Watchguard Fireware XTM Web UI User guide

Fireware XTM Web UI 11.6 User Guide
WatchGuard XTM Devices
ii Fireware XTM Web UI
About this User Guide
The Fireware XTM Web UI User Guide is updated with each major product release. For minor product
releases, only the Fireware XTM Web UI Help system is updated. The Help system also includes
specific, task-based implementation examples that are not available in the User Guide.
For the most recent product documentation, see the Fireware XTM Web UI Help on the WatchGuard
web site at: http://www.watchguard.com/help/documentation/.
Information in this guide is subject to change without notice. Companies, names, and data used in
examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or
transmitted in any form or by any means, electronic or mechanical, for any purpose, without the
express written permission of WatchGuard Technologies, Inc.
Guide revised: 6/27/2012
Copyright, Trademark, and Patent Information
Copyright © 1998–2011 WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade
names mentioned herein, if any, are the property of their respective owners.
Complete copyright, trademark, patent, and licensing information can be found in the Copyright and
Licensing Guide, available online at: http://www.watchguard.com/help/documentation/
Note: This product is for indoor use only.
About WatchGuard
WatchGuard offers affordable, all-in-one network and content
security solutions that provide defense-in-depth and help meet
regulatory compliance requirements. The WatchGuard XTM line
combines firewall, VPN, GAV, IPS, spam blocking and URL
filtering to protect your network from spam, viruses, malware,
and intrusions. The new XCS line offers email and web content
security combined with data loss prevention. WatchGuard
extensible solutions scale to offer right-sized security ranging
from small businesses to enterprises with 10,000+ employees.
WatchGuard builds simple, reliable, and robust security
appliances featuring fast implementation and comprehensive
management and reporting tools. Enterprises throughout the
world rely on our signature red boxes to maximize security
without sacrificing efficiency and productivity.
For more information, please call 206.613.6600 or visit
www.watchguard.com.
Address
505 Fifth Avenue South
Suite 500
Seattle, WA 98104
Support
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575
Sales
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895
User Guide iii
Table of Contents
Introduction to Network Security 1
About Networks and Network Security 1
About Internet Connections 1
About Protocols 2
About IP Addresses 3
IPv4 Addresses 3
IPv6 Addresses 4
About Slash Notation 5
About Entering Addresses 6
Static and Dynamic IP Addresses 6
About DNS (Domain Name System) 7
About Firewalls 8
About Services and Policies 9
About Ports 10
The XTM Device and Your Network 10
Introduction to Fireware XTM 13
About Fireware XTM 13
Fireware XTM Components 14
WatchGuard System Manager 14
WatchGuard Server Center 15
Fireware XTM Web UI and Command Line Interface 16
Fireware XTMwith a Pro Upgrade 17
Fireware XTM on an XTMv Device 18
XTMv Device Limitations 18
XTMv Device Installation 18
VMware Virtual Switch Configuration 18
FIPS Support in Fireware XTM 19
About FIPSMode 19
FIPS Mode Operation and Constraints 19
Service and Support 21
About WatchGuard Support 21
LiveSecurity Service 21
LiveSecurity Service Gold 22
Service Expiration 23
Getting Started 25
Before You Begin 25
Verify Basic Components 25
Get an XTM Device Feature Key 26
Gather Network Addresses 26
Select a Firewall Configuration Mode 27
About the Quick Setup Wizard 28
Run the Web Setup Wizard 29
Connect to Fireware XTMWeb UI 32
