Watchguard Fireware XTM Web UI User guide

Fireware XTM Web UI 11.4 User Guide
WatchGuard XTM Devices
About this User Guide
The Fireware XTM Web UI User Guide is updated with each major product release. For minor product releases, only the Fireware XTM Web UI Help system is updated. The Help system also includes specific, task-based implementation examples that are not available in the User Guide.

For the most recent product documentation, see the Fireware XTM Web UI Help on the WatchGuard web site at: http://www.watchguard.com/help/documentation/.

Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.
Guide revised: 1/26/2011
Copyright, Trademark, and Patent Information
Copyright © 1998–2011 WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade names mentioned herein, if any, are the property of their respective owners.

Complete copyright, trademark, patent, and licensing information can be found in the Copyright and Licensing Guide, available online at: http://www.watchguard.com/help/documentation/
Note: This product is for indoor use only.
About WatchGuard
WatchGuard offers affordable, all-in-one network and content security solutions that provide defense-in-depth and help meet regulatory compliance requirements. The WatchGuard XTM line combines firewall, VPN, GAV, IPS, spam blocking and URL filtering to protect your network from spam, viruses, malware, and intrusions. The new XCS line offers email and web content security combined with data loss prevention. WatchGuard extensible solutions scale to offer right-sized security ranging from small businesses to enterprises with 10,000+ employees. WatchGuard builds simple, reliable, and robust security appliances featuring fast implementation and comprehensive management and reporting tools. Enterprises throughout the world rely on our signature red boxes to maximize security without sacrificing efficiency and productivity.

For more information, please call 206.613.6600 or visit www.watchguard.com.
Address
505 Fifth Avenue South
Suite 500
Seattle, WA 98104
Support
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575
Sales
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895
Table of Contents
Introduction to Network Security 1
About Networks and Network Security 1
About Internet Connections 1
About Protocols 2
About IP Addresses 3
Private Addresses and Gateways 3
About Subnet Masks 3
About Slash Notation 3
About Entering IP Addresses 4
Static and Dynamic IP Addresses 4
About DNS (Domain Name System) 5
About Firewalls 6
About Services and Policies 7
About Ports 8
The XTM Device and Your Network 8
Introduction to Fireware XTM 11
About Fireware XTM 11
Fireware XTM Components 12
WatchGuard System Manager 12
WatchGuard Server Center 13
Fireware XTM Web UI and Command Line Interface 14
Fireware XTMwith a Pro Upgrade 15
Service and Support 17
About WatchGuard Support 17
LiveSecurity Service 17
LiveSecurity Service Gold 18
Service Expiration 18
Getting Started 19
Before You Begin 19
Verify Basic Components 19
Get an XTM Device Feature Key 20
Gather Network Addresses 20
Select a Firewall Configuration Mode 21
About the Quick Setup Wizard 22
Run the Web Setup Wizard 23
Connect to Fireware XTMWeb UI 26
Connect to Fireware XTMWeb UI from an External Network 27
About Fireware XTMWeb UI 27
Limitations of Fireware XTM Web UI 28
Complete Your Installation 30
Customize Your Security Policy 30
About LiveSecurity Service 30
Additional Installation Topics 31
Connect to an XTM Device with Firefox v3 31
Identify Your Network Settings 32
Set Your Computer to Connect to Your XTM Device 35
Disable the HTTP Proxy in the Browser 36
Configuration and Management Basics 39
About Basic Configuration and Management Tasks 39
Make a Backup of the XTM Device Image 39
Restore an XTM Device Backup Image 39
Use a USB Drive for System Backup and Restore 41
About the USB Drive 41
Save a Backup Image to a Connected USB Drive 41
Restore a Backup Image from a Connected USB Drive 41
Automatically Restore a Backup Image from a USB Drive 42
USB Drive Directory Structure 45
Save a Backup Image to a USB Drive Connected to Your Computer 46
