WatchGuard Firebox™ System 4.6 User Manual

Summary of Contents for WatchGuard Firebox™ System 4.6

  • Page 1: User Guide

    WatchGuard® Firebox System™ User Guide Firebox System 4.6...
  • Page 2 Copyright© 1998 - 2001 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, Firebox, LiveSecurity, and SpamScreen are either registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and other countries. This product is covered by one or more pending patent applications.
  • Page 3 IMPORTANT — READ CAREFULLY BEFORE ACCESSING WATCHGUARD SOFTWARE: This WFS End-User License Agreement (“AGREEMENT”) is a legal agreement between you (either an individual or a single entity) and WatchGuard Technologies, Inc. (“WATCHGUARD”) for the WATCHGUARD WFS software product identified above, which includes computer software and may include associated media, printed materials, and on-line or electronic documentation (“SOFTWARE...
  • Page 4 (D) Transfer this license to another party unless (i) the transfer is permanent, (ii) the third party recipient agrees to the terms of this AGREEMENT, and (iii) you do not retain any copies of the SOFTWARE PRODUCT; or (E) Reverse engineer, disassemble or decompile the SOFTWARE PRODUCT. Limited Warranty.
  • Page 5: Declaration Of Conformity

    (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013, or in subdivision (c)(1) and (2) of the Commercial Computer Software -- Restricted Rights Clause at 48 C.F.R. 52.227-19, as applicable. Manufacturer is WatchGuard Technologies, Incorporated, 505 Fifth Avenue, Suite 500, Seattle, WA 98104.
  • Page 6: FCC Certification

    CE Notice The official CE symbol indicates compliance of this WatchGuard Technologies, Inc. product to the EMC directive of the European Community. The CE symbol found here or elsewhere indicates that this WatchGuard product meets or exceeds the...
  • Page 7: Table Of Contents

    Table of Contents PART I Introduction ...1 Welcome to WatchGuard WatchGuard Firebox System components Minimum requirements PART II WatchGuard Services ...5 LiveSecurity Service CHAPTER 1 LiveSecurity broadcasts Technical Support CHAPTER 2 Accessing frequently asked questions (FAQ) Getting Internet technical support Getting telephone support Training ...
  • Page 8 Resetting Firebox passphrases Setting the time zone Reinitializing a misconfigured Firebox Using the WatchGuard Control Center CHAPTER 5 Navigating the WatchGuard Control Center Control Center components Working with the Control Center ...30 Policy Manager Firebox Monitors ...32 LogViewer ...32 HostWatch ...33 Historical Reports ...33 LiveSecurity Event Processor...
  • Page 9 Service precedence Controlling Web Traffic CHAPTER 9 How WebBlocker works ... 59 Configuring the WebBlocker service Manually downloading the WebBlocker database ... 62 Setting Up Network Address Translation CHAPTER 10 What is dynamic NAT? Using simple dynamic NAT Using service-based NAT Configuring a service for incoming static NAT Setting Up Logging and Notification CHAPTER 11...
  • Page 10 Reviewing and Working with log files CHAPTER 15 Viewing files with LogViewer Displaying and hiding fields Working with log files Generating Reports of Network Activity CHAPTER 16 Starting Historical Reports Creating and editing reports Specifying report sections Specifying a report time span Consolidating report sections ...111 Setting report properties Exporting reports...
  • Page 11: Part I Introduction

    Introduction PART I Welcome to WatchGuard The WatchGuard Firebox System consists of: • A suite of management and security software tools • A Plug and Play network appliance called the WatchGuard Firebox • A security-related broadcast service In the past, a connected enterprise needed a complex set of tools, systems, and personnel for access control, authentication, virtual private networking, network management, and security analysis.
  • Page 12: WatchGuard Firebox

    WatchGuard Firebox System components • Security suite • LiveSecurity Service WatchGuard Firebox The Firebox family of appliances are specially designed and optimized machines. They are small, efficient, and reliable. The Firebox is a low-profile component with an indicator display panel in front and physical interfaces in back. For detailed Firebox specifications, see the Reference Guide.
  • Page 13: Minimum Requirements

    Minimum requirements LiveSecurity Service The innovative LiveSecurity Service subscription makes it easy to maintain the security of an organization’s network. WatchGuard’s team of security experts publish alerts and software updates, which are broadcast to your e-mail client. Minimum requirements This section describes the minimum hardware and software configurations necessary to successfully install, run, and administer version 4.6 of the WatchGuard Firebox System.
  • Page 14: Hardware Requirements

    Minimum requirements Hardware requirements Minimum hardware requirements are the same as for the operating system on which the WatchGuard Firebox System 4.6 runs. The recommended hardware ranges are listed below. Hardware feature Memory Hard disk space CD-ROM drive (optional) Minimum requirement Pentium II Same as for operating system.
  • Page 15: Part II WatchGuard Services

    WatchGuard PART II The WatchGuard Firebox System is considerably more than a piece of hardware. This section describes two WatchGuard service components that address your security requirements, and the optional features available to you. LiveSecurity Service The key to a high quality, effective network security policy is rapid response to challenges and threats.
  • Page 17: Chapter 1 LiveSecurity Service

    LiveSecurity Service CHAPTER 1 No Internet security solution is complete without systematic updates. From the latest hacker techniques to the most recently discovered operating system bug, the daily barrage of new threats poses a perpetual challenge to any Internet security solution. The LiveSecurity Service keeps your security system up-to-date by delivering solutions to you.
  • Page 18 LiveSecurity broadcasts accompany each transmission for easy installation. These convenient transmissions relieve you of the burden of tracking the latest software version to keep your system state of the art. Editorial Leading security experts from around the world join the WatchGuard Rapid Response Team in contributing useful editorials to provide a source of continuing education on this rapidly changing subject.
  • Page 19 LiveSecurity broadcasts • The License Key number is located on the WatchGuard LiveSecurity Agreement License Key Certificate. Enter the number in the exact form shown on the key, including the hyphens. • Verify that your e-mail address is correct. You will receive your activation confirmation mail and all of your LiveSecurity broadcasts at this address.
  • Page 21: Chapter 2 Technical Support

