WatchGuard Support Center

Knowledge Base - Article

000017111
 How to configure your Firebox with DNSWatch for Friendly WiFi

Information
How to configure your Firebox with DNSWatch for Friendly WiFi compliance.
WatchGuard is an accredited Friendly WiFi Approved Provider. Customers that use WatchGuard Fireboxes with an active DNSWatch subscription can provide the content filtering required to make sure wireless users cannot access inappropriate content.

WatchGuard DNSWatch monitors DNS requests both on network and off network to prevent connections to known malicious domains. DNSWatch protects against malicious clickjacking and phishing domains regardless of the connection type, protocol, or port. DNSWatch can also block content based on categories. For more information about DNSWatch, see About DNSWatch.

You can use the DNSWatch service on your Firebox with these wireless deployments:
  • Firebox with built-in wireless
  • Firebox with WatchGuard APs managed by a Gateway Wireless Controller
  • Firebox with third-party APs
These procedures describe how to block inappropriate websites with your Firebox and DNSWatch to satisfy the requirements for using the Friendly WiFi symbol with your public wireless service.

Note: You can also use WatchGuard WebBlocker to configure content filtering for Friendly WiFi compliance. For more information, see: How to configure your Firebox with WebBlocker for Friendly WiFi.

Platform and Software

The hardware and software used to complete the steps outlined in this document include:
  • Firebox or wireless-capable Firebox with Fireware v12.1.1 or higher
  • DNSWatch subscription service
  • WatchGuard APs or third-party APs

How DNSWatch Works

When DNSWatch is enabled and your Firebox receives a DNS query from a host on a protected network, it sends the request to DNSWatch. DNSWatch determines whether the domain is a known threat. If a content filter policy is assigned to the Firebox, DNSWatch also determines if a domain is on the content filter list.

If the domain is not a known threat or filtered content, DNSWatch returns the requested content.

If the domain is a known threat:

  • DNSWatch returns the DNSWatch Blackhole content
  • DNSWatch tries to gather more information about the threat from the endpoint that made the DNS request
  • For HTTP and HTTPS requests, DNSWatch redirects the user to a customizable block page

If the domain is filtered content:

  • DNSWatch redirects the user to a customizable block page

Configure DNSWatch on your Firebox

To enable DNSWatch from Fireware Web UI:
  1. Select Subscription Services > DNSWatch.

Screen shot of the DNSWatch settings in Fireware Web UI

  2. Select the Enable DNSWatch Service check box.
  3. From the Usage Enforcement drop-down list, select the enforcement option.
     You can Enforce on all Trusted, Optional and Custom interfaces, Enforce on selected interfaces, or Disable enforcement. For most networks, we recommend that you enable enforcement on all Firebox interfaces.
  4. Click Save.

Configure Content Filters

In addition to DNSWatch protection from malicious domains based on intelligence feeds, you can use DNSWatch policies to block domains in selected content categories on protected networks and devices. The Safe Search option helps filter out explicit content in search results across multiple search engines. You can create multiple policies to meet the needs of your different networks. Each protected network and the DNSWatchGO client can use a different policy. For more information, see Manage User Access to Content.

A content filter policy is required to add the categories necessary for Friendly WiFi compliance.

To configure content filtering policies in DNSWatch:
  1. Log in to DNSWatch in the WatchGuard Portal.
  2. Select Configure > Content Filtering Policies.
  3. In the Policies tab, click Create New Policy.
  4. In the Policy Name text box, type a descriptive name for the policy and click Save Policy.
  5. If you want to enable Safe Search enforcement, select the Enable Safe Search check box.
  6. Click Save Policy.
  7. Select the Categories tab.
  8. Select the check boxes for the categories you want to filter. To see subcategories, click the arrow to the right of the category name. When you select a top-level category, its subcategories are automatically selected. If you do not want to block that category, clear the check box. For a complete list of available categories and descriptions, see About DNSWatch Content Filter Categories.
     For Friendly WiFi compliance, make sure you block Adult Material / Pornography type categories as part of your policy.
  9. Click Save Categories.
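
To confirm from a client on the guest wireless network that the behavior described in How DNSWatch Works is in effect, you can compare DNS answers against what the policy should produce. The script below is an added example, not WatchGuard code. It assumes that a blocked lookup is answered with an address of your block page or blackhole server; the 203.0.113.0/24 range, the sample domains, and the function names are placeholders.

```python
import ipaddress
import socket

# Assumption: placeholder range (TEST-NET-3). Replace with the address(es) that
# blocked lookups return in your own deployment.
BLOCK_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def system_resolve(domain):
    """Resolve through the client's normal DNS path, the one the Firebox enforces."""
    try:
        infos = socket.getaddrinfo(domain, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    # Drop any IPv6 zone suffix so the address parses on every Python version.
    return sorted({info[4][0].split("%")[0] for info in infos})


def classify(addresses, block_nets=BLOCK_NETS):
    """Return 'blocked', 'resolved', 'mixed' or 'no-answer' for one lookup."""
    if not addresses:
        return "no-answer"
    ips = [ipaddress.ip_address(a) for a in addresses]
    hits = sum(any(ip in net for net in block_nets) for ip in ips)
    if hits == len(ips):
        return "blocked"
    return "mixed" if hits else "resolved"


def audit(expectations, resolve=system_resolve, block_nets=BLOCK_NETS):
    """Compare each domain's observed state with the expected one.

    expectations maps domain -> 'blocked' or 'resolved'. Returns a list of
    (domain, expected, observed, addresses) tuples, one per mismatch.
    """
    failures = []
    for domain, expected in sorted(expectations.items()):
        addresses = resolve(domain)
        observed = classify(addresses, block_nets)
        if observed != expected:
            failures.append((domain, expected, observed, addresses))
    return failures


if __name__ == "__main__":
    # Constructed sample list: use domains from categories your policy blocks.
    checks = {"adult-category-sample.example": "blocked", "watchguard.com": "resolved"}
    for domain, expected, observed, addrs in audit(checks):
        print(f"FAIL {domain}: expected {expected}, got {observed} {addrs}")
```

An empty result from `audit` means every lookup matched its expected state. A `resolved` result for a domain you expected to be blocked usually means the client is not on an interface where enforcement is enabled or the content filter policy is not assigned.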