Reset an XTM Device to a Previous or New Configuration 47
Start an XTM Device in Safe Mode 47
Reset an XTM 2 Series Device to Factory-Default Settings 47
Run the Quick Setup Wizard 48
About Factory-Default Settings 48
About Feature Keys 50
When You Purchase a New Feature 50
See Features Available with the Current Feature Key 50
Get a Feature Key from LiveSecurity 51
Add a Feature Key to Your XTM Device 53
Restart Your XTM Device 55
Restart the XTM Device Locally 55
Restart the XTM Device Remotely 55
Enable NTP and Add NTP Servers 55
Set the Time Zone and Basic Device Properties 57
About SNMP 58
SNMP Polls and Traps 58
About Management Information Bases (MIBs) 58
Enable SNMP Polling 60
Enable SNMP Management Stations and Traps 61
About WatchGuard Passphrases, Encryption Keys, and Shared Keys 63
Create a Secure Passphrase, Encryption Key, or Shared Key 63
XTM Device Passphrases 64
User Passphrases 64
Server Passphrases 64
Encryption Keys and Shared Keys 65
Change XTM Device Passphrases 66
Define XTM Device Global Settings 67
Define ICMP Error Handling Global Settings 68
Configure TCP Settings 69
Enable or Disable Traffic Management and QoS 69
Change the Web UI Port 69
Automatic Reboot 70
About WatchGuard Servers 70
Manage an XTM device from a Remote Location 72
Configure an XTM Device as a Managed Device 74
Edit the WatchGuard Policy 74
Set Up the Managed Device 75
Upgrade to a New Version of Fireware XTM 76
Install the Upgrade on Your Management Computer 76
Upgrade the XTM Device 77
Download the Configuration File 77
About Upgrade Options 78
Subscription Services Upgrades 78
Appliance and Software Upgrades 78
How to Apply an Upgrade 78
Renew Security Subscriptions 79
Subscription Services Status and Manual Signatures Updates 79
Network Setup and Configuration 81
About Network Interface Setup 81
Network Modes 82
Interface Types 83
Mixed Routing Mode 83
Configure an External Interface 84
Configure DHCP in Mixed Routing Mode 87
About the Dynamic DNS Service 89
Configure Dynamic DNS 89
Drop-In Mode 90
Use Drop-In Mode for Network Interface Configuration 91
Configure Related Hosts 91
Configure DHCP in Drop-In Mode 93
Bridge Mode 96
Common Interface Settings 98
Disable an Interface 100
Configure DHCPRelay 100
Restrict Network Traffic by MAC Address 101
Add WINS and DNS Server Addresses 102
Configure a Secondary Network 102
About Advanced Interface Settings 104
Network Interface Card (NIC) Settings 104
Set DF Bit for IPSec 106
PMTU Setting for IPSec 106
Use Static MAC Address Binding 107
Find the MAC Address of a Computer 107
About LAN Bridges 108
Create a Network Bridge Configuration 108
Assign a Network Interface to a Bridge 109
About Routing 109
Add a Static Route 109
About Virtual Local Area Networks (VLANs) 111
VLAN Requirements and Restrictions 111
About Tagging 112
About VLANIDNumbers 112
Define a New VLAN 112
Assign Interfaces to a VLAN 115
Network Setup Examples 115
Configure Two VLANs on the Same Interface 115
Configure One VLAN Bridged Across Two Interfaces 118
Use Your XTM Device with the 3G Extend Wireless Bridge 123
Multi-WAN 125
About Using Multiple External Interfaces 125
Multi-WAN Requirements and Conditions 125
Multi-WAN and DNS 126
About Multi-WAN Options 126
Round-Robin Order 126
Failover 126
Interface Overflow 127
Routing Table 127
Serial Modem (XTM2 Series only) 128
Configure Round-Robin 129
Before You Begin 129
Configure the Interfaces 129
Find How to Assign Weights to Interfaces 129
Configure Failover 130
Before You Begin 130
Configure the Interfaces 130
Configure Interface Overflow 132
Before You Begin 132
Configure the Interfaces 132
Configure Routing Table 132
Before You Begin 132
Routing Table mode and load balancing 133
Configure the Interfaces 133
About the XTM Device Route Table 133
When to Use Multi-WAN Methods and Routing 134
Serial Modem Failover 135
Enable Serial Modem Failover 135
Account Settings 135
DNS Settings 136
Dial-up Settings 137
Advanced Settings 137
Link Monitor Settings 138
About Advanced Multi-WAN Settings 139
Set a Global Sticky Connection Duration 139
Set the Failback Action 140
About WAN Interface Status 140
Time Needed for the XTM Device to Update its Route Table 140
