advertisement
▼
Scroll to page 2
of 546
® WatchGuard System Manager User Guide WatchGuard System Manager v9.1 Fireware® v9.1 Fireware® Pro v9.1 Revised: 09/24/2007 Notice to Users Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc. Copyright, Trademark, and Patent Information Copyright© 1998 - 2007 WatchGuard Technologies, Inc. All rights reserved. Complete copyright, trademark, patent, and licensing information can be found in the appendix of this User Guide. All trademarks or trade names mentioned herein, if any, are the property of their respective owners. Management Software: 9.1 Appliance Software: Fireware® 9.1 and Fireware Pro 9.1 Document Version: 9.1-352-2832-001-2 ADDRESS: ABOUT WATCHGUARD WatchGuard is a leading provider of network security solutions for small- to midsized enterprises worldwide, delivering integrated products and services that are robust as well as easy to buy, deploy and manage. The company’s Firebox X family of expandable integrated security appliances is designed to be fully upgradeable as an SUPPORT: organization grows and to deliver the industry’s best combination of security, www.watchguard.com/support U.S. and Canada +877.232.3531 performance, intuitive interface and value. WatchGuard Intelligent Layered Security All Other Countries +1.206.521.3575 architecture protects against emerging threats effectively and efficiently and provides the flexibility to integrate additional security functionality and services offered SALES: through WatchGuard. Every WatchGuard product comes with an initial LiveSecurity U.S. and Canada +1.800.734.9905 All Other Countries +1.206.613.0895 Service subscription to help customers stay on top of the security landscape with vulnerability alerts, software updates, expert security instruction and superior customer care. For more information, please call (206) 613 6600 or visit www.watchguard.com. 505 Fifth Avenue South Suite 500 Seattle, WA 98104 ii WatchGuard System Manager Contents CHAPTER 1 Introduction ....................................................................................................................... 1 WatchGuard System Manager Tools ........................................................................... 2 About the WatchGuard System Manager Window .................................................... 2 Device Status ................................................................................................................ 2 Device Management ..................................................................................................... 4 About WatchGuard Servers ........................................................................................... 4 About Fireware and Fireware Pro ................................................................................ 5 CHAPTER 2 Getting Started ................................................................................................................ 7 Installing WatchGuard System Manager ..................................................................... 7 Installation requirements ............................................................................................... 8 Collecting network information ...................................................................................... 8 Selecting a firewall configuration mode ........................................................................ 9 Selecting where to install server software ................................................................... 11 Setting up the management station ............................................................................ 11 Backing up your previous configuration ...................................................................... 12 Quick Setup Wizard ...................................................................................................... 12 Quick Setup Wizard .................................................................................................... 13 Web Quick Setup Wizard ........................................................................................... 13 Putting the Firebox into Operation .............................................................................. 14 Starting WatchGuard System Manager ..................................................................... 15 Connecting to a Firebox .............................................................................................. 16 Disconnecting from a Firebox ..................................................................................... 16 Starting security applications ...................................................................................... 16 After Your Installation .................................................................................................... 17 Customizing your security policy ................................................................................. 17 Features of the LiveSecurity Service .......................................................................... 18 Upgrading to a New Version of Fireware ................................................................... 18 Downgrading to WSM 9.0 or Earlier .......................................................................... 19 User Guide iii Installation Topics .......................................................................................................... 19 Installing WSM and keeping an older version ............................................................. 19 Installing WatchGuard Servers on computers with desktop firewalls ......................... 19 Adding secondary networks to your configuration ...................................................... 20 Dynamic IP support on the external interface ............................................................. 20 Entering IP addresses ................................................................................................. 21 Installing the Firebox cables ....................................................................................... 22 CHAPTER 3 Service and Support ................................................................................................. 23 LiveSecurity Service Solutions .................................................................................... 23 LiveSecurity Service Broadcasts ................................................................................ 24 Activating LiveSecurity Service ................................................................................... 24 LiveSecurity Service Self Help Tools ......................................................................... 25 WatchGuard Users Forum ........................................................................................... 26 Product Documentation ................................................................................................ 26 Technical Support .......................................................................................................... 26 LiveSecurity Service technical support ....................................................................... 26 LiveSecurity Gold ........................................................................................................ 27 Firebox Installation Service ......................................................................................... 27 VPN Installation Service .............................................................................................. 27 Training and Certification ............................................................................................. 28 CHAPTER 4 Firebox Status Monitoring .................................................................................... 29 Starting Firebox System Manager .............................................................................. 29 Connecting to a Firebox .............................................................................................. 29 Opening Firebox System Manager ............................................................................. 30 Firebox System Manager Menus and Toolbar Setting refresh interval and pausing the display Basic Firebox and Network Status .......................................................... 31 ......................................................... 32 ............................................................................. 33 Using the Security Traffic display ................................................................................ 33 Monitoring status information ...................................................................................... 34 Setting the center interface ......................................................................................... 34 Monitoring traffic, load, and status .............................................................................. 34 Firebox and VPN tunnel status ................................................................................... 35 Firebox Traffic ................................................................................................................ 37 Setting the maximum number of log messages .......................................................... 37 Using color for log messages ...................................................................................... 38 Copying log messages ................................................................................................ 39 Learning more about a traffic log message ................................................................ 39 Bandwidth Usage .......................................................................................................... 39 Policies ............................................................................................................................ 41 Traffic and Performance Statistics .............................................................................. 43 Authenticated Users ..................................................................................................... 44 Blocked Sites ................................................................................................................. 45 Security Services .......................................................................................................... 46 HostWatch ...................................................................................................................... 48 iv WatchGuard System Manager The HostWatch window .............................................................................................. 48 Controlling the HostWatch window ............................................................................. 50 Changing HostWatch view properties ......................................................................... 50 Blocking a site from HostWatch .................................................................................. 51 Pausing the HostWatch display .................................................................................. 51 Performance Console ................................................................................................... 51 Types of counters ........................................................................................................ 51 Defining counters ........................................................................................................ 52 Viewing the performance graph .................................................................................. 54 Working with more than one Performance Console graph ......................................... 55 Certificates on the Firebox ........................................................................................... 55 Feature Keys on the Firebox ....................................................................................... 56 Communication Log ...................................................................................................... 57 Performing Operations in Firebox System Manager ............................................... 57 Synchronizing time ...................................................................................................... 57 Clearing the ARP cache .............................................................................................. 57 Clearing alarms ........................................................................................................... 58 Rekeying BOVPN tunnels ........................................................................................... 58 High Availability ........................................................................................................... 58 Changing passphrases ............................................................................................... 58 CHAPTER 5 Basic Firebox Administration Working with Feature Keys ............................................................................ 61 .......................................................................................... 61 Getting feature keys .................................................................................................... 61 Adding feature keys to the Firebox ............................................................................. 62 Deleting a feature key ................................................................................................. 63 Seeing the active features .......................................................................................... 63 Seeing the properties of a feature key ........................................................................ 64 Downloading a feature key ......................................................................................... 64 Setting NTP Servers ..................................................................................................... 64 Setting a Friendly Name and Time Zone ................................................................... 65 Working with SNMP ...................................................................................................... 65 Enabling SNMP polling ............................................................................................... 66 Enabling SNMP traps .................................................................................................. 66 Using MIBs .................................................................................................................. 67 Changing the Firebox Passphrases ........................................................................... 67 Recovering a Firebox ................................................................................................... 68 Resetting a Firebox X e-Series device ....................................................................... 68 Resetting a Firebox X Core or Peak (non e-Series) ................................................... 68 CHAPTER 6 Basic Configuration Setup Opening a Configuration File ................................................................................... 71 ...................................................................................... 71 Opening a working configuration file ........................................................................... 72 Opening a local configuration file ................................................................................ 73 Making a new configuration file ................................................................................... 74 Saving a Configuration File ......................................................................................... 74 Saving a configuration to the Firebox ......................................................................... 74 Saving a configuration to a local hard drive ................................................................ 75 User Guide v About Firebox Backup Images .................................................................................... 75 Creating a Firebox backup image ............................................................................... 75 Restoring a Firebox backup image ............................................................................. 76 Working with Aliases ..................................................................................................... 76 Alias members ............................................................................................................ 77 Creating an alias ......................................................................................................... 77 Using Global Settings ................................................................................................... 79 Defining ICMP error handling global settings ............................................................. 79 Enabling TCP SYN checking ...................................................................................... 80 Defining TCP maximum segment size adjustment global settings ............................. 80 Disabling Traffic Management and QoS ..................................................................... 80 Using Global VPN Settings .......................................................................................... 81 Creating Schedules ...................................................................................................... 82 Managing a Firebox from a Remote Location .......................................................... 83 CHAPTER 7 Logging and Notification ....................................................................................... 87 Setting Up the Log Server ........................................................................................... 87 Changing the Log Server encryption key .................................................................... 88 Setting up the Firebox for a Designated Log Server ............................................... 89 Adding a Log Server for a Firebox .............................................................................. 89 Setting Log Server priority .......................................................................................... 90 Activating syslog logging ............................................................................................. 90 Enabling advanced diagnostics .................................................................................. 91 Disabling performance statistic logging ...................................................................... 92 Starting and stopping the Log Server ......................................................................... 93 Setting Global Logging and Notification Preferences .............................................. 93 Log file size and rollover frequency ............................................................................ 93 Setting when log files rollover ..................................................................................... 94 Scheduling automated reports .................................................................................... 95 Controlling notification ................................................................................................. 95 Setting Logging and Notification Preferences in Policy Manager ......................... 96 Logging and Notification in Proxy Definitions ........................................................... 97 Configuring log messages and notification for a proxy policy ..................................... 98 Configuring log messages and alarms for a proxy rule .............................................. 98 About Log Messages ................................................................................................... 98 Types of log messages ............................................................................................... 98 Log file names and locations ...................................................................................... 99 Consolidating log files ................................................................................................. 99 Updating .wgl log files to .xml format ........................................................................ 100 Using LogViewer ......................................................................................................... 101 LogViewer settings .................................................................................................... 102 Creating a search rule ............................................................................................... 103 Searching in LogViewer ............................................................................................ 104 Viewing the current log file in LogViewer .................................................................. 105 Copying LogViewer data ........................................................................................... 105 CHAPTER 8 Network Setup and Configuration Configuring Firebox Interfaces vi ................................................................ 107 .................................................................................. 108 WatchGuard System Manager Configuring the external interface ............................................................................. 110 Adding Secondary Networks ..................................................................................... 113 Adding WINS and DNS Server Addresses ............................................................. 114 Configuring Dynamic DNS ......................................................................................... 115 Creating a DynDNS account ..................................................................................... 115 Setting up the Firebox for dynamic DNS .................................................................. 115 Configuring Routes ..................................................................................................... 116 Adding a network route ............................................................................................. 117 Adding a host route ................................................................................................... 117 Configuring Advanced Settings for an Interface ..................................................... 118 Setting Firebox Interface Speed and Duplex ............................................................ 118 Setting maximum bandwidth and marking type ........................................................ 119 Setting DF bit for IPSec (external interfaces only) .................................................... 119 Using a Firebox with a Drop-in Configuration Configuring related hosts ......................................................... 119 .......................................................................................... 120 Virtual Local Area Networks (VLANs) Tagging ...................................................................... 121 ...................................................................................................................... 122 Defining a New VLAN ................................................................................................ 122 Using DHCP .............................................................................................................. 125 Using DHCP relay ..................................................................................................... 125 Specifying VLANs for an Interface ............................................................................ 125 CHAPTER 9 Network Setup with Multiple External Interfaces .............................. 127 Multi-WAN Requirements and Conditions ............................................................... 127 Multi-WAN Options ...................................................................................................... 128 About the WAN Failover method .............................................................................. 128 About multi-WAN in round-robin order ..................................................................... 128 About multi-WAN with the routing table .................................................................... 128 About the Interface Overflow method ....................................................................... 129 Configuring the Multi-WAN Routing Table Option Looking at the Firebox route table .................................................. 130 ............................................................................ 130 Configuring the Multi-WAN Round-robin Option .................................................... 131 Configuring the Multi-WAN Failover Option ............................................................ 132 Configuring the Multi-WAN Interface Overflow Option .......................................... 134 Checking WAN Interface Status ................................................................................ 135 Configuring Advanced Multi-WAN Settings ............................................................ 137 Sticky Connections .................................................................................................... 137 Failback ..................................................................................................................... 138 CHAPTER 10 Network Address Translation (NAT) ........................................................... 141 Types of NAT ............................................................................................................... 141 Using Dynamic NAT .................................................................................................... 142 Adding firewall dynamic NAT entries ........................................................................ 142 Reordering dynamic NAT entries .............................................................................. 143 Using 1-to-1 NAT ......................................................................................................... 144 ......................................................................................... 144 Defining a 1-to-1 NAT rule User Guide vii Configuring firewall 1-to-1 NAT ................................................................................. 145 Configuring Policy-Based Dynamic or 1-to-1 NAT ................................................. 146 Configuring policy-based 1-to-1 NAT ........................................................................ 146 Configuring policy-based dynamic NAT .................................................................... 146 Configuring Static NAT ............................................................................................... 148 Server Load Balancing ............................................................................................... 149 Configuring Server Load Balancing ......................................................................... 149 CHAPTER 11 Authentication ............................................................................................................. 153 How User Authentication Works ............................................................................... 153 Using authentication from the external network ........................................................ 154 Using authentication through a gateway Firebox to another Firebox ....................... 154 About Authentication Timeout Values ...................................................................... 155 Defining global authentication timeouts .................................................................... 155 Closing a session before timeout occurs .................................................................. 155 Using a Custom Default Start Page ......................................................................... 156 Allowing Multiple Concurrent Logins ........................................................................ 156 Authentication Server Types ..................................................................................... 156 Using a backup authentication server ....................................................................... 157 Configuring the Firebox as an Authentication Server ............................................ 157 Authentication types .................................................................................................. 157 Defining a new user for Firebox authentication ........................................................ 159 Defining a new group for Firebox authentication ...................................................... 160 Using a local user account for Firewall user, PPTP, and MUVPN authentication .... 161 Configuring RADIUS Server Authentication ........................................................... 161 Configuring SecurID Authentication ......................................................................... 163 Configuring LDAP Authentication ............................................................................. 164 Using LDAP optional settings ................................................................................... 166 Configuring Active Directory Authentication Using Active Directory optional settings .......................................................... 168 ................................................................... 169 Defining Users and Groups for Policy Definitions .................................................. 169 Defining users and groups for Firebox authentication .............................................. 170 Defining users and groups for third-party authentication .......................................... 170 Using users and groups in policy definitions ............................................................. 171 CHAPTER 12 Firewall Intrusion Detection and Prevention Using Default Packet Handling Options ........................................ 173 .................................................................. 173 Spoofing attacks ........................................................................................................ 174 IP source route attacks ............................................................................................. 174 Port space and address space attacks ..................................................................... 175 Flood attacks ............................................................................................................. 175 Unhandled packets ................................................................................................... 175 Distributed denial of service attacks ......................................................................... 176 Setting logging and notification for packet handling ................................................. 176 Setting Blocked Sites .................................................................................................. 176 Blocking a site permanently ...................................................................................... 177 Blocking spyware sites .............................................................................................. 178 viii WatchGuard System Manager Using an external list of blocked sites ....................................................................... 178 Creating exceptions to the Blocked Sites list ............................................................ 179 Using an external list of blocked sites exceptions .................................................... 180 Setting logging and notification for blocked sites ...................................................... 180 Blocking sites temporarily with policy settings .......................................................... 180 Blocked sites and Traffic Monitor .............................................................................. 180 Blocking Ports .............................................................................................................. 181 Blocking a port permanently ..................................................................................... 182 Automatically blocking IP addresses that try to use blocked ports ........................... 182 Setting logging and notification for blocked ports ..................................................... 182 CHAPTER 13 Policies ............................................................................................................................. 183 Using Policies in your Network ................................................................................. 183 About Policy Manager ................................................................................................ 184 Opening Policy Manager ........................................................................................... 184 About the Policy Manager window ............................................................................ 184 Changing the Policy Manager View .......................................................................... 185 Selecting colors for Policy Manager text ................................................................... 187 Finding a policy ......................................................................................................... 188 Adding Policies to Policy Manager ........................................................................... 189 Seeing the list of policy templates ............................................................................. 189 Adding a policy from the list of policy templates ....................................................... 190 Adding more than one policy of the same type ......................................................... 191 Seeing and modifying policy templates .................................................................... 192 Disabling a policy ...................................................................................................... 192 Deleting a policy ........................................................................................................ 192 About Custom Policies ............................................................................................... 192 Creating a custom policy template ............................................................................ 193 Adding a custom policy from the list of policy templates .......................................... 194 Importing and exporting custom policy templates .................................................... 194 Setting Policy Properties ............................................................................................ 195 Setting sources and destinations for a policy ........................................................... 196 About policy-based routing ...................................................................................... 198 Setting a proxy action ................................................................................................ 200 Setting a custom idle timeout .................................................................................... 200 Setting logging properties ......................................................................................... 201 Configuring static NAT for a policy ............................................................................ 201 Configuring server load balancing for a policy .......................................................... 203 Setting an operating schedule .................................................................................. 203 Applying Traffic Management actions ....................................................................... 203 Setting ICMP error handling ...................................................................................... 204 Applying NAT rules ................................................................................................... 205 Using QoS Marking for a policy ................................................................................ 205 Setting traffic priority for a policy ............................................................................... 206 Enabling sticky connections for a policy ................................................................... 206 Setting Policy Precedence ......................................................................................... 207 Using automatic order ............................................................................................... 207 Setting precedence manually .................................................................................... 208 User Guide ix CHAPTER 14 Proxy Policies .............................................................................................................. 209 Working with WatchGuard Proxies ........................................................................... 209 About rules and rulesets ........................................................................................... 210 About proxy actions ................................................................................................... 210 Predefined and user-defined proxy actions .............................................................. 210 Adding a Proxy to your Firebox Configuration ........................................................ 211 SMTP Proxy ................................................................................................................. 213 SMTP proxy: General settings .................................................................................. 213 SMTP proxy: Greeting rules ...................................................................................... 215 SMTP proxy: ESMTP settings .................................................................................. 216 SMTP proxy: Authentication ..................................................................................... 217 SMTP proxy: Content types ...................................................................................... 217 SMTP proxy: File names ........................................................................................... 218 SMTP proxy: Mail From/Mail To ................................................................................ 219 SMTP proxy: Headers ............................................................................................... 219 SMTP proxy: Antivirus responses ............................................................................. 220 SMTP proxy: Deny message .................................................................................... 220 SMTP proxy: Intrusion prevention ............................................................................. 221 SMTP proxy: spamBlocker ....................................................................................... 221 SMTP proxy: Proxy and AV alarms ........................................................................... 221 SMTP proxy: Finishing and saving the configuration ............................................... 221 POP3 Proxy ................................................................................................................. 222 POP3 proxy: General settings .................................................................................. 222 POP3 proxy: Authentication ...................................................................................... 223 POP3 proxy: Content types ...................................................................................... 224 POP3 proxy: File names ........................................................................................... 225 POP3 proxy: Headers ............................................................................................... 226 POP3 proxy: Antivirus responses ............................................................................. 227 POP3 proxy: Deny message ..................................................................................... 228 POP3 proxy: Intrusion prevention ............................................................................. 229 POP3 proxy: spamBlocker ........................................................................................ 230 POP3 proxy: Proxy and AV alarms ........................................................................... 231 POP3 proxy: Finishing and saving the configuration ................................................ 232 FTP Proxy ................................................................................................................... 232 FTP proxy: General settings ..................................................................................... 233 FTP proxy: Commands ............................................................................................. 234 FTP proxy: Download ................................................................................................ 234 FTP proxy: Upload .................................................................................................... 235 FTP proxy: Antivirus responses ................................................................................ 235 FTP proxy: Intrusion prevention ................................................................................ 236 FTP proxy: Proxy and AV alarms .............................................................................. 236 FTP proxy: Finishing and saving the configuration ................................................... 237 HTTP Proxy .................................................................................................................. 237 HTTP requests: General settings .............................................................................. 238 HTTP requests: Request methods ............................................................................ 239 HTTP requests: URL paths ....................................................................................... 240 HTTP requests: Header fields ................................................................................... 240 HTTP requests: Authorization ................................................................................... 241 HTTP responses: General settings ........................................................................... 241 HTTP responses: Header fields ................................................................................ 242 x WatchGuard System Manager HTTP responses: Content types ............................................................................... 242 HTTP responses: Cookies ........................................................................................ 243 HTTP responses: Body content types ...................................................................... 243 HTTP proxy: Exceptions ........................................................................................... 244 HTTP proxy: Antivirus responses ............................................................................. 244 HTTP proxy: Deny message ..................................................................................... 244 HTTP proxy: Intrusion prevention ............................................................................. 246 HTTP proxy: Proxy and AV alarms ........................................................................... 246 Finishing and saving the HTTP configuration ........................................................... 246 DNS Proxy .................................................................................................................... 246 DNS proxy: General settings .................................................................................... 247 DNS proxy: OPcodes ................................................................................................ 247 DNS proxy: Query types ........................................................................................... 248 DNS proxy: Query names ......................................................................................... 249 DNS proxy: Intrusion prevention ............................................................................... 250 DNS proxy: Alarms .................................................................................................... 250 Finishing and saving the DNS configuration ............................................................. 250 TCP Proxy .................................................................................................................... 250 TCP proxy: General settings ..................................................................................... 250 TCP proxy: Intrusion prevention ............................................................................... 251 Finishing and saving the TCP configuration ............................................................. 251 Working with Rules and Rulesets ............................................................................. 251 Simple and advanced views ..................................................................................... 251 Adding rules (simple view) ........................................................................................ 253 Adding rules (advanced view) ................................................................................... 253 Cutting and pasting rule definitions ........................................................................... 254 Changing the order of rules ...................................................................................... 254 Modifying the default rule .......................................................................................... 255 Import and Export Functions for Proxies ................................................................. 255 Importing and exporting user-defined proxy actions ................................................. 256 Importing and exporting rulesets .............................................................................. 256 CHAPTER 15 Historical Reports ..................................................................................................... 259 Creating and Editing Reports .................................................................................... 259 Starting Historical Reports ......................................................................................... 259 Starting a new report ................................................................................................. 260 Editing an existing report .......................................................................................... 261 Deleting a report ........................................................................................................ 261 Viewing the reports list .............................................................................................. 261 Backing up report definition files ............................................................................... 262 Setting Report Properties .......................................................................................... 262 Specifying a report time span .................................................................................... 262 Specifying report sections ......................................................................................... 262 Consolidating report sections .................................................................................... 263 Setting report preferences ........................................................................................ 264 Viewing network interface relationships .................................................................... 265 Using Report Filters .................................................................................................... 265 Creating a new report filter ........................................................................................ 266 Editing a report filter .................................................................................................. 266 Deleting a report filter ................................................................................................ 267 User Guide xi Applying a report filter ............................................................................................... 267 Running Reports ......................................................................................................... 267 Exporting Reports ....................................................................................................... 267 Exporting reports to HTML format Exporting reports to NetIQ format ............................................................................. 268 ............................................................................. 268 Report Sections and Consolidated Sections .......................................................... 268 Report sections ......................................................................................................... 268 Consolidated sections ............................................................................................... 271 CHAPTER 16 Management Server Setup and Administration ................................. 273 Installing the Management Server ............................................................................ 273 WatchGuard Management Server Passphrases .................................................... 273 Setting Up the Management Server ......................................................................... 275 Changing the Management Server Configuration ................................................. 276 Adding or removing a Management Server license .................................................. 276 Recording diagnostic log messages for the Management Server ............................ 277 Configuring the Certificate Authority ........................................................................ 277 Configuring properties for the CA certificate ............................................................. 277 Configuring properties for client certificates .............................................................. 278 Configuring properties for the Certificate Revocation List (CRL) ............................. 279 Recording diagnostic log messages for the Certificate Authority service ................. 279 Backing up or Restoring the Management Server Configuration ........................ 280 Moving the WatchGuard Management Server to a New Computer .................... 280 Connecting to a Management Server ...................................................................... 280 CHAPTER 17 Device Management Setup ................................................................................ 283 Configuring Fireboxes as Managed Clients ............................................................ 283 Configuring a Firebox X Core or X Peak running Fireware as a managed client ..... 283 Configuring a Firebox III or Firebox X Core running WFS as a managed client ...... 285 Configuring Edges and SOHOs as Managed Clients ........................................... 286 Preparing a new or factory default Firebox X Edge for management ...................... 287 Importing Firebox X Edge devices into a Management Server ................................ 288 Preparing an installed Firebox X Edge for management .......................................... 288 Configuring a Firebox SOHO 6 as a managed client ............................................... 290 Adding Devices ............................................................................................................ 291 CHAPTER 18 Device Management Properties ..................................................................... 295 Viewing the Managed Devices .................................................................................. 295 Viewing the Device Management Page ................................................................... 296 Configuring Device Management Properties .......................................................... 297 Updating a Device ....................................................................................................... 302 Removing a Device ..................................................................................................... 302 Network Setup (Edge devices only) ......................................................................... 302 Adding a VPN Resource ............................................................................................ 303 xii WatchGuard System Manager Starting Firebox and Edge Tools ............................................................................... 303 VPN Tunnels ................................................................................................................ 304 Using the Firebox X Edge Policy Section ................................................................ 304 CHAPTER 19 Firebox X Edge Templates and Aliases .................................................... 305 Scheduling Firebox X Edge Firmware Updates Seeing and deleting firmware updates ..................................................... 305 ..................................................................... 307 Creating and Applying Edge Configuration Templates ......................................... 308 Adding a pre-defined policy with the Add Policy wizard ........................................... 310 Adding a custom policy with the Add Policy wizard .................................................. 310 Cloning an Edge Configuration Template ................................................................. 312 Applying an Edge Configuration Template to devices .............................................. 312 Removing an Edge from the device list .................................................................... 314 Using Aliases ............................................................................................................... 314 Naming aliases on the Management Server ............................................................. 315 Defining aliases on a Firebox X Edge ....................................................................... 316 CHAPTER 20 Managed BOVPN Tunnels ................................................................................... 319 About Managed BOVPN Tunnels ............................................................................. 319 VPN Failover ............................................................................................................. 319 Global VPN settings .................................................................................................. 320 VPN Resources and Templates ................................................................................ 320 Configuring a Firebox as a Managed Firebox Client ............................................. 320 Adding VPN Resources ............................................................................................. 320 Getting the current resources from a device ............................................................. 321 Creating a new VPN resource .................................................................................. 321 Adding more hosts or networks ................................................................................ 322 Adding VPN Firewall Policy Templates .................................................................... 322 Adding Security Templates ........................................................................................ 323 Making Tunnels Between Devices ........................................................................... 325 Editing a Tunnel ........................................................................................................... 326 Removing Tunnels and Devices ............................................................................... 327 Removing a tunnel Removing a device .................................................................................................... 327 .................................................................................................... 327 CHAPTER 21 Manual BOVPN Tunnels About Manual VPN Tunnels ....................................................................................... 329 ...................................................................................... 329 VPN and failover ....................................................................................................... 329 Global VPN settings .................................................................................................. 329 Configuring Gateways ................................................................................................ 330 Defining the credential method ................................................................................. 331 Defining gateway endpoints ...................................................................................... 332 Configuring mode and transforms (Phase 1 settings) .............................................. 334 Adding a Phase 1 transform ..................................................................................... 335 Editing and deleting gateways .................................................................................. 336 Making Tunnels between Gateway Endpoints User Guide ....................................................... 336 xiii Configuring routes for the tunnel ............................................................................... 337 Adding new routes .................................................................................................... 338 Configuring Phase 2 settings .................................................................................... 339 Adding a Phase 2 proposal ....................................................................................... 341 Editing and deleting a tunnel ..................................................................................... 342 Changing order of tunnels ......................................................................................... 342 Making a Tunnel Policy .............................................................................................. 343 Setting up Outgoing Dynamic NAT through a BOVPN Tunnel ............................ 343 About VPN Failover .................................................................................................... 344 Configuring multiple gateway pairs Forcing a BOVPN Tunnel Rekey ........................................................................... 345 .............................................................................. 346 To rekey one BOVPN tunnel ..................................................................................... 346 To rekey all BOVPN tunnels ...................................................................................... 347 CHAPTER 22 Certificates and the Certificate Authority ............................................... 349 Creating a New Certificate ......................................................................................... 349 Creating a certificate with Firebox System Manager ................................................ 349 Creating a certificate with CA Manager .................................................................... 351 Completing a Certificate Signing Request .............................................................. 352 Importing a Certificate ................................................................................................ 353 Firebox authentication ............................................................................................... 354 Mobile User VPN (MUVPN) tunnel authentication ................................................... 355 Branch Office VPN (BOVPN) authentication ............................................................ 356 Managing Certificates ................................................................................................. 356 Using the web-based CA Manager ........................................................................... 356 Using WSM to manage certificates ........................................................................... 358 Using FSM to manage certificates ............................................................................ 358 CHAPTER 23 Remote User VPN with PPTP ........................................................................... 361 Configuration Checklist Encryption levels .............................................................................................. 361 ....................................................................................................... 361 Configuring WINS and DNS Servers ....................................................................... 362 Enabling RUVPN with PPTP ..................................................................................... 363 Enabling RADIUS authentication .............................................................................. 364 Setting encryption for PPTP tunnels ......................................................................... 364 Defining timeout settings for PPTP tunnels .............................................................. 365 Adding IP Addresses for RUVPN Sessions ............................................................ 365 Adding New Users to the PPTP_Users Authentication Group ........................... 366 Configuring policies to allow RUVPN traffic Preparing the Client Computers .............................................................. 367 ............................................................................... 367 ........................................................................ 367 Installing MSDUN and service packs Creating and Connecting a PPTP RUVPN from a Windows Vista Client Establishing the PPTP connection .......... 368 ............................................................................ 369 Creating and Connecting a PPTP RUVPN on Windows XP ................................ 369 Creating and Connecting a PPTP RUVPN on Windows 2000 ............................ 369 Running RUVPN and Accessing the Internet ......................................................... 370 xiv WatchGuard System Manager Making outbound PPTP connections from behind a Firebox CHAPTER 24 WebBlocker ................................... 371 ................................................................................................................... 373 Installing the Feature Key .......................................................................................... 373 Getting Started with WebBlocker .............................................................................. 373 Automating WebBlocker database downloads ......................................................... 374 Activating WebBlocker ............................................................................................... 375 Configuring WebBlocker ............................................................................................ 378 Adding new servers ................................................................................................... 379 Selecting categories to block .................................................................................... 379 Defining advanced WebBlocker options ................................................................... 380 Defining WebBlocker Exceptions ............................................................................. 381 Components of exception rules ................................................................................ 382 Exceptions with part of a URL ................................................................................... 382 Adding exceptions ..................................................................................................... 382 Defining the action for sites that do not match exceptions ....................................... 384 Changing the order of exception rules ...................................................................... 384 Importing or exporting exception rules ...................................................................... 385 WebBlocker Actions .................................................................................................... 386 Adding WebBlocker actions to a policy ..................................................................... 387 Scheduling WebBlocker actions ............................................................................... 387 CHAPTER 25 spamBlocker ................................................................................................................. 389 About spamBlocker ..................................................................................................... 389 spamBlocker requirements ....................................................................................... 389 spamBlocker actions ................................................................................................. 390 spamBlocker tags ...................................................................................................... 390 spamBlocker categories ............................................................................................ 390 Installing the spamBlocker Feature Key .................................................................. 391 Activating spamBlocker .............................................................................................. 391 Configuring spamBlocker ........................................................................................... 393 Using spamBlocker Exception Rules ....................................................................... 395 Adding spamBlocker exception rules ........................................................................ 395 Changing the order of exception rules ...................................................................... 396 Importing or exporting exception rules ...................................................................... 396 Logging exceptions ................................................................................................... 397 Setting Global spamBlocker Parameters ................................................................ 398 Using an HTTP proxy server ..................................................................................... 399 Adding trusted email forwarders ............................................................................... 399 Creating Rules for Bulk and Suspect Email on Email Clients Sending spam or bulk email to special folders in Outlook .............................. 401 ........................................ 401 Reporting False Positives and False Negatives ..................................................... 402 Monitoring spamBlocker Activity ............................................................................... 402 Customizing spamBlocker Using Multiple Proxies ................................................. 402 User Guide xv CHAPTER 26 Quarantine Server ..................................................................................................... 403 About the Quarantine Server .................................................................................... 403 Starting the Quarantine Server ................................................................................. 404 Installing server components .................................................................................... 404 Running the setup wizard ......................................................................................... 404 Entering the server location ...................................................................................... 404 Configuring the Quarantine Server .......................................................................... 405 Setting general server parameters ............................................................................ 406 Configuring the expiration settings ............................................................................ 406 Adding and removing user domains ......................................................................... 407 Configuring the notification settings .......................................................................... 408 Configuring rules ....................................................................................................... 409 Managing Messages .................................................................................................. 410 Setting viewing options ............................................................................................. 411 Saving messages ...................................................................................................... 411 Manually deleting messages ..................................................................................... 412 Automatically deleting messages .............................................................................. 412 Managing Users .......................................................................................................... 412 Adding users ............................................................................................................. 413 Removing users ........................................................................................................ 414 Changing notification option for a user ..................................................................... 414 Getting Statistics on Quarantine Server Activity ..................................................... 414 Viewing statistics from specific dates ........................................................................ 415 Viewing specific types of messages ......................................................................... 415 Grouping data ........................................................................................................... 415 Exporting and printing statistics ................................................................................ 416 CHAPTER 27 Signature-Based Security Services ............................................................ 417 Installing and Updating Security Services ............................................................... 417 About Gateway AntiVirus ........................................................................................... 417 Activating Gateway AntiVirus .................................................................................... 418 Activating Gateway AV with a wizard ........................................................................ 418 Activating Gateway AV from proxy definitions .......................................................... 420 Configuring Antivirus Actions .................................................................................... 421 Creating alarms or log entries for antivirus actions .................................................. 423 Unlocking a file locked by Gateway AntiVirus ........................................................... 423 Global Gateway AntiVirus Settings .......................................................................... 424 Configuring Gateway AV engine settings ................................................................. 424 Configuring the update server ................................................................................... 424 Connecting to the update server through an HTTP proxy server ............................. 425 Activating Intrusion Prevention Service (IPS) ......................................................... 426 Configuring Intrusion Prevention .............................................................................. 429 Configuring intrusion prevention for HTTP or TCP ................................................... 430 Configuring Intrusion Prevention for FTP, SMTP, POP3, or DNS ............................. 432 Configuring the IPS update server ............................................................................ 432 Configuring signature exceptions .............................................................................. 432 Copying IPS settings to other policies ...................................................................... 433 xvi WatchGuard System Manager Getting Gateway AV/IPS Status and Updates ........................................................ 433 Seeing service status ................................................................................................ 433 Updating signatures or engines manually ................................................................. 434 Seeing the update history ......................................................................................... 435 CHAPTER 28 Dynamic Routing ....................................................................................................... 437 Routing Daemon Configuration Files ....................................................................... 437 Using RIP ..................................................................................................................... 438 RIP Version 1 RIP Version 2 Using OSPF ............................................................................................................ 438 ............................................................................................................ 440 ................................................................................................................. 442 OSPF daemon configuration ..................................................................................... 442 Configuring Fireware Pro to use OSPF .................................................................... 445 Using BGP .................................................................................................................... 446 CHAPTER 29 Traffic Management and Quality of Service About Traffic Management and QoS .......................................... 451 ........................................................................ 451 Guaranteeing bandwidth ........................................................................................... 451 Restricting bandwidth ................................................................................................ 452 QoS Marking ............................................................................................................. 452 Traffic priority ............................................................................................................. 452 Configuring Outgoing Interface Bandwidth ............................................................. 452 Using Traffic Management Actions .......................................................................... 453 Defining a Traffic Management action ...................................................................... 453 Applying the Traffic Management action to a policy ................................................. 454 Setting traffic priority in a policy ................................................................................ 455 Using Traffic Management actions in a multi-WAN environment ............................. 455 Setting Connection and Bandwidth Limits ............................................................... 456 About QoS Marking .................................................................................................... 456 Per-interface and per-policy QoS Marking ................................................................ 457 Marking types and values ......................................................................................... 457 Enabling QoS Marking for an interface ..................................................................... 458 Enabling QoS Marking for a policy ............................................................................ 459 QoS Marking and IPSec traffic .................................................................................. 460 CHAPTER 30 High Availability ......................................................................................................... 461 About WatchGuard High Availability ........................................................................ 461 High Availability Requirements ................................................................................. 462 Selecting a Primary High Availability Firebox ......................................................... 462 Configuring High Availability ...................................................................................... 463 Manually Controlling High Availability ...................................................................... 464 Backing up an HA configuration ................................................................................ 465 Upgrading Software in an HA Configuration ........................................................... 465 Using HA with Proxy Sessions .................................................................................. 465 User Guide xvii APPENDIX A Copyright and Licensing ..................................................................................... 467 WatchGuard Firebox Software End-User License Agreement ............................ 467 WatchGuard Technologies, Inc. Add-on Product/Service Customer Agreement/End-User License Agreement ........................................... 469 Copyright and Trademarks ........................................................................................ 471 Patents .......................................................................................................................... 471 Licenses ........................................................................................................................ 471 SSL Licenses ............................................................................................................ 472 Apache Software License, Version 2.0, January 2004 ............................................. 473 PCRE License ........................................................................................................... 474 GNU Lesser General Public License ........................................................................ 475 GNU General Public License .................................................................................... 479 Sleepycat License ..................................................................................................... 481 Sourcefire License .................................................................................................... 482 Expat-MIT HTML Parser Toolkit License .................................................................. 485 Curl Software MIT-X License .................................................................................... 485 APPENDIX B WatchGuard File Locations Default File Locations APPENDIX C Types of Policies ............................................................................... 487 ................................................................................................. 488 ........................................................................................................ 491 Packet Filter Policies .................................................................................................. 491 Any ............................................................................................................................ 491 archie ......................................................................................................................... 491 auth ........................................................................................................................... 492 BGP ........................................................................................................................... 492 Citrix .......................................................................................................................... 492 Clarent-Command ..................................................................................................... 492 Clarent-Gateway ....................................................................................................... 493 CU-SeeMe ................................................................................................................ 493 DHCP-Server or DHCP-Client .................................................................................. 494 DNS ........................................................................................................................... 494 Entrust ....................................................................................................................... 494 finger ......................................................................................................................... 494 FTP ............................................................................................................................ 494 Gopher ...................................................................................................................... 495 GRE ........................................................................................................................... 495 HBCI .......................................................................................................................... 495 HTTP ......................................................................................................................... 495 HTTPS ....................................................................................................................... 496 IDENT ........................................................................................................................ 496 IGMP ......................................................................................................................... 496 IMAP .......................................................................................................................... 496 IPSec ......................................................................................................................... 497 IRC ............................................................................................................................ 497 Intel Video Phone ...................................................................................................... 497 Kerberos v 4 and Kerberos v 5 ................................................................................. 497 L2TP .......................................................................................................................... 497 xviii WatchGuard System Manager LDAP ......................................................................................................................... 498 LDAP-SSL ................................................................................................................. 498 Lotus Notes ............................................................................................................... 498 MS-SQL-Monitor ....................................................................................................... 498 MS-SQL-Server ......................................................................................................... 498 MS-Win-Media .......................................................................................................... 499 NetMeeting ................................................................................................................ 499 NFS ........................................................................................................................... 499 NNTP ......................................................................................................................... 499 NTP ........................................................................................................................... 499 OSPF ......................................................................................................................... 500 pcAnywhere .............................................................................................................. 500 Ping ........................................................................................................................... 500 POP2 and POP3 ....................................................................................................... 500 PPTP ......................................................................................................................... 501 RADIUS and RADIUS-RFC ...................................................................................... 501 RADIUS-Accounting and RADIUS-Acct-RFC ........................................................... 501 RDP ........................................................................................................................... 501 RIP ............................................................................................................................ 502 RSH ........................................................................................................................... 502 RealPlayerG2 ............................................................................................................ 502 Rlogin ........................................................................................................................ 502 SecurID ..................................................................................................................... 502 SMB (Windows Networking) ..................................................................................... 503 SMTP ........................................................................................................................ 503 SNMP ........................................................................................................................ 503 SNMP-Trap ............................................................................................................... 503 SQL*Net .................................................................................................................... 504 SQL-Server ............................................................................................................... 504 SSH ........................................................................................................................... 504 SunRPC .................................................................................................................... 504 Syslog ........................................................................................................................ 504 TACACS .................................................................................................................... 505 TACACS+ .................................................................................................................. 505 TCP ........................................................................................................................... 505 TCP-UDP .................................................................................................................. 505 Telnet ......................................................................................................................... 505 Timbuktu .................................................................................................................... 506 Time ........................................................................................................................... 506 Traceroute ................................................................................................................. 506 UDP ........................................................................................................................... 506 UUCP ........................................................................................................................ 507 WAIS ......................................................................................................................... 507 WinFrame .................................................................................................................. 507 WG-Auth ................................................................................................................... 507 WG-Firebox-Mgmt ..................................................................................................... 508 WG-Logging .............................................................................................................. 508 WG-Mgmt-Server ...................................................................................................... 508 WG-SmallOffice-Mgmt .............................................................................................. 508 WG-WebBlocker ....................................................................................................... 508 WHOIS ...................................................................................................................... 509 X11 ............................................................................................................................ 509 Proxy Policies User Guide .............................................................................................................. 509 xix DNS-proxy FTP-proxy HTTP-proxy POP3-proxy SMTP-proxy TCP-proxy xx ................................................................................................................. 509 ................................................................................................................. 509 ............................................................................................................... 510 ............................................................................................................... 510 .............................................................................................................. 510 ................................................................................................................. 511 WatchGuard System Manager 1 Introduction WatchGuard® System Manager gives you an easy and efficient way to manage your network and keep it secure. With one computer as a management station, you can view, manage, and monitor each Firebox® device in your network. The basic components of WatchGuard System Manager are the WatchGuard System Manager window, and the four WSM server components. WatchGuard System Manager also provides access to other WatchGuard tools, including Policy Manager and Firebox System Manager. The diagram below shows the components of WatchGuard System Manager and how you can access and navigate among them. Components of WatchGuard System Manager User Guide 1 WatchGuard System Manager Tools WatchGuard System Manager Tools When you purchase a WatchGuard® Firebox® X Core or Peak, you get access to a full suite of management and monitoring tools. WatchGuard System Manager WatchGuard System Manager (WSM) is your primary application for connecting to and managing Firebox® devices and WatchGuard Management Servers. WSM supports mixed environments. You can manage different Firebox devices that use different versions of software. You can also centrally manage Firebox X Edge devices. Policy Manager Policy Manager is the user interface for firewall configuration tasks. Policy Manager includes a full set of preconfigured packet filters and proxies. You can also make a custom packet filter in which you set the ports, protocols, and other parameters. Other features of Policy Manager help you to stop attacks such as SYN Flood attacks, spoofing attacks, and port or address space probes. Firebox System Manager Firebox System Manager gives you one interface to monitor all components of your Firebox. From Firebox System Manager, you can see the real-time status of the Firebox and its configuration. About the WatchGuard System Manager Window The WatchGuard® System Manager window has menus and icons you can use to start other tools, as shown in the figure below. The WatchGuard System Manager window also has two tabs that you can use to monitor and manage your Firebox® devices and environment: Device Status and Device Management. Device Status Information about a device you connect to appears in the WatchGuard System Manager Device Status tab. The information that appears includes the status, IP address, and MAC address for each Ethernet 2 WatchGuard System Manager About the WatchGuard System Manager Window interface, and the installed certificates. It also includes the status of all virtual private network (VPN) tunnels that are configured in WSM. Expanded information for each Firebox includes the IP address and subnet mask of each Firebox interface. It also includes: • IP address and netmask of the default gateway (for external interfaces only). • Media Access Control (MAC) address of the interface. • Number of packets sent and received on each interface since the last Firebox restart. The Device Status tab also includes information on: Branch Office VPN Tunnels Below the Firebox Status is a section on branch office virtual private network (BOVPN) tunnels. There are two types of IPSec BOVPN tunnels: VPN tunnels built manually using Policy Manager (manual BOVPN tunnels) and VPN tunnels built using the Management Server (managed BOVPN tunnels). Mobile User VPN tunnels After the branch office VPN tunnels entry is an entry for Mobile User VPN tunnels. This entry shows the same information as for Branch Office VPN tunnels. It includes the tunnel name, the destination IP address, and the tunnel type. Packet information, the key expiration date, authentication, and encryption data also appear. PPTP VPN tunnels For PPTP RUVPN tunnels, WatchGuard System Manager shows only the quantity of sent and received packets. (The volume of bytes and total volume of bytes are not applicable to PPTP tunnels.) Connection status The tree view for each device shows one of four possible states. The status descriptions are: - Normal icon: Usual operation. The device is successfully sending data to WatchGuard System Manager. - Yellow question mark: The device has a dynamic IP address and has not yet contacted the Management Server. User Guide 3 About WatchGuard Servers - Red exclamation point and gray icon: WatchGuard System Manager cannot make a network connection to the device at this time. - No exclamation point and gray icon: The device is being contacted for the first time or has not been contacted yet. Device Management The Device Management tab shows a navigation pane and an information pane. The navigation pane shows the connected WatchGuard Management Servers and their devices, managed VPNs, and managed Firebox X Edge configurations. The information pane shows more detailed information for any item you select in the navigation pane. This tab also shows Management Servers connected directly to WatchGuard System Manager and the devices connected to those servers. A device managed by the Management Server can also appear on the Device Status tab if it is connected directly to WatchGuard System Manager. About WatchGuard Servers You use the WatchGuard® toolbar to start, stop, and configure the four types of WatchGuard server software: • Management Server • Log Server • Quarantine Server • WebBlocker Server The WatchGuard toolbar is one of the toolbars in the Windows System Tray at lower-right corner of your computer screen. (If you have not installed any WatchGuard server software on your management station, you do not see the WatchGuard toolbar.) From left to right, the icons on the toolbar manage these servers. Management Server The Management Server operates on a Windows computer. With this server, you can manage all firewall devices and create virtual private network (VPN) tunnels using a simple drag-and-drop function. The basic functions of the Management Server are: - Centralized management of VPN tunnel configurations - Certificate authority to distribute certificates for Internet Protocol Security (IPSec) tunnels - Centralized management of multiple Firebox and Firebox® X Edge devices For more information on the Management Server, see the “Management Server Setup and Administration” chapter. Log Server The Log Server collects log messages from each WatchGuard Firebox. The log messages are encrypted when they are sent to the Log Server. The log message format is XML (plain text). The information collected from firewall devices includes traffic log messages, event log messages, alarms, and diagnostic messages. For more information on the Log Server, see the “Logging and Notification” chapter. 4 WatchGuard System Manager About Fireware and Fireware Pro Quarantine Server The Quarantine Server collects and isolates email messages that are suspected to be email spam by spamBlocker. For more information on the Quarantine Server, see the “Quarantine Server” chapter. WebBlocker Server The WebBlocker Server operates with the Firebox HTTP proxy to deny user access to specified categories of web sites. During Firebox configuration, the administrator sets the categories of web sites to allow or block. For more information on the WebBlocker Server, see the “WebBlocker” chapter. About Fireware and Fireware Pro WatchGuard® Fireware® is the next generation of security appliance software available from WatchGuard. Appliance software is kept in the memory of your firewall hardware. The Firebox® uses the appliance software with a configuration file to operate. Your organization’s security policy is a set of rules that define how you protect your computer network and the information that passes through it. Fireware appliance software has advanced features to manage security policies for the most complex networks. Two versions of Fireware are available to WatchGuard customers: • Fireware—This is the default appliance software on Firebox X Core e-Series devices. This next generation appliance software enables WatchGuard to expand the number of features available to Firebox X customers. • Fireware Pro—This is the default appliance software on Firebox X Peak e-Series appliances.It enables customers with complex networks to more effectively protect their networks. Fireware Pro is available as an update for previously released Firebox X Core devices. The following features are available only with Fireware Pro: - High Availability - Traffic Management/Quality of Service (QoS) - VLANs - Dynamic routing - Policy-based routing - Server load balancing - The multi-WAN configuration options: Weighted Round-robin and Interface Overflow WatchGuard System Manager also includes the system tools you must have to configure and manage a Firebox X device that uses WFS appliance software. WFS appliance software is the default appliance software that shipped with earlier models of the Firebox X Core and Peak. For more information about WFS appliance software, see the WFS User Guide. After a Firebox is put in WSM management, the software automatically identifies which appliance software the Firebox uses. If you select the Firebox and then click an icon on the toolbar, it starts the correct management tool. These tools include: • Firebox System Manager • Policy Manager • HostWatch™ For example, if you add a Firebox X700 operating with WFS appliance software to the Devices tab of WFS and then click the Policy Manager icon on the WSM toolbar, Policy Manager for WFS automatically User Guide 5 About Fireware and Fireware Pro starts. If you add a Firebox X700 operating with Fireware appliance software and click the Policy Manager icon, Policy Manager for Fireware starts. 6 WatchGuard System Manager 2 Getting Started Historically, organizations used many tools, systems, and personnel to control the security of their networks. Different computer systems controlled access, authentication, virtual private networking, and network control. These expensive systems are not easy to use together or to keep up-to-date. WatchGuard® System Manager (WSM) supplies an integrated solution to manage your network and control security problems. This chapter tells you how to install WatchGuard System Manager into your network. Installing WatchGuard System Manager WatchGuard® System Manager (WSM) includes firewall appliance software and management software. Use the WSM software to configure and monitor the Firebox®. To install the WatchGuard System Manager software, you must: • Collect your network addresses and information. • Select a network configuration mode. • Select to install the Management Server, Log Server, WebBlocker Server, and Quarantine Server software on the same computer as your management software, or on a different computer. • Configure the management station. • Use a Quick Setup Wizard to make a basic configuration file. • Put the Firebox into operation on your network. This chapter gives the default information for a Firebox with a Firebox configuration with a trusted, external, and optional interface configured. To configure additional interfaces on your Firebox, use the configuration tools and procedures in the “Network Configuration” chapter. User Guide 7 Installing WatchGuard System Manager Installation requirements Before you install WatchGuard System Manager, make sure that you have these items: • WatchGuard Firebox security device • A serial cable (blue) • One crossover Ethernet cable (red) • One straight Ethernet cable (green) • Power cable • Feature key Collecting network information Firebox feature keys When you get a new Firebox, you must activate it on the LiveSecurity® web site and get a feature key. The feature key enables the features on your Firebox. You get a new feature key for any optional products when you purchase them. Network addresses We recommend that you make two tables when you configure your Firebox. Use the first table for your network IP addresses before you put the Firebox into operation. WatchGuard uses slash notation to show the subnet mask. Table 1: Network IP Addresses Without the Firebox Wide Area Network _____._____._____._____ / ____ Default Gateway _____._____._____._____ Local Area Network _____._____._____._____ / ____ Secondary Network (if applicable) Public Server(s) (if applicable) _____._____._____._____ / ____ _____._____._____._____ _____._____._____._____ _____._____._____._____ 8 WatchGuard System Manager Installing WatchGuard System Manager Use the second table for your network IP addresses after you put the Firebox into operation. External interface Connects to the external network (typically the Internet) that is not trusted. Trusted interface Connects to the private LAN (local area network) or internal network that you want to secure. Optional interface(s) Usually connects to the DMZ or the mixed trust area of your network. Use optional interfaces to create zones in the network with different levels of access. Table 2: Network IP Addresses With the Firebox Default Gateway _____._____._____._____ External Network _____._____._____._____ / ____ Trusted Network _____._____._____._____ / ____ Optional Network _____._____._____._____ / ____ Secondary Network (if applicable) _____._____._____._____ / ____ Selecting a firewall configuration mode You must decide how to install the Firebox into your network before you install WatchGuard System Manager. How you install the Firebox controls the interface configuration. To install the Firebox into your network, select the configuration mode—routed or drop-in—that matches the needs of your current network. Many networks operate best with a routed configuration, but we recommend the drop-in mode if: • You have already assigned a large number of static IP addresses and do not want to change your network configuration. • You cannot configure the computers on your trusted and optional networks that have public IP addresses with private IP addresses. This table and the descriptions below the table show three conditions that can help you to select a firewall configuration mode. User Guide Routed Configuration Drop-in Configuration All interfaces of the Firebox are on different networks. All interfaces of the Firebox are on the same network and have the same IP address. Trusted and optional interfaces must be on different networks. Each interface has an IP address on its network. The computers on the trusted or optional interfaces can have a public IP address. Use static NAT (network address translation) to map public addresses to private addresses behind the trusted or optional interfaces. The computers that have public access have public IP addresses. Thus, no NAT is necessary. 9 Installing WatchGuard System Manager Routed configuration Use the routed configuration when you have a small number of public IP addresses or when your Firebox gets its external IP address with PPPoE (point-to-point protocol over Ethernet) or DHCP (dynamic host configuration protocol). In a routed configuration, you install the Firebox with different subnets on each of its interfaces. The public servers behind the Firebox can use private IP addresses. The Firebox uses NAT to route traffic from the external network to the public servers. The requirements for a routed configuration are: • All interfaces of the Firebox must be configured on different subnets. The minimum configuration includes the external and trusted interfaces. You also can configure one or more optional interfaces. • All computers connected to the trusted and optional interfaces must have an IP address from that network. For example, a computer on a trusted interface in the previous figure could have an IP address of 10.10.10.200 but not 192.168.10.200, which is on the optional interface. Drop-in configuration In a drop-in configuration, the Firebox is configured with the same IP address on all interfaces. The drop-in configuration mode distributes the network’s logical address range across the Firebox interfaces. You can put the Firebox between the router and the LAN and not have to change the configuration of any local computers. This configuration is known as drop-in because the Firebox is “dropped in” to a network. In drop-in mode: • The same primary IP address is automatically assigned to all interfaces on your Firebox (external, trusted, and optional). • You can assign secondary networks on any interface. • You can keep the same IP addresses and default gateways for hosts on your trusted and optional networks, and add a secondary network address to the Firebox interface so the Firebox can correctly send traffic to the hosts on these networks. The public servers behind the Firebox can continue to use public IP addresses. The Firebox does not use network address translation to route traffic from outside your network to your public servers. 10 WatchGuard System Manager Installing WatchGuard System Manager The properties of a drop-in configuration are: • You must have a static external IP address to assign to the Firebox. • You use one logical network for all interfaces. • Drop-in mode does not support multi-WAN in Round-robin or Failover mode. For more information on these options, see the “Network Setup with Multiple External Interfaces” chapter. It is sometimes necessary to flush the ARP cache of each computer on the trusted network, but this is not common. Selecting where to install server software During installation, you can install the management station and WatchGuard System Manager server components on the same computer. Or you can use the same installation procedure to install the Log Server, WebBlocker Server, or Quarantine Server components on other computers to distribute server load or supply redundancy. The Management Server does not operate correctly on a computer that does not also have WSM software installed. To decide where to install server software, you must examine the capacity of your management station and select the installation method that matches your needs. If you install server software on a computer with an active desktop firewall other than Windows Firewall, you must open the ports necessary for the servers to connect through the firewall. Windows Firewall users do not have to change their desktop firewall configuration because the installation program opens the necessary ports through Windows Firewall automatically. See “Installing WatchGuard Servers on computers with desktop firewalls” on page 19 for more information. Setting up the management station You install WatchGuard System Manager (WSM) software on a computer that you designate as the management station. This software shows the traffic through the firewall. WatchGuard System Manager also shows connection and tunnel status. The WatchGuard Log Server records information it receives from the Firebox. You can get access to this data using tools on the management station. Select one computer on your network as the management station and install the management software. To install the WatchGuard System Manager software on your Windows-based management station, you must have administrative privileges. After installation, you can operate with Windows XP or Windows 2003 Power User privileges. User Guide 11 Quick Setup Wizard You can download the most current WatchGuard System Manager software at any time from https://www.watchguard.com/archive/softwarecenter.asp. You must log in with your LiveSecurity user name and password. If you are a new user, create a user profile and activate your product at http://www.watchguard.com/activate before you try to download the WSM software. 1 Download the latest WatchGuard System Manager (WSM) software. You must also download and install the latest Fireware appliance software to your management station. You use the WSM software with the Quick Setup Wizard to create a basic configuration file for your Firebox. Make sure that you write down the name and the path of the files when you save them to your hard drive. 2 Open the file and use the installation instructions. The Setup program includes a screen in which you select the components of the software or the upgrades to install. A different license is necessary when you install some software components. If your management station is operating with a Windows toolbar, some users find it necessary to close and restart the toolbar to see the new components installed for the WatchGuard Management System. Software encryption levels The management station software is available in two encryption levels. Base Supports 40-bit encryption for PPTP RUVPN tunnels. You cannot create an IPSec VPN tunnel with this level of encryption. Strong Supports 40-bit and 128-bit encryption for PPTP RUVPN. Also supports 56-bit and 168-bit DES, and 128-bit, 192-bit, and 256-bit AES. To use virtual private networking with IPSec, you must download the strong encryption software. Strong export limits apply to the strong encryption software. It is possible that it is not available for download. Backing up your previous configuration If you have a previous version of WatchGuard System Manager, make a backup of your security policy configuration before you install a new version. To create a backup of your configuration, see the “Basic Configuration Setup” chapter. Quick Setup Wizard You can use a Quick Setup Wizard to create a basic configuration for your Firebox® X. The Firebox uses this basic configuration file when it starts for the first time. This enables the Firebox to operate as a basic firewall. You can use this same procedure any time you want to reset the Firebox to a new basic configuration for recovery or other reasons. When you configure the Firebox with the Quick Setup Wizard, you set only the basic policies (TCP outgoing, FTP packet filter, ping, and WatchGuard) and interface IP addresses. If you have more software applications and network traffic for the Firebox to examine, you must: 12 • Configure the policies on the Firebox to let necessary traffic through • Set the approved hosts and properties for each policy • Balance the requirement to protect your network against the requirements of your users to get access to external resources WatchGuard System Manager Quick Setup Wizard Quick Setup Wizard The Quick Setup Wizard runs as a Windows application to help you make a basic configuration file. You can use the Quick Setup Wizard with any model of Firebox X Core or Peak. The Firebox uses this basic configuration file when it starts for the first time. This enables the Firebox to operate as a basic firewall. After the Firebox is configured with this basic configuration, you can use Policy Manager to expand or change the Firebox configuration. The Quick Setup Wizard uses a device discovery procedure to find the Firebox X model you are configuring. This procedure uses a UDP multicast. Software firewalls, including the firewall in Microsoft Windows XP SP2, can cause problems with device discovery. You can start the Quick Setup Wizard from the Windows desktop or from WatchGuard® System Manager. From the desktop, select: Start > All Programs > WatchGuard System Manager 9.1 > Quick Setup Wizard From System Manager, select: Tools > Quick Setup Wizard Setting the log encryption key In the Quick Setup Wizard, you must set a status and configuration passphrase for the Firebox. When you are ready to configure a Log Server to collect log messages from the Firebox, use the status passphrase you set in the Quick Setup Wizard as your default log encryption key. After your Log Server is configured, you can change your log encryption key if you want. For more information, see the “Logging and Notification” chapter. Web Quick Setup Wizard In addition to the Windows-based Quick Setup Wizard, you can also use the Web Quick Setup Wizard to configure your Firebox. You can use the Web Quick Setup Wizard with any model of Firebox X Core or Peak. If you have configured a Firebox X Core or X Peak before, you must understand that the Web Quick Setup Wizard operates differently than the Quick Setup Wizard that shipped with earlier Firebox X hardware models. With earlier Firebox X Core and Peak devices, the Quick Setup Wizard used device discovery to find a Firebox on the network to configure. With the Web Quick Setup Wizard, you must make a direct network connection to the Firebox and use a web browser to start the wizard. The Firebox uses DHCP from its interface 1 to give a new IP address to your management station to use during configuration. Before you start the Web Quick Setup Wizard, make sure you have: • Registered your Firebox with LiveSecurity® Service • Stored a copy of your Firebox feature key in a text file on your management station • Downloaded WSM and Fireware® software from the LiveSecurity Service web site to your management station • Installed the Fireware executable on your management station • Configured your management station to accept an IP address automatically (through DHCP) The HTTP connection made to the Firebox when you use the Web Quick Setup Wizard is not encrypted. We recommend that you connect your management station directly to the Firebox when you use the Web Quick Setup Wizard, because passphrases are sent in plain-text format. User Guide 13 Putting the Firebox into Operation Using the Web Quick Setup Wizard 1 Connect the red cross-over Ethernet cable that ships with your Firebox between the Ethernet port on your management station and the interface 1 on your Firebox. 2 Plug the power cord into the Firebox power input and into a power source. 3 On the front of the Firebox X, press the down arrow button while you turn on the power to the Firebox. The Firebox X boots into safe mode. While in this factory-default mode, the LCD shows the model number followed by the word “safe” in lower-case characters. 4 Make sure your management station is configured to accept DHCP-assigned IP addresses. For example, if your management station uses Windows XP: From your Windows Start menu, select All Programs > Control Panel > Network Connections > Local Area Connections. Click Properties. Select Internet Protocol (TCP/IP) and click Properties. Make sure Obtain an IP Address Automatically is selected. 5 Open a web browser and type: http://10.0.1.1:8080/ Make sure you type the preceding “http://” if you use Internet Explorer. This opens an HTTP connection between your management station and the Firebox X device. The Web Quick Setup Wizard starts automatically. If you leave the Web Quick Setup Wizard idle for 15 minutes or more, you must go back to step 3 and start again. After the Firebox is configured with this basic configuration, you can use Policy Manager to expand or change the Firebox configuration. Using the Web Quick Setup Wizard for recovery You can use the Web Quick Setup Wizard when you first configure your Firebox X device. You can also use the Web Quick Setup Wizard if you want to reset a Firebox with a new configuration because you forgot the password or because the Firebox is deploying in a new network. If you use the Web Quick Setup Wizard for recovery and you have purchased a Firebox hardware model upgrade, you must make sure that the feature key you put in the wizard is the feature key that you received with the model upgrade. Troubleshooting problems with the Web Quick Setup Wizard If the Web Quick Setup Wizard is unable to install Fireware appliance software on the Firebox, the wizard times out after six minutes. If you have problems with the wizard, check these things: • It is possible that the Fireware application software file you downloaded from the LiveSecurity web site is corrupted. If the software image is corrupted, you can sometimes see a message on the LCD interface: “File Truncate Error.” Download the software again and try the wizard once more. • If you use Internet Explorer 6, clear the file cache in your web browser and try again. To clear the cache, from the Internet Explorer toolbar select Tools > Internet Options > Delete Files. Putting the Firebox into Operation After you run the Quick Setup Wizard, you might need to wait a minute or so before your Firebox® is ready. This is particularly true with the Firebox X Peak models 5500e, 6500e, 8500e, and 8500e-F. When you finish with either Quick Setup Wizard, you have completed the installation of your Firebox. 14 WatchGuard System Manager Starting WatchGuard System Manager Complete these steps to put the Firebox into operation on your network: • Put the Firebox in its permanent physical location. • Make sure the management station and the rest of the trusted network use the IP address of the Firebox’s trusted interface as their gateway. • In WatchGuard® System Manager, use File > Connect To Device to connect the management station to the Firebox. • If you use a routed configuration, change the default gateway on all computers that you connect to the Firebox trusted IP address. • Set up the Management Server. See the “Management Server Setup and Administration” chapter in this guide. • Configure the Log Server to start recording log messages. See the “Logging and Notification” chapter in this guide. • Set up the WebBlocker Server. See the “WebBlocker” chapter in this guide. • Set up the Quarantine Server. See the “Quarantine Server” chapter in this guide. • Open Policy Manager to customize the configuration for your company’s own business and security needs. If you install server software on a computer with an active desktop firewall other than Windows Firewall, you must open the ports necessary for the servers to connect through the firewall. Windows Firewall users do not have to change their configuration. See the section “Installing WatchGuard Servers on computers with desktop firewalls” on page 19 for more information. Starting WatchGuard System Manager This section provides basic procedures to get you started using WatchGuard® System Manager. It also describes the information you see on the screen when you first connect to a Firebox®. From the Windows Desktop, select: Start > All Programs > WatchGuard System Manager 9.1 > WatchGuard System Manager. For basic information on WatchGuard System Manager, see “About WatchGuard Servers” on page 4. You can get access to all WatchGuard System Manager functionality through this main window, as User Guide 15 Starting WatchGuard System Manager described throughout this manual. It is useful to note you can use standard copy/paste procedures in most data fields throughout WatchGuard System Manager. Connecting to a Firebox 1 Select File > Connect to Device. or Right-click in the Device Status tab and select Connect to Device. or Click the Connect to Device icon on the WatchGuard System Manager toolbar. The icon is shown at left. The Connect to Firebox dialog box appears. 