Watchguard Firebox X1000 User Manual

WatchGuard® Firebox System® User Guide

Summary of Contents for Watchguard Firebox X1000

  • Page 1: User Guide

    WatchGuard® Firebox System® User Guide
  • Page 2 RapidCare, SchoolMate, ServiceWatch, Smart Security. Simply Done., Vcontroller, VPNforce, The W-G logo are either registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries. © Hi/fn, Inc. 1993, including one or more U.S. Patents: 4701745, 5016009, 5126739, and 5146221 and other patents pending.
  • Page 3 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
  • Page 4 Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  • Page 5 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/ or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by Ralf S.
  • Page 6 PCRE in software that you distribute to others, commercially or otherwise, you must put a sentence like this: Regular expression support is provided by the PCRE library package, which is open source software, written by Philip Hazel, and copyright by the University of Cambridge, England.
  • Page 7 WATCHGUARD Firebox software product, which includes computer software components (whether installed separately on a computer workstation or on the WATCHGUARD hardware product or included on the WATCHGUARD hardware product) and may include associated media, printed materials, and on-line or electronic documentation, and any updates or modifications thereto, including those received through the WatchGuard LiveSecurity Service (or its equivalent), (the “SOFTWARE PRODUCT”).
  • Page 8 PRODUCT for a full refund of the price you paid. The WATCHGUARD hardware product is subject to a separate agreement and limited hardware warranty included with the WATCHGUARD hardware product packaging and/or in the associated user documentation. Ownership and License. The SOFTWARE PRODUCT is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties.
  • Page 9 WATCHGUARD with a dated proof of purchase. (B) SOFTWARE PRODUCT. The SOFTWARE PRODUCT will materially conform to the documentation that accompanies it.
  • Page 10 (c)(1) and (2) of the Commercial Computer Software -- Restricted Rights Clause at 48 C.F.R. 52.227-19, as applicable. Manufacturer is WatchGuard Technologies, Inc., 505 5th Ave. South, Suite 500, Seattle, WA 98104. 6.Export Controls. You agree not to directly or indirectly transfer the SOFTWARE PRODUCT or documentation to any country to which such transfer would be prohibited by the U.S.
  • Page 11 OF THE ENTITY’S OBLIGATIONS UNDER THIS AGREEMENT DO NOT VIOLATE ANY THIRD-PARTY AGREEMENT TO WHICH THE ENTITY IS A PARTY. No change or modification of this AGREEMENT will be valid unless it is in writing and is signed by WATCHGUARD.
  • Page 13: Table Of Contents

    Contents Introduction CHAPTER 1 Welcome to WatchGuard® WatchGuard Firebox System Components WatchGuard Firebox Firebox System Manager WatchGuard security applications WatchGuard LiveSecurity® Service Minimum Requirements Software requirements Web browser requirements Hardware requirements WatchGuard Options ...5 VPN Manager ... 6 High Availability Mobile User VPN ...
  • Page 14 Activating the LiveSecurity® Service LiveSecurity® Self Help Tools WatchGuard Users Forum WatchGuard Users Group ... 15 Online Help Starting WatchGuard Online Help Searching for topics Copying the Help system to additional platforms Online Help system requirements Context-sensitive Help Product Documentation ...
  • Page 15 Testing the connection Entering IP addresses Deploying the Firebox into Your Network ... 44 What’s Next Customizing your security policy What to expect from LiveSecurity® Service Firebox Basics CHAPTER 4 ... 47 What is a Firebox? Opening a Configuration File Opening a configuration from the Firebox Opening a configuration from a local hard disk Saving a Configuration File...
  • Page 17 Controlling the HostWatch display Modifying HostWatch view properties Configuring Network Address CHAPTER 7 Translation ... 102 Dynamic NAT Using Simple Dynamic NAT Enabling simple dynamic NAT Adding simple dynamic NAT entries Reordering simple dynamic NAT entries Specifying simple dynamic NAT exceptions Using Service-Based Dynamic NAT Enabling service-based dynamic NAT Configuring service-based dynamic NAT...
  • Page 19 Changing the log encryption key Removing a log host Reordering log hosts Synchronizing log hosts Setting up the WatchGuard Security Event Processor Running the WSEP application on Windows NT, Windows 2000, or Windows XP Viewing the WSEP application Starting and stopping the WSEP
  • Page 21 Controlling Web Site Access CHAPTER 15 Getting Started with WebBlocker Installing the WebBlocker server Downloading the database using WebBlocker Utility Configuring the WatchGuard service icon Add an HTTP service Configuring the WebBlocker Service Activating WebBlocker Allowing WebBlocker server bypass Configuring the WebBlocker message...
  • Page 22 Method 4: Serial Dongle (Firebox II only) Index
  • Page 23: Chapter 1 Introduction

    • Managing the security system from a single site The WatchGuard Firebox System is a reliable, flexible, scalable, and inexpensive network security solution. Its setup and maintenance costs are small, and it supports a rich feature set. When properly configured and administered, the Firebox System reliably defends any network against external threats.
  • Page 24: Watchguard Firebox System Components

    Chapter 1: Introduction WatchGuard Firebox System Components The WatchGuard Firebox System has all of the components needed to conduct electronic business safely. It is made up of the following: • Firebox–a plug-and-play network appliance • Firebox System Manager–a suite of management and monitoring tools •...
  • Page 25: Watchguard Security Applications

    This section describes the minimum hardware and software requirements necessary to successfully install, run, and administer the WatchGuard Firebox System. Software requirements WatchGuard Firebox System software can run on Microsoft Windows NT 4.0, Windows 2000, or Windows XP as specified below:
  • Page 26: Web Browser Requirements

    Microsoft Internet Explorer 5.01 or later Hardware requirements Minimum hardware requirements are the same as those for the operating system on which the WatchGuard Firebox System runs. The recommended hardware ranges are listed in the following table:
  • Page 27: Watchguard Options

    The following options are currently available for the WatchGuard Firebox System. VPN Manager WatchGuard VPN Manager is a centralized module for creating and managing the network security of an organization that uses the Internet to conduct business. It turns the complex task of setting up multi-site virtual private networks (VPNs) into a simple three-step process.
  • Page 28: High Availability

    WFS and enter your license key. The Firebox model 700 does not support VPN Manager. High Availability WatchGuard High Availability software lets you install a second, standby Firebox on your network. If your primary Firebox fails, the second Firebox automatically takes over to give your customers, business partners, and employees virtually uninterrupted access to your protected network.
  • Page 29: Bovpn Upgrade

    The audience for this guide represents a wide range of experience and expertise in network management and security. The end user of the WatchGuard Firebox System is generally a network administrator for a company that can range from a small branch office to a large enterprise with multiple offices around the world.
  • Page 30 • Code, messages, and file names appear in monospace font; for example: .wgl and .idx files • In command syntax, variables appear in italics; for example: fbidsmate • Optional command parameters appear in square brackets. import_passphrase
  • Page 31: Chapter 2 Service And Support

    LiveSecurity security system up-to-date by providing solutions directly to you. In addition, the WatchGuard Technical Support team and Training department offer a wide variety of methods to answer your questions and assist you with improving the security of your network.
  • Page 32: Livesecurity® Broadcasts

    Access to technical support and training When you have questions about your WatchGuard system, you can quickly find answers using our extensive online support resources, or by talking directly to one of our support representatives.
  • Page 33 You receive functional software enhancements on an ongoing basis that cover your entire WatchGuard Firebox System. Editorial Leading security experts join the WatchGuard Rapid Response Team in contributing useful editorials to provide a source of continuing education on this rapidly changing subject.
  • Page 34: Activating The Livesecurity® Service

    The LiveSecurity Service can be activated through the setup wizard on the CD-ROM or through the activation section of the WatchGuard LiveSecurity Web pages. The setup wizard is detailed thoroughly in the QuickStart Guide and in the “Getting Started” chapter of this book.
  • Page 35: Livesecurity® Self Help Tools

    TAB key or the mouse. All of the fields are required for successful registration. The profile information helps WatchGuard target information and updates to your needs. Verify that your email address is correct. You will receive your activation confirmation mail and all of your LiveSecurity broadcasts at this address.
  • Page 36: Watchguard Users Forum

    Support. Log in to LiveSecurity Service. WatchGuard Users Forum The WatchGuard users forum is an online group in which the users of the WatchGuard Firebox System exchange ideas, questions, and tips regarding all aspects of the product, including configuration, compatibility, and networking.
  • Page 37: Watchguard Users Group

    They should not be the same as that of your LiveSecurity Service. WatchGuard Users Group The WatchGuard users group is an online group in which the users of WatchGuard products can communicate information. Because this group is not monitored by WatchGuard, it should not be used for reporting support issues to WatchGuard Technical Support.
  • Page 38: Starting Watchguard Online Help

    WatchGuard Online Help. Open LSSHelp.html. The default help directory is C:\Program Files\WatchGuard\Help. Searching for topics You can search for topics in WatchGuard Online Help three ways: Contents The Contents tab displays a list of topics within the Help system. Double-click a book to expand a category.
  • Page 39: Copying The Help System To Additional Platforms

    Search feature does not support Boolean searches. Copying the Help system to additional platforms WatchGuard Online Help can be copied from the management station to additional workstations and platforms. When doing so, copy the entire Help directory from the WatchGuard installation directory on the management station.
  • Page 40: Product Documentation

    WatchGuard offers a variety of technical support services for your WatchGuard products. Several support programs, described throughout this section, are available through WatchGuard Technical Support. For a summary of the current technical support services offered by WatchGuard Technical Support, please refer to the WatchGuard Web site http://support.watchguard.com/aboutsupport.asp...
  • Page 41: Livesecurity® Gold Program

    Firebox, SOHO, and ServerLock enterprise systems Single Incident Priority Response Upgrade (SIPRU) and Single Incident After-hours Upgrade (SIAU) are available. For more information, please refer to the WatchGuard Web site at: http://support.watchguard.com/lssupport.asp
  • Page 42: Firebox Installation Services

    Firebox installation. You can schedule a dedicated two-hour time slot with one of our WatchGuard technicians to help you review your network and security policy, install the LiveSecurity software and Firebox hardware, and build a configuration in accordance with your company security policy.
  • Page 43 WatchGuard products. No matter where you are located or which products you own, we have a training solution for you.
  • Page 45: Chapter 3 Getting Started

    Getting Started CHAPTER 3 The WatchGuard Firebox System acts as a barrier between your networks and the public Internet, protecting them from security threats. This chapter explains how to install the WatchGuard Firebox System into your network. You must complete the following steps in the installation process: •...
  • Page 46: Gathering Network Information

    Chapter 3: Getting Started Before installing the WatchGuard Firebox System, check the package contents to make sure you have the following items: • WatchGuard Firebox security appliance • QuickStart Guide • User documentation • WatchGuard Firebox System CD-ROM • A serial cable (blue) •...
  • Page 47 Gathering Network Information Network addresses One good way to set up your network is to create two worksheets: the first worksheet represents your network now–before deploying the Firebox–and the second represents your network after the Firebox is deployed. Fill in the IP addresses in the worksheets below.
  • Page 48 In this example, the Internet router performs network address translation (NAT) for the internal network. The router has a public IP address of 208.15.15.1, and the private network has an address of 192.168.10.0/24. This network also has three public servers with the addresses 208.15.15.10, 208.15.15.15, and...
  • Page 49 The following figure shows the same example network with a Firebox deployed. The IP address of the Internet router in the previous figure becomes the IP address of the Firebox’s default gateway. This network uses drop-in configuration because the public servers will maintain their own IP addresses.
  • Page 50: Selecting A Firewall Configuration Mode

    192.168.10.1/24. This IP address then becomes the default gateway for devices on the local LAN. Selecting a Firewall Configuration Mode Before installing the WatchGuard Firebox System, you must decide how to incorporate the Firebox into your network. This decision determines how you will set up the three Firebox interfaces–external, trusted, and optional.
  • Page 51: Routed Configuration

    Trusted interface Connects to the private LAN or internal network that you want protected. Optional interface Connects to the DMZ (Demilitarized Zone) or mixed trust area of your network. Computers on the optional interface contain content you do not mind sharing with the rest of the world. Common applications housed on this interface are Web, email, and FTP servers.
  • Page 52: Drop-In Configuration

    VPNs. Drop-in configuration In a drop-in configuration, the Firebox is put in place with the same network address on all Firebox interfaces. All three Firebox interfaces must be configured. Because this configuration mode distributes the network’s logical...
  • Page 53 Firebox interfaces, you can “drop” the Firebox between the router and the LAN without reconfiguring any local machines. Public servers behind the Firebox use public addresses, and traffic is routed through the Firebox with no network address translation.
  • Page 54: Choosing A Firebox Configuration

    IP address, or you are not willing or able to reconfigure machines on your LAN. The following table summarizes the criteria for choosing a Firebox configuration. (For illustrative purposes, it is assumed that the drop-in IP address is a public address.)
  • Page 55: Adding Secondary Networks To Your Configuration

    Routed Configuration Criterion 1 All interfaces of the Firebox are on different networks. Minimum configured are external and trusted. Criterion 2 Trusted and optional interfaces must be on separate networks and must use IP addresses drawn from those networks. Both interfaces must be configured with an IP address on the same network, respectively.
  • Page 56 Firebox” when you are entering the IP addresses for the Firebox interfaces. The additional private network you specify becomes the secondary network on the trusted interface. For more information on the QuickSetup Wizard, see “Running the QuickSetup Wizard” on page 40.
  • Page 57: Dynamic Ip Support On The External Interface

    • After you have finished with the installation, you can add secondary networks to any interface using Policy Manager, as described in “Adding Secondary Networks” on page 64. Dynamic IP support on the external interface If you are supporting dynamic IP addressing, you must choose routed configuration.
  • Page 58: Setting Up The Management Station

    Click Download Latest Software on the Firebox System Installation screen. This launches your Web browser and connects you to the WatchGuard Web site. If you do not have an Internet connection, you can install directly from the CD-ROM. However, you will not be eligible for support until you activate the LiveSecurity Service.
  • Page 59: Software Encryption Levels

    Download the WatchGuard Firebox System software. Download time will vary depending on your connection speed. Make sure you write down the name and path of the file as you save it to your hard drive! Execute the file you downloaded and follow the screens to guide you through the installation.
  • Page 60: Cabling The Firebox

    Port (CONSOLE) to the management station COM port. • Use the red crossover cable to connect the Firebox trusted interface to the management station Ethernet port. • Plug the power cord into the Firebox power input and into a power source.
  • Page 62: Using Tcp/Ip

    Firebox System Area chapter in the Reference Guide. If the QuickSetup Wizard is not already launched, launch it from the Windows desktop by selecting Start => Programs => WatchGuard => QuickSetup Wizard.
  • Page 63 Enter the IP address of the default gateway, which is usually the IP address of your Internet router. This IP address must be on the same network as the Firebox external interface. If the IP address is not on the same network, the QuickSetup Wizard will warn you and ask whether you want to continue.
  • Page 64: Testing The Connection

    Firebox cannot communicate, and you will not be able to use the management station software to view the Firebox activity. You can remove the blue serial cable from the management station and Firebox after the QuickSetup Wizard is completed.
  • Page 65: Entering Ip Addresses

    Entering IP addresses You generally enter IP addresses into fields that resemble the one below. When typing IP addresses, type the digits and periods in sequence. Do not use the TAB key, arrow key, spacebar, or mouse to jump past the periods. For example, if you are typing the address 172.16.1.10, do not type a space after you type “16”...
  • Page 66: Deploying The Firebox Into Your Network

    All outgoing traffic is allowed. • All incoming traffic is blocked except ping on the external interface. • Logs are sent to the WatchGuard Security Event Processor on the management station. Complete the following steps to deploy the Firebox into your network: •...
  • Page 67: What To Expect From Livesecurity Service

    services, in addition to the basic ones described in the previous section, that expand what you allow in and out of your firewall. Every service brings trade-offs between network security and accessibility. When selecting services, balance the needs of your organization with the requirement that computer assets be protected from attack.
  • Page 69: Chapter 4 Firebox Basics

    • Setting a Firebox friendly name What is a Firebox? A WatchGuard Firebox is a specially designed and optimized security appliance. Three independent network interfaces allow you to separate your protected office network from the Internet while providing an optional public interface for hosting Web, email, or FTP servers.
  • Page 70 Other parts of the network are as follows: Management station The computer on which you install and run the WatchGuard Firebox System Manager software. WatchGuard Security Event Processor The computer that receives and stores log messages and sends alerts and notifications. You can configure the management station to also serve as the event processor.
  • Page 71: Opening A Configuration File

    “Using Policy Manager to Configure Your Network” for information on how to create a basic configuration from scratch. Select Start => Programs => WatchGuard => Firebox System Manager. If you are prompted to run the QuickSetup Wizard, click Continue.
  • Page 72: Opening A Configuration From The Firebox

    Firebox before returning a message indicating that the device is unreachable. Opening a configuration from a local hard disk Select File => Open => Configuration File. Locate and select the configuration file to open. Click Open.
  • Page 73: Saving A Configuration File

    From the New Firebox Configuration dialog box, select the model of Firebox you are connected to. The new configuration file contains defaults for the model of Firebox specified. Saving a Configuration File After making changes to a configuration file, you can either save it directly to the Firebox or to a local hard disk.
  • Page 74 Instead, you will need to reset the Firebox and then save a new or existing configuration file to it. If you are not making a backup, click Continue. If you are making a backup, in the Encryption Key field, ...
  • Page 75: Saving A Configuration To The Management Station's Local Drive

    You can also use the shortcut Ctrl+S. The Save dialog box appears. Enter the name of the file. The default is to save the file to the WatchGuard directory. Click Save. The configuration file is saved to the local hard disk.
  • Page 76: Setting The Firebox Model

    Although you choose the Firebox model when you start a new configuration file or open an existing one, you can change the Firebox model at any time: From the Setup menu, select Firebox Model. The New Firebox Configuration dialog box appears.
  • Page 77: Setting The Time Zone

    Select the model of the Firebox you are connecting to. The model of the Firebox entered appears at the bottom of the Policy Manager window. Setting the Time Zone The Firebox time zone determines the date and time stamp that appear on logs and that are displayed by services such as LogViewer, Historical Reports, and WebBlocker.
  • Page 79: Chapter 5 Using Policy Manager To Configure Your Network

    Using Policy CHAPTER 5 Manager to Configure Your Network Normally, you incorporate the Firebox into your network when you run the QuickSetup Wizard, as described in “Running the QuickSetup Wizard” on page 40. However, you can also create a basic configuration file from scratch using several functions in Policy Manager.
  • Page 80: Starting A New Configuration File

    IP addresses for the Firebox interfaces. If you specify an incorrect IP address, you may run into problems later. Setting IP Addresses of Firebox Interfaces The way you set the IP addresses for the Firebox interfaces depends on the configuration mode you have chosen.
  • Page 81: Setting Addresses In Drop-In Mode

    Setting addresses in drop-in mode If you are using drop-in mode, all interfaces use the same IP address: Select Network => Configuration. The Network Configuration dialog box appears, as shown in the following figure. Select the Configure interfaces in Drop-In mode checkbox, located at the bottom of the dialog box.
  • Page 82: Setting Addresses In Routed Mode

    Select Network => Configuration. The Network Configuration dialog box appears. Select either DHCP or PPPoE from the Configuration drop-down list. If you enabled PPPoE support, enter the PPP user name and password in the fields provided.
  • Page 83: Configuring Dhcp Or Pppoe Support

    Setting DHCP or PPPoE Support on the External Interface Configuring DHCP or PPPoE support If you enable DHCP or PPPoE on the external interface, you can set several optional properties: From the Network Configuration dialog box, click Properties. The Advanced dialog box appears, showing the DHCP or PPPoE tab, as shown in the following figures.
  • Page 84: Enabling Static Pppoe

    Configuring Drop-in Mode If you selected drop-in mode, you can set several optional properties: From the Network Configuration dialog box, click Properties. The Advanced dialog box appears, showing the Drop-In tab, as shown in the following figure.
  • Page 85: Defining External Ip Aliases

    Configure the properties in the dialog box. For a description of each control, right-click it and then select What’s This?. Defining External IP Aliases You use the Aliases button on the Network Configuration dialog box when you are using static NAT. For more infor- mation, see “Adding external IP addresses”...
  • Page 86: Adding Secondary Networks

    When typing IP addresses, type the digits and periods in sequence. Do not use the TAB or arrow key to jump past the periods. For more information on entering IP addresses, see “Entering IP addresses” on page 43.
  • Page 87: Entering Wins And Dns Server Addresses

    Check secondary network addresses carefully. Policy Manager does not verify that you have entered the correct address. WatchGuard strongly recommends that you do not enter a subnet on one interface that is part of a larger network on another interface.
  • Page 88: Configuring Out-Of-Band Management

    DHCP server. If you already have a DHCP server configured, you should continue to use that server for DHCP. From Policy Manager: Select Network => DHCP Server. The DHCP Server dialog box appears, as shown in the following figure.
  • Page 89: Adding A New Subnet

    Select the Enable DHCP Server checkbox. Enter the default lease time for the server. The default lease time is provided to clients that do not specifically request times. Enter the maximum lease time. The maximum lease time is the longest time the server will provide for a client.
  • Page 90: Modifying An Existing Subnet

    Firebox may return an IP address that does not work with certain devices or services. From Policy Manager: Select Network => DHCP Server. Click the subnet to remove it. Click Remove.
  • Page 91: Adding Basic Services To Policy Manager

    After you have set up IP addressing, add the following services to Policy Manager to give your Firebox some basic functionality. The WatchGuard service is particularly important. If you omit it from your configuration or misconfigure it, you will lock yourself out of the Firebox.
  • Page 92: Configuring Routes

    For more information on routing issues, see the following FAQ: http://support.watchguard.com/advancedfaqs/general_routers.asp The WatchGuard user’s forum is also a good source of routing information. Log in to your LiveSecurity account for more details. Defining a network route Define a network route if you have an entire network behind the router.
  • Page 93: Defining A Host Route

    The route data is written to the configuration file. Defining a host route Define a host route if there is only one host behind the router. Enter the IP address of that single, specific host, without slash notation. From Policy Manager: Select Network => Routes.
  • Page 94 Chapter 5: Using Policy Manager to Configure Your Network Click OK. The route data is written to the configuration file.
  • Page 95: Chapter 6 Managing And Monitoring The Firebox

    Starting System Manager and Connecting to a Firebox From the Windows Desktop: Select Start => Programs => WatchGuard => Firebox System Manager. If you have not yet configured your Firebox, click QuickSetup to start the QuickSetup Wizard, as...
  • Page 96: Viewing Basic Firebox Status

    “Entering IP addresses” on page 43. Enter the Firebox status (read-only) passphrase. Click OK. The Front Panel tab of the Firebox System Manager appears. Viewing Basic Firebox Status The System Manager initially displays the information shown in the following figure.
  • Page 97: Viewing Basic Indicators

    The top part of the display just below the title bar contains several buttons for performing basic operations and launching Firebox System applications: Open the main menu for System Manager. (This is also referred to as the Main Menu button.) Pause the display (appears only when connected to Firebox) Connect to Firebox (appears only when not con-...
  • Page 98: Firebox And Vpn Tunnel Status

    The following information is displayed under Firebox Status, as shown in the following figure: • Status of the High Availability option. When properly configured and operational, the IP address of the standby box appears. If High Availability is installed...
  • Page 99 but the secondary Firebox is not responding, the display indicates “Not Responding.” • The IP address of each Firebox interface, and the configuration mode of the External interface. • Status of the CA (root) certificate and the IPSec (client) certificate. If you expand the entries under Firebox Status, as shown in the following figure, you can view: •...
  • Page 100 (such as another Firebox, SOHO, or SOHO|tc), and the tunnel type (IPSec or DVCP). If the tunnel is DVCP, the IP address refers to the entire remote network address rather than that of the Firebox or equivalent IPSec device.
  • Page 101 • The amount of data sent and received on the tunnel in both bytes and packets. • The time at which the key expires and the tunnel is renegotiated. Expiration can be expressed as a time deadline or in bytes passed. DVCP tunnels that have been configured for both traffic and time deadline expiration thresholds display both;...
  • Page 102: Monitoring Firebox Traffic

    Firebox entry indicates that a Firebox is not communicating with either the WatchGuard Security Event Processor (WSEP) or management station. A red exclamation point next to a tunnel listing indicates a tunnel is down.
  • Page 103: Setting The Maximum Number Of Log Entries

    Setting the maximum number of log entries You can change the maximum number of log entries that are stored and viewable on the Traffic Monitor tab. After the maximum is reached, the earliest logs are removed as more come in. A high value in this field places a large demand on your system if you have a slow processor or a limited amount of RAM.
  • Page 104: Copying Messages To Another Application

    Destination IP => Trace Route. (When you issue this command, you are prompted to enter the configuration passphrase.) Performing Basic Tasks with System Manager The basic tasks you perform with System Manager are: • Running the QuickSetup Wizard
  • Page 105: Running The Quicksetup Wizard

    • Flushing the ARP cache • Connecting to a Firebox • Changing the interval at which the Firebox is queried for status information • Getting Help on the Web • Opening other Firebox System applications Running the QuickSetup Wizard Normally, you will run the QuickSetup Wizard when you first install your Firebox.
  • Page 106: Connecting To A Firebox

    Type or use the scroll control to change the polling rate. Click OK. Getting Help on the Web You can access additional information about the WatchGuard Firebox System from System Manager. Click the Main Menu button. Click On the Web. The menu has the following options:
  • Page 107: Launching Firebox Applications

    Home Page Select to bring up the WatchGuard home page at: http://www.watchguard.com LiveSecurity Service Logon Select to log in to the LiveSecurity Service. For more information on this service, see Chapter 2, “Service and Support.” Training and Certification Select to bring up the WatchGuard Training and Certificate page at: http://www.watchguard.com/training/...
  • Page 108 The WSEP automatically runs when you start the machine on which it is installed. Unlike other Firebox System applications, the WSEP button does not appear in System Manager. To open the WSEP, right-click the WatchGuard Security Event Processor icon
  • Page 109: Viewing Bandwidth Usage

    (shown above) in the Windows Desktop tray. Click WSEP Status/Configuration. For more information, see “Setting up the WatchGuard Security Event Processor” on page 207. If the WSEP icon is not displayed in the Windows desktop tray, click the Main Menu button. Select Tools => Logging =>...
  • Page 110: Viewing Number Of Connections By Service

    Viewing Details on Firebox Activity The Status Report tab on System Manager provides a number of statistics on Firebox activity. Whenever the Status Report display refreshes, the view reverts back to the top of the report.
  • Page 111: Network Configuration

    Firebox uptime and version information The time range on the statistics, the Firebox uptime, and the WatchGuard Firebox System software version. Current UTC time (GMT): Thu May 1 17:03:44 2003 +----- Time Statistics (in GMT) ---------------| Statistics from Thu Sep 20 17:03:02 2001 to Thu Sep 20 17:03:44 2001...
  • Page 112 Memory: total: used: free: shared: buffers: cached: Mem: 65032192 25477120 39555072 9383936 9703424 362905 Load average The number of jobs in the run queue averaged over 1, 5, and 15 minutes. The fourth number pair is the
  • Page 113 number of active processes per number of total processes running, and the last number is the next process ID number. Load Average: 0.04 0.06 0.09 2/21 6282 Processes The process ID, the name of the process, and the status of the process, as shown in the figure on the next page.
  • Page 114 2076 1248 307:29.75 ( 0) 0:00.03 ( 0) 1152 57:00.26 ( 0) 0:01.82 ( 0) 0:39.47 ( 0) 1112 0:02.21 ( 0) 0:00.10 ( 0) 0:00.05 ( 0) 0:00.72 ( 0) Bcast:127.255.255.255 MTU:3584 HWaddr 00:90:7F:1E:79:84 Bcast:192.168.49.255 MTU:1500
  • Page 115 RX packets:3254358 errors:0 dropped:0 overruns:0 frame:0 TX packets:1662288 errors:0 dropped:0 overruns:0 carrier:0 Collisions:193 Interrupt:11 Base address:0xf000 eth0:0 Link encap:Ethernet 00:90:7F:1E:79:84 inet addr:192.168.49.5 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST Metric:1 RX packets:3254358 errors:0 dropped:0 overruns:0 frame:0 TX packets:1662288 errors:0 dropped:0 overruns:0 carrier:0 Collisions:193 eth1 Link encap:Ethernet...
  • Page 116 Kernel IP routing table Destination Window Use Iface 207.54.9.16 58 eth0 207.54.9.48 19 eth1 198.148.32.0 129 eth1:0 127.0.0.0 9 lo default 95 eth0 Gateway Genmask 255.255.255.240 U 255.255.255.240 U 255.255.255.0 255.0.0.0 207.54.9.30 Flags MSS 1500 1500 1500 3584 1500...
  • Page 117: Authentication List

    207.23.8.30 eth0 For more information on the status report page, see the following FAQ: https://support.watchguard.com/advancedfaqs/log_statusall.asp Authentication list The Authentication List tab displays the host IP addresses and user names of everyone currently authenticated to the Firebox. If you are using DHCP, the IP address-to-user name mapping may change whenever machines restart.
  • Page 118: Blocked Site List

    If you opened the Firebox with the status (read-only) passphrase, System Manager prompts you to enter the configuration (read/write) passphrase before removing a site from the list.
  • Page 119: Hostwatch

    HostWatch HostWatch is a real-time display of active connections occurring on a Firebox. It can also graphically represent the connections listed in a log file, either playing back a previous file for review or displaying connections as they are logged into the current log file.
  • Page 120: Hostwatch Display

    From HostWatch: Select File => Connect. Or, on the Hostwatch toolbar, click the Connect icon (shown at right). Use the Firebox drop-down list to select a Firebox. You can also type the Firebox name or IP address.
  • Page 121: Replaying A Log File In Hostwatch

    From HostWatch: Select File => Open. Browse to locate and select the log file. By default, log files are stored in the WatchGuard installation directory at C:\Program Files\WatchGuard\logs with the extension .wgl. HostWatch loads the log file and begins to replay the activity.
  • Page 122: Modifying Hostwatch View Properties

    Use the Line Color tab to choose colors for lines drawn between denied, dynamic NAT, proxy, and normal connections. Use the Misc. tab to control the refresh rate of the real-time display and the maximum number of connections displayed.
  • Page 123: Chapter 7 Configuring Network Address Translation

    CHAPTER 7 Configuring Network Address Translation Network address translation (NAT) protects your network by hiding its internal structure. It also provides an effective way to conserve public IP addresses when the number of addresses is limited. At its most basic level, NAT translates the address of a packet from one value to another.
  • Page 124: Dynamic Nat

    IP addresses is not a concern, dynamic NAT provides extra security for internal hosts that use the Internet by allowing them to use non-routable addresses. The WatchGuard Firebox System implements two forms of outgoing dynamic NAT: Simple dynamic NAT...
  • Page 125: Using Simple Dynamic Nat

    Simple dynamic NAT provides a quick method to set a NAT policy for your entire network. For more information on this type of NAT, see the following FAQ: https://support.watchguard.com/advancedfaqs/ nat_howdynamicnat.asp Enabling simple dynamic NAT The default configuration of simple dynamic NAT enables it from all non-routable addresses to the external network.
  • Page 126: Adding Simple Dynamic Nat Entries

    Trusted network. For a definition of built-in Firebox aliases, see “Using Aliases” on page 162. For more information on how to add a user-defined host alias, see “Adding an alias” on page 163.
  • Page 127: Reordering Simple Dynamic Nat Entries

    Use the To drop-down list to select the destination of outgoing packets. To add either a host or network IP address, click the ... button. Use the drop-down list to select the address type. Enter the IP address or range. Network addresses must be entered in slash notation.
  • Page 128: Using Service-Based Dynamic Nat

    You can also use service-based NAT instead of simple dynamic NAT. Rather than applying NAT rules globally to all outgoing packets, you can start from the premise that no masquerading takes place and then selectively masquerade a few individual services.
  • Page 129: Enabling Service-Based Dynamic Nat

    Enabling service-based dynamic NAT Service-based NAT is not dependent on enabling simple dynamic NAT. From Policy Manager: Select Setup => NAT. Click Advanced. Select the checkbox marked Enable Service-Based NAT. Click OK to close the Advanced NAT Settings dialog box. Click OK to close the NAT Setup dialog box. Configuring service-based dynamic NAT By default, services take on whatever dynamic NAT properties you have set for simple NAT.
  • Page 130: Configuring A Service For Incoming Static Nat

    UDP, which use a specific port. A service containing any other protocol cannot use incoming static NAT, and the NAT button in the service’s Properties dialog box is disabled. Static NAT also cannot be used with the Any ser-
  • Page 131 See the following FAQ before configuring static NAT for a service: https://support.watchguard.com/advancedfaqs/nat_outin.asp Double-click the service icon in the Services Arena. The service’s Properties dialog box appears displaying the Incoming tab. Use the Incoming drop-down list to select Enabled and Allowed.
  • Page 132: Using 1-To-1 Nat

    For instance, the following policy: 210.199.6.0–192.168.69.0:255 (NAT base to real base range) means that all traffic addressed to hosts between 210.199.6.0 and 210.199.6.255 is forwarded to the corresponding IP address between 192.168.69.0 and 192.168.69.255.
  • Page 133 A one-to-one mapping exists between each NAT address and the forwarded (real) IP address: 210.199.6.0 becomes 192.168.69.0. From Policy Manager: Select Setup => NAT. The NAT Setup dialog box appears. Click Advanced. The Advanced NAT Settings dialog box appears. Click the 1-to-1 NAT Setup tab. Select the checkbox marked Enable 1-1 NAT.
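The mapping that policy describes, as an added Python illustration (not WatchGuard's own code). It assumes the trailing number is the highest offset covered by the range, so 210.199.6.0–192.168.69.0:255 covers the 256 addresses .0 through .255, applies the translation in both directions, and adds a check for policies whose NAT ranges overlap, since a packet could then match more than one mapping:

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added illustration of a 1-to-1 NAT policy, not WatchGuard's own code.
# Assumption: in "NATbase-REALbase:N", N is the highest offset covered, so
# "210.199.6.0-192.168.69.0:255" maps offsets 0..255 of both ranges.


@dataclass(frozen=True)
class OneToOneNat:
    nat_base: ipaddress.IPv4Address   # public (NAT) base address
    real_base: ipaddress.IPv4Address  # internal (real) base address
    last_offset: int                  # highest offset in the range

    @classmethod
    def from_policy(cls, policy: str) -> "OneToOneNat":
        """Parse 'NATbase-REALbase:N' (ASCII hyphen or en dash between the bases)."""
        m = re.fullmatch(r"\s*([\d.]+)\s*[-\u2013]\s*([\d.]+):(\d+)\s*", policy)
        if not m:
            raise ValueError(f"unrecognised 1-to-1 NAT policy: {policy!r}")
        nat_base = ipaddress.IPv4Address(m.group(1))
        real_base = ipaddress.IPv4Address(m.group(2))
        last_offset = int(m.group(3))
        # Both ranges must fit inside the IPv4 address space.
        top = int(ipaddress.IPv4Address("255.255.255.255"))
        for base in (nat_base, real_base):
            if int(base) + last_offset > top:
                raise ValueError("range runs past the end of the IPv4 address space")
        return cls(nat_base, real_base, last_offset)

    def _offset(self, addr: str, base: ipaddress.IPv4Address) -> Optional[int]:
        """Offset of addr from base, or None when addr lies outside the range."""
        off = int(ipaddress.IPv4Address(addr)) - int(base)
        return off if 0 <= off <= self.last_offset else None

    def to_real(self, public_dst: str) -> Optional[str]:
        """Incoming direction: a packet sent to a NAT address is forwarded to the real host."""
        off = self._offset(public_dst, self.nat_base)
        return None if off is None else str(self.real_base + off)

    def to_nat(self, real_src: str) -> Optional[str]:
        """Outgoing direction: a real host's source address becomes its NAT address."""
        off = self._offset(real_src, self.real_base)
        return None if off is None else str(self.nat_base + off)


def overlapping_policies(policies: List[OneToOneNat]) -> List[Tuple[OneToOneNat, OneToOneNat]]:
    """Return pairs of policies whose NAT ranges overlap, so a packet could match both."""
    pairs = []
    for i, a in enumerate(policies):
        for b in policies[i + 1:]:
            a_lo, a_hi = int(a.nat_base), int(a.nat_base) + a.last_offset
            b_lo, b_hi = int(b.nat_base), int(b.nat_base) + b.last_offset
            if a_lo <= b_hi and b_lo <= a_hi:
                pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    policy = OneToOneNat.from_policy("210.199.6.0\u2013192.168.69.0:255")
    print(policy.to_real("210.199.6.17"))   # inbound: 192.168.69.17
    print(policy.to_nat("192.168.69.200"))  # outbound: 210.199.6.200
    print(policy.to_real("210.199.7.0"))    # outside the range: None
```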
  • Page 134: Proxies And Nat

    Click OK to close the NAT Setup dialog box. Proxies and NAT This table identifies each proxy and what types of NAT it supports (table rows: HTTP, SMTP, DCE-RPC, H323, RTSP, RealNetworks; table columns: Simple dynamic, Service-based, Static, 1-to-1)...
  • Page 135: Chapter 8 Configuring Filtered Services

    Chapter 3, “Types of Services,” in the Reference Guide. For information specifically on proxied services, see Chapter 9, “Configuring Proxied Services,” in this manual. See also the Services FAQ on the WatchGuard Web site:
  • Page 136: Selecting Services For Your Security Policy Objectives

    https://support.watchguard.com/advancedfaqs/svc_main.asp Selecting Services for your Security Policy Objectives The WatchGuard Firebox System, like most commercial firewalls, discards all packets that are not explicitly allowed, often stated as “that which is not explicitly allowed is denied.”...
  • Page 137: Outgoing Service Guidelines

    • Services that send passwords in the clear (FTP, telnet, POP) are very risky. • Services with built-in strong authentication (such as ssh) are reasonably safe. If the service does not have built-in authentication, you can mitigate the risk by using user authentication with that service.
  • Page 138: Adding And Configuring Services

    Normal View of the Services Arena To display the detailed view of the Services Arena, select the Details icon (shown at right) at the far
  • Page 139: Configurable Parameters For Services

    right of the toolbar. The detailed view appears, as shown in the following figure. Detailed View of the Services Arena To return to the normal view of the Services Arena, select the Large Icons button (shown at right). Configurable parameters for services Several service parameters can be configured: Sources and Destinations You use separate controls for configuring incoming...
  • Page 140 When you click a service, the service icon appears in the area below the New, Edit, and Remove buttons. Also, the Details box displays basic information about the service. Click Add. The Add Service dialog box appears, as shown in the following figure.
  • Page 141 (Optional) You can customize both the name and the comments that appear when the service is being configured. Click in the Name or Comment box and type the name or comment you want. Click OK. The service’s Properties dialog box appears. For information on configuring service properties, see “Defining Service Properties”...
  • Page 142: Creating A New Service

    From Policy Manager: On the Policy Manager toolbar, click the Add Services icon (shown at right). The Services dialog box appears. Click New. The New Service dialog box appears, as shown in the following figure.
  • Page 143 In the Name text box, type the name of the service. This name must be unique and not already listed in the Services dialog box. In the Description text box, type a description of the service. This description appears in the Details section of the New Services dialog box when you select the service.
  • Page 144 Verify that the name, description, and configuration of this service are correct. If necessary, click Add to configure an additional port for this service. Repeat the process until all ports for the service are configured.
  • Page 145: Deleting A Service

    11 Click OK. The Services dialog box appears with the new service displayed under the User Filters folder. You can now add the custom service to the Services Arena just as you would an existing service. 12 In the Services dialog box, expand the User Filter folder, and then click the name of the service.
  • Page 146: Defining Service Properties

    HTTP. Enabled and Denied No traffic is allowed through this service, and packets for this service will be blocked. The service logs the attempts to connect to it.
  • Page 147: Accessing A Service's Properties Dialog Box

    Enabled and Allowed Traffic is allowed through this service in the selected direction according to the From and To properties. Accessing a service’s Properties dialog box When you add a service, the service’s Properties dialog box automatically appears. You can bring up an existing service’s Properties dialog box either by double-clicking the service icon in the Services Arena or by selecting the services icon and clicking the Edit...
  • Page 148: Adding Addresses Or Users To Service Properties

    From the Choose Type drop-down list, click the type of address, range, host name, or user you want to add. In the Value text box, type the actual address, range, or name. Click OK. The member or address appears in the Selected Members and Addresses list.
  • Page 149: Working With Wg_Icons

    Service icons beginning with “wg_” are created automatically when you enable features such as PPTP and authentication. Because the wg_ service icons rarely require modification, WatchGuard recommends leaving wg_ icons in their default settings. The following wg_ services are available: wg_authentication Added when you enable authentication.
  • Page 150: Customizing Logging And Notification

    Customizing logging and notification The WatchGuard Firebox System allows you to create custom logging and notification properties for each filtered service, proxied service, and blocking option. This level of flexibility allows you to fine-tune your security policies, logging only those events that require your attention and limiting notification to truly high-priority events.
  • Page 151 Send notification When you select this checkbox, a notification is sent every time packets are denied. You set notification criteria using the WatchGuard Security Event Processor (WSEP). For more information, see “Customizing Logging and Notification by Service or Option” on page 215.
  • Page 152: Service Precedence

    (described previously) independent of the other subservices contained in the multiservice. Precedence is determined by group first. As shown in the following diagram, services from a higher precedence
  • Page 153 group always have higher precedence than the services of a lower precedence group, regardless of their individual settings. For example, because the “Any” service is in the highest precedence group, all incidences of the “Any” service will take precedence over the highest precedence Telnet service.
  • Page 154 For example, if one Telnet icon allows from A to B, a Telnet attempt from A to C will be blocked without considering any services further down the precedence chain, including outgoing services.
  • Page 155 For more information on outgoing services, see the following FAQ: https://support.watchguard.com/advancedfaqs/svc_outgoing.asp
  • Page 157: Chapter 9 Configuring Proxied Services

    CHAPTER 9 Configuring Proxied Services Proxy filtering goes a step beyond packet filtering by examining a packet’s content, not just the packet’s header. Consequently, the proxy determines whether a forbidden content type is hidden or embedded in the data payload. For example, an email proxy examines all SMTP packets to determine whether they contain forbidden content types, such as executable programs or items written in scripting languages.
  • Page 158: Protocol Anomaly Detection

    You can specify the rules that determine whether a packet is malformed, such as “non-allowed query type” or “question length too long for DNS request.” Protocol anomaly detection is supported by the SMTP, FTP, and DNS proxies.
  • Page 159: Customizing Logging And Notification For Proxies

    Customizing Logging and Notification for Proxies For more information on logging and notification and the various fields on the Logging and Notification dialog box, see “Customizing logging and notification” on page 128. From the Properties dialog box: Click the Incoming tab. Click Logging.
  • Page 160: Configuring The Incoming Smtp Proxy

    (For information on how to add a service, see the previous chapter.) From the Services Arena: Double-click the SMTP Proxy icon to open the SMTP Properties dialog box. Click the Properties tab. EXPN HELP RSET ONEX NOOP QSND CHUNKING EHLO ETRN SIZE
  • Page 161 Click Incoming. The Incoming SMTP Proxy dialog box appears, displaying the General tab. Modify properties on the General tab according to your preferences. For a description of each control, right-click it, and then select What’s This?. You can also refer to the “Field Definitions” chapter in the Reference Guide.
  • Page 162 From the Incoming SMTP Proxy Properties dialog box: Click the Content Types tab. Specify whether you want to block certain file-name patterns in email attachments by selecting the checkbox marked Allow only safe content types and block file patterns.
  • Page 163 If you want to specify content types to allow, click the upper Add button in the dialog box. The Select MIME Type dialog box appears as shown in the following figure. Select a MIME type. Click OK.
  • Page 164 A default message is provided. Use the variable %t to add the content type to the message. Use the variable %f to add the file name pattern to the message.
  • Page 165 Adding address patterns Adding address patterns can be useful for reducing spam content. From the Incoming SMTP Proxy Properties dialog box: Click the Address Patterns tab. Use the Category drop-down list to select a category. Type the address pattern in the text box to the left of the Add button.
  • Page 166 Specifying logging for the SMTP proxy Click the Logging tab to specify whether to log the following: • Unknown headers that are filtered by the proxy. • Unknown ESMTP extensions that are filtered by the proxy. • Accounting and auditing information.
  • Page 167: Enabling Protocol Anomaly Detection For Smtp

    Enabling protocol anomaly detection for SMTP For a description of protocol anomaly detection, see “Protocol Anomaly Detection” on page 136. From the SMTP Properties dialog box, click the Properties tab. The SMTP Properties dialog box appears, as shown in the following figure.
  • Page 168 Content Types tab (“Allowing safe content types” on page 140). By default, none of these extension types trigger protocol anomaly detection. If you want to enable protocol anomaly detection for these extensions, select the corresponding checkbox.
  • Page 169: Configuring The Outgoing Smtp Proxy

    Configuring the Outgoing SMTP Proxy Use the Outgoing SMTP Proxy dialog box to set the parameters for traffic going from the trusted and optional networks to the world. You must already have an SMTP Proxy service icon in the Services Arena to use this functionality.
  • Page 170 IDs in the Message-ID and Resent-Message-ID header fields are converted to a new ID composed of an encoded version of the original ID, a time stamp, and the host name entered in the domain name field described in step 2.
  • Page 171: Configuring An Ftp Proxy Service

    For detailed information about the FTP proxy, see the following FAQ: https://support.watchguard.com/advancedfaqs/proxy_ftp.asp For troubleshooting information for the FTP proxy, see the following FAQ: https://support.watchguard.com/advancedfaqs/proxy_ftptrouble.asp...
  • Page 172: Enabling Protocol Anomaly Detection For Ftp

    Select the Enable auto-blocking of sites using protocol anomaly detection checkbox. To set rules for anomaly detection, click the Auto-blocking Rules button. The PAD Rules for FTP Proxy dialog box appears, as shown in the following figure.
  • Page 173: Selecting An Http Service

    Outgoing traffic is generally less restrictive. For example, many companies open outgoing HTTP traffic from Any to Any. WatchGuard Firebox System offers three different types of HTTP services. Choose the HTTP service that best meets your needs: •...
  • Page 174: Adding A Proxy Service For Http

    Proxied-HTTP, except that it controls both incoming and outgoing access only on port 80. The WatchGuard service called “HTTP” is not to be confused with an HTTP caching proxy. An HTTP caching proxy refers to a separate machine that performs caching of Web data.
  • Page 175 What’s This?. Or, refer to the Field Definitions chapter in the Reference Guide. For detailed information about the HTTP proxy, see the online support resources at http://support.watchguard.com. Restricting content types for the HTTP proxy You can configure the HTTP proxy to allow only those MIME types you decide are acceptable security risks.
  • Page 176: Configuring A Caching Proxy Server

    Instead of a GET request from the Firebox to the Internet looking like this: GET / HTTP/1.1 It ends up looking like this, and the request is sent to the configured caching proxy server instead:
  • Page 177: Configuring The Dns Proxy Service

    TCP port of the caching proxy server. Click OK. Save this configuration to the Firebox. Configuring the DNS Proxy Service Internet domain names (such as WatchGuard.com) are located and translated into IP addresses by the domain name system (DNS). DNS lets users navigate the Internet with easy-to-remember “dot-com”...
  • Page 178: Adding The Dns Proxy Service

    DNS attacks, which in turn lets you see how often and from where you were attacked. On the toolbar, click the Add Services icon. Expand the Proxies folder. A list of pre-configured proxies appears.
  • Page 179: Enabling Protocol Anomaly Detection For Dns

    Click DNS-Proxy. Click Add. The Add Service dialog box appears. You can change the name assigned to the DNS proxy or change the comment associated with the proxy. Click OK to close the Add Service dialog box. The DNS-Proxy Properties dialog box appears. Click the Incoming tab.
  • Page 180: Dns File Descriptor Limit

    The file descriptor limit is rarely a problem, but an occasional site may experience slow name resolution and many instances of the following log message: dns-proxy[xx] dns_setup_connect_udp: Unable to create UDP socket for port: Invalid argument
  • Page 181 You can work around this problem in two ways (the first method is the most secure): • Avoid using dynamic NAT between your clients and your DNS server. • Disable the outgoing portion of the DNS proxied service and replace it with a filtered DNS service.
  • Page 183: Chapter 10 Creating Aliases And Implementing Authentication

    CHAPTER 10 Creating Aliases and Implementing Authentication Aliases are shortcuts used to identify groups of hosts, networks, or users. The use of aliases simplifies service configuration. User authentication allows the tracking of connections based on name rather than IP address. With authentication, it does not matter which IP address is used or from which machine a person chooses to work.
  • Page 184: Using Aliases

    Use aliases to quickly build service filter rules. Aliases cannot, however, be used to configure the network itself. WatchGuard automatically adds six aliases to the basic configuration:
  • Page 185: Adding An Alias

    Group: firebox, trusted, optional, external, dvcp_nets, dvcp_local_nets. A host alias takes precedence over a Windows NT or RADIUS group with the same name. Adding an alias From Policy Manager: Select Setup => Aliases. The Aliases dialog box appears, as shown in the following figure. Click Add.
  • Page 186 To remove an alias, select it, click Remove, and then remove the alias from the Properties box of any services configured to use the alias. For more information, see “Defining Service Properties” on page 124.
  • Page 187: How User Authentication Works

    How User Authentication Works A specialized HTTP server runs on the Firebox. To authenticate, clients must connect to the authentication server using a Java-enabled Web browser pointed to: http://IP address of any Firebox interface:4100/ A Java applet loads a prompt for a username and password that it then passes to the authentication server using a challenge-response protocol.
  • Page 188: Authentication Server Types

    Click Add Under and add the IP addresses of the remote users you are allowing to authenticate externally. Authentication Server Types The WatchGuard Firebox System can authenticate users against any of five authentication server types: • A built-in authentication server on the Firebox •...
  • Page 189: Defining Firebox Users And Groups For Authentication

    Defining Firebox Users and Groups for Authentication In the Authentication Enabled Via box, select the authentication server you want to use. In Logon Time-out, select how many seconds are allowed for an attempted logon before the time-out shuts down the connection. In Session Time-out, set how many hours a session can remain open before the time-out shuts down the connection.
  • Page 190 You can define only a limited number of Firebox users. If you have more than approximately 100 users to authenticate, WatchGuard recommends that you use a third-party authentication server. WatchGuard automatically adds two groups–intended for remote users–to the basic configuration file: ipsec_users Add the names of authorized users of MUVPN.
  • Page 191 To add a new group, click the Add button beneath the Groups list. The Add Firebox Group dialog box appears. Type the name of the group. Click OK. To add a new user, click the Add button beneath the Users list.
  • Page 192: Configuring Windows Nt Server Authentication

    Windows NT groups Administrators and Replicators will not authenticate using this feature. From Policy Manager: Select Setup => Authentication Servers. The Authentication Servers dialog box appears. Click the NT Server tab. The information appears as shown in the following figure.
  • Page 193: Configuring Radius Server Authentication

    To identify the host, enter both the host name and the IP address of the Windows NT network. If you don’t know the IP address of the host, click Find IP. The IP address is automatically entered. When typing IP addresses, type the digits and periods in sequence.
  • Page 194 Although WatchGuard supports both CHAP and PAP authentication, CHAP is considered more secure. From Policy Manager: Select Setup => Authentication Servers. The Authentication Servers dialog box appears. Click the RADIUS Server tab. The RADIUS information appears, as shown in the following figure.
  • Page 195: Configuring Cryptocard Server Authentication

    Card challenge response system which includes off-line hashing of passwords. It enables you to authenticate individuals independent of the hosts they are on. Configuring WatchGuard CRYPTOCard server authentication assumes that you have acquired and installed a CRYPTOCard server according to the manufacturer’s instructions, and that the server is accessible for authentications to the Firebox.
  • Page 196 CRYPTOCard server. This key is case-sensitive and must be identical on the Firebox and the CRYPTOCard server for CRYPTOCard authentication to work. Click OK. Gather the IP address of the Firebox and the user or group aliases to be authenticated by way of
  • Page 197: Configuring Securid Authentication

    SecurID token and PIN number. Please see the relevant documentation for these products. WatchGuard does not support the third-party program Steel Belted RADIUS for use with SecurID. You should use the RADIUS program bundled with the RSA SecurID software.
  • Page 198 If you are using a backup server, select the Specify backup SecurID server checkbox. Enter the IP address and port number for the backup server. Click OK. To set up the RADIUS server, see “To configure the RADIUS server” on page 173.
  • Page 199: Chapter 11 Intrusion Detection And Prevention

    CHAPTER 11 Intrusion Detection and Prevention The WatchGuard Firebox System can protect your network from many types of attacks. In addition to the protection provided through filtered and proxied services, the Firebox also gives you the following tools to stop attacks that services are not designed to defeat.
  • Page 200: Chapter 11 Intrusion Detection And Prevention

    Chapter 11: Intrusion Detection and Prevention Default Packet Handling The WatchGuard Firebox System provides default packet handling options to automatically block hosts that originate probes and attacks. Logging options help you identify sites that exhibit suspicious behavior such as spoofing. You can use the information gathered to manually and permanently block an offending site.
  • Page 201 tion. In conjunction with the false identity, the attacker may route the packet so that it appears to originate from a host that the targeted system trusts. If the destination system performs session authentication based on a connection’s IP address, the destination system may allow the packet with the spoofed address through your firewall.
  • Page 202: Blocking Port Space And Address Space Attacks

    Internet Protocol that are usually used for debugging or for special applications. For example, if you allow IP options, the attacker can use the options to specify a route that helps him or her gain access to your...
  • Page 203: Stopping Syn Flood Attacks

    ACK. When the backlog fills up, the server will be unavailable to users. The WatchGuard Firebox System can help defend your servers against a SYN Flood attack by tracking the number of SYNs that are sent without a following ACK. If this...
  • Page 204: Changing Syn Flood Settings

    SYN Validation: deactivated will be recorded. If these messages occur frequently when your server is not under attack, the Maximum Incomplete Connections setting may be too low. If the SYN Flood protection feature is not preventing attacks from...
  • Page 205: Detecting Man-In-The-Middle Attacks

    affecting your server, the setting may be too high. Consult your server’s documentation for help choosing a new value, or experiment by adjusting the setting until the problems disappear. The validation timeout controls how long the Firebox “remembers” clients that pass the validation test. The default setting of 120 seconds means that a client that drops a legitimate connection has a two-minute window to reconnect without being challenged.
  • Page 206: Blocking Sites

    A blocked site is an IP address outside the Firebox that is prevented from connecting to hosts behind the Firebox. If any packet comes from a host that is blocked, it does not get past the Firebox. There are two kinds of blocked sites:
  • Page 207: Blocking A Site Permanently

    • Permanently blocked sites–which are listed in the configuration file and change only if you manually change them.
    • Auto-blocked sites–which are sites the Firebox adds or deletes dynamically based on default packet handling rules and service-by-service rules for denied packets.
  • Page 208 Do not use the TAB or arrow key to jump past the periods. For more information on entering IP addresses, see “Entering IP addresses” on page 43. Click OK. The Blocked Sites dialog box appears displaying the new site in the Blocked Sites list.
  • Page 209: Creating Exceptions To The Blocked Sites List

    Using an external list of blocked sites You can create a list of blocked sites in an external file. This file must be a .txt file. To load an external file into your blocked sites list: In the Blocked Sites dialog box, click Import. Browse to locate the file.
  • Page 210: Logging And Notification For Blocked Sites

    1024. These connections can be attacked by appearing to be an allowed connection in the opposite direction. You can prevent this type of attack by blocking the port numbers of services whose port numbers are under 1024.
  • Page 211 By default, the Firebox blocks several destination ports. This measure provides convenient defaults which do not normally require changing. Typically, the following services should be blocked: X Window System (ports 6000-6063) The X Window System (or X-Windows) has several distinct security problems that make it a liability on the Internet.
  • Page 212 213. NetBIOS services (ports 137 through 139) You should block these ports if you use NetBIOS internally. Although such services are blocked implicitly by default packet handling, blocking them here provides additional security.
  • Page 213: Avoiding Problems With Legitimate Users

    Avoiding problems with legitimate users It is possible for legitimate users to have problems because of blocked ports. In particular, some clients might temporarily fail because of blocked ports. You should be very careful about blocking port numbers between 1000 and 1999, as these numbers are particularly likely to be used as client ports.
  • Page 214: Auto-Blocking Sites That Try To Use Blocked Ports

    Notification by Service or Option” on page 215. Blocking Sites Temporarily with Service Settings Use service properties to automatically and temporarily block sites when incoming traffic attempts to use a denied service. You can use this feature to individually log, block,...
  • Page 215: Configuring A Service To Temporarily Block Sites

    and monitor sites that attempt access to restricted ports on your network. Configuring a service to temporarily block sites Configure the service to automatically block sites that attempt to connect using a denied service. From Policy Manager: Double-click the service icon in the Services Arena. The Properties dialog box appears.
  • Page 216 Chapter 11: Intrusion Detection and Prevention The WatchGuard Firebox System default packet handling options provide a basic intrusion detection system by blocking common and readily recognizable attacks such as IP address spoofing and linear port space probes. The intrusion detection capabilities of the Firebox, however, are necessarily limited.
  • Page 217: Using The Fbidsmate Command-Line Utility

    Using the fbidsmate command-line utility The fbidsmate utility works from the command line. Although you can execute the commands directly against the Firebox, the tool is used most frequently in the context of an IDS application script. The command syntax is: fbidsmate rwpassphrase_file [add_log_message...
  • Page 218 Because you are running your IDS application outside the firewall perimeter, you decide to encrypt the configuration passphrase used in your IDS scripts. Note that even with encryption, you should lock down the IDS host as tightly as...
  • Page 219 possible. First, you must import the passphrase “secure1” to an encrypted file on the IDS host:
    fbidsmate import_passphrase secure1 /etc/fbidsmate.passphrase
    Then you could rewrite the previous examples as:
    fbidsmate 10.0.0.1 -f /etc/fbidsmate.passphrase add_hostile 209.54.94.99
    fbidsmate 10.0.0.1 -f /etc/fbidsmate.passphrase add_log_message 3 "IDS system temp.
  • Page 220 Chapter 11: Intrusion Detection and Prevention
  • Page 221: Chapter 12 Setting Up Logging And Notification

    Guard Security Event Processor (WSEP), a call to a pager, or the execution of a custom program. For example, WatchGuard recommends that you configure default packet handling to issue a notification when the Firebox detects a port space probe. When the...
  • Page 222: Developing Logging And Notification Policies

    Developing these policies simplifies the setup of individual services in the WatchGuard Firebox System. If you have fully mapped out a policy, you can more easily delegate configuration duties and ensure that individual efforts do not contradict the overall security stance or logging and notification policies.
  • Page 223: Notification Policy

    WatchGuard provides the option to log allowed events primarily for diagnostic purposes when setting up or troubleshooting an installation. Or, you might have a situation...
  • Page 224: Failover Logging

    Failover Logging WatchGuard uses failover logging to minimize the possibility of missing log events. With failover logging, you configure a list of log hosts to accept logs in the event of a failure of the primary log host.
  • Page 225: Watchguard Logging Architecture

    Guard Security Event Processor” on page 207. WatchGuard Logging Architecture By default, Policy Manager and the log and notification application–the WatchGuard Security Event Processor– are installed on the same computer. You can, however, install the event processor software on multiple computers.
  • Page 226: Adding A Log Host

    Firebox and the log host. The default encryption key is the status passphrase set in the QuickSetup Wizard. You must use the same log encryption key for both the Firebox and the WatchGuard Security Event Processor.
  • Page 227: Enabling Syslog Logging

    Click OK. Repeat until all primary and backup log hosts appear in the WatchGuard Security Event Processors list. Enabling Syslog logging Note that Syslog logging is not encrypted; therefore, do not set the Syslog server to a host on the external interface.
  • Page 228: Removing A Log Host

    Type in the new log encryption key. Click OK. You must use the same log encryption key for both the Firebox and the WatchGuard Security Event Processor. To change the log encryption key on the WSEP application, see “Setting the log encryption key”...
  • Page 229: Setting Up The Watchguard Security Event Processor

    Firebox time to that of the primary log host. Therefore, you should set all log hosts’ clocks to a single source. In a local installation where all log hosts are on the same domain, set each log host to the common domain controller.
  • Page 230 By default, the WSEP application is installed to run as a Windows service, starting automatically every time the host computer restarts. To start the WatchGuard Security Event Processor service: - In Windows NT, go to Start => Settings => Control Panel =>...
  • Page 231 If the WSEP application was running, restart it after saving the changes. As a service, using the Command Prompt If the WSEP application was not installed by the WatchGuard Firebox System installation wizard, this must be done from the Command Prompt DOS window.
  • Page 232: Viewing The Wsep Application

    WSEP Status/Configuration. The status and configuration information appears as shown in the following figure. If the WatchGuard Security Event Processor icon is not in the tray, in Firebox System Manager, select Tools => Logging => Event Processor Interface. To start the Event Processor interface when you log in to the system, add a shortcut to the Startup folder in the Start menu.
  • Page 233: Setting The Log Encryption Key

    You must enter an encryption key for the log host to receive logs from the Firebox. It must be the same key used when adding a WSEP application to the management station. From the WatchGuard Security Event Processor user interface: Select File => Set Log Encryption Key.
  • Page 234: Log File Size And Rollover Frequency

    When considering your ideal maximum log file, consider how often you plan to issue reports of the Firebox activity. WatchGuard Historical Reports uses a log file as its source to build reports. If you issue weekly reports to management, you would want a log file large enough to hold a typical eight or nine days’...
  • Page 235: Scheduling Log Reports

    over by time interval, number of entries, or both. From the WatchGuard Security Event Processor interface: Click the Log Files tab. The Log Files tab information appears, as shown in the following figure. For a time interval, select the Roll Log Files By Time Interval checkbox.
  • Page 236: Controlling Notification

    Firebox has detected a triggering event. Use the WSEP application to control when and to whom such notifications are sent. From the WatchGuard Security Event Processor interface: Click the Notification tab.
  • Page 237: Customizing Logging And Notification By Service Or Option

    Customizing Logging and Notification by Service or Option The WatchGuard Firebox System allows you to create custom logging and notification properties for each service and blocking option. You can fine-tune your security policy, logging only those events that require your attention and limiting notification to those of truly high priority.
  • Page 238 A custom batch file or program enables you to trigger multiple types of notification. Type the full path to the program in the accompanying field, or use Browse to locate and select the program. WatchGuard allows only one notification type per event.
  • Page 239: Setting Launch Interval And Repeat Count

    Setting Launch Interval and Repeat Count Two parameters work in conjunction with the Event Processor Repeat Interval to control notification timing: Launch Interval The minimum time (in minutes) between separate launches of a notifier. Set this parameter to prevent the launch of several notifiers in response to similar events that take place in a short amount of time.
  • Page 240: Setting Logging And Notification For A Service

    When this option is selected, you can control logging and notification properties for the following default packet-handling options:
    • Spoofing attacks
    • IP options
    • Port probes
    • Address space probes
    • Incoming packets not handled
    • Outgoing packets not handled
  • Page 241: Setting Logging And Notification For Blocked Sites And Ports

    From Policy Manager: Select Setup => Intrusion Protection => Default Packet Handling. The Default Packet Handling dialog box appears. Click Logging. Modify logging and notification properties according to your security policy preferences. Click OK. Setting logging and notification for blocked sites and ports You can control logging and notification properties for...
  • Page 242 Chapter 12: Setting Up Logging and Notification
  • Page 243 The WatchGuard Security Event Processor (WSEP) controls logging, report schedules, and notification. It also provides timekeeping services for the Firebox. For...
  • Page 244: Reviewing And Working With Log Files 221

    Log entries are stored on the primary and backup WatchGuard Security Event Processor (WSEP). By default, log files are placed in the WatchGuard installation directory in a subdirectory called \logs . The log file to which the WSEP is currently writing records can be named in two ways.
  • Page 245: Setting Logviewer Preferences

    Browse to select a log file. Click Open. By default, logs are stored in a subdirectory of the WatchGuard installation directory called \logs. LogViewer opens and displays the selected log file. Setting LogViewer preferences You can adjust the content and format of the display. From LogViewer: Select View =>...
  • Page 246: Copying And Exporting Logviewer Data

    LogViewer filter window, prior to exporting them. Within the filter window (shown on top of the LogViewer window in the figure on the next page) you can perform the same search functions as described in “Searching for specific entries” on page 223.
  • Page 247: Displaying And Hiding Fields

    The following figure shows an example of the type of display you normally see in LogViewer. Log entries sent to the WatchGuard log state the time stamp, host name, process name, and the process ID before the log summary. Use the Preferences dialog box to show or hide columns displayed in LogViewer.
  • Page 248 Firebox. Because some installations contain Fireboxes in multiple time zones with a single log host, the Firebox uses Greenwich Mean Time received from the log host by way of the logging channel (controld). The local time for the log files is...
  • Page 249 then computed on the log host based on the Firebox’s time zone setting. To change the Firebox time zone, see “Setting the Time Zone” on page 55. The rest of the columns vary according to the type of event displayed. The events of most frequency and interest, however, are packet events, which display data as shown below: deny in eth0 339 udp 20 128 192.168.49.40...
  • Page 250: Working With Log Files

    IP fragmentation, TCP flag bits, IP options, and source file and line number when in trace mode. If WatchGuard logging is in debug or verbose mode, additional information is reported. In addition, the type of connection may be displayed in parentheses.
  • Page 251: Consolidating Logs From Multiple Locations

    WSEP utilities to work with active log files. Unlike other Firebox System utilities, you cannot access the WatchGuard Security Event Processor user interface from Firebox System Manager. To open the WSEP Status/Configuration user interface: •...
  • Page 252: Forcing The Rollover Of Log Files

    Saving log files to a new location Although log files are, by default, stored in a subdirectory of the WatchGuard installation directory called /logs , you can change this destination by using a text editor to edit the controld.wgc file.
  • Page 253: Setting Log Encryption Keys

    The log connection (but not the log file) between the Firebox and an event processor is encrypted for security purposes. Both the management station and the WatchGuard Security Event Processor must have the same encryption key. From the WSEP Status/Configuration user interface: Select File =>...
  • Page 254 You can also select Edit => Add Service. The Services dialog box appears. Expand Packet Filters. Select WatchGuard-Logging. Click Add. Click OK. On the Incoming tab, select Enabled and Allowed. Under the To list, click Add. Click NAT. Enter the external IP address of the main office Firebox in the External IP Address box.
  • Page 255 appear until the remote office Firebox has been properly configured.
  • Page 256 Chapter 13: Reviewing and Working with Log Files
  • Page 257: Chapter 14 Generating Reports Of Network Activity

    Firebox log activity. It generates these reports using the log files created by and stored on the WatchGuard Security Event Processor (WSEP). You can customize reports to include exactly the information you need in a form that is most useful to you.
  • Page 258: Creating And Editing Reports

    Manager, click the Historical Reports icon (shown at right). You can also start Historical Reports from the installation directory. The file name is WGReports.exe . Starting a new report From Historical Reports: Click Add. The Report Properties dialog box appears.
  • Page 259 Enter the report name. The report name will appear in Historical Reports, the WatchGuard Security Event Processor, and the title of the output. Use the Log Directory text box to define the location of log files. The default location for log files is the \logs subdirectory of the WatchGuard installation directory.
  • Page 260: Editing An Existing Report

    From the Report Properties dialog box, click the Time Filters tab. Select the time stamp option that will appear on your report: Local Time or GMT.
  • Page 261: Specifying Report Sections

    From the Time Span drop-down list, select the time you want the report to cover. If you chose anything but Specify Time Filters, click OK. If you chose Specify Time Filters, click the Start and End drop-down lists and select a start time and end time, respectively. Click OK.
  • Page 262: Setting Report Properties

    Enter the number of records to display per page for the detailed sections. The default is 1,000 records. A larger number than this might crash the browser or cause the file to take a long time to load. Click OK.
  • Page 263: Exporting Reports

    Reports can be exported to three formats: HTML, WebTrends, and text. All reports are stored in the path drive:\WatchGuard Install Directory\Reports . Under the Reports directory are subdirectories that include the name and time of the report. Each report is filed in one of these subdirectories.
  • Page 264: Exporting A Report To Webtrends For Firewalls And Vpns

    URL requests. These numbers vary because multiple URL requests may go over the same Port 80 connection. WatchGuard HTTP proxy logging must be turned on to supply WebTrends the logging information required for its reports. When you select WebTrends Export from the Setup tab on the Reports Properties dialog box, the report output is created as a WebTrends Enhanced Log Format (WELF) file.
  • Page 265: Exporting A Report To A Text File

    :\WatchGuard Install Directory\Reports Exporting a report to a text file When you select Text Export from the Setup tab on the Report Properties dialog box, the report output is created as a comma-delimited format file, which you can then use in other programs such as databases and spreadsheets.
  • Page 266: Creating A New Report Filter

    Filter a report based on authenticated username. Creating a new report filter Use Historical Reports to create a new report filter. Filters are stored in the WatchGuard installation directory, in the subdirectory report-defs with the file extension .ftr . From Historical Reports: Click Filters.
  • Page 267: Deleting A Report Filter

    The filter will be applied the next time the report is run. Scheduling and Running Reports WatchGuard offers two methods to run reports: manually at any time or scheduled automatically using the WatchGuard Security Event Processor (WSEP).
  • Page 268: Manually Running A Report

    Summary – Sections that rank information by bandwidth or connections.
    • Detailed – Sections that display all activity with no summary graphs or ranking.
    The following is a listing of the different types of report sections and consolidated sections.
  • Page 269 Firebox Statistics A summary of statistics on one or more log files for a single Firebox. Authentication Detail A detailed list of authenticated users sorted by connection time. Fields include: authenticated user, host, start date of authenticated session, start time of authenticated session, end time of authenticated session, and duration of session.
  • Page 270 HTTP proxy, sorted by byte count or number of connections. HTTP Detail Tables for incoming and outgoing HTTP traffic, sorted by time stamp. The fields are Date, Time, Client, URL Request, and Bytes Transferred.
  • Page 271 SMTP Summary A table, and optionally a graph, of the most popular incoming and outgoing email addresses, sorted by byte count or number of connections. SMTP Detail A table of incoming and outgoing SMTP proxy traffic, sorted by time stamp. The fields are: Date, Time, Sender, Recipient(s), and Bytes Transferred.
  • Page 272: Consolidated Sections

    If the connection is packet filtered, Historical Reports attempts to resolve the server port to a table to represent the service name. If resolution fails, Historical Reports displays the port number.
  • Page 273 Time Summary – Proxied Traffic A table, and optionally a graph, of all accepted proxied connections distributed along user-defined intervals and sorted by time. If you choose the entire log file or specific time parameters, the default time interval is daily. Otherwise, the time interval is based on your selection.
  • Page 274 Chapter 14: Generating Reports of Network Activity
  • Page 275: Chapter 15 Controlling Web Site Access

    CHAPTER 15 Controlling Web Site Access WebBlocker is a feature of the WatchGuard Firebox System that works in conjunction with the HTTP proxy to provide Web site filtering capabilities. It enables you to exert fine control over the Web surfing in your organization.
  • Page 276: Installing The Webblocker Server

    “Setting Up the Management Station” on page 36. By default, the setup program installs the WebBlocker server on the same server as the WatchGuard Security Event Processor. However, to preserve performance if you are running WFS under high load conditions, consider installing the WebBlocker server on a dedicated server running Windows NT 4.0.
  • Page 277: Configuring The Watchguard Service Icon

    Because WebBlocker relies on copying updated versions of the WebBlocker database to the event processor, you must configure the WatchGuard service setting Allow Outgoing to Any. It is possible to narrow this setting and use the IP address of webblocker.watchguard.com. However, this address may change without notice.
  • Page 278: Configuring The Webblocker Service

    From Policy Manager: Double-click the service icon you are using for HTTP. Click the Properties tab. Click Settings. The service’s dialog box appears. Click the WebBlocker Controls tab. The tab appears, as shown in the following figure.
  • Page 279: Allowing Webblocker Server Bypass

    Select the checkbox marked Activate WebBlocker. Next to the WebBlocker Servers box, click Add. In the dialog box that appears, type the IP address of the server in the Value field. Click OK. If you want to add additional WebBlocker servers, see “Installing Multiple WebBlocker Servers”...
  • Page 280: Scheduling Operational And Non-Operational Hours

    Use these time blocks to build rules about when different types of sites are to be blocked. For example, you might block sports sites during business hours, but allow access at lunch time, evenings, and weekends.
  • Page 281: Setting Privileges

    From the proxy’s dialog box: Click the WB: Schedule tab. The tab appears, as shown in the following figure. Click hour blocks to toggle from Operational to Non-operational. The operational and non-operational hours schedule is dependent on the time zone settings. WebBlocker defaults to GMT unless you have set a Firebox time zone.
  • Page 282: Creating Webblocker Exceptions

    URL. For example, you can block www.sharedspace.com/*sex and expect that www.sharedspace/sexsite.html will be blocked. This WebBlocker feature is applicable only for outbound requests to access web sites. You cannot use WebBlocker exceptions to make an internal host exempt from WebBlocker rules.
  • Page 283 From the HTTP Proxy dialog box: Click the WB: Exceptions tab (you might need to use the arrow keys at the right of the dialog box to see this tab). In the Allowed Exceptions section, click Add. The Define Exceptions dialog box appears. Select the type of exception: host address, network address, or enter URL.
  • Page 284: Managing The Webblocker Server

    Automating WebBlocker Database Downloads The most effective way to routinely download and update your WebBlocker database is to use Windows Task Scheduler. To do this, add a process called WebDBdownload.bat,...
  • Page 285: Installing Scheduled Tasks

    WatchGuard directory under the WBServer folder: Open Control Panel and select Scheduled Tasks. (If it is not listed, see “Installing Scheduled Tasks,” in the following section.) Select Add Scheduled Task. The Scheduled Tasks wizard launches. Click Next.
  • Page 286 Internet Explorer, go to the Tools menu, and select Windows Update. This takes you to the Microsoft Web site, where you can download and install the appropriate software. After installation, Scheduled Tasks appears under My Computer.
  • Page 287: Connecting With Out-Of-Band Management

    CHAPTER 16 Connecting with Out-of-Band Management The WatchGuard Firebox System out-of-band (OOB) management feature enables the management station to communicate with a Firebox by way of a modem (not provided with the Firebox) and telephone line. OOB is useful for remotely configuring a Firebox when access through the Ethernet interfaces is unavailable.
  • Page 288: Chapter 16 Connecting With Out-Of-Band Management

    Preparing a Windows 2000 management station for OOB Before configuring the management station, you must first install the modem. If the modem is already installed, go to the instructions for configuring the dial-up connection.
  • Page 289 Install the modem From the Desktop, click Start => Settings => Control Panel => Phone and Modem Options. Click the Modems tab. Click Add. The Add/Remove Hardware Wizard appears. Follow the wizard through, completing the information requested. You will need to know the name and model of the Firebox modem and the modem speed.
  • Page 290: Preparing A Windows Xp Management Station For Oob

    Enter the telephone number of the line connected to the modem in the Firebox. Click Next. Click Finish. Click either Dial or Cancel. A new icon is now in the Network Connections folder. To use this dial-up connection, double-click the icon in the folder.
  • Page 291: Configuring The Firebox For Oob

    Configuring the Firebox for OOB OOB management features are configured in Policy Manager using the Network Configuration dialog box, OOB tab. The OOB tab is divided into two identical halves: the top half controls the settings of any external modem attached;...
  • Page 292 The Firebox starts the PPP session and waits for a valid connection from Policy Manager on your management station. If none is received within the default period of 90 seconds, the Firebox terminates the PPP session.
  • Page 293: Appendix A Troubleshooting Firebox Connectivity

    APPENDIX A Troubleshooting Firebox Connectivity This chapter provides four ways of connecting to your Firebox should you lose connectivity. These procedures assume that you have already created a configuration file and will be restoring the Firebox with that file.
  • Page 294: Method 1: Ethernet Dongle Method

    IP address so your management station can communicate with the Firebox. At the DOS prompt, type ping 192.168.0.1 (this is the default gateway of your computer). You will then see a request timeout. Ping again. You should get four replies.
  • Page 295 Open Policy Manager from Firebox System Manager. Do not connect to the Firebox at this time. In Policy Manager, select File => Open => Configuration File. Select the configuration file you want to load onto the Firebox and load it into Policy Manager.
  • Page 296: Method 2: The Flash Disk Management Utility

    System Manager, click the main menu button (shown at right). Select Tools => Advanced => Flash Disk Management. From the first screen in the Flash Disk Management tool, select Boot from the System Area (Factory Default). Click Continue.
  • Page 297 When prompted to enter an IP address, it is recommended that you use the address that is currently configured as the default gateway on your management station. Click OK. Choose the COM port that is open on the management station. Click OK. This completes the Flash Disk Management utility.
  • Page 298: Method 3: Using The Reset Button - Firebox Models 500, 700, 1000, 2500, 4500

    Open a DOS prompt, and ping the Firebox with 192.168.253.1. You should get a reply. In Policy Manager, select File => Open => Configuration File. Select the configuration file you want to load onto the Firebox and load it into Policy Manager.
  • Page 299: Method 4: Serial Dongle (Firebox II Only)

    In Policy Manager, select File => Save => To Firebox. When you are asked for the IP address of the Firebox, use 192.168.253.1 with wg as the passphrase. When the Firebox Flash Disk dialog box appears, click the button marked Save Configuration File and New Flash Image.
  • Page 300 This will enable you to reconnect to the Firebox with the trusted IP address that is listed in the configuration file and your status passphrase.
  • Page 301: Index

    Index Symbols .cfg files .ftr files .idx files .rep files .wgl files .wts files Numerics 1-1 Mapping dialog box 1-to-1 NAT. See NAT, 1-to-1 active connections on Firebox, viewing ActiveX applets Add Address dialog box 109, 126, 163 Add Exception dialog box 105, 111 Add External IP Address dialog Add External IP dialog box...
  • Page 302 Default Packet Handling dialog 179, 180, 181, 182, 219 Define Exceptions dialog box deny messages copying issuing ping or traceroute command for SMTP proxy DHCP DHCP server adding subnets 74, 84 130,...
  • Page 303 default lease time for described enabling lease times maximum lease time for modifying subnets not using Firebox as removing subnets setting up Firebox as DHCP Server dialog box DHCP Subnet Properties dialog DHCP support on external interface 35, 41, 60, 61 dialog boxes 1-1 Mapping Add Address...
  • Page 304 ESMTP AUTH types configuring keywords supported eth1, eth 2 Ethernet dongle method for troubleshooting event processor. See WatchGuard Security Event Processor or log host event, described external alias external caching proxy servers, configuring external interface described...
  • Page 305 viewing active connections on viewing bandwidth usage viewing basic status viewing everyone authenticated viewing log messages generated viewing memory usage of viewing uptime and version Flash Disk management tool and optional network and security policy FTP proxy and NAT configuring described enabling protocol anomaly detection...
  • Page 306 NT viewing viewing IP addresses of log messages copying deny messages issuing ping or traceroute on deny messages log messages generated by Firebox 211, 231...
  • Page 307 log rollover logging architecture blocked port activity described developing policies for enabling Syslog failover for blocked ports for blocked sites setting rollover interval specifying for SMTP proxy synchronizing NT log hosts logging and notification configuring Firebox for customizing by blocking option customizing by service default packet handling...
  • Page 308 VPN Manager outgoing services see entries under services Outgoing SMTP Proxy dialog box out-of-band management and PPP connection configuring dial-up connection 267, 268 configuring Firebox for configuring PPP connecting Firebox using described enabling management station 200, 201...
  • Page 309 establishing connection installing modem 267, 268 preparing NT Management Station preparing Windows 2000 Management Station for preparing Windows XP Management Station for timeout disconnects packet filters, described packet handling, default. See default packet handling packet-handling services. See services packets viewing number allowed, denied, rejected viewing number sent and received...
  • Page 310 WINS/DNS server addresses monitoring tunnels Save dialog box Save Main Window dialog box Scheduled Tasks, installing secondary networks adding 34, 35, 41, 64 described SecurID authentication security applications security policy and DNS 247, 248 248, 251...
  • Page 311 and FTP 115, 149 and HTTP and POP and services and SMTP and telnet customizing described guidelines for services opening configuration file Security Triangle Display Select MIME Type dialog box serial dongle method for troubleshooting service Properties dialog box 120, 124, 193 service properties, using to block sites service-based dynamic NAT.
  • Page 312 TSIG attacks tunnels Mobile User VPN monitoring RUVPN with PPTP viewing status of unconnected network addresses user authentication. See authentication users, viewing in HostWatch virus alerts VPN Installation Services VPN Manager...
  • Page 313 VPNs allowing incoming services from and 1-to-1 NAT in routed configurations WatchGuard Certified Training Partners (WCTPs) WatchGuard Firebox System additional information on described documentation introduction Online Help options package contents WatchGuard installation directory, and log files...
  • Page 314 WSEP. See WatchGuard Security Event Processor X Font server X Window Zip files...