WatchGuard Fireware XTM Web UI User Guide

WatchGuard System Manager v11.2.1 User Guide
Fireware XTM
Web UI
v11.2.1 User Guide
WatchGuard XTM1050
Firebox XPeak e-Series
Firebox XCore e-Series
Firebox XEdge e-Series
User Guide ii
About this User Guide
The Fireware XTM Web UI User Guide is updated with each major product release. For minor product
releases, only the Fireware XTM Web UI Help system is updated. The Help system also includes specific,
task-based implementation examples that are not available in the User Guide.
For the most recent product documentation, see the Fireware XTM Web UI Help on the WatchGuard web
site at: http://www.watchguard.com/help/documentation/.
Information in this guide is subject to change without notice. Companies, names, and data used in examples
herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any
form or by any means, electronic or mechanical, for any purpose, without the express written permission
of WatchGuard Technologies, Inc.
Guide revised: 2/26/2010
Copyright, Trademark, and Patent Information
Copyright © 1998-2010 WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade names
mentioned herein, if any, are the property of their respective owners.
Complete copyright, trademark, patent, and licensing information can be found in the Copyright and
Licensing Guide, available online at: http://www.watchguard.com/help/documentation/
Note: This product is for indoor use only.
About WatchGuard
WatchGuard offers affordable, all-in-one network and content security
solutions that provide defense-in-depth and help meet regulatory
compliance requirements. The WatchGuard XTM line combines firewall,
VPN, GAV, IPS, spam blocking and URL filtering to protect your network
from spam, viruses, malware, and intrusions. The new XCS line offers email
and web content security combined with data loss prevention. WatchGuard
extensible solutions scale to offer right-sized security ranging from small
businesses to enterprises with 10,000+ employees. WatchGuard builds
simple, reliable, and robust security appliances featuring fast
implementation and comprehensive management and reporting tools.
Enterprises throughout the world rely on our signature red boxes to
maximize security without sacrificing efficiency and productivity.
For more information, please call 206.613.6600 or visit
www.watchguard.com.
Address
505 Fifth Avenue South
Suite 500
Seattle, WA 98104
Support
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575
Sales
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895
Table of Contents
Introduction to Network Security 1
About networks and network security 1
About Internet connections 1
About protocols 2
About IP addresses 3
Private addresses and gateways 3
About subnet masks 3
About slash notation 3
About entering IP addresses 4
Static and dynamic IP addresses 4
About DNS (Domain Name System) 5
About firewalls 6
About services and policies 7
About ports 8
The Firebox or XTM device and your network 8
Introduction to Fireware XTM 11
About Fireware XTM 11
Fireware XTM Components 12
WatchGuard System Manager 12
WatchGuard Server Center 13
Fireware XTM Web UI and Command Line Interface 14
Fireware XTMwith a Pro Upgrade 15
Service and Support 17
About WatchGuard Support 17
LiveSecurity Service 17
LiveSecurity Service Gold 18
Service expiration 18
Getting Started 19
Before you begin 19
Verify basic components 19
Get a Firebox or XTM device feature key 20
Gather network addresses 20
Select a firewall configuration mode 21
About the Quick Setup Wizard 22
Run the Web Setup Wizard 23
Connect to Fireware XTMWeb UI 26
Connect to Fireware XTMWeb UI from an external network 27
About Fireware XTMWeb UI 27
Limitations of Fireware XTMWeb UI 28
Complete your installation 29
Customize your security policy 30
About LiveSecurity Service 30
Additional installation topics 30
Connect to a Firebox or XTM device with Firefox v3 30
Identify your network settings 32
Set your computer to connect to your Firebox or XTM device 35
Disable the HTTP proxy in the browser 36
