Watchguard Fireware XTM Web UI User guide

Fireware XTM

Web UI

v11.0 User Guide

WatchGuard XTM 1050

Firebox X Peak e-Series

Firebox X Core e-Series

Firebox X Edge e-Series

ii Fireware XTM Web UI

ADDRESS

505 Fifth Avenue South

Suite 500

Seattle, WA 98104

SUPPORT

www.watchguard.com/support

U.S. and Canada +877.232.3531

All Other Countries +1.206.521.3575

SALES

U.S. and Canada +1.800.734.9905

All Other Countries +1.206.613.0895

ABOUT WATCHGUARD

Since 1996, WatchGuard has been building award-winning unified threat management

(UTM) network security solutions that combine firewall, VPN and security services to

protect networks and the businesses they power. We recently launched the next

generation: extensible threat management (XTM) solutions featuring reliable, all-in-

one security, scaled and priced to meet the unique security needs of every sized

enterprises. Our products are backed by 15,000 partners representing WatchGuard in

120 countries. More than a half million signature red WatchGuard security appliances

have already been deployed worldwide in industries including retail, education, and

healthcare. WatchGuard is headquartered in Seattle, Washington, with offices

throughout North America, Europe, Asia Pacific, and Latin America.

For more information, please call 206.613.6600 or visit www.watchguard.com

.

Notice to Users

Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are

fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means,

electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

Guide revision: 08/03/2009

Copyright, Trademark, and Patent Information

herein, if any, are the property of their respective owners.

Complete copyright, trademark, patent, and licensing information can be found in the Copyright and Licensing Guide,

available online:

http://www.watchguard.com/help/documentation/

Abbreviations Used in this Guide

This product is for indoor use only.

3DES Triple Data Encryption

Standard

IPSec Internet Protocol

Security

SSL Secure Sockets

Layer

BOVPN Branch Office Virtual

Private Network

ISP Internet Service

Provider

TCP Transfer Control

Protocol

DES Data Encryption

Standard

MAC Media Access Control UDP User Datagram

Protocol

DNS Domain Name Service NAT Network Address

Translation

URL Uniform Resource

Locator

DHCP Dynamic Host

Configuration Protocol

PPP Point-to-Point Protocol VPN Virtual Private

Network

DSL Digital Subscriber Line PPTP Point-to-Point

Tunneling Protocol

WAN Wide Area Network

IP Internet Protocol PPPoE Point-to-Point Protocol

over Ethernet

WSM WatchGuard

System Manager

User Guide iii

Table of Contents

Chapter 1 Introduction to Network Security ............................................................................................ 1

About networks and network security .......................................................................................................... 1

About Internet connections.......................................................................................................................... 1

How information travels on the Internet ................................................................................................. 2

About protocols................................................................................................................................................. 2

Private addresses and gateways ................................................................................................................. 3

About subnet masks ........................................................................................................................................ 3

About slash notation ....................................................................................................................................... 3

About entering IP addresses......................................................................................................................... 4

Static and dynamic IP addresses ................................................................................................................. 4

Static IP addresses ....................................................................................................................................... 4

Dynamic IP addresses................................................................................................................................. 4

About DHCP............................................................................................................................................................. 5

About PPPoE............................................................................................................................................................ 5

About DNS (Domain Name System) ............................................................................................................... 5

About firewalls........................................................................................................................................................ 6

About services and policies ............................................................................................................................... 7

About ports.............................................................................................................................................................. 8

Chapter 2 Introduction to Fireware XTM ................................................................................................ 11

Introduction to Fireware XTM ......................................................................................................................... 11

WatchGuard System Manager ................................................................................................................... 12

WatchGuard Server Center.......................................................................................................................... 13

Fireware XTM Web UI and Command Line Interface......................................................................... 13

Fireware XTM with a Pro Upgrade................................................................................................................. 14

Chapter 3 Service and Support ................................................................................................................ 15

About WatchGuard Support............................................................................................................................ 15

LiveSecurity Service................................................................................................................................... 15

LiveSecurity Service Gold........................................................................................................................ 16

Service expiration ...................................................................................................................................... 16

iv Fireware XTM Web UI

Chapter 4 Getting Started ........................................................................................................................ 17

Before you begin.................................................................................................................................................. 17

Verify basic components ......................................................................................................................... 17

Get a WatchGuard device feature key................................................................................................ 17

Gather network addresses...................................................................................................................... 18

Select a firewall configuration mode.................................................................................................. 19

Run the Web Setup Wizard.......................................................................................................................... 20

Start the Web Setup Wizard ................................................................................................................... 20

After the wizard finishes.......................................................................................................................... 22

If you have problems with the wizard ................................................................................................ 22

Connect to Fireware XTM Web UI.................................................................................................................. 23

Customize your security policy ............................................................................................................. 26

About LiveSecurity Service..................................................................................................................... 26

Additional installation topics .......................................................................................................................... 27

Connect to a Firebox with Firefox v3....................................................................................................... 27

Add a certificate exception to Mozilla Firefox v3 ........................................................................... 27

Identify your network settings................................................................................................................... 28

Network Addressing Requirements .................................................................................................... 28

Find your TCP/IP properties on Microsoft Windows Vista .......................................................... 29

Find your TCP/IP properties on Microsoft Windows 2000, Windows 2003, and Windows XP

29

Find your TCP/IP properties on Microsoft Windows NT............................................................... 29

Find your TCP/IP properties on Macintosh OS 9............................................................................. 29

Find your TCP/IP properties on other operating systems (Unix, Linux) ................................. 30

Find PPPoE settings................................................................................................................................... 30

Set your computer to connect to your WatchGuard device ........................................................... 30

Use DHCP ...................................................................................................................................................... 30

Use a static IP address .............................................................................................................................. 31