    Technical Support CHAPTER 2 Developing and implementing a network security policy can be a challenge. In addition to familiarity with the WatchGuard Firebox System, it requires experience with advanced networking concepts, programs, and protocols. The WatchGuard Technical Support team has a variety of methods to answer your questions and assist you with improving the security of your network, including: •...
  • Page 22: Known Issues

    Getting Internet technical support Known issues Another source of information about the WatchGuard Firebox System is the Known Issues page on the Technical Support Web. When our engineering or Technical Support team discovers a limitation or problem with our product, we immediately post the information on the Known Issues page.
  • Page 23: Training

    Training When you call WatchGuard Technical Support, you are prompted for your LiveSecurity License key. We use this key to track the information you report about your network, and to add this issue to our database of all the support issues you have brought to our attention.
  • Page 24: WatchGuard Users Group

    WatchGuard users group Instructor-led courses WatchGuard offers a series of courses supporting our product line. Current titles include a two-day course on firewalling basics with the WatchGuard Firebox System and a one-day course on virtual private networking. These courses are delivered by certified WatchGuard trainers, both at our facility in Seattle and by our partners around the country.
  • Page 25: Copying The Help System To Additional Platforms

    Online Help Starting WatchGuard Online Help WatchGuard Online Help can be started either from the WatchGuard Management Station or directly from a browser. • In the Management Station software, press F1. • On any platform, browse to the directory containing WatchGuard Online Help. Open LSSHelp.html WatchGuard/Help.
  • Page 26: Context-Sensitive Help

    Online Help Context-sensitive Help In addition to the regular online Help system, context-sensitive or What’s This? Help is also available. What’s This? Help provides a definition and useful information on fields and buttons in the dialog boxes. To access What’s This? Help: Right-click any field or button.
  • Page 27: Chapter 3 WatchGuard Options

    WatchGuard Options CHAPTER 3 The WatchGuard Firebox System is enhanced by optional features designed to accommodate the needs of different customer environments and security requirements. Currently available options VPN Manager WatchGuard VPN Manager is a centralized module for creating and managing the network security of an organization that uses the Internet to conduct business.
  • Page 28: Mobile User VPN

    Obtaining WatchGuard options Mobile User VPN Mobile User VPN is the WatchGuard IPSec implementation of remote user virtual private networking. Mobile User VPN connects an employee on the road or working from home to trusted and optional networks behind a Firebox using a standard Internet connection, without compromising security.
  • Page 29: Configuring A Security Policy

    Configuring a Security Policy PART III This section describes how to configure your security system. Its primary focus is on using the WatchGuard Control Center and Policy Manager to develop and implement a network security policy. It includes chapters on: WatchGuard Control Center The WatchGuard Control Center is an intuitive management, monitoring, and reporting package that puts everything you need at your fingertips.
  • Page 30 you to exert fine control over the type of Web sites users on your Trusted network are allowed to view. Set up network address translation (NAT) Hide the real IP addresses of the hosts and networks behind your firewall through the use of network address translation. You can set NAT policy at both the global and the individual service levels.
  • Page 31: Chapter 4 Firebox Basics

    Firebox Basics CHAPTER 4 This chapter describes the following tasks, which require direct interaction between the Management Station and the Firebox: • Set up a Firebox • Open and save a configuration file to a local hard disk or the Firebox •...
  • Page 32 What is a Firebox? Placing a Firebox within a network The most common location for a Firebox is directly behind the Internet router, as pictured below: Event Processor Management Station Trusted Network Other parts of the network are as follows: Management Station The computer on which you install and run the WatchGuard LiveSecurity Control Center.
  • Page 33: Opening A Configuration File

    Opening a configuration file Policy Manager is a comprehensive software tool for creating, modifying, and saving configuration files. A configuration file, with the extension .cfg, contains all the settings, options, addresses, and information that together constitute your Firebox security policy. You can open and edit a configuration file residing on either your local hard disk or in the primary area of the Firebox flash disk.
  • Page 34: Resetting Firebox Passphrases

    Resetting Firebox passphrases Saving a configuration to the local hard disk From Policy Manager in the Advanced view: Select File Save => The Save dialog box appears. Enter the name of the file. The default is to save the file to the WatchGuard directory. Click Save.
  • Page 35: Setting The Time Zone

    • Don’t use words in standard dictionaries, even if you use them backward or in a foreign language. Create your own acronyms instead. • Don’t use proper names, especially company names or those of famous people. • Use a combination of uppercase and lowercase characters, numerals, and special characters (such as Im4e@tiN9).
  • Page 36 Reinitializing a misconfigured Firebox When you complete the QuickSetup wizard, remove the loopback cable (assuming your Firebox has one) and return the Firebox to its regular position in your network. The Firebox resumes normal operation the next time it restarts. Some Fireboxes have a factory default button.
  • Page 37: Using The WatchGuard Control Center

    Using the WatchGuard Control Center CHAPTER 5 The WatchGuard Control Center combines access to WatchGuard Firebox System applications and tools in one intuitive interface. The Control Center also displays a real-time monitor of traffic through the firewall, connection status, tunnel status, and recent log activity.
  • Page 38: Firebox And VPN Tunnel Status

    Control Center components • A real-time monitor of traffic through the Firebox. QuickGuide The top part of the display just below the title bar is the QuickGuide. It contains buttons to: • Open the WatchGuard Control Center menu • Pause the display •...
  • Page 39 Control Center components • IPSec • DVCP • WatchGuard VPN The first line of the tunnel entry shows the name that was assigned when the tunnel was created, along with the tunnel type (IPSec, DVCP, or WatchGuard). If the tunnel is an IPSec or DVCP tunnel, it also shows the IP address of the destination IPSec device (such as another Firebox, SOHO, or SOHO|tc).
  • Page 40: Working With The Control Center

