Watchguard Firebox X20E User Manual

Firmware Version 8.6, All Firebox X Edge e-Series Standard and Wireless Models

WatchGuard® Firebox® X Edge e-Series User Guide

Firebox X Edge e-Series - Firmware Version 8.6
All Firebox X Edge e-Series Standard and Wireless Models

Summary of Contents for Watchguard Firebox X20E

  • Page 1: User Guide

    WatchGuard® Firebox® X Edge e-Series User Guide. Firebox X Edge e-Series - Firmware Version 8.6. All Firebox X Edge e-Series Standard and Wireless Models...
  • Page 2 Agreement carefully. By installing or using the SOFTWARE PRODUCT you agree to be bound by the terms of this Agreement. If you do not agree to the terms of this AGREEMENT, WATCHGUARD will not license the SOFTWARE PRODUCT to you, and you will not have any rights in the SOFTWARE PRODUCT.
  • Page 3 (iii) you do not retain any copies of the SOFTWARE (E) Reverse engineer, disassemble or decompile the SOFTWARE PRODUCT. 4. Limited Warranty. WATCHGUARD makes the following limited warranties for a period of ninety (90) days from the date you obtained the SOFTWARE PRODUCT from WATCHGUARD or an authorized dealer: (A) Media.
  • Page 4 (C) THIS AGREEMENT AND THE PERFORMANCE OF THE ENTITY’S OBLIGATIONS UNDER THIS AGREEMENT DO NOT VIOLATE ANY THIRD-PARTY AGREEMENT TO WHICH THE ENTITY IS A PARTY. No change or modification of this AGREEMENT will be valid unless it is in writing and is signed by WATCHGUARD. Firmware Version: 8.6 Guide Version: 8.6...
  • Page 5: Table Of Contents

    Contents Introduction to Network Security Network Security ...1 About Networks ...1 Clients and servers ...2 Connecting to the Internet Protocols ...2 How Information Travels on the Internet IP Addresses ...3 Network addressing ...4 About DHCP ...4 About PPPoE ...4 Default gateway ...4 Domain Name Service (DNS) Services and Policies ...4...
  • Page 6 Using MIBs ...42 Selecting HTTP or HTTPS for Management Changing the HTTP server port ...43 Setting up WatchGuard System Manager Access Renaming the Firebox X Edge e-Series ...44 Enabling centralized management with WSM v9.1 ...44 Enable remote management with WFS v7.3 or earlier ...45...
  • Page 7 Method 2: Installing software manually ...47 Activating Upgrade Options Upgrade options ...48 Adding a feature to your Firebox X Edge ...49 Enabling the Model Upgrade Option Viewing the Configuration File Network Settings Using the Network Setup Wizard Configuring the External Network If your ISP uses DHCP ...54 If your ISP uses static IP addresses ...55 If your ISP uses PPPoE ...56...
  • Page 8 Setting the fragmentation threshold ...83 Setting the RTS threshold ...83 Configuring Wireless Security Settings Setting the wireless authentication method ...84 Configuring encryption ...84 Allowing Wireless Connections to the Trusted Interface Allowing Wireless Connections to the Optional Interface Enabling a Wireless Guest Network Configuring Wireless Radio Settings Setting the operating region and channel ...88 Setting the wireless mode of operation ...89...
  • Page 9 Configuring the POP3 Proxy Setting access control options ...117 Setting proxy limits ...117 Filtering email content ...119 Using the SMTP Proxy Configuring the SMTP Proxy Setting access control options ...121 Setting proxy limits ...121 Deny Message ...122 Filtering email by address pattern ...123 Filtering email content ...123 Adding a Custom Proxy Policy Adding a custom SMTP proxy policy ...126...
  • Page 10 11 Logging and Certificates Viewing Log Messages Logging to a WatchGuard Log Server Logging to a Syslog Host About Certificates ...150 Creating a certificate or signing request ...150 Using OpenSSL to Generate a CSR Using Microsoft CA to Create a Certificate Sending the certificate request ...151...
  • Page 11 Blocking Additional Web Sites Bypassing WebBlocker 14 spamBlocker Understanding How spamBlocker Works spamBlocker categories ...186 spamBlocker actions ...186 spamBlocker exceptions ...186 Configuring spamBlocker Enabling spamBlocker ...187 Configuring spamBlocker Settings Creating exceptions ...188 Adding Trusted Email Forwarders ...189 Configuring Rules For Your Email Reader Sending spam or bulk email to special folders in Outlook ...189 15 Gateway AntiVirus and Intrusion Prevention Service Understanding Gateway AntiVirus Settings...
  • Page 12 Installing and configuring the IPSec MUVPN client ...218 Connecting and disconnecting the IPSec MUVPN client ...220 Monitoring the IPSec MUVPN Client Connection ...221 The ZoneAlarm Personal Firewall ...222 Using IPSec MUVPN on a Firebox X Edge e-Series Wireless network ...224 Troubleshooting Tips ...224 Configuring PPTP Mobile User VPN Enabling PPTP ...226...
  • Page 13: Introduction To Network Security

    Introduction to Network Security Thank you for your purchase of the WatchGuard® Firebox® X Edge e-Series. This security device helps protect your computer network from threat and attack. This chapter gives you basic information about networks and network security. This information can help you when you configure the Firebox X Edge.
  • Page 14: Clients And Servers

    Connecting to the Internet Clients and servers Clients and servers are components of a network. A server makes its resources available to the network. Some of these resources are documents, printers, and programs. A client uses the resources made available by the server. A computer can be a server or a client, or it can be a server for some functions and a client for other functions.
  • Page 15: IP Addresses

    order. To make sure that the packets get to the destination, address information is added to the packets. The TCP and IP protocols are used to send and receive these packets. TCP disassembles the data and assembles it again. IP adds information to the packets, such as the sender, the recipient, and any special instructions.
  • Page 16: Network Addressing

    A default gateway is a node on a computer network that serves as an access point to another network. Usually, the default gateway address is the IP address of the router that is between your network and the Internet. After you install the Firebox X Edge on your network, the Edge acts as the default gateway for all computers connected to its trusted or optional interfaces.
  • Page 17: Ports

    • Email uses Simple Mail Transfer Protocol (SMTP) or Post Office Protocol version 3 (POP3)
    • File transfer uses File Transfer Protocol (FTP)
    • Resolving a domain name to an Internet address uses Domain Name Service (DNS)
    • Remote terminal access uses Telnet or SSH (Secure Shell)
    • ...
  • Page 18: Firewalls

    Firewalls Firewalls A firewall separates your trusted computers on the internal network from the external network, or the Internet, to decrease risk of an external attack. The figure below shows how a firewall divides the trusted computers from the Internet. Firewalls use access policies to identify and filter different types of information.
  • Page 19: The Firebox X Edge And Your Network

    Advanced customers can use integration features to connect an Edge to a larger wide area network. The Edge connects to a cable modem, DSL modem, or ISDN router. The web-based user interface of the Firebox X Edge lets you manage your network safely. You can manage your Edge from different locations and at different times.
  • Page 20 The Firebox X Edge and Your Network Firebox X Edge e-Series...
  • Page 21: Installation

    Installation To install the WatchGuard® Firebox® X Edge e-Series in your network, you must complete these steps:
    • Register your Firebox and activate the LiveSecurity® Service.
    • Identify and record the TCP/IP properties for your Internet connection.
    • Disable the HTTP proxy properties of your web browser.
  • Page 22: Registering Your Firebox & Activating LiveSecurity Service

    Registering Your Firebox & Activating LiveSecurity Service To enable all of the features on your Firebox® X Edge, you must first register on the WatchGuard LiveSecurity web site and retrieve your feature key. You have only one user license (seat license) until you apply your feature key.
  • Page 23: Identifying Your Network Settings

    We recommend that you also download the latest software at this time. If a model upgrade key is included with your model, activate it at: http://www.watchguard.com/upgrade Identifying Your Network Settings To configure your Firebox® X Edge, you must know some information about your network. (For an overview of network basics, see “About Networks”...
  • Page 24: TCP/IP Properties

    Identifying Your Network Settings
    • PPPoE: An ISP also can use PPPoE (Point-to-Point Protocol over Ethernet) to assign you an IP address. Usually, a PPPoE address is dynamic. You must have a user name and a password to use PPPoE. The ISP assigns a subnet mask (also known as the netmask) to a computer.
  • Page 25: PPPoE Settings

    At the command prompt, type ipconfig /all and press Enter. Record the values that you see for the primary network adaptor. Finding your TCP/IP properties on Macintosh OS 9 Select the Apple menu > Control Panels > TCP/IP. The TCP/IP window appears. Record the values that you see for the primary network adaptor.
  • Page 26: Web Browser Pop-Up Blocking Settings

    Web Browser Pop-up Blocking Settings Click the LAN Settings button. The Local Area Network (LAN) Settings window appears. Clear the check box labeled Use a proxy server for your LAN. Click OK two times. Disabling the HTTP proxy in Firefox 2.x Open the browser software.
  • Page 27: Connecting The Firebox X Edge

    Click the Content icon. Make sure the Block pop-up windows option is not selected. Click OK. Disabling the pop-up blocker in Netscape 8.1 Open the browser software. Select Tools > Options. The Options window appears. Click the Site Controls icon. The Site Controls preference window appears.
  • Page 28: Connecting The Edge To More Than Four Devices

    Connecting the Firebox X Edge Find the Ethernet cable between the modem and your computer. Disconnect this cable from your computer and connect it to the Edge external interface (labeled WAN 1). Find the green Ethernet cable supplied with your Edge. Connect this cable to a trusted interface (LAN0-LAN2) on the Edge.
  • Page 29: About User Licenses

    • Reboot the Edge to close all sessions.
    For more information about user licenses, see the “User and Group Management” chapter. License upgrades are available from your reseller or from the WatchGuard® web site: http://www.watchguard.com/products/purchaseoptions.asp Setting Your Computer to Connect to the Edge Before you can use the Quick Setup Wizard, you must configure your computer to connect to the Firebox®...
  • Page 30: Using a Static IP Address

    Setting Your Computer to Connect to the Edge Select the Obtain an IP address automatically and the Obtain DNS server address automatically options. Click OK to close the Internet Protocol (TCP/IP) Properties dialog box. Click OK to close the Local Area Network Connection Properties dialog box. Close the Local Area Connection Status, Network Connections, and Control Panel windows.
  • Page 31: Using The Quick Setup Wizard

    Paste the feature key text that you copied from the LiveSecurity web site into the empty field. The Quick Setup Wizard is complete The Quick Setup Wizard shows a link to the WatchGuard web site to register your product. After you complete the wizard, the Firebox X Edge restarts.
  • Page 32 Using the Quick Setup Wizard Firebox X Edge e-Series...
  • Page 33: Navigation

