Watchguard Fireware XTM Web UI User guide

Fireware XTM Web UI 11.9 User Guide
WatchGuard XTM Devices
ii Fireware XTM Web UI
About this User Guide
The Fireware XTM Web UI User Guide is updated with each major product release. For minor product releases, only the Fireware XTM Web UI Help system is updated. The Help system also includes specific, task-based implementation examples that are not available in the User Guide.

For the most recent product documentation, see the Fireware XTM Web UI Help on the WatchGuard web site at: http://www.watchguard.com/help/documentation/.

Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.
Guide revised: 5/12/2014
Copyright, Trademark, and Patent Information
Copyright © 1998–2014 WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade
names mentioned herein, if any, are the property of their respective owners.
Complete copyright, trademark, patent, and licensing information can be found in the Copyright and
Licensing Guide, available online at: http://www.watchguard.com/help/documentation/
This product is for indoor use only.
About WatchGuard
WatchGuard offers affordable, all-in-one network and content security solutions that provide defense-in-depth and help meet regulatory compliance requirements. The WatchGuard XTM line combines firewall, VPN, GAV, IPS, spam blocking and URL filtering to protect your network from spam, viruses, malware, and intrusions. The new XCS line offers email and web content security combined with data loss prevention. WatchGuard extensible solutions scale to offer right-sized security ranging from small businesses to enterprises with 10,000+ employees. WatchGuard builds simple, reliable, and robust security appliances featuring fast implementation and comprehensive management and reporting tools. Enterprises throughout the world rely on our signature red boxes to maximize security without sacrificing efficiency and productivity.

For more information, please call 206.613.6600 or visit www.watchguard.com.
Address
505 Fifth Avenue South
Suite 500
Seattle, WA 98104
Support
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575
Sales
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895
User Guide iii
Table of Contents
Fireware XTM Web UI 11.9 User Guide 1
Introduction to Network Security 1
About Networks and Network Security 1
About Internet Connections 1
About Protocols 2
About IP Addresses 3
IPv4 Addresses 3
IPv6 Addresses 4
About Slash Notation 5
About Entering Addresses 6
Static and Dynamic IP Addresses 6
About DNS (Domain Name System) 7
About Firewalls 8
About Services and Policies 9
About Ports 10
The XTM Device and Your Network 10
Introduction to Fireware XTM 13
About Fireware XTM 13
Fireware XTM Components 14
WatchGuard System Manager 14
WatchGuard Server Center 15
Fireware XTM Web UI and Command Line Interface 16
Fireware XTMwith a Pro Upgrade 17
Fireware XTM on an XTMv Device 18
XTMv Device Limitations 18
Virtual Switch Configuration 18
Hyper-VVirtual Adapter Configuration 19
XTMv Device Installation 19
FIPS Support in Fireware XTM 20
About FIPSMode 20
FIPS Mode Operation and Constraints 20
Service and Support 21
About WatchGuard Support 21
LiveSecurity Service 21
LiveSecurity Service Gold 22
Service Expiration 23
Getting Started 25
Before You Begin 25
Verify Basic Components 25
Get an XTM Device Feature Key 26
Gather Network Addresses 26
Select a Firewall Configuration Mode 27
About the Quick Setup Wizard 28
Run the Web Setup Wizard 29
Connect to Fireware XTMWeb UI 34
Connect to Fireware XTMWeb UI from an External Network 36
About Fireware XTMWeb UI 37
Limitations of Fireware XTM Web UI 38
Complete Your Installation 39
Customize Your Security Policy 39
About LiveSecurity Service 39
