Watchguard Legacy Firebox X Core & Peak User guide

WatchGuard® System Manager
User Guide
Version 7.3
ADDRESS:
505 Fifth Avenue South
Suite 500
Seattle, WA 98104
SUPPORT:
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.613.0456
SALES:
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.521.8340
ABOUT WATCHGUARD
WatchGuard network security solutions provide small- to
mid-sized enterprises worldwide with effective, affordable
security. Our Firebox line of extendable, integrated
security appliances is designed to be fully upgradeable
as an organization grows, and to deliver the industry's
best combination of security, performance, intuitive
interface, and value. WatchGuard Intelligent Layered
Security architecture protects against emerging threats
effectively and efficiently, and provides the flexibility to
integrate additional security functionality and services
offered through WatchGuard. Every WatchGuard product
comes with an initial LiveSecurity Service subscription
to help customers stay on top of security with vulnerability
alerts, software updates, expert security instruction,
and superior customer care.
FOR MORE INFORMATION: Please visit us at
www.watchguard.com or contact your reseller for more
information.
Firmware Version: 7.3
Part Number:
Guide Version: 7.3-1
Contents
CHAPTER 1 Introduction
Welcome to WatchGuard®
WatchGuard System Manager Components
WatchGuard Firebox
Firebox System Manager
WatchGuard network security features
WatchGuard LiveSecurity® Service
Minimum Hardware and Software
Software requirements
Web browser preconditions
Hardware preconditions
WatchGuard Options
Firebox X 3-Port Upgrade
Firebox X Model Upgrade
VPN Manager
High Availability
Mobile User VPN
SpamScreen
BOVPN Upgrade
Get WatchGuard Options
Controlling and Enabling License Keys
About this User Guide
CHAPTER 2 Service and Support
LiveSecurity® Service Solutions
LiveSecurity® Broadcasts
Activating the LiveSecurity® service
LiveSecurity® Self Help Tools
WatchGuard Users Forum
WatchGuard Users Group
Online Help
Starting WatchGuard Online Help
Searching for information
Copy the Online Help system to more computers
Software Requirements
Context-sensitive Help
Product Documentation
Technical Support
LiveSecurity® Technical Support
LiveSecurity® Gold
Firebox Installation Service
VPN Installation Service
Training and Certification
CHAPTER 3 Getting Started
Updating Your Software and Configuration
Collecting Network Information
Selecting a Firewall Configuration Mode
Routed configuration
Drop-in configuration
Adding secondary networks to your configuration
Dynamic IP support on the external interface
Setting Up the Management Station
Software encryption levels
Connecting the Firebox X Edge
If you use a serial cable
If you connect through a hub
Using the QuickSetup Wizard
Do a test on the connection
Enter the IP addresses
Put the Firebox into operation on your network
After your Installation
Align your security policy
Features of the LiveSecurity® Service
CHAPTER 4 Basic Firebox Configuration
Firebox Description
Opening a Configuration File
Opening a configuration from the Firebox
Opening a configuration from a local hard disk
Saving a Configuration File
Saving a configuration to the Firebox
Changing the Firebox passphrases
Setting the Firebox Model
Setting the Time Zone
Setting a Firebox Friendly Name
CHAPTER 5 Using Policy Manager to Configure the Network
Making a New Configuration File
Setting the IP Addresses of Firebox Interfaces
Setting addresses in drop-in mode
Using proxy ARP
Setting the addresses in routed mode
Configuring the external interface
Setting the external interface for DHCP
Setting the external interface for PPPoE
Using a static DHCP or static PPPoE address
Adding external IP aliases
Adding Secondary Networks
Adding WINS and DNS Server Addresses
Configuring the Firebox as a DHCP Server
Adding a subnet
Changing a subnet
Removing a subnet
Adding Basic Services to Policy Manager
Configuring Routes
Adding a network route
Adding a host route
Firebox interface speed and duplex
CHAPTER 6 Managing and Monitoring the Firebox
About Incoming and Outgoing Traffic
Starting the Firebox System Manager
Using the Security Traffic Display
Monitoring status information
Selecting the middle of the star
Basic System Manager Functionality
Monitoring basic indicators
Firebox and VPN tunnel status
Monitoring Firebox Traffic
Changing the polling rate and number of log messages
Using color for log messages
Copying log messages
Doing Basic Tasks with System Manager
Running the QuickSetup Wizard
Flushing the ARP cache
Connecting to a Firebox
Getting more information on the Web
Starting Firebox tools
Viewing Bandwidth Usage
Viewing Number of Connections by Service
Viewing Information About Firebox Status
Status Report
Authentication
Blocked Sites
HostWatch
HostWatch
Connecting HostWatch to a Firebox
Showing a log file in HostWatch
Controlling the HostWatch window
Changing HostWatch view properties
CHAPTER 7 Configuring Network Address Translation
Dynamic NAT
Using Simple Dynamic NAT
Enabling simple dynamic NAT
Adding simple dynamic NAT entries
Reordering simple dynamic NAT entries
Specifying simple dynamic NAT exceptions
Using Service-Based Dynamic NAT
Enabling service-based dynamic NAT
Configuring service-based dynamic NAT
Configuring Service-Based Static NAT
Adding external IP addresses
Setting static NAT for a service
Using 1-to-1 NAT
Proxies and NAT
