WatchGuard Fireware XTM WSM User Guide

WatchGuard System Manager v11.2.1 User Guide
Fireware XTM
WatchGuard XTM Devices
Firebox X Peak e-Series
Firebox X Core e-Series
Firebox X Edge e-Series
User Guide ii
About this User Guide
The Fireware XTM WatchGuard System Manager User Guide is updated with each major product release.
For minor product releases, only the Fireware XTM WatchGuard System Manager Help system is updated.
The Help system also includes specific, task-based implementation examples that are not available in the
User Guide.
For the most recent product documentation, see the Fireware XTM WatchGuard System Manager Help on
the WatchGuard web site at: http://www.watchguard.com/help/documentation/.
Information in this guide is subject to change without notice. Companies, names, and data used in examples
herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any
form or by any means, electronic or mechanical, for any purpose, without the express written permission
of WatchGuard Technologies, Inc.
Guide revised: 2/26/2010
Copyright, Trademark, and Patent Information
Copyright © 1998-2010 WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade names
mentioned herein, if any, are the property of their respective owners.
Complete copyright, trademark, patent, and licensing information can be found in the Copyright and
Licensing Guide, available online at: http://www.watchguard.com/help/documentation/.
Note: This product is for indoor use only.
About WatchGuard
WatchGuard offers affordable, all-in-one network and content security
solutions that provide defense-in-depth and help meet regulatory
compliance requirements. The WatchGuard XTM line combines firewall,
VPN, GAV, IPS, spam blocking and URL filtering to protect your network
from spam, viruses, malware, and intrusions. The new XCS line offers email
and web content security combined with data loss prevention. WatchGuard
extensible solutions scale to offer right-sized security ranging from small
businesses to enterprises with 10,000+ employees. WatchGuard builds
simple, reliable, and robust security appliances featuring fast
implementation and comprehensive management and reporting tools.
Enterprises throughout the world rely on our signature red boxes to
maximize security without sacrificing efficiency and productivity.
For more information, please call 206.613.6600 or visit
www.watchguard.com.
Address
505 Fifth Avenue South
Suite 500
Seattle, WA 98104
Support
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575
Sales
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895
Table of Contents
Introduction to Network Security 1
About networks and network security 1
About Internet connections 1
About protocols 2
About IP addresses 3
Private addresses and gateways 3
About subnet masks 3
About slash notation 3
About entering IP addresses 4
Static and dynamic IP addresses 4
About DNS (Domain Name System) 5
About firewalls 6
About services and policies 7
About ports 8
Introduction to Fireware XTM 9
About Fireware XTM 9
Fireware XTM Components 10
WatchGuard System Manager 10
WatchGuard Server Center 11
Fireware XTM Web UI and Command Line Interface 12
Fireware XTMwith a Pro Upgrade 13
Service and Support 15
About WatchGuard Support 15
LiveSecurity Service 15
LiveSecurity Service Gold 16
Service expiration 16
Getting Started 17
Before you begin 17
Verify basic components 17
Get a Firebox or XTM device feature key 18
Gather network addresses 18
Select a firewall configuration mode 19
Decide where to install server software 20
Install WatchGuard System Manager software 20
Back up your previous configuration 20
Download WatchGuard System Manager 21
About software encryption levels 22
About the Quick Setup Wizard 22
Run the Web Setup Wizard 23
Run the WSM Quick Setup Wizard 26
Complete your installation 28
Customize your security policy 28
About LiveSecurity Service 29
Start WatchGuard System Manager 29
Connect to a Firebox or XTM device 29
Start WSMapplications 30
Additional installation topics 32
Install WSM and keep an older version 32
Install WatchGuard Servers on computers with desktop firewalls 32