    Navigation After you connect the WatchGuard® Firebox® X Edge e-Series to your network, you must configure the Edge. You can create firewall rules to enforce the security requirements of your company. You can also use the Edge configuration pages to create a user account, look at network statistics, and see the configuration of the Edge.
  • Page 34: Navigating The Firebox X Edge User Interface

    Navigating the Firebox X Edge User Interface This warning will appear each time you use HTTPS to connect to the Firebox X Edge unless you permanently accept the certificate. Enter your user name and password to authenticate. The System Status page appears. If necessary, you can change the Firebox X Edge so that it uses HTTP connections for web management connections instead of HTTPS.
  • Page 35: System Status Page

    You must enable JavaScript in your browser to use the navigation bar. Each menu item contains secondary menus that you use to configure the properties of that feature. To see these secondary menus, click the plus sign (+) to the left of the menu item. For example, if you click the plus sign adjacent to WebBlocker, these secondary menu items appear: Settings, Profiles, Allowed Sites, and Denied Sites.
  • Page 36: Firebox Users Page

    Navigating the Firebox X Edge User Interface Firebox Users page The Firebox Users page shows statistics on active sessions and local user accounts. It also has buttons to close current sessions and to add, edit, and delete user accounts. This page also shows the MUVPN client configuration files that you can download. For more information, see the “User and Group Management”...
  • Page 37: Administration Page

    Navigating the Firebox X Edge User Interface Administration page The Administration page shows whether the Firebox X Edge uses HTTP or HTTPS for its configuration pages, if the Edge is configured as a managed Firebox client, and which feature upgrades are enabled. It has buttons to change configurations, add upgrades, and see the configuration file.
  • Page 38: Firewall Page

    Navigating the Firebox X Edge User Interface Firewall page The Firewall page shows incoming and outgoing policies and proxies, blocked web sites, and other firewall settings. This page also has buttons to change these settings. For more information, see Chapter 7, “Firewall Policies.”
  • Page 39: Logging Page

    Logging page The Logging page shows the current event log, and the status of the Log Server and syslog logging. For more information, see Chapter 11, “Configuring Logging.” WebBlocker page The WebBlocker page shows the WebBlocker settings, profiles, allowed sites, and denied sites. For more information, see the “WebBlocker”...
  • Page 40: spamBlocker Page

    Navigating the Firebox X Edge User Interface spamBlocker page The spamBlocker page shows the spamBlocker settings and actions. It also has buttons to change the current settings. For more information, see the “spamBlocker” chapter. GAV/IPS page The GAV/IPS page shows the Gateway AntiVirus and Intrusion Prevention Service status and settings. It tells you which proxies are enabled for the service, and what version of the signature database you are using.
  • Page 41: VPN Page

    VPN tunnels. You can add the Firebox® X Edge e-Series to a WatchGuard System Manager VPN network with the WSM Access page in Administration. For more information, see the “Branch Office Virtual Private Networks” chapter.
  • Page 42: Monitoring The Firebox X Edge

    Monitoring the Firebox X Edge Monitoring the Firebox X Edge When you expand System Status on the navigation bar, you see a list of monitoring categories. With these pages, you can monitor all the components of the Edge and how they work. The Firebox®...
  • Page 43: Authentications

    Mask If a netmask is associated with the entry, it is listed here. If not, an asterisk (*) is shown. Device Interface on the Edge where the hardware address for that IP address was found. The Linux kernel name for the interface is shown in parentheses. Authentications This status page shows the IP address, user name, start time, and idle time for every user that is currently authenticated to the Edge.
  • Page 44: Components List

    Monitoring the Firebox X Edge Expires in (secs) Number of seconds before the connection times out unless traffic is sent on the connection to restart the timer. Components List This status page shows the software that is installed on the Edge. Each attribute is shown separately:
    • Name
    • ...
  • Page 45: Dynamic DNS

    Mounted on Where the partition is mounted in the system. Dynamic DNS This status page shows the state of the Dynamic DNS configuration. Last Last time the DNS was updated. Next Next time the DNS will be updated. Hostile Sites This status page shows the amount of time an IP address is blocked from access through the Firebox when they are added to the Blocked Sites list.
  • Page 46: Memory

    Monitoring the Firebox X Edge
    • Maximum use - maximum number of users allowed by the license
    • Reboot - shows if a reboot is necessary after a configuration change for that license
    • Expiration - shows when the license expires
    • ...
  • Page 47: Security Services

    Gateway Gateway that the network uses. Flags set for each route. Metric set for this route in the routing table. Mask Network mask for the route. TCP Maximum Transmission Unit. TCP window size for connections on this route. Number of references to this route. Security Services This status page shows basic reports on the activity of any enabled security service: Gateway AntiVirus, the Intrusion Prevention Service, WebBlocker, and spamBlocker.
  • Page 48: VPN Statistics

    Monitoring the Firebox X Edge Data Sent Number of bytes of data sent. Packets Sent Number of packets sent. Dropped Number of packets dropped. Overlimits Number of packets over the limit for each priority. VPN Statistics This status page shows VPN statistics such as:
    • SA (Security Association)
    • ...
  • Page 49: Configuration And Management Basics

    Configuration and Management Basics After your Firebox® X Edge e-Series is installed on your network and operating with a basic configuration file, you can start to add custom configuration settings to meet the needs of your organization. This chapter describes some basic management and maintenance tasks, which include how to:
    • Restore the Firebox X Edge to factory default settings
    • ...
  • Page 50: Restoring The Firebox To The Factory Default Settings

    If you do not start the Edge one more time, when you try to connect to the Edge you will see a web page that shows the message, “Your WatchGuard® Firebox X Edge is running from a backup copy of firmware.”...
  • Page 51: Local Restart

    Local restart You can locally restart the Firebox X Edge e-Series with one of two methods: use the web browser, or disconnect the power supply. Using the web browser To connect to the System Status page, type https:// in the browser address bar, and then the IP address of the Firebox X Edge trusted network interface.
  • Page 52 Setting the System Time You can change the NTP server that the Edge uses, or you can set the time manually. To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1 From the navigation bar, select Administration >...
  • Page 53: Enabling the Edge for SNMP Polling

    To the right of the date, set the time. - Type the hours in the first field. - Type the minutes in the second field. - Type the seconds in the third field. - Select AM or PM from the drop-down list. Click Submit.
  • Page 54: Using MIBs

    Selecting HTTP or HTTPS for Management Click the Enable SNMP v3 check box if your SNMP server uses SNMP v3. You must type the User name and Password the SNMP server uses when it contacts the Edge. If the SNMP server that polls the Edge is located on the Edge trusted network, click the Trusted Access check box.
  • Page 55: Changing the HTTP Server Port

    • With WatchGuard System Manager v8.3.1 and above, you can manage policies, updates, and VPNs for many Edge devices from one location.
    • With WatchGuard System Manager v7.3 or below, you can use VPN Manager to create managed VPN tunnels between a Firebox® X Edge and a different WatchGuard Firebox.
  • Page 56: Renaming the Firebox X Edge e-Series

    When you use WatchGuard System Manager to manage many different Edge devices, you can rename the Firebox X Edge e-Series so that it shows a unique name in WatchGuard System Manager. To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface.
  • Page 57: Enable Remote Management with WFS v7.3 or Earlier

    Type a status passphrase for your Firebox X Edge and then type it again to confirm. Type a configuration passphrase for your Firebox X Edge and then type it again to confirm. These passphrases must match the passphrases you use when you add the device to WatchGuard System Manager, or the connection will fail.
  • Page 58: Allowing Traffic From A Management Server

    Firebox X Edge. Select the Enable Managed VPN check box to configure the Firebox X Edge as a client to the WatchGuard DVCP server. In the DVCP Server Address text box, type the IP address of the DVCP server.
  • Page 59: Updating The Firebox X Edge Software

    One advantage of your LiveSecurity® Service is continuous software updates. As new threats appear and WatchGuard® adds product enhancements, you receive alerts to let you know about new versions of your Firebox® X Edge e-Series software. To install any firmware on the Edge, you must have a current LiveSecurity subscription.
  • Page 60: Activating Upgrade Options

    Activating Upgrade Options Type the name and location of the file that contains the new Firebox X Edge software in the Select file box, or click Browse to find the file on the network. Click Update and follow the instructions. The Firebox makes sure the software package is a legitimate software upgrade.
  • Page 61: Adding A Feature To Your Firebox X Edge

    The default URL is https://192.168.111.1. Accept the security certificate. Type the Administrator User Name and Password when prompted. From the navigation bar on the left side, select Administration > Upgrade. The Upgrade window appears. User Guide https://www.watchguard.com/archive/upgradecenter.asp https://www.watchguard.com/archive/getcredentials.asp Activating Upgrade Options...
  • Page 62: Enabling The Model Upgrade Option

    You can upgrade a Firebox X Edge e-Series 10e or a Firebox X Edge 20e to a higher model: Go to the upgrade site on the WatchGuard® web site (www.watchguard.com/upgrade) and log into your LiveSecurity service account. In the space provided, type the license key as it appears on your printed certificate or your online store receipt, including hyphens.
  • Page 63 Viewing the Configuration File From the navigation bar, select Administration > View Configuration. The configuration file is shown. User Guide...
  • Page 64 Viewing the Configuration File Firebox X Edge e-Series...
  • Page 65: Network Settings

    Network Settings A primary component of the WatchGuard® Firebox® X Edge e-Series setup is the configuration of network interface IP addresses. At a minimum, you must configure the external network and the trusted network so that traffic can flow through the Edge. You do this when you use the Quick Setup Wizard after you install the Edge.
  • Page 66: Configuring The External Network

    Configuring the External Network Configure the external interface of your Firebox Select the procedure your ISP uses to set your IP address. For detailed information, see the subsequent section in this guide, “Configuring the External Network” on page 54. You can choose one of these configurations: - DHCP: If your ISP uses DHCP, type the DHCP information that your ISP gave you.
  • Page 67: If Your ISP Uses Static IP Addresses

    From the Configuration Mode drop-down list, select DHCP Client. If your ISP makes you identify your computer to give you an IP address, type this name in the Optional DHCP Identifier field. Click Release if you want to give up the current DHCP-assigned IP address for the Edge. Click Renew to request a new DHCP-assigned IP address for the Edge from your DHCP server.
  • Page 68: If Your ISP Uses PPPoE

    Configuring the External Network Type the IP address, subnet mask, default gateway, primary DNS, secondary DNS, and DNS domain suffix into the related fields. Get this information from your ISP or corporate network administrator. These DNS settings are used when the Edge must find the IP address of a domain. If you completed the table on “Identifying Your Network Settings”...
  • Page 69: External Network Advanced Settings