    Working with the Control Center When you expand an entry that has a red exclamation point, another exclamation point appears next to the specific device or tunnel with the problem. Use this feature to rapidly identify and locate problems with your VPN network. Traffic Monitor The Traffic Monitor shows, in real time, the traffic through the Firebox.
  • Page 41: Policy Manager

    Policy Manager much more appropriate tool for tracking logs; Traffic Monitor just provides a real-time view of Firebox activity. Click the WatchGuard Control Center button. Click Settings. Type or use the scroll control to change the Max Log Entries field. Click OK. The value entered represents the number of log entries in thousands.
  • Page 42: Firebox Monitors

    Firebox Monitors The Policy Manager display includes: Pull-down menus Menus that provide access to most configuration and administration tasks. Toolbar A row of buttons immediately below the pull-down menus. Each button corresponds to a frequently performed Policy Manager task. Position the mouse over the button to view a tooltip and explanatory status bar text.
  • Page 43: HostWatch

    HostWatch HostWatch The HostWatch application displays active connections occurring on a Firebox in real time. It can also graphically represent the connections listed in a log file, either playing back a previous file for review or displaying connections as they are added to the current log file. To open HostWatch, click the HostWatch button (pictured at left) on the Control Center QuickGuide.
  • Page 45: Chapter 6 Configuring A Network

    Configuring a Network CHAPTER 6 Configuring a network refers to setting up the three Firebox interfaces. To do this, you need to: • Enter the IP address or addresses for the Firebox interfaces. • Enter the IP addresses of secondary networks that are connected to and associated with a Firebox interface.
  • Page 46: Setting Up A Drop-In Network

    Setting up a drop-in network The QuickSetup wizard also writes a basic configuration file called wizard.cfg to the hard disk of the Management Station. If you later want to expand or change the basic Firebox configuration using Policy Manager, use this as the base file to which you make changes.
  • Page 47: Setting Up A Routed Network

    Setting up a routed network • The Trusted interface ARP address replaces the router’s ARP address. • All three Firebox interfaces are assigned the same IP address. This is true whether or not you use the Optional interface. • The majority of a LAN resides on the Trusted interface. •...
  • Page 48: Adding A Secondary Network

    Adding a secondary network Adding a secondary network A secondary network is a network on the same physical wire as a Firebox interface that has an address belonging to an entirely different network. Adding a secondary network to a Firebox interface maps an IP address from the secondary network to the IP address of the interface.
  • Page 49: Defining A Host Route

    Defining a host route Defining a host route Configure a host route if there is only one host behind the router. Enter the IP address of that single, specific host, and do not enter a bitmask. From Policy Manager in the Advanced view: Select Network =>...
  • Page 50: Entering WINS And DNS Server Addresses

    Entering WINS and DNS server addresses Entering WINS and DNS server addresses Several advanced features of the Firebox, such as DHCP and Remote User VPN, rely on shared Windows Internet Name Server (WINS) and Domain Name System (DNS) server addresses. These servers must be accessible from the Firebox Trusted interface. From Policy Manager: Select Network =>...
  • Page 51: Modifying An Existing Subnet

    Defining a Firebox as a DHCP server Modifying an existing subnet From Policy Manager: Select Network => Configuration. Click the DHCP Server tab. Click the subnet to review or modify. Click Edit. When you have finished reviewing or modifying the subnet, click OK. Removing a Subnet From Policy Manager: Select Network =>...
  • Page 53: Blocking Sites And Ports

    Blocking Sites and Ports CHAPTER 7 Many types of network security attacks are easily identified by patterns found in packet headers. Port space probes, address space probes, and spoofing attacks all exhibit characteristic behavior that a good firewall can recognize and protect against. WatchGuard allows both manual and dynamic blocking of ports and sites, and uses default packet-handling options to automatically and temporarily block hosts that originate probes and attacks.
  • Page 54: Blocking A Site Permanently

    Blocking a site permanently Modify the default packet-handling properties according to your security policy preferences. For a description of each control, right-click the control, and then click What’s This? Click OK. Blocking a site permanently The WatchGuard auto-blocking and logging mechanisms help you decide which sites to permanently block.
  • Page 55: Blocking A Port Permanently

    Blocking a port permanently In the Category list, click Blocked Sites. Modify the logging and notification parameters according to your security policy preferences. For detailed instructions, see “Customizing logging and notification by service or option” on page 76. Blocking a port permanently You can block ports to explicitly cut off from external access certain network services that are vulnerable entry points to your network.
  • Page 56: Blocking Sites Temporarily With Service Settings

    Blocking sites temporarily with service settings Blocking sites temporarily with service settings Use service properties to automatically and temporarily block sites when incoming traffic attempts to use a denied service. You can use this feature to individually log, block, and monitor sites that attempt access to restricted ports on your network. Configuring a service to temporarily block sites Configure the service to automatically block sites that attempt to connect using a denied service.
  • Page 57: Chapter 8 Configuring Services

    Configuring Services CHAPTER 8 The Services Arena of Policy Manager displays an icon for each configured service. A service represents a particular type of proxy or packet-filtering connection such as FTP, SMTP, or proxied HTTP. A symbol next to the service indicates whether the service is configured for outgoing traffic, incoming traffic, or both.
  • Page 58: Creating A New Service

    Creating a new service You can add multiple services to the Services Arena while the Services dialog box is open. When you finish adding services, click Close. The Services Arena displays an icon for each service added. Click File => Save => To Firebox to save your changes to the Firebox. Specify the location and name of the new configuration file.
  • Page 59: Defining Service Properties

    Defining service properties In the Port text box, enter the well-known port number for this service. For a list of well-known services and their associated ports, see the Reference Guide or Online Help. Click OK. Policy Manager adds the port configuration to the New Service dialog box. Verify that the name, description, and configuration of this service are correct.
  • Page 60 Defining service properties Click OK. Adding outgoing service properties From Policy Manager: In the Services Arena, double-click the service. Click the Outgoing tab. The Properties dialog box displays the Outgoing properties tab. Use the Outgoing Connections Are drop list to select Enabled and Allowed. To define specific users and hosts on the Trusted network that can send packets out through the service, click Add beneath the From list.
  • Page 61: Configuring Services For Authentication

