Watchguard Fireware XTM Web UI User guide

Fireware XTM Web UI 11.8 User Guide
WatchGuard XTM Devices
ii Fireware XTM Web UI
About this User Guide
The Fireware XTM Web UI User Guide is updated with each major product release. For minor product
releases, only the Fireware XTM Web UI Help system is updated. The Help system also includes
specific, task-based implementation examples that are not available in the User Guide.
For the most recent product documentation, see the Fireware XTM Web UI Help on the WatchGuard
web site at: http://www.watchguard.com/help/documentation/.
Information in this guide is subject to change without notice. Companies, names, and data used in
examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or
transmitted in any form or by any means, electronic or mechanical, for any purpose, without the
express written permission of WatchGuard Technologies, Inc.
Guide revised: 10/9/2013
Copyright, Trademark, and Patent Information
Copyright © 1998–2011 WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade
names mentioned herein, if any, are the property of their respective owners.
Complete copyright, trademark, patent, and licensing information can be found in the Copyright and
Licensing Guide, available online at: http://www.watchguard.com/help/documentation/
This product is for indoor use only.
About WatchGuard
WatchGuard offers affordable, all-in-one network and content
security solutions that provide defense-in-depth and help meet
regulatory compliance requirements. The WatchGuard XTM line
combines firewall, VPN, GAV, IPS, spam blocking and URL
filtering to protect your network from spam, viruses, malware,
and intrusions. The new XCS line offers email and web content
security combined with data loss prevention. WatchGuard
extensible solutions scale to offer right-sized security ranging
from small businesses to enterprises with 10,000+ employees.
WatchGuard builds simple, reliable, and robust security
appliances featuring fast implementation and comprehensive
management and reporting tools. Enterprises throughout the
world rely on our signature red boxes to maximize security
without sacrificing efficiency and productivity.
Address
505 Fifth Avenue South
Suite 500
Seattle, WA 98104
Support
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575
Sales
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895
For more information, please call 206.613.6600 or visit
www.watchguard.com.
Table of Contents
Fireware XTM Web UI 11.8 User Guide 1
Introduction to Network Security 1
About Networks and Network Security 1
About Internet Connections 1
About Protocols 2
About IP Addresses 3
IPv4 Addresses 3
IPv6 Addresses 4
About Slash Notation 5
About Entering Addresses 6
Static and Dynamic IP Addresses 6
About DNS (Domain Name System) 7
About Firewalls 8
About Services and Policies 9
About Ports 10
The XTM Device and Your Network 10
Introduction to Fireware XTM 13
About Fireware XTM 13
Fireware XTM Components 14
WatchGuard System Manager 14
WatchGuard Server Center 15
Fireware XTM Web UI and Command Line Interface 16
Fireware XTMwith a Pro Upgrade 17
Fireware XTM on an XTMv Device 18
XTMv Device Limitations 18
Virtual Switch Configuration 18
Hyper-VVirtual Adapter Configuration 18
XTMv Device Installation 19
FIPS Support in Fireware XTM 20
About FIPSMode 20
FIPS Mode Operation and Constraints 20
Service and Support 21
About WatchGuard Support 21
LiveSecurity Service 21
LiveSecurity Service Gold 22
Service Expiration 23
Getting Started 25
Before You Begin 25
Verify Basic Components 25
Get an XTM Device Feature Key 26
Gather Network Addresses 26
