Watchguard Firebox X15 User Manual


WatchGuard® Firebox X Edge®

User Guide

Firebox X Edge - Firmware Version 7.5
All Firebox X Edge Standard and Wireless Models


Summary of Contents for Watchguard Firebox X15

  • Page 1: User Guide

WatchGuard® Firebox X Edge® User Guide Firebox X Edge - Firmware Version 7.5 All Firebox X Edge Standard and Wireless Models...
  • Page 2 Agreement. If you do not agree to the terms of this AGREEMENT, WATCHGUARD will not license the SOFTWARE PRODUCT to you, and you will not have any rights in the SOFTWARE PRODUCT. In that case, promptly return the SOFTWARE PRODUCT, along with proof of payment, to the authorized dealer from whom you obtained the SOFTWARE PRODUCT for a full refund of the price you paid.
  • Page 3 You must also maintain a current subscription to the WatchGuard LiveSecurity Service (or its equivalent) for each additional WATCHGUARD hardware product on which you will use a copy of an updated or modified version of the SOFTWARE PRODUCT received through the WatchGuard LiveSecurity Service (or its equivalent).
  • Page 4 AGREEMENT AND THE PERFORMANCE OF THE ENTITY’S OBLIGATIONS UNDER THIS AGREEMENT DO NOT VIOLATE ANY THIRD-PARTY AGREEMENT TO WHICH THE ENTITY IS A PARTY. No change or modification of this AGREEMENT will be valid unless it is in writing and is signed by WATCHGUARD. Version: 040226...
  • Page 5 Integrated Services Digital Network Internet Service Provider Media Access Control Mobile User Virtual Private Network Network Address Translation Point-to-Point Protocol Point-to-Point Protocol over Ethernet Transfer Control Protocol User Datagram Protocol Universal Resource Locator Virtual Private Network Wide Area Network WatchGuard Security Event Processor...
  • Page 6 SALES: U.S. and Canada +1.800.734.9905 All Other Countries +1.206.521.8340 ABOUT WATCHGUARD WatchGuard network security solutions provide small- to mid-sized enterprises worldwide with effective, affordable security. Our Firebox line of extendable, integrated security appliances is designed to be fully upgradeable...
  • Page 7: Table Of Contents

    Contents Introduction to Network Security ...1 CHAPTER 1 Network Security ...1 About Networks ...2 Clients and servers ...2 Connecting to the Internet Protocols ...3 How Information Travels on the Internet IP Addresses ...5 Network addressing ...5 About DHCP ...5 About PPPoE ...5 Domain Name Service (DNS) Services ...6...
  • Page 8 Remote reboot ...44 Selecting HTTP or HTTPS for Management Changing the HTTP Server Port Setting up WatchGuard System Manager Access Enable remote management with WSM v8.2 or higher ...46 Enable remote management with WSM v8.0 or v8.1 ...48 Enable remote management with WSM v7.3 or earlier ...50 Updating the Firebox X Edge Software ...52...
  • Page 9 Enabling the Model Upgrade Option Viewing the Configuration File ...57 Changing Your Network Settings ...59 CHAPTER 5 Using the Network Setup Wizard ...59 Configuring the External Network If your ISP uses DHCP ...61 If your ISP uses static IP addresses ...62 If your ISP uses PPPoE ...63 Configuring the Trusted Network Changing the IP address of the trusted network ...67...
  • Page 10 Filtering incoming traffic for services ...116 Filtering outgoing traffic for services ...116 Services for the Optional Network ...116 Controlling traffic from the trusted to optional network ...117 Disabling traffic filters ...118 Blocking External Sites...
  • Page 11 Changing the MAC address of the external interface ...123 Configuring Logging and System Time ...125 CHAPTER 8 Viewing Log Messages Log to a WatchGuard Log Server ...126 Logging to a Syslog Host Setting the System Time Managing Users and Groups ...133...
  • Page 12 The MUVPN client icon ...207 Allowing the MUVPN client through a personal firewall ...208 Disconnecting the MUVPN client ...209 Monitoring the MUVPN Client Connection Using Log Viewer ...210...
  • Page 13 Using Connection Monitor ...210 The ZoneAlarm Personal Firewall Allowing traffic through ZoneAlarm ...211 Shutting down ZoneAlarm ...212 Uninstalling ZoneAlarm ...212 Using MUVPN on the Edge Wireless Network Tips for Configuring the Pocket PC Troubleshooting Tips ...216 Firebox X Edge Hardware ...219 APPENDIX A Package Contents and Specifications Hardware Description...
  • Page 15: Introduction To Network Security

    CHAPTER 1 Introduction to Network Security Thank you for your purchase of the WatchGuard® Firebox® X Edge. This security device helps protect your computer network from threat and attack. This chapter gives you basic information about networks and network security. This information can help you when you configure the Edge.
  • Page 16: Chapter 1 Introduction To Network Security

    Also, the bandwidth is only constant between your home or office and the DSL central office. The DSL central office cannot supply a constant connection to a Web site or network...
  • Page 17: Protocols

    Protocols A protocol is a group of rules that allow computers to connect across a network. Protocols are the “grammar” that computers use to speak to each other. The standard protocol when you connect to the Internet is the IP (Internet Protocol).
  • Page 18: How Information Travels On The Internet

    The TCP and IP protocols are used to send and receive these packets. TCP disassembles the data and assembles it again. IP adds information to the packets, such as the sender, the recipient, and any special instructions. (Figure: Packets traveling on the Internet)...
  • Page 19: Ip Addresses

    IP Addresses To send mail to a person, you must first know their physical address. For a computer to send data to a different computer, it must first know the address of that computer. A computer address is known as an IP address.
  • Page 20: Domain Name Service (Dns)

    Ports Usually, a port is a connection point where you use a socket and a plug to connect two devices. Computers also have ports that are not physical locations. These ports are where programs transmit data...
  • Page 21 Ports Some protocols, such as HTTP, have ports with assigned numbers. For example, most computers transmit e-mail on port 25 because the SMTP protocol is assigned to port 25. Other programs are assigned port numbers dynamically for each connection. The IANA (Internet Assigned Numbers Authority) keeps a list of well known ports.
  • Page 22: Firewalls

    Internet (outbound access). Many firewalls have sample security policies and users can select the policy that is best for them. With others—such as the Firebox® X Edge—the user can customize these policies...
  • Page 23: Firebox® X Edge And Your Network

    Firewalls can be in the form of hardware or software. They can prevent unauthorized Internet users from accessing private networks connected to the Internet. All messages that enter or go out of the trusted or protected networks go through the firewall, which examines each message and blocks those that do not match the security criteria.
  • Page 24 The Web-based user interface of the Firebox X Edge lets you manage your network safely. You can manage your Edge from different locations and at different times. It gives you more time and resources to use on other components of your business...
  • Page 25: Installing The Firebox X Edge

    CHAPTER 2 Installing the Firebox X Edge To install the WatchGuard® Firebox® X Edge in your network, you must complete these steps: • Identify and record the TCP/IP properties for your Internet connection. • Disable the HTTP proxy properties of your Web browser.
  • Page 26: Chapter 2 Installing The Firebox X Edge

    Explorer 6.0 (or later), or an equivalent browser. • The serial number of the Firebox X Edge. You can find the serial number on the bottom of the Firebox. You use the serial number to register the Edge...
  • Page 27: Identifying Your Network Settings

    An Internet connection. The external network connection can be a cable or DSL modem with a 10/100BaseT port, an ISDN router, or a direct LAN connection. If you have problems with your Internet connection, call your ISP (Internet Service Provider) to correct the problem before you install the Firebox X Edge.
  • Page 28: Finding Your Tcp/Ip Properties

    IP address for your Edge external IP address. If you use a private IP address, you can have problems with some features, including VPN. many IP addresses can be on the smaller...
  • Page 29 Your TCP/IP Properties Table (columns: TCP/IP Property, Value): IP Address; Subnet Mask; Default Gateway; DHCP Enabled; DNS Server(s): Primary, Secondary...
  • Page 30 Record the values in Your TCP/IP Properties Table on page 15. Close the window. Macintosh OS 9 Click the Apple menu > Control Panels > TCP/IP. Record the values in Your TCP/IP Properties Table on page 15. Close the window...
  • Page 31: Finding Pppoe Settings