Additional Installation Topics 40
Connect to an XTM Device with Firefox 40
Identify Your Network Settings 41
Set Your Computer to Connect to Your XTM Device 43
Disable the HTTP Proxy in the Browser 45
Configuration and Management Basics 47
About Basic Configuration and Management Tasks 47
Make a Backup of the XTM Device Image 47
Restore an XTM Device Backup Image 49
Use a USB Drive for System Backup and Restore 50
About the USB Drive 50
Save a Backup Image to a Connected USB Drive 50
Restore a Backup Image from a Connected USB Drive 51
Automatically Restore a Backup Image from a USB Drive 51
USB Drive Directory Structure 54
Save a Backup Image to a USB Drive Connected to Your Computer 55
Use a USBDrive to Save a Support Snapshot 55
Reset a Device 57
Start an XTM Device in Safe Mode 57
Reset a Firebox T10, XTM 2 Series or XTM33 to Factory-Default Settings 57
Reset an XTMv VMto Factory-Default Settings 58
Run the Setup Wizard 58
About Factory-Default Settings 59
About Feature Keys 61
See Features Available with the Current Feature Key 61
Get a Feature Key for Your XTMDevice 63
Manually Add a Feature Key to Your XTM Device 67
Enable Automatic Feature Key Synchronization 70
Restart Your Firebox or XTM Device 71
Restart the XTM Device Locally 71
Restart the XTM Device Remotely 71
Enable NTP and Add NTP Servers 72
Set the Time Zone and Basic Device Properties 73
About SNMP 74
SNMP Polls and Traps 74
Enable SNMP Polling 75
Enable SNMP Management Stations and Traps 76
About Management Information Bases (MIBs) 79
About WatchGuard Passphrases, Encryption Keys, and Shared Keys 80
Create a Secure Passphrase, Encryption Key, or Shared Key 80
Device Default Account Passphrases 82
User Passphrases 82
Server Passphrases 82
Encryption Keys and Shared Keys 83
Define Device Global Settings 84
Change the Web UI Port 85
Automatic Reboot 86
Device Feedback 86
Define ICMP Error Handling Global Settings 87
Configure TCP Settings 88
Enable or Disable Traffic Management and QoS 89
Manage Traffic Flow 90
About WatchGuard Servers 90
Manage an XTM Device From a Remote Location 92
Configure an XTM Device as a Managed Device 94
Edit the WatchGuard Policy 94
Set Up the Managed Device 95
Configure a Deployed Remote Device for a Management Tunnel over SSL 97
Upgrade to a New Version of Fireware XTM 99
Install the Upgrade on Your Management Computer 99
Upgrade the XTM Device 99
Downgrade Fireware XTMOS 101
Use a Saved Backup Image to Downgrade 101
Downgrade Without a Backup Image 101
Use the Web UI to Downgrade from Fireware XTM OS v11.7 or Higher 103
Download or Show the XTMDevice Configuration 105
Download the Configuration File 105
Show the XTMConfiguration Report 105
About Upgrade Options 107
Subscription Services Upgrades 107
Appliance and Software Upgrades 108
How to Apply an Upgrade 108
About Subscription Services Expiration and Renewal 108
Subscription Renewal Reminders 109
Feature Key Compliance 109
Security Service Expiration Behavior 109
LiveSecurity Service 111
Synchronize Subscription Renewals 111
Renew Subscription Services 112
Subscription Services Status and Manual Signatures Updates 112
RemoteConfig and RapidDeploy 114
About RemoteConfig and RapidDeploy 115
RemoteConfig 115
RapidDeploy 115
Automatic Configuration Download 115
Use RemoteConfig 116
Use RapidDeploy 129
Use a USB Drive to Configure Interface Settings 135
Network Setup and Configuration 139
About Network Interface Setup 139
Network Modes 140
Interface Types 141
Wireless Interfaces 141
About Private IPAddresses 142
About IPv6 Support 142
Mixed Routing Mode 144
Configure an External Interface 144
Configure a Trusted or Optional Interface 153
Configure the DHCPv6 Address Pool 163
Configure DHCPv6 Reservations 163
Enable Rapid Commit 163
