Watchguard Firebox SOHO 6 User Manual

WatchGuard® Firebox® SOHO 6

User Guide

SOHO 6 - firmware version 6.3


Summary of Contents for Watchguard Firebox SOHO 6

  • Page 1: User Guide

    WatchGuard® Firebox® SOHO 6 User Guide SOHO 6 - firmware version 6.3...
  • Page 2 • This appliance must accept any interference received, including interference that may cause undesired operation. CE Notice The CE symbol on your WatchGuard Technologies equipment indicates that it is in compliance with the Electromagnetic Compatibility (EMC) directive and the Low Voltage Directive (LVD) of the European Union (EU).
  • Page 3 VCCI Notice Class A ITE
  • Page 4 Declaration of Conformity
  • Page 5 WatchGuard Technologies, Inc. ("WATCHGUARD") for the WATCHGUARD SOHO software product, which includes computer software (whether installed separately on a computer workstation or on the WatchGuard hardware product) and may include associated media, printed materials, and on-line or electronic documentation, and any updates or modifications thereto, including those received through the WatchGuard LiveSecurity service (or its equivalent) (the "SOFTWARE PRODUCT").
  • Page 6 4. Limited Warranty. WATCHGUARD makes the following limited warranties for a period of ninety (90) days from the date you obtained the SOFTWARE PRODUCT from WATCHGUARD or an authorized dealer; (A) Media. The disks and documentation will be free from defects in materials and workmanship under normal use.
  • Page 7 NO EVENT EXCEED THE PURCHASE PRICE PAID BY YOU FOR SUCH PRODUCT. THIS WILL BE TRUE EVEN IN THE EVENT OF THE FAILURE OF AN AGREED REMEDY. IN NO EVENT WILL WATCHGUARD BE LIABLE TO YOU OR ANY THIRD PARTY, WHETHER ARISING IN CONTRACT (INCLUDING WARRANTY), TORT...
  • Page 8 EULA, destroy all copies of the SOFTWARE PRODUCT in your possession, or voluntarily return the SOFTWARE PRODUCT to WATCHGUARD. Upon termination you will destroy all copies of the SOFTWARE PRODUCT and documentation remaining in your control or possession.
  • Page 9 AppLock®, AppLock®/Web, Designing peace of mind®, Firebox®, Firebox® 1000, Firebox® 2500, Firebox® 4500, Firebox® II, Firebox® II Plus, Firebox® II FastVPN, Firebox® III, Firebox® SOHO, Firebox® SOHO 6, Firebox® SOHO 6tc, Firebox® SOHO|tc, Firebox® V100, Firebox® V80, Firebox® V60, Firebox® V10, LiveSecurity®, LockSolid®, RapidStream®, RapidCore®, ServerLock®, WatchGuard®, WatchGuard®...
  • Page 10 (online or textual) provided with the package. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
  • Page 11 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)"...
  • Page 12 For written permission, please contact apache@apache.org. 5. Products derived from this software may not be called "Apache", nor may "Apache" appear in their name, without prior written permission of the Apache Software Foundation.
  • Page 13 THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;...
  • Page 14 MUVPN: Mobile User Virtual Private Network; NAT: Network Address Translation; PPP: Point-to-Point Protocol; PPPoE: Point-to-Point Protocol over Ethernet; TCP: Transfer Control Protocol; UDP: User Datagram Protocol; URL: Universal Resource Locator; VPN: Virtual Private Network; WAN: Wide Area Network; WSEP: WatchGuard Security Event Processor
  • Page 15: Table Of Contents

    Package Contents How a Firewall Works How Information Travels on the Internet IP addresses Protocols Port numbers How the SOHO 6 Processes Information Services Network Address Translation (NAT) SOHO 6 Hardware Description SOHO 6 front and rear views Hardware operating specifications...
  • Page 16 Disabling the HTTP proxy setting of your Web browser Enabling your computer for DHCP Physically Connecting to the SOHO 6 Cabling the SOHO 6 for one to four appliances Cabling the SOHO 6 for more than four appliances SOHO 6 Basics CHAPTER 3 SOHO 6 System Status Page Factory Default Settings ...
  • Page 17 The System Security Page System security SOHO 6 Remote Management Setting up VPN Manager Access Updating the Firmware Activating the SOHO 6 Upgrade Options Viewing the Configuration File Configure the Firewall Settings CHAPTER 6 Firewall Settings Configuring Incoming and Outgoing Services...
  • Page 18 WebBlocker Categories VPN—Virtual Private Networking CHAPTER 9 Why Create a Virtual Private Network? What You Need Enabling the VPN upgrade Setting Up Multiple SOHO 6 to SOHO 6 VPN Tunnels...
  • Page 19 Creating a VPN Tunnel to a SOHO 6 with an IPSec-Compliant Appliance Special considerations Configuring Split Tunneling Using MUVPN Clients Viewing the VPN Statistics Frequently Asked Questions Why do I need a static external address? How do I get a static external IP address?
  • Page 21 Network Configuring the Optional Network Using VPNforce and the MUVPN Client Upgrades to Enforce Your Corporate Policy Configuring the SOHO 6 Configuring the MUVPN client Defining the Security Policy settings Defining the My Identity settings Defining Phase 1 and Phase 2 settings...
  • Page 23: Chapter 1 Introduction

    Introduction CHAPTER 1 The purpose of this guide is to help users of the WatchGuard® Firebox® SOHO 6 and Firebox® SOHO 6tc set up and configure these appliances for secure access to the Internet.
  • Page 24 In this guide, the name SOHO 6 refers to both the SOHO 6 and the SOHO 6tc. The only difference between these two appliances is the VPN feature. VPN is available as an upgrade option for the SOHO 6. The SOHO 6tc includes the VPN upgrade option.
  • Page 25: Package Contents

    A firewall divides your internal network from the Internet to reduce this danger. The appliances on the trusted side of your SOHO 6 firewall are protected. The illustration below shows how the SOHO 6 physically divides your trusted network from the Internet.
  • Page 26: How Information Travels On The Internet