    Configuring services for authentication Configuring services for authentication One way to create effective user authentication environments is to restrict all outgoing services to allow connections only from authenticated users. The following example applies to dynamically addressed (DHCP-based) networks. Create a group on the Windows NT server that contains all the user accounts. In the Policy Manager Services Arena, double-click the Outgoing or Proxy service icon.
  • Page 62: Setting Up Proxy Services

    Setting up proxy services On the toolbar, click the Delete Service icon (it appears as an “X”). You can also select Edit Click Yes. Policy Manager removes the service from the Services Arena. Click File => Save => To Firebox to save your changes to the Firebox. Specify the location and name of the new configuration file.
  • Page 63 Setting up proxy services Click Incoming. The Incoming SMTP Proxy dialog box appears, displaying the General tab. Modify general properties according to your preference. For a description of each control, right-click it, and then click What’s This?. To modify logging properties, click the Logging tab. Selecting content types From the SMTP Proxy Properties dialog box: Click the Content Types tab.
  • Page 64: Configuring An FTP Proxy Service

    Setting up proxy services Configuring the outgoing SMTP proxy Use the Outgoing SMTP Proxy dialog box to set the parameters for traffic going from your Trusted and Optional network to the world. You must already have an SMTP Proxy service icon in the Services Arena. Double-click the icon to open the service’s Properties dialog box: Click the Properties tab.
  • Page 65 Setting up proxy services Click OK. Click File => Save => To Firebox to save your changes to the Firebox. Specify the location and name of the new configuration file. Configuring an HTTP proxy service HyperText Transfer Protocol (HTTP) is the protocol used by the World Wide Web to move information around the Internet.
  • Page 66: Service Precedence

    Service precedence If you are using the HTTP proxy service because you want to use WebBlocker, follow the procedure in the next section. Otherwise, enable HTTP proxy properties according to your security policy preferences. For detailed descriptions of HTTP proxy options, see the Reference Guide . Zip files are denied when you deny Java or ActiveX applets, because zip files often contain these applets.
  • Page 67 Service precedence From List List “IP” refers to exactly one host IP address; “List” refers to multiple host IP addresses, a network address, or an alias; and “Any” refers to the special “Any” target (not “Any” services). When two icons are representing the same service (for example, two Telnet icons or two Any icons) they are sorted using the above tables.
  • Page 69: Controlling Web Traffic

    Controlling Web Traffic CHAPTER 9 WebBlocker is a feature of the Firebox System that works in conjunction with the HTTP proxy to provide Web-site filtering capabilities. It enables you to exert fine control over the type of Web sites that users on your trusted network are allowed to view.
  • Page 70: Configuring The WebBlocker Service

    Configuring the WebBlocker service Logging and WebBlocker WebBlocker logs attempts to access sites blocked by WebBlocker. The log that is generated displays information about source and destination address as well as the blocked URL and the category that caused the denial. WebBlocker also generates a log entry showing the results of any attempted database retrieval, including whether or not it was successful and, if not successful, why.
  • Page 71: Creating WebBlocker Exceptions

    Configuring the WebBlocker service Processor regularly and automatically updates the WebBlocker database stored on your Firebox. From Policy Manager: If you have not already done so, double-click the service icon you are using for HTTP. Click the Properties tab. Click Settings. The proxy’s dialog box appears.
  • Page 72: Manually Downloading The WebBlocker Database

    Manually downloading the WebBlocker database In the Allowed Exceptions section, click Add to add either a network or host IP address to be allowed at all times. To allow a specific string for a domain, select Host Address. To allow a specific directory pattern, enter the string to be allowed.
  • Page 73: Setting Up Network Address Translation

    Setting Up Network Address Translation CHAPTER 10 Network address translation (NAT) hides internal network addresses from hosts on an external network. WatchGuard supports two types of NAT: • Outgoing dynamic NAT Hides network addresses from hosts on another network; works only on outgoing messages.
  • Page 74: Using Simple Dynamic NAT

    Using simple dynamic NAT Using simple dynamic NAT In the majority of networks, the preferred security policy is to globally apply network address translation to all outgoing packets. Simple dynamic NAT provides a quick method to set NAT policy for your entire network. Enabling simple dynamic NAT The default configuration of simple dynamic NAT enables it from the Trusted network to the External network.
  • Page 75: Using Service-Based NAT

    Using service-based NAT Using service-based NAT Using service-based NAT, you can set outgoing dynamic NAT policy on a service-by-service basis. Service-based NAT is most frequently used to make exceptions to a globally applied simple dynamic NAT entry. For example, use service-based NAT on a network with simple NAT enabled from the Trusted to the Optional network with a Web server on the Optional network that should not be masqueraded to the actual Trusted network.
  • Page 76: Configuring A Service For Incoming Static NAT

    Configuring a service for incoming static NAT Configuring a service for incoming static NAT Static NAT works on a port-to-host basis. Incoming packets destined for a specific public address and port on the External network are remapped to an address and port behind the firewall.
  • Page 77 Configuring a service for incoming static NAT Enter the internal IP address. The internal IP address is the final destination on the Trusted network. If appropriate, enable the Set Internal Port To Different Port Than Service checkbox. This feature is rarely used. It enables you to redirect packets not only to a specific internal host but also to an alternative port.
  • Page 79: Setting Up Logging And Notification

    Setting Up Logging and Notification CHAPTER 11 Logging and notification are crucial to an effective network security policy. Together, they make it possible to monitor your network security, identify both attacks and attackers, and take action to address security threats and challenges. Logging occurs when the firewall records the occurrence of an event to a log file.
  • Page 80: WatchGuard Logging Architecture

    WatchGuard logging architecture log messages to the second Event Processor. It continues through the list until it finds an Event Processor capable of recording events. Multiple Event Processors operate in failover mode, not redundancy mode—that is, events are not logged to multiple Event Processors simultaneously;...
  • Page 81: Enabling Syslog Logging