Configuration and Management Basics 39
About basic configuration and management tasks 39
Make a backup of the Firebox or XTM device image 39
Restore a Firebox or XTM device backup image 39
Reset a Firebox or XTM device to a previous or new configuration 41
Start a Firebox XCore or Peak e-Series, or a WatchGuard XTM device in safe mode 41
Reset a Firebox XEdge e-Series or WatchGuard XTM2 Series device to factory default settings
42
Run the Quick Setup Wizard 42
About factory default settings 42
About feature keys 44
When you purchase a new feature 44
See features available with the current feature key 44
Get a feature key from LiveSecurity 45
Add a feature key to your Firebox or XTM device 47
Restart your Firebox or XTM device 48
Restart the Firebox or XTM device locally 48
Restart the Firebox or XTM device remotely 49
Enable NTP and add NTP servers 49
Set the time zone and basic device properties 51
About SNMP 52
SNMP polls and traps 52
About Management Information Bases (MIBs) 52
Enable SNMP polling 54
Enable SNMP management stations and traps 55
About WatchGuard Passphrases, Encryption Keys, and Shared Keys 57
Create a secure passphrase, encryption key, or shared key 57
Firebox or XTM device Passphrases 57
User Passphrases 58
Server Passphrases 58
Encryption Keys and Shared Keys 58
Change Firebox or XTM device passphrases 60
Define Firebox or XTM device global settings 61
Define ICMP error handling global settings 61
Enable TCP SYN checking 62
Define TCP maximum segment size adjustment global settings 62
Enable or disable Traffic Management and QoS 63
Change the Web UI port 63
Automatic Reboot 63
External Console 63
About WatchGuard Servers 64
Manage a Firebox or XTM device from a remote location 65
Configure a Firebox or XTM device as a managed device 67
Edit the WatchGuard policy 67
Set up the Managed Device 68
Upgrade to a new version of Fireware XTM 69
Install the upgrade on your management computer 69
Upgrade the Firebox or XTM device 70
Download the configuration file 70
About upgrade options 70
Subscription Services upgrades 70
Appliance and software upgrades 71
How to apply an upgrade 71
Network Setup and Configuration 73
About network interface setup 73
Network modes 74
Interface types 75
About network interfaces on the Edge e-Series 75
Mixed Routing Mode 76
Configure an external interface 76
Configure DHCP in mixed routing mode 79
About the Dynamic DNS service 82
Configure Dynamic DNS 82
Drop-in Mode 83
Use drop-in mode for network interface configuration 84
Configure related hosts 84
Configure DHCP in drop-in mode 85
Bridge Mode 88
Common interface settings 90
Disable an interface 92
Configure DHCPRelay 92
Restrict network traffic by MAC address 92
Add WINS and DNS server addresses 93
Configure a secondary network 94
About advanced interface settings 95
Network Interface Card (NIC)settings 96
Set DF bit for IPSec 97
PMTU Setting for IPSec 98
Use static MAC address binding 98
Find the MAC address of a computer 99
About LAN bridges 99
Create a network bridge configuration 99
Assign a network interface to a bridge 100
About routing 101
Add a static route 101
About virtual local area networks (VLANs) 102
VLAN requirements and restrictions 103
About tagging 103
Define a new VLAN 103
Assign interfaces to a VLAN 106
Network Setup Examples 106
Use your Firebox or XTM device with the 3G Extend wireless bridge 107
Multi-WAN 109
About using multiple external interfaces 109
Multi-WAN requirements and conditions 109
Multi-WAN and DNS 110
About multi-WAN options 110
Round-robin order 110
Failover 110
Interface overflow 111
Routing table 111
Serial modem (Firebox XEdge only) 112
Configure Round-robin 113
Before You Begin 113
Configure the interfaces 113
Find how to assign weights to interfaces 113
Configure Failover 114
Before You Begin 114
Configure the interfaces 114
Configure Interface Overflow 115
Before You Begin 115
Configure the interfaces 115
Configure Routing Table 115
Before you begin 115
Routing Table mode and load balancing 116
Configure the interfaces 116
