Watchguard Fireware XTM Web UI User guide

Fireware XTM Web UI v11.3 User Guide

Fireware XTM

Web UI

v11.3 User Guide

WatchGuard XTMDevices

Firebox XPeak e-Series

Firebox XCore e-Series

Firebox XEdge e-Series

ii WatchGuard System Manager

About this User Guide

The Fireware XTM Web UI User Guide is updated with each major product release. For minor product

releases, only the Fireware XTM Web UI Help system is updated. The Help system also includes specific,

task-based implementation examples that are not available in the User Guide.

For the most recent product documentation, see the Fireware XTM Web UI Help on the WatchGuard web

site at: http://www.watchguard.com/help/documentation/.

Information in this guide is subject to change without notice. Companies, names, and data used in examples

herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any

form or by any means, electronic or mechanical, for any purpose, without the express written permission

of WatchGuard Technologies, Inc.

Guide revised: 6/23/2010

Copyright, Trademark, and Patent Information

mentioned herein, if any, are the property of their respective owners.

Complete copyright, trademark, patent, and licensing information can be found in the Copyright and

Licensing Guide, available online at: http://www.watchguard.com/help/documentation/

Note This product is for indoor use only.

About WatchGuard

WatchGuard offers affordable, all-in-one network and content

security solutions that provide defense-in-depth and help meet

regulatory compliance requirements. The WatchGuard XTM line

combines firewall, VPN, GAV, IPS, spam blocking and URL filtering to

protect your network from spam, viruses, malware, and intrusions.

The new XCS line offers email and web content security combined

with data loss prevention. WatchGuard extensible solutions scale to

offer right-sized security ranging from small businesses to enterprises

with 10,000+ employees. WatchGuard builds simple, reliable, and

robust security appliances featuring fast implementation and

comprehensive management and reporting tools. Enterprises

throughout the world rely on our signature red boxes to maximize

security without sacrificing efficiency and productivity.

For more information, please call 206.613.6600 or visit

www.watchguard.com.

Address

505 Fifth Avenue South

Suite 500

Seattle, WA 98104

Support

www.watchguard.com/support

U.S. and Canada +877.232.3531

All Other Countries +1.206.521.3575

Sales

U.S. and Canada +1.800.734.9905

All Other Countries +1.206.613.0895

User Guide iii

Table of Contents

Introduction to Network Security 1

About networks and network security 1

About Internet connections 1

About protocols 2

About IP addresses 3

Private addresses and gateways 3

About subnet masks 3

About slash notation 3

About entering IP addresses 4

Static and dynamic IP addresses 4

About DNS (Domain Name System) 5

About firewalls 6

About services and policies 7

About ports 8

The Firebox or XTM device and your network 8

Introduction to Fireware XTM 11

About Fireware XTM 11

Fireware XTM Components 12

WatchGuard System Manager 12

WatchGuard Server Center 13

Fireware XTM Web UI and Command Line Interface 14

Fireware XTMwith a Pro Upgrade 15

Service and Support 17

About WatchGuard Support 17

LiveSecurity Service 17

LiveSecurity Service Gold 18

Service expiration 18

Getting Started 21

Before you begin 21

Verify basic components 21

Get a Firebox or XTM device feature key 22
Gather network addresses 22
Select a firewall configuration mode 23
About the Quick Setup Wizard 24
Run the Web Setup Wizard 25
Connect to Fireware XTMWeb UI 28
Connect to Fireware XTMWeb UI from an external network 29
About Fireware XTMWeb UI 30
Select Fireware XTM Web UI language 31
Limitations of Fireware XTM Web UI 31
Complete your installation 32
Customize your security policy 32
About LiveSecurity Service 33
Additional installation topics 33
Connect to a Firebox or XTM device with Firefox v3 33
Identify your network settings 35
Set your computer to connect to your Firebox or XTM device 38
Disable the HTTP proxy in the browser 39
Configuration and Management Basics 41
About basic configuration and management tasks 41
Make a backup of the Firebox or XTM device image 41
Restore a Firebox or XTM device backup image 41
Use a USB drive for system backup and restore 42
About the USB drive 42
Save a backup image to a connected USB drive 42
Restore a backup image from a connected USB drive 43
Automatically restore a backup image from a USB drive 44
USB drive directory structure 45
Save a backup image to a USB drive connected to your computer 46
Reset a Firebox or XTM device to a previous or new configuration 48
Start a Firebox or XTM device in safe mode 48
iv Fireware XTMWeb UI