Dynamic IP support on the external interface 33
About connecting the Firebox or XTM device cables 33
Connect to a Firebox or XTM device with Firefox v3 34
Disable the HTTP proxy in the browser 35
Find your TCP/IP properties 36
Configuration and Management Basics 39
About basic configuration and management tasks 39
About configuration files 39
Open a configuration file 39
Make a new configuration file 41
Save the configuration file 42
Make a backup of the Firebox or XTM device image 43
Restore a Firebox or XTM device backup image 44
Use an existing configuration for a new Firebox or XTM device model 45
Configure a replacement Firebox or XTM device 46
Save the configuration from the original Firebox or XTM device to a file 46
Get the feature key for the replacement Firebox or XTM device 47
Use the Quick Setup Wizard to configure basic settings 47
Update the feature key in the original configuration file and save to the new device 47
Reset a Firebox or XTM device to a previous or new configuration 48
Start a Firebox XCore or Peak e-Series, or a WatchGuard XTM device in safe mode 48
Reset a Firebox XEdge e-Series or WatchGuard XTM2 Series device to factory default settings
49
Run the Quick Setup Wizard 49
About factory default settings 49
About feature keys 51
When you purchase a new feature 51
See features available with the current feature key 51
Verify feature key compliance 52
Get a feature key from LiveSecurity 53
Add a feature key to your Firebox or XTM device 55
See the details of a feature key 57
Download a feature key 57
Enable NTP and add NTP servers 58
Set the time zone and basic device properties 59
About SNMP 60
SNMP polls and traps 60
Enable SNMP polling 61
Enable SNMP management stations and traps 62
About Management Information Bases (MIBs) 64
About WatchGuard Passphrases, Encryption Keys, and Shared Keys 65
Create a secure passphrase, encryption key, or shared key 65
Firebox or XTM device Passphrases 65
User Passphrases 65
Server Passphrases 66
Encryption Keys and Shared Keys 66
Change Firebox or XTM device passphrases 67
About aliases 68
Alias members 68
Create an alias 69
Define Firebox or XTM device global settings 71
Define ICMP error handling global settings 72
Enable TCP SYN checking 73
Define TCP maximum segment size adjustment global settings 73
Enable or disable Traffic Management and QoS 73
Change the Web UI port 73
Automatic Reboot 73
External Console 74
Manage a Firebox or XTM device from a remote location 74
Locations of WatchGuard System Manager files 77
Locations of application and user-created files 77
Upgrade to a new version of Fireware XTM 79
Install the upgrade on your management computer 79
Upgrade the Firebox or XTM device 80
Use multiple versions of Policy Manager 80
About upgrade options 81
Subscription Services upgrades 81
Appliance and software upgrades 81
How to apply an upgrade 82
Renew security subscriptions 82
Renew subscriptions from Firebox System Manager 83
Network Setup and Configuration 85
About network interface setup 85
Network modes 86
Interface types 87
About network interfaces on the Edge e-Series 87
Mixed Routing Mode 88
Configure an external interface 88
Configure DHCP in mixed routing mode 92
About the Dynamic DNS service 94
Use dynamic DNS 94
Drop-in Mode 95
Use drop-in mode for network interface configuration 96
Configure related hosts 97
Configure DHCP in drop-in mode 98
Bridge Mode 101
Common interface settings 103
Disable an interface 106
Configure DHCPRelay 108
Restrict network traffic by MAC address 108
Add WINS and DNS server addresses 109
Configure a secondary network 110
About advanced interface settings 112
Network Interface Card (NIC)settings 113
Set Outgoing Interface Bandwidth 114
Set DF bit for IPSec 115
PMTU Setting for IPSec 115
Use static MAC address binding 116
Find the MAC address of a computer 116
About LAN bridges 117
Create a network bridge configuration 117
Assign a network interface to a bridge 119
About routing 121
Add a static route 121
About virtual local area networks (VLANs) 122
VLAN requirements and restrictions 122
About tagging 123
Define a new VLAN 123
Assign interfaces to a VLAN 127