Configure IPv6 Address Lifetimes 163
Configure a Custom Interface 166
About the Dynamic DNS Service 167
Configure Dynamic DNS 168
Drop-In Mode 169
Use Drop-In Mode for Network Interface Configuration 170
Configure Related Hosts 170
Configure DHCP in Drop-In Mode 172
Bridge Mode 175
Enable Bridge Mode 177
Allow Management Access from a VLAN 177
Common Interface Settings 178
Disable an Interface 179
Configure DHCPRelay 179
Restrict Network Traffic by MAC Address 179
Add WINS and DNS Server Addresses 180
Add a Secondary Network IPAddress 182
About Advanced Interface Settings 185
Network Interface Card (NIC)Settings 185
Set DF Bit for IPSec 188
PMTU Setting for IPSec 188
Use Static MAC Address Binding 189
Find the MAC Address of a Computer 190
About LAN Bridges 190
Create a Network Bridge Configuration 190
Assign a Network Interface to a Bridge 193
About Routing 194
Add a Static Route 194
Add Static ARPEntries 199
About Virtual Local Area Networks (VLANs) 200
VLAN Requirements and Restrictions 200
About Tagging 201
About VLANIDNumbers 201
Define a New VLAN 201
Assign Interfaces to a VLAN 206
About Link Aggregation 207
Requirements and Limitations 207
Link Aggregation Modes 207
Configure Link Aggregation 209
Monitor Link Aggregation Interfaces 215
Network Setup Examples 216
Configure Two VLANs on the Same Interface 216
Configure One VLAN Bridged Across Two Interfaces 220
Use the Broadband Extend or 3G Extend Wireless Bridge 224
Multi-WAN 227
About Using Multiple External Interfaces 227
Multi-WAN Requirements and Conditions 227
Multi-WAN and DNS 228
About Multi-WAN Options 229
Round-Robin Order 229
Failover 229
Interface Overflow 230
Routing Table 230
Modem (XTM2 Series, 3 Series or 5 Series only) 231
Configure Round-Robin 232
Before You Begin 232
Configure the Interfaces 232
Find How to Assign Weights to Interfaces 233
Configure Failover 233
Before You Begin 233
Configure the Interfaces 233
Configure Interface Overflow 235
Before You Begin 235
Configure the Interfaces 235
Configure Routing Table 236
Before You Begin 236
Routing Table Mode and Load Balancing 236
Configure the Interfaces 236
About the XTM Device Route Table 237
When to Use Multi-WAN Methods and Routing 237
Configure Modem Failover 238
Enable Modem Failover 238
Account Settings 239
DNS Settings 241
Dial-Up Settings 242
Advanced Settings 242
Link Monitor Settings 243
About Advanced Multi-WAN Settings 244
Set a Global Sticky Connection Duration 244
Set the Failback Action 245
Set Notification Settings 246
About WAN Interface Status 246
Time Needed for the XTM Device to Update its Route Table 246
Define a Link Monitor Host 246
Network Address Translation (NAT) 249
About Network Address Translation 249
Types of NAT 250
About Dynamic NAT 250
Add Network Dynamic NAT Rules 252
Configure Policy-Based Dynamic NAT 255
About Dynamic NATSource IPAddresses 258
About 1-to-1 NAT 260
About 1-to-1 NAT and VPNs 261
Configure Firewall 1-to-1 NAT 261
Configure Policy-Based 1-to-1 NAT 264
Configure NAT Loopback with Static NAT 266
Add a Policy for NATLoopback to the Server 267
NAT Loopback and 1-to-1 NAT 268
About SNAT 271
Configure Static NAT 271
Configure Server Load Balancing 275
1-to-1 NAT Example 282
Wireless Device Setup 285
About Wireless Device Configuration 285
Wireless Settings in Fireware XTM OS v11.8.x and v11.9.x 285
Enable Wireless 286
Wireless Device Configuration Options 287
Wireless Device Configuration Options (Fireware XTMOS v11.9 and Later) 287
Wireless Device Configuration Options (Fireware XTM OSv11.8.x and Older) 288
Before You Begin 289
About Wireless Configuration Settings 291
Enable/Disable SSID Broadcasts 292
Change the SSID 292
Log Authentication Events 292
Change the Fragmentation Threshold 292
