12.07.2015 Views

WSM User Guide - WatchGuard Technologies


CHAPTER 11
Firewall Intrusion Detection and Prevention

WatchGuard® Fireware® and the policies you create in Policy Manager give you strict control over access to your network. A strict access policy helps keep hackers out of your network. But, there are other types of attacks that a strict policy cannot defeat. Careful configuration of the Firebox® default packet handling options can stop attacks such as SYN flood attacks, spoofing attacks, and port or address space probes.

With default packet handling, a firewall examines the source and destination of each packet it receives. It looks at the IP address and port number and monitors the packets to look for patterns that show your network is at risk. If there is a risk, you can configure the Firebox to automatically block against the possible attack. This proactive method of intrusion detection keeps attackers out of your network. You can also purchase an upgrade for your Firebox to use signature-based intrusion prevention. For more information, see the chapter “Signature-Based Intrusion Detection and Prevention” in this manual.

Using Default Packet Handling Options

The firewall examines the source and destination of each packet it receives. It looks at the IP address and the port number. The firewall also monitors the packets to look for patterns that can show that your network is at risk.

Default packet handling:
• Rejects a packet that can be a security risk, including packets that could be part of a spoofing attack or SYN flood attack
• Can automatically block all traffic to and from a source IP address
• Adds an event to the log file
• Sends an SNMP trap to the SNMP management server
• Sends a notification of possible security risks

You set all default packet handling options with the Default Packet Handling dialog box.

1 From Policy Manager, select Setup > Intrusion Prevention > Default Packet Handling.
or,
Click the default packet handling icon on the Policy Manager toolbar.
The Default Packet Handling dialog box appears.
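The pattern monitoring described in this chapter (watching source address, destination address and port to spot port or address space probes, then blocking the source and logging an event) can be sketched as follows. This is an added example, not WatchGuard code: the sliding-window method, the threshold values, the `ProbeDetector` name and the sample addresses are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Assumed values for illustration only; not Firebox defaults.
WINDOW_SECONDS = 1.0
PORT_PROBE_THRESHOLD = 10     # distinct ports on one destination, per source
ADDRESS_PROBE_THRESHOLD = 10  # distinct destination addresses, per source

class ProbeDetector:
    """Hypothetical detector: per-source sliding window over recent packets."""
    def __init__(self):
        self.recent = defaultdict(deque)  # src_ip -> (ts, dst_ip, dst_port)
        self.blocked = set()              # auto-blocked source addresses
        self.events = []                  # stand-in for the log file

    def handle(self, ts, src_ip, dst_ip, dst_port):
        """Return 'allow' or 'deny' for one packet."""
        if src_ip in self.blocked:
            return "deny"
        window = self.recent[src_ip]
        window.append((ts, dst_ip, dst_port))
        while ts - window[0][0] > WINDOW_SECONDS:  # drop expired entries
            window.popleft()
        ports_by_dst = defaultdict(set)
        for _, d, p in window:
            ports_by_dst[d].add(p)
        reason = None
        if max(len(s) for s in ports_by_dst.values()) >= PORT_PROBE_THRESHOLD:
            reason = "port space probe"
        elif len(ports_by_dst) >= ADDRESS_PROBE_THRESHOLD:
            reason = "address space probe"
        if reason is None:
            return "allow"
        self.blocked.add(src_ip)                   # block all further traffic
        self.events.append((ts, src_ip, reason))   # add an event to the log
        del self.recent[src_ip]
        return "deny"

def run_sample():
    """Constructed traffic using documentation address ranges."""
    det = ProbeDetector()
    packets = [(0.01 * i, "198.51.100.7", "192.0.2.10", 20 + i) for i in range(15)]
    packets += [(2 + 0.01 * i, "198.51.100.9", f"192.0.2.{i + 1}", 445) for i in range(12)]
    packets += [(4 + 0.5 * i, "203.0.113.5", "192.0.2.10", 443) for i in range(6)]
    return det, [det.handle(*p) for p in packets]

if __name__ == "__main__":
    det, verdicts = run_sample()
    print(verdicts.count("deny"), "denied;", det.events)
```

The ordinary client (repeated connections to one server on one port) is never flagged, while each probing source is blocked on the packet that crosses its threshold and stays blocked afterwards.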
