Configure APT Blocker
You can use APT Blocker in addition to Gateway AntiVirus to provide protection against advanced malware techniques that exploit zero-day vulnerabilities and evade traditional signature-based scanning.
APT Blocker uses the same scan process as Gateway AntiVirus. You must enable Gateway AntiVirus before you can enable APT Blocker for a proxy.
To use APT Blocker, you must have a feature key that enables the service.
For more information, see:
APT Blocker and NTP
When you use APT Blocker, WatchGuard recommends that you enable NTP to make sure the time is synchronized with the Lastline data center. For more information on how to enable and configure NTP, see Enable NTP and Configure NTP Servers.
APT Blocker and IPv6
In Fireware v11.12 and higher, Fireware supports IPv6 for proxy policies and subscription services. APT Blocker uses IPv4 to connect to the Lastline server. If your Firebox is configured for IPv6, you must configure the external interface with both an IPv4 address and an IPv6 address.
Enable APT Blocker and Configure APT Blocker Actions
When you configure APT Blocker, you specify the action that APT Blocker takes for each threat level. Options include:
Allows and delivers the file or email attachment to the recipient.
- HTTP and FTP — Drops the connection immediately. The Firebox does not give any error messages to the sending server.
- SMTP and POP3 — If you use the drop action with the SMTP-proxy or POP3-proxy, the attachment is stripped before the message is delivered to the recipient.
- HTTP and FTP — Drops the connection, and the sender or source address is added to the Blocked Sites list for 20 minutes.
- SMTP and POP3 — If you use the block action with the SMTP-proxy or POP3-proxy, the attachment is stripped before the message is delivered to the recipient. The sender or source address is added to the Blocked Sites list for 20 minutes.
Quarantine (SMTP only)
When you use the SMTP-proxy with APT Blocker, you can send email messages to the Quarantine Server. The SMTP-proxy removes the part of the message that triggered APT Blocker and sends the modified message to the recipient. The removed part of the message is replaced with the deny message that is configured in the proxy action settings. If the Quarantine Server cannot be contacted, the message is temporarily rejected.
For more information on the Quarantine Server, see About the Quarantine Server.
For the HTTP-proxy and FTP-proxy, the quarantine action is converted to a Drop action. For the POP3-proxy, the quarantine action is converted to a Strip action.
To enable APT Blocker:
- Select Subscription Services > APT Blocker.
APT Blocker configuration in Fireware Web UI
APT Blocker configuration in Policy Manager
- Select the Enable APT Blocker check box.
- For each threat level, select the action. Available actions are:
- To send a log message for an APT Blocker action, select the Log check box.
- To trigger an alarm for an APT Blocker action, select the Alarm check box.
Click the Notification Settings button to configure the types of alarm notifications you want to receive.
- Click OK.
Configure Other APT Blocker Settings
In the Policies section, you can disable or enable APT Blocker for each policy in your configuration. For more information, see Enable or Disable APT Blocker for a Proxy Policy.
To disable or enable APT Blocker for each policy, select the Policies tab. For more information, see Enable or Disable APT Blocker for a Proxy Policy
To send APT Blocker requests to a region-specific or local on-premise server, select the Advanced tab. For more information, see Configure APT Blocker Server Settings.
To monitor APT Blocker activity, configure logging for APT Blocker, and view APT Blocker Dimension reports, see Monitor APT Blocker Activity.
To configure notification settings for APT Blocker, click Notification Settings. For more information, see Set Logging and Notification Preferences.