Watchguard Fireware XTM Web UI User guide

Brand: Watchguard

Model: Fireware XTM Web UI

Category: Software

Type: User guide

Fireware XTM Web UI 11.5.1 User Guide

Fireware XTM

Web UI

11.5.1 User Guide

WatchGuard XTMDevices

ii Fireware XTMWeb UI

About this User Guide

The Fireware XTM Web UI User Guide is updated with each major product release. For minor product

releases, only the Fireware XTM Web UI Help system is updated. The Help system also includes

specific, task-based implementation examples that are not available in the User Guide.

For the most recent product documentation, see the Fireware XTM Web UI Help on the WatchGuard

web site at: http://www.watchguard.com/help/documentation/.

Information in this guide is subject to change without notice. Companies, names, and data used in

examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or

transmitted in any form or by any means, electronic or mechanical, for any purpose, without the

express written permission of WatchGuard Technologies, Inc.

Guide revised: 12/2/2011

names mentioned herein, if any, are the property of their respective owners.

Complete copyright, trademark, patent, and licensing information can be found in the Copyright and

Licensing Guide, available online at: http://www.watchguard.com/help/documentation/

Note This product is for indoor use only.

About WatchGuard

WatchGuard offers affordable, all-in-one network and content

security solutions that provide defense-in-depth and help meet

regulatory compliance requirements. The WatchGuard XTM line

combines firewall, VPN, GAV, IPS, spam blocking and URL

filtering to protect your network from spam, viruses, malware, and

intrusions. The new XCS line offers email and web content

security combined with data loss prevention. WatchGuard

extensible solutions scale to offer right-sized security ranging from

small businesses to enterprises with 10,000+ employees.

WatchGuard builds simple, reliable, and robust security

appliances featuring fast implementation and comprehensive

management and reporting tools. Enterprises throughout the world

rely on our signature red boxes to maximize security without

sacrificing efficiency and productivity.

For more information, please call 206.613.6600 or visit

www.watchguard.com.