CHAPTER 8 Configuring a Service
Packet Filters and Proxies
Services and the Policy Manager
Selecting Services for your Security Policy
Incoming and outgoing services
Incoming service guidelines
Outgoing service guidelines
Adding and Configuring Services
Changing the Policy Manager View
Service Parameters to Configure
Adding a service
Making a new service
Adding more than one service of the same type
Deleting a service
Configuring Service Properties
Opening the Service Properties dialog box
Adding service properties
Adding addresses or users to service properties
Working with wg_icons
Customizing logging and notification
Service Precedence
CHAPTER 9 Configuring Proxied Services
Protocol Anomaly Detection
Customizing Logging and Notification for Proxies
Configuring an SMTP Proxy Service
Configuring Incoming SMTP Proxy
Enabling protocol anomaly detection for SMTP
Configuring the Outgoing SMTP Proxy
Configuring A FTP Proxy Service
Enabling protocol anomaly detection for FTP
Selecting an HTTP Service
Adding a proxy service for HTTP
Configuring a caching proxy server
Configuring the DNS Proxy Service
Adding the DNS Proxy Service
Enabling protocol anomaly detection for DNS
DNS file descriptor limit
CHAPTER 10 Using Aliases and Authentication
Using Aliases
Adding an alias
How User Authentication Works
Using external authentication
Enabling remote authentication
Authenticating from optional networks
Authentication Server Types
Defining Firebox Users and Groups for Authentication
Configuring Windows NT Server Authentication
Configuring RADIUS Server Authentication
Configuring CRYPTOCard Server Authentication
Configuring SecurID Authentication
CHAPTER 11 Intrusion Detection and Prevention
Default Packet Handling
Blocking spoofing attacks
Blocking port space and address space attacks
Stopping IP options attacks
Stopping SYN Flood attacks
Changing SYN flood settings
Blocking Sites
Blocking a site permanently
Creating exceptions to the Blocked Sites list
Changing the auto-block duration
Logging and notification for blocked sites
Blocking Ports
Avoiding problems with approved users
Blocking a port permanently
Auto-blocking sites that try to use blocked ports
Setting logging and notification for blocked ports
Blocking Sites Temporarily with Service Settings
Configuring a service to temporarily block sites
Viewing the Blocked Sites list
Integrating Intrusion Detection
Using the fbidsmate tool
CHAPTER 12 Setting Up Logging and Notification
Developing Logging and Notification Policies
Logging policy
Notification policy
Failover Logging
WatchGuard Logging Architecture
Designating Log Hosts for a Firebox
Adding a log host
Enabling Syslog logging
Changing the log encryption key
Removing a log host
Reordering log hosts
Synchronizing log hosts
Setting up the WatchGuard Security Event Processor
Running the WSEP application
Viewing the WSEP
Starting and stopping the WSEP
Setting the log encryption key
Setting Global Logging and Notification Preferences
Log file size and rollover frequency
Setting the interval for log rollover
Scheduling log reports
Controlling notification
Setting a unique Firebox name for log files
Customizing Logging and Notification
Setting Launch Interval and Repeat Count
Setting logging and notification for a service
Logging and notification for default packet-handling
Logging and notification for blocked sites and ports
CHAPTER 13 Reviewing and Working with Log Files
Log File Names and Locations
Viewing Files with LogViewer
Starting LogViewer and opening a log file
Setting LogViewer preferences
Searching for specified entries
Copying and exporting LogViewer data
Displaying and Hiding Fields
Working with Log Files
Consolidating logs from multiple locations
Copying log files
Forcing the rollover of log files
Saving log files to a new location
Setting log encryption keys
Sending logs to a log host at another location
CHAPTER 14 Generating Reports of Network Activity
Creating and Editing Reports
Starting a new report
Editing an existing report
Deleting a report
Viewing the reports list
Specifying a Report Time Interval
Specifying Report Sections
Consolidating Report Sections
Setting Report Properties
Exporting Reports
Exporting reports to HTML format
Exporting reports to NetIQ format
Exporting a report to a text file
Using Report Filters
Creating a new report filter
Editing a report filter
Deleting a report filter
Applying a report filter
Scheduling and Running Reports
Scheduling a report
Manually running a report
Report Sections and Consolidated Sections
Report sections
Consolidated sections
CHAPTER 15 Controlling Web Site Access
Getting Started with WebBlocker
Installing the WebBlocker server
Downloading the database using WebBlocker
Configuring the WatchGuard service icon
Add an HTTP Service
Configuring the WebBlocker Service
Activating WebBlocker
Allowing WebBlocker server bypass
Configuring the WebBlocker Message
Scheduling operational and non-operational hours
Setting privileges
Creating WebBlocker exceptions
Managing the WebBlocker Server
Installing Multiple WebBlocker Servers
Automating WebBlocker Database Downloads
Installing Scheduled Tasks
CHAPTER 16 Connecting with Out-of-Band Management
Connecting a Firebox with OOB Management
Enabling the Management Station
Preparing a WinNT management station for OOB
Preparing a Win2000 management station for OOB
Preparing a WinXP management station for OOB
Configuring the Firebox for OOB
Establishing an OOB Connection