    LCP echo requests. In most cases, the default setting of three is the best. Enable PPPoE debug trace WatchGuard® Technical Support uses this check box to troubleshoot PPPoE problems. With this option on, the Firebox X Edge makes a file that you can send to Technical Support. Use this option only when Technical Support tells you because it decreases Edge performance.
  • Page 70: Changing the MAC Address of the External Interface

    IP address. If your ISP uses this method to identify your computer, then you must change the MAC address of the Firebox X Edge external interface. Use the MAC address of the cable modem, DSL modem, or router that connected directly to the ISP in your original configuration. The MAC address must have these properties: The MAC address must use 12 hexadecimal characters.
  • Page 71: Configuring The Trusted Network

    If the Override MAC address field is cleared and the Firebox X Edge is restarted, the Firebox X Edge uses the default MAC address for the external network. To decrease problems with MAC addresses, the Firebox X Edge makes sure that the MAC address you assign to the external interface is unique on your network.
  • Page 72: Using DHCP on the Trusted Network

    Configuring the Trusted Network Using DHCP on the trusted network The DHCP Server option allows the Firebox X Edge e-Series to give IP addresses to the computers on the trusted network. When the Edge receives a DHCP request from a computer on the trusted network, it gives the computer an IP address.
  • Page 73: Setting Trusted Network DHCP Address Reservations

    Setting trusted network DHCP address reservations You can manually give the same IP address to a specified computer on your trusted network each time that computer makes a request for a DHCP IP address. The Firebox X Edge identifies the computer by its MAC address.
  • Page 74: Using Static IP Addresses for Trusted Computers

    Configuring the Trusted Network To configure the Firebox X Edge as a DHCP Relay Agent for the trusted interface: Use your browser to connect to the System Status page. From the navigation bar, select Network > Trusted. The Trusted Network Configuration page appears. Select the Enable DHCP Relay check box.
  • Page 75: Allowing Wireless Connections To The Trusted Interface

    Ethernet hubs or switches with RJ-45 connectors to connect more than three computers. It is not necessary for the computers on the trusted network to use the same operating system. To add more than three computers to the trusted network: Make sure that each computer has a functional Ethernet card.
  • Page 76 Configuring the Trusted Network Select the Restrict Access by Hardware MAC Address check box. Click Scan to have the Edge find all known hardware addresses on the network. If you want the Edge to try to resolve host names for all Windows computers it finds during the scan process, make sure the Try to resolve Windows host names during scan check box is selected.
  • Page 77: Configuring The Optional Network

    To manually add a hardware address and its host name to your configuration, click Add. The Add Allowed Address Control dialog box appears. Select the Log attempted access from MAC addresses not in the list check box if you want the Edge to generate a log message each time a computer whose hardware address is not in the list tries to get access to the Edge.
  • Page 78: Using DHCP on the Optional Network

    Configuring the Optional Network Select the Enable Optional Network check box. If necessary, you can change the optional network address. By default, the optional interface IP address is set to 192.168.112.1, so the trusted network and the optional networks are on two different subnets. The IP address of the optional network cannot be on the same subnet as the trusted network.
  • Page 79: Setting Optional Network DHCP Address Reservations

    If you have a WINS or DNS server, type the WINS Server Address, DNS Server Primary Address, DNS Server Secondary Address, and DNS Domain Suffix in the related fields. If you do not enter a value, the Firebox X Edge uses the same values as those used for the external network.
  • Page 80: Using Static IP Addresses for Optional Computers

    Firebox X Edge optional interface. Computers with static IP addresses on the optional network must use the optional interface IP address of the Edge as the default gateway or router. not get to the external network or the Internet.
  • Page 81: Restricting Access to the Edge Optional Interface by MAC Address

    To configure the Edge to allow wireless connections through the optional interface, see the “Firebox X Edge e-Series Wireless Setup” chapter. Restricting access to the Edge optional interface by MAC address You can control access to the Firebox® X Edge e-Series optional interface by computer hardware (MAC) address.
  • Page 82: Making A Static Route

    Type the destination IP address and the gateway in the related fields. The gateway is the local interface IP address of the router. The gateway IP address must be in the Firebox X Edge trusted, optional, or external network range.
  • Page 83 DynDNS configuration on the Edge or if you change the IP address of the default gateway con- figured for your Edge, it updates DynDNS.com immediately. WatchGuard is not affiliated with DynDNS.com. Creating a DynDNS.org account To set up your account, go to this web site: http://www.dyndns.com...
  • Page 84: Using the WAN Failover Option

    Internet connection. The WAN Failover option is included in the X50 and X55 models. You can purchase an upgrade for other models at the WatchGuard online store: https://www.watchguard.com/store It is not necessary to configure new policies to use this option. The failover interface uses the same policies and network properties as the external interface.
  • Page 85: WAN Failover and DNS

    WAN Failover and DNS When you use WAN Failover, it is a good idea to enter two DNS server addresses when you configure DHCP settings for the trusted and optional networks. Some ISPs allow queries to their DNS servers only if the query comes from that ISP network.
  • Page 86 Using the WAN Failover Option Select the Enable failover using the Ethernet (WAN2) interface check box. Type the IP addresses of the hosts to ping for the WAN1 (external) and WAN2 (failover) interfaces. The Firebox X Edge will send pings to the IP addresses you type here. If pings to the host on that network are not successful, the Edge starts the failover.
  • Page 87 Configuring WAN Failover with a static connection If you use a static connection to the Internet, select Manual Configuration from the Configuration Mode drop-down list. Type the IP address, subnet mask, default gateway, primary DNS, secondary DNS, and DNS domain suffix. Click Submit.
  • Page 88: Configuring the Edge for Serial Modem Failover

    IP address. If your ISP uses this method to identify your computer, then you must change the MAC address of the Firebox X Edge external interface. Use the MAC address of the cable modem, DSL modem, or router that connected directly to the ISP in your original configuration. The MAC address must have these properties: It must use 12 hexadecimal characters.
  • Page 89: Configuring Your Modem for WAN Failover

    Select the Enable failover using the Ethernet (WAN2)/Modem (serial port) interface check box. From the drop-down list, select Modem (serial port). The Edge sends regular pings to an IP address you specify to check for interface connectivity. Type the IP addresses you want the Edge to ping for the WAN1 (external) and WAN2 (failover) interfaces in the correct fields.
  • Page 90: Dns Settings

    Using the WAN Failover Option Select the Enable modem and PPP debug trace only if you have problems with your connection. When this option is selected, the Edge sends detailed logs for the serial modem failover feature to the event log file. Click Submit, or select a different tab to change more settings.
  • Page 91: Configuring Bids

    Click Submit, or select a different tab to change more settings. Configuring BIDS Telstra customers in Australia must use client software to connect to the BigPond network. The Firebox® X Edge e-Series uses BIDS to make this connection. If you do not connect to the BigPond network, it is not necessary to use BIDS.
  • Page 92 Configuring BIDS Firebox X Edge e-Series...
  • Page 93: Firebox X Edge E-Series Wireless Setup

    Firebox X Edge e-Series Wireless Setup The Firebox® X Edge e-Series Wireless can be configured as a wireless access point with three different security zones. You can enable wireless devices to connect to the Edge Wireless as part of the trusted network or part of the optional network.
  • Page 94: Understanding Wireless Configuration Settings

    Understanding Wireless Configuration Settings • It is a good idea to install the Edge Wireless away from other antennas or transmitters to decrease interference. • The default wireless authentication algorithm configured for each wireless security zone is not the most secure authentication algorithm. We recommend that you increase the authentication level to WPA2 if you can be sure that the wireless devices that will connect to your Edge can operate correctly with WPA2.
  • Page 95: Controlling Ssid Broadcasts

    Controlling SSID broadcasts Computers with wireless network cards send requests to see whether there are wireless access points to which they can connect. To configure an Edge wireless interface to send and answer these requests, select the Broadcast SSID and respond to SSID queries check box. For security, turn this option on only while you are configuring computers on your network to connect to the Edge.
  • Page 96: Setting The Wireless Authentication Method

    Configuring Wireless Security Settings Setting the wireless authentication method Five authentication methods are available in the Firebox X Edge e-Series Wireless. We recommend that you use WPA2 if possible because it is the most secure. The five available methods, from least secure to most secure, are: Open System Open System authentication allows any user to authenticate with the access point.
  • Page 97: Allowing Wireless Connections To The Trusted Interface

    Allowing Wireless Connections to the Trusted Interface If you enable wireless connections to the trusted interface, we recommend that you enable and use the Edge feature that allows you to restrict access to the trusted interface by MAC address. This prevents users from connecting to the Edge from unauthorized computers that could contain viruses or spyware.
  • Page 98: Allowing Wireless Connections To The Optional Interface

    Allowing Wireless Connections to the Optional Interface To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1 From the navigation bar, select Network >...
  • Page 99: Enabling A Wireless Guest Network

    select an encryption option with pre-shared keys, a random pre-shared key is generated for you. You can use this key, or type your own. Click Submit to save your configuration to the Firebox X Edge e-Series Wireless. Enabling a Wireless Guest Network To configure a wireless guest network, you can use the wireless guest network configuration wizard available on the Wizards page of your Edge configuration menu.
  • Page 100: Configuring Wireless Radio Settings

    Configuring Wireless Radio Settings To configure the Edge to send DHCP requests to a DHCP server external to the Edge, select the Enable DHCP Relay check box. For more information about this feature, see the “Network Settings” chapter. If you use WebBlocker and want to apply a WebBlocker profile for all wireless connections that use the wireless guest network, select the profile you want to apply from the WebBlocker Profile drop-down list.
  • Page 101: Setting The Wireless Mode Of Operation

    Setting the wireless mode of operation Most wireless cards can operate only in 802.11b (up to 11 MB/second) or 802.11g (54 MB/second) mode. To set the operating mode for the Firebox X Edge e-Series Wireless, select an option from the Wireless Mode drop-down list.
  • Page 102 Configuring the Wireless Card on Your Computer Firebox X Edge e-Series...
  • Page 103: Firewall Policies

    Firewall Policies The Firebox® X Edge e-Series uses policies and other firewall options to control the traffic between the trusted, optional, and external networks. Usually the external network is the Internet. When your private network is connected to the Internet, you must be able to control that connection. The configuration of allowed policies and firewall options sets the level of security the Edge applies to your network.
  • Page 104: Incoming And Outgoing Traffic

    Understanding Policies Incoming and outgoing traffic Traffic that comes from the external network is incoming traffic. Traffic that goes to the external network is outgoing traffic. By default, the Firebox X Edge e-Series denies incoming traffic to protect your trusted and optional networks.
  • Page 105: Enabling Common Packet Filter Policies

