The following conventions are used in this guide. Convention Indication Bold type Menu commands, dialog box options, Web page options, Web page names. For example: “On the System Information page, select Disabled.” NOTE Important information, a helpful tip or additional instructions. WatchGuard Firebox SOHO 6.1...
• This appliance must accept any interference received, including interference that may cause undesired operation. CE Notice The CE symbol on your WatchGuard Technologies equipment indicates that it is in compliance with the Electromagnetic Compatibility (EMC) directive and the Low Voltage Directive (LVD) of the European Union (EU).
This WatchGuard SOHO Software End-User License Agreement ("EULA") is a legal agreement between you (either an individual or a single entity) and WatchGuard Technologies, Inc. ("WATCHGUARD") for the WATCHGUARD SOHO software product, which includes computer software (whether installed separately on a computer workstation or on the WatchGuard hardware product) and...
archival purposes only. 3. Prohibited Uses. You may not, without express written permission from WATCHGUARD: (A) Reverse engineer, disassemble or decompile the SOFTWARE PRODUCT; (B) Use, copy, modify, merge or transfer copies of the SOFTWARE PRODUCT or printed materials except as provided in this EULA; (C) Use any backup or archival copy of the SOFTWARE PRODUCT (or allow someone else to use such a copy) for any purpose other than to replace the original copy in the event it is destroyed or becomes defective;...
EULA AND PERFORM ITS OBLIGATIONS UNDER THIS EULA AND; (C) THIS EULA AND THE PERFORMANCE OF THE ENTITY’S OBLIGATIONS UNDER THIS EULA DO NOT VIOLATE ANY THIRD-PARTY AGREEMENT TO WHICH THE ENTITY IS A PARTY.
The licence and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.]
The mod_ssl package falls under the Open-Source Software label because it's distributed under a BSD-style license. The detailed license information follows. Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1.
Portions of this software are based upon public domain software originally written at the National Center for Supercomputing Applications, University of Illinois, Urbana-Champaign. All other trademarks or trade names mentioned herein, if any, are the property of their respective owners. Part No 0814-000
Contents Introduction CHAPTER 1 The Package Contents How Does a Firewall Work? How Does Information Travel on the Internet? IP addresses Protocol Port numbers How Does the SOHO 6 Process Information? Services Network Address Translation The SOHO 6 Hardware Description The SOHO 6 front and rear views Installation CHAPTER 2...
Configure the Dynamic DNS Service Configure OPT Port Upgrades Configure Dual ISP Port Configure VPNforce™ Port Administrative Options CHAPTER 5 The System Security Page System management SOHO Remote Management Set up VPN Manager Access Update Your Firmware Redeem your SOHO 6 Upgrade Options View the Configuration File Configure the Firewall Settings CHAPTER 6...
Introduction CHAPTER 1 Welcome Congratulations on purchasing the ideal solution for providing secure access to the Internet–the WatchGuard® Firebox® SOHO 6 or SOHO 6tc security appliance. User Guide...
First things first, check the package contents to make sure you have the following. • Firebox SOHO 6 QuickStart Guide • User documentation • AC adapter (12v, 1.0-1.2A) • Straight-through Ethernet cable • SOHO 6 security appliance
How Does a Firewall Work? Fundamentally, a firewall is a way of distinguishing between, as well as protecting, “us” and “them”. On the external side of your SOHO 6 firewall is the entire Internet. The Internet offers many resources such as the Web, email, and video/audio conferencing.
A protocol defines how a packet is bundled and packaged for shipment across a network. The most commonly used protocols are TCP and UDP (User Datagram Protocol). In addition, there are a variety of IP protocols that are less frequently used.
Port numbers The port numbers are used by computers at both the sending and receiving end to determine the particular program or application for each connection. How Does the SOHO 6 Process Information? Services A service is the combination of protocol(s) and port numbers associated with a specific program or application type.
The SOHO 6 front and rear views The SOHO 6 has fourteen indicator lights on the front panel of the appliance. The following photograph shows the entire front view. When illuminated, this light indicates that the SOHO 6 is currently powered up.
Status When illuminated, this light indicates that a management connection has been made. Link The link indicator illuminates when there is a good physical connection to any of the numbered (0-3) interfaces of the trusted network. The link indicator blinks when traffic is passing through the interface.
This interface is activated when you purchase the Dual ISP Port upgrade or VPNforce™ Port Upgrade. For more information on the Dual ISP Port and VPNforce Port upgrade, see “Configure OPT Port Upgrades” on page 44.
The OPT port is only available if you purchase the Dual ISP Port or VPNforce Port upgrades. You cannot use the OPT port as another Ethernet port on the Trusted network. RESET button Using the reset button, you can return the SOHO 6 to the factory defaults.
Installation CHAPTER 2 This chapter explains how to install the SOHO 6 into your network. You must complete the following steps: • Review and record your current TCP/IP settings • Disable the HTTP proxy setting of your Web browser • Enable your computer for DHCP •...
Access to this information depends on your computer operating system. Microsoft Windows 2000 and Windows XP Click Start => Programs => Accessories => Command Prompt.
At the default prompt, type Enter the TCP/IP settings in the chart provided below. Click Cancel. Microsoft Windows NT Click Start => Programs => Command Prompt. At the default prompt, type Enter the TCP/IP settings in the chart provided below. Click Cancel.
Web pages located in other places. Disabling the HTTP proxy does not prevent you from accessing your favorite Web sites, but it does allow you to access the configuration pages that reside on the SOHO 6.
To disable the HTTP proxy in three commonly used browsers, see the instructions below. If your browser is not listed, see your browser Help menus to learn how to disable the HTTP proxy settings. Netscape 4.7 Open Netscape. Click Edit => Preferences. The Preferences window appears.
Click Start => Settings => Control Panel. The Control Panel window appears. Double-click the Network & Dial-up Connections icon. Double-click on the connection you use to access the Internet. The network connection dialog box appears.
Click Properties. The network connection Properties dialog box appears. Double-click the Internet Protocol (TCP/IP) component. The Internet Protocol (TCP/IP) Properties dialog box appears.
Close the Control Panel window. Physically connect the SOHO 6 Your SOHO 6 protects a single computer or a multi-computer network. It also functions as a hub to connect a variety of other appliances.
Cabling the SOHO 6 for one to four appliances Each of the Trusted Network ports (numbered 0-3) is able to connect to a variety of appliances. These include computers, printers, scanners, or other network peripherals. Use your SOHO 6 to replace an existing hub if you have no more than four appliances to connect.
Cabling the SOHO 6 for more than four computers While there are only four, numbered, Ethernet ports (labeled 0-3) on the back of the SOHO 6, it is possible to connect more appliances to your SOHO 6 using network hubs.
The SOHO 6 ships with a “10-seat” license. In other words, the SOHO 6 allows up to ten computers on a network behind the SOHO 6 to access the Internet. More than ten computers can exist on the network and communicate with each other, but only the first ten that attempt to access the Internet are allowed through the SOHO 6.
For information on the factory default configuration options, see “Default Factory Settings” on page 25. For specialized configurations, see “Configure Your External Network” on page 31, as well as “Configure the Trusted Network” on page 36.
SOHO 6 Basics CHAPTER 3 Once you have physically installed the SOHO 6, you can connect to it using your Web browser. The SOHO 6 includes a Web server that provides a Web page configuration interface. The SOHO 6 Home Page—System Status With your Web browser, go to the System Status page of the SOHO 6 using the default IP address of the Trusted Network: http://192.168.111.1.
SOHO 6 configuration. This information includes: • The firmware version • The serial number of the appliance • A few of the SOHO 6 features and their status: - WSEP Logging - VPN Manager Access - Syslog
- Pass Through • Upgrade options and their status • Configuration information for both the Trusted and External networks When the External network is configured to use the PPPoE Client, the page also displays a connect or disconnect button in order to terminate or initiate the PPPoE connection.
SOHO 6 reboots– approximately 15 seconds. The PWR indicator light should blink in a steady pattern once the reboot is complete. When this occurs, reboot the SOHO 6 again by disconnecting the power supply.
Finally, the PWR indicator light should remain illuminated. Your SOHO 6 is now reset to factory defaults. The base model SOHO 6 The base model SOHO 6 comes with a ten-seat license; that is, ten computers have access to the Internet through the SOHO 6.
To reboot a SOHO 6 located on a local system, use one of these methods: • With your Web browser, go to the System Status page using the trusted IP address of the SOHO 6. For example, if using
the default IP address, go to: http://192.168.111.1. Click Reboot. • Unplug the SOHO 6 and reconnect it to a power source. To reboot a SOHO 6 located on a remote system, you must set the SOHO 6 to allow either incoming HTTP (Web) or FTP traffic to the trusted address of the SOHO 6.
Configure the Network Interfaces CHAPTER 4 Configure Your External Network When you configure the external network, you establish how the SOHO 6 communicates with your ISP. This configuration depends upon how your ISP distributes network addresses–using DHCP or PPPoE. Network addressing Each networked computer must have an IP address to identify itself to other computers.
DHCP. If your ISP supports this method, the SOHO 6 obtains all necessary address information when it powers on and attempts to connect to the Internet. No further configuration of the SOHO 6 is required.
Configure the SOHO 6 External Network for static addressing If you are assigned a static address, then you must transfer the permanent address assignment from your computer to the SOHO 6. Instead of communicating directly to your computer, the ISP now communicates through the SOHO 6. With your Web browser, go to the System Status page using the trusted IP address of the SOHO 6.
IP address of the SOHO 6. For example, if using the default IP address, go to: http://192.168.111.1 From the navigation bar on the left side, select Network => External. The External Network configuration page appears.
From the Configuration Mode drop list, select PPPoE Client. The page refreshes. Enter the PPPoE login name and domain supplied by your ISP. Enter the PPPoE password supplied by your ISP. Enter how long you want the system to wait before it disables an inactive TCP connection.
With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to: http://192.168.111.1 From the navigation bar on the left side, select Network => Trusted.
The Trusted Network Configuration page appears. Enter the IP address and the Subnet Mask in the appropriate fields. Enable the checkbox labeled Enable DHCP Server on the Trusted Network. Enter the first IP address the DHCP server will hand out to computers connected to the Trusted network.
“Cabling the SOHO 6 for more than four computers” on page 20. Restart the computer. Set the computers to obtain their addresses using DHCP. For instructions, see “Enable your computer for DHCP” on page 16. Turn off and restart each computer.
Configure the Trusted Network with static addresses To disable the SOHO 6 DHCP server and assign addresses statically, follow these steps: With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to: http://192.168.111.1 From the navigation bar on the left side, select Network = >...
With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to: http://192.168.111.1 From the navigation bar on the left side, select Network => Routes.
The Routes page appears. Click Add. The Add Route page appears. From the Type drop list, select either Host or Network.
Trusted IP address of the SOHO 6. For example, if using the default IP address, go to: http://192.168.111.1 From the navigation bar on the left side, select Network => Network Statistics. The Network Statistics page appears.
Configure the Dynamic DNS Service This feature allows you to register the external IP address of the SOHO 6 with a dynamic DNS (Domain Name Server) service (www.dyndns.org). This service allows customers to bind their DNS record in the event that their dynamically assigned IP address is reassigned.
This means that when the primary external port connection fails, the firewall will initiate a connection through the optional port. No new policy definitions are needed. The optional port uses the same set of policies as the external port.
The SOHO 6 uses two methods to determine if the external port connection is down: • The link to the nearest router • A ping to a specified location. The SOHO pings the default gateway or other location designated by the administrator. If there is no response, fail-over takes place. When this feature is activated, these actions automatically occur: •...
Select the Enable Dual ISP checkbox. Enter the IP address for the External Interface. Enter the IP address for the Optional or Failover Interface. Enter how many seconds between pings. Enter how long (in seconds) to wait for a reply.
Enter the number of times the system will ping the Interface before timeout. 10 Click Submit. Configure VPNforce™ Port The VPNforce port upgrade activates the SOHO 6 optional port for use on the trusted side. Its main function is to provide a remote office or telecommuter a separate network behind the SOHO 6 firewall;...
Trusted network. For specific instructions on these fields, see “Configure the Trusted Network” on page 36. To allow traffic between the Optional and Trusted network, enable the Allow traffic between Optional Network and Trusted Network checkbox.
To require encrypted MUVPN connections on this interface, enable the Require Encrypted MUVPN connections on this interface checkbox. Click Submit.
Administrative Options CHAPTER 5 The SOHO 6 Administration page is where you configure access to the SOHO 6–using System Security, enabling SOHO 6 Remote Management, or providing VPN Manager Access. You can also update the firmware, enter the feature key for any upgrade options you have purchased and have redeemed at the LiveSecurity Service Web site, as well as see the SOHO 6 configuration file in a text format.
SOHO 6. Change the system passphrase at least monthly. A passphrase (eight characters long) is a combination of letters, numbers, and symbols that do not spell out common words. WatchGuard
recommends that the passphrase contain at least one special character, number, and a mixture of upper and lower case letters for increased security. Follow these steps to set up the SOHO 6 System Passphrase: With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6.
Follow these steps to set up VPN Manager access: With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to: http://192.168.111.1
From the navigation bar on the left side, select Administration => VPN Manager Access. The VPN Manager Access page appears. Select Enable VPN Manager Access. Enter the status passphrase and confirm it. Enter the configuration passphrase and confirm it. must These two settings Manager or the connection will fail.
This is because WatchGuard installation applications are only built for Windows platforms. Read through the End-User License Agreement, then select the I accept the above license agreement checkbox at the bottom of the page.
Enter the location of the firmware files located on your computer. If you do not know the location of the firmware files, click Browse to browse your computer’s directories and select them. Click Update. Follow the instructions provided by the Update Wizard. The Update Wizard will request a User name and Password.
The Upgrade page appears. Paste the Feature Key in the appropriate field. Click Submit. Upgrade options Seat Licenses This upgrade to the SOHO 6 provides more seats than the base model offers (for example, the 25 seat license).
Dual ISP Port This upgrade to the SOHO 6 activates the Optional port as a fail-over support for the external interface. This license key is purchased separately. VPNforce Port This upgrade to the SOHO 6 activates the Optional port as a separate secure connection to a corporate network for a remote office or telecommuter.
Trusted IP address of the SOHO 6. For example, if using the default IP address, go to: http://192.168.111.1 From the navigation bar on the left side, select Administration => View Configuration File. The View Configuration File page appears.
Configure the Firewall Settings CHAPTER 6 Firewall Settings The flow of incoming and outgoing traffic is controlled by the configuration settings you make. These decisions are made in accordance with a sound security policy that defines the kinds of risks that are acceptable to you or your firm. WatchGuard identifies several commonly used services that are used to define incoming and outgoing access.
Follow these steps to add an Incoming service: From the navigation bar on the left side, select Firewall => Incoming or Outgoing. The Filter Traffic page appears.
Locate a pre-configured service, such as FTP, Web, or Telnet, then select either Allow or Deny from the drop list. In our example, the HTTP service is set to Allow, enabling incoming Web traffic. Enter the trusted network IP address of the computer to which this rule applies.
The Custom Service page refreshes. In addition to TCP and UDP ports, there are several other types of Internet protocols. To create a service for one of these protocols, you must define the protocol number—you cannot specify a port number.
Enter the port number (or numbers if creating a range of ports) or enter the IP protocol number to allow in the appropriate fields and click Add. After creating a custom service, you need to specify a filter rule as well as define the incoming and outgoing properties.
IP addresses in the appropriate fields. In our example, Host IP Address is selected and the IP address entered is 207.68.172.246. Click Add. The addressing appears in the Blocked Sites field. Click Submit.
Firewall Options The SOHO 6 firewall feature includes a few rule settings that are less specific than the service settings discussed previously and are used to provide further security for your private network. These options are found on the Firewall Options page. With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6.
SOHO 6 acts as the SOCKS proxy. You must, however, configure your application to be compliant with the SOHO 6 implementation of SOCKS version 5. The SOHO 6 SOCKS feature has the following characteristics and limitations:
• SOHO 6 supports SOCKS version 5 only. • It is a limited version of SOCKS and does not support authentication. Configure the particular application so that it does DNS look-ups with SOCKS. Some applications use only DNS through SOCKS and therefore do not function properly with the SOHO 6. •...
However, the SOHO 6 is able to record all allowed outbound traffic. This option will record an extensive amount of log entries. For this reason, WatchGuard recommends that you use it for diagnostic purposes only.
Follow these steps: Select Log All Allowed Outbound Access. Click Submit. Enable override MAC address for the External Network A SOHO administrator is able to assign a second MAC address to the SOHO 6 External Network making it easier to register with an ISP that requires a separate MAC for registration.
Use of the Pass Through feature increases the security risk to computers on the Trusted network. This is because the computer using the Pass Through resides on the same Ethernet segment as the Trusted network. If you are not completely and thoroughly familiar with the risks involved
and Trusted network computers are not protected from potential threats, do not use the Pass Through feature.
Configure Logging CHAPTER 7 What is logging? Logging is the act of recording “events” that occur at the SOHO 6 interfaces. An event is any single activity, such as communication with the WatchGuard WebBlocker database or incoming traffic passing through the SOHO 6. Logging is intended to record the kinds of activities that indicate security concerns–most importantly denied packets.
From the navigation bar on the left side, select Logging. The Logging page appears and the Event Log is displayed in the lower portion of the page. The SOHO 6 displays the latest entry at the top of the Event Log.
To have your log messages synchronize with your computer: • Click Sync Time with Browser now. The SOHO 6 synchronizes the time at startup. Set up Logging to a WatchGuard Security Event Processor Log Host The WSEP (WatchGuard Security Event Processor) is an application available with the WatchGuard Firebox System...
Enter the IP address of the WSEP server that is your log host in the appropriate field. In our example, 192.168.111.5. In the Log Encryption Key field, enter a passphrase and confirm it. Click Submit. This encryption key must be identical to the one used in the WSEP.
Set up Logging to a Syslog Host The SOHO 6 also sends log entries to a Syslog host. Follow these steps to set up a Syslog Host: With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to: http://192.168.111.1.
With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to: http://192.168.111.1. From the navigation bar on the left side, select Logging => System Time.
The System Time page appears. If you have decided to use the WatchGuard Time Server: Select Get Time From WatchGuard Time Server. Or, to use a TCP Port 37 Time Server: Select Get Time From TCP Port 37 Time Server at. Enter the IP address of the time server in the appropriate field.
VPN—Virtual Private Networking CHAPTER 8 This chapter describes an optional feature of the WatchGuard SOHO 6, Virtual Private Networking (VPN) with IPSec. Why Create a Virtual Private Network? Virtual Private Networking (VPN) tunnels enable you to securely connect computers in two locations without requiring expensive, dedicated point-to-point data connections.
IP addresses. It is imperative to keep these addresses accurate. WatchGuard recommends making a table of IP addresses such as the one outlined below.
IP Address Table (example):
Item: External IP Address. Description: The IP address that identifies the SOHO 6 to the Internet. Site A: 207.168.55.2 Site B: 68.130.44.15
Item: External Subnet Mask. Description: The overlay of bits that determines which part of the IP address identifies your network. For example, a Class C address licenses 256 addresses and has a netmask of 255.255.255.0....
SOHO 6 VPN Tunnel WatchGuard has developed a series of step-by-step instructions to facilitate configuration for a SOHO 6 VPN tunnel to any of several other IPSec-compliant appliances. To download these instructions using your Web browser, go to: https://support.watchguard.com/AdvancedFaqs/sointerop_main.asp
Special Considerations Consider the following before configuring your WatchGuard SOHO 6 VPN network: • You can connect up to six SOHO 6 appliances together. To set up more VPN tunnels, you need at least one WatchGuard Firebox II/III configured with the WatchGuard VPN Manager.
How do I obtain a VPN upgrade license key? You can purchase them online. Using your Web browser, go to: http://www.watchguard.com/sales/buyonline.asp How do I enable a VPN Tunnel? Full instructions for enabling a VPN tunnel are located at: https://support.watchguard.com/AdvancedFaqs/sointerop_main.asp must not be the same.
Set Up Multiple SOHO-SOHO VPN Tunnels With this release, a SOHO administrator has the ability to manually define up to six VPN tunnels to other SOHO 6 devices. VPN Manager’s ability to set up a larger number of SOHO 6 to SOHO 6 tunnels remains.
The gateways can encrypt and decrypt the data correctly only if they share the same key. Phase 1 settings can be left at the defaults shown or modified as desired. To modify Phase 1 settings, complete the following
steps. Make sure that the Phase 1 settings on this device are the same as on the peer device. Select the type of negotiation for Phase 1. The two Mode Types are Main and Aggressive. If your external IP address is dynamic, you must use Aggressive Mode, otherwise you may use either option.
19 Enter how many kilobytes until key expiration. 20 Enter how many hours until key expiration. 21 Add the IP address of the local and remote network that will use Phase 2 negotiation. 22 Click Submit.
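The consistency rules this chapter states for a tunnel (the same shared key on both gateways, identical Phase 1 settings on both devices, Aggressive Mode when an external address is dynamic) can be checked against the two sites' IP address tables before the settings are submitted. The following is an added example, not WatchGuard code; the `SitePlan` field names, the Phase 1 setting names, the trusted network ranges and the non-overlap check are assumptions of the example.

```python
"""Consistency check for a two-site VPN planning table (added example)."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass
class SitePlan:
    # Hypothetical field names: rows of a planning table, not SOHO 6 config keys.
    name: str
    external_ip: str           # address that identifies this SOHO 6 to the Internet
    external_is_dynamic: bool  # True when the ISP can reassign external_ip
    trusted_network: str       # local private network in CIDR notation
    remote_network: str        # network this site expects behind the peer
    remote_gateway: str        # peer external IP as entered on this device
    shared_key: str
    phase1: dict               # e.g. {"mode": "Main", ...}


def _network(site, label, value, findings):
    """Parse a CIDR string; record a finding instead of raising on bad input."""
    try:
        return ipaddress.ip_network(value, strict=True)
    except ValueError as exc:
        findings.append(("BAD_NETWORK", f"{site.name} {label}: {exc}"))
        return None


def check_tunnel(a, b):
    """Return (code, message) findings; an empty list means the plan is consistent."""
    findings = []
    local = [_network(s, "trusted network", s.trusted_network, findings) for s in (a, b)]
    remote = [_network(s, "remote network", s.remote_network, findings) for s in (a, b)]

    # Assumption (general IPsec routing): overlapping private networks cannot be
    # routed through the tunnel, e.g. both units left on the same default range.
    if local[0] and local[1] and local[0].overlaps(local[1]):
        findings.append(("OVERLAP", f"trusted networks overlap: {local[0]} and {local[1]}"))

    for i, (here, there) in enumerate(((a, b), (b, a))):
        peer_local = local[1 - i]
        if remote[i] and peer_local and remote[i] != peer_local:
            findings.append(("REMOTE_NET_MISMATCH",
                             f"{here.name} expects {remote[i]}, {there.name} uses {peer_local}"))
        # A dynamic peer address cannot be pinned, so only static peers are compared.
        if not there.external_is_dynamic and here.remote_gateway != there.external_ip:
            findings.append(("GATEWAY_MISMATCH",
                             f"{here.name} points at {here.remote_gateway}, "
                             f"{there.name} is {there.external_ip}"))

    # Both gateways need the same key; report the mismatch without echoing the keys.
    if a.shared_key != b.shared_key:
        findings.append(("KEY_MISMATCH", "shared keys differ (values not shown)"))

    # Phase 1 settings must be identical on both devices.
    for setting in sorted(set(a.phase1) | set(b.phase1)):
        if a.phase1.get(setting) != b.phase1.get(setting):
            findings.append(("PHASE1_MISMATCH", f"{setting}: {a.phase1.get(setting)!r} "
                             f"vs {b.phase1.get(setting)!r}"))

    # A dynamic external address requires Aggressive Mode.
    if a.external_is_dynamic or b.external_is_dynamic:
        for site in (a, b):
            if site.phase1.get("mode") != "Aggressive":
                findings.append(("MODE", f"{site.name}: dynamic external address "
                                 "requires Aggressive mode"))
    return findings


# Constructed sample plans. External addresses are the guide's example values;
# networks, key and Phase 1 values are made up for illustration.
PHASE1 = {"mode": "Main", "encryption": "3DES", "authentication": "SHA1"}
SITE_A = SitePlan("Site A", "207.168.55.2", False, "192.168.111.0/24",
                  "192.168.112.0/24", "68.130.44.15", "constructed-key-1", dict(PHASE1))
SITE_B = SitePlan("Site B", "68.130.44.15", False, "192.168.112.0/24",
                  "192.168.111.0/24", "207.168.55.2", "constructed-key-1", dict(PHASE1))
# Site B as it might look before planning: default range, dynamic IP, mistyped key.
SITE_B_UNPLANNED = replace(SITE_B, external_is_dynamic=True,
                           trusted_network="192.168.111.0/24",
                           shared_key="constructed-key-2")

if __name__ == "__main__":
    for label, peer in (("planned", SITE_B), ("unplanned", SITE_B_UNPLANNED)):
        print(label, check_tunnel(SITE_A, peer) or "consistent")
```

Findings are returned as codes with messages so the same check can gate a change ticket; the shared keys themselves never appear in the output.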
Configure Split Tunneling Another new feature in this release is split tunneling that allows the administrator to specify all Internet traffic originating from the Trusted interface of the SOHO 6 to go through the VPN tunnel. Previously, only traffic headed specifically for the other end of the VPN tunnel was sent through the tunnel;...
Trusted IP address of the SOHO 6. For example, if using the default IP address, go to: http://192.168.111.1. From the navigation bar on the left side, select VPN => VPN Statistics. The VPN Statistics page appears.
SOHO 6 WebBlocker CHAPTER 9 WebBlocker is an optional feature of the SOHO 6 that provides Web site filtering capabilities. It gives you precise control over the types of Web sites users on your trusted network are allowed to view. How WebBlocker Works WebBlocker relies on a URL database service, which is owned and maintained by SurfControl.
If for any reason the WatchGuard WebBlocker database is unavailable (for example, if there is briefly a problem between your ISP and the nearest WatchGuard server), the browser displays a page informing the user that the site is unavailable for viewing.
WebBlocker users and groups Groups A group is a collection of individuals or users of the system. Users These are individual members of a particular group. Bypass the SOHO 6 WebBlocker Occasionally, you may want to allow select individuals to bypass the filtering functions of SOHO 6 WebBlocker.
Settings page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to: http://192.168.111.1 From the navigation bar on the left side, select WebBlocker => Settings. The WebBlocker Settings page appears.
Select Enable WebBlocking. Enter the full access password. The full access password allows a user to bypass otherwise blocked sites. Enter the inactivity timeout in minutes. For example, setting the inactivity timeout at 15 minutes ensures that unattended Web browsers are disconnected after sitting idle for 15 minutes.
The WebBlocker Groups page appears. Click New to create a group name and profile.
Define a Group Name and select the blocked categories for this group. Click Submit. A new Groups page appears indicating the configuration changes were accepted and are providing access.
To the right of the Users field, click New. The New User page appears. Enter a unique user name and passphrase (remember to confirm the passphrase). Use the Group drop list to assign the new user to a given group.
Click Submit. You can delete users or groups at any time by selecting them and clicking Delete. WebBlocker Categories WebBlocker relies on a URL database, which is a service of SurfControl. The WebBlocker database contains thousands of IP addresses and directories. These addresses are divided into categories based on content such as drug culture, intolerance, or sexual acts.
Intolerance Pictures or text advocating prejudice or discrimination against any race, color, national origin, religion, disability
or handicap, gender, or sexual orientation. Any picture or text that elevates one group over another. Also includes intolerant jokes or slurs. Gross Depictions Pictures or text describing anyone or anything that is either crudely vulgar, grossly deficient in civility or behavior, or shows scatological impropriety.
Louvre, or the Museum of Modern Art.
Partial/artistic Nudity
Pictures exposing the female breast or full exposure of either male or female buttocks except when exposing genitalia which is handled under the Full Nudity category. Topic does not include swimsuits, including thongs.
Chapter 10: Support Resources
Troubleshooting Tips
The following information is offered to help overcome any difficulties that might occur when installing and setting up your SOHO 6.
General
What do the PWR, Status, and Mode lights signify on the SOHO 6?
When the PWR light is lit, the SOHO 6 has power.
Page 126
Click Reboot. Wait for the SOHO 6 to complete the process. The MODE light on the front of the SOHO 6 will turn off, then back on. The SOHO 6 takes 30 seconds to boot up.
Page 127
You can also reboot by removing the power source for ten seconds, and then restoring power.
How do I reset my System Security password, if I forgot or lost it?
If you forgot your password, you must reset the SOHO 6 to its factory default.
Page 128
DSL modem is connected correctly and has power. Also check the link light on your modem as well as the WAN link light on the SOHO 6. If you continue to have trouble connecting to the Internet, call your ISP.
How can I see the MAC address of my SOHO 6?
A MAC (Media Access Control) address is a unique number used to identify the actual physical hardware of an Ethernet appliance. With your Web browser, go to the SOHO 6 Configuration Settings page using the Trusted IP address of the SOHO 6.
Page 130
From the navigation bar on the left side, select WebBlocker => Settings. The WebBlocker Settings page appears. Select Enable WebBlocker. Enter a full access password, and an inactivity timeout (in minutes).
Subnet mask 255.0.0.0 255.240.0.0 255.255.0.0
Page 131
To disable WebBlocker, deselect Enable WebBlocker.
How do I allow incoming services such as POP3, Telnet, and Web (HTTP)?
With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6. For example, if using the default IP address, go to: http://192.168.111.1 From the navigation bar on the left side, select Firewall =>...
• The DNS and WINS server IP address, if used.
• The shared key (passphrase) for the tunnel.
• The same encryption method for each end of the tunnel (DES or 3DES).
• The same authentication method for each end (MD-5 or SHA-1).
Page 133
How do I set up my SOHO 6 for VPN Manager Access?
This requires the add-on product, WatchGuard VPN Manager software, which is purchased separately and used with the WatchGuard Firebox System software. To purchase VPN Manager, use your Web browser to go to: https://www.watchguard.com/products/vpnmanager.asp For more information on how to allow VPN Manager access to a SOHO 6, see the VPN Guide.
WatchGuard maintains an extensive knowledge base consisting of product documentation in the form of printer-friendly .pdf files, tutorials, In-Depth FAQs, and more. This information is available at: https://support.watchguard.com/AdvancedFaqs/
U.S.; End-user support U.S.; Authorized Reseller support International support