    Macintosh OS X Click the Apple menu > System Preferences. The System Preferences window appears. Click the Network icon. The Network preference pane appears. From the Show drop-down list, select the network adapter you use to connect to the Internet. Record the values in Your TCP/IP Properties Table on page 15.
  • Page 32 The Internet Options window appears. Click the Connections tab. Click the LAN Settings button. The Local Area Network (LAN) Settings window appears. Clear the check box labeled Use a proxy server for your LAN. Click OK twice...
  • Page 33: Connecting The Firebox X Edge

    Connecting the Firebox X Edge Use this procedure to connect your Firebox® X Edge Ethernet and power cables: Shut down your computer. If you use a DSL or cable modem to connect to the Internet, disconnect its power supply. Find the Ethernet cable between the modem and your computer.
  • Page 34: Connecting The Edge To More Than Seven Devices

    Edge releases that session. • If the Automatic Session Termination time limit for all sessions is reached, the Edge releases all sessions at one time. • If the Edge restarts, all sessions are released...
  • Page 35 For more information, see the FAQ: www.watchguard.com/support/AdvancedFaqs/edge_seatlicense.asp License upgrades are available from your reseller or from the WatchGuard Web site: http://www.watchguard.com/products/purchaseoptions.asp To connect more than seven devices to the Edge, you must have: • An Ethernet 10/100Base TX hub or switch •...
  • Page 36: Setting Your Computer To Connect To The Edge

    Enter. If you are asked to accept a security certificate, click OK. The Quick Setup Wizard starts. 11 Run the Quick Setup Wizard, as shown in “Using the Quick Setup Wizard” on page 24...
  • Page 37: If Your Computer Has A Static Ip Address

    If your computer has a static IP address This procedure configures a computer with the Windows XP operating system to use a static IP address. If your computer does not use Windows XP, read the operating system help for instructions on how to set your computer to use a static IP address.
  • Page 38: Using The Quick Setup Wizard

    Edge. Set the Wireless Region (For wireless models only.) Type the country or region in which the Firebox X Edge Wireless is being used. This setting cannot be changed after it is set...
  • Page 39 The Quick Setup Wizard is complete The Quick Setup Wizard supplies a link to the WatchGuard web site to register your product. After you complete the wizard, the Firebox X Edge restarts. If you changed the IP address of the trusted interface, you must restart your computer before you connect to the Firebox X Edge.
  • Page 40: Registering And Activating Livesecurity Service

    To activate the LiveSecurity Service, your browser must have JavaScript enabled. If you are registered at the WatchGuard web site, type your user name and password. If you are not registered, you must create a user profile. To do this, follow the instructions on the web site.
  • Page 41 Registering and Activating LiveSecurity Service http://www.watchguard.com/upgrade Select your product and follow the instructions for product activation. At this time you can configure your Edge...
  • Page 43: Chapter 3 Navigating The Firebox X Edge Configuration

    X Edge Configuration Pages When you configure a WatchGuard® Firebox® X Edge, you create firewall rules to apply the security rules of your company. Before you create these rules, you must install your Firebox. To create a basic configuration, use your web browser to connect to the web pages on the Firebox X Edge.
  • Page 44: Navigating The Configuration Pages

    Start Internet Explorer. Click File > Open, type https://192.168.111.1 in the text box adjacent to the word Open, and then click OK. You can also type the URL directly into the address bar and press the Enter key...
  • Page 45: Using The Navigation Bar

    If necessary, you can connect to the web server on the Firebox X Edge in HTTP mode instead of HTTPS mode. HTTP mode is less secure, because any configuration changes you make are sent to the Firebox in unencrypted text. Using the navigation bar On the left side of the System Status page is the navigation bar you use to get to other Firebox X Edge configuration pages.
  • Page 46: Configuration Overview

    The status of upgrade options • Network configuration information • Which external network (external or failover) is active. A green triangle appears adjacent to the active network. • Firewall configuration information • A button to restart the Firebox...
  • Page 47: Network Page

    Network Page The Network page shows the configuration of each network interface. It also shows any configured routes and has buttons you can use to change configurations and to see network statistics. For more information, see Chapter 5, “Changing Your Network Settings.” The Network menu contains links to these pages: •...
  • Page 48: Administration Page

    The Administration page shows if the Firebox uses HTTP or HTTPS for its configuration pages, if the Edge is configured as a managed Firebox client, and which upgrades are enabled. It has buttons to change configurations, add upgrades, and see the configuration file...
  • Page 49: Firewall Page

    System Security: Use the System Security page to select HTTP or HTTPS for administrative access. • WSM Access: Use the WSM Access page to enable remote management of the Edge through the WatchGuard Management Server. • Update: Update the Edge firmware.
  • Page 50 Optional: Make one or more security services for outgoing traffic from the trusted to the optional network. • Blocked Sites: Prevent access to specified network addresses on the external interface. • Firewall Options: Customize your security policy...
  • Page 51: Logging Page

    “Configuring Logging and System Time.” The Logging menu contains links to these pages: • WatchGuard Logging: Configure the WatchGuard® Log Server to accept the log messages from your Edge. • Syslog Log: Configure the Edge to send log messages to a syslog host.
  • Page 52: Webblocker Page

    VPN Page The VPN page shows information on managed VPN tunnels, manual VPN gateways, echo hosts, and buttons to change the configuration of VPN tunnels. It also has a button for you to see statistics on...
  • Page 53: Wizards Page

    You can add the Firebox® X Edge to a WatchGuard System Manager VPN network with the WSM Access page in Administration. For more information, see Chapter 11, “Configuring Virtual Private Networks.” The VPN menu contains links to these pages: •...
  • Page 54 Set up the wireless interface. For more information, see Chapter 6, “Setting up the Firebox X Edge Wireless.” • WAN Failover Setup Wizard Set up the failover network. For more information, see “Enabling the WAN Failover Option” on page 83...
  • Page 55: Configuration And Management Basics

    CHAPTER 4 Configuration and Management Basics After your Firebox® X Edge is installed on your network and operating with a basic configuration file, you can start to add custom configuration settings to meet the needs of your organization. This chapter shows you how to do some basic management and maintenance tasks.
  • Page 56: Chapter 4 Configuration And Management Basics

    For example, if you do not know the administrator account passphrase or a power interruption damages the Firebox X Edge firmware, you can reset the Firebox to the factory-default settings...
  • Page 57: Restarting The Firebox

    If you do not start the Edge one more time, when you try to connect to the Edge you will see a web page with “Your WatchGuard Firebox X Edge is running from a backup copy of firmware.” You could also see this message if the reset button is stuck in the depressed position.
  • Page 58: Remote Reboot

    HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) is a more secure version of HTTP. When HTTPS is used, the Web server and your browser encrypt and decrypt the information you transmit. For better security, the Firebox® X Edge uses HTTPS by default...
  • Page 59: Changing The Http Server Port

    If your browser does not support HTTPS, or to make the Edge HTML configuration pages load faster, you can use HTTP. Using HTTP is less secure. When you use HTTP, all configuration changes are sent to the Edge from your computer in unencrypted text. We recommend that you use HTTPS to configure your Firebox X Edge.
  • Page 60: Setting Up Watchguard System Manager Access

    HTTP Server Port, see this FAQ: https://www.watchguard.com/support/advancedfaqs/edge_httpserverport.asp Setting up WatchGuard System Manager Access Use the WatchGuard® System Manager (WSM) Access page to enable remote management by WatchGuard System Manager. • With WatchGuard System Manager v7.3 or earlier, you can use VPN Manager to create managed VPN tunnels between a Firebox®...
  • Page 61 Select the Enable remote management check box. From the Management Type drop-down list, select WatchGuard Management System. To put the Firebox X Edge into the control of WatchGuard System Manager centralized Edge management, click the Use Centralized Management check box.
  • Page 62: Enable Remote Management With Wsm V8.0 Or V8.1

