WatchGuard Fireware XTM Web UI User Guide

Fireware XTM Web UI v11.3 User Guide
WatchGuard XTMDevices
Firebox XPeak e-Series
Firebox XCore e-Series
Firebox XEdge e-Series
ii WatchGuard System Manager
About this User Guide
The Fireware XTM Web UI User Guide is updated with each major product release. For minor product releases, only the Fireware XTM Web UI Help system is updated. The Help system also includes specific, task-based implementation examples that are not available in the User Guide.
For the most recent product documentation, see the Fireware XTM Web UI Help on the WatchGuard web site at: http://www.watchguard.com/help/documentation/.
Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.
Guide revised: 6/23/2010
Copyright, Trademark, and Patent Information
Copyright © 1998–2010 WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade names mentioned herein, if any, are the property of their respective owners.
Complete copyright, trademark, patent, and licensing information can be found in the Copyright and Licensing Guide, available online at: http://www.watchguard.com/help/documentation/
Note: This product is for indoor use only.
About WatchGuard
WatchGuard offers affordable, all-in-one network and content security solutions that provide defense-in-depth and help meet regulatory compliance requirements. The WatchGuard XTM line combines firewall, VPN, GAV, IPS, spam blocking and URL filtering to protect your network from spam, viruses, malware, and intrusions. The new XCS line offers email and web content security combined with data loss prevention. WatchGuard extensible solutions scale to offer right-sized security ranging from small businesses to enterprises with 10,000+ employees. WatchGuard builds simple, reliable, and robust security appliances featuring fast implementation and comprehensive management and reporting tools. Enterprises throughout the world rely on our signature red boxes to maximize security without sacrificing efficiency and productivity.
For more information, please call 206.613.6600 or visit www.watchguard.com.
Address
505 Fifth Avenue South
Suite 500
Seattle, WA 98104
Support
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575
Sales
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895
User Guide iii
Table of Contents
Introduction to Network Security 1
About networks and network security 1
About Internet connections 1
About protocols 2
About IP addresses 3
Private addresses and gateways 3
About subnet masks 3
About slash notation 3
About entering IP addresses 4
Static and dynamic IP addresses 4
About DNS (Domain Name System) 5
About firewalls 6
About services and policies 7
About ports 8
The Firebox or XTM device and your network 8
Introduction to Fireware XTM 11
About Fireware XTM 11
Fireware XTM Components 12
WatchGuard System Manager 12
WatchGuard Server Center 13
Fireware XTM Web UI and Command Line Interface 14
Fireware XTMwith a Pro Upgrade 15
Service and Support 17
About WatchGuard Support 17
LiveSecurity Service 17
LiveSecurity Service Gold 18
Service expiration 18
Getting Started 21
Before you begin 21
Verify basic components 21
Get a Firebox or XTM device feature key 22
Gather network addresses 22
Select a firewall configuration mode 23
About the Quick Setup Wizard 24
Run the Web Setup Wizard 25
Connect to Fireware XTMWeb UI 28
Connect to Fireware XTMWeb UI from an external network 29
About Fireware XTMWeb UI 30
Select Fireware XTM Web UI language 31
Limitations of Fireware XTM Web UI 31
Complete your installation 32
Customize your security policy 32
About LiveSecurity Service 33
Additional installation topics 33
Connect to a Firebox or XTM device with Firefox v3 33
Identify your network settings 35
Set your computer to connect to your Firebox or XTM device 38
Disable the HTTP proxy in the browser 39
Configuration and Management Basics 41
About basic configuration and management tasks 41
Make a backup of the Firebox or XTM device image 41
Restore a Firebox or XTM device backup image 41
Use a USB drive for system backup and restore 42
About the USB drive 42
Save a backup image to a connected USB drive 42
Restore a backup image from a connected USB drive 43
Automatically restore a backup image from a USB drive 44
USB drive directory structure 45