    The SOHO 6 controls all traffic between the external network (the Internet) and the trusted network (your computers). All suspicious traffic is stopped. The rules and policies that identify the suspicious traffic are shown in “Configuring Incoming and Outgoing Services”...
  • Page 27: Ip Addresses

    An IP address identifies a computer on the Internet that sends and receives packets. Each computer on the Internet has an address. The SOHO 6 is also a computer and has an IP address. When you configure a service behind a firewall, you must include the trusted network IP address for the computer that supplies the service.
  • Page 28: How The Soho 6 Processes Information

    Internet contains IP address information. Packets sent through the SOHO 6 with dynamic NAT include only the public IP address of the SOHO 6 and not the private IP address of the computer in the trusted network. Because only the IP address of the SOHO 6 is...
  • Page 29: Soho 6 Front And Rear Views

    0 through 3, OPT and WAN. SOHO 6 front and rear views There are 14 indicator lights on the front panel of the SOHO 6. The illustration below shows the front view. PWR is lit while the SOHO 6 is connected to a power supply.
  • Page 30 Mode is lit while there is a connection to the Internet. There are six Ethernet ports, a reset button, and a power input on the rear of the SOHO 6. The picture below shows the rear view. OPT port The OPT port is for the optional network interface. This interface is activated when you purchase the Dual ISP Port upgrade or the VPNforce™...
  • Page 31: Hardware Operating Specifications

    RESET button Push the reset button to reset the SOHO 6 to the factory default configuration. See “Resetting the SOHO 6 to the factory default settings” on page 26 for more information about this procedure. WAN port The WAN port is for the external network interface.
  • Page 33: Chapter 2 Installation

    • Disable the HTTP proxy setting of your Web browser. • Enable your computer for DHCP. • Make a physical connection between the SOHO 6 and your network. See the SOHO 6 QuickStart Guide included with the SOHO 6 for a summary of this information.
  • Page 34: Before You Begin

    Make sure that the cables are of sufficient length to connect the modem or router to the SOHO 6 and the SOHO 6 to your computer. • The method of network address assignment used by your ISP.
  • Page 35 Microsoft Windows 2000 and Windows XP Select Start => Programs => Accessories => Command Prompt. At the prompt, type Record the TCP/IP settings in the table provided. Click Cancel. Microsoft Windows NT Select Start => Programs => Command Prompt. At the prompt, type Record the TCP/IP settings in the table provided.
  • Page 36: Disabling The Http Proxy Setting Of Your Web Browser

    Disabling the HTTP proxy setting of your Web browser To configure a SOHO 6, you must access the configuration pages in the SOHO 6 with your browser. If the HTTP proxy setting in your browser is enabled, you cannot open these pages to complete the configuration procedure.
  • Page 37 The following instructions show how to disable the HTTP proxy setting in three browser applications. If a different browser is used, use the help menus of the browser program to find the necessary information. Netscape 4.7 Open Netscape. Select Edit => Preferences. The Preferences window appears.
  • Page 38: Enabling Your Computer For Dhcp

    Clear all of the checkboxes. Click OK. Enabling your computer for DHCP To open the configuration pages for the SOHO 6, configure your computer to receive its IP address through DHCP. See “Network addressing” on page 31 for more information about network addressing and DHCP.
  • Page 39 Click Properties. The network connection properties dialog box appears. Double-click the Internet Protocol (TCP/IP) component. The Internet Protocol (TCP/IP) Properties dialog box appears.
  • Page 40: Physically Connecting To The Soho 6

    Click Close to close the network connection dialog box. Close the Control Panel window. Physically Connecting to the SOHO 6 The SOHO 6 protects one computer or a multi-computer network. The SOHO 6 also functions as a hub to connect other appliances.
  • Page 41: Cabling The Soho 6 For One To Four Appliances

    A maximum of four computers, printers, scanners, or other network peripherals can connect directly to the SOHO 6. These connections use the four numbered Ethernet ports (labeled 0-3). To connect a maximum of four appliances, use the SOHO 6 as a network hub. Shut down your computer.
  • Page 42: Cabling The Soho 6 For More Than Four Appliances

    The indicator lights flash and then stop. The modem is ready for use. Attach the AC adapter to the SOHO 6. Connect the AC adapter to a power source. Restart the computer.
  • Page 43 Internet at the same time. There can be more than ten appliances on the trusted network, but the SOHO 6 will only allow ten Internet connections. A seat is in use when an appliance connects to the Internet and is free when the connection is broken.
  • Page 44 The indicator lights flash and then stop. The modem is ready for use. Attach the AC adapter to the SOHO 6. Connect the AC adapter to a power supply. Restart your computer.
  • Page 45: Chapter 3 Soho 6 Basics

    SOHO 6 Basics CHAPTER 3 The configuration of the SOHO 6 is made through Web pages contained in the software of the SOHO 6. You can connect to these configuration pages with your Web browser. SOHO 6 System Status Page Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6.
  • Page 46 The System Status page is the main configuration page of the SOHO 6. A display of information about the SOHO 6 configuration is shown. This information includes the following: • The firmware version • The serial number of the appliance •...
  • Page 47: Factory Default Settings

    • Configuration information for firewall settings (incoming services and outgoing services) • A reboot button to restart the SOHO 6 If the external network is configured to use the PPPoE protocol, the System Status page displays a connect button or a disconnect button. Use these buttons to start or terminate the PPPoE connection.
  • Page 48: Resetting The Soho 6 To The Factory Default Settings

    Resetting the SOHO 6 to the factory default settings Reset the SOHO 6 to the factory default settings if it is not possible to correct a configuration problem. A reset to the factory default settings is required if the system security passphrase is unknown or the firmware of the SOHO 6 is damaged by a power interruption.
  • Page 49: The Base Model Soho 6

    Service is required to get the license keys for the upgrades that you purchase. You must have the serial number of your SOHO 6 to register. The SOHO 6 serial number is located on the bottom of the appliance. Record the serial number in the table below:...
  • Page 50: Rebooting The Soho 6

