Watchguard Fireware XTM Web UI User guide

Fireware XTM Web UI 11.7 User Guide
WatchGuard XTM Devices
ii Fireware XTM Web UI
About this User Guide
The Fireware XTM Web UI User Guide is updated with each major product release. For minor product releases, only the Fireware XTM Web UI Help system is updated. The Help system also includes specific, task-based implementation examples that are not available in the User Guide.
For the most recent product documentation, see the Fireware XTM Web UI Help on the WatchGuard web site at: http://www.watchguard.com/help/documentation/.
Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.
Guide revised: 1/24/2013
Copyright, Trademark, and Patent Information
Copyright © 1998–2011 WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade names mentioned herein, if any, are the property of their respective owners.
Complete copyright, trademark, patent, and licensing information can be found in the Copyright and Licensing Guide, available online at: http://www.watchguard.com/help/documentation/
Note: This product is for indoor use only.
About WatchGuard
WatchGuard offers affordable, all-in-one network and content security solutions that provide defense-in-depth and help meet regulatory compliance requirements. The WatchGuard XTM line combines firewall, VPN, GAV, IPS, spam blocking and URL filtering to protect your network from spam, viruses, malware, and intrusions. The new XCS line offers email and web content security combined with data loss prevention. WatchGuard extensible solutions scale to offer right-sized security ranging from small businesses to enterprises with 10,000+ employees.
WatchGuard builds simple, reliable, and robust security appliances featuring fast implementation and comprehensive management and reporting tools. Enterprises throughout the world rely on our signature red boxes to maximize security without sacrificing efficiency and productivity.
For more information, please call 206.613.6600 or visit www.watchguard.com.
Address
505 Fifth Avenue South
Suite 500
Seattle, WA 98104
Support
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575
Sales
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895
User Guide iii
Table of Contents
Fireware XTM Web UI 11.7 User Guide 1
Introduction to Network Security 1
About Networks and Network Security 1
About Internet Connections 1
About Protocols 2
About IP Addresses 3
IPv4 Addresses 3
IPv6 Addresses 4
About Slash Notation 5
About Entering Addresses 6
Static and Dynamic IP Addresses 6
About DNS (Domain Name System) 7
About Firewalls 8
About Services and Policies 9
About Ports 10
The XTM Device and Your Network 10
Introduction to Fireware XTM 13
About Fireware XTM 13
Fireware XTM Components 14
WatchGuard System Manager 14
WatchGuard Server Center 15
Fireware XTM Web UI and Command Line Interface 16
Fireware XTMwith a Pro Upgrade 17
Fireware XTM on an XTMv Device 18
XTMv Device Limitations 18
XTMv Device Installation 18
VMware Virtual Switch Configuration 18
FIPS Support in Fireware XTM 19
About FIPSMode 19
FIPS Mode Operation and Constraints 19
Service and Support 21
About WatchGuard Support 21
LiveSecurity Service 21
LiveSecurity Service Gold 22
Service Expiration 23
Getting Started 25
Before You Begin 25
Verify Basic Components 25
Get an XTM Device Feature Key 26
Gather Network Addresses 26
Select a Firewall Configuration Mode 27
About the Quick Setup Wizard 28
Run the Web Setup Wizard 29
Connect to Fireware XTMWeb UI 32
Connect to Fireware XTMWeb UI from an External Network 33
About Fireware XTMWeb UI 34
Limitations of Fireware XTM Web UI 35
Complete Your Installation 36
