See What Your Firewall Can't
IzGuard collects your firewall / IPS / WAF logs to detect attacker IPs, runs deep behavioral analysis, automatically terminates attacker sessions and manages VPN usage. It runs on your site — your data stays with you.
One Agent, Three Independent Modules
IzGuard runs on-premise via Docker; it listens to your firewall over syslog and pulls metrics from the FortiGate API. Pick the modules you need and pay only for those. A single module is enough to get started.
Event Management
Normalizes syslog and FortiGate logs into Elasticsearch; runs threshold+action detection and a 7-detector deep behavioral engine. Includes the Attackers, Events and Log Search views, a GeoIP attack map and security reports.
- GeoIP world attack map (country/city)
- FortiGate-style funnel filters + forensic log search
- 7 deep detectors: beaconing, exfiltration, brute-force, lateral movement, DNS tunneling…
- On-demand / scheduled PDF/Excel/email reports
Performance Management
Monitors FortiGate CPU/RAM/session count, auto-quarantines attacker IPs on the firewall, applies session-protection and raises capacity alarms. Drop sessions with one click during an attack.
- Auto-ban attacker IPs on the firewall
- CPU/RAM/session monitoring + capacity alarm
- Live session view + instant IP blocking
- Whitelisted sources are always exempt
VPN Management
Manages SSL-VPN statistics, per-user access (who, when, where) and sessions. Detects after-hours/long sessions in real time and produces user reports.
- Per-user access: tunnel-IP ↔ traffic logs
- After-hours / long session real-time alerts
- Active-work ratio, connected time, visited destinations
- Staff roster: manual / endpoint / CSV-Excel
Build Your Plan
Choose how many firewalls (devices) to monitor and select your modules. You must select at least one module.
Why IzGuard?
Runs On-Site, Data Stays Yours
Installed on-premise via Docker; your logs and analysis are processed on your own server and never leave.
Detections Your Firewall Misses
Catches second-layer attacks like beaconing (C2), data exfiltration, credential stuffing and lateral movement.
Automated Response
Auto-quarantines attacker IPs on the firewall and drops sessions the moment an attack happens.
Self-Updating
Installs with a single script and pulls new versions automatically (10-min timer). No maintenance hassle.
TR/EN Panel & Reports
Embedded web panel, GeoIP map, scheduled PDF/Excel/email reports.
Modular & Flexible
Take only the module you need; scales with your device count.
Your Entire Security Operation in One Console
With IzGuard's embedded web console (TR/EN), see attacks, investigate history and respond instantly — no separate SIEM required.
Overview
A live summary of the last 24 hours — attacker count, top attacking IP, most common attack type and total events at a glance.
Attackers
Every detected attacker with a risk score, reasons, hit count, first/last seen and ban status. 15m–7d time picker + custom range, search and FortiGate-style funnel (column) filters.
Live Sessions & Capacity
Live FortiGate sessions (source/destination IP). Block an IP with one click during an attack — all of its sessions drop instantly.
Banned IPs
Quarantined on the firewall, with reason, source and time. Remove individually or in bulk — also lifts the ban on the firewall.
Events — Traffic
Live traffic flow; "where is it going at a glance" — top destination IPs and ports, refreshed every 5 seconds.
Log Search
Forensic search over raw Elasticsearch logs — historical queries, field filters and free text.
7 Second-Layer Detections Your Firewall Misses
Individual logs may look innocent, but IzGuard periodically scans all normalized traffic to catch behavioral attack patterns. Each detector can be toggled independently.
Beaconing (C2)
Regular-interval connections on the same source→external-destination pair — low variance is the signature of command-and-control (C2) traffic.
Data Exfiltration
Abnormally high outbound data volume to a single external destination — catches covert data exfiltration.
Distributed Brute-Force
Denies to a single auth port from many different sources — credential stuffing / distributed password spraying.
Lateral Movement
An internal source scanning many internal destinations — a compromised device trying to spread across the network.
Geo Anomaly
Sources outside the expected (home) country producing denies to an auth port — suspicious access attempts.
DNS Tunneling
High-entropy / long-subdomain DNS queries — tunneling and DGA (algorithmic domain) detection.
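An added example of the entropy/length heuristic named above (not IzGuard's implementation): the labels below the registered domain are scored by length and Shannon entropy, and the entropy test is skipped for short payloads where it is unreliable. The thresholds, the two-label registered-domain assumption and the sample queries are constructed for the example.

```python
"""DNS tunneling / DGA heuristic: flag queries whose labels below the registered
domain are unusually long or have unusually high Shannon entropy."""
import math
from collections import Counter

def shannon_entropy(text):
    """Bits per character of the text's empirical character distribution."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def subdomain_part(qname, registered_labels=2):
    """Labels left of the registered domain. Assumes a two-label registered
    domain (example.com); a real deployment would use a public suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-registered_labels])

def score_query(qname, max_len=52, max_entropy=3.8, min_len_for_entropy=12):
    """Return the query's features and the reasons it triggers.
    Threshold values are illustrative assumptions, not product defaults."""
    sub = subdomain_part(qname)
    payload = sub.replace(".", "")
    entropy = shannon_entropy(payload)
    reasons = []
    if len(sub) > max_len:
        reasons.append("long-subdomain")
    # Entropy is only meaningful once there are enough characters to estimate it.
    if len(payload) >= min_len_for_entropy and entropy > max_entropy:
        reasons.append("high-entropy")
    return {"qname": qname, "sub_len": len(sub), "entropy": round(entropy, 2), "reasons": reasons}

def flag_queries(qnames):
    """Run the heuristic over a batch and keep only the queries that trigger it."""
    return [r for r in (score_query(q) for q in qnames) if r["reasons"]]

# Constructed sample queries; the tunnel-like one carries 64 encoded characters in two labels.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.corp.example.com",
    "kqz3mvb1xn0ptw2ryc5ldj4hgfsaueoi.ioeuasfgh4jdl5cyr2wtp0nx1bvm3zqk.example.net",
    "q3x8vk2zp9wlr7tn.example.org",
]

if __name__ == "__main__":
    for hit in flag_queries(SAMPLE_QUERIES):
        print(hit)
```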
Threat Intelligence
Matches the source IP against known-bad reputation lists (botnet C2 / Spamhaus DROP).
VPN Management — Work Hours, Access and Auto-Restriction
IzGuard doesn't just monitor SSL-VPN; it controls access by work-hour rules, automatically acts on risky sessions and produces detailed per-user reports.
Work Schedule Management
Default work hours + per-user schedules + date-ranged shifts. Schedule source: manual table, external endpoint (method+auth+header) or file (CSV·TXT·.xlsx).
Auto-Restriction by Work Hours
VPN sessions opened outside a user's work window are terminated automatically — after-hours access is blocked from the start.
Long-Session Protection
VPN sessions exceeding the duration you set are dropped automatically; forgotten or left-open sessions are closed.
Access Tracking
Who connected, when, from which tunnel IP and which destinations they reached — end-to-end visibility via tunnel-IP ↔ traffic log correlation.
Log & Session Tracking
Live SSL-VPN sessions, login/logout and usage statistics; per-user active-work ratio and total connected time.
Alerts & Reports
Real-time email alerts on after-hours or long sessions; per-user daily/weekly automatic PDF/Excel reports.
Threshold-Based Detection + Automated Response
Define a threshold, time window and action per attack type; IzGuard applies the decision within seconds. Recommended values come as defaults.
- Detected types: Port Scan, SYN/HTTP/ICMP/DNS Flood, Login/VPN/SMTP/RDP-SMB Brute-Force, Deny Flood and IPS/WAF events.
- Actions: Monitor · Warn · Block · Log — per type, with a configurable ban duration.
- Auto-ban: attacker IPs exceeding the score threshold are quarantined on FortiGate and their active sessions are dropped.
- IP Whitelist: trusted IPs/CIDRs are never flagged by any detection/ban; adding them also clears existing bans automatically.
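The threshold + window + action logic and the whitelist rules in the list above, as an added example rather than IzGuard's own engine: events are counted per (source IP, attack type) in a sliding window, the rule's action fires at the threshold, whitelisted sources are never counted, and whitelisting a range clears bans inside it. The rule values and addresses are constructed assumptions; the firewall call is left as a comment.

```python
"""Threshold + time-window + action engine with an IP whitelist: events are
counted per (source IP, attack type) inside a sliding window and the rule's
action fires once the count reaches the threshold. Whitelisted sources are
never flagged, and whitelisting a range lifts existing bans inside it."""
import ipaddress
from collections import defaultdict, deque

# Illustrative rules: threshold, window (s), action and ban duration (s).
# Constructed for this example, not the product's recommended defaults.
RULES = {
    "port_scan":   {"threshold": 20, "window": 60,  "action": "block", "ban": 3600},
    "login_brute": {"threshold": 10, "window": 300, "action": "block", "ban": 86400},
    "icmp_flood":  {"threshold": 50, "window": 10,  "action": "warn",  "ban": 0},
}

class ThresholdEngine:
    def __init__(self, rules, whitelist_cidrs=()):
        self.rules = rules
        self.whitelist = [ipaddress.ip_network(c) for c in whitelist_cidrs]
        self.windows = defaultdict(deque)  # (ip, type) -> timestamps inside the window
        self.banned = {}                   # ip -> ban expiry (epoch seconds)

    def is_whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def feed(self, ip, attack_type, ts):
        """Record one event; return the action it triggers or None."""
        rule = self.rules.get(attack_type)
        if rule is None or self.is_whitelisted(ip):
            return None
        window = self.windows[(ip, attack_type)]
        window.append(ts)
        while ts - window[0] > rule["window"]:  # drop events older than the window
            window.popleft()
        if len(window) < rule["threshold"]:
            return None
        if rule["action"] == "block" and ip not in self.banned:
            # A real deployment would call the firewall API here to quarantine the IP.
            self.banned[ip] = ts + rule["ban"]
        return rule["action"]

    def whitelist_add(self, cidr):
        """Trust a range; any active ban on an address inside it is cleared."""
        net = ipaddress.ip_network(cidr)
        self.whitelist.append(net)
        for ip in [b for b in self.banned if ipaddress.ip_address(b) in net]:
            del self.banned[ip]
```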
Attack Map and Live Threat Feeds
Visualize where attacks come from and auto-block known-bad sources.
- GeoIP attack map: country bubbles and city dots on a world map, plus country and ASN distribution.
- Threat-intel feeds: IP/CIDR blocklist URLs (default: abuse.ch Feodo Tracker + Spamhaus DROP), refreshed periodically.
- Country/city/ASN resolution via DB-IP Lite; optional city database for per-IP location.
Automated Security and VPN Reports
Management- and audit-ready outputs; download on demand or receive scheduled email.
- Security reports: attacker/threat summary — download PDF/Excel or email on demand, plus daily/weekly automatic email (PDF/Excel attached).
- VPN reports: per-user (active-work ratio, login/logout, connected time, visited destinations) — on-demand, scheduled and real-time (after-hours/long session) email.
- Branded PDF and Excel (.xlsx) outputs; recipients and send time are configurable.
Runs On-Site, Manages Itself
Installs with one command, updates itself; your data never leaves.
- On-premise Docker compose: receiver + analyzer + PostgreSQL + Elasticsearch — two binaries in one image.
- One-line install script with your license key. Just point your firewall to send syslog to the agent IP (udp/tcp 5514).
- Self-update: checks the published image's sha256 tag every 10 minutes; if different, pulls the image and restarts.
- FortiGate REST integration (API token for Performance/VPN); all other firewall/IPS/WAF devices work via syslog.
- Data sovereignty: all logs, session records and analysis results are processed and kept only on your own server — no data ever leaves, nothing is sent to us.