About Blocked Sites

A blocked site is an IP address that cannot make a connection through the Firebox. You configure the Firebox to block specific sites that you know, or suspect, are a security risk. After you find the source of suspicious traffic, you can block all connections from that IP address. You can also configure the Firebox to send a log message each time the source tries to connect to your network. From the log file, you can see which services the sources use to launch attacks.

You can define two different types of blocked IP addresses: permanent and auto-blocked.

Permanently Blocked Sites

The Firebox denies connections to or from sites that are permanently blocked. These site addresses are stored in the Blocked Sites list and you must add them manually. For example, you can add an IP address that constantly tries to scan your network to the Blocked Sites list to prevent port scans from that site.

To block a site, go to Block a Site Permanently.

Auto-Blocked Sites/Temporary Blocked Sites List

Some of the features described in this section are only available to participants in the WatchGuard Beta program. If a feature described in this section is not available in your version of Fireware, it is a beta-only feature.

The Firebox denies connections from sites that are temporarily blocked for the amount of time you specify.

In Fireware v12.5.4 and higher and Fireware v11.11 and lower, the Firebox denies connections both to and from auto-blocked sites. In other Fireware versions, the Firebox denies connections from auto-blocked sites, but does not block connections to auto-blocked sites.

The Firebox uses the packet handling rules specified for each policy to determine whether to block a site. For example, if you create a policy that denies all traffic on port 23 (Telnet), any IP address that tries to send Telnet traffic through that port is automatically blocked for the amount of time you specify. Each time the Firebox receives a connection of any kind from a site on the Temporary Blocked Sites list, the timer for that site is reset. The IP address is removed from the Temporary Blocked Sites list only after no traffic is received from the site for the time period specified in the Duration for Auto-Blocked Sites setting in the Blocked Sites configuration.

To automatically block connections from sites that send denied traffic, go to Block Sites Temporarily with Policy Settings.

You can also automatically block sites that are the source of packets that do not match any policy rule. For more information, go to About Unhandled Packets.

You can manually add a temporary blocked site on the Blocked Sites page in Fireware Web UI. For more information, go to Blocked Sites.

In Fireware v12.10.4 and higher, to help prevent brute force attacks against the login pages of a locally-managed Firebox, you can enable the Block IP Addresses with Consecutive Failed Logins feature. This feature temporarily blocks an IP address that makes consecutive failed login attempts to the login pages on a locally-managed Firebox. For more information, go to Set Global Firewall Authentication Values.

Blocked Sites Exceptions

If the Firebox blocks connections to a site you believe to be safe, you can add the site to the Blocked Site Exceptions list, so that traffic from that site is not blocked.

Blocked Site Exceptions bypass all Default Packet Handling checks except spoofing and IP source route attacks. Any traffic from an exception site that would normally be blocked by Default Packet Handling will not appear in the traffic logs as an attack. In Fireware v12.5.6/12.6.3 or higher, traffic that would normally be blocked by Flood Attack protection does appear in the traffic logs as a flood attack from an exception site.

When you add a site to any one of the Botnet Detection Exceptions, Geolocation Exceptions, or Blocked Sites Exceptions lists, the site is not blocked by any of these services or Default Packet Handling.

For example, if you add www.example.com to the Geolocation Exceptions list, then Botnet Detection, Blocked Sites, and Default Packet Handling also do not block the site. If you already added a site to one exception list, you might see an error if you try to add the site to an exception list for another service.

For information about how to add a blocked site exception, go to Create Blocked Sites Exceptions.
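As an added illustration (not WatchGuard's code), the following Python models the auto-block behaviour described above: a site is added when a policy denies its traffic, any connection from a blocked site resets its timer, the entry expires only after the configured Duration for Auto-Blocked Sites passes with no traffic, permanent entries are always dropped, and exception entries are never blocked. The IP addresses, the 600-second duration and the event log are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class BlockedSites:
    """Constructed model of the Blocked Sites list; not the Firebox implementation."""
    duration: int                                # Duration for Auto-Blocked Sites (seconds)
    permanent: set = field(default_factory=set)  # manually added, never expire
    exceptions: set = field(default_factory=set) # Blocked Sites Exceptions, never blocked
    auto: dict = field(default_factory=dict)     # ip -> time of last contact

    def _expire(self, now):
        # Drop auto-blocked sites that have been idle for the full duration.
        for ip, last in list(self.auto.items()):
            if now - last >= self.duration:
                del self.auto[ip]

    def is_blocked(self, ip, now):
        """Report list membership at time `now` without touching the timer."""
        self._expire(now)
        if ip in self.exceptions:
            return False
        return ip in self.permanent or ip in self.auto

    def connection(self, ip, now, denied_by_policy):
        """Handle one connection attempt; return True if the Firebox drops it."""
        self._expire(now)
        if ip in self.exceptions:
            return False
        if ip in self.permanent:
            return True
        if ip in self.auto:
            # Any traffic from a temporarily blocked site resets its timer.
            self.auto[ip] = now
            return True
        if denied_by_policy:
            # The policy's packet handling setting auto-blocks the source.
            self.auto[ip] = now
            return True
        return False


def demo_trace(duration=600):
    """Replay a constructed event log of (seconds, source IP, denied by policy?)."""
    bs = BlockedSites(duration=duration, permanent={"203.0.113.9"})
    events = [(5, "203.0.113.9", False),      # permanent entry: always dropped
              (0, "198.51.100.7", True),      # denied by policy: auto-blocked
              (300, "198.51.100.7", False),   # resets the timer
              (850, "198.51.100.7", False),   # only 550 s idle: still blocked
              (1500, "198.51.100.7", False)]  # 650 s idle: expired, allowed
    return [bs.connection(ip, t, d) for t, ip, d in events]
```

Without the timer reset, the 850-second attempt would already have been allowed; the reset is why a scanner that keeps probing stays blocked indefinitely.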

In Fireware v11.12.2 and higher, the Blocked Sites Exceptions list includes default exceptions for servers that WatchGuard products and subscription services must connect to. The default blocked site exceptions include:

Products and Services                   Blocked Sites Exceptions
All services hosted by WatchGuard       *.watchguard.com
WatchGuard Wi-Fi Cloud
                                        *.ctmail.com (for Fireware v12.1.3 and lower, Fireware v12.2.x to Fireware v12.5.3 and Panda URL filtering and anti-spam protection)
                                        *.cloudfilter.net (for Fireware v12.5.4 and higher, or Fireware v12.1.4 to Fireware v12.1.x)
APT Blocker
All services hosted by Panda Security   *.pandasecurity.com
Panda Aether Comms
Panda Patch Management                  content.ivanti.com
Panda root certificates

These exceptions allow connections through the Firebox to these sites, regardless of whether other configuration settings (for example, Geolocation) block connections to these sites.

See and Manage the Blocked Sites List

You can see a list of all sites currently on the Blocked Sites list.

From Fireware Web UI, select System Status > Blocked Sites. From the Blocked Sites page you can see the current blocked sites, and you can add, edit, or remove temporary blocked sites. For more information, go to Blocked Sites.

From Firebox System Manager, select the Blocked Sites tab. From the Blocked Sites tab you can see the current blocked sites, and you can add, edit, or remove temporary blocked sites. For more information, go to Manage the Blocked Sites List (Blocked Sites).

Related Topics

Visit or Block a Site from HostWatch