    Designating Event Processors for a Firebox you run the QuickSetup wizard. You can specify a different primary Event Processor as well as multiple backup Event Processors. • IP address of each Event Processor • Encryption key to secure the connection between the Firebox and Event Processors •...
  • Page 82 Designating Event Processors for a Firebox Removing an Event Processor Remove an Event Processor when you no longer want to use it for any logging purpose. From Policy Manager: Select Setup => Logging. The Logging Setup dialog box appears. Click the host name. Click Remove. Click OK.
  • Page 83: Setting Up The LiveSecurity Event Processor

    Setting up the LiveSecurity Event Processor Another way to set the Event Processor (and domain controller) clocks is to use an independent source such as the atomic clock—based servers available on the Internet. One place to access this service is: http://www.bldrdoc.gov/timefreq Setting up the LiveSecurity Event Processor The LiveSecurity Event Processor controls logging and notification.
  • Page 84 Setting up the LiveSecurity Event Processor Windows NT service. The default method on installation is for it to run as a Windows NT service. As a Windows NT or Windows 2000 Service By default, the Event Processor is installed to run as a Windows NT service, starting automatically every time the host computer restarts.
  • Page 85: Setting Global Logging And Notification Preferences

    Setting global logging and notification preferences Starting and stopping the Event Processor The Event Processor starts automatically when you start the host on which it resides. However, it is possible to stop or restart the Event Processor from its interface at any time.
  • Page 86: Customizing Logging And Notification By Service Or Option

    Customizing logging and notification by service or option For a record size, enable the By Number of Entries checkbox. Use the scroll control or enter a number of log record entries. The Approximate Size field changes to display the approximate file size of the final log file. For a detailed description of each control, right-click it, and then select What’s This?.
  • Page 87: Setting Logging And Notification For A Service

    Customizing logging and notification by service or option Send Notification Enable this checkbox to enable notification on the event type; clear it to disable logging for the event type. The remaining controls are active when you enable the Send Notification checkbox: E-mail Triggers an e-mail message when the event occurs.
  • Page 88 Customizing logging and notification by service or option From Policy Manager: Double-click a service in the Services Arena. The Properties dialog box appears. Click Logging. The Logging and Notification dialog box appears. The options for each service are identical; the main difference is based on whether the service in question is for incoming, outgoing, or bidirectional communication.
  • Page 89: Connect With Out-Of-Band Management

    CHAPTER 12 Connect with Out-of-Band Management The WatchGuard Firebox System out-of-band (OOB) management feature enables the Management Station to communicate with a Firebox by way of a modem and telephone line. OOB is useful for remotely configuring a Firebox when access via the Ethernet interfaces is unavailable.
  • Page 90: Preparing A Windows 2000 Management Station For Oob

    Enabling the Management Station Preparing a Windows NT Management Station for OOB Install the Microsoft Remote Access Server (RAS) on the Management Station. From the Windows NT Desktop: Attach a modem to your computer according to the manufacturer’s instructions. Select Start => Settings => Control Panel. Double-click Network.
  • Page 91: Configuring The Firebox For Oob

    Configuring the Firebox for OOB Enter a name for your connection. This can be anything that reminds you of the icon’s purpose — VPN Connection, for example. Click Finish. Click either Dial or Cancel. A new icon is now in the Network and Dial-Up Connections folder. To use this dial-up connection, double-click the icon in the folder.
  • Page 92 Establishing an OOB connection...
  • Page 93: Administering A Security Policy

    Administering a Security Policy PART IV Network security is more than just designing and implementing a security policy and copying the resulting configuration file to a WatchGuard Firebox. Truly effective network security requires constant vigilance and ongoing adaptation to changing business needs.
  • Page 95: Creating Aliases And Implementing Authentication

    CHAPTER 13 Creating Aliases and Implementing Authentication Aliases are shortcuts used to identify groups of hosts, networks, or users with one name. The use of aliases simplifies user authentication and service configuration. User authentication provides access control for outgoing connections. Authentication dynamically maps an individual username to a workstation IP address, allowing the tracking of connections based on name rather than static IP address.
  • Page 96 Using host aliases Adding a host alias From Policy Manager: Select Setup => Authentication. The Member Access and Authentication Setup dialog box appears. Click the Aliases tab. Click Add. In the Host Alias Name text box, enter the name used to identify the alias when configuring services and authentication.
  • Page 97: What Is User Authentication

    What is user authentication? User authentication allows the tracking of connections based on name rather than IP address. With authentication, it no longer matters what IP address is used or from which machine a person chooses to work; the username defines the permissions of the user, and follows the user from workstation to workstation.
  • Page 98: Configuring Firebox Authentication

    Configuring Firebox authentication Configuring Firebox authentication You can use the WatchGuard Firebox System to define users and groups for authentication. Enter Firebox User information using Policy Manager. Firebox Users are intended for remote user virtual private networking (VPN). WatchGuard automatically adds two Firebox user groups to the basic configuration file: •...
  • Page 99: Configuring Radius Server Authentication

    Under Authentication Enabled Via, click the NT Service option. WatchGuard activates the Windows NT Server controls. Click the Windows NT Server tab. To identify the host either: - Enter both the host name and the IP address of the Windows NT network. - Enter the host name.
  • Page 100: Configuring Cryptocard Server Authentication

    Configuring CRYPTOCard server authentication On the RADIUS Server Gather the IP address of the Firebox and the user or group aliases you want to authenticate using RADIUS. The aliases appear in the “From” and “To” listboxes for the individual services’ Properties dialog boxes. Add the IP address of the Firebox where appropriate according to the RADIUS server vendor.
  • Page 101: Configuring Securid Authentication

    Enter the value of the shared secret between the Firebox and the CRYPTOCard server. This is the key or client key in the “Peers” file on the CRYPTOCard server. This key is case sensitive and must be identical on the Firebox and the CRYPTOCard server for CRYPTOCard authentication to work.
  • Page 102: Using Authentication To Define Remote User Vpn Access

