Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes, WatchGuard Cloud-managed Access Points
WatchGuard Cloud includes predefined reports that are automatically generated from the log message data from your devices.
The reports that are available for each device depend on the log message data that the device sent to WatchGuard Cloud. If the data required for a report has not been collected, the report does not appear on the Monitor page. For information about where to enable logging for reports in your device configuration, see Where to Enable Logging for Reports. For information about how to enable logging for a policy on locally-managed Fireboxes, see Configure Logging and Notification for a Policy.
For information about how to run a report manually, see View WatchGuard Cloud Device Reports.
For information about how to schedule reports, see Schedule WatchGuard Cloud Reports.
NONE line items in proxy-based reports are the result of traffic logs for requests where the primary key data of a report (such as sni or sender) is not available. If this occurs frequently, NONE can appear as the top entry in summary reports.
Available Reports
You can view available reports when you select a folder or a device.
| Name | Description |
|---|---|
| Device Summary |
Displays summary information for the selected device Includes device connection status, basic device details, license information, device statistics, subscription service statistics, most active policies, average bandwidth, and number of authenticated users To download the Executive Summary report, click |
above the summary information
You must select a device to view the Log Manager and Log Search options. They are not available when you select a folder.
| Report | Description |
|---|---|
| Log Manager | View log messages generated by the selected device or devices to monitor your network activity, and identify and address security risks |
| Log Search | Run simple or complex search queries to find specific details in your device log messages |
| Report | Description |
|---|---|
| Executive Summary |
PDF report that includes a high-level summary of the attacks and traffic blocked by the Firebox Includes malware attacks, network attacks, and top categories Available from the Device Summary page |
| Executive Dashboard (WatchGuard Cloud) |
High-level view of the traffic through the selected device Includes top countries, top clients, top domains, top URL categories, top destinations, top applications, top application categories, and top protocols |
| Security Dashboard | High-level view of the top security threats in areas protected by your subscription services |
| Subscription Dashboard | High-level view of all subscription services that are active on the device for the selected date and time range |
| Threat Map | Visual representation of the countries from which attacks on your network originate |
| Firewatch | Real-time, interactive report tool that groups, aggregates, and filters statistics about the traffic through your device |
| Policy Map | Interactive report tool that shows a visualization of the traffic flows through your device |
| Report | Description |
|---|---|
| Most Active Clients | Summary of the top web traffic for clients, by hits and bytes transferred |
| Most Popular Domains | Summary of the top domains visited by clients, by hits and bytes transferred |
| Web Audit | Summary of allowed web traffic for each WebBlocker category and client |
| Web Activity Trend | Summary of the upload and download rates for web traffic, shown for regular intervals |
| Report | Description |
|---|---|
| Packet Filter Traffic | Summary of packet-filter traffic data, organized by activity |
| Proxy Traffic | Summary of proxied traffic data, organized by activity |
| Top Clients | Summary of the clients that use the most bandwidth or establish the most connections on your network |
| Report | Description |
|---|---|
| Access Portal Report | Summary of the most frequently used applications |
| Advanced Malware (APT) | Summary of the malware and malicious activity on your network that was detected by APT Blocker |
| Application Usage | Summary of application usage data. Includes applications that use the most bandwidth and have the most hits, and the top users and hosts |
| Blocked Applications | Summary of the applications used on your network that were blocked by Application Control |
| Blocked Websites | Summary of the websites blocked by WebBlocker |
| Botnet Detection | Summary of all activity on your network related to botnet sites |
| Data Loss Violations (DLP) | Summary of data loss violations on your network and DLP actions |
| Intrusions (IPS) |
Summary of intrusions on your network and IPS actions, organized by signature ID, activity trend, source, threat level, or protocol |
| Reputation Enabled Defense | Summary of Reputation Enabled Defense actions for traffic through the device |
| Spam | Summary of the amount and type of spam email detected on your network and actions taken by spamBlocker |
| Virus | Summary of the malware stopped by Gateway AntiVirus or IntelligentAV, organized by virus, host, protocol, and sender email address |
| Zero-Day Malware (APT) | Summary of the zero-day malware detected by APT Blocker |
| Report | Description |
|---|---|
| SMTP Proxy | Summary of email traffic handled by SMTP proxies |
|
Summary of email traffic handled by POP3 proxies |
|
| IMAP Proxy | Summary of email traffic handled by IMAP and IMAP/S proxies |
| Report | Description |
|---|---|
| Alarms | Summary of alarms generated by the device |
| Authentication | Summary of users who successfully authenticated to the device and users who were not allowed to authenticate |
| Blocked Default Threats | Summary of the packets blocked by the Default Threat Protection feature |
| Denied Packets |
Summary of the incoming and outgoing packets that were denied access through the device Includes traffic denied for users who exceed the bandwidth and time quota settings on your device |
| Denied Quota |
Summary of the denied traffic for users who exceed the bandwidth and time quotas configured on the device Includes the name of the user, the count of user attempts to connect, and the percentage of denied connections for each user |
| DHCP Lease Activity | Summary of DHCP leases the Firebox assigned to network clients |
| Policy Usage |
Summary of policy usage data Shows which policies handle the largest traffic volume and have the most hits |
| Audit Trail |
Summary of configuration changes for a device Includes the user account that made the change, the change that was made, the date and time of the change, and a brief description of type of change |
| Report | Description |
|---|---|
| Interface Summary | Detailed report that shows statistics and a chart of the data sent and received for each interface or for all interfaces in a security zone |
| SD-WAN Report | Detailed report that shows the Loss, Latency, and Jitter for each interface (Status tab) or for all interfaces (Summary tab) over time |
Compliance reports combine data from other reports into a single report with data relevant to HIPAA and PCI compliance.