Connect to Fireware XTMWeb UI from an External Network 33
About Fireware XTMWeb UI 34
Limitations of Fireware XTM Web UI 35
Complete Your Installation 36
Customize Your Security Policy 36
About LiveSecurity Service 36
Additional Installation Topics 37
Connect to an XTM Device with Firefox v3 37
Identify Your Network Settings 38
Set Your Computer to Connect to Your XTM Device 40
Disable the HTTP Proxy in the Browser 42
Configuration and Management Basics 45
About Basic Configuration and Management Tasks 45
Make a Backup of the XTM Device Image 45
Restore an XTM Device Backup Image 46
Use a USB Drive for System Backup and Restore 47
About the USB Drive 47
Save a Backup Image to a Connected USB Drive 47
Restore a Backup Image from a Connected USB Drive 48
Automatically Restore a Backup Image from a USB Drive 48
USB Drive Directory Structure 51
iv Fireware XTMWeb UI
User Guide v
Save a Backup Image to a USB Drive Connected to Your Computer 52
Use a USBDrive to Save a Support Snapshot 52
Reset an XTM Device to a Previous or New Configuration 54
Start an XTM Device in Safe Mode 54
Reset an XTM 2 Series or XTM33 to Factory-Default Settings 54
Reset an XTMv to Factory Default Settings 55
Run the Quick Setup Wizard 55
About Factory-Default Settings 55
About Feature Keys 57
When You Purchase a New Feature 57
See Features Available with the Current Feature Key 57
Get a Feature Key for Your XTMDevice 58
Add a Feature Key to Your XTM Device 60
Restart Your XTM Device 62
Restart the XTM Device Locally 62
Restart the XTM Device Remotely 62
Enable NTP and Add NTP Servers 63
Set the Time Zone and Basic Device Properties 64
About SNMP 65
SNMP Polls and Traps 65
Enable SNMP Polling 66
Enable SNMP Management Stations and Traps 67
About Management Information Bases (MIBs) 69
About WatchGuard Passphrases, Encryption Keys, and Shared Keys 70
Create a Secure Passphrase, Encryption Key, or Shared Key 70
XTM Device Passphrases 71
User Passphrases 71
Server Passphrases 71
Encryption Keys and Shared Keys 72
Change XTM Device Passphrases 73
Define XTM Device Global Settings 74
Define ICMP Error Handling Global Settings 75
Configure TCP Settings 76
Enable or Disable Traffic Management and QoS 76
Change the Web UI Port 76
Enable the External Console on a Firebox X Edge e-Series Device 77
Automatic Reboot 77
About WatchGuard Servers 77
Manage an XTM Device From a Remote Location 79
Configure an XTM Device as a Managed Device 81
Edit the WatchGuard Policy 81
Set Up the Managed Device 82
Upgrade to a New Version of Fireware XTM 84
Install the Upgrade on Your Management Computer 84
Upgrade the XTM Device 84
Download or Show the XTMDevice Configuration 85
Download the Configuration File 85
Show the XTMConfiguration Report 85
About Upgrade Options 87
Subscription Services Upgrades 87
Appliance and Software Upgrades 87
How to Apply an Upgrade 88
About Subscription Services Expiration 88
Subscription Renewal Reminders 88
Feature Key Compliance 89
Security Service Expiration Behavior 89
Gateway AntiVirus 89
Intrusion Prevention Service (IPS) 89
WebBlocker 90
spamBlocker 90
Reputation Enabled Defense 90
Application Control 90
LiveSecurity Service 91
Synchronize Subscription Renewals 91
Renew Subscription Services 91
Subscription Services Status and Manual Signatures Updates 91
vi Fireware XTMWeb UI
User Guide vii
Network Setup and Configuration 93
About Network Interface Setup 93
Network Modes 94
Interface Types 95
About Private IPAddresses 95
About IPv6 Support 96
Mixed Routing Mode 97
Configure an External Interface 97
Enable IPv6 for an External Interface 101
Enable IPv6 for a Trusted or Optional Interface 103
Configure DHCP in Mixed Routing Mode 108
About the Dynamic DNS Service 110