Customize Your Security Policy 36
About LiveSecurity Service 36
Additional Installation Topics 37
Connect to an XTM Device with Firefox v3 37
Identify Your Network Settings 38
Set Your Computer to Connect to Your XTM Device 40
Disable the HTTP Proxy in the Browser 41
Configuration and Management Basics 43
About Basic Configuration and Management Tasks 43
Make a Backup of the XTM Device Image 43
Restore an XTM Device Backup Image 44
Use a USB Drive for System Backup and Restore 45
About the USB Drive 45
Save a Backup Image to a Connected USB Drive 45
Restore a Backup Image from a Connected USB Drive 46
Automatically Restore a Backup Image from a USB Drive 46
USB Drive Directory Structure 49
Save a Backup Image to a USB Drive Connected to Your Computer 50
Use a USBDrive to Save a Support Snapshot 50
Reset an XTM Device 52
Start an XTM Device in Safe Mode 52
Reset an XTM 2 Series or XTM33 to Factory-Default Settings 52
Reset an XTMv to Factory-Default Settings 53
Run the Setup Wizard 53
About Factory-Default Settings 53
About Feature Keys 55
See Features Available with the Current Feature Key 55
Get a Feature Key for Your XTMDevice 56
Manually Add a Feature Key to Your XTM Device 59
Enable Automatic Feature Key Synchronization 61
Restart Your XTM Device 62
Restart the XTM Device Locally 62
Restart the XTM Device Remotely 62
Enable NTP and Add NTP Servers 63
Set the Time Zone and Basic Device Properties 64
About SNMP 65
SNMP Polls and Traps 65
Enable SNMP Polling 66
Enable SNMP Management Stations and Traps 67
About Management Information Bases (MIBs) 69
About WatchGuard Passphrases, Encryption Keys, and Shared Keys 70
Create a Secure Passphrase, Encryption Key, or Shared Key 70
XTM Device Passphrases 71
User Passphrases 71
Server Passphrases 71
Encryption Keys and Shared Keys 72
Change XTM Device Passphrases 73
Define XTM Device Global Settings 74
Define ICMP Error Handling Global Settings 75
Configure TCP Settings 76
Enable or Disable Traffic Management and QoS 76
Change the Web UI Port 76
Enable the External Console on a Firebox X Edge e-Series Device 77
Automatic Reboot 77
About WatchGuard Servers 77
Manage an XTM Device From a Remote Location 79
Configure an XTM Device as a Managed Device 81
Edit the WatchGuard Policy 81
Set Up the Managed Device 82
Upgrade to a New Version of Fireware XTM 84
Install the Upgrade on Your Management Computer 84
Upgrade the XTM Device 84
Downgrade Fireware XTMOS 86
Use a Saved Backup Image to Downgrade 86
Downgrade Without a Backup Image 86
Use the Web UI to Downgrade from Fireware XTM OS v11.7 or Higher 87
Download or Show the XTMDevice Configuration 89
Download the Configuration File 89
Show the XTMConfiguration Report 89
About Upgrade Options 91
Subscription Services Upgrades 91
Appliance and Software Upgrades 91
How to Apply an Upgrade 92
About Subscription Services Expiration 92
Subscription Renewal Reminders 92
Feature Key Compliance 93
Security Service Expiration Behavior 93
Gateway AntiVirus 93
Intrusion Prevention Service (IPS) 93
WebBlocker 94
spamBlocker 94
Reputation Enabled Defense 94
Application Control 94
LiveSecurity Service 95
Synchronize Subscription Renewals 95
Renew Subscription Services 95
Subscription Services Status and Manual Signatures Updates 95
Network Setup and Configuration 97
About Network Interface Setup 97
Network Modes 98
Interface Types 99
About Private IPAddresses 99
About IPv6 Support 100
Mixed Routing Mode 102
Configure an External Interface 102
Enable IPv6 for an External Interface 106
Enable IPv6 for a Trusted or Optional Interface 108
Configure IPv6 Connection Settings 111
Configure DHCP in Mixed Routing Mode 112
