Watchguard Fireware XTM WSM User guide

WatchGuard System Manager 11.4 User Guide
Fireware XTM
WatchGuard System Manager
11.4 User Guide
WatchGuard XTMDevices
ii WatchGuard System Manager
About this User Guide
The Fireware XTM WatchGuard System Manager User Guide is updated with each major product release. For minor product releases, only the Fireware XTM WatchGuard System Manager Help system is updated. The Help system also includes specific, task-based implementation examples that are not available in the User Guide. For the most recent product documentation, see the Fireware XTM WatchGuard System Manager Help on the WatchGuard web site at: http://www.watchguard.com/help/documentation/.

Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.
Guide revised: 1/26/2011
Copyright, Trademark, and Patent Information
Copyright © 1998-2011 WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade names mentioned herein, if any, are the property of their respective owners.

Complete copyright, trademark, patent, and licensing information can be found in the Copyright and Licensing Guide, available online at: http://www.watchguard.com/help/documentation/.
Note This product is for indoor use only.
About WatchGuard
WatchGuard offers affordable, all-in-one network and content security solutions that provide defense-in-depth and help meet regulatory compliance requirements. The WatchGuard XTM line combines firewall, VPN, GAV, IPS, spam blocking and URL filtering to protect your network from spam, viruses, malware, and intrusions. The new XCS line offers email and web content security combined with data loss prevention. WatchGuard extensible solutions scale to offer right-sized security ranging from small businesses to enterprises with 10,000+ employees. WatchGuard builds simple, reliable, and robust security appliances featuring fast implementation and comprehensive management and reporting tools. Enterprises throughout the world rely on our signature red boxes to maximize security without sacrificing efficiency and productivity.

For more information, please call 206.613.6600 or visit www.watchguard.com.
Address
505 Fifth Avenue South
Suite 500
Seattle, WA 98104
Support
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575
Sales
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895
User Guide iii
Table of Contents
Introduction to Network Security 1
About Networks and Network Security 1
About Internet Connections 1
About Protocols 2
About IP Addresses 3
Private Addresses and Gateways 3
About Subnet Masks 3
About Slash Notation 3
About Entering IP Addresses 4
Static and Dynamic IP Addresses 4
About DNS (Domain Name System) 5
About Firewalls 6
About Services and Policies 7
About Ports 8
Introduction to Fireware XTM 9
About Fireware XTM 9
Fireware XTM Components 10
WatchGuard System Manager 10
WatchGuard Server Center 11
Fireware XTM Web UI and Command Line Interface 12
Fireware XTMwith a Pro Upgrade 13
Service and Support 15
About WatchGuard Support 15
LiveSecurity Service 15
LiveSecurity Service Gold 16
Service Expiration 16
Getting Started 17
Before You Begin 17
Verify Basic Components 17
Get an XTM Device Feature Key 18
Gather Network Addresses 18
Select a Firewall Configuration Mode 19
Decide Where to Install Server Software 20
Install WatchGuard System Manager Software 20
Back up Your Previous Configuration 20
Download WatchGuard System Manager 21
About Software Encryption Levels 22
About the Quick Setup Wizard 22
Run the Web Setup Wizard 23
Run the WSM Quick Setup Wizard 26
Complete Your Installation 28
Customize Your Security Policy 28
About LiveSecurity Service 28
Start WatchGuard System Manager 29
Connect to an XTM Device 29