Change the RTS Threshold 293
About Wireless Security Settings 293
Set the Wireless Authentication Method 294
Use a RADIUS Server for Wireless Authentication 295
Use the XTMDevice as an Authentication Server for Wireless Authentication 296
Set the Encryption Level 298
Enable Wireless Connections (Fireware XTMOS v11.9.x and Later) 300
Enable Wireless Connections (Fireware XTMOS v11.8.x and Older) 304
Enable a Wireless Guest Network (Fireware XTMOSv11.9.x and Later) 306
Wireless Guest and Policies 309
Enable a Wireless Guest Network (Fireware XTMOS v11.8.x and Older) 309
Enable a Hotspot on a Wireless Access Point 313
Configure Your External Interface as a Wireless Interface 314
Configure the Primary External Interface as a Wireless Interface 314
Configure a BOVPN Tunnel for Additional Security 316
About Wireless Radio Settings 317
Country is Set Automatically 318
Select the Band and Wireless Mode 319
Select the Channel 320
Monitor Wireless Access Points and Clients 321
Configure the Wireless Card on Your Computer 322
Rogue Access Point Detection 322
Enable Rogue Access Point Detection 323
Add an XTMWireless Device as a Trusted Access Point 328
Find the Wireless MACAddress of a Trusted Access Point 331
Rogue Access Point Scan Results 331
WatchGuard AP Device Setup 332
Wireless Access Point Types 332
About AP Device Configuration 333
SSIDConfiguration 333
APDevice Configuration 334
WatchGuard AP Device Requirements and Limitations 335
Requirements 335
Limitations 335
Plan Your Wireless AP Device Deployment 336
Wireless Site Survey 337
Wireless Modes and Channels 339
Wireless Signal Strength and Noise Levels 342
Wireless Environmental Factors 343
Wireless Placement 344
WatchGuard AP Device Deployment Overview 346
Deploy APDevices Without VLANTagging 347
Deploy APDevices With VLANTagging Enabled 350
Configure VLANs for WatchGuard AP Devices 353
When to Enable VLANTagging in SSIDs 353
ConfigureVLANs on the XTMDevice 354
Configure VLANs on a Managed Switch 354
About APStation Isolation 356
Station Isolation for a Single AP Device 356
Station Isolation for Multiple AP Devices 356
Example — Station Isolation and Roaming 357
About APDevice Activation 360
Automatic Activation 360
Manual Activation 360
About APDevice Passphrases 361
Pairing Passphrase 361
WatchGuard APPassphrase 361
Passphrases and Pairing 361
Resolve a Passphrase Mismatch 362
Configure AP Devices in the Gateway Wireless Controller 363
Enable the Gateway Wireless Controller 363
Set the Diagnostic Log Level 364
Configure WatchGuard APDevice SSIDs 365
Configure SSIDSecurity Settings 367
WatchGuard AP Device Discovery and Pairing 371
Configure APDevice Settings 373
Configure AP Device Radio Settings 378
Configure Gateway Wireless Controller Settings 382
Configure MACAccess Control 386
Unpair an AP Device 388
Monitor AP Device Status 389
See APConnection Status and Uptime 389
See AP Radio Frequency and Channel 390
See the APActivation Status 390
See APDevice Network Statistics 391
See Log Messages on an APDevice 392
Flash the Power LED on the APDevice 392
Restart Wireless on the APDevice 392
Reboot an AP Device 392
Upgrade an APDevice 393
Perform a Site Survey 394
Monitor Wireless Clients 396
View Wireless Deployment Maps 397
Wireless Deployment Maps Overview 397
Use Maps for APDevice Placement 398
See Wireless Channel Conflicts 400
Find Unauthorized Access Points 404
Enable a Hotspot on an AP Device 404
Reset the WatchGuard AP Device 405
Reset the WatchGuard APDevice with the Reset Button 405
Reset the WatchGuard AP Device from the Access Point Web UI 406
Unpair the WatchGuard AP Device 406
Update APDevice Firmware 407
See the Current Firmware Version 407
Options for APDevice Firmware Updates 407