    These passphrases must match the passphrases you use when you add the device to WatchGuard System Manager or the connection will fail. In the Management Server Address text box, type the IP address of the Management Server if it has a public IP address.
  • Page 63 Management System. Make sure the Use Centralized Management check box is cleared. WatchGuard System Manager v8.0 and 8.1 do not support centralized Edge management. Type a status passphrase for your Firebox X Edge and then type it again to confirm in the correct fields.
  • Page 64: Enable Remote Management With Wsm V7.3 Or Earlier

    Guard System Manager include VPN Manager and use the Firebox as a DVCP Server. To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Edge trusted interface. The default URL is: https://192.168.111.1...
  • Page 65 VPN Manager or the connection will fail. Click the Enable Managed VPN check box to configure the Firebox X Edge as a client to a WatchGuard DVCP server...
  • Page 66: Updating The Firebox X Edge Software

    Firebox® X Edge software. To load any firmware on the Firebox X Edge, you must have a current LiveSecurity subscription. See the WatchGuard web site regularly for Firebox® X Edge updates: https://www.watchguard.com/archive/softwarecenter.asp (select Firebox X Edge) There are two different methods for installing firmware updates.
  • Page 67: Method 2 - Installing Software Manually

    The installer gives a prompt for an IP address, a user name and password. Type the Firebox X Edge’s trusted interface IP address. The default address is 192.168.111.1 Type the administrator name and password. Click OK. The installer applies the firmware update to the Firebox X Edge. As part of the update process, the Firebox X Edge restarts one or two times—this is usual.
  • Page 68: Activating Upgrade Options

    You use the license key to get the feature key for the upgrade. Use these steps to activate your license key and get your feature key: Go to the upgrade page of the WatchGuard Web site: http://www.watchguard.com/upgrade Type your LiveSecurity Service user name and password in the fields provided.
  • Page 69 From the navigation bar, select Administration > Upgrade. The Upgrade page appears. Paste the feature key in the correct field. Click Submit...
  • Page 70: Enabling The Model Upgrade Option

    Firebox X Edge models, go to: http://www.watchguard.com/docs/datasheet/edge_ds.asp You can upgrade an X5 or an X15 to a higher model. Go to the upgrade site on the WatchGuard web site (www.watchguard.com/upgrade) and log into your LiveSecurity Service account.
  • Page 71: Viewing The Configuration File

    Viewing the Configuration File You can see the contents of the Firebox® X Edge configuration file in text format from the View Configuration page. To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Edge trusted interface.
  • Page 73: Changing Your Network Settings

    CHAPTER 5 Changing Your Network Settings A primary component of the WatchGuard® Firebox® X Edge setup is the configuration of the network interface IP addresses. At a minimum, you must configure the external network and the trusted network to let traffic flow through the Edge. You do this when you use the Quick Setup Wizard after you install the Edge.
  • Page 74: Chapter 5 Changing Your Network Settings

    DHCP - Network administrators use DHCP (Dynamic Host Configuration Protocol) to give IP addresses to computers on their network automatically. With DHCP, your Firebox receives an external IP address each time it connects to the ISP network...
  • Page 75: If Your Isp Uses Dhcp

    It can be the same IP address each time, or it can be a different IP address. • Static IP address - Network administrators use static IP addresses to manually give an IP address to each computer on their network. A static IP address can be more expensive than a dynamic IP address because static IP addresses make it easier to set up servers.
  • Page 76: If Your Isp Uses Static Ip Addresses

    To set your Edge to use a static IP address for the external interface: Use your browser to connect to the System Status page. From the navigation bar, select Network > External. The External Network Configuration page appears. From the Configuration Mode drop-down list, select Manual Configuration...
  • Page 77: If Your Isp Uses Pppoe

    Type the IP address, subnet mask, default gateway, primary DNS, secondary DNS, and DNS domain suffix into the related fields. Get this information from your ISP or corporate network administrator. If you completed the table on page 15, type the information from the table.
  • Page 78 Domain field. Do not type the @ symbol. Some ISPs do not use the domain. In the Inactivity Time-out field, type the number of minutes before the Edge disconnects inactive connections. We recommend a value of 20...
  • Page 79 Select this option if there is more than one installation of the same PPPoE client on the network. This can prevent interference between the discovery packets of each client. This is not a supported Edge feature; WatchGuard includes this option to make the Edge compatible with ISPs which have this requirement.
  • Page 80: Configuring The Trusted Network

    Edge tries to connect when it finds that the PPPoE connection is broken. Enable PPPoE debug trace WatchGuard Technical Support uses this check box to troubleshoot PPPoE problems. With this option on, the Edge makes a file that you can send to Technical Support. Use this option only when Technical Support tells you because it decreases Edge performance.
  • Page 81: Changing The Ip Address Of The Trusted Network

    You can use static IP addresses or DHCP for the computers on your trusted network. The Firebox® X Edge has a built-in DHCP server to give IP addresses to computers on your trusted and optional networks. You can also change the IP address of the trusted network. The factory-default settings of a Firebox DHCP server automatically give IP addresses to computers on the trusted network.
  • Page 82: Using Dhcp On The Trusted Network

    When the Firebox receives a DHCP request from a computer on the trusted network, it gives the computer an IP address. By default, a Firebox has the DHCP Server option for the trusted interface enabled...
  • Page 83: Setting Trusted Network Dhcp Address Reservations

    To use DHCP on the trusted network: Use your browser to connect to the System Status page. From the navigation bar, select Network > Trusted. The Trusted Network Configuration page appears. Select the Enable DHCP Server on the Trusted Network check box.
  • Page 84: Configuring The Trusted Network For Dhcp Relay

    In this procedure the Firebox is a DHCP Relay Agent. You must set up a VPN between the Firebox and the DHCP server for this feature to operate correctly...
  • Page 85: Using Static Ip Addresses For Trusted Computers

    To configure the Firebox as a DHCP Relay Agent for the trusted interface: Use your browser to connect to the System Status page. From the navigation bar, select Network > Trusted. The Trusted Network Configuration page appears. Select the Enable DHCP Relay check box. Type the IP address of the DHCP server in the related field.
  • Page 86: Configuring The Optional Network

    If you make any changes to the optional network configuration page, you must click Submit and then restart the Firebox before the new configuration starts. You can make many changes, and then restart just once when you are done...
  • Page 87: Enabling The Optional Network

    Enabling the optional network To connect to the System Status page, type https:// in the browser address bar, followed by the IP address of the Edge trusted interface. The default URL is: https://192.168.111.1 From the navigation bar, select Network > Optional. The Optional Network Configuration page appears.
  • Page 88: Using Dhcp On The Optional Network

    Using DHCP on the optional network The DHCP Server option sets the Firebox X Edge to give IP addresses to the computers on the optional network. When the Firebox receives a DHCP request from a computer on the optional network,...
  • Page 89: Setting Optional Network Dhcp Address Reservations

    it gives the computer an IP address. By default, a Firebox has the DHCP Server option for the optional interface turned off. To use DHCP on the optional network: Use your browser to connect to the System Status page. From the navigation bar, select Network >...
  • Page 90: Configuring The Optional Network For Dhcp Relay

    This option lets computers in more than one office use the same network address range. In this procedure, the Firebox is a DHCP Relay Agent...
  • Page 91: Using Static Ip Addresses For Optional Computers

    Computers with static IP addresses on the optional network must use the optional interface IP address of the Edge as the default gateway or router. To disable the Firebox DHCP server, clear the Enable DHCP Server on the Optional Network check box on the Optional Network Configuration page and click Submit.
  • Page 92: Making Static Routes

    To connect to the System Status page, type https:// in the browser address bar, followed by the IP address of the Edge trusted interface. The default URL is: https://192.168.111.1 From the navigation bar, select Network > Routes. The Routes page appears...
  • Page 93 Type the destination IP address and the gateway in the related fields. The gateway is the local interface IP address of the router. The gateway IP address must be in the Firebox’s trusted, optional, or external network range. Click Submit.
  • Page 94: Viewing Network Statistics

