About Security Services Precedence

With a Total Security Suite subscription, the Firebox and WatchGuard security services provide comprehensive protection against attacks. You enable some services globally and enable other services in policies. Together, they provide an integrated and layered security solution.

When a Firebox with a Total Security Suite subscription receives a packet, these global services inspect the packet:

  • Default Threat Protection
  • Botnet Detection
  • DNSWatch (when the packet arrives internally on UDP port 53)

If the packet is allowed, then it moves to policy-based inspection and the security services that are enabled in those policies. This list shows the order that security services scan the packet and, when enabled in a proxy policy, inspect the content:

  1. Geolocation
  2. Application Control and Intrusion Prevention Service
  3. WebBlocker or spamBlocker
  4. Reputation Enabled Defense
  5. Gateway AntiVirus
  6. IntelligentAV
  7. APT Blocker
  8. Data Loss Prevention

The order can change based on the packet type. In general, the services race to inspect the content and the first service to deny the content drops the connection. After the connection drops, the other services do not scan the packet.

HTTPS Packet Inspection Example

This example shows the steps an HTTPS packet takes for a Firebox with an active HTTPS-proxy policy with content inspection enabled. If the Firebox does not drop the connection at a step, then the packet continues to the next step.

  1. Default Threat Protection and Botnet Detection inspect the connection to ensure that the source and destination IP addresses and port number are safe.
  2. Fireware checks for an HTTPS-proxy policy. If enabled, Geolocation inspects the source and destination IPs.
  3. With content inspection enabled, Application Control and Intrusion Prevention Service (IPS) inspect the packet.
  4. The proxy inspects the proxy actions for anything that is denied (for example, domains, URLs, media types, file types, etc.) before the remaining security services begin to scan the packet or content.
  5. Reputation Enabled Defense (RED) inspects the URL.
  6. WebBlocker inspects the URL, domain, and IP address (IPv4) to determine whether it matches a category or exception.
  7. These WatchGuard security services inspect the content of the packet, in this order:
    1. Gateway AntiVirus — Scans content for known threats to find viruses and block them.
    2. IntelligentAV — Identifies and blocks known and unknown malware, without the use of signatures.
    3. APT Blocker — Identifies characteristics and behavior of APT malware in files and email attachments and blocks them.
    4. Data Loss Prevention — Detects accidental or unauthorized transmission of confidential information outside your network or across network boundaries and blocks it.

If RED returns a response at the same time or after a service starts to scan the content, the service continues to scan the content. The first service to deny the content drops the connection.

See Also

About Gateway AntiVirus

About IntelligentAV

About APT Blocker

About Data Loss Prevention