Configure Dynamic DNS 111
Drop-In Mode 112
Use Drop-In Mode for Network Interface Configuration 113
Configure Related Hosts 113
Configure DHCP in Drop-In Mode 115
Bridge Mode 118
Enable Bridge Mode 119
Common Interface Settings 120
Disable an Interface 121
Configure DHCPRelay 121
Restrict Network Traffic by MAC Address 121
Add WINS and DNS Server Addresses 122
Add a Secondary Network IPAddress 124
About Advanced Interface Settings 127
Network Interface Card (NIC)Settings 127
Set DF Bit for IPSec 129
PMTU Setting for IPSec 129
Use Static MAC Address Binding 130
Find the MAC Address of a Computer 131
About LAN Bridges 131
Create a Network Bridge Configuration 131
Assign a Network Interface to a Bridge 134
About Routing 135
Add a Static Route 135
About Virtual Local Area Networks (VLANs) 137
VLAN Requirements and Restrictions 137
About Tagging 138
About VLANIDNumbers 138
Define a New VLAN 138
Assign Interfaces to a VLAN 141
Network Setup Examples 143
Configure Two VLANs on the Same Interface 143
Configure One VLAN Bridged Across Two Interfaces 147
Use the Broadband Extend or 3G Extend Wireless Bridge 151
Multi-WAN 153
About Using Multiple External Interfaces 153
Multi-WAN Requirements and Conditions 153
Multi-WAN and DNS 154
About Multi-WAN Options 155
Round-Robin Order 155
Failover 155
Interface Overflow 156
Routing Table 156
Serial Modem (XTM2 Series and XTM 33 only) 156
Configure Round-Robin 157
Before You Begin 157
Configure the Interfaces 157
Find How to Assign Weights to Interfaces 158
Configure Failover 158
Before You Begin 158
Configure the Interfaces 158
Configure Interface Overflow 160
Before You Begin 160
Configure the Interfaces 160
viii Fireware XTMWeb UI
User Guide ix
Configure Routing Table 161
Before You Begin 161
Routing Table Mode and Load Balancing 161
Configure the Interfaces 161
About the XTM Device Route Table 162
When to Use Multi-WAN Methods and Routing 162
Serial Modem Failover 163
Enable Serial Modem Failover 163
Account Settings 164
DNS Settings 164
Dial-up Settings 165
Advanced Settings 165
Link Monitor Settings 166
About Advanced Multi-WAN Settings 167
Set a Global Sticky Connection Duration 167
Set the Failback Action 168
About WAN Interface Status 168
Time Needed for the XTM Device to Update its Route Table 169
Define a Link Monitor Host 169
Network Address Translation (NAT) 171
About Network Address Translation 171
Types of NAT 172
About Dynamic NAT 172
Add Firewall Dynamic NAT Entries 173
Configure Policy-Based Dynamic NAT 175
About 1-to-1 NAT 177
About 1-to-1 NAT and VPNs 178
Configure Firewall 1-to-1 NAT 178
Configure Policy-Based 1-to-1 NAT 181
Configure NAT Loopback with Static NAT 182
Add a Policy for NATLoopback to the Server 183
NAT Loopback and 1-to-1 NAT 184
About SNAT 187
Configure Static NAT 187
Configure Server Load Balancing 190
1-to-1 NAT Example 196
Wireless Setup 197
About Wireless Configuration 197
About Wireless Access Point Configuration 198
Before You Begin 199
About Wireless Configuration Settings 200
Enable/Disable SSID Broadcasts 201
Change the SSID 201
Log Authentication Events 201
Change the Fragmentation Threshold 201
Change the RTS Threshold 203
About Wireless Security Settings 204
Set the Wireless Authentication Method 204
Use a RADIUS Server for Wireless Authentication 205
Use the XTMDevice as an Authentication Server for Wireless Authentication 206
Set the Encryption Level 208
Enable Wireless Connections to the Trusted or Optional Network 210
Enable a Wireless Guest Network 212
Enable a Wireless Hotspot 215
Configure User Timeout Settings 216
Customize the Hotspot Splash Screen 216
Connect to a Wireless Hotspot 218
See Wireless Hotspot Connections 219
Configure Your External Interface as a Wireless Interface 221
