Intrusions (IPS) Report

The Intrusions (IPS) report shows a summary of intrusions on your network.

This report is available when log messages with data for this report exist in the specified time frame. To make sure that your Firebox sends log messages required to generate this report, follow the steps to Enable Logging for this Report.

How to Use this Report

This report can help you to find out more about threats blocked by the Intrusion Prevention Service. Here are some ways to use this report:

  • Select the Signatures pivot to see the top blocked intrusion attacks on your network. You can use the IPS signature ID shown on this pivot and the Detail report to get more information about the threat in the WatchGuard Security Portal.
  • Select the Source pivot to see the IP address or user name associated with the intrusion. For example, this could help you identify which computer or user triggered the intrusion.
  • Select the Threat Level pivot to see the intrusions ranked by threat level.
  • Select the Activity Trend pivot to see the number of intrusions detected and prevented over time.
  • Select the Protocol pivot to identify the protocols associated with intrusion attacks.

View the Report


You can use pivots to change the view of the data on the report.

To switch to a different view, select a pivot from the drop-down list above the report.

This report includes these pivots:

Activity Trend

Summary report of the trend of intrusions on your network over time.


Summary of the IPS actions, organized by the protocol used for the traffic.


Summary of the IPS actions, organized by signature.


Summary of the IPS actions, organized by the IP address where the traffic originated.

Threat Level

Summary of the IPS actions, organized by the threat level.

Detail View

To view a detailed report of all intrusions detected by IPS, click the View Details link at the top of the report.

Screen shot of View Details link in a report

The Intrusions (IPS) Detail report includes a row for each threat detected by IPS:

Column Description
Disposition The action taken by the Firebox for this traffic, such as Denied or Allowed.
Time Date and time that the action occurred.
Threat Level Severity of the threat: Critical, High, Medium, Low, or Information.
Name Name of the file that was identified as a threat.
Category The type of threat, such as Virus/Worm.
Source IP address of the traffic source.
Destination IP address of the traffic destination.
Policy Name of the Firebox policy that examined the traffic.
Protocol Protocol used to send the traffic.
Hits Number of hits.
More Information

In Dimension, you click Security Portal in this column to view more information about the threat on the WatchGuard Security Portal.


Signature ID of the threat.

Enable Logging for this Report

To collect the data required for this report:

  • In the Intrusion Prevention settings on the Firebox, select the Log check box for threat levels with the Block and Drop actions. For more information, see Configure Intrusion Prevention.

See Also

WatchGuard Cloud Device Reports List