    This page includes this information: • Miscellaneous system status counters • IP protocol stack counters • Network interface counters, in this order: - External interface - Trusted interface - Optional interface - Failover interface • Routing table for the Firebox...
  • Page 95: Registering With The Dynamic Dns Service

    How do I set up Dynamic DNS? http://watchguard.com/support/AdvancedFaqs/sogen_setupdyndns.asp You must log into your LiveSecurity Service account to see the FAQ. WatchGuard is not affiliated with DynDNS.org. Create a DynDNS.org account To set up your account, go to this web site: http://www.dyndns.org This site also has information about how Dynamic DNS operates.
  • Page 96 The Firebox connects to the IP address it finds for members.dyndns.org to register the current Firebox external interface IP address with the DynDNS service. The Firebox does not operate with other Dynamic DNS services, only DynDNS.org...
  • Page 97: Enabling The Wan Failover Option

    • The status of the link between the external interface and the device it is connected to (usually a router) • A ping command to a specified location The Firebox sends a ping to the default gateway or a computer specified by the administrator.
  • Page 98: Using The Wan Failover Setup Wizard

    ISP. Identify the computers to connect Type the IP addresses of computers to which the Edge can connect. The WAN Failover Setup Wizard is complete You must restart your Edge to activate the WAN Failover feature...
  • Page 99: Using The Network Page

    Using the Network page From the navigation bar, select Network > WAN Failover. The WAN Failover page appears. Select the Enable failover using the Ethernet (WAN2)/Modem (serial port) interface check box. From the drop-down list, select the interface for the feature: Ethernet (WAN2) or Modem (serial port).
  • Page 100 If you do not have this information, speak with your ISP or corporate network administrator. Click Submit. If you selected PPPoE See “If your ISP uses PPPoE” on page 63 for information on PPPoE settings. Configure the WAN2 interface using that information...
  • Page 101: If You Are Using An External Modem For Failover

    If you are using an external modem for failover If failover occurs, the Edge can find a remote secondary host for sending traffic with a modem. We support these modems: • Hayes 56K V.90 serial fax modem • Zoom FaxModem 56K model 2949 •...
  • Page 102: Dial-Up Dns Settings

    In the Inactivity time-out field, enter the number of seconds before time-out if no traffic goes through the modem. In the Speaker volume field, set your modem speaker volume. Click Submit, or select a different tab to change more settings.
  • Page 103: Firebox X Edge Wireless Setup

    CHAPTER 6 Firebox X Edge Wireless Setup Wireless networks use RF (radio frequency) signals to send and receive traffic from computers. The Firebox® X Edge Wireless protects the computers that are connected to your network and it protects your network wireless connections. The Firebox® X Edge Wireless obeys the 802.11b and 802.11g guidelines set by the Institute of Electrical and Electronics Engineers (IEEE).
  • Page 104: Chapter 6 Firebox X Edge Wireless Setup

    The Wireless Network Wizard is a tool that you use to automatically configure your Firebox® X Edge wireless network. To start the wizard, select Wizards from the navigation bar and click Go adjacent to the task: Configure the wireless network interface of the Firebox X Edge.
  • Page 105: Configuring Basic Wireless Settings

    Configuring Basic Wireless Settings If you do not use the Wireless Network Wizard, or if you want to change wireless settings manually, you can use the Firebox X Edge Wireless configuration page. To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Edge trusted interface.
  • Page 106: Setting The Ssid

    IP addresses. To control access to the VPN, you can force Firebox users to authenticate. Setting the SSID The SSID (Service Set Identifier) is the unique name of your wireless network. To use the wireless network from a client computer, the ...
  • Page 107: Setting The Operating Region And Channel

    wireless network card in your computer must have the same SSID as the Firebox X Edge Wireless. To change the SSID of the Firebox X Edge Wireless, type a new name in the SSID field to uniquely identify your wireless network. Setting the operating region and channel There are eight options for operating region: Americas, Asia, Australia, EMEA, France, Israel, Japan and the People’s Republic of China.
  • Page 108: Setting The Fragmentation Threshold

    Configuring Wireless Security Settings The Firebox® X Edge uses two security protocol standards to protect your wireless network. They are WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access). WEP and WPA encrypt the transmis...
  • Page 109 If you use an earlier version of Windows or a different operating system, it can be necessary to install other drivers to use WPA-PSK. If you cannot use WPA-PSK, WatchGuard recommends that you use Shared Key authentication with WEP encryption or MUVPN without WPA or WEP.
  • Page 110: Setting The Wireless Authentication Method

    - A WEP 64-bit hexadecimal key must have 10 hexadecimal (0-f) characters. - A WEP 40-bit ASCII key must have 5 characters. - A WEP 128-bit hexadecimal key must have 26 hexadecimal (0-f) characters. - A WEP 128-bit ASCII key must have 13 characters.
  • Page 111: Configuring Wireless Clients To Use Muvpn

    If you typed more than one key, click the key to use as the default key from the Key Index drop-down list. The Firebox X Edge can use only one key at a time. If you select a key other than the first key in the list, you must also set your wireless client to use the same key.
  • Page 112 See “Finding your TCP/IP properties” on page 14 for more information. Look for the physical address of the wireless adapter. Click Add. Repeat steps 3–4 for each computer that can connect to the Edge. Click Submit.
  • Page 113: Configuring Wireless Guest Services

    Configuring Wireless Guest Services The Firebox® X Edge Wireless includes a default local user account called “guest”. A guest is a wireless user that is not usually connected to the wireless network. A guest could be a business associate visiting your organization and given temporary access to the Internet, or possibly to your trusted network.
  • Page 114: Setting Password Protection

    You can set the level of network access a guest user has on the Wireless Guest Services configuration page. Guests can access the External Network When this check box is selected, all wireless guests can use the Firebox X Edge as their access point to use resources on the ...
  • Page 115: Connecting To The Firebox As A Wireless Guest

    Configuring the Wireless Card on Your Computer These instructions are for the Windows XP with Service Pack 2 operating system. To see the installation instructions for other operating systems, go to: http://www.watchguard.com/support/sohoresources/
  • Page 116 Computer to Connect to the Edge” on page 22. The Firebox X Edge Wireless is configured to protect the wired and wireless computers that are attached to it from security risks. The key is provided for me Connect again.
  • Page 117: Configuring Firewall Settings

    CHAPTER 7 Configuring Firewall Settings The Firebox® X Edge uses services and other firewall options to control the traffic between the trusted, optional, and external networks. The configuration of allowed services and firewall options set the level of security the Firebox applies to your network. About Services A Firebox®...
  • Page 118: Chapter 7 Configuring Firewall Settings

    This section also has examples of how to use the optional network. Other sections show how to use the Blocked Sites feature and other firewall options: • Responding to pings • Creating log messages for all outgoing traffic
  • Page 119: Configuring Incoming Services

    • FTP access to the Firebox® • SOCKS • Changing the MAC address of the Firebox hardware Configuring Incoming Services You can control the traffic that goes to the trusted or optional networks from the external network using incoming services. Usually, the Internet is the external network.
  • Page 120: Configuring Common Services For Incoming Traffic

    Find the common service to allow into your trusted or optional network from the external network. From the Filter drop-down list adjacent to the service name, select Allow or Deny. By default, the Firebox does not allow incoming traffic to your network.
  • Page 121: About Custom Services For Incoming Traffic

    If you allow a service, enter the IP address of the service host. The service host is the computer on the trusted or optional network that receives the traffic. Click Submit. Repeat steps 1–5 to allow or deny more common services. If you set a common service to Allow, the Edge allows traffic that uses that service from any source on the external network.
  • Page 122: Adding A Custom Incoming Service Manually

    The default URL is: https://192.168.111.1 From the navigation bar, select Firewall > Incoming. The Filter Incoming Traffic page appears. Scroll to the bottom of the page. Below Custom Services, click Add Service. The Custom Service page appears.
  • Page 123 In the Service Name text box, type the name for your service. From the Protocol Settings drop-down list, select TCP Port, UDP Port, or Protocol. In the text box adjacent to the Port/Protocol drop-down list, type a port number or protocol number. To use a range of ports, type a port number in the second text box.
  • Page 124: Filtering Incoming Traffic For Services

