WatchGuard Firebox Vclass v5.0 User Guide
WatchGuard® Firebox Vclass User Guide
Vcontroller 5.0
Notice to Users
Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.
Copyright, Trademark, and Patent Information
Copyright© 1998 - 2003 WatchGuard Technologies, Inc. All rights reserved.
AppLock®, AppLock®/Web, Designing peace of mind®, Firebox®, Firebox® 1000, Firebox® 2500, Firebox® 4500, Firebox® II, Firebox® II Plus, Firebox® II FastVPN, Firebox® III, Firebox® SOHO, Firebox® SOHO 6, Firebox® SOHO 6tc, Firebox® SOHO|tc, Firebox® V100, Firebox® V80, Firebox® V60, Firebox® V10, LiveSecurity®, LockSolid®, RapidStream®, RapidCore®, ServerLock®, WatchGuard®, WatchGuard® Technologies, Inc., DVCP™ technology, Enforcer/MUVPN™, FireChip™, HackAdmin™, HostWatch™, Make Security Your Strength™, RapidCare™, SchoolMate™, ServiceWatch™, Smart Security. Simply Done.™, Vcontroller™, VPNforce™ are either registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries. Smart Security. Simply Done., SpamScreen, Vcontroller are either registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries.
© Hi/fn, Inc. 1993, including one or more U.S. Patents: 4701745, 5016009, 5126739, and 5146221 and other patents pending.
Microsoft®, Internet Explorer®, Windows® 95, Windows® 98, Windows NT® and Windows® 2000 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corporation in the United States and other countries.
RC2 Symmetric Block Cipher, RC4 Symmetric Stream Cipher, RC5 Symmetric Block Cipher, BSAFE, TIPEM, RSA Public Key Cryptosystem, MD, MD2, MD4, and MD5 are either trademarks or registered trademarks of RSA Data Security, Inc. Certain materials herein are Copyright © 1992-1999 RSA Data Security, Inc. All rights reserved.
RealNetworks, RealAudio, and RealVideo are either a registered trademark or trademark of RealNetworks, Inc. in the United States and/or other countries.
Java and all Java-based marks are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. All rights reserved.
© 1995-1998 Eric Young (eay@cryptsoft). All rights reserved.
© 1998-2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)”
4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].
5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)”
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young ([email protected]). This product includes software written by Tim Hudson ([email protected]).
© 1995-1998 Eric Young ([email protected]). All rights reserved.
This package is an SSL implementation written by Eric Young ([email protected]).
The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson ([email protected]).
Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement: “This product includes cryptographic software written by Eric Young ([email protected])” The word 'cryptographic' can be left out if the routines from the library being used are not cryptographic related :-).
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: “This product includes software written by Tim Hudson ([email protected])”
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Firebox Vclass User Guide iii
The licence and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.]
The mod_ssl package falls under the Open-Source Software label because it's distributed under a BSD-style license. The detailed license information follows.
Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment:
“This product includes software developed by Ralf S. Engelschall <[email protected]> for use in the mod_ssl project (http://www.modssl.org/).”
4. The names “mod_ssl” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].
5. Products derived from this software may not be called “mod_ssl” nor may “mod_ssl” appear in their names without prior written permission of Ralf S. Engelschall.
6. Redistributions of any form whatsoever must retain the following acknowledgment:
“This product includes software developed by Ralf S. Engelschall <[email protected]> for use in the mod_ssl project (http://www.modssl.org/).”
THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S. ENGELSCHALL OR HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The Apache Software License, Version 1.1
Copyright (c) 2000 The Apache Software Foundation. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The end-user documentation included with the redistribution, if any, must include the following acknowledgment:
“This product includes software developed by the Apache Software Foundation (http://www.apache.org/).” Alternately, this acknowledgment may appear in the software itself, if and wherever such third-party acknowledgments normally appear.
4. The names “Apache” and “Apache Software Foundation” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].
5. Products derived from this software may not be called “Apache”, nor may “Apache” appear in their name, without prior written permission of the Apache Software Foundation.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This software consists of voluntary contributions made by many individuals on behalf of the Apache Software Foundation. For more information on the Apache Software Foundation, please see <http://www.apache.org/>.
Portions of this software are based upon public domain software originally written at the National Center for Supercomputing Applications, University of Illinois, Urbana-Champaign.
This product includes software developed by Ralf S. Engelschall
Copyright (c) 1999-2003 Ralf S. Engelschall <[email protected]>
Copyright (c) 1999-2003 The OSSP Project <http://www.ossp.org/>
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by Ralf S. Engelschall <[email protected]>."
4. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by Ralf S. Engelschall <[email protected]>."
THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S. ENGELSCHALL OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes the Expat XML parser
Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd and Clark Cooper
Copyright (c) 2001, 2002 Expat maintainers.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Regular expression support is provided by the PCRE library package, which is open source software, written by Philip Hazel, and copyright by the University of Cambridge, England.
Source code for the PCRE library can be obtained via ftp: ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/
PCRE is a library of functions to support regular expressions whose syntax and semantics are as close as possible to those of the Perl 5 language.
Written by: Philip Hazel <[email protected]>, University of Cambridge Computing Service, Cambridge, England. Phone: +44 1223 334714.
Copyright (c) 1997-2001 University of Cambridge
This product includes the SCEW wrapper for Expat.
SCEW is freely available for download under the terms of the GNU Lesser General Public License (LGPL).
Copyright (C) 2002, 2003 Aleix Conchillo Flaque
This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
This product uses the Python language interpreter.
PSF LICENSE AGREEMENT FOR PYTHON 2.2.2
--------------------------------------
1. This LICENSE AGREEMENT is between the Python Software Foundation ("PSF"), and the Individual or Organization ("Licensee") accessing and otherwise using Python 2.2.2 software in source or binary form and its associated documentation.
2. Subject to the terms and conditions of this License Agreement, PSF hereby grants Licensee a nonexclusive, royalty-free, world-wide license to reproduce, analyze, test, perform and/or display publicly, prepare derivative works, distribute, and otherwise use Python 2.2.2 alone or in any derivative version, provided, however, that PSF's License Agreement and PSF's notice of copyright, i.e., "Copyright (c) 2001, 2002 Python Software Foundation; All Rights Reserved" are retained in Python 2.2.2 alone or in any derivative version prepared by Licensee.
3. In the event Licensee prepares a derivative work that is based on or incorporates Python 2.2.2 or any part thereof, and wants to make the derivative work available to others as provided herein, then Licensee hereby agrees to include in any such work a brief summary of the changes made to Python 2.2.2.
4. PSF is making Python 2.2.2 available to Licensee on an "AS IS" basis. PSF MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, PSF MAKES NO AND DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON 2.2.2 WILL NOT INFRINGE ANY THIRD PARTY RIGHTS.
5. PSF SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON 2.2.2 FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF MODIFYING, DISTRIBUTING, OR OTHERWISE USING PYTHON 2.2.2, OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.
6. This License Agreement will automatically terminate upon a material breach of its terms and conditions.
7. Nothing in this License Agreement shall be deemed to create any relationship of agency, partnership, or joint venture between PSF and Licensee. This License Agreement does not grant permission to use PSF trademarks or trade name in a trademark sense to endorse or promote products or services of Licensee, or any third party.
8. By copying, installing or otherwise using Python 2.2.2, Licensee agrees to be bound by the terms and conditions of this License Agreement.
PLEASE NOTE: Some components of the WatchGuard Vclass software incorporate source code covered under the GNU Lesser General Public License (LGPL). To obtain the source code covered under the LGPL, please contact WatchGuard Technical Support at:
877.232.3531 in the United States and Canada
+1.360.482.1083 from all other countries
This source code is free to download. There is a $35 charge to ship the CD.
This product includes software covered by the LGPL.
GNU LESSER GENERAL PUBLIC LICENSE
Version 2.1, February 1999
Copyright (C) 1991, 1999 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
[This is the first released version of the Lesser GPL. It also counts
as the successor of the GNU Library Public License, version 2, hence
the version number 2.1.]
Preamble
The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users.
This license, the Lesser General Public License, applies to some specially designated software packages--typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below.
When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things.
To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it.
For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link other code with the library, you must provide complete object files to the recipients, so that they can relink them with the library after making changes to the library and recompiling it. And you must show them these terms so they know their rights.
We protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives you legal permission to copy, distribute and/or modify the library.
To protect each distributor, we want to make it very clear that there is no warranty for the free library. Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others.
Finally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license.
Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs.
When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library.
We call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances.
For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the Lesser General Public License.
In other cases, permission to use a particular library in non-free programs enables a greater number of people to use a large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system.
Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library.
The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, whereas the latter must be combined with the library in order to run.
GNU LESSER GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called "this License"). Each licensee is addressed as "you".
A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables.
The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".)
"Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library.
Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does.
1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library.
You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
a) The modified work must itself be a software library.
b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change.
c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License.
d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful.
(For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.)
These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library.
In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.
3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices.
Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy.
This option is useful when you wish to copy part of the code of the Library into a program that is not a library.
4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange.
If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code.
5. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License.
Firebox Vclass User Guide xi
However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License.
Section 6 states terms for distribution of such executables.
When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not.
Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law.
If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.)
Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6.
Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself.
6. As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications.
You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things:
a) Accompany the work with the complete corresponding
machine-readable source code for the Library including whatever
changes were used in the work (which must be distributed under
Sections 1 and 2 above); and, if the work is an executable linked
with the Library, with the complete machine-readable "work that
uses the Library", as object code and/or source code, so that the
user can modify the Library and then relink to produce a modified
executable containing the modified Library. (It is understood
that the user who changes the contents of definitions files in the
Library will not necessarily be able to recompile the application
to use the modified definitions.)
b) Use a suitable shared library mechanism for linking with the
Library. A suitable mechanism is one that (1) uses at run time a
copy of the library already present on the user's computer system,
rather than copying library functions into the executable, and (2)
will operate properly with a modified version of the library, if
the user installs one, as long as the modified version is
interface-compatible with the version that the work was made with.
c) Accompany the work with a written offer, valid for at
least three years, to give the same user the materials
specified in Subsection 6a, above, for a charge no more
than the cost of performing this distribution.
d) If distribution of the work is made by offering access to copy
from a designated place, offer equivalent access to copy the above
specified materials from the same place.
e) Verify that the user has already received a copy of these
materials or that you have already sent this user a copy.
For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.
It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute.
7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things:
a) Accompany the combined library with a copy of the same work
based on the Library, uncombined with any other library
facilities. This must be distributed under the terms of the
Sections above.
b) Give prominent notice with the combined library of the fact
that part of it is a work based on the Library, and explaining
where to find the accompanying uncombined form of the same work.
8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.
9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it.
10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License.
11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library.
If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances.
It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.
This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.
12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.
13. The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time.
Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.
Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation.
14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.
NO WARRANTY
15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO
WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE
LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT
WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE
QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE
LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY
SERVICING, REPAIR OR CORRECTION.
16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO
IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO
MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE,
BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL,
INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR
INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH
ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS
BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
PLEASE NOTE: Some components of the WatchGuard Vclass software incorporate source code covered under the GNU General Public License (GPL). To obtain the source code covered under the GPL, please contact WatchGuard Technical Support at:
877.232.3531 in the United States and Canada
+1.360.482.1083 from all other countries
This source code is free to download. There is a $35 charge to ship the CD.
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too.
When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.
We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.
Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and modification follow.
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.
You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.
c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.
In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.
3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.
If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.
5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.
7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.
It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.
This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.
Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.
10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO
WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE
COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS
IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS
WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE
COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO
IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO
MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE,
BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL,
INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR
INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH
ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS
BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
All other trademarks or trade names mentioned herein, if any, are the property of their respective owners.
WatchGuard Technologies, Inc.
Firebox Vclass Software
End-User License Agreement
IMPORTANT - READ CAREFULLY BEFORE ACCESSING WATCHGUARD SOFTWARE:
This Firebox Vclass Software End-User License Agreement (‘AGREEMENT’) is a legal agreement between you (either an individual or a single entity) and WatchGuard Technologies, Inc. (‘WATCHGUARD’) for the WATCHGUARD Firebox Vclass software product, which includes computer software components (whether installed separately on a computer workstation or on the WATCHGUARD hardware product or included on the WATCHGUARD hardware product) and may include associated media, printed materials, and on-line or electronic documentation, and any updates or modifications thereto, including those received through the WatchGuard LiveSecurity Service (or its equivalent), (the ‘SOFTWARE PRODUCT’). WATCHGUARD is willing to license the SOFTWARE PRODUCT to you only on the condition that you accept all of the terms contained in this Agreement. Please read this Agreement carefully. By installing or using the SOFTWARE PRODUCT you agree to be bound by the terms of this Agreement. If you do not agree to the terms of this AGREEMENT, WATCHGUARD will not license the SOFTWARE PRODUCT to you, and you will not have any rights in the SOFTWARE PRODUCT. In that case, promptly return the SOFTWARE PRODUCT, along with proof of payment, to the authorized dealer from whom you obtained the SOFTWARE PRODUCT for a full refund of the price you paid.
1. Ownership and License. The SOFTWARE PRODUCT is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. This is a license agreement and NOT an agreement for sale. All title and copyrights in and to the SOFTWARE PRODUCT (including but not limited to any images, photographs, animations, video, audio, music, text, and applets incorporated into the SOFTWARE PRODUCT), the accompanying printed materials, and any copies of the SOFTWARE PRODUCT are owned by WATCHGUARD or its licensors. Your rights to use the SOFTWARE PRODUCT are as specified in this AGREEMENT, and
WATCHGUARD retains all rights not expressly granted to you in this AGREEMENT.
Nothing in this AGREEMENT constitutes a waiver of our rights under U.S. copyright law or any other law or treaty.
2. Permitted Uses. You are granted the following rights to the SOFTWARE PRODUCT:
(A) You may install and use the SOFTWARE PRODUCT on any single WATCHGUARD hardware product at any single location and may install and use the SOFTWARE PRODUCT on multiple workstation computers.
(B) To use the SOFTWARE PRODUCT on more than one WATCHGUARD hardware product at once, you must purchase an additional copy of the SOFTWARE PRODUCT for each additional WATCHGUARD hardware product on which you want to use it. To the extent that you install copies of the SOFTWARE PRODUCT on additional WATCHGUARD hardware products in accordance with the prior sentence without installing the additional copies of the SOFTWARE PRODUCT included with such WATCHGUARD hardware products, you agree that use of any software provided with or included on the additional WATCHGUARD hardware products that does not require installation will be subject to the terms and conditions of this AGREEMENT. You must also maintain a current subscription to the WatchGuard LiveSecurity Service (or its equivalent) for each additional WATCHGUARD hardware product on which you will use a copy of an updated or modified version of the SOFTWARE PRODUCT received through the WatchGuard LiveSecurity Service (or its equivalent).
(C) In addition to the copies described in Section 2(A), you may make a single copy of the SOFTWARE PRODUCT for backup or archival purposes only.
3. Prohibited Uses. You may not, without express written permission from WATCHGUARD:
(A) Use, copy, modify, merge or transfer copies of the SOFTWARE PRODUCT or printed materials except as provided in this AGREEMENT;
(B) Use any backup or archival copy of the SOFTWARE PRODUCT (or allow someone else to use such a copy) for any purpose other than to replace the original copy in the event it is destroyed or becomes defective;
(C) Sublicense, lend, lease or rent the SOFTWARE PRODUCT;
(D) Transfer this license to another party unless
(i) the transfer is permanent,
(ii) the third party recipient agrees to the terms of this
AGREEMENT, and
(iii) you do not retain any copies of the SOFTWARE
PRODUCT; or
(E) Reverse engineer, disassemble or decompile the
SOFTWARE PRODUCT.
4. Limited Warranty. WATCHGUARD makes the following limited warranties for a period of ninety (90) days from the date you obtained the SOFTWARE PRODUCT from WATCHGUARD or an authorized dealer:
(A) Media. The disks and documentation will be free from defects in materials and workmanship under normal use. If the disks or documentation fail to conform to this warranty, you may, as your sole and exclusive remedy, obtain a replacement free of charge if you return the defective disk or documentation to WATCHGUARD with a dated proof of purchase.
(B) SOFTWARE PRODUCT. The SOFTWARE PRODUCT will materially conform to the documentation that accompanies it. If the SOFTWARE PRODUCT fails to operate in accordance with this warranty, you may, as your sole and exclusive remedy, return all of the SOFTWARE PRODUCT and the documentation to the authorized dealer from whom you obtained it, along with a dated proof of purchase, specifying the problems, and they will provide you with a new version of the SOFTWARE PRODUCT or a full refund, at their election.
Vcontroller
Disclaimer and Release. THE WARRANTIES, OBLIGATIONS AND LIABILITIES OF WATCHGUARD, AND YOUR REMEDIES, SET FORTH IN PARAGRAPHS 4, 4(A) AND 4(B) ABOVE ARE EXCLUSIVE AND IN SUBSTITUTION FOR, AND YOU HEREBY WAIVE, DISCLAIM AND RELEASE ANY AND ALL OTHER WARRANTIES, OBLIGATIONS AND LIABILITIES OF WATCHGUARD AND ITS LICENSORS AND ALL OTHER RIGHTS, CLAIMS AND REMEDIES YOU MAY HAVE AGAINST WATCHGUARD AND ITS LICENSORS, EXPRESS OR IMPLIED, ARISING BY LAW OR OTHERWISE, WITH RESPECT TO ANY NONCONFORMANCE OR DEFECT IN THE SOFTWARE PRODUCT (INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ANY IMPLIED WARRANTY ARISING FROM COURSE OF PERFORMANCE, COURSE OF DEALING, OR USAGE OF TRADE, ANY WARRANTY OF NONINFRINGEMENT, ANY WARRANTY THAT THE SOFTWARE PRODUCT WILL MEET YOUR REQUIREMENTS, ANY WARRANTY OF UNINTERRUPTED OR ERROR-FREE OPERATION, ANY OBLIGATION, LIABILITY, RIGHT, CLAIM OR REMEDY IN TORT, WHETHER OR NOT ARISING FROM THE NEGLIGENCE (WHETHER ACTIVE, PASSIVE OR IMPUTED) OR FAULT OF WATCHGUARD AND ITS LICENSORS AND ANY OBLIGATION, LIABILITY, RIGHT, CLAIM OR REMEDY FOR LOSS OR DAMAGE TO, OR CAUSED BY OR CONTRIBUTED TO BY, THE SOFTWARE PRODUCT).
Limitation of Liability. WATCHGUARD'S LIABILITY (WHETHER IN CONTRACT, TORT, OR OTHERWISE; AND NOTWITHSTANDING ANY FAULT, NEGLIGENCE, STRICT LIABILITY OR PRODUCT LIABILITY) WITH REGARD TO THE SOFTWARE PRODUCT WILL IN NO EVENT EXCEED THE PURCHASE PRICE PAID BY YOU FOR SUCH PRODUCT. THIS SHALL BE TRUE EVEN IN THE EVENT OF THE FAILURE OF AN AGREED REMEDY. IN NO EVENT WILL WATCHGUARD BE LIABLE TO YOU OR ANY THIRD PARTY, WHETHER ARISING IN CONTRACT (INCLUDING WARRANTY), TORT (INCLUDING ACTIVE, PASSIVE OR IMPUTED NEGLIGENCE AND STRICT LIABILITY AND FAULT), FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, OR LOSS OF BUSINESS INFORMATION) ARISING OUT OF OR IN CONNECTION WITH THIS WARRANTY OR THE USE OF OR INABILITY TO USE THE SOFTWARE PRODUCT, EVEN IF WATCHGUARD HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS SHALL BE TRUE EVEN IN THE EVENT OF THE FAILURE OF AN AGREED REMEDY.
5. United States Government Restricted Rights. The SOFTWARE PRODUCT is provided with Restricted Rights. Use, duplication or disclosure by the U.S. Government or any agency or instrumentality thereof is subject to restrictions as set forth in subdivision (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013, or in subdivision (c)(1) and (2) of the Commercial Computer Software -- Restricted Rights Clause at 48 C.F.R. 52.227-19, as applicable. Manufacturer is WatchGuard Technologies, Inc., 505 5th Ave. South, Suite 500, Seattle, WA 98104.
6. Export Controls. You agree not to directly or indirectly transfer the SOFTWARE PRODUCT or documentation to any country to which such transfer would be prohibited by the U.S. Export Administration Act and the regulations issued thereunder.
7. Termination. This license and your right to use the SOFTWARE PRODUCT will automatically terminate if you fail to comply with any provisions of this AGREEMENT, destroy all copies of the SOFTWARE PRODUCT in your possession, or voluntarily return the SOFTWARE PRODUCT to WATCHGUARD. Upon termination you will destroy all copies of the SOFTWARE PRODUCT and documentation remaining in your control or possession.
8. Miscellaneous Provisions. This AGREEMENT will be governed by and construed in accordance with the substantive laws of Washington excluding the 1980 United Nations Convention on Contracts for the International Sale of Goods, as amended. This is the entire AGREEMENT between us relating to the SOFTWARE PRODUCT,
Firebox Vclass User Guide xxi
and supersedes any prior purchase order, communications, advertising or representations concerning the SOFTWARE PRODUCT AND BY USING THE SOFTWARE PRODUCT YOU AGREE TO THESE TERMS. IF THE SOFTWARE PRODUCT IS BEING USED BY AN ENTITY, THE INDIVIDUAL INDICATING AGREEMENT TO THESE TERMS REPRESENTS AND WARRANTS THAT (A) SUCH INDIVIDUAL IS DULY AUTHORIZED TO ACCEPT THIS AGREEMENT ON BEHALF OF THE ENTITY AND TO BIND THE ENTITY TO THE TERMS OF THIS AGREEMENT; (B) THE ENTITY HAS THE FULL POWER, CORPORATE OR OTHERWISE, TO ENTER INTO THIS AGREEMENT AND PERFORM ITS OBLIGATIONS UNDER THIS AGREEMENT AND; (C) THIS AGREEMENT AND THE PERFORMANCE OF THE ENTITY’S OBLIGATIONS UNDER THIS AGREEMENT DO NOT VIOLATE ANY THIRD-PARTY AGREEMENT TO WHICH THE ENTITY IS A PARTY. No change or modification of this AGREEMENT will be valid unless it is in writing and is signed by WATCHGUARD.
Part No: 0150-00
Contents
CHAPTER 1 Introduction ..... 1
Welcome to WatchGuard® ..... 1
WatchGuard Firebox Vclass Components
Minimum Requirements for the WatchGuard Vcontroller
Software License Keys ..... 5
WatchGuard Firebox Vclass Appliance Options
About This Guide ..... 6
CHAPTER 2 Service and Support ..... 9
Benefits of LiveSecurity® Service ..... 9
LiveSecurity® Broadcasts ..... 10
Activating the LiveSecurity® Service ..... 12
LiveSecurity® Self Help Tools ..... 14
Interactive Support Forum ..... 15
Product Documentation ..... 16
Assisted Support ..... 16
LiveSecurity® Program ..... 16
LiveSecurity® Gold Program ..... 17
Firebox Vclass Installation Services ..... 18
Training and Certification ..... 18
Using the Online Help ..... 19
CHAPTER 3 Getting Started ..... 21
Gathering Network Information ..... 22
Setting up the Management Station ..... 23
Installing Vcontroller on a Windows workstation ..... 23
Installing Vcontroller on a Solaris workstation
Installing Vcontroller on a Linux workstation
Cabling the Appliance ..... 27
Start a Firebox Vclass Security Appliance ..... 28
Using Appliance Discovery ..... 29
If an appliance is discovered ..... 31
Setting the IP address of Interface 0 or the System IP ..... 32
Running the Vcontroller Installation Wizard ..... 34
Starting the Installation Wizard ..... 35
Configure the Interfaces in Router Mode ..... 36
Configure Interface 2 and 3 (DMZ) ..... 44
Configure the Interfaces in Transparent Mode ..... 47
Define the DNS servers ..... 48
Define a Default Firewall Policy ..... 50
Using Dynamic Network Address Translation (DNAT) ..... 54
Deploying the Firebox Vclass into your Network
CHAPTER 4 Firebox Vclass Basics ..... 59
What is a Firebox Vclass Appliance? ..... 59
Firebox Vclass Features ..... 60
Where the Information is Stored ..... 61
Launching the WatchGuard Vcontroller ..... 62
The Vcontroller Main Page ..... 64
The status viewer ..... 68
Logging out of Vcontroller ..... 69
Shutting Down and Rebooting ..... 70
Upgrading and Downgrading the Software Version ..... 75
Transferring from Vcontroller to WatchGuard Central Policy Manager (CPM) ..... 76
CHAPTER 5 Router and Transparent Mode ..... 79
Router Mode ..... 79
Transparent Mode ..... 81
Unsupported features in Transparent Mode ..... 82
Setting a Vclass Appliance to Transparent Mode
Setting an Appliance to Transparent Mode using Device Discovery ..... 83
Setting an Appliance to Transparent Mode using the Installation Wizard ..... 87
CHAPTER 6 System Configuration ..... 89
General Configuration ..... 90
Interface Configuration ..... 93
Configuring Interface 1 ..... 99
Configuring Interface 2 or 3 ..... 104
Configuring the HA Interfaces ..... 106
Routing Configuration ..... 107
Configuring static routing ..... 107
Configuring dynamic routing ..... 109
DNS Configuration ..... 112
SNMP Configuration ..... 114
Log Configuration ..... 116
Certificate Configuration ..... 116
Importing a certificate or CRL file ..... 123
LDAP Server Configuration ..... 125
NTP Server Configuration ..... 127
Advanced Configuration ..... 129
Hacker Prevention Configuration ..... 132
CPM Management Configuration ..... 136
License Configuration ..... 137
Install licenses from a license package ..... 140
VLAN Forwarding Option ..... 142
Blocked Sites Configuration ..... 145
High Availability Configuration ..... 148
CHAPTER 7 Using Account Manager ..... 149
Configuring Accounts ..... 149
End-user accounts for authentication ..... 152
Managing accounts ..... 154
External Access for Remote Management ..... 156
Account Access Conflicts ..... 156
CHAPTER 8 About Security Policies ..... 159
About Security Policies ..... 159
Security policy components ..... 160
Types of policies ..... 161
Using Policy Manager ..... 164
How policy order governs policy application ..... 173
Applying system-wide QoS port shaping ..... 175
Defining a Security Policy ..... 178
Defining source and destination ..... 179
Defining the incoming interface ..... 185
Using Tenants ..... 186
About VLANs and tenants ..... 187
User domain tenant authentication ..... 188
Using the Firewall Options ..... 192
Using Quality of Service (QoS) ..... 194
Activating TOS marking ..... 197
About NAT ..... 198
Dynamic NAT ..... 199
About Load Balancing ..... 200
Defining a NAT Action ..... 200
Defining a Load-Balancing Action ..... 203
Using Policy Schedules ..... 205
Using the Advanced Settings ..... 207
CHAPTER 9 Security Policy Examples ..... 211
Firewall Policy Examples ..... 211
Example 1: Allowing Internet access ..... 211
Example 2: Restricting Internet access ..... 212
Example 3: Allowing unlimited access for authorized users ..... 214
Example 5: Defining policies for an ISP ..... 218
Example 6: Controlling access at corporate headquarters ..... 219
VLAN Policy Examples ..... 222
Using a Firebox Vclass appliance in a VLAN setting ..... 224
Creating policies for user-domain tenants
An example of a user-domain policy in use
QoS Policy Examples ..... 226
Example 2: ..... 226
Static NAT Policy Examples ..... 227
Example 1: Translating IP addresses into aliases ..... 227
Example 2: Preventing conflicts between IP addresses ..... 228
Load Balancing Policy Examples ..... 231
Configuring Load Balancing for a Web Server ..... 231
Configuring Load Balancing for an E-commerce Site ..... 232
CHAPTER 10 Using Proxies ..... 237
In This Chapter ..... 238
Proxy Description ..... 238
SMTP Proxy ..... 239
Rules and Rulesets ..... 239
General Proxy Configuration ..... 241
Using a Proxy Action in the Policy Manager ..... 241
Creating a Proxy Action ..... 241
Editing an existing Proxy Action ..... 243
Configuring proxy rules ..... 245
Ordering listed Rules in a Proxy Action ..... 249
Proxy Parameters Reference ..... 251
Reference Sources ..... 297
CHAPTER 11 Using Virtual Private Networks (VPN) ..... 299
Tunneling Protocols ..... 300
IPSec ..... 301
Authentication ..... 301
Internet Key Exchange (IKE) ..... 302
NAT Traversal (UDP Encapsulation) ..... 303
Firebox Vclass appliance VPN Solutions ..... 304
VPN to other IPSec compliant devices ..... 305
About VPN Policies ..... 305
VPN policies and IPSec actions ..... 305
Using Authentication and Encryption ..... 306
Defining an IKE Policy ..... 307
Defining a VPN Security Policy ..... 314
Using Tunnel Switching ..... 323
Enabling tunnel switching ..... 326
CHAPTER 12 Creating a Remote User VPN Policy ..... 327
About Remote User VPN ..... 328
Configuring the Remote Users Authentication Policy
Using an internal authentication database
Using a RADIUS authentication database
Editing and deleting a user group profile ..... 338
Defining an IKE Policy and IKE Action ..... 339
Defining an IKE action for RUVPN ..... 339
Defining an IKE policy ..... 341
Defining an RUVPN Security Policy and an IPSec Action
Defining an IPSec action for RUVPN ..... 343
Defining a security policy for RUVPN ..... 345
Controlling a remote user’s access privileges ..... 348
Monitoring Remote User Activity ..... 348
CHAPTER 13 Using Alarm Manager ..... 351
Alarm Definitions ..... 352
Defining a single-condition alarm ..... 354
Defining a multiple-condition alarm ..... 356
Responding to an Alarm Notification ..... 360
CHAPTER 14 Monitoring the Firebox Vclass ..... 363
Using the Real-Time Monitor ..... 363
Defining probes ..... 365
Monitoring configured probes ..... 366
A Catalog of Real-time Monitor Probe Counters ..... 368
Aggregate counters for all VPN end-point pairs
IPSec counters per VPN end-point pair
Policy counters for all policies ..... 375
CHAPTER 15 Using Log Manager ..... 379
Viewing the Logs ..... 380
Filtering a current log ..... 382
Log Settings ..... 383
Activating the remote logging feature ..... 385
Log Archiving ..... 387
CHAPTER 16 System Information ..... 389
General Information ..... 389
VPN Tunnel Information ..... 390
Traffic Information ..... 392
Route Information ..... 394
RAS User Information ..... 395
Viewing RAS user information and tunnel details ..... 396
Interface 1 (Public) Information ..... 397
DHCP Server Information ..... 398
Runtime Blocked IP List ..... 399
CHAPTER 17 Backing Up and Restoring Configurations ..... 403
Create a Backup File ..... 404
Restoring an Archived Configuration ..... 405
Restoring to Factory Default ..... 407
Resetting an Appliance Completely ..... 408
Restoring the appliance ..... 408
Exporting and Importing Configuration Files
Importing a configuration file using Appliance Discovery
Editing an exported configuration file ..... 412
CHAPTER 18 Using the Diagnostics/CLI Feature ..... 415
Using Connectivity to Test Network Connections
Using the Support Features ..... 417
Configuring debugging support ..... 418
Saving a Policy to a text file ..... 419
Executing a CLI Script ..... 421
Saving Diagnostic Information ..... 422
CHAPTER 19 Setting Up a High Availability System ..... 425
High Availability Modes ..... 425
In this chapter ..... 426
How High Availability works ..... 427
Prerequisites for a High Availability System
Connecting the Appliances ..... 428
Configuring a Standby Appliance ..... 428
Customizing HA System Parameters ..... 432
Checking your HA System Status ..... 435
Additional Preparation for Failover ..... 436
Index ..... 437
CHAPTER 1
Introduction
Welcome to WatchGuard®
The WatchGuard Firebox Vclass series of security appliances brings high speed network security to enterprise-class businesses, remote offices, service providers, and data centers.
In the past, a connected enterprise needed a complex set of tools, systems, and personnel for access control, authentication, virtual private networking, network management, and security analysis. These costly systems were difficult to integrate and not easy to update.
The WatchGuard Firebox Vclass appliance combines firewall security, VPN support, and powerful traffic management with Fast Ethernet and Gigabit Ethernet connections. The Vclass security ASIC architecture delivers scalable support up to 20,000 tunnels in a single rack space device (V100) or 40,000 VPN tunnels in a large enterprise device (V200). An Install Wizard and Device Discovery utility shorten the installation time to minutes. Firebox Vclass security appliances include an intuitive, multi-platform Java®-based GUI management console for flexible and effective centralized management.
WatchGuard Firebox Vclass Components
All Firebox Vclass models are fully IPSec-compliant, with built-in core software and management tools designed to provide consistent network security. Every Firebox Vclass is a system made up of the following components:
Firebox Vclass appliance
The security appliance hardware.
WatchGuard Vcontroller™
A comprehensive management and monitoring software suite.
LiveSecurity Service
A security-related broadcast service.
RapidCore™ hardware ensemble
A well-integrated chip set and memory system powers every Firebox Vclass appliance in its primary duties: protecting your network and efficiently managing legitimate data.
WatchGuard Firebox Vclass Operating System™ (OS)
Every Firebox Vclass security appliance is preinstalled with the latest version of the Firebox Vclass Operating System, which is identified on the packaging by a version number. This operating system includes all the software resources that make the appliance fully functional.
WatchGuard Firebox Vclass administrative client applications
The WatchGuard Vcontroller (or the companion WatchGuard CPM client software) gives you full control of all the customizable operating system parameters, including basic system configurations, security policies, maintenance, and activity logging.
Minimum Requirements for the WatchGuard Vcontroller
This section describes the minimum hardware and software requirements necessary to successfully install, run, and administer the WatchGuard Vcontroller.
NOTE
For the most current information on Vclass hardware and operating system requirements, see the Readme file on the Firebox Vcontroller CD. In addition, updates are frequently posted on the WatchGuard Web site.
Windows workstation
Operating system: Windows NT 4.0/2000/XP
CPU: Pentium II or later
Processor speed: 500 MHz or faster
Memory: 64 MB minimum (128 MB recommended)
Input device: CD-ROM or DVD
Hard disk space: 10 MB minimum, plus additional space as required for log files and for backup and archive configuration files
Network interface: Network Interface Cards (NICs) or embedded network connections

Linux workstation
Operating system: Linux kernel v2.2.12 and glibc v2.1.2-11 or later. The officially supported Linux platform for JRE 1.4 is RedHat Linux 6.2. Because of localization issues involving Linux platforms, see the Sun Web site.
CPU: Pentium II or later
Processor speed: 500 MHz or faster
Memory: 64 MB minimum (128 MB recommended)
Input device: CD-ROM or DVD
Hard disk space: 10 MB minimum
Network interface: NICs or embedded network connections

Sun/Solaris workstation
Operating system: Solaris v2.6 or later
Memory: 64 MB minimum (128 MB recommended)
Input device: CD-ROM or DVD
Hard disk space: 10 MB minimum
Network interface: NICs or embedded network connections
Software License Keys
Keep track of your license key certificates. Your WatchGuard Firebox Vclass comes with a LiveSecurity Service key that activates your subscription to the LiveSecurity Service. For more information on this service, see “Service and Support” on page 9.
Some features of the WatchGuard Firebox Vclass series of appliances must be licensed for use, and others can be expanded by licensing additional capacity. Licensing increases or extends the Firebox Vclass capability in three ways:
• Adding new functionality through optional products
• Increasing the capacity of a particular feature
• Extending the duration of a limited-term feature or service
High Availability and WatchGuard Mobile User VPN are optional products, and you receive those license keys upon purchase. For more information on optional products, see “WatchGuard Firebox Vclass Appliance Options” on page 5. For information on increasing the capacity of a feature or lengthening the duration of a feature, see the WatchGuard Web site.
For information on adding and managing software licenses, see “License Configuration” on page 137.
WatchGuard Firebox Vclass Appliance Options
The WatchGuard Firebox Vclass appliance is enhanced by several optional products. For more information on any of these options, see the WatchGuard Web site at www.watchguard.com.
High Availability
WatchGuard High Availability software lets you install a second, standby Firebox on your network. If your primary Firebox fails, the second Firebox automatically takes over to give your customers, business partners, and employees virtually uninterrupted access to your protected network.
Mobile User VPN
Mobile User VPN is the WatchGuard IPSec implementation of remote user virtual private networking. Mobile User VPN connects an employee on the road or working from home to the trusted and optional networks behind a Firebox Vclass using a standard Internet connection, without compromising security. VPN traffic is encrypted using DES or 3DES. Note that single DES uses a 56-bit key and is no longer considered adequate protection; select 3DES wherever both tunnel endpoints support it.
About This Guide
The purpose of this guide is to help users of the WatchGuard Firebox Vclass appliance set up and configure a basic network security system and maintain, administer, and enhance the configuration of their network security.
The audience for this guide represents a wide range of experience and expertise in network management and security. The end user of the WatchGuard Firebox Vclass is generally a network administrator for a large enterprise with multiple offices around the world.
The following conventions are used in this guide:
• Within procedures, visual elements of the user interface, such as buttons, drop-down list items, dialog boxes, fields, and tabs, appear in boldface.
• Drop-down list items separated by arrows (=>) are selected in sequence from subsequent drop-down lists. For example, File => Open => Configuration File means to select Open from the File drop-down list, and then Configuration File from the Open drop-down list.
• URLs and email addresses appear in sans serif font; for example, [email protected].
• Code, messages, and file names appear in monospace font; for example: .wgl and .idx files.
• In command syntax, variables appear in italics; for example: fbidsmate import_passphrase.
• Optional command parameters appear in square brackets.
CHAPTER 2
Service and Support
No Internet security solution is complete without systematic updates and security intelligence. From the latest hacker techniques to the most recently discovered operating system bug, the daily barrage of new threats poses a perpetual challenge to any network security solution. LiveSecurity® Service keeps your security system up-to-date by providing solutions directly to you.
In addition, the WatchGuard Technical Support team and Training department offer a wide variety of methods to answer your questions and assist you with improving the security of your network.
Benefits of LiveSecurity® Service
As the frequency of new attacks and security advisories continues to surge, the task of ensuring that your network is secure becomes an even greater challenge.
The WatchGuard Rapid Response Team, a dedicated group of network security experts, helps absorb this burden by monitoring the Internet security landscape for you in order to identify new threats as they emerge.
Threat alerts and expert advice
After a new threat is identified, you’ll receive a LiveSecurity broadcast via an email message from our Rapid Response Team alerting you to the threat. Each alert includes a complete description of the nature and severity of the threat, the risks it poses, and what steps you should take to make sure your network remains continuously protected.
Easy software updates
Your WatchGuard LiveSecurity Service subscription saves you time by providing the latest software to keep your WatchGuard Firebox Vclass up-to-date. You receive installation wizards and release notes with each software update for easy installation. These ongoing updates ensure that your WatchGuard Firebox Vclass remains state-of-the-art, without your having to take time to track new releases.
Access to technical support and training
When you have questions about your WatchGuard Firebox Vclass, you can quickly find answers using our extensive online support resources, or by talking directly to one of our support representatives. In addition, you can access WatchGuard courseware online to learn about WatchGuard Vclass features.
LiveSecurity® Broadcasts
The WatchGuard LiveSecurity Rapid Response Team periodically sends broadcasts and software information directly to your desktop via email. Broadcasts are divided into channels to help you immediately recognize and process incoming information.
Information Alert
Information Alerts provide timely analysis of breaking news and current issues in Internet security combined with system configuration recommendations necessary to protect your network.
Threat Response
After a newly discovered threat is identified, the Rapid Response Team transmits an update specifically addressing this threat to make sure your network is protected.
Software Update
You receive functional software enhancements on an ongoing basis that cover your entire WatchGuard Firebox Vclass.
Editorial
Leading security experts join the WatchGuard Rapid Response Team in contributing useful editorials to provide a source of continuing education on this rapidly changing subject.
Foundations
Articles specifically written for novice security administrators, non-technical co-workers, and executives.
Loopback
A monthly index of LiveSecurity Service broadcasts.
Support Flash
These technical tutorials provide tips for managing the WatchGuard Firebox Vclass. Support Flashes supplement other resources such as FAQs and Known Issues on the Technical Support Web site.
Virus Alert
In cooperation with McAfee, WatchGuard issues weekly broadcasts that provide the latest information on new computer viruses.
New from WatchGuard
To keep you abreast of new features, product upgrades, and upcoming programs, WatchGuard first announces their availability to our existing customers.
Activating the LiveSecurity® Service
The LiveSecurity Service can be activated using the activation section of the WatchGuard LiveSecurity Web pages.
To activate the LiveSecurity Service:
1 Be sure that you have the Firebox Vclass serial number handy. You will need this during the activation process.
- The Firebox Vclass serial number is displayed in two locations: a small silver sticker on the outside of the shipping box, and a sticker on the back of the Firebox Vclass just below the UPC bar code.
2 Using your Web browser, go to: http://www.watchguard.com/activate
NOTE
You must have JavaScript enabled on your browser to be able to activate LiveSecurity Service.
3 Complete the Account Profile page.
All of the fields are required for successful registration. The profile information helps WatchGuard target information and updates to your needs.
4 Click Register.
The Product Selection page appears.
5 Select your product and click Next.
The Activation page appears.
6 Verify that your email address is valid. You will receive your activation confirmation mail and all of your LiveSecurity broadcasts at this address.
7 Enter the serial number of your product.
8 Select the language you prefer.
9 Review the EULA and click Continue.
The Feature Key page appears.
10 The Feature Key page displays the unique feature key for your unit.
NOTE
To enable VPN 3DES encryption for your unit, you must copy this feature key information into Vcontroller software. For information on copying the feature key into Vcontroller software, see “Importing LiveSecurity Feature Key” on page 13.
11 Click Continue.
The Confirmation Web page appears.
Importing LiveSecurity Feature Key
To import a feature key from the LiveSecurity Service Web site to Vcontroller software:
1 Launch Vcontroller software.
2 Click System Configuration.
3 Click on the License tab.
4 Click Add.
The Import License window appears.
5 Copy the feature key information generated on the Feature Key page from the LiveSecurity Service Web site.
NOTE
If you closed the Feature Key page, you can regenerate your Feature Key by logging back into LiveSecurity Service on the WatchGuard Web site at: https://www3.watchguard.com/archive/login.asp
Once logged into the LiveSecurity Service, you can regenerate your unit’s unique Feature Key by selecting Get Feature Key.
6 Click Paste in the Import License window.
7 Click Import License to add the license.
You have completed importing the LiveSecurity feature key.
Click Active Features to check what features are activated.
LiveSecurity® Self Help Tools
Online support services help you get the most out of your WatchGuard products.
NOTE
You must register for LiveSecurity Service before you can access the online support services.
Advanced FAQs (frequently asked questions)
Detailed information about configuration options and interoperability.
Known Issues
Confirmed issues and fixes for current software.
Interactive Support Forum
A moderated Web board about WatchGuard products.
Online Training
Information on product training, certification, and a broad spectrum of publications about network security and WatchGuard products. These courses are designed to guide users through all components of WatchGuard products. These courses are modular in design, allowing you to use them in a manner most suitable to your learning objectives. For more information, go to: www.watchguard.com/training/courses_online.asp
Learn About
A listing of all resources available for specific products and features.
Product Documentation
A listing of current product documentation from which you can open PDF files.
To access the online support services:
1 From your Web browser, go to http://www.watchguard.com/ and select Support.
2 Log in to LiveSecurity Service.
Interactive Support Forum
The WatchGuard Interactive Support forum is an online group in which the users of the WatchGuard Firebox Vclass and Firebox System exchange ideas, questions, and tips regarding all aspects of the product, including configuration, compatibility, and networking. This forum is categorized and searchable. The forum is moderated during regular business hours by WatchGuard engineers and Technical Support personnel. However, this forum should not be used for reporting support issues to WatchGuard Technical Support. Instead, contact WatchGuard Technical Support directly via the Web interface or telephone.
Joining the WatchGuard users forum
To join the WatchGuard users forum:
1 Go to www.watchguard.com. Click Support. Log into LiveSecurity Service.
2 Under Self-Help Tools, click Interactive Support Forum.
3 Click Create a user forum account.
4 Enter the required information in the form. Click Create.
The username and password should be of your own choosing. They should not be the same as that of your LiveSecurity Service.
5 When you are done, click anywhere outside the box to close it.
Product Documentation
WatchGuard products are fully documented on our Web site at: http://help.watchguard.com/documentation/default.asp.
Assisted Support
WatchGuard offers a variety of technical support services for your WatchGuard products. Several support programs, described throughout this section, are available through WatchGuard Technical Support. For a summary of the current technical support services offered, please refer to the WatchGuard Web site at: http://support.watchguard.com/aboutsupport.asp
NOTE
You must register for LiveSecurity Service before you can receive technical support.
LiveSecurity® Program
WatchGuard LiveSecurity Technical Support is included with every new Firebox Vclass. This support program is designed to assist you in maintaining your enterprise security system involving our Firebox Vclass, Firebox System, SOHO, ServerLock, AppLock, and VPN products.
Hours
WatchGuard LiveSecurity Technical Support business hours are 4:00 AM to 7:00 PM Pacific Time (GMT-8, or GMT-7 during daylight saving time), Monday through Friday. (Exception: SOHO Program is 24 hours a day, 7 days a week.)
Phone Contact
877.232.3531 in U.S. and Canada
+1.360.482.1083 all other countries
Web Contact http://www.watchguard.com/support
Response Time
Four (4) business hours maximum target
Type of Service
Technical assistance for specific issues concerning the installation and ongoing maintenance of Firebox Vclass, Firebox System, SOHO, and ServerLock enterprise systems
Single Incident Priority Response Upgrade (SIPRU) and Single Incident After-hours Upgrade (SIAU) are available.
For more information, please refer to WatchGuard Web site at: http://support.watchguard.com/lssupport.asp
LiveSecurity® Gold Program
This premium program is designed to meet the aggressive support needs of companies that are heavily dependent upon the Internet for Web-based commerce or VPN tunnels.
WatchGuard Gold LiveSecurity Technical Support offers support coverage 24 hours a day, seven days a week. Our Priority Support Team is available continuously from 7 PM Sunday to 7 PM Friday Pacific Time (GMT-8, or GMT-7 during daylight saving time), and can help you with any technical issues you might have during these hours.
We target a one-hour maximum response time for all new incoming cases. If a technician is not immediately available to help you, a support administrator will log your call in our case response system and issue a support incident number.
Firebox Vclass Installation Services
WatchGuard Remote Firebox Vclass Installation Services are designed to provide you with comprehensive assistance for basic Firebox Vclass installation. You can schedule a dedicated two-hour time slot with a WatchGuard technician to help you review your network and security policy, install the LiveSecurity software and Firebox Vclass hardware, and build a configuration in accordance with your company security policy. VPN setup is not included as part of this service.
VPN Installation Services
WatchGuard Remote VPN Installation Services are designed to provide you with comprehensive assistance for basic VPN installation. You can schedule a dedicated two-hour time slot with one of our WatchGuard technicians to review your VPN policy, help you configure your VPN tunnels, and test your VPN configuration. This service assumes you have already properly installed and configured your Firebox Vclass appliances.
Training and Certification
WatchGuard offers training, certification, and a broad spectrum of publications to customers and partners who want to learn more about network security and WatchGuard products. No matter where you are located or which products you own, we have a training solution for you.
WatchGuard classroom training is available worldwide through an extensive network of WatchGuard Certified Training Partners (WCTPs). WCTPs strengthen our relationships with our partners and customers by providing top-notch instructor-led training in a local setting.
WatchGuard offers product and sales certification, focusing on acknowledging the skills necessary to configure, deploy and manage enterprise security solutions.
Using the Online Help
Online help is available from almost all WatchGuard Vcontroller windows. Because the online help uses Web browsers for display, you should be aware of a problem in opening help in Netscape browsers. If you use a Netscape browser on a workstation running any Microsoft Windows operating system, version 4.7.3 or later is required for online help to work properly.
CHAPTER 3
Getting Started
The Firebox Vclass appliance acts as a barrier between your networks and the public Internet, protecting them from security threats. This chapter explains how to install the Firebox Vclass appliance into your network. You must complete the following steps in the installation process:
• “Gathering Network Information” on page 22
• “Setting up the Management Station” on page 23
• “Cabling the Appliance” on page 27
• “Start a Firebox Vclass Security Appliance” on page 27
• “Using Appliance Discovery” on page 29
• “Running the Vcontroller Installation Wizard” on page 34
• “Deploying the Firebox Vclass into your
For a quick summary of this information, see the WatchGuard Firebox Vclass QuickStart Guide included with your Firebox Vclass appliance.
This chapter is intended for new WatchGuard Firebox Vclass installations only. If you have a previously installed appliance with a prior software version, connect to it with Vcontroller, and then follow the upgrade instructions as described in “Upgrading and Downgrading the Software
If you already have one or more operational Firebox Vclass appliances in your network with the current software version, you can shortcut the installation and configuration process on a new factory-default appliance. For more information, see “Exporting and Importing Configuration Files” on page 410.
Before installing the Firebox Vclass appliance, verify the package contents. Consult the Firebox Vclass Hardware Guide to make sure you have received all of the proper contents.
Gathering Network Information
One good way to set up your network is to write down two sets of basic network information: the first set of information describes your current network–before deploying the Firebox Vclass appliance–and the second set represents your network after the Firebox Vclass appliance is deployed.
NOTE
Gathering network information is important for appliances deployed in Router Mode. Appliances deployed in Transparent Mode can integrate more easily into many areas of your existing network. For more information on these deployment modes, see “Router and Transparent Mode” on page 79.
Setting up the Management Station
The Management Station runs Vcontroller software, which is the primary administrative access to the appliance. The Management Station can also be used to archive log messages generated by the Log Manager. For more information on the Log Manager, see “Using Log Manager” on page 379.
You can use any computer or computers on your network as Management Stations.
Installing Vcontroller on a Windows workstation
Before you install Vcontroller software, make sure you gather all of the network addressing information that represents your new Firebox Vclass security appliance. Use the notes you completed in the previous section, “Gathering Network Information” on page 22.
NOTE
The installer installs a local copy of the correct version of the Java Runtime Environment, to enable the software to run. This installation of the JRE is independent of any other JRE or JDK you install on your system. For additional updates, check the WatchGuard Web site.
To install Vcontroller:
1 Remove the Vcontroller CD from the package and insert it in the workstation CD-ROM.
2 Locate and double-click the CD-ROM drive icon (usually found in the My Computer window). If AutoRun is enabled on the CD drive, the Installer launches automatically.
3 When the CD window contents appear, double-click the Windows folder.
4 When that window’s contents appear, double-click the setup.exe icon to start the installation of the Vcontroller software.
5 If the installer detects an older version of the software, it will prompt you to remove the older version. Remove all installed components, and when the installer has finished removing the components, run setup.exe again.
6 When the process is finished, a window appears, prompting you to start Vcontroller.
Installing Vcontroller on a Solaris workstation
Before you install Vcontroller software, make sure you gather all of the network addressing information that will represent your new Firebox Vclass security appliance. Use the notes you completed in the previous section, “Gathering Network Information” on page 22.
NOTE
Be sure to review the release notes that were included in this package for information about Solaris-Java issues, including the Solaris and JRE versions. For additional updates, check the WatchGuard Web site.
To install Vcontroller:
1 Insert the WatchGuard CD into the CD-ROM (in Solaris, the CD should automatically mount at /cdrom).
2 Start the installer application by entering the following commands:
cd /cdrom/watchguard
./setup.sh
3 The installer asks whether you have already installed the latest versions of the Java Run-time Environment (JRE) and Java Software Development Kit (JDK). If you have, type Y and then type the pathways of the JRE and JDK directories.
NOTE
If you have an older version of the JDK, the installer asks whether you prefer to use it instead of a more recent version. WatchGuard recommends that you install the most recent version.
4 If you have not installed JRE or JDK, type N . The installer quits, but provides information on where to obtain the most current versions of JRE and JDK software from the Sun Web site.
5 When the JRE and JDK software have been installed and any required Solaris updates are completed, execute the installer application again by entering the following commands:
cd /cdrom/watchguard
./setup.sh
6 When asked by the installation script for the directory location of the JRE and JDK software, enter the appropriate pathway.
7 Vcontroller installation is complete. To launch Vcontroller, execute the following command:
Vcontroller
Be certain the directory containing Vcontroller software is listed in the PATH environment variable.
Installing Vcontroller on a Linux workstation
Before proceeding, make sure you have all of the network addressing information that represents your new Firebox Vclass security appliance. Use the worksheet you filled out in the previous section, “Gathering Network Information” on page 22.
NOTE
Be sure to review the release notes that were included in this package for information about Linux-Java issues, including the Linux and JRE versions. For additional updates, check the WatchGuard Web site.
To install Vcontroller:
1 Insert the WatchGuard CD into the CD-ROM.
2 Start the installer application by entering the following commands:
mount /dev/cdrom -t iso9660 /mnt/cdrom
cd /mnt/cdrom
./setup.sh
3 The installer asks whether you have already installed the latest versions of the Java Run-time Environment (JRE) and JDK. If you have, type Y and then type the pathways of the JRE and JDK directories.
NOTE
If you have an older version of JDK, the installer asks whether you prefer to use it instead of a more recent version. WatchGuard recommends that you install the most recent version.
4 If you have not installed JRE or JDK, type N . The installer quits, but provides information on where to obtain the most current versions of JRE and JDK software from the Sun Web site.
5 When the JRE and JDK software have been installed and any required Linux updates are completed, start the installer application again by entering the following commands (the CD is mounted at /mnt/cdrom, as in step 2):
cd /mnt/cdrom
./setup.sh
6 When asked by the installation script for the directory location of the JRE and JDK, enter the appropriate pathway.
7 Vcontroller installation is complete. To launch Vcontroller, enter the following command:
Vcontroller
Be certain the directory containing Vcontroller software is listed in the PATH environment variable.
NOTE
Some versions of the JRE and JDK for Linux may display fonts incorrectly. In addition, you may encounter a “font not found” error.
Cabling the Appliance
The next procedure in the installation process is cabling the appliance to the Management Station. Refer to the Firebox Vclass Hardware Guide to make sure you have received all of the necessary cables.
1 Remove the Firebox Vclass appliance from its packaging.
2 Place the appliance on any stable flat surface near the Management Station.
3 Connect the appliance through interface 0 (Private) to the Management Station using the red crossover Ethernet cable (or corresponding optical cable depending upon the Firebox model).
4 Connect the appliance to a nearby power source using the power cord. If connecting the appliance to a UPS device, be sure to use the WatchGuard-supplied cable to connect the two devices through their respective RS-232 ports.
Start a Firebox Vclass Security Appliance
After you have placed the appliance on a surface near the Management Station and have made the network connections, you can power up the Firebox Vclass appliance.
All models except the V10
After you have plugged in the appliance, start the appliance using the switch on the back. The Ready LED will blink while the appliance initializes. When the appliance is ready, the light will stop blinking and remain lit. This may take two or three minutes.
Firebox V10
Connect the appliance end of the power cable to the jack on the V10 before you connect the plug end of the power cable to the AC outlet.
When your appliance has been started and initialized, the following lights on the front of the device should be lit:
• The Power LED
• The Ready LED
• One of the Private, Public, and DMZ interface speed indicator lights, if those connections have been made.
If problems occur
If the expected lights are not lit, check the following:
• If the Power LED is not lit, disconnect and reconnect the power cord. For the V10, disconnect the power cord from the outlet, not from the appliance.
• If the Ready LED is still blinking after more than five minutes, use the power switch on the back of the appliance to turn off the power, and then restart the appliance and reinitiate the startup process.
• Make sure all data cables and the power cord are fully seated in their sockets.
Using Appliance Discovery
After the WatchGuard Vcontroller is installed on the Management Station, you can use Vcontroller to discover any new factory default appliance on the network. This appliance must be connected to the same LAN segment or subnet as the Management Station through interface 0 (Private).
1 Launch Vcontroller.
The Vcontroller Login dialog box appears.
2 Click the binoculars icon to the right of the Server/IP Name drop-down list.
The WatchGuard Security Appliance Discovery dialog box appears.
3 Click Find to start the process.
If the Management Station has more than one NIC, you must select the IP address of the appropriate card from the drop-down list before proceeding.
A status dialog box appears and remains displayed until the discovery process is complete.
If no appliance is discovered
If no appliances are discovered, a Devices Not Found dialog box appears.
Check the Firebox Vclass appliance for the following:
- Verify that the appliance has been properly connected to the network.
- Verify that all cable connections are secure.
- Make sure that the appliance is turned on. The Ready LED should be lit.
Click Find Again to attempt another discovery.
If an appliance is discovered
When an appliance is discovered, the Devices Found dialog box appears, displaying all discovered appliances with their models and serial numbers.
This window provides the following features:
• A large list area that displays all of the appliances discovered in the local subnet. In this case, only your new Firebox Vclass appliance will be listed. You can set interface 0 (Private) IP addresses or import profiles into more than one appliance at the same time.
• A collection of options that enable you to set the identity of a selected appliance’s Private interface or import an existing appliance profile into a selected device.
You set the IP address of the Interface 0 as described in the following section. This is the task you perform with a new appliance.
NOTE
If you have already installed and configured at least one Firebox Vclass appliance, you can import its configuration information into a new factory default appliance using an XML profile. For more information, see “Exporting and Importing Configuration Files” on page 410.
Setting the IP address of Interface 0 or the System IP
If you are deploying the Vclass appliance in Router Mode, you must now assign a temporary IP address to interface 0 (Private) for use in the initial configuration. If you are deploying the device in Transparent Mode, you must set the System IP. After this is complete, you can log in with Vcontroller and perform further configuration.
1 From the Devices Found field, select the appliance you want to configure.
2 Click the Set Interface IP button.
3 Click Router Mode or Transparent Mode to set the System Mode.
4 For Router Mode, in the Interface 0 IP field, type an unused IP address from the same subnet as the Management Station. This IP address will apply only to Interface 0 (Private). In the Interface 0 Mask field, type the subnet mask for this IP address.
5 For Transparent Mode, in the System IP field, type an unused IP address from the same subnet as the Management Station. This IP address will apply to all interfaces on the appliance. In the System Mask field, type the subnet mask for this IP address.
6 Click Update.
If more than one appliance is listed in this window, you can set an IP address for each appliance at this time, prior to clicking Apply All.
7 If there are no more appliances to be set, click Apply All.
A confirmation window appears.
8 Click Yes.
The Result window appears.
9 Wait for the Result window to display “ALL DONE” and then click Close to return to the Set Interface window.
You can now use Vcontroller to edit the interface for this appliance and continue the installation process.
Running the Vcontroller Installation Wizard
This section guides you through the Installation Wizard, a component of the Vcontroller application. The Installation Wizard provides the basic configuration for a new appliance and prepares the Vcontroller software for use with this and other Firebox Vclass appliances.
Before You Begin
To complete the initial installation of a new Firebox Vclass appliance, you need the following network address information:
• Unused IP addresses and network masks to assign to all interfaces of this appliance that you will use (Router Mode), or a single unused IP address and network mask that will govern all interfaces on the appliance (Transparent Mode)
• A domain name for this appliance
• Any basic network routing information (static and dynamic)
• The IP addresses of all DNS servers that will be used by this appliance
• The IP addresses of any SNMP management stations
• The VPN client user name and password (for Firebox V10 setup)
If you need to make any changes to the configuration at a later date, you can do so with the System Configuration window, as described in “System Configuration” on page 89.
Starting the Installation Wizard
1 Start the Firebox Vclass appliance (see “Start a Firebox Vclass Security Appliance” on page 27).
2 Launch Vcontroller and click Login.
The Login dialog box appears.
3 Type the IP address or host name of the Firebox Vclass in the Server IP/Name field or select it from the dropdown list.
4 Type your administrator login name and password in the appropriate fields. The default login name and password for a factory-default Firebox Vclass appliance are both admin. Change the default password as soon as the initial configuration is complete; until you do, anyone who can reach interface 0 can log in to the appliance as the administrator with the documented default credentials.
NOTE
All data traffic between the Management Station and the Firebox Vclass appliance, including all configuration exchanges, is protected by SSL, using 128-bit RC4 and SHA1.
5 Click OK.
The Installation Wizard Welcome page appears.
6 Read the qualifications and instructions.
Edit the General information
1 Click Next to proceed.
The General Information window appears.
2 In the System Name field, type either the assigned DNS name for the appliance or another arbitrary name.
3 In the System Location field, type a description of where your appliance will be used. This can be a building, floor number, office name, or other simple description.
4 In the System Contact field, enter the name and phone number or email address of the principal administrator or department responsible for management of the appliance.
Changing the System Time, Date and Time Zone
Click Change to open the Date, Time, and Time Zone window. Make any necessary adjustments, and click OK.
Configure the Interfaces in Router Mode
This procedure describes how to configure an interface using the Installation Wizard for an appliance running in Router Mode.
Configure Interface 0 (Private)
1 Click Next.
The Interface Information window appears. The appliance is in Router Mode by default.
2 Double-click on Interface 0 to edit it. The Edit Interface window appears.
3 Enter the IP address and network mask for the interface in the appropriate fields. If you wish to change the size of the Maximum Transmission Unit (MTU), type a number in the MTU field. This number represents the maximum size (in bytes) of a packet.
4 If you want to enable the appliance as a DHCP server, click Enable DHCP Server.
5 Enter the maximum number of potential clients that will be assigned IP addresses in the Number of Clients field.
6 Select either Days or Hours from the Leasing Time drop-down list, and type the number of hours or days that an IP address will be loaned to a DHCP client.
7 You can use a separate DHCP server with the Vclass appliance using DHCP relay. This option makes the Vclass act as a DHCP agent, requesting DHCP leases from a separate DHCP server. Click DHCP Relay to use this option.
A Remote DHCP Server IP field appears.
8 In the Remote DHCP Server IP field, type the appropriate IP address.
Configure Interface 1 (Public)
1 To configure Interface 1 (Public) for Static, DHCP, or PPPoE addressing, choose the appropriate interface option and provide the relevant entries as follows:
Static IP
Enter the IP address and network mask in the appropriate fields.
DHCP
Enter the IP address or DNS host name of the DHCP server assigned by your ISP in the Host ID field. (This entry is optional.)
PPPoE
Enter the user name and password assigned to you by your ISP in the appropriate fields.
2 Click Backup Connection to configure WAN Interface Failover, if desired. This allows you to specify a backup ISP to provide Internet service to interface 1 in the event of a primary ISP failure.
The Edit Backup Connection screen appears.
3 Select the Enable WAN Interface Failover checkbox to enable failover to another ISP. Configure the interface as previously described, by clicking Static, DHCP, or PPPoE and entering the required values.
For the backup WAN connection, PPPoE is only available in an Always On state. Dial-on-Demand is not available.
4 Establish Connection Failure Detection criteria.
This section of the screen allows you to enter 3 different IP addresses that the appliance should be able to ping, to determine whether the network is up or down, and timing values to determine when the ISP has failed.
5 Type up to three IP addresses for public, well-known and robust Internet sites that allow ping. Examples include Yahoo, Google, and eBay. Do a DNS lookup for the IP addresses of these sites, and remember that they change frequently, so check periodically that these addresses are still valid.
6 Type the Polling Interval in seconds to determine failover. This determines the amount of time between ping sessions to test the servers listed in the previous step. The default is 30 seconds.
7 Type the Polling Timeout in seconds to determine failover. The default is 5 seconds. If none of the listed servers respond to a ping request within this interval, the connection is considered failed, and a failover occurs.
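The following Python script is an added example, not part of this guide or of the appliance software, whose failure-detection implementation is not published. It models the rule stated in steps 4 through 7: ping up to three targets once per polling interval and treat the primary ISP as failed only when none of them answers within the polling timeout. The target addresses are documentation addresses (RFC 5737), the probe function is injected so the script runs offline, and the check that three timeouts still fit inside one polling interval is this example's own sanity check, not something the wizard enforces.

```python
"""Connection-failure detection for WAN interface failover (added example)."""
import subprocess
import sys
from dataclasses import dataclass, field
from typing import Callable, Sequence

DEFAULT_POLLING_INTERVAL = 30.0  # seconds between ping rounds (guide default)
DEFAULT_POLLING_TIMEOUT = 5.0    # seconds to wait for each reply (guide default)
MAX_TARGETS = 3                  # the wizard accepts up to three addresses

Probe = Callable[[str, float], bool]  # (ip, timeout_seconds) -> replied?


@dataclass
class FailoverMonitor:
    targets: Sequence[str]
    interval: float = DEFAULT_POLLING_INTERVAL
    timeout: float = DEFAULT_POLLING_TIMEOUT
    rounds: list = field(default_factory=list)  # per-round reply map, kept for diagnosis

    def __post_init__(self) -> None:
        if not 1 <= len(self.targets) <= MAX_TARGETS:
            raise ValueError(f"need 1..{MAX_TARGETS} targets, got {len(self.targets)}")
        # Sanity check added by this example (the guide does not state it): if every
        # target times out, the round must still finish before the next round starts.
        if len(self.targets) * self.timeout >= self.interval:
            raise ValueError("targets * timeout must be shorter than the polling interval")

    def poll(self, probe: Probe) -> bool:
        """One polling round. True means the primary link is still considered up.

        Any single reply keeps the link up; failover is triggered only when every
        listed target fails to answer within the timeout.
        """
        replies = {ip: probe(ip, self.timeout) for ip in self.targets}
        self.rounds.append(replies)
        return any(replies.values())

    def unreachable_targets(self) -> set:
        """Targets that have never answered in any round so far.

        A target that stays silent while the others answer is more likely a stale
        address (the guide warns that these change) than a sign of an ISP outage.
        """
        never = set(self.targets)
        for replies in self.rounds:
            never -= {ip for ip, ok in replies.items() if ok}
        return never


def make_probe(reachable: set) -> Probe:
    """Offline probe: a target replies iff it is in the constructed reachable set."""
    return lambda ip, timeout: ip in reachable


def system_ping(ip: str, timeout: float) -> bool:
    """Real probe: one ICMP echo request via the OS ping command.

    Flags follow Linux (-W in seconds) and Windows (-w in milliseconds); macOS
    ping takes -W in milliseconds, so adjust there.
    """
    if sys.platform.startswith("win"):
        cmd = ["ping", "-n", "1", "-w", str(int(timeout * 1000)), ip]
    else:
        cmd = ["ping", "-c", "1", "-W", str(max(1, int(timeout))), ip]
    try:
        done = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout + 2)
    except (subprocess.TimeoutExpired, OSError):
        return False
    return done.returncode == 0


def simulate(targets: Sequence[str], rounds: Sequence[set]) -> list:
    """Run scripted rounds (each a set of targets that answer) and return the
    per-round up/down decisions."""
    monitor = FailoverMonitor(targets)
    return [monitor.poll(make_probe(reachable)) for reachable in rounds]


if __name__ == "__main__":
    # Constructed targets from documentation ranges (RFC 5737), not real sites.
    TARGETS = ["192.0.2.10", "198.51.100.20", "203.0.113.30"]
    # Round 1: all answer. Round 2: one stale address is silent, link still up.
    # Round 3: nothing answers, so the appliance would fail over to the backup ISP.
    for up in simulate(TARGETS, [set(TARGETS), {"192.0.2.10"}, set()]):
        print("primary up" if up else "primary FAILED -> failover")
```

Because a single round with no replies is enough to fail over, the three targets should sit on different networks; if all three resolve to the same hosting provider, an outage there looks exactly like an ISP failure.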
Configure Interface 2 and 3 (DMZ)
1 To configure Interface 2 and 3 (if applicable), enter the IP address and network mask in the appropriate fields.
2 When you have finished with the Interface window entries, click Next .
The Interface Change dialog box appears, providing two options: Save Only and Apply.
3 Click Save Only . Click OK to proceed.
WatchGuard recommends selecting Save Only in order to continue with the Installation Wizard.
If you select Apply, and then click OK, the Wizard prompts you to stop the installation process and restart the Firebox Vclass appliance to apply the changes. You will need to log in again, using the new IP address information, to continue configuring the appliance. For information on configuring the appliance without using the Installation Wizard, see “System
Configure the Interfaces in Transparent Mode
In Transparent Mode, the Firebox Vclass is given a single System IP and System Subnet Mask. These addresses are used for all interfaces on the system. For more information on Transparent Mode, see “Router and Transparent Mode” on page 79.
To configure interfaces in Transparent Mode:
1 Click Next from the General window of the installation wizard, or click the Interfaces tab.
2 Click Transparent Mode .
The appliance must be in factory default configuration to switch to Transparent Mode. If the device has already been configured, you must restore it to factory default before taking this step. See “Restoring to Factory Default” on page 407.
3 In the System IP field, type the IP address that will be used for all interfaces on the appliance.
4 In the System Mask field, type the Subnet Mask address that will be used for all interfaces on the appliance.
You can change the link speed and MTU (Maximum Transmission Unit size) for each physical interface, or leave the defaults (Auto Negotiate/1500 bytes).
5 To change the link speed and MTU values for an interface, double-click the interface entry in the table under System IP .
Configure Routing
1 From the Interface Information window, click Next .
The Routing screen appears.
NOTE
All entries made to configure routing are optional for completing the Installation Wizard and are dependent upon your network environment.
2 In the Specify Default Route field, type the IP address of the default gateway.
3 If you want to enter any additional network routes for this appliance, click Add .
The Add Route dialog box appears.
4 Type the destination IP address, network mask, and gateway of the route in the appropriate fields.
5 Select the interface–0, 1, 2, or 3–through which traffic will be exchanged, from the Interface/Port drop-down list.
6 Type the Metric number in the appropriate field.
7 Click OK .
8 Repeat this process as needed.
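The following Python script is an added example, not part of this guide or of the appliance software. It implements the standard selection rule for the kind of table the Routing screen builds (destination, mask, gateway, interface 0 to 3, metric): the longest matching prefix wins, equal prefixes are decided by the lower metric, and the default route is simply the shortest prefix, 0.0.0.0/0. Running a planned route set through it shows which gateway a given destination would actually take before the routes are applied. The addresses and interface assignments are illustrative.

```python
"""Static route selection with a default route (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str
    iface: int          # appliance interface 0..3, as in the Interface/Port list
    metric: int = 1


class RouteTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, destination: str, mask: str, gateway: str,
            iface: int, metric: int = 1) -> Route:
        """Add a route the way the Add Route dialog takes it: destination, mask,
        gateway, interface and metric. A destination with host bits set under the
        mask is rejected as a probable typo (ipaddress raises ValueError for it)."""
        if iface not in (0, 1, 2, 3):
            raise ValueError(f"interface must be 0, 1, 2 or 3, not {iface}")
        ipaddress.ip_address(gateway)  # raises ValueError if the gateway is malformed
        route = Route(ipaddress.ip_network(f"{destination}/{mask}"), gateway, iface, metric)
        self.routes.append(route)
        return route

    def set_default(self, gateway: str, iface: int, metric: int = 1) -> Route:
        """The Specify Default Route field: 0.0.0.0/0, the shortest possible prefix."""
        return self.add("0.0.0.0", "0.0.0.0", gateway, iface, metric)

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest matching prefix wins; equal prefixes are decided by the lower
        metric. None means there is no route at all, not even a default."""
        addr = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if addr in r.network]
        if not candidates:
            return None
        return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))

    def next_hop(self, dst: str) -> Optional[Tuple[str, int]]:
        """(gateway, interface) a packet for dst would be sent to, or None."""
        route = self.lookup(dst)
        return None if route is None else (route.gateway, route.iface)


if __name__ == "__main__":
    # Constructed table: private branch networks behind interface 0 and 2,
    # an alternate path on interface 3, and the ISP gateway as default on interface 1.
    rt = RouteTable()
    rt.set_default("203.0.113.1", 1)
    rt.add("10.1.0.0", "255.255.0.0", "10.0.0.254", 0)
    rt.add("10.1.5.0", "255.255.255.0", "10.0.0.253", 2, metric=5)
    rt.add("10.1.5.0", "255.255.255.0", "10.0.0.252", 3, metric=1)
    for dst in ("10.1.5.7", "10.1.9.1", "8.8.8.8"):
        print(dst, "->", rt.next_hop(dst))
```

Note that without a default route the table returns None for any destination outside the listed networks, which is the "no route" case rather than a silent fall-through to interface 1.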
Define the DNS servers
1 When you have finished adding routes, click Next to proceed to the next step of the Installation Wizard. If you added any new routes, a confirmation window appears; click OK.
The Setup DNS Servers window appears.
NOTE
All entries made to configure DNS servers are optional for completing the Installation Wizard, and will differ based on your network configuration.
2 Type the domain name of the Firebox Vclass appliance in the Domain Name field.
3 To add a DNS server, click Insert.
The DNS Server window appears.
4 Type the DNS server IP address in the appropriate field and then click Add.
Repeat this process if needed to add more DNS servers.
Define a Default Firewall Policy
1 When you have finished listing the DNS servers, click Next to proceed.
The Default Firewall Policy window appears.
NOTE
All entries made to configure the default firewall policy are optional for completing the Installation Wizard and are dependent upon your network environment.
2 Determine your default firewall policy or select the No Change option.
3 If you decide to activate the default firewall policy, select the Select the predefined Firewall Policies checkbox and then determine which of the following predefined policies you want to enable.
Allow ping to the device
Allows ping traffic to the private interface of this appliance from other workstations within the network.
Allow all Out-bound traffic from the Private Port
Allows all internal network users to have unlimited access to all external network connections.
Deny all In-bound traffic from the Public Port
Blocks all incoming traffic from external networks to Interface 1 (Public). If you want to permit particular types of traffic to gain access to part or all of your network, activate the relevant policy.
You can later customize your firewall policies to provide further protections. For more information on configuring firewall policies, see “About Security Policies” on page 159.
NOTE
If you do not activate any predefined policy, you must configure a customized security policy. Otherwise, the Firebox Vclass appliance will not permit any traffic to pass through in any direction.
4 To enable a variety of measures to counteract hackers, click the Hacker Prevention button at the bottom of the screen.
The Hacker Prevention dialog box appears.
Denial of service options
These options safeguard your servers from Denial of Service (DoS) attacks. Denial of Service attacks flood your network with requests for information, clogging your servers and possibly shutting down your sites.
ICMP Flood Attack
Protects against a sustained flood of ICMP pings.
Select this checkbox, then type the threshold number in the text field.
SYN Flood Attack
Protects against a sustained flood of TCP SYN requests without the corresponding ACK response.
Select this checkbox, then type the threshold number in the text field.
UDP Flood Attack
Protects against a sustained flood of UDP packets.
Select this checkbox, then type the threshold number in the text field.
Ping of Death
Protects against user-defined large data-packet pings.
IP Source Route
Protects against packets that carry the IP source-route option. Source routing lets the sender dictate the path replies take, so an attacker can forge a trusted client address and still receive the responses, bypassing address-based firewall filtering.
Distributed denial of service options
As a subset of Denial of Service attacks, Distributed DoS (DDoS) attacks occur when hackers coordinate a number of compromised computers for malicious purposes and program them to simultaneously assault a network with information requests. If this type of attack is allowed to pass through, your servers can be overwhelmed, causing them to crash.
Per Server Quota
Safeguards your servers against attacks from any client to any single server. Select this checkbox, then type the threshold number in the text field.
The number here represents the maximum request capacity per second of the server. If more than the specified number of connection requests are received, the Firebox Vclass appliance drops the excess requests.
Per Client Quota
Restricts the number of connection requests from a single client in one second. Select this checkbox, then type the threshold number in the appropriate text field. This number represents the maximum number of requests per second from a single client.
If more than the specified number of connection requests are received, the Firebox Vclass appliance drops the excess requests.
For a brief overview of the distributed denial-of-service options, click How does this work?
An online Help window displays more information about these options.
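The following Python script is an added example, not part of this guide or of the appliance software, whose counting logic is not published. It implements the rule the Per Server Quota and Per Client Quota descriptions give (count connection requests per second per server and per client, and drop everything above the configured number) as fixed one-second window counters. The flood thresholds are modelled the same way, keyed by packet type; that is an assumption, since the guide only says each has a threshold number. The request stream is constructed, using RFC 1918 and RFC 5737 addresses.

```python
"""Per-second quotas and flood thresholds as the Hacker Prevention dialog
describes them (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class ConnRequest:
    ts: float        # arrival time in seconds
    client: str      # source IP
    server: str      # destination IP
    kind: str        # "syn", "udp" or "icmp" (constructed labels)


class HackerPrevention:
    """Fixed-window counters: all requests in the same whole second share a bucket."""

    def __init__(self, per_client: Optional[int] = None,
                 per_server: Optional[int] = None,
                 flood: Optional[Dict[str, int]] = None) -> None:
        self.per_client = per_client          # max requests/second from one client
        self.per_server = per_server          # max requests/second to one server
        self.flood = flood or {}              # packet kind -> threshold/second
        self._counts: Dict[tuple, int] = defaultdict(int)  # (scope, key, second) -> n
        self._newest_second = -1

    def _over(self, scope: str, key: str, second: int, limit: Optional[int]) -> bool:
        """Count one received request and report whether it exceeds the limit."""
        bucket = (scope, key, second)
        self._counts[bucket] += 1
        return limit is not None and self._counts[bucket] > limit

    def _expire(self, second: int) -> None:
        # Drop buckets from earlier seconds so memory does not grow with the attack.
        if second > self._newest_second:
            self._newest_second = second
            for bucket in [b for b in self._counts if b[2] < second]:
                del self._counts[bucket]

    def admit(self, req: ConnRequest) -> Optional[str]:
        """Return None to admit the request, or the name of the first quota it breaks."""
        second = int(req.ts)
        self._expire(second)
        # Every received request is counted in all three scopes, so a client that is
        # already being dropped still consumes its server's per-second budget.
        checks = (
            ("client", req.client, self.per_client),
            ("server", req.server, self.per_server),
            ("flood", req.kind, self.flood.get(req.kind)),
        )
        reason = None
        for scope, key, limit in checks:
            if self._over(scope, key, second, limit) and reason is None:
                reason = scope
        return reason


def run(requests: Iterable[ConnRequest], guard: HackerPrevention) -> Dict[str, int]:
    """Feed requests through the guard and tally admitted vs dropped-by-reason."""
    stats: Dict[str, int] = defaultdict(int)
    for req in requests:
        reason = guard.admit(req)
        stats["admitted" if reason is None else "dropped_" + reason] += 1
    return dict(stats)


def sample_requests() -> list:
    """Constructed traffic, not a real capture."""
    server = "192.0.2.1"
    reqs = []
    # Second 0: one client opens 15 connections to one server (per-client quota case).
    reqs += [ConnRequest(0.0 + i / 100, "10.0.0.5", server, "syn") for i in range(15)]
    # Second 1: five clients, three connections each, 15 in total (per-server quota case).
    reqs += [ConnRequest(1.0 + i / 100, f"10.0.0.{11 + i % 5}", server, "syn")
             for i in range(15)]
    # Second 2: one client sends six pings (ICMP flood threshold case).
    reqs += [ConnRequest(2.0 + i / 100, "10.0.0.9", server, "icmp") for i in range(6)]
    return reqs


if __name__ == "__main__":
    guard = HackerPrevention(per_client=10, per_server=12, flood={"icmp": 4})
    print(run(sample_requests(), guard))
```

With the quotas set to 10 per client, 12 per server and an ICMP threshold of 4, the constructed stream yields 26 admitted requests and 10 drops: 5 by the client quota, 3 by the server quota and 2 by the ICMP threshold. The per-server number is the one to size carefully, since it caps legitimate load as well as attack traffic.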
Using Dynamic Network Address Translation (DNAT)
1 When you have configured the preferred levels of hacker defense, click OK to close this window, and click Next to proceed.
If you enabled the Allow all outbound traffic from the Interface 0 (private) option, a DNAT window appears.
2 If you want to use dynamic NAT, click Yes .
A default dynamic NAT policy is added to the outbound traffic policy.
Change the Password
The Change Password screen appears. This step requires you to replace the default password of the admin account with a new, secure password of your choosing.
1 In the Password field, type a new password.
Passwords must be between 6 and 20 characters, can include letters or numbers, and are case-sensitive. Six characters is the minimum the appliance accepts, not a recommended length; use as much of the 20-character limit as is practical.
2 Confirm the password by retyping it in the provided field.
3 Click Next to proceed.
The completion window appears.
4 Click Finish .
5 If you changed the IP address for interface 0 (Private), a window appears, asking if you want to restart the Firebox Vclass appliance. Click Yes.
The Firebox Vclass appliance reboots and reinitializes itself.
Deploying the Firebox Vclass into your Network
After the appliance reboots, restart Vcontroller and perform a complete shutdown of the appliance. When the shutdown is complete, you can turn off the appliance and move it to a permanent network setting, if it is not already there.
1 Launch Vcontroller.
2 In the Server IP/Name field, type the IP address of interface 0 (Router Mode), the System IP (Transparent Mode), or the fully qualified host name.
Vcontroller remembers the IP addresses of all appliances and stores them in this drop-down list. You will, however, need to remember all the separate passwords.
3 In the Name field, type admin .
4 In the Password field, type your newly created secure password .
5 Click OK to connect to the appliance.
The main Vcontroller window appears.
6 Click Shut down .
7 When the shutdown confirmation window appears, click OK .
The appliance performs a full shutdown. The Ready LED blinks for a short interval and then turns off when shutdown is complete.
NOTE
Do not power down the appliance until the Power and Ready LEDs have been off for 30 seconds.
8 Use the switch on the back of the appliance to turn off the Firebox, or, if you have a V10, disconnect the power cord to turn off the appliance.
9 Disconnect all the cables and move the appliance to its permanent network setting.
After you place the appliance in its permanent location and make the necessary physical network connections, you can restart the appliance.
• Use the power cord to connect the appliance to a UPS device or to a protected outlet.
• For a V10, make sure that you connect the power cord to the V10 before you connect it to the AC outlet or the UPS device. This will start the V10 appliance.
• For all other models, turn on the power with the switch on the back of the appliance.
When the appliance has started, the Ready LED blinks while the initialization process occurs. When initialization is complete, the Ready LED remains lit.
CHAPTER 4
Firebox Vclass Basics
This chapter provides an overview of the Firebox Vclass hardware and the companion Vcontroller software.
What is a Firebox Vclass Appliance?
Every Firebox Vclass appliance is a combination of powerful network-monitoring hardware and software policies that you, the administrator, set up and maintain. With every incoming or outgoing data stream that it detects, the appliance performs a two-stage task:
• It analyzes the initial packet for key traffic specifications, including source, destination, type of service, and specific appliance interface used by the data stream.
• If the data matches all the specifications established in a given policy, the appliance takes action, directing that packet and the stream that follows to the desired destination. It can also block traffic, deny traffic, or strip out offending parts of a message or stream.
A policy can also prompt the Firebox Vclass appliance to take other actions with the same data stream.
You can create policies for the Firebox Vclass that watch for varying combinations of traffic specifications. After a set of traffic specifications are defined, you can set up one or more actions that the Firebox Vclass appliance should take with any qualifying data.
You can create proxies for the Firebox Vclass that inspect the contents of packets, beyond the headers and traffic specifications, for a deeper level of security.
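The following Python script is an added example, not part of this guide or of the appliance software, whose policy engine is not published. It ties together the two-stage description above and the three predefined policies offered by the Installation Wizard: policies are matched in order against the first packet's arrival interface, source, destination and service; the decision is cached for the rest of the stream; and a packet no policy matches is denied, which is what the guide says happens when no predefined policy is activated. Interface numbering (0 Private, 1 Public, 2 DMZ), addresses and the absence of a source port in the flow key are simplifications chosen for illustration.

```python
"""Ordered policy matching with default deny and a per-stream decision cache
(added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    iface: int                   # appliance interface the packet arrived on (0..3)
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None for ICMP


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                          # "allow" or "deny"
    iface: Optional[int] = None          # None = any interface
    src: ipaddress.IPv4Network = ANY_NET
    dst: ipaddress.IPv4Network = ANY_NET
    proto: Optional[str] = None          # None = any protocol
    dport: Optional[int] = None          # None = any port

    def matches(self, pkt: Packet) -> bool:
        return ((self.iface is None or self.iface == pkt.iface)
                and ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(pkt: Packet, policies: List[Policy]) -> Tuple[str, str]:
    """Stage one: the first matching policy wins. With no match the appliance
    passes nothing, so the fall-through is an explicit deny."""
    for pol in policies:
        if pol.matches(pkt):
            return pol.action, pol.name
    return "deny", "implicit-default-deny"


class FlowCache:
    """Stage two: decide on the first packet of a stream, then apply the same
    decision to the packets that follow it without re-evaluating the catalog."""

    def __init__(self, policies: List[Policy]) -> None:
        self.policies = policies
        self._flows: Dict[Packet, Tuple[str, str]] = {}
        self.lookups = 0  # number of full policy evaluations performed

    def handle(self, pkt: Packet) -> Tuple[str, str]:
        if pkt not in self._flows:
            self.lookups += 1
            self._flows[pkt] = evaluate(pkt, self.policies)
        return self._flows[pkt]


def wizard_policies(private_net: str, device_private_ip: str) -> List[Policy]:
    """The three predefined policies the Installation Wizard offers, in order.
    Interface 0 is Private and interface 1 is Public, as in Router Mode."""
    net = ipaddress.ip_network(private_net)
    return [
        Policy("Allow ping to the device", "allow", iface=0, src=net,
               dst=ipaddress.ip_network(device_private_ip + "/32"), proto="icmp"),
        Policy("Allow all Out-bound traffic from the Private Port", "allow",
               iface=0, src=net),
        Policy("Deny all In-bound traffic from the Public Port", "deny", iface=1),
    ]


if __name__ == "__main__":
    fw = FlowCache(wizard_policies("10.0.0.0/24", "10.0.0.1"))
    for pkt in (
        Packet(0, "10.0.0.7", "10.0.0.1", "icmp"),            # ping the appliance
        Packet(0, "10.0.0.7", "203.0.113.80", "tcp", 443),    # outbound HTTPS
        Packet(1, "198.51.100.9", "10.0.0.7", "tcp", 22),     # inbound SSH attempt
        Packet(1, "10.0.0.7", "203.0.113.80", "tcp", 443),    # private source on public port
        Packet(2, "172.16.1.5", "10.0.0.7", "tcp", 445),      # from DMZ: no policy matches
    ):
        print(pkt.iface, pkt.src, "->", pkt.dst, fw.handle(pkt))
```

Binding the outbound allow policy to interface 0 as well as to the private address range is what stops a packet with a forged private source address arriving on the public port from riding the "allow all outbound" rule; with no interface condition it would be allowed.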
Firebox Vclass Features
The Firebox appliances provide the following features:
Firewall
Protects your network from unauthorized access and use.
Load balancing (except the V10 model)
Distributes incoming data to specific internal destinations.
Quality of Service
Makes data exchanges more efficient. Prioritizes and enhances user-specified data exchange.
Anti-hacker protection
Protects your network from a variety of potentially destructive hacker attacks.
VPN (Virtual Private Networking)
Provides secure communications with remote sites.
Dynamic NAT (Network Address Translation)
Also called IP masquerading. Maps outgoing private IP addresses to the Firebox’s external IP address, meaning outgoing source IP addresses are translated into the IP address of the box’s external interface. This prevents outsiders from “seeing” your private internal IP addresses. Incoming packets are translated from the external interface’s IP address into the appropriate private IP address.
Static NAT (except the V10 model)
Also called port forwarding. Forwards traffic arriving on the external interface for a given service port (such as port 80 for HTTP) to a specified internal host and port, so that originators of incoming traffic never learn which host is actually receiving the packets.
Multi-tenant domains (except the V10 model)
Manages traffic routed to and from both kinds of multiple-tenant virtual domains: user domains and VLANs.
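The following Python script is an added example, not part of this guide or of the appliance software, whose translation tables are not published. It models the two NAT features described above in one table: dynamic NAT rewrites the source of outgoing packets to the external interface address and reverses the mapping on the way back, dropping anything that arrives for a port with no mapping or from a host other than the one the mapping was created for; static NAT forwards a public service port to an internal host and port and translates the server's replies back to the public port. Rewriting the source port to keep flows distinct, and refusing inbound packets from unexpected remote hosts, are standard NAT practice assumed here; the guide does not describe that level of detail. Addresses are documentation addresses.

```python
"""Dynamic NAT (IP masquerading) and Static NAT (port forwarding) in one
translation table (added example)."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatTable:
    def __init__(self, external_ip: str, port_range: range = range(1024, 65536)) -> None:
        self.external_ip = external_ip
        self.port_range = port_range
        # dynamic: (proto, int_ip, int_port, remote_ip, remote_port) -> external port
        self._dyn_out: Dict[tuple, int] = {}
        # static: (proto, int_ip, int_port) -> external port
        self._static_out: Dict[Tuple[str, str, int], int] = {}
        # both: (proto, external port) -> (int_ip, int_port, remote or None)
        self._in: Dict[Tuple[str, int], tuple] = {}

    def add_static(self, proto: str, ext_port: int, int_ip: str, int_port: int) -> None:
        """Static NAT: traffic for external_ip:ext_port is delivered to int_ip:int_port.
        remote=None means any Internet host may connect, which is what a published
        service needs; the same entry lets the server's replies leave from ext_port."""
        if (proto, ext_port) in self._in:
            raise ValueError(f"{proto}/{ext_port} is already in use on {self.external_ip}")
        self._in[(proto, ext_port)] = (int_ip, int_port, None)
        self._static_out[(proto, int_ip, int_port)] = ext_port

    def _allocate_port(self, proto: str) -> int:
        # Static forwards live in _in too, so they are never handed out dynamically.
        for port in self.port_range:
            if (proto, port) not in self._in:
                return port
        raise RuntimeError("translation port pool exhausted")

    def outbound(self, pkt: Packet) -> Packet:
        """Private -> public: rewrite the source to external_ip:port. A published
        server answers from its static port; everything else gets a dynamic port
        on the first packet of the flow and reuses it afterwards."""
        static = self._static_out.get((pkt.proto, pkt.src_ip, pkt.src_port))
        if static is not None:
            return replace(pkt, src_ip=self.external_ip, src_port=static)
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self._dyn_out:
            port = self._allocate_port(pkt.proto)
            self._dyn_out[key] = port
            self._in[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port,
                                           (pkt.dst_ip, pkt.dst_port))
        return replace(pkt, src_ip=self.external_ip, src_port=self._dyn_out[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Public -> private: rewrite the destination back to the internal host, or
        return None (drop). Unsolicited packets never reach a private address
        because no mapping exists for them."""
        if pkt.dst_ip != self.external_ip:
            return None
        entry = self._in.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None
        int_ip, int_port, remote = entry
        if remote is not None and remote != (pkt.src_ip, pkt.src_port):
            return None  # the port is mapped, but not for this remote host
        return replace(pkt, dst_ip=int_ip, dst_port=int_port)


if __name__ == "__main__":
    nat = NatTable("198.51.100.2")
    nat.add_static("tcp", 80, "10.0.0.20", 8080)       # public web server
    out = nat.outbound(Packet("tcp", "10.0.0.7", 51000, "203.0.113.80", 443))
    print("masqueraded:", out)
    print("reply:", nat.inbound(Packet("tcp", "203.0.113.80", 443, out.dst_ip, out.src_port)))
    print("unsolicited:", nat.inbound(Packet("tcp", "203.0.113.9", 33000, "198.51.100.2", 5555)))
    print("forwarded:", nat.inbound(Packet("tcp", "203.0.113.9", 33000, "198.51.100.2", 80)))
```

The reply test in the usage above passes `out.dst_ip` as the inbound source only because the constructed reply comes from the same host; a packet to the same mapped port from any other address is dropped, which is the property that keeps masquerading from turning every dynamic port into an accidental port forward.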
Where the Information is Stored
When you use Vcontroller to connect to a Firebox Vclass appliance, Vcontroller accesses a specialized database stored in the Firebox Vclass appliance. This storage capacity is an integral part of the appliance hardware. All your configuration and policy entries are stored in this database.
Certain files, such as backup configuration files, log files, and archive files, can be stored in a location of your choosing, such as the Management Station hard drive or a syslog server.
Changes or additions to the configuration settings in Vcontroller reside on the Management Station and are not automatically applied to the appliance.
Launching the WatchGuard Vcontroller
The WatchGuard Vcontroller can be used to administer one or more Firebox Vclass appliances as well as any legacy RapidStream security appliances. This Java application offers a basic set of system indicators and three collections of button-activated features that provide complete control over all the operations of a Firebox Vclass appliance.
NOTE
WatchGuard Vcontroller times out after 30 minutes of inactivity. If this occurs, you are prompted to log in again.
1 Launch Vcontroller according to the operating system you are using:
Microsoft Windows
Double-click the WatchGuard Vcontroller icon on the desktop, or select Start => Programs => WatchGuard Vcontroller => WatchGuard Vcontroller.
Solaris/Linux
Navigate to the appropriate directory and type Vcontroller at the command prompt.
Vcontroller launches and a login window appears.
If you have used Vcontroller before to access a Firebox Vclass appliance, the Server IP/Name field displays the IP address or host name of the last accessed appliance.
The IP addresses or host names of other previously accessed devices are listed in the Server IP/Name drop-down list.
2 Type the IP address or host name of the Firebox Vclass in the Server IP/Name field or select it from the dropdown list.
3 Type your administrator login name in the Name field.
NOTE
For information on creating administrator accounts, see “Using Account Manager” on page 149.
4 In the Password field, type the password for your administrator account.
5 Click OK .
The main Vcontroller window appears.
The Vcontroller Main Page
This section describes the buttons displayed in Vcontroller.
Activities column buttons
The Activities column contains a series of buttons that, when clicked, provide dialog boxes that update you on system activities. This includes outstanding alarms, recent events, and the current status of the appliance. You can also open a dialog box that displays system logs and another dialog box with a set of useful diagnostic tools.
Alarm
Click this button to open the Alarm Manager window, in which you can define a set of alarms that trigger when system or policy thresholds are exceeded. This window also allows you to view newly triggered alarms, diagnose alarm conditions, and clear resolved alarms. For more information, see “Using Alarm Manager” on page 351.
Monitor
Click this button to open the Real-time Monitor window, which provides a detailed view of the security appliance activities. You can use existing probes, or create your own, to measure system activity as well as to gauge data and policy usage.
For more information, see “Monitoring the Firebox
Log Manager
Click this button to open the Log Manager window, which enables you to activate log files that record certain types and levels of system activity. You can also use this window to view a particular log, and then archive your logs as text files for future reference. For more information, see “Using Log Manager” on page 379.
System Information
Click this button to open the System Information window, which provides several distinct views of the current appliance’s status and activity. The various tabbed displays are detailed in separate chapters within this guide, depending upon your choice of view. For more information, see “Monitoring the Firebox Vclass” on page 363.
Policy column buttons
The Policy column contains a series of buttons that, when clicked, enable you to create, apply, and manage the security policies used by the Firebox Vclass appliance. For more information on creating and configuring security policies, see “About Security Policies” on page 159.
Security Policy
Click this button to open the Policy Manager window, which lists the current catalog of security policies. This window allows you to view, edit, add, and remove policies. The Policy Manager is also used to view, edit, add, and remove security proxies.
IKE Policy
Click this button to open another view of the Policy Manager window that lists the current catalog of IKE (Internet Key Exchange) policies.
Address Group
Click this button to open a window showing the existing address group objects. These are used by both security and IKE policies in determining traffic specifications.
IPSec Action
Click this button to open a window listing the existing IPSec actions, used by security policies to enforce encryption/authentication protections.
NAT/LB Action (Network Address Translation/Load Balancing Action)
Click this button to open a window listing the existing NAT action objects, which are used in policies that affect dynamic IP, virtual IP, and other load-balancing actions on data.
NOTE
This button is grayed out and does not function in Transparent Mode. NAT and Load Balancing are not supported in Transparent Mode. For more information on Transparent Mode, see “Router and Transparent Mode” on page 79.
Remote Users
Click this button to open the RAS Configuration dialog box, which assists in the setup of remote access service (RAS) connections. This feature is not available on the V10 model.
Proxies
Click this button to open a dialog box that lists all existing Proxy Actions, and allows you to add, delete, and edit them. Proxies are a licensed feature, which are available on your system after you complete the initial LiveSecurity registration process.
Administration column buttons
This column lists a series of buttons that, when clicked, can help you customize, monitor, and maintain a Firebox Vclass appliance.
System Configuration
Click this button to open the System Configuration window, which helps you change the system configurations of a Firebox Vclass appliance. For more information, see “System
Install Wizard
Click this button to reopen the Installation Wizard, which you can use to reestablish the basic configuration for a Firebox Vclass appliance if required. For more information, see “Getting
Account
Click this button to open the Account Manager window, which you can use to modify or add new administrative accounts, and end-user accounts to allow internal users to bypass any firewall policies you create. For more information, see “Using
Backup/Restore
Click this button to open the Backup/Restore window, which enables you to back up the current system configuration. You can also use this window to restore previously archived configurations as needed. For more information, see “Backing Up and Restoring Configurations” on page 403.
Upgrade
Click this button to open the Upgrade window, which allows you to view the current software version, download and install any recent upgrades, and view the recent upgrade history. You can also use the features of this window to downgrade an appliance to a previous software version. For more information about the Upgrade window, see “Upgrading and Downgrading the
Shutdown/Reboot
Click this button to open a window from which you can restart the software, reboot the appliance, or completely shut down the appliance. For more information, see “Shutting Down and Rebooting” on page 70.
Diagnostics/CLI
Click this button to open the Diagnostics window, which includes testing tools, connectivity probes, and a workspace for importing CLI scripts. For more information, see “Monitoring the Firebox
Page-top buttons
The page-top title area includes the Log Out and Help buttons, as well as an alarm indicator that is displayed when an alarm has been triggered.
Log Out
Click this button to log out of Vcontroller and disconnect the Management Station from the Firebox Vclass appliance.
Help
Click this button to open the main online Help window. Right-click this button to see the Help version and copyright information.
Alarm Bell
If you see an animated ringing bell, this indicates that an alarm condition was triggered. Click the alarm bell icon to open the Alarm Manager window. For more information, see “Using Alarm
The status viewer
When you log into Vcontroller, the status area in the lower-left corner provides a snapshot of the system status, including interface link status and active VPN connections.
From the main Vcontroller window, look for the status indicators in the lower-left corner.
The status viewer shows:
• The system name assigned to this appliance
• The refresh button
• The current status indicators for the interfaces (green indicates active, red indicates inactive)
• The total number of currently active tunnels
• The total time this appliance has been in continuous operation
• The names and IP addresses of the interfaces (Router Mode). In Transparent Mode, only the System IP is listed.
This panel is automatically refreshed every sixty seconds; however, you can click the blue star button to refresh manually.
Logging out of Vcontroller
Make sure you properly log out of a Firebox Vclass appliance after you finish with administrative tasks. Otherwise, you may have trouble logging in later because a previous session may still be active.
1 From the Vcontroller main page, click Log Out .
The Logout confirmation dialog box appears.
2 Click Yes .
If you have made any changes, a Flush dialog box appears requesting to save these to the permanent data storage.
3 To save the changes, click Yes.
An Information dialog box appears indicating that the save was successful.
4 Click OK .
You can now exit Vcontroller or click Log In to reconnect to the Firebox Vclass appliance.
Shutting Down and Rebooting
To perform a software shutdown prior to turning off the appliance:
1 From the main Vcontroller window, click Shutdown/Reboot.
A Confirmation dialog box appears.
2 Click Shutdown the system and then click Yes .
This prompts the Firebox Vclass appliance to quit all software operations and perform a preliminary shutdown of the appliance.
While the appliance is shutting down, the Ready LED blinks.
After the Ready LED is off, wait 30 seconds.
NOTE
Do not disconnect the power before 30 seconds have elapsed.
Disconnecting the appliance too quickly can cause serious damage.
3 After 30 seconds have elapsed, use the power switch on the back to turn off the appliance. For the V10 model, simply disconnect the power cord.
4 Unplug the power cord from the Firebox Vclass appliance.
NOTE
Do not remove the cover on the power supply switch on the back of any appliances and use that switch to cut power. This can damage the appliance.
Once you have fully shut down the Firebox Vclass appliance, you can restart it by following these steps:
• Connect the Firebox Vclass appliance to a power source.
• Use the Power switch on the back to start the appliance.
- The Power LED light illuminates, and the Ready LED light starts to blink when the appliance is initializing.
- When the blinking has stopped and the Ready LED remains lit, initialization is complete.
• You can now start Vcontroller and log into the appliance to perform any administrative work.
To restart the appliance software only:
• From the main Vcontroller window, click Shutdown/Reboot.
• Click Restart the WatchGuard Security Appliance software only and then click Yes .
A status dialog box appears and remains on screen until the reboot is complete. After some time elapses, the Vcontroller Login dialog box reappears.
To reboot an appliance without turning off the power:
• From the main Vcontroller window, click Shutdown/Reboot.
• Click Reboot the system, including all software and then click Yes .
A status dialog box appears and remains on screen until the reboot is complete. After a long interval, the Vcontroller Login dialog box reappears.
Restarting the appliance
You can physically force a restart by inserting a straight pin into the recessed Reset button opening on the front of the appliance.
Upgrading and Downgrading the Software Version
When new versions of the Firebox Vclass operating system software become available, Vcontroller provides a simple way to perform an upgrade procedure.
To upgrade the software version:
1 Verify that the Management Station has an active Internet connection.
You need an Internet connection to check the WatchGuard Web site for the latest software updates.
2 From the main Vcontroller window, click Upgrade .
The Upgrade dialog box appears.
3 Note the current version number as reported in the Upgrade tab.
4 Click Check our Web site to verify whether a more recent version of the Vcontroller software is available.
Your web browser appears and connects to the WatchGuard Web site.
5 When this connection is complete, you can quickly verify the version number of the latest available upgrade against the version number listed in the Upgrade tab.
Do not upgrade your appliance until you have backed up the current configuration file. For information on backing up your configuration, see “Backing Up and Restoring Configurations” on page 403.
6 Review the instructions on this Web page. If a newer upgrade is available, click Download .
7 When the download is complete, close the browser window and continue with the upgrade procedure.
8 Return to the Upgrade dialog box and click Upgrade Now.
The Select the upgrading file dialog box appears.
9 Locate and select the downloaded upgrade file and then click Select .
When the upgrade is complete, a confirmation dialog box appears.
10 Click OK to proceed.
The Vclass appliance automatically restarts. When the restart is complete, you can log into the appliance and use Vcontroller to check the upgraded appliance.
To downgrade the software version:
1 Click the Downgrade tab.
2 Read the instructions on the screen and then click Downgrade Now.
A confirmation dialog box appears.
3 Click OK .
The appliance performs the downgrade, and then reboots itself.
After the appliance reboots, the Login dialog box automatically appears.
At this time, to use your previous policies and configuration, you must restore the last backup of policies and configurations that you saved when this version of the software was in effect. Because a Firebox Vclass appliance stores a maximum of two versions of software, you can only downgrade to the previous version of the software.
After this downgrade is complete, your appliance will be using an earlier version of software with the configurations and policies that were in effect at that time. All subsequent entries and changes will be lost.
The Upgrade History
The Upgrade History tab notes the dates, times, and version numbers of all occasions when the Firebox Vclass appliance has been upgraded or downgraded. The upgrade history remains even if the Vclass appliance is restored to the factory default.
To view the upgrade history:
1 Launch Vcontroller and log into the appliance.
2 Click Upgrade.
The Upgrade dialog box appears.
3 Click the Upgrade History tab.
Transferring from Vcontroller to WatchGuard Central Policy Manager (CPM)
If you need to transfer the management of the Firebox Vclass from Vcontroller to the WatchGuard Central Policy Manager (CPM), consider the following differences between the two environments:
• Vcontroller provides management access to more built-in functionality in Firebox Vclass appliances than CPM.
For example, you cannot use the Firebox Vclass appliance for RAS user authentication in CPM as you can with Vcontroller; only a RADIUS server can be used. However, if you have five or more Firebox Vclass appliances, CPM is the preferred global management tool.
• You cannot use both Vcontroller and CPM to manage the same appliances. If you use CPM to deploy a complete profile, any changes that are made later with Vcontroller will be erased when a new or updated profile is deployed to that appliance from CPM.
CHAPTER 5
Router and Transparent Mode
Vclass appliances can operate in two distinctly different modes: Router Mode and Transparent Mode.
Descriptions of these modes and configuration information are included in this chapter.
Router Mode
Router Mode is the default mode for Vclass appliances. Vclass appliances running in Router Mode integrate firewall, VPN, and routing functions in a single appliance. In this mode, the Vclass appliance functions as a security gateway, as shown in Figure 6, “Vclass Router Mode operation,” on page 80.
Depending on the Vclass model, up to four network interfaces are provided, which you can use to route traffic between a private network, the public network or Internet, and DMZ networks. Private and DMZ networks are considered to be trusted, and the public network is not trusted. Networks are on different subnets.
In Router Mode, all interfaces are routable. Each individual interface is assigned an IP address on the subnet it is connected to. Packets crossing the Vclass appliance are managed by configured policies and proxies. Allowed packets are routed to their destinations. In this mode, the Vclass appliance only receives the packets that are addressed to it.
Packets sent out from the Vclass are marked with the Vclass interface MAC as their source.
Figure 6: Vclass Router Mode operation (diagram: Internet, untrusted; Vclass; Private Network and DMZ Network, trusted)
No special configuration is required to set an appliance to Router Mode. Vclass appliances are set to Router Mode by default. Use the instructions provided throughout this guide to configure your Router Mode appliance.
You can switch an appliance to Router Mode at any time, using Device Discovery, the Installation Wizard, the System Configuration window on the Interfaces page, or by importing a Router mode XML configuration.
Transparent Mode
Figure 7: Vclass Transparent Mode operation (diagram, top: Internet, Router, Existing Network, all not trusted; bottom: Internet, Router, Vclass, Existing Network with a Transparent Mode Vclass appliance, where the network behind the Vclass is trusted)
Vclass Transparent Mode is designed to allow simple “drop-in” integration of the Vclass appliance in an existing scenario. In this scenario, the Vclass is placed between an existing router gateway and an internal network. Routing functions are handled by the router, and the Vclass provides firewall and VPN functions.
The main differences between Transparent and Router modes are:
• Transparent mode interfaces are promiscuous. A promiscuous interface receives not only the packets addressed to it (as in Router Mode), but also packets addressed to other hosts on the network. However, the Vclass appliance passes packets without taking any action, if both the packet source and target are connected and reachable on the same interface.
• In Transparent Mode, the Vclass appliance uses one IP address and one Subnet Mask for all interfaces. These addresses are called the System IP and the System Mask. All interfaces on the Vclass appliance use these addresses.
• The System IP is used as the IPSec tunnel peer address.
• In contrast to Router Mode operation, in Transparent Mode the Vclass switches a packet to its destination, if the packet is allowed. Like a typical network switch, the packet’s source MAC address is preserved.
Unsupported features in Transparent Mode
Not all features available in Router Mode are feasible or usable in Transparent Mode. Unsupported features are:
• Backup WAN connection (WAN Failover)
• DHCP Client and Server
• Proxies
• Dynamic Routing
• High Availability (Active/Standby or Active/Active)
• VLAN and Tenants
• NAT, including SNAT, DNAT, VIP
• PPPoE
• Secondary IP
• Spanning Tree Protocol
• Tunnel Switching
Setting a Vclass Appliance to Transparent Mode
You can set a Vclass appliance to Transparent Mode using either Device Discovery, the Installation Wizard, or by importing a Transparent mode XML configuration. You can also start the process to switch an appliance to Transparent Mode from the Interfaces window in System Configuration, though this window allows you to restore to factory default in order to set the appliance to Transparent Mode. The Vclass appliance must be in the Factory Default configuration to be set to Transparent Mode. To set the appliance to the Factory Default configuration, see “Restoring to Factory Default” on page 407.
Setting an Appliance to Transparent Mode using Device Discovery
To use Device Discovery successfully, the appliance you are configuring must be connected to the same LAN segment or subnet as the Management Station through interface 0 (Private).
1 Launch Vcontroller.
The Vcontroller Login dialog box appears.
2 Click the binoculars icon to the right of the Server/IP Name drop-down list.
The WatchGuard Security Appliance Discovery dialog box appears.
3 Click Find to start the process.
If the Management Station has more than one Network Interface Card (NIC), you must select the IP address of the appropriate card from the drop-down list before proceeding.
A status dialog box appears and remains open until the discovery process is complete.
If no appliance is discovered
If no appliances are discovered, a Devices Not Found dialog box appears.
Check the Firebox Vclass appliance for the following:
- Verify that the appliance has been properly connected to the network.
- Verify that all cable connections are secure.
- Make sure that the appliance is started. The Ready LED should be lit.
Click Find Again to attempt another discovery.
If an appliance is discovered
If an appliance is discovered, the Devices Found dialog box appears, displaying all discovered appliances with their models and serial numbers.
This dialog box provides the following features:
• A large list area that displays all of the appliances discovered in the local subnet. In this case, only your new Firebox Vclass appliance will be listed. You can set IP addresses or import profiles into more than one appliance in the same Discovery session.
• A collection of options that enable you to set the identity of a selected appliance’s interface 0 (Router Mode), or System IP (Transparent Mode), or import an existing appliance profile into a selected device.
You set the IP address as described in the following section. This is the task you perform with a new appliance.
If you have already installed and configured at least one Firebox Vclass appliance, you can import its configuration information into a new factory default appliance using an XML profile. For more information, see “Exporting and Importing Configuration Files” on page 410.
Set the System IP address
If you are deploying the Vclass appliance in Router Mode, you must now assign a temporary IP address to interface 0 (Private) for use in the initial configuration. If you are deploying the device in Transparent Mode, you must set the System IP. After completing this step, you can log in with Vcontroller and perform further configuration.
1 From the Devices Found field, select the appliance you want to configure.
2 Click the Set Interface IP button.
3 To set the System Mode, click Router Mode or Transparent Mode.
4 For Router Mode, in the Interface 0 IP field, type an unused IP address from the same subnet as the Management Station. This IP address will apply only to Interface 0 (Private).
In the Interface 0 Mask field, type the subnet mask for this IP address.
5 For Transparent Mode, in the System IP field, type an unused IP address from the same subnet as the Management Station. This IP address will apply to all interfaces on the appliance.
In the System Mask field, type the subnet mask for this IP address.
6 Click Update.
If more than one appliance is listed in this window, you can set an IP address for each appliance at this time, prior to clicking Apply All.
7 If there are no more appliances to be set, click Apply All.
A confirmation window appears.
8 Click Yes to proceed.
The Result window appears.
9 Wait for the Result window to display “ALL DONE” and then click Close to return to the Set Interface window.
10 You can now use Vcontroller to edit the interface for this appliance and continue the installation process.
Setting an Appliance to Transparent Mode using the Installation Wizard
You can set a factory default appliance to Transparent Mode using the Installation Wizard. For instructions, see “Configure the Interfaces in Transparent Mode” on page 45.
CHAPTER 6
System Configuration
Use the System Configuration window to enter or edit system settings. This window, a key component of Vcontroller, provides access to a wide spectrum of controls, ranging from network connection parameters to an array of hacker prevention options.
The following configuration functions are available in the System Configuration window.
• “General Configuration” on page 90
• “Interface Configuration” on page 93
• “Routing Configuration” on page 107
• “DNS Configuration” on page 112
• “SNMP Configuration” on page 114
• “Log Configuration” on page 116
• “Certificate Configuration” on page 116
• “LDAP Server Configuration” on page 125
• “NTP Server Configuration” on page 127
• “Advanced Configuration” on page 129
• “Hacker Prevention Configuration” on page 132
• “CPM Management Configuration” on page 136
• “License Configuration” on page 137
• “VLAN Forwarding Option” on page 142
• “Blocked Sites Configuration” on page 145
• “High Availability Configuration” on page 148
General Configuration
Use the General tab to fill in general information about the Vclass name, location, and owner, and to set the system time.
1 From the main Vcontroller window, click System Configuration.
The System Configuration window appears.
2 Click the General tab.
The General system settings are displayed.
Configure the following system settings:
System Name
Type a name to represent this appliance.
System Location
Type the location of your Firebox Vclass appliance.
The location can be a building and floor number, or a simple identifier such as “LAN Room.”
System Contact
Type the name, phone number, or email address of the principal system administrator or the person responsible for maintenance of the Firebox Vclass system.
System Time
Displays the current date and time. To change the date and time currently displayed, click Change.
The Date, Time, and Time Zone dialog box appears.
- Click the Date & Time tab and then type the appropriate time and date for your system. Select AM or PM from the drop-down list.
- Click the TimeZone tab to update the geographic location of your system. Select the appropriate location from the list and then click OK to return to the General tab.
When you have finished configuring the system settings, click one of the following options:
Reset
To return the settings to the previous configuration.
Apply
To immediately apply the settings to the Firebox Vclass appliance.
Interface Configuration
The Interface tab is used to make changes to the IP addresses and subnet masks of the interfaces. Different combinations of interfaces are displayed according to the model of Firebox Vclass appliance you are configuring. In addition, Interfaces appear differently depending on whether the appliance is deployed in Router Mode or Transparent Mode.
NOTE
In Transparent Mode, the System IP and System Mask are set from the main Interface window. This IP applies to all interfaces on the appliance. The only configuration items you can change for specific interfaces are MTU size and Link Speed.
• Click the Interface tab.
The Interface settings are displayed. In this example, the interfaces for the V60 and V80 models are shown.
• Both the Accelerated Interfaces and the HA (High Availability) Interfaces are listed:
Router Mode/Transparent Mode
Indicates the System Mode in which this system is deployed. In addition, you can switch from Transparent Mode to Router Mode here, but you cannot automatically switch from Router Mode to Transparent Mode: you must restore the appliance to Factory Default first, a process which is started when you select Transparent Mode here.
In Transparent Mode, two more fields are visible in this window:
System IP
This is the IP address that applies to all network interfaces on a Vclass appliance deployed in Transparent Mode.
System Mask
This is the network mask for all interfaces on a Vclass appliance deployed in Transparent Mode.
Interface 0
This represents interface 0, which should be used for all private, or trusted, network traffic.
Interface 1
This represents interface 1, which should be used for all public, or external, network traffic. Interface 1 supports the Backup WAN feature, which allows the connection to automatically switch over to a backup ISP in the event of a network failure.
NOTE
Backup WAN is not supported in Transparent Mode.
Interface 2
Interface 2 should be assigned to any DMZ network traffic. This interface is not available on the V10, V100, or V200 models.
Interface 3
Interface 3 should be assigned to any DMZ network traffic. This interface is not available on the V10, V100, or V200 models.
Interfaces HA1 and HA2
Certain Firebox Vclass appliance models include two HA ports, HA1 and HA2. HA ports are used with the High Availability feature, which allows for redundancy and transparent failover in the case of a hardware failure. HA ports are connected between Vclass appliances, and not to the network.
The HA2 ports can be connected to each other for greater redundancy, or you can use the HA2 ports as direct management connections. For more information, see “Setting Up a High Availability
This interface is not available on the V10 model.
High Availability is not supported in Transparent Mode.
If you need to make any changes to the configuration of the interfaces, use the following instructions.
Configuring Interface 0
To edit the interface settings:
1 Select the interface entry and then double-click.
The Edit Interface dialog box appears.
2 In the IP Address and Network Mask fields, type the appropriate IP address.
The interface Hardware Address (MAC address) is displayed beneath these fields.
3 In the MTU field, type the MTU to determine the maximum size of each packet. The default is 1500 bytes.
Enable DHCP Server
4 If you want to enable the appliance as a DHCP server, click Enable DHCP Server.
The dialog box changes to show DHCP Server options. This option is not available if the appliance is configured for High Availability, or the appliance is in Transparent Mode.
5 Type the maximum number of potential clients that will be assigned IP addresses in the Number of Clients field.
6 From the Leasing Time drop-down list, select either Days or Hours.
7 Type the number of days or hours that an IP address will be loaned to a DHCP client.
DHCP Relay
8 To allow the Vclass appliance to request and relay DHCP addresses from another DHCP server on your network, click DHCP Relay.
The dialog changes to show Remote DHCP Server IP options.
This option is not available if the appliance is configured for High Availability, or the appliance is in Transparent Mode.
9 In the Remote DHCP Server IP field, type the address for the remote DHCP server.
10 Click the Link Speed Configuration option you want to use for this interface. The default is Auto Negotiate.
Auto Negotiate is the only option available on the V100 and V200 models.
11 Click OK to close the Edit Interface dialog box and return to the Interface tab.
Configuring Interface 1
To edit the interface settings:
1 Select the interface entry and then double-click.
The Edit Interface dialog box appears.
Interface 1 (Public) allows you to choose from three network addressing options.
2 Select the addressing option you want to use (Static, DHCP, or PPPoE).
Static
• In the IP Address and Network Mask fields, type the IP address and network mask.
DHCP
• In the Host ID field, type the host name or the IP address of your DHCP server.
This option is not available when using High Availability, or in Transparent Mode.
PPPoE
• In the User Name and Password fields, type the user name and password. In the Confirm Password field, type the password again to confirm it. Select the Always On or Dial-on-Demand option and then type the desired time interval in the appropriate field.
NOTE
This option is not available when using High Availability, or in Transparent Mode.
3 In the MTU field, type a new size for the MTU if you want to change it from the default size (1500 bytes).
4 Click the Link Speed Configuration option you want to use for this interface. The default is Auto Negotiate.
Auto Negotiate is the only option available on the V100 and V200 models.
Backup Connection
1 Click Backup Connection to configure WAN Interface Failover, if you are using this feature. WAN Interface Failover allows you to specify a backup ISP to provide Internet service to Interface 1, in the event of an ISP network outage.
The Edit Backup Connection dialog box appears.
2 Select the Enable WAN Interface Failover checkbox to enable failover to another ISP. Configure the interface as previously described, by clicking Static, DHCP, or PPPoE and entering the required values.
NOTE
If PPPoE is selected for the backup WAN, it must be configured as Always On. The Dial on Demand option is not available.
3 Establish Connection Failure Detection criteria.
This section of the window allows you to type up to three different IP addresses that the appliance should be able to ping, to determine whether the WAN is up or down, and timing values to determine when the ISP has failed.
4 Type up to three IP addresses for public, well-known and robust internet sites that allow ping. Examples include Yahoo, Google, and eBay. Do a DNS lookup for IP addresses for these sites, and remember that pingable addresses might change frequently.
5 In the Polling Interval field, type the polling interval in seconds to determine a failure. This value determines the amount of time between ping sessions to test the servers listed in the previous step. The default is 30 seconds.
6 In the Polling Timeout field, type the polling timeout in seconds to determine a failure. The default is 5 seconds. If none of the listed servers respond to a ping request within the specified interval, the connection is considered failed, and a failover occurs.
7 In the last field on this dialog, type the number of minutes you want to elapse between successive failovers. The default is 10 minutes.
Since each failover requires a system restart, processing is interrupted for a brief period during failover. If both your Primary and Backup WAN connections are subject to frequent failure, this can lead to a lot of processing interruptions. This setting allows you to minimize downtime for the Firebox, with the tradeoff that the WAN or internet might not be available for longer periods of time.
8 Click Apply when you have finished configuring the Interface.
Configuring Interface 2 or 3
To edit the interface settings:
1 Select the interface entry and then double-click.
The Edit Interface dialog box appears.
2 In the IP Address and Network Mask fields, type the IP address and network mask.
The interface Hardware Address (MAC address) is displayed beneath these fields.
3 In the MTU field, type a new size for the MTU if you want to change it from the default size (1500 bytes).
4 Click the Link Speed Configuration option you want to use for this interface. The default is Auto Negotiate.
Auto Negotiate is the only option available on the V100 and V200 models.
5 Click OK to close the Edit Interface dialog box and return to the Interface tab.
Configuring the HA Interfaces
For more information on setting up and managing these HA interfaces, see “Setting Up a High Availability System” on page 425.
To edit High Availability settings:
1 Select the interface entry and then double-click.
The Edit Interface dialog box appears.
2 There is usually no reason to change the IP addresses and Network Masks for the HA ports, though you can change them for internal reasons. In the IP address and Network Mask fields, type the IP address and network mask.
The interface Hardware Address (MAC address) is displayed beneath these fields.
3 Click OK to close the Edit Interface dialog box and return to the Interface tab.
When you have finished configuring the interfaces, click one of the following options:
Reset
To return the settings to the previous configuration
Save Only
To save the settings to the Management Station and apply them to the Firebox Vclass appliance when it is restarted. When you are finished, click Close.
Apply
To immediately commit the settings to the Firebox Vclass appliance.
NOTE
If you have only changed Link Speed, MTU, or the HA configuration, the system will not restart. If you have made any other changes to the Interface configuration for the appliance, a Warning dialog box appears alerting you that this action forces a restart of the system.
- Click Yes to proceed.
The appliance immediately restarts in order to apply the new interface configurations. The System Configuration dialog box closes and Vcontroller displays the Log In dialog box.
NOTE
If you have changed the Interface 0 (Private) settings, be sure to use the new IP address when next logging in to Vcontroller.
Routing Configuration
Use the Routing tab to record static routes or set up dynamic routing using several dynamic routing protocols.
Configuring static routing
To add static routes:
1 Click the Routing tab.
Both the static and dynamic routing settings are displayed.
2 To configure a static route, click Add.
The Add Route dialog box appears.
3 Type the destination, network mask, gateway, and metric in the appropriate fields. Select the interface from the drop-down list and then click OK.
You cannot select the Interface in Transparent Mode.
4 Repeat this process to add other static route entries.
5 To modify an existing route, select the entry and click Edit.
The Edit Route dialog box appears.
6 Click OK.
Configuring dynamic routing
Firebox Vclass supports three dynamic routing protocols, which are built on the GNU Zebra (http://www.zebra.org) routing software:
• Routing Information Protocol (RIP) version 1 and 2
• Open Shortest Path First (OSPF)
• Border Gateway Protocol (BGP)
NOTE
Dynamic routing currently does not support MIBs, SNMP, multicast, or IPv6 routing protocols.
NOTE
Dynamic Routing is not supported in Transparent Mode.
To configure dynamic routing:
1 Click Enable Dynamic Routing.
If you later decide to disable dynamic routing, click this option again.
2 Select the routing protocols you are using.
3 For each routing protocol you enable, click the Edit button.
The Edit dialog for the routing protocol appears.
4 Click Paste to paste a preconfigured dynamic routing configuration file into the text field, or click Browse to locate the *.conf file on your management station.
To paste a file, it must first be copied to your system’s clipboard.
5 When you have pasted or loaded your routing configuration files, click Apply.
The Routing dialog now indicates that the protocols you configured are Running.
It is possible that dynamic routing can fail. If this occurs, the Current Status displays “Not Running.”
1 Click Restart for the protocol.
A Confirmation dialog box appears.
2 Click Yes to restart.
When you have finished configuring routing, click one of the following options:
Reset
To return the settings to the previous configuration.
Save Only
To save the settings to the Management Station and apply them to the Firebox Vclass appliance when it is restarted. When you are finished, click Close.
Apply
To immediately commit the settings to the Firebox Vclass appliance.
At this time, the Firebox Vclass checks your entries for accuracy. If the entry is correct, a green checkmark appears to the left of the new routing table entry. If the entry is incorrect, a red X appears.
If an entry displays a red X, click the Routing Table Edit button to open the Edit Route dialog box. The box allows you to check the text for errors.
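The kind of accuracy check that turns a static route entry into a green checkmark or a red X, as an added Python example that is not the appliance's own validation code: it uses the same fields as the Add Route dialog (destination, mask, gateway, metric, interface) and flags a destination with host bits set, a malformed gateway, and a gateway that is not reachable through the chosen interface. The interface addresses, sample routes and the metric range are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed interface addresses for the appliance (RFC 1918 / RFC 5737 ranges).
INTERFACES = {
    "Interface 0": "10.0.0.1/24",        # Private
    "Interface 1": "203.0.113.2/30",     # Public
    "Interface 2": "192.168.100.1/24",   # DMZ
}


@dataclass
class StaticRoute:
    destination: str   # network address
    mask: str          # dotted subnet mask, as typed in the Add Route dialog
    gateway: str       # next-hop address
    metric: int
    interface: str


def check_route(route: StaticRoute, interfaces: Dict[str, str] = INTERFACES) -> List[str]:
    """Return the problems found; an empty list corresponds to the green checkmark."""
    problems: List[str] = []
    network = None
    try:
        # strict=True rejects a destination with host bits set (e.g. 172.16.5.7/16)
        network = ipaddress.ip_network(f"{route.destination}/{route.mask}", strict=True)
    except ValueError as exc:
        problems.append(f"destination/mask: {exc}")
    gateway = None
    try:
        gateway = ipaddress.ip_address(route.gateway)
    except ValueError:
        problems.append(f"gateway {route.gateway!r} is not a valid IP address")
    if route.interface not in interfaces:
        problems.append(f"unknown interface {route.interface!r}")
    elif gateway is not None:
        # A static next hop must be directly reachable through the chosen interface.
        if_addr = ipaddress.ip_interface(interfaces[route.interface])
        if gateway not in if_addr.network:
            problems.append(f"gateway {gateway} is not on the {route.interface} subnet {if_addr.network}")
        elif gateway == if_addr.ip:
            problems.append("gateway is the appliance's own interface address")
    if route.metric < 0:   # assumption: the appliance takes a non-negative metric
        problems.append("metric must be a non-negative integer")
    return problems


def check_table(routes: List[StaticRoute], interfaces: Dict[str, str] = INTERFACES) -> List[str]:
    """One mark per entry, mirroring the green checkmark ("OK") or red X in the Routing tab."""
    return ["OK" if not check_route(r, interfaces) else "X" for r in routes]


# Constructed sample entries: two valid routes and two that would get a red X.
SAMPLE_ROUTES = [
    StaticRoute("192.168.50.0", "255.255.255.0", "10.0.0.254", 1, "Interface 0"),   # valid
    StaticRoute("172.16.5.7", "255.255.0.0", "10.0.0.254", 1, "Interface 0"),       # host bits set
    StaticRoute("172.16.0.0", "255.255.0.0", "10.0.5.1", 1, "Interface 1"),         # gateway off-subnet
    StaticRoute("0.0.0.0", "0.0.0.0", "203.0.113.1", 1, "Interface 1"),             # default route, valid
]

if __name__ == "__main__":
    for route, mark in zip(SAMPLE_ROUTES, check_table(SAMPLE_ROUTES)):
        print(mark, route, check_route(route))
```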
DNS Configuration
Use the DNS tab to configure the Firebox Vclass appliance with a host domain name and DNS server entries.
To configure a system domain name:
1 Click the DNS tab.
The DNS settings are displayed.
2 In the Domain Name field, type the domain name of the Firebox Vclass appliance.
To add a DNS server:
1 Click Insert.
The DNS Server dialog box appears.
2 Type the IP address in the appropriate field.
3 Click Add.
The DNS Server dialog box closes and the new server IP address appears in the DNS Server list.
To manage the DNS server entries:
• To edit a DNS server IP address, select the entry from the DNS Server List and click Edit.
• To delete a DNS server IP address, select the entry from the DNS Server List and click Delete.
• If you have more than one server in the list, you can reorganize the search order by choosing a server entry and then clicking Up or Down.
When you have finished configuring the DNS settings, click one of the following options:
Reset
To return the settings to the previous configuration.
Apply
To immediately apply the settings to the Firebox Vclass appliance.
SNMP Configuration
Use the SNMP tab to add the IP addresses of management stations that will be monitoring this appliance. You also use these fields to record the relevant SNMP community string. For a complete list of supported MIBs for Firebox Vclass appliances, review the MIB files that are stored on the WatchGuard CD.
Because Firebox Vclass appliances support the SNMP version 1 protocol, you can assign an SNMP community to this Firebox Vclass appliance so that it can be managed through SNMP management stations. You can also configure this appliance so that an SNMP trap will be sent to all related management stations when an alarm is triggered.
However, to retrieve SNMP MIB counters from a Firebox Vclass appliance, you must first create and apply a security policy that allows SNMP traffic to pass through the appliance.
To configure SNMP traps:
1 Click the SNMP tab.
The SNMP settings are displayed.
2 Click Add.
The SNMP Management Station dialog box appears.
3 In the SNMP Station IP field, type the IP address.
4 Click Add.
Repeat this process to record the IP addresses of all other management stations.
5 Type the password that will identify the appliance to the Management Station or stations in the Community String field.
This step is optional.
6 Click Enable SNMP Trap.
NOTE
Although no traps are sent if the Enable SNMP Trap option is disabled, triggered alarms are still logged by the appliance.
When you have finished configuring the SNMP management stations, click one of the following options:
Reset
To return the settings to the previous configuration.
Apply
To immediately commit the settings to the Firebox Vclass appliance.
Log Configuration
Use the Log tab to configure the logging settings. For information on configuring these settings, see “Log Settings” on page 383.
Certificate Configuration
If you plan to use this Firebox Vclass appliance to manage VPN connections that incorporate automatic (IKE) key exchanges, you must purchase an x.509 authorization certificate from a Certificate Authority (CA) server (such as Verisign or Entrust), and then import it into your Firebox Vclass appliance. Use the Certificate tab to configure these certificates.
In addition, this tab assists in the importing of Certificate Revocation Lists (CRLs), which the authorizing source will send to you on occasion. A CRL effectively cancels any certificates that have been compromised by hackers.
Before initiating a certificate request, you must obtain the following:
• The encryption key cosigning authority’s name and web site URL
• A payment method for all requested certificates, preferably credit card
• Any root certificates provided by this authority
To import certificates:
1 Click the Certificate tab.
The Certificate fields are displayed. A WatchGuard certificate is imported by default.
2 To request a new x.509 certificate, click Create Request.
The Certificate Request dialog box appears.
3 Type the following information:
Name
The name of the Firebox Vclass appliance. This is the same as the system name configured in the General settings. See “General Configuration” on page 90.
Department Name
The group or department name that administers this appliance. This field is optional.
Company Name
The requesting company name.
Country
The name of the country in which this appliance and the certificate will be used.
4 Click Next.
The next certificate request dialog box appears, as shown in the following figure.
5 Fill in the following fields and then click Next.
Subject Name
This field is automatically updated with processed data from your first step entries. You can make any deletions or changes in this text field if you know the proper formatting for all the elements.
DNS Name
Type the appliance name or domain name, for example, “wg001.corporation.com”.
IP Address
Type the IP address of interface 0 (Public). This step is optional.
User Domain Name
Type the user name of this appliance. This step is optional.
Algorithm
Click the preferred option for this certificate.
Length
Click the preferred option.
Key Usage
Click the preferred option. (If you chose DSA as the algorithm, you can only select Signature for key usage.)
6 Click Next.
The Certificate Signing Request (CSR) is displayed.
7 Select the text in the dialog box and then press Control+a.
8 Click Copy.
9 Open a Web browser and connect to the Web site of your key co-signing authority.
10 Open the key co-signing authority certificate request form and paste the text into the appropriate field.
11 Provide any other required payment information.
12 Submit the request and then close the browser window.
13 Return to the Certificate Request dialog box and click Next.
The final step is displayed.
14 Review the information displayed in the Certificate Request dialog box, and then click Finish.
The Certificate Request dialog box closes and the System Configuration dialog box reappears. A new entry appears in the Certificate list representing the pending certificate request.
To view specific information about a pending certificate:
1 Select the entry from the Certificates list.
2 Click Detail.
A Certificate dialog box appears that summarizes all the relevant certificate information.
3 Click Review CSR to view the Certificate Signing Request.
The Review CSR dialog box appears.
4 Click Copy/Close to return to the Review CSR dialog box.
A copy of the CSR is sent to the clipboard.
5 Click OK.
You must wait for the certificate to arrive in the form of a text file from the co-signing authority. When you have received it, follow the instructions in the next procedure.
Importing a certificate or CRL file
If this is the first certificate you import, you must import the root certificate before importing the actual certificate, or the new x.509 certificate (and any others you subsequently import) will not be usable.
To import the root certificate:
1 Make sure that the root certificate file is present in a local directory.
2 Click Import Certificate/CRL.
The Import Certificate/CRL dialog box appears.
3 Click Load the certificate from a file.
4 Locate and select the root certificate file.
NOTE
If you prefer, you can also use a text editor to open the file. Then copy and paste the text.
5 When the certificate text is displayed, click Import Certificate.
This imports the certificate into the Firebox Vclass appliance.
After the import is complete, the dialog box closes and the newly imported certificate appears in the Certificates list.
6 Repeat this process to import any other certificates into the Firebox Vclass appliance.
At regular intervals, your key cosigning authority will issue a Certificate Revocation List (CRL), which nullifies any existing certificates that have been compromised. You can import these lists so that your system will not attempt to use any revoked certificates for key exchanges.
To import a CRL:
1 Click Import Certificate/CRL.
2 Click the Import a CRL tab.
The Import Certificate/CRL dialog box appears.
3 Click Browse.
4 Locate and select the appropriate CRL file.
5 When the file path appears in the File Name field, click Import CRL.
This imports the CRL into the Firebox Vclass appliance. After the import is complete, the dialog box closes and the newly imported CRL name appears in the Certificates list.
6 To remove an entry from the Certificate list, select the entry and click Remove.
LDAP Server Configuration
Use the LDAP tab to set up a connection between a Firebox Vclass appliance and any LDAP server on which Certificate Revocation List (CRL) files are centrally stored. After this configuration is set up, the Firebox Vclass can verify every certificate it uses against the CRLs stored in the server. This provides additional protection against compromised certificates.
1 Click the LDAP tab.
The LDAP settings are displayed.
2 Select the Use LDAP Server checkbox.
3 In the Server IP/Name field, type the IP address or domain name of the LDAP server.
4 If the LDAP server is not using the default port number 389, type the correct port number in the Port Number field.
When you have finished configuring the LDAP server settings, click one of the following options:
Reset
To return the settings to the previous configuration.
Apply
To immediately apply the settings to the Firebox Vclass appliance.
NTP Server Configuration
Use the NTP tab to configure the Firebox Vclass to contact an NTP server. An NTP server uses Coordinated Universal Time (UTC) to synchronize computer clock times.
To configure the NTP settings:
1 Click the NTP tab.
The page refreshes and then displays the NTP Server settings.
2 Click Yes to enable NTP.
If you later decide to disable NTP, click No.
3 Enter the IP address of an NTP server.
If the connection to an NTP server is broken, the Current NTP Status displays “Not Running.” To restart NTP:
1 Click Restart.
A Confirmation dialog box appears.
2 Click Yes to restart NTP.
When you have finished configuring the NTP server settings, click one of the following options:
Reset
To return the settings to the previous configuration.
Apply
To immediately commit the settings to the Firebox Vclass appliance.
Advanced Configuration
The Advanced tab allows you to configure global policy settings. These settings will apply to all security policies you create. However, you can configure each policy to use a per-policy setting instead of these global settings. For more information regarding the configuration of the advanced settings and security policies, see “Using the Advanced Settings” on page 207.
• Click the Advanced tab.
The Advanced configuration settings are displayed.
The following global policy settings are displayed:
TCP Syn Checking
This option verifies that each new TCP connection begins with a proper three-way handshake. It provides an extra layer of protection against illegal TCP connections.
- To enable TCP SYN checking, select the Enable Syn Checking checkbox.
VPN
These options concern the fragmentation of encrypted packets and the ability to allow IPSec users to connect to a different appliance.
- To ignore a DF bit (Don’t Fragment) during an IPSec transmission, select the Ignore DF for IPSec checkbox.
- To allow IPSec traffic to pass through to an internal address that is using NAT, select the IPSec pass-through checkbox.
ICMP Error Handling
Regular network traffic may include various ICMP error messages. You can allow all of these messages or select the specific messages.
- Select Allow All ICMP Error Messages or Allow Specified ICMP Error Messages.
- If you selected to allow only specified ICMP error messages, enable the error messages you want to allow.
TCP Maximum Segment Size Adjustment
This feature works in conjunction with the MTU settings to limit the size of packets, if configured.
This feature overcomes the following problems:
- Oversized packets can result in fragmentation, degrading VPN performance.
- Proxies may require MSS adjustment to prevent fragmentation.
- Some older systems do not support MTU to regulate packet size. This feature works along with MTU; it does not replace MTU.
The following settings are available:
Auto Adjustment
Auto adjustment calculates the MSS automatically, using the following calculations:
- Determining the lesser value of the input port MTU and the output port MTU.
- Subtracting packet overhead, including IP and TCP addressing, VLAN, ESP, PPPoE, AH, and UDP encapsulation.
- The result is then rounded down to the next lower multiple of 8 bits (8-bit aligned) to determine the size in bytes that is required for packet transmission.
The results of this calculation are used as the MSS for the connection.
Limit to N Bytes (40-1460)
This limits MSS to the specified size in bytes.
No Adjustment
This specifies that no change be made to the TCP header. If you select this option, packets may fragment.
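As an added illustration (not WatchGuard code), the following Python models the three MSS adjustment modes described above: it derives the auto-adjusted MSS from the smaller interface MTU and the listed encapsulation overheads, and rewrites the MSS option in a SYN segment's TCP options the way the appliance would. The per-encapsulation overhead sizes, the 8-byte alignment used for the guide's “8-bit aligned” step, and the option-walking code are assumptions of this example.

```python
"""Added example: TCP MSS adjustment modes (Auto / Limit to N Bytes / No
Adjustment).  Not Firebox Vclass code; the overhead sizes and the 8-byte
alignment step are assumptions of this example."""
import struct
from typing import Iterable, Optional

IP_HEADER = 20          # IPv4 header without options
TCP_HEADER = 20         # TCP header without options

# Assumed, typical per-encapsulation overhead in bytes.
ENCAP_OVERHEAD = {
    "vlan": 4,          # 802.1Q tag
    "pppoe": 8,         # PPPoE session header (6) + PPP protocol id (2)
    "ah": 24,           # AH header with a 96-bit ICV
    "esp": 38,          # ESP SPI/seq (8) + 16-byte IV + trailer (2) + 96-bit ICV (12)
    "udp": 8,           # UDP header for NAT-T encapsulated IPsec
    "outer_ip": 20,     # extra IPv4 header for tunnel-mode IPsec
}

MSS_MIN, MSS_MAX = 40, 1460   # range of the guide's "Limit to N Bytes" option
ALIGN = 8                     # assumed: align the result down to 8 bytes

MSS_KIND, MSS_LEN = 2, 4      # TCP option kind 2 = Maximum Segment Size


def auto_mss(in_mtu: int, out_mtu: int, encaps: Iterable[str] = ()) -> int:
    """Auto Adjustment: min(MTU) - headers - encapsulation, aligned down."""
    mtu = min(in_mtu, out_mtu)
    overhead = IP_HEADER + TCP_HEADER + sum(ENCAP_OVERHEAD[e] for e in encaps)
    mss = mtu - overhead
    if mss < MSS_MIN:
        raise ValueError(f"MTU {mtu} too small for overhead {overhead}")
    return mss - (mss % ALIGN)


def clamp_mss_option(options: bytes, limit: int) -> bytes:
    """Walk the TCP option list and lower the MSS option to `limit`
    if it advertises more.  Other options are left untouched."""
    out = bytearray(options)
    i = 0
    while i < len(out):
        kind = out[i]
        if kind == 0:                      # End of option list
            break
        if kind == 1:                      # NOP (single byte, no length)
            i += 1
            continue
        if i + 1 >= len(out):
            raise ValueError("truncated TCP option")
        length = out[i + 1]
        if length < 2 or i + length > len(out):
            raise ValueError("bad TCP option length")
        if kind == MSS_KIND and length == MSS_LEN:
            (mss,) = struct.unpack_from("!H", out, i + 2)
            if mss > limit:
                struct.pack_into("!H", out, i + 2, limit)
        i += length
    return bytes(out)


def adjust_syn_options(mode: str, options: bytes, in_mtu: int = 1500,
                       out_mtu: int = 1500, encaps: Iterable[str] = (),
                       limit: Optional[int] = None) -> bytes:
    """Apply one of the three modes to the options of a SYN segment."""
    if mode == "none":                     # No Adjustment: header unchanged
        return options
    if mode == "auto":                     # Auto Adjustment
        return clamp_mss_option(options, auto_mss(in_mtu, out_mtu, encaps))
    if mode == "limit":                    # Limit to N Bytes (40-1460)
        if limit is None or not MSS_MIN <= limit <= MSS_MAX:
            raise ValueError("limit must be within 40-1460 bytes")
        return clamp_mss_option(options, limit)
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    # Constructed SYN options: MSS 1460, NOP, window scale 7.
    syn_opts = bytes.fromhex("020405b401030307")
    print(auto_mss(1500, 1500))            # 1456 with the assumed 8-byte alignment
    print(adjust_syn_options("auto", syn_opts, out_mtu=1400,
                             encaps=("esp", "udp", "outer_ip")).hex())
```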
When you have finished configuring the advanced settings, click one of the following options:
Reset
To return the settings to the previous configuration.
Apply
To immediately commit the settings to the Firebox Vclass appliance.
Hacker Prevention Configuration
If you have not already used the Installation Wizard to set up hacker prevention options, you can do so now with the Hacker Prevention tab. If you have made these entries, you can edit them by using this tab’s features.
1 Click the Hacker Prevention tab.
The Hacker Prevention settings are displayed.
2 You can customize and apply the following two groups of options at this time:
Denial-of-service settings: These options safeguard your servers from denial-of-service (DoS) attacks. These attacks flood your network with requests for information, clogging servers and possibly shutting down your network. After you activate these options and set thresholds, the Firebox Vclass appliance prevents such attacks. If more than the specified number of requests are received (per second), the Firebox Vclass appliance drops the specified excess number of requests within the same second, while it permits the specified number of requests to pass through. This protects your servers from becoming overwhelmed by too many requests within a short period of time.
ICMP Flood Attack
Safeguards your network from a sustained flood of ICMP pings. After selecting the checkbox, type the threshold number in the text field that will trigger the denial-of-service protection.
SYN Flood Attack
Safeguards your network from a sustained flood of TCP SYN requests without the corresponding ACK response. After selecting the checkbox, type the threshold number in the text field that will trigger the denial-of-service protection.
UDP Flood Attack
Safeguards your network from a sustained flood of UDP packets. After selecting the checkbox, type the threshold number in the text field that will trigger the denial-of-service protection.
Ping of Death
Safeguards your network from user-defined large data-packet pings. Select the checkbox to activate this denial-of-service protection.
IP Source Route
Safeguards your network from a flood of false client IP addresses, designed to bypass firewall security. Select the checkbox to activate this denial-of-service protection.
Distributed Denial-of-service settings: As a subset of denial-of-service attacks, distributed DoS attacks occur when hackers coordinate a number of “borrowed” computers for malicious purposes and program them to simultaneously assault a network. If allowed to pass through, these requests can overwhelm and crash your Web servers. Your options include the following:
Per Server Quota
Safeguards your servers from coordinated denial-of-service attacks from any client to any single server. After selecting the checkbox, type a threshold number in the text field that represents the maximum request capacity (per second) of that server. If more than the specified number of connection requests are received within a second, the Firebox Vclass appliance drops the excess requests within that same second. This will protect your server from being overwhelmed by too many connection requests in a short period of time.
Per Client Quota
Restricts the number of connection requests from a single client within a second. After selecting the checkbox, type a threshold number in the text field that represents the maximum number of requests (per second) from a single client. If more than the specified number of connection requests are received within a second, the Firebox Vclass appliance drops the excess requests within that same second.
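As an added illustration (not WatchGuard code), the Python below models the per-second thresholds described in the two groups above: a flood threshold per protocol, a Per Server Quota, and a Per Client Quota, where each one-second window counts arrivals and everything beyond the configured number in that second is dropped. The fixed one-second window, the event layout and the sample traffic are assumptions of this example.

```python
"""Added example: per-second flood thresholds and per-server / per-client
connection quotas.  Not Firebox Vclass code; the fixed one-second window
and the event layout are assumptions of this example."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    ts: float      # arrival time in seconds
    proto: str     # "icmp", "syn" or "udp"
    src: str       # client IP
    dst: str       # server IP


class FloodGuard:
    """Counts arrivals per one-second window and reports why a request
    would be dropped; an empty reason list means it is permitted."""

    def __init__(self, flood: Optional[Dict[str, int]] = None,
                 per_server: Optional[int] = None,
                 per_client: Optional[int] = None) -> None:
        self.flood = flood or {}          # proto -> max arrivals per second
        self.per_server = per_server      # max requests/second to one server
        self.per_client = per_client      # max requests/second from one client
        self._counts: Dict[Tuple[int, tuple], int] = defaultdict(int)

    def _exceeds(self, second: int, key: tuple, limit: Optional[int]) -> bool:
        if limit is None:                  # that protection is not enabled
            return False
        self._counts[(second, key)] += 1
        return self._counts[(second, key)] > limit

    def check(self, req: Request) -> List[str]:
        second = int(req.ts)
        reasons: List[str] = []
        if self._exceeds(second, ("flood", req.proto), self.flood.get(req.proto)):
            reasons.append(f"{req.proto}-flood")
        if self._exceeds(second, ("server", req.dst), self.per_server):
            reasons.append("per-server-quota")
        if self._exceeds(second, ("client", req.src), self.per_client):
            reasons.append("per-client-quota")
        self._expire(second)
        return reasons

    def _expire(self, now: int) -> None:
        """Forget windows older than the current second."""
        for k in [k for k in self._counts if k[0] < now]:
            del self._counts[k]


def run(guard: FloodGuard,
        traffic: List[Request]) -> List[Tuple[float, str, List[str]]]:
    """Return (time, src, drop reasons) for each request in arrival order."""
    return [(r.ts, r.src, guard.check(r)) for r in traffic]


# Constructed sample traffic: SYN flood threshold 3/s, per-client quota 2/s.
SAMPLE = [
    Request(10.0, "syn", "198.51.100.7", "192.0.2.10"),
    Request(10.1, "syn", "198.51.100.7", "192.0.2.10"),
    Request(10.2, "syn", "198.51.100.7", "192.0.2.10"),   # 3rd from this client
    Request(10.3, "syn", "198.51.100.9", "192.0.2.10"),   # 4th SYN this second
    Request(11.0, "syn", "198.51.100.7", "192.0.2.10"),   # new window, allowed
]

if __name__ == "__main__":
    guard = FloodGuard(flood={"syn": 3}, per_client=2)
    for ts, src, reasons in run(guard, SAMPLE):
        print(ts, src, "drop " + ",".join(reasons) if reasons else "pass")
```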
When you have finished configuring the Hacker Prevention settings, click one of the following options:
Reset
To return the settings to the previous configuration.
Apply
To immediately apply the settings to the Firebox Vclass appliance.
CPM Management Configuration
Use the CPM Management tab to allow a specified CPM server to manage the Firebox Vclass appliance.
1 Click the CPM Management tab.
The CPM Management settings are displayed.
2 Select the Enable CPM Management checkbox.
3 In the CPM Server IP Address field, type the CPM server IP address.
4 In the CPM Server Port field, type the CPM server port.
The default port is 7850.
5 To change the CPM management password, click Password.
The Change CPM Management Password dialog box appears.
6 In the Password field, type the new password. In the Retype Password field, retype the password.
7 Click OK.
When you have finished configuring the CPM Management settings, click one of the following options:
Reset
To return the settings to the previous configuration.
Apply
To immediately apply the settings to the Firebox Vclass appliance.
License Configuration
Use the Licenses tab to import licenses, which you obtain from WatchGuard, and add extra features. For more information about licensing additional features and capacity for your Firebox Vclass appliance, visit the WatchGuard Web site.
Add a single license
1 Click the Licenses tab.
The Licenses tab is displayed.
To import a new license:
2 Click Add.
The Import License dialog box appears.
3 Click Load the license from a file.
4 Locate and select the license file.
NOTE
If you prefer, you can also use a text editor to open the file. Then copy and paste the text.
5 When the license text is displayed, click Import License.
This imports the license into the Firebox Vclass appliance. After the import is complete, the dialog box and the System Configuration window close.
6 Repeat this process to import any other licenses into the Firebox Vclass appliance.
7 To remove a license, select the entry and click Remove.
A confirmation dialog box appears.
8 Click OK.
The entry is removed from the License list.
To view the details of a particular license:
1 Select an entry from the Licenses list.
2 Click Detail.
The License Detail dialog box appears.
3 Review the license information.
4 When you are finished, click Close.
To see which features are currently active:
1 Click Show Active Features.
The Active Features dialog box appears.
2 Review the active features along with their capacity and status.
3 Click Refresh to update the feature list.
4 When you are finished, click Close.
Install licenses from a license package
When you purchase licenses for multiple Vclass appliances, they are delivered in a License Package file. This is a gzipped tar (*.tgz) format file. Internally, the file includes license and serial number information, so when you install licenses from a License Package file, only the licenses that apply to the current appliance (determined by the serial number) are applied. You must install the License Package separately to each appliance to apply or update all of your licenses.
To install a License Package:
1 Click the Licenses tab.
The Licenses list is displayed.
2 Click Install License Package.
The Open Bulk License File dialog appears.
3 Locate and select the bulk license file, and click Open.
The License Package is read by Vcontroller, and any licenses that apply to the current Vclass appliance are loaded.
4 There are three possible results for this action:
- The license installation is successful, in which case a success dialog appears.
- The license package does not include any valid licenses for the appliance, in which case a warning dialog appears.
- The license package file is not valid, in which case an error dialog appears.
Click OK to accept the results of the dialog.
VLAN Forwarding Option
Your network may include a number of VLANs. As a result, you may need to create security policies to route traffic between two separate VLANs and this security appliance. In such a situation, which is known as VLAN forwarding, you can create security policies for VLAN traffic, but you must activate the related hardware functionality beforehand, as detailed in this section. This permits the appliance to manage traffic exchanges between two VLANs sharing this appliance, or traffic routed between two VLANs, one using this appliance, and another, separate VLAN behind another appliance, all connected to the same switch.
This function enables you to use an IT management workstation in VLAN 1 to connect through the local gateway appliance and to monitor and maintain a Web server assigned to VLAN 3, which entails inter-VLAN connections.
VLAN forwarding is a feature built into Firebox Vclass appliances, and is inactive by default.
NOTE
VLAN features are not available in Transparent Mode.
To activate VLAN forwarding:
1 Click the VLAN Forwarding tab.
The VLAN Forwarding fields are displayed.
NOTE
If this tab is not visible, this Firebox Vclass appliance does not incorporate these VLAN-forwarding features.
2 Select the Enable Inter-VLAN Forwarding checkbox.
When you have finished configuring the VLAN Forwarding settings, click one of the following options:
Reset
To return the settings to the previous configuration.
Apply
To immediately apply the settings to the Firebox Vclass appliance.
Blocked Sites Configuration
The System Configuration Blocked Sites List allows you to create a permanent list of blocked IP addresses, and a permanent list of Exceptions, which are never blocked. When packets from a blocked IP address reach the Vclass through the Public port, they are dropped; packets from an IP address on the Exception List are never blocked by this list.
NOTE
The System Configuration Blocked Sites List is static, and changes only when an administrator makes changes to it. You can block IPs dynamically (for a specified time period) using the System Information Blocked IP List. See “Runtime Blocked IP List” on page 399 for more information.
To Block an IP address:
1 Click the Blocked Sites tab.
The System Configuration Blocked Sites window appears.
2 To add a blocked site, click the Add button under the Permanent Blocked Site IP List. To edit a blocked site entry, select the entry and click Edit.
The Add or Edit Site dialog appears.
3 In the Site (IP) field, type the IP address to block, then click OK.
The new or edited site address is listed in the Blocked IP List.
To add an IP address to the exception list:
1 Click the Blocked Sites tab.
The System Configuration Blocked Sites window appears.
2 To add an exception, click the Add button under the exceptions list. To edit an exception list entry, select the entry and click Edit.
The Add or Edit Site dialog appears.
3 In the Site (IP) field, type the IP address exception, then click OK.
The new or edited site address is listed in the Exception List.
To delete a blocked site or exception list entry:
1 Click the Blocked Sites tab.
The System Configuration Blocked Sites window appears.
2 Select an entry from the Blocked Sites List or the Exceptions List, and click Delete.
You can select multiple contiguous IP addresses by holding the Shift key, or multiple discontinuous IP addresses by holding the Control key while clicking.
To find an IP address on the Blocked Sites or Exception List:
1 Click Find under the applicable list.
The Find Site dialog appears.
2 In the Site (IP) field, type the IP address you want to find, then click OK to find the address. You can click Cancel to return to the Blocked Sites List.
High Availability Configuration
Use the High Availability tab to configure all of the necessary features to connect, link, and run a high-availability system using two HA-ready Firebox Vclass appliances.
This provides continuous network management in the event of a security appliance failure.
For complete information on using this tab, see “Setting Up a High Availability System” on page 425.
CHAPTER 7
Using Account Manager
This chapter shows you how to create three separate types of access accounts: admin, super admin, and end user.
Admin and super admin accounts enable users to connect to a Firebox Vclass appliance so that they can monitor and manage the system. A super admin account grants the user a wide range of controls over the appliance and policies, while the admin account restricts its user to status checks, the policy checker tool, and alarm resolution.
The end user account allows users to connect through a firewall to external networks or the Internet, where such access is blocked by the firewall. It primarily affects internal network users.
Configuring Accounts
Configure system access accounts for any number of users acting in three basic roles.
super admin
This account has complete control of the entire system. When a user logs into Vcontroller as a super admin, they have access to all the Manager window features and can add to or edit all the settings and policies.
NOTE
Vcontroller provides one default super admin account with primary master privileges. Only one user can be logged in as default super admin at any time, and this connection bars all other secondary super admin account users. See “Account Access Conflicts” on page 156 for more information.
admin
This account is given read-only access to Vcontroller features, with the exception of the Outstanding Alarms feature. The user of an admin account can open Vcontroller to check on the status of the system but is not able to change or delete settings. If, however, an alarm is detected, the admin user can log in and both investigate and clear an active alarm. The admin user can also open and use the Policy Checker to help troubleshoot user problems.
For more information about prioritizing super admin and admin accounts, see “Account Access Conflicts” on page 156.
end user
This account is related to firewall access and can be used to grant internal users access to external networks or the Internet.
Use the following procedure to configure accounts:
1 From the main Vcontroller window, click Account .
The Account Manager window appears.
2 Click Add.
The account settings become active.
3 In the Account Name field, type an account name.
The account name must be between 2 and 8 characters.
4 In the Description field, type a brief description for the account. This field is optional.
5 Type the appropriate password in the Password field.
The password must be between 6 and 20 characters.
6 Retype the password in the Retype Password field.
7 Select the appropriate role from those displayed in the Unselected list. Click Add to move the role to the Selected column.
8 Click Apply.
A new account entry appears below the appropriate user account header on the left.
9 Repeat this process to add more accounts.
10 When you have finished, click Close.
End-user accounts for authentication
You can configure a security policy to block internal users from connecting through the Firebox Vclass appliance to the Internet or to other external networks. If, however, a number of inside users need external access, you can grant it to them by creating end-user accounts and configuring a policy to allow authenticated users to bypass the firewall.
For more information on creating security policies, see “About Security Policies” on page 159.
Using a Web browser to authenticate
After you create end-user accounts, contact prospective users and provide them with their end-user account name and password. Communicate the following process for using a Web browser to make a connection.
1 Launch a Web browser.
2 Type the IP address of interface 0 (Private) of the Firebox Vclass appliance as in this example: https://10.10.10.27
3 Press Return.
A Security Alert dialog box should appear, according to the browser used.
4 Click Yes/OK to accept the certificate.
A Login page appears in the Web browser, similar to this example:
5 Type the end-user account name in the User ID field.
6 Type the end-user password in the Password field.
7 Click Login.
If the entries are accepted, a status message appears in the browser, confirming the connection. The user can now connect to Web sites.
NOTE
All end-user connections have an idle timeout of two hours. If the user does not maintain active connections for two hours, the end-user connection is disconnected, and the end user must log in again.
Managing accounts
Showing and hiding accounts
You can hide accounts in the Account Manager window by double-clicking the minus (—) box at the top of the role mini-icon.
This hides the list of accounts from view, and replaces the minus box with a plus box.
If you need to see the list of accounts at a later time, double-click the plus box.
The complete list of accounts appears in the Account Manager window. If needed, you can edit or delete any of the listed accounts, as described in the following sections.
Modifying an existing account
To change an account by adding or removing an access privilege:
1 Open the Account Manager, and expand the category list on the left.
2 Select the account to be edited.
The current access roles of this account appear in the Selected column to the right.
3 To add a new role to this account, select the appropriate role in the Unselected column, then click Add to move that item into the Selected column.
4 To remove a role from this account, select the appropriate role in the Selected column, then click Delete.
5 When you have finished, click Apply.
The Account Manager window displays the results under each of the roles in the left-hand column.
6 Click Close to save your entries and close the Account Manager.
To remove an access account:
1 Determine which account will be deleted. The default super admin account cannot be deleted.
2 Select the account and then click Delete.
3 When you have finished, click Close to save your changes and close the Account Manager.
External Access for Remote Management
In most instances, you use Vcontroller to manage a Firebox Vclass appliance through interface 0 (Private); this is the default setup and requires the installation of Vcontroller on a Management Station located on the same private network as the appliance.
In certain settings, a Management Station may be located on a network external from the Firebox Vclass appliance and you must gain external access through interface 1 (Public). To enable remote management, you must create a security policy that allows incoming HTTPS traffic through interface 1 (Public), while also creating an address group for the IP address of the Management Station. For information on creating a security policy, see “About Security Policies” on page 159.
After a security policy has been configured, you can use an admin account for authentication to the Firebox Vclass just as you would an end-user account. When you have gained external access, you can then use Vcontroller to remotely manage the appliance.
Account Access Conflicts
If you create several super admin access accounts, remember that Firebox Vclass appliances allow only one super admin account to connect at any time with full administrative privileges. If another non-root super admin account user attempts to log in after a root super admin user has already logged in, the second user is granted access to the system, but with admin privileges only.
If someone logs in as a super admin user and a second person then attempts to log in as the default super admin, the second person is given the option of killing (logging out) the first non-default super admin user and taking over full super admin privileges.
Any number of non-super admin access accounts, which can only be used to check status and clear new alarms, can log in at the same time.
If you attempt to log in as a secondary admin user and the root super admin account is already in use, a warning window appears.
You can still click OK to complete the login, but when Vcontroller appears, you do not have any super admin privileges.
Resolving login conflicts
You can, on occasion, try to log in as the default super admin, and see the Kill Login dialog box:
This window appears in the following circumstances:
• You were recently logged in as a super admin user and your computer froze or crashed, terminating the administrative session, or you simply exited Vcontroller and did not log out correctly.
• Another person was already logged in as a non-default super admin user when you attempted to log in with the default super admin account. The appliance gives you the opportunity to quit or to disconnect access for the other user.
You can click OK to close a previous session (or to bump a secondary super admin user) and to connect as the root super admin.
When Vcontroller appears, you have full access to all the features.
CHAPTER 8
About Security Policies
The purpose of a Firebox Vclass appliance is to determine whether data is to be passed or blocked and, if passed, what action will be taken with the data. The set of rules by which data is evaluated and managed is called a security policy.
About Security Policies
Every security policy operates in a similar way: it lists qualifications that the Firebox Vclass appliance uses as it analyzes the initial packets of a new stream of data.
The sources of data can be your internal network or any external networks including the Internet. Then, if the packets match the traffic specifications of a given policy, the appliance can take several types of actions: firewall actions, proxy actions, IPSec actions (involving manual-key or automatic-key encryption and authentication), a variety of NAT/load-balancing actions, and QoS actions.
You can use Vcontroller to create and combine any number of policies on a Firebox Vclass appliance, enabling that appliance to fully protect and enhance your network traffic.
Security policy components
Every security policy is composed of two basic components: the traffic specifications and an action.
Traffic specifications
The traffic specification is one of the basic components of a security policy. It defines the source, destination, and other attributes of every data stream traveling through the Firebox.
Traffic specifications incorporate the following components:
Source
Refers to the origin of a stream of data whether it originates in your private network, the DMZ, or an external network.
Destination
Refers to the final destination for traffic that will be passed through the Firebox Vclass appliance by that policy. It can refer to a particular interface.
Service
The type of traffic in this data. For example, HTTP, SMTP (email), FTP, or Telnet.
Incoming interface
Which interface on the Firebox Vclass appliance the data is coming into: Public, Private, or DMZ.
Tenant
Which tenant is affected, whether a VLAN or user-defined domain tenant.
Policy actions
A policy action prompts the Firebox Vclass appliance to perform certain management tasks with data that matches qualifying traffic specifications. Your appliance can take one or more of the following actions:
• Protect your private networks from unauthorized intrusions, if the traffic is external.
• Perform IP address swapping through dynamic and static Network Address Translation.
• Encrypt and authenticate your data for secure transmission through insecure networks.
• Enable various types of load balancing for designated servers.
• Provide various types of network address translation for internal networks.
• Apply Quality of Service (QoS) controls to qualifying data traffic.
You can often combine several actions in the same policy, as described in “Policies with multiple actions” on page 163.
Types of policies
You can use Vcontroller to create as few or as many policies as are needed by your particular network, with each policy applying one or more compatible actions to qualifying traffic. The range of policies includes the following:
Firewall
Firewall policies block unwanted traffic (including hacker attacks) while permitting valid traffic to proceed to a destination inside your network. You can start with the default firewall policy that blocks every type of traffic, and then insert other policies that permit access by certain types of traffic to specific network destinations.
VPN
Virtual Private Networks create secure tunnels through internal networks or through the Internet, so that encrypted data can be sent efficiently and securely from one device to the other. VPN policies can be applied to both site-to-site traffic and remote-client-to-site traffic.
Network Address Translation
Network Address Translation (NAT) has three key applications in a Firebox Vclass appliance:
Dynamic NAT allows you to set up a single IP address so that a large number of internal network users can gain access to the Internet.
Static NAT policies allow you to substitute an alias IP address for a real IP address. For example, you could mask a Web server IP address behind an alias with Static NAT, so that the alias is the only network ID visible to external users.
Virtual IP load balancing uses a single legitimate IP address, and then evenly distributes data requests to any number of servers all mirroring the same information. Your assets are not limited to a single server with a single IP address.
Traffic Shaping
Quality of Service policies assign priorities to qualified data. This can be useful if, for example, an executive wants a particularly fast Web browsing experience. You can create a policy that prioritizes HTTP traffic going to his or her computer’s IP address while scaling down the capacity of other traffic.
Hacker Defense
Your Firebox Vclass appliance comes with a suite of options to protect your network against coordinated floods of malicious data requests. You can set threshold values for different types of protection so that the Firebox Vclass appliance automatically dumps the excess traffic and protects your systems from stalling or crashing.
Multi-tenant
You can route VLAN traffic through a Firebox Vclass appliance, including inter-VLAN forwarding, or you can establish a number of user domains to virtually define restricted groups of network tenants and then route traffic to and from the members of that domain.
Scheduling
You can establish hours and days for specific actions that your appliance will take with certain data, while allowing other data to pass unimpeded or unaffected.
Policies with multiple actions
You can combine one or more actions in a policy. For example, suppose you created a VPN policy that permits two server-farm sites to share data with one another. You might also want to implement load balancing, so that the data is distributed equally among several servers. The required policy would focus on the two gateway appliances as source and destination and then apply both an IPSec action and a load-balancing action.
Not all actions can be combined. The following table shows the combinations of actions that can be applied in a single policy (na: the row and the column name the same action).

                    Firewall  IPSec  Virtual IP/NAT (a)  Dynamic NAT  Static NAT  QoS (a)
Firewall            na        YES    YES                 YES          YES         YES
IPSec               YES       na     YES                 YES          YES         YES
Virtual IP/NAT (a)  YES       YES    na                  NO           NO          YES
Dynamic NAT         YES       YES    NO                  na           NO          YES
Static NAT          YES       YES    NO                  NO           na          YES
QoS (a)             YES       YES    YES                 YES          YES         na
Using Policy Manager
Policy Manager allows you to create and edit a detailed security policy. Within the security policy, you can create a variety of actions as well as define schedules, address groups, tenants, and other components for security policies. You can also use the Policy Checker to make sure you have defined your policy correctly.
From the main Vcontroller window, click Security Policy.
The Policy Manager window appears.
• Click Address Group to view the list of defined entries.
The Address Group dialog box appears.
- To create a new Address Group, click New. For instructions on defining the entry, see “Defining an address group” on page 180.
- To edit an address group, select the entry and click Edit.
- To delete an address group, select the entry and click Delete.
- When you are finished, click Close.
• Click Service to view the list of defined entries.
The Service dialog box appears.
- To create a new Service, click New. For instructions on defining the entry, see “Defining a service” on page 182.
- To edit a service, select the entry and click Edit.
- To delete a service, select the entry and click Delete.
- When you are finished, click Close.
• Click IPSec Action to view the list of defined entries.
The IPSec Action dialog box appears.
- To create a new IPSec action, click New. For instructions on defining the entry, see “Defining an IPSec action” on page 315.
- To edit an IPSec action, select the entry and click Edit.
- To delete an IPSec action, select the entry and click Delete.
- When you are finished, click Close.
• Click Proxy Action to view the list of defined entries.
The Proxy Action dialog box appears.
- To create a new Proxy action, click New. For instructions on defining the entry, see “Creating a
- To edit a Proxy action, select the entry and click Edit.
- To delete a Proxy action, select the entry and click Delete.
- When you are finished, click Close.
• Click QoS Action to view the list of defined entries.
The QoS Action dialog box appears.
- To create a new QoS action, click New. For instructions on defining the entry, see “Defining a
- To edit a QoS action, select the entry and click Edit.
- To delete a QoS action, select the entry and click Delete.
- When you are finished, click Close.
• Click NAT/LB Action to view the list of defined entries.
The NAT/LB Action dialog box appears.
- To create a new NAT or Load Balancing action, click New. For instructions on defining the entry, see “About Load Balancing” on page 200.
- To edit a NAT or Load Balancing action, select the entry and click Edit.
- To delete a NAT or Load Balancing action, select the entry and click Delete.
- When you are finished, click Close.
• Click Schedule to view the list of defined entries.
The Schedule dialog box appears.
- To create a new schedule, click New. For instructions on defining the entry, see “Defining a
- To edit a schedule, select the entry and click Edit.
- To delete a schedule, select the entry and click Delete.
- When you are finished, click Close.
• Click Tenant to view the list of defined entries.
The Tenant dialog box appears.
- To create a new tenant, click New. For instructions on defining the entry, see “Defining tenants” on page 189.
- To edit a tenant, select the entry and click Edit.
- To delete a tenant, select the entry and click Delete.
- When you are finished, click Close.
• To create a duplicate entry, select a policy and click Clone.
• To edit a particular entry, select the policy and click Edit.
• To delete a particular entry, select the policy and click Delete.
• To save the settings to the Management Station and apply them to the Firebox Vclass appliance when it is restarted, click OK.
• To close the Policy Manager window without saving or applying any changes, click Cancel.
• To immediately commit the settings to the Firebox Vclass appliance, click Apply.
The Commit dialog box appears.
- To flush any active connections that may be affected by the changes, click the appropriate checkbox and then click Commit.
• Click Help to launch the online help system within your browser window.
• Click Security Policy or IKE Policy to toggle between these two displays.
How policy order governs policy application
Vcontroller applies policies to new data in the order you set. This order can be critical to the proper operation of your Firebox Vclass appliance. For example, suppose you define a policy that admits HTTP packet streams, and you list this policy second in order. However, suppose the first policy in the list blocks all HTTP traffic from entry. Because the first policy blocks all HTTP traffic, the second policy is not applied.
Because policies can make use of wildcards or nested address groups, make sure you define and list all of your policy rules in the proper order.
After you have created a number of policies and tested them, you may need to move one or more policies out of their current place to another, to permit them to be used before or after other existing policies. To do this, use the arrow buttons to the left of the policy list in the Policy Manager window.
• Select the policy to be moved, as shown below in row 1.
• Click the Up or Down arrow key, as shown above, depending on which direction the move is to occur.
• Continue to click until the selected policy appears in the desired location, as shown here. This illustration shows the selected policy has been moved from row 1 to row 4.
Applying system-wide QoS port shaping
If your Firebox Vclass appliance sends data to a network device–such as a modem, router, or hub–that has a lower throughput speed, you may want to adjust the throughput speed of the Firebox Vclass appliance, so that it does not flood the other device with excessive data. You can set bandwidth constraints for both Private and Public interfaces. This only affects outgoing packets.
This system-wide setting does not directly affect any QoS actions that you may define. Port-shaping settings control overall outgoing throughput, while individual policy actions prioritize specific data.
To apply system-wide QoS port shaping:
1 Click System QoS.
The System QoS dialog box appears.
2 To configure QoS for either the Public or Private interfaces, select the Enable QoS checkbox.
3 Select either Kbps or Mbps from the drop-down lists.
4 Click Done.
Using tunnel switching
For information on using tunnel switching with VPN policies, see “Using Tunnel Switching” on page 323.
Using Policy Checker
As you compile and insert new policies in the Policy Manager window, you can use the Security Policy Checker window to find and apply the correct policy. This limited test verifies that the policy is in the proper sort order and that it will be activated when qualifying data is detected.
To test a security policy:
1 Click Security Policy. The Policy Manager window appears. Click the Policy Checker button on the left side of the window. The Security Policy Checker dialog box appears.
2 In the Source field, type the IP address of the external device from which the expected source traffic will arrive.
3 In the Destination field, type the IP address of the internal device to which the expected source traffic will arrive.
4 Select the appropriate interface at which the expected traffic will arrive from the Incoming Interface drop-down list.
5 From the Preference drop-down list, select one of the following:
Use Service Group
If you select this item, the Service drop-down list is your only active option.
Use Protocol and Port
If you select this item, the Protocol and Service Port features become active (and the Service drop-down list becomes inactive).
6 From the Service drop-down list (if active), select the service this policy should check for.
7 From the Protocol drop-down list (if active), select the protocol to be used.
8 In the Server Port field (if active), type the port number for this protocol.
9 If this test will verify a policy for multi-tenant domain traffic, type an ID in the Tenant ID field.
10 Click Done.
The Policy Checker starts at the top of the policy list and checks your test parameters against every rule. If it finds a match, the first policy affected by such traffic is highlighted in the Policy Manager list. This is particularly helpful when you have a long list of policies and you want to:
• Change the order of policies.
• Edit each policy to change any overlapping settings.
If no match is found, either your newly created policy contained errors, or the test scenario you hoped to validate had errors in the settings. To examine the rule and its settings:
1 Resort the policies in the window and use the Security Policy Checker again to test the sort order (after verifying your test traffic entries).
2 If no matching policy is found, select the policy that should have been applied to the test traffic, and double-click Edit.
The Edit Security Policy dialog box appears.
3 Because this dialog box has the same features as the Insert Security Policy dialog box, you can check all the configuration options, drop-down lists, text fields, and checkboxes to find the incorrect entry.
4 After you are finished, reopen the Security Policy Checker dialog box, re-enter the test scenario settings, and try again.
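Both the ordering rule described under “How policy order governs policy application” and the Policy Checker procedure above can be exercised on a small model. The following is an added example, not Vcontroller’s own implementation: it walks a list of policies top to bottom exactly as the checker does, returns the first match, and also reports a policy that an earlier, broader policy makes unreachable. The Policy and Traffic fields, the interface labels, and the addresses (documentation ranges 192.0.2.0/24 and 198.51.100.0/24) are constructed for the illustration.

```python
"""First-match policy evaluation and a simplified Policy Checker.

Added example, not Vcontroller's implementation: Policy and Traffic fields,
interface labels and all addresses are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "ANY"  # wildcard, like the ANY source/destination in the manual


@dataclass(frozen=True)
class Policy:
    name: str
    source: str           # CIDR network or ANY
    destination: str      # CIDR network or ANY
    protocol: str         # "tcp", "udp", "icmp" or ANY
    port: Optional[int]   # server port; None matches any port
    interface: str        # incoming interface label or ANY
    action: str           # "pass" or "block"


@dataclass(frozen=True)
class Traffic:
    src: str
    dst: str
    protocol: str
    port: Optional[int]
    interface: str


def _addr_matches(spec: str, addr: str) -> bool:
    """ANY matches everything; otherwise the address must fall in the network."""
    if spec == ANY:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(policy: Policy, t: Traffic) -> bool:
    return (_addr_matches(policy.source, t.src)
            and _addr_matches(policy.destination, t.dst)
            and policy.protocol in (ANY, t.protocol)
            and policy.port in (None, t.port)
            and policy.interface in (ANY, t.interface))


def policy_checker(policies: List[Policy], t: Traffic) -> Optional[Tuple[int, Policy]]:
    """Walk the list top to bottom, as the appliance does, and return the
    index and policy of the first match, or None if nothing matches."""
    for i, p in enumerate(policies):
        if matches(p, t):
            return i, p
    return None


def _addr_contains(outer: str, inner: str) -> bool:
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    return ipaddress.ip_network(inner, strict=False).subnet_of(
        ipaddress.ip_network(outer, strict=False))


def shadows(earlier: Policy, later: Policy) -> bool:
    """True if `earlier` matches everything `later` matches, so `later` can
    never be reached while it is listed below `earlier`."""
    return (_addr_contains(earlier.source, later.source)
            and _addr_contains(earlier.destination, later.destination)
            and earlier.protocol in (ANY, later.protocol)
            and earlier.port in (None, later.port)
            and earlier.interface in (ANY, later.interface))


def find_shadowed(policies: List[Policy]) -> List[Tuple[str, str]]:
    """Return (shadowed policy, policy that hides it) pairs. Only full
    containment is detected; partially overlapping policies are not."""
    found = []
    for j, later in enumerate(policies):
        for earlier in policies[:j]:
            if shadows(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed policies reproducing the manual's scenario: one policy blocks
# all inbound HTTP, another is meant to admit HTTP to a web server subnet.
BLOCK_HTTP = Policy("Block_HTTP_in", ANY, ANY, "tcp", 80, "1 (Public)", "block")
ALLOW_WEB = Policy("Allow_WWW", ANY, "192.0.2.0/24", "tcp", 80, "1 (Public)", "pass")
MISORDERED = [BLOCK_HTTP, ALLOW_WEB]   # Allow_WWW is never reached
CORRECTED = [ALLOW_WEB, BLOCK_HTTP]    # web servers reachable, other HTTP blocked

# Constructed test traffic: an external client connecting to the web server.
WEB_REQUEST = Traffic("198.51.100.7", "192.0.2.10", "tcp", 80, "1 (Public)")

if __name__ == "__main__":
    for label, plist in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        hit = policy_checker(plist, WEB_REQUEST)
        print(label, "->", hit[1].name if hit else "no match", find_shadowed(plist))
```

Running the block shows the misordered list selecting Block_HTTP_in for the web request and flagging Allow_WWW as shadowed, while the corrected list selects Allow_WWW and reports nothing shadowed, which is the outcome the Policy Checker highlights in the policy list.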
Default policies
When you first install Vcontroller, three preinstalled policies are put into effect.
PRIVATE_HTTPS
Permits incoming HTTPS traffic access to interface 0 (Private). Vcontroller uses HTTPS traffic, so this policy allows management connections to the private interface.
Allow_PING_FROM_PVT
Permits you to ping interface 0 (Private). This allows you to troubleshoot your connection to the private interface.
HOST_OUT
Permits all outgoing traffic, regardless from which internal interface the traffic originates, access to external networks such as the Internet.
Defining a Security Policy
The Insert Security Policy dialog box allows you to combine traffic specifications and policy actions. You use this dialog box to define all security policies regardless of type.
1 Select an entry point among the list of policies and then click Insert. The Insert Security Policy dialog box appears, with the General page displayed. This page allows you to type a name and a description for the policy.
2 Click the Traffic Specs tab to view and edit traffic information for the policy.
3 Click the Actions tab to view and edit actions performed by the policy.
4 When you have finished, click Done.
Defining source and destination
Source and destination information for a security policy is defined in the Traffic Specs page of the Insert Security Policy dialog box. To see this page, click the Traffic Specs tab on the Insert Security Policy dialog box.
NOTE
When you are editing a policy that already exists, this dialog is called the Edit Security Policy dialog box. However, the functionality is the same.
The default sources and destinations are as follows:
ANY
This represents any possible source or destination.
It is useful when selecting sources or destinations outside your network.
PRIVATE_PORT_IP
The IP address of the Private interface.
PUBLIC_PORT_IP
The IP address of the Public interface.
DMZ_PORT_IP
The IP address of the DMZ interface.
DMZ2_PORT_IP
The IP address of the second DMZ interface.
INTERFACE_IPS
The IP addresses of all interfaces.
If none of the listed items represent the source or destination you want to use for a policy, you must define a new address group, as described in the next section.
Defining an address group
To create an address group:
1 On the Traffic Specs tab, click New, next to the Source or Destination drop-down lists.
You can also define an Address Group by clicking Address Group in the Policy Manager, then clicking New on the Address Group dialog box. The New Address Group dialog box appears.
2 In the Name and Description fields, type a name and brief description for the address group. The Description field is optional.
3 Click New.
The New Address Group Member window appears.
4 From the Type drop-down list, select the category of members that will be the source or destination of traffic. The options include the following:
Host IP Address
A single host (or a single networked device).
IP Network Address
A particular subnet.
IP Address Range
A series of sequentially numbered IP addresses.
Address Group
An existing address group.
5 If you chose Host IP Address, in the Host IP Address text field, type the host computer’s IP address.
If you chose IP Network Address, type the subnet address and subnet mask for this network.
If you chose IP Address Range, type the starting and ending IP addresses for the range.
If you chose Address Group, from the Address Group drop-down list, select the appropriate item. This drop-down list lists every address group created for use with the Firebox Vclass appliance.
6 When you are finished, click Done.
The new member name is displayed in the Address Group Members list of the New Address Group dialog box.
7 Repeat this process until you have defined all the required members.
8 After you have added all the required group members, click Done to close the New Address Group dialog box.
When the Insert New Policy dialog box reappears, the Source or Destination drop-down list automatically displays the newly created address group.
NOTE
You can nest address groups as “members” within other address groups, as suggested by the Address Group drop-down list in the New Address Group Member dialog box. This does require, however, the creation of each group before you can do so. For example, you could create an address group representing employee departments or employees within a subnet, then, in a separate process, create a master address group, “Employees,” that contains, as members, all the other staff address groups.
Defining a service
The service component of a traffic specification enables you to designate one or more network protocols that will be used by the source device for a particular data stream.
Your service selection will be a service group, which can consist of any combination of the following attributes:
• A single service for a particular type of data traffic, which includes a single protocol and port number.
• A range of port numbers used by a single service or application.
• An existing service group, which includes two or more related services.
You can assemble a service group of one or more services for use in a single policy to save you from having to create a separate policy for each service. Although a comprehensive set of protocols is included in the Service drop-down list, you can create a new service group using the procedure in the next section.
To create a new service group:
1 Click New.
The New Service dialog box appears.
2 In the Name and Description fields, type a name and brief description for the service. The Description field is optional.
3 Click New.
The New Service Item dialog box appears.
4 From the Type drop-down list, select the appropriate option.
5 To create a service group combining a protocol and port number:
- Select Single Service from the Type drop-down list.
- From the Protocol drop-down list, make the appropriate selection.
- In the Server Port field, type the port number used by this protocol.
- Click Done.
6 To create a service group containing a single protocol and a range of port numbers:
- Select Service Range from the Type drop-down list.
- From the Protocol drop-down list, make the appropriate selection.
- In the Start Server Port field, type the lowest port number used by this protocol.
- In the End Server Port field, type the highest port number.
- Click Done.
7 To combine two or more existing services into a convenient group:
- Select Service Group from the Type drop-down list.
- From the Protocol drop-down list, select the first service you want to add to this group.
- The New Service dialog box reappears, listing your new service group.
- Click New, and repeat the Type and Service Group selection process to add another service to this group.
- Repeat this process until all your intended services appear in the Service Items list.
8 When the group is complete, click Done.
When the Insert Security Policy dialog box reappears, the Service drop-down list automatically displays this new group as your selection.
NOTE
If this group is for use in a policy that blocks traffic of some type, remember that blocking a service group effectively blocks all the service items in that group. Before doing so, you must make sure this is indeed your intent. You’ll only rarely need to block an entire service group; instead, you should block only the relevant service items.
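The address-group nesting described in the note under “Defining an address group” and the caution above about blocking a whole service group come down to the same question: what does a group resolve to once every nested member is expanded? The following added example (not Vcontroller code) resolves both kinds of group, refuses a group that nests itself, and returns the full set of service items a policy blocks when it blocks an entire group. The group names, addresses and ports are constructed for the illustration.

```python
"""Nested address groups and service groups, resolved the way a traffic
specification needs them. Added example, not Vcontroller code; the group
names, addresses and ports are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple, Union


# Address group member types named in the manual.
@dataclass(frozen=True)
class Host:
    ip: str

@dataclass(frozen=True)
class Network:
    net: str

@dataclass(frozen=True)
class AddrRange:
    start: str
    end: str

@dataclass(frozen=True)
class GroupRef:            # a nested address group or service group
    name: str

# Service item types named in the manual.
@dataclass(frozen=True)
class SingleService:
    protocol: str
    port: int

@dataclass(frozen=True)
class ServiceRange:
    protocol: str
    start: int
    end: int

AddressMember = Union[Host, Network, AddrRange, GroupRef]
ServiceItem = Union[SingleService, ServiceRange, GroupRef]


def address_group_contains(groups: Dict[str, List[AddressMember]], name: str,
                           addr: str, _seen: frozenset = frozenset()) -> bool:
    """Recursive membership test; `_seen` stops a group that (mis)refers to
    one of its own ancestors from recursing forever."""
    if name in _seen:
        raise ValueError(f"address group cycle through {name!r}")
    ip = ipaddress.ip_address(addr)
    for m in groups[name]:
        if isinstance(m, Host) and ip == ipaddress.ip_address(m.ip):
            return True
        if isinstance(m, Network) and ip in ipaddress.ip_network(m.net, strict=False):
            return True
        if isinstance(m, AddrRange) and \
                ipaddress.ip_address(m.start) <= ip <= ipaddress.ip_address(m.end):
            return True
        if isinstance(m, GroupRef) and \
                address_group_contains(groups, m.name, addr, _seen | {name}):
            return True
    return False


def expand_service_group(services: Dict[str, List[ServiceItem]], name: str,
                         _seen: frozenset = frozenset()) -> Set[Tuple[str, int, int]]:
    """Flatten a service group to (protocol, first_port, last_port) triples.
    This is exactly the set a policy blocks when it blocks the whole group."""
    if name in _seen:
        raise ValueError(f"service group cycle through {name!r}")
    items = set()
    for it in services[name]:
        if isinstance(it, SingleService):
            items.add((it.protocol, it.port, it.port))
        elif isinstance(it, ServiceRange):
            items.add((it.protocol, it.start, it.end))
        else:
            items |= expand_service_group(services, it.name, _seen | {name})
    return items


def service_matches(services: Dict[str, List[ServiceItem]], name: str,
                    protocol: str, port: int) -> bool:
    return any(p == protocol and lo <= port <= hi
               for p, lo, hi in expand_service_group(services, name))


# Constructed groups: departmental address groups nested into "Employees",
# as the manual's note suggests, plus a deliberately circular pair.
ADDRESS_GROUPS = {
    "Engineering": [Network("10.1.0.0/24"), Host("10.9.9.9")],
    "Sales": [AddrRange("10.2.0.10", "10.2.0.50")],
    "Employees": [GroupRef("Engineering"), GroupRef("Sales")],
    "Loop_A": [GroupRef("Loop_B")],
    "Loop_B": [GroupRef("Loop_A")],
}

SERVICE_GROUPS = {
    "HTTP": [SingleService("tcp", 80)],
    "HTTPS": [SingleService("tcp", 443)],
    "Mail": [SingleService("tcp", 25), SingleService("tcp", 143)],
    "FTP_Passive": [SingleService("tcp", 21), ServiceRange("tcp", 50000, 50100)],
    "Web_and_Mail": [GroupRef("HTTP"), GroupRef("HTTPS"), GroupRef("Mail")],
}

if __name__ == "__main__":
    print(address_group_contains(ADDRESS_GROUPS, "Employees", "10.2.0.33"))
    print(sorted(expand_service_group(SERVICE_GROUPS, "Web_and_Mail")))
```

Expanding a group before you block it is the check the note asks for: the expanded set is what actually gets blocked, and a single nested reference can pull in far more services than the group name suggests.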
Defining the incoming interface
The final component of a traffic specification is the incoming interface, which represents the actual Ethernet interface at which data packets are detected by the Firebox Vclass appliance. The choices for the incoming interface are as follows:
0 (Private)
Also considered the “trusted” interface. This interface receives traffic originating from your internal networks.
1 (Public)
Also considered the “external” interface. This interface receives traffic originating from external networks, such as the Internet.
2 (DMZ)
Also considered an “optional” interface. This interface receives traffic originating from both external networks as well as your internal networks. This interface is not available on the V10 or V100 models.
3 (DMZ2)
Also considered an “optional” interface. This interface receives traffic originating from both external networks as well as your internal networks. This interface is not available on the V10 or V100 models.
Internal
The traffic originates from within the appliance itself. For example, you would use this option if you created a policy that permits RADIUS query traffic to go to a VLAN network.
Using Tenants
Using Vcontroller, you can create policies that direct traffic in a multi-tenant network environment. Generally used in a service provider environment, a customer’s tenant assets are segregated into separate Virtual LANs (VLANs). This provides a secured environment for tenants because all network traffic between different VLANs is separated by VLAN switches.
All Vclass security appliances support IEEE 802.1q VLAN packets, which allows a network administrator to create separate policies for each tenant using a single shared security appliance. This reduces the cost of providing firewall and VPN services to all tenants.
In addition to VLAN-type tenants, all Vclass security appliances allow administrators to apply security policies to VLAN-like tenants in a non-VLAN environment. This type of tenancy is called a user domain. By logging on and providing a user ID, password, and domain name to a Vclass security appliance, an end user can access the Internet or use VPN policies defined for his or her specified domain. Creating user-domain tenant policies is an easy way to achieve multi-tenant application without the need for VLAN hardware. This is especially useful when tenants cannot be distinguished by different IP subnets.
NOTE
VLANs and VLAN Tenants are not supported in Transparent Mode.
About VLANs and tenants
VLANs have become increasingly popular for both corporate networks and service providers as a way of partitioning a network into discrete regions. VLANs can also be used to segregate a number of users who need to remain separate from one another.
The Firebox Vclass appliance permits you to use VLAN tags or IDs as part of the traffic specification in a policy, so that your appliance can route traffic to and from a VLAN segment by means of a VLAN switch. This permits bidirectional traffic from the VLAN segment to other segments, network regions, or to the Internet.
To assist network administrators in creating security policies for use in a VLAN-enabled environment, Vcontroller allows definitions of VLAN tenants, which can be used as part of the traffic specification in security policies. The VLAN tenant entry represents the VLAN ID embedded in a data stream packet that will be used by the VLAN switch.
Conceptually, security policies that incorporate the same VLAN object will be grouped into the same policy domain. Although Vcontroller does not require all policies with the same VLAN object to be grouped together in the Policy Manager security policy table, WatchGuard recommends that you do so for better policy management.
NOTE
The current line of Firebox Vclass appliances recognizes VLAN/802.1Q headers in data for routing purposes.
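The VLAN ID a tenant entry refers to is the 12-bit VID inside the 802.1Q tag of each frame. The following added example (not appliance code) parses that tag, treats the reserved values 0 and 4095 as not naming a VLAN, and looks up a tenant by VID. The frame builder, the MAC addresses and the tenant table are constructed for the illustration.

```python
"""Reading the IEEE 802.1Q tag from an Ethernet frame and mapping the VLAN
ID to a tenant. Added example, not appliance code: the frame builder, the
MAC addresses and the tenant table are constructed for the demonstration.
"""
import struct
from typing import Dict, Optional

ETHERTYPE_8021Q = 0x8100   # Tag Protocol Identifier of a single 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def valid_vlan_id(vid: int) -> bool:
    """Usable VLAN IDs are 1..4094: VID 0 means priority-tagged (no VLAN)
    and VID 4095 is reserved by the standard."""
    return 1 <= vid <= 4094


def parse_frame(frame: bytes) -> dict:
    """Return the addresses, the 802.1Q fields if present, and the payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "vlan_id": None, "priority": None}
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        info["priority"] = tci >> 13          # PCP, 3 bits
        info["vlan_id"] = tci & 0x0FFF        # VID, 12 bits (DEI bit ignored here)
        info["ethertype"] = inner_type
        info["payload"] = frame[18:]
    else:
        info["ethertype"] = ethertype
        info["payload"] = frame[14:]
    return info


def tenant_for_frame(tenants: Dict[int, str], frame: bytes) -> Optional[str]:
    """The VLAN tenant a policy would select for this frame, or None for an
    untagged, priority-tagged, reserved or unknown VLAN ID."""
    vid = parse_frame(frame)["vlan_id"]
    if vid is None or not valid_vlan_id(vid):
        return None
    return tenants.get(vid)


def build_tagged_frame(dst: bytes, src: bytes, vid: int, pcp: int,
                       inner_type: int, payload: bytes) -> bytes:
    """Constructed sample frame: Ethernet header + 802.1Q tag + payload."""
    if not 0 <= vid <= 4095 or not 0 <= pcp <= 7:
        raise ValueError("VID is 12 bits and PCP is 3 bits")
    tci = (pcp << 13) | vid
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, inner_type) + payload


# Constructed tenant table and frames (locally administered MAC addresses).
TENANTS = {100: "Tenant_A", 200: "Tenant_B"}
DST_MAC = bytes.fromhex("02000000aa01")
SRC_MAC = bytes.fromhex("02000000bb02")
PAYLOAD = b"\x45" + b"\x00" * 19      # placeholder bytes, not a real IPv4 packet

TAGGED_100 = build_tagged_frame(DST_MAC, SRC_MAC, 100, 3, ETHERTYPE_IPV4, PAYLOAD)
TAGGED_300 = build_tagged_frame(DST_MAC, SRC_MAC, 300, 0, ETHERTYPE_IPV4, PAYLOAD)  # no tenant
PRIORITY_ONLY = build_tagged_frame(DST_MAC, SRC_MAC, 0, 5, ETHERTYPE_IPV4, PAYLOAD)
UNTAGGED = DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + PAYLOAD

if __name__ == "__main__":
    for f in (TAGGED_100, TAGGED_300, PRIORITY_ONLY, UNTAGGED):
        print(parse_frame(f)["vlan_id"], "->", tenant_for_frame(TENANTS, f))
```

A frame whose VID is not in the tenant table selects no tenant, so a policy keyed on a tenant never applies to it; that is the behaviour to expect when a switch trunk carries a VLAN for which no tenant entry has been defined.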
User domain tenant authentication
Two types of tenant authentication can be applied in a user domain multi-tenant policy:
Manual authentication
The client user supplies three required entries by means of a Web browser form: a user name, a password, and a domain name.
Certificate-based authentication
A pre-installed VPN certificate automatically supplies the client user name and domain name.
The password must be manually entered by the user. This certificate must be imported by an IT administrator into the client system’s Web browser (which is required for all secure access).
After the three entries are supplied to the Firebox Vclass appliance, the appliance initiates a RADIUS system authentication request to check the user name and password. Note, however, that Firebox Vclass appliances cannot perform tenant authentication because they have no database for this purpose.
After a user domain tenancy is established for relevant users, and the RADIUS system is loaded with authentication data for the potential users, the actual network connections are managed in this manner:
• The user opens his or her browser and attempts to connect to the Firebox Vclass appliance.
• When the connection is made, a Login form appears in the browser.
• The user clicks in each of the three text entry fields and types the required information.
• The browser displays either a Confirmation message, indicating that the connection is complete and ready for use, or an Invalid Entry alert, allowing the user to try reentering his or her login information.
• The user can now perform any network tasks with this connection.
Defining tenants
To create VLAN tenants:
1 Click New next to the Tenant drop-down list.
The New Tenant dialog box appears.
2 In the Tenant Name and Description fields, type a name and brief description for the tenant. The Description field is optional.
3 In the Public Interface IP and Public Interface Mask fields, type the IP address and netmask of the public interface, or select the Use Default checkbox to use the default IP address and netmask.
The default address and netmask is the IP address and netmask of the Public port (Interface 1).
4 Click either VLAN or User Domain.
The dialog box refreshes and fields are displayed relevant to the VLAN or User Domain option enabled.
To configure the VLAN option:
1 Type the pre-assigned number (between 1 and 4094) that will identify this VLAN traffic in the VLAN ID field.
2 Select the interface that connects to the VLAN network from the Interface drop-down list.
3 In the VLAN IP field, type the IP address that is assigned to the interface on the specified VLAN network.
This IP address can also be used as a default gateway address for the devices on the specified VLAN network.
4 In the VLAN Mask field, type the mask associated with the VLAN IP address.
5 In the Gateway field, type the gateway IP address for traffic destined for the VLAN tenant.
If the destination of the packets that are forwarded to this VLAN tenant is not on the same subnet (as defined by VLAN IP and netmask), these packets will be forwarded to the default gateway.
The gateway IP address should be in the same subnet as the
VLAN IP. If you leave this field empty, routing will occur based on the routing table.
6 Click Done.
7 Repeat this process as needed to create additional VLAN tenant entries.
To configure the User Domain option:
1 In the Tenant ID field, type a number (5001 or higher) to identify this particular tenant’s traffic.
2 In the Idle Time Out field, type the number of minutes a tenant user’s connection can remain idle before it is automatically terminated.
3 In the RADIUS IP field, type the IP address of the RADIUS server.
4 In the RADIUS Secret field, type the password used by this Firebox to gain access to the RADIUS system. In the Confirm Secret field, retype the same RADIUS password.
5 If the RADIUS server is not using the default UDP port (shown in the RADIUS Port field), clear the Use Default checkbox. In the RADIUS Port field, type the correct port number.
6 In the Request Time Out field, type the number of seconds that determine when an unanswered authentication request to the RADIUS system will be dropped. Two seconds is the recommended value.
7 In the Request Retry field, type the number of retries that this appliance will make in requesting authentication from the RADIUS system if the initial attempts go unanswered.
8 In the Secondary RADIUS IP field, type the IP address of any available backup RADIUS server. This step is optional.
9 In the Secondary RADIUS Secret field, type the shared secret used by this Firebox with the backup RADIUS server. In the Confirm Secret field, retype the same secret. This step is optional.
10 If the Secondary RADIUS server is not using the default UDP port (shown in the Backup RADIUS Port field), clear the Use Default checkbox. In the Backup RADIUS Port field, type the correct port number. This step is optional.
11 Click Done.
12 Repeat the process as needed to create additional user-domain tenants.
Using the Firewall Options
A Firebox Vclass security appliance protects network assets by means of a firewall policy. This type of policy blocks unwanted traffic while permitting valid traffic to enter your network. For example, you can define a firewall policy to block all requests for a service such as FTP, while permitting authorized external traffic to a group of servers connected to interface 2 (DMZ).
You can define multiple firewall policies to work in conjunction with each other. For example, in addition to the policy described previously, you could define a separate policy that grants HTTP access to the Internet for internal users.
You can also define a firewall policy for internal traffic, to block internal network users from unauthorized Internet access, such as Web browsing.
Defining the firewall action
The firewall action is defined in the Actions page of the Insert Security Policy dialog box. To see and configure firewall actions, click the Actions tab.
Select one of the following options to define what you want the firewall to do with the traffic defined by the traffic specification.
Pass
Permits all qualifying external traffic through the firewall.
Block
Prevents all qualifying traffic from gaining access to your network.
Reject
Blocks incoming traffic from the source and sends a TCP reset message back to that source’s interface.
Proxy
Inserts a proxy action to provide content filtering.
When this is selected, you can select from the list of available proxy actions, create a new proxy action, or edit an existing proxy action. For more information on proxies, see “Using Proxies” on page 237. Remember to select a matching Service type (HTTP for the HTTP Client Proxy, or SMTP for the SMTP Incoming or Outgoing proxy).
Enable User Authentication (with Pass or Proxy)
Requires that internal users authenticate to the Firebox Vclass appliance before they are granted access through the firewall to external networks.
This option is available if you select Pass or Proxy as the action for the policy.
If you select the User Authentication option, you must create end user accounts for use by authorized users. For more instructions on using the User Authentication option, see “End-user accounts for authentication” on page 152.
Using Quality of Service (QoS)
In an extensive network with a large number of host computers, the volume of data moving through the Internet can be immense. When the traffic is more than the network can sustain, data packets are simply dropped as a result of congestion. In short, the network does not have enough bandwidth to deliver all the traffic when it enters the network. When severe network congestion occurs, all traffic is affected equally.
The Firebox Vclass security appliance offers Quality-of-Service (QoS) features that enable you to assign more bandwidth to your most valuable traffic.
The QoS features implemented in Firebox Vclass appliances are Weighted Fair Queuing (WFQ), Type of Service (TOS) marking, and port shaping.
The WFQ algorithm
This data queueing technique allows you to assign a relative bandwidth ratio for specific types of traffic by giving them different weights. For example, data exchanges between the corporate center and branch offices can be allotted a weight of 20 while Internet traffic is given a weight of 4. During periods of extreme network congestion, the traffic between HQ and branch offices will benefit from five times more bandwidth than that allowed to outbound Internet data.
TOS marking
This allows you to overwrite the TOS byte value in the IP header of qualified packets. Routers that recognize the TOS precedence/DTR bits, or that implement Differentiated Services Code Points (DSCP), can use these values to prioritize packets during routing.
Port shaping
This allows you to restrict the bandwidth of outgoing traffic directed through interface 0 or interface 1. Typically, interface 0 is connected to the private network with higher-capacity connections than interface 1, which is usually connected to the Internet through a lower-capacity T1 line. In such a case, packets in outgoing traffic are dropped due to the physical limitations of the internal-to-external connection. With port shaping, you can restrict the overall capacity of interface 1 to match the actual bandwidth of the physical connection. If a huge volume of traffic comes from the private network to interface 1, packets are transmitted according to the weight defined in a QoS policy action, with no unnecessary loss of packets.
Defining a QoS action
To define a QoS action:
1 Click New , next to the QoS Action drop-down list.
The New QoS Action dialog box appears.
2 In the Name and Description fields, type a name and brief description for the QoS action. The Description field is optional.
3 From the QoS Type drop-down list, select Weighted Fair Queue. This is the only selection available at this time.
4 In the Bandwidth Weight field, type the weight (1 to 100) you want to assign to qualifying data. The field is labelled as a percentage, but what matters is the ratio between the weights of competing policies: during periods of network congestion, traffic with a weight of 20 is given five times more bandwidth than traffic with a weight of 4.
5 Click Done.
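The weight ratio described above, worked as a small scheduler simulation. This is an added example and not WatchGuard code: the class names, the equal packet size and the virtual-finish-time scheduler are assumptions made for the example, but the share it produces is the 5:1 split the guide describes for weights 20 and 4.

```python
"""Weighted Fair Queuing (WFQ) share simulation.

Added example, not WatchGuard code. It models the behaviour the guide
describes: under severe congestion every traffic class is backlogged and a
class with weight 20 receives five times the bandwidth of a class with
weight 4. Class names, packet size and scheduler details are assumptions.
"""
import heapq
from collections import Counter

PACKET_SIZE = 1500  # bytes; assumption: every class sends equal-size packets


def bandwidth_share(weights):
    """Fraction of link capacity each class gets when all classes are backlogged.

    The dialog labels the weight a percentage, but only the ratio between
    weights matters: 20 and 4 give exactly the same split as 50 and 10.
    """
    if any(not 1 <= w <= 100 for w in weights.values()):
        raise ValueError("Bandwidth Weight must be between 1 and 100")
    total = sum(weights.values())
    return {name: w / total for name, w in weights.items()}


def simulate_wfq(weights, packets, size=PACKET_SIZE):
    """Return how many packets each backlogged class transmits in `packets` slots.

    Each class carries a virtual finish time that grows by size/weight per
    packet; the scheduler always transmits the head-of-line packet with the
    smallest finish time. Heavier classes advance their clock more slowly
    and are therefore picked more often, in proportion to their weight.
    """
    bandwidth_share(weights)  # validates the weights
    sent = Counter()
    heap = [(size / w, name) for name, w in weights.items()]  # (finish, class)
    heapq.heapify(heap)
    for _ in range(packets):
        finish, name = heapq.heappop(heap)
        sent[name] += 1
        heapq.heappush(heap, (finish + size / weights[name], name))
    return dict(sent)


if __name__ == "__main__":
    weights = {"hq_to_branch": 20, "internet": 4}  # the guide's example weights
    print(bandwidth_share(weights))   # hq_to_branch 0.8333..., internet 0.1666...
    print(simulate_wfq(weights, 24))  # {'hq_to_branch': 20, 'internet': 4}
```

Note that the ratio only applies while both classes are backlogged; a class that has nothing to send leaves its share to the others, which is the property that distinguishes WFQ from a hard bandwidth cap such as port shaping.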
Activating TOS marking
You can now activate and customize the TOS Marking values, which enables this policy to overwrite the TOS byte in the IP header of qualified incoming packets. Before doing so, make sure you know the direction of traffic that will be affected by this policy, so you can determine whether marking will be forward, reverse, or both.
To activate TOS marking:
1 Click TOS Marking .
The TOS Marking dialog box appears.
2 Click one of the following TOS marking options: TOS Precedence, TOS Precedence and DTR, or DiffServ CodePoint.
3 Click either Forward , Reverse , or both.
Forward
The policy will mark the packets that are transmitted in the same direction as this policy.
Reverse
The policy will mark packets sent in the reverse direction of this policy.
4 Depending on your TOS choice, a number of Bit fields become active. If TOS Precedence is your choice, the first three fields (0, 1, and 2) become active. If you selected either of the remaining TOS options, the first six fields–0 through 5–become active.
To toggle a particular field’s bit to ON, click the 0 in a field, which will automatically turn into a 1. To reverse this setting, click the 1 to restore it to 0.
5 Click Done .
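How the bit fields in the TOS Marking dialog map onto the IPv4 TOS byte, as an added example that is not WatchGuard code. Field 0 is the most significant bit, so fields 0 to 2 hold the IP precedence, fields 3 to 5 the DTR bits, and fields 0 to 5 together the DiffServ code point. The function names and the constructed sample packet are this example's own; the checksum update is what any device must do after rewriting a header byte.

```python
"""Build and apply a TOS byte the way the TOS Marking dialog does.

Added example, not WatchGuard code. The dialog exposes bit fields 0-5 of the
IPv4 TOS byte with field 0 as the most significant bit. The sample IPv4
header below is constructed for this example (RFC 5737 TEST-NET addresses).
"""
import struct


def tos_from_bitfields(fields):
    """Map the dialog's bit fields 0..5 (left to right) onto the TOS byte."""
    if len(fields) > 6 or any(b not in (0, 1) for b in fields):
        raise ValueError("at most six bit fields, each 0 or 1")
    tos = 0
    for index, bit in enumerate(fields):
        tos |= bit << (7 - index)   # field 0 -> bit 7 (MSB), field 5 -> bit 2
    return tos


def tos_from_precedence(precedence, delay=False, throughput=False, reliability=False):
    """TOS Precedence (0-7) plus the optional DTR bits."""
    if not 0 <= precedence <= 7:
        raise ValueError("precedence is a 3-bit value")
    return (precedence << 5) | (delay << 4) | (throughput << 3) | (reliability << 2)


def tos_from_dscp(dscp):
    """DiffServ code point (0-63) in the top six bits; the ECN bits stay clear."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    return dscp << 2


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum over the IPv4 header (0 means valid)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mark_tos(packet, tos):
    """Overwrite the TOS byte of an IPv4 packet and fix the header checksum.

    Returns a new bytes object; the input is not modified. Only IPv4 is
    handled, which is what the TOS Marking dialog applies to.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    header = bytearray(packet[:ihl])
    header[1] = tos
    header[10:12] = b"\x00\x00"   # zero the checksum before recomputing it
    struct.pack_into("!H", header, 10, ipv4_checksum(bytes(header)))
    return bytes(header) + packet[ihl:]


def build_ipv4(src, dst, tos=0, payload=b""):
    """Constructed sample packet: minimal 20-byte header, protocol TCP."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    header = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload),
                                   0x1C46, 0x4000, 64, 6, 0, src_b, dst_b))
    struct.pack_into("!H", header, 10, ipv4_checksum(bytes(header)))
    return bytes(header) + payload


if __name__ == "__main__":
    pkt = build_ipv4("192.0.2.10", "198.51.100.20", payload=b"x" * 8)
    ef = tos_from_bitfields([1, 0, 1, 1, 1, 0])   # DSCP 46 (EF) == 0xB8
    marked = mark_tos(pkt, ef)
    print(hex(marked[1]), ipv4_checksum(marked[:20]) == 0)   # 0xb8 True
```

The same bit pattern can be reached through all three dialog options (precedence 5 with D and T set is byte 0xB8, which is also DSCP 46), which is why the guide tells you to decide on Forward, Reverse, or both before marking: a mark applied in the wrong direction is silently honoured by every downstream router that trusts it.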
About NAT
Network address translation (NAT), also called IP masquerading (static port mappings are sometimes called port forwarding), takes IP addresses used on one network and translates them into IP addresses used within another network. You use NAT to hide network addresses from hosts on another network. Hosts elsewhere only see outgoing packets from the Firebox Vclass appliance itself. You can improve security by mapping inside (private or trusted) addresses to outside (public or optional) addresses. Using NAT also conserves the number of global IP addresses your company needs. More importantly, with NAT you can use a single public IP address for all outgoing and incoming communication, which keeps your trusted addresses hidden.
Static NAT
You may have situations in which you want a subnet, a server, or a group of users to be associated with a different IP address than the one actually assigned to them. Whether you want to maintain privacy for a number of client users or hide internal assets from external view, you can do so with static network address translation (static NAT).
The most important parameters necessary for creation of a static NAT policy are:
• The internal IP address of the private network asset/ client
• The external IP address to which this internal device’s IP address will be mapped
You can apply one-to-one, many-to-many, or subnet-to-subnet static NAT policies to qualifying traffic. All types of static NAT action are described in this section.
Before you proceed, you should be aware of the following constraints on static NAT policies as applied by a Firebox Vclass appliance:
• Static NAT policies are limited in that they can translate only IP addresses.
• Static NAT policies do not support VIP load balancing.
• If a VPN policy includes a static NAT action, the peer tunnel IP address cited in the IPSec action must be the primary interface 0 IP address, not any of the secondary addresses assigned to this interface.
• If IP addresses that are to be mapped are not in the same subnet as interface 1 (Public), proper routing must be configured to ensure that traffic to these mapped IP addresses is routed to interface 1 of this appliance.
Dynamic NAT
If you have a number of employees or other private network users whose client computers have been assigned IP addresses for internal use, you can grant all of them full access to the Internet using dynamic Network Address Translation (dynamic NAT).
You can insert policies into a Firebox Vclass security appliance that apply dynamic NAT to qualified traffic in the following ways:
Public IP
This action substitutes the IP address of the 1 (Public) interface on the appliance for all internal-use IP addresses. This allows internal users to gain one-way access to the Internet using the IP address of the appliance’s Public interface.
User assigned IP
This action substitutes a publicly routable IP address of your choosing for internal-use IP addresses. This option is particularly useful if this appliance will be managing more than 55,000 simultaneous sessions using the IP address of the Public interface.
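Static and dynamic NAT as translation tables, an added example that is not Vclass code. The static part maps an internal address group onto an external group of the same size by preserving host bits (one-to-one being the /32 case); the dynamic part shows why a single public address bounds the number of simultaneous sessions, which is the reason behind the user-assigned IP option above. The port range, the session keys and the sample addresses (RFC 1918 and RFC 5737 ranges) are assumptions.

```python
"""Static and dynamic NAT translation tables.

Added example, not Vclass code. static_nat() maps an internal address group
onto an external one by preserving host bits; DynamicNat hands every
outbound session its own public (address, port) pair, so one public address
can carry at most len(PORTS) sessions. Ranges and addresses are assumptions.
"""
import ipaddress


def static_nat(internal_net, external_net):
    """Return (forward, reverse) translators for a static NAT mapping."""
    inside = ipaddress.ip_network(internal_net)
    outside = ipaddress.ip_network(external_net)
    if inside.prefixlen != outside.prefixlen:
        raise ValueError("internal and external groups must be the same size")

    def _shift(addr, src_net, dst_net):
        a = ipaddress.ip_address(addr)
        if a not in src_net:
            raise ValueError(f"{a} is not in {src_net}")
        # keep the host part, swap the network part
        return str(dst_net.network_address + (int(a) - int(src_net.network_address)))

    forward = lambda addr: _shift(addr, inside, outside)   # inside -> outside
    reverse = lambda addr: _shift(addr, outside, inside)   # outside -> inside
    return forward, reverse


class DynamicNat:
    """Many-to-one (or many-to-few) dynamic NAT with a port pool per public IP."""

    PORTS = range(1024, 65536)   # assumption: public source ports handed out per session

    def __init__(self, public_ips):
        self.pools = {ip: list(self.PORTS) for ip in public_ips}
        self.sessions = {}   # (src_ip, src_port, dst_ip, dst_port) -> (pub_ip, pub_port)
        self.reverse = {}    # (pub_ip, pub_port, dst_ip, dst_port) -> (src_ip, src_port)

    @property
    def capacity(self):
        """Simultaneous sessions the configured public addresses can carry."""
        return len(self.PORTS) * len(self.pools)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an internal source; reuse the entry for an existing session."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.sessions:
            return self.sessions[key]
        for pub_ip, free in self.pools.items():
            if free:
                pub_port = free.pop()
                self.sessions[key] = (pub_ip, pub_port)
                self.reverse[(pub_ip, pub_port, dst_ip, dst_port)] = (src_ip, src_port)
                return pub_ip, pub_port
        raise RuntimeError("dynamic NAT table full: add a user-assigned public IP")

    def inbound(self, pub_ip, pub_port, remote_ip, remote_port):
        """Translate a reply. Unsolicited inbound packets have no entry: None."""
        return self.reverse.get((pub_ip, pub_port, remote_ip, remote_port))

    def close(self, src_ip, src_port, dst_ip, dst_port):
        """Tear down a session and return its public port to the pool."""
        pub_ip, pub_port = self.sessions.pop((src_ip, src_port, dst_ip, dst_port))
        del self.reverse[(pub_ip, pub_port, dst_ip, dst_port)]
        self.pools[pub_ip].append(pub_port)


if __name__ == "__main__":
    fwd, rev = static_nat("10.1.1.0/24", "198.51.100.0/24")
    print(fwd("10.1.1.7"), rev("198.51.100.7"))    # 198.51.100.7 10.1.1.7
    nat = DynamicNat(["203.0.113.1"])
    print(nat.capacity)                            # 64512
    print(nat.outbound("10.1.1.7", 40000, "198.51.100.9", 80))
```

The static mapping is reversible, which is exactly why the guide warns that traffic for the mapped external addresses must be routed to interface 1: the appliance can only translate packets that reach it. The dynamic table is one-way, so an inbound packet that matches no session entry is simply dropped.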
About Load Balancing
As an efficient traffic management scheme, load balancing enables you to distribute incoming data requests to an array of servers. Additionally, you can fine-tune the distribution, directing a percentage of the overall traffic to specific servers according to the capacity of those devices.
With Vcontroller and a security appliance, you can create a policy that lists each server and assigns it a percentage of total requests (its weight, based on its capacity in comparison to the other servers). After you apply this policy to your network traffic, your Firebox Vclass security appliance distributes new data requests among the listed servers according to the algorithm you select.
Load balancing also makes use of a virtual IP address (a form of network address translation), to which all requests are directed, and through which the security appliance will distribute the overall load. All load balancing policies must use the Public interface of the Firebox Vclass appliance.
Defining a NAT Action
To create a Dynamic NAT action using a Public IP address:
• Select Dynamic NAT from the NAT/Load Balancing drop-down list. This automatically establishes the IP address of interface 1 (Public) of the Firebox Vclass appliance as the translation address.
To create a Dynamic NAT action using a user-defined IP address:
1 Select either 0 (Private), 2 (DMZ), or 3 (DMZ2) from the Incoming Interface drop-down list.
You cannot apply dynamic NAT to traffic arriving on interface 1 (Public).
2 If a VLAN or user domain tenant is affected by this action, select the appropriate entry from the Tenant drop-down list.
3 Select Dynamic NAT from the NAT/Load Balancing drop-down list.
4 Click New from the right of the NAT/Load Balancing drop-down list.
The New Load Balancing/NAT Action dialog box appears.
5 In the Name and Description fields, type a name and brief description for the dynamic NAT action. The Description field is optional.
6 Select Dynamic NAT from the NAT Type drop-down list.
7 Click New .
The New Mapping dialog box appears.
8 Type the publicly routable IP address in the IP Address field.
9 Click Done to close the New Mapping dialog box and return to the New Load Balancing/NAT Action dialog box.
10 Click Done to close the New Load Balancing/NAT Action dialog box.
To configure a Static NAT action:
1 Click New from the right of the NAT/Load Balancing drop-down list.
The New Load Balancing/NAT Action dialog box appears.
2 In the Name and Description fields, type a name and brief description for the static NAT action. The Description field is optional.
3 Select Static NAT from the NAT Type drop-down list.
4 Click New .
The New Mapping dialog box appears.
5 Select an address group from the External Address Group and Internal Address Group drop-down lists.
6 If you have not yet created an address group for the external or internal address, click New .
For information on creating an address group, see “Defining an address group” on page 180.
7 Click Done to close the New Mapping dialog box and return to the New Load Balancing/NAT dialog box.
The new mapping entry is displayed.
8 Click Done .
Defining a Load-Balancing Action
To define a load-balancing action:
1 Click New .
The New Load Balancing/NAT Action dialog box appears.
2 In the Name and Description fields, type a name and brief description for the load balancing action. The Description field is optional.
3 Select Virtual IP from the NAT Type drop-down list.
4 Select one of the following options from the Load Balancing Algorithm drop-down list:
Round Robin
New connections are handed to the servers in turn; every server is treated equally.
Weighted Round Robin
Servers take turns, but each receives a share of new connections in proportion to the weight you assign it.
Random
Each new connection is sent to a randomly chosen server.
Weighted Random
Servers are chosen at random, with the probability of each choice proportional to the weight assigned for that server’s capacity.
Least Connection
Each new connection is sent to the server that currently has the fewest active connections.
Weighted Least Connection
Each new connection is sent to the server with the fewest active connections relative to its assigned weight.
If you chose Weighted Round Robin , Weighted Random , or Weighted Least Connection from the Load Balancing drop-down list, you can assign specific weights to particular IP addresses or address groups.
To assign weights:
1 Click New .
The New Mapping dialog box appears and the Weight field is active.
2 Choose one of these options and follow these instructions:
Address Group
Select an option from the drop-down list.
IP Address
Type the IP address of a server in this field.
3 In the Port field, type a port number.
4 Type the number that represents the percentage of load you want to direct to this server in the Weight field.
The percentages should be related to the total number of servers and their individual capacities.
5 Click Done .
6 Repeat this process as needed to distribute traffic loads to other servers.
Up to 16 servers can be included in a single load-balancing policy.
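The six algorithms as selection functions, added here as an example that is not Vcontroller code. The 16-server cap comes from the guide; the smooth weighted round-robin variant, the connection bookkeeping and the seeded random generator are this example's assumptions.

```python
"""The six Vclass load-balancing algorithms as selection functions.

Added example, not Vcontroller code. Each method returns the (ip, port)
server that should receive the next new connection. Weights carry the
dialog's meaning (share of load per server). The smooth weighted round
robin, the connection bookkeeping and the seeded RNG are assumptions.
"""
import random

MAX_SERVERS = 16   # per load-balancing policy, per the guide


class LoadBalancer:
    def __init__(self, servers, seed=None):
        """servers: {(ip, port): weight}; insertion order drives round robin."""
        if not 0 < len(servers) <= MAX_SERVERS:
            raise ValueError(f"a policy takes 1 to {MAX_SERVERS} servers")
        if any(w <= 0 for w in servers.values()):
            raise ValueError("weights must be positive")
        self.servers = dict(servers)
        self.active = {s: 0 for s in servers}     # open connections per server
        self._rr = 0                              # round-robin cursor
        self._credit = {s: 0 for s in servers}    # smooth weighted round-robin state
        self._rng = random.Random(seed)

    def round_robin(self):
        order = list(self.servers)
        server = order[self._rr % len(order)]
        self._rr += 1
        return server

    def weighted_round_robin(self):
        # Smooth WRR: every server earns its weight, the richest one is picked
        # and pays the total, so picks interleave instead of bursting.
        total = sum(self.servers.values())
        for s, w in self.servers.items():
            self._credit[s] += w
        server = max(self.servers, key=lambda s: self._credit[s])
        self._credit[server] -= total
        return server

    def random_choice(self):
        return self._rng.choice(list(self.servers))

    def weighted_random(self):
        return self._rng.choices(list(self.servers),
                                 weights=list(self.servers.values()))[0]

    def least_connection(self):
        return min(self.servers, key=lambda s: self.active[s])

    def weighted_least_connection(self):
        # Fewest connections relative to capacity: weight 4 with 2 connections
        # is less loaded than weight 1 with 1 connection.
        return min(self.servers, key=lambda s: self.active[s] / self.servers[s])

    def connect(self, server):
        self.active[server] += 1

    def disconnect(self, server):
        if self.active[server] == 0:
            raise ValueError("no open connection on that server")
        self.active[server] -= 1


if __name__ == "__main__":
    web = {("10.0.0.1", 80): 3, ("10.0.0.2", 80): 1}   # constructed DMZ servers
    lb = LoadBalancer(web, seed=7)
    print([lb.weighted_round_robin() for _ in range(4)])   # A, A, B, A
```

The connection-based algorithms only work if the balancer is told when sessions end, which is why `connect` and `disconnect` are part of the interface: without that bookkeeping, "least connection" degrades to round robin on whichever server happened to be counted first.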
7 When you are finished, click Done to close the New Load Balancing/NAT Action dialog box.
Using Policy Schedules
After a policy is defined and applied, it is in effect immediately, 24 hours a day, seven days a week. However, you can modify a policy such that it is active only during specific times of the day or certain days of the week. For any given day in a week, you can choose up to four periods during which a policy will be active. Outside of those periods, the Firebox Vclass appliance will not apply the policy. Schedules can be formulated within a policy while you create it, or created separately and applied to an existing policy.
Defining a Schedule
To define a schedule:
1 Click New.
The New Schedule dialog box appears.
2 In the Name and Description fields, type a name and brief description for the schedule. The Description field is optional.
3 If you do not want the policy scheduler to make use of these schedules right away, clear the Enable Scheduler checkbox. You can reopen this schedule and reactivate the Scheduler at a later time.
To create weekly schedules:
1 Select Weekly .
2 Select the appropriate day you want to schedule.
3 Click Edit Day Schedule .
The Edit (Day) Schedule dialog box appears.
4 Select the Period 1 checkbox.
5 Type the values in the From and To fields, or use the arrow buttons to adjust the values.
NOTE
Remember to type afternoon and evening hours in military time. For example, 1:00 PM must be entered as 13:00.
6 Repeat this process for the remaining periods, as needed.
7 Click Done .
8 Repeat this process until a complete week’s schedule has been recorded.
9 Click Done .
If you want to create a daily schedule that affects every day of the week:
1 Select Daily .
2 Click Edit Day Schedule .
The Edit Day Schedule dialog box appears.
3 Select the Period 1 checkbox.
4 Type the values in the From and To fields, or use the arrow buttons to adjust the values.
NOTE
Remember to type afternoon and evening hours in military time. For example, 1:00 PM must be entered as 13:00.
5 Repeat this process for the remaining periods, as needed.
6 Click Done to close the Edit Day Schedule dialog box and return to the New Schedule dialog box.
7 Click Done .
Using the Advanced Settings
Use the advanced policy settings to choose global or per-policy handling of ICMP error messages, and to enable per-policy logging and per-policy TCP MSS adjustment.
To configure the advanced settings:
1 Click Advanced .
The Advanced Policy Settings dialog box appears.
2 Click one of the following options:
Use Global Settings
Selecting this option enables the ICMP error handling global policy settings configured using the System Configuration button. For more information, see “Advanced Configuration” on page 129.
Use Per-Policy Settings
Selecting this option allows you to define ICMP error handling parameters particularly for this security policy, effectively overriding any global settings you may have configured. Click one of the following options: Allow All ICMP Errors or Allow Specified ICMP Errors. Selecting the latter allows you to define which ICMP error messages will be allowed through the Firebox Vclass appliance.
3 Click the Log tab.
4 To enable the Firebox Vclass appliance to log for this particular security policy, click Enable Per-policy Log. The traffic log setting must also be enabled. For more information on configuring logging, see “Log Settings”.
5 Click the MSS tab.
6 To enable per-policy TCP MSS (Maximum Segment Size), click Use Per-policy Settings.
This feature works in conjunction with the MTU settings, but on a per-policy basis, to limit the size of TCP segments. It addresses the following problems:
• Oversized packets result in fragmentation, degrading VPN performance.
• Proxies may require MSS adjustment to prevent fragmentation.
• Some older systems cannot use the MTU to regulate packet size. This feature works along with MTU; it does not replace MTU.
The following settings are available:
Auto Adjustment
Auto adjustment calculates the MSS automatically, as follows:
- Take the lesser of the input port MTU and the output port MTU.
- Subtract packet overhead, including the IP and TCP headers and any VLAN, ESP, PPPoE, AH, and UDP encapsulation.
- Round the result down to the next lower multiple of 8 bits (8-bit aligned) to obtain the segment size in bytes.
The result of this calculation is used as the MSS for the connection.
Limit to N Bytes (40-1460)
This limits MSS to the specified size in bytes.
No Adjustment
This specifies that no change be made to the TCP header. In this case, fragmentation can happen.
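The three MSS modes in code, added as an example that is not Vclass code. auto_mss() follows the guide's three steps; the overhead constants (the ESP figure is a worst case for AES-CBC with a 96-bit ICV) and the optional 8-byte rounding are assumptions. clamp_mss() rewrites the MSS option in a SYN's TCP options, which is the operation a per-policy MSS setting performs on the packets it matches; the sample options are constructed.

```python
"""Per-policy TCP MSS adjustment: the Auto, Limit and No Adjustment modes.

Added example, not Vclass code. Overhead constants, the optional alignment
and the sample TCP options are assumptions made for this example.
"""
import struct

OVERHEAD = {  # bytes per encapsulation; assumptions for this example
    "ip": 20, "tcp": 20, "vlan": 4, "pppoe": 8, "udp": 8, "ah": 24, "esp": 56,
}
MSS_MIN, MSS_MAX = 40, 1460   # range the "Limit to N Bytes" field accepts


def auto_mss(mtu_in, mtu_out, encapsulations=(), align=1):
    """Auto Adjustment: lesser MTU minus overhead, rounded down to `align` bytes.

    A byte count is always 8-bit aligned, so the default applies no rounding;
    pass align=8 if your platform also rounds the segment to an 8-byte boundary.
    """
    mss = min(mtu_in, mtu_out) - OVERHEAD["ip"] - OVERHEAD["tcp"]
    for name in encapsulations:
        mss -= OVERHEAD[name]
    mss -= mss % align
    if mss < MSS_MIN:
        raise ValueError("MTU too small for the configured encapsulations")
    return mss


def limit_mss(n):
    """Limit to N Bytes: validate the way the dialog does."""
    if not MSS_MIN <= n <= MSS_MAX:
        raise ValueError(f"MSS limit must be {MSS_MIN}-{MSS_MAX}")
    return n


def clamp_mss(tcp_options, limit):
    """Return TCP options with any MSS above `limit` lowered to it.

    limit=None is the No Adjustment mode: the options come back unchanged
    and fragmentation downstream becomes possible.
    """
    if limit is None:
        return tcp_options
    out = bytearray(tcp_options)
    i = 0
    while i < len(out):
        kind = out[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP, single byte
            i += 1
            continue
        if i + 1 >= len(out) or out[i + 1] < 2 or i + out[i + 1] > len(out):
            raise ValueError("malformed TCP option at offset %d" % i)
        length = out[i + 1]
        if kind == 2 and length == 4:   # MSS option: kind, len, 16-bit value
            (mss,) = struct.unpack_from("!H", out, i + 2)
            if mss > limit:
                struct.pack_into("!H", out, i + 2, limit)
        i += length
    return bytes(out)


if __name__ == "__main__":
    print(auto_mss(1500, 1500))                   # 1460
    print(auto_mss(1500, 1500, ("vlan", "esp")))  # 1400
    syn_opts = bytes.fromhex("020405b4010303070402")  # MSS 1460, NOP, WS 7, SACK-OK
    print(clamp_mss(syn_opts, auto_mss(1500, 1500, ("vlan", "esp"))).hex())
```

Clamping only helps for TCP: UDP and ICMP carry no segment size to negotiate, so for those the MTU settings remain the only control, which is what the guide means by "works along with MTU".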
7 When you have finished, click Done .
CHAPTER 9
Security Policy Examples
This chapter includes examples of Vclass Firewall policies, VLAN policies, Quality of Service policies, NAT policies, and Load Balancing policies. You can use these policies as a guide when designing your system security policies.
Firewall Policy Examples
The following sections describe different types of networks and how to create firewall policies to meet their security objectives.
Example 1: Allowing Internet access
Westchester Inc. has a small branch office with a limited number of publicly routable IP addresses. This office requires a simple set of firewall policies that allows users to access the Internet while protecting the network from external traffic.
The following illustration shows the internal, private network (with private IP addresses assigned to the three computers) as connected to the Private interface of the Firebox Vclass appliance. This interface has its own IP address, and the Public interface (through which all communications with the external networks are routed) has a separate IP address.
You can meet Westchester’s requirements by doing the following:
1 Create two firewall policies with these parameters:
#  Name           Src  Dst  Srvc  Intrfc  Action  NAT/LB
1  Allow_Private  ANY  ANY  ANY   0       Pass    DYNAMIC_NAT
2  Deny_Public    ANY  ANY  ANY   1       Block
2 Have all the users in the private network reconfigure their computers’ default gateway to the IP address of the Private interface on the Firebox Vclass appliance.
Note that Dynamic NAT is applicable only to firewall policies for outgoing traffic.
Example 2: Restricting Internet access
Stillbrook Corporation has a branch office similar to that in example 1: it has a limited number of public IP addresses.
However, this company also wants to set the following restrictions on how internal users access the Internet:
• No web surfing (HTTP traffic) during office hours
• Only Web services and email traffic are passed by the Firebox Vclass appliance to the Internet
This example uses the firewall policies created in Example 1. Dynamic NAT provides Internet access for internal users, while another policy protects the private network from external users.
This network also requires two new policies. The first additional policy denies HTTP traffic from the private network using a schedule such that the policy action takes effect only from 9am to 5pm. The second new policy uses the same traffic specifications but passes all HTTP traffic (using dynamic NAT) without any schedule restrictions.
NOTE
If you create a security policy that applies an action according to a schedule, it is a good practice to create an exact duplicate of that policy, with the opposite firewall action and without a schedule, listed immediately following the scheduled policy. Having such a pair of policies ensures that the same traffic is handled as intended after the specified schedule expires.
1 Using the Insert Security Policy dialog box, set up the following policies, one at a time.
#  Name          Src  Dest  Service  In  Firewall  NAT/LB  Schd
1  Deny_HTTP     ANY  ANY   HTTP     0   Block     DNAT    9to5 M-F
2  Allow_HTTP    ANY  ANY   HTTP     0   Pass      DNAT
3  Allow_        ANY  ANY   POP3     0   Pass      DNAT
4  Deny_Private  ANY  ANY   ANY      0   Block
5  Deny_Public   ANY  ANY   ANY      1   Block
2 Create a schedule with these parameters:
NAME: 9 to 5, Monday - Friday
DESCRIPTION: Schedule for 9:00am - 5:00pm, Monday - Friday
ENABLE SCHEDULER: Checked
TYPE: Weekly
DAYS/HOURS: Monday - Friday, From 9:00 To 17:00
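The scheduled/unscheduled pair from this example and the weekly schedule rules from “Using Policy Schedules”, evaluated in code. This is an added example, not Vcontroller code: it applies first-match evaluation to the Example 2 policy list; the POP3 policy's name, the half-open From/To period semantics, the default deny when nothing matches and the sample flows (RFC 1918 and RFC 5737 addresses) are assumptions.

```python
"""First-match firewall policy evaluation with weekly schedules.

Added example, not Vcontroller code. Models the Example 2 policy list: a
scheduled Deny_HTTP immediately followed by an unscheduled Allow_HTTP, so
HTTP from the private interface is blocked 9:00-17:00 Monday-Friday and
passed at every other time. Names, period semantics and flows are assumed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")


def _minutes(hhmm):
    """'13:00' -> 780. The dialog wants 24-hour (military) time."""
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


class Schedule:
    """Weekly schedule with at most four From/To periods per day."""

    def __init__(self, name, periods, enabled=True):
        self.name, self.enabled = name, enabled
        self.periods = {}
        for day, spans in periods.items():
            if day not in DAYS:
                raise ValueError(f"unknown day {day!r}")
            if len(spans) > 4:
                raise ValueError(f"{day}: at most four periods per day")
            self.periods[day] = [(_minutes(a), _minutes(b)) for a, b in spans]

    def active(self, when):
        # Assumption: a schedule whose scheduler is disabled leaves the
        # policy in effect around the clock. Periods are [From, To).
        if not self.enabled:
            return True
        now = when.hour * 60 + when.minute
        return any(a <= now < b for a, b in self.periods.get(DAYS[when.weekday()], []))


@dataclass
class Policy:
    name: str
    src: str
    dst: str
    service: str
    interface: int
    action: str                       # "Pass", "Block", "Reject" or "Proxy"
    schedule: Optional[Schedule] = None

    def matches(self, flow):
        return (self.interface == flow["interface"]
                and self.src in ("ANY", flow["src"])
                and self.dst in ("ANY", flow["dst"])
                and self.service in ("ANY", flow["service"]))


def evaluate(policies, flow, when):
    """(action, policy name) of the first active policy matching `flow`.

    `when` is a datetime or an ISO string such as '2003-06-10T10:00'.
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    for p in policies:
        if p.matches(flow) and (p.schedule is None or p.schedule.active(when)):
            return p.action, p.name
    return "Block", None          # assumption: nothing matched, default deny


def unpaired_scheduled(policies):
    """Scheduled policies not immediately followed by the same traffic spec
    without a schedule, the safety pair the guide recommends."""
    names = []
    for i, p in enumerate(policies):
        if p.schedule is None:
            continue
        nxt = policies[i + 1] if i + 1 < len(policies) else None
        paired = nxt is not None and nxt.schedule is None and (
            nxt.src, nxt.dst, nxt.service, nxt.interface
        ) == (p.src, p.dst, p.service, p.interface)
        if not paired:
            names.append(p.name)
    return names


OFFICE_HOURS = Schedule("9to5 M-F", {d: [("9:00", "17:00")] for d in DAYS[:5]})
POLICIES = [   # Example 2, in the order it must appear in the Policies table
    Policy("Deny_HTTP", "ANY", "ANY", "HTTP", 0, "Block", OFFICE_HOURS),
    Policy("Allow_HTTP", "ANY", "ANY", "HTTP", 0, "Pass"),
    Policy("Allow_POP3", "ANY", "ANY", "POP3", 0, "Pass"),   # name assumed
    Policy("Deny_Private", "ANY", "ANY", "ANY", 0, "Block"),
    Policy("Deny_Public", "ANY", "ANY", "ANY", 1, "Block"),
]

if __name__ == "__main__":
    web = {"src": "192.168.1.10", "dst": "198.51.100.5", "service": "HTTP", "interface": 0}
    print(evaluate(POLICIES, web, "2003-06-10T10:00"))   # ('Block', 'Deny_HTTP')
    print(evaluate(POLICIES, web, "2003-06-10T20:00"))   # ('Pass', 'Allow_HTTP')
    print(unpaired_scheduled(POLICIES))                  # []
```

Run `unpaired_scheduled` over a policy list before applying it: a scheduled Block that is not followed by its unscheduled Pass twin falls through to whatever catch-all comes next, and in this example that is Deny_Private, so HTTP would stay blocked outside office hours as well.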
Example 3: Allowing unlimited access for authorized users
Chambers Enterprises, like the company in the previous example, wants to block Internet access during working hours. However, it wants to make exceptions for certain authorized users.
To achieve this, you would make use of the user-authentication firewall feature and replace the “Deny_HTTP” policy with a scheduled “Allow_User” policy. When this revised policy is in effect (during office hours), only authorized users are allowed to gain external access. Unauthorized users are still blocked.
1 Use the Account Manager to create end-user access accounts for each individual to be allowed Internet access during working hours.
2 Distribute login IDs, passwords, and connection instructions to these users so that they can connect through the firewall.
3 Create an “Allow_User” firewall policy using the parameters shown below. The complete policy list then reads:
Name          Src  Dest  Service  In  Firewall           NAT/LB       Schd
Allow_User    ANY  ANY   HTTP     0   Pass/Authenticate  Dynamic NAT  9to5 M-F
Allow_HTTP    ANY  ANY   HTTP     0   Pass               Dynamic NAT
Allow_        ANY  ANY   POP3     0   Pass               Dynamic NAT
Deny_Private  ANY  ANY   ANY      0   Block
Deny_Public   ANY  ANY   ANY      1   Block
4 Add the “9to5M-F” schedule from Example 2 to the “Allow_User” policy so that it takes effect only between 9am and 5pm, Monday through Friday. This leaves the “Allow_HTTP” policy active outside the specified office hours, at which time all users can surf the Internet.
5 Before this group of authorized users can access the Internet, they must first authenticate their access request so that they can proceed through the firewall. They would do so by entering the following URL in their Web browser: https://126.20.20.1/user.html
In this URL, the “126.20.20.1” entry represents the IP address of interface 0.
Example 4: Allowing communication between branch offices
Appleby Incorporated has two branch offices, each with a separate Firebox Vclass appliance. These branch offices need separate sets of firewall policies to enable all users in the offices to communicate with the other branch office.
To achieve such control over inter-branch traffic, you must create policies on both Firebox Vclass appliances. The following figure illustrates this situation.
A separate policy must be created on each Firebox Vclass appliance so that the users in the private net of the first branch office can access the computers in the private network of the second branch office. The policy on Firebox Vclass appliance 1 specifies the traffic coming in from the private interface, while the policy on Firebox Vclass appliance 2 specifies the traffic coming in from the public interface. Also note that the source, destination, and service have to be exactly the same in both policies.
1 Configure all computers in Branch 1 to use the Private interface of Firebox Vclass appliance 1 as the default gateway.
2 Configure all computers in Branch 2 to use the Private interface of Firebox Vclass appliance 2 as the default gateway.
3 Create two separate address groups to represent the computers in each branch office, using the following entries in the New Address Group dialog box:
Address Group 1:
Name: Branch_1, Member type: IP Network, Addresses: 128.100.1.0, Subnet mask: 255.255.255.0
Address Group 2:
Name: Branch_2, Member type: IP Network, Addresses: 176.14.1.0, Subnet mask: 255.255.255.0
4 Create the following policy on Appliance 1:
Name         Src       Dest      Service  In  Firewall
Branch_1to2  Branch_1  Branch_2  ANY      0   Pass
5 Create the following policy on Appliance 2:
Name         Src       Dest      Service  In  Firewall
Branch_1to2  Branch_1  Branch_2  ANY      1   Pass
6 If you want to allow the users in the private network of the branch 2 office to access the computers in the private network of the branch 1 office, create one more policy on each appliance to permit such traffic. The final list of policies used by the appliances should look like this:
Policies on Appliance 1
Name         Src       Dest      Service  Incoming  Firewall
Bran­ch_1to2  Branch_1  Branch_2  ANY      0         Pass
Branch_2to1  Branch_2  Branch_1  ANY      1         Pass
Policies on Appliance 2
Name         Src       Dest      Service  Incoming  Firewall
Branch_1to2  Branch_1  Branch_2  ANY      1         Pass
Branch_2to1  Branch_2  Branch_1  ANY      0         Pass
Example 5: Defining policies for an ISP
ConnectYouUp.com is an ISP whose firewall must protect all internal private network assets while permitting subscribers to reach servers in a DMZ, read and send email, surf the Internet, and use FTP services.
In such a network environment, you may want to create a number of complementary policies that permit access by certain users to a limited set of assets (servers), while permitting free external access to all internal users.
1 Open the System Configuration dialog box and use the Route tab features to add a new route to the appliance. The new route is the default route, whose gateway is the remote access server/router:
Destination  Net Mask  Gateway      Interface  Metric
0.0.0.0      0.0.0.0   128.100.0.1  1          1
2 Reconfigure all of the computers in the private network to use a default gateway corresponding to interface 0 of the Firebox Vclass appliance. In this example, the gateway is 126.20.20.1.
3 Create three separate policies, permitting access to different servers in the DMZ network.
4 Define an email service for the DMZ interface, enabling subscribers to send email.
5 Create a policy to allow all employees on the Private interface to access the Internet.
When you have finished, the complete set of policies should resemble this list, and be listed in exactly this order in the Policies table:
Name                    Src           Dest          Srvc   In  Action
Allow_Public_Webserver  ANY           127.10.10.4*  HTTP   1   Pass
Allow_Subscribers_      ANY           127.10.10.3*  Email  1   Pass
Allow_DMZ_SendMail      127.10.10.3*  ANY           Email  2   Pass
Allow_Subscribers_FTP   ANY           127.10.10.2*  FTP    1   Pass
Allow_Outbound          ANY           ANY           ANY    0   Pass
NOTE
The entries marked * are shown here as IP addresses. You must define a separate address group entry for each of them.
Example 6: Controlling access at corporate headquarters
Lubec Corporation wants to augment an existing corporate firewall to provide the following access controls:
• Only authorized internal network users can surf the Internet during working hours. All other users have access only during non-work hours.
• All other types of Internet connections are permitted.
• Everyone from the outside world can send email to the Mail server (accessible through interface 2).
1 Open the System Configuration dialog box and use the Route tab features to add a new route to the appliance. The new route is the default route, whose gateway is the remote access server:
Destination  Netmask  Gateway      Interface  Metric
0.0.0.0      0.0.0.0  128.100.0.1  1          1
2 All of the computers in the private network must be reconfigured with a default gateway that represents the Private interface of the Firebox Vclass appliance, which in the example is 126.20.20.1.
3 Create a new address group that represents the subnet connected to the private interface of the Firebox Vclass appliance, using these specifications.
Address group 1
Name: HQ
Member type: IP Network Addresses
Address: 126.20.20.0
Subnet mask: 255.255.255.0
4 Create a schedule called “9to5M-F”, as described in “Example 2: Restricting Internet access” on page 212.
5 Create the necessary end-user accounts for all of the authorized users, as described in “Example 3: Allowing unlimited access for authorized users” on page 214.
6 Create the following security policies in the exact order shown. Note that the user-authenticated firewall policy (the first one to be created) will apply policy actions only to authorized users, while blocking all unauthorized users who are sources of the same type of traffic.
   Name               Src  Dest         Service  In  Firewall           Schd
1  Allow_User_http    HQ   ANY          HTTP     0   Pass/Authenticate  9to5 M-F
2  Allow_All_HTTP     HQ   ANY          HTTP     0   Pass
3  Allow_Private_Any  ANY  ANY          ANY      0   Pass
4  Allow_Public_      ANY  127.10.10.3  ANY      1   Pass
5  Deny_Public        ANY  ANY          ANY      1   Block
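The order in step 6 matters because the appliance stops at the first policy that matches. The following Python model is added here and is not part of the guide; it walks the step 6 table top to bottom with the semantics the text describes. The group name Mail_Server for 127.10.10.3, the schedule hours, the default deny when nothing matches, and the sample addresses and timestamps are assumptions.

```python
"""First-match walk of the ordered Example 6 policy list (added example).

Not the appliance's code. Modelled semantics: policies are tried in table
order and the first match decides; a policy with a schedule only matches
inside that window; a Pass/Authenticate policy passes authenticated users
and blocks anyone else who sends the same kind of traffic.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

# HQ is the address group from step 3; "Mail_Server" is an assumed name
# for the mail server address 127.10.10.3 used by policy 4.
ADDRESS_GROUPS = {
    "HQ": [ip_network("126.20.20.0/24")],
    "Mail_Server": [ip_network("127.10.10.3/32")],
}


def in_9to5_mf(when: datetime) -> bool:
    """The "9to5M-F" schedule: Monday to Friday, 09:00 to 17:00 (assumed hours)."""
    return when.weekday() < 5 and 9 <= when.hour < 17


SCHEDULES = {"9to5 M-F": in_9to5_mf}


@dataclass
class Policy:
    name: str
    src: str
    dest: str
    service: str
    incoming_if: int
    firewall: str                  # "Pass", "Block" or "Pass/Authenticate"
    schedule: Optional[str] = None


# The step 6 table, in the order the guide says it must be created.
HQ_POLICIES = [
    Policy("Allow_User_http", "HQ", "ANY", "HTTP", 0, "Pass/Authenticate", "9to5 M-F"),
    Policy("Allow_All_HTTP", "HQ", "ANY", "HTTP", 0, "Pass"),
    Policy("Allow_Private_Any", "ANY", "ANY", "ANY", 0, "Pass"),
    Policy("Allow_Public_", "ANY", "Mail_Server", "ANY", 1, "Pass"),
    Policy("Deny_Public", "ANY", "ANY", "ANY", 1, "Block"),
]


def addr_in_group(group: str, addr: str) -> bool:
    """ANY matches everything; otherwise the address must fall in the group."""
    if group == "ANY":
        return True
    return any(ip_address(addr) in net for net in ADDRESS_GROUPS[group])


def evaluate(policies, src, dest, service, incoming_if, when, authenticated=False):
    """Return (policy name, verdict) for the first policy that matches.

    A packet that matches nothing gets ("(no match)", "Block"): an assumed
    default deny, which is why Example 6 still ends with an explicit Deny_Public.
    """
    for p in policies:
        if p.incoming_if != incoming_if:
            continue
        if p.service not in ("ANY", service):
            continue
        if not (addr_in_group(p.src, src) and addr_in_group(p.dest, dest)):
            continue
        if p.schedule and not SCHEDULES[p.schedule](when):
            continue                      # outside the window: fall through
        if p.firewall == "Pass/Authenticate":
            return p.name, "Pass" if authenticated else "Block"
        return p.name, p.firewall
    return "(no match)", "Block"


# Constructed sample times: a Monday and a Saturday at 10:00.
WORK_HOURS = datetime(2003, 6, 2, 10, 0)
WEEKEND = datetime(2003, 6, 7, 10, 0)

if __name__ == "__main__":
    for auth in (True, False):
        print("authenticated" if auth else "unauthenticated",
              evaluate(HQ_POLICIES, "126.20.20.7", "203.0.113.10", "HTTP", 0,
                       WORK_HOURS, authenticated=auth))
```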
VLAN Policy Examples
The following figure shows how a Firebox Vclass appliance can manage traffic to and from a typical VLAN.
This example consists of an ASP site that hosts two customers’ assets:
• Customer ABC’s servers are in network 10.1.1.0/255.255.255.0, which has been assigned VLAN ID 3.
• Customer XYZ’s servers are in network 10.1.2.0/255.255.255.0, which has been assigned VLAN ID 25.
To make this work, the needed VPN policies are applied in the ASP’s security appliance to allow Company ABC and XYZ to access their assets in the ASP through secure VPN tunnels. Because the ASP should not be allowed to access Company ABC and XYZ’s private networks, uni-directional VPN policies on the WatchGuard appliances are necessary.
The following address groups and VLAN objects for use by that appliance are required:
Address groups
ABC_Net:     IP Address: 192.168.1.0    Subnet Mask: 255.255.255.0
XYZ_Net:     IP Address: 205.118.17.0   Subnet Mask: 255.255.255.0
Tenant_ABC:  IP Address: 10.1.1.0       Subnet Mask: 255.255.255.0
Tenant_XYZ:  IP Address: 10.1.2.0       Subnet Mask: 255.255.255.0
VLAN tenant entries
ABC:  VLAN id = 3, interface 0 (Private), VLAN IP/mask: 10.1.1.1/255.255.255.0
XYZ:  VLAN id = 25, interface 0 (Private), VLAN IP/mask: 10.1.2.1/255.255.255.0
The requisite VPN policies on “ASP” should have the following parameters:
SRC      Dest        Srvc  In  Tenant  Firewall  IPSec
ABC_Net  Tenant_ABC  ANY   1   ABC     Pass      > ipsec_ABC
XYZ_Net  Tenant_XYZ  ANY   1   XYZ     Pass      > ipsec_XYZ
At the Company ABC site, a new policy should be applied to “ABC” with the following parameters:
SRC Dest Srvc In Tenant Firewall IPSec
ABC_Net Tenant_ABC ANY 0 Pass < ipsec_ABC
At the Company XYZ site, a new policy should be applied to “XYZ” with the following parameters:
Src Dest Srvc In Tenant Firewall IPSec
XYZ_Net Tenant_XYZ ANY 0 Pass < ipsec_XYZ
Using a Firebox Vclass appliance in a VLAN setting
If your SNMP management stations, DNS servers, OSPF routers, RADIUS servers, and mail servers are located in a VLAN-enabled network, you must explicitly define separate policies that allow Firebox Vclass appliances to send traffic to those devices. Otherwise, some Firebox Vclass features, such as SNMP trap notification and DNS lookup, will not work. Here is an example of a policy that allows SNMP traps sent from a Firebox Vclass security appliance to an SNMP management station in VLAN 20.
Src              Dest          Srvc       In        Tenant   Firewall
PRIVATE_PORT_IP  SNMP_STATION  SNMP trap  Internal  VLAN_20  Pass
Creating policies for user-domain tenants
In addition to VLAN tenant-specific policies, Vcontroller permits you to set up user domain-specific policies, which enable the appliance to perform traffic management for multi-tenant domains without the attendant VLAN hardware.
The concept behind the definition of a user domain tenant involves identifying the tenant and establishing the means of authenticating that tenant. For example, the Vcontroller administrator first defines a new user domain tenant (as described in this section). At this time, the administrator must link this entry to the relevant RADIUS system to provide authentication services. Next, the administrator can create the policies necessary for this user domain (and the tenants).
When a user domain tenant wants to initiate an Internet or other external network connection through the Firebox Vclass appliance, he or she would first log into the appliance using the user name, password, and domain name previously defined in the tenant record. After this is verified by the RADIUS system, the Firebox appliance associates the user (IP address) to the relevant domain. Any traffic from the user will then be covered by policies that incorporate that domain.
An example of a user-domain policy in use
As noted previously, the key element in user-domain tenant policies is user authentication, which is how traffic pertaining to a specific tenant is identified. For example:
• The Vcontroller administrator creates a user-domain tenant record for “Engineering” domain users that uses a RADIUS server for user authentication.
• Policies are created to manage traffic for an external network, originating from “Engineering.”
• When one of the tenant users wants to make an external connection, he or she opens a Web browser and logs into the Firebox appliance. The user’s IP address is also noted by the appliance.
• After the user provides a user name, password, and domain name (specified in the Tenant entry as referenced by the policy), his or her name and password are validated by the RADIUS system.
• The user is granted access to the external network.
• The appliance now classifies packets from the user’s computer as traffic from the “Engineering” domain tenant.
• Finally, after a set idle time expires, the connection is broken, and that user will have to log in and reauthenticate before being granted access to the external network again.
One of the advantages of creating and applying user-domain tenants to policies is that there is no strict relationship between a tenant and the originating computer’s IP address. The computer used by a tenant user is noted dynamically by the appliance during the authentication process; the user name, password, and domain are the key, and the IP address simply becomes a temporary location for the duration of the connection.
QoS Policy Examples
When using QoS actions within your policies to prioritize your network traffic, remember that any traffic streams not included in explicit QoS actions will be affected by a default QoS action with WFQ set to 5. The following example shows how this works in conjunction with other QoS policies.
Example 1:
Policy 1: QoS action A with WFQ weight = 5
Policy 2: No QoS
Policy 3: No QoS
Policy 4: QoS action B with WFQ weight = 10
Policy 5: No QoS
In this case, the ratio between all three QoS actions is 5 (default), 5 (QoS A), and 10 (QoS B). When the network bandwidth is fully utilized, policy 1 traffic will use 25% of the bandwidth, policy 4 will use 50%, and all other traffic will share the remaining 25%.
Example 2:
Policy 1: QoS action A with WFQ weight = 15
Policy 2: No QoS
Policy 3: No QoS
Policy 4: QoS action B with WFQ weight = 5
Policy 5: No QoS
Policy 6: QoS action B with WFQ weight = 5
In this case, the ratio between all three QoS actions is 5 (default), 15 (QoS A), and 5 (QoS B), which is a 1:3:1 ratio. Therefore, when the network capacity is fully utilized, policy 1 traffic will use 60% of the total bandwidth (3/5), policy 4 and policy 6 traffic will share 20% (1/5) of the bandwidth, and all other traffic will share the remaining 20% (1/5) of bandwidth.
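As an added illustration that is not from the guide, this Python function reproduces the percentages quoted in both QoS examples from the policy lists themselves: every policy without a QoS action falls under the default action with WFQ weight 5, and each QoS action counts once in the ratio no matter how many policies reference it.

```python
"""Bandwidth shares under WFQ for the two QoS examples (added example).

Not the appliance's code; it encodes the rule the guide states: traffic
under any policy with no QoS action falls under the default QoS action,
whose WFQ weight is 5, and each QoS action counts once in the ratio however
many policies reference it (policies 4 and 6 in Example 2 share action B).
"""
from fractions import Fraction

DEFAULT_WFQ_WEIGHT = 5
DEFAULT = "default"


def wfq_shares(policies):
    """policies: list of (policy name, QoS action name or None, WFQ weight or None).

    Returns {QoS action: percent of total bandwidth} when the link is saturated.
    Percentages are computed exactly with Fraction and then converted.
    """
    weights = {}
    for _name, action, weight in policies:
        if action is None:
            weights.setdefault(DEFAULT, DEFAULT_WFQ_WEIGHT)
            continue
        if weights.get(action, weight) != weight:
            raise ValueError(f"QoS action {action!r} referenced with two weights")
        weights[action] = weight
    total = sum(weights.values())
    return {action: float(100 * Fraction(w, total)) for action, w in weights.items()}


def policy_share(policies, policy_name):
    """Percent of bandwidth available to the QoS action a given policy uses."""
    shares = wfq_shares(policies)
    for name, action, _weight in policies:
        if name == policy_name:
            return shares[action if action is not None else DEFAULT]
    raise KeyError(policy_name)


# Example 1 from the guide.
EXAMPLE_1 = [
    ("Policy 1", "A", 5),
    ("Policy 2", None, None),
    ("Policy 3", None, None),
    ("Policy 4", "B", 10),
    ("Policy 5", None, None),
]

# Example 2 from the guide: policies 4 and 6 both use action B.
EXAMPLE_2 = [
    ("Policy 1", "A", 15),
    ("Policy 2", None, None),
    ("Policy 3", None, None),
    ("Policy 4", "B", 5),
    ("Policy 5", None, None),
    ("Policy 6", "B", 5),
]

if __name__ == "__main__":
    print(wfq_shares(EXAMPLE_1))   # A and default 25% each, B 50%
    print(wfq_shares(EXAMPLE_2))   # A 60%, B and default 20% each
```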
Static NAT Policy Examples
The following sections describe different examples of static NAT applications.
Example 1: Translating IP addresses into aliases
If one region of your network is protected from unauthorized internal use connections, it may rely on a pool of internal-use IP addresses that are also used in other network regions. You can set up a static NAT policy that translates the existing IP addresses into aliases, for use in establishing connections with other regions of the network without fear of IP address conflicts.
[Figure: internal addresses 192.168.12.(X) translated to alias addresses 192.168.24.(X)]
The policies would incorporate these entries:
   Name                 Source        Dest   Srvc  In  Static NAT action
1  Inbound static NAT   ANY           Alias  ANY   1   static NAT_1
2  Outbound static NAT  Internal_Net  ANY    ANY   0   static NAT_1
The two address groups would include these entries:
Internal_net: 192.168.12.0/24
Alias: 192.168.24.0/24
The static NAT action would reflect these entries:
static NAT_1: Internal = Internal_net, External = Alias
Example 2: Preventing conflicts between IP addresses
If your extended network relies on VPN connections between gateway appliances at remote sites, you can set up address translation to prevent conflicts between the common pools used in the internal networks behind each appliance.
[Figure: hosts 192.168.12.11 through 192.168.12.15 exist at both sites; one site reaches the other's hosts as 144.120.55.11 through 144.120.55.15]
These address groups must first be entered in Vcontroller in the respective locations:
For Site A:
Net_A: 192.168.12.0/24
Alias_A: 212.12.3.0/24
Net_B: 144.120.55.0/24
For Site B:
Net_B: 192.168.12.0/24
Alias_B: 144.120.55.0/24
Net_A: 212.12.3.0/24
The following static NAT actions must be entered in Vcontroller in the respective locations:
For Site A:
static NAT_A: Internal: Net_A, External: Alias_A
For Site B:
static NAT_B: Internal: Net_B, External: Alias_B
The policies in the Site A security appliance would include these settings:
Name      Src    Dest   Srvc  In       Static NAT action  IPSec
SITE_A-B  Net_A  Net_B  ANY   0 (pvt)  static NAT_A       IPSec_A-B (<->)
The policies in the Site B security appliance would include these settings:
Name      Src    Dest   Srvc  In       Static NAT action  IPSec
SITE_B-A  Net_B  Net_A  ANY   0 (pvt)  static NAT_B       IPSec_A-B (<->)
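An added Python model, not WatchGuard's code, of the address rewriting these two static NAT actions perform. It uses the address groups entered at each site above and follows one packet from a Site A host to a Site B host and the reply back; the host addresses are constructed.

```python
"""One-to-one static NAT between two sites with overlapping private networks
(added example; not the guide's or WatchGuard's code).

Both sites number their hosts in 192.168.12.0/24. Site A presents itself to
Site B as Alias_A (212.12.3.0/24); Site B presents itself to Site A as
Alias_B (144.120.55.0/24). Each site's static NAT action rewrites its own
internal network to its alias on the way out, and the alias back to the
internal network on the way in, keeping the host part of the address.
"""
from ipaddress import ip_address, ip_network

# Address groups as entered at each site (from the guide).
SITE_A = {"Net_A": "192.168.12.0/24", "Alias_A": "212.12.3.0/24", "Net_B": "144.120.55.0/24"}
SITE_B = {"Net_B": "192.168.12.0/24", "Alias_B": "144.120.55.0/24", "Net_A": "212.12.3.0/24"}


def map_host(addr, from_net, to_net):
    """Carry the host offset of addr from one network to another of equal size."""
    a, src, dst = ip_address(addr), ip_network(from_net), ip_network(to_net)
    if a not in src:
        raise ValueError(f"{addr} is not in {from_net}")
    if src.prefixlen != dst.prefixlen:
        raise ValueError("static NAT needs networks of equal size")
    offset = int(a) - int(src.network_address)
    return str(ip_address(int(dst.network_address) + offset))


class StaticNat:
    """A static NAT action: Internal <-> External, applied at one site."""

    def __init__(self, internal, external):
        self.internal, self.external = internal, external

    def outbound(self, src, dst):
        """Leaving the site: rewrite an internal source address to its alias."""
        if ip_address(src) in ip_network(self.internal):
            src = map_host(src, self.internal, self.external)
        return src, dst

    def inbound(self, src, dst):
        """Entering the site: rewrite an alias destination back to the internal address."""
        if ip_address(dst) in ip_network(self.external):
            dst = map_host(dst, self.external, self.internal)
        return src, dst


STATIC_NAT_A = StaticNat(SITE_A["Net_A"], SITE_A["Alias_A"])
STATIC_NAT_B = StaticNat(SITE_B["Net_B"], SITE_B["Alias_B"])


def a_to_b(src, dst):
    """A packet from a Site A host to a Site B host (addressed by its alias).

    Returns the (src, dst) pair as seen inside the tunnel and as delivered at Site B.
    """
    in_tunnel = STATIC_NAT_A.outbound(src, dst)
    delivered = STATIC_NAT_B.inbound(*in_tunnel)
    return in_tunnel, delivered


def b_to_a(src, dst):
    """The reply path: a Site B host answering a Site A host by its alias."""
    in_tunnel = STATIC_NAT_B.outbound(src, dst)
    delivered = STATIC_NAT_A.inbound(*in_tunnel)
    return in_tunnel, delivered


if __name__ == "__main__":
    # Constructed hosts: 192.168.12.11 at Site A talks to 192.168.12.12 at Site B.
    print(a_to_b("192.168.12.11", "144.120.55.12"))
    print(b_to_a("192.168.12.12", "212.12.3.11"))
```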
Load Balancing Policy Examples
Configuring Load Balancing for a Web Server
1 After starting the Vcontroller application, click Security Policy in the Policy column.
The Policy Manager window appears.
2 Click any existing policy entries (or click the last row) in the Security Policies list.
Your new policy appears in the row you selected and moves the existing policy down a row.
NOTE
If your Firebox Vclass appliance is already using a “block all external traffic” firewall policy, this new load-balancing policy must be listed above the firewall policy.
3 Click the Insert button at the bottom of the window.
The Insert Security Policy dialog box appears.
4 In the Name and Description fields, type a name and brief description for the policy. The Description field is optional.
Configuring Load Balancing for an Ecommerce Site
The following example shows how a Firebox Vclass appliance can function as a load balancing accessory to evenly distribute data requests to a series of Web servers. This scenario can be adapted to full effect in e-commerce sites that use a large number of servers to manage the growing number of consumers.
An e-commerce site may get several hundred thousand hits a day. A Firebox Vclass appliance can be strategically placed in the network to function as both a firewall that protects internal network assets and a load balancer for the Web servers.
In this scenario, any number of external client users will be trying to connect to a Web site with a URL that points solely to a single, publicly routable IP address, 128.100.0.2. This address cannot be shared by all the existing Web servers, each of which has its own internal IP address. The challenge is to evenly distribute each new data request to a different server, although the requests originally expect 128.100.0.2 to answer.
1 Open the System Configuration dialog box and use the Route tab to either add a default gateway or change the existing default gateway to 128.100.0.1.
2 Open the Insert Security Policy dialog box and make the following entries.
Name        Source  Destination  Srvc  Incoming  Firewall
Allow_HTTP  ANY     127.10.10.0  HTTP  1         Pass
Consider what would happen if the above firewall policy is the only one implemented. Clients attempting to access Web servers in the DMZ network will endure long wait times. The existing Web servers cannot share the total load of HTTP requests. If one of the Web servers is overloaded with requests, the other two Web servers will not pick up the excess requests automatically.
A load balancing policy fixes these problems. Because all clients use the publicly routable IP address (128.100.0.2), the Firebox Vclass appliance automatically receives all such requests and distributes them to the Web servers in the DMZ net, regardless of what IP addresses each Web server is assigned.
In this example, the site’s publicly routable IP address will be assigned to the appliance’s Public interface. The resulting load balancing policy will distribute HTTP requests to each of the Web servers in turn:
1 Reopen the firewall policy.
2 Change the Destination to 128.100.0.2.
3 Click the New button to the right of the NAT/LB Action drop-down list.
4 When the New NAT Action dialog box appears, enter a name for the new action, such as Web-load.
5 From the NAT Type drop-down list, select Virtual IP.
6 From the Load Balancing Algorithm, select Weighted Least Connection.
The Firebox Vclass appliance will route incoming HTTP traffic to the Web server that has the least number of active requests among the three servers.
7 Click New to the right of the Servers list.
8 When the New Server dialog box appears, select IP Address and type 127.10.10.2 in the accompanying text field.
9 In the Port field, type 80, unless there is another port number for this server.
10 In the Weight field, type 1.
Weight establishes the load/capacity of all the Web servers in proportion to each other. The specific number can be determined using the following formula, as shown in these two examples:
Web server   Load/Capacity
First        1
Second       2 (twice as much as the first Web server)
Third        3 (three times as much as the first Web server)
The weight distribution for these Web servers would be 1:2:3.
Web server   Load/Capacity
First        1
Second       1 (same as the first Web server)
Third        2 (twice as much as the first Web server)
The weight distribution for these Web servers would be 1:1:2.
11 Click Done to save the new server entry.
12 Repeat the New Server dialog box process two more times and enter the separate IP addresses of the other two Web servers. Use the Weight numbers 2 and 3 in each case.
13 When you have saved all three server entries, click Done to save this NAT/LB action.
14 Save your new policy and then apply it in the Policy Manager window.
The final load balancing policy will have these settings:
Name        Src  Dest         Service  In  Firewall  NAT/LB
Allow_HTTP  ANY  128.100.0.2  HTTP     1   Pass      Web-Load
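As an added example that is not WatchGuard's implementation, the following Python code models the Weighted Least Connection algorithm selected in step 6 over the three servers with weights 1, 2 and 3 from step 12. Only 127.10.10.2 is given in the guide; the other two server addresses are assumed.

```python
"""Weighted Least Connection, the algorithm chosen for the Web-load action
(added example; not WatchGuard's implementation).

Each new HTTP request goes to the server with the lowest ratio of active
connections to weight, so a weight-3 server is allowed roughly three times
the load of a weight-1 server. Ties go to the earliest listed server.
"""
from dataclasses import dataclass


@dataclass
class Server:
    ip: str
    port: int = 80
    weight: int = 1
    active: int = 0      # connections currently open through the appliance


class WeightedLeastConnection:
    def __init__(self, servers):
        self.servers = list(servers)

    def pick(self):
        """Lowest active/weight wins; ties go to the earliest listed server."""
        _, server = min(enumerate(self.servers),
                        key=lambda item: (item[1].active / item[1].weight, item[0]))
        return server

    def open_connection(self):
        """Route one new request and return the chosen server's address."""
        server = self.pick()
        server.active += 1
        return server.ip

    def close_connection(self, ip):
        """A client finished: release one connection on that server."""
        for s in self.servers:
            if s.ip == ip and s.active > 0:
                s.active -= 1
                return
        raise ValueError(f"no open connection on {ip}")

    def load(self):
        return {s.ip: s.active for s in self.servers}


def web_load_pool():
    """The three DMZ web servers of the example; 127.10.10.5/.6 are assumed addresses."""
    return WeightedLeastConnection([
        Server("127.10.10.2", 80, weight=1),
        Server("127.10.10.5", 80, weight=2),
        Server("127.10.10.6", 80, weight=3),
    ])


def distribute(pool, requests):
    """Open `requests` connections with none closing; return per-server counts."""
    for _ in range(requests):
        pool.open_connection()
    return pool.load()


if __name__ == "__main__":
    print(distribute(web_load_pool(), 12))   # about 1:2:3 across the servers
```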
CHAPTER 10
Using Proxies
Proxy filtering goes a step beyond packet filtering by examining a packet’s content, not just the packet’s header. Consequently, the proxy determines whether a forbidden content type is hidden or embedded in the data payload. For example, an SMTP Incoming proxy examines all incoming SMTP packets (email) to determine whether they contain forbidden content types, such as executable programs or items written in scripting languages. Such items are common methods of transmitting computer viruses. The SMTP proxy knows these content types are not allowed, while a packet filter would not detect the unauthorized content in the packet’s data payload.
Proxies work at the application level, while other policies work at the network and transport protocol level.
In other words, each packet processed by a proxy is stripped of all network wrapping, analyzed, rewrapped, and forwarded to the intended destination. This adds several layers of complexity and processing beyond the packet filtering process. What this means, of course, is that proxies use more processing bandwidth than packet filters. On the other hand, they catch dangerous content types in ways that packet filters cannot.
In This Chapter
This chapter includes the following topics:
• “Proxy Description” on page 238
• “General Proxy Configuration” on page 241
• “Proxy Parameters Reference” on page 251
• “Reference Sources” on page 297
Proxy Description
The Firebox Vclass supports two proxy types:
• HTTP Client Proxy
• SMTP Proxy (Outbound and Inbound)
HTTP Client Proxy
The HTTP Client Proxy is a versatile, high-performance content-filtering method that you can use to selectively filter and protect your web clients and web servers from potentially hostile entities on the Internet.
The HTTP proxy offers the following features:
• Can be used to force strict RFC compliance for the web server and clients
• Allows MIME content-type filtering
• Allows configurable screening for Java, ActiveX, and other code types
• Performs HTTP header checking
The HTTP proxy sits between the sending Web server and your receiving Web client, much like a standard proxy server. It processes the HTTP line-by-line for any potentially harmful content before passing it to the internal Web client. It also acts as a buffer between your Web server and potentially harmful Web clients, enforcing HTTP RFC compliance for GET and POST operations.
SMTP Proxy
The SMTP proxy can be used to limit or prevent potentially harmful email content. The proxy scans SMTP messages for a number of filtered parameters, and compares them against the configuration and rulesets specified in the proxy action. Email messages containing suspect attachments can be stripped of their attachments and then sent to the intended recipient, denied entirely, or Blocked (denied, with the Sender IP added to the Blocked Sites List).
The Outbound SMTP proxy can be used to prevent malicious SMTP messages that originate within your network from passing through the Vclass appliance, and out to the internet or WAN. The Inbound SMTP proxy is used to prevent malicious messages or code from reaching destinations within your network.
Rules and Rulesets
Proxy actions are configured using a set of general parameters, and several sets of rules.
Rules
• Rules specify a type of content, pattern, or expression that the proxy action should identify.
• Rules specify actions (allow, deny or strip, drop, or Block) that are taken when content matches a rule.
• Rules allow for independent alarm notification.
• Rules allow for independent logging.
Rulesets
Every rule is part of a ruleset. A ruleset can include factory-configured rules and user-defined rules. Every ruleset
Figure 11: Ruleset description (the figure labels the Rule list and the Category selector)
Rule processing occurs as follows:
• Rules are processed in order from the top to the bottom of the window.
• Rules can be ordered using the rule ordering arrows.
• Once a filtered item matches a rule, it is processed according to the specified action.
• Content can match multiple listed rules or the default rule. However, only the first rule matched is used.
• All content of the specified type that does not match a listed rule is processed according to the default rule.
• The default rule is always the last step for content filtering. The action in the default rule is applied to all content in a rule Category that does not match a listed rule.
See “Proxy Action Rule ordering example” on page 250 for an example of how rule ordering works.
General Proxy Configuration
Proxies are configured as proxy actions from the Policy Manager. Vcontroller includes three default proxies, preconfigured for the three available proxy types. In addition to these preconfigured proxies, you can create your own customized proxies, or copy and edit the defaults.
Using a Proxy Action in the Policy Manager
Proxy actions are implemented and ordered in the Policy Manager in the same way as other policies. See “Defining a Security Policy” on page 178 for more information.
Creating a Proxy Action
To create a new proxy action:
1 Launch Vcontroller, and log in.
2 Click Proxies.
The Proxy Actions window appears.
3 Click New.
The Add Proxy Action dialog appears.
4 Select an existing proxy action to use as the base for the new proxy action from the Based On drop-down list.
Click OK. The proxy action Details window appears.
This window is different for each type of proxy. The following figure shows the initial window for a new proxy action based on the Default HTTP-Outgoing proxy action.
5 Adjust the values and rulesets using the tabs, according to your preference.
A complete reference for the parameters and configuration of the preconfigured proxies is included later in this chapter. See “Proxy Parameters Reference” on page 251 for more information.
Editing an existing Proxy Action
To edit an existing proxy action:
1 Launch Vcontroller, and log in.
2 Click Proxies.
The Proxy Actions window appears.
3 Select a proxy action from the list, and click Edit.
NOTE
Note that you cannot save changes to the three default proxy actions.
The Add Proxy Action dialog appears.
4 Adjust the values and rulesets using the tabs, according to your preference.
A complete reference for the parameters and configuration of the preconfigured proxies is included later in this chapter. See “Proxy Parameters Reference” on page 251 for more information.
5 When you have finished configuring the proxy action, click OK to save your changes, or click Cancel to close the proxy action without saving your changes.
Configuring proxy rules
To create and configure proxy rules:
1 Create or edit a proxy action.
2 Navigate to the tab where you are creating the rule.
In this example, a proxy rule is created in the HTTP Client Response Headers dialog. The Header Fields Category is selected.
3 Edit or Add a rule.
• To edit a rule, double-click the rule, or select the rule and click Edit.
The Edit Rule dialog box appears.
• To add a new rule, click Add.
The New Rule dialog box appears.
4 In the Name field, type a name for the rule.
5 Select the type of matching to use with this rule from the pull-down menu.
Rule matching options are:
Exact Match
Select this to match an exact (case-insensitive) string. For example, you can use this to match the exact e-mail address “[email protected]” or the hexadecimal representation for a Java file, “%0xCAFEBABE%”.
Pattern Match
Select this to match a “glob” style pattern. This field is case-insensitive.
Character  Usage
*          a wildcard used to match 0 to many characters
?          a wildcard used to match any single character
Example
*.vbs will match any filename that includes the extension “.vbs”
www.example.??? will match the domains “www.example.com,” “www.example.net,” “www.example.org,” and “www.example.biz.” It will not match “www.example.tv” or “www.example.net.org.”
Regular Expression
Select this to match a pattern employing full regular expression syntax. This field is case sensitive. Substring is the default; explicit anchoring is required otherwise, using “^(regexp)$”. For example, “(\.bat|\.exe)$” will match anything ending in “.bat” or “.exe”.
For more information consult a reference book, such as O’Reilly’s Mastering Regular Expressions.
6 From the Action drop-down list, select the action the proxy takes when a match occurs.
Action options are:
Action         Description
Allow          This option allows the connection to proceed as normal.
Deny or Strip  This option denies or strips a specific request, but maintains the connection, if possible. When this option is deny, the content is dropped and replaced with the deny message. When this option is strip, all applicable filtered content is removed and dropped, but the rest of the message is allowed through, subject to further proxy filtering.
Drop           This action denies the specific request and drops the connection.
Block          This action denies the specific request, drops the connection, and adds the originating host to the Runtime Blocked Sites list.
7 Use the Alarm drop-down list to select whether to trigger an alarm for this event.
8 Use the Log drop-down list to select whether to write this event to the event log.
9 Click OK to complete the rule.
Ordering listed Rules in a Proxy Action
Rules are processed in order from top to bottom of the window. The default rule is always the last step for filtered content in a proxy action.
To order listed rules:
1 Edit a proxy action. See “Editing an existing Proxy Action” on page 243 for this procedure.
2 Locate the ruleset you want to order.
3 Select the rule you want to move, and use the up or down arrows to change its position in the list.
Repeat this process for each rule that needs to be re-ordered.
Proxy Action Rule ordering example
This example describes how you can use proxy action rule ordering to strip a specific MIME subtype, while still allowing the rest of the master MIME type. This example uses the SMTP-Inbound proxy action, with the default settings.
In this example, the strip rule for the MIME subtype (image/tiff) is ordered so it is above the allow rule for the MIME type (image).
The image/tiff rule is an exact match rule for the MIME type “image/tiff,” and the image/* rule is a pattern match rule for the master type “image/*.” At runtime, the proxy processes the image/tiff rule first, so images of type TIF are identified and stripped. However, all other “image” subtypes do not match the TIF rule, and pass on to subsequent rules. When they reach the rule that allows the master type (image/*), they are identified and allowed.
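The three matching options from step 5 of “Configuring proxy rules” and the rule ordering example above, as an added Python model that is not the appliance's code. The ruleset's default action and the sample content strings are assumptions; the patterns and the regular expression are the ones quoted in the guide.

```python
"""Proxy rule matching and first-match rule ordering (added example; not the
appliance's code).

Implements the three match types as the guide defines them: Exact Match is
a case-insensitive string compare; Pattern Match is a case-insensitive glob
where * matches zero or more characters and ? exactly one; Regular
Expression is case-sensitive and matches a substring unless the expression
is anchored. apply_rules() walks a ruleset top to bottom, first match wins,
and anything unmatched falls through to the default rule.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    match_type: str      # "exact", "pattern" or "regex"
    value: str
    action: str          # "allow", "strip", "deny", "drop" or "block"


def glob_to_regex(pattern):
    """Translate a * / ? glob into an anchored regular expression."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return "^" + "".join(parts) + "$"


def rule_matches(rule, content):
    if rule.match_type == "exact":
        return content.lower() == rule.value.lower()
    if rule.match_type == "pattern":
        return re.match(glob_to_regex(rule.value), content, re.IGNORECASE) is not None
    if rule.match_type == "regex":
        return re.search(rule.value, content) is not None   # substring, case-sensitive
    raise ValueError(f"unknown match type {rule.match_type!r}")


def apply_rules(rules, default_action, content):
    """First listed rule that matches decides; otherwise the default rule applies."""
    for rule in rules:
        if rule_matches(rule, content):
            return rule.name, rule.action
    return "default", default_action


# The rule ordering example: the strip rule for image/tiff sits above the
# allow rule for the master type image/*. The default action is assumed.
ORDERED = [
    Rule("image/tiff", "exact", "image/tiff", "strip"),
    Rule("image/*", "pattern", "image/*", "allow"),
]
# The same two rules the wrong way round: image/* swallows image/tiff too.
MISORDERED = list(reversed(ORDERED))
DEFAULT_ACTION = "strip"

# The patterns and the expression quoted in the matching-options description.
VBS_RULE = Rule("vbs", "pattern", "*.vbs", "strip")
DOMAIN_RULE = Rule("example-domain", "pattern", "www.example.???", "deny")
EXE_BAT_RULE = Rule("exe-bat", "regex", r"(\.bat|\.exe)$", "strip")

if __name__ == "__main__":
    for content in ("image/tiff", "image/png", "application/octet-stream"):
        print(content, apply_rules(ORDERED, DEFAULT_ACTION, content),
              apply_rules(MISORDERED, DEFAULT_ACTION, content))
```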
Proxy Parameters Reference
This parameter reference describes the fields you can configure for proxy actions. Settings for the three factory default proxy actions are also described.
The following default proxy actions are described:
• “HTTP Client Proxy” on page 251
• “SMTP Incoming Proxy” on page 272
• “SMTP Outgoing Proxy” on page 286
HTTP Client Proxy
Info tab
This tab allows you to type a name and description for the HTTP proxy action.
Name
A name for the proxy. This field is limited to 30 characters. If the name you specify is longer than 30 characters, the name is truncated to 30 characters.
Description
A description of the proxy, for your reference.
The proxy action should be used with the following services
The default services for the HTTP proxy are TCP Ports 80, 8000, and 8080. This section is informational only. The proxy will filter all content of the specified type, regardless of the port used.
Request General tab
This tab allows you to configure content filtering for client-side general HTTP Request parameters.
Client Connection Idle Timeout
Specifies the time in seconds the proxy waits before dropping an idle connection. Default is 110 seconds.
Maximum Allowed URL Length
Specifies the maximum length in bytes of an allowed outbound HTTP URL. Default is 1024 bytes. Some sites may use longer URLs than this; however, the longer the URL, the greater the chance that some systems may be vulnerable to certain attacks.
Log Connections / Maximum Log URL Length
Enables or disables logging of HTTP outbound connections. When enabled, you can specify a maximum Log URL length in bytes. The default is 1024 bytes.
Category
Specifies the category of HTTP request rules.
The Request Methods ruleset specifies HTTP request methods that the proxy allows. Note that the ruleset is configured to allow the listed rules, and deny all other methods.
The most commonly used HTTP request methods are Get, Head, Post, and Put. Some of the less frequently used Request Methods may be vulnerable to certain exploits and hacks.
Get
The GET method retrieves the information entity identified by the Request-URI. This is the most frequently used request method (RFC 2616).
Head
The HEAD method is identical to GET except that the server must not return a message-body in the response. The metainformation contained in the HTTP headers in response to a HEAD request is identical to the information sent in response to a GET request. This method can be used for obtaining metainformation about an entity without transferring the body. This method is often used for link testing (RFC 2616).
Post
The POST method is used to request that the origin server accept the entity enclosed in the request as a new subordinate of the resource identified by the Request-URI in the Request-Line. POST allows a uniform method for:
- Annotation of existing resources
- Posting a message to a bulletin board, newsgroup, mailing list, or similar group of articles
- Providing a block of data, such as the result of submitting a form, to a data-handling process
- Extending a database through an append operation
The actual function performed by the POST method is determined by the server and is usually dependent on the Request-URI ( RFC 2616 ).
Put
The PUT method requests that the enclosed entity be stored under the supplied Request-URI. If the Request-URI refers to an already existing resource, the enclosed entity should be considered as a modified version of the existing resource. If the Request-URI does not point to an existing resource, and that URI is capable of being defined as a new resource by the requesting user agent, the origin server can create the resource with that URI (RFC 2616).
Link
The LINK entity-header field provides a means for describing a relationship between two resources, generally between the requested resource and another resource. An entity may include multiple LINK values. LINKS at the metainformation level typically indicate relationships like hierarchical structure and navigation paths (RFC 2068 section 19.6.2.4).
Unlink
The UNLINK method removes one or more LINK relationships from the existing resource identified by the Request-URI. These relationships may have been established using the LINK method or by any other method supporting the Link header. The removal of a link to a resource does not imply that the resource ceases to exist or becomes inaccessible for future references (RFC 2068 section 19.6.1.3).
Trace
The TRACE method is used to invoke a remote, application-layer loop-back of the request message. The final recipient of the request reflects the message received back to the client as the body of a 200 (OK) response. A TRACE request must not include an entity (RFC 2616).
Patch
The PATCH method is similar to PUT except that the entity contains a list of differences between the original version of the resource identified by the Request-URI and the desired content of the resource after the PATCH action has been applied. The list of differences is in a format defined by the media type of the entity (for example, “application/diff”), and must include sufficient information to allow the server to recreate the changes necessary to convert the original version of the resource to the desired version (RFC 2068 section 19.6.1.1).
Options
The OPTIONS method requests information about the communication options available on the request/response chain identified by the Request-URI. This method allows the client to determine the options or requirements associated with a resource, or the capabilities of a server, without implying a resource action or retrieving a resource (RFC 2616).
Delete
The DELETE method requests that the origin server delete the resource identified by the Request-URI (RFC 2616).
256 Vcontroller
Proxy Parameters Reference
Checkin
A CHECKIN request can be applied to a checked-out, version-controlled resource, to produce a new version whose content and dead properties are copied from the checked-out resource. If a CHECKIN request fails, the server state preceding the request is restored (RFC 3253 section 4.4).
Checkout
A CHECKOUT request can be applied to a checked-in version-controlled resource, to allow modifications to the content and dead properties of that version-controlled resource. If a CHECKOUT request fails, the server state preceding the request is restored (RFC 3253 section 4.3).
URL Paths
URL Paths is a ruleset that allows you to filter the content of an HTTP path. The path is everything after the initial slash. For example, in www.server.com/cgi/index.html, the path content is “cgi/index.html.”
The current ruleset implementation is set to catch and strip common executable program file extensions for Windows (*.exe and *.dll). By default this ruleset allows all URL path information except for the listed rules.
NOTE
One possible use for a URL Paths rule is to create pattern match rules to match the content *ad/* and *ads/*. Though not guaranteed to work, this can function as a simple, effective screening tool to reduce the amount of online advertising users see. Check the URLs of popup windows or banner ads you or your users find on the Web for other ideas.
Windows EXE
A pattern match rule that denies URL path content with the extension “.exe.” This effectively prevents users from accessing common Windows applications using HTTP. Installable programs are often EXE files, so in some scenarios this rule can cause problems.
Windows DLL
A pattern match rule that denies URL path content with the extension “.dll.” This effectively prevents users from accessing some Windows applications across HTTP. DLLs are sometimes used for web applications such as banners or tickers. However, DLLs can pose a threat to your systems and network. Exercise caution when changing this rule.
NOTE
Blocking *.exe files in URLs prevents Windows users on your network from downloading executables over HTTP. This might inconvenience users who need access to software downloads. In addition, blocking *.dll files in URLs prevents some web applications from working.
Request Headers tab
This tab allows you to configure content filtering for client-side HTTP Request Headers.
Maximum Total Length
The maximum total length of the HTTP Request Header. Some systems may be vulnerable to overflow attacks if the header field is too large. The default value is 0, which means there is no maximum.
Maximum Line Length
The maximum length of each line of characters in the HTTP Request Header. Some systems may be vulnerable to exploits that use very long lines. The default value is 1024 bytes.
Category
This specifies the ruleset category–Header Fields or Authorization.
Header Fields
This ruleset provides content filtering for HTTP Header fields. The ruleset uses exact matching rules to strip Via, Referer, and From headers, and allows all other headers by default.
Via
The Via general-header field must be used by gateways and proxies to indicate the intermediate protocols and recipients between the user agent and the server on requests, and between the origin server and the client on responses. It is intended to be used for tracking message forwards, avoiding request loops, and identifying the protocol capabilities of all senders along the request/response chain (RFC 2616).
Referer
The Referer request-header field allows the client to specify the address (URI) of the resource from which the Request-URI was obtained, for the benefit of the server (RFC 2616).
From
The From request-header field, if provided, contains an Internet e-mail address for the human user who controls the requesting user agent (RFC 2616).
Authorization
This ruleset provides content filtering for HTTP Request Header authorization fields. A user agent that wishes to authenticate itself with a server does so by including an Authorization request-header field with the request. The Authorization field value consists of credentials containing the authentication information of the user agent for the realm of the resource being requested.
This ruleset is designed to allow NTLM, Digest, and Basic authorization, and to strip all other authorization by default.
Basic
The Basic authentication scheme is based on the model that the client must authenticate itself with a user-ID and a password for each realm. The realm value is an opaque string that can only be compared for equality with other realms on that server. The server services the request only if it can validate the user-ID and password for the protection space of the Request-URI. There are no optional authentication parameters (RFC 2617).
Digest
Like Basic Access Authentication, the Digest scheme is based on a simple challenge-response paradigm. The Digest scheme challenges using a nonce value. A valid response contains a checksum (by default, the MD5 checksum) of the username, the password, the given nonce value, the HTTP method, and the requested URI. The password is never sent in the clear (RFC 2617).
NTLM
Windows NT LAN Manager (NTLM), also known as Windows NT Challenge/Response, is the authentication protocol used on networks that include systems running the Windows NT operating system, and on stand-alone systems.
NTLM credentials are based on data obtained during the interactive logon process and consist of a domain name, a user name, and a one-way hash of the user’s password. NTLM uses an encrypted challenge/response protocol to authenticate a user without sending the user’s password over the wire. Instead, the system requesting authentication must perform a calculation that proves it has access to the secured NTLM credentials (Microsoft).
Response General tab
This tab allows you to configure general content filtering for server-side HTTP Response parameters.
Server Connection Idle Timeout
Specifies the amount of time, in seconds, that the connection to the server is allowed to idle before the connection is dropped. Default is 110 seconds.
Body Content Type
This ruleset specifies rules for filtering content in an HTTP Response. The ruleset is configured to strip Windows OCX, Windows CAB, and Java applets. The default rule allows all other response body content types.
Windows OCX
Windows ActiveX controls (OCX) can be used to execute code on client machines. This rule specifies a pattern match for the Windows OCX signature: %0x5a4d00900003000000040000ffff0000%*.
Windows CAB
A cabinet (.cab) file is a library of compressed files stored as a single file. Cabinet files are used to organize installation files. A CAB file can contain malicious code that can be executed on a client system. This rule specifies a pattern match for the Windows CAB signature: %0x4d53434600000000%*.
Java applet
Java applets are widely used in many safe applications on the Web. However, Java applets can be used to maliciously attack or exploit a client.
This rule specifies a pattern match for the Java applet signature: %0xcafebabe%*.
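The Body Content Type and URL Paths rules above are all pattern match rules written in the Proxy-window syntax. The following added example (not WatchGuard code) evaluates such rules against HTTP content; it assumes that '*' matches any run of bytes, '%0x<hex>%' encloses raw byte values and '%%' is a literal percent sign, takes the three signatures and the *.exe / *.dll rules from this chapter, and uses constructed sample bodies and paths.

```python
"""Evaluate proxy pattern match rules against HTTP content.

Added example, not WatchGuard code. Assumed syntax: '*' matches any run
of bytes, '%0x<hex>%' encloses raw byte values, '%%' is a literal '%'.
Signatures and URL path rules come from the guide; samples are constructed.
"""
import re


def compile_rule(pattern: str) -> re.Pattern:
    """Translate a pattern match rule into a bytes regex anchored at both ends."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern[i] == "*":
            parts.append(b".*")
            i += 1
        elif pattern.startswith("%%", i):
            parts.append(re.escape(b"%"))
            i += 2
        elif pattern[i] == "%":
            end = pattern.index("%", i + 1)          # closing '%' of the escape
            body = pattern[i + 1:end]
            if not body.lower().startswith("0x"):
                raise ValueError(f"unsupported escape %{body}%")
            parts.append(re.escape(bytes.fromhex(body[2:])))
            i = end + 1
        else:
            parts.append(re.escape(pattern[i].encode("latin-1")))
            i += 1
    # DOTALL so that '*' also spans newline bytes inside binary content
    return re.compile(rb"\A" + b"".join(parts) + rb"\Z", re.DOTALL)


def evaluate(rules, default: str, data: bytes):
    """Return (rule name, action) for the first matching rule, else (None, default)."""
    for name, pattern, action in rules:
        if compile_rule(pattern).match(data):
            return name, action
    return None, default


# Response General tab, Body Content Type ruleset (default action: allow)
BODY_CONTENT_TYPE_RULES = [
    ("Windows OCX", "%0x5a4d00900003000000040000ffff0000%*", "strip"),
    ("Windows CAB", "%0x4d53434600000000%*", "strip"),
    ("Java applet", "%0xcafebabe%*", "strip"),
]

# URL Paths ruleset (default action: allow); matching here is case-sensitive (assumption)
URL_PATH_RULES = [
    ("Windows EXE", "*.exe", "deny"),
    ("Windows DLL", "*.dll", "deny"),
]

# Constructed sample bodies: each begins with the signature bytes the guide lists
OCX_BODY = bytes.fromhex("5a4d00900003000000040000ffff0000") + b"\x00" * 16
CAB_BODY = bytes.fromhex("4d53434600000000") + b"\x00" * 16
CLASS_BODY = bytes.fromhex("cafebabe00000031")
HTML_BODY = b"<html><body>hello</body></html>\n"


def check_body(data: bytes):
    return evaluate(BODY_CONTENT_TYPE_RULES, "allow", data)


def check_path(path: str):
    return evaluate(URL_PATH_RULES, "allow", path.encode("latin-1"))


if __name__ == "__main__":
    for label, body in [("OCX", OCX_BODY), ("CAB", CAB_BODY),
                        ("class", CLASS_BODY), ("html", HTML_BODY)]:
        print(label, check_body(body))
    for path in ("cgi/index.html", "downloads/setup.exe", "app/ticker.dll"):
        print(path, check_path(path))
```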
Response Headers tab
This tab allows you to configure content filtering for server-side HTTP Response Headers.
Maximum Total Length
Specifies the maximum total length of the HTTP Response Headers, in bytes. Set this to 0 to specify no limit. Some systems might be vulnerable to overflow exploits that use very large headers. If the total header size exceeds this limit, the entire HTTP Response is denied. The default value is 0 (no limit).
Maximum Line Length
This specifies the maximum allowed length of a line of characters in the HTTP Response Headers.
Some systems might be vulnerable to buffer overflows with very long lines, so you can adjust this setting according to the capabilities of your systems. The default value is 1024 bytes.
Category
This specifies the ruleset category–Header Fields, Content-Type, or Cookies.
Header Fields
This ruleset specifies rules for filtering content in HTTP Response Header Fields. The ruleset is configured to allow a number of typical Header Fields. The default rule strips all other Response Header Fields.
The allowed Header Fields are:
- Accept (RFC 2616)
- Accept-Charset (RFC 2616)
- Accept-Encoding (RFC 2616)
- Accept-Language (RFC 2616)
- Accept-Ranges (RFC 2616)
- Age (RFC 2616)
- Allow (RFC 2616)
- Alternates (RFC 2068 19.6.2.1)
- Authorization (RFC 2616)
- Cache-Control (RFC 2616)
- Connection (RFC 2616)
- Content-Base (RFC 2068 14.11)
- Content-Disposition (RFC 1806)
- Content-Encoding (RFC 2616)
- Content-Language (RFC 2616)
- Content-Length (RFC 2616)
- Content-Location (RFC 2616)
- Content-MD5 (RFC 2616)
- Content-Range (RFC 2616)
- Content-Type (RFC 2616)
- Content-Version (RFC 2068 19.6.2.2)
- Cookie (RFC 2965)
- Date (RFC 2616)
- Derived-From (RFC 2068 19.6.2.3)
- ETag (RFC 2616)
- Expires (RFC 2616)
- From (RFC 2616)
- Host (RFC 2616)
- If-Match (RFC 2616)
- If-Modified-Since (RFC 2616)
- If-None-Match (RFC 2616)
- If-Range (RFC 2616)
- If-Unmodified-Since (RFC 2616)
- Keep-Alive (RFC 2068 19.7.1.1)
- Last-Modified (RFC 2616)
- Link (RFC 1945 D.2.6)
- Location (RFC 2616)
- Mime-Version (RFC 1945 D.2.7)
- Max-Forwards (RFC 2616)
- Pragma (RFC 2616)
- Proxy-Authenticate (RFC 2616)
- Proxy-Authorization (RFC 2616)
- Proxy-Connection (undocumented; functionality is the same as Connection, but applies only to proxies. This can cause problems with proxies that do not support it.)
- Public (HTTP [1992])
- Range (RFC 2616)
- Referer (RFC 2616)
- Retry-After (RFC 2616)
- Server (RFC 2616)
- Set-Cookie (RFC 2109)
- Transfer-Encoding (RFC 2616)
- UA-CPU (non-standard header sent by Internet Explorer to specify CPU type)
- UA-Color (non-standard header sent by Internet Explorer to specify color depth)
- UA-OS (non-standard header sent by Internet Explorer to specify operating system)
- UA-Pixels (non-standard header sent by Internet Explorer to specify screen pixel size)
- URI (RFC 1945 D.2.10)
- Upgrade (RFC 2616)
- User-Agent (RFC 2616)
- Vary (RFC 2616)
- Via (RFC 2616)
- Warning (RFC 2616)
- WWW-Authenticate (RFC 2616)
Content-Types
This ruleset specifies rules for filtering Content-Type (MIME type) content in HTTP Response Headers. The ruleset is configured to allow some “safe” Content-Types, and strip MIME content that has no specified Content-Type. The default rule strips all Content-Types that do not match the listed rules.
NOTE
You might want to allow JavaScript content, depending on your organization’s needs. JavaScript is not allowed by the default rule. To allow JavaScript, create a new rule in this category, and specify an exact match for application/x-javascript. Set the rule to allow content.
WebLogic Server
This rule allows WebLogic Server content, by identifying the MIME Content-Type “application/x-WebLogic.” The rule uses an exact match for application/x-WebLogic.
Video
This rule allows all MIME video types, by identifying the MIME Content-Type “video.” The rule uses a pattern match for video/*.
Text-based
This rule allows all MIME text types, by identifying the MIME Content-Type “text.” The rule uses a pattern match for text/*.
No Content-Type present
This rule identifies responses that carry no Content-Type header. As described for this ruleset above, such content is stripped rather than allowed.
Images
This rule allows all MIME image types, by identifying the MIME Content-Type “image.” The rule uses a pattern match for image/*.
Audio
This rule allows all MIME audio types, by identifying the MIME Content-Type “audio.” The rule uses a pattern match for audio/*.
Cookies
This ruleset specifies rules for filtering Cookies in HTTP Responses. The ruleset can be configured to strip cookies, based on your network needs. The default rule allows all cookies.
When you configure a rule to strip a Cookie, use pattern matching, then type *cookiedomain.com* as the pattern to match.
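The Request Headers and Response Headers tabs above describe the same mechanism from both sides: length limits on the header block, per-field allow/strip rules, and value-level rules for Authorization schemes, Content-Types and cookies. The following added example (not WatchGuard code) puts those rulesets into one checker; rule tuples, the response allow list (a subset of the guide's list), the cookie strip rule and both sample messages are constructed assumptions.

```python
"""Apply header rulesets like those on the Request/Response Headers tabs.

Added example, not WatchGuard code. Rules are (name, match type, pattern,
action): 'exact' compares case-insensitively, 'pattern' is a glob as in the
guide's 'video/*'. Sample messages and the response allow list are constructed.
"""
import fnmatch


def rule_action(rules, default, value):
    """First matching rule wins; otherwise the ruleset's default action applies."""
    for name, kind, pattern, action in rules:
        if kind == "exact" and value.lower() == pattern.lower():
            return name, action
        if kind == "pattern" and fnmatch.fnmatchcase(value.lower(), pattern.lower()):
            return name, action
    return None, default


def check_lengths(raw: bytes, max_total: int, max_line: int):
    """Return a deny reason if the header block or any line exceeds a limit (0 = no limit)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    if max_total and len(head) > max_total:
        return f"total header length {len(head)} > {max_total}"
    longest = max(len(line) for line in head.split(b"\r\n"))
    if max_line and longest > max_line:
        return f"header line length {longest} > {max_line}"
    return None


def parse_headers(raw: bytes):
    """Return (start line, [(name, value), ...]); folded header lines are not handled."""
    start, *lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    return start, [(n.strip(), v.strip()) for n, _, v in (ln.partition(":") for ln in lines)]


def apply_rulesets(headers, field_rules, field_default, value_rules):
    """Split headers into (kept, stripped). value_rules maps a lower-cased header
    name to (rules, default, extractor) applied once the field itself is allowed."""
    kept, stripped = [], []
    for name, value in headers:
        _, action = rule_action(field_rules, field_default, name)
        if action == "allow" and name.lower() in value_rules:
            rules, default, extract = value_rules[name.lower()]
            _, action = rule_action(rules, default, extract(value))
        (kept if action == "allow" else stripped).append((name, value))
    return kept, stripped


# Request Headers tab: Header Fields (default allow) and Authorization (default strip)
REQUEST_FIELD_RULES = [(h, "exact", h, "strip") for h in ("Via", "Referer", "From")]
AUTH_RULES = [(s, "exact", s, "allow") for s in ("NTLM", "Digest", "Basic")]
REQUEST_VALUE_RULES = {"authorization": (AUTH_RULES, "strip", lambda v: v.split()[0])}

# Response Headers tab: Header Fields (default strip; subset of the guide's allow list),
# Content-Types (default strip), Cookies (default allow, plus the strip rule the guide suggests)
RESPONSE_FIELD_RULES = [(h, "exact", h, "allow") for h in (
    "Content-Type", "Content-Length", "Set-Cookie", "Server", "Date", "Cache-Control", "Location")]
CONTENT_TYPE_RULES = [
    ("WebLogic Server", "exact", "application/x-WebLogic", "allow"),
    ("Video", "pattern", "video/*", "allow"),
    ("Text-based", "pattern", "text/*", "allow"),
    ("Images", "pattern", "image/*", "allow"),
    ("Audio", "pattern", "audio/*", "allow"),
]
COOKIE_RULES = [("Ad network cookie", "pattern", "*cookiedomain.com*", "strip")]
RESPONSE_VALUE_RULES = {
    "content-type": (CONTENT_TYPE_RULES, "strip", lambda v: v.split(";")[0].strip()),
    "set-cookie": (COOKIE_RULES, "allow", lambda v: v),
}


def filter_request(raw: bytes):
    return apply_rulesets(parse_headers(raw)[1], REQUEST_FIELD_RULES, "allow", REQUEST_VALUE_RULES)


def filter_response(raw: bytes):
    return apply_rulesets(parse_headers(raw)[1], RESPONSE_FIELD_RULES, "strip", RESPONSE_VALUE_RULES)


def content_type_action(headers):
    """'No Content-Type present' rule: a response without the header is stripped."""
    for name, value in headers:
        if name.lower() == "content-type":
            return rule_action(CONTENT_TYPE_RULES, "strip", value.split(";")[0].strip())
    return "No Content-Type present", "strip"


# Constructed sample messages
SAMPLE_REQUEST = (b"GET /cgi/index.html HTTP/1.1\r\nHost: www.server.com\r\n"
                  b"Via: 1.1 proxy.example\r\nReferer: http://other.example/\r\n"
                  b"Authorization: Bearer abc\r\nAccept: */*\r\n\r\n")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
                   b"Set-Cookie: id=1; Domain=.cookiedomain.com\r\n"
                   b"Set-Cookie: sid=2; Domain=www.server.com\r\n"
                   b"X-Powered-By: Constructed/1.0\r\nContent-Length: 5\r\n\r\nhello")
```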
Deny Message tab
This tab allows you to customize a Deny Message. The Deny Message replaces content that is denied.
You can customize the Deny Message with standard HTML. The first line of the Deny Message is part of the HTTP header. There must be a blank line between the first line and the body of the message.
You can also change the character set, for non-English text, and you can call values from the proxy action to describe why content was removed.
The following values can be called from the proxy action:
%(method)%
This inserts the proxy rule that identified the content to strip.
%(reason)%
This inserts a plain text reason that the content was stripped.
%(transaction)%
This inserts transaction information for the stripped content.
%(url-host)%
This inserts the server address from which the stripped content originated.
%(url-path)%
This inserts the URL of the stripped content.
SMTP Incoming Proxy
Info tab
This tab allows you to type a name and description for the SMTP Incoming proxy action.
Name
A name for the proxy. This field is limited to 30 characters. If the name you specify is longer than 30 characters, the name is truncated to 30 characters.
Description
A description of the proxy, for your reference.
The proxy action should be used with the following services
The default service for the SMTP proxy is TCP port 25. This section is informational only. The proxy will filter all content of the specified type, regardless of the port used.
General tab
This tab allows you to specify general values for incoming SMTP content filtering.
Maximum Recipients
Specifies the maximum number of email recipients to which a message can be sent. This acts as a counter, and allows the specified number of messages through, then drops the remaining addresses. For example, if the default setting of 50 is used, and a message is addressed to 52 recipients, the first 50 addressees receive the email message, and the last two addressees are dropped.
Distribution lists that appear as a single SMTP email address (for example, [email protected]) are counted as a single address.
Maximum Message Size
Specifies the maximum size of an incoming SMTP message. Note that most email is sent as 7-bit ASCII text, with the exceptions of Binary MIME and 8bit MIME. 8-bit content (for example, MIME attachments) is encoded using standard algorithms (Base64 or quoted-printable encoding) to enable it to be sent over 7-bit email systems. These types of encoding cause an increase in size of approximately 1/3 for encoded files. Therefore, if you want to allow messages of up to 1000 bytes, you should set this field to a minimum of 1334 bytes to ensure that all mail gets through.
The default is 3,000,000 bytes (3 million bytes).
Maximum Address Length
Specifies a maximum length for addressee email addresses. Restricting email address size can prevent some buffer overflow exploits from being used. The default is 50 bytes.
Maximum Line Length
Specifies the maximum line length for lines in an SMTP message. Very long line lengths can cause overflow conditions on some mail systems. Most email clients and systems send relatively short line lengths, but some web-based email services send very long lines. The default is 1024.
Connection Idle Timeout
Specifies the amount of time an incoming SMTP connection can idle before the connection is timed out. The default is 600 seconds (10 minutes).
Address Validation (RFC-822 Compliance)
Allowable Characters: Allows you to specify all of the characters that are allowed in incoming email addresses. If there are particular characters that you do not allow, remove them from this field. All allowed 7-bit ASCII characters are listed by default.
The percentage sign (%) is listed twice (%%) to represent itself. The percentage sign is used as an escape character in the Proxy windows, to enclose hex code and high ASCII characters, but the Proxy windows read two percentage signs in a row as a single percentage sign character. The “commercial at” character (@) is not included, because this list specifies only the characters on either side of the @, as email addresses cannot be specified without it.
Allow Source-Routed Addresses: Allows source-routed addresses. This is an old UUCP convention that is not used much today, except in the proliferation of spam email. This field is disabled by default. It is recommended that you do not enable this field.
HELO/EHLO Greeting Hostname
These commands are used to identify the SMTP receiver to the SMTP server. The argument field contains the fully-qualified domain name of the SMTP host, if it is available. A Host is a computer attached to the Internet that supports the SMTP protocol.
Allowable Characters: Allows you to specify the characters that can be used in the HELO/EHLO greeting hostname. By default, this includes the 26 letters of the alphabet in upper and lower case, the numbers 0-9, the period (.) and the dash (-).
Content Checking tab
This tab allows you to specify values for Incoming SMTP content filtering.
Category
This specifies the ruleset category–Content Types or Address Patterns.
Content Types
This ruleset allows six common MIME types, and all of their subtypes. The default rule strips all other MIME types.
This ruleset does not, by default, allow any “application” or “model” MIME types. Depending on your network needs, you might want to allow certain application MIME types. To find MIME types that you might want to allow or strip, refer to the current master list of MIME types, located at http://www.iana.org/assignments/media-types/.
audio/*
This rule allows all MIME audio types, by identifying the MIME Content-Type “audio.” The rule uses a pattern match for audio/*.
image/*
This rule allows all MIME image types, by identifying the MIME Content-Type “image.” The rule uses a pattern match for image/*.
message/*
This rule allows all MIME message types, by identifying the MIME Content-Type “message.” The rule uses a pattern match for message/*.
multipart/*
This rule allows all MIME multipart types, by identifying the MIME Content-Type “multipart.” The rule uses a pattern match for multipart/*.
Note that if you do not allow multipart MIME, your users might lose a lot of messages and attachments. Multipart is used frequently to create messages that include attachments.
text/*
This rule allows all MIME text types, by identifying the MIME Content-Type “text.” The rule uses a pattern match for text/*.
video
This rule allows all MIME video types, by identifying the MIME Content-Type “video.” The rule uses a pattern match for video/*.
Attachment Filenames
This ruleset allows three common attachment filename extensions. The default rule strips all other filename content.
Word document
This rule allows attachments with the standard Microsoft Word .doc file extension. The rule uses a pattern match for *.doc.
Text file
This rule allows standard text attachments with the .txt file extension. The rule uses a pattern match for *.txt.
Excel spreadsheet
This rule allows attachments with the standard Microsoft Excel spreadsheet .xls file extension. The rule uses a pattern match for *.xls.
Address Patterns tab
This tab allows you to specify values for Incoming Address Pattern filtering.
Category
This specifies the ruleset category–Mail From or Mail To.
Mail From
This ruleset contains no listed rules from the factory. The default rule is allow. In this configuration, mail from all senders is allowed into your network.
Mail To
This ruleset contains no listed rules from the factory. The default rule is allow. In this configuration, mail addressed to any recipient is allowed into your network.
Headers tab
This tab allows you to specify values for incoming SMTP Header filtering.
Header Rules
This ruleset allows a number of SMTP Headers.
The default rule strips all other SMTP headers. As there are hundreds of possible SMTP headers, it might be useful or necessary to allow other SMTP headers in your system.
The Headers that are allowed include:
- Approved-By
- Bcc
- Cc
- Comments
- Content-Description
- Content-Disposition
- Content-ID
- Content-Language
- Content-Length
- Content-MD5
- Content-Transfer-Encoding
- Content-Type
- Date
- Encoding
- Encrypted
- From
- In-Reply-To
- Keywords
- MIME-Version
- Message-ID
- Precedence
- References
- Reply-To
- Resent-Bcc
- Resent-Cc
- Resent-Date
- Resent-From
- Resent-Message-ID
- Resent-Reply-To
- Resent-To
- Status
- Subject
- To
ESMTP tab
The ESMTP tab allows you to specify the filtering for ESMTP content. Although SMTP is widely accepted and widely used, some parts of the Internet community have found a need to extend SMTP to allow more functionality.
ESMTP provides a means for functional extensions to SMTP, and for clients who support extended features to recognize each other. For RFC documentation sources on extensions to SMTP, see “Reference Sources” on page 297.
Allow BDAT/CHUNKING
Allows BDAT and CHUNKING, if enabled on the SMTP host and client. BDAT and CHUNKING enable large messages to be sent more easily over SMTP connections (RFC 3030).
Allow Remote Message Queue Starting
Allows Remote Message Queue Starting, if enabled on the SMTP host and client. This is an extension to the SMTP service that allows an SMTP client and server to interact to start the processing of message queues for a given host (RFC 1985).
Allow 8bit-MIME
Allows 8bit-MIME, if the client and host support the extension. The 8bit-MIME extension allows a client and host to exchange messages made up of text containing octets outside of the US-ASCII octet range (hex 00-7F, or 7-bit ASCII) using SMTP (RFC 1652).
Allow Binary MIME
Allows the Binary MIME extension, if the sender and receiver support it. Binary MIME avoids the overhead of base64 and quoted-printable encoding of binary objects sent using the MIME message format over SMTP ( RFC 3030 ).
NOTE
BDAT/CHUNKING must be allowed for Binary MIME to work.
Authentication Rules
This ruleset allows a number of ESMTP
Authentication types. The default rule denies all other Authentication types.
Allowed Authentication types include:
- CRAM-MD5
- DIGEST-MD5
- GSSAPI
- LOGIN
- LOGIN (old style)
- NTLM
- PLAIN
The SMTP service extension for Authentication is described in RFC 2554 .
Masquerading tab
This tab allows you to masquerade domain names and message-IDs for incoming SMTP messages.
Masquerading domains allows you to present all email as if it originates from a single domain. Masquerading message-IDs allows you to replace the message-ID SMTP Header with new IDs.
Masquerading is generally only useful for outgoing SMTP.
Domain Name
Type a domain name here to replace the domain names for incoming messages with the specified domain. For example, if you type “watchguard.com,” then to your users it will appear that all incoming email is from senders at watchguard.com.
Masquerade Message IDs
Select this checkbox to replace the Message-ID Header field in all incoming messages. Note that this may disrupt message threading.
Deny Message tab
This tab allows you to customize a Deny Message. The Deny Message replaces inline content that is stripped.
You can customize the Deny Message with standard text.
You can also change the character set, for non-English text, and you can call values from the proxy action to describe why content was removed.
The following values can be called from the proxy action:
%(type)%
This inserts the Content-Type for the content that is stripped.
%(filename)%
This inserts the filename of the stripped content.
%(rulename)%
This inserts the name of the rule that stripped the content.
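The Content Checking, Headers and Deny Message tabs of the incoming proxy act on one MIME message: parts whose Content-Type or attachment filename fails the rulesets are replaced by the Deny Message, and headers off the allow list are dropped. The following added example (not WatchGuard code) walks a constructed multipart message and applies those rulesets; the header allow list is a subset of the guide's list, and the deny template wording and rule names are assumptions.

```python
"""Apply the Incoming SMTP proxy's Content Types, Attachment Filenames and
Header rulesets to a MIME message, replacing stripped parts with a Deny
Message built from %(type)%, %(filename)% and %(rulename)%.

Added example, not WatchGuard code. Header allow list is a subset of the
guide's; template wording, rule names and the message are constructed.
"""
import fnmatch
from email import message_from_string

CONTENT_TYPE_RULES = [(f"{t}/*", f"{t}/*") for t in
                      ("audio", "image", "message", "multipart", "text", "video")]
ATTACHMENT_RULES = [("Word document", "*.doc"), ("Text file", "*.txt"),
                    ("Excel spreadsheet", "*.xls")]
ALLOWED_HEADERS = {h.lower() for h in (
    "From", "To", "Cc", "Bcc", "Date", "Subject", "Message-ID", "In-Reply-To", "References",
    "MIME-Version", "Content-Type", "Content-Transfer-Encoding", "Content-Disposition",
    "Content-Description", "Content-ID", "Reply-To", "Precedence")}
DENY_TEMPLATE = "[Content of type %(type)% (%(filename)%) was removed by rule %(rulename)%]"


def render_deny(template: str, values: dict) -> str:
    """Substitute the %(name)% placeholders the Deny Message tab offers."""
    for key, value in values.items():
        template = template.replace(f"%({key})%", value)
    return template


def first_match(rules, value: str):
    """Name of the first glob rule matching value (case-insensitive), else None."""
    for name, pattern in rules:
        if fnmatch.fnmatchcase(value.lower(), pattern.lower()):
            return name
    return None


def filter_message(msg):
    """Apply the rulesets in place; return (message, [(rulename, type, filename), ...])."""
    for name in list(msg.keys()):
        if name.lower() not in ALLOWED_HEADERS:   # Header Rules: default strips the rest
            del msg[name]
    stripped = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype, fname = part.get_content_type(), part.get_filename() or ""
        if first_match(CONTENT_TYPE_RULES, ctype) is None:
            rule = "Content Types default (strip)"
        elif fname and first_match(ATTACHMENT_RULES, fname) is None:
            rule = "Attachment Filenames default (strip)"
        else:
            continue
        stripped.append((rule, ctype, fname))
        for header in ("Content-Disposition", "Content-Transfer-Encoding"):
            del part[header]
        part.replace_header("Content-Type", "text/plain")
        part.set_payload(render_deny(DENY_TEMPLATE,
                                     {"type": ctype, "filename": fname or "-", "rulename": rule}))
    return msg, stripped


# Constructed message: plain body, an .exe, a .txt and a .csv attachment
SAMPLE_MESSAGE = """\
From: [email protected]
To: [email protected]
Subject: Quarterly files
Date: Mon, 03 Mar 2003 10:00:00 +0000
Message-ID: <[email protected]>
X-Mailer: Constructed Mailer 1.0
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/octet-stream; name="setup.exe"
Content-Disposition: attachment; filename="setup.exe"
Content-Transfer-Encoding: base64

AAAA
--b1
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

plain notes
--b1
Content-Type: text/csv; name="data.csv"
Content-Disposition: attachment; filename="data.csv"

a,b
--b1--
"""


def run_sample():
    return filter_message(message_from_string(SAMPLE_MESSAGE))
```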
SMTP Outgoing Proxy
Info tab
This tab allows you to type a name and description for the SMTP Outgoing proxy action.
Name
A name for the proxy. This field is limited to 30 characters. If the name you specify is longer than 30 characters, the name is truncated to 30 characters.
Description
A description of the proxy, for your reference.
The proxy action should be used with the following services
The default service for the SMTP proxy is TCP port 25. This section is informational only. The proxy will filter all content of the specified type, regardless of the port used.
General tab
This tab allows you to specify general values for Incoming SMTP content filtering.
Maximum Recipients
Specifies the maximum number of email recipients to which a message can be sent. This acts as a counter, and allows the specified number through, then drops the remaining addresses. For example, if the default setting of 50 is used, and a message is addressed to 52 recipients, the message is sent to the first 50 addressees, and the last two addressees are dropped.
Distribution lists that appear as a single SMTP email address (for example, [email protected]) are counted as a single address.
Maximum Message Size
Specifies the maximum size of an outgoing SMTP message. Note that most email is sent as 7-bit ASCII text, with the exceptions of Binary MIME and 8bit MIME. 8-bit content (for example, MIME attachments) is encoded using standard algorithms (Base64 or quoted-printable encoding) to enable it to be sent over 7-bit email systems. These types of encoding cause an increase in size of approximately 1/3 for encoded files. Therefore, if you want to allow messages of up to 1000 bytes, you should set this field to a minimum of 1334 bytes to ensure that all mail gets through.
The default is 3000000 bytes (3 million bytes).
Maximum Address Length
Specifies a maximum length for addressee email addresses. Restricting email address size can prevent some buffer overflow exploits from being used. The default is 50 bytes.
Maximum Line Length
Specifies the maximum line length for lines in an SMTP message. Very long line lengths can cause overflow conditions on some mail systems. Most email clients and systems send relatively short line lengths, but some web-based email services send very long lines. The default is 1024.
Connection Idle Timeout
Specifies the amount of time an outgoing SMTP connection can idle before the connection is timed out. The default is 600 seconds (10 minutes).
Address Validation (RFC-822 Compliance)
Allowable Characters: Allows you to specify all of the characters that are allowed in outgoing email addresses. If there are particular characters that you do not allow, remove them from this field. All allowed 7-bit ASCII characters are listed by default.
The percentage sign (%) is listed twice (%%) to represent itself. The percentage sign is used as an escape character in the Proxy windows, to enclose hex code and high ASCII characters, but the Proxy windows read two percentage signs in a row as a single percentage sign character. The “commercial at” character (@) is not included, because this list specifies only the characters on either side of the @, as email addresses cannot be specified without it.
Allow Source-Routed Addresses: Allows source-routed addresses. This is an old UUCP convention that is not used much today, except in the proliferation of spam email. This field is disabled by default. It is not recommended that you enable this field.
HELO/EHLO Greeting Hostname
These commands are used to identify the SMTP senders to the SMTP host. The argument field contains the fully-qualified domain name of the SMTP host, if it is available. A Host is a computer attached to the Internet that supports the SMTP protocol.
Allowable Characters: Allows you to specify the characters that can be used in the HELO/EHLO Greeting hostname. By default, this includes the 26 letters of the alphabet in upper and lower case, the numbers 0-9, the period (.) and the dash (-).
Content Checking tab
This tab allows you to specify values for Incoming SMTP content filtering.
Category
This specifies the ruleset category–Content Types or Address Patterns.
Content Types
This ruleset does not include any factory-defined rules. The default rule is set to allow.
Attachment Filenames
This ruleset does not include any factory-defined rules. The default rule is set to allow.
Address Patterns tab
This tab allows you to specify values for Incoming Address Pattern filtering.
Category
This specifies the ruleset category–Mail From or Mail To.
Mail From
This ruleset contains no listed rules from the factory. The default rule is allow. In this configuration, mail from all senders is allowed out of your network.
Mail To
This ruleset contains no listed rules from the factory. The default rule is allow. In this configuration, mail addressed to any recipient is allowed to leave your network.
Headers tab
This tab allows you to specify values for outgoing SMTP Header filtering.
Header Rules
This ruleset includes no factory-defined rules. The default rule allows all SMTP headers.
ESMTP tab
The ESMTP tab allows you to specify the filtering for ESMTP content. Although SMTP is widely accepted and widely used, some parts of the Internet community have found a need to extend SMTP to allow more functionality.
ESMTP provides a means for functional extensions to SMTP, and for clients who support extended features to recognize each other. For RFC documentation sources on extensions to SMTP, see “Reference Sources” on page 297.
Allow BDAT/CHUNKING
Allows BDAT and CHUNKING, if enabled on the SMTP host and receiver. BDAT and CHUNKING enable large messages to be sent more easily over SMTP connections (RFC 3030).
Allow Remote Message Queue Starting
Allows Remote Message Queue Starting, if enabled on the SMTP host and receiver. This is an extension to the SMTP service that allows an SMTP client and server to interact to start the processing of message queues for a given host (RFC 1985).
Allow 8bit-MIME
Allows 8bit-MIME, if the receiver and host support the extension. The 8bit-MIME extension allows a sender and receiver to exchange messages made up of text containing octets outside of the US-ASCII octet range (hex 00-7F, or 7-bit ASCII) using SMTP (RFC 1652).
Allow Binary MIME
Allows the Binary MIME extension, if the sender and receiver support it. Binary MIME avoids the overhead of base64 and quoted-printable encoding of binary objects sent using the MIME message format over SMTP (RFC 3030).
NOTE
BDAT/CHUNKING must be allowed for Binary MIME to work.
Authentication Rules
This ruleset allows a number of ESMTP Authentication types. The default rule denies all other Authentication types.
Allowed Authentication types include:
- CRAM-MD5
- DIGEST-MD5
- GSSAPI
- LOGIN
- LOGIN (old style)
- NTLM
- PLAIN
The SMTP service extension for Authentication is described in RFC 2554.
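The ESMTP tab and its Authentication Rules amount to a policy applied to the server's EHLO reply: the proxy lets the client see only the extensions and AUTH mechanisms the policy allows. The following is an added example of that filtering, not code from this guide or from WatchGuard. The policy keys, the sample EHLO reply and the treatment of the nonstandard "AUTH=LOGIN" advertisement as the tab's "LOGIN (old style)" entry are this example's own assumptions.

```python
"""ESMTP extension and AUTH filtering, modelled on the ESMTP tab (added example).

A proxy between client and server rewrites the server's EHLO reply (RFC 1869)
so the client only sees extensions the policy allows. Policy keys, rule
names and the sample reply are this example's own, not the appliance's.
"""
import re

# Mirrors the tab's checkboxes and Authentication Rules; names are this example's.
DEFAULT_POLICY = {
    "allow_chunking": True,          # BDAT/CHUNKING, RFC 3030
    "allow_etrn": False,             # Remote Message Queue Starting, RFC 1985
    "allow_8bitmime": True,          # RFC 1652
    "allow_binarymime": True,        # RFC 3030; only usable over BDAT
    "allow_old_style_login": False,  # nonstandard "AUTH=LOGIN" line (assumed to be "LOGIN (old style)")
    "allowed_auth": {"CRAM-MD5", "DIGEST-MD5", "GSSAPI", "LOGIN", "NTLM", "PLAIN"},
}

KEYWORD_POLICY = {
    "CHUNKING": "allow_chunking",
    "ETRN": "allow_etrn",
    "8BITMIME": "allow_8bitmime",
}

# Constructed server reply; the final line uses "250 " (space) per RFC 1869.
SAMPLE_EHLO_REPLY = "\r\n".join([
    "250-mail.example.com Hello client.example.net",
    "250-SIZE 10485760",
    "250-8BITMIME",
    "250-CHUNKING",
    "250-BINARYMIME",
    "250-ETRN",
    "250-AUTH PLAIN LOGIN CRAM-MD5 ANONYMOUS",
    "250-AUTH=LOGIN",
    "250 HELP",
])


def parse_ehlo_reply(reply):
    """Return the text after the '250-'/'250 ' prefix of each line; reject anything else."""
    lines = []
    for raw in reply.splitlines():
        m = re.match(r"^250[ -](.*)$", raw)
        if not m:
            raise ValueError("not an EHLO 250 line: %r" % raw)
        lines.append(m.group(1))
    if not lines:
        raise ValueError("empty EHLO reply")
    return lines


def filter_ehlo_reply(reply, policy=DEFAULT_POLICY):
    """Rewrite the EHLO reply so only policy-allowed extensions and AUTH mechanisms remain."""
    greeting, *ehlo_lines = parse_ehlo_reply(reply)
    # Binary MIME bodies can only be sent with BDAT, so denying CHUNKING also removes BINARYMIME.
    binary_ok = policy["allow_binarymime"] and policy["allow_chunking"]
    kept = []
    for line in ehlo_lines:
        upper = line.upper()
        if upper.startswith("AUTH="):
            if policy["allow_old_style_login"] and upper == "AUTH=LOGIN":
                kept.append(line)
            continue
        keyword, _, params = upper.partition(" ")
        if keyword == "AUTH":
            # Advertise only the mechanisms in the allow-list; drop the line if none survive
            # (the default rule denies every other mechanism).
            mechs = [m for m in params.split() if m in policy["allowed_auth"]]
            if mechs:
                kept.append("AUTH " + " ".join(mechs))
            continue
        if keyword == "BINARYMIME":
            if binary_ok:
                kept.append(line)
            continue
        key = KEYWORD_POLICY.get(keyword)
        if key is None or policy[key]:
            kept.append(line)
    out = [greeting] + kept
    return "\r\n".join(["250-" + l for l in out[:-1]] + ["250 " + out[-1]])
```

Run `filter_ehlo_reply(SAMPLE_EHLO_REPLY)` to see the ETRN line, the ANONYMOUS mechanism and the old-style AUTH=LOGIN line disappear; set `allow_chunking` to False and BINARYMIME disappears with CHUNKING, which is the dependency the note above states.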
Masquerading tab
This tab allows you to masquerade domain names and message-IDs for outgoing SMTP messages. Masquerading domains allows you to present all email as if it originates from a single domain. Masquerading message-IDs allows you to replace the Message-ID SMTP header with new IDs.
Domain Name
Type a domain name here to replace the domain names for outgoing messages with the specified domain. For example, if you type “watchguard.com,” then all messages originating from your network will appear to originate from “username@watchguard.com.”
Masquerade Message IDs
Select this checkbox to replace the Message-ID header field in all outgoing messages. Note that this may disrupt message threading.
Deny Message tab
This tab allows you to customize a Deny Message. The Deny Message replaces messages that are denied.
You can customize the Deny Message with standard text.
You can also change the character set, for non-English text, and you can call values from the proxy action to describe why content was removed.
The following values can be called from the proxy action:
%(type)%
This inserts the Content-Type for the content that is stripped.
%(filename)%
This inserts the filename of the stripped content.
%(rulename)%
This inserts the name of the rule that stripped the content.
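The rulesets on the Content Checking and Address Patterns tabs share one shape: an ordered list of rules, a default rule (allow from the factory), and a Deny Message rendered with the %(type)%, %(filename)% and %(rulename)% values when a rule denies content. The following added example, not code from this guide or from WatchGuard, models that evaluation; the rule names, glob patterns, message template and sample message parts are constructed for the example.

```python
"""Content and address rulesets with the Deny Message substitution (added example).

Models a ruleset as an ordered list of (rule name, glob pattern, action) with
a default action, as the Content Types, Attachment Filenames, Mail From and
Mail To tabs describe, and renders the Deny Message with the %(type)%,
%(filename)% and %(rulename)% values. Rule names, patterns, the message
template and the sample message parts are this example's own.
"""
import fnmatch
import re

ALLOW, DENY = "allow", "deny"


class Ruleset:
    """First matching rule wins; no match falls through to the default rule."""

    def __init__(self, default=ALLOW, rules=()):
        self.default = default
        self.rules = list(rules)  # (rulename, glob pattern, action)

    def match(self, value):
        value = (value or "").lower()
        for name, pattern, action in self.rules:
            if fnmatch.fnmatchcase(value, pattern.lower()):
                return name, action
        return "default", self.default


# Factory state is "no rules, default allow"; these rules are constructed for the example.
CONTENT_RULES = Ruleset(rules=[("block-msdownload", "application/x-msdownload", DENY)])
FILENAME_RULES = Ruleset(rules=[("block-executables", "*.exe", DENY),
                                ("block-executables", "*.scr", DENY)])
MAIL_FROM_RULES = Ruleset(rules=[("block-spam-domain", "*@spam.example", DENY)])
MAIL_TO_RULES = Ruleset()  # factory default: every recipient allowed

DENY_MESSAGE = (
    "This attachment was removed by the mail proxy.\n"
    "Content-Type: %(type)%\n"
    "Filename: %(filename)%\n"
    "Rule: %(rulename)%\n"
)


def render_deny_message(template, values):
    """Substitute %(name)% tokens; unknown tokens are left verbatim rather than raising."""
    return re.sub(r"%\((\w+)\)%", lambda m: str(values.get(m.group(1), m.group(0))), template)


def inspect_part(content_type, filename, content_rules=CONTENT_RULES, filename_rules=FILENAME_RULES):
    """Check one MIME part against both rulesets; return (action, replacement text or None)."""
    for value, ruleset in ((content_type, content_rules), (filename, filename_rules)):
        rulename, action = ruleset.match(value)
        if action == DENY:
            text = render_deny_message(
                DENY_MESSAGE,
                {"type": content_type, "filename": filename or "", "rulename": rulename})
            return DENY, text
    return ALLOW, None


def check_envelope(mail_from, rcpt_to, from_rules=MAIL_FROM_RULES, to_rules=MAIL_TO_RULES):
    """Apply the Mail From and Mail To rulesets; return (action, rulename)."""
    for value, ruleset in ((mail_from, from_rules), (rcpt_to, to_rules)):
        rulename, action = ruleset.match(value)
        if action == DENY:
            return DENY, rulename
    return ALLOW, "default"
```

Matching is case-insensitive because attachment names arrive in whatever case the sender's mail client used; `setup.EXE` must hit the same rule as `setup.exe`. A ruleset with no rules behaves exactly as the factory default described above: everything falls through to the default action.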
Reference Sources
Throughout this Reference, material is adapted from, and linked to, information from Internet standards bodies, relevant corporations and groups.
In all possible cases, the most recent available definition for a parameter is used.
Reference sources include:
• HTTP: a Protocol for Networked Information [1992] http://www.w3.org/Protocols/HTTP/HTTP2.html
• RFC 822, Standard for the Format of ARPA Internet Text Messages http://www.ietf.org/rfc/rfc0822.txt
• RFC 1652, SMTP Service Extension for 8bit-MIMEtransport http://www.ietf.org/rfc/rfc1652.txt
• RFC 1806, Communicating Presentation Information in Internet Messages: The Content-Disposition Header http://www.ietf.org/rfc/rfc1806.txt
• RFC 1869, SMTP Service Extensions http://www.ietf.org/rfc/rfc1869.txt
• RFC 1945, Hypertext Transfer Protocol -- HTTP/1.0 http://www.w3.org/Protocols/rfc1945/rfc1945.txt
• RFC 1985, SMTP Service Extension for Remote Message Queue Starting http://www.ietf.org/rfc/rfc1985.txt
• RFC 2068, Hypertext Transfer Protocol -- HTTP/1.1 [January 1997] http://www.w3.org/Protocols/rfc2068/rfc2068.txt
• RFC 2518, HTTP Extensions for Distributed Authoring -- WEBDAV http://www.ietf.org/rfc/rfc2518.txt
• RFC 2554, SMTP Service Extension for Authentication http://www.ietf.org/rfc/rfc2554.txt
• RFC 2616, Hypertext Transfer Protocol -- HTTP/1.1 [June 1999] http://www.w3.org/Protocols/rfc2616/rfc2616.html
• RFC 2821, Simple Mail Transfer Protocol [April 2001] http://www.ietf.org/rfc/rfc2821.txt
• RFC 2965, HTTP State Management Mechanism (also RFC 2109) http://www.ietf.org/rfc/rfc2965.txt
• RFC 3030, SMTP Service Extensions for Transmission of Large and Binary MIME Messages http://www.ietf.org/rfc/rfc3030.txt
• RFC 3253, Versioning Extensions to WebDAV (Web Distributed Authoring and Versioning) http://www.ietf.org/rfc/rfc3253.txt
• MIME Media Types http://www.iana.org/assignments/media-types/
CHAPTER 11
Using Virtual Private
Networks (VPN)
The Internet is a technical and social development that puts a vast quantity of information at your fingertips.
The benefits of using the Internet to exchange information and conduct business are enormous. Unfortunately, so are the risks. Because data packets traveling the Internet are transported in plain text, anyone can potentially read them and place the security of your network in jeopardy.
Virtual private networking technology counters this threat by using the Internet’s vast capabilities while reducing its security risk. A virtual private network (VPN) allows communication to flow across the Internet between two networks or between a host and a network in a secure manner.
The networks and hosts at the endpoints of a VPN are typically corporate headquarters, branch offices, remote users, telecommuters, and traveling employees. User authentication verifies the identity of both the sender and the receiver. Data sent by way of the Internet is encrypted so that only the sender and the receiver of the message can see it in a clearly readable state.
For more information on VPN technology, see the online support resources at http://support.watchguard.com. The main page contains links to basic FAQs, advanced FAQs, and the WatchGuard User’s Forum.
Tunneling Protocols
Tunneling, the foundation of VPN implementations, is the transmission of private data through a public network, generally the Internet. Tunneling involves encrypting and encapsulating data and protocol information within IP packets. The “tunnel” is the path that the IP packets travel over the Internet. A tunnel is also defined by its start and end points, the type of authentication and encryption used, and the users allowed to use it. Tunneling protocols provide the infrastructure of virtual private networking. These protocols govern how data transmission occurs. The tunneling protocol used with the Firebox Vclass appliances is Internet Protocol Security (IPSec).
IPSec
The Internet Engineering Task Force (IETF) developed the IPSec protocol suite as a security mechanism to ensure the confidentiality and authenticity of IP packets. IPSec is based on modern cryptographic technologies, providing strong data authentication and privacy. IPSec makes secure communication possible over the Internet, and IPSec standards allow interoperability between VPN solutions.
A major benefit of IPSec is its interoperability. Instead of specifying a proprietary method for performing authentication and encryption, it works with many systems and standards.
IPSec includes two protocols that address data integrity and confidentiality when securing data across the Internet. The AH (Authentication Header) protocol provides data integrity and origin authentication but no encryption; the ESP (Encapsulating Security Payload) protocol provides both data integrity and confidentiality.
Authentication
An important aspect of security for a VPN is confirming the identity of all communicating parties. Two ways of ensuring identity are password authentication (also called shared secrets) and digital certificates. A shared secret is a password that is the same on both ends of a given tunnel. The shared secret authenticates the key exchange between the gateways; the session keys that encrypt the data are derived from that exchange, so the gateways can encrypt and decrypt the data correctly only if they hold the same secret. Digital certificates use public-key cryptography to provide identification and authentication of end gateways.
In addition to identifying the user, authentication also defines the resources a user can access. A user must present specified credentials before they can access certain network locations.
Authentication can either take place through a firewall or through an external authentication server such as Remote Authentication Dial-In User Service (RADIUS). An authentication server is a trusted third party that provides authentication services to other systems on a network.
Internet Key Exchange (IKE)
As the number of VPN tunnels between WatchGuard appliances and other IPSec-compliant devices grows, maintaining the large number of session keys used by tunnels becomes a challenge. Keys must also change frequently to ensure the security of each VPN connection.
Internet Key Exchange (IKE), the key management protocol used with IPSec, automates the process of negotiating and changing keys. IKE implements a security protocol called Internet Security Association and Key Management Protocol (ISAKMP), which uses a two-phase process for establishing an IPSec tunnel. During Phase 1, two gateways establish a secure, authenticated channel for communication. Phase 2 involves an exchange of keys to determine how the data between the two will be encrypted.
Diffie-Hellman is an algorithm used in IKE to negotiate keys required for data encryption. Diffie-Hellman groups are collections of parameters used to achieve the negotiation. These groups allow two peer systems that have no prior knowledge of one another to publicly exchange and agree on a shared secret key. Group 1 is a 768-bit prime modulus group, and group 2 is a 1024-bit prime modulus group. The difference is in the number of bits used for exponentiation to generate private and public keys. Group 2 is more secure than group 1, but requires more time to compute the keys.
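The exchange described above, worked through with the actual group 1 and group 2 parameters, as an added example that is not code from this guide or from WatchGuard. The primes and the generator 2 are the Oakley groups defined in RFC 2409 section 6 (the same groups the DH Group drop-down offers for IKE transforms and for Perfect Forward Secrecy later in this chapter); the exponent size, the checks on the peer's public value and the primality sanity test are this example's own choices.

```python
"""Diffie-Hellman over IKE MODP groups 1 (768-bit) and 2 (1024-bit) (added example).

Two gateways each keep a private exponent, exchange public values and
derive the same shared secret. The primes and generator are the Oakley
groups from RFC 2409 section 6; the exponent size, the peer-value checks
and the Miller-Rabin sanity test are this example's own.
"""
import hashlib
import secrets

GENERATOR = 2

_GROUP1_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF
"""
_GROUP2_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
"""
MODP_GROUPS = {1: int("".join(_GROUP1_HEX.split()), 16), 2: int("".join(_GROUP2_HEX.split()), 16)}


def is_probable_prime(n, rounds=12):
    """Miller-Rabin with random bases; used to sanity-check that p and (p-1)/2 are prime."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_keypair(group, exponent_bits=256):
    """Return (private exponent, public value). The private exponent never leaves this host."""
    p = MODP_GROUPS[group]
    x = secrets.randbits(exponent_bits) | (1 << (exponent_bits - 1))
    return x, pow(GENERATOR, x, p)


def shared_secret(group, private, peer_public):
    """Derive the shared secret, rejecting peer values outside the order-q subgroup.

    Both groups are safe primes (p = 2q + 1) with p = 7 mod 8, so 2 generates the
    subgroup of order q; an honest public value satisfies y^q = 1 mod p.
    """
    p = MODP_GROUPS[group]
    q = (p - 1) // 2
    if not 2 <= peer_public <= p - 2:
        raise ValueError("peer public value out of range")
    if pow(peer_public, q, p) != 1:
        raise ValueError("peer public value not in the prime-order subgroup")
    z = pow(peer_public, private, p)
    return z.to_bytes((p.bit_length() + 7) // 8, "big")


def demo(group):
    """Run one exchange and return a digest of the agreed secret (IKE hashes it into SKEYID)."""
    xa, ya = generate_keypair(group)
    xb, yb = generate_keypair(group)
    za, zb = shared_secret(group, xa, yb), shared_secret(group, xb, ya)
    if za != zb:
        raise RuntimeError("key agreement failed")
    return hashlib.sha1(za).hexdigest()
```

The check on the peer's public value is what keeps a malicious peer from sending 1 or p-1 and forcing the shared secret into a tiny set; it costs one extra modular exponentiation per exchange. Timing `demo(1)` against `demo(2)` shows the group 2 cost the text mentions: the exponentiations are over a modulus a third larger.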
NAT Traversal (UDP Encapsulation)
A problem occurs when IPSec-encrypted packets cross NAT devices. The IPSec Authentication Header (AH) protects the entire IP packet, including the IP header, from modification. NAT modifies the IP header, so the AH integrity check fails at the receiver, an inherent incompatibility. The IPSec Encapsulating Security Payload (ESP) encrypts the transport-layer header along with the payload, so a NAT device that must rewrite TCP and UDP ports cannot see or modify them, and the ESP packet itself carries no port fields for the NAT device to track. NAT is therefore incompatible with ESP as well.
The solution for this problem is UDP encapsulation, or NAT traversal. UDP encapsulation wraps an IPSec packet inside a UDP/IP header. This allows NAT to function, without modifying the encapsulated IPSec packet.
Figure 12: UDP Encapsulation. Packet layout, left to right: original IP header | UDP header | zero pad | ESP header | TCP/UDP header and original payload | ESP trailer | ESP authentication data. Encrypted: the original TCP/UDP header, payload and ESP trailer. Authenticated: the ESP header through the ESP trailer, covered by the ESP authentication data.
Encapsulation requires “decapsulation.” ESP-wrapped packets are exchanged between IKE peers: gateway-to-gateway, client-to-gateway, and client-to-client. Peers must support the same method of UDP ESP encapsulation.
NAT traversal is enabled per IKE policy. It is not a global setting. If NAT traversal is enabled for an IKE policy, and an IKE peer has NAT traversal capability but the peer’s policy has not enabled NAT traversal, Vclass will not perform NAT traversal negotiation with the remote peer.
After the tunnel is established, IKE sends a keep-alive message to the remote peer at a fixed interval. The default interval is 20 seconds, but this value can be changed.
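Because ESP, IKE and keep-alives all arrive on the same UDP port once NAT traversal is in use, the receiver has to tell them apart before decapsulating. The following added example (not code from this guide or from WatchGuard) does that classification for constructed packets. Its assumptions go beyond what the guide states: the zero pad in Figure 12 is taken to be the 8-byte all-zero "Non-IKE marker" of the early NAT-T drafts; RFC 3948, the final standard, instead places ESP directly after the UDP header and prefixes IKE with a 4-byte all-zero "Non-ESP marker"; a NAT-T keep-alive is a single 0xFF byte; and 4500 is the IANA ipsec-nat-t port. The code handles both marker conventions, which is also why the guide requires both peers to use the same method.

```python
"""Demultiplexing UDP-encapsulated IPsec on the NAT-T port (added example).

Figure 12 shows a UDP header, a zero pad and then the ESP header. This code
takes a UDP datagram and classifies its payload into the kinds of traffic that
share the NAT-T port: ESP, IKE and keep-alives. Assumptions, not from the
guide: the zero pad is the 8-byte all-zero "Non-IKE marker" of the early
NAT-T drafts; RFC 3948 instead places ESP directly after the UDP header and
prefixes IKE with a 4-byte all-zero "Non-ESP marker"; a NAT-T keep-alive is a
one-byte 0xFF payload; 4500 is the IANA port. All packets are constructed.
"""
import struct

NAT_T_PORT = 4500
NON_IKE_MARKER = b"\x00" * 8   # early drafts: precedes ESP
NON_ESP_MARKER = b"\x00" * 4   # RFC 3948: precedes IKE
ISAKMP_HDR = "!8s8sBBBBII"     # RFC 2408: cookies, next payload, version, exchange, flags, msg id, length
EXCHANGE_TYPES = {2: "main", 4: "aggressive", 5: "informational", 32: "quick"}


def build_udp(sport, dport, payload):
    """UDP header with a zero checksum (the checksum is optional for UDP over IPv4)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_esp(spi, seq, body=b""):
    """ESP header (SPI, sequence number) followed by the encrypted body."""
    return struct.pack("!II", spi, seq) + body


def build_ike_header(icookie, rcookie, exchange_type, body=b""):
    """ISAKMP header for a constructed IKE message (version 1.0, no flags)."""
    return struct.pack(ISAKMP_HDR, icookie, rcookie, 0, 0x10, exchange_type, 0, 0, 28 + len(body)) + body


def parse_udp(datagram):
    """Return (src port, dst port, payload); the length field must cover the whole datagram."""
    if len(datagram) < 8:
        raise ValueError("short UDP datagram")
    sport, dport, length, _checksum = struct.unpack("!HHHH", datagram[:8])
    if length != len(datagram):
        raise ValueError("UDP length field does not match datagram size")
    return sport, dport, datagram[8:]


def classify_nat_t_payload(payload):
    """Classify a UDP payload received on port 4500.

    Returns (kind, info); kind is 'keepalive', 'esp-draft', 'ike', 'esp' or 'invalid'.
    A draft-style IKE packet carries no marker and would be mistaken here for RFC 3948
    ESP, which is why both peers must agree on one encapsulation method.
    """
    if payload == b"\xff":
        return "keepalive", {}
    if len(payload) >= 16 and payload[:8] == NON_IKE_MARKER:
        spi, seq = struct.unpack("!II", payload[8:16])
        return "esp-draft", {"spi": spi, "seq": seq, "esp": payload[8:]}
    if len(payload) >= 32 and payload[:4] == NON_ESP_MARKER:
        icookie, rcookie, _next, version, etype, flags, msg_id, length = struct.unpack(
            ISAKMP_HDR, payload[4:32])
        if length != len(payload) - 4:
            return "invalid", {"reason": "ISAKMP length mismatch"}
        return "ike", {"initiator_cookie": icookie, "responder_cookie": rcookie, "version": version,
                       "exchange": EXCHANGE_TYPES.get(etype, etype), "flags": flags, "message_id": msg_id}
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        if spi == 0:
            # SPI 0 is reserved precisely so an all-zero marker can never be a valid ESP header.
            return "invalid", {"reason": "ESP SPI 0"}
        return "esp", {"spi": spi, "seq": seq, "esp": payload}
    return "invalid", {"reason": "too short"}


def classify_datagram(datagram):
    """Parse the UDP header, then classify the payload if it is destined for the NAT-T port."""
    _sport, dport, payload = parse_udp(datagram)
    if dport != NAT_T_PORT:
        return "not-nat-t", {"dport": dport}
    return classify_nat_t_payload(payload)
```

The exchange-type field in the IKE branch distinguishes the Main and Aggressive modes chosen in an IKE action, so the same classifier can feed a log line that says which mode a peer attempted.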
Firebox Vclass appliance VPN Solutions
The WatchGuard Firebox System offers several methods to provide secure tunnels:
• Mobile User VPN (Remote User VPN)
• VPN to other IPSec compliant devices
Mobile User VPN
Mobile User VPN (MUVPN) requires configuration of both the Firebox Vclass appliance and the remote client computers. However, the Firebox Vclass administrator has considerable control over the client configuration. MUVPN users authenticate either to the Firebox Vclass appliance or to a RADIUS authentication server. Authentication takes place either by using shared keys or certificates.
The complete procedure for using MUVPN is documented in the Vclass Mobile User VPN Administration Guide and the operating system-specific MUVPN end-user brochures. For information on configuring the Firebox Vclass appliance to use MUVPN, see Chapter 13, “Creating a Remote User
VPN to other IPSec compliant devices
This method uses IPSec to establish encrypted tunnels between a Firebox Vclass appliance and any other IPSec-compliant security device, regardless of brand, that may be in service protecting branch office, trading partner, or supplier locations. VPN with IPSec is available with the WatchGuard medium encryption version at DES (56-bit) strength, and with the WatchGuard strong encryption versions at both DES (56-bit) and Triple DES (168-bit) strengths.
A main advantage of VPN with IPSec is that you can order and prioritize routing policies to specify which VPN tunnel to use for certain traffic. For example, you can use DES encryption for VPN traffic originating from your sales team, and the stronger Triple DES encryption for all data transmitted from your finance department.
About VPN Policies
To establish VPN connections between your present site and other remote sites, you must create and apply VPN policies. These policies specify the required levels of authentication and encryption to protect the data.
VPN policies and IPSec actions
A VPN security policy always includes an IPSec action, regardless of whether you are creating a manual key or automatic key policy. The IPSec action determines what type of authentication and encryption is used to protect traffic governed by this policy. VPN policies can incorporate different kinds of keys (manual or automatic) and different types of encryption and authentication algorithms to be applied to the data stream. If a VPN policy has no IPSec action, the data will be sent as clear text.
Three major qualifications are established in an IPSec action:
Mode
Tunnel mode is used when Firebox Vclass appliances act as security gateways on both ends or when a remote Firebox Vclass VPN client connects to a Firebox Vclass security appliance. Data packets are encrypted and sent from one appliance to the other, where decryption takes place and the data is forwarded to its final destination. You must specify the IP address of each tunnel peer.
Transport mode is usually applied in end-to-end secured communications.
Key Management
This specifies whether the key is created automatically or manually. Automatic key management is done in accordance with IKE, an IETF standard protocol. Using IKE, encryption keys are automatically negotiated and selected by two connected security appliances. This provides the easiest, most efficient way to manage keys.
Encryption/authentication
Two principal types of security protocols protect data packets in Internet communications. The AH (Authentication Header) protocol is applied to IP packets for authentication, while ESP (Encapsulating Security Payload) can be applied to IP packets for both encryption and authentication.
Using Authentication and Encryption
The Firebox Vclass security appliance supports the following algorithms:
Authentication Header (AH)
MD5, SHA
Encapsulating Security Payload (ESP)
DES, 3DES
When a manual key is configured in an IPSec action, the authentication and encryption algorithms must be selected explicitly, and the keys themselves are created by the administrator. Using an automatic key provides more flexibility regarding which authentication methods and encryption algorithms are used.
This flexibility is expressed in the form of proposals incorporated into the IPSec action. For example, one proposal may use ESP with 3DES for encryption and SHA for authentication. A second proposal may use ESP with DES for encryption and AH with MD5 for authentication. When a Firebox Vclass appliance negotiates with another appliance to select an automatic key, the initiating appliance sends a list of proposals to the other appliance, starting a negotiation process at the end of which a protocol and algorithm are chosen and used.
NOTE
You must activate your LiveSecurity Service to enable 3DES encryption. To activate your LiveSecurity Service, go to: http://www.watchguard.com/activate
For more information on LiveSecurity Service, see “Service and Support” on page 9.
Defining an IKE Policy
To define an IKE policy:
1 From the main Vcontroller window, click IKE Policy .
The IKE Policy dialog box appears.
2 Select an entry point from the list of policies and then click Insert .
The Insert IKE Policy dialog box appears.
3 In the Name and Description fields, type a name and brief description for the IKE policy. The Description is optional.
4 Select a preconfigured address group from the Peer Address Group drop-down list or click New to create a new address group.
For information on creating an address group, see “Defining an address group” on page 180.
5 Select a preconfigured IKE Action from the dropdown list, or click New to create a new IKE action.
For information on creating an IKE action, see “Defining an IKE action” on page 310.
6 From the Peer Authentication ID field, select one of the following options:
Address Group
Select the address group of the remote gateway from the drop-down list, or click New to create a new address group. For information on creating an address group, see “Defining an address group” on page 180.
Domain Name
Type the domain name of the remote gateway.
User Domain Name
Type the user domain name of the remote gateway.
X.500 Name
Type the X.500 certificate name used by the remote gateway.
Any
This allows any remote gateway to initiate the IKE policy. No peer ID is verified, so authentication of the peer rests entirely on the pre-shared key or certificate.
7 If you previously selected an IKE action that incorporates RSA or DSA as the authentication type, the Local Certificates options and the RSA or DSA drop-down lists become active. From the drop-down list, select the appropriate certificate.
8 Select the Local ID Type from the drop-down list.
Choose a Local ID type that the peer system can validate against the copy of your certificate sent to it and against the settings in its own policy.
9 If you previously selected an IKE action that incorporates the pre-shared key authentication type, the Pre-Shared Key options become active.
NOTE
This key will be shared among all participating peer IKE systems. If a remote peer does not use the same key, or if a different authentication is used, negotiations will fail.
10 Click either String or Hex , and then type and confirm the key in the fields.
The key can consist of any combination of letters and numbers, but it cannot contain blank spaces.
11 Click Done .
Defining an IKE action
Your choice of IKE action defines how IKE peers authenticate each other and which encryption method is used to protect the negotiation process.
1 Click New .
The New IKE Action dialog box appears.
2 In the Name and Description fields, type a name and brief description for the IKE action.
The Description field is optional.
3 From the Mode drop-down list, select one of these options:
Main
A slower mode that provides greater security, because the peer identities are exchanged only after the negotiation channel is encrypted. This is the recommended mode.
Aggressive
A faster, less secure mode: the identities and the authentication hash are sent before the channel is protected. If you choose this mode, you can include only one IKE transform.
4 Select the Enable NAT Traversal checkbox. NAT Traversal is enabled by default.
For more information, see “NAT Traversal (UDP Encapsulation)” on page 303.
5 If you want to change the NAT Traversal keep-alive time, click Advanced .
The NAT Traversal Advanced Settings dialog box appears.
6 In the Keep-Alive message field, type the number of seconds between keep-alive messages.
7 If you selected Main from the Mode drop-down list, you can select the Enable Extended User Authentication checkbox.
8 Select an IKE transform from the list or click New to create a new IKE transform.
The New IKE Transform dialog box appears.
9 From the Authentication Type drop-down list, select the Authentication Type.
10 From the DH Group drop-down list, select a DH group type.
DH (Diffie-Hellman) groups enable two peer systems to publicly exchange and agree on a shared secret key. The numbers available on the drop-down list (768 and 1024) are the number of bits in the prime modulus used for exponentiation to generate private and public keys. The larger the number, the greater the protection.
11 From the Encryption Algorithm drop-down list, select an encryption algorithm.
12 From the Hash Algorithm drop-down list, select a hash algorithm.
13 In the Lifetimes field, type the number of hours or minutes that the transform will remain active.
14 From the Lifetime drop-down list, select Hours or Minutes.
15 In the Life Length field, type the maximum size in kilobytes.
This field is optional.
16 Click Done .
The transform is added to the IKE transforms list .
17 Repeat this process to add any other transforms.
Aggressive mode permits only a single transform.
18 When all the required transforms are listed, you can shuffle the order, if necessary, by selecting a transform and clicking the Up or Down arrows to the left of the list.
The order in which transforms are listed establishes the preference order of all listed transforms during phase one negotiations.
19 Click Done .
Defining a VPN Security Policy
This section provides information on defining a VPN security policy that creates a VPN connection between two Firebox Vclass appliances.
NOTE
If you want to permit connections that exchange traffic in both directions, you must create a single bidirectional VPN policy. You cannot create two mirroring unidirectional VPN policies, one that permits inbound traffic and one for outbound traffic.
1 In the Vcontroller window, click Security Policy .
The Security Policy dialog box appears.
2 Select an entry point from the policy list, then click Insert.
The Insert Security Policy dialog box appears.
3 In the Name and Description fields, type a name and brief description for the security policy. The Description field is optional.
4 From the Source drop-down list, select a preconfigured address group that corresponds to the remote appliance, or click New to create a new address group.
For information on creating an address group, see “Defining an address group” on page 180.
5 From the Destination drop-down list, select a preconfigured address group that corresponds to the local appliance, or click New to create a new address group.
For information on creating an address group, see “Defining an address group” on page 180.
6 From the Service drop-down list, select a predefined service, or click New to create a new service.
For information on creating a service, see “Defining a service” on page 182.
7 From the Incoming Interface drop-down list, select the incoming interface.
NOTE
If this a bidirectional policy, make sure that the incoming interface selection is 0 or 2, and not 1.
Defining an IPSec action
To define an IPSec action:
1 Click New .
The New IPSec Action dialog box appears.
2 In the Name and Description fields, type a name and brief description for the IPSec action. The Description field is optional.
3 From the Mode drop-down list, select Tunnel or
Transport .
Tunnel
This policy prompts the Firebox Vclass appliance to hide any information about the original sender of data, representing the Firebox Vclass as the original sender. This option is preferred for site-to-site connections, in which the traffic goes through the Firebox Vclass appliance.
Transport
No additional identity masking is applied. This option is generally used in secured communication directed to this Firebox Vclass appliance, such as SNMP traffic.
4 If you selected Tunnel , you have two options:
- Click Peer Tunnel Address Group and then select the address group that represents the peer IP address of the tunnel from the drop-down list.
- Click Peer Tunnel IP Address and then type the peer IP address.
5 From the Key Management drop-down list, select one of the following options:
Automatic (IKE)
This key management process regularly replaces existing keys with new, randomly generated keys created by the Firebox Vclass. For information on creating an automatic key, see “Defining an automatic key” on page 317.
Manual
Manual key mode requires that the administrator of each security appliance manually enter the text of a key on each system that exactly matches the other system’s key. The drawbacks to manual keys are potential errors in entry, the need to manually replace keys on a regular basis, and the exposure of a fixed, long-lived key to attack. For information on creating a manual key, see “Defining a manual key” on page 321.
6 If you want to permit connections initiated in both directions, select the Gateway to Gateway VPN checkbox.
NOTE
If this a bidirectional policy, make sure that the incoming interface selection is 0 or 2, and not 1.
7 For information on configuring the remaining options of the policy (QoS action, TOS Marking, NAT/Load Balancing, Scheduling, and the Advanced Settings) see those sections in chapter 7, “About Security Policies” on page 159.
8 Click Done .
9 When you have finished configuring VPN policies, click Apply to save the settings to the Firebox Vclass appliance.
Defining an automatic key
Automatic key mode requires use of the IKE protocol to generate new keys as necessary. Keys, encryption, and authentication algorithms are negotiated, and then chosen and used by the two participating security appliances.
To define an automatic key:
1 From the Key Management drop-down list, select
Automatic (IKE) .
2 Select the Perfect Forward Secrecy checkbox, if you want to use this option.
If you select this checkbox, this policy performs a fresh Diffie-Hellman exchange for every replacement key, so the compromise of one key does not expose earlier or later keys. If you do not select this checkbox, replacement keys are derived from the same source key material that generated the previous keys.
3 If you selected Perfect Forward Secrecy, select a DH Group from the drop-down list.
DH (Diffie-Hellman) groups enable two peer systems to publicly exchange and agree on a shared secret key. The numbers available on the drop-down list (768 and 1024) are the number of bits in the prime modulus used for exponentiation to generate private and public keys. The larger the number, the greater the protection.
4 Review the default encryption options listed in the Unselected Proposals list, select any options that your new IPSec action requires, and then click Add.
The proposal is displayed in the Selected Proposals field.
If none of the unselected proposals meets the requirements of this automatic key IPSec action, you can create your own proposals.
1 Click New .
The New IPSec Proposal dialog box appears.
2 In the Name and Description fields, type a name and brief description for the IPSec proposal. The Description field is optional.
3 From the Anti-Replay window, select an anti-replay option.
These options can protect your system from replay attacks.
You can now add an ESP transform, AH transform, or both.
A transform defines the encryption and authentication algorithms used by the Firebox Vclass appliance. A transform also sets the lifetime of any given key. ESP transforms are recommended because they incorporate both encryption and authentication of your data.
To define an ESP transform:
1 Select the ESP checkbox.
2 Click the New button to the right of the ESP transforms list.
The New ESP Transform dialog box appears.
3 In the Lifetime field, type the number of hours or minutes a key will be in effect.
If you type zero, this key will have an unlimited lifetime.
4 From the Lifetime drop-down list, select either Hours or Minutes.
5 In the Life Length field, type the maximum number of kilobytes of traffic that would be encrypted by this key before it expires.
If you type zero, there is no maximum limit to the amount of traffic encrypted by this key.
NOTE
Either Lifetime or Life Length must be a non-zero entry.
6 In the Encryption Algorithm drop-down list, select an encryption algorithm.
7 In the Authentication Algorithm drop-down list, select an authentication algorithm.
8 Click Done .
NOTE
You cannot choose None for both encryption and authentication when creating an ESP transform.
9 Repeat this process to create additional ESP transforms.
10 You can use the arrow keys to the left of the transforms list to reorganize the transforms into the proper order of application. Click the transform you want, and then click the up or down arrow to move the transform.
The order of transforms represents the preference of the encryption/authentication algorithm and lifetime of keys in this security protocol. Only one of the transforms is chosen when negotiation is complete. If none of the transforms are matched by the peer appliance, the proposal is rejected.
11 When you are finished, click Done .
To define an AH transform:
1 Enable the AH checkbox.
2 Click New to open the New AH Transform dialog box.
3 In the Lifetime field, type the number of hours or minutes a key will be in effect.
If you type zero, this key will have an unlimited lifetime.
4 From the Lifetime drop-down list, select either Hours or Minutes .
5 In the Life Length field, type the maximum number of kilobytes of traffic that can be protected by this key before it expires.
If you type zero, there is no maximum limit to the amount of traffic encrypted by this key.
NOTE
Either Lifetime or Life Length must be a non-zero entry.
6 From the Encryption Algorithm drop-down list, select an encryption algorithm if the dialog offers one. AH itself provides authentication and integrity only; it does not encrypt the payload.
7 From the Authentication Algorithm drop-down list, select an authentication algorithm.
8 Click Done .
9 Repeat this process to create additional AH transforms.
10 You can use the arrow keys to reorganize the transforms into the proper order of application. Click a transform you want to move and click the up or down arrow until it appears in the proper place.
The order of transforms represents the preference of the encryption/authentication algorithm and lifetime of keys in this security protocol. Only one of the transforms is chosen when negotiation is complete. If none of the transforms are matched by the peer appliance, the proposal is rejected.
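The ordering rules stated for IKE transforms earlier in this chapter and for the ESP and AH transforms above follow the same negotiation: the initiator's list order is its preference, one transform per protocol is chosen, and a proposal with no matching transform is rejected. The following added example (not code from this guide or from WatchGuard) walks through that negotiation, including the dialog's own constraints (a non-zero Lifetime or Life Length; no ESP transform with None for both algorithms). Settling differing lifetimes on the shorter value is the convention RFC 2407 describes with its RESPONDER-LIFETIME notification; the data types and the sample proposals are this example's own.

```python
"""Proposal and transform negotiation for automatic (IKE) keys (added example).

Covers the ordering rules the guide gives for IKE transforms and for ESP/AH
transforms: the initiator's list order is its preference, exactly one
transform per protocol is chosen, and a proposal with no matching transform
is rejected. Lifetimes are settled on the shorter of the two sides' values
(the RFC 2407 RESPONDER-LIFETIME convention). Types and samples are this
example's own.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Transform:
    encryption: Optional[str]       # "DES", "3DES" or None
    authentication: Optional[str]   # "MD5", "SHA" or None
    lifetime_min: int = 0           # 0 = unlimited
    life_kb: int = 0                # 0 = unlimited

    def validate(self, protocol):
        """The constraints the transform dialogs state."""
        if self.lifetime_min == 0 and self.life_kb == 0:
            raise ValueError("either Lifetime or Life Length must be non-zero")
        if protocol == "ESP" and self.encryption is None and self.authentication is None:
            raise ValueError("ESP transform cannot use None for both encryption and authentication")
        if protocol == "AH" and self.authentication is None:
            raise ValueError("AH transform needs an authentication algorithm")

    def algorithms(self):
        return (self.encryption, self.authentication)


@dataclass(frozen=True)
class Proposal:
    """A protection suite: ESP transforms, AH transforms, or both, each in preference order."""
    name: str
    esp: Tuple[Transform, ...] = ()
    ah: Tuple[Transform, ...] = ()


def shorter(a, b):
    """Combine two lifetimes where 0 means unlimited."""
    if a == 0:
        return b
    if b == 0:
        return a
    return min(a, b)


def negotiate_transform(protocol, offered, acceptable):
    """Return the first offered transform the responder also accepts, or None."""
    for t in list(offered) + list(acceptable):
        t.validate(protocol)
    for off in offered:
        for acc in acceptable:
            if off.algorithms() == acc.algorithms():
                return Transform(off.encryption, off.authentication,
                                 shorter(off.lifetime_min, acc.lifetime_min),
                                 shorter(off.life_kb, acc.life_kb))
    return None


def negotiate_proposal(offered_proposals, policy):
    """Walk the initiator's proposals in order; every protocol a proposal names must match.

    Returns (proposal name, chosen ESP transform or None, chosen AH transform or None),
    or None when every proposal is rejected.
    """
    for prop in offered_proposals:
        chosen = {}
        for protocol, offered, acceptable in (("ESP", prop.esp, policy.esp), ("AH", prop.ah, policy.ah)):
            if not offered:
                continue
            picked = negotiate_transform(protocol, offered, acceptable)
            if picked is None:
                chosen = None
                break
            chosen[protocol] = picked
        if chosen:
            return prop.name, chosen.get("ESP"), chosen.get("AH")
    return None


# Constructed sample: the initiator prefers 3DES/SHA, falls back to DES/MD5, and offers an
# ESP-plus-AH suite last, the shape of the two proposals the guide describes.
STRONG = Transform("3DES", "SHA", lifetime_min=480)
WEAK = Transform("DES", "MD5", life_kb=100000)
OFFERED = (
    Proposal("esp-only", esp=(STRONG, WEAK)),
    Proposal("esp-plus-ah", esp=(Transform("DES", None, 60),), ah=(Transform(None, "MD5", 60),)),
)
```

Because the responder takes the first acceptable transform in the initiator's order, a responder that still accepts DES will quietly negotiate DES with any initiator that lists it: removing a weak algorithm from your own transforms is what prevents it from being used, not placing it last.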
11 Click Done .
Defining a manual key
To define a manual key:
1 From the Key Management drop-down list, select Manual.
2 Click Manual Key .
The New Manual Key dialog box appears.
You can configure the manual key to use ESP (Encapsulating Security Payload), AH (Authentication Header), or both.
1 Enable the ESP checkbox.
2 In the Local SPI (Security Parameter Index) field, type a unique number between 256 and 65535.
This SPI entry is used to identify this manual key in the local Firebox Vclass appliance.
3 In the Peer SPI field, type the unique number of the remote appliance.
4 From the Encryption Algorithm drop-down list, select the encryption algorithm.
5 For the encryption key, click String or Hex to specify whether the key text is entered in character or hexadecimal notation.
6 Type and confirm the key in the appropriate fields.
7 Select the Authentication Algorithm from the drop-down list.
8 For the Authentication Key, click String or Hex to specify whether the key text is entered in character or hexadecimal notation.
9 In the Key and Confirm Key fields, type and confirm the key.
10 Select the AH checkbox.
11 In the Local SPI (Security Parameter Index) field, type a unique number between 256 and 65535.
This SPI entry is used to identify this manual key in the local Firebox Vclass appliance.
12 In the Peer SPI field, type the unique number of the remote appliance.
NOTE
If both ESP and AH are activated for this manual key, the local SPI for ESP and the local SPI for AH must be the same number. Similarly, the peer SPI for ESP and the peer SPI for AH must be the same number.
13 From the Authentication Algorithm drop-down list, select the authentication algorithm.
14 Click either String or Hex to specify the type of key text to be used.
15 In the Key and Confirm Key fields, type and confirm the key.
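The rules the two dialogs above impose (Lifetime or Life Length must be non-zero, transforms are tried in list order and the proposal is rejected when the peer matches none, and manual-key SPIs must fall in 256 to 65535 and agree between ESP and AH) can be modelled in a few lines. The following is an added example, not code from the guide or from WatchGuard; the Transform and ManualKeySA classes, the algorithm names and the matching rule (algorithms only, lifetimes not negotiated) are simplifying assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Transform:
    """One ESP or AH transform as entered in the New Transform dialog.
    Algorithm names are illustrative strings, not the appliance's own identifiers."""
    encryption: str        # e.g. "3DES" (use "" for an AH-only transform)
    authentication: str    # e.g. "SHA-1"
    lifetime_minutes: int  # key Lifetime; 0 means unlimited
    life_length_kb: int    # Life Length traffic cap in kilobytes; 0 means no cap


def transform_is_valid(t: Transform) -> bool:
    """The guide's NOTE: either Lifetime or Life Length must be non-zero,
    so a key can never stay valid forever with no traffic cap."""
    if t.lifetime_minutes < 0 or t.life_length_kb < 0:
        return False
    return t.lifetime_minutes != 0 or t.life_length_kb != 0


def choose_transform(local: Sequence[Transform],
                     peer: Sequence[Transform]) -> Optional[Transform]:
    """Simplified proposal selection (assumption of this example): walk our
    transforms in dialog order, most preferred first, and return the first one
    whose algorithms the peer also offers. None means the proposal is rejected.
    Real IKE also negotiates lifetimes; that part is left out here."""
    offered = {(p.encryption, p.authentication) for p in peer}
    for candidate in local:
        if not transform_is_valid(candidate):
            continue  # an invalid entry can never be proposed
        if (candidate.encryption, candidate.authentication) in offered:
            return candidate
    return None


SPI_MIN, SPI_MAX = 256, 65535  # range the Local SPI field accepts


@dataclass(frozen=True)
class ManualKeySA:
    """One half (ESP or AH) of a manual-key IPSec action."""
    protocol: str   # "ESP" or "AH"
    local_spi: int
    peer_spi: int


def manual_key_is_valid(sas: Sequence[ManualKeySA]) -> bool:
    """SPI range check plus the guide's NOTE that when ESP and AH are both
    enabled their local SPIs must match and their peer SPIs must match."""
    for sa in sas:
        if not (SPI_MIN <= sa.local_spi <= SPI_MAX and SPI_MIN <= sa.peer_spi <= SPI_MAX):
            return False
    by_proto = {sa.protocol: sa for sa in sas}
    if "ESP" in by_proto and "AH" in by_proto:
        esp, ah = by_proto["ESP"], by_proto["AH"]
        if esp.local_spi != ah.local_spi or esp.peer_spi != ah.peer_spi:
            return False
    return True


def key_bytes(text: str, notation: str) -> bytes:
    """Converts the key typed in the dialog to raw bytes: 'Hex' means the text
    is hexadecimal digits, 'String' means the characters themselves are the key."""
    if notation == "Hex":
        return bytes.fromhex(text)
    if notation == "String":
        return text.encode("ascii")
    raise ValueError("notation must be 'String' or 'Hex'")
```

Because `choose_transform` walks the local list in order, the transform you move to the top with the arrow buttons is the one selected whenever the peer accepts it; a peer that offers only algorithms absent from the list gets `None`, the rejected-proposal case the guide describes.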
Using Tunnel Switching
Maintaining and managing VPN tunnels can be complicated and labor-intensive. This is particularly true when using a fully meshed topology in which a VPN tunnel is created between all sites. As the number of VPN sites increases, managing and maintaining tunnels among all the sites becomes much more difficult. The situation gets even more complicated after remote users establish their own VPN connections to the corporate network and to branch offices. The following figure depicts a fully meshed configuration.
A more efficient way to manage a complex corporate VPN with many sites and remote users is to use a hub-and-spoke configuration, in which all branch offices connect to corporate headquarters (or any centralized site) with a single VPN tunnel. All communications between branch offices pass through the designated central site. Remote users, too, can dial into headquarters to access branch offices without the need to establish additional VPN tunnels. This topology, shown in the following figure, dramatically reduces the effort of managing a VPN.
To make such a hub-and-spoke topology effective and efficient, Firebox Vclass appliances provide tunnel switching capabilities. Such a setup means that Site A can communicate with site B by sending traffic to the central office, which then switches this traffic from one tunnel (site A / central office) to another tunnel (site B / central office). All tunnel switching is performed by the Firebox Vclass appliance, which prevents any degradation of network performance.
The greatest benefit gained from tunnel switching is the reduced cost of managing corporate VPNs. If a new branch office is added to the corporate VPN network, the administrator only needs to add a new policy in the Firebox Vclass appliance at headquarters. No additional configuration is needed for the branch offices.
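To make the switching decision and the management saving concrete, here is an added example (not code from the guide or from the appliance) that models the hub's side of tunnel switching: a table with one entry per branch, a lookup that maps a packet arriving on one tunnel to the tunnel of its destination site, and the tunnel counts for full-mesh versus hub-and-spoke topologies. The TunnelSwitch class, tunnel names and subnets are constructed for illustration.

```python
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import Dict, Optional, Union

Network = Union[IPv4Network, IPv6Network]


def mesh_tunnel_count(sites: int) -> int:
    """Fully meshed: every pair of sites needs its own tunnel."""
    return sites * (sites - 1) // 2


def hub_spoke_tunnel_count(sites: int) -> int:
    """Hub and spoke: one tunnel from each branch to the central site."""
    return sites - 1


class TunnelSwitch:
    """Toy model of the central appliance's switching table (an assumption of
    this example): one entry per branch, keyed by the tunnel the branch's
    traffic arrives on and holding the subnet that branch protects."""

    def __init__(self, hub_subnet: str):
        self.hub_subnet: Network = ip_network(hub_subnet)
        self.branches: Dict[str, Network] = {}

    def add_branch(self, tunnel: str, subnet: str) -> None:
        # Adding a branch touches only this table; nothing changes at the
        # existing branches, which is the guide's point about management cost.
        self.branches[tunnel] = ip_network(subnet)

    def switch(self, arriving_tunnel: str, dst_ip: str) -> Optional[str]:
        """Decide where traffic that arrived on arriving_tunnel goes:
        'local' for the hub's own network, another tunnel's name when it is
        switched to a second branch, or None when the destination is unknown
        or lies in the originating branch itself."""
        if arriving_tunnel not in self.branches:
            return None  # traffic from an unknown tunnel is never switched
        dst = ip_address(dst_ip)
        if dst in self.hub_subnet:
            return "local"
        for tunnel, subnet in self.branches.items():
            if dst in subnet:
                return None if tunnel == arriving_tunnel else tunnel
        return None
```

Adding a sixth site to a five-site mesh brings the tunnel count from 10 to 15, while the hub-and-spoke count goes from 4 to 5 and only the hub table changes; the `switch` method is the hop that Site A's traffic makes at the central office on its way into Site B's tunnel.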
Before you enable tunnel switching, make sure you have:
• Certificates for both ends of the IKE exchange, if RSA or DSS authentication is used.
• Agreements on other exchange parameters.
NOTE
Tunnel switching is not available on the V10 model, or in Transparent Mode.
Enabling tunnel switching
Before you set up individual VPN policies for site-to-site tunnel switching, you must activate tunnel switching in the Firebox Vclass appliance hardware (which is disabled by default). To do so:
1 Open the Policy Manager window.
2 Click the Tunnel Switch button in the left margin (this button is not available on the V10 or in Transparent Mode).
The System Tunnel Switching dialog box appears.
3 Select the Enable Tunnel Switching checkbox.
4 Click OK.
CHAPTER 12
Creating a Remote User VPN Policy
Remote User VPN (RUVPN), also labeled as Remote Access Service (RAS), requires configuration of both the Firebox Vclass appliance and the remote client computers. The complete procedure for using RUVPN is documented in the Vclass Mobile User VPN Administration Guide and the operating system-specific MUVPN end-user brochures. However, this chapter provides the Firebox Vclass appliance procedures you need to perform before using these other guides.
CHAPTER 12: Creating a Remote User VPN Policy
About Remote User VPN
Telecommuters and traveling employees who need access to the corporate network are common fixtures in today’s business environment. RUVPN creates an IPSec tunnel between an unsecured remote host and your trusted and optional networks using a standard Internet dial-up or broadband connection–without compromising security.
This type of VPN requires only one Firebox Vclass appliance for the private network and the Mobile User VPN software client, which is an optional feature of the Firebox Vclass appliances.
RUVPN uses IPSec with DES or 3DES-CBC to encrypt incoming traffic and MD5 or SHA-1 to authenticate data packets. You create a security policy and distribute it along with the RUVPN software to each telecommuter. After the software is installed on the telecommuters’ computers, they can securely access corporate resources. RUVPN users can modify their security policy. You can also restrict RUVPN users so that they have read-only access to the policy.
Remote User VPN is available on all Firebox Vclass models except the V10. The Firebox Vclass appliance models V200, V100, V80, V60, and V60L come with 20 Remote User VPN licenses, upgradeable in increments of 20, 100, 500, or 1,000.
Configuring the Remote Users Authentication Policy
Before creating a security policy to allow RUVPN traffic, you must first choose the user authentication database your appliance will use.
RUVPN users authenticate either to the user authentication database on the Firebox Vclass appliance or to a RADIUS authentication server that you have previously configured.
Authentication takes place either by using shared keys or certificates.
To configure the general settings of the RUVPN authentication policy:
1 From the main Vcontroller window, click Remote Users.
The RAS Configuration dialog box appears.
2 To the right of the Default User Group drop-down list, click New.
The New User Group Profile dialog box appears.
3 In the Name and Description fields, type a name and brief description for the user group. The Description field is optional.
4 From the Address Assignment drop-down list, select one of the following options:
None
Remote users belonging to this group will not be assigned an internal IP address when a connection is made.
Internal
Each remote user will be assigned an internal IP address when a connection is made. You must then select a preconfigured address group from the Address Pool drop-down list or click New to create a new address group. For information on creating an address group, see “Defining an address group” on page 180.
5 In the DNS Server field, type the IP address of the DNS server to be assigned to remote users.
6 In the WINS Server field, type the IP address of the WINS server to be assigned to remote users.
7 In the Session Time Limit field, type the number of hours or minutes after which a user session expires.
8 From the Session Time Limit drop-down list, select either Hours or Minutes.
9 In the Idle Timeout field, type the number of hours or minutes of inactivity allowed before a session times out.
10 From the Idle Timeout drop-down list, select either Hours or Minutes.
11 In the Concurrent Logins field, type the maximum number of logins to be permitted.
12 Click Done.
This new user group profile is displayed in the User Group entry list.
13 Click Apply.
The Commit dialog box appears.
14 To flush any active connections that may be affected by the changes, click the appropriate checkbox and then click Commit.
To continue configuring the remote users authentication policy, select an authentication method:
Internal database
For information on using this option to authenticate remote users, see “Using an internal authentication database,” below.
RADIUS Server
For information on using this option to authenticate Remote Users, see “Using a RADIUS authentication database” on page 335.
Using an internal authentication database
To set up an internal authentication database:
1 Enable the Internal database option.
2 Click the Internal Database tab.
The RAS users list is displayed.
3 To create a new user entry, click New.
The New RAS User dialog box appears.
4 Type a name in the User Name field.
User names are case-sensitive and must consist of 1 – 15 characters.
5 In the Full Name and Description fields, type the full name of the RAS user and a brief description. The Description field is optional.
6 From the User Group Profile drop-down list, select a user group profile.
7 Type a password and then retype it to confirm.
Passwords are case-sensitive and consist of six to eight characters.
8 You can override the Password Expiry, Account Expiry, and Concurrent Logins default values by typing the values you want.
NOTE
The Enabled checkbox in the New RAS User dialog box controls whether or not this user account is active. If you need to temporarily disable an entry, select the user from the list of entries and click Edit. Click to clear the Enabled checkbox. You can reactivate this account at any time by clicking the Enabled checkbox again.
9 Click Done.
This entry is displayed in the RAS users entry list.
Repeat steps 3 through 9 to add other RAS users to the internal database.
10 Click Apply.
The Commit dialog box appears.
11 To flush any active connections that may be affected by the changes, click the appropriate checkbox and then click Commit.
12 To edit a RAS user entry, select the entry and click Edit.
13 To delete a RAS user entry, select the entry and click Delete.
Using a RADIUS authentication database
To use a database stored on a RADIUS server:
1 From the main Vcontroller window, click Remote Users.
The RAS Configuration dialog box appears.
2 Click RADIUS Server.
3 To the right of Primary Radius, click Edit.
The RADIUS Server dialog box appears.
4 In the IP Address field, type the IP address of the RADIUS server.
5 In the Secret and Confirm Secret fields, type the secret and confirm it.
6 To change the port number, clear the Use default port checkbox, and then type the number in the Port field.
7 Click Done.
Repeat the previous steps to configure a connection to a backup RADIUS server.
8 From the Authentication Method drop-down list, select either PAP or SecurID and then click Done.
The IP address of the server is displayed.
9 Click Apply.
The Commit dialog box appears.
10 To flush any active connections that may be affected by the changes, click the appropriate checkbox and then click Commit.
NOTE
Depending on how the RADIUS server is configured, the internal IP address and DNS server IP address for a user might be available on both the RADIUS server and the Firebox Vclass security appliance. In this case, the Firebox Vclass appliance automatically yields precedence to the RADIUS server when the user is authenticated.
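The user group profile fields (address assignment, session time limit, idle timeout, concurrent logins), the RAS user rules (1 to 15 character names, six to eight character passwords, password and account expiry, the Enabled flag) and the NOTE above about RADIUS precedence together define when a remote user is admitted and what the client is handed. The following is an added example, not code from the guide or from WatchGuard, that models those decisions; the class and function names, the defaults, the sample user and the attribute names `internal_ip` and `dns_server` are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class UserGroupProfile:
    """Fields of the New User Group Profile dialog (defaults are this example's)."""
    name: str
    address_assignment: str                                 # "None" or "Internal"
    address_pool: List[str] = field(default_factory=list)   # members of the Address Pool group
    dns_server: Optional[str] = None
    wins_server: Optional[str] = None
    session_time_limit: timedelta = timedelta(hours=8)
    idle_timeout: timedelta = timedelta(minutes=30)
    concurrent_logins: int = 1


@dataclass
class RasUser:
    """Fields of the New RAS User dialog; None means 'use the group default'."""
    user_name: str
    group: UserGroupProfile
    enabled: bool = True
    password_expiry: Optional[datetime] = None
    account_expiry: Optional[datetime] = None
    concurrent_logins: Optional[int] = None
    active_sessions: int = 0


def user_name_is_valid(name: str) -> bool:
    """Guide: user names are case-sensitive and 1 to 15 characters long."""
    return 1 <= len(name) <= 15


def password_is_valid(password: str) -> bool:
    """Guide: passwords are case-sensitive and six to eight characters long."""
    return 6 <= len(password) <= 8


def login_decision(user: RasUser, now: datetime) -> str:
    """Returns 'allow' or the reason a new session is refused."""
    if not user.enabled:
        return "disabled"                 # Enabled checkbox cleared in the dialog
    if user.account_expiry is not None and now >= user.account_expiry:
        return "account expired"          # cleared with Account Renewal
    if user.password_expiry is not None and now >= user.password_expiry:
        return "password expired"         # cleared with Reset Password
    limit = user.concurrent_logins if user.concurrent_logins is not None else user.group.concurrent_logins
    if user.active_sessions >= limit:
        return "concurrent login limit reached"
    return "allow"


def session_end_reason(started: datetime, last_activity: datetime,
                       now: datetime, group: UserGroupProfile) -> Optional[str]:
    """Why an established session is torn down, or None if it may continue."""
    if now - started >= group.session_time_limit:
        return "session time limit"
    if now - last_activity >= group.idle_timeout:
        return "idle timeout"
    return None


def assign_address(group: UserGroupProfile, in_use: Set[str]) -> Optional[str]:
    """First free address from the group's pool; None when the group assigns no address."""
    if group.address_assignment != "Internal":
        return None
    for addr in group.address_pool:
        if addr not in in_use:
            return addr
    return None


def resolve_client_settings(group: UserGroupProfile, in_use: Set[str],
                            radius_attrs: Dict[str, str]) -> Dict[str, Optional[str]]:
    """The guide's NOTE: when both the RADIUS server and the appliance carry an
    internal IP or DNS address for the user, the RADIUS value takes precedence."""
    local = {"internal_ip": assign_address(group, in_use), "dns_server": group.dns_server}
    return {key: radius_attrs.get(key, value) for key, value in local.items()}


def run_demo() -> List[str]:
    """Walks one constructed user through the checks above; returns the decisions."""
    group = UserGroupProfile("telecommuters", "Internal", ["10.9.0.10", "10.9.0.11"],
                             dns_server="10.0.0.53")
    alice = RasUser("alice", group, account_expiry=datetime(2003, 7, 1))
    now = datetime(2003, 6, 1, 9, 0)
    results = [login_decision(alice, now)]                       # first login
    alice.active_sessions = 1
    results.append(login_decision(alice, now))                   # second login, limit is 1
    results.append(session_end_reason(now - timedelta(hours=1),
                                      now - timedelta(minutes=31), now, group) or "continue")
    results.append(login_decision(alice, datetime(2003, 7, 2)))  # after account expiry
    results.append(str(resolve_client_settings(group, {"10.9.0.10"},
                                               {"dns_server": "192.0.2.53"})))
    return results
```

In the demo the RADIUS reply carries only a DNS server, so the appliance keeps its own address-pool assignment but hands out the RADIUS DNS address; an expired account is refused even though the concurrent-login count would otherwise allow it, which is why the guide has a separate Account Renewal step.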
Resetting an expired password
After a remote user account password has expired, you can reset or replace it by following these steps:
1 Click the Internal Database tab.
Any users with expired passwords show a checkmark under the Password Expired column.
2 Select the RAS user entry, and click Edit.
The Edit RAS User dialog box appears. The Password fields are inactive.
3 Select the Reset Password checkbox.
The password fields become active.
4 In the Password and Confirm Password fields, type a password and confirm it.
Passwords are case-sensitive and consist of six to eight characters.
5 Click Done.
6 Click Apply.
The Commit dialog box appears.
7 To flush any active connections that may be affected by the changes, click the appropriate checkbox and then click Commit.
Reactivating an expired user
After a remote user account has expired, you can reactivate it by resetting the account expiration.
1 Click the Internal Database tab.
Any expired users are labeled as such under the Status column.
2 Select the expired user and then click Account Renewal.
3 Click Done.
4 Click Apply.
The Commit dialog box appears.
5 To flush any active connections that may be affected by the changes, click the appropriate checkbox and then click Commit.
Editing and deleting a user group profile
You can reopen an existing user group profile and change any of the settings by selecting an existing user group profile and clicking Edit. However, if any address management parameters are changed (from None to Internal or vice versa), then all existing user connections belonging to this user group are disconnected. Any changes made to a policy are enforced immediately.
Similarly, if the address group used to store internal-use IP addresses is changed, then all user connections currently using IP addresses that are no longer valid are disconnected immediately. However, any change of the default idle timeout will not affect existing user connections.
Removing the backup server
a Firebox Vclass appliance to both a primary and backup RADIUS server. The backup server may at some time become unavailable, temporarily or permanently. In this situation, you should remove the backup server setting.
1 From the main Vcontroller window, click Remote Users.
The RAS Configuration dialog box appears.
2 Click Clear.
A confirmation window appears.
3 Click OK.
The Backup RADIUS status message reads “Not configured”.
4 Click Apply.
The Commit dialog box appears.
5 To flush any active connections that may be affected by the changes, click the appropriate checkbox and then click Commit.
If the backup server is made available at a later time, you can repeat the process described in “Configuring the Remote Users Authentication Policy” on page 328 to re-establish the Firebox Vclass appliance connection to this server.
Defining an IKE Policy and IKE Action
After configuring an authentication policy, you must define IKE and Security policies.
Defining an IKE action for RUVPN
To define an IKE action:
1 From the main Vcontroller window, click IKE Policy.
The Policy Manager window appears.
2 Click IKE Action.
The New IKE Action dialog box appears.
3 In the Name and Description fields, type a name and brief description for the IKE action.
The Description field is optional.
4 From the Mode drop-down list, select Main.
5 Select Enable Extended User Authentication.
6 Disable NAT Traversal, if necessary (NAT Traversal is enabled by default). For more information, see “NAT Traversal (UDP Encapsulation)” on page 303.
7 Select an IKE transform from the list or click New to create a new IKE transform.
The New IKE Transform dialog box appears.
8 From the Authentication Type drop-down list, select the Authentication Type.
9 From the DH Group drop-down list, select a DH group type.
DH (Diffie-Hellman) groups enable two peer systems to publicly exchange values and agree on a shared secret key. The numbers available on the drop-down list (768 and 1024) are the number of bits used in the exponentiation that generates the private and public keys. The larger the number, the greater the protection.
10 From the Encryption Algorithm drop-down list, select an encryption algorithm.
11 From the Hash Algorithm drop-down list, select a hash algorithm.
12 In the Lifetimes field, type the number of hours or minutes that the transform will remain active.
13 From the Lifetime drop-down list, select Hours or Minutes.
14 In the Life Length field, type the maximum size in kilobytes.
This field is optional.
15 Click Done.
The transform is added to the IKE transforms list.
16 Repeat this process to add any other transforms.
17 When all the required transforms are listed, you can shuffle the order, if necessary, by selecting a transform and clicking the Up or Down arrows to the left of the list.
The order in which transforms are listed establishes the preference order of all listed transforms during phase one negotiations.
18 Click Done.
For more information on configuring IKE actions, see “Defining an IKE action” on page 310.
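Step 9 above describes the DH group only by its bit count. The following is an added example, not code from the guide or the appliance, that carries out the exchange an IKE phase one DH group performs, using the 768-bit MODP prime and generator published as Oakley group 1 in RFC 2409 so that the "768" in the drop-down list can be checked against the prime's bit length. The `DhParty` class and `phase1_exchange` function are this example's own names; the private-exponent parameter exists only so the test is repeatable. Groups of 768 and 1024 bits were standard when this guide was written; current IKE guidance (RFC 8247) no longer recommends either, so treat the sizes here as historical.

```python
import secrets
from typing import Optional

# Oakley Group 1: the 768-bit MODP prime and generator from RFC 2409, section 6.1.
IKE_GROUP1_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
IKE_GROUP1_G = 2


def group_bits(p: int) -> int:
    """The number shown in the DH Group list (768, 1024) is the bit length of the prime."""
    return p.bit_length()


def peer_value_acceptable(p: int, value: int) -> bool:
    """Reject degenerate public values (0, 1, p-1 and anything out of range):
    accepting them would let a third party force a predictable shared secret."""
    return 1 < value < p - 1


class DhParty:
    """One side of the exchange. Only `public` ever leaves this object."""

    def __init__(self, p: int = IKE_GROUP1_P, g: int = IKE_GROUP1_G,
                 private: Optional[int] = None):
        self.p, self.g = p, g
        # Private exponent: fresh randomness for every exchange in practice; a
        # caller-supplied value is accepted here only to make the test repeatable.
        self.private = private if private is not None else secrets.randbelow(p - 3) + 2
        self.public = pow(g, self.private, p)       # g^x mod p, sent in the clear

    def shared_secret(self, peer_public: int) -> int:
        if not peer_value_acceptable(self.p, peer_public):
            raise ValueError("peer public value rejected")
        return pow(peer_public, self.private, self.p)  # (g^y)^x mod p == (g^x)^y mod p


def phase1_exchange(p: int = IKE_GROUP1_P) -> bool:
    """Both peers derive the same secret although only g^x and g^y crossed the wire."""
    initiator, responder = DhParty(p), DhParty(p)
    return initiator.shared_secret(responder.public) == responder.shared_secret(initiator.public)
```

The range check in `peer_value_acceptable` is the part a practitioner should not skip: a peer (or an attacker in the path) that sends 1 or p-1 as its public value would otherwise collapse the shared secret to one of two known values.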
Defining an IKE policy
To define an IKE policy:
1 Select an entry point among the list of IKE policies below all other policies and then click Insert.
The Insert IKE Policy dialog box appears.
2 In the Name and Description fields, type a name and brief description for the IKE policy. The Description is optional.
3 Select a preconfigured address group from the Peer Address Group drop-down list or click New to create a new address group.
For information on creating an address group, see “Defining an address group” on page 180.
4 Select a preconfigured IKE Action from the drop-down list, or click New to create a new IKE action.
For information on creating an IKE action, see “Defining an IKE action” on page 310.
5 From the Peer Authentication ID field, select Any.
6 If you previously selected an IKE action that incorporates RSA or DSA as the authentication type, the Local Certificates options and the RSA or DSA drop-down lists become active. From the drop-down list, select the appropriate certificate. Next, select the Local ID Type from the drop-down list. This should be one that the peer system can validate with a copy of your certificate sent to the peer system as well as settings in their own policy.
For more information on using certificates, see the Vclass Mobile User VPN Guide.
7 If you previously selected an IKE action that incorporates the pre-shared key authentication type, the Pre-Shared Key options become active.
8 Click String and then type and confirm the key in the appropriate fields.
The key can consist of any combination of letters and numbers, but it cannot contain blank spaces.
9 Click Done.
For more information on configuring IKE policy, see “Defining an IKE Policy” on page 307.
Defining an RUVPN Security Policy and an IPSec Action
After defining IKE actions and IKE policies, you must define Security policies for the remote users and IPSec actions.
Defining an IPSec action for RUVPN
To define an IPSec action:
1 From the main Vcontroller window, click IPSec Action.
The Policy Manager window and IPSec Action dialog box appear.
2 Click New.
The New IPSec Action dialog box appears.
3 In the Name and Description fields, type a name and brief description for the IPSec action. The Description field is optional.
4 From the Mode drop-down list, select Tunnel.
5 Click Peer Tunnel Address Group or Peer Tunnel IP Address.
Peer Tunnel Address Group
Then select the address group that represents the remote user IP addresses from the drop-down list.
Peer Tunnel IP Address
Then type the remote user IP address.
6 From the Key Management drop-down list, select Automatic (IKE).
7 Click Perfect Forward Secrecy.
8 Select an option from the Unselected Proposals list, and then click Add.
The proposal is displayed in the Selected Proposals field.
For more information on configuring IPSec actions, see “Defining an IPSec action” on page 315.
Defining a security policy for RUVPN
To define a security policy:
1 On the left side of the Policy Manager window, click Security Policy, or on the main Vcontroller window, click Security Policy.
The Policy Manager window refreshes and the Security Policy list is displayed.
2 Select an entry point from the list of policies and then click Insert.
The Insert Security Policy dialog box appears, showing the General tab.
3 In the Name and Description fields, type a name and brief description for the security policy. The Description field is optional.
4 Click the Traffic Specs tab.
The Traffic Specs page appears.
5 Select one of the following options from the Source drop-down list:
- If no internal IP addresses are to be assigned to remote users, the Source should be an address group with a membership of ANY.
- If internal IP addresses will be automatically assigned to all remote users, the Source should then be the address group you created earlier in the User Group Profile dialog box.
6 Select a preconfigured address group from the Destination drop-down list corresponding to the local appliance or click New to create a new address group.
For information on creating an address group, see “Defining an address group” on page 180.
The Destination will be only those network resources accessible by remote access users.
7 From the Service drop-down list, select New to create a new service. For information on creating a service, see “Defining a service” on page 182.
The Services will be limited to those that remote users will use, whether a few or a wide range of services.
8 From the Incoming Interface drop-down list, select 1 (Public).
9 Click the Actions tab.
The Actions page appears.
10 Click Pass.
11 From the IPSec drop-down list, select a previously created IPSec action.
12 Click Done.
13 When you have finished configuring RUVPN policies, click Apply to save the settings to the Firebox Vclass appliance.
For more information on configuring security policies, see “Defining a Security Policy” on page 178.
Controlling a remote user’s access privileges
In addition to authenticating remote users, Firebox Vclass appliances can also be configured to assign a temporary internal IP address to a remote user. Typically, a remote user can be assigned to a specific user group. Each user group can be associated with an address group, which provides a pool of IP addresses for assignment.
After a remote user has been assigned an IP address, this address is subject to the security policies defined within the Policy Manager. Therefore, by controlling the network address assignment for a group of users, a network administrator can establish different levels of access privileges for whole groups of users.
Associating an address group to a user group allows you to control which part of the corporate networks can be accessed by users in a particular user group. This capability allows network administrators to set up different user groups for different levels of remote access.
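The mechanism the three paragraphs above describe, and that the security policy procedure before them configures, is a chain: a user group hands the remote user an address from its address group, and the ordered security policies are then matched on that address as Source. The following is an added example, not code from the guide or the appliance, that models the chain with first-match policy evaluation; the address groups, services, policy names and the default Block action for unmatched traffic are constructed assumptions of this example.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed address groups (see "Defining an address group"): group name -> member networks.
ADDRESS_GROUPS: Dict[str, List[str]] = {
    "ANY": ["0.0.0.0/0"],
    "ras_engineering": ["10.9.1.0/24"],   # Address Pool of the engineering user group
    "ras_contractors": ["10.9.2.0/24"],   # Address Pool of the contractor user group
    "lab_servers": ["10.20.0.0/24"],
    "intranet": ["10.0.0.0/16"],
}

# Constructed services: (protocol, port); None stands for any service.
SERVICES: Dict[str, Optional[Tuple[str, int]]] = {
    "HTTP": ("tcp", 80), "SSH": ("tcp", 22), "ANY": None,
}

# Security policies in Policy Manager order; the first matching policy decides.
POLICIES: List[Dict[str, str]] = [
    {"name": "eng-to-lab", "source": "ras_engineering", "destination": "lab_servers",
     "service": "ANY", "incoming": "1 (Public)", "action": "Pass"},
    {"name": "contractors-web", "source": "ras_contractors", "destination": "intranet",
     "service": "HTTP", "incoming": "1 (Public)", "action": "Pass"},
]
DEFAULT_ACTION = "Block"   # assumption of this example: traffic matching no policy is not passed


def in_group(ip: str, group: str) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(net) for net in ADDRESS_GROUPS[group])


def service_matches(proto: str, port: int, service: str) -> bool:
    spec = SERVICES[service]
    return spec is None or spec == (proto, port)


def evaluate(src_ip: str, dst_ip: str, proto: str, port: int,
             incoming: str) -> Tuple[Optional[str], str]:
    """Returns (matching policy name, action); (None, DEFAULT_ACTION) when nothing matches."""
    for pol in POLICIES:
        if (pol["incoming"] == incoming
                and in_group(src_ip, pol["source"])
                and in_group(dst_ip, pol["destination"])
                and service_matches(proto, port, pol["service"])):
            return pol["name"], pol["action"]
    return None, DEFAULT_ACTION


class AddressPool:
    """Hands each remote user an address out of its user group's address group;
    that address is what places the user under the group's security policies."""

    def __init__(self, group: str):
        self.hosts = [str(h) for net in ADDRESS_GROUPS[group] for h in ip_network(net).hosts()]
        self.leases: Dict[str, str] = {}   # user name -> assigned address

    def assign(self, user: str) -> Optional[str]:
        if user in self.leases:
            return self.leases[user]
        for host in self.hosts:
            if host not in self.leases.values():
                self.leases[user] = host
                return host
        return None   # pool exhausted

    def release(self, user: str) -> None:
        self.leases.pop(user, None)
```

A contractor therefore reaches intranet web servers and nothing else, not because of anything in the user entry itself but because the pool the contractor group draws from is the Source of exactly one Pass policy; moving the user to the engineering group changes the assigned address and, with it, every policy that applies.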
Monitoring Remote User Activity
WatchGuard recommends that you take advantage of the Log Manager features. You can track and record remote access connections and system use.
You can also view a basic summary of the recent connection history of a particular user (though not the current connection) by opening the RAS Configuration dialog box, clicking the Internal Database tab, selecting a listed user, and clicking Details.
A RAS User Detail dialog box appears, summarizing the most recent connection history of that user.
• Click Active Users to monitor currently active users.
The System Information dialog box appears displaying a list of active RAS users. For more information on monitoring active RAS users, see “RAS User Information” on page 395.
CHAPTER 13
Using Alarm Manager
The Vcontroller Alarm Manager allows you to define alarms that can alert the appropriate parties when certain system or policy conditions occur.
You can configure alarm notifications for basic system processes such as the log file reaching a certain size, or you can configure alarms that alert the on-duty system administrator when critical conditions have been detected. You can establish single-condition or multiple-condition alarms for any level of complexity that your system might encounter.
You can also use the Alarm Manager window to view the current status of the system and clear all current alarms.
CHAPTER 13: Using Alarm Manager
Alarm Definitions
To define a specific alarm condition:
1 From the main Vcontroller window, click Alarm.
The Alarm Manager window appears.
2 Click the Alarm Definitions tab to view the current list of alarm definitions.
This tab lists pre-defined default alarms along with indications of their severity and whether or not they have been enabled.
3 Click Add.
The Alarm Definition dialog box appears.
4 In the Alarm Name field, type a name for the alarm.
5 Click and move the Severity slider to the point on the scale that matches the value of this alarm: Low, Medium, or High.
6 Decide whether the alarm will have more than one triggering condition.
Defining a single-condition alarm
1 Click the Condition(s) to trigger the Alarm field where
<counter> appears. This field acts as a button.
The Select a Counter dialog box appears.
2 From the Probe Category drop-down list, select System, Policy, or VPN End-point Pairs.
The display changes depending upon your choice of Probe Category.
Policy
Select the policy of your choice and then select the counter you want to use for the alarm. Selecting For All Policies displays a different list of counters.
System
Select the counter you want to use for the alarm.
VPN End-point Pairs
Select the IPSec pair of your choice and then select the counter you want to use for the alarm.
3 Click Select.
For more information about the counters and their capabilities, see “A Catalog of Real-time Monitor Probe Counters” on page 368.
4 From the Alarm Definition drop-down list, select the option you want.
<
Indicates “less than”
>
Indicates “greater than”
=
Indicates “equal to”
<=
Indicates “less than or equal to”
>=
Indicates “greater than or equal to”
!=
Indicates “not equal to”
becomes >
Condition will be true if the counter value becomes greater than the threshold value
becomes <
Condition will be true if the counter value becomes less than the threshold value
becomes =
Condition will be true if the counter value becomes equal to the threshold value
5 Delete the text in the <threshold> field and type a number value. This value can be a whole number or a percentage.
6 Click Alarm Log to keep a record of all instances of this alarm.
7 Click SNMP Trap to initiate an SNMP trap. When this alarm is triggered, a message is sent to the Management Station.
8 Click Email Notification to activate email notification.
Type the email address in the appropriate field. To send an email notification to more than one email address, type each address using a space to separate them.
9 Click OK.
The new alarm definition appears in the list of Alarm Definitions.
Repeat this process to create other single-condition alarms.
Defining a multiple-condition alarm
1 Click the Alarm Definitions tab and then click Add .
2 Click More.
Two condition options appear.
3 Click Add.
The Select Condition dialog box appears.
4 Click the text field where <counter> appears. This field acts as a button.
The Select a Counter dialog box appears.
5 From the Probe Category drop-down list, select System, Policy, or VPN End-point Pairs.
The display changes depending upon your choice of Probe Category.
Policy
Select the policy of your choice and then select the counter you want to use for the alarm. Selecting For All Policies displays a different list of counters.
System
Select the counter you want to use for the alarm.
VPN End-point Pairs
Select the IPSec pair of your choice and then select the counter you want to use for the alarm.
6 Click Select.
For more information about the counters and their capabilities, see “A Catalog of Real-time Monitor Probe Counters” on page 368.
The selected conditions appear in the Select Condition dialog box.
7 Select the condition.
8 Delete the text in the <threshold> field, type either a whole number or a percentage for this counter, and then click OK.
The newly created condition appears in the Counter/Instance list.
9 Repeat this process to define more conditions for this specific alarm.
As a result, more than one condition will be listed in the Counter/Instance list.
10 Once you complete the list of conditions, click All conditions must hold to trigger the alarm or Any condition holds to trigger the alarm.
11 Select the Alarm Log checkbox to keep a record of all instances of this alarm.
12 Select the SNMP Trap checkbox to initiate an SNMP trap. When this alarm is triggered, a message is sent to the Management Station.
13 Select the Email Notification checkbox to activate email notification. Type the email address in the field that appears to the right of the checkbox. To send an email notification to more than one email address, type multiple addresses separated by spaces.
14 Click OK.
The new alarm definition appears in the list of Alarm Definitions.
Repeat this process to create other multi-condition alarms.
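The single-condition and multiple-condition procedures above reduce to one evaluation rule: each condition compares a probe counter with a threshold using one of the listed operators, the "becomes" operators fire on the transition rather than on the level, and a multi-condition alarm combines its conditions with All or Any. The following is an added example, not code from the guide or from Alarm Manager, that replays constructed counter samples through that rule; the counter names, the alarm definitions and the response names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass
class Condition:
    """One <counter> <operator> <threshold> entry of the Alarm Definition dialog."""
    counter: str      # probe counter name (constructed names below)
    operator: str     # "<", ">", "=", "<=", ">=", "!=", "becomes >", "becomes <", "becomes ="
    threshold: float  # whole number, or a percentage expressed as its number


def level_holds(op: str, value: float, threshold: float) -> bool:
    """Level operators: true whenever the current sample satisfies the comparison."""
    return {
        "<": value < threshold, ">": value > threshold, "=": value == threshold,
        "<=": value <= threshold, ">=": value >= threshold, "!=": value != threshold,
    }[op]


def condition_holds(cond: Condition, previous: Optional[float], current: float) -> bool:
    """'becomes' operators are edge-triggered: the previous sample did not
    satisfy the comparison and the current one does. A counter with no
    previous sample counts as not having satisfied it."""
    if cond.operator.startswith("becomes "):
        base = cond.operator.split(" ", 1)[1]
        now = level_holds(base, current, cond.threshold)
        before = previous is not None and level_holds(base, previous, cond.threshold)
        return now and not before
    return level_holds(cond.operator, current, cond.threshold)


@dataclass
class AlarmDefinition:
    name: str
    severity: str                               # "Low", "Medium" or "High"
    conditions: Sequence[Condition]
    require_all: bool = True                    # True: All conditions must hold; False: Any
    enabled: bool = True                        # the Enabled box on the Alarm Definitions tab
    responses: Sequence[str] = ("Alarm Log",)   # "Alarm Log", "SNMP Trap", "Email Notification"


def evaluate_alarm(alarm: AlarmDefinition, previous: Dict[str, float],
                   current: Dict[str, float]) -> bool:
    if not alarm.enabled:
        return False
    results = [condition_holds(c, previous.get(c.counter), current[c.counter])
               for c in alarm.conditions]
    return all(results) if alarm.require_all else any(results)


def run_samples(alarms: Sequence[AlarmDefinition],
                samples: Sequence[Dict[str, float]]) -> List[Tuple[int, str, Tuple[str, ...]]]:
    """Replays counter samples in order; returns (sample index, alarm name, responses)
    for every alarm raised, i.e. what would reach the Outstanding Alarms tab."""
    raised: List[Tuple[int, str, Tuple[str, ...]]] = []
    previous: Dict[str, float] = {}
    for index, sample in enumerate(samples):
        for alarm in alarms:
            if evaluate_alarm(alarm, previous, sample):
                raised.append((index, alarm.name, tuple(alarm.responses)))
        previous = sample
    return raised


def demo_raised() -> List[Tuple[int, str, Tuple[str, ...]]]:
    """Constructed alarms and samples: a single-condition 'becomes' alarm on log
    file usage, and an All-conditions alarm on IKE failures with no tunnels up."""
    alarms = [
        AlarmDefinition("log-full", "Medium",
                        [Condition("system.log_file_pct", "becomes >", 90)],
                        responses=("Alarm Log", "Email Notification")),
        AlarmDefinition("vpn-trouble", "High",
                        [Condition("policy.ike_failures", ">", 10),
                         Condition("vpn.active_tunnels", "<", 1)],
                        require_all=True, responses=("Alarm Log", "SNMP Trap")),
    ]
    samples = [
        {"system.log_file_pct": 85, "policy.ike_failures": 2, "vpn.active_tunnels": 3},
        {"system.log_file_pct": 91, "policy.ike_failures": 12, "vpn.active_tunnels": 3},
        {"system.log_file_pct": 95, "policy.ike_failures": 15, "vpn.active_tunnels": 0},
        {"system.log_file_pct": 95, "policy.ike_failures": 15, "vpn.active_tunnels": 0},
    ]
    return run_samples(alarms, samples)
```

The replay shows the difference between the two operator families: the `becomes >` alarm fires once, at the sample where log usage crosses 90, and stays quiet while usage remains above it, whereas the level-based All-conditions alarm fires on every sample in which both conditions hold, which is why a level alarm on a persistent condition keeps reappearing until it is cleared.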
Managing alarm definitions
You can update an alarm definition, enable or disable a current alarm, or delete an alarm definition that is no longer needed in the Alarm Manager window.
To update an alarm definition:
1 Open the Alarm Manager window, and click the Alarm Definitions tab.
2 Select the alarm that is to be updated and click Edit.
The Alarm Definition dialog box appears.
3 Make the changes to the severity and response options.
4 Click OK when finished to return to the Alarm Manager window.
5 Click Close.
To enable or disable an alarm:
1 Open the Alarm Manager window, and click the Alarm Definitions tab.
2 Locate the alarm to enable or disable, and select or clear its checkbox.
3 Click Close when finished.
To delete an unwanted alarm definition:
1 Open the Alarm Manager window, and click the Alarm Definitions tab.
2 Select the alarm to delete and click Delete.
The alarm definition is removed from the list.
3 Click Close when finished.
Responding to an Alarm Notification
Alarm notifications come in several forms:
• An animated alarm bell icon appears at the top of the WatchGuard Vcontroller main page.
• The red Alarm LED illuminates on the front of the Firebox Vclass appliance.
• A notice appears in the Outstanding Alarms tab of the Alarm Manager window.
• You receive an SNMP trap message.
• You receive an email or pager notification.
The relative severity of the alarm determines which contact method is used. If the alarm trigger is low, you may want to let the appliance display a notice in the Alarm Manager window and merely add it to the Alarm log. However, if the alarm trigger is serious, you can configure the Firebox Vclass to add an SNMP trap or send an email notification.
In every alarm situation, the animated alarm bell appears in the upper-right corner of the Vcontroller main page to give administrators instant notice of a new alarm condition.
To view outstanding alarms:
1 From the Vcontroller main page, click the animated alarm bell or click the Alarm button.
The Alarm Manager window appears, listing the current alarms at the Outstanding Alarms tab.
2 Review the list of alarm notices. To view more information about a specific alarm notice, double-click the notice or select the notice and click Detail.
The Alarm Details dialog box appears.
3 Review the information displayed.
4 Click OK to close the Alarm Details dialog box.
5 To clear an outstanding alarm, select the alarm notice and click Clear. To clear all outstanding alarms, click Clear All.
The Alarm Manager removes the alarm notice from the Outstanding Alarms tab.
CHAPTER 14
Monitoring the Firebox Vclass
You can use the Real-time Monitor to view the status of your Firebox Vclass appliance.
You can activate the self-reporting capabilities by setting up and applying custom probes in the Real-time Monitor window. Then you can open the Real-time Chart window and watch the custom probes as they dynamically track the activities of the appliance and its network traffic.
Using the Real-Time Monitor
The Real-time Monitor window provides a set of probes, which you can customize and apply, that generate real-time reports on system usage. The probes can then be viewed in a graphic display in the Realtime Chart window, which provides a visual “cardiogram” of the system’s health.
A real-time probe measures specific activity in a Firebox Vclass appliance by using counters. To review a detailed catalog of available counters, see “A Catalog of Real-time Monitor Probe Counters” on page 368.
From the main Vcontroller window, click Monitor.
The Real-time Monitor window appears.
The following categories of system activity can be defined and monitored:
Policy
Policy probes observe and report on the activities of selected policies. For example, you can set up a probe to monitor the number of packets governed by a specific policy.
System
System probes provide snapshots of the operational status. For example, you can create separate probes that track both CPU and memory use, total throughput for the entire system, and amount of free space available for log files.
VPN End-point Pair
VPN End-point Pair probes report on specific encryption and authentication activity, and assess traffic between a designated pair of security appliances. A “VPN End-point Pair” is a pair of appliances actively exchanging traffic through one or more IPSec tunnels.
Interface
Interface probes observe and report on the activities of selected interfaces. For example, you can set up a probe to monitor the number of packets received by a specific interface.
Defining probes
To define a probe for any of the categories:
1 Click Add.
The Select Probe window appears.
2 From the Probe Category drop-down list, select a category.
After you select a probe category, the window refreshes and displays fields relevant to the category you select.
3 From the Polling Time Interval drop-down list, select a polling interval between 5 and 60 seconds.
4 Select the Enabled checkbox to activate this probe as soon as you close the window. Otherwise, the probe will not be active.
A checkmark appears.
5 Click Add when you are finished configuring this probe.
The Select Probe window closes and the new probe is displayed in the appropriate tab list.
6 Repeat these steps to add more probes.
7 Click Done when you are finished.
To edit the settings of an existing probe:
1 Select the probe and click Edit.
2 When the Select Counter window appears, you can use its features to switch counters as needed. If you need to add a second counter to monitor a specific policy, you may need to click Add to create a new probe.
3 When the probe has been edited, test it by clicking Show Monitor (in the Real-time Monitor window) and then click Start Monitoring to activate the graphic display.
To disable an existing probe:
1 Click the tab for the probe you want to disable.
2 Click the Enabled checkbox to clear it.
The checkmark disappears. Disabling a probe is temporary; you can re-enable a probe at any time.
To delete an existing probe:
1 Click the relevant tab for the probe you want to delete.
2 Select the probe you want to delete and then click Delete.
Monitoring configured probes
To view the actual level of activity of all the listed probes in one of the tabs:
1 Click the tab for the probes you want to monitor.
2 Click Show Monitor.
The Real-time Charts window appears.
3 Click Start Monitoring.
After a brief pause, corresponding to the polling interval you selected, the activity measured by each probe is displayed. The graph updates at the interval you configured.
4 When you are finished monitoring, click Stop Monitoring.
5 Click Close.
To conserve system resources, you can temporarily disable any probes until the next time you want to monitor that particular system activity. At that time, you can re-enable the probe and observe the results in the Real-Time Chart window.
A Catalog of Real-time Monitor Probe Counters
System Counters
Counter Name                                          Function
CPU Util. (%)                                         System CPU utilization
Memory Util. (%)                                      System memory utilization
Interface 1(Public) Status (1=up)                     Interface 1 status (1=up; 0=down)
Interface 0(Private) Status (1=up)                    Interface 0 status (1=up; 0=down)
Interface 2(DMZ) Status (1=up)                        Interface 2 status (1=up; 0=down)
System Throughput bytes/sec                           Number of bytes processed per second
Packets Recv/sec                                      Packets received rate (packets/second)
Packets Sent/sec                                      Packets sent rate (packets/second)
IPSec Throughput bytes/sec                            IPSec traffic throughput (bytes/sec)
IPSec Packets/sec                                     IPSec traffic throughput (packets/sec)
Total IPSec Tunnels                                   Total number of active IPSec tunnels
Interface 1(Public) Recv. (Bytes)                     Number of bytes received from Interface 1 (bytes)
Interface 1(Public) Sent (Bytes)                      Number of bytes sent from Interface 1 (bytes)
Interface 1(Public) Recv. (Packets)                   Number of packets received from Interface 1 (packets)
Interface 1(Public) Sent (Packets)                    Number of packets sent from Interface 1 (packets)
Interface 1(Public) Recv. Throughput (Bytes/sec)      Rate of bytes received from Interface 1 (bytes/sec)
Interface 1(Public) Sent Throughput (Bytes/sec)       Rate of bytes sent from Interface 1 (bytes/sec)
Interface 1(Public) Recv. Throughput (Packets/sec)    Rate of packets received from Interface 1 (packets/sec)
Interface 1(Public) Sent Throughput (Packets/sec)     Rate of packets sent from Interface 1 (packets/sec)
Interface 0(Private) Recv. (Bytes)                    Number of bytes received from Interface 0 (bytes)
Interface 0(Private) Sent (Bytes)                     Number of bytes sent from Interface 0 (bytes)
Interface 0(Private) Recv. (Packets)                  Number of packets received from Interface 0 (packets)
Interface 0(Private) Sent (Packets)                   Number of packets sent from Interface 0 (packets)
Interface 0(Private) Recv. Throughput (Bytes/sec)     Rate of bytes received from Interface 0 (bytes/sec)
Interface 0(Private) Sent Throughput (Bytes/sec)      Rate of bytes sent from Interface 0 (bytes/sec)
Interface 0(Private) Recv. Throughput (Packets/sec)   Rate of packets received from Interface 0 (packets/sec)
Interface 0(Private) Sent Throughput (Packets/sec)    Rate of packets sent from Interface 0 (packets/sec)
Interface 2(DMZ) Recv. (Bytes)                        Number of bytes received from Interface 2 (bytes)
Interface 2(DMZ) Sent (Bytes)                         Number of bytes sent from Interface 2 (bytes)
Interface 2(DMZ) Recv. (Packets)                      Number of packets received from Interface 2 (packets)
Interface 2(DMZ) Sent (Packets)                       Number of packets sent from Interface 2 (packets)
Interface 2(DMZ) Recv. Throughput (Bytes/sec)         Rate of bytes received from Interface 2 (bytes/sec)
Interface 2(DMZ) Sent Throughput (Bytes/sec)          Rate of bytes sent from Interface 2 (bytes/sec)
Interface 2(DMZ) Recv. Throughput (Packets/sec)       Rate of packets received from Interface 2 (packets/sec)
Interface 2(DMZ) Sent Throughput (Packets/sec)        Rate of packets sent from Interface 2 (packets/sec)
Log Disk Total (KB)                                   Total disk space for log files in Kbytes
Log Disk Used (KB)                                    Total disk space used for log files in Kbytes
Log Disk Free (KB)                                    Total disk space available for log files in Kbytes
Log Disk Used (%)                                     Percentage of disk space used for log files
Log Disk Free (%)                                     Percentage of disk space available for log files
Log Directory Size (KB)                               Total size of the directory containing log files in Kbytes
Event Log Size (KB)                                   Event log file size in Kbytes
Traffic Log Size (KB)                                 Traffic log file size in Kbytes
Alarm Log Size (KB)                                   Alarm log file size in Kbytes
Event Log Increment (KB)                              Event log file size increment per interval
Traffic Log Increment (KB)                            Traffic log file size increment per interval
Alarm Log Increment (KB)                              Alarm log file size increment per interval
Event Log Growth Rate (KB/sec)                        Event log file size increment rate (Kbytes/second)
Traffic Log Growth Rate (KB/sec)                      Traffic log file size increment rate (Kbytes/second)
Alarm Log Growth Rate (KB/sec)                        Alarm log file size increment rate (Kbytes/second)
Phase One SA Log Size (KB)                            Phase one SA log file size in Kbytes
Phase Two SA Log Size (KB)                            Phase two SA log file size in Kbytes
Remote User Log Size (KB)                             Remote user log file size in Kbytes
Incoming Stream Requests                              Number of incoming stream requests
Interface 1(Public) Stream Requests                   Number of incoming stream requests from Interface 1
Interface 0(Private) Stream Requests                  Number of incoming stream requests from Interface 0
Interface 2(DMZ) Stream Requests                      Number of incoming stream requests from Interface 2
Incoming Stream Req./sec                              Rate of incoming stream requests
Interface 1(Public) Stream Req./sec                   Rate of incoming stream requests from Interface 1
Interface 0(Private) Stream Req./sec                  Rate of incoming stream requests from Interface 0
Interface 2(DMZ) Stream Req./sec                      Rate of incoming stream requests from Interface 2
Incoming Stream Requests Denied                       Number of denied stream requests
Interface 1(Public) Stream Requests Denied            Number of denied stream requests from Interface 1
Interface 0(Private) Stream Requests Denied           Number of denied stream requests from Interface 0
Interface 2(DMZ) Stream Requests Denied               Number of denied stream requests from Interface 2
Incoming Stream Req. Denied/sec                       Rate of denied stream requests
Interface 1(Public) Stream Requests Denied/sec        Rate of denied stream requests from Interface 1
Interface 0(Private) Stream Requests Denied/sec       Rate of denied stream requests from Interface 0
Interface 2(DMZ) Stream Requests Denied/sec           Rate of denied stream requests from Interface 2
Total Bytes Recv.                                     Number of bytes received
Total Bytes Sent                                      Number of bytes sent
Total Packets Recv.                                   Number of packets received
Total Packets Sent                                    Number of packets sent
Total IPSEC Traffic (bytes)                           IPSEC traffic in bytes
Total IPSEC Packets                                   IPSEC packets
Total Tunnel Mode SA                                  Number of tunnel mode SA in the system currently
Total Transport Mode SA                               Number of transport mode SA in the system currently
Total ESP SA                                          Number of ESP protocol SA in the system currently
Total AH SA                                           Number of AH protocol SA in the system currently
Total Manual Key SA                                   Number of SA using manual key in the system currently
Total Auto Key SA                                     Number of SA using auto (IKE) key in the system currently
Total Expired SA                                      Total number of expired SA since start of system
HA1 Port Status (1=up)                                HA1 interface status (1=up; 0=down)
HA2 Port Status (1=up)                                HA2 interface status (1=up; 0=down)
Active User Sessions                                  Number of remote users’ sessions
Remote Users Logon                                    Number of remote user logons since last poll
Remote Users Logoff                                   Number of remote user logoffs since last poll
Remote Users Authentication Failed                    Number of failed remote user logons since last poll
Aggregate counters for all VPN end-point pairs
Counter Name                          Description of Counter’s Function
Total Inbound SA                      Total number of inbound SA
Total Outbound SA                     Total number of outbound SA
Total SA                              Total number of SA
Total Inbound Bytes/sec               Traffic rate through inbound SA
Total Outbound Bytes/sec              Traffic rate through outbound SA
Total Inbound Pkts/sec                Packet rate through inbound SA
Total Outbound Pkts/sec               Packet rate through outbound SA
Total Decryption Error Rate (%)       Total decryption error packet rate
Total Authentication Error Rate (%)   Total authentication error packet rate
IPSec counters per VPN end-point pair
Counter Name                          Description of Counter’s Function
Inbound SA                            Number of inbound SA of a VPN end-point pair
Outbound SA                           Number of outbound SA of a VPN end-point pair
Inbound Bytes/sec                     Traffic rate through inbound SA of a VPN end-point pair
Outbound Bytes/sec                    Traffic rate through outbound SA of a VPN end-point pair
Inbound Pkts/sec                      Packet rate through inbound SA of a VPN end-point pair
Outbound Pkts/sec                     Packet rate through outbound SA of a VPN end-point pair
Decryption Error Rate (%)             Decryption error packet rate of a VPN end-point pair
ESP Authentication Error Rate (%)     ESP authentication error packet rate of a VPN end-point pair
AH Authentication Error Rate (%)      AH authentication error packet rate of a VPN end-point pair
Replay Error Rate (%)                 Replay error packet rate of a VPN end-point pair
Inbound Bytes                         Number of inbound bytes of a VPN end-point pair
Outbound Bytes                        Number of outbound bytes of a VPN end-point pair
Inbound Packets                       Number of inbound packets of a VPN end-point pair
Outbound Packets                      Number of outbound packets of a VPN end-point pair
Policy counters for all policies
Counter Name                                Description of Counter’s Function
Number of Policies                          Total number of policies
Packets Disc. by Firewall                   Total number of packets discarded by Firewall policies
Packets Disc. at Interface 1(Public) (%)    Percentage of packets discarded at Interface 1
Packets Disc. at Interface 0(Private) (%)   Percentage of packets discarded at Interface 0
Packets Disc. at Interface 2(DMZ) (%)       Percentage of packets discarded at Interface 2
Packets Disc. by IPSEC Error (%)            Percentage of packets discarded by IPSEC errors (decryption error, authentication error, replay error)
Packets Disc. by Decryption Error (%)       Percentage of packets discarded by decryption errors
Packets Disc. by Authentication Error (%)   Percentage of packets discarded by authentication errors
Packets Disc. by Replay Error (%)           Percentage of packets discarded by replay errors
Policy counters per policy
Counter Name                          Description of Counter’s Function
Traffic (Bytes)                       Number of bytes handled by a policy
Traffic (Packets)                     Number of packets handled by a policy
Throughput (Bytes/sec)                Throughput in bytes/sec of a policy
Throughput (Pkts/sec)                 Throughput in packets/sec of a policy
Number of SA                          Number of SA belonging to a policy
Packet Disc. (%)                      Packet discard rate of a policy
Decryption Error Packets              Number of packets handled by a policy with decryption error
Authentication Error Packets          Number of packets handled by a policy with authentication error
Replay Error Packets                  Number of packets handled by a policy with replay error
Decryption Error Rate (%)             Decryption error rate of a policy
Authentication Error Rate (%)         Authentication error rate of a policy
Replay Error Rate (%)                 Replay error rate of a policy
CHAPTER 15
Using Log Manager
Vcontroller can log an extensive array of system activities and save the logs as text files for future reference. You can activate logging to record the following categories of system activities:
Event log
Records all the events such as key negotiation activities, denial-of-service attacks, device failures, and administrative activities.
Traffic log
Records all the traffic going through the appliance, and whether or not this data is passed or blocked according to the current set of policies.
Alarm log
Records a history of all alarms that have been triggered by various events or occurrences.
RAS User log
Records a history of every RAS client connection made through this appliance, including user name, origin of the connection, when the user logged in (and out), and a summary of connection statistics.
Phase One SA and Phase Two SA logs
Records the creation and expiration histories for each phase of security associations pertaining to VPN tunnels established in the system.
A Firebox Vclass appliance has a limited file-storage capacity. Log files are limited to 200 KB, except the Traffic log, which can be as large as 1 MB.
When a log file exceeds the preset limit, the oldest entries are deleted. To help you manage your log files and prevent losing any entries, a predefined alarm, “LOG_FILE_FULL,” alerts you when a specific log file is getting too big. At that time, you can back up the log file for future reference.
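Added example, not from the guide: the arithmetic behind the Real-time Monitor counters “<Log> Increment (KB)” and “<Log> Growth Rate (KB/sec)” from the catalog in Chapter 14, carried through to an estimate of how long each log has before it reaches the limit stated above. The size samples, the 30-second polling interval and the reading of 1 MB as 1024 KB are constructed assumptions.

```python
"""Estimate when a Firebox Vclass log file will reach its size limit.

Added example, not part of the WatchGuard guide. It mirrors the arithmetic
behind the Real-time Monitor counters "<Log> Increment (KB)" (size change per
polling interval) and "<Log> Growth Rate (KB/sec)", and combines them with the
limits the guide states: 200 KB per log, 1 MB for the Traffic log.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Limits in KB as stated in the guide (1 MB taken as 1024 KB: an assumption).
LOG_LIMIT_KB = {
    "event": 200,
    "alarm": 200,
    "ras_user": 200,
    "phase_one_sa": 200,
    "phase_two_sa": 200,
    "traffic": 1024,
}


@dataclass
class LogSample:
    """One Real-time Monitor poll of a '<Log> Size (KB)' counter."""
    log: str
    poll_time: float   # seconds since monitoring started
    size_kb: float


def increment_kb(prev: LogSample, cur: LogSample) -> float:
    """'<Log> Increment (KB)': size change over one polling interval.

    The appliance deletes the oldest entries once the limit is reached, so a
    negative value means a purge happened during the interval.
    """
    return cur.size_kb - prev.size_kb


def growth_rate_kb_per_sec(prev: LogSample, cur: LogSample) -> float:
    """'<Log> Growth Rate (KB/sec)': increment divided by the interval length."""
    interval = cur.poll_time - prev.poll_time
    if interval <= 0:
        raise ValueError("polling samples must be strictly increasing in time")
    return increment_kb(prev, cur) / interval


def seconds_until_limit(cur: LogSample, rate_kb_per_sec: float) -> Optional[float]:
    """Seconds until the log reaches its limit at the observed rate.

    Returns 0.0 when the log is already at or past the limit (the condition
    LOG_FILE_FULL reports) and None when the log is not growing.
    """
    limit = LOG_LIMIT_KB[cur.log]
    if cur.size_kb >= limit:
        return 0.0
    if rate_kb_per_sec <= 0:
        return None
    return (limit - cur.size_kb) / rate_kb_per_sec


def logs_needing_archive(samples: Dict[str, List[LogSample]],
                         warn_within_sec: float = 3600) -> List[str]:
    """Names of logs that will hit their limit within warn_within_sec.

    `samples` maps a log name to its polls, oldest first; only the last two
    polls are used, like a single Real-time Monitor interval.
    """
    flagged = []
    for log, polls in samples.items():
        if len(polls) < 2:
            continue
        prev, cur = polls[-2], polls[-1]
        rate = growth_rate_kb_per_sec(prev, cur)
        eta = seconds_until_limit(cur, rate)
        if eta is not None and eta <= warn_within_sec:
            flagged.append(log)
    return flagged


# Constructed samples at a 30-second polling interval (within the 5-60 s range).
SAMPLES = {
    "traffic": [LogSample("traffic", 0, 940.0), LogSample("traffic", 30, 970.0)],
    "event":   [LogSample("event", 0, 120.0), LogSample("event", 30, 120.5)],
    "alarm":   [LogSample("alarm", 0, 200.0), LogSample("alarm", 30, 199.0)],  # purged
}

if __name__ == "__main__":
    for name, polls in SAMPLES.items():
        rate = growth_rate_kb_per_sec(polls[-2], polls[-1])
        print(f"{name:8s} rate={rate:.3f} KB/s  eta={seconds_until_limit(polls[-1], rate)}")
    print("archive soon:", logs_needing_archive(SAMPLES))
```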
WatchGuard recommends the use of remote logging, using syslog, as described in “Activating the remote logging feature” on page 385.
Viewing the Logs
Use Log Manager to view your logs at any time. When the Log Manager window is opened, Vcontroller contacts the Firebox Vclass appliance and extracts the latest logs. The 500 most recent entries are listed.
1 From the main Vcontroller window, click Log Manager.
The Log Manager window appears.
2 Click each tab to review the entries for that category.
3 If the log has more than 500 entries, as noted in the status message in the lower-left corner, click Next to download the next group of records.
4 Click Prev to display earlier listings.
5 To update the screen with the latest entries, click Refresh.
6 To increase or decrease the number of entries displayed, click Number of Entries in the lower-right corner of this window.
A counter pop-up appears in the tab.
- Move the slider to the desired number and then click outside of the pop-up to close it.
Filtering a current log
When viewing a log, you may see entries that seem irrelevant. You can use the Filter feature to view only those records that you want to see.
1 After selecting the appropriate tab, right-click a specific column header to open the Filter pop-up window.
Right-clicking different column headers displays different filter choices relevant to the header.
2 Select a search option or type a text string in the Search field and then click Filter. Shift-click to select more than one search option.
Vcontroller displays only those records matching the search options in the tab. The column header you filtered displays an asterisk to the left of the title.
NOTE
Following a filtering action, you can right-click other column headings and repeat this process to further filter the entries until you have the exact records that you want.
3 To undo the filtering, reopen the Filter pop-up and click Disable Filter.
Vcontroller restores the previously visible log entries that were filtered out of view.
Log Settings
You can use four separate log files to monitor and record almost any level of Firebox Vclass system activities.
To configure the logging settings:
1 Click Settings.
The System Configuration dialog box appears displaying the log settings.
2 To enable traffic logging, click the Enable Traffic Logging checkbox.
The Firebox Vclass appliance begins logging traffic.
NOTE
If you leave this option disabled, you can still use the Log Manager window to view information about other system activity. For more information, see “Viewing the Logs” on page 380.
3 To enable event logging, select the Enable Event Logging checkbox.
4 To change the amount of information recorded in the Event log, click the Event Log Level options slider and move it to the logging level you want.
NOTE
The system purges the oldest log entries when a log file reaches a certain size. The more events you include, the more frequently the log content is deleted. Vcontroller provides a default alarm that notifies you when a log file is almost full.
Activating the remote logging feature
If you have a syslog server accessible through the network, you can designate that server as the default destination for all future log archive files. This is the preferred method for storing log files.
The Firebox Vclass appliance can record all the event, alarm, RAS user, phase one and phase two SA, and traffic logs to any designated remote server that supports the remote syslog mechanism. To make this possible, the remote logging feature on the Firebox Vclass appliance must be linked to the log server, as described in the following instructions. In addition, the syslog daemon on the server must be configured to accept log traffic from other systems; the server's user documentation should describe how to set this up.
To store your log files on a remote server:
1 Select the Remote Logging checkbox.
2 Type the IP address of the syslog server in the appropriate field.
3 Click Detail.
The Remote Log Detail dialog box appears.
4 Select the Facility and Priority from the drop-down lists for each log category. To use the default settings, click Default.
5 Click Done.
6 When you have finished configuring, click Reset or Apply.
Reset
Returns the settings to the previous configuration.
Apply
Immediately commits the settings to the Firebox Vclass appliance.
7 Click Close.
The System Configuration dialog box closes.
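Added example, not WatchGuard code: the receiving side of the link described above. It decodes the syslog PRI value in which the Facility and Priority chosen in step 4 arrive, drops datagrams from any sender other than the appliance, and files each line under its log category. The facility assignment, the appliance address and the message bodies are constructed assumptions, since the guide does not show the appliance's wire format.

```python
"""Minimal remote-syslog receiver for Firebox Vclass logs.

Added example, not WatchGuard code. The appliance sends each log category with
the Facility and Priority chosen in the Remote Log Detail dialog; on the wire
those two values arrive packed into the syslog PRI field at the start of the
line:  "<PRI>"  where  PRI = facility * 8 + severity.
The facility-to-category assignment below is an assumption for this example
(use whatever you chose in the dialog); the sample message bodies are
constructed and are not the appliance's real format.
"""
import re
import socket
from typing import Optional, Tuple

SEVERITY_NAMES = ["emerg", "alert", "crit", "err",
                  "warning", "notice", "info", "debug"]

# Assumed mapping from the facility set in step 4 to the Firebox log category.
# local0..local7 are facilities 16..23.
CATEGORY_BY_FACILITY = {
    16: "event",         # local0
    17: "traffic",       # local1
    18: "alarm",         # local2
    19: "ras_user",      # local3
    20: "phase_one_sa",  # local4
    21: "phase_two_sa",  # local5
}

# The syslog daemon has to be opened to remote senders, so restrict which
# ones are accepted. Constructed (TEST-NET-1) address for the appliance.
ALLOWED_SENDERS = {"192.0.2.1"}

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_pri(line: str) -> Tuple[int, int, str]:
    """Split '<PRI>body' into (facility, severity, body).

    Raises ValueError for a missing or out-of-range PRI (the maximum is 191:
    facility 23, severity 7).
    """
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    return pri // 8, pri % 8, m.group(2)


def route(line: str, sender: str) -> Optional[Tuple[str, str, str]]:
    """Return (category, severity_name, body), or None if the line is dropped.

    Dropped: unknown sender, malformed PRI, or a facility that no Firebox log
    was assigned to (for instance another host's logs on the same port).
    """
    if sender not in ALLOWED_SENDERS:
        return None
    try:
        facility, severity, body = parse_pri(line)
    except ValueError:
        return None
    category = CATEGORY_BY_FACILITY.get(facility)
    if category is None:
        return None
    return category, SEVERITY_NAMES[severity], body.rstrip("\r\n")


def serve(bind_addr: str = "0.0.0.0", port: int = 514) -> None:
    """Listen on UDP/514 and append each routed line to <category>.log."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, (sender, _) = sock.recvfrom(8192)
        routed = route(data.decode("utf-8", errors="replace"), sender)
        if routed is None:
            continue
        category, sev, body = routed
        with open(f"{category}.log", "a", encoding="utf-8") as fh:
            fh.write(f"{sev} {body}\n")


# Constructed sample datagrams (line, sender address).
SAMPLES = [
    ("<134>May 19 10:30:00 firebox event: IKE phase 1 SA established", "192.0.2.1"),
    ("<140>May 19 10:30:01 firebox traffic: deny tcp 198.51.100.7 -> 203.0.113.2:23", "192.0.2.1"),
    ("<146>May 19 10:30:02 firebox alarm: LOG_FILE_FULL event log", "192.0.2.1"),
    ("<13>May 19 10:30:03 otherhost sshd: accepted", "198.51.100.9"),  # wrong sender
    ("<13>May 19 10:30:04 firebox user: noise", "192.0.2.1"),          # facility 1 (user): unassigned
    ("no pri here", "192.0.2.1"),                                      # malformed
]

if __name__ == "__main__":
    for sample_line, sample_sender in SAMPLES:
        print(route(sample_line, sample_sender))
```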
Log Archiving
When your log files are full or nearly full, or if your organizational archiving policy dictates, you can archive your log files to a text file. This file is archived to a specific directory on your workstation:
Windows workstations: c:\WatchGuard\log
UNIX workstations: the user's home directory
Log files are assigned a name in this format:
<type>_<date>.rsl
For example, a traffic log file that was archived at 10:30 am on May 19, 2001 would be named: traffic_20010519_1030.rsl
To archive your log files:
1 From the main Vcontroller window, click Log Manager.
The Log Manager window appears.
2 Click the Log Archiving tab.
3 To select the log categories you want archived, select all of the appropriate checkboxes: Alarms, Events, Traffic, RAS Users, Phase One SA, and Phase Two SA.
4 Click Archive Now to archive a file to the default directory location, C:\WatchGuard\Log\, or click Browse to select a different directory.
When the archiving is complete, a dialog box appears.
5 Click OK.
NOTE
You cannot set up the Firebox Vclass appliance to automatically archive logs.
CHAPTER 16
System Information
The System Information window provides accurate and up-to-date information on your system’s current status. This dialog box contains a number of tabs that provide information on a variety of system components.
General Information
For general information on Firebox Vclass appliance status, use the System Information window General tab.
1 From the main Vcontroller window, click System Information.
The System Information dialog box appears.
2 Click the General tab.
You can use this tab to view general information, such as the model number, current system software version, serial number, system mode (Router or Transparent), IP address for Interface 0 or the System IP, contact person, and location of the appliance.
3 Click Close.
VPN Tunnel Information
You can view tunnels and traffic statistics, delete specific tunnels, or delete all tunnels and purge the appliance of all residual tunnel records. Remember that tunnels are not always closed when the connection is broken.
1 From the main Vcontroller window, click System Information.
The System Information dialog box appears.
2 Click the Tunnels tab.
3 Click one of the following two display categories:
By IPSec Peers
Displays a list of currently active IPSec peers. The total count of tunnels may include some that are not in active use, but are still on record within the database.
By Policies
Displays a list of all policies you have created and the number of VPN tunnels established by each policy.
4 To view the traffic statistics and the associated tunnels for a particular IPSec peer or policy, select the entry from the IPSec Peer list.
The display refreshes and the statistics are displayed on the right. If there are any tunnels associated with this entry, the tunnel list displays them.
5 Click Delete Tunnels to remove all established tunnels associated with this IPSec peer or policy and force the creation of new tunnels. If there are no established tunnels this button is unavailable.
6 Click Refresh to remove the Statistics information from the IPSec Peer List field.
7 To delete a specific tunnel associated with an IPSec Peer or Policy and force the creation of a new tunnel, select the entry from the tunnel list and click Delete.
8 To update the tunnel list with the most recent information, click Refresh .
9 Click Close .
Viewing tunnel details
To view a detailed report of a specific tunnel:
1 Select an entry from the tunnel list and then click Details.
The Detail Tunnel Information dialog box appears.
2 Click Refresh to update the current SAs list with the most recent information. When you are finished, click Close to return to the System Information dialog box, Tunnels tab.
Traffic Information
To view traffic activity information:
1 From the main Vcontroller window, click System Information.
The System Information dialog box appears.
2 Click the Traffic tab.
The following information is displayed on the Traffic tab:
Total Packets
Total number of packets processed since the last reboot of this appliance. This includes packets that pass through this appliance and those that are discarded by firewall policies.
Total Bytes
Data traffic in total bytes processed through this appliance since the last reboot.
IPSec Packets
IPSec activity in total number of packets that have been encrypted or decrypted, since the last system startup.
IPSec Bytes
IPSec encryption/decryption activity in bytes.
Total Tunnels
Number of VPN tunnels.
3 Click Refresh to update the display with the most recent information.
4 Click Reset Connections to disconnect all current connections. This will flush the Firebox Vclass appliance of all residual data connections that may be hampering performance.
5 Click Close .
Route Information
To view the routing table information:
1 Click the Routes tab.
2 Click Refresh to update the display with the most recent information.
3 When you are finished, click Close .
NOTE
Interfaces are not listed in this table in Transparent Mode.
RAS User Information
After you have set up Remote Access Service (RAS) and implemented VPN policies, you can monitor and manage the current remote user connections using the System Information window.
1 Click the RAS User tab.
The currently active RAS users are displayed.
2 Click Disconnect to break the selected user connection, including any established tunnels. If an internal IP address was assigned to this user, it will be returned to the system for future use.
3 Click Refresh to update the Active RAS Users display with the most recent information.
4 When you are finished, click Close .
Viewing RAS user information and tunnel details
You can view a real-time snapshot of a user connection, including information about the properties of a user, properties of tunnels being used by this user, and detailed traffic statistics.
1 Select a user entry from the Active RAS Users list and then click Detail.
The RAS User Information dialog box appears.
The User Information and Statistics areas provide extensive information about this user and the current connection. The Tunnel List catalogs the tunnels currently in use.
2 Click Refresh to update the Statistics display with the most recent information.
3 Click Disconnect to break the selected user connection, including any established tunnels. If an internal IP address was assigned to this user, it will be returned to the system for future use.
4 To delete a specific tunnel associated with a RAS user and force the creation of a new tunnel, select the entry from the tunnel list and click Delete.
5 To update the tunnel list with the most recent information, click Refresh.
6 To view a detailed report of a specific tunnel, select an entry from the tunnel list and then click Details. Most of the time, a RAS User connection will have only a single tunnel.
The Detail Tunnel Information dialog box appears.
- Click Refresh to update the Current SAs list with the most recent information. When you are finished, click Close to return to the System Information, Tunnels tab.
- When you are finished, click Close to return to the RAS User Information window.
Interface 1 (Public) Information
This tab displays the status of interface 1 (Public) and the IP addressing mode in use: Static, DHCP, or PPPoE. This tab is not available in Transparent Mode.
1 From the main Vcontroller window, click System Information.
The System Information dialog box appears.
2 Click the Interface 1 (Public) tab.
The Interface 1 (Public) information is displayed.
3 Click Refresh to update the display with the most recent information.
4 If the Backup WAN feature is enabled, you can switch between the Primary and Backup configurations by clicking the Switch to button.
This button always lists the name of the currently inactive WAN. If Primary is the current configuration, the Switch To option is Backup. If the Backup connection is active, the Switch To option is Primary.
5 When you are finished, click Close .
DHCP Server Information
If you have configured the Firebox Vclass appliance to act as a DHCP server, you can use this tab to view the DHCP lease information.
This tab is not available in Transparent Mode.
1 From the main Vcontroller window, click System Information.
The System Information dialog box appears.
2 Click the DHCP Server tab.
The DHCP server lease information is displayed.
3 Click Refresh to update the display with the most recent information.
4 When you are finished, click Close .
Runtime Blocked IP List
The Blocked IP List in the System Information window allows you to temporarily block sites by IP address. Sites that are automatically blocked by a proxy action are also added to this list. This is a “runtime” list, and the list is discarded upon a system reboot. To permanently block IP addresses, use the Blocked Sites list in the System Configuration window.
1 From the main Vcontroller window, click System Information.
The System Information dialog box appears.
2 Click the Blocked IP List tab.
The Runtime Blocked Site List dialog appears.
3 Click Add to add a blocked site.
The Add Blocked Site dialog appears.
4 In the IP Address field, type the IP address that you want to block.
5 In the Expiration Time field, type an expiration time for this site in minutes.
The maximum time you can block a runtime site for is 100,000 minutes, or approximately 70 days.
6 Click Apply to add the site to the list, or Cancel to return to the window without adding a site.
To change expiration time for a runtime blocked site:
1 Select the Blocked site on the list.
2 Click Change Expiration .
The Change Expiration Time dialog appears.
3 In the IP Address field, type a new expiration period for the IP address, and then click Apply, or click Cancel to return to the Runtime Blocked Site List.
To delete an entry from the Runtime Blocked Site list:
1 Select the entry and click Delete .
A warning dialog appears.
2 Click OK to delete the entry, or Cancel to return to the Runtime Blocked IP List.
NOTE
You can Shift-click to select multiple contiguous sites from the list, or Control-click to select multiple non-contiguous sites.
To refresh the Runtime Blocked IP List:
• Click Refresh . The List of Runtime Blocked IP addresses is refreshed. New sites that have been blocked by Proxy Actions since the last refresh of the window now appear. Sites that have expired since the last refresh of the window are no longer listed.
CHAPTER 17
Backing Up and Restoring Configurations
The WatchGuard Vcontroller offers an array of built-in archiving and data restoration capabilities. You can save all your configuration settings and policies in anticipation of a severe data loss, and then reapply that data, when needed, to restore a system.
NOTE
X.509 certificates and software licenses are not archived. You must reimport the original files into an appliance when necessary.
Three scenarios require that you restore your security appliance database:
• The Firebox Vclass appliance crashes and corrupts the current set of configurations and policies.
• A recently modified set of policies is compromised.
• You create and apply a different configuration, and then later restore the previous configuration.
Unless you establish a regular schedule of Vcontroller database backups, you risk having to re-create all your configuration entries or policies. Make a habit of keeping regular archive sets available.
Create a Backup File
1 From the main Vcontroller window, click Back Up/Restore.
The Backup/Restore dialog box appears.
2 Click the Backup tab.
3 To use the default file name and directory, click Backup Now.
4 To use a different directory of your choosing, click Browse.
The Select Backup File dialog box appears.
5 Browse to the directory, type a file name of your choosing in the appropriate field, and then click Select .
The newly created file path appears in the file name field.
6 Click Backup Now .
It is strongly recommended that you copy the archived file into a safe location.
Restoring an Archived Configuration
You can restore the Vclass configuration from any previous configuration that you have backed up, as long as it is backed up with the same Vclass software version (for example, 5.0). Be careful when restoring configurations to restore the correct configuration to the appropriate appliance. For example, a backup configuration for a V80 model cannot be used to restore a V60 model.
To restore an archived configuration file:
1 Click the Restore tab.
2 Click Browse .
The Select the file to restore dialog box appears. This dialog box should automatically open to the directory containing all previous archived files.
3 Select the appropriate backup file and then click Select .
The backup file name appears in the File Name field.
4 Click Restore Now .
A Warning dialog box appears.
5 To restore the appliance, click OK; otherwise, click Cancel.
After the restoration is complete, another dialog box appears.
6 Click OK to proceed.
Another dialog box appears reporting that the server is restarting. This dialog box closes itself when restart is complete.
7 Click the Log In button to log into your newly restored Firebox Vclass appliance.
Restoring to Factory Default
Vcontroller enables you to revert a Firebox Vclass appliance to the initial factory configuration, so you start over with an appliance as if it just came out of the box.
NOTE
Perform this task only when all other diagnostics or troubleshooting efforts fail. Factory default configuration is also required for some configuration changes, such as changing an appliance from Router Mode to Transparent Mode.
1 Click the Factory Default tab.
2 Read the displayed text. If you want to complete the process, click Restore to Factory Default .
A confirmation dialog box appears, asking if you want to erase all the current settings and policies.
3 If you want to continue, click OK .
The Firebox Vclass appliance applies the original factory default settings and reboots.
For information on configuring a Firebox Vclass appliance in a factory default state, see “Getting Started” on page 21.
Resetting an Appliance Completely
In the event that you either lose the superadmin login or password to the box, or you have a configuration problem that you cannot fix in any other way, you may want to completely reset the Vclass appliance.
NOTE
This procedure is for the V60, V60L, V80, or V100.
This procedure will reset the V60 or V80 to factory defaults. This procedure should be followed if you lose the password to the unit or have a configuration problem with the unit where you cannot otherwise remedy the configuration. After this process completes:
• All ethernet interfaces will revert back to their default addresses
• The superadmin username and password will revert back to “admin”
• The policy database and all other configuration data will be erased
What you need
• A PC with a terminal emulator program, for example Hyperterminal
• The RJ45 to RJ45 “null modem” serial cable and DB9 serial adapter supplied with the Vclass unit
• The serial number from the V60, V60L, V80, or V100 appliance
Restoring the appliance
1 Connect the null modem serial cable from the PC’s serial port to the Console port on the Vclass appliance.
2 Launch the terminal emulator program. Set the terminal emulator to use the serial port you are connected to (e.g. COM1, COM2). Use the following settings to connect to the Vclass device:
- Bits per Second: 9600
- Data Bits: 8
- Parity: None
- Stop Bits: 1
- Flow Control: None
3 Reset the device, and wait until you see the following text:
Loading linux-wg...
4 Press Escape immediately. If you miss it and see the line
Continue Booting...
reset the device and try again.
5 You will see the following message:
Please Enter Serial Number -->
Enter the system serial number. This field is case sensitive. Enter the system serial number again when prompted.
6 The following message appears:
SUCCESS: Database and password were reset to factory default.
Continue Booting...
7 Wait five minutes, turn off the device, then start the system again.
The Vclass device is now completely reset. The login and password for the device is reset to “admin/admin,” the interfaces are reset to default addresses, and all configuration data is deleted.
Exporting and Importing Configuration Files
You can export a complete, ready-to-use profile (in XML format) from an active, fully configured Firebox Vclass appliance. You can use this file as an efficient way to store your settings, and later import it to restore your Vclass configuration. After this is done, you may need to make a few adjustments to the file and import any needed CA certificates.
1 Click the Export/Import tab.
To export an XML file containing the complete configuration settings and policies:
1 Click Export .
A Save dialog box appears.
2 Open the destination directory and name the export file.
3 Click Save .
When the process is complete, a confirmation dialog box appears.
4 Click OK .
To import an XML file containing the complete configuration settings and policies:
1 Click Import .
An Open dialog box appears.
2 Locate and select the appropriate file.
3 Click Open .
When the process is complete, a confirmation dialog box appears.
4 Click OK .
The Firebox Vclass appliance reboots.
Importing a configuration file using Appliance Discovery
Instead of the usual configuration and setup process, you can import a complete appliance profile as part of the device discovery process.
NOTE
No international or high ASCII characters can be extracted and incorporated into the XML file. Only ASCII characters or numbers are permitted in a Firebox Vclass appliance’s XML profile.
1 When the Devices Found dialog box appears, select the entry of the appliance to configure.
2 Click Import XML Profile .
Some additional options are displayed in the dialog box, as shown in the following illustration.
3 Select the System Mode (Router or Transparent) that the appliance will be running in after the profile is imported. This System Mode must match the System Mode of the Profile you are importing.
4 Click Browse .
The Open dialog box appears.
5 Locate and select the XML configuration file you want to apply to this appliance.
Only files with “.xml” extensions are displayed in this dialog box.
6 If needed, in both the Temporary IP and Mask fields, type the appropriate entries. This temporary IP address must be in the same subnet as your administrative workstation.
The Temporary IP and Mask entries are used to configure interface 0 (Private) of the target Vclass appliance so that the XML file can be transferred to that appliance. The entries are temporary because the interface will be reconfigured with the IP address information defined in the XML file after the appliance has been restarted.
7 Click Update .
After the profile is imported, the Results dialog box appears.
8 Review the messages and then click Close .
9 When the Devices Found dialog box reappears, click Cancel to close it.
10 You can now use the Login dialog box to log in to this appliance using the newly assigned IP address.
Editing an exported configuration file
If the exported file is intended for use in other Firebox Vclass appliances, you can make changes to its contents, as described in this section. Because the configuration file is in XML format, you can open it with any text or XML editor to make changes to the contents. After this is done and you have saved the changes, you can then import the configuration file into a Firebox Vclass appliance.
NOTE
Do not attempt to alter or delete the login/TEXT password text. This text is encrypted during the export process. You must use Vcontroller to change your password after the import has been successfully concluded.
The following example shows the beginning of a typical configuration file in an XML format.
<?xml version="1.0" standalone="yes"?>
<!--DOCTYPE rs-profile SYSTEM "profile.dtd"-->
<profile>
<product-grade>2</product-grade>
<rs-version>1055360192</rs-version>
<using-cpm-profile>0</using-cpm-profile>
<for-version>5.0</for-version>
<for-model>V60</for-model>
<xml-purpose>1</xml-purpose>
The contents are organized within pairs of parameter tags.
You can edit included text as required, though you should edit carefully. An erroneous entry can make the appliance unreliable or inoperable.
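As an added example (not WatchGuard's code and not part of this guide), the following Python script applies the rules the guide states before a profile is imported: the profile's <for-model> and <for-version> must match the target appliance (see “Restoring an Archived Configuration”), and only ASCII characters are permitted (see the note under “Importing a configuration file using Appliance Discovery”). The sample profile is constructed from the fragment above and closed so that it parses; no element names beyond those shown are assumed.

```python
"""Pre-import sanity check for an exported Firebox Vclass XML profile.

Added example, not WatchGuard code. It reads the <for-version> and
<for-model> elements shown in the guide's sample profile and applies the
rules the guide states: the profile must match the target appliance's
software version and model, and must contain only ASCII characters.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the fragment from the guide, closed with </profile>
# so that it is well-formed XML. Values are copied from that fragment.
SAMPLE_PROFILE = """<?xml version="1.0" standalone="yes"?>
<!--DOCTYPE rs-profile SYSTEM "profile.dtd"-->
<profile>
<product-grade>2</product-grade>
<rs-version>1055360192</rs-version>
<using-cpm-profile>0</using-cpm-profile>
<for-version>5.0</for-version>
<for-model>V60</for-model>
<xml-purpose>1</xml-purpose>
</profile>
"""


def find_non_ascii(text):
    """Return (line_number, char) for every non-ASCII character (1-based lines)."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for ch in line:
            if ord(ch) > 127:
                hits.append((lineno, ch))
    return hits


def check_profile(xml_text, target_model, target_version):
    """Return a list of problems; an empty list means the profile may be
    imported into an appliance of the given model and software version."""
    problems = []

    # Rule 1: only ASCII characters are permitted in the XML profile.
    bad_chars = find_non_ascii(xml_text)
    if bad_chars:
        lineno, ch = bad_chars[0]
        problems.append(f"non-ASCII character {ch!r} on line {lineno} "
                        f"({len(bad_chars)} total)")

    # Rule 2: the file must still be well-formed after hand editing;
    # an erroneous entry can make the appliance unreliable or inoperable.
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        problems.append(f"not well-formed XML: {exc}")
        return problems
    if root.tag != "profile":
        problems.append(f"root element is <{root.tag}>, expected <profile>")

    # Rule 3: model and software version must match the target appliance
    # (a V80 backup cannot be restored to a V60, and 5.0 profiles need 5.0).
    for tag, expected in (("for-model", target_model),
                          ("for-version", target_version)):
        elem = root.find(tag)
        if elem is None:
            problems.append(f"missing <{tag}> element")
        elif (elem.text or "").strip() != expected:
            problems.append(f"<{tag}> is {elem.text!r}, "
                            f"but the appliance is {expected!r}")
    return problems


if __name__ == "__main__":
    for model, version in (("V60", "5.0"), ("V80", "5.0")):
        issues = check_profile(SAMPLE_PROFILE, model, version)
        print(f"{model} {version}: {'OK' if not issues else issues}")
```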
If the policies include VPN or IPSec policies that rely on automatic IKE exchanges, you must use the System Configuration dialog box to initiate a new certificate request process. When the certificate is delivered, import the new certificate into Vcontroller. Edit the IKE policies to incorporate the new certificate. The IKE exchanges are now enabled.
If you have imported a configuration file into a Firebox Vclass appliance that contains certificates, a default IKE action is automatically inserted into the configuration file. Any IKE policies that refer to the missing certificate will use a default PSK instead.
The default values of the IKE action are as follows:
Name                        DEFAULT_PSK
Description                 Default PSK-only IKE action
Preshared Key               Default
Mode                        Main
PFS                         Yes
IKE transform
  Authentication            Preshared key
  Encryption algorithm      DES
  Authentication algorithm  MD5
  Lifetime                  8 hours
CHAPTER 18
Using the Diagnostics/CLI Feature
This chapter describes a variety of useful troubleshooting features that can help you identify and resolve problems.
Using Connectivity to Test Network Connections
If network connections appear to be broken, you can use the Firebox Vclass appliance to test the hardware and cabling:
1 From the main Vcontroller window, click Diagnostics/CLI.
The Diagnostics dialog box appears.
2 Click the Connectivity tab.
3 In the IP Address/Name field, type the IP address or DNS host name.
4 Click Ping .
The Ping History table displays the result. This entry describes the time of the test, the address you attempted to ping and the result, either OK or Failed.
5 If this test has verified that the device is responding to Ping packets from the Firebox Vclass appliance, the physical connection is working.
If this test fails, check all physical connections, cables, hubs, and other hardware components.
NOTE
To obtain WatchGuard Technical Support, visit the WatchGuard Web site at the following URL: http://www.watchguard.com
For more information on technical support, see “Service and
Using the Support Features
The debugging support features are helpful in troubleshooting possible malfunctions, but only in conjunction with technical support. A technical support representative may ask you to use these features and then forward the results to WatchGuard for analysis.
Configuring debugging support
1 From the main Vcontroller window, click Diagnostics/CLI.
The Diagnostics dialog box appears.
2 Click the Support tab.
3 Click Configuration .
The Debugging Support dialog box appears.
4 Under the direction of technical support, move the sliders to the requested locations.
5 Click Apply .
6 Click Save Debug Information .
The Select the File dialog box appears.
7 Browse to the proper directory and then click Save .
A confirmation dialog box appears.
8 Click OK .
Saving a Policy to a text file
1 From the main Vcontroller window, click Diagnostics/CLI.
The Diagnostics dialog box appears.
2 Click the Support tab.
3 Click Save Policy .
The Select the file dialog box appears.
4 Browse to the proper directory and click Select .
A confirmation dialog box appears.
5 Click OK .
Executing a CLI Script
The CLI (Command Line Interface) feature in Vcontroller can be used to execute an update, maintenance, or other script on your Vclass device.
NOTE
This is not an actual command line interface window.
After you have received the script from a network administrator or other personnel and stored it on your file system, you can follow these steps to execute it on your appliance.
1 From the main Vcontroller window, click Diagnostics/CLI.
The Diagnostics dialog box appears.
2 Click the CLI tab.
3 Click Open .
The Open dialog box appears.
4 Browse to the proper directory and select the CLI script.
5 Click Open to execute the script.
Saving Diagnostic Information
Saving diagnostic information is helpful in troubleshooting possible malfunctions, but only in conjunction with technical support. A technical support representative may ask you to save diagnostic information and then forward the file to WatchGuard for analysis.
1 From the main Vcontroller window, click Diagnostics/CLI.
The Diagnostics dialog box appears.
2 Click the Diagnostic Information tab.
3 Click Save .
The Save dialog box appears.
4 Browse to the proper directory and select the appropriate file.
5 Click Select .
A confirmation dialog box appears.
6 Click OK .
CHAPTER 19
Setting Up a High Availability System
In a WatchGuard High Availability (HA) system, two Firebox Vclass appliances are connected so that one serves as a ready backup to the other if the main appliance fails while managing network traffic. This chapter guides you in connecting, linking, and running such a high availability (HA) system using two Firebox Vclass appliances in a primary and standby relationship.
NOTE
High Availability is not available in Transparent Mode.
High Availability Modes
There are two High Availability modes: Active/Standby and Active/Active.
• Active/Standby is available for all models that have an HA interface (this feature is available on the V60L as an optional upgrade).
• Active/Active requires the purchase of a software upgrade license, and requires V80 or V100 hardware. Please refer to the WatchGuard Web site for information on purchasing software upgrade licenses: https://www.watchguard.com/upgrade
Active/Standby
Active/Standby means that when a primary appliance fails, the passive appliance comes online with a full copy of the state table, to provide maximum uptime and network availability.
Active/Standby is available for all models that have an HA interface (this feature is available on the V60L as an optional upgrade). The license for this feature is provided to you when you register with the LiveSecurity service.
Active/Active
The Active/Active option works with two Vclass appliances paired together using redundant High Availability
(HA) Ethernet ports. Active/Active uses transparent state failover, which provides a seamless transition if one of the boxes fails and the other must take over. System configuration, policies and firewall, and VPN connections are shared between the two active appliances, so if one fails, the other is fully aware of the state of all connections and can continue carrying the load without dropping any packets.
Active/Active requires the purchase of a software upgrade license, and requires V80 or V100 hardware. Please refer to the WatchGuard Web site for information on purchasing software upgrade licenses: https://www.watchguard.com/upgrade
In this chapter
This chapter discusses High Availability Active/Standby mode.
To learn about High Availability Active/Active mode, see the High Availability Guide that comes with the license key when you purchase the HA Active/Active upgrade option.
In HA Active/Standby mode, you configure the standby appliance to mirror the primary appliance. The standby appliance will be functionally inactive, waiting for a signal from the primary that it has failed. If this occurs, the standby appliance takes over all network management tasks within a very short interval, replacing the failed device.
How High Availability works
The WatchGuard High Availability (HA) system is both automatic and transparent. Switching to a backup appliance occurs almost instantaneously.
When active, the primary appliance regularly sends a
“heartbeat” to the standby appliance. If the primary appliance fails, the heartbeat ceases. When the standby appliance detects three consecutive missed heartbeats, it assumes full network functions and operations within a few seconds.
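The takeover rule above, modelled in Python as an added example that is not part of this guide or of WatchGuard's software. It uses the defaults the chapter gives (one heartbeat per second, HA Group ID 3, takeover after three consecutive missed heartbeats, and takeover when a monitored interface is reported LINK-DOWN); the half-interval grace for a late heartbeat, the event names and the sample timelines are assumptions of this model.

```python
"""Model of the standby appliance's takeover decision in an HA Active/Standby pair.

Added example, not WatchGuard code. Defaults follow the guide: heartbeat
every second, HA Group ID 3, takeover after three consecutive misses or
on a LINK-DOWN report for a monitored interface. The grace period and the
event format are assumptions of this model.
"""
from dataclasses import dataclass, field


@dataclass
class StandbyMonitor:
    """State kept by the standby appliance while it waits on the primary."""
    interval: float = 1.0        # HA heartbeat interval in seconds (guide default)
    miss_threshold: int = 3      # consecutive missed heartbeats before takeover
    group_id: int = 3            # HA Group ID (guide default); other groups are ignored
    role: str = "Standby"        # HA status as the monitor would show it
    last_beat: float = 0.0       # time of the last heartbeat accepted from our primary
    missed: int = 0
    reason: str = ""
    log: list = field(default_factory=list)

    def heartbeat(self, now, group_id):
        """A heartbeat arrived at time `now` from an appliance in `group_id`."""
        if group_id != self.group_id:
            # Another Active/Standby pair on the same subnet: not our primary.
            self.log.append(f"{now:.1f}s: ignored heartbeat from HA group {group_id}")
            return self.role
        self.last_beat, self.missed = now, 0
        return self.role

    def link_down(self, now, interface):
        """The primary reports a monitored interface as LINK-DOWN: take over at once."""
        return self._take_over(now, f"{interface} LINK-DOWN on primary")

    def tick(self, now):
        """Periodic check on the standby. A heartbeat counts as missed once it is
        more than half an interval late (the grace value is an assumption)."""
        if self.role == "Takeover":
            return self.role
        grace = self.interval / 2
        elapsed = now - self.last_beat
        self.missed = max(0, int((elapsed - grace) // self.interval))
        if self.missed >= self.miss_threshold:
            return self._take_over(now, f"{self.missed} consecutive heartbeats missed")
        return self.role

    def _take_over(self, now, reason):
        self.role, self.reason = "Takeover", reason
        self.log.append(f"{now:.1f}s: takeover ({reason})")
        return self.role


def run_scenario(events, **settings):
    """Replay constructed (time, kind, value) events against a fresh monitor.
    kind is "beat" (value = sender's group ID), "link_down" (value = interface)
    or "tick" (no value). Returns (final role, reason, log)."""
    mon = StandbyMonitor(**settings)
    for now, kind, value in sorted(events, key=lambda e: e[0]):
        if kind == "beat":
            mon.heartbeat(now, value)
        elif kind == "link_down":
            mon.link_down(now, value)
        mon.tick(now)
    return mon.role, mon.reason, mon.log


# Constructed timelines (seconds), not captured from an appliance.
HEALTHY = [(0.0, "beat", 3), (1.0, "beat", 3), (2.0, "beat", 3),
           (3.0, "beat", 3), (3.4, "tick", None)]
PRIMARY_LOST = [(0.0, "beat", 3), (1.0, "beat", 3), (2.0, "beat", 3),
                (3.6, "tick", None), (4.6, "tick", None),
                (5.4, "tick", None), (5.6, "tick", None)]
WRONG_GROUP = [(0.0, "beat", 3), (1.0, "beat", 7), (2.0, "beat", 7),
               (3.0, "beat", 7), (4.0, "tick", None)]
LINK_FAILURE = [(0.0, "beat", 3), (1.0, "beat", 3),
                (1.5, "link_down", "Interface 1 (Public)")]

if __name__ == "__main__":
    for name, events in (("healthy", HEALTHY), ("primary lost", PRIMARY_LOST),
                         ("wrong group", WRONG_GROUP), ("link failure", LINK_FAILURE)):
        role, reason, log = run_scenario(events)
        print(f"{name:13s} -> {role} {reason}")
        for line in log:
            print("   ", line)
```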
Prerequisites for a High Availability System
To set up a High Availability Active/Standby system, you need the following:
• Two Firebox Vclass appliances of the same model, running the same software version.
• The appliance you use as the standby appliance must be in the factory default configuration. If you just unpacked this appliance, it is in a factory default state.
If the appliance that will be used as the standby device has already been configured, you must reset it to the factory default configuration using Vcontroller or the
Command Line Interface. For more information, see
“Restoring to Factory Default” on page 407.
Connecting the Appliances
To set up a high availability system, you must connect two Firebox Vclass appliances through the HA port.
• Connect the private interface (0) of the primary appliance to a hub or switch.
• Connect the private interface (0) of the standby appliance to the same hub or switch.
• Connect all other interfaces that are being used in the same way. Every interface connection from the primary appliance to a hub or switch must be matched with a connection from the standby appliance to the same hub or switch.
• Connect the HA interfaces with crossover cables. Connect HA1 to HA1, and HA2 to HA2.
• Connect the Management Station to a hub that is connected to interface 0 (private) on both appliances. The Management Station can also be connected to an HA2 port.
Configuring a Standby Appliance
Use the High Availability tab to configure the standby appliance.
1 From the main Vcontroller window, click System Configuration.
The System Configuration dialog box appears.
2 Click the High Availability tab.
The High Availability settings are displayed.
3 Select the Enable High Availability checkbox.
4 Select the Active/Standby checkbox.
The following HA options are displayed.
These default HA settings include the following:
- All of the appliance’s interfaces will be monitored. If any interface is detected as “LINK-DOWN,” the standby appliance will take over.
- The HA heartbeat interval is set to one beat every second.
- The HA Group ID, which uniquely identifies this group (pair) of Firebox Vclass appliances currently backing each other up, is recorded as 3.
- The HA heartbeat is sent through the HA1 interface.
- The appliance you are currently logged into will be configured as the primary.
NOTE
Make sure that the connection links both HA1 ports on the primary and secondary appliances, and that you are using a crossover cable. If the appliance cannot detect the secondary appliance, check the connection and restart the secondary appliance. When this is done, click the Refresh button to redetect the secondary appliance.
5 In the System Name field, type the name of the primary appliance.
6 If desired, click Encrypt all HA Communication , and type and confirm a shared secret.
This feature is optional, and can be left blank if you do not need to encrypt information sent between these appliances during normal operation. Encryption is not necessary if the HA1 interfaces are connected directly with a crossover cable.
NOTE
For better performance, leave the HA secret blank. This shared secret is used to encrypt HA state-sync information.
VPN tunnel information is always encrypted, even if this encryption is disabled.
7 From the far right of the Interface list, select the Monitoring checkboxes to activate monitoring on specific interfaces. You may have to scroll the Interfaces list to see this column.
8 To apply the default HA configuration to the primary appliance, click Apply .
9 If you need to perform Advanced configuration tasks, such as setting up HA2 as an HA port, or changing the default primary and standby appliance HA port IP addresses, click Advanced. See “Customizing HA System Parameters” on page 432 for more information.
10 Click HA Sync to copy the entire configuration and policy database from the primary appliance to the standby appliance.
This button is active only if the status indicator in the High Availability tab displays an “OK” message. If this button is not active, make sure that the standby appliance has been turned on and that all HA interface connections are secure.
A status dialog box appears. When the synchronization is complete, a confirmation dialog box appears. Both appliances are now ready for standby protection.
NOTE
The first time you perform an HA Sync, the standby appliance must be in factory default configuration.
NOTE
Remember to perform HA Sync every time you make any changes to configurations or to the policy database, to assure total operational consistency between primary and standby appliances.
Customizing HA System Parameters
You can customize a number of HA parameters using the Advanced HA Parameters dialog box. At this level, you can configure the following:
• Send the HA heartbeat to the secondary appliance’s HA2 management interface.
• Change the HA group ID.
In addition, you can manually trigger a Failover or Restart event on the primary or standby appliance.
To change any of these settings:
1 Click Advanced .
The Advanced HA Parameters dialog box appears.
2 To activate monitoring through the HA ports, select the Enable HA on HA1 Port checkbox. You can also optionally select the Enable HA on HA2 Port checkbox.
Note that if HA is enabled on the HA2 interface, that interface cannot be used for management access. If you already configured the HA2 interface for management access in the Interface tab of the System Configuration dialog box, reopen that dialog box and undo those entries.
Note that even if HA is enabled on the HA2 Port, the HA1 ports must still be connected.
3 If specific IP addresses have been assigned to the HA ports, type the IP addresses and netmasks in each of the two HA Interface fields, primary and standby. Otherwise the default addresses are adequate.
You can enter different IP addresses so these ports can be accessed through your local area network.
4 If you plan to set up more than one primary/Standby system in this subnet, delete the 3 in the HA Group ID field and type a number that uniquely identifies this system within the network context. (The number can range between 3 and 255.)
HA Group IDs are used to identify High Availability Active/Standby pairs on your network. Each HA Active/Standby pair should have a separate Group ID. You need to change this number only if other devices are running the VRRP protocol (using the same VRRP ID) on the networks connected to this appliance.
VRRP allows both HA security appliances to share the same MAC and IP addresses.
5 Click OK to save the parameter entries and close the Advanced HA Parameters dialog box.
6 When the High Availability tab reappears, click HA Sync to synchronize your appliances.
7 Click Apply to apply the settings, or Reset to reset the settings.
8 Click Close .
Checking your HA System Status
The HA monitor tells you which appliance you are logged into, whether it is primary or standby, and whether it is Active or Failover.
Detailed system status
Detailed HA system status is shown in the System Configuration/High Availability dialog box. This status includes the HA role, status, DB timestamp, and failure reason (if one exists) for both systems.
To view detailed system status, open the System Configuration dialog box and click the High Availability tab. You can view the HA status of both the primary and standby appliances at the same time. The following list describes the possible Status messages you might see.
Active        The current appliance is active
Standby       The current appliance is standing by
Failed        The current appliance has failed (for example, the link is down)
Takeover      The peer appliance has failed and the current system takes over
Admin         Administration mode
Unavailable   When the current appliance cannot detect its peer appliance, it shows this state in the peer HA status
Additional Preparation for Failover
Make sure, in anticipation of a failover, that you open and edit the existing Event Alarm definition so that you are notified by an SNMP trap, email alert, or both. You should also make sure that all SNMP stations have been registered in the appliances, as can be done in the System Configuration dialog box’s SNMP tab.
For more information on defining alarms, see “Using
Index
A
access privileges adding
for remote users
Account button
Account Manager window
account manager, using
accounts changing existing
types of (see also admin, super user, and end user accounts)
Active Features dialog box 140
Add Route dialog box
Address Group dialog box
address groups
nesting
admin accounts described
Advanced HA Parameters dialog box
Advanced Policy Settings dialog box
AH
Alarm button
Alarm Definition dialog box 353, 359
Alarm Details dialog box
Alarm log
alarms activating email notification
changing definition of
clearing
defining
defining severity of
defining single-condition
setting SNMP trap for
Allow
appliances, configuring standby
Authentication Header
automatic key mode
automatic key VPN policies authentication type
perfect forward secrecy
protecting against replay attacks
B
Backup Connection
Enter Server IPs
polling timeout
backup connection
Backup/Restore button
backups
when required
Block
blocked sites
buttons
Account
Alarm
Help
IKE Policy
Log Manager
Monitor
NAT/LB Action
Security Policy
Shutdown/Reboot
System Configuration
System Information
Upgrade
C
cabling
Certificate Request dialog box 118
Certificate Revocation List,
certificates
nullifying
requesting
requirements for requesting
changing date and time
CLI update script, importing 421
configuration files exporting, importing
importing using appliance discovery
restoring
context-sensitive help
creating a Proxy Action
CRL, importing
D
date & time, changing
Date, Time, and Time Zone dialog box
Debugging Support dialog box 418
debugging support options, using 417,
Default Firewall Policy tab
denial-of-service options
Detail Tunnel Information dialog box
Device Discovery
Devices Found dialog box
Devices Not Found dialog box
DHCP server, enabling
diagnostic information, saving
Diagnostics dialog box
dialog boxes
Alarm Definition
Alarm Details
Debugging Support
Detail Tunnel Information 392,
Diagnostics
Edit (Name) Schedule
Edit Interface
IKE Policy
Import License
Insert IKE Policy
Insert Security Policy
Kill Login
License Detail
Login
NAT/LB Action
New Address Group Member
New ESP Transform
New IKE Action
New IKE Transform
New IPSec Proposal
New Load Balancing/NAT
New Mapping
New RAS User dialog box
New Schedule
New Service Item
New Tenant
New User Group Profile
RAS Configuration
RAS User Detail
RAS User Information
Remote Log Detail
Results
Schedule
Select Backup File
Select Condition
Service
System QoS
System Tunnel Switching
Tenant
TOS Marking
Upgrade
Vcontroller Login
Diffie-Hellman groups
distributed denial-of-service attacks
DNS options, configuring
DNS Server dialog box
DNS servers, adding
dynamic NAT
described
example firewall policy for 212
dynamic NAT policies
user-defined IP
dynamic routes, configuring
E
Edit (Name) Schedule dialog box 206
Edit Daily Schedule dialog box
Edit RAS User dialog box
Edit Security Policy dialog box
editing a Proxy Action
email screening with SMTP proxy
email notification of alarm
Enable User Authentication option
Encapsulating Security Payload
encryption
end user accounts
delivering to users
ESP
Event log
examples
load balancing policy
static NAT policy
F
factory defaults, restoring to 407
failover appliance, configuring
FAQs
features, viewing currently
Firebox Installation Services
Firebox Vclass
components of
options
Firebox Vclass appliances,
Firebox Vclass Operating System
Fireboxes
assigning name to
discovering
enabling as DHCP server
forcing a restart
installing
location of
logging off
managing remotely
monitoring
moving to permanent location
resetting all connections of 394
restoring to factory defaults 407
turning on
turning on all models except V10
turning on V10
firewall policies
corporate HQ policy example
defining policy actions for
described
multiple
using schedules with
G
Global Policy settings
H
HA2/Management interface, configuring
Hacker Prevention dialog box
hacker prevention options
denial-of-service options
distributed denial-of-service
ICMP flood attack
ping of death attack
hardware requirements
Help button
high availability
Active/Active
prerequisites for
additional preparation for failover
checking system status
configuring options for
configuring standby appliance 428
connecting appliances for
connecting appliances to network
customizing parameters for
default settings
HTTP Proxy
hub-and-spoke configuration
I
ICMP flood attack
IKE policies
creating
for remote users
IKE Policy dialog box
Import Certificate/CRL dialog box
Import License dialog box
incoming data interface,
Insert IKE Policy dialog box
Insert Security Policy dialog box
Install Wizard button
Installation Wizard
default gateway
gathering information for
interface 1 entries
Interface page
starting
interface
promiscuous
interface 1
backup connection
Internet Key Exchange protocol. See
IP addresses
setting private interface with Device Discovery
setting System IP with Device Discovery
IP source route attack
IPSec Action dialog box
K
Kill Login dialog box
known issues
L
LDAP servers, configuring options for
Least Connection
license key certificates
licenses
viewing current
Linux, installing Vcontroller onto
LiveSecurity Gold Program
LiveSecurity Service
activating
benefits of
load balancing
described
load balancing policies
creating
described
location, moving Firebox to permanent
log files
Log Manager button
Log Manager window
logging
configuring
logging off
Login dialog box
logs
filtering entries
M
Management Station
manual key mode
manual key VPN policies
overview
maximum segment size
Maximum Segment Size (MSS)
Microsoft Windows, starting Vcontroller with
monitoring
multi-tenant policies
authentication
MUVPN
N
NAT Traversal
NAT/LB Action button
NAT/LB Action dialog box
network connections, testing
New Address Group dialog box
New Address Group Member dialog box
New ESP Transform dialog box
New IKE Action dialog box
New IKE Transform dialog box
New IPSec Action dialog box
New IPSec Proposal dialog box
New Load Balancing/NAT Action dialog box
New Mapping dialog box
New QoS Action dialog box
New Service dialog box
New Service Item dialog box
New User Group Profile dialog box
Number of IP Addresses field
O
online support services
accessing
described
optional products
P
passwords
changing
resetting for remote users 336
Perfect Forward Secrecy
Phase One SA log
Ping History table
ping of death attack
Policy
Enable User Authentication
policy actions for firewall policies
for Web server load balancing policy
Policy Checker
policy database, backing up 404
port shaping applying
V10
PPPoE, IP address assigned using
probes
defining
promiscuous interface
proxies
creating a Proxy Action
HTTP
Proxies button
proxy
Proxy Action
Allow
Block
configuring Rules
creating
Deny
Drop
edit a rule
editing
Q
QoS policies
defining action
Quality-of-Service policies. See QoS policies
R
RADIUS server
removing appliance from backup
RADIUS Server dialog box
Random (load balancing)
Rapid Response Team
RapidCore hardware ensemble
RAS Configuration dialog box
RAS User Detail dialog box
RAS User Information dialog box
RAS User log
RAS users, monitoring
Real-time Chart window
real-time monitor probe counters
Real-time Monitor window 363, 364
described
Remote Log Detail dialog box
remote logging, activating 385
remote user VPN policies
creating IKE policy
disabling an account
disconnecting from backup
idle timeout for
maximum number of users for 331
session time limit for
using internal authentication
remote users
controlling access privileges of
editing user group profile 337
reactivating expired account 337
reviewing connections of
viewing activity of
replay attacks, protecting against
requirements, system
Results dialog box
Router Mode
routes
adding
configuring dynamic
described
routing, options
Rule
edit
Exact Match 247
matching options 247
Pattern Match
Regular Expression
Rule sets
Rules
S
Schedule dialog box
schedules
creating weekly
security policies
actions
components of
creating text file of
defining
exporting, importing
preinstalled
schedules for
search order
testing
traffic specifications. See also
with multiple actions
Security Policy button
Security Policy Checker dialog box
Security Policy dialog box
segregating tenants into user domains
creating VLAN tenant
Select Backup File dialog box 404
Select Condition dialog box 356
Select Probe window
Select the File dialog box 419
Server/IP Name window
Service dialog box
service groups blocking
creating new 184
with range of port numbers 184
services
Shutdown/Reboot button
shutting down a Firebox
SMTP Proxy
SNMP Management Station dialog box
SNMP trap, setting alarm for
software upgrades, checking for
Solaris, installing Vcontroller onto
Solaris, starting Vcontroller with
static NAT and VPNs
described
static NAT policies
constraints on
described
Strip
super admin accounts
conflicts with
described
system configuration
System Configuration button
System Configuration dialog box 89–
System Contact field
System Information button
System Information dialog box 389,
System Location field
System Modes
Transparent Mode
System QoS dialog box
system time, setting
System Tunnel Switching dialog box
T
TCP MSS
Technical Support
Firebox Installation Services
frequently asked questions
LiveSecurity Gold Program
LiveSecurity Program
Tenant dialog box
tenants
time zones
time, setting
TOS Marking dialog box
Traffic log
traffic shaping. See load balancing
traffic specifications
and VLANs
components of
incoming data interface
sources and destinations
transforms, described
Transparent Mode
troubleshooting
tunnel switching
requirements for
Type of Service marking
U
UDP Encapsulation
UDP flood attack
Upgrade dialog box
upgrade history
V
Vcontroller
described
installing (Linux)
installing (Solaris)
installing (Windows)
launching
user interface
Vcontroller Login dialog box
Vcontroller-CPM conflicts
VLAN forwarding
activating
described
enabling
VLAN tenants
creating
described
VLANs
and traffic specifications
described
VPN policies
and IPSec actions
described
key management
transport mode
VPN tunnels
reviewing details about
viewing existing
VPNs
and static NAT
described
fully meshed topology
W
WAN Interface Failover
Enter Server IPs
polling timeout
WAN interface failover
WatchGuard users forum
Web server load balancing policy
creating
weighted fair queuing
Weighted Least Connection
Weighted Random
Weighted Round Robin
What’s This? help
Windows
windows
Account Manager
Table of contents
- 23 Contents
- 33 CHAPTER 1 Introduction
- 33 Welcome to WatchGuard®
- 34 WatchGuard Firebox Vclass Components
- 35 Minimum Requirements for the WatchGuard Vcontroller
- 37 Software License Keys
- 37 WatchGuard Firebox Vclass Appliance Options
- 38 High Availability
- 38 Mobile User VPN
- 38 About This Guide
- 41 CHAPTER 2 Service and Support
- 41 Benefits of LiveSecurity® Service
- 42 LiveSecurity® Broadcasts
- 44 Activating the LiveSecurity® Service
- 46 LiveSecurity® Self Help Tools
- 47 Interactive Support Forum
- 48 Product Documentation
- 48 Assisted Support
- 48 LiveSecurity® Program
- 49 LiveSecurity® Gold Program
- 50 Firebox Vclass Installation Services
- 50 VPN Installation Services
- 50 Training and Certification
- 51 Using the Online Help
- 53 CHAPTER 3 Getting Started
- 54 Gathering Network Information
- 55 Setting up the Management Station
- 55 Installing Vcontroller on a Windows workstation
- 56 Installing Vcontroller on a Solaris workstation
- 57 Installing Vcontroller on a Linux workstation
- 59 Cabling the Appliance
- 59 Start a Firebox Vclass Security Appliance
- 60 If problems occur
- 61 Using Appliance Discovery
- 62 If no appliance is discovered
- 63 If an appliance is discovered
- 64 Setting the IP address of Interface 0 or the System IP
- 66 Running the Vcontroller Installation Wizard
- 66 Before You Begin
- 67 Starting the Installation Wizard
- 68 Edit the General information
- 71 Configure the Interfaces in Router Mode
- 76 Configure Interface 2 and 3 (DMZ)
- 77 Configure the Interfaces in Transparent Mode
- 79 Configure Routing
- 80 Define the DNS servers
- 82 Define a Default Firewall Policy
- 86 Using Dynamic Network Address Translation (DNAT)
- 86 Change the Password
- 89 Deploying the Firebox Vclass into your Network
- 91 CHAPTER 4 Firebox Vclass Basics
- 91 What is a Firebox Vclass Appliance?
- 92 Firebox Vclass Features
- 93 Where the Information is Stored
- 94 Launching the WatchGuard Vcontroller
- 96 The Vcontroller Main Page
- 96 Activities column buttons
- 97 Policy column buttons
- 98 Administration column buttons
- 100 Page-top buttons
- 100 The status viewer
- 101 Logging out of Vcontroller
- 102 Shutting Down and Rebooting
- 104 Restarting the appliance
- 104 Upgrading and Downgrading the Software Version
- 107 The Upgrade History
- 108 Transferring from Vcontroller to WatchGuard Central Policy Manager (CPM)
- 111 CHAPTER 5 Router and Transparent Mode
- 111 Router Mode
- 113 Transparent Mode
- 114 Unsupported features in Transparent Mode
- 114 Setting a Vclass Appliance to Transparent Mode
- 115 Setting an Appliance to Transparent Mode using Device Discovery
- 119 Setting an Appliance to Transparent Mode using the Installation Wizard
- 121 CHAPTER 6 System Configuration
- 122 General Configuration
- 125 Interface Configuration
- 128 Configuring Interface 0
- 131 Configuring Interface 1
- 136 Configuring Interface 2 or 3
- 138 Configuring the HA Interfaces
- 139 Routing Configuration
- 139 Configuring static routing
- 141 Configuring dynamic routing
- 144 DNS Configuration
- 146 SNMP Configuration
- 148 Log Configuration
- 148 Certificate Configuration
- 155 Importing a certificate or CRL file
- 157 LDAP Server Configuration
- 159 NTP Server Configuration
- 161 Advanced Configuration
- 164 Hacker Prevention Configuration
- 168 CPM Management Configuration
- 169 License Configuration
- 169 Add a single license
- 172 Install licenses from a license package
- 174 VLAN Forwarding Option
- 177 Blocked Sites Configuration
- 180 High Availability Configuration
- 181 CHAPTER 7 Using Account Manager
- 181 Configuring Accounts
- 184 End-user accounts for authentication
- 186 Managing accounts
- 187 External Access for Remote Management
- 188 Account Access Conflicts
- 188 Resolving login conflicts
- 191 CHAPTER 8 About Security Policies
- 191 About Security Policies
- 192 Security policy components
- 193 Types of policies
- 196 Using Policy Manager
- 205 How policy order governs policy application
- 206 Applying system-wide QoS port shaping
- 207 Using tunnel switching
- 207 Using Policy Checker
- 210 Default policies
- 210 Defining a Security Policy
- 211 Defining source and destination
- 212 Defining an address group
- 214 Defining a service
- 217 Defining the incoming interface
- 218 Using Tenants
- 219 About VLANs and tenants
- 220 User domain tenant authentication
- 221 Defining tenants
- 224 Using the Firewall Options
- 225 Defining the firewall action
- 226 Using Quality of Service (QoS)
- 228 Defining a QoS action
- 229 Activating TOS marking
- 230 About NAT
- 230 Static NAT
- 231 Dynamic NAT
- 232 About Load Balancing
- 232 Defining a NAT Action
- 235 Defining a Load-Balancing Action
- 237 Using Policy Schedules
- 237 Defining a Schedule
- 239 Using the Advanced Settings
- 243 CHAPTER 9 Security Policy Examples
- 243 Firewall Policy Examples
- 243 Example 1: Allowing Internet access
- 244 Example 2: Restricting Internet access
- 246 Example 3: Allowing unlimited access for authorized users
- 248 Example 4: Allowing communication between branch offices
- 250 Example 5: Defining policies for an ISP
- 251 Example 6: Controlling access at corporate headquarters
- 254 VLAN Policy Examples
- 256 Using a Firebox Vclass appliance in a VLAN setting
- 256 Creating policies for user-domain tenants
- 257 An example of a user-domain policy in use
- 258 QoS Policy Examples
- 258 Example 1:
- 258 Example 2:
- 259 Static NAT Policy Examples
- 259 Example 1: Translating IP addresses into aliases
- 260 Example 2: Preventing conflicts between IP addresses
- 263 Load Balancing Policy Examples
- 263 Configuring Load Balancing for a Web Server
- 264 Configuring Load Balancing for an E-commerce Site
- 269 CHAPTER 10 Using Proxies
- 270 In This Chapter
- 270 Proxy Description
- 270 HTTP Client Proxy
- 271 SMTP Proxy
- 271 Rules and Rulesets
- 273 General Proxy Configuration
- 273 Using a Proxy Action in the Policy Manager
- 273 Creating a Proxy Action
- 275 Editing an existing Proxy Action
- 277 Configuring proxy rules
- 281 Ordering listed Rules in a Proxy Action
- 283 Proxy Parameters Reference
- 283 HTTP Client Proxy
- 304 SMTP Incoming Proxy
- 318 SMTP Outgoing Proxy
- 329 Reference Sources
- 331 CHAPTER 11 Using Virtual Private Networks (VPN)
- 332 Tunneling Protocols
- 333 IPSec
- 333 Authentication
- 334 Internet Key Exchange (IKE)
- 335 NAT Traversal (UDP Encapsulation)
- 336 Firebox Vclass appliance VPN Solutions
- 336 Mobile User VPN
- 337 VPN to other IPSec compliant devices
- 337 About VPN Policies
- 337 VPN policies and IPSec actions
- 338 Using Authentication and Encryption
- 339 Defining an IKE Policy
- 342 Defining an IKE action
- 346 Defining a VPN Security Policy
- 347 Defining an IPSec action
- 355 Using Tunnel Switching
- 358 Enabling tunnel switching
- 359 CHAPTER 12 Creating a Remote User VPN Policy
- 360 About Remote User VPN
- 360 Configuring the Remote Users Authentication Policy
- 365 Using an internal authentication database
- 367 Using a RADIUS authentication database
- 369 Editing and deleting a user group profile
- 370 Removing the backup server
- 371 Defining an IKE Policy and IKE Action
- 371 Defining an IKE action for RUVPN
- 373 Defining an IKE policy
- 375 Defining an RUVPN Security Policy and an IPSec Action
- 375 Defining an IPSec action for RUVPN
- 377 Defining a security policy for RUVPN
- 380 Controlling a remote user’s access privileges
- 380 Monitoring Remote User Activity
- 383 CHAPTER 13 Using Alarm Manager
- 384 Alarm Definitions
- 386 Defining a single-condition alarm
- 388 Defining a multiple-condition alarm
- 391 Managing alarm definitions
- 392 Responding to an Alarm Notification
- 395 CHAPTER 14 Monitoring the Firebox Vclass
- 395 Using the Real-Time Monitor
- 397 Defining probes
- 398 Monitoring configured probes
- 400 A Catalog of Real-time Monitor Probe Counters
- 400 System Counters
- 406 Aggregate counters for all VPN end-point pairs
- 406 IPSec counters per VPN end-point pair
- 407 Policy counters for all policies
- 408 Policy counters per policy
- 411 CHAPTER 15 Using Log Manager
- 412 Viewing the Logs
- 414 Filtering a current log
- 415 Log Settings
- 417 Activating the remote logging feature
- 419 Log Archiving
- 421 CHAPTER 16 System Information
- 421 General Information
- 422 VPN Tunnel Information
- 424 Viewing tunnel details
- 425 Traffic Information
- 426 Route Information
- 427 RAS User Information
- 428 Viewing RAS user information and tunnel details
- 429 Interface 1 (Public) Information
- 430 DHCP Server Information
- 431 Runtime Blocked IP List
- 435 CHAPTER 17 Backing Up and Restoring Configurations
- 436 Create a Backup File
- 437 Restoring an Archived Configuration
- 439 Restoring to Factory Default
- 440 Resetting an Appliance Completely
- 440 What you need
- 440 Restoring the appliance
- 442 Exporting and Importing Configuration Files
- 443 Importing a configuration file using Appliance Discovery
- 444 Editing an exported configuration file
- 447 CHAPTER 18 Using the Diagnostics/CLI Feature
- 447 Using Connectivity to Test Network Connections
- 449 Using the Support Features
- 450 Configuring debugging support
- 451 Saving a Policy to a text file
- 453 Executing a CLI Script
- 454 Saving Diagnostic Information
- 457 CHAPTER 19 Setting Up a High Availability System
- 457 High Availability Modes
- 458 Active/Standby
- 458 Active/Active
- 458 In this chapter
- 459 How High Availability works
- 459 Prerequisites for a High Availability System
- 460 Connecting the Appliances
- 460 Configuring a Standby Appliance
- 464 Customizing HA System Parameters
- 467 Checking your HA System Status
- 467 Detailed system status
- 468 Additional Preparation for Failover
- 469 Index