    Enabling Common Packet Filter Policies You can control the traffic between the trusted, optional, and external networks using packet filter policies. The Firebox® X Edge supplies a list of frequently used policies, called common policies, that you can use to easily allow or deny the most common traffic categories. You can use the default settings of the packet filters or you can edit them to meet your needs.
  • Page 106: Editing Common Packet Filter Policies

    Editing Common Packet Filter Policies Find the common policy you want to allow or deny. From the Filter drop-down list adjacent to the policy name, select Allow, Deny, or No Rule. If you select No Rule, that policy is disabled and the Edge uses the default behavior, which is to deny incoming traffic and allow outgoing traffic.
  • Page 107: Incoming Settings

    From the navigation bar, select Firewall > Incoming or Firewall > Outgoing. You can edit both incoming and outgoing traffic from either page. The Filter Traffic page appears. Find the common packet filter policy you want to edit and click Edit. Incoming settings From the Edit Policies page, select the Incoming tab.
  • Page 108: Outgoing Settings

    Configuring Custom Packet Filter Policies Click Submit. Outgoing settings From the Edit Policies page, select the Outgoing tab. From the Outgoing Filter drop-down list, select the rule you want to apply. This rule affects only outgoing traffic. To specify which computers on your trusted and optional network can use this policy, in the From field, select Any and click Remove.
  • Page 109: Adding A Custom Policy Using The Wizard

    • You must create an additional packet filter for a policy. • You must change the port or protocol for a policy. You can add a custom packet filter policy using one or more of these: • TCP ports • UDP ports •...
  • Page 110: Filtering Incoming Traffic For A Custom Policy

    Configuring Custom Packet Filter Policies In the Policy Name text box, type the name for your policy. From the Protocol Settings drop-down list, select TCP Port, UDP Port, or Protocol. In the text box adjacent to the Port/Protocol drop-down list, type a port number or protocol number.
  • Page 111: Filtering Outgoing Traffic For A Custom Policy

    In the address text boxes, type the host or network IP address, or type the range of IP addresses that identify the computers on the external network that can send traffic to the service host. Type network IP addresses in “slash” notation. For more information on slash notation see “Sample VPN Address Information Table”...
  • Page 112: Configuring Policies For The Optional Network

    Configuring Policies for the Optional Network Click Submit. By default, the Firebox® X Edge e-Series allows all traffic that starts in the trusted network and tries to go to the optional network, and denies all traffic that starts in the optional network and tries to go to the trusted network.
  • Page 113: Disabling Traffic Filters Between Trusted And Optional Networks

    To allow all traffic from the trusted network, find the Outgoing policy and select Allow from the Filter drop-down list. To deny all traffic from the trusted network, find the Outgoing policy and select Deny from the Filter drop-down list. To deny some traffic, but allow all other traffic from the trusted network to the optional network, set the Outgoing policy to Deny from the Filter drop-down list.
  • Page 114 Configuring Policies for the Optional Network Firebox X Edge e-Series...
  • Page 115: Proxy Settings

    The Firebox X Edge e-Series supplies proxy policy filters that monitor and examine HTTP, SMTP, POP3, and FTP connections. WatchGuard proxies also look for application protocol anomalies. If a packet is not built correctly, or contains content that is unexpected or does not match the rules in your Edge configuration, the proxy blocks it.
  • Page 116: Understanding The Ftp Proxy

    Proxy Policies files, images, and other content. When the HTTP client starts a request, it establishes a Transmission Control Protocol (TCP) connection on port 80. An HTTP server listens for requests on port 80. When it receives the request from the client, the server replies with the requested file, an error message, or some other information.
  • Page 117: Using The Http Proxy

    Using the HTTP Proxy To enable the HTTP proxy: To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1 From the navigation bar, select Firewall > Outgoing. The Filter Outgoing Traffic page appears.
  • Page 118: Setting Access Control Options

    Configuring the HTTP Proxy Setting access control options On the Outgoing tab, you can set rules that filter IP addresses, network addresses, or host ranges. This is the same functionality you have in packet filter policies. See Chapter 7, “Firewall Policies” for more information.
  • Page 119 HTTP requests When a user clicks on a hyperlink or types a URL into the web browser, it sends an HTTP request to a remote server to get the content. In most browsers, the status bar shows, "Contacting site..." or a similar message.
  • Page 120 Configuring the HTTP Proxy HTTP responses When the remote HTTP server accepts the connection request from the HTTP client, most browser status bars show, "Site contacted. Waiting for reply..." Then the HTTP server sends the appropriate response to the HTTP client. This is usually a file or series of files. The proxy uses valuable network resources to monitor the network connection to the web server.
  • Page 121: Filtering Web Content

    WatchGuard web site, http://www.watchguard.com, type If you want to allow all subdomains that contain “watchguard.com” you can use the asterisk (*) as a wild card. For example, to allow “watchguard.com”, “www.watchguard.com”, and “support.watchguard.com” to bypass the proxy, type: Click Add.
  • Page 122 Configuring the HTTP Proxy Content types When a web server sends HTTP traffic, it usually adds a MIME type, or content type, to the packet header that shows what kind of content is in the packet. The format of a MIME type is type/subtype. For example, if you wanted to allow JPEG images, you would add image/jpg.
  • Page 123: Using The Ftp Proxy

    Using the FTP Proxy To enable the FTP proxy: To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1 From the navigation bar, select Firewall > Outgoing. The Filter Outgoing Traffic page appears.
  • Page 124: Configuring The Ftp Proxy

    Configuring the FTP Proxy Setting access control options On the Outgoing tab, you can set rules that filter IP addresses, network addresses, or host ranges. This is the same functionality you have in packet filter policies. See Chapter 7, “Firewall Policies” for more information.
  • Page 125: Filtering Content

    Set the maximum username length to Sets a maximum length for user names on FTP sites. Set the maximum password length to Sets a maximum length for passwords used to log in to FTP sites. Set the filename length to Sets the maximum file name length for files to upload or download.
  • Page 126: Using The Pop3 Proxy

    Using the POP3 Proxy In the Downloads text box, select the Deny these file types check box if you want to limit the types of files that a user can download. This check box is selected by default and restricts the types of files that users can download through the FTP proxy.
  • Page 127: Using The Pop3 Proxy

    From the navigation bar, select Firewall > Outgoing. The Filter Outgoing Traffic page appears. Below Common Proxy Policies, select Allow from the drop-down list adjacent to POP3 Proxy. Click Submit. Configuring the POP3 Proxy To configure the POP3 proxy filter, select Firewall > Outgoing from the navigation menu. Find the POP3 proxy and click Edit.
  • Page 128: Configuring The Pop3 Proxy

    For a complete description of the actions the POP3 proxy takes and the results your users see when the POP3 proxy finds and blocks content, see the FAQs for the Edge at http://www.watchguard.com/support/faq/edge. Firebox X Edge e-Series...
  • Page 129: Setting Access Control Options

    Set the timeout to This setting limits the number of seconds that the email client tries to open a connection to the email server before the connection is closed. This prevents the proxy from using too many network resources when the email server is slow or cannot be reached. Set the maximum email line length to This setting prevents some types of buffer overflow attacks.
  • Page 130: Filtering Email Content

    Configuring the POP3 Proxy Filtering email content Certain kinds of content embedded in email can be a security threat to your network. Other kinds of content can decrease the productivity of your users. On the POP3 Content tab, you limit content types, and block specified path patterns and URLs.
  • Page 131 card. For example, if you want to block all MP3 files, type *.mp3. If you read about a vulnerability in a LiveSecurity Service Alert that affects PowerPoint files and you want to deny them until you install the patch, type *.ppt. To add file name patterns to the blocked list, enter the pattern and click Add.
  • Page 132: Using The Smtp Proxy

    Configuring the SMTP Proxy Setting access control options On the Incoming tab, you can set rules that filter IP addresses, network addresses, or host ranges. This is the same functionality you have in packet filter policies. See Chapter 7, “Firewall Policies” for more information.
  • Page 133: Deny Message

    as large as 1MB (1000Kb) you must set this field to a minimum of 1.4MB (1400Kb) to make sure all email messages and their attachments get through. Maximum line length Set the maximum line length for lines in an SMTP message. Very long line lengths can cause buffer overflows on some email systems.
  • Page 134: Filtering Email By Address Pattern

    Configuring the SMTP Proxy Filtering email by address pattern The options on the SMTP Addressing tab allow you to put limits on who can send email to your email server, and who can receive the email. Block email from unsafe senders Select this check box if you want to put limits on email to allow email into your network only from specified senders.
  • Page 135: Filtering Email Content

    types, and block specified path patterns and URLs. You can use the asterisk (*) as a wild card. Allow only safe content types The headers for email messages include a Content Type header to show the MIME type of the email and of any attachments.
  • Page 136 Adding a Custom Proxy Policy If you want one HTTP, POP3, or FTP proxy policy for all users protected by your Firebox X Edge, use the Common Proxy Policy selections. If you want different rules for different parts of your network, you must create additional proxy policies.
  • Page 137: Adding A Custom Proxy Policy

    The WatchGuard® spamBlocker™ option operates with the POP3 and SMTP proxies. It uses unique recurrent pattern detection technology from Commtouch® to block spam at your Internet gateway and keep it from getting to your email server.
  • Page 138: Using Additional Services For Proxies

    Using Additional Services for Proxies Firebox X Edge e-Series...
  • Page 139: Intrusion Prevention

    Intrusion Prevention The Firebox X Edge e-Series includes a set of default threat protection features designed to keep out network traffic from systems you know or think are a security risk. This set of features includes: Permanently blocked site The Blocked Sites list is a list of IP addresses you add manually to your configuration file. The IP addresses on this list cannot connect to or through the Edge on any port.
  • Page 140: Blocking Sites Temporarily

    Blocking Sites Temporarily From the navigation bar, click Firewall > Intrusion Prevention. Click on the Blocked Sites tab. Use the drop-down list to select whether you want to enter a host IP address, a network address, or a range of IP addresses. Type the value in the adjacent text box and click Add. You cannot add internal IP or network addresses to the Blocked Sites list.
  • Page 141: Blocking Ports

    Select the Auto-block hosts that send traffic that is denied by the default policy check box to add the IP addresses of any site denied by the Edge’s default firewall policy to the temporary Blocked Sites list. To understand your Edge’s default firewall policy, look at Firewall > Incoming. If you enable the auto-block feature, the source IP address of any traffic that is denied by the Edge because there is no rule to allow it will be added to the auto-blocked sites list.
  • Page 142: Avoiding Problems With Blocked Ports