    From box to select Host IP Address, Network IP Address, or Host Range. To only limit which computers receive information, skip to step 5.
  • Page 125: Configuring Outgoing Services

    Classless Inter Domain Routing or CIDR notation). For more information on entering IP addresses in slash notation, see this FAQ: http://www.watchguard.com/support/advancedfaqs/general_slash.asp. Click Add. The From box shows the IP addresses you added. Repeat steps 2–4 until all of the address information for this custom service is set.
  • Page 126: Configuring Common Services For Outgoing Traffic

    This is because the common service called Outgoing is set to Allow. When the Outgoing common service is set to Deny, all outgoing traffic is blocked. When the Outgoing common service is set to No Rule, traffic that is not specially permitted is blocked.
  • Page 127: About Custom Services For Outgoing Traffic

    The Outgoing common service and other common services are found on the Firewall > Outgoing page. • To allow all traffic from the trusted and optional networks to get to the external network, you must set the Outgoing common service to Allow. •...
  • Page 128: Adding A Custom Outgoing Service Manually

    IP address of the Edge trusted interface. The default URL is: https://192.168.111.1 From the navigation bar, select Firewall > Outgoing. Scroll to the bottom of the page. Below Custom Services, click Add Service. The Custom Service page appears.
  • Page 129 In the Service Name text box, type the name for your service. From the Protocol drop-down list, select TCP Port, UDP Port, or Protocol. In the text box adjacent to the Protocol drop-down list, type a port number or protocol number. To use a range of ports, type a port number in the second text box.
  • Page 130: Filtering Incoming Traffic For Services

    Wireless Access Point on the optional network. • You can use the optional network to have a different network IP address range that is allowed to communicate with the trusted network. See the section “Disabling Traffic Filters,” below.
  • Page 131: Controlling Traffic From The Trusted To Optional Network

    Controlling traffic from the trusted to optional network You can restrict the traffic that starts in the trusted network and goes to the optional network: To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Edge trusted interface.
  • Page 132: Disabling Traffic Filters

    When you select the Disable traffic filters check box, the trusted network is not protected from the optional network. All traffic can flow between optional and trusted network.
  • Page 133: Blocking External Sites

    Blocking External Sites A blocked site is an external IP address that is always blocked from connecting to computers behind the Edge. When hackers try to connect to your network, the Firebox® X Edge records data about the hacker. You can examine the data to identify attacks and stop further attacks from that address range.
  • Page 134: Configuring Firewall Options

    Firebox settings. Select the Do not respond to PING requests received on External Network check box or the Do not respond to PING requests received on Trusted Network check box. Click Submit.
  • Page 135: Denying Ftp Access To The Firebox X Edge

    Denying FTP access to the Firebox X Edge You can configure the Firebox X Edge to not allow any FTP connections from the trusted network. This option overrides all other Firebox settings. Select the Do not allow FTP access to the Edge from the Trusted Network check box.
  • Page 136 On the Firewall Options page, select the Disable SOCKS proxy check box. The SOCKS Proxy is disabled. Click Submit. To use the SOCKS-compatible application: Clear the Disable SOCKS proxy check box. The SOCKS proxy is enabled. Click Submit.
  • Page 137: Logging All Allowed Outgoing Traffic

    MAC address of the Firebox X Edge external interface. Use the MAC address of the cable modem, DSL modem, or router that connected directly to the ISP in your original configuration. The MAC address must have these properties: •...
  • Page 138 MAC address you assign to the external interface is unique on your network. If the Edge finds a device using the same MAC address, the Firebox changes back to the standard MAC address for the external interface. Then it restarts.
  • Page 139: Configuring Logging And System Time

    CHAPTER 8 Configuring Logging and System Time A log file is a list of all the events that occur on the Firebox® X Edge. An event is one activity, such as when the Firebox denies a packet. A log file records and saves information about these events. An event log message is an important part of a network security policy.
  • Page 140: Chapter 8 Configuring Logging And System Time

    The Logging page appears with the Event Log at the bottom of the page. Log to a WatchGuard Log Server The WatchGuard® Log Server (previously known as the WatchGuard System Event Processor, or WSEP) is a component of the WatchGuard System Manager.
  • Page 141 WatchGuard System Manager User Guide. Use these instructions to send your event logs to the Log Server. To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Edge trusted interface.
  • Page 142: Logging To A Syslog Host

    Select the Enable Syslog output check box. Adjacent to Address of Syslog host, type the IP address of the syslog host. To include the local time in the syslog messages, select the Include local time in syslog message check box.
  • Page 143: Setting The System Time

    To include the Firebox X Edge serial number in the syslog messages, select the Include serial number in syslog messages check box. This setting is useful if you have more than one Edge sending syslog messages to the same syslog host. Click Submit.
  • Page 144 If you set the system time automatically, the Edge gets the current time from the selected server in the NTP Servers list. If a server is not available, the Edge uses the subsequent server. Adjust for daylight ...
  • Page 145 - To add a time server, type the server name in the Add New Server field and click Add. - To remove a time server, select the server from the NTP Servers list and click Remove. - Click a server to select it as the default time server. To save your changes, skip to step 8.
  • Page 147: Managing Users And Groups

    CHAPTER 9 Managing Users and Groups The Firebox® X Edge includes tools you can use to manage your network and your users. You can create users and manage access to the Internet or to your VPN tunnels with user authentication. Or, you can allow free access to the Internet and VPN tunnels to all users.
  • Page 148: Chapter 9 Managing Users And Groups

    • The time between the last packet and the session expiration is known as the idle time. If the idle time is set to 0 hours and 0 minutes, the Firebox does not disconnect the session.
  • Page 149: Stopping A Session

    To stop the session, the user clicks the Logout button on the Login Status dialog box and closes all open browser windows. You can increase the number of sessions available with a license upgrade. For more information, see the FAQ: https://www.watchguard.com/support/AdvancedFaqs/edge_seatlicense.asp
  • Page 150: Local User Accounts

    If local user accounts are enabled, you also see information about Internet and VPN access rights. Editing a user account To edit a user account, click the Edit icon. For descriptions of the fields you can configure, see “Using Local Firebox Authentication,” on page 142.
  • Page 151: About User Licenses

    Deleting a user account To remove a user account, click the X adjacent to the account name. A dialog box appears. Click Yes to remove the account. About User Licenses The Firebox® X Edge comes with a set number of available user licenses.
  • Page 152: Setting Authentication Options For All Users

    To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Edge trusted interface. The default URL is: https://192.168.111.1 From the navigation bar, select Firebox Users > Settings. The Settings page appears.
  • Page 153 Use the definitions below to help you change your parameters. Click Submit. • Require User Authentication (Enable local user accounts): When you select this check box, all users must authenticate to the Firebox X Edge before they can access the external network. If you do not select this check box, there is no user-based control for access to the Internet or VPN tunnels.
  • Page 154: Configuring Muvpn Client Settings

    The mobile user does not use a virtual adapter to connect with the MUVPN client. This is the default value. Preferred If the virtual adapter is in use or is not available, the mobile user does not use a virtual adapter to connect with the MUVPN client.
  • Page 155: Authenticating To The Edge

    Required The mobile user must use a virtual adapter to connect with the MUVPN client. You can also enter a WINS Server address and DNS Server address. Type the server IP addresses in the related field. For more information on configuring the Mobile User VPN client computer, see Chapter 10, “Configuring the MUVPN Client.”...
  • Page 156: Using Local Firebox Authentication

    To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Edge trusted interface. The default URL is: https://192.168.111.1. From the navigation bar, select Firebox Users. The Firebox Users page appears.
  • Page 157 Below Local User Accounts, click Add. The New User page appears. It shows the Settings tab. In the Account Name field, type a name for the account. The user types this name when authenticating. The account name is case-sensitive. In the Full Name field, type the first and last name of the user. This is for your information only.
  • Page 158: Creating A Read-Only Administrative Account

    Click the Reset Event Log and Sync Time with Browser Now buttons on the Logging page. • Click the Synchronize Now button on the System Time page. • Click the Regenerate IPSec Keys button on the VPN page.
  • Page 159: Setting A Webblocker Profile For A User

