Watchguard Firebox FireboxTM System 4.6 User Manual page 141

Configuring WatchGuard VPN
4 In the Local Firebox IP field, enter an IP address from a reserved network not in
use on the local or remote networks.
More information on reserved networks can be found in RFC 1918. You can
use the same local VPN IP address for multiple VPN connections when
specifying more than one—for example, when there are several branch offices
connecting to a central office.
5 In the text box to the left of the Add button, enter the IP address in slash notation
of any remote network to which access should be granted from the local Firebox.
Click Add.
The remote Firebox must reciprocate by adding the local networks in its Remote Networks box.
Because WatchGuard VPN is a peer-to-peer situation, each Firebox must have the other's
network listed.
6 Click the Encryption tab.
7 Under Encryption, select the number of bits used to encrypt the tunnel.
The greater the number of bits, the stronger the encryption.
8 Enter the encryption key. Click Make Key.
WatchGuard hashes the encryption key and then displays a key in the bottom panel.
The hashed key must be identical on both Fireboxes. If you are running
different versions of WatchGuard Security System software, verify that the
hashes match exactly on the two Fireboxes.
9 Click the Options tab.
10 Enable the Activate WatchGuard VPN checkbox.
11 To automatically block sites when the source fails to properly connect to the
Firebox, enable the Add Source to Blocked List When Denied checkbox.
12 Enable Logging options according to your security policy preferences.
Activating logging often generates a high volume of log entries, significantly slowing the passage
of VPN traffic. WatchGuard recommends logging only for debugging purposes.
Changing remote network entries
You cannot edit a remote network entry. You must remove the original and add the
new remote network address. From the WatchGuard VPN Setup dialog box:
1 Click the network address. Click Remove.
2 Click Add. Add the new network configuration.
Preventing IP spoofing with WatchGuard VPN
There is a potential IP spoofing problem if the remote Firebox IP is on the same
network as a remote network. It is theoretically possible to spoof packets from that
single IP address (the remote Firebox IP). Although this situation is relatively rare,
you can prevent it by disallowing access to internal servers from the remote Firebox
IP.
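The address rules in steps 4 and 5 and the spoofing condition described above can be checked before a peer definition is saved. The following is an added example, not WatchGuard's code; the `check_vpn_peer` function, its argument layout and the sample addresses are assumptions, while the field names come from the steps on this page.

```python
"""Sanity checks for a WatchGuard VPN (Firebox System 4.6) peer definition.

Added example, not WatchGuard's code. Field names follow the setup dialog
described above; the function, its arguments and sample values are assumed.
"""
import ipaddress

# RFC 1918 private ranges, the "reserved networks" that step 4 refers to
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_vpn_peer(local_firebox_ip, local_networks, remote_firebox_ip, remote_networks):
    """Return a list of problems found in one WatchGuard VPN peer definition.

    local_firebox_ip  -- value entered in the Local Firebox IP field (step 4)
    local_networks    -- slash-notation networks behind this Firebox
    remote_firebox_ip -- the peer Firebox's external address
    remote_networks   -- slash-notation entries in the Remote Networks box (step 5)
    """
    problems = []
    vpn_ip = ipaddress.ip_address(local_firebox_ip)
    peer_ip = ipaddress.ip_address(remote_firebox_ip)
    locals_ = [ipaddress.ip_network(n, strict=False) for n in local_networks]
    remotes = [ipaddress.ip_network(n, strict=False) for n in remote_networks]

    # Step 4: the local VPN IP must come from a reserved (RFC 1918) range ...
    if not any(vpn_ip in net for net in RFC1918):
        problems.append(f"Local Firebox IP {vpn_ip} is not in an RFC 1918 range")
    # ... and must not fall inside any network in use on either side.
    for net in locals_ + remotes:
        if vpn_ip in net:
            problems.append(f"Local Firebox IP {vpn_ip} overlaps in-use network {net}")

    # Step 5: remote networks must not overlap this Firebox's own networks,
    # otherwise traffic for the overlapping range cannot be routed unambiguously.
    for r in remotes:
        for l in locals_:
            if r.overlaps(l):
                problems.append(f"Remote network {r} overlaps local network {l}")

    # "Preventing IP spoofing": a remote Firebox IP that lies inside one of the
    # remote networks is the single address that could spoof internal traffic.
    for r in remotes:
        if peer_ip in r:
            problems.append(
                f"Remote Firebox IP {peer_ip} is inside remote network {r}; "
                "deny that single address access to internal servers")
    return problems
```

Each returned string names the dialog field and the address that caused it, so the list can be shown back to the administrator before the configuration is saved.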
User Guide
131