Configure APT Blocker

You can use APT Blocker in addition to Gateway AntiVirus to provide protection against advanced malware techniques that exploit zero-day vulnerabilities and evade traditional signature-based scanning. To use APT Blocker, you must have a feature key that enables APT Blocker and Gateway AntiVirus.

APT Blocker is part of the same scan process as Gateway AntiVirus. When you enable APT Blocker in a proxy action, APT Blocker scans content only when content matches a proxy action rule configured with the AV Scan action.

To use APT Blocker, you must have a feature key that enables the service.

APT Blocker and NTP

When you use APT Blocker, WatchGuard recommends that you enable NTP to make sure the time is synchronized with the data center. For more information on how to enable and configure NTP, see Enable NTP and Configure NTP Servers.

APT Blocker and IPv6

In Fireware v11.12 and higher, Fireware supports IPv6 for proxy policies and subscription services. APT Blocker uses IPv4 to connect to the server. If your Firebox is configured for IPv6, you must configure the external interface with both an IPv4 address and an IPv6 address.

Enable APT Blocker and Configure APT Blocker Actions

Before you can enable APT Blocker, Gateway AntiVirus must be enabled for one or more active proxy policies. For more information, see Enable Gateway AntiVirus in a Proxy Policy.

When you configure APT Blocker, you specify the action that APT Blocker takes for each threat level. Options include:

Allow

Allows and delivers the file or email attachment to the recipient.

Drop

  • HTTP and FTP — Drops the connection immediately. The Firebox does not give any error messages to the sending server.
  • SMTP and POP3 — If you use the drop action with the SMTP-proxy or POP3-proxy, the attachment is stripped before the message is delivered to the recipient.

Block

  • HTTP and FTP — Drops the connection, and the sender or source address is added to the Blocked Sites list for 20 minutes.
  • SMTP and POP3 — If you use the block action with the SMTP-proxy or POP3-proxy, the attachment is stripped before the message is delivered to the recipient. The sender or source address is added to the Blocked Sites list for 20 minutes.

Quarantine (SMTP only)

When you use the SMTP-proxy with APT Blocker, you can send email messages to the Quarantine Server. The SMTP-proxy removes the part of the message that triggered APT Blocker and sends the modified message to the recipient. The removed part of the message is replaced with the deny message that is configured in the proxy action settings. If the Quarantine Server cannot be contacted, the message is temporarily rejected.

For more information on the Quarantine Server, see About the Quarantine Server.

For the HTTP-proxy and FTP-proxy, the quarantine action is converted to a Drop action. For the POP3-proxy, the quarantine action is converted to a Strip action.
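The rules above (per-proxy behaviour of Drop, Block and Quarantine, the 20-minute Blocked Sites entry, and the temporary reject when the Quarantine Server is unreachable) as a small decision model. This is an added example, not WatchGuard code; the return strings, the BlockedSites class and the use of plain integer seconds for time are assumptions made for the illustration.

```python
# Added example (not WatchGuard code): a model of how a configured APT Blocker
# action is applied per proxy, following the rules on this page. Times are plain
# integer seconds (e.g. from time.time()) so the model runs without a clock.

BLOCKED_SITE_SECONDS = 20 * 60          # Block lists the source in Blocked Sites for 20 minutes
CONNECTION_PROXIES = {"HTTP", "FTP"}    # proxies where Drop/Block act on the connection
MAIL_PROXIES = {"SMTP", "POP3"}         # proxies where Drop/Block strip the attachment


class BlockedSites:
    """Temporary block list with expiry, modelling the Blocked Sites list (assumed)."""

    def __init__(self):
        self._expiry = {}               # address -> time (seconds) at which the entry expires

    def add(self, address, now, duration=BLOCKED_SITE_SECONDS):
        self._expiry[address] = now + duration

    def is_blocked(self, address, now):
        expiry = self._expiry.get(address)
        return expiry is not None and now < expiry


def apply_action(proxy, configured_action, source, blocked, now, quarantine_server_up=True):
    """Return what the Firebox does with the content and update Blocked Sites if needed.

    Return values (names assumed): "deliver", "drop-connection", "strip",
    "quarantine", "temporarily-reject".
    """
    if proxy not in CONNECTION_PROXIES | MAIL_PROXIES:
        raise ValueError(f"unsupported proxy: {proxy}")
    action = configured_action.lower()
    if action == "allow":
        return "deliver"                # file or attachment is delivered unchanged
    if action == "quarantine":
        if proxy == "SMTP":             # only the SMTP-proxy can use the Quarantine Server
            return "quarantine" if quarantine_server_up else "temporarily-reject"
        if proxy == "POP3":
            return "strip"              # Quarantine is converted to Strip for POP3
        action = "drop"                 # Quarantine is converted to Drop for HTTP and FTP
    if action not in ("drop", "block"):
        raise ValueError(f"unknown action: {configured_action}")
    if action == "block":               # Block additionally lists the sender/source
        blocked.add(source, now)
    return "drop-connection" if proxy in CONNECTION_PROXIES else "strip"
```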

To enable APT Blocker:

  1. Select Subscription Services > APT Blocker.

[Screen shot: APT Blocker configuration in Fireware Web UI (APT Blocker page, Settings tab)]

[Screen shot: APT Blocker dialog box in Policy Manager]

  2. Select the Enable APT Blocker check box.
  3. For each threat level, select the action. Available actions are:
    • Allow
    • Drop
    • Block
    • Quarantine
  4. To send a log message for an APT Blocker action, select the Log check box.
  5. To trigger an alarm for an APT Blocker action, select the Alarm check box.
    Click the Notification Settings button to configure the types of alarm notifications you want to receive.
  6. Click OK.

Configure Other APT Blocker Settings

To disable or enable APT Blocker for each policy in your configuration, select the Policies tab. For more information, see Enable or Disable APT Blocker for a Proxy Policy.

To send APT Blocker requests to a region-specific or local on-premise server, and to specify whether to send PDF files for analysis, select the Advanced tab. For more information, see Configure APT Blocker Advanced Settings.

To connect to the APT Blocker server through an HTTP proxy server, select the HTTP Proxy Server tab in Policy Manager, or the Advanced tab in Fireware Web UI. For more information, see Configure APT Blocker Advanced Settings.

To monitor APT Blocker activity, configure logging for APT Blocker, and view APT Blocker Dimension reports, see Monitor APT Blocker Activity.

To configure notification settings for APT Blocker, click Notification Settings. For more information, see Set Logging and Notification Preferences.

To specify files that you do not want APT Blocker to scan, click File Exceptions. For more information, see Configure File Exceptions.

Related Topics

About APT Blocker

Enable or Disable APT Blocker for a Proxy Policy

Video tutorial: Getting Started with APT Blocker