Network Setup Examples 127
Use your Firebox or XTM device with the 3G Extend wireless bridge 128
Multi-WAN 131
About using multiple external interfaces 131
Multi-WAN requirements and conditions 131
Multi-WAN and DNS 132
Multi-WAN and FireCluster 132
About multi-WAN options 132
Round-robin order 132
Failover 133
Interface overflow 133
Routing table 133
Serial modem (Firebox XEdge only) 134
Configure Round-robin 135
Before You Begin 135
Configure the interfaces 135
Find how to assign weights to interfaces 137
Configure Failover 137
Before You Begin 137
Configure the interfaces 137
Configure Interface Overflow 138
Before You Begin 138
Configure the interfaces 139
Configure Routing Table 140
Before you begin 140
Routing Table mode and load balancing 140
Configure the interfaces 140
About the Firebox or XTM device route table 141
When to use multi-WAN methods and routing 142
Serial modem failover 143
Enable serial modem failover 143
Account settings 144
DNS settings 144
Dial-up settings 145
Advanced settings 145
Link Monitor settings 145
Advanced multi-WAN settings 147
About sticky connections 147
Set a global sticky connection duration 147
Set the failback action 148
About WAN interface status 149
Time needed for the Firebox or XTM device to update its route table 149
Define a link monitor host 149
Network Address Translation (NAT) 151
About Network Address Translation 151
Types of NAT 152
About dynamic NAT 152
Add firewall dynamic NAT entries 152
Configure policy-based dynamic NAT 155
About 1-to-1 NAT 156
About 1-to-1 NAT and VPNs 157
Configure firewall 1-to-1 NAT 158
Configure policy-based 1-to-1 NAT 160
Configure NAT loopback with static NAT 162
Add a policy for NATloopback to the server 163
NAT loopback and 1-to-1 NAT 164
About static NAT 168
Configure Static NAT 168
Configure server load balancing 169
NAT Examples 173
1-to-1 NAT example 173
Wireless Setup 175
About wireless configuration 175
About wireless access point configuration 176
Before you begin 177
About wireless configuration settings 178
Enable/disable SSID broadcasts 178
Change the SSID 179
Log authentication events 179
Change the fragmentation threshold 179
Change the RTS threshold 181
About wireless security settings 181
Set the wireless authentication method 181
Set the encryption level 182
Enable wireless connections to the trusted or optional network 183
Enable a wireless guest network 185
Configure your external interface as a wireless interface 188
Configure the primary external interface as a wireless interface 188
Configure a BOVPN tunnel for additional security 190
About wireless radio settings on the Firebox X Edge e-Series Wireless device 191
Set the operating region and channel 192
Set the wireless mode of operation 193
About wireless radio settings on the WatchGuard XTM2 Series Wireless device 194
Country is set automatically 195
Select the Band and Wireless mode 195
Select the Channel 196
Configure the wireless card on your computer 197
Dynamic Routing 199
About dynamic routing 199
About routing daemon configuration files 199
About Routing Information Protocol (RIP) 200
Routing Information Protocol (RIP) commands 200
Configure the Firebox or XTM device to use RIP v1 202
Configure the Firebox or XTM device to use RIP v2 203
Sample RIP routing configuration file 206
About Open Shortest Path First (OSPF) Protocol 207
OSPF commands 208
OSPF Interface Cost table 211
Configure the Firebox or XTM device to use OSPF 211
Sample OSPF routing configuration file 213
About Border Gateway Protocol (BGP) 215
BGP commands 217
Configure the Firebox or XTM device to use BGP 219
Sample BGP routing configuration file 221
FireCluster 223
About WatchGuard FireCluster 223
FireCluster status 225
About FireCluster failover 225
Events that trigger a failover 225
What happens during a failover 226
FireCluster failover and the cluster MAC address 226
FireCluster failover and server load balancing 227
Monitor the cluster during a failover 227
Features not supported with FireCluster 227
FireCluster network configuration limitations 227
FireCluster management limitations 227
About the interface for management IPaddress 227
