Configure Content Scanning in WatchGuard Cloud

Applies To: Cloud-managed Fireboxes

For cloud-managed Fireboxes, you can configure content scanning with these security services:

  • Gateway AntiVirus
  • IntelligentAV
  • APT Blocker

For content scanning to apply to traffic through the Firebox, you must also enable content scanning in firewall policies. For information about policy settings, see Configure Security Services in a Firewall Policy.

Configure Gateway AntiVirus

The Gateway AntiVirus subscription service operates with the SMTP, IMAP, POP3, HTTP, FTP, Explicit, and TCP-UDP proxies. When a new attack is identified, the features that make the virus unique are recorded. These recorded features are known as the signature. Gateway AntiVirus uses signatures to find viruses when content is scanned by the proxy. Gateway AntiVirus automatically uses the latest signatures when you enable it.

For more information on how to enable Gateway AntiVirus in a proxy, see Enable Gateway AntiVirus in a Proxy Policy.

In WatchGuard Cloud, you can configure the action Gateway AntiVirus takes when a virus is detected, an error occurs, scanned content exceeds the configured size limit, or scanned content is encrypted. For information on how to set the scan size limit, see Configure Advanced Settings. We recommend that you select the Alarm option when a virus is detected.

To configure Gateway AntiVirus:

  1. Select Configure > Devices.
  2. Select a cloud-managed Firebox.
    Status and settings for the selected Firebox appear.
  3. Select Device Configuration.
    The Device Configuration page displays the WatchGuard Cloud security services.
  4. Click the Content Scanning tile.

    The Content Scanning page opens.

  5. On the Settings tab, enable Gateway AntiVirus.

  6. In the Action column, select the Drop check box for each status to specify when you want the Firebox to drop connections:
    • When a virus is detected — If Gateway AntiVirus detects a virus in an email message, file, web page, or web upload, the Firebox drops the packet and the connection. No information is sent to the source of the message.
    • When a scan error occurs — If the Firebox cannot scan an object or an attachment, the Firebox drops the packet and the connection. No information is sent to the source of the message.
    • When content exceeds scan size limit — When content exceeds the configured scan size limit, the Firebox drops the packet and the connection. No information is sent to the source of the message.
    • When content is encrypted — When Gateway AntiVirus cannot scan a file because it is encrypted, password-protected, or uses a type of compression that Gateway AntiVirus does not support, such as password-protected ZIP files, the Firebox drops the packet and the connection. No information is sent to the source of the message.
  7. To generate an alarm, select the Alarm check box.
    If you do not want to set an alarm, clear the Alarm check box.
  8. To save configuration changes to the cloud, click Save.

Configure IntelligentAV

To add another layer of protection to the Gateway AntiVirus security service, enable IntelligentAV. When IntelligentAV is enabled, Gateway AntiVirus uses two scan engines that work together to increase the ability of the Firebox to detect and block malware before it can enter your network.

IntelligentAV uses artificial intelligence, not signatures, to identify and block known and unknown malware. IntelligentAV operates with all proxies supported by Gateway AntiVirus. For more information, see About IntelligentAV.

To enable APT Blocker, you must first enable Gateway AntiVirus.

To configure IntelligentAV:

  1. Select Configure > Devices.
  2. Select a cloud-managed Firebox.

    Status and settings for the selected Firebox appear.
  3. Select Device Configuration.
  4. Click the Content Scanning tile.

    The Content Scanning page opens.

  5. On the Settings tab, enable IntelligentAV.
    There are no individual settings to configure for IntelligentAV.

  6. To save configuration changes to the cloud, click Save.

Configure APT Blocker

An Advanced Persistent Threat (APT) attack is a type of network attack that uses advanced malware and zero-day exploits to get access to networks and confidential data over extended periods of time. APT Blocker is a subscription service that uses full-system emulation analysis to identify the characteristics and behavior of APT malware in files and email attachments that enter your network. APT Blocker does not use signatures like other traditional scanners, such as antivirus programs. For more information, see About APT Blocker.

APT Blocker categorizes APT activity based on the severity of the threat. In WatchGuard Cloud, you can configure the action to take for each threat level (High, Medium, Low). The Clean threat level helps you track the status of files analyzed by APT Blocker that are determined to be clean and do not contain malware. We recommend that you select the Alarm option for all threat levels in your APT Blocker configuration to monitor APT Blocker activity.

To enable APT Blocker, you must first enable Gateway AntiVirus.

To configure APT Blocker:

  1. Select Configure > Devices.
  2. Select a cloud-managed Firebox.

    Status and settings for the selected Firebox appear.
  3. Select Device Configuration.
  4. Click the Content Scanning tile.

    The Content Scanning page opens.

  5. On the Settings tab, enable APT Blocker.


  6. In the Action column, select the Drop check box for each Threat Level you want APT Blocker to drop the connection for.
  7. To trigger an alarm for the threat level, select the Alarm check box.
    If you do not want to set an alarm, clear the Alarm check box for that threat level.
  8. To save configuration changes to the cloud, click Save.

Configure Advanced Settings

The File Scan setting controls the maximum size of files that Gateway AntiVirus and IntelligentAV can scan. The scan limit also controls the maximum size of files that APT Blocker sends for analysis. The Gateway AntiVirus default scan size is set based on the hardware capabilities of each Firebox model. The minimum scan size for all models is 1 MB.

For more information about scan limits, see About Gateway AntiVirus Scan Limits.

To configure file scan size:

  1. Select the Advanced tab.
    The File Scan default and maximum values vary by Firebox model. The setting is set to the recommended value by default.

  2. In the Maximum Kilobytes text box, type the file scan limit in kilobytes.
  3. To save configuration changes to the cloud, click Save.

See Also

Add a Cloud-Managed Firebox to WatchGuard Cloud

Content Scanning in WatchGuard Cloud

About Gateway AntiVirus

About IntelligentAV

About APT Blocker