TRANSCRIPT
WatchGuard Training ©2014 WatchGuard Technologies, Inc.
Firewall Basics with Fireware XTM 11.9
Course Introduction: Firewall Basics with Fireware XTM
Training Objectives
• Use the basic management and monitoring components of WatchGuard System Manager (WSM)
• Configure a Firebox or XTM device, or an XTMv device, that runs Fireware XTM OS v11.9 or later for your network
• Create basic security policies for your Firebox or XTM device to enforce
• Use security services to expand XTM device functionality
Requirements
Necessary equipment and software:
• Management computer
• WatchGuard System Manager and Fireware XTM OS
• Firewall configuration file
• Firebox, XTM, or XTMv devices running Fireware XTM OS v11.9 or later (optional)
Prerequisites:
• Basic knowledge of TCP/IP network functions and structure
It is helpful, but not necessary, to have:
• WatchGuard System Manager installed on your management computer
• Access to a Firebox or XTM device
• A printed copy of the instructor's notes of this presentation, or a copy of the Fireware XTM Basics Student Guide
Outline
• Product Overview
• Getting Started
• Work with Device Configuration Files
• Configure Device Interfaces
• Configure Logging
• Generate Reports of Network Activity
• Use FSM to Monitor XTM Device Activity
• Use NAT (Network Address Translation)
• Define Basic Network Security Policies
• Work with Proxy Policies
• Work with SMTP and POP3 Proxies
• Verify Users' Identities
• Block Unwanted Email with spamBlocker
• Manage Web Traffic
• Defend Your Network From Intruders
• Use Gateway AntiVirus
• Use Data Loss Prevention
• Use Intrusion Prevention Service
• Use Application Control
• Use APT Blocker
• Use Reputation Enabled Defense
• Explore Fireware XTM Web UI and FireWatch
Training Scenario
• Fictional organization named the Successful Company
• Training partners may use different examples for exercises
• Try the exercises to implement your security policy
Product Overview
Fireware XTM is the robust operating system that forms the backbone of WatchGuard integrated UTM security solutions.
• Advanced networking features
• Zero Day protection
• UTM Security Subscriptions
Available security subscriptions include:
• Application Control
• Intrusion Prevention Service
• WebBlocker
• Gateway AntiVirus
• spamBlocker
• Reputation Enabled Defense
• Data Loss Prevention (DLP)
• APT Blocker
Firebox and XTM Hardware Models
(Figure: product family diagram.) Models shown: XTM 2 Series, XTM 3 Series, Firebox T10, 5 Series, 8 Series, 800 Series, XTM 1050, 1500 Series, XTM 2050, XTM 2520, and XTMv (small, medium, large, and datacenter editions). Market segments shown: small businesses, branch offices, and wireless hotspots; midsize to large businesses; enterprise headquarters and datacenters; virtual network environments.
Management Software
Three ways to manage your device:
• WatchGuard System Manager
• Fireware XTM Web UI
• Command Line
This training focuses primarily on WatchGuard System Manager.
Getting Started: Set Up Your Management Computer and Firebox or XTM Device
Learning Objectives
• Use the Quick Setup Wizard to make a configuration file
• Start WatchGuard System Manager
• Connect to Firebox or XTM devices and WatchGuard servers
• Launch other WSM applications
Management Computer
• Select a computer with Windows 8, Windows 7, Windows XP SP2, Windows Server 2003, 2008, or 2012, or Windows Vista
• Install WatchGuard System Manager (WSM) to configure, manage, and monitor your devices
• Install Fireware XTM OS, then use WSM to install updates and make configuration changes on the device
Server Software
When you install WSM, you have the option to install any or all of these WSM servers:
• Management Server
• Log Server
• Report Server
• WebBlocker Server
• Quarantine Server
Servers can be installed on separate computers.
• Each server must use a supported version of Windows.
• There are access requirements between the management computer, the Firebox or XTM device, and some servers.
Activate Your XTM Device
• You must have or create a WatchGuard account
• You must activate the Firebox or XTM device before you can fully configure it
• Have your device serial number ready
Setup Wizards
There are two setup wizards you can use to create an initial functional configuration file for your Firebox or XTM device.
• Web Setup Wizard: to start the Web Setup Wizard, in a web browser, type: https://10.0.1.1:8080
• Quick Setup Wizard: to start the Quick Setup Wizard, in WatchGuard System Manager, select Tools > Quick Setup Wizard.
• To use either setup wizard, you must connect the management computer to the trusted interface (eth1) of the Firebox or XTM device.
• The Web Setup Wizard can activate your Firebox or XTM device and download the feature key from the WatchGuard web site, if you connect the external interface (eth0) to a network with Internet access.
Quick Setup Wizard
• Installs Fireware XTM OS on the Firebox or XTM device
• Creates and uploads a basic configuration file
• Assigns passphrases to the default Device Management user accounts to control access to the Firebox or XTM device
Prepare to Use the Quick Setup Wizard
Before you start, you must have:
• WSM and Fireware XTM OS installed on the management computer
• Network information
It is a good idea to have the feature key for your device before you start the wizard. You can copy it from the LiveSecurity web site during registration.
Launch the Quick Setup Wizard
For the Quick Setup Wizard to operate correctly, you must:
• Prepare the device to be discovered by the Quick Setup Wizard (QSW). The QSW shows you how to prepare each device.
• Assign a static IP address to your management computer from the same subnet that you plan to assign to the Trusted interface of the Firebox or XTM device. Alternatively, you can get a DHCP address from the device when it is in Safe Mode.
• Connect the Ethernet interface of your computer to interface #1 of the device.
• Launch WatchGuard System Manager (WSM) and launch the Quick Setup Wizard from the WSM Tools menu.
Quick Setup Wizard — Select Your Device
Choose which model of Firebox or XTM device to configure.
Quick Setup Wizard — Verify the Device Details
Verify that the model and serial number are correct.
Quick Setup Wizard — Name Your XTM Device
The name you assign to the device in the wizard is used to:
• Identify the device in WSM
• Identify the device in log files
• Identify the device in Log Manager and Report Manager
Quick Setup Wizard — Device Feedback
The Quick Setup Wizard enables the device to send feedback to WatchGuard by default.
• If this option is enabled, the device sends feedback to WatchGuard once a day and when the device reboots.
• The information includes information about how your device is used and any issues you encounter with your device, but does not include information about your company, or company data.
• All device feedback sent to WatchGuard is encrypted.
To disable device feedback:
• Clear the Send device feedback to WatchGuard check box.
• You can also change this setting in the Global Settings.
Quick Setup Wizard — Configure the External Interface
The IP address you give to the external interface can be:
• A static IP address
• An IP address assigned with DHCP
• An IP address assigned with PPPoE
You must also add an IP address for the device default gateway. This is the IP address of your gateway router.
Quick Setup Wizard — Configure Interfaces
Configure the Trusted and Optional interfaces. Select one of these configuration options:
• Mixed Routing Mode (Use these IP addresses): each interface is configured with an IP address on a different subnet.
• Drop-in Mode (Use the same IP address as the external interface): all XTM device interfaces have the same IP address. Use drop-in mode when devices from the same publicly addressed network are located on more than one device interface.
Understand Routed Configurations
In mixed routing mode (routed configuration):
• Configure each interface with an IP address on a different subnet.
• Assign secondary networks on any interface.
Understand Drop-in Configurations
In drop-in mode:
• Assign the same primary IP address to all interfaces on your device.
• Assign secondary networks on any interface.
• You can keep the same IP addresses and default gateways for devices on your trusted and optional networks, and add a secondary network address to the Firebox or XTM device interface so the device can correctly send traffic to those devices.
Quick Setup Wizard — Add a Feature Key
When you purchase additional options for your device, you must get a new feature key to activate the new options. You can add the feature key in the Quick Setup Wizard or later in Policy Manager.
Quick Setup Wizard — Set Passphrases
Specify the passphrases for the two default user accounts to use for connections to the device:
• Status passphrase: for read-only connections with the default status user account
• Configuration passphrase: for read-write connections with the default admin user account
• Both passphrases must be unique and include 8–32 characters
Quick Setup Wizard — Final Steps
Save a basic configuration to the device. You are now ready to put your device in place on your network. Remember to reset your management computer IP address.
WatchGuard System Manager
• Start WSM
• Connect to a Firebox or XTM device or the Management Server
• Display device status
Components of WSM
WSM includes a set of management and monitoring tools:
• Policy Manager
• Firebox System Manager
• HostWatch
• Log Manager (WebCenter)
• Report Manager (WebCenter)
• CA Manager
• Quarantine Server Client
To launch a tool, select it from the WSM Tools menu or click the tool icon.
Administration: Work with Device Configuration Files
Learning Objectives
• Start Policy Manager
• Open and save configuration files
• Configure the device for remote administration
• Add Device Management user accounts
• Change user account passphrases
• Back up and restore the device configuration
• Add device identification information
What is Policy Manager?
• A configuration tool that you can use to modify the settings of your Firebox or XTM device
• Changes made in Policy Manager do not take effect until you save them to the device
• Launch Policy Manager from WSM: select a connected or managed device, then click the Policy Manager icon on the toolbar
Navigate Policy Manager
From the View menu, select how policies are displayed: Details View or Large Icons View.
Navigate Policy Manager
Use the menu bar to configure many device features.
Navigate Policy Manager
The security policies that control traffic through the device appear in the policy list. To edit a security policy, double-click the policy name.
OS Compatibility Version
Policy Manager can manage devices that use different versions of Fireware XTM OS. Each device configuration has an OS Compatibility setting that controls which options are available for some features.
• If you use Policy Manager to open the configuration from a device, the Fireware XTM version is automatically set based on the OS version the device uses.
• For a new configuration file, you must select the Fireware XTM version before you can configure some features, such as network settings and Traffic Management.
To see or set the OS Compatibility version, in Policy Manager select Setup > OS Compatibility.
To configure all of the features described in this training, you must select 11.9 or higher.
Open and Save Configuration Files
• Open a file from your local drive or from a Firebox or XTM device
• Save configuration files to your local drive or to the Firebox or XTM device
• Create new configuration files in Policy Manager
• New configuration files include a basic set of policies. You can add more policies.
Configure Your Device for Remote Administration
• Connect from home to monitor device status
• Change policies remotely to respond to new threats
• Make the policy as restrictive as possible for security
• Edit the WatchGuard policy to enable access from an external IP address
• You can also use Fireware XTM Web UI to configure a device (over TCP port 8080)
Add Device Management User Accounts
• Use role-based administration on your Firebox or XTM device to share the configuration and monitoring responsibilities among several individuals in your organization
• Run audit reports to monitor which administrators make which changes to your device configuration
Default user accounts:
Default User Account   Default Role                                    Default Passphrase
admin                  Device Administrator (read-write permissions)   readwrite
status                 Device Monitor (read-only permissions)          readonly
wgsupport              Disabled
Add Device Management User Accounts
• Use the default user accounts for initial Device Administrator and Device Monitor connections to the device
• Enable the wgsupport user account only as directed by WatchGuard Technical Support
• Use these authentication servers for Device Management user accounts on your device: Firebox-DB (default user account authentication server), Active Directory, LDAP, RADIUS
Add Device Management User Accounts
Add, edit, and remove Device Management user accounts in Policy Manager or Fireware XTM Web UI:
1. In Policy Manager, select File > Manage Users and Roles.
2. Specify the user account credentials for a user account with Device Administrator privileges. (The default user account credentials are admin/readwrite.)
3. Add, edit, or remove new Device Management user accounts. You cannot delete the default user accounts (admin, status, wgsupport).
Change User Account Passphrases
• Passphrases must use 8–32 characters
• Change frequently
• Restrict use of the default user accounts
• Use individual user accounts for all users
Back Up the Device Images
• Create and restore an encrypted backup image
• Backup includes feature key and certificate information
• Encryption key is required to restore an image
Add Device Identification Information
• Firebox or XTM device name and model
• Contact information
• Time zone for log files and reports
Upgrade Your Device
1. Back up your existing device image.
2. Download and install the new version of Fireware XTM OS on your management computer.
3. From Policy Manager, select File > Upgrade.
4. Browse to the location of the OS upgrade file: C:\Program Files\Common Files\WatchGuard\Resources\Fireware XTM
5. Select the correct .sysa-dl file for your device:
• XTM 2500 Series: xtm800_1500_2500.sysa-dl
• XTM 2050: xtm2050_bc.sysa-dl
• XTM 1500 Series: xtm800_1500_2500.sysa-dl
• XTM 1050: xtm1050_bb.sysa-dl
• XTM 800 Series: xtm800_1500_2500.sysa-dl
• XTM 8 Series: xtm8_b5.sysa-dl
• XTM 5 Series: xtm5_b0.sysa-dl
• XTM 330: xtm330_bd.sysa-dl
• XTM 33: xtm3_aa.sysa-dl
• XTM 25, 26: xtm2_a6.sysa-dl
• XTMv: xtmv_c5.sysa-dl
• Firebox T10: T10.sysa-dl
Network Settings: Configure Firebox or XTM Device Interfaces
Learning Objectives
• Configure external network interfaces with a static IP address, DHCP, and PPPoE
• Configure a trusted and optional network interface
• Use the Firebox or XTM device as a DHCP server
• Add WINS/DNS server locations to the device configuration
• Add Dynamic DNS settings to the device configuration
• Set up a secondary network or address
• Understand Drop-In Mode and Bridge Mode
Add a Firewall to Your Network
• Interfaces on separate networks
• Most configurations have at least one external and one trusted
(Figure: External 203.0.113.2/24; Trusted Network 10.0.1.1/24; Optional Network 10.0.2.1/24)
Beyond the Quick Setup Wizard
The Quick Setup Wizard configures the device with External, Trusted, and Optional networks by default:
• eth0 = external
• eth1 = trusted
• eth2 = optional (only if you provide an optional interface IP address in the wizard)
You can change the interface assignments. In Policy Manager, select Network > Configuration.
Network Configuration Options
• Modify the properties of an interface: change the interface type (from trusted to optional, etc.), add secondary networks and addresses, enable the DHCP server
• Configure additional interfaces
• Configure WINS/DNS settings for the device
• Add network or host routes
• Configure NAT
Interface Independence and Interface Types
You can change the interface type of any interface configured with the Quick Setup Wizard, or any other interface. Some interface types correspond to a network security zone:
• External — External interface, member of the Any-External alias
• Trusted — Internal interface, member of the Any-Trusted alias
• Optional — Internal interface, member of the Any-Optional alias
• Custom — Internal interface, not a member of any alias by default
Other types configure the interface as a member of a virtual interface:
• Bridge
• VLAN
• Link Aggregation
Use a Dynamic IP Address for the External Interface
The Firebox or XTM device can use DHCP or PPPoE to get a dynamic IP address.
Use Dynamic DNS
If you want to maintain a public association between a domain name and the assigned dynamic IP address, you can register the external IP address of the Firebox or XTM device with the supported dynamic DNS service, DynDNS.
Use a Static IP Address for the External Interface
The Firebox or XTM device can use a static IP address given to you by your Internet Service Provider.
Enable the Device DHCP Server
• Can be used on a trusted, optional, or custom interface
• Type the first and last IP addresses of the range for DHCP
• Configure up to 6 IP address ranges
• Reserve some IP addresses for specified MAC addresses
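The DHCP server behaviour described above (up to 6 address ranges plus reservations for specific MAC addresses), as an added Python model written for this page; it is not WatchGuard code. It assumes a reserved address is never handed out dynamically and that a client keeps its lease until it is released; the ranges, MAC addresses, and the DhcpPool name are constructed.

```python
import ipaddress

MAX_RANGES = 6  # Fireware lets you configure up to 6 DHCP address ranges


class DhcpPool:
    """Toy model of the device DHCP server on one interface (constructed example)."""

    def __init__(self, ranges, reservations):
        # ranges: list of (first_ip, last_ip) strings; reservations: {mac: ip}
        if len(ranges) > MAX_RANGES:
            raise ValueError("at most %d DHCP ranges are supported" % MAX_RANGES)
        self.reservations = {mac.lower(): ip for mac, ip in reservations.items()}
        reserved = set(self.reservations.values())
        self.pool = []
        for first, last in ranges:
            lo = int(ipaddress.ip_address(first))
            hi = int(ipaddress.ip_address(last))
            if hi < lo:
                raise ValueError("range %s-%s is reversed" % (first, last))
            for n in range(lo, hi + 1):
                ip = str(ipaddress.ip_address(n))
                # assumption: a reserved address is never offered dynamically
                if ip not in reserved:
                    self.pool.append(ip)
        self.leases = {}  # mac -> ip

    def request(self, mac):
        """Return the address offered to this client, or None if the pool is exhausted."""
        mac = mac.lower()
        if mac in self.reservations:      # a reservation wins over the dynamic pool
            return self.reservations[mac]
        if mac in self.leases:            # a client that asks again keeps its lease
            return self.leases[mac]
        in_use = set(self.leases.values())
        for ip in self.pool:
            if ip not in in_use:
                self.leases[mac] = ip
                return ip
        return None

    def release(self, mac):
        """Free the lease held by this client, if any."""
        self.leases.pop(mac.lower(), None)


if __name__ == "__main__":
    # Constructed sample: a three-address range on the trusted network, one reservation
    pool = DhcpPool([("10.0.1.100", "10.0.1.102")], {"00:11:22:33:44:55": "10.0.1.101"})
    for client in ["aa:bb:cc:00:00:01", "00:11:22:33:44:55", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"]:
        print(client, "->", pool.request(client))
```

The reserved address sits inside the range here, which is the case the model has to handle: it is skipped for dynamic clients, so the pool runs out after two dynamic leases rather than three.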
Configure Trusted and Optional Interfaces
1. Start with a trusted network (Trusted-Main, 10.0.1.1/24).
2. Add an optional network for public servers (Public Servers, 10.0.2.1/24).
3. As your business grows, add more trusted and optional networks (Finance, 10.0.3.1/24, trusted; Sales Force, 10.0.4.1/24, optional; Conference, 10.0.5.1/24, optional).
Add WINS/DNS Servers
• All devices on the trusted, optional, and custom networks can use this server
• Use an internal server or an external server
• Used by the Firebox or XTM device for DHCP, Mobile VPN, NTP time updates, and Subscription Service updates
Secondary Networks
• Share one of the same physical networks as one of the device interfaces.
• Add an IP alias to the interface, which is the default gateway for computers on the secondary network.
(Figure: Trusted-Main 10.0.1.1/24 with a secondary network 172.16.100.0/24; the interface alias 172.16.100.1 is the gateway for the secondary network.)
Network or Host Routes
Create static routes to send traffic from a device interface to a router. The router can then send the traffic to the correct destination from the specified route.
If you do not specify a route to a remote network or host, all traffic to that network or host is sent to the device default gateway.
Routes Table
The routes for your Firebox or XTM device appear in the Routes section of the Status Report in Firebox System Manager.
The default route is the gateway IP address configured for the external interface. It is used when a more specific route to a destination is not defined.
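Route selection as the two slides above describe it (a static route to a router, the secondary network, and the default route used when nothing more specific matches), as an added Python example written for this page; it is not WatchGuard code. The routing table, the internal router address 10.0.1.254, and the remote network 192.168.50.0/24 are constructed; the interface networks follow the training diagrams.

```python
import ipaddress

# Constructed routing table in the style of the training network: directly connected
# interface networks, a secondary network, one static route to an internal router,
# and the default route (the external gateway).
ROUTES = [
    # (destination, next hop or None when directly connected, interface)
    ("10.0.1.0/24", None, "eth1"),              # trusted
    ("10.0.2.0/24", None, "eth2"),              # optional
    ("172.16.100.0/24", None, "eth1"),          # secondary network on the trusted interface
    ("192.168.50.0/24", "10.0.1.254", "eth1"),  # static route via an internal router (constructed)
    ("203.0.113.0/24", None, "eth0"),           # external interface network
    ("0.0.0.0/0", "203.0.113.1", "eth0"),       # default route: the external gateway
]


def build_table(routes):
    """Parse (destination, next_hop, interface) tuples into a route table."""
    return [(ipaddress.ip_network(dst), nh, ifc) for dst, nh, ifc in routes]


def lookup(table, dst_ip):
    """Longest-prefix match: return (network, next_hop, interface) for dst_ip.

    The default route (/0) matches every address, so it is chosen only when no
    more specific route exists. Returns None when nothing matches at all.
    """
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for net, nh, ifc in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, ifc)
    if best is None:
        return None
    return (str(best[0]), best[1], best[2])


def lookup_without_static_route(dst_ip):
    """Same lookup with the static route removed: that traffic falls back to the default gateway."""
    table = build_table([r for r in ROUTES if r[0] != "192.168.50.0/24"])
    return lookup(table, dst_ip)


if __name__ == "__main__":
    table = build_table(ROUTES)
    for dst in ["10.0.1.50", "172.16.100.9", "192.168.50.7", "198.51.100.20"]:
        print(dst, "->", lookup(table, dst))
    print("192.168.50.7 without the static route ->", lookup_without_static_route("192.168.50.7"))
```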
Drop-In Mode and Bridge Mode
Use Drop-In Mode if you want to have the same logical network (subnet) spread across all device interfaces.
• Computers in this subnet can be on any device interface
• You can add a secondary address to any device interface to use an additional network on the interface
Use Bridge Mode when you want the device to be invisible.
• You assign one IP address to the device for management connections
• Bridge Mode turns the device into a transparent Layer 2 bridge
To set the interface configuration mode, select Network > Configuration.
Logging: Set Up Logging and Notification
Learning Objectives
• Set up a WSM Log Server
• Configure the device to send messages to a WSM or Dimension Log Server
• Configure logging and notification preferences
• Set the Diagnostic Log Level
• View log messages
Introduction to the WSM Log Server
Introduction to the Dimension Log Server
Log Message Types
• Traffic — Allowed and denied packets
• Alarm — An event you configure as important that requires a log message or alert
• Event — A device restart, or a VPN tunnel creation or failure
• Debug — Additional messages with diagnostic information to help you troubleshoot network or configuration problems
• Statistic — Information about the performance of the Firebox or XTM device
Configure Logging
For log messages to be correctly stored, you must:
• Install the WSM Log Server software or deploy a Dimension VM
• Configure the WSM or Dimension Log Server settings
• Configure the Firebox or XTM device to send log messages to the WSM or Dimension Log Server
Install the WSM Log Server
• In the WSM installer, select to install the Log Server component
• The Log Server does not have to be installed on the same computer that you use as your management computer
• The Log Server should be on a computer with a static IP address
Configure the WSM Log Server Settings
• Right-click the WatchGuard Server Center icon in your Windows system tray to open WatchGuard Server Center. The Server Center Setup Wizard starts.
• Set the administrator passphrase.
• Set the log encryption key.
Configure the WSM Log Server Settings
• Open WatchGuard Server Center to configure Log Server properties.
• Type the administrator passphrase.
• From the Servers tree, select Log Server to configure Log Server settings.
Configure the WSM Log Server Settings
• Server Settings — Database size and encryption key settings.
• Database Maintenance — Specify database backup file settings, and select to use the Built-in database or an External PostgreSQL database.
• Notification — Configure settings for event notification and the SMTP Server.
• Logging — Firebox Status (which devices are currently connected to the Log Server) and where to send log messages.
Deploy the Dimension VM & Set Up Dimension
• In a VMware or Hyper-V environment, deploy the Dimension VM.
• VMware ESXi 5.x — Dimension OVA installation file. Use only the vSphere client to provision and install the OVA file.
• Hyper-V — Dimension VHD installation file. Use Hyper-V Manager on Microsoft Server, or another Hyper-V environment, to deploy the VHD file.
• Dimension must be deployed on a 64-bit platform.
• Use the public IP address to connect to Dimension and run the Dimension Setup Wizard, and specify these settings: host name for Dimension, IPv4 settings for the Eth0 interface, Log Encryption Key, administrator passphrase.
• To send log messages to Dimension, specify the public IP address and the Log Encryption Key for Dimension in the device's logging settings.
Configure the Device to Send Log Messages
• Use Policy Manager
• Set the same log encryption key that is used for the WSM or Dimension Log Server
• Backup Log Servers can be used when the primary fails
• Specify the port to connect to a syslog server
Default Logging Policy
• When you create a policy that allows traffic, logging is not enabled by default
• When you create a policy that denies traffic, logging is enabled by default
• If denied traffic does not match a specific policy, it is logged by default
Set the Diagnostic Log Level
You can also configure the device to send detailed diagnostic log messages to help you troubleshoot a specific problem. From Policy Manager, select Setup > Logging, and click Diagnostic Log Level.
View Log Messages
You can see log messages with these WSM tools:
• Traffic Monitor — Real-time monitoring in FSM from any computer with WSM
• WebCenter Log Manager — From WatchGuard WebCenter, you can use Log Manager to see any log messages stored on the Log Server. Use the search feature to locate specific information in your log files.
You can also see log messages in Dimension:
• Use Log Manager to see any log messages stored on the Dimension Log Server for a specific device or group of devices.
• Use the search feature to locate specific information in your log files.
Reports: View Reports of Network Activity
Learning Objectives
• Set up and configure a WSM Report Server
• Generate and save reports at regular intervals
• Generate and view reports
• Change report settings
• Save, print, and share reports
• View reports in Dimension
WSM Reporting Architecture
Configure the WSM Report Server
• Install on a Microsoft Windows computer
• Can be the same computer as the Log Server
• Configure the Report Server from WatchGuard Server Center
• Select to use the Built-in database or an External PostgreSQL database
• Add one or more Log Server IP addresses
• Set report interval, report type, and notification preferences
View Reports with Report Manager
• Report Manager is available in WatchGuard WebCenter, which is installed with the Report Server
• Add users in WatchGuard Server Center to enable them to use Report Manager
View Reports with Report Manager
• Connect to WatchGuard WebCenter over port 4130, and select Report Manager to view and generate reports
• View Available Reports (scheduled reports)
• Create On-Demand Reports and Per Client Reports
• Launch Report Manager from WSM
• Save reports in PDF format
View Reports in Dimension
When you send log messages to Dimension, the reports for the log messages sent to Dimension are automatically generated.
1. Connect to Dimension in a web browser at the IP address you specified for Dimension.
2. Log in with the administrator credentials you specified in the Setup Wizard.
3. From the Home page, select the Devices tab and select a device, or select the Groups tab and select a group of devices.
4. To view the available reports, select the Reports tab for the device or group.
5. To export a report as a PDF file, click .
6. To export a report as a CSV file, click .
The available export option depends on the type of report.
Monitor Your Firewall: Monitor Activity Through the Device with WSM Tools
Learning Objectives
• Interpret the information in the WSM display
• Use Firebox System Manager to monitor device status
• Change Traffic Monitor settings
• Use Performance Console to visualize device performance
• Use HostWatch to view network activity and block a site
• Add and remove sites from the Blocked Sites list
WatchGuard System Manager Display
Firebox System Manager
Tabs: Front Panel, Traffic Monitor, Bandwidth Meter, Service Watch, Status Report, Authentication List, Blocked Sites, Subscription Services, Gateway Wireless Controller
Traffic Monitor
• View log messages as they occur
• Set custom colors and fields
• Start traceroute or Ping to source and destination IP addresses
• Copy information to another application
Performance Console
• Monitor and graph XTM device activity
• Launch from Firebox System Manager
• System Information — Firebox statistics, such as the number of total active connections and CPU usage
• Interfaces — Total number of packets sent and received through the Firebox or XTM device interfaces
• Policies — Total connections, current connections, and discarded packets
• VPN Peers — Inbound and outbound SAs and packets
• Tunnels — Inbound and outbound packets, authentication errors, and replay errors
Use HostWatch to View Connections
• Graphical display of live connections
• One-click access to more details on any connection
• Temporarily block sites
Use the Blocked Sites List
• View sites added temporarily by the device as it blocks the source of denied packets
• Change expiration settings for temporarily blocked sites
Examine and Update Feature Keys
• View the feature keys currently on your Firebox or XTM device
• Add a new feature key to your Firebox or XTM device
NAT: Use Network Address Translation
Learning Objectives
• Understand network address translation types
• Add dynamic NAT entries
• Use static NAT for public servers
What is Network Address Translation?
Network Address Translation (NAT) is a term used to describe any of several forms of IP address and port translation. At its most basic level, NAT changes the IP address of a packet from one value to a different value. The primary purposes of NAT are:
• to increase the number of computers that can operate off a single publicly routable IP address
• to hide the private IP addresses of hosts on your LAN
Fireware XTM supports three types of NAT:
• Dynamic NAT — applies to outbound traffic
• Static NAT — applies to inbound traffic
• 1-to-1 NAT — applies to traffic in both directions
Dynamic NAT
• Changes the source IP addresses for outbound traffic to a single IP address
• Protect the map of your network
(Figure: devices and users with private IP addresses on your network; with NAT enabled, the Internet sees only one public address, the external interface IP address.)
Add Firewall Dynamic NAT Entries
• Most frequently used form of NAT
• Changes the outgoing source IP address to the external IP address of the Firebox or XTM device
• Enabled by default for standard private network IP addresses, such as 192.168.0.0/16
Static NAT for Public Servers
Changes the inbound destination IP address based on the port number.
(Figure: external IP address 203.0.113.2 in front of three internal servers.)
• Web traffic (TCP port 80) — One external IP to a private static IP (10.0.2.80)
• FTP traffic (TCP port 21) — Same external IP to a second private static IP (10.0.2.21)
• SMTP traffic (TCP port 25) — Same external IP to a third private static IP (10.0.2.25)
1-to-1 NAT for Public Servers
Translates one range of IP addresses to a different range of addresses for incoming and outgoing traffic.
(Figure: three dedicated public addresses on the external interface, each mapped to one internal host.)
• NetMeeting traffic (ports 1720, 389, dynamic) — Dedicated IP address on the external interface, 203.0.113.11, to 10.0.2.11
• IKE traffic (without NAT-T) — Second dedicated public IP address, 203.0.113.12, to 10.0.2.12
• Intel Video Phone (H.323; ports 1720, 522) — Another external IP address, 203.0.113.13, to 10.0.2.13
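The three NAT types from this section (dynamic NAT on outbound traffic, static NAT choosing an inbound server by port, and 1-to-1 NAT mapping an address range in both directions), as an added Python model written for this page; it is not WatchGuard code. The external address, server addresses and the 203.0.113.11-13 to 10.0.2.11-13 block come from the training diagrams; the rule order (1-to-1 NAT checked before dynamic NAT) and the function names are assumptions.

```python
import ipaddress

EXTERNAL_IP = "203.0.113.2"  # external interface address used in the training diagrams

# Dynamic NAT: outbound traffic from these private ranges leaves with the external
# interface IP as its source (the RFC 1918 ranges, enabled by default)
DYNAMIC_NAT_SOURCES = ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]

# Static NAT: inbound traffic to the external IP is forwarded to an internal server
# chosen by protocol and destination port (mapping from the static NAT diagram)
STATIC_NAT = {
    ("tcp", 80): "10.0.2.80",  # web server
    ("tcp", 21): "10.0.2.21",  # FTP server
    ("tcp", 25): "10.0.2.25",  # email server
}

# 1-to-1 NAT: a block of public addresses maps to a block of private addresses in
# both directions (203.0.113.11-13 <-> 10.0.2.11-13 from the 1-to-1 NAT diagram)
ONE_TO_ONE = [("203.0.113.11", "10.0.2.11", 3)]  # (public base, private base, count)


def _translate_block(ip, from_base, to_base, count):
    """Map ip from one contiguous block onto the other; None if ip is outside the block."""
    addr = int(ipaddress.ip_address(ip))
    start = int(ipaddress.ip_address(from_base))
    if start <= addr < start + count:
        return str(ipaddress.ip_address(int(ipaddress.ip_address(to_base)) + (addr - start)))
    return None


def nat_outbound(src_ip):
    """Packet leaving through the external interface: return (new_source_ip, nat_type)."""
    for public, private, count in ONE_TO_ONE:  # assumption: 1-to-1 is tried before dynamic NAT
        mapped = _translate_block(src_ip, private, public, count)
        if mapped:
            return mapped, "1-to-1"
    if any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(n) for n in DYNAMIC_NAT_SOURCES):
        return EXTERNAL_IP, "dynamic"
    return src_ip, "none"  # already publicly routable: nothing to translate


def nat_inbound(dst_ip, dst_port, proto="tcp"):
    """Packet arriving on the external interface: return (new_destination_ip, nat_type)."""
    for public, private, count in ONE_TO_ONE:
        mapped = _translate_block(dst_ip, public, private, count)
        if mapped:
            return mapped, "1-to-1"
    if dst_ip == EXTERNAL_IP and (proto, dst_port) in STATIC_NAT:
        return STATIC_NAT[(proto, dst_port)], "static"
    return dst_ip, "none"  # no NAT rule: a policy still decides whether the packet is allowed


if __name__ == "__main__":
    print("outbound 10.0.1.25      ->", nat_outbound("10.0.1.25"))
    print("outbound 10.0.2.12      ->", nat_outbound("10.0.2.12"))
    print("inbound  203.0.113.2:80 ->", nat_inbound("203.0.113.2", 80))
    print("inbound  203.0.113.13   ->", nat_inbound("203.0.113.13", 1720))
```

Note what the model makes visible: a 1-to-1 NAT host keeps its dedicated public address in both directions, while every other internal host shares the external interface address on the way out and is reachable from outside only through a static NAT entry for a specific port.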
WatchGuard Training 111
Configure Policies
You can customize 1-to-1 NAT and Dynamic NAT settings in each policy
Select Network > NAT to configure the settings
The settings you specify apply unless you modify the NAT settings in a policy
Select the Set Source IP option when you want any traffic that uses this policy to show a specified address from your public or external IP address range as the source IP address.
WatchGuard Training 112
Configure Policies
To configure a policy to use static NAT, click Add in the To section of the policy, then select Add SNAT.
To add, edit, or delete SNAT actions, you can also select Setup > Actions > SNAT.
To add an SNAT member, click Add.
WatchGuard Training 113
Policies: Convert Network Policy to Device Configuration
WatchGuard Training 114
Learning Objectives
Understand the difference between a packet filter policy and a proxy policy
Add a policy to Policy Manager and configure its access rules
Create a custom packet filter policy
Set up logging and notification rules for a policy
Use advanced policy properties
Understand the function of the Outgoing policy
Understand the function of the TCP-UDP proxy
Understand the function of the WatchGuard policy
Understand how the Firebox or XTM device determines policy precedence
WatchGuard Training 115
What is a Policy?
A rule to limit access through the Firebox or XTM device
Can be configured to allow traffic or deny traffic
Can be enabled or disabled
Applies to specific port(s) and protocols
Applies to traffic that matches From and To fields:
• From — Specific source hosts, subnets, or users/groups
• To — Specific destination hosts, subnets, or users/groups
WatchGuard Training 116
Packet Filters, Proxies, and ALGs
Two types of policies:
• Packet Filter — Examines the IP header of each packet, and operates at the network and transport protocol packet layers.
• Proxy & ALG (Application Layer Gateway)
  Proxy — Examines the IP header and the content of a packet at the application layer. If the content does not match the criteria you set in your proxy policies, you can set the proxy to deny the packet. Some proxy policies allow you to remove the disallowed content.
  ALG — Completes the same functions as a proxy, but also provides transparent connection management.
Proxy policies and ALGs examine the commands used in the connection to make sure they are in the correct syntax and order, and use deep packet inspection to make sure that connections are secure.
WatchGuard Training 117
Packet Filters, Proxies, and ALGs
Proxies & ALGs:
• Remove all the network data
• Examine the contents
• Add the network data again
• Send the packet to its destination
WatchGuard Training 118
What are Packet Filters, Proxies, and ALGs?
Packet Filter examines: Source, Destination, Port(s)/Protocols
Proxy & ALG examines: Source, Destination, Port(s)/Protocols, Packet body, Attachments, RFC Compliance, Commands
WatchGuard Training 119
Add a Policy in Policy Manager
1. Select a policy from a pre-defined list.
2. Decide if the policy allows or denies traffic.
3. Configure the source (From) and destination (To).
WatchGuard Training 120
Modify Policies
To edit a policy, double-click the policy
By default, a new policy:
• Is enabled and allowed
• Allows traffic on the port(s) specified by the policy
• Allows traffic from any trusted network to any external destination
WatchGuard Training 121
Change Policy Sources and Destinations
You can:
• Select a pre-defined alias, then click Add.
• Click Add User to select an authentication user or group.
• Click Add Other to add a host IP address, network IP address, or host range.
WatchGuard Training 122
When do I use a custom policy?
A custom policy can be either a packet filter or proxy policy.
Use a custom policy if:
• None of the pre-defined policies include the specific combination of ports that you want.
• You need to create a policy that uses a protocol other than TCP or UDP.
WatchGuard Training 123
Logging and Notification for Policies
When you enable logging in a policy, you can also select whether the Firebox or XTM device sends a notification message or triggers an SNMP trap.
Notification options include:
• Send email to a specified address
• A pop-up notification on the Log Server
WatchGuard Training 124
Set Logging Rules for a Policy
The Firebox or XTM device generates log messages for many different types of activities
You enable logging for policies to specify when log messages are generated and sent to the Log Server
WatchGuard Training 125
What is Precedence?
Precedence is used to decide which policy controls a connection when more than one policy could control that connection
In Details view, the higher the policy appears in the list, the greater its precedence.
If two policies could apply to a connection, the policy higher in the list controls that connection
WatchGuard Training 126
What is Precedence?
Policies can be moved up or down in Manual Order mode to set precedence, or restored to the order assigned by Policy Manager with Auto-Order Mode.
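Precedence as an added Python model (example code, not Policy Manager's): policies are evaluated in list order and the first match controls the connection, so a specific deny placed above the Outgoing policy takes effect, while the same deny placed below it is shadowed. The policy names, the address ranges behind the Any-Trusted and Any-External aliases, and the default deny for traffic no policy handles are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    action: str                               # "allow" or "deny"
    proto: str                                # "tcp", "udp" or "tcp-udp"
    ports: set = field(default_factory=set)   # empty set means any port
    src: str = "Any-Trusted"                  # alias name or CIDR
    dst: str = "Any-External"
    enabled: bool = True

# Aliases named as on the slides; the address ranges behind them are assumed.
ALIASES = {
    "Any-Trusted": [ipaddress.ip_network("10.0.1.0/24")],
    "Any-External": [ipaddress.ip_network("0.0.0.0/0")],
}

def _member(ip: str, spec: str) -> bool:
    nets = ALIASES.get(spec) or [ipaddress.ip_network(spec, strict=False)]
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def matches(p: Policy, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """True when the policy's protocol, ports, From and To all cover the connection."""
    if not p.enabled:
        return False
    if p.proto == "tcp-udp":
        if proto not in ("tcp", "udp"):
            return False
    elif p.proto != proto:
        return False
    if p.ports and dport not in p.ports:
        return False
    return _member(src_ip, p.src) and _member(dst_ip, p.dst)

def decide(policies, src_ip, dst_ip, proto, dport):
    """Walks the list top to bottom (Details view order); the first match controls
    the connection. Traffic no policy handles gets the default deny (assumed)."""
    for p in policies:
        if matches(p, src_ip, dst_ip, proto, dport):
            return p.action, p.name
    return "deny", "<unhandled>"

# Constructed policy list in Manual Order mode: a specific deny sits above Outgoing.
MANUAL_ORDER = [
    Policy("Deny-Telnet", "deny", "tcp", {23}),
    Policy("HTTP-proxy", "allow", "tcp", {80}),
    Policy("Outgoing", "allow", "tcp-udp"),
]
# The same three policies with Outgoing moved to the top: it now shadows the deny.
OUTGOING_FIRST = [MANUAL_ORDER[2], MANUAL_ORDER[0], MANUAL_ORDER[1]]

if __name__ == "__main__":
    for order in (MANUAL_ORDER, OUTGOING_FIRST):
        print([p.name for p in order], decide(order, "10.0.1.5", "198.51.100.7", "tcp", 23))
```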
WatchGuard Training 127
Advanced Policy Properties
Schedules
Connection rate limits
Override NAT settings
QoS settings
ICMP error handling
Override Multi-WAN sticky connection setting
WatchGuard Training 128
Schedule Policies
Set the times of day when the policy is enabled
WatchGuard Training 129
Understand the Outgoing policy
The Outgoing packet filter policy is added in the default configuration
Allows all outgoing TCP and UDP connections from trusted and optional networks to external networks
Enables the Firebox or XTM device to “work out of the box” but could have security problems
If you remove the Outgoing policy, you must add policies to allow outgoing traffic
WatchGuard Training 130
Understand the TCP-UDP-Proxy
Enables TCP and UDP protocols for outgoing traffic
Applies proxy rules to traffic for the HTTP, HTTPS, SIP, and FTP protocols, regardless of the port numbers
Blocks selected IM and P2P applications, regardless of port
WatchGuard Training 131
The WatchGuard Policy
Controls management connections to the Firebox or XTM device
By default, this policy allows only local administration of the device; edit the configuration to allow remote administration
WatchGuard Training 132
Find Policy Tool
Fireware XTM includes a utility to find policies that match the search criteria you specify
With the Find Policies tool, you can quickly locate policies that match user or group names, IP addresses, port numbers, and protocols.
WatchGuard Training 133
Policy Tags and Filters
Assign policy tags to policies to create policy groups
Sort the policy list by policy tag to see the policy list by policy group
Create and save policy filters to specify which policies appear in the policy list
WatchGuard Training 134
Proxy Policies: Use Proxy Policies and ALGs to Protect Your Network
WatchGuard Training 135
Learning Objectives
Understand the purpose and configuration of proxy policies and ALGs
Configure the DNS-proxy to protect a DNS server
Configure an FTP-Server proxy action
Configure an FTP-Client proxy action
Enable logging for proxy actions
WatchGuard Training 136
What are Proxies and ALGs?
Proxy policies and ALGs (Application Layer Gateways) are powerful and highly customizable application inspection engines and content filters.
A packet filter looks at IP header information only.
A proxy or ALG looks at the content of the network data. ALGs also provide transparent connection management.
WatchGuard Training 137
What is the DNS Proxy?
Domain Name System
Validates all DNS traffic
Blocks badly formed DNS packets
Fireware XTM includes two methods to control DNS traffic:
• DNS packet filter — IP headers only
• DNS-Proxy filter — content
WatchGuard Training 138
Control Incoming Connections
Use the DNS-Incoming action as a template
You own the server
You decide who gets to connect to the server
[Diagram: the DNS Proxy on the Firebox in front of the DNS server on your network]
WatchGuard Training 139
Configuring DNS-Incoming
General
OpCodes
Query Types
Query Name
Proxy Alarm
WatchGuard Training 140
Control Outgoing Connections
Use the DNS-Outgoing action as a template
Operates with Intrusion Prevention Service
Deny queries for specified domain names
[Diagram: the DNS Proxy on the Firebox between your network and an external DNS server]
WatchGuard Training 141
Use DNS-Outgoing
Use the DNS-Outgoing proxy action to block DNS requests for services, such as queries for:
• POP3 servers
• Advertising networks
• IM applications
• P2P applications
WatchGuard Training 142
Fireware XTM Proxy Policies
DNS
FTP
H323 and SIP (Application Layer Gateways)
HTTP and HTTPS
SMTP and POP3
TCP-UDP
• Applies the proxies to traffic on all TCP ports
WatchGuard Training 143
What is a Proxy Action?
A set of rules that tell the Firebox or XTM device how to apply one of the proxies to traffic of a specific type
You can apply a proxy action to more than one proxy policy
WatchGuard Training 144
Import & Export Proxy Actions
You can import and export:
• Entire user-created proxy actions (not predefined proxy actions)
• Rulesets
• WebBlocker exceptions
• spamBlocker exceptions
WatchGuard Training 145
What is FTP?
File Transfer Protocol
Often used to move files between two locations
Client and server architecture
Fireware XTM includes two methods to control FTP:
• FTP packet filter — IP headers only
• FTP-proxy — Content and commands
WatchGuard Training 146
FTP-Proxy
Restricts the types of commands and files that can be sent through FTP
Works with the Gateway AV Service
Works with the Data Loss Prevention Service
Works with the APT Blocker Service
WatchGuard Training 147
FTP-Client Proxy Action
Rulesets: General, Commands, Download, Upload, AntiVirus, Data Loss Prevention, Proxy and AV alarms, APT Blocker
WatchGuard Training 148
Control Incoming Connections
Use the FTP-Server proxy action as a template
The FTP server must be protected by the Firebox or XTM device
You decide who can connect to the FTP server
[Diagram: anybody on the Internet, the FTP Proxy on the Firebox, and your FTP server]
WatchGuard Training 149
Define FTP-Server Proxy Action
Rulesets: General, Commands, Download, Upload, AntiVirus, Data Loss Prevention, Proxy and AV alarms, APT Blocker
Options available in the FTP-Client proxy action are also available in the FTP-Server proxy action
Smart defaults are used in each ruleset to protect clients (FTP-Client) and servers (FTP-Server)
WatchGuard Training 150
Logging and Proxies
Proxy policies contain many more advanced options for logging than packet filter policies
Each proxy category has its own check box to enable logging
To generate detailed reports with information on packets handled by proxy policies, you must select the Enable logging for reports check box in each proxy action
WatchGuard Training 151
Email Proxies: Work with the SMTP and POP3 Proxies
WatchGuard Training 152
Learning Objectives
Understand the SMTP and POP3 proxies
Understand the available actions for email
Control incoming email
Control outgoing email
WatchGuard Training 153
SMTP and POP3 Proxies
Used to restrict the types and size of files sent and received in email
Operate with Gateway AV and spamBlocker
Operate with Data Loss Prevention (SMTP-proxy only)
Operate with APT Blocker (SMTP-proxy only)
WatchGuard Training 154
Proxy Actions Available for Email
Default actions available:
• Allow — Email is allowed through your device
• Lock — Email is allowed through your device; the attachment is encoded so only the Firebox or XTM device administrator can open it
• AV Scan — Gateway AntiVirus is used to scan the attachment
• Strip — Email is allowed through your device, but the file attachment(s) are deleted
• Drop — The SMTP connection is closed
• Block — The SMTP connection is closed and the sender is added to the blocked sites list
Also available with Gateway AntiVirus, spamBlocker, APT Blocker, and Data Loss Prevention:
• Quarantine — Email is stored on the Quarantine Server (only with SMTP) and is not sent to the recipient
WatchGuard Training 155
Control Incoming Email
Use the SMTP-Incoming and POP3-Server actions as a template
You decide what email you want to allow
[Diagram: anybody on the Internet, the SMTP Proxy on the Firebox, your SMTP server and your users]
WatchGuard Training 156
Control Outgoing Email
Use the SMTP-Outgoing or POP3-Client action as a template
You know the users
You decide what they can send
[Diagram: your users, the SMTP Proxy on the Firebox, their email server, and anybody on the Internet]
WatchGuard Training 157
Authentication: Verify a User’s Identity
WatchGuard Training 158
Learning Objectives
Understand authentication and how it works with the Firebox or XTM device
List the types of third-party authentication servers you can use with Fireware XTM
Use Firebox authentication users and groups
Add a Firebox authentication group to a policy definition
Modify authentication timeout values
Use the Firebox or XTM device to create a custom web server certificate
WatchGuard Training 159
What is User Authentication?
Identify each user as they connect to network resources
Restrict policies by user name
WatchGuard Training 160
WatchGuard Authentication
The user browses to the Firebox or XTM device interface IP address on TCP port 4100
The Firebox or XTM device presents an authentication page
The XTM device verifies that the credentials entered are correct, and allowed for the type of connection
The XTM device allows access to resources valid for that authenticated user or group
WatchGuard Training 161
Supported Authentication Servers
Firebox
RADIUS
VASCO
SecurID
LDAP
Active Directory
• Single Sign-On options
WatchGuard Training 162
Use Firebox Authentication
To use the Firebox or XTM device as an authentication server:
• Make groups
• Define users
• Edit policies
WatchGuard Training 163
Edit Policies for Authentication
Create users and groups
Use the user and group names in policy properties
Define From or To information
WatchGuard Training 164
Use Third-Party Servers
Set up a third-party authentication server
Get configuration information, such as secrets and IP addresses
Make sure the authentication server can contact the Firebox or XTM device
WatchGuard Training 165
Set Global Authentication Values
Session and idle timeout values
Number of concurrent connections
Enable Single Sign-On with Active Directory authentication
Enable redirect to the authentication page if the user is not yet authenticated
• After users authenticate, they are redirected to the site they originally selected.
Specify the authentication server that appears at the top of the Domain list in the Authentication Portal
Configure Terminal Services
WatchGuard Training 166
Enable Single Sign-On
Transparent authentication, no need to open a web page
Available with Windows Active Directory
Install the SSO Agent on a Windows server with a static IP address
Install the SSO Client on all workstations (Optional)
Install the Event Log Monitor on one computer in the domain (Clientless SSO)
SSO Agent passes user credentials to the XTM device
Use SSO exceptions for IP addresses that cannot authenticate (computers that are not domain members, or non-Windows PCs)
WatchGuard Training 167
Enable Terminal Services
Enables users to authenticate to your Firebox or XTM device over a Terminal Server or Citrix server
Enables your Firebox or XTM device to report the actual IP address of each user logged in to the device
Can be used with any configured authentication method (e.g. Firebox authentication, Active Directory, RADIUS, etc.)
WatchGuard Training 168
Fireware XTM Web Server Certificate
Why does the user get warnings from the browser?
• Name on the certificate does not match the URL
• Fix this problem with a custom certificate that has all of the Firebox or XTM device IP addresses as possible name matches
• User must still import this certificate to trusted root stores
WatchGuard Training 169
Blocking Spam: Stop Unwanted Email with spamBlocker
WatchGuard Training 170
Learning Objectives
Activate and configure spamBlocker
Specify the actions to take when suspected spam email is detected
Block or allow email messages from specified sources
Monitor spamBlocker activity
Install and configure Quarantine Server
WatchGuard Training 171
What is spamBlocker?
Technology licensed from CYREN (formerly Commtouch) to identify spam, bulk, or suspect email
No local server to install
• You can install Quarantine Server, but it is not necessary for spamBlocker to work correctly.
XTM device sends information to external servers to classify email and caches the results
Operates with the SMTP and POP3 proxies
You must have an SMTP or POP3 proxy action configured to use spamBlocker
WatchGuard Training 172
Activate spamBlocker
A feature key is required to enable spamBlocker
• Use Policy Manager or FSM to add the feature key
• Save the configuration to the Firebox or XTM device
Run the Activate spamBlocker Wizard
WatchGuard Training 173
Configure a Policy for spamBlocker
Use the SMTP-proxy or POP3-proxy
Choose the proxy response to spam categorization
Add exceptions
WatchGuard Training 174
spamBlocker Actions
Spam is classified into three categories:
• Spam
• Bulk
• Suspect
For each category, you can configure the action taken:
• Allow
• Add Subject Tag
• Quarantine (SMTP only)
• Deny (SMTP only)
• Drop (SMTP only)
WatchGuard Training 175
spamBlocker Exceptions
You can configure exceptions for specific senders or recipients by:
• Email address
• Domain by pattern match (*@xyz.com)
WatchGuard Training 176
Customize spamBlocker
Use multiple SMTP or POP3 proxies
WatchGuard Training 177
Monitor spamBlocker Activity
Status visible in Firebox System Manager
Select the Subscription Services tab
WatchGuard Training 178
Quarantine Spam
Quarantine Server operates with spamBlocker for the SMTP-proxy only (not the POP3-proxy)
Install with server components during WSM install, or from WatchGuard Server Center
WatchGuard Training 179
Quarantine Server Configuration
You can configure:
• Database size and administrator notifications
• Server settings
• Length of time to keep messages
• The domains for which the Quarantine Server keeps mail
• Rules to automatically remove messages:
  – From specific senders
  – From specific domains
  – That contain specific text in the Subject field
WatchGuard Training 180
Web Traffic: Manage Web Traffic Through Your Firewall
WatchGuard Training 181
Learning Objectives
Control outgoing HTTP traffic
Protect your web server
Use the HTTPS-proxy
Set up WebBlocker
Select categories of web sites to block
Override WebBlocker rules for specified sites
WatchGuard Training 182
What is the HTTP-Proxy?
Fully configurable HTTP requests and responses
Use URL paths to block complete URLs, or match a pattern you specify
Select header fields, protocol settings, and request/response methods
Allow or deny based on content types
Block the transfer of all or some attachments over port 80
Allow or deny cookies from specified domains
Enforce search engine Safe Search rules
WatchGuard Training 183
Control Outgoing HTTP Traffic
Use the HTTP-Client proxy action as a template
You know the users
You decide where they go and what they can get access to
Enforce Safe Search rules
[Diagram: the HTTP Proxy on the Firebox between your network and the Internet]
WatchGuard Training 184
Settings for the HTTP-Client Proxy Action
HTTP Request
HTTP Response
Use Web Cache Server
HTTP Proxy Exceptions
Data Loss Prevention
WebBlocker
AntiVirus
Reputation Enabled Defense
Deny Message
Proxy and AV Alarms
APT Blocker
WatchGuard Training 185
Protect Your Web Server
Use the HTTP-Server proxy action template
Block malformed packets
Prevent attacks on your server
Enforce Safe Search rules
[Diagram: the HTTP Proxy on the Firebox in front of the web server on your network]
WatchGuard Training 186
Settings for the HTTP-Server Proxy Action
HTTP Request
HTTP Response
HTTP Proxy Exceptions
Data Loss Prevention
WebBlocker
AntiVirus
Reputation Enabled Defense
Deny Message
Proxy and AV Alarms
APT Blocker
WatchGuard Training 187
When to Use the HTTPS-Proxy
HTTP on a secure, encrypted channel (SSL)
Can use Deep Packet Inspection (DPI) to examine content and re-sign the original HTTPS site certificate
OCSP can confirm the validity of the original HTTPS site certificate
Use a certificate that all clients on your network automatically trust for this purpose when possible
Can use WebBlocker to block categories of web sites
When DPI is not enabled, checks the certificate and blocks by domain name
WatchGuard Training 188
What is WebBlocker?
Reduces malicious web content that enters the network
Blocks URLs and IP addresses that you specify
Reduces unproductive web surfing and potential liability
Blocks access to IM/P2P download sites
Blocks access to spyware sites
Helps schools to attain CIPA compliance
Two database options
Global URL database — English, German, Spanish, French, Italian, Dutch, Japanese, traditional Chinese, and simplified Chinese sites
WatchGuard Training 189
WebBlocker Server Options
Websense cloud
• Uses a cloud-based URL categorization database with over 100 content categories, provided by Websense
• Does not use a locally installed WebBlocker Server
• URL categorization queries are sent over HTTP
WebBlocker Server
• Uses a WatchGuard WebBlocker Server with 54 categories, provided by SurfControl
• Usually requires a locally installed WebBlocker Server
  – XTM 2 Series and XTM 33 can use a WebBlocker Server hosted by WatchGuard
• URL categorization queries are sent over UDP 5003
WatchGuard Training 190
The WebBlocker Database
Database updates keep the filtering rules up-to-date
Use multiple categories to allow or deny different groups of users at different times of the day
WatchGuard Training 191
WebBlocker Content Categories
The available categories depend on which type of server you choose.
Websense cloud — 100+ categories
WebBlocker Server — 54 categories
WatchGuard Training 192
WebBlocker Server with Websense Cloud
[Diagram: your network, the Firebox or XTM device, the Websense Cloud, and web sites]
1. When a user browses, the Firebox or XTM device checks the Websense cloud
2. If the site is not in a blocked category, the device allows the connection
WatchGuard Training 193
WebBlocker Server with Local WebBlocker Server
[Diagram: your network, the Firebox or XTM device, the local WebBlocker Server receiving WebBlocker updates from WatchGuard, and web sites]
1. WebBlocker Server gets WebBlocker database from WatchGuard.
2. When a user browses, the Firebox or XTM device checks the WebBlocker Server.
3. If the site is not in a blocked category, the device allows the connection.
WatchGuard Training 194
Keep the WebBlocker Database Updated
The locally installed WebBlocker Server automatically downloads an incremental update to the local WebBlocker database at midnight.
To update the database at other times, you can:
• Manually trigger an incremental update in WatchGuard Server Center.
• Use Windows Task Scheduler to run the “updatedb.bat” process, which is installed in the C:\Program Files\WatchGuard\wsm11\bin directory.
WatchGuard Training 195
Advanced WebBlocker Settings
On the WebBlocker Configuration Advanced tab, you can control what happens if the device cannot contact the WebBlocker Server.
You can:
• Allow access to all web sites
• Deny access to all web sites
You can also set a password that overrides WebBlocker when it is entered on individual computers.
WatchGuard Training 196
WebBlocker Exceptions
Add exceptions for web sites that WebBlocker denies and you want to allow (white list).
Add web sites that WebBlocker allows and you want to deny (black list).
WatchGuard Training 197
Threat Protection: Defend Your Network From Intruders
WatchGuard Training 198
Learning Objectives
Understand the different types of intrusion protection
Configure default packet handling to stop common attacks
Block IP addresses and ports used by hackers
Automatically block the sources of suspicious traffic
WatchGuard Training 199
Intrusion Detection and Prevention
[Timeline diagram of a vulnerability's lifecycle and where firewall-based IPS fits in:]
1. Vulnerability found and exposed
2. Hacker builds attack that uses vulnerability
3. Attack launched
4. Attack signature developed and distributed (firewall-based IPS supplies zero-day protection and proactively blocks many threats)
5. Vendor builds patch
6. Vendor distributes patch
7. IT admin queues patch update based on severity
8. IT admin installs patch (ongoing protection at higher performance)
WatchGuard Training 200
Default Packet Handling
Spoofing attacks
Port and address space probes
Flood attacks
Denial of service
Options for logging and automatic blocking
WatchGuard Training 201
Block the Source of Attacks
[Diagram: your network with a Log Server and a Web Server behind the Firebox or XTM device]
1. Remote users use valid packets to browse your web site.
2. Attacker runs a port space probe on your network.
3. XTM device blocks the probe and adds the IP address of the source (the attacker) to the temporary list of blocked sites.
4. Now, even valid traffic from the attacker’s IP address is blocked by the Firebox or XTM device.
WatchGuard Training 202
Auto-Block Sites
Each policy configured to deny traffic has a check box you can select to auto-block the source of the denied traffic.
If you select it, the source IP address of any packet denied by the policy is automatically added to the Blocked Sites List.
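The four-step scenario on the Block the Source of Attacks slide and the auto-block check box above, as an added Python model (example code, not Fireware's): a source that a policy denies, or that the port probe check flags, goes onto a temporary Blocked Sites List, and all of its traffic is dropped until the entry expires. The probe threshold, the expiry time, the allowed ports and the log line format are assumptions.

```python
import ipaddress
from collections import defaultdict

class BlockedSites:
    """Permanent (static configuration) entries plus temporary entries that expire."""
    def __init__(self, temp_seconds=1200, permanent=()):
        self.temp_seconds = temp_seconds          # lifetime of auto-blocked entries (assumed)
        self.permanent = [ipaddress.ip_network(p) for p in permanent]
        self.temporary = {}                       # ip -> expiry time in seconds

    def add_temporary(self, ip, now):
        self.temporary[ip] = now + self.temp_seconds

    def is_blocked(self, ip, now):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.permanent):
            return True
        expiry = self.temporary.get(ip)
        if expiry is None:
            return False
        if now >= expiry:                         # aged out: remove and allow again
            del self.temporary[ip]
            return False
        return True

class ProbeDetector:
    """Default packet handling model: flags a source that touches many distinct
    destination ports inside a short window (thresholds assumed)."""
    def __init__(self, max_ports=10, window=1.0):
        self.max_ports, self.window = max_ports, window
        self.seen = defaultdict(list)             # src -> [(time, dport), ...]

    def observe(self, src, dport, now):
        hits = [(t, p) for t, p in self.seen[src] if now - t <= self.window]
        hits.append((now, dport))
        self.seen[src] = hits
        return len({p for _, p in hits}) > self.max_ports

class Firewall:
    def __init__(self, blocked, auto_block_denied, allowed_ports=(80, 443)):
        self.blocked = blocked
        self.probe = ProbeDetector()
        self.allowed_ports = set(allowed_ports)     # stands in for the allow policies
        self.auto_block_denied = auto_block_denied  # the per-policy auto-block check box
        self.log = []

    def handle(self, src, dport, now):
        """Returns "drop" (blocked site), "deny" (policy or probe) or "allow"."""
        if self.blocked.is_blocked(src, now):       # checked before any policy
            self.log.append(f"{now:.1f} drop {src}:{dport} blocked site")
            return "drop"
        if self.probe.observe(src, dport, now):
            self.blocked.add_temporary(src, now)
            self.log.append(f"{now:.1f} deny {src} port space probe, source auto-blocked")
            return "deny"
        if dport in self.allowed_ports:
            return "allow"
        if self.auto_block_denied:
            self.blocked.add_temporary(src, now)
        self.log.append(f"{now:.1f} deny {src}:{dport} by policy")
        return "deny"

def probe_scenario():
    """Replays the slide: valid browsing, a port space probe, then valid traffic
    from the probing address, which stays blocked until the entry expires."""
    fw = Firewall(BlockedSites(temp_seconds=1200), auto_block_denied=False)
    results = {"user": fw.handle("198.51.100.20", 80, 0.0)}
    results["probe"] = [fw.handle("203.0.113.99", port, 0.1) for port in range(1, 13)]
    results["attacker_valid"] = fw.handle("203.0.113.99", 80, 5.0)
    results["after_expiry"] = fw.handle("203.0.113.99", 80, 1400.0)
    return results

def auto_block_scenario():
    """A deny policy with auto-block selected: one denied packet blocks the source."""
    fw = Firewall(BlockedSites(temp_seconds=1200), auto_block_denied=True)
    first = fw.handle("198.51.100.30", 23, 10.0)    # denied by policy, source auto-blocked
    second = fw.handle("198.51.100.30", 80, 11.0)   # would be allowed, but source is blocked
    return first, second

if __name__ == "__main__":
    print(probe_scenario())
    print(auto_block_scenario())
```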
WatchGuard Training 203
Use a Proxy Action to Block Sites
When you select the Block action, the IP address denied by the proxy action is automatically added to the Blocked Sites List.
WatchGuard Training 204
Block Known Attack Vectors
Protect sensitive services on your network
• Get log messages
• Close traffic for unwanted services
Static configuration
• Add specific ports to block
• Add specific IP addresses or subnets to be permanently blocked
Dynamic configuration
• This feature can be enabled from many different places in Policy Manager:
  – Proxy actions
  – Default packet handling settings
  – Policy configuration
WatchGuard Training 205
Signature Services: Gateway AntiVirus, Data Loss Prevention, Intrusion Prevention, and Application Control
WatchGuard Training 206
Learning Objectives
Understand how signature-based security subscriptions work
Set up and configure Gateway AntiVirus
Configure proxies to use Gateway AntiVirus
Set up and configure Data Loss Prevention
Set up and configure the Intrusion Prevention Service
Set up and configure Application Control
Enable IPS and Application Control in policies
WatchGuard Training 207
What is Gateway AV?
Signature-based antivirus subscription
The Firebox or XTM device downloads signature database updates at regular, frequent intervals
Gateway AV operates with the SMTP, HTTP, FTP, POP3, and TCP-UDP proxies
WatchGuard Training 208
Set Up Gateway AntiVirus
[Diagram: Gateway AntiVirus database updates flow from WatchGuard to the XTM device on your network]
1. XTM device downloads the initial signature file
2. Device gets new signatures and updates at a regular interval
3. Gateway AV strips viruses and allows valid email or web pages to load
WatchGuard Training 209
Gateway AV Wizard
Gateway AntiVirus can be enabled and configured with the wizard that you launch from the Subscription Services menu
In the wizard, you select the proxy policies to include in the Gateway AV configuration
WatchGuard Training 210
Configure the Proxy with Gateway AntiVirus
Use the HTTP-proxy and SMTP-proxy to enable Gateway AV
Define actions
Define content types to scan
Monitor Gateway AV status
WatchGuard Training 211
Gateway AV and the SMTP-Proxy
When an email attachment contains a known virus signature, the Firebox or XTM device can take one of these actions:
• Allow — Attachment passes through with no change
• Lock — Attachment can only be opened by an administrator
• Remove — Attachment is stripped from the email
• Quarantine — Message is sent to the Quarantine Server
• Drop — The connection is denied
• Block — The connection is denied, and the server is added to the Blocked Sites List
WatchGuard Training 212
Gateway AV and the HTTP-Proxy
When Gateway AV finds a known virus signature in an HTTP session, the Firebox or XTM device can:
• Allow — The file is allowed to pass through without changes
• Drop — The HTTP connection is denied
• Block — The HTTP connection is denied, and the web server is added to the Blocked Sites List
WatchGuard Training 213
Gateway AV and the FTP-Proxy
The FTP-proxy applies Gateway AV settings to:
• Downloaded files allowed in your configuration
• Uploaded files allowed in your configuration
WatchGuard Training 214
Gateway AV Settings
Select this option if you want Gateway AV to decompress file formats such as .zip or .tar
The number of levels to scan is the depth for which Gateway AV scans archive files inside archive files
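The "number of levels to scan" setting as an added Python illustration (example code, not Gateway AV's engine): archives are opened only while the nesting depth is below the configured level count, so a file nested deeper than that comes back as unscanned rather than clean. The signature patterns and the nested zip samples are constructed for the example.

```python
import io
import zipfile

# Constructed stand-ins for Gateway AV signatures: byte patterns to look for.
SIGNATURES = (b"SAMPLE-SIGNATURE-0001", b"SAMPLE-SIGNATURE-0002")

def scan_bytes(data: bytes, levels: int, depth: int = 0):
    """Scans one object. Returns (verdict, detail) where verdict is "clean",
    "infected", or "unscanned" when an archive sits deeper than `levels` allows.
    Archives are only inspected by opening them, never by pattern-matching their
    compressed bytes, which is why the level limit matters."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= levels:
            return "unscanned", f"archive at depth {depth} is beyond the {levels} level(s) to scan"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                verdict, detail = scan_bytes(zf.read(name), levels, depth + 1)
                if verdict != "clean":
                    return verdict, f"{name}: {detail}"
        return "clean", f"archive at depth {depth} fully scanned"
    if any(sig in data for sig in SIGNATURES):
        return "infected", f"signature found at depth {depth}"
    return "clean", f"plain file at depth {depth}"

def make_zip(entries: dict) -> bytes:
    """Builds an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def nested_sample(depth: int) -> bytes:
    """Constructed sample: a file carrying a signature, wrapped in `depth` zip
    layers, each layer also holding a harmless file."""
    blob = b"quarterly figures ... SAMPLE-SIGNATURE-0001 ... end of file"
    name = "inner.txt"
    for level in range(depth):
        blob = make_zip({name: blob, "readme.txt": b"nothing to see here"})
        name = f"level{level + 1}.zip"
    return blob

if __name__ == "__main__":
    for levels in (1, 2, 3):
        print(levels, scan_bytes(nested_sample(3), levels))
```

The "unscanned" verdict is the case the proxy's settings for content that cannot be scanned have to decide on; the example reports it rather than choosing an action.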
WatchGuard Training 215
What is Data Loss Prevention?
Data Loss Prevention (DLP) is a signature-based security service that can help you control the loss of confidential data from your network.
DLP uses content control rules to identify sensitive data, such as:
• Bank routing numbers
• Credit card numbers
• Confidential document markers
• National identity numbers
• Driver’s license numbers
• Medical records
• Postal addresses and telephone numbers
• Email addresses
DLP scans outbound traffic over proxied SMTP, FTP, HTTP, and HTTPS connections.
WatchGuard Training 216
DLP Custom Rule
You can add a custom rule to your DLP configuration.
Allows you to customize your DLP configuration beyond the predefined rules.
You can scan your network traffic for special phrases specific to your organization.
For example, use email and document security classifications with your custom rule to prevent sensitive messages and documents from leaving your network.
WatchGuard Training 217
DLP Sensors
To configure DLP, you define a DLP sensor. For each DLP sensor, you configure:
• Rules — enable one or more of the predefined or custom content rules
• Actions — define the action to take if data matches the selected rules
  By default, a sensor has two types of actions:
  – Action for email traffic
  – Action for non-email traffic
• Settings — scan limit, and actions for items that cannot be scanned
  Scan limit controls how much of a file or object to scan
  Actions control what happens when:
  – Content is larger than the scan limit
  – A scan error occurs
  – Content is password protected
WatchGuard Training 218
DLP Actions
Actions you can configure in a DLP sensor are:
• Allow — Allows the connection or email
• Drop — Denies the request and drops the connection. No information is sent to the source of the content.
• Block — Denies the request, drops the connection, and adds the IP address of the content source or sender to the Blocked Sites list.
• Lock — (email content only) Locks the email attachment. A file that is locked cannot be opened easily by the user. Only the administrator can unlock the file.
• Remove — (email content only) Removes the attachment and allows the message to be sent to the recipient.
• Quarantine — (email content only) Sends the email message to the Quarantine Server.
WatchGuard Training 219
DLP Text Extraction
DLP can extract and scan text from these file types:
• Adobe PDF, RTF
• Microsoft PowerPoint 2000, 2003, 2007, 2010
• Microsoft Excel 2000, 2003, 2007, 2010
• Microsoft Word 2000, 2003, 2007, 2010
• Microsoft Project 2000, 2003, 2007, 2010
• Microsoft Visio 2000, 2003, 2007, 2010
• Microsoft Outlook .MSG
• Microsoft Outlook Express .EML
• OpenOffice Calc, Impress, Writer
• LibreOffice Calc, Impress, Writer
• HTML
WatchGuard Training 220
Enable DLP
Enable Data Loss Prevention
Add a DLP Sensor using the wizard
• Apply sensor to proxy policies
• Select content control rules
• Select actions to take when content is detected in email and non-email traffic
WatchGuard Training 221
Edit a DLP Sensor
Enable/disable rules
Configure sensor actions by source and destination
• Action for email traffic
• Action for non-email traffic
Configure sensor settings
• Set actions for items that cannot be scanned due to:
  – Size exceeds scan limit
  – Scan error
  – File is password protected
• Set the file scan limit
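A DLP sensor as described on the DLP Sensors, DLP Actions and Edit a DLP Sensor slides, as an added Python model (example code, not Fireware's DLP engine): enabled rules (a credit card rule with a Luhn check and a custom classification-marker rule), separate actions for email and non-email traffic, a scan limit, and actions for content that cannot be scanned. The rule logic, the default values and the order in which the checks run are assumptions.

```python
import re
from dataclasses import dataclass

def luhn_ok(digits: str) -> bool:
    """Standard Luhn check digit test, as used by payment card numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:                # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def credit_card_rule(text: str) -> bool:
    """Predefined-style rule: 13 to 16 digits, optional spaces or dashes, valid Luhn."""
    for m in re.finditer(r"\b(?:\d[ -]?){13,16}\b", text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return True
    return False

def custom_phrase_rule(phrase: str):
    """Custom rule: an organization-specific marker, matched case-insensitively."""
    pat = re.compile(re.escape(phrase), re.IGNORECASE)
    return lambda text: pat.search(text) is not None

EMAIL_ONLY_ACTIONS = {"Lock", "Remove", "Quarantine"}

@dataclass
class Sensor:
    rules: dict                          # enabled rules: name -> predicate(text)
    email_action: str = "Quarantine"     # action for email traffic
    other_action: str = "Drop"           # action for non-email traffic
    scan_limit: int = 1_000_000          # bytes scanned per object (assumed default)
    over_limit_action: str = "Allow"     # content larger than the scan limit
    scan_error_action: str = "Allow"
    password_action: str = "Allow"       # password-protected content

    def __post_init__(self):
        if self.other_action in EMAIL_ONLY_ACTIONS:
            raise ValueError(f"{self.other_action} applies to email content only")

@dataclass
class Item:
    data: bytes
    is_email: bool
    password_protected: bool = False
    extract_error: bool = False          # text extraction failed (scan error)

def inspect(sensor: Sensor, item: Item):
    """Returns (action, reason). Unscannable items get their configured action;
    otherwise the first `scan_limit` bytes are checked against each enabled rule
    and a match selects the email or non-email action (ordering assumed)."""
    if item.password_protected:
        return sensor.password_action, "content is password protected"
    if item.extract_error:
        return sensor.scan_error_action, "scan error"
    text = item.data[:sensor.scan_limit].decode("utf-8", "replace")
    for name, rule in sensor.rules.items():
        if rule(text):
            action = sensor.email_action if item.is_email else sensor.other_action
            return action, f"matched rule: {name}"
    if len(item.data) > sensor.scan_limit:
        return sensor.over_limit_action, "content larger than scan limit"
    return "Allow", "no rule matched"

# Constructed sensor: one predefined-style rule and one custom rule; the small
# scan limit is only there to make the over-limit path visible.
SENSOR = Sensor(
    rules={"Credit card numbers": credit_card_rule,
           "Custom: classification marker": custom_phrase_rule("Classification: Confidential")},
    email_action="Quarantine", other_action="Drop",
    scan_limit=64, over_limit_action="Allow")

if __name__ == "__main__":
    print(inspect(SENSOR, Item(b"Please charge 4111 1111 1111 1111 for the order", True)))
    print(inspect(SENSOR, Item(b"CLASSIFICATION: CONFIDENTIAL board minutes", False)))
```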
Assign DLP Sensors to Policies
When you add a DLP sensor, you select which proxy policies it applies to. You can also configure this on the Policies tab in the Data Loss Prevention configuration, or when you edit an FTP, HTTP, or SMTP proxy action.

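The sensor settings on the previous slides decide three things for every transferred file: which action applies when a rule matches (one action for email, one for non-email traffic), and what happens to content the sensor cannot scan at all. The model below is an added illustration, not WatchGuard code. It assumes, as stand-ins not taken from the slides, that content control rules are plain regexes, that text extraction is a stub handling only plain text plus a constructed `ENCRYPTED:` marker that stands in for a password-protected document, and that the fall-back actions for unscannable items are limited to Allow, Drop or Block. The Lock, Remove and Quarantine actions are accepted only for email traffic, as the DLP Actions slide states.

```python
"""Model of a DLP sensor's decision flow (added illustration, not WatchGuard
code). Assumptions, none of which come from the slides: content-control
rules are plain regexes, text extraction is a stub that handles plain text
and a constructed ENCRYPTED: marker standing in for a password-protected
document, and the fall-back actions for unscannable items are restricted to
Allow, Drop or Block."""
import re
from dataclasses import dataclass, field

EMAIL_PROXIES = {"SMTP", "POP3"}
EMAIL_ONLY_ACTIONS = {"lock", "remove", "quarantine"}   # email content only
GENERAL_ACTIONS = {"allow", "drop", "block"}

# Constructed stand-ins for the built-in content control rules.
RULES = {
    "US SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Visa card number": re.compile(r"\b4\d{3}(?:[ -]?\d{4}){3}\b"),
}


@dataclass
class Sensor:
    email_action: str                  # action when a rule matches email traffic
    non_email_action: str              # action when a rule matches HTTP/FTP traffic
    scan_limit: int                    # file scan limit in bytes
    oversize_action: str = "allow"     # size exceeds scan limit
    scan_error_action: str = "allow"   # scan error
    password_action: str = "allow"     # file is password protected
    rules: dict = field(default_factory=lambda: dict(RULES))

    def __post_init__(self):
        if self.email_action not in GENERAL_ACTIONS | EMAIL_ONLY_ACTIONS:
            raise ValueError(f"unknown email action {self.email_action!r}")
        if self.non_email_action not in GENERAL_ACTIONS:
            raise ValueError("non-email action must be allow, drop or block")
        for name in ("oversize_action", "scan_error_action", "password_action"):
            if getattr(self, name) not in GENERAL_ACTIONS:
                raise ValueError(f"{name} must be allow, drop or block (assumed)")


def extract_text(data: bytes) -> str:
    """Stub for DLP text extraction (real DLP parses PDF, Office, RTF, ...)."""
    if data.startswith(b"ENCRYPTED:"):
        raise PermissionError("password protected")
    return data.decode("utf-8", errors="replace")


def evaluate(sensor, proxy, data, src_ip, blocked_sites):
    """Return (action, reason); a 'block' verdict also adds src_ip to blocked_sites."""
    if len(data) > sensor.scan_limit:
        action, reason = sensor.oversize_action, "size exceeds scan limit"
    else:
        try:
            text = extract_text(data)
        except PermissionError:
            action, reason = sensor.password_action, "file is password protected"
        except Exception as exc:                        # any other extraction failure
            action, reason = sensor.scan_error_action, f"scan error: {exc}"
        else:
            hits = [name for name, rx in sensor.rules.items() if rx.search(text)]
            if not hits:
                return "allow", "no rule matched"
            action = sensor.email_action if proxy in EMAIL_PROXIES else sensor.non_email_action
            reason = "matched " + ", ".join(hits)
    if action == "block":
        blocked_sites.add(src_ip)   # Block = drop + add the content source to Blocked Sites
    return action, reason
```

The three fall-back actions default to Allow here, which is the fail-open choice: an oversized or password-protected archive leaves with no inspection at all. Decide that setting deliberately for each sensor. Note also what Block does: it adds the content source to the Blocked Sites list, and for an outbound upload the source is an internal client, so test a rule set before choosing Block for non-email traffic.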
Use Signature-Based IPS
Configure IPS to Allow, Drop, or Block connections from sources that match an IPS signature. The action is set based on the threat level of the matching signature.

Use Signature-Based IPS
• Settings are configured globally
• IPS is enabled or disabled per policy, and can scan traffic for all policies
• Blocks malicious traffic before it enters your network

Use Application Control
Application Control is a subscription service that monitors and controls hundreds of applications based on signatures. You can block or allow traffic for application categories, applications, and application behaviors.
• If you have created Traffic Management actions, you can also use them to control the bandwidth used for allowed application traffic.
When Application Control blocks HTTP content, a deny message appears in the browser.
• The deny message is not configurable.
• For HTTPS or other content types, the deny message does not appear.

Use Application Control
To configure actions by application category, click Select by Category.

Apply Application Control to Policies
First configure Application Control actions. Then, on the Policies tab, select one or more policies and select the action to apply.

Enable Application Control and IPS in Policies
Application Control
• Application Control is not automatically enabled for policies.
• For each policy, you select which Application Control action to use.
• To monitor the use of applications, enable logging of allowed packets in the policies that have Application Control enabled.
IPS
• When you enable IPS, it is enabled for all policies by default.
• You can enable or disable IPS for each policy.

Application Control, IPS, and DLP in HTTPS-Proxy Policies
If you enable Application Control, IPS, or DLP for an HTTPS-proxy policy, you must also enable deep inspection of HTTPS content in the HTTPS-proxy action. Without it the device sees only the encrypted stream. Deep inspection is:
• Required for IPS to scan the HTTPS content
• Required for Application Control to detect applications over an HTTPS connection
• Required for DLP to scan content
Deep inspection decrypts and re-encrypts the HTTPS connection, so clients must trust the certificate the device re-signs with; plan that distribution before you enable it.

Enable Automatic Signature Updates
To protect against the latest viruses and exploits, and to identify the latest applications, make sure your device is configured to get automatic updates to Gateway AntiVirus, Intrusion Prevention, and Application Control signatures at regular intervals.
Update requests can be routed through a proxy server.

Monitor Signature Update Status
In Firebox System Manager, select the Subscription Services tab to see the status of Gateway AV, IPS, DLP, and Application Control signatures, or to manually get signature updates.

APT Blocker: Block Advanced Malware in Email, FTP, and Web Traffic

APT Blocker
What is an APT (Advanced Persistent Threat)?
• APTs leverage the latest targeted malware techniques and zero-day exploits (flaws that software vendors have not yet discovered or fixed) to infect and spread within a network.
• They are designed to gain access to networks and confidential data over extended periods of time.
• APTs are highly sophisticated and often target specific high-profile institutions such as government or financial-sector companies.
• APT use has now expanded to target smaller networks and lower-profile organizations.
• Traditional signature-based scan techniques do not provide adequate protection against APTs.

APT Blocker
APT Blocker is a subscription service that uses full-system emulation analysis by WatchGuard's solution partner Lastline.
• The Lastline cloud performs file analysis in a sandbox environment to identify the characteristics and behavior of advanced malware in files and email attachments.
• Full system emulation goes beyond simple detection techniques: it simulates a physical and software environment to analyze advanced malware activity at the deepest level.
• Full system emulation is designed to make it much harder for advanced malware to detect the analysis environment and evade it.

APT Blocker — How Does it Work
• Files that enter your network are scanned and an MD5 hash of each file is generated.
• The MD5 hash is submitted over HTTPS to the Lastline cloud-based data center, where it is compared to a database of already-analyzed files, and the result is returned immediately.
• If the result matches a known malware threat, the device takes the configured action on the file immediately.
• If there is no match, the specific file has never been seen or analyzed before. In that case the file itself is submitted to the Lastline data center, where it undergoes deep analysis for advanced malware activity.
• This analysis runs in parallel with the file transfer: the connection is passed through while the device waits for the result, so the first copy of a never-seen file is delivered.
• The result is returned in minutes. If there is evidence of malware activity in the file, your WatchGuard Firebox or XTM device can generate an alarm notification, and later transfers of the same file match the database and receive the configured action.

APT Blocker — Supported Proxies and File Types
APT Blocker can scan files for the HTTP, FTP, and SMTP proxies.
APT Blocker can scan these file types:
• Windows PE (Portable Executable) files, including Windows XP and Windows 7/8 files with .cpl, .exe, .dll, .ocx, .sys, .scr, .drv, and .efi extensions
• Adobe PDF documents
• Microsoft Office documents
• Rich Text Format (RTF) documents
• Android executable files (.apk)
APT Blocker can also examine files within these compressed archives:
• gzip
• tar
• zip

APT Blocker & Gateway AntiVirus
• APT Blocker uses the same scanning process as Gateway AntiVirus.
• Gateway AntiVirus must be enabled on a proxy before you can enable APT Blocker on it.
• Files are scanned by Gateway AntiVirus before they are scanned by APT Blocker; only files that Gateway AntiVirus has processed as clean are passed to APT Blocker.
• You customize which file types APT Blocker scans in the Gateway AntiVirus configuration: if the Gateway AntiVirus scan is enabled for a file or content type, APT Blocker scans that file as long as the type is one it supports.

Enable APT Blocker
Before you enable APT Blocker:
• Your device must have an APT Blocker feature key
• Gateway AntiVirus must be enabled

APT Blocker — Configuration
APT Blocker categorizes APT activity by the severity of the threat: High, Medium, or Low. All threat levels are considered malware; higher levels have more significant indicators of malware.
For each threat level, you can assign an action:
• Allow
• Drop (the SMTP proxy strips the attachment)
• Block (the SMTP proxy strips the attachment)
• Quarantine (SMTP only; for HTTP and FTP the connection is dropped)
Enable the notification and log settings to make sure you are notified of malware activity.

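The ordering described on the last few slides (Gateway AntiVirus first, then the file-type check, then the hash lookup, and only then a sandbox submission that lets the transfer through) is what decides whether a given file is stopped or merely reported. The model below is an added illustration, not WatchGuard or Lastline code. It assumes, as stand-ins not taken from the slides, an in-memory dict for the Lastline results database, a constructed signature list for Gateway AntiVirus, my own mapping of "Microsoft Office documents" to extensions, and example per-threat-level actions for the APT Blocker dialog.

```python
"""Model of the APT Blocker flow from the previous slides (added illustration,
not WatchGuard or Lastline code). Assumptions: the Lastline results database
and sandbox are replaced by in-memory dicts, Gateway AntiVirus by a
constructed signature list, the Office extensions are my own mapping of
"Microsoft Office documents", and the per-threat-level actions are example
settings for the APT Blocker dialog."""
import hashlib
import os

APT_EXTENSIONS = {
    ".cpl", ".exe", ".dll", ".ocx", ".sys", ".scr", ".drv", ".efi",   # Windows PE
    ".pdf", ".rtf", ".apk",
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",                 # Office (assumed)
}

# Constructed stand-in for Gateway AntiVirus signatures: byte pattern -> name.
GAV_SIGNATURES = {b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR": "EICAR-Test-File"}

# Example actions per threat level, as set in the APT Blocker dialog.
APT_ACTIONS = {"high": "block", "medium": "drop", "low": "allow"}


class AptBlocker:
    def __init__(self, gav_enabled=True, actions=APT_ACTIONS, gav_action="drop"):
        if not gav_enabled:
            # Gateway AntiVirus must be enabled before APT Blocker can be enabled on a proxy.
            raise ValueError("APT Blocker requires Gateway AntiVirus on this proxy")
        self.actions = dict(actions)
        self.gav_action = gav_action
        self.results = {}    # stand-in for the Lastline database: md5 -> "clean" or threat level
        self.pending = {}    # md5 -> filename, submitted for full-system analysis
        self.alarms = []

    def scan(self, filename, data):
        """Decide one file transfer. Returns (action, reason)."""
        # 1. Gateway AntiVirus scans first; only files it passes as clean reach APT Blocker.
        for pattern, name in GAV_SIGNATURES.items():
            if pattern in data:
                return self.gav_action, f"Gateway AntiVirus: {name}"
        # 2. Only supported file types are sent to APT Blocker.
        if os.path.splitext(filename)[1].lower() not in APT_EXTENSIONS:
            return "allow", "not an APT Blocker file type"
        # 3. Hash lookup against the database of already-analyzed files.
        digest = hashlib.md5(data).hexdigest()
        verdict = self.results.get(digest)
        if verdict == "clean":
            return "allow", "previously analyzed, clean"
        if verdict is not None:
            return self.actions[verdict], f"known malware, threat level {verdict}"
        # 4. Never seen before: submit the file and pass the connection through.
        #    The sandbox verdict arrives minutes later, so this first copy is delivered.
        self.pending[digest] = filename
        return "allow", "no prior analysis; file submitted, transfer passed through"

    def analysis_complete(self, digest, threat_level):
        """Sandbox result callback (constructed). Records the verdict for future
        lookups and raises an alarm; the already-delivered copy is not recalled."""
        filename = self.pending.pop(digest)
        self.results[digest] = threat_level or "clean"
        if threat_level is None:
            return None
        alarm = f"APT Blocker: {filename} ({digest}) is a {threat_level} threat"
        self.alarms.append(alarm)
        return alarm
```

Two things to take from running this: a file nobody has analyzed before is delivered and only alarmed on afterwards, so the alarm and log settings on this slide are the control for that first copy and need a responder behind them; and because the lookup is keyed on MD5, for which collisions are practical, a verdict cached by hash is only as strong as the hash, which is one more reason not to treat "previously analyzed, clean" as a substitute for the Gateway AntiVirus scan that runs first.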
APT Blocker — Enable in a Policy
You can enable or disable APT Blocker for a specific policy in the APT Blocker configuration or when you edit a proxy action.

Reputation Enabled Defense: Improve the Performance and Security of Web Access

Learning Objectives
• Understand how Reputation Enabled Defense works
• Configure Reputation Enabled Defense
• Monitor Reputation Enabled Defense

What is Reputation Enabled Defense (RED)?
• Reputation-based HTTP anti-virus and anti-spyware prevention subscription, available for WatchGuard XTM device models only
• RED operates with the HTTP-proxy
• RED uses a cloud-based reputation server that assigns a reputation score between 1 and 100 to every URL
• The reputation score for a URL is based on AV scanning feedback and other URL reputation data collected from sources around the world
When a user browses to a web site, RED looks up the score for the URL:
• For URLs with a good reputation score, local scanning is bypassed
• For URLs with a bad reputation score, the HTTP-proxy denies access without local scanning by Gateway AV
• For URLs with an inconclusive reputation score, local Gateway AV scanning is performed as configured
This eliminates the need to locally scan the content of web sites that have a known good or bad reputation and improves XTM device performance.

RED Reputation Scores
• High scores indicate a bad reputation; low scores indicate a good reputation
• If RED has no knowledge of a URL, it assigns a score of 50
• The reputation score assigned to a URL increases based on negative scan results for that URL, negative scan results for a referring link, and negative information from other sources of malware data
• The reputation score assigned to a URL decreases based on multiple clean scans and recent clean scans
RED continually updates the reputation scores for URLs based on:
• Scan results from devices around the world by two leading anti-malware engines: Kaspersky and AVG
• Data from other leading sources of malware intelligence for the web

RED Reputation Thresholds and Actions
The action performed by the HTTP-proxy depends on the reputation score of the requested URL and the locally configured reputation thresholds.
RED actions:
• If the score is higher than the Bad reputation threshold, deny access
• If the score is lower than the Good reputation threshold, bypass local scanning
• Otherwise, perform local Gateway AV scanning as configured

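The two thresholds above carve the 1 to 100 score range into three bands, and the detail that matters when you tune them is where the unknown-URL score of 50 lands. The function below is an added illustration, not WatchGuard code: it applies the three rules from this slide with the strict comparisons the slide uses, defaults unknown URLs to 50 as the previous slide states, and flags threshold settings that quietly change the treatment of unknown URLs. The thresholds good=10 and bad=90 and the reputation table are assumed example values, not the product defaults, which the slides do not quote.

```python
"""RED reputation decision (added illustration, not WatchGuard code). Scores
run 1..100, high = bad, and a URL RED has never seen scores 50. The example
thresholds good=10 and bad=90 are assumed values, not the product defaults,
which the slides do not quote."""

UNKNOWN_SCORE = 50

# Constructed reputation table standing in for the cloud lookup.
REPUTATION = {
    "http://example.com/": 5,
    "http://cdn.example.net/lib.js": 40,
    "http://bad.example.org/dl.exe": 97,
}


def validate_thresholds(good, bad):
    """Reject impossible settings and return warnings for ones that weaken RED."""
    if not (1 <= good < bad <= 100):
        raise ValueError("need 1 <= good threshold < bad threshold <= 100")
    warnings = []
    if good > UNKNOWN_SCORE:
        warnings.append("good threshold above 50: unknown URLs bypass Gateway AV scanning")
    if bad < UNKNOWN_SCORE:
        warnings.append("bad threshold below 50: every unknown URL is denied")
    return warnings


def red_action(score, good=10, bad=90):
    """Map a score to the HTTP-proxy action. Both comparisons are strict, so a
    score equal to either threshold falls through to local AV scanning."""
    validate_thresholds(good, bad)
    if not 1 <= score <= 100:
        raise ValueError("reputation score must be 1..100")
    if score > bad:
        return "deny"
    if score < good:
        return "bypass_av"
    return "scan"


def handle_request(url, good=10, bad=90, reputation=REPUTATION):
    """Look up the URL, defaulting to 50 when RED has no knowledge of it."""
    score = reputation.get(url, UNKNOWN_SCORE)
    return score, red_action(score, good, bad)
```

The warning from `validate_thresholds` is the check to run before accepting a non-default Good threshold: anything above 50 means a URL RED has never seen skips Gateway AV entirely, which is the opposite of what "bypass scanning for known-good sites" intends.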
Enable Reputation Enabled Defense
Before you enable RED:
• Your device must have a Reputation Enabled Defense feature key
• You must have configured at least one HTTP-proxy policy

Configure Reputation Enabled Defense
• Enable RED for the HTTP-proxy
• Define thresholds
• Monitor RED status

Reputation Enabled Defense and the HTTP-Proxy
Based on the reputation score for a URL, the HTTP-proxy can:
• Immediately block the URL if it has a bad reputation
• Bypass any configured local virus scanning for a URL that has a good reputation
If neither of these RED actions occurs, any locally configured virus scanning proceeds as configured.

Reputation Enabled Defense and the HTTP-Proxy
• Default reputation thresholds are set to balance security with performance
• Change the bad and good reputation thresholds in the Advanced Settings dialog box
• WatchGuard recommends that you use the default reputation thresholds

Monitor Reputation Enabled Defense
RED status is visible in Firebox System Manager on the Subscription Services tab.

Web UI: Explore Fireware XTM Web UI

Learning Objectives
• Log in to Fireware XTM Web UI
• Change the port that the Firebox or XTM device uses for the Web UI
• Discuss limitations of the Web UI
• Manage timeouts for Web UI management sessions

Introduction to Fireware XTM Web UI
• Monitor and manage any device running Fireware XTM without installing extra software
• Real-time management tool
• Easily find what you need and understand how the configuration options work

Limitations of the Web UI
Things you can do with Policy Manager, but not with the Web UI:
• Change the name of a policy
• Change the logging of default packet handling options
• Enable or disable the notification of BOVPN events
• Add a custom address to a policy
• Use Host Name (DNS lookup) to add an IP address to the From or To section of a policy
• Create a .wgx file for Mobile VPN with IPSec client configuration (you can get only the equivalent, but unencrypted, .ini file)
• Export certificates stored on the device, or see their details (you can only import certificates)
• Enable FireCluster or change the cluster configuration (you can monitor a cluster and update policies and other configuration settings)
• Some of the logging and reporting functions provided by HostWatch, Log Manager, Report Manager, and WSM are also not available

Log in to the Web UI
• You need only a web browser
• Real-time configuration tool: there is no option to store configuration changes locally and save them to the device later
• https://<XTM.device.IP.address>:8080
• The Web UI uses a self-signed certificate, so you must either accept the certificate warning or replace the certificate with one your browsers already trust. Replacing it is the safer choice; if you do accept the warning, verify the certificate fingerprint first rather than clicking through blindly
• You can change the port for the Web UI
Log in with one of the two default Device Management user accounts:
• status — read-only permission; uses the status passphrase
• admin — read-write permission; uses the configuration passphrase
Or, log in with another Device Management user account you have added.

Log in to the Web UI
• To log in with the default Device Management user accounts, the Username must be status or admin. It is case sensitive.
• Multiple concurrent logins are allowed with a Device Monitor user account (such as the status user account).
• Only one Device Administrator user account can hold read-write access at a time.
• The last user to log in with a Device Administrator user account is the only user that can make changes; this includes logins from Policy Manager and WSM.

Log in to the Web UI
The user account name appears at the top of the screen. The navigation menu is at the left side.

Web UI Dashboards
The Dashboard pages appear at the top of the Web UI navigation menu:
• Front Panel — Summary of current system status and activity
• Subscription Services — Summary of activity for all subscription services
• FireWatch — Treemap visualization of current traffic through the Firebox or XTM device
• Interfaces — Status of network interfaces
• Traffic Monitor — Log messages from the Firebox or XTM device
• Gateway Wireless Controller — Shows WatchGuard AP device activity and clients

FireWatch
FireWatch provides a treemap view to help you visualize your network traffic:
• Blocks in each tab are proportionately sized to represent the data in that tab
• Place your cursor over an item in the treemap to see more details about it
• Select the data type from the drop-down list at the top-right of the page: Rate, Bytes, Connections, or Duration

FireWatch
You can use FireWatch to see:
• Who uses the most bandwidth on your network
• Which is the most popular site that users visit
• Which sites use the most bandwidth
• Which applications use the most bandwidth
• Which sites a particular user has visited
• Which applications are most used by a particular user

Conclusion
This presentation provides an overview of basic Fireware XTM features. For more information, see these training, documentation, and support resources available in the Support section of the WatchGuard web site:
• WatchGuard System Manager Help
• Fireware XTM Web UI Help
• WatchGuard Dimension Help
• WatchGuard Knowledge Base
• Fireware XTM Training courseware

Thank You!