Logging And Notification For Blocked Sites; Blocking Ports - Watchguard Firebox X1000 User Manual

Chapter 11: Intrusion Detection and Prevention

Logging and notification for blocked sites

From the Blocked Sites dialog box:
1 Click Logging.
The Logging and Notification dialog box appears.
2
In the Category list, click Blocked Sites.
3
Modify the logging and notification parameters
according to your security policy preferences.
For detailed instructions, see "Customizing Logging and
Notification by Service or Option" on page 215.

Blocking Ports

You can block ports to explicitly disable external network
services from accessing ports that are vulnerable as entry
points to your network. A blocked port setting takes prece-
dence over any of the individual service configuration set-
tings.
Like the Blocked Sites feature, the Blocked Ports feature
blocks only packets that enter your network through the
external interface. Connections between the optional and
Trusted interfaces are not subject to the Blocked Ports list.
You should consider blocking ports for several reasons:
• Blocked ports provide an independent check for
protecting your most sensitive services, even when
another part of the firewall is not configured correctly.
• Probes made against particularly sensitive services can
be logged independently.
• Some TCP/IP services that use port numbers above
1024 are vulnerable to attack if the attacker originates
the connection from an allowed well-known service
with a port number below 1024. These connections can
be attacked by appearing to be an allowed connection
in the opposite direction. You can prevent this type of
attack by blocking the port numbers of services whose
port numbers are under 1024.
188 WatchGuard Firebox System