About the Firebox or XTM device route table 116
When to use multi-WAN methods and routing 117
Serial modem failover 118
Enable serial modem failover 118
Account settings 119
DNS settings 119
Dial-up settings 120
Advanced settings 120
Link Monitor settings 121
About advanced multi-WAN settings 122
Set a global sticky connection duration 122
Set the failback action 123
About WAN interface status 123
Time needed for the Firebox or XTM device to update its route table 123
Define a link monitor host 124
Network Address Translation (NAT) 127
About Network Address Translation 127
Types of NAT 128
About dynamic NAT 128
Add firewall dynamic NAT entries 128
Configure policy-based dynamic NAT 131
About 1-to-1 NAT 132
About 1-to-1 NAT and VPNs 133
Configure firewall 1-to-1 NAT 133
Configure policy-based 1-to-1 NAT 136
Configure NAT loopback with static NAT 138
Add a policy for NATloopback to the server 139
NAT loopback and 1-to-1 NAT 140
About static NAT 143
Configure server load balancing 144
NAT Examples 146
1-to-1 NAT example 146
Wireless Setup 149
About wireless configuration 149
About wireless access point configuration 150
Before you begin 151
About wireless configuration settings 152
Enable/disable SSID broadcasts 152
Change the SSID 153
Log authentication events 153
Change the fragmentation threshold 153
Change the RTS threshold 154
About wireless security settings 155
Set the wireless authentication method 155
Set the encryption level 155
Enable wireless connections to the trusted or optional network 157
Enable a wireless guest network 159
Configure your external interface as a wireless interface 161
Configure the primary external interface as a wireless interface 161
Configure a BOVPN tunnel for additional security 163
About wireless radio settings on the Firebox X Edge e-Series Wireless device 164
Set the operating region and channel 165
Set the wireless mode of operation 166
About wireless radio settings on the WatchGuard XTM2 Series Wireless device 167
Country is set automatically 168
Select the Band and Wireless mode 168
Select the Channel 169
Configure the wireless card on your computer 170
Dynamic Routing 171
About dynamic routing 171
About routing daemon configuration files 171
About Routing Information Protocol (RIP) 172
Routing Information Protocol (RIP) commands 172
Configure the Firebox or XTM device to use RIP v1 174
Configure the Firebox or XTM device to use RIP v2 175
Sample RIP routing configuration file 177
About Open Shortest Path First (OSPF) Protocol 178
OSPF commands 179
OSPF Interface Cost table 182
Configure the Firebox or XTM device to use OSPF 182
Sample OSPF routing configuration file 184
About Border Gateway Protocol (BGP) 186
BGP commands 187
Configure the Firebox or XTM device to use BGP 189
Sample BGP routing configuration file 190
Authentication 193
About user authentication 193
User authentication steps 194
Manage authenticated users 195
Use authentication to restrict incoming traffic 195
Use authentication through a gateway Firebox 196
Set global authentication values 196
Set global authentication timeouts 197
Allow multiple concurrent logins 197
Limit login sessions 197
Automatically redirect users to the login portal 198
Use a custom default start page 198
Set Management Session timeouts 199
About the WatchGuard Authentication (WG-Auth) policy 199
About Single Sign-On (SSO) 199
Before You Begin 201
Set up SSO 201
Install the WatchGuard Single Sign-On (SSO) agent 201
Install the WatchGuard Single Sign-On (SSO) client 202
Enable Single Sign-On (SSO) 203
Authentication server types 204
About using third-party authentication servers 204
Use a backup authentication server 205
Configure your Firebox or XTM device as an authentication server 205
Types of Firebox authentication 205
Define a new user for Firebox authentication 208
Define a new group for Firebox authentication 210
Configure RADIUS server authentication 211
Authentication key 211
RADIUSauthentication methods 211
Before you begin 211
Use RADIUSserver authentication with your Firebox or XTM device 211