User Guide v
Reset a Firebox X Edge e-Series or WatchGuard XTM 2 Series device to factory-default settings
49
Run the Quick Setup Wizard 49
About factory-default settings 49
About feature keys 51
When you purchase a new feature 51
See features available with the current feature key 51
Get a feature key from LiveSecurity 52
Add a feature key to your Firebox or XTM device 54
Restart your Firebox or XTM device 55
Restart the Firebox or XTM device locally 55
Restart the Firebox or XTM device remotely 56
Enable NTP and add NTP servers 56
Set the time zone and basic device properties 58
About SNMP 59
SNMP polls and traps 59
About Management Information Bases (MIBs) 59
Enable SNMP polling 61
Enable SNMP management stations and traps 62
About WatchGuard Passphrases, Encryption Keys, and Shared Keys 64
Create a secure passphrase, encryption key, or shared key 64
Firebox or XTM device Passphrases 64
User Passphrases 65
Server Passphrases 65
Encryption Keys and Shared Keys 65
Change Firebox or XTM device passphrases 67
Define Firebox or XTM device global settings 68
Define ICMP error handling global settings 68
Enable TCP SYN checking 69
Define TCP maximum segment size adjustment global settings 70
Enable or disable Traffic Management and QoS 70
Change the Web UI port 70

Automatic Reboot 70
External Console 71
See also 71
About WatchGuard Servers 71
Manage a Firebox or XTM device from a remote location 72
Configure a Firebox or XTM device as a managed device 74
Edit the WatchGuard policy 74
Set up the Managed Device 75
Upgrade to a new version of Fireware XTM 77
Install the upgrade on your management computer 77
Upgrade the Firebox or XTM device 77
Download the configuration file 78
About upgrade options 78
Subscription Services upgrades 78
Appliance and software upgrades 78
How to apply an upgrade 79
Network Setup and Configuration 81
About network interface setup 81
Network modes 82
Interface types 83
About network interfaces on the Edge e-Series 83
Mixed Routing Mode 84
Configure an external interface 84
Configure DHCP in mixed routing mode 87
About the Dynamic DNS service 90
Configure Dynamic DNS 90
Drop-in Mode 91
Use drop-in mode for network interface configuration 92
Configure related hosts 92
Configure DHCP in drop-in mode 93
Bridge Mode 96
Common interface settings 98
vi Fireware XTMWeb UI

User Guide vii
Disable an interface 100
Configure DHCPRelay 100
Restrict network traffic by MAC address 100
Add WINS and DNS server addresses 101
Configure a secondary network 102
About advanced interface settings 103
Network Interface Card (NIC)settings 104
Set DF bit for IPSec 105
PMTU Setting for IPSec 106
Use static MAC address binding 106
Find the MAC address of a computer 107
About LAN bridges 107
Create a network bridge configuration 108
Assign a network interface to a bridge 109
About routing 109
Add a static route 109
About virtual local area networks (VLANs) 110
VLAN requirements and restrictions 111
About tagging 111
About VLANIDnumbers 112
Define a new VLAN 112
Assign interfaces to a VLAN 114
Network Setup Examples 114
Example: Configure Two VLANs on the Same Interface 114
Use your Firebox or XTM device with the 3G Extend wireless bridge 118
Multi-WAN 121
About using multiple external interfaces 121
Multi-WAN requirements and conditions 121
Multi-WAN and DNS 122
About multi-WAN options 122
Round-robin order 122
Failover 122

Interface overflow 123
Routing table 123
Serial modem (Firebox XEdge only) 124
Configure Round-robin 125
Before You Begin 125
Configure the interfaces 125
Find how to assign weights to interfaces 125
Configure Failover 126
Before You Begin 126
Configure the interfaces 126
Configure Interface Overflow 127
Before You Begin 127
Configure the interfaces 127
Configure Routing Table 128
Before you begin 128
Routing Table mode and load balancing 128
Configure the interfaces 128
About the Firebox or XTM device route table 129
When to use multi-WAN methods and routing 129
Serial modem failover 131
Enable serial modem failover 131
Account settings 132
DNS settings 132
Dial-up settings 133
Advanced settings 133
Link Monitor settings 134
About advanced multi-WAN settings 135
Set a global sticky connection duration 135
Set the failback action 136
About WAN interface status 136
Time needed for the Firebox or XTM device to update its route table 136
Define a link monitor host 137
viii Fireware XTMWeb UI