    Password: Keep this information confidential. Rebooting the SOHO 6 To reboot a SOHO 6 located on the local network, use one of these methods: The SOHO 6 requires 30 seconds to reboot. The Mode indicator on the front of the SOHO 6 will go off and then come on.
  • Page 51 Click Reboot. Disconnect and reconnect the power supply. To reboot a SOHO 6 located on a remote system, use one of these methods: The remote SOHO 6 must be configured to allow incoming HTTP (Web) or FTP traffic from the Internet. See “Configuring Incoming and Outgoing Services”...
  • Page 53: Chapter 4 Configure The Network Interfaces

    External Network Configuration When you configure the external network, you select the method of communication between the SOHO 6 and the ISP. Make this selection based on the method of network address distribution in use by your ISP. The possible methods are static addressing, DHCP, or PPPoE.
  • Page 54: Configuring The Soho 6 External Network For Dynamic Addressing

    This system allows the ISP to use the billing, authentication, and security systems designed for dial-up, DSL modem, and cable modem service. When the SOHO 6 is configured to use PPPoE, a button on the System Status page controls the connection to the external network.
  • Page 55 ISP to communicate with the SOHO 6 and not your computer. Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6. The default IP address is: http://192.168.111.1 From the navigation bar at left, select Network =>...
  • Page 56: Configuring The Soho 6 External Network For Pppoe

    SOHO 6. Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6. The default IP address is: http://192.168.111.1 From the navigation bar at left, select Network =>...
  • Page 57: Setting The Soho 6 External Network Link Speed

    Select the Automatically restore lost connections checkbox. This option keeps a constant flow of traffic between the SOHO 6 and the PPPoE server. This option allows the SOHO 6 to keep the PPPoE connection open during a period of frequent packet loss. If the flow of traffic stops, the SOHO 6 reboots.
  • Page 58: Configuring The Trusted Network

    Click Submit. Configuring the Trusted Network The DHCP Server option sets the SOHO 6 to assign IP addresses to the computers on the trusted network. The SOHO 6 uses DHCP to make the assignments. When the SOHO 6 receives a request from a new computer on the trusted network, the SOHO 6 assigns the computer an IP address.
  • Page 59 Type the IP address and the subnet mask in the applicable fields. Select the Enable DHCP Server on the Trusted Network checkbox. Type the first IP address that is available for the computers that connect to the trusted network in the applicable fields. Type the WINS Server address, DNS Server primary address, DNS Server secondary address, and DNS Domain server suffix in the applicable fields.
  • Page 60: Configuring Additional Computers On The Trusted Network

    10 Reboot the SOHO 6. The SOHO 6 will send all DHCP requests to the specified, remote DHCP server and relay the resulting IP addresses to the computers connected to the trusted network. If the SOHO 6 is unable to...
  • Page 61: Configuring The Trusted Network With Static Addresses

    Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6. The default IP address is: http://192.168.111.1 From the navigation bar at left, select Network =>...
  • Page 62 From the Type drop-down list, select either Host or Network. Type the IP address and the gateway of the route in the applicable fields. The gateway of the route is the local interface of the router.
  • Page 63: Viewing Network Statistics

    Follow these instructions to access the Network Statistics page: Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6. The default IP address is: http://192.168.111.1 From the navigation bar at left, select Network =>...
  • Page 64: Configuring The Dynamic Dns Service

    IP address. Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6. The default IP address is: http://192.168.111.1 WatchGuard is not affiliated with dyndns.org.
  • Page 65: Configuring The Opt Port Upgrades

    The SOHO 6 receives the IP address of members.dyndns.org when it connects to the time server. Click Submit. Configuring the OPT Port Upgrades The optional (OPT) port of the SOHO 6 supports two upgrades: • Dual ISP Port upgrade • VPNforce Port upgrade To upgrade the SOHO 6, purchase an additional license and activate the new upgrade option.
  • Page 66 • If the external port (EXT) and optional port (OPT) connections fail, the SOHO 6 tries both ports until a connection is made. When the optional port (OPT) is in use, the SOHO 6 does not switch back to the external port (EXT) unless PPPoE is used to assign IP addresses.
  • Page 67 DSL modem, a cable modem, or a hub. Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6. The default IP address is: http://192.168.111.1 From the navigation bar at left, select Network =>...
  • Page 68: Configuring The Vpnforce™ Port

    Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6. The default IP address is: http://192.168.111.1 From the navigation bar at left, select Network =>...
  • Page 69 To enable VPNforce, select the Enable Optional Network checkbox. Type the IP address, DHCP Server, and DHCP Relay for the optional interface in the applicable fields. This is the same process for configuring the trusted network. See “Configuring the Trusted Network” on page 36 for additional instructions about these fields.
  • Page 70 Click Submit.
  • Page 71: Chapter 5 Administrative Options

    SOHO 6. The System Security, SOHO 6 Remote Management feature, and VPN Manager Access are configured from the Administration page. The firmware updates, upgrade activation, and display of the SOHO 6 configuration file in a text format are done from the Administration page. The System Security Page The System Security page contains the settings that control access to the configuration of the SOHO 6.
  • Page 72: System Security

    Follow these instructions to enable system security: Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6. The default IP address is: http://192.168.111.1 From the navigation bar at left, select Administration =>...
  • Page 73: Soho 6 Remote Management

    Click Submit. SOHO 6 Remote Management Both the SOHO 6 and SOHO 6tc include the SOHO 6 Remote Management feature. This feature allows a remote computer on an unsecured network to manage the SOHO 6 with a secure connection.
  • Page 74 Here is another example of how the Remote Management feature can be used. Use a Pocket PC to connect to the SOHO 6 through the Internet. The Pocket PC client software creates an encrypted tunnel to the SOHO 6. The remote computer can now access the configuration pages of the SOHO 6 without compromising security. “System security”...
  • Page 75: Setting Up Vpn Manager Access

