WatchGuard Fireware XTM WSM v11.9.5 User Guide

Fireware XTM
WatchGuard System Manager 11.9 User Guide
WatchGuard XTM Devices
About this User Guide
The Fireware XTM WatchGuard System Manager User Guide is updated with each major product
release. For minor product releases, only the Fireware XTM WatchGuard System Manager Help
system is updated. The Help system also includes specific, task-based implementation examples that
are not available in the User Guide.
For the most recent product documentation, see the Fireware XTM WatchGuard System Manager
Help on the WatchGuard web site at: http://www.watchguard.com/help/documentation/.
Information in this guide is subject to change without notice. Companies, names, and data used in
examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or
transmitted in any form or by any means, electronic or mechanical, for any purpose, without the
express written permission of WatchGuard Technologies, Inc.
Guide revised: 5/12/2014
Copyright, Trademark, and Patent Information
Copyright © 1998-2014 WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade
names mentioned herein, if any, are the property of their respective owners.
Complete copyright, trademark, patent, and licensing information can be found in the Copyright and
Licensing Guide, available online at: http://www.watchguard.com/help/documentation/.
This product is for indoor use only.
About WatchGuard
WatchGuard offers affordable, all-in-one network and content
security solutions that provide defense-in-depth and help meet
regulatory compliance requirements. The WatchGuard XTM
line combines firewall, VPN, GAV, IPS, spam blocking and
URL filtering to protect your network from spam, viruses,
malware, and intrusions. The new XCS line offers email and
web content security combined with data loss prevention.
WatchGuard extensible solutions scale to offer right-sized
security ranging from small businesses to enterprises with
10,000+ employees. WatchGuard builds simple, reliable, and
robust security appliances featuring fast implementation and
comprehensive management and reporting tools. Enterprises
throughout the world rely on our signature red boxes to
maximize security without sacrificing efficiency and
productivity.
Address
505 Fifth Avenue South
Suite 500
Seattle, WA 98104
Support
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575
Sales
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895
For more information, please call 206.613.6600 or visit
www.watchguard.com.
Table of Contents

Introduction to Network Security
    About Networks and Network Security
    About Internet Connections
    About Protocols
    About IP Addresses
    IPv4 Addresses
    IPv6 Addresses
    About Slash Notation
    About Entering Addresses
    Static and Dynamic IP Addresses
    About DNS (Domain Name System)
    About Firewalls
    About Services and Policies
    About Ports

Introduction to Fireware XTM
    About Fireware XTM
    Fireware XTM Components
    WatchGuard System Manager
    WatchGuard Server Center
    Fireware XTM Web UI and Command Line Interface
    Fireware XTM with a Pro Upgrade
    Fireware XTM OS Version Compatibility
    Fireware XTM on an XTMv Device
    XTMv Device Limitations
    Virtual Switch Configuration
    Hyper-V Virtual Adapter Configuration
    XTMv Device Installation
    FIPS Support in Fireware XTM
    About FIPS Mode
    FIPS Mode Operation and Constraints

Service and Support
    About WatchGuard Support
    LiveSecurity Service
    LiveSecurity Service Gold
    Service Expiration
Getting Started
    Before You Begin
    Verify Basic Components
    Get an XTM Device Feature Key
    Gather Network Addresses
    Select a Firewall Configuration Mode
    Decide Where to Install Server Software
    Install WatchGuard System Manager Software
    Back up Your Previous Configuration
    Download WatchGuard System Manager
    About the Quick Setup Wizard
    Run the Web Setup Wizard
    Run the WSM Quick Setup Wizard
    Complete Your Installation
    Customize Your Security Policy
    About LiveSecurity Service
    Start WatchGuard System Manager
    Connect to an XTM Device
    Start WSM Applications
    Install WSM and Keep an Older Version
    Install WatchGuard Servers on Computers with Desktop Firewalls
    Downgrade to an Earlier Version of WSM
    Step 1 — Uninstall the Current WSM Version
    Step 2 — Restore the Earlier WSM Version Server and Database Files
    Step 3 — Install the Earlier Version of WSM
    Dynamic IP Support on the External Interface
    About Connecting the XTM Device Cables
    Connect to an XTM Device with Firefox
    Add a Certificate Exception to Mozilla Firefox
    Disable the HTTP Proxy in the Browser
    Disable the HTTP Proxy in Internet Explorer 7.x or 8.x
    Disable the HTTP Proxy in Firefox 3.x
    Find Your TCP/IP Properties
    Find Your TCP/IP Properties on Microsoft Windows XP, Windows 2003, and Windows 7
    Find Your TCP/IP Properties on Microsoft Windows 8
    Find Your TCP/IP Properties on Macintosh OS X 10.x
    Find Your TCP/IP Properties on Other Operating Systems (Unix, Linux)
Configuration and Management Basics
    About Basic Configuration and Management Tasks
    About Configuration Files
    Open a Configuration File
    Make a New Configuration File
    Save the Configuration File
    Run the XTM Configuration Report
    Make a Backup of the XTM Device Image
    Restore an XTM Device Backup Image
    Use a USB Drive for System Backup and Restore
    About the USB Drive
    Save a Backup Image to a Connected USB Drive
    Restore a Backup Image from a Connected USB Drive
    Automatically Restore a Backup Image from a USB Drive
    USB Drive Directory Structure
    Save a Backup Image to a USB Drive Connected to Your Management Computer
    Use a USB Drive to Save a Support Snapshot
    Use an Existing Configuration for a New XTM Device Model
    Upgrade a Non-e-Series Configuration File For Use With an e-Series or XTM Device
    Configure a Replacement XTM Device
    Save the Configuration from the Original XTM Device to a File
    Get the Feature Key for the Replacement XTM Device
    Use the Quick Setup Wizard to Configure Basic Settings
    Update the Feature Key in the Original Configuration File and Save to the New Device
    Reset a Device
    Start an XTM Device in Safe Mode
    Reset a Firebox T10, XTM 2 Series or XTM 33 to Factory-Default Settings
    Reset an XTMv VM to Factory-Default Settings
    Run the Setup Wizard
    Reset a Firebox X e-Series Device
    Start a Firebox X Core or Peak e-Series Device in Safe Mode
    Reset a Firebox X Edge e-Series to Factory-Default Settings
    Run the Quick Setup Wizard
    About Factory-Default Settings
    About Recovery Mode for XTM 5 and 8 Series
    Step 1 — Install Fireware XTM OS v11.7.4 on the Management Computer
    Step 2 — Start the XTM Device in Recovery Mode
    Step 3 — Run the WSM Quick Setup Wizard
    Step 4 — Upgrade Fireware XTM OS
    Step 5 — Save a Configuration File to the Device
    Step 6 — Reinstall XTM Device Certificates
    About Feature Keys
    See Features Available with the Current Feature Key
    Enable Feature Key Synchronization
    Verify Feature Key Compliance
    Get a Feature Key for Your XTM Device
    Manually Add a Feature Key to Your XTM Device
    See the Details of a Feature Key
    Enable Automatic Feature Key Synchronization
    Download a Feature Key
    Enable NTP and Add NTP Servers
    Set the Time Zone and Basic Device Properties
    About SNMP
    SNMP Polls and Traps
    Enable SNMP Polling
    Enable SNMP Management Stations and Traps
    About Management Information Bases (MIBs)
    About WatchGuard Passphrases, Encryption Keys, and Shared Keys
    Create a Secure Passphrase, Encryption Key, or Shared Key
    Device Default Account Passphrases
    User Passphrases
    Server Passphrases
    Encryption Keys and Shared Keys
    Define Device Global Settings
    Change the Web UI Port
    Automatic Reboot
    Device Feedback
    Define ICMP Error Handling Global Settings
    Configure TCP Settings
    Enable or Disable Traffic Management and QoS
    Manage Traffic Flow
    Configure Fireware XTM OS Compatibility
    Manage an XTM Device From a Remote Location
    Upgrade to a New Version of Fireware XTM
    Install the Upgrade on Your Management Computer
    Upgrade the XTM Device
    Use Multiple Versions of Policy Manager
    Downgrade Fireware XTM OS
    Use a Saved Backup Image to Downgrade
    Downgrade Without a Backup Image
    Use the Quick Setup Wizard to Downgrade Fireware XTM OS
    About Upgrade Options
    Subscription Services Upgrades
    Appliance and Software Upgrades
    How to Apply an Upgrade
    About Subscription Services Expiration and Renewal
    Subscription Renewal Reminders
    Feature Key Compliance
    Security Service Expiration Behavior
    LiveSecurity Service
    Subscription Expiration and FireCluster
    Synchronize Subscription Renewals
    Renew Subscription Services
    Renew Subscriptions from Firebox System Manager

RemoteConfig and RapidDeploy
    About RemoteConfig and RapidDeploy
    RemoteConfig
    RapidDeploy
    Automatic Configuration Download
    Use RemoteConfig
    Use RapidDeploy
    Use a USB Drive to Configure Interface Settings
Network Setup and Configuration
    About Network Interface Setup
    Network Modes
    Interface Types
    Wireless Interfaces
    About Private IP Addresses
    About Network Interfaces on the Edge e-Series
    About IPv6 Support
    Mixed Routing Mode
    Configure an External Interface
    Configure a Trusted or Optional Interface
    Configure the DHCPv6 Address Pool
    Configure DHCPv6 Reservations
    Enable Rapid Commit
    Configure IPv6 Address Lifetimes
    Configure a Custom Interface
    About the Dynamic DNS Service
    Use Dynamic DNS
    Drop-In Mode
    Use Drop-In Mode for Network Interface Configuration
    Configure Related Hosts
    Configure DHCP in Drop-In Mode
    Bridge Mode
    Enable Bridge Mode
    Allow Management Access from a VLAN
    Common Interface Settings
    Disable an Interface
    Configure DHCP Relay
    Restrict Network Traffic by MAC Address
    Add WINS and DNS Server Addresses
    Add a Secondary Network IP Address
    About Advanced Interface Settings
    Network Interface Card (NIC) Settings
    Set Outgoing Interface Bandwidth
    Set DF Bit for IPSec
    PMTU Setting for IPSec
    Use Static MAC Address Binding
    Find the MAC Address of a Computer
    About LAN Bridges
    Create a Network Bridge Configuration
    Assign a Network Interface to a Bridge
    About Routing
    Add a Static Route
    Read the Route Tables
    Add Static ARP Entries
    About Virtual Local Area Networks (VLANs)
    VLAN Requirements and Restrictions
    About Tagging
    About VLAN ID Numbers
    Define a New VLAN
    Assign Interfaces to a VLAN
    About Link Aggregation
    Requirements and Limitations
    Link Aggregation Modes
    Configure Link Aggregation
    Monitor Link Aggregation Interfaces
    Network Setup Examples
    Configure Two VLANs on the Same Interface
    Configure One VLAN Bridged Across Two Interfaces
    Use the Broadband Extend or 3G Extend Wireless Bridge
Multi-WAN
    About Using Multiple External Interfaces
    Multi-WAN Requirements and Conditions
    Multi-WAN and DNS
    Multi-WAN and FireCluster
    About Multi-WAN Options
    Round-Robin Order
    Failover
    Interface Overflow
    Routing Table
    Modem (XTM 2 Series, 3 Series or 5 Series only)
    Configure Round-Robin
    Before You Begin
    Configure the Interfaces
    Find How to Assign Weights to Interfaces
    Configure Failover
    Before You Begin
    Configure the Interfaces
    Configure Interface Overflow
    Before You Begin
    Configure the Interfaces
    Configure Routing Table
    Before You Begin
    Routing Table Mode and Load Balancing
    Configure the Interfaces
    About the XTM Device Route Table
    When to Use Multi-WAN Methods and Routing
    Configure Modem Failover
    Enable Modem Failover
    Account Settings
    DNS Settings
    Dial-Up Settings
    Advanced Settings
    Link Monitor Settings
    Advanced Multi-WAN Settings
    About Sticky Connections
    Set a Global Sticky Connection Duration
    Set the Failback Action
    Set Notification Settings
    About WAN Interface Status
    Time Needed for the XTM Device to Update its Route Table
    Define a Link Monitor Host
Network Address Translation (NAT)
    About Network Address Translation
    Types of NAT
    About Dynamic NAT
    Add Network Dynamic NAT Rules
    Configure Policy-Based Dynamic NAT
    About Dynamic NAT Source IP Addresses
    About 1-to-1 NAT
    About 1-to-1 NAT and VPNs
    Configure Firewall 1-to-1 NAT
    Configure Policy-Based 1-to-1 NAT
    Configure NAT Loopback with Static NAT
    Add a Policy for NAT Loopback to the Server
    NAT Loopback and 1-to-1 NAT
    About SNAT
    Configure Static NAT
    Configure Server Load Balancing
    1-to-1 NAT Example
Wireless Device Setup
    About Wireless Device Configuration
    Wireless Settings in Fireware XTM OS v11.8.x and v11.9.x
    Enable Wireless
    Wireless Device Configuration Options
    Wireless Device Configuration Options (Fireware XTM OS v11.9 and Later)
    Wireless Device Configuration Options (Fireware XTM OS v11.8.x and Older)
    Before You Begin
    About Wireless Configuration Settings
    Enable/Disable SSID Broadcasts
    Change the SSID
    Log Authentication Events
    Change the Fragmentation Threshold
    Change the RTS Threshold
    About Wireless Security Settings
    Set the Wireless Authentication Method
    Use a RADIUS Server for Wireless Authentication
    Use the XTM Device as an Authentication Server for Wireless Authentication
    Set the Encryption Level
    Enable Wireless Connections (Fireware XTM OS v11.9.x and Later)
    Enable Wireless Connections (Fireware XTM OS v11.8.x and Older)
    Enable a Wireless Guest Network (Fireware XTM OS v11.9.x and Later)
    Wireless Guest and Policies
    Enable a Wireless Guest Network (Fireware XTM OS v11.8.x and Older)
    Enable a Hotspot on a Wireless Access Point
    Configure Your External Interface as a Wireless Interface
    Configure the Primary External Interface as a Wireless Interface
    Configure a BOVPN Tunnel for Additional Security
    About Wireless Radio Settings
    Country is Set Automatically
    Select the Band and Wireless Mode
    Select the Channel
    Monitor Wireless Access Points and Clients
    Configure the Wireless Card on Your Computer
    Rogue Access Point Detection
    Enable Rogue Access Point Detection
    Add an XTM Wireless Device as a Trusted Access Point
    Find the Wireless MAC Address of a Trusted Access Point
    Rogue Access Point Scan Results
WatchGuard AP Device Setup
    Wireless Access Point Types
    About AP Device Configuration
    SSID Configuration
    AP Device Configuration
    WatchGuard AP Device Requirements and Limitations
    Requirements
    Limitations
    Plan Your Wireless AP Device Deployment
    Wireless Site Survey
    Wireless Modes and Channels
    Wireless Signal Strength and Noise Levels
    Wireless Environmental Factors
    Wireless Placement
    WatchGuard AP Device Deployment Overview
    Deploy AP Devices Without VLAN Tagging
    Deploy AP Devices With VLAN Tagging Enabled
    Configure VLANs for WatchGuard AP Devices
    When to Enable VLAN Tagging in SSIDs
    Configure VLANs on the XTM Device
    Configure VLANs on a Managed Switch
    About AP Station Isolation
    Station Isolation for a Single AP Device
    Station Isolation for Multiple AP Devices
    Example — Station Isolation and Roaming
    About AP Device Activation
    Automatic Activation
    Manual Activation
    About AP Device Passphrases
    Pairing Passphrase
    WatchGuard AP Passphrase
    Passphrases and Pairing
    Resolve a Passphrase Mismatch
    Configure AP Devices in the Gateway Wireless Controller
    Enable the Gateway Wireless Controller
    Set the Diagnostic Log Level
    Configure WatchGuard AP Device SSIDs
    Configure SSID Security Settings
    WatchGuard AP Device Discovery and Pairing
    Configure AP Device Settings
    Configure AP Device Radio Settings
    Configure Gateway Wireless Controller Settings
    Configure MAC Access Control
    Unpair an AP Device
    Monitor AP Device Status
    See AP Connection Status and Uptime
    See AP Radio Frequency and Channel
    See the AP Activation Status
    See AP Device Network Statistics
    See Log Messages on an AP Device
    Flash the Power LED on the AP Device
    Restart Wireless on the AP Device
    Reboot an AP Device
    Upgrade an AP Device
    Perform a Site Survey
    Monitor Wireless Clients
    Enable a Hotspot on an AP Device
    Reset the WatchGuard AP Device
    Reset the WatchGuard AP Device with the Reset Button
    Reset the WatchGuard AP Device from the Access Point Web UI
    Unpair the WatchGuard AP Device
    Update AP Device Firmware
    See the Current Firmware Version
    Options for AP Device Firmware Updates
    Add an HTTPS Policy for Access Point Web UI Connections
    Use the WatchGuard Access Point Web UI
    Connect to the WatchGuard Access Point Web UI
    Verify the Current AP Device Settings
    Manage Network Settings
    Change the Access Point Passphrase
    Upgrade the AP Device Firmware
    Save or Revert Configuration Changes
    WatchGuard AP Device Deployment Examples
    AP Device Deployment with a Single SSID
    AP Device Deployment with Simple Roaming
    AP Device Deployment with VLANs
Dynamic Routing
    About Dynamic Routing
    Dynamic Routing Protocols
    Dynamic Routing Policies
    Monitor Dynamic Routing
    About Routing Daemon Configuration Files
    About Routing Information Protocol (RIP and RIPng)
    Configure IPv4 Routing with RIP
    Configure IPv6 Routing with RIPng
    About Open Shortest Path First (OSPF and OSPFv3) Protocol
    Configure IPv4 Routing with OSPF
    Configure IPv6 Routing with OSPFv3
    OSPF Interface Cost Table
    About Border Gateway Protocol (BGP)
    Configure IPv4 and IPv6 Routing with BGP
    BGP Commands
    Sample BGP Routing Configuration File
FireCluster
    About WatchGuard FireCluster
    FireCluster Status
    Use the Fireware XTM Web UI
    About FireCluster Failover
    Events that Trigger a Failover
    What Happens When a Failover Occurs
    FireCluster Failover and Server Load Balancing
    FireCluster Failover and Dynamic Routing
    Monitor the Cluster During a Failover
    Features Not Supported for a FireCluster
    FireCluster Network Configuration Limitations
    FireCluster Management Limitations
    Supported XTM Models for FireCluster
    About FireCluster Management IP Addresses
    Use the Management IP Address to Restore a Backup Image
    Use the Management IP Address to Upgrade from an External Location
    The Management IP Address and the WatchGuard Policy
    About FireCluster on XTM Wireless Devices
    Configure FireCluster
    FireCluster Requirements and Restrictions
    Cluster Synchronization and Status Monitoring
    FireCluster Device Roles
    FireCluster Configuration Steps
    Before You Begin
    Connect the FireCluster Hardware
    Switch and Router Requirements for an Active/Active FireCluster
    Use the FireCluster Setup Wizard
    Configure FireCluster Manually
    Find the Multicast MAC Addresses for an Active/Active Cluster
    Active/Passive Cluster ID and the Virtual MAC Address
    Monitor and Control FireCluster Members
    Monitor Status of FireCluster Members
    Monitor and Control Cluster Members
    Monitor Cluster Health
    Discover a Cluster Member
    Force a Failover of the Cluster Master
    Reboot a Cluster Member
    Shut Down a Cluster Member
    Connect to a Cluster Member
    Make a Member Leave a Cluster
    Make a Member Join a Cluster
    Remove or Add a Cluster Member
    Remove a Device from a FireCluster
    Add a New Device to a FireCluster
    Update the FireCluster Configuration
    Configure FireCluster Advanced Settings
    Configure Logging and Notification
    Change the Lost Heartbeat Threshold
    Use Hardware Status as a Criterion for FireCluster Failover
    About Feature Keys and FireCluster
    See the Feature Keys and Cluster Features for a Cluster
    See or Update the Feature Key for a Cluster Member
    See the FireCluster Feature Key in Firebox System Manager
    Create a FireCluster Backup Image
    Restore a FireCluster Backup Image
    Make the Backup Master Leave the Cluster
    Restore the Backup Image to the Backup Master
    Restore the Backup Image to the Cluster Master
    Make the Backup Master Rejoin the Cluster
    Upgrade Fireware XTM for FireCluster Members
    Disable FireCluster
Authentication
    About User Authentication
    User Authentication Steps
    Manage Authenticated Users
    Use Authentication to Restrict Incoming Traffic
    Use Authentication Through a Gateway Firebox
    About the WatchGuard Authentication (WG-Auth) Policy
    Set Global Firewall Authentication Values
    Specify Firewall Authentication Settings
    Set Global Authentication Timeouts
    Allow Unlimited Concurrent Login Sessions
    Limit Login Sessions
    Specify the Default Authentication Server in the Authentication Portal
    Automatically Redirect Users to the Authentication Portal
    Use a Custom Default Start Page
    Set Management Session Timeouts
    About Single Sign-On (SSO)
    The WatchGuard SSO Solution
    Example Network Configurations for SSO
    Choose Your SSO Components
    Before You Begin
    Set Up SSO
    Install the WatchGuard Single Sign-On (SSO) Agent
    Configure the SSO Agent
    Use Telnet to Debug the SSO Agent
    Install the WatchGuard Single Sign-On (SSO) Client
    Install the WatchGuard SSO Exchange Monitor
    Enable Single Sign-On (SSO)
    About SSO Log Files
    Install and Configure the Terminal Services Agent
    About Single Sign-On for Terminal Services
    Before You Begin
    Install the Terminal Services Agent
    Configure the Terminal Services Agent
    Configure Terminal Services Settings
    Authentication Server Types
    About Third-Party Authentication Servers
    Use a Backup Authentication Server
    Configure Your XTM Device as an Authentication Server
    Types of Firebox Authentication
    Define a New User for Firebox Authentication
    Define a New Group for Firebox Authentication
    Customize the Authentication Portal Page
    Configure RADIUS Server Authentication
    Authentication Key
    RADIUS Authentication Methods
    Before You Begin
    Use RADIUS Server Authentication with Your XTM Device
    How RADIUS Server Authentication Works
    Configure RADIUS Server Authentication with Active Directory Users and Groups for Mobile VPN Users
    WPA and WPA2 Enterprise Authentication
    Configure VASCO Server Authentication
    Configure SecurID Authentication
    Configure LDAP Authentication
    About LDAP Optional Settings
    Configure Active Directory Authentication
    Add an Active Directory Authentication Domain and Server
    About Active Directory Optional Settings
    Edit an Existing Active Directory Domain
    Delete an Active Directory Domain
    Find Your Active Directory Search Base
    Change the Default Port for the Active Directory Server
    Use Active Directory or LDAP Optional Settings
    Before You Begin
    Specify Active Directory or LDAP Optional Settings
    Use a Local User Account for Authentication
    Use Authorized Users and Groups in Policies
    Define Users and Groups for Firebox Authentication
    Define Users and Groups for Third-Party Authentication
    Allow Unlimited Concurrent Login Sessions
    Limit Login Sessions
    Add Users and Groups to Policy Definitions
    Enable a Hotspot
    Configure User Timeout Settings
    Select the Hotspot Type
    Configure the Hotspot Custom Page
    Connect to a Hotspot
    See Hotspot Connections
    About Hotspot External Guest Authentication
    Before You Begin
    Configuration
    External Guest Authentication Example
    Configure a Web Server for Hotspot External Guest Authentication
    Configure the Hotspot for External Guest Authentication
    Troubleshoot Hotspot External Guest Authentication
Policies
    About Policies
    Packet Filter and Proxy Policies
    Add Policies to Your XTM Device
    About Policy Manager
    Open Policy Manager
    About Policy Manager Views
    Change Colors Used for Policy Manager Text
    Find a Policy by Address, Port, or Protocol
    About the Outgoing Policy
    Add Policies to Your Configuration
    Use Policy Checker to Find a Policy
    See the List of Policy Templates
    Add a Policy from the List of Templates
    Add More than One Policy of the Same Type
    See Template Details and Modify Policy Templates
    Disable or Delete a Policy
    About Policy Tags and Filters
    Create and Apply Policy Tags
    Remove Policy Tags From Policies
    Modify Policy Tags
    Create and Apply a Filter
    Modify a Filter
    Clone a Filter
    About Aliases
    Alias Members
    Create an Alias
    About Policy Precedence
    Automatic Policy Order
    Policy Specificity and Protocols
    Traffic Rules
    Firewall Actions
    Schedules
    Policy Types and Names
    Set Precedence Manually
    Create Schedules for XTM Device Actions
    Set an Operating Schedule
    About Custom Policies
    Create or Edit a Custom Policy Template
    Import and Export Custom Policy Templates
    About Policy Properties
    Policy Tab
    Properties Tab
    Advanced Tab
    Proxy Settings
    Set Access Rules for a Policy
    Configure Policy-Based Routing
    Set a Custom Idle Timeout
    Set ICMP Error Handling
    Apply NAT Rules
    Set the Sticky Connection Duration for a Policy
Proxy Settings
    About Proxy Policies and ALGs
    Proxy Configuration
    Proxy and AV Alarms
    About Proxy Actions
    About Rules and Rulesets
    Use Predefined Content Types
    Add a Proxy Policy to Your Configuration
    About the DNS-Proxy
        Policy Tab
        Properties Tab
        Advanced Tab
        Configure the Proxy Action
        DNS-Proxy: General Settings
        DNS-Proxy: OPcodes
        DNS-Proxy: Query Types
        DNS-Proxy: Query Names
        About MX (Mail eXchange) Records
    About the FTP-Proxy
        Policy Tab
        Properties Tab
        Advanced Tab
        Configure the Proxy Action
        FTP-Proxy: General Settings
        FTP-Proxy: Commands
        FTP-Proxy: Content
        FTP-Proxy: Data Loss Prevention
        FTP-Proxy: APT Blocker
        FTP-Proxy: AntiVirus
    About the H.323-ALG
        VoIP Components
        ALG Functions
        Policy Tab
        Properties Tab
        Advanced Tab
        Configure the Proxy Action
        H.323-ALG: General Settings
        H.323-ALG: Access Control
        H.323-ALG: Denied Codecs
    About the HTTP-Proxy
        Policy Tab
        Properties Tab
        Advanced Tab
        Configure the Proxy Action
        HTTP Request: General Settings
        HTTP Request: Request Methods
        HTTP Request: URL Paths
        HTTP Request: Header Fields
        HTTP Request: Authorization
        HTTP Response: General Settings
        HTTP Response: Header Fields
        HTTP Response: Content Types
        HTTP Response: Cookies
        HTTP Response: Body Content Types
        HTTP-Proxy: Exceptions
        HTTP-Proxy: Data Loss Prevention
        HTTP-Proxy: WebBlocker
        HTTP-Proxy: AntiVirus
        HTTP-Proxy: Reputation Enabled Defense
        HTTP-Proxy: Deny Message
        HTTP-Proxy: APT Blocker
        Enable Windows Updates Through the HTTP-Proxy
        Use a Caching Proxy Server
    About the HTTPS-Proxy
        Policy Tab
        Properties Tab
        Advanced Tab
        Configure the Proxy Action
        HTTPS-Proxy: General Settings
        HTTPS-Proxy: Content Inspection
        HTTPS-Proxy: Certificate Names
        HTTPS-Proxy: WebBlocker
    About the POP3-Proxy
        Policy Tab
        Properties Tab
        Advanced Tab
        Configure the Proxy Action
        POP3-Proxy: General Settings
        POP3-Proxy: Authentication
        POP3-Proxy: Content Types
        POP3-Proxy: Filenames
        POP3-Proxy: Headers
        POP3-Proxy: AntiVirus
        POP3-Proxy: Deny Message
        POP3-Proxy: spamBlocker
    About the SIP-ALG
        VoIP Components
        Instant Messaging Support
        ALG Functions
        Policy Tab
        Properties Tab
        Advanced Tab
        Configure the Proxy Action
        SIP-ALG: General Settings
        SIP-ALG: Access Control
        SIP-ALG: Denied Codecs
    About the SMTP-Proxy
        Policy Tab
        Properties Tab
        Advanced Tab
        Configure the Proxy Action
        SMTP-Proxy: General Settings
        SMTP-Proxy: Greeting Rules
        SMTP-Proxy: ESMTP Settings
        SMTP-Proxy: TLS Encryption
        SMTP-Proxy: Authentication
        SMTP-Proxy: Content Types
        SMTP-Proxy: Filenames
        SMTP-Proxy: Mail From/Rcpt To
        SMTP-Proxy: Headers
        SMTP-Proxy: AntiVirus
        SMTP-Proxy: Deny Message
        SMTP-Proxy: Data Loss Prevention
        SMTP-Proxy: spamBlocker
        SMTP-Proxy: APT Blocker
        Configure the SMTP-Proxy to Quarantine Email
        Protect Your SMTP Server from Email Relaying
    About the TCP-UDP-Proxy
        Policy Tab
        Properties Tab
        Advanced Tab
        Configure the Proxy Action
        TCP-UDP-Proxy: General Settings
Traffic Management and QoS
    About Traffic Management and QoS
    Enable Traffic Management and QoS
    OS Compatibility
    Guarantee Bandwidth
    Restrict Bandwidth
    QoS Marking
    Traffic Priority
    Set Connection Rate Limits
    About QoS Marking
    Before You Begin
    QoS Marking for Interfaces and Policies
    QoS Marking and IPSec Traffic
    Enable QoS Marking for an Interface
    Enable QoS Marking or Prioritization Settings for a Policy
    Enable QoS Marking for a Managed BOVPN Tunnel
    Get Started with Traffic Management
    Determine Available Bandwidth
    Determine the Sum of Your Bandwidth
    Traffic Management and OS Compatibility
    About Traffic Management in Fireware XTM v11.9 and Higher
    Define a Traffic Management Action in v11.9
    Add Traffic Management Actions to a Policy
    Use Traffic Management with Application Control
    Monitor Bandwidth by Traffic Management Action
    About Traffic Management in Fireware XTM v11.8.x and Lower
    Define a Traffic Management Action in v11.8.x and Lower
    Add a Traffic Management Action to a Policy
    Use Traffic Management for Managed BOVPN Tunnels
    Traffic Management Examples
Default Threat Protection
    About Default Threat Protection
    About Default Packet Handling Options
    Configure Default Packet Handling
    Set Logging and Notification Options
    About Spoofing Attacks
    About IP Source Route Attacks
    About Port Space and Address Space Probes
    About Flood Attacks
    About Unhandled Packets
    About Distributed Denial-of-Service Attacks
    About Blocked Sites
    Permanently Blocked Sites
    Auto-Blocked Sites/Temporary Blocked Sites List
    Blocked Site Exceptions
    See and Manage the Blocked Sites List
    Block a Site Permanently
    Create Blocked Site Exceptions
    Import a List of Blocked Sites or Blocked Sites Exceptions
    Block Sites Temporarily with Policy Settings
    Change the Duration that Sites are Auto-Blocked
    About Blocked Ports
    Default Blocked Ports
    Block a Port

WatchGuard Server Setup .... 941
About WatchGuard Servers .... 941
Set Up WatchGuard Servers .... 944
Before You Begin .... 944
Start the Wizard .... 944
General Settings .... 944
Management Server Settings .... 945
Log Server and Report Server Settings .... 945
Quarantine Server Settings .... 946
WebBlocker Server Settings .... 946
Review and Finish .... 946
About the Gateway Firebox .... 947
Find Your Management Server License Key .... 948
Monitor the Status of WatchGuard Servers .... 948
Configure Your WatchGuard Servers .... 951
Open WatchGuard Server Center .... 951
Stop and Start Your WatchGuard Servers .... 952
Install or Configure WatchGuard Servers from WatchGuard Server Center .... 954
Exit or Open WatchGuard Server Center .... 955

Management Server Setup and Administration .... 957
About the WatchGuard Management Server .... 957
Install the Management Server .... 957
Set Up and Configure the Management Server .... 958
Configure Settings for the Management Server .... 958
Configure the Certificate Authority on the Management Server .... 960
Configure License Key, Device Monitoring, and Notification Settings .... 962
Enable and Configure Active Directory Authentication .... 965
Configure Logging Settings for the Management Server .... 969
Define Configuration History and Change Comment Settings .... 971
Update the Management Server with a New Gateway Address .... 973
Change the IP Address of a Management Server .... 975
If Your Management Server is Configured with a Private IP Address .... 976
If Your Management Server is Configured with a Public IP Address .... 977
Update the Certificate Revocation List (CRL) Distribution IP Address .... 977
Update Managed XTM Devices .... 978
Change the Administrator Passphrase .... 978
Back Up or Restore the Management Server Configuration .... 980
Back up Your Configuration .... 980
Restore Your Configuration .... 981
Move the Management Server to a New Computer .... 981
Back up, Move, and Restore Your Management Server .... 981
Configure Other Installed WatchGuard Servers .... 982
Use WSM to Connect to your Management Server .... 982
Disconnect from the Management Server .... 983
Import or Export a Management Server Configuration .... 984
Export a Configuration .... 984
Import a Configuration .... 984
Configure a Management Server Cluster .... 984
Requirements .... 984
Set Up a Microsoft Failover Cluster .... 984
Install the Primary Management Server .... 985
Install the Secondary Management Server .... 985
Configure the Primary Management Server as a Failover Resource .... 986
Start the WatchGuard Web Services Servers .... 987
Run a Failover Test .... 987

Centralized Management .... 989
About WatchGuard System Manager .... 989
Device Status .... 989
Device Management .... 990
About the Device Management Page .... 993
Review Information for Managed Devices .... 995
Verify the Connection Status of a Device .... 996
About WSM Options .... 997
Start WatchGuard System Manager Tools .... 999
Expire the Lease for a Managed Device .... 1000
About Centralized Management Modes .... 1001
Change the Centralized Management Mode .... 1002
Add Managed Devices to the Management Server .... 1005
If You Know the Current IP Address of the Device .... 1006
If You Do Not Know the IP Address of the Device .... 1007
About RapidDeploy .... 1008
Register Your Management Server .... 1009
Change Your Management Server Registration .... 1010
Launch the WatchGuard Deployment Center .... 1011
Set Device Management Properties .... 1012
Connection Settings .... 1012
IPSec Tunnel Preferences .... 1014
Contact Information .... 1015
Schedule Tasks for Managed Devices .... 1016
Schedule OS Update .... 1017
Schedule Feature Key Synchronization .... 1020
Schedule Reboot .... 1022
Review, Cancel, or Delete Scheduled Tasks .... 1027
Update the Configuration For a Fully Managed Device .... 1030
Search Managed Devices .... 1031
Run a Text Search .... 1032
Use Search Results .... 1033
Clear Search Results .... 1035
About Filtered View .... 1035
Manage Server Licenses .... 1037
Review Current License Key Information .... 1037
Add or Remove a License Key .... 1037
Manage Customer Contact Information .... 1038
Add a Contact to the Management Server .... 1038
Edit a Contact in the Contact List .... 1038
Review and Manage the Monitored Report Servers List .... 1039
Add a Report Server to the List .... 1040
Edit Information for a Report Server .... 1040
Remove a Report Server from the List .... 1041
Add and Manage VPN Tunnels and Resources .... 1041
See VPN Tunnels .... 1041
Add a VPN Tunnel .... 1041
Edit a VPN Tunnel .... 1042
Remove a VPN Tunnel .... 1043
Add a VPN Resource .... 1043
Use Device Folders .... 1043
Create a Device Folder .... 1043
Add Devices to a Folder .... 1044
Complete Tasks for All Devices in a Folder .... 1045
View a Folder Device List .... 1045
Move Devices to a New Folder .... 1046
Configure an XTM Device as a Managed Device .... 1048
Edit the WatchGuard Policy .... 1048
Set Up the Managed Device .... 1049
Configure Management Tunnels .... 1052
Management Tunnel Configuration .... 1052
About Management Tunnels .... 1054
Select a Tunnel Type .... 1055
Deploy Remote XTM Devices .... 1055
Configure the Management Tunnel Gateway Firebox .... 1056
Configure the Management Tunnel Remote XTM Device .... 1060
Configure a Deployed Remote XTM Device for a Management Tunnel over SSL .... 1064
Verify the Status of the Management Tunnel .... 1065
Manage a Remote XTM Device .... 1066
About Edge (v10.x and Older) and SOHO Devices as Managed Devices .... 1066
Prepare a Firebox X Edge (v10.x and Older) for Management .... 1067
Configure a Firebox SOHO 6 as a Managed Device .... 1071
Configure Network Settings (Edge Devices v10.x and Older Only) .... 1073
About the Configuration Template Section .... 1074
Manage Aliases for Firebox X Edge Devices .... 1074
Change the Name of an Alias .... 1075
Define Aliases on a Firebox X Edge Device .... 1076
Update or Reboot a Device, or Remove a Device from Management .... 1079
Update a Device .... 1079
Reboot a Device .... 1080
Remove a Device from Management .... 1080
Create Device Configuration Templates .... 1081
Create a New Device Configuration Template .... 1082
Configure a Template for an XTM Device .... 1084
Review XTM Template Settings .... 1092
Apply an XTM Template to an XTM Device .... 1094
Change an XTM Configuration Template .... 1094
Configure a Template for a Managed Edge Device .... 1095
Add a Predefined Policy to an Edge Device Configuration Template .... 1096
Add a Custom Policy to an Edge Device Configuration Template .... 1097
Change the Name of a Device Configuration Template .... 1100
Clone a Device Configuration Template .... 1101
Configure an SNAT Action .... 1101
Create a Device Configuration Template from a Configuration File .... 1105
Apply Device Configuration Templates to Managed Devices .... 1110
Drag-and-Drop to Apply a Template .... 1110
Use the Apply Template Wizard for an XTM Device .... 1110
Configure Management Groups .... 1112
Create a Management Group .... 1113
Add a Device to a Management Group .... 1114
Open a Device Page From a Management Group .... 1115
Remove a Device From a Management Group .... 1116
Apply a Template to a Group of Devices .... 1116
Complete Tasks for All Devices in a Management Group .... 1117
About Configuration History and Template Application History .... 1118
Review Configuration History and Application History Details .... 1118
Revert to an Earlier Configuration .... 1122
Review the Changes Between Revisions .... 1123
Remove a Device from Fully Managed Mode .... 1125

Role-Based Administration .... 1127
About Role-Based Administration .... 1127
Roles and Role Policies .... 1128
Audit Trail .... 1128
About Predefined Roles .... 1128
Manage Users and Roles on Your Device .... 1132
Add a New Device User .... 1133
Edit a Device User .... 1134
Delete a Device User .... 1134
Audit Device Management User Activity .... 1135
Use Role-Based Administration with an External Management Server .... 1136
Define or Remove Users or Groups .... 1137
Use WatchGuard System Manager to Configure Users or Groups .... 1137
Use WatchGuard Server Center to Configure Users or Groups .... 1139
Remove a User or Group .... 1140
Define Roles and Role Properties .... 1141
Define Roles in WatchGuard Server Center .... 1141
Define Roles in WatchGuard System Manager .... 1142
Configure Roles and Role Properties .... 1143
Remove a Role .... 1143
Assign Roles to a User or Group .... 1145
Assign Roles in WatchGuard System Manager .... 1145
Assign Roles in WatchGuard Server Center .... 1146

WatchGuard WebCenter .... 1149
About WatchGuard WebCenter .... 1150
Connect to WatchGuard WebCenter .... 1151
Navigate WatchGuard WebCenter .... 1153

Logging and Reporting .... 1161
About Logging, Log Files, and Notification .... 1161
About Log Messages .... 1161
Log Servers .... 1162
Logging and Notification in Applications and Servers .... 1162
Log Files .... 1163
Databases .... 1163
Performance and Disk Space .... 1163
Log Manager and Report Manager .... 1164
Traffic Monitor .... 1164
Types of Log Messages .... 1164
Log Message Levels .... 1165
About Notification .... 1166
Quick Start — Set Up Logging for Your Network .... 1167
Set Up Your Log Server .... 1170
Install the Log Server .... 1170
Before You Begin .... 1171
Configure System Settings .... 1172
Configure the Log Server .... 1172
Configure Database Size, Encryption Key, and Diagnostic Log Settings .... 1173
Configure Database Maintenance Settings .... 1175
Configure Notification Settings .... 1180
Configure Logging Settings for the Log Server .... 1183
Move the Log Data Directory .... 1186
Start and Stop the Log Server .... 1189
Configure Logging Settings for Your WatchGuard Servers .... 1190
Configure Logging to a WatchGuard Log Server .... 1191
Configure Logging to Windows Event Viewer .... 1192
Save Log Messages in a Log File .... 1192
Define Where the Device Sends Log Messages .... 1193
Add a Log Server .... 1195
Set Log Server Priority .... 1198
Configure Syslog Server Settings .... 1199
Include Performance Statistics in Log Messages .... 1202
Set the Diagnostic Log Level .... 1204
Monitor Hardware Health .... 1206
Configure Logging and Notification for a Policy .... 1206
Set Logging and Notification Preferences .... 1209
Use Scripts, Utilities, and Third-Party Software with the Log Server .... 1210
Back Up and Restore the Log Server Database Manually .... 1211
Use Crystal Reports with the Log Server .... 1212
About the Report Server .... 1213
Set Up Your Report Server .... 1214
Install the Report Server .... 1214
Before You Begin .... 1214
Configure the Report Server .... 1215
Configure Server Settings for the Report Server .... 1216
Configure Log Servers for the Report Server .... 1219
Configure Report Deletion Settings and Database Settings .... 1221
Configure Notification Settings for the Report Server .... 1228
Configure Report Generation Settings .... 1231
Configure Logging Settings for the Report Server .... 1238
Start or Stop the Report Server .... 1240
Back Up and Restore the Report Server Database .... 1240
Move the Report Directory .... 1242
Step 1 — Stop Services .... 1242
Step 2 — Move the Report Data .... 1242
Step 3 — Run the Setup Wizard .... 1243
Final Steps .... 1244
Predefined Reports List .... 1245
Daily and Weekly Report Schedules .... 1254
Use the Web Services API to Retrieve Log and Report Data .... 1256
Installation and Documentation .... 1256
Configure ConnectWise Integration .... 1257
Before You Begin .... 1257
Configure the ConnectWise PSA Client .... 1257
Configure the ConnectWise Settings for your WatchGuard Report Server .... 1271
Troubleshooting .... 1277
About HIPAA Compliance Reports .... 1278
Generate HIPAA Compliance Reports .... 1281
About PCI Compliance Reports .... 1282
Generate PCI Compliance Reports .... 1283
View Device Log Messages .... 1283
Search Device Log Messages .... 1286
See a Timeslice Analysis .... 1286
Export Log Messages .... 1287
Search Device Log Messages .... 1288
View Server Log Messages .... 1292
Search Server Log Messages .... 1294
Search Server Log Messages .... 1294
View Reports in Report Manager .... 1296
See an Available Report for a Device .... 1296
See a Server Report .... 1299
View Compliance Reports .... 1300
Generate Per Client Reports .... 1302
Generate On-Demand Reports .... 1305
View Custom Time Range Reports .... 1306
Export a Report as a PDF .... 1307

Monitor Your Device .... 1309
About Firebox System Manager (FSM) .... 1309
Start Firebox System Manager .... 1310
Disconnect From and Reconnect To an XTM device .... 1311
Set the Refresh Interval and Pause Display .... 1311
Basic XTM Device and Network Status (Front Panel) .... 1313
Warnings and Notifications .... 1313
Expand and Close Tree Views .... 1314
Visual Display of Traffic Between Interfaces .... 1314
Traffic Volume, Processor Load, and Basic Status .... 1316
XTM Device Status .... 1319
Device Log Messages (Traffic Monitor) .... 1321
Sort and Filter Traffic Monitor Log Messages .... 1323
Change Traffic Monitor Settings .... 1323
Enable Notification for Specific Messages .... 1326
Copy Messages to Another Application .... 1327
View APT Threat Information .... 1327
Visual Display of Bandwidth Usage (Bandwidth Meter) .... 1329
Change Bandwidth Meter Settings .... 1330
Change the Scale .... 1331
Add and Remove Lines .... 1332
Change Colors .... 1332
Change Interface Appearance .... 1332
Visual Display of Policy Usage (Service Watch) .... 1332
Change Service Watch Settings .... 1333
Change the Scale .... 1335
Display Bandwidth Used by a Policy .... 1335
Add and Remove Lines .... 1335
Change Colors .... 1335
Change How Policy Names Appear .... 1336
Traffic and Performance Statistics (Status Report) .... 1336
Search the Status Report for Specific Details .... 1339
Change the Refresh Interval .... 1340
Review Packet Trace Information for Troubleshooting .... 1340
Save the Status Report .... 1340
Authenticated Users (Authentication List) .... 1341
Hotspot Clients .... 1344
Management Users .... 1345
Manage the Blocked Sites List (Blocked Sites) .... 1348
Change the Block Sites List .... 1348
Copy Information From the Blocked Sites List .... 1350
Blocked Sites and Traffic Monitor .... 1350
Subscription Services Statistics (Subscription Services) .... 1352
Gateway AntiVirus Statistics .... 1354
Application Control and Intrusion Prevention Service Statistics .... 1355
spamBlocker Statistics .... 1356
Reputation Enabled Defense Statistics .... 1357
Data Loss Prevention Statistics .... 1358
Subscription Services Status and Manual Signatures Updates .... 1358
WatchGuard AP Device and Wireless Client Connections (Gateway Wireless Controller) .... 1361
Summary .... 1363
Access Points .... 1363
Wireless Clients .... 1365
Traffic Management Statistics (Traffic Management) .... 1367
Change Traffic Management Settings .... 1369
Change the Scale .... 1370
Add and Remove Lines .... 1371
Change Colors .... 1371
About HostWatch .... 1371
DNS Resolution and HostWatch .... 1372
Start HostWatch .... 1372
Pause and start the HostWatch display .... 1372
Select Connections and Interfaces to Monitor .... 1373
Filter Content of the HostWatch Window .... 1375
Change HostWatch Visual Properties .... 1376
Visit or Block a Site from HostWatch .... 1377
About the Performance Console .... 1378
Start the Performance Console .... 1378
Make Graphs with the Performance Console .... 1379
Types of Counters .... 1379
Stop Monitoring or Close the Window .... 1379
Define Performance Counters .... 1380
Add Charts or Change Polling Intervals .... 1383
About Certificates and FSM .... 1384
Communication Log .... 1386
Use Firebox System Manager (FSM) .... 1387
See and Synchronize Feature Keys .... 1387
Hide Expired Service Warnings .... 1391
Synchronize the System Time .... 1392
Run Diagnostic Tasks to Learn More About Log Messages .... 1393
Clear the ARP Cache .... 1404
Clear Alarms .... 1406
Rekey BOVPN Tunnels .... 1406
Calculate the Fireware XTM Checksum .... 1408
Backup and Restore to a USB Drive .... 1409
Control FireCluster .... 1410
Reboot or Shut Down Your XTM Device .... 1410
Update the Wireless Region for an XTM Wireless Device .... 1411

Certificates and the Certificate Authority .... 1413
About Certificates .... 1413
Use Multiple Certificates to Establish Trust .... 1414
How the XTM Device Uses Certificates .... 1414
Certificate Lifetimes and CRLs .... 1415
Certificate Authorities and Signing Requests .... 1415
Certificate Authorities Trusted by the XTM Device .... 1417
Manage XTM Device Certificates .... 1429
Manage Certificates on the Management Server .... 1434
Create a Certificate with FSM or the Management Server .... 1441
Create a Certificate with FSM .... 1441
Create a Self-Signed Certificate with CA Manager .... 1444
Create a CSR with OpenSSL .... 1445
Use OpenSSL to Generate a CSR .... 1445
Sign a Certificate with Microsoft CA .... 1445
Send the Certificate Request .... 1446
Issue the Certificate .... 1446
Download the Certificate .... 1446
Use Certificates for Authentication .... 1447
Certificates for Branch Office VPN (BOVPN) Tunnel Authentication .... 1447
Certificates for Mobile VPN with IPSec Tunnel Authentication .... 1448
Certificates for Mobile VPN with L2TP Tunnel Authentication .... 1450
Configure the Web Server Certificate for Firebox Authentication .... 1452
Use Certificates for the HTTPS-Proxy .... 1454
Protect a Private HTTPS Server .... 1454
Examine Content from External HTTPS Servers .... 1455
Export the HTTPS Content Inspection Certificate .... 1456
Import the Certificates on Client Devices .... 1456
Troubleshoot Problems with HTTPS Content Inspection .... 1457
Import a Certificate on a Client Device .... 1458
Import a PEM Format Certificate with Windows 7 .... 1458

Virtual Private Networks (VPNs) .... 1461
Introduction to VPNs .... 1461
Branch Office VPN .... 1461
Mobile VPN .... 1462
About IPSec VPNs .... 1462
About IPSec Algorithms and Protocols .... 1462
About IPSec VPN Negotiations .... 1465
About IPSec VPN Tunnel Authentication Methods .... 1468
Configure Phase 1 and Phase 2 Settings .... 1469
About Mobile VPNs .... 1470
Select a Mobile VPN .... 1470
Internet Access Options for Mobile VPN Users .... 1475
Mobile VPN Setup Overview .... 1476
Virtual IP Addresses and Mobile VPNs .... 1477
DNS and Mobile VPNs .... 1478
VPN Tunnel Capacity and Licensing .... 1479
Find Your XTM Device Tunnel Capacity .... 1479
VPN License Enforcement .... 1480

Managed Branch Office VPN Tunnels .... 1481
About Managed Branch Office VPN Tunnels .... 1481
How to Create a Managed BOVPN Tunnel .... 1481
Tunnel Options .... 1482
VPN Failover .... 1482
Global VPN Settings .... 1482
BOVPN Tunnel Status .... 1483
Rekey BOVPN Tunnels .... 1483
Add VPN Resources .... 1483
Get the Current Resources from a Device .... 1483
Create a New VPN Resource .... 1484
Add a Host or Network .... 1486
Add VPN Firewall Policy Templates .... 1486
Set a Schedule for the Policy Template .... 1487
Use QoS Marking in a Policy Template .... 1488
Configure Traffic Management in a Policy Template .... 1488
Add Security Templates .... 1489
Make Managed Tunnels Between Devices .... 1492
Edit a Tunnel Definition .... 1493
Remove Tunnels and Devices .... 1493
Remove a Tunnel .... 1493
Remove a Device .... 1494
VPN Tunnel Status and Subscription Services .... 1494
Mobile VPN Tunnel Status .... 1495
Subscription Services Status .... 1495

Manual Branch Office VPN Tunnels .... 1497
What You Need to Create a Manual BOVPN .... 1497
About Manual Branch Office VPN Tunnels .... 1498
What You Need to Create a VPN .... 1498
BOVPN Tunnel Configuration Options .... 1499
Custom Tunnel Policies .... 1499
One-Way Tunnels .... 1500
VPN Failover .... 1500
Global VPN Settings .... 1500
BOVPN Tunnel Status .... 1501
Rekey BOVPN Tunnels .... 1501
Sample VPN Address Information Table .... 1502
Quick Start — Set Up a VPN Tunnel between Two Firebox or XTM Devices .... 1504
Branch Office VPN Terminology .... 1506
Configure Gateways .... 1509
Define Gateway Endpoints .... 1511
Configure Mode and Transforms (Phase 1 Settings) .... 1515
Edit and Delete Gateways .... 1520
Disable Automatic Tunnel Startup .... 1520
If Your XTM Device is Behind a Device That Does NAT .... 1520
Make Tunnels Between Gateway Endpoints .... 1522
Define a Tunnel .... 1522
Add Routes for a Tunnel .... 1524
Configure Phase 2 Settings .... 1525
Add a Phase 2 Proposal .... 1527
Change Order of Tunnels .... 1529
About BOVPN Virtual Interfaces .... 1530
BOVPN Virtual Interface Configuration Scenarios .... 1531
Metric-based VPN Failover and Failback .... 1531
BOVPN Virtual Interface with Dynamic Routing .... 1532
BOVPN Virtual Interface with Policy-Based Routing .... 1533
Configure a BOVPN Virtual Interface .... 1536
Configure VPN Routes .... 1539
Assign BOVPN Virtual Interface IP Addresses .... 1542
Configure BOVPN Virtual Interface Multicast Settings .... 1544
Disable or Enable a Branch Office VPN .... 1545
Disable or Enable a BOVPN Gateway .... 1545
Disable or Enable a BOVPN Virtual Interface .... 1545
About Global VPN Settings .... 1546
Enable IPSec Pass-through .... 1546
Enable TOS for IPSec .... 1547
Enable the Use of Non-Default (Static or Dynamic) Routes to Determine if IPSec is Used .... 1547
Disable or Enable the Built-in IPSec Policy .... 1548
Remove VPN Routes for a BOVPN Virtual Interface .... 1548
Enable LDAP Server for Certificate Verification .... 1549
BOVPN Notification .... 1549
Configure Inbound IPSec Pass-through with SNAT .... 1549
Disable the Built-in IPSec Policy .... 1550
Add IPSec Policies .... 1550
Define a Custom Tunnel Policy .... 1552
Choose a Name for the Policies .... 1552
Select the Policy Type .... 1552
Select the BOVPN Tunnels .... 1552
Create an Alias for the Tunnels .... 1552
The BOVPN Policy Wizard has Completed Successfully .... 1552
Configure a Branch Office VPN for Failover from a Leased Line .... 1552
Requirements .... 1553
Configuration Overview .... 1553
How Failover to the Branch Office VPN Operates .... 1553
Set Up Outgoing Dynamic NAT Through a Branch Office VPN Tunnel .... 1554
Configure the Endpoint Where All Traffic Must Appear to Come from a Single Address (Site A) .... 1554
Configure the Endpoint that Expects All Traffic to Come from a Single IP Address (Site B) .... 1556
Use 1-to-1 NAT Through a Branch Office VPN Tunnel .... 1559
1-to-1 NAT and VPNs .... 1559
Other Reasons to Use 1-to-1 NAT Through a VPN .... 1559
Alternative to Using NAT .... 1560
How to Set Up the VPN .... 1561
Example .... 1561
Define a Route for All Internet-Bound Traffic .... 1565
Configure the BOVPN Tunnel on the Remote XTM Device .... 1566
Configure the BOVPN Tunnel on the Central XTM Device .... 1566
Add a Dynamic NAT Entry on the Central XTM Device .... 1567
Mobile VPN Traffic Through a Branch Office VPN Tunnel .... 1569
Configure Mobile VPN Client Routes .... 1569
Configure Manual Branch Office VPN Routes .... 1570
Configure BOVPN Virtual Interface Routes .... 1571
Configure Policies to Allow the Connection .... 1571
Enable Multicast Routing Through a Branch Office VPN Tunnel .... 1573
About Helper Addresses .... 1573
Enable an XTM Device to Send Multicast Traffic Through a Tunnel .... 1574
Enable an XTM Device to Receive Multicast Traffic Through a Tunnel .... 1577
Enable an XTM Device to Send Multicast Traffic Through a BOVPN Virtual Interface .... 1577
Enable an XTM Device to Receive Multicast Traffic Through a BOVPN Virtual Interface .... 1578
Enable Broadcast Routing Through a Branch Office VPN Tunnel .... 1579
Enable Broadcast Routing for the Local XTM device .... 1580
Configure Broadcast Routing for the XTM Device at the Other End of the Tunnel .... 1582
Configure Name Resolution Through a Branch Office VPN Tunnel .... 1582
Methods of Name Resolution Through a Branch Office VPN Tunnel .... 1582
Select the Best Method for Your Network .... 1582
Configure WINS or DNS for Name Resolution .... 1583
Use WINS and DNS Servers for Client Computers .... 1583
Configure an LMHOSTS File to Provide Name Resolution .... 1583
Edit an LMHOSTS File .... 1584
Branch Office VPN Tunnel Switching .... 1584
Configure VPN Failover .... 1586
Define Multiple Gateway Pairs .... 1587
Configure VPN Modem Failover .... 1590
Before You Begin .... 1590
Branch Office VPN Configuration Requirements .... 1590
Configure a Branch Office VPN Gateway for Modem Failover .... 1591
Configure a Branch Office VPN Virtual Interface for Modem Failover .... 1594
Configure the Gateway on the Remote Device .... 1594
Configure Tunnels .... 1595
About Modem Failover .... 1595
VPN Modem Failover and Multi-WAN .... 1596
Example 1 — Single WAN at Both Sites .... 1596
Example 2 — Multi-WAN at the Small Office .... 1597
Example 3 — Multi-WAN at the Central Office .... 1597
Multi-WAN at Both Sites .... 1598
Force a Branch Office VPN Tunnel Rekey .... 1598
To Rekey One BOVPN Tunnel .... 1598
To Rekey all BOVPN Tunnels .... 1599
Related Questions About Branch Office VPN Set Up .... 1599
Why do I Need a Static External Address? .... 1599
How do I Get a Static External IP Address? .... 1599
How do I Troubleshoot the Connection? .... 1599
Why is Ping not Working? .... 1600
Troubleshoot Branch Office VPN Tunnels .... 1600
Filter Branch Office VPN Log Messages .... 1600
Improve Branch Office VPN Tunnel Availability .... 1602
BOVPN Virtual Interface Examples .... 1606
BOVPN Virtual Interface with Dynamic Routing .... 1607
BOVPN Virtual Interface with Metric-Based Failover .... 1617

Mobile VPN with PPTP .... 1625
About Mobile VPN with PPTP .... 1625
Mobile VPN with PPTP Requirements .... 1625
Encryption Levels .... 1626
Configure Mobile VPN with PPTP .... 1627
Authentication .... 1628
Set Encryption for PPTP Tunnels .... 1628
MTU and MRU .... 1629
Define Timeout Settings for PPTP Tunnels .... 1629
Add to the IP Address Pool .... 1629
Configure PPTP Policies .... 1630
Configure WINS and DNS Servers .... 1630
Add New Users to the PPTP-Users Group .... 1631
Options for Internet Access Through a Mobile VPN with PPTP Tunnel .... 1633
Default-Route VPN .... 1634
Split Tunnel VPN .... 1634
Default-Route VPN Setup for Mobile VPN with PPTP .... 1634
Split Tunnel VPN Setup for Mobile VPN with PPTP .... 1634
Configure Policies to Control Mobile VPN with PPTP Client Access .... 1636
Allow PPTP Users to Access a Trusted Network .... 1636
Use Other Groups or Users in a PPTP Policy .... 1640
Prepare Client Computers for PPTP .... 1641
Create and Connect a PPTP Mobile VPN for Windows 8 .... 1641
Create and Connect a PPTP Mobile VPN for Windows 7 .... 1642
Create and Connect a PPTP Mobile VPN for Windows Vista .... 1643
Create and Connect a PPTP Mobile VPN for Windows XP .... 1644
Make Outbound PPTP Connections from Behind an XTM Device .... 1645

Mobile VPN with IPSec .... 1647
About Mobile VPN with IPSec .... 1647
Configure a Mobile VPN with IPSec Connection .... 1648
System Requirements .... 1648
Options for Internet Access Through a Mobile VPN with IPSec Tunnel .... 1650
About Mobile VPN Client Configuration Files .... 1650
Configure the XTM Device for Mobile VPN with IPSec .... 1652
Add Users to a Firebox Mobile VPN Group .... 1658
Modify an Existing Mobile VPN with IPSec Group Profile .... 1660
Configure WINS and DNS Servers .... 1671
Lock Down an End User Profile .... 1672
Save the Profile to a XTM Device .... 1672
Generate Mobile VPN with IPSec Configuration Files .... 1672
Configure Policies for Mobile VPN with IPSec .... 1673
Distribute the Software and Profiles .... 1675
Additional Mobile VPN Topics .... 1678
Configure Mobile VPN with IPSec to a Dynamic IP Address .... 1680
About the XTM IPSec Mobile VPN Client .... 1682
Client Requirements .... 1682
Install the IPSec Mobile VPN Client Software .... 1682
Connect and Disconnect the Mobile VPN Client .... 1687
See Mobile VPN Log Messages .... 1690
Secure Your Computer with the Mobile VPN Firewall .... 1691
End-User Instructions for WatchGuard IPSec Mobile VPN Client Installation .... 1693
About the Shrew Soft VPN Client .... 1703
Shrew Soft VPN Client Limitations .... 1703
Shrew Soft VPN End-User Profile .... 1704
Install the Shrew Soft VPN Client Software .... 1704
Import Certificates to the Shrew Soft VPN Client .... 1705
Use the Shrew Soft VPN Client to Connect .... 1707
Troubleshoot the Shrew Soft VPN Client .... 1709
About the WatchGuard Mobile VPN App .... 1710
WatchGuard Mobile VPN App for Android .... 1711
WatchGuard Mobile VPN App for iOS .... 1711
Mobile VPN App End-User Profile .... 1711
Use the Mac OS X or iOS Native IPSec VPN Client .... 1713
Configure the XTM Device .... 1713
Configure the VPN Client on an iOS Device .... 1721
Configure the VPN Client on a Mac OS X Device .... 1722
Use Mobile VPN with IPSec with an Android Device .... 1723
Configure the XTM Device .... 1724
Configure the WatchGuard Mobile VPN App .... 1731
Configure the Native Android 4.x VPN Client .... 1732

Mobile VPN with SSL .... 1735
About Mobile VPN with SSL .... 1735
Configure the XTM Device for Mobile VPN with SSL .... 1735
Before You Begin .... 1736
Configure Connection Settings .... 1737
Configure the Networking and IP Address Pool Settings .... 1738
Configure Authentication Settings .... 1739
Configure Advanced Settings for Mobile VPN with SSL .... 1743
Configure Policies to Control Mobile VPN with SSL Client Access .... 1745
Options for Internet Access Through a Mobile VPN with SSL Tunnel .... 1748
Name Resolution for Mobile VPN with SSL .... 1749
Configure the External Authentication Server .... 1751
Install and Connect the Mobile VPN with SSL Client .... 1752
Client Computer Requirements .... 1752
Download the Client Software .... 1752
Install the Client Software .... 1754
Connect to Your Private Network .... 1755
Other Connection Options .... 1756
Mobile VPN with SSL Client Controls .... 1757
Manually Distribute and Install the Mobile VPN with SSL Client Software and Configuration File .... 1757
Uninstall the Mobile VPN with SSL Client .... 1759
Use Mobile VPN with SSL with an OpenVPN Client .... 1760
Requirements .... 1760
Download the Mobile VPN with SSL Client Profile .... 1761
Import the Client Profile .... 1762

Mobile VPN with L2TP .... 1763
About Mobile VPN with L2TP .... 1764
Client Compatibility .... 1764
Authentication Server Compatibility .... 1764
Licensing .... 1764
Options for Internet Access Through a Mobile VPN with L2TP Tunnel .... 1765
Default-Route VPN .... 1765
Split Tunnel VPN .... 1765
Default-Route VPN Setup for Mobile VPN with L2TP .... 1765
Split Tunnel VPN Setup for Mobile VPN with L2TP .... 1766
About L2TP User Authentication .... 1768
Use the WatchGuard L2TP Setup Wizard .... 1769
Before you Begin .... 1769
Start the L2TP Setup Wizard .... 1769
Edit the Mobile VPN with L2TP Configuration .... 1774
Edit the Virtual IP Address Pool .... 1775
Edit Network Settings .... 1775
Edit Authentication Settings .... 1776
Edit L2TP IPSec Settings .... 1777
Add an L2TP IPSec Phase 1 Transform .... 1782
Configure L2TP IPSec Phase 1 Advanced Settings .... 1784
Add an L2TP IPSec Phase 2 Proposal .... 1785
About L2TP Policies .... 1787
Configure WINS and DNS Servers .... 1787
Configure Client Devices for Mobile VPN with L2TP .... 1789
Configure and Use L2TP on Windows 8 .... 1789
Configure and Use L2TP on Windows 7 .... 1791
Configure and Use L2TP on Windows XP .... 1793
Configure and Use L2TP on Mac OS X .... 1795
Configure and Use L2TP on Android .... 1797
About L2TP Connections from an iOS Device .... 1798
Configure Mobile VPN with L2TP for Use with iOS Devices .... 1799
Generate and Distribute the L2TP Mobile Client Profile .... 1802
Import the L2TP Configuration to the iOS VPN Client .... 1804
Manually Configure L2TP on an iOS Device .... 1805
Connect from an L2TP VPN Client .... 1806

WebBlocker .... 1807
About WebBlocker .... 1807
WebBlocker Server Options
1807
WebBlocker and Policies
1808
WebBlocker Licensing
1808
Set Up a WebBlocker Server
User Guide
1808
xlix
Install the WebBlocker Server Software
1808
Manage the WebBlocker Server
1809
Download the WebBlocker Database
1810
Update the WebBlocker Database
1811
Change the WebBlocker Server Port
1812
Copy the WebBlocker Database from One WebBlocker Server to Another
1814
Get Started with WebBlocker
Before You Begin
1816
Activate WebBlocker
1816
Select Policies for WebBlocker
1816
Identify the WebBlocker Servers
1817
Select Categories to Block
1820
Configure WebBlocker
1822
Configure WebBlocker Settings for a Policy
1822
Copy WebBlocker Settings from One Policy to Another
1824
Configure WebBlocker Servers
1824
Change Categories to Block
1827
About WebBlocker Websense Categories
1831
About WebBlocker SurfControl Categories
1832
Define Advanced WebBlocker Options
1835
Define WebBlocker Alarms
1838
About WebBlocker Exceptions
1838
Define the Action for Sites that do not Match Exceptions
1839
Components of Exception Rules
1839
Exceptions with Part of a URL
1839
Add WebBlocker Exceptions
1840
Change the Order of Exception Rules
1843
Import or Export WebBlocker Exception Rules
1843
Restrict Users to a Specific Set of Web Sites
1845
Use WebBlocker Actions in Proxy Definitions
l
1816
1849
Define Additional WebBlocker Actions
1849
Add WebBlocker Actions to a Policy
1849
WatchGuard System Manager
Schedule WebBlocker Actions
1850
About WebBlocker Subscription Services Expiration
1851
WebBlocker Examples
1852
Use WebBlocker Local Override
1852
Use a WebBlocker Server Protected by Another XTM Device
1853
Configure WebBlocker Policies for Groups with Active Directory Authentication
1861
Configure WebBlocker Policies for Groups with Firebox Authentication
1878
spamBlocker
About spamBlocker
1897
1897
spamBlocker Requirements
1898
spamBlocker Actions, Tags, and Categories
1898
Activate spamBlocker
1900
Apply spamBlocker Settings to Your Policies
1901
Create New Proxy Policies
1901
Configure spamBlocker
1903
About spamBlocker Exceptions
1905
Configure Virus Outbreak Detection Actions
1909
Configure spamBlocker to Quarantine Email
1910
About Using spamBlocker with Multiple Proxies
1910
Configure Global spamBlocker Settings
1911
Use an HTTP Proxy Server for spamBlocker
1912
Add Trusted Email Forwarders to Improve Spam Score Accuracy
1913
Enable and Set Parameters for Virus Outbreak Detection (VOD)
1914
About spamBlocker Proactive Patterns
1915
About spamBlocker Scan Limits
1915
Create Rules for Your Email Reader
1915
Send Spam to an Outlook Folder
1916
Monitor spamBlocker Statistics
1917
Report False Positives or Missed Spam
1917
Send Feedback to CYREN
1917
Report Feedback About a Confidential Message
1918
Find the Category a Message is Assigned To
1918
User Guide
li
Reputation Enabled Defense  1919
About Reputation Enabled Defense  1919
Reputation Thresholds  1919
Reputation Scores  1920
Reputation Lookups  1920
Reputation Enabled Defense Feedback  1921
Configure Reputation Enabled Defense  1921
Before You Begin  1922
Enable Reputation Enabled Defense  1922
Configure the Reputation Thresholds  1923
Configure Alarm Notification for RED Actions  1924
Send Gateway AV Scan Results to WatchGuard  1924
Gateway AntiVirus  1925
About Gateway AntiVirus  1925
Install and Upgrade Gateway AV  1925
About Gateway AntiVirus and Proxy Policies  1926
Activate Gateway AntiVirus  1926
Activate Gateway AntiVirus with a Wizard from Policy Manager  1927
Activate Gateway AntiVirus from Proxy Definitions  1929
Configure Gateway AntiVirus Actions  1930
Configure Gateway AntiVirus Actions for a Proxy Policy  1932
Configure Gateway AntiVirus Actions in Policy Rulesets  1934
Configure Alarm Notifications for Antivirus Actions  1938
Unlock a File Locked by Gateway AntiVirus  1938
Configure Gateway AntiVirus to Quarantine Email  1939
About Gateway AntiVirus Scan Limits  1939
Update Gateway AntiVirus Settings  1940
If you Use a Third-Party Antivirus Client  1940
Configure Gateway AV Decompression Settings  1940
Configure the Gateway AV Update Server  1941
APT Blocker  1944
About APT Blocker  1944
Supported Proxy Policies  1945
Supported File Types  1945
APT Threat Levels  1945
Enable and Configure APT Blocker  1947
APT Blocker and Other Security Services  1947
APT Blocker and Gateway AntiVirus  1947
APT Blocker and Reputation Enabled Defense (RED)  1947
APT Blocker and WebBlocker  1948
Configure APT Blocker  1948
APT Blocker and NTP  1949
Enable APT Blocker and Configure APT Blocker Actions  1949
Configure Other APT Blocker Settings  1950
Enable or Disable APT Blocker for a Proxy Policy  1950
Monitor APT Blocker Activity  1951
Traffic Monitor and APT Blocker  1952
Intrusion Prevention Service  1953
About Intrusion Prevention Service  1953
IPS Threat Levels  1953
Add the IPS Upgrade  1955
Keep IPS Signatures Updated  1955
See IPS Status  1955
Configure Intrusion Prevention  1955
Enable IPS and Configure IPS Actions  1955
Configure Other IPS Settings  1957
Configure the IPS Update Server  1957
Configure Automatic Signature Updates  1957
Connect to the Update Server Through an HTTP Proxy Server  1958
Block Access from the Trusted Network to the Update Server  1959
Update Signatures Manually  1959
Configure IPS Exceptions  1959
Find the IPS Signature ID  1959
Add an IPS Signature Exception  1959
Show IPS Signature Information  1961
Find IPS Signature Information in Firebox System Manager  1961
Disable or Enable IPS for a Policy  1962
Look Up IPS Signatures on the Security Portal  1964
Application Control  1965
About Application Control  1965
Application Control Deny Message  1965
Add the Application Control Upgrade  1966
Keep Application Control Signatures Updated  1966
How Application Control Identifies Applications  1967
Application Control — Begin with Monitoring  1968
Monitor Application Use  1968
Application Control Reports  1969
Policy Guidelines for Application Control  1970
Global Application Control Action  1971
Configure Application Control Actions  1971
Connect to the XTM Device To Get The Latest Signatures  1972
Add or Edit Application Control Actions  1972
Remove Configured Applications From an Application Control Action  1975
Apply an Application Control Action to a Policy  1976
Clone an Application Control Action  1976
Remove Application Control Actions  1977
Use Application Categories  1978
Configure Application Control for Policies  1980
Enable Application Control in a Policy  1981
Edit or Clone Application Control Actions  1982
Get Information About Applications  1982
Application Control and Traffic Monitor  1983
Configure the Application Control Update Server  1983
Configure Signature Updates  1983
Connect to the Update Server Through an HTTP Proxy Server  1984
Block Access from the Trusted Network to the Update Server  1985
Update Signatures Manually  1985
Application Control and Proxies  1985
Application Control and WebBlocker  1986
Manage SSL Applications  1986
Manage Evasive Applications  1986
Block User Logins to Skype  1987
Manage Applications that Use Multiple Protocols  1988
Example: Block FlashGet  1988
File Transfer Applications and Protocols  1989
Monitor Downloads and File Transfers  1991
Manage Facebook Applications  1992
Application Control Policy Examples  1994
Allow an Application For a Group of Users  1994
Block Applications During Business Hours  1995
Application Control and Policy Precedence  1996
Data Loss Prevention  1997
About Data Loss Prevention  1998
DLP Text Extraction and File Types  1998
Add the DLP Upgrade  2000
About DLP and Proxy Policies  2000
About DLP False Positives  2000
Configure Data Loss Prevention  2001
Enable DLP and Configure DLP Sensors  2001
Configure other DLP Settings  2001
Configure DLP Custom Rule  2002
Add a Custom Rule  2002
Add a Custom Rule to a DLP Sensor  2003
Configure DLP Sensors  2005
DLP and Device Performance  2005
Rules  2005
Actions  2006
Settings  2007
Sensor Types  2007
Add a Sensor  2007
Clone a Sensor  2011
Edit a Sensor  2011
Add or Edit Sensor Actions  2012
Reorder Sensor Actions  2014
Configure Sensor Scan Settings  2014
Delete a Sensor  2014
Configure DLP Scan Settings  2015
About DLP Scan Limits  2017
Configure DLP for Policies  2018
Enable DLP Sensors for Policies  2018
Select the DLP Sensor in a Proxy Action  2018
Configure the DLP Update Server  2019
Configure Signature Updates  2020
Connect to the Update Server Through an HTTP Proxy Server  2020
Block Access from the Trusted Network to the Update Server  2021
Update Signatures Manually  2021
Monitor DLP Activity  2022
Look Up DLP Rules on the Security Portal  2023
Unlock a File Locked by DLP  2023
Quarantine Server  2025
About the Quarantine Server  2025
Set Up the Quarantine Server  2026
Install the Quarantine Server Software  2026
Run the WatchGuard Server Center Setup Wizard  2026
Configure the Quarantine Server Settings  2028
Configure the XTM Device to Quarantine Email  2028
Configure the Quarantine Server  2029
Configure Database and SMTP Server Settings  2030
Configure Deletion Settings and Accepted Domains  2032
Configure User Notification Settings  2033
Configure Logging Settings for the Quarantine Server  2035
Configure Quarantine Server Rules  2036
Define the Quarantine Server Location on the XTM Device  2037
About the Quarantine Server Client  2039
Manage Quarantined Messages  2041
Manage Quarantine Server Users  2044
Get Statistics on Quarantine Server Activity  2047
Configure User Notification with Microsoft Exchange Server 2003 or 2007  2050
Configure User Notification if Your Microsoft Exchange Server Does Not Require Authentication  2050
Configure User Notification if Your Microsoft Exchange Server Requires Authentication  2051
User Management of Quarantined Messages  2053
Manage Quarantined Messages  2053
Change Quarantine Notification Settings  2054

1 Introduction to Network Security
About Networks and Network Security
A network is a group of computers and other devices that are connected to each other. It can be two
computers in the same room, dozens of computers in an organization, or many computers around the
world connected through the Internet. Computers on the same network can work together and share
data.
Although networks like the Internet give you access to a large quantity of information and business
opportunities, they can also open your network to attackers. Many people think that their computers
hold no important information, or that a hacker is not interested in their computers. This is not correct. A
hacker can use your computer as a platform to attack other computers or networks. Information from
your organization, including personal information about users, employees, or customers, is also
valuable to hackers.
Your XTM device and LiveSecurity subscription can help you prevent these attacks. A good network
security policy, or a set of access rules for users and resources, can also help you find and prevent
attacks to your computer or network. We recommend that you configure your XTM device to match
your security policy, and think about threats from both inside and outside your organization.
About Internet Connections
ISPs (Internet service providers) are companies that give access to the Internet through network
connections. The rate at which a network connection can send data is known as bandwidth: for
example, 3 megabits per second (Mbps).
A high-speed Internet connection, such as a cable modem, DSL (Digital Subscriber Line), or fiber, is
known as a broadband connection. Broadband connections are much faster than dial-up connections.
The bandwidth of a dial-up connection is less than 0.1 Mbps, while a cable modem can be 5 Mbps or
more. The bandwidth of a fiber optic connection is even higher.
Typical speeds for cable modems are usually lower than the maximum speeds, because each
computer in a neighborhood is a member of a LAN. Each computer in that LAN uses some of the
bandwidth. Because of this shared-medium system, cable modem connections can become slow
when more users are on the network.
DSL connections supply constant bandwidth, but they are usually slower than cable modem
connections. Also, the bandwidth is only constant between your home or office and the DSL central
office. The DSL central office cannot guarantee a good connection to a web site or network.
How Information Travels on the Internet
The data that you send through the Internet is cut into units, or packets. Each packet includes the
Internet address of the destination. The packets that make up a connection can use different routes
through the Internet. When they all get to their destination, they are assembled back into the original
order. To make sure that the packets get to the destination, address information is added to the
packets.
About Protocols
A protocol is a group of rules that allow computers to connect across a network. Protocols are the
grammar of the language that computers use when they speak to each other across a network. The
standard protocol when you connect to the Internet is the IP (Internet Protocol). This protocol is the
usual language of computers on the Internet.
A protocol also tells how data is sent through a network. The most frequently used protocols are TCP
(Transmission Control Protocol) and UDP (User Datagram Protocol). TCP/IP is the basic protocol
used by computers that connect to the Internet.
You must know some of the TCP/IP settings when you set up your XTM device. For more information
on TCP/IP, see Find Your TCP/IP Properties on page 50.
About IP Addresses
To send ordinary mail to a person, you must know his or her street address. For one computer on the
Internet to send data to a different computer, it must know the address of that computer. A computer
address is known as an Internet Protocol (IP) address. All devices on the Internet have unique IP
addresses, which enable other devices on the Internet to find and interact with them.
Fireware XTM supports both IPv4 and IPv6 addresses. IPv6 addresses are supported only when the
XTM device is configured in mixed routing mode.
For more information about Fireware XTM support for IPv6, see About IPv6 Support.
IPv4 Addresses
An IPv4 address consists of four octets (8-bit binary number sequences) expressed in decimal format
and separated by periods. Each number between the periods must be within the range of 0 and 255.
Some examples of IPv4 addresses are:
- 206.253.208.100
- 4.2.2.2
- 10.0.4.1
Private Addresses and Gateways
Many companies create private networks that have their own address space. The addresses 10.x.x.x
and 192.168.x.x are reserved for private IP addresses. Computers on the Internet cannot use these
addresses. If your computer is on a private network, you connect to the Internet through a gateway
device that has a public IP address.
Usually, the default gateway is the router that is between your network and the Internet. After you
install the XTM device on your network, it becomes the default gateway for all computers connected to
its trusted or optional interfaces.
About Subnet Masks
Because of security and performance considerations, networks are often divided into smaller portions
called subnets. All devices in a subnet have similar IP addresses. For example, all devices that have
IP addresses whose first three octets are 10.0.1 would belong to the same subnet.
The subnet mask for a network IP address, or netmask, is a series of bits that mask sections of the IP
address that identify which parts of the IP address are for the network and which parts are for the host.
A subnet mask can be written in the same way as an IP address, or in slash or CIDR notation.
IPv6 Addresses
IPv6 increases the IP address size from the 32 bits found in IPv4 to 128 bits. This allows for a more
structured hierarchy in addresses, and supports a much larger total number of addresses.
IPv6 Address Format
An IPv6 address contains eight groups of 16-bit hexadecimal values, separated by colons (:). The
hexadecimal digits are not case-sensitive. Some examples of IPv6 addresses are:
- 2561:1900:4545:0003:0200:F8FF:FE21:67CF
- 2260:F3A4:32CB:715D:5D11:D837:FC76:12FC
- FE80:0000:0000:0000:2045:FAEB:33AF:8374
The first four groups of 16-bit hexadecimal values represent the network. The last four groups of 16-bit
hexadecimal values are the interface ID that uniquely identifies each networked device. This value is
usually derived from the MAC address of the device.
Shorten an IPv6 Address
There are two ways you can shorten the notation of an IPv6 address:
- Remove leading zeros — In each 16-bit hexadecimal address group, you can remove the
  leading zeros. For example, these two IPv6 addresses are equivalent:
  2561:1900:4545:0003:0200:F8FF:FE21:67CF
  2561:1900:4545:3:200:F8FF:FE21:67CF
- Remove groups of zeros — If an IPv6 address contains adjacent groups of 16-bit
  hexadecimal values that are all zeros (0000), you can replace one group of adjacent blocks of
  zeros with two colons (::). For example, these two IPv6 addresses are equivalent:
  FE80:0000:0000:0000:2045:FAEB:33AF:8374
  FE80::2045:FAEB:33AF:8374
  You can use two colons (::) only once in an IPv6 address to represent adjacent groups with all
  zeros.
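The two shortening rules above are easy to get wrong by hand, and an address that is shortened or expanded incorrectly in a policy silently matches the wrong traffic. The following Python is an added example, not code from the WatchGuard guide: it expands any full or shortened IPv6 address to its eight groups, applies rule 1 and rule 2 (replacing only the longest run of zero groups, so `::` appears at most once), rejects an address with two `::`, and cross-checks the result against the Python standard library's `ipaddress` module. The function names are this example's own; the sample addresses are the ones quoted in the text.

```python
"""Shorten and expand IPv6 addresses using the two rules described above.

Added example, not code from the WatchGuard guide. Standard library only;
the sample addresses are the ones quoted in the text. Function names are
this example's own.
"""
import ipaddress
import re
from typing import List

_GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def expand_ipv6(addr: str) -> List[str]:
    """Return the eight groups of an IPv6 address, each padded to 4 hex digits.

    Accepts full or shortened notation. Rejects a second '::' or a malformed
    group instead of guessing, because an address that is parsed wrongly in a
    firewall rule matches the wrong traffic.
    """
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once in an IPv6 address")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(_GROUP.match(g) for g in groups):
        raise ValueError(f"not a valid IPv6 address: {addr!r}")
    return [g.zfill(4) for g in groups]


def shorten_ipv6(addr: str, squash_zeros: bool = True) -> str:
    """Rule 1: drop leading zeros in every group. Rule 2 (when squash_zeros):
    replace the longest run of two or more all-zero groups with '::'.

    Only one run is replaced, so '::' appears at most once; a tie between
    runs of equal length goes to the leftmost run.
    """
    groups = [g.lstrip("0") or "0" for g in expand_ipv6(addr)]
    if not squash_zeros:
        return ":".join(groups)
    best_start, best_len = -1, 0
    run_start, run_len = -1, 0
    for i, g in enumerate(groups + ["end"]):  # sentinel closes a trailing run
        if g == "0":
            if run_len == 0:
                run_start = i
            run_len += 1
        else:
            if run_len > best_len:
                best_start, best_len = run_start, run_len
            run_len = 0
    if best_len < 2:
        return ":".join(groups)
    head = ":".join(groups[:best_start])
    tail = ":".join(groups[best_start + best_len:])
    return f"{head}::{tail}"


def same_ipv6(a: str, b: str) -> bool:
    """True when two notations name the same address (hex digits are not case-sensitive)."""
    return [g.upper() for g in expand_ipv6(a)] == [g.upper() for g in expand_ipv6(b)]


def is_valid_ipv6(addr: str) -> bool:
    """True when expand_ipv6 accepts the address."""
    try:
        expand_ipv6(addr)
        return True
    except ValueError:
        return False


def agrees_with_stdlib(addr: str) -> bool:
    """Cross-check: the shortened form must still name the same address
    according to Python's ipaddress module."""
    return ipaddress.IPv6Address(shorten_ipv6(addr)) == ipaddress.IPv6Address(addr)


if __name__ == "__main__":
    for a in ("2561:1900:4545:0003:0200:F8FF:FE21:67CF",
              "FE80:0000:0000:0000:2045:FAEB:33AF:8374"):
        print(a, "->", shorten_ipv6(a), "| stdlib agrees:", agrees_with_stdlib(a))
```

`shorten_ipv6` picks the longest zero run deliberately: replacing a shorter run first would leave a second run that can no longer be squashed, since `::` is allowed only once.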
IPv6 Prefix
The IPv6 prefix indicates the subnet associated with an IPv6 address. The prefix is expressed as a
slash (/) followed by the prefix size, which is a decimal number between 1 and 128. The prefix size
indicates how many bits of the address make up the network identifier prefix. Examples of IPv6
prefixes are:
- /64 — The prefix used for a single subnet
- /48 — Prefix used for a site that could have multiple subnets
About Slash Notation
Your XTM device uses slash notation, also known as CIDR (Classless Inter-Domain Routing)
notation, for many purposes, such as policy configuration. You use slash notation differently for IPv4
and IPv6 addresses.
IPv4
Slash notation is a compact way to show or write an IPv4 subnet mask. When you use slash notation,
you write the IP address, a forward slash (/), and the subnet mask number.
To find the subnet mask number:
1. Convert the decimal representation of the subnet mask to a binary representation.
2. Count each “1” in the subnet mask. The total is the subnet mask number.
For example, to write the IPv4 address 192.168.42.23 with a subnet mask of 255.255.255.0 in slash
notation:
1. Convert the subnet mask to binary.
In this example, the binary representation of 255.255.255.0 is:
11111111.11111111.11111111.00000000.
2. Count each 1 in the subnet mask.
In this example, there are twenty-four (24).
3. Write the original IP address, a forward slash (/), and then the number from Step 2.
The result is 192.168.42.23/24.
This table shows common network masks and their equivalents in slash notation.

Network Mask     Slash Equivalent
255.0.0.0        /8
255.255.0.0      /16
255.255.255.0    /24
255.255.255.128  /25
255.255.255.192  /26
255.255.255.224  /27
255.255.255.240  /28
255.255.255.248  /29
255.255.255.252  /30
IPv6
In IPv6, slash notation is used to represent the network identifier prefix for an IPv6 network. The prefix
is expressed as a slash (/) followed by the prefix size, which is a decimal number between 1 and 128.
CIDR notation works the same way as for IPv4: a /48 means that the first 48 bits of the address are
the prefix.
This table shows common IPv6 network prefixes and the number of IPv6 subnets and IPv6 addresses
they support.

Prefix  Number of Subnets
/64     1 IPv6 subnet with up to 18,446,744,073,709,551,616 IPv6 host addresses
/56     256 /64 subnets
/48     65,536 /64 subnets

A network site that is assigned a /48 prefix can use prefixes in the range /49 to /64 to define valid
subnets.
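The IPv4 procedure above (convert the mask to binary, count the 1 bits, write address/count) and the IPv6 prefix table are both arithmetic a practitioner ends up redoing for every policy. The following Python is an added example, not code from the WatchGuard guide: it carries out the three IPv4 steps, rejects a non-contiguous mask such as 255.0.255.0 rather than reporting it as /16, converts a prefix length back to a dotted mask, tests whether two hosts share a subnet, and derives the figures in the IPv6 table (a /48 holds 2^(64-48) = 65,536 /64 subnets, each with 2^64 host addresses). The function names are this example's own; the addresses and masks are the ones used in the text.

```python
"""Slash (CIDR) notation: convert IPv4 subnet masks to a prefix length and
back, test subnet membership, and size IPv6 prefixes.

Added example, not code from the WatchGuard guide. Standard library only;
the addresses and masks are the ones used in the text above. Function names
are this example's own.
"""
import ipaddress
from typing import Tuple


def mask_to_prefix(mask: str) -> int:
    """Steps 1 and 2 of the procedure: convert the mask to binary and count
    the 1 bits.

    A real subnet mask is a run of 1s followed by a run of 0s. A mask such as
    255.0.255.0 has sixteen 1 bits but is not contiguous, so it is rejected
    instead of being silently reported as /16.
    """
    octets = mask.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal mask: {mask!r}")
    value = int.from_bytes(bytes(int(o) for o in octets), "big")
    binary = format(value, "032b")  # e.g. 11111111111111111111111100000000
    ones = binary.count("1")
    if binary != "1" * ones + "0" * (32 - ones):
        raise ValueError(f"non-contiguous mask: {mask} = {binary}")
    return ones


def prefix_to_mask(prefix: int) -> str:
    """Inverse conversion: /24 -> 255.255.255.0."""
    if not 0 <= prefix <= 32:
        raise ValueError("an IPv4 prefix length is between 0 and 32")
    value = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str(b) for b in value.to_bytes(4, "big"))


def to_slash_notation(ip: str, mask: str) -> str:
    """Step 3: the address, a forward slash, and the number from step 2."""
    ipaddress.IPv4Address(ip)  # raises on a malformed address
    return f"{ip}/{mask_to_prefix(mask)}"


def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """Two hosts are in one subnet when the mask keeps the same network bits."""
    network = ipaddress.ip_network(f"{ip_a}/{mask_to_prefix(mask)}", strict=False)
    return ipaddress.ip_address(ip_b) in network


def is_valid_mask(mask: str) -> bool:
    """True when mask_to_prefix accepts the mask."""
    try:
        mask_to_prefix(mask)
        return True
    except ValueError:
        return False


def ipv6_prefix_capacity(site_prefix: int, subnet_prefix: int = 64) -> Tuple[int, int]:
    """Return (number of /subnet_prefix subnets inside a /site_prefix,
    host addresses in each of those subnets).

    A /48 site holds 2**(64-48) = 65,536 /64 subnets, and each /64 has 2**64
    interface IDs, which are the two figures in the IPv6 table.
    """
    if not 1 <= site_prefix <= subnet_prefix <= 128:
        raise ValueError("need 1 <= site prefix <= subnet prefix <= 128")
    return 2 ** (subnet_prefix - site_prefix), 2 ** (128 - subnet_prefix)


if __name__ == "__main__":
    print(to_slash_notation("192.168.42.23", "255.255.255.0"))      # 192.168.42.23/24
    print(same_subnet("10.0.1.7", "10.0.1.250", "255.255.255.0"))    # True
    subnets, hosts = ipv6_prefix_capacity(48)
    print(f"/48 site: {subnets:,} /64 subnets, {hosts:,} host addresses each")
```

The contiguity check in `mask_to_prefix` is the part worth keeping: a mistyped mask that still has a plausible count of 1 bits would otherwise produce a prefix length that looks right but defines a different set of hosts than intended.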
About Entering Addresses
IPv4 Addresses
When you type IPv4 addresses in the Quick Setup Wizard or dialog boxes, type the digits and
decimals in the correct sequence. Do not use the TAB key, arrow keys, spacebar, or mouse to put your
cursor after the decimals.
For example, if you type the IP address 172.16.1.10, do not type a space after you type 16. Do not try
to put your cursor after the subsequent decimal to type 1. Type a decimal directly after 16, and then
type 1.10. Press the slash (/) key to move to the netmask.
IPv6 Addresses
When you type IPv6 addresses in a text box, simply type the IP address with the colons to separate
each group of numbers in the address. To shorten an IP address, you can remove leading zeros in each
group of numbers and you can use a double colon (::) to replace adjacent groups of zeros in the
address.
For more information about IPv6 addresses, see About IP Addresses.
Static and Dynamic IP Addresses
ISPs (Internet service providers) assign an IP address to each device on their network. The IP address
can be static or dynamic.
Static IP Addresses
A static IP address is an IP address that always stays the same. If you have a web server, FTP
server, or other Internet resource that must have an address that cannot change, you can get a static
IP address from your ISP. A static IP address is usually more expensive than a dynamic IP address,
and some ISPs do not supply static IP addresses. You must configure a static IP address manually.
Dynamic IP Addresses
A dynamic IP address is an IP address that an ISP lets you use temporarily. If a dynamic address is
not in use, it can be automatically assigned to a different device. Dynamic IP addresses are assigned
using either DHCP or PPPoE.
About DHCP
Dynamic Host Configuration Protocol (DHCP) is an Internet protocol that computers on a network use
to get IP addresses and other information such as the default gateway. When you connect to the
Internet, a computer configured as a DHCP server at the ISP automatically assigns you an IP address.
It could be the same IP address you had before, or it could be a new one. When you close an Internet
connection that uses a dynamic IP address, the ISP can assign that IP address to a different
customer.
You can configure your XTM device as a DHCP server for networks behind the device. You assign a
range of addresses for the DHCP server to use.
About PPPoE
Some ISPs assign IP addresses through Point-to-Point Protocol over Ethernet (PPPoE). PPPoE adds
some of the features of Ethernet and PPP to a standard dial-up connection. This network protocol
allows the ISP to use the billing, authentication, and security systems of their dial-up infrastructure
with DSL modem and cable modem products.
About DNS (Domain Name System)
You can frequently find the address of a person you do not know in the telephone directory. On the
Internet, the equivalent to a telephone directory is the DNS (Domain Name System). DNS is a network
of servers that translate numeric IP addresses into readable Internet addresses, and vice versa. DNS
takes the friendly domain name you type when you want to see a particular web site, such as
www.example.com, and finds the equivalent IP address, such as 203.0.113.2. Network devices need
the actual IP address to find the web site, but domain names are much easier for users to type and
remember than IP addresses.
A DNS server is a server that performs this translation. Many organizations have a private DNS server
in their network that responds to DNS requests. You can also use a DNS server on your external
network, such as a DNS server provided by your ISP (Internet Service Provider).
About Firewalls
A network security device, such as a firewall, separates your internal networks from external network
connections to decrease the risk of an external attack. The figure below shows how a firewall protects
the computers on a trusted network from the Internet.
Firewalls use access policies to identify and filter different types of information. They can also control
which policies or ports the protected computers can use on the Internet (outbound access). For
example, many firewalls have sample security policies that allow only specified traffic types. Users
can select the policy that is best for them. Other firewalls, such as XTM devices, allow the user to
customize these policies.
For more information, see About Services and Policies on page 9 and About Ports on page 10.
Firewalls can be in the form of hardware or software. A firewall protects private networks from
unauthorized users on the Internet. Traffic that enters or leaves the protected networks is examined by
the firewall. The firewall denies network traffic that does not match the security criteria or policies.
In some closed, or default-deny firewalls, all network connections are denied unless there is a specific
rule to allow the connection. To deploy this type of firewall, you must have detailed information about
the network applications required to meet needs of your organization. Other firewalls allow all network
connections that have not been explicitly denied. This type of open firewall is easier to deploy, but it is
not as secure.
About Services and Policies
You use a service to send different types of data (such as email, files, or commands) from one
computer to another across a network or to a different network. These services use protocols.
Frequently used Internet services are:
- World Wide Web access uses Hypertext Transfer Protocol (HTTP)
- Email uses Simple Mail Transfer Protocol (SMTP) or Post Office Protocol (POP3)
- File transfer uses File Transfer Protocol (FTP)
- Resolve a domain name to an Internet address uses Domain Name Service (DNS)
- Remote terminal access uses Telnet or SSH (Secure Shell)
When you allow or deny a service, you must add a policy to your XTM device configuration. Each
policy you add can also add a security risk. To send and receive data, you must open a door in your
computer, which puts your network at risk. We recommend that you add only the policies that are
necessary for your business.
As an example of how you can use a policy, suppose the network administrator of a company wants to
activate a Windows terminal services connection to the company’s public web server on the optional
interface of the XTM device. He or she routinely administers the web server with a Remote Desktop
connection. At the same time, he or she wants to make sure that no other network users can use the
Remote Desktop Protocol terminal services through the XTM device. The network administrator would
add a policy that allows RDP connections only from the IP address of his or her own desktop computer
to the IP address of the public web server.
When you configure your XTM device with the Quick Setup Wizard, the wizard adds only limited
outgoing connectivity. If you have more software applications and network traffic for your XTM device
to examine, you must:
- Configure the policies on your XTM device to pass through necessary traffic
- Set the approved hosts and properties for each policy
- Balance the requirement to protect your network against the requirements of your users to get
  access to external resources
About Ports
Although computers have hardware ports you use as connection points, ports are also numbers used
to map traffic to a particular process on a computer. These ports, also called TCP and UDP ports, are
where programs transmit data. If an IP address is like a street address, a port number is like an
apartment unit number or building number within that street address. When a computer sends traffic
over the Internet to a server or another computer, it uses an IP address to identify the server or remote
computer, and a port number to identify the process on the server or computer that receives the data.
For example, suppose you want to see a particular web page. Your web browser attempts to create a
connection on port 80 (the port used for HTTP traffic) for each element of the web page. When your
browser receives the data it requests from the HTTP server, such as an image, it closes the
connection.
Many ports are used for only one type of traffic, such as port 25 for SMTP (Simple Mail Transfer
Protocol). Some protocols, such as SMTP, have ports with assigned numbers. Other programs are
assigned port numbers dynamically for each connection. The IANA (Internet Assigned Numbers
Authority) keeps a list of well-known ports. You can see this list at:
http://www.iana.org/assignments/port-numbers
Most policies you add to your XTM device configuration have a port number between 0 and 1024, but
possible port numbers can be from 0 to 65535.
Ports are either open or closed. If a port is open, your computer accepts information and uses the
protocol identified with that port to create connections to other computers. However, an open port is a
security risk. To protect against risks created by open ports, you can block ports used by hackers to
attack your network. For more information, see About Blocked Ports on page 936.
You can also block port space probes: TCP or UDP traffic that is sent by a host to a range of ports to
find information about networks and their hosts. For more information, see About Port Space and
Address Space Probes on page 924.
2 Introduction to Fireware XTM
About Fireware XTM
Fireware XTM gives you an easy and efficient way to view, manage, and monitor each XTM device in
your network. The Fireware XTM solution includes four software applications:
- WatchGuard System Manager (WSM)
- Fireware XTM Web UI
- Fireware XTM Command Line Interface (CLI)
- WatchGuard Server Center
You can use one or more of the Fireware XTM applications to configure your network for your
organization. For example, if you have only one XTM 2 Series device, you can perform most
configuration tasks with Fireware XTM Web UI or Fireware XTM Command Line Interface. However,
for more advanced logging and reporting features, you must use WatchGuard Server Center. If you
manage more than one XTM device, or if you have purchased Fireware XTM with a Pro upgrade, we
recommend that you use WatchGuard System Manager (WSM). If you choose to manage and monitor
your configuration with Fireware XTM Web UI, there are some features that you cannot configure.
For more information about these limitations, see the Fireware XTM Web UI Help at
http://www.watchguard.com/help/docs/webui/11_XTM/en-US/index.html.
For more information on how to connect to your XTM device with Fireware XTM Web UI or Fireware
XTM Command Line Interface, see the Help or User Guide for those products. You can view and
download the most current documentation for these products on the Fireware XTM Product
Documentation page at http://www.watchguard.com/help/documentation/xtm.asp.
Fireware XTM Components
To start WatchGuard System Manager or WatchGuard Server Center from your Windows desktop,
select the shortcut from the Start Menu. You can also start WatchGuard Server Center from an icon in
the System Tray. From these applications, you can launch other tools that help you manage your
network. For example, from WatchGuard System Manager (WSM), you can launch Policy Manager or
HostWatch.
WatchGuard System Manager
WatchGuard System Manager (WSM) is the primary application for network management with your
XTM device. You can use WSM to manage many different XTM devices, even those that use different
software versions. WSM includes a comprehensive suite of tools to help you monitor and control
network traffic.
Policy Manager
You can use Policy Manager to configure your firewall. Policy Manager includes a full set of preconfigured packet filters, proxy policies, and application layer gateways (ALGs). You can also
make a custom packet filter, proxy policy, or ALG in which you set the ports, protocols, and
other options. Other features of Policy Manager help you to stop network intrusion attempts,
such as SYN Flood attacks, spoofing attacks, and port or address space probes.
For more information, see About Policy Manager on page 704.
Firebox System Manager (FSM)
Firebox System Manager gives you one interface to monitor all components of your XTM
device. From FSM, you can see the real-time status of your XTM device and its configuration.
For more information, see About Firebox System Manager (FSM) on page 1309.
HostWatch
HostWatch is a real-time connection monitor that shows network traffic between different XTM
device interfaces. HostWatch also shows information about users, connections, ports, and
services.
For more information, see About HostWatch on page 1371.
Log Manager
Log Manager is the WatchGuard WebCenter tool you use to see log file data collected from your
WatchGuard servers and your XTM devices.
For more information, see About Logging, Log Files, and Notification on page 1161.
Report Manager
Report Manager is the WatchGuard WebCenter tool you use to see Available Reports and to
generate On-Demand reports of the data collected from your Log Servers for all your XTM
devices.
For more information, see View Reports in Report Manager on page 1296.
CA Manager
The Certificate Authority (CA) Manager shows a complete list of security certificates installed
on your management computer with Fireware XTM. You can use this application to import,
configure, and generate certificates for use with VPN tunnels and other authentication
purposes.
WatchGuard Server Center
WatchGuard Server Center is the application where you configure and monitor all your WatchGuard
servers.
For more information about WatchGuard Server Center, see Set Up WatchGuard Servers on page 944.
Management Server
The Management Server operates on a Windows computer. With this server, you can manage
all firewall devices and create virtual private network (VPN) tunnels using a simple drag-and-drop function. The basic functions of the Management Server are:
- Certificate authority to distribute certificates for Internet Protocol Security (IPSec) tunnels
- VPN tunnel configuration management
- Management for multiple XTM devices
For more information on the Management Server, see About the WatchGuard Management
Server on page 957.
Log Server
The Log Server collects log messages from each XTM device. These log messages are
encrypted when they are sent to the Log Server. The log message format is XML (plain text).
The information collected from firewall devices includes these log messages: traffic, event,
alarm, debug (diagnostic), and statistic.
For more information, see Set Up Your Log Server on page 1170.
Report Server
The Report Server periodically consolidates data collected by your Log Servers from your XTM
devices, and then periodically generates reports. Once the data is on the Report Server, you
can use Report Manager to generate and see reports.
For more information about reports and the Report Server, see About the Report Server on page
1213.
Quarantine Server
The Quarantine Server collects and isolates email messages that spamBlocker suspects to be
email spam, or emails that are suspected to have a virus.
For more information, see About the Quarantine Server on page 2025.
WebBlocker Server
The WebBlocker Server operates with the XTM device HTTP proxy to deny user access to
specified categories of web sites. When you configure your XTM device, you specify the
categories of web sites to allow or block.
For more information on WebBlocker and the WebBlocker Server, see About WebBlocker on
page 1807.
Fireware XTM Web UI and Command Line Interface
Fireware XTM Web UI and the Command Line Interface are alternative management solutions that can
perform most of the same tasks as WatchGuard System Manager and Policy Manager. Some
advanced configuration options and features are not available in Fireware XTM Web UI or the
Command Line Interface.
Fireware XTM with a Pro Upgrade
The Pro upgrade to Fireware XTM provides several advanced features for experienced customers,
such as server load balancing and additional SSL VPN tunnels. The features available with a Pro
upgrade depend on the type and model of your XTM device.
The Fireware Pro upgrade is not available for Firebox T10 devices.
If you have an XTM 330, 5 Series (models 515, 525, 535, 545), 8 Series, 1050, 1520, 2050, or 2520
device, your device has Fireware XTM with a Pro upgrade by default. If you have an XTM 2 Series or 5
Series (models 505, 510, 520, 530) device, you can purchase Fireware XTM with a Pro upgrade for
your device.
Feature availability by device model. The columns of the table are:
n Feature
n XTM 2 Series (Pro) (1)
n XTM 3 Series and 330 (Pro) (1)
n XTM 5 Series (Pro) (1)
n XTM 8 Series, 800 Series, 1050, 1500 Series, 2050, and 2500 Series, XTMv (Pro)
The features compared in the table are:
n FireCluster (see notes 2 and 3)
n Maximum VLANs
n Dynamic Routing (OSPF and BGP)
n Policy-Based Routing
n Server Load Balancing
n Maximum SSL VPN Tunnels
n Multi-WAN Failover
n Multi-WAN Load Balancing
1 To purchase Fireware XTM with a Pro upgrade for an XTM 2 or 5 Series device, contact your local reseller.
2 The FireCluster feature is available for XTM 25 and XTM 26 (active/passive only for wireless models).
3 For more information about which XTM device models you can use in a FireCluster, see Supported XTM Models for FireCluster on page 513.
Fireware XTM OS Version Compatibility
This Help system describes the features available to users of WatchGuard System Manager v11.9 and
Fireware XTM OS v11.9. Though WatchGuard System Manager v11.9 can seamlessly manage
devices that run older versions of Fireware XTM OS, some features that are described in this Help
system might not be available if your XTM device runs a version of Fireware XTM OS older than v11.7.
If you have a WatchGuard XTM 21, 22, or 23 device, your device cannot run Fireware XTM OS v11.7
and later.
If you have a Firebox X e-Series device, your device cannot run Fireware XTM OS v11.4 and later.
Many features in this Help system might not be available for your device. For instructions to manage
your e-Series device, see the Fireware XTM WatchGuard System Manager v11.3.x Help at
http://www.watchguard.com/help/docs/wsm/11/en-US/index.html.
Fireware XTM on an XTMv Device
A WatchGuard XTMv device runs as a virtual machine in a VMware ESXi or Microsoft Hyper-V
environment. It does not run on WatchGuard XTM device hardware. You can use Fireware XTM Web
UI, WatchGuard System Manager, and Fireware XTM Command Line Interface (CLI) to configure and
monitor your WatchGuard XTMv device. Though you can use any of these programs to change an
XTMv device configuration file, there are several Fireware XTM features you cannot use on a
WatchGuard XTMv device.
XTMv Device Limitations
These features are not supported on WatchGuard XTMv devices:
n Active/active FireCluster in an ESXi environment
n FireCluster in a Hyper-V environment
n Bridge mode network configuration
n Hardware diagnostics — The CLI diagnose hardware command
n Connect a USB drive to automatically create a support snapshot
n Connect a USB drive to automatically restore a saved backup image
n Use the device front panel buttons to start the device in safe mode or recovery mode
You can use the CLI command restore factory-default to start the device with factory default settings.
n Features that require the switch be configured in promiscuous mode are not supported for XTMv on Hyper-V
For information about CLI commands, see the Fireware XTM Command Line Interface Reference on
the XTM Documentation page at http://www.watchguard.com/help/documentation/xtm.asp.
Virtual Switch Configuration
To work correctly, some Fireware XTM networking features require that you configure the virtual
switch on your network in promiscuous mode. These features are:
n Drop-in mode network configuration
n Network bridge
n Mobile VPN with SSL with the Bridged VPN Traffic setting
To use these features on an XTMv device in an ESXi environment, configure the vSwitch to operate in
promiscuous mode.
Virtual switches in Microsoft Hyper-V do not support promiscuous mode, so these features are not
supported in a Hyper-V environment.
To use multiple VLANs on a single interface on an XTMv device in an ESXi environment, configure the
VSwitch for the XTMv VLAN interface to use VLAN ID 4095 (All).
FireCluster vSwitch Configuration
There are additional switch requirements for an active/passive FireCluster in an ESXi environment:
n Configure the vSwitch that connects to the FireCluster management interface to operate in promiscuous mode
n Configure any vSwitch that connects to a FireCluster external interface to accept MAC address changes
For detailed steps to set up two XTMv devices as a FireCluster, see the WatchGuard XTMv Setup
Guide available on the XTM Documentation page at
http://www.watchguard.com/help/documentation/xtm.asp.
Hyper-V Virtual Adapter Configuration
Hyper-V supports two types of virtual adapters:
n Network adapters (Hyper-V supports a maximum of 8)
n Legacy network adapters (Hyper-V supports a maximum of 4)
Though all XTMv editions support a maximum of 10 interfaces, the maximum number of interfaces you
can configure for an XTMv virtual machine in a Hyper-V environment is eight, because that is the
maximum number of network adapters Hyper-V supports. XTMv does not support the use of legacy
network adapters.
XTMv Device Installation
You must deploy the XTMv device in the ESXi or Hyper-V environment before you can configure the
XTMv virtual machine.
For detailed steps to set up an XTMv device, see the WatchGuard XTMv Setup Guide available on
the XTM Documentation page at http://www.watchguard.com/help/documentation/xtm.asp.
FIPS Support in Fireware XTM
The Federal Information Processing Standards Publication 140-2, Security Requirements for
Cryptographic Modules (FIPS 140-2), describes the United States Federal Government requirements
for cryptographic modules.
WatchGuard XTM devices are designed to meet the overall requirements for FIPS 140-2 Level 2 security,
when configured in a FIPS-compliant manner.
About FIPS Mode
You must use the Command Line Interface (CLI) to enable FIPS mode on an XTM device. When the
XTM device operates in FIPS mode, each time the device is powered on, it runs a set of self-tests
required by the FIPS 140-2 specification. If any of the tests fail, the XTM device writes a message to
the log file and shuts down.
For more information about the CLI commands, see the Command Line Interface Reference at
http://www.watchguard.com/help/documentation.
If you start the device in safe mode or recovery mode, the device does not operate in FIPS mode.
FIPS Mode Operation and Constraints
The XTM device does not operate in FIPS mode by default.
To use your XTM device in FIPS mode:
n Type the CLI command fips enable to enable FIPS mode operation.
n Configure the Admin and Status administrative accounts to use passwords with a minimum of 8 characters.
n When you configure VPN tunnels, you must choose only FIPS-approved authentication and encryption algorithms (SHA-1, SHA-256, SHA-512, 3DES, AES-128, AES-192, AES-256).
n When you configure VPN tunnels, you must choose Diffie-Hellman Group 2 or Group 5 for IKE Phase 1 negotiation. Use a minimum of 1024-bits for all RSA keys.
n Do not use a certificate that uses MD5, or any certificate that does not meet the requirements of the FIPS 140-2 standard.
n Do not configure FireCluster for high availability.
n Do not use Mobile VPN with PPTP.
n Do not use PPPoE.
n Do not use WatchGuard System Manager to manage the XTM device.
n For access to Fireware XTM Web UI, the web browser must be configured to use only TLS 1.0 and FIPS approved cipher suites.
n For network access to the CLI, telnet and SSH clients must use SSH V2.0 protocol.
To determine if the XTM device has FIPS mode enabled, type the CLI command show fips.
When you use an XTM device in FIPS mode, your use of the device is subject to these limitations. We
recommend that you consider your requirements carefully before you decide to operate your
XTM device in FIPS mode. In some environments you could be required to use a FIPS-compliant
device, but you might not have to configure the device in a FIPS-compliant manner.
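As an added example (not WatchGuard code or a device CLI command), the following Python check tests a proposed device configuration against the FIPS mode constraints listed above before you enable FIPS mode; the configuration dictionary layout and its key names are assumptions, while the algorithm names, DH groups, RSA key length and password length are the values the guide states.

```python
# Added example, not WatchGuard code: a pre-flight check of an XTM device
# configuration against the FIPS mode constraints listed in the guide.
# The configuration dictionary layout and its key names are assumptions;
# the algorithm names, DH groups, RSA key length and password length are
# the values the guide states.

# FIPS-approved VPN authentication and encryption algorithms (from the guide).
FIPS_AUTH_ALGORITHMS = {"SHA-1", "SHA-256", "SHA-512"}
FIPS_ENCRYPTION_ALGORITHMS = {"3DES", "AES-128", "AES-192", "AES-256"}
FIPS_IKE_PHASE1_DH_GROUPS = {2, 5}   # Diffie-Hellman groups allowed for IKE Phase 1
MIN_RSA_KEY_BITS = 1024              # minimum size for all RSA keys
MIN_ADMIN_PASSWORD_LENGTH = 8        # Admin and Status account passwords
# Features the guide says must not be used in FIPS mode (key names hypothetical).
DISALLOWED_FEATURES = {
    "firecluster": "FireCluster high availability",
    "mobile_vpn_pptp": "Mobile VPN with PPTP",
    "pppoe": "PPPoE",
}


def _norm(name):
    """Normalise an algorithm name so 'aes256', 'AES_256' and 'AES-256' match."""
    return str(name).upper().replace("-", "").replace("_", "").replace(" ", "")


_FIPS_AUTH = {_norm(a) for a in FIPS_AUTH_ALGORITHMS}
_FIPS_ENC = {_norm(a) for a in FIPS_ENCRYPTION_ALGORITHMS}


def check_admin_passwords(passwords):
    """passwords: mapping of built-in account ('admin', 'status') to its password."""
    problems = []
    for account in ("admin", "status"):
        if len(passwords.get(account, "")) < MIN_ADMIN_PASSWORD_LENGTH:
            problems.append(f"{account} password is shorter than "
                            f"{MIN_ADMIN_PASSWORD_LENGTH} characters")
    return problems


def check_vpn_tunnel(tunnel):
    """tunnel: dict with 'name', 'auth', 'encryption', 'dh_group', 'rsa_key_bits'."""
    name = tunnel.get("name", "?")
    problems = []
    if _norm(tunnel.get("auth", "")) not in _FIPS_AUTH:
        problems.append(f"tunnel {name}: authentication algorithm "
                        f"{tunnel.get('auth')!r} is not FIPS-approved")
    if _norm(tunnel.get("encryption", "")) not in _FIPS_ENC:
        problems.append(f"tunnel {name}: encryption algorithm "
                        f"{tunnel.get('encryption')!r} is not FIPS-approved")
    if tunnel.get("dh_group") not in FIPS_IKE_PHASE1_DH_GROUPS:
        problems.append(f"tunnel {name}: IKE Phase 1 must use DH Group 2 or 5, "
                        f"not {tunnel.get('dh_group')!r}")
    if tunnel.get("rsa_key_bits", 0) < MIN_RSA_KEY_BITS:
        problems.append(f"tunnel {name}: RSA key must be at least {MIN_RSA_KEY_BITS} bits")
    return problems


def check_certificate(cert):
    """cert: dict with 'name', 'signature_algorithm' and 'rsa_key_bits'."""
    name = cert.get("name", "?")
    problems = []
    if "MD5" in _norm(cert.get("signature_algorithm", "")):
        problems.append(f"certificate {name}: MD5 signatures are not permitted")
    if cert.get("rsa_key_bits", 0) < MIN_RSA_KEY_BITS:
        problems.append(f"certificate {name}: RSA key must be at least {MIN_RSA_KEY_BITS} bits")
    return problems


def check_fips_config(config):
    """Return every violation found; an empty list means the configuration
    satisfies the constraints this check covers."""
    problems = check_admin_passwords(config.get("passwords", {}))
    for tunnel in config.get("vpn_tunnels", []):
        problems += check_vpn_tunnel(tunnel)
    for cert in config.get("certificates", []):
        problems += check_certificate(cert)
    for key, label in DISALLOWED_FEATURES.items():
        if config.get("features", {}).get(key):
            problems.append(f"{label} is enabled; do not use it in FIPS mode")
    return problems


# Constructed sample configurations (not real device exports).
COMPLIANT_CONFIG = {
    "passwords": {"admin": "Str0ngAdminPass!", "status": "Status-R3ad0nly"},
    "vpn_tunnels": [{"name": "branch-a", "auth": "SHA-256",
                     "encryption": "AES-256", "dh_group": 5, "rsa_key_bits": 2048}],
    "certificates": [{"name": "vpn-gw", "signature_algorithm": "sha256WithRSAEncryption",
                      "rsa_key_bits": 2048}],
    "features": {"firecluster": False, "mobile_vpn_pptp": False, "pppoe": False},
}
NONCOMPLIANT_CONFIG = {
    "passwords": {"admin": "short1", "status": "readonlypw"},
    "vpn_tunnels": [{"name": "legacy", "auth": "MD5", "encryption": "DES",
                     "dh_group": 14, "rsa_key_bits": 512}],
    "certificates": [{"name": "old-ca", "signature_algorithm": "md5WithRSAEncryption",
                      "rsa_key_bits": 2048}],
    "features": {"firecluster": False, "mobile_vpn_pptp": True, "pppoe": False},
}

if __name__ == "__main__":
    for label, cfg in (("compliant", COMPLIANT_CONFIG), ("non-compliant", NONCOMPLIANT_CONFIG)):
        print(label, check_fips_config(cfg) or "no violations")
```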
3
Service and Support
About WatchGuard Support
WatchGuard® knows just how important support is when you must secure your network with limited
resources. Our customers require greater knowledge and assistance in a world where security is
critical. LiveSecurity® Service gives you the backup you need, with a subscription that supports you
as soon as you register your XTM device.
LiveSecurity Service
Your XTM device includes a subscription to our ground-breaking LiveSecurity Service, which
automatically activates when you activate your product. As soon as you activate, your LiveSecurity
Service subscription gives you access to a support and maintenance program unmatched in the
industry.
LiveSecurity Service comes with the following benefits:
Hardware Warranty with Advance Hardware Replacement
An active LiveSecurity subscription extends the one-year hardware warranty that is included
with each XTM device. Your subscription also provides advance hardware replacement to
minimize downtime in case of a hardware failure. If you experience a hardware failure, and a
certified WatchGuard technician approves your RMA, WatchGuard will ship a replacement unit
to you before you have to send back the original hardware.
Software Updates
Your LiveSecurity Service subscription gives you access to updates to current software and
functional enhancements for your WatchGuard products.
Technical Support
When you need assistance, our expert teams are ready to help:
n For LiveSecurity subscriptions, representatives are available from 6am - 6pm Monday through Friday in your local time zone.
n For LiveSecurity Plus subscriptions, representatives are available 24/7, 365 days a year.
n Online user forums are moderated by senior support engineers.
Support Resources and Alerts
Your LiveSecurity Service subscription gives you access to a variety of professionally produced
instructional videos, interactive online training courses, and online tools specifically designed to
answer questions you may have about network security in general or the technical aspects of
installation, configuration, and maintenance of your WatchGuard products.
Our Rapid Response Team, a dedicated group of network security experts, monitors the
Internet to identify emerging threats. They then deliver LiveSecurity Broadcasts to tell you
specifically what you can do to address each new menace. You can customize your alert
preferences to fine-tune the kind of advice and alerts the LiveSecurity Service sends you.
LiveSecurity Service Gold
LiveSecurity Service Gold is available for companies that require 24-hour availability. This premium
support service gives expanded hours of coverage and faster response times for around-the-clock
remote support assistance. You can purchase LiveSecurity Service Gold for an individual device or as
an account level subscription.
Service Expiration
To secure your organization, we recommend that you keep your LiveSecurity subscription active.
When your subscription expires, you lose up-to-the-minute security warnings and regular software
updates. This loss can put your network at risk. Damage to your network is much more expensive than
a LiveSecurity Service subscription renewal. If you renew within 30 days, there is no reinstatement
fee.
4
Getting Started
Before You Begin
Before you begin the installation process, make sure you complete the tasks described in the
subsequent sections.
In these installation instructions, we assume your XTM device has one trusted, one
external, and one optional interface configured. To configure additional interfaces on
your device, use the configuration tools and procedures described in the Network
Setup and Configuration topics.
Verify Basic Components
Make sure that you have these items:
n A computer with a 10/100BaseT Ethernet network interface card and a web browser installed
n A WatchGuard XTM device
n A serial cable (blue)
n One crossover Ethernet cable (red)
n One straight Ethernet cable (green)
n Power cable or AC power adapter
Get an XTM Device Feature Key
To enable all of the features on your XTM device, you must register the device on the WatchGuard web
site and get your feature key. If you register your XTM device before you use the Quick Setup Wizard,
you can paste a copy of your feature key in the wizard. The wizard then applies it to your device. If you
do not paste your feature key into the wizard, you can still finish the wizard. Until you add your feature
key, the XTM device allows only one connection to an external network, such as the Internet.
You also get a new feature key to enable optional products or services when you purchase them. After
you register your XTM device or any new feature, you can synchronize your XTM device feature key
with the feature keys kept in your registration profile on the WatchGuard web site. You can use
WatchGuard System Manager (WSM) at any time to get your feature key.
To learn how to activate your XTM device and get a feature key, see Get a Feature Key for Your
XTM Device on page 89.
Gather Network Addresses
We recommend that you record your network information before and after you configure your XTM
device. Use the first table below for your network IP addresses before you put the device into
operation.
WatchGuard uses slash notation to show the subnet mask. For more information, see About Slash
Notation on page 5. For more information on IP addresses, see About IP Addresses on page 3.
Table 1: Network IP addresses without the XTM device
Wide Area Network: _____._____._____._____ / ____
Default Gateway: _____._____._____._____
Local Area Network: _____._____._____._____ / ____
Secondary Network (if applicable): _____._____._____._____ / ____
Public Server(s) (if applicable): _____._____._____._____
_____._____._____._____
_____._____._____._____
Use the second table for your network IP addresses after you put the XTM device into operation.
External interface
Connects to the external network (typically the Internet) that is not trusted.
Trusted interface
Connects to the private LAN (local area network) or internal network that you want to protect.
Optional interface(s)
Usually connects to a mixed trust area of your network, such as servers in a DMZ (demilitarized
zone). You can use optional interfaces to create zones in the network with different levels of
access.
Table 2: Network IP addresses with the XTM device
Default Gateway: _____._____._____._____
External Interface: _____._____._____._____ / ____
Trusted Interface: _____._____._____._____ / ____
Optional Interface: _____._____._____._____ / ____
Secondary Network (if applicable): _____._____._____._____ / ____
Select a Firewall Configuration Mode
You must decide how you want to connect the XTM device to your network before you run the Quick
Setup Wizard. The way you connect the device controls the interface configuration. When you connect
the device, you select the configuration mode—routed or drop-in—that is best suited to your current
network.
Many networks operate best with mixed routing configuration, but we recommend the drop-in mode if:
n You have already assigned a large number of static IP addresses and do not want to change your network configuration.
n You cannot configure the computers on your trusted and optional networks that have public IP addresses with private IP addresses.
This table and the descriptions below the table show three conditions that can help you to select a
firewall configuration mode.
Interface networks
Mixed Routing Mode: All of the XTM device interfaces are on different networks.
Drop-in Mode: All of the XTM device interfaces are on the same network and have the same IP address.
Interface IP addresses
Mixed Routing Mode: Trusted and optional interfaces must be on different networks. Each interface has an IP address on its network.
Drop-in Mode: The computers on the trusted or optional interfaces can have a public IP address.
NAT
Mixed Routing Mode: Use static NAT (network address translation) to map public addresses to private addresses behind the trusted or optional interfaces.
Drop-in Mode: NAT is not necessary because the computers that have public access have public IP addresses.
For more information about drop-in mode, see Drop-In Mode on page 196.
For more information about mixed routing mode, see Mixed Routing Mode on page 163.
The XTM device also supports a third configuration mode called bridge mode. This mode is less
commonly used. For more information about bridge mode, see Bridge Mode on page 203.
You can use the Web Setup Wizard or the WSM Quick Setup Wizard to create your
initial configuration. When you run the Web Setup Wizard, the firewall configuration is
automatically set to mixed routing mode. When you run the WSM Quick Setup
Wizard, you can configure the device in mixed routing mode or drop-in mode.
Decide Where to Install Server Software
When you run the WatchGuard System Manager Installer, you can install WatchGuard System
Manager and the WatchGuard servers on the same computer. You can also use the same installation
procedure to install the WatchGuard servers on different computers. This helps to distribute the server
load and supply redundancy. To ensure the Management Server operates correctly, you must install it
on a computer that also has WSM installed. To decide where to install server software, you must examine
the capacity of your management computer and select the installation method that matches your
environment.
If you install server software on a computer with an active desktop firewall other than Windows
Firewall, you must open the ports necessary for the servers to connect through the firewall. Windows
Firewall users do not have to change their desktop firewall configuration because the installation
program opens the necessary ports through Windows Firewall automatically.
For more information, see Install WatchGuard Servers on Computers with Desktop Firewalls on page 44.
To start the installation process, Install WatchGuard System Manager Software.
Install WatchGuard System Manager Software
You install WatchGuard System Manager (WSM) software on a computer that you designate as the
management computer. You can use the WSM tools on the management computer to manage your
XTM device and get access to information such as connection and tunnel status, statistics on traffic,
and log messages.
Select one Windows-based computer on your network as the management computer and install the
WSM management software. To install the WatchGuard System Manager software, you must have
administrative privileges on the management computer. After installation, you can use the WSM client
application and tools with Windows Power User privileges, but you must have administrative privileges
to use WatchGuard Server Center and manage your WatchGuard servers.
For more information about WatchGuard servers, see About WatchGuard Servers on page 941.
You can install more than one version of WatchGuard System Manager on the same management
computer, as long as the versions of WSM are not in the same major release version. For example, you
can install both WSM v10.2 and WSM v11.8, but not WSM v11.7.4 and WSM v11.8. You can install
only one version of server software on a computer at a time. For example, you cannot have two
Management Servers on the same computer.
If you install WatchGuard System Manager behind your firewall, to use WatchGuard WebCenter, you
must have the WG-LogViewer-ReportMgr packet filter policy in your XTM device configuration to
open the correct ports.
For more information about how to add a policy to your configuration, see Add Policies to Your
Configuration on page 714.
Back up Your Previous Configuration
If you have a previous version of WatchGuard System Manager, make a backup of your security policy
configuration file before you install a new version. For instructions to make a backup of your
configuration file, see Make a Backup of the XTM Device Image on page 60.
Download WatchGuard System Manager
You can download the most current WatchGuard System Manager software at any time from the
WatchGuard Portal. If you are a new user, before you can download the WSM software, you must
create a user profile and activate your product at the WatchGuard Portal.
If you install one of the WatchGuard servers on a computer with a personal firewall
other than the Microsoft Windows firewall, you must open the ports for the servers to
connect through the firewall. To allow connections to the WebBlocker Server, open
UDP port 5003. It is not necessary to change your configuration if you use the
Microsoft Windows firewall. For more information, see Install WatchGuard Servers
on Computers with Desktop Firewalls on page 44.
Before you begin, make sure you have the correct license keys for the software components you want
to install.
To install the WatchGuard System Manager and WatchGuard servers:
1. On the management computer, download the latest version of WatchGuard System Manager
(WSM) software.
2. Run the WatchGuard System Manager Installer and follow the instructions on each page of the
installer.
3. On the Select Components page, select the software components or upgrades to install.
Make sure you select the check boxes for only the components you want to install.
To install the localized versions of WSM, select the check box for each language you want to
install.
4. Complete the installer.
After your Management Server is installed, you can use it to manage your Firebox or XTM devices.
Before you add devices to your Management Server, make sure they are set up and configured
correctly. To set up each device, you must run the Quick Setup Wizard either from the web or as a
Windows application.
n For instructions to run the wizard from the web, see Run the Web Setup Wizard on page 32.
n For instructions to run the wizard as a Windows application, see Run the WSM Quick Setup
Wizard on page 37.
About the Quick Setup Wizard
You can use the Quick Setup Wizard to create a basic configuration for your XTM device. The device
uses this basic configuration file when it starts for the first time. This enables it to operate as a basic
firewall. You can use this same procedure at any time to reset the device to a new basic configuration.
This is helpful for system recovery.
When you configure your XTM device with the Quick Setup Wizard, you set only the basic policies
(TCP and UDP outgoing, FTP packet filter, ping, and WatchGuard) and interface IP addresses. If you
have more software applications and network traffic for the device to examine, you must:
n Configure the policies on the XTM device to let the necessary traffic through
n Set the approved hosts and properties for each policy
n Balance the requirement to protect your network against the requirements of your users to connect to external resources
You can run the Quick Setup Wizard from a web browser or as a Windows application.
For instructions to run the wizard from a web browser, see Run the Web Setup Wizard on page 32.
For instructions to run the wizard as a Windows application, see Run the WSM Quick Setup Wizard on
page 37.
Run the Web Setup Wizard
You can use the Web Setup Wizard to set up a basic configuration on any WatchGuard Firebox or XTM
device. The Web Setup Wizard automatically configures the XTM device for mixed routing mode.
For a video demonstration of the Web Setup Wizard, see the Web Setup Wizard
video tutorial (30 minutes).
To use the Web Setup Wizard, you must make a direct network connection to the Firebox or XTM
device and use a web browser to start the wizard. When you connect to the device, it uses DHCP to
send a new IP address to your management computer.
Before you start the Web Setup Wizard, make sure you:
n Activate your device on the WatchGuard web site
n Save a copy of your XTM device feature key in a text file on your management computer
Start the Web Setup Wizard
1. Connect your computer to interface number 1 of your XTM device with an Ethernet cable. This
is the trusted interface.
2. Use the green Ethernet cable that ships with your device (or any Ethernet cable) to connect
interface 0 to a router or network that provides Internet access. This is the external interface.
The external interface automatically uses DHCP to request an IP address on the network it
connects to.
3. Connect the power cord to the XTM device power input and to a power source.
4. Start the XTM device in factory default mode. This is also known as safe mode. A new device
automatically starts in this mode.
For more information, see Reset a Device on page 78.
5. Make sure your management computer is configured to accept a DHCP-assigned IP address.
If your management computer uses Windows 7:
n In the Windows Start menu, select Control Panel > Network and Internet > Network and Sharing > Change Adapter Settings > Local Area Connection.
n Click Properties.
n Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.
n Make sure Obtain an IP Address Automatically is selected.
6. If your browser uses an HTTP proxy server, you must temporarily disable the HTTP proxy
setting in your browser.
For more information, see Disable the HTTP Proxy in the Browser on page 49.
7. Open a web browser and type https://10.0.1.1:8080 to connect to the device.
This opens a secure HTTP connection between your management computer and the XTM
device.
The Web Setup Wizard starts automatically.
8. Log in with the default administrator account credentials:
Username: admin
Passphrase: readwrite
9. Complete the subsequent screens of the wizard.
The Web Setup Wizard includes the steps to set up the device with a basic configuration. Click
More Information on any wizard page to see more information about how to complete the
current step.
If you leave the Web Setup Wizard idle for 15 minutes or more, you must go back to
Step 3 and start again.
The Web Setup Wizard helps you to complete these steps:
Select a configuration type
Select whether to create a new configuration or restore a configuration from a saved
backup image.
License agreement
Accept the End-User License Agreement.
Configure the External Interface
Select and configure the method you want your device to use to set an external IP address.
The choices are:
n DHCP — Type the DHCP identification as supplied by your ISP.
n PPPoE — Type the PPPoE information as supplied by your ISP.
n Static — Type the static IP address and gateway IP address, as supplied by your ISP.
For more information about these methods, see Configure an External Interface.
Configure the DNS and WINS Servers (Optional)
Configure the Domain DNS and WINS server addresses you want the XTM device to use.
Configure the Trusted Interface
Type the IP address of the trusted interface. (Optional) If you want the XTM device to
assign IP addresses to computers that connect to the trusted network, you can enable the
DHCP server and assign a range of IP addresses on the same subnet as the interface
IP address.
Create passphrases for your device
Set new passphrases for the status (read only) and admin (read/write) built-in user
accounts.
Enable remote management (Optional)
Enable remote management if you want to manage this device from the external interface.
Add contact information for your device
You can type a device name, location, and contact information to save management
information for this device. By default, the device name is set to the model number of your
device. We recommend that you choose a unique name that you can use to easily identify
this device, especially if you use remote management. The location and contact
information are optional.
Set the Time Zone
Select the time zone where the XTM device is located.
Retrieve Feature Key, Apply Feature Key, Feature key options
The wizard can use one of three methods to apply a feature key to your device:
Automatic Activation — If the device already has a feature key, or if the device has been
previously activated, the wizard automatically retrieves the device feature key from the
WatchGuard web site. If automatic activation is successful, the wizard does not show a
page for the activation step.
Online Activation — If the device has not yet been activated, you can use Online
Activation in the wizard to activate the device in your account on the WatchGuard web site.
The device then automatically retrieves and applies the feature key to the device. To use
Online Activation, your device must have a connection to the Internet.
Manual Activation — If you previously activated your device and have a copy of the
feature key on your computer, you can choose to skip online activation, and instead paste
the text of the feature key into the wizard.
If the XTM device does not have an Internet connection when you run the wizard, you can
also choose to skip activation entirely and apply the feature key later. For more information
about how to apply the feature key outside the wizard, see Get a Feature Key for Your
XTM Device.
Device functionality is limited until you apply a feature key. Without a feature key, the
device allows only one user to access the Internet.
Completion
After you review and apply your configuration settings, the XTM device saves the
configuration to the device.
After the Wizard Finishes
After you complete the wizard, the device is set up with a basic configuration that allows outbound
TCP, UDP, and ping traffic, and blocks all unrequested traffic from the external network. You can log
in to the Fireware XTM Web UI using the user name admin and the configuration passphrase you set
in the Wizard.
If you change the IP address of the trusted interface, you must change your network
settings to make sure your IP address matches the subnet of the trusted network
before you connect to the device. If you use DHCP, restart your computer. Or you
can use the ipconfig/release and ipconfig/renew commands on your computer to
force it to request a new IP address.
You can use Policy Manager to expand or change the configuration for your device.
- For information about how to complete the installation of your device after the Web Setup Wizard is finished, see Complete Your Installation on page 39.
- For information about how to start WatchGuard System Manager, see Start WatchGuard System Manager on page 40.
If You Have Problems with the Wizard
If you leave the Web Setup Wizard idle for 15 minutes or more, the wizard times out, and you must use
the same steps to log in and start it again.
For other problems with the wizard, it can help to clear the browser cache before you try again. To clear
the cache in Internet Explorer, select Tools > Internet Options > Delete > History.
Run the WSM Quick Setup Wizard
The Quick Setup Wizard runs as a Windows application to help you make a basic configuration file.
This basic configuration file allows your device to operate as a basic firewall when you start it for the
first time. After you run the Quick Setup Wizard, you can use Policy Manager to expand or change the
configuration.
The Quick Setup Wizard uses a device discovery procedure to find the XTM device model you want to
configure. This procedure uses UDP multicast. Software firewalls (for example, the firewall in
Microsoft Windows XP SP2) can cause problems with device discovery.
Before You Begin
Before you start the Quick Setup Wizard, make sure you:
- Register your XTM device with LiveSecurity Service.
- Store a copy of your feature key in a text file on your management computer.
- Download WSM and Fireware XTM installation files from the LiveSecurity Service web site to your management computer.
- Install the WSM and Fireware XTM software on your management computer.
- Configure the management computer with a static IP address on the same network as the trusted interface of your device. Or, configure the management computer to accept an IP address assigned with DHCP.
Start the Quick Setup Wizard
1. Use the red, crossover Ethernet cable that ships with your XTM device to connect the
management computer to the trusted interface (interface number 1) of your XTM device.
2. From the Windows Start Menu, select All Programs > WatchGuard System Manager 11.x >
Quick Setup Wizard.
Or, from WatchGuard System Manager, select Tools > Quick Setup Wizard.
The Quick Setup Wizard starts.
3. Complete the wizard to set up your XTM device with a basic configuration. The steps include:
Identify and discover your device
Follow the instructions for device discovery. You might need to select your XTM device
model or reconnect the crossover Ethernet cable. After the wizard discovers the XTM
device, you give it a name that identifies this device in WatchGuard System Manager, log
files, and reports.
Select a setup procedure
Select whether you want to install the Fireware XTM OS and create a new configuration, or
if you want to only create a new configuration for your XTM device.
Add a feature key
Follow the instructions to download the feature key from the LiveSecurity Service web site,
or browse to the location of the feature key file you previously downloaded.
Configure the external interface
You can configure the external interface with a static IP address, or you can configure it to
use an IP address assigned with DHCP or PPPoE. You must also add an IP address for
the default gateway of the XTM device. This is the IP address of your gateway router.
Configure the internal interfaces
Select the IP addresses to use for the trusted and optional interfaces. If you want to
configure the XTM device in drop-in mode, you can also use the external interface IP
address for these interfaces.
For more information about drop-in mode, see Drop-In Mode on page 196.
Set passphrases
You must create two passphrases for connections to the XTM device: a status passphrase
for read-only connections and a configuration passphrase for read-write connections. Both
passphrases must be at least 8 characters long, and they must be different from each
other.
4. Click Finish to close the wizard.
The wizard saves the basic configuration to the XTM device and to a local configuration file.
After the Wizard Finishes
After you complete the wizard, the XTM device restarts. If you changed the IP address of your
management computer to run the Quick Setup Wizard, you might need to change the IP address back
again after you complete the wizard.
After the XTM device restarts, it uses a basic configuration that includes five policies (TCP and UDP
outgoing, FTP packet filter, ping, WatchGuard, and WatchGuard Web UI) and the interface IP
addresses you specified. You can use Policy Manager to change this basic configuration.
- For information about how to complete the installation of your XTM device after the Quick Setup Wizard is finished, see Complete Your Installation on page 39.
- For information about how to start WatchGuard System Manager, see Start WatchGuard System Manager on page 40.
Complete Your Installation
After you are finished with either the Web Setup Wizard or the WSM Quick Setup Wizard, you must
complete the installation of your XTM device on your network.
1. Put the XTM device in its permanent physical location.
2. Make sure the default gateway of the management computer and the rest of the trusted network is the IP
address of the trusted interface of your XTM device.
3. To connect the management computer to your XTM device, open WatchGuard System
Manager and select File > Connect To Device.
You must use the status (read-only) passphrase to connect to the XTM device.
4. If you use a routed configuration, make sure you change the default gateway on all the
computers that connect to your XTM device to match the IP address of the XTM device trusted
interface.
5. Customize your configuration as necessary for the security purposes of your business.
For more information, see the subsequent Customize your security policy section.
6. If you installed one or more WatchGuard servers, see Set Up WatchGuard Servers.
If you installed WatchGuard server software on a computer with an active desktop
firewall other than Windows Firewall, you must open the ports necessary for the
servers to connect through the firewall. Windows Firewall users do not have to
change their configuration. For more information, see Install WatchGuard Servers on
Computers with Desktop Firewalls on page 44.
Customize Your Security Policy
Your security policy controls who can get into and out of your network, and where they can go in your
network. The configuration file of your XTM device manages the security policies.
When you completed the Quick Setup Wizard, the configuration file that you made was only a basic
configuration. You can modify this configuration to align your security policy with the business and
security requirements of your company. You can add packet filter and proxy policies to set what you let
in and out of your network. Each policy can have an effect on your network. The policies that increase
your network security can decrease access to your network. And the policies that increase access to
your network can put the security of your network at risk. For more information on policies, see About
Policies on page 703.
For a new installation, we recommend that you use only packet filter policies until all your systems
operate correctly. As necessary, you can add proxy policies.
About LiveSecurity Service
Your XTM device includes a subscription to LiveSecurity Service. Your subscription:
- Makes sure that you get the newest network protection with the newest software upgrades
- Gives solutions to your problems with full technical support resources
- Prevents service interruptions with messages and configuration help for the newest security problems
- Helps you to find out more about network security through training resources
- Extends your network security with software and other features
- Extends your hardware warranty with advanced replacement
For more information about LiveSecurity Service, see About WatchGuard Support on page 21.
Start WatchGuard System Manager
On the computer where you installed WatchGuard System Manager (WSM):
Select Start > All Programs > WatchGuard System Manager 11.x > WatchGuard System
Manager 11.x.
Replace 11.x in the program path with the current version of WSM you have installed.
WatchGuard System Manager appears.
For information on how to use WatchGuard System Manager (WSM), see About WatchGuard System
Manager on page 989.
Connect to an XTM Device
1. Start WatchGuard System Manager.
2. Click the Connect to Device toolbar icon.
Or, select File > Connect to Device.
Or, right-click anywhere on the WSM Device Status tab and select Connect To > Device.
The Connect to Firebox dialog box appears.
3. In the IP Address or Name text box, type or select the name or IP address of your XTM
device.
On subsequent connections, you can select the XTM device name or IP address from the
IP Address or Name drop-down list.
4. In the User Name and Passphrase text boxes, type the credentials for a Device Monitor (read-only) user account.
You use a Device Monitor user account to monitor traffic and XTM device conditions.
You must use a Device Administrator account when you save the configuration to the
device.
5. From the Authentication Server drop-down list, select the correct authentication server for the
user account you specified.
6. If you use an Active Directory server for authentication, in the Domain text box, type the
domain name of your Active Directory server.
7. (Optional) Change the value in the Timeout text box. This value sets the time (in seconds) that
the management computer listens for data from the XTM device before it sends a message that
shows that it cannot get data from the device.
If you have a slow network or Internet connection to the device, you can increase the timeout
value. If you decrease the value, the time you must wait for a timeout message decreases when you
try to connect to an XTM device that is not available.
8. Click Login.
The XTM device appears in WatchGuard System Manager.
Disconnect from an XTM Device
1. Select the Device Status tab.
2. Select the device.
3. Click the Disconnect toolbar icon.
Or, select File > Disconnect.
Or, right-click and select Disconnect.
Disconnect from all XTM Devices
If you are connected to more than one XTM device, you can disconnect from them all at the same time.
1. Select the Device Status tab.
2. Select File > Disconnect All.
Or, right-click and select Disconnect All.
Start WSM Applications
You can start these tools from WatchGuard System Manager.
Policy Manager
You can use Policy Manager to install, configure, and customize network security policies for your
XTM device.
For more information on Policy Manager, see About Policy Manager on page 704.
To start Policy Manager:
Click the Policy Manager toolbar icon.
Or, select Tools > Policy Manager.
Firebox System Manager
With Firebox System Manager, you can start many different security tools in one easy-to-use
interface. You can also use Firebox System Manager to monitor real-time traffic through the firewall.
For more information on Firebox System Manager, see About Firebox System Manager (FSM) on page
1309.
To start Firebox System Manager:
Click the Firebox System Manager toolbar icon.
Or, select Tools > Firebox System Manager.
HostWatch
HostWatch shows the connections through an XTM device from the trusted network to the external
network, or from and to other interfaces or VLANs you choose. It shows the current connections, or it
can show historical connections from a log file.
For more information on HostWatch, see About HostWatch on page 1371.
To start HostWatch:
Click the HostWatch toolbar icon.
Or, select Tools > HostWatch.
Log Manager
Log Manager is an interactive tool in WatchGuard WebCenter that you can use to see information in
the log message files from your XTM devices and WatchGuard servers. You can view individual log
messages or reports that have been generated from the log messages. You can also generate On-Demand Reports, Per Client Reports, and Custom Time Range Reports.
To start Log Manager from WSM to view log files:
Click the Log Manager toolbar icon.
Or, select Tools > Log Manager.
You can also connect to WatchGuard WebCenter in a web browser to start Log Manager. For more
information about Log Manager, see View Device Log Messages on page 1283 and About WatchGuard
WebCenter on page 1150.
Report Manager
Report Manager is an interactive tool in WatchGuard WebCenter that you can use to see and generate
reports from the log messages from your XTM devices and WatchGuard servers. You can view reports
that have already been generated from the log messages, or you can generate new On-Demand
Reports, Per Client Reports, and Custom Time Range Reports.
To start Report Manager:
Click the Report Manager toolbar icon.
Or, select Tools > Report Manager.
You can also connect to WatchGuard WebCenter in a web browser to start Report Manager. For more
information about Report Manager, see View Reports in Report Manager on page 1296 and About
WatchGuard WebCenter on page 1150.
Quick Setup Wizard
You can use the Quick Setup Wizard to create a basic configuration for your XTM device. The XTM
device uses this basic configuration file when it starts for the first time. This enables the device to
operate as a basic firewall. You can use this same procedure any time you want to reset the XTM
device to a new basic configuration for recovery or other reasons.
For more information on the Quick Setup Wizard, see About the Quick Setup Wizard on page 30.
To start the Quick Setup Wizard:
Click the Quick Setup Wizard toolbar icon.
Or, select Tools > Quick Setup Wizard.
CA Manager
The management computer where the Management Server is installed also operates as a certificate
authority (CA). The CA gives certificates to managed XTM device clients when they contact the
Management Server to receive configuration updates. CA Manager is an interactive tool in
WatchGuard WebCenter that you can use to manage certificates.
Before you can use the Management Server as a CA, you must configure the certificate authority.
To start CA Manager:
Click the CA Manager toolbar icon.
Or, select Tools > CA Manager.
For information about how to set up or change the parameters of the certificate authority, see Configure
the Certificate Authority on the Management Server on page 960.
You can also connect to WatchGuard WebCenter in a web browser to start CA Manager. For more
information about CA Manager, see About WatchGuard WebCenter on page 1150.
Install WSM and Keep an Older Version
You can install the current version of WSM (WatchGuard System Manager) on the same management
computer where you have an older version installed and keep the old version, as long as the versions of
WSM are not in the same major release version. For example, you can install both WSM v10.2 and
WSM v11.8, but not WSM v11.7.4 and WSM v11.8.
You cannot, however, install more than one version of the WatchGuard server software (Management
Server, Log Server, Report Server, Quarantine Server, and WebBlocker Server). For example, you
cannot have two Management Servers on the same computer.
Because you can have only one version of the servers installed, you must either remove the server
software from the older version of WSM or install the new version of WSM without the server software.
We recommend you remove the previous version of the server software before you install the current
WSM version together with the current server software.
For more information about WSM installation, see Install WatchGuard System Manager Software on
page 28.
Install WatchGuard Servers on Computers with
Desktop Firewalls
Desktop firewalls can block the ports necessary for WatchGuard server components to operate.
Before you install the Management Server, Log Server, Report Server, Quarantine Server, or
WebBlocker Server on a computer with an active desktop firewall, you might need to open the
necessary ports on the desktop firewall. Windows Firewall users do not have to change their
configurations because the installation program opens the necessary ports in Windows Firewall
automatically.
This table shows you the ports you must open on a desktop firewall.
Server Type/Appliance Software    Protocol/Port
Management Server                 TCP 4109, TCP 4110, TCP 4112, TCP 4113
Log Server                        TCP 4115
WebBlocker Server                 TCP 5003, UDP 5003
Quarantine Server                 TCP 4119, TCP 4120
Report Server                     TCP 4122
Log Server                        TCP 4121
WatchGuard WebCenter              TCP 4130
Downgrade to an Earlier Version of WSM
To downgrade from your current version of WatchGuard System Manager (WSM) to an earlier version
of WSM, you must uninstall the currently installed version of WSM and then install the earlier WSM
version.
Before you begin, make sure that you have the server and database backup files that you created when
the earlier WSM version was installed on your management computer. You must also have the
Administrator passphrase and the Log Server encryption key for the earlier Management Server and
Log Server database files.
Step 1 — Uninstall the Current WSM Version
To uninstall WSM:
1. Navigate to the Windows Uninstall or change a program page.
2. From the program list, select WatchGuard System Manager and click Uninstall.
The WatchGuard System Manager uninstaller starts.
3. Click Next to run the uninstaller.
4. On the Uninstall message that asks if you want to delete the server database and configuration
files, click Yes.
5. Complete the uninstaller.
Step 2 — Restore the Earlier WSM Version Server and Database
Files
After the current WatchGuard System Manager version server database and configuration files are
deleted, you must restore the server database and configuration files that you backed up before you
upgraded WSM.
On the management computer, copy the files to the appropriate location for each server you want to
install. You do not have to copy the files for the Management Server. Instead, follow the instructions
referenced in Step 3 to restore the Management Server configuration.
For more information about database and configuration file locations for the other WatchGuard servers,
see:
- Log Server — Configure Database Maintenance Settings
- Report Server — Configure Report Deletion Settings and Database Settings
- WebBlocker Server — Download the WebBlocker Database
Step 3 — Install the Earlier Version of WSM
Because this is the same version of WSM as the server database and configuration files that you
restored in the previous step, the installer should detect the server configuration and try to restart your
servers when you finish the installation.
To install the earlier WSM version:
1. Run the WatchGuard System Manager installer for the earlier version of WSM.
For more information about how to install WSM, see Install WatchGuard System Manager Software.
2. Complete the installer.
3. On the Finish page, click Restart All Servers Now to start all the installed WatchGuard
servers.
4. If you installed the Management Server, from WatchGuard Server Center, restore the backup
Management Server configuration you created before you upgraded WSM.
For more information, see Back Up or Restore the Management Server Configuration.
5. In WatchGuard Server Center, from the left navigation menu, select Servers and verify that all
the installed WatchGuard servers are running.
Dynamic IP Support on the External Interface
If you use dynamic IP addresses, you must configure your XTM device in routed mode when you use
the Quick Setup Wizard.
If you select DHCP, your XTM device connects to the DHCP server controlled by your Internet service
provider (ISP) to get its IP address, gateway, and netmask. This server can also give DNS server
information for your XTM device. If it does not give you that information, you must add it manually to
your configuration. If necessary, you can change the IP addresses that your ISP gives you.
You also can use PPPoE. As with DHCP, the XTM device makes a PPPoE protocol connection to the
PPPoE server of your ISP. This connection automatically configures your IP address, gateway, and
netmask.
If you use PPPoE on the external interface, you must have the PPP user name and password when
you configure your network. If your ISP gives you a domain name to use, type your user name in the
format [email protected] when you use the Quick Setup Wizard.
A static IP address is necessary for the XTM device to use some functions. When you configure the
XTM device to receive dynamic IP addresses, the device cannot use these functions:
- FireCluster
- Drop-in mode
- 1-to-1 NAT on an external interface
- Mobile VPN with PPTP
If your ISP uses a PPPoE connection to give a static IP address, the XTM device
allows you to enable Mobile VPN with PPTP because the IP address is static.
About Connecting the XTM Device Cables
Use these guidelines when you connect cables to your XTM device.
- Connect the power cable to the XTM device power input and to a power source.
- Use a straight Ethernet cable (green) to connect your management computer to a hub or switch.
- Use a different straight Ethernet cable to connect your XTM device to the same hub or switch.
- Use a red crossover cable to connect the XTM device trusted interface to the management computer Ethernet port.
For XTM 5 Series devices, Interface 0 does not support Auto-MDIX, which automatically senses the
cable polarity. Use these guidelines to decide which type of Ethernet cable to use with Interface 0:
- To connect Interface 0 to an interface on a switch or router that supports Auto-MDIX, you can use either Ethernet cable.
- To connect Interface 0 to an interface on an older switch or router that does not support Auto-MDIX, use the green Ethernet cable. Your switch or router might be set to a different polarity. If the green Ethernet cable does not work, try the red crossover Ethernet cable.
- To connect Interface 0 to a PC, use the red crossover Ethernet cable.
Connect to an XTM Device with Firefox
Web browsers use certificates to ensure that the device on the other side of an HTTPS connection is
the device you expect. Users see a warning when a certificate is self-signed, or when there is a
mismatch between the requested IP address or host name and the IP address or host name in the
certificate. By default, your XTM device uses a self-signed certificate that you can use to set up your
network quickly. However, when users connect to the XTM device with a web browser, a Secure
Connection Failed warning message appears.
To avoid this warning message, we recommend that you add a valid certificate signed by a CA
(Certificate Authority) to your configuration. This CA certificate can also be used to improve the
security of VPN authentication. For more information on the use of certificates with XTM devices, see
About Certificates on page 1413.
If you continue to use the default self-signed certificate, you can add an exception for the XTM device
on each client computer. Current versions of most Web browsers provide a link in the warning
message that the user can click to allow the connection.
Actions that require an exception include:
- About User Authentication
- Install and Connect the Mobile VPN with SSL Client
- Run the Web Setup Wizard
- About Edge (v10.x and Older) and SOHO Devices as Managed Devices
Common URLs that require an exception include:
- https://IP address or host name of an XTM device interface:8080
- https://IP address or host name of an XTM device interface:4100
- https://IP address or host name of an XTM device:4100/sslvpn.html
Add a Certificate Exception to Mozilla Firefox
If you add an exception in Firefox for the XTM device certificate, the warning message does not appear
on subsequent connections. You must add a separate exception for each IP address, host name, and
port used to connect to the XTM device. For example, an exception that uses a host name does not
operate properly if you connect with an IP address. Similarly, an exception that specifies port 4100
does not apply to a connection where no port is specified.
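The two causes of the warning described above (a self-signed certificate, and a mismatch between the name in the URL and the names in the certificate), as an added Python example that is not part of the guide: it classifies a certificate in the dict layout that Python's ssl.getpeercert() returns, and shows why an exception or certificate issued for a host name does not cover a connection made by IP address. The certificate dictionaries are constructed placeholders, not real device certificates.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed certificates in the layout ssl.SSLSocket.getpeercert() returns.
# Names are placeholders for this example, not the device's actual certificate contents.
DEFAULT_SELF_SIGNED: Dict = {
    "subject": ((("commonName", "xtm-selfsigned-example"),),),
    "issuer": ((("commonName", "xtm-selfsigned-example"),),),
}
CA_SIGNED: Dict = {  # a replacement certificate issued by an (example) CA for a host name
    "subject": ((("commonName", "firewall.example.com"),),),
    "issuer": ((("commonName", "Example Corp Issuing CA"),),),
    "subjectAltName": (("DNS", "firewall.example.com"),),
}


def _rdn_attrs(name) -> Dict[str, str]:
    """Flatten getpeercert()'s tuple-of-RDN-tuples into {attribute: value}."""
    return {attr: value for rdn in name for attr, value in rdn}


def cert_names(cert: Dict) -> Tuple[Set[str], Set[str]]:
    """(DNS names, IP addresses) the certificate is valid for."""
    dns: Set[str] = set()
    ips: Set[str] = set()
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.add(value.lower())
        elif kind == "IP Address":
            ips.add(value)
    if not dns and not ips:  # no SAN extension: fall back to the subject commonName
        cn = _rdn_attrs(cert.get("subject", ())).get("commonName", "")
        if cn:
            try:
                ipaddress.ip_address(cn)
                ips.add(cn)
            except ValueError:
                dns.add(cn.lower())
    return dns, ips


def _dns_matches(pattern: str, host: str) -> bool:
    """Exact match, or a single-label wildcard such as *.example.com."""
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def warning_reasons(cert: Dict, requested: str) -> List[str]:
    """Reasons a browser warns for `cert` when the URL names `requested` (host name or IP).

    Returns [] when neither cause applies. The self-signed test compares issuer and
    subject, which is a heuristic; a full check verifies the signature with the
    certificate's own public key.
    """
    reasons: List[str] = []
    if cert.get("issuer") == cert.get("subject"):
        reasons.append("self-signed")
    dns, ips = cert_names(cert)
    try:
        ipaddress.ip_address(requested)
        matched = requested in ips  # an IP in the URL only matches an IP entry, never a DNS name
    except ValueError:
        matched = any(_dns_matches(p, requested.lower()) for p in dns)
    if not matched:
        reasons.append("name-mismatch")
    return reasons


if __name__ == "__main__":
    # Connecting to the CA-signed certificate by IP still warns: the exception and the
    # certificate are tied to the host name, which is the point the guide makes.
    for cert, url_host in ((DEFAULT_SELF_SIGNED, "192.0.2.1"),
                           (CA_SIGNED, "firewall.example.com"),
                           (CA_SIGNED, "192.0.2.1")):
        print(url_host, "->", warning_reasons(cert, url_host) or "no warning")
```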
A certificate exception does not make your computer less secure. All network traffic
between your computer and the XTM device remains securely encrypted with SSL.
In Firefox, you can add certificate exceptions in the advanced options.
1. In Firefox, select Firefox > Options > Options.
The Options dialog box appears.
2. Select Advanced.
3. Click the Encryption tab, then click View Certificates.
The Certificate Manager dialog box opens.
4. Click the Servers tab, then click Add Exception.
5. In the Location text box, type the URL to connect to the XTM device. The most common URLs
are listed above.
6. Click Get Certificate.
7. When the certificate information appears in the Certificate Status area, click Confirm
Security Exception.
8. Click OK.
9. To add more exceptions, repeat Steps 4–7.
Disable the HTTP Proxy in the Browser
Many web browsers are configured to use an HTTP proxy server to increase the download speed of
web pages. To manage or configure the XTM device with the Web UI, your browser must connect
directly to the device. If you use an HTTP proxy server, you must temporarily disable the HTTP proxy
setting in your browser. You can enable the HTTP proxy server setting in your browser again after you
set up the XTM device.
Use these instructions to disable the HTTP proxy in Mozilla Firefox or Internet Explorer. For other
browsers, use the browser Help system to find the necessary information. Many browsers
automatically disable the HTTP proxy feature.
Disable the HTTP proxy in Internet Explorer 7.x or 8.x
1. Open Internet Explorer.
2. Select Tools > Internet Options.
The Internet Options dialog box appears.
3. Select the Connections tab.
4. Click LAN Settings.
The Local Area Network (LAN) Settings dialog box appears.
5. Clear the Use a proxy server for your LAN check box.
6. Click OK to close the Local Area Network (LAN) Settings dialog box.
7. Click OK to close the Internet Options dialog box.
Disable the HTTP proxy in Firefox 3.x
1. Open Firefox.
2. Select Tools > Options.
The Options dialog box appears.
3. Click Advanced.
4. Select the Network tab.
5. Click Settings.
6. Click Connection Settings.
The Connection Settings dialog box appears.
7. For Firefox 2.x, make sure the Direct Connection to the Internet option is selected.
For Firefox 3.x, make sure the No proxy option is selected.
8. Click OK to close the Connection Settings dialog box.
9. Click OK to close the Options dialog box.
Find Your TCP/IP Properties
To learn about the properties of your network, look at the TCP/IP properties of your computer or any
other computer on the network. You must have this information to install your XTM device:
- IP address
- Subnet mask
- Default gateway
- Whether your computer has a static or dynamic IP address
If your ISP assigns your computer an IP address that starts with 10, 192.168, or
172.16 to 172.31, then your ISP uses NAT (Network Address Translation) and your
IP address is private. We recommend that you get a public IP address for your XTM
device external IP address. If you use a private IP address, you can have problems
with some features, such as virtual private networking.
To find the TCP/IP properties for your computer operating system, use the instructions in the
subsequent sections.
Find Your TCP/IP Properties on Microsoft Windows XP,
Windows 2003, and Windows 7
1. Select Start > All Programs > Accessories > Command Prompt.
The Command Prompt dialog box appears.
2. At the command prompt, type ipconfig /all and press Enter.
3. Write down the values that you see for the primary network adapter.
Find Your TCP/IP Properties on Microsoft Windows 8
1. On the Windows 8 Start page, type command.
2. In the Apps search results list, click Command Prompt.
The Command Prompt dialog box appears.
3. At the command prompt, type ipconfig /all and press Enter.
4. Write down the values that you see for the primary network adapter.
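An added example, not from the guide, that reads the four values the guide says to write down out of ipconfig /all output and applies the private-address test from the note above (addresses starting with 10, 172.16 to 172.31, or 192.168 mean your ISP uses NAT). The sample output is constructed, with a placeholder adapter name and addresses; on Windows the script runs ipconfig /all itself.

```python
import ipaddress
import re
from typing import Dict, Optional

# Constructed sample in the layout "ipconfig /all" prints on Windows 7 (adapter and addresses are placeholders).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : MGMT-PC
   Primary Dns Suffix  . . . . . . . :

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Example Gigabit Adapter (constructed)
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.25(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):$")  # e.g. "Ethernet adapter Local Area Connection:"
# Indented "Key . . . . : value" lines; the dotted leader between key and colon is discarded.
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 \-]*?)[ .]*:\s*(.*)$")

# The three private (RFC 1918) blocks the guide names.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private_address(addr: str) -> bool:
    """True for 10.x.x.x, 172.16.x.x to 172.31.x.x, and 192.168.x.x."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def parse_ipconfig(text: str) -> Dict[str, Dict[str, str]]:
    """Return {adapter name: {field: value}} from 'ipconfig /all' output."""
    adapters: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:  # fields above the first adapter (Host Name, ...) are skipped
            adapters[current][m.group(1)] = m.group(2).strip()
    return adapters


def tcpip_properties(text: str) -> Optional[Dict[str, object]]:
    """The values the guide asks for, taken from the first adapter that has an IPv4 address."""
    for fields in parse_ipconfig(text).values():
        raw = fields.get("IPv4 Address") or fields.get("IP Address")  # Windows 7 label vs XP label
        if not raw:
            continue
        ip = raw.split("(")[0].strip()  # drop the "(Preferred)" suffix
        return {
            "ip_address": ip,
            "subnet_mask": fields.get("Subnet Mask", ""),
            "default_gateway": fields.get("Default Gateway", ""),
            "dynamic": fields.get("DHCP Enabled", "").lower() == "yes",
            # private => the upstream ISP applies NAT; the guide recommends a public address
            # for the XTM external interface where possible.
            "private": is_private_address(ip),
        }
    return None


if __name__ == "__main__":
    import subprocess
    import sys
    if sys.platform == "win32":
        output = subprocess.run(["ipconfig", "/all"], capture_output=True,
                                text=True, errors="replace").stdout
    else:
        output = SAMPLE_IPCONFIG  # off Windows, demonstrate on the constructed sample
    print(tcpip_properties(output))
```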
Find Your TCP/IP Properties on Macintosh OS X 10.x
1. Select the Apple menu > System Preferences, or select the icon from the Dock.
The System Preferences dialog box appears.
2. Click the Network icon.
The Network preference pane appears.
3. Select the network adapter you use to connect to the Internet.
4. Write down the values that you see for the network adapter.
Find Your TCP/IP Properties on Other Operating Systems (Unix,
Linux)
1. Read your operating system guide to find the TCP/IP settings.
2. Write down the values that you see for the primary network adapter.
5 Configuration and Management Basics
About Basic Configuration and Management Tasks
After your XTM device is installed on your network and is set up with a basic configuration file, you can
start to add custom configuration settings. The topics in this section help you complete these basic
management and maintenance tasks.
About Configuration Files
A configuration file includes all configuration data, options, IP addresses, and other information that
makes up the security policy for your XTM device. Configuration files have the extension .xml.
Policy Manager is a WatchGuard software tool that lets you make, change, and save configuration
files. You can use Policy Manager to easily examine and change your configuration file.
When you use Policy Manager, you can:
- Open a Configuration File, either the configuration file currently in use on the XTM device, or a local configuration file (a configuration file saved on your hard drive)
- Make a New Configuration File
- Save the Configuration File
- Make changes to existing configuration files
Open a Configuration File
Network administrators often need to make changes to their network security policies. Perhaps, for
example, your company purchased a new software application, and you must open a port and protocol
to a server at a vendor location. Your company might have also purchased a new feature for your XTM
device or hired a new employee who needs access to network resources. For all of these tasks, and
many more, you must open your configuration file, use Policy Manager to modify it, and then save the
configuration file.
Open the Configuration File with WatchGuard System Manager
1. On your Windows desktop, select Start > All Programs > WatchGuard System Manager
11.x > WatchGuard System Manager 11.x.
WatchGuard System Manager 11.x is the default name of the folder for the Start menu icons. You
cannot change this folder name when you run the installer, but you can change it through the
Windows user interface.
2. Click the Connect To Device toolbar icon.
Or, select File > Connect To Device.
The Connect to Firebox dialog box appears.
3. From the IP Address or Name drop-down list, type or select the IP address for the trusted
interface of your XTM device.
4. In the User Name text box, type the user name for a user account that is assigned the Device
Monitor role.
The status account is used by default.
5. Type the passphrase for the user account. Click OK.
The device appears in the WatchGuard System Manager Device Status tab.
6. On the Device Status tab, select the XTM device. Click the Policy Manager toolbar icon.
Or, select Tools > Policy Manager.
Policy Manager opens with the configuration file that is in use on the selected device. The
changes you make to the configuration do not take effect until you save the configuration to the
XTM device.
Open a Local Configuration File
You can open configuration files that are saved on any local drive or any network drive to which your
management computer can connect.
If you want to use an existing configuration file for an XTM device in a factory-default state, we
recommend that you first run the Quick Setup Wizard to create a basic configuration and then open the
existing configuration file.
1. In WatchGuard System Manager, click the Policy Manager icon, or select Tools > Policy Manager.
The Policy Manager dialog box appears.
2. Select Open configuration file and click Browse.
3. Select the configuration file.
4. Click Open.
The configuration file appears in Policy Manager.
Open a Configuration File with Policy Manager
1. Select File > Open > Firebox.
The Open Firebox dialog box appears.
2. From the IP Address or Name drop-down list, select an XTM device.
You can also type the IP address or host name.
3. In the User Name and Passphrase text boxes, type the credentials for a Device Monitor (read-only) user account.
4. From the Authentication Server drop-down list, select the correct authentication server for the
user account you specified.
5. If you use an Active Directory server for authentication, the Domain text box appears. Type the
domain name of your Active Directory server.
6. Click OK.
The configuration file appears in Policy Manager.
You use a Device Monitor user account to monitor traffic and XTM device conditions.
You must use a Device Administrator account when you save the configuration to the
device.
If you cannot connect to the XTM device, try these steps:
n If the Connect to Firebox or Open Firebox dialog box immediately appears after you type the
passphrase, make sure that Caps Lock is off and that you typed the passphrase correctly. The
passphrase is case-sensitive.
n If the Connect to Firebox or Open Firebox dialog box times out, make sure that you have a
link on the trusted interface and on your computer. Make sure that you typed the correct IP
address for the trusted interface of the XTM device. Also make sure that your computer IP
address is in the same network as the trusted interface of the XTM device.
Make a New Configuration File
The Quick Setup Wizard makes a basic configuration file for your XTM device. We recommend that
you use this as the base for each of your configuration files. You can also use Policy Manager to make
a new configuration file with only the default configuration properties.
1. In WatchGuard System Manager, before you connect to a device, click the Policy Manager icon,
or select Tools > Policy Manager.
The Policy Manager dialog box appears.
2. Select Create a new configuration file for.
3. From the Firebox drop-down list, select the type of XTM device for which you want to make a
new configuration file.
4. Click OK.
The Select Firebox Model and Name dialog box appears.
5. In the Model drop-down lists, select your XTM device model. Because some groups of features
are unique to specific models, select the same model as your hardware device.
6. In the Name text box, type the name for the device configuration file. This name is also used to
identify the device if it is managed by a WatchGuard Management Server, and for logging and
reporting.
7. The For v11.4 or later check box is selected by default. To create a configuration file for a
device that uses Fireware XTM v11.0 - v11.3.x, clear this check box.
8. Click OK.
Policy Manager makes a new configuration with the file name <name>.xml, where <name> is the name
you gave the device.
Save the Configuration File
If you make a new configuration file or change a current configuration file and want your changes to
take effect on the XTM device, you must save the configuration file directly to the XTM device.
You can also save the current configuration file to any local drive or any network drive to which your
management computer can connect. If you plan to make one or more major changes to your
configuration file, we recommend that you save a copy of the old configuration file first. If you have
problems with your new configuration, you can restore the old version.
Save a Configuration File Directly to the Device
You can use Policy Manager to save your configuration file directly to the XTM device.
1. Select File > Save > To Firebox.
The Save to Firebox dialog box appears.
2. In the IP Address or Name text box, type or select an IP address or name. If you use a name,
the name must resolve through DNS.
When you type an IP address, type all the numbers and the periods. Do not use the TAB or
arrow keys.
3. In the Administrator User Name and Administrator Passphrase text boxes, type the
credentials for a Device Administrator (read-write) user account.
4. From the Authentication Server drop-down list, select the correct authentication server for the
user account you specified.
5. If you use an Active Directory server for authentication, in the Domain text box, type the
domain name of your Active Directory server.
6. Click OK.
Save a Configuration File to a Local or Network Drive
You can use Policy Manager to save your configuration file to a local or network drive.
1. Select File > Save > As File.
You can also use CTRL-S. A standard Windows save file dialog box appears.
2. Type the name of the file.
The default location is the My Documents\My WatchGuard\configs directory. You can also
save the file in any folder you can connect to from the management computer. For better
security, we recommend that you save the files in a safe folder that no other users can get
access to.
3. Click Save.
The configuration file is saved to the directory you specify.
Automatically Create Configuration File Backups
Each time you save configuration changes to a local file, the file replaces the previous copy of the file.
You can configure Policy Manager to automatically save a backup copy of the configuration file each
time you save changes to a file. The backup copy includes a timestamp in the file name. This makes it
easier for you to keep a record of the configuration changes made over time. This backup option is not
enabled by default.
To enable the automatic creation of backup configuration files:
1. Select File > Save.
2. Select Always create a backup.
Adjacent to Always create a backup, a check mark appears.
3. To verify the feature is enabled, select File > Save.
4. Make sure a check mark appears adjacent to the Always create a backup menu item.
A check mark appears only when the option is enabled.
After you enable the backup option, each time you save the configuration to a file, Policy Manager
saves a second copy of the configuration file in the same location, with the date and timestamp added
to the file name. The backup file name includes the original file name, plus the date (year-month-day)
and the time (hour-minute-second).
For example, if you save a configuration file named HQ-XTM1050 on March 30, 2011 at 11:30 AM,
Policy Manager saves two files:
HQ-XTM1050.xml
HQ-XTM1050_2011-3-15_11-30-00.xml
A backup file is automatically created only when you select File > Save > As File to save the
configuration to a file. Policy Manager does not create a backup file when you select File > Save > To
Firebox.
To disable the creation of automatic backup configuration files:
Select File > Save > Always create a backup.
The checkmark is removed and automatic backup configuration files are no longer saved when you
save configuration changes.
Run the XTM Configuration Report
You can use the XTM Configuration Report to see many XTM device configuration settings in an easy
to read, printable format. To generate the XTM configuration report, use the Fireware XTM Web UI or
the Fireware XTM command line interface.
For more information about the XTM Configuration Report, see the Fireware XTM Web UI Help at
http://www.watchguard.com/help/documentation/.
Make a Backup of the XTM Device Image
An XTM device backup image is an encrypted and saved copy of the flash disk image from the XTM
device flash disk. It includes the XTM device OS, configuration file, feature keys, Device Management
users, passphrases, DHCP leases, and certificates. The backup image also includes any event
notification settings that you configured in Traffic Monitor. You can save a backup image to your
management computer, to a directory on your network, or to another connected storage device.
The backup image is unique to each device and includes the serial number, certificates, and private
keys unique to that device.
Do not restore a backup image created from one XTM device to a different XTM
device, even if both devices are the same model.
We recommend that you regularly make backup files of the XTM device image. We also recommend
that you create a backup image of the XTM device before you make significant changes to your
configuration file, or before you upgrade your XTM device or its OS. You can use Policy Manager to
make a backup of your device image.
1. Select File > Backup.
The Backup dialog box appears.
2. In the Administrator User Name and Administrator Passphrase text boxes, type the
credentials for a Device Administrator (read-write) user account.
3. From the Authentication Server drop-down list, select the correct authentication server for the
user account you specified.
4. If you use an Active Directory server for authentication, in the Domain text box, type the
domain name of your Active Directory server.
5. Click OK.
A second Backup dialog box appears.
6. Type and confirm an encryption key. This key is used to encrypt the backup file. If you lose or
forget this encryption key, you cannot restore the backup file.
7. Click Browse to select the directory in which to save the backup file.
The default location for a backup file with an .fxi extension is:
n Windows XP — C:\Documents and Settings\All Users\Shared WatchGuard\backups\<XTM device IP address>-<date>.<wsm_version>.fxi
n Windows 7 and 8 — C:\Users\Public\Shared WatchGuard\backups\<XTM device IP address>-<date>.<wsm_version>.fxi
8. Click OK.
Restore an XTM Device Backup Image
You can use Policy Manager to restore a previously created backup image to your XTM device. You
can only restore a backup image that came from the same device.
If your device is centrally managed, you must open Policy Manager for your device from your
Management Server to restore a backup image to your device.
For more information about how to update the configuration of a Fully Managed device, see Update the
Configuration For a Fully Managed Device on page 1030.
Do not try to restore a backup image created from a different XTM device. Each
backup image is unique to a single device; it includes the serial number, certificates,
and private keys for that device.
After the backup image is successfully restored, the device must reboot.
To restore the backup image:
1. Select File > Restore.
The Restore dialog box appears.
2. In the Administrator User Name and Administrator Passphrase text boxes, type the
credentials for a Device Administrator (read-write) user account.
3. From the Authentication Server drop-down list, select the correct authentication server for the
user account you specified.
4. If you use an Active Directory server for authentication, in the Domain text box, type the
domain name of your Active Directory server.
5. Click OK.
6. Type the encryption key you used when you created the backup image.
7. Select the location and file name of the saved backup image file created for this device.
8. Click OK.
The XTM device restores the backup image. It restarts and uses the backup image.
Make sure you wait two minutes before you connect to the XTM device again.
The default location for a backup file with an .fxi extension is:
n Windows XP — C:\Documents and Settings\All Users\Shared WatchGuard\backups\<XTM device IP address>-<date>.<wsm_version>.fxi
n Windows 7 — C:\Users\Public\Shared WatchGuard\backups\<XTM device IP address>-<date>.<wsm_version>.fxi
If you cannot successfully restore your XTM device image, you can reset the XTM device. Depending
on the XTM device model you have, you can reset an XTM device to its factory-default settings or
rerun the Quick Setup Wizard to create a new configuration.
For more information, see Reset a Device on page 78.
Use a USB Drive for System Backup and Restore
A WatchGuard XTM device backup image is a copy of the flash disk image from the XTM device that
is encrypted and saved. The backup image file includes the XTM device OS, configuration file, feature
key, and certificates.
For XTM devices, you can attach a USB drive or storage device to the USB port on the XTM device for
system backup and restore procedures. When you save a system backup image to a connected USB
drive, you can restore your XTM device to a known state more quickly.
About the USB Drive
The USB drive must be formatted with the FAT or FAT32 file system. If the USB drive has more than
one partition, Fireware XTM only uses the first partition. Each system backup image can be 70 MB or
larger. We recommend you use a USB drive large enough to store several backup images.
Save a Backup Image to a Connected USB Drive
For this procedure, a USB drive must be connected to your XTM device.
1. Start Firebox System Manager.
2. Select Tools > USB Drive.
The Backup/Restore to USB drive dialog box appears.
3. In the New backup image section, type a Filename for the backup image.
Or, use the default filename provided.
4. Type and confirm an Encryption key. This key is used to encrypt the backup file. If you lose or
forget this encryption key, you cannot restore the backup file.
5. Click Save to USB Drive.
The saved image appears on the list of Available device backup images after the save is complete.
Restore a Backup Image from a Connected USB Drive
For this procedure, a USB drive must be connected to your XTM device.
1. Start Firebox System Manager.
2. Select Tools > USB Drive.
The Backup/Restore to USB drive dialog box appears.
3. From the Available backup images list, select a backup image file to restore.
4. Click Restore Selected Image.
5. Type the Encryption key you used when you created the backup image.
6. Type the configuration passphrase for your XTM device. Click OK.
7. Click Restore.
The XTM device restores the backup image. It restarts and uses the backup image.
Automatically Restore a Backup Image from a USB Drive
If a USB drive (storage device) is connected to a WatchGuard Firebox or XTM device in recovery
mode, the device can automatically restore a previously backed up image from the USB drive. To use
the auto-restore feature, you must first select a backup image on the USB drive as the one you want to
use for the restore process. You must use Fireware XTM Web UI, Firebox System Manager, or
Fireware XTM command line interface to select this backup image. This feature is not supported on
XTMv devices.
Do not use a backup image created from a different Firebox or XTM device for auto-restore. The
backup image is unique to a single device, and includes the serial number, certificates, and private
keys unique to that device.
Select the Backup Image to Auto-Restore
1. Start Firebox System Manager.
2. Select Tools > USB Drive.
The Backup/Restore to USB Drive dialog box appears.
3. From the Available backup images list, select a backup image file.
4. Click Use Selected Image for Auto-Restore.
5. Type the Encryption Key used to create the backup image. Click OK.
6. Type the configuration passphrase for your XTM device. Click OK.
The XTM device saves a copy of the selected backup image as the auto-restore image auto-restore.fxi. This image is saved in the auto-restore directory on the USB drive, and is encrypted with
a random encryption key that can only be used by the automatic restore process.
If you had a previous auto-restore image saved, the auto-restore.fxi file is replaced with a copy of the
backup image you selected.
If your XTM device has used a version of the Fireware XTM OS lower than v11.3, you
must update the recovery mode software image on the device to v11.3 for the auto-restore feature to operate. See the Fireware XTM 11.3 Release Notes for upgrade
instructions.
Auto-Restore the Backup Image for an XTM Device with an LCD Display
For an XTM device with an LCD display, use the arrow buttons near the LCD for this procedure.
1. Connect the USB drive with the auto-restore image to a USB interface on the XTM device.
2. Power off the XTM device.
3. Press and hold the up arrow on the device front panel while you power on the device.
4. Continue to hold down the up arrow button until Recovery Mode starting appears on the LCD
display.
The device restores the backup image from the USB drive, and automatically uses the restored
image after it reboots.
If the USB drive does not contain a valid auto-restore image for this XTM device model family, the
device does not reboot and is instead started in recovery mode. If you restart the device again, it uses
your current configuration. When the device is in recovery mode, you can use the WSM Quick Setup
Wizard to create a new basic configuration.
For information about the WSM Quick Setup Wizard, see Run the WSM Quick Setup Wizard on page
37.
Auto-Restore the Backup Image for a Firebox T10, XTM 33 or XTM 2
Series Device
1. Attach the USB drive with the auto-restore image to a USB interface on the XTM 2 Series
device.
2. Disconnect the power supply.
3. Press and hold the Reset button on the back of the device.
4. Continue to hold down the Reset button and connect the power supply.
5. After 10 seconds, release the Reset button.
The device restores the backup image from the USB drive and automatically uses the restored
image after it reboots.
If the USB drive does not contain a valid auto-restore image, the auto-restore fails and the device does
not reboot. If the auto-restore process is not successful, you must disconnect and reconnect the power
supply to start the device with factory-default settings.
For information about factory default settings, see About Factory-Default Settings.
USB Drive Directory Structure
The USB drive contains directories for backup images, configuration files, feature key, certificates and
diagnostics information for your XTM device.
When you save a backup image to a USB drive, the file is saved in a directory on the USB drive with
the same name as the serial number of your XTM device. This means that you can store backup
images for more than one XTM device on the same USB drive. When you restore a backup image, the
software automatically retrieves the list of backup images stored in the directory associated with that
device.
For each device, the directory structure on the USB device is as follows, where sn is replaced by the
serial number of the XTM device:
\sn\flash-images\
\sn\configs\
\sn\feature-keys\
\sn\certs\
The backup images for a device are saved in the \sn\flash-images directory. The backup image file
saved in the flash-images directory contains the Fireware XTM OS, the device configuration, feature
keys, and certificates. The \configs, \feature-keys, and \certs subdirectories are not used for any
USB drive backup and restore operations. You can use these to store additional feature keys,
configuration files, and certificates for each device.
There is also one directory at the root level of the directory structure which is used to store the
designated auto-restore backup image.
\auto-restore\
When you designate a backup image to use for automatic restore, a copy of the selected backup image
file is encrypted and stored in the \auto-restore directory with the file name auto-restore.fxi. You
can have only one auto-restore image saved on each USB drive.
You must use the Firebox System Manager Tools > USB Drive command to create an auto-restore
image. If you manually copy and rename a backup image and store it in this directory, the automatic
restore process does not operate correctly.
There is also another directory at the root level of the directory structure which is used to store the
support snapshot that can be used by WatchGuard technical support to help diagnose issues with your
XTM device.
\wgdiag\
For more information about the support snapshot, see Use a USB Drive to Save a Support Snapshot
on page 69.
Save a Backup Image to a USB Drive Connected to Your
Management Computer
You can use Policy Manager to save a backup image to a USB drive or storage device connected to
your management computer. If you save the configuration files for multiple devices to the same USB
drive, you can attach the USB drive to any of those XTM devices for recovery.
If you use the Firebox System Manager Tools > USB Drive command to do this, the files are
automatically saved in the proper directory on the USB drive. If you use the Policy Manager File >
Backup command, or if you use Windows or another operating system to manually copy configuration
files to the USB device, you must manually create the correct serial number and flash-image
directories for each device (if they do not already exist).
Before You Begin
Before you begin, it is important that you understand the USB Drive Directory Structure used by the USB
backup and restore feature. If you do not save the backup image in the correct location, the device
cannot find it when you attach the USB drive to the device.
Save the Backup Image
To save a backup image to a USB drive connected to your management computer, follow the steps in
Make a Backup of the XTM Device Image. When you select the location to save the file, select the
drive letter of the USB drive attached to your computer. If you want the backup image you save to be
recognized by the XTM device when you attach the USB drive, make sure to save the backup in the
\flash-images folder, in the directory that is named with the serial number of your XTM device.
For example, if your XTM device serial number is 70A10003C0A3D, save the backup image file to this
location on the USB drive:
\70A10003C0A3D\flash-images\
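As an added example (not WatchGuard's code), the following Python script builds the per-device directory layout described in USB Drive Directory Structure on a drive attached to the management computer, computes where a Policy Manager .fxi backup must be copied so the device can find it, and audits a drive for images placed where the device does not look. The serial numbers, backup file names and drive contents it constructs are made up for the demonstration, and the 13-character serial format is an assumption based on the 70A10003C0A3D example above.

```python
"""Lay out and audit XTM device backup images on a USB drive.

Added example, not WatchGuard code. It follows the layout the guide describes:
<serial>/flash-images/ holds the .fxi backup images a device can restore,
auto-restore/ holds the device-created auto-restore.fxi, and wgdiag/ holds
support snapshots. Paths are written with "/" here; on the Windows management
computer pathlib produces the backslash form shown in the guide.
"""
import re
import tempfile
from pathlib import Path

DEVICE_SUBDIRS = ("flash-images", "configs", "feature-keys", "certs")
AUTO_RESTORE_DIR = "auto-restore"
AUTO_RESTORE_IMAGE = "auto-restore.fxi"
SUPPORT_DIR = "wgdiag"
# Assumption: serial numbers look like the guide's example 70A10003C0A3D.
SERIAL_RE = re.compile(r"^[0-9A-F]{13}$")
SNAPSHOT_RE = re.compile(r"^support(\d+)\.tgz$")


def create_device_dirs(usb_root, serial):
    """Create <serial>/flash-images etc., the step Policy Manager users do by hand."""
    if not SERIAL_RE.match(serial):
        raise ValueError(f"not a device serial number: {serial!r}")
    device_dir = Path(usb_root) / serial
    for sub in DEVICE_SUBDIRS:
        (device_dir / sub).mkdir(parents=True, exist_ok=True)
    return device_dir


def backup_destination(usb_root, serial, backup_name):
    """Path where a Policy Manager .fxi backup must go for the device to find it."""
    if not backup_name.lower().endswith(".fxi"):
        raise ValueError("backup images use the .fxi extension")
    return create_device_dirs(usb_root, serial) / "flash-images" / backup_name


def list_backup_images(usb_root):
    """Map each device serial on the drive to its restorable backup image names."""
    images = {}
    for entry in sorted(Path(usb_root).iterdir()):
        if entry.is_dir() and SERIAL_RE.match(entry.name):
            images[entry.name] = sorted(
                p.name for p in (entry / "flash-images").glob("*.fxi"))
    return images


def support_snapshots(usb_root):
    """Support snapshot names in wgdiag/, in the order the device wrote them."""
    found = []
    for p in (Path(usb_root) / SUPPORT_DIR).glob("support*.tgz"):
        m = SNAPSHOT_RE.match(p.name)
        if m:
            found.append((int(m.group(1)), p.name))
    return [name for _, name in sorted(found)]


def audit_usb_drive(usb_root):
    """Return findings for the layout mistakes the guide warns about."""
    root = Path(usb_root)
    findings = []
    for fxi in sorted(root.rglob("*.fxi")):
        parts = fxi.relative_to(root).parts
        in_flash_images = (len(parts) == 3 and bool(SERIAL_RE.match(parts[0]))
                           and parts[1] == "flash-images")
        is_auto_restore = parts == (AUTO_RESTORE_DIR, AUTO_RESTORE_IMAGE)
        if not (in_flash_images or is_auto_restore):
            # The device only looks in <serial>/flash-images/, so this image is unusable.
            findings.append("backup image outside <serial>/flash-images: " + "/".join(parts))
    auto_dir = root / AUTO_RESTORE_DIR
    if auto_dir.is_dir():
        extra = sorted(p.name for p in auto_dir.iterdir() if p.name != AUTO_RESTORE_IMAGE)
        if extra:
            findings.append(f"unexpected files in {AUTO_RESTORE_DIR}/: {', '.join(extra)}")
    # An auto-restore.fxi copied in by hand cannot be told apart from one the device
    # created, and only the device-created copy (Tools > USB Drive) restores correctly.
    return findings


def build_demo_drive():
    """Build a constructed sample drive in a temp dir for the demonstration below."""
    root = Path(tempfile.mkdtemp(prefix="xtm-usb-"))
    # Constructed names following the guide's <IP address>-<date>.<wsm_version>.fxi pattern.
    backup_destination(root, "70A10003C0A3D", "10.0.1.1-2014-05-12.11.9.5.fxi").write_bytes(b"demo")
    backup_destination(root, "70A10003C0A3D", "10.0.1.1-2014-04-01.11.9.5.fxi").write_bytes(b"demo")
    create_device_dirs(root, "70A10003C0B4E")  # second device, no backups yet
    # Mistakes the guide warns about: an image at the drive root, and a hand-copied
    # image dropped into auto-restore/ under the wrong name.
    (root / "10.0.1.2-2014-05-12.11.9.5.fxi").write_bytes(b"demo")
    (root / AUTO_RESTORE_DIR).mkdir()
    (root / AUTO_RESTORE_DIR / "old-backup.fxi").write_bytes(b"demo")
    (root / SUPPORT_DIR).mkdir()
    for n in (1, 2, 10):
        (root / SUPPORT_DIR / f"support{n}.tgz").write_bytes(b"demo")
    return root


if __name__ == "__main__":
    demo = build_demo_drive()
    print(list_backup_images(demo))
    print(support_snapshots(demo))
    for finding in audit_usb_drive(demo):
        print("WARNING:", finding)
```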
Designate a Backup Image for Auto-restore
To designate a backup image for use with the auto-restore feature, you must connect the USB drive to
the device and designate the backup image to use for auto-restore, as described in Use a USB Drive
for System Backup and Restore. If you manually save a backup image to the auto-restore directory,
the automatic restore process does not operate correctly.
Use a USB Drive to Save a Support Snapshot
A support snapshot is a file that contains a recent copy of your device configuration, log files, and other
information that can help WatchGuard technical support troubleshoot issues with your device. To use
the support snapshot feature, your device must use Fireware XTM v11.4 or later.
This feature is not supported on XTMv devices.
If you connect a USB drive to one of the XTM device USB interfaces, the XTM device automatically
generates a new support snapshot and saves the snapshot to the USB drive as an encrypted file. This
happens automatically when the device is powered on and a USB drive is connected to the device.
Any time you connect a USB drive, the XTM device automatically saves a current support snapshot in
the \wgdiag directory on the USB drive.
When the XTM device detects a connected USB drive, it automatically completes these actions:
n If the \wgdiag directory does not exist on the USB drive, the XTM device creates it.
n If the \wgdiag directory already exists on the USB drive, the XTM device deletes and recreates
it.
n The XTM device saves the new support snapshot in the \wgdiag directory with the filename
support1.tgz.
Each time you connect the USB drive or restart the XTM device, any files in the \wgdiag directory are
removed and a new support snapshot is saved.
If you want to keep a support snapshot, you can either rename the \wgdiag directory
on the USB drive or copy the support1.tgz file from the USB drive to your computer
before you reconnect the USB drive to the XTM device.
Status messages about USB diagnostics file generation appear as Info level messages in the log file.
These log messages contain the text USB Diagnostic. For XTM devices that have an LCD display,
messages also appear on the LCD while the USB diagnostic file is written, and when a USB drive is
connected or removed.
By default, the XTM device saves only a single support snapshot per USB drive when the USB drive is
first detected. You can use the usb diagnostic command in the Command Line Interface to enable
the XTM device to automatically save multiple support snapshots to the USB drive periodically while
the device is in operation. If the XTM device is configured to save multiple support snapshots, the
number at the end of the file name is incrementally increased each time a new snapshot is saved, so
that you can see a sequence of support snapshots. For example, the file names for the first two
support snapshots would be support1.tgz and support2.tgz. If enabled, the USB diagnostics
stores a maximum of 48 support snapshots on the USB drive.
For more information about how to use the usb diagnostic command, see the Fireware
XTM Command Line Interface Reference.
Use an Existing Configuration for a New XTM
Device Model
When you replace your Firebox or XTM device with a different XTM device model, you can continue to
use the same configuration file. When you import a new feature key to your existing configuration file,
Policy Manager automatically updates the existing configuration file so that it operates correctly with
the new XTM device model specified in the feature key.
To move a configuration file from one Firebox X e-Series or XTM device to another device model, you
must complete these steps in Policy Manager:
n Remove the feature key for the old model from the configuration file.
n Add the feature key for the new model to the configuration file.
n Review the network interface configuration, and update it if necessary.
n Save the configuration to the new XTM device.
If your old device is a Firebox X Core or Firebox X Peak device that is not an e-Series
model, the upgrade steps are different. For more information, see Upgrade a Non-e-Series Configuration File For Use With an e-Series or XTM Device.
To update your configuration file:
1. If you have not already done so, Get a Feature Key for Your XTM Device for your new XTM
device.
2. For your existing Firebox or XTM device configuration, Open Policy Manager.
3. Select Setup > Feature Keys.
The Firebox Feature Key dialog box appears.
4. Click Remove to remove the current feature key.
5. Click Import.
The Import Firebox Feature Key dialog box appears.
6. When you got a feature key for your new XTM device, you copied the full feature key to a text
file and saved it on your computer. Open this file and paste the contents of the feature key file
for the new XTM device into the Import Firebox Feature Key dialog box.
7. Click OK.
The model information and features from the new feature key appear in the Firebox Feature Key
dialog box.
8. Click OK.
If your new XTM device model has a different number of interfaces than the old device model,
Policy Manager displays a message that advises you to verify the configuration of the network
interfaces.
9. Select Setup > System to verify that the device model is correct. If the device model is not
correct, select the correct device model and model number from the Firebox Model drop-down
lists.
10. Select Network > Configuration to review the network interface configuration.
If you have a third-party certificate installed on your XTM device and receive an error message when
you try to import a feature key, the certificate might have expired or be invalid. You must select a
different certificate to proceed. For more information, see Configure the Web Server Certificate for
Firebox Authentication on page 1452 or Manage XTM Device Certificates.
To save the updated configuration to the new XTM device:
1. Connect your computer to a trusted or optional network interface on the new XTM device.
2. In Policy Manager, select File > Save > To Firebox.
3. In the IP Address or Name text box, type the IP address of the new XTM device.
4. In the User Name and Passphrase text boxes, type the credentials of a user with Device
Administrator privileges on the new XTM device.
If the new device uses the default configuration, the User Name is admin, and the Passphrase
is readwrite.
5. From the Authentication Server drop-down list, select the correct authentication server for the
user account you specified.
If the new device uses the default configuration, the Authentication Server is Firebox-DB.
6. If you use an Active Directory server for authentication, in the Domain text box, type the
domain name of your Active Directory server.
7. Click OK.
8. In the File Name text box, type the file name to save the configuration file.
9. Click Save.
10. If the IP address you typed in the Firebox Address or Name text box in step 3 does not match
any of the IP addresses in the configuration file, Policy Manager displays a warning. Click Yes
to confirm that you want to save the file.
If you save a configuration file that changes the IP address of the XTM device
interface your computer is connected to, you must make sure your computer has an
IP address on the same network as the new XTM device interface IP address, before
you can connect to the device.
Upgrade a Non-e-Series Configuration File For Use With an e-Series or XTM Device
You cannot use Fireware XTM v11.x with Firebox X Core and Firebox X Peak devices that are not e-Series models. WatchGuard System Manager provides an upgrade path for you to move an existing
configuration to a new e-Series or XTM device that is supported by Fireware XTM v11.x. This
procedure applies only to these Firebox X Core or Firebox X Peak devices (not e-Series):
n Firebox X Core models — X500, X700, X1000, X2500
n Firebox X Peak models — X5000, X6000, X8000
The procedure to move a configuration file from a Firebox X e-Series device to an
XTM device model is different. For more information, see Use an Existing
Configuration for a New XTM Device Model.
Before You Begin
Before you can use an upgraded configuration file from a Firebox X Core or Peak device that is not an
e-series device on your new XTM device, you must set up your new XTM device with a basic
configuration file. You can then follow the subsequent procedure to convert your existing configuration
file to v11.x and save it to your new XTM device.
Upgrade the Configuration File
To upgrade an existing v10.x configuration file from a device that is not an e-Series device for use with
a new e-Series or XTM device:
1. Start Policy Manager v10.x for the v10.x device that is not an e-Series device.
2. Select File > Save > As File.
3. In WatchGuard System Manager v11.x, start Policy Manager, and select Open configuration
file.
4. Open the v10.x configuration file you saved in Step 2.
The Upgrade Available dialog box appears. If your management computer has both v10.x and v11.x
WatchGuard System Manager installed, you have a choice about whether to upgrade or to use the
older version of Policy Manager.
5. Select Upgrade device to v11.x. Click OK.
A confirmation dialog box appears.
6. Click OK to confirm that you want to update the configuration file.
The Import Firebox Feature Key dialog box appears.
7. If you have the feature key file for the new XTM device, select Feature key.
Click Browse to find the feature key file.
Or, copy the text of the feature key file and click Paste to insert it in the text box.
If you do not have the feature key for the new XTM device, select Device model.
From the Model drop-down lists, select the model name and number of the new XTM device.
8. Click Upgrade Configuration File.
A message appears when the configuration file has been updated.
9. Click OK to dismiss the success message.
The converted configuration appears in Policy Manager.
If your new XTM device model has a different number of interfaces than the old device model,
you must review the configuration of the network interfaces after the configuration upgrade.
10. To review the network interface configuration, select Network > Configuration.
11. If you did not add the feature key during the upgrade, select Setup > Feature Keys to add the
feature key for the new device.
For more information, see Manually Add a Feature Key to Your XTM Device.
12. To save the upgraded configuration file to the new XTM device, select File > Save > To
Firebox.
If the new XTM device uses Fireware XTM OS v11.x, Policy Manager must complete one more
step to upgrade the configuration to v11.x. An upgrade message appears.
13. To complete the upgrade of the configuration file to v11.x, click Yes.
Configure a Replacement XTM Device
If your XTM device hardware fails during the warranty period, WatchGuard may replace it with an RMA
(Return Merchandise Agreement) unit of the same model. When you exchange an XTM device for an
RMA replacement, WatchGuard Customer Care transfers the licenses from the original XTM device
serial number to the new XTM device serial number. All the features that were licensed to the original
XTM device are transferred to the replacement XTM device.
To set up your new XTM device to use the configuration from your original XTM device, follow the
steps in the subsequent sections.
Save the Configuration from the Original XTM Device to a File
For this procedure, you must have a saved configuration file from your original XTM device. The
configuration file is saved by default to the My Documents\My WatchGuard\configs directory.
For instructions to save the configuration to a local file, see Save the Configuration File on page 58.
Get the Feature Key for the Replacement XTM Device
Because your replacement XTM device has a different serial number, you must get a new feature key
for it from the Support section of the WatchGuard web site. The replacement XTM device is listed in
your activated products list with the same Product Name as the original XTM device, but with the serial
number of the replacement XTM device. For instructions to get the feature key, see Get a Feature Key
for Your XTM Device on page 89.
Use the Quick Setup Wizard to Configure Basic Settings
Just as with any new XTM device, you must use the Quick Setup Wizard to create a basic
configuration for the replacement XTM device. The Quick Setup Wizard runs either from the web or as
a Windows application.
For information about how to run the wizard from the web, see Run the Web Setup Wizard on page 32.
For information about how to run the wizard as a Windows application, see Run the WSM Quick Setup
Wizard on page 37.
Update the Feature Key in the Original Configuration File and
Save to the New Device
1. In WatchGuard System Manager, select Tools > Policy Manager.
2. Select Open configuration file.
3. Click Browse and select the saved configuration file from the original XTM device.
4. Click Open. Click OK.
5. Open Policy Manager for the new device.
6. Select Setup > Feature Keys.
7. Click Remove and remove the original feature key.
8. Click Import and import the new feature key.
9. Click Browse and select the replacement feature key file you downloaded from the
LiveSecurity site.
Or, click Paste and paste the contents of the feature key for the replacement unit.
10. Click OK twice to close the Firebox Feature Key dialog boxes.
11. Select File > Save > To Firebox and save the configuration to the replacement XTM device.
Configuration of the replacement XTM device is now complete. The replacement XTM device now
uses all the policies and configuration settings from the original XTM device.
Reset a Device
If your Firebox or XTM device has a configuration problem, or you just want to create a new
configuration file for your XTM device, you can reset the device to its factory-default settings. For
example, if you do not know the configuration passphrase, or if a power interruption causes damage to
the Fireware XTM OS, you can use the Quick Setup Wizard to build your configuration again or restore
a saved configuration.
After you perform this reset procedure:
• The XTM device is reset to factory-default settings
• The installed feature key is not removed
• All the Device Management accounts you added are removed, and only the default user
accounts are available, with the default passphrases
• Fireware XTM Web UI automatically starts the Web Setup Wizard when you connect to the
XTM device
• The XTM device is discoverable by the Quick Setup Wizard
• The XTM device is discoverable as a new FireCluster member (if the device supports
FireCluster)
For a description of the factory-default settings, see About Factory-Default Settings on page 82.
For more information about FireCluster device discovery, see Discover a Cluster Member.
For instructions to reset a Firebox X e-Series device, see Reset a Firebox X e-Series Device.
Start an XTM Device in Safe Mode
To restore the factory-default settings for a WatchGuard XTM device with an LCD display, you must
start the XTM device in safe mode.
1. Power off the XTM device.
2. Press the down arrow on the device front panel while you power on the XTM device.
3. Continue to press the down arrow button until the message Safe Mode Starting appears on
the LCD display.
When the device is started in safe mode, the LCD display shows the model number followed by the
word safe. When you start a device in safe mode:
• The device temporarily uses the factory-default network and security settings.
• The current feature key is not removed. If you run the Quick Setup Wizard to create a new
configuration, the wizard uses the feature key you previously imported.
• Your current configuration is deleted only when you save a new configuration file to the
XTM device. If you restart the XTM device before you save a new configuration, the device
uses your current configuration.
Reset a Firebox T10, XTM 2 Series or XTM 33 to Factory-Default
Settings
When you reset a Firebox T10, XTM 2 Series, or XTM 33 device, the original configuration settings are
replaced by the factory-default settings. The current feature key is removed.
To reset the device to factory-default settings:
1. Disconnect the power supply.
2. Press and hold the Reset button on the back of the device.
3. Continue to press the Reset button and reconnect the power supply.
4. If the Attn indicator begins to flash, you can release the Reset button. Do not disconnect the
power.
It takes between 30 and 60 seconds for the Attn indicator to flash. For some devices, the Attn
indicator does not flash.
5. If the Attn indicator does not flash, continue to press the Reset button until the Attn indicator is
lit. Then release the Reset button.
It can take between two and four minutes to complete this step, depending on your device model.
6. After the Attn light stays lit and does not flash, disconnect the power supply.
7. Connect the power supply again.
The Power Indicator lights and your device is reset.
Make sure that you complete all of the steps. You must complete Steps 6 and 7 to
restart your device again before you can connect to it.
Reset an XTMv VM to Factory-Default Settings
For an XTMv VM (virtual machine), you cannot use the physical hardware to start the virtual machine in
safe mode. Instead, to reset the virtual machine to factory-default settings, you must use the Fireware
XTM CLI command restore factory-default.
To reset an XTMv VM on ESXi:
1. Log in to the vSphere client.
2. Select the XTMv VM from the inventory.
3. Select the Summary tab.
4. Click Open Console.
5. Log in with the admin account credentials.
6. Type the command restore factory-default.
To reset an XTMv VM on Hyper-V:
1. Log in to the Hyper-V server.
2. Right-click the XTMv VM.
3. From the drop-down menu, select Connect.
4. Log in with the admin account credentials.
5. Type the command restore factory-default.
For more information about how to use the command line interface, see the Fireware XTM Command
Line Interface Reference.
Run the Setup Wizard
After you restore the factory-default settings, you can use the Quick Setup Wizard or Web Setup
Wizard to create a basic configuration or restore a saved backup image.
For more information, see About the Quick Setup Wizard on page 30.
Reset a Firebox X e-Series Device
Use these steps to restore the factory-default settings of a Firebox X e-Series device.
After you perform this reset procedure:
• The device is reset to factory-default settings
• The Fireware XTM Web UI automatically starts the Web Setup Wizard when you connect
• The device is discoverable by the Quick Setup Wizard
• The device is discoverable as a new FireCluster member (if the device supports FireCluster)
Start a Firebox X Core or Peak e-Series Device in Safe Mode
To restore the factory-default settings for a Firebox X Core or Peak e-Series device, you must first start
the Firebox in safe mode.
1. Power off the Firebox.
2. Press the down arrow on the device front panel while you power on the Firebox.
3. Keep the down arrow button depressed until the device startup message WatchGuard
Technologies appears on the LCD display.
When the device is in safe mode, the LCD display shows the model number followed by the
word "safe".
When you start a Firebox X Core or Peak e-Series device in safe mode:
• The device temporarily uses the factory-default network and security settings.
• The current feature key is not removed. If you run the Quick Setup Wizard to create a new
configuration, the wizard uses the feature key you previously imported.
• Your current configuration is deleted only when you save a new configuration. If you restart the
Firebox before you save a new configuration, the device uses your current configuration again.
Reset a Firebox X Edge e-Series to factory-default settings
When you reset a Firebox X Edge e-Series device, the original configuration settings are replaced by
the factory-default settings. To reset the device to factory-default settings:
1. Disconnect the power supply.
2. Press and hold the Reset button on the back of the device.
3. While you continue to hold down the Reset button, connect the power supply.
4. Continue to hold down the Reset button until the yellow Attn indicator stays lit. This shows that
the device successfully restored the factory-default settings.
This process can take 45 seconds or more.
5. Release the Reset button.
You must start the device again before you can connect to it. If you do not restart,
when you try to connect to the device, a web page appears with this message: Your
device is running from a backup copy of firmware. You can also see this message if
the Reset button is stuck in the depressed position. If you continue to see this
message, check the Reset button and restart the device.
6. Disconnect the power supply.
7. Connect the power supply again.
The Power Indicator lights and your device is reset.
Run the Quick Setup Wizard
After you restore the factory-default settings, you can use the Quick Setup Wizard to create a basic
configuration or restore a saved backup image.
For more information, see Run the WSM Quick Setup Wizard.
Firebox X e-Series devices run Fireware XTM v11.3.x or earlier. If the menu items
and dialog box elements in WatchGuard System Manager or Policy Manager are
different from what is described in this Help system, you can use the instructions in
the appropriate Help system for your version of WatchGuard System Manager on the
WatchGuard web site at http://www.watchguard.com/help/docs/wsm/11/enUS/index.html.
About Factory-Default Settings
The term factory-default settings refers to the configuration on the XTM device when you first receive it
before you make any changes. You can also reset the XTM device to factory-default settings as
described in Reset a Device on page 78.
The default network and configuration properties for the XTM device are:
Trusted network
Interface 1 (Eth1) is configured as a trusted interface.
The default IP address for the trusted network interface is 10.0.1.1 with a subnet mask of
255.255.255.0.
The default IP address and port for the Fireware XTM Web UI is https://10.0.1.1:8080.
The XTM device is configured to give IP addresses to computers on the trusted network through
DHCP. By default, these IP addresses can be from 10.0.1.2 to 10.0.1.254.
External network
Interface 0 (Eth0) is configured as an external interface.
The XTM device is configured to get an IP address with DHCP.
Optional network
The optional network is disabled.
Default Device Administrator (read/write) user account credentials
User name: admin
Passphrase: readwrite
Default Device Monitor (read-only) user account credentials
User name: status
Passphrase: readonly
Firewall settings
All incoming traffic is denied. The outgoing policy allows all outgoing traffic. Ping requests
received from the external network are denied.
System Security
Each Firebox or XTM device has two default Device Management user accounts that you can
use to manage and monitor your device:
• admin — Device Administrator role with read-write access
• status — Device Monitor role with read-only access
When you first run the Quick Setup Wizard to configure the device, you set the passphrases for
these two user accounts. After you complete the Quick Setup Wizard, you can log in to
Fireware XTM Web UI with either the admin or status user account. For full Device
Administrator access, log in with the admin user name and passphrase. For read-only access,
log in with the status user name and passphrase.
By default, the XTM device is set up for local management from the trusted network only.
Additional configuration changes must be made to allow administration from the external
network.
Upgrade Options
To enable upgrade options such as WebBlocker, spamBlocker, and Gateway AV/IPS, you
must paste or import the feature key that enables these features into the configuration page, or
use the Get Feature Key option to activate upgrade options. If you start the XTM device in safe
mode, you do not have to import the feature key again.
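The factory defaults listed above are the state a device returns to after a reset, and the two default accounts with their published passphrases are what an attacker would try first against a device that was reset and never fully reconfigured. The following is an added example, not part of this guide or of any WatchGuard software: a small Python audit that compares a snapshot of a device's management-relevant settings against the documented defaults and reports findings by severity. The DeviceSnapshot field names and the sample snapshots are assumptions constructed for this example; they are not Fireware's configuration schema.

```python
"""Audit a device settings snapshot against the factory defaults documented in the guide.

Added example (not WatchGuard code). The snapshot structure below is a constructed,
hypothetical view of a device; it is not the Fireware configuration file format.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Factory-default values exactly as listed in "About Factory-Default Settings".
DEFAULT_TRUSTED = ("10.0.1.1", "255.255.255.0")
DEFAULT_DHCP_RANGE = ("10.0.1.2", "10.0.1.254")
DEFAULT_PASSPHRASES = {"admin": "readwrite", "status": "readonly"}


@dataclass
class DeviceSnapshot:
    """Hypothetical snapshot of the settings the audit looks at (field names are assumptions)."""
    trusted_ip: str
    trusted_mask: str
    dhcp_range: Tuple[str, str]
    passphrases: Dict[str, str]      # user name -> current passphrase (compare hashes in real tooling)
    external_management: bool        # administration allowed from the external interface?


Finding = Tuple[str, str]  # (severity, message)


def audit_factory_defaults(snap: DeviceSnapshot) -> List[Finding]:
    """Return one finding per setting that still matches a factory default or weakens the default posture."""
    findings: List[Finding] = []
    # Default credentials are published in this guide, so leaving them in place is the critical finding.
    for user, default in DEFAULT_PASSPHRASES.items():
        if snap.passphrases.get(user) == default:
            findings.append(("high", f"account '{user}' still uses the factory-default passphrase"))
    # Default addressing is not a vulnerability by itself, but it signals a device that never completed setup.
    if (snap.trusted_ip, snap.trusted_mask) == DEFAULT_TRUSTED:
        findings.append(("info", "trusted interface still uses the factory-default address 10.0.1.1/255.255.255.0"))
    if tuple(snap.dhcp_range) == DEFAULT_DHCP_RANGE:
        findings.append(("info", "trusted DHCP scope is the factory default 10.0.1.2 to 10.0.1.254"))
    # The guide states the default is local management from the trusted network only.
    if snap.external_management:
        findings.append(("medium", "administration from the external network is enabled (default is trusted-only)"))
    return findings


SEVERITY_ORDER = {"info": 0, "medium": 1, "high": 2}


def worst_severity(findings: List[Finding]) -> str:
    """Highest severity among the findings, or 'none' when the audit is clean."""
    if not findings:
        return "none"
    return max((sev for sev, _ in findings), key=SEVERITY_ORDER.__getitem__)


# Constructed sample snapshots (placeholder values, not from any real device).
FACTORY_FRESH = DeviceSnapshot(
    trusted_ip="10.0.1.1", trusted_mask="255.255.255.0",
    dhcp_range=("10.0.1.2", "10.0.1.254"),
    passphrases={"admin": "readwrite", "status": "readonly"},
    external_management=False,
)
HARDENED = DeviceSnapshot(
    trusted_ip="192.0.2.1", trusted_mask="255.255.255.0",
    dhcp_range=("192.0.2.10", "192.0.2.100"),
    passphrases={"admin": "<operator-chosen-placeholder>", "status": "<operator-chosen-placeholder>"},
    external_management=False,
)

if __name__ == "__main__":
    for label, snap in (("factory-fresh", FACTORY_FRESH), ("hardened", HARDENED)):
        result = audit_factory_defaults(snap)
        print(f"{label}: worst={worst_severity(result)}")
        for sev, msg in result:
            print(f"  [{sev}] {msg}")
```

Run the audit after any reset or RMA replacement, once the new configuration has been saved to the device: a clean result confirms that the passphrases set in the Quick Setup Wizard actually reached the device and that management is still restricted to the trusted network.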
About Recovery Mode for XTM 5 and 8 Series
You can start your WatchGuard XTM device in recovery mode if you want the Quick Setup Wizard to
force a Fireware XTM v11.x OS installation regardless of the version that is currently installed. For
most XTM device models, if you run the Quick Setup Wizard to configure a device that is in recovery
mode, the Quick Setup Wizard finds the latest version of Fireware XTM OS installed on the
management computer, and installs it on the XTM device. The Quick Setup Wizard also removes all
existing settings and feature keys.
When you start an XTM device in recovery mode, the device uses the version of Fireware XTM OS
that was originally installed when the device was manufactured. Some XTM device models are
manufactured with a version of Fireware XTM OS that cannot be upgraded directly to Fireware
XTM v11.8 or higher. These models are:
• XTM 5 Series (XTM 505, 510, 515, 520, 525, 530, and 535)
• XTM 8 Series (XTM 810, 820, 830, and 830F)
When the Quick Setup Wizard discovers one of these models in recovery mode, it looks for the latest
version of Fireware XTM OS v11.7.x or earlier on the management computer, and installs that on the
XTM device. Before you use the Quick Setup Wizard to reinstall Fireware XTM OS, you must first
install Fireware XTM OS v11.7.4 or earlier on the management computer. After device recovery is
complete, you can use Policy Manager to upgrade the XTM device software to Fireware XTM v11.8.x.
The Quick Setup Wizard can reinstall Fireware XTM OS v11.7.4 or earlier on an XTM
5 Series or 8 Series device. We recommend that you use Fireware XTM OS v11.7.4,
because this is the minimum version the device must use before you upgrade it to
Fireware XTM OS v11.8 or higher.
Step 1 — Install Fireware XTM OS v11.7.4 on the Management
Computer
If necessary, download and install the Fireware XTM OS v11.7.4 file for your XTM device model on the
management computer. The Fireware XTM OS installer installs the files that the Quick Setup Wizard
uses to install the software on the XTM device.
To see which versions of Fireware XTM OS for your device are installed on the management computer:
1. In WatchGuard System Manager, select Help > About WatchGuard.
The About WatchGuard Software dialog box appears.
2. In the Installed OS Versions list, look at the software versions installed for your XTM 5 Series
or 8 Series device.
• For XTM 510, 520, 530, look for: XTM OS appliance software for XTM5 (Language),
v11.7.4
• For XTM 810, 820, 830, look for: XTM OS appliance software for XTM8 (Language),
v11.7.4
If Fireware XTM OS v11.7.4 for your XTM device model is not installed, download the Fireware
XTM OS installer for your device from the WatchGuard Portal on the WatchGuard web site at
http://www.watchguard.com, and install it on the management computer.
If you have previously installed Fireware XTM OS v11.8 or higher for your device on the management
computer, you do not need to uninstall it.
Step 2 — Start the XTM Device in Recovery Mode
To start an XTM device with an LCD display in recovery mode:
1. Power off the XTM device.
2. Press and hold the up arrow on the device front panel while you turn the power on.
3. Keep the button depressed until "Recovery Mode starting" appears on the LCD display.
When the XTM device is in recovery mode, it is ready to be discovered by the WSM Quick Setup
Wizard.
Step 3 — Run the WSM Quick Setup Wizard
After you start the device in recovery mode, you can use the WSM Quick Setup Wizard to reinstall the
software.
1. Connect the management computer to XTM device interface 1.
2. Make sure the management computer gets an IP address on the 10.0.1.0 network.
3. In WatchGuard System Manager, select Tools > Quick Setup Wizard.
4. Select Yes, my device is ready to be discovered.
5. Click Next to start device discovery.
6. Provide the information to create a basic device configuration, and add the feature key.
For a description of the configuration steps, see Run the WSM Quick Setup Wizard.
The final page of the Quick Setup Wizard shows the version of Fireware XTM installed on the device.
After the XTM device restarts, it uses Fireware XTM v11.7.4, with a basic configuration that includes
five policies (TCP and UDP outgoing, FTP packet filter, ping, WatchGuard, and WatchGuard Web UI)
and the interface IP addresses you specified. You can use Policy Manager to change this basic
configuration or to save an existing configuration file to the device, as described in Step 5.
Step 4 — Upgrade Fireware XTM OS
After the Quick Setup Wizard has reinstalled Fireware XTM v11.7.4, you can use Policy Manager to
upgrade the device to a later version. For more information, see Upgrade to a New Version of Fireware
XTM.
Step 5 — Save a Configuration File to the Device
If you have previously saved a Fireware XTM v11.8 or higher device configuration to a file, you can use
Policy Manager to save that configuration to the device.
1. Open the saved v11.8 or higher configuration file you want to use in Policy Manager.
2. Make sure the configuration file has the correct feature key for this device.
3. Save the configuration file to the XTM device.
Step 6 — Reinstall XTM Device Certificates
When you use the Quick Setup Wizard for a device in recovery mode, any certificates installed on the
device are removed. If your XTM device had certificates installed, you must reinstall any certificates
on the device after the downgrade. For more information, see Manage XTM Device Certificates.
About Feature Keys
A feature key is a license that enables you to use a set of features on your XTM device. You increase
the functionality of your device when you purchase an option or upgrade and get a new feature key.
When you purchase a new feature for your XTM device, you must activate the new feature on the
WatchGuard web site, and add the feature key to your XTM device. For more information, see Get a
Feature Key for Your XTM Device.
See Features Available with the Current Feature Key
Your XTM device always has one currently active feature key. To see the features available with this
feature key:
1. Open Policy Manager.
2. Select Setup > Feature Keys.
The Firebox Feature Key dialog box appears.
The Summary section includes:
• The device model number and serial number
• The licensed software edition (Fireware XTM or Fireware XTM Pro)
• A signature that uniquely identifies the feature key
• For some feature keys, an expiration date for the entire feature key
If an expiration date appears in the Summary section, this is the date that the key
expires. When the feature key expires, some licensed features and capacities revert
back to the values they had before the feature key was applied, and the XTM device
allows only one connection to the external network.
The Features section shows:
• A list of available features
• Whether the feature is enabled
• The value assigned to the feature, such as the number of VLAN interfaces allowed
• The expiration date of the feature, if any
• The current status on expiration, such as how many days remain before the feature expires
Enable Feature Key Synchronization
You can optionally select the Enable automatic feature key synchronization check box to enable
the device to automatically download the latest feature key from the WatchGuard web site when a
feature is about to expire. For more information, see Enable Automatic Feature Key Synchronization.
Verify Feature Key Compliance
To make sure all features on your XTM device are correctly enabled on your feature key:
1. Open Policy Manager.
2. Click .
The Feature Key Compliance dialog box appears.
The Description includes a message to indicate if a feature is in compliance with the feature key, or if
any feature has expired.
To get a new feature key:
1. In the Feature Key Compliance dialog box, click Add Feature Key.
The Firebox Feature Key dialog box appears.
2. Either Manually Add a Feature Key to Your XTM Device or Download a Feature Key.
Get a Feature Key for Your XTM Device
When you purchase a new feature or upgrade for your XTM device, or when you renew a subscription
service, you must activate a license key on the WatchGuard web site. When you activate the license
key, you select which registered device to apply the key to. Then the WatchGuard web site generates
a new feature key that enables the activated feature for the device you selected. The feature is enabled
on the device after you add the updated feature key to the device.
Activate the License Key for a Feature
To activate a license key and get the feature key for the activated feature:
1. Open a web browser and go to http://www.watchguard.com/.
2. Log in with your WatchGuard account user name and password.
3. On the Support Home tab, click Activate a Product.
The Activate Products page appears.
4. Type the serial number or license key for the product or service. Make sure to include any
hyphens.
Use the serial number to register a new XTM device, and the license key to register add-on
features.
5. Click Continue.
The Choose Product to Upgrade page appears.
6. In the drop-down list, select the device to upgrade or renew.
If you added a device name when you registered your XTM device, that name appears in the
list.
7. Click Activate.
The Retrieve and Apply Key page appears.
8. Copy the contents of the feature key to a text file and save it on your computer.
9. Click Finish.
Even though the XTM device can download the feature key from the WatchGuard
web site, it is a good idea to save the feature key contents to a local file, in case you
need to manually add the feature key to the XTM device when the device does not
have Internet access.
Add the Current Feature Key To The XTM Device
You can use Fireware XTM Web UI or Firebox System Manager to retrieve the current feature key from
the WatchGuard web site and add it directly to your XTM device. Or, you can log in to the WatchGuard
web site to download a current feature key to a file.
To use Firebox System Manager (FSM) to retrieve the current feature key:
1. Start Firebox System Manager.
2. Select Tools > Synchronize Feature Key.
The Synchronize Feature Key dialog box appears. If you are connected to your device with only the
Status passphrase, you must provide the Configuration passphrase for your device.
If you are connected to your device through your Management Server, you do not have to provide
the Configuration passphrase.
3. If you are connected to your device with the Status passphrase, in the Passphrase text box,
type the Configuration Passphrase and click OK.
If you are connected to your Management Server, click Yes to synchronize your feature key.
The XTM device gets the feature key from the LiveSecurity web site and updates it on the XTM
device.
To manually retrieve the current feature key from the WatchGuard web site:
1. Open a web browser and go to http://www.watchguard.com/.
2. Log in with your WatchGuard account user name and password.
3. On the Support Home tab, click My Products.
4. In the list of products, select your device.
5. Use the on-screen instructions to download and save a local copy of the feature key to a file.
6. To manually add the feature key to the XTM device, see Manually Add a Feature Key to Your
XTM Device.
Manually Add a Feature Key to Your XTM Device
If you purchase a new option or upgrade your XTM device, you can use Policy Manager to manually
add a new feature key to enable the new features. Before you install the new feature key, you must
completely remove the old feature key.
For detailed steps to update the feature keys for a FireCluster, see About Feature
Keys and FireCluster.
To manually import the feature key from a local file to your XTM device:
1. Select Setup > Feature Keys.
The Firebox Feature Key dialog box appears.
The features that are available with this feature key appear in this dialog box.
2. To remove the current feature key, click Remove.
All feature key information is cleared from the dialog box.
3. Click Import.
The Import Firebox Feature Key dialog box appears.
4. Click Browse to find the feature key file.
Or, copy the text of the feature key file and click Paste to insert it in the text box.
5. Click OK.
The Import a Firebox Feature Key dialog box closes and the new feature key information appears in
the Firebox Feature Key dialog box.
6. Click OK.
In some instances, new dialog boxes and menu commands to configure the feature appear in Policy
Manager.
7. Save the Configuration File.
The feature key does not operate on the XTM device until you save the configuration file to the
device.
Remove a Feature Key
1. Select Setup > Feature Keys.
The Firebox Feature Key dialog box appears.
2. Click Remove.
A confirmation dialog box appears.
All feature key information is cleared from the dialog box.
3. Save the Configuration File.
See the Details of a Feature Key
From Policy Manager, you can review the details of your current feature key.
The available details include:
• Serial number of the XTM device to which this feature key applies
• XTM device ID and name
• Device model and version number
• Available features
To review the details of your feature key:
1. Select Setup > Feature Keys.
The Firebox Feature Key dialog box appears.
2. Click Details.
The Feature Key Details dialog box appears.
3. Use the scroll bar to review the details of your feature key.
Enable Automatic Feature Key Synchronization
By default, your XTM device does not automatically update the feature key when features expire. You
can optionally enable automatic feature key synchronization. This enables the device to automatically
download the latest feature key from your account on the WatchGuard web site when a feature is
expired or about to expire.
When you enable automatic feature key synchronization:
• The XTM device immediately checks the expiration dates in the feature key, and continues to
check once per day.
• If any feature is expired, or will expire within three days, the XTM device automatically
downloads the latest feature key from WatchGuard once per day, until it successfully
downloads a feature key that does not have expired features.
• In a FireCluster, the cluster master synchronizes the feature keys for all cluster members.
• If the XTM device attempts to synchronize the feature key and fails to retrieve a feature key
from the WatchGuard server, the device sends an error to the log file. The error log includes
information about the type of failure.
To enable automatic feature key synchronization:
1. Open Policy Manager.
2. Select Setup > Feature Keys.
The Firebox Feature Key dialog box appears.
3. Select the Enable automatic feature key synchronization check box.
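The synchronization behaviour described above (a daily check, a three-day expiry window, daily retries until a key without expired features is downloaded, and a log entry on each failure) is worth modelling when you plan monitoring around it, because a feature such as Gateway AV or IPS that lapses silently is a coverage gap. The following Python model is an added example, not WatchGuard code: it implements that decision rule over a constructed feature catalogue and simulates several days with a fetch callback that fails once before succeeding. The feature names, dates, and the fetch_key callback are assumptions made for the example; the real device obtains its key from the WatchGuard web site.

```python
"""Model of the automatic feature key synchronization rule described in the guide.

Added example (not WatchGuard code). Feature names, dates and the fetch callback are
constructed sample values; the real device downloads its key from the WatchGuard web site.
"""
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Tuple

FeatureExpiry = Dict[str, Optional[date]]   # feature name -> expiration date (None = no expiry)

SYNC_WINDOW_DAYS = 3   # guide: synchronize when a feature is expired or expires within three days


def days_remaining(expires: Optional[date], today: date) -> Optional[int]:
    """Days until a feature expires (negative once expired); None for a feature without expiry."""
    return None if expires is None else (expires - today).days


def expiring_features(features: FeatureExpiry, today: date) -> List[str]:
    """Features that are expired or will expire within SYNC_WINDOW_DAYS, sorted by name."""
    return sorted(name for name, exp in features.items()
                  if exp is not None and (exp - today).days <= SYNC_WINDOW_DAYS)


def has_expired_feature(features: FeatureExpiry, today: date) -> bool:
    """True if at least one feature's expiration date is already in the past."""
    return any(exp is not None and exp < today for exp in features.values())


def daily_check(features: FeatureExpiry, today: date,
                fetch_key: Callable[[date], FeatureExpiry]) -> Tuple[FeatureExpiry, List[str]]:
    """One daily synchronization pass. Returns the (possibly updated) features and log lines."""
    log: List[str] = []
    pending = expiring_features(features, today)
    if not pending:
        return features, log                      # nothing near expiry: no download today
    try:
        new_key = fetch_key(today)
    except OSError as err:                        # download failure is logged with its cause
        log.append(f"{today}: feature key synchronization failed: {err}")
        return features, log
    if has_expired_feature(new_key, today):       # keep retrying until the key has no expired features
        log.append(f"{today}: downloaded feature key still has expired features; retry tomorrow")
    else:
        log.append(f"{today}: feature key updated ({', '.join(pending)} refreshed)")
    return new_key, log


def simulate(features: FeatureExpiry, start: date, days: int,
             fetch_key: Callable[[date], FeatureExpiry]) -> Tuple[FeatureExpiry, List[str]]:
    """Run daily_check for a number of consecutive days and collect the log."""
    log: List[str] = []
    for offset in range(days):
        features, entries = daily_check(features, start + timedelta(days=offset), fetch_key)
        log.extend(entries)
    return features, log


# Constructed sample data: a key where one subscription is two days from expiry.
TODAY = date(2014, 5, 12)
SAMPLE_FEATURES: FeatureExpiry = {
    "WebBlocker": date(2014, 5, 14),
    "spamBlocker": date(2014, 6, 30),
    "Gateway AV": None,
}


def make_flaky_fetch(fail_times: int) -> Callable[[date], FeatureExpiry]:
    """Fetch stub (assumption for the example): fails fail_times times, then returns a renewed key."""
    calls = {"n": 0}

    def fetch(_today: date) -> FeatureExpiry:
        calls["n"] += 1
        if calls["n"] <= fail_times:
            raise OSError("no route to WatchGuard server")
        return {"WebBlocker": date(2015, 5, 14), "spamBlocker": date(2014, 6, 30), "Gateway AV": None}

    return fetch


if __name__ == "__main__":
    final, log = simulate(SAMPLE_FEATURES, TODAY, 3, make_flaky_fetch(1))
    print("\n".join(log))
    print({k: (v.isoformat() if v else "never") for k, v in final.items()})
```

The failure log line is the event to alert on: one failure is noise, but repeated daily failures mean the device cannot reach WatchGuard and a subscription will lapse on its expiration date.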
Download a Feature Key
You can use Policy Manager to download a copy of your current feature key from the XTM device to
your management computer.
1. Select Setup > Feature Keys.
The Feature Keys dialog box appears.
2. Click Download.
The Get Firebox Feature keys dialog box appears.
3. In the User Name and Passphrase text boxes, type the credentials for a Device Monitor (read-only) user account.
4. From the Authentication Server drop-down list, select the correct authentication server for the
user account you specified.
5. Click OK.
You can also use Firebox System Manager to download a current feature key from the WatchGuard
web site to the XTM device.
1. Start Firebox System Manager.
2. Select Tools > Synchronize Feature Key.
The XTM device contacts the WatchGuard web site and downloads the current feature key to your
device.
Enable NTP and Add NTP Servers
Network Time Protocol (NTP) synchronizes computer clock times across a network. Your XTM device
can use NTP to get the correct time automatically from NTP servers on the Internet. Because the XTM
device uses the time from its system clock for each log message it generates, the time must be set
correctly. You can change the NTP server that the XTM device uses. You can also add more
NTP servers or delete existing ones, or you can set the time manually.
To use NTP, your XTM device configuration must allow DNS. DNS is allowed in the default
configuration by the Outgoing policy. You must also configure DNS servers for the external interface
before you configure NTP.
For more information about these addresses, see Add WINS and DNS Server Addresses on page 211.
1. Select Setup > NTP.
The NTP Setting dialog box appears.
2. Select the Enable NTP check box.
3. To add an NTP server, type the IP address or host name of the NTP server you want to use in
the text box and click Add.
You can configure up to three NTP servers.
4. To delete a server, select the server entry in the NTP Server Names/IPs list and click
Remove.
5. Click OK.
Set the Time Zone and Basic Device Properties
When you run the Quick Setup Wizard, you set the time zone and other basic device properties.
To change the basic device properties:
1. Open Policy Manager.
2. Click Setup > System.
The Device Configuration dialog box appears.
3. Configure these options:
Firebox Model
The XTM device model and model number, as determined by Quick Setup Wizard. You
normally do not need to change these settings. If you add a new feature key to the XTM
device with a model upgrade, the XTM device model in the device configuration is
automatically updated.
Name
The friendly name of the XTM device. You can give the XTM device a friendly name that
appears in your log files and reports. Otherwise, the log files and reports use the IP address
of the XTM device external interface. Many customers use a Fully Qualified Domain Name
as the friendly name if they register such a name with the DNS system. You must give the
XTM device a friendly name if you use the Management Server to configure VPN tunnels
and certificates.
Location, Contact
Type any information that could be helpful to identify and maintain the XTM device. These
fields are filled in by the Quick Setup Wizard if you entered this information there. This
information appears on the Front Panel tab of Firebox System Manager.
Time zone
Select the time zone for the physical location of the XTM device. The time zone setting
controls the date and time that appear in the log file and in tools such as WatchGuard
WebCenter and WebBlocker.
4. Click OK.
About SNMP
SNMP (Simple Network Management Protocol) is used to monitor devices on your network. SNMP
uses management information bases (MIBs) to define what information and events are monitored. You
must set up a separate software application, often called an event viewer or MIB browser, to collect
and manage SNMP data.
There are two types of MIBs: standard and enterprise. Standard MIBs are definitions of network and
hardware events used by many different devices. Enterprise MIBs are used to give information about
events that are specific to a single manufacturer.
Your XTM device supports these MIBs:
Standard MIBs
- IF-MIB
- IP-MIB
- RFC1155 SMI-MIB
- RFC1213-MIB
- SNMPv2-MIB
- SNMPv2-SMI
- TCP-MIB
- UDP-MIB
Enterprise MIBs
- IPSEC-ISAKMP-IKE-DOI-TC
- WATCHGUARD-CLIENT-MIB
- WATCHGUARD-INFO-SYSTEM-MIB
- WATCHGUARD-IPSEC-ENDPOINT-PAIR-MIB
- WATCHGUARD-IPSEC-SA-MON-MIB-EXT
- WATCHGUARD-IPSEC-TUNNEL-MIB
- WATCHGUARD-POLICY-MIB
- WATCHGUARD-PRODUCTS-MIB
- WATCHGUARD-SMI
- WATCHGUARD-SYSTEM-CONFIG-MIB
- WATCHGUARD-SYSTEM-STATISTICS-MIB
SNMP Polls and Traps
You can configure your XTM device to accept SNMP polls from an SNMP server. The XTM device
reports information to the SNMP server, such as the traffic count from each interface, device uptime,
the number of TCP packets received and sent, and when each network interface on the XTM device
was last modified.
An SNMP trap is an event notification your XTM device sends to an SNMP management station. The
trap identifies when a specific condition occurs, such as a value that is more than its predefined
threshold. Your XTM device can send a trap for any policy in Policy Manager. A trap is sent only once,
and the receiver does not send any acknowledgment when it gets the trap.
An SNMP inform request is similar to a trap, but the receiver sends a response. If your XTM device
does not get a response, it sends the inform request again until the SNMP manager sends a response.
Enable SNMP Polling
You can configure your XTM device to accept SNMP polls from an SNMP server. Your XTM device
reports information to the SNMP server such as the traffic count from each interface, device uptime,
the number of TCP packets received and sent, and when each network interface was last modified.
1. Select Setup > SNMP.
2. Select the version of SNMP to use: v1/v2c or v3.
If you chose v1/v2c, type the Community String your XTM device must use when it connects
to the SNMP server. The community string is the only credential in v1/v2c and it crosses the
network in clear text with every poll, so treat it as a password and do not use a well-known
value such as public or private.
If you chose v3:
- User Name — Type the user name for SNMPv3 authentication and privacy protection.
- Authentication Protocol — Select MD5 (Message Digest 5) or SHA (Secure Hash Algorithm). SHA is the stronger of the two.
- Authentication Password — Type and confirm the authentication password.
- Privacy Protocol — Select DES (Data Encryption Standard) to encrypt traffic or None to not encrypt SNMP traffic. If you select None, the device data returned by each poll travels unencrypted.
- Privacy Password — Type and confirm a password to encrypt outgoing messages and decrypt incoming messages.
3. Click OK.
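The dialog described above lets you pick several combinations that weaken SNMP monitoring (a clear-text v1/v2c community string, MD5 instead of SHA, or a privacy protocol of None). The script below is an added example, not WatchGuard code: it audits a settings dictionary that mirrors the dialog fields and returns the findings a reviewer would raise. The dictionary key names and the list of well-known community strings are assumptions made for the example; it does not contact a device.

```python
"""Flag weak choices in an XTM device's Setup > SNMP polling settings.

Added example for this section; not WatchGuard code. The settings dict mirrors
the dialog fields (version, community string, v3 user, auth and privacy
protocols and passwords); the key names are an assumption for this example.
"""
from typing import Dict, List

# Constructed list: community strings that every SNMP scanner tries first.
WELL_KNOWN_COMMUNITIES = {"public", "private", "community", "snmp", "manager", "watchguard"}


def audit_snmp_settings(settings: Dict[str, str]) -> List[str]:
    """Return findings for one device's SNMP polling settings; [] means nothing to flag."""
    findings: List[str] = []
    version = settings.get("version")

    if version == "v1/v2c":
        community = settings.get("community_string", "")
        # v1/v2c has no other credential and no encryption, whatever the string is.
        findings.append("v1/v2c: community string is the only credential and crosses the "
                        "network in clear text; prefer v3 with authentication and privacy")
        if community.lower() in WELL_KNOWN_COMMUNITIES:
            findings.append(f"v1/v2c: well-known community string {community!r}")
        if len(community) < 8:
            findings.append("v1/v2c: community string shorter than 8 characters")

    elif version == "v3":
        auth = settings.get("auth_protocol")
        if auth not in ("MD5", "SHA"):
            findings.append("v3: authentication protocol must be MD5 or SHA")
        elif auth == "MD5":
            findings.append("v3: MD5 authentication selected; SHA is the stronger option offered")
        # SNMPv3 USM (RFC 3414) requires passphrases of at least 8 characters.
        if len(settings.get("auth_password", "")) < 8:
            findings.append("v3: auth_password shorter than 8 characters")
        if settings.get("privacy_protocol", "None") == "DES":
            if len(settings.get("privacy_password", "")) < 8:
                findings.append("v3: privacy_password shorter than 8 characters")
        else:
            findings.append("v3: privacy protocol None; poll responses travel unencrypted")

    else:
        findings.append(f"unrecognised SNMP version {version!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample settings, one weak and one acceptable.
    weak = {"version": "v1/v2c", "community_string": "public"}
    good = {"version": "v3", "auth_protocol": "SHA", "auth_password": "kQ7!vmz2Lp",
            "privacy_protocol": "DES", "privacy_password": "Xr4#pwq9Nt"}
    for label, cfg in (("weak", weak), ("good", good)):
        print(label, audit_snmp_settings(cfg) or ["ok"])
```

DES is the only privacy protocol this release offers; it is still preferable to None, because without privacy the interface counters, uptime and policy data returned by each poll are readable by anyone on the path.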
To enable your XTM device to receive SNMP polls, you must add an SNMP policy. When you
configure SNMP, Policy Manager automatically prompts you to add an SNMP policy.
In the New Policy Properties dialog box:
1. In the From section, click Add.
The Add Address dialog box appears.
2. Click Add Other.
The Add Member dialog box appears.
3. From the Choose Type drop-down list, select Host IP.
4. In the Value text box, type the IP address of your SNMP server computer.
5. Click OK to close the Add Member dialog box.
6. Click OK to close the Add Address dialog box.
The Policy tab of the new policy appears.
7. In the To section, click Add.
The Add Address dialog box appears.
8. From the Available Members list, select Firebox. Click Add.
XTM device appears in the Selected Members and Addresses list.
9. Click OK to close the Add Address dialog box.
10. Click OK to close the New Policy Properties dialog box.
11. Click Close.
Enable SNMP Management Stations and Traps
An SNMP trap is an event notification your XTM device sends to an SNMP management station. The
trap identifies when a specific condition occurs, such as a value that is more than its predefined
threshold. Your XTM device can send a trap for any policy.
An SNMP inform request is similar to a trap, but the receiver sends a response. If your XTM device
does not get a response, it sends the inform request again until the SNMP manager sends a response.
A trap is sent only once, and the receiver does not send any acknowledgement when it gets the trap.
An inform request is more reliable than a trap because your XTM device knows whether the inform
request was received. However, inform requests consume more resources. They are held in memory
until the sender gets a response, and each retry adds traffic. Because every inform request held
for a response increases the memory in use on the XTM device and the amount of network traffic,
we recommend that you consider whether it is necessary to receive an acknowledgement for every
SNMP notification.
To enable SNMP inform requests, you must use SNMPv2c or SNMPv3. SNMPv1 supports only traps,
not inform requests.
Configure SNMP Management Stations
1. Select Setup > SNMP.
The SNMP Settings window appears.
2. From the SNMP Traps drop-down list, select a trap or inform.
SNMPv1 supports only traps, not inform requests.
3. In the SNMP Management Stations text box, type the IP address of your SNMP management
station. Click Add.
The IP address appears in the SNMP Management Stations list.
4. (Optional) To add more SNMP management stations, repeat Steps 2–3.
5. Click OK.
Add an SNMP Policy
To enable your XTM device to receive SNMP polls, you must also add an SNMP policy.
1. Click the toolbar icon to add a policy, or select Edit > Add Policy.
The Add Policies dialog box appears.
2. Expand the Packet Filters list and select SNMP. Click Add.
The New Policy Properties dialog box appears.
3. In the From section, click Add.
The Add Address dialog box appears.
4. Click Add Other.
The Add Member dialog box appears.
5. From the Choose Type drop-down list, select Host IP.
6. In the Value text box, type the IP address of your SNMP server computer.
7. Click OK to close the Add Member dialog box.
8. Click OK to close the Add Address dialog box.
The Policy tab of the new policy appears.
9. In the To section, click Add.
The Add Address dialog box appears.
10. In the Available Members list, select Firebox. Click Add.
11. Click OK on each dialog box to close it. Click Close.
12. Save the configuration.
Send an SNMP Trap for a Policy
Your XTM device can send an SNMP trap when traffic is filtered by a policy. You must have at least
one SNMP management station configured to enable SNMP traps.
1. Double-click a policy.
The Edit Policy Properties dialog box appears.
2. Select the Properties tab.
3. Click Logging.
The Logging and Notification dialog box appears.
4. Select the Send SNMP Trap check box.
5. Click OK to close the Logging and Notification dialog box.
6. Click OK to close the Edit Policy Properties dialog box.
About Management Information Bases (MIBs)
Fireware XTM supports two types of Management Information Bases (MIBs).
Standard MIBs
Standard MIBs are definitions of network and hardware events used by many different devices.
Your XTM device supports these standard MIBs:
- IF-MIB
- IP-MIB
- RFC1155 SMI-MIB
- RFC1213-MIB
- SNMPv2-MIB
- SNMPv2-SMI
- TCP-MIB
- UDP-MIB
These MIBs include information about standard network information, such as IP addresses and
network interface settings.
Enterprise MIBs
Enterprise MIBs are used to give information about events that are specific to a single
manufacturer. Your XTM device supports these enterprise MIBs:
- IPSEC-ISAKMP-IKE-DOI-TC
- WATCHGUARD-CLIENT-MIB
- WATCHGUARD-INFO-SYSTEM-MIB
- WATCHGUARD-IPSEC-ENDPOINT-PAIR-MIB
- WATCHGUARD-IPSEC-SA-MON-MIB-EXT
- WATCHGUARD-IPSEC-TUNNEL-MIB
- WATCHGUARD-POLICY-MIB
- WATCHGUARD-PRODUCTS-MIB
- WATCHGUARD-SMI
- WATCHGUARD-SYSTEM-CONFIG-MIB
- WATCHGUARD-SYSTEM-STATISTICS-MIB
These MIBs include more specific information about device hardware.
If you want to install all MIBs, you must run the Fireware XTM OS installer for all XTM models you use.
You can find the Fireware XTM OS installer on the WatchGuard Portal.
About WatchGuard Passphrases, Encryption Keys,
and Shared Keys
As part of your network security solution, you use passphrases, encryption keys, and shared keys.
This topic includes information about most of the passphrases, encryption keys, and shared keys you
use for WatchGuard products. It does not include information about third-party passwords or
passphrases. Information about restrictions for passphrases, encryption keys, and shared keys is also
included in the related procedures.
Create a Secure Passphrase, Encryption Key, or Shared Key
To create a secure passphrase, encryption key, or shared key, we recommend that you:
- Use a combination of uppercase and lowercase ASCII characters, numbers, and special
characters.
- Do not use a word from standard dictionaries, even if you use it in a different sequence or in a
different language.
- Do not use a name. It is easy for an attacker to find a business name, familiar name, or the
name of a famous person.
As an additional security measure, we recommend that you change your passphrases, encryption
keys, and shared keys at regular intervals.
Device Default Account Passphrases
A Firebox or XTM device has two built-in user accounts and passphrases that you can use to connect
to your device:
Status passphrase
The built-in read-only password or passphrase that allows access to the device with the status
user account. The status user account is assigned the Device Monitor role. When you log in
with the status user account, you can review your configuration, but you cannot save changes
to the XTM device.
Configuration passphrase
The built-in read-write password or passphrase that allows an administrator full access to the
device with the admin user account. The admin user account is assigned the Device
Administrator role. You must use this passphrase to save configuration changes to your
device, or to change your device passphrases, if you do not create additional Device
Administrator user accounts.
Each of these passphrases must be at least 8 characters.
User Passphrases
You can create user names and passphrases to use with Firebox authentication and role-based
administration.
User Passphrases for Firebox authentication
After you set this user passphrase, the characters are masked and it does not appear in plain
text again. If the passphrase is lost, you must set a new passphrase. The allowed range for this
passphrase is 8–32 characters.
User Passphrases for role-based administration
After you set this user passphrase, it does not appear again in the User and Group Properties
dialog box. If the passphrase is lost, you must set a new passphrase. This passphrase must be
at least 8 characters.
Server Passphrases
Administrator passphrase
The Administrator passphrase is used to control access to the WatchGuard Server Center. You
also use this passphrase when you connect to your Management Server from WatchGuard
System Manager (WSM). This passphrase must be at least 8 characters. The Administrator
passphrase is associated with the user name admin.
Authentication server shared secret
The shared secret is the key the XTM device and the authentication server use to secure the
authentication information that passes between them. The shared secret is case-sensitive and
must be the same on the XTM device and the authentication server. RADIUS, SecurID, and
VASCO authentication servers all use a shared key.
Encryption Keys and Shared Keys
Log Server encryption key
The encryption key is used to create a secure connection between the XTM device and the Log
Servers, and to avoid man-in-the-middle attacks. The allowed range for the encryption key is
8–32 characters. You can use all characters except spaces and slashes (/ or \).
Backup/Restore encryption key
This is the encryption key you create to encrypt a backup file of your XTM device configuration.
When you restore a backup file, you must use the encryption key you selected when you
created the configuration backup file. If you lose or forget this encryption key, you cannot
restore the backup file. The encryption key must be at least 8 characters, and cannot be more
than 15 characters.
VPN shared key
The shared key is a passphrase used by two devices to encrypt and decrypt the data that goes
through the tunnel. The two devices use the same passphrase. If the devices do not have the
same passphrase, they cannot encrypt and decrypt the data correctly.
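The passphrases and keys above each carry their own length limits and, for the Log Server key, a set of forbidden characters, on top of the general advice to mix character classes and avoid dictionary words and names. The following is an added example, not WatchGuard code: it encodes those rules in one table so that secrets can be validated before they are typed into a dialog, and generates secrets with the `secrets` module that satisfy them. The rule-table key names and the small word list are assumptions made for the example; a real check would use a full dictionary.

```python
"""Validate and generate WatchGuard passphrases and keys against the limits in this topic.

Added example; not WatchGuard code. KEY_RULES encodes the limits stated above:
(minimum length, maximum length or None, characters that are not allowed).
The rule names and the short DICTIONARY are assumptions for this example.
"""
import secrets
import string
from typing import Dict, Iterable, List, Optional, Tuple

KEY_RULES: Dict[str, Tuple[int, Optional[int], str]] = {
    "status_passphrase": (8, None, ""),
    "configuration_passphrase": (8, None, ""),
    "user_auth_passphrase": (8, 32, ""),          # Firebox authentication users
    "rba_user_passphrase": (8, None, ""),         # role-based administration users
    "administrator_passphrase": (8, None, ""),    # WatchGuard Server Center admin
    "log_server_key": (8, 32, " /\\"),            # no spaces or slashes
    "backup_key": (8, 15, ""),                    # backup/restore encryption key
}

# Constructed stand-in for a real word list; names and product words included on purpose.
DICTIONARY = {"password", "watchguard", "firebox", "admin", "secret", "summer", "welcome"}

_CLASSES = (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)


def check_secret(kind: str, value: str, dictionary: Iterable[str] = DICTIONARY) -> List[str]:
    """Return the rules `value` breaks for the given kind of secret; [] means it passes."""
    minimum, maximum, forbidden = KEY_RULES[kind]
    problems: List[str] = []
    if len(value) < minimum:
        problems.append(f"shorter than {minimum} characters")
    if maximum is not None and len(value) > maximum:
        problems.append(f"longer than {maximum} characters")
    if not value.isascii():
        problems.append("contains non-ASCII characters")
    bad = sorted({c for c in value if c in forbidden})
    if bad:
        problems.append("contains disallowed characters: " + "".join(bad))
    if not all(any(test(c) for c in value) for test in _CLASSES):
        problems.append("needs uppercase, lowercase, digit and special characters")
    lowered = value.lower()
    for word in dictionary:
        # Also catch the word written backwards ("a different sequence").
        if len(word) >= 4 and (word in lowered or word[::-1] in lowered):
            problems.append(f"contains dictionary word {word!r}")
    return problems


def generate_secret(kind: str, length: Optional[int] = None) -> str:
    """Generate a random secret of the given kind that passes check_secret."""
    minimum, maximum, forbidden = KEY_RULES[kind]
    if length is None:
        length = maximum if maximum is not None and maximum < 20 else 20
    if length < minimum or (maximum is not None and length > maximum):
        raise ValueError(f"length {length} outside {minimum}..{maximum} for {kind}")
    alphabet = [c for c in string.ascii_letters + string.digits + string.punctuation
                if c not in forbidden]
    while True:  # retry until every character class is present and no word matches
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_secret(kind, candidate):
            return candidate


if __name__ == "__main__":
    print(check_secret("backup_key", "Tr0ub4dor&3xtra!!"))   # too long for a backup key
    print(check_secret("log_server_key", "abc/DEF12345!"))   # slash is not allowed
    for kind in KEY_RULES:
        print(kind, generate_secret(kind))
```

The backup key is the one to generate and record with particular care: the text above is explicit that a backup image cannot be restored without it, and its 15-character ceiling is the tightest limit in the table.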
Define Device Global Settings
From Policy Manager, you can specify the settings that control the actions of many Firebox or
XTM device features. You can configure the basic parameters for:
- ICMP error handling
- TCP SYN checking
- TCP connection idle timeout
- TCP maximum size adjustment
- Traffic management and QoS
- Web UI port
- External console connections through the serial port
- Automatic device reboot
To configure the global settings:
1. Select Setup > Global Settings.
The Global Settings dialog box appears.
2. On the General tab, configure settings for these global categories, as described in the
subsequent sections:
- Web UI Port
- Automatic Reboot
- Device Feedback
3. On the Networking tab, configure settings for these global categories, as described in the
subsequent sections:
- ICMP Error Handling
- TCP Settings
- Traffic Management and QoS
- Traffic Flow
4. Click OK.
5. Save the configuration file to your device.
Change the Web UI Port
By default, Fireware XTM Web UI uses port 8080.
To change the default port:
1. In the Web UI Port text box, type or select a different port number.
2. Use the new port to connect to Fireware XTM Web UI and test the connection with the new
port.
Automatic Reboot
You can schedule your XTM device to automatically reboot at the day and time you specify.
To schedule an automatic reboot for your device:
1. Select the Schedule time for reboot check box.
2. In the adjacent drop-down list, select Daily to reboot at the same time every day or select a day
of the week for a weekly reboot.
3. In the adjacent text boxes, type or select the hour and minute of the day (in 24-hour time format)
that you want the reboot to start.
Device Feedback
When you create a new configuration file for your XTM device, or upgrade your XTM device to Fireware
XTM OS v11.7.3 or higher, by default, your XTM device is configured to send feedback to
WatchGuard. This feedback helps WatchGuard to improve products and features. It includes
information about how your device is used and issues you encounter with your XTM device, but does
not include any information about your company or any company data that is sent through the XTM
device. Because of this, your device data is anonymous. All device feedback that is sent to
WatchGuard is encrypted.
This feature is only available for XTM devices that run Fireware XTM v11.7.3 or
higher.
WatchGuard uses the information from the device feedback data to understand the geographic
distribution of Fireware XTM OS versions. The data WatchGuard collects includes summarized
information about which features and services are used on XTM devices, about threats that are
intercepted, and about device health and performance. This information helps WatchGuard to better
determine which areas of the product to enhance to provide the most benefits to customers and users.
When device feedback is enabled, feedback is sent to WatchGuard once every six days and each time
the device reboots.
Device feedback includes this information:
- Device details
  - XTM device serial number
  - Fireware XTM OS version and build number
  - Firebox or XTM device model
  - Device uptime since the last restart
- Device sizing details
  - Count of policies
  - Number of enabled interfaces
  - Number of BOVPN tunnels
  - Number of VLANs
  - Configuration file size
- Performance details
  - Maximum number of sessions
  - Maximum number of proxy connections
  - Maximum CPU usage
  - Maximum memory usage
- Feature usage details
  - Whether the device is under Centralized Management and the management mode for the device
  - The number of Access Points (AP) configured on the device
  - The authentication options configured on the device
  - Whether the device is a member of a FireCluster and in Active/Active or Active/Passive mode
  - Whether the VoIP security feature is enabled
  - Whether Intrusion Prevention Service (IPS) is enabled
  - The logging options configured on the device
- Security Services details
  - Intrusion Prevention Service (IPS)
  - Gateway AntiVirus (GAV)
  - WebBlocker
  - spamBlocker
  - Data Loss Prevention (DLP)
  - APT Blocker
- Access Point details
  - Whether the Gateway Wireless Controller is enabled
  - The number of AP devices configured on the device
  - The number of SSIDs configured on the device
  - Whether the Wireless Hotspot is enabled
Use of the device feedback feature is entirely voluntary. You can disable it at any time.
To disable device feedback:
Clear the Send device feedback to WatchGuard check box.
Define ICMP Error Handling Global Settings
Internet Control Message Protocol (ICMP) error messages report problems with connections. They are used to:
- Tell client hosts about error conditions
- Probe a network to find general characteristics about the network
The XTM device sends an ICMP error message each time an event occurs that matches one of the
parameters you selected. These messages are good tools to use when you troubleshoot problems, but
can also decrease security because they expose information about your network. If you deny these
ICMP messages, you can increase security if you prevent network probes, but this can also cause
timeout delays for incomplete connections, which can cause application problems.
Settings for global ICMP error handling are:
Fragmentation Req (PMTU)
Select this check box to allow ICMP Fragmentation Required messages. Hosts use these
messages to discover the path MTU; if they are blocked, large packets sent with the Don't
Fragment bit set are silently dropped.
Time Exceeded
Select this check box to allow ICMP Time Exceeded messages. A router sends these messages
when the TTL of a packet reaches zero, which usually indicates a route loop; traceroute also
relies on them.
Network Unreachable
Select this check box to allow ICMP Network Unreachable messages. A router usually sends
these messages when a network link is broken.
Host Unreachable
Select this check box to allow ICMP Host Unreachable messages. A router usually sends
these messages when it cannot deliver packets to the destination host.
Port Unreachable
Select this check box to allow ICMP Port Unreachable messages. A host or firewall usually
sends these messages when a network service is not available or is not allowed.
Protocol Unreachable
Select this check box to allow ICMP Protocol Unreachable messages.
To override these global ICMP settings for a specific policy, from Policy Manager:
1. On the Firewall tab, select the specific policy.
2. Double-click the policy to edit it.
The Edit Policy Properties dialog box appears.
3. Select the Advanced tab.
4. From the ICMP Error Handling drop-down list, select Specify setting.
5. Click ICMP Setting.
The ICMP Error Handling Settings dialog box appears.
6. Select only the check boxes for the settings you want to enable.
7. Click OK.
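The settings above are a trade-off between diagnostics and disclosure, and the procedure lets a policy's own ICMP settings replace the global ones. The script below is an added example, not WatchGuard code and not the device's implementation: it parses a raw ICMP message (with checksum verification), maps the type and code to the named settings, and reports whether the message would be allowed under a global settings table or a per-policy override. The setting names and the two constructed settings tables (PERMISSIVE and HARDENED) are assumptions made for the example. HARDENED keeps only Fragmentation Required enabled, because dropping those messages breaks path MTU discovery for every client behind a PPPoE or VPN path.

```python
"""Apply ICMP Error Handling settings (global or per-policy) to raw ICMP messages.

Added example for this section; not WatchGuard code. Setting names and the two
settings tables are assumptions made for the example.
"""
import struct
from typing import Dict, Optional, Tuple

# (ICMP type, code) pairs for the error messages the global settings name.
ICMP_SETTING_FOR: Dict[Tuple[int, int], str] = {
    (3, 4): "fragmentation_req",    # Destination Unreachable: fragmentation needed, DF set (PMTU)
    (11, 0): "time_exceeded",       # TTL exceeded in transit
    (11, 1): "time_exceeded",       # fragment reassembly time exceeded
    (3, 0): "network_unreachable",
    (3, 1): "host_unreachable",
    (3, 2): "protocol_unreachable",
    (3, 3): "port_unreachable",
}

# Constructed settings tables: allow everything, or allow only PMTU discovery.
PERMISSIVE: Dict[str, bool] = {name: True for name in set(ICMP_SETTING_FOR.values())}
HARDENED: Dict[str, bool] = {name: False for name in PERMISSIVE}
HARDENED["fragmentation_req"] = True  # blocking these black-holes large packets


def icmp_checksum(data: bytes) -> int:
    """RFC 792 checksum: ones' complement of the ones' complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_error(icmp_type: int, code: int, original: bytes = b"") -> bytes:
    """Build an ICMP error message; `original` is the offending IP header plus 8 bytes."""
    body = b"\x00\x00\x00\x00" + original  # 4 unused bytes, then the quoted datagram
    header = struct.pack("!BBH", icmp_type, code, 0)
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(header + body)) + body


def parse_icmp(message: bytes) -> Tuple[int, int]:
    """Return (type, code); reject truncated messages and bad checksums."""
    if len(message) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    if icmp_checksum(message) != 0:  # a valid message sums to zero with its checksum included
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _checksum = struct.unpack("!BBH", message[:4])
    return icmp_type, code


def icmp_error_allowed(message: bytes, global_settings: Dict[str, bool],
                       policy_settings: Optional[Dict[str, bool]] = None) -> Optional[bool]:
    """True/False for the error types the settings govern; None for any other ICMP message.

    When a policy carries its own settings they replace the global ones for that policy.
    """
    setting = ICMP_SETTING_FOR.get(parse_icmp(message))
    if setting is None:
        return None
    effective = policy_settings if policy_settings is not None else global_settings
    return bool(effective.get(setting, False))


if __name__ == "__main__":
    port_unreach = build_icmp_error(3, 3)
    print("port unreachable, hardened global:", icmp_error_allowed(port_unreach, HARDENED))
    print("port unreachable, policy override:",
          icmp_error_allowed(port_unreach, HARDENED, {"port_unreachable": True}))
    print("frag required, hardened global:", icmp_error_allowed(build_icmp_error(3, 4), HARDENED))
    print("echo request (not governed):", icmp_error_allowed(build_icmp_error(8, 0), HARDENED))
```

Port Unreachable is the message a port scanner reads to tell a closed UDP port from a filtered one, which is why a hardened table turns it off while a per-policy override can re-enable it for a service whose clients need the fast failure.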
Configure TCP Settings
Enable TCP SYN checking
To enable TCP SYN checking to make sure that the TCP three-way handshake is completed
before the XTM device allows a data connection, select this option.
TCP connection idle timeout
The amount of time that the TCP connection can be idle before a connection timeout occurs.
Specify a value in seconds, minutes, hours, or days. The default setting is 3600 seconds.
You can also configure a custom idle timeout for an individual policy. For more information, see
Set a Custom Idle Timeout on page 756.
If you configure this global idle timeout setting and also enable a custom idle timeout for a
policy, the custom idle timeout setting takes precedence over the global idle timeout setting for
only that policy.
TCP maximum segment size control
The TCP maximum segment size (MSS) can be limited for connections that carry additional
encapsulation overhead (for example, PPPoE, ESP, or AH). If the MSS is not adjusted for this
overhead, full-size segments can be dropped in transit and users cannot get access to some web sites.
The global TCP maximum segment size adjustment settings are:
- Auto Adjustment— The XTM device examines all maximum segment size (MSS) negotiations and changes the MSS value to the applicable one.
- No Adjustment— The XTM device does not change the MSS value.
- Limit to— Type or select a size adjustment limit.
Enable or Disable Traffic Management and QoS
For performance testing or network debugging purposes, you can disable the Traffic Management and
QoS features.
To enable these features:
Select the Enable all traffic management and QoS features check box.
To disable these features:
Clear the Enable all traffic management and QoS features check box.
Manage Traffic Flow
By default, your XTM device does not close active connections when you modify a static NAT action
used by a policy. You can override this default setting and enable your XTM device to close any active
connections through a policy that uses an SNAT action that you modify.
To override the default Traffic Flow setting and enable this feature, in the Traffic Flow section:
Select the When an SNAT action changes, clear active connections that use that SNAT
action check box.
Configure Fireware XTM OS Compatibility
Some features are supported only in Fireware XTM v11.9, or operate very differently in Fireware
XTM v11.9 than in previous versions. Because Policy Manager can manage devices that use different
versions of Fireware XTM OS, you must select the Fireware XTM version the device uses before you
configure some features.
To configure OS compatibility:
1. Select Setup > OS Compatibility.
The OS Compatibility dialog box appears.
2. In the For Fireware XTM version drop-down list, select the OS version that the XTM device
uses.
3. Click OK.
If you have not yet configured the OS compatibility setting, and attempt to configure a feature that
requires a specific Fireware XTM version, the OS Compatibility dialog box appears automatically. You
must select the Fireware XTM version before you can configure the feature.
For more information about features changed or added in each OS version, see the product Release
Notes available with your Fireware XTM OS software download.
Manage an XTM Device From a Remote Location
When you configure an XTM device with the Quick Setup Wizard, the WatchGuard policy is created
automatically. This policy allows you to connect to and administer the XTM device from any computer
on the trusted or optional networks. To manage the XTM device from a remote location (any location
external to the XTM device), you must modify the WatchGuard policy to allow administrative
connections from the IP address of your remote location.
The WatchGuard policy controls access to the XTM device on these TCP ports: 4105, 4117, 4118.
When you allow connections in the WatchGuard policy, you allow connections to each of these ports.
Before you modify the WatchGuard policy, we recommend that you consider connecting to the XTM
device with a VPN. This greatly increases the security of the connection. If this is not possible, we
recommend that you allow access from the external network to only certain authorized users and to the
smallest number of computers possible. For example, your configuration is more secure if you allow
connections from a single computer instead of from the alias Any-External.
1. Double-click the WatchGuard policy.
Or, right-click the WatchGuard policy and select Modify Policy.
The Edit Policy Properties dialog box appears.
2. In the From section, click Add.
The Add Address dialog box appears.
3. To add the IP address of the external computer that connects to the XTM device, click Add
Other, make sure Host IP is the selected type, and type the IP address.
4. To give access to an authorized user, in the Add Address dialog box, click Add User.
The Add Authorized Users or Groups dialog box appears.
For information about how to create an alias, see Create an Alias on page 732.
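Both the SNMP policy added earlier (SNMP server to Firebox) and the WatchGuard policy edited here (administrative access on TCP 4105, 4117 and 4118) are management-plane policies whose From list should name specific hosts rather than Any-External. The script below is an added example, not WatchGuard code and not a reader of real configuration files: it audits a policy's From and To members as the two procedures describe them and builds the From list for a single remote administrator. The policy dictionary layout and the alias names other than Any-External and Firebox are assumptions made for the example.

```python
"""Audit the source members of the SNMP and WatchGuard policies for over-broad access.

Added example for the two procedures above; not WatchGuard code. The policy
dict layout ({"name", "from", "to"}) and aliases other than Any-External and
Firebox are assumptions made for this example.
"""
import ipaddress
from typing import Any, Dict, List

WATCHGUARD_POLICY_PORTS = (4105, 4117, 4118)

# Aliases that admit the whole Internet. Any-Trusted and Any-Optional are the
# WatchGuard policy's defaults and are deliberately not flagged.
OPEN_ALIASES = {"Any", "Any-External"}


def classify_member(member: str) -> str:
    """Return 'user', 'host', 'network' or 'alias' for one From-list entry."""
    if member.startswith("user:") or member.startswith("group:"):
        return "user"
    try:
        network = ipaddress.ip_network(member, strict=False)
    except ValueError:
        return "alias"
    return "host" if network.num_addresses == 1 else "network"


def audit_policy_sources(policy: Dict[str, Any]) -> List[str]:
    """Findings for a policy that should admit only specific management hosts."""
    findings: List[str] = []
    name = policy["name"]
    for member in policy["from"]:
        kind = classify_member(member)
        if kind == "alias" and member in OPEN_ALIASES:
            findings.append(f"{name}: From includes {member}; allow single Host IPs instead")
        elif kind == "network":
            findings.append(f"{name}: From includes network {member}; prefer a single Host IP")
    if list(policy["to"]) != ["Firebox"]:
        findings.append(f"{name}: To should contain only Firebox")
    return findings


def remote_admin_sources(current_from: List[str], remote_ip: str) -> List[str]:
    """Return the From list with one external administrator host added.

    Rejects networks so that the policy admits the single computer the section
    recommends, and drops any open alias already present.
    """
    if ipaddress.ip_network(remote_ip, strict=False).num_addresses != 1:
        raise ValueError("remote admin source must be a single host address")
    return [m for m in current_from if m not in OPEN_ALIASES] + [remote_ip]


if __name__ == "__main__":
    # Constructed policies: the default WatchGuard policy widened to Any-External, and an SNMP policy.
    watchguard = {"name": "WatchGuard", "from": ["Any-Trusted", "Any-Optional", "Any-External"],
                  "to": ["Firebox"]}
    snmp = {"name": "SNMP", "from": ["192.0.2.10"], "to": ["Firebox"]}
    for policy in (watchguard, snmp):
        print(audit_policy_sources(policy) or [f"{policy['name']}: ok"])
    print(remote_admin_sources(watchguard["from"], "198.51.100.7"))
```

Adding an authorized user with Add User narrows who may connect, but the Host IP still bounds where from; a VPN, as the section recommends, removes the external exposure of the three management ports altogether.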
Upgrade to a New Version of Fireware XTM
Periodically, WatchGuard makes new versions of WatchGuard System Manager (WSM) and Fireware
XTM OS available to XTM device users with active LiveSecurity subscriptions. To upgrade from one
version of WSM and Fireware XTM OS to a new version of WSM and Fireware XTM OS, use the
procedures in the subsequent sections.
Install the Upgrade on Your Management Computer
To install an upgrade of WatchGuard System Manager and the Fireware XTM OS installation file:
1. Download the updated Fireware XTM and WatchGuard System Manager software from the
WatchGuard Portal on the WatchGuard web site at http://www.watchguard.com.
2. Back up your current XTM device configuration file and Management Server configuration files.
For more information on how to create a backup image of your XTM device configuration, see
Make a Backup of the XTM Device Image on page 60.
To back up the settings on your Management Server, see Back Up or Restore the Management
Server Configuration on page 980.
3. Use Windows Add or Remove Programs to uninstall the currently installed versions of
WatchGuard System Manager and Fireware XTM OS. You can have more than one version of
the WatchGuard System Manager client software installed on your management computer, but
only one version of WSM server software.
For more information, see Install WSM and Keep an Older Version on page 44.
4. Start the installer file or files that you downloaded from the LiveSecurity web site.
5. Follow the instructions in the installer to install the Fireware XTM OS upgrade file on your
management computer.
Upgrade the XTM Device
1. To save the upgrade to the XTM device, use Policy Manager to open your XTM device
configuration file.
If the device uses an OS version older than v11.x, WatchGuard System Manager detects that the
configuration file is for an older version, and displays an upgrade dialog box.
2. Click Yes to upgrade the configuration file.
3. Follow the on-screen instructions to convert the configuration file to the newer version.
The upgrade dialog box looks different if you have multiple versions of WatchGuard
System Manager installed on your management computer. For more information, see
Use Multiple Versions of Policy Manager on page 118.
If you do not see the upgrade dialog box when you open Policy Manager:
1. Select File > Upgrade.
The Upgrade dialog box appears.
2. Type the configuration passphrase. Click OK.
The default path to the upgrade image appears.
3. If you want to install an upgrade from a different location, click Browse to change the path to the
upgrade image.
4. Click OK.
An upgrade confirmation message appears.
5. Click Yes to upgrade now.
A prompt that asks if you want to create a backup image appears.
We recommend that you always create a backup image before you upgrade. You
must have the backup image and the associated encryption key if you want to
downgrade the device to the previous version and configuration in the future. For
more information about the backup image, see Make a Backup of the XTM Device
Image.
6. Click Yes to create a backup image if you do not already have one.
7. Type and confirm the Encryption Key for the backup image.
8. Click Browse if you want to change the location to save the backup image.
9. Click OK to create the backup image.
Policy Manager creates the backup image, and then upgrades the Fireware XTM OS on the device.
The upgrade procedure can take up to 15 minutes and automatically reboots the XTM device.
If your XTM device has been in operation for some time before you upgrade, you might have to restart
the device before you start the upgrade to clear the temporary memory.
Use Multiple Versions of Policy Manager
In WatchGuard System Manager v11.x, if you open a configuration file created by an older version of
Policy Manager, and if the older version of WatchGuard System Manager is also installed on the
management computer, the Upgrade Available dialog box appears. You can choose to launch the
older version of Policy Manager or to upgrade the configuration file to the newer version.
If you do not want WatchGuard System Manager to display this dialog box when you open an older
configuration file, select the Do not show this message again check box.
To enable the Upgrade Available dialog box if you disabled it:
1. In WatchGuard System Manager, select Edit > Options.
The Options dialog box appears.
2. Select the Show upgrade dialog when launching Policy Manager check box.
3. Click OK.
Downgrade Fireware XTM OS
Use these procedures to downgrade the version of Fireware XTM OS to an earlier version.
It is not necessary to downgrade WatchGuard System Manager when you
downgrade Fireware XTM OS, because WatchGuard System Manager can manage
XTM devices that use earlier versions of Fireware XTM OS.
Use a Saved Backup Image to Downgrade
The recommended method to downgrade an XTM device to an older version of Fireware XTM OS is to
use the saved backup image that you created before the most recent Fireware XTM OS upgrade on the
device. If you have a backup image, there are two procedures you can use to downgrade an
XTM device to an earlier version of Fireware XTM OS:
- Restore the full backup image you created for the device before the last Fireware XTM OS upgrade.
  For more information, see Restore an XTM Device Backup Image.
- Use the USB backup file you created before the upgrade as your auto-restore image on a USB drive.
  For more information, see Automatically Restore a Backup Image from a USB Drive.
Downgrade Without a Backup Image
If you do not have a backup image for your XTM device, there are two other methods you can use to
downgrade Fireware XTM OS to an earlier version:
- Use the Quick Setup Wizard in WatchGuard System Manager to downgrade an XTM device in recovery mode.
  This downgrade requires that you create a new basic configuration. It removes the feature key
  and certificates. After the downgrade, you can use Policy Manager to save a different
  configuration file to the device.
  For more information, see Use the Quick Setup Wizard to Downgrade Fireware XTM OS.
- Use the Upgrade feature in the Fireware XTM Web UI to install an older version of Fireware XTM OS.
  Use this method only to downgrade a device from Fireware XTM OS v11.7 or later. Because
  newer features are not all compatible with older OS versions, this downgrade procedure resets
  the configuration to factory-default settings. It does not change the device passphrases and
  does not remove the feature keys and certificates.
If you use the Web UI Upgrade feature to downgrade, the device configuration is
reset to factory-default settings.
For more information, see the Fireware XTM Web UI Help or User Guide.
Use the Quick Setup Wizard to Downgrade Fireware XTM OS
You can use the Quick Setup Wizard in WatchGuard System Manager to downgrade the version of
Fireware XTM on a Firebox or XTM device in recovery mode. When you use the Quick Setup Wizard to
configure a device in recovery mode, the Quick Setup Wizard finds the latest version of Fireware
XTM OS installed on the management computer and installs that version of Fireware XTM OS on the
device, regardless of the version that is currently installed. The Quick Setup Wizard removes all
existing settings, certificates, and feature keys. You can use this procedure to downgrade the version
of Fireware XTM on a device if you do not have a saved backup image.
If you have a saved backup image, the recommended method to downgrade a device
to an earlier version of Fireware XTM OS is to restore the device backup image. For
more information, see Downgrade Fireware XTM OS.
Step 1 — Save the Current Configuration File
If you do not have a saved configuration file that you want to use after the downgrade, use Policy
Manager to save the current device configuration to a file before you downgrade. You can edit the
configuration file and save it to the device after the downgrade.
Step 2 — Uninstall Newer Versions of Fireware XTM OS
If you want to use the Quick Setup Wizard to install an older version of Fireware XTM OS, you must
uninstall any newer versions of Fireware XTM OS from the management computer. You also must
make sure that the latest installed version of Fireware XTM on the management computer is the one
you want to downgrade to. Do not uninstall WatchGuard System Manager.
1. In Windows Control Panel, find the list of installed programs.
For each version of Fireware XTM OS you have installed for each XTM device model there is a
separate WatchGuard Fireware XTM OS program.
2. Find the installed program called WatchGuard Fireware XTM OS for the XTM device model
you want to downgrade.
3. For your Firebox or XTM device model, uninstall any Fireware XTM OS version newer than the
one you want to downgrade to.
4. Verify that the latest installed version of Fireware XTM OS is the version you want to install on
the device.
5. If necessary, download and install the older version of Fireware XTM OS on your management
computer. You can download the Fireware XTM OS installer from the WatchGuard Portal on the
WatchGuard web site at http://www.watchguard.com.
Step 3 — Start the XTM Device in Recovery Mode
To start an XTM device with an LCD display in recovery mode:
1. Power off the XTM device.
2. Press the up arrow on the device front panel while you turn the power on.
3. Keep the button depressed until "Recovery Mode starting" appears on the LCD display.
To start an XTM 2 Series, XTM 33, or Firebox T10 device in recovery mode:
1. Disconnect the power supply.
2. Press and hold the Reset button on the back of the device.
3. Connect the power supply while you continue to hold down the Reset button.
4. After 10 seconds, release the Reset button.
When the device is in recovery mode, it is ready to be discovered by the WSM Quick Setup Wizard.
Step 4 — Run the WSM Quick Setup Wizard
After you start the device in recovery mode, you can use the WSM Quick Setup Wizard to downgrade
it.
1. Connect the management computer to device interface 1.
2. In WatchGuard System Manager, select Tools > Quick Setup Wizard.
3. Select Yes, my device is ready to be discovered.
4. Click Next to start device discovery.
5. Provide the information to create a basic device configuration. For a description of the
configuration steps, see Run the WSM Quick Setup Wizard.
The final page of the Quick Setup Wizard shows the version of Fireware XTM installed on the device.
After the device restarts, it uses a basic configuration that includes five policies (TCP and UDP
outgoing, FTP packet filter, ping, WatchGuard, and WatchGuard Web UI) and the interface IP
addresses you specified. You can use Policy Manager to change this basic configuration or to save an
existing configuration file to the device, as described in the next section.
Step 5 — Save a Configuration File to the Downgraded Device
After you downgrade the device, you can use Policy Manager to save an existing configuration file to
the device. Before you save a configuration file to the device, make sure that you disable any features
that are not supported on the version of Fireware XTM installed on the device.
1. Open the saved configuration file you want to use in Policy Manager.
2. Make sure the configuration file has the correct feature key for this device.
3. Disable any features that are not supported in the version of Fireware XTM installed on the
device. For example, if you downgrade from Fireware XTM OS v11.7.x to Fireware
XTM OS v11.6.x, you must disable Link Aggregation, Mobile VPN with L2TP, WebBlocker with
Websense, and other features not supported in Fireware XTM v11.6.x.
4. Save the configuration file to the device.
If the configuration file you save has an enabled feature that is not supported by the version of Fireware
XTM on the device, Policy Manager shows an error message to tell you about the feature that is not
supported. You must disable the feature before you can save the configuration file to the device.
Step 6 — Reinstall XTM Device Certificates
When you use the Quick Setup Wizard for a device in recovery mode, any certificates installed on the
device are removed. If your device had certificates installed, you must reinstall any certificates on the
device after the downgrade. For more information, see Manage XTM Device Certificates.
About Upgrade Options
You can add upgrades to your XTM device to enable additional subscription services, features, and
capacity.
For a list of available upgrade options, see www.watchguard.com/products/options.asp.
Subscription Services Upgrades
Application Control
Enables you to monitor and control the use of applications on your network.
For more information, see About Application Control.
WebBlocker
Enables you to control access to web content based on content categories.
For more information, see About WebBlocker on page 1807.
spamBlocker
Enables you to filter spam and bulk email.
For more information, see About spamBlocker on page 1897.
Intrusion Prevention Service (IPS)
Enables you to prevent intrusion attempts by hackers.
For more information, see About Intrusion Prevention Service.
Gateway AntiVirus
Enables you to identify and block known spyware and viruses.
For more information, see About Gateway AntiVirus on page 1925.
Reputation Enabled Defense
Enables you to control access to web sites based on their reputation score.
For more information, see About Reputation Enabled Defense.
Data Loss Prevention
Enables you to detect, monitor, and prevent accidental unauthorized transmission of
confidential information outside your network or across network boundaries.
For more information, see About Data Loss Prevention.
Appliance and Software Upgrades
Pro
The Pro upgrade to Fireware XTM provides several advanced features for experienced
customers, such as server load balancing and additional SSL VPN tunnels. The features
available with a Pro upgrade depend on the type and model of your XTM device.
For more information, see Fireware XTM with a Pro Upgrade on page 15.
Model upgrades
For some XTM device models, you can purchase a license key to upgrade the device to a higher
model in the same product family. A model upgrade gives your XTM device the same functions
as a higher model.
To compare the features and capabilities of different XTM device models, go to
http://www.watchguard.com/products/compare.asp.
How to Apply an Upgrade
When you purchase an upgrade, you register the upgrade on the WatchGuard LiveSecurity web site.
Then you download a feature key that enables the upgrade on your XTM device.
For information about feature keys, see About Feature Keys on page 88.
About Subscription Services Expiration and Renewal
The XTM subscription services need regular updates to operate effectively. The subscription services
are:
- Gateway AntiVirus
- Intrusion Prevention Service
- WebBlocker
- spamBlocker
- Reputation Enabled Defense
- Application Control
- Data Loss Prevention
- APT Blocker
In addition, an initial LiveSecurity subscription is activated when you register your product. Your
LiveSecurity subscription gives you access to technical support, software updates, and feature
enhancements. It also extends the hardware warranty of your WatchGuard device and provides
advance hardware replacement.
We recommend that you renew your subscription services before they expire. WatchGuard charges a
reinstatement fee for any subscriptions that are allowed to lapse.
Subscription Renewal Reminders
The Firebox or XTM device sends you reminders to renew your subscriptions. When you save a
configuration to your Firebox or XTM device, Policy Manager warns you if a subscription will expire.
These warnings appear 60 days before, 30 days before, 15 days before, and one day before the
expiration date.
You can also use Firebox System Manager to monitor your subscription services. If a subscription
service is about to expire or is expired, a warning appears on the front panel of Firebox System
Manager and Renew Now appears at the upper-right corner of the window. Click Renew Now to go to
the LiveSecurity Service web site to renew the subscription.
In the Fireware XTM Web UI, you can see the subscription service expiration dates in the License
Information section of the System page.
Feature Key Compliance
When you save a configuration to the device from Policy Manager (File > Save > To Firebox), Policy
Manager checks to see if any configured services are expired. You cannot save any configuration
changes from Policy Manager to the Firebox or XTM device when a configured subscription service is
expired. If you try to save a configuration to the device, the Feature Key Compliance dialog box
appears, with a list of all configured services that are expired. You must either add a feature key with a
later expiration date for the expired services, or you must select each service and click Disable to
disable the service. After you disable the expired services, Policy Manager saves the updated
configuration to the device.
If the LiveSecurity subscription on your device is expired, you can save configuration changes to the
device, but you cannot upgrade or reinstall any version of Fireware XTM OS on the device.
Security Service Expiration Behavior
When a subscription service expires, that service does not operate, and the configuration options are
disabled. The specific expiration behaviors for each subscription service are described below.
Gateway AntiVirus
When the Gateway AntiVirus subscription expires:
- Gateway AntiVirus signature updates stop immediately.
- Gateway AntiVirus stops detecting and blocking viruses immediately. If the device attempts a
  Gateway AV scan when Gateway AV is enabled but expired, the device takes the same action
  as when a scan error occurs, as configured in the AntiVirus proxy action settings. A scan error
  is also sent to the log file.
- Gateway AntiVirus configuration options are disabled in Policy Manager, except for the ability to
  disable Gateway AntiVirus for a policy that has it enabled.
- Gateway AntiVirus configuration options are disabled in the Fireware XTM Web UI.
Intrusion Prevention Service (IPS)
When the IPS subscription expires:
- IPS signature updates stop immediately.
- IPS stops detecting and blocking intrusions immediately.
- For Fireware XTM v11.0 - v11.3.x, if the device attempts an IPS scan when IPS is enabled but
  expired, the device allows the content and sends a scan error to the log file.
- For Fireware XTM v11.4 and later, IPS configuration options are disabled in Policy Manager.
- For Fireware XTM v11.0 - v11.3.x, IPS configuration options are disabled in Policy Manager,
  except for the ability to disable IPS for a policy that has it enabled.
- IPS configuration options are disabled in the Fireware XTM Web UI.
WebBlocker
When the WebBlocker subscription expires:
- Updates to the WebBlocker Server stop immediately.
- WebBlocker stops scanning web content immediately.
- The License Bypass setting in the WebBlocker configuration controls whether policies that
  have WebBlocker enabled allow or deny access to all web sites when WebBlocker is expired.
  By default, policies that have WebBlocker enabled deny access to all web sites when the
  WebBlocker service is expired.
  If your WebBlocker subscription expires, and you did not change the default License Bypass
  setting before the service expired, WebBlocker blocks access to all web sites. You cannot
  change the License Bypass setting after the service has expired. If your service is expired and
  WebBlocker blocks access to all web sites, you must either disable WebBlocker for each policy
  that had it enabled, or renew the WebBlocker service and import an updated feature key.
- WebBlocker configuration options are disabled in Policy Manager, except for the ability to
  disable WebBlocker for a policy that has it enabled.
- WebBlocker configuration options are disabled in the Fireware XTM Web UI.
spamBlocker
When the spamBlocker subscription expires:
- spamBlocker stops blocking spam immediately.
- spamBlocker configuration options are disabled in Policy Manager, except for the ability to
  disable spamBlocker for a policy that has it enabled.
- spamBlocker configuration options are disabled in the Fireware XTM Web UI.
Reputation Enabled Defense
When the Reputation Enabled Defense subscription expires:
- Reputation Enabled Defense stops checking reputation immediately.
- Reputation Enabled Defense configuration options are disabled in Policy Manager, except for
  the ability to disable Reputation Enabled Defense for a policy that has it enabled.
- Reputation Enabled Defense configuration options are disabled in the Fireware XTM Web UI.
Application Control
When the Application Control subscription expires:
- Application Control signature updates stop immediately.
- Application Control stops identifying and blocking applications immediately.
- Application Control configuration options are disabled in Policy Manager.
- Application Control configuration options are disabled in the Fireware XTM Web UI.
Data Loss Prevention (DLP)
When the DLP subscription expires:
- DLP signature updates stop immediately.
- DLP stops identifying DLP violations immediately.
- DLP configuration options are disabled in Policy Manager.
- DLP configuration options are disabled in the Fireware XTM Web UI.
APT Blocker
When the APT Blocker subscription expires:
- APT Blocker stops detecting and blocking APT malware immediately.
- APT Blocker configuration options are disabled in Policy Manager.
- APT Blocker configuration options are disabled in the Fireware XTM Web UI.
LiveSecurity Service
When the LiveSecurity subscription expires:
- You cannot upgrade or reinstall Fireware XTM OS on your device, even if it is a Fireware
  XTM OS version that was released before the LiveSecurity expiration date.
- WatchGuard does not provide telephone and web-based support, software updates and
  enhancements, or hardware replacement (RMA).
- All other functionality, including Fireware XTM Pro upgrade features, VPN features, logging,
  and management functions, continue to operate.
- You can manage your device and save configuration changes to your device from Policy
  Manager or the Web UI.
- You can save a backup image of your configuration from Policy Manager or the Web UI.
Subscription Expiration and FireCluster
These requirements and behaviors are the same for an active/active or an active/passive FireCluster.
- A LiveSecurity Service subscription applies to a single device, even when that device is
  configured as a member of a cluster. You must have an active LiveSecurity Service
  subscription for each device in the cluster. If the LiveSecurity subscription expires for a cluster
  member, you cannot upgrade the Fireware XTM OS on that device.
- If a subscription service is active (not expired) on at least one member of a FireCluster, you can
  configure the feature in Policy Manager and you can save configuration changes to the
  FireCluster.
- If a subscription service is expired on one member of a cluster, the combined feature key, on the
  Cluster Features tab (in Policy Manager > Setup > Feature Key), shows the service is
  expired.
The requirements for subscription service licensing and the service expiration behavior are different for
an active/passive cluster than they are for an active/active cluster. These differences apply to all
subscription services except LiveSecurity.
Active/Passive Cluster
- The active cluster member uses the configured subscription services that are active in the
  feature key of either cluster member.
- If a subscription service does not exist or is expired for both cluster members, the service is not
  active for the active cluster member. The service expiration behavior is the same as when the
  subscription service is expired for a single device.
Active/Active Cluster
- You must enable the same service subscriptions in the feature key for both devices. Each
  cluster member uses the configured subscription service only if the subscription is active (not
  expired) in its own feature key.
- If a subscription service expires on one member of an active/active cluster, the service does not
  function for that member only. For example, if a WebBlocker subscription expires on one
  member of an active/active cluster, both devices continue to handle web traffic, but the web
  requests handled by the cluster member that has an expired WebBlocker service are not filtered
  by WebBlocker.
For an active/active cluster it is very important to renew subscription services for both cluster
members for your subscription services to remain effective.
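The difference between the two cluster modes is easy to lose track of when feature keys expire on different dates. The following Python script is an added illustration, not WatchGuard code: it models the expiration rules from this section and from Feature Key Compliance on constructed sample feature keys (the member names, dates and function names are my own), so that you can see which member of an active/active cluster would pass traffic without a service running, and whether Policy Manager would still let you save the configuration.

```python
"""Model of the FireCluster subscription-expiration rules described in this
guide. Added illustration, not WatchGuard code: the feature keys below are
constructed sample data and the function names are my own."""
from datetime import date
from typing import Dict, Iterable, List

# Constructed sample feature keys (service name -> expiration date). A service
# that is missing from a key is treated as not licensed on that member.
MEMBER_KEYS: Dict[str, Dict[str, date]] = {
    "member-1": {
        "WebBlocker": date(2014, 12, 31),
        "Gateway AntiVirus": date(2014, 12, 31),
        "LiveSecurity": date(2014, 12, 31),
    },
    "member-2": {
        "WebBlocker": date(2014, 3, 31),  # lapsed before TODAY
        "Gateway AntiVirus": date(2014, 12, 31),
        "LiveSecurity": date(2014, 12, 31),
    },
}
CONFIGURED_SERVICES = ["WebBlocker", "Gateway AntiVirus"]
TODAY = date(2014, 5, 12)  # constructed reference date


def is_active(key: Dict[str, date], service: str, today: date = TODAY) -> bool:
    """A service is active (not expired) while its expiration date has not passed."""
    expires = key.get(service)
    return expires is not None and expires >= today


def effective_services(mode: str, keys: Dict[str, Dict[str, date]],
                       configured: Iterable[str],
                       today: date = TODAY) -> Dict[str, Dict[str, bool]]:
    """Which configured services actually run on each cluster member.

    active/passive: the active member uses a service that is active in the
                    feature key of either member, so one valid key covers both.
    active/active:  each member uses a service only if it is active in its
                    own key, so a lapsed key leaves that member's traffic
                    unfiltered while the other member keeps filtering.
    """
    configured = list(configured)
    if mode == "active/passive":
        pooled = {svc: any(is_active(k, svc, today) for k in keys.values())
                  for svc in configured}
        return {name: dict(pooled) for name in keys}
    if mode == "active/active":
        return {name: {svc: is_active(k, svc, today) for svc in configured}
                for name, k in keys.items()}
    raise ValueError(f"unknown cluster mode: {mode}")


def can_save_configuration(keys: Dict[str, Dict[str, date]],
                           configured: Iterable[str], today: date = TODAY) -> bool:
    """Policy Manager saves to the cluster only if every configured service is
    active on at least one member; otherwise the Feature Key Compliance dialog
    blocks the save until the service is renewed or disabled."""
    return all(any(is_active(k, svc, today) for k in keys.values())
               for svc in configured)


def can_upgrade_os(keys: Dict[str, Dict[str, date]], member: str,
                   today: date = TODAY) -> bool:
    """LiveSecurity is per device: an OS upgrade on a member needs that
    member's own LiveSecurity subscription to be active."""
    return is_active(keys[member], "LiveSecurity", today)


def unfiltered_members(keys: Dict[str, Dict[str, date]],
                       configured: Iterable[str], today: date = TODAY) -> List[str]:
    """Members of an active/active cluster that would pass traffic for a
    configured service without that service running: the case to watch for."""
    status = effective_services("active/active", keys, configured, today)
    return sorted(name for name, svcs in status.items() if not all(svcs.values()))


if __name__ == "__main__":
    for mode in ("active/passive", "active/active"):
        print(mode, effective_services(mode, MEMBER_KEYS, CONFIGURED_SERVICES))
    print("save allowed:", can_save_configuration(MEMBER_KEYS, CONFIGURED_SERVICES))
    print("unfiltered in active/active:",
          unfiltered_members(MEMBER_KEYS, CONFIGURED_SERVICES))
```

With the sample keys, the active/passive model reports WebBlocker as running on both members, while the active/active model reports member-2 as unfiltered, even though Policy Manager would still allow the configuration to be saved because the service is active on member-1. That combination (save succeeds, one member unprotected) is why renewal on both members matters for active/active clusters.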
Synchronize Subscription Renewals
If you have many subscriptions with different expiration dates, your WatchGuard reseller can create a
custom renewal quote that synchronizes the renewal dates for multiple subscription services. Contact
WatchGuard or your WatchGuard reseller for details.
Renew Subscription Services
WatchGuard subscription services must get regular updates to operate effectively.
Your XTM device gives you reminders to renew your subscriptions when you save changes to a
configuration file. WatchGuard System Manager reminds you that your subscription is about to expire
60 days before, 30 days before, 15 days before, and the day before the expiration date.
When your subscriptions expire, you cannot save any changes to your configuration until you either
renew or disable the expired subscription. You can use Policy Manager to update the feature key for
your subscriptions.
1. Select File > Save > To Firebox.
You see a message that tells you to update your feature key.
2. Click OK.
The Feature Key Compliance dialog box appears.
3. Select the expired subscription.
4. If you already have the new feature key, click Add Feature Key. Paste your new feature key.
You cannot right-click to paste. You must press CTRL+V on your keyboard or click Paste.
If you do not already have your new feature key, you must click Disable even if you plan to
renew later. You do not lose your settings if you disable the subscription. If you renew your
subscription at a later time, you can reactivate the settings and save them to the XTM device.
5. Click OK.
Renew Subscriptions from Firebox System Manager
If a subscription is to expire soon, a warning appears on the front panel of Firebox System Manager and
Renew Now appears at the upper-right corner of the window. Click Renew Now to go to the
LiveSecurity Service web site and renew the subscription.
5 RemoteConfig and RapidDeploy
About RemoteConfig and RapidDeploy
RemoteConfig and RapidDeploy are two methods you can use to set up an XTM device in a remote
location where you might not have trained IT staff present to help with the initial configuration of your
XTM device. Both the RemoteConfig and RapidDeploy methods enable you to send your XTM devices
to remote locations around the world, before you have configured each device.
RemoteConfig
RemoteConfig enables you to remotely configure a single XTM device that has been activated on the
WatchGuard web site. You can use RemoteConfig to remotely configure a new XTM device, or a
device that has been reset to factory default settings.
To use RemoteConfig, you must use Policy Manager to create a configuration file for the device. You
can then upload that configuration file to the Product Details page for that XTM device on the
WatchGuard web site.
For more information about RemoteConfig, see Use RemoteConfig.
RapidDeploy
RapidDeploy enables you to remotely configure multiple XTM devices for management by a
WatchGuard Management Server. You can use RapidDeploy for XTM devices that have never been
activated or for devices that have already been activated, but must either be activated again or
assigned to another Management Server.
To use RapidDeploy, you must register your Management Server with the WatchGuard Deployment
Center, and then connect to the WatchGuard Deployment Center from your WatchGuard Management
Server. In the WatchGuard Deployment Center, you add information for your Management Servers and
the XTM devices you want to activate remotely.
For more information about RapidDeploy, see Use RapidDeploy on page 148.
Automatic Configuration Download
To complete either of these automated configuration processes, a remote user must connect the XTM
device to power and to the Internet. The XTM device automatically contacts a WatchGuard server to
download a configuration file, if one is available. The XTM device checks for the availability of a
RemoteConfig or RapidDeploy configuration file. Because the RemoteConfig process takes priority
over the RapidDeploy process, if you activate a device with RapidDeploy, and also upload a
RemoteConfig configuration file for the same device, the device downloads the RemoteConfig file and
does not complete the RapidDeploy process.
Use RemoteConfig
RemoteConfig is a quick and efficient way to automatically configure an XTM device in a remote
location without the need to have trained IT staff present at the remote site. Before the XTM device is
connected to the network at the remote site, you create and upload a device configuration file to the
Product Details page on the WatchGuard web site. When the XTM device is powered on with factory
default settings, it automatically connects to your account on the WatchGuard web site to download its
configuration.
For a RemoteConfig video demonstration, see the WatchGuard XTM: Remote
Config video tutorial (13 minutes).
Requirements for RemoteConfig:
- The remote XTM device must be manufactured with Fireware XTM v11.6.3 or later, and must
  use factory default settings. XTM devices that support RemoteConfig have a small Ready
  sticker on the outer carton.
- You must have WatchGuard System Manager to create or edit the configuration file.
- If the device uses a version of Fireware XTM lower than v11.7.3 Update 1, the network where
  you connect the remote XTM device must use DHCP to dynamically assign an IP address to
  the external interface of the device. For more information, see Connect the Remote
  XTM Device.
XTM devices originally manufactured with a version of Fireware XTM OS lower than
v11.6.3 do not support RemoteConfig, even if you upgrade the device to use a newer
version of Fireware XTM OS.
RemoteConfig is a four step process:
1. Activate the XTM device and any add-on features on the WatchGuard web site.
For more information, see Get a Feature Key for Your XTM Device.
2. Use Policy Manager to create a configuration file for the XTM device.
For more information, see Create a RemoteConfig File.
3. Upload the configuration file to the RemoteConfig section of the Product Details page for this
device, and set the device passphrases.
For more information, see Manage Your RemoteConfig File.
4. Connect the device at the remote site.
   - For a new XTM device, connect the XTM device to power and to a network with Internet
     access.
   - For a previously configured XTM device, reset the device to factory default settings.
For more information, see Connect the Remote XTM Device.
Any time a device that supports RemoteConfig starts with factory default settings, the device
automatically tries to download the RemoteConfig file, feature key, and passphrases.
RemoteConfig File Version Requirements
Each Fireware XTM device configuration file has a version number associated with it. For an XTM
device to use a RemoteConfig file, the version of the configuration file must be higher than 11.4.0, but
not higher than the version of Fireware XTM OS installed on the device.
The remote XTM device rejects a RemoteConfig file if:
- The configuration file version is higher than the version of Fireware XTM OS installed on the
  device.
- The configuration file version number is 11.4.0 or lower.
Before you create a configuration file, it is important to know the version of Fireware XTM OS installed
on the remote XTM device, and also to understand how the configuration file version is set in Policy
Manager.
Determine the Fireware XTM OS Version on the Remote XTM Device
At the top of the Product Details page, you can see the version of Fireware XTM OS installed on the
device when it was first manufactured by WatchGuard. This is the maximum configuration file version
that you can use for RemoteConfig when you configure a new XTM device for the first time.
If the remote XTM device has been upgraded to a newer version of Fireware XTM OS, you can upload
a RemoteConfig file with a version that is newer than the version shown on the Product Details page,
as long as the version is not higher than the version of Fireware XTM OS currently installed on the
remote XTM device.
If you are not sure what version of Fireware XTM is on a remote device, use a
configuration file with a version that is less than or equal to the version of Fireware
XTM OS manufactured on the device.
How the Configuration File Version Is Set
Policy Manager is a component of the WatchGuard System Manager software you use to configure
XTM devices. You can use Policy Manager to open the configuration file from an XTM device or to
create a new XTM device configuration file. When you use Policy Manager to create a new
configuration file, the initial configuration file version depends on which version of WatchGuard System
Manager (WSM) you used to create it.
- In WSM v11.7 and higher, Policy Manager sets the configuration file version to 11.7.0 by
  default.
- In WSM v11.4.x - 11.6.x, Policy Manager sets the configuration file version to 11.4.0 by
  default.
Version 11.4.0 configuration files are not supported for RemoteConfig.
When you open a configuration file in Policy Manager, the configuration file version appears in the
lower right corner of the Policy Manager window.
You cannot directly change the configuration file version in Policy Manager. To change a configuration
file version, you must use Policy Manager to save the configuration to a connected XTM device that
uses the version of Fireware XTM OS you want to set in the file. When you save a configuration file to
an XTM device, Policy Manager validates the configuration settings for the version of Fireware
XTM OS on the device, and updates the version in the configuration file to match the version on the
device.
Recommendations
We recommend that you upload a configuration file with a version that is 11.6.3 or higher for
RemoteConfig.
For a basic 11.6.3 configuration file that you can download and edit to create your
RemoteConfig file, see the article RemoteConfig Configuration File in the
WatchGuard Knowledge Base.
If the RemoteConfig file has a lower version than the version of Fireware XTM installed on the remote
XTM device, the remote XTM device automatically converts the configuration file to the correct version
as part of the RemoteConfig deployment process.
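The acceptance rule in this section reduces to a version comparison, but comparing version strings correctly is a common source of mistakes (as text, "11.10" sorts before "11.9", and "11.7" must equal "11.7.0"). The following Python check is an added illustration, not WatchGuard code: it models the rule for a RemoteConfig file of a given version offered to a device that runs a given Fireware XTM OS version, and the function names and sample cases are my own.

```python
"""Model of the RemoteConfig file version rule from this guide. Added
illustration, not WatchGuard code; the function names are my own."""
from typing import Tuple

# A file at version 11.4.0 or lower is rejected by the device.
LOWEST_REJECTED = "11.4.0"


def parse_version(text: str) -> Tuple[int, int, int]:
    """Convert '11.6.3', 'v11.7' or '11.7.3 Update 1' into a comparable
    (major, minor, patch) tuple, so that 11.7 == 11.7.0 and 11.10 > 11.9."""
    tokens = text.strip().lstrip("vV").split()  # drop 'v' and any 'Update N' suffix
    if not tokens:
        raise ValueError("empty version string")
    parts = [int(p) for p in tokens[0].split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unrecognised version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def remoteconfig_verdict(config_version: str, device_os_version: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a RemoteConfig file of config_version
    offered to a remote device that runs device_os_version."""
    cfg = parse_version(config_version)
    dev = parse_version(device_os_version)
    if cfg <= parse_version(LOWEST_REJECTED):
        return False, "rejected: configuration file version is 11.4.0 or lower"
    if cfg > dev:
        return False, "rejected: configuration file version is higher than the device's Fireware XTM OS"
    if cfg < dev:
        # The device converts an older (but supported) file to its own version.
        return True, "accepted: device converts the file up to its own version"
    return True, "accepted: versions match"


if __name__ == "__main__":
    # Constructed cases, including the 11.6.3 file the guide recommends.
    for cfg, dev in [("11.6.3", "11.7.3"), ("11.4.0", "11.7.0"),
                     ("11.8.0", "11.7.3"), ("11.7.0", "11.7")]:
        print(f"file {cfg:>7} on device {dev:>7}: {remoteconfig_verdict(cfg, dev)[1]}")
```

When the device's current OS version is unknown, call the check with the manufactured version shown on the Product Details page, which is the lowest version the device can be running and therefore the safe upper bound for the file.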
Create a RemoteConfig File
A RemoteConfig file is an XTM device configuration file that you create with Policy Manager. It is
exactly the same as any other device configuration file you create with Policy Manager, and is stored
as an XML file. To use a configuration file for RemoteConfig, the remote XTM device and configuration
file must meet three requirements.
- The remote XTM device must support RemoteConfig.
- The XTM device model in the configuration file must match the remote XTM device.
- The configuration file version must be higher than 11.4.0, but not higher than the version of
  Fireware XTM OS installed on the remote XTM device.
For more information about how Policy Manager sets the configuration file version, see RemoteConfig
File Version Requirements.
Before You Begin
Before you begin, log in to your account on the WatchGuard web site, and go to the Product Details
page for the XTM device you want to remotely configure.
On the Product Details page:
1. In the Your RemoteConfig File section, make sure the XTM device supports RemoteConfig.
2. At the top of the page, check the version of Fireware XTM OS manufactured on the device.
This determines the version requirement for the configuration file you upload.
3. If you want to configure add-on features, such as security services, activate the features and
download the device feature key. Policy Manager requires the feature key to enable
configuration of the licensed upgrades or services.
n To activate an add-on feature, click Activate a Product on the WatchGuard portal.
n To get the feature key, click Get your feature key on the Product Details page.
Create the Configuration File
Policy Manager is a component of the WatchGuard System Manager software you use to configure
XTM devices. You can use Policy Manager to open the configuration file from an XTM device or to
create a new XTM device configuration file. You might need to add a feature key to the configuration to
enable the configuration of licensed features. The feature key you use in the configuration file is not
included in the configuration file you upload to the WatchGuard web site for RemoteConfig.
To create a configuration file that meets the version requirements for RemoteConfig, we recommend
that you use a configuration file that has been previously saved to an XTM device that uses the same
version of Fireware XTM OS as the device you want to remotely configure. Then change the model
number, policies, and settings in the configuration file to the settings you want the remote XTM device
to use.
For a default 11.6.3 configuration file that you can download and edit to create your
RemoteConfig file, see the article RemoteConfig Configuration File in the
WatchGuard Knowledge Base.
To create a configuration file to use with RemoteConfig:
1. From WatchGuard System Manager, open a configuration in Policy Manager.
We recommend that you edit a configuration file that has been previously saved to an XTM device
that uses the same version of Fireware XTM OS as the XTM device you want to remotely configure.
2. Make sure the version number that appears in the lower right corner of the main Policy Manager
window is higher than 11.4.0, but is not higher than the version of Fireware XTM OS installed on
the XTM device you want to remotely configure.
For information about how to set the configuration file to a specific version, see RemoteConfig
File Version Requirements.
3. Select Setup > System to change the XTM device model in the configuration to match the
model number of the remote XTM device you want to configure.
4. If necessary to enable configuration of licensed add-on features, manually add the feature key
for the device.
n Select Setup > Feature Keys.
n Click Import.
n Paste the feature key you saved from the Product Details page.
5. Configure the policies and settings you want to use on the remote device.
6. If you want the ability to remotely manage the device from WatchGuard System Manager, edit
the WatchGuard policy in the configuration to allow management connections from the external
interface.
For more information, see Manage an XTM Device From a Remote Location.
7. If you want the ability to remotely connect to the Fireware XTM Web UI, edit the WatchGuard
Web UI policy in the configuration to allow management connections from the external
interface. To do this, add the alias Any-External, or the alias of an external interface, to the
From section of the WatchGuard Web UI policy. Any-External exposes the Web UI login to
every Internet address; if the hosts you manage from are known, list those addresses in the
From section instead, or narrow the policy after the first successful connection.
8. Select File > Save > As File to save the configuration to an XML configuration file.
When you save a configuration to a file, Policy Manager saves two files, one for the configuration, and
another for the feature key. For example, if you save a configuration to a file called XTM_33-remote,
Policy Manager saves two files:
n XTM_33-remote.xml — This is the configuration file you upload for RemoteConfig
n XTM_33-remote_lic.zip — This is the feature key used in the configuration file. You do not
upload the feature key for RemoteConfig.
Next, you can upload this file to the Product Details page for the device you want to remotely
configure.
For information about how to upload the file, see Manage Your RemoteConfig File.
Manage Your RemoteConfig File
After you have created a configuration file, you can upload it to the Product Details page for the device
in your account on the WatchGuard web site. From the Product Details page you can also delete or
download a configuration file you have previously uploaded.
For instructions to create the configuration file, see Create a RemoteConfig File.
Upload the Configuration File
On the Product Details page, you can upload the configuration for the device. When you upload a
configuration file for a remote device, the file is called the RemoteConfig file. When you upload a
configuration file, the feature key you used to create the configuration file is not uploaded. WatchGuard
already has the correct feature key for the device, and sends the correct feature key to the remote
device when the device requests the configuration file.
Because the configuration file does not include the management passphrases, you must also set the
passphrases to use on the device when you upload the file.
After the remote device downloads the configuration file, the factory default
passphrases are changed to the passphrases you set when you upload the file. The
passphrase reset occurs even if the device rejects the configuration file, because the
passphrases are sent to the device separately from the configuration file. For more
information, see Connect the Remote XTM Device.
To upload the RemoteConfig file:
1. Go to the Product Details page for the device.
2. In the Your RemoteConfig File section, click Upload.
A dialog box appears where you can choose the file and set the device management passphrases.
3. Click Choose File or Browse to select the configuration file to upload.
The button name depends on the browser you use.
4. Browse to and select the .xml file you created with Policy Manager.
5. Type and confirm the passphrase you want the device to use for read-only administrative
access.
6. Type and confirm the passphrase you want the device to use for read-write administrative
access.
7. Click Upload.
The file is uploaded and validated.
If the file you select is not a valid XML configuration file, or if the model number in the
configuration file does not match this product, an error message appears, and the file
is not uploaded. Make sure that you select a valid XML configuration file for this
device model.
After you upload a configuration file, the Your RemoteConfig File section of the Product Details
page shows the name of the configuration file you uploaded, and whether or not the XTM device has
contacted WatchGuard to request the file.
After the XTM device requests the file, the right column shows the date and time that the file was sent
to the XTM device, and the IP address and Fireware XTM OS version of the device it was sent to.
The RemoteConfig file is stored on the WatchGuard site for two years from the date you upload it,
unless you delete it. Any time the XTM device starts with factory default settings, it automatically
contacts WatchGuard to retrieve this configuration file.
If a configuration file has already been uploaded, you can click Upload again to replace the previously
uploaded configuration file with a new configuration file.
Delete the Configuration File
Any time the device is reset to factory defaults, it automatically downloads and uses the
RemoteConfig file, if one is present on the Product Details page. If you do not want the XTM device to
use the RemoteConfig file when it is reset to factory defaults, you must remove the configuration file
from the Product Details page.
To delete a RemoteConfig file for a device:
1. Go to the Product Details page for the device.
2. In the My RemoteConfig File section, click Delete.
3. Click OK to confirm that you want to delete the file.
Download the Configuration File
After you have uploaded a RemoteConfig file, you can download a local copy of the configuration file to
your computer. This does not send the file to the XTM device.
To download the configuration file:
1. Go to the Product Details page for the device.
2. In the My RemoteConfig File section, click Download.
To open the configuration file you downloaded, you must use Policy Manager.
Connect the Remote XTM Device
After you upload a RemoteConfig file to the Product Details page, the XTM device can automatically
download the file.
External Interface IP Address
To use RemoteConfig to set up an XTM device, the external interface (interface 0), must be able to
connect to the Internet. There are two methods the remote XTM device can use to get an external
IP address.
DHCP
For an XTM device with factory-default settings, interface 0 uses DHCP to request an IP
address for the external interface. For an XTM device to use RemoteConfig, the remote site
must have a DHCP server that can assign an IP address to the external interface.
For a device that uses a version of Fireware XTM OS lower than v11.7.3 Update 1, this is the
only method to configure the external IP address.
Static or PPPoE
If the remote XTM device uses Fireware XTM OS v11.7.3 Update 1 or higher, and the remote
network does not have a DHCP server, you can use a file on a USB drive to configure the XTM
device to either use a static IP address or use PPPoE to get an IP address. To configure your
XTM device to use one of these options, you create a CSV (comma-separated values) file on a
USB drive, and then insert the USB drive in the XTM device before you power it on.
For more information, see Use a USB Drive to Configure Interface Settings.
Use RemoteConfig to Configure the Device
To use RemoteConfig for a new XTM device, someone must connect and power on the device at the
remote site:
1. Use the included green Ethernet cable to connect interface 0 to a switch or router that connects
to the Internet.
Step 1 in the Quick Start Guide that ships with the device includes a diagram that shows how to do
this.
2. If the device uses Fireware XTM OS v11.7.3 Update 1 or higher, and you have created a CSV
file to configure the external interface, connect the USB drive to the XTM device.
3. Connect power to the device.
4. Power on the device.
The new XTM device starts with factory default settings.
To use RemoteConfig to configure an XTM device that has been previously
configured, you must reset the device to factory default settings. The steps to do this
depend on the XTM device model. For more information, see Reset a Device.
When the XTM device starts with factory default settings, it automatically uses DHCP to request an
IP address for interface 0. After the device receives an IP address, it tries to contact the WatchGuard
server to see if a RemoteConfig file is available. If a configuration file has been uploaded to the
Product Details page for the device, the XTM device automatically downloads the configuration file,
the device feature key, and passphrases.
The XTM device compares the configuration file version to the version of Fireware XTM that is
installed, and takes action based on the result of that comparison:
Configuration File Version: Matches the installed version of Fireware XTM OS
XTM Device RemoteConfig Action:
n The device uses the new configuration.
n The status and admin passphrases on the device are set to the passphrases specified when the
RemoteConfig file was uploaded to the Product Details page.
Configuration File Version: Is lower than the installed version of Fireware XTM OS
XTM Device RemoteConfig Action:
n The device converts the new configuration file to match the version of Fireware XTM OS on the
device, and then uses the new configuration.
n The status and admin passphrases on the device are set to the passphrases specified when the
RemoteConfig file was uploaded to the Product Details page.
Configuration File Version: Is higher than the installed version of Fireware XTM OS
XTM Device RemoteConfig Action:
n The device rejects the configuration file and continues to use factory default settings.
n The status and admin passphrases on the device are set to the passphrases specified when the
RemoteConfig file was uploaded to the Product Details page.
Configuration File Version: Is 11.4.0 or lower
XTM Device RemoteConfig Action:
n The device rejects the configuration file and continues to use factory default settings.
n The status and admin passphrases on the device are set to the passphrases specified when the
RemoteConfig file was uploaded to the Product Details page.
If the XTM device does not find a RemoteConfig file to download, or if the device rejects the
configuration file, you can upload a new RemoteConfig file to the Product Details page. Then power
the XTM device off and then on again so the device retries to download the configuration file.
If the XTM device cannot connect to the WatchGuard site (for example, if the device is not assigned a
dynamic IP address, or the device is not connected to the Internet), the device keeps all factory default
settings, including the factory default passphrases. Treat a device in this state as unconfigured until
you can confirm that it retrieved the RemoteConfig file.
Connect other Networks to the Device
After you use RemoteConfig to configure the remote device, someone at the remote site must use
Ethernet cables to connect the other configured XTM device interfaces to local network devices as
required for your network configuration.
See RemoteConfig Status
After the XTM device requests the configuration file, the Product Details page shows the IP address
the file was sent to, and the date and time the file was sent.
The status on the Product Details page tells you whether the device contacted WatchGuard to
retrieve the configuration file, but it does not tell you whether the configuration file was successfully
used to remotely configure the device.
Verify RemoteConfig Success
After you verify that the remote XTM device contacted WatchGuard, you can test connectivity through
the remote device, to determine whether the RemoteConfig file was successfully applied.
To verify that the device is using the configuration file:
Try to remotely connect to the device with WatchGuard System Manager
If the WatchGuard policy in the configuration file allows management connections from the
external interface, you can use WatchGuard System Manager to remotely connect to the
external interface IP address of the device.
Try to remotely connect to the Fireware XTM Web UI
If the WatchGuard Web UI policy in the configuration file allows connections to the Web UI from
an external interface, you can use a web browser to connect to the Fireware XTM Web UI.
By default, the port used for the Web UI is 8080. The URL to connect to the Web UI in your
browser is:
https://<xtm-ip-address>:8080
Where <xtm-ip-address> is the IP address assigned to the external interface.
Test whether users at the remote site can connect to the Internet
After someone at the remote site has connected the trusted and optional interfaces to the local
network, test whether a user can connect to the Internet.
n If users can successfully connect to the Internet, this shows that the RemoteConfig file
was successfully applied.
n If users cannot connect to the Internet, it does not necessarily mean that RemoteConfig
failed. It could also be caused by other issues, such as incorrect cabling, DHCP
configuration, or other configuration problems.
For your network configuration, there may be other methods you can use to test the configuration. For
example, you could test whether configured branch office VPN tunnels are functioning, or whether the
device accepts connections from configured Mobile VPN users.
If you cannot verify that the RemoteConfig file was successfully applied, you can try to troubleshoot
the problem.
For more information, see Troubleshoot RemoteConfig.
Troubleshoot RemoteConfig
In the Product Details page, the RemoteConfig section shows whether the remote XTM device has
contacted the WatchGuard web site to look for a RemoteConfig file. After you upload a configuration
file, the RemoteConfig section shows either:
n The device has not yet contacted WatchGuard to request a configuration file
n The time and date that the device contacted WatchGuard to request a configuration file, the
IP address the request came from, and the version of Fireware XTM OS currently installed on
the device
If the Product Details page shows that the device has not contacted WatchGuard, and you have
already followed the instructions in Connect the Remote XTM Device, make sure that the network the
XTM device external interface is connected to has Internet access, and that the external interface of the
device is connected to a network that has a DHCP server (or, for Fireware XTM OS v11.7.3 Update 1
or higher, that the USB drive with the static or PPPoE interface settings was inserted before the device
was powered on). If the external interface is not assigned an IP address, the device cannot connect to
the Internet.
Then, try again:
1. Restart the device with factory default settings.
n For a new XTM device, connect the XTM device to power and to a network with Internet
access.
n For a previously configured XTM device, reset the device to factory default settings.
2. Make sure the device has a reliable power source and Internet connection while the download
and configuration is in progress.
Troubleshoot the Configuration File Version
After the device has successfully downloaded the RemoteConfig file, the XTM device tries to use the
file to update the device configuration.
In the Product Details page, the RemoteConfig section shows whether the configuration file
downloaded by the device has a version that can be used for RemoteConfig.
Version Status: Configuration file version is compatible
Example RemoteConfig Status Message: The configuration file was sent to 203.0.113.100 at
6/7/2013 4:05:43 PM UTC. Fireware XTM 11.6.5 is installed. The configuration file was created for
Fireware XTM 11.6.3.
Version Status: Configuration file version is too low
Example RemoteConfig Status Message: The configuration file was sent to 203.0.113.100 at
6/7/2013 4:05:43 PM UTC. Fireware XTM 11.6.5 is installed. The configuration file was created for
Fireware XTM 11.4.0. Configuration file versions 11.4 and earlier are not supported by RemoteConfig.
Version Status: Configuration file version is too high
Example RemoteConfig Status Message: The configuration file was sent to 203.0.113.100 at
6/7/2013 4:05:43 PM UTC. Fireware XTM 11.6.5 is installed. The configuration file was created for
Fireware XTM 11.7.0. The configuration file version cannot be higher than the installed version.
If you see a status message that indicates the configuration file version is too low or too high, this
means the remote device could not use the RemoteConfig file to update its configuration. To resolve a
configuration file problem, create and upload a configuration file that has a version higher than 11.4, but
not higher than the version of Fireware XTM currently installed on the device.
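The version rule that the device applies (from the RemoteConfig action table in Connect the Remote XTM Device) and the status messages shown in the table above can be checked before you upload, rather than after a truck roll. The script below is an added example, not code from this guide or from WatchGuard: it predicts the device action for a given configuration file version and installed Fireware XTM OS version, and it classifies a pasted Product Details status message. It assumes that the live status sentences keep the wording of the examples above, and it ignores an "Update N" suffix (as in 11.7.3 Update 1) when comparing versions; the sample messages are constructed from the table.

```python
import re
from typing import Optional, Tuple

# Configuration file versions 11.4.0 and lower are rejected outright
# (the guide requires a version "higher than 11.4.0").
OLDEST_REJECTED = (11, 4, 0)

# Constructed sample messages, modelled on the status table in this section.
# Assumption: the live Product Details page uses the same sentence structure.
SAMPLE_STATUS_MESSAGES = {
    "compatible": (
        "The configuration file was sent to 203.0.113.100 at 6/7/2013 4:05:43 PM UTC. "
        "Fireware XTM 11.6.5 is installed. The configuration file was created for Fireware XTM 11.6.3."
    ),
    "too_low": (
        "The configuration file was sent to 203.0.113.100 at 6/7/2013 4:05:43 PM UTC. "
        "Fireware XTM 11.6.5 is installed. The configuration file was created for Fireware XTM 11.4.0. "
        "Configuration file versions 11.4 and earlier are not supported by RemoteConfig."
    ),
    "too_high": (
        "The configuration file was sent to 203.0.113.100 at 6/7/2013 4:05:43 PM UTC. "
        "Fireware XTM 11.6.5 is installed. The configuration file was created for Fireware XTM 11.7.0. "
        "The configuration file version cannot be higher than the installed version."
    ),
}

_VERSION_RE = re.compile(r"\d+(?:\.\d+)*")
_STATUS_RE = re.compile(
    r"Fireware XTM (?P<installed>\d+(?:\.\d+)*) is installed\. "
    r"The configuration file was created for Fireware XTM (?P<created>\d+(?:\.\d+)*)\."
)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '11.6.3', '11.4' or '11.7.3 Update 1' into a comparable 3-tuple.

    Missing fields are padded with zeros so that 11.4 == 11.4.0. An "Update N"
    suffix is ignored (assumption: an update does not change the base version).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"no version number in {text!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    parts = (parts + [0, 0, 0])[:3]
    return parts[0], parts[1], parts[2]


def remoteconfig_action(config_version: str, installed_version: str) -> str:
    """Predict what the device does with a RemoteConfig file of config_version.

    Returns 'too_low', 'too_high', 'convert' or 'use'. In all four cases the
    device still replaces its factory default passphrases with the ones set at
    upload time, so a rejected file is not a harmless no-op.
    """
    cfg = parse_version(config_version)
    dev = parse_version(installed_version)
    if cfg <= OLDEST_REJECTED:
        return "too_low"    # rejected; device keeps factory default settings
    if cfg > dev:
        return "too_high"   # rejected; device keeps factory default settings
    if cfg < dev:
        return "convert"    # converted to the installed version, then applied
    return "use"            # applied as-is


def is_usable(config_version: str, installed_version: str) -> bool:
    """Pre-upload check: True when the file will be applied rather than rejected."""
    return remoteconfig_action(config_version, installed_version) in ("convert", "use")


def classify_status_message(message: str) -> Optional[str]:
    """Extract both version numbers from a status message and classify it.

    Returns None when the message does not carry the two versions, for
    example when the device has not yet contacted WatchGuard.
    """
    m = _STATUS_RE.search(message)
    if m is None:
        return None
    return remoteconfig_action(m.group("created"), m.group("installed"))


if __name__ == "__main__":
    for label, msg in SAMPLE_STATUS_MESSAGES.items():
        print(f"{label:>10}: {classify_status_message(msg)}")
```

Run is_usable with the version from the lower right corner of Policy Manager and the Fireware XTM OS version shown at the top of the Product Details page; if it returns False, re-save the configuration to a device on the right version (see RemoteConfig File Version Requirements) before uploading.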
For more information about how to create a configuration file for a specific version of Fireware
XTM OS, see RemoteConfig File Version Requirements.
After you upload a new configuration file, restart the remote device with factory default settings. The
device automatically downloads the latest RemoteConfig file.
For more information, see Connect the Remote XTM Device.
Use RapidDeploy
WatchGuard Deployment Center is the online web UI where you use the WatchGuard RapidDeploy
tool. RapidDeploy is a quick and efficient process you can use to deploy XTM devices in remote
locations where you might not have trained IT staff present to help with the initial configuration of your
XTM device. With RapidDeploy, you can send your XTM devices to remote locations around the world,
before you have configured each device. You can use RapidDeploy for XTM devices that have never
been activated or for devices that have already been activated, but must either be activated again or
assigned to another Management Server.
To use RapidDeploy, you must have:
n One or more XTM devices with Fireware XTM OS v11.6.3 or later
n One or more WatchGuard Management Servers v11.6.3 or later
The initial RapidDeploy procedure is a two-part process:
1. You add information to the WatchGuard Deployment Center for your Management Servers and
the XTM devices you want to activate remotely.
2. A remote user connects each XTM device to power and to the Internet. Each XTM device
automatically contacts the Deployment Center for an initial, basic configuration file with
information about the Management Server, and then contacts the Management Server for
additional configuration.
This diagram of the RapidDeploy process illustrates the steps that occur at the different points in each
part of the process.
1 — From WatchGuard System Manager, register your Management Server with the WatchGuard Portal. Log in to the
WatchGuard Deployment Center to verify your Management Server registration was successful.
2 — In the Deployment Center, import your XTM device list CSV file and activate the devices.
3 — Connect the XTM device to power and to the Internet. The XTM device contacts the Deployment Center to
download a basic configuration file with the Management Server information.
4 — The XTM device contacts the Management Server. The Management Server contacts the Deployment Center to
verify that the XTM device has been activated and assigned to it.
5 — In the Deployment Center, verify the deployment status of each XTM device to see which devices have been sent
a basic configuration file.
After the RapidDeploy procedure is complete, and your XTM devices have contacted your
Management Server, you must connect to the devices and complete the network configuration for each
device. You can follow the usual network configuration and Centralized Management processes to
configure the network settings, change to Fully Managed Mode, and apply a Device Configuration
Template to each XTM device.
For more information, see Common Interface Settings, About Centralized Management Modes, and
Apply Device Configuration Templates to Managed Devices.
Launch the Deployment Center
From the WatchGuard Deployment Center, you can verify the status of your Management Server
registration and complete the RapidDeploy procedure to activate your XTM devices.
To launch the Deployment Center from WSM:
1. Open WSM and connect to your Management Server.
2. Select File > RapidDeploy > Deployment Center.
Or, from the Management Server page, in the RapidDeploy section, select Deployment
Center.
The WatchGuard Deployment Center launches in your default web browser.
Activate Your XTM Devices
Step 2 of the RapidDeploy process is to activate your XTM devices. To complete activation, you
create and import a device list to the Deployment Center and then activate the XTM devices in the
device list. The device list is a UTF-8 encoded CSV file in this format: XTM Device Serial Number,
XTM Device Friendly Name, Management Server IP Address.
Import a Device List
From the Deployment Center, you can download a CSV file to use as a template for your device list. If
you open the template CSV file in a spreadsheet program such as Microsoft Excel or Apple Numbers,
you can simply replace the data in the list with the correct details for your XTM devices and
Management Servers. Whether you use the template file or create your own CSV file, make sure that
the CSV file includes a header row. The template CSV file includes this header row: XTM Device
Serial Number,XTM Device Friendly Name,Management Server IP Address. Each device list
CSV file can only include 50 XTM devices. If your Management Server has more than one IP address
in the Distribution IP Address list, make sure to use the first IP address in the list. In the CSV file
header row, the XTM Device Friendly Name is the unique name that appears in the Device field in
WatchGuard System Manager for each device. This name also identifies the device in your account on
the WatchGuard web site. You must use a different friendly name for each XTM device. You can
change the friendly name of an activated device on the Product Details page in the WatchGuard
Portal. For more information, see the My Products Help.
After you create your device list CSV file, you can import the device list in the Deployment Center and
use RapidDeploy to activate your XTM devices. If you close the browser before the device list import
is complete, the device list and any error messages are cleared from the Deployment Center, and you
must start the import process again.
To download and create a CSV file:
1. Connect to the Deployment Center.
A. Open WSM and connect to your Management Server.
B. Select File > RapidDeploy > Deployment Center.
The WatchGuard Deployment Center launches in your default web browser.
2. In the Deployment Center, select RapidDeploy > Device Activation.
The Device Activation page appears.
3. Click the link to download the sample CSV file and save it to your computer with a descriptive
file name.
4. Open the CSV file and for each XTM device you want to activate with RapidDeploy, type the
serial number, device friendly name, and the IP address of the Management Server you want to
manage this device.
Before you import the device list, make sure that the Management Servers you specified in the CSV
file are registered in the Deployment Center. If you specify an incorrect Management Server IP
address or an unregistered Management Server for an XTM device, an error appears after the import
process is complete. For more information about how to verify that your Management Server is
registered, see Verify Management Server Registration on page 154.
Also make sure that you specify the correct Management Server for each XTM device included in the
CSV file. If you import a CSV file with an XTM device that was already assigned to a different
Management Server, the XTM device is registered again. A new deployment package is created for
that XTM device with the IP address of the new Management Server, and replaces the first deployment
package in the Deployment Center.
To import the device list, on the Device Activation page:
1. Click Browse and select the CSV file you created.
2. Click Import.
The device list is imported to the Deployment Center. If your device list includes a large number of
XTM devices, it can take some time to complete the import of the CSV file.
When the device list is imported, the Deployment Center checks the data included in the CSV file to
verify that the data is correct. If you have included an incorrect serial number for a device, or an IP
address for a Management Server that is not registered, you see an error when the file import is
complete.
If there are any problems in the device list CSV file you imported, an error list appears on the Device
Activation page. The error list includes the lines in the CSV file where the errors occurred and a
description of the errors. If your CSV file has an error, you can fix the error and import the file again.
When the import is complete and successful, the device list appears on the Device Activation page.
You can review this list to make sure that all the necessary devices were imported.
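Because a failed import clears the device list and its error messages as soon as the browser is closed, it is worth checking the CSV file locally first. The following Python script is an added example, not part of this guide or of WatchGuard's tools: it applies the rules stated in this section (the exact header row, three fields per row, at most 50 devices, a unique friendly name and serial number per device, a syntactically valid Management Server IP address, and UTF-8 encoding) and reports each problem with the CSV line it occurs on. The serial numbers, names and addresses in the sample list are constructed, and the optional registered_servers argument is an assumption: you fill it from the Registered Management Servers list in the Deployment Center.

```python
import csv
import io
import ipaddress
from typing import Iterable, List, Optional, Union

EXPECTED_HEADER = [
    "XTM Device Serial Number",
    "XTM Device Friendly Name",
    "Management Server IP Address",
]
MAX_DEVICES_PER_FILE = 50  # limit stated in the guide

# Constructed sample device list: serial numbers and names are made up.
# Line 4 deliberately repeats a serial number and a friendly name and has a
# malformed IP address, so the validator has something to report.
SAMPLE_DEVICE_LIST = (
    "XTM Device Serial Number,XTM Device Friendly Name,Management Server IP Address\n"
    "SERIAL0000001,Branch-Paris,203.0.113.10\n"
    "SERIAL0000002,Branch-Lyon,203.0.113.10\n"
    "SERIAL0000002,Branch-Paris,203.0.113.999\n"
)


def validate_device_list(
    data: Union[str, bytes],
    registered_servers: Optional[Iterable[str]] = None,
) -> List[str]:
    """Check a RapidDeploy device list CSV before it is imported.

    Returns human-readable problems, each prefixed with the CSV line it refers
    to; an empty list means the file passed every check made here.
    registered_servers (assumed, not from the guide) is the set of Management
    Server distribution IP addresses already registered in the Deployment Center.
    """
    errors: List[str] = []

    # The Deployment Center expects UTF-8; decode strictly so a Latin-1 or
    # UTF-16 export from a spreadsheet is caught here rather than at import.
    if isinstance(data, bytes):
        try:
            data = data.decode("utf-8")
        except UnicodeDecodeError as exc:
            return [f"file: not valid UTF-8 ({exc.reason} at byte {exc.start})"]
    data = data.lstrip("\ufeff")  # tolerate the BOM some spreadsheet apps add

    rows = list(csv.reader(io.StringIO(data)))
    if not rows or [cell.strip() for cell in rows[0]] != EXPECTED_HEADER:
        errors.append("line 1: header row must be exactly " + ",".join(EXPECTED_HEADER))
        return errors

    servers = {s.strip() for s in registered_servers} if registered_servers is not None else None
    seen_serials = {}  # serial number -> first line it appeared on
    seen_names = {}    # friendly name -> first line it appeared on
    device_rows = 0

    for lineno, row in enumerate(rows[1:], start=2):
        if not any(cell.strip() for cell in row):
            continue  # blank line, harmless
        device_rows += 1
        if len(row) != 3:
            errors.append(f"line {lineno}: expected 3 fields, found {len(row)}")
            continue
        serial, name, server = (cell.strip() for cell in row)

        if not serial:
            errors.append(f"line {lineno}: serial number is empty")
        elif serial in seen_serials:
            errors.append(f"line {lineno}: serial number {serial} already listed on line {seen_serials[serial]}")
        else:
            seen_serials[serial] = lineno

        if not name:
            errors.append(f"line {lineno}: friendly name is empty")
        elif name in seen_names:
            errors.append(f"line {lineno}: friendly name '{name}' already used on line {seen_names[name]}")
        else:
            seen_names[name] = lineno

        try:
            ipaddress.ip_address(server)
        except ValueError:
            errors.append(f"line {lineno}: '{server}' is not a valid IP address")
        else:
            if servers is not None and server not in servers:
                errors.append(f"line {lineno}: Management Server {server} is not registered in the Deployment Center")

    if device_rows > MAX_DEVICES_PER_FILE:
        errors.append(f"file: {device_rows} devices listed; a device list may contain at most {MAX_DEVICES_PER_FILE}")
    return errors


if __name__ == "__main__":
    for problem in validate_device_list(SAMPLE_DEVICE_LIST):
        print(problem)
```

The script cannot confirm that a serial number belongs to an XTM device in your account or that a Management Server is registered unless you pass registered_servers; those checks are still made by the Deployment Center at import time, so review its error list after a clean local run.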
Activate Devices
After you have successfully imported the device list CSV file, you can activate the XTM devices
included in the device list.
1. Read the terms of the End User License Agreement.
2. Select the I accept the terms of the End User License Agreement check box.
3. Review the information in the XTM Device List.
4. Click Activate.
The Deployment Center activates the XTM devices in the Device List and any other XTM devices that
have not already been activated.
If you close the browser before activation is complete, the device list and any error messages
are cleared from the Deployment Center, and you must start the import process again.
When your XTM devices have successfully completed the activation process, the Deployment Status
page appears with a list of all the XTM devices you have deployed.
For more information about the Deployment Status page and the next steps to complete after your
XTM devices are activated, see Review the Deployment Status of Your XTM Devices on page 152.
Review the Deployment Status of Your XTM Devices
After you have imported a device list and activated your XTM devices, the Deployment Center
prepares a basic configuration file for each device that you activated with RapidDeploy. Each basic
configuration file includes:
n Management Server IP address and credentials
n Randomly generated Status and Configuration passphrases
n Randomly generated shared secret
n Policy to allow inbound traffic from the specified Management Server IP address
n Feature key for the XTM device
n Friendly name for the XTM device
By default, before a device contacts the Deployment Center to download a configuration file, the
device interfaces are configured to use DHCP to get an IP address. If you have an XTM device that
must have a static IP address, you can insert a USB drive with the static IP address information into
the XTM device before you power it on. Then, when you power on the XTM device, it uses a static
IP address to connect to the Deployment Center and download the configuration file. For more
information, see Use a USB Drive to Configure Interface Settings.
After an XTM device in factory default mode that you activated with RapidDeploy is powered on and
connected to the Internet, it contacts the Deployment Center to get its basic configuration file. The
basic configuration file is applied to the XTM device, and the device restarts. The XTM device then
contacts the Management Server specified in the basic configuration file, and is added to management
so that you can finish the configuration of the XTM device. We recommend that you first complete the
network configuration settings for the XTM device. After the network configuration settings for the
XTM device are completed, you can change the XTM device to Fully Managed Mode and apply one or
more configuration templates to the device.
For more information, see Common Interface Settings, About Centralized Management Modes, and
Apply Device Configuration Templates to Managed Devices.
The Deployment Center keeps a record of whether each device has contacted the Deployment Center,
and when the basic configuration file is sent to each XTM device.
To see the deployment status of your activated XTM devices:
1. Connect to the Deployment Center.
A. Open WSM and connect to your Management Server.
B. Select File > RapidDeploy > Deployment Center.
The WatchGuard Deployment Center launches in your default web browser.
2. Select Status.
The Deployment Status page appears with a list of your activated XTM devices and the deployment
status of each device.
The Deployment Status column in the Deployment Status list shows the current status for each
device. If the XTM device has not yet contacted the Deployment Center to get the basic configuration
file, XTM device not yet deployed appears. If the XTM device has contacted the Deployment Center to
get the basic configuration file, the date the XTM device made contact appears with the IP address that
the XTM device used to contact the Deployment Center.
If a row in the Deployment Status list is shaded, the XTM device in that row was included in the CSV
file that you just imported, but had already been activated for the same Management Server. When an
XTM device is activated again, a new deployment package is created for the XTM device. Then, when
the XTM device contacts the Deployment Center, the new deployment package is sent to that
XTM device.
If the Deployment Status list is empty, you either do not have any activated XTM devices, or your
activated XTM devices contacted the Deployment Center for their basic configuration files more than
30 days ago.
XTM devices that have been activated but have not contacted the Deployment Center for their
configuration files are included in the Deployment Status list for two years. After an XTM device
contacts the Deployment Center for a configuration file, that XTM device remains in the list for 30 days
from the date the configuration file is sent to the device.
If an activated XTM device tries to contact the Deployment Center, but cannot make contact, the XTM
device receives an error message and tries to contact the Deployment Center again. The XTM device
automatically continues to try to make contact with the Deployment Center at regularly diminished
intervals until it successfully makes contact and gets the basic configuration file. If the XTM device
contacts the Deployment Center, but cannot retrieve the basic configuration file, either because the
device has not yet been activated or because another error occurs, the XTM device does not try to
automatically contact the Deployment Center again. If this occurs, you must complete the device list
import and activation process in the Deployment Center, and then reset the XTM device and reconnect
the device to power and the Internet.
Verify Management Server Registration
After you have registered your Management Servers from WatchGuard System Manager, you can
verify that they were successfully registered. You can also remove Management Servers from the
Registered Management Servers list.
Before you import a device list CSV file, verify that all Management Servers included in the device list
appear in the Registered Management Servers list.
To verify the registration for a Management Server:
1. Connect to the Deployment Center.
A. Open WSM and connect to your Management Server.
B. Select File > RapidDeploy > Deployment Center.
The WatchGuard Deployment Center launches in your default web browser.
2. Select Management Servers.
The Registered Management Servers page appears with a list of your registered Management
Servers.
Cancel Registration for a Management Server
To cancel registration for a Management Server, you must remove it from the Registered
Management Servers list in the Deployment Center. You cannot cancel registration for a
Management Server from WatchGuard System Manager. Also, you cannot cancel registration for a
Management Server that is linked to XTM devices that have been activated, but that have not already
contacted the Management Server.
On the Registered Management Servers page:
1. Review the list of registered Management Servers and find the Management Server to remove
from the list.
2. Adjacent to the Management Server, click Cancel Registration.
The registration for the selected Management Server is canceled and the Management Server is
removed from the list.
Use a USB Drive to Configure Interface Settings
When your XTM device uses the factory default configuration, the external interface of the device uses
DHCP to get an IP address. If your XTM device runs Fireware XTM OS v11.7.3 Update 1 or later and
cannot use DHCP to get an IP address, you can still connect to the Deployment Center to use
RapidDeploy, or to the MyProducts web page to use RemoteConfig, for your XTM device, but you
must use another method to assign an IP address to the external interface. You can use a USB drive to
configure the XTM device to either use a static IP address or use PPPoE to get an IP address. To
configure your XTM device to use one of these options, you create a CSV (comma-separated values)
file on a USB drive, and then insert the USB drive in the XTM device before you power it on.
The USB drive must support the vfat file system and be writable.
Create the CSV File
You can create one CSV file with the interface settings for multiple XTM devices. For each device, you
can specify either Static or PPPoE for the address type in a single line in the CSV file. The details that
you specify in the CSV file for each XTM device are not case sensitive.
You can use a program such as Microsoft Excel to create the CSV file with the customized interface
settings for your XTM devices. When you use Microsoft Excel, or a similar program, to create the CSV
file, make sure to save the file as the CSV (Comma Delimited) (*.csv) file type so that the CSV file
has the correct encoding, particularly for any special characters in the file.
If you use a text editor to create the CSV file, you must separate each information element with a
comma and manually format the file for special characters. If you set the address type to PPPoE, and
the user name or password includes a comma or quotation marks, you must replace each quotation
mark with two quotation marks and enclose that user name or password in quotation marks. For
example, "my,password" or "my""password".
To create a CSV file with the interface settings for your XTM device:
1. Create a new CSV file with the name rapid_ip.csv.
2. In a single line or row, type this information for each XTM device:
n Serial number
n Interface number (for example, 0)
n Interface type — ext (External)
External is the only available option.
n IP address type:
o Static
o PPPoE
n If you set the address type to Static, type this information:
o IP address with subnet mask
o Default gateway IP address
o Primary DNS server IP address
o Secondary DNS server IP address (optional)
n If you set the address type to PPPoE, type this information:
o User name
o Password
o IP address (optional)
3. Save the file to the USB drive in the root directory of the first partition.
To use the same CSV file for more than one XTM device, repeat Steps 2–3 and add the information for
the other XTM devices to the CSV file.
Here is an example of two lines in a CSV file. One line configures an XTM device to use a static IP
address for the External interface, and the other configures a second XTM device to use PPPoE to get
an IP address:
70XX00777X777,0,ext,Static,69.164.168.168/24,69.164.168.254,202.106.0.20
80XX00888X888,0,ext,PPPoE,myname,mypassword,192.168.0.101
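As an added example that is not part of the guide, the Python script below builds and validates rapid_ip.csv rows for the two devices above, then reads the file back to confirm it parses as intended. The serial numbers and addresses are the guide's sample values; the dictionary keys, the gateway-on-subnet check, and the PPPoE password containing a comma and a quotation mark are my own constructions to exercise the quoting rule.

```python
import csv
import io
import ipaddress

# Constructed sample input: the two devices from the guide's example. The PPPoE password is
# replaced with one that contains a comma and a quotation mark so the quoting rule is exercised.
DEVICES = [
    {"serial": "70XX00777X777", "type": "Static", "ip": "69.164.168.168/24",
     "gateway": "69.164.168.254", "dns1": "202.106.0.20", "dns2": ""},
    {"serial": "80XX00888X888", "type": "PPPoE", "user": "myname",
     "password": 'my"pass,word', "ip": "192.168.0.101"},
]


def static_fields(dev):
    """Validate a Static entry and return the columns that follow the address type."""
    if "/" not in dev["ip"]:
        raise ValueError(f"{dev['serial']}: IP address must use slash notation (a.b.c.d/nn)")
    iface = ipaddress.ip_interface(dev["ip"])          # host address plus subnet mask
    gateway = ipaddress.ip_address(dev["gateway"])
    # Sanity check (my addition, not a rule stated by the guide): the default gateway
    # must be reachable on the interface's own subnet.
    if gateway not in iface.network:
        raise ValueError(f"{dev['serial']}: gateway {gateway} is not on {iface.network}")
    fields = [str(iface), str(gateway), str(ipaddress.ip_address(dev["dns1"]))]
    if dev.get("dns2"):                                # secondary DNS server is optional
        fields.append(str(ipaddress.ip_address(dev["dns2"])))
    return fields


def pppoe_fields(dev):
    """Return the columns for a PPPoE entry; the static IP address is optional."""
    if not dev.get("user") or not dev.get("password"):
        raise ValueError(f"{dev['serial']}: PPPoE user name and password are required")
    fields = [dev["user"], dev["password"]]
    if dev.get("ip"):
        fields.append(str(ipaddress.ip_address(dev["ip"])))
    return fields


def device_row(dev):
    """One row: serial, interface number, 'ext', address type, then type-specific fields."""
    addr_type = dev["type"]
    kind = addr_type.lower()                           # the guide says values are not case sensitive
    if kind == "static":
        tail = static_fields(dev)
    elif kind == "pppoe":
        tail = pppoe_fields(dev)
    else:
        raise ValueError(f"{dev['serial']}: address type must be Static or PPPoE, not {addr_type}")
    # 'ext' (External) is the only interface type the feature supports.
    return [dev["serial"], str(dev.get("interface", 0)), "ext", addr_type] + tail


def render_csv(devices):
    """Serialize rows with the guide's quoting rule: a field that contains a comma or a
    quotation mark is wrapped in quotation marks and each embedded quotation mark is doubled
    (this is exactly what csv.QUOTE_MINIMAL with doublequote=True produces)."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, doublequote=True, lineterminator="\n")
    for dev in devices:
        writer.writerow(device_row(dev))
    return buf.getvalue()


def parse_csv(text):
    """Read the file back the way a CSV parser would; quoted fields come back unescaped."""
    return [row for row in csv.reader(io.StringIO(text)) if row]


def write_rapid_ip(devices, path="rapid_ip.csv"):
    """Write the file under the name the XTM device looks for in the root of the USB drive."""
    with open(path, "w", newline="") as handle:
        handle.write(render_csv(devices))
    return path


if __name__ == "__main__":
    print(render_csv(DEVICES), end="")
```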
Use the USB Drive
After you have created the CSV file and saved it to the USB drive, the XTM device can get its external
interface settings from the connected USB drive.
Before you use the USB drive, make sure that it is writable. If an error occurs when you try to use the
CSV file, a file that includes a description of the error is saved in the root directory on the USB drive.
The file name for this error file is rapid_ip.err.<serial number of the XTM device>. For example,
rapid_ip.err.70XX00777X777. If the USB drive is not writable, the error file cannot be saved to the USB
drive.
To use the USB drive to specify the interface configuration for a device:
1. Connect the power cord and interface cables to the XTM device, but do not power on the XTM
device.
2. Insert the USB drive with the CSV file into the USB port on the XTM device.
3. Power on the XTM device.
The XTM device gets the interface settings from the CSV file.
6 Network Setup and Configuration
About Network Interface Setup
A primary component of your XTM device setup is the configuration of network interface IP addresses.
When you run the Quick Setup Wizard, the external and trusted interfaces are set up so traffic can flow
from protected devices to an outside network. You can use the procedures in this section to change the
configuration after you run the Quick Setup Wizard, or to add other components of your network to the
configuration. For example, you can set up an optional interface for public servers such as a web
server.
Your XTM device physically separates the networks on your Local Area Network (LAN) from those on
a Wide Area Network (WAN) like the Internet. Your device uses routing to send packets from networks
it protects to networks outside your organization. To do this, your device must know what networks are
connected on each interface.
We recommend that you record basic information about your network and VPN configuration in the
event that you need to contact technical support. This information can help your technician resolve
your problem quickly.
Network Modes
Your XTM device supports several network modes:
Mixed routing mode
In mixed routing mode, you can configure your XTM device to send network traffic between a
wide variety of physical and virtual network interfaces. This is the default network mode, and
this mode offers the greatest amount of flexibility for different network configurations. However,
you must configure each interface separately, and you may have to change network settings for
each computer or client protected by your XTM device. The XTM device uses Network Address
Translation (NAT) to send information between network interfaces.
For more information, see About Network Address Translation on page 285.
The requirements for mixed routing mode are:
n All interfaces of the XTM device must be configured on different subnets. The minimum
configuration includes the external and trusted interfaces. You also can configure one or
more optional interfaces.
n All computers connected to the trusted and optional interfaces must have an IP address
from that network.
Drop-in mode
In a drop-in configuration, your XTM device is configured with the same IP address on all
interfaces. You can put your XTM device between the router and the LAN and not have to
change the configuration of any local computers. This configuration is known as drop-in
because your XTM device is dropped in to an existing network. Some network features, such as
bridges and VLANs (Virtual Local Area Networks), are not available in this mode.
For drop-in configuration, you must:
n Assign a static external IP address to the XTM device.
n Use one logical network for all interfaces.
n Not configure multi-WAN in Round-robin or Failover mode.
For more information, see Drop-In Mode on page 196.
Bridge mode
Bridge mode is a feature that allows you to place your XTM device between an existing network
and its gateway to filter or manage network traffic. When you enable this feature, your XTM
device processes and forwards all incoming network traffic to the gateway IP address you
specify. When the traffic arrives at the gateway, it appears to have been sent from the original
device. In this configuration, your XTM device cannot perform several functions that require a
public and unique IP address. For example, you cannot configure an XTM device in bridge mode
to act as an endpoint for a VPN (Virtual Private Network).
For more information, see Bridge Mode on page 203.
Interface Types
You use four interface types to configure your network in mixed routing or drop-in mode:
External Interfaces
An external interface is used to connect your XTM device to a network outside your
organization. Often, an external interface is the method by which you connect your XTM device
to the Internet.
When you configure an external interface, you must choose the method your Internet service
provider (ISP) uses to give you an IP address for your XTM device. If you do not know the
method, get this information from your ISP or network administrator.
Trusted Interfaces
Trusted interfaces connect to the private LAN (local area network) or internal network of your
organization. A trusted interface usually provides connections for employees and secure
internal resources.
Optional Interfaces
Optional interfaces are mixed-trust or DMZ environments that are separate from your trusted
network. Examples of computers often found on an optional interface are public web servers,
FTP servers, and mail servers.
Custom Interfaces
Custom interfaces are connected to the internal network of your organization. You can use a
custom interface when you want to configure a security zone that is separate from the trusted or
optional security zones. For more information about custom interfaces, see Configure a Custom
Interface.
In mixed routing mode, you can also configure Bridge, VLAN, and Link Aggregation interfaces. Each of
these interface types must be in the External, Trusted, Optional, or Custom security zone. For more
information about settings that apply to all interface types, see Common Interface Settings on page
207.
For a Firebox T10, XTM 2 Series, 3 Series, or 5 Series device, you can configure failover to an external
modem. For more information, see Configure Modem Failover on page 274.
When you configure the interfaces on your XTM device, you must use slash notation to denote the
subnet mask. For example, you would enter the IPv4 network range 192.168.0.0 subnet mask
255.255.255.0 as 192.168.0.0/24. A trusted interface with the IPv4 address of 10.0.1.1/16 has a
subnet mask of 255.255.0.0.
For more information on slash notation, see About Slash Notation on page 5.
Wireless Interfaces
After you enable at least one wireless access point on a Firebox or XTM wireless device that uses
Fireware XTM v11.9 or higher, the interface list includes three interfaces that correspond to the
wireless access points.
n ath1 — Access point 1
n ath2 — Access point 2
n ath3 — Access point 3
From the Network Configuration dialog box you can enable, disable, and configure the wireless
interfaces. The settings are the same as the settings you configure for a wireless access point in the
Network > Wireless settings.
For information about wireless interface configuration settings, see Enable Wireless Connections
(Fireware XTM OS v11.9.x and Later).
About Private IP Addresses
When you configure a trusted or optional interface, we recommend that you use an IP address in one of
the three IP address ranges reserved by the Internet Engineering Task Force (IETF) for private
networks on LANs.
n 192.168.0.0/16
n 172.16.0.0/12
n 10.0.0.0/8
By default, the XTM device enables dynamic NAT for outbound traffic from addresses in these ranges
to any external interface.
For more information about dynamic NAT, see About Dynamic NAT.
About Network Interfaces on the Edge e-Series
When you use WatchGuard System Manager to manage a Firebox X Edge e-Series device, the
network interface numbers that appear in WatchGuard System Manager do not match the network
interface labels printed below the physical interfaces on the device. Use the table below to understand
how the interface numbers in WatchGuard System Manager map to the physical interfaces on the
device.
Interface number in WSM    Interface label on the Firebox X Edge e-Series hardware
0                          WAN 1
1                          LAN 0, LAN 1, LAN 2
2                          Opt
3                          WAN 2
You can consider the interfaces labeled LAN 0, LAN 1, and LAN 2 as a three interface network hub that
is connected to a single Firebox interface. In Fireware XTM, you configure these interfaces together as
Interface 1.
About IPv6 Support
Fireware XTM supports many features for IPv6 traffic.
n IPv6 addressing — You can add a static IPv6 address to the External, Trusted, Optional, or
Custom interfaces when the device is configured in mixed routing mode. This includes VLAN,
Bridge, and Link Aggregation interfaces.
For more information, see Enable IPv6 for an External Interface and Enable IPv6 for a Trusted
or Optional Interface.
n IPv6 DNS servers — You can use an IPv6 address to specify a DNS server.
n IPv6 static routes — You can add an IPv6 host or network static route.
n IPv6 dynamic routing (RIPng, OSPFv3, and BGP)
n IPv6 BOVPN virtual interface routes — You can add an IPv6 route through an IPv4 BOVPN
virtual interface.
n IPv6 device management — You can use the static IPv6 address to connect to Fireware
XTM Web UI or the CLI for device management. You cannot use the static IPv6 address to
connect to the XTM device from WatchGuard System Manager.
n Diagnostic logging — You can set the diagnostic log level for IPv6 advertisements.
For information about how to configure diagnostic log levels, see Set the Diagnostic Log Level.
n IPv6 Ping — You can ping IPv6 addresses in Firebox System Manager Diagnostic tasks.
n Packet filter policies — You can use IPv6 addresses in packet filter policies.
n MAC access control — Applies to both IPv6 and IPv4 traffic.
n Inspection of traffic received and sent by the same interface — Applies to both IPv6 and IPv4
traffic.
n Blocked sites and exceptions — You can use an IPv6 address to define a blocked site or
exception.
n Blocked ports — Applies to both IPv6 and IPv4 traffic.
n TCP SYN checking — The TCP SYN checking setting in Global Settings applies to both IPv6
and IPv4 traffic.
n Application Control
n Intrusion Prevention Service
n DHCPv6
n FireCluster
n Flood attack prevention — The Default Packet Handling settings to block flood attacks apply to
both IPv6 and IPv4 traffic.
n Authentication — IPv6 addresses are supported for Firewall authentication.
All other networking and security features are not yet supported for IPv6 traffic. This includes:
n Proxy policies
n Authentication — Single Sign-On, Terminal Services, VPN support, fully qualified domain
names for RADIUS and SecurID servers, automatic redirect of users to the Authentication page
n WebBlocker
n Gateway AV
n spamBlocker
n APT Blocker
n Reputation Enabled Defense
n Default packet handling other than flood protection
n Multi-WAN
n Server load balancing
n Traffic Management and QoS
n Drop-in mode
n Bridge mode
n NAT
n MAC/IP address binding
n Branch Office VPN
n Mobile VPN
n Wireless and modem
Any other feature not in the list of supported IPv6 features is not supported for IPv6 traffic.
WatchGuard continues to add more IPv6 support to Fireware XTM for all XTM device models. For
more information about the WatchGuard IPv6 roadmap, see
http://www.watchguard.com/ipv6/index.asp.
Mixed Routing Mode
In mixed routing mode, you can configure your XTM device to send network traffic between many
different types of physical and virtual network interfaces. Mixed routing mode is the default network
mode. While most network and security features are available in this mode, you must carefully check
the configuration of each device connected to your XTM device to make sure that your network
operates correctly.
A basic network configuration in mixed routing mode uses at least two interfaces. For example, you
can connect an external interface to a cable modem or other Internet connection, and a trusted
interface to an internal router that connects internal members of your organization. From that basic
configuration, you can add an optional network that protects servers but allows greater access from
external networks, configure VLANs, and other advanced features, or set additional options for
security like MAC address restrictions. You can also define how network traffic is sent between
interfaces.
To get started on interface configuration in mixed routing mode, see Common Interface Settings on
page 207.
It is easy to forget IP addresses and connection points on your network in mixed routing mode,
especially if you use VLANs (Virtual Local Area Networks), secondary networks, and other advanced
features. We recommend that you record basic information about your network and VPN configuration
in the event that you need to contact technical support. This information can help your technician
resolve your problem quickly.
Configure an External Interface
An external interface is used to connect your XTM device to a network outside your organization.
Often, an external interface is the method by which you connect your device to the Internet.
When you configure an external interface, you must choose the method your Internet service provider
(ISP) uses to give you an IPv4 address for your device. If you do not know the method, get this
information from your ISP or network administrator. In addition to the IPv4 address, you can optionally
configure an IPv6 address.
For information about methods used to set and distribute IP addresses, see Static and Dynamic IP
Addresses on page 6.
For information about IPv6 configuration, see Enable IPv6 for an External Interface.
Use a Static IPv4 Address
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select an external interface. Click Configure.
The Interface Settings dialog box appears.
3. On the IPv4 tab, select Use Static IP.
4. In the IP address text box, type or select the IP address of the interface.
5. In the Default Gateway text box, type or select the IP address of the default gateway.
6. Click OK.
Use PPPoE Authentication to get an IPv4 Address
If your ISP uses PPPoE, you must configure PPPoE authentication before your device can send traffic
through the external interface. Fireware XTM supports the PAP, EAP, CHAP, MS-CHAP, and MS-CHAPv2
PPPoE authentication methods.
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select an external interface. Click Configure.
The Interface Settings dialog box appears.
3. On the IPv4 tab, select Use PPPoE.
4. Select an option:
n Obtain an IP address automatically
n Use IP address (supplied by your Internet Service Provider)
5. If you selected Use IP Address, in the adjacent text box, type or select the IP address.
6. Type the User Name and Password. Type the password again.
ISPs use the email address format for user names, such as [email protected]
7. To configure PPPoE options, click Advanced Properties.
The PPPoE Properties dialog box appears. Your ISP can tell you if you must change the timeout or
LCP values.
8. If your ISP requires the Host-Uniq tag for PPPoE discovery packets, select the Use Host-Uniq
tag in PPPoE discovery packets check box.
For a secondary PPPoE interface, this check box is always selected.
9. Select when the device connects to the PPPoE server:
n Always-on — The XTM device keeps a constant PPPoE connection. It is not necessary for
network traffic to go through the external interface.
If you select this option, type or select a value in the PPPoE initialization retry every text
box to set the number of seconds that PPPoE tries to initialize before it times out.
n Dial-on-demand — The XTM device connects to the PPPoE server only when it gets a
request to send traffic to an IP address on the external interface.
If your ISP regularly resets the connection, select this option.
If you select this option, in the Idle timeout in text box, set the length of time a client can
stay connected when no traffic is sent.
If you do not select this option, you must manually restart the XTM device each time the
connection resets.
10. To use LCP echo requests to detect lost PPPoE connections, select the Use LCP echo
requests to detect lost PPPoE connections check box.
This is enabled by default.
11. In the LCP echo failure in text box, type or select the number of failed LCP echo requests
allowed before the PPPoE connection is considered inactive and closed.
12. In the LCP echo timeout in text box, type or select the length of time, in seconds, that the
response to each echo timeout must be received.
13. To configure the XTM device to automatically restart the PPPoE connection on a daily or
weekly basis, select the Schedule time for auto restart check box.
14. From the Schedule time for auto restart drop-down list, select Daily to restart the connection
at the same time each day, or select a day of the week to restart weekly. Select the hour and
minute of the day (in 24 hour time format) to automatically restart the PPPoE connection.
15. In the Service Name text box, type a PPPoE service name.
This is either an ISP name or a class of service that is configured on the PPPoE server.
Usually, this option is not used. Select it only if there is more than one access concentrator, or
you know that you must use a specified service name.
16. In the Access Concentrator Name text box, type the name of a PPPoE access concentrator,
also known as a PPPoE server. Usually, this option is not used. Select it only if you know there
is more than one access concentrator.
17. In the Authentication retries text box, type or select the number of times that the XTM device
can try to make a connection.
The default value is three (3) connection attempts.
18. In the Authentication timeout text box, type a value for the amount of time between
connection attempt retries.
The default value is 20 seconds between each connection attempt.
19. If you configure the PPPoE settings to use a static IP address, you can select one of three
options for PPPoE IP address negotiation:
n Send PPPoE client static IP address during PPPoE negotiation — This option
configures the XTM device to send the PPPoE client IP address to the PPPoE server during
PPPoE negotiation. This is the default setting.
n Don't send PPPoE client static IP address during PPPoE negotiation — This option
configures the XTM device not to send the PPPoE client IP address to the PPPoE server.
n Send and enforce PPPoE client static IP address during PPPoE negotiation — This
option configures the XTM device to send the PPPoE client IP address to the
PPPoE server, and use the configured IP address even if another IP address is obtained
from the PPPoE server. To use this option, the XTM device must use Fireware XTM v11.8.1
or higher.
20. To configure the XTM device to negotiate DNS with the PPPoE server, select the Negotiate
DNS with PPPoE Server check box. This is enabled by default. Clear this check box if you do
not want the XTM device to negotiate DNS.
21. Click OK.
Use DHCP to Get an IPv4 IP Address
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select an external interface. Click Configure.
The Interface Settings dialog box appears.
3. On the IPv4 tab, select Use DHCP Client.
4. If your ISP or external DHCP server requires a client identifier, such as a MAC address, in the
Client text box, type this information.
5. To specify a host name for identification, in the Host Name text box, type the host name.
6. To enable DHCP to assign an IP address to the XTM device, in the Host IP section, select
Obtain an IP automatically.
To manually assign an IP address and use DHCP to give this assigned address to the
XTM device, select Use IP address and type the IP address in the adjacent text box.
IP addresses assigned by a DHCP server have an eight hour lease by default, which means the
address is valid for eight hours.
7. To change the lease time, select the Leasing Time check box and select the lease time value
from the adjacent drop-down list.
You can optionally enable the DHCP Force Renew option. This feature enables the XTM device to
handle a FORCERENEW message from your ISP or DHCP provider. The DHCP server sends a
FORCERENEW message to request that the DHCP client renew its leased IP address sooner than it
ordinarily would, based on the configured lease time. If your ISP or DHCP provider requests that you
enable this option, they might also specify a shared key. The shared key is optional, but
recommended. If you specify a shared key, it must match the shared key in the
FORCERENEW message. If you do not specify a shared key, the XTM device responds to any
FORCERENEW message, whether a shared key is present or not.
The DHCP Force Renew option is supported in Fireware XTM v11.8.1 and higher.
To enable the XTM device to handle a DHCP FORCERENEW request:
1. Select the DHCP Force Renew check box.
2. (Optional) In the Shared Key text box, type the shared key.
The shared key is encrypted and stored in the configuration file.
Enable IPv6 for an External Interface
You can configure the external interface with an IPv6 address in addition to the IPv4 address. IPv6 is
not enabled on any interface by default. When you enable IPv6 for an external interface, you can
configure the interface with one or more static IPv6 addresses, and you can configure the interface to
use DHCP to get an IPv6 address. You can also enable IP address autoconfiguration.
Enable IPv6
To enable IPv6 for an external interface:
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select an external interface. Click Configure.
The Interface Settings dialog box appears.
3. Select the IPv6 tab.
4. Select the Enable IPv6 check box.
Next you can add static IPv6 IP addresses, enable the interface to use DHCPv6, or both.
Add a Static IPv6 Address
To add a static IPv6 address:
1. Adjacent to the Static IPv6 Addresses list, click Add.
The Add Static IPv6 Address dialog box appears.
2. Type the IPv6 IP address and the routing prefix size.
3. Click OK.
The IP address is added to the list.
Use DHCPv6 to get an IPv6 Address
You can configure the interface to use DHCPv6 to get an IP address. To get IPv6 addresses from a
server, the DHCPv6 client can use a rapid two-message exchange (solicit, reply) or a four-message
exchange (solicit, advertise, request, reply). By default, the DHCPv6 client uses the four-message
exchange. To use the two-message exchange, enable the Rapid Commit option on the XTM device
and on the DHCPv6 server.
To enable DHCPv6 for the interface:
1. Select Enable DHCPv6 Client.
2. Select the Rapid Commit check box to use a rapid two-message exchange to get an IPv6
address.
Use IPv6 Address Autoconfiguration
IPv6 address autoconfiguration enables the XTM device to automatically assign an IPv6 link-local
address to this interface. When you enable IP address autoconfiguration, the external interface is
automatically enabled to receive IPv6 router advertisements. With IPv6 address autoconfiguration
enabled, it is not necessary to specify a default gateway.
To enable IPv6 Address Autoconfiguration:
Select the IP Address Autoconfiguration check box in the IPv6 tab.
For more information about IPv6 stateless address autoconfiguration, see RFC 4862.
Configure the Default Gateway
When you enable IPv6 for an external interface, if you do not enable IPv6 address autoconfiguration,
you must specify the default IPv6 gateway.
To specify the default gateway:
In the Default Gateway text box, type the IPv6 address of the default gateway.
Configure a Secondary PPPoE Interface
When you configure an external interface to use PPPoE, you can optionally add up to 25 secondary
PPPoE interfaces. This enables the XTM device to establish multiple PPPoE sessions on the same
external interface. Each secondary PPPoE interface must be associated with an external interface that
is configured to use PPPoE. The external interface is the primary PPPoE interface. The primary
PPPoE interface must be a physical interface. You cannot associate a secondary PPPoE interface
with a Link Aggregation or VLAN interface.
You can use a PPPoE secondary interface in most of the same ways that you use a physical interface.
For example, you can use it in the configuration of policies, multi-WAN, VPN, and NAT.
A secondary PPPoE interface cannot be a member of a Bridge, VLAN, or Link
Aggregation interface.
Add a Secondary PPPoE Interface
1. In Policy Manager, select Network > Configuration.
2. Make sure at least one external interface is configured to use PPPoE.
For more information, see Configure an External Interface.
3. Select the PPPoE tab.
A list of configured primary and secondary PPPoE interfaces appears.
4. Click Add.
The New PPPoE Properties dialog box appears.
5. In the Name (Alias) text box, type a name for this interface.
6. (Optional) In the Description text box, type a description for this interface.
7. In the Associated Interface drop-down list, select an external interface.
Only external interfaces that are configured to use PPPoE appear in the list.
8. Select an IP address option:
n Obtain an IP address automatically
n Use IP address (supplied by your Internet Service Provider)
9. If you selected Use IP Address, in the adjacent text box, type or select the IP address.
10. Type the User Name and Password. Type the password again.
Many ISPs use the email address format for user names.
11. Click OK.
The new secondary PPPoE interface is added to the PPPoE tab.
The primary PPPoE interface appears in the list of interfaces on the PPPoE tab, but
you cannot edit it from there. To edit the settings for the primary PPPoE interface,
select the Interfaces tab and edit the external interface settings.
Configure MTU Settings
To change the Maximum Transmission Unit for a secondary PPPoE interface:
1. In the PPPoE tab, select the PPPoE secondary interface to edit.
2. Click Edit.
3. In the Maximum Transmission Unit (MTU) text box, select the maximum packet size, in
bytes, that can be sent through the interface. We recommend that you use the default, 1500
bytes, unless your network equipment requires a different packet size.
You can set the MTU from a minimum of 68 to a maximum of 9000.
4. Click OK.
Configure QoS Settings
Before you can configure QoS settings for a PPPoE secondary interface, you must first enable QoS in
the global settings. For more information, see About Traffic Management and QoS
To configure QoS for a secondary PPPoE interface:
1. In the PPPoE tab, select the PPPoE secondary interface to edit.
2. Click Edit.
3. In the Marking Type drop-down list, select either DSCP or IP Precedence.
4. In the Marking Method drop-down list, select the marking method:
n Preserve — Do not change the current value of the bit. The XTM device prioritizes the traffic
based on this value.
n Assign — Assign the bit a new value.
n Clear — Clear the bit value (set it to zero).
5. If you selected Assign in the previous step, select a marking value.
If you selected the IP Precedence marking type, you can select values from 0 (normal priority)
through 7 (highest priority).
If you selected the DSCP marking type, the values are 0–56.
6. Select the Prioritize traffic based on QoS Marking check box.
7. Click OK.
Configure PPPoE Options
The PPPoE options you can configure for a secondary PPPoE interface are the same as for a primary
external PPPoE interface. Your ISP can tell you if you must change the timeout or LCP values.
To configure PPPoE options for a secondary PPPoE interface:
1. In the PPPoE tab, select the PPPoE secondary interface to edit.
2. Click Edit.
3. To configure PPPoE options, click Advanced Properties.
4. If your ISP requires the Host-Uniq tag for PPPoE discovery packets, select the Use Host-Uniq
tag in PPPoE discovery packets check box.
For a secondary PPPoE interface, this check box is always selected.
5. Select when the device connects to the PPPoE server:
n Always-on — The XTM device keeps a constant PPPoE connection. The connection is kept up
even when no network traffic goes through the external interface.
If you select this option, type or select a value in the PPPoE initialization retry every text
box to set the number of seconds that PPPoE tries to initialize before it times out.
n Dial-on-demand — The XTM device connects to the PPPoE server only when it gets a
request to send traffic to an IP address on the external interface.
If your ISP regularly resets the connection, select this option.
If you select this option, in the Idle timeout in text box, set the length of time a client can
stay connected when no traffic is sent.
If you do not select this option, you must manually restart the XTM device each time the
connection resets.
6. To use LCP echo requests to detect lost PPPoE connections, select the Use LCP echo
requests to detect lost PPPoE connections check box.
This is enabled by default.
7. In the LCP echo failure in text box, type or select the number of failed LCP echo requests
allowed before the PPPoE connection is considered inactive and closed.
8. In the LCP echo timeout in text box, type or select the length of time, in seconds, within which
the response to each LCP echo request must be received.
9. To configure the XTM device to automatically restart the PPPoE connection on a daily or
weekly basis, select the Schedule time for auto restart check box.
10. From the Schedule time for auto restart drop-down list, select Daily to restart the connection
at the same time each day, or select a day of the week to restart weekly. Select the hour and
minute of the day (in 24 hour time format) to automatically restart the PPPoE connection.
11. In the Service Name text box, type a PPPoE service name.
This is either an ISP name or a class of service that is configured on the PPPoE server.
Usually, this option is not used. Select it only if there is more than one access concentrator, or
you know that you must use a specified service name.
12. In the Access Concentrator Name text box, type the name of a PPPoE access concentrator,
also known as a PPPoE server. Usually, this option is not used. Select it only if you know there
is more than one access concentrator.
13. In the Authentication retries text box, type or select the number of times that the XTM device
can try to make a connection.
The default value is three (3) connection attempts.
14. In the Authentication timeout text box, type a value for the amount of time between
connection attempt retries.
The default value is 20 seconds between each connection attempt.
15. If you configure the PPPoE settings to use a static IP address, you can select one of three
options for PPPoE IP address negotiation:
n Send PPPoE client static IP address during PPPoE negotiation — This option
configures the XTM device to send the PPPoE client IP address to the PPPoE server during
PPPoE negotiation. This is the default setting.
n Don't send PPPoE client static IP address during PPPoE negotiation — This option
configures the XTM device not to send the PPPoE client IP address to the PPPoE server.
n Send and enforce PPPoE client static IP address during PPPoE negotiation — This
option configures the XTM device to send the PPPoE client IP address to the
PPPoE server, and use the configured IP address even if another IP address is obtained
from the PPPoE server. To use this option, the XTM device must use Fireware XTM v11.8.1
or higher.
16. To configure the XTM device to negotiate DNS with the PPPoE server, select the Negotiate
DNS with PPPoE Server check box. This is enabled by default. Clear this check box if you do
not want the XTM device to negotiate DNS.
17. Click OK.
Configure a Trusted or Optional Interface
A trusted or optional interface is used to connect your XTM device to a network inside your
organization.
To configure a trusted or optional network interface:
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select an interface and click Configure.
The Interface Settings dialog box appears.
3. In the Interface Name (Alias) text box, you can use the default name or change it to one that
more closely reflects your own network.
Make sure the name is unique among interface names, as well as all Mobile VPN group names
and tunnel names. You can use this alias with other features, such as proxy policies, to manage
network traffic for this interface.
4. (Optional) In the Interface Description text box, type a description of the interface.
5. From the Interface Type drop-down list, select Trusted or Optional.
6. In the IP Address text box, type the IPv4 address in slash notation. For information about
IP addresses to use for trusted and optional networks, see About Private IP Addresses.
7. Configure other interface settings.
n For information about how to automatically assign IPv4 addresses to clients that
connect to a trusted or optional interface, see Configure IPv4 DHCP in Mixed Routing
Mode on page 178 or Configure DHCP Relay on page 209.
n For information about how to use more than one IPv4 address on a single physical
network interface, see Add a Secondary Network IP Address on page 213.
n For information about how to configure an interface to use an IPv6 address, see Enable
IPv6 for a Trusted or Optional Interface.
8. Click OK.
Configure IPv4 DHCP in Mixed Routing Mode
DHCP (Dynamic Host Configuration Protocol) is a method to assign IP addresses automatically to
network clients. You can configure your XTM device as a DHCP server for the networks that it
protects. If you have a DHCP server, we recommend that you continue to use that server for DHCP.
These DHCP settings apply to trusted and optional interfaces, and to VLAN, Bridge, and Link
Aggregation interfaces in the trusted and optional security zones.
If your XTM device is configured in drop-in mode, see Configure DHCP in Drop-In Mode on page 199.
Configure DHCP for IPv4
1. Select Network > Configuration.
2. Select a trusted or an optional interface. Click Edit.
To configure DHCP for a wireless guest network, select Network > Wireless and click
Configure for the wireless guest network.
3. Select Use DHCP Server, or for the wireless guest network, select the Enable DHCP Server
on Wireless Guest Network check box.
4. To add a group of IP addresses to assign to users on this interface, in the Address Pool
section, click Add.
5. Specify starting and ending IP addresses on the same subnet, then click OK.
The address pool must belong either to the interface’s primary or secondary IP subnet.
You can configure a maximum of six address ranges. Address groups are used from first to last.
Addresses in each group are assigned by number, from lowest to highest.
6. To change the default lease time for addresses in the DHCP address pool, select a different
option in the Lease Time drop-down list.
This is the time interval that a DHCP client can use an IP address that it receives from the DHCP
server. When the lease time is about to expire, the client sends data to the DHCP server to get a new
lease.
To modify or delete an address pool range:
1. In the Address Pool table select the entry.
2. Click Edit to edit the selected range.
3. Click Remove to remove the selected range.
Configure DHCP Reservations
To reserve a specific IP address for a client:
1. In the Reserved Addresses section, click Add.
For a wireless guest network, click DHCP Reservations and then click Add.
2. Type a name for the reservation, the IP address you want to reserve, and the MAC address of
the client’s network card.
The DHCP reservation name cannot start or end with a dot (.) or dash (-), and cannot contain an
underscore (_).
3. Click OK.
To modify or delete a reservation:
1. In the Reserved Addresses table, select the reservation.
2. Click Edit to edit the selected reservation.
3. Click Remove to remove the selected reservation.
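A check of the address-pool and reservation-name rules from the two procedures above, written as an added example rather than WatchGuard code. The interface subnets and ranges are constructed sample values; the rule that the interface's own address is never handed out is an assumption beyond the guide's text.

```python
import ipaddress
import re

MAX_POOL_RANGES = 6  # the guide allows at most six address ranges per interface

# Reservation names must not start or end with "." or "-", and must not contain "_".
_RESERVATION_NAME_RE = re.compile(r"^(?![.-])[^_]*(?<![.-])$")


def reservation_name_is_valid(name: str) -> bool:
    """Apply the guide's naming rule for DHCP reservation names."""
    return bool(name) and _RESERVATION_NAME_RE.match(name) is not None


def validate_address_pool(interface_subnets, ranges):
    """Check a list of (start, end) IPv4 ranges against the guide's pool rules.

    interface_subnets: the interface's primary and any secondary addresses in
    slash notation, e.g. ["10.0.1.1/24", "192.168.5.1/24"] (constructed values).
    Returns a list of error strings; an empty list means the pool is acceptable.
    """
    errors = []
    if len(ranges) > MAX_POOL_RANGES:
        errors.append(f"too many ranges: {len(ranges)} > {MAX_POOL_RANGES}")
    nets = [ipaddress.ip_interface(s).network for s in interface_subnets]
    iface_addrs = {ipaddress.ip_interface(s).ip for s in interface_subnets}
    for start, end in ranges:
        a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if b < a:
            errors.append(f"{start}-{end}: ending IP is lower than starting IP")
            continue
        # Both ends must lie in the same subnet, and that subnet must be one of the
        # interface's primary or secondary subnets.
        owner = next((n for n in nets if a in n and b in n), None)
        if owner is None:
            errors.append(f"{start}-{end}: not inside one subnet of this interface")
            continue
        # Assumption (not stated in the guide): never lease the interface's own address.
        for ip in iface_addrs:
            if a <= ip <= b:
                errors.append(f"{start}-{end}: contains interface address {ip}")
    return errors
```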
Configure DHCP Options
If you have a WatchGuard XTM 21, 22, or 23 device, this feature is not available for
your device.
There are three configurable DHCP options. Many VoIP phones use these DHCP options to download
their boot configuration. The DHCP options are:
n TFTP Server IP (Option 150) — The IP address of the TFTP server where the DHCP client
can download the boot configuration.
n TFTP Server Name (Option 66) — The name of the TFTP server where the DHCP client can
download the boot configuration. This option is supported only for devices that use Fireware
XTM v11.7.4 and higher.
n TFTP Boot Filename (Option 67) — The name of the boot file.
Options 66 and 67 are described in RFC 2132. Option 150 is used by Cisco IP phones.
To configure the DHCP options:
1. Click DHCP Options.
2. In the TFTP Server IP text box, type the IP address of the TFTP server.
3. In the TFTP Server Name text box, type the name of the TFTP server.
4. In the TFTP Boot Filename text box, type the name of the boot file on the TFTP server.
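An encoder and decoder for the three options above in the RFC 2132 code/length/value layout, added here as an example and not WatchGuard code. The server address, name and file name are constructed sample values; the decoder rejects truncated or mis-sized options, which is the check a DHCP client should make before trusting a boot configuration.

```python
import ipaddress
import struct

OPT_TFTP_SERVER_NAME = 66   # RFC 2132: TFTP server name (string)
OPT_BOOTFILE_NAME = 67      # RFC 2132: boot file name (string)
OPT_TFTP_SERVER_IP = 150    # Cisco: one or more TFTP server IPv4 addresses
OPT_PAD, OPT_END = 0, 255


def _tlv(code: int, value: bytes) -> bytes:
    """One option: 1-byte code, 1-byte length, then the value (1..255 bytes)."""
    if not 1 <= len(value) <= 255:
        raise ValueError(f"option {code}: value length {len(value)} not in 1..255")
    return struct.pack("BB", code, len(value)) + value


def encode_tftp_options(server_ips=(), server_name=None, boot_filename=None) -> bytes:
    """Encode the guide's three DHCP options, terminated by the End option."""
    out = b""
    if server_ips:
        packed = b"".join(ipaddress.IPv4Address(ip).packed for ip in server_ips)
        out += _tlv(OPT_TFTP_SERVER_IP, packed)
    if server_name:
        out += _tlv(OPT_TFTP_SERVER_NAME, server_name.encode("ascii"))
    if boot_filename:
        out += _tlv(OPT_BOOTFILE_NAME, boot_filename.encode("ascii"))
    return out + bytes([OPT_END])


def decode_options(data: bytes) -> dict:
    """Walk a DHCP options field and return {code: value} for the three TFTP options."""
    result, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:          # PAD has no length byte
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("option code without length byte")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:     # do not read past the end of the field
            raise ValueError(f"option {code}: truncated value")
        i += 2 + length
        if code == OPT_TFTP_SERVER_IP:
            if length % 4:
                raise ValueError("option 150 length must be a multiple of 4")
            result[code] = [str(ipaddress.IPv4Address(value[j:j + 4]))
                            for j in range(0, length, 4)]
        elif code in (OPT_TFTP_SERVER_NAME, OPT_BOOTFILE_NAME):
            result[code] = value.decode("ascii")
    return result
```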
Configure Per-Interface WINS/DNS
By default, when it is configured as a DHCP server your XTM device gives out the DNS and WINS
server information configured on the Network Configuration > WINS/DNS tab. To specify different
information for your device to assign when it gives out IP addresses, you can add a DNS server for the
interface.
n To configure the per-interface DNS/WINS settings, click Configure DNS/WINS Servers.
n To change the default DNS domain, type a Domain Name.
n To create a new DNS or WINS server entry, click Add adjacent to the server type you want,
type an IP address, and click OK.
n To change the IP address of the selected server, click Edit.
n To remove the selected server from the adjacent list, click Delete.
n To configure the per-interface DNS/WINS settings, click DNS/WINS, below the Use
DHCP Server drop-down list.
Enable IPv6 for a Trusted or Optional Interface
You can configure a trusted, optional, or custom interface with an IPv6 address in addition to the IPv4
address. IPv6 is not enabled on any interface by default. When you enable IPv6, you can configure the
interface with one or more static IPv6 addresses. You can also configure router advertisement of the
IP address prefix.
Add a Static IPv6 IP Address
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select a trusted, optional, or custom interface. Click Configure.
The Interface Settings dialog box appears.
3. Select the IPv6 tab.
4. Select the Enable IPv6 check box.
5. Click Add.
6. Type the IPv6 IP address and the routing prefix size.
7. To add the prefix for this IP address to the Prefix Advertisement list, select the Add Prefix
Advertisement check box.
You can select this option only if the prefix size is /64.
8. Click OK.
The IP address is added to the list.
Configure Router Advertisement
When you enable IPv6 for a trusted, optional, or custom interface, you can enable the interface to send
Router Advertisement messages. When you enable Router Advertisement, the interface sends the
configured IP address prefixes in router advertisements on the local network. Router Advertisement is
used for IPv6 neighbor discovery and IPv6 address autoconfiguration.
The Router Advertisement settings appear in the Router Advertisement section of the IPv6 tab.
Router Advertisement Settings
Select the Send Advertisement check box to enable the XTM device to send periodic router
advertisements and respond to router solicitations. If you select the Add Prefix Advertisement check
box for any IPv6 IP address, the Send Advertisement check box is automatically selected.
The Router Advertisement section has five other settings that appear in all router advertisement
messages:
n M Flag — The managed address configuration flag. This flag indicates that host addresses are
available through DHCPv6. If the M flag is selected, the O flag is ignored, because DHCPv6
returns all available configuration information. The M flag is disabled by default.
n O Flag — The other stateful configuration flag. This flag indicates that other configuration
information is available through DHCPv6. Examples of such information include DNS-related
information, or information about other servers within the network. The O flag is disabled by
default.
n Default Lifetime — The lifetime associated with the default router. The default value is 30
minutes. The maximum is 150 minutes.
n Maximum Interval — The maximum time allowed between unsolicited multicast router
advertisements sent from the interface. It must be a value from 4 to 1800 seconds. The default
value is 10 minutes.
n Minimum Interval — The minimum time allowed between unsolicited multicast router
advertisements sent from the interface. It must be a value from 3 to 1350 seconds. The default
value is 200 seconds.
Add a Prefix Advertisement
To add a Prefix Advertisement prefix for a static IPv6 address:
In the Static IPv6 Addresses list, select the Add Prefix Advertisement check box adjacent
to a configured static IP address. You can also select this check box when you add the static
IP address. In either case, the prefix for the static IP address is added to the Prefix
Advertisement list.
For example, if the static IP address is 2001:db8::2/64 , when you select Add Prefix
Advertisement, the prefix 2001:db8:: is added to the Prefix Advertisement list.
To add a Prefix Advertisement that is not associated with a static IPv6 address:
1. In the Router Advertisement section, select the Send Advertisement check box.
2. Click Add.
The Add Prefix Advertisement dialog box appears.
3. In the Prefix text box, type the IPv6 prefix.
The prefix must be a network IP address in the format x:x::/64.
4. (Optional) Change the other prefix advertisement settings:
n Valid Lifetime — The length of time after the packet is sent that the prefix is valid for the
purpose of onlink determination.
n Preferred Lifetime — The length of time after the packet is sent that addresses generated
from the prefix through stateless address autoconfiguration remain preferred.
n Onlink — If enabled, a host can use this prefix to determine whether a destination is onlink
as opposed to reachable only through a router.
n Autonomous — If enabled, a host can use this prefix for stateless autoconfiguration of the
link-local address.
5. Click OK.
Edit a Prefix Advertisement
1. To change the Autonomous and Onlink settings, select or clear the check box in the adjacent
column.
2. To edit other settings, select the Prefix Advertisement and click Edit.
Remove a Prefix Advertisement
1. To remove the prefix advertisement associated with a configured static IP address, clear the
Add Prefix Advertisement check box adjacent to the static IP address in the Static IPv6
Addresses table.
2. To remove any other prefix advertisement, select the prefix in the Prefix Advertisement list.
Then click Remove.
Configure IPv6 Connection Settings
When you enable IPv6 for an interface, you can configure IPv6 connection settings. The default values
are appropriate for most networks. We recommend that you do not change them unless your network
requires it. These settings appear in the IPv6 tab when you edit an interface.
1. In the Hop Limit text box, type or select the IPv6 hop limit.
The hop limit is the number of network segments a packet can travel over before it is discarded
by a router.
The default value is 64.
2. In the DAD Transmits text box, type or select the number of DAD (Duplicate Address
Detection) transmits for this link.
The default value is 1. If you set this value to 0, duplicate address detection is not performed.
Configure an IPv6 DHCP Server
DHCPv6 is a method to assign IPv6 addresses automatically to network clients. When you enable
IPv6 for a trusted or optional interface, you can enable the DHCPv6 server on the interface, to assign
IPv6 addresses to clients that connect.
Before you can enable the DHCPv6 server, you must enable IPv6 for the interface. For more
information, see Enable IPv6 for a Trusted or Optional Interface.
You cannot use these special purpose IP addresses in the DHCPv6 configuration:
n IP addresses that start with 2002, unless bits 17-48 specify a valid IPv4 address
n IP addresses that start with FE80, because this specifies a link local address
n IP addresses that start with FEC0, because this specifies a site local address
Configure DHCPv6 Server Settings
You can enable DHCPv6 for a trusted or optional interface that has IPv6 enabled.
1. Select Network > Configuration.
2. Select a trusted or an optional interface. Click Edit.
3. Select the IPv6 tab.
4. From the DHCP drop-down list, select Use DHCP Server.
5. Click Configure.
The DHCPv6 Server Configuration dialog box appears.
Configure the DHCPv6 Address Pool
1. In the Address Pool section of the Settings tab, click Add.
Add Address Range dialog box appears.
2. In the Starting IP and Ending IP text boxes, type two IPv6 addresses in the same prefix range
as an IPv6 address configured for this interface.
3. Click OK.
Configure DHCPv6 Reservations
To reserve a specific IP address for a client:
1. In the Reserved Addresses section, click Add.
The Add Reserved IP by DUID dialog box appears.
2. In the Reserved IP text box, type the IPv6 address to reserve.
3. In the Reservation Name text box, type a name for this reservation.
The reservation name cannot start or end with a dot (.) or hyphen (-), and cannot contain an
underscore. The maximum length of a reservation name is 64 characters.
4. In the DUID text box, type the DHCPv6 Client DUID.
5. Click OK.
Enable Rapid Commit
To get IPv6 addresses from a server, the DHCPv6 client can use a rapid two-message exchange
(solicit, reply) or a four-message exchange (solicit, advertise, request, reply). By default, the DHCPv6
client uses the four-message exchange. To use the two-message exchange, you must enable the
Rapid Commit option on the XTM device and on the client. Select the Rapid Commit check box to
enable the DHCP server to use the rapid two-message exchange to assign an IP address.
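A model of the two exchanges described above, added as an example (not WatchGuard code) to show that the two-message exchange only happens when both the client and the server have Rapid Commit enabled. Message names follow RFC 3315; the option handling is simplified to the Rapid Commit option alone.

```python
# DHCPv6 message types used by the two exchanges (RFC 3315 names).
SOLICIT, ADVERTISE, REQUEST, REPLY = "SOLICIT", "ADVERTISE", "REQUEST", "REPLY"
RAPID_COMMIT = "rapid-commit"  # option carried in SOLICIT and echoed in the REPLY


def dhcpv6_exchange(client_rapid_commit: bool, server_rapid_commit: bool) -> list:
    """Return the messages exchanged as (sender, message, options) tuples.

    The client only gets the two-message exchange when it asks for it in its
    SOLICIT and the server is configured to honour the request; in every other
    case the server answers with ADVERTISE and the four-message exchange follows.
    """
    solicit_opts = {RAPID_COMMIT} if client_rapid_commit else set()
    messages = [("client", SOLICIT, solicit_opts)]
    if RAPID_COMMIT in solicit_opts and server_rapid_commit:
        # Server commits the address immediately and echoes the option.
        messages.append(("server", REPLY, {RAPID_COMMIT}))
        return messages
    # Server with Rapid Commit disabled, or a client that did not ask for it:
    # normal four-message exchange.
    messages.append(("server", ADVERTISE, set()))
    messages.append(("client", REQUEST, set()))
    messages.append(("server", REPLY, set()))
    return messages


def message_sequence(messages) -> list:
    """Just the message types, in order, for quick comparison."""
    return [m for _, m, _ in messages]


def address_assigned(messages) -> bool:
    """The client holds an address once it has received a REPLY."""
    return any(m == REPLY for _, m, _ in messages)
```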
Configure IPv6 Address Lifetimes
The IPv6 lifetime settings control the length of time an assigned IPv6 address remains valid and the
length of time the address is preferred. To change the default lifetime settings, change the values for
Valid Lifetime and Preferred Lifetime. The Valid Lifetime must be greater than or equal to the
Preferred Lifetime.
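A validator for the DHCPv6 server settings described in this section (the excluded special-purpose addresses, the address pool, reservation names, and the lifetime ordering), plus the /64 prefix derivation from the Prefix Advertisement section. It is an added example, not WatchGuard code; the addresses and DUID are constructed values, and reading "valid IPv4 address" in the 2002 rule as a globally routable address is an assumption.

```python
import ipaddress


def excluded_reason(addr_text: str):
    """Return why an address may not appear in the DHCPv6 configuration, or None if it may.

    Implements the three exclusions from the guide, reading "starts with" as the
    first 16-bit group of the address.
    """
    addr = ipaddress.IPv6Address(addr_text)
    first_group = int(addr) >> 112
    if first_group == 0xFE80:
        return "link-local address (starts with FE80)"
    if first_group == 0xFEC0:
        return "site-local address (starts with FEC0)"
    if first_group == 0x2002:
        # 6to4: bits 17-48 carry an embedded IPv4 address. Assumption: "valid" means a
        # globally routable IPv4 address, which is what a 6to4 prefix is derived from.
        embedded = ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)
        if not embedded.is_global:
            return f"6to4 address whose embedded IPv4 address {embedded} is not global"
    return None


def advertised_prefix(static_addr: str):
    """Prefix that Add Prefix Advertisement places in the list for a static address.

    Returns None when the prefix size is not /64, because the guide allows the
    check box only for /64 addresses; 2001:db8::2/64 gives 2001:db8::/64.
    """
    iface = ipaddress.IPv6Interface(static_addr)
    return str(iface.network) if iface.network.prefixlen == 64 else None


def validate_dhcpv6(interface_addrs, pool, reservations, valid_lifetime, preferred_lifetime):
    """Collect configuration errors for the DHCPv6 server on one interface.

    interface_addrs: static IPv6 addresses of the interface in slash notation.
    pool: list of (starting_ip, ending_ip) strings.
    reservations: list of (name, ipv6_address, duid) tuples.
    Lifetimes are in seconds. Returns a list of error strings; empty means acceptable.
    """
    errors = []
    nets = [ipaddress.IPv6Interface(a).network for a in interface_addrs]
    for start, end in pool:
        a, b = ipaddress.IPv6Address(start), ipaddress.IPv6Address(end)
        for ip in (a, b):
            reason = excluded_reason(str(ip))
            if reason:
                errors.append(f"{ip}: {reason}")
        if b < a:
            errors.append(f"{start}-{end}: ending IP is lower than starting IP")
        elif not any(a in n and b in n for n in nets):
            errors.append(f"{start}-{end}: not in the prefix range of an address on this interface")
    for name, ip, duid in reservations:
        # Name rule from the guide: 1-64 characters, no leading/trailing "." or "-", no "_".
        if not name or len(name) > 64 or name[0] in ".-" or name[-1] in ".-" or "_" in name:
            errors.append(f"reservation {name!r}: name violates the naming rule")
        if not duid:
            errors.append(f"reservation {name!r}: DUID is required")
        reason = excluded_reason(ip)
        if reason:
            errors.append(f"reservation {name!r}: {reason}")
    if valid_lifetime < preferred_lifetime:
        errors.append("Valid Lifetime must be greater than or equal to Preferred Lifetime")
    return errors
```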
Configure Per-Interface DHCPv6 DNS Servers
By default, when it is configured as a DHCP server, your XTM device gives out the DNS and WINS
server information configured on the Network Configuration > WINS/DNS tab. To specify different
information for your device to assign when it gives out IPv6 addresses, you can add DNS servers in
the DHCPv6 settings for the interface.
To configure DNS servers:
1. In the DHCPv6 Server Configuration dialog box, select the DNS tab.
2. To change the default DNS domain that the DHCP client appends to unqualified host names, in
the Domain Name text box type a domain name.
3. In the text box below the DNS Servers list, type the IPv6 address of a DNS server.
4. Click Add.
You can add the IP addresses of up to three DNS servers.
Configure DHCPv6 SIP Servers
You can add the IPv6 addresses or domain name of SIP servers to your DHCPv6 server configuration.
This enables the DHCPv6 server to provide the SIP server domain name or SIP server IP addresses to
SIP clients that request them. You can specify a SIP server domain name, and up to three
IP addresses.
To configure SIP servers:
1. In the DHCPv6 Server Configuration dialog box, select the SIP tab.
2. To specify the SIP server domain, type the domain name in the SIP Domain Name text box.
3. To specify a SIP server IP address, in the text box below the SIP Servers list, type the IPv6
address of a SIP server.
4. Click Add to add the IP address to the list.
Configure a Custom Interface
A custom interface enables you to define a custom security zone that is separate from the predefined
trusted, optional, and external zones. A custom interface is not a member of the built-in aliases
Any-Trusted, Any-Optional, or Any-External. Because a custom interface is not included in the built-in
aliases, traffic for a custom interface is not allowed through the XTM device unless you specifically
configure policies to allow it.
To configure a custom interface, the device must use Fireware XTM v11.9 or higher.
You can configure a physical interface, wireless interface, Bridge, VLAN, or Link Aggregation interface
as a custom interface. When you configure an interface as a custom interface, the network settings
you can configure are the same as for a trusted or optional interface.
These examples show how you can use a custom interface:
Example 1 — Create a wireless guest network on an XTM wireless device
To enable a wireless network for guest users, you can configure an access point in the Custom
zone and use the wireless interface alias in policies that you want to handle traffic from wireless
clients. For example, to set up Access Point 1 on an XTM wireless device as a guest network:
n In the Wireless Access Point 1 configuration, set the Interface Type to Custom, and
configure the network settings.
n Use the alias WG-Wireless-Access-Point1 in the policies you want to handle traffic for
connected wireless clients.
Example 2 — Create a security zone with a level of trust different from Trusted or Optional
If you already have trusted and optional networks, and you want to configure a third internal
security zone, you can configure one or more interfaces or wireless access points as Custom.
You can then add these custom interfaces to a new alias. Use the new alias in policies that you
want to handle traffic from this network.
For example, to create a Semi-Trusted security zone that includes both wired and wireless
networks:
n Configure interfaces 1 and 2 as Custom and configure the network settings.
n Configure Access Point 1 and Access Point 2 as Custom and configure the network
settings.
n Create a new alias, Semi-Trusted, that includes the two custom interfaces, and the two
custom access points as members.
n Use the Semi-Trusted alias in policies you want to handle traffic for clients connected to
any of these networks.
For more information about aliases, see About Aliases.
To configure a physical interface as a custom network interface:
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select an interface and click Configure.
The Interface Settings dialog box appears.
3. In the Interface Name (Alias) text box, you can use the default name or change it to one that
more closely reflects your own network.
Make sure the name is unique among interface names, and is not used for any Mobile VPN
group names or tunnel names. You can use this alias with other features, such as proxy
policies, to manage network traffic for this interface.
4. (Optional) In the Interface Description text box, type a description of the interface.
5. From the Interface Type drop-down list, select Custom.
6. In the IP Address text box, type the IPv4 address in slash notation. For information about
IP addresses to use for trusted and optional networks, see About Private IP Addresses.
7. Configure other interface settings.
n For information about how to automatically assign IPv4 addresses to clients that
connect to a trusted or optional interface, see Configure IPv4 DHCP in Mixed Routing
Mode on page 178 or Configure DHCP Relay on page 209.
n For information about how to use more than one IPv4 address on a single physical
network interface, see Add a Secondary Network IP Address on page 213.
n For information about how to configure an interface to use an IPv6 address, see Enable
IPv6 for a Trusted or Optional Interface.
8. Click OK.
To configure a wireless, VLAN, Bridge, or Link Aggregation interface as a custom interface, set the
Interface Type to Custom, and configure all other settings as you would for a trusted or optional
interface.
After you configure an interface as a custom interface, you must configure policies to allow traffic to
and from the interface. You can edit the existing policies or create new policies that use the custom
interface name. Or, you can create a new alias that includes multiple custom interfaces, and then use
that custom alias in policies. For more information about aliases, see About Aliases.
About the Dynamic DNS Service
You can register the external IP address of your XTM device with the dynamic Domain Name System
(DNS) service DynDNS.org. A dynamic DNS service makes sure that the IP address attached to your
domain name changes when your ISP gives your device a new IP address. This feature is available in
either mixed routing or drop-in network configuration mode.
If you use this feature, your XTM device gets the IP address of members.dyndns.org when it starts up.
It makes sure the IP address is correct every time it restarts and at an interval of every twenty days. If
you make any changes to your DynDNS configuration on your XTM device, or if you change the IP
address of the default gateway, it updates DynDNS.com immediately.
For more information on the Dynamic DNS service or to create a DynDNS account, go to
http://www.dyndns.com.
WatchGuard is not affiliated with DynDNS.com.
Use Dynamic DNS
You can register the external IP address of your XTM device with the dynamic DNS (Domain Name
System) service called Dynamic Network Services (DynDNS). WatchGuard System Manager does
not currently support other dynamic DNS providers.
A dynamic DNS service makes sure that the IP address attached to your domain name changes when
your ISP gives your XTM device a new IP address. Your device checks the IP address of
members.dyndns.org when it starts up. It makes sure the IP address is correct every time it restarts
and at an interval of every twenty days. If you make any changes to your DynDNS configuration on
your XTM device, or if you change the IP address of the default gateway configured for your device,
your configuration at DynDNS.com is updated immediately.
For more information on dynamic DNS, go to http://www.dyndns.com.
WatchGuard is not affiliated with DynDNS.com.
1. Set up a DynDNS account. Go to the DynDNS web site and follow the instructions on the site.
2. In Policy Manager, select Network > Configuration.
3. Select the WINS/DNS tab.
4. Make sure you have defined at least one DNS server. If you have not, use the procedure in Add
WINS and DNS Server Addresses on page 211.
5. Select the Dynamic DNS tab.
6. Select the external interface for which you want to configure dynamic DNS and click
Configure.
The Per Interface Dynamic DNS dialog box appears.
7. To enable dynamic DNS, select the Enable Dynamic DNS check box.
8. Type the user name, password, and domain name you used to set up your dynamic DNS
account.
9. From the Service Type drop-down list, select the system to use for this update:
n dyndns — Sends updates for a Dynamic DNS host name. Use this option when you have
no control over your IP address (for example, it is not static, and it changes on a regular
basis).
n custom — Sends updates for a custom DNS host name. This option is frequently used by
businesses that pay to register their domain with dyndns.com.
For more information on each option, see http://www.dyndns.com/services/.
10. In the Options text box, you can type any of the following options. You must type the “&”
character before and after each option you add. If you add more than one option, you must
separate the options with the “&” character.
For example:
&backmx=NO&wildcard=ON&
The available options are:
• mx=mailexchanger
• backmx=YES|NO
• wildcard=ON|OFF|NOCHG
• offline=YES|NO
For more information on options, see http://www.dyndns.com/developers/specs/syntax.html.
11. Use the arrows to set a time interval (in days) to force an update of the IP address.
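The Options string has a strict shape: an “&” before and after every option, and only the values listed in step 10. As an added example that is not part of the guide, this Python builds such a string and validates one exactly as it would be typed; the host-name syntax check for mx is my own assumption.

```python
import re

# Options the guide lists for the Options text box; None means "any host name".
ALLOWED_OPTIONS = {
    "mx": None,                         # mx=mailexchanger
    "backmx": {"YES", "NO"},
    "wildcard": {"ON", "OFF", "NOCHG"},
    "offline": {"YES", "NO"},
}

# Conservative DNS host name syntax (labels of letters, digits and hyphens); an assumption.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def _check_option(key, value):
    """Raise ValueError unless key=value is one of the documented options."""
    if key not in ALLOWED_OPTIONS:
        raise ValueError(f"unknown option {key!r}")
    allowed = ALLOWED_OPTIONS[key]
    if allowed is None:
        if not _HOSTNAME_RE.match(value):
            raise ValueError(f"{key}: {value!r} is not a valid host name")
    elif value not in allowed:
        raise ValueError(f"{key}: expected one of {sorted(allowed)}, got {value!r}")


def build_options(**options):
    """Build the Options string with '&' before and after every option."""
    for key, value in options.items():
        _check_option(key, value)
    if not options:
        return ""
    return "&" + "&".join(f"{k}={v}" for k, v in options.items()) + "&"


def parse_options(text):
    """Validate an Options string as typed into the text box and return a dict."""
    if text == "":
        return {}
    if not (text.startswith("&") and text.endswith("&")):
        raise ValueError("the Options string must begin and end with '&'")
    result = {}
    for item in text[1:-1].split("&"):
        if "=" not in item:
            raise ValueError(f"malformed option {item!r} (expected key=value)")
        key, value = item.split("=", 1)
        _check_option(key, value)
        if key in result:
            raise ValueError(f"option {key!r} given more than once")
        result[key] = value
    return result


def is_valid_options(text):
    """True if parse_options() accepts the string."""
    try:
        parse_options(text)
        return True
    except ValueError:
        return False
```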
Drop-In Mode
In a drop-in configuration, your XTM device is configured with the same IP address on all interfaces.
The drop-in configuration mode distributes the network’s logical address range across all available
network interfaces. You can put your XTM device between the router and the LAN and not have to
change the configuration of any local computers. This configuration is known as drop-in mode because
your XTM device is dropped in to a previously configured network.
In drop-in mode:
• The same primary IP address is assigned to all interfaces on your XTM device (external,
trusted, optional, and custom).
• You can assign secondary networks on any interface.
• Dynamic routing (OSPF, BGP, or RIP) is not supported.
• Built-in wireless networking on Firebox or XTM wireless devices is not supported (Fireware
XTM v11.9 and higher).
• You can keep the same IP addresses and default gateways for hosts on your trusted and
optional networks, and add a secondary network address to the primary external interface so
your XTM device can correctly send traffic to the hosts on these networks.
• The public servers behind your XTM device can continue to use public IP addresses. Network
address translation (NAT) is not used to route traffic from outside your network to your public
servers.
The properties of a drop-in configuration are:
• You must assign and use a static IP address on the external interface.
• You use one logical network for all interfaces.
• You cannot configure more than one external interface when your XTM device is configured in
drop-in mode. Multi-WAN functionality is automatically disabled.
It is sometimes necessary to clear the ARP cache of each computer protected by the XTM device, but
this is not common.
If you move an IP address from a computer located behind one interface to a
computer located behind a different interface, it can take several minutes before
network traffic is sent to the new location. Your XTM device must update its internal
routing table before this traffic can pass. Traffic types that are affected include
logging, SNMP, and XTM device management connections.
You can configure your network interfaces with drop-in mode when you run the Quick Setup Wizard. If
you have already created a network configuration, you can use Policy Manager to switch to drop-in
mode. For more information, see Run the Web Setup Wizard on page 32.
Use Drop-In Mode for Network Interface Configuration
1. Click the toolbar icon, or select Network > Configuration.
The Network Configuration dialog box appears.
2. From the Configure Interfaces in drop-down list, select Drop-In Mode.
3. In the IP Address text box, type the IP address you want to use as the primary address for all
interfaces on your XTM device.
4. In the Gateway text box, type the IP address of the gateway. This IP address is automatically
added to the Related Hosts list.
5. Click OK.
6. Save the Configuration File.
In the Network Configuration dialog box, you can also scroll down to configure settings for each
interface, such as the interface type, secondary IP addresses, MAC Access Control and other
settings.
Configure Related Hosts
In a drop-in or bridge configuration, the XTM device is configured with the same IP address on each
interface. Your XTM device automatically discovers new devices that are connected to these
interfaces and adds each new MAC address to its internal routing table. If you want to configure device
connections manually, or if the Automatic Host Mapping feature does not operate correctly, you can
add a related hosts entry. A related hosts entry creates a static route between the host IP address and
one network interface. We recommend that you disable Automatic Host Mapping on interfaces for
which you create a related hosts entry.
1. Click the toolbar icon, or select Network > Configuration.
The Network Configuration dialog box appears.
2. Configure network interfaces in drop-in or bridge mode, then click Properties.
The Drop-In Mode Properties dialog box appears.
3. Clear the check box for any interface for which you want to add a related hosts entry.
4. Click Add. Type the IP address of the device for which you want to build a static route from the
XTM device.
5. Click the Interface Name column area to select the interface for the related hosts entry.
6. Click OK.
7. Save the Configuration File.
Configure DHCP in Drop-In Mode
When you use drop-in mode for network configuration, you can use Policy Manager to optionally
configure the XTM device as a DHCP server for networks it protects, or make the XTM device a
DHCP relay agent. If you have a configured DHCP server, we recommend that you continue to use
that server for DHCP.
Use DHCP
1. Click the toolbar icon, or select Network > Configuration.
The Network Configuration dialog box appears.
2. If your XTM device is not already configured in drop-in mode, from the Configure Interfaces in
drop-down list select Drop-In Mode.
3. Select Use DHCP Server.
4. To add an address pool from which your XTM device can give out IP addresses, click Add next
to the Address Pool box and specify starting and ending IP addresses that are on the same
subnet as the drop-in IP address.
Do not include the drop-in IP address in the address pool. Click OK.
You can configure a maximum of six address ranges.
5. To reserve a specific IP address from an address pool for a device or client, adjacent to the
Reserved Addresses field, click Add. Type a name to identify the reservation, the IP address
you want to reserve, and the MAC address for the device. Click OK.
6. In the Leasing Time drop-down list, select the maximum amount of time that a DHCP client
can use an IP address.
7. By default, your XTM device gives out the DNS/WINS server information configured on the
Network Configuration > WINS/DNS tab when it is configured as a DHCP server. To send
different DNS/WINS server information to DHCP clients, click the Configure DNS/WINS
servers button.
8. Click OK.
9. Save the Configuration File.
Configure DHCP Options
There are three configurable DHCP options. Many VoIP phones use these DHCP options to download
their boot configuration. The DHCP options are:
• TFTP Server IP (Option 150) — The IP address of the TFTP server where the DHCP client
can download the boot configuration.
• TFTP Server Name (Option 66) — The name of the TFTP server where the DHCP client can
download the boot configuration. This option is supported only for devices that use Fireware
XTM v11.7.4 and higher.
• TFTP Boot Filename (Option 67) — The name of the boot file.
Options 66 and 67 are described in RFC 2132. Option 150 is used by Cisco IP phones.
To configure the DHCP options:
1. Click DHCP Options.
2. In the TFTP Server IP text box, type the IP address of the TFTP server.
3. In the TFTP Server Name text box, type the name of the TFTP server.
4. In the TFTP Boot Filename text box, type the name of the boot file on the TFTP server.
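The three settings above travel in the DHCP reply as code/length/value options. This added example, not WatchGuard code, encodes and decodes options 66, 67 and 150 in the RFC 2132 layout, treating option 150 as a list of IPv4 addresses as Cisco phones expect; the server name, address and file name in the test are constructed sample values.

```python
import socket

OPT_PAD = 0
OPT_TFTP_SERVER_NAME = 66    # RFC 2132: TFTP server name, a string
OPT_BOOTFILE_NAME = 67       # RFC 2132: boot file name, a string
OPT_TFTP_SERVER_IP = 150     # Cisco: one or more IPv4 addresses, 4 bytes each
OPT_END = 255


def _tlv(code, payload):
    """Encode one option as code, length, value (the length field is a single byte)."""
    if len(payload) > 255:
        raise ValueError(f"option {code}: value is longer than 255 bytes")
    return bytes([code, len(payload)]) + payload


def encode_dhcp_options(tftp_server_ip=None, tftp_server_name=None, boot_filename=None):
    """Return the option bytes, terminated with End, for the three settings in the guide."""
    out = bytearray()
    if tftp_server_ip is not None:
        ips = [tftp_server_ip] if isinstance(tftp_server_ip, str) else list(tftp_server_ip)
        out += _tlv(OPT_TFTP_SERVER_IP, b"".join(socket.inet_aton(ip) for ip in ips))
    if tftp_server_name is not None:
        out += _tlv(OPT_TFTP_SERVER_NAME, tftp_server_name.encode("ascii"))
    if boot_filename is not None:
        out += _tlv(OPT_BOOTFILE_NAME, boot_filename.encode("ascii"))
    out.append(OPT_END)
    return bytes(out)


def decode_dhcp_options(data):
    """Parse option bytes into {code: value}; unknown options are kept as raw bytes."""
    result = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:          # single-byte option with no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError(f"option {code}: missing length byte")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: truncated value")
        i += 2 + length
        if code == OPT_TFTP_SERVER_IP:
            if length == 0 or length % 4 != 0:
                raise ValueError("option 150: length must be a non-zero multiple of 4")
            result[code] = [socket.inet_ntoa(value[j:j + 4]) for j in range(0, length, 4)]
        elif code in (OPT_TFTP_SERVER_NAME, OPT_BOOTFILE_NAME):
            result[code] = value.decode("ascii")
        else:
            result[code] = bytes(value)
    return result
```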
Use DHCP Relay
1. Click the toolbar icon, or select Network > Configuration.
The Network Configuration dialog box appears.
2. Select Use DHCP Relay.
3. Type the IP address of the DHCP server in the related field. Make sure to Add a Static Route to
the DHCP server, if necessary.
4. Click OK.
5. Save the Configuration File.
Configure DHCP Settings for a Single Interface
In drop-in mode, you can specify different DHCP settings for each trusted or optional interface in your
configuration.
1. Click the toolbar icon, or select Network > Configuration.
The Network Configuration dialog box appears.
2. Scroll to the bottom of the Network Configuration dialog box and select an interface.
3. Click Configure.
4. Update the DHCP settings:
• To use the same DHCP settings that you configured for drop-in mode, select Use System
DHCP Setting.
• To disable DHCP for clients on that network interface, select Disable DHCP.
• To configure DHCP relay for clients on a secondary network, select Use DHCP Relay for
Secondary Network. Specify the IP address of the DHCP server to use for the secondary
network.
• To configure different DHCP options for clients on a secondary network, select Use
DHCP Server for Secondary Network. Complete Steps 3–6 of the Use DHCP procedure
to add IP address pools, set the default lease time, and manage DNS/WINS servers.
• To configure DHCP options for the secondary network, click DHCP Options.
5. Click OK.
Bridge Mode
Bridge mode is a feature that allows you to install your XTM device between an existing network and
its gateway to filter or manage network traffic. When you enable this feature, your XTM device
processes and forwards all network traffic to other gateway devices. When the traffic arrives at a
gateway from the XTM device, it appears to have been sent from the original device.
To use bridge mode, you must specify an IP address that is used to manage your XTM device. The
device also uses this IP address to receive security services signature updates and to route traffic to
internal DNS, NTP, or WebBlocker servers. Because of this, make sure you assign an IP address that
is routable on the Internet.
In bridge mode, L2 and L3 headers are not changed. If you want traffic on the same physical interface
of an XTM device to pass through the device, you cannot use bridge mode. In this case, you must use
drop-in or mixed routing mode, and set the default gateway of those computers to be the XTM device
itself.
When you use bridge mode, your XTM device cannot complete some functions that require the device
to operate as a gateway. These functions include:
• Multi-WAN
• VLANs (Virtual Local Area Networks)
• Network bridges
• Static routes
• FireCluster
• Secondary networks
• DHCP server or DHCP relay
• Modem failover
• 1-to-1, dynamic, or static NAT
• Dynamic routing (OSPF, BGP, or RIP)
• Any type of VPN for which the XTM device is an endpoint or gateway
• Some proxy functions, including HTTP Web Cache Server
• Authentication automatic redirect
• Management of an AP device
If you have previously configured these features or services, they are disabled when you switch to
bridge mode. To use these features or services again, you must use a different network mode. If you
return to drop-in or mixed routing mode, you might have to configure some features again.
When you enable bridge mode, any interfaces with a previously configured network
bridge or VLAN are disabled. To use those interfaces, you must first change to either
drop-in or mixed routing mode, and configure the interface as External, Optional, or
Trusted, then return to bridge mode. Wireless features on XTM wireless devices
operate correctly in bridge mode.
When you configure your XTM device in Bridge Mode, the LCD display on your XTM
device shows the IP address of the bridged interfaces as 0.0.0.0. This is expected
behavior.
To use a network bridge on an XTMv virtual machine on ESXi, you must enable
promiscuous mode on the attached virtual switch (vSwitch) in VMware. You cannot
use a network bridge on an XTMv virtual machine on Hyper-V, because Hyper-V
virtual switches do not support promiscuous mode.
Enable Bridge Mode
To configure the XTM device in bridge mode:
1. Click the toolbar icon, or select Network > Configuration.
The Network Configuration window appears.
2. From the Configure Interfaces In drop-down list, select Bridge Mode.
3. If you are prompted to disable interfaces, click Yes to disable the interfaces, or No to return to
your previous configuration.
4. Type the IP Address of your XTM device in slash notation.
For more information on slash notation, see About Slash Notation on page 5.
5. Type the Gateway IP address that receives all network traffic from the device.
6. Click OK.
Allow Management Access from a VLAN
When you configure an XTM device in bridge mode, you cannot configure VLANs on the XTM device.
But the XTM device can pass VLAN tagged traffic between 802.1Q bridges or switches. You can
optionally configure the XTM device to be managed from a VLAN that has a specified VLAN tag.
To enable management from a VLAN for a device in bridge mode:
1. Click the toolbar icon, or select Network > Configuration.
The Network Configuration window appears.
2. Select the Allow VLAN tag for management access check box.
3. Type or select the VLAN ID you want to allow to connect to the device for management
access.
4. Click OK.
Common Interface Settings
When the XTM device is in mixed routing mode, you can configure it to send network traffic between a
wide variety of physical and virtual network interfaces. Mixed routing mode is the default network mode
and offers the greatest amount of flexibility for different network configurations. However, you must
configure each interface separately, and you might need to change network settings for each computer
or client protected by your XTM device.
For all of the supported network modes, you can configure common settings for each interface. The
interface configuration options available depend on the network mode and interface type.
To configure a network interface:
1. Select Network > Configuration.
2. Select an interface and click Configure.
The Interface Settings dialog box appears.
3. In the Interface Name (Alias) text box, you can use the default name or change it to one that
more closely reflects your own network and its own trust relationships.
Make sure the name is unique among interface names, as well as all Mobile VPN group names
and tunnel names. You can use this alias with other features, such as proxy policies, to manage
network traffic for this interface.
4. (Optional) In the Interface Description text box, type a description of the interface.
5. From the Interface Type drop-down list, select the value of the interface type: External,
Trusted, Optional, Bridge, VLAN, Link Aggregation, or Disabled. Some interface types
have additional settings.
6. Configure the interface settings.
• To set the IP address of a trusted or optional interface, type the IP address in slash
notation.
• For information about IP addresses to use for trusted and optional networks, see About
Private IP Addresses.
• For information about how to assign an IPv4 address to an external interface for a
device in mixed routing mode, see Configure an External Interface on page 163.
• To automatically assign IPv4 addresses to clients that connect to a trusted or optional
interface, see Configure IPv4 DHCP in Mixed Routing Mode on page 178 or Configure
DHCP Relay on page 209.
• To use more than one IP address on a single physical network interface, see Add a
Secondary Network IP Address on page 213.
• To configure an interface to use an IPv6 address for a device in mixed routing mode,
see Enable IPv6 for an External Interface and Enable IPv6 for a Trusted or Optional
Interface.
• For information about how to configure a network bridge, see Create a Network Bridge
Configuration.
• For information about VLAN configuration, see Assign Interfaces to a VLAN.
• For more information about Link Aggregation, see About Link Aggregation.
• To disable an interface from your configuration, see Disable an Interface on page 208.
7. Click OK.
Disable an Interface
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select the interface you want to disable. Click Configure.
The Interface Settings dialog box appears.
3. From the Interface Type drop-down list, select Disabled. Click OK.
In the Network Configuration dialog box, the interface now appears as type Disabled.
Configure DHCP Relay
One way to get IP addresses for the computers on the trusted or optional networks is to use a DHCP
server on a different network. You can use DHCP relay to get IP addresses for the computers on the
trusted or optional network. With this feature, the XTM device sends DHCP requests to a server on a
different network.
If the DHCP server you want to use is not on a network protected by your XTM device, you must set
up a branch office VPN tunnel between your XTM device and the network where the DHCP server is
for this feature to operate correctly.
To configure DHCP relay:
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select a trusted or an optional interface and click Configure.
3. Select Use DHCP Relay.
4. Type the IP address of the DHCP server in the related field. Make sure to Add a Static Route to
the DHCP server, if necessary. The DHCP server can be on the network at the remote end of a
branch office VPN tunnel.
Restrict Network Traffic by MAC Address
You can use a list of MAC addresses to manage which devices are allowed to send traffic on the
network interface you specify. When you enable this feature, your XTM device checks the
MAC address of each computer or device that connects to the specified interface. If the MAC address
of that device is not on the MAC Access Control list for that interface, the device cannot send traffic.
This feature is especially helpful to prevent any unauthorized access to your network from a location
within your office. However, you must update the MAC Address Control list for each interface when a
new, authorized computer is added to the network.
If you choose to restrict access by MAC address, you must include the MAC
address for the computer you use to administer your XTM device.
To enable MAC Access Control for a network interface:
1. Select Network > Configuration.
The Network Configuration window appears.
2. Select the interface on which you want to enable MAC Access Control, then click Configure.
The Interface Settings window appears.
3. Select the MAC Access Control tab.
4. Select the Restrict access by MAC address check box.
5. Click Add.
The Add a MAC address window appears.
6. Type the MAC address of the computer or device to give it access to the specified interface.
7. (Optional) Type a Name for the computer or device to identify it in the list.
8. Click OK.
Repeat steps 5–8 to add more computers or devices to the MAC Access Control list.
Add WINS and DNS Server Addresses
Some XTM device features use shared Windows Internet Name Server (WINS) and Domain Name
System (DNS) server IP addresses. These features include DHCP and Mobile VPN. Access to these
servers must be available from the trusted interface of the XTM device.
This information is used for two purposes:
• The XTM device uses this DNS server to resolve names to IP addresses for IPSec VPNs and
for the spamBlocker, Gateway AV, and IPS features to operate correctly.
• The WINS and DNS entries are used by DHCP clients on the trusted or optional networks, and
by Mobile VPN users to resolve DNS queries.
Mobile VPN clients use only the first two DNS servers.
Make sure that you use only an internal WINS and DNS server for DHCP and Mobile VPN. This is to
make sure that you do not create policies with configuration properties that make it difficult for your
users to connect to the DNS server.
To configure the network WINS and DNS settings:
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select the WINS/DNS tab.
The information on the WINS/DNS tab appears.
3. In the DNS Servers text box, type the IPv4 or IPv6 address for each DNS server.
4. Click Add.
5. (Optional) Repeat Steps 3–4 to specify up to three DNS servers.
6. (Optional) In the Domain Name text box, type a domain name that a DHCP client appends to
unqualified host names.
7. In the WINS Servers text boxes, type the primary and secondary IPv4 address of the WINS
servers.
8. Click OK.
The XTM device uses the WINS and DNS servers that you configure here unless you configure a
different WINS/DNS server elsewhere.
• You can specify different WINS and DNS servers in the Mobile VPN with SSL settings. For
more information, see Configure the XTM Device for Mobile VPN with SSL.
• You can specify different WINS and DNS servers when you configure an interface to use the
XTM device as a DHCP server. For more information, see Configure IPv4 DHCP in Mixed
Routing Mode.
Add a Secondary Network IP Address
When you configure an XTM device interface, you can add secondary network IP addresses to the
interface. Each IP address you add can be on the same subnet or on a different subnet from the
primary IP address of the interface.
Secondary network IP address on the same subnet
For an internal interface, you can use a secondary IP address on the same subnet if an internal
host must use that IP address as its default gateway.
For an external interface, a common reason to use a secondary IP address on the same subnet
is when you want to forward traffic to multiple internal servers. When outgoing traffic, such as
traffic from an SMTP server, must appear to come from the same secondary IP address, use
the policy-based dynamic NAT Set source IP option in an outgoing policy.
For an example of this type of configuration, see the configuration example Use NAT for Public
Access to Servers with Private IP Addresses, available at
http://www.watchguard.com/help/configuration-examples/.
For more information about policy-based dynamic NAT, see Configure Policy-Based Dynamic
NAT.
Secondary network IP address on a different subnet
If the secondary IP address is on a different subnet from the primary IP address of the interface,
it tells the XTM device that there is one more network on the XTM device interface. When you
add a secondary network on a different subnet, the XTM device creates a route from any IP
address on the secondary network to the IP address of the XTM device interface.
For an external interface, you would use a secondary network on a different subnet if your ISP
gives you multiple IP addresses on different subnets, and the ISP gateway can route traffic to
and from the different subnets.
For a trusted or optional interface, you would define a secondary network on a different subnet
when you want to connect the interface to more than one internal network. An example is
described in the following section.
If you configure an XTM device in drop-in mode, each XTM device interface uses the same
primary IP address. However, you probably use a different set of IP addresses on your trusted
network. You can add this private network as a secondary network to the trusted interface of
your XTM device.
For you to configure a secondary network IP address for an interface, your XTM device must use a
routed or drop-in network configuration. You can add secondary network IP addresses to an external
interface of an XTM device even if that external interface is configured to get its primary IP address
through PPPoE or DHCP.
Configure a Secondary Network
Use these steps to add a secondary network. In this example, the secondary network is on a trusted
interface.
To define a secondary network address, you must have an unused IP address on the secondary
network to assign to the XTM device interface.
To define a secondary network:
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select the interface for the secondary network and click Configure.
The Interface Settings dialog box appears.
3. Select the Secondary tab.
4. Click Add. Type an unassigned host IP address from the secondary network.
5. Click OK.
6. Click OK again.
Make sure to add secondary network addresses correctly. The XTM device does not
tell you if the address is correct. We recommend that you do not create a subnet as a
secondary network on one interface that is a component of a larger network on a
different interface. If you do this, the XTM device could identify this traffic as
spoofing a network that it expects to exist on another interface, and the network
could fail to operate correctly. The XTM device might not ARP to the same network
on multiple interfaces (with the exception of drop-in mode, bridged interfaces, and
bridged VLANs).
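Because the device does not tell you whether a secondary address is sound, the checks in this section are worth scripting before you commit a change. The following is an added example, not the guide's or WatchGuard's code: it classifies a candidate secondary address as same-subnet or new-network, confirms it is an unassigned host address, and flags overlap with a network on a different interface. The configuration dictionary and the drop-in handling (the shared primary network is ignored when comparing interfaces) are my assumptions.

```python
import ipaddress


def check_secondary_network(config, iface_name, candidate, drop_in=False):
    """Classify and sanity-check a secondary address for one interface.

    config: {interface name: [IPv4Interface, ...]}, index 0 being the primary address.
    Returns (kind, findings): kind is "same-subnet" or "new-network", the two cases
    the guide distinguishes; findings lists problems (empty means the address looks sound).
    """
    cand = ipaddress.ip_interface(candidate)
    primary = config[iface_name][0]
    findings = []

    # The guide asks for an unused host address on the secondary network.
    if cand.network.prefixlen < 31 and cand.ip in (
        cand.network.network_address, cand.network.broadcast_address
    ):
        findings.append("address is the network or broadcast address, not a host address")
    for name, addrs in config.items():
        if any(a.ip == cand.ip for a in addrs):
            findings.append(f"address {cand.ip} is already assigned on interface {name}")

    kind = "same-subnet" if cand.network == primary.network else "new-network"
    if kind == "new-network":
        # A new network on this interface becomes a route. It must not be a piece of
        # (or contain) a network the device already expects on a different interface,
        # or the device may treat that traffic as spoofed.
        for name, addrs in config.items():
            if name == iface_name:
                continue
            for a in addrs:
                if a.version != cand.version:
                    continue
                if drop_in and a.network == primary.network:
                    continue  # drop-in: the shared primary network sits on every interface
                if cand.network.subnet_of(a.network) or a.network.subnet_of(cand.network):
                    findings.append(
                        f"{cand.network} overlaps {a.network} on interface {name}; "
                        "the device may treat this traffic as spoofed"
                    )
    return kind, findings
```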
About Advanced Interface Settings
You can use several advanced settings for XTM device interfaces:
Network Interface Card (NIC) Settings
Configures the speed and duplex parameters for XTM device interfaces to automatic or manual
configuration. We recommend you keep the link speed configured for automatic negotiation. If
you use the manual configuration option, you must make sure the device the XTM device
connects to is also manually set to the same speed and duplex parameters as the XTM device.
Use the manual configuration option only when you must override the automatic XTM device
interface parameters to operate with other devices on your network.
Set Outgoing Interface Bandwidth
When you use Traffic Management settings to guarantee bandwidth to policies, this setting
makes sure that you do not guarantee more bandwidth than actually exists for an interface. This
setting also helps you make sure the sum of guaranteed bandwidth settings does not fill the link
such that non-guaranteed traffic cannot pass.
Enable QoS Marking for an Interface
Creates different classifications of service for different kinds of network traffic. You can set the
default marking behavior as traffic goes out of an interface. These settings can be overridden by
settings defined for a policy.
Set DF Bit for IPSec
Determines the setting of the Don’t Fragment (DF) bit for IPSec.
PMTU Setting for IPSec
(External interfaces only) Controls the length of time that the XTM device lowers the MTU for an
IPSec VPN tunnel when it gets an ICMP Request to Fragment packet from a router with a lower
MTU setting on the Internet.
Use Static MAC Address Binding
Uses computer hardware (MAC) addresses to control access to an XTM device interface.
Network Interface Card (NIC) Settings
1. Select Network > Configuration.
2. Click the interface you want to configure, and then click Configure.
3. Select the Advanced tab.
4. In the Link Speed drop-down list, select Auto Negotiate if you want the XTM device to select
the best network speed. You can also select one of the half-duplex or full-duplex speeds that
you know is compatible with your other network equipment.
Auto Negotiate is the default setting. We strongly recommend that you do not change this
setting unless instructed to do so by Technical Support. If you set the link speed manually and
other devices on your network do not support the speed you select, this can cause a conflict
that does not allow your XTM device interface to reconnect after failover.
5. In the Maximum Transmission Unit (MTU) text box, specify the maximum packet size, in
bytes, that can be sent through the interface. We recommend that you use the default, 1500
bytes, unless your network equipment requires a different packet size.
You can set the MTU from a minimum of 68 to a maximum of 9000.
For XTM 5 Series models, interface 0 supports a maximum MTU of 1500.
6. To change the MAC address of the external interface, select the Override MAC Address
check box and type the new MAC address.
For more information about MAC addresses, see the following section.
7. Click OK.
About MAC Addresses
Some ISPs use a MAC address to identify the computers on their network. Each MAC address gets
one static IP address. If your ISP uses this method to identify your computer, then you must change
the MAC address of the XTM device external interface. Use the MAC address of the cable modem,
DSL modem, or router that connected directly to the ISP in your original configuration.
The MAC address must have these properties:
• The MAC address must use 12 hexadecimal characters. Hexadecimal characters have a value
between 0 and 9 or between “a” and “f.”
• The MAC address must operate with:
o One or more addresses on the external network.
o The MAC address of the trusted network for the device.
o The MAC address of the optional network for the device.
• The MAC address must not be set to 000000000000 or ffffffffffff.
If the Override MAC Address check box is not selected when the XTM device is restarted, the device
uses the default MAC address for the external network.
To avoid problems with MAC addresses, the XTM device makes sure that the MAC address you
assign to the external interface is unique on your network. If the XTM device finds a device that uses
the same MAC address, the XTM device changes back to the standard MAC address for the external
interface and starts again.
Set Outgoing Interface Bandwidth
Some traffic management features require that you set a bandwidth limit for each network interface.
For example, you must configure the Outgoing Interface Bandwidth setting to use QoS marking and
prioritization.
After you set this limit, your XTM device completes basic prioritization tasks on network traffic to
prevent problems with too much traffic on the specified interface. Also, a warning appears in Policy
Manager if you allocate too much bandwidth as you create or adjust traffic management actions.
If you do not change the Outgoing Interface Bandwidth setting for any interface from the default
value of 0, it is set to the auto-negotiated link speed for that interface.
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select the interface for which you want to set bandwidth limits and click Configure.
The Interface Settings dialog box appears.
3. Select the Advanced tab.
4. In the Outgoing Interface Bandwidth text box, type the amount of bandwidth provided by the
network. Use your Internet connection upload speed (in Kbps rather than KBps) as the limit for
external interfaces. Set your LAN interface bandwidth based on the current or maximum link
speed supported by the devices in your LAN.
5. Click OK.
6. Click OK again.
7. Save the Configuration File.
Set DF Bit for IPSec
When you configure the external interface, select one of the three options to determine the setting for
the Don’t Fragment (DF) bit for IPSec section.
Copy
Select Copy to apply the DF bit setting of the original frame to the IPSec encrypted packet. If a
frame does not have the DF bits set, Fireware XTM does not set the DF bits and fragments the
packet if needed. If a frame is set to not be fragmented, Fireware XTM encapsulates the entire
frame and sets the DF bits of the encrypted packet to match the original frame.
Set
Select Set if you do not want your XTM device to fragment the frame regardless of the original
bit setting. If a user must make IPSec connections to an XTM device from behind a different
XTM device, you must clear this check box to enable the IPSec pass-through feature. For
example, if mobile employees are at a customer location that has an XTM device, they can make
IPSec connections to their network with IPSec. For your local XTM device to correctly allow the
outgoing IPSec connection, you must also add an IPSec policy.
Clear
Select Clear to break the frame into pieces that can fit in an IPSec packet with the ESP or AH
header, regardless of the original bit setting.
PMTU Setting for IPSec
This advanced interface setting applies to external interfaces only.
The Path Maximum Transmission Unit (PMTU) setting controls the length of time that the XTM device lowers the MTU for an IPSec VPN tunnel after it receives an ICMP Fragmentation Needed message (ICMP type 3, code 4) from a router on the Internet with a lower MTU setting.
We recommend that you keep the default setting. This can protect you from a router on the Internet
with a very low MTU setting.
Use Static MAC Address Binding
You can control access to an interface on your XTM device by computer hardware (MAC) address.
This feature can help protect your network from ARP spoofing (ARP poisoning) attacks, in which an attacker changes the MAC address of a computer, or sends forged ARP replies, to impersonate a real device on your network. To use MAC address binding, you associate an IP address on the specified interface with a MAC address. When this feature is enabled, a computer with a listed MAC address can send and receive traffic only if it uses the associated IP address.
You can also use this feature to restrict all network traffic to devices that match the MAC and IP
addresses on this list. This is similar to the MAC access control feature.
For more information, see Restrict Network Traffic by MAC Address on page 210.
If you choose to restrict network access by MAC address binding, make sure that
you include the MAC address for the computer you use to administer your XTM
device.
To configure the static MAC address binding settings:
1. Select Network > Configuration. Select an interface, then click Configure.
2. Select the Advanced tab.
3. Adjacent to the Static MAC/IP Address Binding table, click Add.
4. Type an IP address and MAC address pair. Click OK. Repeat this step to add additional pairs.
5. If you want this interface to pass only traffic that matches an entry in the Static MAC/IP
Address Binding list, select the Only allow traffic sent from or to these MAC/IP
addresses check box.
If you do not want to block traffic that does not match an entry in the list, clear this check box.
If you select the Only allow traffic sent from or to these MAC/IP addresses
check box, but do not add any entries to the table, the MAC/IP Address Binding
feature does not become active.
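As an added illustration, which is not WatchGuard code and not a description of the Fireware implementation, the following Python model applies a static MAC/IP binding table the way the settings above describe: a bound MAC may only use its bound IP, an unlisted pair is dropped only when the "Only allow" option is on, and that option is ignored while the table is empty. Two details are this example's own assumptions: that a bound IP is also rejected when it arrives from a different MAC (the case that defeats ARP spoofing), and the pre-flight check that the administrator's workstation is in the list before the restrict option is turned on. The names BindingTable, allow and safe_to_restrict are invented here.

```python
"""Added example: a model of Static MAC/IP Address Binding enforcement.
Not WatchGuard code; class and function names are this example's own."""
from dataclasses import dataclass, field


def normalize_mac(mac: str) -> str:
    """Accept XX-XX-XX-XX-XX-XX or xx:xx:xx:xx:xx:xx and return lower-case colon form."""
    parts = mac.replace("-", ":").lower().split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed MAC address: {mac!r}")
    int("".join(parts), 16)  # raises ValueError on a non-hex digit
    return ":".join(parts)


@dataclass
class BindingTable:
    """One interface's Static MAC/IP Address Binding list plus the
    'Only allow traffic sent from or to these MAC/IP addresses' check box."""
    only_allow_listed: bool = False
    by_ip: dict = field(default_factory=dict)   # ip  -> mac
    by_mac: dict = field(default_factory=dict)  # mac -> ip

    def add(self, ip: str, mac: str) -> None:
        mac = normalize_mac(mac)
        self.by_ip[ip] = mac
        self.by_mac[mac] = ip

    def restrict_active(self) -> bool:
        # Per the guide, the check box has no effect while the table is empty.
        return self.only_allow_listed and bool(self.by_ip)

    def allow(self, ip: str, mac: str) -> bool:
        """Decide whether a frame with this source IP/MAC pair may pass."""
        mac = normalize_mac(mac)
        bound_mac = self.by_ip.get(ip)
        bound_ip = self.by_mac.get(mac)
        if bound_mac is not None or bound_ip is not None:
            # At least one half of the pair is bound: the pair must match exactly.
            # This blocks a bound MAC using any other IP (the case the guide states)
            # and a foreign MAC claiming a bound IP (assumed ARP-spoofing case).
            return bound_mac == mac and bound_ip == ip
        # Neither the IP nor the MAC is in the table.
        return not self.restrict_active()


def safe_to_restrict(table: BindingTable, admin_ip: str, admin_mac: str) -> bool:
    """Pre-flight check for the guide's warning: the administrator's own
    workstation must be in the list before the restrict option is enabled."""
    return table.by_ip.get(admin_ip) == normalize_mac(admin_mac)


def demo() -> dict:
    """Constructed sample: one bound pair with the restrict option on, then
    four frames checked against it. Returns a label -> allowed mapping."""
    table = BindingTable(only_allow_listed=True)
    table.add("10.0.1.10", "00-11-22-33-44-55")
    return {
        "bound pair": table.allow("10.0.1.10", "00:11:22:33:44:55"),
        "spoofed MAC on bound IP": table.allow("10.0.1.10", "de:ad:be:ef:00:01"),
        "bound MAC on other IP": table.allow("10.0.1.99", "00:11:22:33:44:55"),
        "unlisted pair": table.allow("10.0.1.50", "aa:bb:cc:dd:ee:ff"),
    }
```

Run demo() to see the four decisions; only the exactly matching pair passes when the restrict option is active, and the same unlisted pair would pass if only_allow_listed were False.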
Find the MAC Address of a Computer
A MAC address is also known as a hardware address or an Ethernet address. It is a unique identifier specific to the network card in the computer. A MAC address is usually shown in this form: XX-XX-XX-XX-XX-XX, where each X is a hexadecimal digit (0-9 or A-F). To find the MAC address of a computer on your network:
1. From the command line of the computer whose MAC address you want to find, type ipconfig /all (Windows), ifconfig (OS X or Linux), or ip link (Linux).
2. Look for the entry labeled Physical Address (Windows) or ether or HWaddr (OS X and Linux). This value is the MAC or hardware address for the computer.
About LAN Bridges
A local area network bridge logically combines multiple interfaces to operate as a single network, with
a single interface name and IP address. You configure the interface IP address and other interface
settings in the bridge configuration, and then configure interfaces as members of the bridge. A bridge
must include at least one interface, and can include any combination of physical, wireless, and link
aggregation interfaces.
You can configure a bridge in the trusted, optional, or custom security zone. The configuration settings
for a bridge are similar to the settings for any other trusted, optional, or custom network interface. For
example, you can configure DHCP to give IP addresses to clients on a bridge, or use the bridge name
as an alias in firewall policies.
To use a bridge, you must:
1. Create a Network Bridge Configuration.
2. Assign a Network Interface to a Bridge.
If you want all of the XTM device interfaces to be on the same network, we recommend that you use bridge mode for your network configuration.
Create a Network Bridge Configuration
To use a bridge, you must create a bridge configuration and assign one or more network interfaces to
the bridge.
To use a network bridge on an XTMv virtual machine on ESXi, you must enable
promiscuous mode on the attached virtual switch (vSwitch) in VMware. You cannot
use a network bridge on an XTMv virtual machine on Hyper-V, because Hyper-V
virtual switches do not support promiscuous mode.
To create a bridge configuration:
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select the Bridge tab.
3. Click Add.
The New Bridge Configuration dialog box appears.
4. Type a Name or Alias for the new bridge. This name is used to identify the bridge in network
interface configurations.
5. (Optional) In the Description text box, type a description of the bridge.
6. From the Security Zone list, select Trusted or Optional. The bridge is added to the alias of the
zone you specify.
For example, if you choose the Optional security zone, the bridge is added to the Any-Optional
network alias.
7. Type an IP address in slash notation for the bridge to use.
For more information, see About Slash Notation on page 5.
8. Select Disable DHCP, Use DHCP Server, or Use DHCP Relay to set the method of IP
address distribution for the bridge. If necessary, configure your DHCP server, DHCP relay,
DNS/WINS server, and DHCP Options settings.
For more information about DHCP configuration, see Configure IPv4 DHCP in Mixed Routing
Mode on page 178 and Configure DHCP Relay on page 209.
9. Select the Secondary tab to create one or more secondary network IP addresses.
For more information, see Add a Secondary Network IP Address on page 213.
10. To configure a bridge to use IPv6, select the IPv6 tab.
For information about IPv6 settings, see Enable IPv6 for a Trusted or Optional Interface.
11. Click OK.
Assign a Network Interface to a Bridge
To use a bridge, you must create a bridge configuration and assign it to one or more network interfaces.
You can create the bridge configuration in the Network Configuration dialog box, or when you
configure a network interface.
1. Select Network > Configuration.
The Network Configuration window appears.
2. Select the interface that you want to add to the bridge, then click Configure.
The Interface Configuration - Interface # window appears.
3. In the Interface Type drop-down list, select Bridge.
4. Select the radio button adjacent to the network bridge configuration you created, or click New
Bridge to create a new bridge configuration.
5. Click OK.
About Routing
A route is the sequence of devices through which network traffic is sent. Each device in this sequence, usually called a router, stores information about the networks it is connected to in a route table. This information is used to forward network traffic to the next router in the route.
Your XTM device automatically updates its route table when you change network interface settings, when a physical network connection fails, or when it is restarted. To update the route table at other times, you must use dynamic routing or add a static route. Static routes are simple and predictable, but they are not updated when the network structure changes or a connection fails, so traffic can be sent toward a destination it can no longer reach. Dynamic routing adapts to such changes so that traffic can still reach its destination, but it is more complex to set up.
Add a Static Route
A route is the sequence of devices through which network traffic must go to get from its source to its
destination. A router is the device in a route that finds the subsequent network point through which to
send the network traffic to its destination. Each router is connected to a minimum of two networks. A
packet can go through a number of network points with routers before it gets to its destination.
You can create static routes to send traffic to specific hosts or networks. The router can then send the
traffic to the correct destination from the specified route. Add a network route if you have a full network
behind a router on your local network. If you do not add a route to a remote network, all traffic to that
network is sent to the XTM device default gateway.
Before you start, you must understand the difference between a network route and a host route. A
network route is a route to a full network behind a router located on your local network. Use a host route
if there is only one host behind the router, or if you want traffic to go to only one host.
If you have configured a BOVPN virtual interface, you can also add and edit VPN routes for a
BOVPN virtual interface in the static routes table.
Add an IPv4 Static Route
To add a static route:
1. Select Network > Routes.
The Setup Routes dialog box appears.
2. Click Add.
The Add Route dialog box appears.
3. From the Route Type drop-down list, select Static Route.
4. From the Destination Type drop-down list, select an option:
• Host IPv4 — Select this option if only one IPv4 host is behind the router or you want traffic to go to only one host.
• Network IPv4 — Select this option if you have a full IPv4 network behind a router on your local network.
5. In the Route To text box, type the network address or host address. If you type a network
address, use slash notation.
For more information about slash notation, see About Slash Notation on page 5.
6. In the Gateway text box, type the IP address of the router. Make sure that you type an IP
address that is on one of the same networks as the XTM device.
7. In the Metric text box, type or select a metric value for the route. Routes with lower metrics
have higher priority.
8. Click OK to close the Add Route dialog box.
The configured network route appears in the Setup Routes dialog box.
Add an IPv6 Static Route
When you add an IPv6 route, you can optionally specify which IPv6-enabled interface to use for the
route. Specify an interface if you want to control which interface is used in the route.
Here are some examples of when you would specify an interface for an IPv6 route:
• If more than one interface can reach the gateway, and you want to route traffic to the gateway through a specific interface, select the interface that you want this route to use.
• If there are two gateways with the same IPv6 link-local address on different connected networks, select the interface that connects to the gateway you want to route to.
To add an IPv6 static route:
1. Select Network > Routes.
The Setup Routes dialog box appears.
2. Click Add.
The Add Route dialog box appears.
3. From the Route Type drop-down list, select Static Route.
4. From the Destination Type drop-down list, select an option:
• Host IPv6 — Select this option if only one IPv6 host is behind the router or you want traffic to go to only one host.
• Network IPv6 — Select this option if you have a full IPv6 network behind a router on your local network.
5. In the Route To text box, type the network address or host address. If you type a network
address, use slash notation.
For more information about slash notation, see About Slash Notation on page 5.
6. In the Gateway text box, type the IP address of the router. Make sure that you type an IP
address that is on one of the same networks as the XTM device.
7. In the Metric text box, type or select a metric value for the route. Routes with lower metrics
have higher priority.
8. If you want this route to use a specific interface, select the Specify interface check box. From
the adjacent drop-down list, select an IPv6-enabled interface that can get access to the
specified gateway.
9. Click OK to close the Add Route dialog box.
The configured network route appears in the Setup Routes dialog box.
Add a BOVPN Virtual Interface Route
If you have configured a BOVPN virtual interface, you can also add and edit BOVPN virtual interface
routes here. This option is available only after you configure at least one BOVPN virtual interface. For
more information, see Configure a BOVPN Virtual Interface.
IPv6 BOVPN virtual interface routes are 6in4 tunnel routes that use a GRE tunnel within the IPSec
BOVPN tunnel. You can use an IPv6 BOVPN virtual interface route to send traffic between two IPv6
networks through an IPv4 BOVPN virtual interface tunnel. You cannot configure a BOVPN virtual
interface route for traffic between an IPv4 network and an IPv6 network.
IPv6 BOVPN virtual interface routes are supported in Fireware XTM OS v11.9 and
higher.
To add a BOVPN virtual interface route:
1. Select Network > Routes.
The Setup Routes dialog box appears.
2. Click Add.
The Add Route dialog box appears.
3. From the Route Type drop-down list, select BOVPN Virtual Interface Route.
4. From the Choose Type drop-down list, select an option:
• Host IPv4 — Select this option if only one IPv4 host is behind the router or you want traffic to go to only one host.
• Network IPv4 — Select this option if you have a full IPv4 network behind a router on your local network.
• Host IPv6 — Select this option if only one IPv6 host is behind the router or you want traffic to go to only one host.
• Network IPv6 — Select this option if you have a full IPv6 network behind a router on your local network.
5. In the Route To text box, type the network address or host address. If you type a network
address, use slash notation.
For more information about slash notation, see About Slash Notation on page 5.
6. In the Metric text box, type or select a metric value for the route. Routes with lower metrics
have higher priority.
7. From the Interface drop-down list, select the BOVPN virtual interface you want to use for this
route.
8. Click OK to close the Add Route dialog box.
The configured network route appears in the Setup Routes dialog box.
The BOVPN virtual interface routes you configure here also appear in the VPN Routes tab of the BOVPN virtual interface configuration.
If the XTM device is configured in drop-in mode, the route table on the XTM device
might or might not immediately show the correct interface for a static route after you
restart the device, or after you move the gateway associated with a static route to a
different interface. The XTM device cannot update the route table with the correct
interface for a static route until it receives network traffic through the gateway for that
static route. The XTM device updates the internal route table on demand when traffic
is received from the gateway.
Read the Route Tables
From WatchGuard System Manager, you can see the internal route tables for your XTM device.
1. Start Firebox System Manager.
2. Select the Status Report tab.
3. Scroll down until you see the Routes section.
Route Tables
The Routes section can contain several route tables:
Route Table: main
shows the default route, and all IPv4 and IPv6 static routes, including BOVPN virtual interface
routes
Route Table: ethx.out
shows active routes for an interface, ethx, where x is the interface number
Route Table: any.out
shows active routes for all external interfaces with multi-path default routes, when multi-WAN is
enabled
Route Table: zebra
shows dynamic routes received from a peer, if dynamic routing is enabled
The zebra route table shows only the first twenty dynamic routes. To see a complete list of the
dynamic routes, see the OSPF, RIP, or BGP sections of the Status Report.
Routes
A route assigned to a device interface appears in the main route table in this format:
<destination> dev <device> proto kernel scope link
For example:
203.0.113.0/24 dev eth0 proto kernel scope link
A static route that you add appears in the main route table in this format:
<destination> via <gateway> dev <device> metric <metric>
For example:
10.0.30.0/24 via 10.0.10.254 dev eth0 metric 1
A BOVPN virtual interface route that you add appears in the main route table in this format:
<destination> dev <device> proto static metric <metric>
For example:
10.0.30.0/24 dev bvpn1 proto static metric 1
A dynamic route appears in the zebra route table in this format:
<destination> via <gateway> dev <device> proto zebra metric <metric>
For example:
10.0.10.0/24 via 203.0.113.10 dev eth0 proto zebra metric 20
Some of the more common information that appears for each route includes:
• <destination> — the destination network or host address for the route
• dev <device> — the device (usually an interface) the route applies to; for example eth0 for interface 0, bvpn1 for a BOVPN virtual interface, or lo for loopback
• proto kernel — the route was created by the Linux kernel
• proto static — the route is a static route
• proto zebra — the route is a dynamic route learned through a dynamic routing protocol
• scope link — the route is bound directly to an XTM device interface
• metric <number> — the routing metric, or cost, for the route. A lower number indicates a lower cost and higher priority for the route.
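To make the route formats above concrete, here is an added Python example (this example's own code, not a WatchGuard tool) that parses lines in the main-table format shown, classifies each route by the markers the guide lists, and selects the route for a destination by longest prefix and then lowest metric, as the guide states for metrics. The sample table, the Route class and the kind and lookup functions are constructed for this example; the "default" keyword is assumed to mean 0.0.0.0/0 as it does in the IPv4 table.

```python
"""Added example (not WatchGuard code): parse route lines in the formats the
guide shows and select the route used for a destination."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the main-table format shown above (not captured from a device).
SAMPLE_ROUTES = """\
default via 203.0.113.1 dev eth0 metric 1
203.0.113.0/24 dev eth0 proto kernel scope link
10.0.10.0/24 dev eth1 proto kernel scope link
10.0.30.0/24 via 10.0.10.254 dev eth1 metric 1
10.0.30.128/25 via 10.0.10.253 dev eth1 metric 10
10.0.40.0/24 dev bvpn1 proto static metric 1
10.0.40.0/24 via 10.0.10.254 dev eth1 metric 5
172.16.0.0/16 via 203.0.113.10 dev eth0 proto zebra metric 20
"""

_KEYWORDS = {"via", "dev", "proto", "scope", "metric"}


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network | ipaddress.IPv6Network
    dev: str
    gateway: Optional[str] = None   # None for directly connected routes
    proto: str = ""                 # "" when the line prints no proto field
    scope: str = ""
    metric: int = 0                 # no metric printed means 0


def parse_route(line: str) -> Route:
    """Parse one '<dest> [via G] dev D [proto P] [scope S] [metric M]' line."""
    tokens = line.split()
    if not tokens:
        raise ValueError("empty route line")
    dest_tok = tokens[0]
    dest = ipaddress.ip_network("0.0.0.0/0" if dest_tok == "default" else dest_tok, strict=False)
    fields = {}
    for i in range(1, len(tokens), 2):
        key = tokens[i]
        if key not in _KEYWORDS or i + 1 >= len(tokens):
            raise ValueError(f"unexpected token {key!r} in {line!r}")
        fields[key] = tokens[i + 1]
    if "dev" not in fields:
        raise ValueError(f"route has no dev field: {line!r}")
    return Route(dest=dest, dev=fields["dev"], gateway=fields.get("via"),
                 proto=fields.get("proto", ""), scope=fields.get("scope", ""),
                 metric=int(fields.get("metric", 0)))


def parse_table(text: str) -> list[Route]:
    return [parse_route(line) for line in text.splitlines() if line.strip()]


def lookup(routes: list[Route], address: str) -> Optional[Route]:
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    ip = ipaddress.ip_address(address)
    candidates = [r for r in routes if ip in r.dest]   # v4/v6 mismatch is simply False
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.dest.prefixlen, r.metric))


def kind(route: Route) -> str:
    """Classify by the markers the guide lists for each route type."""
    if route.proto == "zebra":
        return "dynamic"
    if route.proto == "kernel" and route.scope == "link":
        return "connected"
    if route.proto == "static" and route.gateway is None:
        return "bovpn-virtual-interface"   # '<dest> dev bvpnN proto static metric N'
    if route.gateway is not None:
        return "static"
    return "other"
```

Paste the Routes section of a Status Report in place of SAMPLE_ROUTES to check which route a given destination will actually take; the /25 entry in the sample shows that a more specific prefix beats a lower metric, which matters when a BOVPN route and a static route overlap.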
Add Static ARP Entries
Address Resolution Protocol (ARP) is a protocol that associates the IP address with the MAC address
of a network device. A static ARP entry is a permanent entry in your ARP cache.
For example, it might be necessary to add static ARP entries for routers connected to an Active/Active
FireCluster. For more information, see Add Static ARP Entries for an Active/Active FireCluster .
To add a static ARP entry in the Web UI, the Firebox or XTM device must use
Fireware XTM v11.9 or higher.
To add a static ARP entry for a network device:
1. Select Network > ARP Entries.
The Static ARP Entries dialog box appears.
2. Click Add.
The Add ARP Entry dialog box appears.
3. In the Interface drop-down list, select the interface that the device is connected to.
4. In the IP Address text box, type the IP address of the device.
5. In the MAC Address text box, type the MAC address of the device.
6. Click OK.
The static ARP entry is added to the Static ARP Entries list.
To edit or remove a static ARP entry, select the static ARP entry in the table, and click Edit, or
Remove.
To see the ARP table, open the Status Report in Firebox System Manager.
About Virtual Local Area Networks (VLANs)
An 802.1Q VLAN (virtual local area network) is a collection of computers on a LAN or LANs that are
grouped together in a single broadcast domain independent of their physical location. This enables you
to group devices according to traffic patterns, instead of physical proximity. Members of a VLAN can
share resources as if they were connected to the same LAN. You can also use VLANs to split a switch
into multiple segments. For example, suppose your company has full-time employees and contract
workers on the same LAN. You want to restrict the contract employees to a subset of the resources
used by the full-time employees. You also want to use a more restrictive security policy for the contract
workers. In this case, you split the interface into two VLANs.
VLANs enable you to divide your network into groups with a logical, hierarchical structure or grouping
instead of a physical one. This helps free IT staff from the restrictions of their existing network design
and cable infrastructure. VLANs make it easier to design, implement, and manage your network.
Because VLANs are software-based, you can quickly and easily adapt your network to additions,
relocations, and reorganizations.
VLANs use bridges and switches, so broadcasts are more efficient because they go only to hosts in the VLAN, not to every device on the wire. Consequently, traffic across your routers is reduced, which reduces router latency. You can configure your XTM device to act as a DHCP server for devices on the VLAN, or use DHCP relay with a separate DHCP server.
You assign a VLAN to the Trusted, Optional, or External security zone. VLAN security zones
correspond to aliases for interface security zones. For example, VLANs of type Trusted are handled by
policies that use the alias Any-Trusted as a source or destination. VLANs of type External appear in
the list of external interfaces when you configure policy-based routing.
VLAN Requirements and Restrictions
• The WatchGuard VLAN implementation does not support the spanning tree link management protocol.
• If your XTM device is configured to use drop-in network mode, you cannot use VLANs.
• A VLAN interface can send and receive untagged traffic for only one trusted or optional VLAN. For example, if a VLAN interface is configured to send and receive untagged traffic for VLAN 10, it cannot also send and receive untagged traffic for any other VLAN at the same time.
• A VLAN interface cannot be configured to send and receive untagged traffic for an external VLAN.
• A VLAN interface can be configured to send and receive tagged traffic for only one external VLAN.
• Your multi-WAN configuration settings are applied to VLAN traffic. However, it can be easier to manage bandwidth when you use only physical interfaces in a multi-WAN configuration.
• Your device model and license control the number of VLANs you can create. To see the number of VLANs you can add to your XTM device, open Policy Manager and select Setup > Feature Keys. Find the row labeled Total number of VLAN interfaces.
• We recommend that you do not create more than 10 VLANs that operate on external interfaces. Too many VLANs on external interfaces affect performance.
• All network segments you want to add to a VLAN must have IP addresses on the VLAN network.
• To use multiple VLANs on a single interface on an XTMv device in an ESXi environment, configure the vSwitch for the XTMv VLAN interface to use VLAN ID 4095 (All).
If you define VLANs, you can ignore messages with the text 802.1d unknown
version. These occur because the WatchGuard VLAN implementation does not
support spanning tree link management protocol.
About Tagging
To enable VLANs, you must deploy VLAN-capable switches in each site. The switch interfaces insert
tags at layer 2 of the data frame that identify a network packet as part of a specified VLAN. These tags,
which add an extra four bytes to the Ethernet header, identify the frame as belonging to a specific
VLAN. Tagging is specified by the IEEE 802.1Q standard.
The VLAN definition includes disposition of tagged and untagged data frames. You must specify
whether the VLAN receives tagged, untagged, or no data from each interface that is enabled. Your
XTM device can insert tags for packets that are sent to a VLAN-capable switch. Your device can also
remove tags from packets that are sent to a network segment that belongs to a VLAN that has no
switch.
An XTM device interface can handle traffic for multiple tagged VLANs. This allows the interface to
function as a VLAN trunk. The XTM device supports the 802.1Q standard.
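The following added Python example (this example's own code, not WatchGuard's) shows what the four-byte 802.1Q tag looks like on the wire: it inserts a tag after the source MAC of an untagged frame, strips it again, and then applies a small model of the per-interface disposition described above (one untagged VLAN per interface, a set of tagged VLANs, everything else dropped). The MAC addresses, VLAN IDs and payload are constructed, and the classify_ingress model is an assumption about behaviour, not the Fireware implementation. The reserved-ID check (0 and 4095 may not be used as a VLAN ID) comes from the 802.1Q standard, not from the guide.

```python
"""Added example (not WatchGuard code): build, strip and classify IEEE 802.1Q
tagged Ethernet frames. Addresses, VLAN IDs and payload are constructed."""
import struct
from typing import Optional, Tuple

ETHERTYPE_8021Q = 0x8100   # TPID that marks a tagged frame
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def build_untagged(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Constructed untagged frame: dst MAC, src MAC, EtherType, payload (no FCS)."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag (TPID + TCI) after the source MAC."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094; 0 and 4095 are reserved")
    if not 0 <= pcp <= 7:
        raise ValueError("PCP is a 3-bit priority")
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    tci = (pcp << 13) | vlan_id        # PCP(3) | DEI(1)=0 | VID(12)
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes) -> Tuple[Optional[int], Optional[int], bytes]:
    """Return (vlan_id, pcp, frame_without_tag); vlan_id is None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_8021Q:
        return None, None, frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, tci >> 13, frame[:12] + frame[16:]


def classify_ingress(frame: bytes, untagged_vlan: Optional[int],
                     tagged_vlans: set) -> Optional[int]:
    """Model of the per-interface disposition the guide describes (this
    example's own model, not the Fireware implementation): an untagged frame
    belongs to the interface's single untagged VLAN (None if the interface
    accepts no untagged traffic); a tagged frame is accepted only for a VLAN
    the interface is a tagged member of; anything else returns None (dropped)."""
    vid, _, _ = untag_frame(frame)
    if vid is None:
        return untagged_vlan
    return vid if vid in tagged_vlans else None
```

Note that the tag is identified purely by the EtherType 0x8100 at offset 12; a host that sends frames with that EtherType and a chosen VID is attempting VLAN hopping, which is why the guide's rule that an interface accepts tagged traffic only for VLANs it is explicitly a member of matters.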
About VLAN ID Numbers
By default, on most new switches that are not configured, each interface belongs to VLAN number 1.
Because this VLAN exists on every interface of most switches by default, the possibility exists that
this VLAN can accidentally span the entire network, or at least very large portions of it.
We recommend you use a VLAN ID number that is not 1 for any VLAN that passes traffic to the
XTM device.
Define a New VLAN
Before you create a new VLAN, make sure you understand all the VLAN concepts and restrictions, as
described in About Virtual Local Area Networks (VLANs) on page 232.
When you define a new VLAN, you add an entry in the VLAN Settings table. To change the view of
this table:
• Click a column header to sort the table based on the values in that column.
• Click the column header again to switch between descending and ascending order.
The values in the Interfaces column show the physical interfaces that are members of this VLAN. The
interface number in bold is the interface that sends untagged data to that VLAN.
To create a new VLAN:
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select the VLAN tab.
A table of existing user-defined VLANs and their settings appears.
3. Click Add.
The New VLAN Configuration dialog box appears.
4. In the Name (Alias) text box, type a name for the VLAN.
5. (Optional) In the Description text box, type a description of the VLAN.
6. In the VLAN ID text box, type or select a value for the VLAN.
7. From the Security Zone drop-down list, select Trusted, Optional, Custom, or External.
Security zones correspond to aliases for interface security zones. For example, VLANs of type
Trusted are handled by policies that use the alias Any-Trusted as a source or destination.
8. In the IP Address text box, type the address of the VLAN gateway.
Any computer in this new VLAN must use this IP address as its default gateway.
Use DHCP on a VLAN
For a VLAN in the Trusted, Optional, or Custom security zone, you can configure the XTM device as a
DHCP server for the computers on your VLAN network.
1. In the New VLAN Configuration dialog box, select Use DHCP Server. If necessary, type
your domain name to supply it to the DHCP clients.
2. To add an IP address pool, in the Address Pool section, click Add and type the first and last IP
addresses assigned for distribution. Click OK.
You can configure a maximum of six address pools.
3. To reserve a specific IP address for a client, in the Reserved Addresses section, click Add.
Type a name for the reservation, the IP address you want to reserve, and the MAC address of
the client’s network card. Click OK.
4. To change the default lease time, from the Leasing Time drop-down list, select a different time
interval.
This is the time interval that a DHCP client can use an IP address that it receives from the DHCP
server. When the lease time is about to expire, the client sends a request to the DHCP server to get a
new lease.
5. To add DNS or WINS servers to your DHCP configuration, click Configure DNS/WINS
Servers.
6. To configure DHCP options, click DHCP Options.
For more information about per-interface DNS/WINS and DHCP options, see Configure IPv4 DHCP in
Mixed Routing Mode.
Use DHCP Relay on a VLAN
1. In the New VLAN Configuration dialog box, select Use DHCP Relay.
2. Type the IP address of the DHCP server. Make sure to add a route to the DHCP server, if
necessary.
Apply Firewall Policies to Intra-VLAN Traffic
You can configure more than one XTM device interface as a member of the same VLAN. To apply firewall policies to VLAN traffic between local interfaces, select the Apply firewall policies to intra-VLAN traffic check box.
Intra-VLAN traffic is traffic from a VLAN that is destined for the same VLAN. When you enable this
feature, the XTM device applies policies to traffic that passes through the firewall between hosts that
are on the same VLAN. If you want to apply policies to intra-VLAN traffic, make sure that no alternate
path exists between the source and destination. The VLAN traffic must go through the XTM device in
order for firewall policies to apply.
For an external VLAN interface, this setting also applies to traffic from mobile VPN clients that connect
through that interface. You must enable this setting on an external VLAN interface if you want firewall
policies and NAT to function for users who use a mobile VPN client to connect to the external VLAN
interface.
Intra-VLAN policies are applied by IP address, user, or alias. If the intra-VLAN traffic does not match
any defined policy, the traffic is denied as unhandled packets. Intra-VLAN non-IP packets are allowed.
Configure Network Settings for a VLAN on the External Interface
When you configure a VLAN on the external interface, you must configure how the VLAN gets the
external IP address.
1. From the Security Zone drop-down list, select External.
2. Select an option: Use Static IP, Use DHCP Client, or Use PPPoE.
3. Configure the network settings with the same method you use for other external interfaces.
For more information, see Configure an External Interface on page 163.
If you configure an external VLAN interface to get an IP address through DHCP, you
can release or renew the VLAN interface IP address in Fireware XTM Web UI on the
System Status > Interfaces page.
Enable IPv6 on a VLAN
IPv6 addresses for a VLAN interface are supported in Fireware XTM v11.9 and
higher.
To enable IPv6 on a VLAN interface:
1. Select the IPv6 tab.
2. Select the Enable IPv6 check box.
3. Configure the IPv6 network settings the same as you would for any other interface.
For information about how to configure the IPv6 settings, see:
• Enable IPv6 for a Trusted or Optional Interface
• Enable IPv6 for an External Interface
Configure VLAN Secondary IP Addresses
Secondary IP addresses for a VLAN interface are supported in Fireware XTM v11.8.1
and higher.
To configure a secondary IPv4 network for a VLAN interface:
1. Select the Secondary tab.
2. Click Add.
3. Type an unassigned host IP address from the secondary network.
4. Click OK.
For more information about secondary interface IP addresses, see Add a Secondary Network
IP Address.
You can now take the next step, and Assign Interfaces to a VLAN on page 239.
Assign Interfaces to a VLAN
When you create a new VLAN, you specify the type of data it receives from XTM device interfaces.
However, you can also make an interface a member of a VLAN that is currently defined, or remove an
interface from a VLAN.
1. In the Network Configuration dialog box, select the Interfaces tab.
2. Select an interface and click Configure.
The Interface Settings dialog box appears.
3. In the Interface Type drop-down list, select VLAN.
A table that shows all current VLANs appears. You may need to increase the size of this dialog box
to see all of the options.
4. Select the Send and receive tagged traffic for selected VLANs check box to receive tagged
data on this network interface.
5. Select the Member check box for each interface you want to include in this VLAN.
To remove an interface from this VLAN, clear the adjacent Member check box.
An interface can be a member of one external VLAN, or multiple trusted or optional VLANs.
6. To configure the interface to receive untagged data, select the Send and receive untagged
traffic for selected VLAN check box at the bottom of the dialog box.
7. Select a VLAN configuration from the adjacent drop-down list, or click New VLAN to create a
new VLAN configuration.
8. Click OK.
About Link Aggregation
A link aggregation (LA) interface is a group of physical interfaces that you configure to work together as
a single logical interface. You can use a link aggregation interface to increase the cumulative
throughput beyond the capacity of a single physical interface, and to provide redundancy if there is a
physical link failure. When you use link aggregation, you connect the link aggregation interfaces to a
switch, and configure the connected switch to use the same link aggregation mode and link speed.
You can configure a link aggregation interface only on an XTM device configured in mixed routing
mode. A link aggregation interface can be configured as an External, Trusted, Optional, or Custom
interface, or as a member of a VLAN or Bridge interface. You can use a link aggregation interface in
most of the same ways that you use a physical interface. For example, you can use it in the
configuration of policies, multi-WAN, VPN, DHCP, and PPPoE.
Requirements and Limitations
• Link aggregation requires Fireware XTM with a Pro upgrade.
• Link aggregation interfaces do not support Traffic Management, QoS, and some other advanced interface settings.
• You cannot use a link aggregation interface with an active/active FireCluster, or on XTM 21, 22, 23, or XTMv devices.
• You cannot use a link aggregation interface as an endpoint of a managed branch office VPN tunnel.
• Dynamic link aggregation mode is not supported on XTM 25, XTM 26, and XTM 33 devices.
Link Aggregation Modes
On a supported Fireware XTM device with Fireware XTM Pro, you can configure a link aggregation
interface in one of three modes. For all modes, a member interface can be active only when the
member interface link status is up. Whether a member interface is active depends on both the link
status of the physical interface and the link aggregation mode.
Dynamic (802.3ad)
All physical interfaces that are members of the link aggregation interface can be active. The
physical interface used for traffic between any source and destination is selected based on Link
Aggregation Control Protocol (LACP), as described in the IEEE 802.3ad dynamic link
aggregation specification.
Static
All physical interfaces that are members of the link aggregation interface can be active. The
same physical interface is always used for traffic between a given source and destination based
on source/destination MAC address and source/destination IP address. This mode provides
load balancing and fault tolerance.
Active-backup
In this mode, at most only one member interface in the link aggregation group is active at a time.
The other member interfaces in the link aggregation group become active only if the active
interface fails. This mode provides fault tolerance for connections to network switches that do
not support link aggregation.
To use dynamic or static link aggregation, you must also configure link aggregation on the connected
switch. To use Active-backup mode it is not necessary to enable link aggregation on your switches.
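As an added illustration, not WatchGuard code, the Python model below shows how the static and active-backup modes choose the member interface that carries a flow, and what happens to that choice when a member link goes down. The XOR hash of MAC and IP addresses is an assumption modeled on the common layer2+3 bonding policy; the guide says only which fields static mode keys on.

```python
"""Added model of link aggregation member selection (static and
active-backup modes). Not WatchGuard code: the guide states only that
static mode keys on source/destination MAC and IP addresses, so the XOR
flow hash below is an assumption modeled on the common layer2+3 policy."""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class Member:
    name: str            # physical interface, e.g. "eth2"
    link_up: bool = True


@dataclass
class Bond:
    name: str            # e.g. "bond0"
    mode: str            # "static" or "active-backup"
    members: List[Member] = field(default_factory=list)

    def active_members(self) -> List[Member]:
        """A member can be active only while its link is up (all modes).
        Active-backup keeps at most one member active: the first one up."""
        up = [m for m in self.members if m.link_up]
        return up[:1] if self.mode == "active-backup" else up

    def select(self, src_mac, dst_mac, src_ip, dst_ip) -> str:
        """Pick the member interface that carries this flow."""
        active = self.active_members()
        if not active:
            raise RuntimeError(f"{self.name}: no member link is up")
        if self.mode == "active-backup":
            return active[0].name          # every flow rides the one active link
        # Static: same hash -> same member, so each conversation stays on
        # one link; when a member fails, flows are rehashed over the rest.
        return active[flow_hash(src_mac, dst_mac, src_ip, dst_ip) % len(active)].name


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def flow_hash(src_mac, dst_mac, src_ip, dst_ip) -> int:
    """XOR-fold the L2 and L3 addresses into one byte (assumed hash).
    XOR is symmetric, so both directions of a conversation hash alike."""
    h = 0
    for b in mac_bytes(src_mac) + mac_bytes(dst_mac):
        h ^= b
    h ^= int(ipaddress.ip_address(src_ip)) ^ int(ipaddress.ip_address(dst_ip))
    h ^= h >> 16
    h ^= h >> 8
    return h & 0xFF


def demo():
    """Constructed scenario: a two-member static bond, then a member failure."""
    bond = Bond("bond0", "static", [Member("eth2"), Member("eth3")])
    flow = ("00:11:22:33:44:55", "66:77:88:99:aa:bb", "192.168.10.20", "10.0.0.4")
    before = bond.select(*flow)
    reverse = bond.select(flow[1], flow[0], flow[3], flow[2])   # reply direction
    bond.members[0].link_up = False                            # eth2 link goes down
    after = bond.select(*flow)
    return before, reverse, after


if __name__ == "__main__":
    print(demo())   # ('eth2', 'eth2', 'eth3')
```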
Configure Link Aggregation
To configure link aggregation, you add a new link aggregation interface, and then assign network
interfaces to the new link aggregation interface.
Add a Link Aggregation Interface
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select the Link Aggregation tab.
A table of existing user-defined link aggregation interfaces and their settings appears.
3. Click Add.
The New Link Aggregation Interface Configuration dialog box appears.
4. In the Name (Alias) text box, type a name for the link aggregation interface.
5. (Optional) In the Description text box, type a description of the interface.
6. From the Mode drop-down list, select the link aggregation mode to use. You can choose Static,
Dynamic, or Active-backup.
For information about link aggregation modes, see About Link Aggregation.
If you choose Static or Dynamic mode, your connected switch or router must also
support and be configured to use the same mode.
7. In the Type drop-down list, select the interface type. For a Link Aggregation interface, you can
set the type to Trusted, Optional, Custom, External, Bridge, or VLAN.
8. Configure the settings for the interface type you selected.
Configure the other settings the same way that you would configure them for any other interface.
For a Trusted, Optional, or Custom interface:
Type the IPv4 interface private IP address in slash notation. For more information about
private IP addresses, see About Private IP Addresses.
Configure the DHCP settings. For more information about DHCP settings, see Configure
IPv4 DHCP in Mixed Routing Mode on page 178 or Configure DHCP Relay on page 209.
To enable and configure IPv6, select the IPv6 tab. For information about the IPv6 settings,
see Enable IPv6 for a Trusted or Optional Interface.
For an External interface:
Type a static IPv4 address and default gateway, or configure the external interface to use
DHCP or PPPoE to get an IP address. For information about external interface network
settings, see Configure an External Interface.
To enable and configure IPv6, select the IPv6 tab. For information about the IPv6 settings,
see Enable IPv6 for an External Interface.
IPv6 on a link aggregation interface is supported in Fireware XTM v11.9 and higher.
For a Bridge interface:
Select the network bridge interface you want to add this link aggregation interface to. You
must assign this interface to a Bridge. For more information, see Assign a Network
Interface to a Bridge.
For a VLAN interface:
Select the tagged or untagged VLANs you want to add this link aggregation interface to.
You must assign this interface to a VLAN. For more information, see Assign Interfaces to a
VLAN.
9. To configure a secondary network on this interface, select the Secondary tab.
For information about how to configure a secondary network, see Add a Secondary Network
IP Address on page 213.
10. To configure network interface card settings, select the Advanced tab.
The network interface settings apply to all physical interfaces assigned to this link aggregation
interface. For more information, see Network Interface Card (NIC) Settings.
Physical interfaces that are members of a link aggregation interface must support the
same link speed. On XTM 505, 510, 520, or 530 devices, interface 0 (Eth0) supports
a lower maximum link speed than the other interfaces. If you use Eth0 as a member
of a link aggregation interface on these models, you must set the Link Speed to 100
Mbps or lower in the link aggregation interface configuration and on the connected
network switches.
Unlike a physical interface configuration, you cannot configure Traffic Management, QoS, or
static MAC/IP address binding in the interface advanced settings. A link aggregation interface
does not support those features.
Assign Interfaces to a Link Aggregation Interface
After you create the link aggregation interface, you can assign physical interfaces to it.
1. In the Network Configuration dialog box, select the Interfaces tab.
2. Select an interface and click Configure.
The Interface Settings dialog box appears.
3. From the Interface Type drop-down list, select Link Aggregation.
A list of configured link aggregation interfaces appears.
4. In the Member column, select the link aggregation interface to make this interface a member of.
5. Click OK.
If no link aggregation interfaces are configured, you can click New Link
Aggregation to add an interface. Use the steps in the previous procedure to
configure settings for the new link aggregation interface.
6. Repeat these steps to assign more physical interfaces to this link aggregation interface.
If you change an interface type from External to Link Aggregation, any 1 to 1
NAT rules previously associated with the external interface are automatically
removed.
Connect Link Aggregation Interfaces to a Switch
If you configure a link aggregation interface to use dynamic or static link aggregation, you must also
configure link aggregation on the connected switch or router, with the same mode and link speed. Then,
you can connect the cables from the member interfaces on the XTM device to the other network
device.
If the link aggregation interface uses Active-backup mode, you do not need to enable link aggregation
on your connected switches or routers.
For more information about link aggregation network modes, see About Link Aggregation.
Read the Link Aggregation Settings Table
After you configure a link aggregation interface, you can see a summary of the settings on the Link
Aggregation tab.
1. Select Network > Configuration.
2. Select the Link Aggregation tab.
A table of existing user-defined link aggregation interfaces and their settings appears.
The columns show information about each link aggregation interface.
Name (Alias)
The interface name. You can use this name in policies just as you would any other interface
name.
Type
The interface type. Link aggregation interfaces can be Trusted, External, Optional, Bridge or
VLAN.
IPv4 Address
The interface IPv4 address. This column shows DHCP or PPPoE client for an external
interface configured to get an IP address from a DHCP or PPPoE server.
IPv6 Address
The interface IPv6 address. This column shows DHCP or PPPoE client for an external
interface configured to get an IP address from a DHCP or PPPoE server.
DHCP
Shows whether a DHCP server is enabled for a trusted or optional link aggregation interface.
Possible values are:
• Local — This interface is configured to use the local DHCP server on the XTM device to assign IP addresses to devices on the attached network.
• Relay — This interface is configured to use DHCP relay to another DHCP server that assigns IP addresses to devices on the attached network.
Secondary
Secondary IP addresses configured for this interface.
Interfaces
The interface numbers of the physical interfaces that are members of this link aggregation
interface.
Edit or Delete a Link Aggregation Interface
From the Link Aggregation tab, you can edit or delete a link aggregation interface. When you remove a
link aggregation interface, any physical interfaces that were members of that link aggregation interface
are disabled.
1. Select Network > Configuration.
2. Select the Link Aggregation tab.
3. Select the interface you want to edit or delete.
• Click Edit to edit the selected link aggregation interface.
• Click Delete to delete the selected link aggregation interface.
Monitor Link Aggregation Interfaces
Each link aggregation interface is identified by an interface number that starts with the prefix bond
followed by a number. Link aggregation interfaces are numbered consecutively in the order they were
added. For example, if you enable two link aggregation interfaces, the interface numbers are bond0 and
bond1.
Link aggregation interface numbers appear in the Firebox System Manager Front Panel tab, Status
Report tab, routes table, and log messages.
To monitor link aggregation interfaces:
1. In WatchGuard System Manager, connect to the device.
2. Click the Firebox System Manager icon.
Firebox System Manager appears.
3. Double-click the Interfaces entry to expand the interfaces list.
The link aggregation interfaces appear at the bottom of the list.
4. Double-click the link aggregation interface (for example bond0) to expand it.
The network statistics and list of physical interface members appear.
5. Double-click Physical Interface Members to see a list of link aggregation interface members.
The network statistics for the link aggregation interface appear when you expand the link aggregation
interface. To see network statistics for an individual physical interface, double-click the interface to
expand it.
Network Setup Examples
Configure Two VLANs on the Same Interface
A network interface on an XTM device is a member of more than one VLAN when the switch that
connects to that interface carries traffic from more than one VLAN. This example shows how to
connect one switch that is configured for two different VLANs to a single interface on the XTM device.
The subsequent diagram shows the configuration for this example.
In this example, computers on both VLANs connect to the same 802.1Q switch, and the switch
connects to interface 3 on the XTM device.
The subsequent instructions show you how to configure the VLAN settings in Policy Manager.
Define the Two VLANs
1. From Policy Manager, select Network > Configuration.
2. Select the VLAN tab.
3. Click Add.
The New VLAN Configuration dialog box appears.
4. In the Name (Alias) text box, type a name for the VLAN. For this example, type VLAN10.
5. In the Description text box, type a description. For this example, type Accounting.
6. In the VLAN ID text box, type the VLAN number configured for the VLAN on the switch. For
this example, type 10.
7. From the Security Zone drop-down list, select the security zone. For this example, select
Trusted.
8. In the IP Address text box, type the IP address to use for the XTM device on this VLAN. For
this example, type 192.168.10.1/24.
9. (Optional) To configure the XTM device to act as a DHCP server for the computers on VLAN10:
• Select Use DHCP Server.
• To the right of the Address Pool list, click Add.
• For this example, in the Starting address text box, type 192.168.10.10 and in the Ending address text box type 192.168.10.20.
The finished VLAN10 configuration for this example looks like this:
10. Click OK to add the new VLAN.
11. Click Add to add the second VLAN.
12. In the Name (Alias) text box, type VLAN20.
13. In the Description text box, type Sales.
14. In the VLAN ID text box, type 20.
15. From the Security Zone drop-down list, select Optional.
16. In the IP Address field, type the IP address to use for the XTM device on this VLAN. For this
example, type 192.168.20.1/24.
17. (Optional) To configure the XTM device to act as a DHCP server for the computers on VLAN20:
• Select Use DHCP Server.
• To the right of the Address Pool list, click Add.
• For this example, in the Starting address text box, type 192.168.20.10 and in the Ending address text box type 192.168.20.20.
18. Click OK to add the new VLAN.
Both VLANs now appear in the VLAN tab of the Network Configuration dialog box.
Configure Interface 3 as a VLAN Interface
After you define the VLANs, you can configure Interface 3 to send and receive VLAN traffic.
1. Click the Interfaces tab.
2. Select Interface 3.
3. Click Configure.
4. From the Interface Type drop-down list, select VLAN.
5. Select the Send and receive tagged traffic for selected VLANs check box.
6. Select the check boxes for VLAN10 and VLAN20.
7. Click OK.
Each device on these two VLANs must set the IP address of the default gateway to be the IP address
configured for the VLAN. In this example:
• Devices on VLAN10 must use 192.168.10.1 as their default gateway.
• Devices on VLAN20 must use 192.168.20.1 as their default gateway.
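The frame-level view of these interface settings, as an added example that is not part of the guide: an interface in VLAN mode accepts a tagged frame only for a VLAN it is a member of, and an untagged frame only when an untagged VLAN is selected. The 802.1Q tag layout is the standard one; the interface number, VLAN IDs and MAC addresses are this example's constructed values.

```python
"""Added frame-level illustration of an XTM interface in VLAN mode (not
WatchGuard code). Tagged frames are accepted only for VLANs the interface
is a member of; untagged frames only if an untagged VLAN is selected."""
import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

TPID_8021Q = 0x8100       # EtherType value that announces an 802.1Q tag


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def build_frame(dst_mac, src_mac, ethertype, payload, vlan_id=None, pcp=0) -> bytes:
    """Build an Ethernet II frame; insert a 4-byte 802.1Q tag when vlan_id is set."""
    frame = mac_bytes(dst_mac) + mac_bytes(src_mac)
    if vlan_id is not None:
        tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)   # PCP(3) DEI(1) VID(12)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> Tuple[Optional[int], int, bytes]:
    """Return (vlan_id or None, inner EtherType, payload)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    # VID 0 is a priority tag only: the frame belongs to no VLAN (untagged).
    return (vid or None), inner, frame[18:]


@dataclass(frozen=True)
class VlanInterface:
    number: int
    tagged_vlans: FrozenSet[int]          # "Send and receive tagged traffic for selected VLANs"
    untagged_vlan: Optional[int] = None   # "Send and receive untagged traffic for selected VLAN"

    def classify(self, frame: bytes) -> Tuple[str, Optional[int]]:
        """Return ("accept", vlan) or ("drop", vlan-or-None) for a received frame."""
        vid, _ethertype, _payload = parse_frame(frame)
        if vid is None:
            if self.untagged_vlan is None:
                return "drop", None          # untagged traffic not enabled here
            return "accept", self.untagged_vlan
        if vid in self.tagged_vlans:
            return "accept", vid
        return "drop", vid                   # tagged for a VLAN this port is not in


# Interface 3 from the example: tagged member of VLAN10 and VLAN20, no untagged VLAN.
INTERFACE_3 = VlanInterface(3, frozenset({10, 20}))

# Constructed frames from a host to the XTM device's MAC (placeholder addresses).
HOST_MAC, GATEWAY_MAC = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
PAYLOAD = b"\x45" + b"\x00" * 19               # placeholder IPv4 header bytes


def demo():
    """Classify one frame per case: VLAN10, VLAN20, a foreign VLAN, untagged."""
    results = {}
    for label, vid in (("vlan10", 10), ("vlan20", 20), ("vlan30", 30), ("untagged", None)):
        frame = build_frame(GATEWAY_MAC, HOST_MAC, 0x0800, PAYLOAD, vlan_id=vid)
        results[label] = INTERFACE_3.classify(frame)
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:>9}: {verdict}")
```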
Configure One VLAN Bridged Across Two Interfaces
You can configure a VLAN to bridge across two interfaces of the XTM device. You might want to bridge
one VLAN across two interfaces if your organization is spread across multiple locations. For example,
suppose your network is on the first and second floors in the same building. Some of the computers on
the first floor are in the same functional group as some of the computers on the second floor. You want
to group these computers into one broadcast domain so that they can easily share resources, such as
a dedicated file server for their LAN, host-based shared files, printers, and other network accessories.
This example shows how to connect two 802.1Q switches so that both switches can send traffic from
the same VLAN to two interfaces on the same XTM device.
In this example, two 802.1Q switches are connected to XTM device interfaces 3 and 4, and carry
traffic from the same VLAN.
Define the VLAN on the XTM Device
1. From Policy Manager, select Network > Configuration.
2. Select the VLAN tab.
3. Click Add.
The New VLAN Configuration dialog box appears.
4. In the Name (Alias) text box, type a name for the VLAN. For this example, type VLAN10.
5. In the Description text box, type a description. For this example, type Accounting.
6. In the VLAN ID text box, type the VLAN number configured for the VLAN on the switch. For
this example, type 10.
7. From the Security Zone drop-down list, select the security zone. For this example, select
Trusted.
8. In the IP Address text box, type the IP address to use for the XTM device on this VLAN. For
this example, type 192.168.10.1/24.
Any computer in this new VLAN must use this IP address as its default gateway.
9. (Optional) To configure the XTM device to act as a DHCP server for the computers on VLAN10:
• Select Use DHCP Server.
• To the right of the Address Pool list, click Add.
• For this example, in the Starting address text box, type 192.168.10.10 and in the Ending address text box type 192.168.10.20.
The finished VLAN10 configuration for this example looks like this:
10. Click OK to add the new VLAN.
11. To make XTM device interfaces 3 and 4 members of the new VLAN, select the Interfaces tab.
12. Select Interface 3. Click Configure.
The Interface Settings dialog box appears.
13. From the Interface Type drop-down list, select VLAN.
14. Select the Send and receive tagged traffic for selected VLANs check box.
15. In the Member column, select the check box for VLAN10. Click OK.
16. Select Interface 4. Click Configure.
The Interface Settings dialog box appears.
17. From the Interface Type drop-down list, select VLAN.
18. Select the Send and receive tagged traffic for selected VLANs check box.
19. In the Member column, select the check box for VLAN10. Click OK.
20. Select the VLAN tab.
21. Verify that the Interfaces column for VLAN10 shows interfaces 3 and 4.
22. Save the configuration to the device.
Configure the Switches
Configure each of the switches that connect to interfaces 3 and 4 of the XTM device. Refer to the
instructions from your switch manufacturer for details about how to configure your switches.
Configure the Switch Interfaces Connected to the XTM Device
The physical segment between the switch interface and the XTM device interface is a tagged data
segment. Traffic that flows over this segment must use 802.1Q VLAN tagging.
Some switch manufacturers refer to an interface configured in this way as a trunk
port or a trunk interface.
On each switch, for the switch interface that connects to the XTM device:
• Disable Spanning Tree Protocol.
• Configure the interface to be a member of VLAN10.
• Configure the interface to send traffic with the VLAN10 tag.
• If necessary for your switch, set the switch mode to trunk.
• If necessary for your switch, set the encapsulation mode to 802.1Q.
Configure the Other Switch Interfaces
The physical segments between each of the other switch interfaces and the computers (or other
networked devices) that connect to them are untagged data segments. Traffic that flows over these
segments does not have VLAN tags.
On each switch, for the switch interfaces that connect computers to the switch:
• Configure these switch interfaces to be members of VLAN10.
• Configure these switch interfaces to send untagged traffic for VLAN10.
Physically Connect All Devices
1. Use an Ethernet cable to connect XTM device interface 3 to the Switch A interface that you
configured to tag for VLAN10 (the VLAN trunk interface of Switch A).
2. Use an Ethernet cable to connect the XTM device interface 4 to the Switch B interface that you
configured to tag for VLAN10 (the VLAN trunk interface of Switch B).
3. Connect a computer to the interface on Switch A that you configured to send untagged traffic for
VLAN10.
4. Configure the network settings on the connected computer. The settings depend on whether
you configured the XTM device to act as a DHCP server for the computers on VLAN10 in Step
9 of Define the VLAN on the XTM Device.
• If you configured the XTM device to act as a DHCP server for the computers on VLAN10, configure the computer to use DHCP to get an IP address automatically. See Step 9 in the procedure Define the VLAN, above.
• If you did not configure the XTM device to act as a DHCP server for the computers on VLAN10, configure the computer with an IP address in the VLAN subnet 192.168.10.x. Use subnet mask 255.255.255.0 and set the default gateway on the computer to the XTM device VLAN IP address 192.168.10.1.
5. Repeat the previous two steps to connect a computer to Switch B.
Test the Connection
After you complete these steps, the computers connected to Switch A and Switch B can communicate
as if they were connected to the same physical local area network. To test this connection you can:
• Ping from a computer connected to Switch A to a computer connected to Switch B.
• Ping from a computer connected to Switch B to a computer connected to Switch A.
Use the Broadband Extend or 3G Extend Wireless Bridge
You can use the WatchGuard Broadband Extend USB or 3G Extend USB wireless bridge to add
cellular connectivity to your WatchGuard Firebox T10, XTM 2 Series or 3 Series device. When you
connect the external interface of your XTM device to the wireless bridge, computers on your network
can connect wirelessly to the Internet through the cellular network.
To connect your Firebox or XTM device to the cellular network you need:
• An XTM 2 Series, XTM 3 Series, or Firebox T10 device
• A Broadband Extend USB (for 4G/3G connectivity) or a 3G Extend USB (for 3G connectivity)
• A compatible wireless broadband data card
Use the Broadband Extend USB / Cradlepoint CBR450 Device
Follow these steps to use the Broadband Extend Cradlepoint cellular broadband adapter with your
Firebox or XTM device.
1. Use the instructions in the Cradlepoint CBR450 Setup Guide to set up the Cradlepoint device
and update the device firmware.
2. Configure the external interface on your XTM device to get its address with DHCP. To learn
how to configure your external interface, see Configure an External Interface on page 163.
3. Use an Ethernet cable to connect the Cradlepoint device to the external interface of the XTM
device.
4. Start (or restart) the XTM device.
When the device starts, it gets a DHCP address from the Cradlepoint device. After an IP address is
assigned, the device can connect to the Internet via the cellular broadband network.
The CBR450 supports a large number of popular 4G/3G USB modems. For a list of supported devices,
see http://www.cradlepoint.com/products/machine-to-machine-routers/cbr450-compact-broadbandrouter-without-wifi.
Use the 3G Extend USB / Cradlepoint CBA250 Device
Follow these steps to use the 3G Extend Cradlepoint cellular broadband adapter with your Firebox or
XTM device.
1. Use the instructions in the Cradlepoint CBA250 Quick Start Guide to set up the Cradlepoint
device and update the device firmware. If you have a newer modem that is not supported by the
firmware version that ships on the device, you must use different steps to upgrade your
firmware to the latest version:
• Download the latest firmware for the CBA250 to your computer from the Cradlepoint support site at http://www.cradlepoint.com/support/cba250.
• Use these instructions to update your firmware: Updating the Firmware on your Cradlepoint Router.
2. Configure the external interface on your Firebox or XTM device to get its address with DHCP.
To learn how to configure your external interface, see Configure an External Interface on page
163.
3. Use an Ethernet cable to connect the Cradlepoint device to the external interface of the Firebox
or XTM device.
4. Start (or restart) the XTM device.
When the device starts, it gets a DHCP address from the Cradlepoint device. After an IP address is
assigned, the device can connect to the Internet via the cellular broadband network.
The CBA250 supports a large number of USB or ExpressCard broadband wireless modems. For a list
of supported devices, see http://www.cradlepoint.com/support/cba250.
7 Multi-WAN
About Using Multiple External Interfaces
You can use your XTM device to create redundant support for the external interface. This is a helpful
option if you must have a constant Internet connection.
With the multi-WAN feature, you can configure multiple external interfaces, each on a different subnet.
This allows you to connect your XTM device to more than one Internet Service Provider (ISP). When
you configure a second interface, the multi-WAN feature is automatically enabled.
Multi-WAN Requirements and Conditions
You must have a second Internet connection and more than one external interface to use most multi-WAN configuration options.
Conditions and requirements for multi-WAN use include:
• If you have a policy configured with an individual external interface alias in its configuration, you must change the configuration to use the alias Any-External, or another alias you configure for external interfaces. If you do not do this, some traffic could be denied by your firewall policies.
• Multi-WAN settings do not apply to incoming traffic. When you configure a policy for inbound traffic, you can ignore all multi-WAN settings.
• To override the multi-WAN configuration in any individual policy, enable policy-based routing for that policy. For more information on policy-based routing, see Configure Policy-Based Routing on page 752.
• Map your company’s Fully Qualified Domain Name to the external interface IP address of the lowest order. If you add a multi-WAN XTM device to your Management Server configuration, you must use the lowest-ordered external interface to identify it when you add the device.
• To use multi-WAN, you must use mixed routing mode for your network configuration. This feature does not operate in drop-in or bridge mode network configurations.
• To use the Interface Overflow method, you must have Fireware XTM with a Pro upgrade. You must also have a Fireware XTM Pro license if you use the Round-robin method and configure different weights for the XTM device external interfaces.
• To use multi-WAN options except modem failover on an XTM 2 Series device, you must have Fireware XTM with a Pro upgrade.
You can use one of four multi-WAN configuration options to manage your network traffic.
For configuration details and setup procedures, see the section for each option.
When you enable multi-WAN the XTM device monitors the status of each external interface. Make
sure that you define a link monitor host for each interface. We recommend that you configure two link
targets for each interface.
For more information, see About WAN Interface Status.
Multi-WAN and DNS
Make sure that your DNS server can be reached through every WAN. Otherwise, you must modify
your DNS policies such that:
• The From list includes Firebox.
• The Use policy-based routing check box is selected.
If only one WAN can reach the DNS server, select that interface in the adjacent drop-down list.
If more than one WAN can reach the DNS server, select any one of them, select Failover,
select Configure, and select all the interfaces that can reach the DNS server. The order does
not matter.
You must have Fireware XTM with a Pro upgrade to use policy-based routing.
Multi-WAN and FireCluster
You can use multi-WAN failover with the FireCluster feature, but they are configured separately. Multi-WAN failover caused by a failed connection to a link monitor host does not trigger FireCluster failover.
FireCluster failover occurs only when the physical interface is down or does not respond. FireCluster
failover takes precedence over multi-WAN failover.
About Multi-WAN Options
When you configure multiple external interfaces, you have several options to control which interface an
outgoing packet uses.
XTM 2 Series devices must have Fireware XTM with a Pro upgrade to use any of the
multi-WAN methods except modem failover. All other XTM devices must have
Fireware XTM with a Pro upgrade to use the weighted round robin or interface
overflow multi-WAN methods.
Round-Robin Order
When you configure multi-WAN with the Round-robin method, the XTM device looks at its internal
route table to check for specific static or dynamic routing information for each connection. The route
table includes dynamic routes as well as static routes you configure on the device. If no specified route
is found, the XTM device distributes the traffic load among its external interfaces. The XTM device
uses the average of sent (TX) and received (RX) traffic to balance the traffic load across all external
interfaces you specify in your round-robin configuration.
If you have Fireware XTM with a Pro upgrade, you can assign a weight to each interface used in your
round-robin configuration. By default and for all Fireware XTM users, each interface has a weight of 1.
The weight refers to the proportion of load that the XTM device sends through an interface. If you have
Fireware XTM Pro and you assign a weight of 2 to an interface, you double the portion of traffic that will
go through that interface compared to an interface with a weight of 1.
As an example, if you have three external interfaces with 6M, 1.5M, and .075M bandwidth and want to
balance traffic across all three interfaces, you would use 8, 2, and 1 as the weights for the three
interfaces. Fireware XTM will try to distribute connections so that 8/11, 2/11, and 1/11 of the total
traffic flows through each of the three interfaces.
For more information, see Configure Round-Robin on page 266.
Failover
When you use the failover method to route traffic through the XTM device external interfaces, you
select one external interface to be the primary external interface. Other external interfaces are backup
interfaces, and you set the order for the XTM device to use the backup interfaces. The XTM device
monitors the primary external interface. If it goes down, the XTM device sends all traffic to the next
external interface in its configuration. While the XTM device sends all traffic to the backup interface, it
continues to monitor the primary external interface. When the primary interface is active again, the
XTM device immediately starts to send all new connections through the primary external interface
again.
You control the action for the XTM device to take for existing connections; these connections can
failback immediately, or continue to use the backup interface until the connection is complete. Multi-WAN failover and FireCluster are configured separately. Multi-WAN failover caused by a failed
connection to a link monitor host does not trigger FireCluster failover. FireCluster failover occurs only
when the physical interface is down or does not respond. FireCluster failover takes precedence over
multi-WAN failover.
For more information, see Configure Failover on page 268.
Interface Overflow
When you use the Interface Overflow multi-WAN configuration method, you select the order you want
the XTM device to send traffic through external interfaces and configure each interface with a
bandwidth threshold value. The XTM device starts to send traffic through the first external interface in
its Interface Overflow configuration list. When the traffic through that interface reaches the bandwidth
threshold you have set for that interface, the XTM device starts to send traffic to the next external
interface you have configured in your Interface Overflow configuration list.
This multi-WAN configuration method restricts the amount of traffic sent over each WAN interface to a specified bandwidth limit. To determine bandwidth, the XTM device measures the sent (TX) and received (RX) rates on the interface and compares the higher of the two with the threshold. When you configure the bandwidth threshold for an interface, base it on the traffic you expect on that interface in both directions. Because only the higher measured rate is compared with the threshold, an asymmetrical link can saturate its lower-capacity direction without ever triggering overflow. For example, if your ISP link is asymmetrical and you set the threshold from the large TX rate, a high RX rate that stays below that value does not trigger interface overflow.
If all WAN interfaces have reached their bandwidth limit, the XTM device uses the ECMP (Equal-Cost Multipath) routing algorithm to select a path.
For more information, see Configure Interface Overflow on page 270.
Routing Table
When you select the Routing Table option for your multi-WAN configuration, the XTM device uses the
routes in its internal route table or routes it gets from dynamic routing processes to send packets
through the correct external interface. To see whether a specific route exists for a packet’s destination,
the XTM device examines its route table from the top to the bottom of the list of routes. You can see
the list of routes in the route table on the Status tab of Firebox System Manager. The Routing Table
option is the default multi-WAN option.
If the XTM device does not find a specific route, it selects the path to use from a hash of the packet's source and destination IP addresses, using the ECMP (Equal-Cost Multipath) algorithm analyzed in RFC 2992:
http://www.ietf.org/rfc/rfc2992.txt
With ECMP, the XTM device uses this hash to decide which next-hop (path) to use to send each packet. The algorithm does not consider current traffic load, so the distribution across external interfaces depends on the mix of address pairs in your traffic, not on the bandwidth in use on each link.
For more information, see When to Use Multi-WAN Methods and Routing on page 273.
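The Interface Overflow threshold test and the ECMP fallback described above, as an added example that is not part of the guide or of WatchGuard's code. It models the documented rules only: the device compares the higher of TX and RX against the per-interface threshold, walks the configured order, and hashes on the source/destination pair when every interface is saturated. The interface names, rates, addresses (from the RFC 5737 documentation ranges) and the CRC32 modulo-N hash are constructed for illustration; the device's real hash function is not documented on this page.

```python
import zlib
from dataclasses import dataclass


@dataclass
class ExternalInterface:
    """One external interface as Interface Overflow sees it.

    Rates are in Kbps. threshold_kbps is the value configured in the
    Interface Overflow Threshold dialog box; tx/rx are the measured rates.
    """
    name: str
    threshold_kbps: int
    tx_kbps: int = 0
    rx_kbps: int = 0

    def measured_kbps(self) -> int:
        # The device compares the HIGHER of sent and received against the
        # threshold, so one saturated direction is enough to trigger overflow.
        return max(self.tx_kbps, self.rx_kbps)

    def over_threshold(self) -> bool:
        return self.measured_kbps() >= self.threshold_kbps


def ecmp_index(src_ip: str, dst_ip: str, n_paths: int) -> int:
    """Choose one of n_paths from the source/destination address pair only.

    Assumption (not stated on the page): the device's hash function is not
    documented, so CRC32 of the address pair with modulo-N selection, one of
    the schemes analyzed in RFC 2992, stands in for it. The property that
    matters is shared by all of them: the choice depends on the addresses,
    never on how busy each path currently is.
    """
    if n_paths < 1:
        raise ValueError("need at least one path")
    return zlib.crc32(f"{src_ip}->{dst_ip}".encode()) % n_paths


def select_overflow(interfaces, src_ip: str, dst_ip: str) -> str:
    """Interface Overflow: use the first interface, in configured order, that is
    still under its threshold; if all are saturated, fall back to ECMP."""
    for iface in interfaces:
        if not iface.over_threshold():
            return iface.name
    return interfaces[ecmp_index(src_ip, dst_ip, len(interfaces))].name


# Constructed sample: an asymmetric 20/5 Mbps link whose threshold was set from
# the larger (RX) figure, plus a smaller backup link.
ASYMMETRIC = ExternalInterface("eth0", threshold_kbps=20_000, tx_kbps=4_900, rx_kbps=6_000)
BACKUP = ExternalInterface("eth1", threshold_kbps=5_000, tx_kbps=200, rx_kbps=300)


if __name__ == "__main__":
    # eth0's upload is nearly saturated (4.9 of 5 Mbps), but max(TX, RX) is far
    # below the 20 Mbps threshold, so overflow never triggers: the caveat in the text.
    print(select_overflow([ASYMMETRIC, BACKUP], "10.0.0.5", "198.51.100.7"))
    saturated = [
        ExternalInterface("eth0", 20_000, tx_kbps=1_000, rx_kbps=20_500),
        ExternalInterface("eth1", 5_000, tx_kbps=5_100, rx_kbps=400),
    ]
    # Both over threshold: the address hash, not the load, decides.
    print(select_overflow(saturated, "10.0.0.5", "198.51.100.7"))
```

The first call returns eth0 even though its upload is nearly full, which is why the text tells you to set the threshold with both directions in mind. The second call shows the ECMP fallback: the same address pair always lands on the same interface, whatever the load.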
Modem (XTM 2 Series, 3 Series or 5 Series only)
You can connect an external modem to the USB port on your XTM 2 Series, 3 Series, or 5 Series device and use that connection for failover when all other external interfaces are inactive.
For more information, see Configure Modem Failover on page 274.
Configure Round-Robin
Before You Begin
• To use the multi-WAN feature, you must have more than one external interface configured. If necessary, use the procedure described in Configure an External Interface on page 163.
• Make sure you understand the concepts and requirements for multi-WAN and the method you choose, as described in About Using Multiple External Interfaces on page 261 and About Multi-WAN Options on page 263.
Configure the Interfaces
1. Select Network > Configuration.
2. Click the Multi-WAN tab.
3. In the Multi-WAN Configuration section drop-down list, select Round-robin.
4. Click Configure.
5. In the Include column, select the check box for each interface you want to use in the round-robin configuration. It is not necessary to include all external interfaces in your round-robin configuration.
For example, you may have one interface that you want to use for policy-based routing that you
do not want to include in your round-robin configuration.
6. If you have Fireware XTM with a Pro upgrade and you want to change the weights assigned to
one or more interfaces, click Configure.
7. Click the value control to set an interface weight. The weight of an interface sets the percentage
of load through the XTM device that will use that interface.
You can change the weight from its default of 1 only if you have Fireware XTM with a
Pro upgrade. Otherwise, you see an error when you try to close the Network
Configuration dialog box.
8. Click OK.
For information on changing the weight, see Find How to Assign Weights to Interfaces on page
268.
9. To complete your configuration, you must add link monitor information as described in About
WAN Interface Status on page 283.
For information on advanced multi-WAN configuration options, see Advanced Multi-WAN
Settings on page 280.
10. Click OK.
Find How to Assign Weights to Interfaces
If you use Fireware XTM with a Pro upgrade, you can assign a weight to each interface used in your
round-robin multi-WAN configuration. By default, each interface has a weight of 1. The weight refers to
the proportion of load that the XTM device sends through an interface.
You can use only whole numbers for the interface weights; no fractions or decimals are allowed. For
optimal load balancing, you might have to do a calculation to know the whole-number weight to assign
for each interface. Use a common multiplier so that the relative proportion of the bandwidth given by
each external connection is resolved to whole numbers.
For example, suppose you have three Internet connections. One ISP gives you 6 Mbps, another ISP
gives you 1.5 Mbps, and a third gives you 768 Kbps. Convert the proportion to whole numbers:
• First convert the 768 Kbps to approximately .75 Mbps so that you use the same unit of measurement for all three lines. Your three lines are rated at 6, 1.5, and .75 Mbps.
• Multiply each value by 100 to remove the decimals. Proportionally, these are equivalent: [6 : 1.5 : .75] is the same ratio as [600 : 150 : 75].
• Find the greatest common divisor of the three numbers. In this case, 75 is the largest number that evenly divides all three numbers 600, 150, and 75.
• Divide each of the numbers by the greatest common divisor. The results are 8, 2, and 1. You could use these numbers as weights in a round-robin multi-WAN configuration.
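The weight calculation above, generalized to any number of links, as an added example rather than a WatchGuard tool. It makes the guide's "768 Kbps is approximately .75 Mbps" step explicit by rounding every rate to a quarter-Mbps step (the step size is an assumption; change it if your link speeds need finer resolution), puts the rates over a common denominator, and divides out the greatest common divisor. The interface names are constructed.

```python
from fractions import Fraction
from functools import reduce
from math import gcd, lcm


def round_to_step(rate_mbps, step: Fraction = Fraction(1, 4)) -> Fraction:
    """Round a line rate to the nearest multiple of `step` Mbps.

    The guide treats 768 Kbps as roughly 0.75 Mbps before working out the
    ratio; rounding to a quarter-Mbps step (an assumption, adjust to taste)
    makes that approximation explicit and reproducible.
    """
    rounded = Fraction(round(Fraction(str(rate_mbps)) / step)) * step
    if rounded <= 0:
        raise ValueError(f"rate {rate_mbps} Mbps rounds to zero at step {step}")
    return rounded


def round_robin_weights(rates_mbps: dict, step: Fraction = Fraction(1, 4)) -> dict:
    """Whole-number weights proportional to the link rates.

    1. express every rate as an exact fraction and put them over a common
       denominator (the guide's "multiply by 100" step, done exactly);
    2. divide by the greatest common divisor so the weights are as small as
       possible, since the dialog box accepts whole numbers only.
    """
    rounded = {name: round_to_step(rate, step) for name, rate in rates_mbps.items()}
    common = reduce(lcm, (f.denominator for f in rounded.values()), 1)
    whole = {name: int(f * common) for name, f in rounded.items()}
    divisor = reduce(gcd, whole.values())
    return {name: value // divisor for name, value in whole.items()}


def expected_share(weights: dict) -> dict:
    """Share of load each interface should carry, from its weight."""
    total = sum(weights.values())
    return {name: Fraction(w, total) for name, w in weights.items()}


# Constructed link set: the guide's three ISPs, with 768 Kbps given in Mbps.
LINKS_MBPS = {"ISP-A": 6, "ISP-B": 1.5, "ISP-C": 768 / 1000}

if __name__ == "__main__":
    weights = round_robin_weights(LINKS_MBPS)
    print(weights)                      # {'ISP-A': 8, 'ISP-B': 2, 'ISP-C': 1}
    for name, share in expected_share(weights).items():
        print(f"{name}: {float(share):.1%} of new connections")
```

Whole-number weights cannot express every ratio exactly; the rounding step is where you trade precision for small weights, so check the resulting shares against the real link speeds before committing them.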
Configure Failover
Before You Begin
• To use the multi-WAN feature, you must have more than one external interface configured. If necessary, use the procedure described in Configure an External Interface on page 163.
• Make sure you understand the concepts and requirements for multi-WAN and the method you choose, as described in About Using Multiple External Interfaces on page 261 and About Multi-WAN Options on page 263.
Configure the Interfaces
1. Select Network > Configuration.
2. Click the Multi-WAN tab.
3. In the Multi-WAN Configuration section drop-down list, select Failover.
4. Click Configure to specify a primary external interface and select backup external interfaces
for your configuration. In the Include column, select the check box for each interface you want
to use in the failover configuration.
5. Click Move Up or Move Down to set the order for failover. The first interface in the list is the
primary interface.
6. To complete your configuration, you must add link monitor information as described in About
WAN Interface Status on page 283.
For information on advanced multi-WAN configuration options, see Advanced Multi-WAN
Settings on page 280.
7. Click OK.
Configure Interface Overflow
Before You Begin
• To use the multi-WAN feature, you must have more than one external interface configured. If necessary, use the procedure described in Configure an External Interface on page 163.
• Make sure you understand the concepts and requirements for multi-WAN and the method you choose, as described in About Using Multiple External Interfaces on page 261 and About Multi-WAN Options on page 263.
Configure the Interfaces
1. Select Network > Configuration.
2. Click the Multi-WAN tab.
3. In the Multi-WAN Configuration section drop-down list, select Interface Overflow.
4. Click Configure.
5. In the Include column, select the check box for each interface you want to include in your
configuration.
6. To configure a bandwidth threshold for an external interface, select the interface from the list
and click Configure.
The Interface Overflow Threshold dialog box appears.
7. In the drop-down list, select Mbps or Kbps as the unit of measurement for your bandwidth
setting and type the threshold value for the interface.
The XTM device calculates bandwidth based on the higher value of sent or received packets.
8. Click OK.
9. To complete your configuration, you must add link monitor information as described in About WAN Interface Status on page 283.
For information on advanced multi-WAN configuration options, see Advanced Multi-WAN Settings on
page 280.
Configure Routing Table
Before You Begin
• To use the multi-WAN feature, you must have more than one external interface configured. If necessary, use the procedure described in Configure an External Interface on page 163.
• You must decide whether the Routing Table method is the correct multi-WAN method for your needs. For more information, see When to Use Multi-WAN Methods and Routing on page 273.
• Make sure you understand the concepts and requirements for multi-WAN and the method you choose, as described in About Using Multiple External Interfaces on page 261 and About Multi-WAN Options on page 263.
Routing Table mode and load balancing
The Routing Table option does not do bandwidth-aware load balancing on connections to the Internet. The XTM device reads its internal route table from top to bottom. Static and dynamic routes that specify a destination appear at the top of the route table and take precedence over default routes. (A default route is a route with destination 0.0.0.0/0.) If there is no specific dynamic or static entry in the route table for a destination, the traffic to that destination is distributed among the external interfaces of the XTM device by the ECMP hash of source and destination address. Because the hash ignores traffic load, this may or may not result in an even distribution of packets among multiple external interfaces.
Configure the Interfaces
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Click the Multi-WAN tab.
3. In the Multi-WAN Configuration section drop-down list, select Routing table.
By default, all external interface IP addresses are included in the configuration.
4. To remove external interfaces from the multi-WAN configuration, click Configure and clear the
check box adjacent to the external interface you want to exclude from the multi-WAN
configuration.
You can have as few as one external interface included in your configuration. This is useful if
you want to use policy-based routing for specific traffic and keep only one WAN for default
traffic.
5. To complete your configuration, you must add link monitor information as described in About
WAN Interface Status on page 283.
For information on advanced multi-WAN configuration options, see Advanced Multi-WAN Settings on
page 280.
About the XTM Device Route Table
When you select the Routing Table configuration option, it is a good idea to know how to look at the
routing table that is on your XTM device.
From WatchGuard System Manager:
1. Start Firebox System Manager.
2. Select the Status Report tab.
3. Scroll down until you see the Routes section.
This shows the internal route table on your XTM device.
In the Status Report, the routes appear in separate tables within the routes section. For details about
the route tables, see Read the Route Tables.
Routes in the internal route table on the XTM device include:
• Routes the XTM device learns from dynamic routing processes running on the device (RIP, OSPF, and BGP) if you enable dynamic routing
• Permanent network routes or host routes you add
• Routes the XTM device automatically creates based on the network configuration information
If your XTM device detects that an external interface is down, it removes any static or dynamic routes that use that interface. This is true both when the hosts specified in the Link Monitor become unresponsive and when the physical Ethernet link is down.
For more information on interface status and route table updates, see About WAN Interface Status on
page 283.
When to Use Multi-WAN Methods and Routing
If you use dynamic routing, you can use either the Routing Table or Round-Robin multi-WAN
configuration method. Routes that use a gateway on an internal (optional or trusted) network are not
affected by the multi-WAN method you select.
When to Use the Routing Table Method
The Routing Table method is a good choice if:
• You enable dynamic routing (RIP, OSPF, or BGP) and the routers on the external network advertise routes to the XTM device so that the device can learn the best routes to external locations.
• You must get access to an external site or external network through a specific route on an external network. Examples include:
  • You have a private circuit that uses a frame relay router on the external network.
  • You want all traffic to an external location to always go through a specific XTM device external interface.
The Routing Table method is the quickest way to spread connections across more than one route to the Internet. After you enable this option, the ECMP algorithm makes all path decisions, and no additional configuration is necessary on the XTM device. Because ECMP hashes on source and destination address rather than measuring load, this is per-flow distribution, not bandwidth-based load balancing.
When to Use the Round-Robin Method
Load balancing traffic to the Internet with ECMP is based on connections (a hash of the address pair), not on bandwidth. Routes configured statically or learned from dynamic routing are used before the ECMP algorithm. If you have Fireware XTM with a Pro upgrade, the weighted round-robin option lets you send more traffic through one external interface than another. Unlike ECMP, the round-robin algorithm distributes traffic to each external interface based on bandwidth, not connections. This gives you more control over how many bytes of data are sent through each ISP.
Configure Modem Failover
You can configure your Firebox T10, XTM 2 Series, 3 Series, or 5 Series device to send traffic through
a modem when it cannot send traffic with any external interface.
Connect a serial or 3G/4G modem to the USB port on the Firebox or XTM device. To use a serial
modem, you must have a dial-up account with an ISP (Internet Service Provider). To use a 3G/4G
modem, the device must use Fireware XTM OS v11.7.3 or later and you must have a 3G or 4G data
plan with a wireless service provider.
Modem failover is supported for these 3G/4G modems:
• AT&T Mobile Hotspot Elevate 4G (requires Fireware XTM v11.9 or higher)
• ZTE MF683 (T-Mobile Rocket 3.0 4G)
• Franklin U602 (Sprint 3G/4G Plug-in-Connect USB)
• Netgear 341U (requires Fireware XTM v11.8.3 or higher)
• Sierra Wireless AirCard 250U (Sprint 3G/4G USB 250U)
• Sierra Wireless AirCard 313U (requires Fireware XTM v11.7.4 or higher)
• Sierra Wireless AirCard 320U (requires Fireware XTM v11.8.1 or higher)
• Verizon Wireless LTE USB551L (requires Fireware XTM v11.7.4 or higher)
Modem failover is supported for these serial modems:
• Zoom FaxModem 56K model 2949
• MultiTech 56K Data/Fax Modem International
• OMRON ME5614D2 Fax/Data Modem
• Hayes 56K V.90 serial fax modem
For XTM 21, 22, and 23 devices, you must use an IOGEAR GUC323A USB to Serial RS-232 adapter
to connect the serial modem to the USB port on the XTM device.
Enable Modem Failover
1. Select Network > Modem.
The Modem Configuration dialog box appears.
2. Select the Enable Modem for Failover when all External interfaces are down check box.
3. Complete the Account, DNS, Dial-Up, and Link Monitor settings, as described in the
subsequent sections.
4. Click OK.
5. Save your configuration.
Account Settings
In the Dial Up Account Settings section, you configure the settings your modem uses to connect.
Serial Modem
For a serial modem, all account settings are required.
1. Select the Account tab.
2. In the Telephone number text box, type the telephone number of your ISP.
3. If you have another number for your ISP, in the Alternate Telephone number text box, type
that number.
4. In the Account name text box, type your dial-up account name.
5. If you log in to your account with a domain name, in the Account domain text box, type the
domain name.
For example, msn.com .
6. In the Account password text box, type the password you use to connect to your dial-up
account.
3G/4G Modem
For a 3G or 4G modem, the telephone number is the access number specified by your wireless service
provider. Examples of 3G and 4G access numbers are *99#, *99****1#, and #777. The settings for
account name, domain, and password are not required for all 3G/4G modems. To determine the
requirements for your modem, contact your wireless service provider.
1. Select the Account tab.
2. Select the Enable 3G/4G modem support check box.
If a Telephone number is not already specified, it is set to *99# by default.
3. If necessary, change the Telephone number to the access number required by your wireless
service provider.
4. If you have another access number for your wireless service provider, in the Alternate
Telephone number text box, type that number.
5. If necessary, type the Account name, Account domain, and Account password the modem
must use to connect to your account.
Enable Modem Failover Debug Log Messages
If you have problems with your connection, select the Enable modem and PPP debug trace check
box. When this option is selected, the Firebox or XTM device sends detailed log messages to the
event log file when a modem failover occurs.
DNS Settings
If your ISP or wireless service provider does not provide DNS server information, or if you must use a
different DNS server, you can manually add the IP addresses for a DNS server to use after failover
occurs.
1. Select the DNS tab.
The DNS Settings page appears.
2. Select the Manually configure DNS server IP addresses check box.
3. In the Primary DNS server text box, type the IP address of the primary DNS server.
4. If you have a secondary DNS server, in the Secondary DNS server text box, type the IP
address for the secondary server.
5. In the MTU text box, for compatibility purposes, you can set the Maximum Transmission Unit
(MTU) to a different value. Most users can keep the default setting.
Dial-Up Settings
1. Select the Dial Up tab.
The Dialing Options page appears.
2. In the Dial up timeout text box, type or select the number of seconds before a timeout occurs if your modem does not connect. The default value is 120 seconds (two minutes).
3. In the Redial attempts text box, type or select the number of times the XTM device tries to
redial if your modem does not connect. The default value is three (3) connection attempts.
4. In the Inactivity Timeout text box, type or select the number of minutes to wait if no traffic goes
through the modem before a timeout occurs. The default value is no timeout (0 minutes).
5. From the Speaker volume drop-down list, select the speaker volume for your modem.
Advanced Settings
Some dial-up ISPs or wireless service providers require that you specify one or more PPP options in
order to connect. In China, for example, some ISPs require that you use the PPP option receive-all.
The receive-all option causes PPP to accept all control characters from the peer.
1. Select the Advanced tab.
2. In the PPP options text box, type the required PPP options.
To specify more than one PPP option, separate each option with a comma.
Link Monitor Settings
The Link Monitor is a tool you can use to verify the status of each external interface on your Firebox or
XTM device. When you configure the modem settings on your Firebox or XTM device, you can set
options to test one or more external interfaces for an active connection. When an external interface
becomes active again, the device no longer sends traffic over the modem. Instead, it uses the
available external interface or interfaces. You can configure the Link Monitor to ping a site or device on
the external interface, create a TCP connection with a site and port number you specify, or both. You
can also set the time interval between each connection test, and configure the number of times a test
must fail or succeed before an interface is activated or deactivated.
To configure the link monitor settings for an interface:
1. In the Modem Configuration dialog box, click Link Monitor.
The Link Monitor Configuration dialog box appears.
2. In the External Interfaces list, select an external interface.
3. Configure the settings for the selected interface.
You must configure each interface separately.
4. To ping a location or device on the external network, select the Ping check box. In the adjacent
text box, type an IP address or host name.
5. To create a TCP connection to a location or device on the external network, select the
TCP check box. In the adjacent text box, type an IP address or host name.
(Optional) In the Port text box, type or select a port number.
The default port number is 80 (HTTP).
6. To require successful ping and TCP connections before an interface is marked as active, select
the Both Ping and TCP must be successful check box.
7. To change the time interval between connection attempts, in the Probe interval text box, type
or select a different number.
The default setting is 15 seconds.
8. To change the number of failures that mark an interface as inactive, in the Deactivate after text box, type or select a different number.
The default value is three (3) connection attempts.
9. To change the number of successful connections that mark an interface as active, in the
Reactivate after text box, type or select a different number.
The default value is three (3) connection attempts.
10. Click OK.
Advanced Multi-WAN Settings
In your multi-WAN configuration, you can set preferences for sticky connections, failback, and notification of multi-WAN events. Not every setting applies to every multi-WAN method. If a setting does not apply to the multi-WAN method you selected, its fields are not active.
About Sticky Connections
A sticky connection is a connection that continues to use the same WAN interface for a defined period
of time. You can set sticky connection parameters if you use the Routing Table, Round-robin, or
Interface Overflow options for multi-WAN. Sticky connections make sure that, if a packet goes out
through an external interface, any future packets between the source and destination address pair use
the same external interface for a specified period of time. By default, sticky connections use the same
interface for 3 minutes.
If a policy definition contains a sticky connection setting, this setting can override any global sticky
connection duration.
Set a Global Sticky Connection Duration
Use the Advanced tab to configure a global sticky connection duration for TCP connections, UDP
connections, and connections that use other protocols.
If you set a sticky connection duration in a policy, you can override the global sticky connection
duration.
For more information, see Set the Sticky Connection Duration for a Policy on page 757.
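The sticky connection behavior described above, as an added example that is not part of the guide or of WatchGuard's code: a table keyed by source/destination pair that pins the pair to the interface it first used, expires after the sticky duration, and lets a per-policy duration override the global one. It assumes the default 3 minutes applies to TCP, UDP and other protocols until changed, and that the timer runs from when the entry is created (the page does not say whether later packets refresh it). The interface names, addresses and the fake clock are constructed so the example runs offline.

```python
import itertools
import time


# Global sticky durations in seconds. The guide's default is 3 minutes;
# assumption: the same default applies to TCP, UDP and other protocols.
GLOBAL_STICKY_SECONDS = {"tcp": 180, "udp": 180, "other": 180}


class StickyTable:
    """Remembers which external interface a source/destination pair last used."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so tests can control time
        self._entries = {}           # (src, dst) -> (interface, expires_at)

    def lookup(self, src: str, dst: str):
        entry = self._entries.get((src, dst))
        if entry is None:
            return None
        interface, expires_at = entry
        if self._clock() >= expires_at:
            del self._entries[(src, dst)]   # sticky period is over
            return None
        return interface

    def record(self, src, dst, interface, proto="tcp", policy_sticky_seconds=None):
        # A sticky duration set on the matching policy overrides the global value.
        ttl = policy_sticky_seconds
        if ttl is None:
            ttl = GLOBAL_STICKY_SECONDS.get(proto, GLOBAL_STICKY_SECONDS["other"])
        # Assumption: the timer runs from entry creation, not from the last packet.
        self._entries[(src, dst)] = (interface, self._clock() + ttl)


def choose_interface(table, src, dst, proto, pick_new, policy_sticky_seconds=None):
    """Interface for the next packet: the sticky one while its entry is live,
    otherwise whatever the multi-WAN method (`pick_new`) selects, which then
    becomes sticky for the duration."""
    interface = table.lookup(src, dst)
    if interface is None:
        interface = pick_new()
        table.record(src, dst, interface, proto, policy_sticky_seconds)
    return interface


class FakeClock:
    """Constructed clock so the example runs instantly and deterministically."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Round-robin between two links with the default 3-minute sticky period."""
    clock = FakeClock()
    table = StickyTable(clock=clock)
    rr = itertools.cycle(["eth0", "eth1"])
    pick = lambda: next(rr)
    first = choose_interface(table, "10.0.0.5", "198.51.100.7", "tcp", pick)
    clock.advance(170)
    during = choose_interface(table, "10.0.0.5", "198.51.100.7", "tcp", pick)
    clock.advance(20)   # now 190 s in, past the 180 s sticky period
    after = choose_interface(table, "10.0.0.5", "198.51.100.7", "tcp", pick)
    return first, during, after


if __name__ == "__main__":
    print(demo())   # ('eth0', 'eth0', 'eth1')
```

The pair stays on eth0 for as long as the entry is live even though round-robin would otherwise have moved it; once the entry expires the next packet is assigned afresh. The same pinning is what keeps a multi-packet session from being split across ISPs with different public addresses.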
Set the Failback Action
You can set the action you want the XTM device to take when a failover event has occurred and then
the primary external interface becomes active again. When this occurs, all new connections
immediately fail back to the primary external interface. However, you can select the method you want
to use for connections that are in process at the time of failback. This failback setting also applies to
any policy-based routing configuration you set to use failover external interfaces.
1. In the Network Configuration dialog box, select the Multi-WAN tab.
2. Click the Advanced tab.
3. In the Failback for Active Connections section drop-down list select an option:
• Immediate failback — The XTM device immediately stops all existing connections.
• Gradual failback — The XTM device continues to use the failover interface for existing connections until each connection is complete.
4. Click OK.
Set Notification Settings
Log messages are always created for multi-WAN failover events.
To configure notification settings for multi-WAN failover and failback events:
1. Click Notification.
2. Select a notification method: SNMP trap, email message, or pop-up window.
For more information about notification settings, see Set Logging and Notification Preferences on page
1209.
About WAN Interface Status
You can choose the method and frequency you want the XTM device to use to check the status of
each WAN interface. If you do not configure a specified method for the XTM device to use, it pings the
interface default gateway to check interface status.
We recommend that you configure one or two link monitor hosts for each external interface. Select
targets that have a record of high uptime, such as servers hosted by your ISP. If there is a remote site
that is critical to your business operations, such as a credit card processing site or business partner, it
may be worthwhile to ask the administrator at that site if they have a device that you can use as a
monitoring target to verify connectivity to their site.
Time Needed for the XTM Device to Update its Route Table
If a link monitor host does not respond, it can take from 40–60 seconds for the XTM device to update
its route table. When the same Link Monitor host starts to respond again, it can take from 1–60
seconds for your XTM device to update its route table.
The update process is much faster when your XTM device detects a physical disconnect of the
Ethernet port. When this happens, the XTM device updates its route table immediately. When your
XTM device detects the Ethernet connection is back up, it updates its route table within 20 seconds.
Define a Link Monitor Host
1. In the Network Configuration dialog box, select the Multi-WAN tab, and click the Link
Monitor tab.
2. Highlight the interface in the External Interface column. The Settings information changes
dynamically to show the settings for that interface.
3. Select the check boxes for each link monitor method you want the XTM device to use to check
status of each external interface:
• Ping — Add an IP address or domain name for the XTM device to ping to check for interface status.
• TCP — Add the IP address or domain name of a computer that the XTM device can negotiate a TCP handshake with to check the status of the WAN interface.
• Both ping and TCP must be successful to define the interface as active — The interface is considered inactive unless both a ping and TCP connection complete successfully.
If an external interface is a member of a FireCluster configuration, a multi-WAN failover caused by a failed connection to a link monitor host does not trigger FireCluster failover. FireCluster failover occurs only when the physical interface is down or does not respond.
If you add a domain name for the XTM device to ping and any one of the external interfaces has a static IP address, you must configure a DNS server, as described in Add WINS and DNS Server Addresses on page 211.
4. To configure the frequency you want the XTM device to use to check the status of the interface,
type or select a Probe Interval setting.
The default setting is 15 seconds.
5. To change the number of consecutive probe failures that must occur before failover, type or
select a Deactivate after setting.
The default setting is three (3). After the selected number of failures, the XTM device starts to send
traffic through the next specified interface in the multi-WAN failover list.
6. To change the number of consecutive successful probes through an interface before an
interface that was inactive becomes active again, type or select a Reactivate after setting.
7. Repeat these steps for each external interface.
8. Click OK.
9. Save the Configuration File.
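The link monitor state machine from the Define a Link Monitor Host steps above (and the identical Link Monitor Settings in the modem configuration), as an added example that is not part of the guide or of WatchGuard's code. It applies the documented defaults (15-second probe interval, deactivate after 3 consecutive failures, reactivate after 3 consecutive successes), the "Both ping and TCP must be successful" option, and the failover rule that traffic goes to the first active interface in the configured order. Two assumptions are marked in the code: when both tests are configured without the "both" option, one passing test counts as success; and a successful probe resets the failure count. The interface names and probe results are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LinkMonitor:
    """Status of one external interface, driven by probe results.

    Defaults are the guide's: probe every 15 s, deactivate after 3 consecutive
    failures, reactivate after 3 consecutive successes.
    """
    name: str
    probe_interval_s: int = 15
    deactivate_after: int = 3
    reactivate_after: int = 3
    require_both: bool = False        # "Both ping and TCP must be successful"
    active: bool = True
    failures: int = field(default=0, init=False)    # consecutive failures
    successes: int = field(default=0, init=False)   # consecutive successes

    def record_probe(self, ping_ok: Optional[bool] = None,
                     tcp_ok: Optional[bool] = None) -> bool:
        """Feed one probe round (None = that test is not configured); return status."""
        results = [r for r in (ping_ok, tcp_ok) if r is not None]
        if not results:
            # With no target configured the device pings the default gateway;
            # pass that result as ping_ok instead of calling with nothing.
            raise ValueError(f"{self.name}: no link monitor result supplied")
        # Assumption: without the "both" option, any passing test is a success.
        ok = all(results) if self.require_both else any(results)
        if ok:
            self.successes += 1
            self.failures = 0          # assumption: a success resets the failure run
            if not self.active and self.successes >= self.reactivate_after:
                self.active = True
        else:
            self.failures += 1
            self.successes = 0
            if self.active and self.failures >= self.deactivate_after:
                self.active = False
        return self.active

    def failover_delay_bounds_s(self):
        """(best, worst) seconds from link loss to the interface being marked
        down, ignoring per-probe timeouts. The link can die just before a probe
        (best case) or just after a successful one (worst case: a whole interval
        passes before the first failure is even seen)."""
        return (self.probe_interval_s * (self.deactivate_after - 1),
                self.probe_interval_s * self.deactivate_after)


def active_interface(failover_order, monitors) -> Optional[str]:
    """Failover method: the first interface in configured order that is active.
    None means every external interface is down, the modem-failover trigger."""
    for name in failover_order:
        if monitors[name].active:
            return name
    return None


def demo():
    """Constructed scenario: primary eth0 loses its monitor host, then recovers."""
    monitors = {"eth0": LinkMonitor("eth0"), "eth1": LinkMonitor("eth1")}
    order = ["eth0", "eth1"]
    timeline = []
    for _ in range(3):                 # three lost probes: 45 s at the defaults
        monitors["eth0"].record_probe(ping_ok=False)
        timeline.append(active_interface(order, monitors))
    for _ in range(3):                 # three good probes: new connections fail back
        monitors["eth0"].record_probe(ping_ok=True)
        timeline.append(active_interface(order, monitors))
    return timeline


if __name__ == "__main__":
    print(demo())   # ['eth0', 'eth0', 'eth1', 'eth1', 'eth1', 'eth0']
    print(LinkMonitor("eth0").failover_delay_bounds_s())   # (30, 45)
```

At the defaults the interface is marked down 30 to 45 seconds after the monitor host stops answering, before probe timeouts are added, which is where the guide's 40 to 60 second route table update comes from. Lowering Deactivate after or the probe interval shortens that window at the cost of failing over on a single dropped probe.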
8 Network Address Translation (NAT)
About Network Address Translation
Network Address Translation (NAT) is a term used to describe any of several forms of IP address and
port translation. At its most basic level, NAT changes the IP address of a packet from one value to a
different value.
The primary purposes of NAT are to increase the number of computers that can operate off a single
publicly routable IP address, and to hide the private IP addresses of hosts on your LAN. When you use
NAT, the source IP address is changed on all the packets you send.
You can apply NAT as a general firewall setting, or as a setting in a policy. Firewall NAT settings do
not apply to BOVPN policies.
If you have Fireware XTM with a Pro upgrade, you can configure server load balancing as part of an
SNAT rule. The server load balancing feature is designed to help you increase the scalability and
performance of a high-traffic network with multiple public servers protected by your XTM device. With
server load balancing, you can have the XTM device control the number of sessions initiated to
multiple servers for each firewall policy you configure. The XTM device controls the load based on the
number of sessions in use on each server. The XTM device does not measure or compare the
bandwidth that is used by each server.
For more information on server load balancing, see Configure Server Load Balancing on page 312.
Types of NAT
The XTM device supports three different types of NAT. Your configuration can use more than one type
of NAT at the same time. You apply some types of NAT to all firewall traffic, and other types as a
setting in a policy.
Dynamic NAT
Dynamic NAT is also known as IP masquerading. The XTM device can apply its public IP
address to the outgoing packets for all connections or for specified services. This hides the real
IP address of the computer that is the source of the packet from the external network. Dynamic
NAT is generally used to hide the IP addresses of internal hosts when they get access to public
services.
For more information, see About Dynamic NAT on page 286.
Static NAT
Also known as port forwarding, you configure static NAT in an SNAT action and then use that
action when you configure policies. Static NAT is a port-to-host NAT. A host sends a packet
from the external network to a port on an external interface. Static NAT changes this IP address
to an IP address and port behind the firewall.
For more information, see Configure Static NAT on page 306.
1-to-1 NAT
1-to-1 NAT creates a mapping between IP addresses on one network and IP addresses on a
different network. This type of NAT is often used to give external computers access to your
public, internal servers.
For more information, see About 1-to-1 NAT on page 296.
About Dynamic NAT
Dynamic NAT is the most frequently used type of NAT. It changes the source IP address of an outgoing connection to the public IP address of the XTM device. Outside the XTM device, you see only the external interface IP address of the XTM device on outgoing packets.
Many computers can connect to the Internet from one public IP address. Dynamic NAT adds a measure of protection for internal hosts that use the Internet, because it hides the IP addresses of hosts on your network: an external host sees only the XTM device's external address and has no address of its own to send traffic to for an internal host. With dynamic NAT, all connections must start from behind the XTM device. Malicious hosts cannot start connections to the computers behind the XTM device unless you explicitly allow inbound access with static NAT or 1-to-1 NAT and a policy that permits it; dynamic NAT is not a substitute for your firewall policies.
In most networks, the recommended security policy is to apply NAT to all outgoing packets. With
Fireware XTM, dynamic NAT is enabled by default for traffic from all private IP addresses to the
external network. You can edit, delete or add network dynamic NAT rules. For more information, see
Add Network Dynamic NAT Rules
By default, all policies use the network dynamic NAT rules configured for the device. You can override
the network dynamic NAT setting in your individual policies. For more information, see Configure
Policy-Based Dynamic NAT.
You can set the source IP address for traffic that matches a dynamic NAT rule or policy. For more
information, see About Dynamic NAT Source IP Addresses.
Add Network Dynamic NAT Rules
The default configuration of dynamic NAT enables dynamic NAT from all private IP addresses to the
external network. The default entries are:
n 192.168.0.0/16 – Any-External
n 172.16.0.0/12 – Any-External
n 10.0.0.0/8 – Any-External
These three network addresses are the private networks reserved by the Internet Engineering Task
Force (IETF) and usually are used for the IP addresses on LANs. To enable dynamic NAT for private
IP addresses other than these, you must add dynamic NAT rules for them. The XTM device applies the
dynamic NAT rules in the sequence that the entries appear in the Dynamic NAT list. We recommend
that you put the rules in a sequence that matches the volume of traffic the rules apply to.
By default, dynamic NAT rewrites the source IP address of packets to use the primary IP address of
the interface from which the packet is sent. When you add a dynamic NAT rule, you can optionally
specify a different source IP address to use for packets that match that rule.
1. Select Network > NAT.
The NAT Setup dialog box appears.
2. On the Dynamic NAT tab, click Add.
The Add Dynamic NAT dialog box appears.
3. In the From drop-down list, select the source of the outgoing packets.
For example, use the trusted host alias to enable NAT from all of the trusted network.
For more information on built-in XTM device aliases, see About Aliases on page 730.
4. In the To drop-down list, select the destination of the outgoing packets.
5. To add a host or a network IP address, click the add icon.
The Add Address dialog box appears.
6. In the Choose Type drop-down list, select the address type.
7. In the Value text box, type the IP address or range.
You must type a network address in slash notation.
When you type an IP address, type all the numbers and the periods. Do not use the TAB or
arrow keys.
8. Click OK.
9. Select the Set source IP check box if you want to specify a different source IP address to use
for this rule. Type the source IP address to use in the adjacent text box.
If you set the source IP address, the XTM device changes the source IP address for packets
that match this rule to the source IP address you specify. The source IP address must be on the
same subnet as the primary or secondary IP address of the interface you specified as the To
location in the dynamic NAT rule.
If you set the source IP address, and the To location in the network dynamic NAT rule specifies
an alias, such as Any-External, that includes more than one interface, the source IP address is
used only for traffic that leaves an interface that has an IP address on the same subnet as the
source IP address.
For more information, see About Dynamic NAT Source IP Addresses.
Delete a Dynamic NAT Rule
You cannot change an existing dynamic NAT rule. If you want to change an existing rule, you must
delete the rule and add a new one.
To delete a dynamic NAT rule:
1. Select the rule to delete.
2. Click Remove.
A warning message appears.
3. Click Yes.
Reorder Dynamic NAT Rules
To change the sequence of the dynamic NAT rules:
1. Select the rule to change.
2. Click Up or Down to move it in the list.
Configure Policy-Based Dynamic NAT
In policy-based dynamic NAT, the XTM device maps private IP addresses to public IP addresses.
Dynamic NAT is enabled in the default configuration of each policy. You do not have to enable it unless
you previously disabled it.
For policy-based dynamic NAT to work correctly, use the Policy tab of the Edit Policy Properties
dialog box to make sure the policy is configured to allow traffic out through only one XTM device
interface.
1-to-1 NAT rules have higher precedence than dynamic NAT rules. Policy-based dynamic NAT has
higher precedence than network dynamic NAT.
To configure dynamic NAT settings in a policy:
1. Right-click a policy and select Modify Policy.
The Edit Policy Properties dialog box appears.
2. Click the Advanced tab.
3. Select the Dynamic NAT check box.
4. If you want to use the dynamic NAT rules set for the XTM device, select Use Network NAT
Settings.
This is the default setting.
5. If you want to apply dynamic NAT to all traffic in this policy, select All traffic in this policy.
If you select All traffic in this policy, the XTM device changes the source IP address for each
packet handled by this policy to the primary IP address of the interface from which the packet is
sent, or the source IP address configured in the network dynamic NAT settings. You can
optionally set a different dynamic NAT source IP address for traffic handled by this policy.
To set the source IP address in the policy:
1. Select the Set source IP check box.
2. In the adjacent text box, type the source IP address to use for traffic handled by this policy. This
source address must be on the same subnet as the primary or secondary IP address of the
interface you specified for outgoing traffic.
When you select a source IP address, any traffic that uses this policy shows the specified
address from your public or external IP address range as the source. This is most often used to
force outgoing SMTP traffic to show the MX record address for your domain when the IP
address on the XTM device external interface is not the same as your MX record IP address.
We recommend that you do not use the Set source IP option if you have more than one
external interface configured on your XTM device. If you use the Set source IP option in a
policy, do not enable policy-based routing with failover in the policy settings.
For more information about dynamic NAT source IP addressing options, see About Dynamic
NAT Source IP Addresses.
Disable Policy-Based Dynamic NAT
Dynamic NAT is enabled in the default configuration of each policy. To disable dynamic NAT for a
policy:
1. Right-click a policy and select Modify Policy.
The Edit Policy Properties dialog box appears.
2. Click the Advanced tab.
3. To disable NAT for the traffic controlled by this policy, clear the Dynamic NAT check box.
About Dynamic NAT Source IP Addresses
In the default dynamic NAT configuration, the XTM device changes the source IP address for traffic
that goes out an external interface to the primary IP address of the external interface the traffic leaves.
You can optionally configure dynamic NAT to use a different source IP address. You can set the
dynamic NAT source IP address in a network NAT rule or in the NAT settings for a policy. When you
select a source IP address, dynamic NAT uses the specified source IP address for any traffic that
matches the dynamic NAT rule or policy.
Whether you specify the source IP address in a network dynamic NAT rule or in a policy, it is important
that the source IP address is on the same subnet as the primary or secondary IP address of the
interface from which the traffic is sent. It is also important to make sure that the traffic the rule applies
to goes out through only one interface.
If the dynamic NAT source IP address is not on the same subnet as the primary or
secondary IP address of the outgoing interface for that traffic, the XTM device does
not change the source IP address for each packet to the source IP address specified
in the dynamic NAT rule. Instead, it changes the source IP address to the primary IP
address of the interface from which the packet is sent.
Set the Dynamic NAT Source IP Address in a Network Dynamic NAT rule
If you have a WatchGuard XTM 21, 22, or 23 device, this feature is not available for
your device.
If you want to set the source IP address for traffic that matches a dynamic NAT rule, regardless of any
policies that apply to the traffic, add a network dynamic NAT rule that specifies the source IP address.
The source IP address you specify must be on the same subnet as the primary or secondary
IP address of the interface the traffic leaves.
If the To location in the network dynamic NAT rule specifies an alias, such as Any-External, that
includes more than one interface, the source IP address is used only for traffic that leaves an interface
that has an IP address on the same subnet as the source IP address.
For example, if:
n Your XTM device has two external interfaces, Eth0 (203.0.113.2), and Eth1 (192.0.2.2).
n You create a dynamic NAT rule for all traffic to Any-External.
n In the dynamic NAT rule, you set a source IP address of 203.0.113.80.
The result is:
n For traffic that leaves Eth0, the source IP address is the IP address in the dynamic NAT rule, 203.0.113.80.
n For traffic that leaves Eth1, the source IP address is the Eth1 interface IP address, 192.0.2.2.
For more information, see Add Network Dynamic NAT Rules.
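The two selection rules described above (first matching entry in the Dynamic NAT list wins, and the Set source IP address is honoured only when it is on a subnet of the egress interface) as a small model. This is an added example, not WatchGuard code; the /24 masks on Eth0 and Eth1 and the client addresses are assumptions, since the guide gives only the interface addresses.

```python
"""Model of Fireware dynamic NAT source-address selection (added example).

Not WatchGuard code. It reproduces two behaviours from the guide:
  1. Rules are applied in the order they appear in the Dynamic NAT list;
     the first rule whose From and To match the packet is used.
  2. A rule's "Set source IP" address is used only when it is on the same
     subnet as the primary or a secondary IP address of the interface the
     packet leaves; otherwise the interface primary IP address is used.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import List, Optional, Tuple


@dataclass
class Interface:
    name: str
    primary: IPv4Interface                       # e.g. 203.0.113.2/24
    secondaries: List[IPv4Interface] = field(default_factory=list)
    aliases: Tuple[str, ...] = ()                # e.g. ("Any-External",)

    def networks(self) -> List[IPv4Network]:
        """Subnets of the primary and every secondary address."""
        return [self.primary.network] + [s.network for s in self.secondaries]


@dataclass
class DynamicNatRule:
    src: IPv4Network                             # the From field
    to: str                                      # the To field: interface name or alias
    source_ip: Optional[IPv4Address] = None      # "Set source IP", if checked

    def matches(self, client: IPv4Address, egress: Interface) -> bool:
        return client in self.src and self.to in (egress.name, *egress.aliases)


def nat_source(client: str, egress: Interface, rules: List[DynamicNatRule]) -> Optional[str]:
    """Source address after dynamic NAT for a packet from `client` leaving `egress`.

    Returns None when no rule matches (the packet is not translated).
    """
    addr = IPv4Address(client)
    for rule in rules:                           # list order is the match order
        if not rule.matches(addr, egress):
            continue
        if rule.source_ip is not None and any(rule.source_ip in net for net in egress.networks()):
            return str(rule.source_ip)           # rule source IP is on an egress subnet
        return str(egress.primary.ip)            # fall back to the interface primary IP
    return None


# Constructed for the example: the guide's Eth0/Eth1 addresses with assumed /24 masks.
ETH0 = Interface("Eth0", IPv4Interface("203.0.113.2/24"), aliases=("Any-External",))
ETH1 = Interface("Eth1", IPv4Interface("192.0.2.2/24"), aliases=("Any-External",))

# A custom rule with a source IP placed ahead of the three default entries.
RULES = [
    DynamicNatRule(IPv4Network("10.0.0.0/8"), "Any-External", IPv4Address("203.0.113.80")),
    DynamicNatRule(IPv4Network("192.168.0.0/16"), "Any-External"),
    DynamicNatRule(IPv4Network("172.16.0.0/12"), "Any-External"),
    DynamicNatRule(IPv4Network("10.0.0.0/8"), "Any-External"),
]

if __name__ == "__main__":
    print(nat_source("10.0.1.20", ETH0, RULES))                # 203.0.113.80
    print(nat_source("10.0.1.20", ETH1, RULES))                # 192.0.2.2
    print(nat_source("10.0.1.20", ETH0, list(reversed(RULES))))  # 203.0.113.2 (default 10/8 rule matched first)
```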
Set the Dynamic NAT Source IP Address in a Policy
If you want to set the source IP address for traffic handled by a specific policy, configure the source IP
address in the network settings of the policy. The source IP address you specify must be on the same
subnet as the primary or secondary IP address of the interface you specified for outgoing traffic in the
policy.
We recommend that you do not use the Set source IP option in a policy if you have more than one
external interface configured on your XTM device. If you use the Set source IP option in a policy, do
not enable policy-based routing with failover in the policy settings.
For more information, see Configure Policy-Based Dynamic NAT.
About 1-to-1 NAT
When you enable 1-to-1 NAT, your XTM device changes the routes for all incoming and outgoing
packets sent from one range of addresses to a different range of addresses. A 1-to-1 NAT rule always
has precedence over dynamic NAT.
1-to-1 NAT is frequently used when you have a group of internal servers with private IP addresses that
must be made public. You can use 1-to-1 NAT to map public IP addresses to the internal servers. You
do not have to change the IP address of your internal servers. When you have a group of similar
servers (for example, a group of email servers), 1-to-1 NAT is easier to configure than static NAT for
the same group of servers.
To understand how to configure 1-to-1 NAT, we give this example:
Company ABC has a group of five privately addressed email servers behind the trusted interface of
their XTM device. These addresses are:
10.0.1.1
10.0.1.2
10.0.1.3
10.0.1.4
10.0.1.5
Company ABC selects five public IP addresses from the same network address as the external
interface of their XTM device, and creates DNS records for the email servers to resolve to.
These addresses are:
203.0.113.1
203.0.113.2
203.0.113.3
203.0.113.4
203.0.113.5
Company ABC configures a 1-to-1 NAT rule for their email servers. The 1-to-1 NAT rule builds a static,
bi-directional relationship between the corresponding pairs of IP addresses. The relationship looks like
this:
10.0.1.1 <--> 203.0.113.1
10.0.1.2 <--> 203.0.113.2
10.0.1.3 <--> 203.0.113.3
10.0.1.4 <--> 203.0.113.4
10.0.1.5 <--> 203.0.113.5
When the 1-to-1 NAT rule is applied, your XTM device creates the bi-directional routing and NAT
relationship between the pool of private IP addresses and the pool of public addresses. 1-to-1 NAT also
operates on traffic sent from networks that your XTM device protects.
About 1-to-1 NAT and VPNs
When you create a VPN tunnel, the networks at each end of the VPN tunnel must have different
network address ranges. You can use 1-to-1 NAT when you must create a VPN tunnel between two
networks that use the same private network address. If the network range on the remote network is the
same as on the local network, you can configure the VPN to use 1-to-1 NAT.
n For a BOVPN virtual interface, you configure 1-to-1 NAT the same way as you would for any other interface. You can select the BOVPN virtual interface name as the interface for 1-to-1 NAT.
n For a branch office VPN tunnel that is not a BOVPN virtual interface, you must configure 1-to-1 NAT in the branch office VPN gateway and tunnel settings. For more information, see Use 1-to-1 NAT Through a Branch Office VPN Tunnel on page 1559.
Configure Firewall 1-to-1 NAT
To configure 1-to-1 NAT for any interface:
1. Select Network > NAT.
The NAT Setup dialog box appears.
2. Click the 1-to-1 NAT tab.
3. Click Add.
The Add 1-to-1 Mapping dialog box appears.
4. In the Map Type drop-down list, select Single IP (to map one host), IP range (to map a range
of hosts within a subnet), or IP subnet (to map a subnet).
If you select IP range or IP subnet, do not specify a subnet or range that includes more than
256 IP addresses. If you want to apply 1-to-1 NAT to more than 256 IP addresses, you must
create more than one rule.
5. Complete all the fields in the Configuration section of the dialog box.
For more information on how to use these fields, see the subsequent Define a 1-to-1 NAT rule
section.
6. Click OK.
7. Add the NAT IP addresses to the appropriate policies.
n For a policy that manages outgoing traffic, add the Real Base IP addresses to the From
section of the policy configuration.
n For a policy that manages incoming traffic, add the NAT Base IP addresses to the To
section of the policy configuration.
In the previous example, where we used 1-to-1 NAT to give access to a group of email servers
described in About 1-to-1 NAT on page 296, we must configure the SMTP policy to allow SMTP traffic.
To complete this configuration, you must change the policy settings to allow traffic from the external
network to the IP address range 10.1.1.1–10.1.1.5.
1. Add a new policy, or modify an existing policy.
2. Adjacent to the From list, click Add.
3. Select the alias Any-External and click OK.
4. Adjacent to the To list, click Add. Click Add Other.
5. To add one IP address at a time, select Host IP from the drop-down list and type the IP address
in the adjacent text box. Click OK twice.
6. Repeat Steps 3–4 for each IP address in the NAT address range.
To add several IP addresses at once, select Host Range in the drop-down list. Type the first
and last IP addresses from the NAT Base range and click OK twice.
To connect to a computer located on a different interface that uses 1-to-1 NAT, you
must use that computer’s public (NAT base) IP address. If this is a problem, you can
disable 1-to-1 NAT and use static NAT.
Define a 1-to-1 NAT Rule
In each 1-to-1 NAT rule, you can configure a host, a range of hosts, or a subnet. You must also
configure:
Interface
The name of the Ethernet interface on which 1-to-1 NAT is applied. Your XTM device applies
1-to-1 NAT for packets sent in to, and out of, the interface. In our example above, the rule is
applied to the external interface.
NAT base
When you configure a 1-to-1 NAT rule, you configure the rule with a from and a to range of IP
addresses. The NAT base is the first available IP address in the to range of addresses. The
NAT base IP address is the address that the real base IP address changes to when the 1-to-1
NAT is applied. You cannot use the IP address of an existing Ethernet interface as your NAT
base. In our example above, the NAT base is 203.0.113.11.
Real base
When you configure a 1-to-1 NAT rule, you configure the rule with a from and a to range of IP
addresses. The Real base is the first available IP address in the from range of addresses. It is
the IP address assigned to the physical Ethernet interface of the computer to which you will
apply the 1-to-1 NAT policy. When packets from a computer with a real base address go
through the specified interface, the 1-to-1 action is applied. In the example above, the Real base
is 10.0.1.11.
Number of hosts to NAT (for ranges only)
The number of IP addresses in a range to which the 1-to-1 NAT rule applies. The first real base
IP address is translated to the first NAT Base IP address when 1-to-1 NAT is applied. The
second real base IP address in the range is translated to the second NAT base IP address when
1-to-1 NAT is applied. This is repeated until the Number of hosts to NAT is reached. In the
example above, the number of hosts to apply NAT to is 5.
For an example of how to use 1-to-1 NAT, see 1-to-1 NAT Example.
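The Real base, NAT base, and Number of hosts to NAT fields above define a bidirectional mapping on one interface. The model below is an added example, not WatchGuard code: it builds the Company ABC mapping, enforces the 256-address limit per rule and the "NAT base is not an interface address" restriction from this section, and also includes the second mapping on the Trusted interface that the NAT Loopback and 1-to-1 NAT section adds. The interface addresses passed to build_tables are constructed for the example.

```python
"""Model of Fireware 1-to-1 NAT mappings (added example, not WatchGuard code).

A rule maps `count` consecutive addresses starting at real_base to `count`
consecutive addresses starting at nat_base, on one interface, in both
directions: the source of packets leaving through the interface and the
destination of packets arriving on it.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, Iterable, List, Tuple

MAX_HOSTS_PER_RULE = 256          # the guide's limit for an IP range / IP subnet rule


@dataclass(frozen=True)
class OneToOneRule:
    interface: str                # interface the rule is applied to, e.g. "External"
    nat_base: str                 # first address of the public ("to") range
    real_base: str                # first address of the private ("from") range
    count: int = 1                # Number of hosts to NAT

    def __post_init__(self) -> None:
        if not 1 <= self.count <= MAX_HOSTS_PER_RULE:
            raise ValueError("a single 1-to-1 rule may cover at most 256 addresses; add another rule")

    def pairs(self) -> Iterable[Tuple[IPv4Address, IPv4Address]]:
        """Yield (real, nat) pairs: the i-th real address maps to the i-th NAT address."""
        real, nat = IPv4Address(self.real_base), IPv4Address(self.nat_base)
        for i in range(self.count):
            yield real + i, nat + i


Table = Dict[str, Dict[IPv4Address, IPv4Address]]   # interface name -> address map


def build_tables(rules: List[OneToOneRule], interface_ips: Iterable[str]) -> Tuple[Table, Table]:
    """Build per-interface outbound (real -> NAT) and inbound (NAT -> real) maps."""
    taken = {IPv4Address(ip) for ip in interface_ips}
    outbound: Table = {}
    inbound: Table = {}
    for rule in rules:
        if IPv4Address(rule.nat_base) in taken:
            raise ValueError(f"NAT base {rule.nat_base} is the address of an existing interface")
        out = outbound.setdefault(rule.interface, {})
        inb = inbound.setdefault(rule.interface, {})
        for real, nat in rule.pairs():
            out[real] = nat
            inb[nat] = real
    return outbound, inbound


def translate_outbound(src: str, interface: str, outbound: Table) -> str:
    """Source address of a packet leaving through `interface`; unmapped addresses pass unchanged."""
    addr = IPv4Address(src)
    return str(outbound.get(interface, {}).get(addr, addr))


def translate_inbound(dst: str, interface: str, inbound: Table) -> str:
    """Destination address of a packet arriving on `interface`; unmapped addresses pass unchanged."""
    addr = IPv4Address(dst)
    return str(inbound.get(interface, {}).get(addr, addr))


# The Company ABC mapping from the guide (five email servers), plus the extra
# Trusted-interface mapping the NAT loopback section adds for internal clients.
RULES = [
    OneToOneRule("External", "203.0.113.1", "10.0.1.1", 5),
    OneToOneRule("Trusted", "203.0.113.5", "10.0.1.5"),
]
# Interface primary addresses are constructed for this example; the guide gives none.
OUTBOUND, INBOUND = build_tables(RULES, ["203.0.113.2", "10.0.1.254"])

if __name__ == "__main__":
    for real, nat in RULES[0].pairs():
        print(f"{real} <--> {nat}")
    print(translate_inbound("203.0.113.3", "External", INBOUND))   # 10.0.1.3
    print(translate_inbound("203.0.113.5", "Trusted", INBOUND))    # 10.0.1.5 (loopback mapping)
```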
1-to-1 NAT Through a Branch Office VPN
You can also use 1-to-1 NAT when you must create a VPN tunnel between two networks that use the
same private network address. When you create a VPN tunnel, the networks at each end of the VPN
tunnel must have different network address ranges. If the network range on the remote network is the
same as on the local network, you must use 1-to-1 NAT. For a BOVPN virtual interface, you can select
the BOVPN virtual interface name in the 1-to-1 NAT configuration, and add a 1-to-1 NAT rule as
described in the previous section.
For a branch office VPN that is not a BOVPN virtual interface, you can configure 1-to-1 NAT in the
branch office VPN gateway and tunnel settings. To do this, you configure both gateways to use 1-to-1
NAT. Then, you can create the VPN tunnel and not change the IP addresses of one side of the tunnel.
You configure 1-to-1 NAT for a VPN tunnel when you configure the VPN tunnel and not in the Network
> NAT dialog box. For an example of this type of configuration, see Use 1-to-1 NAT Through a Branch
Office VPN Tunnel.
Configure Policy-Based 1-to-1 NAT
In policy-based 1-to-1 NAT, your XTM device uses the private and public IP ranges that you set when
you configured global 1-to-1 NAT, but the rules are applied to an individual policy. 1-to-1 NAT is
enabled in the default configuration of each policy. If traffic matches both 1-to-1 NAT and dynamic NAT
policies, 1-to-1 NAT takes precedence.
Enable Policy-Based 1-to-1 NAT
Because policy-based 1-to-1 NAT is enabled by default, you do not need to do anything else to enable
it. If you have previously disabled policy-based 1-to-1 NAT, select the check box in Step 3 of the
subsequent procedure to enable it again.
Disable Policy-Based 1-to-1 NAT
1. Right-click a policy and select Modify Policy.
The Edit Policy Properties dialog box appears.
2. Click the Advanced tab.
3. Clear the 1-to-1 NAT check box to disable NAT for the traffic controlled by this policy.
4. Click OK.
5. Save the Configuration File.
Configure NAT Loopback with Static NAT
Fireware XTM includes support for NAT loopback. NAT loopback allows a user on the trusted or
optional networks to get access to a public server that is on the same physical XTM device interface
by its public IP address or domain name. For NAT loopback connections, the XTM device changes the
source IP address to the IP address of the internal XTM device interface (the primary IP address for the
interface where the client and server both connect to the XTM device).
To understand how to configure NAT loopback when you use static NAT, we give this example:
Company ABC has an HTTP server on the XTM device trusted interface. The company uses static
NAT to map the public IP address to the internal server. The company wants to allow users on the
trusted network to use the public IP address or domain name to get access to this public server.
For this example, we assume:
n The trusted interface is configured with an IP address on the 10.0.1.0/24 network.
n The HTTP server is physically connected to the trusted 10.0.1.0/24 network.
Add a Policy for NAT Loopback to the Server
In this example, to allow users on your trusted and optional networks to use the public IP address or
domain name to access a public server that is on the trusted network, you must create an SNAT action
and add it to an HTTP policy. The policy addresses could look like this:
The To section of the policy contains an SNAT action that defines a static NAT route from the public
IP address of the HTTP server to the real IP address of that server.
For more information about static NAT, see Configure Static NAT on page 306.
If you use 1-to-1 NAT to route traffic to servers inside your network, see NAT Loopback and 1-to-1
NAT on page 303.
NAT Loopback and 1-to-1 NAT
NAT loopback allows a user on the trusted or optional networks to connect to a public server with its
public IP address or domain name if the server is on the same physical XTM device interface. If you
use 1-to-1 NAT to route traffic to servers on the internal network, use these instructions to configure
NAT loopback from internal users to those servers. If you do not use 1-to-1 NAT, see Configure NAT
Loopback with Static NAT on page 301.
To help you understand how to configure NAT loopback when you use 1-to-1 NAT, we give this
example:
Company ABC has an HTTP server on the XTM device trusted interface. The company uses a 1-to-1
NAT rule to map the public IP address to the internal server. The company wants to allow users on the
trusted interface to use the public IP address or domain name to access this public server.
For this example, we assume:
n A server with public IP address 203.0.113.5 is mapped with a 1-to-1 NAT rule to a host on the
internal network. In the 1-to-1 NAT tab of the NAT Setup dialog box, select these options:
Interface — External, NAT Base — 203.0.113.5, Real Base — 10.0.1.5
n The trusted interface is configured with a primary network, 10.0.1.0/24.
n The HTTP server is physically connected to the network on the trusted interface. The Real
Base address of that host is on the trusted interface.
n The trusted interface is also configured with a secondary network, 192.168.2.0/24.
For this example, to enable NAT loopback for all users connected to the trusted interface, you must:
1. Make sure that there is a 1-to-1 NAT entry for each interface that traffic uses when internal
computers get access to the public IP address 203.0.113.5 with a NAT loopback connection.
You must add one more 1-to-1 NAT mapping to apply to traffic that starts from the trusted
interface. The new 1-to-1 mapping is the same as the previous one, except that the Interface is
set to Trusted instead of External.
After you add the second 1-to-1 NAT entry, the 1-to-1 NAT tab on the NAT Setup dialog box
shows two 1-to-1 NAT mappings: one for External and one for Trusted.
Interface — External, NAT Base — 203.0.113.5, Real Base — 10.0.1.5
Interface — Trusted, NAT Base — 203.0.113.5, Real Base — 10.0.1.5
2. Add a Dynamic NAT entry for every network on the interface that the server is connected to.
The From field for the Dynamic NAT entry is the network IP address of the network from which
computers get access to the 1-to-1 NAT IP address with NAT loopback.
The To field for the Dynamic NAT entry is the NAT base address in the 1-to-1 NAT mapping.
For this example, the trusted interface has two networks defined, and we want to allow users on
both networks to get access to the HTTP server with the public IP address or host name of the
server. We must add two Dynamic NAT entries.
In the Dynamic NAT tab of the NAT Setup, add:
10.0.1.0/24 - 203.0.113.5
192.168.2.0/24 - 203.0.113.5
3. Add a policy to allow users on your trusted network to use the public IP address or domain name
to get access to the public server on the trusted network. For this example:
From — Any-Trusted
To — 203.0.113.5
The public IP address that users want to connect to is 203.0.113.5. This IP address is
configured as a secondary IP address on the external interface.
For more information about configuring static NAT, see Configure Static NAT on page 306.
For more information about how to configure 1-to-1 NAT, see Configure Firewall 1-to-1 NAT on page
297.
About SNAT
An SNAT action is a user-defined action that includes static NAT or server load balancing members
which can be referenced by a policy. An SNAT action is a NAT mapping which replaces the original
destination IP address (and optionally, port) with a new destination. For a server load balancing SNAT
action, the original destination is mapped to multiple server IP addresses, which the XTM device can
load balance between.
You can create SNAT actions and apply them to one or more policies in your configuration. To
reference an SNAT object in a policy, you add it to the To (destination) list in the policy. If you add a
server load balancing SNAT action to a policy, it must be the only destination in the policy.
For more information about static NAT and server load balancing, see Configure Static NAT and
Configure Server Load Balancing.
If your device uses Fireware XTM v11.0-v11.3.x, you cannot configure an SNAT
action. Instead, you configure Static NAT and Server Load Balancing in a policy. For
more information, see About Static NAT and Configure Server Load Balancing in the
Fireware XTM WatchGuard System Manager v11.3.x Help.
Configure Static NAT
Static NAT, also known as port forwarding, is a port-to-host NAT. With static NAT, when a host sends
a packet from a network to a port on an external or optional interface, static NAT changes the
destination IP address to an IP address and port behind the firewall. If a software application uses
more than one port and the ports are selected dynamically, you must either use 1-to-1 NAT, or check
whether a proxy on your XTM device manages this kind of traffic. Static NAT also operates on traffic
sent from networks that your XTM device protects.
You can configure static NAT for traffic sent to an external or optional XTM device interface. Static
NAT for an optional interface is supported in Fireware XTM OS v11.8.1 and higher.
You cannot configure static NAT for an optional interface in a Device Configuration
Template. For more information about how to configure an SNAT action in a Device
Configuration Template, see Configure an SNAT Action.
When you use static NAT, traffic to an internal server can be addressed to an XTM device interface
IP address, instead of to the actual IP address of the server. For example, you can put your SMTP
email server behind your XTM device with a private IP address and configure static NAT in your SMTP
policy. Your XTM device then receives connections on port 25 and sends any SMTP traffic to the real
address of the SMTP server behind the XTM device.
If your device runs Fireware XTM OS v11.0-v11.3.x, the steps to configure static
NAT are different. For more information, see About Static NAT in the Fireware
XTM WatchGuard System Manager v11.3.x Help.
Add a Static NAT Action
You can create a static NAT action and then add it to a policy, or you can create the static NAT action
from within a policy configuration. After you add a SNAT action, you can use it in one or more policies.
When you add a static NAT action, you can optionally specify a source IP address in the action. Then,
when traffic that matches the parameters in your static NAT action is received by your XTM device, it
changes the source IP address to the IP address that you specify. You can specify a different source
IP address for each SNAT member.
You can also enable port address translation (PAT) in a static NAT action. When you enable PAT, you
can change the packet destination to specify a different internal host and a different port.
To add a static NAT action before you add it to a policy:
1. Select Setup > Actions > SNAT.
The SNAT dialog box appears.
2. Click Add.
The Add SNAT dialog box appears.
3. In the SNAT Name text box, type a name for this SNAT action.
4. (Optional) In the Description text box, type a description for this SNAT action.
5. Select Static NAT.
This is the default selection.
6. Click Add.
The Add Static NAT dialog box appears.
7. From the External/Optional IP Address drop-down list, select the IP address or alias of an
external or optional interface to use in this action.
For example, to use static NAT for packets addressed to only one external IP address,
select that external IP address or alias. Or, to use static NAT for packets addressed to any
optional IP interface, select the Any-Optional alias.
8. To specify the source IP address for this static NAT action, select the Set source IP check
box. In the adjacent text box, type the source IP address.
9. In the Internal IP Address text box, type the destination on the trusted or optional network.
10. To enable port address translation (PAT), select the Set internal port to a different port
check box. In the adjacent text box, type or select the port number.
If you use an SNAT action in a policy that allows traffic other than TCP or UDP, the
internal port setting is not used for that traffic.
11. Click OK.
The static NAT route appears in the SNAT Members list.
12. To add another member to this action, click Add and repeat Steps 7–12.
13. Click OK.
The new SNAT action appears in the SNAT dialog box.
Add a Static NAT Action to a Policy
1. Double-click a policy to edit it.
2. From the Connections are drop-down list, select Allowed.
To use static NAT, the policy must allow incoming traffic.
3. In the To section, click Add.
The Add Address dialog box appears.
4. Click Add SNAT.
The SNAT dialog box appears, with a list of the configured static NAT and Server Load Balancing
actions.
5. Select the configured SNAT action to add. Click OK.
Or, click Add to define a new static NAT action. Follow the steps in the Add a Static
NAT Action section to configure the static NAT action.
6. Click OK to close the SNAT dialog box.
The static NAT route appears in the Selected Members and Addresses list.
7. Click OK to close the Add Address dialog box.
8. Click OK to close the Policy Properties dialog box.
Edit or Remove a Static NAT Action
You can edit an SNAT action from the SNAT action list or when you edit a policy.
To edit an SNAT action from the SNAT action list:
1. Select Setup > Actions > SNAT.
The SNAT dialog box appears.
2. Select an SNAT action.
3. Click Edit.
The Edit SNAT dialog box appears.
4. Modify the SNAT action.
When you edit an SNAT action, any changes you make apply to all policies that use that SNAT
action.
5. Click OK.
To edit an SNAT action from a policy:
1. Double-click a policy to edit it.
The Edit Policy Properties dialog box appears, with the Policy tab selected.
2. In the To section, select the SNAT action you want to edit.
3. Click Edit.
The Edit SNAT dialog box appears.
4. Modify the SNAT action.
When you edit an SNAT action in a policy, the changes apply to all policies that use that SNAT
action.
5. Click OK.
To remove an SNAT action:
1. Select Setup > Actions > SNAT.
The SNAT dialog box appears.
2. Select an SNAT action.
3. Click Remove.
You cannot remove an SNAT action that is used by a policy. A confirmation dialog box appears.
4. Click Yes to confirm that you want to remove the SNAT action.
5. Click OK.
Change Static NAT Global Settings
By default, the XTM device does not clear active connections when you modify a static NAT action.
You can change the global SNAT setting so that the XTM device clears active connections that use an
SNAT action you modify.
To change the global SNAT setting:
1. Select Setup > Global Settings.
2. Select the Networking tab.
3. In the Traffic Flow section, select the When an SNAT action changes, clear active
connections that use that SNAT action check box.
4. Click OK.
Configure Server Load Balancing
Server load balancing requires Fireware XTM with a Pro upgrade, and is not
supported on Firebox T10, XTM 2 Series, and XTM 3 Series devices.
The server load balancing feature in Fireware XTM is designed to help you increase the scalability and
performance of a high-traffic network with multiple servers. With server load balancing, you can enable
the XTM device to control the number of sessions initiated to as many as 10 servers for each firewall
policy you configure. The XTM device controls the load based on the number of sessions in use on
each server. The XTM device does not measure or compare the bandwidth that is used by each server.
You configure server load balancing as an SNAT action. The XTM device can balance connections
among your servers with two different algorithms. When you configure server load balancing, you must
choose the algorithm for the XTM device to apply.
Round-robin
If you select this option, the XTM device distributes incoming sessions among the servers you
specify in the policy in round-robin order. The first connection is sent to the first server specified
in your policy. The next connection is sent to the next server in your policy, and so on.
Least Connection
If you select this option, the XTM device sends each new session to the server in the list that
currently has the lowest number of open connections to the device. The XTM device cannot tell
how many connections the server has open on other interfaces.
You can add any number of servers to a server load balancing action. You can also add a weight to
each server to make sure that your most powerful servers are given the heaviest load. The weight
refers to the proportion of load that the XTM device sends to a server. By default, each server has a
weight of 1. If you assign a weight of 2 to a server, you double the number of sessions that the XTM
device sends to that server, compared to a server with a weight of 1.
You can optionally configure a source IP address in a server load balancing action. If you do not
configure a source IP address in the server load balancing action, the XTM device does not modify the
sender, or source IP address, of traffic sent to these devices. While the traffic is sent directly from the
XTM device, each device that is part of your server load balancing configuration sees the original
source IP address of the network traffic.
When you configure server load balancing, it is important to know:
• You can configure server load balancing for any policy to which you can apply static NAT.
• If you apply server load balancing to a policy, you cannot set policy-based routing or other NAT rules in the same policy.
• If you use server load balancing in an active/passive FireCluster configuration, real-time synchronization does not occur between the cluster members when a failover event occurs. When the passive backup master becomes the active cluster master, it sends connections to all servers in the server load balancing list to see which servers are available. It then applies the server load balancing algorithm to all available servers.
• If you use server load balancing for connections to a group of RDP servers, you must configure the firewall on each RDP server to allow ICMP requests from the XTM device.
• You can configure a server load balancing SNAT action for traffic sent to an external or optional XTM device interface. Static NAT for an optional interface requires Fireware XTM OS v11.8.1 and higher.
If your device uses Fireware XTM v11.0-v11.3.x, the steps to configure Server Load
Balancing are different. For more information, see Configure Server Load Balancing
in the Fireware XTM WatchGuard System Manager v11.3.x Help.
Add a Server Load Balancing SNAT Action
You can create a server load balancing SNAT action and then add it to a policy, or you can create the
server load balancing SNAT action from within the policy configuration. After you add an SNAT action,
you can use it in multiple policies.
When you add a server load balancing SNAT action, you can choose to specify a source IP address in
the action. Then, when traffic that matches the parameters in your server load balancing SNAT action
passes through the policies that manage the traffic on your XTM device, the source IP address is
changed to the IP address that you specify. The same source IP address is used for all servers in the
server load balancing action.
You can also enable port address translation (PAT) in a server load balancing SNAT action. When you
enable PAT, you can change the packet destination to specify a different internal host and a different
port.
When you define the parameters for the SNAT action, sticky connections are always enabled. A sticky
connection is a connection that continues to use the same server for a defined period of time.
Stickiness makes sure that all packets between a source and destination IP address pair are sent to
the same server for the time period you specify. By default, the XTM device uses the default sticky
connection setting of 8 hours. You can change the setting to a different number of hours. When a new
connection from the same client is received, the expiration time of the connection is extended.
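The following Python model is an added illustration, not WatchGuard code. It reproduces the behaviour described in the two passages above: weighted Round-robin and Least Connection scheduling, and the sticky table with its 8-hour default whose expiry is extended by each new connection from the same client. The guide does not say how weight combines with Least Connection, so dividing open connections by weight is an assumption of this model; the server and client addresses are constructed.

```python
from dataclasses import dataclass
from itertools import cycle


@dataclass
class Server:
    ip: str
    weight: int = 1      # default weight is 1, as in the guide
    open_conns: int = 0  # connections the device currently counts as open


class ServerLoadBalancer:
    """Models one server load balancing SNAT action (illustrative only)."""

    STICKY_HOURS_DEFAULT = 8  # guide default for sticky connections

    def __init__(self, servers, method="round-robin",
                 sticky_hours=STICKY_HOURS_DEFAULT):
        if method not in ("round-robin", "least-connection"):
            raise ValueError("method must be 'round-robin' or 'least-connection'")
        if not servers:
            raise ValueError("at least one server is required")
        self.servers = list(servers)
        self.method = method
        self.sticky_seconds = sticky_hours * 3600
        # (client ip, destination ip) -> (server, expiry time in seconds)
        self._sticky = {}
        # Weighted round-robin: a server with weight 2 appears twice per cycle,
        # so it receives twice the sessions of a weight-1 server.
        self._rr = cycle([s for s in self.servers for _ in range(s.weight)])

    def new_session(self, client_ip, dest_ip, now):
        """Choose the server for a new session that arrives at time `now`."""
        key = (client_ip, dest_ip)
        entry = self._sticky.get(key)
        if entry is not None and entry[1] > now:
            server = entry[0]            # sticky hit: reuse the same server
        else:
            server = self._schedule()    # no valid sticky entry: run the algorithm
        # A new connection from the same client extends the sticky expiry.
        self._sticky[key] = (server, now + self.sticky_seconds)
        server.open_conns += 1
        return server

    def end_session(self, server):
        """Record that one of the device's connections to `server` closed."""
        server.open_conns = max(0, server.open_conns - 1)

    def _schedule(self):
        if self.method == "round-robin":
            return next(self._rr)
        # Least Connection counts only the connections the device itself has
        # open to each server. Dividing by weight is this model's assumption.
        return min(self.servers, key=lambda s: s.open_conns / s.weight)


def distribute(lb, clients, dest_ip="203.0.113.10", now=0):
    """Send one session per client and return sessions per server ip."""
    counts = {s.ip: 0 for s in lb.servers}
    for client in clients:
        counts[lb.new_session(client, dest_ip, now).ip] += 1
    return counts


if __name__ == "__main__":
    # Constructed example: three servers, the middle one with weight 2.
    pool = [Server("10.0.2.11"), Server("10.0.2.12", weight=2), Server("10.0.2.13")]
    lb = ServerLoadBalancer(pool)
    print(distribute(lb, [f"198.51.100.{i}" for i in range(1, 9)]))
```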
To add a server load balancing SNAT action before you add it to a policy:
1. In Policy Manager, select Setup > Actions > SNAT.
The SNAT dialog box appears.
2. Click Add.
The Add SNAT dialog box appears.
3. In the SNAT Name text box, type a name for this SNAT action.
4. (Optional) In the Description text box, type a description for this SNAT action.
5. Select Server Load Balancing.
6. Click Add.
The Add Server Load Balancing NAT dialog box appears.
7. From the External IP address drop-down list, select the external IP address or alias to use in
this server load balancing action.
For example, you can have the XTM device apply server load balancing for this action to
packets received on only one external IP address. Or, you can have the XTM device apply
server load balancing for packets received on any external IP address if you select the Any-External alias.
8. To specify the source IP address for this server load balancing action, select the Set source IP
check box. In the adjacent text box, type the source IP address.
9. From the Method drop-down list, select the algorithm to use for server load balancing: Round-robin or Least Connection.
10. Click Add to add the IP address of an internal server to this action.
The Add Server dialog box appears.
11. In the IP Address text box, type the IP address of the server to add.
12. In the Weight text box, type or select the weight for this server for load balancing.
13. To enable port address translation (PAT), select the Set internal port to a different port
check box. In the adjacent text box, type or select the port number.
If you use a server load balancing SNAT action in a policy that allows traffic that does
not have ports (traffic other than TCP or UDP), the internal port setting is not used for
that traffic.
14. Click OK.
The server appears in the Servers list.
15. To add another server to this action, click Add and repeat Steps 10–14.
16. To set sticky connections for your internal servers, select the Enable sticky connection check
box. In the Enable sticky connection text box and drop-down list, specify the time period for
the sticky connection.
17. Click OK.
The servers are added to the SNAT Members list for this action.
18. Click OK.
The SNAT action is added.
19. Click OK.
Add a Server Load Balancing SNAT Action to a Policy
1. Double-click a policy to edit it.
Or, add a new policy.
2. In the To section, click Add.
The Add Address dialog box appears.
3. Click Add SNAT.
The SNAT dialog box appears. This list shows all configured Static NAT and Server Load Balancing
actions.
4. Select a configured server load balancing action. Click OK.
Or, to define a new server load balancing action, click Add and follow the steps in the Add a
Server Load Balancing SNAT Action section.
The selected server load balancing action appears in the Add Address dialog box.
5. Click OK to close the Add Address dialog box.
6. Click OK to close the Policy Properties dialog box.
Edit or Remove a Server Load Balancing SNAT Action
You can edit an SNAT action from the SNAT action list or when you edit a policy.
To edit an SNAT action from the SNAT action list:
1. Select Setup > Actions > SNAT.
The SNAT dialog box appears.
2. Select an SNAT action.
3. Click Edit.
The Edit SNAT dialog box appears.
4. Modify the SNAT action.
When you edit an SNAT action, any changes you make apply to all policies that use that SNAT
action.
5. Click OK.
To edit an SNAT action from a policy:
1. Double-click a policy to edit it.
The Edit Policy Properties dialog box appears, with the Policy tab selected.
2. In the To section, select the SNAT action you want to edit.
3. Click Edit.
The Edit SNAT dialog box appears.
4. Modify the SNAT action.
When you edit an SNAT action in a policy, the changes apply to all policies that use that SNAT
action.
5. Click OK.
To remove an SNAT action:
1. Select Setup > Actions > SNAT.
The SNAT dialog box appears.
2. Select an SNAT action.
3. Click Remove.
You cannot remove an SNAT action that is used by a policy. A confirmation dialog box appears.
4. Click Yes to confirm that you want to remove the SNAT action.
5. Click OK.
1-to-1 NAT Example
When you enable 1-to-1 NAT, the XTM device changes and routes all incoming and outgoing packets
sent from one range of addresses to a different range of addresses.
Consider a situation in which you have a group of internal servers with private IP addresses that must
each show a different public IP address to the outside world. You can use 1-to-1 NAT to map public IP
addresses to the internal servers, and you do not have to change the IP addresses of your internal
servers. To understand how to configure 1-to-1 NAT, consider this example:
A company has a group of three privately addressed servers behind an optional interface of their XTM
device. The addresses of these servers are:
10.0.2.11
10.0.2.12
10.0.2.13
The administrator selects three public IP addresses from the same network address as the external
interface of their XTM device, and creates DNS records for the servers to resolve to. These addresses
are:
203.0.113.11
203.0.113.12
203.0.113.13
Now the administrator configures a 1-to-1 NAT rule for the servers. The 1-to-1 NAT rule builds a static,
bidirectional relationship between the corresponding pairs of IP addresses. The relationship looks like
this:
10.0.2.11 <--> 203.0.113.11
10.0.2.12 <--> 203.0.113.12
10.0.2.13 <--> 203.0.113.13
When the 1-to-1 NAT rule is applied, the XTM device creates the bidirectional routing and NAT
relationship between the pool of private IP addresses and the pool of public addresses.
For the instructions to define a 1-to-1 NAT rule, see Configure Firewall 1-to-1 NAT on page 297.
9 Wireless Device Setup
About Wireless Device Configuration
When you enable the wireless feature of your Firebox or XTM wireless device, you can configure the
external interface to use wireless, or you can configure the device as a wireless access point for users
on specified networks. You can enable wireless clients to connect to the wireless device as part of the
trusted network or part of the optional network. You can also use a custom network to enable a
wireless guest services network for your device, or use bridge or VLAN networks in your wireless
configuration.
Wireless networking on Firebox or XTM wireless devices is not supported when the
device is in Drop-In mode (Fireware XTM OS v11.9 and later).
Before you set up wireless network access, see Before You Begin on page 327.
Before you can enable the wireless feature on your Firebox or XTM device, you must get the feature
key for your device. For more information, see About Feature Keys on page 88.
Wireless Settings in Fireware XTM OS v11.8.x and v11.9.x
Wireless functionality for Fireware XTM OS v11.8.x and older is different than for Fireware
XTM OS v11.9.x and later.
Some features are supported only for devices that run Fireware XTM OS v11.9.x or later, or operate
very differently in Fireware XTM OS v11.9.x than in previous versions. Because Policy Manager can
manage devices that use different versions of Fireware XTM OS, you must select the Fireware XTM
OS version the device uses before you configure some features. For more information, see Configure
Fireware XTM OS Compatibility.
Enable Wireless to the Trusted and Optional Networks
For devices that run Fireware XTM OS v11.8.x or older, you can enable wireless settings for the
trusted or optional networks. For more information, see Enable Wireless Connections (Fireware
XTM OS v11.8.x and Older).
If your device runs Fireware XTM OS v11.9 and later, you can enable wireless settings for the trusted,
optional, VLAN, bridge, or custom networks. For more information, see Enable Wireless Connections
(Fireware XTM OS v11.9.x and Later).
Enable a Wireless Guest Network
For devices that run Fireware XTM OS v11.8.x or older, a wireless access point is reserved for guest
wireless usage. For more information, see Enable a Wireless Guest Network (Fireware XTM OS
v11.8.x and Older).
In Fireware XTM v11.9 and later, this wireless access point is called Access Point 3. You can
configure any access point as a wireless guest network. For more information, see Enable a Wireless
Guest Network (Fireware XTM OS v11.9.x and Later).
Enable Wireless
To enable the wireless feature on your XTM device:
1. Select Network > Wireless.
The Wireless Configuration dialog box appears.
2. Select the Enable wireless check box.
3. Select a wireless configuration option:
Enable wireless client as external interface
Select this option to configure the external interface of the XTM wireless device to connect
to a wireless network. This is useful in areas with limited or no existing network
infrastructure.
For more information, see Configure Your External Interface as a Wireless Interface on
page 353.
Enable wireless access points
Select this option to configure the XTM wireless device as an access point for users on
specified networks.
For more information, see Wireless Device Configuration Options on page 325.
4. In the Radio Settings section, select your wireless radio settings.
For more information, see About Wireless Radio Settings on page 356.
5. To enable the device to scan for untrusted wireless access points, select the Enable rogue
access point detection check box.
For more information, see Enable Rogue Access Point Detection on page 363.
6. Click OK.
Wireless Device Configuration Options
The configuration procedure for wireless interfaces depends on the version of Fireware XTM OS that
runs on your Firebox or XTM device:
• For Fireware XTM OS v11.9 and later, see Wireless Device Configuration Options (Fireware XTM OS v11.9 and Later).
• For Fireware XTM OS v11.8.x and older, see Wireless Device Configuration Options (Fireware XTM OS v11.8.x and Older).
Wireless Device Configuration Options (Fireware XTM OS v11.9
and Later)
Any wireless Firebox or XTM device can be configured as a wireless access point with more than one
different security zone. You can enable wireless clients to connect to the wireless XTM device as part
of the trusted or optional network. You can also use a custom network to enable a wireless guest
services network for your XTM device, or use bridge or VLAN networks in your wireless configuration.
Before you enable the wireless Firebox or XTM device as a wireless access point, you must look
carefully at the wireless users who connect to the device, and then determine the level of access for
each type of user.
You can select from these options for wireless access:
Allow Wireless Connections to a Trusted Interface
When you allow wireless connections through a trusted interface, wireless devices have full
access to all computers on the trusted and optional networks, and full Internet access based on
the rules you configure for outgoing access on your XTM device.
If you enable wireless access through a trusted interface, to allow access through the Firebox or
XTM device only for devices that you add to the Allowed MAC Address list, you can enable
and use the MAC restriction feature.
For more information, see Use Static MAC Address Binding on page 220.
Allow Wireless Connections to an Optional Interface
When you allow wireless connections through an optional interface, wireless devices have full
access to all computers on the optional network, and full Internet access based on the rules you
configure for outgoing access on your wireless Firebox or XTM device.
Allow Wireless Connections on a Bridge or VLAN Interface
You can allow wireless connections through Bridge or VLAN interfaces to enable full access for
wireless users to those networks and any other network access based on your policy security
configuration.
Allow Wireless Guest Connections on a Custom Interface
Computers that connect to the custom network connect through the wireless Firebox or XTM
device to the Internet based on the rules you configure for outgoing access on your Firebox or
XTM device. The custom zone is not part of any default policies. You can use the wireless
interface alias in policies that you configure for traffic from wireless clients so they cannot
access trusted or optional networks.
For more information, see Enable a Wireless Guest Network (Fireware XTM OS v11.9.x and
Later) on page 344.
Before you set up wireless network access, see Before You Begin on page 327.
To allow wireless connections on an interface, see Enable Wireless Connections (Fireware XTM OS
v11.9.x and Later) on page 338.
Wireless Device Configuration Options (Fireware XTM
OS v11.8.x and Older)
Any Firebox or XTM wireless device can be configured as a wireless access point with three different
security zones. You can enable wireless clients to connect to the wireless device as part of the trusted
network or part of the optional network. You can also enable a wireless guest services network for
Firebox or XTM device users. Computers that connect to the guest network connect through the
wireless device, but do not have access to computers on the trusted or optional networks.
Before you enable the wireless Firebox or XTM device as a wireless access point, you must look
carefully at the wireless users who connect to the device and determine the level of access to enable
for each type of user. There are three types of wireless access you can allow:
Allow Wireless Connections to a Trusted Interface
When you allow wireless connections through a trusted interface, wireless devices have full
access to all computers on the trusted and optional networks, and full Internet access based on
the rules you configure for outgoing access on your Firebox or XTM device. If you enable
wireless access through a trusted interface, to allow access through the Firebox or XTM device
only for devices you add to the Allowed MAC Address list, you can enable and use the MAC
restriction feature.
For more information about how to restrict access by MAC addresses, see Use Static MAC
Address Binding on page 220.
Allow Wireless Connections to an Optional Interface
When you allow wireless connections through an optional interface, those wireless devices
have full access to all computers on the optional network, and full Internet access based on the
rules you configure for outgoing access on your wireless Firebox or XTM device.
Allow Wireless Guest Connections Through the External Interface
Computers that connect to the wireless guest network connect through the wireless Firebox or
XTM device to the Internet based on the rules you configure for outgoing access on your XTM
device. These wireless-connected computers do not have access to computers on the trusted
or optional network.
For more information about how to configure a wireless guest network, see Enable a Wireless
Guest Network (Fireware XTM OS v11.8.x and Older) on page 348.
Before you set up wireless network access, see Before You Begin on page 327.
To allow wireless connections to your trusted or optional network, see Enable Wireless Connections
(Fireware XTM OS v11.8.x and Older) on page 342.
Before You Begin
WatchGuard XTM wireless devices adhere to 802.11n, 802.11b and 802.11g guidelines set by the
Institute of Electrical and Electronics Engineers (IEEE). When you install an XTM wireless device:
• Make sure that the wireless device is installed in a location more than 20 centimeters from all persons. This is an FCC requirement for low power transmitters.
• It is a good idea to install the wireless device away from other antennas or transmitters to decrease interference.
• The default wireless authentication algorithm configured for each wireless security zone is not the most secure authentication algorithm. If the wireless devices that connect to your XTM wireless device support WPA2 authentication, we recommend that you increase the authentication level to WPA2.
• A wireless client that connects to the XTM wireless device from the trusted or optional network can be a part of any branch office VPN tunnels in which the local network component of the Phase 2 settings includes optional or trusted network IP addresses. To control access to the VPN tunnel, you can force XTM device users to authenticate.
Before you set up your wireless XTM device, it is also a good idea to consider environmental factors,
which apply to the installation of WatchGuard wireless devices. For example, you can use a wireless
site survey tool to better understand your current environment and existing wireless signals before you
add a new XTM wireless device. Based on the results of your site survey, and the requirements of your
wireless clients, you can plan which wireless modes and channels to use. You will also know more
about the level of wireless noise in your environment, and can consider other factors, such as the
position of walls, that can affect wireless signal range.
For more information, see:
• Wireless Site Survey
• Wireless Modes and Channels
• Wireless Signal Strength and Noise Levels
• Wireless Environmental Factors
About Wireless Configuration Settings
When you enable wireless access to a network, some configuration settings are defined the same way
for each of the security zones. These can be set to different values for each zone.
For information about the Broadcast SSID and respond to SSID queries setting, see
Enable/Disable SSID Broadcasts on page 330.
For information about setting the Network Name (SSID), see Change the SSID on page 330.
For information about the Log Authentication Events setting, see Log Authentication Events on page
330.
For information about the Fragmentation Threshold, see Change the Fragmentation Threshold on
page 330.
For information about the RTS Threshold, see Change the RTS Threshold on page 331.
For information about the Encryption (Authentication) setting, see Set the Wireless Authentication
Method on page 332.
For information about the Encryption algorithm setting, see Set the Encryption Level on page 336.
Enable/Disable SSID Broadcasts
Computers with wireless network cards send requests to see whether there are wireless access points
to which they can connect.
To configure an XTM device wireless interface to send and answer these requests, select the
Broadcast SSID and respond to SSID queries check box. For security, enable this option only
while you configure computers on your network to connect to the XTM wireless device. Disable this
option after all your clients are configured. If you use the wireless guest services feature, it can be
necessary to allow SSID broadcasts in standard operation.
Change the SSID
The SSID (Service Set Identifier) is the unique name of your wireless network. To use the wireless
network from a client computer, the wireless network card in the computer must have the same SSID
as the WatchGuard wireless network to which the computer connects.
You must assign a unique SSID to each access point. To change the SSID, type a new name in the
Network Name (SSID) text box to uniquely identify your wireless network.
Log Authentication Events
An authentication event occurs when a wireless computer tries to connect to the wireless interface of a
WatchGuard XTM wireless device. To include these events in the log file, select the Log
Authentication Events check box.
Change the Fragmentation Threshold
Fireware XTM allows you to set the maximum frame size the XTM wireless device can send and not
fragment the frame. This is called the fragmentation threshold. This setting is rarely changed. The
default setting is the maximum frame size of 2346, which means that it will never fragment any frames
that it sends to wireless clients. This is best for most environments.
When to Change the Default Fragmentation Threshold
A collision happens when two devices that use the same medium transmit packets at exactly the
same time. The two packets can corrupt each other, and the result is a group of unreadable pieces of
data. If a packet results in a collision, the packet is discarded and it must be transmitted again. This
adds to the overhead on the network and can reduce the throughput or speed of the network.
Larger frames are more likely to collide with each other than smaller frames. To make the wireless
packets smaller, you lower the fragmentation threshold on the XTM wireless device. If you lower the
maximum frame size, it can reduce the number of repeat transmissions caused by collisions, and
lower the overhead caused by repeat transmissions.
Smaller frames introduce more overhead on the network. This is especially true on a wireless network,
because every fragmented frame sent from one wireless device to another requires the receiving
device to acknowledge the frame. When packet error rates are high (more than five or ten percent
collisions or errors), you can help improve the performance of the wireless network if you lower the
fragmentation threshold. The time that is saved when you reduce repeat transmissions can be enough
to offset the extra overhead added with smaller packets. This can result in higher throughput.
If the rate of packet error is low and you lower the fragmentation threshold, wireless network
performance decreases. This occurs because when you lower the threshold, protocol overhead is
added and protocol efficiency is reduced.
If you want to experiment, start with the default maximum 2346, and lower the threshold a small
amount at a time. To get the most benefit, you must monitor the network for packet errors at different
times of the day. Compare the effect that a lower threshold has on network performance when errors
are very high with the effect on performance when errors are moderately high.
In general, we recommend that you leave this setting at its default of 2346.
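To make the trade-off described above concrete, this added Python model (ours, not WatchGuard's) estimates the airtime needed to deliver one frame at a given threshold, counting the retransmissions that collisions and errors cause. Its assumptions are labelled in the code: each byte is corrupted independently, every fragment adds a fixed header and acknowledgement cost, and a damaged fragment is resent until one copy arrives intact; the frame sizes and error rates used are constructed.

```python
import math

DEFAULT_THRESHOLD = 2346   # guide default: frames are never fragmented
MIN_THRESHOLD = 256        # lowest value the Fragmentation Threshold box accepts


def fragment_sizes(frame_bytes, threshold):
    """Split one frame into the fewest fragments, as equal as possible, that fit."""
    if not MIN_THRESHOLD <= threshold <= DEFAULT_THRESHOLD:
        raise ValueError("threshold must be between 256 and 2346")
    count = math.ceil(frame_bytes / threshold)
    base, extra = divmod(frame_bytes, count)
    return [base + (1 if i < extra else 0) for i in range(count)]


def expected_airtime_bytes(frame_bytes, threshold, byte_error_rate, overhead=40):
    """Expected bytes on air to deliver one frame, retransmissions included.

    Model assumptions (ours, not the guide's): each byte is corrupted
    independently with probability byte_error_rate, every fragment adds
    `overhead` bytes for its header and acknowledgement, and a damaged
    fragment is resent until one copy arrives intact.
    """
    if not 0 <= byte_error_rate < 1:
        raise ValueError("byte_error_rate must be in [0, 1)")
    total = 0.0
    for size in fragment_sizes(frame_bytes, threshold):
        on_air = size + overhead
        p_intact = (1 - byte_error_rate) ** on_air
        total += on_air / p_intact   # mean number of attempts is 1 / p_intact
    return total


def fragmentation_helps(frame_bytes, threshold, byte_error_rate):
    """True when `threshold` costs less airtime than the default of 2346."""
    lowered = expected_airtime_bytes(frame_bytes, threshold, byte_error_rate)
    default = expected_airtime_bytes(frame_bytes, DEFAULT_THRESHOLD, byte_error_rate)
    return lowered < default


def best_threshold(frame_bytes, byte_error_rate, step=256):
    """Threshold with the lowest modelled airtime; ties go to the larger value."""
    candidates = list(range(MIN_THRESHOLD, DEFAULT_THRESHOLD, step)) + [DEFAULT_THRESHOLD]
    return min(sorted(candidates, reverse=True),
               key=lambda t: expected_airtime_bytes(frame_bytes, t, byte_error_rate))


if __name__ == "__main__":
    # Constructed error rates: a clean link, a moderate one and a noisy one.
    for rate in (0.0, 0.0001, 0.001):
        print(f"byte error rate {rate}: best threshold {best_threshold(2300, rate)}")
```

With no errors the default wins because every extra fragment only adds overhead; as the error rate rises the modelled optimum moves below 2346, which is the effect the guide describes.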
Change the Fragmentation Threshold
1. Select Network > Wireless.
2. To select the wireless network to configure, click Configure.
The wireless configuration settings for that wireless network appear.
3. To change the fragmentation threshold, in the Fragmentation Threshold text box, type or
select a value between 256 and 2346.
4. Click OK.
5. Save the configuration.
Change the RTS Threshold
RTS/CTS (Request To Send / Clear To Send) helps prevent problems when wireless clients can
receive signals from more than one wireless access point on the same channel. The problem is
sometimes known as hidden node.
We do not recommend that you change the default RTS threshold. When the RTS Threshold is set to
the default of 2346, RTS/CTS is disabled.
If you must change the RTS threshold, adjust it incrementally. Lower it a small amount at a time. After
each change, allow enough time to decide whether the change in network performance is positive
before you change it again. If you lower this value too much, you can introduce more latency into the
network, as Requests to Send are increased so much that the shared medium is reserved more often
than necessary.
About Wireless Security Settings
WatchGuard XTM wireless devices use three security protocol standards to protect your wireless
network: WEP (Wired Equivalent Privacy), WPA (Wi-Fi Protected Access), and WPA2. Each protocol
standard can encrypt the transmissions on the wireless LAN between the computers and the access
points. They also can prevent unauthorized access to the wireless access point.
To protect privacy, you can use these features together with other LAN security mechanisms such as
password protection, VPN tunnels, and user authentication.
Set the Wireless Authentication Method
From the Encryption (Authentication) drop-down list in the wireless access point configuration,
select the level of authentication method for your wireless connections. The eight available
authentication methods, from least secure to most secure, are listed below. Select the most secure
authentication method that is supported by your wireless network clients.
If your device uses Fireware XTM v11.0-v11.3.x, the available authentication
methods are different. For more information, see Set the Wireless Authentication
Method in the Fireware XTM WatchGuard System Manager v11.3.x Help.
Open System and Shared Key
The Open System and Shared Key authentication methods use WEP encryption. WEP is not as
secure as WPA2 and WPA (Wi-Fi Protected Access). We recommend you do not use these less
secure methods unless your wireless clients do not support WPA or WPA2.
• Open System — Open System authentication allows any user to authenticate to the access point. This method can be used with no encryption or with WEP encryption.
• Shared Key — In Shared Key authentication, only those wireless clients that have the shared key can connect. Shared Key authentication can be used only with WEP encryption.
WPA and WPA2 with Pre-Shared Keys
WPA (PSK) and WPA2 (PSK) Wi-Fi Protected Access methods use pre-shared keys for
authentication. WPA (PSK) and WPA2 (PSK) are more secure than WEP shared key authentication.
When you choose one of these methods, you configure a pre-shared key that all wireless devices must
use to authenticate to the wireless access point.
The XTM wireless device supports three wireless authentication settings that use pre-shared keys:
• WPA ONLY (PSK) — The XTM wireless device accepts connections from wireless devices configured to use WPA with pre-shared keys.
• WPA/WPA2 (PSK) — The XTM wireless device accepts connections from wireless devices configured to use WPA or WPA2 with pre-shared keys.
• WPA2 ONLY (PSK) — The XTM wireless device accepts connections from wireless devices configured to use WPA2 with pre-shared keys authentication. WPA2 implements the full 802.11i standard; it does not work with some older wireless network cards.
WPA and WPA2 with Enterprise Authentication
The WPA Enterprise and WPA2 Enterprise authentication methods use the IEEE 802.1X standard for
network authentication. These authentication methods use the EAP (Extensible Authentication
Protocol) framework to enable user authentication to an external RADIUS authentication server or to
the XTM device (Firebox-DB). The WPA Enterprise and WPA2 Enterprise authentication methods are
more secure than WPA/WPA2 (PSK) because users authenticate with their own credentials instead of
a shared key.
Fireware XTM v11.4 and later supports three WPA and WPA2 Enterprise wireless authentication
methods:
• WPA Enterprise — The XTM wireless device accepts connections from wireless devices
configured to use WPA Enterprise authentication.
• WPA/WPA2 Enterprise — The XTM wireless device accepts connections from wireless
devices configured to use WPA Enterprise or WPA2 Enterprise authentication.
• WPA2 Enterprise — The XTM wireless device accepts connections from wireless devices
configured to use WPA2 Enterprise authentication. WPA2 implements the full 802.11i standard;
it does not work with some older wireless network cards.
For more information about these authentication methods, see WPA and WPA2 Enterprise
Authentication.
To use the Enterprise authentication methods, you must configure an external RADIUS authentication
server or configure the XTM device as an authentication server.
For more information about how to configure the settings for these authentication methods, see:
• Use a RADIUS Server for Wireless Authentication
• Use the XTM Device as an Authentication Server for Wireless Authentication
Use a RADIUS Server for Wireless Authentication
If you select the WPA Enterprise, WPA2 Enterprise, or WPA/WPA2 Enterprise authentication
methods in your wireless configuration, you can use a RADIUS server for wireless authentication.
To configure your wireless access point to use RADIUS authentication:
1. Select Network > Wireless.
2. Click Configure adjacent to the Access point 1, Access point 2, or Wireless Guest
configuration.
3. Select the Wireless tab.
4. From the Encryption (Authentication) drop-down list, select WPA Enterprise, WPA2
Enterprise, or WPA/WPA2 Enterprise.
The Encryption, Authentication server, and EAP authentication timeout settings appear.
5. From the Encryption algorithm drop-down list, select the encryption method. For more
information, see Set the Encryption Level.
6. From the Authentication server drop-down list, select RADIUS.
The authentication and protocol configuration settings are disabled. You must configure these
settings on your RADIUS server.
7. In the EAP authentication timeout text box, you can change the timeout value for
authentication. The default is 3600 seconds.
8. Click OK.
If you have not previously configured a RADIUS server, you are prompted to do this when you click
OK. For more information, see Configure RADIUS Server Authentication.
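The procedure above makes the access point a RADIUS client of your authentication server, and the shared secret you enter when you configure that server is what protects the exchange between the two. The following added example, written for this page and not code from the guide or from WatchGuard, shows in Python what that exchange looks like on the wire: the access point builds an Access-Request that carries the wireless client's EAP Identity response, protects it with a Message-Authenticator keyed with the shared secret (RFC 2865 and RFC 3579), and then checks the server's reply the same way before it trusts an Access-Accept. The packet codes and attribute numbers are the standard RADIUS values; the secret, user name and client MAC address are made-up sample values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865, RFC 2869, RFC 3579).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, CALLING_STATION_ID, NAS_PORT_TYPE = 1, 31, 61
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
NAS_PORT_TYPE_WIRELESS_80211 = 19


def attr(atype, value):
    """Encode one attribute as type, total length, value."""
    return bytes([atype, 2 + len(value)]) + value


def eap_identity_response(eap_id, identity):
    """EAP Response/Identity: code 2, identifier, length, type 1, identity."""
    body = bytes([1]) + identity.encode()
    return struct.pack("!BBH", 2, eap_id, 4 + len(body)) + body


def _packet(code, identifier, authenticator, attributes):
    return struct.pack("!BBH", code, identifier, 20 + len(attributes)) + authenticator + attributes


def _message_authenticator(code, identifier, request_auth, attributes, secret):
    """HMAC-MD5 over the whole packet with the Message-Authenticator value set to
    zeros; Message-Authenticator is always appended as the last attribute here."""
    zeroed = attributes + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    return hmac.new(secret, _packet(code, identifier, request_auth, zeroed), hashlib.md5).digest()


def build_access_request(secret, identifier, username, client_mac, request_auth=None):
    """Access point side: one Access-Request for a wireless 802.1X client."""
    request_auth = request_auth or os.urandom(16)   # fresh random Request Authenticator
    attributes = (
        attr(USER_NAME, username.encode())
        + attr(CALLING_STATION_ID, client_mac.encode())
        + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
        + attr(EAP_MESSAGE, eap_identity_response(1, username))
    )
    mac = _message_authenticator(ACCESS_REQUEST, identifier, request_auth, attributes, secret)
    return _packet(ACCESS_REQUEST, identifier, request_auth, attributes + attr(MESSAGE_AUTHENTICATOR, mac))


def verify_message_authenticator(packet, secret, request_auth):
    """Recompute the Message-Authenticator. For a reply, request_auth is the
    Request Authenticator of the Access-Request it answers (RFC 3579, 3.2)."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos, found, zeroed = 20, None, None
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return False
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            found = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
        pos += alen
    if found is None:
        return False
    zeroed = zeroed[:4] + request_auth + zeroed[20:]
    return hmac.compare_digest(found, hmac.new(secret, zeroed, hashlib.md5).digest())


def build_response(code, secret, request, attributes=b""):
    """Server side: Message-Authenticator keyed over the Request Authenticator, then
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    identifier, request_auth = request[1], request[4:20]
    mac = _message_authenticator(code, identifier, request_auth, attributes, secret)
    attributes += attr(MESSAGE_AUTHENTICATOR, mac)
    response_auth = hashlib.md5(_packet(code, identifier, request_auth, attributes) + secret).digest()
    return _packet(code, identifier, response_auth, attributes)


def verify_response(response, secret, request):
    """Access point side: accept a reply only if it answers our request, its
    Response Authenticator checks out, and its Message-Authenticator is valid."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    request_auth = request[4:20]
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    if not hmac.compare_digest(response[4:20], expected):
        return False
    return verify_message_authenticator(response, secret, request_auth)


def demo(secret=b"radius-shared-secret"):
    """Full exchange with made-up values; returns the checks that matter in practice."""
    request = build_access_request(secret, 7, "alice", "00-11-22-33-44-55")
    accept = build_response(ACCESS_ACCEPT, secret, request)
    tampered = request[:22] + bytes([request[22] ^ 0x01]) + request[23:]   # flip a byte of User-Name
    return {
        "request_ok": verify_message_authenticator(request, secret, request[4:20]),
        "request_tampered": verify_message_authenticator(tampered, secret, tampered[4:20]),
        "accept_ok": verify_response(accept, secret, request),
        "accept_wrong_secret": verify_response(accept, b"wrong-secret", request),
        "accept_replayed": verify_response(accept, secret, build_access_request(secret, 7, "alice", "00-11-22-33-44-55")),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Two points worth noticing: every check is keyed with the shared secret, so a weak or reused secret lets anyone on the path between the access point and the RADIUS server forge an Access-Accept; and the reply is bound to the fresh random Request Authenticator, which is why an old Access-Accept cannot be replayed against a new request.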
Use the XTM Device as an Authentication Server for Wireless Authentication
If you select the WPA Enterprise, WPA2 Enterprise, or WPA/WPA2 Enterprise authentication
methods in your wireless configuration, you can use the XTM device as the authentication server for
wireless authentication.
1. Select Network > Wireless.
2. Click Configure adjacent to the required wireless interface.
3. Select the Wireless tab.
4. From the Encryption (Authentication) drop-down list, select WPA Enterprise, WPA2
Enterprise or WPA/WPA2 Enterprise.
5. From the Encryption algorithm drop-down list, select the encryption method to use. For more
information, see Set the Encryption Level.
6. From the Authentication server drop-down list, select Firebox-DB.
7. In the EAP authentication timeout text box, you can change the timeout value for
authentication. The default is 3600 seconds.
8. From the EAP protocol drop-down list, select the EAP protocol wireless clients must use to
connect to the access point.
• EAP-PEAP — EAP Protected Extensible Authentication Protocol
• EAP-TTLS — EAP Tunneled Transport Layer Security
• EAP-TLS — EAP Transport Layer Security
9. From the EAP tunnel protocol drop-down list, select the EAP tunnel protocol to use. The
available tunnel protocols depend on the selected EAP protocol.
10. Select the certificate type to use for authentication.
• Default certificate signed by Firebox — This is the default.
• Third party certificates — Select from a list of installed third party certificates.
11. If you selected Third party certificates, select a certificate from the Certificate drop-down list.
12. If you want to use a certificate authority (CA) to validate the client certificate, select the
Validate client certificate check box and select a CA certificate from the CA Certificate drop-down list.
For more information about certificates, see About Certificates.
Whichever server certificate you select, configure your wireless clients to validate it (trust the Firebox
certificate, or the CA that issued the third party certificate). A client that does not validate the server
certificate cannot tell the XTM device from an impostor access point that advertises the same SSID,
and will send its credentials to either one.
13. Click OK.
To use this authentication method, you must configure your XTM device as an authentication server.
For more information, see Configure Your XTM Device as an Authentication Server.
Set the Encryption Level
From the Encryption algorithm drop-down list in the wireless access point configuration, select the
level of encryption for your wireless connections. The available selections change when you use
different authentication mechanisms. The Fireware XTM OS automatically creates a random
encryption key for you when a key is required. You can use this key or change it to a different key.
Each wireless client must use this same key when they connect to the XTM wireless device.
Encryption for Open System and Shared Key Authentication
Encryption options for Open System and Shared Key authentication are WEP 64-bit hexadecimal,
WEP 40-bit ASCII, WEP 128-bit hexadecimal, and WEP 128-bit ASCII. If you select Open System
authentication, you can also select Disabled.
1. If you use WEP encryption, in the Key text boxes, type hexadecimal or ASCII characters. Not
all wireless adapter drivers support ASCII characters. You can have a maximum of four keys,
numbered 1 - 4.
• A WEP 64-bit hexadecimal key must have 10 hexadecimal (0-f) characters.
• A WEP 40-bit ASCII key must have 5 characters.
• A WEP 128-bit hexadecimal key must have 26 hexadecimal (0-f) characters.
• A WEP 128-bit ASCII key must have 13 characters.
2. If you typed more than one key, in the Key Index text box, type the key number to use as the
default key.
The XTM wireless device can use only one wireless encryption key at a time. If you select a
key other than the first key in the list, you also must set your wireless client to use the same
key.
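The length rules above, and the WPA/WPA2 pre-shared key formats described under WPA and WPA2 with Pre-Shared Keys, are easy to get wrong when keys are generated or distributed by script. The following added example, written for this page and not code from the guide or from WatchGuard, checks a key against each WEP option in the Encryption algorithm drop-down list, checks the Key Index, checks a WPA/WPA2 pre-shared key, and derives the 256-bit key that a WPA/WPA2 (PSK) network actually uses from the passphrase and SSID. That derivation is why a long random key matters: anyone who captures one client's handshake can test passphrase guesses offline against it. The WEP format names and lengths come from this section; the WPA passphrase rules and key derivation are those of IEEE 802.11i; the sample keys and SSID are made up.

```python
import hashlib
import re
import secrets

# WEP options from the Encryption algorithm drop-down list and the key
# length each one requires, as listed in "Set the Encryption Level".
WEP_FORMATS = {
    "WEP 64-bit hexadecimal": (10, "hex"),
    "WEP 40-bit ASCII": (5, "ascii"),
    "WEP 128-bit hexadecimal": (26, "hex"),
    "WEP 128-bit ASCII": (13, "ascii"),
}

_HEX = re.compile(r"^[0-9a-fA-F]+$")


def validate_wep_key(fmt, key):
    """Return None if key is valid for the selected WEP format, else a reason."""
    if fmt not in WEP_FORMATS:
        return f"unknown WEP format: {fmt}"
    length, kind = WEP_FORMATS[fmt]
    if len(key) != length:
        return f"{fmt} needs {length} characters, got {len(key)}"
    if kind == "hex" and not _HEX.match(key):
        return f"{fmt} accepts only hexadecimal characters 0-9, a-f"
    if kind == "ascii" and not key.isascii():
        return f"{fmt} accepts only ASCII characters"
    return None


def validate_key_index(index):
    """The device uses one of up to four keys; the Key Index must be 1-4."""
    return 1 <= index <= 4


def validate_wpa_psk(psk):
    """WPA/WPA2 pre-shared key (IEEE 802.11i): a passphrase of 8-63 printable
    ASCII characters, or exactly 64 hexadecimal digits for the raw 256-bit key."""
    if len(psk) == 64 and _HEX.match(psk):
        return None
    if not 8 <= len(psk) <= 63:
        return "WPA/WPA2 passphrase must be 8-63 characters (or 64 hexadecimal digits)"
    if not all(32 <= ord(c) <= 126 for c in psk):
        return "WPA/WPA2 passphrase must contain only printable ASCII"
    return None


def wpa_pmk(psk, ssid):
    """Derive the 256-bit Pairwise Master Key the way 802.11i clients and access
    points do: PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096
    rounds. A 64-hex-digit key is already the PMK and is used as-is, so it is
    the only form that cannot be recovered by offline passphrase guessing."""
    if len(psk) == 64 and _HEX.match(psk):
        return bytes.fromhex(psk)
    return hashlib.pbkdf2_hmac("sha1", psk.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


def random_psk():
    """A 64-hex-digit key from the OS random source, the strongest form of
    pre-shared key and the form to distribute to clients by script."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    # Made-up sample values, not keys from any real network.
    for fmt, key in [("WEP 64-bit hexadecimal", "0123456789"), ("WEP 128-bit ASCII", "tooshort")]:
        print(fmt, key, validate_wep_key(fmt, key) or "ok")
    print("PMK for passphrase 'password' on SSID 'IEEE':", wpa_pmk("password", "IEEE").hex())
    print("random PSK:", random_psk())
```

The PMK for the passphrase "password" on SSID "IEEE" is the IEEE 802.11i test vector, which is a convenient way to confirm that a key-management script derives keys the same way the devices do.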
Encryption for WPA and WPA2 Authentication
The encryption options for Wi-Fi Protected Access (WPA and WPA2) authentication methods are:
• TKIP — Use only TKIP (Temporal Key Integrity Protocol) for encryption. This option is not
available if you configure the Radio Settings to use a wireless mode that supports 802.11n.
• AES — Use only AES (Advanced Encryption Standard) for encryption.
• TKIP or AES — Use either TKIP or AES.
We recommend that you select TKIP or AES. This allows the XTM wireless device to accept
connections from wireless clients configured to use TKIP or AES encryption. For 802.11n wireless
clients, we recommend you configure the wireless client to use AES encryption. TKIP was designed as
a stopgap for WEP-era hardware and has known weaknesses; if all of your clients support AES, select
AES so that no client can negotiate TKIP.
Enable Wireless Connections (Fireware XTM OS v11.9.x and Later)
You can enable Access Point 1, Access Point 2, or Access Point 3 on your wireless XTM device for
any network type, and configure the wireless interfaces with the same type of settings as an internal
network interface.
The wireless interfaces appear on the network Interfaces page with these interface names:
Access Point      Interface Name
Access Point 1    ath1
Access Point 2    ath2
Access Point 3    ath3
For more information about network interfaces, see About Network Interface Setup.
To enable wireless connections:
1. Select Network > Wireless.
The Wireless Configuration dialog box appears.
2. Select the Enable wireless check box.
3. Select Enable wireless access points.
4. Adjacent to Access point 1 or Access point 2, or Access point 3, click Configure.
The Wireless Access Point configuration dialog box appears.
5. From the Interface Type drop-down list, select an interface type for this Access Point interface.
• Trusted
• Optional
• Bridge
• VLAN
• Custom
6. Click OK.
7. Select the Wireless tab.
8. To configure the wireless interface to send and answer SSID requests, select the Broadcast
SSID and respond to SSID queries check box.
9. To send a log message each time a wireless computer tries to connect to the interface, select
the Log Authentication Events check box.
10. To require wireless users to use the WatchGuard Mobile VPN with IPSec Client, select the
Require encrypted Mobile VPN with IPSec connections for wireless clients check box.
When you select this option, the XTM device only allows DHCP, DNS, IKE (UDP port 500),
and ESP packets over the wireless network. Because all other traffic must then travel inside the
IPSec tunnel, this option can increase security for wireless clients when you do not select WPA or
WPA2 as the wireless authentication method.
11. In the Network name (SSID) text box, type a unique name for your wireless network, or use
the default name.
12. To change the fragmentation threshold, in the Fragmentation Threshold text box, type a
value: 256–2346.
WatchGuard recommends that you do not change this setting.
13. To change the RTS threshold, in the RTS Threshold text box, type a value: 256-2346.
WatchGuard recommends that you do not change this setting.
14. From the Encryption (Authentication) drop-down list, select the encryption and authentication
to enable for wireless connections to this interface.
WatchGuard recommends that you select WPA2 if the wireless devices in your network can
support WPA2.
15. From the Encryption algorithm drop-down list, select the type of encryption to use for the
wireless connection and specify the keys or passwords required for the type of encryption you
select.
If you select an encryption option with pre-shared keys, a random pre-shared key is generated
for you. You can use this key or type another key.
16. Save the configuration.
If you enable wireless connections to the trusted interface, WatchGuard recommends that you restrict
access by MAC address. This makes it harder for users to connect to the wireless XTM device from
unauthorized computers that could contain viruses or spyware. A MAC address is easy to copy from an
authorized device, so treat this restriction as an extra hurdle rather than as authentication; the wireless
authentication method and your firewall policies remain the controls that enforce security.
To enable MAC access control:
1. Select the MAC Access Control tab.
2. Configure the settings to restrict network traffic on an interface, as described in Restrict
Network Traffic by MAC Address on page 210.
Wireless and wired networks operate as if they are on the same local network.
Broadcast traffic, such as DHCP requests, can pass between wired and wireless
clients. If a DHCP server is active on the physical network, or if a wireless client is
configured as a DHCP server, then all wired and wireless clients on that network can
receive IP addresses from that DHCP server.
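The Log Authentication Events option in step 9 above is only useful if something reads the log. The following added example, written for this page and not code from the guide or from WatchGuard, shows the two checks a practitioner usually wants over such events: repeated failed authentications from one client address inside a short window, which is what pre-shared key or password guessing looks like, and successful authentications from hardware addresses that are not in your device inventory, for interfaces where you chose not to enable MAC access control. The log line layout is made up for the example and is not the Firebox log format; because a MAC address can be copied, the second check is an inventory aid, not proof of identity.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Made-up line layout for this example only; it is not the Firebox log format.
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>ath[123]) (?P<event>auth_ok|auth_fail) "
    r"mac=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) ssid=(?P<ssid>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect(lines, known_macs, fail_threshold=5, window_seconds=60):
    """Two checks over authentication events:
    - fail_threshold or more failures from one MAC inside window_seconds
      (one alert per MAC), the signature of key or password guessing;
    - a successful authentication from a MAC not in known_macs, for interfaces
      where MAC access control is not enabled. A copied MAC passes this check,
      so it flags unknown hardware; it does not prove identity.
    Returns a list of (timestamp, mac, message)."""
    failures = defaultdict(deque)   # mac -> timestamps of recent failures
    already_alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                  # skip lines that do not match the layout
        mac, ts = rec["mac"], rec["ts"]
        if rec["event"] == "auth_fail":
            window = failures[mac]
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()      # drop failures older than the window
            if len(window) >= fail_threshold and mac not in already_alerted:
                already_alerted.add(mac)
                alerts.append((ts, mac, f"{len(window)} failed authentications on "
                                        f"{rec['iface']} within {window_seconds}s"))
        elif mac not in known_macs:
            alerts.append((ts, mac, f"authenticated on {rec['iface']} (ssid {rec['ssid']}) "
                                    f"but is not a known device"))
    return alerts


# Constructed sample: one client hammering ath1, one known and one unknown client on ath3.
SAMPLE_LOG = [
    "2014-05-12T09:14:02 ath1 auth_fail mac=00:11:22:33:44:55 ssid=CorpWiFi",
    "2014-05-12T09:14:05 ath1 auth_fail mac=00:11:22:33:44:55 ssid=CorpWiFi",
    "2014-05-12T09:14:09 ath1 auth_fail mac=00:11:22:33:44:55 ssid=CorpWiFi",
    "2014-05-12T09:14:12 ath1 auth_fail mac=00:11:22:33:44:55 ssid=CorpWiFi",
    "2014-05-12T09:14:20 ath3 auth_ok mac=aa:bb:cc:dd:ee:ff ssid=Guest",
    "2014-05-12T09:14:31 ath1 auth_fail mac=00:11:22:33:44:55 ssid=CorpWiFi",
    "2014-05-12T09:14:40 ath1 auth_fail mac=00:11:22:33:44:55 ssid=CorpWiFi",
    "2014-05-12T09:15:01 ath3 auth_ok mac=66:77:88:99:aa:bb ssid=Guest",
    "2014-05-12T09:20:00 ath1 auth_fail mac=00:11:22:33:44:55 ssid=CorpWiFi",
    "garbage line that does not parse",
]
KNOWN_MACS = {"aa:bb:cc:dd:ee:ff"}

if __name__ == "__main__":
    for ts, mac, message in detect(SAMPLE_LOG, KNOWN_MACS):
        print(ts.isoformat(), mac, message)
```

On the constructed sample this raises exactly two alerts: the fifth failure from 00:11:22:33:44:55 at 09:14:31, and the unknown device 66:77:88:99:aa:bb on the guest access point. The failure at 09:20:00 raises nothing because the earlier failures have aged out of the sixty-second window.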
Enable Wireless Connections (Fireware XTM OS v11.8.x and Older)
For a wireless XTM device that runs Fireware XTM OS v11.8.x or older, you can enable Access Point
1 and Access Point 2 on your wireless device to bridge to a trusted or optional network.
To bridge Access Point 1 and Access Point 2 to the same network, the XTM device
must run Fireware XTM OS v11.8.1 or higher.
When you enable an access point on your wireless device to bridge to an interface, you must select
whether to use a trusted or an optional interface.
Trusted
Any wireless clients on the trusted network have full access to computers on the trusted
and optional networks, and access to the Internet as defined in the outgoing firewall rules
on your Firebox or XTM device.
If the wireless client sets the IP address on its wireless network card with DHCP, the
DHCP server on the trusted network of the XTM device must be active and configured.
Optional
Any wireless clients on the optional network have full access to computers on the optional
network, and access to the Internet as defined in the outgoing firewall rules on your XTM
device.
If the wireless client sets the IP address on its wireless network card with DHCP, the
DHCP server on the optional network of the Firebox or XTM device must be active and
configured.
To enable wireless connections to your trusted or optional network:
1. Select Network > Wireless.
The Wireless Configuration dialog box appears.
2. Select the Enable wireless check box.
3. Select Enable wireless access points.
4. Adjacent to Access point 1 or Access point 2, click Configure.
The Wireless Access Point configuration dialog box appears.
5. Select the Enable wireless bridge to a Trusted or Optional interface check box.
6. From the Enable wireless bridge to a Trusted or Optional interface drop-down list, select
an option:
• Trusted
• Optional
7. To configure the wireless interface to send and answer SSID requests, select the Broadcast
SSID and respond to SSID queries check box.
8. To send a log message each time a wireless computer tries to connect to the interface, select
the Log Authentication Events check box.
9. To require wireless users to use the WatchGuard Mobile VPN with IPSec Client, select the
Require encrypted Mobile VPN with IPSec connections for wireless clients check box.
When you select this option, the Firebox or XTM device only allows DHCP, DNS, IKE
(UDP port 500), and ESP packets over the wireless network. This can increase the security for
wireless clients if you do not select WPA or WPA2 as the wireless authentication method.
10. In the Network name (SSID) text box, type a unique name for your wireless network or use
the default name.
11. To change the fragmentation threshold, in the Fragmentation Threshold text box, type a
value: 256–2346.
WatchGuard recommends that you do not change this setting.
12. To change the RTS Threshold, in the RTS Threshold text box, type a value: 256-2346.
WatchGuard recommends that you do not change this setting.
13. From the Encryption (Authentication) drop-down list, select the encryption and authentication
options to enable for wireless connections to this interface.
WatchGuard recommends that you use WPA2, if the wireless devices in your network can
support WPA2.
14. From the Encryption algorithm drop-down list, select the type of encryption to use for the
wireless connection and add the keys or passwords for the type of encryption you select.
If you select an encryption option with pre-shared keys, a random pre-shared key is generated
for you. You can use this key or type your own.
15. Save the configuration.
If you enable wireless connections to the trusted interface, you can also restrict access by MAC
address. This makes it harder for users to connect to the XTM wireless device from unauthorized
computers that could contain viruses or spyware, although it cannot stop a device that copies an
authorized MAC address.
1. To enable MAC access control, select the MAC Access Control tab.
2. Configure the settings as described in Restrict Network Traffic by MAC Address on page 210.
When you enable wireless connections to a trusted or optional interface, the wireless
and wired networks operate as if they are on the same local network. Broadcast
traffic, such as DHCP requests, can pass between wired and wireless clients. If a
DHCP server is active on the physical network, or if a wireless client is configured as
a DHCP server, then all wired and wireless clients on that network can receive IP
addresses from that DHCP server.
To configure a wireless guest network with no access to the computers on your trusted or optional
networks, see Enable a Wireless Guest Network (Fireware XTM OS v11.8.x and Older) on page 348.
Enable a Wireless Guest Network (Fireware XTM OS v11.9.x and Later)
To enable a wireless network for guest users, you can configure an access point in the custom zone
and use the wireless interface alias when you configure the policies for traffic from wireless clients.
For more information on the custom zone, see Configure a Custom Interface.
To set up an access point on a wireless XTM device as a guest network:
1. Select Network > Wireless.
The Wireless Configuration dialog box appears.
2. Select the Enable wireless check box.
3. Select Enable wireless access points.
4. Adjacent to an access point, click Configure.
The Access Point Configuration dialog box appears.
5. From the Interface Type drop-down list, select Custom.
6. In the IP Address text box, type the private IP address to use for the wireless guest network.
The IP address you specify must not already be in use on one of your network interfaces.
7. To configure the XTM device as a DHCP server when a wireless device tries to make a
connection, select Use DHCP Server.
8. Select the Wireless tab.
The Wireless settings appear with the security settings for the wireless guest network.
9. To make your wireless guest network name visible to guest users, select the Broadcast SSID
and respond to SSID queries check box.
10. To send a log message each time a wireless computer tries to connect to the guest wireless
network, select the Log Authentication Events check box.
11. To require wireless users to use the WatchGuard Mobile VPN with IPSec Client, select the
Require encrypted Mobile VPN with IPSec connections for wireless clients check box.
When you select this option, the XTM device only allows DHCP, DNS, IKE (UDP port 500),
and ESP packets over the wireless network. This can increase the security for wireless clients
if you do not select WPA or WPA2 as the wireless authentication method.
12. In the Network name (SSID) text box, type a unique name for your wireless guest network or
keep the default name.
13. To change the fragmentation threshold, in the Fragmentation Threshold text box, type a
value: 256–2346.
WatchGuard recommends that you do not change this setting.
14. To change the RTS Threshold, in the RTS Threshold text box, type a value: 256-2346.
WatchGuard recommends that you do not change this setting.
15. From the Authentication drop-down list, select the type of authentication to enable for
connections to the wireless guest network.
Select the setting for the type of guest access you want to provide, and whether you want to
require your guests to enter a passphrase to use the network.
16. From the Encryption / Authentication drop-down list, select the type of encryption to use for
the wireless connection and specify the keys or passwords required for the type of encryption
you select.
If you select an authentication option that uses pre-shared keys, a random pre-shared key is
generated for you. You can use this key or type a new key.
18. Click OK.
19. Save the configuration.
You can also configure your wireless guest network as a hotspot. For more information, see Enable a
Hotspot on page 679.
Another configuration option you can select is to restrict access to the guest network by MAC address.
1. To enable MAC access control, select the MAC Access Control tab.
2. Configure the settings as described in Restrict Network Traffic by MAC Address on page 210.
Wireless Guest and Policies
You can use the Custom interface type for your wireless interface. Because a custom interface is not
included in the built-in aliases, traffic for a custom interface is not allowed through the Firebox or XTM
device unless you specifically configure policies to allow it. This is important for wireless guest
network security to make sure users cannot access a trusted or optional network.
For wireless guest policies, we recommend that you create a new alias named Any-Guest. You can
then use the Any-Guest alias in policies for your wireless guest network.
For more information, see Create an Alias.
Enable a Wireless Guest Network (Fireware XTM OS v11.8.x and Older)
You can enable a wireless guest network to give a guest user wireless access to the Internet without
access to computers on your trusted and optional networks.
To set up a wireless guest network:
1. Select Network > Wireless.
The Wireless Configuration dialog box appears.
2. Select the Enable wireless check box.
3. Select Enable wireless access points.
4. Adjacent to Wireless guest, click Configure.
The Wireless Guest Configuration dialog box appears.
5. Select the Enable Wireless Guest Network check box.
Wireless connections are allowed through the XTM device to the Internet based on the rules you
have configured for outgoing access on your device. These computers have no access to
computers on the trusted or optional network.
6. In the IP Address text box, type the private IP address to use for the wireless guest network.
The IP address you type must not already be in use on one of your network interfaces.
7. In the Subnet Mask text box, type the subnet mask.
The correct value is usually 255.255.255.0.
8. To configure the XTM device as a DHCP server when a wireless device tries to make a
connection, select the Enable DHCP Server on Wireless Guest Network check box.
9. To see the security settings for the wireless guest network, select the Wireless tab.
The Wireless settings appear.
10. To make your wireless guest network name visible to guest users, select the Broadcast SSID
and respond to SSID queries check box.
11. To send a log message to the log file each time a wireless computer tries to connect to the
guest wireless network, select the Log Authentication Events check box.
12. To allow wireless guest users to send traffic to each other, clear the Prohibit client to client
wireless network traffic check box.
13. In the Network name (SSID) text box, type a unique name for your wireless guest network or
use the default name.
14. To change the fragmentation threshold, in the Fragmentation Threshold text box, type a
value: 256–2346.
WatchGuard recommends that you do not change this setting.
15. To change the RTS Threshold, in the RTS Threshold text box, type a value: 256-2346.
WatchGuard recommends that you do not change this setting.
16. From the Authentication drop-down list, select the type of authentication to enable for
connections to the wireless guest network.
Select the setting for the type of guest access you want to provide, and whether you want to
require your guests to enter a passphrase to use the network.
17. From the Encryption / Authentication drop-down list, select the type of encryption to use for
the wireless connection and add the keys or passwords required for the type of encryption you
select.
If you select an authentication option that uses pre-shared keys, a random pre-shared key is
generated for you. You can use this key or type a new key.
18. Click OK.
19. Save the configuration.
You can also configure your wireless guest network as a hotspot. For more information, see Enable a
Hotspot on page 679.
Another configuration option you can select is to restrict access to the guest network by MAC address.
1. To enable MAC access control, select the MAC Access Control tab.
2. Configure the settings as described in Restrict Network Traffic by MAC Address on page 210.
Enable a Hotspot on a Wireless Access Point
You can enable a hotspot for any of the enabled wireless networks on a wireless Firebox or
XTM device. When you enable a hotspot, you must select an interface for the hotspot. In the hotspot
configuration, there are three interface names that correspond to the three wireless access points you
can enable on the XTM wireless device:
Interface Name                                   Wireless Access Point
WG-Wireless-Access-Point1                        Access Point 1
WG-Wireless-Access-Point2                        Access Point 2
WG-Wireless-Guest or WG-Wireless-AccessPoint3    Access Point 3 (Fireware XTM OS v11.9.x or later) or Wireless Guest (Fireware XTM OS v11.8.x or older)
In the hotspot configuration, only the enabled wireless access points appear in the list of interfaces you
can select.
After you enable an access point in the Firebox or XTM device configuration, you must save the
configuration to the wireless device before you can configure a hotspot for one of the enabled wireless
networks.
To enable a hotspot, select Authentication > Hotspot.
Hotspot configuration settings for both wired and wireless XTM devices are configured in the
Authentication settings for your XTM device.
For more information about how to configure a hotspot, see Enable a Hotspot on page 679.
Configure Your External Interface as a Wireless Interface
In areas with limited or no existing network infrastructure, you can use your XTM wireless device to
provide secure network access. You must physically connect your network devices to the XTM
device. Then you configure your external interface to connect to a wireless access point that connects
to a larger network.
When the external interface is configured with a wireless connection, the XTM
wireless device can no longer be used as a wireless access point. To provide
wireless access for users, connect a wireless access point device to the XTM
wireless device.
Configure the Primary External Interface as a Wireless Interface
1. Select Network > Wireless.
The Wireless Configuration dialog box appears.
2. Select the Enable wireless check box.
3. Select Enable wireless client as external interface.
4. Click Configure.
The external interface settings appear.
5. In the Configuration Mode drop-down list, select an option:
Manual Configuration
To use a static IP address, select this option. Type the IP Address, Subnet Mask, and
Default Gateway you use to connect to the wireless network.
DHCP Client
To configure the external interface as a DHCP client, select this option. Configure the
DHCP client settings.
For more information about how to configure the external interface to use a static IP address or
DHCP, see Configure an External Interface on page 163.
6. Select the Wireless tab.
The wireless client configuration settings appear.
7. In the Network name (SSID) text box, type the name of the external wireless network this
device connects to.
8. In the Encryption (Authentication) drop-down list, select the encryption and authentication
method to use for the wireless connection. We recommend that you use WPA2 if the wireless
device you connect to supports it.
For more information about wireless authentication methods, see About Wireless Security
Settings on page 332.
9. In the Encryption algorithm drop-down list, select the type of encryption to use for the
wireless connection. Add the passphrase or keys required for the type of encryption you select.
10. Click OK.
Configure a BOVPN tunnel for additional security
To create a wireless bridge and provide additional security, you can add a BOVPN tunnel between your
XTM device and the external gateway. You must set the mode to Aggressive Mode in the Phase 1
settings of your BOVPN configuration on both devices. Because IKEv1 Aggressive Mode sends the
gateway identity and the pre-shared-key-based hash before the exchange is encrypted, use a long,
random pre-shared key (or certificate authentication) so that the hash cannot be cracked offline by
anyone who captures the wireless traffic.
For information about how to set up a BOVPN tunnel, see About Manual Branch Office VPN Tunnels
on page 1498.
About Wireless Radio Settings
WatchGuard XTM wireless devices use radio frequency signals to send and receive traffic from
computers with wireless Ethernet adapters.
The steps to configure radio settings for a Firebox X Edge e-Series wireless device
are different from those for an XTM wireless device. For more information, see About
Wireless Radio Settings on the Firebox X Edge e-Series Wireless Device in the
Fireware XTM WatchGuard System Manager v11.3.x Help.
To view or change the radio settings:
1. Open Policy Manager.
2. Select Network > Wireless.
The Wireless Configuration dialog box appears.
The Radio Settings appear at the bottom of this dialog box.
Country is Set Automatically
Due to regulatory requirements in different parts of the world, you cannot use all wireless radio settings
in every country. Each time you power on the XTM wireless device, the device contacts a WatchGuard
server to determine the country and the allowed wireless radio settings for that country. To do this, the
device must have an Internet connection. Once the country is determined, you can configure all
supported wireless radio settings that can be used in that country.
When you configure an XTM wireless device for the first time, the Wireless Configuration page in
Policy Manager might not show the country. After the XTM wireless device connects to the Internet for
the first time, Policy Manager must connect to the XTM device to get the country setting, if it has been
determined.
To update the Policy Manager configuration with the country setting from the XTM wireless device:
1. Click Download.
The Download Country Information dialog box appears.
2. Type the XTM device status (read-only) passphrase.
The Country is updated to show the country setting from the XTM wireless device.
In the Wireless Configuration dialog box, the Country setting shows which country the device detects
it is in. You cannot change the Country setting. The available options for the other radio settings are
based on the regulatory requirements of the country the device detects it is located in.
If Policy Manager has not yet connected with the XTM wireless device, or if the
XTM wireless device cannot connect to the WatchGuard server, the country is
unknown, and is shown as Default. In this case, you can only select from the limited
set of wireless radio settings that are allowed in all countries. The XTM wireless
device periodically continues to retry to connect to the WatchGuard server to
determine the country and allowed wireless radio settings.
If the XTM wireless device does not have a country set yet, or if the country is not up to date, you can
force the device to update the wireless country information.
To update the Wireless Radio Region:
1. Start Firebox System Manager.
2. Select Tools > Update Wireless Radio Region.
The XTM wireless device contacts a WatchGuard server to determine the current operating region.
Select the Band and Wireless Mode
The WatchGuard XTM wireless device supports two different wireless bands, 2.4 GHz and 5 GHz.
The band you select and the country determine the wireless modes available. Select the Band that
supports the wireless mode you want to use. Then select the mode from the Wireless mode drop-down list.
The 2.4 GHz band supports these wireless modes:
802.11n, 802.11g and 802.11b
This is the default mode in the 2.4 GHz band, and is the recommended setting. This mode
allows the XTM wireless device to connect with devices that use 802.11n, 802.11g, or 802.11b.
802.11g and 802.11b
This mode allows the XTM wireless device to connect to devices that use 802.11g or 802.11b.
802.11n and 802.11g
This mode allows the XTM wireless device to connect to devices that use 802.11n or 802.11g.
This mode is supported only on XTM wireless devices that use Fireware XTM v11.8.3 or higher.
802.11b ONLY
This mode allows the XTM wireless device to connect only to devices that use 802.11b.
The 5 GHz band supports these wireless modes:
802.11a and 802.11n
This is the default mode in 5 GHz band. This mode allows the XTM wireless device to connect
to devices that use 802.11a or 802.11n.
802.11a ONLY
This mode allows the XTM wireless device to connect only to devices that use 802.11a.
If you choose a wireless mode that supports multiple 802.11 standards, the overall
performance can drop considerably. This is partly because of the need for backward
compatibility when devices that use slower modes are connected. The slower
devices tend to dominate the throughput because it can take much longer to send or
receive the same amount of data to devices that use a slower mode.
The 5 GHz band provides greater performance than the 2.4 GHz band, but is not compatible with all
wireless devices. Select the band and mode based on the wireless cards in the devices that will
connect to the XTM wireless device.
Select the Channel
The available channels depend on the country and the wireless mode you select. By default, the
Channel is set to Auto. When the channel is set to Auto, the XTM wireless device automatically
selects a quiet channel from the available list in the band you have selected. Or you can select a
specific channel from the Channel drop-down list.
Monitor Wireless Access Points and Clients
From the Fireware XTM Web UI, you can monitor statistics for the access points configured on your
XTM wireless device, and see statistics about connected wireless clients. You can also update the
country information for your wireless XTM device.
To see wireless statistics and connected wireless clients:
1. Log in to the Fireware XTM Web UI on the XTM wireless device.
2. Select System Status > Wireless Statistics.
For more information, see the Fireware XTM Web UI Help.
Configure the Wireless Card on Your Computer
These instructions are for the Windows XP with Service Pack 2 operating system. For installation
instructions for other operating systems, see your operating system documentation or help files.
1. Select Start > Settings > Control Panel > Network Connections.
The Network Connections dialog box appears.
2. Right-click Wireless Network Connection and select Properties.
The Wireless Network Connection dialog box appears.
3. Select the Wireless Networks tab.
4. Below Preferred Networks, click Add.
The Wireless Network Properties dialog box appears.
5. Type the SSID in the Network Name (SSID) text box.
6. Select the network authentication and data encryption methods in the drop-down lists. If
necessary, clear The key is provided for me automatically check box and type the network
key two times.
7. Click OK to close the Wireless Network Properties dialog box.
8. Click View Wireless Networks.
All available wireless connections appear in the Available Networks text box.
9. Select the SSID of the wireless network and click Connect.
If the network uses encryption, type the network key twice in the Wireless Network Connection
dialog box and click Connect again.
10. Configure the wireless computer to use DHCP.
Rogue Access Point Detection
You can configure your XTM wireless device to detect unknown wireless access points that operate
in the same area. A rogue access point is any wireless access point within range of your network that
is not recognized as an authorized access point. When you enable rogue access point detection on
your XTM wireless device, the wireless radio in the device scans wireless channels to identify
unknown wireless access points. You can configure the scan to run continuously, or to run at a
scheduled interval and time of day.
When a rogue access point scan begins, the XTM wireless device scans the airwaves within range for
other radio broadcasts. The device scans for wireless access points in 802.11a, 802.11b, 802.11g, and
802.11n wireless modes on all available wireless channels for the country where the device is located.
The scan is not limited to the wireless mode and channel settings configured in the radio settings of
your device.
When the XTM wireless device detects the signal of another wireless access point, it compares the
characteristics of the access point to a list of trusted access points that you configure. If the
discovered access point does not match any trusted access point, the XTM device reports the device
as a potential rogue access point. You can configure the device to send an alarm when a rogue access
point is detected. If you enable logging, you can run a report of all scans and scan results.
To use Wireless Rogue Access Point Detection, your WatchGuard wireless device must use Fireware
XTM v11.4 or later.
Enable Rogue Access Point Detection
To configure rogue access point detection on your XTM wireless device, you need to know the
configuration of the other wireless access points on your network; this enables you to identify them as
trusted in your configuration. You can then set up a schedule for rogue access point detection scans.
Configure Rogue Access Point Detection
1. Select Network > Wireless.
The Wireless Configuration dialog box appears.
2. Select the Enable rogue access point detection check box.
3. Adjacent to the Enable rogue access point detection check box, click Configure.
The Trusted Access Point Configuration dialog box appears.
On the Access Points tab you can add information about all other trusted wireless access
points on your network so the rogue access point scan does not identify them as potential rogue
access points.
Add a Trusted Access Point
1. To add a trusted access point to the list, click Add.
The Add Trusted access point dialog box appears.
In the Add Trusted access point dialog box, provide as much information as you can to
identify your trusted access point. The more information you provide, the more likely it is that a
rogue access point detection scan can correctly identify a trusted access point.
2. In the Network name (SSID) text box, type the SSID of the trusted access point.
3. In the MAC address (Optional) text box, type the wireless MAC address of the trusted access
point.
If your trusted access point is an XTM wireless device, see Find the Wireless MAC Address of
a Trusted Access Point.
4. From the Channel drop-down list, select the channel used by the trusted access point. If the
trusted access point is a WatchGuard device and the Channel in the radio settings of that
trusted wireless device is set to Auto, select Any.
5. From the Encryption drop-down list, select the encryption method used by the trusted access
point.
The WPA or WPA2 authentication and encryption settings that apply to the encryption method you
select are enabled.
6. If you selected WPA or WPA/WPA2 as the encryption method, configure the WPA settings to
match the configuration of your trusted access point.
Or, if you do not know these settings, select the Match any authentication and encryption
algorithms check box.
7. If you selected WPA2 or WPA/WPA2 as the encryption method, configure the WPA2 settings to
match the configuration of your trusted access point.
Or, if you do not know these settings, select the Match any authentication and encryption
algorithms check box.
8. Click OK.
The trusted access point is added to the list of trusted access points.
For information about how to add an XTM wireless device as a trusted access point, see Add an
XTM Wireless Device as a Trusted Access Point.
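The matching rules from the steps above, worked through in code. This is an added example written for this guide, not WatchGuard code; the field names, the trusted access point list and the scan results are all constructed for the example. It also makes explicit the caveat behind step 3: when the MAC address is left blank and Match any authentication and encryption algorithms is selected, any access point that broadcasts the same SSID on the configured channel is treated as trusted, so the wireless MAC address is what separates your own access point from an evil twin that copies its name and security settings.

```python
# Added example, not WatchGuard code: compare rogue-AP scan results against a
# trusted-AP list using the rules described in the steps above. Field names,
# trusted entries and scan data are constructed for this example.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class TrustedAP:
    ssid: str
    mac: Optional[str] = None            # wireless MAC (BSSID); None = not provided
    channel: Optional[int] = None        # None = "Any" (use when the trusted AP runs Channel Auto)
    encryption: str = "WPA/WPA2"         # Open, WEP, WPA, WPA2 or WPA/WPA2
    algorithms: frozenset = frozenset()  # e.g. {"PSK", "AES"}; ignored when match_any is set
    match_any: bool = False              # "Match any authentication and encryption algorithms"


@dataclass(frozen=True)
class ScannedAP:
    ssid: str
    bssid: str
    channel: int
    encryption: str
    algorithms: frozenset


def _norm_mac(mac: str) -> str:
    return mac.replace("-", ":").lower()


def matches(seen: ScannedAP, trusted: TrustedAP) -> bool:
    """True when every attribute configured on the trusted entry fits the scanned AP."""
    if seen.ssid != trusted.ssid:
        return False
    if trusted.mac is not None and _norm_mac(seen.bssid) != _norm_mac(trusted.mac):
        return False
    if trusted.channel is not None and seen.channel != trusted.channel:
        return False
    # WPA/WPA2 on the trusted entry accepts either generation; anything else must match exactly.
    if trusted.encryption == "WPA/WPA2":
        if seen.encryption not in ("WPA", "WPA2", "WPA/WPA2"):
            return False
    elif seen.encryption != trusted.encryption:
        return False
    if trusted.match_any or trusted.encryption in ("Open", "WEP"):
        return True
    return seen.algorithms == trusted.algorithms


def find_rogues(scan: List[ScannedAP], trusted: List[TrustedAP]) -> List[ScannedAP]:
    """Everything in the scan that matches no trusted entry is reported as a potential rogue."""
    return [ap for ap in scan if not any(matches(ap, t) for t in trusted)]


# Constructed trusted list: the corporate AP is pinned by MAC, the guest AP only by SSID and channel.
TRUSTED = [
    TrustedAP("corp-wifi", mac="00:90:7f:12:34:5c", encryption="WPA2",
              algorithms=frozenset({"PSK", "AES"})),
    TrustedAP("guest", channel=6, encryption="WPA/WPA2", match_any=True),
]

# Constructed scan results; the comments give the expected verdict.
SAMPLE_SCAN = [
    ScannedAP("corp-wifi", "00:90:7F:12:34:5C", 11, "WPA2", frozenset({"PSK", "AES"})),  # trusted
    ScannedAP("corp-wifi", "02:11:22:33:44:55", 11, "WPA2", frozenset({"PSK", "AES"})),  # evil twin: MAC differs
    ScannedAP("guest", "00:90:7f:aa:bb:cc", 6, "WPA", frozenset({"PSK", "TKIP"})),        # trusted (match any)
    ScannedAP("guest", "00:90:7f:aa:bb:cc", 1, "WPA", frozenset({"PSK", "TKIP"})),        # same AP, Channel Auto moved it: flagged
    ScannedAP("FreeWifi", "de:ad:be:ef:00:01", 3, "Open", frozenset()),                   # unknown SSID
]

if __name__ == "__main__":
    for ap in find_rogues(SAMPLE_SCAN, TRUSTED):
        print(f"potential rogue: {ap.ssid!r} {ap.bssid} ch{ap.channel} {ap.encryption}")
```

The fourth scan entry shows why step 4 tells you to select Any when the trusted device uses Channel Auto: the guest entry pins channel 6, so the same access point is reported as a rogue as soon as it picks a quieter channel. The second entry shows the opposite lesson: only the MAC address on the corp-wifi entry stops a device that copies the SSID and WPA2 settings from being accepted.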
Edit or Remove a Trusted Access Point
To edit a trusted access point:
1. Select the access point in the list.
2. Click Edit.
3. Edit the information used to identify the trusted access point as described in the previous
section.
To remove a trusted access point, select the access point in the list and click Remove.
Configure Logging and Notification
You must enable logging to see information about rogue access point scans in a report. When you
enable logging, the log records the start and stop time, and the results of each scan. To enable logging,
select the Enable logging for reports check box.
You can also configure the device to notify you when a rogue access point is detected. To configure
notification:
1. Click Notification.
2. Select a notification method: SNMP trap, email message, or pop-up window.
For more information about notification settings, see Set Logging and Notification Preferences on page
1209.
Set the Scan Frequency
If you enable rogue access point detection on an XTM wireless device that is also configured as a
wireless access point, the device alternates between the two functions. When a rogue access point
scan is not in progress, the device operates as wireless access point. When a rogue access point scan
begins, the XTM device access point functionality is temporarily disabled, and wireless clients cannot
connect to the XTM wireless device until the scan completes. You cannot set the scan frequency to
Always scan if your device is also configured as a wireless access point.
If your XTM wireless device is configured to operate as a wireless client, the rogue access point scan
does not interrupt the wireless connection, but it does decrease the throughput of the wireless
connection while the scan is in progress.
To set the scan frequency:
1. In the Trusted Access Point Configuration dialog box, select the Schedules tab.
2. Select the scan frequency.
   - Select Always scan to automatically scan for rogue access points every 15 minutes.
   - Select Schedule a scan to scan on a periodic schedule.
3. If you selected Schedule a scan, select how often the scan should run (daily, weekly, or
monthly) and select the time of day to start the scan.
4. Click OK.
If you have added information about some trusted access points but still need to collect information
about other trusted access points, you might not be ready to enable the rogue access point scan. To
disable rogue access point detection scans, in the Wireless Configuration dialog box, clear the Enable
rogue access point detection check box. When you disable rogue access point detection, your
trusted access point information is saved, but the device does not scan for rogue access points.
Add an XTM Wireless Device as a Trusted Access Point
If you have multiple wireless access points, you must add their information to the rogue access point
detection configuration's trusted access points list. The wireless settings you can select to identify a
trusted wireless access point are similar to the settings you use to configure an XTM wireless device
as a wireless access point. Use these steps to find the settings for your XTM wireless device so you
can add it to the trusted access point list.
Find the Settings for Your XTM Trusted Access Points
To find the required settings to identify a trusted access point:
1. Select Network > Wireless.
The Wireless Configuration dialog box appears.
2. In the Radio Settings section, make a note of the Channel.
3. Click Configure adjacent to the enabled wireless access point name.
The Wireless settings for this access point appear.
4. Make a note of these settings:
   - Network name (SSID)
   - Encryption / Authentication
   - Encryption algorithm
5. Find the wireless MAC address. For an XTM 2 Series wireless device, the wireless
MAC address is six higher than the MAC address of the Eth0 interface.
For more information, see Find the Wireless MAC Address of a Trusted Access Point.
An XTM wireless device can have up to three enabled wireless access points with different settings. If
the XTM wireless device has multiple enabled access points, repeat these steps to get the information
about each enabled access point. Repeat these steps for any other trusted access points on your
network.
Add the Trusted Access Points to the Trusted Access Point List
On the wireless device that performs the rogue access point scan:
1. Select Network > Wireless.
2. Select the Enable rogue access point detection check box.
3. Adjacent to Enable rogue access point detection, click Configure.
The list of trusted access points appears.
4. Click Add.
The Add Trusted access point dialog box appears.
5. Type or select the information to match the configuration of your trusted access point.
For more information about these settings, see Enable Rogue Access Point Detection.
The Encryption / Authentication setting in the wireless network configuration
corresponds to two settings (Encryption and Authentication) in the Trusted Access
Point configuration.
6. Click OK to add the trusted access point.
Repeat these steps to add other trusted wireless access points.
Find the Wireless MAC Address of a Trusted Access Point
When you enable rogue access point detection, you can specify the wireless MAC address of your
other trusted wireless access points so they can be identified as trusted.
To see the wireless MAC address of a trusted access point:
1. Start Firebox System Manager for the trusted access point you want to add.
2. Select the Status Report tab.
3. Scroll down to the Interfaces section.
The wireless MAC address appears on the first line of information for the ath interfaces.
For a wireless device, the first four interfaces listed are the wireless interfaces. These correspond to
the four wireless configuration options:
- ath0 — Wireless client as external interface
- ath1 — Access point 1
- ath2 — Access point 2
- ath6 — Access point 3 (Wireless guest in Fireware XTM v11.8.x and lower)
All of these wireless interfaces have the same MAC address. For an XTM 2 Series wireless device,
the wireless MAC address is always six higher than the MAC address of the Eth0 interface.
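The "six higher" rule above is an arithmetic step that is easy to get wrong by hand when the last octet is near 0xff. This added example (not WatchGuard code) derives the wireless MAC from the Eth0 MAC as a 48-bit integer so the carry propagates correctly, and checks whether a BSSID seen in a scan belongs to that device. The addresses are constructed for the example.

```python
# Added example, not WatchGuard code: derive the wireless MAC of an XTM 2 Series
# wireless device from its Eth0 MAC using the "six higher" rule above, and check
# whether a BSSID seen in a scan belongs to that device. Addresses are constructed.


def mac_to_int(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff into a 48-bit integer."""
    parts = mac.strip().replace("-", ":").split(":")
    if len(parts) != 6 or not all(len(p) == 2 for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int("".join(parts), 16)


def int_to_mac(value: int) -> str:
    if not 0 <= value < (1 << 48):
        raise ValueError("MAC address outside the 48-bit range")
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def wireless_mac_from_eth0(eth0_mac: str, offset: int = 6) -> str:
    """The offset is added to the whole 48-bit value, so a carry out of the last
    octet propagates (..:ff:fb + 6 -> ..:00:01) instead of wrapping inside it."""
    return int_to_mac(mac_to_int(eth0_mac) + offset)


def bssid_belongs_to(eth0_mac: str, bssid: str) -> bool:
    """All ath interfaces share one MAC, so a single comparison covers every
    access point enabled on the device."""
    return mac_to_int(bssid) == mac_to_int(wireless_mac_from_eth0(eth0_mac))


if __name__ == "__main__":
    print(wireless_mac_from_eth0("00:90:7f:12:34:5c"))  # 00:90:7f:12:34:62
```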
Rogue Access Point Scan Results
You can see the results of a wireless rogue access point detection scan in the Rogue Access Point
Detection (Wireless Intrusion Detection System) dialog box. This dialog box displays a list of untrusted
wireless access points found by the most recent rogue access point detection scan. This list does not
include access points that match the trusted access points defined in your wireless rogue access point
detection configuration.
To see and update the list:
1. In Firebox System Manager, select Tools > Rogue AP Detection.
The Rogue AP Detection dialog box appears.
2. To start an immediate scan for rogue access points, click Scan now.
The wireless access point starts a rogue access point detection scan and updates the list of
untrusted access points.
If an access point that you trust appears on this list, it is because you have not yet added it as a trusted
access point. For information about how to add an access point to the trusted access point list, see
Enable Rogue Access Point Detection.
9 WatchGuard AP Device Setup
Wireless Access Point Types
WatchGuard offers two types of wireless devices that you can use separately or together to add
secure wireless access points to your network: a WatchGuard XTM wireless device and a
WatchGuard Access Point device.
The configuration options and setup procedures for these two types of access point devices are
different.
WatchGuard XTM wireless device
You can enable up to three wireless access points on a WatchGuard XTM wireless device. The
settings to configure a WatchGuard XTM wireless device are in the Network > Wireless menu.
For more information, see About Wireless Device Configuration.
WatchGuard Access Point (AP) device
You can connect multiple WatchGuard AP devices to the trusted or optional network of an
XTM device, and manage them from any wired or wireless XTM device. You configure the
Gateway Wireless Controller on your XTM device to manage the WatchGuard AP devices.
The settings to configure WatchGuard AP devices are in the Network > Gateway Wireless
Controller menu.
For more information, see About AP Device Configuration.
About AP Device Configuration
Your WatchGuard Access Point (AP) device is an extension to your Firebox or XTM device. You can
connect one or more WatchGuard AP devices to your network to enable wireless access, expand the
wireless range of your network, and enable wireless access to different security zones in your network.
You configure and manage your AP devices through the Gateway Wireless Controller on your Firebox
or XTM device.
SSID Configuration
An SSID (Service Set Identifier) is the unique name you give to each wireless network. You can assign
the same SSID to several AP devices, and more than one SSID to each AP device, to accommodate
different wireless configurations.
When you configure SSIDs for your WatchGuard AP devices, you can:
Assign the same SSID to more than one AP device (for wireless roaming on the same SSID)
When you assign the same SSID to more than one AP device, the range of that SSID is
extended. When a wireless client that is connected to an SSID moves to a different location on
your physical network, the wireless client can automatically connect to the AP device that has
the strongest signal for that SSID. This eliminates the need for users to manually reconnect
when they move their wireless devices around your office.
Assign more than one SSID to each AP device
You can also enable more than one SSID on each AP device. The number of SSIDs each
wireless AP device can support depends on the AP device model, and whether the device has
single or dual radios.
- AP100 / AP102 — Has one radio and supports a maximum of 8 SSIDs
- AP200 — Has two radios and supports a maximum of 16 SSIDs (eight per radio)
For each SSID, you configure the security and encryption settings that protect your network. For more
information, see Configure WatchGuard AP Device SSIDs.
When you configure the SSIDs for your AP devices, you can optionally enable VLAN tagging. If you
enable VLAN tagging for SSIDs on a WatchGuard AP device, you must also enable VLANs on the
network that the AP device connects to.
Enable VLAN tagging on your AP device SSIDs if you want to:
- Configure different firewall policies for SSIDs that connect to the same network
- Separate the traffic on the same physical network to different logical networks.
For more information, see Configure VLANs for WatchGuard AP Devices.
To support roaming for a wireless guest network, you might want to enable station isolation to make
sure wireless clients cannot directly send traffic to each other. This requires a VLAN, but does not
require VLAN tagging. For more information, see About AP Station Isolation.
AP Device Configuration
In the Gateway Wireless Controller AP device settings, you configure the radio settings for each AP
device and set the SSIDs each AP device uses.
For more information, see Configure AP Device Settings.
WatchGuard AP Device Requirements and
Limitations
Before you add a WatchGuard AP device to your network, it is important to understand the
requirements and limitations of the AP device.
Requirements
- The WatchGuard AP device must be managed by a WatchGuard XTM device that uses
Fireware XTM OS v11.7.2 or higher.
- The XTM device must be configured in mixed routing mode.
- The AP device must connect to a trusted or optional network.
- The XTM device configuration must include a policy that allows NTP traffic from the AP device
to the Internet. The AP device uses an NTP server to set the correct local time.
The default Outgoing policy allows NTP traffic from the trusted network. If you
remove or disable the Outgoing policy, or if your AP device is connected to the
Optional network, you must add an NTP policy to allow outgoing NTP traffic from the
network the AP device connects to.
Limitations
- You cannot use the Fireware XTM Command Line Interface to manage WatchGuard AP
devices.
- You cannot use a WatchGuard Management Server to manage WatchGuard AP devices.
- You cannot locate WatchGuard AP devices behind a NAT firewall.
Plan your Wireless AP Device Deployment
Before you deploy WatchGuard AP devices on your network, you must research, design, and plan your
wireless network deployment to make sure it meets your requirements for coverage, signal strength,
data rates, and security.
We recommend that you review these sections for general wireless knowledge and guidelines for a
successful deployment.
Wireless Site Survey
Perform a wireless site survey to analyze your current environment and wireless requirements.
For more information, see Wireless Site Survey.
Wireless Modes and Channels
Determine which wireless modes and channels you support for your wireless clients.
For more information, see Wireless Modes and Channels.
Wireless Signal Strength and Noise Levels
Understand wireless signal strength and signal-to-noise ratios.
For more information, see Wireless Signal Strength and Noise Levels.
Wireless Environment Factors
Identify environmental factors that can affect the range and performance of wireless networks.
For more information, see Wireless Environmental Factors.
WatchGuard AP Device Placement
Determine the best location and placement of your WatchGuard AP devices.
For more information, see Wireless Placement.
Wireless Deployment Maps
Use the Wireless Deployment Maps feature on the Gateway Wireless Controller to help deploy
your WatchGuard AP devices, check signal strength, and resolve channel conflicts.
For more information, see the Fireware XTM Web UI Help.
Wireless Site Survey
Before you deploy a new WatchGuard AP device, you can perform a wireless site survey to analyze
your current environment and existing wireless signals. The wireless site survey helps you to identify
your specific requirements for your wireless network, and any external factors that could affect your
deployment.
Site survey results can help you determine this information:
- Number of wireless clients that must be supported
- Areas of coverage and number of AP devices required
- Best physical placement of AP devices
- Range from clients to each AP device
- Minimum data rates required for specific applications
- Wireless signal strength and potential sources of wireless noise and interference
- Environmental factors that affect wireless signals, such as building construction and materials
Typically, you begin a site survey with a physical walk-through of your environment. It is helpful to
have a floor plan of your facilities that shows your existing networking environment and a list of
requirements for your planned wireless networks. A visual inspection helps you to understand the
areas of coverage required, the physical limitations and barriers due to building construction, and
potential sources of wireless interference.
After you complete a physical inspection of your facilities, you must be able to visualize and
understand where the current wireless signals are located in your environment, and how they react to
your physical environment.
Many wireless site survey tools are available that enable you to map your environment and generate
wireless heat maps, which provide a visual representation of the wireless signals in your environment.
The heat map shows the strength and range of wireless access points, how their signals react to your
physical environment, and identifies any existing wireless interference.
To determine what wireless signals and interference already exist in your environment, you can
generate a heat map to help you plan your deployment scenario. You can use one of the many available
third-party wireless site survey tools, such as Ekahau HeatMapper. After you install your AP devices,
you can make another heat map of your environment to see if your current placement provides
adequate coverage and signal strength for your wireless network.
You can also use the Wireless Deployment Maps feature on the Gateway Wireless Controller to
provide a simulated physical view of your wireless network to help you place the AP devices in optimal
locations for maximum coverage, and to detect channel conflicts with other wireless devices in your
area.
For more information, see the Fireware XTM Web UI Help.
Wireless Modes and Channels
WatchGuard AP wireless devices support two different wireless bands: 2.4 GHz and 5 GHz. The band
you select and the country you specify determine which wireless modes are available.
These wireless standards are supported:

Standard   Frequency Band     Maximum Data Rate   Channel Width   Indoor Range
802.11n    2.4 GHz and 5 GHz  600 Mbps            20 and 40 MHz   230 ft
802.11g    2.4 GHz            54 Mbps             20 MHz          125 ft
802.11b    2.4 GHz            11 Mbps             20 MHz          115 ft
802.11a    5 GHz              54 Mbps             20 MHz          115 ft
The 802.11n protocol is the latest of these wireless standards, and provides the highest data rates and
performance, particularly in the 5 GHz frequency band. It is only supported in the most recent types of
wireless devices.
For maximum performance, select only the 802.11n standard in the 5 GHz band. This selection
requires that all the wireless devices on your network support the 802.11n standard. For most
environments, you must support legacy wireless devices that do not support 802.11n. Because of this,
WatchGuard recommends that you configure your WatchGuard AP device to use the default mixed
mode 802.11b/g/n.
If you choose a wireless mode that supports more than one 802.11 standard, the
overall performance can be considerably impacted. This is in part because of the
backward compatibility required when devices that use slower modes are
connected. The slower devices often use more of the available throughput because it
can take much longer to send or receive the same amount of data to devices that use
a slower mode.
Wireless Channels
A wireless channel is a specific division of frequencies within a specific wireless band. For example, in
the 2.4GHz band with a channel width of 20MHz, there are 14 defined channels spaced every 5MHz.
Channels 12 and 13 are available in countries outside of North America. Channel 14 is for Japan only,
and its center frequency is 12 MHz above channel 13 rather than the usual 5 MHz.
One wireless channel can overlap the frequency range of another wireless channel. When you design and
deploy wireless networks, you must consider which channels you use for your wireless network. For
example, in the 2.4 GHz band, adjacent channels such as channels 3 and 4 are only 5 MHz apart, so their
20 MHz frequency ranges overlap almost entirely and cause interference. In the 2.4 GHz band, channels
1, 6, and 11 are the most commonly used channels because the space between their center frequencies
means they do not overlap each other. The 2.4 GHz band is crowded because many other devices that
operate on this band (such as cordless phones, microwaves, monitors, and wireless headsets) also use
the same channels, and can cause wireless congestion.
In the 5 GHz band, channels are spaced a full channel width apart, so there is a very large selection of
channels that do not overlap. 802.11n also enables you to combine two 20 MHz channels to form a
40 MHz channel for increased bandwidth.
In some regions, DFS (Dynamic Frequency Selection) channels operate in the 5GHz band. Because
DFS channels are used with radar, transmissions from your AP device stop if radar signals are
detected on that channel. You can disable the use of DFS channels in your AP device configuration.
For the outdoor model AP102, you can configure the device to only use outdoor channels.
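A small channel calculator, added here as an example (not WatchGuard code), that reproduces the 2.4 GHz statements above: channels 1, 6 and 11 do not overlap, adjacent channels such as 3 and 4 do, and channel 14 sits 12 MHz above channel 13. It uses the usual planning convention that 20 MHz channels need 25 MHz of center separation (five channel steps) to stay clear of each other's spectral mask; that figure is an assumption of the example, not a value from the guide, and it is the reason 1, 6 and 11 are the standard choice. It goes slightly beyond the text by also reporting which access points in a planned deployment are on conflicting channels.

```python
# Added example, not WatchGuard code: 2.4 GHz channel center frequencies and
# overlap checks for 20 MHz channels. The 25 MHz separation rule is the usual
# planning convention (20 MHz channel, 22 MHz spectral mask), not a value from the guide.

MIN_SEPARATION_MHZ = 25  # five 5 MHz steps: the spacing between 1, 6 and 11


def centre_mhz(channel: int) -> int:
    """Channels 1-13 are 5 MHz apart starting at 2412 MHz; channel 14 (Japan only) is 2484 MHz."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def overlaps(ch_a: int, ch_b: int) -> bool:
    """Two 20 MHz channels interfere when their centers are closer than the minimum separation."""
    return abs(centre_mhz(ch_a) - centre_mhz(ch_b)) < MIN_SEPARATION_MHZ


def non_overlapping_plan(available) -> list:
    """Greedily choose channels, lowest first, that do not overlap one another."""
    chosen = []
    for ch in sorted(set(available)):
        if all(not overlaps(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def conflicts(assignments: dict) -> list:
    """Given {ap_name: channel}, list pairs of access points on overlapping channels."""
    names = sorted(assignments)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if overlaps(assignments[a], assignments[b])]


if __name__ == "__main__":
    print(non_overlapping_plan(range(1, 14)))                       # [1, 6, 11]
    print(conflicts({"ap-lobby": 1, "ap-east": 3, "ap-west": 11}))  # [('ap-east', 'ap-lobby')]
```

Feed conflicts() the channel each AP device actually settled on (the channel it chose when set to Auto, as reported by the Gateway Wireless Controller) rather than the configured value, since Auto can move two neighbouring devices onto overlapping channels.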
Channel Selection
The WatchGuard AP device is configured by default to automatically select a wireless channel. When
you power on the WatchGuard AP device, it automatically scans the network and selects the wireless
channel with the least amount of interference.
The default channel width is configured as 20/40MHz. This mixed mode sets the radio to use 40MHz
channel width, but it also has additional transmission information, which enables it to be used in an
environment that includes 802.11a/b/g wireless access points.
Use Wireless Deployment Maps to Find Channel Conflicts
You can use the Wireless Deployment Maps feature in the Gateway Wireless Controller to help you
find wireless channel conflicts and optimize your wireless environment.
For more information, see the Fireware XTM Web UI Help.
Wireless Signal Strength and Noise Levels
To make sure that all users in your environment receive a strong wireless signal, consider these
guidelines when you install your WatchGuard AP devices.
Signal Strength
The signal strength is the wireless signal power level received by the wireless client.
- Strong signal strength results in more reliable connections and higher speeds.
- Signal strength is represented in -dBm format (0 to -100). This is the power ratio in decibels (dB)
of the measured power referenced to one milliwatt.
- The closer the value is to 0, the stronger the signal. For example, -41dBm is better signal
strength than -61dBm.
Noise Level
The noise level indicates the amount of background noise in your environment.
- If the noise level is too high, the strength and performance of your wireless signal degrade.
- Noise level is measured in -dBm format (0 to -100). This is the power ratio in decibels (dB) of the
measured power referenced to one milliwatt.
- The closer the value is to 0, the greater the noise level.
- More negative values indicate less background noise. For example, -96dBm is a lower noise level
than -20dBm.
Signal to Noise Ratio
The signal-to-noise ratio (SNR) is the difference between the signal strength and the noise level.
Because both values are measured in dBm, the difference is a ratio expressed in dB.
- This value is represented as a positive dB value.
- In general, you should have a minimum signal-to-noise ratio of 25 dB. Values lower than
25 dB result in poor performance and speeds.
For example:
- If you have a -41dBm signal strength, and a -50dBm noise level, this results in a poor signal-to-noise
ratio of 9 dB.
- If you have a -41dBm signal strength, and a -96dBm noise level, this results in an excellent
signal-to-noise ratio of 55 dB.
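The signal, noise and SNR rules above applied to a set of site-survey readings. This is an added example (not WatchGuard code) with constructed readings; the 25 dB minimum is the guide's recommendation, and the -41 dBm "strong signal" reference value is taken from the guide's own example. The example goes one step further than the text: for a location that fails the threshold, it separates a noise problem (a stronger signal would still not reach 25 dB) from a coverage problem (the noise floor is fine and a closer AP device would help), because the two have different fixes.

```python
# Added example, not WatchGuard code: apply the signal, noise and SNR rules above
# to constructed site-survey readings. SNR is signal minus noise, both in dBm,
# which gives a ratio in dB. The 25 dB minimum is the guide's recommendation;
# the -41 dBm strong-signal reference is taken from the guide's example.

MIN_SNR_DB = 25
STRONG_SIGNAL_DBM = -41


def snr_db(signal_dbm: float, noise_dbm: float) -> float:
    if not (-100 <= signal_dbm <= 0 and -100 <= noise_dbm <= 0):
        raise ValueError("signal and noise must be dBm values between -100 and 0")
    return signal_dbm - noise_dbm


def likely_cause(noise_dbm: float) -> str:
    """If even a strong signal could not reach the minimum SNR against this noise
    floor, moving or adding access points will not help: the problem is noise."""
    return "noise" if snr_db(STRONG_SIGNAL_DBM, noise_dbm) < MIN_SNR_DB else "coverage"


def evaluate(survey):
    """survey: (location, ap_name, signal_dbm, noise_dbm) tuples.
    Returns {location: (best_ap, snr_db, noise_dbm)} and {weak_location: cause}."""
    best = {}
    for location, ap, signal, noise in survey:
        snr = snr_db(signal, noise)
        if location not in best or snr > best[location][1]:
            best[location] = (ap, snr, noise)
    weak = {loc: likely_cause(noise)
            for loc, (ap, snr, noise) in best.items() if snr < MIN_SNR_DB}
    return best, weak


# Constructed readings: (location, access point, signal dBm, noise dBm)
SURVEY = [
    ("lobby", "ap-lobby", -41, -96),
    ("lobby", "ap-east", -70, -96),
    ("kitchen", "ap-east", -41, -50),   # strong signal, but a microwave raises the noise floor
    ("kitchen", "ap-lobby", -75, -50),
    ("storage", "ap-east", -82, -95),   # quiet, but the signal is weak
]

if __name__ == "__main__":
    best, weak = evaluate(SURVEY)
    for loc, (ap, snr, noise) in sorted(best.items()):
        print(f"{loc:8} best {ap:9} SNR {snr:+.0f} dB  {weak.get(loc, 'ok')}")
```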
Wireless Environmental Factors
There are several environmental factors that can affect the range and performance of wireless
networks.
Walls and ceilings
Walls and ceilings between the AP device and wireless clients can degrade signal strength.
Wireless signals can penetrate walls and other structures, but the rate of penetration is directly
related to the type of building materials, materials thickness, and the distance from the wireless
antenna.
Building materials
Metal and aluminum doors, glass, concrete, and other types of building materials can have a
significantly negative effect on the signal strength of wireless signals.
EMI (Electro-magnetic interference)
EMI from other electrical devices, such as microwaves, cordless phones, and wireless
headsets, can generate significant RF noise and degrade or disrupt wireless communications.
Distance
Wireless signals degrade quickly past their maximum range. You must plan your network
carefully to provide adequate wireless coverage over the range you require in your environment.
Wireless Placement
For full wireless coverage and to make sure that all users in your environment receive a strong wireless
signal, consider these guidelines for the location and placement of your WatchGuard AP devices:
- Place your AP devices in a central location away from any corners, walls, or other physical
obstructions to provide maximum signal coverage.
- Place your AP devices in a high location to provide the overall best signal strength reception and
performance for your wireless network.
- Make sure you do not install an AP device in close proximity to any electronic devices that can
interfere with the signal, such as televisions, microwave ovens, cordless phones, air
conditioners, fans, or any other type of equipment that can cause signal interference.
- When you install more than one AP device, make sure to put enough space between them to
provide maximum coverage for your wireless network area of availability. For wireless coverage
over many floors, you can stagger the placement of devices to cover both vertical and horizontal
space.
Use Wireless Deployment Maps for AP Device Placement
You can use the Wireless Deployment Maps feature on the Gateway Wireless Controller to provide a
simulated physical view of your wireless network to help you place the AP devices in optimal locations
for maximum coverage.
For more information, see the Fireware XTM Web UI Help.
WatchGuard AP Device Deployment Overview
When you add one or more WatchGuard Access Point (AP) devices to your network, you manage and
configure the AP devices from the Gateway Wireless Controller on an XTM device. You do not have to
connect directly to the AP device to configure it.
To deploy any AP device on your XTM device network you must:
1. Enable the Gateway Wireless Controller on the XTM device.
2. Connect the AP device to your network.
If your network has a DHCP server, the AP device automatically gets an IP address.
3. In the Gateway Wireless Controller, configure the SSIDs you want your AP device to use.
4. In the Gateway Wireless Controller, pair the AP device with the XTM device.
5. In the Gateway Wireless Controller, configure the AP device settings, and select the SSIDs to
use.
You can optionally enable VLAN tagging in the SSIDs for your AP device. If you enable VLAN tagging,
you must configure the necessary VLANs on your XTM device. For information about when to enable
VLAN tagging and how to configure VLANs, see Configure VLANs for WatchGuard AP Devices.
You can optionally enable the AP device to use a tagged VLAN for management
connections from the XTM device. But you still must configure an untagged VLAN
that the XTM device can use to initially discover and connect to the AP device.
The subsequent sections provide a more detailed overview of the steps to deploy an AP device with,
and without, VLAN tagging enabled.
If the network you connect your AP device to does not use DHCP, you can use the
Access Point web UI to manually assign a static IP address to the AP device before
you connect it to your network. For more information, see Use the WatchGuard
Access Point Web UI.
Deploy AP Devices Without VLAN Tagging
To deploy an AP device without VLAN tagging, you must enable the Gateway Wireless Controller,
configure SSIDs on your XTM device, pair your AP device with your XTM device, and configure your
AP device.
Step 1 — Enable the Gateway Wireless Controller
For the XTM device to discover and manage an AP device, you must enable the Gateway Wireless
Controller on your XTM device.
1. Start Policy Manager for your XTM device.
2. Select Network > Gateway Wireless Controller.
The Gateway Wireless Controller dialog box appears.
3. Select the Enable the Gateway Wireless Controller check box.
The WatchGuard AP Passphrase dialog box appears.
4. Type the WatchGuard AP Passphrase that you want all your AP devices to use after they are
paired.
5. Save the configuration to the XTM device.
For more information, see Configure AP Devices in the Gateway Wireless Controller on page 406.
Step 2 — Connect the AP Device
Select one of these options to connect the AP device to your Trusted or Optional network. By default,
the AP device automatically requests an IP address from a DHCP server on the local network.
Option 1 — Connect the AP device to an XTM device interface
If you have an available Trusted or Optional interface on your XTM device, you can connect the
AP device directly to one of those interfaces.
To configure an XTM device interface as a Trusted or Optional interface:
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select a Trusted or Optional interface, and enable DHCP on that interface.
3. Save the configuration to the XTM device.
4. Connect the AP device to the interface you configured.
For more information about interface configuration, see Common Interface Settings on page
207.
Option 2 — Connect the AP device to a switch
If you have a switch that connects to a Trusted or Optional interface on your XTM device, you
can connect the AP device to that switch. With this option, you do not have to change the
network settings on the XTM device interface.
Step 3 — Configure the SSIDs
Configure the SSIDs for your wireless users to connect to. You can configure up to eight SSIDs per
radio.
1. In the Gateway Wireless Controller dialog box, select the SSIDs tab.
2. Click Add to add an SSID.
3. Configure the SSID (network name) and wireless security settings.
For more information, see Configure WatchGuard AP Device SSIDs on page 408.
Step 4 — Pair the AP Device
When you first connect the AP device to your network, it is an unpaired access point. This means it is
not yet managed by an XTM device. The power LED on the AP device alternates from green to red
when the device is unpaired.
To discover an unpaired AP device and pair it with your XTM device:
1. In the Gateway Wireless Controller dialog box, select the Access Points tab.
2. Click Refresh.
The unpaired AP device appears in the Unpaired Access Points list.
For more information, see WatchGuard AP Device Discovery and Pairing on page 414.
3. From the Unpaired Access Points list, select the AP device and click Pair.
4. In the Pairing Passphrase dialog box, type the passphrase of the AP device.
The default AP passphrase is wgwap.
When the AP device is paired, the power LED on the device will be green.
Step 5 — Configure the AP Device
After you pair the AP device with your XTM device, configure the AP device settings.
1. In the Edit Access Point dialog box, select the radio settings to use for each radio.
2. Add the SSID you created in Step 3 to the SSID list.
3. Save the configuration to the XTM device.
For more information, see Configure AP Device Radio Settings on page 421.
For a configuration example that demonstrates this type of deployment, see AP Device Deployment
with a Single SSID on page 449.
Deploy AP Devices With VLAN Tagging Enabled
To set up an AP device with VLAN tagging enabled in the SSIDs, you must configure VLANs and
enable VLAN tagging in your SSIDs.
Step 1 — Configure VLANs on the XTM device
To enable VLAN tagging in your SSIDs, you must configure VLANs and enable them on an
XTM device interface. The AP device uses tagged VLANs to identify traffic for each SSID. The
XTM device uses an untagged VLAN to pair with the AP device.
To configure VLANs on the XTM device:
1. Add one VLAN for each SSID.
These VLANs are used for tagged VLAN traffic for each SSID.
2. Add one VLAN for management connections to the AP device.
This VLAN is used for untagged management connections to the AP device.
3. Enable DHCP server or DHCP relay for each VLAN.
4. Configure the XTM device interface to pass tagged traffic for the VLANs for each SSID.
5. Configure the XTM device to pass untagged traffic for the AP management VLAN.
For an example VLAN configuration, see Configure VLANs for WatchGuard AP Devices on page 394.
Step 2 — Enable the Gateway Wireless Controller
For the XTM device to discover and manage an AP device, you must enable the Gateway Wireless
Controller.
1. Start Policy Manager for your XTM device.
2. Select Network > Gateway Wireless Controller.
The Gateway Wireless Controller dialog box appears.
3. Select the Enable the Gateway Wireless Controller check box.
The WatchGuard AP Passphrase dialog box appears.
4. Type the WatchGuard AP Passphrase that you want all your AP devices to use after they are
paired.
5. Save the configuration to the XTM device.
For more information, see Configure AP Devices in the Gateway Wireless Controller on page 406.
Step 3 — Connect the AP Device
Select one of these options to connect the AP device to your Trusted or Optional network. By default,
the AP device automatically requests an IP address from a DHCP server on the local network.
If the network you connect your AP device to does not use DHCP, you can use the Access Point web
UI for the AP device to manually assign a static IP address to the AP device before you connect it to
your network. For more information, see Use the WatchGuard Access Point Web UI.
Option 1 — Connect the AP device to an XTM device interface
You can connect the AP device directly to the XTM device interface that you configured as a
VLAN interface in Step 1.
Option 2 — Connect the AP device to a 802.1Q switch
You can connect the AP device to an 802.1Q switch that has the necessary VLANs configured.
To configure the VLANs on the switch:
1. Add VLANs to the switch with the same IDs as the VLANs you configured on the
XTM device.
2. Configure the switch interfaces that connect to the XTM device VLAN interface
and the AP device to:
  • Send and receive tagged traffic for the VLANs assigned to each SSID.
  • Send and receive untagged traffic for the VLAN you use for AP device
  management.
For more information about VLAN configuration, see Configure VLANs for WatchGuard AP
Devices on page 394.
Step 4 — Configure the SSIDs
Configure the SSIDs for your wireless users to connect to. You can configure up to eight SSIDs per
radio.
1. In the Gateway Wireless Controller dialog box, select the SSIDs tab.
2. Click Add to add an SSID.
3. Configure the SSID (network name) and wireless security settings.
4. In each SSID, enable VLAN tagging, and select the VLAN ID to use.
For more information, see Configure WatchGuard AP Device SSIDs on page 408.
Step 5 — Pair the AP Device
When you first connect the AP device to your network, it is an unpaired access point. This means it is
not yet managed by an XTM device. The power LED on the AP device alternates from green to red
when the device is unpaired.
To discover an unpaired AP device and pair it with your XTM device:
1. In the Gateway Wireless Controller dialog box, select the Access Points tab.
2. Click Refresh.
The unpaired AP device appears in the Unpaired Access Points list.
For more information, see WatchGuard AP Device Discovery and Pairing on page 414.
3. From the Unpaired Access Points list, select the AP device and click Pair.
4. In the Pairing Passphrase dialog box, type the passphrase of the AP device.
The default AP passphrase is wgwap.
When the AP device is paired, the power LED on the device will be green.
Step 6 — Configure the AP Device
After you pair the AP device, you can configure the AP device settings.
1. In the Edit Access Point dialog box, select the radio settings to use for each radio.
2. Add the SSID you created in Step 4 to the SSID list.
3. Save the configuration to the XTM device.
For more information, see Configure AP Device Radio Settings on page 421.
For a configuration example that demonstrates this type of deployment, see AP Device Deployment
with VLANs.
Configure VLANs for WatchGuard AP Devices
If you enable VLAN tagging for SSIDs on a WatchGuard AP device, or you enable management
VLAN tagging for an AP device, you must also enable VLANs on the network that the AP device
connects to.
By default, management traffic to the AP device is untagged, so we recommend that you add an
untagged VLAN for management traffic, as described here. If you prefer to use a tagged VLAN for
management traffic, make sure that you configure the AP device to tag management traffic, and set
the management VLAN ID in the Access Point configuration to the VLAN you want to use for
management traffic.
The tagged management VLAN is used only after the AP device is paired with the
XTM device. An unpaired AP device cannot respond to tagged VLAN traffic.
When to Enable VLAN Tagging in SSIDs
There are a couple of reasons you might want to enable VLAN tagging on your AP SSIDs:
To configure different firewall policies for SSIDs that connect to the same network
If you configure multiple SSIDs for your AP devices and you want to set different firewall
policies for each SSID, you can enable VLAN tagging in the SSID and then use the VLAN
ID associated with each SSID in policies specific to each SSID. For example, you could add a
different HTTP packet filter policy for each SSID that specifies the VLAN associated with that
SSID.
To separate the traffic on the same physical network to different logical networks
If you have several AP devices connected to the same physical network, VLAN tagging gives
you the ability to separately examine traffic for the wireless clients connected to each SSID. For
example, if you run a network analyzer, you can use the VLAN tags to see the traffic for the
VLAN ID associated with an SSID.
Or, you can set up all of your AP devices with one SSID for the trusted network and a different
SSID for the optional network. You can set up a trusted VLAN and an optional VLAN to
separate the traffic for the wireless clients that connect to the trusted and optional networks.
Configure VLANs on the XTM Device
To enable VLAN tagging in your AP device SSIDs, you must configure VLANs on the XTM device
interface where you plan to connect your AP devices.
• Configure one VLAN for each SSID and one extra VLAN for management connections to the
AP device.
• Enable DHCP server or DHCP relay on each VLAN.
  ◦ The AP device gets an IP address from the DHCP server on the VLAN used for
  management connections.
  ◦ Wireless clients that connect to an SSID get an IP address from the DHCP server on the
  VLAN for that SSID.
For example, if you want to create two SSIDs that use VLAN tags, you can create three VLANs with
the VLAN IDs 10, 20, and 30.
• VLAN ID 10, in the Trusted zone — For the SSID for wireless connections to the trusted
network
• VLAN ID 20, in the Optional zone — For the SSID for wireless guest access to the Internet
• VLAN ID 30, in the Trusted zone — For management connections to the AP device
For information about how to create a VLAN, see Define a New VLAN.
After you create the VLANs, you configure the XTM device interface that your AP devices connect to
as a VLAN interface.
In the Interface settings for the interface that your AP device connects to:
1. From the Interface Type drop-down list, select VLAN.
2. Configure the interface to send and receive tagged traffic for each of the VLANs for your SSIDs.
3. Configure the interface to send and receive untagged traffic for the VLAN for management
connections to the AP device.
For more information about how to configure the VLAN interface, see Assign Interfaces to a VLAN.
Configure VLANs on a Managed Switch
If you enable VLAN tagging and want to connect your AP device to a managed switch, you must also
configure VLANs on the switch. The switch must support 802.1Q VLAN tagging.
On the switch, you must:
1. Add VLANs with the same IDs as the VLANs you configured on the XTM device.
2. Configure the switch interfaces that connect to the XTM device and the AP device to send and
receive tagged traffic for the VLANs assigned to each SSID.
3. Configure the switch interfaces that connect to the XTM device and the AP device to send and
receive tagged or untagged traffic for the AP device management.
  • If management VLAN tagging is not enabled in the AP device configuration, configure the
  switch to send and receive untagged traffic for the VLAN you use for AP device
  management.
  • If management VLAN tagging is enabled for the AP device, configure the switch to send and
  receive tagged traffic for the VLAN you use for AP device management.
For instructions to enable and configure the VLANs on your switch, see the documentation for your
switch.
If you have enabled VLAN tagging in the SSIDs on your AP device, do not connect
your AP device to a switch that does not support 802.1Q VLAN tagging.
For a list of switches that WatchGuard has tested with the WatchGuard AP device, see the
WatchGuard Knowledge Base at http://customers.watchguard.com/.
About AP Station Isolation
When you configure an SSID for your AP device, you can optionally enable station isolation. The
station isolation setting enables you to control whether wireless clients can communicate directly with
each other through the AP device. Station isolation prevents direct traffic between wireless clients that
connect to the same SSID on the same radio. Station isolation does not prevent direct traffic between
wireless clients that connect to the SSID on different AP devices, or between wireless clients that
connect to different radios on an AP200 device.
We recommend that you enable station isolation for SSIDs on AP devices that provide a wireless
guest network for wireless clients that do not trust each other.
Station Isolation for a Single AP Device
To enable station isolation on an AP device, select the Enable station isolation check box in the
SSID settings.
For more information, see Configure WatchGuard AP Device SSIDs.
Station Isolation for Multiple AP Devices
When station isolation is enabled on a single AP device that uses the same SSID as another
AP device, traffic can still pass between wireless clients that are connected to other AP devices. To
effectively implement station isolation for an SSID that is used by more than one AP device, you must
also make sure that all traffic between your AP devices goes through the XTM device. The XTM device
can then apply policies that support your station isolation settings to the traffic.
To implement station isolation for more than one AP device, you must:
1. Add a VLAN and configure it to apply firewall policies to intra-VLAN traffic.
To make sure that the same IP address pool is used for wireless clients that connect to the SSID on
any AP device, you must configure a VLAN. For wireless roaming to function correctly, all SSIDs
must be on the same network. When you configure the VLAN to apply policies to intra-VLAN traffic,
the XTM device applies firewall policies to the VLAN traffic from one interface with the destination of
the same VLAN on another interface.
2. For each AP device, configure one VLAN interface to manage untagged VLAN traffic.
Or, you can enable management VLAN tagging in the AP device configuration and select a VLAN ID
to use for management.
3. Configure the SSID settings to enable station isolation.
It is not necessary to enable VLAN tagging in the SSID settings if the VLAN interfaces are configured
to manage untagged traffic.
4. Connect each AP device directly to a VLAN interface on the XTM device.
This ensures that all traffic between AP devices goes through the XTM device.
Because the default packet handling policy automatically denies traffic between AP devices on two
different interfaces, you do not have to create a policy to explicitly deny that traffic. For example, if you
configure a VLAN in the Optional security zone, the XTM device automatically denies packets
between the two interfaces as unhandled packets because they do not match any of the configured
firewall policies. To prevent traffic between AP devices, make sure that you do not add a policy that
allows traffic from Optional to Optional.
You can also enable VLAN tagging in the SSID and configure the VLAN interfaces to
manage tagged traffic, but VLAN tagging is not required for station isolation. If you
enable VLAN tagging, you must configure two VLANs: one for tagged SSID traffic
and one for untagged management traffic. Or, you can enable one VLAN and
configure the AP to enable management VLAN tagging for that VLAN in the AP
device configuration.
For more information, see Configure VLANs for WatchGuard AP Devices.
Example — Station Isolation and Roaming
This example shows how to implement station isolation for a wireless guest network with two AP100
devices that use the same SSID.
Step 1 — Configure the VLAN
First, configure the VLAN and VLAN interfaces for your AP devices.
1. Create a VLAN to apply VLAN tagging to traffic to an SSID.
For example, the VLAN could have these properties:
  • Name (Alias) — AP100-Guest
  • VLAN ID — 20
  • Security Zone — Optional
  • IP Address — 10.0.20.1/24
  • DHCP Server Address Pool — 10.0.20.10 to 10.0.20.100
  • Apply firewall policies to intra-VLAN traffic — Enabled
2. Configure a VLAN interface on the first AP device.
For example, the first VLAN interface could have these properties:
  • Interface Name — AP100-1
  • Interface Type — VLAN
  • Send and receive untagged traffic for VLAN AP100-Guest (10.0.20.1/24)
3. Configure a VLAN interface on the second AP device.
For example, the second VLAN interface could have these properties:
  • Interface Name — AP100-2
  • Interface Type — VLAN
  • Send and receive untagged traffic for VLAN AP100-Guest (10.0.20.1/24)
For more information about how to configure a VLAN, see Define a New VLAN.
Step 2 — Configure the SSID
Next, enable station isolation in the SSID settings.
1. Add or edit an SSID for your wireless guest network.
For this example, we named the SSID "AP100-Guest".
2. Select the Enable station isolation check box.
Because the AP100-Guest VLAN in this example is an untagged VLAN, you do not have to enable VLAN
tagging in the SSID settings.
For more information about SSID configuration, see Configure WatchGuard AP Device SSIDs.
Step 3 — Connect the AP Devices to the VLAN Interfaces
After you configure the VLAN interfaces and SSID settings:
1. Connect the AP devices to the VLAN interfaces.
2. Discover and pair each AP device.
3. Configure both AP devices to use the SSID you configured.
For more information about discovery and pairing, see WatchGuard AP Device Discovery and Pairing.
About This Example
This configuration example prevents direct wireless traffic between wireless clients that connect to the
AP100-Guest SSID. The two main components of this configuration are:
• Station isolation — The station isolation setting in the SSID makes sure that wireless clients
that connect to the same radio cannot connect directly to each other.
• VLAN — The firewall and VLAN configuration make sure that traffic cannot pass between
wireless clients that connect to the AP100-Guest SSID on different AP devices.
This example shows how to configure station isolation for two AP devices. To add a third AP device,
configure another VLAN interface to handle untagged VLAN traffic for the defined VLAN. Then,
connect the AP device to that VLAN interface and configure it to use the defined SSID.
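As an added illustration of the reasoning in this section and in About AP Station Isolation (a constructed model, not WatchGuard code), the function below classifies which mechanism, if any, stops direct traffic between two clients of the AP100-Guest SSID. The Deployment fields, the AP-to-interface mapping and the two "bypass" rules marked as modelling assumptions are this example's own; the zone, VLAN and station isolation behaviour follow the guide.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Client:
    ap: str      # AP device the client is associated with, e.g. "AP100-1"
    radio: int   # radio on that AP device (only dual-radio models have more than one)
    ssid: str


@dataclass
class Policy:
    from_zone: str
    to_zone: str
    action: str  # "Allow" or "Deny"


@dataclass
class Deployment:
    ssid: str
    station_isolation: bool               # "Enable station isolation" in the SSID settings
    vlan_zone: str                        # security zone of the VLAN, e.g. "Optional"
    intra_vlan_policies: bool             # "Apply firewall policies to intra-VLAN traffic"
    ap_on_xtm_interface: Dict[str, bool]  # AP -> cabled directly to its own XTM VLAN interface
    policies: List[Policy] = field(default_factory=list)


def firewall_decision(dep: Deployment, from_zone: str, to_zone: str) -> str:
    """First matching policy decides; traffic that matches no policy is denied as an
    unhandled packet by default packet handling."""
    for p in dep.policies:
        if p.from_zone == from_zone and p.to_zone == to_zone:
            return p.action
    return "Deny"


def direct_traffic(dep: Deployment, a: Client, b: Client) -> str:
    """Return a short verdict on direct traffic between two clients of the guest SSID."""
    if a.ssid != dep.ssid or b.ssid != dep.ssid:
        raise ValueError("both clients must be on the modelled SSID")
    if a.ap == b.ap:
        if a.radio == b.radio:
            # Station isolation acts only within one SSID on one radio.
            if dep.station_isolation:
                return "blocked by station isolation"
            return "allowed: same radio, station isolation off"
        # Guide: isolation does not cover clients on different radios of the same AP.
        return "allowed: different radios on one AP, outside station isolation"
    # Different AP devices. Modelling assumption: only APs cabled to their own XTM
    # VLAN interface force inter-AP traffic through the XTM device.
    if not (dep.ap_on_xtm_interface.get(a.ap) and dep.ap_on_xtm_interface.get(b.ap)):
        return "allowed: inter-AP traffic bypasses the XTM device"
    # Modelling assumption: without intra-VLAN policy enforcement, VLAN traffic between
    # two interfaces is forwarded without a policy lookup.
    if not dep.intra_vlan_policies:
        return "allowed: intra-VLAN traffic not subject to policies"
    decision = firewall_decision(dep, dep.vlan_zone, dep.vlan_zone)
    if decision == "Deny":
        return "blocked by XTM device (unhandled packet)"
    return f"allowed: {dep.vlan_zone}-to-{dep.vlan_zone} policy permits it"


def guide_example(extra_policies: Tuple[Policy, ...] = ()) -> Deployment:
    """The AP100-Guest design from this section: station isolation on, VLAN in the
    Optional zone with intra-VLAN policies, both APs on their own VLAN interface."""
    return Deployment(
        ssid="AP100-Guest", station_isolation=True, vlan_zone="Optional",
        intra_vlan_policies=True,
        ap_on_xtm_interface={"AP100-1": True, "AP100-2": True},
        policies=list(extra_policies),
    )


def audit(dep: Deployment) -> Dict[str, str]:
    """Evaluate the client pairs the section discusses (clients are constructed)."""
    c1 = Client("AP100-1", 0, dep.ssid)
    c2 = Client("AP100-1", 0, dep.ssid)
    c3 = Client("AP100-1", 1, dep.ssid)
    c4 = Client("AP100-2", 0, dep.ssid)
    return {
        "same AP, same radio": direct_traffic(dep, c1, c2),
        "same AP, other radio (dual-radio model)": direct_traffic(dep, c1, c3),
        "different AP devices": direct_traffic(dep, c1, c4),
    }


if __name__ == "__main__":
    for case, verdict in audit(guide_example()).items():
        print(f"{case}: {verdict}")
    # The misconfiguration the guide warns about: an Optional-to-Optional allow policy.
    weakened = guide_example((Policy("Optional", "Optional", "Allow"),))
    print("with Optional->Optional allow:", audit(weakened)["different AP devices"])
```

Running the audit against the weakened deployment shows how a single Optional-to-Optional allow policy reopens the path between clients on different AP devices while station isolation on a single radio is unaffected.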
About AP Device Activation
You must activate your WatchGuard AP device to start your LiveSecurity subscription. The
WatchGuard LiveSecurity subscription activates your hardware replacement warranty, enables you to
receive technical support, and provides access to the latest OS updates and product news.
Your AP device can be activated automatically or you can activate it manually.
Automatic Activation
After you pair a WatchGuard AP device with an XTM device, the XTM device automatically connects
to the WatchGuard web site and sends the information necessary to activate the AP device on the
same WatchGuard account where the XTM device was activated.
If automatic activation fails, the XTM device periodically tries to activate again. The activation status
of your AP device does not affect the functionality of the AP device.
To check the activation status of your AP device, log in to your WatchGuard account on the
WatchGuard web site. Your activated AP devices appear in the My Products list in your WatchGuard
account.
Manual Activation
If your AP device has not been activated automatically and you want to activate it manually, you can
activate the AP device in your WatchGuard account just as you would activate an XTM device or add-on
feature.
To manually activate your WatchGuard AP device:
1. Open a web browser and go to http://www.watchguard.com/.
2. Log in with your WatchGuard account user name and password.
3. On the Support Home tab, click Activate a Product.
The Activate Products page appears.
4. Type the serial number of the WatchGuard AP device. Make sure to include any hyphens.
5. Click Continue.
6. Follow any remaining prompts to complete activation of your AP device.
After activation is complete, the AP device appears in the My Products list in your WatchGuard
account.
About AP Device Passphrases
Each WatchGuard AP device has a passphrase that is used for management connections to the
device. There are two passphrase settings in the Gateway Wireless Controller: the Pairing Passphrase
and the WatchGuard AP Passphrase.
Pairing Passphrase
The Pairing Passphrase is used for the initial pairing of the AP device with your XTM device. The
Pairing Passphrase set on the Gateway Wireless Controller must match the passphrase set on the
AP device. By default, the passphrase on an unpaired AP device is wgwap.
In the Gateway Wireless Controller, you must type the Pairing Passphrase:
• When you click Pair to pair an unpaired AP device to an XTM device.
• When you click Add to manually add an AP device configuration to the XTM device.
Unless you have connected to the AP device with the Access Point web UI and changed the
AP device passphrase, the Pairing Passphrase is always the AP default passphrase, wgwap. If you
changed the passphrase on the AP device, type that passphrase in the Pairing Passphrase dialog box
when you pair the device.
If you type the wrong Pairing Passphrase when you try to pair the AP device and pairing fails, you can
change the Pairing Passphrase in the AP device settings. For more information, see Configure
AP Device Settings.
WatchGuard AP Passphrase
The WatchGuard AP passphrase is used for management connections to a WatchGuard AP device
after it has been paired with an XTM device. The Gateway Wireless Controller on the XTM device uses
the WatchGuard AP Passphrase when it connects to any paired AP device. The WatchGuard
AP passphrase is also the passphrase you use to log into the Access Point web UI of a paired AP
device.
When you enable the Gateway Wireless Controller on the XTM device, you set the WatchGuard
AP passphrase. You can also change this passphrase in the Gateway Wireless Controller Settings
dialog box. For more information, see Configure Gateway Wireless Controller Settings.
Passphrases and Pairing
Although you configure two passphrases in the Gateway Wireless Controller settings, you use only
one passphrase for the AP device. The passphrase you use depends on the state of the AP device.
• For an unpaired AP device, use the default passphrase, wgwap, unless you change it in the
Access Point web UI.
• For a paired AP device, use the WatchGuard AP passphrase that you configured in the
Gateway Wireless Controller settings.
When you first pair an AP device with an XTM device, the XTM device uses the Pairing Passphrase to
log in to the AP device. When the XTM device sends the AP device configuration to the paired AP
device, it changes the passphrase on the AP device from the Pairing Passphrase to the WatchGuard
AP passphrase configured in the Gateway Wireless Controller settings.
When you unpair an AP device from an XTM device, the XTM device resets the AP device to the
factory default settings. This changes the passphrase on the AP device to the default AP passphrase,
wgwap.
When the Gateway Wireless Controller connects to a paired AP device, it can use one of three
passphrases to log in. This makes the communication between the two devices more resilient, and
allows the AP device to automatically pair with the XTM device if the AP device is reset.
1. By default, the Gateway Wireless Controller uses the WatchGuard AP passphrase to log in to
the AP device.
2. If it cannot successfully log in with the WatchGuard AP passphrase, it tries the passphrase
used for the last successful connection to this AP device.
3. If it cannot successfully log in with the last used passphrase, it tries to log in with the Pairing
Passphrase.
If the XTM device uses anything other than the WatchGuard AP passphrase to log in, it resets the
passphrase on the AP device to the WatchGuard AP passphrase. If the XTM device cannot log in to a
paired AP device, the AP device status changes to Passphrase Mismatch.
Resolve a Passphrase Mismatch
The status of the AP device appears in Firebox System Manager on the Gateway Wireless
Controller tab.
If the AP device status is Passphrase Mismatch, the Pairing Passphrase in the Gateway Wireless
Controller settings does not match the passphrase on the AP device.
To resolve a passphrase mismatch, if you know the passphrase on the AP device, change the Pairing
Passphrase in the AP device configuration on the Gateway Wireless Controller. For more information,
see Configure AP Device Settings.
If you do not know the passphrase on the AP device, to resolve a passphrase mismatch:
1. If the device is paired in the Gateway Wireless Controller, remove it from the list of paired AP
devices.
For more information, see Unpair an AP Device.
2. Press the reset button on the AP device to reset it to factory default settings.
For more information, see Reset the WatchGuard AP Device.
3. Discover and pair the AP device again. Use the default Pairing Passphrase, wgwap.
For more information, see WatchGuard AP Device Discovery and Pairing.
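As an added example covering Passphrases and Pairing and Resolve a Passphrase Mismatch (a constructed simulation, not WatchGuard software), the classes below model the passphrase transitions the guide describes: the wgwap default, the switch to the WatchGuard AP Passphrase at pairing, the three-step login fallback, and recovery after a reset. The class and method names, the status strings and the passphrase values are this example's own.

```python
from dataclasses import dataclass, field
from typing import List, Optional

DEFAULT_PASSPHRASE = "wgwap"  # factory default on an unpaired AP device (from the guide)


@dataclass
class AccessPoint:
    """An AP device holds exactly one management passphrase at a time."""
    passphrase: str = DEFAULT_PASSPHRASE

    def login(self, candidate: str) -> bool:
        return candidate == self.passphrase

    def factory_reset(self) -> None:
        """Reset button: factory defaults, passphrase back to wgwap."""
        self.passphrase = DEFAULT_PASSPHRASE

    def set_passphrase_via_web_ui(self, new_passphrase: str) -> None:
        """Passphrase changed directly in the Access Point web UI."""
        self.passphrase = new_passphrase


@dataclass
class GatewayWirelessController:
    """XTM-side controller state for one AP device (names are this example's own)."""
    ap_passphrase: str                            # WatchGuard AP Passphrase
    pairing_passphrase: str = DEFAULT_PASSPHRASE  # Pairing Passphrase for this AP device
    last_successful: Optional[str] = None         # passphrase of the last good connection
    status: str = "Unpaired"
    attempts: List[str] = field(default_factory=list)  # order of passphrases tried

    def pair(self, ap: AccessPoint) -> bool:
        """Initial pairing: log in with the Pairing Passphrase, then push the configuration,
        which replaces the AP passphrase with the WatchGuard AP Passphrase."""
        self.attempts = ["pairing"]
        if not ap.login(self.pairing_passphrase):
            self.status = "Passphrase Mismatch"
            return False
        ap.passphrase = self.ap_passphrase
        self.last_successful = self.ap_passphrase
        self.status = "Paired"
        return True

    def connect(self, ap: AccessPoint) -> bool:
        """Management connection in the guide's fallback order: WatchGuard AP Passphrase,
        then the last successful passphrase, then the Pairing Passphrase."""
        order = [("watchguard-ap", self.ap_passphrase)]
        if self.last_successful is not None:
            order.append(("last-successful", self.last_successful))
        order.append(("pairing", self.pairing_passphrase))
        self.attempts = []
        for label, candidate in order:
            self.attempts.append(label)
            if ap.login(candidate):
                # A login with anything other than the WatchGuard AP Passphrase resets
                # the passphrase on the AP device to the WatchGuard AP Passphrase.
                if candidate != self.ap_passphrase:
                    ap.passphrase = self.ap_passphrase
                self.last_successful = candidate
                self.status = "Paired"
                return True
        self.status = "Passphrase Mismatch"
        return False

    def remove_paired(self) -> None:
        """Step 1 of the mismatch procedure: remove the AP from the paired list."""
        self.last_successful = None
        self.status = "Unpaired"


def scenario_reset_recovery() -> dict:
    """Pair, then the AP reset button is pressed. The controller recovers on its own
    because the Pairing Passphrase still matches the factory default."""
    ap = AccessPoint()
    gwc = GatewayWirelessController(ap_passphrase="Mgmt-Passphrase-Example")  # constructed
    paired = gwc.pair(ap)
    after_pair = ap.passphrase
    ap.factory_reset()
    recovered = gwc.connect(ap)
    return {"paired": paired, "after_pair": after_pair, "recovered": recovered,
            "attempts": list(gwc.attempts), "ap_passphrase_now": ap.passphrase}


def scenario_mismatch_and_resolve() -> dict:
    """Passphrase changed in the AP web UI to a value the controller does not know: the
    status becomes Passphrase Mismatch; resolve with remove, reset button, re-pair."""
    ap = AccessPoint()
    gwc = GatewayWirelessController(ap_passphrase="Mgmt-Passphrase-Example")  # constructed
    gwc.pair(ap)
    ap.set_passphrase_via_web_ui("changed-out-of-band")  # constructed value
    gwc.connect(ap)
    status_before = gwc.status
    gwc.remove_paired()       # 1. remove the AP from the list of paired devices
    ap.factory_reset()        # 2. press the reset button: passphrase is wgwap again
    repaired = gwc.pair(ap)   # 3. discover and pair again with the default wgwap
    return {"status_before": status_before, "repaired": repaired, "status_after": gwc.status}
```

The first scenario shows why a reset AP re-pairs without intervention (the third fallback step succeeds and the controller immediately restores the WatchGuard AP Passphrase); the second shows that a passphrase changed out of band is the one case the fallback cannot recover from.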
Configure AP Devices in the Gateway Wireless
Controller
To discover and manage the WatchGuard AP devices you add to your network, use the Gateway
Wireless Controller on your XTM device.
The Gateway Wireless Controller on your XTM device enables you to:
• Pair WatchGuard AP devices on your network with your XTM device
• Configure SSIDs and WatchGuard AP device settings
• Monitor the paired AP devices and wireless client connections
• Initiate a site survey from the WatchGuard AP device to detect other wireless access points
Enable the Gateway Wireless Controller
Before your XTM device can discover new WatchGuard AP devices on your network, you must enable
the Gateway Wireless Controller on your XTM device and save the configuration file to your XTM
device.
To enable the Gateway Wireless Controller:
1. Select Network > Gateway Wireless Controller.
The Gateway Wireless Controller dialog box appears.
2. Select the Enable the Gateway Wireless Controller check box.
A Policy Manager warning appears.
3. Click OK.
The WatchGuard AP Passphrase dialog box appears.
4. In the WatchGuard AP Passphrase text box, type the passphrase to use for management of
your WatchGuard AP devices after they are paired with your XTM device.
This is the passphrase that is used for management connections to each paired AP device.
5. Save the configuration file to the XTM device.
When you enable the Gateway Wireless Controller, the WatchGuard Gateway Wireless Controller
policy is automatically added to the XTM device configuration. This policy allows traffic from the
trusted and optional networks to the XTM device over UDP port 2529.
After you enable the Gateway Wireless Controller on the XTM device, the XTM device can detect
connected WatchGuard AP devices on your trusted or optional network.
The AP device can also be located on the custom zone network (XTM v11.9 and
higher). To allow the Gateway Wireless Controller to discover an AP device on a
custom zone network, you must modify the WatchGuard Gateway Wireless
Controller policy to allow traffic from the custom zone. For more information on the
custom zone, see Configure a Custom Interface.
For more information, see:
• WatchGuard AP Device Discovery and Pairing
• Configure WatchGuard AP Device SSIDs
• Configure AP Device Settings
• Configure Gateway Wireless Controller Settings
Set the Diagnostic Log Level
To generate more detailed log messages for the Gateway Wireless Controller, you can change the
diagnostic log level setting.
To set the diagnostic log level for the Gateway Wireless Controller:
1. Select Setup > Logging.
2. Click Diagnostic Log Level.
3. From the category list, select Networking > GWC.
4. Use the Settings slider to select the level of log message detail.
For more information about diagnostic logging, see Set the Diagnostic Log Level on page 1204.
Configure WatchGuard AP Device SSIDs
Before you can assign an SSID to a WatchGuard AP device, you must add the SSID to the Gateway
Wireless Controller. You can also enable VLAN tagging on each SSID. If you enable VLAN tagging,
the SSID uses the VLAN ID you specify to connect to a VLAN that is configured on the network
between your AP device and XTM device.
For more information about when and how to use VLAN tagging with your AP device, see Configure
VLANs for WatchGuard AP Devices.
Add an SSID
To add an SSID for your AP devices:
1. Select Network > Gateway Wireless Controller.
The Gateway Wireless Controller dialog box appears, with the SSID tab selected.
2. Click Add.
The Add SSID dialog box appears.
3. In the Network Name (SSID) text box, type the SSID name.
4. To specify that your AP devices do not broadcast the SSID name, clear the Broadcast SSID
and respond to SSID queries check box.
5. To specify that wireless clients connected to this SSID cannot send traffic to each other
through the AP device, select the Enable station isolation check box. For more information,
see About AP Station Isolation.
6. To use the MAC Access Control list for your AP devices, select the Use the MAC Access
Control list defined in the Gateway Wireless Controller Settings check box. For more
information, see Configure MAC Access Control on page 429.
7. To use tagged VLANs to separate the traffic between multiple SSIDs, select the Enable
VLAN tagging check box.
8. If you enabled VLAN tagging, in the VLAN ID text box, type or select the ID of the tagged
VLAN to use for this SSID.
If you enable VLAN tagging and try to configure an SSID to use a VLAN ID that is not
configured on the XTM device, a warning message appears with the information that
the VLAN ID you configured in the SSID settings does not exist on the XTM device.
Make sure you configure a tagged VLAN for this SSID. In most network
configurations, you create the tagged VLAN for each SSID on the XTM device, and
one untagged VLAN for management connections to the AP device.
Add AP Device Radios
When you add an SSID, you can assign the SSID to one or more AP device radios. For AP200
devices, which have two radios, you select each radio separately.
To assign an SSID to an AP device radio:
In the Access Points with this SSID list, select the check boxes next to each AP device radio
that you want to use this SSID.
You can also assign SSIDs to an AP device radio when you edit the AP device radio settings. For more
information, see Configure AP Device Radio Settings.
Configure Security Settings
To configure the wireless security settings for the SSID:
1. Select the Security tab.
2. From the Security Mode drop-down list, select the security protocol to use for this SSID.
3. Complete the settings to configure the selected security protocol.
Configure SSID Security Settings
When you add an SSID, you can configure security settings that determine how wireless clients must
connect to your AP devices. The wireless security mode is set to Disabled by default. In this mode,
the SSID operates as an open wireless network.
WatchGuard AP devices use two security protocol standards to protect your wireless network: WPA
(Wi-Fi Protected Access) and WPA2. Each protocol standard can encrypt the transmissions on the
wireless LAN between the computers and the AP devices. They also can prevent unauthorized access
to the WatchGuard AP device.
To protect privacy, you can use these features together with other LAN security mechanisms such as
password protection, VPN tunnels, and user authentication.
WPA and WPA2 with Pre-Shared Keys
The WPA (PSK) and WPA2 (PSK) Wi-Fi Protected Access methods use pre-shared keys for
authentication. When you choose one of these methods, you configure a pre-shared key that all
wireless devices must use to authenticate to the AP device.
AP devices support three wireless authentication settings that use pre-shared keys:
• WPA only (PSK) — The AP device accepts connections from wireless devices configured to use WPA with pre-shared keys.
• WPA2 only (PSK) — The AP device accepts connections from wireless devices configured to use WPA2 with pre-shared keys. WPA2 implements the full 802.11i standard; it does not work with some older wireless network cards.
• WPA/WPA2 (PSK) — The AP device accepts connections from wireless devices configured to use WPA or WPA2 with pre-shared keys.
To configure an AP device SSID to use WPA or WPA2 with pre-shared keys:
1. In the Edit SSID or Add SSID dialog box, select the Security tab.
2. From the Security Mode drop-down list, select WPA (PSK), WPA2 (PSK) or WPA/WPA2
(PSK).
3. From the Encryption drop-down list, select an encryption method:
• TKIP — Use only TKIP (Temporal Key Integrity Protocol) for encryption.
• AES — Use only AES (Advanced Encryption Standard) for encryption.
• TKIP or AES — Use either TKIP or AES.
We recommend that you select TKIP or AES. This allows the AP device to accept
connections from wireless clients configured to use TKIP or AES encryption. For 802.11n
wireless clients, we recommend you configure the wireless client to use AES encryption.
4. (Optional) In the Group Key Update Interval text box, type or select the WPA group key
update interval.
We recommend you use the default setting of 3600 seconds.
5. In the Passphrase text box, type the passphrase that wireless clients must use to connect to
this SSID.
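With WPA (PSK) and WPA2 (PSK), every client derives the same Pairwise Master Key (PMK) from the passphrase and the SSID, which is why the guide describes the Enterprise modes as more secure. The following Python example is added here to show that derivation; it is not code from the WatchGuard guide or from the AP device. It uses the passphrase-to-PSK mapping defined in IEEE 802.11i (PBKDF2-HMAC-SHA1, 4096 rounds, 32-byte output) and the standard's own published test vectors; the SSID names in the constructed example at the end are made up.

```python
import hashlib
import hmac

# IEEE 802.11i passphrase-to-PSK mapping: the passphrase is 8 to 63 printable
# ASCII characters, and PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32).
PBKDF2_ROUNDS = 4096
PMK_LEN = 32


def check_passphrase(passphrase: str) -> None:
    """Reject a passphrase that falls outside the 802.11i constraints."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must consist of printable ASCII characters")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit PMK shared by every client of this SSID."""
    check_passphrase(passphrase)
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), PBKDF2_ROUNDS, PMK_LEN
    )


def same_pmk(a: bytes, b: bytes) -> bool:
    """Constant-time comparison of two PMKs."""
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    # Published 802.11i test vector: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
    # Constructed example: the same passphrase on two SSIDs yields unrelated PMKs,
    # because the SSID is the PBKDF2 salt.
    guest = derive_pmk("correct horse battery", "Guest-WiFi")   # constructed SSID
    corp = derive_pmk("correct horse battery", "Corp-WiFi")     # constructed SSID
    print(same_pmk(guest, corp))
```

Because the PMK depends only on the passphrase and the SSID, changing the passphrase is the only way to revoke access for a client that once knew it; the Group Key Update Interval rotates the broadcast key but does not change the PMK.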
WPA and WPA2 with Enterprise Authentication
The WPA Enterprise and WPA2 Enterprise authentication methods use the IEEE 802.1X standard for
network authentication. These authentication methods use the EAP (Extensible Authentication
Protocol) framework to enable user authentication to an external RADIUS authentication server. The
WPA Enterprise and WPA2 Enterprise authentication methods are more secure than WPA/WPA2
(PSK) because users authenticate with their own credentials instead of a shared key.
To use the Enterprise authentication methods, you must configure an external RADIUS authentication
server.
WatchGuard AP devices support three WPA and WPA2 Enterprise wireless authentication methods:
• WPA Enterprise — The AP device accepts connections from wireless devices configured to use WPA Enterprise authentication.
• WPA2 Enterprise — The AP device accepts connections from wireless devices configured to use WPA2 Enterprise authentication. WPA2 implements the full 802.11i standard; it does not work with some older wireless network cards.
• WPA/WPA2 Enterprise — The AP device accepts connections from wireless devices configured to use WPA Enterprise or WPA2 Enterprise authentication.
To configure an AP device SSID to use WPA or WPA2 with enterprise authentication:
1. In the Edit SSID or Add SSID dialog box, select the Security tab.
2. From the Security Mode drop-down list, select WPA Enterprise, WPA2 Enterprise or
WPA/WPA2 Enterprise.
3. From the Encryption drop-down list, select an encryption method:
• TKIP — Use only TKIP (Temporal Key Integrity Protocol) for encryption.
• AES — Use only AES (Advanced Encryption Standard) for encryption.
• TKIP or AES — Use either TKIP or AES.
We recommend that you select TKIP or AES. This allows the AP device to accept
connections from wireless clients configured to use TKIP or AES encryption. For 802.11n
wireless clients, we recommend you configure the wireless client to use AES encryption.
4. (Optional) In the Group Key Update Interval text box, set the WPA group key update interval.
We recommend you use the default setting of 3600 seconds.
5. In the RADIUS Server text box, type the IP address of the RADIUS server.
6. In the RADIUS Port text box, make sure that the port number the RADIUS server uses for
authentication is correct.
The default port number is 1812. Some older RADIUS servers use port 1645.
7. In the RADIUS Secret text box, type the shared secret between the AP device and the
RADIUS server.
The shared secret is case-sensitive, and it must be the same in the SSID configuration as it is
on the RADIUS server.
If you have a RADIUS accounting server, you can enable RADIUS Accounting:
1. Select the Enable RADIUS Accounting check box.
2. In the RADIUS Accounting Server text box, type the IP address of the RADIUS accounting
server.
3. In the RADIUS Accounting Port text box, make sure that the port number the
RADIUS accounting server uses is correct.
The default port number is 1813.
4. In the RADIUS Accounting Secret text box, type the shared secret between the AP device
and the RADIUS accounting server.
5. In the Interim Accounting Interval text box, set the interim accounting interval.
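The RADIUS Secret must match exactly, including case, because the RADIUS server uses it to compute the Response Authenticator in every Access-Accept or Access-Reject, and the AP device recomputes the same MD5 value to verify the reply (RFC 2865). The following Python example is added here to illustrate that check; it is not code from the WatchGuard guide or from the AP device firmware. The packet layout and the authenticator formula are those of RFC 2865; the identifier, request authenticator, attribute and secret values are constructed for the example.

```python
import hashlib
import hmac
import struct

# RFC 2865 packet codes and attribute types used below.
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_SESSION_TIMEOUT = 27
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length (including header), value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_response(code: int, identifier: int, request_authenticator: bytes,
                   attributes: list, secret: str) -> bytes:
    """Build a server reply. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    digest = hashlib.md5(header + request_authenticator + body + secret.encode()).digest()
    return header + digest + body


def verify_response(packet: bytes, request_authenticator: bytes, secret: str) -> bool:
    """What the client (here the AP device) does with a reply: recompute the
    authenticator with its own copy of the secret and compare in constant time."""
    if len(packet) < HEADER_LEN:
        return False
    header, received, body = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    _code, _identifier, length = struct.unpack("!BBH", header)
    if length != len(packet):
        return False
    expected = hashlib.md5(header + request_authenticator + body + secret.encode()).digest()
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    # Constructed values: a fixed 16-byte request authenticator and a sample secret.
    req_auth = bytes(range(16))
    secret = "Sup3rSecret"
    accept = build_response(
        ACCESS_ACCEPT, 7, req_auth,
        [encode_attribute(ATTR_SESSION_TIMEOUT, (3600).to_bytes(4, "big"))], secret,
    )
    print(verify_response(accept, req_auth, secret))        # matching secret
    print(verify_response(accept, req_auth, "sup3rsecret"))  # case differs: rejected
```

A reply that fails this check is silently discarded by the client, so a secret that differs only in case shows up as authentication timeouts rather than as an explicit error; the RADIUS server's own log is the place to confirm that it did send a response.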
WatchGuard AP Device Discovery and Pairing
For the Gateway Wireless Controller on your XTM device to control a WatchGuard AP device, the AP
device and the XTM device must be paired. For pairing to occur, you must first enable the Gateway
Wireless Controller on the XTM device. When the Gateway Wireless Controller is enabled, the
XTM device sends a discovery broadcast message to the trusted and optional networks.
The AP device can also be located on the custom zone network (XTM v11.9 and
higher). To allow the Gateway Wireless Controller to discover an AP device on a
custom zone network, you must modify the WatchGuard Gateway Wireless
Controller policy to allow traffic from the custom zone. For more information on the
custom zone, see Configure a Custom Interface.
After you connect a new AP device to your trusted or optional network, the AP device receives the
broadcast message and sends a response. When the XTM device receives a response from an
unpaired AP device, the discovered AP device appears in the Unpaired Access Points list in the
Gateway Wireless Controller.
An AP device discovered by the XTM device is not automatically paired with the XTM device. You
must pair the AP device with the XTM device in the Gateway Access Controller. This step makes sure
no one can add an unauthorized AP device to your network. The AP device only accepts configuration
information from the XTM device it is paired with.
After the first time you pair a new AP device with an XTM device, the XTM device attempts to
automatically activate the XTM device on your account on the WatchGuard web site. For more
information, see About AP Device Activation.
Connect the AP Device
Before you can pair the AP device with the XTM device, you must connect it to a trusted or optional
network.
If you connect the AP device to a VLAN interface, make sure that you configure that interface to handle
untagged VLAN traffic. An unpaired AP device cannot accept tagged VLAN traffic.
The power LED on the AP device alternates from green to red when the device is unpaired.
By default, the AP device is configured to use DHCP to get an IP address. Make
sure that you enable the DHCP Server for the XTM device interface that connects to
the AP device, so that the AP device can get an IP address.
Pair the AP Device to the XTM Device
To pair an AP device with an XTM device:
1. Select Network > Gateway Wireless Controller.
The Gateway Wireless Controller dialog box appears.
2. Select the Access Points tab.
The list of AP devices that responded to the discovery broadcast appears in the Unpaired Access
Points list.
3. To start a scan for new, unpaired AP devices, click Refresh.
When an unpaired Access Point is found, it appears in the Unpaired Access Points list.
4. When the correct AP device appears, click Stop.
The scan for unpaired AP devices ends.
5. From the Unpaired Access Points list, select an AP device to pair with your XTM device.
6. Click Pair.
The Pairing Passphrase dialog box appears.
7. In the Pairing Passphrase text box, type the current passphrase configured on the AP device.
The default passphrase is wgwap.
For more information about the Pairing Passphrase, see About AP Device Passphrases.
8. Click OK.
The Edit Access Point dialog box appears.
9. Configure the AP device settings.
For more information, see Configure AP Device Settings.
10. Save the configuration file to the XTM device.
The XTM device sends the configuration to the AP device, and the SSIDs are activated on the
AP device.
When the AP device is paired, the power LED on the device will be green.
For information about how to monitor the status of your AP devices, see Monitor AP Device Status.
For information about how to unpair an AP device, see Unpair an AP Device.
If your AP device is correctly connected but cannot be discovered, it may be
necessary to reset the AP device to factory default settings. For more information,
see Reset the WatchGuard AP Device.
Configure AP Device Settings
From the Gateway Wireless Controller on your Firebox or XTM device, you can edit the settings for any
AP devices that are paired with the Firebox or XTM device. You can also manually add new AP
devices.
When you save an AP device configuration to the Firebox or XTM device, the device
immediately sends the update to the affected AP devices. While the update is in
progress, the AP device status briefly changes to Updating. The update process can
take up to a minute to complete. While the update is in progress, wireless services
might be interrupted on the AP device.
Edit an AP Device Configuration
When you pair an AP device with a Firebox or XTM device, you must configure the settings for the AP
device. Because some of the details about the AP device are automatically added to the AP device
configuration when it is paired, you edit the AP device settings to complete the initial configuration of
the AP device.
When you edit the AP device settings, you can change any of the settings except for the model and
serial number. The model and serial number are automatically set for paired AP devices and cannot be
edited.
There are two network settings you can select for an AP device:
DHCP
DHCP is the default selection.
Choose this option to configure the AP device to request a dynamically assigned IP address
from a DHCP server. If you choose this option, make sure that a DHCP server is configured on
the network that the AP device connects to. You can configure the XTM device as the DHCP
server when you configure the Firebox or XTM device interface that your AP device connects
to.
For a configuration example, see WatchGuard AP Device Deployment Examples.
Static
Select this option to assign the AP device a static IP address, subnet mask, and default
gateway. When you select Static, you must configure these settings:
• IP Address — The IP address to assign to the AP device
• IP Subnet Mask — The subnet mask
• Default Gateway — The IP address of the default gateway
By default, the AP device uses the syslog server settings you configure in the common settings in the
Gateway Access Controller. When you edit the settings for an AP device, you can configure the AP
device to use a different syslog server. For more information about the syslog server settings for the
Gateway Wireless Controller, see Configure Gateway Wireless Controller Settings.
To configure the settings for a paired AP device:
1. Select Network > Gateway Wireless Controller.
The Gateway Wireless Controller dialog box appears.
2. Select the Access Points tab.
The list of Access Points that you can configure appears in the Access Points list.
3. Select an AP device and click Edit.
The Edit Access Point dialog box appears.
4. (Optional) In the Name text box, type a new name for the AP device.
The default name is <AP device model number>_<AP device serial number>.
5. Adjacent to Network Settings, select an option to assign the AP device an IP address:
• DHCP
• Static
6. If you selected Static, type the IP Address, IP Subnet Mask, and Default Gateway for your
AP device.
7. (Optional) In the Location text box, type the location of the AP device on your network.
8. To override the Gateway Access Controller settings for syslog server logging:
a. Select the Send log messages to a syslog server check box.
b. In the Syslog server IP address text box, type the IP address of your syslog server.
9. To force your AP device to use outdoor wireless channels, select the Use Outdoor Channels
only check box.
This option is enabled by default for AP102 outdoor wireless devices.
10. To make sure your AP device does not use DFS (Dynamic Frequency Selection) channels in
the 5 GHz band in your region, select the Disable DFS Channels check box.
DFS channels are used with radar and your AP device will stop transmitting if radar signals are
detected on that channel.
11. To disable the LEDs on your AP device, select the Disable LEDs check box.
This option allows you to operate your AP device in stealth mode to hide the use of wireless
activity when the device is deployed in a location that requires additional security. For
information on how you can flash the power LED to help identify AP devices in stealth mode,
see Monitor AP Device Status.
12. To use a tagged VLAN for management connections to the AP device:
a. Select the Enable Management VLAN Tagging check box.
b. In the Management VLAN ID text box, type the VLAN ID you want to use for
management. This must be a VLAN that is configured to handle tagged traffic to the
interface your AP device connects to.
If you configure a management VLAN ID in both the Gateway Wireless Controller
settings and the AP device settings, the Firebox or XTM device uses the
management VLAN ID specified in the AP device settings.
13. In the Radio 1 Settings and Radio 2 Settings sections, configure the settings for each AP
device radio: band, wireless mode, channel, and SSID.
For more information, see Configure AP Device Radio Settings.
Manually Add an AP Device Configuration
The Gateway Wireless Controller uses a UDP broadcast to automatically discover connected AP
devices. The Gateway Wireless Controller cannot automatically discover an AP device located
somewhere on your network where it cannot receive the broadcast. In these types of deployments, you
can instead connect to the AP device to configure the network settings, and then add the AP device to
the Gateway Wireless Controller, with the same network settings. The Firebox or XTM device can then
connect to the AP device to pair with it.
Some examples of deployment scenarios where you must use manual configuration and
discovery are:
• The Firebox or XTM device and the AP device are separated by a Layer 3 switch or router
• The Firebox or XTM device and the AP device are separated by a Branch Office VPN
For the Firebox or XTM device to discover an AP device, the network between the
AP device and the Firebox or XTM device must include a route for the traffic between
the two devices.
To configure the network settings on the AP device, use the WatchGuard Access Point web UI. For
information, see Use the WatchGuard Access Point Web UI.
To manually add an AP device to the Gateway Wireless Controller:
1. In Policy Manager, select Network > Gateway Wireless Controller.
The Gateway Wireless Controller dialog box appears.
2. Select the Access Points tab.
3. Click Add.
The Pairing Passphrase dialog box appears.
4. In the Pairing Passphrase text box, type the passphrase configured on the AP device.
The default passphrase on an AP device is wgwap. If you changed the passphrase in the web
UI on the AP device, type that passphrase here.
For more information about the Pairing Passphrase, see About AP Device Passphrases.
5. Click OK.
The Add Access Point dialog box appears.
6. In the Name text box, type a name for this AP device.
7. In the Model drop-down list, select the AP device model.
8. In the Serial Number text box, type the serial number of the AP device.
9. Adjacent to Network Settings, select Static.
10. In the IP Address text box, type the static IP address you configured on the AP device.
11. In the IP Subnet Mask text box, type the subnet mask you configured on the AP device.
12. In the Default Gateway text box, type the default gateway IP address you configured on the AP
device.
13. Configure the other AP device settings as described in the previous section.
Change the Pairing Passphrase
When you initially add an AP device to your configuration, you set the Pairing Passphrase. This
passphrase is only used when you first pair the AP device with the XTM device. If the first Pairing
Passphrase you typed did not match the passphrase on the AP device, you can change the
passphrase the XTM device uses to pair with the AP device.
To change the Pairing Passphrase:
1. On the Access Points tab, select an AP device and click Edit.
The settings for the AP device appear.
2. Click Change Pairing Passphrase.
The Change Pairing Passphrase dialog box appears.
3. In the Pairing Passphrase text box, type the correct, current passphrase on the AP device.
The default passphrase for an AP device is wgwap.
4. To make the passphrase you type visible, select Show passphrase.
5. Click OK.
6. Save the configuration to the XTM device.
For more information about AP device passphrases, see About AP Device Passphrases.
Configure AP Device Radio Settings
When you configure your WatchGuard AP device, you specify the radio settings, which include the
band, wireless mode, channel, and SSID settings.
To configure the radio settings:
1. Select Network > Gateway Wireless Controller.
The Gateway Wireless Controller dialog box appears.
2. Select the Access Points tab.
The Access Points list appears.
3. Select an AP device and click Edit.
The Edit Access Point dialog box appears.
4. Configure the radio settings as described in the subsequent sections.
Set the Band and Wireless Mode
WatchGuard AP devices support two wireless bands, 2.4GHz and 5GHz. The 5GHz band provides
greater performance than the 2.4GHz band, but is not compatible with all wireless devices. When you
specify the band and mode in the radio settings, make sure to select the correct options for the
wireless cards in the wireless client devices that connect to the AP device.
The configuration options for each radio depend on the AP device model.
AP100 / AP102
The AP100 and AP102 have one radio, Radio 1. You can configure Radio 1 to use either the
2.4GHz or 5GHz band.
AP200
The AP200 has two single-band radios, Radio 1 and Radio 2.
• Radio 1 always uses the 2.4GHz band.
• Radio 2 always uses the 5GHz band.
You configure the settings for each radio separately.
The wireless modes available for each radio depend on the wireless band the radio uses.
The 2.4GHz band supports five wireless modes:
802.11 B/G/N Mixed
This is the default mode in the 2.4 GHz band. This mode enables the radio to connect with
devices that use 802.11n, 802.11g, or 802.11b.
802.11 B
This enables the radio to connect only with devices that use 802.11b.
802.11 B/G Mixed
This mode enables the radio to connect with devices that use 802.11b or 802.11g.
802.11 G
This enables the radio to connect only with devices that use 802.11g.
802.11 N only
This enables the radio to connect only with devices that use 802.11n.
The 5GHz band supports three wireless modes:
802.11 A/N Mixed
This is the default mode in the 5GHz band. This mode enables the radio to connect with devices
that use 802.11n or 802.11a.
802.11 A
This enables the radio to connect with devices that use 802.11a.
802.11 N only
This enables the radio to connect with devices that use 802.11n.
If you choose a wireless mode that supports mixed 802.11 standards, the overall
performance of the radio can decrease. This reduction in performance is caused in
part by the backward compatibility settings in mixed modes that enable devices with
slower modes to connect to the AP device radio.
Configure the Preferred Channel
When you first pair or add an AP device, the Preferred Channel is set to Auto, and each radio
automatically selects an available quiet channel in the band you have chosen.
The location of the AP device affects which channels an AP device radio can use.
You configure the location of your AP devices in the Gateway Wireless Controller
settings. For more information, see Configure Gateway Wireless Controller Settings.
When you edit an AP device configuration, you can set the preferred channel for each radio. The
available channels are determined based on the band, wireless mode, channel HT mode, and the
configured location of the AP device.
To set a preferred channel for an AP device radio, select a channel from the Preferred Channel drop-down list.
The AP device attempts to use the preferred channel you select. If there is some reason the preferred
channel cannot be used, the AP device automatically selects a different available channel in the
configured radio band.
If you change the country for your AP device or change the radio band, you might have to get the
Preferred Channel list from the AP device, so that the list includes the supported channels.
To update the Preferred Channel list:
1. In Policy Manager, select Network > Gateway Wireless Controller.
2. Select the Access Points tab.
3. Select the AP device and click Edit.
4. Click Update available AP channel list.
The Retrieve the available channel list dialog box appears.
5. Specify the user credentials for a user with Device Monitor privileges.
6. Save the configuration to the XTM device.
After you update the channel list, the list of available channels in the Preferred Channel drop-down list
is updated to match the channels supported by the AP device configuration.
Configure Channel Width Settings
You can configure each radio to use a 20 MHz or 40 MHz channel width. To set the channel width for
each radio, configure the Channel HT (High Throughput) Mode.
For each radio, select a setting for the Channel HT Mode:
20MHz
This mode sets the radio to use a 20MHz channel width. This is the default setting.
20/40MHz
This mode is available only when the Preferred Channel is set to Auto. This mode enables the
radio to use either a 20MHz or 40MHz channel width, based on the available channels.
40MHz
This mode sets the radio to use 40MHz channel width. This mode assumes that no other
802.11a/b/g access points use the same channel.
If you use a 40MHz channel mode, the Extension Channel controls whether the radio adds the extra
20MHz of channel width above or below the selected channel.
For each radio, select a setting for the Extension Channel:
Upper Channel
Adds the 20MHz channel width above the selected channel.
Lower Channel
Adds the 20MHz channel width below the selected channel.
Set the Data Transfer Rate
For each radio, you can optionally limit the speed at which wireless clients can send data. By default,
the data rate is set to Auto, which means that there is no limit.
To set the maximum data transfer rate, select a rate from the Rate drop-down list. The actual client
receive (download) rate will be slightly less than this value.
The available rates you can select depend on the wireless mode the radio uses. Rates that start with
MCS correspond to the MCS (Modulation and Coding Scheme) index values defined in the IEEE
802.11n-2009 standard.
Each MCS option has two associated rates:
• The first number is the maximum rate for 20 MHz Channel HT Mode.
• The second number is the maximum rate for 40 MHz Channel HT Mode.
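The two rates shown for each MCS option follow directly from the 802.11n-2009 definition of the MCS index: the modulation and coding rate come from the index, and the channel width sets the number of data subcarriers (52 at 20 MHz, 108 at 40 MHz). The following Python example is added here to compute those rates; it is not code from the WatchGuard guide, and it assumes the Rate drop-down list uses the standard MCS table, which the guide does not list. It covers MCS 0 to 31 (one to four spatial streams) and the optional short guard interval, which is more than the guide itself describes.

```python
from fractions import Fraction

# IEEE 802.11n-2009 equal-modulation MCS table. MCS 0-7 describe one spatial
# stream; MCS 8-15, 16-23 and 24-31 repeat the same eight modulation/coding
# pairs for two, three and four streams.
BITS_PER_SUBCARRIER = [1, 2, 2, 4, 4, 6, 6, 6]   # BPSK, QPSK, QPSK, 16-QAM x2, 64-QAM x3
CODING_RATE = [Fraction(1, 2), Fraction(1, 2), Fraction(3, 4), Fraction(1, 2),
               Fraction(3, 4), Fraction(2, 3), Fraction(3, 4), Fraction(5, 6)]
DATA_SUBCARRIERS = {20: 52, 40: 108}             # per channel width in MHz
SYMBOL_US = {False: Fraction(4), True: Fraction(36, 10)}  # 800 ns or 400 ns guard interval


def mcs_rate_mbps(mcs: int, width_mhz: int, short_gi: bool = False) -> float:
    """PHY data rate in Mbit/s for one MCS index, channel width and guard interval."""
    if not 0 <= mcs <= 31:
        raise ValueError("MCS index must be 0 to 31")
    if width_mhz not in DATA_SUBCARRIERS:
        raise ValueError("channel width must be 20 or 40 MHz")
    streams = mcs // 8 + 1
    idx = mcs % 8
    bits_per_symbol = (DATA_SUBCARRIERS[width_mhz] * BITS_PER_SUBCARRIER[idx]
                       * CODING_RATE[idx] * streams)
    return float(round(bits_per_symbol / SYMBOL_US[short_gi], 1))


def mcs_rate_pair(mcs: int) -> tuple:
    """The two numbers the guide describes: 20 MHz rate, then 40 MHz rate (800 ns GI)."""
    return (mcs_rate_mbps(mcs, 20), mcs_rate_mbps(mcs, 40))


if __name__ == "__main__":
    for mcs in range(8):
        print(f"MCS {mcs}: {mcs_rate_pair(mcs)}")
```

Setting a maximum rate below what clients can sustain is a coverage and capacity decision rather than a security control; clients that cannot reach the selected rate simply fail to associate at the expected speed.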
Set the Transmit Power Level
For each radio, you can optionally set the maximum transmit power to limit or expand the transmission
distance of your wireless signals. You can set the transmit power between 3dBm and 20dBm, or set the
value to Auto. The default (Auto) is 20dBm. The transmit power cannot exceed the regulatory limits set
by your region.
To set the transmit power:
From the TX Power drop-down list, select a value.
Select the SSIDs
Each radio can support up to eight SSIDs. You can use the same SSID for more than one radio on one
or more AP devices. You can add up to eight SSIDs to each radio.
To add a configured SSID to a radio:
In the SSID list, select the check box adjacent to each SSID you want the radio to use.
If the SSID you want to add is not yet configured, you can add this AP device radio to the SSID when
you add the SSID.
For more information, see Configure WatchGuard AP Device SSIDs.
Configure Gateway Wireless Controller Settings
The Gateway Wireless Controller includes some settings that apply to all AP devices. These global
settings include:
• WatchGuard AP Passphrase
• Firmware updates
• Syslog server settings
• Wireless Radio Region
• MAC Access Control
To configure the global Access Point settings on the Gateway Wireless Controller:
1. Select Network > Gateway Wireless Controller.
The Gateway Wireless Controller dialog box appears.
2. Click Settings.
The Settings dialog box appears.
3. Configure the global AP device settings as described in the subsequent sections.
4. Click OK.
5. Save the configuration file to your XTM device.
Change the WatchGuard AP Passphrase
The WatchGuard AP Passphrase is used for all WatchGuard AP devices after they are paired with
your XTM device. The Gateway Wireless Controller uses this passphrase to establish connections
between the XTM device and the paired AP devices. This is also the passphrase you use to log in to
the Access Point web UI of a paired AP device. You set the WatchGuard AP passphrase when you
enabled the Gateway Wireless Controller.
To change the WatchGuard AP passphrase:
1. In the WatchGuard AP Passphrase text box, type the passphrase to use for management of
all AP devices.
2. To make the passphrase you type visible, select Show passphrase.
Enable Automatic AP Device Firmware Updates
By default, the Gateway Access Controller is configured to automatically update the firmware on
WatchGuard AP devices when a new version is available. The XTM device receives AP device
firmware updates as part of a Fireware XTM OS update. If you update the Fireware XTM OS on your
XTM device, and that update contains new firmware for the AP devices, the default setting enables the
Gateway Wireless Controller to automatically update the firmware on all paired AP devices. If your
XTM device is paired to more than one AP device, the Gateway Wireless Controller automatically
updates the AP devices one at a time. The Gateway Wireless Controller updates one AP device every
five minutes.
To disable automatic firmware updates:
Clear the Automatically update WatchGuard AP firmware when a new version is
available on the XTM device check box.
If you disable automatic firmware updates, you can manually update the firmware for
each AP device. For more information, see Update AP Device Firmware.
Configure Syslog Settings
By default, each AP device automatically stores recent syslog log messages locally. You can see the
syslog messages stored on each AP device in Firebox System Manager. For more information about
how to see syslog messages for an AP device, see WatchGuard AP Device and Wireless Client
Connections (Gateway Wireless Controller) on page 1361.
You can also configure all your AP devices to send syslog messages to the same external syslog
server. When you configure the syslog server in the Gateway Wireless Controller settings, all paired
AP devices send syslog messages to the specified server.
Before you configure the Gateway Wireless Controller settings for an external syslog server, make
sure the syslog server you specify is set up and your AP devices can connect to the IP address of the
syslog server.
To configure your AP devices to send log messages to an external syslog server:
1. Select the Send WatchGuard AP log messages to a syslog server check box.
2. In the Syslog server IP address text box, type the IP address of the syslog server.
Enable Management VLAN Tagging
You can optionally use a tagged VLAN for management connections to the AP device. You can enable
VLAN tagging for each AP device in the configuration for each AP device, or you can enable it in the
Gateway Wireless Controller settings. If you want to use the same management VLAN ID for all paired
access points, it might be most convenient to set the VLAN ID in the Gateway Wireless Controller
settings.
If you enable management VLAN tagging in the Gateway Wireless Controller settings, you do not need
to enable management VLAN tagging for each AP device. The XTM device uses the management
VLAN ID specified in the Gateway Wireless Controller settings for management traffic to all
AP devices, if management VLAN tagging is not enabled in the AP device settings.
To enable management VLAN tagging for all AP devices:
1. Select the Enable Management VLAN Tagging check box.
2. In the Management VLAN ID text box, type the VLAN ID you want to use for management.
This must be a VLAN that is configured to handle tagged traffic to the interface your AP devices
connect to.
If you specify a management VLAN ID in the configuration settings for an AP device,
the XTM device uses the VLAN ID configured for the AP device instead of the
VLAN ID specified in the Gateway Wireless Controller settings.
Set the Wireless Radio Region
WatchGuard AP devices automatically select the best radio channel to use from the allowed channels
in the region where the device is located. To use the correct radio channels, you must select the
location of your AP devices. All AP devices managed by the same XTM device use the same wireless
radio region.
To set the wireless radio region:
From the Set the location of the WatchGuard AP devices drop-down list, select the country
where your AP devices are located.
Enable SSH Access
Secure SSH access to wireless AP devices is used by WatchGuard Technical Support to help
troubleshoot issues with the AP device. Enable this option only if requested by technical support.
To allow SSH access on all AP devices, select the Enable SSH access on all WatchGuard APs
check box.
Configure MAC Access Control
In the MAC Access Control section, you can configure a list of denied or allowed MAC addresses for
your AP devices.
To configure a list of denied or allowed MAC addresses for your AP devices:
From the Settings dialog box, select the MAC Access Control tab.
Configure MAC Access Control
You can configure the MAC access control lists to allow or deny wireless client connections based on
the MAC addresses of the client devices. You can configure a list of denied and allowed
MAC addresses in the Gateway Wireless Controller. Then, you can configure each SSID to use one of
these lists to control wireless client access to your network.
We recommend that you limit the total number of denied and allowed MAC addresses
to 50 addresses to avoid performance issues.
There are two types of MAC access control lists:
Denied MAC Addresses
To make sure certain wireless clients cannot connect to your AP device, you can add the MAC
addresses of those wireless clients to the Denied MAC Addresses list. If you configure an
SSID to use the Denied MAC Addresses list, any wireless clients with MAC addresses that
are on this list are not allowed to connect to that SSID.
Allowed MAC Addresses
To enable certain wireless clients to connect to your AP device, you can add the
MAC addresses of those wireless clients to the Allowed MAC Addresses list. If you configure
an SSID to use the Allowed MAC Addresses list, only wireless clients with MAC addresses
that are on this list can connect to that SSID.
Edit the MAC Access Control Lists
To configure the denied and allowed MAC address lists:
1. Select Network > Gateway Wireless Controller.
The Gateway Wireless Controller dialog box appears, with the SSIDs tab selected.
2. Click Settings.
The Settings dialog box appears, with the Access Point Settings tab selected.
3. Select the MAC Access Control tab.
To add denied MAC addresses:
1. In the Denied MAC Addresses section, click Add.
The Add a MAC Address dialog box appears.
2. In the MAC address text box, type the MAC address of a wireless client that you want to deny
access to your AP devices.
3. (Optional) In the Name text box, type a descriptive name to identify the wireless client in the
list.
4. Click OK.
The MAC address is added to the Denied MAC Addresses list.
To add allowed MAC addresses:
1. In the Allowed MAC Addresses list section, click Add.
2. In the MAC address text box, type the MAC address of a wireless client that you want to allow
access to your AP devices.
3. (Optional) In the Name text box, type a descriptive name to identify the wireless client in the
list.
4. Click OK.
The MAC address is added to the Allowed MAC Addresses list.
To edit a MAC address, select the MAC address in the list and click Edit.
To delete a MAC address from either list, select the MAC address and click Remove.
Enable an SSID to Use MAC Access Control
To configure an SSID to deny access based on the MAC Access Control settings, you must enable
MAC Access Control in the SSID settings.
From the Gateway Wireless Controller:
1. On the SSIDs tab, select an SSID.
2. Click Edit.
3. Select the Use the MAC Access Control list defined in the Gateway Wireless Controller
Settings check box.
4. From the drop-down list, select a list: Denied MAC Addresses or Allowed MAC Addresses.
5. Save the configuration file to the XTM device.
After you enable MAC Access Control for an SSID, the AP device uses the selected MAC Access
Control list to determine whether to allow wireless clients to connect to that SSID.
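As an added example (not WatchGuard code, and not how the AP firmware is implemented), this Python model applies the rules above for one SSID's list selection and normalizes MAC addresses so a client seen in one notation matches an entry typed in another; the MAC addresses and SSID names are constructed sample values.

```python
"""Model of the Gateway Wireless Controller MAC Access Control decision.

Added example, not WatchGuard code: it models the behaviour the guide
describes (one Denied list and one Allowed list on the controller, each
SSID using at most one of them) so the effect of a list choice can be
checked before the configuration is saved to the XTM device.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# The guide recommends at most 50 entries across both lists.
RECOMMENDED_MAX_ENTRIES = 50


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC address to lower-case, colon-separated form.

    Accepts 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 and
    001122334455, so a client noted in one format matches an entry typed
    in another. Raises ValueError for anything else.
    """
    digits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class MacAccessControl:
    """The controller-wide Denied and Allowed lists (MAC -> optional name).

    MAC addresses are visible on the air and can be changed on a client,
    so these lists are a convenience control, not authentication.
    """
    denied: Dict[str, str] = field(default_factory=dict)
    allowed: Dict[str, str] = field(default_factory=dict)

    def add_denied(self, mac: str, name: str = "") -> None:
        self.denied[normalize_mac(mac)] = name

    def add_allowed(self, mac: str, name: str = "") -> None:
        self.allowed[normalize_mac(mac)] = name

    def remove(self, mac: str) -> bool:
        """Remove a MAC from whichever list holds it; True if it was found."""
        key = normalize_mac(mac)
        found = False
        for entries in (self.denied, self.allowed):
            if entries.pop(key, None) is not None:
                found = True
        return found

    def total_entries(self) -> int:
        return len(self.denied) + len(self.allowed)

    def exceeds_recommendation(self) -> bool:
        return self.total_entries() > RECOMMENDED_MAX_ENTRIES


@dataclass
class Ssid:
    """An SSID and the list it uses: None (disabled), "denied" or "allowed"."""
    name: str
    mac_list: Optional[str] = None


def client_may_connect(acl: MacAccessControl, ssid: Ssid, client_mac: str) -> bool:
    """Apply the guide's rules to one association attempt on one SSID."""
    mac = normalize_mac(client_mac)
    if ssid.mac_list is None:
        return True                      # MAC Access Control not enabled for this SSID
    if ssid.mac_list == "denied":
        return mac not in acl.denied     # every client except the listed ones
    if ssid.mac_list == "allowed":
        return mac in acl.allowed        # only the listed clients
    raise ValueError(f"unknown list selection: {ssid.mac_list!r}")


def demo() -> Dict[str, bool]:
    """Constructed scenario: a guest SSID on the Denied list, a staff SSID on the Allowed list."""
    acl = MacAccessControl()
    acl.add_denied("00-11-22-33-44-55", "disconnected client")  # constructed sample MAC
    acl.add_allowed("aa:bb:cc:dd:ee:ff", "staff laptop")        # constructed sample MAC
    guest = Ssid("Guest", mac_list="denied")
    staff = Ssid("Staff", mac_list="allowed")
    return {
        "guest_denied_client": client_may_connect(acl, guest, "0011.2233.4455"),
        "guest_other_client": client_may_connect(acl, guest, "aa:bb:cc:dd:ee:ff"),
        "staff_listed_client": client_may_connect(acl, staff, "AA-BB-CC-DD-EE-FF"),
        "staff_unlisted_client": client_may_connect(acl, staff, "00:11:22:33:44:55"),
    }


if __name__ == "__main__":
    for case, permitted in demo().items():
        print(f"{case}: {'allowed' if permitted else 'blocked'}")
```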
Unpair an AP Device
To unpair a WatchGuard AP device from an XTM device, you remove the AP device from the Paired
Access Point list in the Gateway Wireless Controller. When you unpair an AP device, the AP device
restarts with factory default settings. The passphrase on the AP device is reset to wgwap.
To unpair an AP device from your XTM device:
1. Select Network > Gateway Wireless Controller.
2. Select the Access Points tab.
The list of paired Access Points appears in the list at the top of the Access Points tab.
3. From the Access Points list, select the AP device to unpair.
Use the Control and/or Shift keys to select multiple AP devices at the same time.
4. Click Remove.
The selected Access Points are removed from the configuration.
5. Save the configuration to the XTM device.
The XTM device resets the AP device to factory default settings.
After you unpair the AP device, it restarts with factory default settings. After the AP device restarts,
the Gateway Wireless Controller can discover it again as an unpaired AP device.
The power LED on the AP device alternates from green to red when the device is unpaired.
Monitor AP Device Status
From Firebox System Manager, you can monitor, reboot, and upgrade the WatchGuard AP devices
managed by your Firebox or XTM device.
1. Start Firebox System Manager for your XTM device.
2. Select the Gateway Wireless Controller tab.
The Gateway Wireless Controller Summary and Detail information appears.
3. Select the Access Points tab.
4. Monitor your AP devices as described in the subsequent sections.
See AP Connection Status and Uptime
In the Status column, you can see the status of each paired AP device.
• Online — The AP device is enabled and can communicate with the Firebox or XTM device.
• Offline — The AP device cannot be contacted by the Firebox or XTM device.
• Discovered — The AP device has been discovered by the Firebox or XTM device, but is not yet
online.
• Updating — An update to the AP device configuration is in progress.
• Passphrase Mismatch — The passphrase on the AP device does not match the passphrase
on the Gateway Wireless Controller.
For information about how to resolve a passphrase mismatch, see About AP Device
Passphrases.
In the Uptime column, you can see how long an AP device has been online.
For the Uptime to be correct, the Firebox or XTM device must have a policy that
allows NTP traffic from the AP device to the Internet. For more information, see
WatchGuard AP Device Requirements and Limitations.
See AP Radio Frequency and Channel
In the Radio1 and Radio2 columns, you can see the frequency, channel, and transmit power used by
each AP device radio. If available, secondary channel information is also displayed.
Each radio automatically selects a quiet channel in the band you have selected. The channel that the
radio uses is determined based on the band, wireless mode, channel HT mode, and on the country you
specify in the Gateway Wireless Controller settings.
For more information about radio settings, see Configure AP Device Radio Settings.
See the AP Activation Status
In the LiveSecurity column, you can see the activation status of each AP device.
• Activated — The AP device is activated.
• Not Activated — The AP device is not activated.
The XTM device automatically attempts to activate the AP device to start the LiveSecurity
subscription and hardware warranty.
For more information about activation, see About AP Device Activation.
See AP Device Network Statistics
In the Sent, Received, and Total columns, you can see the number of kilobytes of data sent and
received by each AP device since the last time it restarted.
The Network Statistics report shows a more detailed collection of raw network statistics information
from the selected AP device. This includes the Interface Statistics (names, MAC and/or IP addresses,
and traffic counters), the Routing Table, and the ARP Table for the AP device. This information can be
helpful when you troubleshoot.
To see network statistics for an AP device:
1. On the Access Points tab, select an AP device.
2. Click Network Statistics.
The Network Statistics dialog box appears with statistics for the selected AP device.
3. To update the statistics, click Refresh.
See Log Messages on an AP Device
By default, each WatchGuard AP device stores recent syslog log messages locally. If you configure
the AP device to send syslog messages to an external syslog server, the recent syslog messages are
also available on the AP device. You can see the syslog messages on each AP device in Firebox
System Manager, on the Gateway Wireless Controller tab.
To see syslog messages on the AP device:
1. On the Access Points tab, select an AP device.
2. Click Log Messages.
The Log Messages dialog box appears with log messages from the selected AP device.
3. To update the list of log messages, click Refresh.
4. To close the Log Messages dialog box, click Close.
For the time stamp in the log messages on the AP device to be correct, the Firebox or
XTM device must have a policy that allows NTP traffic from the AP device to the
Internet. For more information, see WatchGuard AP Device Requirements and
Limitations.
Flash the Power LED on the AP Device
You can flash the power LED on a specific AP device to help with identification. This utility is useful if
you use the Disable LEDs option to operate your AP device in stealth mode to hide the use of wireless
activity.
For more information on how to disable the LEDs on your AP device, see Configure AP Device
Settings.
To flash the power LED on your AP device:
1. On the Access Points tab, select an AP device.
2. Click Flash Power LED.
The power LED will flash green for several minutes.
3. Type the Firebox or XTM device configuration passphrase.
4. Click OK.
Restart Wireless on the AP Device
When you restart the wireless interfaces on your AP device, you do not have to reboot the device. This
is useful if you encounter wireless interference on the current wireless channel and want to use
auto-selection to switch to another channel.
To restart the wireless interfaces on your AP device:
1. On the Access Points tab, select an AP device.
2. Click Restart Wireless.
3. Type the XTM device configuration passphrase.
4. Click OK.
Reboot an AP Device
To reboot an AP device:
1. On the Access Points tab, select an AP device.
2. Click Reboot.
3. Type the XTM device configuration passphrase.
4. Click OK.
While the AP device reboots, Offline appears in the Status column for the AP device. When the
AP device reboot is complete, Online appears in the Status column.
Upgrade an AP Device
At the top of the Gateway Wireless Controller tab, the version of AP device firmware that is available
appears.
To upgrade the firmware on an AP device to the currently available version:
1. On the Access Points tab, select an AP device.
2. Click Upgrade.
3. Type the XTM device configuration passphrase.
4. Click OK.
While the AP device reboots, Offline appears in the Status column for the AP device. When the
AP device reboot is complete, Online appears in the Status column.
Perform a Site Survey
You can use your AP device to complete a site survey to detect other wireless access points that
operate in the same area. When you perform a site survey, the radios in the AP device scan the
wireless channels to find other wireless access points. The site survey can detect all local wireless
access points. This includes other WatchGuard AP devices and WatchGuard XTM wireless devices.
You must configure an AP device radio to use at least one SSID before that radio can perform a site
survey.
When a site survey scan begins, the AP device scans the airwaves within range for other radio
broadcasts in the same radio band, on all available wireless channels. The scan is not limited to the
wireless mode and channel settings configured in the radio settings of your device. The AP200 can use
both radios to scan on the 2.4GHz and 5GHz radio bands. The AP100 scans on either the 2.4GHz or
5GHz band. The band used for the scan depends on which band the radio is configured to operate in.
The site survey does not interrupt wireless connectivity for connected wireless clients.
To start a site survey:
1. On the Access Points tab, select an AP device.
2. Click Site Survey.
The Site Survey dialog box appears and the AP device begins to scan for other wireless access
points. A list of detected access points appears in the Site Survey dialog box.
3. To update the list of scan results from the AP device, click Refresh.
For each detected wireless access point, the site survey report shows this information:
BSSID
The Basic Service Set Identifier is the MAC address of the wireless access point.
SSID
This is the SSID for the access point. If an access point has more than one SSID, each SSID
appears as a separate item in the site survey.
Channel
This is the wireless channel that the wireless access point uses. If available, secondary
channel information also appears.
Signal Level
This is the signal strength of the wireless access point.
Type
This is the wireless standard the wireless access point supports.
Security
This is the type of wireless security used by the wireless access point.
Mode
This is the operating mode of the wireless device.
Monitor Wireless Clients
In Firebox System Manager, you can see the wireless clients that are connected to your WatchGuard
AP devices. You can also disconnect a wireless client from an AP device.
To see the connected wireless clients:
1. Start Firebox System Manager for your XTM device.
2. Select the Gateway Wireless Controller tab.
3. Select the Wireless Clients tab.
A list of connected wireless clients appears.
4. To show only wireless clients that are connected to a specific AP device, from the Filter By
AP drop-down list, select an AP device.
5. To show only wireless clients that are connected to a specific SSID, from the Filter By
SSID drop-down list, select an SSID.
6. To disconnect a wireless client, select the client and click Disconnect Client.
For more information about the Wireless Clients tab, see WatchGuard AP Device and Wireless Client
Connections (Gateway Wireless Controller).
To disconnect a wireless client from an AP device:
1. Select a wireless client.
2. Click Disconnect Client.
3. Type the XTM device configuration passphrase.
To permanently deny a wireless client access to your WatchGuard AP devices, make a note of the
MAC address before you disconnect the wireless client. You can then add that MAC address for that
wireless client to the Denied MAC address list in the MAC Access Control configuration. You must
also enable MAC Access Control in the SSID settings. For more information, see Configure
MAC Access Control.
Enable a Hotspot on an AP Device
You can enable one SSID on your WatchGuard AP device as a hotspot. You can enable a hotspot on
one SSID or network at a time.
When you enable the hotspot feature for an SSID, wireless clients see a hotspot splash screen page
when they connect to the SSID. You can configure the hotspot to require wireless clients to accept
terms and conditions. Or, you can configure an external hotspot authentication server that requires
wireless clients to provide information that can be validated before the wireless client is allowed to
connect to the network.
When you enable a hotspot for an AP device SSID, the hotspot interface you select depends on how
you configure the SSID and how your AP devices connect to the XTM device.
• If the SSID has VLAN tagging enabled, select the VLAN interface with the VLAN ID
configured in the SSID.
• If the SSID does not have VLAN tagging enabled, and the AP device is directly connected
to an XTM device interface, select the XTM device interface your AP device is connected
to.
• If the SSID does not have VLAN tagging enabled, but the AP devices that use the
SSID connect to XTM device VLAN interfaces that manage only untagged VLAN traffic,
select the untagged VLAN as the hotspot interface.
If you connect the AP device to a switch but do not use VLAN tagging, you cannot
enable the hotspot only for traffic that goes through the AP device. If you enable the
hotspot for the XTM device interface the switch connects to, the hotspot is enabled
for all traffic through that XTM device interface.
To enable a hotspot for an AP device, configure the hotspot settings on the XTM device that is paired
with the AP device. For more information about how to configure a hotspot, see Enable a Hotspot.
Reset the WatchGuard AP Device
There are three ways to reset the WatchGuard AP device to factory default settings:
• Press the reset button on the AP device.
• Reset the AP device from the WatchGuard Access Point web UI.
• Unpair an AP device.
If you reset a paired WatchGuard AP device to factory default settings, the
XTM device attempts to use the pairing passphrase configured for the AP device in
the Gateway Wireless Controller to pair the device again and send the configuration
to the AP device. If the pairing passphrase for this AP device on the Gateway
Wireless Controller is not set to the default, wgwap, the pairing fails and you get a
passphrase mismatch. For more information, see About AP Device Passphrases.
After you reset an AP device to factory default settings, the AP passphrase is set to the default
passphrase, wgwap.
An AP device with factory default settings cannot accept tagged VLAN traffic. If you reset an AP
device that has management VLAN tagging enabled, the XTM device cannot automatically rediscover
and pair with the AP device on the tagged VLAN. For more information, see WatchGuard AP Device
Discovery and Pairing.
Reset the WatchGuard AP Device with the Reset Button
To reset the AP device with the reset button on the AP device:
1. With the AP device powered on, press and hold the reset button.
2. After 12 seconds, release the reset button.
The AP device resets.
When the device completes initialization, it is reset to the factory default settings.
Reset the WatchGuard AP Device from the Access Point Web UI
To reset the AP device from the Access Point web UI:
1. Log in to the WatchGuard Access Point web UI.
2. From the left navigation menu, select Status.
The Access Point Status page appears.
3. On the Access Point Status page, click Reset to Factory Defaults.
For more information about how to use the WatchGuard Access Point web UI, see Use the
WatchGuard Access Point Web UI.
Unpair the WatchGuard AP Device
When you unpair the AP device from an XTM device, the AP device restarts with factory default
settings. The power LED on the AP device alternates from green to red when the device is unpaired.
For more information, see Unpair an AP Device.
Update AP Device Firmware
AP device firmware images are included with the Fireware XTM OS installation, so that the XTM
device can update the firmware for paired AP devices.
See the Current Firmware Version
You can see information about the installed and available versions of AP device firmware in the
Gateway Wireless Controller tab in Firebox System Manager. For more information, see Monitor AP
Device Status.
• The Access Point Firmware Available section shows the version of Access Point firmware
that is available on the XTM device. This is the version of firmware the XTM device can install
on a paired AP device.
• In the Access Points tab, the Version column shows the currently installed firmware version
on each paired access point.
Options for AP Device Firmware Updates
There are several ways that you can upgrade the firmware on your AP devices:
Enable automatic firmware updates
You can configure the Gateway Wireless Controller to automatically update the firmware for all paired
AP devices whenever a new version is available on the XTM device. For more information, see
Configure Gateway Wireless Controller Settings.
Send a firmware update to a single AP device
You can update the firmware for a single AP device from the Gateway Wireless Controller tab in
Firebox System Manager. For more information, see Monitor AP Device Status.
Use the Access Point web UI on the AP device
You can manually upgrade the firmware on an AP device from the Access Point web UI. Before
you can upgrade your AP device, you must download and save the firmware image to the
computer connected to your AP device. This is the only way to update firmware for an unpaired
AP device. For more information, see Use the WatchGuard Access Point Web UI.
Add an HTTPS Policy for Access Point Web UI Connections
If the connection from your management computer to your AP device is routed through your
XTM device, to allow your management computer to log in to the WatchGuard Access Point web UI,
you might have to add an HTTPS packet filter policy to your XTM device configuration.
To allow connections to the AP device on a VLAN from any trusted network:
1. Add an HTTPS packet filter policy.
2. In the From list, add the alias Any-Trusted.
To allow connections to the Access Point web UI from only a specific network interface, add
that interface name to the From list.
3. In the To list, add the interface where your AP device is connected. This could be a physical
interface or a VLAN interface.
• If you do not use VLAN tagging, add the XTM device interface that your AP device connects
to.
• If you use VLAN tagging, add the untagged VLAN you configured for management
connections to your AP devices.
Use the WatchGuard Access Point Web UI
To see basic information about your WatchGuard Access Point (AP) device and manage some of the
settings for the AP device, you can connect directly to the WatchGuard Access Point web UI. From
the Access Point web UI, you can:
• See the current configuration details for the AP device
• Manage the network settings for the AP device
• Change the AP device passphrase
• Upgrade the AP device firmware
• Save configuration changes or revert recent changes to the AP device
Because you manage the configuration, passphrases, and firmware updates for your paired
WatchGuard AP device from the Gateway Wireless Controller on the XTM device, it is not often
necessary to use the WatchGuard Access Point web UI to directly manage the configuration of your
AP device.
Connect to the WatchGuard Access Point Web UI
Before you can connect your computer directly to the WatchGuard AP device for the first time, you
must change the network settings on your computer to enable your computer to get access to the AP
device. You can then connect to the AP device to manage the AP device settings. If you change the
network settings on the AP device and later want to connect directly to the AP device again, you must
configure your computer to use an IP address and gateway in the same network range as the IP
address you set for the AP device.
Connect to an Access Point Directly Connected to Your Computer
To directly connect to the WatchGuard Access Point web UI on an AP device that uses factory default
settings:
1. Configure your computer to use these network settings:
• IP address — 192.168.1.2
• Subnet mask — 255.255.255.0
• Gateway — 192.168.1.1
2. Connect your computer directly to the AP device with an Ethernet cable.
3. Open a web browser and go to https://192.168.1.1.
The WatchGuard Access Point web UI login page appears.
4. In the Passphrase text box, type the passphrase for the AP device. The default passphrase is
wgwap.
5. Click Login.
The WatchGuard Access Point Web UI appears, with the Access Point Status page selected.
You can now monitor and manage the settings for your AP device, as described in the subsequent
sections.
Connect to an Access Point On Your Network
Depending on the location of your computer and the Access Point on the network, you might need to
add an HTTPS policy to allow connections to the AP device from another network. For more
information, see Add an HTTPS Policy for Access Point Web UI Connections.
Before you begin, make sure you have the IP address of the AP device.
• The IP address of a paired AP device is available in Firebox System Manager on the Gateway
Wireless Controller tab. For more information, see Monitor AP Device Status.
• The IP address of an unpaired AP device is available on the Access Points tab of the Gateway
Wireless Controller. For more information, see WatchGuard AP Device Discovery and Pairing.
To connect to the WatchGuard Access Point web UI for an AP device that is connected to your
XTM device:
1. Open a web browser and go to https://<AP device IP address>.
The WatchGuard Access Point web UI login page appears.
2. In the Passphrase text box, type the passphrase for the AP device.
For a paired AP device, the passphrase is the WatchGuard AP Passphrase configured in the
Gateway Wireless Controller settings on the XTM device. For more information, see Configure
Gateway Wireless Controller Settings.
3. Click Login.
The WatchGuard Access Point Web UI appears, with the Access Point Status page selected.
You can now monitor and manage the settings for your AP device, as described in the subsequent
sections.
Verify the Current AP Device Settings
On the Access Point Status page, you can verify the current network settings, model information,
firmware version, and serial number for the AP device. You can also revert to the factory default
settings for your AP device.
When you connect to your AP device, the Access Point Status page is selected by default.
To go to the Access Point Status page and review the AP device settings:
1. From the left navigation menu, select Status.
The Access Point Status page appears.
2. Review the current settings for your AP device.
To reset your AP device to the factory default settings:
On the Access Point Status page, click Reset to Factory Defaults.
Manage Network Settings
By default, your AP device uses DHCP to automatically receive an IP address from your network.
When you configure your AP device, you can continue to use DHCP to automatically configure the
network settings, or you can use a static IP address and manually configure the network settings. To
help you easily identify the AP device, you can also specify a friendly device name for the AP device.
1. From the left navigation menu, select Settings.
The Network Settings page appears.
2. Select an option:
• DHCP
• Static
3. If you select Static, in the IP Network Setting section, type the network configuration settings
for the AP device.
4. To specify a VLAN, in the VLAN ID text box, type the VLAN number.
5. To specify a friendly name for the AP device, in the Device Name text box, type a name for the
AP device.
6. To enable SSH for technical support access, select the Enable Sshd check box.
7. Click Save.
Change the Access Point Passphrase
All AP devices use the same passphrase by default: wgwap. The passphrase is changed
automatically when you pair the AP device with an XTM device. We recommend that you do not use
the WatchGuard Access Point web UI to change the AP device passphrase. If you use the
WatchGuard Access Point web UI to change the AP device passphrase, you must use this as the
pairing passphrase for this AP device in the Gateway Wireless Controller on the XTM device. For more
information, see About AP Device Passphrases.
1. From the left navigation menu, select Passphrase.
The Local passphrase page appears.
2. In the Current passphrase text box, type the current passphrase for your AP device.
If you have never changed the passphrase before, type the default passphrase, wgwap.
3. In the New passphrase and Confirm new passphrase text boxes, type the new passphrase
to use for the AP device.
4. Click Save.
Upgrade the AP Device Firmware
When you manage your WatchGuard AP device with the Gateway Wireless Controller on your
XTM device, by default, the firmware on your AP device is automatically updated when a new version
is available to the controller on the XTM device. You can also choose to manually upgrade the firmware
on your AP device from the Access Point web UI, if a firmware update for the AP device is available on
the WatchGuard Software Downloads page. Before you can upgrade your AP device to a new version
of firmware, you must have saved the firmware image to the computer connected to your AP device.
1. From the left navigation menu, select Firmware Upgrade.
The Firmware Upgrade page appears.
2. Click Browse to select the firmware image file.
The firmware image file path appears in the Firmware Location text box.
3. Click Upgrade.
Do not interrupt the power to the AP device while the firmware upgrade is in progress.
Interruption of power during a firmware upgrade can cause the AP device to start in
failsafe mode. When the AP device is in failsafe mode, the Access Point web UI
provides a single option that enables you to upgrade the device firmware. For more
details about AP device failsafe mode and recovery, see the WatchGuard Knowledge
Base.
Save or Revert Configuration Changes
If you have made changes to the AP device configuration that have not yet been implemented, you can
choose to save your changes and apply them to the AP device, or revert the changes so they are not
applied to the AP device.
1. From the left navigation menu, select Save/Reload:0.
The Save/Reload page appears.
2. To apply changes and save them to the AP device configuration, select a change from the
Unsaved changes list and click Save & Apply.
3. To revert a change, select a change from the Unsaved changes list and click Revert.
WatchGuard AP Device Deployment Examples
These examples provide configuration details for the most common types of WatchGuard AP device
deployment scenarios.
WatchGuard AP device with a Single SSID
For a basic type of wireless deployment in a small office with simple requirements, you can
deploy one or more WatchGuard AP devices with a single SSID.
For a configuration example, see AP Device Deployment with a Single SSID.
WatchGuard AP device with Simple Roaming
To extend the range of an SSID over a larger physical area, you can assign the same SSID to
multiple AP devices.
For a configuration example, see AP Device Deployment with Simple Roaming.
WatchGuard AP device with Single or Multiple SSIDs and VLANs for Policies
For a more complex environment with additional security and policy requirements for wireless
users, you can use one or more SSIDs for your wireless network with VLANs. VLANs enable
you to apply wireless security policies for each SSID on the XTM device, and separate network
traffic for each SSID on a dedicated VLAN.
For a configuration example, see AP Device Deployment with VLANs.
AP Device Deployment with a Single SSID
For basic AP device installation, you deploy one WatchGuard AP device with a single SSID. In this
simple deployment scenario, you do not have to configure VLANs or complex network settings. This
example is recommended for small office deployments where the requirement is to add secure,
wireless access to an existing LAN. The WatchGuard AP device management traffic and wireless
SSID traffic all communicate across the same network.
If your environment is large enough to require more than one AP device for wider wireless coverage,
you can assign the same SSID to multiple AP devices. When you assign the same SSID to more than
one AP device, the range of that SSID is extended, which enables mobile users to roam from one
AP device coverage area to another. For more information, see AP Device Deployment with Simple
Roaming.
With this deployment scenario, there are two primary methods you can use to physically connect your
WatchGuard AP device to the network:
• Connect the AP device directly to your XTM device on a Trusted or Optional network interface.
• Connect the AP device to a switch that is on a Trusted or Optional network.
Configure an XTM Interface and Enable DHCP
To connect the AP device directly to an XTM device interface, configure that interface as a Trusted or
Optional interface. Enable the DHCP server or DHCP relay on that interface so that the XTM device
can automatically assign an IP address to the AP device and to wireless clients.
1. Start Policy Manager for your XTM device.
2. Select Network > Configuration.
The Network Configuration dialog box appears.
3. Select a network interface and click Configure.
4. In the Interface Name (Alias) text box, type a name for this network.
For this example, type Trusted-Wireless.
5. (Optional) In the Interface Description text box, type a description of the interface.
6. From the Interface Type drop-down list, select Trusted.
7. In the IP Address text box, type the IP address for this interface in slash notation.
For this example, type 10.0.10.0/24.
8. Select Use DHCP Server.
9. In the Address Pool section, click Add.
The Add Address Range dialog box appears.
10. In the Starting IP and Ending IP text boxes, type the IP addresses for the DHCP range.
For this example, type 10.0.10.2 and 10.0.10.100.
11. Click OK to save the DHCP configuration.
The IP address range appears in the Address Pool list.
12. Click OK to save the interface settings.
13. Save the configuration file to your XTM device.
Add an SSID to the Gateway Wireless Controller
To add and configure an SSID on the Gateway Wireless Controller:
1. Select Network > Gateway Wireless Controller.
The Gateway Wireless Controller configuration page appears, with the SSIDs tab selected.
2. Select the Enable the Gateway Wireless Controller check box.
This enables the XTM device to discover unpaired AP devices on your trusted or optional network.
3. On the SSIDs tab, click Add.
The Add SSID dialog box appears, with the Settings tab selected.
4. In the Network Name (SSID) text box, type a name for this SSID.
For this example, type SSID-Trusted.
5. Make sure the Enable VLAN tagging check box is cleared.
This is required because you do not want to configure VLANs for this simple deployment scenario.
6. In the Access Points with this SSID section, move the AP devices that you want to use this
SSID from the Available list to the Member list.
7. Select the Security tab.
8. Configure your wireless encryption security settings for this SSID.
9. Click OK to save your SSID settings.
10. Save the configuration file to your XTM device.
After you have configured the SSIDs, you can pair the AP device with the XTM device, and assign
these SSIDs to the radios on the AP device.
AP Device Deployment with Simple Roaming
To extend the range of an SSID over a larger physical area, you can assign the same SSID to multiple
AP devices. When a wireless user moves to a different location on your physical network, the wireless
client can automatically connect to a different AP device that has a stronger signal for that SSID. This
eliminates the need for users to manually reconnect when they move their wireless devices around
your office. Simple roaming relies on the wireless client to switch between wireless access points.
For this deployment scenario, you can connect each AP device directly to a trusted XTM device
interface, or to a switch on the trusted network. As long as you connect all AP devices to interfaces in
the same network security zone, wireless clients that connect to the SSID can roam between the AP
devices.
The diagram below shows three AP devices connected to the trusted network, two connected to a
switch, and one connected to a trusted interface on the XTM device. All AP devices use the same
SSID.
Configure an XTM Interface and Enable DHCP
To connect the AP device directly to an XTM device interface, configure that interface as a Trusted or
Optional interface. Enable the DHCP server or DHCP relay on that interface so that the XTM device
can automatically assign an IP address to the AP device and to wireless clients.
1. Start Policy Manager for your XTM device.
2. Select Network > Configuration.
The Network Configuration dialog box appears.
3. Select a network interface and click Configure.
4. In the Interface Name (Alias) text box, type a name for this network.
For this example, type Trusted-Wireless.
5. (Optional) In the Interface Description text box, type a description of the interface.
6. From the Interface Type drop-down list, select Trusted.
7. In the IP Address text box, type the IP address for this interface in slash notation.
For this example, type 10.0.10.0/24.
8. Select Use DHCP Server.
9. In the Address Pool section, click Add.
The Add Address Range dialog box appears.
10. In the Starting IP and Ending IP text boxes, type the IP addresses for the DHCP range.
For this example, type 10.0.10.2 and 10.0.10.100.
11. Click OK to save the DHCP configuration.
The IP address range appears in the Address Pool list.
12. Click OK to save the interface settings.
13. Repeat this procedure for your Guest network SSID on another XTM interface.
14. Save the configuration file to your XTM device.
Add the SSID to the Gateway Wireless Controller
To add the SSID to the Gateway Wireless Controller for this deployment scenario:
1. Select Network > Gateway Wireless Controller.
The Gateway Wireless Controller dialog box appears, with the SSIDs tab selected.
2. Select the Enable the Gateway Wireless Controller check box.
3. On the SSIDs tab, click Add.
The Add SSID dialog box appears, with the Settings tab selected.
4. In the Network Name (SSID) text box, type Trusted.
5. Make sure the Enable VLAN tagging check box is cleared.
VLANs are not required for this roaming deployment scenario.
6. In the Access Points with this SSID section, move the AP devices that you want to use this
SSID from the Available list to the Member list.
If the AP devices have not been paired to the XTM device yet, you can assign this SSID to each
AP device after you add it to the Gateway Wireless Controller.
7. Select the Security tab.
8. Configure your wireless encryption security settings for this SSID.
9. Click OK to save the SSID configuration.
The Gateway Wireless Controller dialog box appears, with the Trusted SSID in the SSID list.
10. Click OK to save the Gateway Wireless Controller configuration.
11. Save the configuration file to your XTM device.
After you have configured the SSID, you can pair any additional AP devices with the XTM device, and
assign this SSID to the radios on each AP device.
AP Device Deployment with VLANs
If you have a complex network environment with security and policy requirements for wireless users,
you can enable VLANs on the SSIDs for your wireless network. VLANs enable you to apply wireless
security policies to each SSID on the XTM device, and to separate network traffic for each SSID on a
dedicated VLAN.
With this deployment scenario, there are two primary methods you can use to physically connect your
WatchGuard AP device to the network:
• Connect the AP device directly to the XTM device on a Trusted or Optional network configured
as a VLAN interface. You create VLANs on the XTM device for AP device management, and for
each wireless SSID.
• Connect the AP device to a managed network switch configured with the VLAN information for
the related SSIDs. You can also configure the same VLANs on the XTM device, so that you can
use the VLANs in firewall policies for each SSID.
Required VLAN Types
To enable VLAN tagging in your AP device SSIDs, there are two types of VLANs you must create:
• Tagged VLANs for SSIDs — The AP device uses tagged VLANs to separate wireless traffic
from each SSID. You must create a tagged VLAN for each SSID you configure in your wireless
network.
• Untagged VLAN for AP device management — The Gateway Wireless Controller on the
XTM device discovers and manages all WatchGuard AP devices through a special
management connection. You must create a separate, untagged VLAN to use for management
connections to your AP devices. The AP device management IP address cannot be an
IP address on a tagged VLAN.
If you enable management VLAN tagging in the AP device configuration, the
XTM device can use a tagged VLAN for management connections to the AP device.
An untagged VLAN is still required for the initial connection to an AP device that has
not yet been paired.
You can choose from two different methods to set up VLANs based on where you connect the
AP device to your network:
• Connect the AP device directly to an XTM device — To connect your AP device directly to
your XTM device, you must set up VLANs on the XTM device interface that the AP device
connects to.
a. On your XTM device, create a VLAN for AP device management and VLANs for all
wireless SSIDs.
b. Configure the XTM device interface to send and receive tagged traffic for the VLANs
for each of your SSIDs, and to send and receive untagged traffic for the AP device
management VLAN.
• Connect the AP device to a managed switch — To connect your AP device to a managed
switch, you set up VLANs on the managed switch interfaces and on the XTM device interface
that the switch connects to.
a. On your XTM device, create a VLAN for AP device management and VLANs for all
wireless SSIDs.
b. Configure the XTM device interface to send and receive tagged traffic for the VLANs
for each of your SSIDs, and to send and receive untagged traffic for the AP device
management VLAN.
c. On the switch, configure the interfaces that connect to the XTM device and to the AP
device to send and receive tagged traffic for the VLANs for each of your SSIDs.
Configure the same interfaces on the switch to send and receive untagged traffic for
the AP device management VLAN.
For more information about how to enable tagged and untagged VLANs on switch interfaces, see the
documentation for your switch.
Create VLANs on Your XTM Device
In this configuration example, we create three VLANs:
VLAN for trusted wireless access
• Description — Used for the primary trusted wireless network.
• VLAN ID — 10
• Interface type — Trusted
• IP address — 10.0.10.1/24
• DHCP range — 10.0.10.2 - 10.0.10.20
VLAN for wireless guest access
• Description — Used for the guest wireless network.
• VLAN ID — 20
• Interface type — Optional
• IP address — 10.0.20.1/24
• DHCP range — 10.0.20.2 - 10.0.20.20
Untagged VLAN for AP Device Management
• Description — Used for AP device discovery and management by the Gateway Wireless
Controller.
• VLAN ID — 30
• Interface type — Trusted
• IP address — 10.0.30.1/24
• DHCP range — 10.0.30.2 - 10.0.30.20
Create a VLAN for the Trusted Wireless SSID
To create a VLAN for the Trusted wireless SSID on your XTM device:
1. Start Policy Manager for your XTM device.
2. Select Network > Configuration.
3. Select the VLAN tab.
4. Click Add.
5. In the Name (Alias) text box, type a name for this VLAN.
For this example, type VLAN10.
6. In the Description text box, type a descriptive comment for this VLAN.
For this example, type VLAN for the trusted wireless network.
7. In the VLAN ID text box, type a VLAN ID number.
For this example, type 10.
8. From the Security Zone drop-down list, select the security zone for this VLAN and SSID.
For this example, select the trusted wireless VLAN interface, Trusted.
9. In the IP Address text box, type the IP address for the VLAN interface in slash notation.
For this VLAN, type 10.0.10.1/24.
10. Select Use DHCP Server and click Add.
11. In the Starting IP and Ending IP text boxes, type the IP addresses for the DHCP range.
For this VLAN, type 10.0.10.2 and 10.0.10.20.
12. Click OK to save this VLAN configuration.
Create a VLAN for the Guest Wireless SSID
To create a VLAN for the guest wireless SSID on the XTM device:
1. Select Network > Configuration.
2. Select the VLAN tab.
3. Click Add.
4. In the Name (Alias) text box, type a name for this VLAN.
For this example, type VLAN20.
5. In the Description text box, type a descriptive comment for this VLAN.
For this example, type VLAN for the guest wireless network.
6. In the VLAN ID text box, type a VLAN ID number.
For this example, type 20.
7. From the Security Zone drop-down list, select the security zone for this VLAN and SSID.
For this example, select the guest wireless VLAN interface, Optional.
8. In the IP Address text box, type the IP address for the VLAN interface in slash notation.
For this example, type 10.0.20.1/24.
9. Select Use DHCP Server and click Add.
10. In the Starting IP and Ending IP text boxes, type the IP addresses for the DHCP range.
For this example, type 10.0.20.2 and 10.0.20.20.
11. Click OK to save the VLAN configuration.
Create a VLAN for AP Device Management
To create a VLAN for AP device management connections on the XTM device:
1. Select Network > Configuration.
2. Select the VLAN tab.
3. Click Add.
4. In the Name (Alias) text box, type a name for this VLAN.
For this example, type VLAN30.
5. In the Description text box, type a descriptive comment for this VLAN.
For this example, type VLAN for AP management connections.
6. In the VLAN ID text box, type a VLAN ID number.
For this example, type 30.
7. From the Security Zone drop-down list, select the security zone for this VLAN and SSID.
For this example, select the AP device management VLAN interface, Trusted.
8. In the IP Address text box, type the IP address for the VLAN interface in slash notation.
For this example, type 10.0.30.1/24.
9. Select Use DHCP Server and click Add.
10. In the Starting IP and Ending IP text boxes, type the IP addresses for the DHCP range.
For this example, type 10.0.30.2 and 10.0.30.20.
11. Click OK to save the VLAN configuration.
When complete, the example VLAN settings look like this:
Add VLANs to a Network Interface
Next, you must add these VLANs to a network interface.
1. Select Network > Configuration.
2. Select the Interfaces tab.
3. Select the network interface to use for VLANs and click Configure.
The Interface Settings dialog box appears for the selected interface.
4. In the Interface Name text box, type a name for this VLAN interface.
5. In the Interface Description text box, type a description for this VLAN interface.
6. From the Interface Type drop-down list, select VLAN.
7. To receive tagged VLAN data on this network interface, select the Send and receive tagged
traffic for selected VLANs check box.
8. Select the Member check box for each tagged VLAN to include on this interface.
For this example, select VLAN10 and VLAN20.
Only the SSID VLANs are tagged. The AP device Management VLAN must remain untagged.
9. To configure the interface to receive untagged data, select the Send and receive untagged
traffic for selected VLAN check box.
To send and receive untagged data for the AP Management VLAN, you must select this option.
10. From the drop-down list, select the AP device management VLAN, VLAN30, as the untagged
VLAN.
11. Click OK.
12. Save the configuration file to your XTM device.
Add SSIDs to the Gateway Wireless Controller
To add SSIDs to the Gateway Wireless Controller for this deployment example:
1. Select Network > Gateway Wireless Controller.
The Gateway Wireless Controller dialog box appears, with the SSIDs tab selected.
2. Select the Enable the Gateway Wireless Controller check box.
3. On the SSIDs tab, click Add.
The Add SSID dialog box appears, with the Settings tab selected.
4. In the Network Name (SSID) text box, type Trusted.
5. Select the Enable VLAN tagging check box.
This is required because this SSID VLAN must be tagged.
6. In the VLAN ID text box, type or select 10.
7. In the Access Points with this SSID section, move the AP devices that you want to use this
SSID from the Available list to the Member list.
8. Select the Security tab.
9. Configure your wireless encryption security settings for this SSID.
10. Click OK to save the SSID configuration.
The Gateway Wireless Controller dialog box appears, with the Trusted SSID in the SSID list.
11. On the SSIDs tab, click Add.
The Add SSID dialog box appears, with the Settings tab selected.
12. In the Network Name (SSID) text box, type Guest.
13. Select the Enable VLAN tagging check box.
This is required because this SSID VLAN must be tagged.
14. In the VLAN ID text box, type or select 20.
15. In the Access Points with this SSID section, move the AP devices that you want to use this
SSID from the Available list to the Member list.
16. Select the Security tab.
17. Configure your wireless encryption security settings for this SSID.
18. Click OK.
The Gateway Wireless Controller dialog box appears, with the Trusted and Guest SSIDs in the SSID
list.
19. Click OK to save the Gateway Wireless Controller configuration.
20. Save the configuration file to your XTM device.
After you have configured the SSIDs, you can pair the AP device with the XTM device, and assign
these SSIDs to the radios on the AP device.
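The Python script below is an added example, not WatchGuard code: it checks a deployment plan like the one in this example against the VLAN rules given above (a tagged VLAN for each SSID, one untagged management VLAN that is not also tagged, non-overlapping subnets, and DHCP ranges inside each VLAN subnet). The Vlan and Ssid classes and the check functions are assumptions of the example and are not part of the XTM product.

```python
"""Sanity-check a WatchGuard AP deployment plan that uses VLANs.

Added example, not WatchGuard code.  It encodes the rules this section gives:
each SSID VLAN is tagged on the XTM interface, the AP management VLAN is the
one untagged VLAN and is not also tagged, VLAN subnets do not overlap, and
each DHCP range lies inside its VLAN subnet without the interface address.
"""
import ipaddress
from dataclasses import dataclass

@dataclass
class Vlan:
    name: str
    vlan_id: int
    zone: str           # security zone: "Trusted" or "Optional"
    address: str        # VLAN interface address in slash notation
    dhcp_start: str
    dhcp_end: str

@dataclass
class Ssid:
    name: str
    vlan_id: int
    vlan_tagging: bool  # the "Enable VLAN tagging" check box

def check_vlan(vlan):
    """Return problems with one VLAN definition (DHCP range checks)."""
    problems = []
    iface = ipaddress.ip_interface(vlan.address)
    start = ipaddress.ip_address(vlan.dhcp_start)
    end = ipaddress.ip_address(vlan.dhcp_end)
    if start not in iface.network or end not in iface.network:
        problems.append(f"{vlan.name}: DHCP range is outside {iface.network}")
    elif start > end:
        problems.append(f"{vlan.name}: DHCP start is after DHCP end")
    elif start <= iface.ip <= end:
        problems.append(f"{vlan.name}: DHCP range includes the interface address")
    return problems

def check_plan(vlans, ssids, tagged_ids, untagged_id):
    """Check the VLANs, the SSIDs and the interface's tagged/untagged members."""
    problems = []
    by_id = {vlan.vlan_id: vlan for vlan in vlans}
    for vlan in vlans:
        problems += check_vlan(vlan)
    # Subnets of the VLANs must not overlap.
    nets = [(v.name, ipaddress.ip_interface(v.address).network) for v in vlans]
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a} and {name_b} have overlapping subnets")
    # The management VLAN is the untagged VLAN and must not also be tagged.
    if untagged_id not in by_id:
        problems.append(f"untagged VLAN {untagged_id} is not defined")
    if untagged_id in tagged_ids:
        problems.append(f"management VLAN {untagged_id} must not be tagged")
    # Every SSID uses a tagged VLAN that is a tagged member of the interface.
    for ssid in ssids:
        if not ssid.vlan_tagging:
            problems.append(f"SSID {ssid.name}: VLAN tagging must be enabled")
        if ssid.vlan_id not in by_id:
            problems.append(f"SSID {ssid.name}: VLAN {ssid.vlan_id} is not defined")
        elif ssid.vlan_id == untagged_id:
            problems.append(f"SSID {ssid.name}: must not use the management VLAN")
        elif ssid.vlan_id not in tagged_ids:
            problems.append(f"SSID {ssid.name}: VLAN {ssid.vlan_id} is not tagged")
    return problems

# The guide's example plan: VLAN10 and VLAN20 for SSIDs, VLAN30 for management.
EXAMPLE_VLANS = [
    Vlan("VLAN10", 10, "Trusted", "10.0.10.1/24", "10.0.10.2", "10.0.10.20"),
    Vlan("VLAN20", 20, "Optional", "10.0.20.1/24", "10.0.20.2", "10.0.20.20"),
    Vlan("VLAN30", 30, "Trusted", "10.0.30.1/24", "10.0.30.2", "10.0.30.20"),
]
EXAMPLE_SSIDS = [Ssid("Trusted", 10, True), Ssid("Guest", 20, True)]

def example_plan_problems():
    return check_plan(EXAMPLE_VLANS, EXAMPLE_SSIDS, tagged_ids={10, 20}, untagged_id=30)

def broken_plan_problems():
    """Constructed mistakes: Guest SSID untagged, VLAN30 also tagged, and a
    VLAN20 DHCP range that leaves its subnet."""
    vlans = [
        Vlan("VLAN10", 10, "Trusted", "10.0.10.1/24", "10.0.10.2", "10.0.10.20"),
        Vlan("VLAN20", 20, "Optional", "10.0.20.1/24", "10.0.20.2", "10.0.21.20"),
        Vlan("VLAN30", 30, "Trusted", "10.0.30.1/24", "10.0.30.2", "10.0.30.20"),
    ]
    ssids = [Ssid("Trusted", 10, True), Ssid("Guest", 20, False)]
    return check_plan(vlans, ssids, tagged_ids={10, 20, 30}, untagged_id=30)

if __name__ == "__main__":
    print("example plan:", example_plan_problems() or "ok")
    for problem in broken_plan_problems():
        print("broken plan:", problem)
```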
10
Dynamic Routing
About Dynamic Routing
A routing protocol is the language a router speaks with other routers to share information about the
status of network routing tables. With static routing, routing tables are set and do not change. If a router
on the remote path fails, a packet cannot get to its destination. Dynamic routing makes automatic
updates to route tables as the configuration of a network changes.
To use dynamic routing, the XTM device must be configured in mixed routing mode.
Dynamic Routing Protocols
Fireware XTM supports the RIP v1, RIP v2, and RIPng protocols. Fireware XTM with a Pro upgrade
supports the RIP v1, RIP v2, RIPng, OSPF, OSPFv3, and BGP v4 protocols.
• For IPv4 dynamic routing, you must use RIP, OSPF or BGP.
• For IPv6 dynamic routing, you must use RIPng, OSPFv3, or BGP.
IPv6 dynamic routing protocols and commands are supported in Fireware XTM v11.9
and higher.
For more information about each of the supported routing protocols, see:
• About Routing Information Protocol (RIP and RIPng)
• About Open Shortest Path First (OSPF and OSPFv3) Protocol
• About Border Gateway Protocol (BGP)
Fireware XTM uses the Quagga routing software suite v0.99.18, which supports most routing
commands available in more recent versions of Quagga.
Dynamic Routing Policies
When you enable a dynamic routing protocol, Policy Manager can automatically add the required
dynamic routing policy. The automatically added policies are called:
• DR-RIP-Allow
• DR-RIPng-Allow
• DR-OSPF-Allow
• DR-OSPFv3-Allow
• DR-BGP-Allow
Monitor Dynamic Routing
When you enable dynamic routing, you can see the current dynamic routes on the Status Report tab in
Firebox System Manager. The first 20 dynamic routes appear in the Routes section, in the zebra table.
The complete list of dynamic routes appears in the OSPF, RIP, or BGP sections of the Status Report.
For a FireCluster, the dynamic routes appear in the Routes section of the Status Report for the cluster
master.
For more information about how to read the route tables in the Status Report, see Read the Route
Tables.
To troubleshoot dynamic routing, you can change the diagnostic log level setting for dynamic routing to
generate more log messages about dynamic routing traffic. You do this in the diagnostic log level
settings for the Networking category.
For more information about how to set the diagnostic log level, see Set the Diagnostic Log Level.
About Routing Daemon Configuration Files
To use any of the dynamic routing protocols with Fireware XTM, you must import or type a dynamic
routing configuration file for the routing daemon you choose. This configuration file includes information
such as a password and log file name. To see sample configuration files for each of the routing
protocols, see these topics:
• Sample RIP Routing Configuration File
• Sample RIPng Routing Configuration File
• Sample OSPF Routing Configuration File
• Sample OSPFv3 Routing Configuration File
• Sample BGP Routing Configuration File
Notes about configuration files:
• The "!" and "#" characters are put before comments, which are lines of text in configuration files
that explain the function of subsequent commands. If the first character of a line is a comment
character, then the rest of the line is interpreted as a comment.
• You can use the word "no" at the beginning of the line to disable a command. For example: "no
network 10.0.0.0/24 area 0.0.0.0" disables the backbone area on the specified network.
About Routing Information Protocol (RIP and RIPng)
Routing Information Protocol (RIP) is used to manage router information in a self-contained network,
such as a corporate LAN or a private WAN. With RIP, a gateway host sends its routing table to the
closest router every 30 seconds. This router then sends the contents of its routing tables to neighboring
routers.
RIP is best for small networks. This is because the transmission of the full routing table every 30
seconds can put a large traffic load on the network, and because RIP tables are limited to 15 hops.
OSPF is a better alternative for larger networks.
For IPv4 routing, there are two versions of RIP, RIP v1 and RIP v2. RIP v1 uses a UDP broadcast
over port 520 to send updates to routing tables. RIP v2 uses multicast to send routing table updates.
For information about RIP for IPv4 routing, see:
• RIP Commands
• Configure IPv4 Routing with RIP
• Sample RIP Routing Configuration File
For IPv6 routing, use RIPng (next generation). RIPng uses UDP port 521 to send updates to routing
tables. For more information about RIPng for IPv6 routing, see:
• RIPng Commands
• Configure IPv6 Routing with RIPng
• Sample RIPng Routing Configuration File
Configure IPv4 Routing with RIP
1. Select Network > Dynamic Routing.
The Dynamic Routing Setup dialog box appears.
2. Select the Enable Dynamic Routing check box.
3. Select the RIP tab.
4. Select the Enable RIP check box.
5. Click Import to import a routing daemon configuration file, or copy and paste your configuration
file in the text box.
6. Click OK.
If an enabled dynamic routing policy does not exist, Policy Manager asks if you want to add the
required policy.
7. Click Yes to add the required dynamic routing policy.
Policy Manager adds the required dynamic routing policy, or enables an existing RIP dynamic
routing policy, if one exists.
When you enable RIP, the dynamic routing policy called DR-RIP-Allow is automatically created. You
can edit this policy to add authentication and restrict the policy to listen on only the correct interfaces.
The DR-RIP-Allow policy is configured to allow RIP multicasts to the reserved multicast address for
RIP v2.
If you use RIP v1, you must configure the RIP policy to allow RIP broadcasts from the network
broadcast IP address to the XTM device. For example, if your external interface IP address is
203.0.113.2/24, the RIP policy must allow traffic from the broadcast address 203.0.113.255 to the
XTM device.
After you configure the XTM device and the RIP router, you can use Firebox System Manager to see
the dynamic routes. In Firebox System Manager, click the Status Report tab. The RIP section shows
route updates that the XTM device has received from the RIP router.
RIP Commands
Fireware XTM uses the Quagga routing software suite v0.99.18, which supports most routing
commands available in more recent versions of Quagga.
The subsequent table is a catalog of supported routing commands for RIP v1 and RIP v2 that you can
use to create or modify a routing configuration file. If you use RIP v2, you must include the subnet
mask with any command that uses a network IP address or RIP v2 will not operate. The sections must
appear in the configuration file in the same order they appear in this table.
Section: Set simple password or MD5 authentication on an interface
  interface eth [N] - Begin section to set authentication type for interface
  ip rip authentication string [PASSWORD] - Set RIP authentication password
  key chain [KEYCHAIN] - Set MD5 key chain name
  key [INTEGER] - Set MD5 key number
  key-string [AUTH-KEY] - Set MD5 authentication key
  ip rip authentication mode md5 - Use MD5 authentication
  ip rip authentication key-chain [KEYCHAIN] - Set MD5 authentication key-chain
Section: Configure interfaces
  ip rip send version [1/2] - Set RIP to send version 1 or 2
  ip rip receive version [1/2] - Set RIP to receive version 1 or 2
  no ip rip split-horizon - Disable split-horizon; enabled by default
Section: Configure RIP routing daemon
  router rip - Enable RIP daemon
  version [1/2] - Set RIP version to 1 or 2 (default version 2)
Section: Configure interfaces and networks
  no network eth[N] - Disable RIP send and receive on interface
  passive-interface eth[N] - Set RIP to receive-only on interface
  passive-interface default - Set RIP to receive-only on all interfaces
  network [A.B.C.D/M] - Enable RIP broadcast (version 1) or multicast (version 2) on network
  neighbor [A.B.C.D] - Set unicast routing table updates to neighbor
Section: Distribute routes to RIP peers and inject OSPF or BGP routes to RIP routing table
  default-information originate - Share route of last resort (default route) with RIP peers
  redistribute static - Redistribute firewall static routes to RIP peers
  redistribute connected - Redistribute routes from all interfaces to RIP peers
  redistribute connected route-map [MAPNAME] - Redistribute routes from all interfaces to RIP peers, with a route map filter (mapname)
  redistribute ospf - Redistribute routes from OSPF to RIP
  redistribute ospf route-map [MAPNAME] - Redistribute routes from OSPF to RIP, with a route map filter (mapname)
  redistribute bgp - Redistribute routes from BGP to RIP
  redistribute bgp route-map [MAPNAME] - Redistribute routes from BGP to RIP, with a route map filter (mapname)
Section: Configure route redistribution filters with route maps and access lists
  access-list [LISTNAME] [PERMIT|DENY] [A.B.C.D/M | ANY] - Create an access list to allow or deny redistribution of only one IP address or for all IP addresses
  route-map [MAPNAME] permit [N] - Create a route map with a name and allow with a priority of N
  match ip address [LISTNAME] - Match routes in this route map against the access list [LISTNAME]
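The Python linter below is an added example, not part of Fireware XTM or Quagga. It applies the rules given above to a ripd configuration file: the comment characters and the "no" prefix from the configuration file notes, the section order and the RIP v2 subnet-mask requirement from this table, a check that some interface has RIP authentication, and the broadcast source address that the DR-RIP-Allow policy needs for RIP v1. The function names and both sample files are assumptions of the example.

```python
"""Lint a Quagga ripd configuration file against the rules this guide gives.

Added example, not WatchGuard or Quagga code.  It applies the notes about
configuration files ('!' and '#' start comments, 'no' disables a command)
and the rules given with the RIP commands table (sections in table order,
a subnet mask on every RIP v2 'network' address), flags a file with no RIP
authentication, and computes the RIP v1 broadcast source for DR-RIP-Allow.
"""
import ipaddress

# Command prefixes of each table section, in the order the sections must appear.
SECTION_ORDER = [
    ("key chain", "key ", "key-string", "interface", "ip rip authentication"),
    ("ip rip send version", "ip rip receive version", "ip rip split-horizon"),
    ("router rip", "version"),
    ("network", "neighbor", "passive-interface"),
    ("default-information", "redistribute"),
    ("access-list", "route-map", "match ip address"),
]

def parse_commands(text):
    """Return (disabled, command) pairs; blank and comment lines are dropped."""
    commands = []
    for raw in text.splitlines():
        line = " ".join(raw.split())          # normalise indentation and spacing
        if not line or line[0] in "!#":       # '!' and '#' start a comment line
            continue
        if line.startswith("no "):            # 'no' disables the command
            commands.append((True, line[3:]))
        else:
            commands.append((False, line))
    return commands

def section_index(command):
    for index, prefixes in enumerate(SECTION_ORDER):
        if any(command.startswith(prefix) for prefix in prefixes):
            return index
    return None

def lint_rip_config(text):
    """Return a list of problems; an empty list means the file passes."""
    problems = []
    commands = parse_commands(text)
    version = 2                               # RIP v2 unless 'version 1' is set
    if any(not off and cmd == "version 1" for off, cmd in commands):
        version = 1
    if not any(not off and cmd == "router rip" for off, cmd in commands):
        problems.append("'router rip' is missing; every RIP configuration needs it")
    if not any(not off and cmd.startswith("ip rip authentication") for off, cmd in commands):
        problems.append("no RIP authentication is configured on any interface")
    last_section = -1
    for off, cmd in commands:
        section = section_index(cmd)
        if section is None:
            problems.append(f"'{cmd}': not a command from the RIP commands table")
            continue
        if section < last_section:
            problems.append(f"'{cmd}': out of order; sections must follow the table order")
        last_section = max(last_section, section)
        # RIP v2 needs the mask on every network address ('network ethN' is exempt).
        if not off and cmd.startswith("network ") and version == 2:
            target = cmd.split()[1]
            if target[0].isdigit() and "/" not in target:
                problems.append(f"'{cmd}': RIP v2 requires a subnet mask (A.B.C.D/M)")
    return problems

def rip_v1_policy_source(interface_cidr):
    """Broadcast address the DR-RIP-Allow policy must allow as source for RIP v1."""
    return str(ipaddress.ip_interface(interface_cidr).network.broadcast_address)

# Constructed sample: the guide's sample file with the MD5 and network
# commands enabled.  It passes every check.
GOOD_CONFIG = """
key chain KEYCHAIN
 key 1
  key-string AUTHKEY
interface eth1
 ip rip authentication mode md5
 ip rip authentication key-chain KEYCHAIN
router rip
 version 2
 network 192.168.253.0/24
 neighbor 192.168.253.254
 redistribute static
"""

# Constructed sample with three mistakes: no authentication, a RIP v2
# network without a mask, and a section that appears after a later one.
BAD_CONFIG = """
router rip
 network 192.168.253.0
 redistribute connected
 passive-interface eth2
"""

if __name__ == "__main__":
    print("good:", lint_rip_config(GOOD_CONFIG) or "ok")
    for problem in lint_rip_config(BAD_CONFIG):
        print("bad:", problem)
    print("RIP v1 source for 203.0.113.2/24:", rip_v1_policy_source("203.0.113.2/24"))
```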
Sample RIP Routing Configuration File
To use any of the dynamic routing protocols with Fireware XTM, you must import or copy and paste a
configuration file for the dynamic routing daemon. This topic includes a sample configuration file for the
RIP routing daemon. If you want to use this configuration file as a base for your own configuration file,
copy the text into an application such as Notepad or Wordpad and save it with a new name. You can
then edit the parameters to meet the requirements of your organization.
Optional commands are commented with the "!" character. To enable a command, delete the "!" and
modify variables as necessary.
!! SECTION 1: Configure MD5 authentication keychains.
! Set MD5 authentication key chain name (KEYCHAIN), key number (1),
! and authentication key string (AUTHKEY).
! key chain KEYCHAIN
! key 1
! key-string AUTHKEY
!! SECTION 2: Configure interface properties.
! Set authentication for interface (eth1).
! interface eth1
!
! Set RIP simple authentication password (SHAREDKEY).
! ip rip authentication string SHAREDKEY
!
! Set RIP MD5 authentication and MD5 keychain (KEYCHAIN).
! ip rip authentication mode md5
! ip rip authentication key-chain KEYCHAIN
!! SECTION 3: Configure global RIP daemon properties.
! Set RIP to send or receive version 1; default is version 2.
! ip rip send version 1
! ip rip receive version 1
!
! Enable RIP daemon. Must be enabled for all RIP configurations.
! router rip
!
! Set RIP version to 1; default is version 2.
! version 1
!
! Disable split-horizon; default is enabled. Split-horizon helps prevent routing
! loops, so disable it only when your topology requires it.
! no ip split-horizon
!! SECTION 4: Configure interfaces and networks.
! Disable RIP send and receive on interface (eth0).
! no network eth0
!
! Set RIP to receive-only on interface (eth2).
! passive-interface eth2
!
! Set RIP to receive-only on all interfaces.
! passive-interface default
!
! Enable RIP broadcast (version 1) or multicast (version 2) on
! network (192.168.253.0/24).
! network 192.168.253.0/24
!
! Set unicast routing table updates to neighbor (192.168.253.254).
! neighbor 192.168.253.254
!! SECTION 5: Redistribute RIP routes to peers and inject OSPF or BGP
!! routes to RIP routing table.
! Share route of last resort (default route) from kernel routing table
! with RIP peers.
! default-information originate
!
! Redistribute firewall static routes to RIP peers.
! redistribute static
!
! Set route maps (MAPNAME) to restrict route redistribution in Section 6.
! Redistribute routes from all interfaces to RIP peers or with a route map
! filter (MAPNAME).
! redistribute connected
! redistribute connected route-map MAPNAME
!
! Redistribute routes from OSPF to RIP or with a route map filter (MAPNAME).
! redistribute ospf
! redistribute ospf route-map MAPNAME
!
! Redistribute routes from BGP to RIP or with a route map filter (MAPNAME).
! redistribute bgp
! redistribute bgp route-map MAPNAME
!! SECTION 6: Configure route redistribution filters with route maps and
!! access lists.
! Create an access list to only allow redistribution of 172.16.30.0/24.
! access-list LISTNAME permit 172.16.30.0/24
! access-list LISTNAME deny any
!
! Create a route map with name MAPNAME and allow with a priority of 10.
! route-map MAPNAME permit 10
! match ip address LISTNAME
Configure IPv6 Routing with RIPng
Use RIPng for dynamic routing between IPv6 networks.
1. Select Network > Dynamic Routing.
The Dynamic Routing Setup dialog box appears.
2. Select the Enable Dynamic Routing check box.
3. Select the RIPng tab.
4. Select the Enable RIPng check box.
5. Click Import to import a routing daemon configuration file, or copy and paste your configuration
file in the text box.
6. Click OK.
If an enabled dynamic routing policy does not exist, Policy Manager asks if you want to add the
required policy.
7. Click Yes to add the required dynamic routing policy.
Policy Manager adds the required dynamic routing policy, or enables an existing RIPng dynamic
routing policy, if one exists.
When you enable RIPng, the dynamic routing policy called DR-RIPng-Allow is automatically created.
You can edit this policy to add authentication and restrict the policy to listen on only the correct
interfaces. The DR-RIPng-Allow policy is configured to allow RIPng multicasts to the reserved
multicast address for RIPng, FF02::9.
After you configure the XTM device and the RIPng router, you can use Firebox System Manager to see
the dynamic routes. In Firebox System Manager, click the Status Report tab. The RIP section shows
route updates that the XTM device has received from the RIPng router.
RIPng Commands
Fireware XTM uses the Quagga routing software suite v0.99.18, which supports most routing
commands available in more recent versions of Quagga.
To create or modify a routing configuration file, you must use the correct routing commands. The
subsequent table is a catalog of some of the supported routing commands that you can use in a RIPng
configuration. The sections must appear in the configuration file in the same order they appear in this
table.
Configure interfaces
no ipv6 ripng split-horizon
    Disable split-horizon; enabled by default

Configure RIPng routing daemon
router ripng
    Enable RIPng

Configure interfaces and networks
network eth[N]
    Enable RIPng on the specified interface
network [A:B:C:D:E:F:G:H/M]
    Enable RIPng on the specified network
passive-interface eth[N]
    Set the specified interface to passive mode (receive only)

Distribute routes to RIPng peers and inject OSPF or BGP routes to RIPng routing table
route [A:B:C:D:E:F:G:H/M]
    Enable RIPng static route announcements for the specified IPv6 network
distribute-list [ACCESS-LIST] (in|out) eth[N]
    Filter RIPng routes on the specified interface with the specified access list. The in or out
    parameter selects whether the list applies to incoming or outgoing updates on that interface.
distribute-list prefix [PREFIX-LIST] (in|out) eth[N]
    Filter RIPng routes on the specified interface with the specified prefix list. The in or out
    parameter selects whether the list applies to incoming or outgoing updates on that interface.
default-information originate
    Share route of last resort (default route) with RIPng peers
default-metric [1-16]
    Set the default metric value for redistributed routes; the metric must be an integer from 1 to 16
redistribute static
    Redistribute firewall static routes to RIPng peers
redistribute static route-map [MAPNAME]
    Redistribute static routes, with a route map filter (MAPNAME)
redistribute connected
    Redistribute routes from all interfaces to RIPng peers
redistribute connected route-map [MAPNAME]
    Redistribute routes from all interfaces to RIPng peers, with a route map filter (MAPNAME)
redistribute ospf6
    Redistribute routes from OSPFv3 to RIPng
redistribute ospf6 route-map [MAPNAME]
    Redistribute routes from OSPFv3 to RIPng, with a route map filter (MAPNAME)
redistribute bgp
    Redistribute routes from BGP to RIPng
redistribute bgp route-map [MAPNAME]
    Redistribute routes from BGP to RIPng, with a route map filter (MAPNAME)

Configure route redistribution filters with route maps and access lists
ipv6 access-list [ACCESS-LIST] [permit|deny] [A:B:C:D:E:F:G:H/M | any]
    Create an IPv6 access list that permits or denies redistribution of one network prefix, or of all routes (any)
ipv6 prefix-list [PREFIX-LIST] [permit|deny] [A:B:C:D:E:F:G:H/M | any]
    Create an IPv6 prefix list with the specified name
route-map [MAPNAME] permit [N]
    Create a route map named MAPNAME with a permit entry of sequence number N
match interface eth[N]
    Match the specified interface
About Open Shortest Path First (OSPF and
OSPFv3) Protocol
Support for this protocol is available only on Fireware XTM with a Pro upgrade.
OSPF (Open Shortest Path First) is an interior routing protocol used in larger networks. With OSPF, a
router that sees a change to its routing table or that detects a change in the network immediately sends
a multicast update to all other routers in the network. OSPF is different from RIP because:
- OSPF sends only the part of the routing table that has changed in its transmission. RIP sends
  the full routing table each time.
- OSPF sends a multicast only when its information has changed. RIP sends the routing table
  every 30 seconds.
Also, note the following about OSPF:
- If you have more than one OSPF area, one area must be area 0.0.0.0 (the backbone area).
- All areas must be adjacent to the backbone area. If they are not, you must configure a virtual
  link to the backbone area.
Fireware XTM supports OSPFv2 for IPv4 dynamic routing, and OSPFv3 for IPv6 dynamic routing.
For more information about IPv4 routing with OSPF v2, see:
- Configure IPv4 Routing with OSPF
- OSPF Commands
- Sample OSPF Routing Configuration File
For more information about IPv6 routing with OSPF v3, see:
- Configure IPv6 Routing with OSPFv3
- OSPFv3 Commands
- Sample OSPFv3 Routing Configuration File
Configure IPv4 Routing with OSPF
1. Select Network > Dynamic Routing.
The Dynamic Routing Setup dialog box appears.
2. Select the Enable Dynamic Routing check box.
3. Select the OSPF tab.
4. Select the Enable OSPF check box.
5. Click Import to import a routing daemon configuration file, or copy and paste your configuration
file in the text box.
For more information, see About Routing Daemon Configuration Files on page 470.
To get started, you need only two commands in your OSPF configuration file. These two
commands, in this order, start the OSPF process and tell it which interface network to listen on
and advertise:
router ospf
network <network address and mask of the interface you want the process to listen on and distribute
through the protocol> area <area ID in x.x.x.x format, such as 0.0.0.0>
If you enable OSPF for a FireCluster, you must set the router-id in the OSPF
configuration to the interface IP address used by the cluster. This is to make sure
that the routing protocol does not try to use the FireCluster management IP address
as the router-id. Do not use the FireCluster management IP address or cluster
IP address as the router-id. To set the router-id, use the command ospf router-id
<ip-address> in your OSPF configuration.
6. Click OK.
If an enabled dynamic routing policy does not exist, Policy Manager asks if you want to add the
required policy.
7. Click Yes to add the required dynamic routing policy.
Policy Manager adds the required dynamic routing policy, or enables an existing OSPF dynamic
routing policy, if one exists.
For OSPF, the automatically created dynamic routing policy is called DR-OSPF-Allow. You can edit
this policy to add authentication and restrict the policy to listen on only the correct interfaces. The
DR-OSPF-Allow policy is configured to allow OSPF multicasts to the reserved multicast addresses for
OSPF, 224.0.0.5 and 224.0.0.6.
After you configure the XTM device and the OSPF router, you can use Firebox System Manager to see
the dynamic routes. In Firebox System Manager, click the Status Report tab. The OSPF section
shows route updates that the XTM device has received from the OSPF router.
OSPF Commands
To create or modify a routing configuration file, you must use the correct routing commands. The
subsequent table is a catalog of supported routing commands for OSPF. The sections must appear in
the configuration file in the same order they appear in this table. You can also use the sample text
found in the Sample OSPF Routing Configuration File on page 488.
Configure Interface
interface eth[N]
    Begin section to set properties for interface eth[N]
ip ospf authentication-key [PASSWORD]
    Set OSPF simple (plaintext) authentication password
ip ospf message-digest-key [KEY-ID] md5 [KEY]
    Set MD5 authentication key ID and key
ip ospf cost [1-65535]
    Set link cost for the interface (see the OSPF Interface Cost Table below)
ip ospf hello-interval [1-65535]
    Set interval to send hello packets; default is 10 seconds
ip ospf dead-interval [1-65535]
    Set interval after last hello from a neighbor before declaring it down; default is 40 seconds
ip ospf retransmit-interval [1-65535]
    Set interval between link-state advertisement (LSA) retransmissions; default is 5 seconds
ip ospf transmit-delay [1-3600]
    Set time required to send an LSA update; default is 1 second
ip ospf priority [0-255]
    Set router priority; a higher value increases eligibility to become the designated router (DR)

Configure OSPF Routing Daemon
router ospf
    Enable OSPF daemon
ospf router-id [A.B.C.D]
    Set the router ID for OSPF manually; the router determines its own ID if not set
ospf rfc1583compatibility
    Enable RFC 1583 compatibility (can lead to routing loops)
ospf abr-type [cisco|ibm|shortcut|standard]
    Set the area border router (ABR) type; more information is in draft-ietf-ospf-abr-alt-05.txt
passive-interface eth[N]
    Disable OSPF announcements on interface eth[N]
auto-cost reference-bandwidth [0-429495]
    Set the reference bandwidth used to compute link costs (see the OSPF Interface Cost Table below);
    do not use together with the "ip ospf cost" command
timers spf [0-4294967295] [0-4294967295]
    Set OSPF SPF schedule delay and hold time

Enable OSPF on a Network
The "area" variable can be typed in two formats: [W.X.Y.Z]; or as an integer [Z].
network [A.B.C.D/M] area [Z]
    Announce OSPF on network A.B.C.D/M for area 0.0.0.Z

Configure Properties for Backbone Area or Other Areas
The "area" variable can be typed in two formats: [W.X.Y.Z]; or as an integer [Z].
area [Z] range [A.B.C.D/M]
    Create area 0.0.0.Z and set a classful network range for the area (the range and the interface
    network and mask settings should match)
area [Z] virtual-link [W.X.Y.Z]
    Set virtual link neighbor for area 0.0.0.Z
area [Z] stub
    Set area 0.0.0.Z as a stub area
area [Z] stub no-summary
    Set area 0.0.0.Z as a totally stubby area (no summary LSAs are sent into it)
area [Z] authentication
    Enable simple password authentication for area 0.0.0.Z
area [Z] authentication message-digest
    Enable MD5 authentication for area 0.0.0.Z

Redistribute OSPF Routes
default-information originate
    Share route of last resort (default route) with OSPF
default-information originate metric [0-16777214]
    Share route of last resort (default route) with OSPF, and set the metric used to generate the default route
default-information originate always
    Always share the route of last resort (default route), even if the firewall has no default route itself
default-information originate always metric [0-16777214]
    Always share the route of last resort (default route), and set the metric used to generate the default route
redistribute static
    Redistribute firewall static routes to OSPF
redistribute connected
    Redistribute routes from all interfaces to OSPF
redistribute connected metric [0-16777214]
    Redistribute routes from all interfaces to OSPF, with the specified metric

Configure Route Redistribution with Access Lists and Route Maps
access-list [LISTNAME] permit [A.B.C.D/M]
    Create an access list that allows redistribution of A.B.C.D/M
access-list [LISTNAME] deny any
    Deny redistribution of any route not permitted above
route-map [MAPNAME] permit [N]
    Create a route map named MAPNAME with a permit entry of sequence number N
match ip address [LISTNAME]
    Match routes against access list LISTNAME (used inside the route map entry)
Sample OSPF Routing Configuration File
To use any of the dynamic routing protocols with Fireware XTM, you must import or copy and paste a
configuration file for the dynamic routing daemon. This topic includes a sample configuration file for the
OSPF routing daemon. To use this configuration file as a base for your own configuration file, copy the
text into a new text file and save it with a new name. You can then edit the parameters to meet the
requirements of your organization.
Optional commands are commented with the "!" character. To enable a command, delete the "!" and
modify variables as necessary.
!! SECTION 1: Configure interface properties.
! Set properties for interface eth1.
! interface eth1
!
! Set simple authentication password (SHAREDKEY).
! ip ospf authentication-key SHAREDKEY
!
! Set MD5 authentication key ID (10) and MD5 authentication key (AUTHKEY).
! ip ospf message-digest-key 10 md5 AUTHKEY
!
! Set link cost to 1000 (1-65535) on interface eth1; see the OSPF Interface
! Cost Table for suggested values.
! ip ospf cost 1000
!
! Set hello interval to 5 seconds (1-65535); default is 10 seconds.
! ip ospf hello-interval 5
!
! Set dead-interval to 15 seconds (1-65535); default is 40 seconds.
! ip ospf dead-interval 15
!
! Set interval between link-state advertisements (LSA) retransmissions
! to 10 seconds (1-65535); default is 5 seconds.
! ip ospf retransmit-interval 10
!
! Set LSA update interval to 3 seconds (1-3600); default is 1 second.
! ip ospf transmit-delay 3
!
! Set high priority (0-255) to increase eligibility to become the
! designated router (DR).
! ip ospf priority 255
!! SECTION 2: Start OSPF and set daemon properties.
! Enable OSPF daemon. Must be enabled for all OSPF configurations.
! router ospf
!
! Set the router ID manually to 203.0.113.20. If not set, the firewall will
! set its own ID based on an interface IP address.
! ospf router-id 203.0.113.20
!
! Enable RFC 1583 compatibility (increases probability of routing loops).
! ospf rfc1583compatibility
!
! Set area border router (ABR) type to cisco, ibm, shortcut, or standard.
! More information about ABR types is in draft-ietf-ospf-abr-alt-05.txt.
! ospf abr-type cisco
!
! Disable OSPF announcement on interface eth0.
! passive-interface eth0
!
! Set global cost to 1000 (0-429495).
! auto-cost reference-bandwidth 1000
!
! Set SPF schedule delay to 25 (0-4294967295) seconds and hold time to
! 20 (0-4294967295) seconds; default is 5 and 10 seconds.
! timers spf 25 20
!! SECTION 3: Set network and area properties. Set areas with W.X.Y.Z
!! or Z notation.
! Announce OSPF on network 192.168.253.0/24 network for area 0.0.0.0.
! network 192.168.253.0/24 area 0.0.0.0
!
! Create area 0.0.0.1 and set a classful network range (172.16.254.0/24)
! for the area (range and interface network settings must match).
! area 0.0.0.1 range 172.16.254.0/24
!
! Set virtual link neighbor (172.16.254.1) for area 0.0.0.1.
! area 0.0.0.1 virtual-link 172.16.254.1
!
! Set area 0.0.0.1 as a stub on all routers in area 0.0.0.1.
! area 0.0.0.1 stub
!
! Set area 0.0.0.2 as a totally stubby area (no summary LSAs).
! area 0.0.0.2 stub no-summary
!
! Enable simple password authentication for area 0.0.0.0.
! area 0.0.0.0 authentication
!
! Enable MD5 authentication for area 0.0.0.1.
! area 0.0.0.1 authentication message-digest
!! SECTION 4: Redistribute OSPF routes
! Share route of last resort (default route) from kernel routing table
! with OSPF peers.
! default-information originate
!
! Redistribute static routes to OSPF.
! redistribute static
!
! Redistribute routes from all interfaces to OSPF.
! redistribute connected
! redistribute connected route-map MAPNAME
!
! Redistribute routes from RIP and BGP to OSPF.
! redistribute rip
! redistribute bgp
!! SECTION 5: Configure route redistribution filters with access lists
!! and route maps.
! Create an access list to only allow redistribution of 10.0.2.0/24.
! access-list LISTNAME permit 10.0.2.0/24
! access-list LISTNAME deny any
!
! Create a route map with name MAPNAME and allow with a
! priority of 10 (1-199).
! route-map MAPNAME permit 10
! match ip address LISTNAME
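The RIP and OSPF sample files above ship with every authentication line commented out, so a file can be imported with peers left unauthenticated, or with only the simple (plaintext) password enabled. The Python script below is an added example, not WatchGuard or Quagga code: it reads a routing daemon configuration in the syntax used on this page, drops the "!" comment lines the same way the import does, and reports interfaces with no authentication or with a plaintext password only, RIPv1 (which has no authentication field at all), and OSPF areas that are announced but never enable authentication. It understands only the RIP and OSPF commands documented in the tables above, and the two embedded configurations are constructed samples.

```python
"""Pre-import audit of a Fireware XTM routing daemon configuration (Quagga
syntax) for weak or missing peer authentication.

Added example for this guide, not WatchGuard or Quagga code. It recognizes
only the RIP and OSPF commands documented above: interface eth[N] with
ip rip authentication ... / ip ospf authentication-key / ip ospf
message-digest-key, router rip with version 1, and router ospf with
network ... area and area ... authentication [message-digest].
"""
import ipaddress

# Interface-mode commands that configure a plaintext password.
PLAIN_AUTH = ("ip rip authentication string ", "ip ospf authentication-key ")
# Interface-mode commands that configure keyed-MD5 authentication.
MD5_AUTH = ("ip rip authentication mode md5", "ip rip authentication key-chain ",
            "ip ospf message-digest-key ")


def active_lines(text):
    """Return the commands that would actually run: '!' comment lines and
    blank lines are dropped and leading whitespace is ignored."""
    lines = (raw.strip() for raw in text.splitlines())
    return [line for line in lines if line and not line.startswith("!")]


def norm_area(area):
    """OSPF areas may be written as W.X.Y.Z or as an integer Z; compare them
    in dotted form so 'area 0' and 'area 0.0.0.0' are the same area."""
    return str(ipaddress.IPv4Address(int(area))) if area.isdigit() else area


def audit(text):
    """Return a list of findings (strings); an empty list means no issue."""
    findings = []
    iface = None          # interface currently being configured
    router = None         # 'rip' or 'ospf' once a 'router ...' line is seen
    iface_auth = {}       # interface -> set of {'plain', 'md5'}
    ripv1 = False
    areas_used = set()    # OSPF areas referenced by 'network ... area'
    area_auth = {}        # OSPF area -> 'plain' or 'md5'

    for line in active_lines(text):
        words = line.split()
        if words[0] == "interface" and len(words) > 1:
            iface = words[1]
            iface_auth.setdefault(iface, set())
        elif words[0] == "router" and len(words) > 1:
            router, iface = words[1], None
        elif iface is not None:
            if line.startswith(PLAIN_AUTH):
                iface_auth[iface].add("plain")
            elif line.startswith(MD5_AUTH):
                iface_auth[iface].add("md5")
            elif words[:2] == ["ip", "rip"] and words[-2:] == ["version", "1"]:
                ripv1 = True          # ip rip send|receive version 1
        elif router == "rip" and words == ["version", "1"]:
            ripv1 = True
        elif router == "ospf":
            if words[0] == "network" and len(words) == 4 and words[2] == "area":
                areas_used.add(norm_area(words[3]))
            elif words[0] == "area" and len(words) >= 3 and words[2] == "authentication":
                area_auth[norm_area(words[1])] = "md5" if "message-digest" in words else "plain"

    if router is None:
        findings.append("no 'router rip' or 'router ospf' statement: the daemon has nothing to run")
    if ripv1:
        findings.append("RIPv1 enabled: RIPv1 packets carry no authentication field")
    for name, kinds in sorted(iface_auth.items()):
        if not kinds:
            findings.append(f"interface {name}: no authentication configured")
        elif "md5" not in kinds:
            findings.append(f"interface {name}: plaintext password only (readable on the wire)")
    for area in sorted(areas_used):
        mode = area_auth.get(area)
        if mode is None:
            findings.append(f"OSPF area {area}: authentication not enabled for the area")
        elif mode == "plain":
            findings.append(f"OSPF area {area}: plaintext authentication; use 'authentication message-digest'")
    return findings


# Constructed sample: plaintext RIP password and RIPv1 on eth1 (weak).
WEAK_RIP = """\
interface eth1
 ip rip authentication string SHAREDKEY
 ip rip send version 1
router rip
 network 192.168.253.0/24
"""

# Constructed sample: MD5 key on eth1 and MD5 enabled for the backbone area.
STRONG_OSPF = """\
interface eth1
 ip ospf message-digest-key 10 md5 AUTHKEY
router ospf
 ospf router-id 203.0.113.20
 network 192.168.253.0/24 area 0
 area 0.0.0.0 authentication message-digest
"""

if __name__ == "__main__":
    for label, cfg in (("WEAK_RIP", WEAK_RIP), ("STRONG_OSPF", STRONG_OSPF)):
        print(label, audit(cfg) or ["ok"])
```

Run it against the file you are about to paste into the Dynamic Routing Setup dialog; an empty result for a file that still has its authentication lines commented out is impossible, because every configured interface is reported until an MD5 command appears under it.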
Configure IPv6 Routing with OSPFv3
Use OSPFv3 to configure dynamic routing for IPv6.
The OSPFv3 area and access-list commands are not supported.
1. Select Network > Dynamic Routing.
The Dynamic Routing Setup dialog box appears.
2. Select the Enable Dynamic Routing check box.
3. Select the OSPFv3 tab.
4. Select the Enable OSPFv3 check box.
5. Click Import to import a routing daemon configuration file, or copy and paste your configuration
file in the text box.
For more information, see About Routing Daemon Configuration Files on page 470.
6. Click OK.
If an enabled dynamic routing policy does not exist, Policy Manager asks if you want to add the
required policy.
7. Click Yes to add the required dynamic routing policy.
Policy Manager adds the required dynamic routing policy, or enables an existing OSPFv3 dynamic
routing policy, if one exists.
For OSPFv3, the automatically created dynamic routing policy is called DR-OSPFv3-Allow. You can
edit this policy to add authentication and restrict the policy to listen on only the correct interfaces. The
DR-OSPFv3-Allow policy is configured to allow OSPFv3 multicasts to the reserved multicast addresses
for OSPFv3, FF02::5 and FF02::6.
After you configure the XTM device and the OSPFv3 router, you can use Firebox System Manager to see
the dynamic routes. In Firebox System Manager, click the Status Report tab. The OSPF section
shows route updates that the XTM device has received from the OSPFv3 router.
OSPFv3 Commands
Fireware XTM uses the Quagga routing software suite v0.99.18, which supports most routing
commands available in more recent versions of Quagga.
To create or modify a routing configuration file, you must use the correct routing commands. The
subsequent table is a list of some supported routing commands for OSPFv3. The sections must
appear in the configuration file in the same order they appear in this table. You can also use the sample
text found in the Sample OSPFv3 Routing Configuration File.
The OSPFv3 area and access-list commands are not supported.
Configure Interface Properties
interface eth[N]
    Begin section to set properties for interface eth[N]
ipv6 ospf6 cost [1-65535]
    Set link cost for the interface (see the OSPF Interface Cost Table below)
ipv6 ospf6 hello-interval [1-65535]
    Set interval to send hello packets; default is 10 seconds
ipv6 ospf6 dead-interval [1-65535]
    Set interval after last hello from a neighbor before declaring it down; default is 40 seconds
ipv6 ospf6 retransmit-interval [1-65535]
    Set interval between link-state advertisement (LSA) retransmissions; default is 5 seconds
ipv6 ospf6 transmit-delay [1-3600]
    Set time required to send an LSA update; default is 1 second
ipv6 ospf6 priority [0-255]
    Set router priority; a higher value increases eligibility to become the designated router (DR)
ipv6 ospf6 passive
    Disable OSPFv3 announcements for the interface

Configure OSPFv3 Routing Daemon
router ospf6
    Enable OSPFv3 daemon
router-id [A.B.C.D]
    Set the router ID for OSPFv3 manually; the router determines its own ID if not set

Set OSPFv3 network and area properties
The "area" variable can be typed in two formats: [W.X.Y.Z]; or as an integer [Z].
interface eth[N] area [W.X.Y.Z]
    Bind the interface to the area and send OSPFv3 packets on it

Redistribute OSPFv3 Routes
default-information originate
    Share route of last resort (default route) with OSPFv3
default-information originate metric [0-16777214]
    Share route of last resort (default route) with OSPFv3, and set the metric used to generate the default route
default-information originate always
    Always share the route of last resort (default route), even if the firewall has no default route itself
default-information originate always metric [0-16777214]
    Always share the route of last resort (default route), and set the metric used to generate the default route
redistribute static
    Redistribute firewall static routes to OSPFv3
redistribute connected
    Redistribute routes from all interfaces to OSPFv3
redistribute connected route-map [MAPNAME]
    Redistribute routes from all interfaces to OSPFv3, with a route map filter (MAPNAME)

Configure Route Redistribution with Prefix Lists and Route Maps
ipv6 prefix-list [LISTNAME] [permit|deny] [A:B:C:D:E:F:G:H/M | any]
    Create a prefix list that permits or denies route redistribution
route-map [MAPNAME] permit [N]
    Create a route map named MAPNAME with a permit entry of sequence number N
match ipv6 address prefix-list [LISTNAME]
    Match the specified prefix list
OSPF Interface Cost Table
The OSPF protocol finds the most efficient route between two points. To do this, it looks at factors
such as interface link speed, the number of hops between points, and other metrics. By default, OSPF
uses the actual link speed of a device to calculate the total cost of a route. You can set the interface
cost manually to help maximize efficiency if, for example, your gigabit firewall interface is connected to
a 100M router. Use the numbers in this table to manually set the interface cost to a value different from
the cost derived from the actual interface speed.
Interface Type   Bandwidth (bits/second)   Bandwidth (bytes/second)   OSPF Interface Cost
Ethernet         1G                        128M                       1
Ethernet         100M                      12.5M                      10
Ethernet         10M                       1.25M                      100
Modem            2M                        256K                       500
Modem            1M                        128K                       1000
Modem            500K                      62.5K                      2000
Modem            250K                      31.25K                     4000
Modem            125K                      15625                      8000
Modem            62500                     7812                       16000
Serial           115200                    14400                      10850
Serial           57600                     7200                       21700
Serial           38400                     4800                       32550
Serial           19200                     2400                       61120
Serial           9600                      1200                       65535
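The Ethernet and modem rows of this table follow one formula: cost = reference bandwidth / link bandwidth, truncated to an integer and clamped to the 1 to 65535 range of the OSPF metric field, with a reference bandwidth of 1 Gbit/s (the serial rows do not follow the same ratio and are not reproduced here). The Python below is an added example, not WatchGuard or Quagga code. It reproduces those rows and shows the practical reason to set auto-cost reference-bandwidth instead of relying on the default: I assume ospfd's default reference is 100 Mbit/s, and under that default a 1G link and a 100M link both get cost 1, so OSPF cannot prefer the faster path.

```python
"""OSPF interface cost from link bandwidth and the reference bandwidth.

Added example for this guide, not WatchGuard or Quagga code. Assumption:
ospfd uses a 100 Mbit/s reference bandwidth when 'auto-cost
reference-bandwidth' is not set.
"""
OSPF_MAX_COST = 65535          # 16-bit metric field; ip ospf cost accepts 1-65535
QUAGGA_DEFAULT_REF_MBPS = 100  # assumed ospfd default reference bandwidth
TABLE_REF_MBPS = 1000          # reference that reproduces the table's Ethernet and modem rows


def ospf_cost(link_bps, reference_mbps=QUAGGA_DEFAULT_REF_MBPS):
    """cost = reference bandwidth / link bandwidth, truncated to an integer
    and clamped to 1..65535 (faster than the reference still costs 1)."""
    if link_bps <= 0:
        raise ValueError("link bandwidth must be positive")
    raw = (reference_mbps * 1_000_000) // link_bps
    return max(1, min(OSPF_MAX_COST, raw))


def cost_table(links_bps, reference_mbps):
    """Return {link_bps: cost} for the given links under one reference."""
    return {bw: ospf_cost(bw, reference_mbps) for bw in links_bps}


def distinguishable(links_bps, reference_mbps):
    """True when every link gets a distinct cost, so OSPF can prefer the
    faster of any two of them. With too small a reference, fast links all
    collapse to cost 1 and bandwidth no longer decides the path."""
    costs = cost_table(links_bps, reference_mbps).values()
    return len(set(costs)) == len(set(links_bps))


# Constructed inputs: the Ethernet and modem link speeds from the table.
ETHERNET_AND_MODEM = [1_000_000_000, 100_000_000, 10_000_000, 2_000_000,
                      1_000_000, 500_000, 250_000, 125_000, 62_500]

if __name__ == "__main__":
    for ref in (QUAGGA_DEFAULT_REF_MBPS, TABLE_REF_MBPS):
        print(f"reference {ref} Mbit/s:", cost_table(ETHERNET_AND_MODEM, ref),
              "distinct costs" if distinguishable(ETHERNET_AND_MODEM, ref) else "ties")
```

If you set auto-cost reference-bandwidth, do not also set ip ospf cost on the same interfaces; the table above is for the manual case.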
About Border Gateway Protocol (BGP)
Support for this protocol is available only in Fireware XTM with a Pro upgrade.
Border Gateway Protocol (BGP) is a scalable dynamic routing protocol used on the Internet by groups
of routers to share routing information. BGP uses route parameters or attributes to define routing
policies and create a stable routing environment. This protocol allows you to advertise more than one
path to and from the Internet to your network and resources, which gives you redundant paths and can
increase your uptime.
Hosts that use BGP use TCP to send updated routing table information when one host finds a change.
The host sends only the part of the routing table that has the change. BGP uses classless interdomain
routing (CIDR) to reduce the size of the Internet routing tables. The size of the BGP routing table in
Fireware XTM is set at 32K.
The size of the typical WatchGuard customer wide area network (WAN) is best suited for OSPF
dynamic routing. A WAN can also use external border gateway protocol (EBGP) when more than one
gateway to the Internet is available. EBGP allows you to take full advantage of the redundancy
possible with a multi-homed network.
To participate in BGP with an ISP you must have a public autonomous system number (ASN). You
must get an ASN from one of the regional registries in the table below. After you are assigned your own
ASN, you must contact each ISP to get their ASNs and other necessary information.
Region          Registry Name   Web Site
North America   ARIN            www.arin.net
Europe          RIPE NCC        www.ripe.net
Asia Pacific    APNIC           www.apnic.net
Latin America   LACNIC          www.lacnic.net
Africa          AfriNIC         www.afrinic.net
Configure IPv4 and IPv6 Routing with BGP
To participate in BGP with an ISP you must have a public autonomous system number (ASN). For
more information, see About Border Gateway Protocol (BGP) on page 496. You can configure BGP to
do dynamic routing for both IPv4 and IPv6 networks.
1. Select Network > Dynamic Routing.
The Dynamic Routing Setup dialog box appears.
2. Select the Enable Dynamic Routing check box.
3. Select the BGP tab.
4. Select the Enable BGP check box.
5. Click Import to import a routing daemon configuration file.
Or, copy and paste your configuration file in the text box.
For more information, see About Routing Daemon Configuration Files on page 470.
To get started, you need only three commands in your BGP configuration file. These three
commands start the BGP process, set up a peer relationship with the ISP, and announce one of
your networks to the Internet. You must use the commands in this order.
router bgp <your BGP autonomous system number, supplied by your ISP>
network <network IP address and mask that you want to advertise a route to from the Internet>
neighbor <IP address of neighboring BGP router> remote-as <BGP autonomous system number of that neighbor>
If you enable BGP for a FireCluster, you must set the router-id in the BGP
configuration to the IP address of the XTM device interface that connects to the
router. This is to make sure that the routing protocol does not try to use
the FireCluster management IP address as the router-id. Do not use the FireCluster
management IP address or cluster IP address as the router-id. To set the router-id,
use the command bgp router-id <ip-address> in your BGP configuration, where
ip-address is the IP address of the XTM device interface that connects to the
router.
6. Click OK.
If an enabled dynamic routing policy does not exist, Policy Manager asks if you want to add the
required dynamic routing policy.
7. Click Yes to add the required dynamic routing policy.
Policy Manager adds the required dynamic routing policy, or enables an existing BGP dynamic
routing policy, if one exists.
For BGP, the automatically created dynamic routing policy is called DR-BGP-Allow. You can edit this
policy to add authentication and restrict the policy to listen on only the correct interfaces.
After you configure the XTM device and the BGP router, you can use Firebox System Manager to see
the dynamic routes. In Firebox System Manager, click the Status Report tab. The BGP section shows
route updates that the XTM device has received from the BGP router.
BGP Commands
Fireware XTM uses the Quagga routing software suite v0.99.18, which supports most routing
commands available in more recent versions of Quagga.
To create or modify a routing configuration file, you must use the correct routing commands. The
subsequent table is a list of some of the supported BGP routing commands. The sections must appear
in the configuration file in the same order they appear in this table.
Do not use BGP configuration parameters that you do not get from your ISP.
Section
Command
Description
Configure BGP Routing Daemon
router bgp [ASN]
Enable BGP daemon and set autonomous system
number (ASN); this is supplied by your ISP.
bgp router-id [A.B.C.D]
Configure the router ID.
network [A.B.C.D/M]
Announce BGP on network: A.B.C.D/M, identifies the
subnet to advertise.
no network [A.B.C.D/M]
Disable BGP announcements on network A.B.C.D/M
ipv6 bgp network
[A:B:C:D:E:F:G:H/M]
Announce BGP on network.
ipv6 bgp aggregate-prefix
[A:B:C:D:E:F:G:H/M]
Configure BGP aggregate entries.
timers bgp [keepalive]
[holdtime]
Set the BGP keepalive time and the hold down time, in
seconds. The default keepalive time is 60 seconds, and
the default holdtime is 180 seconds. As a general rule,
the holdtime should be three times the keepalive time.
Set Neighbor Properties
500
neighbor
[A.B.C.D|A:B:C:D:E:F:G:H]
remote-as [ASN]
Set neighbor as a member of remote ASN.
neighbor
[A.B.C.D|A:B:C:D:E:F:G:H]
ebgp-multihop
Set neighbor on another network using EBGP multihop.
neighbor
[A.B.C.D|A:B:C:D:E:F:G:H]
version [4|4-]
Set BGP version (4, 4-) for communication with
neighbor; default is 4.
neighbor
[A.B.C.D|A:B:C:D:E:F:G:H]
update-source [WORD]
Set the BGP session to use a specific interface for TCP
connections.
neighbor
[A.B.C.D|A:B:C:D:E:F:G:H]
default-originate
Announce default route to BGP neighbor [A,B,C,D].
neighbor
[A.B.C.D|A:B:C:D:E:F:G:H]
port 189
Set custom TCP port to communicate with BGP
neighbor [A,B,C,D].
neighbor
[A.B.C.D|A:B:C:D:E:F:G:H]
send-community
Set peer send-community.
WatchGuard System Manager
Dynamic Routing
Section
Command
Description
neighbor
[A.B.C.D|A:B:C:D:E:F:G:H]
weight 1000
Set a default weight for neighbor's [A.B.C.D] routes.
neighbor
[A.B.C.D|A:B:C:D:E:F:G:H]
maximum-prefix [NUMBER]
Set maximum number of prefixes allowed from this
neighbor.
neighbor
[A.B.C.D|A:B:C:D:E:F:G:H]
timers connect [time]
Set the BGP connection timer, in seconds.
Set IPv6 Address Family command mode
address-family ipv6
Enter the IPv6 address family command mode.
neighbor [A:B:C:D:E:F:G:H]
activate
The neighbor activate command must be used in the
address-family ipv6 mode.
network
[A:B:C:D:E:F:G:H/M]
This network statement here can replace the “ipv6 bgp
network [A:B:C:D:E:F:G:H/M]” command. This works
only within the address-family ipv6 mode.
exit-address-family
Exit the IPv6 address family command mode.
Community Lists
ip community-list [<199>|<100-199>] permit
AA:NN
Specify community to accept autonomous system
number and network number separated by a colon.
Peer Filtering
User Guide
neighbor
[A.B.C.D|A:B:C:D:E:F:G:H]
distribute-list [LISTNAME]
[IN|OUT]
Set distribute list and direction for peer.
neighbor
[A.B.C.D|A:B:C:D:E:F:G:H]
prefix-list [LISTNAME]
[IN|OUT]
To apply a prefix list to be matched to incoming
advertisements or outgoing advertisements to that
neighbor.
neighbor
[A.B.C.D|A:B:C:D:E:F:G:H]
filter-list [LISTNAME]
[IN|OUT]
To match an autonomous system path access list to
incoming routes or outgoing routes.
neighbor
[A.B.C.D|A:B:C:D:E:F:G:H]
route-map [MAPNAME]
To apply a route map to incoming or outgoing routes.
501
Dynamic Routing
Section
Command
Description
[IN|OUT]
Redistribute Routes to BGP
redistribute static
    Redistribute static routes to BGP
redistribute ripng
    Redistribute RIPng routes to BGP
redistribute ospf6
    Redistribute OSPFv3 routes to BGP
Route Reflection
bgp cluster-id A.B.C.D
    Configure the cluster ID if the BGP cluster has more than one route reflector.
neighbor [W.X.Y.Z|A:B:C:D:E:F:G:H] route-reflector-client
    Configure the router as a BGP route reflector and configure the specified neighbor as its client.
Access Lists and IP Prefix Lists
ip prefix-list [PRELIST] permit A.B.C.D/E
    Set IPv4 prefix list
ipv6 prefix-list [PRELIST] [deny|permit] [A:B:C:D:E:F:G:H/M|Any]
    Set IPv6 prefix list
access-list NAME [deny|permit] A.B.C.D/E
    Set IPv4 access list
ipv6 access-list [NAME] [deny|permit] [A:B:C:D:E:F:G:H/M|Any]
    Set IPv6 access list
route-map [MAPNAME] [deny|permit] [N]
    In conjunction with the "match" and "set" commands, this defines the conditions and actions for redistributing routes
match ip address prefix-list [LISTNAME]
    Match the specified access list
set community [A:B]
    Set the BGP community attribute
match community [N]
    Match the specified community list
set local-preference [N]
    Set the preference value for the autonomous system path
Sample BGP Routing Configuration File
To use any of the dynamic routing protocols with Fireware XTM, you must import or type a
configuration file for the dynamic routing daemon. This topic includes a sample configuration file for the
BGP routing daemon. If you want to use this configuration file as a base for your own configuration file,
copy the text into an application such as Notepad or Wordpad and save it with a new name. You can
then edit the parameters to meet your own business requirements.
Optional commands are commented with the "!" character. To enable a command, delete the "!" and
modify variables as necessary.
Sample 1 — IPv4
!! SECTION 1: Start BGP daemon and announce network blocks to BGP neighbors
! Enable BGP and set local ASN to 100
! router bgp 100
! Announce local network 192.0.2.0/24 to all neighbors defined in section 2
! network 192.0.2.0/24
!! SECTION 2: Neighbor properties
! Set neighbor (192.0.2.1) as member of remote ASN (200)
! neighbor 192.0.2.1 remote-as 200
! Set neighbor (203.0.113.1) on another network using EBGP multi-hop
! neighbor 203.0.113.1 remote-as 300
! neighbor 203.0.113.1 ebgp-multihop
! Set BGP version (4, 4-) for communication with a neighbor; default is 4
! neighbor 192.0.2.1 version 4
! Announce default route to BGP neighbor (192.0.2.1)
! neighbor 192.0.2.1 default-originate
! Set custom TCP port 189 to communicate with BGP neighbor (192.0.2.1). Default port is TCP 179
! neighbor 192.0.2.1 port 189
! Set peer send-community
! neighbor 192.0.2.1 send-community
! Set a default weight for neighbors (192.0.2.1) routes
! neighbor 192.0.2.1 weight 1000
! Set maximum number of prefixes allowed from this neighbor
! neighbor 192.0.2.1 maximum-prefix NUMBER
!! SECTION 3: Set community lists
! ip community-list 70 permit 7000:80
!! SECTION 4: Announcement filtering
! Set distribute list and direction for peer
! neighbor 192.0.2.1 distribute-list LISTNAME [in|out]
! To apply a prefix list to be matched to incoming or outgoing advertisements to that neighbor
! neighbor 192.0.2.1 prefix-list LISTNAME [in|out]
! To match an autonomous system path access list to incoming or outgoing routes
! neighbor 192.0.2.1 filter-list LISTNAME [in|out]
! To apply a route map to incoming or outgoing routes
! neighbor 192.0.2.1 route-map MAPNAME [in|out]
!! SECTION 5: Redistribute routes to BGP
! Redistribute static routes to BGP
! redistribute static
! Redistribute RIP routes to BGP
! redistribute rip
! Redistribute OSPF routes to BGP
! redistribute ospf
!! SECTION 6: Route reflection
! Set cluster ID and firewall as a client of route reflector server 198.51.100.254
! bgp cluster-id A.B.C.D
! neighbor 198.51.100.254 route-reflector-client
!! SECTION 7: Access lists and IP prefix lists
! Set prefix list
! ip prefix-list PRELIST permit 10.0.0.0/8
! Set access list
! access-list NAME deny 192.0.2.128/25
! access-list NAME permit 192.0.2.0/25
! Create a route map with name MAPNAME and allow with a priority of 10
! route-map MAPNAME permit 10
! match ip address prefix-list LISTNAME
! set community 7000:80
Sample 2 — IPv6
!! SECTION 1: Start BGP daemon and set BGP neighbors
! Enable BGP and set local ASN to 100
! router bgp 100
! Set router ID for BGP
! bgp router-id 1.1.1.1
! Set neighbor (2000::2) as member of remote ASN (200)
! neighbor 2000::2 remote-as 200
!! SECTION 2: Enter IPv6 Address Family command mode
! address-family ipv6
!! SECTION 3: Neighbor properties
! Activate neighbor 2000::2
! neighbor 2000::2 activate
! Announce default route to BGP neighbor (2000::2)
! neighbor 2000::2 default-originate
!!SECTION 4: Announce network
! Announce local network 3344::/64 to all neighbors
! network 3344::/64
!! SECTION 5: Announcement filtering
! Set distribute list and direction for peer
! neighbor 2000::2 distribute-list LISTNAME [in|out]
! To apply a prefix list to be matched to incoming or outgoing advertisements to that neighbor
! neighbor 2000::2 prefix-list PRELIST [in|out]
! To match an autonomous system path access list to incoming or outgoing routes
! neighbor 2000::2 filter-list LISTNAME [in|out]
! To apply a route map to incoming or outgoing routes
! neighbor 2000::2 route-map MAPNAME [in|out]
!! SECTION 6: Redistribute routes to BGP
! Redistribute static routes to BGP
! redistribute static
! Redistribute RIPng routes to BGP
! redistribute ripng
! Redistribute OSPFv3 routes to BGP
! redistribute ospf6
!! SECTION 7: Exit IPv6 Address Family command mode
! exit-address-family
!! SECTION 8: Access lists and IP prefix lists
! Set prefix list
! ipv6 prefix-list PRELIST permit 3000::/64
! Set access list
! ipv6 access-list LISTNAME deny 4000::/64
! ipv6 access-list LISTNAME permit 4000::/25
! Create a route map with name MAPNAME and allow with a priority of 10
! route-map MAPNAME permit 10
! match ipv6 address LISTNAME
Sample 3 — IPv4 and IPv6
router bgp 65534
bgp router-id 10.15.1.1
timers bgp 5 15
network 10.15.2.0/24
ipv6 bgp network 1500::0/64
neighbor 172.16.255.2 remote-as 65535
neighbor 172.16.255.2 timers connect 5
neighbor fd00::25 remote-as 65535
neighbor fd00::25 timers connect 5
address-family ipv6
# network 1500::0/64 ### Note — you can use this in place of the ipv6 bgp network command above
neighbor fd00::25 activate ### Note — this neighbor activate command must be inside the address-family ipv6 mode in order to work
exit-address-family
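As an added example (not WatchGuard's code, nor the routing daemon's), the following Python script parses a BGP configuration written in the syntax of the three samples above and reports every neighbor that lacks an inbound filter (prefix-list, distribute-list, filter-list or route-map ... in) or a maximum-prefix limit, plus any IPv6 neighbor never activated inside address-family ipv6. The embedded configuration, its list names and its AS numbers are constructed for the example; commands that are still commented out with "!" are ignored, exactly as the daemon ignores them.

```python
"""Audit a Fireware XTM BGP dynamic-routing configuration for per-neighbor safeguards.

Added example, not WatchGuard's or the routing daemon's own code. It reads the
Quagga-style syntax used in the samples above ("router bgp", "neighbor ...",
"address-family ipv6" ... "exit-address-family"). Lines starting with "!" or "#"
are comments, so a safeguard that is still commented out does not count.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Neighbor:
    address: str
    remote_as: Optional[str] = None
    inbound_filters: List[str] = field(default_factory=list)
    outbound_filters: List[str] = field(default_factory=list)
    maximum_prefix: Optional[int] = None
    activated_ipv6: bool = False


# Per-neighbor commands that take a LISTNAME/MAPNAME followed by a direction.
FILTER_KEYWORDS = ("prefix-list", "distribute-list", "filter-list", "route-map")


def parse_bgp_config(text: str) -> Dict[str, Neighbor]:
    """Collect the neighbor statements of a BGP configuration, keyed by peer address."""
    neighbors: Dict[str, Neighbor] = {}
    in_ipv6_af = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "!#":
            continue  # comment, or an optional command that is still disabled
        tokens = line.split()
        if tokens[:2] == ["address-family", "ipv6"]:
            in_ipv6_af = True
            continue
        if tokens[0] == "exit-address-family":
            in_ipv6_af = False
            continue
        if tokens[0] != "neighbor" or len(tokens) < 3:
            continue
        addr, keyword, args = tokens[1], tokens[2], tokens[3:]
        nb = neighbors.setdefault(addr, Neighbor(addr))
        if keyword == "remote-as" and args:
            nb.remote_as = args[0]
        elif keyword == "maximum-prefix" and args and args[0].isdigit():
            nb.maximum_prefix = int(args[0])  # a placeholder such as NUMBER is not a limit
        elif keyword == "activate" and in_ipv6_af:
            nb.activated_ipv6 = True
        elif keyword in FILTER_KEYWORDS and len(args) >= 2:
            entry = f"{keyword} {args[0]}"
            direction = args[1].lower()
            if direction == "in":
                nb.inbound_filters.append(entry)
            elif direction == "out":
                nb.outbound_filters.append(entry)
    return neighbors


def audit(neighbors: Dict[str, Neighbor]) -> List[str]:
    """Return one finding per missing safeguard, sorted by neighbor address."""
    findings: List[str] = []
    for addr in sorted(neighbors):
        nb = neighbors[addr]
        if nb.remote_as is None:
            findings.append(f"{addr}: referenced but has no remote-as")
        if not nb.inbound_filters:
            findings.append(f"{addr}: no inbound filter "
                            "(prefix-list/distribute-list/filter-list/route-map ... in)")
        if nb.maximum_prefix is None:
            findings.append(f"{addr}: no maximum-prefix limit")
        if ":" in addr and not nb.activated_ipv6:
            findings.append(f"{addr}: IPv6 neighbor not activated in address-family ipv6")
    return findings


def audit_text(text: str) -> List[str]:
    """Parse and audit a configuration given as one string."""
    return audit(parse_bgp_config(text))


# Constructed sample in the syntax of the samples above (not from the guide): one peer
# is fully safeguarded, one has its limit still commented out, one is an IPv6 peer.
SAMPLE_CONFIG = """\
router bgp 65534
 bgp router-id 10.15.1.1
 network 10.15.2.0/24
 neighbor 172.16.255.2 remote-as 65535
 neighbor 172.16.255.2 prefix-list UPSTREAM-IN in
 neighbor 172.16.255.2 maximum-prefix 5000
 neighbor 192.0.2.1 remote-as 200
 ! neighbor 192.0.2.1 maximum-prefix 100
 neighbor fd00::25 remote-as 65535
 address-family ipv6
  neighbor fd00::25 activate
  neighbor fd00::25 route-map V6-IN in
 exit-address-family
ip prefix-list UPSTREAM-IN permit 10.0.0.0/8
route-map V6-IN permit 10
"""

if __name__ == "__main__":
    for finding in audit_text(SAMPLE_CONFIG):
        print(finding)  # three findings: two for 192.0.2.1, one for fd00::25
```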
11 FireCluster
About WatchGuard FireCluster
You can use WatchGuard FireCluster to configure two XTM devices as a cluster to increase network
performance and scalability.
FireCluster is not supported on some XTM device models. For more information, see
Supported XTM Models for FireCluster.
There are two configuration options available for a FireCluster: active/passive and active/active. To
add redundancy, choose an active/passive cluster. To add both redundancy and load sharing to your
network, select an active/active cluster.
When you enable FireCluster, you manage and monitor the two devices in the cluster as you would a
single device.
To configure an active/passive cluster, your network interfaces must be configured in mixed routing or
drop-in mode. To configure an active/active cluster, your network interfaces must be configured in
mixed routing mode. FireCluster does not support bridge network mode. For more information about
network modes, see About Network Interface Setup.
When FireCluster is enabled, your XTM devices continue to support:
- Secondary networks on external, trusted, or optional interfaces
- Multi-WAN connections
  (Limitation— A multi-WAN failover caused by a failed connection to a link monitor host does not trigger FireCluster failover. FireCluster failover occurs only when the physical interface is down or does not respond.)
- VLANs
- Dynamic routing
When a cluster member fails, the cluster seamlessly fails over and maintains:
- Packet filter connections
- BOVPN tunnels
- User sessions
When a failover event occurs, these connections may be disconnected:
- Proxy connections
- Mobile VPN with PPTP
- Mobile VPN with IPSec
- Mobile VPN with SSL
Mobile VPN users might have to manually restart the VPN connection after a failover.
For more information about FireCluster failover, see About FireCluster Failover on page 509.
FireCluster Status
To see the status of FireCluster in Firebox System Manager:
1. Start Firebox System Manager.
2. Find the FireCluster information, as described in XTM Device Status.
Use the Fireware XTM Web UI
In Fireware XTM v11.9 and higher, you can connect to the Fireware XTM Web UI for a FireCluster, but
you cannot use the Web UI to see or modify the FireCluster settings. For more information about how
to use the Web UI with a FireCluster, see the Fireware XTM Web UI help at
http://www.watchguard.com/help/documentation/.
About FireCluster Failover
The FireCluster failover process is the same for an active/active cluster or an active/passive cluster.
With both types of clusters, each cluster member maintains state and session information at all times.
When failover occurs, the packet filter connections, branch office VPN tunnels, and user sessions
from the failed device fail over automatically to the other device in the cluster.
One device is the cluster master and the other device is the backup master. The backup master uses
the primary cluster interface to synchronize connection and session information with the cluster
master. If the primary cluster interface fails or is disconnected, the backup master uses the backup
cluster interface to communicate with the cluster master. The cluster master also uses both the
primary and backup cluster interfaces to send a heartbeat packet once per second to the backup
master. We recommend that you always configure both a primary cluster interface and a backup
cluster interface.
Events that Trigger a Failover
There are three types of events that can trigger a failover of the cluster master.
Health index of the cluster master is lower than the health index of the backup master
Each cluster member has a calculated health index that indicates the overall health of the
device. If the health index of the cluster master is lower than the health index of the backup
master, this triggers failover of the cluster master.
For more information about the cluster health index, see Monitor Cluster Health.
Lost heartbeat from the cluster master
The cluster master sends a heartbeat packet through the primary and backup cluster interfaces
once per second. If the backup master does not receive three consecutive heartbeats from the
cluster master, this triggers failover of the cluster master. The default threshold for lost
heartbeats is three. You can increase the lost heartbeat threshold that triggers a failover in the
FireCluster Advanced settings.
For more information about the lost heartbeat threshold, see Configure FireCluster Advanced
Settings.
Cluster receives the Failover Master command
In Firebox System Manager, when you select Tools > Cluster > Failover Master, you force a
failover from the cluster master to the backup master.
For more information about this command, see Force a Failover of the Cluster Master on page
554.
What Happens When a Failover Occurs
When a failover of the cluster master occurs, the backup master becomes the cluster master. Then,
the original cluster master rejoins the cluster as the backup master. When a failover occurs, the cluster
maintains all packet filter connections, branch office VPN tunnels, and user sessions. This behavior is
the same for an active/active or an active/passive FireCluster.
In an active/active cluster, if the backup master fails, the cluster master maintains all packet filter
connections, branch office VPN tunnels, and user sessions. Proxy connections and Mobile VPN
connections can be interrupted, as described in the subsequent table. In an active/passive cluster, if
the backup master fails, there is no interruption of connections or sessions because no traffic is
assigned to the backup master.
Connection/Session Type and Impact of a Failover Event

Packet filter connections
    Connections fail over to the other cluster member.
Branch office VPN tunnels
    Tunnels fail over to the other cluster member.
User sessions
    Sessions fail over to the other cluster member.
Proxy connections
    Connections assigned to the failed device (master or backup master) must be restarted. Connections assigned to the other device are not interrupted.
Mobile VPN with IPSec
    If the cluster master fails over, all sessions must be restarted. If the backup master fails, only the sessions assigned to the backup master must be restarted. Sessions assigned to the cluster master are not interrupted.
Mobile VPN with SSL
    If either device fails over, all sessions must be restarted.
Mobile VPN with L2TP
    All L2TP sessions are assigned to the cluster master, even for an active/active cluster. If the cluster master fails over, all sessions must be restarted. If the backup master fails, L2TP sessions are not interrupted.
Mobile VPN with PPTP
    All PPTP sessions are assigned to the cluster master, even for an active/active cluster. If the cluster master fails over, all sessions must be restarted. If the backup master fails, PPTP sessions are not interrupted.
FireCluster Failover and Server Load Balancing
If you use server load balancing to balance connections between your internal servers, when a
FireCluster failover event occurs, real-time synchronization does not occur. After a failover, the new
cluster master sends connections to all servers in the server load balancing list to discover which
servers are available. It then applies the server load balancing algorithm to all available servers.
For information about server load balancing, see Configure Server Load Balancing on page 312.
FireCluster Failover and Dynamic Routing
When you enable dynamic routing on a FireCluster, only the cluster master participates directly in the
dynamic routing domain. The cluster master synchronizes dynamic route information to the other
cluster member. When a failover occurs, the new cluster master initially uses the previously learned
dynamic routes. The new cluster master then participates in the dynamic routing domain and uses the
configured dynamic routing protocol to discover the latest routes to all destination networks. When the
new cluster master discovers the updated dynamic routes, the old dynamic routes are purged and
replaced with the new ones.
The time it takes for the new cluster master and all connected routers to agree on a common set of
routes (the convergence time) depends on the dynamic routing protocol.
For RIPv1 and RIPv2
The peer RIP router does not detect the FireCluster failover event if the connection itself is not
interrupted during the failover.
OSPFv2
The peer router detects the FireCluster failover event. The convergence time for OSPF is from
10 to 40 seconds. The convergence time could be shorter, because the new cluster master
uses a set of known dynamic routes synchronized from the previous cluster master until it
discovers the updated dynamic routes.
BGPv4
The peer router detects the FireCluster failover event. The convergence time for BGP is from 1
to 3 minutes. The convergence time could be shorter, because the new cluster master uses a
set of known dynamic routes synchronized from the previous cluster master until it discovers
the updated dynamic routes.
Monitor the Cluster During a Failover
The role of each device in the cluster appears after the member name on the Firebox System Manager
Front Panel tab. If you look at the Front Panel tab during a failover of the cluster master, you can see
the cluster master role move from one device to another. During a failover, you see:
- The role of the old backup master changes from backup master to master.
- The role of the old cluster master changes to inactive and then to idle while the device restarts.
- The role of the old cluster master changes to backup master after the device restarts.
For more information, see Monitor and Control FireCluster Members on page 549.
Features Not Supported for a FireCluster
There are some Fireware XTM configuration and management features that you cannot use with
FireCluster.
FireCluster Network Configuration Limitations
- For an active/active cluster, you cannot configure the network in bridge mode or drop-in mode.
- For an active/passive cluster, you cannot configure the network in bridge mode.
- You cannot configure the external interface to use DHCP.
- You cannot configure IPv6 dynamic routing protocols (RIPng, OSPFv3, and BGP for IPv6).
- For an active/active cluster, you cannot configure the external interface to use PPPoE.
- The FireCluster for a wireless device can be configured only in active/passive mode when wireless is enabled.
- For an active/active cluster, you cannot configure link aggregation interfaces.
FireCluster Management Limitations
- In Fireware XTM v11.8.x and lower, you cannot use the Fireware XTM Web UI to connect to an XTM device that is a member of a FireCluster.
- In Fireware XTM v11.9.x and higher, you can use the Fireware XTM Web UI to connect to a FireCluster, but you cannot use the Web UI to configure a cluster, or change the FireCluster settings.
- You cannot use the Management Server to schedule an OS update for any managed device that is a member of a FireCluster.
Supported XTM Models for FireCluster
To use FireCluster, you must have two supported XTM devices that are the same model. The model
numbers of devices in a cluster must be exactly the same, even for devices in the same model family.
For some XTM device models, you can purchase a license key to upgrade the device
to a higher model in the same model family. You must first add the feature key to
upgrade the device to a higher model before you can configure it as part of a
FireCluster with another device that uses the higher model number.
FireCluster is fully supported on all XTM devices except:
- Firebox T10 devices do not support FireCluster
- XTM 25-W and 26-W devices support active/passive FireCluster only
- XTM 21, 22, and 23 devices do not support FireCluster
- XTMv devices support active/passive FireCluster only, in a VMware ESXi environment
About FireCluster Management IP Addresses
In a FireCluster configuration, all cluster members share the same IP addresses for each enabled
interface. When you use an interface IP address to connect to the cluster in WatchGuard System
Manager, you automatically connect to the cluster master and can see the status for all cluster
members.
For some management functions, such as upgrade or restore, you must connect to a specific cluster
member. To do that, you use the FireCluster Management IP address, which is a unique IP address
you assign to each cluster member. The cluster master also uses the Management IP address of the
backup master to communicate with the backup master about device status and action aggregation.
For example, when you connect to a FireCluster in Firebox System Manager, the cluster master uses
the Management IP address of the backup master to request status information from the backup
master. The cluster master then sends that information to Firebox System Manager, so the status of
both cluster members appears.
When you configure the FireCluster, you configure settings related to the FireCluster Management
IP address:
Interface for management IP address (one for the cluster)
First, you must select an interface to assign the FireCluster Management IP address to. This is
a global setting that applies to all cluster members. You can select any enabled physical,
bridge, VLAN, or Link Aggregation interface, or an external interface that uses PPPoE. We
recommend that you select the interface that the management computer usually connects to.
To use a bridge or VLAN interface as the cluster management interface, the cluster
must use Fireware XTM v11.9 or higher.
If you want to use IPv6 to connect to an individual cluster member, you must choose an
interface that has IPv6 enabled.
IPv4 management addresses (one for each cluster member)
For each cluster member, you configure a FireCluster Management IP address to use on the
selected Interface for management IP address.
We recommend that you select two unused IPv4 addresses on the same subnet as the primary
IP address of the interface. This is to make sure that the IP addresses are routable.
For example, if you select the trusted interface as the Interface for management IP address,
choose two unused IP addresses from your trusted subnet to use as the FireCluster
management IP addresses. If you choose the External interface as the Interface for
management IP address, choose two unused external IP addresses on the same subnet as the
External interface IP address that you can dedicate to FireCluster management functions.
The management IP addresses must be on the same subnet as the WatchGuard Log Server or
syslog server your FireCluster sends log messages to.
If you set the Management IP addresses of a FireCluster member to an IPv4 address
that is not on the same subnet as the IP address of the Interface for management IP
address, make sure your network configuration includes routes to allow the
management software to communicate with FireCluster members and to allow the
FireCluster members to communicate with each other.
IPv6 management addresses (one for each cluster member)
If the interface you selected as the Interface for management IP address has IPv6 enabled, you
can configure an IPv6 management IP address. If you configure an IPv6 management IP
address, it must be an unused IP address. We recommend that you use two IPv6 addresses with
the same prefix as an IPv6 address assigned to the Interface for management IP address.
This is to make sure that the IP addresses are routable.
If you configure an IPv6 management address for each member:
- The cluster master uses the IPv6 management address of the backup master to communicate with the backup master
- The IPv4 management address for each member is optional
If you use a FireCluster Management IP address to directly connect to the backup master, you cannot
save configuration changes in Policy Manager.
Use the Management IP Address to Restore a Backup Image
When you restore a FireCluster backup image, you must use the FireCluster Management IP address
to connect directly to a cluster member. When you use this IP address to connect to a cluster member,
there are two additional commands available in Firebox System Manager on the Tools menu: Cluster
> Leave and Cluster > Join. You use these commands when you restore a backup image to the
cluster.
For more information, see Restore a FireCluster Backup Image on page 571.
Use the Management IP Address to Upgrade from an External
Location
The WatchGuard System Manager software uses the FireCluster Management IP address when you
upgrade the OS for the members of a cluster. If you want to update the OS from a remote location,
make sure that:
- The Interface for management IP address is set to an external interface
- The Management IP address for each cluster member is a public IP address and is routable
For more information, see Upgrade Fireware XTM for FireCluster Members on page 573.
The Management IP Address and the WatchGuard Policy
The WatchGuard policy (policy type WG-Firebox-Mgmt) controls administrative connections to the
device. By default, the WatchGuard policy allows management connections from the Any-Trusted or
Any-Optional aliases. If you set the FireCluster Management Interface to a Trusted or Optional
interface, the Management Interface IP addresses are automatically included in the Any-Trusted alias
or the Any-Optional alias, and you do not need to modify the WatchGuard policy for FireCluster
management connections to operate correctly.
There are two situations for which you must edit the WatchGuard policy to add the FireCluster
Management IP addresses:
- If you restrict management access to specific IP addresses
  To restrict management access to specific IP addresses, you can edit the WatchGuard policy to remove the Any-Trusted or Any-Optional aliases from the From section, and add only the IP addresses or aliases that you want to manage the device. If you do this, it is important that you also add the FireCluster Management IP addresses to the From section of the WatchGuard policy.
- If you set the FireCluster Management Interface to an External interface
  If you select an External interface as the FireCluster Management Interface, you must either add the FireCluster Management IP addresses or add the Any-External alias to the From section of the WatchGuard policy. Your configuration is more secure if you add the specific Management IP addresses than it is if you add the Any-External alias.
For more information about the WatchGuard policy, see Manage an XTM Device From a Remote
Location.
About FireCluster on XTM Wireless Devices
You can enable FireCluster for two XTM 25-W, 26-W or 33-W wireless devices of the same model.
When wireless is enabled, you can configure FireCluster only in active/passive mode.
FireCluster is not supported for XTM 21-W, 22-W, and 23-W wireless models.
When you enable FireCluster for wireless XTM devices, the configuration must meet these
requirements:
- If wireless is enabled, the XTM device must be configured as a wireless access point. FireCluster is not supported when the XTM device has wireless enabled as an external interface.
- If the FireCluster Interface for management IP address is on an interface that is bridged to a wireless network, you cannot use a wireless connection to manage the device.
- If you enable a hotspot on the wireless guest network, you must select the Custom Page hotspot type. The External Guest Authentication hotspot type is not supported for a wireless FireCluster.
For more information about the FireCluster interface for management IP address and the
primary and backup cluster interfaces, see Before You Begin.
All other FireCluster requirements and restrictions described in Configure FireCluster also apply to
wireless devices.
Configure FireCluster
FireCluster supports two types of cluster configurations.
Active/Passive cluster
In an active/passive cluster, one device is active, and the other is passive. The active device
handles all network traffic unless a failover event occurs. The passive device actively monitors
the status of the active device. If the active device fails, the passive device takes over the
connections assigned to the failed device. After a failover event, all traffic for existing
connections is automatically routed to the active device.
Active/Active cluster
In an active/active cluster, the cluster members share the traffic that passes through the
cluster. To distribute connections between the active devices in the cluster, configure
FireCluster to use a round-robin or least connections algorithm. If one device in a cluster fails,
the other cluster member takes over the connections assigned to the failed device. After a
failover event, all traffic for existing connections is automatically routed to the remaining active
device.
For a demonstration of how to configure an active/passive cluster, see the
WatchGuard: XTM: FireCluster video tutorial (14 minutes).
FireCluster Requirements and Restrictions
Make sure you understand these requirements and restrictions before you begin:
- XTM devices in a cluster must be the same model number. For a list of supported models, see Supported XTM Models for FireCluster.
- Each device in a cluster must use the same version of Fireware XTM with a Pro upgrade.
- Each device in a cluster must have an active LiveSecurity Service subscription.
- For an active/passive cluster, your network interfaces must be configured in mixed routing mode or drop-in mode.
- For an active/active cluster, your network interfaces must be configured in mixed routing mode.
- FireCluster does not support bridge network mode.
- For an active/active cluster, we recommend all devices have active licenses for the same optional subscription services such as WebBlocker or Gateway AntiVirus.
  For more information, see About Feature Keys and FireCluster on page 564.
- For an active/active FireCluster, the external interface must be configured with a static IP address. You cannot enable an active/active FireCluster if the external interface is configured to use DHCP or PPPoE.
- For an active/passive FireCluster, the external interface must be configured with a static IP address or can use PPPoE. You cannot enable an active/passive FireCluster if the external interface is configured to use DHCP.
- You must have a network switch or VLAN for each active traffic interface.
- For an active/active cluster, all switches and routers in the active/active FireCluster broadcast domain must meet the requirements specified in Switch and Router Requirements for an Active/Active FireCluster on page 525.
- For an active/active cluster, you must know the IP address and MAC address of each layer 3 switch connected to the cluster. Then you can add static ARP entries for these network devices to the FireCluster configuration.
  For more information, see Add Static ARP Entries for an Active/Active FireCluster on page 527.
For requirements and restrictions for wireless devices, see About FireCluster on XTM Wireless Devices.
Cluster Synchronization and Status Monitoring
When you enable FireCluster, you must dedicate at least one interface to communication between the
cluster members. This is called a cluster interface. When you set up the cluster hardware, you connect
the primary cluster interfaces of each device to each other. For redundancy, we recommend you
configure a backup cluster interface. The cluster members use the cluster interfaces to continually
synchronize all information needed for load sharing and transparent failover.
FireCluster Device Roles
When you configure devices in a cluster, it is important to understand the roles each device can play in
the cluster.
Cluster master
This cluster member assigns network traffic flows to cluster members, and responds to all
requests from external systems such as WatchGuard System Manager, SNMP, DHCP, ARP,
routing protocols, and IKE. When you configure or modify the cluster configuration, you save
the cluster configuration to the cluster master. The cluster master can be either device. The first
device in a cluster to power on becomes the cluster master.
Backup master
This cluster member synchronizes all necessary information with the cluster master, so that it
can become the cluster master if the master fails. The Backup cluster master can be active or
passive.
Active member
This can be any cluster member that actively handles traffic flow. In an active/active cluster,
both devices are active. In an active/passive cluster, the cluster master is the only active
device.
Passive member
A device in an active/passive cluster that does not handle network traffic flows unless an active
device fails over. In an active/passive cluster the passive member is the backup cluster master.
FireCluster Configuration Steps
To configure XTM devices as a FireCluster, you must:
1. Plan your FireCluster configuration, as described in Before You Begin on page 521.
2. Connect the FireCluster devices to the network, as described in Connect the FireCluster
Hardware on page 524.
3. Configure FireCluster in Policy Manager. You can use one of these methods:
• Use the FireCluster Setup Wizard
• Configure FireCluster Manually
For an active/active cluster, you must also complete these steps:
1. Make any necessary configuration changes to your layer 3 network routers and switches to
support the multicast MAC addresses used by the FireCluster.
For more information, see Switch and Router Requirements for an Active/Active FireCluster on
page 525.
2. Add static ARP entries for each of the layer 3 network routers and switches that connect to the
FireCluster.
For more information, see Add Static ARP Entries for an Active/Active FireCluster on page
527.
Before You Begin
Before you configure FireCluster, you must complete the tasks described in the subsequent sections.
Verify Basic Components
Make sure that you have these items:
• Two WatchGuard devices of the same model number
• The same version of Fireware XTM Pro installed on each device
• The feature key installed on each device, including any model upgrades
• One crossover cable (red) for each cluster interface (If you configure a backup cluster interface,
you must use two crossover cables.)
• One network switch for each active traffic interface
• Ethernet cables to connect the devices to the network switches
• The serial number for each device
• Feature key for each device
For information about feature key requirements for FireCluster, see About Feature Keys and
FireCluster on page 564.
For information about supported models, see Supported XTM Models for FireCluster.
Configure the External Interface
Before you can configure a FireCluster, you must make sure that the external interface configuration is
compatible with the type of FireCluster you want to use.
• Active/active FireCluster — each external interface must have a static IP address.
• Active/passive FireCluster — each external interface must have a static IP address, or must
use PPPoE.
PPPoE for FireCluster is supported in Fireware XTM v11.9 and higher.
For more information about how to configure the external interface, see Configure an External
Interface.
Configure Network Routers and Switches
In an active/active FireCluster configuration, the network interfaces for the cluster use multicast MAC
addresses. Before you enable an active/active FireCluster, make sure your network routers and other
devices are configured to correctly route traffic to and from the multicast MAC addresses.
For more information, see Switch and Router Requirements for an Active/Active FireCluster on page
525.
This step is not necessary for an active/passive cluster because an active/passive cluster does not
use multicast MAC addresses.
Select IP Addresses for Cluster Interfaces
We recommend you make a table with the network addresses you plan to use for the cluster interfaces
and for the interface for the management IP address. The FireCluster setup wizard asks you to configure these
settings individually for each cluster member. If you plan the interfaces and IP addresses in advance, it
is easier to configure these interfaces with the wizard. For example, your table could look something
like this:
Interface # and IP addresses for cluster interfaces

                                      Interface #   IP address for Member 1   IP address for Member 2
Primary cluster interface             5             10.10.5.1/24              10.10.5.2/24
Backup cluster interface              6             10.10.6.1/24              10.10.6.2/24
Interface for management IP address   1             10.10.1.1/24              10.10.1.2/24
Primary cluster interface
This is the interface on the XTM device that you dedicate to communication between the cluster
members. This interface is not used for regular network traffic. If you have an interface
configured as a dedicated VLAN interface, do not choose that interface as a dedicated cluster
interface.
The primary interface IP addresses for both cluster members must be on the same subnet.
Backup cluster interface (optional, but recommended)
This is a second interface on the XTM device that you dedicate for communication between the
cluster members. The cluster members use the backup cluster interface to communicate if the
primary cluster interface is not available. For redundancy, we recommend you use two cluster
interfaces.
The backup interface IP addresses for both cluster members must be on the same subnet.
Do not set the Primary or Backup cluster IP address to the default IP address of any
interface on the device. The default interface IP addresses are in the range 10.0.0.1 to
10.0.17.1. The Primary and Backup cluster IP addresses must not be used for
anything else on your network, such as virtual IP addresses for Mobile VPN or the IP
addresses used by remote branch office networks.
Interface for management IP address
This is an interface on the XTM device that you use to make a direct connection to a cluster
device from any WatchGuard management application. We recommend that you select the
interface that the management computer usually connects to.
The management IP address for each cluster member must be an unused IP address on the
same subnet as the address assigned to the interface configured as the Interface for
management IP address. It must also be on the same subnet as the Log Server or syslog server
the FireCluster sends log messages to.
If the Interface for management IP address has IPv6 enabled, you can also configure an IPv6
management IP address for each cluster member.
For more information, see About FireCluster Management IP Addresses on page 513.
For wireless devices, the primary cluster interface, backup cluster interface, and interface for
management IP address cannot be an interface that is bridged to a wireless network.
For more information, see About FireCluster on XTM Wireless Devices.
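The planning rules in this section (same subnet for each cluster interface pair, no default interface addresses, management IPs unused and on the management interface's subnet, cluster IPs not reused elsewhere) as a pre-flight check you can run over a planned address table. This is an added example, not WatchGuard code; it uses the guide's example table, and the management interface address, log server address and reserved network are constructed because the guide's table does not list them.

```python
"""Check a planned set of FireCluster interface addresses against the rules in
this section before you type them into the setup wizard.

Added example, not WatchGuard code. The plan below is the guide's example table;
the management interface address, log server address and reserved network are
constructed values, since the guide's table does not list them.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Assumption: the guide's "default interface IP addresses 10.0.0.1 to 10.0.17.1"
# are the per-interface factory defaults 10.0.<n>.1 for interface numbers 0 to 17.
DEFAULT_INTERFACE_IPS = {ipaddress.ip_address(f"10.0.{n}.1") for n in range(18)}


@dataclass
class ClusterPlan:
    primary: tuple[str, str]            # member 1 / member 2 primary cluster IPs (CIDR)
    backup: tuple[str, str] | None      # optional backup cluster IPs (CIDR)
    mgmt_interface_ip: str              # address of the Interface for management IP (CIDR)
    mgmt: tuple[str, str]               # per-member management IP addresses
    log_server_ip: str | None = None    # Log Server / syslog server the cluster logs to
    reserved: list[str] = field(default_factory=list)  # networks used elsewhere, e.g. Mobile VPN pools


def _check_cluster_pair(label: str, pair: tuple[str, str], errors: list[str]):
    """Both members' addresses on one cluster interface must share a subnet, differ
    from each other, and not be a factory-default interface address."""
    m1, m2 = (ipaddress.ip_interface(a) for a in pair)
    if m1.network != m2.network:
        errors.append(f"{label}: {m1} and {m2} are not on the same subnet")
    if m1.ip == m2.ip:
        errors.append(f"{label}: both members use {m1.ip}")
    for m in (m1, m2):
        if m.ip in DEFAULT_INTERFACE_IPS:
            errors.append(f"{label}: {m.ip} is a default interface IP address")
    return [m1, m2]


def validate_plan(plan: ClusterPlan) -> list[str]:
    """Return the list of rule violations; an empty list means the plan is consistent."""
    errors: list[str] = []
    cluster_ifaces = _check_cluster_pair("primary cluster interface", plan.primary, errors)
    if plan.backup is not None:
        cluster_ifaces += _check_cluster_pair("backup cluster interface", plan.backup, errors)

    # Cluster IPs must not be used for anything else on the network.
    reserved = [ipaddress.ip_network(n, strict=False) for n in plan.reserved]
    for m in cluster_ifaces:
        for net in reserved:
            if m.ip in net:
                errors.append(f"cluster IP {m.ip} overlaps reserved network {net}")

    # Management IPs: unused, unique per member, on the management interface's subnet,
    # and on the same subnet as the log server the cluster sends messages to.
    mgmt_if = ipaddress.ip_interface(plan.mgmt_interface_ip)
    used = {mgmt_if.ip}
    for member, addr in enumerate(plan.mgmt, start=1):
        mip = ipaddress.ip_address(addr)
        if mip not in mgmt_if.network:
            errors.append(f"member {member} management IP {mip} is not on {mgmt_if.network}")
        if mip in used:
            errors.append(f"member {member} management IP {mip} is already in use")
        used.add(mip)
    if plan.log_server_ip is not None:
        if ipaddress.ip_address(plan.log_server_ip) not in mgmt_if.network:
            errors.append(f"log server {plan.log_server_ip} is not on {mgmt_if.network}")
    return errors


def expected_master(plan: ClusterPlan) -> int:
    """Member (1 or 2) that becomes cluster master if both devices start at the
    same time: per the guide, the higher primary cluster interface IP wins."""
    m1, m2 = (ipaddress.ip_interface(a).ip for a in plan.primary)
    return 1 if m1 > m2 else 2


# The guide's example table, plus constructed management/log-server addresses.
GUIDE_EXAMPLE_PLAN = ClusterPlan(
    primary=("10.10.5.1/24", "10.10.5.2/24"),
    backup=("10.10.6.1/24", "10.10.6.2/24"),
    mgmt_interface_ip="10.10.1.254/24",      # constructed
    mgmt=("10.10.1.1", "10.10.1.2"),
    log_server_ip="10.10.1.50",              # constructed
    reserved=["192.168.100.0/24"],           # constructed Mobile VPN pool
)

if __name__ == "__main__":
    problems = validate_plan(GUIDE_EXAMPLE_PLAN)
    print("plan OK" if not problems else "\n".join(problems))
    print("expected initial master: member", expected_master(GUIDE_EXAMPLE_PLAN))
```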
Connect the FireCluster Hardware
Each device in a cluster must be the same model, and must use the same version of
Fireware XTM with a Pro upgrade.
To connect two XTM devices in a FireCluster configuration:
1. Use a crossover Ethernet cable (red) to connect the primary cluster interface on one XTM
device to the primary cluster interface on the other device.
2. If you want to enable a backup cluster interface, use a second crossover Ethernet cable to
connect the backup cluster interfaces. If you have a network interface available, we
recommend that you connect and configure a backup cluster interface for redundancy.
3. Connect the external interface of each device to a network switch or VLAN. If you use Multi-WAN, connect the second external interface of each device to another network switch.
4. Connect the trusted interface of each device to an internal network switch or VLAN.
5. For each device, connect the other trusted or optional network interfaces to the internal network
switch for that device.
For information about network switch requirements, see Switch and Router Requirements for
an Active/Active FireCluster on page 525.
You must connect each pair of network interfaces to its own dedicated switch or hub.
Do not connect more than one pair of interfaces to the same switch.
The diagram below shows connections for a simple FireCluster configuration.
In this example, the FireCluster has one external and one trusted interface connected to network
switches. The primary cluster interfaces are connected by a crossover cable.
After you connect the FireCluster devices, you are ready to configure the FireCluster in Policy
Manager. You can do this two ways:
• Use the FireCluster Setup Wizard
• Configure FireCluster Manually
Switch and Router Requirements for an Active/Active
FireCluster
When you configure FireCluster in an active/active configuration, the cluster uses
multicast MAC addresses for all interfaces that send network traffic. Before you
enable FireCluster, make sure your network switches, routers, and other devices are
configured to route network traffic with multicast MAC addresses.
A layer 2 broadcast domain is a logical part of a computer network in which all network nodes can
communicate with each other without the use of a layer 3 routing device, such as a router or managed
switch.
An active/active FireCluster uses a single multicast MAC address. Most network routers and managed
switches ignore traffic from multicast MAC addresses by default. Before you enable an active/active
FireCluster, make sure that all the network switches and routers in the layer 2 broadcast domain meet
the requirements.
Requirements for Switches and Routers
All switches and routers in an active/active FireCluster broadcast domain must meet these
requirements.
1. All switches and routers in the broadcast domain must not block ARP requests if the response
contains a multicast MAC address.
• This is the default behavior for most layer 2 switches.
• For routers and layer 3 switches, the default behavior is to follow RFC 1812, which says that
the router must not believe any ARP reply that claims that the Link Layer address of another
host or router is a broadcast or multicast address. If possible, disable this behavior. If you
cannot disable this RFC 1812 behavior, you might need to configure static MAC and static ARP
entries on your routing device.
Some Layer 3 switches do not allow you to configure static MAC addresses on
multiple ports. If possible we recommend that you use a Layer 2 switch, which
requires less configuration and is easier to set up.
2. All switches in the broadcast domain must be configured to forward traffic to all ports when the
destination MAC address is the multicast MAC address of the FireCluster.
• For unmanaged layer 2 switches, this should be the default behavior.
• For managed switches, you might need to add static MAC and static ARP entries for the
FireCluster.
3. You might need to add the IP address and MAC address of each router or layer 3 switch in the
broadcast domain as a static ARP entry in the FireCluster configuration.
One multicast MAC address is shared between the pair. The MAC address starts with 01:00:5E. You
can find the multicast MAC addresses for a cluster in the Firebox System Manager Status Report tab,
or in the FireCluster configuration dialog box in Policy Manager.
Add Static ARP Entries for an Active/Active FireCluster
An active/active FireCluster uses a multicast MAC address for each active interface connected to your
network. The active/active FireCluster sends this multicast MAC address across the network.
For some switches, you might need to add static ARP entries for each layer 3 network switch
connected to the FireCluster traffic interface. Otherwise, network communication might not work
properly. You can use Policy Manager to add the static ARP entries to the FireCluster.
To add static ARP entries to your XTM device configuration:
1. In WatchGuard System Manager, use the configured cluster interface IP address to connect to
the FireCluster. Do not use the Management IP address.
2. Click .
Or, select Tools > Policy Manager.
Policy Manager appears.
3. Select Network > ARP Entries.
The Static ARP Entries dialog box appears.
4. Click Add.
The Add ARP Entry dialog box appears.
5. In the Interface drop-down list, select the interface for the layer 3 switch.
6. In the IP Address text box, type the IP address of the network switch.
7. In the MAC Address text box, type the MAC address of the switch. Click OK.
The static ARP entry is added to the Static ARP Entries list.
8. Repeat Steps 4–7 to add static ARP entries for each switch that is directly connected to each
interface of the FireCluster.
9. Click OK.
10. Select File > Save > to Firebox to save the static ARP entries to the FireCluster.
You must also configure the network switches to work with the active/active FireCluster. For more
information, see Switch and Router Requirements for an Active/Active FireCluster on page 525.
For an example of how to configure two switches for an active/active FireCluster, see Example Switch
and Static ARP Configuration for an Active/Active FireCluster on page 527.
Example Switch and Static ARP Configuration for an Active/Active
FireCluster
Layer 3 switches that operate in default mode do not have issues with multicast traffic, so the
FireCluster works without configuration changes. A layer 3 switch that has all ports configured in one
VLAN also works without issues. If the layer 3 switch has ports configured for different VLANs you
must change the configuration to enable the switch to operate correctly with a FireCluster.
Layer 3 switches that perform VLAN and/or IP routing discard multicast traffic from the
FireCluster members. The switch discards traffic to and through the router unless you configure static
MAC and ARP entries for the FireCluster multicast MAC address on the switch that receives the multicast
traffic.
When you configure an active/active FireCluster, you might need to make some configuration changes
on the FireCluster and on your network switches so that the FireCluster multicast MAC addresses
work properly. For general information, see:
• Switch and Router Requirements for an Active/Active FireCluster
• Add Static ARP Entries for an Active/Active FireCluster
This topic includes an example of how to configure the switches and the FireCluster static
ARP settings for an active/active FireCluster. This example does not include all the other steps to
configure a FireCluster. For instructions to configure a FireCluster, see Configure FireCluster on page
517.
Before you begin, make sure you have:
• The IP address and multicast MAC address of the FireCluster interface to which the switch is
connected.
For more information, see Find the Multicast MAC Addresses for an Active/Active Cluster on
page 547.
• The IP address and MAC address of each switch or router connected to the FireCluster
interfaces.
WatchGuard provides interoperability instructions to help our customers configure
WatchGuard products to work with products created by other organizations. If you
need more information or technical support about how to configure a non-WatchGuard product, see the documentation and support resources for that product.
Example Configuration
In this example, the FireCluster configuration has one external and one internal interface. The external
interface of each cluster member is connected to a Cisco 3750 switch. The internal interface of each
cluster member is connected to an Extreme Summit 15040 switch. For the equivalent commands to
make these configuration changes on your switch, see the documentation for your switch. The
commands for two different switches are included in this example.
IP addresses in this example:
• FireCluster interface 0 (External) interface
IP address: 203.0.113.2/24
Multicast MAC address: 01:00:5e:00:71:02
• FireCluster interface 1 (Trusted) interface
IP address: 10.0.1.1/24
Multicast MAC address: 01:00:5e:00:01:01
• Cisco 3750 switch connected to the FireCluster external interface
IP address: 203.0.113.100
VLAN interface MAC address: 00:10:20:3f:48:10
VLAN ID: 1
Interface: gi1/0/11
• Extreme Summit 48i switch connected to the FireCluster internal interface
IP address: 10.0.1.100
MAC address: 00:01:30:f3:f1:40
VLAN ID: Border-100
Interface: 9
Configure the Cisco Switch
In this example, the Cisco switch is connected to the FireCluster interface 0 (external). You must use
the Cisco command line to add static MAC and ARP entries for the multicast MAC address of the
external FireCluster interface.
1. Start the Cisco 3750 command line interface.
2. Add a static ARP entry for the multicast MAC address of the FireCluster interface.
Type this command:
arp <FireCluster interface IP address> <FireCluster MAC address> arpa
For this example, type:
arp 203.0.113.2 0100.5e00.7102 arpa
3. Add an entry to the MAC address table.
Type this command:
mac-address-table static <FireCluster interface MAC address> vlan <ID>
interface <#>
For this example, type:
mac-address-table static 0100.5e00.7102 vlan 1 interface gi1/0/11
Configure the Extreme Switch
In this example, the Extreme Summit switch is connected to the FireCluster interface 1 (trusted). You
must use the Extreme Summit command line to add static MAC and ARP entries for the multicast
MAC address of the trusted FireCluster interface.
1. Start the Extreme Summit 48i command line.
2. Add a static ARP entry for the multicast MAC address of the FireCluster interface.
Type this command:
configure iparp add <ip address> <MAC Address>
For this example, type:
configure iparp add 10.0.1.1/24 01:00:5e:00:01:01
3. Add an entry to the MAC address table.
Type this command:
create fdbentry <MAC> VLAN <ID> port <#>
For this example, type:
create fdbentry 01:00:5e:00:01:01 VLAN Border-100 port 9
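The same two switch configurations, generated from a single description of each FireCluster interface so the MAC notation (colon form versus Cisco dotted form) and the 01:00:5E prefix check cannot be mistyped. This is an added example, not WatchGuard code; the command syntax follows the guide's Cisco 3750 and Extreme Summit examples, the addresses are the guide's example values, and the Extreme verb is assumed to be spelled configure.

```python
"""Generate the per-switch static ARP and MAC-table commands for an
active/active FireCluster interface from one description of that interface.

Added example, not WatchGuard code. Command syntax mirrors the guide's Cisco 3750
and Extreme Summit examples; check it against your own switch documentation.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# The guide states that FireCluster multicast MAC addresses start with 01:00:5E.
FIRECLUSTER_MAC_PREFIX = "01:00:5e"


def normalize_mac(mac: str) -> str:
    """Accept colon, dash or Cisco dotted notation; return lower-case colon form."""
    if re.sub(r"[0-9A-Fa-f:.\-]", "", mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def to_cisco_mac(mac: str) -> str:
    """Cisco IOS writes MAC addresses as three dotted groups of four hex digits."""
    h = normalize_mac(mac).replace(":", "")
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def is_firecluster_multicast_mac(mac: str) -> bool:
    """True when the address carries the multicast prefix the guide describes."""
    return normalize_mac(mac).startswith(FIRECLUSTER_MAC_PREFIX)


@dataclass(frozen=True)
class ClusterInterface:
    """One FireCluster traffic interface as seen from the switch it connects to."""
    name: str            # e.g. "External"
    ip: str              # interface IP in CIDR notation, e.g. "203.0.113.2/24"
    multicast_mac: str   # from the FSM Status Report tab, e.g. "01:00:5e:00:71:02"

    def __post_init__(self) -> None:
        ipaddress.ip_interface(self.ip)  # raises on a malformed address
        if not is_firecluster_multicast_mac(self.multicast_mac):
            raise ValueError(f"{self.multicast_mac} does not start with {FIRECLUSTER_MAC_PREFIX}")


def cisco_commands(iface: ClusterInterface, vlan_id: int, port: str) -> list[str]:
    """Static ARP entry plus static MAC-table entry for a Cisco IOS switch."""
    ip = str(ipaddress.ip_interface(iface.ip).ip)  # the Cisco example uses the bare address
    mac = to_cisco_mac(iface.multicast_mac)
    return [
        f"arp {ip} {mac} arpa",
        f"mac-address-table static {mac} vlan {vlan_id} interface {port}",
    ]


def extreme_commands(iface: ClusterInterface, vlan_name: str, port: int) -> list[str]:
    """Static ARP entry plus FDB entry for an Extreme Summit switch."""
    mac = normalize_mac(iface.multicast_mac)
    return [
        f"configure iparp add {iface.ip} {mac}",  # the guide's example keeps the /24
        f"create fdbentry {mac} VLAN {vlan_name} port {port}",
    ]


if __name__ == "__main__":
    external = ClusterInterface("External", "203.0.113.2/24", "01:00:5e:00:71:02")
    trusted = ClusterInterface("Trusted", "10.0.1.1/24", "01:00:5e:00:01:01")
    print("! Cisco 3750 (external):")
    print("\n".join(cisco_commands(external, vlan_id=1, port="gi1/0/11")))
    print("# Extreme Summit (trusted):")
    print("\n".join(extreme_commands(trusted, vlan_name="Border-100", port=9)))
```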
Add Static ARP Entries to the FireCluster Configuration for Each Switch
For an explanation of why this is required, see Add Static ARP Entries for an Active/Active FireCluster
on page 527.
1. In WatchGuard System Manager, use the cluster trusted interface IP address to connect to the
FireCluster. Do not use the management IP address.
2. Click .
Or, select Tools > Policy Manager.
Policy Manager appears.
3. Select Network > ARP Entries.
The Static ARP Entries dialog box appears.
4. Click Add.
The Add ARP Entry dialog box appears.
5. In the Interface drop-down list, select External.
6. In the IP Address text box, type the IP address of the switch interface that is connected to the
external interface.
For this example, type: 203.0.113.100
7. In the MAC Address text box, type the MAC address of the VLAN interface on the Cisco
switch that is connected to the external interface.
For this example, type: 00:10:20:3f:48:10
8. Click OK.
The static ARP entry is added to the Static ARP Entries list.
9. Click Add.
The Add ARP Entry dialog box appears.
10. In the Interface drop-down list, select Trusted.
11. In the IP Address text box, type the IP address of the switch interface that is connected to the
trusted interface.
For this example, type: 10.0.1.100
12. In the MAC Address text box, type the MAC address of the switch interface that is connected
to the trusted interface.
For this example, type: 00:01:30:f3:f1:40
13. Click OK.
The static ARP entry is added to the Static ARP Entries list.
14. Click OK to close the Static ARP Entries dialog box.
15. Select File > Save > to Firebox to save the static ARP entries to the FireCluster.
Use the FireCluster Setup Wizard
To configure FireCluster, you can either run the FireCluster Setup Wizard or you can configure
FireCluster manually.
For more information about how to configure FireCluster manually, see Configure FireCluster Manually
on page 539.
For a demonstration of how to configure an active/passive cluster with the
FireCluster Setup Wizard, see the FireCluster video tutorial (14 minutes).
Before you enable FireCluster:
• Make sure you have everything necessary to configure your FireCluster and that you have
planned your configuration settings.
For information, see Before You Begin on page 521.
• Make sure you understand the limitations described in Features Not Supported for a
FireCluster.
• Connect the FireCluster devices to each other and to the network as described in Connect the
FireCluster Hardware on page 524.
• For information about how to set up an active/passive FireCluster with XTMv devices, see the
steps and switch requirements in the WatchGuard XTMv Setup Guide available at
http://www.watchguard.com/help/documentation/xtm.asp.
In an active/active FireCluster configuration, the network interfaces for the cluster
use multicast MAC addresses. Before you enable an active/active FireCluster, make
sure your network routers and other devices are configured to support multicast
network traffic.
For more information, see Switch and Router Requirements for an Active/Active
FireCluster on page 525.
Configure FireCluster
1. In WatchGuard System Manager, connect to the XTM device that has the configuration you
want to use for the cluster. After you enable FireCluster, this device becomes the cluster
master the first time you save the configuration.
2. Click .
Or, select Tools > Policy Manager.
Policy Manager opens the configuration file for the selected device.
3. Select FireCluster > Setup.
The FireCluster Setup Wizard starts.
4. Click Next.
5. Select the type of cluster you want to enable:
Active/Passive cluster
Enables the cluster for high availability, but not load sharing. If you select this option, the
cluster has an active device that handles all the connections and a passive device that
handles connections only if a failover of the first device occurs.
Active/Active cluster
Enables the cluster for high availability and load sharing. If you select this option, the
cluster balances incoming connection requests across both devices in the cluster.
6. Select the Cluster ID.
The cluster ID uniquely identifies this cluster if you set up more than one cluster on the same
layer 2 broadcast domain. If you only have one cluster, you can keep the default value of 1.
7. If you selected Active/Active cluster, select the Load-balance method.
The load-balance method is the method used to balance connections among active cluster
members. There are two options:
Least connection
If you select this option, each new connection is assigned to the active cluster member
with the lowest number of open connections. This is the default setting.
Round-robin
If you select this option, new connections are distributed among the active cluster
members in round-robin order. The first connection goes to one cluster member. The next
connection goes to the other cluster member, and so on.
8. Select the Primary and Backup cluster interfaces. The cluster interfaces are dedicated to
communication between cluster members and are not used for other network traffic. You must
configure the Primary interface. For redundancy, we recommend you also configure the
Backup interface.
Primary
The XTM device interface that you dedicate to primary communication between the cluster
members. Select the interface number that you used to connect the FireCluster devices to
each other.
Backup
The XTM device interface that you dedicate to communication between the cluster
members if the primary interface fails. Select the second interface number that you used to
connect the FireCluster devices to each other, if any.
If you have an interface configured as a dedicated VLAN interface, do not choose
that interface as a dedicated cluster interface.
9. Select the Interface for Management IP address. You use this interface to connect directly to
FireCluster member devices for maintenance operations. This is not a dedicated interface. It
also is used for other network traffic. You cannot select a VLAN interface or an external
interface that uses PPPoE as the Interface for Management IP address. We recommend that
you select the interface that the management computer usually connects to.
For more information, see About FireCluster Management IP Addresses on page 513.
10. When prompted by the configuration wizard, add these FireCluster member properties for each
device:
Feature Key
For each device, import or download the feature key to enable all features for the device. If
you previously imported the feature key in Policy Manager, the wizard automatically uses
that feature key for the first device in the cluster.
Member Name
The name that identifies each device in the FireCluster configuration.
Serial Number
The serial number of the device. The serial number is used as the Member ID in the
FireCluster Configuration dialog box. The wizard sets this automatically when you
import or download the feature key for the device.
Primary cluster interface IP address
The IP address the cluster members use to communicate with each other over the primary
cluster interface. The primary FireCluster IP address for each cluster member must be an
IPv4 address on the same subnet.
If both devices start at the same time, the cluster member with the highest IP address
assigned to the primary cluster interface becomes the master.
Backup cluster interface IP address
The IP address the cluster members use to communicate with each other over the backup
cluster interface. The backup FireCluster IP address for each cluster member must be an
IPv4 address on the same subnet.
Do not set the Primary or Backup cluster IP address to the default IP address of any
interface on the device. The default interface IP addresses are in the range 10.0.0.1 to
10.0.17.1. The Primary and Backup cluster IP addresses must not be used for
anything else on your network, such as virtual IP addresses for Mobile VPN or the IP
addresses used by remote branch office networks.
Management IP address
A unique IP address that you can use to connect to an individual XTM device while it is
configured as part of a cluster. You must specify a different management IP address for
each cluster member. If the interface you chose as the Interface for management
IP address has IPv6 enabled, you can optionally configure an IPv6 management
IP address.
The IPv4 management IP address can be any unused IP address. We recommend that you
use an IP address on the same subnet as the interface you select as the Interface for
management IP address. This is to make sure that the address is routable. The
management IP address must be on the same subnet as the WatchGuard Log Server or
syslog server that your FireCluster sends log messages to.
The IPv6 management IP address must be an unused IP address. We recommend that you
use an IPv6 address with the same prefix as an IPv6 address assigned to the interface you
selected as the Interface for management IP address. This is to make sure that the
IPv6 address is routable.
For more information, see About FireCluster Management IP Addresses.
11. Review the configuration summary on the final screen of the FireCluster Setup Wizard. The
configuration summary includes the options you selected and which interfaces are monitored for
link status.
12. Click Finish.
The FireCluster Configuration dialog box appears.
13. In the Interface Settings section, review the list of monitored interfaces.
The list of monitored interfaces does not include the interfaces you configured as the Primary
and Backup cluster interfaces. FireCluster monitors the link status for all enabled interfaces by
default. If the cluster master detects loss of link on a monitored interface, the cluster master
starts the failover process for that device.
For an Active/Passive cluster, you can select which of the active interfaces to monitor. If you
do not want to monitor the link status of an enabled interface as a criterion for failover, clear the
check box for that interface in the Monitor Link column.
We recommend that you configure the FireCluster to monitor the link status of all
enabled interfaces.
For an active/active FireCluster, you must disable any interfaces that are not connected to your
network before you save the FireCluster configuration to the XTM device. To disable an
interface:
• In Policy Manager, select Network > Configuration.
• Double-click the interface that you want to disable, and set the Interface Type to
Disabled.
If you want the second device to be automatically discovered and added to the
cluster, do not save the configuration file until you start the second device in safe
mode.
14. Start the second XTM device with factory-default settings.
Make sure that you have installed the feature key on the second device before you restart it with
factory-default settings. The feature key is not removed when you reset the device and is
required for the second device to be added to the cluster.
For any XTM device that has an LCD screen, start the device in safe mode
To start in safe mode, press and hold the down arrow button on the device front panel while
you power on the device. Continue to hold the down arrow button until Safe Mode
Starting... appears on the LCD display. When the device is in safe mode, the model
number followed by the word safe appears on the LCD display.
For any desktop XTM device, reset the device to factory-default settings
For instructions to reset an XTM 33 or 2 Series device to factory-default settings, see
Reset a Device.
15. Save the configuration to the cluster master.
The cluster is built. The cluster master automatically discovers the other configured cluster member.
After the cluster is active, you can monitor the status of the cluster members on the Firebox System
Manager Front Panel tab.
For more information, see Monitor and Control FireCluster Members on page 549.
If you save the configuration to the cluster master before you start the second device in safe mode, the
cluster master does not automatically discover the second device. If the second device is not
automatically discovered, you can use Firebox System Manager to manually trigger device discovery
as described in Discover a Cluster Member on page 553.
Configure FireCluster Manually
You can enable FireCluster manually or use the FireCluster Setup Wizard. For more information, see
Use the FireCluster Setup Wizard on page 532.
Before you enable FireCluster:
• Make sure you have everything necessary to configure your FireCluster and have planned your
configuration settings.
For more information, see Before You Begin on page 521.
• Make sure you understand the limitations described in Features Not Supported for a
FireCluster.
• Connect the FireCluster devices to each other and to the network as described in Connect the
FireCluster Hardware on page 524.
For information about how to set up an active/passive FireCluster with XTMv devices, see the steps
and switch requirements in the WatchGuard XTMv Setup Guide available at
http://www.watchguard.com/help/documentation/xtm.asp.
In an active/active FireCluster configuration, the network interfaces for the cluster
use multicast MAC addresses. Before you enable an active/active FireCluster, make
sure your network routers and other devices are configured to support multicast
network traffic. For more information, see Switch and Router Requirements for an
Active/Active FireCluster on page 525.
Enable FireCluster
1. In WatchGuard System Manager, connect to the XTM device that has the configuration you
want to use for the cluster. This device becomes the cluster master the first time you save the
configuration with FireCluster enabled.
2. Click .
Or, select Tools > Policy Manager.
Policy Manager appears.
3. Select FireCluster > Configure.
The FireCluster Cluster Configuration dialog box appears.
4. Select the Enable FireCluster check box.
5. Select which type of cluster you want to enable.
Enable Active/Passive cluster
Enables the cluster for high availability, but not load sharing. If you select this option, the
cluster has an active device that handles all the network traffic and a passive device that
handles traffic only if a failover of the first device occurs.
Enable Active/Active cluster
Enables the cluster for high availability and load sharing. If you select this option, the
cluster balances traffic load across both devices in the cluster.
6. If you selected Enable Active/Active cluster, from the Load-balance method drop-down list,
select the method to use to balance the traffic load between active cluster members.
Least connection
If you select this option, each new connection is assigned to the active cluster member that
has the lowest number of open connections.
Round-robin
If you select this option, connections are distributed among the active cluster members in
round-robin order. The first connection goes to one cluster member. The next connection
goes to the other cluster member, and so on.
7. From the Cluster ID drop-down list, select a number to identify this FireCluster.
The cluster ID uniquely identifies this FireCluster if there is more than one FireCluster active on
the same network segment. If you only have one FireCluster, you can keep the default value of
1.
For an active/passive cluster, the Cluster ID determines the virtual MAC addresses used by the
interfaces of the clustered devices. For more information, see Active/Passive Cluster ID and
the Virtual MAC Address.
Configure Interface Settings
The FireCluster interface is the dedicated interface the cluster members use to communicate with
each other about system status. You can configure either one or two FireCluster interfaces. For
redundancy, if you have the interfaces available, we recommend you configure two FireCluster
interfaces. If you have an interface configured as a dedicated VLAN interface, do not choose that
interface as a dedicated FireCluster interface. You must disable any interfaces that are not connected
to your network before you save the FireCluster configuration to the XTM device.
1. From the Primary cluster interface drop-down list, select an interface to use as the primary
interface.
2. To use a second cluster interface, from the Backup cluster interface drop-down list, select an
interface to use as the backup interface.
3. Select an Interface for management IP address. This is the XTM device network interface
you use to make a direct connection to a cluster device with any WatchGuard management
application. You cannot select a VLAN interface as the Interface for Management IP address.
We recommend that you select the interface that the management computer usually connects
to.
For more information, see About FireCluster Management IP Addresses on page 513.
4. Review the list of monitored interfaces. The list of monitored interfaces does not include the
interfaces you configured as the Primary and Backup FireCluster interfaces. By default,
FireCluster monitors the link status for all enabled interfaces. If the cluster master detects a
loss of link on a monitored interface, the cluster master starts failover.
5. For an active/passive cluster, you can select which of the active interfaces to monitor. If you do
not want to monitor the link status of an enabled interface as a criterion for failover, clear the
check box for that interface in the Monitor Link column.
We recommend that you configure the FireCluster to monitor the link status of all
enabled interfaces.
An active/active FireCluster always monitors the link status of all enabled network interfaces. For an
Active/Active FireCluster, you must disable any interface that is not connected to a network switch.
To disable an interface:
1. In Policy Manager, select Network > Configuration.
2. Double-click the interface that you want to disable.
3. Set the Interface Type to Disabled.
If you enable a physical interface or add a Link Aggregation interface after FireCluster is enabled, that
interface is automatically selected as a monitored interface in the FireCluster configuration.
Configure FireCluster Members
1. Select the Members tab.
The FireCluster members configuration settings appear.
If you previously imported a feature key in this configuration file, that device is automatically
configured as Member 1.
If you do not have a feature key in this configuration file, a FireCluster member does not appear
in the list. In this case, you must add each device as a member and import the configuration file
for each device as described in the subsequent steps.
2. To add a member, click Add.
The Add member dialog appears.
3. In the Member Name text box, type a name. This name identifies this device in the members
list.
4. Select the Feature Key tab.
5. Click Import.
The Import Firebox Feature Key dialog box appears.
6. To find the feature key file, click Browse.
Or, copy the text of the feature key file and click Paste to insert it in the dialog box.
7. Click OK.
8. Select the Configuration tab.
The Serial Number field is automatically filled with the serial number from the feature key.
9. In the Interface IP Address section, type the addresses to use for each cluster interface and
the interface for management IP address.
- In the Primary cluster text box, type the IP address to use for the primary cluster interface.
The IP address for the primary cluster interface must be on the same subnet for each cluster
member. The cluster member that has the highest IP address assigned to the primary
cluster interface becomes the master if both devices start at the same time.
- In the Backup cluster text box, type the IP address to use for the backup cluster interface.
This option only appears if you configured a backup cluster interface. The IP address for the
backup cluster interface must be on the same subnet for each cluster member.
- In the Management section, in the IPv4 text box, type the IP address to use to connect to
an individual cluster member for maintenance operations. The interface for management is
not a dedicated interface. It is also used for other network traffic. You must specify a
different management IP address for each cluster member. The IPv4 management IP
address must be an unused IP address. We recommend that you use an IP address on the
same subnet as the IPv4 address assigned to the interface. It must also be on the same
subnet as the WatchGuard Log Server or syslog server that your FireCluster sends log
messages to.
- If the interface that you selected as the Interface for management IP address has IPv6
enabled, you can also configure an IPv6 management IP address. In the Management
section, in the IPv6 text box, type the IPv6 address to use to connect to an individual cluster
member for maintenance operations. The IPv6 management IP address must be an unused
IP address. We recommend that you use an IP address that has the same prefix as an IPv6
IP address assigned to the interface.
For more information, see About FireCluster Management IP Addresses on page 513.
Do not set the Primary or Backup cluster IP address to the default IP address of any
interface on the device. The default interface IP addresses are in the range 10.0.0.1 to
10.0.17.1. The Primary and Backup cluster IP addresses must not be used for
anything else on your network, such as virtual IP addresses for Mobile VPN or the IP
addresses used by remote branch office networks.
10. Click OK.
The device you added appears on the Members tab as a cluster member.
11. Repeat the previous steps to add the second XTM device to the cluster configuration.
If you want the second device to be automatically discovered and added to the
cluster, do not save the configuration to the XTM device until you start the second
device in safe mode.
12. Start the second XTM device with factory-default settings.
Make sure that you have installed the feature key on the second device before you restart it with
factory default settings. The feature key is not removed when you reset the device and is
required for the second device to be added to the cluster.
For any XTM device that has an LCD screen, start the device in safe mode
To start in safe mode, press and hold the down arrow button on the device front panel while
you power on the device. Continue to hold the down arrow button until Safe Mode
Starting... appears on the LCD display. When the device is in safe mode, the model
number followed by the word safe appears on the LCD display.
For any desktop XTM device, reset the device to factory-default settings
For instructions to reset an XTM 33 or 2 Series device to factory-default settings, see
Reset a Device.
13. Save the configuration file to the XTM device.
The cluster is built. The cluster master automatically discovers the other configured cluster member
and synchronizes the configuration.
After the cluster is active, you can monitor the status of the cluster members on the Firebox System
Manager Front Panel tab.
For more information, see Monitor and Control FireCluster Members on page 549.
If you save the configuration to the cluster master before you start the second device in safe mode, the
cluster master does not automatically discover the second device. If the second device is not
automatically discovered, you can use Firebox System Manager to manually trigger device discovery
as described in Discover a Cluster Member on page 553.
Find the Multicast MAC Addresses for an Active/Active Cluster
To configure your switch to support the FireCluster multicast MAC addresses, you might need to know
the multicast MAC addresses the cluster uses for each interface. There are two ways to find the MAC
addresses assigned to the interfaces.
Find the MAC Addresses in Policy Manager
1. Open Policy Manager for the active/active FireCluster.
2. Select FireCluster > Configure.
The FireCluster Configuration dialog box appears.
3. In the Interface Settings section, find the multicast MAC address for each interface.
To copy a multicast MAC address from the FireCluster configuration to your switch or router
configuration:
1. In the Multicast MAC column, double-click the MAC address.
The MAC address appears highlighted.
2. Click and drag to highlight the MAC address.
3. Press Ctrl+C on your keyboard to copy it to the clipboard.
4. Paste the MAC address in your switch or router configuration.
For more information, see Switch and Router Requirements for an Active/Active FireCluster on
page 525.
Find the MAC Address in Firebox System Manager
You can also find the multicast MAC addresses in Firebox System Manager.
1. Open Firebox System Manager.
2. Select the Front Panel tab.
3. Expand Interfaces.
The multicast MAC address is included with each interface in the cluster.
Active/Passive Cluster ID and the Virtual MAC Address
An active/passive FireCluster uses a virtual MAC address, calculated based on the Cluster ID and the
interface numbers. If you configure more than one active/passive FireCluster on the same subnet, it is
important to know how to set the Cluster ID to avoid a possible virtual MAC address conflict.
How the Virtual MAC Address is Calculated
The virtual MAC addresses for interfaces on an active/passive FireCluster start with 00:00:5E:00:01 .
The sixth octet of the MAC address is set to a value that is equal to the interface number plus the
Cluster ID.
For example, for a FireCluster with the Cluster ID set to 1, the virtual MAC addresses are:
Interface 0: 00:00:5E:00:01:01
Interface 1: 00:00:5E:00:01:02
Interface 2: 00:00:5E:00:01:03
If you add a second FireCluster to the same subnet, you must make sure to set the Cluster ID to a
number that is different enough from the Cluster ID of the first FireCluster to avoid a virtual MAC
address conflict. For example, if the first FireCluster has 5 interfaces, you must set the Cluster ID of
the second FireCluster at least 5 higher than the Cluster ID for the first FireCluster.
For example, if the second FireCluster has the Cluster ID set to 6, the virtual MAC addresses are:
Interface 0: 00:00:5E:00:01:06
Interface 1: 00:00:5E:00:01:07
Interface 2: 00:00:5E:00:01:08
It is also possible that the FireCluster virtual MAC addresses can conflict with HSRP and VRRP
configured devices on your network.
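As an added example (not WatchGuard code), the following Python applies the rule above: it derives the virtual MAC of each interface from the Cluster ID, finds collisions between two clusters on one segment, gives the smallest safe Cluster ID for a second cluster, and flags overlap with VRRP for IPv4, which uses the same 00:00:5E:00:01 prefix with the VRID as the sixth octet (RFC 3768 / RFC 5798). The one-byte bound on the sixth octet is an assumption of the example, not a limit stated in the guide.

```python
"""Virtual MAC planning for active/passive FireClusters.

Added example, not WatchGuard code. Implements the rule from the guide:
virtual MAC = 00:00:5E:00:01:XX, where XX = interface number + Cluster ID.
"""
VMAC_PREFIX = "00:00:5E:00:01"


def virtual_mac(cluster_id: int, interface: int) -> str:
    """Return the virtual MAC for one interface of an active/passive cluster."""
    octet = cluster_id + interface
    # Assumption: the sixth octet is a single byte, so the sum must fit in 0-255.
    if not 0 <= octet <= 0xFF:
        raise ValueError(f"cluster_id {cluster_id} + interface {interface} exceeds one octet")
    return f"{VMAC_PREFIX}:{octet:02X}"


def cluster_vmacs(cluster_id: int, interface_count: int) -> dict[int, str]:
    """Map interface number -> virtual MAC for every interface on the cluster."""
    return {i: virtual_mac(cluster_id, i) for i in range(interface_count)}


def vmac_conflicts(clusters: dict[str, tuple[int, int]]) -> list[tuple[str, str, str]]:
    """Find virtual MACs shared by two clusters on the same subnet.

    clusters maps a label to (cluster_id, interface_count).
    Returns (mac, first_owner, second_owner) triples in MAC order.
    """
    owners: dict[str, str] = {}
    conflicts: list[tuple[str, str, str]] = []
    for label, (cid, count) in clusters.items():
        for mac in cluster_vmacs(cid, count).values():
            if mac in owners:
                conflicts.append((mac, owners[mac], label))
            else:
                owners[mac] = label
    return sorted(conflicts)


def min_safe_cluster_id(first_cluster_id: int, first_interface_count: int) -> int:
    """Smallest Cluster ID for a second cluster that cannot collide with the first.

    The first cluster occupies sixth octets first_cluster_id .. first_cluster_id + count - 1,
    so the second must start at least `count` higher (the guide's "5 interfaces -> at least 5 higher").
    """
    return first_cluster_id + first_interface_count


def vrrp_overlap(cluster_id: int, interface_count: int, vrrp_vrids: set[int]) -> dict[int, str]:
    """Interfaces whose virtual MAC equals a VRRP IPv4 virtual MAC already on the segment.

    VRRP for IPv4 uses 00:00:5E:00:01:{VRID}, the same prefix the cluster uses,
    so a VRID equal to cluster_id + interface produces the same MAC.
    """
    return {i: mac for i, mac in cluster_vmacs(cluster_id, interface_count).items()
            if (cluster_id + i) in vrrp_vrids}


if __name__ == "__main__":
    print(cluster_vmacs(1, 3))                      # the guide's Cluster ID 1 example
    print(vmac_conflicts({"A": (1, 5), "B": (5, 5)}))  # ID 5 is too close for a 5-port first cluster
    print(min_safe_cluster_id(1, 5))                # 6, as in the guide
```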
Monitor and Control FireCluster Members
Use the IP address of the trusted interface to monitor and manage the cluster. When you monitor the
cluster in Firebox System Manager, you see an aggregated view of the devices in the cluster. In FSM,
you view the status of the cluster members as if the cluster were one device.
To monitor a cluster:
1. In WatchGuard System Manager, connect to the trusted IP address of the cluster.
2. Click the Firebox System Manager icon.
Firebox System Manager appears.
When you connect to the trusted IP address of the cluster in Firebox System Manager, the clustered
devices appear on the Front Panel tab. The other tabs include information that is combined for all
devices in the cluster.
Monitor Status of FireCluster Members
When you monitor a FireCluster, the Firebox System Manager tabs include information about all
devices in the cluster. On the Front Panel tab, you can expand the cluster to view the status of each
member. This shows which device is the master, and the status of each device in the cluster. The
other tabs include information that is combined for all devices in the cluster.
You can also use the FireCluster Management IP address to connect to and monitor
an individual cluster member. When you monitor only one cluster member, you do not
see all the information about the cluster. For more information, see About FireCluster
Management IP Addresses on page 513.
Monitor and Control Cluster Members
You can also use Firebox System Manager to monitor and control individual cluster members.
Although FireCluster operations usually occur automatically, you can manually complete some of the
functions in Firebox System Manager.
To control cluster members:
1. Select Tools > Cluster.
2. Select an option:
- Discover a Cluster Member
- Force a Failover of the Cluster Master
- Reboot a Cluster Member
- Shut Down a Cluster Member
- Connect to a Cluster Member
- Make a Member Leave a Cluster
- Make a Member Join a Cluster
Monitor Cluster Health
Each cluster member has a health index that indicates the overall health of the device. If the health
index of the cluster master is lower than the health index of the backup master, this triggers failover of
the cluster master.
The cluster health index for each cluster member is a weighted average of three more specific health
indexes that indicate the status of monitored ports, processes, and hardware. Each health index can
have a value from 0 to 100. You can see information about the health of cluster members on the
Firebox System Manager Status Report tab.
To see the cluster health information:
1. Connect to the FireCluster in WatchGuard System Manager.
2. Start Firebox System Manager.
3. Select the Status Report tab.
4. Scroll down to the Cluster Health section of the Status Report.
Cluster Health
----------------
Member Id = 80B0030CA6EE9
Member cluster Role = 3
System Health Index (SHI) = 100
Hardware Health Index (HHI) = 100 (disabled)
Monitored Ports Health Index (MPHI) = 100
Weighted Avg Index (WAI) = 100
Member Id = 80B0030EBCFAA
Member cluster Role = 2
System Health Index (SHI) = 100
Hardware Health Index (HHI) = 100 (disabled)
Monitored Ports Health Index (MPHI) = 100
Weighted Avg Index (WAI) = 100
For each cluster member, the Status Report shows these health index values:
System Health Index (SHI)
This number indicates the status of monitored processes on the device. If all monitored
processes are active, the SHI value is 100.
Hardware Health Index (HHI)
This number indicates the status of critical hardware components. If no hardware failures are
detected, the HHI value is 100. If a critical monitored hardware component fails, the HHI value
is zero. The HHI is based on the status of monitored health statistics, described in Monitor
Hardware Health.
If (disabled) appears adjacent to the HHI number, the HHI is not used as a criterion for
FireCluster failover.
HHI is disabled by default. When HHI is disabled, hardware health of the cluster members is
still monitored, but the HHI is not used in the calculation of the weighted average index. For
more information about hardware health monitoring, see Monitor Hardware Health.
Monitored Ports Health Index (MPHI)
This number indicates the status of monitored ports. If all monitored ports are up, the MPHI value
is 100. The status of wireless connections is not monitored as part of this index.
Weighted Average Index (WAI)
This number is used to compare the overall health of two cluster members, as a criterion for
failover. By default, the WAI for a cluster member is a weighted average of the SHI, and MPHI
for that device, but does not include the HHI.
You can optionally enable the HHI to be used in the calculation of the WAI. If you do this, the
WAI is a weighted average of the HHI, SHI, and MPHI. The one exception is that if the HHI of a
device is zero, the WAI for that device is also zero.
To enable the HHI to be used in the calculation of the WAI, select the Monitor hardware
status as a criteria for FireCluster failover check box in FireCluster Advanced settings. For
more information, see Configure FireCluster Advanced Settings.
The Status Report for a FireCluster includes other detailed information that can be
used by WatchGuard technical support to help diagnose issues with your
FireCluster.
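The following Python is added here and is not part of WatchGuard's software: it parses the Cluster Health section in the layout shown above, including the "(disabled)" marker on the HHI line, and applies the failover rule from this section (the master fails over when its WAI is lower than the backup master's). The member IDs come from the excerpt above; the degraded variant is constructed, and the equal weights in compute_wai are an assumption, because the guide does not publish the weights.

```python
"""Parse the 'Cluster Health' section of a FireCluster Status Report and apply the
failover rule from the guide. Added example, not WatchGuard code. The report text
below is constructed in the layout the guide shows (member IDs from its excerpt)."""
import re
from dataclasses import dataclass

HEALTHY_REPORT = """\
Cluster Health
----------------
Member Id = 80B0030CA6EE9
Member cluster Role = 3
System Health Index (SHI) = 100
Hardware Health Index (HHI) = 100 (disabled)
Monitored Ports Health Index (MPHI) = 100
Weighted Avg Index (WAI) = 100
Member Id = 80B0030EBCFAA
Member cluster Role = 2
System Health Index (SHI) = 100
Hardware Health Index (HHI) = 100 (disabled)
Monitored Ports Health Index (MPHI) = 100
Weighted Avg Index (WAI) = 100
"""

# Constructed variant: the first member has lost link on a monitored port.
DEGRADED_REPORT = HEALTHY_REPORT.replace(
    "Monitored Ports Health Index (MPHI) = 100\nWeighted Avg Index (WAI) = 100\nMember Id = 80B0030EBCFAA",
    "Monitored Ports Health Index (MPHI) = 50\nWeighted Avg Index (WAI) = 75\nMember Id = 80B0030EBCFAA",
)


@dataclass
class MemberHealth:
    member_id: str
    role: int
    shi: int
    hhi: int
    hhi_enabled: bool  # False when "(disabled)" follows the HHI value
    mphi: int
    wai: int


FIELDS = {
    "Member cluster Role": "role",
    "System Health Index (SHI)": "shi",
    "Hardware Health Index (HHI)": "hhi",
    "Monitored Ports Health Index (MPHI)": "mphi",
    "Weighted Avg Index (WAI)": "wai",
}
LINE_RE = re.compile(r"^\s*(?P<key>[^=]+?)\s*=\s*(?P<value>\S+)(?P<flag>\s*\(disabled\))?\s*$")


def parse_cluster_health(report: str) -> list[MemberHealth]:
    """Return one MemberHealth per 'Member Id' block under the 'Cluster Health' heading."""
    blocks: list[dict] = []
    in_section = False
    for line in report.splitlines():
        if line.strip() == "Cluster Health":
            in_section = True
            continue
        m = LINE_RE.match(line) if in_section else None
        if not m:
            continue  # heading not reached yet, dashed separator, or blank line
        key, value = m.group("key"), m.group("value")
        if key == "Member Id":
            blocks.append({"member_id": value})
            continue
        field = FIELDS.get(key)
        if field is None or not blocks:
            continue  # other status-report detail this example does not model
        blocks[-1][field] = int(value)
        if field == "hhi":
            blocks[-1]["hhi_enabled"] = m.group("flag") is None
    return [MemberHealth(**b) for b in blocks]


def compute_wai(shi: int, mphi: int, hhi: int, hhi_enabled: bool) -> int:
    """Recompute a member's WAI from its component indexes.

    The guide states which indexes enter the average and that an enabled HHI of
    zero forces the WAI to zero; it does not publish the weights, so equal weights
    are an assumption of this example (use the result for relative comparison only).
    """
    if hhi_enabled and hhi == 0:
        return 0
    parts = [shi, mphi] + ([hhi] if hhi_enabled else [])
    return round(sum(parts) / len(parts))


def master_should_fail_over(members: list[MemberHealth], master_id: str) -> bool:
    """True when the master's WAI is lower than the backup master's WAI."""
    by_id = {m.member_id: m for m in members}
    master = by_id[master_id]
    backups = [m for m in members if m.member_id != master_id]
    if not backups:
        raise ValueError("no backup master present in the report")
    return any(master.wai < b.wai for b in backups)


if __name__ == "__main__":
    for member in parse_cluster_health(DEGRADED_REPORT):
        print(member)
    print(master_should_fail_over(parse_cluster_health(DEGRADED_REPORT), "80B0030CA6EE9"))
```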
Discover a Cluster Member
When you enable FireCluster, the cluster master can automatically discover the other cluster member
device the first time you save the configuration to the cluster master, if the other device is started in
safe mode. You can also use the Discover member command to trigger the cluster master to discover
a device. This can be a new device or an existing cluster member.
Before you begin, make sure that the device is:
- Connected to the network correctly, as described in Connect the FireCluster Hardware on page
524
- Configured as a cluster member in the cluster configuration. Use one of these methods:
  - Use the FireCluster Setup Wizard
  - Configure FireCluster Manually
To trigger the cluster master to discover a device:
1. If this is a new device for this cluster, start the new device in safe mode.
For more information, see the subsequent section.
2. In WatchGuard System Manager, connect to the cluster master.
3. Start Firebox System Manager.
4. Select Tools > Cluster > Discover member.
The Discover member dialog box appears.
5. Type the configuration passphrase for the cluster.
A message appears to tell you the discovery process has started.
6. Click OK.
The cluster master tries to discover new devices connected to the cluster.
When the cluster master discovers a connected device, it checks the serial number of the device. If
the serial number matches the serial number of a cluster member in the FireCluster configuration, the
cluster master loads the cluster configuration on the second device. That device then becomes active
in the cluster. The second device synchronizes all cluster status with the cluster master.
After discovery and the initial synchronization is complete, the device appears on the Firebox System
Manager Front Panel tab as a member of the cluster.
Start The XTM Device with Factory Default Settings
For an XTM device to be discoverable, you must start the device in safe mode or reset it to factory
default settings.
For any XTM device that has an LCD screen, start the device in safe mode
To start in safe mode, press and hold the down arrow button on the device front panel while
you power on the device. Continue to hold the down arrow button until Safe Mode
Starting... appears on the LCD display. When the device is in safe mode, the model
number followed by the word safe appears on the LCD display.
For any desktop XTM device, reset the device to factory-default settings
For instructions to reset an XTM 33 or 2 Series device to factory-default settings, see
Reset a Device.
Force a Failover of the Cluster Master
You can use the Firebox System Manager Failover Master command to force the cluster master to fail
over. The backup master becomes the cluster master, and the original master device becomes the
backup master.
1. Select Tools > Cluster > Failover master.
The Failover Master dialog box appears.
2. Type the configuration passphrase.
3. Click OK.
The cluster master fails over to the backup master, and the backup master becomes the master.
Reboot a Cluster Member
You can use the Reboot member command in Firebox System Manager to reboot a cluster member.
This is equivalent to the File > Reboot command that you use to reboot a non-clustered device.
1. Select Tools > Cluster > Reboot member.
The Reboot member dialog box appears.
2. Select the cluster member you want to reboot.
3. Type the configuration passphrase.
4. Click OK.
The cluster member reboots, and then rejoins the cluster.
If you reboot the cluster master, this triggers failover. The backup master becomes the master. After
the reboot is complete, the original master rejoins the cluster as the backup master.
Shut Down a Cluster Member
You can use the Shutdown member command in Firebox System Manager to shut down a member of
a cluster. This is equivalent to the File > Shutdown command that you use to shut down a non-clustered device.
1. Select Tools > Cluster > Shutdown member.
The Shutdown member dialog box appears.
2. Select the cluster member you want to shut down.
3. Type the configuration passphrase.
4. Click OK.
The cluster member shuts down. Any traffic handled by that cluster member shifts to the other cluster
member.
When you shut down a cluster member, the LCD, the serial port, and all interfaces of the device are
shut down. The power indicator changes to orange, and the fans continue to run, but you cannot
communicate with the device. To restart the device after a shut down, you must press the power
button to power off the device. Then press the power button again to power on the device and restart it.
Connect to a Cluster Member
When you connect to a FireCluster with WatchGuard System Manager, the available information is
combined for all members of the cluster. To monitor an individual cluster member, you can connect to
the cluster member with Firebox System Manager (FSM). FSM has two available methods to connect
to a cluster member: the FSM main menu or the right-click menu.
To use the main menu:
1. Select Tools > Cluster > Connect to member.
The Connect to member dialog appears.
2. Select the cluster member to which you want to connect.
3. Click OK.
Another Firebox System Manager window opens for the selected cluster member.
To use the right-click menu:
1. On the Front Panel tab, select a cluster member.
2. Right-click the device and select Connect to Member.
Make a Member Leave a Cluster
If you use the FireCluster management IP address to connect to the cluster member, the Leave
command is available in Firebox System Manager. The Leave command is part of the procedure to
restore a FireCluster backup image.
When a member leaves the cluster, it is still part of the cluster configuration, but does not participate in
the cluster. The other cluster member handles all traffic in the cluster after the second member has left.
To make a member leave the cluster:
1. In WatchGuard System Manager, use the FireCluster Management IP address to connect to
the backup master.
2. Start Firebox System Manager for the backup master.
3. Select Tools > Cluster > Leave.
The backup master leaves the cluster and reboots.
For information about the Management IP address, see About FireCluster Management IP Addresses
on page 513.
For information about how to restore a backup image to members of a cluster, see Restore a
FireCluster Backup Image on page 571.
Make a Member Join a Cluster
The Join command is only available in Firebox System Manager if you connect to a cluster member
with the interface for management IP address, and if you previously used the Leave command to make
the member leave the cluster. The Leave and Join commands are part of the procedure to restore a
FireCluster backup image.
1. In WatchGuard System Manager, use the FireCluster management IP address to connect to
the backup master.
If the backup image you restored has a different Management IP address for this cluster
member or a different passphrase, use the Management IP and passphrase from the backup
image to reconnect to the device in WSM.
2. Start Firebox System Manager for the backup master.
3. Select Tools > Cluster > Join.
The backup master reboots and rejoins the cluster.
For information about the Management IP address, see About FireCluster Management IP Addresses
on page 513.
For information about how to restore a backup image to members of a cluster, see Restore a
FireCluster Backup Image on page 571.
Remove or Add a Cluster Member
You can use Policy Manager to remove and add devices to the FireCluster.
Remove a Device from a FireCluster
To remove a device from a FireCluster:
1. In WatchGuard System Manager, open the configuration for the cluster master.
2. Click the Policy Manager icon, or select Tools > Policy Manager.
Policy Manager appears.
3. Select FireCluster > Configure.
The FireCluster Cluster Configuration dialog box appears.
4. Click the Members tab.
A list of cluster members appears.
5. Select the name of the cluster member you want to delete.
6. Click Delete.
The device is removed from the member list.
7. Click OK.
8. Save the configuration file to the cluster.
The device is removed from the cluster.
When you save the configuration file to the cluster, Policy Manager checks to see if
the current cluster master is in the cluster configuration. If the device you removed
from the configuration is the current cluster master, Policy Manager attempts to force
a failover, so the backup master becomes the new cluster master. If the failover
succeeds, the configuration change is saved. If the failover does not succeed, Policy
Manager does not allow you to save the configuration to the cluster.
After you remove an XTM device from a cluster, when you save the configuration to the cluster the
device you removed reboots and all settings on the device are reset to factory defaults. The other
member becomes the cluster master.
For information about how to see which device is the cluster master, or to manually force failover from
the cluster master to another member, see Monitor and Control FireCluster Members on page 549.
Add a New Device to a FireCluster
You can add a new cluster member on the FireCluster Configuration dialog box Members tab.
To add a new device to the cluster:
1. Click Add.
2. Configure the settings for the new cluster member as described in Configure FireCluster
Manually on page 539.
When FireCluster is enabled, you must have at least one device in the cluster. To remove both
devices from the cluster, you must Disable FireCluster.
Update the FireCluster Configuration
You update the configuration of a FireCluster in much the same way that you update the configuration
for an individual XTM device. You can save an updated configuration only to the cluster master.
If you change the IP addresses of the primary or secondary cluster interface, all
cluster members must reboot at the same time after you save the configuration.
To update the FireCluster configuration:
1. In WatchGuard System Manager, click the Connect To Device icon, or select File > Connect To Device.
The Connect to Firebox dialog box appears.
2. Select or type the trusted IP address for the cluster. Type the status (read-only) passphrase.
Click OK.
The cluster appears as a device in the WatchGuard System Manager Device Status tab.
3. On the Device Status tab, select the cluster device.
4. Click the Policy Manager icon, or select Tools > Policy Manager.
Policy Manager appears with the current configuration file for the cluster.
5. Make any configuration changes to the cluster.
6. Save the configuration file to the trusted IP address of the cluster.
When you save the configuration to a cluster, the cluster master automatically sends the updated
configuration to the other cluster member.
For details about the FireCluster configuration settings, see Configure FireCluster Manually.
Configure FireCluster Advanced Settings
The Advanced tab in the FireCluster Configuration dialog box includes settings for logging and
notification, and enables you to adjust the lost heartbeat threshold.
Configure Logging and Notification
Log messages are always created for FireCluster events.
To configure notification settings for FireCluster failover and failback events:
1. Click Notification.
2. Select a notification method: SNMP trap, email message, or pop-up window.
For more information about notification settings, see Set Logging and Notification Preferences on page
1209.
To set the diagnostic log level for FireCluster events in Policy Manager:
1. Select Setup > Logging.
2. Click Diagnostic Log Level.
For more information about diagnostic logging, see Set the Diagnostic Log Level on page 1204.
Change the Lost Heartbeat Threshold
The cluster master sends a VRRP heartbeat packet through the primary and backup cluster interfaces
once per second. The Lost Heartbeat Threshold determines the number of consecutive heartbeats not
received by the backup master before a FireCluster failover is triggered.
The default Lost Heartbeat Threshold value of three is optimal for most FireCluster configurations.
Before you change the default value, make sure you eliminate any legitimate causes for failover. Look
in the log messages to see if the lost heartbeat was caused by something else that happened. To see
the cause of lost heartbeats, you might need to temporarily increase the diagnostic log level, as
described in the previous section.
If unexplained failovers occur with your FireCluster, with no known cause, you can increase the Lost
Heartbeat Threshold to try to make the cluster more stable. The maximum value for Lost Heartbeat
Threshold is 10.
To change the lost heartbeat threshold:
In the Lost Heartbeat Threshold text box, type or select a value between 3 and 10.
Use Hardware Status as a Criteria for FireCluster Failover
FireCluster failover can be triggered based upon a comparison of the weighted average index (WAI) of
each cluster member. By default the hardware health index (HHI) is not used in the calculation of the
WAI.
To enable the HHI to be used in the calculation of the weighted average index:
Select the Monitor hardware status as a criteria for FireCluster failover check box.
For more information about the hardware health index and the calculation of WAI, see Monitor Cluster
Health.
About Feature Keys and FireCluster
Each device in a cluster has its own feature key. When you configure a FireCluster, you import feature
keys for each cluster member. The FireCluster has a set of Cluster Features, which apply to the whole
cluster. The Cluster Features are based on the feature keys for all devices in the cluster.
For more information about how to get a feature key for a device, see Get a Feature Key for Your
XTM Device on page 89.
When you enable a FireCluster, the subscription services and upgrades activated for cluster members
operate as follows:
LiveSecurity Service subscription
A LiveSecurity Service subscription applies to a single device, even when that device is
configured as a member of a cluster. You must have an active LiveSecurity Service
subscription for each device in the cluster. If the LiveSecurity subscription expires for a cluster
member, you cannot upgrade the Fireware XTM OS on that device.
BOVPN and Mobile VPN upgrades
Branch Office VPN (BOVPN) and Mobile VPN licenses operate differently for an active/active
cluster and an active/passive cluster.
Active/Active — Licenses for Branch Office VPN and Mobile VPN are aggregated for devices
configured as a FireCluster. If you purchase additional BOVPN or Mobile VPN licenses for each
device in a cluster, that additional capacity is shared between the devices in the cluster. For
example, if you have two devices in a cluster and each device feature key has a capacity for
2000 Mobile VPN users, the effective license for the FireCluster is 4000 Mobile VPN users.
Active/Passive — Licenses for Branch Office and Mobile VPN are not aggregated for devices
configured as a FireCluster. The active device uses the highest capacity Branch Office and
Mobile VPN activated for either device. If you purchase additional BOVPN or Mobile VPN
licenses for either device in a cluster, the additional capacity is used by the active device.
Subscription Services
Subscription Services such as WebBlocker, spamBlocker, and Gateway AV operate differently
for an active/active cluster and an active/passive cluster.
• Active/Active — You must have the same subscription services enabled in the feature
keys for both devices. Each cluster member applies the services from its own feature key.
• Active/Passive — You must enable the subscription services in the feature key for only
one cluster member. The active cluster member uses the subscription services that are
active in the feature key of either cluster member.
In an active/active cluster, it is very important to renew subscription services for both
cluster members. If a subscription service expires on one member of an active/active
cluster, the service does not function for that member. The member with the expired
license continues to pass traffic, but does not apply the service to that traffic.
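The licence rules above (capacities aggregated in active/active and taken as the highest value in active/passive, subscription services applied per member, and the latest expiration date shown on the Cluster Features tab) as an added Python model. This is example code written here, not WatchGuard code; the member names, feature names, capacities and dates in it are constructed.

```python
"""Model of how a FireCluster derives its Cluster Features from the
feature keys of its members, following the licence rules described above.

Added example, not WatchGuard code; the feature names, capacities and
dates are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Feature:
    enabled: bool
    capacity: int = 0               # licensed count (VPN users/tunnels); 0 for on/off services
    expires: Optional[date] = None  # None: the feature does not expire


# Capacity licences: summed for an active/active cluster, highest value used
# by the active device in an active/passive cluster (BOVPN and Mobile VPN rules).
CAPACITY_FEATURES = {"BOVPN_TUNNELS", "MOBILE_VPN_USERS"}
# Every other feature is treated as a subscription service (WebBlocker,
# spamBlocker, Gateway AV): each active/active member applies its own key; in
# active/passive the active member uses the service if either key has it.


def is_active(f: Feature, today: date) -> bool:
    """A feature counts only if it is enabled and has not expired."""
    return f.enabled and (f.expires is None or f.expires >= today)


def cluster_features(members: Dict[str, Dict[str, Feature]], mode: str,
                     today: date) -> Tuple[Dict[str, dict], List[str]]:
    """Return (features, warnings) for mode "active/active" or "active/passive".

    features maps each feature name to a dict with:
      value          aggregated capacity, or True/False for a service
      expires        latest expiration date among the members (None if no expiry)
      days_remaining days until that date (None if no expiry)
    warnings lists active/active members that cannot apply a service.
    """
    if mode not in ("active/active", "active/passive"):
        raise ValueError(f"unknown cluster mode: {mode}")
    names = sorted({n for key in members.values() for n in key})
    features: Dict[str, dict] = {}
    warnings: List[str] = []
    for name in names:
        per_member = {m: key.get(name, Feature(False)) for m, key in members.items()}
        active = {m: f for m, f in per_member.items() if is_active(f, today)}
        dates = [f.expires for f in per_member.values() if f.expires is not None]
        latest = max(dates) if dates else None
        if name in CAPACITY_FEATURES:
            caps = [f.capacity for f in active.values()]
            if not caps:
                value = 0
            elif mode == "active/active":
                value = sum(caps)          # licences are aggregated across members
            else:
                value = max(caps)          # active device uses the highest capacity
        elif mode == "active/active":
            value = len(active) == len(members)   # both keys must carry the service
            for m, f in per_member.items():
                if m in active:
                    continue
                if f.enabled and f.expires is not None and f.expires < today:
                    warnings.append(f"{name} expired on {m} ({f.expires}): {m} passes "
                                    "traffic but does not apply the service")
                else:
                    warnings.append(f"{name} is not enabled on {m}: active/active "
                                    "members must license the same services")
        else:
            value = bool(active)           # service from either key is used
        features[name] = {
            "value": value,
            "expires": latest,
            "days_remaining": (latest - today).days if latest else None,
        }
    return features, warnings


def sample_members() -> Dict[str, Dict[str, Feature]]:
    """Two constructed feature keys; Gateway AV has already expired on member B."""
    return {
        "A": {"BOVPN_TUNNELS": Feature(True, 50),
              "MOBILE_VPN_USERS": Feature(True, 2000, date(2015, 1, 31)),
              "WEBBLOCKER": Feature(True, expires=date(2015, 3, 1)),
              "GATEWAY_AV": Feature(True, expires=date(2015, 3, 1))},
        "B": {"BOVPN_TUNNELS": Feature(True, 50),
              "MOBILE_VPN_USERS": Feature(True, 2000, date(2014, 12, 31)),
              "WEBBLOCKER": Feature(True, expires=date(2014, 11, 15)),
              "GATEWAY_AV": Feature(True, expires=date(2014, 4, 1))},
    }


if __name__ == "__main__":
    today = date(2014, 5, 12)   # constructed "today" for the sample keys
    for mode in ("active/active", "active/passive"):
        feats, warns = cluster_features(sample_members(), mode, today)
        print(mode)
        for name, info in feats.items():
            print(f"  {name:17} value={info['value']!s:6} expires={info['expires']} "
                  f"days={info['days_remaining']}")
        for w in warns:
            print("  WARNING:", w)
```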
See the Feature Keys and Cluster Features for a Cluster
1. Open Policy Manager for the cluster master.
2. Select FireCluster > Configure.
3. Select the Members tab.
4. Select the FireCluster folder.
Tabs with the cluster features, and features for each cluster member, appear at the bottom of the
dialog box.
5. To see the licensed features for the cluster, select the Cluster Features tab.
• The Expiration and Status columns show the latest expiration date and days remaining for
that service among the cluster members.
• The Value column shows the status or capacity of the feature for the cluster as a whole.
6. Select the Member tabs to see the individual licenses for each cluster member.
Make sure to check the expiration date on any services for each cluster member.
See or Update the Feature Key for a Cluster Member
You can use Policy Manager to see or update the feature key for each cluster member.
1. Select FireCluster > Configure.
2. Select the Members tab.
3. In the FireCluster tree, select the member name. Click Edit.
The FireCluster Member Configuration dialog box appears.
4. Select the Feature Key tab.
The features that are available from this feature key appear.
This tab also includes:
• Whether each feature is enabled or disabled
• A value assigned to the feature, such as the number of allowed VLAN interfaces
• The expiration date of the feature
• The amount of time that remains before the feature expires
5. Click Import.
The Import Firebox Feature Key dialog box appears.
6. To find the feature key file, click Browse.
Or, copy the text of the feature key file and click Paste to insert it in the dialog box. Click OK.
7. Save the Configuration File.
The feature key is not copied to the device until you save the configuration file to the cluster master.
In Policy Manager, you can also select Setup > Feature Keys to see the feature key information for
the cluster, and to enable automatic feature key synchronization for the cluster.
For more information, see Enable Automatic Feature Key Synchronization.
See the FireCluster Feature Key in Firebox System Manager
You can also see the feature key from Firebox System Manager:
1. Select View > Feature Keys.
The Firebox Feature Key dialog appears with a summary of all devices in the cluster. The Licensed
Features section includes the features licensed for the entire cluster.
2. Click Details to see the details about the feature key for each device in the cluster.
3. Scroll down to see the feature key for the second device.
Create a FireCluster Backup Image
Because the cluster master synchronizes the configuration with the cluster members, you only have to
back up the image of the cluster master.
To create a backup of the flash image (.fxi) of the cluster master:
1. In WatchGuard System Manager, use the cluster trusted interface IP address to connect to the
cluster master.
2. Open Policy Manager for the cluster master.
3. Make a Backup of the XTM Device Image.
To create a backup image of an individual cluster member:
1. In WatchGuard System Manager, use the cluster trusted interface IP address to connect to the
cluster master.
2. Open Policy Manager for the cluster member.
3. Make a Backup of the XTM Device Image.
Make sure to keep a record of the management IP addresses and passphrases in the
backup image. If you restore a FireCluster from this image, you must have this
information to connect to the cluster members.
Restore a FireCluster Backup Image
To restore a FireCluster backup image to a cluster, you must restore the image to each cluster member
one at a time. The backup master must leave the cluster before you restore the backup image to each
cluster member. After you restore the configuration to both cluster members, the backup master must
rejoin the cluster.
When you restore a backup image, you must use the cluster Management IP address to connect to the
device. All other interfaces on the device are inactive until the final step when the backup master
rejoins the cluster.
You must connect to the cluster from a workstation that is on the same subnet as the
cluster Management IP address. If the Management IP address is a public, routable
IP address, you can also connect through the Internet.
For more information about the cluster Management IP address, see About FireCluster Management
IP Addresses.
Make the Backup Master Leave the Cluster
1. In WatchGuard System Manager, use the FireCluster Management IP address to connect to
the backup master.
2. Start Firebox System Manager for the backup master.
3. Select Tools > Cluster > Leave.
The backup master leaves the cluster and reboots.
Do not make configuration changes to the cluster master after the backup master has
left the cluster.
Restore the Backup Image to the Backup Master
1. In WatchGuard System Manager, use the FireCluster Management IP address to connect to
the backup master.
2. Start Policy Manager for the backup master.
3. Select File > Restore to restore the backup image.
The device restarts with the restored configuration.
For more information about the Restore command, see Restore an XTM Device Backup Image
on page 62.
After you restore the backup image to a cluster member, the device appears to be a
member of a cluster in WatchGuard System Manager and Firebox System Manager.
The cluster does not function until after the last step when the backup master rejoins
the cluster.
Restore the Backup Image to the Cluster Master
1. In WatchGuard System Manager, use the interface for management IP address to connect to
the cluster master.
2. Start Policy Manager for the cluster master.
3. Select File > Restore to restore the backup image.
The device restarts with the restored configuration.
For more information about the Restore command, see Restore an XTM Device Backup Image
on page 62.
4. In WatchGuard System Manager, use the interface for management IP address to connect to
the cluster master.
If the backup image you restored has a different interface for management IP address for this
cluster member or a different passphrase, use the interface for management IP and passphrase
from the backup image to reconnect to the device.
Make the Backup Master Rejoin the Cluster
1. In WatchGuard System Manager, use the management IP address to connect to the backup
master.
If the backup image you restored has a different interface for management IP address for this
cluster member or a different passphrase, use the interface for management IP and passphrase
from the backup image to reconnect to the device.
2. Start Firebox System Manager for the backup master.
3. Select Tools > Cluster > Join.
The backup master reboots and rejoins the cluster.
Upgrade Fireware XTM for FireCluster Members
To upgrade the Fireware XTM OS for devices in a FireCluster configuration, you use Policy Manager.
When you upgrade the Fireware XTM OS on a member of a cluster, the device reboots. When the
upgrade is in progress, network traffic is handled by the other device in the cluster. When the reboot
completes, the device you upgraded automatically rejoins the cluster. Because the cluster cannot do
load balancing at the time of the reboot, if you have an active/active cluster, we recommend you
schedule the upgrade at a time when the network traffic is lightest.
For some Fireware XTM software upgrades, the cluster becomes unavailable and
passes no traffic until the upgrade is complete and the devices in the cluster reboot. If
an OS upgrade will cause a service interruption, Policy Manager displays a warning
and requires you to confirm that you want to continue.
To upgrade Fireware XTM for the devices in a cluster:
1. Open the cluster configuration file in Policy Manager.
2. Select File > Upgrade.
3. Type the configuration passphrase.
4. Type or select the location of the upgrade file.
5. To create a backup image, select Yes.
A list of the cluster members appears.
6. Select the check box for each device you want to upgrade.
A message appears when the upgrade for each device is complete.
When the upgrade is complete, each cluster member reboots and rejoins the cluster. If you upgrade
both devices in the cluster at the same time, the devices are upgraded one at a time. This is to make
sure there is not an interruption in network access at the time of the upgrade.
Policy Manager upgrades the backup master first. When the upgrade of the first member is complete,
that device becomes the new cluster master. Then Policy Manager upgrades the second device.
We recommend you use the same OS version on both devices. A cluster functions
best if all devices in the cluster use the same software version.
To verify that both devices use the same OS version after an upgrade, monitor the cluster in Firebox
System Manager. If the Fireware XTM OS versions on the cluster members are not the same, Firebox
System Manager displays a warning on the Front Panel tab, in the list above all other status
information.
For more information, see Monitor and Control FireCluster Members.
If you want to upgrade the firmware from a remote location, make sure the interface for management IP
address is configured on the external interface, and the IP address is public and routable.
For more information, see About FireCluster Management IP Addresses on page 513.
Disable FireCluster
When you disable FireCluster, both cluster members reboot at the same time. We recommend that you
plan this for a time when you can have a brief network interruption.
To disable FireCluster:
1. In WatchGuard System Manager, open the configuration for the cluster master.
2. Click the Policy Manager icon.
Or, select Tools > Policy Manager.
3. Select FireCluster > Configure.
The FireCluster Cluster Configuration dialog box appears.
4. Clear the Enable FireCluster check box.
5. Click OK.
6. Save the configuration to the XTM device.
The configuration is saved and both devices in the cluster reboot.
• The cluster master starts with the same IP addresses that were assigned to the cluster.
• The cluster backup master starts with the default IP addresses and configuration.
You can remove one member from the cluster and not disable the FireCluster feature. This results in a
cluster with only one member, but does not disable FireCluster or cause a network interruption.
For more information, see Remove or Add a Cluster Member on page 560.
12
Authentication
About User Authentication
User authentication is the process that verifies that a user is who he or she claims to be and
determines the privileges assigned to that user. On the XTM device, a user account has two parts: a user
name and a passphrase. Each user account is associated with an IP address. This combination of
user name, passphrase, and IP address helps the device administrator to monitor connections through
the device. With authentication, users can log in to the network from any computer, but get access only to
the network ports and protocols for which they are authorized. The XTM device can then map the
connections that start from a particular IP address to that user, and also transmit the session name while
the user is authenticated.
You can create firewall policies to give users and groups access to specified network resources. This is
useful in network environments where different users share a single computer or IP address.
You can configure your XTM device as a local authentication server, or use your existing Active
Directory or LDAP authentication server, or an existing RADIUS authentication server. When you use
Firebox authentication over port 4100, account privileges can be based on user name. When you use
third-party authentication, account privileges for users that authenticate to the third-party
authentication servers are based on group membership.
If you have configured your XTM device with an IPv6 address, you can use the IPv6 address for
Firebox authentication over port 4100. You can also use your XTM device to make IPv6 connections to
clients with IPv6 addresses when you use a third-party authentication server with an IPv4 address,
such as a RADIUS server.
The WatchGuard user authentication feature associates a user name with a specific IP
address to help you authenticate and track user connections through the device. With the device, the
fundamental question that is asked and answered with each connection is: "Should I allow traffic from
source X to go to destination Y?" For the WatchGuard authentication feature to work correctly, the IP
address of the user's computer must not change while the user is authenticated to the device.
In most environments, the relationship between an IP address and the user computer is stable enough
to use for authentication. For environments in which the association between the user and an IP
address is not consistent, such as kiosks or networks where applications are run from a terminal
server, we recommend that you use Terminal Services Agent for secure authentication. For more
information, see Install and Configure the Terminal Services Agent.
WatchGuard supports Authentication, Accounting, and Access control (AAA) in the firewall products,
based on a stable association between IP address and person.
The WatchGuard user authentication feature also supports authentication to an Active Directory
domain with Single Sign-On (SSO), as well as other common authentication servers. In addition, it
supports inactivity settings and session time limits. These controls restrict the amount of time an IP
address is allowed to pass traffic through the XTM device before users must supply their passwords
again (reauthenticate).
If you control SSO access with a white list and manage inactivity timeouts, session timeouts, and who
is allowed to authenticate, you can improve your control of authentication, accounting, and access
control.
To prevent a user from authenticating, you must disable the account for that user on the authentication
server.
User Authentication Steps
After you configure your XTM device as a local authentication server, the HTTPS server on the XTM
device accepts authentication requests. To authenticate, a user must connect to the authentication
portal web page on the XTM device.
1. Go to either:
https://[device interface IP address]:4100/
or
https://[device hostname]:4100
An authentication web page appears.
2. Type a user name and password.
3. Select the authentication server from the drop-down list, if more than one type of authentication
is configured.
The XTM device sends the name and password to the authentication server using PAP (Password
Authentication Protocol).
When authenticated, the user is allowed to use the approved network resources.
Because Fireware XTM uses a self-signed certificate by default for HTTPS, you see
a security warning from your web browser when you authenticate. You can safely
ignore this security warning. If you want to remove this warning, you can use a
third-party certificate or create a custom certificate that matches the IP address or domain
name used for authentication.
For more information, see Configure the Web Server Certificate for Firebox
Authentication on page 1452.
Manually Close an Authenticated Session
Users do not have to wait for the session timeout to close their authenticated sessions. They can
manually close their sessions before the timeout occurs. The Authentication web page must be open
for a user to close a session. If it is closed, the user must authenticate again to log out.
To close an authenticated session:
1. Go to the Authentication portal web page:
https://[device interface IP address]:4100/
or
https://[device host name]:4100
2. Click Logout.
If the Authentication portal web page is configured to automatically redirect to another
web page, the portal page redirects just a few seconds after you open it. Make sure you
log out before the page redirects.
Manage Authenticated Users
You can use Firebox System Manager to see a list of all the users authenticated to your XTM device
and close sessions for those users.
See Authenticated Users
To see the users authenticated to your XTM device:
1. Start Firebox System Manager.
2. Select the Authentication List tab.
A list of all users authenticated to the Firebox appears.
Close a User Session
From Firebox System Manager:
1. Select the Authentication List tab.
A list of all users authenticated to the Firebox appears.
2. Select one or more user names from the list.
3. Right-click the user name(s) and select Log Off User.
For more information, see Authenticated Users (Authentication List) on page 1341.
Use Authentication to Restrict Incoming Traffic
One function of the authentication tool is to restrict outgoing traffic. You can also use it to restrict
incoming network traffic. When you have an account on the XTM device and the device has a public
external IP address, you can authenticate to the device from a computer external to the device.
For example, you can type this address in your web browser:
https://<IP address of XTM device external interface>:4100/
After you authenticate, you can use the policies that are configured for you on the device.
To enable a remote user to authenticate from the external network:
1. Open Policy Manager for your device.
2. Double-click the WatchGuard Authentication policy. This policy appears after you add a user
or group to a policy configuration.
The Edit Policy Properties dialog box appears.
3. From the WG-Auth connections are drop-down list, make sure Allowed is selected.
4. In the From section, click Add.
The Add Address dialog box appears.
5. From the Available Members list, select Any and click Add.
6. Click OK.
Any appears in the From list.
7. In the To section, click Add.
8. From the Available Members list, select Firebox and click Add.
9. Click OK.
Firebox appears in the To list.
10. Click OK to close the Edit Policy Properties dialog box.
Use Authentication Through a Gateway Firebox
The gateway Firebox is the XTM device that you place in your network to protect your Management
Server from the Internet.
For more information, see About the Gateway Firebox on page 947.
To send an authentication request through a gateway Firebox to a different device, you must have a
policy that allows the authentication traffic on the gateway device. If authentication traffic is denied on
the gateway device, use Policy Manager to add the WG-Auth policy. This policy controls traffic on
TCP port 4100. You must configure the policy to allow traffic to the IP address of the destination
device.
About the WatchGuard Authentication (WG-Auth) Policy
The WatchGuard Authentication (WG-Auth) policy is automatically added to your XTM device
configuration when you add the first policy that has a user or group name in the From list on the Policy
tab of the policy definition. The WG-Auth policy controls access to port 4100 on your XTM device. Your
users send authentication requests to the device through this port. For example, to authenticate to an
XTM device with an IP address of 10.10.10.10, your users type https://10.10.10.10:4100 in the
web browser address bar.
If you want to send an authentication request through a gateway device to a different device, you might
have to add the WG-Auth policy manually. If authentication traffic is denied on the gateway device, you
must use Policy Manager to add the WG-Auth policy. Modify this policy to allow traffic to the IP
address of the destination device.
For more information on when to modify the WatchGuard Authentication policy, see Use
Authentication to Restrict Incoming Traffic on page 581.
Set Global Firewall Authentication Values
When you configure your global authentication settings, you can configure the global values for firewall
authentication, such as timeout values, user login session limits, and authentication page redirect
settings. You can also enable Single Sign-On (SSO), and configure settings for Terminal Services. For
more information, see the topics Enable Single Sign-On (SSO) and Configure Terminal Services
Settings.
If you configure user login session limits for individual users or groups, the limits set for a group and for
a user override the global setting.
If your device runs Fireware XTM v11.0–v11.3.x, the Authentication Settings for
Terminal Services are not available.
Specify Firewall Authentication Settings
To configure Firewall Authentication settings:
1. Open Policy Manager.
2. Select Setup > Authentication > Authentication Settings.
The Authentication Settings dialog box appears with the Firewall Authentication tab selected by
default.
3. Configure authentication settings as described in the subsequent sections.
4. Click OK.
Set Global Authentication Timeouts
You can set the time period that users remain authenticated after they close their last authenticated
connection. This timeout is set either in the Authentication Settings dialog box, or in the Setup
Firebox User dialog box.
For more information about user authentication settings and the Setup Firebox User dialog box, see
Define a New User for Firebox Authentication on page 636.
For users authenticated by third-party servers, the timeouts set on those servers also override the
global authentication timeouts.
Global authentication timeout values for Firewall Authentication do not override the individual user
authentication timeout settings for Mobile VPN with PPTP and Mobile VPN with L2TP users.
Session Timeout
The maximum length of time the user can send traffic to the external network. If you set this
field to zero (0) seconds, minutes, hours, or days, the session does not expire and the user can
stay connected for any length of time.
Idle Timeout
The maximum length of time the user can stay authenticated when idle (not passing any traffic
to the external network). If you set this field to zero (0) seconds, minutes, hours, or days, the
session does not time out when idle and the user can stay idle for any length of time.
Allow Unlimited Concurrent Login Sessions
You can allow more than one user to authenticate with the same user credentials at the same time, to
one authentication server. This is useful for guest accounts or in laboratory environments. When the
second user logs in with the same credentials, the first user authenticated with the credentials is
automatically logged out. If you do not allow this feature, a user cannot authenticate to the
authentication server more than once at the same time.
In the Authentication Settings dialog box:
Select Allow unlimited concurrent firewall authentication logins from the same account.
For Mobile VPN with IPSec and Mobile VPN with SSL users, concurrent logins from the same account
are always supported regardless of whether this option is selected. These users must log in from
different IP addresses for concurrent logins, which means that they cannot use the same account to
log in if they are behind an XTM device that uses NAT. Mobile VPN with PPTP and Mobile VPN with
L2TP users do not have this restriction.
Limit Login Sessions
From the Authentication Settings dialog box, you can limit your users to a specific number of
authenticated sessions. If you select this option, you can specify the number of times your users can
use the same credentials to log in to one authentication server from different IP addresses. When a
user is authenticated and tries to authenticate again, you can select whether the first user session is
terminated when a subsequent session is authenticated, or if the subsequent sessions are rejected.
1. Select Limit concurrent user sessions to.
2. In the text box, type or select the number of allowed concurrent user sessions.
3. From the drop-down list, select an option:
• Reject subsequent login attempts
• Allow subsequent login attempts and logoff the first session.
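The Session Timeout, Idle Timeout and Limit Login Sessions rules described above, as an added Python model of the session table that enforces them. This is example code written here, not WatchGuard code; the SessionTable class, its limit and on_excess parameters, the (user name, IP address) session key and the sample users and addresses are constructed, and all times are plain integer seconds.

```python
"""Model of the firewall authentication session rules from the Authentication
Settings: Session Timeout, Idle Timeout, and "Limit concurrent user sessions to".

Added example, not WatchGuard code. Times are integer seconds; the session
key (user name, IP address) and the sample values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    user: str
    ip: str
    started: int        # time the user authenticated
    last_traffic: int   # time of the last traffic seen from this session


class SessionTable:
    """In-memory table of authenticated (user name, IP address) sessions."""

    def __init__(self, session_timeout: int, idle_timeout: int,
                 limit: Optional[int] = 1, on_excess: str = "reject"):
        # As in the dialog box, a timeout of 0 means the session never expires.
        # limit=None models "Allow unlimited concurrent ... logins";
        # limit=N with on_excess "reject" or "logoff_first" models
        # "Limit concurrent user sessions to" and its drop-down list.
        if on_excess not in ("reject", "logoff_first"):
            raise ValueError("on_excess must be 'reject' or 'logoff_first'")
        self.session_timeout = session_timeout
        self.idle_timeout = idle_timeout
        self.limit = limit
        self.on_excess = on_excess
        self._sessions: Dict[Tuple[str, str], Session] = {}

    def sessions_for(self, user: str) -> List[Session]:
        """Live sessions for one account, oldest first."""
        return sorted((s for s in self._sessions.values() if s.user == user),
                      key=lambda s: s.started)

    def login(self, user: str, ip: str, now: int) -> Tuple[bool, str]:
        """Handle a successful portal login. Returns (accepted, reason)."""
        self.expire(now)
        if (user, ip) in self._sessions:
            # Assumption: a repeat login from the same IP address refreshes the
            # session rather than counting as a second concurrent session.
            self._sessions[(user, ip)] = Session(user, ip, now, now)
            return True, "session refreshed"
        existing = self.sessions_for(user)
        if self.limit is not None and len(existing) >= self.limit:
            if self.on_excess == "reject":
                return False, f"rejected: {user} already has {len(existing)} session(s)"
            oldest = existing[0]               # "logoff the first session"
            del self._sessions[(oldest.user, oldest.ip)]
        self._sessions[(user, ip)] = Session(user, ip, now, now)
        return True, "session created"

    def logout(self, user: str, ip: str) -> bool:
        """Logout from the portal, or Log Off User in Firebox System Manager."""
        return self._sessions.pop((user, ip), None) is not None

    def _expired(self, s: Session, now: int) -> Optional[str]:
        if self.session_timeout and now - s.started >= self.session_timeout:
            return "session timeout"
        if self.idle_timeout and now - s.last_traffic >= self.idle_timeout:
            return "idle timeout"
        return None

    def expire(self, now: int) -> List[Tuple[str, str, str]]:
        """Close timed-out sessions; returns (user, ip, reason) for each."""
        closed = []
        for key, s in list(self._sessions.items()):
            reason = self._expired(s, now)
            if reason:
                del self._sessions[key]
                closed.append((s.user, s.ip, reason))
        return closed

    def allow_traffic(self, user: str, ip: str, now: int) -> bool:
        """True if traffic from (user, ip) is covered by a live session.

        The session is bound to the IP address the user authenticated from,
        so traffic from another address is not matched to it.
        """
        s = self._sessions.get((user, ip))
        if s is None:
            return False
        if self._expired(s, now):
            del self._sessions[(user, ip)]
            return False
        s.last_traffic = now
        return True
```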
Specify the Default Authentication Server in the Authentication Portal
When your users log in to the Authentication Portal, they must select which authentication server to
use for authentication. Users can select from any of the authentication servers you have enabled. By
default, the first server in the list is Firebox-DB. You can change this setting so another enabled
authentication server is first in the list of authentication servers. This is helpful if you want your users to
authenticate with a server other than Firebox-DB.
To select the default authentication server:
From the Default authentication server on the authentication page drop-down list, select an
authentication server.
For example, if you want your users to authenticate to your Active Directory server named
Home AD, select Home AD from the drop-down list.
Automatically Redirect Users to the Authentication Portal
If you require your users to authenticate before they can get access to the Internet, you can choose to
automatically send users who are not already authenticated to the authentication portal, or have them
manually navigate to the portal. This applies only to HTTP and HTTPS connections.
Automatically redirect users to the authentication page
When you select this check box, all users who have not yet authenticated are automatically
redirected to the authentication portal when they try to get access to the Internet. If you do not
select this check box, unauthenticated users must manually navigate to the authentication
portal to log in.
For more information about user authentication, see User Authentication Steps on page 578.
Redirect traffic sent to the IP address of the XTM device to this host name
Select this check box to specify a host name for the page where your users are redirected,
when you choose to automatically redirect users to the authentication portal. Type the host
name in the text box.
Make sure that the host name matches the Common Name (CN) from the web server
certificate. This host name must be defined in the DNS settings for your organization, and it must
resolve to the IP address of your XTM device.
If you have users who must manually authenticate to the authentication portal, and you use SSO, you
can add an SSO exception for those users to reduce the amount of time it takes for them to
authenticate. For more information about SSO exceptions, see Enable Single Sign-On (SSO).
Use a Custom Default Start Page
When you select the Automatically redirect users to authentication page check box to require your
users to authenticate before they can get access to the Internet, the Authentication portal
automatically appears when a user opens a web browser. If you want the browser to go to a different
page after your users successfully log in, you can define a redirect.
From the Authentication Settings dialog box:
1. Select the Send a redirect to the browser after successful authentication check box.
2. In the text box, type the URL of the web site where users are redirected.
Set Management Session Timeouts
Use these options to set the time period that a user who is logged in with read/write privileges remains
authenticated before the XTM device terminates the session.
Session Timeout
The maximum length of time the user can send traffic to the external network. If you select zero
(0) seconds, minutes, hours, or days, the session does not expire and the user can stay
connected for any length of time.
Idle Timeout
The maximum length of time the user can stay authenticated when idle (not passing any traffic
to the external network). If you select zero (0) seconds, minutes, hours, or days, the session
does not expire when the user is idle, and the user can stay idle for any length of time.
About Single Sign-On (SSO)
When users log on to the computers in your network, they must give a user name and password. If you
use Active Directory authentication on your XTM device to restrict outgoing network traffic to specified
users or groups, your users must also complete an additional step: they must manually log in again to
authenticate to the XTM device and get access to network resources or the Internet. To simplify the log
in process for your users, you can use Single Sign-On (SSO). With SSO, your users on the trusted or
optional networks provide their user credentials one time (when they log on to their computers) and are
automatically authenticated to your XTM device.
The WatchGuard SSO Solution
The WatchGuard SSO solution includes these components: SSO Agent, the SSO Client, the Event
Log Monitor, and the Exchange Monitor.
About the SSO Agent
To use SSO, you install the SSO Agent on a server in your network. This server can be the domain
controller computer for your domain, or another domain member server in your network. When you
install the SSO Agent on the domain controller, it enables the SSO Agent to run as a domain user
account with Domain Admin privileges. With these privileges, when users try to authenticate to your
domain, the SSO Agent can query the SSO Client on the client computer, the Event Log Monitor, or the
Exchange Monitor for the correct user credentials, and provide those user credentials to your
XTM device. When you install the SSO Agent, make sure that it runs as a user with Domain Admin
privileges.
About the SSO Client
When you install the SSO Client software on your Windows or Mac OS X client computers, the SSO
Client receives the call from the SSO Agent and returns the user name, group membership information
and domain name for the user who is currently logged in to the computer.
About the Event Log Monitor
If you do not want to install the SSO Client on each client computer, you can instead install the Event
Log Monitor on a server in each domain in your network. This can be the domain controller or another
domain member server. You then configure the SSO Agent to get user login information from the Event
Log Monitor. This is known as clientless SSO. With clientless SSO, the Event Log Monitor collects
user login information from the Windows security event log files on each client computer. The Event
Log Monitor uses the login information to get the group membership information for each user from the
domain controller. It then stores the user credentials and user group information for each user. When
you install the Event Log Monitor, make sure that it runs as a user with Domain Admin privileges.
User Guide
589
Authentication
When the SSO Agent contacts the Event Log Monitor for user credentials, the Event Log Monitor
contacts the client computer over TCP port 445 to get the user logon credentials, retrieves the stored
user group membership information from the domain controller, and provides this information to the
SSO Agent. The Event Log Monitor continues to poll the client computer every five seconds to monitor
logon and logoff events, and connection abort issues. Any connection errors are recorded in the
eventlogmonitor.log file in the WatchGuard > Authentication Gateway directory on the server where
the Event Log Monitor is installed.
If you have one domain that you use for SSO, you can install the Event Log Monitor on the same server
or domain controller where you install the SSO Agent. If you have more than one domain, you must
install one instance of the Event Log Monitor in each domain, but you only install one instance of the
SSO Agent for your entire network. The Event Log Monitor does not have to be installed on the domain
controller computer; it can be installed on any domain member server in that domain. The Event Log
Monitor must run as a user account in the Domain Admins group so it can get the user credentials.
About the Exchange Monitor
For your users with computers that run Windows or Mac OS X, or your users with mobile devices that
run iOS, Android, or Windows mobile operating systems, you can use the Exchange Monitor to get
user credentials and login information for SSO. To use the Exchange Monitor to get user login
information, you must install the Exchange Monitor on the same server where your Microsoft
Exchange Server is installed. This Exchange Server must generate IIS and RPC client access log
messages. Because Microsoft Exchange authenticates users against your Active Directory server, the
user names in the IIS and RPC client access log messages are domain accounts, and the Exchange
Monitor can use them directly as the user credentials for SSO. When a user successfully connects to
the Exchange Server to download email, the Exchange Monitor records the logon and logoff events for
the user, and gives the event information to the SSO Agent.
When a client computer connects to a Microsoft Exchange server, the IIS service on the Exchange
server records a log entry of the user logon event. To get the credentials for your users for SSO, the
Exchange Monitor verifies the logon and logoff events with the IIS service and keeps a list of all
currently active users. The Exchange Monitor queries the IIS service every three seconds to make
sure user information is current. When the SSO Agent contacts the Exchange Monitor, the Exchange
Monitor sends its list of active users to the SSO Agent. If the user is listed as logged in to the Exchange server, the SSO
Agent notifies the XTM device that the user is currently logged in, and the user is authenticated. If the
user is not included in the list of logged in users, the SSO Agent notifies the XTM device that the user
is not found in the list of active users, and the user is not authenticated.
The SSO Exchange Monitor is supported for use with only Microsoft Exchange 2003,
2007, or 2010.
For more information about how to configure the SSO Agent to use the Event Log Monitor and the
Exchange Monitor, see Configure the SSO Agent on page 598.
How SSO Works
For SSO to work, you must install the SSO Agent software. The SSO Client software is optional and is
installed on each client computer. The Event Log Monitor is optional, and is installed on a member
server or domain controller in each of your domains. The Exchange Monitor is also optional, and is
installed on the computer where your Microsoft Exchange Server is installed. When the SSO Client,
the Event Log Monitor, or the Exchange Monitor software is installed, and the SSO Agent contacts a
SSO component for user credentials, either the SSO Client, Event Log Monitor, or Exchange Monitor
sends the correct user credentials and group membership information to the SSO Agent. When you
configure the settings for the SSO Agent, you can specify which SSO component (SSO Client, Event
Log Monitor, or Exchange Monitor) the SSO Agent queries first. For SSO to work correctly, you must
either install the SSO Client on all your client computers, or use either the Event Log Monitor or
Exchange Monitor to get correct user information.
If the SSO Client, the Event Log Monitor, and the Exchange Monitor are not available, to get the user
credentials, the SSO Agent makes a NetWkstaUserEnum call to the client computer over TCP port
445. It then uses the information it gets to authenticate the user for Single Sign-On. The SSO Agent
uses only the first answer it gets from the computer, and reports that user to the XTM device as the
user that is logged on; any other accounts with sessions on the same computer are not reported. The
XTM device checks the user information against all the defined policies for that user and/or user
group at one time. The SSO Agent caches this data for about 10 minutes by default, so that a query
does not have to be generated for every connection.
For examples of how the SSO Agent can contact the other SSO components for user information, see
the Example Network Configurations for SSO section.
SSO Component Compatibility
The components of the WatchGuard SSO solution offer configuration flexibility to enable all of your
Windows, Mac OS X, and mobile users to have a seamless authentication experience. The options for
the SSO components that you can use with your computers or mobile device platforms include:
SSO Component          Windows   Mac OS X   iOS   Android
SSO Agent (1)          Yes       Yes        Yes   Yes
SSO Client (2)         Yes       Yes        -     -
Event Log Monitor      Yes       -          -     -
Exchange Monitor (3)   Yes       Yes        Yes   Yes

Yes = the component can provide SSO login information for users on that platform.

(1) Though the SSO Agent can be used with all supported platforms, it must be installed only on a Windows server or your
domain controller.
(2) The SSO Client is available in two versions: Windows and Mac OS X.
(3) Though you can use Exchange Monitor for your users with Windows computers, we recommend that Exchange Monitor
only be used for users with Mac OS X or mobile devices.
Example Network Configurations for SSO
This first diagram shows one possible configuration for a network with a single domain. The SSO
Agent and the Event Log Monitor are installed on the domain controller, the Exchange Monitor is
installed on the Microsoft Exchange server, and the SSO Client is installed on the client computer.
With this configuration, you can specify whether the SSO Agent contacts the SSO Client, the Event
Log Monitor, or Exchange Monitor first.
For example, if you configure the SSO Agent to contact the SSO Client first, the Event Log Monitor
second, and the Exchange Monitor third, and the SSO Client is not available, the SSO Agent next
contacts the Event Log Monitor for the user credentials and group information. If the client computer is
a Mac OS X or mobile device, the SSO Agent contacts the Exchange Monitor for the user login and
logoff information.
The SSO Agent and the Event Log Monitor do not have to be installed on the domain controller. You
can also install both the SSO Agent and the Event Log Monitor on another computer on the same
domain, as long as they both run as a user account in the Domain Admins group.
The second diagram shows one possible configuration of a network with two domains. The SSO Agent
is installed on only one domain controller in your network, the SSO Client is installed on each client
computer, the Event Log Monitor is installed on a Windows member server in each domain in your
network, and the Exchange Monitor is installed on your Microsoft Exchange Server. With this
configuration, you can specify whether the SSO Agent contacts the SSO Clients, the Event Log
Monitors, or the Exchange Monitor first.
For example, if you configure the SSO Agent to contact the SSO Client first, the Event Log Monitor
second, and the Exchange Monitor third, and the SSO Client is not available, the SSO Agent contacts
the Event Log Monitor that is in the same domain as the client computer and gets the user credentials
and group information. If the client computer is a Mac OS X or mobile device, the SSO Agent contacts
the Exchange Monitor for the user login and logoff information.
In your network environment, if more than one person uses the same computer, we recommend that
you either install the SSO Client software on each client computer, install the Event Log Monitor in
each domain, or install the Exchange Monitor on your Exchange server. Because there are access
control limitations if you do not use the SSO Client, Event Log Monitor, or Exchange Monitor, we
recommend that you do not use SSO without the SSO Client, the Event Log Monitor, or the Exchange
Monitor.
For example, if you configure SSO without the SSO Client, the Event Log Monitor, or the Exchange
Monitor, for services installed on a client computer (such as a centrally administered antivirus client)
that have been deployed so that users can log on with domain account credentials, the XTM device
gives all users access rights as defined by the first user that is logged on (and the groups of which that
user is a member), and not the credentials of the individual users that log on interactively. Also, all log
messages generated from user activity show the user name of the service account, and not the
individual user.
If you do not install the SSO Client, the Event Log Monitor, or the Exchange Monitor,
we recommend you do not use SSO for environments where users log on to
computers with service or batch logons. When more than one user is associated with
an IP address, network permissions might not operate correctly. This can be a
security risk.
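The following PowerShell script is an added example, not part of this guide or of the WatchGuard software. It calls the same NetWkstaUserEnum API that the SSO Agent falls back to when no SSO Client, Event Log Monitor, or Exchange Monitor is available, and lists every logon session the target computer reports, in the order the API returns them. The first entry is the identity the SSO Agent would report to the XTM device; if the list contains more than one distinct user account (for example, a service account and the interactive user), that computer is exposed to the access-control problem described above. It assumes that you run it with an account that has administrative rights on the target computer (as the SSO Agent's Domain Admin account does) and that TCP port 445 is reachable; the computer name is a placeholder.

```powershell
# Added example: enumerate the logon sessions a computer reports through NetWkstaUserEnum.
# Assumes the caller has admin rights on the target computer and TCP port 445 is reachable.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class NetApi {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct WKSTA_USER_INFO_1 {
        public string wkui1_username;
        public string wkui1_logon_domain;
        public string wkui1_oth_domains;
        public string wkui1_logon_server;
    }
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int NetWkstaUserEnum(string servername, int level, out IntPtr bufptr,
        int prefmaxlen, out int entriesread, out int totalentries, ref int resumehandle);
    [DllImport("netapi32.dll")]
    public static extern int NetApiBufferFree(IntPtr buffer);
}
"@

function Get-WkstaLogonSessions {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $buf = [IntPtr]::Zero; $read = 0; $total = 0; $resume = 0
    # Level 1 returns user name, logon domain and logon server for each session.
    # prefmaxlen -1 is MAX_PREFERRED_LENGTH: the API allocates a buffer large enough for all entries.
    $rc = [NetApi]::NetWkstaUserEnum("\\$ComputerName", 1, [ref]$buf, -1, [ref]$read, [ref]$total, [ref]$resume)
    if ($rc -ne 0) { throw "NetWkstaUserEnum($ComputerName) failed, NET_API_STATUS $rc" }
    try {
        $type = [NetApi+WKSTA_USER_INFO_1]
        $size = [Runtime.InteropServices.Marshal]::SizeOf([type]$type)
        for ($i = 0; $i -lt $read; $i++) {
            $ptr = [IntPtr]($buf.ToInt64() + ($i * $size))
            $e = [Runtime.InteropServices.Marshal]::PtrToStructure($ptr, [type]$type)
            [pscustomobject]@{
                Order       = $i
                Domain      = $e.wkui1_logon_domain
                User        = $e.wkui1_username
                LogonServer = $e.wkui1_logon_server
            }
        }
    } finally {
        [void][NetApi]::NetApiBufferFree($buf)
    }
}

$target   = $env:COMPUTERNAME          # placeholder: any domain computer you can administer
$sessions = @(Get-WkstaLogonSessions -ComputerName $target)
$sessions | Format-Table -AutoSize

# The SSO Agent uses only the first answer, so this is the identity the XTM device would see.
if ($sessions.Count -gt 0) {
    "SSO fallback would report: $($sessions[0].Domain)\$($sessions[0].User)"
}
# Machine accounts (COMPUTER$) are not users; count the distinct user accounts that remain.
$distinct = @($sessions | Where-Object { $_.User -notlike '*$' } | Sort-Object Domain, User -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning ("{0} distinct user accounts have sessions on {1}; every session would inherit the " +
        "policies of the first one. Install the SSO Client or use the Event Log Monitor for this computer.") -f $distinct.Count, $target
}
```

Run the script against a computer that hosts a centrally administered service logged on with a domain account, and you will see that account listed alongside the interactive user; whichever appears first is the one the fallback method reports for all traffic from that IP address.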
If you configure multiple Active Directory domains, you can choose to use either the SSO Client, the
Event Log Monitor, or the Exchange Monitor. For more information about how to configure the SSO
Client when you have multiple Active Directory domains, see Configure Active Directory
Authentication on page 661 and Install the WatchGuard Single Sign-On (SSO) Client on page 612.
If you enable Single Sign-On, you can also use Firewall authentication to log in to the Firewall
Authentication Portal page and authenticate with different user credentials. For more information, see
Firewall Authentication on page 633.
Single Sign-On (SSO) is configured separately for the Terminal Services Agent. For more information
about the Terminal Services Agent, see Install and Configure the Terminal Services Agent on page
622.
SSO is not supported for remote desktop sessions or for terminal sessions.
Choose Your SSO Components
Because the WatchGuard SSO solution is so flexible, you have many choices available to you for your
various network access configurations. If, after you have reviewed the previous SSO Component
Compatibility section, you are unsure which components to use for your network, WatchGuard
recommends these guidelines:
n For your users with Windows — Install the SSO Client on each Windows computer, specify the
SSO Client as the primary contact, and specify the Event Log Monitor as the secondary
contact.
n For your users with Mac OS X or mobile devices — Install the SSO Client on each Mac OS X
computer, specify the SSO Client as the primary contact, and specify the Exchange Monitor as
the secondary contact.
For more information about how to set the contact priority for your SSO components, see the Configure
Clientless SSO section in Configure the SSO Agent on page 598.
Before You Begin
Before you configure SSO for your network, verify that your network configuration meets these
prerequisites:
n You must have an Active Directory server configured on a trusted or optional network.
n Your XTM device must be configured to use Active Directory authentication.
n Each user must have an account set up on the Active Directory server.
n Each user must log on to a domain account for Single Sign-On (SSO) to operate correctly. If
users log on to an account that exists only on their local computers, their credentials are not
checked and the XTM device does not recognize that they are logged in.
n Make sure that TCP port 445 (port for SMB) is open on the client computers.
n Make sure that TCP port 4116 is open on the client computers where you install the SSO Client.
n Make sure that TCP port 4114 is open on the server where you install the SSO Agent.
n Make sure that TCP port 4135 is open on the server where you install the Event Log Monitor.
n Make sure that TCP port 4136 is open on the server where you install the Exchange Monitor.
n Make sure that the Microsoft .NET Framework (v2.0–4.5 or higher) is installed on the server
where you install the SSO Agent and Exchange Monitor.
n Make sure that all computers from which users authenticate with SSO are members of the
domain with unbroken trust relationships.
n Make sure the SSO Agent, the Event Log Monitor, and the Exchange Monitor run as a user
account in the Domain Admins group.
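The following PowerShell script is an added example, not part of this guide or of the WatchGuard software. Run it on the server where you plan to install the SSO Agent; it checks the prerequisites in the list above that can be verified from there: that each port the guide names is reachable on the host that must accept it, that the server is domain-joined, that a .NET Framework is installed, and that the service account exists, is a member of Domain Admins, and has a password that never expires. The host names and the service account name are placeholders, and the script assumes the ActiveDirectory PowerShell module (part of the Remote Server Administration Tools) is installed.

```powershell
# Added example: check the SSO prerequisites from the prospective SSO Agent server.
# Placeholders (replace with your own): host names, and the service account name.
$ServiceAccount  = 'ssoagent'                 # assumed name of the Authentication Gateway service account
$ClientComputers = @('ws01.example.com')      # client computers where the SSO Client is installed
$SsoAgentServer  = 'sso01.example.com'        # where the SSO Agent will run
$EventLogMonitor = 'sso01.example.com'        # where the Event Log Monitor will run
$ExchangeServer  = 'mail01.example.com'       # where the Exchange Monitor will run
Import-Module ActiveDirectory

$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Ok; Detail = $Detail })
}

# 1. Each TCP port from the prerequisite list, tested against the host that must accept it.
$ports = @(
    @{ Host = $SsoAgentServer;  Port = 4114; Role = 'SSO Agent' },
    @{ Host = $EventLogMonitor; Port = 4135; Role = 'Event Log Monitor' },
    @{ Host = $ExchangeServer;  Port = 4136; Role = 'Exchange Monitor' }
)
foreach ($c in $ClientComputers) {
    $ports += @{ Host = $c; Port = 445;  Role = 'SMB, used by clientless SSO and the fallback query' }
    $ports += @{ Host = $c; Port = 4116; Role = 'SSO Client' }
}
foreach ($p in $ports) {
    $t = Test-NetConnection -ComputerName $p.Host -Port $p.Port -WarningAction SilentlyContinue
    Add-Check "TCP $($p.Port) on $($p.Host) ($($p.Role))" $t.TcpTestSucceeded "remote address $($t.RemoteAddress)"
}

# 2. This server must be a domain member so the services can run under a domain account.
$cs = Get-CimInstance Win32_ComputerSystem
Add-Check 'Server is domain-joined' $cs.PartOfDomain "domain $($cs.Domain)"

# 3. .NET Framework: v4.x records a Release value under NDP\v4\Full; v2.0-3.5 sets Install=1 under NDP\v3.5.
$net4  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$net35 = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5'    -ErrorAction SilentlyContinue
Add-Check '.NET Framework installed' (($net4.Release -gt 0) -or ($net35.Install -eq 1)) "v4 Release=$($net4.Release); v3.5 Install=$($net35.Install)"

# 4. Service account: exists, is a direct member of Domain Admins, password never expires.
$u = Get-ADUser -Filter "sAMAccountName -eq '$ServiceAccount'" -Properties PasswordNeverExpires, MemberOf
if ($u) {
    $daDn = (Get-ADGroup -Identity 'Domain Admins').DistinguishedName
    Add-Check "$ServiceAccount is in Domain Admins" ($u.MemberOf -contains $daDn) $daDn
    Add-Check "$ServiceAccount password never expires" $u.PasswordNeverExpires ''
} else {
    Add-Check "$ServiceAccount exists" $false 'account not found in Active Directory'
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { Write-Warning 'One or more SSO prerequisites are not met.' }
```

Test-NetConnection is available on Windows 8 / Windows Server 2012 and later. A failed port check on a client computer usually means the Windows Firewall on that computer does not allow File and Printer Sharing (for port 445) or the SSO Client's port 4116; fix it with group policy rather than on each computer.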
Set Up SSO
To use SSO, you must install the SSO Agent software. We recommend that you also use either the
Event Log Monitor, Exchange Monitor, or the SSO Client. Though you can use SSO with only the SSO
Agent, you increase your security and access control when you also use the SSO Client, the Event
Log Monitor, or the Exchange Monitor.
To set up SSO, follow these steps:
1. Install the WatchGuard Single Sign-On (SSO) Agent and Event Log Monitor (the Event Log Monitor is optional).
2. Install the WatchGuard Single Sign-On (SSO) Client (optional, but recommended).
3. Install the WatchGuard SSO Exchange Monitor (optional).
4. Enable Single Sign-On (SSO).
Install the WatchGuard Single Sign-On (SSO) Agent
To use Single Sign-On (SSO), you must install the WatchGuard Authentication Gateway, which
includes two components: the SSO Agent (mandatory) and the Event Log Monitor (optional).
The SSO Agent is a service that receives requests for Firebox authentication and checks user status
with the Active Directory server. The service runs with the name WatchGuard Authentication Gateway
on the computer where you install the SSO Agent software. This computer must have the Microsoft
.NET Framework v2.0–4.5 or later installed. You must install the SSO Agent to use Single Sign-On.
The Event Log Monitor is an optional component of the WatchGuard Authentication Gateway. If you do
not install the SSO Client on all of your client computers, we recommend that you install the Event Log
Monitor. When a logon event occurs, the Event Log Monitor polls the destination IP address (the client
computer) for the user name and domain name that was used to log in. Based on the user name
information, the Event Log Monitor gets the information about which users belong to which user
groups, and sends that information to the SSO Agent. This enables the SSO Agent to correctly identify
a user and make sure that each user can only log on from one computer at a time.
If you have more than one domain, install the SSO Agent on only one domain member server or domain
controller in your network, and install the Event Log Monitor on one member server or domain controller
in each of your domains. The SSO Agent then contacts each Event Log Monitor to get information for
the users on that domain.
When you run the installer to install only the Event Log Monitor, make sure to clear the check box for
the SSO Agent component.
To install an additional WatchGuard Authentication Gateway component on a computer where you
have already installed one component, run the installer again and select the check boxes for both the
new component you want to install and for the previously installed component. If you do not select the
check box for the previously installed component, that component will be uninstalled.
For example, if you have already installed the SSO Agent and you want to add the Event Log Monitor,
run the installer again and make sure that both SSO Agent and the Event Log Monitor check boxes are
selected. If you clear the check box for the SSO Agent, it is uninstalled.
Download the SSO Agent Software
1. Open a web browser and go to http://www.watchguard.com/.
2. Log in with your WatchGuard account user name and password.
The WatchGuard Portal appears with your portal Home page selected.
3. Select the Articles & Software tab.
The Articles & Software page appears.
4. In the Search text box, type the name of the software you want to install or the model of your
XTM device.
5. Clear the Article check box and make sure the Software Downloads check box is selected.
6. Click Go.
The Search Results page appears with a list of the available WatchGuard device models.
7. Select your XTM device model.
The Software Downloads page for the device you selected appears.
8. Download the WatchGuard Single Sign-On Agent software and save the file to a convenient
location.
Before You Install
The WatchGuard Authentication Gateway service must run as a user who is a member of the Domain
Admins group. We recommend that you create a new user account for this purpose and then add the
new user to the Domain Admins group. For the service to operate correctly, make sure you configure
this Domain Admin user account with a password that never expires.
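The following PowerShell script is an added example, not part of this guide or of the WatchGuard software. It creates the dedicated account described above with the two properties the service needs (Domain Admins membership and a password that never expires), then prints the account in the domain\user form the installer expects. The account name, organizational unit, and domain are placeholders; the script assumes the ActiveDirectory PowerShell module is installed and that you run it as an account permitted to create users and change Domain Admins membership.

```powershell
# Added example: create the WatchGuard Authentication Gateway service account.
# Placeholders: the account name, the OU path, and the example.com domain.
Import-Module ActiveDirectory
$name = 'ssoagent'
$ou   = 'OU=Service Accounts,DC=example,DC=com'
# Prompt for the password so it never appears in the script or in the PowerShell history.
$secret = Read-Host -AsSecureString "Password for $name"

New-ADUser -Name $name -SamAccountName $name -UserPrincipalName "$name@example.com" `
    -Path $ou -AccountPassword $secret -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'WatchGuard Authentication Gateway (SSO Agent / Event Log Monitor) service account'

Add-ADGroupMember -Identity 'Domain Admins' -Members $name

# Show what the installer's Domain User Login page needs, and confirm the two required properties.
$u    = Get-ADUser -Identity $name -Properties PasswordNeverExpires, MemberOf
$daDn = (Get-ADGroup -Identity 'Domain Admins').DistinguishedName
"Type this on the Domain User Login page: $((Get-ADDomain).NetBIOSName)\$($u.SamAccountName)"
"Password never expires: $($u.PasswordNeverExpires)"
"Member of Domain Admins: $($u.MemberOf -contains $daDn)"
```

Because this account holds Domain Admin rights with a non-expiring password, treat its password as a domain-level secret: use it only for the WatchGuard Authentication Gateway service, and review your domain controller security logs for logons by this account from any computer other than the servers where the SSO Agent and Event Log Monitor are installed.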
Before you start the SSO Agent installer, make sure that the .NET Framework v2.0–4.5 or later is
installed on the server where you intend to install the WatchGuard Authentication Gateway. If the
correct version of the .NET Framework is not installed, the SSO Agent cannot run correctly.
Install the SSO Agent and the Event Log Monitor
If you have more than one domain, make sure to install the SSO Agent on only one server in your
network and the Event Log Monitor on one server in each of your domains.
1. Double-click WG-Authentication-Gateway.exe to start the Authentication Gateway Setup
Wizard.
To run the installer on some operating systems, you might need to type a local administrator
password, or right-click and select Run as administrator.
2. To install the software, follow the instructions on each page and complete the wizard.
3. On the Select Components page, make sure to select the check box for each component to
install:
n Single Sign-On Agent
n Event Log Monitor
4. On the Domain User Login page, make sure to type the user name in the form domain\username.
Do not include the .com or .net part of the domain name.
For example, if your domain name is example.com and you use the domain account ssoagent,
type example\ssoagent.
You can also use the UPN form of the user name: ssoagent@example.com. If you use the UPN
form of the user name, you must include the .com or .net part of the domain name.
5. Click Finish to close the wizard.
When the wizard completes, the WatchGuard Authentication Gateway service starts automatically.
Each time the computer starts, the service starts automatically.
After you complete the Authentication Gateway installation, you must configure the domain settings for
the SSO Agent and Event Log Monitor. For more information, see Configure the SSO Agent on page
598.
Configure the SSO Agent
If you use multiple Active Directory domains, you must specify the domains to use for SSO (Single
Sign-On). After you have installed the SSO Agent, you can specify the domains to use for
authentication and synchronize the domain configuration with the SSO Agent. You can also specify
options to use SSO without the SSO Client. This is known as clientless SSO. You configure settings
for clientless SSO when you configure the SSO Agent. To configure the SSO Agent settings, you must
have administrator privileges on the computer where the SSO Agent is installed.
When you first launch the SSO Agent, it generates the Users.xml and AdInfos.xml configuration files.
These configuration files are encrypted and store the domain configuration details you specify when
you configure the SSO Agent.
The SSO Agent has two default accounts, administrator and status, that you can use to log in to the
SSO Agent. To make changes to the SSO Agent configuration, you must log in with the administrator
credentials. Because the default passwords are published in this guide, change the passwords for both
default accounts immediately after you log in for the first time.
The default credentials (username/password) for these accounts are:
n Administrator — admin/readwrite
n Status — status/readonly
For more information about Active Directory, see Configure Active Directory Authentication.
Log In to the SSO Agent Configuration Tool
1. Select Start > WatchGuard > WatchGuard SSO Agent Configuration Tool.
The SSO Agent Configuration Tool login dialog box appears.
2. In the User Name text box, type the administrator user name: admin .
3. In the Password text box, type the administrator password: readwrite .
The SSO Agent Configuration Tools dialog box appears.
4. Configure your SSO Agent as described in the subsequent sections.
Changes to the configuration are automatically saved.
Manage User Accounts and Passwords
After you log in for the first time, you can change the password for the default accounts. Because you
must log in with the administrator credentials to change the SSO Agent settings, make sure you
remember the password specified for the administrator account. You can also add new user accounts
and change the settings for existing user accounts. You can also use both the admin and status
accounts to open a telnet session to configure the SSO Agent.
For more information about how to use telnet with the SSO Agent, see Use Telnet to Debug the SSO
Agent.
Change a User Account Password
For the admin and status accounts, you can only change the password for the account; you cannot
change the user name.
From the SSO Agent Configuration Tools dialog box:
1. Select Edit > User Management.
The User Management Form dialog box appears.
2. Select the account to change.
For example, select admin.
3. Click Change Password.
The Change Password dialog box appears.
4. In the Password and Confirm Password text boxes, type the new password for this user
account.
5. Click OK.
Add a New User Account
From the SSO Agent Configuration Tools dialog box:
1. Select Edit > User Management.
The User Management Form appears.
2. Click Add User.
The Add User dialog box appears.
3. In the User Name text box, type the name for this user account.
4. In the Password and Confirm Password text boxes, type the password for this user account.
5. Select an access option for this account:
n Read-Only
n Read-Write
6. Click OK.
Edit a User Account
When you edit a user account, you can change only the access option. You cannot change the user
name or password for the account. To change the user name, you must add a new user account and
delete the old user account.
From the SSO Agent Configuration Tools dialog box:
1. Select Edit > User Management.
The User Management Form appears.
2. Select the account to change.
3. Click Edit User.
The Edit User dialog box appears.
4. Select a new access option for this account:
n Read-Only
n Read-Write
5. Click OK.
Delete a User Account
From the SSO Agent Configuration Tools dialog box:
1. Select Edit > User Management.
The User Management Form appears.
2. Select the account to delete.
3. Click Delete User.
The Delete User dialog box appears.
4. Verify the User Name is for the account you want to delete.
5. Click OK.
Configure Domains for the SSO Agent
To configure your SSO Agent, you can add, edit, and delete information about your Active Directory
domains. When you add or edit a domain, you must specify a user account to use to search your
Active Directory server. We recommend that you create a specific user account on your server with
permissions to search the directory and with a password that never expires.
Add a Domain
From the SSO Agent Configuration Tools dialog box:
1. Select Edit > Add Domain.
The Add Domain dialog box appears.
2. In the Domain Name text box, type the name of the domain.
For example, type my-example.com .
The domain name of your Active Directory server is case-sensitive. Make sure you type the
domain name exactly as it appears on the Active Directory tab in the Authentication Server
settings on your XTM device. For more information, see Configure Active Directory
Authentication.
3. In the NetBIOS Domain Name text box, type the NetBIOS domain name for your domain.
To find the NetBIOS domain name:
1. On the Active Directory server for the domain, select Start > Administrative
Tools > Active Directory Domains and Trusts.
2. In the list of domains, right-click your domain and select Properties.
3. Find the Domain name (pre-Windows 2000) value. This is the NetBIOS
domain name for your domain.
4. In the IP Address of Domain Controller text box, type the IP address of the Active Directory
server for this domain.
To specify more than one IP address for the domain controller, separate the IP addresses with a
semicolon, without spaces.
5. In the Port text box, type the port to use to connect to this server.
The default setting is 389.
6. In the Searching User section, select an option:
n Distinguished Name (DN) (cn=ssouser,cn=users,dc=domain,dc=com)
n User Principal Name (UPN) (ssouser@domain.com)
n Pre-Windows 2000 (netbiosDomain\ssouser)
7. In the text box, type the user information for the option you selected.
Make sure to specify a user who has permissions to search the directory on your Active
Directory server.
8. In the Password of Searching User and Confirm password text boxes, type the password
for the user you specified.
This password must match the password for this user account on your Active Directory server.
9. To add another domain, click OK & Add Next. Repeat Steps 2–8.
10. Click OK.
The domain name appears in the SSO Agent Configuration Tools list.
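The following PowerShell function is an added example, not part of this guide or of the WatchGuard software. Before you type the settings from Steps 2 through 8 into the Add Domain dialog box, it binds to the domain controller with the Searching User credentials and runs the kind of directory search the SSO Agent needs (look up a user and read its group membership), so that a wrong password, a missing search permission, or a blocked port is found here rather than in the SSO Agent log. The domain controller address, domain name, and account names are placeholders, and the base DN is derived from the DNS domain name, which is an assumption that holds for a standard Active Directory domain.

```powershell
# Added example: verify the Searching User settings for an SSO Agent domain entry.
# Placeholders: the domain controller IP address, the domain name, and the user names.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-SsoSearchUser {
    param(
        [Parameter(Mandatory)][string]$DomainController,   # Step 4: IP address of the domain controller
        [int]$Port = 389,                                   # Step 5: default port
        [Parameter(Mandatory)][string]$DomainName,          # Step 2: DNS name, for example my-example.com
        [Parameter(Mandatory)][string]$SearchUser,          # Steps 6-7: DN, UPN, or netbiosDomain\user
        [Parameter(Mandatory)][securestring]$Password,      # Step 8
        [string]$ProbeUser = 'Administrator'                # any account that must be findable by the search
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DomainController, $Port)
    $cred = New-Object System.Net.NetworkCredential($SearchUser, $Password)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred)
    # A DN can only be used with a simple (Basic) bind; UPN and netbiosDomain\user forms can use
    # Negotiate, which authenticates with Kerberos or NTLM instead of sending the password itself.
    $conn.AuthType = if ($SearchUser -match '^cn=') { 'Basic' } else { 'Negotiate' }
    $conn.SessionOptions.ProtocolVersion = 3
    try {
        $conn.Bind()
    } catch {
        return [pscustomobject]@{ Bind = $false; Search = $false; Error = $_.Exception.Message }
    }
    # Base DN from the DNS domain name: my-example.com -> DC=my-example,DC=com (assumption: standard AD naming).
    $baseDn = ($DomainName.Split('.') | ForEach-Object { "DC=$_" }) -join ','
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $baseDn, "(&(objectClass=user)(sAMAccountName=$ProbeUser))", 'Subtree',
        [string[]]@('memberOf', 'sAMAccountName'))
    try {
        $resp   = $conn.SendRequest($req)
        $found  = $resp.Entries.Count -gt 0
        $groups = @()
        if ($found) {
            $attr = $resp.Entries[0].Attributes['memberOf']
            if ($attr) { $groups = $attr.GetValues([string]) }
        }
        [pscustomobject]@{ Bind = $true; Search = $found; Error = $null; BaseDN = $baseDn; Groups = $groups }
    } catch {
        [pscustomobject]@{ Bind = $true; Search = $false; Error = $_.Exception.Message; BaseDN = $baseDn }
    } finally {
        $conn.Dispose()
    }
}

$pw = Read-Host -AsSecureString 'Password of Searching User'
Test-SsoSearchUser -DomainController '10.0.0.10' -DomainName 'my-example.com' `
    -SearchUser 'my-example\ssouser' -Password $pw | Format-List
```

Bind = True with Search = False means the account authenticates but cannot read the directory, which is the permission Step 7 requires. Note that in this test the DN form uses a simple bind, which sends the password unencrypted on port 389; this guide does not state which bind method the SSO Agent itself uses for each form, so if you choose the DN form, confirm with a packet capture between the SSO Agent and the domain controller, and otherwise prefer the UPN or pre-Windows 2000 form.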
Edit a Domain
When you edit an SSO domain, you can change all the settings except the domain name. If you want
to change the domain name, you must delete the domain and add a new domain with the correct name.
From the SSO Agent Configuration Tools dialog box:
1. Select the domain to change.
2. Select Edit > Edit Domain.
The Edit Domain dialog box appears.
3. Update the settings for the domain.
4. Click OK.
Delete a Domain
From the SSO Agent Configuration Tools dialog box:
1. Select the domain to delete.
2. Select Edit > Delete Domain.
A confirmation message appears.
3. Click Yes.
Configure Clientless SSO
If the SSO Client is not installed or is not available, you can configure the SSO Agent to use clientless
SSO to get user login information from the Event Log Monitors or Exchange Monitors. The Event Log
Monitors are also installed on one domain member server in each domain. The Exchange Monitor is
installed on the same computer where your Microsoft Exchange Server is installed.
If you use the Event Log Monitor, when a user tries to authenticate, the SSO Agent sends the
IP address of the client computer to the Event Log Monitor. The Event Log Monitor then uses this
information to query the client computer over TCP port 445 and retrieve the user credentials from the
Windows security event log file on the client computer. The Event Log Monitor gets the user
credentials from the client computer and contacts the domain controller to get the user group
information for the user. The Event Log Monitor then provides this information to the SSO Agent.
If you do not install the SSO Client on your user's computers, make sure the Event Log Monitor is the
first entry in the SSO Agent Contacts list. If you specify the SSO Client as the primary contact, but
the SSO Client is not available, the SSO Agent queries the Event Log Monitor next, but this can cause
a delay.
For users with devices that run Mac OS X 10.6 and higher, iOS, or Android platforms, you can use the
Exchange Monitor to get login information for those users. Because the Exchange Monitor is installed
on the same computer where your Microsoft Exchange Server is installed, the Exchange Monitor
tracks the domain accounts log on/log off actions for each user and notifies the SSO Agent in real-time
of these events.
After you install the SSO Agent, you must add the domain information of the domains where the Event
Log Monitors and Exchange Monitors are installed to the SSO Agent configuration in the Contact
Domains list. If you have only one domain and the SSO Agent is installed on the domain controller, or
if you have more than one domain and the Event Log Monitor and Exchange Monitor are on the same
domain as the SSO Agent, you do not have to specify the domain information for the domain controller
in the SSO Agent configuration Contact Domains list. If you have more than one Event Log Monitor or
Exchange Monitor in the Contact Domains list, the SSO Agent queries the first entry in the list for the
user credentials and group information. If the first Event Log Monitor or Exchange Monitor is not
available, the SSO Agent contacts the next monitor in the list. This process continues until the SSO
Agent finds an available monitor.
For more information about how to install the Event Log Monitor and Exchange Monitor, see Install the
WatchGuard Single Sign-On (SSO) Agent on page 596.
Before you configure and enable the settings for clientless SSO, you must make sure the client
computers on your domain have TCP port 445 open (or have File and Printer Sharing enabled), and have
the correct group policy configured to enable the Event Log Monitor to get information about user login
events. If this port is not open or the correct policy is not configured, the Event Log Monitor cannot
get login or group information and SSO does not work properly.
On your domain controller computer:
1. Open the Group Policy Object Editor and edit the Default Domain Policy.
2. Make sure the Audit Policy (Computer Configuration > Windows Settings > Security
Settings > Local Policies > Audit Policy) has the Audit account logon events and Audit
logon events policies enabled.
3. At the command line, run the command gpupdate /force /boot .
When the command runs, this message string appears:
Updating Policy… User Policy update has completed successfully. Computer
Policy update has completed successfully.
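The following PowerShell script is an added example, not part of this guide or of the WatchGuard software. Run it on a client computer after the group policy update to confirm that the audit settings above are in effect there and that the Windows Security log actually contains the domain logon events the Event Log Monitor reads. This guide does not name the event IDs the Event Log Monitor parses; the script assumes event ID 4624, the standard Windows logon-success event, and uses its logon type field to flag the case the earlier warning describes: a service or batch logon with a domain account on the same computer as an interactive user.

```powershell
# Added example: verify audit policy and inspect Security-log logon events on a client computer.
# Assumption: the Event Log Monitor reads the standard 4624 (logon) events; the guide does not say.

# 1. Effective audit policy on this computer. auditpol /r prints CSV with an "Inclusion Setting" column.
$audit = auditpol /get /subcategory:"Logon","Logoff","Credential Validation" /r |
    Where-Object { $_ -ne '' } | ConvertFrom-Csv
foreach ($a in $audit) {
    if ($a.'Inclusion Setting' -notmatch 'Success') {
        Write-Warning "Audit subcategory '$($a.Subcategory)' is '$($a.'Inclusion Setting')'; Success auditing is required."
    }
}

# 2. Recent logon events with the fields clientless SSO depends on: domain, user, and how they logged on.
$logonTypeNames = @{ 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock';
                     10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }
function Get-SsoLogonEvents {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the event data by name from the event XML rather than by positional index.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        $typeName = $logonTypeNames[[int]$d.LogonType]
        if (-not $typeName) { $typeName = "Type$($d.LogonType)" }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Domain    = $d.TargetDomainName
            User      = $d.TargetUserName
            LogonType = $typeName
            Source    = $d.IpAddress
        }
    }
}

# Machine accounts (NAME$) and anonymous logons are not users the XTM device should see.
$events = @(Get-SsoLogonEvents -Hours 24 | Where-Object { $_.User -notlike '*$' -and $_.User -ne 'ANONYMOUS LOGON' })
$events | Sort-Object Time -Descending | Format-Table -AutoSize
if ($events.Count -eq 0) { Write-Warning 'No 4624 logon events found; check the audit policy and rerun gpupdate /force /boot.' }

# 3. The case the guide warns about: service or batch logons sharing a computer with interactive users.
$serviceLike = @($events | Where-Object { $_.LogonType -in 'Batch', 'Service' } |
    Select-Object -ExpandProperty User -Unique)
$interactive = @($events | Where-Object { $_.LogonType -in 'Interactive', 'RemoteInteractive', 'CachedInteractive', 'Unlock' } |
    Select-Object -ExpandProperty User -Unique)
if ($serviceLike.Count -gt 0 -and $interactive.Count -gt 0) {
    Write-Warning ("Service/batch logons ({0}) share this computer with interactive users ({1}); " +
        "install the SSO Client here so the interactive user is reported.") -f ($serviceLike -join ', '), ($interactive -join ', ')
}
```

Run the script as an administrator on the client computer; reading the Security log requires it. If the 4624 events are present but the Event Log Monitor still does not find users, the remaining causes are TCP port 445 being blocked by the client's firewall or the Event Log Monitor account lacking Domain Admin rights.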
You can add, edit, and delete domain information for clientless SSO. For each domain name that you
add, you can specify more than one IP address for the domain controller. If the Event Log Monitor
cannot contact the domain controller at the first IP address, it tries to contact the domain controller at
the next IP address in the list.
From the SSO Agent Configuration Tools dialog box:
1. Select Edit > Clientless SSO.
The Clientless SSO Settings dialog box appears.
2. In the SSO Agent Contacts list, select the check box for each contact for the SSO Agent:
n SSO Client
n Event Log Monitor
n Exchange Monitor
3. To change the order of the SSO Agent Contacts, select a contact and click Up or Down.
You cannot change the position of the Exchange Monitor.
4. Add, edit, or delete a contact domain, as described in the subsequent sections.
5. Click OK to save your settings.
Add a Contact Domain
You can specify one or more domains for the Event Log Monitor or the Exchange Monitor to contact for
user login information.
When you add a domain for the Exchange Monitor, you must specify the IP addresses and the session
check interval for the Microsoft Exchange server. The session check interval specifies the amount of
time before the Exchange Monitor logs off a user that does not appear in the IIS log messages on your
Exchange server as active. The default setting is 40 minutes. You must specify an interval of at least 5
minutes.
Add a Contact Domain for the Event Log Monitor
From the Clientless SSO Settings dialog box:
1. Click Add.
The Domain Settings dialog box appears.
2. For the Type option, select Event Log Monitor.
3. In the Domain Name text box, type the name of the domain that you want the Event Log
Monitor to contact for user credentials.
You must type the name in the format domain.com .
4. In the IP Addresses of Domain Controller text box, type the IP addresses for the
domain.
To specify more than one IP address for the domain controller, separate the IP addresses
with a semicolon, without spaces.
5. Click OK.
The domain information you specified appears in the Contact Domains list.
Add a Contact Domain for the Exchange Monitor
From the Clientless SSO Settings dialog box:
1. Click Add.
The Domain Settings dialog box appears.
2. For the Type option, select Exchange Monitor.
3. In the Domain Name text box, type the name of the domain that you want the Exchange
Monitor to contact for user credentials.
You must type the name in the format domain.com .
4. In the IP Addresses of Microsoft Exchange Server text box, type the IP addresses for
the domain.
To specify more than one IP address for the Exchange server, separate the IP addresses
with a semicolon, without spaces.
5. To change the Session Check Interval setting from the default setting of 40 minutes, type
or select a new interval.
6. Click OK.
The domain information you specified appears in the Contact Domains list.
Edit a Contact Domain
From the Clientless SSO Settings dialog box:
1. From the Contact Domains list, select the domain to change.
2. Click Edit.
The Event Log Monitor Settings dialog box appears.
3. Update the settings for the domain.
4. Click OK.
Delete a Domain
From the Clientless SSO Settings dialog box:
1. From the Contact Domains list, select the domain to delete.
2. Click Delete.
The domain is removed from the list.
Test the SSO Port Connection
To verify that the SSO Agent can contact the Event Log Monitor and the Exchange Monitor, you can
use the SSO Port Tester tool. With the SSO Port Tester tool, you can verify whether the SSO Agent
can contact a server at a single IP address, or servers at multiple IP addresses or a range of IP
addresses. To verify the connection for a single IP address or multiple IP addresses, rather than a
range of addresses, you import a plain text file that includes the IP addresses to test. You can also
specify the ports to test and the connection timeout interval.
From the Clientless SSO Settings dialog box:
1. Click Test SSO Port.
The SSO Port Tester dialog box appears.
2. In the Specify IP Addresses section, select an option:
n IP Address Range
n Import IP Addresses
3. If you selected IP Address Range, in the IP Address Range text boxes, type the range of IP
addresses to test.
If you selected Import IP Addresses, click
and navigate to select the plain text file with the
list of IP addresses to test.
4. In the Ports text box, type the port numbers to test.
To test more than one port, type each port number, separated by a comma, without spaces.
5. Click Test.
The results of the port test appear in the SSO Port Tester window.
6. To save the test results in a log file, click Save log and specify the file name and location to
save the log file.
7. To stop the port tester tool process, click Quit.
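The checks in the two procedures above (the semicolon-separated domain controller list with failover to the next address, and the SSO Port Tester with its address range, import file, port list and timeout) scripted in Python, as an added example that is not WatchGuard code. The 192.0.2.1 address and the loopback listener in run_demo are constructed so the example runs offline; against a real deployment you would pass the domain controller, SSO Agent (TCP 4114) or Exchange Monitor (TCP 4136) addresses instead.

```python
"""Added example (not WatchGuard code): the connectivity checks described
above, scripted so the results can be checked rather than read off a dialog.

It covers the semicolon-separated domain-controller list with failover to the
next address, and what the SSO Port Tester does: an IP address range or a text
file of addresses, a comma-separated port list, and a connection timeout.
"""
import ipaddress
import socket
from typing import Dict, Iterable, List, Optional, Tuple


def parse_address_list(value: str) -> List[str]:
    """Parse 'ip1;ip2' as typed in the Domain Settings dialog.

    The guide requires semicolons with no spaces, so a space is rejected
    rather than silently tolerated, and each entry must be a valid address.
    """
    if " " in value:
        raise ValueError("separate IP addresses with ';' and no spaces")
    addresses = [a for a in value.split(";") if a]
    for a in addresses:
        ipaddress.ip_address(a)  # raises ValueError on a malformed entry
    return addresses


def parse_port_list(value: str) -> List[int]:
    """Parse '4114,4136' as typed in the Ports text box (commas, no spaces)."""
    if " " in value:
        raise ValueError("separate ports with ',' and no spaces")
    ports = [int(p) for p in value.split(",") if p]
    if any(not 1 <= p <= 65535 for p in ports):
        raise ValueError("port out of range")
    return ports


def expand_range(start: str, end: str) -> List[str]:
    """Expand the IP Address Range text boxes into individual host addresses."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if last < first:
        raise ValueError("range end is before range start")
    return [str(ipaddress.ip_address(n)) for n in range(int(first), int(last) + 1)]


def load_address_file(lines: Iterable[str]) -> List[str]:
    """Read the Import IP Addresses file: one address per line, blanks ignored."""
    return [ln.strip() for ln in lines if ln.strip()]


def port_is_open(host: str, port: int, timeout: float) -> bool:
    """One TCP connect with a timeout; refused, filtered and timed-out all
    count as closed, which is all the Port Tester can tell you as well."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def scan_ports(hosts: Iterable[str], ports: Iterable[int],
               timeout: float = 2.0) -> Dict[Tuple[str, int], bool]:
    """Test every host/port pair; the mapping is what you would 'Save log'."""
    ports = list(ports)
    return {(h, p): port_is_open(h, p, timeout) for h in hosts for p in ports}


def first_reachable(addresses: Iterable[str], port: int,
                    timeout: float = 2.0) -> Optional[str]:
    """Failover the way the guide describes for the Event Log Monitor: try the
    domain-controller addresses in configured order and return the first that
    accepts a connection, or None if none does."""
    for addr in addresses:
        if port_is_open(addr, port, timeout):
            return addr
    return None


def run_demo() -> Dict[str, object]:
    """Exercise the checks against a listener on the loopback interface so the
    example runs offline. 192.0.2.1 is a constructed, documentation-only
    address that never answers, which makes the failover order visible."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # nothing listens here now, so connects are refused
    try:
        hosts = expand_range("127.0.0.1", "127.0.0.1")
        results = scan_ports(hosts, [open_port, closed_port], timeout=1.0)
        target = first_reachable(["192.0.2.1", "127.0.0.1"], open_port, 0.5)
    finally:
        listener.close()
    return {
        "open_port_reachable": results[("127.0.0.1", open_port)],
        "closed_port_reachable": results[("127.0.0.1", closed_port)],
        "failover_target": target,
    }


if __name__ == "__main__":
    print(run_demo())
```

A closed result only tells you that the TCP connection was refused, filtered or timed out; it does not distinguish a host firewall from a service that is not running, so follow a failed check with the service status on the target, as the guide does for the SSO Agent before a Telnet connection.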
Use Telnet to Debug the SSO Agent
To debug your SSO Agent, you can use Telnet to connect to the SSO Agent on TCP port 4114 and run
commands to review information in the connection cache. You can also enable advanced debug
options. A list of the commands you can use in Telnet is available in the Telnet Help and in the
subsequent Telnet Commands List section.
We recommend that you only use these commands with direction from a
WatchGuard support representative.
To connect to your SSO Agent with Telnet, you must use a user account that is defined in the SSO
Agent Configuration Tool User Management settings. For more information, see Configure the SSO
Agent.
Before you begin, make sure that the Telnet Client is installed and enabled on your computer.
Open Telnet and Run Commands
To run Telnet commands, you can either open Telnet on the computer where the SSO Agent is
installed, or use Telnet to make a remote connection to the SSO Agent over TCP port 4114. Make sure
that the SSO Agent service is started before you try to connect to it with Telnet.
1. Open a command prompt.
2. At the command prompt, type telnet <IP address of SSO Agent computer> 4114 .
3. Press Enter on your keyboard.
The connection message appears.
4. To see a list of commands, type help and press Enter on your keyboard.
The list of common commands appears.
5. To run a command, type a command and press Enter on your keyboard.
Output for the command appears.
For more information about the commands you can use in Telnet, see the Telnet Commands List.
Enable Debug Logging
To send debug log messages to the log file, you must set the debug status to ON.
1. In the Telnet window, type set debug on .
2. Press Enter on your keyboard.
The message "41 OK — (verbose = False, logToFile=True)" appears.
When you enable debug logging for the SSO Agent, debug log messages for the SSO Clients
connected to the SSO Agent, and for the Event Log Monitor and Exchange Monitor, are also generated
and sent to separate log files. After the debug log messages have been sent to the log files, you can
view them to troubleshoot any issues.
For the SSO Agent:
1. Go to the debug log file directory: \Program Files\WatchGuard\WatchGuard
Authentication Gateway
2. Open the debug log file: wagsrvc.log
For the SSO Client:
1. Go to the debug log file directory: \Program Files\WatchGuard\WatchGuard
Authentication Client
2. Open a debug log file: wgssoclient_logfile.log or wgssoclient_errorfile.log
For the Event Log Monitor:
1. Go to the debug log file directory: \Program Files\WatchGuard\WatchGuard
Authentication Gateway
2. Open a debug log file: eventlogmonitor.log
For the Exchange Monitor:
1. Go to the debug log file directory: \Program Files\WatchGuard\WatchGuard
Authentication Gateway
2. Open a debug log file: exchangemonitor.log
Make sure to disable debug logging when you are finished.
1. In the Telnet window, type set debug off .
2. Press Enter on your keyboard.
Telnet Commands List
This table includes commands that you can run to help you debug the SSO Agent.
Command: help
  Telnet Message: Show help
  Description: Shows the list of all Telnet commands.

Command: login <user> <password>
  Telnet Message: Login user. Quote if space in credentials.
  Description: Type the user credentials to use to log in to the SSO Agent with Telnet.

Command: logout
  Telnet Message: Log out.
  Description: Log out of the SSO Agent.

Command: get user <IP>
  Telnet Message: Show all users logged in to <IP address> address. Ex: get user 192.168.203.107
  Description: Shows a list of all users logged in to the selected IP address.

Command: get timeout
  Telnet Message: Show the current timeout.

Command: get status
  Telnet Message: Show status about the connections.
  Description: Shows connection information used to analyze the overall load in your SSO environment.

Command: get status detail
  Telnet Message: Show connected SSO clients, pending, and processing IPs.
  Description: Shows detailed connection information used to analyze the overall load in your SSO
  environment.

Command: get domain
  Telnet Message: Show the current domain filter.
  Description: Gets information about the current domain filters from which the SSO Agent accepts
  authentication attempts.

Command: get version <IP>
  Telnet Message: Show the SSO component name, version, and build information for the IP address.
  Description: Gets information about the SSO components (SSO Agent, SSO Client, Event Log Monitor)
  that are installed at the specified IP address. The information returned includes the version and
  build numbers for each installed SSO component.

Command: get version all
  Telnet Message: Show the SSO component name, version, and build information for all the monitored
  IP addresses.
  Description: Gets information about the SSO components (SSO Client, Event Log Monitor) that are
  monitored by the SSO Agent. The information returned includes the version and build numbers for
  each installed SSO component.

Command: log off <ip>
  Telnet Message: Kill the IP session on Firebox and clear SSO EM internal cache
  Description: Ends the session of the specified IP address and removes the active session details
  for that IP address from the SSO Exchange Monitor internal cache.

Command: set domainfilter on
  Telnet Message: Turn on domain filter.
  Description: Permanently sets the domain filter to ON.

Command: set domainfilter off
  Telnet Message: Turn off domain filter.
  Description: Permanently sets the domain filter to OFF.

Command: set user
  Telnet Message: Set artificial user information (for debugging).
  Description: Changes the user information in the debug log files to a user name you select. This
  enables you to clearly track user information when you review debug log messages.

Command: set debug on
  Telnet Message: Save debug messages to a file in the same location as the .exe.
  Description: Sets debug logging on the SSO Agent to ON. This setting sends debug log messages to
  the log file, which provides detailed information for troubleshooting.
  Log file location:
  SSO Agent — \Program Files\WatchGuard\WatchGuard Authentication Gateway\wagsrvc.log
  SSO Client — \Program Files\WatchGuard\WatchGuard Authentication Client\wgssoclient_logfile.log
  and wgssoclient_errorfile.log

Command: set debug verbose
  Telnet Message: Enable additional log messages.
  Description: Includes additional log messages in the debug log files.

Command: set debug off
  Description: Sets debug logging on the SSO Agent to OFF.

Command: flush <ip>
  Telnet Message: Clear cache of <ip> address.
  Description: Deletes all authentication information about the specified IP address from the SSO
  Agent cache.

Command: flush all
  Telnet Message: Clear cache of all <ip> addresses.
  Description: Deletes all authentication information currently available on the SSO Agent.

Command: list
  Telnet Message: Return list of all IP in cache with expiration.
  Description: Shows a list of all authentication information currently available on the SSO Agent.

Command: list config
  Telnet Message: Return list of all monitoring domain configurations.
  Description: Shows a list of all domains the SSO Agent is connected to.

Command: list user
  Telnet Message: Return list of all registered users.
  Description: Shows a list of all user accounts included in the SSO Agent configuration.

Command: list eventlogmonitors
  Telnet Message: Return list of all registered Event Log Monitors.
  Description: Shows a list of all instances of the Event Log Monitor and the version of each instance.

Command: get log <IP>
  Telnet Message: Get SSO Client logs and dmp files (if have) in zip format.
  Description: Download the SSO Client log files and DMP files in a ZIP file from the specified IP
  address.

Command: get log <xxx.txt>
  Telnet Message: Same as "get log <IP>', but support multiple ip, full path of txt required and one
  ip each line in the txt file. eg: get log C:\my test\ips.txt .
  Description: Download the SSO Client log files and DMP files in a ZIP file from each IP address
  specified in the TXT file. In the TXT file, each SSO Client IP address must be on a separate line
  and the full path to the log and dmp files for each SSO Client must be specified.

Command: quit
  Telnet Message: Terminate the connection.
  Description: Closes the Telnet connection to the SSO Agent.
Install the WatchGuard Single Sign-On (SSO) Client
As a part of the WatchGuard Single Sign-On (SSO) solution, you can install the WatchGuard
SSO Client. The SSO Client installs as a service that runs under the Local System account on a
workstation to verify the credentials of the user currently logged in to that computer. When a user tries
to authenticate, the SSO Agent sends a request to the SSO Client for the user's credentials. The SSO
Client then returns the credentials of the user who is logged in to the workstation.
The SSO Client listens on TCP port 4116. When you install the SSO Client, port 4116 is automatically
opened on the workstation firewall.
If you configure multiple Active Directory domains, your users must install the SSO Client. For more
information, see Configure Active Directory Authentication on page 661.
For your users with a Windows operating system, because the SSO Client installer is an MSI file, you
can choose to force users to automatically install it on their computers when they log on to your
domain. You can use an Active Directory Group Policy to automatically install software when users log
on to your domain. For more information about software installation deployment for Active Directory
group policy objects, see the documentation for your operating system.
For your users with Mac OS X, before they can successfully use the SSO Client, they must make sure
their computers have joined the Active Directory server. For more information, see the documentation
for your Active Directory server.
Download the SSO Client Software
1. Open a web browser and go to http://www.watchguard.com/.
2. Log in with your WatchGuard account user name and password.
3. Select the Articles & Software tab.
4. Find the Software Downloads for your XTM device.
5. Download the WatchGuard Single Sign-On Client software installer file:
n For Windows computers — WG-Authentication-Client.msi
n For Mac OS X computers — WG-SSOCLIENT-MAC.dmg
6. Save the file to a convenient location.
Install the SSO Client
To install the SSO Client:
1. Double-click the SSO Client installer file you downloaded.
On some operating systems, you might need to type a local administrator password to run the
installer.
The Authentication Client Setup Wizard starts.
2. To install the software, follow the instructions on each page and complete the wizard.
3. To see which drives are available to install the client, and how much space is available on each
of these drives, click Disk Cost.
4. Click Close to exit the wizard.
When the SSO Client is installed on a Windows computer, after the wizard completes, the
WatchGuard Authentication Client service starts automatically. Each time the computer starts, the
service starts automatically.
The SSO Client for a Mac OS X computer has two components: ssodaemon.app and ssoclient.app.
After the wizard completes, ssodaemon.app and ssoclient.app start automatically. Each time the Mac
OS X computer starts, ssodaemon.app starts automatically. Then, when a user logs in to the computer
with credentials stored in your Active Directory server, ssoclient.app starts and the user can
authenticate with SSO.
Install the WatchGuard SSO Exchange Monitor
The WatchGuard SSO Exchange Monitor is an optional component of the WatchGuard SSO solution
that you can install for users who do not have the SSO Client and who use computers with Mac OS X
or mobile devices that run iOS, Android, or Windows mobile. The SSO Exchange Monitor enables the
SSO Agent to get user logon and logoff information for those users.
To use the Exchange Monitor, you must install it on the same server where your Microsoft Exchange
server is installed. The Exchange Monitor can then review the IIS service logs on your Exchange
server to get logon and logoff information for your users. When the SSO Agent contacts the Exchange
Monitor to find out if a user who wants to authenticate has a current session, the Exchange Monitor
sends the logon and logoff information for the user to the SSO Agent. The SSO Agent can then allow or
deny the user a connection to the XTM device.
System Requirements
On the computer where you install the Exchange Monitor:
n Microsoft Exchange 2003, 2007, or 2010 must be installed and configured
n Microsoft .NET Framework (v2.0–4.5 or higher) must be installed
n TCP port 4136 must be open
n Microsoft Exchange IIS logging must be enabled
Download the SSO Exchange Monitor Software
There are two installer file options for the SSO Exchange Monitor. Make sure to select the correct
installer file for your server environment:
n 64-bit servers — SSOExchangeMonitor_x64.exe
n 32-bit servers — SSOExchangeMonitor_x86.exe
To download an installer file:
1. Open a web browser and go to http://www.watchguard.com/.
2. Log in with your WatchGuard account user name and password.
The WatchGuard Portal appears with your portal Home page selected.
3. Select the Articles & Software tab.
The Articles & Software page appears.
4. In the Search text box, type the name of the software you want to install or the model of your
XTM device.
5. Clear the Article check box and make sure the Software Downloads check box is selected.
6. Click Go.
The Search Results page appears with a list of the available WatchGuard device models.
7. Select your XTM device model.
The Software Downloads page for the device you selected appears.
8. Download the correct WatchGuard Exchange Monitor installer file and save the file to a
convenient location.
Install the SSO Exchange Monitor
On the server where your Microsoft Exchange server is installed:
1. Double-click SSOExchangeMonitor_x64.exe or SSOExchangeMonitor_x86.exe to start the
installer.
To run the installer on some operating systems, you might need to type a local administrator
password, or right-click and select Run as administrator.
2. To install the software, follow the instructions on each page of the installation wizard and
complete the wizard.
3. On the Domain User Credentials page, type the domain user credentials to use for the
Exchange Monitor.
In the Domain User Name text box, make sure to type the user name in the format:
domain\username . Do not include .com or .net with the domain name.
For example, if your domain is example.com and you use the domain account ssoagent, type
example\ssoagent .
You can also use the UPN form of the user name: ssoagent@example.com . If you use the UPN
form of the user name, you must include .com or .net with the domain name.
4. Click Finish to close the wizard.
When the wizard completes, the WatchGuard Authentication Gateway service starts automatically.
Each time the computer starts, the service starts automatically.
After you complete the Authentication Gateway installation, you must configure the domain settings for
the SSO Agent and Exchange Monitor. For more information, see Configure the SSO Agent on page
598.
Enable Single Sign-On (SSO)
Before you can configure SSO, you must:
n Configure your Active Directory server
n Install the WatchGuard Single Sign-On (SSO) Agent
n Install the WatchGuard Single Sign-On (SSO) Client (Optional)
n Install the WatchGuard SSO Exchange Monitor (Optional)
If your device runs Fireware XTM v11.0–v11.3.x, the Authentication Settings for
Terminal Services are not available.
Enable and Configure SSO
To enable and configure SSO from Policy Manager:
1. Select Setup > Authentication > Authentication Settings.
The Authentication Settings dialog box appears.
2. Select the Single Sign-On tab.
3. Select the Enable Single Sign-On (SSO) with Active Directory check box.
4. In the SSO Agent IP address text box, type the IP address of your SSO Agent.
5. In the Cache data for text box, type or select the amount of time the SSO Agent caches data.
6. In the SSO Exceptions list, add or remove the IP addresses or ranges to exclude from SSO
queries.
For more information about SSO exceptions, see the Define SSO Exceptions on page 617
section.
7. Click OK to save your changes.
Define SSO Exceptions
If your network includes devices with IP addresses that do not require authentication, such as network
servers, print servers, or computers that are not part of the domain, or if you have users on your internal
network who must manually authenticate to the Authentication Portal, we recommend that you add
their IP addresses to the SSO Exceptions list. Each time a connection attempt occurs from an IP
address that is not in the SSO Exceptions list, the XTM device contacts the SSO Agent to try to
associate the IP address with a user name. This takes about 10 seconds. You can use the SSO
Exceptions list to prevent this delay for each connection, to reduce unnecessary network traffic, and
enable users to authenticate and connect to your network without delay.
When you add an entry to the SSO Exceptions list, you can choose to add a host IP address, network
IP address, subnet, host DNS name, or a host range.
To add an entry to the SSO Exceptions list:
1. Below the SSO Exceptions list, click Add.
The Add SSO Exception dialog box appears.
2. From the Choose Type drop-down list, select the type of entry to add to the SSO Exceptions
list:
n Host IPv4
n Network IPv4
n Host Range IPv4
n Host Name (DNS lookup)
3. In the Value text box, type the IP address for the type you selected.
If you selected the type Host Range, in the Value text box, type the IP address at the start of
the range.
In the To text box, type the IP address at the end of the range.
4. (Optional) In the Comment text box, type a description to include with this exception in the
SSO Exceptions list.
The Comment text box does not appear for the Host Name type.
5. Click OK.
The IP address or range appears in the SSO Exceptions list.
To modify an entry in the SSO Exceptions list:
1. From the SSO Exceptions list, select an entry.
2. Click Edit.
The Edit SSO exception IP dialog box appears.
3. Change the settings for the SSO exception.
4. Click OK.
The updated entry appears in the SSO Exceptions list.
5. Click OK.
To remove an entry from the SSO Exceptions list:
1. From the SSO Exceptions list, select an entry.
2. Click Remove.
The selected entry is removed from the SSO Exceptions list.
3. Click OK.
About SSO Log Files
When you use Telnet to enable debug logging for the main components of your WatchGuard Single
Sign-On (SSO) solution—the SSO Agent, Event Log Monitor, and Exchange Monitor—the SSO
components all generate log messages about the activity and events that occur at each component.
These log messages are saved in a log file in the installation folder where each component is installed.
To troubleshoot any problems with one of your SSO components, you can open the log files and review
the events that occurred on that component.
For more information about how to enable debug logging for your SSO components, see Use Telnet to
Debug the SSO Agent.
The default installation directory for the SSO components is:
n 64-bit servers — C:\Program Files(x86)\WatchGuard\WatchGuard Authentication Gateway
n 32-bit servers — C:\Program Files\WatchGuard\WatchGuard Authentication Gateway
The names of the log files for each SSO component are:
n SSO Agent — wagsrvc.log
n Event Log Monitor — eventlogmonitor.log
n Exchange Monitor — exchangemonitor.log
Each SSO component maintains one log file that includes the most recent log messages generated by
that component. The size of the log file is limited to 10MB. When a log file reaches the maximum size
of 10MB, it is compressed in GZIP format to approximately 1MB in size, and moved to the appropriate
archive folder for that SSO component. For each component, there can be a maximum of 30
compressed files in the archive folder. When the maximum of 30 files is reached and a new
compressed GZIP file is added to the folder, the oldest GZIP file is deleted to make room for the new
file.
In the installation directory for each component, you can find the GZIP file in these archive folders:
n SSO Agent — \agent_logs
n Event Log Monitor — \elm_logs
n Exchange Monitor — \em_logs
The name of each GZIP file uses this format: <log_file_name>_<createtime>_
<lastwritetime>.log.gz :
n SSO Agent — wagsrvc_<createtime>_<lastwritetime>.log.gz
n Event Log Monitor — eventlogmonitor_<createtime>_<lastwritetime>.log.gz
n Exchange Monitor — exchangemonitor_<createtime>_<lastwritetime>.log.gz
When the SSO component log file reaches the maximum size of 10MB, if an error occurs that does not
allow the log file to be compressed, a backup log file is instead created. The log messages in the
original log file are then moved to the backup log file. The log messages in the backup log files are
deleted when they are replaced by the log messages in the main log file, when the main log file is again
10MB in size.
Backup log files are stored in the same directory where the main log files are stored: the location where
each SSO component is installed. The names of the backup log files for each SSO component are:
n SSO Agent — wagsrvc.log.bak
n Event Log Monitor — eventlogmonitor.log.bak
n Exchange Monitor — exchangemonitor.log.bak
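The rotation rules above (10MB main log, GZIP archives named <log_file_name>_<createtime>_<lastwritetime>.log.gz, a cap of 30 archives per component, and a .bak file when compression fails) turned into an inventory script, as an added example that is not WatchGuard code. It assumes the two timestamps are digit-only strings that sort correctly as text; the guide does not state their format, and the sample file names are constructed.

```python
"""Added example (not WatchGuard code): an inventory of the SSO component log
archives, based on the rotation rules the guide gives above.

Assumption: <createtime> and <lastwritetime> in the archive names are
digit-only timestamps that sort correctly as strings; the guide does not state
the format, and the sample names below are constructed.
"""
import re
from typing import Dict, Iterable, List, NamedTuple, Optional

# Main log file name -> archive folder, exactly as the guide lists them.
COMPONENTS = {
    "wagsrvc": "agent_logs",           # SSO Agent
    "eventlogmonitor": "elm_logs",     # Event Log Monitor
    "exchangemonitor": "em_logs",      # Exchange Monitor
}
MAX_ARCHIVES = 30                      # oldest GZIP is deleted past this count
MAX_LOG_BYTES = 10 * 1024 * 1024       # a log is archived once it reaches 10MB

ARCHIVE_RE = re.compile(
    r"^(?P<component>wagsrvc|eventlogmonitor|exchangemonitor)"
    r"_(?P<create>\d+)_(?P<lastwrite>\d+)\.log\.gz$"
)


class Archive(NamedTuple):
    component: str
    create_time: str
    last_write_time: str
    file_name: str


def parse_archive_name(file_name: str) -> Optional[Archive]:
    """Return the parts of a <name>_<createtime>_<lastwritetime>.log.gz name,
    or None for anything else (the main log, a .bak file, stray files)."""
    match = ARCHIVE_RE.match(file_name)
    if not match:
        return None
    return Archive(match["component"], match["create"], match["lastwrite"], file_name)


def archives_by_component(file_names: Iterable[str]) -> Dict[str, List[Archive]]:
    """Group archive files per component, oldest first by create time."""
    grouped: Dict[str, List[Archive]] = {name: [] for name in COMPONENTS}
    for file_name in file_names:
        archive = parse_archive_name(file_name)
        if archive:
            grouped[archive.component].append(archive)
    for archives in grouped.values():
        archives.sort(key=lambda a: a.create_time)
    return grouped


def next_to_be_deleted(file_names: Iterable[str]) -> List[str]:
    """Archives beyond the 30-file cap, oldest first: the ones the component
    will drop when it adds a new GZIP file. Copy these off the server first
    if you need to keep the history."""
    doomed: List[str] = []
    for archives in archives_by_component(file_names).values():
        excess = len(archives) - MAX_ARCHIVES
        if excess > 0:
            doomed.extend(a.file_name for a in archives[:excess])
    return doomed


def rotation_state(log_size: int, has_backup: bool) -> str:
    """Describe what happened at the last rotation point, from the main log
    size and whether <name>.log.bak exists beside it. A .bak file means the
    GZIP step failed and its contents are overwritten at the next rotation."""
    if log_size >= MAX_LOG_BYTES:
        return "rotation due"
    if has_backup:
        return "compression failed at last rotation; history is only in the .bak file"
    return "normal"


# Constructed sample: 31 SSO Agent archives (one past the cap), 2 Event Log
# Monitor archives, and the non-archive files that sit in the same folders.
SAMPLE_FILE_NAMES = (
    [f"wagsrvc_201403{d:02d}0000_201403{d:02d}2359.log.gz" for d in range(1, 32)]
    + ["eventlogmonitor_201404010000_201404012359.log.gz",
       "eventlogmonitor_201404020000_201404022359.log.gz",
       "wagsrvc.log", "wagsrvc.log.bak", "eventlogmonitor.log"]
)


if __name__ == "__main__":
    for component, archives in archives_by_component(SAMPLE_FILE_NAMES).items():
        print(component, len(archives), "archives")
    print("next to be deleted:", next_to_be_deleted(SAMPLE_FILE_NAMES))
```

On a live server you would feed the script the directory listings of the three archive folders and the main log sizes; its value is in knowing, before the 31st archive appears, which day of history is about to be lost, and in flagging a .bak file whose contents will vanish at the next 10MB boundary.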
Install and Configure the Terminal Services Agent
When you have more than one user who connects to your Terminal Server or Citrix server and then
connects to your network or the Internet, it can be difficult to control the individual traffic flows from
these users based on their user names or group memberships. This is because when one user
authenticates to the XTM device, the XTM device maps that user to the IP address of the Terminal
Server or Citrix server. Then, when another user sends traffic from the Terminal Server or Citrix server
IP address, it appears to the XTM device that this traffic also came from the first user that
authenticated. There is no way for the XTM device to distinguish which of the several users who are
concurrently logged on to your Terminal Server or Citrix server generated any particular traffic.
If your device runs Fireware XTM v11.0–v11.3.x, terminal services support is not
available and the configuration settings do not appear in Policy Manager.
To make sure that your users are correctly identified, you must:
1. Install the WatchGuard Terminal Services Agent on your Terminal Server (2003, 2008, or 2012)
or Citrix server.
2. Configure your XTM device to authenticate users to the authentication portal over port 4100.
3. Enable Terminal Services settings in your XTM device configuration file.
After you complete these configuration settings, when each Terminal Server or Citrix server user
authenticates to your XTM device, the XTM device sends the Terminal Services Agent (TO Agent) a
user session ID for each user who logs in. The Terminal Services Agent monitors traffic generated by
individual users and reports the user session ID to the XTM device for each traffic flow generated by a
Terminal Server or Citrix server client. Your XTM device can then correctly identify each user and
apply the correct security policies to the traffic for each user, based on user or group names.
For more information about how to enable your XTM device to authenticate users over port 4100, see
Configure Your XTM Device as an Authentication Server on page 632 and About the WatchGuard
Authentication (WG-Auth) Policy on page 583.
When you use the Terminal Services Agent, your XTM device can enforce policies based on user or
group names only for traffic that is authenticated. If traffic comes to the XTM device without session ID
information, the XTM device manages the traffic in the same way it manages any other traffic for which
it does not have the username mapped to an IP address. If there is a policy in your configuration file
that can process traffic from that IP address, the XTM device uses that policy to process the traffic. If
there is no policy that matches the source IP address of the traffic, the XTM device uses the unhandled
packet rules to process the traffic.
For more information about how to configure settings for unhandled packets, see About Unhandled
Packets on page 928.
If you use the Terminal Services Agent, your XTM device cannot automatically redirect users to the
authentication portal.
To enable your XTM device to correctly process system related traffic from the Terminal Server or
Citrix server, the Terminal Services Agent uses a special user account named Backend-Service,
which is part of the Terminal Services Agent. The Terminal Services Agent identifies the traffic
generated by system processes (instead of user traffic) with the Backend-Service user account. You
can add this user to the Authorized Users and Groups list in your XTM device configuration and then
use it in a policy to allow traffic to and from your server. For example, you can add a custom packet
filter policy that is similar to the default Outgoing policy. Configure the policy to use the TCP-UDP
protocol and allow traffic from the Backend-Service user account to Any-External.
For more information about how to add the Backend-Service user account to your XTM device
configuration, see Use Authorized Users and Groups in Policies on page 675. Make sure to select Any
from the Auth Server drop-down list.
For more information about how to add a policy, see Add Policies to Your Configuration on page 714.
Make sure the updates on your Terminal Server or Citrix server are scheduled to run as the system,
local service, or network service user account. The Terminal Services Agent recognizes these user
accounts as the Backend-Service account and allows the traffic. If you schedule updates to run as a
different user account, that user must manually authenticate to the application portal for the server to
receive the updates. If that user is not authenticated to the authentication portal, the traffic is not
allowed and the server does not receive the update.
The Terminal Services Agent cannot control ICMP, NetBIOS, or DNS traffic. It also does not control
traffic to port 4100 for Firebox Authentication. To control these types of traffic, you must add specific
policies to your XTM device configuration file to allow the traffic.
Terminal services support is not available if your XTM device is in bridge mode or is a
member of an active/active FireCluster.
About Single Sign-On for Terminal Services
Terminal services also supports Single Sign-On (SSO) with the Terminal Services Agent. When a user
logs in to the domain, the Terminal Services Agent collects the user information (user credentials, user
groups, and domain name) from the Windows user logon event and sends it to the XTM device. The
XTM device then creates the authentication session for the user and sends the user session ID to the
Terminal Services Agent, so the user does not have to manually authenticate to the Authentication
Portal. When the user logs off, the Terminal Services Agent automatically sends the logoff information
to the XTM device, and the XTM device closes the authenticated session for that user.
Terminal Services SSO enables your users to log in once and automatically have access to your
network without additional authentication steps. With SSO for terminal services, users do not have to
manually authenticate to the Authentication Portal. Users who are logged in through terminal services
can, however, still manually authenticate with different user credentials. Manual authentication always
overrides SSO authentication.
Before You Begin
Before you install the Terminal Services Agent on your Terminal Server or Citrix server, make sure
that:
n The server operating system is Windows Server 2003 R2 or later
n Terminal services or remote desktop services is enabled on your server
n Ports 4131–4134 are open
Install the Terminal Services Agent
You can install the Terminal Services Agent on a Terminal Server or Citrix server with either a 32-bit or
a 64-bit operating system. There is one version of the Terminal Services Agent installer for both
operating systems.
To install the Terminal Services Agent on your server:
1. Log in to the WatchGuard web site and select the Articles & Software tab.
2. Find the Software Downloads for your XTM device.
3. Get the latest version of the TO Agent Installer and copy it to the server where you have
installed Terminal Services or a Citrix server.
4. Start the installer.
The TO Agent wizard appears.
5. To start the wizard, click Next.
6. Complete the wizard to install the Terminal Services Agent on your server.
7. Reboot your Terminal Server or Citrix server.
Configure the Terminal Services Agent
After you install the Terminal Services Agent on your Terminal Server or Citrix server, you can use the
TO Settings tool to configure the settings for the Terminal Services Agent.
1. Select Start > All programs > WatchGuard > TO Agent > Set Tool.
The TO Agent Settings dialog box appears, with the Destination Exception List tab selected.
2. To configure settings for the Terminal Services Agent, follow the instructions in the subsequent
sections.
3. Click Close.
Manage the Destination Exception List
Because it is not necessary for the Terminal Services Agent to monitor traffic that is not controlled by
the XTM device, you can specify one or more destination IP addresses, or a range of destination IP
addresses, for traffic that you do not want the Terminal Services Agent to monitor. This is usually
traffic that does not go through your XTM device, such as traffic that does not include a user account
(to which authentication policies do not apply), traffic within your network intranet, or traffic to your
network printers.
You can add, edit, and delete destinations for traffic that you do not want the Terminal Services Agent
to monitor.
To add a destination:
1. Select the Destination Exception List tab.
2. Click Add.
The Add Destination Exception dialog box appears.
3. From the Choose Type drop-down list, select an option:
- Host IP Address
- Network IP Address
- IP Address Range
4. If you select Host IP Address, type the IP Address for the exception.
If you select Network IP Address, type the Network Address and Mask for the exception.
If you select IP Address Range, type the Range start IP address and Range end IP address
for the exception.
5. Click Add.
The information you specified appears in the Destination Exception List.
6. To add more addresses to the Destination Exception List, repeat Steps 4–7.
To edit a destination in the list:
1. From the Destination Exception List, select a destination.
2. Click Edit.
The Destination Exception dialog box appears.
3. Update the details of the destination.
4. Click OK.
To delete a destination from the list:
1. From the Destination Exception List, select a destination.
2. Click Delete.
The selected address is removed from the list.
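The three exception types above (a host address, a network address with a mask, and a start/end range) all reduce to one question: is a given destination on the list, so the agent leaves that traffic alone? The following Python is an added example, not WatchGuard code; it models that check, and every address in it is a constructed sample value.

```python
"""Model of the Terminal Services Agent destination exception list.

Added example, not WatchGuard code. It mirrors the three exception types
the TO Settings tool offers (Host IP Address, Network IP Address with a
mask, IP Address Range). All addresses are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address


@dataclass
class DestinationExceptionList:
    hosts: set = field(default_factory=set)        # Host IP Address entries
    networks: list = field(default_factory=list)   # Network IP Address + mask
    ranges: list = field(default_factory=list)     # IP Address Range entries

    def add_host(self, ip: str) -> None:
        self.hosts.add(IPv4(ip))

    def add_network(self, address: str, mask: str) -> None:
        # strict=False also accepts a host address inside the network.
        self.networks.append(ipaddress.IPv4Network(f"{address}/{mask}", strict=False))

    def add_range(self, start: str, end: str) -> None:
        lo, hi = IPv4(start), IPv4(end)
        if hi < lo:
            raise ValueError("range end precedes range start")
        self.ranges.append((lo, hi))

    def is_excepted(self, destination: str) -> bool:
        """True when the agent should not monitor traffic to this address."""
        dst = IPv4(destination)
        return (dst in self.hosts
                or any(dst in net for net in self.networks)
                or any(lo <= dst <= hi for lo, hi in self.ranges))


def should_monitor(exceptions: DestinationExceptionList, dst: str) -> bool:
    """The agent monitors every destination that is not on the exception list."""
    return not exceptions.is_excepted(dst)


def sample_exception_list() -> DestinationExceptionList:
    """Constructed sample: a printer, the intranet subnet, and a lab range."""
    exc = DestinationExceptionList()
    exc.add_host("10.0.5.20")                       # network printer
    exc.add_network("10.0.10.0", "255.255.255.0")   # intranet file servers
    exc.add_range("10.0.20.100", "10.0.20.150")     # lab workstations
    return exc
```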
Specify Programs for the Backend-Service User Account
The Terminal Services Agent identifies traffic generated by system processes with the Backend-Service
user account. By default, this includes traffic from SYSTEM, Network Service, and Local
Service programs. You can also specify other programs with the EXE file extension that you want the
Terminal Services Agent to associate with the Backend-Service account so that they are allowed
through your firewall. For example, clamwin.exe, SoftwareUpdate.exe, Safari.exe, or ieexplore.exe.
To specify the programs for the Terminal Services Agent to associate with the Backend-Service user
account:
1. Select the Backend-Service tab.
2. Click Add.
The Open dialog box appears.
3. Browse to select a program with an EXE extension.
The path to the program appears in the Backend-Service list.
4. To remove a program from the Backend-Service list, select the program and click Delete.
The program path is removed from the list.
Set the Diagnostic Log Level and View Log Messages
You can configure the diagnostic log level for the Terminal Services Agent (TO Agent) and the TO Set
Tool applications. The log messages that are generated by each application are saved in a text file. To
see the log messages generated for the TO Agent or the TO Set Tool, you can open the log file for each
application from the Diagnostic Log Level tab.
1. Select the Diagnostic Log Level tab.
2. From the Set the diagnostic log level for drop-down list, select an application:
- TOAgent (This is the Terminal Services Agent.)
- TO Set Tool
3. Move the Settings slider to set the diagnostic log level for the selected application.
4. To see the available log files for the selected application, click View Log.
A text file opens with the available log messages for the selected application.
5. To configure settings and view log messages for the other application, repeat Steps 2–4.
For detailed steps on how to complete the Terminal Services configuration for your XTM device, see
Configure Terminal Services Settings on page 629.
Configure Terminal Services Settings
To enable your users to authenticate to your XTM device over a Terminal Server or Citrix server, you
must configure the authentication settings for terminal services. When you configure these settings,
you set the maximum length of time a session can be active and specify the IP address of your
Terminal Server or Citrix server. You can specify a maximum of 32 Terminal Services Agents in an
XTM device configuration.
If your device runs Fireware XTM v11.0–v11.3.x, terminal services is not available
and the configuration settings do not appear in Policy Manager.
When you configure the Terminal Services settings, if your users authenticate to your XTM device, the
XTM device reports the actual IP address of each user who logs in. This enables your XTM device to
correctly identify each user who logs in to your network, so the correct security policies can be applied
to each user's traffic.
You can use any of your configured authentication server methods (for example, Firebox
authentication, Active Directory, or RADIUS) with terminal services. To use Single Sign-On with
terminal services, you must use an Active Directory server.
To configure Authentication Settings for terminal services:
1. Open Policy Manager.
2. Select Setup > Authentication > Authentication Settings.
The Authentication Settings dialog box appears with the Firewall Authentication tab selected by
default.
3. Select the Terminal Services tab.
4. Select the Enable Terminal Services Support check box.
The terminal services settings are enabled.
5. In the Session Timeout text box, type or select the maximum length of time in seconds that
the user can send traffic to the external network.
If you select zero (0) seconds, the session does not expire and the user can stay connected for
any length of time.
6. To add a Terminal Server or Citrix server to the Terminal Services Agent IPs List, in the
text box, type the IP address of the server and click Add.
You can add a maximum of 32 Terminal Servers or Citrix servers to the list.
The IP address appears in the Terminal Services Agent IPs List.
7. To remove a server IP address from the Terminal Services Agent IPs List, select an
IP address in the list and click Remove.
8. Click OK.
Authentication Server Types
The Fireware XTM OS supports six authentication methods:
- XTM Device Authentication
- RADIUS Server Authentication
- VASCO Server Authentication
- SecurID Authentication
- LDAP Authentication
- Active Directory Authentication
You can configure one or more authentication server types for an XTM device. If you use more than
one type of authentication server, users must select the authentication server type from a drop-down
list when they authenticate.
About Third-Party Authentication Servers
If you use a third-party authentication server, you do not have to keep a separate user database on the
XTM device. You can configure a third-party server, install the authentication server with access to
your XTM device, and put the server behind the device for security. You then configure the device to
forward user authentication requests to that server. If you create a user group on the XTM device that
authenticates to a third-party server, make sure you create a group on the server that has the same
name as the user group on the device.
For detailed information about how to configure an XTM device for use with third-party authentication
servers, see:
- Configure RADIUS Server Authentication
- Configure VASCO Server Authentication
- Configure SecurID Authentication
- Configure LDAP Authentication
- Configure Active Directory Authentication
Use a Backup Authentication Server
You can configure a primary and a backup authentication server with any of the third-party
authentication server types. If the XTM device cannot connect to the primary authentication server
after three attempts, the primary server is marked as inactive and an alarm message is generated. The
device then connects to the backup authentication server.
If the XTM device cannot connect to the backup authentication server, it waits ten minutes, and then
tries to connect to the primary authentication server again. The inactive server is marked as active
after the specified time interval is reached.
For detailed procedures to configure primary and backup authentication servers, see the configuration
topic for your third-party authentication server.
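The failover behaviour described above (three failed attempts mark the primary inactive and raise an alarm, the backup then serves requests, and the primary is retried only after ten minutes) is modelled in the following Python. It is an added example, not WatchGuard code; the server objects and the clock value passed to each call are constructed stand-ins for the real servers and the device's timer.

```python
"""Failover between a primary and a backup authentication server.

Added example, not WatchGuard code. Three failed attempts mark the primary
inactive and raise an alarm, the backup then serves requests, and an inactive
primary is retried only after ten minutes. Servers and the clock are stand-ins.
"""
from dataclasses import dataclass, field
from typing import List

MAX_ATTEMPTS = 3       # failed attempts before the primary is marked inactive
RETRY_INTERVAL = 600   # seconds before an inactive primary is tried again


@dataclass
class AuthServer:
    name: str
    reachable: bool             # constructed stand-in for a real connection test
    active: bool = True
    inactive_since: float = -1.0
    attempts: int = 0           # connection attempts made, for inspection

    def try_connect(self) -> bool:
        self.attempts += 1
        return self.reachable


@dataclass
class AuthFailover:
    primary: AuthServer
    backup: AuthServer
    alarms: List[str] = field(default_factory=list)

    def _connect_primary(self, now: float) -> bool:
        for _ in range(MAX_ATTEMPTS):
            if self.primary.try_connect():
                return True
        self.primary.active = False          # marked inactive, alarm generated
        self.primary.inactive_since = now
        self.alarms.append(f"{self.primary.name} inactive after "
                           f"{MAX_ATTEMPTS} failed attempts at t={now:.0f}s")
        return False

    def authenticate(self, now: float) -> str:
        """Return the name of the server that handled the request, or 'none'."""
        if (not self.primary.active
                and now - self.primary.inactive_since >= RETRY_INTERVAL):
            self.primary.active = True       # interval reached: retry the primary
        if self.primary.active and self._connect_primary(now):
            return self.primary.name
        if self.backup.try_connect():        # primary inactive: use the backup
            return self.backup.name
        return "none"   # both unreachable; primary retried after the interval
```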
Configure Your XTM Device as an Authentication Server
If you do not use a third-party authentication server, you can use your XTM device as an authentication
server, also known as Firebox authentication. When you configure Firebox authentication, you create
user accounts for each user in your company, and then divide these users into groups for
authentication. When you assign users to groups, make sure to associate them by their tasks and the
information they use. For example, you can have an accounting group, a marketing group, and a
research and development group. You can also have a new employee group with more controlled
access to the Internet.
When you create a group, you set the authentication procedure for the users, the system type, and the
information they can access. A user can be a network or one computer. If your company changes, you
can add or remove users from your groups.
The Firebox authentication server is enabled by default. You do not have to enable it before you add
users and groups.
For detailed instructions to add users and groups, see Define a New User for Firebox Authentication on
page 636 and Define a New Group for Firebox Authentication on page 639.
After you add users and groups, the users you added can connect to the Authentication Portal from a
web browser on a computer or smart phone and authenticate over port 4100 to get access to your
network. For more information about how to use Firebox authentication, see Firewall Authentication.
Types of Firebox Authentication
You can configure your XTM device to authenticate users with four different types of authentication:
- Firewall Authentication
- Mobile VPN with PPTP Connections
- Mobile VPN with IPSec Connections
- Mobile VPN with SSL Connections
- Mobile VPN with L2TP Connections
When authentication is successful, the XTM device links these items:
- User name
- Firebox User group (or groups) of which the user is a member
- IP address of the computer used to authenticate
- Virtual IP address of the computer used to connect with Mobile VPN
Firewall Authentication
To enable your users to authenticate, you create user acco