Start WSMApplications 30
Additional Installation Topics 32
Install WSM and Keep an Older Version 32
Install WatchGuard Servers on Computers with Desktop Firewalls 32
Dynamic IP Support on the External Interface 33
About Connecting the XTM Device Cables 33
Connect to an XTM Device with Firefox v3 34
Disable the HTTP Proxy in the Browser 35
Find Your TCP/IP Properties 36
Configuration and Management Basics 39
About Basic Configuration and Management Tasks 39
About Configuration Files 39
Open a Configuration File 39
Make a New Configuration File 41
Save the Configuration File 42
Make a Backup of the XTM Device Image 43
Restore an XTM Device Backup Image 44
Use a USB Drive for System Backup and Restore 44
About the USB Drive 44
Save a Backup Image to a Connected USB Drive 45
Restore a Backup Image from a Connected USB Drive 45
Automatically Restore a Backup Image from a USB Drive 46
USB Drive Directory Structure 48
Save a Backup Image to a USB Drive Connected to Your Management Computer 49
Use a USBDrive to Save a Support Snapshot 49
Use an Existing Configuration for a New XTM Device Model 50
Upgrade a Non-e-Series Configuration File For Use With an e-Series or XTM Device 52
Configure a Replacement XTM Device 54
Save the Configuration from the Original XTM Device to a File 54
Get the Feature Key for the Replacement XTM Device 54
Use the Quick Setup Wizard to Configure Basic Settings 54
Update the Feature Key in the Original Configuration File and Save to the New Device 54
Reset an XTM Device to a Previous or New Configuration 55
Start an XTM Device in Safe Mode 55
Reset an XTM 2 Series Device to Factory-Default Settings 55
Run the Quick Setup Wizard 56
About Factory-Default Settings 56
About Feature Keys 58
When You Purchase a New Feature 58
See Features Available with the Current Feature Key 58
Verify Feature Key Compliance 59
Get a Feature Key from LiveSecurity 59
Add a Feature Key to Your XTM Device 62
See the Details of a Feature Key 64
Download a Feature Key 64
Enable NTP and Add NTP Servers 65
Set the Time Zone and Basic Device Properties 66
About SNMP 67
SNMP Polls and Traps 67
Enable SNMP Polling 68
Enable SNMP Management Stations and Traps 69
About Management Information Bases (MIBs) 71
About WatchGuard Passphrases, Encryption Keys, and Shared Keys 72
Create a Secure Passphrase, Encryption Key, or Shared Key 72
XTM Device Passphrases 73
User Passphrases 73
Server Passphrases 73
Encryption Keys and Shared Keys 74
Change XTM Device Passphrases 75
Define XTM Device Global Settings 76
Define ICMP Error Handling Global Settings 77
Configure TCP Settings 78
Enable or Disable Traffic Management and QoS 78
Change the Web UI Port 78
Automatic Reboot 79
Manage an XTM Device from a Remote Location 79
Upgrade to a New Version of Fireware XTM 81
Install the Upgrade on Your Management Computer 81
Upgrade the XTM Device 82
Use Multiple Versions of Policy Manager 83
About Upgrade Options 83
Subscription Services Upgrades 83
Appliance and Software Upgrades 84
How to Apply an Upgrade 84
Renew Security Subscriptions 84
Renew Subscriptions from Firebox System Manager 85
Network Setup and Configuration 87
About Network Interface Setup 87
Network Modes 88
Interface Types 89
About Network Interfaces on the Edge e-Series 89
Mixed Routing Mode 90
Configure an External Interface 90
Configure DHCP in Mixed Routing Mode 94
About the Dynamic DNS Service 96
Use Dynamic DNS 96
Drop-In Mode 98
Use Drop-In Mode for Network Interface Configuration 98
Configure Related Hosts 99
Configure DHCP in Drop-In Mode 100
Bridge Mode 103
Common Interface Settings 105
Disable an Interface 108
Configure DHCPRelay 110
Restrict Network Traffic by MAC Address 110