Save a backup image to a USB drive connected to your computer 46
Reset a Firebox or XTM device to a previous or new configuration 48
Start a Firebox or XTM device in safe mode 48
Reset a Firebox X Edge e-Series or WatchGuard XTM 2 Series device to factory-default settings 49
Run the Quick Setup Wizard 49
About factory-default settings 49
About feature keys 51
When you purchase a new feature 51
See features available with the current feature key 51
Get a feature key from LiveSecurity 52
Add a feature key to your Firebox or XTM device 54
Restart your Firebox or XTM device 55
Restart the Firebox or XTM device locally 55
Restart the Firebox or XTM device remotely 56
Enable NTP and add NTP servers 56
Set the time zone and basic device properties 58
About SNMP 59
SNMP polls and traps 59
About Management Information Bases (MIBs) 59
Enable SNMP polling 61
Enable SNMP management stations and traps 62
About WatchGuard Passphrases, Encryption Keys, and Shared Keys 64
Create a secure passphrase, encryption key, or shared key 64
Firebox or XTM device Passphrases 64
User Passphrases 65
Server Passphrases 65
Encryption Keys and Shared Keys 65
Change Firebox or XTM device passphrases 67
Define Firebox or XTM device global settings 68
Define ICMP error handling global settings 68
Enable TCP SYN checking 69
Define TCP maximum segment size adjustment global settings 70
Enable or disable Traffic Management and QoS 70
Change the Web UI port 70
Automatic Reboot 70
External Console 71
See also 71
About WatchGuard Servers 71
Manage a Firebox or XTM device from a remote location 72
Configure a Firebox or XTM device as a managed device 74
Edit the WatchGuard policy 74
Set up the Managed Device 75
Upgrade to a new version of Fireware XTM 77
Install the upgrade on your management computer 77
Upgrade the Firebox or XTM device 77
Download the configuration file 78
About upgrade options 78
Subscription Services upgrades 78
Appliance and software upgrades 78
How to apply an upgrade 79
Network Setup and Configuration 81
About network interface setup 81
Network modes 82
Interface types 83
About network interfaces on the Edge e-Series 83
Mixed Routing Mode 84
Configure an external interface 84
Configure DHCP in mixed routing mode 87
About the Dynamic DNS service 90
Configure Dynamic DNS 90
Drop-in Mode 91
Use drop-in mode for network interface configuration 92
Configure related hosts 92
Configure DHCP in drop-in mode 93
Bridge Mode 96
Common interface settings 98
Disable an interface 100
Configure DHCPRelay 100
Restrict network traffic by MAC address 100
Add WINS and DNS server addresses 101
Configure a secondary network 102
About advanced interface settings 103
Network Interface Card (NIC) settings 104
Set DF bit for IPSec 105
PMTU Setting for IPSec 106
Use static MAC address binding 106
Find the MAC address of a computer 107
About LAN bridges 107
Create a network bridge configuration 108
Assign a network interface to a bridge 109
About routing 109
Add a static route 109
About virtual local area networks (VLANs) 110
VLAN requirements and restrictions 111
About tagging 111
About VLANIDnumbers 112
Define a new VLAN 112
Assign interfaces to a VLAN 114
Network Setup Examples 114
Example: Configure Two VLANs on the Same Interface 114
Use your Firebox or XTM device with the 3G Extend wireless bridge 118
Multi-WAN 121
About using multiple external interfaces 121
Multi-WAN requirements and conditions 121
Multi-WAN and DNS 122
About multi-WAN options 122
Round-robin order 122
Failover 122
Interface overflow 123
Routing table 123
Serial modem (Firebox XEdge only) 124
Configure Round-robin 125
Before You Begin 125
Configure the interfaces 125
Find how to assign weights to interfaces 125
Configure Failover 126
Before You Begin 126
Configure the interfaces 126
Configure Interface Overflow 127
Before You Begin 127
Configure the interfaces 127
Configure Routing Table 128
Before you begin 128
Routing Table mode and load balancing 128
Configure the interfaces 128
About the Firebox or XTM device route table 129
When to use multi-WAN methods and routing 129
Serial modem failover 131
Enable serial modem failover 131
Account settings 132
DNS settings 132
Dial-up settings 133
Advanced settings 133
Link Monitor settings 134
About advanced multi-WAN settings 135
Set a global sticky connection duration 135