CHAPTER 17 Introduction to VPN Technology
Tunnels and Tunnel Protocols
IPSec
PPTP
Encryption
Authentication
Extended authentication
Internet Key Exchange (IKE)
WatchGuard VPN Solutions
Mobile User VPN
RUVPN with PPTP
RUVPN with extended authentication
Branch Office Virtual Private Network (BOVPN)
CHAPTER 18 Designing a VPN Environment
Selecting an Authentication Method
Selecting an Encryption and Data Integrity Method
IP Addressing
NAT and VPNs
Access Control
Network Topology
Meshed networks
Hub-and-spoke networks
Tunneling Methods
Determining Which WatchGuard VPN Solution to Use
VPN Installation Services
VPN Scenarios
Large company with branch offices: VPN Manager
Medium-sized company with main office and auxiliary...
Small company with telecommuters: MUVPN
Company with remote employees
CHAPTER 19 Activating the Certificate Authority
Public Key Cryptography and Digital Certificates
PKI in a WatchGuard VPN
Defining a Firebox as a DVCP Server and CA
Managing the Certificate Authority
Managing certificates from the CA Manager
Restarting the CA
CHAPTER 20 Configuring RUVPN with PPTP
Configuration Checklist
Encryption levels
Configuring WINS and DNS Servers
Adding New Users to Authentication Groups
Configuring Services to Allow Incoming RUVPN Traffic
By individual service
Using the Any service
Activating RUVPN with PPTP
Enabling Extended Authentication
Entering IP Addresses for RUVPN Sessions
Configuring Debugging Options
Preparing the Client Computers
Installing MSDUN and Service Packs
Windows NT Platform Preparation
Windows 2000 Platform Preparation
Windows XP Platform Preparation
Starting RUVPN with PPTP
Running RUVPN and Accessing the Internet
Making Outbound PPTP Connections
Making Outbound IPSec Connections
CHAPTER 21 Configuring BOVPN with Basic DVCP
Configuration Checklist
Creating a Tunnel to a Device
Editing a tunnel to a device
Removing a tunnel to a device
Configuring Logging for a DVCP Server
CHAPTER 22 Configuring BOVPN with Manual IPSec
Configuration Checklist
Configuring a Gateway
Making a Tunnel with Manual Security
Making a Tunnel with Dynamic Key Negotiation
Making a Routing Policy
Configuring routing policies for proxies over VPN
Changing IPSec policy order
Configuring multiple policies per tunnel
Configuring services for BOVPN with IPSec
Enabling the BOVPN Upgrade
CHAPTER 23 Configuring IPSec Tunnels with VPN Manager
Configuring a Firebox as a DVCP Server and CA
Starting VPN Manager
Adding Devices to VPN Manager (Dynamic Devices Only)
Updating a device’s settings
Configuring a Firebox as a DVCP Client (Dynamic Only)
Adding Policy Templates (Necessary for Dynamic)
Adding resources to a policy template
Adding Security Templates
Making Tunnels Between Devices
Drag-and-drop tunnel procedure
Menu-driven tunnel creation
Enabling a Telecommuter Tunnel
Editing a Tunnel
Removing Tunnels and Devices from VPN Manager
Removing a tunnel
Removing a device
Giving Remote Access to the DVCP Server
CHAPTER 24 Monitoring VPN Devices and Tunnels
Monitoring VPN tunnels from System Manager
Branch Office VPN tunnels
Remote VPN Tunnels
Monitoring VPN tunnels through VPN Manager
Opening the VPN Manager Window
Device Status
Connection status
Tunnel status
Log server status .............................................................329
Making a custom view .....................................................330
CHAPTER 25 VPN Manager and Firebox X Edge & SOHO .....331
Importing Certificates ..................................................331
Microsoft Internet Explorer 5.5 and 6.0 ........................332
Netscape Communicator 4.79 .......................................333
Netscape 6 ......................................................................333
Managing the Firebox X Edge or SOHO 6 .......................334
Microsoft Internet Explorer 5.5 and 6.0 ........................337
Netscape Navigator 4.79 ................................................337
Netscape 6 .......................................................................338
CHAPTER 26 Troubleshooting Firebox Connectivity..............339
Procedure 1: Ethernet Dongle Procedure .......................339
Procedure 2: The Flash Disk Management Utility ............342
Procedure 3: Using the Reset Button ............................343
CHAPTER 1 Introduction
Welcome to WatchGuard®
Historically, it was necessary to use many tools, systems, and personnel
to control the security of your network. Different computer systems
control access, authentication, virtual private networking, and network
control. More computers are used to monitor and report on network
traffic. These expensive systems are not easy to use together, and it is
not easy to keep their software current. WatchGuard System Manager
provides an alternative with an integrated solution to control these
security problems and helps you to:
• Keep the network security current
• Protect all offices with a connection to the Internet
• Encrypt the messages to and from remote offices and users
• Control all network security systems from one location
WatchGuard System Manager is a stable, flexible, and inexpensive
network security solution. You can quickly install the hardware and
software, and the installation of the system includes many features to
make it easy to protect your network. Management tools let you make
a custom security policy, monitor your network traffic, and
troubleshoot network errors and problems.