    • Change the configuration mode on the Managed VPN page. • Launch configuration wizards from the Wizard page. If you try to do these things, you get a message that tells you that you have read-only access and cannot change the configuration file. To create a read-only user account, edit the user account.
  • Page 160: Changing A User Account Name Or Password

    Type the old password and a new password. Confirm the new password. Click Submit. Using LDAP/Active Directory Authentication If you use LDAP authentication, you do not have to keep a separate user database on the Firebox®. You can configure the Firebox to for...
  • Page 161: Configuring The Ldap/Active Directory Authentication Service

    ward user authentication requests to a generic LDAP or Active Directory server. You can use LDAP authentication and local Firebox authentication at the same time. With LDAP authentication, user privileges are controlled on a group basis. You can add the names of your existing LDAP or Active Directory user groups to the Firebox configuration and assign privileges and a WebBlocker profile.
  • Page 162 .com, .net, .org, .biz, .gov, or .edu. For example, if your company URL is mycompany.com, type mycompany in the Domain Name text box. From the LDAP server type drop-down list, select the type of LDAP implementation you use in your organization: Active Directory or Generic LDAP.
  • Page 163: Using The Ldap Authentication Test Feature

    In the LDAP Server Address text box, type the IP address of the LDAP server the Firebox X Edge will use for authentication requests. The LDAP server can be located on any Firebox interface or available through a VPN tunnel. In the LDAP Server Port text box, type the port number the Firebox X Edge will use for connections to the LDAP server.
  • Page 164: Configuring Groups For Ldap Authentication

    To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Edge trusted interface. The default URL is: https://192.168.111.1. From the navigation bar, select Firebox Users > New Group.
  • Page 165 The Firebox Users New Group page appears. In the Account Name text box, type the name of the new group. This name must match the name of a group in the LDAP directory. This name must contain only letters, numbers, and the underscore (_) or dash (-) characters.
  • Page 166: Setting A Webblocker Profile For A User

    Allowing Internal Hosts to Bypass User Authentication You can make a list of internal hosts that bypass user authentication settings. If a host is on this list, a user at that host does not have to ...
  • Page 167 authenticate to get access to the Internet. No WebBlocker rules apply to Web traffic originating from hosts on this list. From the navigation bar, select Firebox Users > Trusted Hosts. The Firebox Users Trusted Hosts page appears. In the Host IP Address text box, type the IP address of the computer on your trusted or optional network to allow to browse the Internet without authentication restrictions.
  • Page 169: Chapter 10 Configuring Webblocker

    CHAPTER 10 Configuring WebBlocker WebBlocker is an option for the Firebox® X Edge that gives you control of the web sites that are available to your users. Some companies restrict access to some web sites to increase employee productivity. Other companies restrict access to offensive web sites. You must purchase the WebBlocker upgrade to use this feature.
  • Page 170 Set a rule for the Firebox action if the Firebox X Edge cannot connect to the WebBlocker server • Set a rule for the Firebox action if the WebBlocker license expires • Add a custom message for users to see when WebBlocker denies access to a web site
  • Page 171 To configure WebBlocker: To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Edge trusted interface. The default URL is: https://192.168.111.1 From the navigation bar, select WebBlocker > Settings. The WebBlocker Settings page appears. Select the Enable WebBlocker check box to turn on the WebBlocker feature.
  • Page 172 Internal Use Policy.” If a user tries to access a web site that is blocked by WebBlocker, the user’s browser will show: Request for URL http://www.some-denied-site.com/ denied by WebBlocker: blocked for Adult/Sexually Explicit. This web site does not comply with our Internal Use Policy. Click Submit.
  • Page 173: Creating Webblocker Profiles

    Creating WebBlocker Profiles A WebBlocker profile is a set of restrictions you apply to users or groups of users on your network. You can create different profiles, with different groups of restrictions. For example, you can create a profile for new employees, with more restrictions than for other employees.
  • Page 174 Profile drop-down list. Click Delete. If you do not use user authentication, the default WebBlocker profile is applied to all users. For more information about user authentication, see Chapter 9 “Managing Users and Groups”.
  • Page 175: Webblocker Categories

    WebBlocker Categories The WebBlocker database contains nine groups of categories with 40 individual categories. A web site is added to a category when the contents of the web site meet the correct criteria. Web sites that give opinion or educational material about the subject matter of the category are not included.
  • Page 176 • Online museums, galleries, artist sites (including sculpture, photography, etc.) • Celebrity fan sites • Horoscopes • Online greeting cards • Amusement/theme parks Chat • Web-based chat • Instant Message servers
  • Page 177 Category Description of Content Computing • Reviews, information, computer buyer’s guides, computer parts and accessories, and software Internet • Computer/software/Internet companies, industry news, and magazines • Pay-to-surf sites • Downloadable (non-streaming) movie, video, or sound clips • Downloadable mobile phone/PDA software, including themes, graphics, and ringtones •...
  • Page 178 • Journals and magazines dedicated to online game playing Glamour & Intimate Apparel • Lingerie, negligee or swimwear modeling • Model fan pages; fitness models/sports celebrities • Fashion or glamour magazines online • Beauty and cosmetics • Modeling information and agencies
  • Page 179 Category Description of Content Government & Politics • Government services such as taxation, armed forces, customs bureaus, and emergency services • Local government sites • Political debate, canvassing, election information, and results • Local, national, and international political sites •...
  • Page 180 • Hospital, medical insurance • Dentistry, optometry, and other medical-related sites • General psychiatry and mental well-being sites • Promoting self-healing of physical and mental abuses, ailments, and addictions • Psychology, self-help books, and organizations
  • Page 181 Category Description of Content Hobbies & Recreation • Recreational pastimes such as collecting, gardening, or kit airplanes • Outdoor recreational activities such as hiking, camping, rock climbing • Tips or trends focused on a specific art, craft, or technique • Online publications on a specific pastime or recreational activity •...
  • Page 182 • Discussion sites on how to talk to your partner about diseases, pregnancy, and respecting boundaries Note: Not included in this category are commercial sites that sell sexual paraphernalia. These sites are filtered through the Adult category.
  • Page 183 Category Description of Content Shopping • Department stores, retail stores, company catalogs, and other sites that allow online consumer shopping • Online auctions • Online downloadable product warehouses; specialty items for sale • Freebies or merchandise giveaways Sports • Team or conference web sites •...
  • Page 184 • Weblogs (blog) sites For information on how to see if a web site is included in the SurfControl database, read the “How can I see a list of blocked sites?” topic in this FAQ: https://www.watchguard.com/support/AdvancedFaqs/web_main.asp
  • Page 185: Allowing Certain Sites To Bypass Webblocker

    Allowing Certain Sites to Bypass WebBlocker WebBlocker can deny a web site that is necessary for your work. You can override WebBlocker using the Allowed Sites feature. For example, employees in your company frequently use web sites that contain medical information. Some of these web sites are forbidden by WebBlocker because they fall into the sex education category.
  • Page 186: Blocking Additional Web Sites

    From the navigation bar, select WebBlocker > Denied Sites. The WebBlocker Denied Sites page appears. From the drop-down list, select a host IP address, network IP address, host range, or domain name.
  • Page 187: Bypassing Webblocker

    Type the host, network IP address, or domain name of the denied web site. If it is a range of IP addresses, type the start and end point of the range. Repeat step 3 for each additional host, IP address, or domain name you wish to add to the Denied Sites list.
  • Page 188 Internet without authentication restrictions. Click Add. Repeat step 2 for other trusted computers. Click Submit. To remove a computer from the list, select the address and click Remove.
  • Page 189: Chapter 11 Configuring Virtual Private Networks

    Create a VPN” on page 176. The subsequent section tells you how to configure the Edge to be the endpoint of a VPN tunnel created and managed by a WatchGuard® Firebox X Core or Firebox X Peak Management Server. This procedure is different for different versions of WatchGuard System Manager appliance software installed on the Firebox X.
  • Page 190: What You Need To Create A Vpn

