User guide
Example 2
The IDS adds a message to the Firebox's log stream:
fbidsmate 10.0.0.1 secure1 add_log_message 3 "IDS system temp. blocked 209.54.94.99"
With the IDS running on host 10.0.0.2, the following message appears in the Firebox log file:
msg from 10.0.0.2: IDS system temp. blocked 209.54.94.99
Example 3
Because you are running your IDS application outside the firewall perimeter, you decide to encrypt the configuration passphrase used in your IDS scripts rather than leaving it in clear text on the command line, where any local user can read it from the process list or from shell history. Note that even with encryption, you should lock down the IDS host as tightly as possible, and the passphrase file should be readable only by the account that runs the IDS scripts. First, you must import the passphrase "secure1" into an encrypted file on the IDS host:
fbidsmate import_passphrase secure1 /etc/fbidsmate.passphrase
Then you could rewrite the previous examples as:
fbidsmate 10.0.0.1 -f /etc/fbidsmate.passphrase add_hostile 209.54.94.99
fbidsmate 10.0.0.1 -f /etc/fbidsmate.passphrase add_log_message 3 "IDS system temp. blocked 209.54.94.99"
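The following wrapper script is an added example and is not part of the WatchGuard guide or the fbidsmate tool. It shows how an IDS can call the two commands above through one script that reads the passphrase from the encrypted file, and it adds the check a practitioner wants before wiring an IDS to a firewall: the IDS is parsing attacker-controlled traffic, so the address and the reason string it hands over are validated and stripped of control characters before they are put on the fbidsmate command line or into the Firebox log. The FIREBOX, PASSFILE, FBIDSMATE and LOGLEVEL variables, the is_ipv4, clean_reason and block_hostile function names, and the "(reason)" suffix on the log message are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the WatchGuard guide): a wrapper an IDS calls to
# block a host on the Firebox and record why, using the passphrase file
# created with "fbidsmate import_passphrase".
# Assumed (hypothetical) settings; override them in the environment.
FIREBOX="${FIREBOX:-10.0.0.1}"
PASSFILE="${PASSFILE:-/etc/fbidsmate.passphrase}"
FBIDSMATE="${FBIDSMATE:-fbidsmate}"   # set to "echo" for a dry run
LOGLEVEL="${LOGLEVEL:-3}"

# Accept only a dotted-quad IPv4 address with octets 0-255. The IDS may be
# reporting a string it pulled out of hostile traffic, so nothing else is
# allowed to reach the fbidsmate command line.
is_ipv4() {
  case "$1" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] || return 1
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Strip control characters (which could forge extra log lines) and double
# quotes from the reason text, and cap its length, before it goes into the
# Firebox log message.
clean_reason() {
  printf '%s' "$1" | tr -d '\000-\037\177"' | cut -c1-120
}

# Block the host and log the action. Does nothing and returns 1 if the
# address is not a valid IPv4 address. Arguments are passed as separate
# words (never through a shell string), so no command injection is possible.
block_hostile() {
  ip=$1
  reason=$(clean_reason "${2:-no reason given}")
  is_ipv4 "$ip" || { echo "refusing to block invalid address: $ip" >&2; return 1; }
  "$FBIDSMATE" "$FIREBOX" -f "$PASSFILE" add_hostile "$ip" &&
  "$FBIDSMATE" "$FIREBOX" -f "$PASSFILE" add_log_message "$LOGLEVEL" \
      "IDS system temp. blocked $ip ($reason)"
}

# Usage from an IDS hook: block_hostile 209.54.94.99 "portscan"
```

Run it with FBIDSMATE=echo first to see the exact fbidsmate invocations without touching the Firebox. Because the script rejects anything that is not a plain IPv4 address, an alert whose source field has been tampered with cannot turn into an arbitrary fbidsmate command or block an unintended range.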
Blocking Sites
The Blocked Sites feature of the Firebox helps you prevent unwanted
contact from known or suspected hostile systems. After you identify an
intruder, you can block all attempted connections from them. You can
also configure logging to record all access attempts from these sources so
you can collect clues as to what services they are attempting to attack.
A blocked site is an IP address outside the Firebox that is prevented from
connecting to hosts behind the Firebox. If any packet comes from a host
that is blocked, it does not get past the Firebox.
There are two kinds of blocked sites: