
Confirm Your DNS Region
You can use DNS lookups to determine which "cluster" of WebBlocker regional cloud servers the DNS provider used by your XTM or Firebox connects to. In general, geographically closer clusters respond more quickly, which improves WebBlocker performance.
208.87.233.x USA West Coast
208.87.234.x USA East Coast
116.50.57.x Hong Kong
On any Windows-based computer, you can use the command-line tool nslookup to determine which cluster a DNS provider returns for the address rp.cloud.threatseeker.com , the WebBlocker cloud server.
If your default DNS server does not return the IP address of the WebBlocker cluster that is geographically closest to you, we recommend you change the default DNS server to one that returns the IP address of the WebBlocker cluster closest to you.
For information about how to change the DNS server in the XTM device configuration, see Add WINS and DNS Server Addresses.
If the connection to the WebBlocker cloud server times out, the Firebox creates log messages that look like this:
2013-07-01 12:53:38 webblocker categorize_cloud: curl returned error: Connection time-out Debug 2013-07-01 12:53:38 webblocker categorize_cloud: curl returned error: Connection time-out Debug
These messages are likely to occur if:
Make sure that your Internet connection is responsive, and that your default DNS server returns the address of the geographically closest WebBlocker cloud cluster.
Check Ping Response Time
You can also use the ping command to send a ping to rp.cloud.threatseeker.com. Make sure that there are no lost packets and that ping response time is less than 100ms.