WatchGuard Support Center

000008382
Best practices and troubleshooting tips for APT Blocker

Information
What are some best practices for configuring and troubleshooting APT Blocker?

Best Practices for APT Blocker

Suggested Configuration

  • Enable APT Blocker on proxy policies for HTTP, FTP, and SMTP traffic.
  • Even low-level malware detected by APT Blocker is a threat to your network, so use the Drop action for all threat levels in the global APT Blocker configuration.
  • For best results, make sure your Firebox device is configured to use an NTP server to ensure the time on your device matches the Lastline cloud servers.
For more information on how to configure APT Blocker, see Configure APT Blocker.

Enable Logging for Reports

To make sure APT Blocker activity is logged for reports:

All reports for APT Blocker are available in WatchGuard Dimension.

APT Blocker activity appears in these Dimension utilities and reports:

  • Security Dashboard
  • Executive Summary Report
  • APT Blocker Summary and Detail Reports
  • PCI Compliance Report
For more detailed information on Dimension reports and their contents, see About Dimension Reports.

Enable APT Blocker Notifications

When an APT malware threat is detected, it is very important that you are notified of the event.

To configure APT Blocker notifications:
  • Select the Alarm check box when you configure APT Blocker Threat Actions.
  • Click Notification Settings to configure the types of alerts you want to receive when an APT is detected.
For more information, see Set Logging and Notification Preferences.

Processing Order and Actions

Incoming files are processed by security services in this order:

Gateway AntiVirus > APT Blocker > Data Loss Prevention

APT Blocker checks only occur when the file is allowed by Gateway AntiVirus scanning. Data Loss Prevention actions are only applied if Gateway AV or APT Blocker allowed the file.

The maximum size of files that APT Blocker sends to Lastline for analysis is based on the Gateway AntiVirus scan limit. Lastline accepts files of up to 10 MB in size for analysis. If you set the Gateway AntiVirus scan limit higher than 10 MB, APT Blocker does not send files larger than 10 MB to Lastline and instead generates the log message "file size exceeds the submission size limit".

Troubleshoot APT Blocker File Submission

When a file is first examined, APT Blocker checks its MD5 hash. If the hash does not match any previously analyzed file, the file must be submitted to the Lastline data center for analysis.

When the file is submitted successfully, it is assigned a task UUID as a reference, which is included in the log message:

Allow 2-Internal-traffic 4-External-traffic tcp 192.168.2.20 192.168.3.30 34063 80 msg="ProxyAllow: HTTP File submitted to APT analysis server" proxy_act="HTTP-Client.1" host="192.168.3.30" path="/test/sample.exe" md5="dd0af53fec2267757cd90d633acd549a" task_uuid="35c8ac1aaeee4e5186d584318deb397b" (HTTP-proxy-00)

When a submitted file is identified as a threat by the Lastline data center, this event log message is generated to inform you that the APT Blocker notification has been sent.

APT threat notified. Details='Policy Name: HTTPS-proxy-00 Reason: high APT threat detected Task_UUID: d09445005c3f4a9a9bb78c8cb34edc2a Source IP: 10.0.1.2 Source Port: 43130 Destination IP: 67.228.175.200 Destination Port: 443 Proxy Type: HTTP Proxy Host: analysis.lastline.com Path: /docs/lastline-demo-sample.exe'

This type of log message appears when APT Blocker detects a threat. The log message specifies the threat level, threat name, threat class, malicious activities, destination hostname, and URI path.

Deny 2-Internal-traffic 4-External-traffic tcp 192.168.2.20 192.168.3.30 48120 80 msg="ProxyDrop: HTTP APT Detected" proxy_act="HTTP-Client.1" host="192.168.3.30" path="/apt_sample.exe" md5="2e77cadb722944a3979571b444ed5183"
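To turn the three log message types above into something a SOC can act on, here is an added Python example (not WatchGuard's code) that parses the key="value" proxy lines and the Details='...' notification line, then correlates submissions with verdicts by task UUID so that files submitted with no verdict yet stand out as pending. It assumes the field layouts shown above; the sample lines are the article's own examples.

```python
import re

# Sample Firebox log lines copied from the article above (its example hashes/UUIDs).
SAMPLE_LOGS = [
    'Allow 2-Internal-traffic 4-External-traffic tcp 192.168.2.20 192.168.3.30 34063 80 '
    'msg="ProxyAllow: HTTP File submitted to APT analysis server" proxy_act="HTTP-Client.1" '
    'host="192.168.3.30" path="/test/sample.exe" md5="dd0af53fec2267757cd90d633acd549a" '
    'task_uuid="35c8ac1aaeee4e5186d584318deb397b" (HTTP-proxy-00)',
    "APT threat notified. Details='Policy Name: HTTPS-proxy-00 Reason: high APT threat detected "
    "Task_UUID: d09445005c3f4a9a9bb78c8cb34edc2a Source IP: 10.0.1.2 Source Port: 43130 "
    "Destination IP: 67.228.175.200 Destination Port: 443 Proxy Type: HTTP Proxy Host: "
    "analysis.lastline.com Path: /docs/lastline-demo-sample.exe'",
    'Deny 2-Internal-traffic 4-External-traffic tcp 192.168.2.20 192.168.3.30 48120 80 '
    'msg="ProxyDrop: HTTP APT Detected" proxy_act="HTTP-Client.1" host="192.168.3.30" '
    'path="/apt_sample.exe" md5="2e77cadb722944a3979571b444ed5183"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')                 # key="value" pairs in proxy log lines
DETAIL_KEYS = ["Policy Name", "Reason", "Task_UUID", "Source IP", "Source Port",
               "Destination IP", "Destination Port", "Proxy Type", "Proxy Host", "Path"]
_KEYS = "|".join(re.escape(k) for k in DETAIL_KEYS)
DETAIL_RE = re.compile(rf"({_KEYS}): (.*?)(?= (?:{_KEYS}): |$)")  # "Key: value" pairs in Details='...'

def parse_apt_event(line):
    """Classify one log line as an APT Blocker submission, verdict or block; None otherwise."""
    if "APT threat notified" in line:
        details = dict(DETAIL_RE.findall(re.search(r"Details='(.*)'", line).group(1)))
        return {"event": "notified", "task_uuid": details.get("Task_UUID"),
                "reason": details.get("Reason"), "src": details.get("Source IP"),
                "proxy_host": details.get("Proxy Host"), "path": details.get("Path")}
    kv = dict(KV_RE.findall(line))
    if "submitted to APT analysis server" in kv.get("msg", ""):
        return {"event": "submitted", "task_uuid": kv.get("task_uuid"),
                "md5": kv.get("md5"), "host": kv.get("host"), "path": kv.get("path")}
    if "APT Detected" in kv.get("msg", ""):
        return {"event": "detected", "action": line.split()[0], "md5": kv.get("md5"),
                "host": kv.get("host"), "path": kv.get("path")}
    return None

def triage(lines):
    """Match submissions to verdicts by task_uuid; a submission with no verdict yet is 'pending'."""
    submitted, verdicts, blocked = {}, {}, []
    for ev in filter(None, map(parse_apt_event, lines)):
        if ev["event"] == "submitted":
            submitted[ev["task_uuid"]] = ev
        elif ev["event"] == "notified":
            verdicts[ev["task_uuid"]] = ev
        else:
            blocked.append(ev)
    pending = [uuid for uuid in submitted if uuid not in verdicts]
    return {"submitted": submitted, "verdicts": verdicts, "blocked": blocked, "pending": pending}
```

On the article's three sample lines the submission and the notification carry different task UUIDs, so the submitted sample.exe shows up as pending, which is exactly the case worth following up when a verdict never arrives.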