Watchguard Fireware XTM Web UI User guide

Fireware XTM Web UI 11.5.1 User Guide
WatchGuard XTM Devices
ii Fireware XTMWeb UI
About this User Guide
The Fireware XTM Web UI User Guide is updated with each major product release. For minor product releases, only the Fireware XTM Web UI Help system is updated. The Help system also includes specific, task-based implementation examples that are not available in the User Guide. For the most recent product documentation, see the Fireware XTM Web UI Help on the WatchGuard web site at: http://www.watchguard.com/help/documentation/.

Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.
Guide revised: 12/2/2011
Copyright, Trademark, and Patent Information
Copyright © 1998–2011 WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade names mentioned herein, if any, are the property of their respective owners.
Complete copyright, trademark, patent, and licensing information can be found in the Copyright and Licensing Guide, available online at: http://www.watchguard.com/help/documentation/
Note: This product is for indoor use only.
About WatchGuard
WatchGuard offers affordable, all-in-one network and content security solutions that provide defense-in-depth and help meet regulatory compliance requirements. The WatchGuard XTM line combines firewall, VPN, GAV, IPS, spam blocking and URL filtering to protect your network from spam, viruses, malware, and intrusions. The new XCS line offers email and web content security combined with data loss prevention. WatchGuard extensible solutions scale to offer right-sized security ranging from small businesses to enterprises with 10,000+ employees.

WatchGuard builds simple, reliable, and robust security appliances featuring fast implementation and comprehensive management and reporting tools. Enterprises throughout the world rely on our signature red boxes to maximize security without sacrificing efficiency and productivity.

For more information, please call 206.613.6600 or visit www.watchguard.com.
Address
505 Fifth Avenue South
Suite 500
Seattle, WA 98104
Support
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575
Sales
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895
Table of Contents
Introduction to Network Security 1
About Networks and Network Security 1
About Internet Connections 1
About Protocols 2
About IP Addresses 3
IPv4 Addresses 3
IPv6 Addresses 4
About Slash Notation 5
About Entering Addresses 6
Static and Dynamic IP Addresses 6
About DNS (Domain Name System) 7
About Firewalls 8
About Services and Policies 9
About Ports 10
The XTM Device and Your Network 10
Introduction to Fireware XTM 13
About Fireware XTM 13
Fireware XTM Components 14
WatchGuard System Manager 14
WatchGuard Server Center 15
Fireware XTM Web UI and Command Line Interface 16
Fireware XTMwith a Pro Upgrade 17
Fireware XTM on an XTMv Device 17
XTMv Device Limitations 18
XTMv Device Installation 18
FIPS Support in Fireware XTM 18
About FIPSMode 18
FIPS Mode Operation and Constraints 19
Service and Support 21
About WatchGuard Support 21
LiveSecurity Service 21
LiveSecurity Service Gold 22
Service Expiration 23
Getting Started 25
Before You Begin 25
Verify Basic Components 25
Get an XTM Device Feature Key 26
Gather Network Addresses 26
Select a Firewall Configuration Mode 27
About the Quick Setup Wizard 28
Run the Web Setup Wizard 29
Connect to Fireware XTMWeb UI 32
Connect to Fireware XTMWeb UI from an External Network 33
About Fireware XTMWeb UI 33
Limitations of Fireware XTM Web UI 34
Complete Your Installation 36
Customize Your Security Policy 36
About LiveSecurity Service 36
Additional Installation Topics 37