Address

505 Fifth Avenue South

Suite 500

Seattle, WA 98104

Support

www.watchguard.com/support

U.S. and Canada +877.232.3531

All Other Countries +1.206.521.3575

Sales

U.S. and Canada +1.800.734.9905

All Other Countries +1.206.613.0895

User Guide iii

Table of Contents

Introduction to Network Security 1

About Networks and Network Security 1

About Internet Connections 1

About Protocols 2

About IP Addresses 3

IPv4 Addresses 3

IPv6 Addresses 4

About Slash Notation 5

About Entering Addresses 6

Static and Dynamic IP Addresses 6

About DNS (Domain Name System) 7

About Firewalls 8

About Services and Policies 9

About Ports 10

The XTM Device and Your Network 10

Introduction to Fireware XTM 13

About Fireware XTM 13

Fireware XTM Components 14

WatchGuard System Manager 14

WatchGuard Server Center 15

Fireware XTM Web UI and Command Line Interface 16

Fireware XTMwith a Pro Upgrade 17

Fireware XTM on an XTMv Device 17

XTMv Device Limitations 18

XTMv Device Installation 18

FIPS Support in Fireware XTM 18

About FIPSMode 18

FIPS Mode Operation and Constraints 19

Service and Support 21

About WatchGuard Support 21

LiveSecurity Service 21

LiveSecurity Service Gold 22
Service Expiration 23
Getting Started 25
Before You Begin 25
Verify Basic Components 25
Get an XTM Device Feature Key 26
Gather Network Addresses 26
Select a Firewall Configuration Mode 27
About the Quick Setup Wizard 28
Run the Web Setup Wizard 29
Connect to Fireware XTMWeb UI 32
Connect to Fireware XTMWeb UI from an External Network 33
About Fireware XTMWeb UI 33
Limitations of Fireware XTM Web UI 34
Complete Your Installation 36
Customize Your Security Policy 36
About LiveSecurity Service 36
Additional Installation Topics 37
Connect to an XTM Device with Firefox v3 37
Identify Your Network Settings 38
Set Your Computer to Connect to Your XTM Device 41
Disable the HTTP Proxy in the Browser 42
Configuration and Management Basics 45
About Basic Configuration and Management Tasks 45
Make a Backup of the XTM Device Image 45
Restore an XTM Device Backup Image 46
Use a USB Drive for System Backup and Restore 47
About the USB Drive 47
Save a Backup Image to a Connected USB Drive 47
Restore a Backup Image from a Connected USB Drive 47
Automatically Restore a Backup Image from a USB Drive 48
USB Drive Directory Structure 51
Save a Backup Image to a USB Drive Connected to Your Computer 52
iv Fireware XTMWeb UI

User Guide v
Use a USBDrive to Save a Support Snapshot 52
Reset an XTM Device to a Previous or New Configuration 54
Start an XTM Device in Safe Mode 54
Reset an XTM 2 Series Device to Factory-Default Settings 54
Reset an XTMv Device to Factory Default Settings 55
Run the Quick Setup Wizard 55
About Factory-Default Settings 55
About Feature Keys 57
When You Purchase a New Feature 57
See Features Available with the Current Feature Key 57
Get a Feature Key from LiveSecurity 58
Add a Feature Key to Your XTM Device 60
Restart Your XTM Device 62
Restart the XTM Device Locally 62
Restart the XTM Device Remotely 62
Enable NTP and Add NTP Servers 62
Set the Time Zone and Basic Device Properties 64
About SNMP 65
SNMP Polls and Traps 65
Enable SNMP Polling 66
Enable SNMP Management Stations and Traps 67
About Management Information Bases (MIBs) 69
About WatchGuard Passphrases, Encryption Keys, and Shared Keys 70
Create a Secure Passphrase, Encryption Key, or Shared Key 70
XTM Device Passphrases 71
User Passphrases 71
Server Passphrases 71
Encryption Keys and Shared Keys 72
Change XTM Device Passphrases 73
Define XTM Device Global Settings 74
Define ICMP Error Handling Global Settings 75
Configure TCP Settings 76
Enable or Disable Traffic Management and QoS 76

Change the Web UI Port 76
Enable the External Console on a Firebox X Edge e-Series Device 77
Automatic Reboot 77
About WatchGuard Servers 77
Manage an XTM Device From a Remote Location 79
Configure an XTM Device as a Managed Device 81
Edit the WatchGuard Policy 81
Set Up the Managed Device 82
Upgrade to a New Version of Fireware XTM 83
Install the Upgrade on Your Management Computer 83
Upgrade the XTM Device 84
Download the Configuration File 84
About Upgrade Options 85
Subscription Services Upgrades 85
Appliance and Software Upgrades 85
How to Apply an Upgrade 86
About Subscription Services Expiration 86
Subscription Renewal Reminders 86
Feature Key Compliance 87
Security Service Expiration Behavior 87
Gateway AntiVirus 87
Intrusion Prevention Service (IPS) 87
WebBlocker 88
spamBlocker 88
Reputation Enabled Defense 88
Application Control 88
LiveSecurity Service 89
Synchronize Subscription Renewals 89
Renew Subscription Services 89
Subscription Services Status and Manual Signatures Updates 89
Network Setup and Configuration 91
About Network Interface Setup 91
Network Modes 92
vi Fireware XTMWeb UI

