0

I support a school with 3 locations that uses a Watchguard XTM 505. They are implementing a BYOD wireless solution with Aerohive APs, and they will have 3 SSIDs (School, Guest, BYOD).

Each SSID needs to have different WebBlocker permissions. How can we do this with the equipment in place? Is there a best practices guide to follow?

Rex
msindle

2 Answers

0

Assuming the wireless networks will be on a different subnet than the main network, what I would do is set up an alias for the wireless network, e.g. alias 'Wireless' for network 10.1.1.1/24. Then set up an HTTP-proxy that uses that web blocker and add that alias to the proxy.

David V
0

I don't know of a best practices guide, but I think it's a bit too simple* to need one - WebBlocker is designed so you can have multiple policies.

You haven't explained the network setup at all and how the networks will get to the Watchguard - you can't tie the policy to an SSID - but presumably they are all individual, distinct networks that the Watchguard can see?

In Watchguard Policy Manager, Edit -> Add Policy, and add three new HTTP-Proxy policies. Make each of them "From: {wireless network}", "To: Any External". Depending on how the networks get to the Watchguard, "From: " could be a VLAN interface, a physical interface, an IP range, etc. as appropriate.

Where it asks for "Proxy Action:", click the plus to make a new one, call it "HTTP-Client.{SSID}", go to the WebBlocker line and click the plus to make a new one, call it "WebBlocker.{SSID}". Configure.

To edit them later without diving into the policies, go to Setup -> Actions -> WebBlocker.

Check over your rules to make sure there are no other HTTP or HTTP-proxy rules higher up that will allow internet access without WebBlocker.

WebBlocker documentation: http://www.watchguard.com/help/docs/wsm/11_xtm/en-US/index.html#CSHID=en-US/services/webblocker/webblocker_get_started_wsm.html

(* simple ish, in the sense that it's just one firewall policy repeated three times, I mean).

TessellatingHeckler
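The rule-order check from the answer above, sketched as an added example (not part of the original answers and not WatchGuard tooling). The `Policy` model, the policy names and the subnets are constructed assumptions, and it assumes policies are evaluated top-down with the first match winning; transcribe your own policy list into it by hand.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

@dataclass
class Policy:
    name: str
    ptype: str                        # "HTTP-proxy" or "HTTP" (packet filter)
    src: str                          # "From:" network in CIDR form
    webblocker: Optional[str] = None  # WebBlocker action attached, if any

def audit(policies, ssid_nets):
    """Walk the policies top-down for each SSID network and report the first
    one whose source overlaps it. Anything other than the expected
    WebBlocker.{SSID} action means that SSID is filtered wrongly or not at all."""
    findings = {}
    for ssid, cidr in ssid_nets.items():
        net = ip_network(cidr)
        expected = f"WebBlocker.{ssid}"
        findings[ssid] = "no HTTP policy matches"
        for p in policies:
            # Partial overlap counts: some clients on the SSID would hit it.
            if not ip_network(p.src).overlaps(net):
                continue
            if p.webblocker == expected:
                findings[ssid] = "ok"
            else:
                applied = p.webblocker or "no WebBlocker"
                findings[ssid] = f"first match '{p.name}' ({p.ptype}) applies {applied}"
            break
    return findings

# Constructed sample: policy list in precedence order, top first.
SAMPLE_POLICIES = [
    Policy("HTTP-proxy.School", "HTTP-proxy", "10.10.10.0/24", "WebBlocker.School"),
    Policy("HTTP-out-legacy", "HTTP", "10.10.20.0/23"),  # old allow rule, no proxy
    Policy("HTTP-proxy.Guest", "HTTP-proxy", "10.10.20.0/24", "WebBlocker.Guest"),
    Policy("HTTP-proxy.BYOD", "HTTP-proxy", "10.10.30.0/24", "WebBlocker.School"),
]
SSID_NETS = {"School": "10.10.10.0/24", "Guest": "10.10.20.0/24",
             "BYOD": "10.10.30.0/24"}

if __name__ == "__main__":
    for ssid, result in audit(SAMPLE_POLICIES, SSID_NETS).items():
        print(f"{ssid}: {result}")
```

In the sample, Guest traffic never reaches its proxy policy because the legacy packet-filter rule sits above it, and BYOD is proxied but with the School WebBlocker action attached.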