See What Your Firewall Can't
IzGuard collects your firewall / IPS / WAF logs to detect attacker IPs, runs deep behavioral analysis, automatically terminates attacker sessions and manages VPN usage. It runs on your site — your data stays with you.
One Agent, Three Independent Modules
IzGuard runs on-premise via Docker; it listens to your firewall over syslog and pulls metrics from the FortiGate API. Pick the modules you need and pay only for those. A single module is enough to get started.
Event Management
Normalizes syslog and FortiGate logs into Elasticsearch; runs threshold+action detection and a 7-detector deep behavioral engine. It also maps your external attack surface (asset discovery, open-port verification, vulnerability scanning). Attackers, Events, Open Ports, Asset Profile, Log Search, a GeoIP map and reports.
- GeoIP world attack map (country/city)
- External attack surface: open-port + vulnerability scan
- 7 deep detectors: beaconing, exfil, brute, lateral, DNS-tunnel…
- On-demand / scheduled PDF/Excel/email reports
Performance Management
Monitors FortiGate CPU/RAM/session count, auto-quarantines attacker IPs on the firewall, applies session-protection and raises capacity alarms. Drop sessions with one click during an attack.
- Auto-ban attacker IPs on the firewall
- CPU/RAM/session monitoring + capacity alarm
- Live session view + instant IP blocking
- Whitelisted sources are always exempt
VPN Management
Manages SSL-VPN statistics, per-user access (who, when, where) and sessions. Detects after-hours/long sessions in real time and produces user reports.
- Per-user access: tunnel-IP ↔ traffic logs
- After-hours / long session real-time alerts
- Active-work ratio, connected time, visited destinations
- Staff roster: manual / endpoint / CSV-Excel
Build Your Plan
Choose how many firewalls (devices) to monitor and select your modules. You must select at least one module.
Why IzGuard?
Runs On-Site, Data Stays Yours
Installed on-premise via Docker; your logs and analysis are processed on your own server and never leave.
Detections Your Firewall Misses
Catches second-layer attacks like beaconing (C2), data exfiltration, credential stuffing and lateral movement.
Automated Response
Auto-quarantines attacker IPs on the firewall and drops sessions the moment an attack happens.
Self-Updating
Installs with a single script and pulls new versions automatically (10-min timer). No maintenance hassle.
TR/EN Panel & Reports
Embedded web panel, GeoIP map, scheduled PDF/Excel/email reports.
Modular & Flexible
Take only the module you need; scales with your device count.
Your External Attack Surface — Everything an Attacker Sees
IzGuard maps not just the inside, but your internet-facing surface too. It discovers your assets, verifies which ports are truly reachable from an independent vantage point outside your network (edge), and scans those ports for TLS/cipher/certificate/version vulnerabilities. In each IP's detail, watch live traffic flow between attacker, firewall and open ports — vulnerable ports flagged in red.
legitimate access412
blocked375
:443 · vuln⚠
:22 · sensitive
:80
:3389 · sensitive
Real per-IP detail in the IzGuard console: source (people / attacker) → firewall → open ports. Vulnerable ports stand out with a red alert.
Asset Discovery (Profiling)
Learns the services actually running on each of your servers from traffic and active scanning; flags unexpected or newly-opened ports as anomalies. Dead, non-responding records are auto-pruned.
Independent Outside-In Verification
A vantage point outside your network (edge prober) confirms whether ports are truly reachable from the internet — clearly separating "assumed open" from "actually open".
Vulnerability Scanning
On every exposed port it detects weak TLS/ciphers, expired or self-signed certificates and outdated service versions; prioritizes findings by severity and risk score.
Open-Port Map & Live Flow
Lists internet-exposed IPs in a table; the detail shows source → firewall → port traffic as a live animation. Sensitive management ports (RDP/SSH/DB) are highlighted separately.
Graduated Ban & Blacklist Lifecycle
Escalating enforcement for persistent attackers (15 min → 1 hour → 1 day → permanent); the block lifts automatically once attacks stop. Subnet-based distributed-scan detection; a customer's whitelist is never shared.
Central Threat Blacklist
Persistent attacker IPs from all sites are aggregated centrally; via company-wide and global feeds, other deployments are proactively protected against those IPs.
Your Entire Security Operation in One Console
With IzGuard's embedded web console (TR/EN), see attacks, investigate history and respond instantly — no separate SIEM required.
Overview
A live summary of the last 24 hours — attacker count, top attacking IP, most common attack type and total events at a glance.
Attackers
Every detected attacker with a risk score, reasons, hit count, first/last seen and ban status. 15m–7d time picker + custom range, search and FortiGate-style funnel (column) filters.