Disable the HTTP proxy in the browser................................................................................................... 32

Disable the HTTP proxy in Internet Explorer 6.x or 7.x ................................................................. 32

Disable the HTTP proxy in Firefox 2.x ................................................................................................. 32

Disable the HTTP proxy in Safari 2.0.................................................................................................... 32

Chapter 5 Configuration and Management Basics ................................................................................ 33

About basic configuration and management tasks................................................................................ 33

Restore a Firebox backup image.................................................................................................................... 34

Reset a Firebox to a previous or new configuration ............................................................................... 35

Start a Firebox X Core or Peak e-Series, or a WatchGuard XTM device in safe mode........ 35

Run the Quick Setup Wizard .................................................................................................................. 36

About feature keys .............................................................................................................................................. 38

When you purchase a new feature...................................................................................................... 38

See features available with the current feature key ...................................................................... 38

Activate the license key for a feature....................................................................................................... 39

Add a feature key to your Firebox ............................................................................................................ 41

Remove a feature key.................................................................................................................................... 42

Restart your Firebox............................................................................................................................................ 42

Restart the Firebox locally............................................................................................................................ 42

Reboot from Fireware XTM Web UI.......................................................................................................... 42

Power cycle ....................................................................................................................................................... 42

Restart the Firebox remotely ...................................................................................................................... 42

Set the time zone and basic device properties......................................................................................... 43

User Guide v

About SNMP .......................................................................................................................................................... 44

SNMP polls and traps..................................................................................................................................... 44

Enable SNMP polling ..................................................................................................................................... 46

Enable SNMP management stations and traps.................................................................................... 47

Configure SNMP Management Stations................................................................................................. 48

Send an SNMP trap for a policy.................................................................................................................. 49

Create a secure passphrase, encryption key, or shared key ....................................................... 50

Firebox Passphrases.................................................................................................................................. 50

User Passphrases........................................................................................................................................ 50

Server Passphrases .................................................................................................................................... 51

Encryption Keys and Shared Keys ........................................................................................................ 51

Enable TCP SYN checking ....................................................................................................................... 54

Enable or disable Traffic Management and QoS ............................................................................ 55

Change the Web UI port.......................................................................................................................... 55

Automatic Reboot...................................................................................................................................... 55

External Console......................................................................................................................................... 55

Edit the WatchGuard policy ................................................................................................................... 60

Set up the Managed Device................................................................................................................... 61

Upgrade to a new version of Fireware XTM............................................................................................... 62

Install the upgrade on your management computer................................................................... 62

Upgrade the Firebox................................................................................................................................. 62

Subscription Services upgrades............................................................................................................ 63

Appliance and software upgrades....................................................................................................... 63

How to apply an upgrade ....................................................................................................................... 63

Chapter 6 Network Setup and Configuration ......................................................................................... 65

About network interface setup....................................................................................................................... 65

Network modes ............................................................................................................................................... 65

Interface types.................................................................................................................................................. 66

Mixed Routing Mode.......................................................................................................................................... 67

Configure an external interface................................................................................................................. 67

Use a static IP address ................................................................................................................................... 67

Use PPPoE authentication ........................................................................................................................... 68

Configure DHCP in mixed routing mode ............................................................................................... 70

About the Dynamic DNS service ............................................................................................................... 72

About network configuration in drop-in mode........................................................................................ 74

Use drop-in mode for network interface configuration ................................................................... 74

Use DHCP ...................................................................................................................................................... 76

Use DHCP relay ........................................................................................................................................... 77

Specify DHCP settings for a single interface ......................................................................................... 77

Disable an interface........................................................................................................................................ 81

Configure DHCP Relay................................................................................................................................... 81

Set DF bit for IPSec ......................................................................................................................................... 86

PMTU Setting for IPSec ................................................................................................................................. 87

Use static MAC address binding................................................................................................................ 87

About LAN bridges.............................................................................................................................................. 88

Create a network bridge configuration .................................................................................................. 88

Assign a network interface to a bridge ................................................................................................... 89

Add a static route............................................................................................................................................ 90

vi Fireware XTM Web UI

About virtual local area networks (VLANs)................................................................................................. 91

About tagging.................................................................................................................................................. 92

Use DHCP on a VLAN ..................................................................................................................................... 94

Use DHCP relay on a VLAN .......................................................................................................................... 94

Assign interfaces to a VLAN......................................................................................................................... 94

Chapter 7 Multi-WAN ............................................................................................................................... 95

About using multiple external interfaces ................................................................................................... 95

Multi-WAN requirements and conditions.............................................................................................. 95

Multi-WAN and DNS....................................................................................................................................... 96

About multi-WAN options................................................................................................................................ 96

Round-robin order.......................................................................................................................................... 96

Interface overflow........................................................................................................................................... 97

Routing table.................................................................................................................................................... 97

Serial modem (Firebox X Edge only)........................................................................................................ 97

Before You Begin............................................................................................................................................. 98

Configure the interfaces............................................................................................................................... 98

Before You Begin.......................................................................................................................................... 100

Configure the interfaces............................................................................................................................ 100

Before You Begin.......................................................................................................................................... 101

Configure the interfaces............................................................................................................................ 101

Before you begin.......................................................................................................................................... 102

Routing Table mode and load balancing............................................................................................ 102

Configure the interfaces............................................................................................................................ 102

When to use Multi-WAN methods and routing ................................................................................ 103

When to use the Routing Table method ........................................................................................ 103

When to use the Round-Robin method.......................................................................................... 103

About advanced multi-WAN settings ....................................................................................................... 104

Set a global sticky connection duration .............................................................................................. 104

Set the failback action ................................................................................................................................ 105

Serial modem failover ..................................................................................................................................... 105