    11 Right-click the icon and select Connect. The WatchGuard Mobile User Connect window appears. 12 Click Yes. 13 Type the IP address of the SOHO 6 external network in your browser window to connect to the System Status page. Setting up VPN Manager Access...
  • Page 76 Type the configuration passphrase and then type it again to confirm in the applicable fields. These passphrases must match the passphrases used in the VPN Manager software or the connection will fail. Click Submit.
  • Page 77: Updating The Firmware

    Administration => Update. The Update page opens. If you configure your SOHO 6 from a computer that does not use the Windows operating system, such as Macintosh or Linux, you must update your firmware with this procedure. The WatchGuard installation programs supplied on CD-ROM are compatible only with Windows platforms.
  • Page 78: Activating The Soho 6 Upgrade Options

    Copy the feature key from the LiveSecurity Service Web site. Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6. The default IP address is: http://192.168.111.1
  • Page 79 The Dual ISP Port upgrade adds redundant support for the external interface. VPNforce Port The VPNforce Port upgrade activates the SOHO 6 optional port (OPT) for connection to a second network on the trusted side. This option extends the protection of the...
  • Page 80: Viewing The Configuration File

    Follow the instructions on the Web site. Viewing the Configuration File The contents of the SOHO 6 configuration file are available in text format from the View Configuration File page. Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6.
  • Page 81 From the navigation bar at left, select Administration => View Configuration File. The View Configuration File page opens.
  • Page 83: Chapter 6 Configure The Firewall Settings

    CHAPTER 6 Firewall Settings Firewall Settings The configuration settings of the SOHO 6 control the flow of traffic between the trusted network and the external network. The configuration you select depends on the types of risks that are acceptable for the trusted network.
  • Page 84: Configuring Incoming And Outgoing Services

    Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6. The default IP address is: http://192.168.111.1 From the navigation bar at left, select Firewall =>...
  • Page 85: Creating A Custom Service

    Locate a pre-configured service, such as FTP, Web, or Telnet. Then select either Allow or Deny from the drop-down list. The previous illustration shows the HTTP service configured to allow incoming traffic. Type the trusted network IP address of the computer to which this rule applies in the applicable field.
  • Page 86 Follow these steps to configure a custom service: Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6. The default IP address is: http://192.168.111.1 From the navigation bar at left, select Firewall =>...
  • Page 87: Blocking External Sites

    11 Click Submit. Blocking External Sites The default configuration of the SOHO 6: • Allows the transmission of all packets from the trusted network to the external network • Prevents the transmission of all packets from the external...
  • Page 88 Type a single host IP address, a network IP address, or the start and end of a range of host IP addresses in the applicable address field. Click Add. The address information appears in the Blocked Sites field. Click Submit.
  • Page 89: Firewall Options

    The Firewall Options page opens. Responding to ping requests from the external network You can configure the SOHO 6 to deny all ping packets received on the external interface. Select the Do not respond to PING requests received on External Network checkbox.
  • Page 90: Denying Ftp Access To The Trusted Network Interface

    Click Submit. Denying FTP access to the trusted network interface You can configure the SOHO 6 to prevent FTP access to the computers on the trusted network by the computers on the external network. Select the Do not allow FTP access to Trusted Network checkbox.
  • Page 91 • If there is a selection of protocols or SOCKS versions, select SOCKS version 5. • Select port 1080. • Set the SOCKS proxy to the URL or IP address of the SOHO 6. The default IP address is: http://192.168.111.1. Disabling SOCKS on the SOHO 6 After a SOCKS-compatible application has connected through the SOHO 6, the SOCKS port stays open.
  • Page 92: Logging All Allowed Outbound Traffic

    When in the default configuration, the SOHO 6 only records unusual events. For example, all denied traffic is recorded in the log file. You can change the configuration of the SOHO 6 to record all outbound traffic events. This option records a large number of log entries. WatchGuard recommends that you use this option as a problem-solving aid only.
  • Page 93: Creating An Unrestricted Pass Through

    Click Submit. If the MAC address for the external network field is cleared and the SOHO 6 is rebooted, the SOHO 6 is reset to the factory-default MAC address for the external network. To prevent MAC address collisions, the SOHO 6 searches the external network periodically for the override MAC address.
  • Page 94 Ethernet segment as the trusted network. Do not use a pass through connection unless the effect of the pass through connection on the security of the trusted network is known.
  • Page 95: Chapter 7 Configure Logging

    A sequence of denied packets can show that an unauthorized person tried to access your network. The records in the SOHO 6 log are erased if the power supply is disconnected.
  • Page 96: Viewing Soho 6 Log Messages

    Viewing SOHO 6 Log Messages The SOHO 6 event log records a maximum of 150 log messages. If a new entry is added when the event log is full, the oldest log message is removed. The log messages include the time synchronizations between the...
  • Page 97: Setting Up Logging To A Watchguard Security Event Processor Log Host

    WSEP. Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6. The default IP address is: http://192.168.111.1 From the navigation bar at left, select Logging =>...
  • Page 98 Select the Enable WatchGuard Security Event Processor Logging checkbox. Type the IP address of the WSEP server that is your log host in the applicable field. Type a passphrase in the Log Encryption Key field and confirm the passphrase in the Confirm Key field.
  • Page 99: Setting Up Logging To A Syslog Host

    Setting up Logging to a Syslog Host This option sends the SOHO 6 log entries to a Syslog host. Follow these steps to configure a Syslog Host: Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6.
  • Page 100: Setting The System Time

    Setting the System Time The SOHO 6 records the time of each log entry. The time recorded in the log entries is from the SOHO 6 system clock. Follow these steps to set the system time: Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6.
  • Page 101 Select a time zone from the drop-down list. Select the Adjust for daylight savings time checkbox. Click Submit.
  • Page 103: Chapter 8 Soho 6 Webblocker

    WebBlocker checks each Web site request by users in the trusted network. The SOHO 6 sends to the database a request for the type of content found on the Web site. The SOHO 6 uses the rules...
  • Page 104: Bypassing The Soho 6 Webblocker