Set the failback action 136
About WAN interface status 136
Time needed for the Firebox or XTM device to update its route table 136
Define a link monitor host 137
Network Address Translation (NAT) 139
About Network Address Translation 139
Types of NAT 140
About dynamic NAT 140
Add firewall dynamic NAT entries 140
Configure policy-based dynamic NAT 144
About 1-to-1 NAT 145
About 1-to-1 NAT and VPNs 146
Configure firewall 1-to-1 NAT 146
Configure policy-based 1-to-1 NAT 149
Configure NAT loopback with static NAT 151
Add a policy for NATloopback to the server 152
NAT loopback and 1-to-1 NAT 153
About static NAT 156
Configure server load balancing 157
NAT Examples 159
1-to-1 NAT example 159
Wireless Setup 161
About wireless configuration 161
About wireless access point configuration 162
Before you begin 163
About wireless configuration settings 164
Enable/disable SSID broadcasts 164
Change the SSID 165
Log authentication events 165
Change the fragmentation threshold 165
Change the RTS threshold 166
About wireless security settings 167
Set the wireless authentication method 167
Set the encryption level 168
Enable wireless connections to the trusted or optional network 169
Enable a wireless guest network 171
Enable a wireless hotspot 174
Configure user timeout settings 175
Customize the hotspot splash screen 175
Connect to a wireless hotspot 177
See wireless hotspot connections 178
Configure your external interface as a wireless interface 179
Configure the primary external interface as a wireless interface 179
Configure a BOVPN tunnel for additional security 181
About wireless radio settings on the Firebox X Edge e-Series Wireless device 182
Set the operating region and channel 183
Set the wireless mode of operation 184
About wireless radio settings on the WatchGuard XTM2 Series Wireless device 185
Country is set automatically 186
Select the Band and Wireless mode 186
Select the Channel 187
Configure the wireless card on your computer 188
Dynamic Routing 189
About dynamic routing 189
About routing daemon configuration files 189
About Routing Information Protocol (RIP) 190
Routing Information Protocol (RIP) commands 190
Configure the Firebox or XTM device to use RIP v1 192
Configure the Firebox or XTM device to use RIP v2 193
Sample RIP routing configuration file 195
About Open Shortest Path First (OSPF) Protocol 196
OSPF commands 197
OSPF Interface Cost table 200
Configure the Firebox or XTM device to use OSPF 200
Sample OSPF routing configuration file 202
About Border Gateway Protocol (BGP) 204
BGP commands 205
Configure the Firebox or XTM device to use BGP 207
Sample BGP routing configuration file 208
Authentication 211
About user authentication 211
User authentication steps 212
Manage authenticated users 213
Use authentication to restrict incoming traffic 213
Use authentication through a gateway Firebox 214
Set global authentication values 214
Set global authentication timeouts 215
Allow multiple concurrent logins 216
Limit login sessions 216
Automatically redirect users to the login portal 217
Use a custom default start page 217
Set Management Session timeouts 218
About the WatchGuard Authentication (WG-Auth) policy 218
About Single Sign-On (SSO) 218
Before You Begin 220
Set up SSO 220
Install the WatchGuard Single Sign-On (SSO) agent 220
Install the WatchGuard Single Sign-On (SSO) client 221
Enable Single Sign-On (SSO) 222
Authentication server types 223
About using third-party authentication servers 223
Use a backup authentication server 224
Configure your Firebox or XTM device as an authentication server 224
Types of Firebox authentication 224
Define a new user for Firebox authentication 227
Define a new group for Firebox authentication 229
Configure RADIUS server authentication 230
Authentication key 230
RADIUSauthentication methods 230
Before you begin 230
Use RADIUSserver authentication with your Firebox or XTM device 230
How RADIUS server authentication works 232
Configure VASCO server authentication 235
Configure SecurID authentication 237
Configure LDAP authentication 238
About LDAP optional settings 240
Configure Active Directory authentication 241
About Active Directory optional settings 242
Find your Active Directory search base 243
Change the default port for the Active Directory server 244