    Blocking Ports X Font Server (port 7100) Many versions of X-Windows operate X Font Servers. The X Font Servers operate as the superuser on some hosts. NFS (port 2049) NFS (Network File System) is a frequently used TCP/IP service where many users use the same files on a network.
  • Page 143: Preventing Denial-Of-Service Attacks

    In the Ports text box, type the name of the port you want to block. Click Add. If you want the Edge to automatically block any external computer that tries to get access to a blocked port, select the Auto-block sites that attempt to use blocked ports check box. Preventing Denial-of-Service Attacks The Firebox X Edge e-Series includes an integrated denial-of-service (DoS) protection feature to protect against some of the most common and frequent DoS and Distributed DoS (DDoS) attacks used on...
  • Page 144: Distributed Denial-Of-Service Prevention

    Preventing Denial-of-Service Attacks On the Firewall > Intrusion Prevention page, select the DoS Defense tab and set the packet/second threshold for these types of DoS flood attacks: IPSec flood attack A DoS attack where the attacker overwhelms a computer system with a large number of IPSec connections.
  • Page 145: Configuring Firewall Options

    Configuring Firewall Options You can use the Firewall Options page to configure rules that increase your network security. To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox® X Edge trusted interface. The default URL is: https://192.168.111.1 From the navigation bar, click Firewall >...
  • Page 146 Configuring Firewall Options Do not respond to ping requests You can configure the Firebox X Edge e-Series to deny ping requests received on the trusted, external, or optional network. This option overrides all other Edge settings. Do not allow FTP access to the Edge You can configure the Firebox X Edge e-Series to not allow any FTP connections from the trusted or optional network.
  • Page 147: Traffic Management

    Traffic Management The Firebox® X Edge e-Series supplies many different ways to manage the traffic on your network. You can limit the rate of traffic sent to the external or IPSec interface using QoS (Quality of Service) through Traffic Control. You can manage data transmission by giving more or less bandwidth to different traffic types.
  • Page 148: Traffic Categories

    Traffic Categories The Firebox® X Edge e-Series allows you to limit data sent through policies and Traffic Control filters. A policy can allow or deny all data of a specified type. Traffic Control does not allow or deny data, but creates “filters”...
  • Page 149 pose. The Edge and other marking-capable external devices use these bits to control how a packet is handled as it is sent over a network. The use of marking procedures on a network requires that you do extensive planning. You can first identify theoretical bandwidth available and then determine which network applications are high priority, particularly sensitive to latency and jitter, or both.
  • Page 150: Configuring Traffic Control

    Configuring Traffic Control DSCP Value * Scavenger class is intended for the lowest priority traffic such as media sharing or gaming applications. This traffic has a lower priority than Best-Effort. Configuring Traffic Control The Firebox® X Edge e-Series has many different traffic control options, including: Traffic control is off The Edge sends network traffic in the sequence it was received.
  • Page 151: Enabling Traffic Control

    Enabling traffic control For information on configuring VPN Traffic Control, see “VPN Traffic Control” on page 205. To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1 From the navigation bar, select Network >...
  • Page 152: Adding A Traffic Control Filter

    Configuring Traffic Control If you want to use Traffic Control marking, select IP Precedence or DSCP from the Marking Type drop-down list. You can then select the mark you want applied for each traffic category with the Mark drop-down list at the top of each traffic category. Click Submit.
  • Page 153: Editing A Traffic Control Filter

    In the Name text box, type a name for the traffic control filter. This name is used on the Traffic Control page to identify the filter. In the From text box, type the IP address or subnet of the traffic source or local network associated with this filter.
  • Page 154: Changing The Priority Of A Traffic Control Filter

    Working with Firewall NAT Changing the priority of a traffic control filter Select an entry from any category. To select multiple entries, hold down the Control or Shift key. To make the traffic more important, click the Up button adjacent to the category list. To make the traffic less important, click the Down button.
  • Page 155: Nat Behavior

    You can have only one trusted network, one optional network, and one external network. • You can use a router to connect more subnets to these networks. For more information, see “Connecting the Edge to more than four devices” on page 16.
  • Page 156 Working with Firewall NAT From the navigation bar, select Firewall > NAT. The NAT (Network Address Translation) page appears. Click Add. The Mapping page appears. In the Public Address text box, type a secondary external IP address. The address must be on the external network subnet. In the Private Address text box, type a private IP address from the trusted or optional network.
  • Page 157 To add a custom packet filter policy, click Add Packet Filter Policy. To add a custom SMTP proxy policy, click Add Incoming Proxy Policy. To add a custom HTTP, POP3, or FTP proxy policy, click Add Outgoing Proxy Policy. Use the instructions in Chapter 7, “Firewall Policies” and Chapter 8, “Proxy Settings” to configure the settings for your custom policy.
  • Page 158 Working with Firewall NAT Firebox X Edge e-Series...
  • Page 159: Logging And Certificates

    The first part of this chapter describes how to view log messages and configure a Log Server. You can set up a connection to a WatchGuard or Syslog Log Server to monitor your Firebox X Edge e-Series.
  • Page 160: Logging To A Watchguard Log Server

    The WatchGuard® Log Server (previously known as the WatchGuard System Event Processor, or WSEP) is a component of WatchGuard System Manager. If you have a Firebox® III, Firebox X Core, or Firebox X Peak, configure a primary Log Server to collect the log messages from your Firebox X Edge e-Series.
  • Page 161: Logging To A Syslog Host

    Server installation must be WSM v8.3 or greater. If you select this option, the Edge generates log messages in native XML, which includes more detail for each log message. This allows the WSM administrator to create Historical Reports that include these details for the Edge. If you keep this check box unselected, the Edge sends log messages in the proprietary format used with WFS appliance software v7.x.
  • Page 162: About Certificates

    About Certificates This setting is useful if you have more than one Firebox X Edge that sends syslog messages to the same syslog host. Click Submit. Because syslog traffic is not encrypted, syslog messages that are sent through the Internet decrease the security of the trusted network.
  • Page 163: Using Microsoft Ca To Create A Certificate

    When you are prompted for the x509 Common Name attribute information, type your fully-qualified domain name (FQDN). Use other information as appropriate. Follow the instructions from your certificate authority to send the CSR. To create a temporary, self-signed certificate until the CA returns your signed certificate, type at the command line: openssl x509 -req -days 30 -in request.csr -key privkey.pem -out sscert.cert This command creates a certificate inside your current directory that expires in 30 days.
  • Page 164: Downloading The Certificate

    Using Certificates on the Firebox X Edge Downloading the certificate Open your web browser. In the location or address bar, type the IP address of the server where the Certification Authority is installed, followed by certsrv. Example: http://10.0.2.80/certsrv Click the View the status of a pending certificate request link. Click the certificate request with the time and date you submitted.
  • Page 165: Examining A Certificate

    Examining a certificate You can examine a certificate you have already imported to see its properties, including its expiration date, issuing authority, or other information. From the System Status page on the Firebox X Edge, select Administration > Certificates. Select the certificate you want to examine, and then click the adjacent Detail button. User Guide Using Certificates on the Firebox X Edge...
  • Page 166 Using Certificates on the Firebox X Edge Firebox X Edge e-Series...
  • Page 167: User And Group Management

    • each user. The Edge Administrator can set a global session maximum timeout. • You must reboot the Edge to close all sessions. • License upgrades are available from your reseller or from the WatchGuard® web site: http://www.watchguard.com/products/purchaseoptions.asp User Guide...
  • Page 168: When A User License Is Used

    About User Authentication When a user license is used User licensing works differently depending on whether Firebox User authentication is required to access the external network: When user authentication is not required to access the external network A user license is used when user authentication for access to the external network is not required and the Edge allows traffic to be passed from a computer on the trusted or optional network to the external network.
  • Page 169 Use the definitions below to help you change your parameters. Click Submit. Require user authentication (enable local user accounts) When you select this check box, all hosts must authenticate to the Firebox X Edge to send or receive network traffic. If you do not select this check box, there is no user-based control for access to the Internet or VPN tunnels.
  • Page 170: Using Local Firebox Authentication

    Using Local Firebox Authentication When you create a local user for the Firebox® X Edge e-Series, you select the Administrative Access level for that user. You select access control for the external network and the Branch Office VPN tunnel, and time limits on this access.
  • Page 171: Authenticating To The Edge

    In the Description field, type a description for the user. This is for your information only. A user does not use this description during authentication. In the Password field, type a password with a minimum of eight characters. Mix eight letters, numbers, and symbols.
  • Page 172 Using Local Firebox Authentication The user must enter his or her user name and password to authenticate. If you are using local authentication, you must type your name as it appears in the Firebox User list. If you use Active Directory or another LDAP server for authentication through the Firebox X Edge, you must include the domain name.
  • Page 173: Setting A Webblocker Profile For A User

    Make sure you keep the administrator name and password in a safe location. You must have this information to see the configuration pages. If the system administrator name and password are not known, you must reset the Firebox X Edge to the factory default settings. For more information, see “Factory Default Settings”...
  • Page 174: Using Ldap/Active Directory Authentication

    Using LDAP/Active Directory Authentication From the navigation bar, select Firebox Users. The Firebox Users page appears. Below Local User Accounts, click Edit for the account to change the password for. The Edit User page appears with the Settings tab visible. Click Change Identification.
  • Page 175 Group Attribute Name in the appropriate text boxes. These text boxes do not appear if you select Active Directory as the LDAP server type. The Login Attribute Name is the name of the login name attribute of user entries in the LDAP User Guide Using LDAP/Active Directory Authentication www.watchguard.com/...
  • Page 176: Using The Ldap Authentication Test Feature

    Using LDAP/Active Directory Authentication directory. The Group Attribute Name is the name of the group membership attribute of user entries in the LDAP directory. Click Submit. Using the LDAP authentication test feature After the Firebox X Edge e-Series is configured to use LDAP authentication, you can use the LDAP authentication test feature to make sure the Edge can connect to the LDAP server.
  • Page 177: Setting A Webblocker Profile For A Group

    In the Account Name text box, type the name of the new group. This name must match the name of a group in the LDAP directory. This name must contain only letters, numbers, and the underscore (_) or dash (-) characters. Spaces are not permitted. In the Description text box, you can enter a description of the group.
  • Page 178: Ldap Authentication And Muvpn

    Seeing Current Sessions and Users LDAP authentication and MUVPN Because IPSec MUVPN settings cannot be assigned at the group level, you must create a local Firebox user account for the user and add MUVPN settings for the user on the MUVPN tab. See the Mobile User VPN chapter for more information.
  • Page 179: Local User Accounts

    From the navigation bar, select Firebox Users. The Firebox Users page appears. In the Active Sessions list, click the Close button adjacent to the session you want to stop. To stop all sessions, click the Close All button. If user authentication is enabled for external network connections, a session stops when one of these events occurs: The idle timeout limit set for that account is reached.
  • Page 180: Allowing Internal Devices To Bypass User Authentication