How RADIUS server authentication works 213
Configure VASCO server authentication 216
Configure SecurID authentication 218
Configure LDAP authentication 219
About LDAP optional settings 221
Configure Active Directory authentication 222
About Active Directory optional settings 223
Find your Active Directory search base 224
Change the default port for the Active Directory server 224
Use Active Directory or LDAP Optional Settings 225
Before You Begin 225
Specify Active Directory or LDAP Optional Settings 226
Use a local user account for authentication 229
Use authorized users and groups in policies 229
Define users and groups for Firebox authentication 229
Define users and groups for third-party authentication 229
Add users and groups to policy definitions 230
Policies 233
About policies 233
Packet filter and proxy policies 233
About adding policies to your Firebox or XTM device 234
About the Firewall or Mobile VPN Policies page 235
Add policies to your configuration 236
Add a policy from the list of templates 237
Disable or delete a policy 237
About aliases 239
Alias members 239
Create an alias 240
About policy precedence 241
Automatic policy order 241
Policy specificity and protocols 241
Traffic rules 242
Firewall actions 242
Schedules 243
Policy types and names 243
Create schedules for Firebox or XTM device actions 243
Set an operating schedule 244
About custom policies 244
Create or edit a custom policy template 245
About policy properties 247
Policy tab 247
Properties tab 247
Advanced tab 247
Proxy settings 248
Set access rules for a policy 248
Configure policy-based routing 250
Set a custom idle timeout 252
Set ICMP error handling 252
Apply NAT rules 252
Set the sticky connection duration for a policy 253
Proxy Settings 255
About proxy policies and ALGs 255
Proxy configuration 256
About Application Blocker Configurations 256
Configure Application Blocker 256
About Skype and Application Blocker 257
Add a proxy policy to your configuration 258
About proxy actions 259
Set the proxy action in a proxy definition 260
Edit, delete, or clone proxy actions 260
About predefined and user-defined proxy actions 260
About the DNS proxy 261
Policy tab 261
Properties tab 261
Advanced tab 261
Settings and Content tabs 262
DNSProxy:Content 262
DNSProxy:Settings 263
About the FTP proxy 264
Policy tab 265
Properties tab 265
Advanced tab 266
Settings and Content tabs 266
FTP proxy: Content 266
FTPProxy:Settings 267
About the H.323 ALG 268
VoIPcomponents 268
ALGfunctions 269
Policy tab 269
Properties tab 270
Advanced tab 270
Settings and Content tabs 270
H.323 ALG:Content 270
H.323 ALG:Settings 272
About the HTTP proxy 273
Policy tab 274
Properties tab 275
Advanced tab 275
Settings, Content and Application Blocker tabs 275
Enable Windows updates through the HTTPproxy 275
HTTP proxy: Settings tab 276
HTTP proxy: Content tab 280
HTTPproxy: Application Blocker 282
About the HTTPS proxy 282
Policy tab 282
Properties tab 282
Advanced tab 283
Settings and Content tabs 283
HTTPSProxy:Content 283
HTTPSProxy:Settings 285
About the POP3 proxy 287
Policy tab 287
Properties tab 288
Advanced tab 288
Settings and Content tabs 288
POP3Proxy:Content 288
POP3Proxy:Settings 289
About the SIP proxy 290
VoIPcomponents 290
ALGfunctions 291
Policy tab 291
Properties tab 291
Advanced tab 292
Settings and Content tabs 292
SIP ALG:Content 292
SIP ALG:Settings 294
About the SMTP proxy 295
Policy tab 295
Properties tab 295
Advanced tab 296
Settings, Addressing, and Content tabs 296
SMTPProxy:Addressing 296
SMTPProxy:Content 297
SMTPProxy:Settings 298
Configure the SMTPproxy to quarantine email 299
About the TCP-UDP proxy 300
Policy tab 300
Properties tab 300
Advanced tab 301
Settings and Content tabs 301
TCP-UDP Proxy: Settings 301
TCP-UDPProxy:Content 302
Traffic Management and QoS 303
About Traffic Management and QoS 303
Enable traffic management and QoS 303
Guarantee bandwidth 304
Restrict bandwidth 305
QoS Marking 305
Traffic priority 305
Set Outgoing Interface Bandwidth 305
Set Connection Rate Limits 307
About QoS Marking 307