You can view the combined report or export it as a .PDF file.
| Report | Description |
|---|---|
| HIPAA Compliance | A group of reports with data relevant to HIPAA compliance. |
| PCI Compliance |
A group of reports with data relevant to PCI compliance. |
For more information about HIPAA and PCI compliance reports see:
| Report | Description |
|---|---|
| Advanced Malware (APT) |
Detailed report of all the threats identified by APT Blocker |
| Alarms |
Detailed report of the threat levels assigned to malicious activity on your network. Includes the time of the event, the name of the alarm, and an informational message for each alarm event |
| Application Usage |
Detailed report about the applications used by clients on your network |
| Blocked Applications |
Detailed report about the applications on your network that were blocked by Application Control |
| Blocked Websites |
Detailed report about websites that were blocked by WebBlocker |
| Botnet Detection |
Detailed report about the traffic sent to and from a botnet address |
| Data Loss Violations (DLP) |
Detailed report about all the violations of the Data Loss Prevention rules configured on your device |
| Denied Packets |
Detailed report of all the packets denied by your device, organized by detail or client Includes the date/time of the first action, the source and destination IP addresses, the intended packet destination, the number of attempts for each packet, the protocol and port, and the action |
| Denied Quota |
Detailed report of traffic denied because of bandwidth and time quota settings on your Firebox Includes the time of the first action, the source and destination of the traffic, the number of connection attempts, the protocol applied to the traffic, and the quota action applied |
| IMAP Proxy | Detailed report about all traffic through the IMAP proxy |
| Intrusions (IPS) |
Detailed report of all Intrusion Prevention Service actions |
| KCSiE | Detailed report of web searches made on popular search engines for KCSiE keywords. Includes the user name, host IP address, and query keyword |
| POP3 Proxy |
Detailed report about all traffic through the POP3 proxy |
| Search Engine | Detailed report of web searches made on popular search engines. Includes the user name, host IP address, and search query text |
| SMTP Proxy |
Detailed report about all traffic through the SMTP proxy |
| Virus |
Detailed report of all Gateway AntiVirus and Intelligent AntiVirus actions, organized by detail, email sender (SMTP and POP3 proxies), host name, protocol, or virus name |
| Web Audit |
Detailed report about all allowed web traffic connections through your device, organized by category or client |
| Zero-Day Malware (APT) | Detailed report of threats identified by APT Blocker as zero-day malware (not identified until after the traffic passed through the firewall) |
The Access Points section provides several reports about your WatchGuard access points and wireless network. You can specify the time range and select the SSIDs for the report.
You can export reports as a .PDF file.
| Report | Description |
|---|---|
| Network Usage | Shows the network usage of wireless clients associated to WatchGuard access points |
| Performance Issues | Shows the client performance issues that have occurred on your wireless network due to low RSSI and low data rate |
| Top Clients | Shows the most active clients associated to WatchGuard access points on your wireless network |
| Connection Issues | Shows clients that experienced connection issues on your wireless network |
Per Client reports contain information about activity for a specific client on your network. Per Client reports are divided into two categories: Summary and Detail reports. Summary reports include the top results, a chart and data selection grid. You can export Summary reports as a .PDF file. Detail reports include all results for the specified client and date range. You can export Detail reports as a CSV file.
Per Client reports include sections from other reports that are populated from proxy traffic. If there is no proxy traffic, then the Per Client report section shows no data.
When you run a Per Client report, you can specify this criteria:
- User Name
- Host
In the Host text box, you can type the IP address or the host name, if available.
If log data for the specified date range includes DLP log messages for the specified client, you can specify additional criteria for DLP reports. You can use wildcards when you apply a filter with DLP criteria to Per Client reports.
In the criteria for DLP reports, you can specify:
- Policy Name
- Rule Name
To switch between Summary and Detail reports, from the drop-down list at the top of the page, select Summary or Detail.
Per Client Summary and Detail reports include:
| Per Client Report | Report Category | Description |
|---|---|---|
| Web Activity Trend | Summary | Hourly trend data for websites visited by clients |
| Most Popular Domains | Summary | Top websites visited by clients |
| Application Usage | Summary |
Summary report of application usage data for allowed connections Includes TCP-UDP-Proxy incoming and outgoing connection transaction data, when available |
| Application Usage | Detail |
Detail report for application usage data Includes the Disposition, Event Time, Client, Source, Destination, Policy, Protocol, Category, Application, Bytes, and Hits for the traffic |
| Data Loss Violations (DLP) | Summary | All Data Loss Prevention activity and actions on the Firebox |
| Data Loss Violations (DLP) by Detail | Detail | Data Loss Prevention activity and actions on the Firebox, organized by the detail type |
| URL Audit Detail | Detail |
Detailed report of traffic through the Firebox, organized by URL Includes the Event Time, Policy, Disposition, Destination, and Path for the traffic |
| Application Usage by Category | Detail | Application usage data for allowed connections, by category |
| Web Audit by Category | Summary |
Summary report of web traffic by category Includes the Event Time, Category, Policy, Disposition, Destination, and Hits |
| Web Audit by Category Detail | Detail |
Detailed report of web traffic by category, organized by the category details Includes Disposition, Event Time, Category, Policy, Destination, and Hits for the traffic |