2 In the Firebox drop-down list, type the name or IP address of your Firebox. On subsequent connections, you can select the Firebox name or IP address from the Firebox drop-down list. You can also type the IP address or host name. When you type an IP address, type all the numbers and the periods. Do not use the TAB or arrow key. 3 Type the Firebox status (read-only) passphrase. You use the status passphrase to monitor traffic and Firebox conditions. You must type the configuration passphrase when you save a new configuration to the Firebox. 4 If necessary, change the value in the Timeout field. This value sets the time (in seconds) that the management station listens for data from the Firebox before it sends a message that shows that it cannot get data from the device. If you have a slow network or Internet connection to the device, you can increase the timeout value. Decreasing the value decreases the time you must wait for a timeout message if you try to connect to a Firebox that is not available. 5 Click Login. The Firebox appears in the WatchGuard System Manager window. Disconnecting from a Firebox To disconnect, right-click the first line of information for the Firebox to disconnect from and select File > Disconnect. Or select the Firebox and then click the Disconnect icon shown at left. Starting security applications You can start these tools from WatchGuard System Manager using the icons on the taskbar and menu options: 16 WatchGuard System Manager After Your Installation Policy Manager Policy Manager lets you install, configure, and customize a network security policy. To configure or customize the security policy of a Firebox X Edge or Firebox SOHO, you must use the web user interface to connect to the device. Firebox System Manager WatchGuard Firebox System Manager lets you start many different security tools in one easy-to-use interface. You also can use Firebox System Manager to monitor real-time traffic through the firewall. For information on using Firebox System Manager, see the “Firebox Status Monitoring” chapter. HostWatch HostWatch™ shows the connections through a Firebox from the trusted network to the external network. It shows the current connections, or it can show historical connections from a log file. For information on using HostWatch, see the “Firebox Status Monitoring” chapter. LogViewer LogViewer shows a static view of a log file. It lets you: • Apply a filter by data type • Search for words and fields • Print and save to a file For more information on using LogViewer, see the “Logging and Notification” chapter in this guide. Historical Reports These HTML reports give data to use when you monitor or troubleshoot the network. The data can include: • Type of session • Most active hosts • Most used services • URLs For information on using Historical Reports, see the chapter “Historical Reports” in this guide. After Your Installation You have satisfactorily installed, configured, and put your new WatchGuard® System Manager into operation on your network. Here are some basic procedures and some more information to think about. Customizing your security policy Your security policy controls who can get into your network, where they can go, and who can get out. The configuration file of your Firebox® makes the security policy. The configuration file that you make with the Quick Setup Wizard is only a basic configuration. You can make a configuration file that aligns your security policy with your requirements. To do this, add packet filter and proxy policies to set what you let in and out of your network. Each policy can have an effect on your network. The policies that increase your network security can decrease access to your network. User Guide 17 Upgrading to a New Version of Fireware The policies that increase access to your network can put the security of your network at risk. When you select these policies, you must select a range of balanced policies based on your organization and the computer equipment that you protect. For a new installation, we recommend that you use only packet filter policies until all your systems operate correctly. As necessary, you can add proxy policies. Features of the LiveSecurity Service Your Firebox includes a subscription to LiveSecurity® Service. Your subscription: • Makes sure that you get the newest network protection with the newest software upgrades • Gives solutions to your problems with full technical support resources • Prevents service interruptions with messages and configuration help for the newest security problems • Helps you to find out more about network security through training resources • Extends your network security with software and other features • Extends your hardware warranty with advanced replacement Upgrading to a New Version of Fireware Occasionally, we make new versions of WatchGuard® System Manager (WSM) and Fireware® appliance software available to Firebox® users with active LiveSecurity® subscriptions. To upgrade from one version of WSM with Fireware to a new version of WSM with Fireware: 1 Back up your current Firebox configuration file and Management Server configuration files. For more information on how to create a backup image of your Firebox configuration, see “About Firebox Backup Images” on page 75. To back up the settings on your Management Server, use the Management Server Backup and Restore Wizard. For more information on this wizard, see the “Management Server Setup and Administration” chapter. 2 Use Windows Add or Remove Programs to uninstall your existing WatchGuard System Manager and WatchGuard Fireware installation. You can have more than one version of WatchGuard System Manager client software installed on your management station, but only one version of WatchGuard server software. 3 Launch the file or files that you downloaded from the LiveSecurity web site and use the onscreen procedure. 4 To save the upgrade to the appliance, use Policy Manager to open your Firebox X Core or Firebox X Peak configuration file and use the on-screen instructions to convert the configuration file to the newer version and save it to the Firebox. If you do not see on-screen instructions or have problems with this procedure, open Policy Manager and select File > Upgrade. Browse to your installation directory or C:\Program Files\Common Files\WatchGuard\resources\Fireware\9.1 and select the WGU file. Click OK. The upgrade procedure can take up to 15 minutes and automatically reboots the Firebox. If your Firebox has been operating for some time before you upgrade, it is possible you could have to restart the Firebox before you start the upgrade to clear the temporary memory on the Firebox. If, during the upgrade, you see an error message about \var\tmp2\cmm_upgrade_sys.tar, reboot your Firebox and start the upgrade again. 18 WatchGuard System Manager Downgrading to WSM 9.0 or Earlier Downgrading to WSM 9.0 or Earlier If you have problems when you upgrade your management station to 9.1, you can downgrade your Firebox® to an earlier version of Fireware®. You can downgrade a Firebox in two ways: • If you have a backup file created with an earlier version of Fireware, you can restore it to the Firebox. The backup file must have an .fxi file extension. The default location for backup files is C:\Documents and Settings\All Users\Shared WatchGuard\backups. • If you do not have a backup file, you can use an older version of WSM to save the matching version of Fireware to the Firebox, run the Quick Setup Wizard, and then save your configuration to the Firebox. If you have a backup file 1 Start WatchGuard® System Manager. The version must match the version used to save the backup file. 2 Connect to the Firebox and start Policy Manager. 3 Select File > Restore. 4 Navigate to the .fxi file and restore the Firebox. When the restore is complete, the Firebox reboots. It will run the version of Fireware it had at the time the backup file was saved. If you do not have a backup file 1 On your management station, install the version of Fireware that matches your version of WSM (for example v9.0). 2 Open Policy Manager v9.0 and select File > Upgrade to install Fireware v9.0. 3 Run the v9.0 Quick Setup Wizard and use it to save a basic configuration to the Firebox. 4 Open your policy in Policy Manager v9.0 and save it to the Firebox. Installation Topics This section gives additional information about setting up your Firebox®. Installing WSM and keeping an older version You can install the current version of WSM and keep the old version if you remove the server software (Management Server, Log Server, Quarantine Server, and WebBlocker Server) from the older version of WSM. Because you can have only one version of the servers installed, you must remove the previous version before you install the current WSM version along with the current server software. Installing WatchGuard Servers on computers with desktop firewalls Desktop firewalls can block the ports necessary for WatchGuard® server components to operate. Before you install the Management Server, Log Server, Quarantine Server, or WebBlocker Server on a computer with an active desktop firewall, you might need to open the necessary ports on the desktop firewall. Windows Firewall users do not need to change their configuration because the installation program opens the necessary ports in Windows Firewall automatically. User Guide 19 Installation Topics This table shows you the ports you must open on a desktop firewall. Server Type/Appliance Software Protocol/Port Management Server TCP 4109, TCP 4110, TCP 4112, TCP 4113 Log Server with Fireware® appliance software with WFS appliance software TCP 4115 TCP 4107 WebBlocker Server TCP 5003, UDP 5003 Quarantine Server TCP 4119, TCP 4120 Adding secondary networks to your configuration A secondary network is a different network that connects to a Firebox interface with a switch or hub. When you add a secondary network, you map a second IP address to the Firebox interface. You make (or add) an IP alias to the network interface. This secondary network address you set is the default gateway for all the computers on the secondary network. The secondary network also tells the Firebox that one more network is on the Firebox interface. To add a secondary network, do one of these procedures: Use a Quick Setup Wizard during installation If you configure the Firebox in drop-in mode, you can enter an IP address for the secondary network in the Quick Setup Wizard. This is the default gateway for your secondary private network. Add the secondary network after the Firebox installation is complete If you configure the Firebox in routed mode, or at any time after you use a Quick Setup Wizard, you can use Policy Manager to add secondary networks to an interface. For information on how to do this, see the “Network Setup and Configuration” chapter in this guide. Dynamic IP support on the external interface If you use dynamic IP addresses, you must configure your Firebox in routed mode when you use a Quick Setup Wizard. If you select DHCP, the Firebox tells a DHCP server controlled by your Internet service provider (ISP) to give the Firebox its IP address, gateway, and netmask. This server can also give DNS server information 20 WatchGuard System Manager Installation Topics for your Firebox. If it does not give you that information, you must add it manually to your configuration. If necessary, you can change the IP addresses that your ISP gives you. You also can use PPPoE. As with DHCP, the Firebox makes a PPPoE protocol connection to the PPPoE server of your ISP. This connection automatically configures your IP address, gateway, and netmask. If you use PPPoE on the external interface, you must have the PPP user name and password when you configure your network. If your ISP gives you a domain name to use, type your user name in the format “user@domain” when you use a Quick Setup Wizard. A static IP address is necessary for the Firebox to use some functions. When you configure the Firebox to receive dynamic IP addresses, the Firebox cannot use these functions: • High Availability (not available on Firebox 500) • Drop-in mode • 1-to-1 NAT on an external interface • MUVPN • RUVPN with PPTP If your ISP uses a PPPoE connection to give a static IP address, the Firebox allows you to enable MUVPN and RUVPN with PPTP because the IP address is static. Entering IP addresses When you enter IP addresses in a Quick Setup Wizard or WSM dialog boxes, type the digits and periods in the correct sequence. Do not use the TAB key, arrow key, spacebar, or mouse to put your cursor after the periods. For example, if you type the IP address 172.16.1.10, do not type a space after you type “16.” Do not try to put your cursor after the subsequent period to type “1.” Type a period directly after “16,” and then type “1.10.” Press the slash (/) key to move to the netmask. About slash notation Use slash notation to enter the netmask. In slash notation, one number shows how many bits of the IP address identify the network that the host is on. A netmask of 255.255.255.0 has a slash equivalent of 8+8+8=24. For example, an IP address 192.168.42.23/24 is equivalent to an IP address of 192.168.42.23 with a netmask of 255.255.255.0. This table shows the network masks and their slash equivalents. User Guide Network mask Slash equivalent 255.0.0.0 /8 255.255.0.0 /16 255.255.255.0 /24 255.255.255.128 /25 255.255.255.192 /26 255.255.255.224 /27 255.255.255.240 /28 255.255.255.248 /29 255.255.255.252 /30 21 Installation Topics Installing the Firebox cables Connect the power cable to the Firebox power input and to a power source. We recommend that you use a straight Ethernet cable (green) to connect your management station to a hub or switch. Use a different straight Ethernet cable to connect your Firebox to the same hub or switch. You also can use a red crossover cable to connect the Firebox trusted interface to the management station Ethernet port. 22 WatchGuard System Manager 3 Service and Support No Internet security solution is complete without regular updates and security information. New threats appear each day — from the newest hacker to the newest bug in an operating system — and each can cause damage to your network systems. LiveSecurity® Service sends security solutions directly to you to keep your security system in the best condition. Training and technical support are available on the WatchGuard® site to help you learn more about network security and your WatchGuard products. LiveSecurity Service Solutions The number of new security problems and the volume of information about network security continues to increase. We know that a firewall is only the first component in a full security solution. The WatchGuard® Rapid Response Team is a dedicated group of network security personnel who can help you to control the problem of too much security information. They monitor the Internet security web sites to identify new security problems. Threat responses, alerts, and expert advice After a new threat is identified, the WatchGuard Rapid Response Team sends you an email message to tell you about the problem. Each message gives full information about the type of security problem and the procedure you must use to make sure that your network is safe from attack. Easy software updates LiveSecurity® Service saves you time because you receive an email message when we release a new version of the WatchGuard System Manager software. Installation wizards, release notes, and a link to the software update make for a fast and easy installation. These continued updates make sure that you do not have to use your time to find new software. Access to technical support and training You can find information about your WatchGuard products quickly with our many online resources. You can also speak directly to one of the WatchGuard technical support personnel. Use our course materials available on the WatchGuard web site to learn more about the WatchGuard System Manager software, Firebox®, and network security, or to find a WatchGuard Certified Training Partner in your area. User Guide 23 LiveSecurity Service Broadcasts LiveSecurity Service Broadcasts The WatchGuard® Rapid Response Team regularly sends messages and software information directly to your computer desktop by email. We divide the messages into categories to help you to identify and make use of incoming information immediately. Information Alert Information Alerts give you a fast view of the newest information and threats to Internet security. The WatchGuard Rapid Response Team frequently recommends that you make a security policy change to protect against the new threat. When necessary, the Information Alert includes instructions on the procedure. Threat Response If a new security threat makes it necessary, the WatchGuard Rapid Response Team transmits a software update for your Firebox®. The Threat Response includes information about the security threat and instructions on how to download a software update and install it on your Firebox and management station. Software Update When necessary, WatchGuard updates the WatchGuard System Manager software. Product upgrades can include new features and patches. When we release a software update, you get an email message with instructions on how to download and install your upgrade. Editorial Each week, top network security personnel come together with the WatchGuard Rapid Response Team to write about network security. This continuous supply of information can help your network stay safe and secure. Foundations The WatchGuard Rapid Response Team also writes information specially for security administrators, employees, and other personnel that are new to this technology. Loopback At the end of each month LiveSecurity® Service sends you an email message with a summary of the information sent that month. Support Flash These short training messages can help you to operate WatchGuard System Manager. They are an added resource to the other online resources: - User forum - FAQs - Known Issues pages on the Technical Support web site Virus Alert WatchGuard has come together with antivirus vendor McAfee to give you the most current information about computer viruses. Each week, we send you a message with a summary of the virus traffic on the Internet. When a hacker releases a dangerous virus on the Internet, we send a special virus alert to help you protect your network. New from WatchGuard When WatchGuard releases a new product, we first tell you — our customers. You can learn about new features and services, product upgrades, hardware releases, and promotions. Activating LiveSecurity Service You can activate LiveSecurity® Service through the activation section of the LiveSecurity web pages. You can also find information about feature activation and the Quick Setup Wizard in the Quick Start Guide and in the “Getting Started” chapter of this book. 24 WatchGuard System Manager LiveSecurity Service Self Help Tools To activate LiveSecurity Service, you must enable JavaScript on your browser. To activate LiveSecurity Service through the Internet: 1 Make sure that you have your Firebox® serial number. This is necessary during the LiveSecurity activation procedure. You can find the Firebox serial number on a label on the rear side of the Firebox below the Universal Product Code (UPC), or on a label on the bottom of the Firebox. 2 Use your web browser to go to: www.watchguard.com/account/register.asp The Account page appears. 3 Complete the LiveSecurity Activation page. Use the TAB key or the mouse to move through the fields on the page. You must complete all the fields to activate correctly. This information helps WatchGuard to send you the information and software updates that are applicable to your products. 4 Make sure that your email address is correct. Your LiveSecurity emails about product updates and threat responses come to this address. After you complete the procedure, you get an email message that tells you that you activated LiveSecurity Service correctly. 5 Click Register. LiveSecurity Service Self Help Tools Online Self Help Tools enable you to get the best performance from your WatchGuard® products. You must activate LiveSecurity® Service before you can get access to online resources. Instant Answers Instant Answers is a guided Help tool designed to give solutions to product questions very quickly. Instant Answers asks you questions and then gives you the best solution based on the answers you give. Product FAQs FAQs (frequently asked questions) give you general information about the Firebox®, WatchGuard System Manager, and the Firebox appliance software. FAQs supply important information about configuration options and operation of systems or products. Known Issues This Known Issues tool monitors WatchGuard product problems and software updates. WatchGuard Users Forum The WatchGuard Technical Support team operates a web site where customers can help each other with WatchGuard products. Technical Support monitors this forum to make sure you get accurate information. Training Browse to the training section to learn more about network security and WatchGuard products. You can use training materials available online and get a certification in WatchGuard products. The training includes links to a wide range of documents and web sites about network security. The training is divided into parts, which lets you use only the materials you feel necessary. To learn more about training, browse to: http://www.watchguard.com/training/ Product Documentation The WatchGuard web site has a copy of each product user guide, including user guides for software versions that are no longer supported. The user guides are in .pdf format. User Guide 25 WatchGuard Users Forum To get access to the LiveSecurity Service Self Help Tools: 1 Start your web browser. In the address bar, type: http://www.watchguard.com/support 2 Under Self Help Tools, click the tool you want to use. You are asked to log in to LiveSecurity Service if you have not already done so. WatchGuard Users Forum The WatchGuard® Users Forum is an online group. It lets users of WatchGuard products exchange product information about: • Configuration • Connecting WatchGuard products and those of other companies • Network policies This forum has different categories that you can use to look for information. The Technical Support team controls the forum during regular work hours. You do not get special help from Technical Support when you use the forum. To contact Technical Support directly from the web, log in to your LiveSecurity account. Click on the Incidents link to send a Technical Support incident. Using the WatchGuard Users Forum To use the WatchGuard Users Forum you must first create an account. For instructions, browse to: http://www.watchguard.com/forum Product Documentation We post all user guides to the web site at: http://www.watchguard.com/help/documentation Technical Support Your LiveSecurity® Service subscription includes technical support for the WatchGuard® System Manager software and Firebox® hardware. To learn more about WatchGuard Technical Support, browse to the WatchGuard web site at: http://www.watchguard.com/support You must activate LiveSecurity Service before you can get technical support. LiveSecurity Service technical support All new Firebox products include the WatchGuard LiveSecurity Technical Support Service. You can speak with a member of the WatchGuard Technical Support team when you have a problem with the installation, management, or configuration of your Firebox. 26 WatchGuard System Manager Technical Support Hours WatchGuard LiveSecurity Technical Support operates from 6:00 AM to 6:00 PM in your local time zone, Monday through Friday. Telephone number 877.232.3531 (select option #2) in United States and Canada +1.206.613.0456 in all other countries Web site http://www.watchguard.com/support Service time We try for a maximum response time of four hours. Single Incident Priority Response Upgrade (SIPRU) and Single Incident After Hours Upgrade (SIAU) are also available. For more information about these upgrades, refer to the WatchGuard web site at: http://www.watchguard.com/support LiveSecurity Gold WatchGuard Gold LiveSecurity Technical Support adds to your standard LiveSecurity Service. We recommend that you get this upgrade if you use the Internet or VPN tunnels for most of your work. With WatchGuard Gold LiveSecurity Technical Support you get: • Technical support 24 hours a day, seven days a week, including holidays. • The Technical Support Team operates the support center from 7 PM Sunday to 7 PM Friday (Pacific Time). For weekend support for critical problems, use the on-call paging system. • We try for a maximum response time of one hour. • To create a support incident, call WatchGuard LiveSecurity Technical Support. A Customer Care representative records the problem and gives you an incident number. A Priority Support technician calls you as quickly as possible. If you have a critical problem when the support center is not open, use the LiveSecurity Technical Support phone number to page a technician. You can also send an incident on the web site at: http://www.watchguard.com/support/incidents/newincident.asp. Firebox Installation Service WatchGuard Remote Firebox Installation Service helps you to install and configure your Firebox. You can schedule two hours with a WatchGuard Technical Support team member. The technician helps you to: • Do an analysis of your network and security policy • Install the WatchGuard System Manager software and Firebox hardware • Align your configuration with your company security policy This service does not include VPN installation. VPN Installation Service WatchGuard Remote VPN Installation Service helps you through a full VPN installation. You can schedule a two-hour time with one of the WatchGuard Technical Support team. During this time, the technician helps: • User Guide Do an analysis of your VPN policy 27 Training and Certification • Configure your VPN tunnels • Do a test of your VPN configuration You can use this service after you correctly install and configure your Firebox devices. Training and Certification WatchGuard® product training is available through WatchGuard Certified Training Partners (WCTPs). You can install and configure the products with a qualified, experienced instructor to help you learn, and then take a WatchGuard technical certification exam. To find a training partner near you, go to http://www.watchguard.com/training/partners_locate.asp WatchGuard product training is also available online to help you learn more about network security and WatchGuard products. You can use these training materials to prepare for the certification exam. To find training materials, go to http://www.watchguard.com/training/courses.asp You must log into LiveSecurity to be able to download any of these courses. 28 WatchGuard System Manager 4 Firebox Status Monitoring WatchGuard® Firebox® System Manager (FSM) gives you one interface to monitor all components of a Firebox and the work it does. From FSM, you can monitor the current condition of the Firebox, or connect to the Firebox directly to update its configuration. You can see: • Status of the Firebox interfaces and the traffic that goes through the interfaces • Status of VPN tunnels and management certificates • Real-time graphs of Firebox bandwidth use or of the connections on specified ports • Status of any other security services you use on your Firebox Starting Firebox System Manager Before you start to use Firebox® System Manager, you must connect to a Firebox. Connecting to a Firebox 1 From WatchGuard® System Manager, click the Connect to Device icon. Or, you can select File > Connect To Device. The Connect to Firebox dialog box appears. User Guide 29 Starting Firebox System Manager 2 From the Name/IP Address drop-down list, select a Firebox. You can also type the IP address or name of the Firebox. 3 In the Passphrase box, type the Firebox status (read-only) passphrase. 4 Click Login. The Firebox appears in the WatchGuard® System Manager window. Opening Firebox System Manager 1 From WatchGuard System Manager, select the Device Status tab. 2 Select the Firebox to examine with Firebox System Manager. 3 Click the Firebox System Manager icon. Firebox System Manager appears. It may take a moment to connect to the Firebox to get information about the status and configuration. 30 WatchGuard System Manager Firebox System Manager Menus and Toolbar Firebox System Manager Menus and Toolbar Firebox® System Manager (FSM) commands are in the menus at the top of the window. The most common tasks are also available as buttons on the toolbar. The tables that follow tell you the function of the menus and the toolbar icons and buttons. Firebox System Manager Menus Menu Command Function File Settings Changes how Firebox System Manager shows status information in the displays. Disconnect Keeps Firebox System Manager open, but stops the connection to the monitored Firebox. Reset Stops the operating system components on the Firebox and restarts them (soft reboot). Reboot Starts the current Firebox again. Shutdown Turns off the Firebox. Close Closes the Firebox System Manager window. Certificates Lists the certificates on the Firebox and allows the user to list, add, and remove them. Feature Keys Lists the current Feature Keys on the Firebox. Communication Log Opens the communication log, which contains information such as the success or failure of logins, handshakes, and so on. These are connections between the Firebox and Firebox System Manager. Policy Manager Opens Policy Manager with the configuration of the selected Firebox. HostWatch™ Opens HostWatch connected to the current Firebox. Performance Console Opens the Performance Console, which shows graphs of performance aspects of the Firebox. Synchronize Time Synchronizes the time of the Firebox with the system time. Clear ARP Cache Empties the ARP cache of the selected Firebox. Clear Alarm Empties the alarm list on the selected Firebox. Rekey all BOVPN Tunnels Expires all BOVPN tunnels and forces them to be rebuilt. High Availability Allows you to manually control High Availability functions. Change Passphrases Changes the status and configuration passphrases. Firebox System Manager Help Opens the online Help files for this application. About Shows version and copyright information. VIew Tools Help User Guide 31 Firebox System Manager Menus and Toolbar Firebox System Manager Toolbar Icon Function Starts the display again. This icon appears only when you are not connected to a Firebox. Stops the display. This icon appears only when you are connected to a Firebox. Shows the management and VPN certificates saved on the Firebox. Shows the feature keys registered and installed for this Firebox. Starts Policy Manager. Use Policy Manager to make or change a configuration file. Starts HostWatch, which shows connections for this Firebox. Starts the Performance Console where you can configure graphs that show Firebox status. Shows the Communication Log dialog box to show connections between Firebox System Manager and the Firebox. Firebox System Manager Buttons Button Function Renew Now Appears in the upper-right part of the FSM window when a WSM feature or service has expired. To renew it, click the button. Force Failback Appears in the upper-right part of the FSM window when multiWAN failback occurs. Click the button to fail back to the other WAN interface. Setting refresh interval and pausing the display All tabs on Firebox System Manager have, at the bottom of the screen, a drop-down list to set the refresh interval, and a Pause button to stop the display: Refresh Interval The refresh interval is the polling interval; the time between refreshes of the display. You can change the interval of time (in seconds) that Firebox System Manager gets the Firebox information and sends updates to the user interface. You must balance how frequently you get information and the load on the Firebox. Be sure to examine the refresh interval on each tab. When a tab gets new information for its display, the text “Refreshing...” appears adjacent to the Refresh Interval drop-down list. A shorter time interval gives a more accurate display, but creates more load on the Firebox. From Firebox System Manager, use the Refresh Interval drop-down list to select a new duration between window refreshes. You can select 5 seconds, 10 seconds, 30 seconds, 60 seconds, 2 minutes, or 5 minutes. You can also type a custom value into this box. 32 WatchGuard System Manager Basic Firebox and Network Status Pause/Continue You can click the Pause button to temporarily stop Firebox System Manager from refreshing this window. After you click the Pause button, this button changes to a Continue button. Click Continue to continue to refresh the window. Basic Firebox and Network Status The Front Panel tab of Firebox® System Manager shows basic information about your Firebox, your network, and network traffic. Using the Security Traffic display Firebox System Manager initially has a group of indicator lights to show the direction and volume of the traffic between the Firebox interfaces. The display can be a triangle (below left) or a star (below center and right). Triangle display If a Firebox has only three configured interfaces, each corner of the triangle is one interface. If a Firebox has more than three interfaces, each corner of the triangle represents one type of interface. For example, if you have six configured interfaces with one external, one trusted, and four optional interfaces, the “All-Optional” corner in the triangle represents all four of the optional interfaces. Star display The star display shows all traffic in and out of the center interface. An arrow that moves from the center interface to a node interface shows that the Firebox is passing traffic. The traffic comes in through the center interface and goes out through the node interface. For example, if eth1 is at the center and eth2 is at a node, a green arrow shows that traffic flows from eth1 to eth2. There are two star displays — one for a Firebox X Core with 6 interfaces and one for Firebox X Peak with 10 interfaces. User Guide 33 Basic Firebox and Network Status To change the display, right-click it and select Triangle Mode or Star Mode. Monitoring status information The points of the star and triangle show the traffic that flows through the interfaces. A green point shows traffic is being allowed at that interface. A red point shows that traffic is being denied, or that the interface is denying some traffic and allowing other traffic. Each point shows incoming connections and outgoing connections with different arrows. When traffic flows between the two interfaces, the arrows light up in the direction of the traffic. In the star figure, the location where the points come together can show one of two conditions: • Red (deny)—The Firebox denies a connection on that interface. • Green (allow)—There is traffic between this interface and a different interface (but not the center) of the star. When there is traffic between this interface and the center, the point between these interfaces shows as green arrows that blink. In the triangle, the network traffic shows in the points of the triangle. The points show only the idle or deny condition. One exception is when there is a large quantity of VPN ”tunnel switching” traffic. Tunnel switching traffic refers to packets that are sent through a VPN to a Firebox configured as the default gateway for the VPN network. In this case, the Firebox System Manager traffic level indicator can show very high traffic, but you do not see green lights as more tunnel switching traffic comes in and goes out of the same interface. Setting the center interface If you use the star figure, you can customize the interface that appears in its center. Click the interface name or its point. The interface then moves to the center of the star. All the other interfaces move clockwise. If you move an interface to the center of the star, you can see all traffic between that interface and all other interfaces. The default display shows the external interface in the center. Monitoring traffic, load, and status Below the Security Traffic Display are the traffic volume indicator, processor load indicator, and basic status information (Detail). The two bar graphs show the traffic volume and the Firebox capacity. 34 WatchGuard System Manager Basic Firebox and Network Status Firebox and VPN tunnel status The section in Firebox System Manager to the right side of the front panel shows: • Status of the Firebox. This includes the Fireware version and patch string. • Warnings: Appear when updates for Security Services are available or when Subscription Services or other features are soon to expire. To renew, click the Renew Now button that appears in the upper-right part of the FSM window. • High Availability status, if applicable • Interfaces • Certificates • Branch office VPN tunnels • Mobile user and PPTP VPN tunnels • Security Services: Viruses, intrusions, spam email messages found, web requests denied Firebox, High Availability, and interfaces In the Firebox Status section, expand the entries to see: • If High Availability is configured, whether the HA peer is available. The time at which the configuration of the primary and secondary devices was last updated also appears. • The IP address of each Firebox interface and the configuration mode of the external interface. If you again expand the entries for each interface, you can see: • IP address, gateway, and netmask of each configured interface • Media Access Control (MAC) address of each interface • Number of bytes and packets sent and received since the last Firebox restart • Status of the physical link (an interface or link icon in color means an interface or link is configured, and a dark icon indicates the interface or link is down) User Guide 35 Basic Firebox and Network Status Certificates FSM shows certificates on the Firebox and their current status. For valid certificates, FSM shows the validity period and fingerprint. Branch Office VPN Tunnels Below the Firebox Status section is a section on BOVPN tunnels. Firebox System Manager shows the current tunnel status and gateway information for each VPN tunnel as well as data sent and received, creation and expiration information, type of authentication and encryption, and number of rekeys. Each BOVPN tunnel is shown in one of three states: Active The BOVPN tunnel is operational and passing traffic. Inactive The BOVPN tunnel has been created, but no tunnel negotiation has occurred. No traffic has been sent through the VPN tunnel. Expired The BOVPN tunnel was active, but is no longer active because the tunnel has no traffic or because the link between the gateways is lost. PPTP User VPN and Mobile User VPN tunnels For both types of tunnels, Firebox System Manager shows the user name, IP address information, and the quantity of sent and received packets. 36 WatchGuard System Manager Firebox Traffic Security Services Below Security Services, Firebox System Manager shows the number of viruses found, the number of intrusions, the number of email messages confirmed as spam, and the number of web requests denied by WebBlocker since the last restart. Expanding and closing tree views To expand a part of the display, click the plus sign (+) adjacent to the entry, or double-click the name of the entry. To close a part, click the minus sign (–) adjacent to the entry. When no plus or minus sign shows, no more information is available. Firebox Traffic To see Firebox® log messages, click the Traffic Monitor tab. You can change the size of the Traffic Monitor window to fit your screen. Setting the maximum number of log messages You can change the maximum number of log messages that you can keep and see on Traffic Monitor. When you get to the maximum number, the new log messages replace the first entries. If you have a slow processor or a small quantity of RAM, a high value in this field can slow your management system. User Guide 37 Firebox Traffic If it is necessary to examine a large volume of log messages, we recommend that you use LogViewer, as described in “Using LogViewer” on page 101. 1 From Firebox System Manager, select File > Settings. The Settings dialog box appears. 2 From the Maximum Log Messages drop-down list, select the number of log messages that you want to appear in Traffic Monitor. Click OK. The value you type gives the number of log messages in thousands. Using color for log messages In Traffic Monitor, you can make messages appear in different colors. You can use different colors to differentiate between types of information. 1 From Firebox System Manager, select File > Settings. Click the Traffic Monitor tab. 2 To disable or enable the display of colors, clear or select the Show Logs in Color check box. 3 On the Alarm, Traffic Allowed, Traffic Denied, Event, Debug, or Performance tab, click the field to appear in a color. The box next to Text Color on the right side of the tabs shows the color in use for the field. 4 To change the color, click the box next to Text Color. Select a color. A sample of how the color will look in Traffic Monitor appears at the bottom of the dialog box. Click OK to close the color control dialog box, or Reset to go back to the color used for text before you opened the color control dialog box. Click OK again to close the Settings dialog box. 5 You can also select a background color for Traffic Monitor. Click the box next to Background Color. Use the procedures described in the previous step to change the color. You can cancel the changes you make in this dialog box. Click Restore Defaults. 38 WatchGuard System Manager Bandwidth Usage Copying log messages To make a copy of a log message and paste it in a different software application, right-click the message and select Copy Selection. If you select Copy All, Firebox System Manager copies all the log messages. Open the other tool and paste the message or messages. To copy more than one, but not all, log messages, use LogViewer to open the log file, and then use the LogViewer copy function, as described in the “Logging and Notification” chapter. Learning more about a traffic log message To learn more about a traffic log message, you can: Copy the IP address of the source or destination Make a copy of the source or destination IP address of a traffic log message, and paste it into a different software application. To copy the source IP address, right-click the message, and select Source IP Address > Copy Source IP Address. To copy the destination IP address, right-click the message, and select Destination IP Address > Copy Destination IP Address. Ping the source or destination To ping the source or destination IP address of a traffic log message, do this: Right-click the message, and select Source IP Address > Ping or Destination IP Address > Ping. A pop-up window shows the results. Trace the route to the source or destination To use a traceroute command to the source or destination IP address of a traffic log message, do this: Right-click the message, and select Source IP Address > Trace Route or Destination IP Address > Trace Route. A pop-up window shows you the results of the traceroute operation. If the traceroute operation takes longer than two minutes, the Firebox returns an error. While the traceroute operation runs, information on other FSM tabs cannot refresh because management traffic to the Firebox is temporarily blocked. Temporarily block the IP address of the source or destination To temporarily block all traffic from a source or destination IP address of a traffic log message, do this: Right-click the message, select Source IP Address > Block: [IP address] or Destination IP Address > Block: [IP address]. The length of time that an IP address is temporarily blocked by this command is set in Policy Manager. To use this command you must give the configuration password. Bandwidth Usage Select the Bandwidth Meter tab to see the real-time bandwidth for all the Firebox® interfaces. The Y axis (vertical) shows the number of connections. The X axis (horizontal) shows the time. If you click any location on the chart, you can get more detailed information in a pop-up window about bandwidth User Guide 39 Bandwidth Usage use at that point in time. The meter shows VLAN interfaces, if any are defined, in addition to physical interfaces. To change how the bandwidth appears: 1 From Firebox System Manager, select File > Settings. Click the Bandwidth Meter tab. 2 Do one or more of the steps in the sections below. Changing the scale of the bandwidth display You can change the scale of the Bandwidth Meter tab. Use the Graph Scale drop-down list to select the value that is the best match for the speed of your network. You can also set a custom scale. Type the value in kilobytes for each second in the Custom Scale text box. Adding and removing lines in the bandwidth display 40 WatchGuard System Manager Policies • To add a line to the Bandwidth Meter tab, select the interface from the Hide list in the Color Settings section. Use the Text Color control to select a color for the line. Click Add. The interface name appears in the Show list with the color you selected. • To remove a line from the Bandwidth Meter tab, select the interface from the Show list in the Color Settings section. Click Remove. The interface name appears in the Hide list. Changing colors in the bandwidth display You can change the colors of the display of the Bandwidth Meter tab. Use the Background and Grid Line color control boxes to select a new color. Changing how interfaces appear in the bandwidth display One option is to change how the interface names appear on the left side of the Bandwidth Meter tab. The names can appear as a list. The display can also show an interface name adjacent to the line it identifies. Use the Show the interface text as a drop-down list to select List or Tags. Policies Select the Service Watch tab of Firebox® System Manager to see a graph of the policies that are configured in Policy Manager for a Firebox. The Y axis (vertical) shows the number of connections. The X axis (horizontal) shows the time. If you click any location on the chart, you can get more detailed information in a pop-up window about policy use at this point in time. 1 User Guide To change how the policies appear, select File > Settings. Click the Service Watch tab. 41 Policies 2 Do one or more of the steps in the sections below. Changing the scale of the policies display You can change the scale of the Service Watch tab. Use the Graph Scale drop-down list to select the value that is the best match for the volume of traffic on your network. You can also set a custom scale. Type the number of connections in the Custom Scale text box. Adding and removing lines in the policies display • To add a line to the Service Watch tab, select the policy from the Hide list in the Color Settings section. Use the Text Color control to select a color for the line. Click Add. The interface name appears in the Show list with the color you selected. • To remove a line from the Service Watch tab, select the policy from the Show list in the Color Settings section. Click Remove. The interface name appears in the Hide list. Changing colors in the policies display You can change the colors of the display of the Service Watch tab. Use the Background and Grid Line color control boxes to select a new color. Changing how policy names appear in the policies display You can change how the policy names appear on the left side of the Service Watch tab. The names can show as a list. The tab can also show an interface name adjacent to the line it identifies. Use the Show the policy labels as drop-down list to select List or Tags. 42 WatchGuard System Manager Traffic and Performance Statistics Traffic and Performance Statistics The Status Report tab gives you statistics about Firebox® traffic and performance. The Firebox Status Report contains this information: Uptime and version information Firebox uptime, the WatchGuard® Firebox System software version, the Firebox model, appliance software version, and patch, if applicable. There is also a list of the status and version of the product components on the Firebox. Log Servers IP addresses of all configured Log Servers. Logging options Log message options that are configured with the Quick Setup Wizard or Policy Manager. Memory and load average Statistics on the memory use (shown in bytes of memory) and load average of the Firebox. The load average has three values that typically show an average over the last minute, 5 minutes, and 15 minutes. Values over 1.00 (100%) indicate some threads are queued until resources are available. (A system load that exceeds 1.00 does not mean the system is overloaded.) Processes Process ID, the name of the process, and the status of the process. Network configuration Information about the network cards in the Firebox: the interface name, its hardware and software addresses, and its netmask. The display also includes local routing information, IP aliases, and reserved DHCP leases. Blocked Sites list, Blocked Sites exceptions Current manually blocked sites and any current exceptions. Temporarily blocked site entries appear on the permanent Blocked Sites tab. User Guide 43 Authenticated Users Interfaces Each Firebox interface, along with information about the type of interface it is configured as (external, trusted, or optional), its status, and packet count. Routes Firebox kernel routing table. You use these routes to find which Firebox interface is used for each destination address. ECMP groups and dynamic routes that have been accepted by the dynamic routing daemon appear here as well. ARP table ARP table on the Firebox. The ARP table is used to match IP addresses to hardware addresses. (When an appliance is in drop-in mode, use the contents of the ARP table only to troubleshoot connectivity over secondary networks on the interfaces.) Total Dynamic Network Address Translation (DNAT) entries Number of used and available entries. Multi-WAN status Information on gateways and sticky connections. Also includes the sticky connections table. DHCP client leases Information on DHCP client leases on the Firebox. Dynamic Routing Dynamic routing components in use on the Firebox, if any. DNS Servers Address information for DNS servers. Refresh interval Rate at which this display updates the information. Support Click Support to open the Support Logs dialog box. This is where you set the location to which you save the diagnostic log file. You save a support log in tarzipped (*.tgz) format. You create this file for troubleshooting, when asked by your support representative. Authenticated Users The Authentication List tab of Firebox® System Manager gives information about all the persons that are authenticated to the Firebox. Information about each authenticated user appears in these four columns: User The name the user gives he or she authenticates. Type The type of user who authenticated: Firewall, MUVPN, or PPTP. IP Address The internal IP address being used by the user. For MUVPN and PPTP users, the IP address shown here is the IP address assigned to them by the Firebox. From Address The IP address on the computer the user authenticates from. For MUVPN and PPTP users, the IP address shown here is the IP address on the computer they used to connect to the Firebox. For Firewall users, the IP Address and From Address are the same. 44 WatchGuard System Manager Blocked Sites You can click the column headers to sort users. You can also log the user off the Firebox. To do this, right-click their user name and then stop their authenticated session. Blocked Sites The Blocked Sites List tab of Firebox® System Manager shows the IP addresses of all the external IP addresses that are temporarily blocked. Many events can cause the Firebox to add an IP address to the Blocked Sites tab: a port space probe, a spoofing attack, an address space probe, or an event you configure. Adjacent to each IP address is the time when it comes off the Blocked Sites tab. You can use the Blocked Sites dialog box in Policy Manager to adjust the length of time that an IP address stays on the list. Adding and removing sites Add allows you to temporarily add a site to the Blocked Sites list. Click Change Expiration to change the time at which this site is deleted from the list. Delete removes the site from the Blocked Sites list. You can remove a site from the list only if you open the Firebox with the configuration passphrase. User Guide 45 Security Services Security Services The Security Services tab includes information about Gateway AntiVirus, Intrusion Prevention, and spamBlocker, if installed. Gateway AntiVirus This area of the dialog box gives information about the Gateway AntiVirus feature. Activity since last restart - Viruses found: Number of viruses found in scanned files since the last Firebox® restart. - Objects scanned/not scanned: Number of files scanned or not scanned for viruses since the last Firebox restart. Signatures - Installed version: Version number of the installed signatures. Last update: Date of the last signature update. Version available: If a new version of the signatures is available. Server URL: URL that the Firebox goes to see if updates are available, and the URL that updates are downloaded from. - History: Click to show a list of all the signature updates. You can right-click to copy information on a selected update, or on the entire list of updates. 46 WatchGuard System Manager Security Services - Update: Click to update your virus signatures. This button is active only if a new version of the virus signatures is available. Engine - Installed version: Version number of the installed engine. Last update: Date of the last engine update. Version available: If a new version of the engine is available. Server URL: URL that the Firebox goes to see if updates are available, and the URL that updates are downloaded from. - History: Click to show a list of all the engine updates. You can right-click to copy information on a selected update, or on the entire list of updates. - Update: Click to update your virus signatures. Intrusion Prevention Service This area of the dialog box gives information about the Signature-Based Intrusion Prevention Service feature. Activity since last restart - Scans performed: Number of files scanned for viruses since the last Firebox restart. - Intrusions detected: Number of intrusions found in scanned files since the last Firebox restart. - Intrusions prevented: Number of infected files deleted since the last Firebox restart. Signatures - User Guide Installed version: Version number of the installed signatures. Last update: Date of the last signature update. Version available: If a new version of the signatures is available. Server URL: URL that the Firebox goes to see if updates are available, and the URL that updates are downloaded from. 47 HostWatch - History: Click to show a list of all the signature updates. - Update: Click to update your intrusion prevention signatures. This button is active only if a new version of the intrusion prevention signatures is available. - Show: Click to download and show a list of all current IPS signatures. After you download the signatures, you can look for signatures by signature ID. spamBlocker Activity since last restart - Number of messages that are identified as confirmed spam, bulk email, suspected spam, or not spam. - Number of messages that are blocked, tagged, or sent to the Quarantine Server. - Number of messages that are blocked or allowed because of a spamBlocker exceptions list that you create (exceptions that you create to deny additional sites are sometimes known as a blacklist; exceptions that you create to allow additional sites are sometimes known as a whitelist). HostWatch HostWatch™ is a graphical user interface that shows the network connections between the trusted and external networks. HostWatch also gives information about users, connections, and network address translation (NAT). The line that connects the source host and the destination host uses a color that shows the type of connection. You can change these colors. The default colors are: • Red — The Firebox® denies the connection. • Blue — The connection uses a proxy. • Green — The Firebox uses NAT for the connection. Black — Normal connection (the connection has been accepted, and it does not use a proxy or NAT). Icons that show the type of service appear adjacent to the server entries for HTTP, Telnet, SMTP, and FTP. • Domain name server (DNS) resolution does not occur immediately when you start HostWatch. When HostWatch is configured for DNS resolution, it replaces the IP addresses with the host or user names. If the Firebox cannot identify the host or user name, the IP address stays in the HostWatch window. If you use DNS resolution with HostWatch, the management station can send a large number of NetBIOS packets (UDP 137) through the Firebox. The only method to stop this is to turn off NetBIOS over TCP/IP in Windows. To start HostWatch, click the HostWatch icon in Firebox® System Manager. Or select Tools > HostWatch. The HostWatch window The top part of the HostWatch window has two sides. You can set the interface for the left side. The right side shows all other interfaces. HostWatch shows the connections to and from the interface configured on the left side. 48 WatchGuard System Manager HostWatch Selecting an interface To select an interface, select View > Interface and select the interface you want to see. You can also right-click the current interface name and then select the new interface. If you want to specify the exact interface name or use a regular expression to match multiple interfaces, select Other from the list of interfaces when you select View > Interface. This is useful when you want to see VLANs in HostWatch. Seeing connections Double-click an item on one of the sides to get the Connections For dialog box for connections that involve that item. The dialog box shows information about the connection, and includes the IP addresses, port number, time, connection type, and direction. Although the top part of the window shows only the connections to and from the selected interface, the bottom of the HostWatch window shows all connections to and from all interfaces. The information is shown in a table with the ports and the time the connection was created. User Guide 49 HostWatch Controlling the HostWatch window You can change the HostWatch window to show only the necessary items. You can use this feature to monitor specified hosts, ports, or users. 1 From HostWatch, select View > Filter. 2 Click the tab to monitor: Policy List, External Hosts, Other Hosts, Ports, or Authenticated Users. 3 On the tab for each item you do not want to see, clear the check boxes in the dialog box. 4 On the tab for each item you do want to see, type the IP address, port number, or user name to monitor. Click Add. Do this for each item that HostWatch must monitor. You can also select each tab’s Show all check box to show all items in the category. 5 Click OK. Changing HostWatch view properties You can change how HostWatch shows information. For example, you can tell HostWatch to show host names instead of addresses. 1 50 From HostWatch, select View > Settings. WatchGuard System Manager Performance Console 2 Use the Display tab to change how the hosts appear in the HostWatch window. 3 Use the Line Color tab to change the colors of the lines between NAT, proxy, blocked, and normal connections. 4 Click OK to close the Settings dialog box. Blocking a site from HostWatch To block an IP address from HostWatch, right-click on the connection and use the pop-up window to select the IP address from the connection to add to the Blocked Sites list. You must set the time for the IP address to be blocked, and give the configuration passphrase. Pausing the HostWatch display You can use the Pause and Continue icons on the toolbar to temporarily stop and then restart the display. Or, use File > Pause and File > Continue. Performance Console The Performance Console is a Firebox® utility that you use to make graphs that show how different parts of the Firebox are operating. To get the information, you define the counters that identify the information that is used to make the graph. Types of counters You can monitor these types of performance counters: User Guide 51 Performance Console System Information Show how the CPU is used. Interfaces Monitor and report on the events of selected interfaces. For example, you can set up a counter that monitors the number of packets a specified interface receives. Policies Monitor and report on the events of selected policies. For example, you can set up a counter that monitors the number of packets that a specified policy examines. VPN Peers Monitor and report on the events of selected VPN policies. Tunnels Monitor and report on the events of selected VPN tunnels. Defining counters To identify a counter for any of the categories: 1 From Firebox System Manager, select the Performance Console icon. Or, select Tools > Performance Console. The Add Chart window appears. 2 52 From the Add Chart window, expand one of the counter categories that appears below Available Counters. Click the + sign adjacent to the category name to see the counters you can use in that category. WatchGuard System Manager Performance Console 3 Click a counter, such as CPU Utilization. The Counter Configuration fields automatically refresh, related to the counter you select. 4 From the Chart Window drop-down list, select <New Window> if you want the graph to appear in a new window. Or, if any are listed, select the name of an open window to add the graph to a window that is open. 5 From the Poll Interval drop-down list, select a time interval between five seconds and one hour. This is the frequency that the Performance Console checks for updated information from the Firebox. 6 Add configuration information that applies to the specified counter. Certain fields appear automatically according to which counter you select. Some of the fields are: - Type — Use the drop-down list to select the type of graph to create: rate, difference, or raw value. Suppose you want to graph value_1 and time_1, value_2 at time_2, and so on. If you create a graph by rate, you use the value difference divided by the time difference: (value_2-value_1)/ (time_2-time_1), (value_3-value_2)/(time_3-time_2), and so on. If you specify difference, you use the increase from the previous value to the new value: value_2-value_1, value_3-value_2, and so on. If you specify raw value, you use the value only: value_1, value_2, and so on. The raw values are generally counters of content such as bytes or packets. They can only increase, not decrease. - Interface — Use the drop-down list to select the interface to graph data for. - Policy — (If you select a Policy counter) Use the drop-down list to select a policy from your Firebox configuration to graph data for. You can update the policy list that appears in the Performance Console when you click the Refresh Policy List button. - Peer IP — (If you select a VPN Peers counter) Use the drop-down list to select the IP address of a VPN endpoint to graph data for. You can update the list of VPN endpoints that appears in the Performance Console when you click the Refresh Peer IP List button. - Tunnel ID — (If you select a Tunnels counter) Use the drop-down list to select the name of a VPN tunnel to graph data for. You can update the list of VPN tunnels that appears in the Performance Console when you click the Refresh Tunnel ID List button. If you do not know the tunnel ID for your VPN tunnel, check the Firebox System Manager Front Panel tab. 7 User Guide Select the Save Chart Data to File check box to save the data collected by the Performance Console to an XML data file or a comma-separated data file. For example, you can open an XML data file in Microsoft Excel to see the counter value recorded for each polling interval. You can use other tools to merge data from more than one chart. 53 Performance Console 8 Click OK to start a real-time graph of this counter. This performance graph shows CPU usage. You create graphs for other functions in the same way. Viewing the performance graph Graphs are shown in a real-time chart window. You can show one graph in each window, or show many graphs in one window. Graphs automatically scale to fit the data and refresh every 5 seconds. Click Stop Monitoring to stop the Performance Console from getting data for this counter. You can stop the monitor to save resources and restart it at different time. Click Close to close the chart window. 54 WatchGuard System Manager Certificates on the Firebox Working with more than one Performance Console graph The main Performance Console window shows a table with all configured and active performance counters. From this window, you can add a new chart or change the polling intervals for configured counters. Adding a new chart To add a new chart, click the + button on the Performance Console toolbar or select File > Add Chart. Changing the polling interval To change the polling interval for one performance console, select the chart name from the list. Use the polling interval drop-down list on the Performance Console toolbar to change the frequency for the polls. Deleting a chart To delete a chart, select the chart name from the list and use the X button on the Performance Console toolbar or select File > Delete Chart. Certificates on the Firebox From Firebox® System Manager, you can see the certificates that are installed on the Firebox, create a Certificate Request, view the details of a certificate, remove a certificate from the Firebox, or import a certificate or Certificate Revocation List (CRL). You can also see Pending Certificate Requests that have User Guide 55 Feature Keys on the Firebox not yet been signed and imported. For more information, see the “Certificates and the Certificate Authority” chapter in this guide. Feature Keys on the Firebox To see the feature keys that are installed on this Firebox®, select View > Feature Keys. The feature name, license identification number, and expiration date appear in the list. To see more information about a particular feature key, select it and click Detail. The Feature Key Detail dialog box shows a list of the features in the feature key. To see a list of all active features installed on the Firebox, click Show Active Features. This dialog box shows the following information: Feature Name of the feature. Capacity Capacity the feature enables. For some features, this is a number of users, or concurrent connections, or a speed in Mbps. For other features, this can be a “1,” indicating that the feature is licensed and usable, or another number, like a model number (such as 8500e). 56 WatchGuard System Manager Communication Log Status Whether the feature is enabled or disabled. Expiration If the feature expires, the expiration date is listed. Communication Log The communication log contains information such as the success or failure of logins, handshakes, and so on. These are connections between the Firebox® and Firebox System Manager. To see the log, from Firebox System Manager, select View > Communication Log. This log starts when initial login is successful, and shows information about the current management session. Performing Operations in Firebox System Manager You can perform several operations in Firebox® System Manager. Synchronizing time Use this command to synchronize the time of the Firebox with the system time. 1 From Firebox System Manager, select Tools > Synchronize Time. 2 Type the Firebox configuration passphrase. Click OK. Clearing the ARP cache The ARP (Address Resolution Protocol) cache on the Firebox® keeps the hardware addresses (also known as MAC addresses) of TCP/IP hosts. Before an ARP request starts, the system makes sure that a hardware address is in the cache. You must clear the ARP cache on the Firebox after installation when your network has a drop-in configuration. 1 User Guide From Firebox System Manager, select Tools > Clear ARP Cache. 57 Performing Operations in Firebox System Manager 2 Type the Firebox configuration passphrase. Click OK. This flushes the cache entries. When a Firebox is in drop-in mode, this procedure clears only the content of the ARP table and not the MAC table. The oldest MAC entries in the MAC table are removed if the table has more than 2000 entries. If you want to clear the MAC table, you must restart the Firebox. Clearing alarms Use this command to clear the alarm list on the Firebox. 1 From Firebox System Manager, select Tools > Clear Alarm. 2 Type the Firebox configuration passphrase. Click OK. Rekeying BOVPN tunnels Normally, the gateway endpoints of BOVPN tunnels must generate and exchange new keys after a quantity of time or amount of traffic passes. You might sometimes, particularly when you troubleshoot tunnels, want to immediately generate new keys instead of waiting for them to expire. The rekey options in Firebox System Manager expire BOVPN tunnels immediately. Tunnels are triggered by traffic; they are rebuilt when traffic starts to flow through them. If you rekey a tunnel and it has no traffic, it is not automatically rebuilt. To rekey one BOVPN tunnel On the front panel of Firebox System Manager, below the Branch Office VPN Tunnels heading, select the tunnel you want to rekey. Right-click and select Rekey Selected BOVPN Tunnel. When prompted, type the configuration passphrase for the Firebox to which Firebox System Manager is connected. To rekey all BOVPN tunnels From Firebox System Manager, right-click anywhere on the front panel of the window. Select Rekey All BOVPN Tunnels. When prompted, type the configuration passphrase for the Firebox to which Firebox System Manager is connected. or From Firebox System Manager, select Tools > Rekey All BOVPN Tunnels. When prompted, type the configuration passphrase for the Firebox to which Firebox System Manager is connected. High Availability You can perform several High Availability operations from Firebox System Manager. For more information, see “Manually Controlling High Availability” on page 464. Changing passphrases To change the Firebox® passphrases from Firebox System Manager, select Tools > Change Passphrases. A Firebox uses two passphrases: 58 • Status passphrase The read-only password or passphrase that allows access to the Firebox • Configuration passphrase The read-write password or passphrase that allows an administrator full access to the Firebox WatchGuard System Manager Performing Operations in Firebox System Manager To create a secure passphrase, we recommend that you: • Use a selection of uppercase and lowercase characters, numbers, and special characters (for example, Im4e@tiN9). • Do not use a word from standard dictionaries, even if you use it in a different sequence or in a different language. • Do not use a name. It is easy for an attacker to find a business name, familiar name, or the name of a famous person. An additional security measure is to change the Firebox passphrases at regular intervals. To do this, you must have the configuration passphrase. User Guide 59 Performing Operations in Firebox System Manager 60 WatchGuard System Manager 5 Basic Firebox Administration To operate correctly, your Firebox® must have the necessary information to apply your security policy to the traffic that goes through your network. Policy Manager gives you one user interface to configure basic Firebox settings in addition to your security policy. This chapter shows you how to: • Add, delete, and see feature keys • Set up the Firebox to use an NTP server • Set the Firebox time zone • Configure the Firebox for SNMP • Change the Firebox passphrases • Give the Firebox a name for easy identification (instead of an IP address) • Recover a Firebox Working with Feature Keys You increase the functionality of your Firebox® when you purchase an option and add a new feature key to your configuration file. When you purchase a new feature, make sure that you activate the new feature on the LiveSecurity® web site and add a new feature key to your Firebox. Getting feature keys Before you activate a new feature, you must have a license key certificate from WatchGuard® that is not already registered on the LiveSecurity web site. 1 Open a web browser and connect to: https://www.watchguard.com/activate 2 If you have not already logged in to LiveSecurity, you are directed to the LiveSecurity Log In page. Type your LiveSecurity user name and passphrase. User Guide 61 Working with Feature Keys 3 Type the serial number or license key for the product as it appears on your printed certificate, including the hyphens. You usually use the serial number to register a new Firebox, and the license key to register add-on features. 4 Click Continue. The Choose Product to Upgrade page appears. 5 From the drop-down list, select the Firebox to which you want to apply the upgrade or renewal. If you added a Firebox name when you registered your Firebox, that name appears in this list. After you select the Firebox, click Activate. 6 The Retrieve Feature Key page appears. From your Windows Start menu, open Notepad or any application into which you can save text. Copy the full feature key from this page to a text file and save it on your computer. Click Finish. Adding feature keys to the Firebox 1 From Policy Manager, select Setup > Feature Keys. The Firebox Feature Keys dialog box appears. This dialog box shows the licenses that are available. 2 Click Add. The Add Firebox Feature Key dialog box appears. We recommend that you remove the old feature key before you add a new feature key. 62 WatchGuard System Manager Working with Feature Keys 3 Click Import and find the feature key file or paste the contents of your feature key file into the dialog box. 4 Click OK two times. At this time, the features are available on the management station. In some instances, new dialog boxes and menu commands to configure the feature appear in Policy Manager. 5 Save the configuration to the Firebox. The feature does not operate on the Firebox until you save the configuration file to the Firebox. Deleting a feature key 1 From Policy Manager, select Setup > Feature Keys. The Firebox Feature Keys dialog box appears. 2 Expand Feature Keys, select the feature key you want to delete, and click Remove. 3 Click OK. 4 Save the configuration to the Firebox. Seeing the active features To see a list of all features on the Firebox, from the Firebox Feature Keys dialog box, select the feature key and click Active Features. The Active Features dialog box shows each feature along with its capacity and expiration. User Guide 63 Setting NTP Servers Seeing the properties of a feature key To see the properties of a feature key, from the Firebox Feature Keys dialog box, select the feature key and click Properties. The Feature Key Properties dialog box shows the serial number of the Firebox to which this feature key applies, along with its ID and name, the Firebox model and version number, and the available Firebox features. Downloading a feature key If your feature key file is not current, you can download a copy of any feature key file from the Firebox to your management station. To download feature keys from a Firebox, select the feature key and click Download. A dialog box appears for you to type the status passphrase of the Firebox. Setting NTP Servers Network Time Protocol (NTP) synchronizes computer clock times across a network. The Firebox® can synchronize its clock to an Internet NTP server. To use NTP, your Firebox configuration must have a DNS policy (included in the default configuration). 1 From Policy Manager, select Setup > NTP. The NTP Setting dialog box appears. 2 64 Select the Enable NTP check box. WatchGuard System Manager Setting a Friendly Name and Time Zone 3 In the box below the NTP Server Names/IPs list, type the IP addresses of the NTP servers you want to use. Click Add. The Firebox can use up to three NTP servers. 4 Click OK. Setting a Friendly Name and Time Zone You can give the Firebox® a friendly name to use in your log files and reports. Otherwise, the log files and reports use the IP address of the Firebox external interface. Many customers use a Fully Qualified Domain Name if they register such a name with the DNS system. You must give the Firebox a friendly name if you use the Management Server to configure VPN tunnels and certificates. The Firebox time zone controls the date and time that appear in the log file and on tools such as LogViewer, Historical Reports, and WebBlocker. Set the Firebox time zone to the time zone for the physical location of the Firebox. This time zone setting allows for the time to appear correctly in the log messages. The Firebox system time is set to Greenwich Mean Time (GMT) by default. 1 From Policy Manager, click Setup > System. The Device Configuration dialog box appears. 2 If necessary, use the drop-down lists to specify Firebox X Core or Firebox X Peak and the model number. 3 In the Name text box, type the friendly name you want for the Firebox. Click OK. A pop-up notification tells you if you use characters that are not allowed. 4 In the Location and Contact fields, type any information that could be helpful to identify and maintain the Firebox. 5 From the Time zone drop-down list, select the time zone you want. Click OK. Working with SNMP Simple Network Management Protocol (SNMP) is a set of tools for monitoring and managing networks. SNMP uses management information bases (MIBs) that give configuration information for the devices the SNMP server manages or monitors. With Fireware® appliance software, the Firebox® supports SNMPv1 and SNMPv2c. You can configure the Firebox to accept SNMP polls from an SNMP server. You can also configure the Firebox to send traps to an SNMP server. User Guide 65 Working with SNMP Enabling SNMP polling 1 From Policy Manager, select Setup > SNMP. 2 Type the Community String the Firebox must use when it connects to the SNMP server. Click OK. The community string allows access to the statistics of a device. It operates like a wireless SSID or group ID. This community string must be included with all SNMP requests. If the community string is correct, the device gives the requested information. If the community string is not correct, the device discards the request and does not respond. 3 Click OK. Save the configuration to the Firebox. The Firebox can now receive SNMP polls. Enabling SNMP traps An SNMP trap is an event notification the Firebox sends to the SNMP management system. The trap identifies when a specified condition occurs, such as a value that is more than its predefined threshold. To enable the Firebox to send SNMP traps: 1 From Policy Manager, select Setup > SNMP. 2 In the SNMP Settings dialog box, select the Enable SNMP Trap check box. 3 In the box below the SNMP Management Stations list, type the IP address of the SNMP server. Click Add. 4 Type the Community String the Firebox must use when it connects to the SNMP server. Click OK. The community string is like a user ID or password that allows access to the statistics of a device. This community string must be included with all SNMP requests. If the community string is correct, the device gives the requested information. If the community string is not correct, the device discards the request and does not respond. 5 Add an SNMP policy to the Firebox. To do this, from Policy Manager, select Edit > Add Policy (or click the “+” icon), expand Packet Filters, select SNMP, and click Add. The New Policy Properties dialog box appears. 6 Below the From box, click Add. From the Add Address dialog box that appears, click Add Other. The Add Member dialog box appears. 66 WatchGuard System Manager Changing the Firebox Passphrases 7 From the Choose Type drop-down list, select Host IP. In the Value field, type the IP address of your SNMP server computer. 8 Click OK twice to return to the Policy tab of the new policy. 9 Below the To box, click Add. 10 From the Add Address dialog box that appears, under Available Members, select Firebox. Click Add. 11 Click OK, OK, and Close. Save the configuration to the Firebox. You can make the Firebox send a trap for any policy in Policy Manager. To do this, double-click the policy icon shown in Policy Manager to edit the configuration. From the Edit Policy Properties dialog box, select the Properties tab. Click Logging and select the Send SNMP Trap check box. Using MIBs WatchGuard® System Manager with Fireware® appliance software supports two types of Management Information Bases (MIBs): • Public MIBs are used in the Fireware product and are copied on to your WatchGuard management station when you install Fireware. These MIBs include IETF standards and MIB2. • Private MIBs are MIBs created by WatchGuard to provide basic monitoring information for specific components in the Firebox, including CPU and memory utilization, and interface and IPSec metrics. When you install WatchGuard System Manager, MIBs are installed to My Documents\My WatchGuard\Shared WatchGuard\SNMP. Changing the Firebox Passphrases A Firebox® uses two passphrases: • Status passphrase The read-only password or passphrase that allows access to the Firebox • Configuration passphrase The read-write password or passphrase that allows an administrator full access to the Firebox To create a secure passphrase, we recommend that you: • Use a selection of uppercase and lowercase characters, numbers, and special characters (for example, Im4e@tiN9). • Do not use a word from standard dictionaries, even if you use it in a different sequence or in a different language. • Do not use a name. It is easy for an attacker to find a business name, familiar name, or the name of a famous person. An additional security measure is to change the Firebox passphrases at regular intervals. To do this, you must have the configuration passphrase. 1 From Policy Manager, open the configuration file on the Firebox. 2 Click File > Change Passphrases. The Change Passphrases dialog box appears. User Guide 67 Recovering a Firebox 3 From the Firebox Address or Name drop-down list, select a Firebox or type the IP address or name of the Firebox. Type the Firebox configuration (read/write) passphrase. 4 Type and confirm the new status (read-only) and configuration (read/write) passphrases. The status passphrase must be different from the configuration passphrase. 5 Click OK. Recovering a Firebox If you want to reset a Firebox® to its factory-default settings or reset a Firebox with a completely new configuration, you can use a Firebox recovery procedure. The procedure to recover a Firebox X Core or Peak e-Series device is different from the procedure to recover an earlier model of a Firebox X Core or Peak. Make sure you use the correct procedure for your Firebox. Resetting a Firebox X e-Series device To put a new configuration on a Firebox X Core or Peak e-Series device, use the Web Quick Setup Wizard. See the “Getting Started” chapter for more information on the Web Quick Setup Wizard. Resetting a Firebox X Core or Peak (non e-Series) With an earlier model Firebox X Core or Peak, you can use the Quick Setup Wizard to reset the Firebox with a completely new configuration. This is the easiest way to reset a Firebox and the most common procedure used. There are times, however, when you cannot use the Quick Setup Wizard to reset a Firebox. When you use the Quick Setup Wizard, you must be able to make a network connection to the Firebox from your management station and “discover” the Firebox on the network. If this is not possible, you can use the manual reset procedure described in this manual. 68 WatchGuard System Manager Recovering a Firebox To manually reset the Firebox: 1 Turn the Firebox off. On the front of the Firebox, find and press the up arrow. 2 Press the down arrow button while you turn on the Firebox, and continue to hold the button down until the LCD display shows the Firebox is running in safe mode. When the Firebox runs in safe mode, it is running in factory-default mode. In factory-default mode, the Firebox trusted interface is set to 10.0.1.1. 3 Connect a cross-over Ethernet network cable between your WatchGuard® management station and the trusted interface of the Firebox. The trusted interface is labeled interface 1 on the Firebox. We recommend that you ping the trusted interface from your management station to make sure you have an operational network connection. 4 Change the IP address on your management station to 10.0.1.2 (or another IP address from which you can connect to the Firebox trusted interface at 10.0.1.1). If your management station uses Windows XP: From your Windows Start menu, select Control Panel > Network Connections > Local Area Connections. Click Properties. Select Internet Protocol (TCP/IP) and click Properties. Open Policy Manager. You can open an existing configuration file, or create a new configuration file. Use the options available from the File drop-down menu. 5 Select Setup > Feature Keys. Click Add and paste a copy of your feature key in the text box, if necessary. You can also import a Firebox feature key by clicking Import. 6 When you are ready, select File > Save > To Firebox. Save your configuration to the Firebox at IP address 10.0.1.1, with the administrative passphrase “admin”. 7 After the Firebox restarts with its new configuration, we recommend that you change the passphrases for the Firebox. Select File > Change Passphrases to set new passphrases. 8 You can now put the Firebox back on to your network and connect to it with the IP addresses and passphrases you set in your new configuration. User Guide 69 Recovering a Firebox If you did not change the IP address or passphrase, you can connect to the trusted IP address 10.0.1.1 with the passphrase “admin”. 70 WatchGuard System Manager 6 Basic Configuration Setup After your Firebox® is installed on your network and operates with a basic configuration file, you can start to add custom configuration settings to align with your organization’s requirements. This chapter shows you how to do some basic configuration and maintenance tasks. Some of these tasks you complete many times as you work with your Firebox. Other tasks you do only one time. These basic configuration tasks include how to: • Open a configuration file on a local computer or from the Firebox • Save a configuration file to a local computer or the Firebox • Create and restore a Firebox backup image • Use aliases • Configure Firebox global settings • Set basic schedules to use in your policies later • Manage your Firebox from a remote location Opening a Configuration File Policy Manager for Fireware® or Fireware Pro is a WatchGuard® software tool that lets you make, change, and save configuration files. A configuration file, with the extension .xml, includes all configuration data, options, IP addresses, and other information that makes up your Firebox® security policy. When you use Policy Manager, you see a version of your configuration file that is easy to examine and change. When you work with Policy Manager, you can: • Open the current configuration file on your Firebox • Open a configuration file saved on your local hard drive • Make a new configuration file User Guide 71 Opening a Configuration File Opening a working configuration file A common task for a network administrator is to make a change to your current security policy. For example, your business purchases a new software application, and you must open a port and protocol to a server at a vendor location. For this task, you must change your configuration file with Policy Manager. Using WatchGuard System Manager 1 From the Windows desktop, click Start > All Programs > WatchGuard System Manager 9.1 > WatchGuard System Manager. WatchGuard System Manager 9.1 is the default name of the folder for the Start menu icons. You cannot change this folder name during installation, but you can change it through the Windows user interface if you want. 2 From WatchGuard System Manager, select File > Connect To Device. Or, Click the Connect to Device icon on the WatchGuard System Manager toolbar. The Connect to Firebox dialog box appears. 3 Use the drop-down list to select your Firebox, or type its trusted IP address. Type the status (readonly) passphrase. Click OK. The device appears in the WatchGuard System Manager Device Status tab. 4 Select the Firebox on the Device Status tab. Then, select Tools > Policy Manager. Or, Click the Policy Manager icon on the WatchGuard System Manager toolbar. Policy Manager opens, and it puts the configuration file in use on the selected Firebox. Using Policy Manager 1 From Policy Manager, click File > Open > Firebox. The Open Firebox dialog box appears. If you get an error message that tells you that you cannot connect, try again. 2 From the Firebox Address or Name drop-down list, select a Firebox. You can also type the IP address or host name. 3 72 In the Passphrase text box, type the Firebox status (read-only) passphrase. Use the status passphrase here. You must use the configuration passphrase to save a new configuration to the Firebox. WatchGuard System Manager Opening a Configuration File 4 Click OK. Policy Manager opens the configuration file and shows the settings. If you cannot open Policy Manager, try these steps: • If the Connect to Firebox dialog box immediately comes back after you enter the passphrase, make sure that Caps Lock is off and that you type the passphrase correctly. Remember that the passphrase is case-sensitive. • If the Connect to Firebox dialog box times out, make sure that you have a link on the trusted interface and on your computer. Make sure that you typed the correct IP address for the trusted interface of the Firebox. Also make sure that your computer IP address is in the same network as the trusted interface of the Firebox. Opening a local configuration file You can open configuration files that are on any network drive to which your management station can connect. If you want to use an existing configuration file for a Firebox in a factory-default state, we recommend that you first run the Quick Setup Wizard to create a basic configuration and then open the existing configuration file. However, if you do open a configuration file on an appliance in a factory-default state, make sure you change the status and configuration passphrases. 1 From WatchGuard System Manager, select Tools > Policy Manager (or click the Policy Manager icon). 2 Select File > Open > Configuration File. Or, Click the Open File icon on the Policy Manager toolbar. A standard Windows open file dialog box appears. User Guide 73 Saving a Configuration File 3 Use the Open dialog box to find and to select the configuration file. Click Open. Policy Manager opens the configuration file and shows the settings. Making a new configuration file The Quick Setup Wizard makes a basic configuration file for your Firebox. We recommend that you use this as the base for each of your configuration files. However, you can also use Policy Manager to make a new configuration file with only the default configuration properties. 1 From WatchGuard System Manager, select Tools > Policy Manager (or click the Policy Manager icon). 2 From Policy Manager, select File > New. The Select Firebox Model and Name dialog box appears. 3 Use the Model drop-down lists to select your Firebox model. Because some groups of features are unique to each model, select the same model as your hardware device. 4 Type a name for the Firebox. This name will be used as the name of the configuration file. 5 Click OK. Policy Manager makes a new configuration with the file name <name>.xml, where <name> is the name you gave the Firebox. Saving a Configuration File After you make a new configuration file or change the current configuration file, you can save it directly to the Firebox®. You can also save it to a local hard disk. Some network administrators find it helps to save more than one version of a Firebox configuration file. For example, if you have a new security policy to use, we recommend that you save the old configuration file to a local hard drive first. Then if you do not want the new configuration, you can restore the old version. Saving a configuration to the Firebox 1 From Policy Manager, click File > Save > To Firebox. The Save to Firebox dialog box appears. 2 74 From the Firebox Address or Name drop-down list, type an IP address or name, or select a Firebox. If you use a Firebox name, the name must resolve through DNS. WatchGuard System Manager About Firebox Backup Images When you type an IP address, type all the numbers and the periods. Do not use the TAB key or arrow key. 3 Type the Firebox configuration passphrase. You must use the configuration passphrase to save a file to the Firebox. 4 Click OK. Saving a configuration to a local hard drive 1 From Policy Manager, click File > Save > As File. You can also use CTRL-S. A standard Windows save file dialog box appears. 2 Type the name of the file. The default procedure is to save the file to the WatchGuard® directory. You can also browse to any folder to which you can connect from the management station. For better security, we recommend that you save the files in a safe folder with no access to other users. 3 Click Save. The configuration file saves to the local hard drive. About Firebox Backup Images A Firebox backup image is an encrypted and saved copy of the flash disk image from the Firebox flash disk. It includes the Firebox appliance software, configuration file, licenses, and certificates. You can save a backup image to your management station or to a directory on your network. We recommend that you regularly make backup files of the Firebox image. We also recommend that you create a backup image of the Firebox before you make significant changes to your Firebox configuration or upgrade your Firebox or its appliance software. Creating a Firebox backup image 1 From Policy Manager, select File > Backup. The Backup dialog box appears. 2 Type the configuration passphrase for your Firebox. The second part of the Backup dialog box appears. User Guide 75 Working with Aliases 3 Type and confirm an encryption key. This key is used to encrypt the backup file. If you lose or forget this encryption key, you will not be able to restore the backup file. 4 Select the directory in which to save the backup file. Click OK. The default location for a backup file with a “.fxi” extension is C:\Documents and Settings\All Users\Shared WatchGuard\backups\<Firebox IP address>-<date>.<wsm_version>.fxi. Restoring a Firebox backup image 1 From Policy Manager, select File > Restore. The Restore dialog box appears. 2 Type the configuration passphrase for your Firebox. Click OK. 3 Type the encryption key you used when you created the backup image. The Firebox restores the backup image and restarts. It uses the backup image on restart. Wait for two minutes before you connect to the Firebox again. If you cannot successfully restore your Firebox image, you can reset the Firebox with the procedure shown in “Recovering a Firebox” on page 68. Working with Aliases An alias is a shortcut that identifies a group of hosts, networks, or interfaces. When you use an alias, it is easy to create a security policy because the Firebox® allows you to use aliases when you create policies. The default aliases in Policy Manager that you can use are: 76 • Aliases that correspond to Firebox interfaces, such as Trusted or External. • Any-Trusted: An alias for all Firebox interfaces configured as “trusted” interfaces (as defined in Policy Manager: select Network > Configuration), and any network you can get access to through these interfaces. • Any-External: An alias for all Firebox interfaces of type “external” (as defined in Policy Manager: select Network > Configuration), and any network you can get access to through these interfaces. • Any-Optional: Aliases for all Firebox interfaces of type “optional” (as defined in Policy Manager: select Network > Configuration), and any network you can get access to through these interfaces. • Any-BOVPN: An alias for any BOVPN (IPSec) tunnel. WatchGuard System Manager Working with Aliases When you use the BOVPN Policy wizard to create a policy to allow traffic through a BOVPN tunnel, the wizard automatically creates “.in” and .out” aliases for the incoming and outgoing tunnels. • Alias names are different from user or group names used in user authentication. With user authentication, you can monitor a connection with a name and not as an IP address. The person authenticates with a user name and a password to get access to Internet protocols. For more information about user authentication, see “How User Authentication Works” on page 153. Alias members You can add the following to an alias: • Host IP • Network IP • A range of host IP addresses • DNS name for a host • Tunnel address: defined by a user or group, address, and name of the tunnel • Custom address: defined by a user or group, address, and Firebox interface • Another alias • An authorized user or group Creating an alias 1 From Policy Manager, select Setup > Aliases. The Aliases dialog box appears. Pre-defined aliases appear in blue and user-defined aliases appear in black. 2 Click Add. The Add Alias dialog box appears. User Guide 77 Working with Aliases 3 In the Alias Name text box, type a unique name to identify the alias. This name appears in lists when you configure a security policy. 4 In the Description field, type a description of the alias. If you want to add an address, address range, DNS name, or another alias to the alias 1 Click Add. The Add Member dialog box appears. 2 From the drop-down list, select the type of member you want to add. 3 In the Value text field, type the address or name. Click OK. The new member appears in the Alias Members block of the Add Alias dialog box. 4 Repeat steps 1 - 3 to add more members as needed. Or, use the next procedure to add users or groups. When you have all the users, groups, and members you want in the alias, in the Add Alias dialog box, click OK. If you want to add an authorized user or group to the alias 1 Click User. The Add Authorized Users or Groups dialog box appears. 78 2 In the Type box, select whether the user or group you want to add is authorized as a Firewall user or a PPTP user. 3 In the box to the far right of the Type box, select User if you want to add a user, or Group if you want to add a group. 4 If the user or group appears in the list at the bottom of the Add Authorized Users or Groups dialog box, select the user or group and click Select. If the user or group does not appear in the list, it is not yet defined as an authorized user or group. You must define it as an authorized user or group before you add it to an alias. For information on how to do this, see “Defining a new user for Firebox authentication” on page 159, “Defining a new group for Firebox authentication” on page 160, or “Defining users and groups for third-party authentication” on page 170. WatchGuard System Manager Using Global Settings 5 Repeat steps 1 - 4 to add more members as needed. Or, use the previous procedure to add an address, address range, DNS name, or another alias to the alias. When you have all the users, groups, and members you want in the alias, in the Add Alias dialog box, click OK. Using Global Settings In Policy Manager you can select settings that control the actions of many Firebox® features. You set basic parameters for: • ICMP error handling • TCP SYN checking • TCP maximum size adjustment • Authentication settings • Traffic management and QoS 1 From Policy Manager, select Setup > Global Settings. The Global Settings dialog box appears. 2 Configure the different categories of global settings as shown in the sections below. Defining ICMP error handling global settings Internet Control Message Protocol (ICMP) controls errors during connections. It is used for two types of operations: • To tell client hosts about error conditions. • To probe a network to find general characteristics about the network. The Firebox sends an ICMP error message each time an event occurs that matches one of the parameters you selected. These messages are good troubleshooting tools, but can also decrease security by exposing information about your network. If you deny these ICMP messages, you can increase security by preventing network probes, but this can also cause timeout delays for incomplete connections, User Guide 79 Using Global Settings which can cause application problems. The global ICMP error handling parameters and their descriptions are: Fragmentation Req (PMTU) Select this check box to allow ICMP Fragmentation Req messages. The Firebox uses these messages to find the MTU path. Time Exceeded Select this check box to allow ICMP Time Exceeded messages. A router usually sends these messages when a route loop occurs. Network Unreachable Select this check box to allow ICMP Network Unreachable messages. A router usually sends these messages when a network link is broken. Host Unreachable Select this check box to allow ICMP Host Unreachable messages. Your network usually sends these messages when it cannot use a host or service. Port Unreachable Select this check box to allow ICMP Port Unreachable messages. A host or firewall usually sends these messages when a network service is not available or is not allowed. Protocol Unreachable Select this check box to allow ICMP Protocol Unreachable messages. Enabling TCP SYN checking TCP SYN checking makes sure that the TCP three-way handshake is done before the Firebox allows a data connection. Defining TCP maximum segment size adjustment global settings The TCP segment can be set to a specified size for a connection that must have more TCP/IP layer 3 overhead (such as PPPoE, ESP, AH, and so on). If this size is not correctly configured, users cannot get access to some web sites. The global TCP maximum segment size adjustment settings are: Auto Adjustment The Firebox examines all maximum segment size (MSS) negotiations and changes the MSS value to the applicable one. No Adjustment The Firebox does not change the MSS value. Limit to You set a size adjustment limit. Disabling Traffic Management and QoS To disable these features, select the Disable all traffic management and QoS features check box. You might want to disable these features if you do performance testing or network debugging. 80 WatchGuard System Manager Using Global VPN Settings Using Global VPN Settings You can select settings that apply to manual BOVPN tunnels, managed BOVPN tunnels, and MUVPN tunnels: 1 From Policy Manager, select VPN > VPN Settings. The VPN Settings dialog box appears. 2 Consider the settings explained below for your VPN tunnels. Enable IPSec Pass-through For a user to make IPSec connections to a Firebox® behind a different Firebox, you must keep the Enable IPSec Pass-through check box selected to enable the IPSec pass-through feature. For example, if mobile employees are at a customer location that has a Firebox, they can use IPSec to make IPSec connections to their network. For the local Firebox to correctly allow the outgoing IPSec connection, you must also add an IPSec policy to Policy Manager. When you specify or define a Phase 2 transform and plan to use the IPSec pass-through feature, you must specify ESP (Encapsulating Security Payload) as the proposal method. IPSec pass-through supports ESP but not AH (Authentication Header). For information on how to define a Phase 2 transform, see “Adding a Phase 2 proposal” on page 341. When you enable IPSec pass-through, a policy called WatchGuard IPSec is automatically added to Policy Manager. The policy allows traffic from Any-Trusted and Any-Optional, and the destination is set to Any. When you disable IPSec pass-through, the WatchGuard® IPSec policy is automatically deleted. Enable TOS for IPSec The Type of Service (TOS) bits are a set of four-bit flags in the IP header that can tell routing devices to give an IP datagram more or less priority than other datagrams. Fireware® gives you the option to allow IPSec tunnels to clear or maintain the settings on TOS-flagged packets. Some ISPs drop all packets that have TOS flags set. If you do not select the Enable TOS for IPSec check box, all IPSec packets have no TOS bits set. If the TOS bits were set before, when Fireware encapsulates the packet in an IPSec header, the TOS bits are cleared. When the Enable TOS for IPSec check box is selected, if the original packet has TOS bits set, then Fireware keeps the TOS bits set when it encapsulates the packet in an IPSec header. If the original packet does not have the TOS bits set, Fireware does not set the TOS bits when it encapsulates the packet in an IPSec header. User Guide 81 Creating Schedules Consider the setting of this check box if you want to apply QoS marking to IPsec traffic. QoS marking can involve the setting of the TOS bit. For more information on QoS marking, see “About QoS Marking” on page 456. Enable LDAP server for certificate verification When you create a VPN gateway, you specify a credential method for the two VPN endpoints to use when the tunnel is created. If you choose to use an IPSec Firebox certificate, you can identify an LDAP server to use to validate the certificate. Type the IP address for the LDAP server. You can also specify a port if you want to use a port other than 389. Creating Schedules You can use schedules to automate some Firebox® actions such as WebBlocker tasks. You can create a schedule for all days of the week, or create a different schedule for each day of the week. You can then use these schedules in policies that you create. For information on how to use schedules in policies, see the “Policies” chapter. 1 From Policy Manager, select Setup > Actions > Schedules. The Schedules dialog box appears. 2 Click Add. The New Schedule dialog box appears. 82 WatchGuard System Manager Managing a Firebox from a Remote Location 3 Type a schedule name and description. The schedule name appears in the Schedules dialog box. Make sure that the name is easy to remember. 4 From the Mode drop-down list, select the time increment for the schedule: one hour, 30 minutes, or 15 minutes. The chart on the left of the New Schedule dialog box shows your entry in the drop-down list. 5 The chart in the dialog box shows days of the week along the x-axis (horizontal) and increments of the day on the y-axis (vertical). Click boxes in the chart to change them between operational hours (when the policy is active) and non-operational hours (when the policy is not in effect). 6 Click OK to close the New Schedule dialog box. Click Close to close the Schedules dialog box. To edit a schedule, select the schedule name in the Schedule dialog box and click Edit. To create a new schedule from an existing one, select the schedule name and click Clone. Managing a Firebox from a Remote Location When you configure a Firebox® with the Quick Setup Wizard, a policy is created automatically that allows you to connect to and administer the Firebox from any computer on the trusted or optional networks. If you want to manage the Firebox from a remote location (any location external to the Firebox), then you must change your configuration to allow administrative connections from your remote location. The policy that controls administrative connections to the Firebox itself is called the WatchGuard® policy in Policy Manager. This policy controls access to the Firebox on these four TCP ports: 4103, 4105, 4117, 4118. When you allow connections in the WatchGuard policy, you allow connections to each of these four ports. Before you change a policy to allow connections to the Firebox from a computer external to your network, it is a good idea to consider the use of user authentication to restrict connections to the Firebox. It is also a good idea to restrict access from the external network to the smallest number of computers User Guide 83 Managing a Firebox from a Remote Location possible. For example, it is more secure to allow connections from a single computer than it is to allow connections from the alias “Any-External”. 1 From Policy Manager, double-click on the WatchGuard policy. You can also right-click the WatchGuard policy and select Edit. The Edit Policy Properties dialog box appears. 2 Below the From list, click Add. The Add Address dialog box appears. 3 84 To enter the IP address of the external computer that connects to the Firebox, click Add Other. Make sure Host IP is the selected type, and type the IP address. WatchGuard System Manager Managing a Firebox from a Remote Location To add a user name, from the Add Address dialog box, click Add User. The Add Authorized Users or Groups dialog box appears. For information on how to use this dialog box, see “If you want to add an authorized user or group to the alias” on page 78. User Guide 85 Managing a Firebox from a Remote Location 86 WatchGuard System Manager 7 Logging and Notification An event is one activity that occurs at the Firebox®. For example, denying a packet from going through the Firebox is an event. Logging is the recording of these events to a log host. A notification is a message sent to the administrator by the Firebox when an event occurs that is a possible security threat. Notification can be an email message or a pop-up window, or sent by way of an SNMP trap. For example, WatchGuard® recommends that you configure default packet handling to send a notification when the Firebox finds a port space probe. When this occurs, the log host sends notification to the network security administrator about the rejected packets. The network security administrator can examine the log files and make decisions about how to add more security to the organization’s network. Some possible changes are: • Block the ports on which the probe was used • Block the IP address that is sending the packets • Tell the ISP through which the packets are being sent Logging and notification are important to a good network security policy. Together, they make it possible to monitor your network security, identify attacks and attackers, and address security threats and challenges. Setting Up the Log Server The Log Server collects logs from each WatchGuard® Firebox® managed by WatchGuard System Manager. You can install the Log Server on the computer you are using as a management station. Or, you can install the Log Server software on a different computer using the WatchGuard System Manager installation program and selecting to install only the Log Server component. You can also add additional Log Servers for backup. If you install the Management Server, Log Server, Quarantine Server, or WebBlocker Server on a computer with a firewall other than Windows Firewall, you must open the ports necessary for the servers to connect User Guide 87 Setting Up the Log Server through the firewall. Windows Firewall users do not have to change their configuration. See “Installing WatchGuard Servers on computers with desktop firewalls” on page 19 for more information. 1 On the computer that has the Log Server software installed, select the Log Server icon from the WatchGuard toolbar. If the WatchGuard toolbar does not appear, right-click in the system tray and select Toolbars > WatchGuard. The Log Server Configuration wizard starts. 2 Type the encryption key to use for the secure connection between the Firebox and the Log Servers. The allowed range for the encryption key is 8–32 characters. You can use all characters but spaces and slashes (/ or \). 3 Confirm the encryption key. 4 Select a directory to keep all logs, reports, and report definition files. We recommend that you use the default location. 5 Click OK. 6 Click Start > Control Panel. Go to Power Options. Select the Hibernate tab and disable hibernation. This is to prevent the Log Server from shutting down when the computer hibernates. 7 Make sure the Log Server and the Firebox are set to the same system time. For information on setting system time, see the “Basic Firebox Administration” chapter. Changing the Log Server encryption key To change the encryption key on the Log Server: 88 1 Right-click the Log Server icon on the WatchGuard toolbar and select Status/Configuration. 2 Select File > Set Log Encryption Key. WatchGuard System Manager Setting up the Firebox for a Designated Log Server 3 Type the new log encryption key two times. 4 In Policy Manager, select Setup > Logging. 5 Find the Log Server for which you want to change the encryption key in the Log Server list and click Configure. Click on the Log Server name or IP address and click Edit. 6 Type and confirm the new log encryption key you want to use for this Log Server. 7 Click OK and save your changes to the Firebox. Setting up the Firebox for a Designated Log Server It is recommended that you have more than one Log Server to use WatchGuard® System Manager. You can select a different primary Log Server and one or more backup Log Servers. 1 From Policy Manager, select Setup > Logging. The Logging Setup dialog box appears. 2 Select the Log Server or servers you want to use. Click the Send log messages to the Log Servers at these IP addresses check box. Adding a Log Server for a Firebox 1 From Policy Manager, select Setup > Logging. The Logging Setup dialog box appears. User Guide 89 Setting up the Firebox for a Designated Log Server 2 Click Configure. Click Add. The Add Event Processor dialog box appears. 3 In the Log Server Address box, type the IP address of the Log Server you want to use. 4 In the Encryption Key and Confirm text boxes, type the Log Server encryption key that you set when you used the Log Server Configuration Wizard. The allowed range for the encryption key is 8–32 characters. You can use all characters but spaces and slashes (/ or \). 5 Click OK. Click OK to close the Configure Log Servers dialog box. Click OK to close the Logging Setup dialog box. 6 Save the changes to the Firebox® to begin logging. You can verify that the Firebox is logging correctly. From WSM, select Tools > Firebox System Manager. In the Detail section on the left, next to Log Server, you should see the IP address of the log host. Setting Log Server priority If the Firebox cannot connect to the Log Server with the highest priority, it connects to the subsequent Log Server in the priority list. If the Firebox examines each Log Server in the list and cannot connect, it tries to connect to the first Log Server in the list again. You can create a priority list for Log Servers. 1 From Policy Manager, select Setup > Logging. The Logging Setup dialog box appears. 2 Click Configure. The Configure Log Servers dialog box appears. 3 Select a Log Server from the list in the Configure Log Servers dialog box. Use the Up and Down buttons to change the order. Activating syslog logging Syslog is a log interface developed for UNIX but also used by a number of computer systems. You can configure the Firebox to send log information to a syslog server. A Firebox can send log messages to a Log Server and a syslog server at the same time, or send log messages to one or the other. Syslog log messages are not encrypted. We recommend that you do not select a host on the external interface. 1 From Policy Manager, select Setup > Logging. The Logging Setup dialog box appears. 2 Select the Send Log Messages to the Syslog server at this IP address check box. 3 In the address box, type the IP address of the syslog server. 4 Click Configure. The Configure Syslog dialog box appears. 90 WatchGuard System Manager Setting up the Firebox for a Designated Log Server 5 For each type of log message, select the syslog facility to which you want it assigned. For information on types of log messages, see “Types of log messages” on page 98. The syslog facility refers to one of the fields in the syslog packet and to the file syslog sends a log message to. You can use Local0 for high priority syslog messages, such as alarms. You can use Local1- Local 7 to assign priorities for other types of log messages (with lower numbers having greater priority). See your syslog documentation for more information on logging facilities. 6 Click OK. Click OK to close the Logging Setup dialog box. 7 Save your changes to the Firebox. Enabling advanced diagnostics You can select the level of diagnostic logging to write to your log file or to Traffic Monitor. We do not recommend that you set the logging level to the highest level unless a technical support representative tells you to while you troubleshoot a problem. It can cause the log file to fill up very quickly. It can also create a high load on the Firebox. 1 From Policy Manager, select Setup > Logging. The Logging Setup dialog box appears. User Guide 91 Setting up the Firebox for a Designated Log Server 2 Click Advanced Diagnostics. The Advanced Diagnostics dialog box appears. 3 Select a category from the category list. A description of the category appears in the Description box. 4 Use the slider below Settings to set the level of information that a log of each category includes in its log message. When the lowest level is set, diagnostic messages for that category are turned off. When the highest level is set, you can set the detail level for the diagnostic log messages. 5 To show diagnostic messages in Traffic Manager, select the Display diagnostic messages in Traffic Monitor check box. This can be useful to quickly diagnose a problem. Diagnostic messages can be sent to Traffic Monitor for all categories except the Policy Management Module (PMM). Messages for the Policy Management Module are sent to the log file only and cannot be seen in Traffic Monitor. 6 To have the Firebox collect a packet trace for IKE packets, select the Enable IKE packet tracing to Firebox internal storage check box. To see the packet trace information the Firebox collects, start Firebox System Manager and click the Status tab. Click Support to have Firebox System Manager get the packet trace information from the Firebox. 7 Remember to turn off diagnostic logging when done. Disabling performance statistic logging By default, the Firebox sends log messages about external interface performance and VPN bandwidth statistics to your log file. To disable this type of log message: 1 From Policy Manager, select Setup > Logging. The Logging Setup dialog box appears. 2 Click Performance Statistics. The Performance Statistics dialog box appears. 