Configure the interface for management IP address 228
Use the interface for management IP address to restore a backup image 228
Use the interface for management IP address to upgrade from an external location 228
Configure FireCluster 229
FireCluster requirements and restrictions 229
Cluster synchronization and status monitoring 230
FireCluster device roles 231
FireCluster configuration steps 231
Before you begin 232
Connect the FireCluster hardware 233
Switch and router recommendation for an active/passive FireCluster 235
Switch and router requirements for an active/active FireCluster 235
Use the FireCluster Setup Wizard 240
Configure FireCluster manually 245
Find the multicast MAC addresses for an active/active cluster 250
Monitor and control FireCluster members 252
Monitor status of FireCluster members 253
Monitor and control cluster members 254
Discover a cluster member 254
Force a failover of the cluster master 255
Reboot a cluster member 255
Shut down a cluster member 256
Connect to a cluster member 257
Make a member leave a cluster 258
Make a member join a cluster 258
Remove or add a cluster member 258
Remove a device from a FireCluster 258
Add a new device to a FireCluster 260
Update the FireCluster configuration 260
Configure FireCluster logging and notification 260
About feature keys and FireCluster 261
See the feature keys and Cluster Features for a cluster 262
See or update the feature key for a cluster member 262
See the FireCluster feature key in Firebox System Manager 264
Create a FireCluster backup image 265
Restore a FireCluster backup image 266
Make the backup master leave the cluster 266
Restore the backup image to the backup master 266
Restore the backup image to the cluster master 266
Make the backup master rejoin the cluster 267
Upgrade Fireware XTM for FireCluster members 267
Disable FireCluster 268
Authentication 269
About user authentication 269
User authentication steps 270
Manage authenticated users 271
Use authentication to restrict incoming traffic 271
Use authentication through a gateway Firebox 272
Set global authentication values 273
Set global authentication timeouts 274
Allow multiple concurrent logins 274
Limit login sessions 274
Automatically redirect users to the login portal 275
Use a custom default start page 276
Set Management Session timeouts 276
Enable Single Sign-On 276
About the WatchGuard Authentication (WG-Auth) policy 276
About Single Sign-On (SSO) 277
Before You Begin 278
Set up SSO 278
Install the WatchGuard Single Sign-On (SSO) agent 278
Install the WatchGuard Single Sign-On (SSO) client 279
Enable Single Sign-On (SSO) 280
Authentication server types 282
About using third-party authentication servers 282
Use a backup authentication server 282
Configure your Firebox or XTM device as an authentication server 283
Types of Firebox authentication 283
Define a new user for Firebox authentication 286
Define a new group for Firebox authentication 288
Configure RADIUS server authentication 289
Authentication key 289
RADIUSauthentication methods 289
Before you begin 289
Use RADIUSserver authentication with your Firebox or XTM device 289
How RADIUS server authentication works 291
Configure VASCO server authentication 294
Configure SecurID authentication 296
Configure Active Directory authentication 298
About Active Directory optional settings 300
Find your Active Directory search base 300
Change the default port for the Active Directory server 301
Configure LDAP authentication 302
About LDAP optional settings 304
Use Active Directory or LDAP Optional Settings 304
Before You Begin 304
Specify Active Directory or LDAP Optional Settings 304
Use a local user account for authentication 308
Use authorized users and groups in policies 308
Define users and groups for Firebox authentication 308
Define users and groups for third-party authentication 308
Add users and groups to policy definitions 309
Policies 311
About policies 311
Packet filter and proxy policies 311
About adding policies to your Firebox or XTM device 312
About Policy Manager 312
Open Policy Manager 313
Change the Policy Manager view 314
Change colors used for Policy Manager text 316
