Intrusions (IPS) Report

Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes

The Intrusions (IPS) report shows a summary of intrusions on your network.

This report is available when log messages with data for this report exist in the specified time frame. To make sure that your Firebox sends log messages required to generate this report, follow the steps to Enable Logging for this Report.

How to Use this Report

This report can help you to find out more about threats blocked by the Intrusion Prevention Service. Here are some ways to use this report:

  • Select the Signatures pivot to see the top blocked intrusion attacks on your network. You can use the IPS signature ID shown on this pivot and the Detail report to get more information about the threat in the WatchGuard Security Portal.
  • Select the Source pivot to see the IP address or user name associated with the intrusion. For example, this could help you identify which computer or user triggered the intrusion.
  • Select the Threat Level pivot to see the intrusions ranked by threat level.
  • Select the Activity Trend pivot to see the number of intrusions detected and prevented over time.
  • Select the Protocol pivot to identify the protocols associated with intrusion attacks.

View the Report


You can use pivots to change the view of the data on the report.

To switch to a different view, select a pivot from the drop-down list above the report.

This report includes these pivots:

Activity Trend

Summary report of the trend of intrusions on your network over time.


Summary of the IPS actions, organized by the protocol used for the traffic.


Summary of the IPS actions, organized by signature.


Summary of the IPS actions, organized by the IP address where the traffic originated.

Threat Level

Summary of the IPS actions, organized by the threat level.

Detail View

To view a detailed report of all intrusions detected by IPS, click View Details at the top of the report.

Screen shot of View Details link in a report

The Intrusions (IPS) Detail report includes a row for each threat detected by IPS:

Column Description
Disposition Action taken by the Firebox for this traffic, such as Denied or Allowed
Time Date and time that the action occurred
Threat Level Severity of the threat: Critical, High, Medium, Low, or Information
Name Name of the file that was identified as a threat
Category Type of threat, such as Virus/Worm
Source IP address of the traffic source
Destination IP address of the traffic destination
Policy Name of the Firebox policy that examined the traffic
Protocol Protocol used to send the traffic
Hits Number of hits
More Information

In Dimension, click Security Portal in this column to view more information about the threat on WatchGuard Security Portal.


Signature ID of the threat

Enable Logging for this Report

Logging for cloud-managed Fireboxes is automatically enabled. For locally-managed Fireboxes, you must manually enable logging in Fireware Web UI or Policy Manager. For more information, see Set Logging and Notification Preferences.

To collect the data required for this report for locally-managed Fireboxes, in Fireware Web UI or Policy Manager:

  • In the Intrusion Prevention settings on the Firebox, select the Log check box for threat levels with the Block and Drop actions. For more information, see Configure Intrusion Prevention.

See Also

WatchGuard Cloud Device Reports List