WatchGuard Training ©2014 WatchGuard Technologies, Inc. Firewall Basics with Fireware XTM 11.9

Upload: ivan-milla
Post on 18-Jan-2016

Page 1: Firewall Basics with Fireware XTM 11.9

Page 2: Course Introduction: Firewall Basics with Fireware XTM

Page 3: Training Objectives

• Use the basic management and monitoring components of WatchGuard System Manager (WSM)
• Configure a Firebox or XTM device, or an XTMv device that runs Fireware XTM OS v11.9 or later, for your network
• Create basic security policies for your Firebox or XTM device to enforce
• Use security services to expand XTM device functionality

Page 4: Requirements

Necessary equipment and software:
• Management computer
• WatchGuard System Manager and Fireware XTM OS
• Firewall configuration file
• Firebox, XTM, or XTMv devices running Fireware XTM OS v11.9 or later (optional)

Prerequisites:
• Basic knowledge of TCP/IP network functions and structure

It is helpful, but not necessary, to have:
• WatchGuard System Manager installed on your management computer
• Access to a Firebox or XTM device
• A printed copy of the instructor's notes of this presentation, or a copy of the Fireware XTM Basics Student Guide

Page 5: Outline

• Product Overview
• Getting Started
• Work with Device Configuration Files
• Configure Device Interfaces
• Configure Logging
• Generate Reports of Network Activity
• Use FSM to Monitor XTM Device Activity
• Use NAT (Network Address Translation)
• Define Basic Network Security Policies
• Work with Proxy Policies
• Work with SMTP and POP3 Proxies
• Verify Users' Identities

Page 6: Outline

• Block Unwanted Email with spamBlocker
• Manage Web Traffic
• Defend Your Network From Intruders
• Use Gateway AntiVirus
• Use Data Loss Prevention
• Use Intrusion Prevention Service
• Use Application Control
• Use APT Blocker
• Use Reputation Enabled Defense
• Explore Fireware XTM Web UI and FireWatch

Page 7: Training Scenario

• Fictional organization named the Successful Company
• Training partners may use different examples for exercises
• Try the exercises to implement your security policy

Page 8: Product Overview

Page 9: Fireware OS v11.9

Fireware XTM is the robust operating system that forms the backbone of WatchGuard integrated UTM security solutions.
• Advanced networking features
• Zero Day protection
• UTM Security Subscriptions

Available security subscriptions include:
• Application Control
• Intrusion Prevention Service
• WebBlocker
• Gateway AntiVirus
• spamBlocker
• Reputation Enabled Defense
• Data Loss Prevention (DLP)
• APT Blocker

Page 10: Firebox and XTM Hardware Models

Models shown: Firebox T10, XTM 2 Series, XTM 3 Series, XTM 5 Series, XTM 8 Series, XTM 800 Series, XTM 1050, XTM 1500 Series, XTM 2050, XTM 2520.

Target environments: small businesses, branch offices, and wireless hotspots; midsize to large businesses; enterprise headquarters and datacenters; virtual network environments (small, medium, large, and datacenter editions).

Page 11: Management Software

Three ways to manage your device:
• WatchGuard System Manager
• Fireware XTM Web UI
• Command Line

This training focuses primarily on WatchGuard System Manager.

Page 12: Getting Started: Set Up Your Management Computer and Firebox or XTM Device

Page 13: Learning Objectives

• Use the Quick Setup Wizard to make a configuration file
• Start WatchGuard System Manager
• Connect to Firebox or XTM devices and WatchGuard servers
• Launch other WSM applications

Page 14: Management Computer

• Select a computer with Windows 8, Windows 7, Windows XP SP2, Windows Server 2003, 2008, or 2012, or Windows Vista
• Install WatchGuard System Manager (WSM) to configure, manage, and monitor your devices
• Install Fireware XTM OS, then use WSM to install updates and make configuration changes on the device

Page 15: Server Software

When you install WSM, you have the option to install any or all of these WSM servers:
• Management Server
• Log Server
• Report Server
• WebBlocker Server
• Quarantine Server

Servers can be installed on separate computers.
• Each server must use a supported version of Windows.
• There are access requirements between the management computer, the Firebox or XTM device, and some servers.

Page 16: Activate Your XTM Device

• You must have or create a WatchGuard account
• You must activate the Firebox or XTM device before you can fully configure it
• Have your device serial number ready

Page 17: Setup Wizards

There are two setup wizards you can use to create an initial functional configuration file for your Firebox or XTM device.
• Web Setup Wizard: to start the Web Setup Wizard, in a web browser, type https://10.0.1.1:8080
• Quick Setup Wizard: to start the Quick Setup Wizard, in WatchGuard System Manager, select Tools > Quick Setup Wizard.
• To use either setup wizard, you must connect the management computer to the trusted interface (eth1) of the Firebox or XTM device.
• The Web Setup Wizard can activate your Firebox or XTM device and download the feature key from the WatchGuard web site, if you connect the external interface (eth0) to a network with Internet access.

Page 18: Quick Setup Wizard

• Installs Fireware XTM OS on the Firebox or XTM device
• Creates and uploads a basic configuration file
• Assigns passphrases to the default Device Management user accounts to control access to the Firebox or XTM device

Page 19: Prepare to Use the Quick Setup Wizard

Before you start, you must have:
• WSM and Fireware XTM OS installed on the management computer
• Network information

It is a good idea to have the feature key for your device before you start the wizard. You can copy it from the LiveSecurity web site during registration.

Page 20: Launch the Quick Setup Wizard

For the Quick Setup Wizard to operate correctly, you must:
• Prepare the device to be discovered by the Quick Setup Wizard (QSW). The QSW shows you how to prepare each device.
• Assign a static IP address to your management computer from the same subnet that you plan to assign to the Trusted interface of the Firebox or XTM device. Alternatively, you can get a DHCP address from the device when it is in Safe Mode.
• Connect the Ethernet interface of your computer to interface #1 of the device.
• Launch WatchGuard System Manager (WSM) and launch the Quick Setup Wizard from the WSM Tools menu.

Page 21: Quick Setup Wizard — Select Your Device

Choose which model of Firebox or XTM device to configure.

Page 22: Quick Setup Wizard — Verify the Device Details

Verify that the model and serial number are correct.

Page 23: Quick Setup Wizard — Name Your XTM Device

The name you assign to the device in the wizard is used to:
• Identify the device in WSM
• Identify the device in log files
• Identify the device in Log Manager and Report Manager

Page 24: Quick Setup Wizard — Device Feedback

The Quick Setup Wizard enables the device to send feedback to WatchGuard by default.
• If this option is enabled, the device sends feedback to WatchGuard once a day and when the device reboots.
• The information includes information about how your device is used and any issues you encounter with your device, but does not include information about your company, or company data.
• All device feedback sent to WatchGuard is encrypted.

To disable device feedback:
• Clear the Send device feedback to WatchGuard check box.
• You can also change this setting in the Global Settings.

Page 25: Quick Setup Wizard — Configure the External Interface

The IP address you give to the external interface can be:
• A static IP address
• An IP address assigned with DHCP
• An IP address assigned with PPPoE

You must also add an IP address for the device default gateway. This is the IP address of your gateway router.

Page 26: Quick Setup Wizard — Configure Interfaces

Configure the Trusted and Optional interfaces. Select one of these configuration options:
• Mixed Routing Mode (Use these IP addresses): each interface is configured with an IP address on a different subnet.
• Drop-in Mode (Use the same IP address as the external interface): all XTM device interfaces have the same IP address. Use drop-in mode when devices from the same publicly addressed network are located on more than one device interface.

Page 27: Understand Routed Configurations

In mixed routing mode (routed configuration):
• Configure each interface with an IP address on a different subnet.
• Assign secondary networks on any interface.

Page 28: Understand Drop-in Configurations

In drop-in mode:
• Assign the same primary IP address to all interfaces on your device.
• Assign secondary networks on any interface.
• You can keep the same IP addresses and default gateways for devices on your trusted and optional networks, and add a secondary network address to the Firebox or XTM device interface so the device can correctly send traffic to those devices.

Page 29: Quick Setup Wizard — Add a Feature Key

When you purchase additional options for your device, you must get a new feature key to activate the new options. You can add the feature key in the Quick Setup Wizard or later in Policy Manager.

Page 30: Quick Setup Wizard — Set Passphrases

Specify the passphrases for the two default user accounts to use for connections to the device:
• Status passphrase: for read-only connections with the default status user account
• Configuration passphrase: for read-write connections with the default admin user account
• Both passphrases must be unique and include 8–32 characters

Page 31: Quick Setup Wizard — Final Steps

Save a basic configuration to the device. You are now ready to put your device in place on your network. Remember to reset your management computer IP address.

Page 32: WatchGuard System Manager

• Start WSM
• Connect to a Firebox or XTM device or the Management Server
• Display device status

Page 33: Components of WSM

WSM includes a set of management and monitoring tools:
• Policy Manager
• Firebox System Manager
• HostWatch
• Log Manager (WebCenter)
• Report Manager (WebCenter)
• CA Manager
• Quarantine Server Client

To launch a tool, select it from the WSM Tools menu or click the tool icon.

Page 34: Administration: Work with Device Configuration Files

Page 35: Learning Objectives

• Start Policy Manager
• Open and save configuration files
• Configure the device for remote administration
• Add Device Management user accounts
• Change user account passphrases
• Back up and restore the device configuration
• Add device identification information

Page 36: What is Policy Manager?

• A configuration tool that you can use to modify the settings of your Firebox or XTM device
• Changes made in Policy Manager do not take effect until you save them to the device
• Launch Policy Manager from WSM: select a connected or managed device, then click the Policy Manager icon on the toolbar

Page 37: Navigate Policy Manager

From the View menu, select how policies are displayed: Details View or Large Icons View.

Page 38: Navigate Policy Manager

Use the menu bar to configure many device features.

Page 39: Navigate Policy Manager

The security policies that control traffic through the device are listed in Policy Manager. To edit a security policy, double-click the policy name.

Page 40: OS Compatibility Version

Policy Manager can manage devices that use different versions of Fireware XTM OS. Each device configuration has an OS Compatibility setting that controls which options are available for some features.
• If you use Policy Manager to open the configuration from a device, the Fireware XTM version is automatically set based on the OS version the device uses.
• For a new configuration file, you must select the Fireware XTM version before you can configure some features, such as network settings and Traffic Management.

To see or set the OS Compatibility version, in Policy Manager select Setup > OS Compatibility.

To configure all of the features described in this training, you must select 11.9 or higher.

Page 41: Open and Save Configuration Files

• Open a file from your local drive or from a Firebox or XTM device
• Save configuration files to your local drive or to the Firebox or XTM device
• Create new configuration files in Policy Manager: new configuration files include a basic set of policies, and you can add more policies.

Page 42: Configure Your Device for Remote Administration

• Connect from home to monitor device status
• Change policies remotely to respond to new threats
• Make the policy as restrictive as possible for security
• Edit the WatchGuard policy to enable access from an external IP address
• You can also use Fireware XTM Web UI to configure a device (over TCP port 8080)

Page 43: Add Device Management User Accounts

• Use role-based administration on your Firebox or XTM device to share the configuration and monitoring responsibilities among several individuals in your organization
• Run audit reports to monitor which administrators make which changes to your device configuration

Default user accounts:

Default User Account   Default Role                                    Default Passphrase
admin                  Device Administrator (read-write permissions)   readwrite
status                 Device Monitor (read-only permissions)          readonly
wgsupport              Disabled

Page 44: Add Device Management User Accounts

• Use the default user accounts for initial Device Administrator and Device Monitor connections to the device
• Enable the wgsupport user account only as directed by WatchGuard Technical Support
• Use these authentication servers for Device Management user accounts on your device: Firebox-DB (default user account authentication server), Active Directory, LDAP, RADIUS

Page 45: Add Device Management User Accounts

Add, edit, and remove Device Management user accounts in Policy Manager or Fireware XTM Web UI.
1. In Policy Manager, select File > Manage Users and Roles.

Page 46: Add Device Management User Accounts

2. Specify the user account credentials for a user account with Device Administrator privileges. (The default user account credentials are admin/readwrite.)

Page 47: Add Device Management User Accounts

3. Add, edit, or remove new Device Management user accounts. You cannot delete the default user accounts (admin, status, wgsupport).

Page 48: Change User Account Passphrases

• Passphrases must use 8–32 characters
• Change frequently
• Restrict use of the default user accounts
• Use individual user accounts for all users

Page 49: Back Up the Device Images

• Create and restore an encrypted backup image
• Backup includes feature key and certificate information
• Encryption key is required to restore an image

Page 50: Add Device Identification Information

• Firebox or XTM device name and model
• Contact information
• Time zone for log files and reports

Page 51: Upgrade Your Device

1. Back up your existing device image.
2. Download and install the new version of Fireware XTM OS on your management computer.
3. From Policy Manager, select File > Upgrade.

Page 52: Upgrade Your Device

4. Browse to the location of the OS upgrade file: C:\Program Files\Common Files\WatchGuard\Resources\Fireware XTM
5. Select the correct .sysa-dl file for your device:
• XTM 2500 Series: xtm800_1500_2500.sysa-dl
• XTM 2050: xtm2050_bc.sysa-dl
• XTM 1500 Series: xtm800_1500_2500.sysa-dl
• XTM 1050: xtm1050_bb.sysa-dl
• XTM 800 Series: xtm800_1500_2500.sysa-dl
• XTM 8 Series: xtm8_b5.sysa-d
• XTM 5 Series: xtm5_b0.sysa-dl
• XTM 330: xtm330_bd.sysa-dl
• XTM 33: xtm3_aa.sysa-dl
• XTM 25, 26: xtm2_a6.sysa-dl
• XTMv: xtmv_c5.sysa-dl
• Firebox T10: T10.sysa-dl

Page 53: Network Settings: Configure Firebox or XTM Device Interfaces

Page 54: Learning Objectives

• Configure external network interfaces with a static IP address, DHCP, and PPPoE
• Configure a trusted and optional network interface
• Use the Firebox or XTM device as a DHCP server
• Add WINS/DNS server locations to the device configuration
• Add Dynamic DNS settings to the device configuration
• Set up a secondary network or address
• Understand Drop-In Mode and Bridge Mode

Page 55: Add a Firewall to Your Network

• Interfaces on separate networks
• Most configurations have at least one external and one trusted interface

Diagram: External 203.0.113.2/24; Trusted Network 10.0.1.1/24; Optional Network 10.0.2.1/24

Page 56: Beyond the Quick Setup Wizard

The Quick Setup Wizard configures the device with External, Trusted, and Optional networks by default:
• eth0 = external
• eth1 = trusted
• eth2 = optional (only if you provide an optional interface IP address in the wizard)

You can change the interface assignments. In Policy Manager, select Network > Configuration.

Page 57: Network Configuration Options

• Modify the properties of an interface: change the interface type (from trusted to optional, etc.), add secondary networks and addresses, enable the DHCP server
• Configure additional interfaces
• Configure WINS/DNS settings for the device
• Add network or host routes
• Configure NAT

Page 58: Interface Independence and Interface Types

You can change the interface type of any interface configured with the Quick Setup Wizard, or any other interface. Some interface types correspond to a network security zone:
• External — External interface, member of the Any-External alias
• Trusted — Internal interface, member of the Any-Trusted alias
• Optional — Internal interface, member of the Any-Optional alias
• Custom — Internal interface, not a member of any alias by default

Other types configure the interface as a member of a virtual interface:
• Bridge
• VLAN
• Link Aggregation

Page 59: Use a Dynamic IP Address for the External Interface

The Firebox or XTM device can use DHCP or PPPoE to get a dynamic IP address.

Page 60: Use Dynamic DNS

If you want to maintain a public association between a domain name and the assigned dynamic IP address, you can register the external IP address of the Firebox or XTM device with the supported dynamic DNS service, DynDNS.

Page 61: Use a Static IP Address for the External Interface

The Firebox or XTM device can use a static IP address given to you by your Internet Service Provider.

Page 62: Enable the Device DHCP Server

• Can be used on a trusted, optional, or custom interface
• Type the first and last IP addresses of the range for DHCP
• Configure up to 6 IP address ranges
• Reserve some IP addresses for specified MAC addresses

Page 63: Configure Trusted and Optional Interfaces

1. Start with a trusted network.
2. Add an optional network for public servers.
3. As your business grows, add more trusted and optional networks.

Diagram: Trusted-Main 10.0.1.1/24 (Trusted); Public Servers 10.0.2.1/24 (Optional); Finance 10.0.3.1/24 (Trusted); Sales Force 10.0.4.1/24 (Optional); Conference 10.0.5.1/24 (Optional)

Page 64: Add WINS/DNS Servers

• All devices on the trusted, optional, and custom networks can use this server
• Use an internal server or an external server
• Used by the Firebox or XTM device for DHCP, Mobile VPN, NTP time updates, and Subscription Service updates

Page 65: Secondary Networks

• Share one of the same physical networks as one of the device interfaces.
• Add an IP alias to the interface, which is the default gateway for computers on the secondary network.

Diagram: Trusted-Main 10.0.1.1/24 with secondary network 172.16.100.0/24 (interface alias 172.16.100.1)

Page 66: Network or Host Routes

Create static routes to send traffic from a device interface to a router. The router can then send the traffic to the correct destination from the specified route.

If you do not specify a route to a remote network or host, all traffic to that network or host is sent to the device default gateway.

Page 67: Routes Table

The routes for your Firebox or XTM device appear in the Routes section of the Status Report in Firebox System Manager. The default route is the gateway IP address configured for the external interface. It is used when a more specific route to a destination is not defined.
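As an added worked example (not WatchGuard code), the lookup that the secondary-network, static-route and routes-table slides describe, in Python, on the sample topology from pages 55 and 65: connected subnets, the secondary alias, a static route and the external default gateway are one table, and the most specific match wins. The ISP gateway 203.0.113.1, the internal router 10.0.1.254 and the remote network 192.168.50.0/24 are constructed values.

```python
"""Longest-prefix route lookup for the mixed-routing topology on these slides
(added example, not WatchGuard code).  Connected interface subnets, a
secondary network (IP alias), static network routes and the external default
gateway are kept in one table; a destination picks the most specific route,
and the default route is used only when nothing else matches (page 67)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str                  # egress interface, e.g. "eth1"
    gateway: Optional[str] = None   # None = directly connected (on-link)
    kind: str = "connected"         # connected | secondary | static | default


@dataclass
class Firebox:
    """Routing table of one device in mixed routing mode (page 27)."""
    routes: List[Route] = field(default_factory=list)

    def lookup(self, dst: str) -> Optional[Route]:
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r.prefix]
        # Longest prefix wins; the 0.0.0.0/0 default route has length 0.
        return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None

    def describe(self, dst: str) -> Optional[Tuple[str, Optional[str], str]]:
        r = self.lookup(dst)
        return (r.interface, r.gateway, r.kind) if r else None

    def _connected_egress(self, gateway: str) -> str:
        # A gateway must be on-link: reachable via a connected or secondary
        # subnet, not via another static route or the default route.
        r = self.lookup(gateway)
        if r is None or r.kind not in ("connected", "secondary"):
            raise ValueError(f"gateway {gateway} is not on a directly connected network")
        return r.interface

    def add_interface(self, name: str, cidr: str) -> None:
        # Mixed routing mode: every interface gets its own subnet, so a new
        # primary subnet must not overlap an existing one (page 27).
        net = ipaddress.ip_interface(cidr).network
        for r in self.routes:
            if r.kind == "connected" and net.overlaps(r.prefix):
                raise ValueError(f"{cidr} on {name} overlaps {r.prefix} on {r.interface}")
        self.routes.append(Route(net, name))

    def add_secondary(self, name: str, cidr: str) -> None:
        # Secondary network: an IP alias on an interface that is the default
        # gateway for hosts on that extra subnet (page 65).
        net = ipaddress.ip_interface(cidr).network
        self.routes.append(Route(net, name, None, "secondary"))

    def add_static_route(self, cidr: str, gateway: str) -> None:
        # Network or host route via an internal router (page 66).
        egress = self._connected_egress(gateway)
        self.routes.append(Route(ipaddress.ip_network(cidr), egress, gateway, "static"))

    def set_default_gateway(self, gateway: str) -> None:
        # Default route = the gateway configured for the external interface.
        egress = self._connected_egress(gateway)
        self.routes.append(Route(ipaddress.ip_network("0.0.0.0/0"), egress, gateway, "default"))


def build_sample() -> Firebox:
    """Topology from pages 55 and 65 plus constructed router addresses."""
    fb = Firebox()
    fb.add_interface("eth0", "203.0.113.2/24")   # External (page 55)
    fb.add_interface("eth1", "10.0.1.1/24")      # Trusted-Main
    fb.add_interface("eth2", "10.0.2.1/24")      # Optional / Public Servers
    fb.add_secondary("eth1", "172.16.100.1/24")  # secondary network (page 65)
    fb.set_default_gateway("203.0.113.1")        # constructed ISP gateway
    fb.add_static_route("192.168.50.0/24", "10.0.1.254")  # constructed internal router
    return fb


if __name__ == "__main__":
    fb = build_sample()
    for dst in ("10.0.1.50", "172.16.100.7", "192.168.50.9", "8.8.8.8"):
        print(dst, "->", fb.describe(dst))
```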

Page 68: Drop-In Mode and Bridge Mode

Use Drop-In Mode if you want to have the same logical network (subnet) spread across all device interfaces.
• Computers in this subnet can be on any device interface
• You can add a secondary address to any device interface to use an additional network on the interface

Use Bridge Mode when you want the device to be invisible.
• You assign one IP address to the device for management connections
• Bridge Mode turns the device into a transparent Layer 2 bridge

To set the interface configuration mode, select Network > Configuration.

Page 69: Logging: Set Up Logging and Notification

Page 70: Learning Objectives

• Set up a WSM Log Server
• Configure the device to send messages to a WSM or Dimension Log Server
• Configure logging and notification preferences
• Set the Diagnostic Log Level
• View log messages

Page 71: Introduction to the WSM Log Server

Page 72: Introduction to the Dimension Log Server

Page 73: Log Message Types

• Traffic — Allowed and denied packets
• Alarm — An event you configure as important that requires a log message or alert
• Event — A device restart, or a VPN tunnel creation or failure
• Debug — Additional messages with diagnostic information to help you troubleshoot network or configuration problems
• Statistic — Information about the performance of the Firebox or XTM device

Page 74: Configure Logging

For log messages to be correctly stored, you must:
• Install the WSM Log Server software or deploy a Dimension VM
• Configure the WSM or Dimension Log Server settings
• Configure the Firebox or XTM device to send log messages to the WSM or Dimension Log Server

Page 75: Install the WSM Log Server

• In the WSM installer, select to install the Log Server component
• The Log Server does not have to be installed on the same computer that you use as your management computer
• The Log Server should be on a computer with a static IP address

Page 76: Configure the WSM Log Server Settings

• Right-click the WatchGuard Server Center icon in your Windows system tray to open WatchGuard Server Center. The Server Center Setup Wizard starts.
• Set the administrator passphrase.
• Set the log encryption key.

Page 77: Configure the WSM Log Server Settings

• Open WatchGuard Server Center to configure Log Server properties.
• Type the administrator passphrase.
• From the Servers tree, select Log Server to configure Log Server settings.

Page 78: Configure the WSM Log Server Settings

• Server Settings — Database size and encryption key settings.
• Database Maintenance — Specify database backup file settings, and select to use the Built-in database or an External PostgreSQL database.
• Notification — Configure settings for event notification and the SMTP Server.
• Logging — Firebox Status (which devices are currently connected to the Log Server) and where to send log messages.

Page 79: Deploy the Dimension VM & Set Up Dimension

In a VMware or Hyper-V environment, deploy the Dimension VM.
• VMware ESXi 5.x — Dimension OVA installation file. Use only the vSphere client to provision and install the OVA file.
• Hyper-V — Dimension VHD installation file. Use Hyper-V Manager on Microsoft Server, or another Hyper-V environment, to deploy the VHD file.

Dimension must be deployed on a 64-bit platform.

Use the public IP address to connect to Dimension and run the Dimension Setup Wizard, and specify these settings:
• Host name for Dimension
• IPv4 settings for the Eth0 interface
• Log Encryption Key
• Administrator passphrase

To send log messages to Dimension, specify the public IP address and the Log Encryption Key for Dimension in the device's logging settings.

Page 80: Configure the Device to Send Log Messages

• Use Policy Manager
• Set the same log encryption key that is used for the WSM or Dimension Log Server
• Backup Log Servers can be used when the primary fails
• Specify the port to connect to a syslog server

Page 81: Default Logging Policy

• When you create a policy that allows traffic, logging is not enabled by default
• When you create a policy that denies traffic, logging is enabled by default
• If denied traffic does not match a specific policy, it is logged by default
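An added example (not WatchGuard code) that applies the defaults on this slide and the remote-administration advice from page 42 to a policy list: it flags Allow policies left at the logging-off default, Deny policies whose default logging was switched off, and a management policy open to Any-External. The Any-* aliases are from page 58; the "Firebox" alias, the policy names and the addresses in the sample are constructed assumptions.

```python
"""Audit a list of Fireware policies for logging coverage and management
exposure (added example, not WatchGuard code).  Allow policies do not log
by default and Deny policies do (page 81), so the usual detection gap is an
Allow policy nobody switched on; the WatchGuard policy opened to an external
address should be as restrictive as possible (page 42)."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Zone aliases from page 58; "Any" is a catch-all assumed for this example.
EXTERNAL_ALIASES = {"Any-External", "Any"}
WEB_UI_PORT = "tcp/8080"      # Fireware XTM Web UI port (page 42)
DEVICE_ALIAS = "Firebox"      # alias for the device itself (assumption)

Finding = Tuple[str, str, str]   # (severity, policy name, message)


@dataclass
class Policy:
    name: str
    action: str                   # "Allow" or "Deny"
    from_aliases: List[str]
    to_aliases: List[str]
    ports: List[str] = field(default_factory=list)   # "proto/port" strings
    logging: bool = False         # Fireware default for a new Allow policy


def is_management_policy(p: Policy) -> bool:
    """Traffic that terminates on the device over the WatchGuard policy
    or the Web UI port is management traffic."""
    return DEVICE_ALIAS in p.to_aliases and (p.name == "WatchGuard" or WEB_UI_PORT in p.ports)


def audit(policies: List[Policy], log_unhandled_denied: bool = True) -> List[Finding]:
    findings: List[Finding] = []
    for p in policies:
        if p.action == "Allow" and not p.logging:
            findings.append(("medium", p.name,
                             "allow policy without logging: allowed traffic never reaches the Log Server or reports"))
        if p.action == "Deny" and not p.logging:
            findings.append(("low", p.name,
                             "deny policy has logging disabled; Fireware enables it by default"))
        if p.action == "Allow" and is_management_policy(p):
            exposed = sorted(a for a in p.from_aliases if a in EXTERNAL_ALIASES)
            if exposed:
                findings.append(("high", p.name,
                                 "management access allowed from " + ", ".join(exposed)
                                 + "; restrict From to specific external IP addresses"))
    if not log_unhandled_denied:
        # Page 81: denied traffic that matches no policy is logged by default.
        findings.append(("medium", "<unhandled packets>",
                         "logging of denied traffic that matches no policy is turned off"))
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (rank[f[0]], f[1]))


# Constructed sample configuration (policy names and addresses are assumptions).
SAMPLE_POLICIES = [
    Policy("Outgoing", "Allow", ["Any-Trusted", "Any-Optional"], ["Any-External"], ["tcp/any", "udp/any"]),
    Policy("HTTP-proxy", "Allow", ["Any-Trusted"], ["Any-External"], ["tcp/80"], logging=True),
    Policy("WatchGuard", "Allow", ["Any-Trusted", "Any-External"], [DEVICE_ALIAS], logging=True),
    Policy("WatchGuard Web UI", "Allow", ["203.0.113.50"], [DEVICE_ALIAS], [WEB_UI_PORT], logging=True),
    Policy("Block-Conference", "Deny", ["Any-Optional"], ["Any-Trusted"], logging=False),
]

if __name__ == "__main__":
    for severity, name, message in audit(SAMPLE_POLICIES):
        print(f"[{severity}] {name}: {message}")
```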

Page 82: Set the Diagnostic Log Level

You can also configure the device to send detailed diagnostic log messages to help you troubleshoot a specific problem. From Policy Manager, select Setup > Logging, and click Diagnostic Log Level.

Page 83: View Log Messages

You can see log messages with these WSM tools:
• Traffic Monitor — Real-time monitoring in FSM from any computer with WSM

Page 84: View Log Messages

• WebCenter Log Manager — From WatchGuard WebCenter, you can use Log Manager to see any log messages stored on the Log Server. Use the search feature to locate specific information in your log files.

Page 85: View Log Messages

You can also see log messages in Dimension:
• Use Log Manager to see any log messages stored on the Dimension Log Server for a specific device or group of devices.
• Use the search feature to locate specific information in your log files.

Page 86: Reports: View Reports of Network Activity

Page 87: Learning Objectives

• Set up and configure a WSM Report Server
• Generate and save reports at regular intervals
• Generate and view reports
• Change report settings
• Save, print, and share reports
• View reports in Dimension

Page 88: WSM Reporting Architecture

Page 89: Configure the WSM Report Server

• Install on a Microsoft Windows computer
• Can be the same computer as the Log Server
• Configure the Report Server from WatchGuard Server Center
• Select to use the Built-in database or an External PostgreSQL database
• Add one or more Log Server IP addresses
• Set report interval, report type, and notification preferences

Page 90: View Reports with Report Manager

• Report Manager is available in WatchGuard WebCenter, which is installed with the Report Server
• Add users in WatchGuard Server Center to enable them to use Report Manager

Page 91: View Reports with Report Manager

• Connect to WatchGuard WebCenter over port 4130, and select Report Manager to view and generate reports
• View Available Reports (scheduled reports)
• Create On-Demand Reports and Per Client Reports
• Launch Report Manager from WSM
• Save reports in PDF format

Page 92: View Reports in Dimension

When you send log messages to Dimension, the reports for the log messages sent to Dimension are automatically generated.
1. Connect to Dimension in a web browser at the IP address you specified for Dimension.
2. Log in with the administrator credentials you specified in the Setup Wizard.

Page 93: View Reports in Dimension

3. From the Home page:
• Select the Devices tab and select a device, OR
• Select the Groups tab and select a group of devices.

Page 94: View Reports in Dimension

4. To view the available reports, select the Reports tab for the device or group.
5. To export a report as a PDF file, click the PDF export icon.
6. To export a report as a CSV file, click the CSV export icon. The available export option depends on the type of report.

Page 95: Xtm Firewall Basics v11 9.Pdfx

WatchGuard Training

Monitor Your Firewall:Monitor Activity Through the Device with WSM Tools

95

Learning Objectives
• Interpret the information in the WSM display
• Use Firebox System Manager to monitor device status
• Change Traffic Monitor settings
• Use Performance Console to visualize device performance
• Use HostWatch to view network activity and block a site
• Add and remove sites from the Blocked Sites list

WatchGuard System Manager Display

Firebox System Manager
• Front Panel
• Traffic Monitor
• Bandwidth Meter
• Service Watch
• Status Report
• Authentication List
• Blocked Sites
• Subscription Services
• Gateway Wireless Controller

Traffic Monitor
• View log messages as they occur
• Set custom colors and fields
• Start traceroute or Ping to source and destination IP addresses
• Copy information to another application

Performance Console
• Monitor and graph XTM device activity
• Launch from Firebox System Manager
• System Information — Firebox statistics, such as the number of total active connections and CPU usage
• Interfaces — Total number of packets sent and received through the Firebox or XTM device interfaces
• Policies — Total connections, current connections, and discarded packets
• VPN Peers — Inbound and outbound SAs and packets
• Tunnels — Inbound and outbound packets, authentication errors, and replay errors

Use HostWatch to View Connections
• Graphical display of live connections
• One-click access to more details on any connection
• Temporarily block sites

Use the Blocked Sites List
• View sites added temporarily by the device as it blocks the source of denied packets
• Change expiration settings for temporarily blocked sites

Examine and Update Feature Keys
• View the feature keys currently on your Firebox or XTM device
• Add a new feature key to your Firebox or XTM device

NAT: Use Network Address Translation

Learning Objectives
• Understand network address translation types
• Add dynamic NAT entries
• Use static NAT for public servers

What is Network Address Translation?
• Network Address Translation (NAT) is a term used to describe any of several forms of IP address and port translation.
• At its most basic level, NAT changes the IP address of a packet from one value to a different value.
• The primary purposes of NAT are:
  • to increase the number of computers that can operate off a single publicly routable IP address
  • to hide the private IP addresses of hosts on your LAN
• Fireware XTM supports three types of NAT:
  • Dynamic NAT — applies to outbound traffic
  • Static NAT — applies to inbound traffic
  • 1-to-1 NAT — applies to traffic in both directions

Dynamic NAT
• Changes the source IP addresses for outbound traffic to a single IP address
• Protects the map of your network
(Diagram: Your Network, with devices and users that have private IP addresses, NAT enabled; the Internet sees only one public address, the external interface IP address)

Add Firewall Dynamic NAT Entries
• Most frequently used form of NAT
• Changes the outgoing source IP address to the external IP address of the Firebox or XTM device
• Enabled by default for standard private network IP addresses, such as 192.168.0.0/16

Static NAT for Public Servers
Changes the inbound destination IP address based on the port number.
(Diagram: Your Network behind external IP address 203.0.113.2)
• Web traffic — One external IP to a private static IP (port 80 TCP, web server 10.0.2.80)
• FTP traffic — Same external IP to a second private static IP (port 21 TCP, FTP server 10.0.2.21)
• SMTP traffic — Same external IP to a third private static IP (port 25 TCP, email server 10.0.2.25)

1-to-1 NAT for Public Servers
Translates one range of IP addresses to a different range of addresses for incoming and outgoing traffic.
(Diagram: Your Network)
• NetMeeting traffic — Dedicated IP address on the external interface (203.0.113.11 to NetMeeting host 10.0.2.11; ports 1720, 389, dynamic)
• IKE traffic — Second dedicated public IP address (203.0.113.12 to IKE host 10.0.2.12, without NAT-T)
• Intel Phone (H.323) — Another external IP address (203.0.113.13 to Intel-Video-Phone 10.0.2.13; ports 1720, 522)
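The three NAT types above, as an added worked example that is not part of the WatchGuard course material: a small Python model that applies dynamic, static and 1-to-1 NAT to packet 5-tuples. The public and private addresses are the ones on the slides; the dynamic NAT source ranges, the protocol/port table, the Packet type and the order in which the types are checked are assumptions made for the example.

```python
"""Added example (not WatchGuard code): a model of the three NAT types on
the slides above, applied to packet 5-tuples. The addresses are the ones from
the slides; the dynamic NAT ranges and the port table are constructed."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

EXTERNAL_IP = "203.0.113.2"          # external interface address (Static NAT slide)

# Dynamic NAT: private source ranges hidden behind EXTERNAL_IP on the way out.
# The slide names 192.168.0.0/16 as an example; the other RFC 1918 ranges are added here.
DYNAMIC_NAT_FROM = [ip_network("192.168.0.0/16"), ip_network("172.16.0.0/12"), ip_network("10.0.0.0/8")]

# Static NAT: inbound traffic to EXTERNAL_IP goes to a private host chosen by port (Static NAT slide).
STATIC_NAT = {("tcp", 80): "10.0.2.80", ("tcp", 21): "10.0.2.21", ("tcp", 25): "10.0.2.25"}

# 1-to-1 NAT: each public address is tied to one private address in both directions (1-to-1 NAT slide).
ONE_TO_ONE = {"203.0.113.11": "10.0.2.11", "203.0.113.12": "10.0.2.12", "203.0.113.13": "10.0.2.13"}
ONE_TO_ONE_REVERSE = {priv: pub for pub, priv in ONE_TO_ONE.items()}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def apply_nat(pkt: Packet, direction: str) -> Optional[Packet]:
    """Return the translated packet, or None when inbound traffic has no mapping.
    Reply traffic follows the device's connection table and is not modelled here."""
    if direction == "out":
        if pkt.src in ONE_TO_ONE_REVERSE:              # 1-to-1 NAT is checked before dynamic NAT here
            return replace(pkt, src=ONE_TO_ONE_REVERSE[pkt.src])
        if any(ip_address(pkt.src) in net for net in DYNAMIC_NAT_FROM):
            # Dynamic NAT: the Internet sees only the external interface address.
            # (Real dynamic NAT also rewrites the source port to keep flows distinct.)
            return replace(pkt, src=EXTERNAL_IP)
        return pkt                                     # already public: no translation
    if direction == "in":
        if pkt.dst in ONE_TO_ONE:
            return replace(pkt, dst=ONE_TO_ONE[pkt.dst])
        if pkt.dst == EXTERNAL_IP and (pkt.proto, pkt.dport) in STATIC_NAT:
            return replace(pkt, dst=STATIC_NAT[(pkt.proto, pkt.dport)])
        return None                                    # no inbound mapping for this port: nowhere to deliver
    raise ValueError(f"unknown direction {direction!r}")


if __name__ == "__main__":
    # Constructed sample packets: an outbound browser flow, an inbound web request,
    # an inbound IKE packet for the 1-to-1 host, and an inbound SSH attempt with no mapping.
    for pkt, direction in [
        (Packet("tcp", "192.168.10.5", 40000, "198.51.100.7", 443), "out"),
        (Packet("tcp", "198.51.100.7", 50000, "203.0.113.2", 80), "in"),
        (Packet("udp", "198.51.100.7", 500, "203.0.113.12", 500), "in"),
        (Packet("tcp", "198.51.100.7", 50000, "203.0.113.2", 22), "in"),
    ]:
        print(direction, pkt, "->", apply_nat(pkt, direction))
```

The last sample packet shows the point of static NAT for a defender: inbound traffic to the external address on a port with no SNAT entry has no private host to reach, so the device has nothing to forward it to.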

Configure Policies
• You can customize 1-to-1 NAT and Dynamic NAT settings in each policy
• Select Network > NAT to configure the settings
• The settings you specify apply unless you modify the NAT settings in a policy
• Select the Set Source IP option when you want any traffic that uses this policy to show a specified address from your public or external IP address range as the source IP address.

Configure Policies
• To configure a policy to use static NAT, click Add in the To section of the policy, then select Add SNAT.
• To add, edit, or delete SNAT actions, you can also select Setup > Actions > SNAT.
• To add an SNAT member, click Add.

Policies: Convert Network Policy to Device Configuration

Learning Objectives
• Understand the difference between a packet filter policy and a proxy policy
• Add a policy to Policy Manager and configure its access rules
• Create a custom packet filter policy
• Set up logging and notification rules for a policy
• Use advanced policy properties
• Understand the function of the Outgoing policy
• Understand the function of the TCP-UDP proxy
• Understand the function of the WatchGuard policy
• Understand how the Firebox or XTM device determines policy precedence

What is a Policy?
• A rule to limit access through the Firebox or XTM device
• Can be configured to allow traffic or deny traffic
• Can be enabled or disabled
• Applies to specific port(s) and protocols
• Applies to traffic that matches the From and To fields:
  • From — Specific source hosts, subnets, or users/groups
  • To — Specific destination hosts, subnets, or users/groups

Packet Filters, Proxies, and ALGs
Two types of policies:
• Packet Filter — Examines the IP header of each packet, and operates at the network and transport protocol packet layers.
• Proxy & ALG (Application Layer Gateway)
  • Proxy — Examines the IP header and the content of a packet at the application layer. If the content does not match the criteria you set in your proxy policies, you can set the proxy to deny the packet. Some proxy policies allow you to remove the disallowed content.
  • ALG — Completes the same functions as a proxy, but also provides transparent connection management.
Proxy policies and ALGs examine the commands used in the connection to make sure they are in the correct syntax and order, and use deep packet inspection to make sure that connections are secure.

Packet Filters, Proxies, and ALGs
Proxies & ALGs:
• Remove all the network data
• Examine the contents
• Add the network data again
• Send the packet to its destination

What are Packet Filters, Proxies, and ALGs?
• Packet Filter examines: Source, Destination, Port(s)/Protocols
• Proxy & ALG examines: Source, Destination, Port(s)/Protocols, Packet body, Attachments, RFC Compliance, Commands

Add a Policy in Policy Manager
1. Select a policy from a pre-defined list.
2. Decide if the policy allows or denies traffic.
3. Configure the source (From) and destination (To).

Modify Policies
• To edit a policy, double-click the policy
• By default, a new policy:
  • Is enabled and allowed
  • Allows traffic on the port(s) specified by the policy
  • Allows traffic from any trusted network to any external destination

Change Policy Sources and Destinations
You can:
• Select a pre-defined alias, then click Add.
• Click Add User to select an authentication user or group.
• Click Add Other to add a host IP address, network IP address, or host range.

When do I use a custom policy?
A custom policy can be either a packet filter or proxy policy. Use a custom policy if:
• None of the pre-defined policies include the specific combination of ports that you want.
• You need to create a policy that uses a protocol other than TCP or UDP.

Logging and Notification for Policies
When you enable logging in a policy, you can also select whether the Firebox or XTM device sends a notification message or triggers an SNMP trap. Notification options include:
• Send email to a specified address
• A pop-up notification on the Log Server

Set Logging Rules for a Policy
• The Firebox or XTM device generates log messages for many different types of activities
• You enable logging for policies to specify when log messages are generated and sent to the Log Server

What is Precedence?
• Precedence is used to decide which policy controls a connection when more than one policy could control that connection
• In Details view, the higher the policy appears in the list, the greater its precedence
• If two policies could apply to a connection, the policy higher in the list controls that connection

What is Precedence?
Policies can be moved up or down in Manual Order mode to set precedence, or restored to the order assigned by Policy Manager with Auto-Order Mode.

Advanced Policy Properties
• Schedules
• Connection rate limits
• Override NAT settings
• QoS settings
• ICMP error handling
• Override Multi-WAN sticky connection setting

Schedule Policies
Set the times of day when the policy is enabled

Understand the Outgoing policy
• The Outgoing packet filter policy is added in the default configuration
• Allows all outgoing TCP and UDP connections from trusted and optional networks to external networks
• Enables the Firebox or XTM device to “work out of the box” but could have security problems
• If you remove the Outgoing policy, you must add policies to allow outgoing traffic
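Policy precedence and the role of the Outgoing policy, as an added worked example that is not part of the WatchGuard course material: a first-match model in Python in which policies are checked in list order, the first match controls the connection, and a connection no policy matches is denied. The networks behind the Any-Trusted and Any-Optional aliases, the sample hosts and the Deny-Telnet policy are constructed for the example; the Outgoing policy is modelled as the slides describe it.

```python
"""Added example (not WatchGuard code): a first-match model of policy
precedence as the slides describe it. Alias networks, hosts and the
Deny-Telnet policy are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set

# Constructed networks behind the built-in interface aliases.
LOCAL_ALIASES = {
    "Any-Trusted": [ip_network("10.0.1.0/24")],
    "Any-Optional": [ip_network("10.0.2.0/24")],
}


def in_alias(ip: str, alias: str) -> bool:
    addr = ip_address(ip)
    if alias == "Any-External":
        # Anything not behind a local alias counts as external (simplification).
        return not any(in_alias(ip, a) for a in LOCAL_ALIASES)
    return any(addr in net for net in LOCAL_ALIASES[alias])


@dataclass
class Policy:
    name: str
    action: str                 # "allow" or "deny"
    protos: Set[str]            # e.g. {"tcp", "udp"}
    ports: Optional[Set[int]]   # None = any port, as for the Outgoing policy
    src: List[str]              # From: alias names
    dst: List[str]              # To: alias names
    enabled: bool = True

    def matches(self, proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (self.enabled
                and proto in self.protos
                and (self.ports is None or dport in self.ports)
                and any(in_alias(src_ip, a) for a in self.src)
                and any(in_alias(dst_ip, a) for a in self.dst))


def decide(policies: List[Policy], proto: str, src_ip: str, dst_ip: str, dport: int):
    """Return (policy name, action) of the first matching policy, or (None, 'deny')."""
    for policy in policies:          # list order is precedence: higher in the list wins
        if policy.matches(proto, src_ip, dst_ip, dport):
            return policy.name, policy.action
    return None, "deny"              # no policy claims the connection: denied


# Constructed policy list: a narrow deny placed above the broad Outgoing policy.
DENY_TELNET = Policy("Deny-Telnet", "deny", {"tcp"}, {23}, ["Any-Trusted"], ["Any-External"])
OUTGOING = Policy("Outgoing", "allow", {"tcp", "udp"}, None,
                  ["Any-Trusted", "Any-Optional"], ["Any-External"])
DEFAULT_CONFIG = [DENY_TELNET, OUTGOING]

if __name__ == "__main__":
    print(decide(DEFAULT_CONFIG, "tcp", "10.0.1.20", "198.51.100.7", 443))   # Outgoing allows
    print(decide(DEFAULT_CONFIG, "tcp", "10.0.1.20", "198.51.100.7", 23))    # Deny-Telnet wins
    print(decide([OUTGOING, DENY_TELNET], "tcp", "10.0.1.20", "198.51.100.7", 23))  # order flipped
    print(decide([DENY_TELNET], "tcp", "10.0.1.20", "198.51.100.7", 443))    # Outgoing removed
```

The third call shows why Manual Order matters: with the same two policies but Outgoing above Deny-Telnet, the broad allow claims the Telnet connection before the deny is reached. The fourth call shows the consequence the slide warns about when the Outgoing policy is removed without replacements: outbound traffic matches nothing and is denied.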

Understand the TCP-UDP-Proxy
• Enables TCP and UDP protocols for outgoing traffic
• Applies proxy rules to traffic for the HTTP, HTTPS, SIP, and FTP protocols, regardless of the port numbers
• Blocks selected IM and P2P applications, regardless of port

The WatchGuard Policy
• Controls management connections to the Firebox or XTM device
• By default, this policy allows only local administration of the device; edit the configuration to allow remote administration

Find Policy Tool
• Fireware XTM includes a utility to find policies that match the search criteria you specify
• With the Find Policies tool, you can quickly locate policies that match user or group names, IP addresses, port numbers, and protocols.

Policy Tags and Filters
• Assign policy tags to policies to create policy groups
• Sort the policy list by policy tag to see the policy list by policy group
• Create and save policy filters to specify which policies appear in the policy list

Proxy Policies: Use Proxy Policies and ALGs to Protect Your Network

Learning Objectives
• Understand the purpose and configuration of proxy policies and ALGs
• Configure the DNS-proxy to protect a DNS server
• Configure an FTP-Server proxy action
• Configure an FTP-Client proxy action
• Enable logging for proxy actions

What are Proxies and ALGs?
• Proxy policies and ALGs (Application Layer Gateways) are powerful and highly customizable application inspection engines and content filters.
• A packet filter looks at IP header information only. A proxy or ALG looks at the content of the network data. ALGs also provide transparent connection management.

What is the DNS Proxy?
• Domain Name System
• Validates all DNS traffic
• Blocks badly formed DNS packets
• Fireware XTM includes two methods to control DNS traffic:
  • DNS packet filter — IP headers only
  • DNS-Proxy filter — content

Control Incoming Connections
• Use the DNS-Incoming action as a template
• You own the server
• You decide who gets to connect to the server
(Diagram: DNS Proxy in front of the DNS server on your network)

Configuring DNS-Incoming
• General
• OpCodes
• Query Types
• Query Name
• Proxy Alarm

Control Outgoing Connections
• Use the DNS-Outgoing action as a template
• Operates with Intrusion Prevention Service
• Deny queries for specified domain names
(Diagram: DNS Proxy between your network and the external DNS server)

Use DNS-Outgoing
Use the DNS-Outgoing proxy action to block DNS requests for services, such as queries for:
• POP3 servers
• Advertising networks
• IM applications
• P2P applications
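What the DNS-proxy checks (OpCodes, Query Types, Query Name, and rejection of badly formed packets), as an added worked example that is not WatchGuard's DNS-proxy implementation: a minimal DNS query parser in Python with the validation order a DNS-Outgoing style action applies. The allowed OpCode and query-type sets, the denied domain names, and the sample packets built by build_query are all constructed for the example.

```python
"""Added example (not WatchGuard's DNS-proxy): a minimal DNS query validator
that rejects malformed packets, restricts OpCodes and query types, and denies
queries for configured names. Policy values and sample packets are constructed."""
import struct

ALLOWED_OPCODES = {0}                         # 0 = standard QUERY (RFC 1035)
ALLOWED_QTYPES = {1, 2, 5, 15, 16, 28, 33}    # A, NS, CNAME, MX, TXT, AAAA, SRV (constructed policy)
DENIED_SUFFIXES = ("ads.example.net", "p2p-tracker.example.org")  # constructed deny list


def build_query(name: str, qtype: int = 1, opcode: int = 0, txid: int = 0x1234) -> bytes:
    """Encode a DNS query for `name`; used only to construct sample traffic."""
    flags = 0x0100 | (opcode << 11)            # RD set, OpCode in bits 11-14
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_query(packet: bytes):
    """Return (opcode, qname, qtype); raise ValueError for a badly formed packet."""
    if len(packet) < 12:
        raise ValueError("short header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: not a query")
    opcode = (flags >> 11) & 0xF
    if qdcount != 1:
        raise ValueError(f"unexpected QDCOUNT {qdcount}")
    labels, pos = [], 12
    while True:                                # walk the question name label by label
        if pos >= len(packet):
            raise ValueError("QNAME runs past end of packet")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        if length > 63 or pos + length > len(packet):
            raise ValueError("bad label length")
        labels.append(packet[pos:pos + length].decode("ascii"))   # UnicodeDecodeError is a ValueError
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question section")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    name = ".".join(labels).lower()
    if len(name) > 253:
        raise ValueError("name too long")
    return opcode, name, qtype


def dns_outgoing_decision(packet: bytes) -> str:
    """Apply the checks in proxy order: form, OpCode, query type, query name."""
    try:
        opcode, name, qtype = parse_query(packet)
    except ValueError as exc:
        return f"deny: malformed ({exc})"
    if opcode not in ALLOWED_OPCODES:
        return f"deny: opcode {opcode}"
    if qtype not in ALLOWED_QTYPES:
        return f"deny: qtype {qtype}"
    if any(name == s or name.endswith("." + s) for s in DENIED_SUFFIXES):
        return f"deny: query name {name}"
    return "allow"


if __name__ == "__main__":
    for pkt in (build_query("www.example.com"),
                build_query("tracker.ads.example.net"),
                build_query("example.com", qtype=252),        # AXFR is not in the allowed set
                build_query("example.com")[:20]):              # truncated packet
        print(dns_outgoing_decision(pkt))
```

Note that the malformed-packet checks run before any policy lookup: a packet the parser cannot walk safely never reaches the name comparison, which is the behaviour the "Blocks badly formed DNS packets" bullet describes.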

Fireware XTM Proxy Policies
• DNS
• FTP
• H323 and SIP (Application Layer Gateways)
• HTTP and HTTPS
• SMTP and POP3
• TCP-UDP
  • Applies the proxies to traffic on all TCP ports

What is a Proxy Action?
• A set of rules that tell the Firebox or XTM device how to apply one of the proxies to traffic of a specific type
• You can apply a proxy action to more than one proxy policy

Import & Export Proxy Actions
You can import and export:
• Entire user-created proxy actions (not predefined proxy actions)
• Rulesets
• WebBlocker exceptions
• spamBlocker exceptions

What is FTP?
• File Transfer Protocol
• Often used to move files between two locations
• Client and server architecture
• Fireware XTM includes two methods to control FTP:
  • FTP packet filter — IP headers only
  • FTP-proxy — Content and commands

FTP-Proxy
• Restricts the types of commands and files that can be sent through FTP
• Works with the Gateway AV Service
• Works with the Data Loss Prevention Service
• Works with the APT Blocker Service

FTP-Client Proxy Action Rulesets
• General
• Commands
• Download
• Upload
• AntiVirus
• Data Loss Prevention
• Proxy and AV alarms
• APT Blocker

Control Incoming Connections
• Use the FTP-Server proxy action as a template
• The FTP server must be protected by the Firebox or XTM device
• You decide who can connect to the FTP server
(Diagram: Anybody — FTP Proxy — Your FTP server)

Define FTP-Server Proxy Action Rulesets
• General
• Commands
• Download
• Upload
• AntiVirus
• Data Loss Prevention
• Proxy and AV alarms
• APT Blocker
• Options available in the FTP-Client proxy action are also available in the FTP-Server proxy action
• Smart defaults are used in each ruleset to protect clients (FTP-Client) and servers (FTP-Server)

Logging and Proxies
• Proxy policies contain many more advanced options for logging than packet filter policies
• Each proxy category has its own check box to enable logging
• To generate detailed reports with information on packets handled by proxy policies, you must select the Enable logging for reports check box in each proxy action

Email Proxies: Work with the SMTP and POP3 Proxies

Learning Objectives
• Understand the SMTP and POP3 proxies
• Understand the available actions for email
• Control incoming email
• Control outgoing email

SMTP and POP3 Proxies
• Used to restrict the types and size of files sent and received in email
• Operate with Gateway AV and spamBlocker
• Operate with Data Loss Prevention (SMTP-proxy only)
• Operate with APT Blocker (SMTP-proxy only)

Proxy Actions Available for Email
Default actions available:
• Allow — Email is allowed through your device
• Lock — Email is allowed through your device; the attachment is encoded so only the Firebox or XTM device administrator can open it
• AV Scan — Gateway AntiVirus is used to scan the attachment
• Strip — Email is allowed through your device, but the file attachment(s) are deleted
• Drop — The SMTP connection is closed
• Block — The SMTP connection is closed and the sender is added to the blocked sites list
Also available with Gateway AntiVirus, spamBlocker, APT Blocker, and Data Loss Prevention:
• Quarantine — Email is stored on the Quarantine Server (only with SMTP) and is not sent to the recipient

Control Incoming Email
• Use the SMTP-Incoming and POP3-Server actions as a template
• You decide what email you want to allow
(Diagram: Anybody — SMTP Proxy — Your SMTP server — Your users)

Control Outgoing Email
• Use the SMTP-Outgoing or POP3-Client action as a template
• You know the users
• You decide what they can send
(Diagram: Your users — SMTP Proxy — Their email server — Anybody)

Authentication: Verify a User’s Identity

Learning Objectives
• Understand authentication and how it works with the Firebox or XTM device
• List the types of third-party authentication servers you can use with Fireware XTM
• Use Firebox authentication users and groups
• Add a Firebox authentication group to a policy definition
• Modify authentication timeout values
• Use the Firebox or XTM device to create a custom web server certificate

What is User Authentication?
• Identify each user as they connect to network resources
• Restrict policies by user name

WatchGuard Authentication
• The user browses to the Firebox or XTM device interface IP address on TCP port 4100
• The Firebox or XTM device presents an authentication page
• The XTM device verifies that the credentials entered are correct, and allowed for the type of connection
• The XTM device allows access to resources valid for that authenticated user or group

Supported Authentication Servers
• Firebox
• RADIUS
• VASCO
• SecurID
• LDAP
• Active Directory
  • Single Sign-On options

Use Firebox Authentication
To use the Firebox or XTM device as an authentication server:
• Make groups
• Define users
• Edit policies

Edit Policies for Authentication
• Create users and groups
• Use the user and group names in policy properties
• Define From or To information

Use Third-Party Servers
• Set up a third-party authentication server
• Get configuration information, such as secrets and IP addresses
• Make sure the authentication server can contact the Firebox or XTM device

Set Global Authentication Values
• Session and idle timeout values
• Number of concurrent connections
• Enable Single Sign-On with Active Directory authentication
• Enable redirect to the authentication page if the user is not yet authenticated
  • After users authenticate, they are redirected to the site they originally selected.
• Specify the authentication server that appears at the top of the Domain list in the Authentication Portal
• Configure Terminal Services

Enable Single Sign-On
• Transparent authentication, no need to open a web page
• Available with Windows Active Directory
• Install the SSO Agent on a Windows server with a static IP address
• Install the SSO Client on all workstations (Optional)
• Install the Event Log Monitor on one computer in the domain (Clientless SSO)
• SSO Agent passes user credentials to the XTM device
• Use SSO exceptions for IP addresses that cannot authenticate (computers that are not domain members, or non-Windows PCs)

Enable Terminal Services
• Enables users to authenticate to your Firebox or XTM device over a Terminal Server or Citrix server
• Enables your Firebox or XTM device to report the actual IP address of each user logged in to the device
• Can be used with any configured authentication method (e.g. Firebox authentication, Active Directory, RADIUS, etc.)

Fireware XTM Web Server Certificate
Why does the user get warnings from the browser?
• Name on the certificate does not match the URL
• Fix this problem with a custom certificate that has all of the Firebox or XTM device IP addresses as possible name matches
• User must still import this certificate to trusted root stores

Blocking Spam: Stop Unwanted Email with spamBlocker

Learning Objectives
• Activate and configure spamBlocker
• Specify the actions to take when suspected spam email is detected
• Block or allow email messages from specified sources
• Monitor spamBlocker activity
• Install and configure Quarantine Server

What is spamBlocker?
• Technology licensed from CYREN (formerly Commtouch) to identify spam, bulk, or suspect email
• No local server to install
  • You can install Quarantine Server, but it is not necessary for spamBlocker to work correctly.
• XTM device sends information to external servers to classify email and caches the results
• Operates with the SMTP and POP3 proxies
• You must have an SMTP or POP3 proxy action configured to use spamBlocker

Activate spamBlocker
• A feature key is required to enable spamBlocker
  • Use Policy Manager or FSM to add the feature key
  • Save the configuration to the Firebox or XTM device
• Run the Activate spamBlocker Wizard

Configure a Policy for spamBlocker
• Use the SMTP-proxy or POP3-proxy
• Choose the proxy response to spam categorization
• Add exceptions

spamBlocker Actions
Spam is classified into three categories:
• Spam
• Bulk
• Suspect
For each category, you can configure the action taken:
• Allow
• Add Subject Tag
• Quarantine (SMTP only)
• Deny (SMTP only)
• Drop (SMTP only)

spamBlocker Exceptions
You can configure exceptions for specific senders or recipients by:
• Email address
• Domain by pattern match (*@xyz.com)
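How the spamBlocker exceptions and per-category actions above combine for a single message, as an added worked example that is not spamBlocker itself: exceptions are checked first, by exact address or *@domain pattern, and only then does the category returned by the classification service select the configured action; a configuration that assigns an SMTP-only action to a POP3 proxy is rejected. The category is passed in rather than looked up, and the addresses, patterns and action table are constructed for the example.

```python
"""Added example (not spamBlocker code): exception list first, then the
per-category action, with the SMTP-only restriction enforced at config time.
Classification comes from the CYREN service in the product; here the category
is a parameter. Addresses, patterns and actions are constructed."""
from fnmatch import fnmatchcase

CATEGORIES = {"spam", "bulk", "suspect"}
SMTP_ONLY_ACTIONS = {"quarantine", "deny", "drop"}
VALID_ACTIONS = {"allow", "add subject tag"} | SMTP_ONLY_ACTIONS


def check_config(proxy: str, actions: dict) -> None:
    """Reject a configuration the slides say is not available (e.g. Drop on POP3)."""
    if set(actions) != CATEGORIES:
        raise ValueError(f"need one action for each of {sorted(CATEGORIES)}")
    for category, action in actions.items():
        if action not in VALID_ACTIONS:
            raise ValueError(f"unknown action {action!r} for {category}")
        if proxy == "pop3" and action in SMTP_ONLY_ACTIONS:
            raise ValueError(f"{action} is SMTP only; not available for POP3 ({category})")


def match_exception(exceptions, sender: str, recipient: str):
    """Exceptions are (sender pattern, recipient pattern, action); first match wins."""
    for sender_pat, recipient_pat, action in exceptions:
        if (fnmatchcase(sender.lower(), sender_pat.lower())
                and fnmatchcase(recipient.lower(), recipient_pat.lower())):
            return action
    return None


def spamblocker_action(proxy, actions, exceptions, sender, recipient, category):
    """Return the action taken for one message ('allow', 'deny', ...)."""
    check_config(proxy, actions)
    exception_action = match_exception(exceptions, sender, recipient)
    if exception_action is not None:
        return exception_action                  # exception overrides classification
    if category is None:                         # not classified as spam/bulk/suspect
        return "allow"
    return actions[category]


# Constructed configuration for an SMTP-proxy action.
SMTP_ACTIONS = {"spam": "deny", "bulk": "quarantine", "suspect": "add subject tag"}
EXCEPTIONS = [("*@partner.example.com", "*", "allow"),          # trusted domain, always delivered
              ("newsletter@bulkmail.example.net", "*", "deny")]  # always refused

if __name__ == "__main__":
    print(spamblocker_action("smtp", SMTP_ACTIONS, EXCEPTIONS,
                             "alice@partner.example.com", "bob@corp.example", "spam"))
    print(spamblocker_action("smtp", SMTP_ACTIONS, EXCEPTIONS,
                             "x@random.example", "bob@corp.example", "bulk"))
```

The order matters for the defender: a domain allow-exception skips classification entirely, so exception patterns should be as narrow as the slide's *@xyz.com form allows rather than a bare "*".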

Customize spamBlocker
• Use multiple SMTP or POP3 proxies

Monitor spamBlocker Activity
• Status visible in Firebox System Manager
• Select the Subscription Services tab

Quarantine Spam
• Quarantine Server operates with spamBlocker for the SMTP-proxy only (not the POP3-proxy)
• Install with server components during WSM install, or from WatchGuard Server Center

Quarantine Server Configuration
You can configure:
• Database size and administrator notifications
• Server settings
• Length of time to keep messages
• The domains for which the Quarantine Server keeps mail
• Rules to automatically remove messages:
  • From specific senders
  • From specific domains
  • That contain specific text in the Subject field

Web Traffic: Manage Web Traffic Through Your Firewall

Learning Objectives
• Control outgoing HTTP traffic
• Protect your web server
• Use the HTTPS-proxy
• Set up WebBlocker
• Select categories of web sites to block
• Override WebBlocker rules for specified sites

What is the HTTP-Proxy?
• Fully configurable HTTP requests and responses
• Use URL paths to block complete URLs, or match a pattern you specify
• Select header fields, protocol settings, and request/response methods
• Allow or deny based on content types
• Block the transfer of all or some attachments over port 80
• Allow or deny cookies from specified domains
• Enforce search engine Safe Search rules

Control Outgoing HTTP Traffic
• Use the HTTP-Client proxy action as a template
• You know the users
• You decide where they go and what they can get access to
• Enforce Safe Search rules
(Diagram: Your Network — HTTP Proxy)

Settings for the HTTP-Client Proxy Action
• HTTP Request
• HTTP Response
• Use Web Cache Server
• HTTP Proxy Exceptions
• Data Loss Prevention
• WebBlocker
• AntiVirus
• Reputation Enabled Defense
• Deny Message
• Proxy and AV Alarms
• APT Blocker

Protect Your Web Server
• Use the HTTP-Server proxy action template
• Block malformed packets
• Prevent attacks on your server
• Enforce Safe Search rules
(Diagram: Your Network — Web Server — HTTP Proxy)

Settings for the HTTP-Server Proxy Action
• HTTP Request
• HTTP Response
• HTTP Proxy Exceptions
• Data Loss Prevention
• WebBlocker
• AntiVirus
• Reputation Enabled Defense
• Deny Message
• Proxy and AV Alarms
• APT Blocker

When to Use the HTTPS-Proxy
• HTTP on a secure, encrypted channel (SSL)
• Can use Deep Packet Inspection (DPI) to examine content and re-sign the original HTTPS site certificate
• OCSP can confirm the validity of the original HTTPS site certificate
• Use a certificate that all clients on your network automatically trust for this purpose when possible
• Can use WebBlocker to block categories of web sites
• When DPI is not enabled, checks the certificate and blocks by domain name

Page 188: Xtm Firewall Basics v11 9.Pdfx

WatchGuard Training 188

What is WebBlocker? Reduces malicious web content that enters the network Blocks URLs and IP addresses that you specify Reduces unproductive web surfing and potential liability Blocks access to IM/P2P download sites Blocks access to spyware sites Helps schools to attain CIPA compliance Two database options Global URL database — English, German, Spanish, French, Italian,

Dutch, Japanese, traditional Chinese, and simplified Chinese sites

188

Page 189: Xtm Firewall Basics v11 9.Pdfx

WatchGuard Training 189

WebBlocker Server Options Websense cloud

• Uses a cloud-based URL categorization database with over 100 content categories, provided by Websense

• Does not use a locally installed WebBlocker Server• URL categorization queries are sent over HTTP

WebBlocker Server• Uses a WatchGuard WebBlocker Server with 54 categories, provided

by SurfControl• Usually requires a locally installed WebBlocker Server

XTM 2 Series and XTM 33 can use a WebBlocker Server hosted by WatchGuard

• URL categorization queries are sent over UDP 5003

189

Page 190: Xtm Firewall Basics v11 9.Pdfx

WatchGuard Training 190

The WebBlocker Database Database updates keep the

filtering rules up-to-date Use multiple categories to

allow or deny different groups of users at different times of the day

190

Page 191: Xtm Firewall Basics v11 9.Pdfx

WatchGuard Training 191

WebBlocker Content Categories The available categories depend on which type of server you

choose.

191

Websense cloud — 100+ categories WebBlocker Server — 54 categories

Page 192: Xtm Firewall Basics v11 9.Pdfx

WatchGuard Training

WebBlocker Server with Websense Cloud

192Your Network

1. When a user browses, the Firebox or XTM device checks the Websense cloud

2. If the site is not in a blocked category, the device allows the connection

WebSite

WebSite

Websense Cloud

Page 193: Xtm Firewall Basics v11 9.Pdfx

WatchGuard Training 193

WebBlocker Server with Local WebBlocker Server

193

WebBlockerServer

Your Network WatchGuard

WebBlockerUpdates

1. WebBlocker Server gets WebBlocker database from WatchGuard.

2. When a user browses, the Firebox or XTM device checks the WebBlocker Server.

3. If the site is not in a blocked category, the device allows the connection.

WebSite

Keep the WebBlocker Database Updated
• The locally installed WebBlocker Server automatically downloads an incremental update to the local WebBlocker database at midnight.
• To update the database at other times, you can:
  – Manually trigger an incremental update in WatchGuard Server Center.
  – Use Windows Task Scheduler to run the “updatedb.bat” process, which is installed in the C:\Program Files\WatchGuard\wsm11\bin directory.

Advanced WebBlocker Settings
• On the WebBlocker Configuration Advanced tab, you can control what happens if the device cannot contact the WebBlocker Server. You can:
  – Allow access to all web sites
  – Deny access to all web sites
• You can also set a password that, when entered on an individual computer, overrides WebBlocker for that computer.

WebBlocker Exceptions
• Add exceptions for web sites that WebBlocker denies and you want to allow (white list).
• Add web sites that WebBlocker allows and you want to deny (black list).
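The slides above describe four inputs to one WebBlocker decision: the exceptions (white list and black list), the category returned by the server, the per-group and time-of-day category rules, and the Advanced tab setting that decides what happens when the server cannot be reached. The following is an added example in Python, not WatchGuard code; the host names, categories, groups and the 09:00-17:00 rule are constructed, and `categorize()` stands in for the real categorization query.

```python
"""Added example, not WatchGuard code: a WebBlocker-style decision that
checks the white list / black list exceptions first, then asks the
categorization server, then applies per-group, time-of-day category rules.
Every host, category and rule below is constructed for illustration."""
from urllib.parse import urlsplit

# Constructed stand-in for the categorization database on the server.
CATEGORY_DB = {
    "games.example": "Games",
    "news.example": "News",
    "filesharing.example": "Business",
}


def categorize(host, server_up=True):
    """Simulated categorization query. None means the server could not be reached."""
    if not server_up:
        return None
    return CATEGORY_DB.get(host, "Uncategorized")


class WebBlocker:
    def __init__(self, deny_rules, allow_list=(), deny_list=(),
                 allow_on_server_error=False):
        # deny_rules: (group, category, start_hour, end_hour) windows during
        # which that category is denied for that group (end hour exclusive).
        self.deny_rules = list(deny_rules)
        self.allow_list = set(allow_list)   # white list: denied by category, but you allow
        self.deny_list = set(deny_list)     # black list: allowed by category, but you deny
        # Advanced tab: what to do when the WebBlocker Server is unreachable.
        self.allow_on_server_error = allow_on_server_error

    def decide(self, url, group, hour, server_up=True):
        """Return (action, reason) for one request at the given hour of day."""
        host = (urlsplit(url).hostname or "").lower()
        # Exceptions need no category lookup, so they also work while the server is down.
        if host in self.deny_list:
            return "deny", "black list"
        if host in self.allow_list:
            return "allow", "white list"
        category = categorize(host, server_up)
        if category is None:
            # Fail-open or fail-closed, as configured. Fail-closed is the safer
            # choice when the blocked categories matter for security.
            action = "allow" if self.allow_on_server_error else "deny"
            return action, "server unreachable"
        for rule_group, rule_category, start, end in self.deny_rules:
            if rule_group == group and rule_category == category and start <= hour < end:
                return "deny", f"category {category} denied for {group}"
        return "allow", f"category {category}"


def example_blocker():
    """Constructed configuration: staff may not reach Games sites 09:00-17:00."""
    return WebBlocker(
        deny_rules=[("staff", "Games", 9, 17)],
        allow_list={"news.example"},
        deny_list={"filesharing.example"},
        allow_on_server_error=False,
    )


if __name__ == "__main__":
    wb = example_blocker()
    for url, group, hour in [("http://games.example/", "staff", 10),
                             ("http://games.example/", "staff", 19),
                             ("https://filesharing.example/up", "guests", 10)]:
        print(url, group, hour, wb.decide(url, group, hour))
```

Because the exceptions are evaluated before the category lookup, a white-listed site stays reachable and a black-listed site stays blocked even while the categorization server is down; only category-based decisions depend on the fail-open/fail-closed setting.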

Threat Protection: Defend Your Network From Intruders

Learning Objectives
• Understand the different types of intrusion protection
• Configure default packet handling to stop common attacks
• Block IP addresses and ports used by hackers
• Automatically block the sources of suspicious traffic

Intrusion Detection and Prevention
[Diagram: vulnerability lifecycle timeline]
• Vulnerability found and exposed
• Hacker builds attack that uses vulnerability
• Attack launched
• Attack signature developed and distributed
  – Firewall-based IPS supplies zero-day protection
  – Proactively blocks many threats
• Vendor builds patch
• Vendor distributes patch
• IT admin queues patch update based on severity
• IT admin installs patch
  – Ongoing protection at higher performance

Default Packet Handling
• Spoofing attacks
• Port and address space probes
• Flood attacks
• Denial of service
• Options for logging and automatic blocking

Block the Source of Attacks
[Diagram: Your Network with Log Server and Web Server; remote users and an attacker on the Internet]
1. Remote users use valid packets to browse your web site.
2. Attacker runs a port space probe on your network.
3. XTM device blocks the probe and adds the IP address of the source (the attacker) to the temporary list of blocked sites.
4. Now, even valid traffic from the attacker’s IP address is blocked by the Firebox or XTM device.

Auto-Block Sites
• Each policy configured to deny traffic has a check box you can select to auto-block the source of the denied traffic.
• If you select it, the source IP address of any packet denied by the policy is automatically added to the Blocked Sites List.

Use a Proxy Action to Block Sites
• When you select the Block action, the IP address denied by the proxy action is automatically added to the Blocked Sites List.

Block Known Attack Vectors
• Protect sensitive services on your network
  – Get log messages
  – Close traffic for unwanted services
• Static configuration
  – Add specific ports to block
  – Add specific IP addresses or subnets to be permanently blocked
• Dynamic configuration
  – This feature can be enabled from many different places in Policy Manager:
    – Proxy actions
    – Default packet handling settings
    – Policy configuration
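The slides from "Block the Source of Attacks" to here describe one mechanism fed from several places: a static list of permanently blocked addresses and subnets, default packet handling that detects a port space probe and adds the source temporarily, and a per-policy auto-block check box that adds the source of any packet the policy denies. The following added example in Python models that flow with constructed traffic; it is not WatchGuard code, and the probe threshold (more than 10 distinct ports in 10 seconds), the 20-minute temporary block and the addresses are assumptions chosen for the illustration.

```python
"""Added example, not WatchGuard code: a model of how static blocked sites,
default packet handling (a port space probe detector) and the per-policy
auto-block option all feed one Blocked Sites List with temporary entries.
Addresses, thresholds and the 20-minute expiry are constructed assumptions."""
import ipaddress
from collections import defaultdict


class BlockedSites:
    """Static (permanent) entries plus temporary auto-block entries with expiry."""

    def __init__(self, static_entries=(), temp_block_seconds=1200):
        self.static = [ipaddress.ip_network(e, strict=False) for e in static_entries]
        self.temporary = {}                    # source IP -> expiry timestamp
        self.temp_block_seconds = temp_block_seconds

    def add_temporary(self, src, now):
        self.temporary[src] = now + self.temp_block_seconds

    def is_blocked(self, src, now):
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in self.static):
            return True
        expiry = self.temporary.get(src)
        if expiry is None:
            return False
        if now >= expiry:                      # expired entries drop off the list
            del self.temporary[src]
            return False
        return True


class PortProbeDetector:
    """Default packet handling: flag a source that touches more than
    max_ports distinct destination ports within window seconds."""

    def __init__(self, max_ports=10, window=10):
        self.max_ports, self.window = max_ports, window
        self.seen = defaultdict(list)          # src -> [(timestamp, dport)]

    def observe(self, src, dport, now):
        recent = [(t, p) for t, p in self.seen[src] if now - t <= self.window]
        recent.append((now, dport))
        self.seen[src] = recent
        return len({p for _, p in recent}) > self.max_ports


class Firewall:
    def __init__(self, blocked, detector, open_ports=(80, 443), auto_block_on_deny=False):
        self.blocked, self.detector = blocked, detector
        self.open_ports = set(open_ports)
        self.auto_block_on_deny = auto_block_on_deny   # the policy's auto-block check box

    def handle(self, src, dport, now):
        # The Blocked Sites List is consulted before any policy, so even valid
        # traffic from a blocked source is denied.
        if self.blocked.is_blocked(src, now):
            return "deny: blocked site"
        if self.detector.observe(src, dport, now):
            self.blocked.add_temporary(src, now)
            return "deny: port space probe, source auto-blocked"
        if dport in self.open_ports:
            return "allow"
        if self.auto_block_on_deny:
            self.blocked.add_temporary(src, now)
            return "deny: policy, source auto-blocked"
        return "deny: policy"


def run_scenario():
    """Replay constructed traffic: a legitimate browser, a probing source and
    a permanently blocked subnet. Returns the decisions worth checking."""
    fw = Firewall(BlockedSites(static_entries=["192.0.2.0/24"]), PortProbeDetector())
    out = {}
    out["browser"] = fw.handle("203.0.113.5", 80, 0)
    out["static_subnet"] = fw.handle("192.0.2.77", 80, 0)
    # The probing source walks ports 1..12, one per second; the 11th distinct port trips the detector.
    probe = [fw.handle("198.51.100.7", port, t) for t, port in enumerate(range(1, 13))]
    out["probe_first"] = probe[0]
    out["probe_trip"] = probe[10]
    out["probe_after"] = probe[11]
    out["valid_while_blocked"] = fw.handle("198.51.100.7", 80, 12)
    out["valid_after_expiry"] = fw.handle("198.51.100.7", 80, 12 + 1200)
    return out


if __name__ == "__main__":
    for key, decision in run_scenario().items():
        print(f"{key:20s} {decision}")
```

The scenario keeps the policy's auto-block option off so that the probe detector is what adds the source; with `auto_block_on_deny=True` the very first denied port would already block it. The expiry check in `is_blocked` is what distinguishes the temporary list from the static entries, which never expire.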

Signature Services: Gateway AntiVirus, Data Loss Prevention, Intrusion Prevention, and Application Control

Learning Objectives
• Understand how signature-based security subscriptions work
• Set up and configure Gateway AntiVirus
• Configure proxies to use Gateway AntiVirus
• Set up and configure Data Loss Prevention
• Set up and configure the Intrusion Prevention Service
• Set up and configure Application Control
• Enable IPS and Application Control in policies

What is Gateway AV?
• Signature-based antivirus subscription; the Firebox or XTM device downloads signature database updates at regular, frequent intervals
• Gateway AV operates with the SMTP, HTTP, FTP, POP3, and TCP-UDP proxies

Set Up Gateway AntiVirus
[Diagram: Your Network, WatchGuard, Gateway AntiVirus database updates]
1. XTM device downloads the initial signature file
2. Device gets new signatures and updates at a regular interval
3. Gateway AV strips viruses and allows valid email or web pages to load

Gateway AV Wizard
• Gateway AntiVirus can be enabled and configured with the wizard that you launch from the Subscription Services menu
• In the wizard, you select the proxy policies to include in the Gateway AV configuration

Configure the Proxy with Gateway AntiVirus
• Use the HTTP-proxy and SMTP-proxy to enable Gateway AV
• Define actions
• Define content types to scan
• Monitor Gateway AV status

Gateway AV and the SMTP-Proxy
• When an email attachment contains a known virus signature, the Firebox or XTM device can take one of these actions:
  – Allow — Attachment passes through with no change
  – Lock — Attachment can only be opened by an administrator
  – Remove — Attachment is stripped from the email
  – Quarantine — Message is sent to the Quarantine Server
  – Drop — The connection is denied
  – Block — The connection is denied, and the server is added to the Blocked Sites List

Gateway AV and the HTTP-Proxy
• When Gateway AV finds a known virus signature in an HTTP session, the Firebox or XTM device can:
  – Allow — The file is allowed to pass through without changes
  – Drop — The HTTP connection is denied
  – Block — The HTTP connection is denied, and the web server is added to the Blocked Sites List

Gateway AV and the FTP-Proxy
• The FTP-proxy applies Gateway AV settings to:
  – Downloaded files allowed in your configuration
  – Uploaded files allowed in your configuration

Gateway AV Settings
• Select this option if you want Gateway AV to decompress file formats such as .zip or .tar
• The number of levels to scan is the depth for which Gateway AV scans archive files inside archive files
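The nesting level setting matters because a file inside an archive that sits deeper than the configured level is never opened, so it reaches the user unscanned unless the policy treats "not scanned" as its own outcome. The following added example in Python (not WatchGuard code) builds a three-level .zip in memory and walks it with a depth limit; the byte string used as a "signature" is a constructed stand-in, not a real antivirus signature.

```python
"""Added example, not WatchGuard code: how an archive nesting limit works
when a proxy decompresses .zip content. Archives are built in memory, the
"signature" is a constructed byte string standing in for a real AV signature,
and anything nested deeper than the configured level is reported rather than
silently passed."""
import io
import zipfile

SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"   # stand-in, not a real malware signature


def scan_bytes(data):
    return "infected" if SIGNATURE in data else "clean"


def scan(data, name, levels, depth=0):
    """Return [(member path, result)]. `levels` is the number of archive levels
    to open; an archive at depth >= levels is not opened and is reported so
    the policy for unscannable content can decide what to do with it."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= levels:
            return [(name, f"not scanned: exceeds {levels} archive levels")]
        results = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                results.extend(scan(zf.read(info), f"{name}/{info.filename}", levels, depth + 1))
        return results
    return [(name, scan_bytes(data))]


def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


def build_sample():
    """outer.zip -> middle.zip -> inner.zip -> payload.bin (three archive levels)."""
    inner = make_zip({"payload.bin": b"header" + SIGNATURE + b"trailer"})
    middle = make_zip({"inner.zip": inner, "readme.txt": b"just text"})
    return make_zip({"middle.zip": middle, "notes.txt": b"plain notes"})


def verdict(results):
    """Collapse member results into one verdict for the whole file."""
    if any(r == "infected" for _, r in results):
        return "infected"
    if any(r.startswith("not scanned") for _, r in results):
        return "partially scanned"
    return "clean"


if __name__ == "__main__":
    sample = build_sample()
    for levels in (3, 2):
        results = scan(sample, "outer.zip", levels)
        print(f"levels={levels}: {verdict(results)}")
        for path, result in results:
            print("  ", path, result)
```

With three levels the payload is found; with two, the innermost archive is reported as "not scanned" and the overall verdict becomes "partially scanned" rather than "clean", which is the distinction a policy needs in order to drop or log such content instead of passing it.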

What is Data Loss Prevention?
• Data Loss Prevention (DLP) is a signature-based security service that can help you control the loss of confidential data from your network.
• DLP uses content control rules to identify sensitive data, such as:
  – Bank routing numbers
  – Credit card numbers
  – Confidential document markers
  – National identity numbers
  – Driver’s license numbers
  – Medical records
  – Postal addresses and telephone numbers
  – Email addresses
• DLP scans outbound traffic over proxied SMTP, FTP, HTTP, and HTTPS connections.

DLP Custom Rule
• You can add a custom rule to your DLP configuration.
• Allows you to customize your DLP configuration beyond the predefined rules.
• You can scan your network traffic for special phrases specific to your organization.
• For example, use email and document security classifications with your custom rule to prevent sensitive messages and documents from leaving your network.

DLP Sensors
• To configure DLP, you define a DLP sensor. For each DLP sensor, you configure:
  – Rules — enable one or more of the predefined or custom content rules
  – Actions — define the action to take if data matches the selected rules
    – By default, a sensor has two types of actions:
      – Action for email traffic
      – Action for non-email traffic
  – Settings — scan limit, and actions for items that cannot be scanned
    – Scan limit controls how much of a file or object to scan
    – Actions control what happens when:
      – Content is larger than the scan limit
      – A scan error occurs
      – Content is password protected

DLP Actions
• Actions you can configure in a DLP sensor are:
  – Allow — Allows the connection or email
  – Drop — Denies the request and drops the connection. No information is sent to the source of the content.
  – Block — Denies the request, drops the connection, and adds the IP address of the content source or sender to the Blocked Sites list.
  – Lock — (email content only) Locks the email attachment. A file that is locked cannot be opened easily by the user. Only the administrator can unlock the file.
  – Remove — (email content only) Removes the attachment and allows the message to be sent to the recipient.
  – Quarantine — (email content only) Sends the email message to the Quarantine Server.
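The three DLP slides above (custom rules, sensor structure, actions) fit together as one decision: content rules decide whether sensitive data is present, the traffic type selects the email or non-email action, and the sensor settings decide what happens to content that cannot be scanned at all. The following added example in Python is not WatchGuard code; it implements a credit card rule with a Luhn check, a custom rule for a constructed "INTERNAL ONLY" classification marker, and the three unscannable cases the sensor settings name. The sample messages, rule names and the 4 KB scan limit are constructed.

```python
"""Added example, not WatchGuard code: a DLP sensor in miniature. Two content
rules (a predefined-style credit card rule with a Luhn check, and a custom
phrase rule for a document classification marker), separate actions for
email and non-email traffic, a scan limit, and one action for content that
cannot be scanned. All samples and rule names are constructed."""
import re

# 13-16 digits, optional space or dash separators between digits.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits):
    """Luhn checksum, so that arbitrary digit runs are not reported as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def find_credit_cards(text):
    return [m for m in CARD_RE.findall(text) if luhn_ok(re.sub(r"[ -]", "", m))]


RULES = [
    ("Credit card numbers", lambda text: bool(find_credit_cards(text))),
    # Custom rule: the organisation's own classification marker (constructed).
    ("Custom: INTERNAL ONLY marker",
     lambda text: re.search(r"\bINTERNAL ONLY\b", text) is not None),
]

EMAIL_ONLY_ACTIONS = {"lock", "remove", "quarantine"}


class DLPSensor:
    def __init__(self, rules, email_action="quarantine", non_email_action="drop",
                 scan_limit=1_000_000, unscannable_action="allow"):
        if non_email_action in EMAIL_ONLY_ACTIONS:
            raise ValueError(f"{non_email_action} applies to email content only")
        self.rules = list(rules)
        self.email_action, self.non_email_action = email_action, non_email_action
        self.scan_limit = scan_limit                  # bytes of an object to scan
        self.unscannable_action = unscannable_action  # used for all three unscannable cases

    def inspect(self, content, is_email, password_protected=False):
        """Return (action, reason) for one message or one non-email object."""
        if len(content) > self.scan_limit:
            return self.unscannable_action, "content larger than scan limit"
        if password_protected:
            return self.unscannable_action, "content is password protected"
        try:
            text = content.decode("utf-8")
        except UnicodeDecodeError:                # text extraction failed
            return self.unscannable_action, "scan error"
        matched = [name for name, matches in self.rules if matches(text)]
        if not matched:
            return "allow", "no rule matched"
        action = self.email_action if is_email else self.non_email_action
        return action, "matched: " + "; ".join(matched)


def example_sensor():
    """Constructed sensor: quarantine email, drop other traffic, drop what cannot be scanned."""
    return DLPSensor(RULES, email_action="quarantine", non_email_action="drop",
                     scan_limit=4096, unscannable_action="drop")


if __name__ == "__main__":
    sensor = example_sensor()
    for content, is_email in [(b"Card on file: 4111 1111 1111 1111", True),
                              (b"Order 4111 1111 1111 1112 shipped", False),
                              (b"Classification: INTERNAL ONLY", False)]:
        print(content.decode(), "->", sensor.inspect(content, is_email))
```

Two details are worth noticing. The Luhn check is what separates a real card number from an order number of the same length, and it is the reason the second sample is allowed. The unscannable action is deliberately "drop" here: a sensor that allows password-protected or over-limit content gives a sender a trivial way around every rule, so that setting deserves the same attention as the rules themselves.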

DLP Text Extraction
• DLP can extract and scan text from these file types:
  – Adobe PDF, RTF
  – Microsoft PowerPoint 2000, 2003, 2007, 2010
  – Microsoft Excel 2000, 2003, 2007, 2010
  – Microsoft Word 2000, 2003, 2007, 2010
  – Microsoft Project 2000, 2003, 2007, 2010
  – Microsoft Visio 2000, 2003, 2007, 2010
  – Microsoft Outlook .MSG
  – Microsoft Outlook Express .EML
  – OpenOffice Calc, Impress, Writer
  – LibreOffice Calc, Impress, Writer
  – HTML

Enable DLP
• Enable Data Loss Prevention
• Add a DLP sensor using the wizard
  – Apply sensor to proxy policies
  – Select content control rules
  – Select actions to take when content is detected in email and non-email traffic

Edit a DLP Sensor
• Enable/disable rules
• Configure sensor actions by source and destination
  – Action for email traffic
  – Action for non-email traffic
• Configure sensor settings
  – Set actions for items that cannot be scanned due to:
    – Size exceeds scan limit
    – Scan error
    – File is password protected
  – Set the file scan limit

Assign DLP Sensors to Policies
• When you add a DLP sensor, you select which proxy policies it applies to.
• You can also configure this on the Policies tab in the Data Loss Prevention configuration, and when you edit an FTP, HTTP, or SMTP proxy action.

Use Signature-Based IPS
• Configure IPS to Allow, Drop, or Block connections from sources that match an IPS signature
• Action is set based on the threat level of the matching signature

Use Signature-Based IPS
• Configure settings globally
• Enable or disable per-policy
• Can scan traffic for all policies
• Blocks malicious threats before they enter your network

Use Application Control
• Application Control is a Subscription Service
• Monitor and control hundreds of applications based on signatures
• Block or allow traffic for application categories, applications, and application behaviors
  – If you have created Traffic Management actions, you can also use Traffic Management actions to control the bandwidth used for allowed application traffic.
• When Application Control blocks HTTP content, a deny message appears in the browser
  – The deny message is not configurable
  – For HTTPS or other content types, the deny message does not appear

Use Application Control
• To configure actions by application category, click Select by Category

Apply Application Control to Policies
• First configure Application Control actions
• On the Policies tab, select one or more policies, then select the action to apply

Enable Application Control and IPS in Policies
• Application Control
  – Application Control is not automatically enabled for policies
  – For each policy, you select which Application Control action to use
  – To monitor the use of applications, enable logging of allowed packets in the policies that have Application Control enabled
• IPS
  – When you enable IPS, it is enabled for all policies by default
  – You can enable or disable IPS for each policy

Application Control, IPS, and DLP in HTTPS-Proxy Policies
• If you enable Application Control, IPS, or DLP for an HTTPS-proxy policy, you must also enable deep inspection of HTTPS content in the HTTPS-proxy action
  – Required for IPS to scan the HTTPS content
  – Required for Application Control to detect applications over an HTTPS connection
  – Required for DLP to scan content

Enable Automatic Signature Updates
• To protect against the latest viruses and exploits, and to identify the latest applications, make sure your device is configured to get automatic updates to Gateway AntiVirus, Intrusion Prevention, and Application Control signatures at regular intervals
• Update requests can be routed through a proxy server

Monitor Signature Update Status
• In Firebox System Manager, select the Subscription Services tab to see the status of Gateway AV, IPS, DLP, and Application Control signatures, or to manually get signature updates

APT Blocker: Block Advanced Malware in Email, FTP, and Web Traffic

APT Blocker
• What is an APT (Advanced Persistent Threat)?
  – APTs leverage the latest targeted malware techniques and zero-day exploits (flaws which software vendors have not yet discovered or fixed) to infect and spread within a network.
  – Designed to gain access to networks and access confidential data over extended periods of time.
  – APTs are highly sophisticated and often target specific high-profile institutions such as government or financial-sector companies
  – APT use has now expanded to target smaller networks and lower profile organizations.
  – Traditional signature-based scan techniques do not provide adequate protection against APTs.

APT Blocker
• APT Blocker is a subscription service that uses best-of-breed full-system emulation analysis by our solution partner Lastline.
• Lastline cloud performs file analysis in a sandbox environment to identify the characteristics and behavior of advanced malware in files and email attachments.
• Includes full system emulation that goes beyond simple detection techniques to simulate a physical and software environment to analyze the deepest level of advanced malware activity.
• Full system emulation ensures that advanced malware does not detect and evade the analysis.

APT Blocker — How Does it Work?
• Files that enter your network are scanned and an MD5 hash of the file is generated.
• This MD5 hash is submitted to the Lastline cloud-based data center over HTTPS, where it is compared to a database of analyzed files and results are returned immediately.
• If the analysis results in a match to a known malware threat, you can take immediate action on the file.
• If there is no match with the available data center analysis results, this means the specific file has never been seen or analyzed before.
  – In this case the actual file is submitted to the Lastline data center, where the file undergoes deep analysis for advanced malware activity.
  – This analysis occurs at the same time as the file transfer, and the connection is passed through while the device waits for the result of the analysis.
  – The result is returned in minutes, and if there is evidence of malware activity in the file, your WatchGuard Firebox or XTM device can generate an alarm notification.

APT Blocker — Supported Proxies and File Types
• APT Blocker can scan files for the HTTP, FTP, and SMTP proxies.
• APT Blocker can scan these file types:
  – Windows PE (Portable Executable) files. Includes Windows XP and Windows 7/8 files with .cpl, .exe, .dll, .ocx, .sys, .scr, .drv, and .efi extensions.
  – Adobe PDF documents
  – Microsoft Office documents
  – Rich Text Format (RTF) documents
  – Android executable files (.apk)
• APT Blocker can also examine files within these compressed archives:
  – gzip
  – tar
  – zip

APT Blocker & Gateway Anti-Virus
• APT Blocker utilizes the same scanning process as Gateway Anti-Virus.
• You must have Gateway Anti-Virus enabled to enable APT Blocker on a specific proxy.
• Files are scanned by Gateway Anti-Virus before they are scanned by APT Blocker.
• Only files that have been scanned and processed as clean by Gateway AntiVirus are scanned by APT Blocker.
• You can customize which file types you want scanned by APT Blocker in the Gateway Anti-Virus configuration.
• If the Gateway Anti-Virus scan is enabled on a specific file/content type in the configuration, APT Blocker will scan the file as long as the file type is supported by APT Blocker.

Enable APT Blocker
• Before you enable APT Blocker:
  – Your device must have an APT Blocker feature key
  – Gateway AntiVirus must be enabled

APT Blocker — Configuration
• APT Blocker categorizes APT activity based on the severity of the threat:
  – High
  – Medium
  – Low
• All threat levels are considered malware.
• Higher levels have more significant indicators of malware.
• For each threat level, you can assign an action:
  – Allow
  – Drop (SMTP proxy strips attachment)
  – Block (SMTP proxy strips attachment)
  – Quarantine (SMTP only; HTTP/FTP drops connection)
• Enable notification and log settings to make sure you are notified of malware activity.
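The "How Does it Work" slide and the configuration slide above describe a two-stage flow: an immediate MD5 lookup that can act on a known file, and a deferred full analysis for unknown files during which the transfer has already been passed through, so the only possible outcome is an alarm. The following added example in Python (not WatchGuard or Lastline code) models both stages and the per-threat-level action table, including the rule that Quarantine applies to SMTP only. The cached results, file contents and notification callback are constructed.

```python
"""Added example, not WatchGuard code: the APT Blocker flow in outline. A file
is hashed with MD5, the hash is checked against a cache of analysis results
(constructed here), an unknown file is submitted and the transfer continues
while analysis is pending, and the threat level that comes back maps to the
configured per-level action. Quarantine is honoured for SMTP only; for HTTP
and FTP it becomes a dropped connection, as the slide states."""
import hashlib

THREAT_LEVELS = ("high", "medium", "low")


class APTBlocker:
    def __init__(self, actions, known_results=None, notify=None):
        # actions: e.g. {"high": "block", "medium": "drop", "low": "allow"}
        self.actions = dict(actions)
        self.cache = dict(known_results or {})   # md5 hex -> threat level or "clean"
        self.pending = {}                        # md5 hex -> (proxy, description)
        self.notify = notify or (lambda message: None)

    @staticmethod
    def md5(data):
        return hashlib.md5(data).hexdigest()

    def check(self, data, proxy, description):
        """Stage 1: hash lookup. Returns (action, status) for the transfer."""
        digest = self.md5(data)
        level = self.cache.get(digest)
        if level is not None:
            return self.action_for(level, proxy), f"known: {level}"
        # Never seen before: submit the file for full analysis. The connection
        # is passed through while we wait, so a later result can only alarm.
        self.pending[digest] = (proxy, description)
        return "allow", "submitted for analysis"

    def result_received(self, digest, level):
        """Stage 2: the analysis result arrives minutes later."""
        self.cache[digest] = level
        proxy, description = self.pending.pop(digest, (None, None))
        if level in THREAT_LEVELS and description is not None:
            self.notify(f"APT Blocker: {level} threat in {description} via {proxy}; "
                        "file was already delivered")
            return "alarm"
        return "no action"

    def action_for(self, level, proxy):
        if level not in THREAT_LEVELS:           # "clean" or unknown label
            return "allow"
        action = self.actions.get(level, "allow")
        if action == "quarantine" and proxy != "smtp":
            return "drop"                        # Quarantine exists for SMTP only
        return action


if __name__ == "__main__":
    bad = b"constructed sample that the cloud already knows"
    blocker = APTBlocker({"high": "block", "medium": "quarantine", "low": "allow"},
                         known_results={APTBlocker.md5(bad): "high"}, notify=print)
    print(blocker.check(bad, "http", "GET /download"))
    new = b"constructed sample never analysed before"
    print(blocker.check(new, "smtp", "attachment report.pdf"))
    print(blocker.result_received(APTBlocker.md5(new), "medium"))
    print(blocker.check(new, "smtp", "attachment report.pdf, resent"))
```

The second `check` of the new file returns the quarantine action because the result is now cached; the first delivery of that same file was already allowed, which is why the notification and log settings on the configuration slide are not optional extras but the only signal you get for a first-seen file.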

APT Blocker — Enable in a Policy
• You can enable or disable APT Blocker for a specific policy in the APT Blocker configuration or when you edit a proxy action.

Reputation Enabled Defense: Improve the Performance and Security of Web Access

Learning Objectives
• Understand how Reputation Enabled Defense works
• Configure Reputation Enabled Defense
• Monitor Reputation Enabled Defense

What is Reputation Enabled Defense (RED)?
• Reputation-based HTTP anti-virus and anti-spyware prevention subscription, available for WatchGuard XTM device models only
• RED operates with the HTTP-proxy
• RED uses a cloud-based reputation server that assigns a reputation score between 1 and 100 to every URL
  – The reputation score for a URL is based on AV scanning feedback and other URL reputation data collected from sources around the world.
• When a user browses to a web site, RED looks up the score for the URL
  – For URLs with a good reputation score, local scanning is bypassed
  – For URLs with a bad reputation score, the HTTP-proxy denies access without local scanning by Gateway AV
  – For URLs with an inconclusive reputation score, local Gateway AV scanning is performed as configured
• Eliminates the need to locally scan the content of web sites that have a known good or bad reputation and improves XTM device performance

RED Reputation Scores
• Reputation Scores:
  – High scores indicate a bad reputation
  – Low scores indicate a good reputation
  – If RED has no knowledge of a URL, it assigns a score of 50
  – The reputation score assigned to a URL increases based on:
    – Negative scan results for that URL
    – Negative scan results for a referring link
    – Negative information from other sources of malware data
  – The reputation score assigned to a URL decreases based on:
    – Multiple clean scans
    – Recent clean scans
• RED continually updates the reputation scores for URLs based on:
  – Scan results from devices around the world by two leading anti-malware engines: Kaspersky and AVG
  – Data from other leading sources of malware intelligence for the web

RED Reputation Thresholds and Actions
• The action performed by the HTTP-proxy depends on:
  – The reputation score of a requested URL
  – The locally configured reputation thresholds
• RED Actions:
  – If score is higher than the Bad reputation threshold, Deny access
  – If score is lower than the Good reputation threshold, Bypass local scanning
  – Otherwise, perform local Gateway AV scanning as configured
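The scores slide and the thresholds slide above together describe a feedback loop: the HTTP-proxy's decision depends on the score and the two thresholds, and local scan results in turn move the score. The following added example in Python (not WatchGuard code) implements the three-way threshold decision in front of a stand-in local scanner and a toy reputation server. The slides give only the 1-100 range, the unknown-URL score of 50 and the direction in which scores move; the threshold values (10 and 90), the step sizes and the URLs are constructed assumptions, not WatchGuard's defaults.

```python
"""Added example, not WatchGuard code: RED-style reputation thresholds in
front of local Gateway AV scanning, and a toy reputation server whose scores
move up on negative scan results and down on clean ones. The threshold
values, step sizes and URLs are constructed; the slides give only the
1-100 range, the unknown-URL score of 50 and the direction of each change."""

UNKNOWN_SCORE = 50


class ReputationServer:
    """Scores 1-100; high is bad. Unknown URLs start at 50."""

    def __init__(self, negative_step=20, clean_step=10):
        self.scores = {}
        self.negative_step, self.clean_step = negative_step, clean_step

    def score(self, url):
        return self.scores.get(url, UNKNOWN_SCORE)

    def report(self, url, clean):
        """Feed one local scan result back; clamp to the 1-100 range."""
        delta = -self.clean_step if clean else self.negative_step
        self.scores[url] = max(1, min(100, self.score(url) + delta))


class RedHttpProxy:
    def __init__(self, server, local_scan, good_threshold=10, bad_threshold=90):
        self.server, self.local_scan = server, local_scan
        self.good_threshold, self.bad_threshold = good_threshold, bad_threshold

    def handle(self, url):
        """Return (action, how it was decided, score seen) for one request."""
        score = self.server.score(url)
        if score > self.bad_threshold:
            return "deny", "bad reputation, no local scan", score
        if score < self.good_threshold:
            return "allow", "good reputation, local scan bypassed", score
        result = self.local_scan(url)           # inconclusive: Gateway AV as configured
        self.server.report(url, clean=(result == "clean"))
        return ("allow" if result == "clean" else "deny"), "local Gateway AV scan", score


def constructed_scanner(url):
    """Stand-in for Gateway AV: one constructed URL always carries malware."""
    return "infected" if url.startswith("http://bad.example/") else "clean"


def run_scenario(requests=6):
    """Request a bad and a good URL repeatedly; returns both decision sequences."""
    server = ReputationServer()
    proxy = RedHttpProxy(server, constructed_scanner)
    bad = [proxy.handle("http://bad.example/dl") for _ in range(requests)]
    good = [proxy.handle("http://good.example/") for _ in range(requests)]
    return bad, good


if __name__ == "__main__":
    bad, good = run_scenario()
    for label, seq in (("bad", bad), ("good", good)):
        for i, decision in enumerate(seq, 1):
            print(f"{label} request {i}: {decision}")
```

The sequences show why the thresholds trade performance against risk: once the bad URL's score has climbed past 90 it is denied without spending a scan, and once the good URL's score has dropped below 10 it is served without one. Raising the good threshold or lowering the bad one bypasses or denies sooner, which is exactly why the later slide recommends the defaults unless you have a reason to move them.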

Enable Reputation Enabled Defense
• Before you enable RED:
  – Your device must have a Reputation Enabled Defense feature key
  – You must have configured at least one HTTP-proxy policy

Configure Reputation Enabled Defense
• Enable RED for the HTTP-proxy
• Define thresholds
• Monitor RED status

Reputation Enabled Defense and the HTTP-Proxy
• Based on the reputation score for a URL, the HTTP-Proxy can:
  – Immediately block the URL if it has a bad reputation
  – Bypass any configured local virus scanning for a URL that has a good reputation
• If neither of these RED actions occurs, then any locally configured virus scanning proceeds as configured

Reputation Enabled Defense and the HTTP-Proxy
• Default reputation thresholds are set to balance security with performance
• Change bad and good reputation thresholds in the Advanced Settings dialog box
• WatchGuard recommends that you use the default reputation thresholds

Monitor Reputation Enabled Defense
• RED status is visible in Firebox System Manager on the Subscription Services tab

Web UI: Explore Fireware XTM Web UI

Learning Objectives
• Log in to Fireware XTM Web UI
• Change the port that the Firebox or XTM device uses for the Web UI
• Discuss limitations of the Web UI
• Manage timeouts for the Web UI management sessions

Introduction to Fireware XTM Web UI
• Monitor and manage any device running Fireware XTM without installing extra software
• Real-time management tool
• Easily find what you need and understand how the configuration options work

Limitations of the Web UI
• Things you can do with Policy Manager, but not with the Web UI:
  – Change the name of a policy
  – Change the logging of default packet handling options
  – Enable or disable the notification of BOVPN events
  – Add a custom address to a policy
  – Use Host Name (DNS lookup) to add an IP address to the From or To section of a policy
  – Create a .wgx file for Mobile VPN with IPSec client configuration (you can get only the equivalent, but unencrypted, .ini file)
  – Export certificates stored on the device, or see their details (you can only import certificates)
  – Enable FireCluster or change the cluster configuration (you can monitor a cluster and update policies and other configuration settings)
  – Some of the logging and reporting functions provided by HostWatch, Log Manager, Report Manager, and WSM are also not available

Log in to the Web UI
• You need only a web browser
• Real-time configuration tool; no option to store configuration changes locally and save them to the device later
• https://<XTM.device.IP.address>:8080
  – Uses a self-signed certificate, so you must accept certificate warnings or replace the certificate with a trusted certificate
  – You can change the port for the Web UI
• Log in with one of two default Device Management user accounts
  – status — For read-only permission; uses the status passphrase
  – admin — For read-write permission; uses the configuration passphrase
• Or, log in with another Device Management user account you have added

Log in to the Web UI
• To log in with the default Device Management user accounts, the Username must be status or admin. It is case sensitive.
• Multiple concurrent logins are allowed with a Device Monitor user account (such as the status user account)
• Only one Device Administrator user account can be logged in at a time
• The last user to log in with a Device Administrator user account is the only user that can make changes
  – Includes changes from Policy Manager and WSM

Log in to the Web UI
• The user account name appears at the top of the screen
• The navigation menu is at the left side

Web UI Dashboards
• The Dashboard pages appear at the top of the Web UI navigation menu:
  – Front Panel — Summary of current system status and activity
  – Subscription Services — Summary of activity for all subscription services
  – FireWatch — Treemap visualization of current traffic through the Firebox or XTM device
  – Interfaces — Status of network interfaces
  – Traffic Monitor — Log messages from the Firebox or XTM device
  – Gateway Wireless Controller — Shows WatchGuard AP device activity and clients

FireWatch
• FireWatch provides a treemap view to help you visualize your network traffic
  – Blocks in each tab are proportionately sized to represent the data in that tab
  – Place your cursor over an item in the treemap to see more details about it
  – Select the data type from the drop-down list at the top-right of the page:
    – Rate
    – Bytes
    – Connections
    – Duration

FireWatch
• You can use FireWatch to see:
  – Who uses the most bandwidth on your network
  – Which is the most popular site that users visit
  – Which sites use the most bandwidth
  – Which applications use the most bandwidth
  – Which sites a particular user has visited
  – Which applications are most used by a particular user

Conclusion
• This presentation provides an overview of basic Fireware XTM features
• For more information, see these training, documentation, and support resources available in the Support section of the WatchGuard web site:
  – WatchGuard System Manager Help
  – Fireware XTM Web UI Help
  – WatchGuard Dimension Help
  – WatchGuard Knowledge Base
  – Fireware XTM Training courseware

Thank You!