Find a policy by address, port, or protocol 317
Add policies to your configuration 318
See the list of policy templates 319
Add a policy from the list of templates 320
Add more than one policy of the same type 321
See template details and modify policy templates 322
Disable or delete a policy 322
About policy precedence 323
Automatic policy order 323
Policy specificity and protocols 323
Traffic rules 324
Firewall actions 324
Schedules 325
Policy types and names 325
Set precedence manually 325
Create schedules for Firebox or XTM device actions 325
Set an operating schedule 327
About custom policies 327
Create or edit a custom policy template 328
Import and export custom policy templates 329
About policy properties 330
Policy tab 330
Properties tab 330
Advanced tab 330
Proxy settings 331
Set access rules for a policy 331
Configure policy-based routing 334
Set a custom idle timeout 336
Set ICMP error handling 336
Apply NAT rules 336
Set the sticky connection duration for a policy 337
Proxy Settings 339
About proxy policies and ALGs 339
Proxy configuration 340
Proxy and AV alarms 340
About rules and rulesets 341
About proxy actions 349
Use predefined content types 351
About Application Blocker Configurations 351
Intrusion prevention in proxy definitions 355
Add a proxy policy to your configuration 356
About the DNS proxy 357
Policy tab 358
Properties tab 358
Advanced tab 359
DNS proxy: General settings 359
DNS proxy: OPcodes 360
DNS proxy: Query types 361
DNS proxy: Query names 362
About MX (Mail eXchange) records 362
About the FTP proxy 364
Policy tab 365
Properties tab 365
Advanced tab 366
FTP proxy: General settings 366
FTP proxy: Commands 367
FTP proxy: Content 368
FTP proxy: AntiVirus 369
About the H.323 ALG 369
VoIPcomponents 370
ALGfunctions 370
Policy tab 370
Properties tab 371
Advanced tab 371
H.323 ALG: General Settings 372
H.323 ALG: Access Control 373
H.323 ALG: Denied Codecs 374
About the HTTP proxy 375
Policy tab 375
Properties tab 376
Advanced tab 376
HTTP request: General settings 377
HTTP request: Request methods 378
HTTP request: URL paths 380
HTTP request: Header fields 380
HTTP request: Authorization 381
HTTP Response: General settings 382
HTTP Response: Header fields 382
HTTP Response: Content types 383
HTTP Response: Cookies 384
HTTP Response: Body content types 385
HTTP proxy exceptions 385
HTTP proxy:WebBlocker 386
HTTP proxy:Application Blocker 387
HTTP proxy: AntiVirus 387
HTTP proxy:Intrusion Prevention 387
HTTP proxy: Deny message 389
Enable Windows updates through the HTTPproxy 390
Use a caching proxy server 391
About the HTTPS proxy 392
Policy tab 392
Properties tab 392
Advanced tab 393
HTTPS proxy: Content inspection 394
HTTPS proxy: Certificate names 396
HTTPS proxy:WebBlocker 396
HTTPS proxy: General settings 396
About the POP3 proxy 398
Policy tab 398
Properties tab 399
Advanced tab 399
POP3 proxy: General settings 400
POP3 proxy: Authentication 402
POP3 proxy: Content types 403
POP3 proxy: File names 404
POP3 proxy: Headers 406
POP3 proxy: AntiVirus 407
POP3 proxy: Deny message 408
POP3 proxy: spamBlocker 409
About the SIP proxy 410
VoIPcomponents 411
ALGfunctions 411
Policy tab 411
Properties tab 412
Advanced tab 412
SIP ALG: General Settings 412
SIP ALG: Access Control 414
SIP ALG: Denied Codecs 415
About the SMTP proxy 416
Policy tab 416
Properties tab 416
Advanced tab 417
SMTP proxy: General settings 417
SMTP proxy: Greeting rules 420
SMTP proxy: ESMTP settings 421
SMTP proxy: Authentication 422
SMTP proxy: Content types 422
SMTP proxy: File names 424
SMTP proxy: Mail From/Rcpt To 424
SMTP proxy: Headers 425
SMTP proxy: AntiVirus 425
SMTP proxy: Deny message 426
SMTP proxy: spamBlocker 427
Configure the SMTPproxy to quarantine email 427
Protect your SMTP server from email relaying 428
About the TCP-UDP proxy 429
Policy tab 429
Properties tab 429
Advanced tab 430
TCP-UDP proxy: General settings 430
TCP-UDPproxy: Application blocking 430
Traffic Management and QoS 433
About Traffic Management and QoS 433
Enable traffic management and QoS 433
Guarantee bandwidth 434
Restrict bandwidth 435
QoS Marking 435
Traffic priority 435
