BugZero | WatchGuard Technologies BugID kA1Vr0000009q5pKAA - WebBlocker deny page not shown when cloud-managed ...

WatchGuard Technologies - Defect ID: kA1Vr0000009q5pKAA

WebBlocker deny page not shown when cloud-managed Firebox blocks request for web content

WatchGuard Technologies - Defect ID: kA1Vr0000009q5pKAA

WebBlocker deny page not shown when cloud-managed Firebox blocks request for web content

Last updated on February 19th, 2025

BugZero Risk Score
0.0 Coming soon

Overall: N/A

Severity: N/A

Community: N/A

Lifecycle: N/A

What is the BugZero Risk Score?

WatchGuard Technologies Integration

Learn more about where this data comes from

WatchGuard Technologies Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Bug Details

Priority: Unspecified
Status: Resolved
Article View Count: 178

Description

Issue

When WebBlocker is configured on a cloud-managed Firebox to filter web traffic, users might see a connection error in the browser when WebBlocker blocks outgoing HTTPS traffic, instead of the WebBlocker deny page. This behavior is caused by how a cloud-managed Firebox detects website categories. The categorization of the website URL domain is blocked during the TLS key exchange. This means that the deny occurs before the browser sends the HTTP request, which prevents the Firebox from showing the WebBlocker deny message in the response.

Workaround/Solution

To display the WebBlocker deny page to the user, you must configure a combination of two settings on your cloud-managed Firebox: On the Firewall policy that handles the connection, in the Traffic Types section, enable Decrypt HTTPS Traffic. TLS decryption is required to insert the WebBlocker deny page into the established HTTPS connection. For more information, see Configure Traffic Types in a Firewall Policy in Help Center.On the Content Filtering action, enable the WebBlocker Override feature. When WebBlocker Override is enabled, it disables the domain check on the TLS key exchange. This allows the browser to send the full outgoing HTTP request that enables the Firebox to respond with the WebBlocker deny page. For more information, see WebBlocker Override in WatchGuard Cloud in Help Center. NOTE: This Known Issue was resolved on 13 February 2025. The update to WatchGuard Cloud on 13 February 2025 updated how policies with Decrypt HTTPS Traffic enabled handle user requests. When WebBlocker is configured on a cloud-managed Firebox to filter web traffic, outgoing HTTPS requests that pass through web policies with Decrypt HTTPS Traffic enabled now correctly show the WebBlocker deny page to users. For policies created before 13 February 2025, this resolution will be effective after your next configuration deployment in WatchGuard Cloud.If you enabled WebBlocker Override on any policies as a workaround to this issue, you can now disable it.

Change history

2025-03-21 Added: 11.1.x, 11.10, 11.10.1, 11.10.2, 11.10.3, 11.10.4, 11.10.5, 11.10.6, 11.10.7, 11.11, 11.11.1, 11.11.2, 11.11.4, 11.12, 11.12.1, 11.12.2, 11.12.4, 11.2.x, 11.3.1, 11.3.2, 11.3.3, 11.3.4, 11.3.5, 11.3.6, 11.4, 11.4.1, 11.4.2, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.6, 11.6.1, 11.6.3, 11.6.5, 11.6.6, 11.7, 11.7.2, 11.7.3, 11.7.4, 11.7.5, 11.8, 11.8.1, 11.8.3, 11.8.4, 11.9, 11.9.1, 11.9.3, 11.9.4, 11.9.5, 11.9.6, 12.0.x, 12.1, 12.1.1, 12.1.3, 12.10.x, 12.11.x, 12.2.x, 12.3.x, 12.4.x, 12.5.x, 12.6.x, 12.7.x, 12.8.x, 12.9.x, WatchGuard Cloud

Links

Original Vendor Announcement

Relevant Products

Click on a version to see all relevant bugs

Affected versions:11.1.x, 11.10, 11.10.1, 11.10.2, 11.10.3, 11.10.4, 11.10.5, 11.10.6, 11.10.7, 11.11, 11.11.1, 11.11.2, 11.11.4, 11.12, 11.12.1, 11.12.2, 11.12.4, 11.2.x, 11.3.1, 11.3.2, 11.3.3, 11.3.4, 11.3.5, 11.3.6, 11.4, 11.4.1, 11.4.2, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.6, 11.6.1, 11.6.3, 11.6.5, 11.6.6, 11.7, 11.7.2, 11.7.3, 11.7.4, 11.7.5, 11.8, 11.8.1, 11.8.3, 11.8.4, 11.9, 11.9.1, 11.9.3, 11.9.4, 11.9.5, 11.9.6, 12.0.x, 12.1, 12.1.1, 12.1.3, 12.10.x, 12.11.x, 12.2.x, 12.3.x, 12.4.x, 12.5.x, 12.6.x, 12.7.x, 12.8.x, 12.9.x, WatchGuard Cloud

Fixed versions: No known fixed versions

Relevant Products

Click on a version to see all relevant bugs

Fixed versions: No known fixed versions

Top WatchGuard Defects by Risk Score

Defect ID: kA1Vr0000009xvJKAQ
WatchGuard Endpoint Security firewall protection's automatic network location is incorrect when using IKEV2 VPN adapters
Defect ID: kA1Vr0000007LVxKAM
WatchGuard Endpoint Security network infrastructure causes Windows BSOD crashes in driver NNSHTTP when browsing pages
Defect ID: kA1Vr0000009AkvKAE
WatchGuard Endpoint Security performance issues and computers erroneously identified as "Unmanaged" with Endpoint Access Enforcement
Defect ID: kA1Vr000000B2JRKA0
Endpoint Security Web Access Control fails to block sites
Defect ID: kA1Vr0000009AhhKAE
WatchGuard Enpoint Security shows Trojan/RansomDecoy.A detections as 'Ignored' in the Threats Detected by the Antivirus tile

WatchGuard Technologies Integration

Learn more about where this data comes from

WatchGuard Technologies Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Ready to prevent the next vendor outage?

Get a demo

OPERATIONAL DEFECT DATABASE

WatchGuard Technologies - Defect ID: kA1Vr0000009q5pKAA

WebBlocker deny page not shown when cloud-managed Firebox blocks request for web content

WatchGuard Technologies - Defect ID: kA1Vr0000009q5pKAA

WebBlocker deny page not shown when cloud-managed Firebox blocks request for web content

Last updated on February 19th, 2025

BugZero Risk Score0.0 Coming soon

Bug Details

Issue

Workaround/Solution

Links

Top WatchGuard Defects by Risk Score

Ready to prevent the next vendor outage?

BugZero Risk Score
0.0 Coming soon