Connect to an XTM Device with Firefox v3 37
Identify Your Network Settings 38
Set Your Computer to Connect to Your XTM Device 41
Disable the HTTP Proxy in the Browser 42
Configuration and Management Basics 45
About Basic Configuration and Management Tasks 45
Make a Backup of the XTM Device Image 45
Restore an XTM Device Backup Image 46
Use a USB Drive for System Backup and Restore 47
About the USB Drive 47
Save a Backup Image to a Connected USB Drive 47
Restore a Backup Image from a Connected USB Drive 47
Automatically Restore a Backup Image from a USB Drive 48
USB Drive Directory Structure 51
Save a Backup Image to a USB Drive Connected to Your Computer 52
iv Fireware XTMWeb UI
User Guide v
Use a USBDrive to Save a Support Snapshot 52
Reset an XTM Device to a Previous or New Configuration 54
Start an XTM Device in Safe Mode 54
Reset an XTM 2 Series Device to Factory-Default Settings 54
Reset an XTMv Device to Factory Default Settings 55
Run the Quick Setup Wizard 55
About Factory-Default Settings 55
About Feature Keys 57
When You Purchase a New Feature 57
See Features Available with the Current Feature Key 57
Get a Feature Key from LiveSecurity 58
Add a Feature Key to Your XTM Device 60
Restart Your XTM Device 62
Restart the XTM Device Locally 62
Restart the XTM Device Remotely 62
Enable NTP and Add NTP Servers 62
Set the Time Zone and Basic Device Properties 64
About SNMP 65
SNMP Polls and Traps 65
Enable SNMP Polling 66
Enable SNMP Management Stations and Traps 67
About Management Information Bases (MIBs) 69
About WatchGuard Passphrases, Encryption Keys, and Shared Keys 70
Create a Secure Passphrase, Encryption Key, or Shared Key 70
XTM Device Passphrases 71
User Passphrases 71
Server Passphrases 71
Encryption Keys and Shared Keys 72
Change XTM Device Passphrases 73
Define XTM Device Global Settings 74
Define ICMP Error Handling Global Settings 75
Configure TCP Settings 76
Enable or Disable Traffic Management and QoS 76
Change the Web UI Port 76
Enable the External Console on a Firebox X Edge e-Series Device 77
Automatic Reboot 77
About WatchGuard Servers 77
Manage an XTM Device From a Remote Location 79
Configure an XTM Device as a Managed Device 81
Edit the WatchGuard Policy 81
Set Up the Managed Device 82
Upgrade to a New Version of Fireware XTM 83
Install the Upgrade on Your Management Computer 83
Upgrade the XTM Device 84
Download the Configuration File 84
About Upgrade Options 85
Subscription Services Upgrades 85
Appliance and Software Upgrades 85
How to Apply an Upgrade 86
About Subscription Services Expiration 86
Subscription Renewal Reminders 86
Feature Key Compliance 87
Security Service Expiration Behavior 87
Gateway AntiVirus 87
Intrusion Prevention Service (IPS) 87
WebBlocker 88
spamBlocker 88
Reputation Enabled Defense 88
Application Control 88
LiveSecurity Service 89
Synchronize Subscription Renewals 89
Renew Subscription Services 89
Subscription Services Status and Manual Signatures Updates 89
Network Setup and Configuration 91
About Network Interface Setup 91
Network Modes 92
vi Fireware XTMWeb UI
User Guide vii
Interface Types 93
About IPv6 Support 93
Mixed Routing Mode 94
Configure an External Interface 95
Enable IPv6 for an External Interface 98
Enable IPv6 for a Trusted or Optional Interface 100
Configure DHCP in Mixed Routing Mode 103
About the Dynamic DNS Service 106
Configure Dynamic DNS 107
Drop-In Mode 108
Use Drop-In Mode for Network Interface Configuration 109
Configure Related Hosts 109
Configure DHCP in Drop-In Mode 111
Bridge Mode 114
Common Interface Settings 116
Disable an Interface 117
Configure DHCPRelay 117
