Botnet Detection Report

Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes

The Botnet Detection report shows a summary of activity on your network related to botnet sites. The report includes the top blocked botnet sites, clients blocked, and the destinations botnet sites tried to connect to.

This report is available when log messages with data for this report exist in the specified time frame. To make sure that your Firebox sends log messages required to generate this report, follow the steps to Enable Logging for this Report.

How to Use this Report

This report can help you to understand botnet activity on your network. Here are some ways to use this report:

  • Select the Botnet Detection by Client pivot to identify clients that were blocked before they connected to botnet sites.
  • Select the Blocked Botnet Sites pivot to see a list of the top botnet destinations.
  • Use the Detail report to see which protocols are associated with connections to botnet applications.

View the Report

This report is available in WatchGuard Cloud and in Dimension.

Pivots

You can use pivots to change the view of the data on the report.

To switch to a different view, select a pivot from the drop-down list above the report.

This report includes these pivots:

Activity Trend

Summary report of a trend of the sites that were scanned in relation to the number of blocked botnet sites.

Blocked Botnet Sites

Summary report of the top 50 blocked botnet sites.

Botnet Detection by Client

Summary report of all the activity on your network related to botnet sites, by client. Summary data shows the top 50 clients that were blocked before they connected to botnet sites.

Botnet Detection by Destination

Summary report of all the activity on your network related to botnet sites, by destination. Summary data shows the top 50 destinations that botnet sites tried to connect to and were blocked.

Botnet Detection Report Detail View

To view a detailed report of all botnet activity on your network, click View Details at the top of the report.

The Botnet Detection Detail report includes a row for each instance of botnet activity detected on your network:

| Column | Description |
| --- | --- |
| First Action At | Date and time when the traffic was first detected |
| Source | IP address of the traffic source |
| Destination | IP address of the traffic destination |
| Attempts | Number of attempts made to send traffic to the botnet site |
| Protocol | Protocol used to send the traffic |
| Botnet | Indicates whether the botnet address was the source or destination of the traffic |
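
One way to triage Detail report rows outside the UI, shown as an added example that is not WatchGuard code: it uses the Botnet column to decide which address is the local host, then ranks local hosts by total attempts in each direction. The CSV layout, the `Source`/`Destination` values in the Botnet column, the protocol strings, and the sample rows are all assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows that reuse the Detail report's column names.
# The CSV layout and the Botnet/Protocol values are assumptions, not a
# documented export format.
SAMPLE = """First Action At,Source,Destination,Attempts,Protocol,Botnet
2024-05-01 09:12:03,10.0.1.23,203.0.113.45,14,udp,Destination
2024-05-01 09:15:47,10.0.1.23,198.51.100.7,6,tcp,Destination
2024-05-01 10:02:11,10.0.2.40,203.0.113.45,3,tcp,Destination
2024-05-01 11:30:59,192.0.2.99,10.0.0.5,21,tcp,Source
"""


def _new_entry():
    return {"attempts": 0, "sites": set(), "protocols": set()}


def triage(csv_text, top=50):
    """Return (outbound, inbound) lists of (local_host, stats), highest attempts first.

    outbound: the botnet address was the destination, so Source is the local client.
    inbound:  the botnet address was the source, so Destination is the local host.
    """
    outbound, inbound = defaultdict(_new_entry), defaultdict(_new_entry)
    for row in csv.DictReader(io.StringIO(csv_text)):
        role = row["Botnet"].strip().lower()
        if role == "destination":
            bucket, local, site = outbound, row["Source"], row["Destination"]
        elif role == "source":
            bucket, local, site = inbound, row["Destination"], row["Source"]
        else:
            raise ValueError(f"unexpected Botnet value: {row['Botnet']!r}")
        entry = bucket[local]
        entry["attempts"] += int(row["Attempts"])
        entry["sites"].add(site)
        entry["protocols"].add(row["Protocol"])

    def rank(bucket):
        ordered = sorted(bucket.items(), key=lambda kv: (-kv[1]["attempts"], kv[0]))
        return ordered[:top]

    return rank(outbound), rank(inbound)


if __name__ == "__main__":
    out, inc = triage(SAMPLE)
    for label, rows in (("outbound", out), ("inbound", inc)):
        for host, s in rows:
            print(label, host, s["attempts"], sorted(s["sites"]), sorted(s["protocols"]))
```

A local client that appears in the outbound list with many attempts across several botnet sites is a candidate for closer inspection, even though the connections were blocked.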

Enable Logging for this Report

Logging for cloud-managed Fireboxes is automatically enabled. For locally-managed Fireboxes, you must manually enable logging in Fireware Web UI or Policy Manager. For more information, see Set Logging and Notification Preferences.

To collect the data required for this report from locally-managed Fireboxes, confirm these requirements in Fireware Web UI or Policy Manager:

  • The device feature key must support the Reputation Enabled Defense (RED) security service.
  • The Botnet Detection security service must be enabled. For more information, see Configure Botnet Detection.

Related Topics

WatchGuard Cloud Device Reports List