Define a Link Monitor Host 141
Network Address Translation (NAT) 143
About Network Address Translation 143
Types of NAT 144
About Dynamic NAT 144
Add Firewall Dynamic NAT Entries 145
Configure Policy-Based Dynamic NAT 147
About 1-to-1 NAT 149
About 1-to-1 NAT and VPNs 150
Configure Firewall 1-to-1 NAT 150
Configure Policy-Based 1-to-1 NAT 153
Configure NAT Loopback with Static NAT 154
Add a Policy for NATLoopback to the Server 155
NAT Loopback and 1-to-1 NAT 156
About SNAT 158
Configure Static NAT 160
Configure Server Load Balancing 163
NAT Examples 167
1-to-1 NAT Example 167
Wireless Setup 169
About Wireless Configuration 169
About Wireless Access Point Configuration 170
Before You Begin 171
About Wireless Configuration Settings 172
Enable/Disable SSID Broadcasts 173
Change the SSID 173
Log Authentication Events 173
Change the Fragmentation Threshold 173
Change the RTS Threshold 175
About Wireless Security Settings 176
Set the Wireless Authentication Method 176
Use a RADIUS Server for Wireless Authentication 177
Use the XTMDevice as an Authentication Server for Wireless Authentication 178
Set the Encryption Level 180
Enable Wireless Connections to the Trusted or Optional Network 182
Enable a Wireless Guest Network 184
Enable a Wireless Hotspot 187
Configure User Timeout Settings 188
Customize the Hotspot Splash Screen 188
Connect to a Wireless Hotspot 190
See Wireless Hotspot Connections 191
Configure Your External Interface as a Wireless Interface 192
Configure the Primary External Interface as a Wireless Interface 193
Configure a BOVPN tunnel for additional security 195
About Wireless Radio Settings 196
Country is Set Automatically 197
Select the Band and Wireless Mode 198
Select the Channel 198
Configure the Wireless Card on Your Computer 199
Rogue Access Point Detection 199
Enable Rogue Access Point Detection 199
Add an XTMWireless Device as a Trusted Access Point 204
Find the Wireless MACAddress of a Trusted Access Point 207
Rogue Access Point Scan Results 208
Dynamic Routing 209
About Dynamic Routing 209
About Routing Daemon Configuration Files 209
About Routing Information Protocol (RIP) 210
Routing Information Protocol (RIP) Commands 210
Configure the XTM Device to Use RIP v1 212
Configure the XTM Device to Use RIP v2 214
Sample RIP Routing Configuration File 216
About Open Shortest Path First (OSPF) Protocol 217
OSPF Commands 218
OSPF Interface Cost Table 221
Configure the XTM Device to Use OSPF 221
Sample OSPF Routing Configuration File 223
About Border Gateway Protocol (BGP) 226
BGP Commands 227
Configure the XTM Device to Use BGP 229
Sample BGP Routing Configuration File 230
Authentication 233
About User Authentication 233
User Authentication Steps 234
Manage Authenticated Users 235
Use Authentication to Restrict Incoming Traffic 236
Use Authentication Through a Gateway Firebox 237
About the WatchGuard Authentication (WG-Auth) Policy 238
Set Global Firewall Authentication Values 238
Set Global Authentication Timeouts 239
Allow Multiple Concurrent Logins 240
Limit Login Sessions 240
Automatically Redirect Users to the Authentication Portal 241
Use a Custom Default Start Page 242
Set Management Session Timeouts 242
About Single Sign-On (SSO) 242
Before You Begin 244
Set Up SSO 244
Install the WatchGuard Single Sign-On (SSO) Agent 244
Install the WatchGuard Single Sign-On (SSO) Client 245
Enable Single Sign-On (SSO) 246
Install and Configure the Terminal Services Agent 249
Install the Terminal Services Agent 250
Configure the Terminal Services Agent 250
Configure Terminal Services Settings 251
Authentication Server Types 253
About Third-Party Authentication Servers 253
Use a Backup Authentication Server 253
Configure Your XTM Device as an Authentication Server 254
Types of Firebox Authentication 254
Define a New User for Firebox Authentication 256
Define a New Group for Firebox Authentication 258
Configure RADIUS Server Authentication 259
Authentication Key 259
RADIUSAuthentication Methods 259
Before You Begin 259
Use RADIUSServer Authentication with Your XTM Device 259
How RADIUS Server Authentication Works 261
WPA and WPA2 Enterprise Authentication 264