92 WatchGuard System Manager Setting Global Logging and Notification Preferences 3 Clear the External interface and VPN bandwidth statistics check box. 4 Click OK. Save the changes in your configuration to the Firebox. Starting and stopping the Log Server You can manually stop or start the Log Server: • To start the Log Server, right-click the Log Server icon on the toolbar and select Start Service. • To stop the Log Server, right-click the Log Server icon on the toolbar and select Stop Service. Setting Global Logging and Notification Preferences To see the Log Server status and configuration, click the Log Server icon on the WatchGuard® toolbar and select Status/Configuration. The status and configuration information appears. There are three control areas: Log Files tab To set the options for rolling your log file. Reports tab To schedule regular reports of log entries. Notification tab To configure email notification. Together, these controls set the general configuration for events and notifications. Log file size and rollover frequency You can control the log rollover by size or by time. When this rollover occurs, the Log Server closes the current log file and opens a new log file. The closed log file can be used for reports. Copy or move it to a different location to save it for archives. To find the best rollover size for your company, you must look at: • Storage space that is available • Number of days you want available • Size that is best to keep, open, and view • Number of event types that are recorded For example, a small company can get 10,000 entries in two weeks, and a large company with many policies enabled can easily have 100,000 entries in a day. • Traffic on the Firebox® User Guide 93 Setting Global Logging and Notification Preferences Number of reports to create To create a weekly report, it is necessary to have eight or more days of data. This data can be found in more than one log file, if the log files are in the same location. • We recommend that you monitor the new log files and adjust the configuration as necessary. Setting when log files rollover You can control when the log files rollover in the Log Files tab in the Log Server configuration interface. You also can manually start a rollover of the current log file. To do this, select File > Roll current log file from the Status/Configuration window. 1 To set when log files rollover, click the Log Files tab. 2 To roll the log file on a time interval, select the Roll Log Files By Time Interval check box. Set the time interval. From the Next Log Roll is Scheduled For drop-down list, select a date when the log file rolls. 3 To roll the log file based on the size of the log file, select the Roll Log Files By File Size check box. Type the maximum size for the log file before the file rolls, or use the spin control to set the number. 4 Click Save Changes or Close. The Log Server interface closes and saves your entries. The new configuration starts immediately. The Log Server restarts automatically. 94 WatchGuard System Manager Setting Global Logging and Notification Preferences Scheduling automated reports If you have created network activity reports using Historical Reports, you can schedule the Log Server component to automate the reports. You first must create a report in Historical Reports, or it does not appear in the Log Server interface. 1 Click the Reports tab. 2 Use the radio buttons to set the time interval for reports: daily, weekly, first day of the month, or at a custom time. 3 From the Next Scheduled Report drop-down list, select a date and time for the subsequent scheduled report. 4 Click Save Changes or Close. The Log Server interface closes and saves your entries. The new configuration starts immediately. The Log Server restarts automatically. Controlling notification You can configure the Firebox to send an email message when a specified event occurs. Use the Notification tab to configure the destination email address. 1 Click the Notification tab. 2 Type the email address and the mail host for notification email messages. Notification email messages have the format [friendly_name]@[domain_name] User Guide 95 Setting Logging and Notification Preferences in Policy Manager Where: friendly_name = the Firebox friendly name. (For information on how to set or change this, see “Setting a Friendly Name and Time Zone” on page 65.) domain_name = the name in the Mail Host field on this dialog box. Consider changing the default values. If the logging host does not resolve to an FQDN, and the receiving MX server does reverse lookups, the email might be discarded. 3 Click Test Email to send a test email to the email address specified. 4 Click Save Changes or Close. The Log Server interface closes and saves your entries. The new configuration starts immediately. The Log Server restarts automatically. Setting Logging and Notification Preferences in Policy Manager The settings for logging and notification are similar throughout all proxy and default packet handling definitions in Policy Manager, although not all of these definitions support all possible options. For each definition, most or all of the fields described below are available. Send log message When you select this check box, the Firebox® sends a log message when an event occurs. Send SNMP trap When you select this check box, the Firebox sends an event notification to the SNMP management system. Simple Network Management Protocol (SNMP) is a set of tools for monitoring and managing networks. An SNMP trap is an event notification the Firebox sends to the SNMP management system when a specified condition occurs. If you want to enable SNMP traps, you must select Setup > SNMP to configure SNMP parameters for your Firebox. Or, if you select the Send SNMP Trap check box and you have not yet configured SNMP, a dialog box appears and asks you if you want to do this. Click Yes to go to the SNMP Settings dialog box. For more information on the settings in the SNMP Settings dialog box, see “Working with SNMP” on page 65. 96 WatchGuard System Manager Logging and Notification in Proxy Definitions Send notification When you enable this check box, the Firebox sends a notification when a packet is denied because of your blocked port configuration. You can configure the Firebox to do one of these actions: • Email: The Log Server sends an email message when the event occurs. Set the email address in the Notification tab of the Log Server user interface. Notification email messages have the format [friendly_name]@[domain_name] Where: - friendly_name = the Firebox friendly name. (For information on how to set or change this, see “Setting a Friendly Name and Time Zone” on page 65.) - domain_name = the name in the Mail Host field on this dialog box. • Pop-up Window: The Firebox makes a dialog box appear on the management station when the event occurs. Setting Launch Interval and Repeat Count You can control the time of the notification, together with the Repeat Count, as follows: Launch Interval The minimum time (in minutes) between different notifications. This parameter prevents more than one notification in a short time for the same event. Repeat Count This counts how frequently an event occurs. When this gets to the selected value, a special repeat notifier starts. This notifier makes a repeat log entry about that specified notification. Notification starts again after this number of events. Here is an example of how to use these two values. The values are configured as: • Launch interval = 5 minutes • Repeat count = 4 A port space probe starts at 10:00 a.m. and continues each minute. This starts the logging and notification mechanisms. These are the times and the actions that occur: 1 10:00—Initial port space probe (first event) 2 10:01—First notification starts (one event) 3 10:06—Second notification starts (reports five events) 4 10:11—Third notification starts (reports five events) 5 10:16—Fourth notification starts (reports five events) The launch interval controls the time intervals between the events 1, 2, 3, 4, and 5. This was set to 5 minutes. Multiply the repeat count by the launch interval. This is the time interval an event must continue to start the repeat notifier. Logging and Notification in Proxy Definitions An alarm, log message, or notification is a mechanism to tell a network administrator about network traffic that does not match the criteria for allowed traffic. For example, if traffic is greater than a threshold value, you can configure the Firebox® to send an email message. You can set alarm, log message, and notification properties for each packet filter and proxy policy. User Guide 97 About Log Messages Configuring log messages and notification for a proxy policy 1 Double-click the policy icon to open the Policy Properties dialog box. 2 Click the Properties tab. Click Logging. The Logging and Notification dialog box appears. 3 Set the parameters to match your security policy. For information on the Logging and Notification dialog box, see “Setting Logging and Notification Preferences in Policy Manager” on page 96. Configuring log messages and alarms for a proxy rule 1 Double-click the policy icon to open the Edit Policy Properties dialog box. 2 Click the Properties tab. From the Proxy Action drop-down list, select the proxy action to configure. Click the View/Edit icon directly to the right of the drop-down list. 3 Select Proxy and AV Alarms from the Category list. For more information about these parameters, see “Setting Logging and Notification Preferences in Policy Manager” on page 96. About Log Messages WatchGuard® System Manager includes strong and flexible log message tools. An important feature of a good network security policy is to gather messages from your security systems, to examine those records frequently, and to keep them in an archive. You can use logs to monitor your network security and activity, identify any security risks, and address them. The WatchGuard® Firebox® X Core and Firebox X Peak send log messages to the Log Server. They also can send log messages to a syslog server or keep logs locally on the Firebox. You can choose to send logs to either or both of these locations. You can use Firebox System Manager to log messages in the Traffic Monitor tab. For more information, see the “Firebox Status Monitoring” chapter. You also can examine log messages with LogViewer. The log messages are kept in an XML file with a .wgl.xml extension in the WatchGuard directory on the Log Server. To learn more about the format of log messages, see the “Log Messages” chapter in the Reference Guide. Types of log messages The Firebox sends four types of log messages. The type appears in the text of the message. The four types of log messages are: • Traffic • Alarm • Event • Diagnostic Traffic log messages The Firebox sends traffic log messages as it applies packet filter and proxy rules to traffic that goes through the Firebox. Alarm log messages 98 WatchGuard System Manager About Log Messages Alarm log messages are sent when an event occurs that triggers the Firebox to do a command. When the alarm condition is matched, the Firebox sends an Alarm log message to the Traffic Monitor and Log Server and then it does the specified action. You can set some alarm log messages. For example, you can use Policy Manager to configure an alarm to occur when a specified value matches or is more than a threshold. Other alarm log messages are set by the appliance software, and you cannot change the value. For example, the Firebox sends an alarm log message when a network connection on one of the Firebox interfaces fails or when a Denial of Service attack occurs. For more information about alarm log messages, see the Reference Guide. There are eight categories of alarm log messages: System, IPS, AV, Policy, Proxy, Counter, Denial of Service, and Traffic. The Firebox does not send more than 10 alarms in 15 minutes for the same conditions. Event log messages The Firebox sends event log messages because of user activity. Actions that can cause the Firebox to send an event log message include: • Firebox start up and shut down • Firebox and VPN authentication • Process start up and shut down • Problems with the Firebox hardware components • Any task done by the Firebox administrator Diagnostic log messages Diagnostic log messages include information that you can use to help troubleshoot problems. There are 27 different product components that can send diagnostic log messages. You can select whether the diagnostic log messages appear in Traffic Monitor, as described in “Enabling advanced diagnostics” on page 91. Log file names and locations The Firebox sends log messages to a primary or backup Log Server. The default location for the log file is My Documents > My WatchGuard > Shared WatchGuard > logs. The name of the log file shows: • If the Firebox has a name, the format of the log file name is FireboxName-date.wgl.xml. • If the Firebox does not have a name, the name of the log files is FireboxIP-date.wgl.xml. Consolidating log files You can put together two or more log files into one file. You can then use this file in Historical Reports, LogViewer, or some other tool to examine log data for an extended time interval. To merge more than one log file into one file: • The log files must be from the same Firebox. • The log messages in the files must be in date and time order. • The log files must have been created with the same appliance software. You cannot merge a log file created with WFS appliance software with a log file created with Fireware® appliance software, even if they are from the same Firebox. User Guide 99 About Log Messages Right-click the Log Server icon on your Windows toolbar and select Merge Log Files. Or, from the Log Server Status/Configuration interface: 1 Click File > Merge log files. The Merge Logfiles dialog box appears. 2 Click Browse to find the files to put together. 3 Click Merge. The log files are put together and saved to a new file in the specified directory. Updating .wgl log files to .xml format When you migrate from an earlier version of WatchGuard® System Manager that you use with WFS appliance software to a version of WatchGuard System Manager that you use with Fireware® appliance software, you can convert log files from .wgl to .xml format. This is also helpful if you manage a mixed network with different versions of WSM. After converting, you can use LogViewer or report tools on log files created with WatchGuard Management System 7.3 or earlier. To help you understand the new log structure, or to integrate .xml-format logs into a third-party application, see the Logging section of the product FAQs available at: www.watchguard.com/support/faqs/fireware/ One FAQ gives an XML schema and Document Type Definition (DTD) for the WSM WatchGuard log file. These base schema and DTD files are meant as general reference information only. When you convert a log file from .wgl to .xml: • The XML file is usually smaller than the .wgl file. • If you open the new XML file in an XML editor, you can see some duplicate entries. This is a function of the way Historical Reports made reports in WSM 7.3 and earlier. It does not cause problems in LogViewer or in Historical Reports for WSM used with Fireware. To convert a log file from .wgl to .xml: 1 Right-click the Log Server icon on your Windows desktop tray and select Merge Log Files. The Merge Logfiles dialog box appears. This dialog box controls merges, and also updates, of log files. 100 WatchGuard System Manager Using LogViewer 2 Click Browse to find the location of the logfile.wgl to convert to XML. If you select more than one log file at one time, the utility converts all of the files you select and puts them together into one file. The new file has an .xml format. 3 Click Merge. The utility converts the log file and saves it to the specified folder. Using LogViewer LogViewer is the WatchGuard® System Manager tool you use to see the log file data. It can show the log data page by page, or search and display by key words or specified log fields. 1 Click the LogViewer icon on the WatchGuard System Manager toolbar or from WatchGuard System Manager, select Tools > Logs > LogViewer. 2 From LogViewer, select File > Open or click the Open File icon on the LogViewer toolbar. The default location of the logs is My Documents > My WatchGuard > Shared Watchguard > logs. User Guide 101 Using LogViewer 3 Browse to find the log file and click Open. LogViewer shows the log file you selected. A sample appears below. LogViewer settings You can adjust the content and the format of the LogViewer window. 1 From LogViewer, select View > Settings. The Settings dialog box appears. 2 102 The Settings dialog box has five tabs, each with the same fields. Use these tabs to set properties for the four types of messages that appear in log files: Alarms, Traffic, Event, and Diagnostic. WatchGuard System Manager Using LogViewer Show Logs in Color You can set the messages to appear in different colors based on the type of log message. If color is not enabled, log messages appear as white text on a black background. Show Columns For each type of log message, you can select which columns to show in the LogViewer window. Select the check box adjacent to each field to make it appear. Text Color Click Text Color to set the color for each type of log message. Background Color You can set the background color. If the background and text are the same color, you cannot see the text. Restore Defaults Click to set the format of the log messages to the default colors. Sample Shows a sample log message with format changes. Show traffic logs This check box is on each tab. If the check box is selected on a tab, the log messages for that type of log are included in the LogViewer display. To clear one type of log message from the display, clear the check box on the tab that matches the log type. Creating a search rule You can create rules to search through the data shown in LogViewer. 1 Select Edit > Find (or click the icon with the magnifying glass on it). The Find dialog box appears. 2 User Guide Use the Log Type drop-down list to select the type of log message to apply the search rule to. You can select: Traffic, Event, Alarm, Debug, or All. 103 Using LogViewer 3 Click on the Field column header and select Add. The Add Search Rule dialog box appears. 4 In the Choose Field drop-down list, select the field to search. 5 In the Enter Value text box, type the text or value to search for. 6 If the text you typed in the Enter Value text box is case-sensitive, select the Case sensitive check box. To find only entries that match the value precisely, select the Match exact string only check box. 7 Click OK. Searching in LogViewer After you make a search rule, you can use it to search the data shown in LogViewer. 1 Use the Log Type drop-down list to select which type of log messages appears in the window. 2 Use the Display Results drop-down list to select the method to show the results of the search. The options are: - Highlight in main window — The LogViewer window shows the same log message set, but changes the color of log messages that match the criteria. Use the F3 key to move through specified entries. - Main window — Only the log messages that match the search criteria appear in the primary LogViewer window. - New window - A new window opens to show log messages that match the search criteria. 3 Select from the options: - Match any — Show log messages that match any of the search criteria. - Match all — Show only log messages that match all of the search criteria. 4 104 Click OK to start the search. WatchGuard System Manager Using LogViewer Viewing the current log file in LogViewer You can open the current log file in LogViewer to examine the logs as they are written to the log file. LogViewer automatically updates its display with new log messages at 15-second intervals. If you have a LogViewer search window open with the current log file, it also updates every 15 seconds. Copying LogViewer data You can copy log file data from LogViewer to a different tool. Use copy to move specified log messages to a different tool. 1 Select the log messages to copy. Use the Shift key to select a group of entries. Use the Ctrl key to select more than one entry. 2 Select Edit > Copy. 3 Paste the data into any text editor. User Guide 105 Using LogViewer 106 WatchGuard System Manager 8 Network Setup and Configuration When you install the Firebox® in your network and complete the Quick Setup Wizard, you have a basic configuration file. You then use Policy Manager to make a new configuration file or to change the one you made with the Quick Setup Wizard. If you are new to network security, we recommend that you read through all the procedures in this chapter to make sure you configure all the components of your network. In this chapter, you learn how to use Policy Manager to: • Configure the Firebox interfaces • Add a secondary network • Add DNS and WINS server information • Configure Dynamic DNS • Configure network and host routes • Set Firebox interface speed and duplex • Configure VLANs User Guide 107 Configuring Firebox Interfaces Configuring Firebox Interfaces 1 From Policy Manager, select Network > Configuration. The Network Configuration dialog box appears. 108 WatchGuard System Manager Configuring Firebox Interfaces 2 Select the interface you want to configure. Click Configure. The Interface Settings dialog box appears. 3 In the Interface Name (Alias) field, you can retain the default name or change it to one that more closely reflects your own network and its own trust relationships. Make sure the name is unique among interface names as well as all MUVPN group names and tunnel names. 4 (Optional) Enter a description of the interface in the Interface Description field. 5 In the Interface Type field, you can change the interface type from its default value. 6 You can change the interface IP address. Type the IP address in slash notation. When you type an IP address, type all the numbers and the periods. Do not use the TAB or arrow key. 7 If you are configuring a trusted or optional interface, select Disable DHCP, Use DHCP Server, or Use DHCP Relay. See “Configuring the Firebox as a DHCP server” for the DHCP server option, and see “Configuring a DHCP relay” on page 110 for the DHCP relay option. If you are configuring the external interface, see “Configuring the external interface” on page 110. 8 Click OK. User Guide 109 Configuring Firebox Interfaces Configuring the Firebox as a DHCP server Dynamic Host Configuration Protocol (DHCP) is an Internet protocol that makes it easier to control a large network. A computer you configure as the DHCP server automatically gives IP addresses to the computers on your network. You set the range of addresses. You can configure the Firebox® as a DHCP server for networks behind the Firebox. If you have a configured DHCP server, we recommend that you continue to use that server for DHCP. 1 Select Network > Configuration. The Network Configuration dialog box appears. 2 Select the trusted or an optional interface. 3 Click Configure and select the Use DHCP Server check box. 4 Add an address pool. Click Add next to the Address Pool box and specify starting and ending IP addresses on the same subnet. Click OK. The address pool must belong either to the interface’s primary or secondary IP subnet. You can configure a maximum of six address ranges. 5 To reserve a specific IP address for a client, click Add next to the Reserved Addresses box. Enter a name for the reservation, the IP address you want to reserve, and the MAC address of the client’s network card. Click OK. 6 By default, the Firebox gives out the DNS server information configured on the Network Configuration > WINS/DNS tab when it is configured as a DHCP server. If you want, you can specify a different DNS server for the Firebox to assign when it gives out IP addresses. Click Add next to the DNS servers box to add the IP address of the DNS server you want the Firebox to use. 7 Use the arrow buttons to change the Default Lease Time. This is the time interval that a DHCP client can use an IP address that it receives from the DHCP server. When the time is near its limit, the client sends data to the DHCP server to get a new lease. Configuring a DHCP relay One method to get IP addresses for the computers on the Firebox trusted network or on an optional network is to use a DHCP server on a different network. The Firebox can send a DHCP request to a DHCP server at a different location than the DHCP client. When the Firebox gets the reply, it sends it to the computers on the Firebox trusted or optional network. 1 Select Network > Configuration. The Network Configuration dialog box appears. 2 Select the trusted or an optional interface. 3 Click Configure and click Use DHCP Relay. 4 Type the IP address of the DHCP server in the related field. Make sure to add a route to the DHCP server, if necessary. 5 Click OK and save your changes to the Firebox. Configuring the external interface The external interface can have a static or dynamic IP address. The Firebox can get a dynamic IP address for the external interface with Dynamic Host Configuration Protocol (DHCP) or PPPoE (Pointto-Point Protocol over Ethernet). With DHCP, the Firebox uses a DHCP server that is controlled by your Internet Service Provider (ISP) to get an IP address, gateway, and netmask. With PPPoE, the Firebox 110 WatchGuard System Manager Configuring Firebox Interfaces makes a PPPoE protocol connection to the PPPoE server of your ISP. Fireware® supports unnumbered and static PPPoE. 1 Select Network > Configuration. The Network Configuration dialog box appears. 2 Select an external interface. Click Configure. Using a static IP address 1 From the Interface Settings dialog box, select Static. 2 Type the IP address of the interface. 3 Type the IP address of the default gateway. 4 Click OK. Using PPPoE Some ISPs assign their IP addresses through Point-to-Point Protocol over Ethernet (PPPoE). PPPoE expands a standard dial-up connection to add some of the features of Ethernet and PPP. This system allows the ISP to use the billing, authentication, and security systems of their dial-up infrastructure with DSL modem and cable modem products. If your ISP uses PPPoE, you must enter the PPPoE information into your Firebox before it can send traffic through the external interface. 1 From the Interface Settings dialog box, select PPPoE. 2 Select one of the two options: - Get an IP address automatically - Use IP address (supplied by your Internet Service Provider) 3 If you selected Use IP Address, enter the IP address in the text box to the right. 4 Type the User Name and Password. You must type the password two times. Frequently, ISPs use the email address format for user names, such as [email protected]. User Guide 111 Configuring Firebox Interfaces 5 Click Advanced Properties to configure PPPoE parameters. The PPPoE Properties dialog box appears. Your ISP can tell you if it is necessary to change the timeout or LCP values. 6 Use the radio buttons to select when the Firebox connects with the PPPoE server. - Always On — The Firebox keeps a constant PPPoE connection. It is not necessary that network traffic go through the external interface. - Dial-on-Demand — The Firebox connects to the PPPoE server only when it gets a request to send traffic to an IP address on the external interface. If your ISP regularly resets the connection, select Dial-on-Demand. If you do not select Dial-on-Demand, you must manually restart the Firebox each time the connection resets. If you selected Always On, in the PPPoE Initialization Retry Interval field, use the arrows to set the number of seconds that PPPoE tries to initialize before it times out. If you selected Dial-on-Demand, in the Idle Timeout in field, set the length of time the user can stay connected when idle (not passing any traffic to the external network). 7 In the LCP echo failure in field, use the arrows to set the number of failed LCP echo requests allowed before the PPPoE connection is considered inactive and closed. 8 In the LCP echo timeout in field, use the arrows to set the length of time, in seconds, that the response to each echo timeout must be received. 9 In the Service Name field, type a PPPoE service name. This is either an ISP name or a class of service that is configured on the PPPoE server. Usually, this option is not used. Use this field only if there is more than one access concentrator or you know that you must use a specified service name. 10 In the Access Concentrator Name field, enter the name of a PPPoE access concentrator, also known as a PPPoE server. Usually, this option is not used. Use it only if you know there is more than one access concentrator. Using DHCP 1 112 From the Interface Settings dialog box, select Use DHCP Client. WatchGuard System Manager Adding Secondary Networks 2 If your DHCP server makes you use an optional identifier in your DHCP exchange, type this identifier in the Host Name text box. 3 Under Host IP, select the Obtain an IP automatically radio button if you want DHCP to assign an IP address to the Firebox. If you want to manually assign an IP address and use DHCP just to give this assigned address to the Firebox, select the Use IP address radio button and enter the IP address in the adjacent field. 4 IP addresses assigned by a DHCP server have a one-day lease, which means the address is valid for one day. If you want to change the leasing time, select the Leasing Time check box and select the value in the field adjacent to the check box. Adding Secondary Networks A secondary network is a network that shares one of the same physical networks as one of the Firebox® interfaces. When you add a secondary network, you make (or add) an IP alias to the interface. This IP alias is the default gateway for all the computers on the secondary network. The secondary network tells the Firebox that there is one more network on the Firebox interface. If your Firebox is configured with a static IP address, you can add an IP address on the same subnet as your primary external interface as a secondary network. You can then configure static NAT for more than one of the same type of server. For example, configure an external secondary network with a second public IP address if you have two public SMTP servers and you want to configure a static NAT rule for each. To use Policy Manager to configure a secondary network: 1 Select Network > Configuration. The Network Configuration dialog box appears. 2 Select the interface for the secondary network and click Configure. The Interface Settings dialog box appears. User Guide 113 Adding WINS and DNS Server Addresses 3 Select the Secondary tab. 4 Click Add. Type an unassigned IP address from the secondary network. When you type IP addresses, type all the numbers and the stops. Do not use the TAB or arrow key. 5 Click OK. Click OK again. Be careful to add secondary network addresses correctly. Policy Manager does not tell you if the address is correct. We recommend that you do not create a subnet as a secondary network on one interface that is a component of a larger network on a different interface. If you do this, spoofing can occur and the network cannot operate correctly. Adding WINS and DNS Server Addresses A number of the features of the Firebox® have shared Windows Internet Name Server (WINS) and Domain Name System (DNS) server IP addresses. These features include DHCP and Remote User VPN (RUVPN). Access to these servers must be available from the trusted interface of the Firebox. This information is used for two purposes: 114 • The Firebox uses the DNS server shown here to resolve names to IP addresses for IPSec VPNs and for the spamBlocker, Gateway AV, and IPS features to operate correctly. • The WINS and DNS entries are used by DHCP clients on the trusted or optional networks, MUVPN users, and PPTP RUVPN users to resolve DNS queries. WatchGuard System Manager Configuring Dynamic DNS Make sure that you use only an internal WINS and DNS server for DHCP and RUVPN. This helps to make sure that you do not create policies that have configuration properties that prevent users from connecting to the DNS server. 1 From Policy Manager, select Network > Configuration. Click the WINS/DNS tab. The information on the WINS/DNS tab appears. 2 Type the primary and secondary addresses for the WINS and DNS servers. You can specify up to three DNS servers. You can also type a domain suffix in the Domain Name text box for a DHCP client to use with unqualified names such as “watchguard_mail”. Configuring Dynamic DNS You can register the external IP address of the Firebox® with a dynamic Domain Name Server (DNS) service. A dynamic DNS service makes sure that the IP address attached to your domain name changes when your ISP gives your Firebox a new IP address. The Firebox supports one dynamic DNS provider: DynDNS. For more information on dynamic DNS, log on to the DynDNS web site: http://www.dyndns.com WatchGuard® is not affiliated with DynDNS. Creating a DynDNS account To set up your account, go to the DynDNS web site: http://www.dyndns.com Use the instructions on this web site to activate your account. You must do this before you configure the Firebox for dynamic DNS. Setting up the Firebox for dynamic DNS 1 From Policy Manager, select Network > Configuration. Click the WIN/DNS tab. 2 Make sure you have defined at least one DNS server. If you have not, use the procedure in “Adding WINS and DNS Server Addresses” on page 114 to define one. User Guide 115 Configuring Routes 3 Click the Dynamic DNS tab. 4 Select the external interface you want to configure dynamic DNS for and click Configure. The Per Interface Dynamic DNS dialog box appears. 5 To enable dynamic DNS, select the Enable Dynamic DNS check box. 6 Type the user name, password, and domain name you used to set up your dynamic DNS account. 7 In the Service Type drop-down list, select the system to use for this update: - dyndns sends updates for a Dynamic DNS host name. - statdns sends updates for a Static DNS host name. - custom sends updates for a Custom DNS host name. For more information on each option, see http://www.dyndns.com/services/ 8 In the Options field, you can type any of the options shown below. You must type an “&” character before and after each option you add. If you add more than one option, you must separate the options with the “&” character. For example: &backmx=NO&wildcard=ON& mx=mailexchanger backmx=YES|NO wildcard=ON|OFF|NOCHG offline=YES|NO For more information on options, see: http://www.dyndns.com/developers/specs/syntax.html 9 Use the arrows to set a time interval, in days, to force an update of the IP address. Configuring Routes A route is the sequence of devices through which network traffic must go to get from its source to its destination. A router is the device in a route that finds the subsequent network point through which to send the network traffic to its destination. Each router is connected to a minimum of two networks. A packet can go through a number of network points with routers before it gets to its destination. The Firebox® lets you create static routes to send traffic to specific hosts or networks. The router can then send the traffic to the correct destination from the specified route. If you do not add a route to a remote network, all traffic to that network is sent to the Firebox default gateway. 116 WatchGuard System Manager Configuring Routes The WatchGuard® Users Forum is a good source of data about network routes and routers. Use your LiveSecurity Service to find more information. Adding a network route Add a network route if you have a full network behind a router on your local network. Type the network IP address, with slash notation. 1 From Policy Manager, select Network > Routes. The Setup Routes dialog box appears. 2 Click Add. The Add Route dialog box appears. 3 Select Network IP from the drop-down list. 4 In the Route To text box, type the network address. Use slash notation. For example, type 10.10.1.0/24. A /24 network always has a zero for the last octet. 5 In the Gateway text box, type the IP address of the router. Make sure that you enter an IP address that is on one of the same networks as the Firebox. 6 Click OK to close the Add Route dialog box. The Setup Routes dialog box shows the configured network route. 7 Click OK again to close the Setup Routes dialog box. Adding a host route Add a host route if there is only one host behind the router or you want traffic to go to only one host. Type the IP address of that specified host, with no slash notation. 1 From Policy Manager, select Network > Routes. The Setup Routes dialog box appears. 2 Click Add. The Add Route dialog box appears. 3 Select Host IP from the drop-down list. 4 In the Route To text box, type the host IP address. 5 In the Gateway text box, type the IP address of the router. Make sure that you enter an IP address that is on one of the same networks as the Firebox. 6 Click OK to close the Add Route dialog box. The Setup Routes dialog box shows the configured host route. 7 User Guide Click OK again to close the Setup Routes dialog box. 117 Configuring Advanced Settings for an Interface Configuring Advanced Settings for an Interface Setting Firebox Interface Speed and Duplex You can configure the speed and duplex parameters for Firebox® interfaces to automatic or manual configuration. We recommend you keep the link speed configured for automatic negotiation. If you use the manual configuration option, you must make sure the device the Firebox connects to is also manually set to the same speed and duplex parameters as the Firebox. Use the manual configuration option only when you must override the automatic Firebox interface parameters to operate with other devices on your network. 118 1 Select Network > Configuration. Click the interface you want to configure, and then click Configure. 2 Select the Advanced tab. 3 From the Link Speed drop-down list, select Auto Negotiate if you want the Firebox to select the best network speed. You can also select one of the half-duplex or full-duplex speeds that you know is compatible with your equipment. WatchGuard System Manager Using a Firebox with a Drop-in Configuration 4 From the Maximum Transmission Unit (MTU) value control, select the maximum packet size, in bytes, that can be sent through the interface. We recommend that you use the default, 1500 bytes, unless your network equipment requires a different packet size. Setting maximum bandwidth and marking type You can set traffic management and QoS parameters on a per-interface basis. For more information, see the “Traffic Management and Quality of Service” chapter. Setting DF bit for IPSec (external interfaces only) When you configure the external interface, select one of the following radio buttons to determine the setting of the Don’t Fragment (DF) bit for IPSec: Clear Select to tell the Firebox to break the frame into pieces that can fit in an IPSec packet with the ESP or AH header, regardless of the original bit setting. Set Select to prevent the Firebox from fragmenting the frame regardless of the original bit setting. If a user must make IPSec connections to a Firebox from behind a different Firebox, you must clear this check box to enable the IPSec pass-through feature. For example, if mobile employees are at a customer location that has a Firebox, they can make IPSec connections to their network using IPSec. For the local Firebox to correctly allow the outgoing IPSec connection, you must also add an IPSec policy to Policy Manager. Copy The Type of Service (TOS) bits are a set of four-bit flags in the IP header that can tell routing devices to give an IP datagram more or less priority than other datagrams. Fireware® gives you the option to allow IPSec tunnels to pass TOS flagged packets. Some ISPs drop all packets that have TOS flags set. When the Copy check box is selected, if the original packet has TOS bits set, then Fireware keeps the TOS bits set when it encapsulates the packet in an IPSec header. If the original packet does not have the TOS bits set, Fireware does not set the TOS bits when it encapsulates the packet in an IPSec header. If you do not select the Copy check box, all IPSec packets have no TOS bits set. If the TOS bits were set before, when Fireware encapsulates the packet in an IPSec header, the TOS bits are cleared. Setting the PMTU for IPSec (external interfaces only) The PMTU (Path Maximum Transmission Unit) setting for an external interface controls the length of time that the Firebox lowers the MTU for an IPSec VPN tunnel when it gets an ICMP Request to Fragment packet from a router with a lower MTU setting on the Internet. We recommend that you keep the default settings. This can protect you from a router on the Internet with a very low MTU setting. Using a Firebox with a Drop-in Configuration In a drop-in configuration, the Firebox is configured with the same IP address on all interfaces. The drop-in configuration mode distributes the network’s logical address range across the Firebox interfaces. You can put the Firebox between the router and the LAN and not have to change the configuration of any local computers. This configuration is known as drop-in because the Firebox is “dropped in” to a network. In drop-in mode: • User Guide You must assign the same primary IP address to all interfaces on your Firebox (external, trusted, and optional). 119 Using a Firebox with a Drop-in Configuration • You can assign secondary networks on any interface. • You can keep the same IP addresses and default gateways for hosts on your trusted and optional networks, and add a secondary network address to the Firebox® interface so the Firebox can correctly send traffic to the hosts on these networks. The public servers behind the Firebox can continue to use public IP addresses. The Firebox does not use network address translation to route traffic from outside your network to your public servers. The properties of a drop-in configuration are: • You must have a static external IP address to assign to the Firebox. • You use one logical network for all interfaces. • You cannot configure more than one external interface when your Firebox is configured in dropin mode. Multi-WAN functionality is automatically disabled. It is sometimes necessary to flush the ARP cache of each computer on the trusted network, but this is not common. If you move an IP address from a computer located behind one Firebox interface to a computer located behind a different Firebox interface, it can take several minutes for traffic between that IP address and the Firebox itself to start to flow. The Firebox must update its internal routing table before traffic can pass. This affects only Firebox traffic such as logging, SNMP, and Firebox management connections. Configuring related hosts In a drop-in configuration, the Firebox is configured with the same IP address on each interface. The drop-in configuration mode distributes the network’s address range across the Firebox interfaces. Related hosts are sometimes required when you have configured your Firebox in drop-in mode and automatic host mapping is not functioning correctly. This sometimes happens because of interference with the Firebox trying to discover devices on an interface. When this occurs, turn off automatic host mapping and add related host entries for computers that share a network address with the Firebox. This creates a static routing relationship between the related host IP address and the interface designated for that IP address. When there are problems with dynamic/automatic host mapping, you must use related host entries. 1 From Policy Manager, select Network > Configuration. The Network Configuration dialog box appears. 120 WatchGuard System Manager Virtual Local Area Networks (VLANs) 2 Click Properties. The Drop-In Mode Properties dialog box appears. 3 Disable automatic host mapping on any interface on which automatic host mapping is not operating correctly. 4 Click Add. Type the IP address of the computer for which you want to build a static route from the Firebox. 5 Click on the Interface Name column to select the interface the related host is connected to. 6 After you have added all related host entries, click OK. Save the configuration to the Firebox. Virtual Local Area Networks (VLANs) An 802.1Q VLAN (virtual local area network) is a collection of computers on a LAN or LANs that are grouped together in a single broadcast domain independent of their physical location. This allows the grouping of devices according to traffic patterns instead of physical proximity. Members of a VLAN can share resources as if they were connected to the same LAN. You can also use VLANs to split a switch into multiple segments. For example, suppose your company has full-time employees and contract workers on the same LAN. You want to restrict the contract employees to a subset of the resources used by the full-time employees. You also want to use a more restrictive security policy for the contract workers. In this case, you split the interface into two VLANs. Because VLANs use bridges and switches, broadcasts are more efficient because they go only to people in the VLAN, not everyone on the wire. Consequently, traffic across your routers is reduced, which means a coincidental reduction in router latency. VLANs allow you to segment your network with a logical, hierarchical structure or grouping instead of a physical one. Logical grouping helps free IT staff from the restrictions of their existing network design and cabling infrastructure. VLANs make designing, implementing, and managing your network easier. Because VLANs are software based, you can quickly and easily adapt your network to additions, relocations, and reorganizations. User Guide 121 Defining a New VLAN VLANs improve network performance by enabling you to more effectively segment your network. Effective segmentation means that traffic through your network’s routers is reduced. When you create VLANs, you can use bridges and switches instead of routers and hubs. Bridges and switches pass traffic more quickly than routers; you need to send traffic across a router only when you send data from one VLAN to another VLAN. VLANs have the following limitations: • You must have Fireware® Pro installed on your Firebox®. • VLANs are supported from trusted and optional interfaces only. The external interface does not allow VLAN configuration. • The WatchGuard® VLAN implementation does not support the spanning tree link management protocol. • If your Firebox is configured with a drop-in configuration, you cannot use VLANs. • One Firebox physical interface can be an untagged VLAN member of only one VLAN. For example, if eth0 is an untagged member of a VLAN named VLAN-1, it cannot be an untagged member of a different VLAN at the same time. • A Firebox interface can send untagged data to only one VLAN. • A Firebox interface can receive untagged data frames for only one VLAN. • Your Firebox model and license controls the number of VLANs you can add to the Firebox. To see the number of VLANs you can add to your Firebox, use Policy Manager to select Setup > Licensed Features. Click the Active Features button and find the row labeled VLAN. All network segments you want to add to a VLAN must have IP addresses on the VLAN network. If you define VLANs, you can ignore messages with the text “802.1d unknown version”. These occur because the WatchGuard VLAN implementation does not support spanning tree link management protocol. Tagging To enable VLANs, VLAN-capable switches must be deployed in each site. The switch interfaces insert tags at layer 2 of the data frame. These tags, which add an extra four bytes to the Ethernet header, identify the frame as belonging to a specific VLAN. Tagging is specified by the IEEE 802.1Q standard. The VLAN definition includes disposition of tagged and untagged data frames. You must specify whether the VLAN receives tagged, untagged, or no data from each interface enabled on the Firebox. The Firebox can insert tags for packets that are sent to a VLAN-capable switch. The Firebox can also remove tags from packets that are sent to a network segment that belongs to a VLAN which has no switch. Defining a New VLAN 1 From Policy Manager, select Network > Configuration. The Network Configuration dialog box appears. 2 Click the VLAN tab. A table of existing user-defined VLANs and their settings appears: - You can click on a column header to sort the table based on the values in that column. - The table can be sorted in descending or ascending order. - The values in the Interface column show the physical interfaces that are members of this VLAN. 122 WatchGuard System Manager Defining a New VLAN - The interface number shown in bold is the interface that sends untagged data to that VLAN. User Guide 123 Defining a New VLAN 3 Click Add. The New VLAN Configuration dialog box appears. 124 4 In the Name (Alias) field, type a name for the VLAN you want to add. 5 In the Description field, type a description of the VLAN. This is optional and for your reference only. 6 Use the arrows in the VLAN ID field, or type a number into the field, to assign an integer value to the VLAN. 7 In the Security Zone field, select either Trusted or Optional. Security zones correspond to aliases for interface security zones. For example, VLANs of type “trusted” are handled by policies that use the alias "any-trusted" as a source or destination. VLANs can be defined as trusted or optional. 8 Enter the address of the VLAN gateway in the IP Address field. WatchGuard System Manager Specifying VLANs for an Interface Using DHCP You can configure the Firebox® as a DHCP server for the computers on your VLAN network. 1 Select the Use DHCP Server radio button to configure the Firebox as the DHCP server for your VLAN network. 2 To add an IP address range, click Add and type the first and last IP addresses assigned for distribution. Click OK. You can configure a maximum of six address ranges. 3 To reserve a specific IP address for a client, click Add next to the Reserved Addresses box. Enter a name for the reservation, the IP address you want to reserve, and the MAC address of the client’s network card. Click OK. 4 Use the arrow buttons next to Leasing Time to change the default lease time. This is the time interval that a DHCP client can use an IP address that it receives from the DHCP server. When the time is near its limit, the client sends data to the DHCP server to get a new lease. Using DHCP relay The DHCP relay feature relays a request from a remote client to a DHCP server for an IP address. You can use DHCP relay when you define the Firebox in a drop-in configuration. 1 Select the Use DHCP Relay radio button. 2 Type the IP address of the DHCP server. Make sure to add a route to the DHCP server, if necessary. Specifying VLANs for an Interface When you create a new VLAN, you specify the type of data it receives from Firebox interfaces. However, you can also make an interface a member of a VLAN that is currently defined. You can also cancel an interface’s VLAN membership. 1 From the Interfaces tab, click an interface and click Configure. The Interface Settings dialog box appears. User Guide 125 Specifying VLANs for an Interface 2 Next to Interface Type, select VLAN. A table that shows all current VLANS appears. 126 3 You must specify what type of data VLANs receive from this interface. To define the VLANs that send and receive tagged data, select the Send and receive tagged traffic for selected VLANs radio button. Select the Member box of each VLAN to receive tagged data from this interface. To cancel membership, clear the Member box. 4 To make the interface receive untagged data, select the Make this interface an untagged switch port radio button. Select the Member box of computers connected to this interface to the selected LAN. To cancel membership, clear the Member box. 5 Click OK. WatchGuard System Manager 9 Network Setup with Multiple External Interfaces Fireware® appliance software gives you the option to configure multiple external interfaces (up to four), each on a different subnet. This allows you to connect the Firebox® to more than one Internet Service Provider (ISP). As soon as you configure a second external interface, multiple WAN support is automatically enabled with multi-WAN. The default multi-WAN option is the Routing Table method. Multi-WAN Requirements and Conditions When you use multi-WAN, you must remember: • If you have a policy configured with an individual external interface alias in its configuration, you must change the configuration to use the alias “Any-External” or another alias you configure for the Firebox’s external interfaces. If you do not do this, some traffic could be denied by your firewall policies. • Multi-WAN settings do not apply to incoming traffic. When you configure a policy for inbound traffic, you can ignore all multi-WAN settings. • You can override the multi-WAN configuration in any individual policy. On the Policy tab of a policy, select the Use policy-based routing check box and specify the external interface you want the Firebox® to use. For more information on policy-based routing, see “About policy-based routing” on page 198. • Map your company’s Fully Qualified Domain Name to the external interface IP address of the lowest order. If you add a multi-WAN Firebox to your Management Server configuration, you must add the Firebox using its lowest-ordered external interface to identify it. • You cannot use drop-in mode. • To use the Interface Overflow method, you must have a Fireware® Pro license and Fireware Pro installed on your Firebox. You must also have a Fireware Pro license if you use the Round-robin method and configure different weights for the Firebox’s external interfaces. Multi-WAN and DNS Make sure the DNS server can be reached through every WAN. Otherwise, you must modify your DNS policy such that: • User Guide The From list includes “Firebox”. 127 Multi-WAN Options • Select Use policy-based routing. If only one WAN can reach the DNS server, select that interface in the adjacent drop-down list. If more than one WAN can reach the DNS server, select any one of them, select Failover, select Configure, and select all the interfaces that can reach the DNS server. The order does not matter. Multi-WAN Options When you configure multiple external interfaces, you have four options to control which interface an outgoing packet uses. Some of these options require that you have Fireware® Pro installed on your Firebox.® About the WAN Failover method When you use the Failover method to route traffic through the Firebox’s external interfaces, you select one external interface to be the primary external interface. Other external interfaces are backup interfaces, and you set the order for the Firebox to use the backup interfaces. The Firebox monitors the primary external interface. If it goes down, the Firebox sends all traffic to the next external interface in its configuration. While the Firebox sends all traffic to the backup interface, it continues to monitor the primary external interface. When the primary interface is active again, the Firebox immediately starts to send all new connections through the primary external interface again. You control the action for the Firebox to take for existing connections; these connections can failback immediately, or continue to use the backup interface until the connection is complete. Multi-WAN Failover and High Availability are configured separately. Multi-WAN Failover caused by a failed connection to a link monitor host does not trigger HA failover. HA failover occurs only when the physical interface is down or does not respond. HA failover takes precedence over multi-WAN Failover. About multi-WAN in round-robin order When you configure multi-WAN with the Round-robin method, the Firebox looks at its internal routing table to check for specific static or dynamic routing information for each connection. If no specified route is found, the Firebox distributes the traffic load among its external interfaces. The Firebox uses the average of sent (TX) and received (RX) traffic to balance the traffic load across all external interfaces you specify in your round-robin configuration. If you use Fireware Pro, you can assign a weight to each interface used in your round-robin configuration. By default and for all Fireware users, each interface has a weight of 1. The weight refers to the proportion of load that the Firebox sends through an interface. If you have Fireware Pro and you assign a weight of 2 to an interface, you double the portion of traffic that will go through that interface compared to an interface with a weight of 1. For example, if you have three external interfaces with 6M, 1.5M, and .075M bandwidth and want to balance traffic across all three interfaces, you would use 8, 2, and 1 as the weights for the three interfaces. Fireware will try to distribute connections so that 8/11, 2/11, and 1/11 of the total traffic flows through each of the three interfaces. About multi-WAN with the routing table When you select the Routing Table option for your multi-WAN configuration, the Firebox uses the routes in its internal route table or routes it gets from dynamic routing processes to send packets through the correct external interface. To see whether a specific route exists for a packet’s destination, the Firebox examines its route table from the top to the bottom of the list of routes. You can see the list of routes in the Firebox route table on the Status tab of Firebox System Manager. 128 WatchGuard System Manager Multi-WAN Options If the Firebox does not find a specified route, it selects the route to use based on source and destination IP hash values of the packet, using the ECMP (Equal Cost Multipath Protocol) algorithm specified in: http://www.ietf.org/rfc/rfc2992.txt With ECMP, the Firebox uses an algorithm to decide which next-hop (path) to use to send each packet. This algorithm does not consider current traffic load. When to use the Routing Table method You must decide whether the Routing Table method is the correct multi-WAN method for your needs. The Routing Table method is a good choice if: • You enable dynamic routing (RIP, OSPF, or BGP) and the routers on the external network advertise routes to the Firebox so that the Firebox can learn the best routes to external locations. • You must get access to an external site or external network through a specific route on an external network. Examples include: - You have a private circuit that uses a frame relay router on the external network. - You want all traffic to an external location to always go through a specific Firebox external interface. The Routing Table method is the fastest way to load balance more than one route to the Internet. After you enable this option, the ECMP algorithm manages all connection decisions. No additional configuration is necessary on the Firebox. Routing Table mode and load balancing It is important to note that the Routing Table option does not load balance connections to the Internet. The Firebox reads its internal route table from top to bottom. Static and dynamic routes that specify a destination appear at the top of the route table and take precedence over default routes. (A default route is a route with destination 0.0.0.0/0.) If there is no specific dynamic or static entry in the Firebox route table for a destination, the traffic to that destination is routed among the Firebox’s external interfaces through the use of ECMP algorithms. This may or may not result in even distribution of packets among multiple external interfaces. About the Interface Overflow method When you use the Interface Overflow multi-WAN configuration method, you select the order you want the Firebox to send traffic through external interfaces and configure each interface with a bandwidth threshold value. The Firebox starts to send traffic through the first external interface in its Interface Overflow configuration list. When the traffic through that interface reaches the bandwidth threshold you have set for that interface, the Firebox starts to send traffic to the next external interface you have configured in your Interface Overflow configuration list. This multi-WAN configuration method allows the amount of traffic sent over each WAN interface to be restricted to a specified bandwidth limit. To determine bandwidth, the Firebox examines the amount of sent (TX) and received (RX) packets and uses the higher number. When you configure the interface bandwidth threshold for each interface, you must consider the needs of your network for this interface and set the threshold value based on these needs. For example, if your ISP is asymmetrical and you set your bandwidth threshold based on a large TX rate, interface overflow will not be triggered by a high RX rate. If all WAN interfaces have reached their bandwidth limit, the Firebox uses the ECMP (Equal Cost MultiPath Protocol) routing algorithm to find the best path. You must have a Fireware Pro license to use this multi-WAN routing method. User Guide 129 Configuring the Multi-WAN Routing Table Option Configuring the Multi-WAN Routing Table Option To use the multiple WAN feature, you must have more than one external interface configured. If necessary, use the procedure described in “Configuring the external interface” on page 110. 1 From Policy Manager, select Network > Configuration and click the Multi-WAN tab. 2 From the drop-down list, select Routing table. By default, all external interface IP addresses are included in the configuration. If you want to remove external interfaces from the multi-WAN configuration, click Configure and clear the check box adjacent to the external interface you want to exclude from the multi-WAN configuration. You can have as few as one external interface included in your configuration. This can be useful if you want to use policy-based routing for specific traffic and keep only one WAN for default traffic. 3 To complete your configuration, you must add link monitor information as described in “Checking WAN Interface Status” on page 135. For information on advanced multi-WAN configuration options, see “Configuring Advanced Multi-WAN Settings” on page 137. Looking at the Firebox route table When you select the Routing Table configuration option, it is a good idea to know how to look at the routing table kept on the Firebox®. From WatchGuard® System Manager, open Firebox System Manager and select the Status Report tab. Scroll down until you see Kernel IP routing table. This shows the internal route table on the Firebox. The ECMP group information appears below the routing table. Routes in the internal route table on the Firebox include: 130 • The routes the Firebox learns from dynamic routing processes running on the Firebox (RIP, OSPF, and BGP) if you enable dynamic routing. • The permanent network routes or host routes you add to Policy Manager at Network > Routes. WatchGuard System Manager Configuring the Multi-WAN Round-robin Option The routes the Firebox automatically makes when it reads the network configuration information from Policy Manager at Network > Configuration. • If the Firebox detects that an external interface is down, it removes any static or dynamic routes that use that interface. This is true if the hosts specified on the Link Monitor tab become unresponsive and if the physical Ethernet link is down. Configuring the Multi-WAN Round-robin Option 1 To use the multiple WAN feature, you must have more than one external interface configured. If necessary, use the procedure described in “Configuring the external interface” on page 110. 2 From Policy Manager, select Network > Configuration. 3 Select the Multi-WAN tab. From the drop-down list, select Round-robin. 4 Adjacent to the drop-down list, click Configure. In the Include column, select the check box for each interface you want to use in the round-robin configuration. It is not necessary to include all external interfaces in your round-robin configuration. For example, you may have one interface User Guide 131 Configuring the Multi-WAN Failover Option that you want to use for policy-based routing that you do not want to include in your roundrobin configuration. 5 If you use Fireware® Pro appliance software on your Firebox and you want to change the weights assigned to one or more interfaces, click Configure. Use the value control to set an interface weight. The weight of an interface sets the percentage of load through the Firebox that will use that interface. When you are done, click OK. You can change the weight from its default of 1 only if you have a Fireware Pro license. Otherwise, you will see an error when you try to close the Network Configuration dialog box. 6 Click OK. 7 To complete your configuration, you must add link monitor information as described in “Checking WAN Interface Status” on page 135. For information on advanced multi-WAN configuration options, see “Configuring Advanced Multi-WAN Settings” on page 137. Configuring the Multi-WAN Failover Option 132 1 To use the multiple WAN feature, you must have more than one external interface configured. If necessary, use the procedure described in “Configuring the external interface” on page 110. 2 From Policy Manager, select Network > Configuration. WatchGuard System Manager Configuring the Multi-WAN Failover Option 3 Select the Multi-WAN tab. From the drop-down list, select Failover. 4 Click Configure to specify a primary external interface and select backup external interfaces for your configuration. In the Include column, select the check box for each interface you want to use in the failover configuration. Use the Move Up and Move Down buttons to set the order for failover. The first interface in the list is the primary interface. In the screenshot shown below, if you want to make External-2 the primary interface, click on the interface name and then click the Move Up button. It moves to the top of the list. 5 Click OK. 6 To complete your configuration, you must add link monitor information as described in “Checking WAN Interface Status” on page 135. For information on advanced multi-WAN configuration options, see “Configuring Advanced Multi-WAN Settings” on page 137. User Guide 133 Configuring the Multi-WAN Interface Overflow Option Configuring the Multi-WAN Interface Overflow Option 134 1 To use the multiple WAN feature, you must have more than one external interface configured. If necessary, use the procedure described in “Configuring the external interface” on page 110. 2 From Policy Manager, select Network > Configuration. 3 Select the Multi-WAN tab. From the drop-down list, select Interface Overflow. 4 Click Configure. In the Include column, select the check box for each interface you want to include in your configuration. In the screenshot shown below, if you want to make Interface 3 (External-2) the primary interface, click on the interface name and then click the Move Up button. It moves to the top of the list. WatchGuard System Manager Checking WAN Interface Status 5 To configure a bandwidth threshold for an external interface, select the interface from the list and click Configure. Use the drop-down list to select Mbps or Kbps as the unit of measurement for your bandwidth setting and type the threshold value for the interface. It is important to remember that the Firebox calculates bandwidth based on the higher value of sent or received packets. Click OK. 6 To complete your configuration, you must add information as described in “Checking WAN Interface Status” on page 135. For information on advanced multi-WAN configuration options, see “Configuring Advanced Multi-WAN Settings” on page 137. Checking WAN Interface Status Use the Link Monitor tab to set the method and frequency you want the Firebox® to use to check the status of each WAN interface. If you do not configure a specified method for the Firebox to use, it will ping the interface default gateway to check interface status. If a link monitor host does not respond, it can take from 40 – 60 seconds for the Firebox to update its route table. When the same Link Monitor host starts to respond again, it can take from 1– 60 seconds for the Firebox to update its route table. This process takes more time than when the Firebox detects a physical disconnect of the Ethernet port. When this occurs, the Firebox updates its route table immediately. When the Firebox detects the Ethernet connection is back up, it updates its route table within 20 seconds. User Guide 135 Checking WAN Interface Status To configure a link monitor host: 136 1 Highlight the interface in the External Interface column. The Settings information changes dynamically to show the settings for that interface. 2 Select the Ping check box to add an IP address or domain name for the Firebox to ping to check for interface status. You can also select the TCP check box to add the IP address or domain name of a computer that the Firebox can negotiate a TCP handshake with to check the status of the WAN interface. Select the Both ping and TCP must be successful to define the interface as active check box if you want the interface to be considered active unless both a ping and TCP handshake fail. Note that if an external interface is a peer in a High Availability configuration, a multi-WAN failover caused by a failed connection to a link monitor host does not trigger HA failover. HA failover occurs only when the physical interface is down or does not respond. If you add a domain name for the Firebox to ping and any one of the Firebox external interfaces has a static IP address, you must configure a DNS server, as described in “Adding WINS and DNS Server Addresses” on page 114. WatchGuard System Manager Configuring Advanced Multi-WAN Settings 3 Use the Probe Interval setting to configure the frequency you want the Firebox to use to check the status of the interface. By default, the Firebox checks every 15 seconds. 4 Use the Deactivate after setting to change the number of consecutive probe failures that must occur before failover. By default, after three probe failures, the Firebox starts to send traffic through the next specified interface in the multi-WAN failover list. 5 Use the Reactivate after setting to change the number of consecutive successful probes through an interface before an interface that was inactive becomes active again. 6 Repeat these steps for each external interface. 7 Click OK. Save your changes to the Firebox. Configuring Advanced Multi-WAN Settings Use the multi-WAN configuration Advanced tab to set your preferences for sticky connections, failback, and notification of multi-WAN events. Not all configuration options are available for all multiWAN configuration options. If a setting does not apply to the multi-WAN configuration option you selected, those fields are not active. Sticky Connections A sticky connection is a connection that continues to use the same WAN interface for a defined period of time. You can configure sticky connection parameters if you use the Round-robin or Interface Overflow configuration options for multi-WAN. Stickiness makes sure that, if a packet goes out through one external interface, any future packets between the source and destination address pair use the same external interface for a specified period of time. By default, sticky connections use the same interface User Guide 137 Configuring Advanced Multi-WAN Settings for three minutes. Use the Advanced tab to configure a global sticky connection duration for TCP connections, UDP connections, and connections that use other protocols. You can override the multi-WAN sticky connection settings in any individual policy. Open a policy for edit and select the Advanced tab to change the sticky connection settings for a policy. Failback Use the drop-down list in the Failback for Active Connections box to set the action you want the Firebox to take when a failover event has occurred and then the primary external interface becomes active again. When this occurs, all new connections immediately fail back to the primary external interface. You select the method you want to use for connections in process at the time of failback. Select Immediate failback if you want the Firebox to immediately stop all existing connections. Select Gradual failback if you want the Firebox to continue to use the failover interface for existing connections until each connection is complete. 138 WatchGuard System Manager Configuring Advanced Multi-WAN Settings This failback setting also applies to any policy-based routing configuration you set to use failover external interfaces. User Guide 139 Configuring Advanced Multi-WAN Settings 140 WatchGuard System Manager 10 Network Address Translation (NAT) Network Address Translation (NAT) was first developed as a solution for organizations that could not get enough registered IP network numbers from Internet Address Registrars for their increasing population of hosts and networks. NAT is generically used to describe any of several forms of IP address and port translation. At its most basic level, NAT changes the IP address of a packet from one value to a different value. The primary purposes of NAT are to increase the number of computers that can operate off a single publicly routable IP address, and to hide the private IP addresses of hosts on your LAN. You can apply NAT as a general firewall setting, or as a setting in a policy. Note that firewall NAT settings do not apply to BOVPN or MUVPN policies. If you have Fireware Pro, you can also access the configuration settings to set up the Server Load Balancing feature as part of a static NAT rule. The server load balancing feature is designed to help you increase the scalability and performance of a high-traffic network with multiple public servers protected by your Firebox. With server load balancing, you can have the Firebox control the number of sessions initiated to as many as ten servers for each firewall policy you configure. The Firebox controls the load based on the number of sessions in use on each server. The Firebox does not measure or compare the bandwidth that is used by each server. Types of NAT WatchGuard® System Manager supports three different types of NAT. Dynamic NAT Dynamic NAT is also known as IP masquerading. The Firebox® can apply its public IP address to the outgoing packets for all connections or for specified services. This hides the real IP address of the computer that is the source of the packet from the external network. Dynamic NAT is generally used to hide the IP addresses of internal hosts when they get access to public services. 1-to-1 NAT 1-to-1 NAT creates a mapping between IP addresses on one network and IP addresses on a different network. This type of NAT is often used to give external computers access to your public, internal servers. User Guide 141 Using Dynamic NAT Static NAT for a policy Also known as port forwarding, you configure static NAT when you configure policies, as described in “Setting Policy Properties” on page 195. Static NAT is a port-to-host NAT. A host sends a packet from the external network to a port on an external interface. Static NAT changes this IP address to an IP address and port behind the firewall. It is possible that, in your configuration, you use more than one type of NAT. Using Dynamic NAT Dynamic NAT is the most frequently used type of NAT. It changes the source IP address of an outgoing connection to the public IP address of the Firebox. Outside the Firebox, you see only the external interface IP address of the Firebox on outgoing packets. Many computers can connect to the Internet from one public IP address. Dynamic NAT gives more security for internal hosts that use the Internet, because it hides the IP addresses of hosts on your network. With dynamic NAT, all connections must start from behind the Firebox. Malicious hosts cannot start connections to the computers behind the Firebox when the Firebox is configured for dynamic NAT. In most networks, the recommended security policy is to apply NAT to all outgoing packets. With Fireware®, dynamic NAT is enabled by default in the Network > NAT dialog box. It is also enabled by default in each policy you create. You can override the firewall setting for dynamic NAT in your individual policies. Adding firewall dynamic NAT entries The default configuration of dynamic NAT enables dynamic NAT from all private IP addresses to the external network. The default entries are: • 192.168.0.0/16 - Any-External • 172.16.0.0/12 - Any-External • 10.0.0.0/8 - Any-External These three network addresses are the private networks reserved by the Internet Engineering Task Force (IETF) and usually are used for the IP addresses on LANs. To enable dynamic NAT for private IP addresses other than these, you must add an entry for them. The Firebox applies the dynamic NAT 142 WatchGuard System Manager Using Dynamic NAT rules in the sequence that they appear in the Dynamic NAT Entries list. We recommend that you put the rules in a sequence that matches the volume of traffic the rules apply to. 1 From Policy Manager, select Network > NAT. The NAT Setup dialog box appears. 2 On the Dynamic NAT tab of the NAT Setup dialog box, click Add. The Add Dynamic NAT dialog box appears. 3 Use the From drop-down list to select the source of the outgoing packets. For example, use the trusted host alias to enable NAT from all of the trusted network. For more information on built-in Firebox aliases, see “Working with Aliases” on page 76. 4 Use the To drop-down list to select the destination of the outgoing packets. 5 To add a host or a network IP address, click the Add Address button shown at the right. Use the drop-down list to select the address type. Type the IP address or the range. You must type a network address in slash notation. When you type an IP address, type all the numbers and the periods. Do not use the TAB or arrow key. 6 Click OK. The new entry appears in the Dynamic NAT Entries list. Reordering dynamic NAT entries To change the sequence of the dynamic NAT entries, select the entry to change. Then click Up or Down. You cannot change a dynamic NAT entry. If a change is necessary, you must delete the entry with Remove. Use Add to enter it again. User Guide 143 Using 1-to-1 NAT Using 1-to-1 NAT When you enable 1-to-1 NAT, the Firebox® changes and routes all incoming and outgoing packets sent from one range of addresses to a different range of addresses. A 1-to-1 NAT rule always has precedence over dynamic NAT. 1-to-1 NAT is frequently used when you have a group of internal servers with private IP addresses that must be made public. You can use 1-to-1 NAT to map public IP addresses to the internal servers. You do not have to change the IP address of your internal servers. When you have a group of similar servers (for example, a group of email servers), 1-to-1 NAT is easier to configure than static NAT for the same group of servers. To understand how to configure 1-to-1 NAT, we give this example: Company ABC has a group of five privately addressed email servers behind the trusted interface of their Firebox X Peak. These addresses are: 10.1.1.1 10.1.1.2 10.1.1.3 10.1.1.4 10.1.1.5 Company ABC selects five public IP addresses from the same network address as the external interface of their Firebox, and creates DNS records for the email servers to resolve to. These addresses are: 50.1.1.1 50.1.1.2 50.1.1.3 50.1.1.4 50.1.1.5 Company ABC configures a 1-to-1 NAT rule for their email servers. The 1-to-1 NAT rule builds a static, bi-directional relationship between the corresponding pairs of IP addresses. The relationship looks like this: 10.1.1.1 <--> 50.1.1.1 10.1.1.2 <--> 50.1.1.2 10.1.1.3 <--> 50.1.1.3 10.1.1.4 <--> 50.1.1.4 10.1.1.5 <--> 50.1.1.5 When the 1-to-1 NAT rule is applied, the Firebox creates the bi-directional routing and NAT relationship between the pool of private IP addresses and the pool of public addresses. Defining a 1-to-1 NAT rule In each 1-to-1 NAT rule, you can configure a host, a range of hosts, or a subnet. You must also configure: Interface The name of the Firebox® Ethernet interface on which 1-to-1 NAT is applied. The Firebox will apply 1-to-1 NAT for packets sent in to, and out of, the interface. In our example above, the rule is applied to the external interface. 144 WatchGuard System Manager Using 1-to-1 NAT NAT base When you configure a 1-to1 NAT rule, you configure the rule with a “from” and a “to” range of IP addresses. The NAT base is the first available IP address in the “to” range of addresses. The NAT base IP address is the address that the real base IP address changes to when the 1-to-1 NAT is applied. You cannot use the IP address of one of your FIrebox interfaces as your NAT base. In our example above, the NAT base is 50.1.1.1. Real base When you configure a 1-to-1 NAT rule, you configure the rule with a “from” and a “to” range of IP addresses. The Real base is the first available IP address in the “from” range of addresses. It is the IP address assigned to the physical Ethernet interface of the computer to which you will apply the 1-to-1 NAT policy. When packets from a computer with a real base address go through the interface specified, the 1-to-1 action is applied. In our example above, the Real base is 10.1.1.1. Number of hosts to NAT (for ranges only) The number of IP addresses in a range to which the 1-to-1 NAT rule applies. The first real base IP address is translated to the first NAT Base IP address when 1-to-1 NAT is applied. The second real base IP address in the range is translated to the second NAT base IP address when 1-to-1 NAT is applied. This is repeated until the “Number of hosts to NAT” is reached. In our example above, the number of hosts to apply NAT to is five. You can also use 1-to-1 NAT to solve the problem when you must create a VPN tunnel between two networks that use the same private network address. When you create a VPN tunnel, the networks at each end of the VPN tunnel must have different network address ranges. If the network range on the remote network is the same as on the local network, you can configure both gateways to use 1-to-1 NAT. Then, you can create the VPN tunnel and not change the IP addresses of one side of the tunnel. 1-to-1 NAT for a VPN tunnel is configured when you configure the VPN tunnel and not in the Network > NAT dialog box. Configuring firewall 1-to-1 NAT 1 From Policy Manager, click Network > NAT. Click the 1-to-1 NAT tab. 2 Click Add. The 1-1 Mapping dialog box appears. 3 In the Map Type drop-down list, select Single IP, IP range, or IP subnet if you want to map to one host, a range of hosts, or a subnet. If you select IP range or IP subnet, do not include more than 256 IP addresses in that range or subnet. If you have more than 256 IP addresses you want to apply 1-to-1 NAT to, you must create more than one rule. 4 In the NAT base text box, type the address you want your real base IP address to be changed to. 5 Complete all the information. Click OK. User Guide 145 Configuring Policy-Based Dynamic or 1-to-1 NAT 6 Repeat steps 2 – 4 for each 1-to-1 NAT entry. When you are done, click OK to close the NAT Setup dialog box. Save the changes to the Firebox. After you configure a global 1-to-1 NAT rule, you must configure the NAT base IP addresses in the appropriate policies. In the example given above, we must configure our SMTP policy to allow SMTP traffic from Any to 50.1.1.1-50.1.1.5. To connect to a computer located on a different Firebox interface that uses 1-to-1 NAT, you must use that computer’s private (NAT base) IP address. If this is a problem, you can disable 1-to-1 NAT and use static NAT. Configuring Policy-Based Dynamic or 1-to-1 NAT Both dynamic and 1-to-1 NAT can be applied to individual policies. If traffic matches both 1-to-1 NAT and dynamic NAT policies, the 1-to-1 NAT gets precedence. Configuring policy-based 1-to-1 NAT With this type of NAT, the Firebox® uses the private and public IP ranges that you set when you configured global 1-to-1 NAT, but the rules are applied to an individual policy. 1-to-1 NAT is enabled in the default configuration of each policy. If traffic matches both 1-to-1 NAT and dynamic NAT policies, the 1-to-1 NAT gets precedence. Enabling policy-based 1-to-1 NAT Because policy-based 1-to-1 NAT is enabled by default, you do not need to do anything else to enable it. Disabling policy-based 1-to-1 NAT 1 From Policy Manager, right-click a policy and select Modify Policy. The Edit Policy Properties dialog box appears. 2 Click the Advanced tab. 3 Clear the 1-to-1 NAT check box to turn NAT off for the traffic this policy controls. 4 Click OK. Save the change to the Firebox. Configuring policy-based dynamic NAT With this type of NAT, the Firebox maps private IP addresses to public IP addresses. Dynamic NAT is enabled in the default configuration of each policy. For policy-based dynamic NAT to work correctly, use the Policy tab of the Edit Policy Properties dialog box to make sure the policy is configured to allow traffic out through only one Firebox interface. 1-to-1 NAT rules have higher precedence than dynamic NAT rules. 1 From Policy Manager, right-click a policy and select Modify Policy. The Edit Policy Properties dialog box appears. 146 WatchGuard System Manager Configuring Policy-Based Dynamic or 1-to-1 NAT 2 Click the Advanced tab. 3 Select Use Network NAT Settings if you want to use the dynamic NAT rules set for the Firebox. Select All traffic in this policy if you want to apply NAT to all traffic in this policy. 4 If you selected All traffic in this policy, you can set a dynamic NAT source IP address for any policy that uses dynamic NAT. Select the Set source IP check box to do this. This makes sure that any traffic that uses this policy shows a specified address from your public or external IP address range as the source. You would most often do this to force outgoing SMTP traffic to show your domain’s MX record address when the IP address on the Firebox’s external interface is not the same as your MX record IP address. This source address must be on the same subnet as the interface you specified for outgoing traffic. If you do not select the Set source IP check box, the Firebox changes each packet’s source IP address to the IP address of the interface from which the packet is sent out. We recommend that you do not use the Set source IP option if you have more than one external interface configured on your Firebox. 5 Click OK. Save the changes to the Firebox. Disabling policy-based dynamic NAT 1 From Policy Manager, right-click a policy and select Modify Policy. The Edit Policy Properties dialog box appears. 2 Click the Advanced tab. 3 Clear the check box in front of Dynamic NAT to turn NAT off for the traffic this policy controls. 4 Click OK. Save the change to the Firebox. User Guide 147 Configuring Static NAT Configuring Static NAT Static NAT, also known as port forwarding, is a port-to-host NAT. A host sends a packet from the external network to a port on an external interface. Static NAT changes this IP address to an IP address and port behind the firewall. If a software application uses more than one port and the ports are selected dynamically, you must use 1-to-1 NAT or check whether a proxy on the Firebox® will manage this kind of traffic. When you use static NAT, you use an external IP address of your Firebox instead of the IP address of a public server. You could do this because you choose to, or because your public server does not have a public IP address. For example, you can put your SMTP email server behind the Firebox with a private IP address and configure static NAT in your SMTP policy. The Firebox receives connections on port 25 and makes sure that any SMTP traffic is sent to the real SMTP server behind the Firebox. Because of how static NAT works, it is available only for policies that use a specified TCP or UDP port. A policy that has another protocol cannot use incoming static NAT. If you have a policy that uses a protocol other than TCP or UDP, the NAT button in the Properties dialog box of that policy is disabled. You also cannot use static NAT with the Any policy. 1 Double-click a policy icon in the Policy Manager window. 2 From the Connections are drop-down list, select Allowed. To use static NAT, the policy must let incoming traffic through. 3 Below the To list, click Add. The Add Address dialog box appears. 4 Click Add NAT. The Add Static NAT dialog box appears. 5 From the External IP Address drop-down list, select the public IP address to use for this service. 6 Type the internal IP address. The internal IP address is the destination on the trusted or optional network. 7 If necessary, select the Set internal port to a different port than this policy check box. This enables port address translation (PAT). You usually do not use this feature. It enables you to change the packet destination not only to a specified internal host but also to a different port. If you select this check box, type the different port number or use the arrow buttons in the Internal Port box. 8 Click OK to close the Add Static NAT dialog box. The static NAT route appears in the Members and Addresses list. 9 148 Click OK to close the Add Address dialog box. Click OK to close the Properties dialog box of the service. WatchGuard System Manager Server Load Balancing Server Load Balancing You must have Fireware Pro to use the Server Load Balancing feature. The server load balancing feature in Fireware Pro is designed to help you increase the scalability and performance of a high-traffic network with multiple public servers. With server load balancing, you can have the Firebox control the number of sessions initiated to as many as 10 servers for each firewall policy you configure. The Firebox controls the load based on the number of sessions in use on each server. The Firebox does not measure or compare the bandwidth that is used by each server. You configure server load balancing as part of a static NAT rule. The Firebox can balance connections among your servers with two different algorithms. When you configure server load balancing, you must choose the algorithm you want the Firebox to apply: Round-robin If you select this option, the Firebox distributes incoming sessions among the servers you specify in the policy in round-robin order. The first connection is sent to the first server specified in your policy. The next connection is sent to the next server in your policy, and so on. Least Connection If you select this option, the Firebox sends each new session to the server in the list that currently has the lowest number of open connections to the Firebox. The Firebox cannot tell how many connections the server has open on other interfaces. If you want to, you can apply weights to your servers in the server load balancing configuration to make sure that your most powerful servers are given the heaviest load. By default, each interface has a weight of one. The weight refers to the proportion of load that the Firebox sends to a server. If you assign a weight of 2 to a server, you double the number of sessions that the Firebox sends to that server, compared to a server with a weight of 1. When you configure server load balancing, it is important to know: • You can configure server load balancing for any policy to which you can apply static NAT. • If you apply server load balancing to a policy, you cannot set policy-based routing or other NAT rules in the same policy. • When you apply server load balancing to a policy, you can add a maximum of 10 servers to the policy. • If you use High Availability and server load balancing, no real-time synchronization occurs when a failover event occurs. The secondary Firebox sends connections to all servers in the server load balancing list to see which servers are available. It then applies the server load balancing algorithm to all available servers. Configuring Server Load Balancing 1 From Policy Manager, find the policy to which you want to apply server load balancing and double-click to open it for edit. Or, highlight the policy and select Edit > Modify Policy. To create a new policy and enable server load balancing in that policy, select Edit > Add Policy. User Guide 149 Configuring Server Load Balancing 2 Below the To field, click Add. The Add Address dialog box appears. 3 Click Add NAT. The Add Static NAT/Server Load Balancing dialog box appears. 150 WatchGuard System Manager Configuring Server Load Balancing 4 From the Type drop-down list, select Server Load Balancing. 5 From the External IP address drop-down list, select the external IP address or alias you want to use in this policy. For example, you can have the Firebox apply server load balancing for this policy for packets received on only one external IP address. Or, you can have the Firebox apply server load balancing for packets received on any external IP address if you select the AnyExternal alias. 6 From the Method drop-down list, select the algorithm you want the Firebox to use for server load balancing. You can choose from Round-robin or Least Connection. 7 Click Add to add the IP addresses of your internal servers for this policy. You can add a maximum of 10 servers in a policy. You can also add a weight to the server. By default, each interface has a weight of 1. The weight refers to the proportion of load that the Firebox sends to a server. If you assign a weight of 2 to a server, you double the number of sessions that the Firebox sends to that server, compared to a server with a weight of 1. 8 A sticky connection is a connection that continues to use the same server for a defined period of time. Stickiness makes sure that all packets between a source and destination address pair are User Guide 151 Configuring Server Load Balancing sent to the same server for a time period you specify. Select the Enable sticky connection check box if you want to set sticky connections for your internal servers. 9 152 Click OK and save your changes to the Firebox. WatchGuard System Manager 11 Authentication User authentication allows a user name to be associated with an IP address to help you monitor connections through the Firebox®. When you use user authentication, a Firebox administrator can see user names and IP addresses when he or she monitors connections through the Firebox. Without authentication, you see only the IP address of each connection. With authentication, users can log in to the network from any computer, but see only the information for which they are authorized. All the connections that start from that IP address also transmit the session name while the user is authenticated. The Firebox allows you to create policies that include group and user names. As a result, the policy is applied to any computer a person uses to log in. You monitor by user name: • If you use Dynamic Host Configuration Protocol (DHCP). DHCP can cause the IP address of a computer to change. • If many different users can use the same IP address in a day, such as in a university or computer lab environment. In these cases, authentication gives you more information about the user actions. How User Authentication Works An HTTPS server operates on the Firebox® to accept authentication requests. To authenticate, a user must connect to the authentication web page on the Firebox. The address is: https://IP address of a Firebox interface:4100/ or https://Host name of the Firebox:4100 An authentication web form appears. The user must type his or her user name and password, and select the authentication server from the drop-down list if more than one type of authentication is configured. The Firebox sends the name and password to the authentication server using PAP (Password Authentication Protocol). When the user is authenticated, the user is then allowed to use the approved network resources. User Guide 153 How User Authentication Works Because Fireware uses a self-signed certificate, you see a security warning from your web browser when you authenticate. You can safely ignore this security warning. Using authentication from the external network One function of the authentication tool is to authenticate outgoing traffic. You can also use it to restrict incoming network traffic. When you have an account on the Firebox, you can always authenticate to the Firebox from a computer external to the Firebox. For example, you can type this address in your browser at home: https://IP address of Firebox external interface:4100/ After you authenticate, you can use the policies that are configured for you on the Firebox. Use this procedure to let a remote user authenticate from the external network. This lets the person use resources through the Firebox. 1 From Policy Manager, double-click the WatchGuard Authentication policy icon. This policy appears after you add a user or group to a policy configuration. You see a warning to be careful when you edit an automatically configured policy. 2 From the WG-Auth connections are drop-down list, make sure Allowed is selected. 3 Below the From box, click Add. Select Any from the list and click Add. Click OK. 4 The To box should contain Firebox. If it does not, below the To box, click Add. Select Firebox from the list and click Add. Click OK. Using authentication through a gateway Firebox to another Firebox To send an authentication request through a gateway Firebox to a different Firebox, it can be necessary to add a policy that allows the authentication traffic on the gateway Firebox. If authentication traf- 154 WatchGuard System Manager About Authentication Timeout Values fic is denied on the gateway Firebox, use Policy Manager to add the WatchGuard® Authentication policy. This policy controls traffic on TCP port 4100. Configure the policy to allow traffic to the IP address of the destination Firebox. About Authentication Timeout Values Users are authenticated for some time after they close their last authenticated connection. This timeout is set either in the Authentication Settings dialog box (described in the next section), or in the Setup Firebox User dialog box (described in “Defining a new user for Firebox authentication” on page 159). The Firebox® User setting overrides the global setting. The global setting is used only if no Firebox User value is defined. For users authenticated by third-party servers, the timeouts set on those servers also override the global authentication timeouts. Authentication timeout values do not apply to PPTP users. Defining global authentication timeouts To define global authentication timeouts, select Setup > Authentication > Authentication Settings. The Authentication Settings dialog box appears. The global authentication timeouts are: Session Timeout Maximum length of time the user can send traffic to the external network. If you set this field to zero (0) seconds, minutes, hours, or days, no session timeout is used and the user can stay connected for any length of time. Idle Timeout Maximum length of time the user can stay authenticated when idle (not passing any traffic to the external network). If you set this field to zero (0) seconds, minutes, hours, or days, no idle timeout is used and the user can stay idle for any length of time. Closing a session before timeout occurs To close an authenticated session before the timeout occurs, a user can click Logout on the Authentication web page. If the page is closed, the user must open it again to disconnect. To prevent a user from authenticating, the administrator must disable that user’s account on the authentication server. User Guide 155 Using a Custom Default Start Page Using a Custom Default Start Page Normally, the Firebox web authentication page appears as the start page of your web browser. If you want the browser to go to a different page after your users successfully log in, you can use the Authentication Settings dialog box to define a redirect. Allowing Multiple Concurrent Logins From the Authentication Settings dialog box, select the Allow multiple concurrent firewall authentication logins from the same account check box to allow more than one user to authenticate, with the same user credentials at the same time, to one authentication server. This is useful for guest accounts or in laboratory environments. This feature is supported only if you use the Firebox® as an authentication server. For MUVPN and PPTP users, multiple concurrent logins from the same account are always supported regardless of whether this check box is selected. MUVPN users must log in from different IP addresses if they want to do concurrent logins, which means that they cannot use the same account to log in if they are behind a Firebox that uses NAT. PPTP users do not have this restriction. Authentication Server Types With Fireware®, there are five authentication methods: • Firebox • RADIUS • SecurID • Generic LDAP (Lightweight Directory Access Protocol) • Active Directory You can configure one or more authentication server types for a Firebox. If you use more than one type of authentication server, the user must select the authentication server type from a drop-down list when they authenticate. For the Firebox administrator, the difference is that the user database can be on the Firebox or on a dedicated authentication server. 156 WatchGuard System Manager Configuring the Firebox as an Authentication Server When you use an authentication server, you configure it with the instructions from its manufacturer. You install the server with access to the Firebox and put it behind the Firebox for security. Using a backup authentication server You can configure a primary and backup authentication server with all types of third-party authentication. If the Firebox cannot connect to the primary authentication server after three attempts, the primary server is marked as dead and an alarm message is generated. The Firebox then connects to the backup authentication server. If the Firebox cannot connect to the backup authentication server, it waits ten minutes, and then tries to connect to the primary authentication server again. The dead server is marked as active after the dead time interval is reached. Configuring the Firebox as an Authentication Server If you do not use a third-party authentication server, you can use the Firebox® as an authentication server. This procedure divides your company into groups and users for authentication. The group to which you assign a person is controlled by the tasks they do and information they use. For example, you can have an accounting group, a marketing group, and a research and development group. You can also have a new employee group, with controlled access to the Internet. In a group, you set the authentication procedure for the users, the system type, and the information to which they have access. A user can be a network or a computer. If your company changes, you can add or remove users or systems from your groups. The Firebox authentication server is enabled by default. You do not need to do anything to enable it. Authentication types You can configure the Firebox to authenticate users for three different types of authentication: • Firewall authentication • PPTP connections • MUVPN connections When the authentication is successful, the Firebox makes a mapping between these items: • User name • Firebox User group (or groups) of which the user is a member • IP address on the user’s computer when the user authenticates • Virtual IP address on the user’s computer if the user is connected with RUVPN Firewall authentication When a user authenticates to the Firebox, the user credentials and IP address of the user’s computer are both used to find whether a policy applies to the traffic starting from or going to that user’s computer. To create a Firebox user account, see “Defining a new user for Firebox authentication” on page 159. After you create the user account, you can make a Firebox User group and put the user in that group. User Guide 157 Configuring the Firebox as an Authentication Server Next, create a policy that allows traffic only to or from a list of Firebox user names or a list of Firebox groups. This policy is applied only if a packet comes from or goes to the authenticated user’s IP address. A user authenticates with an HTTPS connection to the Firebox over port 4100 by typing: https://IP address of a Firebox interface:4100/ If the user name and password are valid, the user is authenticated. PPTP connections To configure the Firebox to host PPTP VPN sessions, select VPN > Remote Users and click the PPTP tab. If you do not select the check box Use Radius Authentication to authenticate remote users, then the Firebox authenticates the PPTP session. The Firebox checks to see whether the user name and password the user enters into the VPN connection box matches the user name and password in the Firebox User database. If the credentials supplied by the user match an account in the Firebox User database, the user is authenticated for a PPTP session. Next, create a policy that allows traffic only from or to a list of Firebox user names, or a list of Firebox groups. The Firebox does not look at this policy unless traffic comes from or goes to the authenticated user’s virtual IP address. The user makes the PPTP connection that uses the PPTP feature included in their computer operating system. Because the Firebox allows the PPTP connection from any Firebox user that gives the correct credentials, it is important that you make a policy for PPTP sessions that includes only users you want to allow to send traffic over the PPTP session. Or, put these users into a Firebox User group and make a policy that allows traffic only from this group. The Firebox creates a pre-configured group for this called “PPTP-Users”. MUVPN connections You can configure the Firebox to host Mobile User VPN (MUVPN) IPSec sessions. To do this, select VPN > Remote Users and click the Mobile User VPN tab. You can find more information and instructions for MUVPN in the MUVPN Administrator Guide, available at: www.watchguard.com/help/documentation You create the MUVPN group using the Add Mobile User VPN wizard. When the wizard is finished, Policy Manager does two things: • Makes a client configuration profile (called a .wgx file) and puts it on the management station computer that created the MUVPN account. The user must have this .wgx file to configure the MUVPN client computer. • Automatically adds an “Any” policy to the Mobile User VPN tab that allows traffic to pass to and from the authenticated MUVPN user. When the user’s computer is correctly configured, the user makes the MUVPN connection. If the user name and password the user enters into the MUVPN authentication dialog box match an entry in the Firebox User database, and if the user is in the MUVPN group you create, the MUVPN session is authenticated. Policy Manager automatically makes a policy that allows any traffic from the authenticated 158 WatchGuard System Manager Configuring the Firebox as an Authentication Server user. To restrict the ports the MUVPN client can access, delete the Any policy and add policies for those ports to the Mobile User VPN tab. To learn how to add policies, see “About Policy Manager” on page 184. Defining a new user for Firebox authentication 1 From Policy Manager, select Setup > Authentication > Authentication Servers. The Authentication Servers dialog box appears. 2 From the Firebox tab of the Authentication Servers dialog box, click Add below the Users list. The Setup Firebox User dialog box appears. User Guide 159 Configuring the Firebox as an Authentication Server 3 Type the name and (optional) a description of the new user. 4 Type, and type again to confirm, the passphrase you want the person to use to authenticate to the Firebox. When this passphrase is set, you cannot see the passphrase in simple text again. If you lose the passphrase, you must set a new passphrase. 5 In the Session Timeout field, set the maximum length of time the user can send traffic to the external network. If you set this field to zero (0) seconds, minutes, hours, or days, no session timeout is used and the user can stay connected for any length of time. 6 In the Idle Timeout field, set the length of time the user can stay authenticated when idle (not passing any traffic to the external network). If you set this field to zero (0) seconds, minutes, hours, or days, no idle timeout is used and the user can stay idle for any length of time. For both timeout fields, the global authentication timeouts for the Firebox are used if the values are not defined in the Setup Firebox User dialog box. For more information, see “About Authentication Timeout Values” on page 155. 7 To add the user to a group, select the user name in the Available list. Click the double arrow that points left to move the name to the Member list. You can also double-click the group name. 8 After you add the user to selected groups, click OK. The user is added to the user list. You can then add more users. 9 To close the Setup Firebox User dialog box, click OK. The Firebox Users tab appears with a list of the new users. Defining a new group for Firebox authentication 1 From the Firebox tab of the Authentication Servers dialog box, click Add below the User Groups list. The Setup Firebox Group dialog box appears. 2 Type the group name that you want. 3 (Optional) Type a description for the new group. 4 To add a user to the group, select the user name in the Available list. Click the double arrow that points left to move the name to the Member list. You can also double-click the group name. 160 WatchGuard System Manager Configuring RADIUS Server Authentication 5 After you add all necessary users to the group, click OK. At this time, you can use the users and groups to configure policies and authentication, as described in “Using users and groups in policy definitions” on page 171. Using a local user account for Firewall user, PPTP, and MUVPN authentication Any user can authenticate as a Firewall user, PPTP user, or MUVPN user, and open a PPTP or MUVPN tunnel if PPTP or MUVPN is enabled on the Firebox. However, after an authentication or tunnel has been successfully established, users can send traffic through the VPN tunnel only if the traffic is allowed by a policy on the Firebox. For example, an MUVPN-only user can send traffic through an MUVPN tunnel, but not a PPTP tunnel even though the user can authenticate and bring up a PPTP tunnel. If you use Active Directory authentication and a user’s group membership does not match your MUVPN policy, you can see an error message that says “decrypted traffic does not match any policy.” If you see this error message, make sure that the user is in a group with the same name as your MUVPN group. Configuring RADIUS Server Authentication Remote Authentication Dial-In User Service (RADIUS) authenticates the local and remote users on a company network. RADIUS is a client/server system that keeps the authentication information for users, remote access servers, VPN gateways, and other resources in one central database. The authentication messages to and from the RADIUS server always use an authentication key. This authentication key, or shared secret, must be the same on the RADIUS client and server. Without this key, hackers cannot get to the authentication messages. Note that RADIUS sends a key, and not a password, during authentication. For web and MUVPN authentication, RADIUS supports only PAP (not CHAP) authentication. For authentication with PPTP, RADIUS supports only MSCHAPv2. To use RADIUS server authentication with the Firebox®, you must: • Add the IP address of the Firebox to the RADIUS server, as described in the RADIUS vendor documentation. • Enable and specify the RADIUS server in your Firebox configuration. • Add RADIUS user names or group names into the policies in Policy Manager. User Guide 161 Configuring RADIUS Server Authentication To enable RADIUS Server Authentication: 162 1 From Policy Manager, select Setup > Authentication > Authentication Servers. Click the RADIUS Server tab. 2 To enable the RADIUS server and enable the fields on this dialog box, select the Enable RADIUS server check box. 3 In the IP Address box, type the IP address of the RADIUS server. 4 In the Port box, make sure that the port number RADIUS uses for authentication appears. The default port number is 1812. Older RADIUS servers might use port 1645. 5 In the Secret box, type the shared secret between the Firebox and the RADIUS server. Retype the shared secret in the Confirm Secret box. The shared secret is case-sensitive, and it must be the same on the Firebox and the RADIUS server. 6 To set the timeout value, use the Timeout value control to set the value you want. The timeout value is the amount of time the Firebox waits for a response from the authentication server before it tries to connect again. 7 To set how many connection attempts the Firebox makes, use the Retries value control to set the number you want. This is the number of times the Firebox tries to connect to the authentication server (using the timeout specified above) before it reports a failed connection for one authentication attempt. 8 To set the group attribute, use the Group Attribute value control to set the attribute you want. The default group attribute is FilterID, which is RADIUS attribute 11. The group attribute value is used to set which attribute carries the User Group information. You must configure the RADIUS server so that, when it sends a message to the Firebox that a user is authenticated, it also sends a FilterID string; for example, “engineerGroup” or “financeGroup”. This information is then used for access control; it matches the FilterID string to the group name configured in the Firebox policies. WatchGuard System Manager Configuring SecurID Authentication 9 To add a backup RADIUS server, select the Secondary Server Settings tab, and select the Enable a secondary RADIUS server check box. Enter the information in the required fields. Make sure the shared secret is the same on the primary and backup RADIUS server. 10 To set a time after which a dead server is marked as active again, enter it in the Dead Time field. After an authentication server has not responded for a period of time, it is marked as dead. Subsequent authentication attempts will not try this server until it is marked as active again. 11 Click OK. Configuring SecurID Authentication To use SecurID authentication, you must configure both the RADIUS and ACE/Server servers correctly. The users must also have an approved SecurID token and a PIN (personal identification number). Refer to the RSA SecurID instructions for more information. 1 From Policy Manager, select Setup > Authentication > Authentication Servers. Click the SecurID Server tab. 2 To enable the SecurID server and enable the fields on this dialog box, select the Enable SecurID server check box. 3 In the IP Address box, type the IP address of the RADIUS server. 4 In the Port box, use the value control to select the port number to use for SecurID authentication. The default number is 1812. 5 In the Secret box, type the shared secret between the Firebox® and SecurID server. The shared secret is case-sensitive and must be the same on the Firebox and SecurID server. 6 To set the timeout value, use the Timeout value control to set the value you want. User Guide 163 Configuring LDAP Authentication The timeout value is the amount of time the Firebox waits for a response from the authentication server before it tries to connect again. 7 To set how many connection attempts the Firebox makes, use the Retry value control. This is the number of times the Firebox tries to connect to the authentication server (using the timeout specified above) before it reports a failed connection for one authentication attempt. 8 Select the group attribute. We recommend that you do not change this value. The group attribute value is used to set which attribute carries the User Group information. When the SecurID server sends a message to the Firebox that a user is authenticated, it also sends a User Group string; for example, “engineerGroup” or “financeGroup”. This information is then used for access control. 9 To add a backup SecurID server, select the Secondary Server Settings tab, and select the Enable a secondary SecurID server check box. Enter the information in the required fields. Make sure the shared secret is the same on the primary and backup SecurID server. 10 To set a time after which a dead server is marked as active again, enter it in the Dead Time field. After an authentication server has not responded for a period of time, it is marked as dead. Subsequent authentication attempts will not try this server until it is marked as active again after the dead time value is reached. 11 Click OK. Configuring LDAP Authentication You can use an LDAP (Lightweight Directory Access Protocol) authentication server to authenticate your users to the Firebox®. LDAP is an open-standard protocol for using online directory services, and it operates with Internet transport protocols, such as TCP. Before you configure your Firebox for LDAP 164 WatchGuard System Manager Configuring LDAP Authentication authentication, make sure you check your LDAP vendor documentation to see if your installation requires case-sensitive attributes. 1 From Policy Manager, select Setup > Authentication > Authentication Servers. Select the LDAP tab. 2 To enable the LDAP server and enable the fields on this dialog box, select the Enable LDAP server check box. 3 In the IP Address box, type the IP address of the primary LDAP server for the Firebox to contact with authentication requests. The LDAP server can be located on any Firebox interface. You can also configure your Firebox to use an LDAP server through a VPN tunnel. 4 From the Port drop-down list, select the TCP port number for the Firebox to use to connect to the LDAP server. The default port number is 389. We do not support LDAP over TLS. 5 Type the Search Base. The standard format for the search base setting is: ou=organizational unit,dc=first part of distinguished server name,dc=any part of the distinguished server name that appears after the dot. You set a search base to put limits on the directories on the authentication server the Firebox searches in for an authentication match. For example, if your user accounts are in an OU (organizational unit) you refer to as “accounts” and your domain name is kunstlerandsons.com, your search base is: “ou=accounts,dc=kunstlerandsons,dc=com”. 6 Type the Group String. This attribute string holds user group information on the LDAP server. On many LDAP servers, the default group string is “uniqueMember”; on other servers it is “member”. 7 In the DN of Searching User field, type the distinguished name (DN) for a search operation. You can enter any user DN with the privilege to search LDAP/Active Directory, such as “Administrator.” A weaker user DN with only searching privilege is usually sufficient, and some administrators create a user with searching privileges but limited permissions to use in this field. User Guide 165 Configuring LDAP Authentication 8 In the Password of Searching User field, type the password associated with the distinguished name for a search operation. 9 In the Login Attribute field, type the LDAP login attribute to use for authentication. The login attribute is the name used for the bind to the LDAP database. The default login attribute is uid. If you use uid, the DN of Searching User field and the DN of Searching Password field can be empty. 10 To add a backup LDAP server, select the Backup Server Settings tab, and select the Enable a secondary LDAP server check box. Enter the information in the required fields. Make sure the shared secret is the same on the primary and backup LDAP server. 