Before you begin 307
QoS markingfor interfaces and policies 307
QoS marking and IPSec traffic 308
Marking types and values 308
Enable QoS Marking for an interface 310
Enable QoS Marking or prioritization settings for a policy 310
Traffic control and policy definitions 312
Define a Traffic Management action 312
Add a Traffic Management action to a policy 313
Default Threat Protection 315
About default threat protection 315
About default packet handling options 316
About spoofing attacks 317
About IP source route attacks 317
About port space and address space probes 318
About flood attacks 320
About unhandled packets 322
About distributed denial-of-service attacks 322
About blocked sites 323
Permanently blocked sites 324
Auto-blocked sites/Temporary Blocked Sites list 324
See and edit the sites on the Blocked Sites list 324
Block a site permanently 324
Create Blocked Site Exceptions 325
Block sites temporarily with policy settings 326
Change the duration that sites are auto-blocked 326
About blocked ports 327
Default blocked ports 327
Block a port 329
Logging and Notification 331
About logging and log files 331
Log Servers 331
System Status Syslog 332
Logging and notification in applications and servers 332
About log messages 332
Types of log messages 333
Send log messages to a WatchGuard Log Server 334
Add, edit, or change the priority of Log Servers 334
Send log information to a Syslog host 335
Configure Logging Settings 336
Set the diagnostic log level 337
Configure logging and notification for a policy 338
Set logging and notification preferences 339
Use Syslog to see log message data 340
View, Sort, and Filter log message data 340
Refresh log message data 341
Monitor Your Device 1
About the Dashboard and System Status Pages 1
The Dashboard 1
System Status pages 3
ARP Table 4
Authentication List 4
Bandwidth Meter 5
Blocked Sites 5
Add or edit temporary blocked sites 6
Checksum 7
Connections 7
Components List 7
CPUUsage 7
DHCP Leases 8
Diagnostics 8
Run a basic diagnostics command 9
Use command arguments 9
Dynamic DNS 10
Feature Key 10
When you purchase a new feature 11
See features available with the current feature key 11
Interfaces 12
LiveSecurity 12
Memory 13
Outbound Access List 13
Processes 14
Routes 15
Syslog 15
Traffic Management 16
VPN Statistics 16
Wireless statistics 17
Certificates 19
About certificates 19
Use multiple certificates to establish trust 19
How the Firebox or XTM device uses certificates 20
Certificate lifetimes and CRLs 20
Certificate authorities and signing requests 21
Certificate Authorities Trusted by the Firebox or XTM device 21
See and manage Firebox or XTM device certificates 26
Create a CSR with OpenSSL 28
Use OpenSSL to generate a CSR 28
Sign a certificate with Microsoft CA 29
Issue the certificate 29
Download the certificate 30
Use Certificates for the HTTPS Proxy 31
Protect a private HTTPSserver 31
Examine content from external HTTPS servers 32
Export the HTTPScontent inspection certificate 32
Import the certificates on client devices 33
Troubleshoot problems with HTTPScontent inspection 33
Use certificates for Mobile VPN with IPSec tunnel authentication 33
Certificates for Branch Office VPN (BOVPN) tunnel authentication 34
Verify the certificate with FSM 34
Verify VPN certificates with an LDAP server 35
Configure the web server certificate for Firebox authentication 35
Import a certificate on a client device 37
Import a PEMformat certificate with Windows XP 37
Import a PEMformat certificate with Windows Vista 37
Import a PEMformat certificate with Mozilla Firefox 3.x 37
Import a PEMformat certificate with Mac OSX10.5 39
Virtual Private Networks (VPNs) 41
Introduction to VPNs 41
Branch Office VPN 41
Mobile VPN 42
About IPSec VPNs 42
About IPSec algorithms and protocols 42
About IPSec VPN negotiations 44
Configure Phase 1 and Phase 2 settings 47
About Mobile VPNs 48
Select a Mobile VPN 48
Internet access options for Mobile VPN users 50
Mobile VPN setup overview 51
Branch Office VPNs 53
What you need to create a manual BOVPN 53
About manual Branch Office VPN tunnels 54