Add WINS and DNS Server Addresses 111
Configure a Secondary Network 112
About Advanced Interface Settings 114
Network Interface Card (NIC)Settings 114
Set Outgoing Interface Bandwidth 116
Set DF Bit for IPSec 117
PMTU Setting for IPSec 117
Use Static MAC Address Binding 118
Find the MAC Address of a Computer 118
About LAN Bridges 119
Create a Network Bridge Configuration 119
Assign a Network Interface to a Bridge 121
About Routing 123
Add a Static Route 123
About Virtual Local Area Networks (VLANs) 124
VLAN Requirements and Restrictions 124
About Tagging 125
About VLANIDNumbers 125
Define a New VLAN 125
Assign Interfaces to a VLAN 129
Network Setup Examples 130
Configure Two VLANs on the Same Interface 130
Configure One VLAN Bridged Across Two Interfaces 133
Use Your XTM Device with the 3G Extend Wireless Bridge 138
Multi-WAN 141
About Using Multiple External Interfaces 141
Multi-WAN Requirements and Conditions 141
Multi-WAN and DNS 142
Multi-WAN and FireCluster 142
About Multi-WAN Options 142
Round-Robin Order 142
Failover 143
Interface Overflow 143
Routing Table 143
Serial Modem (XTM2 Series only) 144
Configure Round-Robin 145
Before You Begin 145
Configure the Interfaces 145
Find How to Assign Weights to Interfaces 147
Configure Failover 147
Before You Begin 147
Configure the Interfaces 147
Configure Interface Overflow 149
Before You Begin 149
Configure the Interfaces 149
Configure Routing Table 150
Before You Begin 150
Routing Table Mode and Load Balancing 150
Configure the Interfaces 150
About the XTM Device Route Table 151
When to Use Multi-WAN Methods and Routing 152
Serial Modem Failover 153
Enable Serial Modem Failover 153
Account Settings 154
DNS Settings 154
Dial-up Settings 155
Advanced Settings 155
Link Monitor Settings 155
Advanced Multi-WAN Settings 157
About Sticky Connections 157
Set a Global Sticky Connection Duration 157
Set the Failback Action 158
About WAN Interface Status 159
Time Needed for the XTM Device to Update its Route Table 159
Define a Link Monitor Host 159
Network Address Translation (NAT) 161
About Network Address Translation 161
Types of NAT 162
About Dynamic NAT 162
Add Firewall Dynamic NAT Entries 163
Configure Policy-Based Dynamic NAT 165
About 1-to-1 NAT 168
About 1-to-1 NAT and VPNs 169
Configure Firewall 1-to-1 NAT 169
Configure Policy-Based 1-to-1 NAT 172
Configure NAT Loopback with Static NAT 173
Add a Policy for NATLoopback to the Server 174
NAT Loopback and 1-to-1 NAT 175
Configure Static NAT 179
Add a Static NATAction 179
Add a Static NAT Action to a Policy 180
Edit or Remove a Static NATAction 181
Configure Server Load Balancing 182
Add a Server Load Balancing SNATAction 183
Add a Server Load Balancing SNAT Action to a Policy 185
Edit or Remove a Server Load Balancing SNATAction 186
NAT Examples 187
1-to-1 NAT Example 187
Wireless Setup 189
About Wireless Configuration 189
About Wireless Access Point Configuration 190
Before You Begin 191
About Wireless Configuration Settings 192
Enable/Disable SSID Broadcasts 193
Change the SSID 193
Log Authentication Events 193
Change the Fragmentation Threshold 193
Change the RTS Threshold 195
About Wireless Security Settings 196
Set the Wireless Authentication Method 196
Use a RADIUS Server for Wireless Authentication 197
Use the XTMDevice as an Authentication Server for Wireless Authentication 198
Set the Encryption Level 200
Enable Wireless Connections to the Trusted or Optional Network 201
Enable a Wireless Guest Network 204
Enable a Wireless Hotspot 207
Configure User Timeout Settings 208
Customize the Hotspot Splash Screen 208
Connect to a Wireless Hotspot 209
See Wireless Hotspot Connections 210
Configure Your External Interface as a Wireless Interface 211
