Configure Firebox Monitoring and Remediation
Applies To: ThreatSync+ NDR
On the Firebox page in the ThreatSync+ Integrations UI, you configure which Fireboxes ThreatSync+ NDR monitors, and you enable or disable IP address remediation for Fireboxes in your account.
This page is only available with a ThreatSync+ NDR or Total NDR license. For more information, go to About ThreatSync+ NDR Licenses and About Total NDR Licenses.
Firebox Monitoring
You can select which Fireboxes you want ThreatSync+ NDR to monitor and which Fireboxes to exclude from monitoring.
The Firebox Monitoring table shows these details:
- Name — The name of the Firebox or FireCluster.
- Model — The model number of the Firebox. For example, T30 or FireboxV-SM.
- Serial Number — The serial number of the Firebox.
- Version — The version of Fireware on the Firebox.
- Monitoring Status — Shows whether the Firebox is monitored by ThreatSync+ NDR. The status can be Active, Inactive or Unsupported Version.
ThreatSync+ NDR requires Fireware v12.10.3 or higher.
To manage which Fireboxes in your network you want ThreatSync+ NDR to monitor:
- Log in to your WatchGuard Cloud Subscriber account.
- Select Configure > ThreatSync+ Integrations > Firebox.
The Firebox page opens with the Firebox Monitoring tab open by default.
- Select the Fireboxes you want ThreatSync+ NDR to monitor.
- From the Select an action drop-down list, select Activate or Deactivate. Available options depend on the existing status of the Firebox.
If you deactivate monitoring for all Fireboxes in your account, ThreatSync+ NDR does not ingest any Firebox data and a banner shows in the UI.
Firebox Remediation
Select the Firebox Remediation tab to manage Firebox remediation for Fireboxes in your account.
IP addresses blocked by ThreatSync+ NDR do not appear on the Firebox Blocked Sites list in Fireware or WatchGuard Cloud.
If ThreatSync is enabled on your account, blocked IP addresses show on the Items Blocked by ThreatSync page. For more information, go to Manage Items Blocked by ThreatSync.
When you enable IP address remediation for Fireboxes in your account, you can perform manual and automatic remediation actions.
To enable IP address remediation:
- Log in to your WatchGuard Cloud Subscriber account.
- Select Configure > ThreatSync+ Integrations > Firebox.
The Firebox page opens.
- Select the Firebox Remediation tab.
- Select Firebox Remediation.
After remediation is enabled for your Fireboxes, you can perform manual actions on specific external IP addresses on the All IP Addresses page.
The All IP Addresses page shows a list of IP addresses and whether they are blocked by Fireboxes in the account. For more information, go to All IP Addresses.
To configure a ThreatSync+ NDR policy to automatically block external IP addresses that violate a policy, select the If this policy is violated, automatically block involved external IPs check box in the Remediation section of a ThreatSync+ NDR policy.
IP address remediation blocks external IP addresses in ThreatSync+ NDR only. If you have ThreatSync enabled on your account, all remediation of incidents must be performed in the ThreatSync management UI. For more information, go to Perform Actions in ThreatSync.
For more information, go to Configure ThreatSync+ Policies.
To view IP address remediation history, go to ThreatSync+ Audit Logs.