Select a Firewall Configuration Mode 27
About the Quick Setup Wizard 28
Run the Web Setup Wizard 29
Connect to Fireware XTMWeb UI 33
Connect to Fireware XTMWeb UI from an External Network 34
About Fireware XTMWeb UI 35
Limitations of Fireware XTM Web UI 36
Complete Your Installation 37
Customize Your Security Policy 37
About LiveSecurity Service 37
Additional Installation Topics 38
Connect to an XTM Device with Firefox v3 38
Identify Your Network Settings 39
Set Your Computer to Connect to Your XTM Device 41
Disable the HTTP Proxy in the Browser 43
Configuration and Management Basics 45
About Basic Configuration and Management Tasks 45
Make a Backup of the XTM Device Image 45
Restore an XTM Device Backup Image 47
Use a USB Drive for System Backup and Restore 48
About the USB Drive 48
Save a Backup Image to a Connected USB Drive 48
Restore a Backup Image from a Connected USB Drive 49
Automatically Restore a Backup Image from a USB Drive 49
USB Drive Directory Structure 52
Save a Backup Image to a USB Drive Connected to Your Computer 53
Use a USBDrive to Save a Support Snapshot 53
Reset an XTM Device 55
Start an XTM Device in Safe Mode 55
Reset an XTM 2 Series or XTM 33 to Factory-Default Settings 55
Reset an XTMv VM to Factory-Default Settings 56
Run the Setup Wizard 56
About Factory-Default Settings 56
About Feature Keys 59
See Features Available with the Current Feature Key 59
Get a Feature Key for Your XTMDevice 61
Manually Add a Feature Key to Your XTM Device 65
Enable Automatic Feature Key Synchronization 68
Restart Your XTM Device 69
Restart the XTM Device Locally 69
Restart the XTM Device Remotely 69
Enable NTP and Add NTP Servers 70
Set the Time Zone and Basic Device Properties 71
About SNMP 72
SNMP Polls and Traps 72
Enable SNMP Polling 73
Enable SNMP Management Stations and Traps 74
About Management Information Bases (MIBs) 77
About WatchGuard Passphrases, Encryption Keys, and Shared Keys 78
Create a Secure Passphrase, Encryption Key, or Shared Key 78
XTM Device Passphrases 80
User Passphrases 80
Server Passphrases 80
Encryption Keys and Shared Keys 81
Change XTM Device Passphrases 82
Define XTM Device Global Settings 83
Change the Web UI Port 84
Automatic Reboot 85
Device Feedback 85
Define ICMP Error Handling Global Settings 86
Configure TCP Settings 87
Enable or Disable Traffic Management and QoS 87
Manage Traffic Flow 88
About WatchGuard Servers 88
Manage an XTM Device From a Remote Location 90
Configure an XTM Device as a Managed Device 92
Edit the WatchGuard Policy 92
Set Up the Managed Device 93
Upgrade to a New Version of Fireware XTM 95
Install the Upgrade on Your Management Computer 95
Upgrade the XTM Device 95
Downgrade Fireware XTMOS 97
Use a Saved Backup Image to Downgrade 97
Downgrade Without a Backup Image 97
Use the Web UI to Downgrade from Fireware XTM OS v11.7 or Higher 98
Download or Show the XTMDevice Configuration 100
Download the Configuration File 100
Show the XTMConfiguration Report 100
About Upgrade Options 102
Subscription Services Upgrades 102
Appliance and Software Upgrades 103
How to Apply an Upgrade 103
About Subscription Services Expiration and Renewal 103
Subscription Renewal Reminders 104
Feature Key Compliance 104
Security Service Expiration Behavior 104
LiveSecurity Service 106
Synchronize Subscription Renewals 106
Renew Subscription Services 106
Subscription Services Status and Manual Signatures Updates 107
Network Setup and Configuration 109
About Network Interface Setup 109
Network Modes 110
Interface Types 111
About Private IPAddresses 111
About IPv6 Support 112
Mixed Routing Mode 114
Configure an External Interface 114
