Watchguard V10 User Manual

Firebox vclass series


WatchGuard® Firebox Vclass User Guide, Vcontroller 5.0



Summary of Contents for Watchguard V10

  • Page 1 WatchGuard ® Firebox Vclass User Guide Vcontroller 5.0...
  • Page 2 No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.
  • Page 3 5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project. 6. Redistributions of any form whatsoever must retain the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)”...
  • Page 4 The licence and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.] The mod_ssl package falls under the Open-Source Software label because it's distributed under a BSD-style license.
  • Page 5 5. Products derived from this software may not be called “Apache”, nor may “Apache” appear in their name, without prior written permission of the Apache Software Foundation. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  • Page 6 LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product includes the Expat XML parser Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd Copyright (c) 2001, 2002 Expat maintainers.
  • Page 7 PLEASE NOTE: Some components of the WatchGuard Vclass software incorporate source code covered under the GNU Lesser General Public License (LGPL). To obtain the source code covered under the LGPL, please contact WatchGuard Technical Support at: 877.232.3531 in the United States and Canada +1.360.482.1083 from all other countries...
  • Page 8 This product includes software covered by the LGPL. Copyright (C) 1991, 1999 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. [This is the first released version of the Lesser GPL.
  • Page 9 any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license.
  • Page 10 Each licensee is addressed as "you". A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables. The "Library", below, refers to any such software library or work which has been distributed under these terms.
  • Page 11 a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.) These requirements apply to the modified work as a whole.
  • Page 12 However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables.
  • Page 13 specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution. d) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place.
  • Page 14 restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License. 11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License.
  • Page 15 PLEASE NOTE: Some components of the WatchGuard Vclass software incorporate source code covered under the GNU General Public License (GPL). To obtain the source code covered under the GPL, please contact WatchGuard Technical Support at: 877.232.3531 in the United States and Canada +1.360.482.1083 from all other countries...
  • Page 16 To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have.
  • Page 17 notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole.
  • Page 18 by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6.
  • Page 19 Technologies, Inc. (‘WATCHGUARD’) for the WATCHGUARD Firebox Vclass software product, which includes computer software components (whether installed separately on a computer workstation or on the WATCHGUARD hardware product or included on the WATCHGUARD hardware product) and may include associated media, printed...
  • Page 20 To use the SOFTWARE PRODUCT on more than one WATCHGUARD hardware product at once, you must purchase an additional copy of the SOFTWARE PRODUCT for each additional WATCHGUARD hardware product on which you want to use it. To the extent that you install copies of the SOFTWARE PRODUCT on additional...
  • Page 21 PAID BY YOU FOR SUCH PRODUCT. THIS SHALL BE TRUE EVEN IN THE EVENT OF THE FAILURE OF AN AGREED REMEDY. IN NO EVENT WILL WATCHGUARD BE LIABLE TO YOU OR ANY THIRD PARTY, WHETHER ARISING IN CONTRACT (INCLUDING WARRANTY), TORT (INCLUDING ACTIVE, PASSIVE...
  • Page 22 THE PERFORMANCE OF THE ENTITY’S OBLIGATIONS UNDER THIS AGREEMENT DO NOT VIOLATE ANY THIRD-PARTY AGREEMENT TO WHICH THE ENTITY IS A PARTY. No change or modification of this AGREEMENT will be valid unless it is in writing and is signed by WATCHGUARD. Part No: 0150-00...
  • Page 23: Table Of Contents

    Contents. CHAPTER 1 Introduction: Welcome to WatchGuard®; WatchGuard Firebox Vclass Components; Minimum Requirements for the WatchGuard Vcontroller; Software License Keys; WatchGuard Firebox Vclass Appliance Options; High Availability; Mobile User VPN; About This Guide. CHAPTER 2 Service and Support: Benefits of LiveSecurity®...
  • Page 24 Firebox Vclass Installation Services; VPN Installation Services; Training and Certification; Using the Online Help. CHAPTER 3 Getting Started: Gathering Network Information; Setting up the Management Station; Installing Vcontroller on a Windows workstation; Installing Vcontroller on a Solaris workstation; Installing Vcontroller on a Linux workstation; Cabling the Appliance; Start a Firebox Vclass Security Appliance...
  • Page 25 The status viewer; Logging out of Vcontroller; Shutting Down and Rebooting; Restarting the appliance; Upgrading and Downgrading the Software Version; The Upgrade History; Transferring from Vcontroller to WatchGuard Central Policy Manager (CPM). CHAPTER 5 Router and Transparent Mode: Router Mode ...
  • Page 26 SNMP Configuration; Log Configuration; Certificate Configuration; Importing a certificate or CRL file; LDAP Server Configuration; NTP Server Configuration; Advanced Configuration; Hacker Prevention Configuration; CPM Management Configuration; License Configuration; Add a single license; Install licenses from a license package; VLAN Forwarding Option; Blocked Sites Configuration; High Availability Configuration; Using Account Manager...
  • Page 27 Defining an address group; Defining a service; Defining the incoming interface; Using Tenants; About VLANs and tenants; User domain tenant authentication; Defining tenants; Using the Firewall Options; Defining the firewall action; Using Quality of Service (QoS); Defining a QoS action; Activating TOS marking ...
  • Page 28 QoS Policy Examples: Example 1, Example 2. Static NAT Policy Examples: Example 1: Translating IP addresses into aliases; Example 2: Preventing conflicts between IP addresses. Load Balancing Policy Examples: Configuring Load Balancing for a Web Server; Configuring Load Balancing for an E-commerce Site. CHAPTER 10 Using Proxies...
  • Page 29 VPN to other IPSec compliant devices; About VPN Policies; VPN policies and IPSec actions; Using Authentication and Encryption; Defining an IKE Policy; Defining an IKE action; Defining a VPN Security Policy; Defining an IPSec action; Using Tunnel Switching; Enabling tunnel switching. CHAPTER 12 Creating a Remote User VPN Policy: About Remote User VPN...
  • Page 30 Monitoring configured probes; A Catalog of Real-time Monitor Probe Counters; System Counters; Aggregate counters for all VPN end-point pairs; IPSec counters per VPN end-point pair; Policy counters for all policies; Policy counters per policy. CHAPTER 15 Using Log Manager: Viewing the Logs; Filtering a current log ...
  • Page 31 Importing a configuration file using Appliance Discovery; Editing an exported configuration file. CHAPTER 18 Using the Diagnostics/CLI Feature: Using Connectivity to Test Network Connections; Using the Support Features; Configuring debugging support; Saving a Policy to a text file; Executing a CLI Script; Saving Diagnostic Information. CHAPTER 19 Setting Up a High Availability System...
  • Page 33: Chapter 1 Introduction

    Introduction CHAPTER 1 Welcome to WatchGuard The WatchGuard Firebox Vclass series of security appliances brings high-speed network security to enterprise-class businesses, remote offices, service providers, and data centers. In the past, a connected enterprise needed a complex set of tools, systems, and personnel for access control, authentication, virtual private networking, network management, and security analysis.
  • Page 34: Watchguard Firebox Vclass Components

    WatchGuard Firebox Vclass administrative client applications The WatchGuard Vcontroller (or the companion WatchGuard CPM client software) gives you full control of all the customizable operating system parameters, including basic system configurations, ...
  • Page 35: Minimum Requirements For The Watchguard Vcontroller

    security policies, maintenance, and activity logging. Minimum Requirements for the WatchGuard Vcontroller This section describes the minimum hardware and software requirements necessary to successfully install, run, and administer the WatchGuard Vcontroller. For the most current information on Vclass hardware and operating system requirements, see the Readme file on the Firebox Vcontroller CD.
  • Page 36 Network interface: Network Interface Cards (NICs) or embedded network connections. Linux workstation operating system: Linux kernel v2.2.12 and glibc v2.1.2-11 or later. The officially supported Linux platform for JRE 1.4 is RedHat Linux 6.2. Because of localization issues involving Linux platforms, see the Sun Web site.
  • Page 37: Software License Keys

    LiveSecurity Service. For more information on this service, see “Service and Support” on page 9. Some features of the WatchGuard Firebox Vclass series of appliances must be licensed for use, and others can be expanded by licensing additional capacity. Licensing...
  • Page 38: High Availability

    The audience for this guide represents a wide range of experience and expertise in network management and security. The end user of the WatchGuard Firebox Vclass is generally a network administrator for a large enterprise with multiple offices around the world.
  • Page 39 Configuration File from the Open drop-down list. • URLs and email addresses appear in sans serif font; for example, wg-users@watchguard.com. • Code, messages, and file names appear in monospace font; for example: .wgl and .idx files •...
  • Page 41: Chapter 2 Service And Support

    LiveSecurity security system up-to-date by providing solutions directly to you. In addition, the WatchGuard Technical Support team and Training department offer a wide variety of methods to answer your questions and assist you with improving the security of your network.
  • Page 42: Livesecurity® Broadcasts

    Access to technical support and training When you have questions about your WatchGuard Firebox Vclass, you can quickly find answers using our extensive online support resources, or by talking directly to one of our support representatives.
  • Page 43 You receive functional software enhancements on an ongoing basis that cover your entire WatchGuard Firebox Vclass. Editorial Leading security experts join the WatchGuard Rapid Response Team in contributing useful editorials to provide a source of continuing education on this rapidly changing subject.
  • Page 44: Activating The Livesecurity® Service

    Activating the LiveSecurity Service The LiveSecurity Service can be activated using the activation section of the WatchGuard LiveSecurity Web pages. To activate the LiveSecurity Service: Be sure that you have the Firebox Vclass serial number handy. You will need this during the activation process.
  • Page 45 Key page from the LiveSecurity Service Web site. If you closed the Feature Key page, you can regenerate your Feature Key by logging back into LiveSecurity Service on the WatchGuard Web site at: https://www3.watchguard.com/archive/login.asp Once logged into the LiveSecurity Service, you can regenerate your unit’s unique Feature Key by selecting Get...
  • Page 46: Livesecurity® Self Help Tools

    Detailed information about configuration options and interoperability. Known Issues Confirmed issues and fixes for current software. Interactive Support Forum A moderated Web board about WatchGuard products. Online Training Information on product training, certification, and a broad spectrum of publications about network security and WatchGuard products.
  • Page 47: Interactive Support Forum

    Log in to LiveSecurity Service. Interactive Support Forum The WatchGuard Interactive Support forum is an online group in which the users of the WatchGuard Firebox Vclass and Firebox System exchange ideas, questions, and tips regarding all aspects of the product, including configuration, compatibility, and networking.
  • Page 48: Product Documentation

    WatchGuard offers a variety of technical support services for your WatchGuard products. Several support programs, described throughout this section, are available through WatchGuard Technical Support. For a summary of the current technical support services offered, please refer to the WatchGuard Web site at: http://support.watchguard.com/aboutsupport.asp...
  • Page 49: Livesecurity® Gold Program

    Firebox Vclass, Firebox System, SOHO, and ServerLock enterprise systems. Single Incident Priority Response Upgrade (SIPRU) and Single Incident After-hours Upgrade (SIAU) are available. For more information, please refer to the WatchGuard Web site: http://support.watchguard.com/lssupport.asp LiveSecurity® Gold Program This premium program is designed to meet the aggressive...
  • Page 50: Firebox Vclass Installation Services

    Firebox Vclass installation. You can schedule a dedicated two-hour time slot with a WatchGuard technician to help you review your network and security policy, install the LiveSecurity software and Firebox Vclass hardware, and build a configuration in accordance with your company security policy.
  • Page 51: Using The Online Help

    Using the Online Help Online help is available from almost all WatchGuard Vcontroller windows. Because the online help uses Web browsers for display, you should be aware of a problem in opening help in Netscape browsers.
  • Page 53: Chapter 3 Getting Started

    “Running the Vcontroller Installation Wizard” on page 34 • “Deploying the Firebox Vclass into your Network” on page 57 For a quick summary of this information, see the WatchGuard Firebox Vclass QuickStart Guide included with your Firebox Vclass appliance.
  • Page 54: Gathering Network Information

    This chapter is intended for new WatchGuard Firebox Vclass installations only. If you have a previously installed appliance with a prior software version, connect to it with Vcontroller, and then follow the upgrade instructions as described in “Upgrading and Downgrading the Software Version”...
  • Page 55: Setting Up The Management Station

    Java Runtime Environment, to enable the software to run. This installation of the JRE is independent of any other JRE or JDK you install on your system. For additional updates, check the WatchGuard Web site. To install Vcontroller: Remove the Vcontroller CD from the package and insert it in the workstation CD-ROM.
  • Page 56: Installing Vcontroller On A Solaris Workstation

    Solaris and JRE versions. For additional updates, check the WatchGuard Web site. To install Vcontroller: Insert the WatchGuard CD into the CD-ROM (in Solaris, the CD should automatically mount at / cdrom). Start the installer application by entering the following...
  • Page 57: Installing Vcontroller On A Linux Workstation

    If you have an older version of the JDK, the installer asks whether you prefer to use it instead of a more recent version. WatchGuard recommends that you install the most recent version. If you have not installed JRE or JDK, type N. The...
  • Page 58 If you have an older version of JDK, the installer asks whether you prefer to use it instead of a more recent version. WatchGuard recommends that you install the most recent version. If you have not installed JRE or JDK, type N. The...
  • Page 59: Cabling The Appliance

    Firebox model). Connect the appliance to a nearby power source using the power cord. If connecting the appliance to a UPS device, be sure to use the WatchGuard-supplied cable to connect the two devices through their respective RS-232 ports.
  • Page 60: If Problems Occur

    Firebox V10 Connect the appliance end of the power cable to the jack on the V10 before you connect the plug end of the power cable to the AC outlet. When your appliance has been started and initialized, the following lights on the front of the device should be lit: •...
  • Page 61: Using Appliance Discovery

    Using Appliance Discovery After the WatchGuard Vcontroller is installed on the Management Station, you can use Vcontroller to discover any new factory default appliance on the network. This appliance must be connected to the same LAN segment or subnet as the Management Station through interface 0 (Private).
  • Page 62: If No Appliance Is Discovered

    A status dialog box appears and remains displayed until the discovery process is complete. If no appliance is discovered If no appliances are discovered, a Devices Not Found dialog box appears. Check the Firebox Vclass appliance for the following: - Verify that the appliance has been properly connected to the network.
  • Page 63: If An Appliance Is Discovered

    If an appliance is discovered When an appliance is discovered, the Devices Found dialog box appears, displaying all discovered appliances with their models and serial numbers. This window provides the following features: • A large list area that displays all of the appliances discovered in the local subnet.
  • Page 64: Setting The Ip Address Of Interface 0 Or The System Ip

    If you have already installed and configured at least one Firebox Vclass appliance, you can import its configuration information into a new factory default appliance using an XML profile. For more information, see “Exporting and Importing Configuration Files” on page 410. Setting the IP address of Interface 0 or the System IP If you are deploying the Vclass appliance in Router Mode,...
  • Page 65 In the System Mask field, type the subnet mask for this IP address. Click Update. If more than one appliance is listed in this window, you can set an IP address for each appliance at this time, prior to clicking Apply All.
  • Page 66: Running The Vcontroller Installation Wizard

    The IP addresses of any SNMP management stations • The VPN client user name and password (for Firebox V10 setup) If you need to make any changes to the configuration at a later date, you can do so with the System Configuration...
  • Page 67: Starting The Installation Wizard

    window, as described in “System Configuration” on page 89. Starting the Installation Wizard Start the Firebox Vclass appliance (see “Start a Firebox Vclass Security Appliance” on page 27). Launch Vcontroller and click Login. The Login dialog box appears. Type the IP address or host name of the Firebox Vclass in the Server IP/Name field or select it from the drop- down list.
  • Page 68: Edit The General Information

    Read the qualifications and instructions. Edit the General Information Click Next to proceed. The General Information window appears.
  • Page 69 In the System Name field, type either the assigned DNS name for the appliance or another arbitrary name. In the System Location field, type a description of where your appliance will be used. This can be a building, floor number, office name, or other simple description.
  • Page 71: Configure The Interfaces In Router Mode

    Configure the Interfaces in Router Mode This procedure describes how to configure an interface using the Installation Wizard for an appliance running in Router Mode. Configure Interface 0 (Private) Click Next. The Interface Information window appears. The appliance is in Router Mode by default.
  • Page 72 Double-click on Interface 0 to edit it. The Edit Interface window appears. Enter the IP address and network mask for the interface in the appropriate fields. If you wish to change the size of the Maximum Transmission Unit (MTU), type a number in the MTU field.
  • Page 73 Enter the maximum number of potential clients that will be assigned IP addresses in the Number of Clients field. Select either Days or Hours from the Leasing Time drop-down list, and type the number of hours or days that an IP address will be loaned to a DHCP client. You can use a separate DHCP Server with the Vclass appliance using DHCP relay.
  • Page 74 Configure Interface 1 (Public) To configure Interface 1 (Public) for Static, DHCP, or PPPoE addressing, choose the appropriate interface option and provide the relevant entries as follows: Static IP Enter the IP address and network mask in the appropriate fields.
  • Page 75 Click Backup Connection to configure WAN Interface Failover, if desired. This allows you to specify a backup ISP to provide internet service to interface 1, in the event of a primary ISP failure. The Edit Backup Connection screen appears. Select the Enable Wan Interface Failover checkbox to enable failover to another ISP.
  • Page 76: Configure Interface 2 And 3 (Dmz)

    The Interface Change dialog box appears providing two options, Save Only and Apply. Click Save Only. Click OK to proceed. WatchGuard recommends selecting Save Only in order to continue with the Installation Wizard. If you select Apply, and then click OK, the Wizard prompts you to stop the installation process and restart the Firebox Vclass appliance to apply the changes.
  • Page 77: Configure The Interfaces In Transparent Mode

    will need to log in again, using the new IP address information, to continue configuring the appliance. For information on configuring the appliance without using the Installation Wizard, see “System Configuration” on page 89. Configure the Interfaces in Transparent Mode In Transparent Mode, the Firebox Vclass is given a single System IP and System Subnet Mask.
  • Page 78 Click Transparent Mode. The appliance must be in factory default configuration to switch to Transparent Mode. If the device has already been configured, you must restore it to factory default before taking this step. See “Restoring to Factory Default” on page 407. In the System IP field, type the IP address that will be used for all interfaces on the appliance.
  • Page 79: Configure Routing

    Configure Routing From the Interface Information window, click Next. The Routing screen appears. All entries made to configure routing are optional for completing the Installation Wizard and are dependent upon your network environment. In the Specify Default Route field, type the IP address of the default gateway.
  • Page 80: Define The Dns Servers

    Type the destination IP address, network mask, and gateway of the route in the appropriate fields. Select the interface (0, 1, 2, or 3) through which traffic will be exchanged from the Interface/Port drop-down list. Type the Metric number in the appropriate field. Click OK.
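The route entries entered in the two steps above (destination, mask, gateway, interface 0 to 3, metric, plus the default route from the Routing screen) interact by longest-prefix match first and metric second: a more specific static route wins over the default route even when its metric is worse, and the metric only decides between routes of equal prefix length. The following Python is an added example written to show that selection rule; it is not WatchGuard code, and since this page does not document the Firebox's exact tie-breaking, the rule, the `Route` dataclass and the sample table are assumptions.

```python
"""Route selection over entries shaped like the Firebox Vclass Routing screen:
destination, mask, gateway, interface (0-3) and metric.
Added example, not WatchGuard code. The selection rule (longest prefix,
then lowest metric, then table order) is the conventional one and is
assumed here rather than taken from the appliance."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    destination: str   # e.g. "10.20.0.0"
    mask: str          # dotted netmask, e.g. "255.255.0.0"
    gateway: str
    interface: int     # 0 = Private, 1 = Public, 2/3 = DMZ
    metric: int

    @property
    def network(self) -> IPv4Network:
        # strict=True rejects entries whose host bits are set (a typo'd destination)
        return IPv4Network(f"{self.destination}/{self.mask}", strict=True)


def default_route(gateway: str, interface: int = 1, metric: int = 1) -> Route:
    """The 'Specify Default Route' entry: 0.0.0.0/0 via the gateway on the Public port."""
    return Route("0.0.0.0", "0.0.0.0", gateway, interface, metric)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; ties broken by lowest metric, then by table order."""
    addr = IPv4Address(dst)
    best: Optional[Route] = None
    for r in table:
        if addr not in r.network:
            continue
        if best is None:
            best = r
            continue
        plen, best_plen = r.network.prefixlen, best.network.prefixlen
        if plen > best_plen or (plen == best_plen and r.metric < best.metric):
            best = r
    return best


def next_hop(table: List[Route], dst: str) -> Optional[Tuple[str, int]]:
    """(gateway, interface) the packet would be sent to, or None if unroutable."""
    r = lookup(table, dst)
    return None if r is None else (r.gateway, r.interface)


# Constructed sample table: a default route out the Public port, a branch
# subnet behind a router on the Private port (deliberately given a worse
# metric than the default route), and two routes to the same DMZ prefix
# that differ only in metric.
SAMPLE_TABLE = [
    default_route("203.0.113.1"),
    Route("10.20.0.0", "255.255.0.0", "192.168.1.254", 0, 10),
    Route("172.16.5.0", "255.255.255.0", "172.16.0.2", 2, 5),
    Route("172.16.5.0", "255.255.255.0", "172.16.0.3", 3, 1),
]

if __name__ == "__main__":
    for dst in ("10.20.3.4", "172.16.5.9", "8.8.8.8"):
        print(dst, "->", next_hop(SAMPLE_TABLE, dst))
```

Run it and note that 10.20.3.4 leaves through interface 0 despite the /16 route's metric of 10: prefix length is compared before metric, which is why a stray static route with a broad mask can silently pull traffic away from the default gateway.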
  • Page 81 All entries made to configure DNS servers are optional for completing the Installation Wizard, and will differ based on your network configuration. Type the domain name of the Firebox Vclass appliance in the Domain Name field. To add a DNS server, click Insert. The DNS Server window appears.
  • Page 82: Define A Default Firewall Policy

    Type the DNS server IP address in the appropriate field and then click Add. Repeat this process if needed to add more DNS servers. Define a Default Firewall Policy When you have finished listing the DNS servers, click Next to proceed.
  • Page 83 checkbox and then determine which of the following predefined policies you want to enable. Allow ping to the device Allows ping traffic to the private interface of this appliance from other workstations within the network. Allow all Out-bound traffic from the Private Port Allows all internal network users to have unlimited access to all external network connections.
  • Page 84 Denial of service options These options safeguard your servers from Denial of Service (DoS) attacks. Denial of Service attacks flood your network with requests for information, clogging your servers and possibly shutting down your sites. ICMP Flood Attack Protects against a sustained flood of ICMP pings.
  • Page 85 IP Source Route Rejects packets that carry IP source-route options (loose or strict source routing). An attacker can combine these options with a forged client source address so that replies are routed back along a path of the attacker's choosing, which defeats address-based firewall rules. Distributed denial of service options As a subset of Denial of Service attacks, Distributed DoS (DDoS) attacks occur when hackers coordinate a number of compromised computers for malicious purposes and program them to simultaneously assault a network with information requests.
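The two protections named above, ICMP flood and IP source route, can be stated precisely as detection logic over raw packets. The following Python is an added example written for this page; it is not WatchGuard code and does not describe how the appliance implements these options (the page gives no thresholds or packet-handling detail). It parses an IPv4 header to flag loose and strict source-route options (option types 131 and 137, as defined in RFC 791) and applies a per-source sliding-window rate limit to ICMP echo requests. The packet builder, the 50-per-second limit and the sample packets are constructed for the demonstration.

```python
"""Host-side versions of two Firebox Vclass 'hacker prevention' checks.
Added example, not WatchGuard code: the window size, rate limit and the
packet builder below are assumptions made for the demonstration. Option
type codes are from RFC 791 (LSRR = 131, SSRR = 137)."""
import struct
from collections import deque
from typing import Deque, Dict, List, Optional, Tuple

LSRR, SSRR = 131, 137          # loose / strict source route option types
IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8


def ipv4_header(src: str, dst: str, proto: int, options: bytes = b"") -> bytes:
    """Minimal IPv4 header for constructed test packets (checksum left zero)."""
    assert len(options) % 4 == 0, "options must be padded to a 32-bit boundary"
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + 8            # header plus an 8-byte ICMP header
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0, 64,
                       proto, 0, bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split(".")))) + options


def echo_request(src: str, dst: str, options: bytes = b"") -> bytes:
    """Constructed ICMP echo request: IPv4 header + type 8 ICMP header."""
    return ipv4_header(src, dst, IPPROTO_ICMP, options) + struct.pack("!BBHHH", 8, 0, 0, 1, 1)


def source_route_option(packet: bytes) -> Optional[int]:
    """Return LSRR or SSRR if the header carries a source-route option, else None.
    Walks the option list: EOL (0) ends it, NOP (1) is a single byte, every
    other option is TLV with the length byte covering type and length."""
    ihl = (packet[0] & 0x0F) * 4
    i = 20
    while i < ihl:
        t = packet[i]
        if t == 0:
            break
        if t == 1:
            i += 1
            continue
        if i + 1 >= ihl:
            break                      # truncated option: stop, do not read past header
        length = packet[i + 1]
        if length < 2:
            break                      # malformed length would loop forever
        if t in (LSRR, SSRR):
            return t
        i += length
    return None


class IcmpFloodDetector:
    """Flags a source that sends more than `limit` echo requests within any
    `window` seconds, using a sliding window of timestamps per source."""

    def __init__(self, limit: int = 50, window: float = 1.0):
        self.limit, self.window = limit, window
        self.seen: Dict[str, Deque[float]] = {}

    def observe(self, packet: bytes, ts: float) -> bool:
        if packet[9] != IPPROTO_ICMP:
            return False
        ihl = (packet[0] & 0x0F) * 4
        if packet[ihl] != ICMP_ECHO_REQUEST:
            return False
        src = ".".join(map(str, packet[12:16]))
        q = self.seen.setdefault(src, deque())
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                # expire timestamps outside the window
        return len(q) > self.limit


def flood_events(packets: List[Tuple[bytes, float]], limit: int = 50, window: float = 1.0) -> List[int]:
    """Indices of packets that exceed the per-source rate limit."""
    det = IcmpFloodDetector(limit, window)
    return [i for i, (pkt, ts) in enumerate(packets) if det.observe(pkt, ts)]


if __name__ == "__main__":
    # LSRR option: type, length 7, pointer 4, one hop address, one byte of EOL padding
    lsrr = bytes([LSRR, 7, 4, 10, 0, 0, 1, 0])
    print("source-routed:", source_route_option(echo_request("198.51.100.7", "192.0.2.1", lsrr)))
    burst = [(echo_request("198.51.100.7", "192.0.2.1"), 0.01 * i) for i in range(60)]
    print("flood at packets:", flood_events(burst))
```

The option walker stops on a truncated or zero-length option rather than trusting the length byte, which is the usual failure mode in naive option parsers; the rate limiter keys on the source address, so a spoofed-source flood spread across many addresses (the DDoS case the page goes on to describe) would need an aggregate counter as well.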
  • Page 86: Using Dynamic Network Address Translation (Dnat)

    Using Dynamic Network Address Translation (DNAT) When you have configured the preferred levels of hacker defense, click OK to close this window, and click Next to proceed. If you enabled the Allow all outbound traffic from the Interface 0 (private) option, a DNAT window appears.
  • Page 87 In the Password field, type a new password. Passwords must be between 6 and 20 characters, can include letters or numbers, and are case-sensitive. Six characters is the minimum the wizard accepts, not a recommended length: this account has full control of the appliance and its policies, so use a long, unique password close to the 20-character limit. Confirm the password by retyping it in the provided field. Click Next to proceed. The completion window appears.
  • Page 88 Click Finish. If you changed the IP address for interface 0 (Private), a window appears, asking if you want to restart the Firebox Vclass appliance. Click Yes. The Firebox Vclass appliance reboots and reinitializes itself.
  • Page 89: Deploying The Firebox Vclass Into Your Network

    Deploying the Firebox Vclass into your Network After the appliance reboots, restart Vcontroller and perform a complete shutdown of the appliance. When the shutdown is complete, you can turn off the appliance and move it to a permanent network setting, if it is not already there.
  • Page 90 • For a V10, make sure that you connect the power cord to the V10 before you connect it to the AC outlet or the UPS device. This will start the V10 appliance. •...
  • Page 91: Chapter 4 Firebox Vclass Basics

    Firebox Vclass Basics CHAPTER 4 This chapter provides an overview of the Firebox Vclass hardware and the companion Vcontroller software. What is a Firebox Vclass Appliance? Every Firebox Vclass appliance is a combination of powerful network-monitoring hardware and software policies that you, the administrator, set up and maintain.
  • Page 92: Firebox Vclass Features

    Firebox Vclass Features The Firebox appliances provide the following features: Firewall Protects your network from unauthorized access and use. Load balancing (except the V10 model) Distributes incoming data to specific internal destinations. Quality of Service Makes data exchanges more efficient. Prioritizes and enhances user-specified data exchange.
  • Page 93: Where The Information Is Stored

    IP address into the appropriate private IP address. Static NAT (except the V10 model) Also called port forwarding. Assigns a port specific to a given service (such as port 80 for HTTP) to...
  • Page 94: Vcontroller

    Launching the WatchGuard Vcontroller The WatchGuard Vcontroller can be used to administer one or more Firebox Vclass appliances as well as any legacy RapidStream security appliances. This Java application offers a basic set of system indicators and three collections of button-activated features that provide complete control over all the operations of a Firebox Vclass appliance.
  • Page 95 Type your administrator login name in the Name field. For information on creating administrator accounts, see “Using Account Manager” on page 149. In the Password field, type the password for your administrator account. Click OK. The main Vcontroller window appears.
  • Page 96: The Vcontroller Main Page

    The Vcontroller Main Page This section describes the buttons displayed in Vcontroller. Activities column buttons The Activities column contains a series of buttons that, when clicked, provide dialog boxes that update you on system activities. This includes outstanding alarms, recent events, and the current status of the appliance.
  • Page 97: Policy Column Buttons

    System Information Click this button to open the System Information window, which provides several distinct views of the current appliance’s status and activity. The various tabbed displays are detailed in separate chapters within this guide, depending upon your choice of view. For more information, see “Monitoring the Firebox Vclass”...
  • Page 98: Administration Column Buttons

    Click this button to open the RAS Configuration dialog box, which assists in the setup of remote access service (RAS) connections. This feature is not available on the V10 model. Proxies Click this button to open a dialog box that lists all existing Proxy Actions, and allows you to add, delete, and edit them.
  • Page 99 Install Wizard Click this button to reopen the Installation Wizard, which you can use to reestablish the basic configuration for a Firebox Vclass appliance if required. For more information, see “Getting Started” on page 21. Account Click this button to open the Account Manager window, which you can use to modify or add new administrative accounts, and end-user accounts to allow internal users to bypass any firewall policies...
  • Page 100: Page-Top Buttons

    Diagnostics/CLI Click this button to open the Diagnostics window, which includes testing tools, connectivity probes, and a workspace for importing CLI scripts. For more information, see “Monitoring the Firebox Vclass” on page 363. Page-top buttons The page-top title area includes the Log Out and Help buttons, as well as an alarm indicator that is displayed when an alarm has been triggered.
  • Page 101: Logging Out Of Vcontroller

    This panel is automatically refreshed every sixty seconds; however, you can click the blue star button to refresh manually. Logging out of Vcontroller Make sure you properly log out of a Firebox Vclass appliance after you finish with administrative tasks. Otherwise, you may have trouble logging in later because a previous session may still be active.
  • Page 102: Shutting Down And Rebooting

    To save the changes, click Yes. An Information dialog box appears indicating that the save was successful. Click OK. You can now exit Vcontroller or click Log In to reconnect to the Firebox Vclass appliance. Shutting Down and Rebooting To perform a software shutdown prior to turning off the appliance:...
  • Page 103 Disconnecting the appliance too quickly can cause serious damage. After 30 seconds have elapsed, use the power switch on the back to turn off the appliance. For the V10 model, simply disconnect the power cord. Unplug the power cord from the Firebox Vclass appliance.
  • Page 104: Restarting The Appliance

    To upgrade the software version: Verify that the Management Station has an active Internet connection. You need an Internet connection to check the WatchGuard Web site for the latest software updates. From the main Vcontroller window, click Upgrade. The Upgrade dialog box appears.
  • Page 105 Upgrade tab. Click Check our Web site to verify whether a more recent version of the Vcontroller software is available. Your web browser appears and connects to the WatchGuard Web site. When this connection is complete, you can quickly verify the version number of the latest available upgrade against the version number listed in the Upgrade tab.
  • Page 106 Locate and select the downloaded upgrade file and then click Select. When the upgrade is complete, a confirmation dialog box appears. 10 Click OK to proceed. The Vclass appliance automatically restarts. When the restart is complete, you can log into the appliance and use Vcontroller to check the upgraded appliance.
  • Page 107: The Upgrade History

    Upgrading and Downgrading the Software Version Click OK. The appliance performs the downgrade, and then reboots itself. After the appliance reboots, the Login dialog box automatically appears. At this time, to use your previous policies and configuration, you must restore the last backup of policies and configurations that you saved when this version of the software was in effect.
  • Page 108: Transferring From Vcontroller To Watchguard Central Policy Manager (Cpm)

    Transferring from Vcontroller to WatchGuard Central Policy Manager (CPM) If you need to transfer the management of the Firebox Vclass from Vcontroller to the WatchGuard Central Policy Manager (CPM), consider the following differences between the two environments: •...
  • Page 109 Transferring from Vcontroller to WatchGuard Central Policy Manager (CPM) Vcontroller will be erased when a new or updated profile is deployed to that appliance from CPM.
  • Page 110 CHAPTER 4: Firebox Vclass Basics Vcontroller...
  • Page 111: Chapter 5 Router And Transparent Mode

    CHAPTER 5: Router and Transparent Mode Vclass appliances can operate in two distinctly different modes–Router Mode and Transparent Mode. Descriptions of these modes and configuration information are included in this chapter. Router Mode Router Mode is the default mode for Vclass appliances.
  • Page 112 CHAPTER 5: Router and Transparent Mode In Router Mode, all interfaces are routable. Each individual interface is assigned an IP address on the subnet it is connected to. Packets crossing the Vclass appliance are managed by configured policies and proxies. Allowed packets are routed to their destinations.
  • Page 113: Transparent Mode

    Transparent Mode [Figure 7: Vclass Transparent Mode operation. Labels: Not Trusted, Internet, Router; Existing Network with a Transparent Mode Vclass appliance] Vclass Transparent Mode is designed to allow simple “drop-in” integration of the Vclass appliance in an existing network topology.
  • Page 114: Unsupported Features In Transparent Mode

    • In Transparent Mode, the Vclass appliance uses one IP address and one Subnet Mask for all interfaces. These addresses are called the System IP and the System Mask. All interfaces on the Vclass appliance use these addresses.
  • Page 115: Setting An Appliance To Transparent Mode Using Device Discovery

    Launch Vcontroller. The Vcontroller Login dialog box appears. Click the binoculars icon to the right of the Server/IP Name drop-down list. The WatchGuard Security Appliance Discovery dialog box appears. Click Find to start the process.
  • Page 116 If the Management Station has more than one Network Interface Card (NIC), you must select the IP address of the appropriate card from the drop-down list before proceeding. A status dialog box appears and remains open until the discovery process is complete.
  • Page 117 If an appliance is discovered If an appliance is discovered, the Devices Found dialog box appears, displaying all discovered appliances with their models and serial numbers. This dialog box provides the following features: • A large list area that displays all of the appliances discovered in the local subnet.
  • Page 118 Set the System IP address If you are deploying the Vclass appliance in Router Mode, you must now assign a temporary IP address to interface 0 (Private) for use in the initial configuration. If you are deploying the device in Transparent Mode, you must set the System IP.
  • Page 119: Setting An Appliance To Transparent Mode Using The Installation Wizard

    Click Update. If more than one appliance is listed in this window, you can set an IP address for each appliance at this time, prior to clicking Apply All. If there are no more appliances to be set, click Apply All.
  • Page 120 “Configure the Interfaces in Transparent Mode” on page 45.
  • Page 121: Chapter 6 System Configuration

    CHAPTER 6: System Configuration Use the System Configuration window to enter or edit system settings. This window, a key component of Vcontroller, provides access to a wide spectrum of controls, ranging from network connection parameters to an array of hacker prevention options. The following configuration functions are available in the System Configuration window.
  • Page 122: General Configuration

    CHAPTER 6: System Configuration • “License Configuration” on page 137 • “VLAN Forwarding Option” on page 142 • “Blocked Sites Configuration” on page 145 • “High Availability Configuration” on page 148 General Configuration Use the General tab to fill in general information about the Vclass name, location, and owner, and to set the system time.
  • Page 123 Configure the following system settings: System Name Type a name to represent this appliance. System Location Type the location of your Firebox Vclass appliance. The location can be a building and floor number, or a simple identifier such as “LAN Room.” System Contact Type the name, phone number, or email address of the principal system administrator or the person...
  • Page 124 System Time Displays the current date and time. To change the date and time currently displayed, click Change. The Date, Time, and Time Zone dialog box appears. - Click the Date & Time tab and then type the appropriate time and date for your system.
  • Page 125: Interface Configuration

    Interface Configuration The Interface tab is used to make changes to the IP addresses and subnet masks of the interfaces. Different combinations of interfaces are displayed according to the model of Firebox Vclass appliance you are configuring. In addition, Interfaces appear differently depending on whether the appliance is deployed in Router Mode or Transparent Mode.
  • Page 126 • Both the Accelerated Interfaces and the HA (High Availability) Interfaces are listed: Router Mode/Transparent Mode Indicates the System Mode in which this system is deployed. In addition, you can switch from Transparent Mode to Router Mode here, but you cannot automatically switch from Router Mode to Transparent Mode–you must restore the appliance to Factory Default first, a process which...
  • Page 127 Interface 2 Interface 2 should be assigned to any DMZ network traffic. This interface is not available on the V10, V100, or V200 models. Interface 3 Interface 3 should be assigned to any DMZ network traffic. This interface is not available on the V10, V100, or V200 models.
  • Page 128: Configuring Interface 0

    For more information, see “Setting Up a High Availability System” on page 425. This interface is not available on the V10 model. High Availability is not supported in Transparent Mode. If you need to make any changes to the configuration of the interfaces, use the following instructions.
  • Page 129: Enable Dhcp Server

    In the IP Address and Network Mask fields, type the appropriate IP address. The interface Hardware Address (MAC address) is displayed beneath these fields. In the MTU field, type the MTU to determine the maximum size of each packet. The default is 1500 bytes.
  • Page 130 Type the maximum number of potential clients that will be assigned IP addresses in the Number of Clients field. From the Leasing Time drop-down list, select either Days or Hours. Type the number of days or hours that an IP address will be loaned to a DHCP client.
  • Page 131: Configuring Interface 1

    In the Remote DHCP Server IP field, type the address for the remote DHCP server. 10 Click the Link Speed Configuration option you want to use for this interface. The default is Auto Negotiate. Auto Negotiate is the only option available on the V100 and V200 models.
  • Page 132 Interface 1 (Public) allows you to choose from three network addressing options. Select the addressing option you want to use (Static, DHCP, or PPPoE). Static • In the IP Address and Network Mask fields, type the IP address and network mask.
  • Page 133 DHCP • In the Host ID field, type the host name or the IP address of your DHCP server. This option is not available when using High Availability, or in Transparent Mode. PPPoE • In the User Name and Password fields, type the user name and password.
  • Page 134 This option is not available when using High Availability, or in Transparent Mode. In the MTU field, type a new size for the MTU if you want to change it from the default size (1500 bytes). Click the Link Speed Configuration option you want to use for this interface.
  • Page 135 Select the Enable WAN Interface Failover checkbox to enable failover to another ISP. Configure the interface as previously described, by clicking Static, DHCP, or PPPoE and entering the required values. If PPPoE is selected for the backup WAN, it must be configured as Always On.
  • Page 136: Configuring Interface 2 Or 3

    IP addresses for these sites, and remember that pingable addresses might change frequently. In the Polling Interval field, type the polling interval in seconds to determine a failure. This value determines the amount of time between ping sessions to test the servers listed in the previous step.
  • Page 137 In the IP Address and Network Mask fields, type the IP address and network mask. The interface Hardware Address (MAC address) is displayed beneath these fields. In the MTU field, type a new size for the MTU if you want to change it from the default size (1500 bytes). Click the Link Speed Configuration option you want to use for this interface.
  • Page 138: Configuring The Ha Interfaces

    Configuring the HA Interfaces For more information on setting up and managing these HA interfaces, see “Setting Up a High Availability System” on page 425. To edit High Availability settings: Select the interface entry and then double-click. The Edit Interface dialog box appears.
  • Page 139: Routing Configuration

    Apply To immediately commit the settings to the Firebox Vclass appliance. If you have only changed Link Speed, MTU, or the HA configuration, the system will not restart. If you have made any other changes to the Interface configuration for the appliance, a Warning dialog box appears alerting you that this action forces a restart of the system.
  • Page 140 To configure a static route, click Add. The Add Route dialog box appears.
  • Page 141: Configuring Dynamic Routing

    Type the destination, network mask, gateway, and metric in the appropriate fields. Select the interface from the drop-down list and then click OK. You cannot select the Interface in Transparent Mode. Repeat this process to add other static route entries. To modify an existing route, select the entry and click Edit.
  • Page 142 For each routing protocol you enable, click the Edit button. The Edit dialog for the routing protocol appears. Click Paste to paste a preconfigured dynamic routing configuration file into the text field, or click Browse to locate the *.conf file on your management station.
  • Page 143 It is possible that dynamic routing can fail. If this occurs, the Current Status displays “Not Running.” Click Restart for the protocol. A Confirmation dialog box appears. Click Yes to restart. When you have finished configuring routing, click one of the following options: Reset To return the settings to the previous configuration.
  • Page 144: Dns Configuration

    If an entry displays a red X, click the Routing Table Edit button to open the Edit Route dialog box. The box allows you to check the text for errors. DNS Configuration Use the DNS tab to configure the Firebox Vclass appliance with a host domain name and DNS server entries.
  • Page 145 In the Domain Name field, type the domain name of the Firebox Vclass appliance. To add a DNS server: Click Insert. The DNS Server dialog box appears. Type the IP address in the appropriate field.
  • Page 146: Snmp Configuration

    For a complete list of supported MIBs for Firebox Vclass appliances, review the MIB files that are stored on the WatchGuard CD. Because Firebox Vclass appliances support the SNMP version 1 protocol, you can assign an SNMP community to this Firebox Vclass appliance so that it can be managed through SNMP management stations.
  • Page 147 Vclass appliance, you must first create and apply a security policy that allows SNMP traffic to pass through the appliance. To configure SNMP traps: Click the SNMP tab. The SNMP settings are displayed. Click Add. The SNMP Management Station dialog box appears.
  • Page 148: Log Configuration

    In the SNMP Station IP field, type the IP address. Click Add. Repeat this process to record the IP addresses of all other management stations. Type the password that will identify the appliance to the Management Station or stations in the Community String field.
  • Page 149 A payment method for all requested certificates, preferably credit card • Any root certificates provided by this authority To import certificates: Click the Certificate tab. The Certificate fields are displayed. A WatchGuard certificate is imported by default.
  • Page 150 To request a new X.509 certificate, click Create Request. The Certificate Request dialog box appears.
  • Page 151 Type the following information: Name The name of the Firebox Vclass appliance. This is the same as the system name configured in the General settings. See “General Configuration” on page 90. Department Name The group or department name that administers this appliance.
  • Page 152 Fill in the following fields and then click Next. Subject Name This field is automatically updated with processed data from your first step entries. You can make any deletions or changes in this text field if you know the proper formatting for all the elements.
  • Page 153 Key Usage Click the preferred option. (If you chose DSA as the algorithm, you can only select Signature for key usage.) Click Next. The Certificate Signing Request (CSR) is displayed. Select the text in the dialog box and then press Control+a.
  • Page 154 14 Review the information displayed in the Certificate Request dialog box, and then click Finish. The Certificate Request dialog box closes and the System Configuration dialog box reappears. A new entry appears in the Certificate list representing the pending certificate request. To view specific information about a pending certificate: Select the entry from the Certificates list.
  • Page 155: Importing A Certificate Or Crl File

    Click Review CSR to view the Certificate Signing Request. The Review CSR dialog box appears. Click Copy/Close to return to the Review CSR dialog box. A copy of the CSR is sent to the clipboard. Click OK. You must wait for the certificate to arrive in the form of a text file from the co-signing authority.
  • Page 156 Click Load the certificate from a file. Locate and select the root certificate file. If you prefer, you can also use a text editor to open the file. Then copy and paste the text. When the certificate text is displayed, click Import Certificate.
  • Page 157: Ldap Server Configuration

    Click Browse. Locate and select the appropriate CRL file. When the file path appears in the File Name field, click Import CRL. This imports the CRL into the Firebox Vclass appliance. After the import is complete, the dialog box closes and the newly imported CRL name appears in the Certificates list.
  • Page 158 Select the Use LDAP Server checkbox. In the Server IP/Name field, type the IP address or domain name of the LDAP server. If the LDAP server is not using the default port number 389, type the correct port number in the Port Number field.
  • Page 159: Ntp Server Configuration

    Apply To immediately apply the settings to the Firebox Vclass appliance. NTP Server Configuration Use the NTP tab to configure the Firebox Vclass to contact an NTP server. An NTP server uses Coordinated Universal Time (UTC) to synchronize computer clock times. To configure the NTP settings: Click the NTP tab.
  • Page 160 Click Yes to enable NTP. If you later decide to disable NTP, click No. Enter the IP address of an NTP server. It is possible that the connection to an NTP server can be broken. If this occurs, the Current NTP Status displays “Not Running.”...
  • Page 161: Advanced Configuration

    Click Yes to restart NTP. When you have finished configuring the NTP server settings, click one of the following options: Reset To return the settings to the previous configuration. Apply To immediately commit the settings to the Firebox Vclass appliance. Advanced Configuration The Advanced tab allows you to configure global policy settings.
  • Page 162 The following global policy settings are displayed: TCP Syn Checking This option enables the inspection of a proper TCP three-way handshake. It provides an extra layer of protection against illegal TCP connections. - To enable TCP SYN checking, select the Enable Syn Checking checkbox.
  • Page 163 - To ignore a DF bit (Don’t Fragment) during an IPSec transmission, select the Ignore DF for IPSec checkbox. - To allow IPSec traffic to pass through to an internal address that is using NAT, select the IPSec pass-through checkbox. ICMP Error Handling Regular network traffic may include various ICMP error messages.
  • Page 164: Hacker Prevention Configuration

    - The result is then rounded down to the next lower multiple of 8 bits (8-bit aligned) to determine the size in bytes that is required for packet transmission. The results of this calculation are used as the MSS for the connection.
  • Page 165 Hacker Prevention Configuration You can customize and apply the following two groups of options at this time: Denial-of-service settings: These options safeguard your servers from denial-of-service (DOS) attacks. These attacks flood your network with requests for information, clogging servers and possibly shutting down your network.
  • Page 166 through. This protects your servers from becoming overwhelmed by too many requests within a short period of time. ICMP Flood Attack Safeguards your network from a sustained flood of ICMP pings. After selecting the checkbox, type the threshold number in the text field that will trigger the denial-of-service protection.
  • Page 167 Per Server Quota Safeguards your servers from coordinated denial-of-service attacks from any client to any single server. After selecting the checkbox, type a threshold number in the text field that represents the maximum request capacity (per second) of that server.
  • Page 168: Cpm Management Configuration

    CPM Management Configuration Use the CPM Management tab to allow a specified CPM server to manage the Firebox Vclass appliance. Click the CPM Management tab. The CPM Management settings are displayed. Select the Enable CPM Management checkbox. In the CPM Server IP Address field, type the CPM server IP address.
  • Page 169: License Configuration

    Vclass appliance. License Configuration Use the Licenses tab to import licenses, which you obtain from WatchGuard, and add extra features. For more information about licensing additional features and capacity for your Firebox Vclass appliance, visit the WatchGuard Web site.
  • Page 170 To import a new license: Click Add. The Import License dialog box appears.
  • Page 171 Click Load the license from a file. Locate and select the license file. If you prefer, you can also use a text editor to open the file. Then copy and paste the text. When the license text is displayed, click Import License.
  • Page 172: Install Licenses From A License Package

    Review the license information. When you are finished, click Close. To see which features are currently active: Click Show Active Features. The Active Features dialog box appears. Review the active features along with their capacity and status. Click Refresh to update the feature list.
  • Page 173 licenses from a License Package file, only the licenses that apply to the current appliance (determined by the serial number) are applied. You must install the License Package separately to each appliance to apply or update all of your licenses. To install a License Package: Click the Licenses tab.
  • Page 174: Vlan Forwarding Option

    Locate and select the bulk license file, and click Open. The License Package is read by Vcontroller, and any licenses that apply to the current Vclass appliance are loaded. There are three possible results for this action: the license installation is successful, in which case a success dialog appears;...
  • Page 175 two VLANs, one using this appliance, and another, separate VLAN behind another appliance, all connected to the same switch. This function enables you to use an IT management workstation in VLAN 1 to connect through the local gateway appliance and to monitor and maintain a Web server assigned to VLAN 3–which entails inter-VLAN connections.
  • Page 176 If this tab is not visible, this Firebox Vclass appliance does not incorporate these VLAN-forwarding features. Select the Enable Inter-VLAN Forwarding checkbox. When you have finished configuring the VLAN Forwarding settings, click one of the following options: Reset To return the settings to the previous configuration.
  • Page 177: Blocked Sites Configuration

    Blocked Sites Configuration The System Configuration Blocked Sites List allows you to create a permanent list of blocked IP addresses, and a permanent list of Exceptions, which are never blocked. When packets from a Blocked IP address reach the Vclass through the Public port, they are dropped.
  • Page 178 To Block an IP address: Click the Blocked Sites tab. The System Configuration Blocked Sites window appears. To add a blocked site, click the Add button under the Permanent Blocked Site IP List. To edit a blocked site entry, select the entry and click Edit.
  • Page 179 In the Site (IP) field, type the IP address to block, then click OK. The new or edited site address is listed in the Blocked IP List. To add an IP address to the exception list: Click the Blocked Sites tab. The System Configuration Blocked Sites window appears.
  • Page 180: High Availability Configuration

    To find an IP address on the Blocked Sites or Exception List: Click Find under the applicable list. The Find Site dialog appears. In the Site (IP) field, type the IP address you want to find, then click OK to find the address. You can click Cancel to return to the Blocked Sites List.
  • Page 181: Chapter 7 Using Account Manager

    CHAPTER 7: Using Account Manager This chapter shows you how to create three separate types of access accounts: admin, super admin, and end user. Admin and super admin accounts enable users to connect to a Firebox Vclass appliance so that they can monitor and manage the system.
  • Page 182 CHAPTER 7: Using Account Manager super admin This account has complete control of the entire system. When a user logs into Vcontroller as a super admin, they have access to all the Manager window features and can add to or edit all the settings and policies.
  • Page 183 Click Add. The account settings become active. In the Account Name field, type an account name. The account name must be between 2 and 8 characters. In the Description field, type a brief description for the account. This field is optional. Type the appropriate password in the Password field.
  • Page 184: End-User Accounts For Authentication

    Repeat this process to add more accounts. 10 When you have finished, click Close. End-user accounts for authentication You can configure a security policy to block internal users from connecting through the Firebox Vclass appliance to the Internet or to other external networks.
  • Page 185 Type the IP address of interface 0 (Private) of the Firebox Vclass appliance as in this example: https://10.10.10.27 Press Return. A Security Alert dialog box should appear, according to the browser used. Click Yes/OK to accept the certificate. A Login page appears in the Web browser, similar to this example: Type the end-user account name in the User ID field.
  • Page 186: Managing Accounts

    Managing accounts Showing and hiding accounts You can hide accounts in the Account Manager window by double-clicking the minus (—) box at the top of the role mini-icon. This hides the list of accounts from view, and replaces the minus box with a plus box.
  • Page 187: External Access For Remote Management

    To remove a role from this account, select the appropriate role in the Selected column, then click Delete. When you have finished, click Apply. The Account Manager window displays the results under each of the roles in the left-hand column. Click Close to save your entries and close the Account Manager.
  • Page 188: Account Access Conflicts

    external access, you can then use Vcontroller to remotely manage the appliance. Account Access Conflicts If you create several super admin access accounts, remember that Firebox Vclass appliances allow only one super admin account to connect at any time with full administrative privileges.
  • Page 189 This window appears in the following circumstances: • You were recently logged in as a super admin user and your computer froze or crashed, terminating the administrative session, or you simply exited Vcontroller and did not log out correctly. • Another person was already logged in as a non-default super admin user when you attempted to log in with the default super admin account.
  • Page 190
  • Page 191: Chapter 8 About Security Policies

    CHAPTER 8: About Security Policies The purpose of a Firebox Vclass appliance is to determine whether data is to be passed or blocked and, if passed, what action will be taken with the data. The set of rules by which data is evaluated and managed is called a security policy.
  • Page 192: Security Policy Components

    CHAPTER 8: About Security Policies You can use Vcontroller to create and combine any number of policies on a Firebox Vclass appliance, enabling that appliance to fully protect and enhance your network traffic. Security policy components Every security policy is composed of two basic components: the traffic specifications and an action.
  • Page 193: Types Of Policies

    Policy actions A policy action prompts the Firebox Vclass appliance to perform certain management tasks with data that matches qualifying traffic specifications. Your appliance can take one or more of the following actions: • Protect your private networks from unauthorized intrusions, if the traffic is external.
  • Page 194 Virtual Private Networks create secure tunnels through both internal networks or through the Internet, so that encrypted data can be sent efficiently and securely from one device to the other. VPN policies can be applied to both site-to- site traffic and remote-client-to-site traffic.
  • Page 195 automatically dumps the excess traffic and protects your systems from stalling or crashing. Multi-tenant You can route VLAN traffic through a Firebox Vclass appliance, including inter-VLAN forwarding, or you can establish a number of user domains to virtually define restricted groups of network tenants and then route traffic to and from the members of that domain.
  • Page 196: Using Policy Manager

    Using Policy Manager Policy Manager allows you to create and edit a detailed security policy. Within the security policy, you can create a variety of actions as well as define schedules, address groups, tenants, and other components for security policies.
  • Page 197 • Click Address Group to view the list of defined entries. The Address Group dialog box appears. - To create a new Address Group, click New. For instructions on defining the entry, see “Defining an address group” on page 180. - To edit an address group, select the entry and click Edit.
  • Page 198 • Click Service to view the list of defined entries. The Service dialog box appears. - To create a new Service, click New. For instructions on defining the entry, see “Defining a service” on page 182. - To edit a service, select the entry and click Edit.
  • Page 199 • Click IPSec Action to view the list of defined entries. The IPSec Action dialog box appears. - To create a new IPSec action, click New. For instructions on defining the entry, see “Defining an IPSec action” on page 315. - To edit an IPSec action, select the entry and click Edit.
  • Page 200 • Click Proxy Action to view the list of defined entries. The Proxy Action dialog box appears. - To create a new Proxy action, click New. For instructions on defining the entry, see “Creating a Proxy Action”...
  • Page 201 • Click QoS Action to view the list of defined entries. The QoS Action dialog box appears. - To create a new QoS action, click New. For instructions on defining the entry, see “Defining a QoS action” on page 196. - To edit a QoS action, select the entry and click Edit.
  • Page 202 • Click NAT/LB Action to view the list of defined entries. The NAT/LB Action dialog box appears. - To create a new NAT or Load Balancing action, click New. For instructions on defining the entry, see “About Load Balancing”...
  • Page 203 • Click Schedule to view the list of defined entries. The Schedule dialog box appears. - To create a new schedule, click New. For instructions on defining the entry, see “Defining a Schedule” on page 205. - To edit a schedule, select the entry and click Edit. - To delete a schedule, select the entry and click Delete.
  • Page 204 • Click Tenant to view the list of defined entries. The Tenant dialog box appears. - To create a new tenant, click New. For instructions on defining the entry, see “Defining tenants” on page 189. - To edit a tenant, select the entry and click Edit.
  • Page 205: How Policy Order Governs Policy Application

    • To save the settings to the Management Station and apply them to the Firebox Vclass appliance when it is restarted, click OK. • To close the Policy Manager window without saving or applying any changes, click Cancel. • To immediately commit the settings to the Firebox Vclass appliance, click Apply.
  • Page 206: Applying System-Wide Qos Port Shaping

    After you have created a number of policies and tested them, you may need to move one or more policies out of their current place to another, to permit them to be used before or after other existing policies. To do this, use the arrow buttons to the left of the policy list in the Policy Manager window.
  • Page 207: Using Tunnel Switching

    overall outgoing throughput, while individual policy actions prioritize specific data. To apply system-wide QoS port shaping: Click System QoS. The System QoS dialog box appears. To configure QoS for either the Public or Private interfaces, select the Enable QoS checkbox. Select either Kbps or Mbps from the drop-down lists.
  • Page 208 side of the window. The Security Policy Checker dialog box appears. In the Source field, type the IP address of the external device from which the expected traffic will arrive. In the Destination field, type the IP address of the internal device for which the expected traffic is destined.
  • Page 209 From the Service drop-down list (if active), select the service this policy should check for. From the Protocol drop-down list (if active), select the protocol to be used. In the Server Port field (if active), type the port number for this protocol. If this test will verify a policy for multi-tenant domain traffic, type an ID in the Tenant ID field.
  • Page 210: Default Policies

    Default policies When you first install Vcontroller, three preinstalled policies are put into effect. PRIVATE_HTTPS Permits incoming HTTPS traffic access to interface 0 (Private). Vcontroller uses HTTPS traffic, so this policy allows management connections to the private interface.
  • Page 211: Defining Source And Destination

    Click the Traffic Specs tab to view and edit traffic information for the policy. Click the Actions tab to view and edit actions performed by the policy. When you have finished, click Done. Defining source and destination Source and destination information for a security policy are defined in the Traffic Specs page of the Insert Security Policy dialog box.
  • Page 212: Defining An Address Group

    PRIVATE_PORT_IP The IP address of the Private interface. PUBLIC_PORT_IP The IP address of the Public interface. DMZ_PORT_IP The IP address of the DMZ interface. DMZ2_PORT_IP The IP address of the second DMZ interface. INTERFACE_IPS The IP addresses of all interfaces.
  • Page 213 In the Name and Description fields, type a name and brief description for the address group. The Description field is optional. Click New. The New Address Group Member window appears. From the Type drop-down list, select the category of members that will be the source or destination of traffic.
  • Page 214: Defining A Service

    If you chose IP Address Range, type the starting and ending IP addresses for the range. If you chose Address Group, from the Address Group drop-down list, select the appropriate item. This drop-down list lists every address group created for use with the Firebox Vclass appliance.
  • Page 215 • An existing service group, which includes two or more related services. You can assemble a service group of one or more services for use in a single policy, to save you from having to create a separate policy for each service. Although a comprehensive set of protocols is included in the Service drop-down list, you can create a new service group using the procedure in the next section.
  • Page 216 CHAPTER 8: About Security Policies From the Type drop-down list, select the appropriate option. To create a service group combining a protocol and port number: - Select Single Service from the Type drop-down list. - From the Protocol drop-down list, make the appropriate selection.
  • Page 217: Defining The Incoming Interface

    - Click Done. To combine two or more existing services into a convenient group: - Select Service Group from the Type drop-down list. - From the Protocol drop-down list, select the first service you want to add to this group. - The New Service dialog box reappears, listing your new service group.
  • Page 218: Using Tenants

    2 (DMZ) Also considered an “optional” interface. This interface receives traffic originating from both external networks as well as your internal networks. This interface is not available on the V10 or V100 models. 3 (DMZ2) Also considered an “optional” interface. This...
  • Page 219: About Vlans And Tenants

    rity appliance. This reduces the cost of providing firewall and VPN services to all tenants. In addition to VLAN-type tenants, all Vclass security appliances allow administrators to apply security policies to VLAN-like tenants in a non-VLAN environment. This type of tenancy is called a user domain. By logging on and providing a user ID, password, and domain name to a Vclass security appliance, an end user can access the Internet or use VPN policies defined for his or her specified...
  • Page 220: User Domain Tenant Authentication

    Although Vcontroller does not require all policies with the same VLAN object to be grouped together in the Policy Manager security policy table, WatchGuard recommends that you do so for better policy management. The current line of Firebox Vclass appliances recognize VLAN/802.1Q headers in data for routing purposes.
  • Page 221: Defining Tenants

    • When the connection is made, a Login form appears in the browser. • The user clicks in each of the three text entry fields and types the required information. • The browser displays either a Confirmation message, indicating that the connection is complete and ready for use, or an Invalid Entry alert, allowing the user to try reentering his or her login information.
  • Page 222 CHAPTER 8: About Security Policies In the Tenant Name and Description fields, type a name and brief description for the tenant. The Description field is optional. In hte Public Interface IP and Public Interface Mask fields, type the IP address and netmask of the public interface, or select the Use Default checkbox to use the default IP address and netmask.
  • Page 223 In the Tenant ID field, type a number (5001 or higher) to identify this particular tenant’s traffic. In the Idle Time Out field, type the number of minutes a tenant user’s connection can remain idle before it is automatically terminated. In the RADIUS IP field, type the IP address of the RADIUS server.
  • Page 224: Using The Firewall Options

    In the Request Time Out field, type the number of seconds that determine when an unanswered authentication request to the RADIUS system will be dropped. Two seconds is the recommended value. In the Request Retry field, type the number of retries that this appliance will make in requesting authentication from the RADIUS system if the initial attempts go unanswered.
  • Page 225: Defining The Firewall Action

    You can define multiple firewall policies to work in con- junction with each other. For example, in addition to the policy described previously, you could define a separate policy that grants HTTP access to the Internet for internal users. You can also define a firewall policy for internal traffic, to block internal network users from unauthorized Internet access, such as Web browsing.
  • Page 226: Using Quality Of Service (Qos)

    Block Prevents all qualifying traffic from gaining access to your network. Reject Blocks incoming traffic from the source and sends a TCP reset message back to that source’s interface. Proxy Inserts a proxy action to provide content filtering. When this is selected, you can select from the list of available proxy actions, create a new proxy action, or edit an existing proxy action.
  • Page 227 work. When severe network congestion occurs, all traffic is affected equally. The Firebox Vclass security appliance offers Quality-of-Service (QoS) features that enable you to assign more bandwidth to your most valuable traffic. The QoS features implemented in Firebox Vclass appliances are Weighted Fair Queuing (WFQ), Type of Service (TOS) marking, and port shaping.
  • Page 228: Defining A Qos Action

    bandwidth of the physical connection. If a huge volume of traffic comes from the private network to interface 1, packets are transmitted according to the weight defined in a QoS policy action–with no unnecessary loss of packets. Defining a QoS action To define a QoS action: Click New, next to the QoS Action drop-down list.
  • Page 229: Activating Tos Marking

    Activating TOS marking You can now activate and customize the TOS Marking values, which enables this policy to overwrite the TOS byte in the IP header of qualified incoming packets. Before doing so, make sure you know the direction of traffic that will be affected by this policy, so you can determine whether marking will be forward, reverse, or both.
  • Page 230: About Nat

    To toggle a particular field’s bit to ON, click the 0 in a field, which will automatically turn into a 1. To reverse this setting, click the 1 to restore it to 0. Click Done. About NAT Network address translation (NAT)–also called IP masquerading or port forwarding–takes IP addresses used on...
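The TOS marking described above overwrites one byte of the IP header, which means the header checksum must be recomputed or every marked packet is discarded by the next hop. The following is an added example (not WatchGuard's code) that builds a small IPv4 header, overwrites its TOS byte field by field, recomputes the checksum, and applies the marking only in the forward, reverse, or both directions of a policy. The sample packet addresses and the policy source address are constructed for the example.

```python
# Added example: TOS marking of an IPv4 header with checksum recomputation.
# Illustrative code, not WatchGuard's implementation; the sample packets and
# the policy source address are constructed.
import struct

# RFC 791 / RFC 1349 layout of the TOS byte:
#   bits 7-5 precedence, bit 4 low delay, bit 3 high throughput,
#   bit 2 high reliability, bit 1 minimize cost, bit 0 must be zero.


def tos_byte(precedence=0, low_delay=False, high_throughput=False,
             high_reliability=False, low_cost=False) -> int:
    """Assemble the TOS byte from its individual fields."""
    if not 0 <= precedence <= 7:
        raise ValueError("precedence is a 3-bit field")
    return ((precedence << 5) | (low_delay << 4) | (high_throughput << 3)
            | (high_reliability << 2) | (low_cost << 1))


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (RFC 1071)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, tos=0, proto=6, total_len=40,
                      ttl=64, ident=0x1234) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident, 0x4000,
                      ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def checksum_ok(packet: bytes) -> bool:
    """A header whose checksum field is correct sums to zero."""
    ihl = (packet[0] & 0x0F) * 4
    return ipv4_checksum(packet[:ihl]) == 0


def mark_tos(packet: bytes, tos: int) -> bytes:
    """Copy of the packet with the TOS byte overwritten and the header
    checksum recomputed; IP options (IHL > 5) are preserved as-is."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[1] = tos & 0xFF
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def mark_by_direction(packet: bytes, policy_source: str, direction: str,
                      tos: int) -> bytes:
    """Mark only the chosen direction of a policy's traffic: 'forward' marks
    packets whose source is the policy source, 'reverse' marks the replies,
    'both' marks either. Unmarked packets are returned unchanged."""
    if direction not in ("forward", "reverse", "both"):
        raise ValueError("direction must be forward, reverse or both")
    src = ".".join(str(b) for b in packet[12:16])
    is_forward = (src == policy_source)
    if direction == "forward" and not is_forward:
        return packet
    if direction == "reverse" and is_forward:
        return packet
    return mark_tos(packet, tos)


# Constructed samples: a request and its reply, each with a 20-byte header
# followed by a 20-byte zero stand-in for the transport segment.
SAMPLE = build_ipv4_header("10.0.1.5", "203.0.113.10") + bytes(20)
REPLY = build_ipv4_header("203.0.113.10", "10.0.1.5") + bytes(20)

if __name__ == "__main__":
    marked = mark_by_direction(SAMPLE, "10.0.1.5", "forward", tos_byte(5, low_delay=True))
    print("TOS 0x%02x, checksum valid: %s" % (marked[1], checksum_ok(marked)))
```

Overwriting the byte without recomputing (the `SAMPLE[:1] + bytes([0xB0]) + SAMPLE[2:]` case) leaves a header that fails `checksum_ok`, which is what a downstream router would silently drop.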
  • Page 231: Dynamic Nat

    You can apply one-to-one, many-to-many, or subnet-to-subnet static NAT policies to qualifying traffic. All types of static NAT action are described in this section. Before you proceed, you should be aware of the following constraints on static NAT policies as applied by a Firebox Vclass appliance: •...
  • Page 232: About Load Balancing

    User assigned IP This action substitutes a publicly routable IP address of your choosing for internal use IP addresses. This option is particularly useful if this appliance will be managing more than 55,000 simultaneous sessions using the IP address of the Public interface.
  • Page 233 address of interface 1 (Public) of the Firebox Vclass appliance as the translation address. To create a Dynamic NAT action using a user-defined IP address: Select either 0 (Private), 2 (DMZ), or 3 (DMZ2) from the Incoming Interface drop-down list. You cannot apply dynamic NAT to traffic arriving on interface 1 (Public).
  • Page 234 CHAPTER 8: About Security Policies Type the publicly routable IP address in the IP Address field. Click Done to close the New Mapping dialog box and return to the New Load Balancing/NAT Action dialog box. 10 Click Done to close the New Load Balancing/NAT Action dialog box.
  • Page 235: Defining A Load-Balancing Action

    Click Done to close the New Mapping dialog box and return to the New Load Balancing/NAT dialog box. The new mapping entry is displayed. Click Done. Defining a Load-Balancing Action To define a load-balancing action: Click New. The New Load Balancing/NAT Action dialog box appears. In the Name and Description fields, type a name and brief description for the load balancing action.
  • Page 236 CHAPTER 8: About Security Policies Weighted Least Connection When new traffic is sent to the servers, an algorithm determines the least number of connection and weights that can be assigned. If you chose Weighted Round Robin, Weighted Random, or Weighted Least Connection from the Load Balancing drop-down list, you can assign specific weights to particu- lar IP addresses or address groups.
  • Page 237: Using Policy Schedules

    Using Policy Schedules After a policy is defined and applied, it is in effect immediately, 24 hours a day, seven days a week. However, you can modify a policy such that it is active only during specific times of the day or certain days of the week. For any given day in a week, you can choose up to four periods that a policy will be activated.
  • Page 238 CHAPTER 8: About Security Policies If you do not want the policy scheduler to make use of these schedules right away, clear the Enable Scheduler checkbox. You can reopen this schedule and reactivate the Scheduler at a later time. To create weekly schedules: Select Weekly.
  • Page 239: Using The Advanced Settings

    Click Done. Repeat this process until a complete week’s schedule has been recorded. Click Done. If you want to create a daily schedule that affects every day of the week: Select Daily. Click Edit Day Schedule. The Edit Day Schedule dialog box appears. Select the Period 1 checkbox.
  • Page 240 CHAPTER 8: About Security Policies Click one of the following options: Use Global Settings Selecting this option enables the ICMP error handling global policy settings configured using the System Configuration button. For more information, see “Advanced Configuration” on page 129. Use Per-Policy Settings Selecting this option allows you to define ICMP error handling parameters particularly for this...
  • Page 241 To enable the Firebox Vclass appliance to log for this particular security policy, click Enable Per-policy Log. For information on configuring logging, see “Log Settings” on page 383. Click the MSS tab. To enable per-policy TCP MSS (Maximum Segment Size), click Use Per-policy Settings.
  • Page 242 CHAPTER 8: About Security Policies This feature works in conjunction with the MTU settings, but on a per-policy basis, to limit the size of packets, if configured. This feature overcomes the following problems: • Oversized packets can result in fragmentation, degrading VPN performance.
  • Page 243: Chapter 9 Security Policy Examples

    Security Policy CHAPTER 9 Examples This chapter includes examples of Vclass Firewall policies, VLAN policies, Quality of Service policies, NAT policies, and Load Balancing policies. You can use these policies as a guide when designing your system security policies. Firewall Policy Examples The following sections describe different types of networks and how to create firewall policies to meet their...
  • Page 244: Example 2: Restricting Internet Access

    The following illustration shows the internal, private network (with private IP addresses assigned to the three computers) as connected to the Private interface of the Firebox Vclass appliance. This interface has its own IP address, and the Public interface (through which all communications with the external networks are routed) has a separate IP address.
  • Page 245 However, this company also wants to set the following restrictions on how internal users access the Internet: • No web surfing (HTTP traffic) during office hours • Only Web services and email traffic are passed by the Firebox Vclass appliance to the Internet This example uses the firewall policies created in Example 1.
  • Page 246: Example 3: Allowing Unlimited Access For Authorized Users

    The policies for this example, in the order they appear in the policy table, are Deny_HTTP, Allow_HTTP, Allow_MAIL, Deny_Private, and Deny_Public. Create a schedule with these parameters: NAME: 9 to 5, Monday - Friday; DESCRIPTION: Schedule for 9:00am - 5:00pm, Monday - Friday; ENABLE SCHEDULER: Checked; TYPE: Weekly...
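Example 2 only works because the policy table is evaluated top to bottom and the scheduled Deny_HTTP policy sits above Allow_HTTP: outside office hours the scheduled policy is inactive, so the same HTTP traffic falls through to the next row. The following is an added example (not WatchGuard's code) that models that first-match evaluation with a weekly schedule, in the spirit of the Security Policy Checker described earlier in this chapter. The private network range, the service port numbers of the MAIL service group, the source and destination columns of each policy, and the timestamps are all constructed for the example, since the guide's table does not survive extraction.

```python
# Added example: first-match security policy evaluation with a weekly
# schedule. Illustrative code, not WatchGuard's implementation; the private
# network, service ports, policy columns and timestamps are constructed.
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

ANY = "ANY"


@dataclass
class Service:
    protocol: str                # "tcp", "udp" or ANY
    port: Optional[int] = None   # server port; None matches every port


@dataclass
class Schedule:
    days: frozenset              # weekday numbers, Monday=0 .. Sunday=6
    periods: tuple               # (start_hour, end_hour) pairs, end exclusive
    enabled: bool = True

    def active(self, when: datetime) -> bool:
        if not self.enabled:
            return True          # Enable Scheduler cleared: in effect 24x7
        if when.weekday() not in self.days:
            return False
        return any(start <= when.hour < end for start, end in self.periods)


@dataclass
class Policy:
    name: str
    source: str                  # CIDR network or ANY
    dest: str
    services: tuple              # one or more Service entries (a service group)
    firewall: str                # "Pass", "Block" or "Reject"
    schedule: Optional[Schedule] = None


def addr_matches(spec: str, addr: str) -> bool:
    return spec == ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def service_matches(services, protocol: str, port: int) -> bool:
    for svc in services:
        if svc.protocol not in (ANY, protocol):
            continue
        if svc.port is not None and svc.port != port:
            continue
        return True
    return False


def check_policy(policies, src, dst, protocol, port, when):
    """Return the first policy whose traffic spec matches, or None.

    A policy whose schedule is not active at `when` is skipped, so the next
    row gets a chance to match: table order decides when policies overlap.
    """
    for p in policies:
        if p.schedule is not None and not p.schedule.active(when):
            continue
        if (addr_matches(p.source, src) and addr_matches(p.dest, dst)
                and service_matches(p.services, protocol, port)):
            return p
    return None


def decision(policies, src, dst, protocol, port, when):
    """Name and firewall action of the policy that would handle this traffic."""
    p = check_policy(policies, src, dst, protocol, port, when)
    return (p.name, p.firewall) if p else ("<no match>", "Block")


HTTP = (Service("tcp", 80),)
MAIL = (Service("tcp", 25), Service("tcp", 110))   # constructed service group
PRIVATE_NET = "10.0.1.0/24"                        # constructed private network
OFFICE_HOURS = Schedule(days=frozenset(range(5)), periods=((9, 17),))

# Example 2 policy table in the order it must appear in Policy Manager.
EXAMPLE_2 = (
    Policy("Deny_HTTP", PRIVATE_NET, ANY, HTTP, "Block", OFFICE_HOURS),
    Policy("Allow_HTTP", PRIVATE_NET, ANY, HTTP, "Pass"),
    Policy("Allow_MAIL", PRIVATE_NET, ANY, MAIL, "Pass"),
    Policy("Deny_Private", PRIVATE_NET, ANY, (Service(ANY),), "Block"),
    Policy("Deny_Public", ANY, ANY, (Service(ANY),), "Block"),
)
# The same rows with Allow_HTTP moved above Deny_HTTP: the schedule never applies.
SWAPPED_ORDER = (EXAMPLE_2[1], EXAMPLE_2[0]) + EXAMPLE_2[2:]

TUE_10AM = datetime(2024, 1, 9, 10, 0)   # constructed timestamps
TUE_6PM = datetime(2024, 1, 9, 18, 0)
SAT_10AM = datetime(2024, 1, 13, 10, 0)

if __name__ == "__main__":
    for when in (TUE_10AM, TUE_6PM, SAT_10AM):
        print(when, decision(EXAMPLE_2, "10.0.1.5", "203.0.113.10", "tcp", 80, when))
```

Running the same web request through `SWAPPED_ORDER` returns `Allow_HTTP` even during office hours, which is the mistake the arrow buttons in Policy Manager exist to fix.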
  • Page 247 rized users are allowed to gain external access. Unauthorized users are still blocked. Use the Account Manager to create end-user access accounts for each individual to be allowed Internet access during working hours. Distribute login IDs, passwords, and connection instructions to these users so that they can connect through the firewall.
  • Page 248: Example 4: Allowing Communication Between Branch Offices

    Example 4: Allowing communication between branch offices Appleby Incorporated has two branch offices, each with a separate Firebox Vclass appliance. These branch offices need separate sets of firewall policies to enable all users in the offices to communicate with the other branch office. To achieve such control over inter-branch traffic, you must create policies on both Firebox Vclass appliances.
  • Page 249 Create two separate address groups to represent the computers in each branch office, using the following entries in the New Address Group dialog box: Address Group 1: Name: Branch_1, Member type: IP Network, Addresses: 128.100.1.0, Subnet mask: 255.255.255.0 Address Group 2: Name: Branch_2, Member type: IP Network, Addresses: 176.14.1.0, Subnet mask: 255.255.255.0 Create the following policy on Appliance 1:...
  • Page 250: Example 5: Defining Policies For An Isp

    Example 5: Defining policies for an ISP ConnectYouUp.com is an ISP with a firewall that protects all internal private network assets while permitting subscribers to access servers in a DMZ, read and send email, surf the Internet, and use FTP services.
  • Page 251: Example 6: Controlling Access At Corporate Headquarters

    Reconfigure all of the computers in the private network to use a default gateway corresponding to interface 0 of the Firebox Vclass appliance. In this example, the gateway is 126.20.20.1. Create three separate policies, permitting access to different servers in the DMZ network. Define an email service for the DMZ interface, enabling subscribers to send email.
  • Page 252 • All other types of Internet connections are permitted. • Everyone from the outside world can send email to the Mail server (accessible through interface 2). Open the System Configuration dialog box and use the Route tab features to add a new route to the appliance.
  • Page 253 Member type: IP Network; Address: 126.20.20.0; Subnet mask: 255.255.255.0. Create a schedule called “9to5M-F”, as described in “Example 2: Restricting Internet access” on page 212. Create the necessary end-user accounts for all of the authorized users, as described in “Example 3: Allowing unlimited access for authorized users”...
  • Page 254: Vlan Policy Examples

    XYZ to access their assets in the ASP through secure VPN tunnels. Because the ASP should not be allowed to access Company ABC and XYZ’s private networks, uni-directional VPN policies on the WatchGuard appliances are necessary. The following address groups and VLAN objects for use by...
  • Page 255 Address groups: ABC_Net, XYZ_Net, Tenant_ABC, Tenant_XYZ. VLAN tenant entries: ABC, XYZ. The requisite VPN policies on “ASP” should have the following parameters, one policy per tenant: ABC_Net with Tenant_ABC, and XYZ_Net with Tenant_XYZ. At the Company ABC site, a new policy should be applied to “ABC” with the following parameters: ABC_Net with Tenant_ABC...
  • Page 256: Using A Firebox Vclass Appliance In A Vlan Setting

    Using a Firebox Vclass appliance in a VLAN setting If your SNMP management stations, DNS servers, OSPF routers, RADIUS servers, and mail servers are located in a VLAN-enabled network, you must explicitly define separate policies that allow Firebox Vclass appliances to send traffic to those devices.
  • Page 257: An Example Of A User-Domain Policy In Use

    fied by the RADIUS system, the Firebox appliance associates the user (IP address) to the relevant domain. Any traffic from the user will then be covered by policies that incorporate that domain. An example of a user-domain policy in use As noted previously, the key element in user-domain tenant policies is user authentication, which is how traffic pertaining to a specific tenant is identified.
  • Page 258: Qos Policy Examples

    and the IP address simply becomes a temporary location for the duration of the connection. QoS Policy Examples When using QoS actions within your policies to prioritize your network traffic, remember that any traffic streams not included in explicit QoS actions will be affected by a default QoS action with WFQ set to 5.
  • Page 259: Static Nat Policy Examples

    Policy 6: QoS action B with WFQ weight = 5 In this case, the ratio between all three QoS actions is 5 (default), 15 (QoS A), and 5 (QoS B) which is a 1:3:1 ratio. Therefore, when the network capacity is fully utilized, policy 1 traffic will use 60% of the total bandwidth (3/5), policy 4 and policy 6 traffic will share 20% (1/5) of the bandwidth, and all other traffic will share the remaining...
  • Page 260: Example 2: Preventing Conflicts Between Ip Addresses

    The policies would incorporate these entries: an Inbound policy with the static NAT action, and an Outbound policy with source Internal_Net and the static NAT action. The two address groups would include these entries: Internal_net = 192.168.12.0/24; Alias = 192.168.24.0/24. The static NAT action (static NAT_1) would reflect these entries: Internal = Internal_net, External = Alias...
  • Page 261 192.168.12.11 192.168.12.12 192.168.12.13 192.168.12.14 192.168.12.15 These address groups must first be entered in Vcontroller in the respective locations: For Site A For Site B: The following static NAT actions must be entered in Vcon- troller in the respective locations: For Site A For Site B The policies in the Site A security appliance would include these settings:...
  • Page 262 CHAPTER 9: Security Policy Examples Name Dest SITE_ Net_A Net_B The policies in the Site B security appliance would include these settings: Name Dest SITE_ Net_B Net_A Srvc Static action 0 (pvt) static NAT_A Srvc static action 0 (pvt) static NAT_b IPSec_A-B (<->)
  • Page 263: Load Balancing Policy Examples

    Load Balancing Policy Examples Configuring Load Balancing for a Web Server After starting the Vcontroller application, click Security Policy in the Policy column. The Policy Manager window appears. Click any existing policy entry (or click the last row) in the Security Policies list. Your new policy appears in the row you selected and moves the existing policy down a row.
  • Page 264: Configuring Load Balancing For An E-Commerce Site

    Configuring Load Balancing for an E-commerce Site The following example shows how a Firebox Vclass appliance can function as a load balancing accessory to evenly distribute data requests to a series of Web servers. This scenario can be adapted to full effect in e-commerce sites that use a large number of servers to manage the growing number of consumers.
  • Page 265 challenge is to evenly distribute each new data request to a different server, although the requests originally expect 128.100.0.2 to answer. Open the System Configuration dialog box and use the Route tab to either add a default gateway or change the existing default gateway to 128.100.0.1. Open the Insert Security Policy dialog box and make the following entries.
  • Page 266 CHAPTER 9: Security Policy Examples From the Load Balancing Algorithm, select Weighted Least Connection. The Firebox Vclass appliance will route incoming HTTP traffic to the Web server that has the least number of active requests among the three servers. Click New to the right of the Servers list. When the New Server dialog box appears, select IP Address and type 127.10.10.2 in the accompanying text field.
  • Page 267 Save your new policy and then apply it in the Policy Manager window. The final load balancing policy will have these settings: Name: Allow_HTT; Dest: 128.100.0.2; Service: HTTP; Firewall: Pass; NAT/LB: Web-Load...
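The Load Balancing drop-down list offers Weighted Round Robin, Weighted Random, and Weighted Least Connection, and the e-commerce example picks the last of these for its three Web servers. The following is an added example (not WatchGuard's load balancer) of all three selection algorithms so the difference is visible: round robin ignores load, random only honours weights on average, and least-connection reacts to servers that are already busy. The server addresses 10.10.10.2 through 10.10.10.4, the weights, the pre-existing connection counts and the random seed are constructed for the example, and the exact tie-breaking and the "connections per unit of weight" rule are this example's assumptions.

```python
# Added example: weighted server selection algorithms. Illustrative code,
# not WatchGuard's load balancer; the server addresses, weights, connection
# counts, tie-breaking rule and random seed are constructed.
import random
from dataclasses import dataclass


@dataclass
class Server:
    address: str
    weight: int = 1
    active: int = 0              # currently open connections


class Pool:
    def __init__(self, servers):
        if not servers or any(s.weight <= 0 for s in servers):
            raise ValueError("need at least one server with a positive weight")
        self.servers = list(servers)
        self._rr_index = -1      # round-robin cursor
        self._rr_count = 0       # turns given to the current server

    def weighted_round_robin(self):
        """Cycle through servers, giving each `weight` consecutive turns."""
        current = self.servers[self._rr_index] if self._rr_index >= 0 else None
        if current is None or self._rr_count >= current.weight:
            self._rr_index = (self._rr_index + 1) % len(self.servers)
            self._rr_count = 0
            current = self.servers[self._rr_index]
        self._rr_count += 1
        return current

    def weighted_random(self, rng):
        """Pick a server with probability proportional to its weight."""
        return rng.choices(self.servers, weights=[s.weight for s in self.servers])[0]

    def weighted_least_connection(self):
        """Server with the fewest active connections per unit of weight;
        min() keeps the first server on a tie, i.e. list order."""
        return min(self.servers, key=lambda s: s.active / s.weight)


def wlc_sequence(pool, n):
    """Assign n new requests with least-connection, holding each one open."""
    chosen = []
    for _ in range(n):
        s = pool.weighted_least_connection()
        s.active += 1
        chosen.append(s.address)
    return chosen


def wrr_sequence(pool, n):
    return [pool.weighted_round_robin().address for _ in range(n)]


def random_counts(pool, n, seed):
    """How many of n random picks each server receives, for a fixed seed."""
    rng = random.Random(seed)
    counts = {s.address: 0 for s in pool.servers}
    for _ in range(n):
        counts[pool.weighted_random(rng).address] += 1
    return counts


def three_web_servers():
    # Constructed pool: the first server is twice as capable as the others.
    return Pool([Server("10.10.10.2", 2), Server("10.10.10.3"), Server("10.10.10.4")])


if __name__ == "__main__":
    print("WRR :", wrr_sequence(three_web_servers(), 8))
    print("WLC :", wlc_sequence(three_web_servers(), 8))
    print("rand:", random_counts(three_web_servers(), 1000, seed=1))
```

With a server that already holds four connections, `weighted_least_connection` steers the next request elsewhere even though its weight is the highest, which is the behaviour the guide describes for the e-commerce site; round robin would send it there regardless.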
  • Page 269: Chapter 10 Using Proxies

    Using Proxies CHAPTER 10 Proxy filtering goes a step beyond packet filtering by examining a packet’s content, not just the packet’s header. Consequently, the proxy determines whether a forbidden content type is hidden or embedded in the data payload. For example, an SMTP Incoming proxy examines all incoming SMTP packets (email) to determine whether they contain forbidden content types, such as executable programs or items written in script-
  • Page 270: In This Chapter

    catch dangerous content types in ways that packet filters cannot. In This Chapter This chapter includes the following topics: • “Proxy Description” on page 238 • “General Proxy Configuration” on page 241 • “Proxy Parameters Reference” on page 251 •...
  • Page 271: Smtp Proxy

    The HTTP proxy sits between the sending Web server and your receiving Web client, much like a standard proxy server. It processes the HTTP line-by-line for any potentially harmful content before passing it to the internal Web client. It also acts as a buffer between your Web server and potentially harmful Web clients, enforcing HTTP RFC compliance for GET and POST operations.
  • Page 272 CHAPTER 10: Using Proxies Rulesets Every rule is part of a ruleset. A ruleset can include fac- tory-configured rules and user-defined rules. Every ruleset also includes a default rule. Figure 11, “Ruleset descrip- tion,” on page 240, illustrates the different parts of a rule. Rule ordering arrows...
  • Page 273: General Proxy Configuration

    • All content of the specified type that does not match a listed rule is processed according to the default rule. • The default rule is always the last step for content filtering. The action in the default rule is applied to all content in a rule Category that does not match a listed rule.
  • Page 274 CHAPTER 10: Using Proxies Click New. The Add Proxy Action dialog appears. Select an existing proxy action to use as the base for the new proxy action from the Based On drop-down list. Click OK. The proxy action Details window appears. This window is different for each type of proxy.
  • Page 275: Editing An Existing Proxy Action

    Adjust the values and rulesets using the tabs, according to your preference. A complete reference for the parameters and configuration of the preconfigured proxies is included later in this chapter. See “Proxy Parameters Reference” on page 251 for more information. Editing an existing Proxy Action To edit an existing proxy action: Launch Vcontroller, and log in.
  • Page 276 Select a proxy action from the list, and click Edit. Note that you cannot save changes to the three default proxy actions. The Add Proxy Action dialog appears.
  • Page 277: Configuring Proxy Rules

    Adjust the values and rulesets using the tabs, according to your preference. A complete reference for the parameters and configuration of the preconfigured proxies is included later in this chapter. See “Proxy Parameters Reference” on page 251 for more information. When you have finished configuring the proxy action, click OK to save your changes, or click Cancel to close the proxy action without saving your changes.
  • Page 278 Edit or Add a rule. • To edit a rule, double-click the rule, or select the rule and click Edit. The Edit Rule dialog box appears. • To add a new rule, click Add. The New Rule dialog box appears.
  • Page 279 In the Name field, type a name for the rule. Select the type of matching to use with this rule from the pull-down menu. Rule matching options are: Exact Match Select this to match an exact (case-insensitive) string. For example, you can use this to match the exact e-mail address “spammer@spam.com”...
  • Page 280 sensitive. Substring is the default; explicit anchoring is required otherwise, using “^(regexp)$”. For example, “(\.bat|\.exe)$” will match anything ending in “.bat” or “.exe”. For more information consult a reference book, such as O’Reilly’s Mastering Regular Expressions. From the Action drop-down list, select the action the proxy takes when a match occurs.
  • Page 281: Ordering Listed Rules In A Proxy Action

    Ordering listed Rules in a Proxy Action Rules are processed in order from top to bottom of the win- dow. The default rule is always the last step for filtered content in a proxy action. To order listed rules: Edit a proxy action. See “Editing an existing Proxy Action”...
  • Page 282 Proxy Action Rule ordering example This example describes how you can use proxy action rule ordering to strip a specific MIME subtype, while still allowing the rest of the master MIME type. This example uses the SMTP-Inbound proxy action, with the default settings.
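Rule matching, the default rule and rule ordering interact in a way that is easy to get wrong from the dialog boxes alone: a broad regex rule placed above a narrow exact-match rule silently shadows it, and an unanchored regex matches substrings the author never intended. The following is an added example (not WatchGuard's proxy engine) that evaluates an ordered ruleset with a default rule, using the page's own "(\.bat|\.exe)$" pattern and the ordering scenario of stripping one MIME subtype while allowing the rest of its master type. The rule names, the "strip"/"allow"/"deny" action names, the sample MIME types and file names, and case-insensitive regex matching are assumptions of this example.

```python
# Added example: ordered proxy rule evaluation with a default rule.
# Illustrative code, not WatchGuard's proxy engine; rule and action names,
# sample values and the case-insensitive regex flag are constructed.
import re
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    match_type: str      # "exact" (whole string, case-insensitive) or "regex"
    pattern: str
    action: str

    def matches(self, value: str) -> bool:
        if self.match_type == "exact":
            return value.lower() == self.pattern.lower()
        # Regex rules match a substring unless the pattern is anchored with
        # ^...$ ; case-insensitive matching is an assumption of this example.
        return re.search(self.pattern, value, re.IGNORECASE) is not None


@dataclass
class Ruleset:
    category: str
    rules: tuple          # listed rules, evaluated top to bottom
    default_action: str   # applied to everything no listed rule matched

    def evaluate(self, value: str):
        """Return (action, rule_name) for the first matching rule, or the
        default rule when nothing matched."""
        for rule in self.rules:
            if rule.matches(value):
                return rule.action, rule.name
        return self.default_action, "default"


def filter_message_parts(ruleset: Ruleset, values):
    """Apply the ruleset to each value and return {value: action}."""
    return {v: ruleset.evaluate(v)[0] for v in values}


# Ordering example: strip one MIME subtype but allow the rest of the master
# type. The narrow rule must sit above the broad one.
STRIP_EXE = Rule("strip_msdownload", "exact", "application/x-msdownload", "strip")
ALLOW_APPLICATION = Rule("allow_application", "regex", r"^application/", "allow")
CONTENT_TYPES_GOOD = Ruleset("Content-Type", (STRIP_EXE, ALLOW_APPLICATION), "deny")
CONTENT_TYPES_BAD = Ruleset("Content-Type", (ALLOW_APPLICATION, STRIP_EXE), "deny")

# File-name rules: the page's anchored pattern versus an unanchored one.
FILENAMES = Ruleset(
    "Filename",
    (Rule("strip_executables", "regex", r"(\.bat|\.exe)$", "strip"),),
    "allow")
UNANCHORED_FILENAMES = Ruleset(
    "Filename",
    (Rule("strip_exe_unanchored", "regex", r"\.exe", "strip"),),
    "allow")

if __name__ == "__main__":
    for ct in ("application/x-msdownload", "Application/PDF", "text/html"):
        print(ct, CONTENT_TYPES_GOOD.evaluate(ct), CONTENT_TYPES_BAD.evaluate(ct))
    print(filter_message_parts(FILENAMES, ["Setup.EXE", "notes.txt", "report.exe.txt"]))
    print(UNANCHORED_FILENAMES.evaluate("quarterly.executive.pdf"))
```

In `CONTENT_TYPES_BAD` the executable subtype is allowed because `^application/` matched first, and `UNANCHORED_FILENAMES` strips `quarterly.executive.pdf` because `\.exe` is found inside `.executive`; both are the failure modes the ordering and anchoring notes above warn about.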
  • Page 283: Proxy Parameters Reference

    Proxy Parameters Reference This parameter reference describes the fields you can configure for proxy actions. Settings for the three factory default proxy actions are also described. The following default proxy actions are described: • “HTTP Client Proxy” on page 251 •...
  • Page 284 Name A name for the proxy. This field is limited to 30 characters. If the name you specify is longer than 30 characters, the name is truncated to 30 characters. Description A description of the proxy, for your reference. The proxy action should be used with the following services The default services for the HTTP proxy are TCP...
  • Page 285 Request General tab This tab allows you to configure content filtering for client-side general HTTP Request parameters. Client Connection Idle Timeout Specifies the time in seconds the proxy waits before dropping an idle connection. Default is 110 seconds. Maximum Allowed URL Length Specifies the maximum length in bytes of an allowed outbound HTTP URL.
  • Page 286 Log Connections / Maximum Log URL Length Enables or disables logging of HTTP outbound connections. When enabled, you can specify a maximum Log URL length in bytes. The default is 1024 bytes. Category Specifies the category of HTTP request rules. The Request Methods ruleset specifies HTTP request methods that the proxy allows.
  • Page 287 - Posting a message to a bulletin board, newsgroup, mailing list, or similar group of articles - Providing a block of data, such as the result of submitting a form, to a data-handling process - Extending a database through an append operation The actual function performed by the POST method is determined by the server and is usually...
  • Page 288 the resource ceases to exist or becomes inaccessible for future references (RFC 2068 section 19.6.1.3). Trace The TRACE method is used to invoke a remote, application-layer loop-back of the request message. The final recipient of the request reflects the message received back to the client as the body of a 200 (OK) response.
  • Page 289 Checkin A CHECKIN request can be applied to a checked-out, version-controlled resource, to produce a new version whose content and dead properties are copied from the checked-out resource. If a CHECKIN request fails, the server state preceding the request is restored (RFC 3253 section 4.4). Checkout A CHECKOUT request can be applied to a checked-in version-controlled resource, to allow...
  • Page 290 advertising users see. Check the URLs of popup windows or banner ads you or your users find on the Web for other ideas. Windows EXE A pattern match rule that denies URL path content with the extension “.exe.” This effectively prevents users from accessing common Windows applications using HTTP.
  • Page 291 Request Headers tab This tab allows you to configure content filtering for client-side HTTP Request Headers. Maximum Total Length The maximum total length of the HTTP Request Header. Some systems may be vulnerable to overflow attacks if the header field is too large. The default value is 0, which means there is no maximum.
  • Page 292 Category This specifies the ruleset category: Header Fields or Authorization. Header Fields This ruleset provides content filtering for HTTP Header fields. The ruleset uses exact matching rules to strip Via, Referer, and From headers, and allows all other headers by default. The Via general-header field must be used by gateways and proxies to indicate the intermediate protocols and recipients between the user agent...
  • Page 293 Authorization This ruleset provides content filtering for HTTP Request Header authorization fields. A user agent that wishes to authenticate itself with a server does so by including an Authorization request-header field with the request. The Authorization field value consists of credentials containing the authentication information of the user agent for the realm of the resource being requested.
  • Page 294 include systems running the Windows NT operating system, and on stand-alone systems. NTLM credentials are based on data obtained during the interactive logon process and consist of a domain name, a user name, and a one-way hash of the user’s password.
  • Page 295 Response General tab This tab allows you to configure general content filtering for server-side HTTP Response parameters. Server Connection Idle Timeout Specifies the amount of time, in seconds, that the connection to the server is allowed to idle before the connection is dropped. Default is 110 seconds. Body Content Type This ruleset specifies rules for filtering content in an HTTP Response.
  • Page 296 a pattern match for the Windows OCX signature: %0x5a4d00900003000000040000ffff0000%*. Windows CAB A cabinet (.cab) file is a library of compressed files stored as a single file. Cabinet files are used to organize installation files. A CAB file can contain malicious code that can be executed on a client system.
  • Page 297 Maximum Total Length Specifies the maximum total length of the HTTP Response Headers, in bytes. Set this to 0 to specify no limit. Some systems might be vulnerable to overflow exploits that use very large headers. If the total header size exceeds this limit, the entire HTTP Response is denied.
  • Page 298 Category This specifies the ruleset category: Header Fields, Content-Type, or Cookies. Header Fields This ruleset specifies rules for filtering content in HTTP Response Header Fields. The ruleset is configured to allow a number of typical Header Fields. The default rule strips all other Response Header Fields.
  • Page 299 - Derived-From (RFC 2068 19.6.2.3) - ETag (RFC 2616) - Expires (RFC 2616) - From (RFC 2616) - Host (RFC 2616) - If-Match (RFC 2616) - If-Modified-Since (RFC 2616) - If-None-Match (RFC 2616) - If-Range (RFC 2616) - If-Unmodified-Since (RFC 2616) - Keep-Alive (RFC 2068 19.7.1.1) - Last-Modified (RFC 2616) - Link (RFC 1945 D.2.6)
  • Page 300 - UA-Color (non-standard header sent by Internet Explorer to specify color depth) - UA-OS (non-standard header sent by Internet Explorer to specify operating system) - UA-Pixels (non-standard header sent by Internet Explorer to specify screen pixel size) - URI (RFC 1945 D.2.10) - Upgrade (RFC 2616) - User-Agent (RFC 2616)
  • Page 301 WebLogic Server This rule allows Web Logic Server content, by identifying the MIME Content-Type “application/ x-WebLogic.” The rule uses an exact match for application/x-WebLogic. Video This rule allows all MIME video types, by identifying the MIME Content-Type “video.” The rule uses a pattern match for video/*. Text-based This rule allows all MIME text types, by identifying the MIME Content-Type “text.”...
  • Page 302 Cookies This ruleset specifies rules for filtering Cookies in HTTP Responses. The ruleset can be configured to strip cookies, based on your network needs. The default rule allows all cookies. When you configure a rule to strip a Cookie, use pattern matching, then type *cookiedomain.com* as the pattern to match.
  • Page 303 You can also change the character set, for non-English text, and you can call values from the proxy action to describe why content was removed. The following values can be called from the proxy action: %(method)% This inserts the proxy rule that identified the content to strip.
  • Page 304: Smtp Incoming Proxy

    SMTP Incoming Proxy Info tab This tab allows you to type a name and description for the SMTP Incoming proxy action. Name A name for the proxy. This field is limited to 30 characters. If the name you specify is longer than 30 characters, the name is truncated to 30 characters.
  • Page 305 proxy will filter all content of the specified type, regardless of the port used. General tab This tab allows you to specify general values for incoming SMTP content filtering. Maximum Recipients Specifies the maximum number of email recipients to which a message can be sent. This acts as a counter, and allows the specified number of messages through, then drops the remaining addresses.
  • Page 306 support@watchguard.com) are counted as a single address. Maximum Message Size Specifies the maximum size of an incoming SMTP message. Note that most email is sent as 7-bit ASCII text, with the exceptions of Binary MIME and 8bit MIME. 8-bit content (for example, MIME...
  • Page 307 you do not allow, remove them from this field. All allowed 7-bit ASCII characters are listed by default. The percentage sign (%) is listed twice (%%) to represent itself. The percentage sign is used as an escape character in the Proxy windows, to enclose hex code and high ASCII characters, but the Proxy windows read two percentage signs in a row as a single percentage sign character.
  • Page 308 Content Checking tab This tab allows you to specify values for Incoming SMTP content filtering. Category This specifies the ruleset category: Content Types or Address Patterns. Content Types This ruleset allows six common MIME types, and all of their subtypes. The default rule strips all other MIME types.
  • Page 309 the current master list of MIME types, located at http://www.iana.org/assignments/media-types/. audio/* This rule allows all MIME audio types, by identifying the MIME Content-Type “audio.” The rule uses a pattern match for audio/*. image/* This rule allows all MIME image types, by identifying the MIME Content-Type “image.”...
  • Page 310 Attachment Filenames This ruleset allows three common attachment filename extensions. The default rule strips all other filename content. Word document This rule allows attachments with the standard Microsoft Word .doc file extension. The rule uses a pattern match for *.doc.
  • Page 311 Category This specifies the ruleset category: Mail From or Mail To. Mail From This ruleset contains no listed rules from the factory. The default rule is allow. In this configuration, mail from all senders is allowed into your network. Mail To This ruleset contains no listed rules from the factory.
  • Page 312 Headers tab This tab allows you to specify values for incoming SMTP Header filtering. Header Rules This ruleset allows a number of SMTP Headers. The default rule strips all other SMTP headers. As there are hundreds of possible SMTP headers, it might be useful or necessary to allow other SMTP headers in your system.
  • Page 313 - Content-Disposition - Content-ID - Content-Language - Content-Length - Content-MD5 - Content-Transfer-Encoding - Content-Type - Date - Encoding - Encrypted - From - In-Reply-To - Keywords - MIME-Version - Message-ID - Precedence - References - Reply-To - Resent-Bcc - Resent-Cc - Resent-Date - Resent-From...
  • Page 314 ESMTP tab The ESMTP tab allows you to specify the filtering for ESMTP content. Although SMTP is widely accepted and widely used, some parts of the Internet community have found a need to extend SMTP to allow more functionality. ESMTP provides a means for functional extensions to SMTP, and for clients who support extended features to recognize each other.
  • Page 315 the SMTP service that allows an SMTP client and server to interact to start the processing of message queues for a given host (RFC 1985). Allow 8bit-MIME Allows 8bit-MIME, if the client and host support the extension. The 8bit-MIME extension allows a client and host to exchange messages made up of text containing octets outside of the US-ASCII octet range (hex 00-7F, or 7-bit ASCII) using SMTP...
  • Page 316 Type a domain name here to replace the domain names for incoming messages with the specified domain. For example, if you type “watchguard.com,” then to your users it will appear that all incoming email is from senders at watchguard.com.
  • Page 317 Masquerade Message IDs Select this checkbox to replace the Message-ID Header field in all incoming messages. Note that this may disrupt message threading. Deny Message tab This tab allows you to customize a Deny Message. The Deny Message replaces inline content that is stripped. You can customize the Deny Message with standard text.
  • Page 318: Smtp Outgoing Proxy

    %(filename)% This inserts the filename of the stripped content. %(rulename)% This inserts the name of the rule that stripped the content. SMTP Outgoing Proxy Info tab This tab allows you to type a name and description for the SMTP Outgoing proxy action.
  • Page 319 Description A description of the proxy, for your reference. The proxy action should be used with the following services The default service for the SMTP proxy is TCP Port 25. This section is informational only. The proxy will filter all content of the specified type, regardless of the port used.
  • Page 320 50 addressees, and the last two addressees are dropped. Distribution lists that appear as a single SMTP email address (for example, support@watchguard.com) are counted as a single address. Maximum Message Size Specifies the maximum size of an outgoing SMTP message.
  • Page 321 Connection Idle Timeout Specifies the amount of time an outgoing SMTP connection can idle before the connection is timed out. The default is 600 seconds (10 minutes). Address Validation (RFC-822 Compliance) Allowable Characters: Allows you to specify all of the characters that are allowed in outgoing email addresses.
  • Page 322 Content Checking tab This tab allows you to specify values for Incoming SMTP content filtering. Category This specifies the ruleset category: Content Types or Address Patterns. Content Types This ruleset does not include any factory-defined rules. The default rule is set to allow. Attachment Filenames This ruleset does not include any factory-defined rules.
  • Page 323 Address Patterns tab This tab allows you to specify values for Incoming Address Pattern filtering. Category This specifies the ruleset category: Mail From or Mail To. Mail From This ruleset contains no listed rules from the factory. The default rule is allow. In this configuration, mail from all senders is allowed out of your network.
  • Page 324 Headers tab This tab allows you to specify values for outgoing SMTP Header filtering. Header Rules This ruleset includes no factory-defined rules. The default rule allows all SMTP headers.
  • Page 325 ESMTP tab The ESMTP tab allows you to specify the filtering for ESMTP content. Although SMTP is widely accepted and widely used, some parts of the Internet community have found a need to extend SMTP to allow more functionality. ESMTP provides a means for functional extensions to SMTP, and for clients who support extended features to recognize each other.
  • Page 326 to the SMTP service that allows an SMTP client and server to interact to start the processing of message queues for a given host (RFC 1985). Allow 8bit-MIME Allows 8bit-MIME, if the receiver and host support the extension.
  • Page 327 Type a domain name here to replace the domain names for outgoing messages with the specified domain. For example, if you type “watchguard.com,” then all messages originating from your network will appear to originate from “username@watchguard.com.”
  • Page 328 Masquerade Message IDs Select this checkbox to replace the Message-ID Header field in all outgoing messages. Note that this may disrupt message threading. Deny Message tab This tab allows you to customize a Deny Message. The Deny Message replaces messages that are denied.
  • Page 329: Reference Sources

    %(filename)% This inserts the filename of the stripped content. %(rulename)% This inserts the name of the rule that stripped the content. Reference Sources Throughout this Reference, material is adapted from, and linked to, information from Internet standards bodies, relevant corporations and groups. In all possible cases, the most recent available definition for a parameter is used.
  • Page 330 • RFC 2068, Hypertext Transfer Protocol -- HTTP/1.1 [January 1997] http://www.w3.org/Protocols/rfc2068/rfc2068.txt • RFC 2518, HTTP Extensions for Distributed Authoring -- WEBDAV http://www.ietf.org/rfc/rfc2518.txt • RFC 2554, SMTP Service Extension for Authentication http://www.ietf.org/rfc/rfc2554.txt • RFC 2616, Hypertext Transfer Protocol -- HTTP/1.1 [June 1999] http://www.w3.org/Protocols/rfc2616/rfc2616.html • RFC 2821, Simple Mail Transfer Protocol [April 2001]...
  • Page 331: Chapter 11 Using Virtual Private Networks (Vpn)

    CHAPTER 11: Using Virtual Private Networks (VPN) The Internet is a technical and social development that puts a vast quantity of information at your fingertips. The benefits of using the Internet to exchange information and conduct business are enormous. Unfortunately, so are the risks.
  • Page 332: Tunneling Protocols

    For more information on VPN technology, see the online support resources at http://support.watchguard.com. The main page contains links to basic FAQs, advanced FAQs, and the WatchGuard User’s Forum.
  • Page 333: Ipsec

    generally the Internet. Tunneling involves encrypting and encapsulating data and protocol information within units called IP packets. The “tunnel” is the path that the IP packets travel over the Internet. A tunnel is also defined by its start and end points, the type of authentication and encryption used, and the users allowed to use it.
  • Page 334: Internet Key Exchange (Ike)

    Internet Key Exchange (IKE) As the number of VPN tunnels between WatchGuard appliances and other IPSec compliant devices grows, maintaining the large number of session keys used by tunnels becomes a challenge.
  • Page 335: Nat Traversal (Udp Encapsulation)

    tion. Phase 2 involves an exchange of keys to determine how the data between the two will be encrypted. Diffie-Hellman is an algorithm used in IKE to negotiate keys required for data encryption. Diffie-Hellman groups are collections of parameters used to achieve the negotiation.
  • Page 336: Firebox Vclass Appliance Vpn Solutions

    The default interval is 20 seconds, but this value can be changed. Firebox Vclass appliance VPN Solutions The WatchGuard Firebox System offers several methods to provide secure tunnels: • Mobile User VPN (Remote User VPN) •...
  • Page 337: Vpn To Other Ipsec Compliant Devices

    VPN with IPSec is available with the WatchGuard medium encryption version at DES (56-bit) strength, and with the WatchGuard strong encryption versions at both DES (56-bit) and Triple DES (168-bit) strengths.
  • Page 338: Using Authentication And Encryption

    CHAPTER 11: Using Virtual Private Networks (VPN) Three major qualifications are established in an IPSec action: Mode Tunnel mode is used when Firebox Vclass appliances act as security gateways on both ends or when a remote Firebox Vclass VPN client connects to a Firebox Vclass security appliance.
  • Page 339: Defining An Ike Policy

    You must activate your LiveSecurity Service to enable 3DES encryption. To activate your LiveSecurity Service, go to: http:\\www.watchguard.com\activate For more information on LiveSecurity Service, see “Service and Support” on page 9. Defining an IKE Policy To define an IKE policy: From the main Vcontroller window, click IKE Policy.
  • Page 340 Select an entry point from the list of policies and then click Insert. The Insert IKE Policy dialog box appears.
  • Page 341 In the Name and Description fields, type a name and brief description for the IKE policy. The Description is optional. Select a preconfigured address group from the Peer Address Group drop-down list or click New to create a new address group. For information on creating an address group, see “Defining an address group”...
  • Page 342: Defining An Ike Action

    Select the Local ID Type from the drop-down list. This should be a Local ID type that the peer system can validate with a copy of your certificate sent to the peer system as well as settings in their own policy.
  • Page 343 In the Name and Description fields, type a name and brief description for the IKE action. The Description field is optional. From the Mode drop-down list, select one of these options: Main A slower mode that provides greater security. This is the recommended mode.
  • Page 344 In the Keep-Alive message field, type the number of seconds between keep-alive messages. If you selected Main from the Mode drop-down list, you can select the Enable Extended User Authentication checkbox. Select an IKE transform from the list or click New to create a new IKE transform.
  • Page 345 11 From the Encryption Algorithm drop-down list, select an encryption algorithm. 12 From the Hash Algorithm drop-down list, select a hash algorithm. 13 In the Lifetimes field, type the number of hours or minutes that the transform will remain active. 14 From the Lifetime drop-down list, select Hours or Minutes.
  • Page 346: Defining A Vpn Security Policy

    Defining a VPN Security Policy This section provides information on defining a VPN security policy that creates a VPN connection between two Firebox Vclass appliances. If you want to permit connections that exchange traffic in both directions, you must create a single bidirectional VPN policy.
  • Page 347: Defining An Ipsec Action

    If this is a bidirectional policy, make sure that the incoming interface selection is 0 or 2, and not 1. Defining an IPSec action To define an IPSec action: Click New. The New IPSec Action dialog box appears. In the Name and Description fields, type a name and brief description for the IPSec action.
  • Page 348 Tunnel This policy prompts the Firebox Vclass appliance to hide any information about the original sender of data, representing the Firebox Vclass as the original sender. This option is preferred for site-to-site connections, in which the traffic goes through the Firebox Vclass appliance.
  • Page 349 If you want to permit connections initiated in both directions, select the Gateway to Gateway VPN checkbox. If this is a bidirectional policy, make sure that the incoming interface selection is 0 or 2, and not 1. For information on configuring the remaining options of the policy (QoS action, TOS Marking, NAT/Load Balancing, Scheduling, and the Advanced Settings) see those sections in chapter 7, “About Security Policies”...
  • Page 350 Review the default encryption options listed in the Unselected Proposals list, select any options that your new IPSec action requires, and then click Add. The proposal is displayed in the Selected Proposals field. If none of the unselected proposals meets the requirements of this automatic key IPSec action, you can create your own proposals.
  • Page 351 recommended because they incorporate both encryption and authentication of your data. To define an ESP transform: Select the ESP checkbox. Click the New button to the right of the ESP transforms list. The New ESP Transform dialog box appears. In the Lifetime field, type the number of hours or minutes a key will be in effect.
  • Page 352 You cannot choose None for both encryption and authentication when creating an ESP transform. Repeat this process to create additional ESP transforms. 10 You can use the arrow keys to the left of the transforms list to reorganize the transforms into the proper order of application.
  • Page 353 Either Lifetime or Life Length must be a non-zero entry. From the Encryption Algorithm drop-down list, select an encryption algorithm. From the Authentication Algorithm drop-down list, select an authentication algorithm. Click Done. Repeat this process to create additional AH transforms. 10 You can use the arrow keys to reorganize the transforms into the proper order of application.
  • Page 354 You can configure the manual key to use ESP (Encapsulated Security Payload), AH (Authenticated Headers), or both. Enable the ESP checkbox. In the Local SPI (Security Parameter Index) field, type a unique number between 256 and 65535. This SPI entry is used to identify this manual key in the local Firebox Vclass appliance.
  • Page 355: Using Tunnel Switching

    10 Select the AH checkbox. 11 In the Local SPI (Security Parameter Index) field, type a unique number between 256 and 65535. This SPI entry is used to identify this manual key in the local Firebox Vclass appliance. 12 In the Peer SPI field, type the unique number of the remote appliance.
  • Page 356 A more efficient way to manage a complex corporate VPN with numbers of sites and remote users is to use a hub-and-spoke configuration, in which all branch offices connect to corporate headquarters (or any centralized site) with a single VPN tunnel.
  • Page 357 To make such a hub-and-spoke topology effective and efficient, Firebox Vclass appliances provide tunnel switching capabilities. Such a setup means that Site A can communicate with site B by sending traffic to the central office, which then switches this traffic from one tunnel (site A / central office) to another tunnel (site B / central office).
  • Page 358: Enabling Tunnel Switching

    Tunnel switching is not available on the V10 model, or in Transparent Mode. Enabling tunnel switching Before you set up individual VPN policies for site-to-site tunnel switching, you must activate tunnel switching in the Firebox Vclass appliance hardware (which is disabled by default).
  • Page 359: Chapter 12 Creating A Remote User Vpn Policy

    CHAPTER 12: Creating a Remote User VPN Policy Remote User VPN (RUVPN), also labeled as Remote Access Service (RAS), requires configuration of both the Firebox Vclass appliance and the remote client computers. The complete procedure for using RUVPN is documented in the Vclass Mobile User VPN Administration Guide and the operating system-specific MUVPN end-user brochures.
  • Page 360: About Remote User Vpn

    Remote User VPN is available on all Firebox Vclass models except the V10. The Firebox Vclass appliance models V200, V100, V80, V60, and V60L come with 20 Remote User VPN licenses, upgradeable in increments of 20, 100, 500, or 1,000.
  • Page 361 Configuring the Remote Users Authentication Policy Authentication takes place either by using shared keys or certificates. To configure the general settings of the RUVPN authentication policy: From the main Vcontroller window, click Remote Users. The RAS Configuration dialog box appears. To the right of the Default User Group drop-down list, click New.
  • Page 362 CHAPTER 12: Creating a Remote User VPN Policy In the Name and Description fields, type a name and brief description for the user group. The Description field is optional. From the Address Assignment drop-down list, select one of the following options: None Remote users belonging to this group will not be assigned an internal IP address when a connection...
  • Page 363 In the Session Time Limit field, type the appropriate number of hours or minutes until a user session expires. From the Session Time Limit drop-down list, select either Hours or Minutes. In the Idle Timeout field, type the appropriate number of hours or minutes.
  • Page 364 13 Click Apply. The Commit dialog box appears. 14 To flush any active connections that may be affected by the changes, click the appropriate checkbox and then click Commit. To continue configuring the remote users authentication policy, select an authentication method: Internal database For information on using this option to...
  • Page 365: Using An Internal Authentication Database

    Using an internal authentication database To set up an internal authentication database: Enable the Internal database option. Click the Internal Database tab. The RAS users list is displayed. To create a new user entry, click New. The New RAS User dialog box appears.
  • Page 366 Type a name in the User Name field. User names are case-sensitive and must consist of 1 – 15 characters. In the Full Name and Description fields, type the full name of the RAS user and a brief description. The Description field is optional.
  • Page 367: Using A Radius Authentication Database

    Using a RADIUS authentication database To use a database stored on a RADIUS server: From the main Vcontroller window, click Remote Users. The RAS Configuration dialog box appears. Click RADIUS Server. To the right of Primary Radius, click Edit. The RADIUS Server dialog box appears.
  • Page 368 To change the port number, clear the Use default port checkbox, and then type the number in the Port field. Click Done. Repeat the previous steps to configure a connection to a backup RADIUS server.
  • Page 369: Editing And Deleting A User Group Profile

    Select the Reset Password checkbox. The password fields become active. In the Password and Confirm Password fields, type a password and confirm it. Passwords are case-sensitive and consist of six to eight characters. Click Done. Click Apply.
  • Page 370: Removing The Backup Server

    vice versa), then all existing user connections belonging to this user group are disconnected. Any changes made to a policy are enforced immediately. Similarly, if the address group used to store internal-use IP addresses is changed, then all user connections currently using IP addresses that are no longer valid are disconnected immediately.
  • Page 371: Defining An Ike Policy And Ike Action

    establish the Firebox Vclass appliance connection to this server. Defining an IKE Policy and IKE Action After configuring an authentication policy, you must define IKE and Security policies. Defining an IKE action for RUVPN To define an IKE action: From the main Vcontroller window, click IKE Policy. The Policy Manager window appears.
  • Page 372 From the Mode drop-down list, select Main. Select Enable Extended User Authentication. Disable NAT Traversal, if necessary (NAT Traversal is enabled by default). For more information, see “NAT Traversal (UDP Encapsulation)” on page 303. Select an IKE transform from the list or click New to create a new IKE transform.
  • Page 373: Defining An Ike Policy

    13 From the Lifetime drop-down list, select Hours or Minutes. 14 In the Life Length field, type the maximum size in kilobytes. This field is optional. 15 Click Done. The transform is added to the IKE transforms list. 16 Repeat this process to add any other transforms.
  • Page 374 In the Name and Description fields, type a name and brief description for the IKE policy. The Description is optional. Select a preconfigured address group from the Peer Address Group drop-down list or click New to create a new address group.
  • Page 375: Defining An Ruvpn Security Policy And An Ipsec Action

    Defining an RUVPN Security Policy and an IPSec Action drop-down list, select the appropriate certificate. Next, select the Local ID Type from the drop-down list. This should be one that the peer system can validate with a copy of your certificate sent to the peer system as well as settings in their own policy.
  • Page 376 In the Name and Description fields, type a name and brief description for the IPSec action. The Description field is optional. From the Mode drop-down list, select Tunnel. Click Peer Tunnel Address Group or Peer Tunnel IP Address.
  • Page 377: Defining A Security Policy For Ruvpn

    Defining an RUVPN Security Policy and an IPSec Action Click Perfect Forward Secrecy. Select an option from the Unselected Proposals list, and then click Add. The proposal is displayed in the Selected Proposals field. For more information on configuring IPSec actions, see “Defining an IPSec action”...
  • Page 378 Click the Traffic Specs tab. The Traffic Specs page appears. Select one of the following options from the Source drop-down list: - If no internal IP addresses are to be assigned to remote users, the Source should be an address group with a membership of ANY.
  • Page 379 Defining an RUVPN Security Policy and an IPSec Action From the Service drop-down list, select New to create a new service. For information on creating a service, see “Defining a service” on page 182. The services will be limited to those that remote users will use, whether a few or a wide range of services.
  • Page 380: Controlling A Remote User's Access Privileges

    Monitoring Remote User Activity WatchGuard recommends that you take advantage of the Log Manager features. You can track and record remote access connections and system use.
  • Page 381 Monitoring Remote User Activity You can also view a basic summary of the recent connection history of a particular user, though not the current one, by opening the RAS Configuration dialog box, clicking the Internal Database tab, selecting a listed user, and clicking Details.
  • Page 382 A RAS User Detail dialog box appears, summarizing the most recent connection history of that user. • Click Active Users to monitor currently active users. The System Information dialog box appears displaying a list of active RAS users.
  • Page 383: Chapter 13 Using Alarm Manager

    CHAPTER 13: Using Alarm Manager The Vcontroller Alarm Manager allows you to define alarms that can alert the appropriate parties when certain system or policy conditions occur. You can configure alarm notifications for basic system processes such as the log file reaching a certain size, or you can configure alarms that alert the on-duty system administrator when critical conditions have been detected.
  • Page 384: Alarm Definitions

    CHAPTER 13: Using Alarm Manager Alarm Definitions To define a specific alarm condition: From the main Vcontroller window, click Alarm. The Alarm Manager window appears. Click the Alarm Definitions tab to view the current list of alarm definitions. This tab lists pre-defined default alarms along with indications of their severity and whether or not they have been enabled.
  • Page 385 Click Add. The Alarm Definition dialog box appears. In the Alarm Name field, type a name for the alarm. Click and move the Severity slider to the point on the scale that matches the value of this alarm: Low, Medium, or High. Firebox Vclass User Guide Alarm Definitions...
  • Page 386: Defining A Single-Condition Alarm

    Decide whether the alarm will have more than one triggering condition. Defining a single-condition alarm Click the Condition(s) to trigger the Alarm field where <counter> appears. This field acts as a button. The Select a Counter dialog box appears. From the Probe Category drop-down list, select System, Policy, or VPN End-point Pairs.
  • Page 387 Click Select. For more information about the counters and their capabilities, see “A Catalog of Real-time Monitor Probe Counters” on page 368. From the Alarm Definition drop-down list, select the option you want: < indicates “less than”; > indicates “greater than”; = indicates “equal to”...
  • Page 388: Defining A Multiple-Condition Alarm

    Click Email Notification to activate email notification. Type the email address in the appropriate field. To send an email notification to more than one email address, type each address using a space to separate them. Click OK.
  • Page 389 Policy: Select the policy of your choice and then select the counter you want to use for the alarm. Selecting For All Policies displays a different list of counters. System: Select the counter you want to use for the alarm. VPN End-point Pairs: Select the IPSec pair of your choice and then select the counter you want to use for the alarm.
  • Page 390 10 Once you complete the list of conditions, click All conditions must hold to trigger the alarm or Any condition holds to trigger the alarm. 11 Select the Alarm Log checkbox to keep a record of all instances of this alarm.
  • Page 391: Managing Alarm Definitions

    14 Click OK. The new alarm definition appears in the list of Alarm Definitions. Repeat this process to create other multi-condition alarms. Managing alarm definitions You can update an alarm definition, enable or disable a current alarm, or delete an alarm definition that is no longer needed in the Alarm Manager window.
  • Page 392: Responding To An Alarm Notification

    Responding to an Alarm Notification Alarm notifications come in several forms: • An animated alarm bell icon appears at the top of the WatchGuard Vcontroller main page. • The red Alarm LED illuminates on the front of the Firebox Vclass appliance.
  • Page 393 give administrators instant notice of a new alarm condition. To view outstanding alarms: From the Vcontroller main page, click the animated alarm bell or click the Alarm button. The Alarm Manager window appears, listing the current alarms at the Outstanding Alarms tab. Review the list of alarm notices.
  • Page 394 Review the information displayed. Click OK to close the Alarm Detail dialog box. To clear an outstanding alarm, select the alarm notice and click Clear. To clear all outstanding alarms, click Clear All. The Alarm Manager removes the alarm notice from the Outstanding Alarms tab.
  • Page 395: Chapter 14 Monitoring The Firebox Vclass

    CHAPTER 14: Monitoring the Firebox Vclass You can use the Real-time Monitor to view the status of your Firebox Vclass appliance. You can activate the self-reporting capabilities by setting up and applying custom probes in the Real-time Monitor window. Then you can open the Real-time Chart window and watch the custom probes as they dynamically track the activities of the appliance and its network traffic.
  • Page 396 CHAPTER 14: Monitoring the Firebox Vclass detailed catalog of available counters, see “A Catalog of Real-time Monitor Probe Counters” on page 368. From the main Vcontroller window, click Monitor. The Real-time Monitor window appears. The following categories of system activity can be defined and monitored: Policy Policy probes observe and report on the activities...
  • Page 397: Defining Probes

    assessing traffic between a designated pair of security appliances. A “VPN End-point Pair” indicates a pair of appliances actively exchanging traffic through any number of IPSec tunnels, whether one or several. Interface Interface probes observe and report on the activities of selected interfaces. For example, you can set up a probe to monitor the number of packets received by a specific interface.
  • Page 398: Monitoring Configured Probes

    Click Add when you are finished configuring this probe. The Select Probe window closes and the new probe is displayed in the appropriate tab list. Repeat these steps to add more probes. Click Done when you are finished. To edit the settings of an existing probe: Select the probe and click Edit.
  • Page 399 Click Start Monitoring. After a brief pause, which reflects the Interval times previously selected, the activity measured by each probe is displayed. The graph changes according to the per second interval you configured. When you are finished monitoring, click Stop Monitoring.
  • Page 400: A Catalog Of Real-Time Monitor Probe Counters

    To conserve system resources, you can temporarily disable any probes until the next time you want to monitor that particular system activity. At that time, you can re-enable the probe and observe the results in the Real-Time Chart window.
  • Page 401 Counter names: Interface 1 (Public) Sent (Bytes); Interface 1 (Public) Recv. (Packets); Interface 1 (Public) Sent (Packets); Interface 1 (Public) Recv Throughput (Bytes/sec); Interface 1 (Public) Sent Throughput (Bytes/sec); Interface 1 (Public) Recv Throughput (Packets/sec); Interface 1 (Public) Sent Throughput (Packets/sec); Interface 0 (Private) Received (Bytes); Interface 0 (Private) Sent (Bytes); Interface 0 (Private) Recv. (Packets); Interface 0 (Private) Sent (Packets); Interface 0 (Private) Recv.
  • Page 402 Counter names: Interface 0 (Private) Sent Throughput (Packets/sec); Interface 2 (DMZ) Recv. (Bytes); Interface 2 (DMZ) Sent (Bytes); Interface 2 (DMZ) Recv. (Packets); Interface 2 (DMZ) Sent (Packets); Interface 2 (DMZ) Recv. Throughput (Bytes/sec); Interface 2 (DMZ) Sent Throughput (Bytes/sec); Interface 2 (DMZ) Recv. Throughput (Packets/sec); Interface 2 (DMZ) Sent Throughput (Packets/sec); Log Disk Total (KB); Log Disk Used (KB); Log Disk Free (KB)
  • Page 403 Counter names: Event Log Size (KB); Traffic Log Size (KB); Alarm Log Size (KB); Event Log Increment (KB); Traffic Log Increment (KB); Alarm Log Increment (KB); Event Log Growth Rate (KB/sec); Traffic Log Growth Rate (KB/sec); Alarm Log Growth Rate (KB/sec); Phase One SA Log Size (KB); Phase Two SA Log...
  • Page 404 Counter names: Interface 1 (Public) Stream Req./sec; Interface 0 (Private) Stream Req./sec; Interface 2 (DMZ) Stream Req./sec; Incoming Stream Requests Denied; Interface 1 (Public) Stream Requests Denied; Interface 0 (Private) Stream Requests Denied; Interface 2 (DMZ) Stream Requests Denied; Incoming Stream Req. Denied/sec; Interface 1 (Public) Stream Requests Denied/sec...
  • Page 405 Counter names: Total IPSEC Traffic (bytes); Total IPSEC Packets; Total Tunnel Mode SA; Total Transport Mode SA; Total ESP SA; Total AH SA; Total Manual Key SA; Total Auto Key SA; Total Expired SA; HA1 Port Status (1=up); HA2 Port Status (1=up); Active User Sessions; Remote Users Logon; Remote Users Logoff...
  • Page 406: Aggregate Counters For All Vpn End-Point Pairs

    Aggregate counters for all VPN end-point pairs. Counter names: Total Inbound SA; Total Outbound SA; Total SA; Total Inbound Bytes/sec; Total Outbound Bytes/sec; Total Inbound Pkts/sec; Total Outbound Pkts/sec; Total Decryption Error Rate (%); Total Authentication Error Rate (%); Total Authentication Error Packet Rate; Total Inbound SA. IPSec counters per VPN end-point pair...
  • Page 407: Policy Counters For All Policies

    Counter names: Inbound Pkts/sec; Outbound Pkts/sec; Decryption Error Rate (%); ESP Authentication Error Rate (%); ESP authentication error packet rate of AH Authentication Error Rate (%); Replay Error Rate (%); Inbound Bytes; Outbound Bytes; Inbound Packets; Outbound Packets. Policy counters for all policies. Counter names: Number of Policies; Packets Disc.
  • Page 408: Policy Counters Per Policy

    Counter names: Packets Disc. at Interface 0 (Private) (%); Packets Disc. at Interface 2 (DMZ) (%); Packets Disc. by IPSEC Error (%); Packets Disc. by Decryption Error (%); Packets Disc. by Authentication Error (%); Packets Disc. by Replay Error (%). Policy counters per policy. Counter names: Traffic (Bytes)
</gr_replreplace>
<gr_replace lines="778" cat="reformat" orig="• Page 409 Counter Name">
  • Page 409 Counter name and description of the counter’s function: Replay Error Packets: number of error packets handled by a policy with replay error. Decryption Error Rate (%): decryption error rate of a policy. Authentication Error Rate (%): authentication error rate of a policy. Replay Error Rate (%): replay error rate of a policy...
  • Page 409 Counter Name Replay Error Packets Decryption Error Rate (%) Authentication Error Rate (%) Replay Error Rate (%) Firebox Vclass User Guide A Catalog of Real-time Monitor Probe Counters Description of Counter’s Function Number of error packets handled by a policy with replay error. Decryption error rate of a policy Authentication error rate of a policy Replay error rate of a policy...
  • Page 411: Chapter 15 Using Log Manager

    CHAPTER 15: Using Log Manager Vcontroller can log an extensive array of system activities and save all logs as text files for future reference. You can activate logging to record the following categories of system activities: Event log Records all the events such as key negotiation activities, denial-of-service attacks, device...
  • Page 412: Viewing The Logs

    “LOG_FILE_FULL,” alerts you when a specific log file is getting too big. At that time, you can back up the log file for future reference. WatchGuard recommends the use of remote logging, using syslog, as described in “Activating the remote logging feature” on page 385.
  • Page 413 Click each tab to review the entries for that category. If the log has more than 500 entries, as noted in the status message in the lower-left corner, click Next to download the next group of records. Click Prev to display earlier listings. To update the screen with the latest entries, click Refresh.
  • Page 414: Filtering A Current Log

    CHAPTER 15: Using Log Manager - Move the slider to the desired number and then click outside of the pop-up to close it. Filtering a current log When viewing a log, you may see entries that seem irrelevant. You can use the Filter feature to view only those records that you want to see.
  • Page 415: Log Settings

    Following a filtering action, you can right-click other column headings and repeat this process to further filter the entries until you have the exact records that you want. To undo the filtering, reopen the Filter pop-up and click Disable Filter. Vcontroller restores the previously visible log entries that were filtered out of view.
  • Page 416 To enable traffic logging, click the Enable Traffic Logging checkbox. The Firebox Vclass appliance begins logging traffic. If you leave this option disabled, you can still use the Log Manager window to view information about other system activity.
  • Page 417: Activating The Remote Logging Feature

    frequently the log content is deleted. Vcontroller provides a default alarm that notifies you when a log file is almost full. Activating the remote logging feature If you have a syslog server accessible through the network, you can designate that server as the default destination for all future log archive files.
  • Page 418 Select the Facility and Priority from the drop-down lists for each log category. To use the default settings, click Default. Click Done. When you have finished configuring, click Reset or Apply. Reset: To return the settings to the previous configuration. Apply: To immediately commit the settings to the Firebox Vclass appliance.
  • Page 419: Log Archiving

    This file will be archived to a specific directory on your workstation: Windows workstations: c:\WatchGuard\log; UNIX workstations: the user’s home directory. Log files are assigned a name in this format: <type>_<date>.rsl...
  • Page 420 Events, Traffic, RAS Users, Phase One SA, and Phase Two SA. Click Archive Now to archive a file to the default directory location: C:\WatchGuard\Log\ or click Browse to select a different directory. When the archiving is complete, a dialog box appears.
  • Page 421: Chapter 16 System Information

    CHAPTER 16: System Information The System Information window provides accurate and up-to-date information on your system’s current status. This dialog box contains a number of tabs that provide information on a variety of system components. General Information For general information on Firebox Vclass appliance status, use the System Information window General tab.
  • Page 422: Vpn Tunnel Information

    CHAPTER 16: System Information This tab allows you to view general information, such as the model number, current system software version, serial number, system mode (Router or Transparent), IP address for Interface 0 or the System IP, contact person, and location of the appliance.
  • Page 423 By IPSec Peers Displays a list of currently active IPSec peers. The total count of tunnels may include some that are not in active use, but are still on record within the database. By Policies Displays a list of all policies you have created and the number of VPN tunnels established by each policy.
  • Page 424: Viewing Tunnel Details

    To view the traffic statistics and the associated tunnels for a particular IPSec peer or policy, select the entry from the IPSec Peer list. The display refreshes and the statistics are displayed on the right. If there are any tunnels associated with this entry, the tunnel list displays them.
  • Page 425: Traffic Information

    Traffic Information To view traffic activity information: From the main Vcontroller window, click System Information. The System Information dialog box appears. Click the Traffic tab. The following information is displayed on the Traffic tab: Total Packets Total number of packets processed since the last reboot of this appliance.
  • Page 426: Route Information

    IPSec Bytes IPSec encryption/decryption activity in bytes. Total Tunnels Number of VPN tunnels. Click Refresh to update the display with the most recent information. Click Reset Connections to disconnect all current connections. This will flush the Firebox Vclass appliance of all residual data connections that may be hampering performance.
  • Page 427: Ras User Information

    When you are finished, click Close. Interfaces are not listed in this table in Transparent Mode. RAS User Information After you have set up Remote Access Service (RAS) and implemented VPN policies, you can monitor and manage the current remote user connections using the System Information window.
  • Page 428: Viewing Ras User Information And Tunnel Details

    Viewing RAS user information and tunnel details You can view a real-time snapshot of a user connection, including information about the properties of a user, properties of tunnels being used by this user, and detailed traffic statistics.
  • Page 429: Interface 1 (Public) Information

    Click Disconnect to break the selected user connection, including any established tunnels. If an internal IP address was assigned to this user, it will be returned to the system for future use. To delete a specific tunnel associated with a RAS user and force the creation of a new tunnel, select the entry from the tunnel list and click Delete.
  • Page 430: Dhcp Server Information

    Click Refresh to update the display with the most recent information. If the Backup WAN feature is enabled, you can switch between the Primary and Backup configurations by clicking the Switch to button. This button always lists the name of the currently inactive WAN. If Primary is the current configuration, the Switch To option is Backup.
  • Page 431: Runtime Blocked Ip List

    Click the DHCP Server tab. The DHCP server lease information is displayed. Click Refresh to update the display with the most recent information. When you are finished, click Close. Runtime Blocked IP List The Blocked IP List in the System Information window allows you to temporarily block sites by IP address.
  • Page 432 Click the Blocked IP List tab. The Runtime Blocked Site List dialog appears. Click Add to add a blocked site. The Add Blocked Site dialog appears. In the IP Address field, type the IP address that you want to block.
  • Page 433 To change expiration time for a runtime blocked site: Select the Blocked site on the list. Click Change Expiration. The Change Expiration Time dialog appears. In the IP Address field, type a new expiration period for the IP address, and then click Apply, or click Cancel to return to the Runtime Blocked Site List.
  • Page 434 To refresh the Runtime Blocked IP List: • Click Refresh. The List of Runtime Blocked IP addresses is refreshed. New sites that have been blocked by Proxy Actions since the last refresh of the window now appear. Sites that have expired since the last refresh of the window are no longer listed.
  • Page 435: Chapter 17 Backing Up And Restoring Configurations

    CHAPTER 17: Backing Up and Restoring Configurations The WatchGuard Vcontroller offers an array of built-in archiving and data restoration capabilities. You can save all your configuration settings and policies in anticipation of a severe data loss, and then reapply that data, when needed, to restore a system.
  • Page 436: Create A Backup File

    CHAPTER 17: Backing Up and Restoring Configurations configuration entries or policies. Make a habit of keeping regular archive sets available. Create a Backup File From the main Vcontroller window, click Back Up/Restore. The Backup/Restore dialog box appears. Click the Backup tab. To use the default file name and directory, click Backup Now.
  • Page 437: Restoring An Archived Configuration

    Browse to the directory, type a file name of your choosing in the appropriate field, and then click Select. The newly created file path appears in the file name field. Click Backup Now. It is strongly recommended that you copy the archived file into a safe location.
  • Page 438 Click Browse. The Select the file to restore dialog box appears. This dialog box should automatically open to the directory containing all previous archived files. Select the appropriate backup file and then click Select. The backup file name appears in the File Name field.
  • Page 439: Restoring To Factory Default

    Restoring to Factory Default Vcontroller enables you to revert a Firebox Vclass appliance to the initial factory configuration, so you start over with an appliance as if it just came out of the box. Perform this task only when all other diagnostics or troubleshooting efforts fail.
  • Page 440: Resetting An Appliance Completely

    Resetting an Appliance Completely In the event that you either lose the superadmin login or password to the box, or you have a configuration problem that you cannot fix in any other way, you may want to completely reset the Vclass appliance.
  • Page 441 connected to (e.g. COM1, COM2). Use the following settings to connect to the Vclass device:
    - Bits per Second: 9600
    - Data Bits: 8
    - Parity: None
    - Stop Bits: 1
    - Flow Control: None
    Reset the device, and wait until you see the following text: Loading linux-wg...
  • Page 442: Exporting And Importing Configuration Files

    Exporting and Importing Configuration Files You can export a complete, ready-to-use profile (in XML format) from an active, fully configured Firebox Vclass appliance. You can use this file as an efficient way to store your settings, and later import it to restore your Vclass configuration.
  • Page 443: Importing A Configuration File Using Appliance Discovery

    To import an XML file containing the complete configuration settings and policies: Click Import. An Open dialog box appears. Locate and select the appropriate file. Click Open. When the process is complete, a confirmation dialog box appears. Click OK. The Firebox Vclass appliance reboots.
  • Page 444: Editing An Exported Configuration File

    imported. This System Mode must match the System Mode of the Profile you are importing. Click Browse. The Open dialog box appears. Locate and select the XML configuration file you want to apply to this appliance. Only files with “.xml”...
  • Page 445 The following example shows the beginning of a typical configuration file in an XML format.
    <?xml version="1.0" standalone="yes"?>
    <!--DOCTYPE rs-profile SYSTEM "profile.dtd"-->
    <profile>
    <product-grade>2</product-grade>
    <rs-version>1055360192</rs-version>
    <using-cpm-profile>0</using-cpm-profile>
    <for-version>5.0</for-version>
    <for-model>V60</for-model>
    <xml-purpose>1</xml-purpose>
    The contents are organized within pairs of parameter tags. You can edit included text as required, though you should edit carefully.
  • Page 446 Preshared Key: Default. Mode: Main. IKE transform: Authentication: Preshared key; Encryption algorithm; Authentication algorithm; Lifetime: 8 hours.
  • Page 447: Chapter 18 Using The Diagnostics/Cli Feature

    CHAPTER 18: Using the Diagnostics/CLI Feature This chapter describes a variety of useful troubleshooting features that can help you identify and resolve problems. Using Connectivity to Test Network Connections If network connections appear to be broken, you can use the Firebox Vclass appliance to test the hardware and cabling: From the main Vcontroller window, click Diagnostics/CLI.
  • Page 448 CHAPTER 18: Using the Diagnostics/CLI Feature Click the Connectivity tab. In the IP Address/Name field, type the IP address or DNS host name. Click Ping. The Ping History table displays the result. This entry describes the time of the test, the address you attempted to ping and the result, either OK or Failed.
  • Page 449: Using The Support Features

    If this test fails, check all physical connections, cables, hubs, and other hardware components. To obtain WatchGuard Technical Support, visit the WatchGuard Web site at the following URL: http://www.watchguard.com For more information on technical support, see “Service and Support”...
  • Page 450: Configuring Debugging Support

    Configuring debugging support From the main Vcontroller window, click Diagnostics/CLI. The Diagnostics dialog box appears. Click the Support tab. Click Configuration. The Debugging Support dialog box appears.
  • Page 451: Saving A Policy To A Text File

    Under the direction of technical support, move the sliders to the requested locations. Click Apply. Click Save Debug Information. The Select the File dialog box appears. Browse to the proper directory and then click Save. A confirmation dialog box appears. Click OK.
  • Page 452 Click Save Policy. The Select the file dialog box appears. Browse to the proper directory and click Select. A confirmation dialog box appears. Click OK.
  • Page 453: Executing A Cli Script

    Executing a CLI Script The CLI (Command Line Interface) feature in Vcontroller can be used to execute an update, maintenance, or other script on your Vclass device. This is not an actual command line interface window. After you have received the script from a network administrator or other personnel and stored it on your file system, you can follow these steps to execute it on your appliance.
  • Page 454: Saving Diagnostic Information

    A technical support representative may ask you to save diagnostic information and then forward the file to WatchGuard for analysis. From the main Vcontroller window, click Diagnostics/CLI. The Diagnostics dialog box appears.
  • Page 455 Click Save. The Save dialog box appears. Browse to the proper directory and select the appropriate file. Click Select. A confirmation dialog box appears. Click OK.
  • Page 457: Chapter 19 Setting Up A High Availability System

    CHAPTER 19: Setting Up a High Availability System In a WatchGuard High Availability (HA) system, two Firebox Vclass appliances are connected so that one serves as a ready backup to the other if the main appliance fails while managing network traffic. This chap-...
  • Page 458: Active/Standby

    Active/Active requires the purchase of a software upgrade license, and requires V80 or V100 hardware. Please refer to the WatchGuard Web site for information on purchasing software upgrade licenses: https://www.watchguard.com/upgrade In this chapter This chapter discusses High Availability Active/Standby mode.
  • Page 459: How High Availability Works

    How High Availability works The WatchGuard High Availability (HA) system is both automatic and transparent. Switching to a backup appliance occurs almost instantaneously. When active, the primary appliance regularly sends a “heartbeat”...
  • Page 460: Connecting The Appliances

    CHAPTER 19: Setting Up a High Availability System Connecting the Appliances To set up a high availability system, you must connect two Firebox Vclass appliances through the HA port. • Connect the private interface (0) of the primary appliance to a hub or switch. •...
  • Page 461 Select the Enable High Availability checkbox. Select the Active/Standby checkbox. The following HA options are displayed.
  • Page 462 These default HA settings include the following: - All of the appliance’s interfaces will be monitored. If any interface is detected as “LINK-DOWN,” the standby appliance will take over. - The HA heartbeat interval is set to one beat every second.
  • Page 463 - The appliance you are currently logged into will be configured as the primary. Make sure that the connection links both HA1 ports on the primary and secondary appliances, and that you are using a crossover cable. If the appliance cannot detect the secondary appliance, check the connection and restart the secondary appliance.
  • Page 464: Customizing Ha System Parameters

    active, make sure that the standby appliance has been turned on and that all HA interface connections are secure. A status dialog box appears. When the synchronization is complete, a confirmation dialog box appears. Both appliances are now ready for standby protection.
  • Page 465 To activate monitoring through the HA ports, select the Enable HA on HA1 Port checkbox. You can also optionally select the Enable HA on HA2 Port checkbox. Note that if HA is enabled on the HA2 interface, that interface cannot be used for management access. If you already configured the HA2 interface for management access in the Interface tab of the System Configuration dialog box, reopen that dialog box and undo those entries.
  • Page 466 If you plan to set up more than one primary/standby system in this subnet, delete the 3 in the HA Group ID field and type a number that uniquely identifies this system within the network context. (The number can range between 3 and 255.) HA Group IDs are used to identify High Availability Active/Standby pairs on your network.
  • Page 467: Checking Your Ha System Status

    Checking your HA System Status The HA monitor tells you which appliance you are logged into, whether it is primary or standby, and whether it is Active or Failover. Detailed system status Detailed HA system status is shown in the System Configuration/High Availability dialog box.
  • Page 468: Additional Preparation For Failover

    Takeover: The peer appliance has failed and the current system takes over. Admin: Administration mode. Unavailable: When the current appliance cannot detect its peer appliance, it shows this state in the peer HA status. Additional Preparation for Failover Make sure, in anticipation of a failover, that you open and edit the existing Event Alarm definition so that you are...
  • Page 469: Index

    Index access accounts. See accounts access privileges adding for remote users removing Account button Account Manager window account manager, using 149–157 accounts changing existing reactivating expired removing unwanted showing, hiding types of (see also admin, super user, and end user accounts) actions.
  • Page 470 cabling Certificate Request dialog box Certificate Revocation List, importing certificates importing nullifying requesting requirements for requesting specifying options for changing date and time CLI update script, importing configuration files exporting, importing importing using appliance discovery restoring context-sensitive help CPM-Vcontroller conflicts creating a Proxy Action CRL, importing date &...
  • Page 471 RAS Configuration 329, 335, 338, 339, 343 RAS User Detail RAS User Information Remote Log Detail Results Review CSR Schedule Security Policy Checker Select a Counter 354, 356 Select Backup File Select Condition Select the File Service SNMP Management Station System Configuration 383, 428 System Information...
  • Page 472 V10 firewall policies corporate HQ policy example defining policy actions for described for internal traffic multiple using schedules with forced restarts fully meshed topology Global Policy settings HA.
  • Page 473 IP source route attack IPSec Action button IPSec Action dialog box Kill Login dialog box known issues LDAP servers, configuring options 125–126 Least Connection License Detail dialog box license key certificates licenses importing license package obtaining viewing current licensing Linux installing Vcontroller onto starting Vcontroller with LiveSecurity Gold Program...
  • Page 474 174, 175 policy database, backing up Policy Manager, using policy. See security policy port shaping applying 174–175 described power all models except V10 PPPoE, IP address assigned using probes defining described real-time monitor types of 364, 365 profiles, editing promiscuous interface...
  • Page 475 removing appliance from backup using for authentication RADIUS Server dialog box Random (load balancing algorithm) Rapid Response Team 9, 10 RapidCore hardware ensemble RAS Configuration dialog box 335, 338, 339, 343 RAS User Detail dialog box RAS User Information dialog box RAS User log RAS users, monitoring 395, 397, 399...
  • Page 476 Select the File dialog box Server/IP Name window 29, 83 Service dialog box service groups blocking creating new with range of port numbers services Shutdown/Reboot button shutting down a Firebox SMTP Proxy SNMP Management Station dialog SNMP options, configuring SNMP trap, setting alarm for software requirements software upgrades, checking for Solaris, installing Vcontroller onto...
  • Page 477 VPN policies User Guide WAN Interface Failover enabling Enter Serve IPs polling interval polling timeout WAN interface failover WatchGuard users forum described joining WatchGuard Vcontroller. See Vcontroller Web server load balancing policy creating defining an action for weighted fair queuing...