Restrict Network Traffic by MAC Address 117
Add WINS and DNS Server Addresses 118
Configure a Secondary Network 119
About Advanced Interface Settings 121
Network Interface Card (NIC)Settings 121
Set DF Bit for IPSec 123
PMTU Setting for IPSec 123
Use Static MAC Address Binding 124
Find the MAC Address of a Computer 125
About LAN Bridges 125
Create a Network Bridge Configuration 125
Assign a Network Interface to a Bridge 128
About Routing 128
Add a Static Route 128
About Virtual Local Area Networks (VLANs) 129
VLAN Requirements and Restrictions 130
About Tagging 130
About VLANIDNumbers 131
Define a New VLAN 131
Assign Interfaces to a VLAN 134
Network Setup Examples 135
Configure Two VLANs on the Same Interface 135
Configure One VLAN Bridged Across Two Interfaces 139
Use Your XTM Device with the 3G Extend Wireless Bridge 143
Multi-WAN 145
About Using Multiple External Interfaces 145
Multi-WAN Requirements and Conditions 145
Multi-WAN and DNS 146
About Multi-WAN Options 146
Round-Robin Order 146
Failover 147
Interface Overflow 147
Routing Table 148
Serial Modem (XTM2 Series only) 148
Configure Round-Robin 149
Before You Begin 149
Configure the Interfaces 149
Find How to Assign Weights to Interfaces 150
Configure Failover 150
Before You Begin 150
Configure the Interfaces 150
Configure Interface Overflow 152
Before You Begin 152
Configure the Interfaces 152
Configure Routing Table 153
Before You Begin 153
Routing Table mode and load balancing 153
Configure the Interfaces 153
About the XTM Device Route Table 154
viii Fireware XTMWeb UI
User Guide ix
When to Use Multi-WAN Methods and Routing 154
Serial Modem Failover 155
Enable Serial Modem Failover 155
Account Settings 156
DNS Settings 156
Dial-up Settings 157
Advanced Settings 157
Link Monitor Settings 158
About Advanced Multi-WAN Settings 159
Set a Global Sticky Connection Duration 159
Set the Failback Action 160
About WAN Interface Status 160
Time Needed for the XTM Device to Update its Route Table 161
Define a Link Monitor Host 161
Network Address Translation (NAT) 163
About Network Address Translation 163
Types of NAT 164
About Dynamic NAT 164
Add Firewall Dynamic NAT Entries 165
Configure Policy-Based Dynamic NAT 167
About 1-to-1 NAT 169
About 1-to-1 NAT and VPNs 170
Configure Firewall 1-to-1 NAT 170
Configure Policy-Based 1-to-1 NAT 173
Configure NAT Loopback with Static NAT 174
Add a Policy for NATLoopback to the Server 175
NAT Loopback and 1-to-1 NAT 176
About SNAT 179
Configure Static NAT 179
Configure Server Load Balancing 182
1-to-1 NAT Example 187
Wireless Setup 189
About Wireless Configuration 189
About Wireless Access Point Configuration 190
Before You Begin 191
About Wireless Configuration Settings 192
Enable/Disable SSID Broadcasts 193
Change the SSID 193
Log Authentication Events 193
Change the Fragmentation Threshold 193
Change the RTS Threshold 195
About Wireless Security Settings 196
Set the Wireless Authentication Method 196
Use a RADIUS Server for Wireless Authentication 197
Use the XTMDevice as an Authentication Server for Wireless Authentication 198
Set the Encryption Level 200
Enable Wireless Connections to the Trusted or Optional Network 202
Enable a Wireless Guest Network 204
Enable a Wireless Hotspot 207
Configure User Timeout Settings 208
Customize the Hotspot Splash Screen 208
Connect to a Wireless Hotspot 210
See Wireless Hotspot Connections 211
Configure Your External Interface as a Wireless Interface 213
Configure the Primary External Interface as a Wireless Interface 213
Configure a BOVPN tunnel for additional security 215
About Wireless Radio Settings 216
Country is Set Automatically 217