Configure VASCO Server Authentication 264
Configure SecurID Authentication 267
Configure LDAP Authentication 269
About LDAP Optional Settings 271
Configure Active Directory Authentication 272
Add an Active Directory Authentication Domain and Server 272
About Active Directory Optional Settings 276
Edit an Existing Active Directory Domain 276
Delete an Active Directory Domain 278
Find Your Active Directory Search Base 278
Change the Default Port for the Active Directory Server 279
Use Active Directory or LDAP Optional Settings 280
Before You Begin 280
Specify Active Directory or LDAP Optional Settings 280
Use a Local User Account for Authentication 284
Use Authorized Users and Groups in Policies 285
Define Users and Groups for Firebox Authentication 285
Define Users and Groups for Third-Party Authentication 285
Add Users and Groups to Policy Definitions 286
Policies 287
About Policies 287
Packet Filter and Proxy Policies 287
Add Policies to Your XTM device 288
About the Policies Pages 289
Add Policies to Your Configuration 291
Add a Policy from the List of Templates 291
Disable or Delete a Policy 293
About Aliases 294
Alias Members 294
Create an Alias 295
About Policy Precedence 299
Automatic Policy Order 299
Policy Specificity and Protocols 299
Traffic Rules 299
Firewall Actions 300
Schedules 300
Policy Types and Names 301
Set Precedence Manually 301
Create Schedules for XTM Device Actions 302
Set an Operating Schedule 302
About Custom Policies 303
Create or Edit a Custom Policy Template 303
About Policy Properties 306
Policy Tab 306
Properties Tab 306
Advanced Tab 307
Proxy Settings 307
Set Access Rules for a Policy 307
Configure Policy-Based Routing 309
Set a Custom Idle Timeout 312
Set ICMP Error Handling 312
Apply NAT Rules 312
Set the Sticky Connection Duration for a Policy 313
Proxy Settings 315
About Proxy Policies and ALGs 315
Proxy Configuration 316
Add a Proxy Policy to Your Configuration 316
About Proxy Actions 317
Set the Proxy Action in a Proxy Policy 317
Clone, Edit, or Delete Proxy Actions 318
Proxy and AV Alarms 322
About Rules and Rulesets 323
About Working with Rules and Rulesets 323
Configure Rulesets 324
Add, Change, or Delete Rules 324
Cut and Paste Rule Definitions 327
Change the Order of Rules 327
Change the Default Rule 327
About Regular Expressions 328
About the DNS-Proxy 331
Action Settings 332
Policy Tab 332
Properties Tab 332
Advanced Tab 333
Configure the Proxy Action 333
DNS-Proxy: General Settings 334
DNS-Proxy: OPcodes 335
DNS-Proxy: Query Names 337
DNS-Proxy: Query Types 338
DNS-Proxy: Proxy Alarm 339
About MX (Mail eXchange) Records 340
About the FTP-Proxy 343
Action Settings 343
Policy Tab 343
Properties Tab 344
Advanced Tab 344
Configure the Proxy Action 344
FTP-Proxy: General Settings 345
FTP-Proxy: Commands 346
FTP-Proxy: Content 347
FTP-Proxy: Proxy and AV Alarms 348
About the H.323-ALG 349
VoIPComponents 349
ALGFunctions 349
Action Settings 350
Policy Tab 350
Properties Tab 350
Advanced Tab 350
Configure the Proxy Action 351
H.323-ALG: General Settings 352
H.323-ALG: Access Control 354
H.323 ALG: Denied Codecs 356
About the HTTP-Proxy 357
Action Settings 358
Policy Tab 358
Properties Tab 358
Advanced Tab 358
Configure the Proxy Action 359
HTTP Request: General Settings 359
HTTP Request: Request Methods 361
HTTP Request: URL Paths 363
HTTP Request: Header Fields 363
HTTP Request: Authorization 364
HTTP Response: General Settings 365
HTTP Response: Header Fields 366
HTTP Response: Content Types 367
HTTP Response: Cookies 369
HTTP Response: Body Content Types 369
HTTP-Proxy: Exceptions 370
HTTP-Proxy: Deny Message 372
HTTP-Proxy: Proxy and AV Alarms 373
Enable Windows Updates Through the HTTP-Proxy 375
Use a Caching Proxy Server 375
About the HTTPS-Proxy 377
Action Settings 377
Policy Tab 377
Properties Tab 378
Advanced Tab 378
Configure the Proxy Action 378
HTTPS-Proxy: General Settings 379
HTTPS-Proxy: Content Inspection 380
HTTPS-Proxy: Certificate Names 382
HTTPS-Proxy: Proxy Alarm 383
About the POP3-Proxy 384
Action Settings 384
Policy Tab 384
Properties Tab 385
Advanced Tab 385
Configure the Proxy Action 385
POP3-Proxy: General Settings 386