User Guide vii
Interface Types 93
About IPv6 Support 93
Mixed Routing Mode 94
Configure an External Interface 95
Enable IPv6 for an External Interface 98
Enable IPv6 for a Trusted or Optional Interface 100
Configure DHCP in Mixed Routing Mode 103
About the Dynamic DNS Service 106
Configure Dynamic DNS 107
Drop-In Mode 108
Use Drop-In Mode for Network Interface Configuration 109
Configure Related Hosts 109
Configure DHCP in Drop-In Mode 111
Bridge Mode 114
Common Interface Settings 116
Disable an Interface 117
Configure DHCPRelay 117
Restrict Network Traffic by MAC Address 117
Add WINS and DNS Server Addresses 118
Configure a Secondary Network 119
About Advanced Interface Settings 121
Network Interface Card (NIC)Settings 121
Set DF Bit for IPSec 123
PMTU Setting for IPSec 123
Use Static MAC Address Binding 124
Find the MAC Address of a Computer 125
About LAN Bridges 125
Create a Network Bridge Configuration 125
Assign a Network Interface to a Bridge 128
About Routing 128
Add a Static Route 128
About Virtual Local Area Networks (VLANs) 129
VLAN Requirements and Restrictions 130

About Tagging 130
About VLANIDNumbers 131
Define a New VLAN 131
Assign Interfaces to a VLAN 134
Network Setup Examples 135
Configure Two VLANs on the Same Interface 135
Configure One VLAN Bridged Across Two Interfaces 139
Use Your XTM Device with the 3G Extend Wireless Bridge 143
Multi-WAN 145
About Using Multiple External Interfaces 145
Multi-WAN Requirements and Conditions 145
Multi-WAN and DNS 146
About Multi-WAN Options 146
Round-Robin Order 146
Failover 147
Interface Overflow 147
Routing Table 148
Serial Modem (XTM2 Series only) 148
Configure Round-Robin 149
Before You Begin 149
Configure the Interfaces 149
Find How to Assign Weights to Interfaces 150
Configure Failover 150
Before You Begin 150
Configure the Interfaces 150
Configure Interface Overflow 152
Before You Begin 152
Configure the Interfaces 152
Configure Routing Table 153
Before You Begin 153
Routing Table mode and load balancing 153
Configure the Interfaces 153
About the XTM Device Route Table 154
viii Fireware XTMWeb UI

User Guide ix
When to Use Multi-WAN Methods and Routing 154
Serial Modem Failover 155
Enable Serial Modem Failover 155
Account Settings 156
DNS Settings 156
Dial-up Settings 157
Advanced Settings 157
Link Monitor Settings 158
About Advanced Multi-WAN Settings 159
Set a Global Sticky Connection Duration 159
Set the Failback Action 160
About WAN Interface Status 160
Time Needed for the XTM Device to Update its Route Table 161
Define a Link Monitor Host 161
Network Address Translation (NAT) 163
About Network Address Translation 163
Types of NAT 164
About Dynamic NAT 164
Add Firewall Dynamic NAT Entries 165
Configure Policy-Based Dynamic NAT 167
About 1-to-1 NAT 169
About 1-to-1 NAT and VPNs 170
Configure Firewall 1-to-1 NAT 170
Configure Policy-Based 1-to-1 NAT 173
Configure NAT Loopback with Static NAT 174
Add a Policy for NATLoopback to the Server 175
NAT Loopback and 1-to-1 NAT 176
About SNAT 179
Configure Static NAT 179
Configure Server Load Balancing 182
1-to-1 NAT Example 187
Wireless Setup 189
About Wireless Configuration 189

About Wireless Access Point Configuration 190
Before You Begin 191
About Wireless Configuration Settings 192
Enable/Disable SSID Broadcasts 193
Change the SSID 193
Log Authentication Events 193
Change the Fragmentation Threshold 193
Change the RTS Threshold 195
About Wireless Security Settings 196
Set the Wireless Authentication Method 196
Use a RADIUS Server for Wireless Authentication 197
Use the XTMDevice as an Authentication Server for Wireless Authentication 198
Set the Encryption Level 200
Enable Wireless Connections to the Trusted or Optional Network 202
Enable a Wireless Guest Network 204
Enable a Wireless Hotspot 207
Configure User Timeout Settings 208
Customize the Hotspot Splash Screen 208
Connect to a Wireless Hotspot 210
See Wireless Hotspot Connections 211
Configure Your External Interface as a Wireless Interface 213
Configure the Primary External Interface as a Wireless Interface 213
Configure a BOVPN tunnel for additional security 215
About Wireless Radio Settings 216
Country is Set Automatically 217
Select the Band and Wireless Mode 218
Select the Channel 218
Configure the Wireless Card on Your Computer 219
Rogue Access Point Detection 219
Enable Rogue Access Point Detection 220
Add an XTMWireless Device as a Trusted Access Point 224
Find the Wireless MACAddress of a Trusted Access Point 228
Rogue Access Point Scan Results 228
x Fireware XTMWeb UI

