Very often while performing reviews of WatchGuard firewalls, I find a huge hole in the device’s security. One of the newer services that WatchGuard has implemented is APT Blocker, whose purpose is to look for Advanced Persistent Threats. These threats, or zero-day malware, are unique and highly dangerous because they haven’t yet been identified. This means that signature-based services such as Intrusion Prevention and Gateway Antivirus can’t do anything about them, because they have nothing on record saying the threat exists.
APT Blocker creates a sandbox, or “testing” environment, for your firewall. When enabled, this sandbox lets unknown files and attachments do whatever they want without affecting your actual network. Configured properly, when a file or attachment causes damage in the sandbox, you will be alerted immediately so you can take action and protect your network. This service works really well, but most people miss a step during setup, rendering the service useless. One of the biggest things that people miss is that this service actually relies on Gateway Antivirus, because the two use the same scanning engine. So first, make sure your GAV is enabled on all available proxies.
The next step is where a lot of people get confused. When you go into the APT Blocker settings, there is a checkbox to enable it. Don’t stop here, because you’re not done! Next, you have to actually enable APT Blocker on the policies themselves.
Think you’re done now? Well, not quite. This is actually the most important step. The thing about APT Blocker is that it doesn’t actually stop the threat. Its job is simply to identify the risk. It is relying on you to take care of the problem. However, you can only do that if you know about it. So, before you save your policy, make sure you enable email notifications. Then, make sure you have a Dimension server configured that can send you that email. Once you have done all of this, APT Blocker will be configured correctly, and it will greatly increase your ability to prevent threats on your network.
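The five conditions above form a dependency chain, and a missing link anywhere in it leaves APT Blocker silently doing nothing. The script below is an added example (not WatchGuard’s own tooling and not the Fireware configuration export format) that encodes that chain as an audit over a constructed, simplified representation of a firewall configuration: a misconfigured sample next to a correctly configured one, with each finding naming the step from this post that was skipped.

```python
"""Audit the APT Blocker dependency chain described in the post.

Added example: the FirewallConfig/Proxy layout is a constructed, simplified
model of the settings discussed above. It is NOT the Fireware XML export
schema; to use it on a real device, map the real export into this model.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Proxy:
    """One proxy policy (HTTP-proxy, SMTP-proxy, ...) and its per-policy switches."""
    name: str
    gav_enabled: bool   # Gateway AntiVirus enabled on this proxy
    apt_enabled: bool   # APT Blocker enabled on this policy


@dataclass
class FirewallConfig:
    """Constructed, simplified view of the global settings the post relies on."""
    apt_blocker_global: bool          # the global APT Blocker checkbox
    apt_email_notification: bool      # email notification on APT detections
    dimension_server: Optional[str]   # log/notification server, None if unset
    proxies: List[Proxy] = field(default_factory=list)


def audit_apt_blocker(cfg: FirewallConfig) -> List[str]:
    """Return one finding per broken link in the chain; empty list means OK."""
    findings: List[str] = []

    # Step 0: APT Blocker shares its scan engine with GAV, so GAV must be on
    # for every proxy, regardless of anything else.
    for p in cfg.proxies:
        if not p.gav_enabled:
            findings.append(
                f"proxy {p.name}: Gateway AntiVirus is disabled, so APT Blocker "
                "has no scan engine to run on")

    # Step 1: the global checkbox.
    if not cfg.apt_blocker_global:
        findings.append("APT Blocker is not enabled in the global settings")

    # Step 2: the global checkbox alone does nothing; each policy opts in.
    for p in cfg.proxies:
        if not p.apt_enabled:
            findings.append(f"proxy {p.name}: APT Blocker is not enabled on this policy")

    # Steps 3 and 4: detection without notification is invisible to the admin.
    if not cfg.apt_email_notification:
        findings.append("APT Blocker email notification is disabled; detections go unseen")
    if not cfg.dimension_server:
        findings.append("no Dimension server configured to deliver the notification email")

    return findings


# Constructed sample: the common mistake, global checkbox ticked and nothing else.
EXAMPLE_BROKEN = FirewallConfig(
    apt_blocker_global=True,
    apt_email_notification=False,
    dimension_server=None,
    proxies=[
        Proxy("HTTP-proxy", gav_enabled=True, apt_enabled=True),
        Proxy("SMTP-proxy", gav_enabled=False, apt_enabled=False),
    ],
)

# Constructed sample: every link in the chain present.
EXAMPLE_FIXED = FirewallConfig(
    apt_blocker_global=True,
    apt_email_notification=True,
    dimension_server="dimension.example.internal",  # placeholder hostname
    proxies=[
        Proxy("HTTP-proxy", gav_enabled=True, apt_enabled=True),
        Proxy("SMTP-proxy", gav_enabled=True, apt_enabled=True),
    ],
)


if __name__ == "__main__":
    for label, cfg in (("broken", EXAMPLE_BROKEN), ("fixed", EXAMPLE_FIXED)):
        result = audit_apt_blocker(cfg)
        print(f"[{label}] {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

The audit deliberately reports every missing link rather than stopping at the first one, because the fixes live in different places (proxy actions, the global APT Blocker dialog, the policy, and the logging setup) and an admin working through the list wants all of them at once.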