    Using authentication to define remote user VPN access If you are using a backup server, enable the Specify backup SecurID server checkbox. Enter the IP address and port number for the backup server. Click OK. Using authentication to define remote user VPN access WatchGuard uses two built-in Firebox groups to identify currently active remote user virtual private network users.
  • Page 103: Monitoring Firebox Activity

    CHAPTER 14 Monitoring Firebox Activity An important part of an effective network security policy is the monitoring of network events. Monitoring enables you to recognize patterns, identify potential attacks, and take appropriate action. If an attack occurs, the records kept by WatchGuard will help you reconstruct what happened.
  • Page 104: Status Report

    Statistics from Wed Jan 11 14:54:24 2000 to Wed Jan 11 14:57:27 2000 Up since Tue Dec 30 15:26:48 1999 (23:30) Last network change Tue Nov 30 15:26:48 1999 WatchGuard, Copyright (C) 1998, 1999, 2000 WatchGuard Technologies, Inc. Driver version: 4.00.B99...
  • Page 105 Firebox Monitors Packet counts The number of packets allowed, denied, and rejected between status queries. Rejected packets are denied packets for which WatchGuard sends an ICMP error message. Allowed: 5832 Denied: Rejects: Log and notification hosts The IP addresses of the log and notification hosts. Log host(s): 206.148.32.16 Notification host:...
  • Page 106 Firebox Monitors Block Network 123.152.24.64/28 eth2 Logging options Logging options configured with either the QuickSetup wizard or by adding and configuring services from Policy Manager. Logging options: Outgoing traceroute Incoming traceroute logged(warning) notifies(traceroute) hostile Outgoing ping Incoming ping Outgoing Archie Incoming Archie logged(warning) printed notifies(Archie) hostile Outgoing SNMP Incoming SNMP hostile...
  • Page 107 Firebox Monitors 42 http-serve S 41 fwcheck 43 http-proxy S 22121 smtp-proxy S 19698 http-serve S Interfaces Each network interface is displayed in this section, along with detailed information regarding its status and packet count: Interfaces Link encap:Local Loopback inet addr:127.0.0.1 UP BROADCAST LOOPBACK RUNNING RX packets:15 errors:0 dropped:0 overruns:0 TX packets:15 errors:0 dropped:0 overruns:0...
  • Page 108: Authentication List

    HostWatch 198.148.32.0 eth1:0 127.0.0.0 default 207.54.9.30 eth0 ARP table A snapshot of the ARP table on the running Firebox. The ARP table is used to map IP addresses to hardware addresses: ARP Table Address 207.23.8.32 207.23.8.52 207.23.8.21 201.148.32.54 201.148.32.26 207.23.8.30 Authentication list The Authentication List tab displays the host IP addresses and user names of everyone currently authenticated to the Firebox.
  • Page 109: Connecting To A Firebox

    HostWatch The HostWatch display uses the logging settings configured for your Firebox using the Policy Manager. For instance, to see all denied attempts at incoming Telnet in HostWatch, configure the Firebox to log incoming denied Telnet attempts. The line connecting the source host and destination host is color-coded to display the type of connection being made.
  • Page 110: Controlling The Hostwatch Display

    HostWatch Browse to locate and select the Logdb file. By default, log files are stored in the WatchGuard installation directory at C:\Program Files\WatchGuard\logs. HostWatch loads the log file and begins to replay the activity. To pause the display, click Pause. To restart the display, click Continue.
  • Page 111 HostWatch In the New User field, enter the user ID of the authenticated user to watch. Click Add. Repeat for each authenticated user that HostWatch should monitor. Inside hosts and authenticated users are displayed even if there are no connections for them. Click OK.
  • Page 112 HostWatch...
  • Page 113: Chapter 11 Setting Up Logging And Notification

    CHAPTER 15 Reviewing and Working with Log Files Log entries are stored on the primary and backup LiveSecurity Event Processor. By default, log files are placed in the WatchGuard installation directory in a subdirectory called \logs. The log file to which the Event Processor is currently writing records is named Firebox IP.
  • Page 114: Copying And Exporting Logviewer Data

    Viewing files with LogViewer Configure LogViewer display preferences as you choose. For a description of each control on the General tab, right-click it and then click What’s This? For information on the Filter Data tab, see “Displaying and hiding fields” on page 105. Searching for specific entries LogViewer has a search tool to enable you to find specific transactions quickly by keyphrase or field.
  • Page 115: Displaying And Hiding Fields

    Displaying and hiding fields Use the Preferences dialog box to show or hide columns displayed in LogViewer. From LogViewer: Select View => Preferences. Click the Filter Data tab. Enable the checkboxes of the fields you would like to display. Disable the checkboxes of those columns you would like to hide.
  • Page 116: Working With Log Files

    Working with log files IP header length Length, in octets, of the IP header for this packet. A header length that is not equal to 20 indicates that IP options were present. Default = Hide TTL (time to live) The value of the TTL field in the logged packet. Default = Hide Source address The source IP address of the logged packet.
  • Page 117: Forcing The Rollover Of Log Files

    Enter the destination for the files in the Copy to This Directory box. Click Merge. The log files are merged and saved to the new file in the designated directory. Copying log files You can copy a single log file from one location to another, and you can copy the current, active log file.
  • Page 118 Working with log files...
  • Page 119: Generating Reports Of Network Activity

    CHAPTER 16 Generating Reports of Network Activity Historical Reports is a reporting tool that creates summaries and reports of Firebox log activity. It generates these reports using the log files created by and stored on the LiveSecurity Event Processor. Use Historical Reports to define reports, create filters, and process reports for viewing in a standard Web browser.
  • Page 120: Specifying Report Sections

    Specifying report sections Creating a new report From Historical Reports: Click Add. Enter the report name. The report name will appear in Historical Reports, the LiveSecurity Event Processor, and the title of the output. Use the box next to Log Directory to define the location of log files. The default location for log files is the \logs subdirectory of the WatchGuard installation directory.
  • Page 121: Specifying A Report Time Span