    - IP Protocol 50 (Encapsulating Security Payload or ESP) • If the other side of the VPN tunnel is a WatchGuard Firebox X and each Firebox is under WatchGuard System Manager management, you can use the Managed VPN option. Managed VPN is easier to configure than Manual VPN.
  • Page 191: Managed Vpn

    • You must know if the IP address assigned to your Edge’s external interface is static or dynamic. To learn about IP addresses, see Chapter 2, “Installing the Firebox X Edge.” • Your Edge model tells you the number of VPN tunnels that you can create on your Edge.
  • Page 192: Manual Vpn: Setting Up Manual Vpn Tunnels

    To create a VPN tunnel manually to another Firebox® X Edge or to a Firebox III or Firebox X, or to configure a VPN tunnel to a device that is not a WatchGuard® device, you must use Manual VPN. Use this section to configure Manual VPN on the Firebox X Edge.
  • Page 193 • You must know the authentication method for each end of the tunnel (MD5 or SHA1). Each VPN device must use the same authentication method. We recommend that you write down your Firebox X Edge configuration, and the related information for the other device. Use the Sample VPN Address Information table on the subsequent page to record this information.
  • Page 194 The two devices must use the same encryption method. Site A: 3DES Site B: 3DES Authentication The two devices must use the same authentication method. Site A: MD5 (or SHA1) Site B: MD5 (or SHA1) Assign ...
  • Page 195: Phase 1 Settings

    To create Manual VPN tunnels on your Firebox X Edge To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Edge trusted interface. The default URL is: https://192.168.111.1. From the navigation bar, select VPN > Manual VPN. The Manual VPN page appears.
  • Page 196 If your Edge’s external interface has a private IP address instead of a public IP address, then your ISP or the Internet access device connected to the Edge’s external interface (modem or router) does Network Address Translation (NAT). See the instructions at the end of this section if your Edge’s external interface has a private IP...
  • Page 197 24 hours no matter how much data Select the group number from the Diffie-Hellman Group drop- down list. WatchGuard supports group 1 and group 2. Diffie-Hellman groups securely negotiate secret keys through a public network. Group 2 is more secure than group 1, but uses more processing power and more time.
  • Page 198: Phase 2 Settings

    The tunnel uses this phase to create IPSec tunnels and put data packets together. You can use the default Phase 2 settings to make configuration easier. Make sure that the Phase 2 configuration is the same on the two devices.
  • Page 199 You must enter network addresses in “slash” notation (also known as CIDR or Classless Inter Domain Routing notation). For more information on how to enter IP addresses in slash notation, see this FAQ: http://www.watchguard.com/support/advancedfaqs/general_slash.asp. Click Add. Repeat step 5 if you must add additional networks.
  • Page 200: Vpn Keep Alive

    Firebox X Edge can send a ping to more than one host through different tunnels. To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Edge trusted interface. The default URL is: https://192.168.111.1.
  • Page 201: Viewing Vpn Statistics

    From the navigation bar, select VPN > Keep Alive. The VPN Keep Alive page appears. Type the IP address of an echo host. Click Add. Repeat step 3 to add additional echo hosts. Click Submit. Viewing VPN Statistics You can monitor Firebox® X Edge VPN traffic and troubleshoot the VPN configuration with the VPN Statistics page.
  • Page 202 The number of VPN tunnels that you can create on your Firebox X Edge is set by the Edge model you have. You can purchase a model upgrade for your Edge to make more VPN tunnels.
  • Page 203 Frequently Asked Questions: You can purchase a Firebox X Edge Model Upgrade from a reseller or from the WatchGuard® Web site: http://www.watchguard.com/products/purchaseoptions.asp User Guide...
  • Page 205: Chapter 12 Configuring The Muvpn Client

    CHAPTER 12 Configuring the MUVPN Client. Mobile User VPN lets remote users connect to your internal network through a secure, encrypted channel. The MUVPN client is a software application that is installed on a remote computer. The client makes a secure connection from the remote computer to your protected network through an unsecured network.
  • Page 206: About This Chapter

    Edge creates a configuration file (.wgx file). You must get this .wgx configuration file from the Edge. You must also download the MUVPN installation program from the WatchGuard support site. Read the section “Distributing the Software and the .wgx File” on page 196 for information about how to get these items and how to give them securely to the remote user.
  • Page 207: Enabling Muvpn For Edge Users

    Wireless Network” on page 213 for information about how to make the wireless computers use MUVPN on the Edge’s wireless network. • If you want to use a Pocket PC device to make a VPN connection to the Edge, see “Tips for Configuring the Pocket PC”...
  • Page 208: Enabling Muvpn Access For A Firebox User Account

    Firebox X Edge. From the Authentication Algorithm drop-down list, select the type of authentication. The options are MD5-HMAC and SHA1-HMAC. From the Encryption Algorithm drop-down list, select the type of encryption. The options are DES-CBC and 3DES-CBC.
  • Page 209 Set MUVPN key expiration in kilobytes and/or hours. The default values are 8192 KB and 24 hours. To remove a size and/or time expiration, set the value to zero (0). Select Mobile User from the VPN Client Type drop-down list if the remote user is connecting from a desktop or laptop computer instead of a handheld device such as a Pocket PC.
  • Page 210: Configuring The Firebox For Muvpn Clients Using A Pocket Pc

    Follow the previous procedure, but select Pocket PC from the VPN Client Type drop-down list. WatchGuard does not distribute a MUVPN software package for Pocket PCs. You must examine the software manufacturer’s instructions to configure their software and the Pocket PC. For more information about configuring your Pocket PC as an MUVPN client, see “Tips for Configuring the Pocket PC”...
  • Page 211: Preparing Remote Computers For Muvpn

    - Microsoft Windows XP: 64 MB • No other IPSec VPN client software can be on the computer. Remove any other software from the user’s computer before you try to install the WatchGuard MUVPN software.
  • Page 212: Wins And Dns Servers

    From the Windows desktop, select Start > Settings > Control Panel. Double-click the Network icon. The Network window appears. Click the Services tab and click the Add button. Select Remote Access Services and click OK. The Windows NT Setup dialog appears.
  • Page 213 Type the path to the Windows NT installation files, or put your system installation CD in the computer and click OK. The Remote Access Setup window appears. Click Yes to add a RAS device, and then click Add. Complete the Install New Modem wizard. If there is no modem installed, select the check box marked Don't detect my modem;...
  • Page 214: Windows 2000 Setup

    (TCP/IP) network protocol and click OK. Installing the File and Printer Sharing for Microsoft Networks From the connection window Networking tab: Click Install. The Select Network Component Type window appears. Double-click the Services network component. The Select Network Service window appears.
  • Page 215 Below the Microsoft manufacturer, select the File and Printer Sharing for Microsoft Networks network service and click OK. Installing the Client for Microsoft Networks From the connection window Networking tab: Click Install. The Select Network Component Type window appears. Double-click the Client network component. The Select Network Protocol window appears.
  • Page 216: Windows Xp Setup

    From the connection window Networking tab: Click Install. The Select Network Component Type window appears. Double-click the Protocol network component. The Select Network Protocol window appears. Below the Microsoft manufacturer, select the Internet Protocol (TCP/IP) network protocol and click OK.
  • Page 217 Installing the File and Printer Sharing for Microsoft Networks From the connection window Networking tab: Click Install. The Select Network Component Type window appears. Double-click the Services network component. The Select Network Service window appears. Below the Microsoft manufacturer, select the File and Printer Sharing for Microsoft Networks network service and click OK.
  • Page 218: Installing And Configuring The Muvpn Client

    No other IPSec VPN client software can be active on the remote computer. Remove any other IPSec VPN software from the user’s computer before installing the WatchGuard® MUVPN software. Copy the MUVPN installation program and the .wgx file to the remote computer.
  • Page 219 The Software License Agreement appears. Click Yes to accept the license agreement. The Setup Type window appears. Select the type of installation. WatchGuard recommends that you use the Typical installation. Click Next. On a Windows 2000 computer, the InstallShield looks for the Windows 2000 L2TP (Layer 2 Tunneling Protocol) component.
  • Page 220: Uninstalling The Muvpn Client

