Operational Defect Database


WatchGuard Technologies | kA1Vr00000011V7KAI

Categorization errors caused by client traffic might cause the WebBlocker service to be marked as Inactive

Last update date: 4/23/2024

Affected products:

Firebox M200

Firebox M300

Firebox M270

Firebox M370

Firebox M470

Firebox M570

Firebox M670

Firebox M290

Firebox M390

Firebox M400

Firebox M500

Firebox M440

Affected releases:

All

Fireware

12.x

12.10.x

Fixed releases:

All

Description:

Issue

If you use WebBlocker with an HTTPS proxy, the Firebox might incorrectly mark the WebBlocker service as unavailable when it scans outbound HTTPS connections from host agents (such as AnyDesk or Mimecast) that do not specify a Server Name Indication (SNI) in the TLS handshake. Without an SNI there is no host name to send for categorization, and the Firebox reports the failed lookup as a WebBlocker outage rather than as an uncategorizable request; the connection is then handled as if the WebBlocker server were down, which in the example below results in a Deny (ProxyDrop).

To verify the problem, look in Traffic Monitor for traffic log messages that contain both of these:

error="Webblocker server is not available"
dstname= with a value that is not a fully qualified domain name, such as "AnyNet Relay" or "Mimecast SDNSG"

Example traffic log message:

2024-04-08 12:18:25 Deny 10.0.1.1 212.102.40.162 https/tcp 63161 443 Trusted External ProxyDrop: HTTPS service unavailable (HTTPS-proxy-00) HTTPS-Client.Standard.Out proc_id="https-proxy" rc="594" msg_id="2CFF-0002" proxy_act="HTTPS-Client.Standard.Out" error="Webblocker server is not available" action="WBtest" cats="" dstname="AnyNet Relay" geo_dst="USA" Traffic

WebBlocker also generates a "curl returned error:" diagnostic log message that contains no additional information.

Example diagnostic log message:

2024-04-08 12:18:25 webblocker categorize_url: curl returned error: Debug

Workaround/Solution

To exclude specific client traffic from being sent for categorization, add a Pattern Match WebBlocker exception for the client in your WebBlocker actions. For example, if you use AnyDesk, you might see dstname="AnyNet Relay" in the traffic log messages. To add the exception for this, use these settings:

Match Type: Pattern Match
Type: URL
Pattern: AnyNet Relay/*

For locally-managed Fireboxes, you can instead add a regular expression WebBlocker exception in Policy Manager that covers most host agents known to cause this issue. In Policy Manager, add a WebBlocker exception with these settings:

Match Type: Regex
Type: URL
Regular Expression: ^[^.]*$

Note that ^[^.]*$ matches every destination name that contains no dot, so it exempts all such non-SNI connections from categorization, not only the agents you have identified; where you can name the agent, the narrower Pattern Match exception keeps the rest of WebBlocker policy intact. For more information, go to Configure WebBlocker Exceptions (locally-managed Fireboxes) or Add Exceptions in WatchGuard Cloud (cloud-managed Fireboxes).
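The log check in the Issue section and the exception rules in the Workaround can be worked through offline. The following script is an added example and is not WatchGuard's code or part of the original defect entry: it parses the key="value" fields of Firebox traffic log lines, reports only lines that carry this defect's signature (the WebBlocker "not available" error together with a dstname that is not a fully qualified domain name), and for each offending dstname shows the Pattern Match string in the form the workaround uses and whether the Policy Manager regex ^[^.]*$ would cover it. The first sample line is the page's own example; the other three lines, the host-name test in is_fqdn, and the names of all functions are constructed for this illustration and are not WatchGuard fields or APIs.

```python
import re
from typing import Dict, Optional

# Constructed sample Traffic Monitor lines. Line 1 is the example quoted on this page;
# lines 2-4 are constructed controls: a second non-FQDN dstname, a genuine WebBlocker
# outage (error set, but dstname is a real host name), and a normal allowed connection.
SAMPLE_LOG = """\
2024-04-08 12:18:25 Deny 10.0.1.1 212.102.40.162 https/tcp 63161 443 Trusted External ProxyDrop: HTTPS service unavailable (HTTPS-proxy-00) HTTPS-Client.Standard.Out proc_id="https-proxy" rc="594" msg_id="2CFF-0002" proxy_act="HTTPS-Client.Standard.Out" error="Webblocker server is not available" action="WBtest" cats="" dstname="AnyNet Relay" geo_dst="USA" Traffic
2024-04-08 12:18:31 Deny 10.0.1.7 203.0.113.9 https/tcp 50112 443 Trusted External ProxyDrop: HTTPS service unavailable (HTTPS-proxy-00) HTTPS-Client.Standard.Out proc_id="https-proxy" rc="594" msg_id="2CFF-0002" proxy_act="HTTPS-Client.Standard.Out" error="Webblocker server is not available" action="WBtest" cats="" dstname="Mimecast SDNSG" geo_dst="USA" Traffic
2024-04-08 12:18:40 Deny 10.0.1.9 198.51.100.4 https/tcp 50200 443 Trusted External ProxyDrop: HTTPS service unavailable (HTTPS-proxy-00) HTTPS-Client.Standard.Out proc_id="https-proxy" rc="594" msg_id="2CFF-0002" proxy_act="HTTPS-Client.Standard.Out" error="Webblocker server is not available" action="WBtest" cats="" dstname="www.example.com" geo_dst="USA" Traffic
2024-04-08 12:18:45 Allow 10.0.1.3 198.51.100.8 https/tcp 50301 443 Trusted External Allowed (HTTPS-proxy-00) proc_id="https-proxy" proxy_act="HTTPS-Client.Standard.Out" action="WBtest" cats="Search Engines" dstname="www.example.org" geo_dst="USA" Traffic
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs in a proxy log line
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")  # one DNS label
WB_ERROR = "Webblocker server is not available"
# The regular expression from the Policy Manager workaround: any name with no dot.
NO_DOT_EXCEPTION = re.compile(r"^[^.]*$")


def parse_fields(line: str) -> Dict[str, str]:
    """Extract the key="value" fields from one Firebox traffic log line."""
    return dict(KV_RE.findall(line))


def is_fqdn(name: str) -> bool:
    """True for a dotted host name such as www.example.com; False for free-text
    labels like 'AnyNet Relay' and for IPv4 literals (constructed heuristic)."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 2 or all(label.isdigit() for label in labels):
        return False
    return all(LABEL_RE.match(label) for label in labels)


def matches_defect(line: str) -> Optional[str]:
    """Return the dstname if the line carries this defect's signature (WebBlocker
    'not available' error together with a non-FQDN dstname), otherwise None."""
    fields = parse_fields(line)
    if fields.get("error") != WB_ERROR:
        return None
    dstname = fields.get("dstname", "")
    if not dstname or is_fqdn(dstname):
        return None  # the error with a real host name is a genuine outage, not this defect
    return dstname


def triage(log_text: str) -> Dict[str, int]:
    """Count affected connections per dstname; these are the values to build exceptions for."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        name = matches_defect(line)
        if name is not None:
            counts[name] = counts.get(name, 0) + 1
    return counts


def pattern_match_exception(dstname: str) -> str:
    """The URL pattern for a Pattern Match exception, in the form the workaround uses."""
    return f"{dstname}/*"


def regex_exception_covers(dstname: str) -> bool:
    """Would the Policy Manager regex exception ^[^.]*$ match this dstname?"""
    return NO_DOT_EXCEPTION.match(dstname) is not None


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_LOG).items():
        print(f'{hits} hit(s) for dstname="{name}": '
              f'Pattern Match -> {pattern_match_exception(name)}; '
              f'covered by ^[^.]*$: {regex_exception_covers(name)}')
```

Run against an exported Traffic Monitor log instead of SAMPLE_LOG to get the list of agent names to put into Pattern Match exceptions. Two properties of the regex workaround fall out of regex_exception_covers directly: it matches any dotless dstname, so it covers every agent in the triage list at once, and it does not match an IPv4 literal such as 212.102.40.162, so a connection that logs an address rather than a name needs its own exception.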


Status: Open