Add an HTTPSPolicy for Access Point Web UI Connections 408
Use the WatchGuard Access Point Web UI 408
Connect to the WatchGuard Access Point Web UI 409
Verify the Current AP Device Settings 410
Manage Network Settings 411
Change the Access Point Passphrase 412
Upgrade the AP Device Firmware 412
Save or Revert Configuration Changes 413
WatchGuard APDevice Deployment Examples 414
APDevice Deployment with a Single SSID 414
APDevice Deployment with Simple Roaming 415
APDevice Deployment with VLANs 416
Dynamic Routing 419
About Dynamic Routing 419
Dynamic Routing Protocols 419
Dynamic Routing Policies 420
Monitor Dynamic Routing 420
About Routing Daemon Configuration Files 420
About Routing Information Protocol (RIP and RIPng) 421
Configure IPv4 Routing with RIP 422
Configure IPv6 Routing with RIPng 428
About Open Shortest Path First (OSPF and OSPFv3) Protocol 434
Configure IPv4 Routing with OSPF 435
Configure IPv6 Routing with OSPFv3 442
OSPF Interface Cost Table 447
About Border Gateway Protocol (BGP) 448
Configure IPv4 and IPv6 Routing with BGP 448
BGP Commands 451
Sample BGP Routing Configuration File 455
FireCluster 458
About WatchGuard FireCluster 458
FireCluster Device Roles 460
Use the Web UI with a FireCluster 461
Web UI for the Cluster Master 461
Web UI for the Backup Master 462
FireCluster Backup, Restore, and Upgrade in the Web UI 462
Authentication 465
About User Authentication 465
User Authentication Steps 466
Manage Authenticated Users 468
Use Authentication to Restrict Incoming Traffic 469
Use Authentication Through a Gateway Firebox 471
About the WatchGuard Authentication (WG-Auth) Policy 471
Set Global Firewall Authentication Values 471
Specify Firewall Authentication Settings 471
Set Global Authentication Timeouts 472
Allow Unlimited Concurrent Login Sessions 473
Limit Login Sessions 473
Specify the Default Authentication Server in the Authentication Portal 475
Automatically Redirect Users to the Authentication Portal 475
Use a Custom Default Start Page 476
Set Management Session Timeouts 476
About Single Sign-On (SSO) 477
The WatchGuard SSO Solution 477
Example Network Configurations for SSO 481
Choose Your SSO Components 483
Before You Begin 484
Set Up SSO 484
Install the WatchGuard Single Sign-On (SSO) Agent 484
Configure the SSO Agent 486
Use Telnet to Debug the SSO Agent 496
Install the WatchGuard Single Sign-On (SSO) Client 500
Install the WatchGuard SSOExchange Monitor 501
Enable Single Sign-On (SSO) 503
About SSO Log Files 506
Install and Configure the Terminal Services Agent 508
About Single Sign-On for Terminal Services 509
Before You Begin 510
Install the Terminal Services Agent 510
Configure the Terminal Services Agent 511
Configure Terminal Services Settings 515
Authentication Server Types 517
About Third-Party Authentication Servers 517
Use a Backup Authentication Server 517
Configure Your XTM Device as an Authentication Server 518
Types of Firebox Authentication 518
Define a New User for Firebox Authentication 522
Define a New Group for Firebox Authentication 526
Customize the AuthenticationPortal Page 527
Configure RADIUS Server Authentication 530
Authentication Key 530
RADIUSAuthentication Methods 530
Before You Begin 530
Use RADIUSServer Authentication with Your XTM Device 530
How RADIUS Server Authentication Works 533
Configure RADIUS Server Authentication with Active Directory Users and Groups for Mobile VPN Users 537
WPA and WPA2 Enterprise Authentication 540
Configure VASCO Server Authentication 540
Configure SecurID Authentication 543
Configure LDAP Authentication 546
About LDAP Optional Settings 550
Test the Connection to the Server 550
Configure Active Directory Authentication 551
Add an Active Directory Authentication Domain and Server 551