    Allowing Internal Devices to Bypass User Authentication You can make a list of internal devices that bypass user authentication settings. If a device is on this list, a user at that device does not have to authenticate to get access to the Internet. No WebBlocker rules apply to web traffic originating from devices on this list.
  • Page 181: Webblocker

    Other companies restrict access to offensive web sites. You must purchase the WebBlocker upgrade to use this feature. For more information, visit the WatchGuard LiveSecurity® web site at http://www.watchguard.com/store. How WebBlocker Works WebBlocker uses a database of web site addresses controlled by SurfControl®, a web filter company.
  • Page 182 Configuring Global WebBlocker Settings To configure WebBlocker: To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1 From the navigation bar, select WebBlocker > Settings. The WebBlocker Settings page appears.
  • Page 183: Creating Webblocker Profiles

    WebBlocker shows the HTTP proxy deny message in the user browser when it blocks a site. You can customize this message when you configure the HTTP proxy policy. For more information, see “Configuring the HTTP Proxy” on page 105. Creating WebBlocker Profiles A WebBlocker profile is a set of restrictions you apply to users or groups of users on your network.
  • Page 184 Creating WebBlocker Profiles In the Profile Name field, type a familiar name. Use this name to identify the profile during configuration. For example, give the name “90day” to a group of employees that have worked at your company for less than 90 days. In Blocked Categories, select the categories of web sites to block by selecting the check box adjacent to the category name.
  • Page 185: Webblocker Categories

    WebBlocker Categories The WebBlocker database contains nine groups of categories with 40 individual categories. A web site is added to a category when the contents of the web site meet the correct criteria. Web sites that give opinions or educational material about the subject matter of the category are not included. For example, the drugs/drug culture category denies sites that tell how to use marijuana.
  • Page 186 WebBlocker Categories Category Computing and Internet Criminal Skills Drugs, Alcohol, & Tobacco Education Description of Content • Reviews, information, computer buyer’s guides, computer parts and accessories, and software • Computer/software/Internet companies, industry news, and magazines • Pay-to-surf sites • Downloadable (non-streaming) movie, video, or sound...
  • Page 187 Category Finance & Investment Food & Drink Gambling Games Glamour & Intimate Apparel Government & Politics Description of Content • Stock quotes, stock tickers, and fund rates • Online stock or equity trading • Online banking and bill-pay services...
  • Page 188 WebBlocker Categories Category Hacking Hate Speech Description of Content • Promotion, instruction, or advice on the questionable or illegal use of equipment and/or software for purpose of hacking passwords, creating viruses, or gaining access to other computers and/or computerized communication systems • Sites that provide instruction or work-arounds for filtering...
  • Page 189 Category Health & Medicine Hobbies & Recreation Hosting Sites Job Search & Career Development Kids’ Sites Lifestyle & Culture Motor Vehicles News Description of Content • General health such as fitness and well-being • Alternative and complementary therapies, including yoga,...
  • Page 190 WebBlocker Categories Category Personals & Dating Photo Searches Real Estate Reference Religion Remote Proxies Search Engines Education Shopping Sports Description of Content • Singles listings, matchmaking and dating services • Advice for dating or relationships; romance tips and suggestions • Sites that provide resources for photo and image searches...
  • Page 191 Category Streaming Media Travel Violence Weapons Web-based email Usenet/Forums Description of Content • Streaming media files or events (any live or archived audio or video file) • Internet TV and radio • Personal (non-explicit) Webcam sites • Telephony sites that allow users to make calls by way of the Internet • VoIP services • Airlines and flight booking agencies...
  • Page 192: Determining A Category

    Type the URL or IP address of the site to check. Click Test Site. The WatchGuard Test-a-Site Results page appears. Adding, removing, or changing a web site category If you receive a message that the URL you entered is not in the SurfControl list, you can submit it on the Test Results page.
  • Page 193: Allowing Certain Sites To Bypass Webblocker

    Select whether you want to Add a site, Delete a site, or Change the category. Enter the site URL. If you want to request that the category assigned to a site is changed, select the new category from the drop-down menu. Click Submit.
  • Page 194: Blocking Additional Web Sites

    Blocking Additional Web Sites Type the host IP address or domain name of the web site to allow. Repeat step 3 for each additional host or domain name that you want to add to the Allowed Sites list. The domain (or host) name is the part of a URL that ends with .com, .net, .org, .biz, .gov, or .edu. Domain names may also end in a country code, such as .de (Germany) or .jp (Japan).
  • Page 195: Bypassing Webblocker

    From the drop-down list, select Host IP Address or Domain Name/URL Type the host IP address or domain name of the denied web site. Repeat step 3 for each additional host, IP address, or domain name you want to add to the Denied Sites list.
  • Page 196 Bypassing WebBlocker In the Host IP Address text box, type the IP address of the computer on your trusted or optional network to allow users to browse the Internet without authentication restrictions. Click Add. Repeat step 2 for other trusted computers. Click Submit.
  • Page 197: Spamblocker

    Guard® spamBlocker™ uses industry-leading pattern detection technology from Commtouch to block spam at your Internet gateway and keep it from getting to your email server. You must purchase the spamBlocker upgrade to use this feature. For more information, visit the WatchGuard LiveSecurity™ web site at reseller. Understanding How spamBlocker Works There are many procedures that email filters use to find spam.
  • Page 198: Spamblocker Categories

    Configuring spamBlocker spamBlocker categories spamBlocker puts spam email into three categories: Spam, Bulk and Suspect. spamBlocker assigns email messages to these categories using the spam score returned from a scoring request sent to the Commtouch Detection Center. The Spam category includes email messages that come from known spam senders. •...
  • Page 199: Enabling Spamblocker

    Enabling spamBlocker To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1 From the navigation bar, select spamBlocker > Settings. The spamBlocker Settings page appears.
  • Page 200: Creating Exceptions

    For example, if you type *@watchguard.com, the exception refers to any email address sent to the WatchGuard domain. You can also type only an asterisk in the text box if the exception applies to any sender.
  • Page 201: Adding Trusted Email Forwarders

    You can highlight an exception and click Remove to remove the exception. You can change the precedence of the exception list. Select an exception, and then click Up or Down to adjust the precedence of that exception. Click Submit. Adding Trusted Email Forwarders On the spamBlocker Settings Common tab, you can enter one or more host names or domain names of email servers that you trust to forward email to your email server.
  • Page 202 Configuring Rules For Your Email Reader Before you start, make sure that you set the action for spam and bulk email to Add a subject tag. You can use the default tags, or create custom tags. The steps below describe how to create folders with the default tags.
  • Page 203: Gateway Antivirus And Intrusion Prevention Service

    You must purchase the Gateway AV/IPS upgrade to use these services. For more information, visit the WatchGuard LiveSecurity® web site at reseller. WatchGuard cannot guarantee that Gateway AV/IPS can stop all viruses or intrusions, or prevent damage to your systems or networks from a virus or intrusion attack. Understanding Gateway AntiVirus Settings The Gateway AntiVirus Service works together with the SMTP, POP3, HTTP, and FTP proxies.
  • Page 204: Understanding Intrusion Prevention Service Settings

    Understanding Intrusion Prevention Service Settings • If you enable Gateway AntiVirus with the FTP proxy, it finds viruses in files that users try to download from the external network. If a virus is found, the file is blocked. You can view the name of a virus or infected file that Gateway AV has blocked in the log records. Select Logging from the sidebar menu.
  • Page 205: Gateway Antivirus Settings

    Gateway AntiVirus settings Select the Enable Gateway AntiVirus for HTTP check box to scan HTTP content, which your users try to download, for viruses. Select the Enable Gateway AntiVirus for FTP check box to scan file transfer traffic for viruses. Select the Enable Gateway AntiVirus for POP3 check box to scan email downloaded from the email server for viruses.
  • Page 206: Intrusion Prevention Service Settings

    New viruses and intrusion methods appear on the Internet frequently. The Gateway AV/IPS service uses a database of signatures to check for viruses and intrusions. WatchGuard frequently publishes updates to the signature database to our customers as new signatures become known. Usually, new Gateway AV signatures are published several times a day.
  • Page 207 To update your Gateway AV/IPS signatures manually: Select GAV/IPS > Update from the navigation bar The GAV/IPS Update page appears. Decide if you want automatic updates or manual updates. If you want manual updates, clear the Enable automatic updates check box. If you want to update the signatures manually, compare the current signature database version to the version available for download.
  • Page 208 Updating Gateway AV/IPS Firebox X Edge e-Series...
  • Page 209: Branch Office Virtual Private Networks

    The subsequent section tells you how to configure the Firebox X Edge to be the endpoint of a VPN tunnel created and managed by a WatchGuard® Firebox X Core or Peak Management Server. This procedure is different for different versions of WatchGuard System Manager appliance software installed on the Firebox X Core or Peak.
  • Page 210: About Vpn Failover

    - UDP Port 4500 (NAT traversal) - IP Protocol 50 (Encapsulating Security Payload or ESP) • If the other side of the VPN tunnel is a WatchGuard Firebox X and each Firebox is under WatchGuard System Manager management, you can use the Managed VPN option. Managed VPN is easier to configure than Manual VPN.
  • Page 211: Managed Vpns

    To create a VPN tunnel manually to another Firebox® X Edge or to a Firebox III or Firebox X, or to configure a VPN tunnel to a device that is not a WatchGuard® device, you must use Manual VPN. Use this section to configure Manual VPN on the Edge.
  • Page 212 The numbers after the slashes indicate the subnet masks. /24 means that the subnet mask for the trusted network is 255.255.255.0. For more information on entering IP addresses in slash notation, see this FAQ: https://www.watchguard.com/support/advancedfaqs/general_slash.asp Example: Site A: 192.168.111.0/24 Site B: 192.168.222.0/24...
  • Page 213: To Create Manual Vpn Tunnels On Your Edge

    To create Manual VPN tunnels on your Edge To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface. The default URL is: https://192.168.111.1 From the navigation bar, select VPN > Manual VPN. The Manual VPN page appears.
  • Page 214 If your Firebox X Edge external interface has a private IP address instead of a public IP address, then your ISP or the Internet access device connected to the Edge’s external interface (modem or router) does Network Address Translation (NAT). See the instructions at the end of this section if your Edge’s external interface has a private IP address.
  • Page 215 Type the number of kilobytes and the number of hours until the IKE negotiation expires. To make the negotiation never expire, enter zero (0). For example, 24 hours and zero (0) kilobytes means that the phase 1 key is negotiated every 24 hours no matter how much data Select the group number from the Diffie-Hellman Group drop-down list.
  • Page 216: Phase 2 Settings