11 To set a time after which a dead server is marked as active again, enter it in the Dead Time field. After an authentication server has not responded for a period of time, it is marked as dead. Subsequent authentication attempts will not try this server until it is marked as active again. Using LDAP optional settings Fireware can get additional information from the directory server (LDAP or Active Directory) when it reads the list of attributes in the server’s search response. This lets you use the directory server to assign extra parameters to the authenticated user’s session, such as timeouts and MUVPN address assignments. Because the data comes from LDAP attributes associated with individual user objects, you can set these parameters for each individual user instead of being limited to global settings in Policy Manager. You must perform several steps to use these optional settings: • Extend the directory schema to add new attributes for these items. • Make the new attributes available to the object class that user accounts belong to. • Give values to the attributes for the user objects that should use them. You should do careful planning and testing before you extend your directory schema. Additions to the Active Directory schema, for example, are generally permanent and cannot be undone. Use the Microsoft web site to get resources for planning, testing, and implementing changes to an Active Directory schema. Consult the documentation from your LDAP vendor before extending the schema for other directories. To specify additional attributes for Fireware® to look for in the directory server’s search response, click Optional Settings on the LDAP tab or the Active Directory tab at Setup > Authentication > Authentication Servers. Fireware looks for the attributes you type in this dialog box in the list of attributes it gets from the search result, and uses the attribute’s value as follows: 166 WatchGuard System Manager Configuring LDAP Authentication IP Attribute String This field applies only to MUVPN clients. Type the name of the attribute Fireware should use to assign the MUVPN client a virtual IP address. This should be a single-valued attribute. The attribute’s value should be a normal dotted-decimal IP address. The IP address must be within the pool of virtual IP addresses you specify when you create the MUVPN Group. If the Firebox does not see the IP attribute in the search response, or if you do not specify an attribute in Policy Manager, it assigns the MUVPN client a virtual IP address from the virtual IP address pool you create when you make the MUVPN Group. Netmask Attribute String This field applies only to MUVPN clients. Type the name of the attribute for Fireware to use to assign a subnet mask to the MUVPN client’s virtual IP address. This should be a single-valued attribute. The attribute’s value should be a normal dotted-decimal subnet mask. The MUVPN software automatically assigns a netmask if the Firebox does not see the netmask attribute in the search response, or if you do not specify one in Policy Manager. DNS Attribute String This field applies only to MUVPN clients. Type the name of the attribute Fireware should use to assign the MUVPN client one or more DNS addresses for the duration of the MUVPN session. This can be a multi-valued attribute. Each value for the attribute should be a normal dotted-decimal IP address. If the Firebox does not see the DNS attribute in the search response, or if you do not specify an attribute in Policy Manager, it uses the DNS addresses you enter if you select Network > Configuration in Policy Manager and click the WINS/DNS tab. WINS Attribute String This applies only to MUVPN clients. Type the name of the attribute Fireware should use to assign the MUVPN client one or more WINS addresses for the duration of the MUVPN session. This can be a multi-valued attribute. Each value for the attribute should be a normal dotted-decimal IP address. If the Firebox does not see the WINS attribute in the search response or if you do not specify an attribute in Policy Manager, it uses the WINS addresses you enter if you select Network > Configuration in Policy Manager and click the WINS/DNS tab. Lease Time Attribute String This can apply to MUVPN clients and to clients that use Firewall Authentication. Type the name of the attribute for Fireware to use to control the absolute amount of time a user can stay authenticated (session timeout). After this amount of time, Fireware removes the user from its list of authenticated users. This should be a single-valued attribute. Fireware interprets the attribute’s value as a decimal number of seconds. It interprets zero as “never time out.” Idle Timeout Attribute String This applies to MUVPN clients and to clients that use Firewall Authentication. Type the name of the attribute Fireware should use to control the amount of time a user can stay authenticated with no traffic passing to the Firebox from the user (idle timeout). If no traffic passes to the Firebox for this amount of time, Fireware removes the user from its list of authenticated users. This should be a single-valued attribute. Fireware interprets the attribute’s value as a decimal number of seconds. It interprets zero as “never time out.” User Guide 167 Configuring Active Directory Authentication Configuring Active Directory Authentication You can use an Active Directory authentication server to authenticate your users to the Firebox®. You must configure the Firebox and configure the Active Directory server. 168 1 From Policy Manager, select Setup > Authentication > Authentication Servers. Select the Active Directory tab. 2 Select the Enable Active Directory Server check box. 3 Type the IP address of the primary Active Directory server. The Active Directory server can be located on any Firebox interface. You can also configure the Firebox to use an Active Directory server available through a VPN tunnel. 4 Select the TCP port number for the Firebox to use to connect to the Active Directory server. The default port number is 389. If your Active Directory server is a global catalog server, it can be useful to change the default port. For more information, see the Authentication section of the Fireware FAQs at www.watchguard.com/support/faqs. 5 In the Search Base field, type the location in the directory to begin the search. The standard format for the search base setting is: ou=organizational unit,dc=first part of distinguished server name,dc=any part of the distinguished server name that appears after the dot. You set a search base to put limits on the directories on the authentication server the Firebox searches in for an authentication match. For example, if your user accounts are in an OU (organizational unit) you refer to as “accounts” and your domain name is HQ_main.com, your search base is: “ou=accounts,dc=HQ_main,dc=com”. 6 In the Group String field, type the attribute string that is used to hold user group information on the Active Directory server. If you have not changed your Active Directory schema, the group string is always “memberOf”. 7 In the DN of Searching User field, type the distinguished name (DN) for a search operation. It is not necessary to enter anything in this text box if you keep the login attribute of WatchGuard System Manager Defining Users and Groups for Policy Definitions sAMAccountName. If you change the login attribute, you must add a DN of Searching User to your configuration. You can enter any user DN with the privilege to search LDAP/Active Directory, such as “Administrator.” However, a weaker user DN with only searching privilege is usually sufficient. 8 In the DN of Searching Password field, type the password associated with the distinguished name for a search operation. 9 In the Login Attribute field, type an Active Directory login attribute to use for authentication. The login attribute is the name used for the bind to the Active Directory database. The default login attribute is sAMAccountName. If you use sAMAccountName, the DN of Searching User field and the DN of Searching Password field can be empty. 10 To set a time after which a dead server is marked as active again, enter it in the Dead Time field. After an authentication server has not responded for a period of time, it is marked as dead. Subsequent authentication attempts will not try this server until it is marked as active again. 11 To add a backup Active Directory server, select the Backup Server Settings tab, and select the Enable a secondary Active Directory server check box. Enter the information in the required fields. Make sure the shared secret is the same on the primary and backup Active Directory server. 12 If you want, enter Active Directory user properties as described in the next section. Click OK. Using Active Directory optional settings Fireware can get additional information from the directory server (LDAP or Active Directory) when it reads the list of attributes in the server’s search response. This lets you use the directory server to assign extra parameters to the authenticated user’s session, such as timeouts and MUVPN address assignments. Because the data comes from LDAP attributes associated with individual user objects, you can set these parameters for each individual user instead of being limited to global settings in Policy Manager. You must perform several steps of you want to use these optional settings: • Extend the directory schema to add new attributes for these items. • Make the new attributes available to the object class that user accounts belong to. • Give values to the attributes for the user objects that should use them. You should do careful planning and testing before you extend your directory schema. Additions to the Active Directory schema, for example, are generally permanent and cannot be undone. Use the Microsoft web site to get resources for planning, testing, and implementing changes to an Active Directory schema. To specify additional attributes for Fireware to look for in the directory server’s search response, click Optional Settings on the LDAP tab or the Active Directory tab at Setup > Authentication > Authentication Servers. You can find more information about each field in “Using LDAP optional settings” on page 166. Defining Users and Groups for Policy Definitions When you configure the Firebox® to use an authentication server, you can start to use specified user and group names when you create policies in Policy Manager. For example, you can define all policies User Guide 169 Defining Users and Groups for Policy Definitions such that connections are allowed only for authenticated users. Or, you can limit connections on a policy to particular users. The term “authorized users and groups” refers to users and groups that are allowed to access network resources. Defining users and groups for Firebox authentication If you use the Firebox as an authentication server and want to define users and groups that will authenticate through the Firebox, see “Defining a new user for Firebox authentication” on page 159 and “Defining a new group for Firebox authentication” on page 160. Defining users and groups for third-party authentication 1 Create a group on your third-party authentication server that contains all the user accounts on your system. 2 In Policy Manager, select Setup > Authentication > Authorized Users/Groups. The Authorized Users and Groups dialog box appears. 3 Click Add. The Define New Authorized User or Group dialog box appears. 170 4 Type a user or group name you created on the authentication server. 5 (Optional) Type a description of the user or group. 6 Select the Group or User radio button. 7 From the Auth Server drop-down list, select either RADIUS (for authentication through a RADIUS server) or Any (for authentication through any other server). Click OK. WatchGuard System Manager Defining Users and Groups for Policy Definitions Using users and groups in policy definitions Any user or group that you want to use in your policy definitions must be added as an authorized user. All users and groups you create for Firebox authentication and all MUVPN users are automatically added to the list of authorized users and groups on the Authorized Users and Groups dialog box. You can add any users or groups from third-party authentication servers to the authorized user and group list with the above procedure. You are then ready to add users and groups into your policy configuration. 1 From Policy Manager, double-click the icon for the policy definition. The Edit Policy Properties dialog box appears. 2 Below the From box, click Add. The Add Address dialog box appears. 3 Click Add User. The Add Authorized Users or Groups dialog box appears. 4 In the Type box, select whether the user or group is authorized as a Firewall user or a PPTP user. For more information on these authentication types, see “Authentication types” on page 157. 5 In the box to the far right of the Type box, select either User or Group. 6 If you user or group appears in the list below, select the user or group and click Select. The Add Address dialog box reappears with the user or group in the Selected Members or Addresses box. Click OK to close the Edit Policy Properties dialog box. If the user or group does not appear in the list in the Add Authorized Users or Groups dialog box, see “Defining a new user for Firebox authentication” on page 159, “Defining a new group for Firebox authentication” on page 160, or “Defining users and groups for third-party authentication” on page 170. After you add a user or group to a policy configuration, WatchGuard® System Manager automatically adds a WatchGuard Authentication policy to your Firebox configuration. Use this policy to control access to the authentication web page. For information on modifying this policy, see “Using authentication from the external network” on page 154. User Guide 171 Defining Users and Groups for Policy Definitions 172 WatchGuard System Manager 12 Firewall Intrusion Detection and Prevention WatchGuard® Fireware® and the policies you create in Policy Manager give you strict control over access to your network. A strict access policy helps keep hackers out of your network. But, there are other types of attacks that a strict policy cannot defeat. Careful configuration of the Firebox® default packet handling options can stop attacks such as SYN flood attacks, spoofing attacks, and port or address space probes. With default packet handling, a firewall examines the source and destination of each packet it receives. It looks at the IP address and port number and monitors the packets to look for patterns that show your network is at risk. If there is a risk, you can configure the Firebox to automatically block against the possible attack. This proactive method of intrusion detection keeps attackers out of your network. You can also purchase an upgrade for your Firebox to use signature-based intrusion prevention. For more information, see the chapter “Signature-Based Intrusion Detection and Prevention” in this manual. Using Default Packet Handling Options The firewall examines the source and destination of each packet it receives. It looks at the IP address and the port number. The firewall also monitors the packets to look for patterns that can show that your network is at risk. Default packet handling: • Rejects a packet that can be a security risk, including packets that could be part of a spoofing attack or SYN flood attack • Can automatically block all traffic to and from a source IP address • Adds an event to the log file • Sends an SNMP trap to the SNMP management server • Sends a notification of possible security risks User Guide 173 Using Default Packet Handling Options You set all default packet handling options with the Default Packet Handling dialog box. 1 From Policy Manager, select Setup > Intrusion Prevention > Default Packet Handling. Or, Click the default packet handling icon on the Policy Manager toolbar. The Default Packet Handling dialog box appears. 2 Select the check box for the traffic patterns you want to prevent, as explained in the sections that follow. Spoofing attacks One procedure that attackers use to get access to your network is to make an “electronic false identity.” With this “IP spoofing” procedure, the attacker sends a TCP/IP packet that uses a different IP address than the host that first sent it. With anti-spoofing enabled, the Firebox® checks to make sure that the source IP address of a packet is from a network on that interface. To protect against spoofing attacks, select the Drop Spoofing Attacks check box from the Default Packet Handling dialog box. IP source route attacks Attackers use IP source route attacks to send an IP packet to find the route that the packet uses to go through the network. The attacker can then see the response to the packets and get information about the operating system of the target computer or network device. To protect against IP source route attacks, select the Drop IP Source Route check box from the Default Packet Handling dialog box. 174 WatchGuard System Manager Using Default Packet Handling Options Port space and address space attacks Attackers use probes to find information about networks and their hosts. Port space probes examine a host to find the services that it uses. Address space probes examine a network to see which hosts are on that network. To protect against port space and address space attacks, select the Block Port Space Probes and the Block Address Space Probes check boxes from the Default Packet Handling dialog box. You then use the arrows to select the maximum allowed number of IP addresses or port probes per second for each source IP address. For example, if you enter 8 in the dest Ports/src IP field for port space probes, a source is blocked if it initiates connections to eight different ports within one second on the same host. If you enter 8 in the dest IPs/src IP field for address space probes, a source is blocked if it initiates connections to eight hosts within one second. Flood attacks In a flood attack, attackers send a very high volume of traffic to a system so it cannot examine and allow permitted network traffic. For example, an ICMP flood attack occurs when a system receives sufficient ICMP ping commands that it uses all of its resources to send reply commands. The Firebox can protect against these types of flood attacks: • IPSec flood attacks • IKE flood attacks • ICMP flood attacks • SYN flood attacks • UDP flood attacks Flood attacks are also known as Denial of Service (DoS) attacks. You can use the Default Packet Handling dialog box to configure the Firebox to protect against these attacks. Select the check boxes for the flood attacks you want to prevent. Use the arrows to select the maximum allowed number of packets each second. About the SYN flood attack setting For SYN flood attacks, you set the threshold for the Firebox to report that a SYN flood attack may be taking place. But, no packets are dropped if only that number of packets is received. At twice the threshold, all SYN packets are dropped. At any level between the threshold you define and twice that level, if a packet's src_IP, dst_IP, and total_length are the same as the previous packet received, then it will always be dropped; otherwise 25 percent of the new packets received are dropped. For example, suppose you define the threshold at 18 packets per second. When you receive that amount, the Firebox warns you that a SYN flood attack may be taking place but it drops no packets. If you receive 20 packets per second, the FB drops 25% of the packets (5 packets). If you receive 36 or more, the last 18 or more packets are dropped. Unhandled packets An “unhandled” packet is a packet that does not match any rule created in Policy Manager. The Firebox always denies the packet, but you can also select to always automatically block the source. This adds the IP address that sent the packet to the temporary Blocked Sites list. You can also send a TCP reset or ICMP error back to the client when an unhandled packet is received by the Firebox. User Guide 175 Setting Blocked Sites Distributed denial of service attacks Distributed Denial of Service (DDoS) attacks are almost the same as flood attacks. In a DDoS, many connections are sent to one computer system to try to flood the system and to prevent legitimate users from using the targeted system. You can use the Default Packet Handling dialog box to configure the Firebox to protect against DDoS attacks. Use the arrow keys to set the maximum allowed number of connections per second from a source IP address protected by the Firebox (Per Client Quota) or to a destination IP address protected by the Firebox (Per Server Quota). Connections that exceed this quota are dropped. Setting logging and notification for packet handling The default Firebox® configuration tells the Firebox to send a log message when one of these events as specified in the Default Packet Handing dialog box occurs. To configure an SNMP trap or notification for default packet handling: 1 From the Default Packet Handing dialog box, click Logging. The Logging and Notification dialog box appears. 2 Set the parameters to comply with your security policy. For more information about these parameters, see “Setting Logging and Notification Preferences in Policy Manager” on page 96. Setting Blocked Sites The Blocked Sites feature helps protect your network from systems you know or think are a security risk. After you find the source of suspicious traffic, you can block all connections with that IP address. You can also configure the Firebox to send a log message each time the source tries to connect to your network. From the log file, you can see the services that the sources use to attack. A blocked site is an IP address that cannot make a connection through the Firebox. If a packet comes from a system that is blocked, it does not get through the Firebox®. There are two different types of blocked IP addresses: 176 • Permanently blocked sites — IP addresses on a list in the configuration file that you set manually. This is known as the Blocked Sites list. • Auto-blocked sites — IP addresses that the Firebox adds to a temporary blocked site list. The Firebox uses the packet handling rules that are specified for each policy. For example, suppose you configure the Firebox to block the IP addresses that try to connect to a blocked port. These addresses are then blocked for a specified time. This is known as the Temporary Blocked Sites list. WatchGuard System Manager Setting Blocked Sites Blocking a site permanently You use Policy Manager to permanently block a host that you know is a security risk. For example, a university computer that hackers use frequently is a good host to block. 1 From Policy Manager, select Setup > Intrusion Prevention > Blocked Sites. The Blocked Sites Configuration dialog box appears. 2 Click Add. The Add Site dialog box appears. 3 Use the Choose Type drop-down list to select a member type. The selections are Host IP, Network IP, Host Range, or Host Name (DNS lookup). 4 Type the member value. The member type shows whether this is an IP address or a range of IP addresses. When you type an IP address, type all the numbers and the period. Do not use the tab or the arrow key. You cannot add internal IP or network addresses to the Blocked Sites list. If you must block an address range that includes one or more internal IP addresses, you must first add the internal IP addresses to the Blocked Sites Exceptions list. (To add exceptions, see “Creating exceptions to the Blocked Sites list” on page 179.) 5 (Optional) Type a comment to provide information on the site or why you want to block it. User Guide 177 Setting Blocked Sites 6 Select OK. The new site appears in the Blocked Sites list. Blocking spyware sites You can block spyware by configuring categories of spyware sites to block. 1 From the Blocked Sites dialog box, select the Enable Antispyware Blocklist blocking check box. 2 By default, the Firebox blocks all categories of spyware when you select the check box in the previous step. To choose which categories of spyware you want to block, click Configure. The Antispyware Blocklist Categories dialog box appears. 3 Select or clear the following check boxes to enable or disable antispyware blocking for these categories. To enable or disable all categories, select or clear the All Spyware Categories check box: Adware A software application in which advertising banners are shown while the program is in operation. It sometimes includes code that records a user’s personal information and sends it to third parties, without the user's authorization or knowledge. Dialer A software application that can hijack a user’s modem and dial toll numbers that get access to inappropriate web sites. Downloader A program that gets and installs other files. Most are configured to get files from a designated web or FTP site. Hijacker A type of malware program that changes your computer’s browser settings and redirects you to web sites that you did not plan to browse to. Trackware Any software that uses a computer’s Internet connection to send personal information without the user’s permission. Using an external list of blocked sites If you manage several Fireboxes and want to block the same sites for each of them, you can list the sites to block in an external file and import the file into each Firebox. This file must be a text (.txt) file. The IP addresses in the text file must be separated by spaces or line breaks. Use slash notation to spec- 178 WatchGuard System Manager Setting Blocked Sites ify networks. To indicate a range of addresses, separate the start and end addresses with a hyphen. An example text import file might look like this: 2.2.2.2 5.5.5.0/24 3.3.3.3-3.3.3.8 6.6.6.6 7.7.7.7 To import the file into the current Firebox: 1 In the Blocked Sites Configuration dialog box, click Import. 2 Find the file. Double-click it, or select it and click Open. The sites in the file appear in the Blocked Sites list. Creating exceptions to the Blocked Sites list A host that is a blocked sites exception does not appear in the Blocked Sites list. The automatic rules do not apply for this host. 1 From Policy Manager, select Setup > Intrusion Prevention > Blocked Sites. Click the Blocked Sites Exceptions tab. 2 Click Add. 3 Use the Choose Type drop-down list to select a member type. The selections are Host IP, Network IP, Host Range, or Host Name (DNS lookup). 4 Type the member value. The member type shows whether this is an IP address or a range of IP addresses. When you type an IP address, type all the numbers and the period. Do not use the TAB or the arrow key. 5 User Guide Select OK. 179 Setting Blocked Sites Using an external list of blocked sites exceptions If you manage several Fireboxes and want to use the same blocked sites exceptions for each of them, you can list the exceptions in an external file and import the file into each Firebox. The procedure is the same as the one for blocked sites, as described in “Using an external list of blocked sites” on page 178. Setting logging and notification for blocked sites You can configure the Firebox to make a log entry when a host tries to use a blocked site. You can also set up notification for when a host tries to get access to a blocked site. 1 From the Blocked Sites dialog box, select Logging. The Logging and Notification dialog box appears. 2 Set the parameters to comply with your security policy. For more information about these parameters, see “Setting Logging and Notification Preferences in Policy Manager” on page 96. Blocking sites temporarily with policy settings You can use the policy configuration to block sites that try to use a denied service: 1 From Policy Manager, double-click the policy icon. The Edit Policy Properties dialog box appears. 2 On the Policy tab, make sure you set the Connections Are drop-down list to Denied. 3 On the Properties tab, select the check box Automatically block sites that attempt to connect. IP addresses from the denied packets are added to the Temporary Blocked Sites list for 20 minutes (by default). You can change this time interval on the Auto-Blocked tab in the Blocked Sites Configuration dialog box. 4 You can use the Temporary Blocked Sites list with log messages to help you make decisions about which IP addresses to block permanently. In the policy definition, click the Properties tab, and then click the Logging button. For information on how to define logging in a proxy definition, see “Setting Logging and Notification Preferences in Policy Manager” on page 96. Blocked sites and Traffic Monitor When an IP address is on the Blocked Sites list, a traffic log message that involves this address shows the destination interface as unknown. (To see the destination interface, from Firebox® System Manager, select the Traffic Monitor tab, select the message, right-click, and select Destination IP 180 WatchGuard System Manager Blocking Ports Address.) Fireware tries to save computation cycles by not identifying the destination interface of a packet if its source or destination address is blocked. Blocking Ports You can block the ports that you know can be used to attack your network. This stops specified external network services. When you block a port, you override all of the policy definitions you create in Policy Manager (as described in the “Policies” and “Proxy Policies” chapter. You can block a port because: • Blocking ports protects your most sensitive services. The feature helps protect you from errors in your Firebox® configuration. • Probes against sensitive services can make independent log entries. With the default configuration, the Firebox blocks some destination ports. This gives a basic configuration that you usually do not have to change. It blocks TCP and UDP packets for these ports: X Window System (ports 6000-6005) The X Window System (or X-Windows) client connection is not encrypted and is dangerous to use on the Internet. X Font Server (port 7100) Many versions of X-Windows operate X Font Servers. The X Font Servers operate as the superuser on some hosts. NFS (port 2049) NFS (Network File System) is a frequently used TCP/IP service where many users use the same files on a network. New versions have important authentication and security problems. To supply NFS on the Internet can be very dangerous. The portmapper frequently uses the port 2049 for NFS. If you use NFS, make sure that NFS uses the port 2049 on all your systems. rlogin, rsh, rcp (ports 513, 514) These services give remote access to other computers. They are a security risk and many attackers probe for these services. RPC portmapper (port 111) The RPC Services use port 111 to find which ports a given RPC server uses. The RPC services are easy to attack through the Internet. port 8000 Many vendors use this port, and many security problems are related to it. port 1 The TCPmux service uses Port 1, but not frequently. You can block it to make it more difficult for the tools that examine ports. port 0 This port is always blocked by the Firebox. You cannot allow traffic on port 0 through the Firebox. If you must allow traffic through for the types of software applications that use recommended blocked ports, we recommend that you allow the traffic only through an IPSec VPN tunnel or use ssh to get access to the port. User Guide 181 Blocking Ports Avoiding problems with blocked ports Be very careful if you block port numbers higher than 1023. Clients frequently use these source port numbers. Blocking a port permanently 1 From Policy Manager, select Setup > Intrusion Prevention > Blocked Ports. The Blocked Ports dialog box appears. 2 Type the port number. Click Add. The new port number appears in the Blocked Ports list. Automatically blocking IP addresses that try to use blocked ports You can configure the Firebox to automatically block an external host that tries to get access to a blocked port. In the Blocked Ports dialog box, select the Automatically block sites that try to use blocked ports check box. Setting logging and notification for blocked ports You can configure the Firebox to make a log entry when a host tries to use a blocked port. You can also set up notification for when a host tries to get access to a blocked port. 1 From the Blocked Ports dialog box, click Logging. The Logging and Notification dialog box appears. 2 182 Set the parameters to comply with your security policy. For more information about these parameters, see “Setting Logging and Notification Preferences in Policy Manager” on page 96. WatchGuard System Manager 13 Policies WatchGuard® System Manager uses two categories of policies to filter network traffic: packet filters and proxies. A packet filter examines each packet’s IP and TCP/UDP header. If the packet header information is legitimate, then the Firebox® allows the packet. Otherwise, the Firebox drops the packet. A proxy also examines the header information, but it also examines the content. When you activate a proxy, the Firebox uses deep packet inspection to make sure that connections are secure. It opens each packet in sequence, removes the network layer header, and examines the packet’s payload. Finally, the proxy puts the network information back on the packet and sends it to its destination. Policy Manager shows each packet filter and proxy as an icon. You configure the source and destination for the traffic, and whether the traffic is allowed or denied. You also set rules for logging and notification and configure the ports, protocols, and other parameters of the packet filter or proxy. WatchGuard Fireware® includes many pre-configured packet filters and proxies. For example, if you want a packet filter for all Telnet traffic, you add a pre-defined Telnet policy that you can modify for your needs. You can also make a custom packet filter or proxy for which you set the ports, protocols, and other parameters. In this guide, we refer to packet filters and proxies together as policies. Unless we tell you differently, the procedures refer to both proxies and packet filters. Procedures that apply only to proxies are described in the next chapter. Using Policies in your Network The security policy of your organization is a set of rules that define how you protect your computer network and the information that goes through it. The Firebox® denies all packets that are not specially approved. This security policy helps to protect your network from: • Attacks that use new or different IP protocols • Unknown applications When you configure the Firebox with the Quick Setup Wizard, the wizard adds only four basic policies (TCP/UDP outgoing, FTP packet filter, ping, and WatchGuard) and interface IP addresses. If you have more software applications and network traffic for the Firebox to examine, you must: • User Guide Configure the policies on the Firebox to let necessary traffic through 183 About Policy Manager • Set the approved hosts and properties for each policy • Balance the requirement to protect your network against the requirements of your users to get access to external resources We recommend that you set limits on outgoing access when you configure your Firebox. As an example of how a policy might be used, suppose the network administrator of a company wants to activate a Windows terminal services connection to the company’s public web server on the optional interface of the Firebox. He or she routinely administers the web server with a Remote Desktop connection. At the same time, he or she wants to make sure that no other network users can use the Remote Desktop Protocol terminal services through the Firebox. The network administrator would add a policy that allows RDP connections only from the IP address of his or her own desktop computer to the IP address of the public web server. About Policy Manager You add policies with Policy Manager. Policy Manager can show either icons or a list to identify the policies that you configure on the Firebox®. For each policy you can: • Set allowed traffic sources and destinations • Make filter rules • Enable or disable the policy • Configure properties such as Traffic Management, NAT, schedules, and logging Opening Policy Manager To bring up the Policy Manager window, from the WatchGuard® System Manager window: • Select the Firebox whose Policy Manager you want to see and select Tools > Policy Manager or the Policy Manager icon (shown below). or • Select Tools > Policy Manager or the Policy Manager icon and then specify, in the dialog box that appears, which Firebox you want to create or edit a policy for. About the Policy Manager window The Policy Manager window contains icons for the policies that are defined on the Firebox. You can double-click them if you want to edit the properties for that policy. The appearance of the icons shows their status and type: • Enabled policies that allow traffic appear with a green bar on top with a check mark. • Enabled policies that deny traffic have a red bar on top with an X. • Disabled policies have a black bar. • An icon that contains a shield symbol on the left side is an enabled proxy policy. The others are packet filter policies. The names of policies appear in color based on traffic type: • 184 Managed policies appear in gray with a white background. WatchGuard System Manager About Policy Manager • BOVPN policies (such as BOVPN-allow.out) appear in green with a white background. • Mixed BOVPN and firewall policies (such as Ping, MUVPN, or Any-PPTP) appear in blue with a white background. • All other policies appear in black. To change these default colors, see “Selecting colors for Policy Manager text” on page 187. Policy Manager has two tabs. The Firewall tab shows policies that are used for general firewall traffic on the Firebox. The Firewall tab also shows BOVPN policies so you can see the order in which the Firebox examines network traffic and applies a policy rule. (To change the order, see “Setting precedence manually” on page 208). The Mobile User VPN tab shows policies that are used with Mobile User VPN (MUVPN) tunnels. Changing the Policy Manager View Large Icons View Policy Manager has two views: Large Icons and Details. The default Large Icons view shows each policy as an icon. To change to the Details view, select Details from the View menu. In the Details view, each policy is a row of information divided among several columns. You can see configuration information, including source and destination, and logging and notification parameters. User Guide 185 About Policy Manager Details View The following information appears for each policy: Order Order in which the policies are sorted, and traffic flows through the policies. Policy Manager automatically sorts policies from the most specific to the most general. If you want to switch to manual-order mode, select View > Auto-order mode so that the checkmark disappears. Then, select the policy whose order you want to change and drag it to its new location. Action The action taken by the policy for traffic that matches the specification. The symbol in this field also indicates whether the policy is a packet filter policy or a proxy policy. Green checkmark =policy is a packet filter policy and traffic is allowed Red X = policy is a packet filter policy and traffic is denied. Circle with line = policy is a packet filter policy and the action for traffic is not configured. Green shield with checkmark = policy is a proxy policy and traffic is allowed. Red shield with X = policy is a proxy policy and traffic is allowed. Gray shield = policy is a proxy policy and the action for traffic is not configured. Policy Name Name of the policy, as defined in the Name field in the New Policy Properties dialog box. (For more information, see “Adding a policy from the list of policy templates” on page 190.) Policy Type Packet filter policies are listed according to policy name. Proxy policies are listed according to proxy name followed by “-proxy”. Traffic Type Type of traffic the policy examines: firewall or VPN. Log Whether logging is enabled for the policy. Alarm Whether alarms are configured for the policy. 186 WatchGuard System Manager About Policy Manager From Addresses from which traffic for this policy applies (source addresses). To Addresses to which traffic for this policy applies (destination addresses). PBR Indicates whether the policy uses policy-based routing. If it does, and failover is not enabled, the interface number appears. If policy-based routing and failover are enabled, a list of interface numbers appear, with the primary interface listed first. Port Protocols and ports used by the policy. Selecting colors for Policy Manager text The default setup for Policy Manager is for the names of policies (or the entire row in Details view) to appear highlighted in color based on traffic type: • Managed policies appear in gray with a white background. • BOVPN policies (such as BOVPN-allow.out) appear in green with a white background. • Mixed BOVPN and firewall policies (such as Ping, MUVPN, or Any-PPTP) appear in blue with a white background. • All other policies (normal policies) are not highlighted. They appear in black. You can use default colors or colors that you select. You can also disable policy highlighting. 1 From Policy Manager, select View > Policy Highlighting. The Policy Highlighting dialog box appears. 2 To turn policy highlighting off or on, clear or select the Highlight Firewall policies based on traffic type check box. 3 To select different colors for the text or background of the policy names for normal, managed, BOVPN, or mixed policies, click the block adjacent to Text Color or Background Color. The Select Text Color or Select Background Color dialog box appears. User Guide 187 About Policy Manager 4 Use one of the three tabs, Swatches, HSB, or RGB to specify the color you want: - Swatches: Click one the small swatches of the available colors. - HSB: Select the H (hue), S (saturation), or B (brightness) radio button and then either use the slider or type numbers into the adjacent fields. - RGB: Use the Red, Green, or Blue sliders or type numbers into the adjacent fields. When you specify a color, a sample of what it will look like appears in the Sample block at the bottom of the dialog box. When you are satisfied with the color, click OK. 5 Click OK on the Policy Highlighting dialog box for the changes to take effect. Finding a policy You can do a search for configured policies by address, port, or protocol. 1 From Policy Manager, select Edit > Find. The Find Policies dialog box appears. 2 188 Select the Address, Port Number, or Protocol radio button to specify the policy component you are searching for. WatchGuard System Manager Adding Policies to Policy Manager 3 Next to Search all configured policies for, type the string to search for. For address and protocol searches, Policy Manager performs a partial string search. You can type only a partial string, and Policy Manager will show all policies that contain the string. 4 Click Find. Policy Manager displays policies that match the criteria in the Policies found box. Adding Policies to Policy Manager To add a policy, you choose from the list of policy templates in Policy Manager. A policy template contains the policy name, a short description of the policy, and the protocol/port used by the policy. When you create an actual policy from the template, you define rules to: • Set allowed traffic sources and destinations • Make filter rules • Enable or disable the policy • Configure properties such as Traffic Management, NAT, schedules, and logging Seeing the list of policy templates 1 In Policy Manager, click the plus (+) sign on the Policy Manager toolbar. You can also select Edit > Add Policies. The Add Policies dialog box appears. 2 Click the plus (+) sign on the left side of the folder to expand the Packet Filters or Proxies folders. A list of templates for packet filters or proxies appears. To see basic information about a policy template, select it. The policy icon appears in the area below the buttons on the right side of the dialog box. Also, the Details box shows the basic information about the policy. User Guide 189 Adding Policies to Policy Manager Adding a policy from the list of policy templates 1 If you have not already done so, from the Add Policies dialog box, expand the Packet Filters or Proxies folders. A list of templates for packet filters or proxies appears. 2 Select the name of the policy you want to add. Click Add. The New Policy Properties dialog box appears. 190 WatchGuard System Manager Adding Policies to Policy Manager 3 You can change the name of the policy here. This information appears in the Policy Manager Details view. To change the name, type a new name in the Name text box. 4 Set the access rules and properties for the policy, as described in “Setting Policy Properties” on page 195. 5 Click OK to close the Properties dialog box. You can add more than one policy while the Policies dialog box is open. 6 Click Close. The new policy appears in Policy Manager. You can now set policy properties, as shown in “Setting Policy Properties” on page 195. Adding more than one policy of the same type If your security policy requires it, you can add the same policy more than one time. For example, you can set a limit on web access for most users, while you give full web access to your management team. To do this, you make two different policies with different properties: 1 Add the first policy. 2 Change the name of the policy to a name that matches your security policy and add the related information. In this example, you can name the first policy “restricted_web_access.” 3 Click OK. The Properties dialog box of the policy appears. Set the properties as described in “Setting Policy Properties” on page 195. 4 Add the second policy. 5 Click OK. The Properties dialog box of the policy appears. Set the properties as described in “Setting Policy Properties” on page 195. User Guide 191 About Custom Policies Seeing and modifying policy templates To see a policy template, select it on the Add Policies dialog box and click Edit. You normally do not need to see the actual template because relevant information from the template appears in the Details box when you select the policy template on the Add Policies dialog box. With pre-defined policies (those listed under Packet Filters and Proxies in the Add Policies dialog box), you can edit only the Description field on the policy template. You also cannot delete pre-defined policies. You can, however, perform both of these operations on custom policy templates. For more information on custom policies, see “About Custom Policies,” below. Disabling a policy To disable a policy, you can right-click it in the Policy Manager window and select Disable. When a policy is disabled, the menu choice changes to Enable, which you can use to reenable the policy. You can also clear the Enable check box at the top of the Edit Policy Properties dialog box to disable a policy. If you want to reenable the policy, select the Enable check box. Deleting a policy As your security policy changes, you sometimes have to remove one or more policies. To remove a policy, you first remove it from Policy Manager. Then you save the new configuration to the Firebox®. 1 From Policy Manager, click the policy. 2 In Policy Manager, click the X button on the Policy Manager toolbar. You can also select Edit > Delete Policy. 3 When asked to confirm, click Yes. 4 Save the configuration to the Firebox and start the Firebox again. Select File > Save > To Firebox. Type the configuration passphrase. Select the Save to Firebox check box. Click Save. About Custom Policies Policy Manager includes many packet filter policies. You can also add custom policies, which allow the WatchGuard® Firebox® to safely accommodate new services. 192 WatchGuard System Manager About Custom Policies A custom policy definition includes ports and protocols that are unique to one type of network traffic. You can add a custom policy that uses: • TCP ports • UDP ports • An IP protocol that is not TCP or UDP, such as GRE, AH, ESP, ICMP, IGMP, OSPF, and IP. You identify an IP protocol that is not TCP or UDP with the IP protocol number. Creating a custom policy template The first step when you create a new policy is to make a template for it. The template is added to the Add Policies dialog box. You can then add it to Policy Manager and configure it as you would a predefined policy. 1 In Policy Manager, click the plus (+) sign on the Policy Manager toolbar. You can also select Edit > Add Policies. The Add Policies dialog box appears. 2 Click New. The New Policy Template dialog box appears. 3 In the Name text box, type the name of the custom policy. The name appears in Policy Manager as the policy type. A unique name helps you to find the policy when you want to change or remove it. This name must not be the same as any name in the list in the Add Policy dialog box. 4 In the Description text box, type a description of the policy. This appears in the Details section when you click the policy name in the list of User Filters. 5 Select the type of policy: Packet Filter or Proxy. 6 To add protocols for this policy, click Add. The Add Protocol dialog box appears. User Guide 193 About Custom Policies 7 From the Type drop-down list, select Single Port or Port Range. 8 From the Protocol drop-down list, select the protocol for this new policy. For more information about network protocols, see the Reference Guide or online help system. When you select Single Port, you can select: - TCP - UDP - GRE - AH - ESP - ICMP - IGMP - OSPF - IP - Any When you add an IGMP policy to your Fireware® configuration, Fireware does not pass IGMP multicast traffic through the Firebox or between Firebox interfaces. It passes IGMP multicast traffic only between an interface and the Firebox. When you select Port Range, you can select TCP or UDP. 9 From the Server Port drop-down list, select the port for this new policy. If you selected Port Range, select a starting server port and an ending server port. 10 Click OK. Policy Manager adds the values to the New Policy Template dialog box. Make sure that the name, information, and configuration of this policy are correct. If necessary, click Add to configure more ports for this policy. Repeat steps 6 – 10 until you configure all ports for the policy. 11 Click OK. The Add Policy dialog box appears with the new policy in the Custom folder. Adding a custom policy from the list of policy templates You use the same procedure to add a custom policy to Policy Manager as you would a pre-defined policy, as described in “Adding a policy from the list of policy templates” on page 190. Importing and exporting custom policy templates If you manage several Fireboxes and have custom policies for them, you can use the policy import/ export function to save time. You can define the templates on one Firebox, export them to an ASCII file, and then import them to another Firebox. 194 WatchGuard System Manager Setting Policy Properties The Firebox where you created the policies must run the same version of WSM as the version of Policy Manager you use to import the policies. You cannot import a template from an old version into the current version. 1 On the first Firebox, define custom policy templates for the policies you need. 2 Click Export. You do not need to select the custom policies. The Export function automatically exports all custom policies regardless of which policy is actually selected. 3 In the Save dialog box, select where you want to save the policy templates file. Type a name for the file and click Save. The default location is My Documents > My WatchGuard. 4 From Policy Manager on a different Firebox, on the Add Policies dialog box, click Import. 5 Find the file you created in step 3 and click Open. 6 If custom policy templates are already defined in the current Policy Manager, you are asked whether you want to replace the existing templates or append the imported templates to the existing templates. Click Replace or Append. If you click Replace, the existing templates are deleted and replaced with the new templates. If you click Append, both the existing and the imported templates are listed in alphabetical order under Custom. Setting Policy Properties After you add a policy, you can configure it for your company’s needs. You define rules to: • Set allowed traffic sources and destinations • Make filter rules • Enable or disable the policy User Guide 195 Setting Policy Properties • Configure properties such as Traffic Management, NAT, schedules, and logging To set properties for a policy, double-click the policy icon to open the Edit Policy Properties dialog box. Setting sources and destinations for a policy You use the Policy tab of the Edit Policy Properties dialog box to configure access rules for a given policy. The Policy tab shows: • A From list (or “source”) that specifies who can send (or cannot send) network traffic with this policy. • A To list (or “destination”) that specifies who the Firebox can route traffic to if the traffic matches the policy specifications. For example, you could configure a ping packet filter to allow ping traffic from all computers on the external network to one web server on your optional network. Note, however, that the destination network is made vulnerable whenever you open it to connections over the port or ports that the policy controls. Make sure you use care when you configure your policies. The source and destination can be a host IP address, host range, host name, network address, user name, alias, VPN tunnel, or any combination of those objects. For more information on the aliases that appear as options on the From and To list, see “Working with Aliases” on page 76. Access rules do not specify only source and destinations that are allowed; you can also use the rules to deny traffic. You use these settings to configure how traffic is handled: Allowed The Firebox allows traffic that uses this policy if it matches the rules you set in the policy. Denied The Firebox denies all traffic that matches the rules in this policy. You can configure it to record a log message when a computer tries to use this policy. It can also automatically add a computer or network that tries to start a connection with this policy to the Blocked Sites list (configured on the Properties tab). Denied (send reset) The Firebox denies all traffic that matches the rules in this policy. It can also automatically add a computer or network that tries to start a connection with this policy to the Blocked Sites list 196 WatchGuard System Manager Setting Policy Properties (configured on the Properties tab). The Firebox also sends a reset (RST) packet to tell the client that the session is refused and closed. 1 From the Policy tab, specify whether connections are Allowed, Denied, or Denied (send reset). 2 To add members to your access specifications, click Add for the From or the To member list. The Add Address dialog box appears. 3 The Available Members list contains the aliases you can add to the From or To lists. Select an alias and click Add, or double-click an alias in this window. If you want to add hosts, users, aliases or tunnels to the policy that do not appear in the Available Members list, see the next section, “Adding new members.” 4 Repeat the previous step to add other members and addresses. Your policy can have more than one object in the From or To field. Click OK. Adding new members 1 If you want to add a user or group to the Available Members list, click Add User. If you want to add hosts, aliases, or tunnels to the Available Members list, click Add Other. 2 If you selected Add Other, the Add Member dialog box appears. From the Choose Type dropdown list, select the host range, host IP address, or network IP address to add. In the Value text box, type the correct network address, range, or IP address. Click OK. The member or address appears in the Selected Members and Addresses list. 3 User Guide If you selected Add User, the Add Authorized Users or Groups dialog box appears. Select the type of user or group, select the authentication server, and whether you want to add a user or group. Click OK. 197 Setting Policy Properties About policy-based routing To send network traffic, a router usually examines the destination address in the packet and looks at the routing table to find the next-hop destination. In some cases, you want to send traffic to a different path than the default route specified in the routing table. You can configure a policy with a specific external interface to use for all outbound traffic that matches that policy. This technique is known as policy-based routing. Policy-based routing can be used when you have more than one external interface and have configured your Firebox for multi-WAN. With policy-based routing, you can make sure that all traffic for a policy always goes out through the same external interface, even if your multi-WAN configuration is set to send traffic in a round-robin configuration. When you use policy-based routing along with multi-WAN failover, you can specify whether traffic that matches the policy uses another external interface when failover occurs. The default is that the traffic is dropped until the interface is available again. Policy-based routing takes precedence over other multi-WAN settings. Also, failback settings (defined on the Multi-WAN tab of the Network Configuration dialog box) apply to policy-based routing. If a failover event occurs, and the original interface later becomes available, the Firebox can send active connections to the failover interface or it can fail back to the original interface. New connections are sent to the original interface. Note the following restrictions on policy-based routing: • Policy-based routing is available only if multi-WAN is enabled. If you enable multi-WAN, the Edit Policy Properties dialog box automatically includes fields for configuring policy-based routing. By default, policy-based routing is not enabled. • Policy-based routing does not apply to IPSec traffic, or to traffic destined for the trusted or optional network (incoming traffic). Configuring policy-based routing 1 In Policy Manager, double-click the icon of the policy for which you want to define policy-based routing. The Edit Policy Properties dialog box appears. 198 WatchGuard System Manager Setting Policy Properties 2 At the bottom of the Edit Policy Properties dialog box, select the Use policy-based routing check box to enable policy-based routing. 3 To specify the interface to send outbound traffic that matches the policy, select the interface name from the adjacent drop-down list. You must make sure that the interface you select is a member of the alias or network that you set in the To field of your policy. For example, in the screenshot above, the interface named “External” is a member of the Any-External alias. 4 (Optional) Configure policy-based routing with multi-WAN failover as described in the next section. 5 Click OK. Configuring policy-based routing with failover 1 Configure policy-based routing, as described in the previous section. 2 From the Edit Policy Properties dialog box, select Failover if you want to set the interface you specified for this policy as the primary interface and define other external interfaces as backup interfaces for all non-IPSec traffic. If you do not select Failover and the interface you set for this policy is not active, traffic is dropped until link monitoring establishes that the interface is available again. 3 Click Configure to specify backup interfaces for this policy. If the primary interface you set for this policy is not active, traffic is sent to the backup interface or interfaces you specify here. The Policy Failover Configuration dialog box appears. User Guide 199 Setting Policy Properties 4 In the Include column, select the check box for each interface you want to use in the failover configuration. Use the Move Up and Move Down buttons to set the order for failover. The first interface in the list is the primary interface. 5 When you have selected the interfaces you want to use and set the order you want, click OK. 6 Click OK to close the Edit Policy Properties dialog box. 7 Save your configuration to the Firebox. Setting a proxy action If you create a proxy policy, you can use the Properties tab of the Policy Properties dialog box to set a proxy action. For more information, see the “Proxy Policies” chapter. Setting a custom idle timeout To set an idle timeout for a specific policy: 200 1 On the Properties tab of the Policy Properties dialog box, click Specify Custom Idle Timeout. 2 Click the arrows to set the number of seconds before timeout. WatchGuard System Manager Setting Policy Properties Setting logging properties Use the Properties tab of the Policy Properties dialog box to set logging properties for a policy. You can configure the Firebox to record a log message when a policy denies packets. You can also set up notification when packets are allowed or denied. 1 From the Properties tab, click Logging. The Logging and Notification dialog box appears. 2 Set the parameters to comply with your security policy. For more information about these parameters, see “Setting Logging and Notification Preferences in Policy Manager” on page 96. One policy manages either allowed or denied traffic, but not both. If you want the Firebox to send log messages for both allowed and denied traffic, you must use different policies for each. Configuring static NAT for a policy Static NAT is also known as port forwarding. Static NAT is a port-to-host NAT. A host sends a packet from the external network to a specified public address and port. Static NAT changes this address to an User Guide 201 Setting Policy Properties address and port behind the firewall. For more information on NAT, see the “Network Address Translation” chapter in this guide. Because of how static NAT operates, it is available only for policies that use a specified port, which includes TCP and UDP. A policy that uses a different protocol cannot use incoming static NAT. The NAT button in the Properties dialog box of that policy does not operate. You also cannot use static NAT with the Any policy. Using NAT with SMTP To help fight spam, many servers that receive email do a reverse lookup of the source IP address the mail comes from. The receiving server does this to make sure that the sending server (the server sending the email) is an authorized mail server for that domain. Because of this, we recommend that you use the external IP address of your Firebox as the MX record for your domain. An MX, or Mail exchange, record is a type of DNS record that sets how email is routed through the Internet. MX records show the servers to send an email message to, and which server to send an email message to first, by priority. Usually, connections that start from a trusted or optional network and go to the Internet show the external IP address of the Firebox as the source IP address of the packets. If the Firebox external IP address is not your domain’s MX record IP address, some remote servers reject email that you send. They do this because the SMTP session does not show your MX DNS record as the source IP address for the connection. If your Firebox does not use your MX record IP address as the external interface IP address, you can use a 1-to-1 NAT mapping to make outgoing email connections show the correct source IP address. See the “Network Address Translation” chapter for more information on 1-to-1 NAT. 1 In Policy Manager, double-click the policy icon. 2 From the Connections are drop-down list, select Allowed. To use static NAT, the policy must let incoming traffic through. 3 Below the To list, click Add. The Add Address dialog box appears. 4 Click Add NAT. The Add Static NAT/Server Load Balancing dialog box appears. 5 Make sure the Type drop-down list is set to Static NAT. 6 From the External IP Address drop-down list, select the “public” address to use for this policy. 7 Type the internal IP address. The internal IP address is the destination on the trusted or optional network. 8 If necessary, select the Set internal port to a different port check box. You usually do not use this feature. It enables you to change the packet destination not only to a specified internal host, but also to a different port. If you select the check box, type the different port number or use the arrow buttons. 9 Click OK to close the Add Static NAT dialog box. The static NAT route appears in the Members and Addresses list. 202 WatchGuard System Manager Setting Policy Properties 10 Click OK to close the Add Address dialog box. Click OK to close the Properties dialog box of the policy. Configuring server load balancing for a policy If you have Fireware® Pro, you can use the server load balancing feature to help you increase the scalability and performance of a high-traffic network with multiple public servers protected by your Firebox. With server load balancing, you can have the Firebox control the number of sessions initiated to as many as 10 servers for each firewall policy you configure. The Firebox controls the load based on the number of sessions in use on each server. For information on how to configure server load balancing, see “Server Load Balancing” on page 149. Setting an operating schedule You can set an operating schedule for the policy. You can use the schedule templates in the Schedule drop-down list or create a custom schedule. For information, see the “Basic Configuration Setup” chapter in this guide. Note that schedules can be shared by more than one policy. Applying Traffic Management actions If you have Fireware Pro on your Firebox, you can assign a Traffic Management action to the policy. Use the button on the far right to create a new Traffic Management action. After you create a new Traffic Management action, it appears in the Traffic Management drop-down list. For more information, see “About Traffic Management and QoS” on page 451. User Guide 203 Setting Policy Properties Note that these actions can be shared by more than one policy. Setting ICMP error handling You can set the ICMP error handling settings associated with the policy. These settings override the global ICMP error handling settings. From the ICMP Error Handling drop-down list, select: Use global setting Use the global ICMP error handling setting set for the Firebox. For information on this global setting, see “Defining ICMP error handling global settings” on page 79. Specify setting Configure a parameter that overrides the global setting. Click ICMP Setting. From the ICMP Error Handling Settings dialog box, select the check boxes to configure individual settings. For information on these settings, see “Defining ICMP error handling global settings” on page 79. 204 WatchGuard System Manager Setting Policy Properties Applying NAT rules You can apply Network Address Translation (NAT) rules to a policy. From the Advanced tab of the Edit Policy Properties dialog box, select one of the following options: 1-to-1 NAT With this type of NAT, the Firebox uses private and public IP ranges that you set, as described in “Using 1-to-1 NAT” on page 144. Dynamic NAT With this type of NAT, the Firebox maps private IP addresses to public IP addresses. All policies have dynamic NAT enabled by default. Select Use Network NAT Settings if you want to use the dynamic NAT rules set for the Firebox. Select All traffic in this policy if you want to apply NAT to all traffic in this policy. You can use the Set Source IP field to set a dynamic NAT source IP address for any policy that uses dynamic NAT. This makes sure that any traffic that uses this policy shows a specified address from your public or external IP address range as the source. You would most often do this to force outgoing SMTP traffic to show your domain’s MX record address when the IP address on the Firebox’s external interface is not the same as your MX record IP address. 1-to-1 NAT rules have higher precedence than dynamic NAT rules. Using QoS Marking for a policy QoS Marking creates different classes of service for different kinds of outbound network traffic. When you “mark” traffic, you change up to six bits on packet header fields defined for this purpose. QoS-capable external devices can make use of this marking and provide appropriate handling of a packet as it travels from one point to another in a network. You can use QoS Marking on a per-interface or per-policy basis. When you define QoS Marking for an interface, packets leaving that interface are marked. QoS Marking for a policy marks traffic that uses the policy. 1 From the Edit Policy Properties dialog box, click the Advanced tab. 2 Midway down the dialog box, select the QoS tab. 3 Select the Override per-interface settings check box to make the QoS Marking for a policy override any QoS Marking set on an interface. For information on how to use QoS Marking, see “About QoS Marking” on page 456. User Guide 205 Setting Policy Properties Setting traffic priority for a policy Traffic priority can be set at the interface level, but you can override this setting for individual policies: 1 To override the setting at the interface level, select the Override per-interface settings check box. 2 In the Prioritize Traffic Based On drop-down list, select either QoS Marking or Custom Value. 3 If you chose Custom Value, in the Value field, select a value from 0 (Best Effort) to 7 (highest priority). Enabling sticky connections for a policy A sticky connection is a connection that continues to use the same interface for a defined period of time. Stickiness makes sure that, if a packet goes out through one external interface, any future packets between the source and destination address pair use the same external interface for a specified period of time. By default, sticky connections use the same interface for 3 minutes. The Sticky Connections tab appears only if multi-WAN is enabled. The sticky connection setting for a policy overrides the setting, if any, at the interface level. 1 206 From the Advanced tab of the Policy Properties dialog box, click the Sticky Connection tab. WatchGuard System Manager Setting Policy Precedence 2 Keep the Override Multi-WAN sticky connection setting check box clear if you want the sticky connection configured on the Network > Configuration > Multi-WAN tab to apply. Select this check box if you want to set a custom sticky connection for this policy. 3 If you want to set a custom sticky connection for this policy, select the Enable sticky connection check box. 4 Enter the amount of time to maintain the connection. Setting Policy Precedence Precedence is the sequence in which the Firebox® examines network traffic and applies a policy rule. The Firebox routes the traffic according to the rules for the first policy that the traffic matches. Fireware® Policy Manager automatically sorts policies from the most specific to the most general. You can also manually set the precedence. Using automatic order Unless you manually set precedence, Policy Manager gives the highest precedence to the most specific policies and the lowest to the least specific. Policy Manager examines specificity of the following criteria in this order. If it cannot determine the precedence from the first criterion, it moves to the second, and so on. 1 The policy itself. For example, an Any policy is less specific than policies that allow only specific traffic. 2 Protocols set for the policy type. For example, a policy that specifies many ports for a given protocol is less specific than a policy with fewer ports. 3 Traffic rules of the To field. Most specific to least specific are: rules specifying IP address ranges, users, groups, interfaces. 4 Traffic rules of the From field. Most specific to least specific are: rules specifying IP address ranges, users, groups, interfaces. 5 Firewall action applied to the policies. Most specific to least specific is: Denied or Denied (send reset), Allowed (proxy policy), Allowed (packet filter policy). 6 Schedules applied to the policies. Most to least specific is: Always off, Sometimes on, Always on. 7 Alphanumeric sequence based on policy type. User Guide 207 Setting Policy Precedence 8 Alphanumeric sequence based on policy name. Setting precedence manually To switch to manual-order mode, select View > Auto-order mode so that the checkmark disappears. You are asked to confirm if you want to switch to manual-order mode. If you switch to manual-order mode, the Policy Manager window changes to the Details view. You cannot change the order of policies if you are in Large Icons view. To change the order of a policy, select it and drag it to its new location. 208 WatchGuard System Manager 14 Proxy Policies All WatchGuard® policies, whether they are packet filter policies or proxy policies, are important tools for network security. While a packet filter examines each packet’s IP and TCP/UDP header, a proxy monitors and scans whole connections. It examines the commands used in the connection to make sure they are in the correct syntax and order. It also uses deep packet inspection to make sure that connections are secure. A proxy opens each packet in sequence, removes the network layer header, and examines the packet’s payload. It then puts the network information back on the packet and sends it to its destination. As a result, a proxy can find forbidden content hidden or embedded in the data payload. For example, an SMTP proxy examines all incoming SMTP packets (email) to find forbidden content, such as executable programs or files written in scripting languages. Attackers frequently use these methods to send computer viruses. The SMTP proxy can enforce a policy that forbids these content types, while a packet filter cannot detect the unauthorized content in the packet’s data payload. If you have purchased and enabled additional security services (Gateway AntiVirus, Intrusion Prevention Service, spamBlocker, WebBlocker), proxies can apply these services. WatchGuard System Manager supports the following proxies: HTTP, FTP, SMTP, POP3, DNS, and TCP. Working with WatchGuard Proxies When you add a proxy policy to Policy Manager for your Firebox®, you specify types of content that the proxy must look for as it filters traffic. If the content matches (or does not match) the criteria you set in the proxy definition, the proxy takes a certain action, such as denying a packet or stripping content from it. The procedures you use to define proxies are often very similar regardless of the type of proxy. Three concepts are consistent throughout all proxy definitions: • Rules and rulesets • Proxy actions • Predefined and user-defined proxy actions User Guide 209 Working with WatchGuard Proxies About rules and rulesets A major portion of the work you do to configure a proxy policy involves creating or modifying rules, which are sets of criteria to which the proxy compares traffic. A rule consists of a type of content, pattern, or expression, and the action the Firebox does when a component of the packet’s content matches that content, pattern, or expression. Rules also include settings for when the Firebox sends alarms or if it sends events to the log file. A ruleset is a group of rules based on one feature of a proxy such as the content types or filenames of email attachments. The process to create and modify rules is consistent throughout all Fireware® proxies. The Firebox includes default sets of rules for each proxy policy included in the Firebox configuration. Separate sets of rules are provided for clients and servers—to protect both your trusted users and your public servers. You can use these rules without changing them, or you can customize them to meet your business needs. For more information on how to work with, create, and modify rules, see “Working with Rules and Rulesets” on page 251. About proxy actions Because your configuration can include several instances of each proxy, each instance is linked to a specific group of settings or rulesets called a proxy action. For each proxy, you typically have separate proxy actions for clients and servers. For example, you would use one proxy action for packets sent to a POP3 server protected by the Firebox® and a different proxy action to apply to email messages retrieved by POP3 clients. You can create more than one proxy action for each type of proxy, but you can assign only one proxy action to each proxy policy. For example, a POP3 proxy icon that appears in the Policy Manager main window is linked to only one proxy action; for example, a POP3-Client action. If you want to create a POP3 proxy for a POP3 server, or an additional policy for POP3 clients, you must add a new POP3 policy to Policy Manager. Predefined and user-defined proxy actions The Firebox has predefined client and server proxy actions for each proxy. These predefined actions are configured to balance the accessibility requirements of a typical company with the need to protect your computer assets from attacks. You cannot change the settings of predefined proxy actions. If you want to make changes to the configuration, you must clone (copy) the existing definition and save it as a user-defined proxy action. For example, if you want to change a setting in the HTTP-Client proxy action, you must save it with a different name, such as HTTP-Client.1. Note that this is necessary only when you make changes to rulesets. If you make changes to general settings such as the allowed sources or destinations or NAT settings for a policy, you do not need to save it under a new name. Seeing available proxy actions on your Firebox To see all available proxy actions on your Firebox, whether they are currently in use or not, from Policy Manager, select Setup > Actions > Proxies. The Proxy Actions dialog box appears. 210 WatchGuard System Manager Adding a Proxy to your Firebox Configuration Predefined proxy actions appear in blue, and user-defined proxy actions appear in black. Any userdefined proxy actions that are not currently used are followed by the text “not used.” You can use the buttons on the right side of the Proxy Actions dialog box to clone (copy and edit under a new name), edit, remove, import, or export proxy actions. (For information on the import and export functionality, see “Import and Export Functions for Proxies” on page 255.) You can remove only user-defined proxy actions. You cannot remove predefined proxy actions. Adding a Proxy to your Firebox Configuration To add a proxy policy to your Firebox® configuration: 1 In Policy Manager, click the plus (+) sign on the Policy Manager toolbar. You can also select Edit > Add Policies. The Add Policies dialog box appears. 2 Click the plus (+) sign on the left side of the folder to expand the Proxies folder. A list of proxies appears. 3 Click the name of the proxy you want to add. Click Add. The New Policy Properties dialog box appears. User Guide 211 Adding a Proxy to your Firebox Configuration 4 If you choose, you can change the name of the proxy policy. To change the name, type a new name in the Name text box. 5 Use the From and To sections of the dialog box to define hosts, networks, or tunnels that can send or receive the proxy traffic through the Firebox. For detailed information on how to do this, see “Setting Policy Properties” on page 195. 6 Click the Properties tab. The New Policy Properties dialog box appears. 7 In the Proxy action drop-down list, select whether you want to define an action for a client or server. For information about proxy actions, see “About proxy actions” on page 210. 8 212 Click the View/Edit Proxy icon. WatchGuard System Manager SMTP Proxy 9 When you configure a proxy, you can see the rulesets for that proxy in the Categories list on the left side of the dialog box. Go to the section in this chapter on the specific proxy you want to define. SMTP Proxy SMTP (Simple Mail Transport Protocol) is a protocol used to send email messages between email servers and also between email clients and email servers. It usually uses a TCP connection on port 25. You use the SMTP proxy to control email messages and email content. The proxy scans SMTP messages for a number of filtered parameters, and compares them against the rules in the proxy configuration. When you use incoming static NAT with SMTP, you might see packets that come from the remote mail server being denied with destination port 113. In these cases, you can add an IDENT policy to Policy Manager. Configure IDENT to allow incoming connections to: Firebox. This enables outgoing mail messages from behind the Firebox to the few SMTP servers on the Internet that use IDENT. To add the SMTP proxy to your Firebox configuration, see “Adding a Proxy to your Firebox Configuration” on page 211. Then, if you choose, modify the rulesets for the proxy, as described in subsequent sections. SMTP proxy: General settings On the General Settings page (the page that first appears after you click the View/Edit Proxy icon), you can set basic SMTP proxy parameters such as idle timeout and message limits. User Guide 213 SMTP Proxy Idle timeout You can set the length of time an incoming SMTP connection can idle before the connection times out. The default value is 10 minutes. Maximum email recipients With the Set the maximum email recipients to check box, you can set the maximum number of email recipients to which a message can be sent. The Firebox® counts and allows the specified number of addresses through, and then drops the other addresses. For example, if you set the value to 50 and there is a message for 52 addresses, the first 50 addresses get the email message. The last two addresses do not get a copy of the message. A distribution list appears as one SMTP email address (for example, [email protected]). The Firebox counts this as one address. You can use this feature to decrease spam email because spam usually includes a large recipient list. Be careful when you do this because you can also deny legitimate email. Maximum address length With the Set the maximum address length to check box, you can set the maximum length of email addresses. Maximum email size With the Set the maximum email size to check box, you can set the maximum length of an incoming SMTP message. Most email is sent as 7-bit ASCII text. The exceptions are Binary MIME and 8-bit MIME. 8-bit MIME content (for example, MIME attachments) is encoded with standard algorithms (Base64 or quote-printable encoding) to enable them to be sent through 7-bit email systems. Encoding can increase the length of files by as much as one third. To allow messages as large as 10 KB, you must set this field to a minimum of 1334 bytes to make sure all email gets through. 214 WatchGuard System Manager SMTP Proxy Maximum email line length With the Set the maximum email line length to check box, you can set the maximum line length for lines in an SMTP message. Very long line lengths can cause buffer overflows on some email systems. Most email clients and systems send short line lengths, but some web-based email systems send very long lines. Hide Email Server Select the Message ID and Server Replies check boxes to replace MIME boundary and SMTP greeting strings in email messages. These are used by hackers to identify the SMTP server vendor and version. If you have an email server and use the SMTP-Incoming proxy action, you can have the SMTP proxy replace the domain shown in your SMTP server banner with a domain name you select. To do this, next to Rewrite Banner Domain, type the domain name you want to use in your banner in the text box that appears. For this to occur, you must also have the Server Replies check box selected. If you use the SMTP-Outgoing proxy action, you can have the SMTP proxy replace the domain shown in the HELO or EHLO greetings. A HELO or EHLO greeting is the first part of an SMTP transaction, when your email server announces itself to a receiving email server. To do this, next to Rewrite HELO Domain, type the domain name you want to use in your HELO or EHLO greeting in the text box that appears. Allow uuencoded attachments Select this check box if you want the SMTP proxy to allow uuencoded attachments to email messages. Uuencode is an older program used to send binary files in ASCII text format over the Internet. UUencode attachments can be security risks because they appear as ASCII text files but can actually contain executables. Allow BinHex attachments Select this check box if you want the SMTP proxy to allow BinHex attachments to email messages. BinHex, which is short for binary-to-hexadecimal, is a utility that converts a file from binary format to ASCII. Auto-block sources of invalid commands Select this check box to add senders of invalid SMTP commands to the Blocked Sites list. Invalid SMTP commands often indicate an attack on your SMTP server. Turn on logging for Historical Reports Select to send a log message for each connection request through SMTP. For Historical Reports to create accurate reports on SMTP traffic, you must select this check box. 10 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. The New Policy Properties dialog box appears. SMTP proxy: Greeting rules The proxy examines the initial HELO/EHLO responses during the SMTP session initialization. The default rules for the SMTP-Incoming proxy action make sure that packets with greetings that are too long, or include characters that are not correct or expected, are denied. If the default ruleset does not meet all of your business needs, you can add, delete, or modify rules: 1 From the Categories section, select Greeting Rules. 2 Add, delete, or modify rules, as described in “Working with Rules and Rulesets” on page 251. User Guide 215 SMTP Proxy 3 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. The New Policy Properties dialog box appears. SMTP proxy: ESMTP settings You use the ESMTP Settings fields to set the filtering for ESMTP content. Although SMTP is widely accepted and widely used, some parts of the Internet community have found a need to extend SMTP to allow more functionality. ESMTP gives a method for functional extensions to SMTP, and for servers and clients who support extended features to be identified. 1 From the Categories section, select ESMTP Settings. Enable ESMTP Select to enable the fields below. If you clear this check box, all check boxes below are disabled. However, their settings are saved, and they are restored if this check box is selected again. Allow BDAT/CHUNKING Select to allow BDAT/CHUNKING. This enables large messages to be sent more easily through SMTP connections. Allow ETRN (Remote Message Queue Starting) This is an extension to SMTP that allows an SMTP client and server to interact to start the exchange of message queues for a given host. Allow 8-Bit MIME Select to allow 8-bit MIME, if the client and host give support to the extension. The 8-bit MIME extension allows a client and host to exchange messages made up of text that has octets which are not of the US-ASCII octet range (hex 00-7F, or 7-bit ASCII) that SMTP uses. 216 WatchGuard System Manager SMTP Proxy Allow Binary MIME Select to allow the Binary MIME extension, if the sender and receiver accept it. Binary MIME prevents the overhead of base64 and quoted-printable encoding of binary objects sent that use the MIME message format with SMTP. We do not recommend you select this option as it can be a security risk. Log denied ESMTP options Select to log, or clear to disable, logging of unknown ESMTP options that are stripped by the SMTP proxy. 2 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. The New Policy Properties dialog box appears. SMTP proxy: Authentication This ruleset allows these ESMTP authentication types: DIGEST- MD5, CRAM-MD5, PLAIN, LOGIN, LOGIN (old style), NTLM, and GSSAPI. The default rule denies all other authentication types. The RFC that tells about the SMTP authentication extension is RFC 2554. If the default ruleset does not meet all of your business needs, you can add, delete, or modify rules: 1 From the Categories section, select Authentication. 2 Add, delete, or modify rules, as described in “Working with Rules and Rulesets” on page 251. 3 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. The New Policy Properties dialog box appears. SMTP proxy: Content types Certain kinds of content embedded in email can be a security threat to your network. Other kinds of content can decrease the productivity of your users. You use the ruleset for the SMTP-Incoming proxy action to set values for incoming SMTP content filtering. You use the ruleset for the SMTP-Outgoing proxy action to set values for outgoing SMTP content filtering. The SMTP proxy allows these content types: text/*, image/*, multipart/*, and message/*. If the default ruleset does not meet all of your business needs, you can add, delete, or modify rules: 1 From the Categories section, select Content Types. Select the Enable content type auto detection check box for the SMTP proxy to examine content to determine content type. Otherwise, the SMTP proxy uses the value stated in the email header, which clients sometimes set incorrectly. As an example, an attached .pdf file might have a content type stated as application/octetstream. If you enable content type auto detection, the SMTP proxy recognizes the .pdf file and uses the actual content type, application/pdf. If the proxy does not recognize the content type User Guide 217 SMTP Proxy after it examines the content, it uses the value stated in the email header, as it would if content type auto detection were not enabled. Because hackers often try to disguise executable files as other content types, we recommend that you enable content type auto detection to make your installation more secure. 2 Add, delete, or modify rules, as described in “Working with Rules and Rulesets” on page 251. 3 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. The New Policy Properties dialog box appears. Adding common content types 1 For your convenience, the proxy definition lists several common content types that you can easily add to the Content Type ruleset. To bring up the list of common content types, click the Predefined button. The Select Content Type dialog box appears. 2 To add a content type to the ruleset, select it and click OK. To select a range of content types, click the first in the range, press the Shift key, and click the last content type in the range. To select multiple content types that are not in a range, hold down Ctrl as you select content types. SMTP proxy: File names You use the ruleset for the SMTP-Incoming proxy action to put limits on file names for incoming email attachments. You use the ruleset for the SMTP-Outgoing proxy action to put limits on file names for outgoing email attachments. If the default ruleset does not meet all of your business needs, you can add, delete, or modify rules: 218 1 From the Categories section, select Filenames. 2 Add, delete, or modify rules, as described in “Working with Rules and Rulesets” on page 251. 3 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or WatchGuard System Manager SMTP Proxy If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. The New Policy Properties dialog box appears. SMTP proxy: Mail From/Mail To Use the Mail From ruleset to put limits on email and allow email into your network only from specified senders. The default configuration is to allow email from all senders. If the default ruleset does not meet all of your business needs, you can add, delete, or modify rules. The Mail To ruleset can limit the email that goes out of your network to only specified recipients. The default configuration allows email to all recipients out of your network. On an SMTP-Incoming proxy action, you can use the Mail To ruleset to prevent people from using your email server for email relaying. To do this, make sure that all domains your email server accepts email for appear in the rule list. Then, make sure the Action to Take if None Matched is set to Deny. Any email with an address that does not match the listed domains is denied. You can also use the Rewrite As feature included in this rule configuration dialog box to have the Firebox change the From and To components of your email address to a different value. This feature is also known as “SMTP masquerading.” There are two more options available in the Mail From and Mail To rulesets: Block source-routed addresses Select this check box to block a message when the sender address or recipient address contains source routes. A source route identifies the path a message must take when it goes from host to host. The route can identify which mail routers or “backbone” sites to use. For example, @backbone.com:[email protected] means that the host named Backbone.com must be used as a relay host to deliver mail to [email protected]. By default, this option is enabled for incoming SMTP packets and disabled for outgoing SMTP packets. Block 8-bit characters Select this check box to block a message that has 8-bit characters in the sender user name or recipient user name. This allows an accent on an alphabet character. By default, this option is enabled for incoming SMTP packets and disabled for outgoing SMTP packets. 1 From the Categories section, select Mail From or Mail To. 2 Add, delete, or modify rules, as described in “Working with Rules and Rulesets” on page 251. 3 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. The New Policy Properties dialog box appears. SMTP proxy: Headers Header rulesets allow you to set values for incoming or outgoing SMTP header filtering. If the default ruleset does not meet all of your business needs, you can add, delete, or modify rules: 1 User Guide From the Categories section, select Headers. 219 SMTP Proxy 2 Add, delete, or modify rules, as described in “Working with Rules and Rulesets” on page 251. 3 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. The New Policy Properties dialog box appears. SMTP proxy: Antivirus responses If you have purchased and enabled the Gateway AntiVirus feature, the fields in the AntiVirus category set the actions necessary if a virus is found in an email message. It also sets actions for when an email message contains an attachment that the Firebox cannot scan. Although you can use the proxy definition screens to activate and configure Gateway AntiVirus, it is easier to use the Tasks menu in Policy Manager to do this. For more information on how to do this, or to use the antivirus screens in the proxy definition, see the chapter “Signature-Based Security Services.” SMTP proxy: Deny message The Firebox gives a default deny message that replaces denied content. You can replace that deny message with one that you write. The first line of the deny message is a section of the HTTP header. You must include an empty line between the first line and the body of the message. 1 From the Categories section, select Deny Message. 2 In the Deny Message block, you can write a custom plain text message with standard HTML that will appear in the recipient email when the proxy blocks that email. You can use these variables: %(reason)% Puts the cause for the Firebox to deny the content. %(type)% Puts the type of content that was denied. %(filename)% Puts the file name of the denied content. %(virus)% Puts the name or status of a virus, for Gateway AntiVirus users only. %(action)% Puts the name of the action taken: lock, strip, and so on. %(recovery)% Puts whether you can recover the attachment. 3 220 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For WatchGuard System Manager SMTP Proxy more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. The New Policy Properties dialog box appears. SMTP proxy: Intrusion prevention If you have purchased and enabled the Intrusion Prevention feature, the fields in the Intrusion Prevention category set the actions necessary to find and stop intrusions. Although you can use the proxy definition screens to activate and configure IPS, it is easier to use the Tasks menu in Policy Manager to do this. For more information on how to do this, or to use the IPS screens in the proxy definition, see the chapter “Signature-Based Security Services.” SMTP proxy: spamBlocker Unwanted email, also known as spam, fills the average inbox at an astonishing rate. A large volume of spam decreases bandwidth, degrades employee productivity, and wastes network resources. The WatchGuard® spamBlocker option increases your capacity to catch spam at the edge of your network when it tries to come into your system. If you have purchased and enabled the spamBlocker feature, the fields in the spamBlocker category set the actions for email messages identified as spam. Although you can use the proxy definition screens to activate and configure spamBlocker, it is easier to use the Tasks menu in Policy Manager to do this. For more information on how to do this, or to use the spamBlocker screens in the proxy definition, see the chapter “spamBlocker.” SMTP proxy: Proxy and AV alarms You can set the action the Firebox does when proxy or antivirus (AV) alarm events occur: 1 From the Categories section, select Proxy and AV Alarms. 2 For information on fields in the Proxy/AV Alarm Configuration section, see “Logging and Notification in Proxy Definitions” on page 97. 3 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. The New Policy Properties dialog box appears. SMTP proxy: Finishing and saving the configuration 1 When you are done with all changes for all categories of the proxy, click OK to close the New Policy Properties or Edit Policy Properties dialog box. 2 Save the configuration to the Firebox. To do this, select File > Save > To Firebox. The Save dialog box appears with the default location for configuration files. You can change the name of the configuration file if you choose. 3 Click Save. 4 You are prompted for the configuration passphrase. Type it and click OK. User Guide 221 POP3 Proxy POP3 Proxy POP3 (Post Office Protocol v.3) is a protocol that moves email messages from an email server to an email client on a TCP connection on port 110. Most Internet-based email accounts use POP3. With POP3, an email client contacts the email server and checks for any new email messages. If it finds a new message, it downloads the email message to the local email client. After the message is received by the email client, the connection is closed. To add the POP3 proxy to your Firebox configuration, see “Adding a Proxy to your Firebox Configuration” on page 211. Then, if you choose, modify the rulesets for the proxy, as described in subsequent sections. POP3 proxy: General settings On the General Settings page (the page that first appears after you click the View/Edit Proxy icon), you can adjust time out and line length limits as well as other general parameters for the POP3 proxy: 1 If you are not already on this page, from the Categories section, select General Settings. 2 Change any of these settings to meet your business needs: Set the timeout to Use this setting to limit the number of minutes that the email client tries to open a connection to the email server before the connection is closed. This prevents the proxy from using too many network resources when the POP3 server is slow or cannot be reached. 222 WatchGuard System Manager POP3 Proxy Set the maximum email line length to Use this setting to prevent some types of buffer overflow attacks. Very long line lengths can cause buffer overflows on some email systems. Most email clients and systems send relatively short lines, but some web-based email systems send very long lines. However, it is unlikely that you will need to change this setting unless it prevents access to legitimate mail. Hide server replies Select this check box if you want to replace the POP3 greeting strings in email messages. These strings can be used by hackers to identify the POP3 server vendor and version. Allow uuencoded attachments Select this check box if you want the POP3 proxy to allow uuencoded attachments to email messages. Uuencode is an older program used to send binary files in ASCII text format over the Internet. UUencoded attachments can be security risks because they appear as ASCII text files but can actually contain executable files. Allow BinHex attachments Select this check box if you want the POP3 proxy to allow BinHex attachments to email messages. BinHex, which is short for binary-to-hexadecimal, is a utility that converts a file from binary format to ASCII. Turn on logging for Historical Reports Select this check box if you want the POP3 proxy to send a log message for each connection request through POP3. If you want to use Historical Reports to create reports on POP3 traffic, you must select this check box. 3 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. POP3 proxy: Authentication A POP3 client must authenticate to a POP3 server before they exchange information. On the Authentication page, you can set the types of authentication for the proxy to allow and the action to take for types that do not match the criteria. If the default ruleset does not meet all of your business needs, you can add, delete, or modify rules: 1 From the Categories section, select Authentication. 2 Add, delete, or modify rules, as described in “Working with Rules and Rulesets” on page 251. 3 After you are finished modifying the ruleset, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. Enter a name for the new action and click OK. The New Policy Properties dialog box appears. 4 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For User Guide 223 POP3 Proxy more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. The New Policy Properties dialog box appears. POP3 proxy: Content types The headers for email messages include a Content Type header to show the MIME type of the email and of any attachments. The content type or MIME type tells the computer the types of media the message contains. Certain kinds of content embedded in email can be a security threat to your network. Other kinds of content can decrease the productivity of your users. If the default ruleset does not meet all of your business needs, you can add, delete, or modify rules. On the Content Types page, you can set values for content filtering and the action to take for content types that do not match the criteria. For the POP3-server proxy action, you set values for incoming content filtering. For the POP3-client action, you set values for outgoing content filtering. 224 1 From the Categories section, select Content Types. 2 Select the Enable content type auto detection check box for the POP3 proxy to examine content to determine content type. Otherwise, the POP3 proxy uses the value stated in the email header, which clients sometimes set incorrectly. As an example, an attached .pdf file might have a content type stated as application/octetstream. If you enable content type auto detection, the POP3 proxy recognizes the .pdf file and uses the actual content type, application/pdf. If the proxy does not recognize the content type after it examines the content, it uses the value stated in the email header, as it would if content type auto detection were not enabled. Because hackers often try to disguise executables files as other content types, we recommend that you enable content type auto detection to make your installation more secure. 3 Add, delete, or modify rules, as described in “Working with Rules and Rulesets” on page 251. WatchGuard System Manager POP3 Proxy 4 The format of a MIME type is type/subtype. For example, if you want to allow JPEG images, you add image/jpg. You can also use the asterisk (*) as a wildcard. To allow any image format, you add image/* to the list. 5 Several predefined content types are available for you to add. Click the Predefined button to see a list of content types, along with short descriptions of the content types. 6 After you are finished with your changes to the ruleset, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. Enter a name for the new action and click OK. The New Policy Properties dialog box appears. 7 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. The New Policy Properties dialog box appears. POP3 proxy: File names You use this ruleset in a POP3-server proxy action to put limits on file names for incoming email attachments. You use the ruleset for the POP3-client proxy action to put limits on file names for outgoing email attachments. If the default ruleset does not meet all of your business needs, you can add, delete, or modify rules. 1 From the Categories section, select Filenames. 2 Add, delete, or modify rules, as described in “Working with Rules and Rulesets” on page 251. User Guide 225 POP3 Proxy 3 After you are finished with your changes to the ruleset, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. Enter a name for the new action and click OK. The New Policy Properties dialog box appears. 4 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. The New Policy Properties dialog box appears. POP3 proxy: Headers The POP3 proxy examines email headers to find patterns common to forged email messages as well as those from legitimate senders. If the default ruleset does not meet all of your business needs, you can add, delete, or modify rules: 226 1 From the Categories section, select Headers. 2 Add, delete, or modify rules, as described in “Working with Rules and Rulesets” on page 251. 3 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For WatchGuard System Manager POP3 Proxy more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. The New Policy Properties dialog box appears. 4 If you want to change settings for one or more other categories, go to the section in this document on that category. POP3 proxy: Antivirus responses If you have purchased and enabled the Gateway AntiVirus feature, the fields in the AntiVirus category set the actions necessary if a virus is found in an email message. It also sets actions for when an email message contains an attachment that the Firebox cannot scan. User Guide 227 POP3 Proxy Although you can use the proxy definition screens to activate and configure Gateway AntiVirus, it is easier to use the Tasks menu in Policy Manager. For more information on how to do this, or to use the antivirus screens in the proxy definition, see the “Signature-Based Security Services” chapter. POP3 proxy: Deny message The Firebox gives a default deny message that replaces denied content. You can replace that deny message with one that you write. The first line of the deny message is a section of the HTTP header. You must include an empty line between the first line and the body of the message. 1 From the Categories section, select Deny Message. 2 In the Deny Message block, you can write a custom plain text message with standard HTML that will appear in the recipient email when the proxy blocks that email. You can use these variables: %(reason)% Puts the cause for the Firebox to deny the content. %(type)% Puts the type of content that was denied. %(filename)% Puts the file name of the denied content. %(virus)% Puts the name or status of a virus, for Gateway AntiVirus users only. %(action)% Puts the name of the action taken: lock, strip, and so on. 228 WatchGuard System Manager POP3 Proxy %(recovery)% Puts whether you can recover the attachment. 3 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. The New Policy Properties dialog box appears. POP3 proxy: Intrusion prevention If you have purchased and enabled the Intrusion Prevention feature, the fields in the Intrusion Prevention category set the actions necessary to find and stop intrusions. User Guide 229 POP3 Proxy Although you can use the proxy definition screens to activate and configure IPS, it is easier to use the Tasks menu in Policy Manager to do this. For more information on how to do this, or to use the IPS screens in the proxy definition, see the “Signature-Based Security Services” chapter. POP3 proxy: spamBlocker Unwanted email, also known as spam, fills the average inbox at an astonishing rate. A large volume of spam decreases bandwidth, degrades employee productivity, and wastes network resources. The WatchGuard spamBlocker option increases your capacity to catch spam at the edge of your network when it tries to come into your system. If you have purchased and enabled the spamBlocker feature, the fields in the spamBlocker category set the actions for email messages identified as spam 230 WatchGuard System Manager POP3 Proxy Although you can use the proxy definition screens to activate and configure spamBlocker, it is easier to use the Tasks menu in Policy Manager to do this. For more information on how to do this, or to use the spamBlocker screens in the proxy definition, see the “spamBlocker” chapter. POP3 proxy: Proxy and AV alarms With WatchGuard System Manager, you can create custom alarm rules for each policy. These rules tell the Firebox the events for which it must trigger a notification message. Notification can occur through email, a pop-up window on the WatchGuard management station, or with a Simple Network Management Protocol (SNMP) trap. An SNMP trap is a notification event issued by a managed device to the network SNMP manager when a significant event occurs. You can set the action the Firebox does when proxy or antivirus (AV) alarm events occur: 1 From the Categories section, select Proxy and AV Alarms. 2 For information on fields in the Proxy/AV Alarm Configuration section, see “Logging and Notification in Proxy Definitions” on page 97. 3 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For User Guide 231 FTP Proxy more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. The New Policy Properties dialog box appears. POP3 proxy: Finishing and saving the configuration 1 When you are done with all changes for all categories of the proxy, click OK to close the New Policy Properties or Edit Policy Properties dialog box. 2 Save the configuration to the Firebox. To do this, select File > Save > To Firebox. The Save dialog box appears with the default location for configuration files. You can change the name of the configuration file if you choose. 3 Click Save. 4 You are prompted for the configuration passphrase. Type it and click OK. FTP Proxy File Transfer Protocol (FTP) is used to send files from one computer to a different computer over a TCP/ IP network. The FTP client is usually a computer. The FTP server can be a resource that keeps files on the same network or on a different network. The FTP client can be in one of two modes for data transfer: active or passive. In active mode, the server starts a connection to the client on source port 20. In passive mode, the client uses a previously negotiated port to connect to the server. The Fireware FTP proxy monitors and scans these FTP connections between your users and FTP servers they connect to. To add the FTP proxy to your Firebox configuration, see “Adding a Proxy to your Firebox Configuration” on page 211. Then, if you choose, modify the rulesets for the proxy, as described in subsequent sections. 232 WatchGuard System Manager FTP Proxy FTP proxy: General settings On the General page (the page that first appears after you click the View/Edit Proxy icon), you can set basic FTP parameters including maximum user name length. 1 From the Categories section, select General. 2 To set limits for FTP parameters, select the applicable check boxes. These settings help to protect your network from buffer overflow attacks. Use the arrows to change the limits: Set the maximum user name length to Sets a maximum length for user names on FTP sites. Set the maximum password length to Sets a maximum length for passwords used to log in to FTP sites. Set the maximum file name length to Sets the maximum file name length for files to upload or download. Set the maximum command line length to Sets the maximum length for command lines used on FTP sites. Set the maximum number of failed logins per connection to Allows you to limit the number of failed connection requests to your FTP site. This can protect your site against brute force attacks. 3 For each setting, you can set or clear the Auto-block check box next to it. If someone tries to connect to an FTP site and exceeds a limit whose Auto-block check box is selected, the computer that sent the commands is added to the temporary Blocked Sites list. 4 To create a log message for each transaction, select the Turn on logging for Historical Reports check box. You must select this option to get detailed reports on FTP traffic with Historical Reports. User Guide 233 FTP Proxy 5 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. The New Policy Properties dialog box appears. FTP proxy: Commands FTP has a number of commands to manage files. You can configure rules to put limits on some FTP commands. Use the FTP-Server proxy action to put limits on commands that can be used on an FTP server protected by the Firebox. Use the FTP-Client proxy action to put limits on commands that users protected by the Firebox can use when they connect to external FTP servers. The default configuration of the FTP-Client is to allow all FTP commands. If the default ruleset does not meet all of your business needs, you can add, delete, or modify rules. You usually should not block these commands, because they are necessary for the FTP protocol to work correctly. Protocol Command Client Command Description USER n/a Sent with login name PASS n/a Sent with password PASV pasv Select passive mode for data transfer SYST syst Print the server’s operating system and version. FTP clients use this information to correctly interpret and show a display of server response. 1 From the Categories section, select Commands. 2 Add, delete, or modify rules, as described in “Working with Rules and Rulesets” on page 251. 3 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. The New Policy Properties dialog box appears. FTP proxy: Download Download rules control the files that users can use FTP to download. Use the FTP-Server proxy action to control download rules for an FTP server protected by the Firebox. Use the FTP-Client proxy action to set download rules for users connecting to external FTP servers. If the default ruleset does not meet all of your business needs, you can add, delete, or modify rules: 234 1 From the Categories section, select Download. 2 Add, delete, or modify rules, as described in “Working with Rules and Rulesets” on page 251. WatchGuard System Manager FTP Proxy 3 If you want downloaded files to be scanned for viruses by Gateway AntiVirus, set one or more Actions to take fields to AV Scan. FTP proxy: Upload Upload rulesets control the files that users can use FTP to upload. Use the FTP-Server proxy action to control upload rules for an FTP server protected by the Firebox. Use the FTP-Client proxy action to set upload rules for users who connect to external FTP servers. The default configuration of the FTP-Client is to allow all files to be uploaded. If the default ruleset does not meet all of your business needs, you can add, delete, or modify rules: 1 From the Categories section, select Upload. 2 Add, delete, or modify rules, as described in “Working with Rules and Rulesets” on page 251. 3 If you want uploaded files to be scanned for viruses by Gateway AntiVirus, set one or more Actions to take fields to AV Scan. 4 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. The New Policy Properties dialog box appears. FTP proxy: Antivirus responses If you have purchased and enabled the Gateway AntiVirus feature, the fields in the AntiVirus category set the actions necessary if a virus is found in a file that is uploaded or downloaded. Although you can use the proxy definition screens to activate and configure Gateway AntiVirus, it is easier to use the Tasks menu in Policy Manager to do this. For more information on how to do this, or to use the antivirus screens in the proxy definition, see the chapter “Signature-Based Security Services.” User Guide 235 FTP Proxy FTP proxy: Intrusion prevention If you have purchased and enabled the Intrusion Prevention feature, the fields in the Intrusion Prevention category set the actions necessary to find and stop intrusions. Although you can use the proxy definition screens to activate and configure IPS, it is easier to use the Tasks menu in Policy Manager to do this. For more information on how to do this, or to use the IPS screens in the proxy definition, see the chapter “Signature-Based Security Services.” FTP proxy: Proxy and AV alarms An alarm is a mechanism to tell a network administrator when network traffic matches criteria for suspicious traffic or content. When an alarm event occurs, the Firebox takes an action that you configure. For example, you can set a threshold value for file length. If the file is larger than the threshold value, the Firebox can send a log message to the Log Server. 1 From the Categories section, select Proxy and AV Alarm. 2 For information on fields in this section, see “Logging and Notification in Proxy Definitions” on page 97. 3 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. The New Policy Properties dialog box appears. 236 WatchGuard System Manager HTTP Proxy FTP proxy: Finishing and saving the configuration 1 When you are done with all changes for all categories of the proxy, click OK to close the New Policy Properties or Edit Policy Properties dialog box. 2 Save the configuration to the Firebox. To do this, select File > Save > To Firebox. The Save dialog box appears with the default location for configuration files. You can change the name of the configuration file if you choose. 3 Click Save. 4 You are prompted for the configuration passphrase. Type it and click OK. HTTP Proxy Hyper Text Transfer Protocol (HTTP) is a request/response protocol between clients and servers. The HTTP client is usually a web browser. The HTTP server is a remote resource that keeps or creates HTML files, images, and other content. When the HTTP client starts a request, it establishes a Transmission Control Protocol (TCP) connection on port 80. An HTTP server listens for requests on port 80. When it receives the request from the client, the server replies with the requested file, an error message, or some other information. The HTTP proxy is a high performance content filter. It examines web traffic to identify suspicious content which can be a virus, spyware, or other type of intrusion. It can also protect your web server from attacks from the external network. To add the HTTP proxy to your Firebox configuration, see “Adding a Proxy to your Firebox Configuration” on page 211. Then, if you choose, modify the rulesets for the proxy, as described in subsequent sections. User Guide 237 HTTP Proxy HTTP requests: General settings On the General Settings page (the page that first appears after you click the View/Edit Proxy icon), you can set basic HTTP parameters such as idle time out and URL length. Set the connection idle timeout to Select this check box to control how long the HTTP proxy waits for the web client to make a request for something from the external web server after it starts a TCP/IP connection or after the earlier request, if there was one, for the same connection. If it goes longer than the setting, the HTTP proxy closes the connection. In the adjacent field, enter the number of minutes before the proxy times out. Set the maximum URL path length to Select to set a maximum length for the path component of a URL. This does not include the “http:\\” or host name. Control of the URL length can help to prevent buffer overflow attacks. In the adjacent field, enter the number of bytes for the maximum URL length. Allow range requests through unmodified Select to allow range requests through the Firebox. Range requests allow a client to request subsets of the bytes in a web resource instead of the full content. For example, if you want only some sections of a large Adobe file but not the whole file, the download occurs more quickly and prevents the download of unnecessary pages if you can request only what you need. However, range requests can be a risk for your network. If you allow range requests through the Firebox and download a file infected with a virus whose signature is divided between two pages, antivirus software will not detect the virus. Select Log this action if you want to add a traffic log message when the proxy takes the action indicated in the check box for range requests. 238 WatchGuard System Manager HTTP Proxy Turn on logging for Historical Reports Creates a traffic log message for each transaction. This option creates a large log file, but this information is very important if your firewall is attacked. If you do not select this check box, you do not see detailed information about HTTP proxied connections in Historical Reports. 5 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. The New Policy Properties dialog box appears. HTTP requests: Request methods Most browser HTTP requests are in one of two categories: GET and POST operations. Browsers usually use GET operations to download objects such as a graphic, HTML data, or Flash data. More than one GET is usually sent by a client computer for each page, because web pages usually contain many different elements. The elements are put together to make a page that appears as one page to the end user. Browsers usually use POST operations to send data to a web site. Many web pages get information from the end user such as location, email address, and name. If you disable the POST command, the Firebox denies all POST operations to web servers on the external network. This feature can prevent your users from sending information to a web site on the external network. If webDAV extensions (described below) are not enabled, the HTTP proxy supports request methods: HEAD, GET, POST, OPTIONS, PUT, and DELETE. For HTTP-Server, the proxy supports these request methods by default: HEAD, GET, and POST. OPTIONS, PUT, and DELETE are added but are disabled by default. 