    Web site in the WebBlocker database If the site is in the WatchGuard WebBlocker database, the SOHO 6 examines the configuration to see if that type of site is permitted. When the type of site is not permitted, the user is told that the site is not available. If the type of site is permitted, the Web browser opens the page.
  • Page 105: Purchasing And Activating The Soho 6 Webblocker

    • Require that your Web users authenticate Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6. The default IP address is: http://192.168.111.1 From the navigation bar at left, select WebBlocker =>...
  • Page 106 Follow these instructions to create WebBlocker groups: Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6. The default IP address is: http://192.168.111.1 From the navigation bar at left, select WebBlocker =>...
  • Page 107 Click New to create a group name and profile.
  • Page 108 Define a Group Name and select the types of content to filter for this group. Click Submit. A New Groups page opens that shows the configuration changes. To the right of the Users field, click New.
  • Page 109: Webblocker Categories

    Use the Group drop-down list to assign the new user to a given group. Click Submit. To remove a user or group, make a selection and click Delete. WebBlocker Categories The WebBlocker database contains the following 14 categories: A Web site is only added to a category if the contents of the Web site advocate the subject matter of the category.
  • Page 110 online sports, or financial betting, including non-monetary dares. Militant/extremist: Pictures or text advocating extremely aggressive or combative behavior or advocacy of unlawful political measures. Topic includes groups that advocate violence as a means to achieve their goals. It also includes pages devoted to “how to”...
  • Page 111 Gross Depictions: Pictures or text describing anyone or anything that is either crudely vulgar, grossly deficient in civility or behavior, or shows scatological impropriety. Topic includes depictions of maiming, bloody figures, and indecent depiction of bodily functions. Violence/profanity: Pictures or text exposing extreme cruelty or profanity. Cruelty is defined as: physical or emotional acts against any animal or person that are primarily intended to hurt or inflict pain.
  • Page 112 Sexual Acts: Pictures or text exposing anyone or anything involved in explicit sexual acts and/or lewd and lascivious behavior. Topic includes masturbation, copulation, pedophilia, as well as intimacy involving nude or partially nude people in heterosexual, bisexual, lesbian, or homosexual encounters.
  • Page 113: Chapter 9 Vpn-Virtual Private Networking

    VPN connection. A VPN tunnel gives the security necessary to use the public Internet for a virtual private connection. What You Need • A SOHO 6 with the VPN upgrade option installed and another IPSec-compatible appliance.
  • Page 114 IPSec-compatible appliances include the Firebox SOHO 6, the Firebox II/III, and the Firebox Vclass. • The data from your ISP about the Internet connections for each of the two IPSec-compatible appliances: - IP address - Primary DNS IP address (optional)
  • Page 115 255.255.255.0 Local Network Address: An address used to identify a local network. A local network address cannot be used as an external IP address. WatchGuard recommends that you use an address from one of the reserved ranges: 10.0.0.0/8 172.16.0.0/12—255.240.0.0 192.168.0.0/16—255.255.0.0 Site A: 192.168.111.0/24...
  • Page 116: Enabling The Vpn Upgrade

    SHA1) Enabling the VPN upgrade To activate an upgrade option, you must enter a license key in the configuration of the SOHO 6. To receive a license key, purchase and activate an upgrade option at the LiveSecurity Service Web site.
  • Page 117: Setting Up Multiple Soho 6 To Soho 6 Vpn Tunnels

    Setting Up Multiple SOHO 6 to SOHO 6 VPN Tunnels An administrator of a SOHO 6 can configure a maximum of six VPN tunnels to other SOHO 6 devices. The VPN Manager software can configure a larger number of SOHO 6 to SOHO 6 tunnels.
  • Page 118 To modify Phase 1 settings, complete the following steps: The Phase 1 settings must be the same on both appliances. Select the negotiation Mode for Phase 1 from the drop-down list. The mode selections are Main and Aggressive. If the...
  • Page 119 12 Select the Generate IKE Keep Alive Messages checkbox to keep the VPN tunnel open when there is no communication. Short packets are sent across the VPN tunnel at regular...
  • Page 120 intervals to maintain the connection. If the tunnel connection closes, the SOHO 6 does a rekey to open the tunnel again. The Generate IKE Keep Alive Messages checkbox is selected in the default configuration. Use the default Phase 2 settings, or change the Phase 2 settings as shown below: Make sure that the Phase 2 settings are the same on both appliances.
  • Page 121: Creating A Vpn Tunnel To A Soho 6 With An Ipsec-Compliant Appliance

    Creating a VPN Tunnel to a SOHO 6 with an IPSec-Compliant Appliance Instructions that tell how to configure a VPN tunnel between a SOHO 6 and another IPSec-compatible appliance are available from the WatchGuard Web site: https://www.watchguard.com/support/AdvancedFaqs/sointerop_main.asp...
  • Page 122: Configuring Split Tunneling

    The Add Gateway page opens. Configure the gateway. See “Setting Up Multiple SOHO 6 to SOHO 6 VPN Tunnels” on page 95 for information about the Add Gateway page. Type the network IP address of the local network and remote networks in the applicable fields.
  • Page 123: Viewing The Vpn Statistics

    VPN tunnels to the local SOHO 6. If you purchase the VPNforce Port upgrade, you also receive one MUVPN connection to the optional network. Additional VPNforce Port user licenses can be purchased.
  • Page 124: How Do I Get A Static External Ip Address

    From Site A, ping 192.168.111.1. If the VPN tunnel functions correctly, the remote SOHO 6 sends the ping back. If the ping does not come back, make sure the local settings are correct. Make sure that the local DHCP address ranges for the two networks connected by the VPN tunnel do not use any of the same IP addresses.
  • Page 125: How Do I Obtain A Vpn Upgrade License Key

    You can purchase a license key for an upgrade from the WatchGuard Web site: http://www.watchguard.com/sales/buyonline.asp How do I enable a VPN tunnel? The instructions to help you enable a VPN tunnel are available from the WatchGuard Web site: https://support.watchguard.com/AdvancedFaqs/sointerop_main.asp
  • Page 127: Chapter 10 Muvpn Clients