POP3-Proxy: Authentication 388
POP3-Proxy: Content Types 389
POP3-Proxy: File Names 391
POP3-Proxy: Headers 392
POP3-Proxy: Deny Message 392
POP3-Proxy: Proxy and AV Alarms 393
About the SIP-ALG 395
VoIPComponents 395
Instant Messaging Support 395
ALGFunctions 396
Action Settings 396
Policy Tab 396
Properties Tab 396
Advanced Tab 397
Configure the Proxy Action 397
SIP-ALG: General Settings 398
SIP-ALG: Access Control 400
SIP-ALG: Denied Codecs 401
About the SMTP-Proxy 404
Action Settings 404
Policy Tab 404
Properties Tab 405
Advanced Tab 406
Configure the Proxy Action 406
SMTP-Proxy: General Settings 407
SMTP Proxy: Greeting Rules 410
SMTP-Proxy: ESMTP Settings 411
SMTP-Proxy: Authentication 412
SMTP-Proxy: Content Types 414
SMTP-Proxy: File Names 415
SMTP-Proxy: Mail From/Rcpt To 416
SMTP-Proxy: Headers 417
SMTP-Proxy: Deny Message 418
SMTP-Proxy: Proxy and AV Alarms 419
Configure the SMTP-Proxy to Quarantine Email 420
Protect Your SMTP Server from Email Relaying 421
About the TCP-UDP-Proxy 422
Action Settings 422
Policy Tab 422
Properties Tab 422
Advanced Tab 423
Configure the Proxy Action 423
TCP-UDP-Proxy: General Settings 423
Traffic Management and QoS 427
About Traffic Management and QoS 427
Enable Traffic Management and QoS 427
Guarantee Bandwidth 428
Restrict Bandwidth 429
QoS Marking 429
Traffic priority 429
Set Outgoing Interface Bandwidth 430
Set Connection Rate Limits 431
About QoS Marking 431
Before you begin 431
QoS markingfor interfaces and policies 432
QoS marking and IPSec traffic 432
Marking Types and Values 433
Enable QoS Marking for an Interface 434
Enable QoS Marking or Prioritization Settings for a Policy 435
Traffic Control and Policy Definitions 437
Define a Traffic Management Action 437
Add a Traffic Management Action to a Policy 438
Default Threat Protection 441
About Default Threat Protection 441
About Default Packet Handling Options 442
About Spoofing Attacks 443
About IP Source Route Attacks 444
About Port Space and Address Space Probes 444
About Flood Attacks 446
About Unhandled Packets 448
About Distributed Denial-of-Service Attacks 448
About Blocked Sites 450
Permanently Blocked Sites 450
Auto-Blocked Sites/Temporary Blocked Sites List 450
Blocked Site Exceptions 450
See and Edit the Sites on the Blocked Sites List 450
Block a Site Permanently 451
Create Blocked Site Exceptions 451
Block Sites Temporarily with Policy Settings 452
Change the Duration that Sites are Auto-Blocked 453
About Blocked Ports 453
Default Blocked Ports 454
Block a Port 455
Logging and Notification 457
About Logging and Log Files 457
Log Servers 457
System Status Syslog 458
Logging and Notification in Applications and Servers 458
About Log Messages 458
Types of Log Messages 459
Send Log Messages to a WatchGuard Log Server 460
Add, Edit, or Change the Priority of Log Servers 460
Send Log Information to a Syslog Host 461
Configure Logging Settings 463
Set the Diagnostic Log Level 464
Configure Logging and Notification for a Policy 465
Set Logging and Notification Preferences 466
Use Syslog to See Log Message Data 467
View, Sort, and Filter Log Message Data 467
Refresh Log Message Data 469
Monitor Your Device 471
About the Dashboard and System Status Pages 471
The Dashboard 471
System Status Pages 473
ARP Table 474
Authentication List 474
Bandwidth Meter 475
Blocked Sites 476
Add or Edit Temporary Blocked Sites 476
Checksum 477
Connections 477
Components List 478
CPUUsage 478
DHCP Leases 478
Diagnostics 479
Run a Basic Diagnostics Command 480
Use Command Arguments 480
Dynamic DNS 481
Feature Key 482
When You Purchase a New Feature 482
See Features Available with the Current Feature Key 482
Interfaces 483
LiveSecurity 485
Memory 485
Processes 486
Routes 486
Syslog 487
Traffic Management 487
VPN Statistics 488
Wireless Statistics 489
Wireless Hotspot Connections 490
Certificates 491
About Certificates 491
Use Multiple Certificates to Establish Trust 492
How the XTM device Uses Certificates 492
Certificate Lifetimes and CRLs 494
Certificate Authorities and Signing Requests 494
Certificate Authorities Trusted by the XTM Device 495
Manage XTM Device Certificates 500
Create a CSR with OpenSSL 503