How to integrate Friendly WiFi and the WatchGuard Firebox


Friendly WiFi Integration Overview


Friendly WiFi offers safe and secure access to the Internet by limiting access to inappropriate websites when you use public wireless services.

Friendly WiFi uses the WatchGuard WebBlocker service to help protect public wireless services with a database of website addresses organized by content categories.

When a user tries to connect to a website, the WatchGuard Firebox checks the website URL with the WebBlocker database. If the website is not listed in the database or is not blocked, the page is accessible to the user. If the website appears in the WebBlocker database and is blocked based on the content category of the site, a notification appears and access to the web site is denied.

This document describes how to block inappropriate websites with WebBlocker to satisfy the requirements for using the Friendly WiFi symbol with your public wireless service.

Platform and Software

The hardware and software used to complete the steps outlined in this document include:

   Firebox with Fireware OS v11.10.x or higher


   WebBlocker subscription service configured to use the Websense database.

How WebBlocker Works 

  1.  A user sends a URL request to access a website.
  2. Firebox sends a URL categorization lookup request to the Websense cloud.
  3. Websense cloud sends the lookup response.
  4. If the web site is in a blocked category, a notification appears and the website is not displayed. If the website is not in the database or is not blocked, the page is displayed for the user.

Categorization Database

When you configure WebBlocker, you have two options for the type of WebBlocker database the Firebox uses to control access to web content.

  Websense cloud with Websense categories

  Local WebBlocker Server with SurfControl categories

Based on the commitment by the UK for filtering content for standard public wireless access with data provided by the IWF (Internet Watch Foundation), Friendly WiFi chose Websense as the preferred content filtering database because Websense is a member of the IWF and updates its lists based on IWF data.


Activate WebBlocker

You can activate and configure WebBlocker in one of these two ways:

    Add a WebBlocker action and applicable HTTP/HTTPS policies, and apply the WebBlocker action to these policies

    Use the WebBlocker Activation Wizard 

In this example, we use the WebBlocker Activation Wizard from Fireware Web UI.

  1. From the Fireware Web UI, select SUBSCRIPTION SERVICES > WebBlocker

If WebBlocker has never been configured, the Activation Wizard is displayed. If you already have WebBlocker actions defined and you want to add a new one, you can click RUN WIZARD at the bottom of the page to start the Activation Wizard.

     2.Click NEXT.

     3.Type a valid DNS server address in the DNS Server text box and click NEXT

A DNS server is required to allow the Firebox to perform website categorization lookups to the Websense cloud.

     4.Type a descriptive name for the WebBlocker action in the Profile Name text box, then click NEXT.

     5. By default, Websense cloud is selected and all available categories are shown.

Select the categories you want to block. To meet the minimum requirements for Friendly WiFi, you must select the "Sex" category.

Click NEXT when finished. 

     6.Select the HTTP Client and HTTPS Client proxy policies, and then click NEXT


Proxy policies for HTTP and HTTPS are automatically created and configured with your WebBlocker action.

To view these new HTTP and HTTPS proxy policies, select FIREWALL > Firewall Policies.


Test WebBlocker Integration

To test WebBlocker, try to access a website from a client computer that would be categorized in the "Sex" category. The request should be denied and a notification displayed in the web browser.