Enable serial modem failover .................................................................................................................. 105

Account settings...................................................................................................................................... 106

DNS settings.............................................................................................................................................. 106

Dial-up settings........................................................................................................................................ 107

Link Monitor settings............................................................................................................................. 107

Time needed for the Firebox to update its route table.................................................................. 109

Define a link monitor host ........................................................................................................................ 109

Chapter 8 Network Address Translation (NAT) .................................................................................... 111

About Network Address Translation (NAT) ............................................................................................. 111

Add firewall dynamic NAT entries ......................................................................................................... 113

Delete a dynamic NAT entry .................................................................................................................... 114

Reorder dynamic NAT entries.................................................................................................................. 114

Configure policy-based dynamic NAT.................................................................................................. 115

Disable policy-based dynamic NAT....................................................................................................... 116

About 1-to-1 NAT and VPNs................................................................................................................ 117

Configure firewall 1-to-1 NAT.................................................................................................................. 118

Define a 1-to-1 NAT rule ............................................................................................................................ 119

Configure policy-based 1-to-1 NAT....................................................................................................... 120

Enable policy-based 1-to-1 NAT ............................................................................................................. 120

Disable policy-based 1-to-1 NAT............................................................................................................ 120

Configure NAT loopback with static NAT ................................................................................................ 121

Configure server load balancing................................................................................................................. 127

User Guide vii

Chapter 9 Wireless Setup ....................................................................................................................... 129

About wireless configuration....................................................................................................................... 129

Enable/disable SSID broadcasts ............................................................................................................. 133

Change the SSID........................................................................................................................................... 134

Log authentication events........................................................................................................................ 134

Change the fragmentation threshold .................................................................................................. 134

When to change the default fragmentation threshold.................................................................. 134

Change the fragmentation threshold .................................................................................................. 135

Change the RTS threshold ........................................................................................................................ 135

About wireless security settings.................................................................................................................. 136

Set the wireless authentication method ............................................................................................. 136

Set the encryption level............................................................................................................................. 136

WPA and WPA2 PSK authentication...................................................................................................... 137

Enable a wireless guest network................................................................................................................. 140

Configure your external interface as a wireless interface .................................................................. 142

Configure the primary external interface as a wireless interface .......................................... 142

Configure a BOVPN tunnel for additional security ..................................................................... 144

Set the operating region and channel ............................................................................................ 145

Set the wireless mode of operation ................................................................................................. 146

Configure the wireless card on your computer..................................................................................... 147

Chapter 10 Dynamic Routing ...................................................................................................................149

About dynamic routing .................................................................................................................................. 149

About routing daemon configuration files ............................................................................................. 149

About Routing Information Protocol (RIP) .............................................................................................. 150

Routing Information Protocol (RIP) commands................................................................................ 150

Configure the Firebox to use RIP v2...................................................................................................... 153

Allow RIP v2 traffic through the Firebox.............................................................................................. 154

Sample RIP routing configuration file .................................................................................................. 154

About Open Shortest Path First (OSPF) Protocol .................................................................................. 156

OSPF commands .......................................................................................................................................... 156

OSPF Interface Cost table.......................................................................................................................... 158

Configure the Firebox to use OSPF ....................................................................................................... 159

Sample OSPF routing configuration file .............................................................................................. 160

Allow BGP traffic through the Firebox ................................................................................................. 167

Sample BGP routing configuration file ................................................................................................ 167

Chapter 11 Authentication ......................................................................................................................169

About user authentication ............................................................................................................................ 169

User authentication steps......................................................................................................................... 170

Manually close an authenticated session ........................................................................................... 170

See authenticated users ....................................................................................................................... 171

Close a user session................................................................................................................................ 171

Use authentication through a gateway Firebox.......................................................................... 172

Allow multiple concurrent logins...................................................................................................... 174

Automatically redirect users to the login portal.......................................................................... 174

Use a custom default start page........................................................................................................ 175

Set Management Session timeouts.................................................................................................. 175

About the WatchGuard Authentication (WG-Auth) policy................................................................ 175

Set up SSO ................................................................................................................................................. 177

Install the WatchGuard Single Sign-On (SSO) agent....................................................................... 177

Download the SSO agent software ....................................................................................................... 177

Before you install.......................................................................................................................................... 178

viii Fireware XTM Web UI

Install the SSO agent service.................................................................................................................... 178

Install the WatchGuard Single Sign-On (SSO) client ....................................................................... 178

Install the SSO client service .................................................................................................................... 179

Enable Single Sign-On (SSO).................................................................................................................... 179

Enable and configure SSO ........................................................................................................................ 180

Define SSO exceptions............................................................................................................................... 180

About using third-party authentication servers............................................................................... 181

Use a backup authentication server...................................................................................................... 181

Types of Firebox authentication............................................................................................................. 182

Firewall authentication ......................................................................................................................... 182

Mobile VPN with PPTP connections ................................................................................................. 183

Mobile VPN with SSL connections .................................................................................................... 184

Define a new user for Firebox authentication................................................................................... 185

Define a new group for Firebox authentication ............................................................................... 186

Authentication key ................................................................................................................................. 187

RADIUS authentication methods ...................................................................................................... 187

Before you begin..................................................................................................................................... 187

About RADIUS groups................................................................................................................................ 191

Practical use of RADIUS groups .............................................................................................................. 191

Configure SecurID authentication.............................................................................................................. 195

Configure LDAP authentication .................................................................................................................. 196

About LDAP optional settings............................................................................................................ 197

About Active Directory optional settings....................................................................................... 199

DN of Searching User and Password of Searching User fields..................................................... 200

Change the default port for the Active Directory server ............................................................... 201

Configure the Firebox to use the global catalog port .................................................................... 201

To find out if your Active Directory server is configured as a global catalog server ........... 201

