Fireware XTM Web UI v11.1 User Guide WatchGuard XTM 1050 Firebox X Peak e-Series Firebox X Core e-Series Firebox X Edge e-Series


ADDRESS 505 Fifth Avenue South Suite 500 Seattle, WA 98104
SUPPORT www.watchguard.com/support U.S. and Canada +877.232.3531 All Other Countries +1.206.521.3575
SALES U.S. and Canada +1.800.734.9905 All Other Countries +1.206.613.0895
ABOUT WATCHGUARD Since 1996, WatchGuard has been building award-winning unified threat management (UTM) network security solutions that combine firewall, VPN and security services to protect networks and the businesses they power. We recently launched the next generation: extensible threat management (XTM) solutions featuring reliable, all-in-one security, scaled and priced to meet the unique security needs of enterprises of every size. Our products are backed by 15,000 partners representing WatchGuard in 120 countries. More than a half million signature red WatchGuard security appliances have already been deployed worldwide in industries including retail, education, and healthcare. WatchGuard is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America.
For more information, please call 206.613.6600 or visit www.watchguard.com.
Notice to Users Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.
Guide revision: 10/27/2009
Copyright, Trademark, and Patent Information Copyright © 1998 - 2009 WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade names mentioned herein, if any, are the property of their respective owners.
Complete copyright, trademark, patent, and licensing information can be found in the Copyright and Licensing Guide, available online: http://www.watchguard.com/help/documentation/
This product is for indoor use only.

Abbreviations Used in this Guide
3DES   Triple Data Encryption Standard
DES    Data Encryption Standard
DSL    Digital Subscriber Line
IPSec  Internet Protocol Security
ISP    Internet Service Provider
PPP    Point-to-Point Protocol
PPTP   Point-to-Point Tunneling Protocol
SSL    Secure Sockets Layer
TCP    Transfer Control Protocol
URL    Uniform Resource Locator
VPN    Virtual Private Network
WAN    Wide Area Network
WSM    WatchGuard System Manager
About networks and network security .... 1
About Internet connections .... 1
How information travels on the Internet .... 2
About protocols .... 2
Private addresses and gateways .... 3
About subnet masks .... 3
About slash notation .... 3
About entering IP addresses .... 4
Static and dynamic IP addresses .... 4
    Static IP addresses .... 4
    Dynamic IP addresses .... 4
Introduction to Fireware XTM .... 11
WatchGuard System Manager .... 12
WatchGuard Server Center .... 13
Fireware XTM Web UI and Command Line Interface .... 13
Fireware XTM with a Pro Upgrade .... 14
About WatchGuard Support .... 15
    LiveSecurity Service .... 15
    LiveSecurity Service Gold .... 16
    Service expiration .... 16
Before you begin .... 17
    Verify basic components .... 17
    Get a WatchGuard device feature key .... 17
    Gather network addresses .... 18
    Select a firewall configuration mode .... 19
Run the Web Setup Wizard .... 20
    Start the Web Setup Wizard .... 20
    After the wizard finishes .... 22
    If you have problems with the wizard .... 22
Connect to Fireware XTM Web UI .... 23
    Customize your security policy .... 26
    About LiveSecurity Service .... 26
    Add a certificate exception to Mozilla Firefox v3 .... 27
Identify your network settings .... 28
    Network Addressing Requirements .... 28
    Find your TCP/IP properties on Microsoft Windows Vista .... 29
    Find your TCP/IP properties on Microsoft Windows 2000, Windows 2003, and Windows XP .... 29
    Find your TCP/IP properties on Microsoft Windows NT .... 29
    Find your TCP/IP properties on Macintosh OS 9 .... 29
    Find your TCP/IP properties on other operating systems (Unix, Linux) .... 30
    Find PPPoE settings .... 30
Set your computer to connect to your WatchGuard device .... 30
    Use DHCP .... 30
    Use a static IP address .... 31
Disable the HTTP proxy in the browser .... 32
    Disable the HTTP proxy in Internet Explorer 6.x or 7.x .... 32
    Disable the HTTP proxy in Firefox 2.x .... 32
    Disable the HTTP proxy in Safari 2.0 .... 32
Chapter 5 Configuration and Management Basics .... 33
About basic configuration and management tasks .... 33
Restore a Firebox backup image .... 34
Reset a Firebox to a previous or new configuration .... 35
    Start a Firebox X Core or Peak e-Series, or a WatchGuard XTM device in safe mode .... 35
    Run the Quick Setup Wizard .... 36
About feature keys .... 38
    When you purchase a new feature .... 38
    See features available with the current feature key .... 38
Activate the license key for a feature .... 39
Add a feature key to your Firebox .... 41
Remove a feature key .... 42
Enable NTP and add NTP servers .... 43
About SNMP .... 45
SNMP polls and traps .... 45
Enable SNMP polling .... 47
Enable SNMP management stations and traps .... 48
Configure SNMP Management Stations .... 49
Send an SNMP trap for a policy .... 50
Upgrade to a new version of Fireware XTM .... 63
    Install the upgrade on your management computer .... 63
    Upgrade the Firebox .... 63
    Subscription Services upgrades .... 65
    Appliance and software upgrades .... 65
    How to apply an upgrade .... 65
About network interface setup .... 67
Network modes .... 67
Interface types .... 68
About network configuration in drop-in mode .... 76
Use drop-in mode for network interface configuration .... 76
Specify DHCP settings for a single interface .... 79
Disable an interface .... 83
Configure DHCP Relay .... 83
About LAN bridges .... 90
Create a network bridge configuration .... 91
Assign a network interface to a bridge .... 92
Add a static route .... 93
About virtual local area networks (VLANs) .... 94
About tagging .... 95
Use DHCP on a VLAN .... 97
Use DHCP relay on a VLAN .... 97
Assign interfaces to a VLAN .... 97
Chapter 7 Multi-WAN .... 99
Interface overflow .... 101
Routing table .... 101
Serial modem (Firebox X Edge only) .... 101
Before You Begin .... 102
Configure the interfaces .... 102
Before You Begin .... 104
Configure the interfaces .... 104
Before You Begin .... 105
Configure the interfaces .... 105
Before you begin .... 106
Routing Table mode and load balancing .... 106
Configure the interfaces .... 106
When to use Multi-WAN methods and routing .... 107
    When to use the Routing Table method .... 107
    When to use the Round-Robin method .... 107
About advanced multi-WAN settings .... 108
Set a global sticky connection duration .... 108
Set the failback action .... 109
Serial modem failover .... 109
Enable serial modem failover .... 109
    Account settings .... 110
    DNS settings .... 110
    Dial-up settings .... 111
    Link Monitor settings .... 111
Chapter 8 Network Address Translation (NAT) .... 115
About Network Address Translation (NAT) .... 115
Add firewall dynamic NAT entries .... 117
Delete a dynamic NAT entry .... 118
Reorder dynamic NAT entries .... 118
Configure policy-based dynamic NAT .... 119
Disable policy-based dynamic NAT .... 120
    About 1-to-1 NAT and VPNs .... 121
Configure firewall 1-to-1 NAT .... 122
Define a 1-to-1 NAT rule .... 123
Configure policy-based 1-to-1 NAT .... 124
Enable policy-based 1-to-1 NAT .... 124
Disable policy-based 1-to-1 NAT .... 124
Chapter 9 Wireless Setup .... 133
About wireless configuration .... 133
Enable/disable SSID broadcasts .... 137
Change the SSID .... 138
Log authentication events .... 138
Change the fragmentation threshold .... 138
When to change the default fragmentation threshold .... 138
Change the fragmentation threshold .... 139
Change the RTS threshold .... 139
Set the encryption level .... 140
WPA and WPA2 PSK authentication .... 141
Enable a wireless guest network .... 144
Configure your external interface as a wireless interface .... 146
    Configure the primary external interface as a wireless interface .... 146
    Configure a BOVPN tunnel for additional security .... 148
    Set the operating region and channel .... 149
    Set the wireless mode of operation .... 150
Configure the wireless card on your computer .... 151
Chapter 10 Dynamic Routing .... 153
About dynamic routing .... 153
About routing daemon configuration files .... 153
About Routing Information Protocol (RIP) .... 154
Routing Information Protocol (RIP) commands .... 154
Configure the Firebox to use RIP v2 .... 157
Allow RIP v2 traffic through the Firebox .... 158
Sample RIP routing configuration file .... 158
Chapter 11 Authentication .... 173
Install the WatchGuard Single Sign-On (SSO) agent .... 181
Download the SSO agent software .... 181
Before you install .... 182
Install the SSO agent service .... 182
Install the WatchGuard Single Sign-On (SSO) client .... 182
Install the SSO client service .... 183
Enable Single Sign-On (SSO) .... 183
Enable and configure SSO .... 184
Define SSO exceptions .... 184
About using third-party authentication servers .... 185
Use a backup authentication server .... 185
Types of Firebox authentication .... 186
    Firewall authentication .... 186
    Mobile VPN with PPTP connections .... 187
    Mobile VPN with SSL connections .... 188
Define a new user for Firebox authentication................................................................................... 189 Define a new group for Firebox authentication ............................................................................... 190
About RADIUS groups................................................................................................................................ 195 Practical use of RADIUS groups .............................................................................................................. 195
Configure SecurID authentication.............................................................................................................. 199 Configure LDAP authentication .................................................................................................................. 200
DN of Searching User and Password of Searching User fields..................................................... 204 Change the default port for the Active Directory server ............................................................... 205 Configure the Firebox to use the global catalog port .................................................................... 205 To find out if your Active Directory server is configured as a global catalog server ........... 205
Before You Begin..................................................................................................................................... 206 Specify Active Directory or LDAP Optional Settings .................................................................. 206
Chapter 12 Policies ................................................................................................................................... 213
About the Firewall or Mobile VPN Policies page ... 215
Add a policy from the list of templates ... 218
Disable or delete a policy ... 219
Delete a policy ... 219
Alias members ... 220
Create an alias ... 221
Add an address, address range, DNS name, user, group, or another alias to the alias ... 222
Automatic policy order ... 223
Policy specificity and protocols ... 223
Firewall actions ... 224
Schedules ... 224
Policy types and names ... 224

Chapter 13 Proxy Settings ... 235

About proxy policies and ALGs ... 235
Proxy configuration ... 235
About the HTTP proxy ... 251
Policy tab ... 251
Properties tab ... 251
Settings and Content tabs ... 252
Allow Windows updates through the HTTP proxy ... 252
If you still cannot download Windows updates ... 252
File name patterns ... 254
HTTP proxy: Settings ... 256
HTTP requests ... 256
HTTP responses ... 257
HTTP proxy exceptions ... 258
Policy tab ... 279
Properties tab ... 279
Advanced tab ... 279
Settings and Content tabs ... 279
About Traffic Management and QoS ... 283
Enable traffic management and QoS ... 284
Restrict bandwidth ... 285
QoS Marking ... 285
Traffic priority ... 285
Before you begin ... 288
QoS marking for interfaces and policies ... 288
Marking types and values ... 289
QoS marking settings ... 292
Prioritization settings ... 293
Priority Levels ... 293
Define a Traffic Management action ... 294
Determine available bandwidth ... 294
Determine the sum of your bandwidth ... 294
Create or modify a Traffic Management action ... 295
Add a Traffic Management action to a policy ... 296
Add a traffic management action to multiple policies ... 296
Chapter 15 Default Threat Protection ... 297

About default threat protection ... 297
About spoofing attacks ... 299
How the WatchGuard device identifies network probes ... 301
To protect against port space and address space probes ... 302
About the SYN flood attack setting ... 304
About unhandled packets ... 304
About distributed denial-of-service attacks ... 305
Permanently blocked sites ... 306
Auto-blocked sites/Temporary Blocked Sites list ... 306
See and edit the sites on the Blocked Sites list ... 306
Block a site permanently ... 307
Create Blocked Site Exceptions ... 308
Block sites temporarily with policy settings ... 308
Change the duration that sites are auto-blocked ... 309
Default blocked ports ... 310
Block a port ... 311
Block IP addresses that try to use blocked ports ... 311
Chapter 16 Logging and Notification ... 313

About logging and log files ... 313
Log Servers ... 313
Logging and notification in applications and servers ... 314
About log messages ... 314
Types of log messages ... 314
Traffic log messages ... 314
Alarm log messages ... 314
Debug log messages ... 315
Statistic log messages ... 315
Configure Logging Settings ... 318
Set logging and notification preferences ... 320
View, Sort, and Filter log message data ... 322
Refresh log message data ... 323
Chapter 17 Monitor your Firebox ... 325

The Dashboard ... 325
System Status pages ... 327
Bandwidth Meter ... 329
Blocked sites status ... 330
Run a basic diagnostics command ... 334
Use command arguments ... 335
Dynamic DNS ... 335
Feature Key ... 336
Interfaces ... 336
LiveSecurity ... 337
Memory ... 337
Syslog ... 339
About certificates ... 343
Use multiple certificates to establish trust ... 343
How the Firebox uses certificates ... 344
Certificate lifetimes and CRLs ... 344
Certificate authorities and signing requests ... 345
See current certificates ... 346
Import a certificate from a file ... 346
Use a web server certificate for authentication ... 347
Use OpenSSL to generate a CSR ... 348
Send the certificate request ... 349
Issue the certificate ... 349
Download the certificate ... 349
Use Certificates for the HTTPS Proxy ... 350
Protect a private HTTPS server ... 350
Examine content from external HTTPS servers ... 351
Import the certificates on client devices ... 352
Troubleshoot problems with HTTPS content inspection ... 352
Use a certificate for BOVPN tunnel authentication ... 354
Verify the certificate with FSM ... 354
Verify VPN certificates with an LDAP server ... 355

Chapter 19 Branch Office Virtual Private Networks ... 359

What you need to create a VPN ... 359
About manual BOVPN tunnels ... 360
What you need to create a VPN ... 360
How to create a manual BOVPN tunnel ... 361
One-way tunnels ... 361
VPN Failover ... 361
Global VPN settings ... 361
BOVPN tunnel status ... 361
Rekey BOVPN tunnels ... 361
DH groups and Perfect Forward Secrecy (PFS) ... 372
How to choose a Diffie-Hellman group ... 372
Performance analysis ... 372
Define a tunnel ... 373
Edit and delete a tunnel ... 374
Add routes for a tunnel ... 375
Add an existing proposal ... 377
Create a new proposal ... 377
Edit a proposal ... 378
Change order of tunnels ... 378
About global VPN settings ... 379
Enable IPSec Pass-through ... 379
Enable LDAP server for certificate verification ... 380
1-to-1 NAT and VPNs ... 381
Other reasons to use 1-to-1 NAT through a VPN ... 381
Alternative to using NAT ... 381
Example ... 382
Define a Branch Office gateway on each Firebox ... 383
Configure the local tunnel ... 383
Define a route for all Internet-bound traffic ... 387
Configure the BOVPN tunnel on the remote Firebox ... 387
Configure the BOVPN tunnel on the central Firebox ... 388
Add a dynamic NAT entry on the central Firebox ... 388
Enable a WatchGuard device to send multicast traffic through a tunnel ... 390
Example: Multicast routing through a BOVPN tunnel ... 392
Example settings ... 392
Enable broadcast routing for the local Firebox ... 397
Configure broadcast routing for the Firebox at the other end of the tunnel ... 398
Example settings ... 399
Configure broadcast routing for the BOVPN tunnel at Site A ... 399
Configure broadcast routing for the BOVPN tunnel at Site B ... 401
Define multiple gateway pairs ... 403
See VPN statistics ... 405
Rekey BOVPN tunnels ... 405
Why do I need a static external address? ... 406
How do I get a static external IP address? ... 406
How do I troubleshoot the connection? ... 406
Why is ping not working? ... 406
How do I set up more than the number of allowed VPN tunnels on my Edge? ... 406
Collect IP address and tunnel settings ... 407
PHASE 1 Settings (Both sides must use exactly the same values) ... 408
PHASE 2 Settings (Both sides must use exactly the same values) ... 408
Configure the Phase 1 settings ... 413
Configure the Phase 2 settings ... 417
Configure the Phase 1 settings ... 422
Add a VPN Tunnel ... 424
Configure the Phase 2 settings ... 426
Collect IP address and tunnel settings ... 428
PHASE 1 Settings (Both sides must use exactly the same values) ... 429
PHASE 2 Settings (Both sides must use exactly the same values) ... 429
Configure Site A, Fireware XTM v11.x ... 431
Configure the Phase 1 settings ... 434
Configure the Phase 2 settings ... 438
Add a VPN Gateway ... 440
Configure the Phase 1 settings ... 442
Configure the Phase 2 settings ... 446
Collect IP address and tunnel settings ... 450
PHASE 1 Settings (Both sides must use exactly the same values) ... 451
PHASE 2 Settings (Both sides must use exactly the same values) ... 451
PHASE 1 Settings (Both sides must use exactly the same values) ... 452
PHASE 2 Settings (Both sides must use exactly the same values) ... 452
Configure Site A, Fireware 11.x ... 453
Configure the Phase 1 settings ... 456
Configure the Phase 2 settings ... 460
Configure the Phase 1 settings ... 463
Configure the Phase 2 settings ... 464
Configure VPN Keep Alive ... 465
Select either IKE Keep-alive or Dead Peer Detection, but not both ... 466
Use the default settings ... 467
Configure the Firebox to send log traffic through the tunnel ... 468

Chapter 20 Mobile VPN with PPTP ... 471

About Mobile VPN with PPTP ... 471
Mobile VPN with PPTP requirements ... 471
Configure Mobile VPN with PPTP ... 473
Encryption Settings ... 474
Advanced Tab settings ... 475
Configure policies to allow Mobile VPN with PPTP traffic ... 479
Configure policies to allow Mobile VPN with PPTP traffic ... 480
Allow PPTP users to access a trusted network ... 480
Options for Internet access through a Mobile VPN with PPTP tunnel ... 481
Default-route VPN ... 481
Split tunnel VPN ... 481
Default-route VPN setup for Mobile VPN with PPTP ... 482
Split tunnel VPN setup for Mobile VPN with PPTP ... 482
Prepare a Windows NT or 2000 client computer: Install MSDUN and service packs ... 483
Create a PPTP connection ... 484
Establish the PPTP connection ... 484
Create the PPTP Mobile VPN ... 485
Connect with the PPTP Mobile VPN ... 485
Create the PPTP Mobile VPN ... 486
Connect with the PPTP Mobile VPN ... 486
Make outbound PPTP connections from behind a Firebox ... 486
Chapter 21 Mobile VPN with IPSec ... 487

About WatchGuard Mobile VPN with IPSec ... 487
Configure a Mobile VPN with IPSec connection ... 487
System requirements ... 488
Options for Internet access through a Mobile VPN tunnel ... 488
Default-route VPN ... 488
Split tunnel VPN ... 488
Modify an existing Mobile VPN with IPSec group profile ... 497
Configure a Mobile VPN with IPSec group ... 498
Define advanced Phase 1 settings ... 504
Define advanced Phase 2 settings ... 506
Lock down an end user profile ... 509
Mobile VPN with IPSec configuration files ... 509
Configure policies to filter Mobile VPN traffic ... 510
Configure Mobile VPN with IPSec to a dynamic IP address ... 512
Keep a record of the current IP address ... 512
Configure the Firebox and IPSec client computers ... 512
Client Requirements ... 514
Install the Mobile VPN with IPSec client software ... 514
Import the end-user profile ... 515
Select a certificate and enter the PIN ... 516
Uninstall the Mobile VPN client ... 516
Disconnect the Mobile VPN client ... 517
Control connection behavior ... 517
Mobile User VPN client icon ... 519
About the desktop firewall ... 520
Define friendly networks ... 521
Create firewall rules ... 522
Import the end user profile ... 528
Select a certificate and enter the passphrase ... 529
Connect and disconnect the Mobile VPN client ... 529
Control the connection behavior ... 530
Mobile User VPN client icon ... 531
Mobile VPN WM Configurator and Windows Mobile IPSec client requirements ... 532
Select a certificate and enter the PIN ... 533
Upload the end-user profile to the Windows Mobile device ... 536
Connect and disconnect the Mobile VPN for Windows Mobile client ... 537
User Guide xv
Chapter 22 Mobile VPN with SSL .... 543
About Mobile VPN with SSL .... 543
Configure authentication and connection settings .... 544
Configure the Networking and IP Address Pool settings .... 545
Configure Advanced settings for Mobile VPN with SSL .... 547
Configure user authentication for Mobile VPN with SSL .... 548
Configure policies to control Mobile VPN with SSL client access .... 548
Use other groups or users in a Mobile VPN with SSL policy .... 549
How to choose a different port and protocol .... 550
Allow direct access to the internet .... 551
Force all client traffic through tunnel .... 551
Use the HTTP proxy to control Internet access for Mobile VPN with SSL users .... 551
Name resolution for Mobile VPN with SSL .... 551
Methods of name resolution through a Mobile VPN with SSL connection .... 552
Select the best method for your network .... 552
Configure WINS or DNS for name resolution .... 552
Add WINS and DNS servers to a Mobile VPN with SSL configuration .... 552
Configure an LMHOSTS file to provide name resolution .... 552
Edit an LMHOSTS file .... 553
Install and connect the Mobile VPN with SSL client .... 553
Client computer requirements .... 553
Install the client software .... 554
Connect to your private network .... 555
Chapter 23 WebBlocker .... 559
About WebBlocker categories .... 567
See whether a site is categorized .... 567
Add, remove, or change a category .... 568
Define the action for sites that do not match exceptions .... 569
Components of exception rules .... 569
Exceptions with part of a URL .... 569
About WebBlocker subscription services expiration .... 572
Chapter 24 spamBlocker .... 573
Set global spamBlocker parameters .... 582
Use an HTTP proxy server for spamBlocker .... 583
Add trusted email forwarders to improve spam score accuracy .... 584
About spamBlocker and VOD scan limits .... 585
File scan limits by WatchGuard device model, in kilobytes .... 585
Maximum number of connections by WatchGuard device model .... 586
Send spam or bulk email to special folders in Outlook .... 587
Find the category a message is assigned to .... 589
Chapter 25 Gateway AntiVirus and Intrusion Prevention .... 591
About Gateway AntiVirus and Intrusion Prevention .... 591
Install and upgrade Gateway AV/IPS .... 592
About Gateway AntiVirus/Intrusion Prevention and proxy policies .... 592
Configure the Gateway AntiVirus Service .... 593
Configure Gateway AntiVirus actions for a proxy action .... 595
Configure alarm notification for antivirus actions .... 596
Configure Gateway AntiVirus to quarantine email .... 596
File scan limits by WatchGuard device model, in kilobytes .... 597
Update Gateway AntiVirus/IPS settings .... 597
If you use a third-party antivirus client .... 597
Configure Gateway AV decompression settings .... 598
Configure the Gateway AV/IPS update server .... 599
Connect to the update server through an HTTP proxy server .... 600
Block access from the trusted network to the update server .... 600
Before you begin .... 602
Configure the Intrusion Prevention Service .... 602
1 Introduction to Network Security
About networks and network security
A network is a group of computers and other devices that are connected to each other. It can be two computers in the same room, dozens of computers in an organization, or many computers around the world connected through the Internet. Computers on the same network can work together and share data.
Although networks like the Internet give you access to a large quantity of information and business opportunities, they can also open your network to attackers. Many people think that their computers hold no important information, or that a hacker is not interested in their computers. This is not correct. A hacker can use your computer as a platform to attack other computers or networks. Information from your organization, including personal information about users, employees, or customers, is also valuable to hackers.
Your WatchGuard device and LiveSecurity subscription can help you prevent these attacks. A good network security policy (a set of access rules for users and resources) can also help you detect and prevent attacks on your computer or network. We recommend that you configure your Firebox to match your security policy, and that you consider threats from both inside and outside your organization.
About Internet connections
ISPs (Internet service providers) are companies that give access to the Internet through network connections. The rate at which a network connection can send data is known as bandwidth: for example, 3 megabits per second (Mbps).
A high-speed Internet connection, such as a cable modem or a DSL (Digital Subscriber Line), is known as a broadband connection. Broadband connections are much faster than dial-up connections. The bandwidth of a dial-up connection is less than 0.1 Mbps, while a cable modem can be 5 Mbps or more.
Typical speeds for cable modems are usually lower than the advertised maximum, because all the subscribers in a neighborhood share one cable segment, much like the members of a LAN. Each computer on that segment uses some of the bandwidth. Because of this shared-medium design, cable modem connections slow down when more users are active on the segment.
DSL connections supply constant bandwidth, but they are usually slower than cable modem connections. Also, the bandwidth is only guaranteed between your home or office and the DSL central office. The central office cannot guarantee a good connection to a web site or network beyond it.
2 Fireware XTM Web UI
How information travels on the Internet
The data that you send through the Internet is cut into units, or packets. Each packet carries the Internet address of its destination, and it is this address information that lets the network deliver each packet. The packets that make up a connection can take different routes through the Internet. When they all reach the destination, they are reassembled into the original order.
About protocols
A protocol is a set of rules that allow computers to communicate across a network. Protocols are the grammar of the language that computers use when they speak to each other across a network. The standard protocol when you connect to the Internet is IP (Internet Protocol). This protocol is the common language of computers on the Internet.
A protocol also defines how data is sent through a network. The most frequently used transport protocols are TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). TCP/IP is the basic protocol suite used by computers that connect to the Internet.
You must know some of the TCP/IP settings when you set up your WatchGuard device. For more information on TCP/IP, see “Find your TCP/IP properties” on page 29.
About IP addresses
To send ordinary mail to a person, you must know his or her street address. For one computer on the Internet to send data to a different computer, it must know the address of that computer. A computer address is known as an Internet Protocol (IP) address. All devices on the Internet have unique IP addresses, which enable other devices on the Internet to find and interact with them.
An IPv4 address consists of four octets (8-bit binary numbers) expressed in decimal format and separated by periods. Each number between the periods must be in the range 0 to 255. Some examples of IP addresses are:
206.253.208.100 4.2.2.2 10.0.4.1
Private addresses and gateways
Many companies create private networks that have their own address space. The address ranges 10.x.x.x, 172.16.x.x through 172.31.x.x, and 192.168.x.x are reserved for private use (RFC 1918). Routers on the public Internet do not forward traffic to or from these addresses. If your computer is on a private network, you connect to the Internet through a gateway device that has a public IP address.
Usually, the default gateway is the router that is between your network and the Internet. After you install the Firebox on your network, it becomes the default gateway for all computers connected to its trusted or optional interfaces.
About subnet masks
Because of security and performance considerations, networks are often divided into smaller portions called subnets. All devices in a subnet share the same network prefix. For example, all devices that have IP addresses whose first three octets are 50.50.50 would belong to the same subnet.
A subnet mask, or netmask, is a series of bits that identifies which part of an IP address is the network portion and which part is the host portion. A subnet mask can be written in the same dotted-decimal form as an IP address, or in slash (CIDR) notation.
About slash notation
Your Firebox uses slash notation for many purposes, including policy configuration. Slash notation, also known as CIDR (Classless Inter-Domain Routing) notation, is a compact way to show or write a subnet mask. When you use slash notation, you write the IP address, a forward slash (/), and the subnet mask number.
To find the subnet mask number:
1. Convert the decimal representation of the subnet mask to a binary representation.
2. Count each “1” in the subnet mask. The total is the subnet mask number.
For example, you want to write the IP address 192.168.42.23 with a subnet mask of 255.255.255.0 in slash notation.
1. Convert the subnet mask to binary. In this example, the binary representation of 255.255.255.0 is: 11111111.11111111.11111111.00000000.
2. Count each "1" in the subnet mask. In this example, there are twenty-four (24).
3. Write the original IP address, a forward slash (/), and then the number from Step 2. The result is 192.168.42.23/24.
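The three-step procedure above, implemented as an added example in Python 3 (this is editor-supplied example code, not from the WatchGuard guide or from Fireware). It uses only the standard library; the function names and the sample addresses are assumptions for illustration. It goes a little beyond the page's single case: it rejects masks whose 1 bits are not contiguous (such a mask has no slash equivalent), converts in both directions, rebuilds the common-mask table, and checks whether an address falls in one of the RFC 1918 private ranges described under Private addresses and gateways.

```python
# Added example, not from the WatchGuard guide: the slash-notation procedure
# implemented with Python 3's standard library only.
import ipaddress

# The private ranges reserved by RFC 1918.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def mask_to_prefix(mask: str) -> int:
    """Steps 1 and 2 of the procedure: write the dotted mask in binary and
    count the 1 bits. A mask whose 1 bits are not contiguous (for example
    255.0.255.0) has no slash equivalent, so it is rejected."""
    octets = [int(o) for o in mask.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad mask: {mask}")
    bits = "".join(f"{o:08b}" for o in octets)  # step 1: binary form
    ones = bits.count("1")                       # step 2: count the 1s
    if bits != "1" * ones + "0" * (32 - ones):   # all 1s must come first
        raise ValueError(f"non-contiguous mask: {mask}")
    return ones


def prefix_to_mask(prefix: int) -> str:
    """The reverse direction: /24 -> 255.255.255.0."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    value = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_slash(ip: str, mask: str) -> str:
    """Step 3: the address, a forward slash, and the count from step 2."""
    return f"{ip}/{mask_to_prefix(mask)}"


def describe(ip: str, mask: str) -> dict:
    """The facts a firewall administrator usually needs about a host address:
    its network and broadcast addresses, how many hosts fit in the subnet,
    and whether it is an RFC 1918 private address."""
    iface = ipaddress.ip_interface(to_slash(ip, mask))
    net = iface.network
    usable = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses
    return {
        "slash": str(iface),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "hosts": usable,
        "private": any(iface.ip in n for n in RFC1918),
    }


def common_mask_table() -> list:
    """Rebuilds the 'network mask / slash equivalent' table for /8 to /32."""
    return [(prefix_to_mask(p), f"/{p}") for p in range(8, 33)]


if __name__ == "__main__":
    print(to_slash("192.168.42.23", "255.255.255.0"))  # 192.168.42.23/24
    print(describe("192.168.42.23", "255.255.255.0"))
    for mask, slash in common_mask_table():
        print(f"{mask:<17}{slash}")
```

The contiguity check matters in practice: a typo such as 255.255.225.0 is a valid dotted quad but not a valid netmask, and catching it before it reaches a policy avoids a rule that matches a strange scattering of hosts.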
This table shows common network masks and their equivalents in slash notation.
About entering IP addresses
When you type IP addresses in the Quick Setup Wizard or dialog boxes, type the digits and decimals in the correct sequence. Do not use the TAB key, arrow keys, spacebar, or mouse to put your cursor after the decimals.
For example, if you type the IP address 172.16.1.10, do not type a space after you type 16. Do not try to put your cursor after the subsequent decimal to type 1. Type a decimal directly after 16, and then type 1.10. Press the slash (/) key to move to the netmask.
Static and dynamic IP addresses
ISPs (Internet service providers) assign an IP address to each device on their network. The IP address can be static or dynamic.
Static IP addresses
A static IP address is an IP address that always stays the same. If you have a web server, FTP server, or other Internet resource that must have an address that cannot change, you can get a static IP address from your ISP. A static IP address is usually more expensive than a dynamic IP address, and some ISPs do not supply static IP addresses. You must configure a static IP address manually.
Dynamic IP addresses
A dynamic IP address is an IP address that an ISP lets you use temporarily. If a dynamic address is not in use, it can be automatically assigned to a different device. Dynamic IP addresses are assigned using either DHCP or PPPoE.
[Table: Network mask / Slash equivalent]
About DHCP
Dynamic Host Configuration Protocol (DHCP) is an Internet protocol that computers on a network use to get IP addresses and other information such as the default gateway. When you connect to the Internet, a computer configured as a DHCP server at the ISP automatically assigns you an IP address. It could be the same IP address you had before, or it could be a new one. When you close an Internet connection that uses a dynamic IP address, the ISP can assign that IP address to a different customer.
You can configure your WatchGuard device as a DHCP server for networks behind the device. You assign a range of addresses for the DHCP server to use.
About PPPoE
Some ISPs assign IP addresses through Point-to-Point Protocol over Ethernet (PPPoE). PPPoE carries a PPP session, the protocol used for dial-up connections, inside Ethernet frames. This lets the ISP use the billing, authentication, and security systems of its dial-up infrastructure with DSL modem and cable modem products.
About DNS (Domain Name System)
You can frequently find the address of a person you do not know in the telephone directory. On the Internet, the equivalent of a telephone directory is the DNS (Domain Name System). DNS is a network of servers that translate readable domain names into numeric IP addresses, and vice versa. DNS takes the friendly domain name you type when you want to see a particular web site, such as www.example.com, and finds the equivalent IP address, such as 50.50.50.1. Network devices need the actual IP address to find the web site, but domain names are much easier for users to type and remember than IP addresses.
A DNS server is a server that performs this translation. Many organizations have a private DNS server in their network that responds to DNS requests. You can also use a DNS server on your external network, such as a DNS server provided by your ISP (Internet Service Provider).
About firewalls
A network security device, such as a firewall, separates your internal networks from external network connections to decrease the risk of an external attack. The figure below shows how a firewall protects the computers on a trusted network from the Internet.
Firewalls use access policies to identify and filter different types of traffic. They can also control which services or ports the protected computers can use on the Internet (outbound access). For example, many firewalls ship with sample security policies that allow only specified traffic types, and users select the policy that best fits their needs. Other firewalls, including WatchGuard devices such as your Firebox, let you customize these policies.
Firewalls can be in the form of hardware or software. A firewall protects private networks from unauthorized users on the Internet. Traffic that enters or leaves the protected networks is examined by the firewall. The firewall denies network traffic that does not match the security criteria or policies.
In a closed, or default-deny, firewall, all network connections are denied unless a specific rule allows the connection. To deploy this type of firewall, you must know in detail which network applications your organization requires. Other firewalls allow any network connection that has not been explicitly denied. This type of open, or default-allow, firewall is easier to deploy, but it is not as secure: any service you forget to block stays reachable.
About services and policies
You use a service to send different types of data (such as email, files, or commands) from one computer to another across a network or to a different network. These services use protocols. Frequently used Internet services are:
World Wide Web access uses Hypertext Transfer Protocol (HTTP)
Email uses Simple Mail Transfer Protocol (SMTP) or Post Office Protocol (POP3)
File transfer uses File Transfer Protocol (FTP)
Resolving a domain name to an Internet address uses the Domain Name System (DNS)
Remote terminal access uses Telnet or SSH (Secure Shell)
When you allow or deny a service, you must add a policy to your WatchGuard device configuration. Each policy you add can also add a security risk: to send and receive data, you must open a door in your network, and every open door is a potential way in. We recommend that you add only the policies that are necessary for your business.
As an example of how you can use a policy, suppose the network administrator of a company wants to activate a Windows terminal services connection to the company’s public web server on the optional interface of the Firebox. He or she routinely administers the web server with a Remote Desktop connection. At the same time, he or she wants to make sure that no other network users can use the Remote Desktop Protocol terminal services through the Firebox. The network administrator would add a policy that allows RDP connections only from the IP address of his or her own desktop computer to the IP address of the public web server.
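The RDP example above, together with the default-deny versus default-allow distinction described under About firewalls, as an added example in Python (editor-supplied; this is not WatchGuard code and not how Fireware evaluates policies internally). The Policy and Packet classes, the addresses 10.0.1.50 and 10.0.2.80, and the sample packets are assumptions constructed for illustration; 3389/tcp is the standard RDP port.

```python
# Added example, not WatchGuard code: a minimal first-match policy evaluator
# that models the default-deny behaviour described in the guide.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    proto: str             # "tcp" or "udp"
    src: str               # CIDR of permitted sources
    dst: str               # CIDR of permitted destinations
    port: int              # destination port
    action: str = "allow"  # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    port: int


def matches(policy: Policy, pkt: Packet) -> bool:
    """True when the packet's protocol, port, source and destination all fall
    inside what the policy describes."""
    return (
        policy.proto == pkt.proto
        and policy.port == pkt.port
        and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(policy.src)
        and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(policy.dst)
    )


def decide(policies, pkt: Packet, default: str = "deny") -> tuple:
    """First matching policy wins. If nothing matches, the firewall's default
    applies: 'deny' for a closed (default-deny) firewall, 'allow' for an
    open one. Returns (action, name of the policy that decided)."""
    for policy in policies:
        if matches(policy, pkt):
            return policy.action, policy.name
    return default, "default"


# Hypothetical addresses: the administrator's desktop on the trusted network
# and the public web server on the optional network.
ADMIN_DESKTOP = "10.0.1.50"
WEB_SERVER = "10.0.2.80"

# The policy from the guide's example: RDP (3389/tcp) only from the admin's
# desktop to the web server. A /32 names exactly one host.
POLICIES = [
    Policy("RDP-admin-to-web", "tcp", f"{ADMIN_DESKTOP}/32", f"{WEB_SERVER}/32", 3389),
    Policy("HTTP-any-to-web", "tcp", "0.0.0.0/0", f"{WEB_SERVER}/32", 80),
]

# Constructed sample traffic (203.0.113.0/24 is a documentation range).
SAMPLES = [
    Packet("tcp", ADMIN_DESKTOP, WEB_SERVER, 3389),  # admin RDP: allow
    Packet("tcp", "10.0.1.51", WEB_SERVER, 3389),    # other user RDP: deny
    Packet("udp", ADMIN_DESKTOP, WEB_SERVER, 3389),  # wrong protocol: deny
    Packet("tcp", "203.0.113.7", WEB_SERVER, 80),    # public HTTP: allow
    Packet("tcp", "203.0.113.7", WEB_SERVER, 3389),  # Internet RDP: deny
]


def evaluate_all(policies, default: str = "deny") -> list:
    """Decision for every sample packet under the given default action."""
    return [decide(policies, pkt, default) for pkt in SAMPLES]


if __name__ == "__main__":
    for pkt, (action, by) in zip(SAMPLES, evaluate_all(POLICIES)):
        print(f"{pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.port}  {action} ({by})")
    # The same rules on an open (default-allow) firewall: the Internet-side
    # RDP attempt now gets through, because nothing explicitly denies it.
    print(evaluate_all(POLICIES, default="allow")[-1])
```

The last line of the script is the point of the default-deny discussion: with an identical rule set, only the choice of default decides whether an RDP attempt from the Internet reaches the web server.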
When you configure your WatchGuard device with the Quick Setup Wizard, the wizard adds only limited outgoing connectivity. If you have more software applications and network traffic for your Firebox to examine, you must:
Configure the policies on your Firebox to pass through necessary traffic
Set the approved hosts and properties for each policy
Balance the requirement to protect your network against the requirements of your users to get access to external resources
About ports
Although computers have hardware ports you use as connection points, ports are also numbers used to map traffic to a particular process on a computer. These ports, also called TCP and UDP ports, are where programs transmit data. If an IP address is like a street address, a port number is like an apartment unit number or building number within that street address. When a computer sends traffic over the Internet to a server or another computer, it uses an IP address to identify the server or remote computer, and a port number to identify the process on the server or computer that receives the data.
For example, suppose you want to see a particular web page. Your web browser attempts to create a connection on port 80 (the port used for HTTP traffic) for each element of the web page. When your browser receives the data it requests from the HTTP server, such as an image, it closes the connection.
Many ports are used for only one type of traffic; for example, port 25 is assigned to SMTP (Simple Mail Transfer Protocol). Other programs are assigned port numbers dynamically for each connection. The IANA (Internet Assigned Numbers Authority) keeps the list of well-known and registered ports. You can see this list at: http://www.iana.org/assignments/port-numbers
Most policies you add to your Firebox configuration use a port number between 0 and 1023 (the well-known ports), but port numbers can range from 0 to 65535.
Ports are either open or closed. If a port is open, your computer accepts connections on it and uses the protocol associated with that port to exchange data with other computers. An open port is a security risk, because each one is a service an attacker can probe. To protect against risks created by open ports, you can block ports that are commonly used to attack your network. For more information, see About blocked ports.
The WatchGuard device and your network
Your WatchGuard device is a powerful network security device that controls all traffic between the external network and the trusted network. If computers with mixed trust connect to your network, you can also configure an optional network interface that is separate from the trusted network. You can then configure the firewall on your device to stop all suspicious traffic from the external network to your trusted and optional networks. If you route all traffic for the mixed-trust computers through the optional network, you can apply stricter controls to those connections without restricting the trusted network, which gives your security solution more flexibility. For example, customers frequently use the optional network for their remote users or for public servers such as a web server or an email server.
Some customers who purchase a WatchGuard device do not know a lot about computer networks or network security. Fireware XTM Web UI (web-based user interface), provides many self-help tools for these customers. Advanced customers can use the advanced integration and multiple WAN support features of the Fireware XTM Pro appliance software to connect a WatchGuard device to a larger wide area network. The WatchGuard device connects to a cable modem, DSL modem, or ISDN router.
You can use the Web UI to safely manage your network security settings from diff