Monitor and Manage Blocked Sites on Fireboxes in WatchGuard Cloud

Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes

This page is only available when your cloud-managed Firebox, or locally-managed Firebox with cloud reporting, is connected to WatchGuard Cloud.

Overview

A blocked site is an IP address that cannot make a connection through the Firebox. Many events can cause the Firebox to add an IP address to the Blocked Sites list, such as a port space probe, a spoofing attack, or an address space probe.

On the Live Status > Blocked Sites page, you can view a live list of all the external IP addresses that are permanently blocked in the Firebox configuration or temporarily blocked by your Firebox. You can also add, remove, and manage temporary blocked sites. You can permanently block a temporary blocked site, add a blocked site exception for the site, or change the length of time the site is temporarily blocked.

When you add a permanently blocked site to the configuration, you must deploy the change for the blocked site to appear on the Live Status > Blocked Sites page in WatchGuard Cloud.

IP addresses blocked by ThreatSync+ NDR do not appear on the Live Status > Blocked Sites page. IP addresses blocked in ThreatSync+ NDR show on the Firebox tab of the Items Blocked by ThreatSync page. For more information, go to All IP Addresses.

For more information about blocked sites, go to:

About Blocked Sites on Cloud-Managed Fireboxes
About Blocked Sites (Locally-Managed Fireboxes)

Your operator role determines what you can see and do in WatchGuard Cloud. Your role must have the Devices permission to view or configure this feature. For more information, go to Manage WatchGuard Cloud Operators and Roles.

For each blocked site, the Blocked Sites list includes this information:

Blocked Site

The address of the blocked site.

Host IPv4 — Host IP address in IPv4 format
Host Range IPv4 — From address and To address in IPv4 format
Host IPv6 — Host IP address in IPv6 format
Network IPv6 — Network address in IPv6 format
Host Range IPv6 — From and To Host IP addresses in IPv6 format
Fully Qualified Domain Names — FQDN, includes wildcard domains such as *.example.com.

You can add only Host IPv4 and Host IPv6 sites as manual temporary blocked sites.

Triggering Source

The source of the blocked site.

Admin — The source for shown for sites added on the Live Status > Blocked Sites page.
Configuration — The source shown for sites added to the Blocked Sites list on the Network Blocking page for cloud-managed Fireboxes or the Blocked Sites page in Fireware Web UI or Firebox System Manager for locally-managed Fireboxes.

Reason

The reason the site was blocked.

Permanent blocked sites have a reason of Static Blocked IP.
For sites temporarily blocked by the Firebox, the reason indicates if the site was blocked by a security service or default packet handling, or for another reason such as failed login attempts.
For manually added temporary blocked sites, the reason is the description entered when an operator added the blocked site.

Expiration

The amount of time that remains until the Firebox removes the site from the Blocked Sites list. Permanent blocked sites never expire.

Monitor the Blocked Sites List

To view the live blocked sites list, from WatchGuard Cloud:

Select Monitor > Devices.
Select a Firebox.
The Device Summary page for the selected Firebox opens.
Select Live Status > Blocked Sites.
The Blocked Sites page opens. The page refreshes automatically every 30 seconds.

Add a Temporary Blocked Site

If you want to temporarily block a site while you investigate suspicious activity or if you want to enforce short term access restrictions, you can add a temporary blocked site.

You cannot add local loopback addresses such as 127.0.0.1 as a temporary blocked site because it can block internal Firebox functions.

To add a temporary blocked site, from WatchGuard Cloud:

Select Monitor > Devices.
Select a Firebox.
The Device Summary page for the selected Firebox opens.
Select Live Status > Blocked Sites.
The Blocked Sites page opens. The page refreshes automatically every 30 seconds.
Click Add Temporary Blocked Site.
The Add Temporary Blocked Site dialog box opens.
From the Type drop-down list, select the type of site.

To add an IPv6 site, you must have IPv6 enabled for a network. For more information, go to Configure a Firebox External Network or Configure a Firebox Internal or Guest Network.

In the Host IP Address text box, enter the address of the site you want to block.
To specify how long the Firebox will block the site, in the Expiration text box, enter a duration in hours.
Optionally, in the Description text box, enter information about the temporary blocked site. You can enter up to 64 characters. This description appears in the Reason column of the Blocked Sites list.
To save the temporary blocked site, click Save.
The temporary blocked site is added to the Blocked Sites list.