    Manual VPN: Setting Up Manual VPN Tunnels ID. The remote device must identify your Firebox X Edge by domain name, and it must use the same public IP address as the domain name in its Phase 1 setup. Phase 2 settings Phase 2 negotiates the data management security association for the tunnel.
  • Page 217: Vpn Traffic Control

    FAQ: http://www.watchguard.com/support/advancedfaqs/general_slash.asp Click Add. Repeat step 5 if you must add additional networks. Click Submit. VPN Traffic Control The Firebox® X Edge e-Series includes a separate Traffic Control feature for IPSec branch office VPN tunnels. You can limit the rate of traffic sent through the IPSec interface using QoS (Quality of Service) through Traffic Control.
  • Page 218: Viewing Vpn Statistics

    Viewing VPN Statistics From the navigation bar, select VPN > Keep Alive. The VPN Keep Alive page appears. Type the IP address of an echo host. Click Add. Repeat step 3 to add additional echo hosts. Click Submit. Viewing VPN Statistics You can monitor Firebox®...
  • Page 219: How Do I Troubleshoot The Connection

    The number of VPN tunnels that you can create on your Firebox X Edge e-Series is set by the Edge model you have. You can purchase a model upgrade for your Edge to make more VPN tunnels. You can purchase a Firebox X Edge Model Upgrade from a reseller or from the WatchGuard® web site: http://www.watchguard.com/products/purchaseoptions.asp...
  • Page 220 Frequently Asked Questions Firebox X Edge e-Series...
  • Page 221: Mobile User Virtual Private Networks

    Mobile User Virtual Private Networks Mobile User VPN (MUVPN) lets remote users connect to your internal network through a secure, encrypted channel. The Firebox X Edge supports two types of mobile user VPN: IPSec Mobile User VPN The IPSec MUVPN client is an optional software application that is installed on a remote computer.
  • Page 222: Using Ipsec Muvpn

    (.wgx file). You must get this .wgx configuration file from the Edge. You also must download the MUVPN installation program from the WatchGuard® support site. See “Distributing the software and the .wgx file” on page 213 for information about how to get these items and how to give them securely to the remote user.
  • Page 223 You can choose to make the .wgx file read-only so that the user cannot change the security policy file. To do this, select the Make the MUVPN client security policy read-only check box. Set how the virtual adapter operates on the client (Disabled, Preferred, or Required). The remote MUVPN computers can use a virtual adapter to get network settings, an IP address, and WINS and DNS address assignments.
  • Page 224: Enabling Muvpn Access For A Firebox User Account

    Configuring IPSec Mobile User VPN names to IP addresses. The trusted interface of the Edge must have access to these servers. Type a DNS server and WINS server IP address in the text boxes near the bottom of the Mobile User page. Enabling MUVPN access for a Firebox user account Add a new Firebox user or edit a Firebox user, as described in “Using Local Firebox Authentication”...
  • Page 225: Distributing The Software And The .Wgx File

    Distributing the software and the .wgx file You must give the remote user the MUVPN software installer and the end-user profile, or .wgx file. Get the MUVPN installation files from the WatchGuard web site You must log in to the LiveSecurity® Service at software.
  • Page 226: Preparing Remote Computers For Ipsec Muvpn

    • No other IPSec VPN client software can be on the computer. Remove any other software from the user’s computer before you try to install the WatchGuard® MUVPN software. We recommend that you install the most current service packs for each operating system.
  • Page 227: Windows 2000 Setup

    If the MUVPN client does not use the virtual adapter, the remote computer must have your network’s private WINS and DNS server IP addresses listed in the Advanced TCP/IP Properties of the primary Internet connection. Windows 2000 setup Use this section to install and configure the network components for the Windows 2000 operating system.
  • Page 228: Windows Xp Setup

    Configuring IPSec Mobile User VPN Select the Client for Microsoft Networks network client and click OK. Configuring WINS and DNS settings on Windows 2000 The remote computer must be able to connect to the WINS and DNS servers. These servers are on the trusted network protected by Firebox X Edge e-Series.
  • Page 229 Installing the Internet Protocol (TCP/IP) Network Component on Windows From the connection window Networking tab: Click Install. The Select Network Component Type window appears. Double-click the Protocol network component. The Select Network Protocol window appears. Below the Microsoft manufacturer, select the Internet Protocol (TCP/IP) network protocol and click OK.
  • Page 230: Installing And Configuring The Ipsec Muvpn Client

    Installing the MUVPN client No other IPSec VPN client software can be active on the remote computer. Remove any other IPSec VPN software from the user’s computer before you install the WatchGuard® MUVPN software. Copy the MUVPN installation program and the .wgx file to the remote computer.
  • Page 231: Uninstalling The Muvpn Client

    The InstallShield wizard looks for a user profile. Use the Browse button to find and select the folder containing the .wgx file. Click Next. You can click Next at this step if you do not have the .wgx file at this time. You can import the .wgx file later.
  • Page 232: Connecting And Disconnecting The Ipsec Muvpn Client

    For information about the MUVPN icon, see “The MUVPN client icon” on page 220. From the Windows desktop, select Start > Programs > Mobile User VPN > Connect. The WatchGuard Mobile User Connect window appears. Click Yes. The MUVPN client icon The MUVPN icon appears in the Windows desktop system tray.
  • Page 233: Monitoring The Ipsec Muvpn Client Connection

    Activated, Connected, and Transmitting both Secured and Unsecured Data The IPSec MUVPN client started one or more secure MUVPN tunnels. The green and red bars on the right of the icon tell you that the client is sending either secure or not secure data. Allowing the MUVPN client through a personal firewall To create the IPSec MUVPN tunnel, you must allow these programs through the personal firewall: MuvpnConnect.exe...
  • Page 234: The Zonealarm Personal Firewall

    Configuring IPSec Mobile User VPN Using Connection Monitor Connection Monitor shows statistical and diagnostic information for connections in the security policy. This window shows the security policy settings and the security association (SA) information. The monitor records the information that appears in this window during the phase 1 IKE negotiations and the phase 2 IPSec negotiations.
  • Page 235: Allowing Traffic Through Zonealarm

    For more information about the features and configuration of ZoneAlarm, use the ZoneAlarm help system. To get access to the help system, select Start > Programs > Zone Labs > ZoneAlarm Help. Allowing traffic through ZoneAlarm When a software application tries to get access through the ZoneAlarm personal firewall, a New Program alert appears.
  • Page 236: Using Ipsec Muvpn On A Firebox X Edge E-Series Wireless Network

    Select the check box Require encrypted MUVPN connections for wireless clients. Click Submit. Troubleshooting Tips You can get more information about the IPSec MUVPN client from the WatchGuard® web site: http://www.watchguard.com/support This section includes the answers to some frequently asked questions about the IPSec MUVPN client: My computer hangs immediately after installing the IPSec MUVPN client.
  • Page 237 Right-click the ZoneAlarm icon shown at right. Select Shutdown ZoneAlarm. The ZoneAlarm dialog box appears. Click Yes. I am asked for my network login information even when I am not connected to the network. When you start your computer, you must type your Windows network user name, password, and domain.
  • Page 238: Configuring Pptp Mobile User Vpn

    Configuring PPTP Mobile User VPN I am sometimes prompted for a password when I am browsing the company network. Because of a Windows networking limitation, remote user VPN products can allow access only to a single network domain. If your company has more than one network connected together, you can browse only your own domain.
  • Page 239 To enable PPTP, select the Activate remote user VPN with PPTP check box. Select the Enable drop from 128-bit to 40-bit check box to allow the tunnels to drop from 128-bit to 40-bit encryption for connections that are less reliable. The Firebox X Edge always tries to use 128-bit encryption first.
  • Page 240: Enabling Pptp Access For Firewall Users

    Configuring PPTP Mobile User VPN Enabling PPTP access for firewall users When you enable PPTP on your Edge, you must make sure to enable PPTP access for each remote user who uses PPTP to connect to the Edge. To connect to the System Status page, type https:// in the browser address bar, and the IP address of the Firebox X Edge trusted interface.
  • Page 241 Click Virtual Private Network Connection. Click Next. Give the new connection a name, such as “Connect with RUVPN.” Click Next. Select to not dial (for a broadband connection), or to automatically dial (for a modem connection) this connection. Click Next. The wizard includes this screen if you use Windows XP SP2.
  • Page 242: Using Pptp And Accessing The Internet

    Configuring PPTP Mobile User VPN Type the user name and password for the connection and click Connect. The first time you connect you must select a Network Location. Select Public location. Creating and connecting a PPTP VPN from a Windows 2000 client To prepare a Windows 2000 remote host, you must configure the network connection.
  • Page 243: Firebox X Edge E-Series Hardware

    Appendix A Firebox X Edge e-Series Hardware The WatchGuard® Firebox® X Edge e-Series is a firewall for small organizations and branch offices. The Firebox X Edge e-Series product line includes: Firebox X Edge e-Series • Firebox X Edge e-Series Wireless •...
  • Page 244: Specifications

    Specifications The specifications for the Firebox® X Edge e-Series and the Firebox X Edge e-Series Wireless are: Processor: X Scale (ARM) 266 MHz; Memory (Flash): 64 MB; Memory (RAM): 128 MB; Ethernet interfaces: 6, each 10/100; Serial ports: 1 DB9; Power supply: 12V/1.2A; Operating temperature...
  • Page 245: Hardware Description

    Hardware Description The Firebox® X Edge e-Series has a simple hardware architecture. All indicator lights are on the front panel of the device, and all ports and connectors are on the rear panel. Front panel The front panel of the Firebox X Edge e-Series has 18 indicator lights to show link status. The top indicator light in each pair comes on when a link is made and flashes when traffic goes through the related interface.
  • Page 246: Rear View

    Hardware Description Status The status indicator shows a management connection to the Firebox X Edge e-Series. The light goes on when you use your browser to connect to the Firebox X Edge e-Series configuration pages. The light goes off a short time after you close your browser. Mode The mode indicator shows the status of the external network connection.
  • Page 247: Ac Power Adapter

    AC power adapter The AC power adapter supplies power for the Firebox X Edge e-Series. You must use the correct plug for the AC power adapter for the power source used in your country. The international plug kit includes four plugs: Q-NA (North America), Q-UK (United Kingdom), Q-EU (European Union), and Q-SAA (Asia).
  • Page 248: Signal Attenuation

    About the Firebox X Edge e-Series Wireless. radiation pattern similar to a sphere that is squashed in the center. If the antenna points up, the gain is largest in the horizontal direction and less in the vertical direction. Signal attenuation Signal attenuation refers to the loss of signal power.
  • Page 249: Legal Notifications

