Explore and Analyze Watchguard Firewall Events

After Logpoint ingests WatchGuard Firewall logs:

  • Use Search to access and examine events.

  • View events in real time through Dashboards.

  • Generate Reports for compliance and trend analysis.

  • Configure Alerts to get notified of critical or suspicious activity.

Use the following queries to explore common WatchGuard Firewall events:

All WatchGuard logs
    col_type = "watchguard" OR norm_id = "Watchguard*"

Denied connections
    norm_id = "Watchguard*" action = "deny"

Allowed connections
    norm_id = "Watchguard*" action = "allow"

IPS detections
    norm_id = "Watchguard*" signature_name = *

Virus detections
    norm_id = "Watchguard*" label = "Virus"

Failed authentication
    norm_id = "Watchguard*" label = "Authentication" label = "Fail"

Successful authentication
    norm_id = "Watchguard*" label = "Authentication" label = "Success"

Port scan detections
    norm_id = "Watchguard*" (label = "Port" AND label = "Scan")

DDoS attacks
    norm_id = "Watchguard*" label = "DDOS"

Flood attacks
    norm_id = "Watchguard*" label = "Flood"

VPN events
    norm_id = "Watchguard*" (label = "VPN" OR label = "IPSec")

Temporary blocked IPs
    norm_id = "Watchguard*" message_id = "3001-1001"

HTTP proxy denials
    norm_id = "Watchguard*" message_id IN ["1AFF-0021", "1AFF-0022"]

APT threats
    norm_id = "Watchguard*" (message_id = "1AFF-0034" OR label = "APT")

DLP violations
    norm_id = "Watchguard*" (message_id = "1AFF-002F" OR label = "DLP")

Configuration changes
    norm_id = "Watchguard*" (message_id = "0101-0001" OR label = "Configuration")

Cluster failover events
    norm_id = "Watchguard*" (message_id = "3900-0007" OR label = "Failover")

High bandwidth usage
    norm_id = "Watchguard*"

Top denied destination ports
    norm_id = "Watchguard*" action = "deny"


Dashboards

LP_WatchGuard Firewall Dashboard

The LP_WatchGuard Firewall dashboard provides a comprehensive overview of WatchGuard Firewall activity across your environment, showing patterns in connection attempts, security threats, user authentication, content filtering, intrusion prevention, and bandwidth consumption. It helps you monitor overall security posture, track denied and allowed traffic, identify intrusion attempts, investigate authentication failures, and review content filtering effectiveness.

Dashboard Widgets:

Top 10 Denied Connection
    The top ten denied connections, by source and destination address, that attempted to reach confidential content or content classified as potentially dangerous or inappropriate.

Firewall Action on Connection-List
    A list of WatchGuard Firewall actions (allowed, denied or deleted) on connections, by source interface, destination interface, action, protocol, source address and destination address.

Firewall Action on Connection
    The firewall actions (allowed, denied and error) taken on HTTP requests, by source and destination address.

Firewall Error Message
    Firewall error messages, such as an error binding to a client or a MIME header error, which indicate incorrect settings or a software conflict.

Failed User Authentication
    Users who failed to authenticate, by user and host.

Successful User Authentication
    Users who authenticated successfully with valid credentials.

Firewall Action-Timetrend
    A time trend of firewall actions, showing how they change over time.

Top 10 Allowed Source Addresses
    The top ten source addresses from which traffic originated and whose connections were allowed.

Top 10 Denied Source Addresses
    The top ten source addresses whose connections were denied, protecting restricted data and conserving internal network resources by stopping spam messages.

Top 10 Denied Destination Addresses
    The top ten destination addresses to which connections were denied.

All Connection Logs-Timetrend
    A time trend of allowed and denied WatchGuard Firewall connection logs, showing how they change over time.

Top 10 Allowed Destination Addresses
    The top ten destination addresses to which connections were allowed.

Top 10 Temporary Blocked IPs
    The top ten IP addresses temporarily blocked for violating a firewall or server rule.

HTTP Proxy Denied by Content Type
    User requests from web browsers to the internet that the HTTP proxy denied, by content type and rule. The HTTP proxy routes these requests and supports rapid data caching.

HTTP Proxy Denied by Content Type-List
    A list of requests for potentially dangerous or inappropriate content that the HTTP proxy denied, by timestamp, process, action, content type, rule, source address, destination address and message.

Top 10 IPS Detected by Signature Name
    The top ten Intrusion Prevention Service (IPS) detections by signature name. IPS provides real-time protection against network attacks, including spyware, SQL injection, cross-site scripting and buffer overflows, and can be either host-based or network-based.

Top 10 Denied Connection by Rule
    The top ten denied connections by the customized firewall rule against which the proxy compared the traffic.

Top 10 HTTP Proxy Denied by Reason
    The top ten HTTP proxy requests denied by a remote web server, with the reason.

Top 10 HTTP Proxy Denied by Category
    The top ten HTTP proxy requests denied by a remote web server, with the category.

Top 10 Denied Connection by Category and Application
    The top ten denied connections by category and application.

Denied Connections by Category and Application-List
    A list of connections denied by the WatchGuard Firewall, by source address, destination address, category, application, message and rule.

Top 10 Denied Destination Ports Without External Interface
    The top ten destination ports on which data was denied because there is no external interface, that is, an interface with an IP address used to connect to the internet or a wide area network (WAN).

Denied Destination Port without External Interface-List
    A list of denied destination ports without an external interface, by source interface, destination interface, source address, destination address, destination port and protocol.

Virus Detected-List
    A list of detected viruses by source address, destination address and URL.

Service Reputation Enabled Defense
    URL reputation as good, bad or unknown (Inconclusive is -1, OK is a score of 0-10, AV Scan is 11-89 and Bad is 90-100). For this widget to work, you need a Watchguard_Reputation table containing the reputations and their corresponding score ranges.

Sent vs Received Data-Timetrend
    A time trend of sent versus received data size in MB, showing how they change over time.

Outbound Connections by Datasize
    Outbound connections, by data size in MB, originated by users inside the network to reach websites and other resources outside the network perimeter.

Adding WatchGuard Firewall Dashboard

  1. Navigate to Settings >> Knowledge Base >> Dashboards.

  2. Select VENDOR DASHBOARD from the dropdown.

  3. Click the Use icon under Actions of the LP_WatchGuard Firewall dashboard.

  4. Click Choose Repos.

  5. Select the repository configured for WatchGuard Firewall logs and click Done.

  6. Select the dashboard and click Ok.

The dashboard will appear under Dashboards. You can view details about each widget by clicking the Info icon.


Reports

The WatchGuard Firewall integration supports report generation, providing time-bound summaries and trend analyses of security events, traffic patterns, and firewall activity.

Generating WatchGuard Firewall Reports

  1. Access Report Templates

    1. Go to Reports >> Reports Templates.

    2. Select VENDOR REPORT TEMPLATES from the dropdown.

    3. Locate WatchGuard Firewall report templates.

  2. Run Report

    1. Click the Run This Report icon.

    2. Configure report parameters:

      • Repos: Select WatchGuard Firewall log repos.

      • Time Zone: Set appropriate timezone.

      • Time Range: Define the analysis period.

      • Export Type: Choose PDF or HTML format.

      • Email: Specify recipients.

  3. Access Generated Reports

    1. View report generation status under Report Jobs.

    2. Download completed reports from Inbox in PDF or HTML format.


Alerts

WatchGuard Firewall integrates with Logpoint's alerting system to notify you about critical security and operational events based on firewall detections.

Configuring Custom Alerts

You can create custom alert rules for WatchGuard Firewall events:

  1. Go to Settings >> Knowledge Base from the navigation bar and click Alert Rules.

  2. Click Add to create a new alert rule.

  3. Configure the alert with appropriate queries for WatchGuard events.

Example Alert Queries:

Port scan detection
    norm_id = "Watchguard*" message_id = "3000-0159"
    ATT&CK mapping: Discovery: Network Service Scanning (T1046)

DDoS attacks
    norm_id = "Watchguard*" (message_id IN ["3000-0161", "3000-0160"])
    ATT&CK mapping: Impact: Network Denial of Service (T1498)

Flood attacks
    norm_id = "Watchguard*" (message_id IN ["3000-0162", "3000-0164", "3000-0165", "3000-0163", "3000-0166"])
    ATT&CK mapping: Impact: Network Denial of Service (T1498)

IP spoofing detection
    norm_id = "Watchguard*" message_id = "3000-0169"
    ATT&CK mapping: Defense Evasion: Network Boundary Bridging (T1599)

ARP spoofing attack
    norm_id = "Watchguard*" message_id = "3000-012C"
    ATT&CK mapping: Defense Evasion: Network Boundary Bridging (T1599)

Multiple failed authentications
    norm_id = "Watchguard*" (message_id IN ["0900-0004", "1100-0005", "3E00-0003"]) | chart count() by user, source_address | search count > 5
    ATT&CK mapping: Credential Access: Brute Force (T1110)

Temporary IP blocks
    norm_id = "Watchguard*" message_id = "3001-1001"
    ATT&CK mapping: Impact: Account Access Removal (T1531)

IPS high severity events
    norm_id = "Watchguard*" message_id = "3000-0150" severity IN [0, 1, 2, 3]
    ATT&CK mapping: Discovery, Defense Evasion: Exploitation (T1211)

Virus detection
    norm_id = "Watchguard*" (message_id IN ["1AFF-0028", "1BFF-000C", "1CFF-000E"])
    ATT&CK mapping: Defense Evasion: Exploitation (T1211)

APT threat detection
    norm_id = "Watchguard*" (message_id IN ["0F00-0015", "1AFF-0034", "1BFF-0028", "1CFF-0015", "21FF-001F"])
    ATT&CK mapping: Initial Access: Phishing (T1566)

DLP violations
    norm_id = "Watchguard*" (message_id IN ["1AFF-002F", "1BFF-0024", "1CFF-0011"])
    ATT&CK mapping: Exfiltration: Automated Exfiltration (T1020)

VPN tunnel failures
    norm_id = "Watchguard*" (message_id IN ["021A-0004", "021A-0013", "0203-0013"])
    ATT&CK mapping: Initial Access: Valid Accounts (T1078)

Cluster failover events
    norm_id = "Watchguard*" message_id = "3900-0007"
    ATT&CK mapping: Impact: Service Stop (T1489)

Configuration changes
    norm_id = "Watchguard*" message_id = "0101-0001"
    ATT&CK mapping: Impact, Persistence: Account Manipulation (T1098)

Admin authentication failures
    norm_id = "Watchguard*" message_id = "1100-000C"
    ATT&CK mapping: Credential Access: Valid Accounts (T1078)

License expiration warning
    norm_id = "Watchguard*" (message_id IN ["0102-0003", "0102-0005"])
    ATT&CK mapping: Impact: Service Stop (T1489)
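To check what the alert queries above actually fire on before deploying them, it helps to model them offline against known input. The following is an added example, not Logpoint's or WatchGuard's own code: it re-implements the "Multiple failed authentications" rule (filter on the page's message IDs, count by user and source address, keep counts over 5) and the "IPS high severity events" rule over a handful of constructed, already-normalized events. The field names follow the queries on this page; the norm_id value "WatchguardFirewall", the sample users and addresses, and the case-insensitive prefix interpretation of the "Watchguard*" wildcard are assumptions made for the example.

```python
"""Offline model of two WatchGuard alert queries (example code added to this
page; not Logpoint's or WatchGuard's own). Events are modelled as dicts with
the normalized field names used in the page's queries."""
from collections import Counter

# Message IDs copied from the alert table on this page.
FAILED_AUTH_IDS = {"0900-0004", "1100-0005", "3E00-0003"}
IPS_EVENT_ID = "3000-0150"
HIGH_SEVERITY = {0, 1, 2, 3}
BRUTE_FORCE_THRESHOLD = 5  # the alert's trailing "search count > 5"


def is_watchguard(event):
    """Model of norm_id = "Watchguard*". Treating the wildcard as a
    case-insensitive prefix match is an assumption of this example."""
    return str(event.get("norm_id", "")).lower().startswith("watchguard")


def failed_auth_counts(events):
    """Model of `... | chart count() by user, source_address`, restricted to
    WatchGuard events carrying one of the failed-authentication message IDs."""
    counts = Counter()
    for ev in events:
        if is_watchguard(ev) and ev.get("message_id") in FAILED_AUTH_IDS:
            counts[(ev.get("user"), ev.get("source_address"))] += 1
    return counts


def brute_force_candidates(events, threshold=BRUTE_FORCE_THRESHOLD):
    """Model of `| search count > 5`: (user, source_address, count) tuples
    whose failure count exceeds the threshold, sorted for stable output."""
    return sorted(
        (user, src, n)
        for (user, src), n in failed_auth_counts(events).items()
        if n > threshold
    )


def ips_high_severity(events):
    """Model of `message_id = "3000-0150" severity IN [0, 1, 2, 3]`.
    Events with no severity field do not match, as in the query."""
    return [
        ev for ev in events
        if is_watchguard(ev)
        and ev.get("message_id") == IPS_EVENT_ID
        and ev.get("severity") in HIGH_SEVERITY
    ]


def sample_events():
    """Constructed sample input (not real log data): six failures for alice
    from one address (over the threshold), four for bob (under it), seven
    failures for alice from a non-WatchGuard source that the norm_id filter
    must drop, and two IPS events of which only one is high severity."""
    events = []
    for _ in range(6):
        events.append({"norm_id": "WatchguardFirewall", "message_id": "1100-0005",
                       "user": "alice", "source_address": "198.51.100.7"})
    for _ in range(4):
        events.append({"norm_id": "WatchguardFirewall", "message_id": "0900-0004",
                       "user": "bob", "source_address": "198.51.100.9"})
    for _ in range(7):
        events.append({"norm_id": "OtherVendor", "message_id": "1100-0005",
                       "user": "alice", "source_address": "198.51.100.7"})
    events.append({"norm_id": "WatchguardFirewall", "message_id": "3000-0150",
                   "severity": 1, "signature_name": "constructed-signature-a"})
    events.append({"norm_id": "WatchguardFirewall", "message_id": "3000-0150",
                   "severity": 4, "signature_name": "constructed-signature-b"})
    return events


if __name__ == "__main__":
    evs = sample_events()
    print("brute force candidates:", brute_force_candidates(evs))
    print("high-severity IPS events:", len(ips_high_severity(evs)))
```

The non-WatchGuard events in the sample are there deliberately: without the norm_id filter, alice's count would be 13 instead of 6, which is the kind of cross-source double counting that makes a threshold alert noisy when several firewall vendors feed the same repository.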