Enable IPv6 for an External Interface 119
Configure IPv4 DHCP in Mixed Routing Mode 122
Configure a Trusted or Optional Interface 125
Enable IPv6 for a Trusted or Optional Interface 125
About the Dynamic DNS Service 134
Configure Dynamic DNS 134
Drop-In Mode 136
Use Drop-In Mode for Network Interface Configuration 136
Configure Related Hosts 137
Configure DHCP in Drop-In Mode 139
Bridge Mode 142
Enable Bridge Mode 144
Allow Management Access from a VLAN 144
Common Interface Settings 145
Disable an Interface 146
Configure DHCPRelay 146
Restrict Network Traffic by MAC Address 146
Add WINS and DNS Server Addresses 147
Add a Secondary Network IPAddress 149
About Advanced Interface Settings 152
Network Interface Card (NIC)Settings 152
Set DF Bit for IPSec 155
PMTU Setting for IPSec 155
Use Static MAC Address Binding 156
Find the MAC Address of a Computer 157
About LAN Bridges 157
Create a Network Bridge Configuration 157
Assign a Network Interface to a Bridge 159
About Routing 160
Add a Static Route 160
About Virtual Local Area Networks (VLANs) 164
VLAN Requirements and Restrictions 164
About Tagging 165
About VLANIDNumbers 165
Define a New VLAN 165
Assign Interfaces to a VLAN 168
About Link Aggregation 170
Requirements and Limitations 170
Link Aggregation Modes 170
Configure Link Aggregation 172
Monitor Link Aggregation Interfaces 177
Network Setup Examples 178
Configure Two VLANs on the Same Interface 178
Configure One VLAN Bridged Across Two Interfaces 182
Use the Broadband Extend or 3G Extend Wireless Bridge 186
Multi-WAN 189
About Using Multiple External Interfaces 189
Multi-WAN Requirements and Conditions 189
Multi-WAN and DNS 190
About Multi-WAN Options 191
Round-Robin Order 191
Failover 191
Interface Overflow 192
Routing Table 192
Modem (XTM2 Series, 3 Series or 5 Series only) 193
Configure Round-Robin 194
Before You Begin 194
Configure the Interfaces 194
Find How to Assign Weights to Interfaces 195
Configure Failover 195
Before You Begin 195
Configure the Interfaces 195
Configure Interface Overflow 197
Before You Begin 197
Configure the Interfaces 197
Configure Routing Table 198
Before You Begin 198
Routing Table Mode and Load Balancing 198
Configure the Interfaces 198
About the XTM Device Route Table 199
When to Use Multi-WAN Methods and Routing 199
Configure Modem Failover 200
Enable Modem Failover 200
Account Settings 201
DNS Settings 203
Dial-Up Settings 204
Advanced Settings 204
Link Monitor Settings 205
About Advanced Multi-WAN Settings 206
Set a Global Sticky Connection Duration 206
Set the Failback Action 207
Set Notification Settings 208
About WAN Interface Status 208
Time Needed for the XTM Device to Update its Route Table 208
Define a Link Monitor Host 208
Network Address Translation (NAT) 211
About Network Address Translation 211
Types of NAT 212
About Dynamic NAT 212
Add Network Dynamic NAT Rules 214
Configure Policy-Based Dynamic NAT 217
About Dynamic NATSource IPAddresses 220
About 1-to-1 NAT 222
About 1-to-1 NAT and VPNs 223
Configure Firewall 1-to-1 NAT 223
Configure Policy-Based 1-to-1 NAT 226
Configure NAT Loopback with Static NAT 228
Add a Policy for NATLoopback to the Server 229
NAT Loopback and 1-to-1 NAT 230
About SNAT 233
Configure Static NAT 233
Configure Server Load Balancing 237
1-to-1 NAT Example 245
Wireless XTMDevice Setup 247
About Wireless XTMDevice Configuration 247
Wireless XTMDevice Configuration Options 249
Before You Begin 249
About Wireless Configuration Settings 251
Enable/Disable SSID Broadcasts 252
Change the SSID 252
Log Authentication Events 252
Change the Fragmentation Threshold 252