User Guide ix
Network Address Translation (NAT) 139
About Network Address Translation 139
Types of NAT 140
About dynamic NAT 140
Add firewall dynamic NAT entries 140
Configure policy-based dynamic NAT 144
About 1-to-1 NAT 145
About 1-to-1 NAT and VPNs 146
Configure firewall 1-to-1 NAT 146
Configure policy-based 1-to-1 NAT 149
Configure NAT loopback with static NAT 151
Add a policy for NATloopback to the server 152
NAT loopback and 1-to-1 NAT 153
About static NAT 156
Configure server load balancing 157
NAT Examples 159
1-to-1 NAT example 159
Wireless Setup 161
About wireless configuration 161
About wireless access point configuration 162
Before you begin 163
About wireless configuration settings 164
Enable/disable SSID broadcasts 164
Change the SSID 165
Log authentication events 165
Change the fragmentation threshold 165
Change the RTS threshold 166
About wireless security settings 167
Set the wireless authentication method 167
Set the encryption level 168
Enable wireless connections to the trusted or optional network 169
Enable a wireless guest network 171

Enable a wireless hotspot 174
Configure user timeout settings 175
Customize the hotspot splash screen 175
Connect to a wireless hotspot 177
See wireless hotspot connections 178
Configure your external interface as a wireless interface 179
Configure the primary external interface as a wireless interface 179
Configure a BOVPN tunnel for additional security 181
About wireless radio settings on the Firebox X Edge e-Series Wireless device 182
Set the operating region and channel 183
Set the wireless mode of operation 184
About wireless radio settings on the WatchGuard XTM2 Series Wireless device 185
Country is set automatically 186
Select the Band and Wireless mode 186
Select the Channel 187
Configure the wireless card on your computer 188
Dynamic Routing 189
About dynamic routing 189
About routing daemon configuration files 189
About Routing Information Protocol (RIP) 190
Routing Information Protocol (RIP) commands 190
Configure the Firebox or XTM device to use RIP v1 192
Configure the Firebox or XTM device to use RIP v2 193
Sample RIP routing configuration file 195
About Open Shortest Path First (OSPF) Protocol 196
OSPF commands 197
OSPF Interface Cost table 200
Configure the Firebox or XTM device to use OSPF 200
Sample OSPF routing configuration file 202
About Border Gateway Protocol (BGP) 204
BGP commands 205
Configure the Firebox or XTM device to use BGP 207
x Fireware XTMWeb UI

User Guide xi
Sample BGP routing configuration file 208
Authentication 211
About user authentication 211
User authentication steps 212
Manage authenticated users 213
Use authentication to restrict incoming traffic 213
Use authentication through a gateway Firebox 214
Set global authentication values 214
Set global authentication timeouts 215
Allow multiple concurrent logins 216
Limit login sessions 216
Automatically redirect users to the login portal 217
Use a custom default start page 217
Set Management Session timeouts 218
About the WatchGuard Authentication (WG-Auth) policy 218
About Single Sign-On (SSO) 218
Before You Begin 220
Set up SSO 220
Install the WatchGuard Single Sign-On (SSO) agent 220
Install the WatchGuard Single Sign-On (SSO) client 221
Enable Single Sign-On (SSO) 222
Authentication server types 223
About using third-party authentication servers 223
Use a backup authentication server 224
Configure your Firebox or XTM device as an authentication server 224
Types of Firebox authentication 224
Define a new user for Firebox authentication 227
Define a new group for Firebox authentication 229
Configure RADIUS server authentication 230
Authentication key 230
RADIUSauthentication methods 230
Before you begin 230

Use RADIUSserver authentication with your Firebox or XTM device 230
How RADIUS server authentication works 232
Configure VASCO server authentication 235
Configure SecurID authentication 237
Configure LDAP authentication 238
About LDAP optional settings 240
Configure Active Directory authentication 241
About Active Directory optional settings 242
Find your Active Directory search base 243
Change the default port for the Active Directory server 244
Use Active Directory or LDAP Optional Settings 244
Before You Begin 245
Specify Active Directory or LDAP Optional Settings 245
Use a local user account for authentication 248
Use authorized users and groups in policies 248
Define users and groups for Firebox authentication 248
Define users and groups for third-party authentication 248
Add users and groups to policy definitions 249
Policies 251
About policies 251
Packet filter and proxy policies 251
About adding policies to your Firebox or XTM device 252
About the Firewall or Mobile VPN Policies page 253
Add policies to your configuration 254
Add a policy from the list of templates 255
Disable or delete a policy 256
About aliases 257
Alias members 257
Create an alias 258
About policy precedence 259
Automatic policy order 260
Policy specificity and protocols 260
xii Fireware XTMWeb UI