User Guide xi
Dynamic Routing 231
About Dynamic Routing 231
Dynamic Routing Protocols 231
Monitor Dynamic Routing 231
About Routing Daemon Configuration Files 232
About Routing Information Protocol (RIP) 232
Routing Information Protocol (RIP) Commands 232
Configure the XTM Device to Use RIP v1 235
Configure the XTM Device to Use RIP v2 236
Sample RIP Routing Configuration File 237
About Open Shortest Path First (OSPF) Protocol 239
OSPF Commands 239
OSPF Interface Cost Table 242
Configure the XTM Device to Use OSPF 242
Sample OSPF Routing Configuration File 244
About Border Gateway Protocol (BGP) 247
BGP Commands 248
Configure the XTM Device to Use BGP 250
Sample BGP Routing Configuration File 251
Authentication 253
About User Authentication 253
User Authentication Steps 254
Manage Authenticated Users 255
Use Authentication to Restrict Incoming Traffic 256
Use Authentication Through a Gateway Firebox 257
About the WatchGuard Authentication (WG-Auth) Policy 258
Set Global Firewall Authentication Values 258
Set Global Authentication Timeouts 259
Allow Multiple Concurrent Logins 260
Limit Login Sessions 260
Automatically Redirect Users to the Authentication Portal 261
Specify the Default Authentication Server in the Authentication Portal 262
Use a Custom Default Start Page 263

Set Management Session Timeouts 263
About Single Sign-On (SSO) 264
The WatchGuard SSO Solution 264
Example Network Configurations for SSO 265
Before You Begin 267
Set Up SSO 268
Install the WatchGuard Single Sign-On (SSO) Agent 268
Configure the SSO Agent 270
Use Telnet to Debug the SSO Agent 277
Install the WatchGuard Single Sign-On (SSO) Client 280
Enable Single Sign-On (SSO) 281
Install and Configure the Terminal Services Agent 284
Install the Terminal Services Agent 285
Configure the Terminal Services Agent 286
Configure Terminal Services Settings 286
Authentication Server Types 288
About Third-Party Authentication Servers 288
Use a Backup Authentication Server 288
Configure Your XTM Device as an Authentication Server 289
Types of Firebox Authentication 289
Define a New User for Firebox Authentication 291
Define a New Group for Firebox Authentication 293
Configure RADIUS Server Authentication 294
Authentication Key 294
RADIUSAuthentication Methods 294
Before You Begin 294
Use RADIUSServer Authentication with Your XTM Device 294
How RADIUS Server Authentication Works 296
WPA and WPA2 Enterprise Authentication 299
Configure VASCO Server Authentication 299
Configure SecurID Authentication 302
Configure LDAP Authentication 304
About LDAP Optional Settings 306
xii Fireware XTMWeb UI

