WatchGuard Technologies, Inc.
Frequently Asked Questions
Gateway AntiVirus/Intrusion Prevention Service

General Questions

Gateway AV/IPS Functionality

High Availability

Licensing

Purchasing Gateway AV/IPS

Additional Security Subscriptions from WatchGuard


General Questions

Q: What is Gateway AntiVirus/Intrusion Prevention Service (Gateway AV/IPS)?
A:
Gateway AntiVirus/Intrusion Prevention Service (Gateway AV/IPS) is an easy-to-manage, signature-based security subscription for Firebox® X security appliances. Complementing the application proxy capabilities on the Firebox, it identifies and blocks suspicious network activity and malicious code in real time. By adding Gateway AV/IPS, you get an additional layer of powerful protection against spyware, viruses, and application exploits including trojans, buffer overflows, SQL injections, instant messaging and P2P usage, and policy violations. It continually checks for new signatures and automatically updates your system as new signatures are available. A single subscription provides network-wide protection for all users configured behind your Firebox® X.

Q: Who can use Gateway AV/IPS?
A:
Gateway AV/IPS is available to customers who are using:

  • Firebox X Peak appliances (all)
  • Firebox X Core e-Series appliances
  • Firebox X Core (pre–e-Series) that are upgraded to Fireware® Pro advanced appliance software
  • Firebox X Edge e-Series appliances with v8.5 or later appliance software

Q: What does the Gateway AntiVirus component do?
A:
Gateway AntiVirus provides an additional layer of security designed to identify and block viruses, worms, spyware, and other blended threats attempting to enter your network through email. The signature database, comprising thousands of signatures of the most active global virus exploits, extends far beyond “in the wild” viruses.

Q: What does the Intrusion Prevention Service (IPS) component do?
A:
Signature-based IPS is designed to stop attacks coming in through all TCP protocols supported by the Firebox X, including SMTP, HTTP, FTP, and DNS, as well as DNS traffic using the UDP transport. IPS blocks attacks that do not break protocol standards or behavioral rules, such as spyware, cross-site scripting attacks, HTML and SQL injections, trojans, and buffer overflows.

IPS protects against application vulnerabilities that are not easily recognized by the protocol anomaly detection methods utilized within WatchGuard's Intelligent Layered Security architecture. The IPS database currently identifies and blocks over 1400 exploits and the use of vulnerable applications such as IM and P2P. Additional exploit signatures can be added throughout the life of an active Gateway AV/IPS subscription term, as they become available from WatchGuard.

Q: Why do I need Gateway AntiVirus/Intrusion Prevention Service?
A:
Including gateway anti-virus and intrusion prevention in your network security solution is considered essential in order to have complete unified threat management (UTM).

WatchGuard's existing firewall architecture already blocks many spyware attacks, viruses, trojans, buffer overflows, and other application attacks through its protocol anomaly detection (PAD) and pattern matching capabilities. The Firebox® X series blocks suspicious files, traffic, and attachments with risky extensions, MIME-content type, and content fingerprinting using efficient proxy rules – not the resource-intensive approach of a traditional antivirus/IPS solution. But for those files, traffic, and attachments that are allowed by policy because they are deemed business-critical, it is important to have an AV/IPS scanning layer.

Signature-based AV scanning is reserved for those emails that have successfully passed through the other layers of security, but require scanning of attachments that haven't already been blocked.

Signature-based IPS protects against client/server attacks that take advantage of critical vulnerabilities in network systems and are delivered in non-suspicious traffic. These include – but are not limited to – trojans, scripting attacks, HTML injections, SQL injections, and IM/P2P traffic.

Q: What types of attacks does Gateway AV/IPS prevent?
A:
Gateway AV/IPS stops attacks that do not break protocol standards or behavioral rules, or that attempt to enter the network through email attachments. Types of attacks Gateway AV/IPS prevents include:

  • Viruses, worms, backdoors, keyloggers, and dialers spread through email
  • Spyware, phone home, phishing, and bot attacks
  • Buffer overflows exploiting critical Windows and SQL servers, Internet Explorer clients, and FTP servers
  • Cross-site scripting attacks
  • HTML injections
  • Suspicious login attempts
  • Protocol command decoding
  • Use of vulnerable applications including IM and P2P

Q: What's unique about WatchGuard Gateway AV/IPS?
A:
WatchGuard Gateway AV/IPS provides the following key advantages not found in competitors' products:

  • WatchGuard's Gateway AV/IPS subscription provides some of the fastest signature responses to new, unknown threats. For example, many other UTM vendors did not respond to the Sober virus until four hours after WatchGuard had successfully identified, developed, certified, signed, and posted the signature for the first attack and for possible unpacked/repacked variants.
  • WatchGuard's unique application proxy-based architecture is more secure than other UTM vendors using in-stream scanning and protects against exploits that cross many packet boundaries. Many other UTM vendors that use in-stream scanning suffer from these types of exploits as they typically don't buffer up enough data to protect against exploits that cross many packet boundaries. In-stream signatures will have a difficult time catching these types of attacks.
  • WatchGuard spends hundreds of engineering hours regularly developing, testing, and qualifying our IPS signatures to ensure high efficacy and low false positives.
  • Only WatchGuard Gateway AV/IPS offers the ability to dynamically block attack sources after they have been identified by the IPS engine, meaning an attacker is prevented from reaching the network via an otherwise open port (such as may be configured for a public-facing Web or mail server). This ability to “shun” further attacks provides a level of security unmatched today.

Q: Why do I need Gateway Antivirus if my employees' PCs and laptops already have desktop antivirus software?
A:
A sound security strategy implements multiple layers of antivirus scanning, including gateway- and desktop-based antivirus.

As threats become more complex and sophisticated, every organization needs multiple layers of optimized protection. Working together, these two solutions provide a strong combination for protection at the gateway, within the LAN, and for mobile users coming into the network. In addition to Gateway AV/IPS, WatchGuard also offers bundled managed desktop antivirus clients through our partnership with McAfee®.

Q: What antivirus engine and virus signatures are being used?
A:
WatchGuard evaluated the size, performance, features, and value of several solutions available on the market, and opted to integrate the ClamAV antivirus engine and signatures. WatchGuard's integration of the ClamAV engine into its Gateway AV solution offers the following key benefits for customers:

  • The ClamAV engine supports detection of WildList viruses, zoo viruses, virus variants, trojans, and spyware on Firebox X Core™ and Peak™ platforms. The ClamAV engine is optimized with a WildList signature set for the Firebox X Edge platform. Other UTM providers typically only provide more limited support of a WildList virus list across their entire product line.
  • The engine has very strong support for compressed files – more than other UTM providers.
  • The response times from the ClamAV project for virus outbreaks are very rapid. For example, AV-test.org reported quick detection rates for ClamAV when the recent string of Bagle variants re-appeared. The ClamAV project identified and delivered a signature within two hours of the viruses' propagation. This is a 6th place ranking out of 23 antivirus vendors, including well known desktop vendors like Symantec®, McAfee, and CA. Av-test.org reported that it took some UTM vendors eight hours on average to identify and provide a signature for these same Bagle variants.

Q: Which IPS engine and attack signatures are being used?
A:
WatchGuard has developed a proprietary, next-generation in-line scanning engine that works in tight conjunction with the Intelligent Layered Security (ILS) engine of the Firebox X. Gateway AV/IPS uses a well-vetted signature set from Endeavor Security, a proven IPS technology vendor, as well as unique attack signatures developed by WatchGuard's Threat Defense Center.

Q: Which Firebox® platforms support Gateway AV/IPS?
A:
All Firebox® X Core™ and Peak™ platforms running Fireware® or Fireware Pro, and Firebox X Edge platforms running v8.5 or later support Gateway AV/IPS.

Q: Can I use Gateway AV/IPS on a Firebox® Core™?
A:
Yes, as long as you are running Fireware or Fireware Pro appliance software.

Q: What are the major differences between Gateway AV/IPS and the older Gateway AV for E-mail service that runs on WatchGuard Firebox System (WFS)?
A:

  Feature                      Gateway AV for E-mail                 Gateway AV/IPS
  GAV Protocol Support         SMTP                                  SMTP, POP3, HTTP, FTP, IMAP*
  IPS Protocol Support         N/A                                   SMTP, POP3, HTTP, FTP, DNS
  Attachment Options           Allow, Strip                          Allow, Strip, Lock
  Attachment Size              4MB                                   4MB
  Decompression Layers         2                                     10
  Decompression Support        ZIP, BZIP, TAR, RAR, GZIP, MS CAB     ZIP, BZIP, TAR, GZIP, BZIP2, RAR, MS CAB, MD5
  Historical Reporting         No                                    Yes
  AV Signatures Database       23,000+                               23,000+
  IPS Signature Database       N/A                                   1,400+
  IM/P2P/Webmail Blocking      N/A                                   Yes
  Appliance Operating System   WFS 7.3                               Fireware, Fireware Pro, Edge v8.5+
  Spyware Sites                No                                    1,500 IP addresses

*Targeted for future releases


Gateway AV/IPS Functionality

Q: How does Gateway AV/IPS with anti-spyware handle attachments that contain malicious code?
A:
Gateway AV/IPS can handle infected attachments four ways, based on administrator preference:

  • Quarantine – Infected e-mail messages are sent to the Quarantine Server
  • Strip – The attachment is stripped and a corresponding text file is attached to the email alerting the end user that the attachment was stripped.
  • Lock – Uses a non-standard encoding utility to lock the attachment and prevent self-extraction or accidental extraction. The file can then be moved to an isolated system and unlocked by an administrator or end user (to run a cleanup utility, for example).
  • Allow – Attachments are passed through regardless of security posture.

Q: How does Gateway AV/IPS with anti-spyware handle malicious traffic and content?
A:
Content determined to be malicious, based on a matched signature, can be handled as follows:

  • Strip – If the malicious content is identified within an email attachment, that attachment can be stripped.
  • Deny – the connection containing the exploit is dropped by the Firebox.
  • Block – the connection containing the exploit is dropped and the source of that connection is placed on the dynamic blocked sites list.
  • Alert/Allow – the connection containing the exploit is allowed, but that attack/connection can be alerted on and logged for analysis.

Q: Does Gateway AV/IPS inspect email attachments for viruses?
A:
Yes. Gateway AV/IPS inspects the attachment for viruses, worms, and trojans. If an email contains multiple attachments, each will be scanned individually. If an email contains a compressed attachment, Gateway AV/IPS will decompress up to ten layers within that attachment to identify a virus within the compressed file.

Q: Will Gateway AV/IPS scan any attachment?
A:
Yes, as long as the individual attachment is not larger than the maximum size configured by the administrator, the attachment is not compressed using a type not supported by WatchGuard (see below for list of supported compression types), and the attachment is not encrypted or encoded. Gateway AV/IPS will not scan attachments larger than the maximum size configured in the SMTP proxy settings (“unlimited” is an available setting as well). SMTP attachment settings take priority over Gateway AV settings.

If an email attachment cannot be scanned, the administrator can either have that attachment stripped, or have it sent through to the end user. In either situation, the end user will be notified as to the action taken on the attachment and that action will be logged.

Q: What information is logged, displayed, and reported for Gateway AV/IPS?
A:
Information available in the log file and reports includes:

  • The attachment disposition: clean, containing a virus, or error
  • The action taken: allowed, stripped due to virus, quarantined, stripped due to configuration, blocked, denied, locked
  • The traffic/content/email source and destination information
  • Gateway AV/IPS status: enabled or disabled
  • License expiration date
  • Date/time of last signature query
  • Number of signatures in database

Information available in the Firebox System Manager > Security Services status page includes:

  • Number of files scanned
  • Number of viruses found
  • Date/time of last signature update
  • Signature database versions
  • Engine versions
  • Spyware activity

Q: Is there a file size (decompressed) limitation for Gateway AV scanning?
A:
No, although the administrator may configure a file size limit if desired.

Q: How many levels of decompression do we provide?
A:
The default is three. Gateway AV/IPS can scan up to ten levels.

Q: What compression types are supported?
A:
ZIP, GZIP, BZIP, TAR, BZIP2, MS CAB, MD5
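The scan-gating rules above (size limit, supported compression types, no encrypted or encoded content, configured decompression depth with a ceiling of ten) and the attachment dispositions and log fields from the earlier answers can be expressed as one decision routine. The following is an added illustrative model, not WatchGuard code; the class names, field names, and the `infected` verdict argument are assumptions chosen for the example.

```python
# Added illustrative model of the attachment-scan gating and dispositions the
# FAQ describes. Not WatchGuard code; class and field names are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional

# Compression types the FAQ lists as supported, and the decompression ceiling.
SUPPORTED_COMPRESSION = {"ZIP", "GZIP", "BZIP", "TAR", "BZIP2", "MS CAB", "MD5"}
MAX_DECOMPRESSION_LEVELS = 10
DEFAULT_DECOMPRESSION_LEVELS = 3

# Maps the administrator's infected-attachment preference to the logged action.
INFECTED_ACTIONS = {
    "quarantine": "quarantined",
    "strip": "stripped due to virus",
    "lock": "locked",
    "allow": "allowed",
}

@dataclass
class Attachment:
    name: str
    size_bytes: int
    compression: Optional[str] = None          # None: not an archive
    encrypted: bool = False                    # encrypted or encoded content
    nested: List["Attachment"] = field(default_factory=list)

@dataclass
class Config:
    max_size: Optional[int] = None             # None: the "unlimited" setting
    decompression_levels: int = DEFAULT_DECOMPRESSION_LEVELS
    unscannable_action: str = "strip"          # "strip" or "allow"
    infected_action: str = "quarantine"        # a key of INFECTED_ACTIONS

def can_scan(att, cfg, depth=0):
    """Return (scannable, reason) for the conditions the FAQ names: size limit,
    supported compression, not encrypted, and the configured decompression depth."""
    if cfg.max_size is not None and att.size_bytes > cfg.max_size:
        return False, "larger than configured maximum size"
    if att.encrypted:
        return False, "encrypted or encoded attachment"
    if att.compression is not None:
        if att.compression.upper() not in SUPPORTED_COMPRESSION:
            return False, "unsupported compression type: " + att.compression
        # Opening this archive is decompression layer depth + 1; never exceed ten.
        if depth + 1 > min(cfg.decompression_levels, MAX_DECOMPRESSION_LEVELS):
            return False, "nested deeper than configured decompression levels"
        for inner in att.nested:
            ok, why = can_scan(inner, cfg, depth + 1)
            if not ok:
                return False, why
    return True, "scannable"

def disposition(att, cfg, infected):
    """Produce a log record carrying the disposition and action fields the FAQ
    lists. `infected` stands in for the signature engine's verdict."""
    ok, why = can_scan(att, cfg)
    if not ok:
        # Unscannable: admin chooses strip or pass-through; user notified, action logged.
        action = "stripped due to configuration" if cfg.unscannable_action == "strip" else "allowed"
        return {"attachment": att.name, "disposition": "error", "action": action,
                "reason": why, "notify_user": True}
    if infected:
        return {"attachment": att.name, "disposition": "virus",
                "action": INFECTED_ACTIONS[cfg.infected_action],
                "reason": "signature match", "notify_user": cfg.infected_action == "strip"}
    return {"attachment": att.name, "disposition": "clean", "action": "allowed",
            "reason": "no signature match", "notify_user": False}
```

Note that a four-deep archive is refused under the default of three levels even though the engine can open ten; raising `decompression_levels` beyond ten has no effect.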

Q: Is there a limit to the number of SMTP or HTTP proxies in Fireware or Fireware Pro when Gateway AV/IPS is enabled?
A:
The maximum number of concurrent proxy sessions is 3,000 (Core) and 6,000 (Peak), shared across all proxy services. Gateway AV/IPS does not affect these sessions. These maximum numbers are not hard-coded; rather they are bound only to available space on the appliance.

Q: Can I enable/disable individual IPS signatures?
A:
Yes, a user can view and disable/enable signatures by severity, protocol, and attack category – or by individual signature. This includes IPS, spyware, IM, and P2P signatures.

Q: Which IM/P2P services can be blocked?
A:
On the Firebox X Core and Firebox X Peak, Gateway AV/IPS can block the following:

  • IM – MSN Messenger, Yahoo IM, AIM, and IRC
  • P2P – Napster, GNUTella, Kazaa, Morpheus, BitTorrent, eDonkey2000, and Phatbot

We expect to offer additional IM/P2P signatures in the future for even more comprehensive blocking capabilities.

Q: Can the IM/P2P services be individually blocked?
A:
Not at this time. There is an increasing number of attacks leveraging IM and P2P applications, including SPIM (Spam on IM), spyware, backdoors, and adware, causing an increasing amount of network traffic and attack exposure. Unless organizations use secure IM services – such as OmniPod, for instance – neither IM nor P2P applications should be permitted between the network and outside sources.

Q: Can I add my own IPS signatures?
A:
No. New, vetted signatures will be automatically delivered to your Firebox X based on how you configure your signature auto-updates.

Q: What should a customer do if he/she is receiving false positives on a particular signature or set of signatures?
A:
Customers should contact Customer Care to first ensure they have their Firebox X properly configured for their environment. If there is an issue with a signature, this will be reported directly to the Threat Defense Center for analysis. If a signature is found to cause issues for multiple customers, tuning or deletion of that signature will occur, and the update will take effect with the next automated signature-update process.

Q: How often will new IPS signatures be made available by WatchGuard?
A:
Signatures for the Intrusion Prevention Service will be made available to customers within 15 minutes of publishing of the signature. We expect to generally add new signatures on a bi-weekly basis, but this will be dependent on how often new exploits are published. Microsoft publishes their vulnerabilities on a monthly basis, and exploits leveraging these vulnerabilities are created on an ongoing basis. We expect to publish new signatures for high severity attacks within three to five days of the vulnerability/attack publishing.

Q: How often will I receive updates to the Gateway AV/IPS signature databases?
A:
WatchGuard updates the Threat Defense System with new virus definitions in real time. As soon as WatchGuard's Threat Defense Center has posted a new set of signatures, our signature server will publish them to WatchGuard customers.

Based on the Gateway AV/IPS setting, customers can query for new signatures on a 15-minute interval. The default polling interval is two hours. WatchGuard recommends one to two queries per day. Customers can also do a real-time IPS signature download using the “update now” button in the Firebox System Manager to get signatures.

Q: How does WatchGuard's Gateway AV/IPS sustain low false positives?
A:
Because we apply signatures to a specific portion of a stream (HTTP, SMTP, FTP, etc.), we are less prone to false positives than solutions that don't proxy the traffic. Additionally, the Threat Defense Center has vetted – tested, qualified, and classified – each IPS signature to increase efficacy. Finally, certain signatures which are rendered redundant by the inherent capabilities of WatchGuard’s application proxy technology are removed.


High Availability

Q: Can Gateway AV/IPS be configured to support a High Availability pair?
A:
Yes, Gateway AV/IPS will support a High Availability pair. Each license will need to be configured, managed, and updated separately to ensure maximum protection.

Q: Do I have to purchase an additional Gateway AV/IPS subscription license for both appliances in the High Availability pair?
A:
No. If the primary unit has active licenses for additional Gateway AV/IPS subscriptions, the standby unit will be provided with corresponding licenses for each like service. The LiveSecurity® Service subscription must be active on each device to receive these licenses.


Licensing

Q: How is Gateway AntiVirus/IPS delivered?
A:
You purchase a license key, and activate the key on the LiveSecurity site. LiveSecurity returns a different type of key, called a Feature Key, which you enter in the appliance UI (Policy Manager for Firebox X Core and Peak; or the Edge Web Manager). Your Gateway AV/IPS subscription will be enabled immediately. This process is the same for all Firebox X security subscriptions.

Q: Will the Firebox need to reboot with each signature update?
A:
No, once the Firebox downloads new signatures, these signatures will be enabled automatically.

Q: How large is an average signature update?
A:
The entire Gateway AV signature database is approximately 1.2MB in size. The database is updated incrementally, so average download size will range from 10K to 200K. Full database downloads will occur every three to four weeks, depending on how many new signatures have been added.

The IPS signature database is approximately 500K. This database is updated in its entirety to allow for tuning, removal, and the addition of individual signatures by our Threat Defense Center.

Q: How do I know if my Gateway AV/IPS service has expired?
A:
If you make a configuration change during the expiration period, WatchGuard System Manager or the Edge Web Manager will notify you that the service is expired and offer to remove the service option. To renew, purchase a renewal key from your reseller and activate it as described above.


Purchasing Gateway AV/IPS

Q: Do I have to purchase Gateway AV/IPS separately?
A:
Gateway AV/IPS may be purchased a la carte, or as part of the UTM Bundle or UTM Security Suite.

Q: Do I have to buy Gateway AV separately from IPS?
A:
No, Gateway AV/IPS is a single, combined security subscription.

Q: Can I buy Gateway AV/IPS at any time?
A:
Yes, as long as you meet the system requirements for using Gateway AV/IPS. These include:

  • Firebox X Core, Peak, and Edge appliances that have been registered through LiveSecurity. Legacy Edge (pre e-Series) may not run Gateway AV/IPS.

Q: What is the price for Gateway AV/IPS?
A:
Gateway AV/IPS is priced on a per-appliance basis. 12-month initial subscriptions and subsequent 12-month renewal subscriptions are available.

Please contact your reseller or call WatchGuard sales at 800.734.9905 or 206.613.0895 for exact pricing.

Q: What is included with a subscription?
A:
A 12-month subscription and subsequent yearly renewals include regular signature updates from WatchGuard, software updates, and documentation.

Q: Can I try Gateway AV/IPS before I buy it?
A:
Yes. A 30-day trial is available for:

  • Firebox X Peak appliances
  • Firebox X Core appliances running Fireware or Fireware Pro appliance software
  • Firebox X Edge e-Series appliances running v8.5 appliance software

Q: How do I upgrade from Gateway AV for E-mail to Gateway AV/IPS on my Firebox X Core?
A:
Once you purchase a Fireware Pro upgrade for your Firebox X Core appliance, you will need to register that license within LiveSecurity. Upon registration, a new Gateway AV/IPS feature key will be generated and the service can then be enabled as described earlier.

Q: If I already have a Gateway AV for E-mail subscription and want to buy and use Gateway AV/IPS, will I forfeit my remaining subscription months?
A:
No. If you have an existing Gateway AV for E-mail subscription with remaining months activated, and you purchase Fireware Pro, your Gateway AV for E-mail subscription will be transferred to a Gateway AV/IPS subscription at no cost. Your remaining Gateway AV for E-mail subscription months will be transferred as well.

Q: If I want to upgrade from one model to another model within the Firebox X Peak or Core lines, do I need to upgrade my Gateway AV/IPS license as well?
A:
No, the Gateway AV/IPS license does not need to be upgraded at that time. Once you are ready to renew the Gateway AV/IPS subscription, you will need to purchase a renewal for the current model enabled on the Firebox. For example, if you upgraded to the Firebox X8500e from a Firebox X6500e, when the time came to renew Gateway AV/IPS, you would purchase and activate a Gateway AV/IPS renewal for a Firebox X8500e.


Additional Security Subscriptions from WatchGuard

Q: What other security subscriptions are available from WatchGuard?
A:
WatchGuard's suite of security subscriptions also includes:

  • WebBlocker – WatchGuard's easy-to-manage, integrated URL filtering security service—with version 10 and later, WebBlocker filters HTTPS as well as HTTP traffic.
  • spamBlocker, the industry's best service at distinguishing legitimate communication from spam in real time, blocking nearly 100% of unwanted email