About the Dynamic DNS Service 114
Configure Dynamic DNS 115
Drop-In Mode 116
Use Drop-In Mode for Network Interface Configuration 117
Configure Related Hosts 117
Configure DHCP in Drop-In Mode 119
Bridge Mode 123
Enable Bridge Mode 124
Allow Management Access from a VLAN 124
Common Interface Settings 125
Disable an Interface 126
Configure DHCPRelay 126
Restrict Network Traffic by MAC Address 126
Add WINS and DNS Server Addresses 127
Add a Secondary Network IPAddress 129
About Advanced Interface Settings 132
Network Interface Card (NIC)Settings 132
Set DF Bit for IPSec 134
PMTU Setting for IPSec 134
Use Static MAC Address Binding 135
Find the MAC Address of a Computer 136
About LAN Bridges 136
Create a Network Bridge Configuration 136
Assign a Network Interface to a Bridge 139
About Routing 140
Add a Static Route 140
About Virtual Local Area Networks (VLANs) 142
VLAN Requirements and Restrictions 142
About Tagging 143
About VLANIDNumbers 143
Define a New VLAN 143
Assign Interfaces to a VLAN 146
About Link Aggregation 148
Requirements and Limitations 148
Link Aggregation Modes 148
Configure Link Aggregation 150
Monitor Link Aggregation Interfaces 156
Network Setup Examples 157
Configure Two VLANs on the Same Interface 157
Configure One VLAN Bridged Across Two Interfaces 161
Use the Broadband Extend or 3G Extend Wireless Bridge 165
Multi-WAN 167
About Using Multiple External Interfaces 167
Multi-WAN Requirements and Conditions 167
Multi-WAN and DNS 168
About Multi-WAN Options 169
Round-Robin Order 169
Failover 169
Interface Overflow 170
Routing Table 170
Serial Modem (XTM2 Series and XTM 33 only) 170
Configure Round-Robin 171
Before You Begin 171
Configure the Interfaces 171
Find How to Assign Weights to Interfaces 172
Configure Failover 172
Before You Begin 172
Configure the Interfaces 172
Configure Interface Overflow 174
Before You Begin 174
Configure the Interfaces 174
Configure Routing Table 175
Before You Begin 175
Routing Table Mode and Load Balancing 175
Configure the Interfaces 175
About the XTM Device Route Table 176
When to Use Multi-WAN Methods and Routing 176
Serial Modem Failover 177
Enable Serial Modem Failover 177
Account Settings 178
DNS Settings 179
Dial-up Settings 180
Advanced Settings 180
Link Monitor Settings 181
About Advanced Multi-WAN Settings 182
Set a Global Sticky Connection Duration 182
Set the Failback Action 183
About WAN Interface Status 183
Time Needed for the XTM Device to Update its Route Table 184
Define a Link Monitor Host 184
Network Address Translation (NAT) 187
About Network Address Translation 187
Types of NAT 188
About Dynamic NAT 188
Add Network Dynamic NAT Rules 190
Configure Policy-Based Dynamic NAT 193
About Dynamic NATSource IPAddresses 195
About 1-to-1 NAT 197
About 1-to-1 NAT and VPNs 198
Configure Firewall 1-to-1 NAT 198
Configure Policy-Based 1-to-1 NAT 201
Configure NAT Loopback with Static NAT 202
Add a Policy for NATLoopback to the Server 203
NAT Loopback and 1-to-1 NAT 204
About SNAT 207
Configure Static NAT 207
Configure Server Load Balancing 210
1-to-1 NAT Example 217
Wireless Setup 219
About Wireless Configuration 219
About Wireless Access Point Configuration 220
Before You Begin 221
About Wireless Configuration Settings 222
Enable/Disable SSID Broadcasts 223
Change the SSID 223
Log Authentication Events 223
Change the Fragmentation Threshold 223
Change the RTS Threshold 225
About Wireless Security Settings 226
Set the Wireless Authentication Method 226
Use a RADIUS Server for Wireless Authentication 227
Use the XTMDevice as an Authentication Server for Wireless Authentication 228
Set the Encryption Level 230