Select the Band and Wireless Mode 218
Select the Channel 218
Configure the Wireless Card on Your Computer 219
Rogue Access Point Detection 219
Enable Rogue Access Point Detection 220
Add an XTMWireless Device as a Trusted Access Point 224
Find the Wireless MACAddress of a Trusted Access Point 228
Rogue Access Point Scan Results 228
x Fireware XTMWeb UI
User Guide xi
Dynamic Routing 231
About Dynamic Routing 231
Dynamic Routing Protocols 231
Monitor Dynamic Routing 231
About Routing Daemon Configuration Files 232
About Routing Information Protocol (RIP) 232
Routing Information Protocol (RIP) Commands 232
Configure the XTM Device to Use RIP v1 235
Configure the XTM Device to Use RIP v2 236
Sample RIP Routing Configuration File 237
About Open Shortest Path First (OSPF) Protocol 239
OSPF Commands 239
OSPF Interface Cost Table 242
Configure the XTM Device to Use OSPF 242
Sample OSPF Routing Configuration File 244
About Border Gateway Protocol (BGP) 247
BGP Commands 248
Configure the XTM Device to Use BGP 250
Sample BGP Routing Configuration File 251
Authentication 253
About User Authentication 253
User Authentication Steps 254
Manage Authenticated Users 255
Use Authentication to Restrict Incoming Traffic 256
Use Authentication Through a Gateway Firebox 257
About the WatchGuard Authentication (WG-Auth) Policy 258
Set Global Firewall Authentication Values 258
Set Global Authentication Timeouts 259
Allow Multiple Concurrent Logins 260
Limit Login Sessions 260
Automatically Redirect Users to the Authentication Portal 261
Specify the Default Authentication Server in the Authentication Portal 262
Use a Custom Default Start Page 263
Set Management Session Timeouts 263
About Single Sign-On (SSO) 264
The WatchGuard SSO Solution 264
Example Network Configurations for SSO 265
Before You Begin 267
Set Up SSO 268
Install the WatchGuard Single Sign-On (SSO) Agent 268
Configure the SSO Agent 270
Use Telnet to Debug the SSO Agent 277
Install the WatchGuard Single Sign-On (SSO) Client 280
Enable Single Sign-On (SSO) 281
Install and Configure the Terminal Services Agent 284
Install the Terminal Services Agent 285
Configure the Terminal Services Agent 286
Configure Terminal Services Settings 286
Authentication Server Types 288
About Third-Party Authentication Servers 288
Use a Backup Authentication Server 288
Configure Your XTM Device as an Authentication Server 289
Types of Firebox Authentication 289
Define a New User for Firebox Authentication 291
Define a New Group for Firebox Authentication 293
Configure RADIUS Server Authentication 294
Authentication Key 294
RADIUSAuthentication Methods 294
Before You Begin 294
Use RADIUSServer Authentication with Your XTM Device 294
How RADIUS Server Authentication Works 296
WPA and WPA2 Enterprise Authentication 299
Configure VASCO Server Authentication 299
Configure SecurID Authentication 302
Configure LDAP Authentication 304
About LDAP Optional Settings 306
xii Fireware XTMWeb UI
User Guide xiii
Configure Active Directory Authentication 307
Add an Active Directory Authentication Domain and Server 307
About Active Directory Optional Settings 311
Edit an Existing Active Directory Domain 311
Delete an Active Directory Domain 313
Find Your Active Directory Search Base 313
Change the Default Port for the Active Directory Server 314
Use Active Directory or LDAP Optional Settings 315
Before You Begin 315
Specify Active Directory or LDAP Optional Settings 315
Use a Local User Account for Authentication 320
Use Authorized Users and Groups in Policies 320
Define Users and Groups for Firebox Authentication 320
Define Users and Groups for Third-Party Authentication 320