Use Active Directory or LDAP Optional Settings 244
Before You Begin 245
Specify Active Directory or LDAP Optional Settings 245
Use a local user account for authentication 248
Use authorized users and groups in policies 248
Define users and groups for Firebox authentication 248
Define users and groups for third-party authentication 248
Add users and groups to policy definitions 249
Policies 251
About policies 251
Packet filter and proxy policies 251
About adding policies to your Firebox or XTM device 252
About the Firewall or Mobile VPN Policies page 253
Add policies to your configuration 254
Add a policy from the list of templates 255
Disable or delete a policy 256
About aliases 257
Alias members 257
Create an alias 258
About policy precedence 259
Automatic policy order 260
Policy specificity and protocols 260
Traffic rules 260
Firewall actions 261
Schedules 261
Policy types and names 261
Set precedence manually 261
Create schedules for Firebox or XTM device actions 262
Set an operating schedule 262
About custom policies 263
Create or edit a custom policy template 263
About policy properties 266
Policy tab 266
Properties tab 266
Advanced tab 266
Proxy settings 267
Set access rules for a policy 267
Configure policy-based routing 269
Set a custom idle timeout 271
Set ICMP error handling 271
Apply NAT rules 271
Set the sticky connection duration for a policy 272
Proxy Settings 273
About proxy policies and ALGs 273
Proxy configuration 274
About Application Blocker Configurations 274
Configure Application Blocker 274
About Skype and Application Blocker 276
Add a proxy policy to your configuration 276
About proxy actions 278
Set the proxy action 278
Edit, delete, or clone proxy actions 278
About predefined and user-defined proxy actions 279
About the DNS proxy 279
Policy tab 279
Properties tab 280
Advanced tab 280
Settings and Content tabs 280
DNSProxy:Content 280
DNSProxy:Settings 281
About the FTP proxy 282
Policy tab 284
Properties tab 284
Advanced tab 285
Settings and Content tabs 285
FTP proxy: Content 285
FTPProxy:Settings 286
About the H.323 ALG 287
VoIPcomponents 287
ALGfunctions 288
Policy tab 288
Properties tab 289
Advanced tab 289
Settings and Content tabs 289
H.323 ALG:Content 289
H.323 ALG:Settings 291
About the HTTP proxy 292
Policy tab 293
Properties tab 294
Advanced tab 294
Settings, Content and Application Blocker tabs 294
Enable Windows updates through the HTTPproxy 294
HTTP proxy: Settings tab 295
HTTP proxy: Content tab 299
HTTP proxy: Application Blocker 301
About the HTTPS proxy 301
Policy tab 302
Properties tab 302
Advanced tab 302
Settings and Content tabs 302
HTTPSProxy:Content 302
HTTPSProxy:Settings 304
About the POP3 proxy 306
Policy tab 306
Properties tab 307
Advanced tab 307
Settings and Content tabs 307
POP3Proxy:Content 307
POP3Proxy:Settings 308
About the SIP proxy 309
VoIPcomponents 310
ALGfunctions 310
Policy tab 310
Properties tab 311
Advanced tab 311
Settings and Content tabs 311
SIP ALG:Content 311
SIP ALG:Settings 313
About the SMTP proxy 314
Policy tab 314
Properties tab 315
Advanced tab 315
Settings, Addressing, and Content tabs 315
SMTPProxy:Addressing 315
SMTPProxy:Content 316
SMTPProxy:Settings 317
Configure the SMTPproxy to quarantine email 318
About the TCP-UDP proxy 320
Policy tab 320
Properties tab 320
Advanced tab 321
Settings and Content tabs 321
TCP-UDP Proxy: Settings 321
TCP-UDP Proxy: Content 322
Traffic Management and QoS 323
About Traffic Management and QoS 323
Enable traffic management and QoS 323
Guarantee bandwidth 324
Restrict bandwidth 325
QoS Marking 325
Traffic priority 325
Set Outgoing Interface Bandwidth 325
Set Connection Rate Limits 327
About QoS Marking 327
Before you begin 327
QoS markingfor interfaces and policies 328
QoS marking and IPSec traffic 328
Marking types and values 328
Enable QoS Marking for an interface 330
Enable QoS Marking or prioritization settings for a policy 331
Traffic control and policy definitions 332
Define a Traffic Management action 332
Add a Traffic Management action to a policy 334
Default Threat Protection 335
About default threat protection 335
About default packet handling options 336
About spoofing attacks 337
About IP source route attacks 338
About port space and address space probes 338
About flood attacks 340