Before You Begin..................................................................................................................................... 202

Specify Active Directory or LDAP Optional Settings .................................................................. 203

Use a local user account for authentication............................................................................................ 206

Define users and groups for Firebox authentication................................................................. 207

Define users and groups for third-party authentication .......................................................... 207

Chapter 12 Policies ...................................................................................................................................209

About policies .................................................................................................................................................... 209

Packet filter and proxy policies .......................................................................................................... 209

About the Firewall or Mobile VPN Policies page .............................................................................. 211

Add a policy from the list of templates................................................................................................ 214

Disable or delete a policy.......................................................................................................................... 215

Delete a policy............................................................................................................................................... 215

Alias members............................................................................................................................................... 216

Create an alias ............................................................................................................................................... 217

Add an address, address range, DNS name, user, group, or another alias to the alias....... 218

Automatic policy order .............................................................................................................................. 219

Policy specificity and protocols .............................................................................................................. 219

Firewall actions ............................................................................................................................................. 220

Schedules................................................................................................................................................... 220

Policy types and names ........................................................................................................................ 220

Create or edit a custom policy template ............................................................................................. 223

Policy tab......................................................................................................................................................... 225

Properties tab................................................................................................................................................ 225

Advanced tab ................................................................................................................................................ 225

Proxy settings................................................................................................................................................ 225

User Guide ix

Configure policy-based routing ............................................................................................................. 227

Policy-based routing, failover, and failback ....................................................................................... 228

Restrictions on policy-based routing.................................................................................................... 228

Add policy-based routing to a policy ................................................................................................... 228

Set a custom idle timeout......................................................................................................................... 229

Set ICMP error handling............................................................................................................................. 229

Apply NAT rules ............................................................................................................................................ 229

1-to-1 NAT....................................................................................................................................................... 229

Set the sticky connection duration for a policy ................................................................................ 230

Chapter 13 Proxy Settings .......................................................................................................................231

About proxy policies and ALGs.................................................................................................................... 231

Proxy configuration..................................................................................................................................... 231

Add a proxy policy to your configuration................................................................................................ 232

Set the proxy action in a proxy definition........................................................................................... 234

Edit, delete, or clone proxy actions ....................................................................................................... 234

About the DNS proxy ...................................................................................................................................... 235

Policy tab......................................................................................................................................................... 235

Advanced tab ................................................................................................................................................ 236

Settings and Content tabs........................................................................................................................ 236

About the FTP proxy........................................................................................................................................ 239

Policy tab......................................................................................................................................................... 239

Properties tab................................................................................................................................................ 239

Advanced tab ................................................................................................................................................ 239

Settings and Content tabs........................................................................................................................ 240

FTP proxy: Content...................................................................................................................................... 240

About the H.323 ALG....................................................................................................................................... 242

VoIP components......................................................................................................................................... 242

ALG functions................................................................................................................................................ 242

Properties tab................................................................................................................................................ 243

Advanced tab ................................................................................................................................................ 243

Settings and Content tabs........................................................................................................................ 243

H.323 ALG: Settings..................................................................................................................................... 246

About the HTTP proxy..................................................................................................................................... 247

Policy tab......................................................................................................................................................... 247

Properties tab................................................................................................................................................ 247

Settings and Content tabs........................................................................................................................ 248

Allow Windows updates through the HTTP proxy .......................................................................... 248

If you still cannot download Windows updates .......................................................................... 248

File name patterns.................................................................................................................................. 250

HTTP proxy: Settings tab ........................................................................................................................... 252

HTTP requests........................................................................................................................................... 253

HTTP responses........................................................................................................................................ 253

HTTP proxy exceptions ......................................................................................................................... 254

Policy tab......................................................................................................................................................... 255

Properties tab................................................................................................................................................ 255

Settings and Content tabs........................................................................................................................ 256

HTTPS Proxy: Content................................................................................................................................. 256

HTTPS Proxy: Settings................................................................................................................................. 258

Policy tab......................................................................................................................................................... 260

Properties tab................................................................................................................................................ 260

Advanced tab ................................................................................................................................................ 260

POP3 Proxy: Content................................................................................................................................... 261

x Fireware XTM Web UI

About the SIP proxy ......................................................................................................................................... 264

VoIP components......................................................................................................................................... 264

ALG functions................................................................................................................................................ 264

Properties tab................................................................................................................................................ 265

Advanced tab ................................................................................................................................................ 265

Settings and Content tabs........................................................................................................................ 265

Policy tab......................................................................................................................................................... 270

Properties tab................................................................................................................................................ 270

Advanced tab ................................................................................................................................................ 270

Settings, Addressing, and Content tabs .............................................................................................. 271

SMTP Proxy: Addressing............................................................................................................................ 271

SMTP Proxy: Settings .................................................................................................................................. 273

Configure the SMTP proxy to quarantine email ............................................................................... 274

Policy tab......................................................................................................................................................... 275

Properties tab................................................................................................................................................ 275

Advanced tab ................................................................................................................................................ 275

Settings and Content tabs........................................................................................................................ 275

Chapter 14 Traffic Management and QoS .............................................................................................. 279

About Traffic Management and QoS......................................................................................................... 279

Enable traffic management and QoS.................................................................................................... 280

Restrict bandwidth ...................................................................................................................................... 281

QoS Marking .................................................................................................................................................. 281

Traffic priority ................................................................................................................................................ 281

Before you begin.......................................................................................................................................... 284

QoS marking for interfaces and policies.............................................................................................. 284

Marking types and values ......................................................................................................................... 285

QoS marking settings ................................................................................................................................. 288

Prioritization settings ................................................................................................................................. 289

Priority Levels ................................................................................................................................................ 289

Define a Traffic Management action..................................................................................................... 290