Change the RTS Threshold 254
About Wireless Security Settings 254
Set the Wireless Authentication Method 254
Use a RADIUS Server for Wireless Authentication 256
Use the XTMDevice as an Authentication Server for Wireless Authentication 257
Set the Encryption Level 259
Enable Wireless Connections to the Trusted or Optional Network 261
Enable a Wireless Guest Network 263
Enable a Hotspot on an XTMWireless Access Point 267
Configure Your External Interface as a Wireless Interface 268
Configure the Primary External Interface as a Wireless Interface 268
Configure a BOVPN Tunnel for Additional Security 270
About Wireless Radio Settings 271
Country is Set Automatically 272
Select the Band and Wireless Mode 273
Select the Channel 273
Configure the Wireless Card on Your Computer 274
Rogue Access Point Detection 274
Enable Rogue Access Point Detection 275
Add an XTMWireless Device as a Trusted Access Point 280
Find the Wireless MACAddress of a Trusted Access Point 283
Rogue Access Point Scan Results 283
WatchGuard AP Device Setup 284
Wireless Access Point Types 284
About AP Device Configuration 285
SSIDConfiguration 285
APDevice Configuration 286
WatchGuard AP Device Requirements and Limitations 286
Requirements 286
Limitations 286
Plan your Wireless APDevice Deployment 287
Wireless Site Survey 288
Wireless Modes and Channels 290
Wireless Signal Strength and Noise Levels 292
Wireless Environmental Factors 293
Wireless Placement 294
WatchGuard AP Device Deployment Overview 295
Deploy APDevices Without VLANTagging 296
Deploy APDevices With VLANTagging Enabled 299
Configure VLANs for WatchGuard AP Devices 302
When to Enable VLANTagging in SSIDs 302
ConfigureVLANs on the XTMDevice 302
Configure VLANs on a Managed Switch 303
About APStation Isolation 305
Station Isolation for a Single AP Device 305
Station Isolation for Multiple AP Devices 305
Example — Station Isolation and Roaming 306
About APDevice Activation 309
Automatic Activation 309
Manual Activation 309
About APDevice Passphrases 310
Pairing Passphrase 310
WatchGuard APPassphrase 310
Passphrases and Pairing 310
Resolve a Passphrase Mismatch 311
Configure AP Devices in the Gateway Wireless Controller 312
Enable the Gateway Wireless Controller 312
Set the Diagnostic Log Level 313
Configure WatchGuard APDevice SSIDs 314
Configure SSIDSecurity Settings 316
WatchGuard AP Device Discovery and Pairing 320
Configure APDevice Settings 321
Configure AP Device Radio Settings 326
Configure Gateway Wireless Controller Settings 330
Configure MACAccess Control 333
Unpair an AP Device 335
Monitor AP Device Status 336
See APConnection Status and Uptime 336
See AP Radio Frequency and Channel 336
See the APActivation Status 337
See APDevice Network Statistics 338
See Log Messages on an APDevice 339
Reboot an AP Device 339
Perform a Site Survey 340
Monitor Wireless Clients 342
Enable a Hotspot on an AP Device 342
Reset the WatchGuard AP Device 343
Reset the WatchGuard AP Device with the Reset Button 343
Reset the WatchGuard AP Device from the Access Point Web UI 344
Unpair the WatchGuard AP Device 344
Add an HTTPSPolicy for Access Point Web UI Connections 345
Use the WatchGuard Access Point Web UI 345
Connect to the WatchGuard Access Point Web UI 346
Verify the Current AP Device Settings 347
Manage Network Settings 348
Change the Access Point Passphrase 349
Upgrade the AP Device Firmware 349
Save or Revert Configuration Changes 350
WatchGuard APDevice Deployment Examples 350
WatchGuard AP Device Deployment with a Single SSID 351
WatchGuard APDevice Deployment with Multiple SSIDs 352
WatchGuard APDevice Deployment with VLANs 354