What you need to create a VPN 54
How to create a manual BOVPNtunnel 55
One-way tunnels 55
VPN Failover 55
Global VPN settings 55
BOVPNtunnel status 56
Rekey BOVPNtunnels 56
Sample VPN address information table 57
Configure gateways 58
Define gateway endpoints 60
Configure mode and transforms (Phase 1 settings) 61
Edit and delete gateways 66
Disable automatic tunnel startup 66
If your Firebox or XTM device is behind a device that does NAT 66
Make tunnels between gateway endpoints 68
Define a tunnel 68
Add routes for a tunnel 70
Configure Phase 2 settings 70
Add a Phase 2 proposal 72
Change order of tunnels 73
About global VPN settings 73
Enable IPSec Pass-through 74
Enable TOS for IPSec 74
Enable LDAP server for certificate verification 75
Use 1-to-1 NATthrough a Branch Office VPN tunnel 76
1-to-1 NAT and VPNs 76
Other reasons to use 1-to-1 NAT through a VPN 76
Alternative to using NAT 76
How to set up the VPN 77
Example 77
Configure the local tunnel 78
Configure the remote tunnel 80
Define a route for all Internet-bound traffic 81
Configure the BOVPN tunnel on the remote Firebox or XTM device 82
Configure the BOVPN tunnel on the central Firebox or XTM device 83
Add a dynamic NATentry on the central Firebox or XTM device 84
Enable multicast routing through a Branch Office VPN tunnel 85
Enable a Firebox or XTM device to send multicast traffic through a tunnel 87
Enable the other Firebox or XTM device to receive multicast traffic through a tunnel 89
Enable broadcast routing through a Branch Office VPN tunnel 89
Enable broadcast routing for the local Firebox or XTM device 90
Configure broadcast routing for the Firebox or XTM device at the other end of the tunnel 91
Configure VPN Failover 92
Define multiple gateway pairs 93
See VPN statistics 94
Rekey BOVPN tunnels 94
Related questions about Branch Office VPN setup 94
Why do I need a static external address? 94
How do I get a static external IP address? 95
How do I troubleshoot the connection? 95
Why is ping not working? 95
How do I set up more than the number of allowed VPN tunnels on my Edge? 95
Improve Branch Office VPN tunnel availability 96
Mobile VPN with PPTP 101
About Mobile VPN with PPTP 101
Mobile VPN with PPTP requirements 101
Encryption levels 102
Configure Mobile VPN with PPTP 102
Authentication 103
Encryption Settings 104
Add to the IP Address Pool 104
Advanced Tab settings 105
Configure WINS and DNS servers 106
Add new users to the PPTP-Users group 106
Configure policies to allow Mobile VPN with PPTP traffic 108
Configure policies to allow Mobile VPN with PPTP traffic 109
Allow PPTP users to access a trusted network 109
Use other groups or users in a PPTP policy 109
Options for Internet access through a Mobile VPN with PPTP tunnel 110
Default-route VPN 110
Split tunnel VPN 110
Default-route VPN setup for Mobile VPN with PPTP 110
Split tunnel VPN setup for Mobile VPN with PPTP 111
Prepare client computers for PPTP 111
Prepare a Windows NT or 2000 client computer: Install MSDUN and service packs 111
Create and connect a PPTP Mobile VPN for Windows Vista 112
Create and connect a PPTP Mobile VPN for Windows XP 113
Create and connect a PPTP Mobile VPN for Windows 2000 114
Make outbound PPTP connections from behind a Firebox or XTM device 115
Mobile VPN with IPSec 117
About Mobile VPN with IPSec 117
Configure a Mobile VPN with IPSec connection 117
System requirements 118
Options for Internet access through a Mobile VPN with IPSec tunnel 118
About Mobile VPN client configuration files 119
Configure the Firebox or XTM device for Mobile VPN with IPSec 119
Add users to a Firebox Mobile VPN group 126
Modify an existing Mobile VPN with IPSec group profile 127
Configure WINS and DNS servers 137
Lock down an end user profile 138
Mobile VPN with IPSec configuration files 138
Configure policies to filter Mobile VPN traffic 139
Distribute the software and profiles 139
Additional Mobile VPN topics 140
Configure Mobile VPN with IPSec to a dynamic IPaddress 141
About the Mobile VPNwith IPSec client 142
Client Requirements 143