Product and Support News

Enhancements to Our Botnet Detection Service

WG Generic Circle

As part of our ongoing mission to enhance threat visibility and provide intelligent, proactive protection, WatchGuard is rolling out important updates to the Botnet Detection service on WatchGuard Firewalls.

These enhancements are designed to improve detection accuracy and expand the scope of threat intelligence, helping you identify more potentially malicious activity on your network. As a result, you may notice an increase in detection events, which is expected and reflects stronger visibility into emerging threats.

What’s Changing 

  1. Expanded Filtering of Threat Intelligence Feeds
    We’ve updated how we filter threat data from our Proofpoint integration, following new guidance from their team. This change triples the number of suspicious IP addresses we monitor in the Botnet Detection service.

    What to expect: You may see more botnet-related detections. This does not mean your network is under greater attack, it simply means your WatchGuard device now has a broader view of potentially risky activity.

  2. New Brute Force Threat Category
    We’re introducing a new category that flags IPs associated with brute-force login attempts, where attackers try to guess passwords to gain unauthorized access.

    Why it matters: This update helps you detect and stop credential-guessing activity earlier. We also strongly recommend enabling Multifactor Authentication (MFA) wherever possible to protect against these attacks.

  3. New Scanning Threat Category
    The Scanning category flags IPs known for performing reconnaissance scans, a common precursor to targeted attacks.

    How to manage it: While we recommend blocking these types of scans. WatchGuard maintains an allowlist of these trusted sources, and you can also manage custom exceptions through your device or WatchGuard Cloud.

What It Means for You

Don’t be alarmed by an increase in detections. These changes are expected and reflect improved visibility, not necessarily an increase in malicious activity. It’s important to review your Botnet Detection configuration and settings to ensure they match your organization’s needs and risk profile. 

TIP: WatchGuard Cloud users can activate ThreatSync to add context to Botnet detections. 

If you have questions about these changes or need support reviewing your detection policies, our support team and WatchGuard Partners are here to help.

Filed under: Network Security
Blog Home

Related Posts

WatchGuard Logo
Article

WatchGuard Fireware v12.11.2 Available Now

Article

WatchGuard Fireware v12.11.2 Available Now

At WatchGuard, security is our top priority. We're committed to providing our customers with the latest protection against evolving cyber threats. Today, we're pleased to announce the availability of Fireware v12.11.2, which addresses several bugs and some minor functional updates.

Which products are affected by this release?

  • T Series: T20, T25, T40, T45, T55, T70, T80, and T85
  • M Series: M270, M290, M370, M390, M470, M570, M590, M670, M690, M4600, M4800, M5600, and M5800
  • Firebox NV5, FireboxV, and Firebox Cloud

Upgrade Now and Stay Protected

We strongly recommend that all Firebox users upgrade to this update immediately. Upgrading to Fireware v12.11.2 is simple. Complete upgrade instructions and the firmware can be downloaded from the WatchGuard Software Downloads page. If you have Fireboxes connected to WatchGuard Cloud, you can upgrade the firmware immediately or schedule the upgrade for a future time.

Notable enhancements in this release include:

  • The Mobile VPN with SSL Client for macOS v12.11.2 now supports SAML authentication.
  • This release resolves a local privilege escalation vulnerability in the WatchGuard Mobile VPN with SSL client (CVE-2025-2781). View the full advisory details on psirt.watchguard.com. [WGSA-2025-00004]
  • This release resolves a local privilege escalation vulnerability in the WatchGuard Terminal Services Agent (CVE-2025-2782). View the full advisory details on psirt.watchguard.com. [WGSA-2025-00005]

For additional information on this update, please refer to the Fireware v12.11.2 Release Notes.

Stay Informed

WatchGuard is committed to keeping our customers informed about the latest security threats. For the most up-to-date information on vulnerabilities and how WatchGuard products address them, please visit our Trust Center. Please contact your local WatchGuard representative if you have any additional questions about this release. For Sales or Support questions, you can find phone numbers for your region online. If you contact WatchGuard Technical Support, please have your registered appliance Serial Number or Partner ID available. 

Read Article
WatchGuard Logo
Article

New Firmware Available: Fireware v12.11.1 Update 1

Article

New Firmware Available: Fireware v12.11.1 Update 1

The new firmware, v12.11.1 Update 1, is now available to address bug fixes and functional updates and improve the geolocation feature for Firebox. This feature, which was included in the February Fireware v12.11.1 release, now operates effectively for all Firebox users.

Which products are improved in this release?

  • T Series: T20, T25, T40, T45, T55, T70, T80, and T85
  • M Series: M270, M290, M370, M390, M470, M570, M590, M670, M690, M4600, M4800, M5600, and M5800
  • Firebox NV5, FireboxV, and Firebox Cloud

Customer and Partner Actions

We strongly recommend that all Firebox users upgrade to this new version immediately. The firmware along with upgrade instructions can be downloaded from the WatchGuard Software Downloads page.

For additional information on this update, please refer to the Fireware v12.11.1 Update 1 Release Notes.

Stay Informed

Please contact your local WatchGuard representative if you have any additional questions about this release. For Sales or Support questions, you can find phone numbers for your region online

If you contact WatchGuard Technical Support, please have your registered appliance Serial Number or Partner ID available. 

WatchGuard is committed to keeping our customers informed about the latest security threats. For the most up-to-date information on vulnerabilities and how WatchGuard products address them, please visit our Trust Center.

Read Article
WatchGuard Logo
Article

End of Life of the Fireware Data Loss Prevention Service

Article

End of Life of the Fireware Data Loss Prevention Service

Important Data Loss Prevention Update

On February 26, 2025, WatchGuard deprecated and removed the Data Loss Prevention service from Firebox Feature Keys, including license renewals for applicable models that previously supported the service.

Does this notice apply to me? 

This notice only applies to customers who use the Firebox Data Loss Prevention service. If you do not use the Data Loss Prevention service, you do not need to read further.

Affected models:

  • T Series: T35, T55, and T70
  • M Series: M270, M370, M470, M570,  M670, M4600, and M5600
  • FireboxV, and Firebox Cloud

Key Detail

WatchGuard’s contract for the Data Loss Prevention service on the Firebox ended in 2021 with expectations that WatchGuard would End of Life the service from any remaining Fireboxes. WatchGuard plans to remove the Data Loss Prevention options from Fireware UIs in an upcoming release, at which time those options will no longer be configurable.

Stay Informed

WatchGuard is committed to keeping our customers informed about the latest security threats. For the most up-to-date information on vulnerabilities and how WatchGuard products address them, please visit our Trust Center. Please contact your local WatchGuard representative if you have any additional questions about this release. For Sales or Support questions, you can find phone numbers for your region online. If you contact WatchGuard Technical Support, please have your registered appliance Serial Number or Partner ID available. 

Read Article
Blog Home