1 From the Categories section, select Request Methods. 2 Web-based Distributed Authoring and Versioning (webDAV) is a set of HTTP extensions that allows users to edit and manage files on remote web servers. WebDAV is compatible with Outlook Web Access (OWA). Select the Enable webDAV check box if you want to allow your users to use these extension. Many extensions to the base webDAV protocol are also available. If you enable webDAV, from the adjacent check box, select whether you want to enable only the extensions described in RFC 2518 or if you want to include an additional set of extensions to maximize interoperability. 3 Add, delete, or modify rules, as described in “Working with Rules and Rulesets” on page 251. 4 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. User Guide 239 HTTP Proxy or If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. The New Policy Properties dialog box appears. HTTP requests: URL paths You use URL path rules to filter the content of the host, path, and query-string components of a URL. If the default ruleset does not meet all of your business needs, you can add, delete, or modify rules. Here are examples of how to block content using HTTP request URL paths: • To block all pages that have the host name www.test.com, type the pattern: www.test.com* • To block all paths containing the word “sex”, on all web sites: *sex* • To block URL paths ending in “*.test”, on all web sites: *.test Usually, if you filter URLs with the HTTP request URL path ruleset, you must configure a complex pattern that uses full regular expression syntax from the advanced view of a ruleset. It is easier and gives better results to filter based on header or body content type than it is to filter by URL path. 1 From the Categories section, select URL paths. 2 Add, delete, or modify rules, as described in “Working with Rules and Rulesets” on page 251. 3 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. The New Policy Properties dialog box appears. HTTP requests: Header fields This ruleset supplies content filtering for the full HTTP header. By default, the HTTP proxy uses exact matching rules to strip Via and From headers, and allows all other headers. This ruleset matches against the full header, not only the name. Thus, to match all values of a header, type the pattern: “[header name]:*”. To match only some values of a header, replace the asterisk (*) wildcard with a pattern. If your pattern does not start with an asterisk (*) wildcard, include one space between the colon and the pattern when typing in the Pattern text box. For example, type: [header name]: [pattern] and not [header name]:[pattern]. Note that the default rules do not strip the Referer header, but do include a disabled rule to strip this header. To enable the rule, select Change View. Some web browsers and software applications must use the Referer header to operate correctly. 240 1 From the Categories section, select Header Fields. 2 Add, delete, or modify rules, as described in “Working with Rules and Rulesets” on page 251. 3 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or WatchGuard System Manager HTTP Proxy If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. The New Policy Properties dialog box appears. HTTP requests: Authorization This rule sets the criteria for content filtering of HTTP Request Header authorization fields. When a web server starts a “WWW-Authenticate” challenge, it sends information about which authentication methods it can use. The proxy puts limits on the type of authentication sent in a request. It uses only the authentication methods that the web server accepts. With a default configuration, the Firebox allows Basic, Digest, NTLM, and Passport1.4 authentication, and strips all other authentication. If the default ruleset does not meet all of your business needs, you can add, delete, or modify rules: 1 From the Categories section, select Authorization. 2 Add, delete, or modify rules, as described in “Working with Rules and Rulesets” on page 251. 3 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. The New Policy Properties dialog box appears. HTTP responses: General settings You use the General Settings fields to configure basic HTTP parameters such as idle time out and limits for line and total length. 1 From the Categories section, select General Settings. 2 To set limits for HTTP parameters, select the applicable check boxes. Use the arrows to set the limits: Set the timeout to Controls how long the Firebox HTTP proxy waits for the web server to send the web page. Set the maximum URL length to Controls the maximum allowed length of a line of characters in the HTTP response headers. Use this property to protect your computers from buffer overflow exploits. Because URLs for many commerce sites continue to increase in length over time, you may need to adjust this value in the future. Set the maximum total length to Controls the maximum length of the HTTP response headers. If the total header length is more than this limit, the HTTP response is denied. 3 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For User Guide 241 HTTP Proxy more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. The New Policy Properties dialog box appears. HTTP responses: Header fields This ruleset controls which HTTP response header fields the Firebox allows. If the default ruleset does not meet all of your business needs, you can add, delete, or modify rules. RFC 2616 describes many of the HTTP response headers that are allowed in the default configuration. For more information, see: http://www.ietf.org/rfc/rfc2616.txt 1 From the Categories section, select Header Fields. 2 Add, delete, or modify rules, as described in “Working with Rules and Rulesets” on page 251. 3 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. The New Policy Properties dialog box appears. HTTP responses: Content types When a web server sends HTTP traffic, it usually adds a MIME type to the response. The HTTP header on the data stream contains this MIME type. It is added before the data is sent. This ruleset sets rules for the content type (MIME type) allowed in HTTP response headers. By default the Firebox allows some safe content types, and denies MIME content that has no specified content type. Some web servers supply incorrect MIME types to get around content rules. If the default ruleset does not meet all of your business needs, you can add, delete, or modify rules: 1 From the Categories section, select Content Types. 2 Add, delete, or modify rules, as described in “Working with Rules and Rulesets” on page 251. 3 The HTTP proxy includes a list of commonly used content types that you may want to add to the ruleset. To add content types, click the Predefined button. The Select Content Type dialog box appears. Select the type or types you want to add, and click OK. The new types appear in the Rules box. For a list of current, registered MIME types, go to www.iana.org/assignments/media-types 4 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. The New Policy Properties dialog box appears. 242 WatchGuard System Manager HTTP Proxy HTTP responses: Cookies HTTP cookies are small files of alphanumeric text put by web servers on web clients. Cookies monitor the page a web client is on to enable the web server to send more pages in the correct sequence. Web servers also use cookies to collect information about an end user. Many web sites use cookies for authentication and other legitimate functions and cannot operate correctly without cookies. This ruleset gives you control of the cookies in HTTP responses. You can configure rules to strip cookies, based on your network requirements. The default rule for the HTTP-Server and HTTP-Client proxy action allows all cookies. If the default ruleset does not meet all of your business needs, you can add, delete, or modify rules. The Cookies ruleset looks for packets based on the domain associated with the cookie. The domain can be specified in the cookie. If there is no domain in the cookie, the proxy uses the host name in the first request. Thus, to block all cookies for nosy-adware-site.com, add a rule with the pattern: “*.nosyadware-site.com”. 1 From the Categories section on the left, select Cookies. 2 Add, delete, or modify rules, as described in “Working with Rules and Rulesets” on page 251. 3 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. The New Policy Properties dialog box appears. HTTP responses: Body content types This ruleset gives you control of the content in an HTTP response. The Firebox is configured to deny Java bytecodes, Zip archives, Windows EXE/DLL files, and Windows CAB files. The default proxy action for outgoing HTTP requests (HTTP-Client) allows all other response body content types. If the default ruleset does not meet all of your business needs, you can add, delete, or modify rules. We recommend that you examine the file types that are used in your organization and allow only those file types that are necessary for your network. 1 From the Categories section, select Body Content Types. 2 Add, delete, or modify rules, as described in “Working with Rules and Rulesets” on page 251. 3 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. The New Policy Properties dialog box appears. User Guide 243 HTTP Proxy HTTP proxy: Exceptions You can add host names or host name patterns for which proxy actions are not taken even if the site matches a rule. For example, if you block all web sites that end in “,test” but want to allow your users to go to the site www.abc.test, you can add “www.abc.test” as an HTTP proxy exception. 1 From the Categories section, select HTTP Proxy Exceptions. 2 In the field to the left of the Add button, type the host name or host name pattern. Click Add. Repeat for additional exceptions you want to add. 3 If you want to add a traffic log message each time the HTTP proxy takes an action on a proxy exception, select the Log each transaction that matches an HTTP proxy exception check box. 4 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. The New Policy Properties dialog box appears. HTTP proxy: Antivirus responses If you have purchased and enabled the Gateway AntiVirus feature, the fields in the AntiVirus category set the actions necessary if a virus is found in a web site or when the Firebox cannot scan a web site. Although you can use the proxy definition screens to activate and configure Gateway AntiVirus, it is easier to use the Tasks menu in Policy Manager to do this. For more information on how to do this, or to use the antivirus screens in the proxy definition, see the chapter “Signature-Based Security Services.” HTTP proxy: Deny message The Firebox gives a default deny message that replaces the content that is denied. You can replace that deny message with one that you write. You can customize the deny message with standard HTML. You 244 WatchGuard System Manager HTTP Proxy can also use UTF-8 in the deny message. The first line of the deny message is a component of the HTTP header. You must include an empty line between the first line and the body of the message. 1 From the Categories section, select Deny Message. 2 Type the deny message in the deny message box. You can use these variables: %(transaction)% Puts “Request” or “Response” to show which side of the transaction caused the packet to be denied. %(reason)% Puts the reason the Firebox denied the content. %(method)% Puts the request method from the denied request. %(url-host)% Puts the server host name from the denied URL. If no host name was included, the IP address of the server is given. %(url-path)% Puts the path component of the denied URL. 3 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. The New Policy Properties dialog box appears. User Guide 245 DNS Proxy HTTP proxy: Intrusion prevention If you have purchased and enabled the Intrusion Prevention feature, the fields in the Intrusion Prevention category set the actions necessary to find and stop intrusions. Although you can use the proxy definition screens to activate and configure IPS, it is easier to use the Tasks menu in Policy Manager to do this. For more information on how to do this, or to use the IPS screens in the proxy definition, see the chapter “Signature-Based Security Services.” HTTP proxy: Proxy and AV alarms Use these settings to set criteria for a notification event: 1 From the Categories section, select Proxy and AV Alarms. 2 For information on fields in the Proxy/AV Alarm Configuration section, see “Logging and Notification in Proxy Definitions” on page 97. 3 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. The New Policy Properties dialog box appears. Finishing and saving the HTTP configuration 1 When you are done with all changes for all categories of the proxy, click OK to close the New Policy Properties or Edit Policy Properties dialog box. 2 Save the configuration to the Firebox. To do this, select File > Save > To Firebox. The Save dialog box appears with the default location for configuration files. You can change the name of the configuration file if you choose. 3 Click Save. 4 You are prompted for the configuration passphrase. Type it and click OK. DNS Proxy With the Domain Name System (DNS), you can get access to a web site with an easy-to-remember “dotcom” name. DNS finds the Internet domain name (for example WatchGuard.com) and changes it to an IP address. The DNS proxy protects your DNS servers from TSIG, NXT, and other DNS attacks. To add the DNS proxy to your Firebox configuration, see “Adding a Proxy to your Firebox Configuration” on page 211. Then, if you choose, modify the rulesets for the proxy, as described in subsequent sections. 246 WatchGuard System Manager DNS Proxy DNS proxy: General settings On the General page (the page that first appears after you click the View/Edit Proxy icon) you can change the settings of two protocol anomaly detection rules. Not of class Internet Select the action to do when the proxy examines DNS traffic that is not of the Internet (IN) class. The default action is to deny this traffic. We recommend that you do not change this default action. Badly formatted query Select the action when the proxy examines DNS traffic that does not use the correct format. Alarm An alarm is a mechanism to tell users when a proxy rule applies to network traffic. Select the Alarm check box to configure an alarm for this event. To set the options for the alarm, select Proxy Alarm from the Categories list on the left side of a Proxy Configuration window. You can send an SNMP trap, send email, or open a pop-up window. Log Select this check box to write a message to the traffic log for this event. Turn on logging for Historical Reports Creates a traffic log message for each transaction. This option creates a large log file, but this information is very important if your firewall is attacked. If you do not select this check box, you do not see detailed information about HTTP proxied connections in Historical Reports. If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. DNS proxy: OPcodes DNS OPcodes (operation codes) are commands given to the DNS server that tell it to do some action, such as a query (Query), an inverse query (IQuery), or a server status request (STATUS). They operate on items such as registers, values in memory, values stored on the stack, I/O ports, and the bus. If the default ruleset does not meet all of your business needs, you can add, delete, or modify rules. You can allow, deny, drop, or block specified DNS OPcodes. 1 From the Categories section, select OPCodes. 2 For the rules listed, select the Enabled check box to enable a rule. Clear the Enabled check box to disable a rule. User Guide 247 DNS Proxy If you use Active Directory and your Active Directory configuration requires dynamic updates, you must allow DNS OPcodes in your DNS-Incoming proxy action rules. This is a security risk, but can be necessary for Active Directory to operate correctly. Adding a new OPcodes rule 1 Click Add. The New OPCodes Rule dialog box appears. 2 Type a name for the rule. Rules can have no more than 31 characters. 3 DNS OPcodes have an integer value. Use the arrows to set the OPCode value. For more information on the integer values of DNS OPcodes, see RFC 1035. 4 Add, delete, or modify rules, as described in “Working with Rules and Rulesets” on page 251. 5 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. The New Policy Properties dialog box appears. DNS proxy: Query types A DNS query type can configure a resource record by type (such as a CNAME or TXT record) or as a custom type of query operation (such as an AXFR Full zone transfer). If the default Query Type ruleset does not meet all of your business needs, you can add, delete, or modify rules. You can allow, deny, drop, or block specified DNS query types. 248 1 From the Categories section, select Query Types. 2 To enable a rule, select the Enabled check box adjacent to the action and name of the rule. WatchGuard System Manager DNS Proxy Adding a new query types rule 1 To add a new query types rule, click Add. The New Query Types Rule dialog box appears. 2 Type a name for the rule. Rules can have no more than 31 characters. 3 DNS query types have a resource record (RR) value. Use the arrows to set the value. For more information on the values of DNS query types, see RFC 1035. 4 Add, delete, or modify rules, as described in “Working with Rules and Rulesets” on page 251. 5 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. The New Policy Properties dialog box appears. DNS proxy: Query names A DNS query name refers to a specified DNS domain name, shown as a fully qualified domain name (FQDN). If the default Query Name ruleset does not meet all of your business needs, you can add, delete, or modify rules. 1 From the Categories section, select Query Names. 2 To add more names, or to delete or modify them, see “Working with Rules and Rulesets” on page 251. 3 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. The New Policy Properties dialog box appears. User Guide 249 TCP Proxy DNS proxy: Intrusion prevention If you have purchased and enabled the Intrusion Prevention feature, the fields in the Intrusion Prevention category set the actions necessary to find and stop intrusions. Although you can use the proxy definition screens to activate and configure IPS, it is easier to use the Tasks menu in Policy Manager to do this. For more information on how to do this, or to use the IPS screens in the proxy definition, see the chapter “Signature-Based Security Services.” DNS proxy: Alarms Use these settings to set criteria for a notification event: 1 From the Categories section, select Proxy Alarm. 2 For information on how to configure notification, see “Logging and Notification in Proxy Definitions” on page 97. 3 If you want to change settings for one or more other categories in this proxy, go to the section in this document on the next category you want to modify. or If you are finished with your changes to this proxy definition, click OK. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a new action. (For more information on predefined user actions, see “Predefined and user-defined proxy actions” on page 210.) Enter a name for the new action and click OK. The New Policy Properties dialog box appears. Finishing and saving the DNS configuration 1 When you are done with all changes for all categories of the proxy, click OK to close the New Policy Properties or Edit Policy Properties dialog box. 2 Save the configuration to the Firebox. To do this, select File > Save > To Firebox. The Save dialog box appears with the default location for configuration files. You can change the name of the configuration file if you choose. 3 Click Save. 4 You are prompted for the configuration passphrase. Type it and click OK. TCP Proxy Transmission Control Protocol (TCP) is the primary protocol in TCP/IP networks. The IP protocol controls packets while TCP enables hosts to start connections and to send and receive data. The TCP proxy monitors all TCP connections and applies IPS and HTTP-client proxy actions to TCP traffic. This is particularly useful for filtering HTTP traffic on non-standard ports (ports other than port 80). To add the TCP proxy to your Firebox configuration, see “Adding a Proxy to your Firebox Configuration” on page 211. Then, if you choose, modify the rulesets for the proxy, as described in subsequent sections. TCP proxy: General settings On the General page (the page that first appears after you click the View/Edit Proxy icon), you set basic parameters for the TCP proxy. 250 WatchGuard System Manager Working with Rules and Rulesets HTTP proxy action Select the HTTP proxy action to use for TCP connections. The TCP proxy applies the HTTP proxy ruleset to all traffic that it identifies as HTTP traffic. Turn on logging for Historical Reports Creates a traffic log message for each transaction. This option creates a large log file, but this information is very important if your firewall is attacked. If you do not select this check box, you do not see detailed information about HTTP proxy connections in Historical Reports. TCP proxy: Intrusion prevention If you have purchased and enabled the Intrusion Prevention feature, the fields in the Intrusion Prevention category set the actions necessary to find and stop intrusions. Although you can use the proxy definition screens to activate and configure IPS, it is easier to use the Tasks menu in Policy Manager to do this. For more information on how to do this, or to use the IPS screens in the proxy definition, see the chapter “Signature-Based Security Services.” Finishing and saving the TCP configuration 1 When you are done with all changes for all categories of the proxy, click OK to close the New Policy Properties or Edit Policy Properties dialog box. 2 Save the configuration to the Firebox. To do this, select File > Save > To Firebox. The Save dialog box appears with the default location for configuration files. You can change the name of the configuration file if you choose. 3 Click Save. 4 You are prompted for the configuration passphrase. Type it and click OK. Working with Rules and Rulesets A rule includes a type of content, pattern, or expression to which the proxy compares traffic, and the action the Firebox® does when a component of the packet’s content matches those criteria. A ruleset is a group of rules based on one feature of a proxy such as the content types or filenames of email attachments. For basic information on rules and rulesets, see “About rules and rulesets” on page 210. When you configure a proxy, you can see the rulesets for that proxy in the Categories list. The rulesets you see change when you change the proxy action on the Properties tab of a proxy configuration window. For example, the rules for the FTP-Client action have different settings than the rules for the FTPServer action. WatchGuard proxies have predefined rulesets that provide a good balance of security and accessibility for most installations. If a default ruleset does not meet all of your business needs, you can add, delete, or modify rules. Simple and advanced views You can see rules in two ways. The simple view is shown below. You use this view to configure wildcard pattern matching with simple regular expressions. User Guide 251 Working with Rules and Rulesets To see the advanced view of the current rules, click Change View. This view shows the action for each rule. It also has buttons you can use to edit, clone (use an existing rule definition to start a new one), delete, or reset rules. You use the advanced view to configure exact match and Perl-compatible regular expressions. To go back to the simple view, click Change View again. Note that you cannot go back to simple view if the enabled rules have different action, alarm, or log settings. You must continue to use the advanced view. For example, if most rules are set to Allow but one is set to Deny, you must use the advanced view. 252 WatchGuard System Manager Working with Rules and Rulesets Adding rules (simple view) From the simple view, do these steps to add new rules: 1 In the Pattern text box, type a pattern that uses simple regular expression syntax. The wildcard for zero or more than one character is “*”. The wildcard for one character is “?”. 2 Click Add. The new rule appears in the Rules box. 3 In the Actions to take section, the If matched drop-down list sets the action to do if the contents of a packet match one of the rules in the list. The None matched drop-down list sets the action to do if the contents of a packet do not match a rule in the list. Below is a list of all possible actions. Different ones appear for different proxies or for different features of a particular proxy. For example, the actions Strip and Lock apply only to signature-based intrusion prevention actions. The AV Scan action applies to all proxies except DNS. Allow Allows the connection. Deny Denies a specific request but keeps the connection if possible. Sends a response to the sender. Drop Denies the specific request and drops the connection. Does not send a response to the sender. Quarantine Sends the email message to the Quarantine Server. (For more information, see the “Quarantine Server” chapter. Consider this option as an alternative to Lock, below. Applies only to the SMTP proxy used with spamBlocker. Block Denies the request, drops the connection, and adds the source host to the Blocked Sites list. For more information on blocked sites, see “Setting Blocked Sites” on page 176. Strip Removes an attachment from a packet and discards it. The other parts of the packet are sent through the Firebox to its destination. Lock Locks an attachment, and wraps it so that it cannot be opened by the user. Only the administrator can unlock the file. AV Scan Scans the attachment for viruses. If you select this option, Gateway AntiVirus is enabled for the policy. 4 An alarm is a mechanism to tell users when a proxy rule applies to network traffic. Use the Alarm check box to configure an alarm for this event. To set the options for the alarm, select Proxy Alarm from the Categories list on the left side of a Proxy Configuration window. You can send an SNMP trap, send email, or open a pop-up window. 5 Use the Log check box to write a message to the traffic log for this event. Adding rules (advanced view) You use the advanced view to configure exact match and Perl-compatible regular expressions. For more information about the use of regular expressions in proxy rules, see the product FAQs on the product support web site at: User Guide 253 Working with Rules and Rulesets http://www.watchguard.com/support/faqs/fireware 1 In the Proxy Action Configuration dialog box, click Add. The New <ruletype> Rule dialog box appears. The dialog box is different for different types of rules, but it generally looks like the figure below. 2 Configure the fields as follows: Rule Name Name of the rule. This field is blank if you are adding a rule, can be edited if you clone a rule, and cannot be changed if you are editing a rule. Rule Settings To match the rule text exactly, select Exact Match from the drop-down list. To match a pattern of text using wildcard characters, select Pattern Match. To match a pattern of text with a regular expression, select Regular Expression. Rule Text Type the text of the rule. If you selected Pattern Match as the rule setting, use an asterisk (*), a period (.), or a question mark (?) as wildcard characters. Action, Alarm, Log Set these fields as described in the previous section for adding rules with the simple view. Cutting and pasting rule definitions You can copy and paste text in enterable fields from one proxy definition to another. For example, suppose you write a custom deny message for the POP3 proxy. You can select the deny message, copy it, and paste it into the Deny Message box for the SMTP proxy. When you copy between proxy definitions, you must make sure the field you copy is compatible with the proxy you paste it into. Changing the order of rules The order that rules are shown in the Rules list is the same as the order in which traffic is compared to the rules. The proxy compares traffic to the first rule in the list and continues in sequence from top to bottom. When traffic matches a rule, the Firebox performs the related action. It performs no other actions, even if the traffic matches a rule later in the list. To change the sequence of rules, you must use the advanced view: 1 254 Click Change View to see the advanced view of created rules. WatchGuard System Manager Import and Export Functions for Proxies 2 Select the rule whose order you want to change. Click the Up or Down button to move the rule up or down in the list. Modifying the default rule If traffic does not match any of the rules you have defined for a proxy category, the Firebox uses the default rule. This rule appears at the bottom of any list of rules when you use the advanced view. To modify the default rule: 1 Select it and click Edit. The Edit Default Rule dialog box appears. 2 You can change the action for the default rule, and whether the action triggers an alarm or a log message. You cannot change the name “Default” or the order of the rule. It must be the last rule in the list. 3 Click OK. Import and Export Functions for Proxies WatchGuard proxies support several import and export functions. You can import and export policy actions and rulesets. User Guide 255 Import and Export Functions for Proxies Importing and exporting user-defined proxy actions If you manage several Fireboxes and have user-defined proxy actions for them, you can use the policy action import/export function to save time. You can define custom proxy actions on one Firebox, export them to an ASCII file, and then import them to another Firebox. The Firebox for which you created the policies must run the same version of WSM as the version of Policy Manager you use to import the proxy actions. You cannot import a proxy action from an old version into the current version. 1 On the first Firebox, create the user-defined proxy actions that you need. 2 From the Proxy Actions dialog box, click Export. You do not need to select the user-defined actions. The Export function automatically exports all custom actions regardless of which proxy action is actually selected. 3 In the Save dialog box, select where you want to save the proxy actions file. Type a name for the file and click Save. The default location is My Documents > My WatchGuard. 4 From Policy Manager on a different Firebox, from the Proxy Actions dialog box, click Import. 5 Find the file you created in step 3 and click Open. 6 If user-defined proxy actions are already defined in the current Policy Manager, you are asked whether you want to replace the existing actions or append the imported actions to the existing ones. Click Replace or Append. If you click Replace, the existing user-defined proxy actions are deleted and replaced with the new actions. If you click Append, both the existing and the imported actions are listed in on the dialog box. Importing and exporting rulesets If you want to copy rulesets between or within proxies, you can define the rules once for one proxy or category, export them to an XML file, and then import them to a new proxy or category. For example, you can export the Content Types ruleset of an HTTP proxy action, and then import it to the Content Types ruleset of an SMTP proxy action. Or, you can export the SMTP Mail From ruleset to the SMTP Mail To ruleset. You can copy rulesets only between proxies or categories within these four groups. Other combinations are not compatible. Content Types Filenames Addresses Authentication HTTP Content Types SMTP Content Types POP3 Content Types FTP Download FTP Upload HTTP URL Paths SMTP Filenames POP3 Filenames SMTP Mail From SMTP Mail To SMTP Authentication POP3 Authentication 1 Create the rulesets that you need for one proxy or category. 2 If necessary, click Change View to see the advanced view of the ruleset. Click Export. In the Save dialog box, select where you want to save the XML file. Type a name for the file and click Save. The default location is My Documents > My WatchGuard. 256 WatchGuard System Manager Import and Export Functions for Proxies 3 From the new proxy or category, click Import. 4 Find the file you created in step 2 and click Open. 5 If rules are already defined in the new category or proxy, you are asked whether you want to clear the old ruleset first. If you click Yes, the existing rules are deleted and replaced with the new ones. If you click No, both the existing and the imported rules are included in the ruleset. User Guide 257 Import and Export Functions for Proxies 258 WatchGuard System Manager 15 Historical Reports Historical Reports is a tool that makes summaries and reports from the data kept in Firebox® log files. You can use these reports to learn about Internet usage. You also can measure bandwidth and see which users and software applications use the most bandwidth. Historical Reports creates reports from the log files that are recorded on the WatchGuard® Log Server. With the advanced features of Historical Reports, you can: • Set a specified time period for a report. • Customize the report with data filters. • Consolidate different log files to create a report for a group of Fireboxes. • Show the report data in different formats. Creating and Editing Reports When you make a report, you configure a group of settings that is used to create a report on a schedule that you select. This section shows you how to create, edit, and delete reports, and how to create a backup file of your report settings. Starting Historical Reports 1 From the WatchGuard System Manager toolbar, click the Historical Reports icon. You can also select Tools > Logs > Historical Reports. The Historical Reports dialog box appears. User Guide 259 Creating and Editing Reports Starting a new report 1 From Historical Reports, click Add. The Report Properties dialog box appears. 2 Type the report name. The report name appears in Historical Reports and in the name of the output file. 3 Use the text box in the Log Directory to give the location of the log files. The default location for the log files is the path: C:\Documents and Settings\WatchGuard\logs. 4 If you want to search subdirectories of the folder specified in the previous steps, select the Search subdirectories for matching Firebox logs check box. 5 Use the text box in the Output Directory to give the location of the output files. The default location for the output files is C:\Documents and Settings\WatchGuard\reports. 6 If you want to use a filter instead of displaying all data, select the filter. For more information on the filters, refer to “Using Report Filters” on page 265. 7 To select the output type used when you export the report, click HTML Report or NetIQ Export. For more information on output types, refer to “Exporting Reports” on page 267. 260 8 To show the report in your default web browser after the report is created, select the Execute Browser Upon Completion check box. 9 Click the Firebox tab. WatchGuard System Manager Creating and Editing Reports 10 If you want to run a report for a Firebox® that uses Fireware appliance software, type the Firebox host name and click Add. If you want to run a report for a Firebox that uses WFS appliance software, type the IP address of the Firebox and click Add. When you create a report with consolidated sections, you must use only WFS Fireboxes or Fireboxes using Fireware®. You cannot run a report that includes data from both WFS and Fireware in one report. To find your Firebox host name, from Policy Manager select Setup > System and look at the Name text box. If you type an IP address, type all the numbers and the periods. Do not use the TAB or the arrow key. 11 Use the other tabs to set the report properties. For more information, see “Setting Report Properties” on page 262. 12 When you are done with the report configuration, click OK. The name of the report appears in the list of the reports. Editing an existing report You can change the definition of a report. 1 From Historical Reports, select the report to change. Click Edit. The Report Properties dialog box appears. 2 Change the report definition. For more information, see “Setting Report Properties” on page 262. To see the function of a specific item, right-click it, and then click What’s This?. Deleting a report You can remove a report from the list of available reports. From Historical Reports, select the report to change. Click Remove. This removes the <report name>.rep file from the path: C:\Documents and Settings\WatchGuard\report-defs. Viewing the reports list To see all the reports, click Reports Page. The reports appear in your default browser. You can move through all the reports in the list. User Guide 261 Setting Report Properties Backing up report definition files Report definition files contain the settings for the reports you create. It is a good idea to create regular, frequent backup files of your report definition files. This can save you time later if you want to move your Log Server to a different computer. To create a backup file of your report definitions, copy the contents of the Documents and Settings\WatchGuard\report-defs folder to an archive file. Keep it in a safe place. Setting Report Properties You use the Report Properties dialog box to configure many properties of reports. Specifying a report time span When you create a report, the report includes data from the full log file, unless you change the time span. On the Time Filters dialog box, use the drop-down list to select a time span, for example “yesterday” or “today.” You also can manually configure the start and end time. To make the report include data from only the specified time span: 1 In the Report Properties dialog box, click the Time Filters tab. 2 Select the time-stamp to appear on your report: Local Time or GMT. 3 From the Time Span drop-down list, select the time interval for the report. 4 If you did not select Specify Time Filters in the Time Span drop-down list, click OK. If you did select Specify Time Filters, click the Start and the End drop-down lists and select a start and an end time. Click OK. Specifying report sections You can select the information to show in the report using the Sections tab on the Report Properties dialog box. 1 262 From Historical Reports, click the Sections tab. WatchGuard System Manager Setting Report Properties 2 Select the check boxes for the sections to include in the report. To see the contents of each section, refer to the “Report Sections and Consolidated Sections” on page 268. 3 (Optional) To include the authentication names for the IP addresses of Firebox authenticated users, select the Authentication Resolution on IP addresses check box. You must have user authentication enabled to create reports with resolution from IP address to user name. More time is necessary to create a report with resolution enabled. 4 (Optional) To include DNS names for IP addresses, select the DNS Resolution on IP addresses check box. This information is included only for IP addresses for which DNS information can be resolved. Consolidating report sections In the Consolidated Sections tab you can select which information to include in a report. You can get: • A vertical look at data, for each of a group of Fireboxes • A horizontal or cumulative look at data, put together for a group of Firebox devices. To consolidate report sections: 1 In the Report Properties dialog box, select the Consolidated Sections tab. The tab has a list of report sections that you can put together. For descriptions of the contents of these sections, see “Report Sections and Consolidated Sections” at the end of this chapter. 2 Select the check boxes adjacent to the sections to include in the report. Clear the check boxes for the sections to not include. 3 Click OK. User Guide 263 Setting Report Properties Setting report preferences Reports have Summary sections and Detail sections. You can control how each type of section looks to best show the information that is important to you. A report summary section can show both text and graphs. 1 From the Report Properties dialog box, select the Preferences tab. 2 In the Elements to Graph text box, type the number of data points (items) to show as a graph in the report. As an example, if you have 45 hosts, graph the top 10 and list the remaining hosts as “other”. The default number is 10. 3 In the Elements to Rank text box, type the number of items to put in the table. The default number is 100. 4 Select the type of graph to use in the report. 5 Select how to sort the proxied summary data: by bandwidth or by connections. 6 Type the number of records to show on each page of the detail sections. The default number is 1,000 records. 7 264 Click OK. WatchGuard System Manager Using Report Filters Viewing network interface relationships On the Inbound Traffic tab, you see all possible network interface relationships that the Firebox considers to be incoming. For example, traffic that comes from the optional network to the trusted network is considered incoming traffic. If you want to remove a relationship from the list, select it and click Remove. You also can add your own source and destination pair to the list. Click Add and type the new source and destination you want to set as incoming. Using Report Filters A report includes data from the full log file unless you create and use report filters. You can use a report filter to show only data about specified hosts, services, or users. A filter can be one of two types: Include To make a report that includes records with the properties set in the Host, the Service, or the User Report Filters tabs. Exclude To make a report that does not include records with the properties set in the Host, the Service, or the User Report Filters tabs. You can set a filter to Include or Exclude data in a report with three properties: Host Host IP address Port Service name or port number User Authenticated user name User Guide 265 Using Report Filters Creating a new report filter Use Historical Reports to make a new report filter. Filters are stored in the WatchGuard® installation directory at C:\Documents and Settings\Watchguard\report-defs with the file extension.ftr. 1 From Historical Reports, click Filters. The Filters dialog box appears. 2 Click Add. The Add Report Filter dialog box appears. 3 Type the name of the filter. This name appears in the Filter drop-down list on the Report Properties tab. 4 Select the filter type. As an example, if you have 45 hosts, graph the first 10 and list the remaining hosts as “other.” For a description of include and exclude, see above. 5 Complete the Filter tabs. To see the function of each item, right-click it, and then click What’s This?. 6 When finished, click OK. The name of the filter appears in the list of the filters. The Filter Name.ftr file is in My Documents\My WatchGuard\Shared WatchGuard\report-defs. Editing a report filter You can change the properties of a filter. From the Filters dialog box in Historical Reports: 1 Select the filter to change. Click Edit. The Add Report Filter dialog box appears. 2 Change the filter properties. To see the function of each property, right-click it, and then click What’s This?. 266 WatchGuard System Manager Running Reports Deleting a report filter To remove a filter from the list of filters, select the filter. Click Delete. This removes the .ftr file from the \report-defs directory. Applying a report filter Each report can use only one filter. To apply a filter, open the report properties. 1 From Historical Reports, select the report to apply a filter to. Click Edit. 2 Use the Filter drop-down list to select a filter. Only if you make a filter in the Filters dialog box will it appear in the drop-down list. For more information, see “Creating a new report filter” on page 266. 3 Click OK. Save the new report to the ReportName.rep file in the report-defs directory. When you run the report, the filter is applied. Running Reports 1 From Historical Reports, select the check box adjacent to each report that you want to run. 2 Click Run. If the Turn on logging for Historical Reports check box in each proxy action is not selected, you do not see detailed information about proxied connections in your reports. See the “Proxy Policies” chapter for more information. Exporting Reports You can export a report to two formats: HTML and NetIQ. You can find all reports in the path C:\Documents and Settings\WatchGuard\reports. User Guide 267 Report Sections and Consolidated Sections Exporting reports to HTML format If you select HTML Report from the Setup tab on the Report Properties dialog box, the report output is in HTML. You can go to each report section through a JavaScript menu. For this, you must enable JavaScript on your browser. The figure below shows how the report can appear in the browser. Exporting reports to NetIQ format NetIQ supplies system and security management solutions, including full reports about how the Internet is used by an organization. It measures data differently than WatchGuard® Historical Reports. To calculate Internet use report data, Historical Reports counts the number of HTTP protocol transactions. NetIQ calculates the number of URL requests. The WatchGuard HTTP proxy logging must be set to ON to supply NetIQ’s reporting tools with the information that is necessary to run a report. You can find the report in: C:\Documents and Settings\WatchGuard\reports\webtrends Report Sections and Consolidated Sections You can use Historical Reports to create a report with one or more sections. Each section includes a different type of information about network traffic. You can put together specified sections to create a summary. You can then create a report on the event log messages of a group of Firebox® devices. Report sections There are two basic types of Report sections: 268 WatchGuard System Manager Report Sections and Consolidated Sections • Summary — The sections that rank data by bandwidth or connections. • Detailed — The sections that show all traffic and events with no summary graph or rank. A list of the different types of the report sections and the consolidated sections is shown below: Firebox Statistics A summary of the statistics on one or more log files for one Firebox. Authentication Detail A list of authenticated users in the sequence of connection time. The text boxes include: - Authenticated user - Host - Start date and start time of the authenticated session - End time of the authenticated session - Length of the session Time Summary — Packet Filtered A table, and an optional graph, of all the accepted connections that is divided by user-defined intervals and time. The default time interval is each day, but you can select a different time interval. Host Summary — Packet Filtered A table, and an optional graph, of the internal and the external hosts that send packet-filtered traffic through the Firebox. The hosts show in the sequence of the volume of bytes or the number of connections. Service Summary A table, and an optional graph, of the traffic for each service in the sequence of the connection count. Session Summary — Packet Filtered A table, and an optional graph, of the top incoming and outgoing sessions. The sessions show in sequence of the volume of bytes or the number of connections. The format of the session is: client > server: service. Historical Reports tries to look up the server port with a table to show the service name. If this does not work, Historical Reports shows the port number. Time Summary — Proxied Traffic A table, and an optional graph, of all the accepted connections divided by user-defined intervals and in the sequence of the time. The default time interval is each day, but you can select a different time interval. Host Summary — Proxied Traffic A table, and an optional graph, of the internal and the external hosts that send traffic with a proxy through the Firebox. The hosts show in the sequence of the volume of bytes or the number of connections. Proxy Summary The proxies in the sequence of bandwidth or connections. Session Summary — Proxied Traffic A table, and an optional graph, of the top incoming sessions and outgoing sessions. The sessions show in the sequence of the volume of bytes or the number of connections. The format of the session is: client -> server: service. The service shows in all uppercase letters. HTTP Summary Tables, and an optional graph, of the top external domains and hosts that users connect to through the HTTP proxy. The domains and the hosts show in the sequence of the byte count or number of connections. User Guide 269 Report Sections and Consolidated Sections HTTP Detail Tables for incoming and outgoing HTTP traffic in the sequence of the time stamp. The fields are Date, Time, Client, URL Request, and Bytes Transferred. SMTP Summary A table, and an optional graph, of the top incoming and outgoing email addresses in the sequence of the volume of bytes or the number of connections. SMTP Detail A table of the incoming and the outgoing SMTP proxy traffic in the sequence of the time stamp. The fields are: Date, Time, Sender, Recipient(s), and Bytes Transferred. FTP Detail Tables for incoming and outgoing FTP traffic, in the sequence of the time stamp. The fields are Date, Time, Client, Server, FTP Request, and Bandwidth. Denied Outgoing Packet Detail A list of denied outgoing packets, in the sequence of the time. The fields are: Date, Time, Type, Client, Client Port, Server, Server Port, Protocol, and Duration. Denied Incoming Packet Detail A list of denied incoming packets, in the sequence of the time. The fields are Date, Time, Type, Client, Client Port, Server, Server Port, Protocol, and Duration. Denied Packet Summary In this section there are different tables. Each table shows the data on the host that denied packets. The data has the time of the first and the last try, the type, the server, the port, the protocol, and the number of tries. If there is only one try, the last field has no data. Denied Service Detail A list of events in which a user was denied use of a service. This list includes Incoming and Outgoing requests. WebBlocker Detail A list of URLs denied because of WebBlocker, in the sequence of time. The fields are Date, Time, User, Web Site, Type, and Category. Denied Authentication Detail A list of each denied authentication, in the sequence of the time. The fields are Date, Time, Host, and User. IPS Blocked Sites A list of the IPS blocked sites. Alarms Available for Fireware® users only, this report shows all device alarms and the problem found with each alarm. AV Detail A list of the source, sender, and virus detail for Gateway AntiVirus actions. This section is available to Fireware users who subscribe to the Gateway AV/Intrusion Prevention service. AV Summary A summary of Gateway AntiVirus actions. The fields include sender, virus detail, if the virus was cleaned, and attachment size of the email. This section is available to Fireware users who subscribe to the Gateway AV/Intrusion Prevention service. IPS Detail A list of all Intrusion Prevention Service (IPS) actions, including source, protocol, and signature detail. This section is available to Fireware users who subscribe to the Gateway AV/Intrusion Prevention service. 270 WatchGuard System Manager Report Sections and Consolidated Sections IPS Summary A summary of Intrusion Prevention Service (IPS) actions, showing percentage traffic type, source IP address, and signature category. This section is available to Fireware users who subscribe to the Gateway AV/Intrusion Prevention service. Spam Summary (Available to Fireware users who subscribe to spamBlocker) A summary of spam activity that shows the percentage of message type by spam level (confirmed/suspect/bulk/non-spam) and by action (allowed, blocked, tagged, quarantined, WB list). Also includes a list of the top 10 spam senders and spam recipients. POP3 Summary A table, and an optional graph, of incoming and outgoing POP3 traffic in the sequence of the volume of bytes or the number of connections. POP3 Detail A table of the incoming and the outgoing POP3 proxy traffic in the sequence of the time stamp. The fields are: Date, Time, Sender, Recipient(s), and Bytes Transferred. Consolidated sections Network Statistics A summary of the statistics on one or more log files for all the Fireboxes that are monitored. Time Summary — Packet Filtered A table, and an optional graph, of all accepted connections divided by user-defined intervals and in the sequence of time. The default time interval is each day, but you can select a different time interval. Host Summary — Packet Filtered A table, and an optional graph, of the internal and external hosts that send packet-filtered traffic through the Firebox. The hosts show in the sequence of the volume of bytes or the number of connections. Service Summary A table, and an optional graph, of the traffic for all services in the sequence of the connection count. Session Summary — Packet Filtered A table, and an optional graph, of the top incoming and outgoing sessions. The sessions show in the sequence of the volume of bytes or the number of connections. The format of the session is: client -> server: service. Historical Reports tries to look up the server port with a table to show the service name. If this does not work, Historical Reports shows the port number. Time Summary — Proxied Traffic A table, and an optional graph, of all the accepted connections divided by user-defined intervals and in the sequence of the time. The default time interval is each day, but you can select a different time interval. Host Summary — Proxied Traffic A table, and an optional graph, of the internal and external hosts that send traffic with a proxy through the Firebox. The hosts show in the sequence of the volume of bytes or the number of connections. Proxy Summary The proxies in the sequence of bandwidth or connections. Session Summary — Proxied Traffic A table, and an optional graph, of the top incoming sessions and outgoing sessions. The sessions show in the sequence of the volume of bytes or the number of connections. The format of the session is: client -> server: service. The service shows in all uppercase letters. User Guide 271 Report Sections and Consolidated Sections HTTP Summary Tables, and an optional graph, of the top external domains and hosts that users connect to through the HTTP proxy. The domains and the hosts show in the sequence of the byte count or the number of connections. 272 WatchGuard System Manager 16 Management Server Setup and Administration The WatchGuard® Management Server manages the VPN tunnels of a distributed enterprise from one easy-to-use management interface. The Management Server also allows you to centrally manage multiple Firebox and Firebox® X Edge devices. After you complete the setup procedures in this chapter, you can use the WatchGuard Management Server to configure and manage a Firebox device that is connected to the Management Server. You can open the correct tools from the Management Server device page to manage Firebox X Core, Firebox X Peak, Firebox III, Firebox X Edge, and SOHO 6 devices. Installing the Management Server You can install the Management Server on your management station during installation. Or, you can use the same installation procedure to install the Management Server on another computer that uses the Windows operating system. We recommend that you install the Management Server software on a computer with a static IP address that is behind a Firebox with a static external IP address. Otherwise, the Management Server may not operate correctly. WatchGuard Management Server Passphrases The WatchGuard® Management Server uses a number of passwords to protect sensitive information on its hard disk and to secure data with client systems. After you install the WatchGuard Management Server software, you must use the Management Server Setup Wizard to configure the Management Server. This wizard prompts for these passphrases: • Master passphrase • Management Server passphrase The Management Server passphrase and other automatically created passphrases are kept in a passphrase file. Master passphrase The first passphrase that you set with the Setup Wizard is the master passphrase. This passphrase protects all passphrases in the passphrase file. User Guide 273 WatchGuard Management Server Passphrases The master passphrase is used to encrypt all other passphrases that are on the hard drive of the Management Server. This prevents a person with access to the hard drive or its archived contents from getting the passphrases and using them to get access to other sensitive data on the hard drive. Select and secure the master passphrase carefully. Make sure that the master passphrase and the Management Server passphrase are not the same. You use the master passphrase when you: • Migrate the Management Server data to a new system • Restore a lost or corrupt master key file • Change the master passphrase The master passphrase is not used frequently. We recommend that you write it down and lock it in a secure location. Management Server passphrase The second passphrase that the Setup Wizard prompts for is the Management Server passphrase. This passphrase is used frequently by the administrator. You use this passphrase to connect to the Management Server and the Quarantine Server in WatchGuard System Manager. Password and key files The Management Server passphrase and all the automatically created passphrases are kept in a passphrase file. The passphrase data in this file is protected by the master passphrase. The master passphrase is not kept on the hard drive. An encryption key is created from the master passphrase. The default locations for the password file and encryption key are: • C:\Documents and Settings\WatchGuard\wgauth\wgauth.ini • C:\Documents and Settings\WatchGuard\wgauth\wgauth.key Note that these files are used by the Management Server software and must not be modified directly by an administrator. Microsoft SysKey utility The password file is protected by the master key. This key is protected by an encryption key, which is protected by the Windows system key. Windows operating systems use a system key to protect the Security Accounts Management (SAM) database. This is a database of the Windows accounts and passwords on the computer. By default, the system key data is hidden in the registry. The system is protected, and the system key is created from the registry during the startup procedure. If you want a more secure system, you can remove the system key data from the registry so that this sensitive data is not on the system at all. You can use the SysKey utility to: • Move the system key to a floppy disk • Make the administrator type a password at start time • Move the system key from the floppy disk to the system If you move the startup key to a floppy disk, then that disk must be inserted in the drive for the system to start. If you make the administrator type a startup password, the administrator must type in the password each time the system starts. To configure SysKey options, click Start > Run, type syskey, and click OK. 274 WatchGuard System Manager Setting Up the Management Server Setting Up the Management Server The Management Server Setup wizard creates a new Management Server on your workstation. If you used earlier versions of WatchGuard® System Manager and VPN Manager, you can also use the wizard to migrate a DVCP Server that is installed on a Firebox® to a new Management Server on a workstation. To move a Management Server off a Firebox, see the WFS to Fireware Pro Migration Guide. This procedure shows the steps you must use to successfully set up a new Management Server. 1 Right-click the Management Server icon in the WatchGuard toolbar on the Windows taskbar. You do not see this icon if you have not installed the Management Server. 2 Select Start Service. 3 The Management Server Setup wizard starts. Click Next. 4 A master passphrase is necessary to control access to the WatchGuard management station. (For more information on the master passphrase, see “Master passphrase” on page 273.) Type a passphrase that has a minimum of eight characters and then type it again to confirm. Click Next. Make sure you keep this passphrase in a safe place. 5 Type the Management Server passphrase to use when you configure and monitor the WatchGuard Management Server. (For more information on the Management Server passphrase, see “Management Server passphrase” on page 274.) Use a passphrase that has a minimum of eight characters and then type it again to confirm. Click Next. 6 Type the external IP address and passphrases for your gateway Firebox. The gateway Firebox protects the Management Server from the Internet. When you add an IP address, the wizard does three things: - The wizard uses this IP address to configure the gateway Firebox to allow connections to the Management Server. If you do not type an IP address here, you must configure any firewall between the Management Server and the Internet to allow connections to the Management Server on TCP ports 4110, 4112, and 4113. - If you have an earlier version of WatchGuard System Manager, and have a Firebox configured as a DVCP server, the wizard gets the DVCP server information from the gateway Firebox and moves these settings to your Management Server. See the Migration Guide for more information. - The wizard sets the IP address for the Certificate Revocation List (CRL). The devices you add as managed clients use this IP address to connect to the Management Server. This IP address must be the public IP address your Management Server shows to the Internet. If you do not type an IP address here, the wizard uses the current IP address on your Management Server computer for the CRL IP address. If this is not the IP address your computer shows to the Internet because it is behind a device that does network address translation (NAT), you must edit the CRL and type the public IP address your Management Server uses. For more information, see “Changing the Management Server Configuration” on page 276. 7 Type the license key for the Management Server. Click Next. For more information on Management Server license keys, see the Management Server section of the Fireware FAQs at: www.watchguard.com/support/faqs/fireware/ 8 Type the name of your organization. Click Next. This name is used for the Certificate Authority on the Management Server. 9 An information screen that shows the information for your server appears. Click Next. The wizard configures the server. User Guide 275 Changing the Management Server Configuration 10 Click Finish. When an interface whose IP address is bound to the Management Server goes down and then restarts, we recommend that you restart the Management Server. Changing the Management Server Configuration The Management Server Setup Wizard configures your Management Server. It is not usually necessary to change the properties of your Management Server configuration after you use the wizard. If you must change the Management Server configuration, you can access the configuration properties on the Management Server itself. From the computer configured as a Management Server, right-click the Management Server icon in the WatchGuard® toolbar and select Configure. The Management Server Configuration dialog box appears. Adding or removing a Management Server license To add a Management Server license, click the Management tab. Type or paste the Management Server license key into the field. Click Add. To remove a Management Server license, click the Management tab. Select the license to remove, and click Remove. Click OK when you finish the configuration. 276 WatchGuard System Manager Configuring the Certificate Authority For more information on Management Server license keys, see the Management Server section of the Fireware FAQs at: www.watchguard.com/support/faqs/fireware/. Recording diagnostic log messages for the Management Server To have the Management Server send diagnostic log messages to the Windows Event Viewer, click the Management tab. Select the Debug Management Server Service log messages check box. To see the diagnostic log messages, open the Windows Event Viewer. From the Windows desktop, select Start > Run. Type eventvwr. Look in the Application section of the Event Viewer to see the log messages. Configuring the Certificate Authority You can configure the Certificate Authority (CA) on the WatchGuard® Management Server. Use the Certificate Authority to: • Configure the properties of the CA certificate • Configure the properties of the client certificate • Configure properties for the Certificate Revocation List (CRL) • Write CA Service diagnostic log messages to the Windows Event Viewer Configuring properties for the CA certificate Usually, Firebox administrators do not change the properties of the CA certificate. If you must change these settings: 1 User Guide From the computer configured as the Management Server, right-click the Management Server icon in the WatchGuard toolbar and select Configure. 277 Configuring the Certificate Authority 2 Click the Certificates tab. 3 In the Common Name text box, type the name you want to appear in the CA certificate. 4 In the Organization text box, type an organization name for the CA certificate. 5 In the Certificate Lifetime text box, type the number of days after which the CA certificate will expire. A longer certificate lifetime could give an attacker more time to attack it. 6 From the Key Bits drop-down list, select the strength to apply to the certificate. The higher the number in the Key Bits setting, the stronger the cryptography that protects the key. 7 Click OK when you finish the configuration. Configuring properties for client certificates 278 1 From the computer defined as the Management Server, right-click the Management Server icon in the WatchGuard toolbar and select Configure. 2 Click the Certificates tab. WatchGuard System Manager Configuring the Certificate Authority 3 In the Client section of the dialog box, in the Certificate Lifetime field, type the number of days after which the client certificate will expire. A longer certificate lifetime could give an attacker more time to attack it. 4 From the Key Bits drop-down list, select the strength to apply to the certificate. The higher the number in the Key Bits setting, the stronger the cryptography that protects the key. 5 Click OK when you complete the configuration. Configuring properties for the Certificate Revocation List (CRL) 1 From the computer on which you installed the Management Server software, right-click the Management Server icon in the WatchGuard toolbar and select Configure. 2 Click the Certificates tab. 3 In the Certificate Revocation List section of the dialog box, the Distribution IP Address box contains a list of IP addresses. You can select an address from the list, or click Add to add a new address. (You can also select an address and click Remove if you no longer need it.) By default, the distribution IP address is the address of the gateway Firebox. This is also the IP address the remote managed Firebox clients use to connect to the Management Server. If the external IP address of your Firebox changes, you must change this value. 4 Type the Publication Interval for the CRL in hours. This is the period after which the CRL is automatically published. The default setting is zero (0), which means that the CRL is published every 720 hours (30 days). The CRL is also updated after a certificate is revoked. 5 Click OK when you complete the configuration. Recording diagnostic log messages for the Certificate Authority service To have the Management Server send diagnostic log messages to the Windows Event Viewer, click the Certificates tab. Select the Debug CA Service log messages check box. To see the log messages, open the Windows Event Viewer. User Guide 279 Backing up or Restoring the Management Server Configuration Backing up or Restoring the Management Server Configuration The Management Server contains the configuration information for all managed Firebox® X Edge and VPN tunnels. It is a good idea to create regular and frequent backup files for the Management Server and keep them in a safe place. You can use this backup file to restore the Management Server in case of hardware failure. You can also use this backup file if you want to move the Management Server to a new computer. To use the backup file after it is created, you must know the master key. The master key is set when you first configure the Management Server. 1 From your Windows toolbar, right-click the Management Server icon and select Stop Service. 2 From your Windows toolbar, right-click the Management Server icon and select Backup/Restore. The Management Server Backup/Restore Wizard starts. Use the onscreen instructions to create a backup file or restore a Management Server configuration from a backup file. 3 When the procedure is complete, right-click the Management Server icon on your Windows toolbar and select Start Service. Backing up the Management Server for troubleshooting Use the File > Export to File option to create a plain-text version of your Management Server configuration, which includes all information about managed devices and templates. This should be used only when you troubleshoot an issue with Technical Support. Moving the WatchGuard Management Server to a New Computer To move the Management Server to a new computer, you must know the master key. You must also make sure that the new Management Server is given the same IP address as the former Management Server. 1 Use the Management Server Backup/Restore Wizard to create a backup file of your current Management Server configuration. 2 Use the WatchGuard® System Manager installation file and install the Management Server software on the new Management Server. 3 Run the Restore wizard and select the backed-up file. 4 From the Windows toolbar, right-click the Management Server icon and select Start Service. Connecting to a Management Server 1 280 Select File > Connect to Server. or Click the Connect to Server icon on the WatchGuard® System Manager toolbar. WatchGuard System Manager Connecting to a Management Server or Right-click anywhere in the WatchGuard System Manager window and select Connect to > Server. 2 From the Management Server drop-down list, select a server by its host name or IP address. You can also type the IP address or host name if necessary. When you type an IP address, type all the numbers and the periods. Do not use the TAB or arrow keys. 3 Type the passphrase for the Management Server. 4 If necessary, change the value in the Timeout field. This value sets the time (in seconds) that Watchguard System Manager listens for data from the Management Server before it sends a message that it cannot connect. If you have a slow network or Internet connection to the device, you can increase the timeout value. If you decrease the value, it decreases the time you must wait for a timeout message if you try to connect to a Management Server that is not available. 5 If you are using the server only to monitor traffic, select the Log in with read-only privileges check box. Do not select this check box if you must configure the server or its managed devices. 6 Click OK. The server appears in the WatchGuard System Manager window. In some previous versions of WatchGuard security products, the WatchGuard Management Server was called the DVCP Server. Disconnecting from the Management Server To disconnect, click on the Management Server name and select File > Disconnect. Or select the Management Server in the tree view and then click the Disconnect icon. User Guide 281 Connecting to a Management Server 282 WatchGuard System Manager 17 Device Management Setup After you have set up and configured the Management Server, you can use it to manage multiple Firebox® devices. The procedures you use to prepare devices for management depend on which type of device you use. To prepare Fireboxes for management, see the next section. To prepare Firebox X Edge and SOHO devices, see “Configuring Edges and SOHOs as Managed Clients” on page 286. After you prepare devices for management, you add them to the Management Server. For all devices, use the procedure in “Adding Devices” on page 291. Configuring Fireboxes as Managed Clients To manage a Firebox with the Management Server, you must: • Make sure the Firebox allows management connections from the Management Server. • For any Firebox that has a dynamic external IP address, manually enable the Firebox as a managed client. • Add the Firebox to the Management Server configuration. The procedures you use are different if you use different Firebox appliance software or a different Firebox model. The instructions can also be different if the managed Firebox client has a dynamic IP address. When you look at the sections below, make sure you find the information that matches your Firebox model and configuration. Configuring a Firebox X Core or X Peak running Fireware as a managed client 1 Open Policy Manager for the Firebox you want to enable as a managed client. 2 Double-click the WatchGuard policy to open it for editing. The Edit Policy Properties dialog box for the WatchGuard® policy appears. 3 Make sure the WG-Firebox-Mgmt connections are drop-down list is set to Allowed. 4 Below the From dialog box, click Add. Click Add Other. User Guide 283 Configuring Fireboxes as Managed Clients 5 Make sure the Choose Type drop-down list is set to Host IP. In the Value field, type the IP address of the external interface of the gateway Firebox or where the computer runs WSM. If you do not have a gateway Firebox that protects the Management Server from the Internet, type the static IP address of your Management Server. 6 Click OK. Click OK again. 7 Make sure the To dialog box includes an entry of either Firebox or Any. If the Firebox you want to manage has a static IP address on its external interface, or if it is dynamic and you know the current IP address, you can stop here. Save the configuration to this Firebox. You can now add the device to your Management Server configuration as described in “Adding Devices” on page 291. When you add this Firebox to the Management Server configuration, the Management Server automatically connects to the static IP address and configures the Firebox as a managed Firebox client. If the Firebox you want to manage has a dynamic IP address and you do not know the current IP address, go on to step 8. 8 From Policy Manager, select VPN > Managed Client. The Managed Client Setup dialog box appears. 9 To set up a Firebox as a managed device, select the Enable this Firebox as a Managed Client check box. 10 In the Client Name box, type the name you want to give the Firebox when you add it to the Management Server configuration. This name is case-sensitive and must match the name you use when you add the device to the Management Server configuration. 11 To enable the managed client to send log messages to the Log Server, select the Enable diagnostic logs check box. (We recommend this option only to perform troubleshooting.) 284 WatchGuard System Manager Configuring Fireboxes as Managed Clients 12 In the Management Server address box, select the IP address of the Management Server if it has a public IP address. Or, select the public IP address of the Firebox that protects the Management Server. If you need to add an address, click Add. The Firebox that protects the Management Server automatically monitors all ports used by the Management Server and will forward any connection on these ports to the configured Management Server. When you use the Management Server Setup Wizard, the wizard adds a WG-Mgmt-Server policy to your configuration to handle these connections. If you did not use the Management Server Setup Wizard on the Management Server, or, if you skipped the “Gateway Firebox” step in the wizard, you must manually add the WG-Mgmt-Server policy to the configuration of your gateway Firebox. 13 In the Shared Secret box, type the shared secret. Type it again to confirm. The shared secret you type here must match the shared secret you type when you add the Firebox to the Management Server configuration. 14 Click the Import button and import the CA-Admin.pem file as your certificate. This file is in \My Documents\My WatchGuard\certs\[firebox_ip]. 15 Click OK. When you save the configuration to the Firebox, the Firebox is enabled as a managed client. The managed Firebox client tries to connect to the IP address of the Management Server on TCP port 4110. Management connections are allowed from the Management Server to this managed Firebox client. You can now add the device to your Management Server configuration as described in “Adding Devices” on page 291. Configuring a Firebox III or Firebox X Core running WFS as a managed client 1 Open Policy Manager for the Firebox you want to enable as a managed client. 2 Double-click the WatchGuard service to open it for editing. The Edit Service Properties dialog box for the WatchGuard policy appears. 3 On the Incoming tab, make sure that incoming WatchGuard connections are set to Enabled and Allowed. 4 Below the From dialog box, click Add. Click Add Other. 5 Make sure the Choose Type drop-down list is set to Host IP Address. In the Value field, type the IP address of the external interface of the gateway Firebox that protects the Management Server from the Internet. If you do not have a gateway Firebox that protects the Management Server from the Internet, type the static IP address of your Management Server. 6 Click OK. Click OK again. 7 Make sure the To dialog box includes an entry of either Firebox or Any. If the Firebox you want to manage has a static IP address on its external interface, you can stop here. Save the configuration to this Firebox. You can now add the device to your Management Server configuration. When you add this Firebox to the Management Server configuration, the Management Server automatically connects to the static IP address and configures the Firebox as a managed Firebox client. If the Firebox you want to manage has a dynamic IP address, go on to step 8. 8 From Policy Manager, select Network > DVCP Client. 9 Select the check box Enable this Firebox as a DVCP Client. User Guide 285 Configuring Edges and SOHOs as Managed Clients 10 In the Firebox Name field, give the name of the Firebox. The Firebox name is case-sensitive. The name you type here must match the name you type when you add this Firebox to the Management Server configuration. 11 To send log messages for the managed client, select the check box Enable debug log messages for the DVCP Client. (WatchGuard recommends this option only to do troubleshooting.) 12 Click Add to add the Management Server the Firebox connects to. In the DVCP Server address box, type the IP address of the Management Server if it has a public IP address. Or, type the public IP address of the Firebox that protects the Management Server. Type the Shared Secret to use to connect to the Firebox. The shared secret you type here must match the shared secret you type when you add this device to the Management Server configuration. A Firebox can be a client of only one Management Server. The Firebox that protects the Management Server automatically monitors all ports used by the Management Server and will forward any connection on these ports to the configured Management Server. The Firebox protecting the Management Server is configured to do this when you run the Management Server Setup Wizard. If you did not use the Management Server Setup Wizard on the Management Server, or, if you skipped the “Gateway Firebox” step in the wizard, configure the gateway Firebox to forward TCP ports 4110, 4112, and 4113 to the private IP address of the Management Server. Click OK. When you save the configuration to the Firebox, the Firebox is enabled as a managed client. The managed Firebox client tries to connect to the IP address of the Management Server on TCP port 4110. Management connections are allowed from the Management Server to this managed Firebox client. You can now add the device to your Management Server configuration as described in “Adding Devices” on page 291. Configuring Edges and SOHOs as Managed Clients You can use the WatchGuard® Management Server to configure and manage many Firebox® X Edge and SOHO devices. For Firebox X Edge devices, you can enable centralized management with WatchGuard System Manager, which means you can manage policies, updates, and VPNs for many Edge devices from one location. For both Edge and SOHO devices, you can use them as endpoints for managed BOVPN tunnels. Each Firebox X Edge and SOHO must be configured for management by the Management Server. Then you Insert or Add the devices to the Management Server. 286 WatchGuard System Manager Configuring Edges and SOHOs as Managed Clients You can Import one or more Firebox X Edge devices that have already been configured with the Quick Setup Wizard into the Management Server. This is the fastest procedure to provision and add a group of Firebox X Edge devices to the Management Server. You can Add a Firebox X Edge device that is already configured or installed using the Add Device Wizard. You must configure values to identify the device to the Management Server. You can add only one device at a time. • For a new or factory default Firebox X Edge device, configure the device with the procedure “Preparing a new or factory default Firebox X Edge for management” on page 287. Next, import the device with the procedure “Importing Firebox X Edge devices into a Management Server” on page 288. • For a Firebox X Edge that is already installed, configure the device for management with the procedure “Preparing an installed Firebox X Edge for management” on page 288. Next, add the device to the Management Server with the procedure “Adding Devices” on page 291. You can now add the device to your Management Server configuration as described in “Adding Devices” on page 291. Use the WG-SmallOffice-Mgmt packet filter to allow connections between the Management Server and the managed Firebox X Edge devices. If you have another firewall, make sure that you have a policy to allow traffic from managed Edge devices on TCP port 4109. Preparing a new or factory default Firebox X Edge for management To prepare a new or factory default Firebox X Edge for management with the Management Server, you must be able to physically connect the Firebox X Edge to an Ethernet interface on your computer. To prepare the Firebox X Edge: 1 On the computer that runs WatchGuard System Manager, change the IP address to 192.168.111.x/24. 2 Start WatchGuard System Manager and select Tools > Quick Setup Wizard. The Quick Setup Wizard starts. 3 Read the Welcome page and click Next. 4 Select Firebox X Edge as the type of Firebox and click Next. 5 Connect the network interface on your computer to any LAN port on the Firebox X Edge, and click Next. Use one of the green Ethernet cables included with the Firebox X Edge. (If no green cable is included with your Firebox X Edge, try the red cable.) 6 Use the instructions on the subsequent page of the wizard to start the Firebox X Edge in safe mode. 7 Use the instructions on the wizard page, and click Next. 8 Use the instructions on the Wait for the Firebox and The Wizard found this Firebox pages. Click Next after each page. 9 Accept the License Agreement and click Next. 10 Configure the external (WAN 1) interface of the Firebox X Edge. Select DHCP, PPPoE, or Static IP addressing, and click Next. (For detailed information on how to configure the Edge interfaces, see the Firebox X Edge User Guide.) 11 Click Next after you configure the interface. User Guide 287 Configuring Edges and SOHOs as Managed Clients 12 Configure the Edge internal interface and click Next. 13 Create a status passphrase and a configuration passphrase for your Edge and click Next. You must type each passphrase two times. This is the passphrase that is used by WatchGuard System Manager to connect to and configure the device. 14 Type a user name and passphrase for the device, and click Next. You must type the passphrase two times. This is the user name and passphrase that you can use to connect to and configure the device with a web browser. 15 Select the time zone settings and click Next. 16 Configure the Management Server settings. Type the IP address of the gateway Firebox that protects the Management Server, the name to identify the Firebox in the Management Server interface, and the shared key. Click Next. The shared key is used by the Management Server to create VPN tunnels between Fireboxes. You do not have to remember this key. 17 Review the configuration for the Edge and click Next. 18 To set up another Edge, select the check box. Click Finish. If you select this check box, the Quick Setup Wizard populates the fields with the same values as this configuration, so you can easily set up similar Edge devices. You can now add the device to your Management Server configuration as described in “Adding Devices” on page 291. Importing Firebox X Edge devices into a Management Server Firebox X Edge devices that are configured with the Quick Setup Wizard can be imported into the Management Server. You must connect from the computer from which you ran the Quick Setup Wizard. Also, you must connect to the same Management Server that you configured for the device when you ran the Quick Setup Wizard. 1 Start WatchGuard System Manager, and connect to the Management Server for which you configured Edge devices. 2 Select File > Import Device. The WatchGuard System Manager dialog box appears. 3 Select the check boxes in front of each Edge you want to import. Click Import. The Firebox X Edge devices are imported into the Management Server. The devices appear in the Imported Devices folder for the Management Server. Preparing an installed Firebox X Edge for management 1 To connect to the Firebox X Edge System Status page, type https:// in the browser address bar, and the IP address of the Edge trusted interface. The default URL is: https://192.168.111.1 288 WatchGuard System Manager Configuring Edges and SOHOs as Managed Clients 2 From the navigation bar, select Administration > WSM Access. The WatchGuard Management Access page appears. 3 Select the Enable remote management check box. 4 From the Management Type drop-down list, select WatchGuard Management System. 5 To enable centralized Edge management through WatchGuard System Manager, select the Use Centralized Management check box. When the Firebox X Edge is under centralized management, access to the Edge configuration pages is set to read-only. The only exception is access to the WSM Access configuration page. If you disable the remote management feature, you get read-write access to the Edge configuration again. Do not select the Use Centralized Management check box if you are using WatchGuard System Manager only to manage VPN tunnels. 6 Type a status passphrase for your Firebox X Edge and then type it again to confirm in the correct fields. 7 Type a configuration passphrase for your Firebox X Edge and then type it again to confirm in the correct fields. These passphrases must match the passphrases you use when you add the device to the Management Server or the connection will fail. If the Firebox X Edge you want to manage has a static IP address on its external interface, you can stop here. Save the configuration to this Firebox. You can now add the device to your Management Server configuration. When you add this Edge to the Management Server configuration, the Management Server automatically connects to the static IP address and configures the Edge as a managed Firebox client. If the Edge you want to manage has a dynamic IP address, go on to step 7. 8 In the Management Server Address text box, type the IP address of the Management Server if it has a public IP address. If the Management Server has a private IP address, type the public IP address of the Firebox that protects the Management Server. The Firebox that protects the Management Server automatically monitors all ports used by the Management Server and will forward any connection on these ports to the configured Management Server. No special configuration is necessary for this to occur. User Guide 289 Configuring Edges and SOHOs as Managed Clients 9 Type the Client Name to identify the Edge in the Management Server configuration. This name is case-sensitive and must match the name you use for the Edge when you add it to the Management Server configuration. 10 Type the Shared Key. The shared key is used to encrypt the connection between the Management Server and the Firebox X Edge. This shared key must be the same on the Edge and the Management Server. You must get the shared key from your Management Server administrator. 11 Click Submit to save this configuration to the Firebox X Edge. When you save the configuration to the Edge, the Edge is enabled as a managed client. The managed Firebox client tries to connect to the IP address of the Management Server. Management connections are allowed from the Management Server to this managed Firebox client. You can now add the device to your Management Server configuration as described in “Adding Devices” on page 291. Configuring a Firebox SOHO 6 as a managed client 1 Start your web browser. Type the IP address of the SOHO 6. 2 If the SOHO 6 must have a login and passphrase, type the login and passphrase. 3 Below Administration, click VPN Manager Access. The VPN Manager Access page appears. 4 In the left navigation pane below VPN, click Managed VPN. Select the Enable VPN Manager Access check box. 5 Type the status passphrase for VPN Manager access. Type the status passphrase again to confirm the passphrase. 6 Type the configuration passphrase for VPN Manager access. Type the configuration passphrase again to confirm the passphrase. If the Firebox SOHO you want to manage has a static IP address on its external interface, you can stop here. Click Submit to save your configuration to the SOHO. You can now add the device to your Management Server configuration. When you add this SOHO to the Management Server configuration, the Management Server automatically connects to the static IP address and configures the SOHO as a managed Firebox client. If the SOHO you want to manage has a dynamic IP address, go on to step 7. 290 7 Select the Enable Managed VPN check box. 8 From the Configuration Mode drop-down list, select SOHO. WatchGuard System Manager Adding Devices 9 In the DVCP Server Address text box, type the IP address of the Management Server if it has a public IP address. If the Management Server has a private IP address, type the public IP address of the Firebox that protects the Management Server. The Firebox that protects the Management Server automatically monitors all ports used by the Management Server and will forward any connection on these ports to the configured Management Server. No special configuration is necessary for this to occur. 10 Type the Client Name to give your Firebox SOHO. This name is case-sensitive and must match the name you use for the device when you add it to the Management Server configuration. 11 In the Shared Key field, type the key used to encrypt the connection between the Management Server and the Firebox SOHO. This shared key must be the same on the SOHO and the Management Server. You must get the shared key from your Management Server administrator. 12 Click Submit. When you save the configuration to the Firebox SOHO, the SOHO is enabled as a managed client. The managed SOHO client tries to connect to the IP address of the Management Server. Management connections are allowed from the Management Server to this managed SOHO client. You can now add the device to your Management Server configuration as described in the next section. Adding Devices You can use the Management Server to manage Firebox® devices, including Firebox III and Firebox X Core devices that use WFS appliance software, Firebox X devices that use Fireware® appliance software, Firebox X Edge devices, and Firebox SOHO devices. A device with a dynamic IP address must also be configured as a managed client from Policy Manager for the device. See the previous sections for these instructions. If your device has multiple external interfaces, do not change the interface configuration after you add the device to the Management Server. 1 In WatchGuard® System Manager, connect to the Management Server. Select File > Connect to Server, or select the Device Status tab. Or Right-click anywhere in the window and select Connect to > Server. 2 Type or select the IP address of the Management Server, type the configuration passphrase, and click Login. 3 Click the Device Management tab. User Guide 291 Adding Devices 4 Select the Management Server from the list at the left of the window. The Management Server page appears. 5 Expand the Devices folder. All devices managed by this Management Server are shown here. 6 Select Edit > Insert Device, or right-click in the left frame of this window and select Insert Device. The Add Device wizard starts. 292 WatchGuard System Manager Adding Devices 7 Click Next to see the first configuration screen. 8 If the device is either static or dynamic and you know the device’s IP address, type it (or the host name) along with the status and configuration passphrase. If the device has a dynamic IP address but does not use the Dynamic DNS service, type a unique name for the device. The name you type here must match the name you enter in Policy Manager for that device (if the device is a Firebox III, Firebox X Core, or Firebox X Peak). If the device is a Firebox X Edge, this name must match the name you give the device when you enable it as a managed client with the web configuration manager. If you do not know the device’s IP address, click the appropriate radio button. At any time after you complete the wizard, you can manually configure the device for management. When the device is configured for management, it will contact the Management Server. 9 Click Next. The wizard performs a device discovery. 10 Enter a name for the device, if you want to use a name other than the default name. Type the shared secret. The name and shared secret must match the name you give the device when you enable it as a managed client. From the Device Type drop-down list, select the device type. Click Next. 11 Type the device’s status and configuration passphrases. Click Next. 12 Specify authentication for the device. Click Next. 13 Click Next. The Configure the Device screen appears. Click Next on this screen to configure the device with the new management settings and add it to the Management Server. If the device is already managed by another server, or configured for management by this server, a warning dialog box appears. Click Yes to continue. 14 Click Close to close the Add Device wizard. If traffic is very heavy, the Add Device wizard cannot connect because of SSL timeout. Try again later when the system has less load. User Guide 293 Adding Devices 294 WatchGuard System Manager 18 Device Management Properties When a Firebox® or Edge device is added to a Management Server, you can use the information and fields on the Device Management tab to configure settings on the device. For more information about how to add a device to the Management Server, see “Adding Devices” on page 291. Viewing the Managed Devices When you select the Devices folder, you can see a list of devices and the following information for each one. Name The name of the managed Firebox®. Type The type of device or appliance software installed on the managed Firebox. IP Address The IP address used to identify the Firebox. If the Firebox has not reported into the server, the field shows “n/a”. User Guide 295 Viewing the Device Management Page Lease Time The Management Server lease time is the time interval at which the managed client contacts the Management Server for updates. The default is 60 minutes. The lease time is configured as part of the Device Properties, on the Connection Settings tab (described in “Connection settings” on page 298). Last Download The time of the most recent update of the managed device from the Management Server. The field can also show Never if it has never been updated, or Pending if an update is in progress. Last Modified The time of the most recent configuration file change on the managed Firebox. The field can also show Never if it has never been updated, or Pending if an update is in progress. Viewing the Device Management Page You can use the management page to configure management settings on the device. 1 Expand Devices on the left side of the WatchGuard® System Manager Device Management tab. A list of managed devices appears. 296 WatchGuard System Manager Configuring Device Management Properties 2 Select a device. The management page for the device appears. Configuring Device Management Properties You configure three categories of Firebox® management properties: connection settings, IPSec tunnel preferences, and contact information. User Guide 297 Configuring Device Management Properties Connection settings 1 On the Firebox management page, click Configure. The Device Properties dialog box appears. 298 2 In the Display Name field, enter the name for the device that will appear in WSM. 3 From the Firebox Type drop-down list, select the device hardware and, if applicable, the appliance software installed on it. 4 If the device has a static IP address, from the Hostname/IP Address box, select or type the entry for your device. This box contains the external IP addresses of all devices managed by the Management Server. WatchGuard System Manager Configuring Device Management Properties 5 If the device has a dynamic IP address, select the Device has dynamic external IP address check box. In the Client Name field, enter the name of the device. (For information on how to set up a device manually for management, see the “Device Management Setup” chapter.) 6 Enter the status and configuration passphrases for the Firebox. 7 In the Shared Secret field, enter the shared secret between the device and the Management Server. 8 Use the arrow buttons next to Lease Time to change the Management Server lease time. This is the time interval at which the managed client contacts the Management Server for updates. The default is 60 minutes. User Guide 299 Configuring Device Management Properties IPSec tunnel preferences 300 1 On the Device Properties dialog box, click the IPSec Tunnel Preferences tab. 2 From the Tunnel Authentication drop-down list, select either Shared Key or IPSec Firebox Certificate. The second option uses the certificate for the Firebox. For more information about certificates, see the “Certificates and the Certificate Authority” chapter. 3 Type the primary and secondary addresses for the WINS and DNS servers if you want your managed client to get its WINS and DNS settings through the IPSec BOVPN tunnel. Otherwise, you can leave these fields blank. You can also type a domain suffix in the Domain Name text box for a DHCP client to use with unqualified names such as “kunstler_mail”. WatchGuard System Manager Configuring Device Management Properties Contact information 1 On the Device Properties dialog box, click the Contact Information tab. 2 A list of contact information for remote devices appears. To add to the contact list or edit an existing entry, click Contact List. 3 From the contact list that appears, click Add or select an entry you want to edit or delete. The Contact Information dialog box appears. 4 User Guide Make any changes you want and click OK. 301 Updating a Device Updating a Device 1 On the device management page, click Update Device. The Update Device dialog box appears. 2 Select the Download Trusted and Optional Network Policies check box to download the policies on the managed device to the Management Server for the trusted and optional networks. We recommend you do this to make sure you have the latest policies when you edit the device configuration and have not connected to the device in a long time. 3 If the device does not receive the update, refresh the Management Server configuration: Select the Reset Server Configuration check box to refresh the Management Server IP address, hostname, shared secret, and lease time on the device. If you have made any changes to the device properties, make sure you select this check box. 4 Select the Expire Lease check box to expire the Management Server lease for the managed client and download any VPN or configuration changes. 5 Select the Issue/Reissue Firebox’s IPSec Certificate and CA’s Certificate check box to issue or reissue the IPSec certificate for the Firebox and the Certificate Authority’s certificate. 6 Click OK. Removing a Device To remove a device so that it is no longer managed by the Management Server and no longer appears on the Management Server window: 1 On the left side of the Management Server window, click the icon for the device you want to remove and select Edit > Remove. 2 On the confirmation dialog box, click Yes. 3 Go to Policy Manager for that device, select VPN > Managed Client, and clear the Enable this Firebox as a Managed Client check box. Network Setup (Edge devices only) With WatchGuard® Management Server, you can configure the network settings for a group of Firebox® X Edge devices. You can use WatchGuard System Manager to configure the unique network settings for each Firebox X Edge. Note that this procedure loads the current network settings for the Edge and enables central management of the device. 302 WatchGuard System Manager Adding a VPN Resource All Firebox X Edge network settings can be configured with the Edge web interface. For detailed information on these configuration options, see the Firebox X Edge User Guide. 1 Click the Device Management tab on WatchGuard System Manager. 2 Expand Devices, and click on a Firebox X Edge device. The Edge configuration appears in the right pane. 3 Below Network Settings, click Configure. The Network Settings dialog box appears. 4 To configure network settings, click each category of settings in the left pane of the dialog box and provide information in the fields that appear. For information on these fields and how to configure them, see the Firebox X Edge User Guide. Adding a VPN Resource For a VPN, you can configure (and put a limit to) the networks that have access through the tunnel. You can make a VPN between hosts or networks. To configure the networks that are available through a given VPN device, you define VPN resources. The Device Management tab lists VPN resources currently defined. To add more VPN resources, see “Adding VPN Resources” on page 320. Starting Firebox and Edge Tools The Device Management tab allows you to start other tools for device configuration and monitoring. For Firebox® devices, you can start: • Policy Manager • Firebox System Manager • HostWatch™ • Ping For Edge devices, you can start: Edge Web Manager (Firebox X Edge only). Use Internet Explorer 6.0 or later. This link provides secure web access to the device’s web user interface without the need to open any ports on the device. • User Guide • Policy Manager (SOHO 6 only) • Firebox System Manager • HostWatch • Ping 303 VPN Tunnels VPN Tunnels You can see all tunnels that include the device in the Tunnels section. You can also add a VPN tunnel in this section. 1 On the Firebox X Edge or SOHO management page, find the VPN Tunnels section. This section shows all tunnels in which this device is a VPN endpoint. 2 Click Add to add a new VPN tunnel. The Add VPN wizard starts. Configure the VPN to match your requirements. For more information about the Add VPN wizard, see “Making Tunnels Between Devices” on page 325. Using the Firebox X Edge Policy Section The management page for a SOHO 6 does not have the Policy section. This section shows the Edge Configuration Template to which this Firebox® X Edge is subscribed. If no template has been applied, you can drag the device to one of the Edge Configuration Templates. You can use the Configure link in this section to configure an existing Edge Configuration Template. For information about Edge Configuration Templates, see “Creating and Applying Edge Configuration Templates” on page 308. 304 WatchGuard System Manager 19 Firebox X Edge Templates and Aliases WatchGuard® System Manager includes a number of features specifically for centralized management of Firebox® X Edge devices. You can easily manage many Firebox X Edge devices and make changes to the security policy for more than one Firebox X Edge device at one time, and still have individual control over the configuration of each Firebox X Edge device. With a Management Server, you can also: • Manage Firebox X Edge firmware updates. These updates can be scheduled and installed by the Management Server. • Create Edge Configuration Templates for a group of Firebox X Edge devices. You create a configuration template on the Management Server, and install it on many Firebox X Edge devices. If you make a change to the policy, the policy is automatically updated on all subscribed Firebox X Edge devices. • Use aliases to define a common destination for policy configuration on individual Firebox X Edge devices. You can also manage Firebox SOHO 6 and SOHO 5 devices from WatchGuard System Manager. You cannot create configuration templates for the Firebox SOHO, or edit the network configuration with WatchGuard System Manager. This chapter describes how to use WatchGuard System Manager to manage Firebox X Edge devices. For detailed information on configuring the Firebox X Edge, see the Firebox X Edge User Guide. Scheduling Firebox X Edge Firmware Updates Firmware updates for Firebox® X Edge devices must be installed on the Management Server. You can then use a single operation to update firmware on groups of Edge devices, either immediately or on a schedule. Current status of firmware updates appear on the Device Management tab, in the Firmware Update Status section. User Guide 305 Scheduling Firebox X Edge Firmware Updates You get firmware updates from LiveSecurity. You can download Edge firmware updates whenever you update the WSM software. 1 In the Device Management tab in WatchGuard® System Manager, select the Management Server. The Management Server settings page appears. 2 Scroll down to the Firmware Update Status section. If any firmware updates are scheduled, they are shown here. 3 Click Schedule Firmware Update. The Update Firmware wizard starts. 306 4 Read the Welcome screen and click Next. 5 Select the device type from the list and click Next. WatchGuard System Manager Scheduling Firebox X Edge Firmware Updates In this version of WatchGuard System Manager, the only device types you can select are Firebox X Edge and Firebox X Edge e-Series. 6 Select the check box in front of each Firebox X Edge that you want to update. Click Next. 7 Select the firmware version to use. Click Next. The Select the Time and Date page appears. 8 To update firmware immediately, select Update firmware immediately. To schedule the update for a time in the future, select Schedule firmware update. 9 If you selected Schedule firmware update, select the date from the Date field, and set the time in the Time field. 10 Click Next. 11 Click Next. Click Close. The Firmware is updated if you selected Update firmware immediately, or scheduled if you selected Schedule firmware update. Seeing and deleting firmware updates 1 User Guide In the Device Management tab, click Scheduled Firmware Updates below the Management Server. 307 Creating and Applying Edge Configuration Templates The Scheduled Firmware Updates page appears. All scheduled firmware updates are shown. Firmware updates are shown separately for each device, even if more than one device is included in the same firmware update. For this reason, when you select a device, all devices included in that scheduled firmware update are also selected. • To delete a scheduled firmware update, right-click a device and select Remove Scheduled Update. All devices in that firmware update task are removed from the schedule. • To cancel a scheduled firmware update, right-click a device and select Cancel Scheduled Update. The task stays in the schedule, but its status changes to Cancelled. • To add a scheduled firmware update, click Add. Or, right-click and select Add Scheduled Update. The Update Firmware wizard starts. Creating and Applying Edge Configuration Templates When you use Firebox® X Edge devices with the WatchGuard® Management Server, you can create Edge Configuration Templates on the Management Server. You can then apply those Edge Configuration Templates to Edge devices. With Edge Configuration Templates, you can easily configure standard firewall filters, change the Blocked Sites list, change your WebBlocker configuration, or change other policy settings for one or many managed Edge devices. Edge Configuration Templates have the following restrictions: • Edge Configuration Templates can be used with the Firebox X Edge only. • Each Edge can have only one Edge Configuration Template. • An Edge must have firmware version 7.5 or later to use Edge Configuration Templates. You must use separate templates for Edges that run firmware versions 7.5, 8.0, 8.5, or 8.6. You can make changes to an Edge Configuration Template or to the list of devices to which the policy has been applied at any time. The Management Server automatically makes the changes. 308 1 Start WatchGuard System Manager and connect to the Management Server. 2 Click the Device Management tab. WatchGuard System Manager Creating and Applying Edge Configuration Templates You can expand the list of Edge Configuration Templates to see any Edge Configuration Templates that have been created. If you have not created any Edge Configuration Templates, this list is empty. 3 Right-click the Edge Configuration Templates heading. 4 Select Insert Edge Configuration Template. The Product Version dialog box appears. 5 Select the product line and version from the drop-down list. Click OK. The Edge Configuration: Edge Template window appears. 6 Type a name for the template. 7 To configure the policy, click each category of settings in the left pane of the dialog box and type information in the fields that appear. The categories listed depend on which version of the Edge you are defining the template for. For information on the fields that appear, see the Firebox X Edge User Guide. 8 Click OK to close the Edge Configuration Template. The policy is saved to the Management Server, and an update is sent to all Firebox X Edge devices to which this policy is applied. User Guide 309 Creating and Applying Edge Configuration Templates Adding a pre-defined policy with the Add Policy wizard 1 From the Device Management tab, right-click Edge Configuration Templates and select Insert Edge Configuration Template. The Product Version dialog box appears. 2 Select the product line and version from the drop-down list. Click OK. The Edge Configuration Edge Template appears. 3 Select Firewall Policies and click Add. The Add Policy wizard starts. 4 The Welcome page appears. Click Next. The Select a policy type page appears. 5 To use a pre-defined policy, select Choose a pre-defined policy from this list and select the policy to use from the list. 6 Click Next. 7 If you use a pre-defined policy, select the traffic direction. 8 Select to deny or allow traffic for this policy and direction. Adding a custom policy with the Add Policy wizard 1 310 Start the Add Policy wizard. To do this, on the Firewall Policies page, click Add in the Edge Configuration dialog box. WatchGuard System Manager Creating and Applying Edge Configuration Templates 2 The Welcome page appears. Click Next. 3 To create and use a custom policy, select Create and use a new custom policy. 4 Click Next. The Specify Protocols page appears. 5 Type a name for the protocol. 6 To add a protocol, click Add. The Add protocol dialog box appears. 7 Select to filter the TCP, UDP, or IP protocol. 8 Select one port or a range. 9 Type the port number or numbers, or the IP protocol number. Click OK to add the protocol. 10 Click Add to add another protocol. Click Next when all the protocols for this policy are added. 11 Select the traffic direction. Select Incoming, Outgoing, or Optional. 12 Select Allow or Deny for the filter action. If the action is Allow, add the From and To destinations as required. 13 Click Next. 14 Click Finish to finish the wizard and return to the Edge Configuration dialog box. User Guide 311 Creating and Applying Edge Configuration Templates Cloning an Edge Configuration Template To clone (copy) a template is useful when you have devices that use similar configurations, with slight variations. You can make one Edge Configuration Template, and then clone that policy for each variation, and make changes to those cloned templates. 1 Expand Edge Configuration Templates in the Device Management pane. 2 Right-click the Edge Configuration Template to be cloned, and select Clone. A copy of the Edge Configuration Template appears in the list of Edge Configuration Templates. 3 Edit the cloned policy. Applying an Edge Configuration Template to devices You can apply an Edge Configuration Template to any number of Firebox X Edge devices. You cannot apply more than one Edge Configuration Template to the same Edge. Applying the template using drag-and-drop You can add an Edge Configuration Template to a Firebox X Edge device by drag-and-drop. Click the Edge device in the Devices list. Drag the Edge over the Edge Configuration Template in the Edge Configuration Templates list, and drop it on the policy. You can also drag a template and drop it on a device. The policy is added to the Edge. If you have a folder of devices, you can drag the folder over the Edge Configuration Template to apply the Edge Configuration Template to all Edge devices in the folder. All other devices are skipped. Applying the policy to devices in the device list 1 312 In the WatchGuard System Manager Device Management tab, expand the list of Edge Configuration Templates. WatchGuard System Manager Creating and Applying Edge Configuration Templates 2 Select the template to add to a device. The template appears in the right frame of the window. 3 Click the Configure link below the Devices section. The Manage Device List appears. 4 Click Add to add a device or devices to the list. The Select Devices dialog box appears. 5 Select one or more devices from the list. 6 Click OK. Click OK again. The managed devices you select are subscribed to the Edge Configuration Template. User Guide 313 Using Aliases Removing an Edge from the device list 1 To remove an Edge from the device list, in the WatchGuard System Manager Device Management tab, expand the list of Edge Configuration Templates. 2 Click the Configure link below the Devices section. The Manage Device List appears. 3 Select the device you want to delete and click Remove. The device is removed from the list, and from centralized management by WSM. Using Aliases Aliases are used with managed Firebox® X Edge devices to define a common destination for policy configuration on the Management Server. For example, with aliases, you can create an Edge Configuration Template for a mail server, and define that policy to operate with your mail server. Because the mail server can have a different IP address on each Firebox X Edge network, you create an alias on the Management Server called MailServer. When you create the Edge Configuration Template for the mail server, you use this alias as the destination. Then you define that alias as either the source or destination, depending on the direction of the policy. In this example you can configure an incoming SMTP Allow policy with MailServer as the destination. To make the Edge Configuration Template operate correctly on Edge devices that use the policy, you configure the MailServer alias in the Network Settings for each Firebox X Edge device. Alias configuration is done in two steps: 314 • Naming aliases on the Management Server • Defining alias IP addresses on the Firebox X Edge WatchGuard System Manager Using Aliases Naming aliases on the Management Server 1 In the Device Management tab in WatchGuard® System Manager, select the Management Server. The Management Server settings page appears. User Guide 315 Using Aliases 2 Click Manage Aliases. The Aliases dialog box appears. 3 Select an alias and click Edit to edit the name. 4 Type a name for the alias and click OK. 5 Repeat this procedure for all aliases that you must define. 6 Click OK when all aliases are configured. Defining aliases on a Firebox X Edge 1 In the Device Management tab in WatchGuard System Manager, select a Firebox X Edge. The Management Server settings page appears. 316 WatchGuard System Manager Using Aliases 2 Click Configure under the Network Settings section. The Network Settings dialog box appears. 3 Click Aliases. The aliases appear. The aliases you named on the Management Server appear with those names in this dialog box. 4 Select an alias to define and click Edit. The Local Alias Setting dialog box appears. 5 Type the IP address for the local alias on the network of this Firebox X Edge. Click OK. 6 Repeat the procedure for each alias to define. 7 Click OK when you have defined all aliases that you need. User Guide 317 Using Aliases 318 WatchGuard System Manager 20 Managed BOVPN Tunnels WatchGuard® System Manager supplies speed and reliability when you create IPSec VPN tunnels through the drag-and-drop procedure, an automatic wizard, and the use of templates. You can make in minutes IPSec tunnels that use authentication and encryption. You can be sure that these tunnels operate with other tunnels and security policies. These tunnels are called managed BOVPN tunnels. Another type of tunnel is a manual BOVPN tunnel, which is a BOVPN tunnel that you use dialog boxes to define. Like manual tunnels, managed tunnels are shown in the Device Status tab for each Firebox®. About Managed BOVPN Tunnels You perform the following steps to create a managed BOVPN tunnel: • Configure a WatchGuard® Management Server and Certificate Authority (CA) (described in the “Certificates and the Certificate Authority” chapter). • Add Fireboxes or Firebox® X Edge devices to the Management Server, as described in “Adding Devices” on page 291. • (Dynamic devices only) Configure the Firebox as a managed client. • If necessary, create VPN Resources, Policy Templates, and Security Templates. Or, you can use those that are currently defined. • Create tunnels between the devices, as described in “Making Tunnels Between Devices” on page 325. VPN Failover VPN Failover, described in “About VPN Failover” on page 344, is supported with managed BOVPN tunnels. If you have multi-WAN configured, and create managed tunnels, WSM automatically sets up gateway pairs that include the external interfaces of both ends of your tunnel. No other configuration is necessary. Global VPN settings Global VPN settings on your Firebox apply to all manual BOVPN tunnels, managed tunnels, and MUVPN tunnels. You can use these settings to: User Guide 319 VPN Resources and Templates • Enable IPSec pass-through. • Clear or maintain the settings of packets with Type of Service (TOS) bits set. • Use an LDAP server to verify certificates. To change these settings, from Policy Manager, select VPN > VPN Settings. For more information on these settings, see “Using Global VPN Settings” on page 81. VPN Resources and Templates You can use the following to simplify tunnel creation, especially if you need to create large numbers of tunnels: VPN Resources The networks that can connect through VPN tunnels. If a VPN endpoint device has a static IP address, the Management Server automatically creates a default VPN resource for the device that includes all trusted networks. If the trusted network behind the device has many routed or secondary networks configured, consider adding your own VPN resource, as described below in “Adding VPN Resources”. VPN Firewall Policy Templates Sets of one or more bidirectional firewall policies that restrict the type the traffic allowed across a VPN. If you do not select a Policy Template for a tunnel, the default “Any” policy applies to the tunnel. Security Templates Sets of encryption types, authentication types, and renegotiation lifetimes to be applied to VPNs. WSM includes default Security Templates, but you can modify them or create new ones. Later sections in this chapter describe how to create and use these objects. Configuring a Firebox as a Managed Firebox Client To allow WatchGuard® System Manager to manage a Firebox® or Edge, or SOHO with a dynamic IP address, you must enable it as a managed Firebox client. For instructions on how to enable a Firebox as a managed client, see the “Device Management Setup” chapter. Adding VPN Resources For a VPN, you can configure (and put a limit to) the networks that have access through the tunnel. You can make a VPN between hosts or networks. To configure the networks that are available through a given VPN device, you define VPN resources. 