About unhandled packets 342
About distributed denial-of-service attacks 342
About blocked sites 344
Permanently blocked sites 344
Auto-blocked sites/Temporary Blocked Sites list 344
See and edit the sites on the Blocked Sites list 344
Block a site permanently 344
Create Blocked Site Exceptions 345
Block sites temporarily with policy settings 346
Change the duration that sites are auto-blocked 346
About blocked ports 347
Default blocked ports 347
Block a port 349
Logging and Notification 351
About logging and log files 351
Log Servers 351
System Status Syslog 352
Logging and notification in applications and servers 352
About log messages 352
Types of log messages 353
Send log messages to a WatchGuard Log Server 354
Add, edit, or change the priority of Log Servers 354
Send log information to a Syslog host 355
Configure Logging Settings 356
Set the diagnostic log level 357
Configure logging and notification for a policy 358
Set logging and notification preferences 359
Use Syslog to see log message data 360
View, Sort, and Filter log message data 360
Refresh log message data 362
Monitor Your Device 363
About the Dashboard and System Status Pages 363
The Dashboard 363
System Status pages 365
ARP Table 366
Authentication List 366
Bandwidth Meter 367
Blocked Sites 368
Add or edit temporary blocked sites 368
Checksum 369
Connections 369
Components List 370
CPUUsage 370
DHCP Leases 370
Diagnostics 371
Run a basic diagnostics command 372
Use command arguments 372
Dynamic DNS 373
Feature Key 374
When you purchase a new feature 374
See features available with the current feature key 374
Interfaces 375
LiveSecurity 376
Memory 376
Outbound Access List 377
Processes 378
Routes 379
Syslog 380
Traffic Management 380
VPN Statistics 380
Wireless statistics 381
Wireless hotspot connections 382
Certificates 383
About certificates 383
Use multiple certificates to establish trust 383
How the Firebox or XTM device uses certificates 384
Certificate lifetimes and CRLs 384
Certificate authorities and signing requests 385
Certificate Authorities Trusted by the Firebox or XTM device 385
See and manage Firebox or XTM device certificates 391
Create a CSR with OpenSSL 393
Use OpenSSL to generate a CSR 393
Sign a certificate with Microsoft CA 393
Issue the certificate 394
Download the certificate 394
Use Certificates for the HTTPS Proxy 395
Protect a private HTTPSserver 395
Examine content from external HTTPS servers 396
Export the HTTPScontent inspection certificate 396
Import the certificates on client devices 397
Troubleshoot problems with HTTPScontent inspection 397
Use certificates for Mobile VPN with IPSec tunnel authentication 397
Certificates for Branch Office VPN (BOVPN) tunnel authentication 398
Verify the certificate with FSM 399
Verify VPN certificates with an LDAP server 399
Configure the web server certificate for Firebox authentication 400
Import a certificate on a client device 401
Import a PEMformat certificate with Windows XP 401
Import a PEMformat certificate with Windows Vista 402
Import a PEMformat certificate with Mozilla Firefox 3.x 402
Import a PEMformat certificate with Mac OSX10.5 403
Virtual Private Networks (VPNs) 405
Introduction to VPNs 405
Branch Office VPN 405
Mobile VPN 406
About IPSec VPNs 406
About IPSec algorithms and protocols 406
About IPSec VPN negotiations 408
Configure Phase 1 and Phase 2 settings 411
About Mobile VPNs 412
Select a Mobile VPN 412
Internet access options for Mobile VPN users 414
Mobile VPN setup overview 415
Branch Office VPNs 417
What you need to create a manual BOVPN 417
About manual Branch Office VPN tunnels 418
What you need to create a VPN 418
How to create a manual BOVPNtunnel 419
One-way tunnels 419
VPN Failover 419
Global VPN settings 419
BOVPNtunnel status 420
Rekey BOVPNtunnels 420
Sample VPN address information table 421
Configure gateways 422
Define gateway endpoints 424
Configure mode and transforms (Phase 1 settings) 425
Edit and delete gateways 430
Disable automatic tunnel startup 430
If your Firebox or XTM device is behind a device that does NAT 430
Make tunnels between gateway endpoints 432
Define a tunnel 432
Add routes for a tunnel 434
Configure Phase 2 settings 434
Add a Phase 2 proposal 436
Change order of tunnels 437
About global VPN settings 437
Enable IPSec Pass-through 438