User Guide xiii
Configure Active Directory Authentication 307
Add an Active Directory Authentication Domain and Server 307
About Active Directory Optional Settings 311
Edit an Existing Active Directory Domain 311
Delete an Active Directory Domain 313
Find Your Active Directory Search Base 313
Change the Default Port for the Active Directory Server 314
Use Active Directory or LDAP Optional Settings 315
Before You Begin 315
Specify Active Directory or LDAP Optional Settings 315
Use a Local User Account for Authentication 320
Use Authorized Users and Groups in Policies 320
Define Users and Groups for Firebox Authentication 320
Define Users and Groups for Third-Party Authentication 320
Add Users and Groups to Policy Definitions 321
Policies 323
About Policies 323
Packet Filter and Proxy Policies 323
Add Policies to Your XTM device 324
About the Policies Pages 325
Add Policies to Your Configuration 327
Add a Policy from the List of Templates 327
Disable or Delete a Policy 329
About Aliases 330
Alias Members 330
Create an Alias 331
About Policy Precedence 335
Automatic Policy Order 335
Policy Specificity and Protocols 335
Traffic Rules 335
Firewall Actions 336
Schedules 336
Policy Types and Names 337

Set Precedence Manually 337
Create Schedules for XTM Device Actions 337
Set an Operating Schedule 337
About Custom Policies 338
Create or Edit a Custom Policy Template 339
About Policy Properties 341
Policy Tab 341
Properties Tab 341
Advanced Tab 342
Proxy Settings 342
Set Access Rules for a Policy 342
Configure Policy-Based Routing 344
Set a Custom Idle Timeout 347
Set ICMP Error Handling 347
Apply NAT Rules 347
Set the Sticky Connection Duration for a Policy 348
Proxy Settings 349
About Proxy Policies and ALGs 349
Proxy Configuration 350
Add a Proxy Policy to Your Configuration 350
About Proxy Actions 351
Set the Proxy Action in a Proxy Policy 351
Clone, Edit, or Delete Proxy Actions 352
Proxy and AV Alarms 356
About Rules and Rulesets 356
About Working with Rules and Rulesets 357
Configure Rulesets 357
Add, Change, or Delete Rules 357
Cut and Paste Rule Definitions 360
Change the Order of Rules 360
Change the Default Rule 360
About Regular Expressions 361
About the DNS-Proxy 365
xiv Fireware XTMWeb UI