WatchGuard System Manager Components
WatchGuard System Manager includes hardware, software, and services
to help you make a safe network for your users and electronic
information. It includes:
• A Firebox — an integrated security device
• Firebox System Manager — software tools to control and
monitor your system
• LiveSecurity® service — a service that sends e-mail messages
with information about networks and network security
WatchGuard Firebox
The Firebox hardware is a specially made computer which puts a
firewall, virtual private networking, and other network security
features on one device. The Firebox X has an indicator LED and
interface connectors on the forward panel. The Firebox III has indicator
LEDs on the forward panel and interface connectors on the rear
panel. The WatchGuard System Manager software can configure
Firebox III and Firebox X hardware devices.
Firebox System Manager
The Firebox System Manager is a group of software tools that operate
from one location, which we call the management station. The
Firebox System Manager lets you configure and monitor your
network security policy. The Firebox System Manager includes:
Policy Manager
The Policy Manager lets you install, configure, and customize a
network security policy.
Log Viewer
The Log Viewer shows a static view of a log file. It lets you:
- Apply a filter by data type
- Search for words and fields
- Print and save to a file
HostWatch
HostWatch shows the connections through a Firebox from the
trusted network to the external network. It shows the current
connections, or it can show the connections from a list in a log
file.
Historical Reports
These HTML reports give data to use when you monitor or
troubleshoot the network. The data can include:
- Type of session
- Most active hosts
- Most used services
- URLs
- Other important information
WatchGuard network security features
WatchGuard System Manager includes more than the basic configuration
for your network security policy. It also gives you:
• User authentication
• Network address translation
• Remote user virtual private networking (RUVPN)
• Branch office virtual private networking (BOVPN)
• Intrusion detection and prevention
WatchGuard LiveSecurity® Service
The special LiveSecurity service makes the maintenance of network
security easy. The WatchGuard Rapid Response Team sends frequent
e-mail information alerts, software updates, and security alarms to
help you protect your network.
Minimum Hardware and Software
This section tells you about the hardware and software requirements
that are necessary to install and operate WatchGuard System Manager.
Software requirements
WatchGuard System Manager software can run on Microsoft Windows
NT 4.0, Windows 2000, or Windows XP as follows:
Windows NT
• Microsoft Windows NT 4.0
• Microsoft Service Pack 4, Service Pack 5, or Service Pack 6a for
Windows NT 4.0
Windows 2000
• Microsoft Windows 2000 Professional or Windows 2000 Server
Windows XP
• Microsoft Windows XP
Web browser preconditions
You must have Microsoft Internet Explorer 4.0 or a subsequent version
to run the installation from the CD. WatchGuard recommends
one of these HTML-based browsers to look at the WatchGuard
Online Help:
• Netscape Communicator 4.7 or a subsequent version
• Microsoft Internet Explorer 5.01 or a subsequent version
Hardware preconditions
The table that follows shows the necessary minimum and recommended
hardware.

Hardware part      Minimum    Recommended
Memory             128 MB     256 MB
Processor          700 MHz    1.4 GHz
Hard disk space    100 MB     1 GB

WatchGuard Options
Options let you use WatchGuard System Manager in the environments
and with the network security policies of different users.
The options that follow are available for WatchGuard System Manager.
Firebox X 3-Port Upgrade
This option lets you operate three more network ports on your
Firebox X. You can use the added ports to set up DMZs for public
servers or to give protection to more internal components of your
network with your Firebox. When you add this upgrade to your
Firebox X, you get more functions. These functions operate with the
same configuration tools and processes as your optional port.