    Specifying a report time span Enable the checkboxes for sections to be included in the report. For a description of each section, see “Report sections and consolidated sections” on page 115. Specifying a report time span When running Historical Reports, the default is to run the report across the entire log file.
  • Page 122: Exporting Reports

    Exporting reports Enter the number of elements to rank in the table. Default is 100. Select the style of graph to use in the report. Select the manner in which you want the proxied summary reports sorted: bandwidth or connections. Enter the number of records to display per page for the detailed sections.
  • Page 123: Using Report Filters

    Using report filters Exporting a report to a text file When you select Text Export from the Setup tab on the Report Properties dialog box, the report output is created as a comma-delimited format file. The report appears as a .txt file in the following path: drive:\WatchGuard Install Directory\Reports\Report Directory...
  • Page 124: Scheduling And Running Reports

    Scheduling and running reports Editing a filter At any time, you can modify the properties of an existing filter. From the Filters dialog box in Historical Reports: Highlight the filter to modify. Click Edit. The Report Filter dialog box appears. Modify filter properties according to your preferences.
  • Page 125: Manually Running A Report

    Report sections and consolidated sections Manually running a report At any time, you can run one or more reports using Historical Reports. From Historical Reports: Enable the checkbox next to each report you would like to generate. Click Run. Report sections and consolidated sections You can use Historical Reports to build a report that includes one or more sections.
  • Page 126 Report sections and consolidated sections Session Summary – Packet Filtered A table, and optionally a graph, of the top incoming and outgoing sessions, sorted either by byte count or number of connections. The format of the session is: client -> server : service. If the connection is proxied, the service is represented in all capital letters.
  • Page 127: Consolidated Sections

    Report sections and consolidated sections Denied Outgoing Packet Detail A list of denied outgoing packets, sorted by time. The fields are Date, Time, Type, Client, Client Port, Server, Server Port, Protocol, and Duration. Denied Incoming Packet Detail A list of denied incoming packets, sorted by time. The fields are Date, Time, Type, Client, Client Port, Server, Server Port, Protocol, and Duration.
  • Page 128 Report sections and consolidated sections Reports attempts to resolve the server port to a table to represent the service name. If resolution fails, Historical Reports displays the port number. Time Summary – Proxied Traffic A table, and optionally a graph, of all accepted proxied connections distributed along user-defined intervals and sorted by time.
  • Page 129: Watchguard Virtual Private Networking

    PART V WatchGuard Virtual Private Networking A virtual private network (VPN) allows the secure tunneling of data between two networks (or a host to a network) via a third unprotected network. The WatchGuard Firebox System includes two methods to provide secure tunnels: Branch office virtual private network Use the WatchGuard Branch Office VPN features to securely connect two or more locations over the Internet.
  • Page 131: Chapter 17 Configuring Branch Office Virtual Private Networking

    CHAPTER 17 Configuring Branch Office Virtual Private Networking Branch office virtual private networking (VPN) creates a secure tunnel, over an unsecure network, between two networks protected by the WatchGuard Firebox System or between a WatchGuard Firebox and an IPSec-compliant device. Using branch office VPN, you can connect two or more locations over the Internet while still protecting the resources of your trusted and optional networks.
  • Page 132: Chapter 10 Setting Up Network Address Translation

    Using DVCP to connect to devices • IP network addresses for the networks communicating with one another. • A common passphrase, known as a shared secret. • For WatchGuard VPN only, the local VPN IP address of each Firebox. It must be selected from a reserved network address that is not in use on either of the networks being connected.
  • Page 133 Using DVCP to connect to devices Note also that if you configure a SOHO for both Basic and Enhanced DVCP, the gateway names must be different. From Policy Manager: Select Network => Branch Office VPN => Basic DVCP. The DVCP Configuration dialog box appears. Click Add.
  • Page 134: Branch Office Vpn With Ipsec

    Branch office VPN with IPSec You can also change the network range of a WatchGuard client. However, when you save the configuration to the server, it automatically triggers the client to reboot and load the new policy. From Policy Manager: Select Network =>...
  • Page 135: Configuring A Gateway

    Branch office VPN with IPSec and how WatchGuard implements branch office VPN with IPSec, see the Network Security Handbook. • Determine the tunnel and policy endpoints • Select an encryption method • Select an authentication method From Policy Manager: • Select Network => Branch Office VPN => IPSec. Configuring a gateway A gateway specifies endpoints for one or more tunnels.
  • Page 136 Branch office VPN with IPSec Removing a gateway From the Configure Gateways dialog box: Click the gateway. Click Remove. Configuring a tunnel with manual security A tunnel encapsulates packets between two gateways. It specifies encryption type and/or authentication method. A tunnel also specifies endpoints. The following describes how to configure a tunnel using a gateway with the manual key negotiation type.
  • Page 137 Branch office VPN with IPSec Use the Authentication drop list to select an authentication method. Options include: None (no authentication), MD5-HMAC (128-bit algorithm), or SHA1-HMAC (160-bit algorithm). Click Key. Enter a passphrase. Click OK. The passphrase appears in the Authentication Key field. You cannot enter a key here directly. Using Authenticated Headers (AH) Type or use the SPI scroll control to identify the Security Parameter Index (SPI).
  • Page 138: Creating An Ipsec Policy

    Branch office VPN with IPSec 11 After you add all tunnels for this gateway, click OK. The Configure Gateways dialog box appears. 12 To configure more tunnels for another gateway, click Tunnels. Select a new gateway and repeat the tunnel creation procedure for that gateway. 13 When all the tunnels are created, click OK.
  • Page 139 Branch office VPN with IPSec Use the Protocol drop list to limit the protocol used by the policy. Options include: * (specify ports but not protocol), TCP, and UDP. 10 In the Src Port field, enter the local host port. The local host port number is optional and is the port from which WatchGuard sends all communication for the policy.
  • Page 140: Configuring Watchguard Vpn

