Watchguard

Review configuration options for WatchGuard firewalls in RocketCyber

| Option | Description |
|---|---|
| DDoS attack | Detects attempts to crash your network by overwhelming available resources. This can take the form of using all available bandwidth, memory, or other network resources. |
| Port scan | Detects malicious actors attempting to discover which ports are open on your network. |
| IPS detection (general) | Detections from the WatchGuard Intrusion Prevention System (IPS). |
| APT detection | Detections from WatchGuard's Advanced Persistent Threat tools. |
| Data leak | Detects your network leaking data. |
| Reputation lookup | Determines whether traffic originated from a known malicious IP address. |
| IP spoofing | Detects attempts to change the reported source of traffic entering your network (for example, to avoid reputation lookups). |
| IPS license expired | A friendly reminder when your IPS license expires. |
| ICMP, IKE, IPSEC, UDP flood attacks | Various methods of overwhelming network resources to crash your network. |
| GAV Virus | A virus detected at your gateway. |
| Detect VPN use | Monitors and informs you if someone enables or attempts to use a VPN on your network. Only use this if VPN should be disabled on your network! |


Log Format

The expected format for WatchGuard logs is space-separated. For example:

<140>Feb 4 10:47:38 ABC-FW 8265941A0BAD (2020-02-04T15:47:38) firewall: msg_id="3000-0148" Allow 1-Trusted 0-External 52 tcp 20 127 192.168.101.12 24.102.62.243 31757 443 offset 8 S 2947993982 win 32 geo_dst="USA" (HTTPS-proxy-00)
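As an added example (not RocketCyber's or WatchGuard's own code), the parser below splits a line in the format shown above into its syslog header, the quoted key="value" attributes, the trailing policy name in parentheses, and the positional space-separated fields. The positional column layout for a `msg_id="3000-0148"` traffic event (action, source interface, destination interface, packet length, protocol, IP header length, TTL, source IP, destination IP, source port, destination port) is an assumption inferred from the sample line, and the `SAMPLE` constant is the page's own example line embedded for offline use.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The page's sample log line, embedded here so the parser runs offline.
SAMPLE = ('<140>Feb 4 10:47:38 ABC-FW 8265941A0BAD (2020-02-04T15:47:38) '
          'firewall: msg_id="3000-0148" Allow 1-Trusted 0-External 52 tcp 20 127 '
          '192.168.101.12 24.102.62.243 31757 443 offset 8 S 2947993982 win 32 '
          'geo_dst="USA" (HTTPS-proxy-00)')

# Header: <PRI>, BSD timestamp, hostname, device serial, (ISO timestamp), process:
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<serial>\S+) '
    r'\((?P<iso>[^)]+)\) '
    r'(?P<process>[^:]+): '
    r'(?P<body>.*)$'
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')          # key="value" attributes
POLICY_RE = re.compile(r'\(([^()]+)\)\s*$')      # trailing (policy-name)


@dataclass
class WatchGuardEvent:
    facility: int
    severity: int
    timestamp: str        # BSD-style timestamp from the syslog header
    iso_timestamp: str    # device-local ISO timestamp in parentheses
    host: str
    serial: str
    process: str
    msg_id: Optional[str]
    attrs: dict           # all key="value" pairs found in the body
    tokens: list          # remaining positional fields, in order
    policy: Optional[str]


def parse_line(line: str) -> WatchGuardEvent:
    """Parse one space-separated WatchGuard syslog line; raises ValueError if
    the header does not match."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a WatchGuard syslog line: %r" % line[:60])
    pri = int(m.group('pri'))
    body = m.group('body')
    attrs = dict(KV_RE.findall(body))
    # Remove the quoted attributes so only positional fields remain.
    rest = KV_RE.sub('', body).strip()
    policy = None
    pm = POLICY_RE.search(rest)
    if pm:
        policy = pm.group(1)
        rest = rest[:pm.start()].strip()
    return WatchGuardEvent(
        facility=pri // 8, severity=pri % 8,
        timestamp=m.group('ts'), iso_timestamp=m.group('iso'),
        host=m.group('host'), serial=m.group('serial'),
        process=m.group('process'), msg_id=attrs.get('msg_id'),
        attrs=attrs, tokens=rest.split(), policy=policy,
    )


# ASSUMPTION: positional layout for msg_id 3000-0148 traffic events, inferred
# from the sample line; other msg_ids carry different positional fields.
TRAFFIC_FIELDS = ('action', 'src_iface', 'dst_iface', 'pkt_len', 'proto',
                  'ip_hdr_len', 'ttl', 'src_ip', 'dst_ip', 'src_port', 'dst_port')


def parse_traffic(ev: WatchGuardEvent) -> Optional[dict]:
    """Map the positional tokens of a traffic event onto named fields.
    Returns None for events that are not 3000-0148 or are too short."""
    if ev.msg_id != '3000-0148' or len(ev.tokens) < len(TRAFFIC_FIELDS):
        return None
    fields = dict(zip(TRAFFIC_FIELDS, ev.tokens))
    for k in ('pkt_len', 'ip_hdr_len', 'ttl', 'src_port', 'dst_port'):
        fields[k] = int(fields[k])
    fields['extra'] = ev.tokens[len(TRAFFIC_FIELDS):]   # e.g. offset/flags/win
    return fields


def parse_lines(lines):
    """Parse many lines, skipping anything that is not in the expected format."""
    out = []
    for line in lines:
        try:
            out.append(parse_line(line))
        except ValueError:
            continue
    return out


if __name__ == '__main__':
    ev = parse_line(SAMPLE)
    print(ev.host, ev.serial, ev.msg_id, ev.policy)
    print(parse_traffic(ev))
```

Checking `facility`/`severity` is a quick way to confirm the device is sending at the expected syslog level: the sample's `<140>` decodes to facility 17 (local1) and severity 4 (warning). Lines that do not match the header (for example, a collector prepending its own timestamp) are skipped by `parse_lines` rather than mis-split, which is the failure mode to watch when onboarding a new firewall.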