About Active Directory Optional Settings 555
Test the Connection to the Server 555
Edit an Existing Active Directory Domain 556
Delete an Active Directory Domain 556
Find Your Active Directory Search Base 556
Change the Default Port for the Active Directory Server 558
Use Active Directory or LDAP Optional Settings 558
Before You Begin 559
Specify Active Directory or LDAP Optional Settings 559
Use a Local User Account for Authentication 564
Use Authorized Users and Groups in Policies 564
Define Users and Groups for Firebox Authentication 564
Define Users and Groups for Third-Party Authentication 564
Allow Unlimited Concurrent Login Sessions 566
Limit Login Sessions 566
Add Users and Groups to Policy Definitions 566
Enable a Hotspot 567
Configure User Timeout Settings 570
Select the Hotspot Type 570
Configure the Hotspot Custom Page 571
Connect to a Hotspot 574
See Hotspot Connections 575
About Hotspot External Guest Authentication 577
Before You Begin 577
Configuration 578
External Guest Authentication Example 578
Configure a Web Server for Hotspot External Guest Authentication 581
Configure the Hotspot for External Guest Authentication 588
Troubleshoot Hotspot External Guest Authentication 590
Policies 593
About Policies 593
Packet Filter and Proxy Policies 593
Add Policies to Your XTM Device 594
About the Policies Pages 595
About the Outgoing Policy 597
Add Policies to Your Configuration 598
Use Policy Checker to Find a Policy 598
Add a Policy from the List of Templates 599
Disable or Delete a Policy 600
Use Policy Checker to Find a Policy 601
Read the Results 602
About Policy Tags and Filters 605
Create and Apply Policy Tags 605
Remove Policy Tags From Policies 608
Modify Policy Tags 610
Create and Apply a Filter 610
Modify a Filter 611
About Aliases 613
Alias Members 613
Create an Alias 615
About Policy Precedence 619
Automatic Policy Order 619
Policy Specificity and Protocols 619
Traffic Rules 620
Firewall Actions 620
Schedules 621
Policy Types and Names 621
Set Precedence Manually 621
Create Schedules for XTM Device Actions 622
Set an Operating Schedule 623
About Custom Policies 624
Create or Edit a Custom Policy Template 624
About Policy Properties 627
Settings Tab 628
Application Control Tab 628
Traffic Management Tab 628
Scheduling Tab 628
Advanced Tab 629
Proxy Settings 629
Set Access Rules for a Policy 629
Configure Policy-Based Routing 631
Set a Custom Idle Timeout 635
Set ICMP Error Handling 636
Apply NAT Rules 636
Set the Sticky Connection Duration for a Policy 636
Proxy Settings 639
About Proxy Policies and ALGs 639
Proxy Configuration 640
Add a Proxy Policy to Your Configuration 640
About Proxy Actions 643
Set the Proxy Action in a Proxy Policy 643
Clone, Edit, or Delete Proxy Actions 644
Proxy and AV Alarms 649
About Rules and Rulesets 650
About Working with Rules and Rulesets 650
Configure Rulesets 651
Add, Change, or Delete Rules 651
Cut and Paste Rule Definitions 653
Change the Order of Rules 653
Change the Default Rule 654
About Regular Expressions 656
About the DNS-Proxy 660
Settings Tab 661
Application Control Tab 661
Traffic Management Tab 661
Proxy Action Tab 662
Scheduling Tab 662
Advanced Tab 663
DNS-Proxy: General Settings 664
DNS-Proxy: OPcodes 665
DNS-Proxy: Query Types 668
DNS-Proxy: Query Names 671
DNS-Proxy: Proxy Alarm 673
About MX (Mail eXchange) Records 675
About the FTP-Proxy 677
Settings Tab 678
Application Control Tab 678
Traffic Management Tab 678
Proxy Action Tab 679
Scheduling Tab 679
Advanced Tab 680
FTP-Proxy: General Settings 681
FTP-Proxy: Commands 683
FTP-Proxy: Content 684
FTP-Proxy: Data Loss Prevention 684
FTP-Proxy: Proxy and AV Alarms 684
FTP-Proxy: APTBlocker 685
About the H.323-ALG 687
VoIPComponents 687
xx Fireware XTMWeb UI
/