Introduction to DNSWatch

  • Slides: 91

1 Introduction to DNSWatch
WatchGuard Training Copyright © 2018 WatchGuard Technologies, Inc. All Rights Reserved

2 Introduction to DNSWatch
§ DNSWatch Overview
§ Enable DNSWatch
§ DNSWatch and Your Network
§ DNS Precedence
§ DNSWatch License Expiration
§ Manage DNSWatch

3 DNSWatch Overview

4 DNSWatch Overview
§ DNSWatch is a cloud-based service that monitors DNS requests through the Firebox to prevent connections to known malicious domains
§ DNSWatch protects users from clickjacking and phishing domains regardless of the connection type, protocol, or port
§ DNSWatch requires Fireware v12.1.1 or higher
§ It is included in the Total Security Suite subscription
§ Supported on Firebox T Series, M Series, XTMv, FireboxV
§ Not supported on Firebox Cloud or XTM hardware models, or any Firebox configured in Bridge Mode

5 DNSWatch Overview
§ DNSWatch Components:
  • Threat Intelligence — constantly updated feeds with information about threats based on domain
  • DNS Servers — resolve DNS queries
  • Blackhole Servers — destination for queries to blocked domains
  • Dashboard — cloud-based management
  • Firebox — redirects DNS queries to DNSWatch
§ WatchGuard customers and service providers:
  • Enable DNSWatch on the Firebox
  • Log in to the WatchGuard Portal to manage DNSWatch
  • Receive email alerts when domains are denied

6 DNSWatch Overview

7 DNSWatch Threat Intelligence
§ WatchGuard uses a complex set of heuristics to identify malicious certificates and websites
§ DNSWatch polls threat intelligence sources daily to identify new malicious domains and update the Domain Feeds
§ DNSWatch users can also share domains they manually add to the DNSWatch Blacklist with WatchGuard to help improve DNSWatch for all users

8 DNSWatch and the Firebox
§ When the Firebox receives a DNS query from a host on a protected network, it forwards the request to DNSWatch
§ DNSWatch evaluates whether the domain is a known threat
  • If the domain is not a known threat:
    – DNSWatch resolves the DNS query to the destination
  • If the domain is a known threat:
    – DNSWatch resolves the domain to the IP address of the DNSWatch Blackhole Server
    – The DNSWatch Blackhole Server attempts to gather more information about the threat from the host endpoint
    – For HTTP and HTTPS requests, DNSWatch redirects the user to a customizable deny page

9 DNSWatch Deny Page
§ When an HTTP connection is blocked, a customizable deny page appears to the user
§ The Deny Page includes a short training exercise about how to recognize phishing attacks

10 DNSWatch Deny Page
§ For a denied HTTPS connection, an invalid certificate notice appears first
§ The Deny Page appears only if the user continues to the site

11 DNSWatch Email Alerts
§ When DNSWatch denies a connection, DNSWatch sends an email alert to account administrators, with a link to alert details

12 Enable DNSWatch

13 DNSWatch Requirements
§ Before you can enable DNSWatch on the Firebox, make sure your Firebox meets these requirements:
  • Fireware OS v12.1.1 or higher
  • A Total Security Suite subscription or a DNSWatch Trial

14 Update the Firebox Feature Key
1. Log in to Fireware Web UI
2. Select System > Feature Key
3. Click Get Feature Key
4. Verify that the DNSWatch feature is enabled in the feature key

15 Enable DNSWatch in Policy Manager
§ To enable DNSWatch from WSM Policy Manager, select Subscription Services > DNSWatch
§ DNSWatch Registration status and DNS Server IP addresses do not appear in Policy Manager
  • To see this information, log in to Fireware Web UI and select Subscription Services > DNSWatch

16 Enable DNSWatch in Fireware Web UI
§ To enable DNSWatch, from Fireware Web UI:
1. Select Subscription Services > DNSWatch
2. Select Enable DNSWatch Service

17 Enable DNSWatch on the Firebox
3. Select the Usage Enforcement option
    – Usage Enforcement is disabled by default
    – For most networks, we recommend you enable Usage Enforcement for all internal interfaces
    – If you have internal DNS servers, review the deployment scenarios later in this presentation before you enable enforcement
4. Click Save

18 Enable DNSWatch on the Firebox
§ DNSWatch status is available only in Fireware Web UI
§ DNSWatch status information includes:
  • Status
  • Registration Date
  • DNS Servers
  • Blackhole Servers

19 DNSWatch Regional DNS Servers
§ DNSWatch has DNS servers in three regions:
  • US (US East)
  • EU (Ireland)
  • APAC (Japan and Australia)
§ DNSWatch sends the Firebox the IP addresses of DNS servers in the nearest region

20 DNSWatch Servers and Exceptions
§ Many WatchGuard products and services are hosted on regional servers
  • To make sure that these services connect to the closest regional server, the Firebox does not send DNS requests for these domains to DNSWatch when usage enforcement is enabled:
    – watchguard.com (for services hosted by WatchGuard)
    – ctmail.com (for spamBlocker)
    – rp.cloud.threatseeker.com (for WebBlocker)
  • If you enable DNSWatch without usage enforcement, manually add DNS forwarding rules for these domains to make sure that these services connect to the closest regional server

21 DNSWatch Without Usage Enforcement
§ If usage enforcement is disabled:
  • Configure the local DNS server to use the Firebox as the primary server for DNS resolution
  • Configure any other local network hosts that use a manually configured DNS server to use the Firebox as the primary server for DNS resolution
    – For example, a local DHCP server or other local server
  • Alternatively, you can configure the local DNS server and any other network hosts that use a manually configured DNS server to use the DNSWatch DNS servers for DNS resolution

22 DNSWatch Without Usage Enforcement
§ If usage enforcement is disabled, to make sure that WatchGuard services connect to a regional server:
  • Add DNS Forwarding rules for these domains:
    – watchguard.com
    – ctmail.com
    – rp.cloud.threatseeker.com
  • For each rule, specify the IP address of a regional DNS server

23 Best Practices
§ After you enable DNSWatch, we recommend that you not remove existing DNS server IP addresses from the Firebox configuration

24 DNSWatch License Expiration
§ When DNSWatch expires, the Firebox uses the existing DNS settings in the Firebox network configuration
§ If DNSWatch expires, and no DNS servers are configured on the Firebox:
  • The Firebox continues to use DNSWatch for DNS lookups only. No alerts or configuration options are applied
  • The Firebox generates a log message to alert you that DNS servers are missing

25 DNSWatch and Your Network

26 DNSWatch and Your Network
§ The examples in this section show how to configure DNSWatch and other DNS settings on the Firebox for several different network scenarios:
  • Network without a local DNS server
  • Network with a local DNS server:
    – Network DNS server list on the Firebox does not include the local DNS server, DNSWatch enforcement is enabled
    – Network DNS server list on the Firebox includes the local DNS server, DNSWatch enforcement is disabled
  • Network with a local DNS server and mobile VPN users

27 DNSWatch and Your Network
  • Local DNS server and multiple internal networks
  • Network with a local DNS server and BOVPN users

28 DNSWatch and Your Network
§ Example 1 — Network without a local DNS server

29 DNSWatch and Your Network
§ Example 2 — Network with a local DNS server
  • Network DNS server list on the Firebox does not include the local DNS server

30 DNSWatch and Your Network
§ For Example 2 —
  • DNSWatch enforcement is enabled
  • The Network (Global) DNS server list on the Firebox only includes public DNS servers. The local DNS server is not included.
  • Configure DNS Forwarding rules for your local domain and local DNS server if the Firebox itself must resolve local FQDNs

31 DNSWatch and Your Network
§ Example 3 — Network with a local DNS server
  • Network DNS server list on the Firebox includes the local DNS server

32 DNSWatch and Your Network
§ For Example 3 —
  • DNSWatch enforcement is enabled
  • The Network (Global) DNS server list on the Firebox has your local DNS server first and public DNS servers last

33 DNSWatch and Your Network
§ Example 4 — Network with a local DNS server
  • DNSWatch enforcement disabled

34 DNSWatch and Your Network
§ For Example 4 —
  • If you do not want to enable DNSWatch enforcement on your network, you can use this configuration
  • You must manually add forwarders on your local DNS server that point to the Firebox IP address or to DNSWatch DNS servers
  • You can get the DNSWatch IP addresses from the DNSWatch Dashboard

35 DNSWatch and Your Network
§ For Example 4 —
  • DNSWatch includes an exception list that prevents DNS requests for WatchGuard service domains from being sent to DNSWatch. When enforcement is disabled, this exception list is not used.
  • If you disable enforcement, we recommend that you configure conditional DNS Forwarding rules for the WatchGuard service domains watchguard.com, ctmail.com, and rp.cloud.threatseeker.com if you use these services
    – These DNS Forwarding rules make sure that WatchGuard services connect to the closest regional server

36 DNSWatch and Your Network
§ DNSWatch and Your Network
  • Conditional DNS Forwarding rules for WatchGuard service domains:

37 DNSWatch and Your Network
§ Example 5 — Network with mobile VPN users

38 DNSWatch and Your Network
§ For Example 5 —
  • DNSWatch enforcement is enabled
    – Enforcement applies only to hosts on Trusted or Optional Firebox interfaces. Enforcement does not apply to mobile VPN users.
    – Mobile VPN devices must point to the local DNS server
  • The Network (Global) DNS server list on the Firebox has your local DNS server first and public DNS servers last

39 DNSWatch and Your Network
§ In Fireware v12.2.1 or higher, for all mobile VPN types, you can select one of these DNS options:
  • Option 1 ─ Assign mobile VPN users the first DNS server in the Network (Global) DNS list
    – Mobile VPN users are also assigned one DNSWatch DNS server
    – Make sure to include the local DNS server first in the Network (Global) DNS list
  • Option 2 ─ Assign mobile VPN users the DNS server specified in the mobile VPN configuration
    – Make sure to include the local DNS server first in the list
  • Option 3 ─ Assign no DNS settings to mobile VPN users

40 DNSWatch and Your Network
§ In Fireware v12.2 or lower:
  • Mobile VPN with IPSec, L2TP, and IKEv2 users get the first DNS server in the Network (Global) DNS list on your Firebox, plus one DNSWatch DNS server. Make sure to include the local DNS server first in this list.
  • Mobile VPN with SSL users get the DNS servers in the Mobile VPN with SSL settings on the Firebox. Make sure to include the local DNS server first in the Mobile VPN with SSL settings.

41 DNSWatch and Your Network
§ Example 6 — Multiple internal networks

42 DNSWatch and Your Network
§ For Example 6 —
  • DNSWatch enforcement is enabled
  • The Network (Global) DNS server list on the Firebox has your local DNS server first and public DNS servers last

43 DNSWatch and Your Network
§ Example 7 — Network with BOVPN users

44 DNSWatch and Your Network
§ For Example 7 —
  • DNSWatch enforcement is enabled
    – Enforcement applies only to hosts on Trusted or Optional Firebox interfaces
    – BOVPN users at Site B must send DNS requests to the local DNS server at Site A to be protected by DNSWatch
  • On the local DNS server, configure forwarders for public DNS servers
  • The Network (Global) Server list on both Fireboxes includes the local DNS server at Site A and public DNS servers. The local DNS server must appear first in the list.

45 DNS Precedence

46 DNS Settings Precedence
§ In some cases, DNSWatch takes precedence over these DNS servers that could already be configured on your Firebox:
  • Network (Global) DNS server — Default DNS server for all interfaces and local processes on the Firebox
  • Interface DNS server — Specified in the DHCP server settings for an interface
  • DNS server obtained from your ISP — When Firebox is configured as a DHCP or PPPoE client

47 Precedence ─ Network DNS Server
§ Network DNS servers
  • When DNSWatch is enabled with enforcement on
    – DNSWatch DNS servers take precedence over DNS servers in the Network DNS server list on the Firebox
      o There is one exception: DNSWatch does not take precedence over a local DNS server if it appears first in the Network DNS server list.
    – DNS queries initiated or received by the Firebox are:
      o Resolved by Firebox cache, or
      o Sent to DNS servers specified in conditional DNS forwarding rules, or
      o Sent to DNSWatch (in that order)

48 Precedence ─ Network DNS Server
  • When DNSWatch is enabled with enforcement off
    – DNSWatch DNS servers take precedence over DNS servers in the Network DNS server list on the Firebox for DNS requests initiated by the Firebox or addressed to the Firebox IP address
      o There is one exception: DNSWatch does not take precedence over a local DNS server if it appears first in the Network DNS server list.
    – DNS requests addressed to IP addresses other than the Firebox IP address or DNSWatch IP addresses are not sent to DNSWatch
    – If the DNS Forwarding feature is disabled, DNS requests initiated by or addressed to the Firebox are sent to DNSWatch
    – If the DNS Forwarding feature is enabled, DNS requests initiated by or addressed to the Firebox are:
      o Resolved by the Firebox cache, or
      o Sent to DNS servers specified in conditional DNS forwarding rules, or
      o Sent to DNSWatch (in that order)

49 Precedence ─ Interface DNS Server
§ Interface DNS server (configured in interface settings)
  • When DNSWatch is enabled with enforcement on and an interface DNS server is specified:
    – DNSWatch DNS servers take precedence over the DNS servers specified in the interface settings.
    – DNS queries for external resources are:
      o Resolved by the Firebox cache, or
      o Sent to DNS servers specified in conditional DNS forwarding rules, or
      o Sent to DNSWatch (in that order)
  • For a DHCP client with manually configured DNS servers, DNS queries for external resources are sent to DNSWatch because enforcement is on

50 Precedence ─ Interface DNS Server
§ Interface DNS server (configured in interface settings)
  • When DNSWatch is enabled with enforcement off and an interface DNS server is specified:
    – DNS requests are sent to the interface DNS server instead of DNSWatch
    – For a DHCP client with manually configured DNS servers, DNS queries are sent to the manually configured DNS servers instead of DNSWatch. To protect this client with DNSWatch, we recommend you change the manually configured DNS servers to the DNSWatch server IP addresses.

51 Precedence ─ DNS Server from ISP
§ DNS server obtained from your ISP for a Firebox configured as a DHCP or PPPoE client
  • Not used when DNSWatch is enabled
  • DNS requests are sent to DNSWatch instead
  • The Firebox continues to obtain DNS servers from your ISP and stores that information

52 Manage DNSWatch

53 Manage DNSWatch
§ After you activate DNSWatch for a Firebox in your account, you can connect to DNSWatch in the WatchGuard Portal
§ In the WatchGuard Support Center, select My WatchGuard > Manage DNSWatch

54 DNSWatch Dashboard
§ The DNSWatch Dashboard provides DNS traffic data, top domain requests, top network requests, and a summary of monthly alerts.
§ From the DNSWatch Dashboard you can add domains to the whitelist or blacklist, view reporting and alerts, change your settings, and customize the page users see when their HTTP or HTTPS connections are denied.

55 DNSWatch Dashboard
§ The DNSWatch Dashboard provides:
  • DNS traffic data
  • Top domain requests
  • Top network requests
  • Monthly alert summary

56 DNSWatch Web UI
§ On the Domains menu, you can select options to:
  • Add domains to the Blacklist (Blackholed Domains)
  • Add domains to the Whitelist
  • View list of DNSWatch Domain Feeds
  • Search for a domain on the Blacklist, Whitelist, and Domain Feeds

57 Blackholed Domains
§ When you add a domain to the Blackholed Domains list:
  • DNSWatch resolves all DNS requests for that domain to the IP address of the Blackhole Server
  • When an HTTP or HTTPS connection is denied, a customizable deny page appears to the user
§ To edit blackholed domains, select Domains > Blackholed

58 Blackholed Domains
§ The default list includes the test domain strongarm.test
  • Use this domain to test DNSWatch from your protected network
  • When you browse to this domain from a computer on your protected network, the DNSWatch deny page appears
  • Use this domain to verify or demonstrate that DNSWatch blocks connections to malicious sites
  • Do not add other non-malicious domains to the list for testing
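A scriptable form of the strongarm.test check, useful for confirming which resolver paths are actually covered by DNSWatch (for example, hosts with manually configured DNS servers when enforcement is off). This is an added example, not WatchGuard code: the function names and the 192.0.2.10 blackhole address are placeholders, and the real Blackhole Server addresses are the ones shown on the DNSWatch status page in Fireware Web UI.

```python
import socket
import struct
import sys

TEST_DOMAIN = "strongarm.test"  # DNSWatch test domain named on the slide


def build_query(name, txid=0x1234):
    """Build a recursive DNS query for the A record of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg, off):
    """Return the offset just past an encoded name (labels or compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg):
    """Return (rcode, [IPv4 addresses]) from a raw DNS response."""
    try:
        _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
        off = 12
        for _ in range(qd):
            off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
        ips = []
        for _ in range(an):
            off = _skip_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == 1 and rclass == 1 and rdlen == 4:
                ips.append(socket.inet_ntoa(msg[off:off + 4]))
            off += rdlen
    except (IndexError, struct.error, OSError) as exc:
        raise ValueError("malformed DNS response") from exc
    return flags & 0x000F, ips


def classify(msg, blackhole_ips):
    """Decide whether the resolver that produced `msg` is protected by DNSWatch."""
    rcode, ips = parse_a_records(msg)
    if ips and set(ips) <= set(blackhole_ips):
        return "PROTECTED"   # test domain was sent to a Blackhole Server
    if rcode == 3 or not ips:
        # .test is a reserved TLD, so a resolver outside DNSWatch answers NXDOMAIN
        return "BYPASS"
    return "UNEXPECTED"      # answered with an address that is not a known blackhole


def sample_response(rcode, ip=None):
    """Constructed response to the test query (sample data, not a capture)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, 1 if ip else 0, 0, 0)
    answer = b""
    if ip:  # owner name is a pointer back to the question at offset 12
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + build_query(TEST_DOMAIN)[12:] + answer


def query_resolver(resolver_ip, timeout=3.0):
    """Send the test query to one resolver over UDP and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(TEST_DOMAIN), (resolver_ip, 53))
        return sock.recvfrom(512)[0]


if __name__ == "__main__":
    if len(sys.argv) >= 3:  # usage: check.py <resolver-ip> <blackhole-ip> [...]
        print(classify(query_resolver(sys.argv[1]), sys.argv[2:]))
    else:  # offline demo on constructed responses
        demo_blackholes = ["192.0.2.10"]  # placeholder address
        for label, msg in [("blackholed", sample_response(0, "192.0.2.10")),
                           ("nxdomain", sample_response(3)),
                           ("other answer", sample_response(0, "198.51.100.7"))]:
            print(label, "->", classify(msg, demo_blackholes))
```

Run it once per resolver a client might use (the Firebox address, the local DNS server, any manually configured server); a BYPASS result identifies a path that does not reach DNSWatch.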

59 Blackholed Domains
§ To add a domain to the Blackholed Domains list:
1. Click Blackhole a New Domain
2. Specify the domain name
3. To include all subdomains for the domain, select Include Subdomains
4. To share the domain with WatchGuard, select Share this domain
5. In the Analysis text box, explain why you want to add the domain
6. Click Save

60 Whitelisted Domains
§ When you add a domain to the Whitelisted Domains list, DNSWatch considers the domain safe and resolves the IP address, even if the domain is on a Domain Feed
§ To edit whitelisted domains, select Domains > Whitelisted

61 Whitelisted Domains
§ To add a domain to the Whitelisted Domains list:
1. Click Whitelist a New Domain
2. Specify the domain name
3. To include all subdomains for the domain, select Include Subdomains

62 DNSWatch Reports and Traffic History
§ On the Reports menu you can select options to:
  • See weekly reports of DNS domain requests
  • Search the DNS traffic history
§ You can also click View Reports on the Dashboard

63 DNSWatch Weekly Reports
§ To see DNSWatch weekly reports, select Reporting > DNS Weekly Reports
  • Filter by week date range
  • To filter the report for a specific network, select the network
  • To see the top 20 domains without grouping by category, clear the Group domains by category check box

64 DNSWatch Weekly Reports
§ By default, DNSWatch reports group some domains by category, such as Advertising

65 DNSWatch Weekly Reports
§ Weekly reports summarize DNS request volume by hour

66 DNSWatch Traffic History
§ To see DNS traffic history, select Reporting > DNS Traffic History
§ Search for domains in DNS requests from computers on the protected networks
§ History includes DNS traffic from the past week
§ Results include only the exact domain name you specify

67 DNSWatch Alerts
§ An alert summarizes one or more connections that DNSWatch denied to a domain from the same protected network

68 DNSWatch Alerts — Filter
§ To filter the Alerts list, click Filter

69 DNSWatch Alerts — Status
§ The Status column shows Alert status:
  • Resolved (green check mark)
    – The alert was resolved by a DNSWatch user
    – DNSWatch sends a notification if a resolved alert is seen again
  • Unresolved (red x)
    – The alert is not resolved
    – For unresolved alerts, the adjacent connection icon is red if there are active connections to the DNSWatch Blackhole Server for the alert

70 DNSWatch Alerts — Resolve Selected Alerts
§ To resolve an alert:
1. Select the alerts
2. Click Resolve Selected Alerts

71 DNSWatch Alerts — Resolve Selected Alerts
§ If DNSWatch sees a DNS request that matches a resolved alert in the future, DNSWatch reopens the alert and sends a new notification
§ You cannot resolve an alert that has an open connection

72 DNSWatch Alerts — View Details
§ To see the details for an alert, click View

73 DNSWatch Alert Details
§ The alert details include victim information, destination information, and malware information

74 DNSWatch Alert Details
§ Click Resolve Alert to change the status to Resolved
§ Click Silence Alerts to stop email notification for the alert without changing the alert status

75 DNSWatch Alert Details — Discussion
§ Select Discussion to see feedback from WatchGuard support, and additional comments or questions

76 DNSWatch Alert Details — Domain Analysis
§ Select Domain Analysis to view the domains that DNSWatch extracted from this infection
§ Extracted domains are either the original destination domain, or domains related to it
§ To add a blocked domain to your Whitelist, click Actions and select Add to Whitelist

77 DNSWatch Alert Details — Malware Analysis
§ An alert may include multiple connections to a domain from the same protected network
§ The Malware Analysis tab shows details about the first connection

78 DNSWatch Alert Details — Connections
§ To see all connections associated with this alert, select the Connections tab
§ To see details for a connection, click View

79 DNSWatch Connection Information
§ Connection information includes:
  • Netflow data
  • Hex dump of the first bytes sent by the victim
  • Parsed protocol details
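What "parsed protocol details" can look like for a hex dump of a connection's first bytes, as an added example that is not WatchGuard code and does not reproduce the DNSWatch dump format. It assumes the dump is plain hex text and recognises an HTTP request or a TLS ClientHello; the function names and the sample request are constructed for illustration.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")

def parse_http(data):
    """Request line plus the headers an analyst checks first."""
    lines = data.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    hdrs = {k.strip().lower(): v.strip()
            for k, _, v in (ln.partition(":") for ln in lines[1:])}
    return {"protocol": "http", "method": parts[0],
            "path": parts[1] if len(parts) > 1 else None,
            "host": hdrs.get("host"), "user_agent": hdrs.get("user-agent")}

def tls_sni(data):
    """Server name from a TLS ClientHello, or None if absent or cut off."""
    try:
        pos = 5 + 4 + 2 + 32                               # record hdr, handshake hdr, version, random
        pos += 1 + data[pos]                               # session id
        pos += 2 + struct.unpack_from("!H", data, pos)[0]  # cipher suites
        pos += 1 + data[pos]                               # compression methods
        end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", data, pos)
            if ext_type == 0:                              # server_name extension
                n = struct.unpack_from("!H", data, pos + 7)[0]
                name = data[pos + 9:pos + 9 + n]
                return name.decode("ascii", "replace") if len(name) == n else None
            pos += 4 + ext_len
    except (IndexError, struct.error):
        pass                                               # dump ended before the field
    return None

def parse_first_bytes(hexdump):
    """Classify a hex dump of a connection's first bytes."""
    data = bytes.fromhex(hexdump)
    if data.startswith(HTTP_METHODS):
        return parse_http(data)
    if data[:2] == b"\x16\x03" and data[5:6] == b"\x01":   # handshake record, ClientHello
        return {"protocol": "tls", "sni": tls_sni(data)}
    return {"protocol": "unknown", "preview": data[:16].hex()}

# Constructed sample, not real DNSWatch output: request to a placeholder host.
SAMPLE_HTTP = (b"GET /login HTTP/1.1\r\nHost: blocked.example\r\n"
               b"User-Agent: sample-agent/1.0\r\n\r\n").hex()

if __name__ == "__main__":
    print(parse_first_bytes(SAMPLE_HTTP))
```

Because only the first bytes are captured, a ClientHello can be cut off before the server name; in that case the sketch reports the protocol as TLS with no name.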

80 DNSWatch Alert Details — History
§ The History tab for an alert is an audit trail of all actions taken for the alert by a DNSWatch user:
  • Changed the alert status to Resolved or Unresolved
  • Silenced or enabled alert notification emails

81 DNSWatch Denied Connections
§ To see a list of all connections that DNSWatch has denied, on the Alerts page, click Connections

82 DNSWatch Denied Connections
§ The list of denied connections includes the source IP address, source and destination ports, and protocol
§ To see more information for a denied connection, click View

83 DNSWatch Settings — Profile
§ To configure DNSWatch account settings, click your user name and then select Settings

84 DNSWatch Settings — Profile
§ In the Profile settings you can change your time zone

85 DNSWatch Settings — Notifications
§ In the Notification settings you can enable or disable email notifications for new alerts, or updates to existing alerts
§ Email notifications go to the email address configured for your user account in the WatchGuard Portal

86 DNSWatch Settings — Protected Fireboxes
§ To see a list of Fireboxes and networks protected by DNSWatch, click Protected Fireboxes
  • This page shows the public IP addresses for all Firebox external interfaces

87 DNSWatch Settings — Deny Page
§ You can customize the logo, text, and colors of the deny page

88 DNSWatch Settings — Deny Page
§ To customize the deny page, click Block Page Content

89 Customize the Deny Page
§ To customize the colors and logo, select Block Page Style

90 For More Information
§ For more information about DNSWatch, see Fireware Help

91 Thank You!