    Configuring WatchGuard VPN Allow VPN access to any services To allow all traffic from VPN connections, add the Any service to the Services Arena and configure it as described above. Allow VPN access to selective services To allow traffic from VPN connections only for specific services, add each service to the Services Arena and configure each as described above.
  • Page 141 Configuring WatchGuard VPN In the Local Firebox IP field, enter an IP address from a reserved network not in use on the local or remote networks. More information on reserved networks can be found in RFC 1918. You can use the same local VPN IP address for multiple VPN connections when specifying more than one—for example, when there are several branch offices connecting to a central office.
  • Page 142 Configuring WatchGuard VPN Configuring incoming services to allow VPN Because users on the remote Firebox are technically outside the trusted network, you must configure services to allow traffic through the VPN connection. WatchGuard recommends the following method: Create a host alias corresponding to the VPN remote networks. For more information see “Adding a host alias”...
  • Page 143: Configuring The Firebox For Remote User Vpn

    CHAPTER 18 Configuring the Firebox for Remote User VPN Remote user virtual private networking (RUVPN) establishes a secure connection between an unsecured remote host and a protected network over an unsecured network. RUVPN connects an employee on the road or working from home to trusted and optional networks behind a Firebox using a standard Internet dial-up connection without compromising security.
  • Page 144: Configuring Shared Servers For Ruvpn

    Configuring shared servers for RUVPN • The IP addresses of the DNS and WINS servers in the trusted network that perform IP address lookup on host alias names. • The usernames and passwords of those authorized to connect to the Firebox using RUVPN.
  • Page 145: Configuring Services To Allow Incoming Ruvpn

    Configuring services to allow incoming RUVPN Enter the username and password. Firebox usernames are case sensitive. To add the user to a group, select the group name in the Not Member Of list. Click the left-pointing arrow. Use pptp_users for Remote User PPTP and ipsec_users for Mobile User VPN. A given user can be a member of both groups.
  • Page 146: Configuring The Firebox For Remote User Pptp

    Configuring the Firebox for Remote User PPTP - From: Selected - To: pptp_users or ipsec_users Configuring the Firebox for Remote User PPTP Configuring the Firebox for Remote User PPTP requires that you perform the following: • Enter IP addresses and networks used for clients •...
  • Page 147: Configuring The Firebox For Mobile User Vpn

    Configuring the Firebox for Mobile User VPN From the Remote User Setup dialog box: Click the PPTP tab. Click Add. Use the Choose Type drop list to select either a host or network. You can configure up to 50 addresses. If you select a network address, Remote User PPTP will use the first 50 addresses in the subnet.
  • Page 148 Configuring the Firebox for Mobile User VPN automatically included in the Policy Manager software, to activate the feature a license for each installation of the client software must be purchased. To purchase IPSec license keys, contact your local reseller or visit: http://www.watchguard.com/sales Entering license keys The first step in configuring the Firebox for Mobile User VPN is to enter the license...
  • Page 149 Configuring the Firebox for Mobile User VPN 10 Use the Encryption drop list to select an encryption method. Options available with the strong encryption version of WatchGuard Firebox System include: None (no encryption), DES-CBC (56-bit), and 3DES-CBC (168-bit). 11 Click Next. Click Finish. The wizard closes and the username appears in the Remote User VPN Setup dialog box on the Mobile User tab Users list.
  • Page 150: Configuring Debugging Options

    Configuring debugging options The packages are located on the WatchGuard LiveSecurity Service Web site at http://www.watchguard.com/support. Enter the Service Web site using your LiveSecurity username and password. Click the Mobile User VPN link. • end-user configuration file .exp A prompt appears so you can save the end-user configuration files when you save a configuration to the Firebox.
  • Page 151: Chapter 18 Configuring The Firebox For Remote User Vpn

    CHAPTER 19 Preparing a Host for Remote User VPN Remote user virtual private networking (RUVPN) establishes a secure connection between an unsecured remote host and a protected network over an unsecured network. RUVPN connects an employee on the road or working from home to trusted and optional networks behind a Firebox using a standard Internet dial-up connection without compromising security.
  • Page 152 Preparing the client computers • Public IP address Remote host operating system The remote client must be running Windows and have the most recent MSDUN (Microsoft Dial-Up Networking) upgrades installed and may need other extensions and updates for proper configuration. Currently, Remote User VPN with PPTP requires these upgrades according to platform: Encryption Both...
  • Page 153 Preparing the client computers Enter the domain name you are connecting to. This should be the same as the “Log on to Windows NT domain” value. Enter a description for your computer (optional). Verify that Dial-Up Adapter #2 (VPN Support) is installed. If you do not have Dial-Up Adapter #2 (VPN Support), you must install it.
  • Page 154 Preparing the client computers Click Dial Out Only. Click Continue. 10 Click OK. 11 Restart the machine. Adding a domain name to a Windows NT workstation Often remote clients need to connect to a domain behind the firewall. To do this, the remote client must be able to recognize the domains to which they belong.
  • Page 155: Configuring The Remote Host For Ruvpn With Pptp

    Configuring the remote host for RUVPN with PPTP In the Initial Connection window that appears, click Yes. 10 Click Properties. The Virtual Private Connection window appears. 11 Click the General tab, and enter a host name or an IP address of the destination computer.
  • Page 156: Using Remote User Pptp

    Using Remote User PPTP 10 Click OK. Click OK again. 11 Restart the computer. Installing a VPN adapter on Windows NT From the Windows NT Desktop of the remote host: Double-click My Computer. Double-click Dial-Up Networking. If you have not already configured an entry, Windows guides you through the creation of a dial-up configuration.
  • Page 157: Configuring Debugging Options

    Configuring debugging options Double-click the RUVPN connection. If you configured the client computer as described in “Windows 95/98 platform preparation” on page 142, double-click Connect with RUVPN. Enter the remote client username and password. These are assigned when you add the user to the pptp_users group. See “Using Remote User PPTP”...
  • Page 158 Configuring debugging options...