Configure Reputation Enabled Defense
When used with Gateway AntiVirus, Reputation Enabled Defense (RED) can increase the security and performance of HTTP proxy policies.
If you enable Reputation Enabled Defense for an HTTP proxy policy that also has Gateway AntiVirus enabled, Reputation Enabled Defense can improve overall performance, because the HTTP proxy skips the Gateway AV scan for sites with a known good or bad reputation.
If you enable Reputation Enabled Defense for an HTTP proxy policy that does not have Gateway AntiVirus enabled, the HTTP proxy still does a reputation score lookup for each URL, and blocks sites that have a bad reputation. But because no Gateway AV scan is avoided, there is no performance benefit, and HTTP proxy performance could be slower than it would be with Reputation Enabled Defense disabled.
For best effectiveness and performance, we recommend that you enable Reputation Enabled Defense, Gateway AntiVirus, and APT Blocker in your HTTP proxy policy.
In Fireware OS v11.10.2 and higher, APT Blocker always scans files even if Gateway AntiVirus scanning is bypassed because of a good reputation.
Before You Begin
The Firebox sends reputation queries over UDP port 10108. Make sure this port is open between your Firebox and the Internet.
Before you can configure Reputation Enabled Defense for the HTTP proxy policy, you must configure the policy to use a user-defined proxy action. To create a user-defined proxy action, you can clone the default (predefined) proxy action, and then apply that to your proxy policy.
To find the proxy action your policy uses:
- Select Firewall > Firewall Policies.
- Select the proxy policy, and from the Action menu, select Edit Policy.
The Policy Configuration page appears.
- Select the Proxy Action tab.
The Proxy Action for the policy appears at the top.
- Verify whether the proxy action is a predefined or user-defined proxy action.
For more information about proxy actions, see About Proxy Actions.
If the proxy policy uses a predefined proxy action, you must clone the proxy action before you can enable subscription services for the proxy policy. You can clone the proxy action in the Proxy Action tab when you edit the proxy policy.
- From the Proxy Action drop-down list, select Clone the current proxy action.
- Type a new name for the cloned proxy action, or use the default name.
- Edit the proxy action.
For more information, see About Proxy Actions.
- Click Save.
Enable Reputation Enabled Defense
To enable Reputation Enabled Defense, from Fireware Web UI:
- Select Subscription Services > Reputation Enabled Defense.
The Reputation Enabled Defense configuration page appears with a list of HTTP proxy actions.
- Select a user-defined HTTP proxy action. Click Configure. You cannot configure Reputation Enabled Defense settings for predefined proxy actions.
The Reputation Enabled Defense configuration settings for that proxy action appear.
- Select the Immediately block URLs that have a bad reputation check box to block access to sites that score higher than the configured Bad reputation threshold.
- Select the Bypass any configured virus scanning for URLs that have a good reputation check box to have Gateway AntiVirus not scan sites that have a score lower than the configured Good reputation threshold.
- To trigger an alarm for an action, select the Alarm check box for that RED action. To disable the alarm, clear the Alarm check box for that action.
- To record log messages for an action, select the Log check box for that RED action. If you do not want to record log messages for a RED response, clear the Log check box for that action.
To enable Reputation Enabled Defense, from Policy Manager:
- In Policy Manager, select Subscription Services > Reputation Enabled Defense.
The Reputation Enabled Defense dialog box appears.
- Select the HTTP-proxy policy you want to enable RED for and click Enable. You must configure at least one HTTP proxy policy to use RED.
The Reputation Enabled Defense status changes to Enabled.
- Click Configure.
The Reputation Enabled Defense settings for that policy appear.
If you want a Reputation Enabled Defense action to appear in reports you generate from WatchGuard Log and Report Manager, make sure that you:
- Select the Log check box for the Reputation Enabled Defense action.
- Select the Enable logging for reports check box in the General settings of the HTTP proxy action.
Configure the Reputation Thresholds
You can change the reputation thresholds in the Advanced settings.
- Click Advanced in the Reputation Enabled Defense configuration settings.
The Advanced Settings dialog box appears.
Reputation Advanced settings in Fireware Web UI
Reputation Advanced settings in Policy Manager
- In the Bad reputation threshold text box, type or select the threshold score for bad reputation.
The proxy can block access to sites with a reputation higher than this threshold.
- In the Good reputation threshold text box, type or select the threshold score for good reputation.
The proxy can bypass a Gateway AntiVirus scan for sites with a reputation score lower than this threshold.
- Click Restore Defaults if you want to reset the reputation thresholds to the default values.
- Click OK.
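The block and bypass rules described above, modelled as an added Python example (not WatchGuard code). The class and function names are hypothetical, the thresholds 90 and 10 and the scores are constructed sample values, and the good-below-bad check is a sanity check assumed here rather than documented Firebox behaviour.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RedSettings:
    """Hypothetical model of one HTTP proxy action's RED settings."""
    bad_threshold: int        # Bad reputation threshold
    good_threshold: int       # Good reputation threshold
    block_bad: bool = True    # "Immediately block URLs that have a bad reputation"
    bypass_good: bool = True  # "Bypass any configured virus scanning for URLs ..."
    gateway_av: bool = True   # Gateway AntiVirus enabled in the proxy action
    apt_blocker: bool = True  # APT Blocker enabled in the proxy action

    def __post_init__(self):
        # Assumed sanity check: a score must not count as good and bad at once.
        if self.good_threshold >= self.bad_threshold:
            raise ValueError("good threshold must be lower than bad threshold")


def red_decision(score, s):
    """Return (action, scans_run) for the reputation score of one URL."""
    if s.block_bad and score > s.bad_threshold:
        return ("block", [])              # blocked before any scan
    bypass = s.bypass_good and score < s.good_threshold
    scans = []
    if s.gateway_av and not bypass:
        scans.append("gateway_av")
    if s.apt_blocker:
        scans.append("apt_blocker")       # v11.10.2+: runs even when GAV is bypassed
    return ("allow", scans)


def scans_avoided(scores, s):
    """Count Gateway AV scans that RED saved across a list of scores."""
    if not s.gateway_av:
        return 0                          # nothing to skip: lookups only add cost
    return sum("gateway_av" not in red_decision(x, s)[1] for x in scores)


if __name__ == "__main__":
    settings = RedSettings(bad_threshold=90, good_threshold=10)  # constructed values
    for score in (5, 10, 50, 90, 95):     # constructed sample scores
        print(score, red_decision(score, settings))
    print("GAV scans avoided:", scans_avoided([5, 50, 95], settings))
```

A score equal to either threshold is neither blocked nor bypassed, because the page's rules are strictly "higher than" and "lower than".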
You can also configure Reputation Enabled Defense from the Policy Manager Edit Policy Properties dialog box:
- Double-click on the policy.
- Select the Policy tab.
- Adjacent to the Proxy action drop-down list, click .
- Select Reputation Enabled Defense from the Categories list.
Configure Alarm Notification for RED Actions
An alarm is a mechanism to tell users when a proxy rule applies to network traffic. If you enable alarms for a proxy action, you must also configure the type of alarm to use in the proxy policy.
To configure the alarm type to use for an HTTP proxy policy, from Policy Manager:
- Double-click the policy.
- Select the Properties tab.
- Click .
- Select the Proxy and AV Alarms category.
- Configure the Proxy/AV Alarms settings as described in Set Logging and Notification Preferences.