    Then a connection to the Internet is established on the remote computer. The user starts the MUVPN client, which creates an encrypted tunnel to the SOHO 6. The SOHO 6 connects the user to the trusted network. The employee now has remote access to the internal network and does not compromise the security of the network.
  • Page 128: Configuring The Soho 6 For Muvpn Clients

    Follow these steps to configure your SOHO 6 for MUVPN clients: Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6. The default trusted IP address is 192.168.111.1 From the navigation bar at left, select VPN =>...
  • Page 129 The options are MD5-HMAC and SHA1-HMAC. From the Encryption Algorithm drop-down list, select the type of encryption. The options are DES-CBC and 3DES-CBC. Select Mobile User from the VPN Client Type drop-down list. Click Submit.
  • Page 130: Preparing The Remote Computers To Use The Muvpn Client

    WINS servers and the DNS servers. These servers are located on the trusted network that is protected by the SOHO 6. To communicate with these servers, the remote computer must have the proper Windows components installed and configured.
  • Page 131: Windows 98/Me Operating System Setup

    You cannot use the MUVPN virtual adapter. Make sure this is disabled. Windows 98/ME operating system setup This section describes how to install and configure the network components that are required for the Windows 98/ME operating system.
  • Page 132 VPN Adapter can be installed. If Dial-up Networking is not installed, follow these steps. From the Windows desktop: Select Start => Settings => Control Panel. Double-click the Add/Remove Programs icon. The Add/Remove Properties window appears.
  • Page 133 The remote computer must be able to communicate with the WINS servers and the DNS servers. These servers are located on the trusted network that is protected by the SOHO 6. From the Windows desktop: Select Start => Settings => Control Panel.
  • Page 134: Windows Nt Operating System Setup

    The DNS server on the private network behind the SOHO 6 must be the first server in the list. Click the WINS Configuration tab and then select the Enable WINS Resolution checkbox. Type the IP address of the WINS server in the WINS Server Search Order text field and then click Add.
  • Page 135 The remote computer must be able to communicate with the WINS servers and the DNS servers. These servers are located on the trusted network that is protected by the SOHO 6. From the Windows desktop: Select Start => Settings => Control Panel.
  • Page 136: Windows 2000 Operating System Setup

    Enter the IP address of your DNS server in the applicable field. To add additional DNS servers, repeat steps 5 and 6. The DNS server on the private network behind the SOHO 6 must be the first server in the list.
  • Page 137 - File and Printer Sharing for Microsoft Networks - Client for Microsoft Networks Installing the Internet Protocol (TCP/IP) network component From the connection window, Networking tab: Click Install. The Select Network Component Type window appears. Double-click the Protocol network component.
  • Page 138 Add. To add additional DNS servers, repeat steps 3 and 4. The DNS server on the private network behind the SOHO 6 must be the first server in the list. Select the Append these DNS suffixes (in order) checkbox and then click Add.
  • Page 139: Windows Xp Operating System Setup

    Click OK to close the Advanced TCP/IP Settings window, click OK to close the Internet Protocol (TCP/IP) Properties window, and then click OK. 10 Click Cancel to close the connection window. Windows XP operating system setup This section describes how to install and configure the network components that are required for the Windows XP operating...
  • Page 140 The remote computer must be able to communicate with the WINS servers and the DNS servers. These servers are located on the trusted network that is protected by the SOHO 6. From the connection window, Networking tab: Select the Internet Protocol (TCP/IP) component.
  • Page 141 Add. To add additional DNS servers, repeat steps 4 and 5. The DNS server on the private network behind the SOHO 6 must be the first server in the list. Select the Append these DNS suffixes (in order) checkbox and then click Add.
  • Page 142: Installing And Configuring The Muvpn Client

    Installing and Configuring the MUVPN Client The MUVPN installation files are available at the WatchGuard Web site: http://www.watchguard.com/support To install and configure the MUVPN client, you must have local administrator rights on the remote computer. Installing the MUVPN client Follow these steps to install the MUVPN client: Copy the MUVPN installation file to the remote computer.
  • Page 143: Configuring The Muvpn Client

    ZoneAlarm, see “The ZoneAlarm Personal Firewall” on page 139. Configuring the MUVPN client When the computer restarts, the WatchGuard Policy Import window opens. Click Cancel. From the Windows desktop system tray: Right-click the MUVPN client icon and then select Activate Security Policy.
  • Page 144 Select the Secure option. This is the default setting. Select the Only Connect Manually checkbox. Select the IP Subnet option from the ID Type drop-down list. The Remote Party Identity and Addressing fields are updated.
  • Page 145 The addresses you type in the Subnet and Mask fields must be identical to the Virtual IP Address you typed on the Add MUVPN Client page. See “Configuring the SOHO 6 for MUVPN Clients” on page 106. Select All from the Protocol drop-down list.
  • Page 146 Select Aggressive Mode. Make sure the Enable Perfect Forward Secrecy (PFS) checkbox is clear and the Enable Replay Detection checkbox is selected. Close the Security Policy dialog box. Select My Identity. The My Identity and Internet Interface settings appear to the right.
  • Page 147 Select Options => Global Policy Settings. The Global Policy Settings window appears. Select the Allow to Specify Internal Network Address checkbox and then click OK. The Internal Network IP Address field appears in the My Identity section.
  • Page 148 Select None from the Select Certificate drop-down list. Select E-mail Address from the ID Type drop-down list and then enter the user name defined on the SOHO 6 in the applicable field. 10 Select Disabled from the Virtual Adapter drop-down list.
  • Page 149: Defining Phase 1 And Phase 2 Settings