Configure the Primary External Interface as a Wireless Interface 212
Configure a BOVPN Tunnel for Additional Security 214
About Wireless Radio Settings 215
Country is Set Automatically 216
Select the Band and Wireless Mode 217
Select the Channel 217
Configure the Wireless Card on Your Computer 218
Rogue Access Point Detection 218
Enable Rogue Access Point Detection 218
Add an XTMWireless Device as a Trusted Access Point 222
Find the Wireless MACAddress of a Trusted Access Point 225
Rogue Access Point Scan Results 226
Dynamic Routing 227
About Dynamic Routing 227
About Routing Daemon Configuration Files 227
About Routing Information Protocol (RIP) 228
Routing Information Protocol (RIP) Commands 228
Configure the XTM Device to Use RIP v1 230
Configure the XTM Device to Use RIP v2 232
Sample RIP Routing Configuration File 234
About Open Shortest Path First (OSPF) Protocol 235
OSPF Commands 236
OSPF Interface Cost Table 239
Configure the XTM Device to Use OSPF 239
Sample OSPF Routing Configuration File 241
About Border Gateway Protocol (BGP) 244
BGP Commands 245
Configure the XTM Device to Use BGP 247
Sample BGP Routing Configuration File 249
FireCluster 251
About WatchGuard FireCluster 251
FireCluster Status 253
About FireCluster Failover 253
Events that Trigger a Failover 253
What Happens When a Failover Occurs 254
FireCluster Failover and Server Load Balancing 254
Monitor the Cluster During a Failover 255
Features not Supported With FireCluster 255
FireCluster Network Configuration Limitations 255
FireCluster Management Limitations 255
About the Interface for Management IPAddress 255
Configure the Interface for Management IP Address 255
Use the Management IP Address to Restore a Backup Image 256
Use the Management IP Address to Upgrade from an External Location 256
The Management IPAddress and the WatchGuard Policy 257
Configure FireCluster 257
FireCluster Requirements and Restrictions 258
Cluster Synchronization and Status Monitoring 258
FireCluster Device Roles 259
FireCluster Configuration Steps 259
Before You Begin 260
Connect the FireCluster Hardware 262
Switch and Router Requirements for an Active/Active FireCluster 263
Use the FireCluster Setup Wizard 269
Configure FireCluster Manually 274
Find the Multicast MAC Addresses for an Active/Active Cluster 280
Active/Passive Cluster ID and the Virtual MAC Address 281
Monitor and Control FireCluster Members 282
Monitor Status of FireCluster Members 283
Monitor and Control Cluster Members 284
Discover a Cluster Member 284
Force a Failover of the Cluster Master 285
Reboot a Cluster Member 286
Shut Down a Cluster Member 286
Connect to a Cluster Member 287
Make a Member Leave a Cluster 288
Make a Member Join a Cluster 289
Remove or Add a Cluster Member 290
Remove a Device from a FireCluster 290
Add a New Device to a FireCluster 291
Update the FireCluster Configuration 291
Configure FireCluster Logging and Notification 292
About Feature Keys and FireCluster 292
See the Feature Keys and Cluster Features for a Cluster 293
See or Update the Feature Key for a Cluster Member 294
See the FireCluster Feature Key in Firebox System Manager 296
Create a FireCluster Backup Image 297
Restore a FireCluster Backup Image 298
Make the Backup Master Leave the Cluster 298
Restore the Backup Image to the Backup Master 298
Restore the Backup Image to the Cluster Master 298
Make the Backup Master Rejoin the Cluster 299
Upgrade Fireware XTM for FireCluster Members 299
Disable FireCluster 301
Authentication 303
About User Authentication 303
User Authentication Steps 304
Manage Authenticated Users 305
Use Authentication to Restrict Incoming Traffic 306
Use Authentication Through a Gateway Firebox 307
