Did you know your WatchGuard firewall has intrusion prevention configured right out of the box? Even without turning it on or the need for a license, your firewall can do initial intrusion scanning to help prevent attacks. This is accomplished through the Default Threat Protection settings.
Default Threat Protection is a first layer of defense against malicious activity. It can step in and block or drop connections, regardless of how your policies are written. There are several layers involved that all work together to stop inbound threats.
Default Packet Handling
The key part of Default Threat Protection is Default Packet Handling. This is what dictates what the firewall will do with potentially dangerous inbound connections.
The settings for this can be found in Policy Manager under Setup > Default Threat Protection > Default Packet Handling.
Based mostly on thresholds, the firewall can step in and block things such as port scans, IP scans, spoofing attacks and flood attacks. Once the specified threshold is hit, the originating IP address will either be dropped or blocked.
As an extra layer of protection, JSCM Group recommends that the settings for Block Port Scan and Block IP Scan be set to a threshold of 5. This will make it even harder for an attacker to try and gain information about your network before their IP is blocked.
Blocked Sites
The second part of Default Threat Protection is Blocked Sites. This can be found in Policy Manager under Setup > Default Threat Protection > Blocked Sites.
The first window for Blocked Sites gives you the ability to statically block an IP address so that no connections can be made to or from this connection. Any connection listed here will be permanently blocked, regardless of how policies are written.
The second tab for Blocked Sites Exceptions allows you to add exceptions so connections do not get blocked by Default Threat Protection. You may see pre-defined entries added by WatchGuard that relate to their services.
The Auto-Blocked tab is where you can set the duration for how long a connection will get blocked. The default settings is 20 minutes, however we recommend you set it to at least 60 minutes to make it harder for an attacker to bypass.
Blocked Ports
The final piece of Default Threat Protection is Blocked Ports. This can be found in Policy Manager under Setup > Default Threat Protection > Blocked Ports. Here you will find a list of ports that are predefined to be blocked. These ports are commonly used by attackers for malicious purposes.
You can add additional ports to this list that you do not want to be allowed. At the very least, JSCM Group recommends that you check the box for Automatically block sites that try to use blocked ports.