User Guide xiii
Traffic rules 260
Firewall actions 261
Schedules 261
Policy types and names 261
Set precedence manually 261
Create schedules for Firebox or XTM device actions 262
Set an operating schedule 262
About custom policies 263
Create or edit a custom policy template 263
About policy properties 266
Policy tab 266
Properties tab 266
Advanced tab 266
Proxy settings 267
Set access rules for a policy 267
Configure policy-based routing 269
Set a custom idle timeout 271
Set ICMP error handling 271
Apply NAT rules 271
Set the sticky connection duration for a policy 272
Proxy Settings 273
About proxy policies and ALGs 273
Proxy configuration 274
About Application Blocker Configurations 274
Configure Application Blocker 274
About Skype and Application Blocker 276
Add a proxy policy to your configuration 276
About proxy actions 278
Set the proxy action 278
Edit, delete, or clone proxy actions 278
About predefined and user-defined proxy actions 279
About the DNS proxy 279

Policy tab 279

Properties tab 280

Advanced tab 280

Settings and Content tabs 280

DNSProxy:Content 280

DNSProxy:Settings 281

About the FTP proxy 282

Policy tab 284

Properties tab 284

Advanced tab 285

Settings and Content tabs 285

FTP proxy: Content 285

FTPProxy:Settings 286

About the H.323 ALG 287

VoIPcomponents 287

ALGfunctions 288

Policy tab 288

Properties tab 289

Advanced tab 289

Settings and Content tabs 289

H.323 ALG:Content 289

H.323 ALG:Settings 291

About the HTTP proxy 292

Policy tab 293

Properties tab 294

Advanced tab 294

Settings, Content and Application Blocker tabs 294

Enable Windows updates through the HTTPproxy 294

HTTP proxy: Settings tab 295

HTTP proxy: Content tab 299

HTTP proxy: Application Blocker 301

About the HTTPS proxy 301

xiv Fireware XTMWeb UI

User Guide xv

Policy tab 302

Properties tab 302

Advanced tab 302

Settings and Content tabs 302

HTTPSProxy:Content 302

HTTPSProxy:Settings 304

About the POP3 proxy 306

Policy tab 306

Properties tab 307

Advanced tab 307

Settings and Content tabs 307

POP3Proxy:Content 307

POP3Proxy:Settings 308

About the SIP proxy 309

VoIPcomponents 310

ALGfunctions 310

Policy tab 310

Properties tab 311

Advanced tab 311

Settings and Content tabs 311

SIP ALG:Content 311

SIP ALG:Settings 313

About the SMTP proxy 314

Policy tab 314

Properties tab 315

Advanced tab 315

Settings, Addressing, and Content tabs 315

SMTPProxy:Addressing 315

SMTPProxy:Content 316

SMTPProxy:Settings 317

Configure the SMTPproxy to quarantine email 318

About the TCP-UDP proxy 320

Policy tab 320
Properties tab 320
Advanced tab 321
Settings and Content tabs 321
TCP-UDP Proxy: Settings 321
TCP-UDP Proxy: Content 322
Traffic Management and QoS 323
About Traffic Management and QoS 323
Enable traffic management and QoS 323
Guarantee bandwidth 324
Restrict bandwidth 325
QoS Marking 325
Traffic priority 325
Set Outgoing Interface Bandwidth 325
Set Connection Rate Limits 327
About QoS Marking 327
Before you begin 327
QoS markingfor interfaces and policies 328
QoS marking and IPSec traffic 328
Marking types and values 328
Enable QoS Marking for an interface 330
Enable QoS Marking or prioritization settings for a policy 331
Traffic control and policy definitions 332
Define a Traffic Management action 332
Add a Traffic Management action to a policy 334
Default Threat Protection 335
About default threat protection 335
About default packet handling options 336
About spoofing attacks 337
About IP source route attacks 338
About port space and address space probes 338
About flood attacks 340
xvi Fireware XTMWeb UI

