About Default Packet Handling Options
When your Firebox receives a packet, it examines the source and destination for the packet. It looks at the IP address and the port number. The device also monitors the packets to look for patterns that can show your network is at risk. This process is called default packet handling.
Default packet handling can:
- Reject a packet that could be a security risk, including packets that could be part of a spoofing attack or SYN flood attack
- Automatically block all traffic to and from an IP address
- Add an event to the log file
- Send an SNMP trap to the SNMP management server
- Send a notification of possible security risks
Most default packet handling options are enabled in the default Firebox configuration. You can change the thresholds at which the Firebox takes action. You can also change the options selected for default packet handling.
The default packet handling options related to IPSec, IKE, ICMP, SYN, and UDP flood attacks apply to both IPv4 and IPv6 traffic. All other options apply only to IPv4 traffic.
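To make the threshold-and-action model described above concrete, here is an added illustration (constructed for this page, not WatchGuard code) of how a default packet handler can track per-source patterns, deny or auto-block offending sources, and record log events. Class and field names, thresholds, the packet dictionary layout, and the policy callback are assumptions made for the example.

```python
from collections import defaultdict, deque

# Hypothetical thresholds; a real Firebox exposes its own configurable values.
SYN_FLOOD_THRESHOLD = 5    # SYN packets from one source within the window
PORT_SCAN_THRESHOLD = 4    # distinct destination ports contacted by one source
WINDOW_SECONDS = 1.0


class DefaultPacketHandler:
    """Constructed model of default packet handling: examine source,
    destination and port, watch for risky patterns, and act on them."""

    def __init__(self):
        self.blocked = set()                  # auto-blocked source IPs
        self.log = []                         # (event, source) log entries
        self.syn_times = defaultdict(deque)   # recent SYN timestamps per source
        self.ports_seen = defaultdict(set)    # destination ports per source

    def _block_and_log(self, src, event):
        # Auto-block all further traffic from the source and log the event.
        self.blocked.add(src)
        self.log.append((event, src))
        return "deny"

    def handle(self, pkt, policy_allows):
        """Return 'allow' or 'deny' for one packet.
        pkt is a constructed dict: src, dst, dport, flags, ts (seconds)."""
        src = pkt["src"]
        if src in self.blocked:
            return "deny"                     # blocked sources are dropped outright
        # Port scan: one source touching many distinct destination ports.
        self.ports_seen[src].add(pkt["dport"])
        if len(self.ports_seen[src]) > PORT_SCAN_THRESHOLD:
            return self._block_and_log(src, "port_scan")
        # SYN flood: too many SYNs from one source inside the sliding window.
        if pkt["flags"] == "SYN":
            recent = self.syn_times[src]
            recent.append(pkt["ts"])
            while recent and pkt["ts"] - recent[0] > WINDOW_SECONDS:
                recent.popleft()
            if len(recent) > SYN_FLOOD_THRESHOLD:
                return self._block_and_log(src, "syn_flood")
        # Unhandled packet: matches no policy, so deny and log (no auto-block).
        if not policy_allows(pkt):
            self.log.append(("unhandled_packet", src))
            return "deny"
        return "allow"
```

Note that a denied unhandled packet is logged each time, whereas a flood or scan verdict blocks the source so that later packets are dropped without further pattern checks.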
Configure Default Packet Handling
To configure default packet handling, from Fireware Web UI:
- Select Firewall > Default Packet Handling.
The Default Packet Handling page appears.
- Select the check boxes for the traffic patterns you want to take action against, as explained in the topics listed after the Policy Manager steps below.
To configure default packet handling, from Policy Manager:
- Click .
Or, select Setup > Default Threat Protection > Default Packet Handling.
The Default Packet Handling dialog box appears.
- Select the check boxes for the traffic patterns you want to take action against, as explained in these topics:
- About Spoofing Attacks
- About IP Source Route Attacks
- About Port and IP Address Scans
- About Flood Attacks
- About Unhandled Packets
- About Distributed Denial-of-Service Attacks
Set Logging and Notification Options
The default device configuration tells the Firebox to send a log message when an event that is specified in the Default Packet Handling dialog box occurs.
Log messages for these events are enabled by default and cannot be disabled:
- IP and ARP Spoofing Attacks
- Port and Address scans
- IP Source Route
- Ping of Death
- IPSec, IKE, SYN, ICMP, UDP Flood Attacks
- DDOS Attack Source and Destination
Log messages for these events are enabled by default and can be disabled if required:
- Unhandled Internal and External Packet — An unhandled packet is a packet that does not match any policy rule. By default, the Firebox always denies unhandled packets and logs the occurrence.
Log messages for these events are disabled by default and can be enabled if required:
- Incoming and Outgoing Broadcasts — By default, allowed incoming and outgoing broadcasts are not logged. Enable this option to send log messages for these allowed broadcasts. Broadcasts that are allowed include DHCP (if the Firebox device is configured as a DHCP server), DHCP Relay, and BOVPN broadcast/multicast routing. Denied broadcasts are always logged by default.
To configure an SNMP trap or notification:
- Click Logging.
The Logging and Notification dialog box appears.
- Configure notification settings as described in Set Logging and Notification Preferences.
For more information, see About SNMP.