    Both the pre-shared key and the e-mail address must exactly match the system passphrase and system administrator name settings of the SOHO 6. If they do not match, the connection will fail. Defining Phase 1 and Phase 2 settings Follow these steps to define the Phase 1 and Phase 2 settings. These values must match the settings of the SOHO 6.
  • Page 150 Phase 1 values must be as specified in the following steps. Phase 2 values must match the settings of the Firebox SOHO 6. Select DES from the Encrypt Alg drop-down list and then select SHA-1 from the Hash Alg drop-down list.
  • Page 151 14 Select a value for the Encrypt Alg and Hash Alg drop-down lists. The encrypted and hash values must match the settings of the SOHO 6. If the settings do not match, the connection will fail. 15 Select Tunnel from the Encapsulation drop-down list.
  • Page 152: Uninstalling The Muvpn Client

    Uninstalling the MUVPN client Follow these directions to uninstall the MUVPN client. WatchGuard recommends that you use the Windows Add/Remove Programs tool. Disconnect all existing tunnels and dial-up connections. Reboot the remote computer. Perform these steps from the Windows desktop: Select Start =>...
  • Page 153: Configuring The Soho 6 For Muvpn Clients Using Pocket Pc

    Start menu. Configuring the SOHO 6 for MUVPN Clients Using Pocket PC In order to create a MUVPN tunnel between the SOHO 6 and your Pocket PC, you must configure the MUVPN Clients feature on the SOHO 6.
  • Page 154: Connecting And Disconnecting The Muvpn Client

    The options are DES-CBC and 3DES-CBC. Select Pocket PC from the VPN Client Type drop-down list. Click Submit. For additional information about configuring your Pocket PC to serve as an MUVPN client, go to the WatchGuard Web site: https://www.watchguard.com/support/sohoresources/soinstallhelp.asp Connecting and Disconnecting the MUVPN Client The MUVPN client software makes a secure connection from a remote computer to your protected network through the Internet.
  • Page 155: The Muvpn Client Icon

    “The MUVPN client icon” on page 133. From the Windows desktop: Select Start => Programs => Mobile User VPN => Connect. The WatchGuard Mobile User Connect window appears. Click Yes. The MUVPN client icon The MUVPN icon appears in the Windows desktop system tray.
  • Page 156 The MUVPN client is ready to establish a secure, MUVPN tunnel connection. The red bar on the right of the icon indicates that the client is transmitting unsecured data.
  • Page 157 Activated and Connected The MUVPN client has established at least one secure, MUVPN tunnel connection, but is not transmitting data. Activated, Connected and Transmitting Unsecured Data The MUVPN client has established at least one secure, MUVPN tunnel connection. The red bar on the right of the icon indicates that the client is only transmitting unsecured data.
  • Page 158: Allowing The Muvpn Client Through The Personal Firewall

    MUVPN tunnel, you must allow these programs through the personal firewall: • MuvpnConnect.exe • IreIKE.exe The personal firewall will detect when these programs attempt to access the Internet. A New Program alert window appears to request access for the MuvpnConnect.exe program.
  • Page 159: Disconnecting The Muvpn Client

    From the New Program alert window: Select the Remember this answer the next time I use this program checkbox and then click Yes. With the option selected, the ZoneAlarm personal firewall will allow this program to access the Internet each time you attempt to make a MUVPN connection.
  • Page 160: Monitoring The Muvpn Client Connection

    An icon appears to the left of the connection name: • SA indicates that the connection only has a phase 1 SA. A phase 1 SA is assigned in the following situations: - for a connection to a secure gateway tunnel
  • Page 161: The Zonealarm Personal Firewall

    - when a phase 2 SA connection has not yet been made - when a phase 2 SA connection cannot be made • A key indicates that the connection has a phase 2 SA. This connection may also have a phase 1 SA. •...
  • Page 162: Allowing Traffic Through Zonealarm

    When an application requires access through the ZoneAlarm personal firewall, a New Program alert will be displayed on the Windows desktop. This alert tells the user which program requires access. The name of the program may not clearly indicate which application requires access.
  • Page 163 In the example above, the Internet Explorer Web browser application has been launched. The application attempts to access the user’s home page. The program that actually needs to pass through the firewall is “IEXPLORE.EXE”. To allow this program access to the Internet each time the application is started, select the Remember the answer each time I use this program checkbox.
  • Page 164: Shutting Down Zonealarm

    Select Start => Programs => Zone Labs => Uninstall ZoneAlarm. The Confirm Uninstall dialog box appears. Click Yes. The ZoneLabs TrueVector service dialog box appears. Be Allowed be Allowed IreIKE.exe MuvpnConnect.exe CmonApp.exe ViewLog.exe OUTLOOK.exe IEXPLORE.exe netscp6.exe Opera.exe lsass.exe services.exe svchost.exe winlogon.exe
  • Page 165: Troubleshooting Tips

    Click OK to reboot your system. Troubleshooting Tips Additional information about how to configure the MUVPN client is available from the WatchGuard Web site: www.watchguard.com/support Several frequently asked questions about the MUVPN client are answered below.
  • Page 166: I Have To Enter My Network Login Information Even When I'm Not Connected To The Network

    This is probably caused by the ZoneAlarm personal firewall application. This program is very good at what it does. ZoneAlarm keeps your computer secure from unauthorized incoming and outgoing traffic. Unfortunately, it may prevent your computer from broadcasting its network information. This prevents the...
  • Page 167: Is The Muvpn Tunnel Working

    transmission of the login information. Make sure you deactivate ZoneAlarm each time you disconnect the MUVPN connection. Is the MUVPN tunnel working? The MUVPN client icon appears in the Windows desktop system tray once the application has been launched. The MUVPN client displays a key in the icon when the client is connected.
  • Page 168: I Am Sometimes Prompted For A Password When I Am Browsing The Company Network

    I lost the connection to my ISP, and now I can’t use the company network... If your Internet connection is interrupted, the connection to the MUVPN tunnel may be lost. Follow the procedure to close the tunnel. Reconnect to the Internet. Restart the MUVPN client.
  • Page 169: Chapter 11 Using Vpnforce

    The VPNforce upgrade activates the SOHO 6 optional interface. The optional interface is labeled OPT on the SOHO 6 appliance. The optional interface provides remote users with a separate network, called the optional network, behind the SOHO 6. The optional network has secure access to the corporate network.
  • Page 170: Configuring The Optional Network