Determine available bandwidth............................................................................................................. 290

Determine the sum of your bandwidth............................................................................................... 290

Create or modify a Traffic Management action ................................................................................ 291

Add a Traffic Management action to a policy.................................................................................... 292

Add a traffic management action to multiple policies................................................................... 292

Chapter 15 Default Threat Protection ..................................................................................................... 293

About default threat protection.................................................................................................................. 293

About spoofing attacks.............................................................................................................................. 295

How the WatchGuard device identifies network probes .............................................................. 297

To protect against port space and address space probes ............................................................ 298

About the SYN flood attack setting....................................................................................................... 300

About unhandled packets ........................................................................................................................ 300

About distributed denial-of-service attacks....................................................................................... 301

Permanently blocked sites................................................................................................................... 302

Auto-blocked sites/Temporary Blocked Sites list........................................................................ 302

See and edit the sites on the Blocked Sites list ............................................................................ 302

Block a site permanently ........................................................................................................................... 303

Create Blocked Site Exceptions............................................................................................................... 304

Block sites temporarily with policy settings....................................................................................... 304

User Guide xi

Change the duration that sites are auto-blocked ............................................................................ 305

Default blocked ports............................................................................................................................ 306

Block a port .................................................................................................................................................... 307

Block IP addresses that try to use blocked ports .............................................................................. 307

Chapter 16 Logging and Notification ...................................................................................................... 309

About logging and log files .......................................................................................................................... 309

Log Servers ................................................................................................................................................ 309

Logging and notification in applications and servers ............................................................... 310

About log messages............................................................................................................................... 310

Types of log messages ............................................................................................................................... 310

Traffic log messages............................................................................................................................... 310

Alarm log messages ............................................................................................................................... 310

Debug log messages ............................................................................................................................. 311

Statistic log messages ........................................................................................................................... 311

Send log messages to a WatchGuard Log Server ................................................................................. 311

Add, edit, or change the priority of Log Servers............................................................................... 312

Configure Logging Settings.......................................................................................................................... 314

Set logging and notification preferences ........................................................................................... 316

View, Sort, and Filter log message data .......................................................................................... 318

Refresh log message data .................................................................................................................... 319

Chapter 17 Monitor your Firebox ............................................................................................................ 321

The Dashboard .................................................................................................................................................. 321

System Status pages........................................................................................................................................ 323

Bandwidth Meter .............................................................................................................................................. 325

Blocked sites status.......................................................................................................................................... 326

Add or edit temporary blocked sites ............................................................................................... 326

Checksums .......................................................................................................................................................... 327

Connections........................................................................................................................................................ 327

CPU Usage ........................................................................................................................................................... 328

Diagnostics.......................................................................................................................................................... 330

Run a basic diagnostics command ................................................................................................... 330

Use command arguments ................................................................................................................... 331

Dynamic DNS ..................................................................................................................................................... 331

Feature Key ......................................................................................................................................................... 332

Interfaces ............................................................................................................................................................. 332

LiveSecurity......................................................................................................................................................... 333

Memory ................................................................................................................................................................ 333

Syslog.................................................................................................................................................................... 335

Chapter 18 Certificates .............................................................................................................................339

About certificates.............................................................................................................................................. 339

Use multiple certificates to establish trust.......................................................................................... 339

How the Firebox uses certificates .......................................................................................................... 340

Certificate lifetimes and CRLs .................................................................................................................. 340

Certificate authorities and signing requests ...................................................................................... 341

See current certificates .............................................................................................................................. 342

Import a certificate from a file ................................................................................................................. 342

Use a web server certificate for authentication ................................................................................ 343

Use OpenSSL to generate a CSR............................................................................................................. 344

Send the certificate request ..................................................................................................................... 345

Issue the certificate...................................................................................................................................... 345

Download the certificate........................................................................................................................... 345

xii Fireware XTM Web UI

Use Certificates for the HTTPS Proxy ......................................................................................................... 346

Protect a private HTTPS server ................................................................................................................ 346

Examine content from external HTTPS servers ................................................................................. 347

Import the certificates on client devices ............................................................................................. 348

Troubleshoot problems with HTTPS content inspection.............................................................. 348

Use a certificate for BOVPN tunnel authentication .............................................................................. 350

Verify the certificate with FSM ................................................................................................................ 350

Verify VPN certificates with an LDAP server ....................................................................................... 351

Chapter 19 Branch Office Virtual Private Networks ...............................................................................355

What you need to create a VPN................................................................................................................... 355

About manual BOVPN tunnels..................................................................................................................... 356

What you need to create a VPN ......................................................................................................... 356

How to create a manual BOVPN tunnel .......................................................................................... 357

One-way tunnels ..................................................................................................................................... 357

VPN Failover .............................................................................................................................................. 357

Global VPN settings................................................................................................................................ 357

BOVPN tunnel status.............................................................................................................................. 357

Rekey BOVPN tunnels............................................................................................................................ 357

Sample VPN address information table.................................................................................................... 358

Disable automatic tunnel startup for the gateway..................................................................... 360

Edit and delete gateways..................................................................................................................... 360

Define the credential method................................................................................................................. 361

If you selected Pre-Shared Key........................................................................................................... 361

If you selected Use IPSec Firebox Certificate ................................................................................ 361

Define gateway endpoints ....................................................................................................................... 361

Local Gateway ............................................................................................................................................... 362

Remote Gateway.......................................................................................................................................... 363

DH groups and Perfect Forward Secrecy (PFS) ............................................................................ 368

How to choose a Diffie-Hellman group .......................................................................................... 368

Performance analysis............................................................................................................................. 368

Define a tunnel ............................................................................................................................................. 369

Edit and delete a tunnel ............................................................................................................................ 370

