Watchguard Firebox X1000 User Manual page 216

Chapter 11: Intrusion Detection and Prevention
The WatchGuard Firebox System default packet handling
options provide a basic intrusion detection system by
blocking common and readily recognizable attacks such as
IP address spoofing and linear port space probes. The
intrusion detection capabilities of the Firebox, however, are
necessarily limited. The primary function of your firewall
is to examine and either allow or deny packets. Little extra
bandwidth is available to conduct sophisticated analysis of
traffic patterns.

LiveSecurity Service subscribers can download a command-line
utility called the Firebox System Intrusion Detection System
Mate (fbidsmate) that integrates the Firebox with most
commercial and shareware IDS applications. You use the
fbidsmate utility to configure your IDS to run scripts that
query the Firebox for information. Because versions are
available for Win32 (Windows NT, Windows 2000, and Windows XP),
SunOS, and Linux operating systems, you can select whatever IDS
application best suits your security policy and network
environments.

Working with an external IDS application, the Firebox can
automatically add sites to the Blocked Sites list. Timeouts
and blocked site exceptions work exactly as they do for
sites blocked using default packet handling options. Sites
added to the Blocked Sites list appear in the Firebox Monitors
Blocked Sites tab. In addition, you can use the utility to
add explanatory log messages to the log file which can
subsequently be used for reports.

Because the fbidsmate utility is external to the Firebox, no
changes in the configuration file are required, nor is there
anything additional to configure using Policy Manager.

To obtain a copy of the fbidsmate command-line utility that
matches the operating system on which your IDS application
is running, log in to your LiveSecurity Service account at:
https://www.watchguard.com/support
WatchGuard Firebox System