    To use this upgrade option, you must access your corporate network through a VPN tunnel from the SOHO 6 to a WatchGuard Firebox appliance or other IPSec compliant appliance. For information about the VPN upgrade option, see “VPN—Virtual Private Networking” on page 91.
  • Page 171 Select the Enable Optional Network checkbox. Type the IP address and the subnet mask of the optional interface in the appropriate fields. Make sure that this network is different from that of the trusted network. To configure the DHCP server, select the Enable DHCP Server on the Optional Network checkbox.
  • Page 172 12 Select the Require encrypted MUVPN connections on this interface checkbox. 13 Click Submit. The page refreshes and you are prompted to reboot the SOHO 6 to activate the changes. 14 Click Reboot. 15 Connect one end of a straight-through Ethernet cable into the Ethernet port labeled OPT on the SOHO 6.
  • Page 173: Using Vpnforce And The Muvpn Client Upgrades To Enforce Your Corporate Policy

    These procedures will also allow you to enforce your corporate security policies for remote users. The first procedure describes how to configure the SOHO 6. The second procedure describes how to configure the MUVPN clients. You must activate the upgrade option before you can configure the MUVPN clients on the SOHO 6.
  • Page 174 The Edit MUVPN Client page appears. Type a user name and a passphrase in the applicable fields. The user name is used as the e-mail address and the passphrase is used as the pre-shared key for the MUVPN client.
  • Page 175: Configuring The Muvpn Client

    Select Mobile User from the VPN Client Type drop list. Select the All traffic uses tunnel (0.0.0.0/0 Subnet) checkbox. 10 Click Submit. The page refreshes and you are prompted to reboot the SOHO 6 to activate the changes. 11 Click Reboot.
  • Page 176 Type 0.0.0.0 in both the Subnet and Mask fields. These are the default values. Select All from the Protocol drop list. This is the default setting. Select the Connect using checkbox and select Secure Gateway Tunnel from the drop list.
  • Page 177: Defining The Security Policy Settings

    10 Select IP Address from the ID Type drop list and then type the IP address of the Optional interface in the available field. Defining the Security Policy settings Follow these instructions to define the Security Policy settings.
  • Page 178 Select My Identity. The My Identity and Internet Interface settings appear to the right. Select Options => Global Policy Settings. The Global Policy Settings dialog box appears.
  • Page 179 Select None from the Select Certificate drop list. Select E-mail Address from the ID Type drop list and then enter the username defined on the SOHO 6 in the available field. Select Disabled from the Virtual Adapter drop list.
  • Page 180: Defining Phase 1 And Phase 2 Settings

    12 Type the exact text of the MUVPN client passphrase entered on the Firebox SOHO 6 appliance and then click OK. Defining Phase 1 and Phase 2 settings Follow these instructions to define the Phase 1 and Phase 2 settings.
  • Page 181 Select Pre-Shared Key from the Authentication Method drop list. These values must match exactly those entered in the Firebox SOHO 6 appliance. Select DES from the Encrypt Alg drop list and select SHA-1 from the Hash Alg drop list.
  • Page 182 Seconds field and 8192 in the KBytes field. 11 Select None from the Compression drop list. This is the default setting. The SOHO 6 Firebox appliance does not support compression. 12 Select the Encapsulation (ESP) checkbox and then select a value for the Encrypt Alg and Hash Alg drop lists.
  • Page 183: Using The Muvpn Client To Secure A Wireless Network

    LAN ports of the appliance. Refer to the user documentation of your WAP for additional information. Connect an Ethernet cable from a computer to the SOHO 6 to access the configuration pages. Configure the MUVPN clients upgrade on the SOHO 6 and install and configure the MUVPN client on your computers.
  • Page 185: Chapter 12 Support Resources

    What do the PWR, Status, and Mode lights signify on the SOHO 6? When the PWR light is lit, the SOHO 6 is connected to a power source. When the Status light is lit, there is a management connection to the SOHO 6. When the MODE light is lit, the SOHO 6 is operational.
  • Page 186 The SOHO 6 cannot connect to the external network. Possible causes of this problem include: • The SOHO 6 did not receive an IP address for the external interface from the DHCP server. • The WAN port is not connected to another appliance.
  • Page 187 The link indicators (0-3) are for the four Ethernet ports of the trusted network. These indicators show if the SOHO 6 is connected to a computer or hub. If the indicators are not lit, the SOHO 6 is not connected to the computer or hub. Make sure that the cable is connected and the computer or hub is connected to a power supply.
  • Page 188: Configuration

    Internet? If you can access the configuration pages, but not the Internet, there is a problem with the connection from the SOHO 6 to the Internet. • Make sure the cable modem or DSL modem is connected to the SOHO 6 and the power supply.
  • Page 189 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6. The default IP address is: http://192.168.111.1 From the navigation bar at left, select Network => Trusted.
  • Page 190 How do I set up and disable WebBlocker? Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6. The default IP address is: http://192.168.111.1 From the navigation bar at left, select WebBlocker =>...
  • Page 191 IP protocol. Follow these steps: Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6. The default IP address is: http://192.168.111.1 From the navigation bar at left, select Firewall =>...
  • Page 192: Vpn Management

    SOHO 6 configuration file. These steps apply to using a command prompt with Windows 2000 or XP. Configure the firewall settings of the SOHO 6 to allow an incoming FTP service to the trusted IP address of the appliance.
  • Page 193 Make sure that the two appliances use the same encryption and authentication method. How do I set up my SOHO 6 for VPN Manager Access? This requires the add-on product, WatchGuard VPN Manager, which is purchased separately and used with the WatchGuard Firebox System software.
  • Page 194: Contacting Technical Support

    WatchGuard Web Site: https://support.watchguard.com/AdvancedFaqs/ Special notices The online help system is not yet available on the WatchGuard Web site. Click on the Help link at the top of the System Status page to connect to the WatchGuard Product Documentation page, which has links to more information sources.