Configure the Primary External Interface as a Wireless Interface 221
Configure a BOVPN Tunnel for Additional Security 223
About Wireless Radio Settings 224
Country is Set Automatically 225
Select the Band and Wireless Mode 226
Select the Channel 226
Configure the Wireless Card on Your Computer 227
x Fireware XTMWeb UI
User Guide xi
Rogue Access Point Detection 227
Enable Rogue Access Point Detection 228
Add an XTMWireless Device as a Trusted Access Point 233
Find the Wireless MACAddress of a Trusted Access Point 236
Rogue Access Point Scan Results 236
Dynamic Routing 239
About Dynamic Routing 239
Dynamic Routing Protocols 239
Dynamic Routing Policies 239
Monitor Dynamic Routing 240
About Routing Daemon Configuration Files 240
About Routing Information Protocol (RIP) 240
Routing Information Protocol (RIP) Commands 240
Configure the XTM Device to Use RIP 243
Sample RIP Routing Configuration File 245
About Open Shortest Path First (OSPF) Protocol 247
OSPF Commands 247
OSPF Interface Cost Table 250
Configure the XTM Device to Use OSPF 251
Sample OSPF Routing Configuration File 252
About Border Gateway Protocol (BGP) 255
BGP Commands 256
Configure the XTM Device to Use BGP 258
Sample BGP Routing Configuration File 260
Authentication 263
About User Authentication 263
User Authentication Steps 264
Manage Authenticated Users 265
Use Authentication to Restrict Incoming Traffic 266
Use Authentication Through a Gateway Firebox 267
About the WatchGuard Authentication (WG-Auth) Policy 268
Set Global Firewall Authentication Values 268
Set Global Authentication Timeouts 269
Allow Multiple Concurrent Logins 270
Limit Login Sessions 270
Specify the Default Authentication Server in the Authentication Portal 272
Automatically Redirect Users to the Authentication Portal 272
Use a Custom Default Start Page 273
Set Management Session Timeouts 273
About Single Sign-On (SSO) 274
The WatchGuard SSO Solution 274
Example Network Configurations for SSO 276
Before You Begin 278
Set Up SSO 278
Install the WatchGuard Single Sign-On (SSO) Agent 278
Configure the SSO Agent 280
Use Telnet to Debug the SSO Agent 287
Install the WatchGuard Single Sign-On (SSO) Client 290
Enable Single Sign-On (SSO) 291
Install and Configure the Terminal Services Agent 294
About Single Sign-On for Terminal Services 295
Before You Begin 295
Install the Terminal Services Agent 296
Configure the Terminal Services Agent 297
Configure Terminal Services Settings 303
Authentication Server Types 305
About Third-Party Authentication Servers 305
Use a Backup Authentication Server 305
Configure Your XTM Device as an Authentication Server 306
Types of Firebox Authentication 306
Define a New User for Firebox Authentication 309
Define a New Group for Firebox Authentication 311
Configure RADIUS Server Authentication 312
Authentication Key 312
RADIUSAuthentication Methods 312
Before You Begin 312
xii Fireware XTMWeb UI
User Guide xiii
Use RADIUSServer Authentication with Your XTM Device 312
How RADIUS Server Authentication Works 314
WPA and WPA2 Enterprise Authentication 317
Configure VASCO Server Authentication 317
Configure SecurID Authentication 320
Configure LDAP Authentication 322
About LDAP Optional Settings 324
Test the Connection to the Server 325
Configure Active Directory Authentication 326
Add an Active Directory Authentication Domain and Server 326
About Active Directory Optional Settings 330
Test the Connection to the Server 330
Edit an Existing Active Directory Domain 331
Delete an Active Directory Domain 332
Find Your Active Directory Search Base 332
Change the Default Port for the Active Directory Server 334
Use Active Directory or LDAP Optional Settings 334