320 WatchGuard System Manager Adding VPN Resources Getting the current resources from a device Before you add more VPN resources, get the current resources from the device. This is most important for dynamic devices because the Firebox® automatically adds a network resource for static devices. Before you update a device, make sure that it is configured as a managed Firebox client. 1 In WatchGuard® System Manager on the Device Management tab, select a managed client, and then select Edit > Update Device. The Update Device dialog box appears. 2 Select the Download Trusted and Optional Network policies check box. 3 Click OK. Creating a new VPN resource To make a VPN resource, on the Device Management tab: 1 2 Select the device for which you want to configure a VPN resource. Right-click and select Insert VPN Resource or click the Insert VPN Resource icon The VPN Resource dialog box for that device appears. 3 User Guide In the Policy Name box, type a name for the policy. This name will appear in the Device Management window and in the Add VPN wizard. 321 Adding VPN Firewall Policy Templates 4 If you want to create a VPN resource for a Firebox X Core, Firebox X Peak, or WFS device, the Disposition field appears. From the Disposition drop-down list, select one of the following options: secure Encrypt traffic to and from this resource. This is the most commonly used option. bypass Sends the traffic in cleartext. You might use this option if one Firebox is in drop-in mode and the tunnel routes traffic to the drop-in network. In this case, the drop-in IP address must be bypassed but not blocked or the tunnel cannot negotiate. block Do not allow the traffic through the VPN. You might use this option to exclude one or more IP addresses from using a VPN that allows a full subnet, but only when given a higher precedence than the full subnet. If you want to create a VPN resource for a Firebox X Edge, the Disposition field does not appear because only the secure option is supported. 5 Add, edit, or delete resources. Click Add to add an IP address or a network address. Click Edit to edit a resource that you have selected in the list. Select a resource in the Resources list and click Remove to delete a resource. 6 Click OK. Adding more hosts or networks 1 From the VPN Resource dialog box, click Add. The Resource dialog box appears. 2 From the Allow to/from drop-down list, select the resource type, and then type the IP address or network address in the adjacent address box. 3 Click OK. Adding VPN Firewall Policy Templates You use VPN Firewall Policy templates to create a set of one or more bidirectional firewall policies that restrict the type the traffic allowed across a VPN. Note that Policy Templates do not support proxy policies. If you use the default “Any” VPN firewall policy, a log message is generated for all traffic through the managed VPN tunnel. If you want to control what traffic is recorded in the logs, you must create your own VPN firewall policy template and use the Enable logging for this traffic check box. You cannot turn off logging for the default “Any” VPN firewall policy or change it in any way. 1 On the left side (tree view) of the Device Management tab, expand Managed VPNs, and click VPN Firewall Policy Templates. A list of currently defined policy templates, if any, appears on the right side of the screen. 322 WatchGuard System Manager Adding Security Templates 2 In the upper-right corner of the screen, click Add. The VPN Firewall Policy Template dialog box appears. 3 In the Name field, type a name for the Policy Template. This name will appear in the Device Management tree view and in the Add VPN wizard. 4 To add a policy to the template, click Add. The Add Policy wizard starts. 5 Select from a list of pre-defined policies or create a custom policy. If you select to create a custom policy, use the wizard’s next screen to type a name and select a port and protocol for the policy. 6 After you add the policy, you can repeat the procedure to add additional policies, if needed. Click OK when you are done. Adding Security Templates A Security Template is a set of configuration information to be used when you create tunnels. When you use Security Templates, you do not need to individually create settings each time you create a tunnel. These templates include Phase 1 and Phase 2 settings. For more information on these settings, see “Configuring mode and transforms (Phase 1 settings)” on page 334 and “Configuring Phase 2 settings” on page 339. Default Security Templates are supplied for the available encryption types. You can use these settings to create secure tunnels that work correctly for most networks. However, if your network has special User Guide 323 Adding Security Templates requirements, you can modify the existing templates or make new templates. To make a Security Template: 1 On the Device Management tab, right-click in the window, and select Insert Security Template or click the Insert Security Template icon. The Security Template dialog box appears. 324 2 In the Template Name box, type a name for the template. This name will appear in the Device Management tree view and in the Add VPN wizard. 3 Click the Phase 1 Settings tab. 4 To have the Firebox send messages to its IKE peer to keep the VPN tunnel open, select the IKE Keep-alive check box. To set the Message Interval, type the number of seconds or use the value control to select the number of seconds you want. 5 To set the maximum number of times the Firebox tries to send an IKE keep-alive message before it tries to negotiate Phase 1 again, type the number you want in the Max failures box. WatchGuard System Manager Making Tunnels Between Devices 6 From the Authentication and Encryption drop-down lists, select the authentication method and encryption method. 7 From the Key Group drop-down list, select the Diffie-Hellman group you want. Diffie-Hellman groups determine the strength of the master key used in the key exchange process. The higher the group number, the greater the security but the more time is required to make the keys. 8 To change the SA (security association) life, type a number in the SA Life fields to define the amount of time or traffic that must pass before the SA expires. 9 Click the Phase 2 Settings tab. 10 From the Authentication drop-down list, select the authentication method for Phase 2. 11 From the Encryption drop-down list, select the encryption method. 12 To force the key to expire, select the Force Key Expiration check box. In the fields below, enter a quantity of time and a number of bytes after which the key expires. If Force Key Expiration is disabled, or if it is enabled and both the time and kilobytes are set to zero, the Firebox tries to use the key expiration time set for the peer. If this is also disabled or zero, the Firebox uses a key expiration time of 8 hours. You can set the time up to one year. 13 Click OK. Making Tunnels Between Devices You configure a tunnel with the Add VPN wizard. Dynamic Fireboxes and Firebox® X Edge devices must have networks that are configured before you can use this procedure. You must also get the policies from any new dynamic devices before you configure tunnels (use the procedure “Getting the current resources from a device” on page 321 to do this). On the Device Management tab: 1 On one of the tunnel endpoints, click the device name. Drag-and-drop the name to the device name at the other tunnel endpoint. The Add VPN wizard starts. User Guide 325 Editing a Tunnel Or, from the Device Management tab, select Edit > Create a new VPN or click the Create New VPN icon. The Add VPN wizard starts. 2 Click Next. 3 If you used the drag-and-drop procedure in Step 1, the screen shows the two endpoint devices you selected with drag-and-drop, and the VPN resource that the tunnel uses. If you did not use drag-and-drop, select the endpoints from the drop-down list. 4 From the drop-down list, select a VPN resource for each device. For more information on VPN resources, see “VPN Resources and Templates” on page 320 and “Adding VPN Resources” on page 320. Click Next. Select Hub Network to make a null-route VPN tunnel to force all traffic through a VPN. Use this setting as the VPN resource for the device that hosts the null-route VPN. The remote device then sends all traffic through the VPN to the device that has Hub Network as the local resource. 5 Select the Security Template applicable for the type of security and type of authentication to use for this tunnel. For more information on Security Templates, see “VPN Resources and Templates” on page 320 and “Adding Security Templates” on page 323. Use the check boxes to specify the DNS and WINS servers you want to use. Click Next. 6 Select the VPN Firewall Policy Template applicable for the type of traffic you want to allow through this tunnel. If no VPN Firewall Policy Templates have been defined, the default “Any” policy applies to the tunnel. For more information on VPN Firewall Policy Templates, see “VPN Resources and Templates” on page 320 and “Adding VPN Firewall Policy Templates” on page 322. 7 Click Next. The wizard shows the configuration. 8 Select the Restart devices now to download VPN configuration check box. Click Finish to start the devices again and deploy the VPN tunnel. Editing a Tunnel You can see all your tunnels on the Device Management tab of WatchGuard® System Manager (WSM). WSM lets you change the tunnel name, Security Template, endpoints, and the policy you use. If you want to change the Policy Template or the Security Template for the tunnel, you can drag-anddrop the template name from the tree view at the left side of the Device Management tab to the VPN name in the tree view. The new template is applied. For other changes, or to use a dialog box to change a template: 1 On the Device Management tab, expand the tree to see the device to change and its policy. 2 Select the tunnel you want to change. 3 Right-click and select Properties. The VPN Properties dialog box appears. 4 326 Make the changes you want to the tunnel. The fields on this dialog box are explained in previous sections. WatchGuard System Manager Removing Tunnels and Devices 5 Click OK to save the changes. When the tunnel is renegotiated, the changes are applied. Removing Tunnels and Devices To remove a device from WatchGuard® System Manager (WSM), you must first remove the tunnels for which that device is an endpoint. Removing a tunnel 1 From WSM, click the Device Management tab. 2 Expand the Managed VPNs folder to show the tunnel you want to remove. 3 Right-click the tunnel. 4 Select Remove. Click Yes to confirm. 5 You may have to restart the devices that use the tunnel you want to remove. Click Yes. Removing a device 1 From System Manager, click the Device Status or Device Management tab. Device Status Tab User Guide 327 Removing Tunnels and Devices Device Management Tab 328 2 If you use the Device Management tab, expand the Devices folder to show the device to remove. 3 Right-click the device. 4 Select Remove. Click Yes. WatchGuard System Manager 21 Manual BOVPN Tunnels Branch Office Virtual Private Networking (BOVPN) enables businesses to deliver secure, encrypted connectivity between geographically separated offices. These communications often contain the types of critical data exchanged inside the corporate firewall. In this scenario, a BOVPN ensures confidential connections between these offices, streamlining communication, reducing the cost of dedicated lines, and retaining security at each end. Manual BOVPN tunnel refers to a BOVPN tunnel that you use dialog boxes to define. The other type of VPN tunnel is a managed BOVPN tunnel, which you create with a drag-and-drop procedure, an automatic wizard, and the use of templates. About Manual VPN Tunnels The basic procedure for creating a manual tunnel involves configuring gateway endpoints—connection points on both the local and remote sides of the tunnel—configuring routes for the tunnel, specifying how the devices control security, and making a policy for the tunnel. Note that the two ends of the tunnel must use the same encryption and authentication method. VPN and failover VPN tunnels automatically fail over to the backup WAN interface during a WAN failover. You can configure BOVPN tunnels such that they fail over to a backup peer endpoint. In the event of a dead peer, the tunnel can fail over to a backup endpoint. You can also use the VPN Failover feature as described in “About VPN Failover” on page 344. Global VPN settings Global VPN settings on your Firebox® apply to all manual BOVPN tunnels, managed tunnels, and MUVPN tunnels. You can use these settings to: • Enable IPSec pass-through. • Clear or maintain the settings of packets with Type of Service (TOS) bits set. • Use an LDAP server to verify certificates. User Guide 329 Configuring Gateways To change these settings, from Policy Manager, select VPN > VPN Settings. For more information on these settings, see “Using Global VPN Settings” on page 81. Configuring Gateways A gateway is a connection point for one or more tunnels. To create a tunnel, you must set up gateways on both the local and remote devices. To configure these gateways, you specify: • Credential method—either pre-shared keys or an IPSec Firebox certificate. • Location of local and remote gateway endpoints, either by IP address or domain information. • Settings for Phase 1 of the Internet Key Exchange (IKE) negotiation. This phase defines the security association—protocols and settings that the gateway endpoints will use to communicate—to protect data that is passed during the negotiation. 1 From Policy Manager, click VPN > Branch Office Gateways. The Gateways dialog box appears 330 WatchGuard System Manager Configuring Gateways 2 To add a gateway, click Add. The New Gateway dialog box appears. 3 In the Gateway Name text box, type a name to identify this gateway in Policy Manager for this Firebox. Defining the credential method 1 From the New Gateway dialog box, select either Use Pre-Shared Key or Use IPSec Firebox Certificate to identify the authentication procedure to use. If you selected Pre-Shared Key Type the shared key. You must use the same shared key on the remote device. This shared key must use only standard ASCII characters. If you selected Use IPSec Firebox Certificate From the table below the radio button, select the certificate to be used for the gateway. Certificates for the devices at each gateway endpoint must use the same algorithm. Either both must use DSS or both must use RSA. You must start the Certificate Authority if you select certificate-based authentication. For information on this, see the “Certificates and the Certificate Authority” chapter in this manual. Also, if you use certificates you must use the WatchGuard® Log Server for log messages. We do not support third-party certificates. User Guide 331 Configuring Gateways Defining gateway endpoints A set of gateway endpoints is known as a gateway pair. 1 In the Gateway Endpoints section of the New Gateway dialog box, click Add. The New Gateway Endpoints Settings dialog box appears. 2 Specify the location of the local gateway. If you want to use the IP address - Select the By IP Address radio button. - Select the address from the IP Address drop-down list. All configured Firebox IP addresses appear in the list. - In the External Interface field, select whether to use the backup or main external interface. Click OK. If you want to use domain information - Select the By Domain Information radio button. Click Configure. - In the Configure Domain for Gateway ID dialog box that appears, select either By Domain Name, By User ID on Domain, or By X500 Name to specify the method of domain configuration and external interfaces for tunnel gateway authentication. - Type either the domain name, user and domain name (UserName@DomainName), or x500 name according to which radio button you selected in the previous step. Click OK. The X500 option is available only if you have Fireware® Pro installed on your Firebox. 332 WatchGuard System Manager Configuring Gateways - In the External Interface field, select whether to use the backup or main external interface. Click OK. 3 Specify the way the remote gateway obtains an IP address. If it has a static IP address - Select the Static IP address radio button. - Enter the IP address in the IP Address field. If it has a dynamic IP address - Select the Dynamic IP address radio button. 4 Specify the remote gateway location for tunnel authentication. If you want to use the IP address - Select the By IP Address radio button. - Select the address from the IP address drop-down list. All configured Firebox IP addresses appear in the list. If you want to use domain information - Make sure the Firebox is configured with DNS servers that can resolve the domain name. - Select the By Domain Information radio button. Click Configure. - From the Configure Domain for Gateway ID dialog box that appears, select either By Domain Name, By User ID on Domain, or By X500 Name to specify the method of domain configuration and external interfaces for tunnel gateway authentication. - Type either the domain name, user and domain name (UserName@DomainName), or x500 name according to which radio button you selected in the previous step. Click OK. - User Guide 333 Configuring Gateways If the remote VPN endpoint uses DHCP or PPPoE to get its external IP address, set the ID type of the remote gateway to Domain Name. Set the peer name field to the fully qualified domain name of the remote VPN endpoint. The Firebox uses the IP address and domain name to find the VPN endpoint. Make sure the DNS server used by the Firebox can identify the name. 5 Click OK to close the New Gateway Endpoints Settings dialog box. The New Gateway dialog box appears. The gateway pair you defined appears in the list of gateway endpoints. 6 Go to the next section if you want to use Phase 1 settings other than the default values. Otherwise, click OK. Configuring mode and transforms (Phase 1 settings) Phase 1 of establishing an IPSec connection is where the two peers make a secure, authenticated channel they can use to communicate. This is known as the ISAKMP Security Association (SA). A Phase 1 exchange can use either Main Mode or Aggressive Mode. The mode determines the type and number of message exchanges that take place during this phase. A transform is a set of security protocols and algorithms to protect data. During IKE negotiation, the peers make an agreement to use a certain transform. You can define a tunnel such that it offers a peer more than one transform for negotiation, as described in “Adding a Phase 1 transform” on page 335. 334 1 On the New Gateway dialog box, select the Phase1 Settings tab. 2 From the Mode drop-down list, select Main, Aggressive, or Main fallback to Aggressive. WatchGuard System Manager Configuring Gateways Main Mode More secure; Uses three separate message exchanges (total of six messages). The first two negotiate policy; the next two exchange Diffie-Hellman data, and the last two authenticate the Diffie-Hellman exchange. Main Mode supports Diffie-Hellman groups 1, 2, and 5. This mode also enables you to use multiple transforms, as described in “Adding a Phase 1 transform” on page 335. Aggressive Mode Quicker because it uses only three messages, which exchange Diffie-Hellman data and identify the two VPN endpoints. The latter makes Aggressive Mode less secure. Main fallback to aggressive The Firebox attempts Phase 1 exchange with Main Mode. If the negotiation fails, it uses Aggressive Mode. 3 If you want to build a BOVPN tunnel between the Firebox and another device that is behind a NAT device, select the NAT Traversal check box. NAT Traversal, or UDP Encapsulation, allows traffic to get to the correct destinations. To set the Keep-alive interval, type the number of seconds or use the value control to select the number of seconds you want. 4 To have the Firebox send messages to its IKE peer to keep the VPN tunnel open, select the IKE Keep-alive check box. To set the Message Interval, type the number of seconds or use the value control to select the number of seconds you want. 5 To set the maximum number of times the Firebox tries to send an IKE keep-alive message before it tries to negotiate Phase 1 again, type the number you want in the Max failures box. 6 The Firebox contains one default transform set, which appears in the Transform Settings list. This transform specifies SHA1 authentication, 3DES encryption, and the Diffie-Hellman group 1. You can either: - Use this default setting. - Remove it and replace it with a new one. - Add an additional setting, as explained in the next section. Adding a Phase 1 transform You can define a tunnel such that it offers a peer more than one transform for negotiation. For example, one transform might bundle SHA1-DES-DF1 ([authentication method]-[encryption method]-[key group]) and a second transform might consist of MD5-3DES-DF2, with the SHA1-DES-DF1 transform having a higher priority than MD53DES-DF2. When traffic passes through the tunnel, the security association can use either SHA1DES-DF1 (first priority) or MD5-3DES-DF2 (second priority) depending on which of the transforms match the peer’s transform. User Guide 335 Making Tunnels between Gateway Endpoints You can include a maximum of nine transforms. You must specify Main Mode in step 2 of the previous procedure to use multiple transforms. 1 From the Phase 1 Settings tab of the New Gateway dialog box, click Add. The Phase1 Transform dialog box appears. 2 From the Authentication drop-down list, select SHA1 or MD5 as the type of authentication. 3 From the Encryption drop-down list, select AES (128-bit), AES (192-bit), AES (256-bit), DES, or 3DES as the type of encryption. 4 To change the SA (security association) life, type a number in the SA Life field, and select Hour or Minute from the drop-down list. 5 From the Key Group drop-down list, select the Diffie-Hellman group you want. WatchGuard supports groups 1, 2, and 5. Diffie-Hellman groups determine the strength of the master key used in the key exchange process. The higher the group number, the greater the security but the more time is required to make the keys. 6 You can add up to nine transforms. You can select a transform and select the Up or Down key to change the priority of transforms. 7 Click OK. Editing and deleting gateways To change a gateway, select VPN > Branch Office Gateways. Or, right-click on a tunnel icon in the BOVPN tab of Policy Manager, and select Gateway Property. 1 Select the gateway you want and click Edit. The Edit Gateway dialog box appears. 2 Make the changes and click OK. To delete a gateway, select the gateway and click Remove. You can also select multiple gateways and click Remove to delete them all at once. Making Tunnels between Gateway Endpoints After you define gateway endpoints, you can make tunnels between them. The process for making a tunnel includes specifying: 336 • Routes—local and remote endpoints for the tunnel • Settings for Phase 2 of the Internet Key Exchange (IKE) negotiation. This phase sets up security associations for the encryption of data packets. WatchGuard System Manager Making Tunnels between Gateway Endpoints Configuring routes for the tunnel 1 From Policy Manager, select VPN > Branch Office Tunnels. The Branch Office IPSec Tunnels dialog box appears. 2 Click Add. The New Tunnel dialog box appears. 3 In the Tunnel Name box, type a name for the tunnel. Make sure the name is unique among tunnel names as well as all MUVPN group names and interface names. 4 From the Gateway list, select the gateway for this tunnel to use. User Guide 337 Making Tunnels between Gateway Endpoints If you want to edit existing gateways, select the name and click the Edit button. Follow the procedures described in “Editing and deleting gateways” on page 336. If you want to add a new gateway, click the New button. Follow the procedure described in “Configuring Gateways” on page 330. 5 Select the Add this tunnel to the BOVPN-Allow policies check box at the bottom of the dialog box if you want to add the tunnel to the BOVPN-Allow.in and BOVPNAllow.out policies. These policies allow all traffic that matches the tunnel’s routes. If you want to restrict traffic through the tunnel, clear this check box and use the BOVPN Policy wizard (as described in “Making a Tunnel Policy” on page 343) to create policies for types of traffic that you want to allow through the tunnel. Adding new routes 1 On the New Tunnel dialog box, click Add. The Tunnel Route Settings dialog box appears. 338 2 From the Local drop-down list, select the local address you want. You can also click the button adjacent to the Local drop-down list to enter a host IP address, network address, a range of host IP addresses, or a DNS name. 3 In the Remote box, type the remote network address. You can also click the adjacent button to enter a host IP address, network address, a range of host IP addresses, or a DNS name. 4 From the Direction drop-down list, select the direction for the tunnel. The tunnel direction determines which endpoint of the VPN tunnel can start a VPN connection through the tunnel. 5 You can enable 1-to-1 NAT and dynamic NAT for the tunnel, depending on the address types and tunnel direction you select for the tunnel. Select the 1:1 NAT check box or the DNAT check box. 6 If you selected the 1:1 NAT check box, click the adjacent button to enter the address you want to change. You can specify a host IP address, network address, a range of host IP addresses, or a DNS name. If you want to use dynamic NAT, you must set a unidirectional tunnel from LAN1 to LAN2 where you want all LAN1 servers to connect to LAN2 servers but appear as only one IP address on LAN2. For information on how to do this, see “Setting up Outgoing Dynamic NAT through a BOVPN Tunnel” on page 343. 7 Click OK. WatchGuard System Manager Making Tunnels between Gateway Endpoints Configuring Phase 2 settings Phase 2 settings include settings for a security association (SA), which defines how data packets are secured when they are passed between two endpoints. The SA keeps all information necessary for the Firebox to know what it should do with the traffic between the endpoints. Parameters in the SA can include: • Encryption and authentication algorithms used. • Lifetime of the SA (in seconds or number of bytes, or both). • IP address of the device for which the SA is established (the device that handles IPSec encryption and decryption on the other side of the VPN, not the computer behind it that sends or receives traffic). • Source and destination IP addresses of traffic to which the SA applies. • Direction of traffic to which the SA applies (there is one SA for each direction of traffic, incoming and outgoing). 1 From the New Tunnel dialog box, select the Phase2 Settings tab. 2 Select the PFS check box to enable Perfect Forward Secrecy (PFS). If you enable PFS, select the Diffie-Hellman group. Perfect Forward Secrecy gives more protection to keys that are created in a session. Keys made with PFS are not made from a previous key. If a previous key is compromised after a session, your new session keys are secure. Diffie-Hellman Group 1 uses a 768-bit group to create the new key exchange, Diffie-Hellman Group 2 uses a 1024-bit group, and Diffie-Hellman Group 5 uses a 1536-bit group. 3 The Firebox® contains one default proposal, which appears in the IPSec Proposals list. This proposal specifies the ESP data protection method, AES encryption, and SHA1 authentication. You can either: User Guide 339 Making Tunnels between Gateway Endpoints - Use this default proposal. - Remove it and replace it with a new one. - Add an additional proposal, as explained in “Adding a Phase 2 proposal” on page 341. If you plan to use the IPSec pass-through feature, you must use a proposal that specifies ESP (Encapsulating Security Payload) as the proposal method. IPSec pass-through supports ESP but not AH. For more information on IPSec pass-through, see “Using Global VPN Settings” on page 81. Using advanced Security Association (SA) settings 1 From the Phase2 Settings tab of the New Tunnel dialog box, click Settings. The Advanced SA Settings dialog box appears. 2 Define addressing and service usage for the SA: Create one SA that includes all tunnel routes This check box controls whether or not a unique SA is created for each Local/Remote address pair in your VPN tunnel definition. We recommend you keep this check box cleared. Most IPSec devices create an SA for each Local/Remote address pair. This is compliant with the RFC and increases Firebox interoperability with other vendors’ IPSec devices, but can affect your BOVPN license count as each SA is equal to one BOVPN tunnel. Select this check box only if you know that the other VPN endpoint can put all Local/Remote address pairs into one SA. If you want to use Any as the source address, destination address, or both, select Use Any for source address in selector or Use Any for destination address in selector. Create one SA that includes all ports and protocols This check box specifies, when selected, that all ports/protocols will use the same SA. If you clear this check box, one SA will be created for each unique port/protocol pair. We recommend you keep this check box selected because many IPSec devices cannot make an SA that includes port and protocol information. This is compliant with the RFC and increases Firebox interoperability with other vendors’ IPSec devices. You can still filter the traffic that the Firebox allows to go through the VPN tunnel with the firewall policies on your Firebox. The Firebox sends traffic to the IPSec module only if there is a firewall policy to allow the traffic. Even if an SA is for all ports and protocols, your firewall policies control what is allowed in and out of your network. Clear this check box only if you know that the other VPN endpoint can make an SA that can 340 WatchGuard System Manager Making Tunnels between Gateway Endpoints select traffic by port or protocol. If you do this, you must control what port is used by each SA in your firewall policies. Adding a Phase 2 proposal You can define a tunnel such that it offers a peer more than one proposal for Phase 2 of the IKE. For example, you might specify ESP-3DES-SHA1 in one proposal, and ESP-DES-MD5 for second proposal. When traffic passes through the tunnel, the security association can use either ESP3DES-SHA1 (first priority) or ESP-DES-MD5 (second priority) depending on which of the proposals match the peer's transform. You can include a maximum of nine proposals. 1 To add a new proposal, from the Phase2 Settings tab of the New Tunnel dialog box, click the Add button. The New Phase2 Proposal dialog box appears. Adding an existing proposal 1 Select the Use an existing Phase 2 proposal check box. 2 From the drop-down list, select the proposal you want to add. Click OK. Creating a new proposal 1 If you are on the New Phase2 Proposal dialog box, select the Create a new Phase 2 proposal check box. or From Policy Manager, select VPN > Phase2 Proposals. The Phase2 Proposals dialog box appears. Click Add. 2 Type a name for the new proposal. From the Type drop-down list, select ESP or AH as the proposal method. We recommend that you use ESP (Encapsulating Security Payload). The differences between ESP and AH (Authentication Header) are: User Guide 341 Making Tunnels between Gateway Endpoints - ESP is authentication with encryption. AH is authentication only. - ESP authentication does not include the protection of the IP header, while AH does. - IPSec pass-through supports ESP but not AH. If you plan to use the IPSec pass-though feature, you must specify ESP as the proposal method. For more information on IPSec pass-through, see “Using Global VPN Settings” on page 81. 3 From the Authentication drop-down list, select SHA1, MD5, or None for the authentication method. 4 (If you selected ESP from the Type drop-down list) From the Encryption drop-down list, select the encryption method. The options are DES, 3DES, and AES 128, 192, or 256 bit, which appear in the list from the most simple and least secure to most complex and most secure. 5 To make the gateway endpoints generate and exchange new keys after a quantity of time or amount of traffic passes, select the Force Key Expiration check box. In the fields below, enter a quantity of time and a number of bytes after which the key expires. If Force Key Expiration is disabled, or if it is enabled and both the time and kBytes are set to zero, the Firebox tries to use the key expiration time set for the peer. If this is also disabled or zero, the Firebox uses a key expiration time of 8 hours. You can set the time up to one year. 6 Click OK. Editing or cloning a proposal To “clone” a proposal is to copy an existing proposal to a new name and make changes. You must do this if you want to edit a predefined proposal because you can edit only user-defined proposals. 1 From Policy Manager, select VPN > Phase2 Proposals. The Phase2 Proposals dialog box appears. 2 Select a proposal and click Edit or Clone. 3 Make changes to the fields as described in the previous section. Click OK. Editing and deleting a tunnel To change a tunnel, select VPN > Branch Office Tunnels. Or, right-click on a tunnel icon in the Branch Office VPN tab of Policy Manager, and select Tunnel Property. 1 Select the tunnel and click Edit. The Edit Tunnel dialog box appears. 2 Make the changes and click OK. To delete a tunnel from the Branch Office IPSec Tunnels dialog box, select the tunnel and click Remove. You can also select multiple tunnels and click Remove to delete them all at once. Changing order of tunnels Order of tunnels is particularly important when more than one tunnel uses the same routes or when the routes overlap. A tunnel higher in the list of tunnels on the Branch Office IPSec Tunnels dialog box takes precedence over a tunnel below it when traffic matches tunnel routes of multiple tunnels. You can change the order in which the Firebox attempts connections: 1 From Policy Manager, select VPN > Branch Office Tunnels. The Branch Office IPSec Tunnels dialog box appears. 342 WatchGuard System Manager Making a Tunnel Policy 2 Select a tunnel and click Move Up or Move Down to move it up or down in the list. Making a Tunnel Policy Tunnel policies are sets of rules that apply to tunnel connections. By default, a new VPN tunnel is automatically added to the BOVPN-Allow.in and BOVPN-Allow.out policies, which allow all traffic to use the tunnel. You can configure the tunnel such that it is not added to this policy (as explained at the end of “Configuring routes for the tunnel” on page 337) and then create a custom VPN policy to allow specified policy types. You can also keep the default setting of adding the tunnel to BOVPN-Allow.in and BOVPN-Allow.out and then add other policies for other types of traffic, such as HTTP proxy. 1 From Policy Manager, select VPN > Create BOVPN Policy. The BOVPN Policy wizard starts. 2 Click through the wizard and add the information it asks for. The wizard has these screens: Choose a name for the policies The name is prepended to “.in” and “.out” to create the firewall policy names for incoming and outgoing tunnels, respectively. For example, if you use “williams” as the name base, the wizard creates the policies “williams.in” and “williams.out.” Select the policy type Specify the traffic type allowed to pass through the BOVPN tunnel. Select the BOVPN tunnels Specify the tunnels to which the policy will apply. Create an alias for the tunnels (Optional) As with the policy name, the name you specify is prepended to “.in” and “.out” to create the alias names for incoming and outgoing tunnels, respectively. You can use these aliases in other policies as well. You should consider creating an alias when you create policies for many BOVPN tunnels. Include those tunnels in the alias. You can then modify the alias as you add or remove tunnels instead of regenerating the policy. The BOVPN Policy Wizard has completed successfully The final screen tells you which policies and aliases were created by the wizard. Setting up Outgoing Dynamic NAT through a BOVPN Tunnel You can use dynamic NAT through BOVPN tunnels. Dynamic NAT acts as unidirectional NAT, and keeps the VPN tunnel open in one direction only. This can be helpful when you make a BOVPN to a remote site where all VPN traffic comes from one public IP address. For example, suppose you want to create a BOVPN tunnel to a business partner so you can get access to their database server, but you do not want this company to get access to any of your resources. Your User Guide 343 About VPN Failover business partner wants to allow you access, but only from a single IP address so they can monitor the connection. You must have the external IP address and the trusted network address of each VPN endpoint to do this procedure. If you enable dynamic NAT though a BOVPN tunnel, you cannot use the VPN Failover feature for that VPN tunnel. 1 From Policy Manager at your site, select VPN > Branch Office Tunnels. Select Add to add a new BOVPN tunnel. 2 Give the BOVPN tunnel a name. 3 Select the New Gateway icon (button at the far right of the Gateway field). The New Gateway dialog box appears. 4 Create a new gateway, as described in the beginning of “Configuring Gateways” on page 330. 5 Click OK to return to the New Tunnel dialog box. 6 On the Addresses tab, click Add. Use the procedure that starts with “From the Local drop-down list” on page 338 to add a new tunnel route. Make sure you select the DNAT check box. 7 Click OK. Save these changes to the Firebox®. 8 From Policy Manager at the remote site, select VPN > Branch Office Tunnels. Select Add to add a new BOVPN tunnel. 9 Do steps 2 – 7 at the remote site, but do not select the DNAT check box. When the Firebox at the remote site restarts, the two Firebox devices negotiate a VPN tunnel. Your Firebox applies dynamic NAT to all traffic destined for the trusted network of the remote site. When this traffic reaches the remote site, it arrives as traffic that originated on your external interface. About VPN Failover When you have multi-WAN failover configured, VPN tunnels automatically fail over to a backup external interface if a failure occurs. You can also configure VPN tunnels to fail over to a backup endpoint if the primary endpoint becomes unavailable. VPN Failover occurs when one of these two events occur: • A physical link is down. The Firebox® monitors the status of the VPN gateway and the devices identified in the multi-WAN link monitor configuration. If the physical link is down, VPN failover occurs. • The Firebox detects the VPN peer is not active. When failover occurs, IKE continues to send Phase 1 keep-alive packets to the peer. When it gets a response, IKE triggers failback to the primary VPN gateway. When a failover event occurs, most new and existing connections failover automatically. For example, if you start an FTP “PUT” command and the primary VPN path goes down, the existing FTP connection continues on the backup VPN path. The connection is not lost, but there is some delay. Note that VPN Failover can occur only if: 344 • Fireboxes at each tunnel endpoint have Fireware v9.1 installed. • Multi-WAN failover is configured, as described in the chapter “Network Configuration with Multiple External Interfaces.” WatchGuard System Manager About VPN Failover The interfaces of your Firebox are listed as gateway pairs on the remote Firebox. If you have already configured multi-WAN failover, your VPN tunnels will automatically fail over to the backup interface. • VPN Failover does not occur for branch office VPN tunnels with dynamic NAT enabled as part of their tunnel configuration. For non-NAT BOVPN tunnels, VPN Failover occurs and the BOVPN session continues. With MUVPN tunnels, the session does not continue. You must authenticate your MUVPN client again to make a new MUVPN tunnel. Configuring multiple gateway pairs To configure VPN tunnels to fail over to a backup endpoint, you must configure more than one set of local and remote endpoints (gateway pairs) for each gateway. For complete failover functionality for a VPN configuration, you must define gateway pairs for each combination of external interfaces on each side of the tunnel. For example, suppose your primary local endpoint is 205.122.1.1/24 with a backup of 205.122.2.1/24. Your primary remote endpoint is 50.50.1.1/24 with a backup of 50.50.2.1/24. For complete VPN Failover, you would need to define these four gateway pairs: 205.122.1.1 - 50.50.1.1 205.122.1.1 - 50.50.2.1 205.122.2.1 - 50.50.1.1 205.122.2.1 - 50.50.2.1 1 User Guide Select VPN > Branch Office Gateways. Click Add to add a new gateway. Give the gateway a name and define the credential method, as described in“Configuring Gateways” on page 330. 345 Forcing a BOVPN Tunnel Rekey 2 In the Gateway Endpoints section of the New Gateway dialog box, click Add. The New Gateway Endpoints Settings dialog box appears. 3 Specify the location of the local and remote gateways. Select the external interface name that matches the local gateway IP address or domain name you add. You can add both a gateway IP address and gateway ID for the remote gateway. This can be necessary if the remote gateway is behind a NAT device and requires more information to authenticate to the network behind the NAT device. 4 Click OK to close the New Gateway Endpoints Settings dialog box. The New Gateway dialog box appears. The gateway pair you defined appears in the list of gateway endpoints. 5 Repeat this procedure to define additional gateway pairs. You can add up to nine gateway pairs. You can select a pair and select the Up or Down key to change the order in which the Firebox attempts connections. 6 Click OK. Forcing a BOVPN Tunnel Rekey Normally, the gateway endpoints must generate and exchange new keys after a quantity of time or amount of traffic passes, as defined in Force Key Expiration field in the Phase2 Proposals dialog box. You might sometimes, particularly when you troubleshoot tunnels, want to immediately generate new keys instead of waiting for them to expire. To rekey one BOVPN tunnel You can rekey a tunnel either from the front panel of Firebox® System Manager or from the Device Status tab of WatchGuard® System Manager. Under the Branch Office VPN Tunnels heading, 346 WatchGuard System Manager Forcing a BOVPN Tunnel Rekey select the tunnel you want to rekey. Right-click and select Rekey Selected BOVPN Tunnel. When prompted, type the configuration passphrase for the Firebox to which Firebox System Manager is connected. To rekey all BOVPN tunnels From Firebox System Manager, right-click anywhere on the front panel of the window. Select Rekey All BOVPN Tunnels. When prompted, type the configuration passphrase for the Firebox to which Firebox System Manager is connected. or From Firebox System Manager, select Tools > Rekey All BOVPN Tunnels. When prompted, type the configuration passphrase for the Firebox to which Firebox System Manager is connected. or From the Device Status tab of WatchGuard System Manager, right-click the Branch Office VPN Tunnels heading or any tunnel below the heading. Select Rekey All BOVPN Tunnels. User Guide 347 Forcing a BOVPN Tunnel Rekey 348 WatchGuard System Manager 22 Certificates and the Certificate Authority When you use local authentication to connect to your Firebox® over secure HTTP, your session is secured using a certificate. You can also use certificates for managed, branch office, or remote user VPN authentication. Certificates are files that use a digital signature to match the identity of a person or organization with an encryption key. Certificates use a security component called a key pair, which consists of two mathematically related numbers. The user keeps one number, the private key, secret. The user can supply the other number, known as the public key, to other users. The private key has the ability to “unlock” data that was encrypted using the public key. To create a certificate, you place a private key in a certificate signing request (CSR) and send the CSR to a certificate authority. A certificate authority (CA) is an organization or application that gives certificates to clients. In WatchGuard® System Manager, the workstation that is configured as the Management Server also operates as a CA. The CA gives certificates to managed Firebox clients when they contact the Management Server to receive configuration updates. Each certificate has a lifetime set when it is created. When the end date and time set for the certificate lifetime is reached, the certificate expires and can no longer be used. Sometimes, certificates are revoked before their lifetime expiration. The Firebox keeps a current list of these revoked certificates, called the Certificate Revocation List (CRL). The CRL is published to each Firebox when the Firebox connects to the Management Server. Creating a New Certificate If you have not prepared a certificate, you can create a certificate signing request (CSR) using Firebox® System Manager. You can also create a new certificate for an MUVPN using the built-in Certificate Authority (CA) Manager on your Management Server. Creating a certificate with Firebox System Manager 1 From Firebox System Manager, select View > Certificates. 2 Click Create Request. The Certificate Request wizard starts. User Guide 349 Creating a New Certificate 350 3 Click Next. 4 Enter your name, your department, the name of your company, and the city, state or province, and country you are working in. These entries are used to create the subject name. Click Next. 5 The wizard creates a subject name based on what you entered in the previous screen. Enter the appropriate information in the DNS name, IP address, and user domain name fields. Click Next. 6 If your VPN gateway requires DSA encryption or a 512-bit key length, select the appropriate radio buttons. Click Next. WatchGuard System Manager Creating a New Certificate 7 After you type the configuration passphrase, click OK to see the finished CSR. 8 Click Copy to copy the Certificate Signing Request to the Windows clipboard. You must send this CSR to a certificate authority for signature before you can use it with your Firebox. Click Next. 9 To close the wizard, click Finish. To import a certificate, click Import Now. Creating a certificate with CA Manager 1 From WatchGuard® System Manager, connect to the Management Server. You must type the configuration passphrase to connect. 2 Click the Device Management tab for the Management Server. 3 From the Tools menu, select CA Manager. Or, click the CA Manager icon on the WatchGuard System Manager toolbar. 4 Click Generate a New Certificate. 5 Type the subject’s common name, password, and certificate lifetime. - For MUVPN users, the common name must agree with the user name of the remote user. - For Firebox users, the common name must agree with the Firebox identifying information (normally, its IP address). - For a generic certificate, the common name is the name of the user. 6 If this certificate is for MUVPN users only, type the subject’s organizational unit. The organizational unit must appear in this format: GW:<vpn gateway name> If you do not know the VPN gateway name, use the value of config.watchguard.id in the configuration file of the gateway Firebox. 7 To download the certificate after it is generated, select the Download Cert check box. 8 Click Generate. User Guide 351 Completing a Certificate Signing Request Completing a Certificate Signing Request Each certificate signing request (CSR) must be signed by a certificate authority (CA) before it can be used for authentication. When you do this procedure yourself, you act as the CA and digitally sign your own request. For compatibility reasons, however, we recommend that you instead send your CSR to a widely known CA, such as Verisign or GeoTrust. Because the root certificates for these organizations are installed by default with most major Internet browsers, you do not have to distribute the root certificates yourself. You can use Windows Server 2003 to complete a CSR. Send the certificate request 1 Open your web browser. In the location or address bar, type the IP address of the server where the Certification Authority is installed, followed by certsrv. Example: http://10.0.2.80/certsrv 2 Click the Request a Certificate link. 3 Click the advanced certificate request link. 4 Click Submit a certificate. 5 Paste the contents of your CSR file into the Saved Request text box. Click OK. 6 Close your web browser. Issue the certificate 1 Connect to the server where the Certification Authority is installed, if necessary. 2 Select Start > Control Panel > Administrative Tools > Certification Authority. 3 From the Certification Authority (Local) tree in the left navigation pane, select Your Domain Name > Pending Requests. 4 Select the CSR in the right navigation pane. 5 From the Action menu, select All Tasks > Issue. 6 Close the Certification Authority window. Download the certificate 1 Open your web browser. In the location or address bar, type the IP address of the server where the certification authority is installed, followed by certsrv. Example: http://10.0.2.80/certsrv 2 Click the View the status of a pending certificate request link. 3 Click the certificate request with the time and date you submitted. 4 Select the Base 64 encoded radio button to choose the PKCS10 or PKCS7 format. Click Download certificate to save the certificate on your hard drive. Certification Authority is distributed with Windows Server 2003 as a component. If the Certification Authority is not installed in the Administrative Tools folder of the Control Panel, follow the manufacturer’s instructions to install it. 352 WatchGuard System Manager Importing a Certificate Importing a Certificate You must import certificates before you can use them for local Firebox® or VPN authentication. You can use Firebox System Manager to import CA root certificates, certificates in PEM format that include a private key, or a certificate that matches the private key used to create the last certificate signing request (CSR). 1 From Firebox System Manager, select View > Certificates. 2 Click Import Certificate/CRL. 3 Click the Import a Certificate tab. 4 Paste the contents of the certificate into the text box, or click Load the certificate from a file to browse to a certificate file. Click Import Certificate. Your certificate must be in Base64 format. 5 User Guide Type the Firebox configuration (read/write) passphrase. 353 Importing a Certificate Using Certificates for Authentication You can use certificates for: • Firebox® authentication (such as local or LDAP) • MUVPN and BOVPN tunnel authentication Third-party or self-signed certificates can be used only for BOVPN and Firebox authentication. When you perform any of these procedures, we recommend that you connect to the Firebox directly so Policy Manager can download the list of currently installed certificates. If you save changes from a local configuration file and the new settings do not match the certificates on the Firebox, your Firebox may not operate correctly. Firebox authentication When users connect to the Firebox with a web browser, they often see a security warning. This warning occurs because the default certificate does not match the IP address or domain name used for authentication. To remove this warning, you can use a third-party certificate, or create a custom certificate that matches the IP or domain name. To configure the web server certificate for Firebox authentication: 1 In Policy Manager, select Setup > Authentication > Web Server Certificate. 2 To use the default certificate, select the Default certificate signed by Firebox radio button. Skip to step 7. 3 To use a certificate you have previously imported, select the Third-party certificate radio button. Select a certificate from the drop-down list. Skip to step 7. This certificate must be recognized as a “Web”-type certificate by Firebox System Manager. 4 354 If you want to create a custom certificate signed by the Firebox, select the Custom certificate signed by Firebox radio button. WatchGuard System Manager Importing a Certificate 5 Click the Add Domain Names button, or the Add Interface IP Addresses button. 6 Type a domain name or IP address of an interface on your Firebox in the field at the bottom of the dialog box. Click Add. When you have added all the domain names you want, click OK. 7 Click OK to save your changes. Mobile User VPN (MUVPN) tunnel authentication When a Mobile User VPN tunnel is created, the IPSec protocol checks the identity of each endpoint using a pre-shared key (PSK). This key can be a passphrase known by both endpoints, or a certificate from the Management Server. The Firebox must be a managed client to use a certificate for MUVPN authentication. To use certificates for a new MUVPN tunnel: 1 In Policy Manager, select VPN > Remote Users. 2 Click the Add button. 3 On the third screen of the wizard, select the Use an RSA certificate issued by your WatchGuard Management Server radio button. 4 Type the IP address and administration passphrase of your Management Server. 5 Finish the wizard. To change an existing MUVPN tunnel to use certificates for authentication: 1 In Policy Manager, select VPN > Remote Users. 2 Select the MUVPN tunnel you want to change. Click Edit. 3 Click the IPSec Tunnel tab of the Edit Extended MUVPN Authentication Group window. 4 Select the Use a certificate radio button. 5 Type the IP address of the Management Server. If necessary, adjust the connection timeout. 6 Click OK. User Guide 355 Managing Certificates When you use certificates, you must give each MUVPN user three files: • The end-user MUVPN profile (.wgx) • The client certificate (.p12) • The CA root certificate (.pem) When an MUVPN user opens the .wgx file, the root and client certificates contained in the cacert.pem and the .p12 files are automatically loaded. For more information on MUVPN, see the MUVPN Administrator Guide on the WatchGuard web site. Branch Office VPN (BOVPN) authentication When a Mobile User VPN tunnel is created, the IPSec protocol checks the identity of each endpoint using a pre-shared key (PSK). This key can be a passphrase known by both endpoints, or a certificate imported and stored on the Management Server. To add a new gateway or change an existing gateway: 1 In Policy Manager, select VPN > Branch Office Gateways. 2 Click the Add button to create a new gateway, or select an existing gateway and click Edit. 3 Select the Use IPSec Firebox Certificate radio button. Click the certificate you want to use. This certificate must be recognized as an “IPSec”-type certificate by Firebox System Manager. 4 Set other parameters as necessary. Click OK. Managing Certificates You can manage certificates with the web-based CA Manager on the Management Server, WatchGuard® System Manager, or Firebox System Manager. Using the web-based CA Manager 1 From WatchGuard System Manager, connect to the Management Server. You must type the configuration passphrase to connect. 2 Click the Device Management tab for the Management Server. 3 Select Tools > CA Manager. Or, click the CA Manager icon on the WatchGuard System Manager toolbar. The web-based CA Manager has several options you can choose from. Certificate Authority CA Certificate Shows the CA (root) certificate. You can save the certificate to a file, or copy its contents to the Windows clipboard. Management Server CA Certificate Shows the Management Server CA certificate. You can save the certificate to a file, or copy its contents to the Windows clipboard. 356 WatchGuard System Manager Managing Certificates Generate a New Certificate Use this option to create a new certificate, as described in “Creating a certificate with CA Manager” on page 351. Find and Manage Certificates On this page, you can search for certificates by serial number, common name, or organizational unit. You can then view details for, revoke, reinstate, or destroy the certificates returned in the search results. List and Manage Certificates To see the full certificate, click its number in the Serial column. This page shows detailed information about the certificate, such as its signature algorithm and issuer. To change the status of one or more certificates, select the check box adjacent to each certificate. At the bottom of the page, select an action from the drop-down list. Click Go. When you revoke a certificate, it is added to the Certificate Revocation List (CRL) and cannot be used for authentication. When you reinstate a certificate, it is removed from the CRL and can be used again. If you remove or destroy a certificate, it is not added to the CRL, but it cannot be used for authentication. The CRL is published to each Firebox when the Firebox connects to the Management Server. Upload Certificate Request Use this page to sign a certificate request from a different device. Type in the common name and organizational unit used in the certificate, and then click Browse to find the CSR (Certificate Signing Request) file. When you are finished, click Upload. Publish a Certificate Revocation List (CRL) This option publishes the CRL to each Firebox connected to the Management Server. Any VPN tunnels that use newly expired certificates stop operating when the Firebox receives the new list. User Guide 357 Managing Certificates Using WSM to manage certificates From WSM, select File > Certificates. The Certificate Maintenance dialog box shows a list of the certificates used by WatchGuard System Manager. To remove a certificate, select it and click Remove. If the certificate is currently used by the Management Server, you must first disconnect from the Server before you delete the certificate. When you delete a Management Server certificate, you do not delete certificates in Microsoft Internet Explorer. Using FSM to manage certificates You can do the following from Firebox® System Manager: • See a list of the current Firebox certificates and details on any of them. • Remove a certificate from the Firebox. • Make a certificate request. • Import a third-party CA certificate and store it in the certificate trust list. Seeing current certificates To see the current list of certificates, select View > Certificates. 358 WatchGuard System Manager Managing Certificates In this window, you can see a list of all certificates and certificate signing requests (CSRs). The list includes this information: • The status and type of the certificate. The certificate marked with an asterisk is the currently active Firebox web server certificate. (For more information on options for the web server certificate, see the previous section, “Using Certificates for Authentication”.) • The algorithm used by the certificate. • The subject name or identifier of the certificate. To see additional information on a certificate in the list, select the certificate and click Details. The Certificate Details window includes information about which CA signed the certificate and the certificate fingerprint. Use this information to troubleshoot or uniquely identify certificates. Deleting a certificate To remove a certificate from the Firebox, select the certificate in the Certificates dialog box and click Delete. You must provide the Firebox configuration (read/write) passphrase to remove a certificate. Certificates you delete can no longer be used for authentication. Importing a CRL from a file You can import a certificate revocation list (CRL) from a file on your local computer. This is useful when you must restore a Firebox from a backup. 1 From Firebox System Manager, select View > Certificates. 2 From the Certificate dialog box, click Import Certificate/CRL. User Guide 359 Managing Certificates 3 Click the Import a CRL tab. Click Browse to find the file. 4 At the prompt, type the configuration passphrase. Click OK. The CRL you specified is appended to the CRL on your Firebox. Retrieving the CRL from an LDAP server You can retrieve a CRL from an LDAP server if you have access to the server. You must have LDAP account information provided by a third-party CA service. 1 From Policy Manager, select VPN > VPN Settings. The VPN Settings dialog box appears. 2 Select the Enable LDAP server for certificate verification check box. 3 Enter the name or address of the LDAP server. 4 (Optional) Enter the port number. 5 Click OK. Your Firebox checks the CRL stored on the LDAP server when tunnel authentication is requested. 360 WatchGuard System Manager 23 Remote User VPN with PPTP Remote User Virtual Private Networking (RUVPN) uses Point-to-Point Tunneling Protocol (PPTP) to make a secure connection. It supports as many as 50 users at the same time for each Firebox®. RUVPN users can authenticate to the Firebox or to a RADIUS authentication server. You must configure the Firebox and the remote host computers of the remote user. Configuration Checklist Before you configure a Firebox® to use RUVPN, make sure you have this information: • The IP addresses for the remote client to use for RUVPN sessions. For RUVPN PPTP tunnels, the Firebox gives each remote user a virtual IP address. These IP addresses cannot be addresses that the network behind the Firebox uses. The safest procedure to give addresses for RUVPN users is to install a “placeholder” secondary network with a range of IP addresses. Then, select an IP address from that network range. For example, create a new subnet as a secondary network on your trusted network 10.10.0.0/24. Select the IP addresses in this subnet for your range of PPTP addresses. • The IP addresses of the DNS and WINS servers that resolve host names to IP addresses. • The user names and passphrases of users that are allowed to connect to the Firebox with RUVPN. Encryption levels For RUVPN with PPTP, you can select to use 128-bit encryption or 40-bit encryption. U.S. domestic versions of Windows XP have 128-bit encryption enabled. You can get a strong encryption patch from Microsoft for other versions of Windows. The Firebox always tries to use 128-bit encryption first. It uses 40-bit encryption (if enabled) if the client cannot use the 128-bit encrypted connection. For information on how to enable the drop from 128-bit to 40-bit, see “Preparing the Client Computers” on page 367. If you do not live in the U.S. and you want to have strong encryption allowed on your LiveSecurity™ Service account, send an email message to [email protected] and include in it: • Your LiveSecurity Service key number • Date of purchase User Guide 361 Configuring WINS and DNS Servers • Name of your company • Company mailing address • Telephone number and name • Email address If you live in the U.S. and are not already using WSM with strong encryption, you must download the strong encryption software from your archive page in the LiveSecurity Service web site. Go to www.watchguard.com, click Support, log in to your LiveSecurity Service account, and then click Latest Software. Download WatchGuard® System Manager with strong encryption. Then, uninstall WatchGuard System Manager, and install WatchGuard System Manager with strong encryption software from the downloaded file. To keep your current Firebox configuration, do not use the Quick Setup Wizard when you install the new software. Open WatchGuard System Manager, connect to the Firebox, and save your configuration file. Configurations with a different encryption version are compatible. Configuring WINS and DNS Servers RUVPN clients use shared Windows Internet Naming Service (WINS) and Domain Name System (DNS) server addresses. DNS changes host names into IP addresses, while WINS changes NetBIOS names to IP addresses. The trusted interface of the Firebox® must have access to these servers. 1 From Policy Manager, select Network > Configuration. Click the WINS/DNS tab. The information for the WINS and DNS servers appears. 2 362 In the IP address text boxes, type the addresses for the WINS and DNS servers. You can type three addresses for DNS servers, and two addresses for WINS servers. Type a domain name for the DNS server. WatchGuard System Manager Enabling RUVPN with PPTP Enabling RUVPN with PPTP Remote User Virtual Private Networking (RUVPN) uses Point-to-Point Tunneling Protocol (PPTP) to make a secure connection. It supports as many as 50 users at the same time for each Firebox®. RUVPN users can authenticate to the Firebox or to a RADIUS authentication server. 1 From Policy Manager, click VPN > Remote Users. Click the PPTP tab. 2 Select the Activate Remote User VPN with PPTP check box. This allows PPTP remote users to be configured and automatically creates a WatchGuard PPTP policy to allow PPTP traffic to the Firebox. We recommend that you do not change the default properties of the WatchGuard® PPTP policy. User Guide 363 Enabling RUVPN with PPTP Enabling RADIUS authentication RUVPN with extended authentication lets users authenticate to a RADIUS authentication server as an alternative to the Firebox®. 1 Select the Use RADIUS Authentication to authenticate remote users check box. If you do not select this check box, the Firebox database is used to authenticate users. 2 Configure the RADIUS server in the Authentication Servers dialog box. Refer to “Configuring RADIUS Server Authentication” on page 161. 3 On the RADIUS server, create a PPTP-Users group and add names or groups of PPTP users. Setting encryption for PPTP tunnels U.S. domestic versions of Windows XP have 128-bit encryption enabled. You can get a strong encryption patch from Microsoft for other versions of Windows. 364 • Select the Require 128-bit encryption if you want to require 128-bit encryption for all PPTP tunnels. We recommend that you use 128-bit encryption for VPN. • Select the Allow Drop from 128-bit to 40-bit check box to allow the tunnels to drop from 128bit to 40-bit encryption for connections that are less reliable. The Firebox always tries to use 128bit encryption first. It uses 40-bit encryption if the client cannot use the 128-bit encrypted connection. Usually, only customers outside the United States use this check box. • Select the Do not require encryption check box to allow traffic that is not encrypted through the VPN. WatchGuard System Manager Adding IP Addresses for RUVPN Sessions Defining timeout settings for PPTP tunnels You can define two timeout settings for PPTP tunnels: Session Timeout Maximum length of time the user can send traffic to the external network. If you set this field to zero (0) seconds, minutes, hours, or days, no session timeout is used and the user can stay connected for any length of time. Idle Timeout Maximum length of time the user can stay authenticated when idle (not passing any traffic to the external network). If you set this field to zero (0) seconds, minutes, hours, or days, no idle timeout is used and the user can stay idle for any length of time. Adding IP Addresses for RUVPN Sessions RUVPN with PPTP supports as many as 50 users at the same time. The Firebox® gives an open IP address to each incoming RUVPN user from a group of available addresses. This goes on until all the addresses are in use. After a user closes a session, the address is put back in the available group. The subsequent user who logs in gets this address. You must configure two or more IP addresses for PPTP to operate correctly. From the PPTP tab on the Remote Users Configuration dialog box: 1 Click Add. The Add Address dialog box appears. 2 From the Choose Type drop-down list, select Host IP (for a single IP address) or Host Range (for a range of IP addresses). You can configure 50 addresses. If you select Host IP, you must add at least two IP addresses. If you select Host Range and add a range of IP addresses that is larger than 50 addresses, RUVPN with PPTP uses the first 50 addresses in the range. 3 In the Value text box, type the host IP address. If you selected Host Range, type the first and last IP address in the range. Click OK. Type IP addresses that are not in use that the Firebox can give to clients during RUVPN with PPTP sessions. The IP address appears in the list of addresses available to remote clients. 4 Do the procedure again to configure all the addresses for use with RUVPN with PPTP. User Guide 365 Adding New Users to the PPTP_Users Authentication Group Adding New Users to the PPTP_Users Authentication Group To create a PPTP VPN tunnel with the Firebox®, a remote user types their user name and password to authenticate. WatchGuard® System Manager software uses this information to authenticate the user to the Firebox. When you enable PPTP in your Firebox configuration, a default user group is created automatically. This user group is called pptp_users. You see this group name when you create a new user or add user names to policies. For more information on Firebox groups, see the “Authentication” chapter in this guide. 1 From Policy Manager, click Setup > Authentication Servers. The Authentication Servers dialog box appears. 2 Click the Firebox tab. 3 To add a new user, click the Add button below the Users list. The Setup Firebox User dialog box appears. 366 WatchGuard System Manager Preparing the Client Computers 4 Type a user name and passphrase for the new user. Type the passphrase again to confirm it. The new user is put on the Users list. The Authentication Servers dialog box stays open so you can add more users. 5 To close the Authentication Servers dialog box, click OK. You can use the users and groups to configure policies. See the subsequent section. Configuring policies to allow RUVPN traffic RUVPN users have no access privileges through a Firebox. You must add user names or the full PPTPUsers group as sources and definitions in individual policy definitions to give remote users access to specified network resources. To use WebBlocker to control the access of remote users, add PPTP users or groups to a proxy policy that controls WebBlocker, such as HTTP-proxy. Preparing the Client Computers You must first prepare each computer that you use as an RUVPN with PPTP remote host with Internet access. Then, do these procedures using the instructions in the subsequent sections: • Install the necessary version of Microsoft Dial-Up Networking and the necessary service packs • Prepare the operating system for VPN connections • Install a VPN adapter (not necessary for all operating systems) Installing MSDUN and service packs It can be necessary to install these options for the correct configuration of RUVPN: • MSDUN (Microsoft Dial-Up Networking) upgrades • Other extensions • Service packs User Guide 367 Creating and Connecting a PPTP RUVPN from a Windows Vista Client For RUVPN with PPTP, you must have these upgrades installed: Encryption Platform Application Base Windows NT 40-bit SP4 Strong Windows NT 128-bit SP4 Base Windows 2000 40-bit SP2* Strong Windows 2000 128-bit SP2 *40-bit encryption is the default for Windows 2000. If you upgrade from Windows 98, with strong encryption, Windows 2000 will automatically set strong encryption for the new installation. To install these upgrades or service packs, go to the Microsoft Download Center web site at: http://www.microsoft.com/downloads/ Creating and Connecting a PPTP RUVPN from a Windows Vista Client To prepare a Windows Vista client computer, you must configure the PPTP connection. From the Windows Desktop of the client computer: 1 Click Start > Settings > Control Panel. The Start button in Windows Vista is located in the lower-left corner of the screen. 2 Click Network and Internet. This opens the Network and Sharing Center. 3 In the left column, below Tasks, click Connect to a network. The New Connection Wizard starts. 4 Click Connect to a workplace. Click Next. The “Connect to a workplace” window appears. 5 Click No, create a new connection. Click Next. The “How do you want to connect” window appears. 6 Click Use my Internet connection (VPN). The “Type the Internet address to connect to” window appears. 7 In the Internet address text box, type the host name or IP address of the Firebox® external interface. 8 In the Destination name text box, type a name, such as “PPTP to Firebox.” 9 Select whether you want other people to be able to use this connection. 10 Select the Don’t connect now; just set it up so I can connect later check box so that the client computer does not try to connect at this time. 11 Click Next. The “Type your user name and password” window appears. 12 Type the User name and Password for this client. 13 Click Create. “The connection is ready to use” window appears. If you want to test the connection, you can click Connect now. 368 WatchGuard System Manager Creating and Connecting a PPTP RUVPN on Windows XP Establishing the PPTP connection These instructions are written for the Vista client end user. Replace [name of the connection] with the actual name you used when configuring the PPTP connection. The user name and password refers to one of the users you added to the PPTP-Users group (see the “Adding New Users to the PPTP-Users group” section above). Make sure you have an active connection to the Internet before you start. 1 Click Start > Settings > Network Connections > [name of the connection] The Windows Vista Start button is located in the lower-left corner of your screen. 2 Type the user name and password for the connection and click Connect. 3 The first time you connect you must select a network location. Select Public location. Creating and Connecting a PPTP RUVPN on Windows XP To prepare a Windows XP remote host, you must configure the network connection. From the Windows Desktop of the client computer: 1 Click Start > Control Panel > Network Connections. The Network Connection wizard appears. 2 Click Create a new connection from the menu on the left. The New Connection wizard starts. Click Next. 3 Click Connect to the network at my workplace. Click Next. 4 Click Virtual Private Network Connection. Click Next. 5 Give the new connection a name, such as “Connect with RUVPN.” Click Next. 6 Select to not dial (for a broadband connection), or to automatically dial (for a modem connection) this connection. Click Next. The wizard includes this screen if you use Windows XP SP2. Not all Windows XP users see this screen. 7 Type the host name or IP address of the Firebox® external interface. Click Next. 8 Select who can use this connection profile. Click Next. 9 Select Add a shortcut to this connection to my desktop. Click Finish. 10 To connect with your new VPN connection, first make an Internet connection through a dial-up network, or directly through a LAN or WAN. 11 Double-click the shortcut to the new connection on your desktop. Or, select Control Panel > Network Connections and look in the Virtual Private Network list for the connection you created. 12 Type the user name and passphrase for the connection. This information was given when you added the user to pptp_users. See “Adding New Users to the PPTP_Users Authentication Group” on page 366. 13 Click Connect. Creating and Connecting a PPTP RUVPN on Windows 2000 To prepare a Windows 2000 remote host, you must configure the network connection. User Guide 369 Running RUVPN and Accessing the Internet From the Windows Desktop of the client computer: 1 Click Start > Settings > Network Connections > Create a New Connection. The New Connection wizard appears. 2 Click Next. 3 Select Connect to the network at my workplace. Click Next. 4 Click Virtual Private Network connection. 5 Give the new connection a name, such as “Connect with RUVPN.” Click Next. 6 Select to not dial (for a broadband connection), or to automatically dial (for a modem connection) this connection. Click Next. 7 Type the host name or IP address of the Firebox® external interface. Click Next. 8 Select Add a shortcut to this connection to my desktop. Click Finish. 9 To connect with your new VPN connection, first make an Internet connection through a dial-up network, or directly through a LAN or WAN. 10 Double-click the shortcut to the new connection on your desktop. Or, select Control Panel > Network Connections and look in the Virtual Private Network list for the connection you created. 11 Type the user name and passphrase for the connection. This information was given when you added the user to pptp_users. See “Adding New Users to the PPTP_Users Authentication Group” on page 366. 12 Click Connect. Running RUVPN and Accessing the Internet You can enable remote users to get access to the Internet through a RUVPN tunnel. But this option has an effect on security, because Internet traffic is not filtered or encrypted. This risky configuration is less vulnerable when all of the Internet traffic of the remote user goes through a VPN tunnel to the Firebox®. From the Firebox, the traffic is then sent back out to the Internet (tunnel switching). With this configuration the Firebox examines all traffic and gives better security. When you use tunnel switching, a dynamic NAT policy must include the outgoing traffic from the remote network. This allows the remote users to browse the Internet when they send all traffic to the Firebox. Split tunneling decreases security, but it does increase performance. If you use split tunneling, remote users must have personal firewalls for computers behind the VPN endpoint. 370 1 When you set up your connection on the client computer, use the Advanced TCP/IP Settings dialog box to select the Use default gateway on remote network check box. To open the Advanced TCP/IP Settings dialog box on Windows XP or Windows 2000, right-click the VPN connection in Control Panel > Network Connections. Select Properties and click the Network tab. Find Internet Protocol in the list box and click Properties. On the General tab, click Advanced. 2 Make sure that the IP addresses you have added to the PPTP address pool are included in your dynamic NAT configuration. To make sure, from Policy Manager, select Network > NAT. 3 Edit your policy configuration to allow connections from PPTP-Users through the external interface. If you use WebBlocker to control remote user web access, add PPTP-Users to the policy that controls WebBlocker (such as HTTP-proxy). WatchGuard System Manager Running RUVPN and Accessing the Internet If you use the “route print” or “ipconfig” commands after you start a PPTP RUVPN tunnel on a computer with Microsoft Windows installed, you see incorrect default gateway information. You will see correct information if you look at the Details tab of the Virtual Private Connection Status dialog box. Making outbound PPTP connections from behind a Firebox If necessary, you can make a PPTP connection to a Firebox from behind a different Firebox. For example, a remote user goes to a customer office that has a Firebox. The user can make PPTP connections to their network with PPTP. For the local Firebox to correctly allow the outgoing PPTP connection, add the PPTP policy and allow PPTP to Any-External. For information on enabling policies, see the “Policies” chapter of this guide. User Guide 371 Running RUVPN and Accessing the Internet 372 WatchGuard System Manager 24 WebBlocker WebBlocker is an option for WatchGuard® Fireware® that gives you control over the web sites that are available to your users. You can restrict access to offensive web sites or those that decrease employee productivity. WebBlocker uses a database of web site addresses controlled by SurfControl, a leading web filter company. When a user on your network tries to connect to a web site, the Firebox® examines the WebBlocker database. If the web site is not in the database or is not blocked, the page opens. If the web site is in the WebBlocker database and is blocked, a notification appears and the web site is not displayed. If you have not configured the HTTP proxy, it is automatically enabled when you configure the WebBlocker service. WebBlocker works with the HTTP proxy to filter web browsing. Because WebBlocker works with only this proxy, you cannot use WebBlocker to stop access to web sites using HTTPS. Installing the Feature Key To install WebBlocker, you must have a WebBlocker license key and register it on the LiveSecurity® web site. After you register the license key, LiveSecurity gives you a new feature key. For information on working with feature keys, see “Working with Feature Keys” on page 61. Getting Started with WebBlocker You can install the WebBlocker Server on your WatchGuard® management station when you first do the setup for WatchGuard System Manager. You can also install the WebBlocker Server software on a different computer. To do this, use the same method as you used to install the WatchGuard System Manager software, but select only the WebBlocker Server component. Operating systems that are supported for the WebBlocker Server are Windows 2000, Windows 2003, and Windows XP. User Guide 373 Getting Started with WebBlocker If you install one of the WSM Servers on a computer with a personal firewall other than the Microsoft Windows firewall, you must open the ports for the servers to connect through the firewall. To allow connections to the WebBlocker Server, open UDP port 5003. It is not necessary to change your configuration if you use the Microsoft Windows firewall. See the “Getting Started” chapter for more information. Before you configure WebBlocker, you must download the WebBlocker database. 1 Right-click the WebBlocker Server icon in the toolbar at the bottom of the screen. (The WebBlocker Server icon is the one on the right.) 2 Select Get Full Database. The Download WebBlocker Database dialog box appears. 3 If you want to use a folder other than the default C:\Documents and Settings\WatchGuard\wbserver\db as the destination folder for the database, click Browse and select a new folder. You cannot save the WebBlocker database to a root directory, such as c:\. 4 Select Download to download the new database. The WebBlocker database has more than 140 MB of data. Your connection speed sets the download speed, and the download can be more than 30 minutes. Make sure the hard disk drive has a minimum of 200 MB of free space. You can use the WebBlocker utility at any time to: • Download a new version of the database • See the database status • Start or stop the server To get an incremental update of the WebBlocker database, you must first stop the WebBlocker Server service. To stop the service, right click the WebBlocker Server icon on the WatchGuard toolbar and select Stop Service. Automating WebBlocker database downloads The best procedure to keep your WebBlocker database updated is to use Windows Task Scheduler. You can use Windows Task Scheduler to schedule the “updatedb.bat” process, which is created automatically for you in your WSM9/bin directory. 374 1 Open Scheduled Tasks. To open the Task Scheduler using Windows XP, click Start, click All Programs, point to Accessories, point to System Tools, and then click Scheduled Tasks. 2 Click Add Scheduled Task. 3 The Scheduled Tasks wizard starts. Click Next. WatchGuard System Manager Activating WebBlocker 4 The screen shows a list of programs. Click Browse. 5 Go to C:\Program Files\WatchGuard\wsm9.1\bin. Select updatedb.bat. 6 Select the time interval at which to do this task. We recommend that you update your database each day. You can update less frequently if you have low bandwidth. Click Next. 7 Type the time and frequency to start the procedure. Because you must stop the WebBlocker Server to do the update, we recommend that you schedule updates outside your usual hours of operation. 8 Select a start date. Click Next. 9 Type the user name and the password to use this procedure. Make sure that this user has access to the necessary files. Click Next. 10 Click Finish. Activating WebBlocker Before you use WebBlocker in an HTTP proxy policy, you must use the Activate WebBlocker wizard to activate the feature and create a basic configuration. To do this: 1 From WatchGuard® System Manager, select the Firebox® to use WebBlocker. 2 Select Tools > Policy Manager. Or, you can click the Policy Manager icon on the WatchGuard System Manager toolbar. 3 From Policy Manager, select Tasks > WebBlocker > Activate. The Activate WebBlocker Wizard starts. 4 Click Next. 5 Click through the wizard and add the information it asks for. The wizard has these screens: User Guide 375 Activating WebBlocker Select policies for WebBlocker This screen does not appear if you have not yet defined any HTTP proxy policies. In this case, the wizard will create an HTTP proxy policy for you. If HTTP proxy policies are already created on your Firebox, this screen shows them in a list. From the list, select the proxy policies you want to enable WebBlocker for. If no policy is selected, a new HTTP proxy policy is created with a WebBlocker action. Identify the WebBlocker Servers You must configure a minimum of one WebBlocker Server. To add a WebBlocker Server, click Add. Next to Server IP, type the IP address of the WebBlocker Server. If necessary, change the port number. You can add more than one WebBlocker Server so the Firebox can fail over to a backup server if it cannot connect to the primary server. The first server in the list is the primary server. To move a server higher in the list, select it and click Move Up. To move it lower, select it and click Move Down. To add a WebBlocker Server after you complete the wizard, go to Setup > Actions > WebBlocker. Click Add, and click the Servers tab. 376 WatchGuard System Manager Activating WebBlocker Select categories to block Select the check box adjacent to the categories of web sites you want to block. To read a description of the category, click on it. The description appears in the box at the bottom of the screen. You can also find a full list and description of all categories in the Reference Guide. Categories are grouped under a main heading. For example, the Computers heading includes Chat, Computing and Internet, Hosting Sites, Remote Proxies, and Web-based Email. If you want to select all the sites under the Computers heading, you can select just the check box next to Computers. All the sites under it are automatically selected. If you want to select only one or a few categories under Computers but not all of them, clear the Computers check box and select only the categories you want to restrict. If you want to block access to web sites that match any category, select Deny All Categories. You can also choose to not use the categories at all and instead use exception rules only to restrict web site access. To do this, do not select any categories. See “Defining WebBlocker Exceptions” on page 381, and make sure you select the Deny website access radio button, as described in the “Defining the action for sites that do not match exceptions” on page 384. To stop users from going to anonymizer web sites to try to avoid WebBlocker, select to block the Remote Proxies category in WebBlocker. User Guide 377 Configuring WebBlocker Configuring WebBlocker After you use the Activate WebBlocker Wizard to activate WebBlocker and create a basic configuration, you can configure more WebBlocker settings. 1 From Policy Manager, select Tasks > WebBlocker > Configure. The Configure WebBlocker dialog box appears and shows the HTTP policies that were already created. 2 Select the policy you want to configure and click Configure. The WebBlocker Configuration dialog box for that policy appears. 378 WatchGuard System Manager Configuring WebBlocker The WebBlocker Configuration dialog box includes tabs to configure WebBlocker Servers, web site categories, WebBlocker exceptions, and advanced settings. Adding new servers You can add more than one WebBlocker Server so the Firebox® can fail over to a backup server if it cannot connect to the primary server. The first server in the list is the primary server. You cannot add more than five WebBlocker Servers to a configuration. 1 To add a server, click Add. The Add WebBlocker Server dialog box appears. 2 Next to Server IP, type the IP address of the WebBlocker Server. If necessary, change the port number. 3 You can change the order of the servers to define the order in which the Firebox fails over to backup servers. To move a server higher in the list, select it and click Move Up. To move it lower, select it and click Move Down. 4 Click OK. Selecting categories to block When you used the Activate WebBlocker wizard, you selected categories of web sites you want to block. Click the Categories tab on this dialog box to make changes to your original configuration. This dialog box is same as the wizard screen described in “Select categories to block” on page 377. The one difference is that categories are grouped under a main heading. For example, the Computers heading includes Chat, Computing and Internet, Hosting Sites, Remote Proxies, and Web-based Email. If you want to select all the sites under the Computers heading, you can select just the check box next to Computers. All the sites under it are automatically selected. If you want to select only one or a few cat- User Guide 379 Configuring WebBlocker egories under Computers but not all of them, clear the Computers check box and select only the categories you want to restrict. Defining advanced WebBlocker options 1 380 To configure advanced WebBlocker options, click the Advanced tab. WatchGuard System Manager Defining WebBlocker Exceptions 2 You can adjust the Cache size setting to improve WebBlocker performance. Use the arrows to change the number of entries in the cache or type in a number. 3 You can set a timeout value and an action to occur when the WebBlocker Server times out. 4 Use the If your Firebox cannot connect to the WebBlocker server in field to set the number of seconds to try to connect to the server before the Firebox times out. 5 If you want to allow the web site if the WebBlocker Server times out, select Allow the user to view the website. To deny access if the server times out, select Deny access to the website. The Firebox attempts to reach the WebBlocker Server even when it is unavailable. If you allow web traffic when the server is unavailable, each user who sends a web request must wait the amount of time in the above field to try to connect to the WebBlocker Server and time out. After this number of seconds, the Firebox allows access to the web site. When the Firebox can connect to the WebBlocker Server again, it will starts to apply WebBlocker rules again. Defining WebBlocker Exceptions You can override a WebBlocker action with an exception. A web site normally denied by WebBlocker can be defined as an exception to allow users to access it. For example, suppose employees in your company frequently use web sites that contain medical information. Some of these web sites are forbidden by WebBlocker because they fall into the sex education category. To override WebBlocker, you write an exception rule that specifies the web site’s IP address or its domain name. You can also write exception rules to deny sites that WebBlocker normally allows. Exception rules apply only to HTTP traffic. If you deny a site with an exception rule, the site is not automatically added to the Blocked Sites list. User Guide 381 Defining WebBlocker Exceptions Components of exception rules Exception rules are based on IP addresses or a pattern based on IP addresses. You can have the Firebox block a URL with an exact match. Usually, it is more convenient to have the Firebox look for URL patterns. The URL patterns do not include the leading "http://". To match a URL path on all web sites, the pattern must have a trailing “/*”. The host in the URL can be the host name specified in the HTTP request, or the IP address of the server. Network addresses are not supported at this time, though you can use subnets in a pattern (for example, 10.0.0.*). For servers on port 80, do not include the port. For servers on ports other than 80, add “ :port”, for example: 10.0.0.1:8080. You can also use a wildcard for the port—for example,10.0.0.1:*—but this does not apply to port 80. Exceptions with part of a URL You can create WebBlocker exceptions with the use of any part of a URL. You can set a port number, path name, or string that must be blocked for a special web site. For example, if it is necessary to block only www.sharedspace.com/~dave because it has inappropriate photographs, you type “www.sharedspace.com/~dave/*”. This gives the users the ability to browse to www.sharedspace.com/~julia, which could contain content you want your users to see. To block URLs that contain the word “sex” in the path, you can type “*/*sex*”. To block URLs that contain “sex” in the path or the host name, type “*sex*”. You can block ports in an URL. For example, look at the URL http://www.hackerz.com/warez/index.html:8080. This URL has the browser use the HTTP protocol on TCP port 8080 instead of the default method that uses TCP 80. You can block the port by matching *8080. Adding exceptions 1 382 To create exceptions to the WebBlocker categories, click the Exceptions tab. WatchGuard System Manager Defining WebBlocker Exceptions 2 Click Add to add a new exception rule. The New WebBlocker Exception dialog box appears. 3 In the Match Type field, select one of these options: Pattern match Pattern matches match a pattern in the URL or address, for example “pattern” in www.pattern.com. Be sure to drop the leading “http://” and include “/* at the end. Use the User Guide 383 Defining WebBlocker Exceptions wildcard symbol, *, to match any character. You can use more than one wildcard in one pattern. For example, the pattern www.somesite.com/* will match all URL paths on the www.somesite.com web site. To enter a network address, use a pattern match that ends in a wildcard. For example, to match all the web sites at 1.1.1.1 on port 8080, set the directory to “*”. Exact match Exact matches match an exact URL or IP address, character by character. You cannot use wildcards, and you must type each character exactly as you want it to be matched. For example, if you enter an exception to allow www.yahoo.com as an exact match only, and a user types “www.yahoo.com/news”, the request is denied. Regular expression Regular expression matches use a Perl-compatible regular expression to make a match. For example, \.[onc][eor][gtm] matches .org, .net, .com, or any other three-letter combination of one letter from each bracket, in order. Be sure to drop the leading “http://” Supports wild cards used in shell script. For example, the expression “(www)?\.watchguard\.[com|org|net]” will match URL paths including www.watchguard.com, www.watchguard.net, and www.watchguard.org. The expression 1.1.1.[1-9] will match all IP addresses from 1.1.1.1 to 1.1.1.9. 4 In the Type field, enter the web site type: URL or Host IP Address. 5 If you chose URL in the previous field, enter the pattern, value, or expression, depending on the value in the Match Type field. If you chose Host IP Address in the previous field, enter the address, port, and directory to be matched. 6 Click OK to close the New WebBlocker Expression dialog box. 7 Click the Action column to get access to the Action drop-down list. Select to have WebBlocker allow or deny the exception. 8 Type a name for the exception in the Name text box. The default name is WB Rule[number]. 9 You can use the drop-down lists for the Match Type and Pattern fields if you want to change the settings you made in the New WebBlocker Exception dialog box. 10 Click the Log check box if you want a log message when an action is taken on a WebBlocker exception. 11 To disable a exception but keep it in your configuration for possible use at a later time, clear the Enabled check box. Defining the action for sites that do not match exceptions In the Use category list section below the list of exception rules, you can configure the action to occur if the URL does not match the exceptions you configure. The default setting is that the Use the WebBlocker category list to determine accessibility radio button is selected, and WebBlocker compares sites against the categories you selected on the Categories tab to determine accessibility. You can also choose to not use the categories at all and instead use exception rules only to restrict web site access. To do this, click the Deny website access radio button. Select the Log the denied action check box below the radio button to send a log message for that action. Changing the order of exception rules The order that the exception rules are listed in the dialog box shows the order in which sites are compared to the rules. WebBlocker compares messages to the first rule in the list and continues in 384 WatchGuard System Manager Defining WebBlocker Exceptions sequence from top to bottom. When a messages matches a rule, WebBlocker performs the related action. It performs no other actions, even if a site matches a rule or rules later in the list. To change the order of rules, select the rule whose order you want to change. Click the Up or Down button to move the rule up or down in the list. Importing or exporting exception rules If you manage several Fireboxes or use WebBlocker with more than one proxy definition, you can import and export exception rules between them. This saves time because you must define the rules only once. You can transfer exception rules between proxies or Fireboxes in two ways. You can write an ASCII file that defines the rules and import it to other Fireboxes or proxies. Or, you can use the WebBlocker user interface to define the exception rules, export the file to an ASCII file, and import that file into another Firebox configuration file or proxy definition. Writing rulesets in an ASCII file You can write rules in a normal ASCII file that uses the standard UTF-8 character set. You must include only one rule per line. The syntax for rules is: [rule_name, action, enabled|disabled, log|no log, match_type,] pattern_value where: rule_name is the name of the rule as it appears in the exception list. The default is WB Rule n. action = Allow or Deny. The default action is Allow. enabled|disabled = Whether the rule is currently enabled or disabled. The default is enabled. log|no log = Specifies whether you want a log message when the action is taken. The default is no log. match_type = Specifies the type of match: exact match, regular expression or pattern match. The default is pattern match. value = value to be matched. The fields enclosed in brackets are optional. If you omit them, the default values are used. To add comments to a file, precede the comment with a number sign (#). Make sure the comment is on its own line. Below is an example exceptions file. # # Here are five exception rules # AllowFB, allow, enabled, No Log,*.firebox.net/* deny, disabled, Log, very.badsite.com/* ExceptionRule1,*.goodsite.com/" exact match, 10.0.0.1 *.xyz.*/ The next section, “Importing an ASCII exceptions file”, shows how the above file would look if imported into WebBlocker. User Guide 385 WebBlocker Actions Importing an ASCII exceptions file 1 From the Exceptions tab of the WebBlocker Configuration dialog box, click Import. 2 Find the ASCII file and click Open. 3 If exceptions are already defined in WebBlocker, you are asked whether you want to replace the existing rules or append the imported rules to the list of existing rules. Click Replace or Append. If you click Append, the imported rules appear in the Exceptions block beneath any existing rules. If you want to change the order of the exception rules, see “Changing the order of exception rules” on page 384. If the example file in the previous section is imported into WebBlocker it appears like this. Exporting rules to an ASCII file When you export exception rules from a proxy definition, the Firebox saves the current rules to an ASCII text file in the format described in “Writing rulesets in an ASCII file” on page 385. 1 From the Exceptions tab of the WebBlocker Configuration dialog box, define exceptions as described in “Adding exceptions” on page 382. 2 Click Export. 3 In the Open dialog box, select where you want to save the exceptions file and click Save. You can now open another HTTP proxy definition in the same or in a different Firebox configuration file and import the exceptions file. WebBlocker Actions The basic configuration you created with Tasks > WebBlocker > Configure is a WebBlocker action—a set of WebBlocker settings—that you can apply to an HTTP proxy definition. You can define additional WebBlocker actions if you want to apply different settings to different proxies. Defining additional WebBlocker actions 1 From Policy Manager, select Setup > Actions > WebBlocker. The WebBlocker Configurations dialog box appears. 386 WatchGuard System Manager WebBlocker Actions 2 Click Add. Or if you want to define a new action based on an existing one, select that action and click Clone. 3 Configure the WebBlocker action as described in “Configuring WebBlocker” on page 378. Adding WebBlocker actions to a policy 1 Double-click the HTTP policy icon to open the Edit Policy Properties dialog box. 2 Select the Properties tab. 3 Click the View/Edit Proxy icon. The HTTP Proxy Action Configuration dialog box appears. 4 From the WebBlocker drop-down list, select the WebBlocker action you want to apply. Scheduling WebBlocker actions You can set an operating schedule for the policy. You can use the predefined settings in the dropdown list or create custom schedules. You use these time periods to set rules for when to block different web sites. For example, you can block sports web sites during usual business hours of operation, but allow users to browse at lunch time, evenings, and weekends. To set a schedule for a policy: 1 Open the policy to edit it, and click the Advanced tab. 2 Select a schedule from the drop-down list, or click the New/Clone icon to make a new schedule. For more information, see “Creating Schedules” on page 82. 3 Configure an HTTP policy that uses the schedule. You can also configure two HTTP policies, but create a schedule for only one of them. Each policy uses one of the HTTP proxy actions. Each of these HTTP proxy actions points to one of at least two WebBlocker actions. User Guide 387 WebBlocker Actions 388 WatchGuard System Manager 25 spamBlocker Unwanted email, also known as spam, fills the average inbox at an astonishing rate. A large volume of spam decreases bandwidth, degrades employee productivity, and wastes network resources. The WatchGuard® spamBlocker option uses industry-leading pattern detection technology from Commtouch to block spam at your Internet gateway and keep it from getting to your email server. About spamBlocker Commercial mail filters use many methods to find spam. Blacklists keep a list of domains that are used by known spam sources or are open relays for spam. Content filters search for key words in the header and body of the email message. URL detection compares a list of domains used by known spam sources to the advertised link in the body of the email message. However, all of these procedures scan each individual email message. Attackers can easily bypass those fixed algorithms. They can mask the sender address to bypass a blacklist, change key words, embed words in an image, or use multiple languages. They can also create a chain of proxies to disguise the advertised URL. spamBlocker uses the Recurrent-Pattern Detection (RPD) solution created by Commtouch to detect these hard-to-find spam attacks. RPD is an innovative method that searches the Internet for spam outbreaks in real time. RPD finds the patterns of the outbreak, not only the pattern of individual spam messages. Because it does not use the content or header of a message, it can identify spam in any language, format, or encoding. To see an example of real-time spam outbreak analysis, visit the Commtouch Outbreak Monitor at: http://www.commtouch.com/Site/ResearchLab/map.asp spamBlocker works with the WatchGuard® POP3 and SMTP proxies to scan your email. If you have not configured the POP3 or SMTP proxy, they are enabled when you configure the spamBlocker service. If you have more than one proxy policy for POP3 or for SMTP, spamBlocker works with all of them. spamBlocker requirements Before you install spamBlocker, you must have: • spamBlocker feature key • SMTP or POP3 email server behind the Firebox® User Guide 389 About spamBlocker • DNS configured on the Firebox that will apply spamBlocker rules. From Policy Manager, select Network > Configuration. Click the WINS/DNS tab and type the IP addresses of the DNS servers your Firebox uses to resolve host names. • Connection to the Internet spamBlocker actions The Firebox uses spamBlocker actions to apply decisions about the delivery of an email message that is spam. spamBlocker can take the following actions: • Allow — Let the email message go through the Firebox normally. • Add subject tag — Let the email message go through the Firebox, but insert text in the subject line of the email message to mark it as spam or possible spam. You can keep the default tags for or you can customize them. See the next section for more information on spamBlocker tags. • Quarantine — (SMTP only) Send the email message to the Quarantine Server. Note that the Quarantine option is supported only if you use spamBlocker with the SMTP proxy. The POP3 proxy does not support this option. For more information on the Quarantine Server, see the “Quarantine Server” chapter in this guide. • Deny — (SMTP only) Stop the email message from being delivered to the mail server. The Firebox sends this 571 SMTP message to the sending email server: “Delivery not authorized, message refused”. Note that the Deny option is supported only if you use spamBlocker with the SMTP proxy. The POP3 proxy does not support this option. • Drop — (SMTP only) Drop the connection immediately. The Firebox does not give any error message to the sending server. Note that the Drop option is supported only if you use spamBlocker with the SMTP proxy. The POP3 proxy does not support this option. spamBlocker tags The Firebox can add spamBlocker tags to the subject line of the email message. You can use the default tags provided, or you can create a custom tag. This example shows the subject line of an email message that was found to be spam. The tag added is the default tag: ***SPAM***. Subject: ***SPAM*** Free auto insurance quote This example shows a custom tag: [SPAM] Subject: [SPAM] You've been approved! spamBlocker categories The Commtouch Recurrent-Pattern Detection (RPD) solution classifies spam attacks in its Anti-Spam Detection Center database according to severity. spamBlocker queries this database and assigns a category to each email message. spamBlocker has three categories: Confirmed spam, Bulk, and Suspect. spamBlocker assigns email messages to these categories based on the number of patterns found in the email message. 390 • The Confirmed spam category includes email messages that come from known spammers. We recommend you use the Deny action for this type of email if you use spamBlocker with the SMTP proxy; Add subject tag if you use spamBlocker with the POP3 proxy. • The Bulk category includes email messages that do not come from known spammers, but do match some known spam structure patterns. We recommend that you use the Add subject tag action for this type of email, or the Quarantine action if you use spamBlocker with the SMTP proxy. WatchGuard System Manager Installing the spamBlocker Feature Key The Suspect category includes email messages that look like they could be associated with a new spam attack. Frequently, these messages are legitimate email messages. We recommend that you use the Allow action for this type of email. • Installing the spamBlocker Feature Key To install spamBlocker, you must have a spamBlocker feature key and register it on the LiveSecurity® web site. After you register it, LiveSecurity gives you a new Firebox® key that contains the spamBlocker feature key. To install this feature key: 1 From Policy Manager, select Setup > Feature Keys. The Firebox Feature Keys dialog box appears. 2 Expand Feature Keys to see the current features key, which consists of 16 alphanumeric characters. Select it. 3 Click Remove to remove the current feature key. You must remove the entire feature key before you install the new one that includes spamBlocker. 4 Click Add. 5 In the Add Firebox Feature Key dialog box, type or paste your feature key. You can click Import to find it on your computer or network. Click OK. The feature key appears on the Firebox Feature Keys dialog box. Activating spamBlocker You use a wizard to enable the spamBlocker feature in the SMTP proxy, the POP3 proxy, or both. You can also use this wizard to add a new SMTP proxy or POP3 proxy to your Firebox configuration with spamBlocker enabled. 1 Make sure you have met all requirements for spamBlocker, as described in “spamBlocker requirements” on page 389. 2 From WatchGuard® System Manager, select the Firebox® that will use spamBlocker. User Guide 391 Activating spamBlocker 3 Select Tools > Policy Manager or click the Policy Manager icon on the WatchGuard System Manager toolbar. 4 From Policy Manager, select Tasks > spamBlocker > Activate. The Activate spamBlocker wizard starts. 5 Click through the wizard and add the information it asks for. The wizard has either one or two screens depending on how your Firebox is currently configured. Apply spamBlocker settings to your policies This screen appears if you already have one or more SMTP or POP3 policies defined on your Firebox. From the list, select the proxy policies for which you want to enable spamBlocker. The Select check box for any policies that have spamBlocker already enabled is dimmed. Create new proxy policies This screen appears if your Firebox does not yet have policies created for either SMTP or POP3, or if your Firebox has either SMTP or POP3 but not both. The wizard will create one or both of these policies for you. For either policy, you must have at least one external interface with a static IP address. - To create a POP3 policy, select the POP3 check box. - To create an SMTP policy, select the Incoming SMTP check box. Enter the email server IP address. - The SMTP policy created by this wizard contains “Any-External” for the From field and a static NAT entry for the To field. The static NAT entry uses the first static external IP address configured on the Firebox. It enables static NAT for the email server IP address you enter in the wizard. If this default static NAT SMTP policy is not the best choice for your organization, you can use Policy Manager to create an SMTP policy before you use the wizard. - You can click the check box at the bottom of the screen to begin to configure spamBlocker, as described in the next section. 392 WatchGuard System Manager Configuring spamBlocker Configuring spamBlocker After you use the Activate spamBlocker Wizard to activate spamBlocker, you can set other configuration parameters. 1 If you did not click the check box in the previous procedure to begin to configure spamBlocker, you can do this from Policy Manager. Select Tasks > spamBlocker > Configure. The spamBlocker dialog box appears with a list of the SMTP and POP3 proxies on your Firebox and whether spamBlocker is enabled for each one. 2 Select the policy you want to configure and click Configure. The spamBlocker Configuration page for that policy appears. User Guide 393 Configuring spamBlocker 394 3 Set the actions spamBlocker applies for each category of email in the drop-down lists next to Confirmed spam, Bulk, and Suspect. For information on spamBlocker actions, see “spamBlocker actions” on page 390. If you select Add subject tag for any category, you change the default tag that appears in the text box to the right of the drop-down list. For more information on spamBlocker tags, see “spamBlocker tags” on page 390. 4 If you want to record a log message each time spamBlocker takes an action, select the Send log message check box for the action. If you do not want to record log messages for an action, clear this check box. 5 The When the spamBlocker server is unavailable, access to POP3/SMTP email is check box specifies how the Firebox handles incoming email when the spamBlocker server is down. We recommend you use the default Allowed action. If you configure spamBlocker to deny POP3 or SMTP email when it cannot contact the spamBlocker server, it causes a conflict with Microsoft Outlook. When Outlook starts a connection to the email server, spamBlocker tries to contact the spamBlocker server. If the spamBlocker server is not available, spamBlocker stops the email download. When this happens, a cycle starts. Outlook tries to download email and spamBlocker stops the download. This continues until the Firebox can connect to the spamBlocker server, until the request is dropped because the proxy times out, or until you cancel the request. If you set this option to Denied with the SMTP proxy, the Firebox sends this 450 SMTP message to the sending email server: “Mailbox is temporarily unavailable.” 6 The Send log message for each email classified as not spam check box specifies whether a message is added to the log if an email message is scanned by spamBlocker but is not WatchGuard System Manager Using spamBlocker Exception Rules designated as Confirmed Spam, Bulk, or Suspect. Select this check box if you want to add a message to the log in this situation. 7 (Optional) Add spamBlocker exception rules, as described in the next section. 8 Click OK. If you have any perimeter firewall between the Firebox that uses spamBlocker and the Internet, it must not block HTTP traffic. The HTTP protocol is used to send requests from the Firebox to the spamBlocker server. Using spamBlocker Exception Rules You can create an exception list to the general spamBlocker actions that is based on the sender’s address. For example, if you want to allow a newsletter that spamBlocker identifies as Bulk email, you can add that sender to the exception list and use the Allow action regardless of the spamBlocker category the sender is assigned to. Or, if you want to apply a tag to a sender that spamBlocker designates as safe, you can add that to the exceptions list as well. You can also add exception rules by writing them in an ASCII file and importing them into your Firebox configuration, as described in “Writing rulesets in an ASCII file” on page 396 and “Importing an ASCII exceptions file” on page 396. Adding spamBlocker exception rules 1 From the Exceptions block of the spamBlocker Configuration dialog box, click Add. The Add Exception Rule dialog box appears. 2 Select a rule action: Allow, Add subject tag, Quarantine, Deny, or Drop. (Remember that the POP3 proxy supports only the Allow and Add subject tag actions in spamBlocker.) 3 Type a sender, recipient, or both. You can type the full email name or use wildcards. Make sure you use the sender’s actual address that is listed in the “Mail-From” field in the email message header, which may not match the address in the “From:” field that you see at the top of the email message. To get the actual address for an exception, get the full email message header (from Microsoft Outlook, with the message open, select View > Options and look in the Internet headers box). The addresses of the sender and recipient are in these lines: X-WatchGuard-Mail-From: X-WatchGuard-Mail-Recipients: Use care when you add wildcards to an exception. Spammers can spoof header information. The more specific the addresses in your exception list, the more difficult it will be to spoof them. User Guide 395 Using spamBlocker Exception Rules Changing the order of exception rules The order that the exception rules are listed in the dialog box shows the order in which email messages are compared to the rules. The proxy compares messages to the first rule in the list and continues in sequence from top to bottom. When a message matches a rule, the Firebox performs the related action. It performs no other actions, even if the message matches a rule or rules later in the list. To change the order of rules, select the rule whose order you want to change. Click the Up or Down button to move the rule up or down in the list. Importing or exporting exception rules If you manage several Fireboxes or use spamBlocker with more than one proxy definition, you can import and export exception rules between them. This saves time because you must define the rules only once. You can transfer exception rules between proxies or Fireboxes in two ways. You can write an ASCII file that defines the rules and import it to other Fireboxes or proxies. Or, you can use the spamBlocker user interface to define the exception rules, export the file to an ASCII file, and import that file into another Firebox configuration file or proxy definition. Writing rulesets in an ASCII file You can write rules in a normal ASCII file that uses the standard UTF-8 character set. You must include only one rule per line. The syntax for rules is: [action, <tag>,] sender [, recipient] where: action = Allow, Add subject tag <tag>, Quarantine, Deny, or Drop. (Quarantine, Deny, and Drop are not supported by the POP3 proxy.) The default action is Allow. tag = The identifier you want to add to the email messages. The identifier must be enclosed in angle brackets. sender = Email address ([email protected]) or pattern (*@firebox.net). The default is all senders. recipient = Email address ([email protected]) or pattern (*@firebox.net). The default is all recipients. The fields enclosed in brackets are optional. If you omit them, the default values are used. To add comments to a file, precede the comment with a number sign (#). Make sure the comment is on its own line. Here is an example of a spamBlocker exception rules file: # allow all email from firebox.net *@firebox.net # use **SPAM** tag on all email from xyz.com Add subject tag, <**SPAM**>, *@xyz.com # deny all email from unknown.com to [email protected] Deny, *@unknown.com, [email protected] Importing an ASCII exceptions file 396 1 From the Exceptions block of the spamBlocker Configuration dialog box, click Import. 2 Find the ASCII file and click Open. WatchGuard System Manager Using spamBlocker Exception Rules 3 If exceptions are already defined in spamBlocker, you are asked whether you want to replace the existing rules or append the imported rules to the list of existing rules. Click Replace or Append. If you click Append, the imported rules appear in the Exceptions block under any existing rules. If you want to change the order of the exception rules, see “Changing the order of exception rules” on page 396. If you import a rule with the Deny exception into the POP3 proxy, you will get an error message. If you import a rule with the Quarantine action into the POP3 proxy, it is converted to Allow. Exporting rules to an ASCII file When you export exception rules from a proxy definition, the Firebox saves the current rules to an ASCII text file in the format described in “Writing rulesets in an ASCII file” on page 396. 1 From the Exceptions block of the spamBlocker Configuration dialog box, define exceptions as described in “Adding spamBlocker exception rules” on page 395. 2 Click Export. 3 In the Open dialog box, select where you want to save the exceptions file and click Save. You can now open another SMTP or POP3 proxy definition in the same or in a different Firebox configuration file and import the exceptions file. Logging exceptions Select the Send log message for each email that matches one of the above exceptions check box if you want a message written to the log each time an email message matches an exception rule. User Guide 397 Setting Global spamBlocker Parameters Setting Global spamBlocker Parameters You can use global spamBlocker settings to optimize spamBlocker for your own installation. Because most of these parameters affect the amount of memory that spamBlocker uses on the Firebox®, you must balance good spamBlocker performance with the needs of other Firebox functionality. 