Manage Items Blocked by ThreatSync

Applies To: ThreatSync

Some of the features described in this topic are only available to participants in the ThreatSync Beta program. If a feature described in this topic is not available in your version of WatchGuard Cloud, it is a beta-only feature.

The Items Blocked by ThreatSync page shows a list of all IP addresses blocked by ThreatSync actions on eligible Fireboxes and all MAC addresses of blocked access points.

IP addresses blocked by the Firebox do not appear on the Items Blocked by ThreatSync page. To check if an incident was blocked by the Firebox, review the Automatic Response in the Threat Details section of a specific incident. For more information, go to Review Incident Details.

IP addresses blocked by ThreatSync do not appear on the Firebox Blocked Sites list in Fireware or WatchGuard Cloud.

Blocked IP Addresses by Fireboxes

The Items Blocked by ThreatSync page shows these details on the Firebox tab:

Screenshot of the Blocked Items by ThreatSync page (Firebox tab) in WatchGuard Cloud

  • Blocked IP Address — The IP address blocked by manual action or by an automation policy.
  • Blocked By — The user name or automation policy name that blocked the IP address.
  • Time Stamp — The date and time the IP address was blocked.

IP addresses blocked in ThreatSync+ NDR show on the Firebox tab of the Items Blocked by ThreatSync page. For more information, go to All IP Addresses.

If ThreatSync blocks critical IP addresses, you can add the IP addresses to the Blocked Sites Exception list on your Firebox. When you add a site to the Blocked Sites Exception list, traffic from that site is not blocked. For more information, go to Create Blocked Sites Exceptions.

Unblock an IP Address

As you review incident details and monitor threats, you might decide to unblock one or more IP addresses that were blocked by a ThreatSync automation policy, or blocked by manual response to an incident.

To unblock IP addresses that are blocked by eligible Fireboxes:

  1. Log in to your WatchGuard Cloud account.
  2. For Service Provider accounts, from Account Manager, select My Account.
  3. Select Configure > ThreatSync > Blocked Items.
    The Items Blocked by ThreatSync page opens.
  4. Select the Firebox tab.
  5. Select one or more blocked IP addresses.
  6. Click Unblock.
    All eligible Fireboxes no longer block traffic to and from the selected IP addresses.

Blocked MAC Addresses of Access Points

The Items Blocked by ThreatSync page shows these details on the Access Point tab:

Screenshot of the Blocked Items by ThreatSync page (Access Point tab) in WatchGuard Cloud

  • Blocked MAC Addresses — The access point MAC address blocked by manual action or by an automation policy.
  • Threat Type — The detected threat type of the access point.

For example:

  • Malicious Access Point - Rogue Access Point
  • Malicious Access Point - Suspected Rogue Access Point
  • Malicious Access Point - Evil Twin
  • Blocked By — The user name or automation policy name that blocked the access point MAC address.
  • Time Stamp — The date and time the access point MAC address was blocked.

Unblock an Access Point MAC Address

As you review incident details and monitor threats, you might decide to unblock one or more access points that were blocked by a ThreatSync automation policy, or blocked by manual response to an incident.

Caution: Make sure that you identify the access point you want to unblock. If this is a malicious access point, your wireless clients will be able to connect to the threat device and communicate vulnerable data after you unblock the device.

To unblock an access point MAC address from the Items Blocked by ThreatSync page:

  1. Log in to your WatchGuard Cloud account.
  2. For Service Provider accounts, from Account Manager, select My Account.
  3. Select Configure > ThreatSync > Blocked Items.
    The Items Blocked by ThreatSync page opens.
  4. Select the Access Point tab.
  5. Select one or more blocked access point MAC addresses.
  6. Click Unblock.
    All selected access points are no longer blocked.

Refresh List of Blocked Access Points

To refresh the list of blocked access point MAC addresses, click .

Download List of Blocked Access Points

To download a list of blocked access Point MAC addresses in comma-separated value (CSV) format, click .

Related Topics

Configure ThreatSync

Configure ThreatSync Device Settings

About ThreatSync Automation Policies