Add routes for a tunnel.............................................................................................................................. 371

Add an existing proposal ..................................................................................................................... 373

Create a new proposal .......................................................................................................................... 373

Edit a proposal .............................................................................................................................................. 374

Change order of tunnels ........................................................................................................................... 374

About global VPN settings ............................................................................................................................ 375

Enable IPSec Pass-through ....................................................................................................................... 375

Enable LDAP server for certificate verification .................................................................................. 376

1-to-1 NAT and VPNs.............................................................................................................................. 377

Other reasons to use 1-to-1 NAT through a VPN......................................................................... 377

Alternative to using NAT ...................................................................................................................... 377

Example ...................................................................................................................................................... 378

Define a Branch Office gateway on each Firebox ....................................................................... 379

Configure the local tunnel................................................................................................................... 379

Define a route for all Internet-bound traffic ........................................................................................... 383

Configure the BOVPN tunnel on the remote Firebox ................................................................ 383

Configure the BOVPN tunnel on the central Firebox................................................................. 384

Add a dynamic NAT entry on the central Firebox....................................................................... 384

Enable a WatchGuard device to send multicast traffic through a tunnel .......................... 386

Example: Multicast routing through a BOVPN tunnel.................................................................... 388

User Guide xiii

Example settings ..................................................................................................................................... 388

Enable broadcast routing for the local Firebox............................................................................ 393

Configure broadcast routing for the Firebox at the other end of the tunnel ................... 394

Example settings ..................................................................................................................................... 395

Configure broadcast routing for the BOVPN tunnel at Site A................................................. 395

Configure broadcast routing for the BOVPN tunnel at Site B ................................................. 397

Define multiple gateway pairs ........................................................................................................... 399

See VPN statistics .................................................................................................................................... 401

Rekey BOVPN tunnels...................................................................................................................................... 401

Why do I need a static external address? ....................................................................................... 402

How do I get a static external IP address?...................................................................................... 402

How do I troubleshoot the connection?......................................................................................... 402

Why is ping not working? .................................................................................................................... 402

How do I set up more than the number of allowed VPN tunnels on my Edge?............... 402

Collect IP address and tunnel settings ............................................................................................ 403

PHASE 1 Settings (Both sides must use exactly the same values) ........................................ 404

PHASE 2 Settings (Both sides must use exactly the same values)......................................... 404

Configure the Phase 1 settings .......................................................................................................... 409

Configure the Phase 2 settings .......................................................................................................... 413

Configure the Phase 1 settings .......................................................................................................... 418

Add a VPN Tunnel ................................................................................................................................... 420

Configure the Phase 2 settings .......................................................................................................... 422

Collect IP address and tunnel settings ............................................................................................ 424

PHASE 1 Settings (Both sides must use exactly the same values) ........................................ 425

PHASE 2 Settings (Both sides must use exactly the same values)......................................... 425

Configure Site A, Fireware XTM v11.x................................................................................................... 427

Configure the Phase 1 settings .......................................................................................................... 430

Configure the Phase 2 settings .......................................................................................................... 434

Add a VPN Gateway................................................................................................................................ 436

Configure the Phase 1 settings .......................................................................................................... 438

Configure the Phase 2 settings .......................................................................................................... 442

Collect IP address and tunnel settings ............................................................................................ 446

PHASE 1 Settings (Both sides must use exactly the same values)......................................... 447

PHASE 2 Settings (Both sides must use exactly the same values)......................................... 447

PHASE 1 Settings (Both sides must use exactly the same values)......................................... 448

PHASE 2 Settings (Both sides must use exactly the same values)......................................... 448

Configure Site A, Fireware 11.x ............................................................................................................... 449

Configure the Phase 1 settings .......................................................................................................... 452

Configure the Phase 2 settings .......................................................................................................... 456

Configure the Phase 1 settings .......................................................................................................... 459

Configure the Phase 2 settings .......................................................................................................... 460

Configure VPN Keep Alive.................................................................................................................... 461

Select either IKE Keep-alive or Dead Peer Detection, but not both...................................... 462

Use the default settings........................................................................................................................ 463

Configure the Firebox to send log traffic through the tunnel................................................ 464

Chapter 20 Mobile VPN with PPTP ..........................................................................................................467

About Mobile VPN with PPTP....................................................................................................................... 467

Mobile VPN with PPTP requirements ........................................................................................................ 467

Configure Mobile VPN with PPTP ............................................................................................................... 469

Encryption Settings ................................................................................................................................ 470

Advanced Tab settings.......................................................................................................................... 471

Configure policies to allow Mobile VPN with PPTP traffic........................................................ 475

xiv Fireware XTM Web UI

Configure policies to allow Mobile VPN with PPTP traffic ................................................................. 476

Allow PPTP users to access a trusted network ............................................................................. 476

Options for Internet access through a Mobile VPN with PPTP tunnel........................................... 477

Default-route VPN................................................................................................................................... 477

Split tunnel VPN....................................................................................................................................... 477

Default-route VPN setup for Mobile VPN with PPTP .................................................................. 478

Split tunnel VPN setup for Mobile VPN with PPTP ...................................................................... 478

Prepare a Windows NT or 2000 client computer: Install MSDUN and service packs...... 479

Create a PPTP connection.................................................................................................................... 480

Establish the PPTP connection........................................................................................................... 480

Create the PPTP Mobile VPN............................................................................................................... 481

Connect with the PPTP Mobile VPN ................................................................................................. 481

Create the PPTP Mobile VPN............................................................................................................... 482

Connect with the PPTP Mobile VPN ................................................................................................. 482

Make outbound PPTP connections from behind a Firebox .............................................................. 482

Chapter 21 Mobile VPN with IPSec ..........................................................................................................483