If the site is on the Exceptions list, it is not added as a temporary blocked site. For more information about blocked site exceptions, go to About Blocked Sites on Cloud-Managed Fireboxes.

Update the Expiration for a Temporary Blocked Site

If you want to change the time at which the Firebox automatically removes a temporary blocked site from the Blocked Sites list, you can update the expiration for the blocked site.

To update the expiration for a temporary blocked site, from WatchGuard Cloud:

Select Monitor > Devices.
Select a Firebox.
The Device Summary page for the selected Firebox opens.
Select Live Status > Blocked Sites.
The Blocked Sites page opens. The page refreshes automatically every 30 seconds.
Click next to a blocked site and select Update Expiration.
The Update Expiration dialog box opens.
To specify how long the Firebox will block the site, in the Expiration text box, enter a duration in hours.
To save the expiration change, click Save.
The expiration for the temporary blocked site is updated.

Delete a Temporary Blocked Site

If you want to remove a temporary blocked site from the Blocked Sites list before its expiration, you can delete it.

You cannot remove a permanent blocked site from the Live Status > Blocked Sites page. Instead you must remove it from the Blocked Sites list in the Firebox configuration.

To delete a temporary blocked site from the Blocked Sites list, from WatchGuard Cloud:

Select Monitor > Devices.
Select a Firebox.
The Device Summary page for the selected Firebox opens.
Select Live Status > Blocked Sites.
The Blocked Sites page opens. The page refreshes automatically every 30 seconds.
Click next to a blocked site and select Delete.
Or, if you want to delete multiple sites at one time, select the check box for each site, then select Delete.
The Delete Blocked Site dialog box opens.
To confirm the deletion, click Delete.
The temporary blocked site is removed from the Blocked Sites list.

Permanently Block a Temporary Blocked Site (Cloud-Managed Firebox Only)

For cloud-managed Fireboxes only, if you determine that a temporary blocked site poses a security risk and you want to block it permanently, you can add it to the Blocked Sites list in the Firebox configuration.

You cannot permanently block a temporary blocked site if the Firebox inherits Network Blocking settings from a Firebox template. To permanently block the site, add it to the Blocked Sites list on the Network Blocking page in the template.

After you change a temporary blocked site to a permanent blocked site and deploy the change, the triggering source updates to Configuration and the expiration updates to Never Expires.

To permanently block a temporary blocked site, from WatchGuard Cloud:

Select Monitor > Devices.
Select a cloud-managed Firebox.
The Device Summary page for the selected Firebox opens.
Select Live Status > Blocked Sites.
The Blocked Sites page opens. The page refreshes automatically every 30 seconds.
Click next to a blocked site and select Block Permanently.
The Block Site Permanently dialog box opens.
If necessary, update the description. This description appears in the Description column of the Blocked Sites list in the Firebox configuration.
Click Save.
The change is saved to the Firebox configuration in the cloud.

For configuration changes to take effect on a cloud-managed Firebox, you must deploy the configuration update to the Firebox. For more information, go to Manage Device Configuration Deployment for Fireboxes.

Add a Temporary Blocked Site to the Exceptions List (Cloud-Managed Firebox Only)

For cloud-managed Fireboxes only, if you determine that a temporary blocked site is safe, you can add it to the Exceptions list in the Firebox configuration. When you add an exception for a blocked site, the blocked site is removed from the Blocked Sites list and the Firebox allows connections to the site.

To add a temporary blocked site to the Exceptions list, from WatchGuard Cloud:

Select Monitor > Devices.
Select a cloud-managed Firebox.
The Device Summary page for the selected Firebox opens.
Select Live Status > Blocked Sites.
The Blocked Sites page opens. The page refreshes automatically every 30 seconds.
Click next to a blocked site and select Add Exception.
The Add Exception dialog box opens.
If necessary, update the description. This description appears in the Description column of the Exceptions list in the Firebox configuration.
Click Save.
The change is saved to the Firebox configuration in the cloud.

Export the Blocked Sites List

If you want to capture all the sites currently included on the Blocked Sites list for further analysis or record keeping, you can export the list to a .CSV file.

To export the list of blocked sites to a .CSV file, from WatchGuard Cloud:

Select Monitor > Devices.
Select a Firebox.

The Device Summary page for the selected Firebox opens.
Select Live Status > Blocked Sites.
The Blocked Sites page opens. The page refreshes automatically every 30 seconds.
To export the blocked sites list to a .CSV file, click .
T