Enable Wireless Connections to the Trusted or Optional Network 232
Enable a Wireless Guest Network 234
Enable a Wireless Hotspot 237
Configure User Timeout Settings 238
Select the Hotspot Type 238
Configure the Hotspot Settings 238
Configure the Hotspot Custom Page 239
Connect to a Wireless Hotspot 241
See Wireless Hotspot Connections 242
About Hotspot External Guest Authentication 244
Before You Begin 244
Configuration 245
External Guest Authentication Example 245
Configure a Web Server for Hotspot External Guest Authentication 248
Configure the XTMHotspot for External Guest Authentication 252
Troubleshoot Hotspot External Guest Authentication 253
Configure Your External Interface as a Wireless Interface 255
Configure the Primary External Interface as a Wireless Interface 255
Configure a BOVPN Tunnel for Additional Security 257
About Wireless Radio Settings 258
Country is Set Automatically 259
Select the Band and Wireless Mode 260
Select the Channel 260
Configure the Wireless Card on Your Computer 261
Rogue Access Point Detection 261
Enable Rogue Access Point Detection 262
Add an XTMWireless Device as a Trusted Access Point 267
Find the Wireless MACAddress of a Trusted Access Point 270
Rogue Access Point Scan Results 270
Dynamic Routing 273
About Dynamic Routing 273
Dynamic Routing Protocols 273
Dynamic Routing Policies 273
Monitor Dynamic Routing 274
About Routing Daemon Configuration Files 274
About Routing Information Protocol (RIP) 274
Routing Information Protocol (RIP) Commands 274
Configure the XTM Device to Use RIP 277
Sample RIP Routing Configuration File 279
About Open Shortest Path First (OSPF) Protocol 281
OSPF Commands 281
OSPF Interface Cost Table 284
Configure the XTM Device to Use OSPF 285
Sample OSPF Routing Configuration File 286
About Border Gateway Protocol (BGP) 289
BGP Commands 290
Configure the XTM Device to Use BGP 292
Sample BGP Routing Configuration File 294
Authentication 297
About User Authentication 297
User Authentication Steps 298
Manage Authenticated Users 299
Use Authentication to Restrict Incoming Traffic 300
Use Authentication Through a Gateway Firebox 301
About the WatchGuard Authentication (WG-Auth) Policy 302
Set Global Firewall Authentication Values 302
Set Global Authentication Timeouts 303
Allow Unlimited Concurrent Login Sessions 304
Limit Login Sessions 304
Specify the Default Authentication Server in the Authentication Portal 306
Automatically Redirect Users to the Authentication Portal 306
Use a Custom Default Start Page 307
Set Management Session Timeouts 307
About Single Sign-On (SSO) 308
The WatchGuard SSO Solution 308
Example Network Configurations for SSO 310
Before You Begin 312
Set Up SSO 312
Install the WatchGuard Single Sign-On (SSO) Agent 312
Configure the SSO Agent 314
Use Telnet to Debug the SSO Agent 321
Install the WatchGuard Single Sign-On (SSO) Client 324
Enable Single Sign-On (SSO) 325
Install and Configure the Terminal Services Agent 328
About Single Sign-On for Terminal Services 329
Before You Begin 329
Install the Terminal Services Agent 330
Configure the Terminal Services Agent 330
Configure Terminal Services Settings 335
Authentication Server Types 337
About Third-Party Authentication Servers 337
Use a Backup Authentication Server 337
Configure Your XTM Device as an Authentication Server 338
Types of Firebox Authentication 338
Define a New User for Firebox Authentication 341
Define a New Group for Firebox Authentication 343
Configure RADIUS Server Authentication 344
Authentication Key 344
RADIUSAuthentication Methods 344
Before You Begin 344
Use RADIUSServer Authentication with Your XTM Device 344
How RADIUS Server Authentication Works 346