1 From the spamBlocker dialog box, click Settings. The spamBlocker Settings dialog box appears. 398 2 spamBlocker creates a thread for each message it processes. The thread includes information about the message that is used to generate its spam score. spamBlocker sets a default maximum number of threads that can be simultaneously buffered according to your Firebox appliance model. You can use the Maximum number of threads field to increase or decrease this value. If the amount of traffic handled by your proxy policies is low, you can increase the number of supported threads for spamBlocker without affecting performance. If you have memory problems related to your use of proxies on the Firebox, you might want to decrease the value in this field. 3 Use the Maximum file size to scan field to set the number of bytes of an email message to be passed to spamBlocker to be scanned. Usually, 20–40K is sufficient for spamBlocker to correctly detect spam. However, if image-based spam is a problem for your organization, you can increase the maximum file size to block more image-based spam. 4 In the Cache size field, enter the number of entries spamBlocker caches locally for messages that have been categorized as spam and bulk. A local cache can improve performance because no network traffic to Commtouch is required. Usually, you do not have to change this value. You can set the Cache size field to 0 to force all email to be sent to Commtouch. This is generally used only for troubleshooting. 5 Clear the Enabled check box next to Proactive Patterns if you want to disable the Commtouch CTEngine Proactive Patterns feature. This feature is automatically enabled on e-Series and WatchGuard System Manager Setting Global spamBlocker Parameters Firebox X Peak models. It requires large amounts of disk space while the local database is updated. If you have limited memory or processor resources, consider disabling this feature. 6 The Connection string override text box is used only when you must troubleshoot a spamBlocker problem with a technical support representative. Do not change this value unless you are asked to give additional debug information for a technical support problem. 7 (Optional) Define an HTTP proxy server and add trusted email forwarders, as described in the next two sections. 8 Click OK. Using an HTTP proxy server Select the Contact the spamBlocker server using an HTTP proxy server check box if spamBlocker must use an HTTP proxy server to connect to the CommTouch server through the Internet. Use the remaining fields in this dialog box to set up parameters for the proxy server, which include the address of the proxy server, the port the Firebox must use to contact the proxy server, and authentication credentials for the Firebox to use for proxy server connections (if required by the proxy server). Adding trusted email forwarders Part of the spam score for an email message is calculated using the IP address of the server that the message was received from. If an email forwarding service is used, the IP address of the forwarding server is used to calculate the spam score. Because the forwarding server is not the initial source email server, the spam score can be inaccurate. User Guide 399 Setting Global spamBlocker Parameters To improve spam scoring accuracy, you can enter one or more host names or domain names of email servers that you trust to forward email to your email server. With this feature, spamBlocker ignores the trusted email forwarder in the email message headers. The spam score is calculated using the IP address of the source email server. To add trusted email forwarders, on the spamBlocker Settings dialog box, click the Trusted Email Forwarders tab. Type a host or domain name in the text field at the bottom of the dialog box and click Add. If you add a domain name, make sure you add a leading period (.) to the name, as in .firebox.net. 400 WatchGuard System Manager Creating Rules for Bulk and Suspect Email on Email Clients Creating Rules for Bulk and Suspect Email on Email Clients Many network administrators allow email that is not confirmed as spam to be delivered to the email recipient. They set up rules in their email client software to have any email tagged and put into a special folder on the email client. The procedure below gives instructions on how to configure the Microsoft Outlook email client. For information about how to use this procedure on other types of email clients, look at the user documentation for those products. If you use spamBlocker with the SMTP proxy, you can have spam email sent to the Quarantine Server. For more information on the Quarantine Server, see the “Quarantine Server” chapter in this guide. Sending spam or bulk email to special folders in Outlook This procedure shows you the steps to create rules for bulk and suspect email in Microsoft Outlook. You can have email with a “spam” or “bulk” tag delivered directly to special folders in Outlook. When you create these folders, you keep possible spam email out of your usual Outlook folders, but you can get access to the email if it becomes necessary. If you use another email client, check your user documentation for that product. Before you start, make sure that you set the action for confirmed spam and bulk email to Add Subject Tag. You can use the default tags, or create custom tags. The steps below describe how to create folders with the default tags. 1 From your Outlook Inbox, select Tools > Rules and Alerts. 2 Click New Rule to start the Rules wizard. 3 Select Start from a blank rule. 4 Select Check messages when they arrive. Click Next. 5 Select the condition check box: when specific words in the subject. Then, in the bottom pane, edit the rule description by clicking on the specific words. In the Search Text dialog box, type the spam tag as ***SPAM***. If you use a custom tag, type it here instead. Click Add. Click OK. 6 Click Next. 7 The wizard asks what you want to do with the message. Select the move it to the specified folder check box. Then, in the bottom pane, click the word specified to select the destination folder. 8 In the Choose a Folder dialog box, click New. In the folder name field, type Spam. Click OK. 9 Click Next two times. 10 To finish the rule setup, type a name for your spam rule. Click Finish. 11 Click Apply. 12 Repeat these steps to create a rule for bulk email, using the bulk email tag. You can send bulk email to the same folder, or create a separate folder for bulk email. User Guide 401 Reporting False Positives and False Negatives Reporting False Positives and False Negatives A false positive email message is a legitimate message that spamBlocker incorrectly identifies as spam. A false negative email message is a spam message that spamBlocker does not correctly identify as spam. If you find a false positive or false negative email message, you can report the classification error directly to Commtouch. You must have access to the email message to submit the report. For information on how to submit a report for a false positive or false negative, see the spamBlocker section of the product FAQs available at: www.watchguard.com/support/faqs/fireware/ You must log in with your LiveSecurity Service user name and passphrase. Monitoring spamBlocker Activity You can use Firebox® System Manager to monitor spamBlocker activity. 1 From WatchGuard® System Manager, select the Firebox whose spamBlocker activity you want to monitor. 2 Select Tools > Firebox System Manager. Or, you can click the Firebox System Manager icon on the WatchGuard System Manager toolbar. 3 From Firebox System Manager, click the Security Services tab. The counters for spamBlocker appear at the bottom of the screen. If you reboot the Firebox, all counters reset to zero. Customizing spamBlocker Using Multiple Proxies You can configure more than one SMTP or POP3 proxy service to use spamBlocker. This lets you create custom rules for different groups in an organization. For example, you can allow all email to your management and use a spam tag for the marketing team. If you want to use more than one proxy service with spamBlocker, your network must use one of these configurations: 402 • Each proxy policy must send email to a different internal email server. or • You must set the external source or sources that can send email for each proxy policy. WatchGuard System Manager 26 Quarantine Server The WatchGuard® Quarantine Server provides a safe, full-featured quarantine mechanism for spam, bulk mail, and any email messages suspected to be spam. This repository receives email messages from the SMTP proxy and filtered by spamBlocker. Granular control allows you to configure preferences for mail disposition, storage allocations, and other parameters. The Quarantine Server operates only with the SMTP proxy and spamBlocker. If you do not use spamBlocker, or if you use spamBlocker with the POP3 proxy and not the SMTP proxy, you cannot use the Quarantine Server. About the Quarantine Server The Quarantine Server provides tools for both users and administrators. Users get periodic email messages from the Quarantine Server that tell them they have email stored on the Quarantine Server. Users can then click a URL in the email message to go to the Quarantine Server. On the Quarantine Server, they see the sender and the subject of the suspicious email messages. They can release any email messages they choose to their email inbox and delete the others. Administrators can configure the Quarantine Server to automatically delete future messages from a specific domain or sender, or those that contain specific text in the subject line. You can see statistics on Quarantine Server activity, such as the number of messages quarantined during a specific range of dates or the number of suspected spam messages. The Quarantine Server has several classifications for quarantined messages: • Suspected spam: Could be spam, but not enough information to decide. • Confirmed spam: Definitely spam. • Bulk: The message is part of a commercial bulk mailing. User Guide 403 Starting the Quarantine Server Starting the Quarantine Server To start the Quarantine Server, you install server components for WatchGuard® System Manager and then run the Quarantine Server Setup Wizard. Installing server components When you run the WatchGuard System Manager Installation application, you are asked which client and server components you want to install. Under server components, make sure you select to install the Quarantine Server. Running the setup wizard The Quarantine Server and the WatchGuard Management Server share the same master passphrase and server manager passphrase (called the Management Server passphrase if you define it when you set up the Management Server.). If you set up the Management Server first, you do not have to set the passphrase again when you set up the Quarantine Server. If you have used the Management Server Setup Wizard or the Quarantine Server Setup Wizard, and try to run the Quarantine Server Setup Wizard again, the wizard sets up the Quarantine Server with no input required. 1 Right-click the Quarantine Server icon in the System Tray and select Start Service. The Quarantine Server Setup Wizard starts. If you have already set up a Management Server If you have already run the Management Server Setup Wizard to set up and start the Management Server, the Quarantine Server Setup Wizard shows only a screen that tells you the wizard is configuring your server. You can then go to the next section, “Entering the Server Location.” If you have not set up a Management Server If you have not yet run the Management Server wizard to start the Management Server, the Quarantine Server Setup Wizard shows the screens listed below. Click through the wizard and add the information it asks for. Create a master passphrase The master passphrase encrypts all Management Server data. Create a server manager passphrase You will be prompted for this passphrase whenever you click a menu choice to configure the server and its users. Identify your organization name The Quarantine Server Setup Wizard is complete You can now define the server location, as described in the next section. Entering the server location You must tell the Firebox® where the Quarantine Server is located. The Firebox will send spam email messages to this location. 1 From Policy Manager, select Tasks > Quarantine Server. The Quarantine Server dialog box appears. 404 WatchGuard System Manager Configuring the Quarantine Server 2 Enter the IP address for the Quarantine Server. We do not recommend that you change the Quarantine Server port unless you are working with a technical support representative to troubleshoot a specific problem. 3 To send all email messages that spamBlocker handles to the Quarantine Server, select the Enable debugging for SMTP check box. If an email message is not handled by spamBlocker because it matches a spamBlocker exception, it is not sent to the Quarantine Server. 4 If you want to cancel the changes you made in this dialog box and return to the default entries, click the Restore Defaults button. Configuring the Quarantine Server When you configure the Quarantine Server, you set or change the default values for: • Server size • When to delete or how long to keep messages • The message sent to users that tells them they have messages on the Quarantine Server • Rules that determine messages to automatically delete To bring up the Quarantine Server Configuration dialog box: 1 Right-click the Quarantine Server icon and select Configure. 2 Type the server management passphrase. This is the server management passphrase you created in the second screen of the Quarantine Server Setup Wizard or when you configured your Management Server. The Quarantine Server Configuration dialog box appears. User Guide 405 Configuring the Quarantine Server 3 Follow the directions in the sections below for information on the four tabs in this dialog box. Setting general server parameters 1 To change the default maximum database size of 10000 MB, enter a new value in the Maximum database size field. The current database size and available space appear to the right of this field. When the Quarantine Server runs out of drive space, it refuses to accept new messages and drops any subsequent spam email messages it receives. 2 You can specify that you want to be warned when the database approaches its limit. Select the Send a warning if the database reaches the warning threshold check box. Use the arrows to specify the warning threshold, and enter the email address of the person to receive the warning in the Send warning message to field. For example, if you select the check box, use the default warning threshold of 90%, and use the default maximum database size of 10000 MB, the Quarantine Server sends the warning message when 9000 MB have been used and only 1000 MB are available. 3 In the Outgoing email server field, enter the address of the outgoing SMTP email server. 4 If your email server requires authentication, select the User login information for the email server check box and type the user name and password for the email server. If the user name and password are not required for your SMTP server, keep the fields blank. Configuring the expiration settings 1 406 From the Quarantine Server Configuration dialog box, click the Expiration Settings tab. WatchGuard System Manager Configuring the Quarantine Server 2 In the Retain messages for field, specify the number of days to maintain messages on the Quarantine Server. 3 In the Delete expired messages at field, enter the time of day to delete expired messages after the period of time in the previous field. Adding and removing user domains The Expiration Settings tab of the Quarantine Server Configuration dialog box shows the domain names for which the Quarantine Server will accept email messages. Only users in the domains that are in the list can have messages sent to the Quarantine Server for them. Messages sent to users that are not in one of these domains are deleted. 1 To add or remove a domain name from the server, click Update. The Add Domains dialog box appears. User Guide 407 Configuring the Quarantine Server 2 To add a domain, type it in the top field and click Add. To remove a domain, select it from the list and click Remove. Configuring the notification settings Users receive periodic email messages on their email client that include a list of the messages currently stored for them on the Quarantine Server. You can specify the account from which these messages are sent. You can also specify the title and body of the message. You can configure the interval for which the Quarantine Server sends notifications, although it cannot be more than once a day. You can also set the hour and minute of the day. 1 From the Quarantine Server Configuration dialog box, click the User Notification Settings tab. 2 In the Send email from field, type the full email address of the account you want to send from. 3 In the Subject field, enter a name for the subject of the notification messages. The default is “WatchGuard Quarantine Server Notification.” 4 In the Body field, type the body of the notification message. You can use either plaintext or HTML to specify the message body. 5 Next to Send user notification, enter a time interval for notification and the time of day you want the notifications sent. 6 If you want to immediately send notifications to all users, click Send Now. Some email readers might flag the notification message sent by the Quarantine Server as a “scam” or phishing attempt. This is because these readers classify any URL that uses an IP address as suspect. The URL that gives users access to the Quarantine Server includes the IP address of the Quarantine Server instead of a host name. 408 WatchGuard System Manager Configuring the Quarantine Server Configuring rules You set up rules to automatically remove certain messages if they come from a specific domain or sender, or if they contain specific text strings in the subject line. Note the following restrictions on modifying rules: • Rules do not support wildcards. For example, you cannot enter the rule “Auto-Remove messages from *.gov” to auto-remove all domains with the .gov extension. • When you remove a domain, sender, or string, the Quarantine Server deletes only subsequent email messages that match this rule. It does not delete current messages in the database. • Rules that auto-block messages with a specific text string apply only to text in the subject line. If the specified text is contained in the body of the message, but not in the subject line, the message is not removed. To modify rules: 1 From the Quarantine Server Configuration dialog box, click the Rules tab. 2 To modify a rule, select it. The description of the rule appears in the Rules Description block. 3 Click the underlined words in the rule to add a specific domain, sender, or text string in the subject line. The Edit AutoRemove Rule dialog box appears. User Guide 409 Managing Messages 4 To add a new domain, sender, or string, type it in the top box and click Add. To remove a domain, sender, or string, select it in the bottom box and click Remove. Managing Messages You can see all messages on the Quarantine Server in a dialog box. You can sort messages by user, quarantine status, sender, subject, and date/time received. You can only have one Quarantine Server dialog box open at a time in this release of WatchGuard System Manager. After you are done with one Quarantine Server dialog box, you must close it before you open a new one. 1 Right-click the Quarantine Server icon and select Manage Messages. 2 Type the server management passphrase. The Quarantine Server Message and User Management dialog box appears. 410 WatchGuard System Manager Managing Messages Setting viewing options You can use the Filter By drop-down list to see all messages or only those with a particular quarantine status. To see the body of a message, select the View message body check box. Select any message. A second pane appears at the bottom of the dialog box that shows the message body. You can also select any message and select Edit > View Message Body or right-click any message and select View Message Body. Saving messages If you want to keep a message on the Quarantine Server, you save it to a file. 1 On the Messages tab of the Quarantine Server Message and User Management dialog box, select the message you want to save. You can save only one message at a time. 2 Select File > Save As. or Right-click the message and select Save As. or Click the Save Selected Message icon. User Guide 411 Managing Users 3 Browse to the location where you want to save the file. Click Save. Manually deleting messages 1 On the Messages tab of the Quarantine Server Message and User Management dialog box, select the message or messages you want to delete. To select a range of messages, click the first in the range, press the Shift key, and click the last message in the range. To select multiple messages that are not in a range, hold down Ctrl as you select messages. To select all messages, select Edit >Select All. Or, right-click any message and select Select All. 2 Select Edit > Delete. or Right-click the message and select Delete. or Click the Delete Message(s) icon. Automatically deleting messages You can specify to automatically delete all future email messages from a particular domain or sender, or that contain certain text in the subject line. All subsequent email to any user with this characteristic is automatically deleted before it is sent to the Quarantine Server. 1 On the Messages tab of the Quarantine Server Message and User Management dialog box, select the message or messages associated with the characteristic you want to automatically delete. To select a range of messages, click the first in the range, press the Shift key, and click the last message in the range. To select multiple messages that are not in a range, hold down Ctrl as you select messages. To select all messages, select Edit >Select All. Or, right-click any message and select Select All. 2 Select Edit > Auto-Remove > Sender Domain or Edit > Auto-Remove > Sender, or Edit > Auto-Remove > Subject. or Right-click and select Auto-Remove > Sender Domain, Auto-Remove > Sender, or AutoRemove > Subject. or Use the equivalent icons. Managing Users You add, delete, and configure users from the Users tab of the Quarantine Server Message and User Management dialog box. This dialog box shows: 412 • Email addresses of users that can have email messages sent to the Quarantine Server. • Whether users are notified when they have email on the Quarantine Server. • Whether users are validated or unvalidated. A user is validated when he or she gets a message in an email client about messages on the Quarantine Server, and the user clicks the link to go to the Quarantine Server. Many “users” shown on the Quarantine Server will never be validated because the email address is created by a spammer and does not match an actual user. WatchGuard System Manager Managing Users The number of messages currently on the Quarantine Server that are addressed to that user. If you want to see only validated or unvalidated users, from the Filter by drop-down list, select Validated Users or Unvalidated Users. • Adding users Users are automatically added when messages are sent to the Quarantine Server for them. Use this procedure to manually add users: 1 From the Quarantine Server Message and User Management dialog box, click the Users tab. Select Edit > Add User. The Add User dialog box appears. 2 User Guide Type the full email address of the user such as [email protected]. 413 Getting Statistics on Quarantine Server Activity 3 Select the Send notification for this user or Do not send notification radio button to specify whether you want the user to be notified whenever the Quarantine Server receives a message for him or her. Click OK. Removing users 1 From the Quarantine Server Message and User Management dialog box, click the Users tab. 2 Select the user you want to delete and select Edit > Delete. Or, click the Remove User icon, as shown below. If you remove a user, all email messages stored on the Quarantine Server for that user are also deleted. Changing notification option for a user You can set or change whether you want to notify users when they have email messages on the server. 1 From the Quarantine Server Message and User Management dialog box, click the Users tab. 2 Select the user and select Edit > Notify User > Yes to notify the user. Or, click the Turn Notification On icon, as shown below. 3 Select the user and select Edit > Notify User > No if you do not want to notify the user. Or, click the Turn Notification Off icon, as shown below. Getting Statistics on Quarantine Server Activity You can only have one Quarantine Server dialog box open at a time in this release of WatchGuard System Manager. After you are done with one Quarantine Server dialog box, you must close it before you open a new one. 1 Right-click the Quarantine Server icon and select View Statistics. 2 Type the server management passphrase. The Quarantine Server Statistics dialog box appears. 414 WatchGuard System Manager Getting Statistics on Quarantine Server Activity Viewing statistics from specific dates You can limit the statistics to those from a specific range of dates: 1 From the Quarantine Server Statistics dialog box, select the Select dates radio button. 2 Type the start and end dates in the From and To fields. Viewing specific types of messages You can specify whether you want to see statistics only for messages that are suspected spam, confirmed spam, or part of bulk mailings. Select the Select only these messages radio button and then choose the type or types of messages you want to see. Grouping data By default, only summary data is shown. You can specify that you want the data grouped by month, week, or day. 1 From the Quarantine Server Statistics dialog box, select the Break the data into groups radio button. 2 Select either the By Month, by Week, or By Day radio button. User Guide 415 Getting Statistics on Quarantine Server Activity Exporting and printing statistics To export Quarantine Server statistics to a Microsoft Excel spreadsheet (.xls format): • From the Quarantine Server Statistics dialog box, select File > Export to Excel. To export Quarantine Server statistics to comma-separated values (CSV) format: • From the Quarantine Server Statistics dialog box, select File > Export to Csv. To print Quarantine Server statistics: • 416 From the Quarantine Server Statistics dialog box, select File > Print. WatchGuard System Manager 27 Signature-Based Security Services Hackers use many methods to attack computers on the Internet. These attacks (called intrusions in this chapter) are created to cause damage to your network, get sensitive information, or use your computers to attack other networks. WatchGuard® offers the Gateway AntiVirus/Intrusion Prevention Service (Gateway AV/IPS) that can work with WatchGuard proxy policies to identify and stop a possible intrusion. When a new virus or intrusion is identified, the features that make the virus or intrusion unique are recorded. These recorded features are known as the signature. Gateway AV/IPS uses these signatures to find viruses and intrusions. WatchGuard cannot guarantee that the product can stop all viruses or intrusions, or prevent damage to your systems or networks from a virus or intrusion. Installing and Updating Security Services To install Gateway AntiVirus and Intrusion Prevention Service, you must get a feature key for each of them and add the feature keys to the Firebox. For information on how to do this, see “Working with Feature Keys” on page 61. New viruses and intrusion methods appear on the Internet frequently. To make sure that Gateway AV/IPS gives you the best protection, you must update the signatures frequently. You can configure the Firebox® to update the signatures automatically from WatchGuard, as described in “Configuring the update server” on page 424. You can also update the signatures manually, as described in “Updating signatures or engines manually” on page 434. About Gateway AntiVirus WatchGuard® Gateway AntiVirus (Gateway AV) stops viruses before they get to computers on your network. Gateway AV operates with the WatchGuard SMTP, POP3, HTTP, FTP, and TCP proxies. When you enable Gateway AV, the SMTP, POP3, HTTP, FTP, or TCP proxy looks at various types of traffic and performs an action that you specify, such as dropping the connection or blocking the packet and adding its source address to the Blocked Sites list. User Guide 417 Activating Gateway AntiVirus Gateway AntiVirus scans different types of traffic according to which proxy or proxies you use the feature with: • If you enable Gateway AntiVirus with the SMTP or POP3 proxy, it finds viruses encoded with frequently used email attachment methods. These include base64, binary, 7-bit, 8-bit encoding, and uuencoding. • If you enable Gateway AntiVirus with the HTTP proxy, it finds viruses in web pages that users try to download. • Gateway AntiVirus works with the TCP proxy to scan HTTP traffic on dynamic ports. It recognizes that traffic and forwards it to the default or user-defined HTTP proxy to perform antivirus scanning. • If you enable Gateway AntiVirus with the FTP proxy, it finds viruses in uploaded or downloaded files. Each proxy that uses Gateway AntiVirus is configured with options that are special to that proxy. For example, if you use Gateway AntiVirus with the FTP proxy, you can limit file scanning up to a specified kilobyte count. Signatures for Gateway AV are not automatically updated by default. To make sure Gateway AV has current signatures, either enable automatic updates for the Gateway AV server, (as described in “Configuring the update server” on page 424) or use the Security Services tab of Firebox System Manager to manually update the signatures. Activating Gateway AntiVirus You can activate Gateway AntiVirus in two ways: with the Activate Gateway AntiVirus wizard or through the definitions of proxies you want to use with the feature. When you use the Activate Gateway AntiVirus wizard, you can create proxies in one step and enable Gateway AntiVirus for several proxies at the same time. If you plan to use Gateway AntiVirus for more than one proxy, you may save time if you use the wizard. Activating Gateway AV with a wizard 418 1 From WatchGuard® System Manager, select the Firebox® on which you want to use Gateway AntiVirus. 2 Select Tools > Policy Manager. Or, click the Policy Manager icon on the WatchGuard System Manager toolbar. WatchGuard System Manager Activating Gateway AntiVirus 3 From Policy Manager, select Tasks > Gateway AntiVirus > Activate. The Activate Gateway AntiVirus wizard starts. 4 Click Next. 5 Complete the wizard. The wizard shows different screens depending on whether you already have proxy policies in your configuration. If you do not, the wizard helps you create one or more proxy policies. The wizard has some or all of following screens depending on your current configuration. Apply Gateway AntiVirus settings to your policies This screen includes a list of proxy policies that are already on your Firebox. From the list, select the proxy policies for which you want to enable Gateway AntiVirus. The Select check boxes for any policies that are disabled or that have Gateway AntiVirus already enabled appear dimmed. You can also automatically enable Gateway AntiVirus for the SMTP, POP3, HTTP, FTP, or TCP proxies if you change settings in the proxy definition, as described in the “Activating Gateway AV from proxy definitions” section, below. User Guide 419 Activating Gateway AntiVirus Create new proxy policies This screen appears if your Firebox does not yet have policies created for Incoming SMTP, POP3, TCP, FTP, or HTTP Client. To create a policy, select the corresponding check box. If you select SMTP, enter the mail server IP address. If you select to create an SMTP policy, the wizard creates a default SMTP policy, which is a static NAT policy. To create this default SMTP policy, you must have at least one external interface with a static IP address or PPPoE. Only one policy is created even if you have more than one external interface. The To field of the policy is a static NAT entry (the static IP address of the first external interface to the specified mail service IP address). If this default policy does not meet your requirements, you can create an SMTP policy in Policy Manager before you run this wizard. Activating Gateway AV from proxy definitions You can activate Gateway AntiVirus from proxy definitions instead of the Activate Gateway AntiVirus wizard. 420 1 Add an SMTP, POP3, HTTP, FTP, or TCP proxy you want to use with Gateway AntiVirus. For information on how to add policies, see the “Policies” chapter. For information on special procedures for defining proxies, see the “Proxy Policies” chapter. 2 Gateway AV can scan traffic that matches rules in several categories for each proxy. For example, for the SMTP and POP3 proxies, Gateway AV can scan traffic that matches rules in the Content Types and File Names categories. From the Categories list on the left side of the Proxy Configuration window, click one of the following categories. FTP Proxy SMTP Proxy POP3 Proxy HTTP Proxy TCP Proxy (HTTP traffic on dynamic ports) Download Content Types Content Types Requests: URL Paths Requests: URL Paths Upload File names File names Responses: Content Types Responses: Content Types Responses: Body Content Types Responses: Body Content Types WatchGuard System Manager Configuring Antivirus Actions 3 Select AV Scan from the If matched or None matched drop-down lists if you want traffic that matches, or does not match, a given rule to be scanned for viruses. (For information on how to configure rules in a proxy definition, see “Adding rules (simple view)” on page 253.) Gateway AntiVirus is automatically activated and enabled for the proxy. To use Gateway AntiVirus with other proxies, you must repeat this procedure for each one. Configuring Antivirus Actions When you enable Gateway AntiVirus, you must set the actions to be taken if a virus or error is found in an email message (SMTP or POP3 proxies), web page (HTTP or TCP proxies), or uploaded or downloaded file (FTP proxy). The options for antivirus actions are: Allow Allows the packet to go to the recipient, even if the content contains a virus. Lock (SMTP and POP3 proxies only) Locks the attachment. This is a good option for files that cannot be scanned by the Firebox®. A file that is locked cannot be opened easily by the user. Only the administrator can unlock the file. The administrator can use a different antivirus tool to scan the file and examine the content of the attachment. For information on how to unlock a file locked by Gateway AntiVirus, see “Unlocking a file locked by Gateway AntiVirus” on page 423. Remove (SMTP and POP3 proxies only) Removes the attachment and allows the message through to the recipient. Drop (not supported in POP3 proxy) Drops the packet and drops the connection. No information is sent to the source of the message. Block (not supported in POP3 proxy) Blocks the packet, and adds the IP address of the sender to the Blocked Sites list. If you set the configuration to allow attachments, your configuration is less secure. User Guide 421 Configuring Antivirus Actions 1 From Policy Manager, select Tasks > Gateway AntiVirus > Configure. The Gateway AntiVirus dialog box appears, which lists the proxies that have already been created. 2 Select the policy you want to configure and click Configure. The General Gateway Antivirus Settings page for that policy appears. Or, instead of step 1 and 2, you can go to the same page from the proxy definition screens. From the Categories section in the proxy definition, select AntiVirus. 3 422 The When a virus is detected drop-down list on this dialog box sets the action for the Firebox to take if a virus is detected in an email message, file, or web page. See the beginning of this section for a description of the proxy actions. WatchGuard System Manager Configuring Antivirus Actions 4 The When a scan error occurs drop-down list sets the action when the Firebox cannot scan an object or attachment. Attachments that cannot be scanned include binhex-encoded messages, certain encrypted files, or files that use a type of compression that we do not support such as password-protected Zip files. See the beginning of this section for a description of the proxy actions. 5 (FTP proxy only) You can limit file scanning up to a specified kilobyte count. Any additional bytes in the file are not scanned. This allows the proxy to partially scan very large files without a large effect on performance. Enter the limit in the Limit scanning to first field. Creating alarms or log entries for antivirus actions An alarm is a mechanism to tell users when a proxy rule applies to network traffic. Use the Alarm check box on the AntiVirus page of a proxy definition to create an alarm when the adjacent action occurs. If you do not want an alarm for the antivirus action, clear the Alarm check box for that action. To use the alarm feature successfully, you must also configure the type of alarm to use in each proxy policy. To configure the alarm type to use, use the Proxy and AV Alarms category for the proxy. For information about the settings for this category, see “Setting Logging and Notification Preferences in Policy Manager” on page 96. If you want to record log messages for a proxy action, select the Log check box for the antivirus response. If you do not want to record log messages for an antivirus response, clear the Log check box. Unlocking a file locked by Gateway AntiVirus WatchGuard® System Manager provides an executable to unlock attachments locked by Gateway AntiVirus: C:\Program Files\WatchGuard\wsm9.1\bin\unlock.exe User Guide 423 Global Gateway AntiVirus Settings To open a locked file: 1 Open a command prompt. 2 Type: Unlock <path to locked file> Global Gateway AntiVirus Settings The Firebox® uses several global settings for Gateway AntiVirus regardless of which proxy it is configured to work with. Signatures for Gateway AV are not automatically updated by default. To make sure Gateway AV has current signatures, either enable automatic updates for the Gateway AV server, (as described in “Configuring the update server” on page 424) or use the Security Services tab of Firebox System Manager to manually update the signatures. Configuring Gateway AV engine settings 1 From Policy Manager, select Tasks > Gateway AntiVirus > Configure. 2 From the Gateway AntiVirus dialog box, click Settings. 3 To scan inside compressed attachments, select the Enable Decompression check box. Select or type the number of compression levels to scan. We recommend that you keep the default setting of three levels, unless your organization must use a larger value. If you specify a larger number, your Firebox could send traffic too slowly. Gateway AntiVirus supports up to six levels. If Gateway AntiVirus detects that the archive depth is greater than the value set in this field, it will generate a scan error for the content. Compressed attachments that cannot be scanned include encrypted files or files that use a type of compression that we do not support such as password-protected Zip files. To set the action for the Firebox when it finds a message it cannot scan, select an action for “When a scan error occurs” in the General category of the policy configuration. 4 Click Restore Defaults if you want to reset the user interface to default settings. To apply the default settings, make sure you click OK. Configuring the update server 1 424 From Policy Manager, select Tasks > Gateway AntiVirus > Configure. WatchGuard System Manager Global Gateway AntiVirus Settings 2 From the Gateway AntiVirus dialog box, click Update Server. The Update Server dialog box appears. 3 Automatic updates for Gateway AV are not enabled by default. To enable automatic updates for the Gateway AV server, select the Enable automatic update check box. Enter the number of hours between automatic updates in the Interval drop-down list. - If you want the Firebox to download a new set of Gateway AV signatures at this interval, select the GAV Signatures check box. - If you want the Firebox to download a new set of IPS signatures at this interval, select the IPS Signatures check box. - If you want to check for updates to the Gateway AV engine at this interval, select the GAV Engine check box. 4 Do not change the URL of the update server for Gateway AV or IPS unless you are told to do so by WatchGuard. If you change the URL accidentally or incorrectly, click Restore Defaults to return to the default setting. 5 Click OK. Connecting to the update server through an HTTP proxy server If your Firebox must connect through an HTTP proxy to get to the Gateway AV/IPS update server, you must add information about the HTTP proxy server to your Gateway AV/IPS configuration. 1 From the Gateway AntiVirus dialog box, click Update Server. 2 Select the Contact the GAV/IPS update server using an HTTP proxy check box. User Guide 425 Activating Intrusion Prevention Service (IPS) 3 From the Server address drop-down list, select whether you identify your HTTP proxy server by host name or IP address. Type the host name or IP address in the adjacent field. 4 Most HTTP proxy servers receive requests on port 8080. If your HTTP proxy uses a different port, enter it in the Server port field. 5 From the Server authentication drop-down list, select the type of authentication your HTTP proxy server uses. Select NoAuth if your HTTP proxy does not require authentication. If your HTTP proxy server requires NTLM or Basic authentication, enter your user name, user domain, and password in the correct fields. Activating Intrusion Prevention Service (IPS) Hackers use many methods to attack computers on the Internet. The function of these attacks is to cause damage to your network, get sensitive information, or use your computers to attack other networks. These attacks are known as intrusions. You use the Firebox® Intrusion Prevention Service (IPS) with the WatchGuard® proxies to find and stop intrusions. IPS examines DNS, FTP, HTTP, POP3, and SMTP traffic. It uses the TCP proxy to scan other TCP-based traffic. Before you use IPS in a proxy policy, you must run the Activate Intrusion Prevention wizard to activate the feature and create a basic configuration: 1 426 From WatchGuard System Manager, select the Firebox that will use IPS. WatchGuard System Manager Activating Intrusion Prevention Service (IPS) 2 Select Tools > Policy Manager or, click the Policy Manager icon on the WatchGuard System Manager toolbar. 3 From Policy Manager, select Tasks > Intrusion Prevention > Activate. The Activate Intrusion Prevention wizard starts. 4 Click Next. 5 Click through the wizard and add the information it asks for. The wizard shows different screens depending on whether you already have proxy policies in your configuration. If you do not, the wizard helps you create a proxy policy. You can then use the wizard again to configure IPS, or see the instructions in the subsequent section. The wizard has the following screens. Select proxy policies to enable This screen shows a list of proxy policies that are already defined on your Firebox. From the list, select the proxy policies you want to enable IPS for. The Select check boxes for any policies that are disabled or that have Gateway AntiVirus already enabled appear dimmed. User Guide 427 Activating Intrusion Prevention Service (IPS) Create new proxy policies This screen shows the proxy types whose corresponding policies do not currently exist. If, for example, you have already created an SMTP policy, it does not appear in the list. To create a policy, select the corresponding check box. If you select SMTP, enter the mail server IP address. This wizard creates a default SMTP policy, which is a static NAT policy. To create this default SMTP policy, you must have at least one external interface with a static IP address or PPPoE. Only one policy is created even if you have more than one external interface. The To field of the policy is a static NAT entry (the static IP address of the first external interface to the specified mail service IP address). If this default policy does not meet your requirements, you can create an SMTP policy in Policy Manager before you run this wizard. Select Advanced Intrusion Prevention settings (HTTP and TCP only) If you use the wizard to add an HTTP or TCP policy, you can select protection against Instant Messaging (IM), Peer-to-Peer (P2P), and Spyware. 428 WatchGuard System Manager Configuring Intrusion Prevention Configuring Intrusion Prevention After you use the Activate Intrusion Prevention wizard to activate IPS and create a basic configuration, you can further refine the configuration. 1 From Policy Manager, select Tasks > Intrusion Prevention > Configure. The Intrusion Prevention dialog box appears, which lists the policies that have already been created. 2 Select the policy you want to configure and click Configure. The General Intrusion Prevention Settings page for that policy appears. About intrusion severity levels The proxy settings for intrusion prevention generally use three separate security levels. These three intrusion severity levels look for the following: High Vulnerabilities that allow remote access or execution of code, such as buffer overflows, remote command execution, password disclosure, backdoors, and security bypass. Medium Vulnerabilities that allow access, disclose server-side source code to attackers, and deny access to legitimate users. Examples are directory traversal, file/source disclosure, DoS, SQL injection, and cross-site scripting. Low Vulnerabilities that do not allow the attacker to directly get access, but allow the attacker to get information that can be used in an intrusion. For example, an attacker can send a command that gets information about the operating system, IP addresses, or topology of a network. Signatures that get access to software applications with vulnerabilities (such as signatures that do not have very specific content) also get this level of severity. Some signatures that would usually be in the High or Medium level are put in lower levels if their content is not very detailed. They are also put in lower levels if they have a wide scope that could cause false positives. User Guide 429 Configuring Intrusion Prevention Configuring intrusion prevention for HTTP or TCP The HTTP and TCP proxies include options to prevent Instant Messaging (IM), Peer to Peer (P2P), and spyware use. 1 Select the Enable Intrusion Prevention check box. 2 (HTTP only) Under Signatures, click one or both check boxes to use a more accurate list of signatures for HTTP client endpoints, HTTP server endpoints, or both. 3 In the Actions section, use the drop-down lists to select the Firebox® action for each severity level. Allow Allows the packet to go to the recipient, even if the content matches a signature. Deny Drops the packet and sends a TCP reset packet to the sender. Drop Drops the packet and drops the connection. No information is sent to the sender. Block Blocks the packet, and adds the source of the IP address to the Blocked Sites list. Preventing Instant Messaging (IM) use The HTTP Proxy has options to prevent Instant Messaging (IM) use. It finds these IM services: 430 • AOL Instant Messenger (AIM) • ICQ • IRC (available for the TCP proxy only) • MSN Messenger WatchGuard System Manager Configuring Intrusion Prevention Yahoo! Messenger • 1 From the Intrusion Prevention Services fields of the HTTP proxy, click the IM tab. 2 Select the action the Firebox will take when it detects IM: Allow, Drop, Deny, or Block. 3 Select IM Signature Categories to enable sets of signatures for different IM services. You can then unselect individual services. Preventing Peer to Peer (P2P) use The HTTP Proxy has options to prevent Peer to Peer (P2P) use. It finds these types of P2P services: • BitTorrent • eDonkey2000 (Ed2k) • Gnutella • IRC (available for the TCP proxy only) • Kazaa • Napster • Phatbot 1 From the Intrusion Prevention Services fields of the HTTP proxy, click the P2P tab. 2 Select the action the Firebox will take when it detects IM: Allow, Drop, Deny, or Block. 3 Select P2P Signature Categories to enable sets of signatures for different P2P services. You can then unselect individual services. Blocking spyware The HTTP and TCP proxies provide these antispyware categories: Adware A software application in which advertising banners are shown while the program is in operation. It sometimes includes code that records a user's personal information and sends it to third parties, without the user's authorization or knowledge. Dialer A software application that can hijack a user’s modem and dial toll numbers that get access to inappropriate web sites. Downloader A program that gets and installs other files. Most are configured to get files from a designated web or FTP site. Hijacker A type of malware program that changes your computer's browser settings and redirects you to web sites that you did not plan to browse to. Trackware Any software that uses a computer’s Internet connection to send personal information without the user’s permission. 1 From the Intrusion Prevention Services fields of the HTTP proxy, click the Antispyware tab. 2 Select the action the Firebox will take when it detects spyware: Allow, Drop, Deny, or Block. User Guide 431 Configuring Intrusion Prevention Configuring Intrusion Prevention for FTP, SMTP, POP3, or DNS 1 Select the Enable Intrusion Prevention check box. 2 For each severity level, select one of the following actions. Allow Allow the transaction, even if the content matches a signature. Deny Deny the transaction and send a deny message to the sender. Drop Drop the connection to stop the message and drop the connection. No information is sent to the source of the message. Block Drop the connection and add the IP address of the sender to the Blocked Sites list. If you set the configuration to allow attachments, your configuration is less secure. Configuring the IPS update server 1 For information on how to automatically update the IPS server and change the server’s URL, see “Configuring the update server” on page 424. Automatic updates for IPS are not enabled by default. To enable automatic updates for the IPS server, select the Enable automatic update check box. Enter the number of hours between automatic updates in the Interval drop-down list. Configuring signature exceptions Each signature used by IPS has a unique ID number. You can find the ID number for a signature using the Firebox System Manager tool. Open Firebox System Manager and select the Show Signatures 432 WatchGuard System Manager Getting Gateway AV/IPS Status and Updates option on the Security Services tab. If you have a signature that you want the IPS service to ignore, you can add it as an exception. 1 From the Intrusion Prevention dialog box, click Signature Exceptions. The Signature ID Exceptions dialog box appears. 2 Type or use the value control button to enter the signature that you want to disable. Click Add. Copying IPS settings to other policies After configuring IPS for one proxy, you can copy the same configuration to other proxies. However, you can copy IPS settings only between policies with compatible IPS configurations: • Between FTP, DNS, POP3, and SMTP policies • Between multiple TCP policies • Between multiple HTTP policies 1 From the Intrusion Prevention dialog box, select the proxy whose configuration you want to copy, right-click, and select Copy IPS Configuration. 2 From the same dialog box, select the proxy or proxies you want to copy the configuration to, right-click, and select Paste IPS Configuration. Getting Gateway AV/IPS Status and Updates You can see the status and get updates for Gateway AV/IPS on the Security Services tab in Firebox® System Manager. Seeing service status The Security Services tab in Firebox® System Manager shows you whether protection is active. You can also see information about the signature versions. User Guide 433 Getting Gateway AV/IPS Status and Updates To see service status: 1 From WatchGuard® System Manager, select the Firebox. Select Tools > Firebox System Manager or, click the Firebox System Manager icon on the WatchGuard System Manager toolbar. 2 Click the Security Services tab. The window shows the status for the installed security services. Licenses for these features must be installed to see status information. Updating signatures or engines manually Security services can be configured to update signatures and the engine automatically, as described in “Configuring the update server” on page 424. You can also update signatures or the engine manually. If the signatures or engine on the Firebox are not current, you are not protected from the latest viruses and intrusions. To update the services manually: 1 Start Firebox System Manager. 2 Click the Security Services tab. Security service status appears. 3 434 Click Update for the service you want to update. You must type your configuration passphrase. WatchGuard System Manager Getting Gateway AV/IPS Status and Updates The Firebox downloads the most recent available signature update or the most recent available engine for Gateway AntiVirus or Intrusion Protection Service. You see information about the update in Traffic Monitor. Seeing the update history From the Security Services tab, click History to see a list of updates of services and engines. User Guide 435 Getting Gateway AV/IPS Status and Updates 436 WatchGuard System Manager 28 Dynamic Routing The OSPF and BGP dynamic routing protocols are available only in Fireware® Pro. Only Routing Information Protocol (RIP) is available with Fireware. A routing protocol is the language a router speaks with other routers to share information about the status of network routing tables. With static routing, routing tables are set and do not change. If a router on the remote path fails, a packet cannot get to its destination. Dynamic routing lets routing tables in routers change as the routes change. If the best path to a destination cannot be used, dynamic routing protocols change routing tables when necessary to keep your network traffic moving. Fireware Pro supports RIP v1 and v2, OSPF, and BGP v4 dynamic routing protocols. Fireware supports only RIP v1 and v2. Routing Daemon Configuration Files To use any of the dynamic routing protocols with Fireware®, you must import or type a dynamic routing configuration file for the routing daemon you choose. This configuration file includes information such as a password and log file name. To see configuration templates for each of the routing protocols, see the Dynamic Routing section of the product FAQs at: www.watchguard.com/support/faqs/fireware/ You can find a list of supported configuration commands for each routing protocol in the sections below. The command sections below appear in the order they must go in an operating configuration file. Notes about configuration files: • The “!” and the “#” characters are comment characters. If the first character of the word is one of the comment characters, then the rest of the line is interpreted as a comment. If the comment character is not the first character of the word, it is interpreted as a command. • Usually, you can use the word “no” at the beginning of the line to disable a command. For example: “no network 10.0.0.0/24 area 0.0.0.0” disables the backbone area on the specified network. User Guide 437 Using RIP Using RIP Support for this protocol is available in both Fireware® and Fireware Pro. RIP (Routing Information Protocol) is used to manage router information in a self-contained network, such as a corporate LAN or a private WAN. With RIP, a gateway host sends its routing table to the closest router each 30 seconds. This router, in turn, sends the contents of its routing tables to neighboring routers. RIP is best for small networks. This is because the transmission of the full routing table each 30 seconds can put a large traffic load on the network, and because RIP tables are limited to 15 hops. OSPF is a better alternative for larger networks. RIP Version 1 RIP V1 uses a UDP broadcast over port 520 to send updates to routing tables. To create or modify a routing configuration file, here is a table of supported routing commands. The sections must appear in the configuration file in the same order they appear in this table. You can also use the sample RIP configuration file in the Dynamic Routing section of the Fireware FAQs at: http://www.watchguard.com/support/faqs/fireware/ Section Command Description Set simple password or MD5 authentication on an interface interface eth[N] Begin section to set authentication type for interface ip rip authentication string [PASSWORD] Set RIP authentication password key chain [KEY-CHAIN] Set MD5 key chain name key [INTEGER] Set MD5 key number key-string [AUTH-KEY] Set MD5 authentication key ip rip authentication mode md5 Use MD5 authentication ip rip authentication mode key-chain [KEY-CHAIN] Set MD5 authentication keychain Configure RIP routing daemon router rip Enable RIP daemon version [1|2] Set RIP version to 1 or 2 (default version 2) ip rip send version [1|2] Set RIP to send version 1 or 2 ip rip receive version [1|2] Set RIP to receive version 1 or 2 no ip split-horizon Disable split-horizon; enabled by default Configure interfaces and networks no network eth[N] passive-interface eth[N] passive-interface default network [A.B.C.D/M] neighbor [A.B.C.D/M] 438 WatchGuard System Manager Using RIP Section Command Description Distribute routes to RIP peers and inject OSPF or BGP routes to RIP routing table default-information originate Share route of last resort (default route) with RIP peers redistribute kernel Redistribute firewall static routes to RIP peers redistribute connected Redistribute routes from all interfaces to RIP peers redistribute connected routemap [MAPNAME] Redistribute routes from all interfaces to RIP peers, with a route map filter (mapname) redistribute ospf Redistribute routes from OSPF to RIP redistribute ospf route-map [MAPNAME] Redistribute routes from OSPF to RIP, with a route map filter (mapname) redistribute bgp Redistribute routes from BGP to RIP redistribute bgp route-map [MAPNAME] Redistribute routes from BGP to RIP, with a route map filter (mapname) Configure route redistribution filters with route maps and access lists access-list [PERMIT | DENY] [LISTNAME] [A.B.C.D/M | ANY] Create an access list to allow or deny redistribution of only one IP address or for all IP addresses route-map [MAPNAME] permit [N] Create a route map with a name and allow with a priority of N match ip address [LISTNAME] Configuring Fireware or Fireware Pro to use RIP v1 1 From Policy Manager, select Network > Dynamic Routing. The Dynamic Routing Setup dialog box appears. User Guide 439 Using RIP 2 Click Enable Dynamic Routing and Enable RIP. 3 Click Import to import a routing daemon configuration file, or type your configuration file in the text box. Click OK. Allowing RIP v1 traffic through the Firebox You must add and configure a policy to allow RIP broadcasts from the router to the network broadcast IP address. You must also add the IP address of the Firebox® interface to the To field. 1 From Policy Manager, select Edit > Add Policies. From the list of packet filters, select RIP. Click Add. 2 In the New Policy Properties dialog box, configure the policy to allow traffic from the IP or network address of the router that uses RIP to the Firebox interface it connects to. You must also add the network broadcast IP address. (For information on how to set the source and destination addresses for a policy, see “Setting sources and destinations for a policy” on page 196.) Click OK. RIP Version 2 RIP v2 uses multicast to send routing table updates. To create or modify a routing configuration file, refer to the table of supported RIP routing commands in the previous section on RIP Version 1. Any command that uses a network IP address must include the subnet mask or RIP v2 will not operate. The sections must appear in the configuration file in the same order they appear in this table. 440 WatchGuard System Manager Using RIP Configuring Fireware to use RIP v2 1 In Policy Manager, select Network > Dynamic Routing. The Dynamic Routing Setup dialog box appears. 2 Click Enable Dynamic Routing and Enable RIP. 3 Click Import to import a routing daemon configuration file, or type your configuration parameters in the text box. Click OK. Allowing RIP v2 traffic through the Firebox You must add and configure a policy to allow RIP v2 multicasts from the routers that have RIP v2 enabled to the reserved multicast IP address for RIP v2. 1 From Policy Manager, select Edit > Add Policies. From the list of packet filters, select RIP. Click Add. The New Policy Properties window appears for RIP. User Guide 441 Using OSPF 2 In the New Policy Properties window, configure the policy to allow traffic from the IP or network address of the router that uses RIP to the multicast address 224.0.0.9. (For information on how to set the source and destination addresses for a policy, see “Setting sources and destinations for a policy” on page 196.) Click OK. Using OSPF Support for this protocol is available only in Fireware® Pro. OSPF (Open Shortest Path First) is an interior router protocol used in larger networks. With OSPF, a router that sees a change to its routing table or that detects a change in the network immediately sends a multicast update to all other routers in the network. OSPF is different from RIP because: • OSPF sends only the part of the routing table that has changed in its transmission. RIP sends the full routing table each time. • OSPF sends a multicast only when its information has changed. RIP sends the routing table every 30 seconds. Also, note the following about OSPF: • If you have more than one OSPF area, one area must be area 0.0.0.0 (the backbone area). • All areas must be adjacent to the backbone area. If they are not, you must configure a virtual link to the backbone area. OSPF daemon configuration To create or modify a routing configuration file, here is a catalog of supported routing commands. The sections must appear in the configuration file in the same order they appear in this table. You can also use the sample OSPF configuration file found in the Dynamic Routing section of the Fireware FAQs at: http://www.watchguard.com/support/faqs/fireware/ Section Command Description Configure Interface 442 ip ospf authentication-key [PASSWORD] Set OSPF authentication password interface eth[N] Begin section to set properties for interface ip ospf message-digest-key [KEY-ID] md5 [KEY] Set MD5 authentication key ID and key ip ospf cost [1-65535] Set link cost for the interface (see OSP Interface Cost table below) ip ospf hello-interval [1-65535] Set interval to send hello packets; default is 10 seconds ip ospf dead-interval [1-65535] Set interval after last hello from a neighbor before declaring it down; default is 40 seconds WatchGuard System Manager Using OSPF Section Command Description ip ospf retransmit-interval [1-65535] Set interval between link-state advertisements (LSA) retransmissions; default is 5 seconds ip ospf transmit-delay [1-3600] Set time required to send LSA update; default is 1 second ip ospf priority [0-255] Set router priority; high value increases eligibility to become the designated router (DR) Configure OSPF Routing Daemon router ospf Enable OSPF daemon ospf router-id [A.B.C.D] Set router ID for OSPF manually; router will determine its own ID if not set ospf rfc 1583compatibility Enable RFC 1583 compatibility (can lead to routing loops) ospf abr-type [cisco|ibm|shortcut|standard] More information about this command can be found in draftietf-abr-alt-o5.txt passive interface eth[N] Disable OSPF announcement on interface eth[N] auto-cost reference bandwidth [0-429495] Set global cost (see OSPF cost table below); do not use with “ip ospf [COST]” command timers spf [0-4294967295][0-4294967295] Set OSPF schedule delay and hold time Enable OSPF on a Network *The “area” variable can be typed in two formats: [W.X.Y.Z]; or as an integer [Z]. network [A.B.C.D/M] area [Z] Announce OSPF on network A.B.C.D/M for area 0.0.0.Z Configure Properties for Backbone Area or Other Areas *The “area” variable can be typed in two formats: [W.X.Y.Z]; or as an integer [Z]. area [Z] range [A.B.C.D/M] Create area 0.0.0.Z and set a classful network for the area (range and interface network and mask settings should match) area [Z] virtual-link [W.X.Y.Z] Set virtual link neighbor for area 0.0.0.Z area [Z] stub Set area 0.0.0.Z as a stub area [Z] stub no-summary area [Z] authentication Enable simple password authentication for area 0.0.0.Z area [Z] authentication message-digest Enable MD5 authentication for area 0.0.0.Z Redistribute OSPF Routes default-information originate User Guide Share route of last resort (default route) with OSPF 443 Using OSPF Section Command Description default-information originate metrics [0-16777214] Share route of last resort (default route) with OSPF, and add a metric used to generate the default route default-information originate always Always share the route of last resort (default route) default-information originate always metrics [0-16777214] Always share the route of last resort (default route), and add a metric used to generate the default route redistribute connected Redistribute routes from all interfaces to OSPF redistribute connected metrics Redistribute routes from all interfaces to OSPF, and a metric used for the action Configure Route Redistribution with Access Lists and Route Maps access-list [LISTNAME] permit [A.B.C.D/M] Create an access list to allow distribution of A.B.C.D/M access-list [LISTNAME] deny any Restrict distribution of any route map not specified above route-map [MAPNAME] permit [N] Create a route map with name [MAPNAME] and allow with a priority of [N] match ip address [LISTNAME] OSPF Interface Cost table The OSPF protocol finds the most efficient route between two points. To do this, it looks at factors such as interface link speed, the number of hops between points, and other metrics. By default, OSPF uses the actual link speed of a device to calculate the total cost of a route. You can set the interface cost manually to help maximize efficiency if, for example, your gigabyte-based firewall is connected to a 100M router. Use the numbers in the OSPF Interface Cost table to manually set the interface cost to a value different than the actual interface cost. 444 Interface Type Bandwidth in bits/second Bandwidth in bytes/second OSPF Interface Cost Ethernet 1G 100M 1 Ethernet 100M 10M 10 Ethernet 10M 1M 100 Modem 2M 200K 500 Modem 1M 100K 1000 Modem 500K 50K 2000 Modem 250K 25K 4000 Modem 125K 12500 8000 Modem 62500 6250 16000 Serial 115200 9216 10850 WatchGuard System Manager Using OSPF Interface Type Bandwidth in bits/second Bandwidth in bytes/second OSPF Interface Cost Serial 57600 4608 21700 Serial 38400 3072 32550 Serial 19200 1636 61120 Serial 9600 768 65535 Configuring Fireware Pro to use OSPF 1 From Policy Manager, select Network > Dynamic Routing. The Dynamic Routing Setup dialog box appears. 2 Click the OSPF tab. 3 Click Enable Dynamic Routing and Enable OSPF. 4 Click Import to import a routing daemon configuration file, or type your configuration parameters in the text box. Click OK. User Guide 445 Using BGP Allowing OSPF traffic through the Firebox You must add and configure a policy to allow OSPF multicasts from the routers that have OSPF enabled to the reserved multicast addresses for OSPF. 1 From Policy Manager, select Edit > Add Policies. From the list of packet filters, select OSPF. Click Add. The New Policy Properties window appears for OSPF. 2 In the New Policy Properties window, configure the policy to allow traffic from the IP or network address of the router using OSPF to the IP addresses 224.0.0.5 and 224.0.0.6. (For information on how to set the source and destination addresses for a policy, see “Setting sources and destinations for a policy” on page 196.) Click OK. Using BGP Support for this protocol is available only in Fireware® Pro. Border Gateway Protocol (BGP) is a scalable dynamic routing protocol used on the Internet by groups of routers to share routing information. BGP uses route parameters or “attributes” to define routing policies and create a stable routing environment. This protocol allows you to advertise more than one path to and from the Internet to your network and resources, which gives you redundant paths and can increase your uptime. Hosts that use BGP use TCP to send updated routing table information when one host finds a change. The host sends only the part of the routing table that has the change. BGP uses classless interdomain routing (CIDR) to reduce the size of the Internet routing tables. The size of the BGP routing table in Fireware Pro is set at 32K. The size of the typical WatchGuard® customer wide area network (WAN) is best suited for OSPF dynamic routing. A WAN can also use external border gateway protocol (EBGP) when more than one gateway to the Internet is available. EBGP allows you to take full advantage of the redundancy possible with a multi-homed network. 446 WatchGuard System Manager Using BGP To participate in EBGP with an ISP you must have an autonomous system number (ASN). You must get an ASN from one of the regional registries in the table below. After you are assigned your own ASN, you must contact each ISP to get their ASNs and other necessary information. Region Registry Name Web Site North America ARIN www.arin.net Europe RIPE NCC www.ripe.net Asia Pacific APNIC www.apnic.net Latin America LACNIC www.lacnic.net Africa AfriNIC www.afrinic.net BGP daemon configuration To create or modify a routing configuration file, here is a catalog of supported routing commands. The sections must appear in the configuration file in the same order they appear in this table. You can also use the sample BGP configuration file found in the Dynamic Routing section of the Fireware FAQs at: www.watchguard.com/support/faqs/fireware/ Do not use BGP configuration parameters that you do not get from your ISP. Section Command Description Configure BGP Routing Daemon router bgp [ASN] Enable BGP daemon and set autonomous system number (ASN); this is supplied by your ISP network [A.B.C.D/M] Announce BGP on network A.B.C.D/M no network [A.B.C.D/M] Disable BGP announcements on network A.B.C.D/M Set Neighbor Properties User Guide neighbor [A.B.C.D] remote-as [ASN] Set neighbor as member of remote ASN neighbor [A.B.C.D] ebgp-multihop Set neighbor on another network using EBGP multi-hop neighbor [A.B.C.D] version 4+ Set BGP version (4, 4+, 4-) for communication with neighbor; default is 4 neighbor [A.B.C.D] update-source [WORD] Set the BGP session to use a specific interface for TCP connections neighbor [A.B.C.D] default-originate Announce default route to BGP neighbor [A.B.C.D] neighbor [A.B.C.D] port 189 Set custom TCP port to communicate with BGP neighbor [A.B.C.D] neighbor [A.B.C.D] send-community Set peer send-community 447 Using BGP Section Command Description neighbor [A.B.C.D] weight 1000 Set a default weight for neighbor’s [A.B.C.D] routes neighbor [A.B.C.D] maximum-prefix [NUMBER] Set maximum number of prefixes allowed from this neighbor Community Lists ip community-list [<1-99>|<100-199>] permit AA:NN Specify community to accept autonomous system number and network number separated by a colon Peer Filtering neighbor [A.B.C.D] distribute-list [LISTNAME] [IN|OUT] Set distribute list and direction for peer neighbor [A.B.C.D] prefix-list [LISTNAME] [IN|OUT] To apply a prefix list to be matched to incoming advertisements or outgoing advertisements to that neighbor neighbor [A.B.C.D] filter-list [LISTNAME] [IN|OUT] To match an autonomous system path access list to incoming routes or outgoing routes neighbor [A.B.C.D] route-map [MAPNAME] [IN|OUT] To apply a route map to incoming or outgoing routes Redistribute Routes to BGP redistribute kernel Redistribute static routes to BGP redistribute rip Redistribute RIP routes to BGP redistribute ospf Redistribute OSPF routes to BGP Route Reflection bgp cluster-id A.B.C.D To configure the cluster ID if the BGP cluster has more than one route reflector neighbor [W.X.Y.Z] route-reflector-client To configure the router as a BGP route reflector and configure the specified neighbor as its client Access Lists and IP Prefix Lists 448 ip prefix-list PRELIST permit A.B.C.D/E Set prefix list access-list NAME [deny|allow] A.B.C.D/E Set access list route-map [MAPNAME] permit [N] In conjunction with the “match” and “set” commands, this defines the conditions and actions for redistributing routes match ip address prefix-list [LISTNAME] Matches the specified access_list set community [A:B] Set the BGP community attribute match community [N] Matches the specified community_list set local-preference [N] Set the preference value for the autonomous system path WatchGuard System Manager Using BGP Configuring Fireware Pro to use BGP 1 From Policy Manager, select Network > Dynamic Routing. The Dynamic Routing Setup dialog box appears. 2 Click the BGP tab. 3 Click Enable Dynamic Routing and Enable BGP. 4 Click Import to import a routing daemon configuration file, or type your configuration parameters in the text box. 5 Click Select a BGP Configuration file. Click OK. User Guide 449 Using BGP Allowing BGP traffic through the Firebox You must add and configure a policy to allow BGP traffic to the Firebox® from the approved networks. These networks must be the same networks you defined in your BGP configuration file. 1 From Policy Manager, select Edit > Add Policies. From the list of packet filters, select BGP. Click Add. The New Policy Properties window appears for BGP. 2 450 In the New Policy Properties dialog box, configure the policy to allow traffic from the IP or network address of the router that uses BGP to the Firebox interface it connects to. (For information on how to set the source and destination addresses for a policy, see “Setting sources and destinations for a policy” on page 196.) Click OK. WatchGuard System Manager 29 Traffic Management and Quality of Service To use the features described in this chapter, you must have Fireware® Pro installed on your Firebox®. In a large network with many computers, the volume of data that moves through the firewall can be very large. A network administrator can use Traffic Management and Quality of Service (QoS) actions to prevent data loss for important business applications and to make sure mission-critical applications take priority over other traffic. About Traffic Management and QoS Traffic Management and QoS provide a number of benefits. You can: • Guarantee or limit bandwidth • Control the rate at which the Firebox® sends packets to the network • Prioritize when to send packets to the network To apply traffic management to policies, you define a Traffic Management action, which is a collection of settings that you can apply to one or more policy definitions. This way you do not need to configure the traffic management settings separately in each policy. You can define additional Traffic Management actions if you want to apply different settings to different policies. Guaranteeing bandwidth Bandwidth reservation prevents connection timeouts. A traffic management queue with reserved bandwidth and low priority can give bandwidth to real-time applications with higher priority when necessary without disconnecting. Other traffic management queues can take advantage of unused reserved bandwidth when it becomes available. For example, suppose your company has an FTP server on the external network and you want to guarantee that FTP always has at least 200 Kilobytes per second through the external interface. You might also consider setting a minimum bandwidth from the trusted interface to make sure that the connection has end-to-end guaranteed bandwidth. To do this, you would create a Traffic Management action that defines a minimum of 200 kbps for FTP traffic on the external interface. You would then create an User Guide 451 Configuring Outgoing Interface Bandwidth FTP policy and apply the Traffic Management action. This will allow “ftp put” at 200 kbps. If you want to allow “ftp get” at 200 kbps, you must configure the FTP traffic on the trusted interface to also have a minimum of 200 kbps. As another example, suppose your company uses multimedia materials (streaming media) for training external customers. This streaming media uses RTSP over port 554. You have frequent FTP uploads from the trusted to external interface, and you do not want these uploads to compete with your customers receiving streaming media. You would apply a Traffic Management action to the external interface for the streaming media port to guarantee sufficient bandwidth. Restricting bandwidth The guaranteed bandwidth setting works with another setting configured for each external interface, Outgoing Interface Bandwidth, to make sure you do not guarantee more bandwidth than actually exists. This setting also helps you make sure the sum of guaranteed bandwidth settings does not fill the link such that non-guaranteed traffic cannot pass. For example, suppose the link is 1 Mbps and you try to use a Traffic Management action that guarantees 973 Kbps (0.95 Mbps) to the FTP policy on that link. With these settings, the FTP traffic could prevent other types of traffic from using the interface. If you try to configure the Firebox this way, Policy Manager warns you that you are approaching the Outgoing Interface Bandwidth setting for that interface. QoS Marking QoS Marking creates different classes of service for different kinds of outbound network traffic. When you “mark” traffic, you change up to six bits on packet header fields defined for this purpose. QoS-capable external devices can make use of this marking and provide appropriate handling of a packet as it travels from one point to another in a network. You can use QoS Marking on a per-interface or per-policy basis. When you define QoS Marking for an interface, packets leaving that interface are marked. QoS Marking for a policy marks traffic that uses the policy. Traffic priority You can assign different levels of priority either to policies or for traffic from a particular interface. Traffic prioritization at the firewall allows you to manage multiple class of service (CoS) queues and reserve the highest priority for real-time or streaming data. A policy with high priority can take bandwidth away from existing low priority connections when the link is congested and traffic is competing for bandwidth. Configuring Outgoing Interface Bandwidth Before you use Traffic Management features, you must give each interface a bandwidth limit, known as Outgoing Interface Bandwidth, for traffic sent from that interface to the network segment to which it is connected. After you set this limit, Fireware® will refuse packets that exceed the limit. Also, Policy Manager gives a warning if you allocate too much bandwidth as you create or adjust traffic management actions. If you keep the Outgoing Interface Bandwidth setting for any interface at its default value of 0, it is set to the auto-negotiated link speed for that interface. 1 From Policy Manager, select Setup > Global Settings. The Global Settings dialog box appears. 452 WatchGuard System Manager Using Traffic Management Actions 2 At the bottom of the dialog box, make sure the Disable all traffic management and QoS features check box is cleared. If it is not, clear it. Click OK. You might want to disable these features at a later time if you do performance testing or network debugging. 3 From Policy Manager, select Network > Configuration. The Network Configuration dialog box appears. 4 Select the interface for which you want to set bandwidth limits and click Configure. The Interface Settings dialog box appears. 5 Click the Advanced tab. 6 In the Outgoing Interface Bandwidth field, enter the amount of bandwidth provided by the network. Use your Internet connection upload speed (in Kbps rather than KBps) as the limit for external interfaces. Set your LAN interface bandwidth based on the minimum link speed supported by your LAN infrastructure. Using Traffic Management Actions Traffic Management actions can enforce an absolute maximum connection rate and bandwidth for groups of policies. Traffic Management actions can also guarantee minimum bandwidth for groups of policies per interface. This allows you to control how much bandwidth is reserved for connections from trusted to external independently from those between trusted and optional where more bandwidth might be available. All policies that use a given Traffic Management action share its connection rate and bandwidth settings. When they are created, policies automatically belong to the default Traffic Management action, which enforces no restrictions or reservations. If you create a Traffic Management action to set a maximum bandwidth of 10 Mbps and apply it to an FTP and an HTTP policy, all connections handled by those policies must share 10Mbps. If you later apply the same Traffic Management action to a Citrix policy, all three must share 10 Mbps. This logic applies to connection rate limits and guaranteed minimum bandwidth as well. Unused guaranteed bandwidth reserved by one Traffic Management action can be used by others. Defining a Traffic Management action 1 User Guide From Policy Manager, select Setup > Actions > Traffic Management. Click Add. or 453 Using Traffic Management Actions From Policy Manager, double-click the icon of the policy for which you want to guarantee a minimum bandwidth. Click the Advanced tab. Click the New/Clone Traffic Management icon to the far right of Traffic Management. The New Traffic Management Action Configuration dialog box appears. 2 In the Guaranteed Minimum Bandwidth box, click Add. 3 Under Outgoing Interface, select the interface for which you want to set a minimum bandwidth. 4 Under Minimum Bandwidth, set the minimum Kilobytes per second through that interface. Click OK. 5 If you started defining the traffic action from a policy definition, the new traffic action now appears in Traffic Management on the Advanced tab. If you started defining the traffic actions from selecting Setup > Actions > Traffic Management, you must apply the setting to a policy, as explained in the next section, for it to take effect on your network. Applying the Traffic Management action to a policy After you have created Traffic Management actions, you can apply them to the policies you have configured in Policy Manager. To apply a Traffic Management action: 1 From Policy Manager, double-click the icon of the policy for which you want to guarantee a minimum bandwidth. Click the Advanced tab. 2 From the Traffic Management drop-down list, select a Traffic Management action to apply to the policy. 3 Click OK to close the Edit Policy Properties dialog box. Save your changes to the Firebox. You will get a warning message if the sum of all guaranteed bandwidths for an interface approaches or exceeds the bandwidth limit you set for the interface. The new action appears in the Traffic Management Actions dialog box. 454 WatchGuard System Manager Using Traffic Management Actions Setting traffic priority in a policy Many different algorithms can be used to prioritize network traffic. Fireware uses a high performance, class-based queueing method based on the Hierarchical Token Bucket algorithm. Prioritization in Fireware is applied per policy and is equivalent to CoS (class of service) levels 0 to 7 where 0 is normal priority (default) and 7 is the highest priority. Use the table below as a guideline when you assign priorities. Level 5 is commonly used for streaming data such as VoIP or video conferencing. Reserve levels 6 and 7 for policies that allow system administration connections to make sure they are always available and avoid interference from other high priority network traffic. Priority Description 0 Routine (HTTP, FTP) 1 Priority 2 Immediate (DNS) 3 Flash (Telnet, SSH, RDP) 4 Flash Override 5 Critical (VoIP) 6 Internetwork Control (Remote router configuration) 7 Network Control (Firewall, router, switch management) To configure traffic priority for a policy: 1 From the Edit Policy Properties dialog box, click the Advanced tab. 2 Firebox interfaces may be defined to prioritize traffic based on QoS Marking. You must override any per-interface QoS Marking if you want to set traffic priority in a policy. To do this, select the Override per-interface settings check box. 3 From the drop-down list next to Prioritize Traffic Based On, select Custom Value. 4 From the Value drop-down list, select a priority level. Use the table in this section as a guide. Click OK. Using Traffic Management actions in a multi-WAN environment When a Traffic Management action is applied on a multiple WAN policy with the multi-WAN feature set up in round-robin mode, the maximum bandwidth and connection rate settings in the Traffic Management action control the total throughput and connection rate across all interfaces. This includes all external interfaces that are configured to route traffic. User Guide 455 Setting Connection and Bandwidth Limits When a Traffic Management action is applied on a multiple WAN policy with multi-WAN set up in WAN failover mode, the maximum bandwidth and connection rate settings in the Traffic Management action control the throughput and connection rate across the one external interface that is currently sending packets. Setting Connection and Bandwidth Limits You can define an alarm to occur when network capacity is exceeded according to the parameters that you specify. You can configure the alarm to make the Firebox® send an event notification to the SNMP management system, or to send a notification in the form of an email message or a pop-up window on the management station. 1 Start to define the Traffic Management action, as described in steps 1 and 2 of “Defining a Traffic Management action” on page 453. 2 Use the Connection Rate drop-down list to set a maximum number of connections per second that can occur before Traffic Management actions start. The default configuration puts no limits on the connection rate. If you select Custom, you can type the maximum connection rate. When this limit is reached, the Traffic Management action starts. 3 If you want to set an alarm when the connection rate is exceeded, select the Alarm when capacity exceeded check box. Click Notification and set the notification parameters, as described in “Setting logging and notification for blocked sites” on page 180. 4 Use the Maximum Bandwidth drop-down list to set or remove the bandwidth limits for this action. Use No Limit to remove bandwidth restrictions for important traffic, or select a maximum kilobytes per second bandwidth. When the maximum bandwidth limit is reached, the extra traffic will be dropped and a log message will be shown in Traffic Monitor. 5 Click OK. The new action appears in the Traffic Management Actions dialog box. 6 If you started defining the Traffic Management action from a policy definition, the new action now appears in Traffic Management on the Advanced tab. If you started to define the action from selecting Setup > Actions > Traffic Management, you must apply the setting to a policy, as explained in “Applying the Traffic Management action to a policy” on page 454. About QoS Marking Today’s networks often consist of many kinds of network traffic that compete for bandwidth. All traffic, whether of prime importance or negligible importance, has an equal chance of reaching its destination in a timely manner. Quality of Service (QoS) Marking gives critical traffic preferential treatment to make sure it is delivered quickly and reliably. QoS functionality must be able to differentiate the various types of data streams that flow across your network. It must then “mark” data packets. The Fireware feature called QoS Marking creates different classifications of service for different kinds of network traffic. When you mark traffic, you change up to six bits on packet header fields defined for this purpose. The Firebox and other QoS-capable external devices can make use of this marking and provide appropriate handling of a packet as it travels from one point to another in a network. 456 WatchGuard System Manager About QoS Marking Make sure your LAN equipment supports QoS Marking and handling. You might also need to make sure your ISP supports QoS. The use of QoS procedures on a network requires that you do extensive planning. You can first identify theoretical bandwidth available and then determine which network applications are high priority, particularly sensitive to latency and jitter, or both. The networking industry has many different algorithms to prioritize network traffic. Fireware uses a high performance, class-based queueing method based on the Hierarchical Token Bucket algorithm. Prioritization in Fireware is equivalent to CoS levels 0 to 7 where 0 is normal priority (default) and 7 is the highest priority. Per-interface and per-policy QoS Marking You can use QoS Marking on a per-interface or per-policy basis. When you define QoS Marking for an interface, packets leaving that interface are marked. QoS Marking for a policy marks traffic that uses the policy. The QoS Marking for a policy overrides any QoS Marking set on an interface. For example, suppose your Firebox receives QoS-marked traffic from the external network and sends it to the trusted network. However, you want only the traffic to your executive team from external to trusted to be differentiated by QoS Marking. You set the QoS Marking for the trusted interface to Clear. Then, you add a policy with QoS Marking set for the traffic to your executive team. Marking types and values Fireware supports two types of QoS Marking: IP Precedence marking (also known as Class of Service) and Differentiated Service Code Point (DSCP) marking. IP Precedence marking affects only the first three bits in the IP type of service (TOS) octet. DSCP marking expands marking to the first six bits in the IP TOS octet. Both methods allow you to either preserve the bits in the header, which may have been marked previously by an external device, or change them to a new value. DSCP values can be expressed in numeric form or by special keyword names that correspond to perhop behavior (PHB). Per-hop behavior is the priority applied to a packet when traveling from one point to another in a network. Fireware DSCP marking supports three types of per-hop behavior: • Best-Effort Best-Effort is the default type of service and is recommended for traffic that is not critical or realtime. All traffic falls into this class if you do not use QoS Marking. • Assured Forwarding (AF) Assured Forwarding is recommended for traffic that needs better reliability than the best-effort service. • Expedited Forwarding (EF) This type has the highest priority. It is generally reserved for mission-critical and real-time traffic. Within the Assured Forwarding (AF) type of per-hop behavior, traffic can be assigned to three classes: Low, Medium, and High. Class-Selector (CSx) code points are defined to be backward compatible with IP Precedence values. CS1 through CS7 are identical to IP Precedence values 1 through 7. The following table shows the DSCP values you can select, the corresponding IP Precedence value (which is the same as the CS value), and the description in PHB keywords. User Guide 457 About QoS Marking DSCP Value Equivalent IP Precedence value (CS values) 0 8 Description: Per-hop Behavior keyword Best-Effort (same as no marking) 1 Scavenger* 10 AF Class 1 - Low 12 AF Class 1- Medium 14 AF Class 1- High 16 2 18 AF Class 2 - Low 20 AF Class 2- Medium 22 AF Class 2- High 24 3 26 AF Class 3 - Low 28 AF Class 3- Medium 30 AF Class 3- High 32 4 34 AF Class 4 - Low 36 AF Class 4- Medium 38 40 AF Class 4- High 5 46 EF 48 6 Internet Control 56 7 Network Control * Scavenger class is intended for the lowest priority traffic such as media sharing or gaming applications. This traffic has a lower priority than Best-Effort. For more information on DSCP values, see the following RFC: http://www.rfc-editor.org/rfc/rfc2474.txt Enabling QoS Marking for an interface Use this procedure to set the default marking behavior as traffic goes out of an interface. These settings can be overridden by settings defined for a policy. 1 From Policy Manager, select Setup > Global Settings. The Global Settings dialog box appears. 2 At the bottom of the dialog box, clear the Disable all traffic management and QoS features check box. Click OK. You might want to disable these features at a later time if you do performance testing or network debugging. 3 From Policy Manager, select Network > Configuration. The Network Configuration dialog box appears. 4 Select the interface for which you want to enable QoS Marking and click Configure. The Interface Settings dialog box appears. 458 WatchGuard System Manager About QoS Marking 5 Click the Advanced tab. 6 From the Marking Type drop-down list, select either DSCP or IP Precedence. 7 Set the marking method: Preserve: Do not change the bit’s current value. The Firebox prioritizes the traffic based on this value. Assign: Assign the bit a new value. Clear: Clear the bit (set it to zero). 8 If you selected Assign in the previous step, select a marking value. If you chose the IP precedence marking type you can select values from 0 (normal priority) through 7 (highest priority). If you selected the DSCP marking type, the values are 0 - 56. For more information these values, see “Marking types and values” on page 457. 9 Select the Prioritize traffic based on QoS Marking check box. 10 Click OK. Enabling QoS Marking for a policy In addition to marking the traffic that leaves a Firebox interface, you can also mark traffic on a per-policy basis. The marking action you select is applied to all traffic that uses the policy. Multiple policies that use the same marking actions have no effect on each other. 1 From Policy Manager, select Setup > Global Settings. The Global Settings dialog box appears. 2 At the bottom of the dialog box, clear the Disable all traffic management and QoS features check box. Click OK. 3 From Policy Manager, double-click the icon for the policy whose traffic you want to mark. The Edit Policy Properties dialog box appears. 4 User Guide Click the Advanced tab. Click the QoS tab halfway down the dialog box. 459 About QoS Marking 5 Firebox interfaces may have their own QoS Marking settings. To enable QoS Marking for a policy, you must override any per-interface QoS Marking. To do this, select the Override per-interface settings check box. 6 Configure QoS Marking as described in steps 6 - 8 of the previous procedure. We recommend that you assign a priority higher than 5 only to WatchGuard administrative policies, such as the WatchGuard® policy, the WG-Logging policy, or the WG-Mgmt-Server policy. Give high priority business traffic a priority of 5 or lower. QoS Marking and IPSec traffic If you want to apply QoS to IPsec traffic, you must create a specific firewall policy for the corresponding IPsec policy and apply QoS Marking to that policy. Consider also the setting of the Enable TOS for IPSec check box in the VPN Settings dialog box. If you select this check box, any existing marking is preserved when the packet is encapsulated in an IPSec header. If the check box is cleared, the TOS bits are reset and no marking is preserved. 460 WatchGuard System Manager 30 High Availability To use the features described in this chapter, you must have Fireware® Pro installed on your Firebox. High Availability (HA) refers to the ability of a network to operate when hardware or software fails. When you add redundancy to your network, you remove one point of vulnerability. This chapter includes two methods to configure High Availability. Use the first method if the Firebox devices to configure for High Availability are Firebox X Core or Peak e-Series devices. If the two Firebox devices are Firebox X Core or Peak devices and not e-Series appliances, you can use either the first or second method. About WatchGuard High Availability The WatchGuard® High Availability feature enables the installation of two Firebox® devices in a failover configuration. The configuration includes one Firebox we identify as the primary device and the other we identify as the secondary device. One of these devices is always in active mode and the other in standby mode. These two Fireboxes are known as peers. They constantly send messages to each other to communicate their status. HA failover occurs when the internal heartbeat is lost or when an HA-monitored physical interface is down. When a failover event occurs, the standby system becomes active. After a Firebox becomes active, it stays active until it goes offline and the standby Firebox starts as the active unit. When High Availability is enabled, WSM continues to support: • Secondary networks on external, trusted, or optional interfaces • Multi-WAN connections, with the limitation that a multi-WAN failover caused by a failed connection to a link monitor host does not trigger HA failover. HA failover occurs only when the physical interface is down or does not respond. HA failover takes precedence over multi-WAN failover. • VLANs When High Availability is enabled, the following connections are disconnected when a failover event occurs: User Guide 461 High Availability Requirements • RUVPN with PPTP • MUVPN with IPsec • Proxy connections Users must manually reestablish these connections after a failover. When a High Availability Firebox becomes active, its non-HA interfaces get a new MAC address with the format 00:00:5E:00:01:xy. The non-HA interfaces of the standby Firebox keep their original MAC addresses, which start with 00:90:7F. High Availability Requirements Here are the requirements for the High Availability feature: • One Firebox® in each HA pair is the primary Firebox. We recommend that you use the Firebox with the most licensed features and capacities as the primary HA device. • The two Fireboxes in an HA configuration must be the same model and must use the same software version. If the software versions are different, you must upgrade the Firebox with the old version to match the other Firebox. The Firebox with the old software must have a license for the upgraded software. • Each active interface on the primary HA Firebox must connect to the same hub or switch as its matching active interface on the secondary HA Firebox. High availability requires an interface or interfaces dedicated specifically for HA synchronization. Selecting a Primary High Availability Firebox When you activate High Availability, each Firebox® in the pair must have a Fireware® feature key that enables the same version of the Fireware appliance software. We recommend that you select the Firebox with the most features as the primary Firebox. If you purchase an upgrade for your High Availability pair, you must apply the upgrade to the serial number of the primary Firebox when you activate the upgrade on the LiveSecurity® web site. Both Fireboxes in the High Availability pair will use the licensed features of the primary Firebox. 462 WatchGuard System Manager Configuring High Availability Configuring High Availability 1 From Policy Manager, select Network > High Availability. The High Availability dialog box appears. 2 Select the Enable High Availability check box. 3 The HA1 check box is automatically selected when you enable High Availability. If you want to change the interface you use for HA1, select an interface number from the Interface drop-down list. 4 In the Primary Box IP text box, you can change the default IP address. This IP address should be from a reserved or unassigned network. This becomes the permanent IP address for that interface. 5 In the Secondary Box IP text box, type an IP address from the same subnet as the interface with High Availability enabled on the active Firebox®. 6 Select the HA2 check box to enable the HA2 interface. The HA2 interface is optional. 7 In the Monitor Interfaces box, you can select the interfaces you want to monitor for physical link status. The Firebox monitors the selected interfaces and, if the interface is not active, starts an HA failover. Select the check box adjacent to the interface name to enable monitoring. Clear the check box adjacent to the interface name to turn off monitoring of an interface. It is a good idea to monitor all enabled interfaces. 8 If you want to configure notification settings for HA failover and failback events, select Notification. For information on this dialog box, see “Setting Logging and Notification Preferences in Policy Manager” on page 96. 9 Use the Group ID value control to identify this HA group on the network. If you use more than one HA pair on the same network, this number must be different for each pair. User Guide 463 Manually Controlling High Availability 10 Click the Yes radio button to encrypt all HA traffic between the Fireboxes. This is usually not necessary, and uses more resources. or Click the No radio button to not encrypt HA traffic between the Fireboxes. 11 If you selected Yes to encrypt HA traffic, in the Shared Secret field, type a shared secret to encrypt HA traffic between the Fireboxes. Type the shared secret again in the Confirm field. 12 Save this configuration to the active Firebox. 13 Close Policy Manager. 14 Use a crossover cable to connect the HA1 interface on one Firebox to the HA1 interface on the other Firebox. If HA2 is enabled, connect both HA2 interfaces as well. 15 Put the secondary unit in safe mode. To do this: If your device is a Firebox X Core or Peak e-Series device, turn the Firebox off, and then turn it back on while you press and hold the down arrow button on the Firebox front panel. If your device is a Firebox X Core or Peak (not an e-Series device), turn the Firebox off, and then turn it back on while you press and hold the up arrow button on the Firebox front panel. Up arrow button Down arrow button 16 Start Firebox System Manager and connect to the primary Firebox. 17 Select Tools > High Availability > Synchronize Configuration. When prompted, type the configuration passphrase. You see a message that says High Availability is enabled. Manually Controlling High Availability Although High Availability operations usually occur automatically, you can do some of the functions manually if you want to or if you are troubleshooting a technical problem. These options are available in Firebox System Manager. Enabling the current Firebox as a standby peer To manually make the current Firebox® the standby peer in a High Availability configuration: From Firebox System Manager, select Tools > High Availability > Enable as Secondary Synchronizing the configuration You must synchronize the configuration when one Firebox configuration changes while the other is disconnected from the HA peer or turned off. From Firebox System Manager, select Tools > High Availability > Synchronize Configuration Forcing a failover You can cause a failover to occur on the current Firebox. The peer becomes active immediately and the current Firebox becomes standby. From Firebox System Manager, select Tools > High Availability > Force Failover 464 WatchGuard System Manager Upgrading Software in an HA Configuration Forcing a failover and transferring management to peer The Force Admin option is similar to Force Failover except that it transfers the management of High Availability from the current Firebox to the peer. The current Firebox is put into a state where it cannot become active. If the peer is available, the peer becomes active. The current Firebox cannot become active again unless you restart it (or the active Firebox issues the Restart Peer command) and then a failover occurs or you force a failover back to the original Firebox. From Firebox System Manager, select Tools > High Availability > Force Admin Restarting the peer When you connect to an HA configuration, you communicate only to the active Firebox. To restart the peer Firebox, you must send the command from the active Firebox: From Firebox System Manager, select Tools > High Availability > Restart Peer. When the Firebox is in a high CPU or traffic condition and you use Firebox System Manager to control HA operations, you can get an incorrect “timeout” message. In this case, the operation may have completed, and it is possible the timeout message is not correct. Backing up an HA configuration When a Firebox is in a High Availability pair, you can back up the flash image of the Firebox only when it is the active Firebox. To create a backup image (.fxi) of the active Firebox: 1 From Policy Manager, select File > Backup. 2 Type the configuration passphrase. Click OK. 3 Type and confirm an encryption key. This key is used to encrypt the backup file. Type a strong encryption key that is easy to remember. 4 Browse or type the location for the backup file. Click OK. The backup file is created. 5 Click OK when the backup is complete. Upgrading Software in an HA Configuration If you install the software on the active Firebox®, the standby Firebox in the HA configuration does not automatically upgrade. You must upgrade each Firebox. Upgrade the active Firebox first. The Firebox restarts when the upgrade is complete. When this occurs, the standby Firebox becomes the active Firebox. You can then upgrade that Firebox. You cannot upgrade the software on a Firebox that is in standby mode. Using HA with Proxy Sessions When High Availability is activated and a failover event occurs, all outgoing TCP sessions are disconnected. Users must manually reestablish all interactive or persistent sessions. This is because proxy session state is not retained between HA peers. Consider adding specific packet filter policies to your configuration for telnet, ssh, or any other policy for which you want failover. Note that IPS does not operate with these new policies. If you use proxy policies with signature-based Gateway AV/IPS and a failover event occurs, the standby Firebox becomes the active Firebox and checks automatically for signature updates. User Guide 465 Using HA with Proxy Sessions 466 WatchGuard System Manager Appendix A Copyright and Licensing WatchGuard Firebox Software End-User License Agreement IMPORTANT - READ CAREFULLY BEFORE ACCESSING WATCHGUARD SOFTWARE: This Firebox Software End-User License Agreement ("AGREEMENT") is a legal agreement between you (either an individual or a single entity) and WatchGuard Technologies, Inc. ("WATCHGUARD") for the WATCHGUARD Firebox software product, which includes computer software components (whether installed separately on a computer workstation or on the WATCHGUARD hardware product or included on the WATCHGUARD hardware product) and may include associated media, printed materials, and on-line or electronic documentation, and any updates or modifications thereto, including those received through the WatchGuard LiveSecurity Service (or its equivalent), (the "SOFTWARE PRODUCT"). WATCHGUARD is willing to license the SOFTWARE PRODUCT to you only on the condition that you accept all of the terms contained in this Agreement. Please read this Agreement carefully. By installing or using the SOFTWARE PRODUCT you agree to be bound by the terms of this Agreement. If you do not agree to the terms of this AGREEMENT, WATCHGUARD will not license the SOFTWARE PRODUCT to you, and you will not have any rights in the SOFTWARE PRODUCT. In that case, (1) if the SOFTWARE PRODUCT was bundled with a hardware product, promptly return the SOFTWARE PRODUCT and hardware product, along with proof of payment, to the authorized dealer from whom you obtained the SOFTWARE PRODUCT and hardware product for a full refund of the price you paid or (2) if the SOFTWARE PRODUCT was sold separately, promptly return any license key for the SOFTWARE PRODUCT, along with proof of payment, to (i) the authorized dealer from whom you obtained the SOFTWARE PRODUCT or (ii) if purchased directly from WATCHGUARD, to WATCHGUARD for a full refund of the price you paid. The WATCHGUARD hardware product is subject to a separate agreement and limited hardware warranty included with the WATCHGUARD hardware product packaging and/or in the associated user documentation. 1. Ownership and License. The SOFTWARE PRODUCT is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. This is a license agreement and NOT an agreement for sale. All title and copyrights in and to the SOFTWARE PRODUCT (including but not limited to any images, photographs, animations, video, audio, music, text, and applets incorporated into the SOFTWARE PRODUCT), the accompanying printed materials, and any copies of the SOFTWARE PRODUCT are owned by WATCHGUARD or its licensors. Your rights to use the SOFTWARE PRODUCT are as specified in this AGREEMENT, and WATCHGUARD retains all rights not expressly granted to you in this AGREEMENT. Nothing in this AGREEMENT constitutes a waiver of our rights under U.S. copyright law or any other law or treaty. 2. Permitted Uses. You are granted the following rights to the SOFTWARE PRODUCT: (A) You may install and use the SOFTWARE PRODUCT on any single WATCHGUARD hardware product at any single location and may install and use the SOFTWARE PRODUCT on multiple workstation computers. (B) To use the SOFTWARE PRODUCT on more than one WATCHGUARD hardware product at once, you must purchase an additional copy of the SOFTWARE PRODUCT for each additional WATCHGUARD hardware product on which you want to use it. To the extent that you install copies of the SOFTWARE PRODUCT on additional WATCHGUARD hardware products in accordance with the prior sentence without installing the additional copies of the SOFTWARE PRODUCT included with such WATCHGUARD hardware products, you agree that use of any software provided with or included on the additional WATCHGUARD hardware products that does not require installation will be subject to the terms and conditions of this AGREEMENT. You must also maintain a current subscription to the WatchGuard LiveSecurity Service (or its equivalent) for each additional WATCHGUARD User Guide 467 WatchGuard Firebox Software End-User License Agreement hardware product on which you will use a copy of an updated or modified version of the SOFTWARE PRODUCT received through the WatchGuard LiveSecurity Service (or its equivalent). (C) In addition to the copies described in Section 2(A), you may make a single copy of the SOFTWARE PRODUCT for backup or archival purposes only. 3. Prohibited Uses. You may not, without express written permission from WATCHGUARD: (A) Use, copy, modify, merge or transfer copies of the SOFTWARE PRODUCT or printed materials except as provided in this AGREEMENT; (B) Use any backup or archival copy of the SOFTWARE PRODUCT (or allow someone else to use such a copy) for any purpose other than to replace the original copy in the event it is destroyed or becomes defective; (C) Sublicense, lend, lease or rent the SOFTWARE PRODUCT; (D) Transfer this license to another party unless (i) the transfer is permanent, (ii) the third party recipient agrees to the terms of this AGREEMENT, and (iii) you do not retain any copies of the SOFTWARE PRODUCT; or (E) Reverse engineer, disassemble or decompile the SOFTWARE PRODUCT. 4. Limited Warranty. WATCHGUARD makes the following limited warranties for a period of ninety (90) days from the date you obtained the SOFTWARE PRODUCT from WATCHGUARD or an authorized dealer: (A) Media. The disks and documentation will be free from defects in materials and workmanship under normal use. If the disks or documentation fail to conform to this warranty, you may, as your sole and exclusive remedy, obtain a replacement free of charge if you return the defective disk or documentation to WATCHGUARD with a dated proof of purchase. (B) SOFTWARE PRODUCT. The SOFTWARE PRODUCT will materially conform to the documentation that accompanies it. If the SOFTWARE PRODUCT fails to operate in accordance with this warranty, you may, as your sole and exclusive remedy, return all of the SOFTWARE PRODUCT and the documentation to the authorized dealer from whom you obtained it, along with a dated proof of purchase, specifying the problems, and they will provide you with a new version of the SOFTWARE PRODUCT or a full refund, at their election. Disclaimer and Release. THE WARRANTIES, OBLIGATIONS AND LIABILITIES OF WATCHGUARD, AND YOUR REMEDIES, SET FORTH IN PARAGRAPHS 4, 4(A) AND 4(B) ABOVE ARE EXCLUSIVE AND IN SUBSTITUTION FOR, AND YOU HEREBY WAIVE, DISCLAIM AND RELEASE ANY AND ALL OTHER WARRANTIES, OBLIGATIONS AND LIABILITIES OF WATCHGUARD AND ITS LICENSORS AND ALL OTHER RIGHTS, CLAIMS AND REMEDIES YOU MAY HAVE AGAINST WATCHGUARD AND ITS LICENSORS, EXPRESS OR IMPLIED, ARISING BY LAW OR OTHERWISE, WITH RESPECT TO ANY NONCONFORMANCE OR DEFECT IN THE SOFTWARE PRODUCT (INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ANY IMPLIED WARRANTY ARISING FROM COURSE OF PERFORMANCE, COURSE OF DEALING, OR USAGE OF TRADE, ANY WARRANTY OF NONINFRINGEMENT, ANY WARRANTY THAT THE SOFTWARE PRODUCT WILL MEET YOUR REQUIREMENTS, ANY WARRANTY OF UNINTERRUPTED OR ERROR-FREE OPERATION, ANY OBLIGATION, LIABILITY, RIGHT, CLAIM OR REMEDY IN TORT, WHETHER OR NOT ARISING FROM THE NEGLIGENCE (WHETHER ACTIVE, PASSIVE OR IMPUTED) OR FAULT OF WATCHGUARD AND ITS LICENSORS AND ANY OBLIGATION, LIABILITY, RIGHT, CLAIM OR REMEDY FOR LOSS OR DAMAGE TO, OR CAUSED BY OR CONTRIBUTED TO BY, THE SOFTWARE PRODUCT). Limitation of Liability. WATCHGUARD'S LIABILITY (WHETHER IN CONTRACT, TORT, OR OTHERWISE; AND NOTWITHSTANDING ANY FAULT, NEGLIGENCE, STRICT LIABILITY OR PRODUCT LIABILITY) WITH REGARD TO THE SOFTWARE PRODUCT WILL IN NO EVENT EXCEED THE PURCHASE PRICE PAID BY YOU FOR SUCH PRODUCT. THIS SHALL BE TRUE EVEN IN THE EVENT OF THE FAILURE OF AN AGREED REMEDY. IN NO EVENT WILL WATCHGUARD BE LIABLE TO YOU OR ANY THIRD PARTY, WHETHER ARISING IN CONTRACT (INCLUDING WARRANTY), TORT (INCLUDING ACTIVE, PASSIVE OR IMPUTED NEGLIGENCE AND STRICT LIABILITY AND FAULT), FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, OR LOSS OF BUSINESS INFORMATION) ARISING OUT OF OR IN CONNECTION WITH THIS WARRANTY OR THE USE OF OR INABILITY TO USE THE SOFTWARE PRODUCT, EVEN IF WATCHGUARD HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS SHALL BE TRUE EVEN IN THE EVENT OF THE FAILURE OF AN AGREED REMEDY. 5.United States Government Restricted Rights. The SOFTWARE PRODUCT is provided with Restricted Rights. Use, duplication or disclosure by the U.S. Government or any agency or instrumentality thereof is subject to restrictions as set forth in subdivision (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013, or in subdivision (c)(1) and (2) of the Commercial Computer Software -- Restricted Rights Clause at 48 C.F.R. 52.227-19, as applicable. Manufacturer is WatchGuard Technologies, Inc., 505 5th Ave. South, Suite 500, Seattle, WA 98104. 6.Export Controls. You agree not to directly or indirectly transfer the SOFTWARE PRODUCT or documentation to any country to which such transfer would be prohibited by the U.S. Export Administration Act and the regulations issued thereunder. 7.Termination. This license and your right to use the SOFTWARE PRODUCT will automatically terminate if you fail to comply with any provisions of this AGREEMENT, destroy all copies of the SOFTWARE PRODUCT in your possession, or voluntarily return the SOFTWARE PRODUCT to WATCHGUARD. Upon termination you will destroy all copies of the SOFTWARE PRODUCT and documentation remaining in your control or possession. 8.Miscellaneous Provisions. This AGREEMENT will be governed by and construed in accordance with the substantive laws of Washington excluding the 1980 United National Convention on Contracts for the International Sale of Goods, as amended. This is the entire AGREEMENT between us relating to the SOFTWARE PRODUCT, and supersedes any prior purchase order, 468 WatchGuard System Manager WatchGuard Technologies, Inc. Add-on Product/Service Customer Agreement/End-User License Agreement communications, advertising or representations concerning the SOFTWARE PRODUCT AND BY USING THE SOFTWARE PRODUCT YOU AGREE TO THESE TERMS. IF THE SOFTWARE PRODUCT IS BEING USED BY AN ENTITY, THE INDIVIDUAL INDICATING AGREEMENT TO THESE TERMS REPRESENTS AND WARRANTS THAT (A) SUCH INDIVIDUAL IS DULY AUTHORIZED TO ACCEPT THIS AGREEMENT ON BEHALF OF THE ENTITY AND TO BIND THE ENTITY TO THE TERMS OF THIS AGREEMENT; (B) THE ENTITY HAS THE FULL POWER, CORPORATE OR OTHERWISE, TO ENTER INTO THIS AGREEMENT AND PERFORM ITS OBLIGATIONS UNDER THIS AGREEMENT AND; (C) THIS AGREEMENT AND THE PERFORMANCE OF THE ENTITY'S OBLIGATIONS UNDER THIS AGREEMENT DO NOT VIOLATE ANY THIRD-PARTY AGREEMENT TO WHICH THE ENTITY IS A PARTY. No change or modification of this AGREEMENT will be valid unless it is in writing and is signed by WATCHGUARD. Version: 050309 WatchGuard Technologies, Inc. Add-on Product/Service Customer Agreement/End-User License Agreement IMPORTANT: READ CAREFULLY. THIS ADD-ON PRODUCT/SERVICE CUSTOMER AGREEMENT/END-USER LICENSE AGREEMENT (THE "AGREEMENT") IS A LEGAL AGREEMENT BETWEEN YOU THE CUSTOMER ("CUSTOMER"), AND WATCHGUARD TECHNOLOGIES, INC. ("WATCHGUARD"). TO ACTIVATE THE WATCHGUARD ADD-ON PRODUCT/SERVICE DESCRIBED BELOW (THE "ADD-ON PRODUCT/SERVICE"), OR RENEW/UPGRADE YOUR ADD-ON PRODUCT/SERVICE, YOU MUST FIRST READ THIS AGREEMENT AND AGREE TO ACCEPT ITS TERMS BY INDICATING YOUR ACCEPTANCE AS PROMPTED BY THE TEXT ASSOCIATED WITH THE PRESENTATION OF THIS AGREEMENT. IF YOU DO NOT ACCEPT THE TERMS OF THIS AGREEMENT, YOUR ACTIVATION/ RENEWAL/UPGRADE REQUEST WILL NOT BE ACCEPTED AND YOU WILL NOT HAVE ACCESS TO THE ADD-ON PRODUCT/SERVICE OR YOUR RENEWAL/UPGRADE REQUEST WILL NOT BE ACCEPTED. IF YOU WISH TO DECLINE ACCEPTANCE, YOU MAY INDICATE THAT YOU DECLINE AS PROMPTED BY THE TEXT ASSOCIATED WITH THE PRESENTATION OF THIS AGREEMENT. IF YOU DO NOT ACCEPT THIS AGREEMENT, YOUR PURCHASE WILL NOT BE COMPLETED OR YOU MAY PROMPTLY RETURN THE LICENSE KEY FOR THE ADD-ON PRODUCT/SERVICE (DEFINED BELOW), ALONG WITH PROOF OF PAYMENT, TO THE AUTHORIZED DEALER or, if purchased directly from WATCHGUARD, to WATCHGUARD, FOR A FULL REFUND OF THE PRICE YOU PAID. WatchGuard and Customer hereby agree as follows: 1 Definitions. As used herein, the following capitalized terms shall have the following meanings: "Add-on Product/Service" means the software license and renewable subscription service made generally available by WatchGuard to its customers purchasing the equivalent product/service (including level of service, if applicable) as indicated on the License Key, which may include the provision of/ access to Software, Threat Signatures, information or other items/services, and which is subject to change by WatchGuard from time to time. "Software" means any WatchGuard software, which includes computer software components (whether installed separately on a computer workstation or on a WatchGuard hardware product or included/pre-installed with a WatchGuard hardware product) and may include associated media, printed materials, and on-line or electronic documentation, and any updates or modifications thereto, including those received through the WatchGuard LiveSecurity Service (or its equivalent) or the Add-on Product/Service. “License Key” means the license key or other written or online documentation provided to Customer evidencing Customer's purchase or renewal/upgrade (as applicable) of the Add-on Product/Service. “Threat Signatures” means information used to scan for and identify known cyber-threats that fall into specific classes (e.g., virus signatures or intrusion prevention signatures). 