Watchguard Fireware XTM Web UI User guide

Fireware XTM
Web UI
v11.1 User Guide
WatchGuard XTM 1050
Firebox X Peak e-Series
Firebox X Core e-Series
Firebox X Edge e-Series
ii Fireware XTM Web UI
ADDRESS
505 Fifth Avenue South
Suite 500
Seattle, WA 98104
SUPPORT
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575
SALES
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895
ABOUT WATCHGUARD
Since 1996, WatchGuard has been building award-winning unified threat management
(UTM) network security solutions that combine firewall, VPN and security services to
protect networks and the businesses they power. We recently launched the next
generation: extensible threat management (XTM) solutions featuring reliable, all-in-
one security, scaled and priced to meet the unique security needs of enterprises of
every size. Our products are backed by 15,000 partners representing WatchGuard in
120 countries. More than half a million signature-red WatchGuard security appliances
have already been deployed worldwide in industries including retail, education, and
healthcare. WatchGuard is headquartered in Seattle, Washington, with offices
throughout North America, Europe, Asia Pacific, and Latin America.
For more information, please call 206.613.6600 or visit www.watchguard.com.
Notice to Users
Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are
fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means,
electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.
Guide revision: 10/27/2009
Copyright, Trademark, and Patent Information
Copyright © 1998 - 2009 WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade names mentioned
herein, if any, are the property of their respective owners.
Complete copyright, trademark, patent, and licensing information can be found in the Copyright and Licensing Guide,
available online:
http://www.watchguard.com/help/documentation/
Abbreviations Used in this Guide
3DES    Triple Data Encryption Standard
BOVPN   Branch Office Virtual Private Network
DES     Data Encryption Standard
DHCP    Dynamic Host Configuration Protocol
DNS     Domain Name Service
DSL     Digital Subscriber Line
IP      Internet Protocol
IPSec   Internet Protocol Security
ISP     Internet Service Provider
MAC     Media Access Control
NAT     Network Address Translation
PPP     Point-to-Point Protocol
PPPoE   Point-to-Point Protocol over Ethernet
PPTP    Point-to-Point Tunneling Protocol
SSL     Secure Sockets Layer
TCP     Transfer Control Protocol
UDP     User Datagram Protocol
URL     Uniform Resource Locator
VPN     Virtual Private Network
WAN     Wide Area Network
WSM     WatchGuard System Manager
This product is for indoor use only.
User Guide iii
Table of Contents
Chapter 1 Introduction to Network Security ............................................................................................ 1
About networks and network security .......................................................................................................... 1
About Internet connections.......................................................................................................................... 1
How information travels on the Internet ................................................................................................. 2
About protocols................................................................................................................................................. 2
Private addresses and gateways ................................................................................................................. 3
About subnet masks ........................................................................................................................................ 3
About slash notation ....................................................................................................................................... 3
About entering IP addresses......................................................................................................................... 4
Static and dynamic IP addresses ................................................................................................................. 4
Static IP addresses ....................................................................................................................................... 4
Dynamic IP addresses................................................................................................................................. 4
About DHCP............................................................................................................................................................. 5
About PPPoE............................................................................................................................................................ 5
About DNS (Domain Name System) ............................................................................................................... 5
About firewalls........................................................................................................................................................ 6
Chapter 2 Introduction to Fireware XTM ................................................................................................ 11
Introduction to Fireware XTM ......................................................................................................................... 11
WatchGuard System Manager ................................................................................................................... 12
WatchGuard Server Center.......................................................................................................................... 13
Fireware XTM Web UI and Command Line Interface......................................................................... 13
Fireware XTM with a Pro Upgrade................................................................................................................. 14
Chapter 3 Service and Support ................................................................................................................ 15
About WatchGuard Support............................................................................................................................ 15
LiveSecurity Service................................................................................................................................... 15
LiveSecurity Service Gold........................................................................................................................ 16
Service expiration ...................................................................................................................................... 16
Chapter 4 Getting Started ........................................................................................................................ 17
Before you begin.................................................................................................................................................. 17
Verify basic components ......................................................................................................................... 17
Get a WatchGuard device feature key................................................................................................ 17
Gather network addresses...................................................................................................................... 18
Select a firewall configuration mode.................................................................................................. 19
Run the Web Setup Wizard.......................................................................................................................... 20
Start the Web Setup Wizard ................................................................................................................... 20
After the wizard finishes.......................................................................................................................... 22
If you have problems with the wizard ................................................................................................ 22
Connect to Fireware XTM Web UI.................................................................................................................. 23
Customize your security policy ............................................................................................................. 26
About LiveSecurity Service..................................................................................................................... 26
Additional installation topics .......................................................................................................................... 27
Connect to a Firebox with Firefox v3....................................................................................................... 27
Add a certificate exception to Mozilla Firefox v3 ........................................................................... 27
Identify your network settings................................................................................................................... 28
Network Addressing Requirements .................................................................................................... 28
Find your TCP/IP properties on Microsoft Windows Vista .......................................................... 29
Find your TCP/IP properties on Microsoft Windows 2000, Windows 2003, and Windows XP .......... 29
Find your TCP/IP properties on Microsoft Windows NT............................................................... 29
Find your TCP/IP properties on Macintosh OS 9............................................................................. 29
Find your TCP/IP properties on other operating systems (Unix, Linux) ................................. 30
Find PPPoE settings................................................................................................................................... 30
Set your computer to connect to your WatchGuard device ........................................................... 30
Use DHCP ...................................................................................................................................................... 30
Use a static IP address .............................................................................................................................. 31
Disable the HTTP proxy in the browser................................................................................................... 32
Disable the HTTP proxy in Internet Explorer 6.x or 7.x ................................................................. 32
Disable the HTTP proxy in Firefox 2.x ................................................................................................. 32
Disable the HTTP proxy in Safari 2.0.................................................................................................... 32
Chapter 5 Configuration and Management Basics ................................................................................ 33
About basic configuration and management tasks................................................................................ 33
Restore a Firebox backup image.................................................................................................................... 34
Reset a Firebox to a previous or new configuration ............................................................................... 35
Start a Firebox X Core or Peak e-Series, or a WatchGuard XTM device in safe mode........ 35
Run the Quick Setup Wizard .................................................................................................................. 36
About feature keys .............................................................................................................................................. 38
When you purchase a new feature...................................................................................................... 38
See features available with the current feature key ...................................................................... 38
Activate the license key for a feature....................................................................................................... 39
Add a feature key to your Firebox ............................................................................................................ 41
Remove a feature key.................................................................................................................................... 42
Restart your Firebox............................................................................................................................................ 42
Restart the Firebox locally............................................................................................................................ 42
Reboot from Fireware XTM Web UI.......................................................................................................... 42
Power cycle ....................................................................................................................................................... 42
Restart the Firebox remotely ...................................................................................................................... 42
Enable NTP and add NTP servers ................................................................................................................... 43
About SNMP .......................................................................................................................................................... 45
SNMP polls and traps..................................................................................................................................... 45
Enable SNMP polling ..................................................................................................................................... 47
Enable SNMP management stations and traps.................................................................................... 48
Configure SNMP Management Stations................................................................................................. 49
Send an SNMP trap for a policy.................................................................................................................. 50
Create a secure passphrase, encryption key, or shared key ....................................................... 51
Firebox Passphrases.................................................................................................................................. 51
User Passphrases........................................................................................................................................ 51
Server Passphrases .................................................................................................................................... 52
Encryption Keys and Shared Keys ........................................................................................................ 52
Enable TCP SYN checking ....................................................................................................................... 55
Enable or disable Traffic Management and QoS ............................................................................ 56
Change the Web UI port.......................................................................................................................... 56
Automatic Reboot...................................................................................................................................... 56
External Console......................................................................................................................................... 56
Edit the WatchGuard policy ................................................................................................................... 61
Set up the Managed Device................................................................................................................... 62
Upgrade to a new version of Fireware XTM............................................................................................... 63
Install the upgrade on your management computer................................................................... 63
Upgrade the Firebox................................................................................................................................. 63
Subscription Services upgrades............................................................................................................ 65
Appliance and software upgrades....................................................................................................... 65
How to apply an upgrade ....................................................................................................................... 65
Chapter 6 Network Setup and Configuration ......................................................................................... 67
About network interface setup....................................................................................................................... 67
Network modes ............................................................................................................................................... 67
Interface types.................................................................................................................................................. 68
Mixed Routing Mode.......................................................................................................................................... 69
Configure an external interface................................................................................................................. 69
Use a static IP address ................................................................................................................................... 69
Use PPPoE authentication ........................................................................................................................... 70
Configure DHCP in mixed routing mode ............................................................................................... 72
About the Dynamic DNS service ............................................................................................................... 74
About network configuration in drop-in mode........................................................................................ 76
Use drop-in mode for network interface configuration ................................................................... 76
Use DHCP ...................................................................................................................................................... 78
Use DHCP relay ........................................................................................................................................... 79
Specify DHCP settings for a single interface ......................................................................................... 79
Disable an interface........................................................................................................................................ 83
Configure DHCP Relay................................................................................................................................... 83
About MAC addresses .............................................................................................................................. 88
Set DF bit for IPSec ......................................................................................................................................... 89
PMTU Setting for IPSec ................................................................................................................................. 89
Use static MAC address binding................................................................................................................ 89
About LAN bridges.............................................................................................................................................. 90
Create a network bridge configuration .................................................................................................. 91
Assign a network interface to a bridge ................................................................................................... 92
Add a static route............................................................................................................................................ 93
About virtual local area networks (VLANs)................................................................................................. 94
About tagging.................................................................................................................................................. 95
Use DHCP on a VLAN ..................................................................................................................................... 97
Use DHCP relay on a VLAN .......................................................................................................................... 97
Assign interfaces to a VLAN......................................................................................................................... 97
Chapter 7 Multi-WAN ............................................................................................................................... 99
About using multiple external interfaces ................................................................................................... 99
Multi-WAN requirements and conditions.............................................................................................. 99
Multi-WAN and DNS.................................................................................................................................... 100
About multi-WAN options............................................................................................................................. 100
Round-robin order....................................................................................................................................... 100
Interface overflow........................................................................................................................................ 101
Routing table................................................................................................................................................. 101
Serial modem (Firebox X Edge only)..................................................................................................... 101
Before You Begin.......................................................................................................................................... 102
Configure the interfaces............................................................................................................................ 102
Before You Begin.......................................................................................................................................... 104
Configure the interfaces............................................................................................................................ 104
Before You Begin.......................................................................................................................................... 105
Configure the interfaces............................................................................................................................ 105
Before you begin.......................................................................................................................................... 106
Routing Table mode and load balancing............................................................................................ 106
Configure the interfaces............................................................................................................................ 106
When to use Multi-WAN methods and routing ................................................................................ 107
When to use the Routing Table method ........................................................................................ 107
When to use the Round-Robin method.......................................................................................... 107
About advanced multi-WAN settings ....................................................................................................... 108
Set a global sticky connection duration .............................................................................................. 108
Set the failback action ................................................................................................................................ 109
Serial modem failover ..................................................................................................................................... 109
Enable serial modem failover .................................................................................................................. 109
Account settings...................................................................................................................................... 110
DNS settings.............................................................................................................................................. 110
Dial-up settings........................................................................................................................................ 111
Link Monitor settings............................................................................................................................. 111
Time needed for the Firebox to update its route table.................................................................. 113
Define a link monitor host ........................................................................................................................ 113
Chapter 8 Network Address Translation (NAT) .................................................................................... 115
About Network Address Translation (NAT) ............................................................................................. 115
Add firewall dynamic NAT entries ......................................................................................................... 117
Delete a dynamic NAT entry .................................................................................................................... 118
Reorder dynamic NAT entries.................................................................................................................. 118
Configure policy-based dynamic NAT.................................................................................................. 119
Disable policy-based dynamic NAT....................................................................................................... 120
About 1-to-1 NAT and VPNs................................................................................................................ 121
Configure firewall 1-to-1 NAT.................................................................................................................. 122
Define a 1-to-1 NAT rule ............................................................................................................................ 123
Configure policy-based 1-to-1 NAT....................................................................................................... 124
Enable policy-based 1-to-1 NAT ............................................................................................................. 124
Disable policy-based 1-to-1 NAT............................................................................................................ 124
Configure NAT loopback with static NAT ................................................................................................ 125
Configure server load balancing................................................................................................................. 131
Chapter 9 Wireless Setup ....................................................................................................................... 133
About wireless configuration....................................................................................................................... 133
Enable/disable SSID broadcasts ............................................................................................................. 137
Change the SSID........................................................................................................................................... 138
Log authentication events........................................................................................................................ 138
Change the fragmentation threshold .................................................................................................. 138
When to change the default fragmentation threshold.................................................................. 138
Change the fragmentation threshold .................................................................................................. 139
Change the RTS threshold ........................................................................................................................ 139
About wireless security settings.................................................................................................................. 140
Set the wireless authentication method ............................................................................................. 140
Set the encryption level............................................................................................................................. 140
WPA and WPA2 PSK authentication...................................................................................................... 141
Enable a wireless guest network................................................................................................................. 144
Configure your external interface as a wireless interface .................................................................. 146
Configure the primary external interface as a wireless interface .......................................... 146
Configure a BOVPN tunnel for additional security ..................................................................... 148
Set the operating region and channel ............................................................................................ 149
Set the wireless mode of operation ................................................................................................. 150
Configure the wireless card on your computer..................................................................................... 151
Chapter 10 Dynamic Routing ...................................................................................................................153
About dynamic routing .................................................................................................................................. 153
About routing daemon configuration files ............................................................................................. 153
About Routing Information Protocol (RIP) .............................................................................................. 154
Routing Information Protocol (RIP) commands................................................................................ 154
Configure the Firebox to use RIP v2...................................................................................................... 157
Allow RIP v2 traffic through the Firebox.............................................................................................. 158
Sample RIP routing configuration file .................................................................................................. 158
About Open Shortest Path First (OSPF) Protocol .................................................................................. 160
OSPF commands .......................................................................................................................................... 160
OSPF Interface Cost table.......................................................................................................................... 162
Configure the Firebox to use OSPF ....................................................................................................... 163
Sample OSPF routing configuration file .............................................................................................. 164
Allow BGP traffic through the Firebox ................................................................................................. 171
Sample BGP routing configuration file ................................................................................................ 171
Chapter 11 Authentication ......................................................................................................................173
About user authentication ............................................................................................................................ 173
User authentication steps......................................................................................................................... 174
Manually close an authenticated session ........................................................................................... 174
See authenticated users ....................................................................................................................... 175
Close a user session................................................................................................................................ 175
Use authentication through a gateway Firebox.......................................................................... 176
Allow multiple concurrent logins...................................................................................................... 178
Automatically redirect users to the login portal.......................................................................... 178
Use a custom default start page........................................................................................................ 179
Set Management Session timeouts.................................................................................................. 179
About the WatchGuard Authentication (WG-Auth) policy................................................................ 179
Set up SSO ................................................................................................................................................. 181
Install the WatchGuard Single Sign-On (SSO) agent....................................................................... 181
Download the SSO agent software ....................................................................................................... 181
Before you install.......................................................................................................................................... 182
Install the SSO agent service.................................................................................................................... 182
Install the WatchGuard Single Sign-On (SSO) client ....................................................................... 182
Install the SSO client service .................................................................................................................... 183
Enable Single Sign-On (SSO).................................................................................................................... 183
Enable and configure SSO ........................................................................................................................ 184
Define SSO exceptions............................................................................................................................... 184
About using third-party authentication servers............................................................................... 185
Use a backup authentication server...................................................................................................... 185
Types of Firebox authentication............................................................................................................. 186
Firewall authentication ......................................................................................................................... 186
Mobile VPN with PPTP connections ................................................................................................. 187
Mobile VPN with SSL connections .................................................................................................... 188
Define a new user for Firebox authentication................................................................................... 189
Define a new group for Firebox authentication ............................................................................... 190
Authentication key ................................................................................................................................. 191
RADIUS authentication methods ...................................................................................................... 191
Before you begin..................................................................................................................................... 191
About RADIUS groups................................................................................................................................ 195
Practical use of RADIUS groups .............................................................................................................. 195
Configure SecurID authentication.............................................................................................................. 199
Configure LDAP authentication .................................................................................................................. 200
About LDAP optional settings............................................................................................................ 201
About Active Directory optional settings....................................................................................... 203
DN of Searching User and Password of Searching User fields..................................................... 204
Change the default port for the Active Directory server ............................................................... 205
Configure the Firebox to use the global catalog port .................................................................... 205
To find out if your Active Directory server is configured as a global catalog server ........... 205
Before You Begin..................................................................................................................................... 206
Specify Active Directory or LDAP Optional Settings .................................................................. 206
Use a local user account for authentication............................................................................................ 209
Define users and groups for Firebox authentication................................................................. 210
Define users and groups for third-party authentication .......................................................... 210
Chapter 12 Policies ...................................................................................................................................213
About policies .................................................................................................................................................... 213
Packet filter and proxy policies .......................................................................................................... 213
About the Firewall or Mobile VPN Policies page .............................................................................. 215
Add a policy from the list of templates................................................................................................ 218
Disable or delete a policy.......................................................................................................................... 219
Delete a policy............................................................................................................................................... 219
Alias members............................................................................................................................................... 220
Create an alias ............................................................................................................................................... 221
Add an address, address range, DNS name, user, group, or another alias to the alias....... 222
Automatic policy order .............................................................................................................................. 223
Policy specificity and protocols .............................................................................................................. 223
Firewall actions ............................................................................................................................................. 224
Schedules................................................................................................................................................... 224
Policy types and names ........................................................................................................................ 224
Create or edit a custom policy template ............................................................................................. 227
Policy tab......................................................................................................................................................... 229
Properties tab................................................................................................................................................ 229
Advanced tab ................................................................................................................................................ 229
Proxy settings................................................................................................................................................ 229
Configure policy-based routing ............................................................................................................. 231
Policy-based routing, failover, and failback ....................................................................................... 232
Restrictions on policy-based routing.................................................................................................... 232
Add policy-based routing to a policy ................................................................................................... 232
Set a custom idle timeout......................................................................................................................... 233
Set ICMP error handling............................................................................................................................. 233
Apply NAT rules ............................................................................................................................................ 233
1-to-1 NAT....................................................................................................................................................... 233
Set the sticky connection duration for a policy ................................................................................ 234
Chapter 13 Proxy Settings .......................................................................................................................235
About proxy policies and ALGs.................................................................................................................... 235
Proxy configuration..................................................................................................................................... 235
Add a proxy policy to your configuration................................................................................................ 236
Set the proxy action in a proxy definition........................................................................................... 238
Edit, delete, or clone proxy actions ....................................................................................................... 238
About the DNS proxy ...................................................................................................................................... 239
Policy tab......................................................................................................................................................... 239
Advanced tab ................................................................................................................................................ 240
Settings and Content tabs........................................................................................................................ 240
About the FTP proxy........................................................................................................................................ 243
Policy tab......................................................................................................................................................... 243
Properties tab................................................................................................................................................ 243
Advanced tab ................................................................................................................................................ 243
Settings and Content tabs........................................................................................................................ 244
FTP proxy: Content...................................................................................................................................... 244
About the H.323 ALG....................................................................................................................................... 246
VoIP components......................................................................................................................................... 246
ALG functions................................................................................................................................................ 246
Properties tab................................................................................................................................................ 247
Advanced tab ................................................................................................................................................ 247
Settings and Content tabs........................................................................................................................ 247
H.323 ALG: Settings..................................................................................................................................... 250
About the HTTP proxy..................................................................................................................................... 251
Policy tab......................................................................................................................................................... 251
Properties tab................................................................................................................................................ 251
Settings and Content tabs........................................................................................................................ 252
Allow Windows updates through the HTTP proxy .......................................................................... 252
If you still cannot download Windows updates .......................................................................... 252
File name patterns.................................................................................................................................. 254
HTTP proxy: Settings................................................................................................................................... 256
HTTP requests........................................................................................................................................... 256
HTTP responses........................................................................................................................................ 257
HTTP proxy exceptions ......................................................................................................................... 258
Policy tab......................................................................................................................................................... 259
Properties tab................................................................................................................................................ 259
Settings and Content tabs........................................................................................................................ 260
HTTPS Proxy: Content................................................................................................................................. 260
HTTPS Proxy: Settings................................................................................................................................. 262
Policy tab......................................................................................................................................................... 264
Properties tab................................................................................................................................................ 264
Advanced tab ................................................................................................................................................ 264
POP3 Proxy: Content................................................................................................................................... 265
About the SIP proxy ......................................................................................................................................... 268
VoIP components......................................................................................................................................... 268
ALG functions................................................................................................................................................ 268
Properties tab................................................................................................................................................ 269
Advanced tab ................................................................................................................................................ 269
Settings and Content tabs........................................................................................................................ 269
Policy tab......................................................................................................................................................... 274
Properties tab................................................................................................................................................ 274
Advanced tab ................................................................................................................................................ 274
Settings, Addressing, and Content tabs .............................................................................................. 275
SMTP Proxy: Addressing............................................................................................................................ 275
SMTP Proxy: Settings .................................................................................................................................. 277
Configure the SMTP proxy to quarantine email ............................................................................... 278
Policy tab......................................................................................................................................................... 279
Properties tab................................................................................................................................................ 279
Advanced tab ................................................................................................................................................ 279
Settings and Content tabs........................................................................................................................ 279
Chapter 14 Traffic Management and QoS .............................................................................................. 283
About Traffic Management and QoS......................................................................................................... 283
Enable traffic management and QoS.................................................................................................... 284
Restrict bandwidth ...................................................................................................................................... 285
QoS Marking .................................................................................................................................................. 285
Traffic priority ................................................................................................................................................ 285
Before you begin.......................................................................................................................................... 288
QoS marking for interfaces and policies.............................................................................................. 288
Marking types and values ......................................................................................................................... 289
QoS marking settings ................................................................................................................................. 292
Prioritization settings ................................................................................................................................. 293
Priority Levels ................................................................................................................................................ 293
Define a Traffic Management action..................................................................................................... 294
Determine available bandwidth............................................................................................................. 294
Determine the sum of your bandwidth............................................................................................... 294
Create or modify a Traffic Management action ................................................................................ 295
Add a Traffic Management action to a policy.................................................................................... 296
Add a traffic management action to multiple policies................................................................... 296
Chapter 15 Default Threat Protection ..................................................................................................... 297
About default threat protection.................................................................................................................. 297
About spoofing attacks.............................................................................................................................. 299
How the WatchGuard device identifies network probes .............................................................. 301
To protect against port space and address space probes ............................................................ 302
About the SYN flood attack setting....................................................................................................... 304
About unhandled packets ........................................................................................................................ 304
About distributed denial-of-service attacks....................................................................................... 305
Permanently blocked sites................................................................................................................... 306
Auto-blocked sites/Temporary Blocked Sites list........................................................................ 306
See and edit the sites on the Blocked Sites list ............................................................................ 306
Block a site permanently ........................................................................................................................... 307
Create Blocked Site Exceptions............................................................................................................... 308
Block sites temporarily with policy settings....................................................................................... 308
Change the duration that sites are auto-blocked ............................................................................ 309
Default blocked ports............................................................................................................................ 310
Block a port .................................................................................................................................................... 311
Block IP addresses that try to use blocked ports .............................................................................. 311
Chapter 16 Logging and Notification ...................................................................................................... 313
About logging and log files .......................................................................................................................... 313
Log Servers ................................................................................................................................................ 313
Logging and notification in applications and servers ............................................................... 314
About log messages............................................................................................................................... 314
Types of log messages ............................................................................................................................... 314
Traffic log messages............................................................................................................................... 314
Alarm log messages ............................................................................................................................... 314
Debug log messages ............................................................................................................................. 315
Statistic log messages ........................................................................................................................... 315
Send log messages to a WatchGuard Log Server ................................................................................. 315
Add, edit, or change the priority of Log Servers............................................................................... 316
Configure Logging Settings.......................................................................................................................... 318
Set logging and notification preferences ........................................................................................... 320
View, Sort, and Filter log message data .......................................................................................... 322
Refresh log message data .................................................................................................................... 323
Chapter 17 Monitor your Firebox ............................................................................................................ 325
The Dashboard .................................................................................................................................................. 325
System Status pages........................................................................................................................................ 327
Bandwidth Meter .............................................................................................................................................. 329
Blocked sites status.......................................................................................................................................... 330
Add or edit temporary blocked sites ............................................................................................... 330
Checksums .......................................................................................................................................................... 331
Connections........................................................................................................................................................ 331
CPU Usage ........................................................................................................................................................... 332
Diagnostics.......................................................................................................................................................... 334
Run a basic diagnostics command ................................................................................................... 334
Use command arguments ................................................................................................................... 335
Dynamic DNS ..................................................................................................................................................... 335
Feature Key ......................................................................................................................................................... 336
Interfaces ............................................................................................................................................................. 336
LiveSecurity......................................................................................................................................................... 337
Memory ................................................................................................................................................................ 337
Syslog.................................................................................................................................................................... 339
Chapter 18 Certificates .............................................................................................................................343
About certificates.............................................................................................................................................. 343
Use multiple certificates to establish trust.......................................................................................... 343
How the Firebox uses certificates .......................................................................................................... 344
Certificate lifetimes and CRLs .................................................................................................................. 344
Certificate authorities and signing requests ...................................................................................... 345
See current certificates .............................................................................................................................. 346
Import a certificate from a file ................................................................................................................. 346
Use a web server certificate for authentication ................................................................................ 347
Use OpenSSL to generate a CSR............................................................................................................. 348
Send the certificate request ..................................................................................................................... 349
Issue the certificate...................................................................................................................................... 349
Download the certificate........................................................................................................................... 349
Use Certificates for the HTTPS Proxy ......................................................................................................... 350
Protect a private HTTPS server ................................................................................................................ 350
Examine content from external HTTPS servers ................................................................................. 351
Import the certificates on client devices ............................................................................................. 352
Troubleshoot problems with HTTPS content inspection.............................................................. 352
Use a certificate for BOVPN tunnel authentication .............................................................................. 354
Verify the certificate with FSM ................................................................................................................ 354
Verify VPN certificates with an LDAP server ....................................................................................... 355
Chapter 19 Branch Office Virtual Private Networks ...............................................................................359
What you need to create a VPN................................................................................................................... 359
About manual BOVPN tunnels..................................................................................................................... 360
What you need to create a VPN ......................................................................................................... 360
How to create a manual BOVPN tunnel .......................................................................................... 361
One-way tunnels ..................................................................................................................................... 361
xii Fireware XTM Web UI
VPN Failover .............................................................................................................................................. 361
Global VPN settings................................................................................................................................ 361
BOVPN tunnel status.............................................................................................................................. 361
Rekey BOVPN tunnels............................................................................................................................ 361
Sample VPN address information table.................................................................................................... 362
Disable automatic tunnel startup for the gateway..................................................................... 364
Edit and delete gateways..................................................................................................................... 364
Define the credential method................................................................................................................. 365
If you selected Pre-Shared Key........................................................................................................... 365
If you selected Use IPSec Firebox Certificate ................................................................................ 365
Define gateway endpoints ....................................................................................................................... 365
Local Gateway ............................................................................................................................................... 366
Remote Gateway.......................................................................................................................................... 367
DH groups and Perfect Forward Secrecy (PFS) ............................................................................ 372
How to choose a Diffie-Hellman group .......................................................................................... 372
Performance analysis............................................................................................................................. 372
Define a tunnel ............................................................................................................................................. 373
Edit and delete a tunnel ............................................................................................................................ 374
Add routes for a tunnel.............................................................................................................................. 375
Add an existing proposal ..................................................................................................................... 377
Create a new proposal .......................................................................................................................... 377
Edit a proposal .............................................................................................................................................. 378
Change order of tunnels ........................................................................................................................... 378
About global VPN settings ............................................................................................................................ 379
Enable IPSec Pass-through ....................................................................................................................... 379
Enable LDAP server for certificate verification .................................................................................. 380
1-to-1 NAT and VPNs.............................................................................................................................. 381
Other reasons to use 1-to-1 NAT through a VPN......................................................................... 381
Alternative to using NAT ...................................................................................................................... 381
Example ...................................................................................................................................................... 382
Define a Branch Office gateway on each Firebox ....................................................................... 383
Configure the local tunnel................................................................................................................... 383
Define a route for all Internet-bound traffic ........................................................................................... 387
Configure the BOVPN tunnel on the remote Firebox ................................................................ 387
Configure the BOVPN tunnel on the central Firebox................................................................. 388
Add a dynamic NAT entry on the central Firebox....................................................................... 388
Enable a WatchGuard device to send multicast traffic through a tunnel .......................... 390
Example: Multicast routing through a BOVPN tunnel.................................................................... 392
Example settings ..................................................................................................................................... 392
Enable broadcast routing for the local Firebox............................................................................ 397
Configure broadcast routing for the Firebox at the other end of the tunnel ................... 398
Example settings ..................................................................................................................................... 399
Configure broadcast routing for the BOVPN tunnel at Site A................................................. 399
Configure broadcast routing for the BOVPN tunnel at Site B ................................................. 401
Define multiple gateway pairs ........................................................................................................... 403
See VPN statistics .................................................................................................................................... 405
Rekey BOVPN tunnels...................................................................................................................................... 405
Why do I need a static external address? ....................................................................................... 406
How do I get a static external IP address?...................................................................................... 406
How do I troubleshoot the connection?......................................................................................... 406
Why is ping not working? .................................................................................................................... 406
How do I set up more than the number of allowed VPN tunnels on my Edge?............... 406
Collect IP address and tunnel settings ............................................................................................ 407
PHASE 1 Settings (Both sides must use exactly the same values) ........................................ 408
PHASE 2 Settings (Both sides must use exactly the same values)......................................... 408
Configure the Phase 1 settings .......................................................................................................... 413
Configure the Phase 2 settings .......................................................................................................... 417
Configure the Phase 1 settings .......................................................................................................... 422
Add a VPN Tunnel ................................................................................................................................... 424
Configure the Phase 2 settings .......................................................................................................... 426
Collect IP address and tunnel settings ............................................................................................ 428
PHASE 1 Settings (Both sides must use exactly the same values) ........................................ 429
PHASE 2 Settings (Both sides must use exactly the same values)......................................... 429
Configure Site A, Fireware XTM v11.x................................................................................................... 431
Configure the Phase 1 settings .......................................................................................................... 434
Configure the Phase 2 settings .......................................................................................................... 438
Add a VPN Gateway................................................................................................................................ 440
Configure the Phase 1 settings .......................................................................................................... 442
Configure the Phase 2 settings .......................................................................................................... 446
Collect IP address and tunnel settings ............................................................................................ 450
PHASE 1 Settings (Both sides must use exactly the same values)......................................... 451
PHASE 2 Settings (Both sides must use exactly the same values)......................................... 451
PHASE 1 Settings (Both sides must use exactly the same values)......................................... 452
PHASE 2 Settings (Both sides must use exactly the same values)......................................... 452
Configure Site A, Fireware 11.x ............................................................................................................... 453
Configure the Phase 1 settings .......................................................................................................... 456
Configure the Phase 2 settings .......................................................................................................... 460
Configure the Phase 1 settings .......................................................................................................... 463
Configure the Phase 2 settings .......................................................................................................... 464
Configure VPN Keep Alive.................................................................................................................... 465
Select either IKE Keep-alive or Dead Peer Detection, but not both...................................... 466
Use the default settings........................................................................................................................ 467
Configure the Firebox to send log traffic through the tunnel................................................ 468
Chapter 20 Mobile VPN with PPTP ..........................................................................................................471
About Mobile VPN with PPTP....................................................................................................................... 471
Mobile VPN with PPTP requirements ........................................................................................................ 471
Configure Mobile VPN with PPTP ............................................................................................................... 473
Encryption Settings ................................................................................................................................ 474
Advanced Tab settings.......................................................................................................................... 475
Configure policies to allow Mobile VPN with PPTP traffic........................................................ 479
Configure policies to allow Mobile VPN with PPTP traffic ................................................................. 480
Allow PPTP users to access a trusted network ............................................................................. 480
Options for Internet access through a Mobile VPN with PPTP tunnel........................................... 481
Default-route VPN................................................................................................................................... 481
Split tunnel VPN....................................................................................................................................... 481
Default-route VPN setup for Mobile VPN with PPTP .................................................................. 482
Split tunnel VPN setup for Mobile VPN with PPTP ...................................................................... 482
Prepare a Windows NT or 2000 client computer: Install MSDUN and service packs...... 483
Create a PPTP connection.................................................................................................................... 484
Establish the PPTP connection........................................................................................................... 484
Create the PPTP Mobile VPN............................................................................................................... 485
Connect with the PPTP Mobile VPN ................................................................................................. 485
Create the PPTP Mobile VPN............................................................................................................... 486
Connect with the PPTP Mobile VPN ................................................................................................. 486
Make outbound PPTP connections from behind a Firebox .............................................................. 486
Chapter 21 Mobile VPN with IPSec ..........................................................................................................487
About WatchGuard Mobile VPN with IPSec............................................................................................ 487
Configure a Mobile VPN with IPSec connection............................................................................... 487
System requirements ................................................................................................................................. 488
Options for Internet access through a Mobile VPN tunnel........................................................... 488
Default-route VPN................................................................................................................................... 488
Split tunnel VPN....................................................................................................................................... 488
Configure the Firebox for Mobile VPN with IPSec............................................................................ 489
Configure a Mobile VPN with IPSec group .................................................................................... 489
Configure the external authentication server .............................................................................. 495
Modify an existing Mobile VPN with IPSec group profile.............................................................. 497
Configure a Mobile VPN with IPSec group ......................................................................................... 498
Define advanced Phase 1 settings.................................................................................................... 504
Define advanced Phase 2 settings.................................................................................................... 506
Lock down an end user profile................................................................................................................ 509
Mobile VPN with IPSec configuration files.......................................................................................... 509
Configure policies to filter Mobile VPN traffic ................................................................................... 510
Add an individual policy....................................................................................................................... 510
Distribute the software and profiles ..................................................................................................... 510
Making outbound IPSec connections from behind a Firebox................................................ 511
Terminate IPSec connections ............................................................................................................. 511
Global VPN settings................................................................................................................................ 511
See the number of Mobile VPN licenses......................................................................................... 511
Purchase additional Mobile VPN licenses ...................................................................................... 511
Add feature keys...................................................................................................................................... 511
Configure Mobile VPN with IPSec to a dynamic IP address.......................................................... 512
Keep a record of the current IP address.......................................................................................... 512
Configure the Firebox and IPSec client computers .................................................................... 512
Client Requirements ................................................................................................................................... 514
Install the Mobile VPN with IPSec client software............................................................................ 514
Import the end-user profile................................................................................................................. 515
Select a certificate and enter the PIN............................................................................................... 516
Uninstall the Mobile VPN client ......................................................................................................... 516
Disconnect the Mobile VPN client .................................................................................................... 517
Control connection behavior.............................................................................................................. 517
Mobile User VPN client icon ................................................................................................................ 519
See Mobile VPN log messages ................................................................................................................ 519
Secure your computer with the Mobile VPN firewall...................................................................... 519
About the desktop firewall.................................................................................................................. 520
Define friendly networks ...................................................................................................................... 521
Create firewall rules................................................................................................................................ 522
Import the end user profile ................................................................................................................. 528
Select a certificate and enter the passphrase ............................................................................... 529
Connect and disconnect the Mobile VPN client .......................................................................... 529
Control the connection behavior...................................................................................................... 530
Mobile User VPN client icon ................................................................................................................ 531
Mobile VPN WM Configurator and Windows Mobile IPSec client requirements............. 532
Select a certificate and enter the PIN............................................................................................... 533
Upload the end-user profile to the Windows Mobile device.................................................. 536
Connect and disconnect the Mobile VPN for Windows Mobile client................................. 537
Secure your Windows Mobile device with the Mobile VPN firewall.......................................... 539
Uninstall the Configurator from your Windows computer...................................................... 541
Uninstall the WatchGuard Mobile VPN Service and Monitor from your Windows Mobile device .......... 541
Chapter 22 Mobile VPN with SSL ............................................................................................................. 543
About Mobile VPN with SSL.......................................................................................................................... 543
Configure authentication and connection settings................................................................... 544
Configure the Networking and IP Address Pool settings......................................................... 545
Configure Advanced settings for Mobile VPN with SSL............................................................ 547
Configure user authentication for Mobile VPN with SSL.......................................................... 548
Configure policies to control Mobile VPN with SSL client access.......................................... 548
Use other groups or users in a Mobile VPN with SSL policy .................................................... 549
How to choose a different port and protocol.................................................................................... 550
Allow direct access to the internet ................................................................................................... 551
Force all client traffic through tunnel.............................................................................................. 551
Use the HTTP proxy to control Internet access for Mobile VPN with SSL users .................... 551
Name resolution for Mobile VPN with SSL.......................................................................................... 551
Methods of name resolution through a Mobile VPN with SSL connection ............................ 552
Select the best method for your network........................................................................................... 552
Configure WINS or DNS for name resolution..................................................................................... 552
Add WINS and DNS servers to a Mobile VPN with SSL configuration....................................... 552
Configure an LMHOSTS file to provide name resolution .............................................................. 552
Edit an LMHOSTS file .................................................................................................................................. 553
Install and connect the Mobile VPN with SSL client............................................................................. 553
Client computer requirements........................................................................................................... 553
Install the client software ..................................................................................................................... 554
Connect to your private network...................................................................................................... 555
Manually distribute and install the Mobile VPN with SSL client software and configuration file .......... 556
Install and configure the SSL client using the installation software and a configuration file .......... 557
Update the configuration of a computer that is unable to connect to the WatchGuard device .......... 558
Uninstall the Mobile VPN with SSL client ............................................................................................ 558
Windows Vista and Windows XP............................................................................................................ 558
Mac OS X ......................................................................................................................................................... 558
Chapter 23 WebBlocker ............................................................................................................................ 559
About WebBlocker ........................................................................................................................................... 559
Before you begin..................................................................................................................................... 561
Create WebBlocker profiles ................................................................................................................. 561
Enable local override ............................................................................................................................. 563
Select categories to block .................................................................................................................... 564
Add WebBlocker exceptions............................................................................................................... 565
About WebBlocker categories ..................................................................................................................... 567
See whether a site is categorized........................................................................................................... 567
Add, remove, or change a category ...................................................................................................... 568
Define the action for sites that do not match exceptions........................................................ 569
Components of exception rules ........................................................................................................ 569
Exceptions with part of a URL............................................................................................................. 569
About WebBlocker subscription services expiration........................................................................... 572
Chapter 24 spamBlocker .......................................................................................................................... 573
About spamBlocker.......................................................................................................................................... 573
spamBlocker actions, tags, and categories......................................................................................... 574
spamBlocker categories ............................................................................................................................ 575
About spamBlocker exceptions.............................................................................................................. 578
Add spamBlocker exception rules .................................................................................................... 579
Configure Virus Outbreak Detection actions for a policy.............................................................. 580
Configure spamBlocker to quarantine email..................................................................................... 581
About using spamBlocker with multiple proxies ............................................................................. 581
Set global spamBlocker parameters.......................................................................................................... 582
Use an HTTP proxy server for spamBlocker........................................................................................ 583
Add trusted email forwarders to improve spam score accuracy................................................ 584
About spamBlocker and VOD scan limits............................................................................................ 585
File scan limits by WatchGuard device model, in kilobytes.......................................................... 585
Maximum number of connections by WatchGuard device model ........................................... 586
Send spam or bulk email to special folders in Outlook.................................................................. 587
Find the category a message is assigned to.................................................................................. 589
Chapter 25 Gateway AntiVirus and Intrusion Prevention ..................................................................... 591
About Gateway AntiVirus and Intrusion Prevention ........................................................................... 591
Install and upgrade Gateway AV/IPS ............................................................................................... 592
About Gateway AntiVirus/Intrusion Prevention and proxy policies .................................... 592
Configure the Gateway AntiVirus Service ...................................................................................... 593
Configure Gateway AntiVirus actions for a proxy action............................................................... 595
Configure alarm notification for antivirus actions ........................................................................... 596
Configure Gateway AntiVirus to quarantine email.......................................................................... 596
File scan limits by WatchGuard device model, in kilobytes.......................................................... 597
Update Gateway AntiVirus/IPS settings ................................................................................................... 597
If you use a third-party antivirus client............................................................................................ 597
Configure Gateway AV decompression settings.............................................................................. 598
Configure the Gateway AV/IPS update server................................................................................... 599
Connect to the update server through an HTTP proxy server..................................................... 600
Block access from the trusted network to the update server...................................................... 600
Before you begin..................................................................................................................................... 602
Configure the Intrusion Prevention Service .................................................................................. 602
Set parameters for Intrusion Prevention Service (IPS).................................................................... 603
Configure IPS settings ................................................................................................................................ 605
Configure signature exceptions ............................................................................................................. 605
Chapter 26 Quarantine Server ................................................................................................................. 607
About the Quarantine Server ....................................................................................................................... 607
Configure the Firebox to quarantine email............................................................................................. 608
Define the Quarantine Server location on the Firebox....................................................................... 608
Chapter 1 Introduction to Network Security
About networks and network security
A network is a group of computers and other devices that are connected to each other. It can be two
computers in the same room, dozens of computers in an organization, or many computers around the world
connected through the Internet. Computers on the same network can work together and share data.
Although networks like the Internet give you access to a large quantity of information and business
opportunities, they also expose your network to attackers. Many people think that their computers hold no
important information, or that a hacker has no interest in their computers. This is not correct. A hacker can
use your computer as a platform to attack other computers or networks, and information from your organization,
including personal information about users, employees, or customers, is valuable to hackers in its own right.
Your WatchGuard device and LiveSecurity subscription can help you prevent these attacks. A good network
security policy (a set of access rules for users and resources) also helps you find and prevent attacks on
your computers and network. We recommend that you configure your Firebox to match your security policy, and
that you consider threats from both inside and outside your organization.
About Internet connections
ISPs (Internet service providers) are companies that give access to the Internet through network connections.
The rate at which a network connection can send data is known as bandwidth, for example, 3 megabits per
second (Mbps).
A high-speed Internet connection, such as a cable modem or a DSL (Digital Subscriber Line), is known as a
broadband connection. Broadband connections are much faster than dial-up connections. The bandwidth of
a dial-up connection is less than 0.1 Mbps, while a cable modem can be 5 Mbps or more.
Typical cable modem speeds are lower than the advertised maximum, because the cable segment is a shared
medium: every subscriber in a neighborhood draws on the same bandwidth, so the connection slows when more
users are active. DSL connections supply a constant, dedicated bandwidth, but they are usually slower than
cable modem connections. Also, the bandwidth is only constant between your home or office and the DSL central
office. The DSL central office cannot guarantee a good connection to a web site or network beyond it.
How information travels on the Internet
The data that you send through the Internet is cut into units called packets. Each packet carries the Internet
addresses of its source and destination, so that it can be routed on its own; the packets that make up one
connection can take different routes through the Internet. When they all arrive at the destination, they are
reassembled into the original order.
About protocols
A protocol is a set of rules that allow computers to communicate across a network. Protocols are the grammar of
the language that computers use when they speak to each other across a network. The standard protocol
of the Internet is IP (Internet Protocol), which defines how addressed packets are delivered between
computers.
A protocol also defines how data is sent through a network. The most frequently used protocols on top of IP
are TCP (Transmission Control Protocol), which provides reliable, ordered delivery of a stream of data, and
UDP (User Datagram Protocol), which sends individual datagrams without that guarantee. Together these are
called TCP/IP, the basic protocol suite used by computers that connect to the Internet.
You must know some of the TCP/IP settings when you set up your WatchGuard device. For more information
on TCP/IP, see “Find your TCP/IP properties” on page 29.
About IP addresses
To send ordinary mail to a person, you must know his or her street address. For one computer on the Internet
to send data to a different computer, it must know the address of that computer. A computer address is known
as an Internet Protocol (IP) address. Every device that is directly reachable on the Internet has a unique
public IP address, which enables other devices on the Internet to find and interact with it.
An IPv4 address consists of four octets (8-bit binary numbers) expressed in decimal format and
separated by periods. Each number between the periods must be within the range 0 to 255. Some
examples of IP addresses are:
206.253.208.100
4.2.2.2
10.0.4.1
Private addresses and gateways
Many companies create private networks that have their own address space. The address ranges 10.0.0.0 to
10.255.255.255 (10.x.x.x), 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255 (192.168.x.x)
are reserved for private IP addresses (RFC 1918). These addresses are not routed on the public Internet, so
computers on the Internet cannot reach them directly. If your computer is on a private network, you connect
to the Internet through a gateway device that has a public IP address and translates between the private and
public addresses.
Usually, the default gateway is the router that is between your network and the Internet. After you install the
Firebox on your network, it becomes the default gateway for all computers connected to its trusted or
optional interfaces.
About subnet masks
Because of security and performance considerations, networks are often divided into smaller portions called
subnets. All devices in a subnet share the same network prefix, the leading part of the IP address. For
example, with a 24-bit prefix, all devices whose first three octets are 50.50.50 belong to the same subnet.
A subnet mask, or netmask, is a series of bits that identifies which part of an IP address is the network
portion and which part is the host portion: a 1 bit marks a network bit and a 0 bit marks a host bit. A subnet
mask can be written in the same dotted-decimal form as an IP address, or in slash (CIDR) notation.
About slash notation
Your Firebox uses slash notation for many purposes, including policy configuration. Slash notation, also
known as CIDR (Classless Inter-Domain Routing) notation, is a compact way to write a subnet mask.
In slash notation, you write the IP address, a forward slash (/), and the subnet mask number, which is the
number of leading 1 bits in the mask (also called the prefix length).
To find the subnet mask number:
1. Convert the decimal representation of the subnet mask to a binary representation.
2. Count each “1” in the subnet mask. The total is the subnet mask number.
A valid subnet mask is a contiguous run of 1 bits followed by only 0 bits. A value such as 255.255.0.255 is
not a valid mask and has no slash equivalent; the Firebox cannot use it in a policy.
For example, you want to write the IP address 192.168.42.23 with a subnet mask of 255.255.255.0 in slash
notation.
1. Convert the subnet mask to binary.
In this example, the binary representation of 255.255.255.0 is:
11111111.11111111.11111111.00000000.
2. Count each "1" in the subnet mask.
In this example, there are twenty-four (24).
3. Write the original IP address, a forward slash (/), and then the number from Step 2.
The result is 192.168.42.23/24.
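The mask-to-prefix procedure above, together with the private address ranges and the subnet membership rule from the earlier sections, carried out in code. This is an added example, not code from the WatchGuard guide; the function names, the RFC 1918 list, and the sample addresses are the editor's own assumptions:

```python
"""Netmask / CIDR helpers (added example, not WatchGuard code).

Implements the procedure in the text: write the mask in binary, count
the 1 bits, and write the address as addr/prefix. It also enforces the
caveat the text gives: a mask must be a contiguous run of 1s then 0s.
"""

# RFC 1918 private ranges; the text lists two of the three by shorthand.
RFC1918_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def ip_to_int(addr: str) -> int:
    """Parse dotted-decimal IPv4 into a 32-bit integer; reject bad input."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"not an IPv4 address: {addr!r}")
    value = 0
    for part in parts:
        if not part.isdigit() or not 0 <= int(part) <= 255:
            raise ValueError(f"octet out of range in {addr!r}")
        value = (value << 8) | int(part)
    return value


def int_to_ip(value: int) -> str:
    """Inverse of ip_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_to_prefix(mask: str) -> int:
    """Steps 1 and 2 of the text: binary form, then count the 1 bits.

    After stripping the leading 1s only 0s may remain; a mask such as
    255.255.0.255 (ones, zeros, ones) is rejected rather than miscounted.
    """
    bits = format(ip_to_int(mask), "032b")      # e.g. 24 ones then 8 zeros
    ones = len(bits) - len(bits.lstrip("1"))    # length of the leading run
    if bits[ones:].strip("0"):                  # anything but 0s left over?
        raise ValueError(f"non-contiguous netmask: {mask}")
    return ones


def prefix_to_mask(prefix: int) -> str:
    """Reverse direction: /25 -> 255.255.255.128 (the table in the text)."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    return int_to_ip((((1 << prefix) - 1) << (32 - prefix)) & 0xFFFFFFFF)


def to_slash(addr: str, mask: str) -> str:
    """Step 3: 192.168.42.23 + 255.255.255.0 -> '192.168.42.23/24'."""
    return f"{addr}/{mask_to_prefix(mask)}"


def network_of(cidr: str) -> str:
    """Network address of addr/prefix: 192.168.42.23/24 -> 192.168.42.0/24."""
    addr, prefix = cidr.split("/")
    mask_int = ip_to_int(prefix_to_mask(int(prefix)))
    return f"{int_to_ip(ip_to_int(addr) & mask_int)}/{int(prefix)}"


def in_subnet(addr: str, cidr: str) -> bool:
    """True if addr has the same network bits as the cidr block."""
    net, prefix = cidr.split("/")
    mask_int = ip_to_int(prefix_to_mask(int(prefix)))
    return (ip_to_int(addr) & mask_int) == (ip_to_int(net) & mask_int)


def is_private(addr: str) -> bool:
    """RFC 1918 check behind the text's '10.x.x.x and 192.168.x.x'."""
    return any(in_subnet(addr, block) for block in RFC1918_RANGES)


if __name__ == "__main__":
    # Sample addresses are constructed for this example.
    print(to_slash("192.168.42.23", "255.255.255.0"))   # 192.168.42.23/24
    print(network_of("192.168.42.23/24"))                # 192.168.42.0/24
    print(is_private("172.31.255.1"), is_private("206.253.208.100"))  # True False
```

mask_to_prefix rejects a non-contiguous mask, which is the check most worth having when a mask is typed by hand into a policy. The comparison in in_subnet is the same one a firewall policy makes when it matches a packet's source or destination address against a network in the rule.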
This table shows common network masks and their equivalents in slash notation.
Network mask        Slash equivalent
255.0.0.0           /8
255.255.0.0         /16
255.255.255.0       /24
255.255.255.128     /25
255.255.255.192     /26
255.255.255.224     /27
255.255.255.240     /28
255.255.255.248     /29
255.255.255.252     /30
About entering IP addresses
When you type IP addresses in the Quick Setup Wizard or in dialog boxes, type the digits and periods in
sequence. Do not use the TAB key, arrow keys, spacebar, or mouse to move the cursor past the periods.
For example, to type the IP address 172.16.1.10, do not type a space after you type 16, and do not try to move
the cursor past the next period to type 1. Type a period directly after 16, and then type 1.10. Press
the slash (/) key to move to the netmask.
Static and dynamic IP addresses
ISPs (Internet service providers) assign an IP address to each device on their network. The IP address can be
static or dynamic.
Static IP addresses
A static IP address is an IP address that always stays the same. If you have a web server, FTP server, or other
Internet resource that must have an address that does not change, you can get a static IP address from your ISP.
A static IP address is usually more expensive than a dynamic IP address, and some ISPs do not supply static IP
addresses. You must configure a static IP address manually.
Dynamic IP addresses
A dynamic IP address is an IP address that an ISP lets you use temporarily. If a dynamic address is not in use, it
can be automatically assigned to a different device. Dynamic IP addresses are assigned using either DHCP or
PPPoE.