Prevent Security vulnerability exploitation attempts

I run a pair of M470s in an active/passive cluster with version 12.8.B659436 and Total Security. Every so often I get an alert from my 3rd-party endpoint protection software of a "Security vulnerability exploitation attempt" event. It seems like someone or something external is trying to do things against a software application that is hosted on a server and uses Java processes.

The 3rd-party endpoint protection software is blocking those attempts, but what can I do to prevent this sort of attack at the firewall?

I have a policy that allows SSL traffic only from external sources, with IPS, Application Control and Geolocation configured on the policy.

Comments

  • It depends on what the exploit is.
    Care to give an example or two?

    1) It is possible that it is a false positive, and thus not a real exploit.
    2) It is possible that this software has, at that moment, a signature for an exploit which has not yet been added to the firewall IPS or GAV signatures.

    Neither Application Control nor Geo will address incoming exploits to your server.

    Do you have incoming packet inspection enabled for access to this server?
    If not, look at doing this, as IPS and GAV can't see the contents of HTTPS/SSL packets.
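
    The point in the comment above, that IPS and GAV cannot match anything inside HTTPS unless the firewall is the TLS endpoint for the inbound connection, shown as an added example (not code from the thread or from WatchGuard). The Go program below pushes a constructed HTTP request through a real TLS handshake over an in-memory pipe and runs the same literal-pattern "signature" check twice: once on the bytes a sensor sitting beside the flow sees, once on what a TLS-terminating inspection point sees. The marker string `CONSTRUCTED-IPS-TEST-MARKER`, the host name inspect.example, the throwaway self-signed certificate and the one-line "IPS" are all assumptions made for the demonstration, not anything from the original post.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// Constructed request; the User-Agent marker stands in for whatever pattern a real IPS rule would match. Not a real exploit.
var sampleRequest = []byte("POST /app/api HTTP/1.1\r\n" +
	"Host: inspect.example\r\n" +
	"User-Agent: CONSTRUCTED-IPS-TEST-MARKER\r\n" +
	"Content-Length: 0\r\n\r\n")

// matches is the whole stand-in "IPS": a literal match over the bytes it is handed.
func matches(b []byte) bool { return bytes.Contains(b, []byte("CONSTRUCTED-IPS-TEST-MARKER")) }

// tapConn records every byte crossing the server end of the pipe: all a sensor beside the flow (not the TLS endpoint) sees.
type tapConn struct {
	net.Conn
	wire *bytes.Buffer
}

func (t *tapConn) Read(p []byte) (int, error) {
	n, err := t.Conn.Read(p)
	t.wire.Write(p[:n])
	return n, err
}

// selfSignedCert makes a throwaway certificate for inspect.example (assumption: a real inbound-inspection setup holds the server's own cert and key).
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		DNSNames:              []string{"inspect.example"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// run pushes request through a real TLS session over an in-memory pipe; returns the ciphertext seen on the wire and the plaintext seen by the TLS endpoint.
func run(request []byte) (wire, plaintext []byte, err error) {
	cert, leaf, err := selfSignedCert()
	if err != nil {
		return nil, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	clientRaw, serverRaw := net.Pipe()
	defer clientRaw.Close()
	defer serverRaw.Close()
	tap := &tapConn{Conn: serverRaw, wire: &bytes.Buffer{}}
	server := tls.Server(tap, &tls.Config{Certificates: []tls.Certificate{cert}, SessionTicketsDisabled: true})
	client := tls.Client(clientRaw, &tls.Config{RootCAs: pool, ServerName: "inspect.example"})
	errc := make(chan error, 1)
	go func() { // net.Pipe is synchronous, so the client must run concurrently
		_, werr := client.Write(request) // Write performs the handshake first
		if werr == nil {
			werr = client.CloseWrite() // close_notify makes the server's read hit EOF
		}
		errc <- werr
	}()
	if plaintext, err = io.ReadAll(server); err != nil {
		return nil, nil, err
	}
	if err = <-errc; err != nil {
		return nil, nil, err
	}
	return tap.wire.Bytes(), plaintext, nil
}

func main() {
	wire, plain, err := run(sampleRequest)
	fmt.Printf("err=%v  match on ciphertext: %v  match after TLS termination: %v\n", err, matches(wire), matches(plain))
}
```

    Running it prints a match only for the decrypted view. The wire bytes carry the full handshake plus the encrypted request, and the marker is nowhere in them, which is exactly why a packet-filter policy with IPS and GAV attached cannot act on an HTTPS exploit attempt: the firewall has to terminate the TLS session (the inbound inspection the comment refers to) before those services have anything to match on.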

  • @Bruce_Briggs I just sent you a message with what I have on this.

  • james.carson Moderator, WatchGuard Representative

    Hi @Kamikaze
    I would suggest opening a support case (use the support center link in the top right of the page.) If you can attach any info from the IDS, we can look into it and see what might be going on.

    -James Carson
    WatchGuard Customer Support