About WatchGuard Mobile VPN with IPSec............................................................................................ 483

Configure a Mobile VPN with IPSec connection............................................................................... 483

System requirements ................................................................................................................................. 484

Options for Internet access through a Mobile VPN tunnel........................................................... 484

Default-route VPN................................................................................................................................... 484

Split tunnel VPN....................................................................................................................................... 484

Configure the Firebox for Mobile VPN with IPSec............................................................................ 485

Configure a Mobile VPN with IPSec group .................................................................................... 485

Configure the external authentication server .............................................................................. 491

Modify an existing Mobile VPN with IPSec group profile.............................................................. 493

Configure a Mobile VPN with IPSec group ......................................................................................... 494

Define advanced Phase 1 settings.................................................................................................... 500

Define advanced Phase 2 settings.................................................................................................... 502

Lock down an end user profile................................................................................................................ 505

Mobile VPN with IPSec configuration files.......................................................................................... 505

Configure policies to filter Mobile VPN traffic ................................................................................... 506

Add an individual policy....................................................................................................................... 506

Distribute the software and profiles ..................................................................................................... 506

Making outbound IPSec connections from behind a Firebox................................................ 507

Terminate IPSec connections ............................................................................................................. 507

Global VPN settings................................................................................................................................ 507

See the number of Mobile VPN licenses......................................................................................... 507

Purchase additional Mobile VPN licenses ...................................................................................... 507

Add feature keys...................................................................................................................................... 507

Configure Mobile VPN with IPSec to a dynamic IP address.......................................................... 508

Keep a record of the current IP address.......................................................................................... 508

Configure the Firebox and IPSec client computers .................................................................... 508

Client Requirements ................................................................................................................................... 510

Install the Mobile VPN with IPSec client software............................................................................ 510

Import the end-user profile................................................................................................................. 511

Select a certificate and enter the PIN............................................................................................... 512

Uninstall the Mobile VPN client ......................................................................................................... 512

Disconnect the Mobile VPN client .................................................................................................... 513

Control connection behavior.............................................................................................................. 513

Mobile User VPN client icon ................................................................................................................ 515

See Mobile VPN log messages ................................................................................................................ 515

User Guide xv

Secure your computer with the Mobile VPN firewall...................................................................... 515

About the desktop firewall.................................................................................................................. 516

Define friendly networks ...................................................................................................................... 517

Create firewall rules................................................................................................................................ 518

Import the end user profile ................................................................................................................. 524

Select a certificate and enter the passphrase ............................................................................... 525

Connect and disconnect the Mobile VPN client .......................................................................... 525

Control the connection behavior...................................................................................................... 526

Mobile User VPN client icon ................................................................................................................ 527

Mobile VPN WM Configurator and Windows Mobile IPSec client requirements............. 528

Select a certificate and enter the PIN............................................................................................... 529

Upload the end-user profile to the Windows Mobile device.................................................. 532

Connect and disconnect the Mobile VPN for Windows Mobile client................................. 533

Secure your Windows Mobile device with the Mobile VPN firewall.......................................... 535

Uninstall the Configurator from your Windows computer...................................................... 537

Uninstall the WatchGuard Mobile VPN Service and Monitor from your

Windows Mobile device ....................................................................................................................... 537

Chapter 22 Mobile VPN with SSL ............................................................................................................. 539

About Mobile VPN with SSL.......................................................................................................................... 539

Configure authentication and connection settings................................................................... 540

Configure the Networking and IP Address Pool settings......................................................... 541

Configure Advanced settings for Mobile VPN with SSL............................................................ 543

Configure user authentication for Mobile VPN with SSL.......................................................... 544

Configure policies to control Mobile VPN with SSL client access.......................................... 544

Use other groups or users in a Mobile VPN with SSL policy .................................................... 545

How to choose a different port and protocol.................................................................................... 546

Allow direct access to the internet ................................................................................................... 547

Force all client traffic through tunnel.............................................................................................. 547

Use the HTTP proxy to control Internet access for Mobile VPN with SSL users .................... 547

Name resolution for Mobile VPN with SSL.......................................................................................... 547

Methods of name resolution through a Mobile VPN with SSL connection ............................ 548

Select the best method for your network........................................................................................... 548

Configure WINS or DNS for name resolution..................................................................................... 548

Add WINS and DNS servers to a Mobile VPN with SSL configuration....................................... 548

Configure an LMHOSTS file to provide name resolution .............................................................. 548

Edit an LMHOSTS file .................................................................................................................................. 549

Install and connect the Mobile VPN with SSL client............................................................................. 549

Client computer requirements........................................................................................................... 549

Install the client software ..................................................................................................................... 550

Connect to your private network...................................................................................................... 551

Manually distribute and install the Mobile VPN with SSL client software and

configuration file.......................................................................................................................................... 552

Install and configure the SSL client using the installation software and

a configuration file ...................................................................................................................................... 553

Update the configuration of a computer that is unable to connect to

the WatchGuard device ............................................................................................................................. 554

Uninstall the Mobile VPN with SSL client ............................................................................................ 554

Windows Vista and Windows XP............................................................................................................ 554

Mac OS X ......................................................................................................................................................... 554

Chapter 23 WebBlocker ............................................................................................................................ 555

About WebBlocker ........................................................................................................................................... 555

Before you begin..................................................................................................................................... 557

xvi Fireware XTM Web UI

Create WebBlocker profiles ................................................................................................................. 557

Enable local override ............................................................................................................................. 559

Select categories to block .................................................................................................................... 560

Add WebBlocker exceptions............................................................................................................... 561

About WebBlocker categories ..................................................................................................................... 563

See whether a site is categorized........................................................................................................... 563

Add, remove, or change a category ...................................................................................................... 564

Define the action for sites that do not match exceptions........................................................ 565