Live Sessions & Capacity
Live FortiGate sessions (source/destination IP). Block an IP with one click during an attack — all of its sessions drop instantly.
Banned IPs
Quarantined on the firewall, with reason, source and time. Remove individually or in bulk — also lifts the ban on the firewall.
Events — Traffic
Live traffic flow; "where is it going at a glance" — top destination IPs and ports, refreshed every 5 seconds.
Log Search
Forensic search over raw Elasticsearch logs — historical queries, field filters and free text.
7 Second-Layer Detections Your Firewall Misses
Individual logs may look innocent, but IzGuard periodically scans all normalized traffic to catch behavioral attack patterns. Each detector can be toggled independently.
Beaconing (C2)
Regular-interval connections on the same source→external-destination pair — low variance is the signature of command-and-control (C2) traffic.
Data Exfiltration
Abnormally high outbound data volume to a single external destination — catches covert data exfiltration.
Distributed Brute-Force
Denies to a single auth port from many different sources — credential stuffing / distributed password spraying.
Lateral Movement
An internal source scanning many internal destinations — a compromised device trying to spread across the network.
Geo Anomaly
Sources outside the expected (home) country producing denies to an auth port — suspicious access attempts.
DNS Tunneling
High-entropy / long-subdomain DNS queries — tunneling and DGA (algorithmic domain) detection.
Threat Intelligence
Matches the source IP against known-bad reputation lists (botnet C2 / Spamhaus DROP).
VPN Management — Work Hours, Access and Auto-Restriction
IzGuard doesn't just monitor SSL-VPN; it controls access by work-hour rules, automatically acts on risky sessions and produces detailed per-user reports.
Work Schedule Management
Default work hours + per-user schedules + date-ranged shifts. Schedule source: manual table, external endpoint (method+auth+header) or file (CSV·TXT·.xlsx).
Auto-Restriction by Work Hours
VPN sessions opened outside a user's work window are terminated automatically — after-hours access is blocked from the start.
Long-Session Protection
VPN sessions exceeding the duration you set are dropped automatically; forgotten or left-open sessions are closed.
Access Tracking
Who connected, when, from which tunnel IP and which destinations they reached — end-to-end visibility via tunnel-IP ↔ traffic log correlation.
Log & Session Tracking
Live SSL-VPN sessions, login/logout and usage statistics; per-user active-work ratio and total connected time.
Alerts & Reports
Real-time email alerts on after-hours or long sessions; per-user daily/weekly automatic PDF/Excel reports.
Threshold-Based Detection + Automated Response
Define a threshold, time window and action per attack type; IzGuard applies the decision within seconds. Recommended values come as defaults.
- Detected types: Port Scan, SYN/HTTP/ICMP/DNS Flood, Login/VPN/SMTP/RDP-SMB Brute-Force, Deny Flood and IPS/WAF events.
- Actions: Monitor · Warn · Block · Log — per type, with a configurable ban duration.
- Auto-ban: attacker IPs exceeding the score threshold are quarantined on FortiGate and their active sessions are dropped.
- IP Whitelist: trusted IPs/CIDRs are never flagged by any detection/ban; adding them also clears existing bans automatically.
Attack Map and Live Threat Feeds
Visualize where attacks come from and auto-block known-bad sources.
- GeoIP attack map: country bubbles and city dots on a world map, plus country and ASN distribution.
- Threat-intel feeds: IP/CIDR blocklist URLs (default: abuse.ch Feodo Tracker + Spamhaus DROP), refreshed periodically.
- Country/city/ASN resolution via DB-IP Lite; optional city database for per-IP location.
Automated Security and VPN Reports
Management- and audit-ready outputs; download on demand or receive scheduled email.
- Security reports: attacker/threat summary — download PDF/Excel or email on demand, plus daily/weekly automatic email (PDF/Excel attached).
- VPN reports: per-user (active-work ratio, login/logout, connected time, visited destinations) — on-demand, scheduled and real-time (after-hours/long session) email.
- Branded PDF and Excel (.xlsx) outputs; recipients and send time are configurable.
Runs On-Site, Manages Itself
Installs with one command, updates itself; your data never leaves.
- On-premise Docker compose: receiver + analyzer + PostgreSQL + Elasticsearch — two binaries in one image.
- One-line install script with your license key. Just point your firewall to send syslog to the agent IP (udp/tcp 5514).
- Self-update: checks the published image's sha256 tag every 10 minutes; if different, pulls the image and restarts.
- FortiGate REST integration (API token for Performance/VPN); all other firewall/IPS/WAF devices work via syslog.
- Data sovereignty: all logs, session records and analysis results are processed and kept only on your own server — no data ever leaves, nothing is sent to us.