About Reputation Enabled Defense

The web reputation authority service provided by Reputation Enabled Defense (RED) is not supported in Fireware v12.10 and higher. For more information, go to this Partner Blog post.

You can use the Reputation Enabled Defense (RED) security subscription to increase the performance and enhance the security of your Firebox.

WatchGuard RED uses a cloud-based WatchGuard reputation server that assigns a reputation score between 1 and 100 to every URL. When a user goes to a website, RED sends the requested web address (or URL) to the WatchGuard reputation server. The WatchGuard server responds with a reputation score for that URL. Based on the reputation score and locally configured thresholds, RED determines whether the Firebox should drop the traffic, allow the traffic and scan it locally with Gateway AntiVirus, or allow the traffic without a local Gateway AntiVirus scan. This increases performance, because Gateway AntiVirus does not need to scan URLs with a known good or bad reputation.

RED is supported in HTTP client proxy actions only. It is not supported in HTTP server proxy actions.

Reputation Thresholds

There are two reputation score thresholds you can configure:

  • Bad reputation threshold — If the score for a URL is higher than the Bad reputation threshold, the HTTP proxy denies access without any further inspection.
  • Good reputation threshold — If the score for a URL is lower than the Good reputation threshold and Gateway AntiVirus is enabled, the HTTP proxy bypasses the Gateway AntiVirus scan.

If the score for a URL is equal to or between the configured reputation thresholds and Gateway AntiVirus is enabled, the content is scanned for viruses.

When the HTTP proxy detects a Gateway AntiVirus violation, it sends feedback to the WatchGuard reputation server and the reputation score for the URL is updated for future reference.

Diagram of reputation scores and thresholds, from 100 (Bad) to 1 (Good)

Reputation Scores

The reputation score for a URL is based on feedback collected from devices around the world. It incorporates scan results data from leading anti-malware vendors of malware intelligence for the web.

A reputation score closer to 100 indicates that the URL is more likely to contain a threat. A score closer to 1 indicates that the URL is less likely to contain a threat. If the RED server does not have a previous score for a web address, it assigns a neutral score of 50. The reputation score changes from the default score of 50 based on a number of factors.

These factors can cause the reputation score of a URL to increase, or move toward a score of 100:

  • Negative scan results
  • Negative scan results for a referring link

These factors can cause the reputation score of a URL to decrease, or move toward a score of 1:

  • Multiple clean scans
  • Recent clean scans

Reputation scores can change over time. For increased performance, the Firebox stores the reputation scores for recently accessed web addresses in a local cache.

Reputation Lookups

The Firebox uses UDP port 10108 to send encrypted reputation queries to the WatchGuard reputation server. UDP is a best-effort service. If the Firebox does not receive a response to a reputation query soon enough to make a decision based on the reputation score, the HTTP proxy does not wait for the response, but instead processes the HTTP request without the reputation score. In this case the content is scanned locally if Gateway AntiVirus is enabled.

Reputation Enabled Defense does not do a reputation lookup for sites on the Blocked Sites Exceptions list or the HTTP Proxy Exceptions list of the HTTP proxy action. For connections to sites on these exceptions lists, log messages show a reputation score of -1.

If a site is not on the HTTP Proxy Exceptions or Blocked Sites Exceptions list, a reputation score of -1 indicates that the Firebox did not get a response soon enough to make a decision based on the reputation score.

Reputation lookups are based on the domain and URL path, not just the domain. Parameters after escape or operator characters, such as & and ? are ignored.

For example, for the URL:

http://www.example.com/example/default.asp?action=9&parameter=26

the reputation lookup is:

http://www.example.com/example/default.asp

Fireware v11.12 and higher support IPv6 for proxy policies and security services. Reputation Enabled Defense does not send the IPv6 address to the server for classification if a client sends an HTTP request directly to an IPv6 address, rather than to a host name.

Reputation Enabled Defense Feedback

If Gateway AntiVirus is enabled, you can choose if you want to send the results of local Gateway AntiVirus and APT Blocker scans to the WatchGuard server. You can also choose to upload Gateway AntiVirus and APT Blocker scan results to WatchGuard even if Reputation Enabled Defense is not enabled or licensed on your device. All communications between your network and the Reputation Enabled Defense server are encrypted.

We recommend that you enable the upload of local scan results to WatchGuard to improve overall coverage and accuracy of Reputation Enabled Defense.

Related Topics

Configure Reputation Enabled Defense

Reputation Enabled Defense Statistics