    To remove these settings, delete the contents of the appropriate directory. 11 When the computer restarts, select Start > Programs. 12 Right-click Mobile User VPN and select Delete to remove this selection from your Start menu.
  • Page 221: Connecting And Disconnecting The Muvpn Client

    207. From the Windows desktop, select Start > Programs > Mobile User VPN > Connect. The WatchGuard Mobile User Connect window appears. Click Yes. The MUVPN client icon The MUVPN icon appears in the Windows desktop system tray. The icon image gives information about the status of the connection.
  • Page 222: Allowing The Muvpn Client Through A Personal Firewall

    Allowing the MUVPN client through a personal firewall To create the MUVPN tunnel, you must allow these programs through the personal firewall: • MuvpnConnect.exe
  • Page 223: Disconnecting The Muvpn Client

    • IreIKE.exe The ZoneAlarm personal firewall detects when these programs try to get access to the Internet. A New Program alert window appears to request access for the MuvpnConnect.exe program. From the New Program alert window: Select the Remember this answer the next time I use this program check box, then click Yes.
  • Page 224: Using Log Viewer

    The Connection Monitor window appears. An icon appears to the left of the connection name: • SA tells you that the connection only has a phase 1 SA. A phase 1 SA is assigned in these situations:
  • Page 225: The Zonealarm Personal Firewall

    - for a connection to a secure gateway tunnel - when a phase 2 SA connection has not been made at this time - when a phase 2 SA connection cannot be made • A key tells you that the connection has a phase 2 SA. This connection can also have a phase 1 SA.
  • Page 226: Shutting Down Zonealarm

    The ZoneLabs TrueVector service dialog box appears. Click Yes. The Select Uninstall Method window appears. Make sure Automatic is selected and then click Next. Click Finish. Programs: IreIKE.exe, MuvpnConnect.exe, CmonApp.exe, ViewLog.exe, OUTLOOK.exe, IEXPLORE.exe, netscp6.exe, Opera.exe, lsass.exe, services.exe, svchost.exe, winlogon.exe
  • Page 227: Using Muvpn On The Edge Wireless Network

    The Remove Shared Component window can appear. During the initial installation of ZoneAlarm, some files were installed that can be shared by other programs on the system. Click Yes to All to completely remove all of these files. The Install window appears and tells you to restart the computer.
  • Page 228: Tips For Configuring The Pocket Pc

    Click Submit. Tips for Configuring the Pocket PC WatchGuard does not supply a Mobile User VPN software package for the Pocket PC platform. You must use the software manufacturer’s instructions to configure their software and the Pocket PC.
  • Page 229 Here are some configuration tips for the Pocket PC. Phase 1 configuration of the Pocket PC’s VPN software • The Pocket PC’s “IPSec Peer Gateway Address” must be the Edge’s external IP address if the Pocket PC is connecting from the Internet.
  • Page 230: Troubleshooting Tips

    Restart your computer. Right-click the MUVPN client icon and select Deactivate Security Policy. The MUVPN client icon with a red bar appears to show that the security policy is not active. Right-click the ZoneAlarm icon shown at right.
  • Page 231 Select Shutdown ZoneAlarm. The ZoneAlarm dialog box appears. Click Yes. I must enter my network login information even when I am not connected to the network. When you start your computer, you must type your Windows net- work user name, password, and domain. It is very important that you type this information correctly.
  • Page 232 I lost the connection to my ISP, and now I cannot use the company network. If your Internet connection is interrupted, the connection to the MUVPN tunnel could stop. Follow the procedure to close the tunnel. Reconnect to the Internet, then restart the MUVPN client.
  • Page 233: Appendix A Firebox X Edge Hardware

    APPENDIX A Firebox X Edge Hardware. The WatchGuard® Firebox® X Edge is a firewall for small organizations and branch offices. The WatchGuard Firebox X Edge Wireless can connect to computers with a wireless network interface card. Package Contents and Specifications The Firebox®...
  • Page 234 Wall mount plate (wireless models only) • Two antennae (wireless models only). Processor: 64 bit MIPS 266 MHz; Memory - Flash: 16 MB; Memory - RAM: 64 MB; Ethernet interfaces: 10 each 10/100; Serial ports: 1 DB9; Power supply: 12V DC
  • Page 235: Hardware Description

    Operating Temperature Environment Dimensions Weight Hardware Description The Firebox® X Edge has a simple hardware architecture. All indicator lights appear on the front panel while all ports and connectors are on the rear panel of the device. Front panel The front panel of the Firebox X Edge has 24 indicator lights to show the link status.
  • Page 236 Attn Reserved for future use. Power Shows that the Firebox X Edge is on. RESET button Use the procedure to reset the Firebox X Edge to “Factory Default Settings” on page 41.
  • Page 237: Rear View

    Rear view Serial port (DB9) Use the serial port to connect an external modem to the Edge. Ethernet interfaces 0 through 6 The seven Ethernet interfaces with the marks 0 through 6 are for the trusted network. OPT interface This Ethernet interface is for the optional network. WAN interfaces 1 and 2 The WAN1 and WAN2 interfaces are for external networks.
  • Page 238: About Ieee 802.11G/B Wireless

    Blue-Tooth transmitter must be very near to an 802.11b receiver.) • Industrial, scientific, and medical equipment that can also operate in this frequency range. ChannelBandwidth × ( SignalStrength / NoiseLevel ) ...
  • Page 239: Signal Strength (Watts)

    Signal strength (Watts) The signal strength is set by these factors: • Power of the RF signal that is sent and received • Amount of directional antenna gain at the transmitter and the receiver • Signal attenuation (path-loss) between the transmitter and receiver Antenna directional gain Antenna directional gain is calculated from the degree to which the...
  • Page 240: Channel Bandwidth

    5.5 Mbps), DQPSK (2 Mbps), and DBPSK (1 Mbps) modulation schemes. 802.11g devices use OFDM. The Firebox X Edge automatically selects the modulation procedure that gives the lowest Packet Error Rate (PER). The PER is not allowed to be more than eight percent.
  • Page 241 About IEEE 802.11g/b Wireless: When a different modulation scheme is selected, the data rate changes.
  • Page 243: Appendix B Legal Notifications

    WatchGuard, the WatchGuard logo, Firebox, LiveSecurity, and any other mark listed as a trademark in the “Terms of Use” portion of the WatchGuard Web site that is used herein are either registered trademarks or trademarks of WatchGuard Technologies, Inc. and/or its subsidiaries in the United States and/or other countries.
  • Page 244 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)" The word 'cryptographic' can be left out if the routines from the library being used are not cryptographic related.
  • Page 245 Copyright, Trademark, and Patent Information 4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  • Page 246 Title to copyright in this Software shall at all times remain with copyright holders. OpenLDAP is a registered trademark of the OpenLDAP Foundation. Copyright 1999-2001 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and distribute verbatim copies of this document is granted.
  • Page 247: Certifications And Notices

    CE Notice The CE symbol on your WatchGuard Technologies equipment indicates that it is in compliance with the Electromagnetic Compatibility (EMC) directive and the Low Voltage Directive (LVD) of the European Union (EU).
  • Page 248 10, 11, 12, 13 as defined by IEEE 802.11g/b. Use of the product outdoors, or on any other channel, is illegal in France. Class A Korean Notice VCCI Notice Class A ITE
  • Page 249 Certifications and Notices Taiwanese Notices
  • Page 250: Declaration Of Conformity

    Declaration of Conformity
  • Page 251: Limited Hardware Warranty

    WatchGuard; or (ii) damaged or destroyed by accidents, power spikes or similar events or by any intentional, reckless or negligent acts or omissions of any party. You may have additional warranties with respect to the Product from the manufacturers of Product components.
  • Page 252 THE USE OF OR INABILITY TO USE THE PRODUCT, EVEN IF WATCHGUARD HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS SHALL BE TRUE EVEN IN THE EVENT OF THE FAILURE OF ANY AGREED REMEDY. 5. MISCELLANEOUS PROVISIONS. This Warranty will be governed by the laws of the state of Washington, U.S.A., without reference to its choice of law rules.
