Very often while performing reviews of WatchGuard firewalls, I find a huge hole in the device’s security.  One of the newer services that WatchGuard has implemented is APT Blocker, whose purpose is to look for Advanced Persistent Threats.  These threats, or zero-day malware, are unique and highly dangerous because they haven’t yet been identified.  This means that services such as Intrusion Prevention and Gateway Antivirus can’t do anything about them, because they don’t know they exist.

APT Blocker creates a sandbox, or “testing”, environment for your firewall.  When enabled, this sandbox environment that the WatchGuard firewall creates, lets unknown files and attachments do whatever they want without it affecting your actual network.  Configured properly, when a file or attachment causes damage in the sandbox, you will be alerted immediately so you can take action and protect your network.  This service works really well, but most people miss a step during setup, rendering the service useless.  One of the biggest things that people miss is that this service actually relies on Gateway Antivirus, because they use the same scanning engine.  So first, make sure your GAV is enabled on all available proxies.

The next step is where a lot of people get confused.  When you go into the APT Blocker settings, there is a checkbox to enable it.  Don’t stop here, because you’re not done!  Next, you have to actually enable APT Blocker on the policies themselves.