User Guide xv

Action Settings 365

Policy Tab 365

Properties Tab 366

Advanced Tab 366

Configure the Proxy Action 366

DNS-Proxy: General Settings 367

DNS-Proxy: OPcodes 368

DNS-Proxy: Query Names 371

DNS-Proxy: Query Types 372

DNS-Proxy: Proxy Alarm 373

About MX (Mail eXchange) Records 374

About the FTP-Proxy 377

Action Settings 377

Policy Tab 377

Properties Tab 378

Advanced Tab 378

Configure the Proxy Action 378

FTP-Proxy: General Settings 379

FTP-Proxy: Commands 381

FTP-Proxy: Content 382

FTP-Proxy: Proxy and AV Alarms 382

About the H.323-ALG 384

VoIPComponents 384

ALGFunctions 384

Action Settings 385

Policy Tab 385

Properties Tab 385

Advanced Tab 385

Configure the Proxy Action 386

H.323-ALG: General Settings 387

H.323-ALG: Access Control 389

H.323-ALG: Denied Codecs 391

About the HTTP-Proxy 392

Action Settings 393

Policy Tab 393

Properties Tab 393

Advanced Tab 393

Configure the Proxy Action 394

HTTP Request: General Settings 394

HTTP Request: Request Methods 397

HTTP Request: URL Paths 398

HTTP Request: Header Fields 399

HTTP Request: Authorization 400

HTTP Response: General Settings 401

HTTP Response: Header Fields 402

HTTP Response: Content Types 403

HTTP Response: Cookies 405

HTTP Response: Body Content Types 405

HTTP-Proxy: Exceptions 406

HTTP-Proxy: Deny Message 408

HTTP-Proxy: Proxy and AV Alarms 409

Enable Windows Updates Through the HTTP-Proxy 410

Use a Caching Proxy Server 410

About the HTTPS-Proxy 412

Action Settings 412

Policy Tab 412

Properties Tab 413

Advanced Tab 413

Configure the Proxy Action 413

HTTPS-Proxy: General Settings 414

HTTPS-Proxy: Content Inspection 416

HTTPS-Proxy: Certificate Names 418

HTTPS-Proxy: Proxy Alarm 419

About the POP3-Proxy 420

Action Settings 420

Policy Tab 420

xvi Fireware XTMWeb UI

User Guide xvii

Properties Tab 421

Advanced Tab 421

Configure the Proxy Action 421

POP3-Proxy: General Settings 422

POP3-Proxy: Authentication 424

POP3-Proxy: Content Types 425

POP3-Proxy: Filenames 427

POP3-Proxy: Headers 428

POP3-Proxy: Deny Message 428

POP3-Proxy: Proxy and AV Alarms 429

About the SIP-ALG 431

VoIPComponents 431

Instant Messaging Support 431

ALGFunctions 432

Action Settings 432

Policy Tab 432

Properties Tab 432

Advanced Tab 433

Configure the Proxy Action 433

SIP-ALG: General Settings 434

SIP-ALG: Access Control 436

SIP-ALG: Denied Codecs 437

About the SMTP-Proxy 440

Action Settings 440

Policy Tab 440

Properties Tab 441

Advanced Tab 441

Configure the Proxy Action 441

SMTP-Proxy: General Settings 442

SMTP-Proxy: Greeting Rules 445

SMTP-Proxy: ESMTP Settings 446

SMTP-Proxy: TLS Encryption 448

SMTP-Proxy: Authentication 451

SMTP-Proxy: Content Types 453
SMTP-Proxy: Filenames 456
SMTP-Proxy: Mail From/Rcpt To 457
SMTP-Proxy: Headers 459
SMTP-Proxy: Deny Message 460
SMTP-Proxy: Proxy and AV Alarms 461
Configure the SMTP-Proxy to Quarantine Email 462
Protect Your SMTP Server from Email Relaying 463
About the TCP-UDP-Proxy 464
Action Settings 464
Policy Tab 464
Properties Tab 464
Advanced Tab 465
Configure the Proxy Action 465
TCP-UDP-Proxy: General Settings 465
Traffic Management and QoS 469
About Traffic Management and QoS 469
Enable Traffic Management and QoS 469
Guarantee Bandwidth 470
Restrict Bandwidth 471
QoS Marking 471
Traffic priority 471
Set Outgoing Interface Bandwidth 472
Set Connection Rate Limits 473
About QoS Marking 473
Before you begin 473
QoS markingfor interfaces and policies 474
QoS marking and IPSec traffic 474
Enable QoS Marking for an Interface 474
Enable QoS Marking or Prioritization Settings for a Policy 475
Traffic Control and Policy Definitions 477
Define a Traffic Management Action 477
Add a Traffic Management Action to a Policy 478
xviii Fireware XTMWeb UI

User Guide xix
Default Threat Protection 481
About Default Threat Protection 481
About Default Packet Handling Options 482
About Spoofing Attacks 483
About IP Source Route Attacks 484
About Port Space and Address Space Probes 484
About Flood Attacks 486
About Unhandled Packets 488
About Distributed Denial-of-Service Attacks 488
About Blocked Sites 490
Permanently Blocked Sites 490
Auto-Blocked Sites/Temporary Blocked Sites List 490
Blocked Site Exceptions 490
See and Edit the Sites on the Blocked Sites List 490
Block a Site Permanently 491
Create Blocked Site Exceptions 491
Block Sites Temporarily with Policy Settings 492
Change the Duration that Sites are Auto-Blocked 493
About Blocked Ports 493
Default Blocked Ports 494
Block a Port 495
Logging and Notification 497
About Logging, Log Files, and Notification 497
About Log Messages 497
Log Servers 497
Logging and Notification in Applications and Servers 498
System Status Syslog 498
Types of Log Messages 499
Send Log Messages to a WatchGuard Log Server 500
Add, Edit, or Change the Priority of Log Servers 500
Send Log Information to a Syslog Host 501
Configure Logging Settings 503
Set the Diagnostic Log Level 504