    Copyright© 1998 - 2007 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, Firebox, LiveSecurity, and any other mark listed as a trademark in the “Terms of Use” portion of the WatchGuard Web site that is used herein are either registered trademarks or trademarks of WatchGuard Technologies, Inc.
  • Page 250 Copyright, Trademark, and Patent Information Version 2, June 1991 Copyright © 1989, 1991 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor Boston, MA 02110-1301, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
  • Page 251 Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty;...
  • Page 252 Copyright, Trademark, and Patent Information received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable.
  • Page 253 If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
  • Page 254 Copyright, Trademark, and Patent Information Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. [This is the first released version of the library GPL. It is numbered 2 because it goes with version 2 of the ordinary GPL.] Preamble The licenses for most software are designed to take away your freedom to share and change it.
  • Page 255 Because of this blurred distinction, using the ordinary General Public License for libraries did not effectively promote software sharing, because most developers did not use the libraries. We concluded that weaker conditions might promote sharing better. However, unrestricted linking of non-free programs would deprive the users of those programs of all benefit from the free status of the libraries themselves.
  • Page 256 Copyright, Trademark, and Patent Information - You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change. - You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License.
  • Page 257 However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables.
  • Page 258 Copyright, Trademark, and Patent Information library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things: - Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities.
  • Page 259: Gnu Lesser General Public License

    The Free Software Foundation may publish revised and/or new versions of the Library General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number.
  • Page 260 Copyright, Trademark, and Patent Information Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users.
  • Page 261 allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the Lesser General Public License.
  • Page 262 Copyright, Trademark, and Patent Information - You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change. - You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License.
  • Page 263 However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables.
  • Page 264 Copyright, Trademark, and Patent Information It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other...
  • Page 265 If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
  • Page 266 3. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 4. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.
  • Page 267 spam, anti-virus and anti-phishing) are provisioned on the Commtouch® Detection Center... Commtouch's OEM partners using a single license key code. Most host applications come with their own license key and it is common for ctengine partners to their products. The Detection Center requires ctengine to pass the Commtouch license key in the connection string. If the host application has its own application license code, it is recommended that you concatenate this code (up to 35 alphanumeric characters) using colon delimiters.
  • Page 268 3. Redistributions in any form must be accompanied by information on how to obtain complete source code for the DB software and any accompanying software that uses the DB software. The source code must either be included in the distribution or be available for no more than the cost of distribution plus a nominal fee, and must be freely redistributable under reasonable conditions.
  • Page 269 3. Neither the name of The Internet Software Consortium nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE INTERNET SOFTWARE CONSORTIUM AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  • Page 270 The DNS resolver code, taken from BIND 4.9.5, is copyrighted both by UC Berkeley and by Digital Equipment Corporation. The DEC portions are under the following license: Portions Copyright © 1993 by Digital Equipment Corporation. Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies, and that the name of Digital Equipment Corporation not be used in advertising or publicity pertaining to distribution of the document or software without specific,...
  • Page 271 The file if_ppp.h is under the following CMU license: Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2.
  • Page 272 THIS SOFTWARE IS PROVIDED BY ITS AUTHORS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;...
  • Page 273 Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer in this position and unchanged.
  • Page 274 - Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimers in the documentation and/or other materials provided with the distribution. - Neither the names of Campus Information Technologies and Educational Services, University of Illinois at Urbana-Champaign, nor the names of its contributors may be used to endorse or promote products derived from this Software without specific prior written permission.
  • Page 275 Intel hereby grants Recipient and Licensees a non-exclusive, worldwide, royalty-free patent license under Licensed Patents to make, use, sell, offer to sell, import and otherwise transfer the Software, if any, in source code and object code form. This license shall include changes to the Software that are error corrections or other minor changes to the Software that do not add functionality or features when the Software is incorporated in any version of an operating system that has been distributed under the GNU General Public License 2.0 or later.
  • Page 276 JFFS2 is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. As a special exception, if other files instantiate templates or use macros or inline functions from these files, or you compile these files and link them with other works to produce a work based on these files, these files do not by themselves cause the resulting work to be covered by the GNU General Public License.
  • Page 277 NO WARRANTY THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NONINFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;...
  • Page 278 ncftp The Clarified Artistic License Preamble The intent of this document is to state the conditions under which a Package may be copied, such that the Copyright Holder maintains some semblance of artistic control over the development of the package, while giving the users of the package the right to use and distribute the Package in a more-or-less customary fashion, plus the right to make reasonable modifications.
  • Page 279 are the equivalent of input as in Paragraph 6, provided these subroutines do not change the language in any way that would cause it to fail the regression tests for the language. 8. Aggregation of the Standard Version of the Package with a commercial distribution is always permitted provided that the use of this Package is embedded;...
  • Page 280 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  • Page 281 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;...
  • Page 282 Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and distribute verbatim copies of this document is granted. openntpd This is a summary of the licences for the files that make up Portable OpenNTPD. Apart from the exceptions listed below, all of the files are under an ISC-style licence with the following copyright holders, first for the files from OpenBSD's ntpd: Henning Brauer, Alexander Guy.
  • Page 283: OpenSSL License

    Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2.
  • Page 284 Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.
  • Page 285 Cambridge, England. Phone: +44 1223 334714. Copyright © 1997-2005 University of Cambridge. All rights reserved. THE C++ WRAPPER FUNCTIONS Contributed by: Google Inc. Copyright © 2005, Google Inc. All rights reserved. THE "BSD" LICENCE Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  • Page 286 See the respective source files to find out which copyrights apply. Copyright © 2002 Roaring Penguin Software Inc. Permission to use, copy, modify, and distribute this software for any purpose and without fee is hereby granted, provided that this copyright and permission notice appear on all copies and supporting documentation, the name of Roaring Penguin Software Inc.
  • Page 287 Copyright © 1995 Eric Rosenquist. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2.
  • Page 288 4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  • Page 289 3. The names of the authors of this software must not be used to endorse or promote products derived from this software without prior written permission. 4. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by Pedro Roque Marques <pedro_m@yahoo.com>"...
  • Page 290 1.5. "Executable" means Covered Code in any form other than Source Code. 1.6. "Initial Developer" means the individual or entity identified as the Initial Developer in the Source Code notice required by Exhibit A. 1.7. "Larger Work" means a work which combines Covered Code or portions thereof with code not governed by the terms of this License.
  • Page 291 version remains available even if the Electronic Distribution Mechanism is maintained by a third party. You are responsible for notifying the Initial Developer of the Modification and the location of the Source if a contact means is provided. Red Hat will be acting as maintainer of the Source and may provide an Electronic Distribution mechanism for the Modification to be made available.
  • Page 292 5. APPLICATION OF THIS LICENSE This License applies to code to which the Initial Developer has attached the notice in Exhibit A, and to related Covered Code. Red Hat may include Covered Code in products without such additional products becoming subject to the terms of this License, and may license such additional products on different terms from those contained in this License.
  • Page 293 The Covered Code is a "commercial item," as that term is defined in 48 C.F.R. 2.101 (Oct. 1995), consisting of "commercial computer software" and "commercial computer software documentation," as such terms are used in 48 C.F.R. 12.212 (Sept. 1995).
  • Page 294 OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  • Page 295 Copyright © 1988,1990,1992 Dan Nydick, Carnegie-Mellon University. Anyone may use this code for non-commercial purposes as long as my name and copyright remain attached. viewlib Copyright 2003, 2004 Ian Searle. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  • Page 296: Certifications And Notices

    WEEE statutes, and that the recovery of our product per the specific EU country legislative requirements is seamless for our product’s end users. If you have a WatchGuard product that is at its end of life and needs to be disposed of, please contact WatchGuard Customer Care Department at: U.S.
  • Page 297 Connection to Party Line Service is subject to state tariffs. CE Notice The CE symbol on your WatchGuard Technologies equipment indicates that it is in compliance with the Electromagnetic Compatibility (EMC) directive and the Low Voltage Directive (LVD) of the European...
  • Page 298: Industry Canada

    Industry Canada This Class A digital apparatus meets all requirements of the Canadian Interference-Causing Equipment Regulations. CANADA RSS-210 The term "IC:"...
  • Page 299 Class A Korean Notice VCCI Notice Class A ITE Taiwanese Class A Notice Taiwanese Wireless Notice...
  • Page 300: Declaration Of Conformity

    WatchGuard Technologies, Inc. ("WatchGuard") and you agree as set forth below or on the reverse side of this card, as applicable: 1.
  • Page 301 Limited Hardware Warranty This warranty does not apply to any Product that has been: (i) altered, repaired or modified by any party other than WatchGuard except for the replacement or inclusion of specified components authorized in and performed in strict accordance with documentation provided by WatchGuard;...
  • Page 303 Index Symbols .wgx files described distributing viewing available Numerics 1-to-1 NAT. See NAT, 1-to-1 abbreviations used in guide Active Directory authentication Add Gateway page Add Route page Add Traffic Control dialog box Administration page Administrative Access levels administrator account Aggressive Mode Allow access to the External Network check box Allow access to VPN check box Allowed Sites pages...
  • Page 304 DHCP address reservations setting on the optional network setting on the trusted network DHCP Address Reservations page DHCP leases used by Edge, viewing DHCP relay configuring the optional network configuring the trusted network DHCP server configuring Firebox as Diffie-Hellman groups Digital Subscriber Line (DSL) Distributed DoS prevention feature and WAN Failover...
  • Page 305 enabling filtering content setting limits Gateway AntiVirus and FTP proxy and HTTP proxy configuring described settings for updating with POP3 proxy with SMTP proxy gateway, default GAV/IPS page GAV/IPS Update page hardware description – hardware information hardware specifications hosts, trusted HTTP proxy and deny messages and Gateway AV...
  • Page 306 management server, allowing traffic from Manual VPN page manual VPNs. See VPNs, manual MIBs, using model upgrades – monitoring the Edge MUVPN client allowing through personal firewall – configuring connecting described disconnecting – icon for installing – monitoring preparing remote computers for –...
  • Page 307 configuring described enabling filtering email content setting access control options setting proxy limits pop-up blockers ports blocking described numbered numbering trusted network power adapter power cable clip power input PPPoE advanced settings for described settings for PPTP mobile user VPN –...
  • Page 308 making removing Submit A Site page subnet mask SurfControl syslog host, logging to Syslog Logging page syslog, described system configuration pages. See configuration pages System Status page described information on navigation bar refreshing System Time page system time, setting TCP (Transmission Control Protocol) TCP/IP described –...
  • Page 309 WAN Failover and DNS configuring configuring advanced settings for described WAN Failover page WAN ports WatchGuard Firebox System (WFS), enabling remote management with WatchGuard Logging page WatchGuard Security Event Processor WatchGuard System Manager enabling centralized management with setting up access to...