Intrusions (IPS) Report
Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes
The Intrusions (IPS) report shows a summary of intrusions on your network.
This report is available when log messages with data for this report exist in the specified time frame. To make sure that your Firebox sends log messages required to generate this report, follow the steps to Enable Logging for this Report.
How to Use this Report
This report can help you to find out more about threats blocked by the Intrusion Prevention Service. Here are some ways to use this report:
- Select the Signatures pivot to see the top blocked intrusion attacks on your network. You can use the IPS signature ID shown on this pivot and the Detail report to get more information about the threat in the WatchGuard Security Portal.
- Select the Source pivot to see the IP address or user name associated with the intrusion. For example, this could help you identify which computer or user triggered the intrusion.
- Select the Threat Level pivot to see the intrusions ranked by threat level.
- Select the Activity Trend pivot to see the number of intrusions detected and prevented over time.
- Select the Protocol pivot to identify the protocols associated with intrusion attacks.
View the Report
- Log in to WatchGuard Cloud.
- Select Monitor > Devices.
- Select a folder or a specific device.
- To select the report date range, click .
- From the Reports menu, select Services > Intrusions (IPS).
The Intrusions (IPS) report opens.
- To see reports for your Fireboxes or FireClusters, select Home > Devices.
The Devices list opens.
To see reports for your groups of Fireboxes, select Home > Groups.
The Groups list opens.
- Select the Name of a Firebox, cluster, or group.
The Tools > Executive Dashboard page opens.
- Select the Reports tab.
- Select Services > Intrusions (IPS).
The Intrusions (IPS) report opens.
Pivots
You can use pivots to change the view of the data on the report.
To switch to a different view, select a pivot from the drop-down list above the report.
This report includes these pivots:
Activity Trend
Summary report of the trend of intrusions on your network over time.
Protocol
Summary of the IPS actions, organized by the protocol used for the traffic.
Signatures
Summary of the IPS actions, organized by signature.
Source
Summary of the IPS actions, organized by the IP address where the traffic originated.
Threat Level
Summary of the IPS actions, organized by the threat level.
Intrusions (IPS) Report Detail View
To view a detailed report of all intrusions detected by IPS, click View Details at the top of the report.
The Intrusions (IPS) Detail report includes a row for each threat detected by IPS:
Column | Description |
---|---|
Disposition | Action taken by the Firebox for this traffic, such as Denied or Allowed |
Time | Date and time that the action occurred |
Threat Level | Severity of the threat: Critical, High, Medium, Low, or Information |
Name | Name of the file that was identified as a threat |
Category | Type of threat, such as Virus/Worm |
Source | IP address of the traffic source |
Destination | IP address of the traffic destination |
Policy | Name of the Firebox policy that examined the traffic |
Protocol | Protocol used to send the traffic |
Hits | Number of hits |
More Information | In Dimension, click Security Portal in this column to view more information about the threat on WatchGuard Security Portal. |
Signature | Signature ID of the threat |
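
The following is an added example, not WatchGuard code: it reproduces the Signatures and Source pivots over Detail rows offline and lists intrusions whose Disposition is Allowed at threat level High or above, which are the rows to review first. It assumes the rows were copied out as CSV with the column names from the table above; the CSV layout, the sample rows, and the function names are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows. Column names follow the Detail view table; the CSV
# layout is an assumption, and all values are made up (documentation addresses).
SAMPLE_CSV = """Disposition,Time,Threat Level,Name,Category,Source,Destination,Policy,Protocol,Hits,Signature
Denied,2024-05-01 10:02:11,Critical,Example-Sig-A,Web Attack,198.51.100.7,192.0.2.10,HTTP-proxy,http/tcp,12,1000001
Allowed,2024-05-01 10:05:40,High,Example-Sig-B,Web Attack,198.51.100.7,192.0.2.10,HTTP-proxy,http/tcp,3,1000002
Denied,2024-05-01 11:15:02,Low,Example-Sig-C,Misc,203.0.113.9,192.0.2.20,DNS,dns/udp,40,1000003
Allowed,2024-05-01 11:20:19,Information,Example-Sig-D,Misc,203.0.113.9,192.0.2.20,DNS,dns/udp,5,1000004
Denied,2024-05-01 12:00:00,High,Example-Sig-B,Web Attack,203.0.113.50,192.0.2.10,HTTP-proxy,http/tcp,2,1000002
"""

# Threat levels exactly as listed in the Detail view, most severe first.
LEVELS = ["Critical", "High", "Medium", "Low", "Information"]


def load_rows(text):
    """Parse Detail rows, validate the threat level, and convert Hits to int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        if row["Threat Level"] not in LEVELS:
            raise ValueError(f"unknown threat level: {row['Threat Level']!r}")
        row["Hits"] = int(row["Hits"])
    return rows


def pivot(rows, column):
    """Total hits per value of one column (like a report pivot), highest first."""
    totals = defaultdict(int)
    for row in rows:
        totals[row[column]] += row["Hits"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def allowed_at_or_above(rows, level="High"):
    """Rows IPS matched but did not block, at the given threat level or worse."""
    cutoff = LEVELS.index(level)
    hits = [r for r in rows
            if r["Disposition"] == "Allowed" and LEVELS.index(r["Threat Level"]) <= cutoff]
    return sorted(hits, key=lambda r: (LEVELS.index(r["Threat Level"]), -r["Hits"]))


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print("By signature:", pivot(rows, "Signature"))
    for r in allowed_at_or_above(rows):
        print("REVIEW:", r["Time"], r["Signature"], r["Source"], "->", r["Destination"], r["Policy"])
```
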
Enable Logging for this Report
Logging for cloud-managed Fireboxes is automatically enabled. For locally-managed Fireboxes, you must manually enable logging in Fireware Web UI or Policy Manager. For more information, see Set Logging and Notification Preferences.
To collect the data required for this report for locally-managed Fireboxes, in Fireware Web UI or Policy Manager:
- In the Intrusion Prevention settings on the Firebox, select the Log check box for threat levels with the Block and Drop actions. For more information, see Configure Intrusion Prevention.