About Blocked Sites
A blocked site is an IP address that cannot make a connection through the Firebox. You tell the Firebox to block specific sites you know, or think, are a security risk. After you find the source of suspicious traffic, you can block all connections from that IP address. You can also configure the Firebox to send a log message each time the source tries to connect to your network. From the log file, you can see the services that the sources use to launch attacks.
The Firebox denies all traffic from a blocked IP address. You can define two different types of blocked IP addresses: permanent and auto-blocked.
Permanently Blocked Sites
Network traffic from permanently blocked sites is always denied. These IP addresses are stored in the Blocked Sites list and must be added manually. For example, you can add an IP address that constantly tries to scan your network to the Blocked Sites list to prevent port scans from that site.
To block a site, see Block a Site Permanently.
Auto-Blocked Sites/Temporary Blocked Sites List
Packets from auto-blocked sites are denied for the amount of time you specify. The Firebox uses the packet handling rules specified for each policy to determine whether to block a site. For example, if you create a policy that denies all traffic on port 23 (Telnet), any IP address that tries to send Telnet traffic through that port is automatically blocked for the amount of time you specify. Each time the Firebox receives traffic of any kind from a site on the Temporary Blocked Sites list, the timer for that site is reset. The IP address is removed from the Temporary Blocked Sites list only after no traffic is received from the site for the time period specified in the Duration for Auto-Blocked Sites setting in the Blocked Sites configuration.
To automatically block sites that send denied traffic, see Block Sites Temporarily with Policy Settings.
You can also automatically block sites that are the source of packets that do not match any policy rule. For more information, see About Unhandled Packets.
You can manually add a temporary blocked site, on the Blocked Sites page in Fireware Web UI. For more information, see Blocked Sites.
Blocked Sites Exceptions
If the Firebox blocks connections to a site you believe to be safe, you can add the site to the Blocked Site Exceptions list, so that traffic from that site is not blocked.
Blocked Site Exceptions bypass all Default Packet Handling checks. Any traffic from an exception site that would normally be blocked by Default Packet Handling will not appear in the traffic logs as an attack.
For information about how to add a blocked site exception, see Create Blocked Sites Exceptions.
In Fireware v11.12.2 and higher, the Blocked Sites Exceptions list includes default exceptions for servers that WatchGuard products and subscription services must connect to. The default blocked site exceptions include:
|Products and Services||Blocked Sites Exceptions|
|All services hosted by WatchGuard||*.watchguard.com|
|WatchGuard Wi-Fi Cloud||
These exceptions allow connections through the Firebox to these sites, regardless of whether other configuration settings (for example, Geolocation Blocking), block connections to these sites.
See and Manage the Blocked Sites List
You can see a list of all sites currently on the Blocked Sites list.
From Fireware Web UI, select System Status > Blocked Sites. From the Blocked Sites page you can see the current blocked sites, and you can add, edit, or remove temporary blocked sites. For more information, see Blocked Sites.
From Firebox System Manager, select the Blocked Sites tab. From the Blocked Sites tab you can see the current blocked sites, and you can add, edit, or remove temporary blocked sites. For more information, see Manage the Blocked Sites List (Blocked Sites)