Before You Begin 335
Specify Active Directory or LDAP Optional Settings 335
Use a Local User Account for Authentication 339
Use Authorized Users and Groups in Policies 339
Define Users and Groups for Firebox Authentication 339
Define Users and Groups for Third-Party Authentication 339
Add Users and Groups to Policy Definitions 340
Policies 343
About Policies 343
Packet Filter and Proxy Policies 343
Add Policies to Your XTM device 344
About the Policies Pages 345
About the Outgoing Policy 346
Add Policies to Your Configuration 348
Use Policy Checker to Find a Policy 348
Add a Policy from the List of Templates 348
Disable or Delete a Policy 350
Use Policy Checker to Find a Policy 351
Read the Results 352
About Aliases 354
Alias Members 354
Create an Alias 355
About Policy Precedence 359
Automatic Policy Order 359
Policy Specificity and Protocols 359
Traffic Rules 360
Firewall Actions 360
Schedules 361
Policy Types and Names 361
Set Precedence Manually 361
Create Schedules for XTM Device Actions 362
Set an Operating Schedule 362
About Custom Policies 363
Create or Edit a Custom Policy Template 363
About Policy Properties 366
Policy Tab 366
Properties Tab 366
Advanced Tab 367
Proxy Settings 367
Set Access Rules for a Policy 367
Configure Policy-Based Routing 369
Set a Custom Idle Timeout 372
Set ICMP Error Handling 372
Apply NAT Rules 372
Set the Sticky Connection Duration for a Policy 373
Proxy Settings 375
About Proxy Policies and ALGs 375
Proxy Configuration 376
Add a Proxy Policy to Your Configuration 376
xiv Fireware XTMWeb UI
User Guide xv
About Proxy Actions 377
Set the Proxy Action in a Proxy Policy 377
Clone, Edit, or Delete Proxy Actions 378
Proxy and AV Alarms 382
About Rules and Rulesets 382
About Working with Rules and Rulesets 383
Configure Rulesets 383
Add, Change, or Delete Rules 383
Cut and Paste Rule Definitions 385
Change the Order of Rules 385
Change the Default Rule 386
About Regular Expressions 387
About the DNS-Proxy 391
Action Settings 391
Policy Tab 391
Properties Tab 392
Advanced Tab 392
Configure the Proxy Action 392
DNS-Proxy: General Settings 393
DNS-Proxy: OPcodes 394
DNS-Proxy: Query Names 397
DNS-Proxy: Query Types 398
DNS-Proxy: Proxy Alarm 399
About MX (Mail eXchange) Records 400
About the FTP-Proxy 403
Action Settings 403
Policy Tab 403
Properties Tab 404
Advanced Tab 404
Configure the Proxy Action 404
FTP-Proxy: General Settings 405
FTP-Proxy: Commands 407
FTP-Proxy: Content 408
FTP-Proxy: Proxy and AV Alarms 408
About the H.323-ALG 410
VoIPComponents 410
ALGFunctions 410
Action Settings 411
Policy Tab 411
Properties Tab 411
Advanced Tab 411
Configure the Proxy Action 412
H.323-ALG: General Settings 412
H.323-ALG: Access Control 414
H.323-ALG: Denied Codecs 416
About the HTTP-Proxy 418
Action Settings 418
Policy Tab 419
Properties Tab 419
Advanced Tab 419
Configure the Proxy Action 420
HTTP Request: General Settings 420
HTTP Request: Request Methods 423
HTTP Request: URL Paths 424
HTTP Request: Header Fields 425
HTTP Request: Authorization 426
HTTP Response: General Settings 427
HTTP Response: Header Fields 428
HTTP Response: Content Types 429
HTTP Response: Cookies 431
HTTP Response: Body Content Types 431
HTTP-Proxy: Exceptions 432
HTTP-Proxy: Deny Message 434
HTTP-Proxy: Proxy and AV Alarms 435
Enable Windows Updates Through the HTTP-Proxy 437
Use a Caching Proxy Server 437
xvi Fireware XTMWeb UI
User Guide xvii
About the HTTPS-Proxy 439
Action Settings 439
Policy Tab 439
Properties Tab 440
Advanced Tab 440
Configure the Proxy Action 440
HTTPS-Proxy: General Settings 441
HTTPS-Proxy: Content Inspection 443
HTTPS-Proxy: Certificate Names 446
HTTPS-Proxy: Proxy Alarm 446
About the POP3-Proxy 448
Action Settings 448
