WatchGuard Gateway Antivirus vs. IntelligentAV

WatchGuard Gateway Antivirus vs. IntelligentAV

With WatchGuard’s release of firmware version 12.2, a new feature became available called IntelligentAV.  This service is not only firmware specific but hardware specific.  IntelligentAV is supported as part of the Total Security Suite on:

  • Firebox M270

  • Firebox M370

  • Firebox M400

  • Firebox M440

  • Firebox M470

  • Firebox M500

  • Firebox M570

  • Firebox M670

  • Firebox M4600

  • Firebox M5600

  • Firebox Cloud

  • FireboxV


There have been many questions surrounding IntelligentAV because there is already the Gateway Antivirus service available through both Basic and Total Security Suite.  The difference in these two is quite substantial, however.


GAV vs. IntelligentAV
With Gateway Antivirus, the firewall is relying on virus signatures.  This service works great at stopping threats, if they are known.  However, with the growing threat of advanced malware, there are increasingly high numbers of threats that have no signature identified, and would therefore not be caught by typical AV programs like the Gateway Antivirus service.

This is where IntelligentAV comes in.  This service uses artificial intelligence and machine learning to identify and block known and unknown malware.  Because it is not based on signature analysis, it is much more capable of preventing zero-day threats.

With the addition of IntelligentAV, WatchGuard has implemented a dual-layer of scanning when it comes to processing traffic.  This gives the firewall the ability to stop an even higher number of threats, further protecting your network and your users.

Firebox Performance
Due to the increased amount of scanning that your Firebox will be performing with IntelligentAV, you may notice a performance hit on your device.  As with any new feature, we recommend you monitor your device to ensure you are not noticing any significant performance hits once the service is turned on.  

Traffic Processing
IntelligentAV and Gateway Antivirus are configured to work in sequence to ensure traffic is analyzed as completely as possible.  First, GAV will scan the files using its Bitdefender engine.  If it can identify the file as being malicious, it will stop the threat and does not need to send it to IntelligentAV.  

If GAV does not see the file as malicious, IntelligentAV will then step in and scan the content using its Cylance engine.  If IntelligentAV identifies a threat, the firewall will take the action configured through Gateway Antivirus.

Since IntelligentAV relies on Gateway Antivirus to work, it is important that this service be configured first.  The steps below will outline first enabling GAV, and then enabling IntelligentAV on your firewall.

Gateway Antivirus Configuration
The first step to configuration is to ensure your firewall has proxy policies in place.  A proxy policy is required so that the firewall can fully review the data that is being processed.  Both antivirus services can be configured on the following proxies:


Step 1: 
Through Policy Manager, go to Subscription Services > Gateway Antivirus > Configure.  Click Enable on all available proxies.

Gateway Antivirus Configuration image

Step 2:
Since Gateway Antivirus is purely a signature service, you will need to ensure automatic updates are enabled.  To do so, click the Update Server button.  Then check the box to make sure GAV signatures are updated.  NOTE: Leave the default of 1 hour for the interval.

Gateway Update Server configuration Screen Shot
 
Update AV Signatures screen image

IntelligentAV Configuration
Once you have Gateway Antivirus enabled, you can now turn on IntelligentAV.


Step 1:
Through Policy Manager, go to Subscription Services > IntelligentAV.  Select the box Enable IntelligentAV.

Subscription Services - IntelligentAV screen shot

Step 2:
IntelligentAV does not rely on signatures, but it does rely on updates to ensure the artificial intelligence can properly identify threats.  Automatic Updates must be enabled for this service as well.  To do so, click the Update Server button.  Then check the box to make sure IntelligentAV is updated.

IntelligentAV Updates selected screen shot

Layers of Protection
The key concept when securing any network is to understand that layering security is the most efficient way to ensure our devices and users are protected.  No one service will ever be capable of securing everything, however through WatchGuard’s Subscription Services we can continue to add additional pieces to help protect the data we want to secure.  If you would like further information on the other services available on your WatchGuard firewall or would like assistance getting them configured, contact us today!