Watchguard
Review configuration options for WatchGuard firewalls in RocketCyber
| Option | Description |
| --- | --- |
| DDoS attack | Detects attempts to crash your network by overwhelming available resources. This can take the form of using all available bandwidth, memory, or other network resources. |
| Port scan | Detects malicious actors attempting to discover what ports are open on your network. |
| IPS detection (general) | Detections from the WatchGuard Intrusion Prevention System (IPS). |
| APT detection | Detections from WatchGuard's Advanced Persistent Threat tools. |
| Data leak | Detects data leaking from your network. |
| Reputation lookup | Determines whether traffic originated from a known malicious IP address. |
| IP spoofing | Detects attempts to change the reported source of traffic entering your network (for example, to avoid reputation lookups). |
| IPS license expired | A friendly reminder when your IPS license expires. |
| ICMP, IKE, IPSEC, UDP flood attacks | Various methods of overwhelming network resources to crash your network. |
| GAV Virus | A virus detected at your gateway. |
| Detect VPN use | Monitors and informs you if someone enables or attempts to use a VPN on your network. Only use this if VPN should be disabled on your network! |
Log Format
The expected format for WatchGuard logs is space-separated.
Example:
<140>Feb 4 10:47:38 ABC-FW 8265941A0BAD (2020-02-04T15:47:38) firewall: msg_id="3000-0148" Allow 1-Trusted 0-External 52 tcp 20 127 192.168.101.12 24.102.62.243 31757 443 offset 8 S 2947993982 win 32 geo_dst="USA" (HTTPS-proxy-00)
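The following parser, added here as an illustration and not part of RocketCyber or WatchGuard, splits a line in the format above into named fields (syslog PRI, hostname, serial, msg_id, action, interfaces, addresses, ports, key="value" pairs and the trailing policy name). The sample line is constructed from the example shown on this page, and the meaning of the two numbers after the protocol (taken here as IP header length and TTL) is an assumption.

```python
import re

# Constructed sample, copied from the format shown above (not a live capture).
SAMPLE = ('<140>Feb 4 10:47:38 ABC-FW 8265941A0BAD (2020-02-04T15:47:38) firewall: '
          'msg_id="3000-0148" Allow 1-Trusted 0-External 52 tcp 20 127 '
          '192.168.101.12 24.102.62.243 31757 443 offset 8 S 2947993982 win 32 '
          'geo_dst="USA" (HTTPS-proxy-00)')

# <PRI>timestamp host serial (iso-time) process: body
HEADER_RE = re.compile(
    r'^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<serial>\S+) \((?P<iso>[^)]+)\) (?P<process>\w+): (?P<body>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')          # key="value" pairs in the body
POLICY_RE = re.compile(r'\s*\(([^()]+)\)\s*$')    # trailing (policy-name)
IP_RE = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}')


def parse_watchguard(line: str) -> dict:
    """Split one WatchGuard firewall syslog line into named fields."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a WatchGuard syslog line")
    rec = m.groupdict()
    body = rec.pop("body")
    # Syslog PRI = facility * 8 + severity; 140 -> local1 (17), notice (4)
    rec["facility"], rec["severity"] = divmod(int(rec.pop("pri")), 8)
    pm = POLICY_RE.search(body)
    if pm:
        rec["policy"] = pm.group(1)
        body = body[:pm.start()]
    rec.update(dict(KV_RE.findall(body)))
    toks = KV_RE.sub("", body).split()
    # Positional traffic fields: action src_if dst_if pkt_len proto <hdr_len> <ttl>
    # src_ip dst_ip src_port dst_port ...  (hdr_len/ttl meaning is assumed here)
    if len(toks) >= 5:
        rec["action"], rec["src_if"], rec["dst_if"] = toks[0], toks[1], toks[2]
        rec["pkt_len"], rec["proto"] = int(toks[3]), toks[4]
    ip_idx = [i for i, t in enumerate(toks) if IP_RE.fullmatch(t)]
    if len(ip_idx) >= 2 and ip_idx[0] + 3 < len(toks):
        i = ip_idx[0]
        rec["src_ip"], rec["dst_ip"] = toks[i], toks[i + 1]
        if toks[i + 2].isdigit() and toks[i + 3].isdigit():   # ICMP has no ports
            rec["src_port"], rec["dst_port"] = int(toks[i + 2]), int(toks[i + 3])
    return rec


def crosses_external(rec: dict) -> bool:
    """True when the flow enters from or leaves to an External interface."""
    return any(str(rec.get(k, "")).endswith("External") for k in ("src_if", "dst_if"))


if __name__ == "__main__":
    print(parse_watchguard(SAMPLE))
```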