Add Users and Groups to Policy Definitions 321
Policies 323
About Policies 323
Packet Filter and Proxy Policies 323
Add Policies to Your XTM device 324
About the Policies Pages 325
Add Policies to Your Configuration 327
Add a Policy from the List of Templates 327
Disable or Delete a Policy 329
About Aliases 330
Alias Members 330
Create an Alias 331
About Policy Precedence 335
Automatic Policy Order 335
Policy Specificity and Protocols 335
Traffic Rules 335
Firewall Actions 336
Schedules 336
Policy Types and Names 337
Set Precedence Manually 337
Create Schedules for XTM Device Actions 337
Set an Operating Schedule 337
About Custom Policies 338
Create or Edit a Custom Policy Template 339
About Policy Properties 341
Policy Tab 341
Properties Tab 341
Advanced Tab 342
Proxy Settings 342
Set Access Rules for a Policy 342
Configure Policy-Based Routing 344
Set a Custom Idle Timeout 347
Set ICMP Error Handling 347
Apply NAT Rules 347
Set the Sticky Connection Duration for a Policy 348
Proxy Settings 349
About Proxy Policies and ALGs 349
Proxy Configuration 350
Add a Proxy Policy to Your Configuration 350
About Proxy Actions 351
Set the Proxy Action in a Proxy Policy 351
Clone, Edit, or Delete Proxy Actions 352
Proxy and AV Alarms 356
About Rules and Rulesets 356
About Working with Rules and Rulesets 357
Configure Rulesets 357
Add, Change, or Delete Rules 357
Cut and Paste Rule Definitions 360
Change the Order of Rules 360
Change the Default Rule 360
About Regular Expressions 361
About the DNS-Proxy 365
xiv Fireware XTMWeb UI
User Guide xv
Action Settings 365
Policy Tab 365
Properties Tab 366
Advanced Tab 366
Configure the Proxy Action 366
DNS-Proxy: General Settings 367
DNS-Proxy: OPcodes 368
DNS-Proxy: Query Names 371
DNS-Proxy: Query Types 372
DNS-Proxy: Proxy Alarm 373
About MX (Mail eXchange) Records 374
About the FTP-Proxy 377
Action Settings 377
Policy Tab 377
Properties Tab 378
Advanced Tab 378
Configure the Proxy Action 378
FTP-Proxy: General Settings 379
FTP-Proxy: Commands 381
FTP-Proxy: Content 382
FTP-Proxy: Proxy and AV Alarms 382
About the H.323-ALG 384
VoIPComponents 384
ALGFunctions 384
Action Settings 385
Policy Tab 385
Properties Tab 385
Advanced Tab 385
Configure the Proxy Action 386
H.323-ALG: General Settings 387
H.323-ALG: Access Control 389
H.323-ALG: Denied Codecs 391
About the HTTP-Proxy 392
Action Settings 393
Policy Tab 393
Properties Tab 393
Advanced Tab 393
Configure the Proxy Action 394
HTTP Request: General Settings 394
HTTP Request: Request Methods 397
HTTP Request: URL Paths 398
HTTP Request: Header Fields 399
HTTP Request: Authorization 400
HTTP Response: General Settings 401
HTTP Response: Header Fields 402
HTTP Response: Content Types 403
HTTP Response: Cookies 405
HTTP Response: Body Content Types 405
HTTP-Proxy: Exceptions 406
HTTP-Proxy: Deny Message 408
HTTP-Proxy: Proxy and AV Alarms 409
Enable Windows Updates Through the HTTP-Proxy 410
Use a Caching Proxy Server 410
About the HTTPS-Proxy 412
Action Settings 412
Policy Tab 412
Properties Tab 413
Advanced Tab 413
Configure the Proxy Action 413
HTTPS-Proxy: General Settings 414
HTTPS-Proxy: Content Inspection 416
HTTPS-Proxy: Certificate Names 418
HTTPS-Proxy: Proxy Alarm 419
About the POP3-Proxy 420
Action Settings 420
Policy Tab 420
xvi Fireware XTMWeb UI
User Guide xvii
Properties Tab 421
Advanced Tab 421
Configure the Proxy Action 421
POP3-Proxy: General Settings 422
POP3-Proxy: Authentication 424
POP3-Proxy: Content Types 425
POP3-Proxy: Filenames 427
POP3-Proxy: Headers 428
POP3-Proxy: Deny Message 428
POP3-Proxy: Proxy and AV Alarms 429
About the SIP-ALG 431
VoIPComponents 431