Components of exception rules ........................................................................................................ 565

Exceptions with part of a URL............................................................................................................. 565

Renew security subscriptions....................................................................................................................... 567

About WebBlocker subscription services expiration........................................................................... 567

Chapter 24 spamBlocker .......................................................................................................................... 569

About spamBlocker.......................................................................................................................................... 569

spamBlocker actions, tags, and categories......................................................................................... 570

spamBlocker categories ............................................................................................................................ 571

About spamBlocker exceptions.............................................................................................................. 574

Add spamBlocker exception rules .................................................................................................... 575

Configure Virus Outbreak Detection actions for a policy.............................................................. 576

Configure spamBlocker to quarantine email..................................................................................... 577

About using spamBlocker with multiple proxies ............................................................................. 577

Set global spamBlocker parameters.......................................................................................................... 578

Use an HTTP proxy server for spamBlocker........................................................................................ 579

Add trusted email forwarders to improve spam score accuracy................................................ 580

About spamBlocker and VOD scan limits............................................................................................ 581

File scan limits by WatchGuard device model, in kilobytes.......................................................... 581

Maximum number of connections by WatchGuard device model ........................................... 582

Send spam or bulk email to special folders in Outlook.................................................................. 583

Find the category a message is assigned to.................................................................................. 585

Chapter 25 Gateway AntiVirus and Intrusion Prevention ..................................................................... 587

About Gateway AntiVirus and Intrusion Prevention ........................................................................... 587

Install and upgrade Gateway AV/IPS ............................................................................................... 588

About Gateway AntiVirus/Intrusion Prevention and proxy policies .................................... 588

Configure the Gateway AntiVirus Service ...................................................................................... 589

Configure Gateway AntiVirus actions for a proxy action............................................................... 591

Configure alarm notification for antivirus actions ........................................................................... 592

Configure Gateway AntiVirus to quarantine email.......................................................................... 592

File scan limits by WatchGuard device model, in kilobytes.......................................................... 593

Update Gateway AntiVirus/IPS settings ................................................................................................... 593

If you use a third-party antivirus client............................................................................................ 593

Configure Gateway AV decompression settings.............................................................................. 594

Configure the Gateway AV/IPS update server................................................................................... 595

Connect to the update server through an HTTP proxy server..................................................... 596

Block access from the trusted network to the update server...................................................... 596

Before you begin..................................................................................................................................... 598

Configure the Intrusion Prevention Service .................................................................................. 598

Set parameters for Intrusion Prevention Service (IPS).................................................................... 599

Configure IPS settings ................................................................................................................................ 601

Configure signature exceptions ............................................................................................................. 601

User Guide xvii

Chapter 26 Quarantine Server ................................................................................................................. 603

About the Quarantine Server ....................................................................................................................... 603

Configure the Firebox to quarantine email............................................................................................. 604

Define the Quarantine Server location on the Firebox....................................................................... 604

xviii Fireware XTM Web UI

User Guide 1

1

Introduction to Network

Security

About networks and network security

A network is a group of computers and other devices that are connected to each other. It can be two

computers in the same room, dozens of computers in an organization, or many computers around the world

connected through the Internet. Computers on the same network can work together and share data.

Although networks like the Internet give you access to a large quantity of information and business

opportunities, they can also open your network to attackers. Many people think that their computers hold no

important information, or that a hacker is not interested in their computers. This is not correct. A hacker can

use your computer as a platform to attack other computers or networks. Information from your organization,

including personal information about users, employees, or customers, is also valuable to hackers.

Your WatchGuard device and LiveSecurity subscription can help you prevent these attacks. A good network

security policy, or a set of access rules for users and resources, can also help you find and prevent attacks to

your computer or network. We recommend that you configure your Firebox to match your security policy, and

think about threats from both inside and outside your organization.

About Internet connections

ISPs (Internet service providers) are companies that give access to the Internet through network connections.

The rate at which a network connection can send data is known as bandwidth: for example, 3 megabits per

second (Mbps).

A high-speed Internet connection, such as a cable modem or a DSL (Digital Subscriber Line), is known as a

broadband connection. Broadband connections are much faster than dial-up connections. The bandwidth of

a dial-up connection is less than .1 Mbps, while a cable modem can be 5 Mbps or more.

Typical speeds for cable modems are usually lower than the maximum speeds, because each computer in a

neighborhood is a member of a LAN. Each computer in that LAN uses some of the bandwidth. Because of this

shared-medium system, cable modem connections can become slow when more users are on the network.

DSL connections supply constant bandwidth, but they are usually slower than cable modem connections.

Also, the bandwidth is only constant between your home or office and the DSL central office. The DSL central

office cannot guarantee a good connection to a web site or network.

Introduction to Network Security

2 Fireware XTM Web UI

How information travels on the Internet

The data that you send through the Internet is cut into units, or packets. Each packet includes the Internet

address of the destination. The packets that make up a connection can use different routes through the

Internet. When they all get to their destination, they are assembled back into the original order. To make sure

that the packets get to the destination, address information is added to the packets.

About protocols

A protocol is a group of rules that allow computers to connect across a network. Protocols are the grammar of

the language that computers use when they speak to each other across a network. The standard protocol

when you connect to the Internet is the IP (Internet Protocol). This protocol is the usual language of computers

on the Internet.

A protocol also tells how data is sent through a network. The most frequently used protocols are TCP

(Transmission Control Protocol) and UDP (User Datagram Protocol). TCP/IP is the basic protocol used by

computers that connect to the Internet.

You must know some of the TCP/IP settings when you set up your WatchGuard device. For more information

on TCP/IP, see “Find your TCP/IP properties” on page 29.

Page is loading ...

Watchguard Fireware XTM Web UI User guide

Related papers

Other documents