How to efficiently and regularly add blocked sites to 40+ Fireboxes that are managed by WSM

I am looking for a better way to add/manage "Blocked sites ..." on more than 40 Fireboxes.

I want to be able to react to information like:
"Ryuk Ransomware is spread via the initial Trickbot installs through newly identified Cobalt Strike Domains." and quickly add the "Cobalt Strike Domains" to the block list.

The Fireboxes are managed by a WatchGuard System Manager server. WSM does not manage "Blocked sites ..." (it would be great if it did) and WatchGuard CLI cannot be used on WSM managed Fireboxes. It is also not advisable to manually order policies that use WSM templates. So making my own catchall block policy as the first policy probably would not work either, since it would auto order wrong.

Please let me know your thoughts.

Thank you for your time.

Answers

  • james.carson Moderator, WatchGuard Representative

    Hi @Logan5

    If you'd like to use management server to do this, you can create policies and apply them to multiple firewalls to do so. Adding entries to blocked sites would require going to that menu in each firewall and importing your list.

    -James Carson
    WatchGuard Customer Support

  • james.carson Moderator, WatchGuard Representative

    With the above in mind, tools like Botnet Detection and WebBlocker's security section handle most of these types of block lists. If you're not already using those services, I'd suggest taking a look at them.

    -James Carson
    WatchGuard Customer Support

  • James, Thank you for the advice. They are good tools and I do use them, but they are not right for my use case.

    Use case: When 3rd party monitoring becomes aware of an active threat not recognized by the WG tools/DB, such as break-in attempts from an IP not in WG tools/DBs, I want to be able to push out blocked IP changes to all my FWs.

    I would like to see WSM become more robust. It does a lot, but there are a lot more settings and use cases that it could help address.

  • While I can import a list manually into a FW to update blocked sites, I have 40+ FWs. It is not the most practical option, especially when I do pay for WSM to manage them. However, blocked sites are not one of the data elements managed by WSM.

  • Kimmo, I do not know if this can work with WSM managed boxes. I think that this only applies to cloud managed devices and has a high level of complexity that may not be sustainable.

  • james.carson Moderator, WatchGuard Representative

    Hi @Logan5
    Most work is going into cloud management and cloud managed API functions -- it's unlikely a robust feature like that would be added to the WSM app.

    -James Carson
    WatchGuard Customer Support
