Manage Items Blocked by ThreatSync
Applies To: ThreatSync
The Blocked Items page in ThreatSync shows a list of all items blocked by ThreatSync actions on eligible Fireboxes and all MAC addresses of blocked access points.
IP addresses blocked by the Firebox do not appear on the Items Blocked by ThreatSync page. To check if an incident was blocked by the Firebox, review the Automatic Response in the Threat Details section of a specific incident. For more information, go to Review Incident Details in ThreatSync.
IP addresses blocked by ThreatSync do not appear on the Firebox Blocked Sites list in Fireware or WatchGuard Cloud.
Blocked Items by Fireboxes
The Items Blocked by ThreatSync page shows these details on the Firebox tab:
- Blocked Item — The IP address or domain blocked by manual action or by an automation policy.
- Item Type — The type of item blocked.
- Blocked By — The user name or automation policy name that blocked the item.
- Time Stamp — The date and time the item was blocked.
IP addresses blocked in ThreatSync+ NDR show on the Firebox tab of the Items Blocked by ThreatSync page. For more information, go to All IP Addresses.
If ThreatSync blocks critical IP addresses, you can add the IP addresses to the Blocked Sites Exception list on your Firebox. When you add a site to the Blocked Sites Exception list, traffic from that site is not blocked. For more information, go to Create Blocked Sites Exceptions.
Automatically Remove Blocked IP Addresses
After an issue is resolved, remove blocked IP addresses from the Items Blocked by ThreatSync list to restore access for legitimate users and prevent network traffic disruptions. By default, ThreatSync automatically removes blocked IP addresses from the Items Blocked by ThreatSync list after 1 year. You can configure when ThreatSync automatically removes blocked IP addresses from the list.
This setting is configurable as of 10 July 2025. WatchGuard will start to remove expired IP addresses on 28 August 2025.
To configure when ThreatSync automatically removes blocked IP addresses from the Items Blocked by ThreatSync list:
- Log in to your WatchGuard Cloud account.
- For Service Provider accounts, from Account Manager, select My Account.
- Select Configure > ThreatSync > Blocked Items.
The Items Blocked by ThreatSync page opens.
- Select the Firebox tab.
- From the Remove blocked IP addresses after drop-down list, select one of these options:
  - 30 days
  - 2 months
  - 4 months
  - 6 months
  - 1 year
Unblock an Item
As you review incident details and monitor threats, you might decide to unblock one or more items that were blocked by a ThreatSync automation policy or manual response to an incident.
Your operator role determines what you can see and do in WatchGuard Cloud. Your role must have the ThreatSync Core permission to view or configure this feature. For more information, go to Manage WatchGuard Cloud Operators and Roles.
To unblock items that are blocked by eligible Fireboxes:
- Log in to your WatchGuard Cloud account.
- For Service Provider accounts, from Account Manager, select My Account.
- Select Configure > ThreatSync > Blocked Items.
The Items Blocked by ThreatSync page opens.
- Select the Firebox tab.
- Select one or more blocked items.
- Click Unblock.
All eligible Fireboxes no longer block traffic to and from the selected IP addresses.
Refresh List of Blocked Items
To refresh the list of items blocked by ThreatSync, click the refresh icon.
Download List of Blocked Items
To download a list of items blocked by ThreatSync in comma-separated value (CSV) format, click the download icon.
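The following is an added example, not WatchGuard code: it audits a downloaded blocked-items CSV for blocked IP addresses that fall in your critical networks (candidates for a Blocked Sites Exception) and for blocks that are close to automatic removal. It assumes the CSV columns match the Firebox tab fields listed above, that time stamps are ISO 8601, and that a month is 30 days; the sample rows are constructed.

```python
import csv
import io
import ipaddress
from datetime import datetime, timedelta

# Retention options from the drop-down list; month lengths are an approximation.
RETENTION_DAYS = {"30 days": 30, "2 months": 60, "4 months": 120,
                  "6 months": 180, "1 year": 365}

# Constructed sample export. Column names are assumed to match the Firebox tab.
SAMPLE_CSV = """Blocked Item,Item Type,Blocked By,Time Stamp
203.0.113.10,IP,Example automation policy,2025-01-05T08:00:00
198.51.100.7,IP,operator@example.com,2025-06-20T12:30:00
bad.example.net,Domain,Example automation policy,2025-06-01T09:15:00
"""

def audit_blocked_items(csv_text, retention, now, critical_networks, warn_days=14):
    """Return (critical, expiring) for the blocked IP addresses in an export.

    critical: blocked IPs inside any of critical_networks.
    expiring: (ip, days_left) for IPs due for automatic removal within
              warn_days; a negative days_left means retention has passed.
    """
    keep = timedelta(days=RETENTION_DAYS[retention])
    nets = [ipaddress.ip_network(n) for n in critical_networks]
    critical, expiring = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        item = row["Blocked Item"].strip()
        try:
            addr = ipaddress.ip_address(item)
        except ValueError:
            continue  # not an IP (for example a domain); removal applies to IPs
        if any(addr in net for net in nets):
            critical.append(item)
        blocked_at = datetime.fromisoformat(row["Time Stamp"].strip())
        days_left = (blocked_at + keep - now).days
        if days_left <= warn_days:
            expiring.append((item, days_left))
    return critical, expiring

if __name__ == "__main__":
    crit, exp = audit_blocked_items(SAMPLE_CSV, "6 months",
                                    datetime(2025, 7, 1), ["198.51.100.0/24"])
    print("Blocked critical IPs:", crit)
    print("Due for automatic removal soon:", exp)
```

Review the expiring entries before the removal date so you can decide whether the underlying incident is resolved or the block is still needed.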
Blocked MAC Addresses of Access Points
The Items Blocked by ThreatSync page shows these details on the Access Point tab:
- Blocked MAC Addresses — The access point MAC address blocked by manual action or by an automation policy. Wireless client connections to these access points are blocked.
- Threat Type — The detected threat type of the access point. For example:
  - Malicious Access Point - Rogue Access Point
  - Malicious Access Point - Suspected Rogue Access Point
  - Malicious Access Point - Evil Twin
- Blocked By — The user name or automation policy name that blocked wireless client connections to the access point.
- Time Stamp — The date and time the access point MAC address was blocked.
Unblock an Access Point MAC Address
As you review incident details and monitor threats, you might decide to unblock one or more access points that were blocked by a ThreatSync automation policy, or blocked by manual response to an incident.
Caution: Make sure that you identify the access point you want to unblock. If this is a malicious access point, your wireless clients will be able to connect to the threat device and communicate vulnerable data after you unblock the device.
To unblock an access point MAC address from the Items Blocked by ThreatSync page:
- Log in to your WatchGuard Cloud account.
- For Service Provider accounts, from Account Manager, select My Account.
- Select Configure > ThreatSync > Blocked Items.
The Items Blocked by ThreatSync page opens.
- Select the Access Point tab.
- Select one or more blocked access point MAC addresses.
- Click Unblock.
All selected access points are no longer blocked.
Refresh List of Blocked Access Points
To refresh the list of blocked access point MAC addresses, click the refresh icon.
Download List of Blocked Access Points
To download a list of blocked access point MAC addresses in comma-separated value (CSV) format, click the download icon.