User Guide xvii
About unhandled packets 342
About distributed denial-of-service attacks 342
About blocked sites 344
Permanently blocked sites 344
Auto-blocked sites/Temporary Blocked Sites list 344
See and edit the sites on the Blocked Sites list 344
Block a site permanently 344
Create Blocked Site Exceptions 345
Block sites temporarily with policy settings 346
Change the duration that sites are auto-blocked 346
About blocked ports 347
Default blocked ports 347
Block a port 349
Logging and Notification 351
About logging and log files 351
Log Servers 351
System Status Syslog 352
Logging and notification in applications and servers 352
About log messages 352
Types of log messages 353
Send log messages to a WatchGuard Log Server 354
Add, edit, or change the priority of Log Servers 354
Send log information to a Syslog host 355
Configure Logging Settings 356
Set the diagnostic log level 357
Configure logging and notification for a policy 358
Set logging and notification preferences 359
Use Syslog to see log message data 360
View, Sort, and Filter log message data 360
Refresh log message data 362
Monitor Your Device 363
About the Dashboard and System Status Pages 363

The Dashboard 363

System Status pages 365

ARP Table 366

Authentication List 366

Bandwidth Meter 367

Blocked Sites 368

Add or edit temporary blocked sites 368

Checksum 369

Connections 369

Components List 370

CPUUsage 370

DHCP Leases 370

Diagnostics 371

Run a basic diagnostics command 372

Use command arguments 372

Dynamic DNS 373

Feature Key 374

When you purchase a new feature 374

See features available with the current feature key 374

Interfaces 375

LiveSecurity 376

Memory 376

Outbound Access List 377

Processes 378

Routes 379

Syslog 380

Traffic Management 380

VPN Statistics 380

Wireless statistics 381

Wireless hotspot connections 382

Certificates 383

About certificates 383

xviii Fireware XTMWeb UI

User Guide xix
Use multiple certificates to establish trust 383
How the Firebox or XTM device uses certificates 384
Certificate lifetimes and CRLs 384
Certificate authorities and signing requests 385
Certificate Authorities Trusted by the Firebox or XTM device 385
See and manage Firebox or XTM device certificates 391
Create a CSR with OpenSSL 393
Use OpenSSL to generate a CSR 393
Sign a certificate with Microsoft CA 393
Issue the certificate 394
Download the certificate 394
Use Certificates for the HTTPS Proxy 395
Protect a private HTTPSserver 395
Examine content from external HTTPS servers 396
Export the HTTPScontent inspection certificate 396
Import the certificates on client devices 397
Troubleshoot problems with HTTPScontent inspection 397
Use certificates for Mobile VPN with IPSec tunnel authentication 397
Certificates for Branch Office VPN (BOVPN) tunnel authentication 398
Verify the certificate with FSM 399
Verify VPN certificates with an LDAP server 399
Configure the web server certificate for Firebox authentication 400
Import a certificate on a client device 401
Import a PEMformat certificate with Windows XP 401
Import a PEMformat certificate with Windows Vista 402
Import a PEMformat certificate with Mozilla Firefox 3.x 402
Import a PEMformat certificate with Mac OSX10.5 403
Virtual Private Networks (VPNs) 405
Introduction to VPNs 405
Branch Office VPN 405
Mobile VPN 406
About IPSec VPNs 406

About IPSec algorithms and protocols 406
About IPSec VPN negotiations 408
Configure Phase 1 and Phase 2 settings 411
About Mobile VPNs 412
Select a Mobile VPN 412
Internet access options for Mobile VPN users 414
Mobile VPN setup overview 415
Branch Office VPNs 417
What you need to create a manual BOVPN 417
About manual Branch Office VPN tunnels 418
What you need to create a VPN 418
How to create a manual BOVPNtunnel 419
One-way tunnels 419
VPN Failover 419
Global VPN settings 419
BOVPNtunnel status 420
Rekey BOVPNtunnels 420
Sample VPN address information table 421
Configure gateways 422
Define gateway endpoints 424
Configure mode and transforms (Phase 1 settings) 425
Edit and delete gateways 430
Disable automatic tunnel startup 430
If your Firebox or XTM device is behind a device that does NAT 430
Make tunnels between gateway endpoints 432
Define a tunnel 432
Add routes for a tunnel 434
Configure Phase 2 settings 434
Add a Phase 2 proposal 436
Change order of tunnels 437
About global VPN settings 437
Enable IPSec Pass-through 438
xx Fireware XTMWeb UI

Page is loading ...

Watchguard Fireware XTM Web UI User guide

Watchguard Fireware XTM Web UI User guide

Related papers

Other documents