Configure RADIUS Server Authentication with Active Directory Users and Groups For Mobile VPN Users 349
WPA and WPA2 Enterprise Authentication 352
Configure VASCO Server Authentication 352
Configure SecurID Authentication 355
Configure LDAP Authentication 357
About LDAP Optional Settings 359
Test the Connection to the Server 360
Configure Active Directory Authentication 361
Add an Active Directory Authentication Domain and Server 361
About Active Directory Optional Settings 365
Test the Connection to the Server 365
Edit an Existing Active Directory Domain 366
Delete an Active Directory Domain 367
Find Your Active Directory Search Base 367
Change the Default Port for the Active Directory Server 369
Use Active Directory or LDAP Optional Settings 369
Before You Begin 370
Specify Active Directory or LDAP Optional Settings 370
Use a Local User Account for Authentication 374
Use Authorized Users and Groups in Policies 374
Define Users and Groups for Firebox Authentication 374
Define Users and Groups for Third-Party Authentication 374
Allow Unlimited Concurrent Login Sessions 376
Limit Login Sessions 376
Add Users and Groups to Policy Definitions 376
Policies 379
About Policies 379
Packet Filter and Proxy Policies 379
Add Policies to Your XTM Device 380
About the Policies Pages 381
About the Outgoing Policy 383
Add Policies to Your Configuration 384
Use Policy Checker to Find a Policy 384
Add a Policy from the List of Templates 384
Disable or Delete a Policy 386
Use Policy Checker to Find a Policy 387
Read the Results 388
About Policy Tags and Filters 390
Create and Apply Policy Tags 390
Remove Policy Tags From Policies 393
Modify Policy Tags 394
Create and Apply a Filter 395
Modify a Filter 397
Clone a Filter 399
About Aliases 401
Alias Members 401
Create an Alias 402
About Policy Precedence 406
Automatic Policy Order 406
Policy Specificity and Protocols 406
Traffic Rules 407
Firewall Actions 407
Schedules 408
Policy Types and Names 408
Set Precedence Manually 408
Create Schedules for XTM Device Actions 409
Set an Operating Schedule 409
About Custom Policies 410
Create or Edit a Custom Policy Template 410
About Policy Properties 413
Policy Tab 413
Properties Tab 413
Advanced Tab 414
Proxy Settings 414
Set Access Rules for a Policy 414
Configure Policy-Based Routing 416
Set a Custom Idle Timeout 419
Set ICMP Error Handling 419
Apply NAT Rules 419
Set the Sticky Connection Duration for a Policy 420
Proxy Settings 421
About Proxy Policies and ALGs 421
Proxy Configuration 422
Add a Proxy Policy to Your Configuration 422
About Proxy Actions 423
Set the Proxy Action in a Proxy Policy 423
Clone, Edit, or Delete Proxy Actions 424
Proxy and AV Alarms 428
About Rules and Rulesets 428
About Working with Rules and Rulesets 429
Configure Rulesets 429
Add, Change, or Delete Rules 429
Cut and Paste Rule Definitions 431
Change the Order of Rules 431
Change the Default Rule 432
About Regular Expressions 433
About the DNS-Proxy 437
Action Settings 437
Policy Tab 437
Properties Tab 438
Advanced Tab 438
Configure the Proxy Action 438
DNS-Proxy: General Settings 439
DNS-Proxy: OPcodes 440
DNS-Proxy: Query Names 443
DNS-Proxy: Query Types 444
DNS-Proxy: Proxy Alarm 445
About MX (Mail eXchange) Records 446
About the FTP-Proxy 449
Action Settings 449
Policy Tab 449
Properties Tab 450
Advanced Tab 450
Configure the Proxy Action 450
FTP-Proxy: General Settings 451
FTP-Proxy: Commands 453
FTP-Proxy: Content 454
FTP-Proxy: Proxy and AV Alarms 454
About the H.323-ALG 456
VoIPComponents 456
ALGFunctions 456
Action Settings 457
Policy Tab 457
Properties Tab 457
Advanced Tab 457
Configure the Proxy Action 458