Policy Tab 448
Properties Tab 449
Advanced Tab 449
Configure the Proxy Action 449
POP3-Proxy: General Settings 450
POP3-Proxy: Authentication 452
POP3-Proxy: Content Types 453
POP3-Proxy: Filenames 455
POP3-Proxy: Headers 456
POP3-Proxy: Deny Message 456
POP3-Proxy: Proxy and AV Alarms 457
About the SIP-ALG 459
VoIPComponents 459
Instant Messaging Support 459
ALGFunctions 460
Action Settings 460
Policy Tab 460
Properties Tab 461
Advanced Tab 461
Configure the Proxy Action 461
SIP-ALG: General Settings 462
SIP-ALG: Access Control 464
SIP-ALG: Denied Codecs 465
About the SMTP-Proxy 467
Action Settings 467
Policy Tab 467
Properties Tab 468
Advanced Tab 468
Configure the Proxy Action 468
SMTP-Proxy: General Settings 469
SMTP-Proxy: Greeting Rules 472
SMTP-Proxy: ESMTP Settings 473
SMTP-Proxy: TLS Encryption 475
SMTP-Proxy: Authentication 478
SMTP-Proxy: Content Types 480
SMTP-Proxy: Filenames 483
SMTP-Proxy: Mail From/Rcpt To 484
SMTP-Proxy: Headers 486
SMTP-Proxy: Deny Message 487
SMTP-Proxy: Proxy and AV Alarms 488
Configure the SMTP-Proxy to Quarantine Email 489
Protect Your SMTP Server from Email Relaying 490
About the TCP-UDP-Proxy 491
Action Settings 491
Policy Tab 491
Properties Tab 491
Advanced Tab 492
Configure the Proxy Action 492
TCP-UDP-Proxy: General Settings 492
Traffic Management and QoS 495
About Traffic Management and QoS 495
Enable Traffic Management and QoS 495
Guarantee Bandwidth 496
Restrict Bandwidth 497
xviii Fireware XTMWeb UI
User Guide xix
QoS Marking 497
Traffic Priority 497
Set Outgoing Interface Bandwidth 498
Set Connection Rate Limits 499
About QoS Marking 499
Before You Begin 499
QoS Marking for Interfaces and Policies 500
QoS Marking and IPSec Traffic 500
Enable QoS Marking for an Interface 500
Enable QoS Marking or Prioritization Settings for a Policy 501
Traffic Control and Policy Definitions 503
Define a Traffic Management Action 503
Add a Traffic Management Action to a Policy 504
Default Threat Protection 507
About Default Threat Protection 507
About Default Packet Handling Options 508
About Spoofing Attacks 509
About IP Source Route Attacks 510
About Port Space and Address Space Probes 510
About Flood Attacks 512
About Unhandled Packets 514
About Distributed Denial-of-Service Attacks 515
About Blocked Sites 516
Permanently Blocked Sites 516
Auto-Blocked Sites/Temporary Blocked Sites List 516
Blocked Site Exceptions 517
See and Edit the Sites on the Blocked Sites List 517
Block a Site Permanently 517
Create Blocked Site Exceptions 518
Block Sites Temporarily with Policy Settings 518
Change the Duration that Sites are Auto-Blocked 519
About Blocked Ports 519
Default Blocked Ports 520
Block a Port 521
Logging and Notification 523
About Logging, Log Files, and Notification 523
About Log Messages 523
Log Servers 523
Logging and Notification in Applications and Servers 524
System Status Syslog 524
Types of Log Messages 524
Send Log Messages to a WatchGuard Log Server 525
Add, Edit, or Change the Priority of Log Servers 526
Send Log Information to a Syslog Host 527
Configure Logging Settings 529
Set the Diagnostic Log Level 530
Configure Logging and Notification for a Policy 532
Set Logging and Notification Preferences 533
Use Syslog to See Log Message Data 534
View, Sort, and Filter Log Message Data 534
Refresh Log Message Data 536
Monitor Your Device 537
About the Dashboard and System Status Pages 537
The Dashboard 537
System Status Pages 539
ARP Table 540
Authentication List 541
Server Connection 542
Test the Server Connection 543
Read the Server Connection Results 545
Bandwidth Meter 545
Blocked Sites 546
Add or Edit Temporary Blocked Sites 546
Checksum 547
Connections 548
Components List 548
xx Fireware XTMWeb UI
/