About the WatchGuard Authentication (WG-Auth) Policy 308
Set Global Firewall Authentication Values 308
Set Global Authentication Timeouts 309
Allow Multiple Concurrent Logins 310
Limit Login Sessions 310
Automatically Redirect Users to the Authentication Portal 311
Use a Custom Default Start Page 312
Set Management Session Timeouts 312
About Single Sign-On (SSO) 312
Before You Begin 314
Set Up SSO 314
Install the WatchGuard Single Sign-On (SSO) Agent 314
Configure the SSO Agent 315
Install the WatchGuard Single Sign-On (SSO) Client 319
Enable Single Sign-On (SSO) 320
Install and Configure the Terminal Services Agent 324
Install the Terminal Services Agent 325
Configure the Terminal Services Agent 325
Configure Terminal Services Settings 326
Authentication Server Types 328
About Third-Party Authentication Servers 328
Use a Backup Authentication Server 328
Configure Your XTM Device as an Authentication Server 329
Types of Firebox Authentication 329
Define a New User for Firebox Authentication 332
Define a New Group for Firebox Authentication 334
Configure RADIUS Server Authentication 335
Authentication Key 335
RADIUSAuthentication Methods 335
Before You Begin 335
Use RADIUSServer Authentication with Your XTM Device 335
How RADIUS Server Authentication Works 337
WPA and WPA2 Enterprise Authentication 340
Configure VASCO Server Authentication 340
Configure SecurID Authentication 343
Configure LDAP Authentication 345
About LDAP Optional Settings 347
Configure Active Directory Authentication 348
Add an Active Directory Authentication Domain and Server 348
About Active Directory Optional Settings 352
Edit an Existing Active Directory Domain 352
Delete an Active Directory Domain 354
Find Your Active Directory Search Base 354
Change the Default Port for the Active Directory Server 355
Use Active Directory or LDAP Optional Settings 356
Before You Begin 356
Specify Active Directory or LDAP Optional Settings 357
Use a Local User Account for Authentication 360
Use Authorized Users and Groups in Policies 360
Define Users and Groups for Firebox Authentication 360
Define Users and Groups for Third-Party Authentication 360
Add Users and Groups to Policy Definitions 361
Policies 363
About Policies 363
Packet Filter and Proxy Policies 363
Add Policies to Your XTM Device 364
About Policy Manager 364
Open Policy Manager 366
About Policy Manager Views 367
Change Colors Used for Policy Manager Text 369
Find a Policy by Address, Port, or Protocol 371
Add Policies to Your Configuration 372
See the List of Policy Templates 372
Add a Policy from the List of Templates 374
Add More than One Policy of the Same Type 376
See Template Details and Modify Policy Templates 376
Disable or Delete a Policy 377
About Aliases 378
Alias Members 378
Create an Alias 379
About Policy Precedence 383
Automatic Policy Order 383
Policy Specificity and Protocols 384
Traffic Rules 384
Firewall Actions 385
Schedules 385
Policy Types and Names 385
Set Precedence Manually 385
Create Schedules for XTM Device Actions 386
Set an Operating Schedule 387
About Custom Policies 388
Create or Edit a Custom Policy Template 388
Import and Export Custom Policy Templates 390
About Policy Properties 391
Policy Tab 391
Properties Tab 391
Advanced Tab 392
Proxy Settings 392
Set Access Rules for a Policy 392
Configure Policy-Based Routing 395
Set a Custom Idle Timeout 399
Set ICMP Error Handling 399
Apply NAT Rules 399
Set the Sticky Connection Duration for a Policy 400
Proxy Settings 401
About Proxy Policies and ALGs 401
Proxy Configuration 402
Proxy and AV Alarms 402
About Proxy Actions 403
About Rules and Rulesets 408
Use Predefined Content Types 417
Add a Proxy Policy to Your Configuration 417
