Default Threat Protection in WatchGuard Cloud

Applies To: Cloud-managed Fireboxes

Default Threat Protection is the first line of defense, and takes precedence over the policy rules and other services you configure on your cloud-managed Firebox. The Firebox processes all components of Default Threat Protection before any configured policies and services.

Default Threat Protection has three components:

Default Packet Handling

When your cloud-managed Firebox receives a packet, it examines the IP address and port number of the packet source and destination. The device monitors the packets to identify patterns that can show your network is at risk. This process is called default packet handling.

You cannot change the default packet handling settings for a cloud-managed Firebox in WatchGuard Cloud.

To make sure that default packet handling does not affect traffic from your email server or any other server that has a high volume of traffic, add a Blocked Sites exception for the server. For more information, go to Add Exceptions in WatchGuard Cloud.

Default packet handling takes these actions:

  • Rejects packets that could be a security risk, such as packets that could be part of a spoofing attack or SYN flood attack.
  • Blocks all traffic to and from dangerous IP addresses.
  • Throttles Distributed Denial-of-Service attacks.
  • Generates log messages for events.
  • Blocks or drops traffic for dangerous activities:
    • Drop — For most types of attack, the Firebox drops the connection but does not add the site to the Blocked Sites list.
    • Block — For Port Scans and IP Scans, the Firebox drops the connection and adds the source IP address to the Blocked Sites list. For more information about sites that the Firebox automatically adds to the Blocked Sites list, go to Automatically Blocked Sites.

Automatically Blocked Sites

Automatically blocked sites are a type of temporary blocked site that the Firebox adds when traffic matches the pattern of a well-known network attack. When default packet handling automatically blocks traffic, the source of that traffic is temporarily added to the Blocked Sites list. Sites that the Firebox automatically blocks stay on the Blocked Sites list for a default of 20 minutes. If that blocked site sends any additional traffic in the 20-minute period, the timer resets.

You can remove a temporary blocked site from the Live Status > Blocked Sites page. For more information, go to Monitor and Manage Blocked Sites on Fireboxes in WatchGuard Cloud.

Unhandled Packets

An unhandled packet is a packet that does not match any configured firewall policy. By default, the Firebox denies all unhandled packets and generates a log message.

This is an example of a log message for a denied unhandled packet:

2022-09-29 09:41:30 Deny 192.0.2.99 203.0.113.250 9007/tcp 31069 9007 External1 Firebox Denied 52 51 (Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 8 S 2192251295 win 65535"

The Firebox does not automatically block the source of unhandled packets by default.
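Because the Firebox logs unhandled packets but does not block their source, those denials are worth watching. The following Python is an added example (not WatchGuard code) that parses log lines in the format of the sample above and reports source addresses that hit several different unhandled ports; the field layout is an assumption inferred from that one sample line, and the additional log lines are constructed.

```python
import re
from collections import defaultdict

# Field layout of a Firebox traffic log line, inferred from the single sample
# on this page (an assumption, not an official WatchGuard schema).
_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<service>\d+/\w+) (?P<sport>\d+) (?P<dport>\d+) "
    r"(?P<in_if>\S+) (?P<out_if>\S+) (?P<disp>\S+) (?P<length>\d+) (?P<ttl>\d+) "
    r"\((?P<policy>[^)]*)\)(?P<kv>.*)$"
)
_KV = re.compile(r'(\w+)="([^"]*)"')  # trailing key="value" pairs

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "length", "ttl"):
        rec[key] = int(rec[key])
    rec.update(_KV.findall(rec.pop("kv")))  # proc_id, rc, msg_id, tcp_info, ...
    return rec

def unhandled_sources(lines, min_ports=3):
    """Group denied 'Unhandled ... Packet' events by source IP and return the
    sources that touched at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "Deny" and rec["policy"].startswith("Unhandled"):
            ports[rec["src"]].add(rec["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}

# Constructed sample: the page's line plus three invented follow-up events.
SAMPLE_LOG = """\
2022-09-29 09:41:30 Deny 192.0.2.99 203.0.113.250 9007/tcp 31069 9007 External1 Firebox Denied 52 51 (Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 8 S 2192251295 win 65535"
2022-09-29 09:41:31 Deny 192.0.2.99 203.0.113.250 9008/tcp 31070 9008 External1 Firebox Denied 52 51 (Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 8 S 2192251296 win 65535"
2022-09-29 09:41:32 Deny 192.0.2.99 203.0.113.250 9009/tcp 31071 9009 External1 Firebox Denied 52 51 (Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 8 S 2192251297 win 65535"
2022-09-29 09:41:33 Deny 198.51.100.7 203.0.113.250 8080/tcp 40001 8080 External1 Firebox Denied 52 51 (Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 8 S 2192251298 win 65535"
"""

if __name__ == "__main__":
    for src, dports in unhandled_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{src} probed unhandled ports {dports}")
```

Sources that trip the threshold are candidates for a manual Blocked Sites entry, which the Firebox keeps across reboots, unlike automatically blocked sites.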

Manually Blocked Sites

A blocked site is an IP address that cannot make a connection through the Firebox, regardless of the configured policies. You can configure the Firebox to block specific sites you know, or think, are a security risk. To make sure the Firebox always blocks a site, you can add a permanent blocked site in the Firebox configuration. For more information, go to Add Blocked Sites and Blocked Ports.

Blocked sites that you add manually are part of the configuration and are not removed when you reboot the Firebox. Sites that the Firebox automatically blocks based on default packet handling and temporarily adds to the Blocked Sites list are removed when you reboot the Firebox.

In some cases, you might not want the cloud-managed Firebox to block an IP address, URL, domain, or email address. You can add exceptions to allow access. For more information, go to Add Exceptions in WatchGuard Cloud.

Blocked Ports

By default, the Blocked Ports list includes several ports related to known threats. The Firebox denies all traffic to blocked ports on all external interfaces. You can block ports to protect your most sensitive services.

You can also manually block the ports that you know attackers might use to attack your network. From the Network Blocking page, you can add a port number to the Blocked Ports list. For more information, go to Add Blocked Sites and Blocked Ports.

Do not block standard ports such as 53, 80, and 443.

Related Topics

Monitor and Manage Blocked Sites on Fireboxes in WatchGuard Cloud

Configure Network Blocking in WatchGuard Cloud

Add Blocked Sites and Blocked Ports

Add Exceptions in WatchGuard Cloud

Add a Cloud-Managed Firebox to WatchGuard Cloud