Dynamic Routing 357
About Dynamic Routing 357
Dynamic Routing Protocols 357
Dynamic Routing Policies 357
Monitor Dynamic Routing 358
About Routing Daemon Configuration Files 358
About Routing Information Protocol (RIP) 358
Routing Information Protocol (RIP) Commands 359
Configure the XTM Device to Use RIP 361
Sample RIP Routing Configuration File 362
About Open Shortest Path First (OSPF) Protocol 364
OSPF Commands 364
OSPF Interface Cost Table 367
Configure the XTM Device to Use OSPF 368
Sample OSPF Routing Configuration File 369
About Border Gateway Protocol (BGP) 372
BGP Commands 373
Configure the XTM Device to Use BGP 375
Sample BGP Routing Configuration File 376
Authentication 379
About User Authentication 379
User Authentication Steps 380
Manage Authenticated Users 382
Use Authentication to Restrict Incoming Traffic 383
Use Authentication Through a Gateway Firebox 385
About the WatchGuard Authentication (WG-Auth) Policy 385
Set Global Firewall Authentication Values 385
Specify Firewall Authentication Settings 385
Set Global Authentication Timeouts 386
Allow Unlimited Concurrent Login Sessions 387
Limit Login Sessions 387
Specify the Default Authentication Server in the Authentication Portal 389
Automatically Redirect Users to the Authentication Portal 389
Use a Custom Default Start Page 390
Set Management Session Timeouts 390
About Single Sign-On (SSO) 391
The WatchGuard SSO Solution 391
Example Network Configurations for SSO 394
Before You Begin 397
Set Up SSO 398
Install the WatchGuard Single Sign-On (SSO) Agent 398
Configure the SSO Agent 400
Use Telnet to Debug the SSO Agent 410
Install the WatchGuard Single Sign-On (SSO) Client 413
Install the WatchGuard SSOExchange Monitor 414
Enable Single Sign-On (SSO) 415
Install and Configure the Terminal Services Agent 419
About Single Sign-On for Terminal Services 420
Before You Begin 421
Install the Terminal Services Agent 421
Configure the Terminal Services Agent 422
Configure Terminal Services Settings 426
Authentication Server Types 428
About Third-Party Authentication Servers 428
Use a Backup Authentication Server 428
Configure Your XTM Device as an Authentication Server 429
Types of Firebox Authentication 429
Define a New User for Firebox Authentication 432
Define a New Group for Firebox Authentication 435
Configure RADIUS Server Authentication 436
Authentication Key 436
RADIUSAuthentication Methods 436
Before You Begin 436
Use RADIUSServer Authentication with Your XTM Device 436
How RADIUS Server Authentication Works 439
Configure RADIUS Server Authentication with Active Directory Users and Groups For
Mobile VPN Users 443
WPA and WPA2 Enterprise Authentication 446
Configure VASCO Server Authentication 446
Configure SecurID Authentication 449
Configure LDAP Authentication 452
About LDAP Optional Settings 455
Test the Connection to the Server 455
Configure Active Directory Authentication 456
Add an Active Directory Authentication Domain and Server 456
About Active Directory Optional Settings 460
Test the Connection to the Server 460
Edit an Existing Active Directory Domain 461
Delete an Active Directory Domain 461
Find Your Active Directory Search Base 461
Change the Default Port for the Active Directory Server 463
Use Active Directory or LDAP Optional Settings 463
Before You Begin 464
Specify Active Directory or LDAP Optional Settings 464
Use a Local User Account for Authentication 468
Use Authorized Users and Groups in Policies 468
Define Users and Groups for Firebox Authentication 468
Define Users and Groups for Third-Party Authentication 468
Allow Unlimited Concurrent Login Sessions 470
Limit Login Sessions 470