2 Add-on Product/Service. WatchGuard will make the Add-on Product/Service available to Customer during the Term. Customer agrees that (i) an Add-on Product/Service (and all benefits associated with the Add-on Product/Service) may only be used in conjunction with that number of WatchGuard products as expressly provided for in the License Key and that additional Add-on Product/Service licenses/subscriptions must be purchased for additional WatchGuard products that are to receive any benefits of the Add-on Product/Service and (ii) a renewal/upgrade to an Add-on Product/Service (and all benefits associated with the Add-on Product/Service renewal/upgrade) may only be used in conjunction with that number of WatchGuard products as expressly provided for in the renewal/upgrade License Key and that additional renewals/upgrades must be purchased for additional WatchGuard products that are to receive any benefits of the renewal/upgrade. 3 Add-on Product/Service Fees. Customer will pay to WatchGuard the applicable Add-on Product/Service fee and any and all applicable Add-on Product/Service renewal/upgrade fees for Add-on Product/Service renewals/upgrades purchased, each as established by WatchGuard from time to time. The Add-on Product/Service and Add-on Product/Service renewal/upgrade fees are non-refundable to Customer, even in the event of the termination of this Agreement pursuant to Section 6 prior to the expiration of the initial Term, or any renewal of the Term. 4 Term. The term of this Agreement ("Term") shall commence upon acceptance of this Agreement and activation of the Add-on Product/Service or Add-on Product/Service renewal/upgrade by Customer, and shall end upon expiration of the term specified in the applicable License Key, unless renewed in accordance with Section 5 or sooner terminated in accordance with Section 6. The term of the WatchGuard Firebox Software End-User License Agreement applicable to all Software associated with the Add-on Product/Service as described below shall be as stated in such end-user license agreement. User Guide 469 WatchGuard Technologies, Inc. Add-on Product/Service Customer Agreement/End-User License Agreement 5 Renewal. WatchGuard may establish different renewal options from time to time that will be effective as a renewal pursuant to this Section 5 once payment is made in accordance with such option. Notwithstanding the foregoing, renewals may not be available to Customers with WatchGuard products that have been discontinued or that WatchGuard no longer supports for purposes of the Add-on Product/Service. 6 Termination. Either party may terminate this Agreement if the other party is in material breach and fails to cure such breach within fifteen (15) days of receipt of written notice of such breach, except that WatchGuard may terminate this Agreement immediately upon Customer's failure to pay any applicable fees when due. 7 Software License. Customer expressly agrees that use of all Software associated with the Add-on Product/Service shall be governed solely by the terms and conditions of the WatchGuard Firebox Software End-User License Agreement as a “SOFTWARE PRODUCT”or, if applicable, the WatchGuard software end-user license agreement associated with such Software, and such terms and conditions are incorporated herein by reference. 8 Disclaimer and Release. Warranty Disclaimer. WatchGuard warrants that the Add-on Product/Service will be provided to Customer in accordance with all the requirements of this Agreement. WATCHGUARD MAKES NO OTHER GUARANTEES OR WARRANTIES OF ANY KIND, INCLUDING, BUT NOT LIMITED TO, ANY EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE OR PURPOSE, WITH RESPECT TO THE ADD-ON PRODUCT/SERVICE OR THE ACCURACY, RELIABILITY, OR COMPLETENESS OF ANY THREAT SIGNATURES, INFORMATION OR OTHER ITEM/SERVICE (OR UPDATES THERETO) PROVIDED OR MADE AVAILABLE AS PART OF OR IN CONNECTION WITH THE ADD-ON PRODUCT/SERVICE. WATCHGUARD SHALL NOT BE LIABLE FOR ANY DAMAGES INCURRED AS A RESULT OF ANY USE OF OR RELIANCE UPON THE ADD-ON PRODUCT/ SERVICE OR ANY THREAT SIGNATURES, INFORMATION OR OTHER ITEM/SERVICE PROVIDED OR MADE AVAILABLE AS PART OF OR IN CONNECTION WITH THE ADD-ON PRODUCT/SERVICE. THE WARRANTY CONTAINED IN THE FIRST SENTENCE OF THIS PARAGRAPH 8 IS EXCLUSIVE AND IN SUBSTITUTION FOR, AND YOU HEREBY WAIVE, DISCLAIM AND RELEASE ANY AND ALL OTHER WARRANTIES, OBLIGATIONS AND LIABILITIES OF WATCHGUARD AND ALL OTHER RIGHTS, CLAIMS AND REMEDIES YOU MAY HAVE AGAINST WATCHGUARD, EXPRESS OR IMPLIED, ARISING BY LAW OR OTHERWISE, WITH RESPECT TO THE ADD-ON PRODUCT/SERVICE OR THE ACCURACY, RELIABILITY, OR COMPLETENESS OF ANY THREAT SIGNATURES, INFORMATION OR OTHER ITEM/SERVICE (OR UPDATES THERETO) PROVIDED OR MADE AVAILABLE AS PART OF OR IN CONNECTION WITH THE ADDON PRODUCT/SERVICE (INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ANY IMPLIED WARRANTY ARISING FROM COURSE OF PERFORMANCE, COURSE OF DEALING, OR USAGE OF TRADE, ANY OBLIGATION, LIABILITY, RIGHT, CLAIM OR REMEDY IN TORT, WHETHER OR NOT ARISING FROM THE NEGLIGENCE (WHETHER ACTIVE, PASSIVE OR IMPUTED) OR FAULT OF WATCHGUARD AND ANY OBLIGATION, LIABILITY, RIGHT, CLAIM OR REMEDY FOR LOSS OR DAMAGE CAUSED BY OR CONTRIBUTED TO BY, THE ADD-ON PRODUCT/SERVICE). Some jurisdictions do not allow the exclusion of implied warranties, so the above exclusions may not apply to Customer. This limited warranty gives Customer specific legal rights, and Customer may also have other legal rights, which vary from jurisdiction to jurisdiction. 9 Limitation of Liability. WATCHGUARD'S LIABILITY TO CUSTOMER (WHETHER ARISING IN TORT, CONTRACT OR OTHERWISE; AND NOTWITHSTANDING ANY FAULT, NEGLIGENCE, STRICT LIABILITY OR PRODUCT LIABILITY) UNDER THIS AGREEMENT OR WITH RESPECT TO THE ADD-ON PRODUCT/SERVICE WILL IN NO EVENT EXCEED THE PURCHASE PRICE PAID BY SUBCRIBER FOR THE ADD-ON PRODUCT/SERVICE. THIS SHALL BE TRUE EVEN IN THE EVENT OF THE FAILURE OF AN AGREED REMEDY. IN NO EVENT SHALL WATCHGUARD OR ITS SUPPLIERS BE LIABLE TO CUSTOMER OR ANY THIRD PARTY, WHETHER ARISING IN CONTRACT (INCLUDING WARRANTY), TORT (INCLUDING ACTIVE, PASSIVE OR IMPUTED NEGLIGENCE AND STRICT LIABILITY AND FAULT), FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, OR LOSS OF BUSINESS INFORMATION) ARISING OUT OF OR IN CONNECTION WITH THE PERFORMANCE OR FAILURE TO PERFORM THE ADD-ON PRODUCT/SERVICE, EVEN IF WATCHGUARD OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS SHALL BE TRUE EVEN IN THE EVENT OF THE FAILURE OF AN AGREED REMEDY. Some jurisdictions do not allow these limitations or exclusions, so they may not apply to Customer. 10 Reservation of Rights. WatchGuard and its licensors hereby reserve ownership of and all rights in the Threat Signatures, information and other items/services provided or made available as part of or in connection with the Add-on Product/Service and all copyrights, trademarks and other proprietary rights associated with such Threat Signatures, information and other items/services. Except as provided for in this Agreement or as expressly authorized by WatchGuard in writing (including by publishing the terms and conditions of use by WatchGuard of any Threat Signatures subject to “open source” licensing), you may not reproduce, republish, post, transmit or distribute the Threat Signatures, information or other items/services provided as part of the Add-on Product/Service. 11 Entire Agreement. This Agreement, together with the WatchGuard License Key, the WatchGuard Firebox Software End-User License Agreement, any software end-user license agreements accompanying the Software licensed to Customer, and any agreement between Customer and WatchGuard explicitly stating that the terms of such agreement control over the terms of any of the agreements listed in this sentence in the case of any conflict or inconsistency, constitutes the entire Agreement between WatchGuard and Customer and supersedes any and all prior or contemporaneous statements, representations and agreements, written or oral, with regard to the Add-on Product/Service. If the Customer has purchased the right to utilize the Add-on Product/Service on additional WatchGuard products, this Agreement will therefore supersede all prior customer agreements/end-user license agreements applicable to the same Add-on Product/Service and the terms of this Agreement shall govern all uses of this Add-on Product/Service by Customer. This Agreement may be amended or modified only by a written instrument executed by both parties or by Customer accepting a subsequent customer agreement for this Add-on Product/ Service provided by WatchGuard. 470 WatchGuard System Manager Copyright and Trademarks THIS AGREEMENT SHALL BE GOVERNED BY AND CONSTRUED UNDER THE LAWS OF THE STATE OF WASHINGTON, WITHOUT REFERENCE TO ITS CONFLICT OF LAW PRINCIPLES. The parties consent to the personal and exclusive jurisdiction of courts located in Washington, King County. Customer may not assign this Agreement (by operation of law or otherwise) without the prior written consent of WatchGuard. This Agreement will be binding upon and will inure to the benefit of the parties' permitted successors and/or assignees. Waiver by either party of a breach or any provision of this Agreement or the failure by either party to exercise any right hereunder shall not operate or be construed as a waiver of any subsequent breach of that right or as a waiver of any other right. Neither party shall be considered to be in breach of this Agreement on account of any delay or failure to perform any obligation hereunder (other than a delay or failure in the payment of money) as a result of any cause or condition beyond such party's reasonable control. IF YOU AGREE TO THE TERMS OF THIS AGREEMENT, INDICATE YOUR ACCEPTANCE AS PROMPTED BY THE TEXT ASSOCIATED WITH THE PRESENTATION OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT, INDICATE THAT YOU DECLINE AS PROMPTED BY THE TEXT ASSOCIATED WITH THE PRESENTATION OF THIS AGREEMENT. BY ACCEPTING THIS AGREEMENT, YOU REPRESENT AND WARRANT THAT: (A) THE INDIVIDUAL INDICATING THEIR ACCEPTANCE TO THIS AGREEMENT IS DULY AUTHORIZED TO ACCEPT THIS AGREEMENT ON CUSTOMER'S BEHALF AND TO BIND CUSTOMER TO THE TERMS OF THIS AGREEMENT; (B) CUSTOMER HAS THE FULL POWER, CORPORATE OR OTHERWISE, TO ENTER INTO THIS AGREEMENT AND PERFORM ITS OBLIGATIONS UNDER THIS AGREEMENT AND; (C) THIS AGREEMENT AND THE PERFORMANCE OF CUSTOMER'S OBLIGATIONS UNDER THIS AGREEMENT DO NOT VIOLATE ANY THIRD-PARTY AGREEMENT TO WHICH CUSTOMER IS A PARTY. Version: 050309 Copyright and Trademarks Copyright© 1998 - 2007 WatchGuard Technologies, Inc. All rights reserved. © Hi/fn, Inc. 1993, including one or more U.S. Patents: 4701745, 5016009, 5126739, and 5146221 and other patents pending. Microsoft®, Internet Explorer®, Windows® 95, Windows® 98, Windows NT®, Windows® 2000, Windows® 2003, and Windows XP are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corporation in the United States and other countries. RealNetworks, RealAudio, and RealVideo are either a registered trademark or trademark of RealNetworks, Inc. in the United States and/or other countries. Java and all Java-based marks are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. All rights reserved. Jcchart copyright® 1999 by KL Group Inc. All rights reserved. WatchGuard, the WatchGuard logo, Firebox, LiveSecurity, and any other mark listed as a trademark in the “Terms of Use” portion of the WatchGuard Web site that is used herein are either registered trademarks or trademarks of WatchGuard Technologies, Inc. and/or its subsidiaries in the United States and/or other countries. All other trademarks are the property of their respective owners. Patents U.S. Patent Nos. 6,493,752; 6,597,661; 6,618,755; D473,879. Other Patents Pending. Licenses Some components of the WatchGuard System Manager software distribute with source code covered under one or more third party or open source licenses. We include below the full text of the licenses as required by the terms of each license. To get the source code covered under these licenses, please contact WatchGuard Technical Support at: • 877.232.3531 in the United States and Canada • +1.360.482.1083 from all other countries This source code is free to download. There is a $35 charge to ship the CD. User Guide 471 Licenses SSL Licenses This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. OpenSSL License © 1998-2003 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)” 4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected]. 5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project. 6. Redistributions of any form whatsoever must retain the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)” THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Original SSLeay License This product includes cryptographic software written by Eric Young ([email protected]) and includes software written by Tim Hudson ([email protected]). © 1995-2003 Eric Young ([email protected]) All rights reserved. This package is an SSL implementation written by Eric Young ([email protected]). The implementation was written so as to conform with Netscapes’ SSL. This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson ([email protected]). Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: “This product includes cryptographic software written by Eric Young ([email protected])” The word 'cryptographic' can be left out if the routines from the library being used are not cryptographic related. 4. If you include any Windows specific code (or a derivative thereof ) from the apps directory (application code) you must include an acknowledgement: “This product includes software written by Tim Hudson ([email protected])” THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License.] 472 WatchGuard System Manager Licenses The mod_ssl package falls under the Open-Source Software label because it's distributed under a BSD-style license. The detailed license information follows. Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgment: This product includes software developed by Ralf S. Engelschall <[email protected]> for use in the mod_ssl project (http:// www.modssl.org/).” 4. The names “mod_ssl” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected]. 5. Products derived from this software may not be called “mod_ssl” nor may “mod_ssl” appear in their names without prior written permission of Ralf S. Engelschall. 6. Redistributions of any form whatsoever must retain the following acknowledgment: “This product includes software developed by Ralf S. Engelschall <[email protected]> for use in the mod_ssl project (http://www.modssl.org/).” THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S. ENGELSCHALL OR HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Apache Software License, Version 2.0, January 2004 Some components of the WatchGuard System Manager software are distributed with a version of the Apache web server and other source code under the Apache software license. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. User Guide 473 Licenses 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. PCRE License Portions of this software are based upon public domain software originally written at the National Center for Supercomputing Applications, University of Illinois, Urbana-Champaign. The PCRE is a library of 474 WatchGuard System Manager Licenses functions to support regular expressions whose syntax and semantics are as close as possible to those of the Perl 5 language. PCRE is a library of functions to support regular expressions whose syntax and semantics are as close as possible to those of the Perl 5 language. Release 5 of PCRE is distributed under the terms of the "BSD" licence, as specified below. The documentation for PCRE, supplied in the "doc" directory, is distributed under the same terms as the software itself. Written by: Philip Hazel <[email protected]> University of Cambridge Computing Service, Cambridge, England. Phone: +44 1223 334714. Copyright (c) 1997-2004 University of Cambridge All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * Neither the name of the University of Cambridge nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. GNU Lesser General Public License Some components of the WatchGuard System Manager software distribute with source code covered under the GNU Lesser General Public License (LGPL). Version 2.1, February 1999 Copyright (C) 1991, 1999 Free Software Foundation, Inc.59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. [This is the first released version of the Lesser GPL. It also counts as the successor of the GNU Library Public License, version 2, hence the version number 2.1.] Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This license, the Lesser General Public License, applies to some specially designated software packages--typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below. When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things. To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it. For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link other code with the library, you must provide complete object files to the recipients, so that they can relink them with the library after making changes to the library and recompiling it. And you must show them these terms so they know their rights. We protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives you legal permission to copy, distribute and/or modify the library. To protect each distributor, we want to make it very clear that there is no warranty for the free library. Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others. User Guide 475 Licenses Finally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license. Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs. When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library. We call this license the “Lesser” General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances. For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the Lesser General Public License. In other cases, permission to use a particular library in non-free programs enables a greater number of people to use a large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system. Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library. The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a “work based on the library” and a “work that uses the library”. The former contains code derived from the library, whereas the latter must be combined with the library in order to run. GNU LESSER GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called “this License”). Each licensee is addressed as “you”. A “library” means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables. The “Library”, below, refers to any such software library or work which has been distributed under these terms. A “work based on the Library” means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term “modification”.) “Source code” for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library. Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does. 1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) The modified work must itself be a software library. b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change. c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License. d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful. 476 WatchGuard System Manager Licenses (For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library. In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices. Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy. This option is useful when you wish to copy part of the code of the Library into a program that is not a library. 4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code. 5. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a “work that uses the Library”. Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License. However, linking a “work that uses the Library” with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a “work that uses the library”. The executable is therefore covered by this License. Section 6 states terms for distribution of such executables. When a “work that uses the Library” uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law. If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.) Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself. 6. As an exception to the Sections above, you may also combine or link a “work that uses the Library” with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications. You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things: a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable “work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.) b) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (1) uses at run time a copy of the library already present on the user's computer system rather than copying library functions into the executable, and (2) operate properly with a modified version of the library, if the user installs one, as long as the modified version is interfacecompatible with the version that the work was made with. c) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution. d) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place. User Guide 477 Licenses e) Verify that the user has already received a copy of these materials or that you have already sent this user a copy. For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute. 7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things: a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above. b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work. 8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it. 10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License. 11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 13. The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation. 14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. 478 WatchGuard System Manager Licenses GNU General Public License Some components of the WatchGuard System Manager software distribute with source code covered under the GNU General Public License (GPL). Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) User Guide 479 Licenses These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. 480 WatchGuard System Manager Licenses Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS Sleepycat License Some components of the WatchGuard System Manager software are distributed with a version of the BerkeleyDB covered under the Sleepycat software license. Copyright (c) 1990-2004 Sleepycat Software. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Redistributions in any form must be accompanied by information on how to obtain complete source code for the DB software and any accompanying software that uses the DB software. The source code must either be included in the distribution or be available for no more than the cost of distribution plus a nominal fee, and must be freely redistributable under reasonable conditions. For an executable file, complete source code means the source code for all modules it contains. It does not include source code for modules or files that typically accompany the major components of the operating system on which the executable file runs. THIS SOFTWARE IS PROVIDED BY SLEEPYCAT SOFTWARE ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT, ARE DISCLAIMED. IN NO EVENT SHALL SLEEPYCAT SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright (c) 1990, 1993, 1994, 1995 The Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, User Guide 481 Licenses SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright (c) 1995, 1996 The President and Fellows of Harvard University. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY HARVARD AND ITS CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL HARVARD OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Sourcefire License In addition to the copyright and license information found earlier in this Appendix, signature updates provided as part of the Gateway AV/IPS Subscription are subject to this license agreement: SOURCEFIRE,INC. VERSION 1.1.1 THE VRT CERTIFIED RULES ARE MADE AVAILABLE TO YOU BY SOURCEFIRE, INC. ("SOURCEFIRE") UNDER THE TERMS OF THIS VRT CERTIFIED RULES LICENSE AGREEMENT (THE "AGREEMENT"). BY CLICKING THE "ACCEPT" BUTTON BELOW, OR BY INSTALLING OR USING THE VRT CERTIFIED RULES, YOU ARE CONSENTING TO BE BOUND BY THIS AGREEMENT. IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT, DO NOT CLICK THE "ACCEPT" BUTTON, AND DO NOT INSTALL OR USE ANY PART OF THE VRT CERTIFIED RULES. 1. Definitions 1.1. "Commercial Purpose" means the use, reproduction or distribution of (i) the VRT Certified Rules or any Modification, or any portion of the foregoing, (ii) a Compilation that includes, in whole or in part, the VRT Certified Rules or any Modification that in either case is intended to result in a direct or indirect pecuniary gain or any other consideration or economic benefit to any person or entity involved in such use, reproduction or distribution. Examples of a Commercial Purpose, include without limitation, (v) integrating the VRT Certified Rules with other software or hardware for sale, (w) licensing the VRT Certified Rules for a fee, (x) using the VRT Certified Rules to provide a service to a third party, (y) selling the VRT Certified Rules, or (z) distributing the VRT Certified Rules for use with other products or other services. 1.2. "Compilation" means a work which combines the VRT Certified Rules or any Modification or portions thereof with any services, programs, code or other products not governed by the terms of this Agreement. 1.3. "Improvements" shall mean a Modification to a VRT Certified Rule (or to a modified VRT Certified Rule) that corrects a bug, defect, or error in such rule without affecting the overall functionality of such VRT Certified Rule (or Modification thereof ). 1.4. "Modifications" means any alteration, addition to or deletion from the substance or structure of the VRT Certified Rules or any Modifications of such, including, without limitation, (a) any addition to or deletion from the contents of a file containing Original Code or previous Modifications of either; (b) any derivative of the VRT Certified Rule or of any Modification; or (c) any new file that contains any part of the VRT Certified Rule or Modifications. 1.5. "Permitted Use" shall have the meaning given such term in Section 2.1. 1.6. "Restricted Activities" shall have the meaning given such term in Section 2.1. 1.7. "Snort® Registered User" shall mean an individual who has registered or subscribed on www.snort.org to use the VRT Certified Rules. 1.8. "VRT Certified Rules" means those Snort® rules (in text form, source code form, object code form and all documentation related thereto) that have been created, developed, tested and officially approved by Sourcefire. These rules are designated with SIDs of 3465 - 1,000,000, except as otherwise noted in the license file. 1.9. "You" (or "your") means an individual exercising rights under this Agreement issued under Section 7. For legal entities, "you'' includes any entity which controls, is controlled by, or is under common control with you or any such entity you are acting on behalf of. For purposes of this definition, "control'' means (a) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (b) ownership of more than forty percent (40%) of the outstanding shares or beneficial ownership of such entity. 482 WatchGuard System Manager Licenses 2. Sourcefire License Grant. 2.1. Grant of License; Permitted Use. Subject to the terms and conditions of this Agreement, Sourcefire hereby grants you a world-wide, non-exclusive license to do any of the following with respect to the VRT Certified Rules: (a) use and deploy the VRT Certified Rules on management consoles and sensors that you manage (over which you have administrative control); (b) use and deploy the VRT Certified Rules on behalf of your employer on its internal management consoles and sensors (e.g., where a valid employer-employee relationship exists between you and a legal entity); (c) modify the VRT Certified Rules and use those Modifications consistent with paragraphs (a) and (b) above; (d) distribute those VRT Certified Rules and any Modifications generally available to Snort® Registered Users on a limited basis to other Snort® Registered Users; (e) distribute any Improvement generally available to Snort® Registered Users on mailing lists commonly used by the Snort® user community as a whole; (f ) reproduce the VRT Certified Rules as strictly necessary in exercising your rights under this Section 2.1; and (g) Make the VRT Certified Rules (or any Modification) available to your or your employer's consultants, agents and subcontractors for the limited purpose of exercising your rights under this Section 2.1 provided that such use is in compliance with this Agreement. Paragraphs (a) through (g) are collectively referred to as the "Permitted Uses". All rights not granted under this Agreement are reserved by Sourcefire. 2.2. Limitations on License; Restricted Activities. You recognize and agree that the VRT Certified Rules are the property of Sourcefire, contain valuable assets and proprietary information and property of Sourcefire, and are provided to you under the terms and conditions of this Agreement. Notwithstanding anything to the contrary in this Agreement, You agree that you shall NOT do any of the following without Sourcefire's prior written consent: (a) use, deploy, perform, modify, license, display, reproduce or distribute the VRT Certified Rules or Modifications (even if merged with other materials as a Compilation) other than as allowed under a Permitted Use; (b) sell, license, transfer, rent, loan, use, modify, reproduce or disclose the VRT Certified Rules or any Modifications thereto (in whole or in part and whether done independently or as part of a Compilation) for a Commercial Purpose; (c) post or make generally available any VRT Certified Rule (in whole or in part or any Modifications thereto) to individuals or a group of individuals who have not agreed to the terms and conditions of this Agreement, provided, however, that nothing in this Section 2.2(c) shall preclude the Permitted Use in Section 2.1(e); (d) share any user authentication information and/or password provided to you by Sourcefire with any third party to allow such party access your snort.org account or to otherwise access the VRT Certified Rules; (e) alter or remove any copyright notice or proprietary legend contained in or on the VRT Certified Rules. Paragraphs (a) though (e) of this Section 2.2 are collectively referred to as the "Restricted Activities"). 2.3. Reproduction Obligations. You agree that any embodiment of the VRT Certified Rules permitted under this Agreement will contain the notices set forth in Exhibit A. In addition, to the extent you make any copies of or distribute the VRT Certified Rules or any Modifications under this Agreement, you agree to ensure that any and all such copies of shall contain: (a) a copy of an appropriate copyright notice and all other applicable proprietary legends; (b) a disclaimer of any warranty consistent with this Agreement; and (c) any and all notices referencing this Agreement and absence of warranties. 3. Modifications; Derivative Works. In the event you create a Modification, the use, reproduction and distribution of such Modifications shall be governed by the terms and conditions of this Agreement. Additionally, you hereby grant Sourcefire and any other licensee of the VRT Certified Rules an irrevocable, perpetual, fully paid-up, world-wide, royalty-free, non-exclusive license to use, reproduce, modify, display, perform and distribute such Modifications (and the source code thereto), provided, however, that you and any recipient of such Modifications must include: (a) the original copyright notice and all other applicable proprietary legends; (b) the original warranty disclaimer; (c) the original notices referencing this Agreement and absence of warranties; and (d) a prominent notice stating that you changed the VRT Certified Rulese (or any Modification thereto) and the date of any change. 4. Distribution Obligations. 4.1. General. The source code version of the VRT Certified Rules (or any Modification thereof ) may be distributed only under the terms of this Agreement, and you must include a copy of this Agreement with every copy of the VRT Certified Rules you distribute. 4.2. Required Notices. You must duplicate the notice in Exhibit A in each file of the source code. If it is not possible to put such notice in a particular source code file due to its structure, then you must include such notice in a location (such as a relevant directory) where a user would be likely to look for such a notice. If you created one or more Modification(s) you may add your name as a contributor to the notice described in Exhibit A. You must also duplicate this Agreement in any documentation for the source code where you describe recipients' rights or ownership rights relating to the VRT Certified Rules. To the extent you offer additional warranty, support, indemnity or liability obligations, you may do so only on your own behalf, and not on behalf of Sourcefire. You must make it absolutely clear that any such warranty, support, indemnity or liability obligation is offered by you alone, and you hereby agree to indemnify and hold Sourcefire harmless for any liability incurred by Sourcefire as a result of any warranty, support, indemnity or liability terms you offer. 5. Inability to Comply Due to Statute or Regulation. If it is impossible for you to comply with any of the terms of this Agreement with respect to some or all of the Original Code due to statute, judicial order, or regulation then you must: (a) comply with the terms of this Agreement to the maximum extent possible; and (b) describe the limitations and the code they affect. Such description must be included with all distributions of the Source Code. Except to the extent prohibited by statute or regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to understand it. 6. Application of this Agreement. User Guide 483 Licenses This Agreement also applies to code to which Sourcefire has attached the notice in Exhibit A and to related Modifications created in Section 3. 7. Versions of the Agreement. 7.1. New Versions. Sourcefire may publish revised and/or new versions of the Agreement from time to time. Each version will be given a distinguishing version number. 7.2. Effect of New Versions. Once VRT Certified Rules has been published under a particular version of the Agreement, you may always continue to use it under the terms of that version. You may also choose to use such VRT Certified Rules under the terms of any subsequent version of the Agreement published by Sourcefire. No one other than Sourcefire has the right to modify the terms applicable to Original Code. 8. DISCLAIMER OF WARRANTY. THE VRT CERTIFIED RULES AND MODIFICATIONS ARE PROVIDED UNDER THIS AGREEMENT ON AN "AS IS" BASIS, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, WARRANTIES THAT THE VRT CERTIFIED RULES OR THE MODIFICATIONS ARE FREE OF DEFECTS, MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE OR NONINFRINGING. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE VRT CERTIFIED RULES AND MODIFICATIONS IS WITH YOU. SHOULD ANY VRT CERTIFIED RULES OR MODIFICATIONS PROVE DEFECTIVE IN ANY RESPECT, YOU (NOT SOURCEFIRE) ASSUME THE COST OF ANY NECESSARY SERVICING, REPAIR OR CORRECTION. THIS DISCLAIMER OF WARRANTY CONSTITUTES AN ESSENTIAL PART OF THIS AGREEMENT. NO USE OF ANY VRT CERTIFIED RULE OR ANY MODIFICATION IS AUTHORIZED HEREUNDER EXCEPT UNDER THIS DISCLAIMER. 9. Termination. 9.1. This Agreement and the rights granted hereunder will terminate automatically if you fail to comply with any or all of the terms herein and fail to cure such breach within 30 days of becoming aware of the breach. All sublicenses to the VRT Certified Rules which are properly granted shall survive any termination of this Agreement. Provisions which, by their nature, must remain in effect beyond the termination of this Agreement shall survive. 10. LIMITATION OF LIABILITY. UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER TORT (INCLUDING NEGLIGENCE), CONTRACT, OR OTHERWISE, SHALL YOU OR SOURCEFIRE BE LIABLE TO ANY PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE, SECURITY BREACHES OR FAILURES, COMPUTER FAILURE OR MALFUNCTION, OR ANY AND ALL OTHER DAMAGES OR LOSSES, EVEN IF SUCH PARTY SHALL HAVE BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH LIMITATIONS. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. 11. License Compliance. You may be requested by Sourcefire to provide a certificate, signed by your authorized representative, that you are using the VRT Certified Rules consistent with a Permitted Use. In the event your use of the VRT Certified Rules is not in compliance with a Permitted Use, or if you otherwise violate the terms of this Agreement, Sourcefire may, since remedies at law may be inadequate, in addition to its other remedies: (a) demand return of the VRT Certified Rules; (b) forbid and enjoin your further use of the VRT Certified Rules; (c) assess you a use fee appropriate to your actual use of the VRT Certified Rules. 12. United States Government Users. If the VRT Certified Rules or Modifications are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), then the Government's rights in the VRT Certified Rules and Modifications shall be subject to Sourcefire's standard commercial terms and only as set forth in this Agreement; and only with "Limited Rights" and "Restricted Rights" as defined the federal regulations if the commercial terms are deemed not to apply. 13. Miscellaneous. This Agreement represents the complete agreement concerning subject matter hereof. If any provision of this Agreement is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. This Agreement shall be governed by Maryland law provisions (except to the extent applicable law, if any, provides otherwise), excluding its conflict-of-law provisions. Any litigation relating to this Agreement shall be subject to the jurisdiction of the state and Federal Courts serving Greenbelt, Maryland, with the losing party responsible for costs, including without limitation, court costs and reasonable attorneys' fees and expenses. You hereby submit to jurisdiction and venue in such courts. The application of the United Nations Convention on Contracts for the International Sale of Goods is expressly excluded. Any law or regulation which provides that the language of a contract shall be construed against the drafter shall not apply to this Agreement. Headings and section references are used for reference only and shall not be used to define, limit or describe such section. EXHIBIT A - VRT Certified Rules License Agreement The contents of this file are subject to the VRT Certified Rules License Agreement 1.1 (the "Agreement"). You may not use this file except in compliance with the Agreement. You may obtain a copy of the Agreement here. Software distributed under the Agreement is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the Agreement for the specific language governing rights and limitations under the Agreement. The developer of the VRT Certified Rules is Sourcefire, Inc., a Delaware Corporation. 484 WatchGuard System Manager Licenses Expat-MIT HTML Parser Toolkit License Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Curl Software MIT-X License COPYRIGHT AND PERMISSION NOTICE Copyright (c) 1996 - 2006, Daniel Stenberg, <[email protected]>. All rights reserved. Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder. All other trademarks or trade names mentioned herein, if any, are the property of their respective owners. User Guide 485 Licenses 486 WatchGuard System Manager Appendix B WatchGuard File Locations This appendix gives the locations where common data files are kept by the WatchGuard® System Manager software. Because it is possible to configure the Windows operating system (OS) to put these directories on different disk drives, you must know the correct location of these files based on the configuration of Windows on your computer. It is also possible to configure log files to be kept in a different directory than other installation files. If you change the default location of log files, these default locations do not apply. If you are using an OS version that is not English, you must translate directory names (such as “Documents and Settings” or “Program Files”) to match the OS language you use. Common Data Files File Type Location User-created data My Documents\My WatchGuard (User-created data includes files such as Firebox configuration files, license files, and certificates. In many cases, the WSM software creates subfolders in the My WatchGuard folder to keep these files.) User-created data (shared) C:\Documents and Settings\All Users\Shared WatchGuard Firebox® configuration files My Documents\My WatchGuard\configs Firebox log files C:\Documents and Settings\WatchGuard\logs Report files C:\Documents and Settings\WatchGuard\reports Certificates My Documents\My WatchGuard\certs\<IP Address of Management Server> WatchGuard applications C:\Program Files\WatchGuard\wsm9.1 Shared application libraries C:\Program Files\Common Files\WatchGuard\wsm9.1 Management Server data C:\Documents and Settings\WatchGuard\wmserver Quarantine Server data C:\Documents and Settings\WatchGuard\wqserver Log Server data C:\Documents and Settings\WatchGuard\wlserver Certificate Authority data C:\Documents and Settings\WatchGuard\wgca WebBlocker Server data C:\Documents and Settings\WatchGuard\wbserver Future product upgrade images C:\Program Files\Common Files\WatchGuard\resources\Fireware\9.1 User Guide 487 Default File Locations File Type Location Help files (Fireware®) C:\Program Files\WatchGuard\wsm9.1\help\fireware Help files (WSM) C:\Program Files\WatchGuard\wsm9.1\help\wsm Help files (WFS) C:\Program Files\WatchGuard\wsm9.1\help\wfs Default File Locations These tables give the default locations where the WatchGuard® software applications and servers look for their data files or for data files created by users (such as Firebox® configuration files). In some cases, the default location changes based on where the software application opened a file of a similar type. In these cases, the software application remembers the last place the file was read/written and looks in that location first. Because it is possible to configure the Windows operating system (OS) to put these directories on different disk drives, you must determine the exact location of these files based on the configuration of Windows on your computer. It is also possible to configure log files to be kept in a different directory than other installation files. If you change the default location of log files, these default locations do not apply. If you are using an OS version that is not English, you must translate directory names (such as “Documents and Settings” or “Program Files”) to match the OS language you use. Policy Manager for Fireware Appliance Software 488 Operation File Type Default Location Read/ Write Firebox backups C:\Documents and Settings\All Users\Shared WatchGuard\backups Read Product upgrade images C:\Program Files\Common Files\WatchGuard\Resources\Fireware\9.1 Read Blocked Sites My Documents\My WatchGuard Read Blocked Sites exceptions My Documents\My WatchGuard Read/ Write Firebox configuration files My Documents\My WatchGuard\configs Read/ Write Firebox license files My Documents\My WatchGuard\configs Read Initial license import My Documents\My WatchGuard Write MUVPN .wgx file C:\Documents and Settings\All Users\Shared WatchGuard\ muvpn WatchGuard System Manager Default File Locations Policy Manager for WFS Appliance Software Operation File Type Default Location Read Logging Notification Current working directory Read Spam rules import Current working directory Write Saved backups C:\Documents and Settings\All Users\Shared WatchGuard\ backups Write MUVPN SPDs (.wgx) C:\Documents and Settings\All Users\Shared WatchGuard\ muvpn Read Blocked Sites imports Current working directory Flash Disk Management for WFS Appliance Software Operation File Type Default Location Read/ Write Backup image C:\Documents and Settings\All Users\Shared WatchGuard\ backups Historical Reports Operation File Type Default Location Read/ Write Report definitions C:\Documents and Settings\WatchGuard\report-defs Read/ Write Reporting graphics C:\Program Files\WatchGuard\wsm9.1\reports\graphics\ <report .jpg/.gif files> User Guide 489 Default File Locations 490 WatchGuard System Manager Appendix C Types of Policies This chapter gives a list of the pre-defined policies included with Fireware® appliance software, their protocols, and their ports. It also gives special information about circumstances that could have an effect on the security of some policies. In this chapter, policies are divided into two groups—policies that are controlled by a packet filter and policies that are controlled by a proxy. Packet Filter Policies Packet filter policies examine the source and destination headers of each packet. Packets are allowed or denied based on if the headers appear to come from and go to trusted addresses. Any Use an Any policy only to allow all traffic between two specified trusted IP or network addresses. An Any policy opens a “hole” through the Firebox®, and allows all traffic to flow freely between specified hosts. We recommend that the Any policy be used only for traffic through a VPN. The Any policy is different from other policies. For example, if you allow FTP only to a specified host, all other FTP sessions to other hosts are denied by that policy (unless you have also configured other FTP policies). The Any policy does not deny like other policies. You also cannot use an Any policy unless specified IP addresses, network addresses, host aliases, group names, or user names are used in the From or To lists. If not, the Any policy does not operate. Characteristics • Internet Protocol(s): Any • Port Number(s): Any port archie archie is a search protocol used to find files on FTP servers. We recommend that you use the available web interfaces to archie. A current list of archie servers is available through anonymous FTP from: User Guide 491 Packet Filter Policies ftp://microlib.cc.utexas.edu/microlib/mac/info/archie-servers.txt External hosts can be spoofed. The Firebox cannot make sure that these packets were sent from the correct location. You can configure your Firebox to add the source IP address to the Blocked Sites list when an incoming archie connection is denied. You can use all of the usual log options with archie. Characteristics • Internet Protocol(s): UDP • Port Number(s): 1525 auth The Authentication Server protocol (AUTH) has a new name. It is now called the Identification Protocol (IDENT). Refer to IDENT for more information about this policy. BGP Border Gateway Protocol (BGP) is the routing protocol used across most of the Internet. It is a highly configurable protocol that can add redundancy to links to and from the Internet for LANs. We recommend that you use this service only if you have enabled and configured BGP in the dynamic routing processes in the Fireware® configuration. Characteristics • Internet Protocol(s): TCP • Port Number(s): 179 Citrix Citrix, or Independent Computing Architecture (ICA), is an application protocol used by Citrix software applications such as Winframe and Metaframe Presentation Server (MPS). Winframe gives access to a Windows computer from different types of clients that use TCP port 1494. Citrix MPS 3.0 uses ICA with Session Reliability over TCP port 2598. If you use Citrix MPS, you must add a custom policy for TCP port 2598. If you add the Citrix policy, you could put your network security at risk because it allows remote access to computers through the firewall without authentication. The threat to a Winframe or MPS server includes denial-of-service attacks. We recommend that you use VPN options to give more security for ICA connections. You can use all of the usual log options with WinFrame. Characteristics • Internet Protocol(s): TCP • Port Number(s): 1494 Clarent-Command Clarent Corporation supplies IP telephone technology to mainstream carriers and service providers. Clarent products allow voice-over-IP between Clarent gateways across the Internet. This policy gives support to the Clarent v3.0 product and later. Clarent products use two sets of ports, one for gateway-to-gateway communications (UDP ports 4040, 4045, and 5010) and one for gateway-to-command center communications (UDP ports 5001 and 5002). Use the Clarent-command policy for the gateway-to-command center communications. 492 WatchGuard System Manager Packet Filter Policies Allow incoming connections only from specified external gateways to your gateway or command center. Clarent also gives support for the use of PCAnywhere for management. Refer to the PCAnywhere policy notes for more information. The Clarent-command policy could put network security at risk because it allows traffic inside the firewall based only on network address. This is not a trusted method of authentication. In addition, your Clarent server could receive denial-of-service attacks in this configuration. Where possible, we recommend that you use VPN options to give more security for Clarent-command connections. Characteristics: • Internet Protocol(s): UDP • Port Numbers(s): 5001, 5002 Clarent-Gateway Clarent Corporation supplies IP telephone technology to mainstream carriers and service providers. Clarent products allow voice-over-IP between Clarent gateways across the Internet. This policy gives support to the Clarent v3.0 product and later. Clarent products use two sets of ports, one for gateway-to-gateway communications (UDP ports 4040, 4045, and 5010) and one for gateway-to-command center communications (UDP ports 5001 and 5002). Use the Clarent-command policy for the gateway-to-command center communications. Allow incoming connections only from specified external gateways to your gateway or command center. Clarent also gives support for the use of PCAnywhere for management. Refer to the PCAnywhere policy notes for more information. The Clarent-gateway policy could put network security at risk because it allows traffic inside the firewall based only on network address. This is not a trusted method of authentication. In addition, your Clarent server could receive denial-of-service attacks in this configuration. Where possible, we recommend that you use VPN options to give more security for Clarent-gateway connections. Characteristics • Internet Protocol(s): UDP • Port Number(s): 4040, 4045, 5010 CU-SeeMe CU-SeeMe is a software application used to do video conferencing through the Internet. For CU-SeeMe to operate through the Firebox, you must make sure that you are not on a network that uses outgoing dynamic NAT. The CU-SeeMe protocol makes you configure this policy for traffic going in to and out of your network. The CU-SeeMe policy uses the correct ports to allow the use of CU-SeeMe versions 2.X and 3.X. CUSeeMe Version 2.X operates on UDP port 7648. Version 3.X operates on UDP port 7648, UDP port 24032 (for H.323 conferences), and TCP port 7648 (video conference directories). Characteristics • User Guide Internet Protocol(s): TCP and UDP 493 Packet Filter Policies • Port Numbers(s): UDP 7648, UDP 24032, TCP 7648 DHCP-Server or DHCP-Client Dynamic Host Configuration Protocol (DHCP) gives a way to allocate dynamic IP addresses to devices on a network. Characteristics • Internet Protocol(s): TCP • DHCP-Server Port Number(s): 67 • DHCP-Client Port Number(s): 68 DNS Domain Name Service (DNS) matches host names to IP addresses. The DNS policy allows UDP DNS traffic, as well as TCP zone transfers to occur as specified. All of the usual log options can be used with DNS. Characteristics • Internet Protocol(s): Multi: TCP (for server-server zone transfers) and UDP (for client-server lookups) • Port Number(s): TCP 53 and UDP 53 Entrust The Entrust Authority Public Key distribution application protocol passes public keys to a trusted thirdparty organization for verification. Characteristics • Internet Protocol(s): TCP • Port Number(s): 709, 710 finger finger is an application protocol used to get information about users on a given host. It is easy for a hacker to use this information against you. We do not recommend that you put finger servers on the trusted interface. Characteristics • Internet Protocol(s): TCP • Port Number(s): 79 FTP File Transfer Protocol (FTP) is used to move files across the Internet. An FTP packet filter will not apply the FTP proxy rule set to any traffic. To proxy FTP traffic, use the FTP proxy policy. We recommend that incoming FTP be allowed only to public FTP servers located behind the Firebox®. External hosts can be spoofed. WatchGuard® cannot verify that these packets were actually sent from the correct location. You can configure the Firebox to add the source IP address to the Blocked Sites list whenever an FTP connection to a computer protected by the Firebox is denied. The packet filter and 494 WatchGuard System Manager Packet Filter Policies proxy policy included in WatchGuard Policy Manager both handle the data channel for active and passive FTP sessions. All of the usual log options can be used with FTP. Characteristics • Internet Protocol(s): TCP • Port Number(s): 21 Gopher Gopher is a data-retrieval protocol developed at the University of Minnesota. Gopher is not frequently used, as most users use HTML. Characteristics • Internet Protocol(s): TCP • Port Number(s): 70, but servers can be configured to use other ports GRE Generic Routing Encapsulation Protocol (GRE) is used together with Point-to-Point Tunneling Protocol (PPTP) to create virtual private networks (VPNs) between clients or between clients and servers. Characteristics • Internet Protocol(s): GRE • Protocol Number(s): 47 HBCI The Home Banking Computer Interface (HBCI) is a standard created for bank customers and manufacturers of banking products. Characteristics • Internet Protocol(s): TCP • Port Number(s): 3000 HTTP An HTTP packet filter will not apply the HTTP proxy rule set to any traffic. To proxy HTTP traffic, use the HTTP proxy policy. We recommend that HTTP be allowed only to public HTTP servers located behind the Firebox. External hosts can be spoofed. WatchGuard cannot verify that these packets were actually sent from the correct location. You can configure the Firebox to add the source IP address to the Blocked Sites list whenever an HTTP connection to a computer protected by the Firebox is denied. All of the usual log options can be used with HTTP. Characteristics • Internet Protocol(s): TCP • Port Number(s): 80 User Guide 495 Packet Filter Policies HTTPS HTTPS is a secure and encrypted version of the HTTP protocol. The client and the web server set up an encrypted session on TCP port 443. Because this session is encrypted, the proxy cannot examine packet contents using a proxy. This policy uses a packet filter to examine the connection. Characteristics • Internet Protocol(s): TCP • Port Number(s): 443 IDENT The Identification Protocol (IDENT) is a protocol used to match TCP connections to a user name. It is used most frequently by large public SMTP and FTP servers. It is used for logs, but you cannot trust the information it gives, as attackers can change their servers to have them send back incorrect information. IDENT uses false information to hide internal user information. When you use incoming static NAT with SMTP, you might see packets that come from the remote mail server being denied with destination port 113. In these cases, you can add an IDENT policy to Policy Manager. Configure IDENT to allow incoming connections to: Firebox. This enables outgoing mail messages from behind the Firebox to the few SMTP servers on the Internet that use IDENT. If you are not using dynamic NAT, allow IDENT to the IP address of your email server. We recommend that IDENT policies be allowed to and from the Firebox, but know that hackers can use IDENT to collect user names. Characteristics • Internet Protocol(s): TCP • Port Number(s): 113 IGMP The Internet Group Management Protocol (IGMP) is the standard for IP multicasting on the Internet. It is used to control host memberships in multicast groups on a single network. When you add an IGMP policy to your Fireware configuration, Fireware does not pass IGMP multicast traffic through the Firebox or between Firebox interfaces. It only passes IGMP multicast traffic between an interface and the Firebox. Characteristics • Internet Protocol(s): IGMP IMAP Internet Mail Access Protocol (IMAP) is an application layer protocol for getting email or bulletin board messages on a remote email server as if the messages were local. You can get access to email stored on an IMAP server from many locations (such as home, work, or laptop) without moving messages. Characteristics 496 • Internet Protocol(s): TCP • Port Number(s): 143 WatchGuard System Manager Packet Filter Policies IPSec Internet Protocol Security (IPSec) is a framework for a set of protocols for security at the network or packet layer of network communications. It is a VPN tunneling protocol with encryption. Characteristics • Internet Protocol(s): UDP, encapsulated security payload (ESP), and authentication header (AH) • Port Number(s): UDP 500 and UDP 4500 IRC Internet Relay Chat (IRC) is a system for Internet chatting. To use IRC you must have an IRC client and Internet access. The IRC client is a software application on your computer that sends and receives messages to and from an IRC server. The IRC server makes sure that all messages are sent to all users in the chat session. Characteristics • Internet Protocol(s): TCP • Port Number(s): 6667 Intel Video Phone Intel Video Phone is a real-time multimedia application based on H.323. H.323 is an international standard for conferencing over TCP/IP networks. This policy does not filter for dangerous content. It does not support rsvp protocol, and it does not support NAT. Characteristics • Internet Protocol(s): TCP • Port Number(s): 1720, 522 Kerberos v 4 and Kerberos v 5 The Kerberos network authentication protocol is an authentication system developed by the Massachusetts Institute of Technology (MIT). Kerberos enables two computers to exchange private information across an open network using authentication for security. Characteristics • Internet Protocol(s): TCP and UDP • Kerberos v 4 Port Numbers(s): UDP 750 • Kerberos v 5 Port Number(s): TCP 88 and UDP 88 L2TP Layer 2 Tunneling Protocol (L2TP) is an extension to the PPP protocol that enables ISPs to operate virtual private networks. Characteristics • Internet Protocol(s): UDP • Port Number(s): 1701 User Guide 497 Packet Filter Policies LDAP Lightweight Directory Access Protocol (LDAP) is an open-standard protocol for using online directory services. The protocol operates with Internet transport protocols, such as TCP. You can use LDAP to get access to stand-alone directory servers or X.500 directories. Characteristics • Internet Protocol(s): TCP • Port Number(s): 389 LDAP-SSL Lightweight Directory Access Protocol over TLS/SSL (LDAP-SSL) is used with Windows 2000 to give more security when you access Active Directory. Characteristics • Internet Protocol(s): TCP • Port Number(s): 636 Lotus Notes Lotus Notes is a client/server platform for conferencing, databases, and email. It is also used to create and use documents. This policy enables the proprietary Lotus Notes protocol. Because the protocol uses encapsulation and tunneling, and gives access to internal data, we do not recommend the Lotus Notes policy for addresses out of your trusted networks. Characteristics • Internet Protocol(s): TCP and UDP • Port Number(s): TCP 1352, UDP 1352 MS-SQL-Monitor Microsoft SQL Monitor is used to monitor Microsoft SQL databases. Characteristics • Internet Protocol(s): TCP and UDP • Port Number(s): TCP 1434, UDP 1434 MS-SQL-Server Microsoft SQL Server is usually used to make a remote connection to a Microsoft SQL database. Characteristics 498 • Internet Protocol(s): TCP and UDP • Port Number(s): TCP 1433, UDP 1433 WatchGuard System Manager Packet Filter Policies MS-Win-Media Microsoft Windows Media Server is a proprietary protocol developed by Microsoft to supply unicast streams. It enables bidirectional connections that enable users to go forward, go back, or pause the playback of unicast streams. Characteristics • Internet Protocol(s): TCP • Port Number(s): 1755, 80 NetMeeting NetMeeting is a product developed by Microsoft Corporation that enables groups to teleconference across the Internet. It is included with Microsoft’s Internet Explorer web browser. This policy is based on the H.323 protocol and does not filter for dangerous content. It does not support rsvp protocol, and it does not support NAT. Characteristics • Internet Protocol(s): TCP • Port Number(s): 1720, 389 NFS The Network File System (NFS) protocol is a client server software application created by Sun Microsystems to allow all network users to get access to shared files kept on computers of different types. Characteristics • Internet Protocol(s): TCP and UDP • Port Number(s): TCP 2049, UDP 2049 NNTP Network News Transfer Protocol (NNTP) is used to transmit Usenet news articles. The best procedure to use NNTP is to set internal hosts to internal news servers and external hosts to news feeds. In most conditions NNTP must be enabled in two directions. If you operate a public newsfeed, you must allow NNTP connections from all external hosts. WatchGuard cannot make sure that these packets were sent from the correct location. You can configure the Firebox to add the source IP address to the Blocked Sites list when an incoming NNTP connection is denied. All of the usual log options can be used with NNTP. Characteristics • Internet Protocol(s): TCP • Port Number(s): 119 NTP Network Time Protocol (NTP) is a protocol built on TCP/IP that controls local timekeeping. It synchronizes computer clocks with other clocks located on the Internet. User Guide 499 Packet Filter Policies Characteristics • Internet Protocol(s): UDP and TCP • Port Number(s): TCP 123 and UDP 123 OSPF Open Shortest Path First (OSPF) is a routing protocol developed for IP networks based on the link-state algorithm. OSPF is quickly replacing the use of RIP on the Internet because it gives smaller, more frequent updates to routing tables and makes networks more stable. Characteristics • Internet Protocol(s): OSPF • Protocol Number(s): 89 pcAnywhere pcAnywhere is a software application used to get remote access to Windows computers. To enable this protocol, add the PCAnywhere policy. Then, allow access from the hosts on the Internet that must get access to internal pcAnywhere servers, and to the internal pcAnywhere servers. pcAnywhere is not a very secure policy and can put network security at risk, because it allows traffic through the firewall without authentication. Also, your pcAnywhere server can receive denial-of-service attacks. We recommend that you use VPN options to give more security. Characteristics • Internet Protocol(s): UDP and TCP • Port Number(s): UDP 22, UDP 5632, TCP 5631, TCP 65301 Ping You can use ping to confirm if a host can be found and is operating on the network. To find DOS-based or Windows-based traceroute packets, configure a ping policy. Outgoing ping is a good tool for troubleshooting. We do not recommend you allow ping connections to your trusted network. Characteristics • Internet Protocol(s): ICMP • Protocol Number(s): 1 POP2 and POP3 POP2 and POP3 (Post Office Protocol) are email transport protocols, usually used to get a user’s email from a POP server. Characteristics 500 • Internet Protocol(s): TCP • Port Number(s): 109 (POP2), and 110 (POP3) WatchGuard System Manager Packet Filter Policies PPTP PPTP is a VPN tunnel protocol with encryption. It uses one TCP port (for negotiation and authentication of a VPN connection) and one IP protocol (for data transfer) to connect the two peers in a VPN. Configure the PPTP policy to allow access from Internet hosts to an internal network PPTP server. PPTP cannot get access to hosts’ static NAT because NAT cannot forward IP protocols. Because this policy enables a tunnel to the PPTP server and the Firebox cannot examine packets in the tunnel, use of this policy must be controlled. Be sure to use the most current version of PPTP. Characteristics • Transport Protocol(s): TCP • Internet Protocol(s): GRE • PPTP Negotiation Port Number(s): 1723 RADIUS and RADIUS-RFC The Remote Authentication Dial-In User Service (RADIUS) supplies remote users with secure access to corporate networks. RADIUS is a client-server system that keeps authentication information for users, remote access servers, and VPN gateways in a central user database that is available to all servers. Authentication for the network occurs from one location. RADIUS uses an authentication key that identifies an authentication request to the RADIUS client. In RFC 2865, the server port used by RADIUS changed from port 1645 to 1812. Make sure you select the policy that matches your implementation. Characteristics • Internet Protocol(s): UDP • RADIUS policy Port Number(s): UDP 1645 • RADIUS-RFC policy Port Number(s): UDP 1812 RADIUS-Accounting and RADIUS-Acct-RFC The Remote Authentication Dial-In User Service (RADIUS) Accounting policy supplies accounting information to administrators of networks that use RADIUS authentication. RADIUS is a client-server system that keeps authentication information for users, remote access servers, and VPN gateways in a central user database that is available to all servers. The RADIUS server is also notified when the authenticated session starts and stops. This information can be helpful for accounting. In RFC 2866, the server port used by RADIUS changed from port 1646 to 1813. Make sure you select the policy that matches your implementation. Characteristics • Internet Protocol(s): UDP • RADIUS-Accounting policy Port Number(s): UDP1646 • RADIUS-ACCT-RFC policy Port Number(s): UDP 1813 RDP The Microsoft Remote Desktop Protocol (RDP) supplies remote display and input abilities over network connections for Windows software applications that operate on a server. User Guide 501 Packet Filter Policies Characteristics • Internet Protocol(s): TCP • Port Number(s): 3389 RIP Routing Information Protocol (RIP) is a link state routing protocol developed in the early years of routing. Its limitations make it inappropriate for use in the Internet, but it can be useful in small networks. We recommend that you use this service only if you have enabled and configured RIP in the dynamic routing processes in the Fireware configuration. Characteristics • Internet Protocol(s): UDP • Port Number(s): 520 RSH Remote Shell (RSH) is used to get access to the command line of a remote host computer. Because it is not encrypted, we do not recommend you allow any RSH connections to computers protected by the Firebox without the use of a VPN. Characteristics • Internet Protocol(s): TCP • Port Number(s): 514 RealPlayerG2 Media streaming protocol v7 and v8. Characteristics • Internet Protocol(s): TCP • Port Number(s): 554, 80 Rlogin Remote login (RLogin) is a UNIX command that allows an approved user to log in to other UNIX computers on a network. After the login, the user can do all the operations the host has approved, such as read, edit, or delete files. Because it does not use encryption, we recommend you do not allow Rlogin connections to computers protected by the Firebox. Characteristics • Internet Protocol(s): TCP • Port Number(s): 513 SecurID RSA SecurID Two-Factor Authentication give more security to the user authentication procedure. Created by Security Dynamics Technologies, Inc., it uses SecurID tokens to generate codes and ACE/Server software to corroborate the codes. 502 WatchGuard System Manager Packet Filter Policies Characteristics • Internet Protocol(s): TCP and UDP • Port Number(s): TCP 5510, UDP 5500 SMB (Windows Networking) Windows uses Server Message Block (SMB) to share files, computers, printers, and other network resources. If you set up replication, you can see many tries to use the port mapper service on port 135. When this fails, SMB begins to use port 42. Refer to the RFC for DCE for more instructions. SMB through the Firebox is not secure and we do not recommend it, unless used through a VPN connection. These configuration settings are to be used only if there is no other alternative, and policy settings must specify internal and external hosts. Characteristics • Internet Protocol(s): TCP and UDP • Port Number(s): UDP 137, UDP 138, TCP 139, TCP 445, UDP 445 SMTP The SMTP packet filter policy allows SMTP traffic (email) without using the SMTP proxy. Characteristics • Internet Protocol(s): TCP • Port Number(s): 25 SNMP Simple Network Management Protocol (SNMP) is used to collect information about and configure remote computers. This can be dangerous. Many Internet attacks use SNMP. Because SNMP can cause changes in a network if enabled, carefully review alternatives and record logs for all connections. Characteristics • Internet Protocol(s): UDP • Port Number(s): 161 SNMP-Trap Simple Network Management Protocol (SNMP) traps are notification messages that an SNMP agent (for example, a router) sends to a network management station. These messages usually report an important event that must be examined. Characteristics • Internet Protocol(s): UDP • Port Number(s):162 User Guide 503 Packet Filter Policies SQL*Net Oracle uses one port for its sql*net software. By default, this port is 1526/tcp or port 1521/tcp. Or, edit the tnsnames.ora file to change the port. To allow sql*net through the Firebox, set up a policy for the port that your sql*net server uses, with a protocol of tcp, and a client port of ignore. Then set up incoming access from the allowed external hosts to the sql*net server. Characteristics • Internet Protocol(s): TCP • Port Number(s): 1521, 1526 SQL-Server The SQL-Server policy is used to give access to Sybase Central and SQL Advantage software. Characteristics • Internet Protocol(s): TCP • Port Number(s): 10000 SSH Secure Shell (ssh) is a free application protocol that allows remote login, command control, and the movement of files between computers. It gives strong authentication and secure (encrypted) connections. We recommend the use of ssh because it is more secure than more vulnerable protocols such as telnet, rssh, and rlogin. UNIX versions are available from www.ssh.com, and information on versions for Windows can be found at F-Secure (http://www.f-secure.com). Characteristics • Internet Protocol(s): TCP • Port Number(s): 22 SunRPC Sun Remote Procedure Call (Sun RPC) was developed by Sun Microsystems for connections between clients and servers in the Sun network file system. Characteristics • Internet Protocol(s): TCP and UDP • Port Number(s): TCP 111, UDP 111 Syslog syslog is a policy used to record operating system events on UNIX hosts. Syslog data is usually enabled on a firewall to collect data from a host outside the firewall. The syslog port is blocked in the default Firebox configuration. To allow one log host to collect logs from more than one Firebox: • 504 Remove port 514 from the Blocked Ports list WatchGuard System Manager Packet Filter Policies • Add the WatchGuard® Logging policy to Policy Manager It is usually not secure to allow syslog traffic through the Firebox. It is possible for hackers to fill syslogs with log entries. If the syslog is full, it is more difficult to see an attack. Also, the disk frequently fills up and the attack is not recorded. Characteristics • Internet Protocol(s): UDP • Port Number(s): 514 TACACS TACACS user authentication is a system that uses user accounts to authenticate users into a dial-up modem pool. This removes the need to keep copies of accounts on a UNIX system. TACACS does not support TACACS+ or RADIUS. Characteristics • Internet Protocol(s): UDP • Port Number(s): 49 TACACS+ TACACS+ user authentication is a system that uses user accounts to authenticate users into a dial-up modem pool. This eliminates the need to keep copies of accounts on a UNIX system. TACACS+ supports RADIUS. Characteristics • Internet Protocol(s): TCP • Port Number(s): 49 TCP This policy serves as the default policy for all TCP connections, and other policies override it. TCP connections that do not match specified policies in Policy Manager do not complete unless TCP-UDP, TCP, or the TCP Proxy are also configured in Policy Manager. This policy does not enable FTP, which operates only with an FTP policy. TCP-UDP This policy serves as the default policy for all TCP and UDP connections, and other policies override it. Connections that do not match specified policies in Policy Manager do not complete unless TCP-UDP, TCP and UDP, or the TCP Proxy are also configured in Policy Manager. This policy does not enable active mode FTP, which operates only with an FTP policy. Telnet The telnet policy is used to log in to a remote computer. It is almost the same as dial-up access, but the connection is made across a network. Characteristics • User Guide Internet Protocol(s): TCP 505 Packet Filter Policies • Port Number(s): 23 Timbuktu Timbuktu Pro is remote control and file transfer software used to get access to Windows computers. The protocol uses TCP port 1417 and UDP port 407. Add the Timbuktu policy and allow access from the hosts on the Internet that must get access to internal Timbuktu servers, and to the internal Timbuktu servers. Timbuktu is not a very secure software application and can put network security at risk. It allows traffic inside the firewall without authentication. In addition, the Timbuktu server can receive denial-of-service attacks. We recommend that you use VPN options for more security. Characteristics • Internet Protocol(s): TCP, UDP • Port Number(s): UDP 407, TCP 1417 Time The Time policy is almost the same as NTP. It is used to synchronize clocks between hosts on a network. Time is usually less accurate and less efficient than NTP across a WAN. We recommend that you use NTP. Characteristics • Internet Protocol(s): TCP, UDP • Port Number(s): TCP 37, UDP 37 Traceroute Traceroute is a software application that creates maps of networks. It is used for network troubleshooting, network route troubleshooting, and finding the Internet service provider of a site. The WatchGuard traceroute policy controls UNIX-based, UDP-style traceroute only. For a DOS-based or Windows-based traceroute packet filter, use the ping policy (see “ping” on page 42). Traceroute uses ICMP and UDP packets to create paths across networks. It uses the UDP TTL field to send back packets from each router and computer between a source and a destination. If you allow traceroute to computers protected by your Firebox®, this can enable a hacker to create a map of your private network. Characteristics • Internet Protocol(s): UDP • Port Number(s): 33401-65535 • This policy serves as the default policy for all UDP connections, and other policies override it. UDP connections that do not match specified policies in Policy Manager do not complete unless UDP, TCP-UDP, or the TCP Proxy are also configured in Policy Manager. UDP 506 WatchGuard System Manager Packet Filter Policies UUCP Unix-to-Unix Copy (UUCP) is a UNIX tool and protocol that enables one computer to send files to another computer. This tool is not used frequently, as users more often use FTP, SMTP, and NNTP to transfer files. Characteristics • Internet Protocol(s): TCP • Port Number(s): 540 WAIS Wide Area Information Services (WAIS) is a protocol you can use to find documents on the Internet. Thinking Machines Incorporated first developed WAIS. Some web sites use WAIS to look for searchable indices, but it is not used frequently. WAIS is created on the ANSI Z39.50 search protocol, and the words Z39.50 and WAIS refer to the same technology. Characteristics • Internet Protocol(s): TCP • Port Number(s): 210, but servers can be (and frequently are) configured on other ports, much like HTTP servers WinFrame Citrix ICA is a protocol used by Citrix for its software applications, which includes the Winframe product. Winframe gives access to Windows from different types of clients. Citrix uses TCP port 1494 for its ICA protocol. Citrix MPS 3.0 uses Session Reliability by default. This changes the ICA protocol to use TCP 2598. If you use Citrix MPS, you must add a policy for TCP port 2598. A WinFrame policy could put your network security at risk because it allows traffic through the firewall without authentication. In addition, your Winframe server can receive denial-of-service attacks. We recommend that you use VPN options to give more security for ICA connections. You can use all of the usual log options with WinFrame. Characteristics • Internet Protocol(s): TCP • Port Number(s): 1494 WG-Auth The WatchGuard Authentication policy allows users to authenticate to the Firebox. Characteristics • Internet Protocol(s): TCP • Port Number(s): 4100 User Guide 507 Packet Filter Policies WG-Firebox-Mgmt The WatchGuard Firebox Management policy allows configuration and monitoring connections to be made to the Firebox. We recommend that you allow this policy only to the management station. The policy is usually set up on the trusted interface. Characteristics • Internet Protocol(s): TCP • Port Number(s): 4103, 4105, 4117, 4118 WG-Logging The WatchGuard Logging policy is necessary only if a second Firebox must get access to a Log Server on the trusted interface of a Firebox. If there is only one Firebox, this policy is not necessary. Characteristics • Internet Protocol(s): TCP • Port Number(s): 4107, 4115 WG-Mgmt-Server When you use the WatchGuard Management Server Setup wizard to configure a Management Server, the wizard automatically adds this policy to the gateway Firebox. It controls incoming connections to the Management Server. Characteristics • Internet Protocol(s): TCP • Port Number(s): 4110, 4112, 4113 WG-SmallOffice-Mgmt The WatchGuard Small Office Management policy allows you to make a secure connection to SOHO and Firebox X Edge devices from WatchGuard System Manager. Characteristics • Internet Protocol(s): TCP • Port Number(s): TCP 4109 WG-WebBlocker The WatchGuard WebBlocker policy allows connections to the WebBlocker Server. Characteristics 508 • Internet Protocol(s): TCP, UDP • Port Number(s): TCP 5003, UDP 5003 WatchGuard System Manager Proxy Policies WHOIS The WHOIS protocol gives information about the administrator of web sites and networks. It is frequently used to find the administrator of a different web site. To filter WHOIS traffic, add a WHOIS policy that allows connections to the WHOIS server (such as rs.internic.net). Characteristics • Internet Protocol(s): TCP • Port Number(s): 43 X11 The X Windows System Protocol has components that are used to create graphic desktops, which include windows, colors, displays, and screens. X11 also supplies a flow of events that show the interaction between a user and a computer input device (such as a mouse, keyboard, and so on). Characteristics • Internet Protocol(s): TCP • Port Number(s): 6000-6063 Proxy Policies This section reviews the proxy policies supplied by the WatchGuard® System Manager. A proxy policy opens packets, strips out forbidden data types in the packet content, and assembles the packets again using the source and destination headers of the proxy. You configure and activate proxies the same way you add packet filter policies. DNS-proxy Domain Name Service (DNS) matches host names to IP addresses. The DNS proxy policy examines the contents of DNS packets to help protect your DNS servers from hackers. It puts limits on the type of operations allowed in a DNS query and can look for specified patterns in query names. Characteristics • Internet Protocol(s): TCP and UDP • Port Number(s): TCP 53 and UDP 53 FTP-proxy File Transfer Protocol (FTP) is used to send files from one computer to a different computer over a TCP/ IP network. The FTP client is usually a computer. The FTP server can be a resource that keeps files on the same network or on a different network. The FTP client can be in one of two modes for data transfer: active or passive. In active mode, the server starts a connection to the client on source port 20. In passive mode, the client uses a previously negotiated port to connect to the server. The Fireware FTP proxy monitors and scans these FTP connections between your users and FTP servers they connect to. Characteristics User Guide 509 Proxy Policies • Internet Protocol(s): TCP • Port Number: 21 HTTP-proxy Hyper Text Transfer Protocol (HTTP) is a request/response protocol between clients and servers. The HTTP client is usually a web browser. The HTTP server is a remote resource that keeps or creates HTML files, images, and other content. When the HTTP client starts a request, it establishes a Transmission Control Protocol (TCP) connection on port 80. An HTTP server listens for requests on port 80. When it receives the request from the client, the server replies with the requested file, an error message, or some other information. The WatchGuard policy “HTTP Proxy” is not the same as an HTTP caching proxy. An HTTP caching proxy controls the caching of Web data. If you use an external caching proxy, you must enable (by adding policies) any outgoing policies that are necessary for your organization. If you do not, outgoing TCP connections do not operate correctly. Characteristics • Internet Protocol(s): TCP • Port Number(s): 80 (but servers can operate on any port, a common alternative is 8080, and Secure Socket Layer (SSL) connections are usually served on port 443) POP3-proxy Post Office Protocol v.3 (POP3) is a protocol that moves email messages from an email server to an email client on a TCP connection on port 110. Most Internet-based email accounts use POP3. With POP3, an email client contacts the email server and checks for any new email messages. If it finds a new message, it downloads the email message to the local email client. After the message is received by the email client, the connection is closed. Characteristics • Internet Protocol(s): TCP • Port Number(s): 110 SMTP-proxy Simple Mail Transfer Protocol (SMTP) is the Internet standard protocol used to transmit and receive email messages. Usually SMTP servers are public servers. You use the SMTP proxy to control email messages and email content. The proxy scans SMTP messages for a number of filtered parameters, and compares them against the rules set in the proxy configuration. When you use incoming static NAT with SMTP, you might see packets that come from the remote mail server being denied with destination port 113. In these cases, you can add an IDENT policy to Policy Manager. Configure IDENT to allow incoming connections to: Firebox. This enables outgoing mail messages from behind the Firebox to the few SMTP servers on the Internet that use IDENT. If you do not want to use the SMTP proxy but want to use SMTP, but have SMTP operate correctly, add a packet filter SMTP policy that uses TCP protocol and port 25. Characteristics 510 • Internet Protocol(s): TCP • Port Number(s): 25 WatchGuard System Manager Proxy Policies TCP-proxy The TCP Proxy policy gives configuration options for HTTP on port 80 and adds a rule that allows TCP connections from networks behind the Firebox® to networks external to the Firebox by default. The TCP Proxy rule makes sure that all HTTP traffic from behind the Firebox on all ports is proxied with the HTTP proxy rules. We recommend that you allow HTTP only to any public HTTP servers kept behind the Firebox. External hosts can be spoofed. WatchGuard cannot make sure that these packets were sent from the correct location. Configure WatchGuard to add the source IP address to the Blocked Sites list when an HTTP connection to a host behind your Firebox is denied. Configure the parameters and MIME types the same as you do for the HTTP Proxy. User Guide 511 Proxy Policies 512 WatchGuard System Manager Index Symbols .cfg file. See configuration file .ftr files 266 .wgl files converting to .xml format 100 described 99 Numerics 1-1 Mapping dialog box 145 1-to-1 NAT. See NAT, 1-to-1 A Activate Gateway AntiVirus wizard 419 Activate Intrusion Prevention wizard 426–428 Activate spamBlocker wizard 392–?? Activate WebBlocker wizard 375–378 active connections on Firebox, viewing 48 Active Directory authentication 168 active features, viewing 63 Add Address dialog box 148, 202, 365 Add Alias dialog box 77 Add Device wizard 292 Add Dynamic NAT dialog box 143 Add Event Processor dialog box 90 Add Exception Rule dialog box 395 Add Firebox Feature Key dialog box 62 Add Firebox License Key dialog box 391 Add Policies dialog box 189, 190 Add Policy wizard adding custom Edge Configuration Templates with 310 adding existing Edge Configuration Templates with 310 Add Protocol dialog box 193, 311 Add Route dialog box 117 Add Search Rule dialog box 104 Add Site dialog box 177 Add Static NAT dialog box 148, 202 Add VPN wizard 304, 325, 326 Add WebBlocker Server dialog box 379 Advanced Diagnostics dialog box 92 alarms and FTP 236 configuring for proxy rules 98 User Guide configuring proxy and antivirus 221 described 247, 253 aliases and managed Firebox X Edge devices 314 creating 77 default 76 defining on Firebox X Edge 316 described 76 for IP addresses 20 naming on Management Server 316 Aliases dialog box 77, 316 allow (proxy action) 253 ANSI Z39.50 507 Antispyware Blocklist Categories dialog box 178 Any policy described 491 Any-External alias 76 Any-Optional alias 76 Any-Trusted alias 76 Archie policy 491 ARP cache, flushing 57 attacks about SYN flood setting 175 address space 175 DDoS 176 Denial of Service (DoS) 175 flood 175 IPsource route 174 port space 175 stopping 173–176 auth (ident) policy 492 authentication Active Directory 168 and ssh 504 defining groups for 157 described 77, 153 from external interface 154 from outside Firebox 154 of remote users 158 through Firebox to other Firebox 154 Authentication List tab (Firebox System Manager) 44 authentication servers and policies 169 LDAP 164 RADIUS 161 SecurID on RADIUS server 163 types of 156 types supported 364 using backup 157 using Fireboxes as 157 Authentication Servers dialog box 159, 366 513 Authorized Users or Groups dialog box 170 Auto Adjustment setting, TCP segment size 80 B Backup dialog box 75 backup images creating 75 described 75 restoring 76 backup of configuration file 12 Bandwidth Meter tab adding/removing lines in 41 changing colors in 41 changing interface names in 41 changing scale of 40 described 40 bandwidth usage, viewing 39 base encryption 12 block (proxy action) 253 blocked ports blocking sites that use 182 default 181 permanent 182 reasons for 181 Blocked Ports dialog box 182 Blocked Ports list 182 blocked sites auto-blocked 176 blocking with policy settings 180 described 176 dynamic 180 exceptions to 179 logging and notification for 180 permanent 176, 177 spyware sites 178 temporary 180 viewing current 43 Blocked Sites Configuration dialog box 177 Blocked Sites list adding sites from HostWatch 51 adding/removing sites from 45 and Gateway AntiVirus 421, 430 described 176 exceptions to 179 using proxy definitions for 253 viewing 45 Border Gateway Protocol (BGP) configuring Fireware to use 449 daemon configuration 447–448 described 446, 492 BOVPN with Manual IPSec and strong encryption 12 configuring a gateway 330 creating tunnel policies 343 listed on Device Status tab 319 outgoing dynamic NAT and 343 specifying authentication method 331, 336 specifying encryption type 336 BOVPN with WatchGuard System Manager adding security templates 323, 324 defining Fireboxes as managed clients 320 editing tunnels 326 removing devices/tunnels 327 Branch Office IPSec Tunnels dialog box 337 514 C CA. See Certificate Authority cables, installing 22 Certificate Authority configuring certificate for 277 described 277 recording diagnostic log messages for 279 Certificate Revocation List (CRL) configuring properties for 279 publishing 357 certificates described 349 generating new 351 importing 353 printing to the screen 356 Citrix ICA policy 492 Clarent-command policy 492 Clarent-gateway policy 493 clock, synchronizing to NTP server 64 communication log 57 configuration file and Policy Manager 71 backing up 12 customizing 17 making a new 74 opening 71 opening local 73 saving 74 saving to Firebox 74 saving to local drive 75 configuration modes, described 9 configuration passphrase described 16, 58, 67 setting 13 Configure Log Servers dialog box 90 Configure Syslog dialog box 90 Connect to Device dialog box 16 Connect to Firebox dialog box described 29 troubleshooting 73 connection status, viewing 3 Connections For dialog box 49 cookies 243 CPU use, graphing 52 CU-SeeMe policy 493 custom idle time-out for policies, setting 200 D DDoS attacks 176 default gateways and drop-in configuration 10, 120 for secondary private networks 20 viewing IP address of 3, 35 default packet handling and address space attacks 175 and address space probes 175 and DDoS attacks 176 and Denial of Service (DoS) attacks 175 and flood attacks 175 and IP source route attacks 174 and port space attacks 175 and port space probes 175 and spoofing attacks 174 described 173 WatchGuard System Manager options for 173 Default Packet Handling dialog box 174 Define New Authorized User or Group dialog box 170 Defining a New LAN 124 Denial of Service (DoS) attacks 175 deny (proxy action) 253 Device Configuration dialog box 65 Device Management Page for Firebox 296, 298 updating device 302 Device Management tab configuring settings on 295 described 4 removing a device from 327 starting other tools from 303 Device Policy dialog box 322 Device Properties dialog box 298 Device Status tab and BOVPN with Manual IPSec 319 described 4 removing a device from 327 devices, removing from WatchGuard System Manager 327 devices. See also Firebox, SOHO, etc. DHCP 110 DHCP relay, configuring 110 DHCP server configuring Firebox as 110 default lease time for 110, 125, 299 described 110 using for external interface addressing 113 using server remote from client 110 DHCP support on external interface 20, 110 DHCP-Server policy 494 diagnostic log file, setting location for 44 diagnostic logging described 99 for Certificate Authority 279 for Management Server 277 selecting level of 91 Diffie-Hellman groups described 325, 336 DMZ (Demilitarized Zone) 9 DNS policy for 494 DNS proxy adding new query types rules 249 and Intrusion Prevention Service 426, 432 configuring 246–250 configuring DNS query types 248 described 246, 509 OPcodes, configuring 247 DNS servers addresses for 114 configuring 362 Domain Name System. See DNS Download WebBlocker Database dialog box 374 drop (proxy action) 253 drop-in configuration characteristics of 11, 120 configuring related hosts 120 described 9, 10 multi-WAN not supported in 11, 120, 127 Drop-In Mode Properties dialog box 121 duplex parameters, setting 118 DVCP Server. See Management Server User Guide dynamic DNS creating a DynDNS account 115 described 115 dynamic NAT. See NAT, dynamic dynamic routes, viewing 44 dynamic routing described 437 protocols for 437 routing daemon configuration files 437 using Border Gateway Protocol (BGP) 446–450 using OSPF 442–446 using RIP (Routing Information Protocol) 438 using RIP (Routing Information Protocol) V1 438– 440 using RIP (Routing Information Protocol) V2 440– 442 Dynamic Routing Setup dialog box 439, 441, 445, 449 dynamically blocked sites 180 E Edge Configuration Templates adding with Add Policy wizard 310–311 applying to devices 312–313 cloning 312 creating/applying 308–309 described 308 Edge Network Settings dialog box 303 Edit Gateway dialog box 336 Edit Policy Properties dialog box 84, 283 Edit Service Properties dialog box 285 Edit Tunnel dialog box 342 e-mail addresses, setting maximum length for 214 e-mail attachments, limiting file names for 218 e-mail messages 221 actions for attachments 421, 430 and the SMTP proxy 213, 510 as notification 95, 97 creating rules for bulk or suspect 401 hiding server data for 215 restricting recipients 219 restricting senders 219 scanning compressed attachments in 424 setting maximum line length for 215 setting maximum recipients for 214 setting maximum size for 214 setting responses for viruses in 220 spam. See spamBlocker unlocking attachments 423 Enable TOS for IPSec option 119 encryption and management software 12 and RUVPN with PPTP 361 base, described 12 strong, activating 361 strong, and BOVPN with Manual IPSec 12 strong, described 12 encryption key for creating backup image 76 log. See log encryption key Entrust policy 494 ESMTP configuring authentication rules 217 configuring parameters for 216 described 216 extended authentication defining groups for 364 515 external interface configuring 110–113 configuring multiple. See multi-WAN support described 9 dynamic addressing on 110 dynamic IP support on 20 using a static IP address for 111 using DHCP for addressing 113 using PPPoE on 111 F feature keys 62 adding to Firebox 62 deleting 63 obtaining 61 viewing 56, 63 features, activating 61 finger policy 494 Firebox Feature Keys dialog box 62, 63 Firebox Installation Services 27 Firebox interfaces changing address of 108 configuring 108–116 described 9 monitoring traffic through 33 see also individual listings for interfaces viewing IP addresses of 3, 35 Firebox passphrases. See passphrases Firebox running Fireware, configuring as managed client 283 Firebox running WFS, configuring as managed client 285 Firebox System Manager and Intrusion Prevention Service 434 Authentication List tab 44 Bandwidth Meter tab 39 Blocked Sites list 45 described 2, 17, 29 Firebox and VPN tunnel status 35 front panel 34 Front Panel tab 33 menus and toolbars in 31 monitoring spamBlocker activity with 402 monitoring tunnels in 36 opening 30 pausing 33 Performance Console 51–55 Security Services tab 46, 402, 433 Service Watch tab 41 setting refresh interval for 32 star display 33 starting 29 Status Report tab 43–44 Traffic Monitor tab 37–39 triangle display 33 viewing bandwidth usage 39 viewing Firebox traffic 33 Firebox X Edge configuring as managed client 288 defining aliases on 316 importing into Management Server 288 managing 305 modifying configuration template for 304 preparing new unit for management 287 scheduling firmware updates for 305–307 using aliases with 314 Firebox X e-Series 516 resetting 68 Fireboxes backup image of 75 cables for 22 configuring as DHCP server 110 configuring for RUVPN with PPTP 361 configuring management properties for 297 configuring to accept SNMP polls 65, 96 connecting to 16, 29 defining as managed clients 320 designating Log Server for 89 disconnecting from 16 friendly names in log files, reports 65 global settings 79 hosting PPTP sessions 158 interfaces. See Firebox interfaces making outbound PPTP connections from behind 371 managing from remote location 83 monitoring status 29 obtaining IP addresses dynamically 21 opening configuration file 71 package contents 8 recovering 68 resetting passphrases 67 resetting to factory-default 68 saving configuration file to 74 setting time zone for 65 synchronizing clock to NTP server 64 timeout value 16, 281 using as authentication servers 157 viewing active connections on 48 viewing bandwidth usage 39 viewing kernel routing table for 44 viewing load average of 43 viewing memory use of 43 viewing model of 43 viewing network card information 43 viewing processes of 43 viewing traffic and performance 43 viewing traffic through 33 Fireware described 5 upgrading 18 Fireware Pro described 5 firmware updates, viewing/deleting 308 flood attacks 175 Front Panel tab (Firebox System Manager) 33 FSM. See Firebox System Manager FTP policy 494 FTP proxy and Intrusion Prevention Service 426, 432 configuring general settings 233, 234, 235, 236, 237 described 232, 509 setting download rules for 234 setting upload rules for 235 FTP servers, and archie policy 491 G Gateway AntiVirus and the HTTP proxy 418 and the SMTP proxy 418 applying settings to policies 419 configuring engine settings for 424 configuring signature server for 425 WatchGuard System Manager described 417 enabling automatic virus signature updates 418, 424, 425, 432 installing 417 unlocking an attachment 423 updating signatures manually 434 viewing engine version 47 viewing information on 46 viewing recent activity 46 viewing signature information 46 Gateway AntiVirus dialog box 422, 424 gateways default. See default gateways for tunnels, configuring 330–?? for tunnels, editing/deleting 336 Gateways dialog box 330 Generic Routing Encapsulation Protocol (GRE) policy 495 global settings for authentication 155 for ICMP error handing 79 for TCP SYN checking 80 TCP segment size 80 using for Firebox 79 Global Settings dialog box 79 gopher policy 495 groups (authentication) assigning users to 160 components of 157 described 157, 366 H HELO/EHLO responses, examining 215 High Availability (HA) and proxy sessions 465 backing up configuration 465 configuring (non e-Series) 463–464 described 461 forcing a failover 464 requirements for 462 restarting the peer 465 selecting primary Firebox for 462 synchronizing the configuration 464 upgrading software in HA configuration 465 viewing status of 35 High Availability dialog box 463 Historical Reports and SMTP traffic 215 applying a filter 267 automating reports with Log Server 95 creating report filter 266 creating/editing 259–264 deleting a filter 267 deleting reports 261 described 17, 259 editing a filter 266 editing existing reports 261 running a report 267 starting 259 starting new reports 260 time spans for 262 time zone for 65 Home Banking Computer Interface (HBCI) policy 495 host routes, configuring 117 hosts User Guide related, configuring 120–121 viewing in HostWatch 50 HostWatch changing view properties 50 choosing colors for display 51 described 17, 48 display 48 pausing 51 setting display properties 50 starting 48 viewing authenticated users 50 viewing hosts 50 viewing ports 50 HTTP caching proxy 510 HTTP policy 495, 510 HTTP proxy and Gateway AntiVirus 418, 422 and Intrusion Prevention Service 426, 428, 430 and range requests 238 and WebBlocker 376 changing deny message 244 described 237, 510 sending log messages per transaction 239, 247, 251 setting body content types 243 setting content types for responses 242 setting idle timeout for 238, 241 setting length of response headers 241 setting maximum line length of response headers 241 setting maximum URL length 238 setting request authorization 241 setting request header fields 240 HTTPS policy 496 I ICMP error handling settings for Firebox 79 in policies 204 Identification Protocol (IDENT) policy 496 idle time-out for policies, setting 200 IGMP policy 496 Ignore DF for IPSec setting 119 IKE and Diffie-Hellman group 325, 336 IMAP policy 496 installation procedures 7–22 Instant Messaging (IM) use, preventing 430 Intel Video Phone policy 497 Interface Settings dialog box 109, 113 interfaces changing IP address of 108 configuring 108–116 graphing events on 52 setting speed and duplex 118 viewing configuration of 44 Internet accessing through PPTP tunnel 370 threats from hackers on 417, 426 virus traffic on 24 Internet Group Management Protocol (IGMP) policy 496 Internet Mail Access Protocol (IMAP) policy 496 Internet Relay Chat (IRC) policy 497 Intrusion Prevention dialog box 429, 433 517 Intrusion Prevention Service activating 426–428 and DNS proxy 426, 432 and FTP proxy 426, 432 and HTTP proxy 426, 428, 430 and SMTP proxy 432 and TCP proxy 426, 428, 430 configuring 429–433 configuring signature exceptions 432 copying settings to other policies 433 creating new proxy policies 428 described 417, 426 installing 417 intrusion severity levels 429 selecting proxy policies to enable 427 viewing information on 46 viewing recent activity 47 viewing signature information 47 intrusion severity levels (High, Medium, Low) 429 intrusions described 417 see also Intrusion Prevention Service viewing number found 37 IP addresses and routed configuration 10 default gateways 3, 35 entering 21 entering for RUVPN with PPTP 365 netmask 3, 35 of Firebox interfaces 35 WINS/DNS servers 115, 300 IP alias 20 IP source route attacks 174 IPS. See Intrusion Prevention Service IPSec pass through setting 119 policy for 497 types of tunnels that use 3 IRC policy 497 ISAKMP and Diffie-Hellman groups 325, 336 K Kerberos policies 497 kernel routing table, viewing 44 known issues 25 L L2TP policy 497 launch interval, setting 97 LDAP policy for 498 LDAP authentication 164 LDAP-SSL policy 498 license keys downloading 64 seeing properties of 64 Limit to setting, TCP segment size 80 link speed, setting 118 LiveSecurity Gold Program 27 LiveSecurity Service activating 24 benefits of 23 518 broadcasts 24 described 18 Rapid Response Team 24 technical support 26 load average of Firebox, viewing 43 Local Alias Setting dialog box 317 lock (proxy action) 253 log encryption key changing 88 default 13 setting 88 setting for new servers 90 log files consolidating 99 converting from .wgl to .xml format 100 copying entries 105 creating a search rule 103 default location for 99 merging 99 names of 99 searching 104 setting Firebox names used in 65 setting location for diagnostic 44 setting rollover frequency for 93 setting size for 93 viewing with LogViewer 99 log messages blocking source/destination of 39 configuring for proxies 98 configuring for rules 98 copying address of 39 copying to another application 39 pinging source/destination 39 sending for HTTP transactions 239, 247, 251 setting maximum number of 37 showing in color 38 tracing route to 39 Log Servers adding 89 and log files 99 and reports 259 automating reports using 95 changing encryption key for 88 described 4, 87 installing on computers with desktop firewalls 19 locations for 87 setting designated for Firebox 89 setting priority for 90 setting up 87 starting/stopping 93 viewing IP addresses of 43 where to install 11 logging alarm log messages 99 configuring for policies 201 configuring for proxies 98 described 87, 98 diagnostic log messages 99 enabling advanced diagnostics 91 enabling syslog 90 event log messages 99 for blocked ports 180, 182 global preferences for 93 spamBlocker responses 394 traffic log messages 98 where to view messages 98 Logging and Notification dialog box 98, 180, 182, 201 Logging Setup dialog box 89, 90, 91, 92 WatchGuard System Manager LogViewer copying log data 105 creating a search rule 103 described 17, 101 exporting log file data 105 resetting to default colors 103 searching by keyphrase 102 searching for entries 104 seeing sample log message 103 selecting columns to display 103 setting background color 103 setting color for message type 103 setting preferences 102 showing logs 103 showing messages in color 103 starting 101 time zone for 65 viewing current file in 105 viewing files with 99 Lotus Notes policy 498 M MAC addresses of interfaces, viewing 3, 35 stored on Firebox 57 main menu button 57, 58 managed client configuring Firebox running Fireware as 283 configuring Firebox running WFS as 285 configuring Firebox X Edge as 288 defining Firebox as 320 described 283 enabling to send log messages 284 SOHO 6 as 290 Managed Client Setup dialog box 284 Management Information Bases, location of 67 Management Page for Firebox 296, 298 updating device 302 Management Server adding/removing license for 276 backing up/restoring configuration of 280 changing configuration of 276 connecting to 280 creating new 275 described 4, 273 Device Management page. See Device Management page disconnecting from 281 importing Firebox X Edge devices into 288 installing 273 license keys for 277 managing devices with ??–291 master encryption key 273 moving to a new computer 280 naming aliases on 315 passphrase 274 passphrases for 273 recording diagnostic log messages for 277 using only to monitor 281 using Setup wizard 275 where to install 11 Management Server Backup/Restore Wizard 280 Management Server Configuration dialog box 276 Management Server settings page 306, 315, 316 management station and software encryption levels 12 User Guide setting up 11 master encryption key described 273, 274 setting 275 when to use 274 memory use of Firebox, viewing 43 Merge Logfiles dialog box 100 MIBs, location of 67 Microsoft SysKey Utility 274 MS Win Media policy 499 MSDUN, and RUVPN 367 MSSQL-Monitor policy 498 MSSQL-Server policy 498 multi-WAN support and NAT 146 and network configuration 11 described 127 in round-robin order 128 limitations of 127 routing table option 128 MUVPN and WINS/DNS server addresses 114 configuring Firebox to host 158 MX records 202 N NAT 1-to-1 and VPN tunnels with same IP address 145 configuring 145 configuring policy-based 146 defining rules for 144 described 141, 144 using 144 using in policies 205 and tunnel switching 370 described 141 dynamic adding entries 142 allowing through BOVPN tunnel 343 changing entry order 143 described 141, 142 enabling 142 using in policies 146, 205 SMTP and 202 static configuring a policy for 201 configuring for a policy 148 described 142 types of 141 NAT Setup dialog box 143 NAT Traversal 335 netmask, viewing address of 3, 35 NetMeeting policy 499 network address translation. See NAT network cards, viewing information about 43 Network Configuration dialog box 108, 110, 113, 120 Network Connection wizard 369, 370 Network File System 181 Network File System (NFS) policy 499 network routes. See routes Network Time Protocol (NTP) policy 499 Network Time Protocol server, synchronizing Firebox clock to 64 networks, secondary. See secondary networks 519 New Gateway dialog box 331, 344 New Gateway Endpoints Settings dialog box 346 New Policy Properties dialog box 190 New Policy Template dialog box 193 New Schedule dialog box 82 New Tunnel dialog box 337 NFS policy 499 NNTP policy 499 No Adjustment setting, TCP segment size 80 notation, slash 21 notification configuring for proxies 98 for blocked ports 180, 182 global preferences for 93 sending e-mail messages for 95 setting launch interval 97 setting repeat count 97 NTP policy 499 NTP server, synchronizing Firebox clock to 64 NTP Setting dialog box 64 O online support services accessing 26 described 25 Open Firebox dialog box 72 optional interface and DHCP 110 and DHCP relay 110 configuring 108 described 9 OSPF (Open Shortest Path First) allowing traffic through the Firebox 446 configuring Fireware to use 445 daemon configuration 442 described 442 Interface Cost table 444 OSPF policy 500 Outgoing Interface Bandwidth 452 P packet filters 183, 209 packet handling, default. See default packet handling packets unhandled 175 viewing number sent and received 3, 35 passphrases and SysKey utility 274 changing 59, 67 configuration, changing 58, 67 configuration, described 16 for authenticating to Firebox 160 location of 274 Management Server 274 resetting for Firebox 67 setting in Quick Setup Wizard 13 status, changing 58, 67 status, described 16 tips for creating 59, 67 types of 58, 67 passwords file containing 274 520 PCAnywhere policy 493, 500 Peer to Peer (P2P) use, preventing 431 Per Interface Dynamic DNS dialog box 116 Perfect Forward Secrecy 339 Performance Console adding a new chart to 55 changing polling interval for 55 defining counters for 52 deleting a chart 55 described 51 monitoring VPN events 52 multiple graphs 55 showing events of selected policies 52 showing interface events 52 showing system information 52 viewing graph 54 PFS 339 Phase2 Proposal dialog box 341 ping command for source of messages 39 ping policy 500 Point-to-Point Protocol over Ethernet. See PPPoE policies adding several of same type 191 and your security policy 17 configuring for incoming static NAT 201 configuring notification for 201 configuring static NAT for 142, 148 configuring to allow RUVPN traffic 367 creating custom 192 deleting 192 described 183 graphing events regarding 52 ICMP error handling in 204 setting destinations for 196 setting logging properties for 201 setting precedence for 207–208 setting schedules for 203 setting time-out for 200 types of 491 user authentication and 169 viewing icons for 184 viewing number of connections by 41 well-known 491 policy highlighting 188 Policy Manager as view of configuration file 71 described 2, 17, 71 displaying detailed view 185 opening a configuration file from 71 using to modifying configuration file 107–113 Policy Properties dialog box 98 policy-based 1-to-1 NAT 146 policy-based routing 198 POP2 policy 500 POP3 policy 500 POP3 proxy 222 port space probes 175 ports blocking 181 monitoring 50 restricting for MUVPN clients 159 speed and duplex settings 118 viewing in HostWatch 50 PPP user name and password 21 PPPoE and 1-to-1 NAT 21 described 111 setting parameters for 112 WatchGuard System Manager support on external interface 21, 111 PPPoE parameters dialog box 112 PPPoE support on external interface 111 PPTP policy for 501 PPTP_Users group, adding new users to 366–367 private LAN 9 processes, viewing information on 43 processor load indicator 34 Properties dialog box 180 proxied policies. See proxies proxies categories list 251 configuring logging/notification for 98 described 183 preconfigured 183 See also individual names of proxies proxy rules. See rules Q QoS Marking policies and 205 values for 457 Quality of Service (QoS) applying actions to policies 203 creating actions for 456 described 451 using in a multi-WAN environment 455 Quarantine Server configuring 405 described 5, 403 managing messages on 410 managing users for 412 rules for, configuring 409 starting 404 Quarantine Server Setup Wizard 404 Quick Setup Wizard described 12 launching 13 non-Web 13 Web described 13 troubleshooting 14 using 14 using for recovery 14 R RADIUS policy 501 RADIUS server authentication 161 RADIUS-Accounting policy 501 Rapid Response Team 23, 24 rcp 181 RDP policy 501 RealPlayer G2 policy 502 recovery and Web Quick Setup Wizard 14 procedure for 68 red exclamation point in WatchGuard System Manager 4 refresh interval for Firebox System Manager 32 related hosts, configuring 120 Remote Desktop Protocol (RDP) policy 501 User Guide remote location, managing Firebox from 83 Remote Proxies category (WebBlocker) 377 repeat count, setting 97 Report Filter dialog box 266 Report Properties dialog box 260, 261, 262, 263, 264 reports and network interface relationships 265 applying a filter 267 authentication details 269 automating with Log Server 95 backing up 262 consolidating sections 263, 268, 271 creating filters 266 creating/editing 259–265 deleting 261 deleting a filter 267 denied incoming/outgoing packet detail 270 denied packet summary 270 denied service detail 270 described 259 detail sections 264 editing 261, 262 editing filters 266 exporting to HTML 268 Firebox statistics 269 FTP detail 270 host summary 269 HTTP detail 270 HTTP summary 269, 272 including DNS names for IP addresses 263 location of 267 NetIQ format 268 network statistics 271 proxy summary 269 running 267 sections in 262, 268 service summary 269 session summary 269 setting Firebox names used in 65 SMTP summary 270 specifying sections for 262 starting new 260 summary sections 264 time spans for 262 time summary 269, 271 using filters 265 viewing list of 261 WebBlocker detail 270 Resource dialog box 322 RIP (Routing Information Protocol) described 438, 502 Version 1 allowing broadcasts through Firebox 440 configuring Fireware to use 439 described 438 Version 2 allowing multicasts of 441 configuring Fireware to use 441 described 440 RIP policy 502 rlogin 181 Rlogin policy 502 root certificate, publishing 356 round-robin order, multiWAN 128 routed configuration characteristics of 10 described 9, 10 routes adding to tunnel definitions 338 521 configuring 116, 117 described 116 host 117 network 117 viewing 44 RPC portmapper 181 rsh 181 RSH policy 502 rules changing precedence of 254 components of 210, 251 configuring alarms for 98 configuring log messages for 98 rulesets adding 253 categories of 251 RUVPN with PPTP accessing the Internet with 370 activating 363 and MSDUN 367 and WINS/DNS server addresses 114 configuration checklist 361 configuring policies to allow 367 configuring shared servers for 362 described 361 encryption levels 361 entering IP addresses for 365 IP addressing 361 making connections from behind Firebox 371 preparing client computers for 367 preparing Windows 2000 remote host 369 preparing Windows Vista remote host 368 preparing Windows XP remote host 369 running 370 S Save to Firebox dialog box 74 schedules creating 82 described 82 for WebBlocker actions 387 using for policies 203 Schedules dialog box 82 secondary networks adding 20, 113 and Web Quick Setup Wizard 20 described 20 SecurID authentication 163 SecurID policy 502 security policy customizing 17 described 17 See also configuration file Security Services tab (Firebox System Manager) 46 Security Template dialog box 324 security templates adding 323–325 described 320, 323 Select Device dialog box 313 Select Firebox Model and Name dialog box 74 Select the Time and Date page 307 server load balancing 149 service properties, using to block sites 180 Service Watch tab adding/removing lines in 42 522 changing colors in 42 changing policy names in 42 changing scale of 42 described 41 Settings dialog box 38, 102 Setup Firebox Group dialog box 159, 160 Setup Firebox User dialog box 366 Setup Routes dialog box 117 Simple Mail Transfer Protocol 510 Simple Network Management Protocol. See SNMP sites, blocked. See blocked sites. slash notation 21 SMB policy 503 SMTP NAT and 202 SMTP packet filter policy 503 SMTP proxy and Gateway AntiVirus 418, 422 and Intrusion Prevention Service 426, 432 and spamBlocker 392 configuring 213–221 configuring authentication rules 217 configuring content filtering 217 configuring ESMTP parameters 216 configuring general settings 213 defining antivirus responses 220, 227 defining content type rules 217 defining file name rules 218 described 213, 510 examining HELO/EHLO responses 215 hiding e-mail server data 215 idle timeout for 214 logging connection requests through 215 restricting e-mail senders/recipients 219 setting maximum e-mail recipients 214 setting values for header filtering 219 SNMP configuring Firebox to accept polls from server 65, 96 described 65, 96, 503 enabling polling for 66 policy for 503 SNMP Settings dialog box 66 SNMP traps configuring for default packet handling 176 enabling 66, 96 SNMP-Trap policy 503 software upgrades and High Availability 465 and LiveSecurity Service 18, 24 and Quick Setup WIzard 12 Fireware 18 software version, viewing 43 SOHO managing 305 SOHO 5, managing 305 SOHO 6 as managed client 290 spam messages and reverse lookup of source IP 202 viewing number blocked 37 spamBlocker actions (Deny, Tag, Allow) 390 adding exceptions 395 adding tags to e-mail subject line 390 categories (Spam, Bulk, Suspect) 390 configuring 393–395 creating proxy policies for 392 WatchGuard System Manager customizing using multiple proxies 402 described 221, 389 installing license for 391 logging responses 394 monitoring activity of 402 reporting false positives/negatives 402 selecting policies for 392 viewing recent activity 48 spamBlocker dialog box 393 speed and duplex parameters, setting 118 split tunneling with PPTP, enabling 370 spoofing attacks 174 spyware sites, blocking 178 spyware, blocking 431 SQL*Net policy 504 SQL-Server policy 504 ssh policy 504 star display, Firebox System Manager 33 static NAT. See NAT, static status passphrase as log encryption key 13 described 16, 58, 67 setting 13 Status Report tab (Firebox System Manager) 43–44 Step 4 124 sticky connections for policies 206 strip (proxy action) 253 strong encryption. See encryption, strong Sun RPC policy 504 Support Logs dialog box 44 support services, online 25 SurfControl 373 SYN flood attacks 175 syslog described 504 facility 91 logging, enabling 90 policy 504 system files, location of 487 third-party authentication server. See authentication or name of third-party server Timbuktu policy 506 Time Filters dialog box 262 Time policy 506 time zone for Firebox, setting 65 timeout duration for Firebox 16 timeout, authentication 155 toolbar. See WatchGuard toolbar traceroute command for source of messages 39 traceroute policy 506 traffic viewing Firebox 33 volume indicator for 34 Traffic Management actions 453 described 451 disabling 80 Traffic Monitor blocking source/destination of message 39 copying messages in 39 issuing ping and traceroute command in 39 limiting messages 37 Traffic Monitor tab (Firebox System Manager) 37–39 training and certification 28 Transmission Control Protocol (TCP) 250 triangle display, Firebox System Manager 33 trusted interface and WINS/DNS servers 114 cabling and 69 configuring 108 described 9 tunnel switching 370 tunnels changing order of 342 monitoring 3, 36 rekeying 346 viewing status of 35 Type of Service (TOS) bits 81, 119 T UDP policy 506 unhandled packets 175 unlocking e-mail attachments 423 Update Device dialog box 302, 321 Update Firmware wizard 306 upgrades and High Availability 465 and LiveSecurity Service 18, 24 and Quick Setup WIzard 12 Fireware 18 user authentication. See authentication users and Active Directory authentication 168 and Firebox authentication 157 and LDAP authentication 164 and SecurID authentication 163 assigning to authentication groups 157, 160 authenticating remote 158 configuring a policy for authentication of 170– TACACS policy 505 TACACS+ policy 505 TCP connections 505 TCP policy 505 TCP proxy and Gateway AntiVirus 422 and High Availability 465 and Intrusion Prevention Service 426, 428, 430 configuring 250–251 described 511 TCP segment adjustment, setting 80 TCPmux service 181 TCP-UDP policy 505 Technical Support assisted support 26 Firebox Installation Services 27 LiveSecurity Gold Program 27 LiveSecurity Service 26 users forum 26 VPN Installation Services 27 telnet policy 505 User Guide U 171 list of authenticated 44 online forum for 26 viewing in HostWatch 50 users forum 26 523 UUCP policy 507 V viruses defending against. See Gateway AntiVirus information about new 24 seeing number found 37 VLANs defining new 122 described 121 tagging 122 VPN Failover 319 VPN Installation Services 27 VPN Properties dialog box 326 VPN Resource dialog box 321 VPN resources creating new 321 VPN tunnels and gateways 330 changing order of 342 creating policies for 343 creating with WatchGuard System Manager 319, 329 editing 326 policies for 343 rekeying 346 removing from WatchGuard System Manager 327 VPNs and Any policy 491 graphing events regarding 52 managed. See BOVPN with WatchGuard System Manager manually configured. See BOVPN with Manual IPSec null route 326 using 1-to-1 NAT when networks use same IP 145 W WAIS policy 507 WatchGuard Firebox System and managed clients 285 and Management Server 291 described 5 documentation for 5 log files created with 99 ports for Log Server 20 WatchGuard Log Server Configuration dialog box 88 WatchGuard Management Server. See Management Server WatchGuard System Manager described 1 Device Management tab 4 installing 7–22 location of data files for 487 monitoring tunnels in 3 package contents 8 servers 1 setting up management station 11 starting 15 user interface 1 viewing connection status in 3 524 WatchGuard toolbar and Log Server 88 and Management Server 275 and WebBlocker Server 374 described 4, 5 WatchGuard users forum 26 Web Quick Setup Wizard and secondary networks 20 described 13 troubleshooting 14 using 14 using for recovery 14 web sites allowing/denying access when WebBlocker down 381 anonymizer 377 selecting categories to block 379 viruses in 418 WebBlocker actions, defined 386 actions, defining additional 386 adding servers 376 adjusting cache size for 381 automatically downloading database 374 configuring 378–381 creating exceptions for 381–384 database 373 downloading database 374 installing license for 373 prerequisites 373 scheduling an action for 387 scheduling hours 387 selecting policies for 376 selecting site categories to block 379 setting timeout value 381 time zone for 65 WebBlocker Configuration dialog box 378 WebBlocker Server adding additional 376 adding new 379 described 5 installing 373 installing on computers with desktop firewalls 19 where to install 11 WebBlocker utility 37
advertisement
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project