H.323-ALG: General Settings 458
H.323-ALG: Access Control 460
H.323-ALG: Denied Codecs 462
About the HTTP-Proxy 464
Action Settings 464
Policy Tab 465
Properties Tab 465
Advanced Tab 465
Configure the Proxy Action 466
HTTP Request: General Settings 467
HTTP Request: Request Methods 469
HTTP Request: URL Paths 471
HTTP Request: Header Fields 471
HTTP Request: Authorization 472
HTTP Response: General Settings 473
HTTP Response: Header Fields 474
HTTP Response: Content Types 475
HTTP Response: Cookies 477
HTTP Response: Body Content Types 477
HTTP-Proxy: Exceptions 478
HTTP-Proxy: Deny Message 480
HTTP-Proxy: Proxy and AV Alarms 481
Enable Windows Updates Through the HTTP-Proxy 483
Use a Caching Proxy Server 483
About the HTTPS-Proxy 485
Action Settings 485
Policy Tab 485
Properties Tab 486
Advanced Tab 486
Configure the Proxy Action 486
HTTPS-Proxy: General Settings 487
HTTPS-Proxy: Content Inspection 489
HTTPS-Proxy: Certificate Names 492
HTTPS-Proxy: Proxy Alarm 492
About the POP3-Proxy 494
Action Settings 494
Policy Tab 494
Properties Tab 495
Advanced Tab 495
Configure the Proxy Action 495
POP3-Proxy: General Settings 496
POP3-Proxy: Authentication 498
POP3-Proxy: Content Types 499
POP3-Proxy: Filenames 501
POP3-Proxy: Headers 502
POP3-Proxy: Deny Message 502
POP3-Proxy: Proxy and AV Alarms 503
About the SIP-ALG 505
VoIPComponents 505
Instant Messaging Support 505
ALGFunctions 506
Action Settings 506
Policy Tab 506
Properties Tab 507
Advanced Tab 507
Configure the Proxy Action 507
SIP-ALG: General Settings 508
SIP-ALG: Access Control 510
SIP-ALG: Denied Codecs 511
About the SMTP-Proxy 513
Action Settings 513
Policy Tab 513
Properties Tab 514
Advanced Tab 514
Configure the Proxy Action 514
SMTP-Proxy: General Settings 515
SMTP-Proxy: Greeting Rules 518
SMTP-Proxy: ESMTP Settings 519
SMTP-Proxy: TLS Encryption 521
SMTP-Proxy: Authentication 524
SMTP-Proxy: Content Types 526
SMTP-Proxy: Filenames 529
SMTP-Proxy: Mail From/Rcpt To 530
SMTP-Proxy: Headers 532
SMTP-Proxy: Deny Message 533
SMTP-Proxy: Proxy and AV Alarms 534
Configure the SMTP-Proxy to Quarantine Email 535
Protect Your SMTP Server from Email Relaying 536
About the TCP-UDP-Proxy 537
Action Settings 537
Policy Tab 537
Properties Tab 537
Advanced Tab 538
Configure the Proxy Action 538
TCP-UDP-Proxy: General Settings 538
Traffic Management and QoS 541
About Traffic Management and QoS 541
Enable Traffic Management and QoS 541
Guarantee Bandwidth 542
Restrict Bandwidth 543
QoS Marking 543
Traffic Priority 543
Set Outgoing Interface Bandwidth 544
Set Connection Rate Limits 545
About QoS Marking 545
Before You Begin 545
QoS Marking for Interfaces and Policies 546
QoS Marking and IPSec Traffic 546
Enable QoS Marking for an Interface 546
Enable QoS Marking or Prioritization Settings for a Policy 547
Traffic Control and Policy Definitions 549
Define a Traffic Management Action 549
Add a Traffic Management Action to a Policy 550
Default Threat Protection 553
About Default Threat Protection 553
About Default Packet Handling Options 554
About Spoofing Attacks 555
About IP Source Route Attacks 556
About Port Space and Address Space Probes 556
About Flood Attacks 558
About Unhandled Packets 560
About Distributed Denial-of-Service Attacks 561
About Blocked Sites 562
Permanently Blocked Sites 562
Auto-Blocked Sites/Temporary Blocked Sites List 562
Blocked Site Exceptions 563
See and Manage the Blocked Sites List 563
Block a Site Permanently 563
Create Blocked Site Exceptions 564
Block Sites Temporarily with Policy Settings 565
Change the Duration that Sites are Auto-Blocked 566
About Blocked Ports 566
Default Blocked Ports 567