Add Users and Groups to Policy Definitions 470
Enable a Hotspot 471
Configure User Timeout Settings 474
Select the Hotspot Type 474
Configure the Hotspot Custom Page 475
Connect to a Hotspot 478
See Hotspot Connections 479
About Hotspot External Guest Authentication 480
Before You Begin 480
Configuration 481
External Guest Authentication Example 481
Configure a Web Server for Hotspot External Guest Authentication 484
Configure the Hotspot for External Guest Authentication 491
Troubleshoot Hotspot External Guest Authentication 493
Policies 495
About Policies 495
Packet Filter and Proxy Policies 495
Add Policies to Your XTM Device 496
About the Policies Pages 497
About the Outgoing Policy 499
Add Policies to Your Configuration 500
Use Policy Checker to Find a Policy 500
Add a Policy from the List of Templates 501
Disable or Delete a Policy 502
Use Policy Checker to Find a Policy 503
Read the Results 504
About Policy Tags and Filters 506
Create and Apply Policy Tags 506
Remove Policy Tags From Policies 509
Modify Policy Tags 511
Create and Apply a Filter 511
Modify a Filter 512
About Aliases 514
Alias Members 514
Create an Alias 515
About Policy Precedence 519
Automatic Policy Order 519
Policy Specificity and Protocols 519
Traffic Rules 520
Firewall Actions 520
Schedules 521
Policy Types and Names 521
Set Precedence Manually 521
Create Schedules for XTM Device Actions 522
Set an Operating Schedule 523
About Custom Policies 524
Create or Edit a Custom Policy Template 524
About Policy Properties 527
Settings Tab 528
Application Control Tab 528
Traffic Management Tab 528
Scheduling Tab 528
Advanced Tab 529
Proxy Settings 529
Set Access Rules for a Policy 529
Configure Policy-Based Routing 531
Set a Custom Idle Timeout 535
Set ICMP Error Handling 536
Apply NAT Rules 536
Set the Sticky Connection Duration for a Policy 536
Proxy Settings 539
About Proxy Policies and ALGs 539
Proxy Configuration 540
Add a Proxy Policy to Your Configuration 540
About Proxy Actions 543
Set the Proxy Action in a Proxy Policy 543
Clone, Edit, or Delete Proxy Actions 544
Proxy and AV Alarms 549
About Rules and Rulesets 550
About Working with Rules and Rulesets 550
Configure Rulesets 551
Add, Change, or Delete Rules 551
Cut and Paste Rule Definitions 553
Change the Order of Rules 553
Change the Default Rule 553
About Regular Expressions 555
About the DNS-Proxy 559
Settings Tab 560
Application Control Tab 560
Traffic Management Tab 560
Proxy Action Tab 561
Scheduling Tab 561
Advanced Tab 562
DNS-Proxy: General Settings 563
DNS-Proxy: OPcodes 564
DNS-Proxy: Query Types 567
DNS-Proxy: Query Names 570
DNS-Proxy: Proxy Alarm 572
About MX (Mail eXchange) Records 574
About the FTP-Proxy 576
Settings Tab 577
Application Control Tab 577
Traffic Management Tab 577
Proxy Action Tab 578
Scheduling Tab 578
Advanced Tab 579
FTP-Proxy: General Settings 580
FTP-Proxy: Commands 583
FTP-Proxy: Content 584
FTP-Proxy: Data Loss Prevention 584
FTP-Proxy: Proxy and AV Alarms 584
About the H.323-ALG 586
VoIPComponents 586
ALGFunctions 586
Settings Tab 588
Application Control Tab 588
Traffic Management Tab 588
Proxy Action Tab 589
Scheduling Tab 589
Advanced Tab 590
H.323-ALG: General Settings 590
H.323-ALG: Access Control 593
H.323-ALG: Denied Codecs 596
About the HTTP-Proxy 598
Settings Tab 599
Application Control Tab 599
Traffic Management Tab 599
Proxy Action Tab 600
Scheduling Tab 600
Advanced Tab 601
HTTP Request: General Settings 602
HTTP Request: Request Methods 605
HTTP Request: URL Paths 608
HTTP Request: Header Fields 608
HTTP Request: Authorization 609
HTTP Response: General Settings 610