About the DNS-Proxy 419
Policy Tab 419
Properties Tab 419
Advanced Tab 420
Configure the Proxy Action 420
DNS-Proxy: General Settings 420
DNS-Proxy: OPcodes 422
DNS-Proxy: Query Types 423
DNS-Proxy: Query Names 425
About MX (Mail eXchange) Records 426
About the FTP-Proxy 428
Policy Tab 428
Properties Tab 428
Advanced Tab 429
Configure the Proxy Action 429
FTP-Proxy: General Settings 430
FTP-Proxy: Commands 431
FTP-Proxy: Content 432
FTP-Proxy: AntiVirus 433
About the H.323-ALG 434
VoIPComponents 434
ALGFunctions 434
Policy Tab 435
Properties Tab 435
Advanced Tab 435
Configure the Proxy Action 435
H.323-ALG: General Settings 436
H.323-ALG: Access Control 437
H.323-ALG: Denied Codecs 439
About the HTTP-Proxy 440
Policy Tab 441
Properties Tab 441
Advanced Tab 441
Configure the Proxy Action 441
HTTP Request: General Settings 442
HTTP Request: Request Methods 444
HTTP Request: URL Paths 445
HTTP Request: Header Fields 445
HTTP Request: Authorization 446
HTTP Response: General Settings 447
HTTP Response: Header Fields 448
HTTP Response: Content Types 449
HTTP Response: Cookies 451
HTTP Response: Body Content Types 452
HTTP-Proxy: Exceptions 452
HTTP-Proxy:WebBlocker 453
HTTP-Proxy: AntiVirus 454
HTTP-Proxy: Reputation Enabled Defense 454
HTTP-Proxy: Deny Message 455
Enable Windows Updates Through the HTTP-Proxy 457
Use a Caching Proxy Server 457
About the HTTPS-Proxy 459
Policy Tab 459
Properties Tab 460
Advanced Tab 460
Configure the Proxy Action 460
HTTPS-Proxy: General Settings 461
HTTPS-Proxy: Content Inspection 463
HTTPS-Proxy: Certificate Names 465
HTTPS-Proxy:WebBlocker 466
About the POP3-Proxy 467
Policy Tab 467
Properties Tab 468
Advanced Tab 468
Configure the Proxy Action 468
POP3-Proxy: General Settings 469
POP3-Proxy: Authentication 471
POP3-Proxy: Content Types 472
POP3-Proxy: File Names 474
POP3-Proxy: Headers 475
POP3-Proxy: AntiVirus 476
POP3-Proxy: Deny Message 477
POP3-Proxy: spamBlocker 479
About the SIP-ALG 480
VoIPComponents 480
Instant Messaging Support 480
ALGFunctions 481
Policy Tab 481
Properties Tab 481
Advanced Tab 482
Configure the Proxy Action 482
SIP-ALG: General Settings 483
SIP-ALG: Access Control 485
SIP-ALG: Denied Codecs 486
About the SMTP-Proxy 488
Policy Tab 488
Properties Tab 488
Advanced Tab 489
Configure the Proxy Action 489
SMTP-Proxy: General Settings 490
SMTP-Proxy: Greeting Rules 493
SMTP-Proxy: ESMTP Settings 494
SMTP-Proxy: Authentication 495
SMTP-Proxy: Content Types 497
SMTP-Proxy: File Names 498
SMTP-Proxy: Mail From/Rcpt To 499
SMTP-Proxy: Headers 501
SMTP-Proxy: AntiVirus 501
SMTP-Proxy: Deny Message 502
SMTP-Proxy: spamBlocker 504
Configure the SMTP-Proxy to Quarantine Email 504
Protect Your SMTP Server from Email Relaying 504
About the TCP-UDP-Proxy 506
Policy Tab 506
Properties Tab 506
Advanced Tab 507
Configure the Proxy Action 507
TCP-UDP-Proxy: General Settings 507
Traffic Management and QoS 509
About Traffic Management and QoS 509
Enable Traffic Management and QoS 509
Guarantee Bandwidth 510
Restrict Bandwidth 511
QoS Marking 511
Traffic Priority 511
Set Connection Rate Limits 512
About QoS Marking 512
Before You Begin 512
QoS Marking for Interfaces and Policies 513
QoS Marking and IPSec Traffic 513
Marking Types and Values 514
Enable QoS Marking for an Interface 515
Enable QoS Marking or Prioritization Settings for a Policy 516
Enable QoS Marking for a Managed BOVPN Tunnel 518
Traffic Control and Policy Definitions 520
Define a Traffic Management Action 520
Add a Traffic Management Action to a Policy 521
Add a Traffic Management Action to a BOVPN Firewall Policy 522
Default Threat Protection 525
About Default Threat Protection 525
About Default Packet Handling Options 526