Instant Messaging Support 431
ALGFunctions 432
Action Settings 432
Policy Tab 432
Properties Tab 432
Advanced Tab 433
Configure the Proxy Action 433
SIP-ALG: General Settings 434
SIP-ALG: Access Control 436
SIP-ALG: Denied Codecs 437
About the SMTP-Proxy 440
Action Settings 440
Policy Tab 440
Properties Tab 441
Advanced Tab 441
Configure the Proxy Action 441
SMTP-Proxy: General Settings 442
SMTP-Proxy: Greeting Rules 445
SMTP-Proxy: ESMTP Settings 446
SMTP-Proxy: TLS Encryption 448
SMTP-Proxy: Authentication 451
SMTP-Proxy: Content Types 453
SMTP-Proxy: Filenames 456
SMTP-Proxy: Mail From/Rcpt To 457
SMTP-Proxy: Headers 459
SMTP-Proxy: Deny Message 460
SMTP-Proxy: Proxy and AV Alarms 461
Configure the SMTP-Proxy to Quarantine Email 462
Protect Your SMTP Server from Email Relaying 463
About the TCP-UDP-Proxy 464
Action Settings 464
Policy Tab 464
Properties Tab 464
Advanced Tab 465
Configure the Proxy Action 465
TCP-UDP-Proxy: General Settings 465
Traffic Management and QoS 469
About Traffic Management and QoS 469
Enable Traffic Management and QoS 469
Guarantee Bandwidth 470
Restrict Bandwidth 471
QoS Marking 471
Traffic priority 471
Set Outgoing Interface Bandwidth 472
Set Connection Rate Limits 473
About QoS Marking 473
Before you begin 473
QoS markingfor interfaces and policies 474
QoS marking and IPSec traffic 474
Enable QoS Marking for an Interface 474
Enable QoS Marking or Prioritization Settings for a Policy 475
Traffic Control and Policy Definitions 477
Define a Traffic Management Action 477
Add a Traffic Management Action to a Policy 478
xviii Fireware XTMWeb UI
User Guide xix
Default Threat Protection 481
About Default Threat Protection 481
About Default Packet Handling Options 482
About Spoofing Attacks 483
About IP Source Route Attacks 484
About Port Space and Address Space Probes 484
About Flood Attacks 486
About Unhandled Packets 488
About Distributed Denial-of-Service Attacks 488
About Blocked Sites 490
Permanently Blocked Sites 490
Auto-Blocked Sites/Temporary Blocked Sites List 490
Blocked Site Exceptions 490
See and Edit the Sites on the Blocked Sites List 490
Block a Site Permanently 491
Create Blocked Site Exceptions 491
Block Sites Temporarily with Policy Settings 492
Change the Duration that Sites are Auto-Blocked 493
About Blocked Ports 493
Default Blocked Ports 494
Block a Port 495
Logging and Notification 497
About Logging, Log Files, and Notification 497
About Log Messages 497
Log Servers 497
Logging and Notification in Applications and Servers 498
System Status Syslog 498
Types of Log Messages 499
Send Log Messages to a WatchGuard Log Server 500
Add, Edit, or Change the Priority of Log Servers 500
Send Log Information to a Syslog Host 501
Configure Logging Settings 503
Set the Diagnostic Log Level 504
Configure Logging and Notification for a Policy 506
Set Logging and Notification Preferences 507
Use Syslog to See Log Message Data 508
View, Sort, and Filter Log Message Data 508
Refresh Log Message Data 510
Monitor Your Device 511
About the Dashboard and System Status Pages 511
The Dashboard 511
System Status Pages 513
ARP Table 514
Authentication List 515
Bandwidth Meter 516
Blocked Sites 516
Add or Edit Temporary Blocked Sites 517
Checksum 518
Connections 518
Components List 518
CPUUsage 518
DHCP Leases 519
Diagnostics 519
Run a Basic Diagnostics Command 520
Use Command Arguments 520
Dynamic DNS 521
Feature Key 522
When You Purchase a New Feature 522
See Features Available with the Current Feature Key 522
Interfaces 523
Release or Renew a DHCP Lease 524
LiveSecurity 525
Memory 525
Processes 526
Routes 526
Syslog 527
xx Fireware XTMWeb UI
/