Set Connection Rate Limits 436
About QoS Marking 436
Before you begin 436
QoS markingfor interfaces and policies 437
QoS marking and IPSec traffic 437
Marking types and values 437
Enable QoS Marking for an interface 439
Enable QoS Marking or prioritization settings for a policy 440
Enable QoS Marking for a managed BOVPN tunnel 441
Traffic control and policy definitions 443
Define a Traffic Management action 443
Add a Traffic Management action to a policy 444
Add a Traffic Management action to a BOVPN firewall policy 445
Default Threat Protection 447
About default threat protection 447
About default packet handling options 448
Set logging and notification options 449
About spoofing attacks 449
About IP source route attacks 450
About port space and address space probes 451
About flood attacks 453
About unhandled packets 454
About distributed denial-of-service attacks 455
About blocked sites 456
Permanently blocked sites 456
Auto-blocked sites/Temporary Blocked Sites list 457
Block a site permanently 457
Create Blocked Site Exceptions 458
Import a list of blocked sites or blocked sites exceptions 459
Block sites temporarily with policy settings 459
Change the duration that sites are auto-blocked 460
About blocked ports 460
Default blocked ports 461
Block a port 462
WatchGuard Server Setup 463
About WatchGuard Servers 463
Set up WatchGuard Servers 464
Before you begin 465
Start the wizard 465
General settings 465
Management Server settings 466
Log Server and Report Server settings 466
Quarantine Server settings 466
WebBlocker Server settings 467
Review and finish 467
About the gateway Firebox 467
Find your Management Server license key 468
Monitor the status of WatchGuard servers 469
Configure your WatchGuard servers 470
Open WatchGuard Server Center 471
Stop and start your WatchGuard servers 472
Install or configure WatchGuard servers from the WatchGuard Server Center 473
Exit or open the WatchGuardServer Center application 475
Management Server Setup and Administration 477
About the WatchGuard Management Server 477
Install the Management Server 477
Set up the Management Server 478
Configure the Management Server 478
Define settings for the Management Server 478
Configure the certificate authority on the Management Server 479
Update the Management Server with a new gateway address 480
Change the IP address of a Management Server 482
Change the Administrator passphrase 484
Configure License Key and Notification settings 486
Enable and configure Active Directory authentication 487
Configure Logging settings for the Management Server 489
Back up or restore the Management Server configuration 491
Back up your configuration 491
Restore your configuration 491
Move the WatchGuard Management Server to a new computer 492
Back up, move, and restore your Management Server 492
Configure other installed WatchGuard Servers 492
Use WSM to connect to a Management Server 493
Disconnect from the Management Server 494
Import or Export a Management Server configuration 494
Export a configuration 494
Import a configuration 494
Centralized Management 495
About WatchGuard System Manager 495
Device status 495
Device management 496
About the Device Management page 498
See information for managed devices 498
About Centralized Management modes 499
Change the Centralized Management mode 500
Add managed devices to the Management Server 503
If you know the current IPaddress of the device 504
If you do not know the IP address of the device 505
Set device management properties 506
Connection settings 506
IPSec tunnel preferences 508
Contact information 509
Schedule tasks for managed devices 509
Schedule OS Update 511
Schedule Feature Key Synchronization 512
Schedule Reboot 514
Review, cancel, or delete Scheduled Tasks 517
Update the configuration for a Fully Managed device 520
Manage Server Licenses 521
See current license key information 521
Add or remove a license key 522
Save or discard your changes 522
Manage customer contact information 522
Add a contact to the Management Server 522
Edit a contact in the Contact List 523
See and manage the Monitored Report Servers list 523
Add a Report Server to the list 524