WatchGuard Fireware XTM Web UI v11.8.4 User Guide
Fireware XTM Web UI 11.8 User Guide
WatchGuard XTM Devices
About this User Guide
The Fireware XTM Web UI User Guide is updated with each major product release. For minor product
releases, only the Fireware XTM Web UI Help system is updated. The Help system also includes
specific, task-based implementation examples that are not available in the User Guide.
For the most recent product documentation, see the Fireware XTM Web UI Help on the WatchGuard
web site at: http://www.watchguard.com/help/documentation/.
Information in this guide is subject to change without notice. Companies, names, and data used in
examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or
transmitted in any form or by any means, electronic or mechanical, for any purpose, without the
express written permission of WatchGuard Technologies, Inc.
Guide revised: 10/9/2013
Copyright, Trademark, and Patent Information
Copyright © 1998–2011 WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade
names mentioned herein, if any, are the property of their respective owners.
Complete copyright, trademark, patent, and licensing information can be found in the Copyright and
Licensing Guide, available online at: http://www.watchguard.com/help/documentation/
This product is for indoor use only.
About WatchGuard
WatchGuard offers affordable, all-in-one network and content security solutions that provide defense-in-depth and help meet regulatory compliance requirements. The WatchGuard XTM line combines firewall, VPN, GAV, IPS, spam blocking and URL filtering to protect your network from spam, viruses, malware, and intrusions. The new XCS line offers email and web content security combined with data loss prevention. WatchGuard extensible solutions scale to offer right-sized security ranging from small businesses to enterprises with 10,000+ employees. WatchGuard builds simple, reliable, and robust security appliances featuring fast implementation and comprehensive management and reporting tools. Enterprises throughout the world rely on our signature red boxes to maximize security without sacrificing efficiency and productivity.
ii
Address
505 Fifth Avenue South
Suite 500
Seattle, WA 98104
Support
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575
Sales
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895
For more information, please call 206.613.6600 or visit www.watchguard.com.
Table of Contents
Fireware XTM Web UI 11.8 User Guide .... 1
Introduction to Network Security .... 1
  About Networks and Network Security .... 1
  About Internet Connections .... 1
  About Protocols .... 2
  About IP Addresses .... 3
  IPv4 Addresses .... 3
  IPv6 Addresses .... 4
  About Slash Notation .... 5
  About Entering Addresses .... 6
  Static and Dynamic IP Addresses .... 6
  About DNS (Domain Name System) .... 7
  About Firewalls .... 8
  About Services and Policies .... 9
  About Ports .... 10
  The XTM Device and Your Network .... 10
Introduction to Fireware XTM .... 13
  About Fireware XTM .... 13
  Fireware XTM Components .... 14
  WatchGuard System Manager .... 14
  WatchGuard Server Center .... 15
  Fireware XTM Web UI and Command Line Interface .... 16
  Fireware XTM with a Pro Upgrade .... 17
  Fireware XTM on an XTMv Device .... 18
  XTMv Device Limitations .... 18
  Virtual Switch Configuration .... 18
  Hyper-V Virtual Adapter Configuration .... 18
  XTMv Device Installation .... 19
  FIPS Support in Fireware XTM .... 20
  About FIPS Mode .... 20
  FIPS Mode Operation and Constraints .... 20
Service and Support .... 21
  About WatchGuard Support .... 21
  LiveSecurity Service .... 21
  LiveSecurity Service Gold .... 22
  Service Expiration .... 23
Getting Started .... 25
  Before You Begin .... 25
  Verify Basic Components .... 25
  Get an XTM Device Feature Key .... 26
  Gather Network Addresses .... 26
  Select a Firewall Configuration Mode .... 27
  About the Quick Setup Wizard .... 28
  Run the Web Setup Wizard .... 29
  Connect to Fireware XTM Web UI .... 33
  Connect to Fireware XTM Web UI from an External Network .... 34
  About Fireware XTM Web UI .... 35
  Limitations of Fireware XTM Web UI .... 36
  Complete Your Installation .... 37
  Customize Your Security Policy .... 37
  About LiveSecurity Service .... 37
  Additional Installation Topics .... 38
  Connect to an XTM Device with Firefox v3 .... 38
  Identify Your Network Settings .... 39
  Set Your Computer to Connect to Your XTM Device .... 41
  Disable the HTTP Proxy in the Browser .... 43
Configuration and Management Basics .... 45
  About Basic Configuration and Management Tasks .... 45
  Make a Backup of the XTM Device Image .... 45
  Restore an XTM Device Backup Image .... 47
  Use a USB Drive for System Backup and Restore .... 48
  About the USB Drive .... 48
  Save a Backup Image to a Connected USB Drive .... 48
  Restore a Backup Image from a Connected USB Drive .... 49
  Automatically Restore a Backup Image from a USB Drive .... 49
  USB Drive Directory Structure .... 52
  Save a Backup Image to a USB Drive Connected to Your Computer .... 53
  Use a USB Drive to Save a Support Snapshot .... 53
  Reset an XTM Device .... 55
  Start an XTM Device in Safe Mode .... 55
  Reset an XTM 2 Series or XTM 33 to Factory-Default Settings .... 55
  Reset an XTMv VM to Factory-Default Settings .... 56
  Run the Setup Wizard .... 56
  About Factory-Default Settings .... 56
  About Feature Keys .... 59
  See Features Available with the Current Feature Key .... 59
  Get a Feature Key for Your XTM Device .... 61
  Manually Add a Feature Key to Your XTM Device .... 65
  Enable Automatic Feature Key Synchronization .... 68
  Restart Your XTM Device .... 69
  Restart the XTM Device Locally .... 69
  Restart the XTM Device Remotely .... 69
  Enable NTP and Add NTP Servers .... 70
  Set the Time Zone and Basic Device Properties .... 71
  About SNMP .... 72
  SNMP Polls and Traps .... 72
  Enable SNMP Polling .... 73
  Enable SNMP Management Stations and Traps .... 74
  About Management Information Bases (MIBs) .... 77
  About WatchGuard Passphrases, Encryption Keys, and Shared Keys .... 78
  Create a Secure Passphrase, Encryption Key, or Shared Key .... 78
  XTM Device Passphrases .... 80
  User Passphrases .... 80
  Server Passphrases .... 80
  Encryption Keys and Shared Keys .... 81
  Change XTM Device Passphrases .... 82
  Define XTM Device Global Settings .... 83
  Change the Web UI Port .... 84
  Automatic Reboot .... 85
  Device Feedback .... 85
  Define ICMP Error Handling Global Settings .... 86
  Configure TCP Settings .... 87
  Enable or Disable Traffic Management and QoS .... 87
  Manage Traffic Flow .... 88
  About WatchGuard Servers .... 88
  Manage an XTM Device From a Remote Location .... 90
  Configure an XTM Device as a Managed Device .... 92
  Edit the WatchGuard Policy .... 92
  Set Up the Managed Device .... 93
  Upgrade to a New Version of Fireware XTM .... 95
  Install the Upgrade on Your Management Computer .... 95
  Upgrade the XTM Device .... 95
  Downgrade Fireware XTM OS .... 97
  Use a Saved Backup Image to Downgrade .... 97
  Downgrade Without a Backup Image .... 97
  Use the Web UI to Downgrade from Fireware XTM OS v11.7 or Higher .... 98
  Download or Show the XTM Device Configuration .... 100
  Download the Configuration File .... 100
  Show the XTM Configuration Report .... 100
  About Upgrade Options .... 102
  Subscription Services Upgrades .... 102
  Appliance and Software Upgrades .... 103
  How to Apply an Upgrade .... 103
  About Subscription Services Expiration and Renewal .... 103
  Subscription Renewal Reminders .... 104
  Feature Key Compliance .... 104
  Security Service Expiration Behavior .... 104
  LiveSecurity Service .... 106
  Synchronize Subscription Renewals .... 106
  Renew Subscription Services .... 106
  Subscription Services Status and Manual Signatures Updates .... 107
Network Setup and Configuration .... 109
  About Network Interface Setup .... 109
  Network Modes .... 110
  Interface Types .... 111
  About Private IP Addresses .... 111
  About IPv6 Support .... 112
  Mixed Routing Mode .... 114
  Configure an External Interface .... 114
  Enable IPv6 for an External Interface .... 119
  Configure IPv4 DHCP in Mixed Routing Mode .... 122
  Configure a Trusted or Optional Interface .... 125
  Enable IPv6 for a Trusted or Optional Interface .... 125
  About the Dynamic DNS Service .... 134
  Configure Dynamic DNS .... 134
  Drop-In Mode .... 136
  Use Drop-In Mode for Network Interface Configuration .... 136
  Configure Related Hosts .... 137
  Configure DHCP in Drop-In Mode .... 139
  Bridge Mode .... 142
  Enable Bridge Mode .... 144
  Allow Management Access from a VLAN .... 144
  Common Interface Settings .... 145
  Disable an Interface .... 146
  Configure DHCP Relay .... 146
  Restrict Network Traffic by MAC Address .... 146
  Add WINS and DNS Server Addresses .... 147
  Add a Secondary Network IP Address .... 149
  About Advanced Interface Settings .... 152
  Network Interface Card (NIC) Settings .... 152
  Set DF Bit for IPSec .... 155
  PMTU Setting for IPSec .... 155
  Use Static MAC Address Binding .... 156
  Find the MAC Address of a Computer .... 157
  About LAN Bridges .... 157
  Create a Network Bridge Configuration .... 157
  Assign a Network Interface to a Bridge .... 159
  About Routing .... 160
  Add a Static Route .... 160
  About Virtual Local Area Networks (VLANs) .... 164
  VLAN Requirements and Restrictions .... 164
  About Tagging .... 165
  About VLAN ID Numbers .... 165
  Define a New VLAN .... 165
  Assign Interfaces to a VLAN .... 168
  About Link Aggregation .... 170
  Requirements and Limitations .... 170
  Link Aggregation Modes .... 170
  Configure Link Aggregation .... 172
  Monitor Link Aggregation Interfaces .... 177
  Network Setup Examples .... 178
  Configure Two VLANs on the Same Interface .... 178
  Configure One VLAN Bridged Across Two Interfaces .... 182
  Use the Broadband Extend or 3G Extend Wireless Bridge .... 186
Multi-WAN .... 189
  About Using Multiple External Interfaces .... 189
  Multi-WAN Requirements and Conditions .... 189
  Multi-WAN and DNS .... 190
  About Multi-WAN Options .... 191
  Round-Robin Order .... 191
  Failover .... 191
  Interface Overflow .... 192
  Routing Table .... 192
  Modem (XTM 2 Series, 3 Series or 5 Series only) .... 193
  Configure Round-Robin .... 194
  Before You Begin .... 194
  Configure the Interfaces .... 194
  Find How to Assign Weights to Interfaces .... 195
  Configure Failover .... 195
  Before You Begin .... 195
  Configure the Interfaces .... 195
  Configure Interface Overflow .... 197
  Before You Begin .... 197
  Configure the Interfaces .... 197
  Configure Routing Table .... 198
  Before You Begin .... 198
  Routing Table mode and load balancing .... 198
  Configure the Interfaces .... 198
  About the XTM Device Route Table .... 199
  When to Use Multi-WAN Methods and Routing .... 199
  Configure Modem Failover .... 200
  Enable Modem Failover .... 200
  Account Settings .... 201
  DNS Settings .... 203
  Dial-Up Settings .... 204
  Advanced Settings .... 204
  Link Monitor Settings .... 205
  About Advanced Multi-WAN Settings .... 206
  Set a Global Sticky Connection Duration .... 206
  Set the Failback Action .... 207
  Set Notification Settings .... 208
  About WAN Interface Status .... 208
  Time Needed for the XTM Device to Update its Route Table .... 208
  Define a Link Monitor Host .... 208
Network Address Translation (NAT) .... 211
  About Network Address Translation .... 211
  Types of NAT .... 212
  About Dynamic NAT .... 212
  Add Network Dynamic NAT Rules .... 214
  Configure Policy-Based Dynamic NAT .... 217
  About Dynamic NAT Source IP Addresses .... 220
  About 1-to-1 NAT .... 222
  About 1-to-1 NAT and VPNs .... 223
  Configure Firewall 1-to-1 NAT .... 223
  Configure Policy-Based 1-to-1 NAT .... 226
  Configure NAT Loopback with Static NAT .... 228
  Add a Policy for NAT Loopback to the Server .... 229
  NAT Loopback and 1-to-1 NAT .... 230
  About SNAT .... 233
  Configure Static NAT .... 233
  Configure Server Load Balancing .... 237
  1-to-1 NAT Example .... 245
Wireless XTM Device Setup .... 247
  About Wireless XTM Device Configuration .... 247
  Wireless XTM Device Configuration Options .... 249
  Before You Begin .... 249
  About Wireless Configuration Settings .... 251
  Enable/Disable SSID Broadcasts .... 252
  Change the SSID .... 252
  Log Authentication Events .... 252
  Change the Fragmentation Threshold .... 252
  Change the RTS Threshold .... 254
  About Wireless Security Settings .... 254
  Set the Wireless Authentication Method .... 254
  Use a RADIUS Server for Wireless Authentication .... 256
  Use the XTM Device as an Authentication Server for Wireless Authentication .... 257
  Set the Encryption Level .... 259
  Enable Wireless Connections to the Trusted or Optional Network .... 261
  Enable a Wireless Guest Network .... 263
  Enable a Hotspot on an XTM Wireless Access Point .... 267
  Configure Your External Interface as a Wireless Interface .... 268
  Configure the Primary External Interface as a Wireless Interface .... 268
  Configure a BOVPN tunnel for additional security .... 270
  About Wireless Radio Settings .... 271
  Country is Set Automatically .... 272
  Select the Band and Wireless Mode .... 273
  Select the Channel .... 273
  Configure the Wireless Card on Your Computer .... 274
  Rogue Access Point Detection .... 274
  Enable Rogue Access Point Detection .... 275
  Add an XTM Wireless Device as a Trusted Access Point .... 280
  Find the Wireless MAC Address of a Trusted Access Point .... 283
  Rogue Access Point Scan Results .... 283
WatchGuard AP Device Setup .... 284
  Wireless Access Point Types .... 284
  About AP Device Configuration .... 285
  SSID Configuration .... 285
  AP Device Configuration .... 286
  WatchGuard AP Device Requirements and Limitations .... 286
  Requirements .... 286
  Limitations .... 286
  Plan your Wireless AP Device Deployment .... 287
  Wireless Site Survey .... 288
  Wireless Modes and Channels .... 290
  Wireless Signal Strength and Noise Levels .... 292
  Wireless Environmental Factors .... 293
  Wireless Placement .... 294
  WatchGuard AP Device Deployment Overview .... 295
  Deploy AP Devices Without VLAN Tagging .... 296
  Deploy AP Devices With VLAN Tagging Enabled .... 299
  Configure VLANs for WatchGuard AP Devices .... 302
  When to Enable VLAN Tagging in SSIDs .... 302
  Configure VLANs on the XTM Device .... 302
  Configure VLANs on a Managed Switch .... 303
  About AP Station Isolation .... 305
  Station Isolation for a Single AP Device .... 305
  Station Isolation for Multiple AP Devices .... 305
  Example — Station Isolation and Roaming .... 306
  About AP Device Activation .... 309
  Automatic Activation .... 309
  Manual Activation .... 309
  About AP Device Passphrases .... 310
  Pairing Passphrase .... 310
  WatchGuard AP Passphrase .... 310
  Passphrases and Pairing .... 310
  Resolve a Passphrase Mismatch .... 311
  Configure AP Devices in the Gateway Wireless Controller .... 312
  Enable the Gateway Wireless Controller .... 312
  Set the Diagnostic Log Level .... 313
  Configure WatchGuard AP Device SSIDs .... 314
  Configure SSID Security Settings .... 316
  WatchGuard AP Device Discovery and Pairing .... 320
  Configure AP Device Settings .... 321
  Configure AP Device Radio Settings .... 326
  Configure Gateway Wireless Controller Settings .... 330
  Configure MAC Access Control .... 333
  Unpair an AP Device .... 335
  Monitor AP Device Status .... 336
  See AP Connection Status and Uptime .... 336
  See AP Radio Frequency and Channel .... 336
  See the AP Activation Status .... 337
  See AP Device Network Statistics .... 338
  See Log Messages on an AP Device .... 339
  Reboot an AP Device .... 339
  Perform a Site Survey .... 340
  Monitor Wireless Clients .... 342
  Enable a Hotspot on an AP Device .... 342
  Reset the WatchGuard AP Device .... 343
  Reset the WatchGuard AP Device with the Reset Button .... 343
  Reset the WatchGuard AP Device from the Access Point Web UI .... 344
  Unpair the WatchGuard AP Device .... 344
  Add an HTTPS Policy for Access Point Web UI Connections .... 345
  Use the WatchGuard Access Point Web UI .... 345
  Connect to the WatchGuard Access Point Web UI .... 346
  Verify the Current AP Device Settings .... 347
  Manage Network Settings .... 348
  Change the Access Point Passphrase .... 349
  Upgrade the AP Device Firmware .... 349
  Save or Revert Configuration Changes .... 350
  WatchGuard AP Device Deployment Examples .... 350
  WatchGuard AP Device Deployment with a Single SSID .... 351
  WatchGuard AP Device Deployment with Multiple SSIDs .... 352
  WatchGuard AP Device Deployment with VLANs .... 354
Dynamic Routing .... 357
  About Dynamic Routing .... 357
  Dynamic Routing Protocols .... 357
  Dynamic Routing Policies .... 357
  Monitor Dynamic Routing .... 358
  About Routing Daemon Configuration Files .... 358
  About Routing Information Protocol (RIP) .... 358
  Routing Information Protocol (RIP) Commands .... 359
  Configure the XTM Device to Use RIP .... 361
  Sample RIP Routing Configuration File .... 362
  About Open Shortest Path First (OSPF) Protocol .... 364
  OSPF Commands .... 364
  OSPF Interface Cost Table .... 367
  Configure the XTM Device to Use OSPF .... 368
  Sample OSPF Routing Configuration File .... 369
  About Border Gateway Protocol (BGP) .... 372
  BGP Commands .... 373
  Configure the XTM Device to Use BGP .... 375
  Sample BGP Routing Configuration File .... 376
Authentication .... 379
  About User Authentication .... 379
  User Authentication Steps .... 380
  Manage Authenticated Users .... 382
  Use Authentication to Restrict Incoming Traffic .... 383
  Use Authentication Through a Gateway Firebox .... 385
  About the WatchGuard Authentication (WG-Auth) Policy .... 385
  Set Global Firewall Authentication Values .... 385
  Specify Firewall Authentication Settings .... 385
  Set Global Authentication Timeouts .... 386
  Allow Unlimited Concurrent Login Sessions .... 387
  Limit Login Sessions .... 387
  Specify the Default Authentication Server in the Authentication Portal .... 389
  Automatically Redirect Users to the Authentication Portal .... 389
  Use a Custom Default Start Page .... 390
  Set Management Session Timeouts .... 390
  About Single Sign-On (SSO) .... 391
  The WatchGuard SSO Solution .... 391
  Example Network Configurations for SSO .... 394
  Before You Begin .... 397
  Set Up SSO .... 398
  Install the WatchGuard Single Sign-On (SSO) Agent .... 398
  Configure the SSO Agent .... 400
  Use Telnet to Debug the SSO Agent .... 410
  Install the WatchGuard Single Sign-On (SSO) Client .... 413
  Install the WatchGuard SSO Exchange Monitor .... 414
  Enable Single Sign-On (SSO) .... 415
  Install and Configure the Terminal Services Agent .... 419
  About Single Sign-On for Terminal Services .... 420
  Before You Begin .... 421
  Install the Terminal Services Agent .... 421
  Configure the Terminal Services Agent .... 422
  Configure Terminal Services Settings .... 426
  Authentication Server Types .... 428
  About Third-Party Authentication Servers .... 428
  Use a Backup Authentication Server .... 428
  Configure Your XTM Device as an Authentication Server .... 429
  Types of Firebox Authentication .... 429
  Define a New User for Firebox Authentication .... 432
  Define a New Group for Firebox Authentication .... 435
  Configure RADIUS Server Authentication .... 436
  Authentication Key .... 436
  RADIUS Authentication Methods .... 436
  Before You Begin .... 436
  Use RADIUS Server Authentication with Your XTM Device .... 436
  How RADIUS Server Authentication Works .... 439
  Configure RADIUS Server Authentication with Active Directory Users and Groups For Mobile VPN Users .... 443
  WPA and WPA2 Enterprise Authentication .... 446
  Configure VASCO Server Authentication .... 446
  Configure SecurID Authentication .... 449
  Configure LDAP Authentication .... 452
  About LDAP Optional Settings .... 455
  Test the Connection to the Server .... 455
  Configure Active Directory Authentication .... 456
  Add an Active Directory Authentication Domain and Server .... 456
  About Active Directory Optional Settings .... 460
  Test the Connection to the Server .... 460
  Edit an Existing Active Directory Domain .... 461
  Delete an Active Directory Domain .... 461
  Find Your Active Directory Search Base .... 461
  Change the Default Port for the Active Directory Server .... 463
  Use Active Directory or LDAP Optional Settings .... 463
  Before You Begin .... 464
  Specify Active Directory or LDAP Optional Settings .... 464
  Use a Local User Account for Authentication .... 468
  Use Authorized Users and Groups in Policies .... 468
  Define Users and Groups for Firebox Authentication .... 468
  Define Users and Groups for Third-Party Authentication .... 468
  Allow Unlimited Concurrent Login Sessions .... 470
  Limit Login Sessions .... 470
  Add Users and Groups to Policy Definitions .... 470
  Enable a Hotspot .... 471
  Configure User Timeout Settings .... 474
  Select the Hotspot Type .... 474
  Configure the Hotspot Custom Page .... 475
  Connect to a Hotspot .... 478
  See Hotspot Connections .... 479
  About Hotspot External Guest Authentication .... 480
  Before You Begin .... 480
  Configuration .... 481
  External Guest Authentication Example .... 481
  Configure a Web Server for Hotspot External Guest Authentication .... 484
  Configure the Hotspot for External Guest Authentication .... 491
  Troubleshoot Hotspot External Guest Authentication .... 493
Policies .... 495
  About Policies .... 495
  Packet Filter and Proxy Policies .... 495
  Add Policies to Your XTM device .... 496
  About the Policies Pages .... 497
  About the Outgoing Policy .... 499
  Add Policies to Your Configuration .... 500
  Use Policy Checker to Find a Policy .... 500
  Add a Policy from the List of Templates .... 501
  Disable or Delete a Policy .... 502
  Use Policy Checker to Find a Policy .... 503
  Read the Results .... 504
  About Policy Tags and Filters .... 506
  Create and Apply Policy Tags .... 506
  Remove Policy Tags From Policies .... 509
  Modify Policy Tags .... 511
  Create and Apply a Filter .... 511
  Modify a Filter .... 512
  About Aliases .... 514
  Alias Members .... 514
  Create an Alias .... 515
  About Policy Precedence .... 519
  Automatic Policy Order .... 519
  Policy Specificity and Protocols .... 519
  Traffic Rules .... 520
  Firewall Actions .... 520
  Schedules .... 521
  Policy Types and Names .... 521
  Set Precedence Manually .... 521
  Create Schedules for XTM Device Actions .... 522
  Set an Operating Schedule .... 523
  About Custom Policies .... 524
  Create or Edit a Custom Policy Template .... 524
  About Policy Properties .... 527
  Settings Tab .... 528
  Application Control Tab .... 528
  Traffic Management Tab .... 528
  Scheduling Tab .... 528
  Advanced Tab .... 529
  Proxy Settings .... 529
  Set Access Rules for a Policy .... 529
  Configure Policy-Based Routing .... 531
  Set a Custom Idle Timeout .... 535
  Set ICMP Error Handling .... 536
  Apply NAT Rules .... 536
  Set the Sticky Connection Duration for a Policy .... 536
Proxy Settings .... 539
  About Proxy Policies and ALGs .... 539
  Proxy Configuration .... 540
  Add a Proxy Policy to Your Configuration .... 540
  About Proxy Actions .... 543
  Set the Proxy Action in a Proxy Policy .... 543
  Clone, Edit, or Delete Proxy Actions .... 544
  Proxy and AV Alarms .... 549
  About Rules and Rulesets .... 550
  About Working with Rules and Rulesets .... 550
  Configure Rulesets .... 551
  Add, Change, or Delete Rules .... 551
  Cut and Paste Rule Definitions .... 553
  Change the Order of Rules .... 553
  Change the Default Rule .... 553
  About Regular Expressions .... 555
  About the DNS-Proxy .... 559
  Settings Tab .... 560
  Application Control Tab .... 560
  Traffic Management Tab .... 560
  Proxy Action Tab .... 561
  Scheduling Tab .... 561
  Advanced Tab .... 562
  DNS-Proxy: General Settings .... 563
  DNS-Proxy: OPcodes .... 564
  DNS-Proxy: Query Types .... 567
  DNS-Proxy: Query Names .... 570
  DNS-Proxy: Proxy Alarm .... 572
  About MX (Mail eXchange) Records .... 574
  About the FTP-Proxy .... 576
  Settings Tab .... 577
  Application Control Tab .... 577
  Traffic Management Tab .... 577
  Proxy Action Tab .... 578
  Scheduling Tab .... 578
  Advanced Tab .... 579
  FTP-Proxy: General Settings .... 580
  FTP-Proxy: Commands .... 583
  FTP-Proxy: Content .... 584
  FTP-Proxy: Data Loss Prevention .... 584
  FTP-Proxy: Proxy and AV Alarms .... 584
  About the H.323-ALG .... 586
  VoIP Components .... 586
  ALG Functions .... 586
  Settings Tab .... 588
  Application Control Tab .... 588
  Traffic Management Tab .... 588
  Proxy Action Tab .... 589
  Scheduling Tab .... 589
  Advanced Tab .... 590
  H.323-ALG: General Settings .... 590
  H.323-ALG: Access Control .... 593
  H.323-ALG: Denied Codecs .... 596
  About the HTTP-Proxy .... 598
  Settings Tab .... 599
  Application Control Tab .... 599
  Traffic Management Tab .... 599
  Proxy Action Tab .... 600
  Scheduling Tab .... 600
  Advanced Tab .... 601
  HTTP Request: General Settings .... 602
  HTTP Request: Request Methods .... 605
  HTTP Request: URL Paths .... 608
  HTTP Request: Header Fields .... 608
  HTTP Request: Authorization .... 609
  HTTP Response: General Settings .... 610
  HTTP Response: Header Fields .... 611
  HTTP Response: Content Types .... 612
  HTTP Response: Cookies .... 614
  HTTP Response: Body Content Types .... 615
  HTTP-Proxy: Exceptions .... 615
  HTTP-Proxy: Deny Message .... 617
  HTTP-Proxy: Data Loss Prevention .... 619
  HTTP-Proxy: Proxy and AV Alarms .... 619
  Enable Windows Updates Through the HTTP-Proxy .... 620
  Use a Caching Proxy Server .... 621
  About the HTTPS-Proxy .... 623
  Settings Tab .... 624
  Application Control Tab .... 624
  Traffic Management Tab .... 624
  Proxy Action Tab .... 625
  Scheduling Tab .... 625
  Advanced Tab .... 626
  HTTPS-Proxy: General Settings .... 627
  HTTPS-Proxy: Content Inspection .... 629
  HTTPS-Proxy: Certificate Names .... 632
  HTTPS-Proxy: Proxy Alarm .... 632
  About the POP3-Proxy .... 634
  Settings Tab .... 635
  Application Control Tab .... 635
  Traffic Management Tab .... 635
  Proxy Action Tab .... 636
  Scheduling Tab .... 636
  Advanced Tab .... 637
  POP3-Proxy: General Settings .... 638
  POP3-Proxy: Authentication .... 640
  POP3-Proxy: Content Types .... 641
  POP3-Proxy: Filenames .... 643
  POP3-Proxy: Headers .... 645
  POP3-Proxy: Deny Message .... 645
  POP3-Proxy: Proxy and AV Alarms .... 647
  About the SIP-ALG .... 648
  VoIP Components .... 648
  Instant Messaging Support .... 648
  ALG Functions .... 649
  Settings Tab .... 650
  Application Control Tab .... 650
  Traffic Management Tab .... 650
  Proxy Action Tab .... 651
  Scheduling Tab .... 651
  Advanced Tab .... 652
  SIP-ALG: General Settings .... 653
  SIP-ALG: Access Control .... 656
  SIP-ALG: Denied Codecs .... 658
  About the SMTP-Proxy .... 661
  Settings Tab .... 662
  Application Control Tab .... 662
  Traffic Management Tab .... 662
  Proxy Action Tab .... 663
  Scheduling Tab .... 663
  Advanced Tab .... 664
  SMTP-Proxy: General Settings .... 665
  SMTP-Proxy: Greeting Rules .... 669
  SMTP-Proxy: ESMTP Settings .... 672
  SMTP-Proxy: TLS Encryption .... 674
  SMTP-Proxy: Authentication .... 677
  SMTP-Proxy: Content Types .... 680
  SMTP-Proxy: Filenames .... 684
  SMTP-Proxy: Mail From/Rcpt To .... 686
  SMTP-Proxy: Headers .... 688
  SMTP-Proxy: Deny Message .... 688
  SMTP-Proxy: Data Loss Prevention .... 690
  SMTP-Proxy: Proxy and AV Alarms .... 690
  Configure the SMTP-Proxy to Quarantine Email .... 692
  Protect Your SMTP Server from Email Relaying .... 692
  About the TCP-UDP-Proxy .... 694
  Settings Tab .... 695
  Application Control Tab .... 695
  Traffic Management Tab .... 695
  Proxy Action Tab .... 696
  Scheduling Tab .... 696
  Advanced Tab .... 697
  TCP-UDP-Proxy: General Settings .... 697
Traffic Management and QoS .... 701
  About Traffic Management and QoS .... 701
  Enable Traffic Management and QoS .... 701
  Guarantee Bandwidth .... 702
  Restrict Bandwidth .... 703
  QoS Marking .... 703
  Traffic priority .... 703
  Set Outgoing Interface Bandwidth .... 704
  Set Connection Rate Limits .... 705
  About QoS Marking .... 705
  Before You Begin .... 705
  QoS Marking for Interfaces and Policies .... 706
  QoS Marking and IPSec Traffic .... 706
  Enable QoS Marking for an Interface .... 706
  Enable QoS Marking or Prioritization Settings for a Policy .... 707
  Traffic Control and Policy Definitions .... 709
  Define a Traffic Management Action .... 709
  Add a Traffic Management Action to a Policy .... 710
Default Threat Protection .... 713
  About Default Threat Protection .... 713
  About Default Packet Handling Options .... 714
  Configure Default Packet Handling .... 714
  About Spoofing Attacks .... 716
  About IP Source Route Attacks .... 718
  About Port Space and Address Space Probes .... 720
  About Flood Attacks .... 722
  About Unhandled Packets .... 724
  About Distributed Denial-of-Service Attacks .... 727
  About Blocked Sites .... 729
  Permanently Blocked Sites .... 729
  Auto-Blocked Sites/Temporary Blocked Sites List .... 730
  Blocked Site Exceptions .... 730
  See and Manage the Blocked Sites List .... 730
  Block a Site Permanently .... 730
  Create Blocked Site Exceptions .... 731
  Block Sites Temporarily with Policy Settings .... 732
  Change the Duration that Sites are Auto-Blocked .... 733
  About Blocked Ports .... 733
  Default Blocked Ports .... 734
  Block a Port .... 736
Logging and Notification .... 737
  About Logging, Log Files, and Notification .... 737
  About Log Messages .... 737
  Log Servers .... 737
  Logging and Notification in Applications and Servers .... 738
  System Status Traffic Monitor .... 738
  Types of Log Messages .... 738
  Send Log Messages to a WatchGuard Log Server .... 739
  Add, Edit, or Change the Priority of Log Servers .... 740
  Send Log Information to a Syslog Host .... 741
  Configure Logging Settings .... 743
  Set the Diagnostic Log Level .... 744
  Monitor Hardware Health .... 746
  Configure Logging and Notification for a Policy .... 747
  Set Logging and Notification Preferences .... 748
Monitor Your Device .... 751
  About the Dashboard and System Status Pages .... 751
  The Dashboard .... 751
  System Status Pages .... 753
  Front Panel .... 755
  Widgets .... 755
  Top Panels .... 756
  Subscription Services .... 756
  FireWatch .... 757
  See Connection Details .... 758
  Delete a Connection .... 761
  Block a Site .... 762
  Refresh FireWatch Data .... 762
  Interfaces .... 762
  Release or Renew a DHCP Lease .... 763
  Traffic Monitor .... 764
  Sort and Filter Traffic Monitor Log Messages .... 766
  Pause and Restart the Display .... 766
  WatchGuard AP Device and Wireless Client Connections (Gateway Wireless Controller) .... 767
  Summary .... 768
  Access Points .... 768
  Wireless Clients .... 770
  ARP Table .... 771
  Authentication List .... 772
  Blocked Sites .... 773
  Add or Edit Temporary Blocked Sites .... 774
  Checksum .... 774
  Components List .... 775
  DHCP Leases .... 776
  Diagnostics .... 777
  Run a Basic Diagnostics Command .... 778
  Use Command Arguments .... 778
  Find the IP Address for a Host Name .... 778
  Download a PCAP File .... 779
  Run a VPN Diagnostic Report .... 782
  Dynamic DNS .... 784
  Hotspot Clients .... 785
  LiveSecurity .... 785
  Processes .... 786
  Routes .... 786
  Server Connection .... 788
  Test the Server Connection .... 789
  Read the Server Connection Results .... 790
  Traffic Management .... 790
  VPN Statistics .... 791
Certificates .... 793
  About Certificates .... 793
  Use Multiple Certificates to Establish Trust .... 794
  How the XTM Device Uses Certificates .... 794
  Certificate Lifetimes and CRLs .... 795
  Certificate Authorities and Signing Requests .... 795
  Certificate Authorities Trusted by the XTM Device .... 796
  Manage XTM Device Certificates .... 808
  Create a CSR with OpenSSL .... 812
  Use OpenSSL to Generate a CSR .... 812
  Sign a Certificate with Microsoft CA .... 812
  Send the Certificate Request .... 813
  Issue the Certificate .... 813
  Download the Certificate .... 813
  Use Certificates for the HTTPS-Proxy .... 814
  Protect a Private HTTPS Server .... 814
  Examine Content from External HTTPS Servers .... 815
  Import the Certificates on Client Devices .... 817
  Troubleshoot Problems with HTTPS Content Inspection .... 817
  Certificates for Branch Office VPN (BOVPN) Tunnel Authentication .... 817
  Verify the Certificate .... 818
  Verify VPN Certificates with an LDAP Server .... 818
  Certificates for Mobile VPN With IPSec Tunnel Authentication .... 819
  Verify VPN Certificates with an LDAP Server .... 820
  Certificates for Mobile VPN with L2TP Tunnel Authentication .... 821
  Verify VPN Certificates with an LDAP Server .... 821
  Configure the Web Server Certificate for Firebox Authentication .... 822
  Import a Certificate on a Client Device .... 824
  Import a PEM Format Certificate with Windows 7 .... 824
Virtual Private Networks (VPNs) .... 827
  Introduction to VPNs .... 827
  Branch Office VPN .... 827
  Mobile VPN .... 828
  About IPSec VPNs .... 828
  About IPSec Algorithms and Protocols .... 828
  About IPSec VPN Negotiations .... 832
  About IPSec VPN Tunnel Authentication Methods .... 835
  Configure Phase 1 and Phase 2 Settings .... 836
  About Mobile VPNs .... 837
  Select a Mobile VPN .... 837
  Internet Access Options for Mobile VPN Users .... 841
  Mobile VPN Setup Overview .... 842
  Virtual IP Addresses and Mobile VPNs .... 843
  DNS and Mobile VPNs .... 844
  VPN Tunnel Capacity and Licensing .... 845
  Find Your XTM Device Tunnel Capacity .... 845
  VPN License Enforcement .... 845
Branch Office VPNs
xxvii
818
847
What You Need to Create a Manual BOVPN
847
About Manual Branch Office VPN Tunnels
848
What You Need to Create a VPN
848
BOVPN Tunnel Configuration Options
849
One-Way Tunnels
849
VPN Failover
849
Fireware XTM Web UI
Global VPN Settings
850
BOVPN Tunnel Status
851
Rekey BOVPN Tunnels
851
Sample VPN Address Information Table
851
Branch Office VPN Terminology
852
Configure Gateways
854
Define Gateway Endpoints
856
Configure Mode and Transforms (Phase 1 Settings)
860
Edit and Delete Gateways
866
Disable Automatic Tunnel Startup
866
If Your XTM Device is Behind a Device That Does NAT
866
Make Tunnels Between Gateway Endpoints
868
Define a Tunnel
868
Add Routes for a Tunnel
870
Configure Phase 2 Settings
871
Add a Phase 2 Proposal
872
Change Order of Tunnels
875
About BOVPN Virtual Interfaces
876
BOVPN Virtual Interface Configuration Scenarios
877
Metric-based VPN Failover and Failback
877
BOVPN Virtual Interface with Dynamic Routing
878
BOVPN Virtual Interface with Policy-Based Routing
879
Configure a BOVPN Virtual Interface
882
Configure VPN Routes
885
Assign BOVPN Virtual Interface IP Addresses
888
Configure BOVPN Virtual Interface Multicast Settings
890
About Global VPN Settings
891
Enable IPSec Pass-through
891
Enable TOS for IPSec
892
Enable the Use of Non-Default (Static or Dynamic) Routes to Determine if IPSec is Used 892
Disable or Enable the Built-in IPSec Policy
893
Remove VPN Routes for a BOVPN Virtual Interface
893
Enable LDAP Server for Certificate Verification
894
User Guide
xxviii
BOVPN Notification 894
Configure Inbound IPSec Pass-through with SNAT 894
Disable the Built-in IPSec Policy 895
Add IPSec Policies 895
Configure a Branch Office VPN for Failover from a Leased Line 896
Requirements 896
Configuration Overview 896
How Failover to the Branch Office VPN Operates 897
Set Up Outgoing Dynamic NAT Through a Branch Office VPN Tunnel 898
Configure the Endpoint Where All Traffic Must Appear to Come from a Single Address (Site A) 898
Configure the Endpoint that Expects All Traffic to Come from a Single IP Address (Site B) 901
Use 1-to-1 NAT Through a Branch Office VPN Tunnel 903
1-to-1 NAT and VPNs 903
Other Reasons to Use 1-to-1 NAT Through a VPN 903
Alternative to Using NAT 904
How to Set Up the VPN 905
Example 905
Define a Route for All Internet-Bound Traffic 910
Configure the BOVPN Tunnel on the Remote XTM Device 910
Configure the BOVPN Tunnel on the Central XTM Device 911
Add a Dynamic NAT Entry on the Central XTM Device 912
Enable Multicast Routing Through a Branch Office VPN Tunnel 914
About Helper Addresses 914
Enable an XTM Device to Send Multicast Traffic Through a Tunnel 915
Enable an XTM Device to Receive Multicast Traffic Through a Tunnel 918
Enable an XTM Device to Send Multicast Traffic Through a BOVPN Virtual Interface 918
Enable an XTM Device to Receive Multicast Traffic Through a BOVPN Virtual Interface 919
Enable Broadcast Routing Through a Branch Office VPN Tunnel 920
Enable Broadcast Routing for the Local XTM device 921
Configure Broadcast Routing for the XTM Device at the Other End of the Tunnel 923
Configure VPN Failover 924
Define Multiple Gateway Pairs 925
Configure VPN Modem Failover 929
Before You Begin 929
Branch Office VPN Configuration Requirements 929
Configure a Branch Office VPN Gateway for Modem Failover 930
Configure a Branch Office VPN Virtual Interface for Modem Failover 933
Configure the Gateway on the Remote Device 933
Configure Tunnels 934
About Modem Failover 934
VPN Modem Failover and Multi-WAN 935
Example 1 — Single WAN at Both Sites 935
Example 2 — Multi-WAN at the Small Office 936
Example 3 — Multi-WAN at the Central Office 936
Multi-WAN at Both Sites 937
See VPN Statistics 937
Rekey BOVPN Tunnels 938
Related Questions About Branch Office VPN Set Up 938
Why do I Need a Static External Address? 938
How do I Get a Static External IP Address? 938
How do I Troubleshoot the Connection? 938
Why is Ping not Working? 938
Troubleshoot Branch Office VPN Tunnels 939
Use the VPN Diagnostic Report 939
Filter Branch Office VPN Log Messages 940
Improve Branch Office VPN Tunnel Availability 942
BOVPN Virtual Interface Examples 946
Example: BOVPN Virtual Interface with Dynamic Routing 947
Mobile VPN with PPTP 957
About Mobile VPN with PPTP 957
Mobile VPN with PPTP Requirements 957
Encryption Levels 958
Configure Mobile VPN with PPTP 958
Authentication 959
Encryption Settings 959
Add to the IP Address Pool 959
Advanced Tab Settings 960
Configure PPTP Policies 962
Configure WINS and DNS Servers 962
Add New Users to the PPTP-Users Group 963
Configure Policies to Allow Mobile VPN with PPTP Traffic 964
Configure Policies to Allow Mobile VPN with PPTP Traffic 965
Allow PPTP Users to Access a Trusted Network 965
Use Other Groups or Users in a PPTP Policy 966
Options for Internet Access Through a Mobile VPN with PPTP Tunnel 966
Default-Route VPN 966
Split Tunnel VPN 967
Default-Route VPN Setup for Mobile VPN with PPTP 967
Split Tunnel VPN Setup for Mobile VPN with PPTP 967
Prepare Client Computers for PPTP 969
Create and Connect a PPTP Mobile VPN for Windows 8 969
Create and Connect a PPTP Mobile VPN for Windows 7 970
Create and Connect a PPTP Mobile VPN for Windows Vista 971
Create and Connect a PPTP Mobile VPN for Windows XP 972
Make Outbound PPTP Connections from Behind an XTM Device 973
Mobile VPN with IPSec 975
About Mobile VPN with IPSec 975
Configure a Mobile VPN with IPSec Connection 976
System Requirements 976
Options for Internet Access Through a Mobile VPN with IPSec Tunnel 978
About Mobile VPN Client Configuration Files 978
Configure the XTM Device for Mobile VPN with IPSec 979
Add Users to a Firebox Mobile VPN Group 986
Modify an Existing Mobile VPN with IPSec Group Profile 989
Configure WINS and DNS Servers 1000
Lock Down an End User Profile 1001
Generate Mobile VPN with IPSec Configuration Files 1002
Configure Policies to Filter Mobile VPN Traffic 1003
Distribute the Software and Profiles 1005
Additional Mobile VPN Topics 1007
Configure Mobile VPN with IPSec to a Dynamic IP Address 1009
About the Shrew Soft VPN Client 1010
Shrew Soft VPN Client Limitations 1011
Shrew Soft VPN End-User Profile 1011
Install the Shrew Soft VPN Client Software 1011
Import Certificates to the Shrew Soft VPN Client 1013
Use the Shrew Soft VPN Client to Connect 1014
Troubleshoot the Shrew Soft VPN Client 1016
About the XTM IPSec Mobile VPN Client 1018
Client Requirements 1018
Install the IPSec Mobile VPN Client Software 1018
Connect and Disconnect the Mobile VPN Client 1022
See Mobile VPN Log Messages 1024
Secure Your Computer with the Mobile VPN Firewall 1025
End-User Instructions for WatchGuard IPSec Mobile VPN Client Installation 1027
About the WatchGuard Mobile VPN App 1034
WatchGuard Mobile VPN App for Android 1034
WatchGuard Mobile VPN App for iOS 1034
Mobile VPN App End-User Profile 1035
Use Mobile VPN with IPSec with a Mac OS X or iOS Device 1036
Configure the XTM Device 1036
Configure the VPN Client on an iOS Device 1041
Configure the VPN Client on a Mac OS X Device 1042
Use Mobile VPN with IPSec with an Android Device 1043
Configure the XTM Device 1044
Configure the WatchGuard Mobile VPN App 1048
Configure the Native Android 4.x VPN Client 1049
Mobile VPN with SSL 1053
About Mobile VPN with SSL 1053
Configure the XTM Device for Mobile VPN with SSL 1053
Configure Connection Settings 1054
Configure the Networking and IP Address Pool Settings 1055
Configure Authentication Settings 1056
Configure Advanced Settings for Mobile VPN with SSL 1060
Configure Policies to Control Mobile VPN with SSL Client Access 1062
Choose the Port and Protocol for Mobile VPN with SSL 1064
Options for Internet Access Through a Mobile VPN with SSL Tunnel 1066
Name Resolution for Mobile VPN with SSL 1067
Configure the External Authentication Server 1069
Install and Connect the Mobile VPN with SSL Client 1070
Client Computer Requirements 1070
Download the Client Software 1070
Install the Client Software 1071
Connect to Your Private Network 1073
Mobile VPN with SSL Client Controls 1074
Manually Distribute and Install the Mobile VPN with SSL Client Software and Configuration File 1075
Uninstall the Mobile VPN with SSL Client 1076
Use Mobile VPN with SSL with an OpenVPN Client 1078
Requirements 1078
Download the Mobile VPN with SSL Client Profile 1079
Import the Client Profile 1080
Mobile VPN with L2TP 1081
About Mobile VPN with L2TP 1082
Client Compatibility 1082
Authentication Server Compatibility 1082
Licensing 1082
Options for Internet Access Through a Mobile VPN with L2TP Tunnel 1083
Default-Route VPN 1083
Split Tunnel VPN 1083
Default-Route VPN Setup for Mobile VPN with L2TP 1083
Split Tunnel VPN Setup for Mobile VPN with L2TP 1084
About L2TP User Authentication 1086
Use the WatchGuard L2TP Setup Wizard 1087
Before you Begin 1087
Start the L2TP Setup Wizard 1087
Edit the Mobile VPN with L2TP Configuration 1092
Edit the Virtual IP Address Pool 1093
Edit Network Settings 1093
Edit Authentication Settings 1094
Edit L2TP IPSec Settings 1096
Configure Mobile Clients 1100
Add an L2TP IPSec Phase 1 Transform 1100
Configure L2TP IPSec Phase 1 Advanced Settings 1102
Add an L2TP IPSec Phase 2 Proposal 1103
About L2TP Policies 1105
Configure WINS and DNS Servers 1105
Configure Client Devices for Mobile VPN with L2TP 1107
Configure and Use L2TP on Windows 8 1107
Configure and Use L2TP on Windows 7 1109
Configure and Use L2TP on Windows XP 1111
Configure and Use L2TP on Mac OS X 1113
Configure and Use L2TP on Android 1115
About L2TP Connections from an iOS Device 1116
Configure Mobile VPN with L2TP for Use with iOS Devices 1117
Generate and Distribute the L2TP Mobile Client Profile 1120
Import the L2TP Configuration to the iOS VPN Client 1122
Manually Configure L2TP on an iOS Device 1123
Connect from an L2TP VPN Client 1124
WebBlocker 1125
About WebBlocker 1125
WebBlocker Server Options 1125
WebBlocker and Policies 1126
WebBlocker Licensing 1126
Install a Local WebBlocker Server 1126
Get Started with WebBlocker 1127
WebBlocker Server Options 1127
Create a WebBlocker Profile 1127
Apply a WebBlocker Profile to HTTP and HTTPS Proxies 1128
Configure WebBlocker Servers 1129
Change Categories to Block 1131
About WebBlocker Websense Categories 1135
See How Websense Categorizes a Site 1135
Request a Websense Category Change 1135
About WebBlocker SurfControl Categories 1136
See How SurfControl Categorizes a Site 1136
Request a SurfControl Category Change 1137
About WebBlocker Exceptions 1138
Define the Action for Sites that do not Match Exceptions 1138
Components of Exception Rules 1139
Exceptions with Part of a URL 1139
Add WebBlocker Exceptions 1139
Define Advanced WebBlocker Options 1142
Local Override 1143
Cache Size 1143
Server Timeout 1143
License Bypass 1144
Diagnostic Log Level 1144
About the WebBlocker Cache 1145
Use WebBlocker Local Override 1145
Define WebBlocker Alarms 1146
About WebBlocker Subscription Services Expiration 1147
spamBlocker 1149
About spamBlocker 1149
spamBlocker Requirements 1150
spamBlocker Actions, Tags, and Categories 1150
Configure spamBlocker 1153
Before You Begin 1153
Configure spamBlocker for an SMTP or POP3 Proxy Action 1153
About spamBlocker Exceptions 1156
Configure Virus Outbreak Detection Actions 1158
Configure spamBlocker to Quarantine Email 1160
About Using spamBlocker with Multiple Proxies 1160
Configure Global spamBlocker Settings 1160
Use an HTTP Proxy Server for spamBlocker 1162
Add Trusted Email Forwarders to Improve Spam Score Accuracy 1162
Enable and Set Parameters for Virus Outbreak Detection (VOD) 1163
About spamBlocker Proactive Patterns 1165
About spamBlocker Scan Limits 1165
Create Rules for Your Email Reader 1165
Send Spam to an Outlook Folder 1166
Monitor spamBlocker Statistics 1167
Report False Positives or Missed Spam 1167
Send Feedback to Commtouch 1167
Report Feedback About a Confidential Message 1168
Find the Category a Message is Assigned To 1169
Reputation Enabled Defense 1171
About Reputation Enabled Defense 1171
Reputation Thresholds 1171
Reputation Scores 1172
Reputation Lookups 1172
Reputation Enabled Defense Feedback 1173
Configure Reputation Enabled Defense 1173
Before You Begin 1174
Configure Reputation Enabled Defense for a Proxy Action 1175
Configure the Reputation Thresholds 1176
Send Gateway AV Scan Results to WatchGuard 1176
Gateway AntiVirus 1179
About Gateway AntiVirus 1179
Install and Upgrade Gateway AV 1180
About Gateway AntiVirus and Proxy Policies 1180
Configure the Gateway AntiVirus Service 1181
Before You Begin 1181
Configure the Gateway AntiVirus Service 1182
Configure Gateway AntiVirus Actions 1182
Configure Gateway AntiVirus to Quarantine Email 1187
About Gateway AntiVirus Scan Limits 1187
Update Gateway AntiVirus Settings 1188
If you Use a Third-Party Antivirus Client 1188
Configure Gateway AV Decompression Settings 1188
Configure the Gateway AV Update Server 1189
Intrusion Prevention Service 1193
About Intrusion Prevention Service 1193
IPS Threat Levels 1193
Add the IPS Upgrade 1194
Keep IPS Signatures Updated 1194
See IPS Status 1194
Configure Intrusion Prevention 1194
Enable IPS and Configure IPS Actions 1194
Configure other IPS Settings 1196
Disable or Enable IPS for a Policy 1196
Configure the IPS Update Server 1197
Configure Automatic Signature Updates 1198
Connect to the Update Server Through an HTTP Proxy Server 1199
Block Access from the Trusted Network to the Update Server 1199
Update Signatures Manually 1199
Show IPS Signature Information 1200
See IPS Signatures 1200
Search, Sort and Filter the IPS Signatures 1201
Add an IPS Exception 1201
Configure IPS Exceptions 1202
Find the IPS Signature ID 1202
Add an IPS Signature Exception 1202
Configure IPS Notification 1204
Look Up IPS Signatures on the Security Portal 1204
Application Control 1207
About Application Control 1207
Application Control Deny Message 1207
Add the Application Control Upgrade 1208
Keep Application Control Signatures Updated 1208
Application Control — Begin with Monitoring 1209
Monitor Application Use 1209
Application Control Reports 1210
Policy Guidelines for Application Control 1212
Global Application Control Action 1213
Configure Application Control Actions 1213
Add or Edit Application Control Actions 1214
Remove Configured Applications From an Application Control Action 1217
Apply an Application Control Action to a Policy 1218
Clone an Application Control Action 1218
Remove Application Control Actions 1219
Use Application Categories 1220
Configure Application Control for Policies 1222
Enable Application Control in a Policy 1223
Get Information About Applications 1224
Configure the Application Control Update Server 1225
Configure Signature Updates 1225
Connect to the Update Server Through an HTTP Proxy Server 1226
Block Access from the Trusted Network to the Update Server 1227
Update Signatures Manually 1227
Application Control and Proxies 1227
Application Control and WebBlocker 1228
Manage SSL Applications 1228
Manage Evasive Applications 1228
Block User Logins to Skype 1229
Manage Applications that Use Multiple Protocols 1230
Example: Block FlashGet 1230
File Transfer Applications and Protocols 1231
Monitor Downloads and File Transfers 1232
Manage Facebook Applications 1232
Application Control Policy Examples 1235
Allow an Application For a Group of Users 1235
Block Applications During Business Hours 1236
Data Loss Prevention 1238
About Data Loss Prevention 1239
DLP Text Extraction and File Types 1239
Add the DLP Upgrade 1241
About DLP and Proxy Policies 1241
About DLP False Positives 1241
Configure Data Loss Prevention 1242
Enable DLP and Configure DLP Sensors 1242
Configure other DLP Settings 1242
Configure DLP Sensors 1243
Rules 1243
Actions 1244
Settings 1244
Sensor Types 1245
Add a Sensor 1245
Clone a Sensor 1248
Edit a Sensor 1248
Add or Edit Sensor Actions 1249
Reorder Sensor Actions 1251
Configure Sensor Scan Settings 1252
Delete a Sensor 1252
Configure DLP Scan Settings 1253
About DLP Scan Limits 1255
Configure DLP for Policies 1256
Enable DLP Sensors for Policies 1256
Select the DLP Sensor in a Proxy Action 1257
Configure the DLP Update Server 1258
Configure Signature Updates 1258
Connect to the Update Server Through an HTTP Proxy Server 1259
Block Access from the Trusted Network to the Update Server 1259
Update Signatures Manually 1259
Monitor DLP Activity 1260
Look Up DLP Rules on the Security Portal 1261
Quarantine Server 1263
About the Quarantine Server 1263
Configure the XTM Device to Quarantine Email 1264
Define the Quarantine Server Location on the XTM Device 1264
User Management of Quarantined Messages 1266
Manage Quarantined Messages 1266
Change Quarantine Notification Settings 1268
1 Introduction to Network Security
About Networks and Network Security
A network is a group of computers and other devices that are connected to each other. It can be two
computers in the same room, dozens of computers in an organization, or many computers around the
world connected through the Internet. Computers on the same network can work together and share
data.
Although networks like the Internet give you access to a large quantity of information and business
opportunities, they can also open your network to attackers. Many people think that their computers
hold no important information, or that a hacker is not interested in their computers. This is not correct. A
hacker can use your computer as a platform to attack other computers or networks. Information from
your organization, including personal information about users, employees, or customers, is also
valuable to hackers.
Your XTM device and LiveSecurity subscription can help you prevent these attacks. A good network
security policy, or a set of access rules for users and resources, can also help you find and prevent
attacks on your computer or network. We recommend that you configure your XTM device to match
your security policy, and think about threats from both inside and outside your organization.
About Internet Connections
ISPs (Internet service providers) are companies that give access to the Internet through network
connections. The rate at which a network connection can send data is known as bandwidth: for
example, 3 megabits per second (Mbps).
A high-speed Internet connection, such as a cable modem or a DSL (Digital Subscriber Line), is known
as a broadband connection. Broadband connections are much faster than dial-up connections. The
bandwidth of a dial-up connection is less than 0.1 Mbps, while a cable modem can be 5 Mbps or more.
User Guide
1
Introduction to Network Security
Typical speeds for cable modems are usually lower than the maximum speeds, because each
computer in a neighborhood is a member of a LAN. Each computer in that LAN uses some of the
bandwidth. Because of this shared-medium system, cable modem connections can become slow
when more users are on the network.
DSL connections supply constant bandwidth, but they are usually slower than cable modem
connections. Also, the bandwidth is only constant between your home or office and the DSL central
office. The DSL central office cannot guarantee a good connection to a web site or network.
How Information Travels on the Internet
The data that you send through the Internet is cut into units, or packets. Each packet includes the
Internet address of the destination. The packets that make up a connection can use different routes
through the Internet. When they all get to their destination, they are assembled back into the original
order. To make sure that the packets get to the destination, address information is added to the
packets.
About Protocols
A protocol is a group of rules that allow computers to connect across a network. Protocols are the
grammar of the language that computers use when they speak to each other across a network. The
standard protocol when you connect to the Internet is the IP (Internet Protocol). This protocol is the
usual language of computers on the Internet.
A protocol also tells how data is sent through a network. The most frequently used protocols are TCP
(Transmission Control Protocol) and UDP (User Datagram Protocol). TCP/IP is the basic protocol
used by computers that connect to the Internet.
You must know some of the TCP/IP settings when you set up your XTM device. For more information
on TCP/IP, see Find Your TCP/IP Properties on page 40.
About IP Addresses
To send ordinary mail to a person, you must know his or her street address. For one computer on the
Internet to send data to a different computer, it must know the address of that computer. A computer
address is known as an Internet Protocol (IP) address. All devices on the Internet have unique IP
addresses, which enable other devices on the Internet to find and interact with them.
Fireware XTM supports both IPv4 and IPv6 addresses. IPv6 addresses are supported only when the
XTM device is configured in mixed routing mode.
For more information about Fireware XTM support for IPv6, see About IPv6 Support.
IPv4 Addresses
An IPv4 address consists of four octets (8-bit binary number sequences) expressed in decimal format
and separated by periods. Each number between the periods must be within the range of 0 and 255.
Some examples of IPv4 addresses are:
• 206.253.208.100
• 4.2.2.2
• 10.0.4.1
Private Addresses and Gateways
Many companies create private networks that have their own address space. The addresses 10.x.x.x
and 192.168.x.x are reserved for private IP addresses. Computers on the Internet cannot use these
addresses. If your computer is on a private network, you connect to the Internet through a gateway
device that has a public IP address.
Usually, the default gateway is the router that is between your network and the Internet. After you
install the XTM device on your network, it becomes the default gateway for all computers connected to
its trusted or optional interfaces.
About Subnet Masks
Because of security and performance considerations, networks are often divided into smaller portions
called subnets. All devices in a subnet have similar IP addresses. For example, all devices that have
IP addresses whose first three octets are 10.0.1 would belong to the same subnet.
The subnet mask for a network IP address, or netmask, is a series of bits that mask sections of the IP
address that identify which parts of the IP address are for the network and which parts are for the host.
A subnet mask can be written in the same way as an IP address, or in slash or CIDR notation.
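As an added example (not from this guide), the following Python script applies the masking described above to decide whether two IPv4 addresses share a subnet, and uses the same check to classify an address as private, loopback, or public. The text lists the 10.x.x.x and 192.168.x.x private ranges; the script also includes 172.16.0.0/12, the third RFC 1918 private range. The sample addresses are constructed for the example.

```python
# Added example (not from the WatchGuard guide): subnet membership and
# RFC 1918 private-address checks done with the bit arithmetic the text
# describes. Sample addresses are constructed.

# The guide names 10.x.x.x and 192.168.x.x; 172.16.0.0/12 is the third
# RFC 1918 range and is added here for completeness.
PRIVATE_RANGES = [
    ("10.0.0.0", "255.0.0.0"),
    ("172.16.0.0", "255.240.0.0"),
    ("192.168.0.0", "255.255.0.0"),
]


def dotted_to_int(dotted):
    """Convert 'a.b.c.d' to a 32-bit integer, rejecting malformed input."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for part in parts:
        if not part.isdigit() or not 0 <= int(part) <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | int(part)
    return value


def same_subnet(addr_a, addr_b, mask):
    """True when both addresses agree on every bit the mask selects.
    This is exactly the 'first three octets are 10.0.1' test from the
    text, expressed for any mask."""
    m = dotted_to_int(mask)
    return (dotted_to_int(addr_a) & m) == (dotted_to_int(addr_b) & m)


def is_private(addr):
    """True when addr falls inside one of the RFC 1918 private ranges."""
    return any(same_subnet(addr, net, mask) for net, mask in PRIVATE_RANGES)


def classify(addr):
    """Label an address the way an administrator reads it in a firewall log."""
    if is_private(addr):
        return "private"
    if same_subnet(addr, "127.0.0.0", "255.0.0.0"):
        return "loopback"
    return "public"


if __name__ == "__main__":
    for a in ("10.0.1.25", "172.31.200.9", "192.168.42.23",
              "206.253.208.100", "127.0.0.1"):
        print(f"{a:>16}  {classify(a)}")
    print(same_subnet("10.0.1.5", "10.0.1.200", "255.255.255.0"))   # True
    print(same_subnet("10.0.1.5", "10.0.2.5", "255.255.255.0"))     # False
```

A public address that is wrongly classified as private (or the reverse) usually points at a typed mask that is wrong rather than at the address, which is why the mask is passed explicitly rather than assumed from the first octet.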
IPv6 Addresses
IPv6 increases the IP address size from the 32 bits found in IPv4 to 128 bits. This allows for a more
structured hierarchy in addresses, and supports a much larger total number of addresses.
IPv6 Address Format
An IPv6 address contains eight groups of 16-bit hexadecimal values, separated by colons (:). The
hexadecimal digits are not case-sensitive. Some examples of IPv6 addresses are:
• 2561:1900:4545:0003:0200:F8FF:FE21:67CF
• 2260:F3A4:32CB:715D:5D11:D837:FC76:12FC
• FE80:0000:0000:0000:2045:FAEB:33AF:8374
The first four groups of 16-bit hexadecimal values represent the network. The last four groups of 16-bit
hexadecimal values are the interface ID that uniquely identifies each networked device. This value is
usually derived from the MAC address of the device.
Shorten an IPv6 Address
There are two ways you can shorten the notation of an IPv6 address:
• Remove leading zeros — In each 16-bit hexadecimal address group, you can remove the leading zeros. For example, these two IPv6 addresses are equivalent:
  2561:1900:4545:0003:0200:F8FF:FE21:67CF
  2561:1900:4545:3:200:F8FF:FE21:67CF
• Remove groups of zeros — If an IPv6 address contains adjacent groups of 16-bit hexadecimal values that are all zeros (0000), you can replace one group of adjacent blocks of zeros with two colons (::). For example, these two IPv6 addresses are equivalent:
  FE80:0000:0000:0000:2045:FAEB:33AF:8374
  FE80::2045:FAEB:33AF:8374
You can use two colons (::) only once in an IPv6 address to represent adjacent groups with all zeros.
IPv6 Prefix
The IPv6 prefix indicates the subnet associated with an IPv6 address. The prefix is expressed as a
slash (/) followed by the prefix size, which is a decimal number between 1 and 128. The prefix size
indicates how many bits of the address make up the network identifier prefix. Examples of IPv6
prefixes are:
• /64 — The prefix used for a single subnet
• /48 — Prefix used for a site that could have multiple subnets
About Slash Notation
Your XTM device uses slash notation, also known as CIDR (Classless Inter-Domain Routing)
notation, for many purposes, such as policy configuration. You use slash notation differently for IPv4
and IPv6 addresses.
IPv4
Slash notation is a compact way to show or write an IPv4 subnet mask. When you use slash notation,
you write the IP address, a forward slash (/), and the subnet mask number.
To find the subnet mask number:
1. Convert the decimal representation of the subnet mask to a binary representation.
2. Count each “1” in the subnet mask. The total is the subnet mask number.
For example, to write the IPv4 address 192.168.42.23 with a subnet mask of 255.255.255.0 in slash
notation:
1. Convert the subnet mask to binary.
In this example, the binary representation of 255.255.255.0 is:
11111111.11111111.11111111.00000000.
2. Count each 1 in the subnet mask.
In this example, there are twenty-four (24).
3. Write the original IP address, a forward slash (/), and then the number from Step 2.
The result is 192.168.42.23/24.
This table shows common network masks and their equivalents in slash notation.

Network Mask      Slash Equivalent
255.0.0.0         /8
255.255.0.0       /16
255.255.255.0     /24
255.255.255.128   /25
255.255.255.192   /26
255.255.255.224   /27
255.255.255.240   /28
255.255.255.248   /29
255.255.255.252   /30
IPv6
In IPv6, slash notation is used to represent the network identifier prefix for an IPv6 network. The prefix
is expressed as a slash (/) followed by the prefix size, which is a decimal number between 1 and 128.
CIDR notation works the same way as for IPv4: a /48 prefix means that the first 48 bits of the address
are the network prefix.
This table shows common IPv6 network prefixes and the number of IPv6 subnets and IPv6 addresses
they support.
Prefix   Number of Subnets
/64      1 IPv6 subnet with up to 18,446,744,073,709,551,616 IPv6 host addresses
/56      256 /64 subnets
/48      65,536 /64 subnets
A network site that is assigned a /48 prefix can use prefixes in the range /49 to /64 to define valid
subnets.
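An added Python example (not from this guide) that carries out the three-step IPv4 conversion described under About Slash Notation, reverses it, reproduces the IPv4 mask table, and computes the subnet and host counts in the IPv6 prefix table above. It also rejects a non-contiguous mask such as 255.255.0.255, which the counting step alone would silently accept as /24; the sample values are the guide's own.

```python
# Added example (not from the WatchGuard guide): mask <-> slash conversion
# for IPv4 and the prefix arithmetic behind the IPv6 table.


def mask_to_prefix(mask):
    """Steps 1 and 2 of the guide: write the mask in binary, count the 1s.
    Additionally verify the 1s are contiguous from the left, i.e. that the
    string is really a netmask and not a typo."""
    octets = [int(o) for o in mask.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad mask {mask!r}")
    value = int.from_bytes(bytes(octets), "big")
    binary = f"{value:032b}"                      # step 1: binary form
    prefix = binary.count("1")                    # step 2: count the 1 bits
    if binary != "1" * prefix + "0" * (32 - prefix):
        raise ValueError(f"{mask} is not a contiguous netmask")
    return prefix


def prefix_to_mask(prefix):
    """Reverse conversion: /24 -> 255.255.255.0."""
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix must be 0..32")
    value = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str(b) for b in value.to_bytes(4, "big"))


def to_slash(addr, mask):
    """Step 3: address, slash, prefix length -> '192.168.42.23/24'."""
    return f"{addr}/{mask_to_prefix(mask)}"


def ipv6_subnets(site_prefix, subnet_prefix=64):
    """How many /subnet_prefix networks fit inside a /site_prefix."""
    if not 1 <= site_prefix <= subnet_prefix <= 128:
        raise ValueError("need 1 <= site prefix <= subnet prefix <= 128")
    return 2 ** (subnet_prefix - site_prefix)


def ipv6_hosts(prefix):
    """Interface IDs available in one IPv6 prefix: 2^(128 - prefix)."""
    if not 1 <= prefix <= 128:
        raise ValueError("IPv6 prefix must be 1..128")
    return 2 ** (128 - prefix)


TABLE_MASKS = ("255.0.0.0", "255.255.0.0", "255.255.255.0", "255.255.255.128",
               "255.255.255.192", "255.255.255.224", "255.255.255.240",
               "255.255.255.248", "255.255.255.252")

if __name__ == "__main__":
    print(to_slash("192.168.42.23", "255.255.255.0"))      # 192.168.42.23/24
    for m in TABLE_MASKS:
        print(f"{m:<16} /{mask_to_prefix(m)}")
    print(ipv6_subnets(56), "/64 subnets in a /56")          # 256
    print(ipv6_subnets(48), "/64 subnets in a /48")          # 65536
    print(f"{ipv6_hosts(64):,} host addresses in a /64")    # 18,446,744,073,709,551,616
```

The contiguity check is the practical addition: a mask typed as 255.255.0.255 has 24 one-bits and would convert to /24 by counting alone, but it does not describe any valid subnet, so a conversion that accepts it will quietly produce a policy that matches the wrong hosts.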
About Entering Addresses
IPv4 Addresses
When you type IPv4 addresses in the Quick Setup Wizard or dialog boxes, type the digits and
decimals in the correct sequence. Do not use the TAB key, arrow keys, spacebar, or mouse to put your
cursor after the decimals.
For example, if you type the IP address 172.16.1.10, do not type a space after you type 16. Do not try
to put your cursor after the subsequent decimal to type 1. Type a decimal directly after 16, and then
type 1.10. Press the slash (/) key to move to the netmask.
IPv6 Addresses
When you type IPv6 addresses in a text box, simply type the IP address with the colons to separate
each group of numbers in the address. To shorten an IP address, you can remove leading zeros in each
group of numbers and you can use a double colon (::) to replace adjacent groups of zeros in the
address.
For more information about IPv6 addresses, see About IP Addresses.
Static and Dynamic IP Addresses
ISPs (Internet service providers) assign an IP address to each device on their network. The IP address
can be static or dynamic.
Static IP Addresses
A static IP address is an IP address that always stays the same. If you have a web server, FTP
server, or other Internet resource that must have an address that cannot change, you can get a static
IP address from your ISP. A static IP address is usually more expensive than a dynamic IP address,
and some ISPs do not supply static IP addresses. You must configure a static IP address manually.
Dynamic IP Addresses
A dynamic IP address is an IP address that an ISP lets you use temporarily. If a dynamic address is
not in use, it can be automatically assigned to a different device. Dynamic IP addresses are assigned
using either DHCP or PPPoE.
About DHCP
Dynamic Host Configuration Protocol (DHCP) is an Internet protocol that computers on a network use
to get IP addresses and other information such as the default gateway. When you connect to the
Internet, a computer configured as a DHCP server at the ISP automatically assigns you an IP address.
It could be the same IP address you had before, or it could be a new one. When you close an Internet
connection that uses a dynamic IP address, the ISP can assign that IP address to a different
customer.
You can configure your XTM device as a DHCP server for networks behind the device. You assign a
range of addresses for the DHCP server to use.
About PPPoE
Some ISPs assign IP addresses through Point-to-Point Protocol over Ethernet (PPPoE). PPPoE adds
some of the features of Ethernet and PPP to a standard dial-up connection. This network protocol
allows the ISP to use the billing, authentication, and security systems of their dial-up infrastructure
with DSL modem and cable modem products.
About DNS (Domain Name System)
You can frequently find the address of a person you do not know in the telephone directory. On the
Internet, the equivalent of a telephone directory is the DNS (Domain Name System). DNS is a network
of servers that translate numeric IP addresses into readable Internet addresses, and vice versa. DNS
takes the friendly domain name you type when you want to see a particular web site, such as
www.example.com, and finds the equivalent IP address, such as 203.0.113.2. Network devices need
the actual IP address to find the web site, but domain names are much easier for users to type and
remember than IP addresses.
A DNS server is a server that performs this translation. Many organizations have a private DNS server
in their network that responds to DNS requests. You can also use a DNS server on your external
network, such as a DNS server provided by your ISP (Internet Service Provider).
About Firewalls
A network security device, such as a firewall, separates your internal networks from external network
connections to decrease the risk of an external attack. The figure below shows how a firewall protects
the computers on a trusted network from the Internet.
Firewalls use access policies to identify and filter different types of information. They can also control
which policies or ports the protected computers can use on the Internet (outbound access). For
example, many firewalls have sample security policies that allow only specified traffic types. Users
can select the policy that is best for them. Other firewalls, such as XTM devices, allow the user to
customize these policies.
For more information, see About Services and Policies on page 9 and About Ports on page 10.
Firewalls can be in the form of hardware or software. A firewall protects private networks from
unauthorized users on the Internet. Traffic that enters or leaves the protected networks is examined by
the firewall. The firewall denies network traffic that does not match the security criteria or policies.
In some closed, or default-deny, firewalls, all network connections are denied unless there is a specific
rule to allow the connection. To deploy this type of firewall, you must have detailed information about
the network applications required to meet the needs of your organization. Other firewalls allow all
network connections that have not been explicitly denied. This type of open firewall is easier to deploy,
but it is not as secure.
About Services and Policies
You use a service to send different types of data (such as email, files, or commands) from one
computer to another across a network or to a different network. These services use protocols.
Frequently used Internet services are:
• World Wide Web access uses Hypertext Transfer Protocol (HTTP)
• Email uses Simple Mail Transfer Protocol (SMTP) or Post Office Protocol (POP3)
• File transfer uses File Transfer Protocol (FTP)
• Resolving a domain name to an Internet address uses Domain Name Service (DNS)
• Remote terminal access uses Telnet or SSH (Secure Shell)
When you allow or deny a service, you must add a policy to your XTM device configuration. Each
policy you add can also add a security risk. To send and receive data, you must open a door in your
computer, which puts your network at risk. We recommend that you add only the policies that are
necessary for your business.
As an example of how you can use a policy, suppose the network administrator of a company wants to
activate a Windows terminal services connection to the company’s public web server on the optional
interface of the XTM device. He or she routinely administers the web server with a Remote Desktop
connection. At the same time, he or she wants to make sure that no other network users can use the
Remote Desktop Protocol terminal services through the XTM device. The network administrator would
add a policy that allows RDP connections only from the IP address of his or her own desktop computer
to the IP address of the public web server.
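An added example (not from this guide) that models the administrator's RDP policy above as a small default-deny policy evaluator in Python, and contrasts it with the open, default-allow behaviour described under About Firewalls. TCP port 3389 is the standard Remote Desktop port; the host addresses, policy names and the second HTTP policy are constructed for the example, not taken from the guide.

```python
# Added example (not from the WatchGuard guide): a minimal first-match,
# default-deny policy evaluator for the RDP scenario in the text.
# Addresses and policy names are constructed.
from dataclasses import dataclass

RDP_PORT = 3389  # standard Remote Desktop Protocol port (TCP)


@dataclass(frozen=True)
class Policy:
    name: str
    proto: str          # "tcp" or "udp"
    port: int           # destination port the policy covers
    src: str            # "any" or one IPv4 address
    dst: str            # "any" or one IPv4 address
    action: str         # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def matches(policy, pkt):
    """A policy matches when protocol, port, source and destination all fit."""
    return (policy.proto == pkt.proto and policy.port == pkt.dport
            and policy.src in ("any", pkt.src)
            and policy.dst in ("any", pkt.dst))


def evaluate(policies, pkt, default="deny"):
    """First matching policy wins; with no match the firewall default applies.
    A closed (default-deny) firewall uses default='deny'; an open one 'allow'.
    Returns (action, name of the policy that decided)."""
    for p in policies:
        if matches(p, pkt):
            return p.action, p.name
    return default, "<default>"


def exposed_ports(policies):
    """Ports any source may reach: each one is a door the text warns about."""
    return {(p.proto, p.port) for p in policies
            if p.action == "allow" and p.src == "any"}


# Constructed scenario: the administrator's desktop on the trusted network and
# the public web server on the optional network.
ADMIN_PC = "10.0.1.10"
WEB_SERVER = "10.0.2.80"
POLICIES = [
    Policy("Admin-RDP", "tcp", RDP_PORT, ADMIN_PC, WEB_SERVER, "allow"),
    Policy("HTTP-In", "tcp", 80, "any", WEB_SERVER, "allow"),
]


def decide(src, dst, dport, proto="tcp", default="deny"):
    """Convenience wrapper returning only the action for the scenario policies."""
    return evaluate(POLICIES, Packet(proto, src, dst, dport), default)[0]


if __name__ == "__main__":
    print(decide(ADMIN_PC, WEB_SERVER, RDP_PORT))        # allow: the admin's own desktop
    print(decide("10.0.1.55", WEB_SERVER, RDP_PORT))     # deny:  any other internal host
    print(decide("203.0.113.7", WEB_SERVER, 80))         # allow: public web traffic
    # The same unmatched RDP attempt on an open, default-allow firewall:
    print(decide("10.0.1.55", WEB_SERVER, RDP_PORT, default="allow"))  # allow
    print(exposed_ports(POLICIES))                       # {('tcp', 80)}
```

Because the evaluator is first-match, the order of the list is part of the policy: a broad allow placed above a narrow deny silently wins, which is the same review you make when reading a policy list in the Web UI.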
When you configure your XTM device with the Quick Setup Wizard, the wizard adds only limited
outgoing connectivity. If you have more software applications and network traffic for your XTM device
to examine, you must:
• Configure the policies on your XTM device to pass through necessary traffic
• Set the approved hosts and properties for each policy
• Balance the requirement to protect your network against the requirements of your users to get access to external resources
About Ports
Although computers have hardware ports you use as connection points, ports are also numbers used
to map traffic to a particular process on a computer. These ports, also called TCP and UDP ports, are
where programs transmit data. If an IP address is like a street address, a port number is like an
apartment unit number or building number within that street address. When a computer sends traffic
over the Internet to a server or another computer, it uses an IP address to identify the server or remote
computer, and a port number to identify the process on the server or computer that receives the data.
For example, suppose you want to see a particular web page. Your web browser attempts to create a
connection on port 80 (the port used for HTTP traffic) for each element of the web page. When your
browser receives the data it requests from the HTTP server, such as an image, it closes the
connection.
Many ports are used for only one type of traffic, such as port 25 for SMTP (Simple Mail Transfer
Protocol). Some protocols, such as SMTP, have ports with assigned numbers. Other programs are
assigned port numbers dynamically for each connection. The IANA (Internet Assigned Numbers
Authority) keeps a list of well-known ports. You can see this list at:
http://www.iana.org/assignments/port-numbers
Most policies you add to your XTM device configuration have a port number between 0 and 1024, but
possible port numbers can be from 0 to 65535.
Ports are either open or closed. If a port is open, your computer accepts information and uses the
protocol identified with that port to create connections to other computers. However, an open port is a
security risk. To protect against risks created by open ports, you can block ports used by hackers to
attack your network. For more information, see About Blocked Ports on page 733.
The XTM Device and Your Network
Your XTM device is a powerful network security device that controls all traffic between the external
network and the trusted network. If computers with mixed trust connect to your network, you can also
configure an optional network interface that is separate from the trusted network. You can then
configure the firewall on your device to stop all suspicious traffic from the external network to your
trusted and optional networks. If you route all traffic for the mixed trust computers through your optional
network, you can increase the security of those connections and add more flexibility to your security
solution. For example, customers frequently use the optional network for their remote users or for
public servers such as a web server or an email server.
Some customers who purchase an XTM device do not know a lot about computer networks or network
security. Fireware XTM Web UI (web-based user interface) provides many self-help tools for these
customers. Advanced customers can use the advanced integration and multiple WAN support features
of the Fireware XTM OS with a Pro upgrade to connect an XTM device to a larger wide area network.
The XTM device connects to a cable modem, DSL modem, or ISDN router.
You can use the Web UI to safely manage your network security settings from different locations at
any time. This gives you more time and resources to use on other components of your business.
2  Introduction to Fireware XTM
About Fireware XTM
Fireware XTM gives you an easy and efficient way to view, manage, and monitor each XTM device in
your network. The Fireware XTM solution includes four software applications:
• WatchGuard System Manager (WSM)
• Fireware XTM Web UI
• Fireware XTM Command Line Interface (CLI)
• WatchGuard Server Center
You can use one or more of the Fireware XTM applications to configure your network for your
organization. For example, if you have only one XTM 2 Series device, you can perform most
configuration tasks with Fireware XTM Web UI or Fireware XTM Command Line Interface. However,
for more advanced logging and reporting features, you must use WatchGuard Server Center. If you
manage more than one XTM device, or if you have purchased Fireware XTM with a Pro upgrade, we
recommend that you use WatchGuard System Manager (WSM). If you choose to manage and monitor
your configuration with Fireware XTM Web UI, there are some features that you cannot configure.
For more information about these limitations, see Limitations of Fireware XTM Web UI on page 36.
For more information on how to connect to your XTM device with WatchGuard System Manager or
Fireware XTM Command Line Interface, see the Help or User Guide for those products. You can view
and download the most current documentation for these products on the Fireware XTM Product
Documentation page at http://www.watchguard.com/help/documentation/xtm.asp.
Fireware XTM Components
To start WatchGuard System Manager or WatchGuard Server Center from your Windows desktop,
select the shortcut from the Start Menu. You can also start WatchGuard Server Center from an icon in
the System Tray. From these applications, you can launch other tools that help you manage your
network. For example, from WatchGuard System Manager (WSM), you can launch Policy Manager or
HostWatch.
WatchGuard System Manager
WatchGuard System Manager (WSM) is the primary application for network management with your
XTM device. You can use WSM to manage many different XTM devices, even those that use different
software versions. WSM includes a comprehensive suite of tools to help you monitor and control
network traffic.
Policy Manager
You can use Policy Manager to configure your firewall. Policy Manager includes a full set of preconfigured packet filters, proxy policies, and application layer gateways (ALGs). You can also
make a custom packet filter, proxy policy, or ALG in which you set the ports, protocols, and
other options. Other features of Policy Manager help you to stop network intrusion attempts,
such as SYN Flood attacks, spoofing attacks, and port or address space probes.
Firebox System Manager (FSM)
Firebox System Manager gives you one interface to monitor all components of your XTM
device. From FSM, you can see the real-time status of your XTM device and its configuration.
HostWatch
HostWatch is a real-time connection monitor that shows network traffic between different XTM
device interfaces. HostWatch also shows information about users, connections, ports, and
services.
Log Manager
Log Manager is the WatchGuard WebCenter tool you use to see log file data collected from your
WatchGuard servers and your XTM devices.
Report Manager
Report Manager is the WatchGuard WebCenter tool you use to see Available Reports and to
generate On-Demand reports of the data collected from your Log Servers for all your XTM
devices.
CA Manager
The Certificate Authority (CA) Manager shows a complete list of security certificates installed
on your management computer with Fireware XTM. You can use this application to import,
configure, and generate certificates for use with VPN tunnels and other authentication
purposes.
WatchGuard Server Center
WatchGuard Server Center is the application where you configure and monitor all your WatchGuard
servers.
Management Server
The Management Server operates on a Windows computer. With this server, you can manage
all firewall devices and create virtual private network (VPN) tunnels using a simple drag-and-drop function. The basic functions of the Management Server are:
• Certificate authority to distribute certificates for Internet Protocol Security (IPSec) tunnels
• VPN tunnel configuration management
• Management for multiple XTM devices
Log Server
The Log Server collects log messages from each XTM device. These log messages are
encrypted when they are sent to the Log Server. The log message format is XML (plain text).
The information collected from firewall devices includes these log messages: traffic, event,
alarm, debug (diagnostic), and statistic.
Report Server
The Report Server periodically consolidates data collected by your Log Servers from your XTM
devices, and then periodically generates reports. Once the data is on the Report Server, you
can use Report Manager to generate and see reports.
Quarantine Server
The Quarantine Server collects and isolates email messages that spamBlocker suspects to be
email spam, or emails that are suspected to have a virus.
For more information, see About the Quarantine Server on page 1263.
WebBlocker Server
The WebBlocker Server operates with the XTM device HTTP proxy to deny user access to
specified categories of web sites. When you configure your XTM device, you specify the
categories of web sites to allow or block.
For more information on WebBlocker and the WebBlocker Server, see About WebBlocker on
page 1125.
Fireware XTM Web UI and Command Line Interface
Fireware XTM Web UI and the Command Line Interface are alternative management solutions that can
perform most of the same tasks as WatchGuard System Manager and Policy Manager. Some
advanced configuration options and features are not available in Fireware XTM Web UI or the
Command Line Interface.
For more information, see About Fireware XTM Web UI on page 35.
Fireware XTM with a Pro Upgrade
The Pro upgrade to Fireware XTM provides several advanced features for experienced customers,
such as server load balancing and additional SSL VPN tunnels. The features available with a Pro
upgrade depend on the type and model of your XTM device.
If you have an XTM 330, 5 Series (models 515, 525, 535, 545), 8 Series, 1050, 1520, 2050, or 2520
device, your device has Fireware XTM with a Pro upgrade by default. If you have an XTM 2 Series or 5
Series (models 505, 510, 520, 530) device, you can purchase Fireware XTM with a Pro upgrade for
your device.
Feature                        | XTM 2 Series (Pro)¹ | XTM 3 Series and 330 (Pro)¹ | XTM 5 Series (Pro)¹ | XTM 8 Series, 800 Series, 1050, 1500 Series, 2050, and 2500 Series, XTMv (Pro)
FireCluster²
Maximum VLANs
Dynamic Routing (OSPF and BGP)
Policy-Based Routing
Server Load Balancing
Maximum SSL VPN Tunnels
Multi-WAN Failover
Multi-WAN Load Balancing
¹ To purchase Fireware XTM with a Pro upgrade for an XTM 2 or 5 Series device, contact your local reseller.
² The FireCluster feature is available for XTM 25 and XTM 26 (active/passive only for wireless models).
Fireware XTM on an XTMv Device
A WatchGuard XTMv device runs as a virtual machine in a VMware ESXi or Microsoft Hyper-V
environment. It does not run on WatchGuard XTM device hardware. You can use Fireware XTM Web
UI, WatchGuard System Manager, and Fireware XTM Command Line Interface (CLI) to configure and
monitor your WatchGuard XTMv device. Though you can use any of these programs to change an
XTMv device configuration file, there are several Fireware XTM features you cannot use on a
WatchGuard XTMv device.
XTMv Device Limitations
These features are not supported on WatchGuard XTMv devices:
• FireCluster
• Hardware diagnostics — The CLI diagnose hardware command
• Connect a USB drive to automatically create a support snapshot
• Connect a USB drive to automatically restore a saved backup image
• Use the device front panel buttons to start the device in safe mode or recovery mode
  You can use the CLI command restore factory-default to start the device with factory default
  settings.
• Features that require the switch be configured in promiscuous mode are not supported for XTMv
  on Hyper-V
For information about CLI commands, see the Fireware XTM Command Line Interface Reference on
the Product Documentation page at http://www.watchguard.com/help/documentation/.
Virtual Switch Configuration
To work correctly, some Fireware XTM networking features require that you configure the virtual
switch on your network in promiscuous mode. These features are:
• Bridge mode network configuration
• Network bridge
• Mobile VPN with SSL with the Bridged VPN Traffic setting
To use these features on an XTMv device in an ESXi environment, configure the vSwitch in
promiscuous mode. Virtual switches in Microsoft Hyper-V do not support promiscuous mode, so these
features are not supported in a Hyper-V environment.
To use multiple VLANs on a single interface on an XTMv device in an ESXi environment, configure the
vSwitch for the XTMv VLAN interface to use VLAN ID 4095 (All).
Hyper-V Virtual Adapter Configuration
Hyper-V supports two types of virtual adapters:
• Network adapters (Hyper-V supports a maximum of 8)
• Legacy network adapters (Hyper-V supports a maximum of 4)
Though all XTMv editions support a maximum of 10 interfaces, the maximum number of interfaces you
can configure for an XTMv virtual machine in a Hyper-V environment is eight, because that is the
maximum number of network adapters Hyper-V supports. XTMv does not support the use of legacy
network adapters.
XTMv Device Installation
You must deploy the XTMv device in the ESXi or Hyper-V environment before you can configure the
XTMv virtual machine.
For detailed steps to set up an XTMv device, see the WatchGuard XTMv Setup Guide available on
the Product Documentation page at http://www.watchguard.com/help/documentation/.
FIPS Support in Fireware XTM
The Federal Information Processing Standards Publication 140-2, Security Requirements for
Cryptographic Modules (FIPS 140-2), describes the United States Federal Government requirements
for cryptographic modules.
WatchGuard XTM devices are designed to meet the overall requirements for FIPS 140-2 Level 2 security
when configured in a FIPS-compliant manner.
About FIPS Mode
You must use the Command Line Interface (CLI) to enable FIPS mode on an XTM device. When the
XTM device operates in FIPS mode, each time the device is powered on, it runs a set of self-tests
required by the FIPS 140-2 specification. If any of the tests fail, the XTM device writes a message to
the log file and shuts down.
For more information about the CLI commands, see the Command Line Interface Reference at
http://www.watchguard.com/help/documentation.
If you start the device in safe mode or recovery mode, the device does not operate in FIPS mode.
FIPS Mode Operation and Constraints
The XTM device does not operate in FIPS mode by default.
To use your XTM device in FIPS mode:
• Type the CLI command fips enable to enable FIPS mode operation.
• Configure the Admin and Status administrative accounts to use passwords with a minimum of 8
  characters.
• When you configure VPN tunnels, you must choose only FIPS-approved authentication and
  encryption algorithms (SHA-1, SHA-256, SHA-512, 3DES, AES-128, AES-192, AES-256).
• When you configure VPN tunnels, you must choose Diffie-Hellman Group 2 or Group 5 for IKE
  Phase 1 negotiation. Use a minimum of 1024 bits for all RSA keys.
• Do not configure FireCluster for high availability.
• Do not use Mobile VPN with PPTP.
• Do not use PPPoE.
• Do not use WatchGuard System Manager to manage the XTM device.
• For access to Fireware XTM Web UI, the web browser must be configured to use only TLS 1.0
  and FIPS approved cipher suites.
• For network access to the CLI, telnet and SSH clients must use SSH V2.0 protocol.
To determine if the XTM device has FIPS mode enabled, type the CLI command show fips.
When you use an XTM device in FIPS mode, your use of the device is subject to these limitations. We
recommend that you consider your requirements carefully before you decide to operate your
XTM device in FIPS mode. In some environments you could be required to use a FIPS-compliant
device, but you might not have to configure the device in a FIPS-compliant manner.
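As an added example that is not WatchGuard's code, the checks below test a constructed configuration summary against the FIPS mode constraints listed above, so the review of a proposed configuration can be repeated before FIPS mode is enabled. The dictionary layout, key names and sample values are assumptions made for this example.

```python
# Constructed configuration summary; the dictionary layout and every value in it
# are assumptions for this example, not a Fireware XTM configuration format.
FIPS_AUTH = {"SHA-1", "SHA-256", "SHA-512"}
FIPS_ENCRYPTION = {"3DES", "AES-128", "AES-192", "AES-256"}
FIPS_IKE_DH_GROUPS = {2, 5}
MIN_PASSPHRASE_LENGTH = 8
MIN_RSA_BITS = 1024
# Features the guide says must not be used in FIPS mode.
FORBIDDEN_FEATURES = {
    "firecluster": "FireCluster",
    "mobile_vpn_pptp": "Mobile VPN with PPTP",
    "pppoe": "PPPoE",
    "wsm_management": "WatchGuard System Manager management",
}


def fips_findings(cfg):
    """Return the constraints the configuration violates; an empty list means none found."""
    findings = []
    for account in ("admin", "status"):
        if len(cfg["passphrases"].get(account, "")) < MIN_PASSPHRASE_LENGTH:
            findings.append(f"{account} passphrase is shorter than {MIN_PASSPHRASE_LENGTH} characters")
    for tunnel in cfg.get("vpn_tunnels", []):
        name = tunnel["name"]
        if tunnel["auth"] not in FIPS_AUTH:
            findings.append(f"tunnel {name}: authentication {tunnel['auth']} is not FIPS-approved")
        if tunnel["encryption"] not in FIPS_ENCRYPTION:
            findings.append(f"tunnel {name}: encryption {tunnel['encryption']} is not FIPS-approved")
        if tunnel["ike_phase1_dh_group"] not in FIPS_IKE_DH_GROUPS:
            findings.append(f"tunnel {name}: IKE Phase 1 must use Diffie-Hellman Group 2 or 5")
    for key in cfg.get("rsa_keys", []):
        if key["bits"] < MIN_RSA_BITS:
            findings.append(f"RSA key {key['name']}: {key['bits']} bits is below the {MIN_RSA_BITS}-bit minimum")
    for feature, label in FORBIDDEN_FEATURES.items():
        if cfg.get("features", {}).get(feature, False):
            findings.append(f"{label} must not be used in FIPS mode")
    if cfg.get("cli_ssh_protocol_version") != 2:
        findings.append("network access to the CLI must use SSH protocol version 2")
    return findings


# Constructed sample with several deliberate violations (MD5, DES, DH group 1,
# a 512-bit key, FireCluster and PPPoE enabled, a short status passphrase).
SAMPLE_CONFIG = {
    "passphrases": {"admin": "readwrite", "status": "short"},
    "vpn_tunnels": [
        {"name": "to-branch", "auth": "SHA-256", "encryption": "AES-256", "ike_phase1_dh_group": 5},
        {"name": "to-partner", "auth": "MD5", "encryption": "DES", "ike_phase1_dh_group": 1},
    ],
    "rsa_keys": [{"name": "vpn-cert", "bits": 512}],
    "features": {"firecluster": True, "mobile_vpn_pptp": False, "pppoe": True, "wsm_management": False},
    "cli_ssh_protocol_version": 2,
}

if __name__ == "__main__":
    for finding in fips_findings(SAMPLE_CONFIG):
        print("-", finding)
```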
3  Service and Support
About WatchGuard Support
WatchGuard® knows just how important support is when you must secure your network with limited
resources. Our customers require greater knowledge and assistance in a world where security is
critical. LiveSecurity® Service gives you the backup you need, with a subscription that supports you
as soon as you register your XTM device.
LiveSecurity Service
Your XTM device includes a subscription to our ground-breaking LiveSecurity Service, which you
activate online when you register your product. As soon as you activate, your LiveSecurity Service
subscription gives you access to a support and maintenance program unmatched in the industry.
LiveSecurity Service comes with the following benefits:
Hardware Warranty with Advance Hardware Replacement
An active LiveSecurity subscription extends the one-year hardware warranty that is included
with each XTM device. Your subscription also provides advance hardware replacement to
minimize downtime in case of a hardware failure. If you have a hardware failure, WatchGuard
will ship a replacement unit to you before you have to send back the original hardware.
Software Updates
Your LiveSecurity Service subscription gives you access to updates to current software and
functional enhancements for your WatchGuard products.
Technical Support
When you need assistance, our expert teams are ready to help:
• Representatives available from 6am - 6pm Monday through Friday your local time zone*
• Access to online user forums moderated by senior support engineers
Support Resources and Alerts
Your LiveSecurity Service subscription gives you access to a variety of professionally produced
instructional videos, interactive online training courses, and online tools specifically designed to
answer questions you may have about network security in general or the technical aspects of
installation, configuration, and maintenance of your WatchGuard products.
Our Rapid Response Team, a dedicated group of network security experts, monitors the
Internet to identify emerging threats. They then deliver LiveSecurity Broadcasts to tell you
specifically what you can do to address each new menace. You can customize your alert
preferences to fine-tune the kind of advice and alerts the LiveSecurity Service sends you.
LiveSecurity Service Gold
LiveSecurity Service Gold is available for companies that require 24-hour availability. This premium
support service gives expanded hours of coverage and faster response times for around-the-clock
remote support assistance. LiveSecurity Service Gold is required on each unit in your organization for
full coverage.
Service Features                                    | LiveSecurity Service                                                                                       | LiveSecurity Service Gold
Technical Support hours                             | 6AM–6PM, Monday–Friday*                                                                                    | 24/7
Number of support incidents (online or by phone)    | 5 per year                                                                                                 | Unlimited
Targeted initial response time                      | Support incidents are handled in the order received, with higher priority given to higher severity issues. | 1 hour
Interactive support forum                           | Yes                                                                                                        | Yes
Software updates                                    | Yes                                                                                                        | Yes
Online self-help and training tools                 | Yes                                                                                                        | Yes
LiveSecurity broadcasts                             | Yes                                                                                                        | Yes
Installation Assistance                             | Optional                                                                                                   | Optional
Three-incident support package                      | Optional                                                                                                   | N/A
One-hour, single incident priority response upgrade | Optional                                                                                                   | N/A
Single incident after-hours upgrade                 | Optional                                                                                                   | N/A
* In the Asia Pacific region, standard support hours are 9AM–9PM, Monday–Friday (GMT +8).
Service Expiration
To secure your organization, we recommend that you keep your LiveSecurity subscription active.
When your subscription expires, you lose up-to-the-minute security warnings and regular software
updates. This loss can put your network at risk. Damage to your network is much more expensive than
a LiveSecurity Service subscription renewal. If you renew within 30 days, there is no reinstatement
fee.
4  Getting Started
Before You Begin
Before you begin the installation process, make sure you complete the tasks described in the
subsequent sections.
In these installation instructions, we assume your XTM device has one trusted, one
external, and one optional interface configured. To configure additional interfaces on
your device, use the configuration tools and procedures described in the Network
Setup and Configuration topics.
Verify Basic Components
Make sure that you have these items:
• A computer with a 10/100BaseT Ethernet network interface card and a web browser installed
• A WatchGuard XTM device
• A serial cable (blue)
• One crossover Ethernet cable (red)
• One straight Ethernet cable (green)
• Power cable or AC power adapter
Get an XTM Device Feature Key
To enable all of the features on your XTM device, you must register the device on the WatchGuard web
site and get your feature key. If you register your XTM device before you use the Quick Setup Wizard,
you can paste a copy of your feature key in the wizard. The wizard then applies it to your device. If you
do not paste your feature key into the wizard, you can still finish the wizard. Until you add your feature
key, the XTM device allows only one connection to an external network, such as the Internet.
You also get a new feature key to enable optional products or services when you purchase them. After
you register your XTM device or any new feature, you can synchronize your XTM device feature key
with the feature keys kept in your registration profile on the WatchGuard web site. You can use
Fireware XTM Web UI at any time to get your feature key.
To learn how to activate your XTM device and get a feature key, see Get a Feature Key for Your
XTM Device on page 61.
Gather Network Addresses
We recommend that you record your network information before and after you configure your XTM
device. Use the first table below for your network IP addresses before you put the device into
operation. For information about how to identify your network IP addresses, see Identify Your Network
Settings on page 39.
WatchGuard uses slash notation to show the subnet mask. For more information, see About Slash
Notation on page 5. For more information on IP addresses, see About IP Addresses on page 3.
Table 1: Network IP addresses without the XTM device
Wide Area Network                 _____._____._____._____ / ____
Default Gateway                   _____._____._____._____
Local Area Network                _____._____._____._____ / ____
Secondary Network (if applicable) _____._____._____._____ / ____
Public Server(s) (if applicable)  _____._____._____._____
                                  _____._____._____._____
                                  _____._____._____._____
Use the second table for your network IP addresses after you put the XTM device into operation.
External interface
Connects to the external network (typically the Internet) that is not trusted.
Trusted interface
Connects to the private LAN (local area network) or internal network that you want to protect.
Optional interface(s)
Usually connects to a mixed trust area of your network, such as servers in a DMZ (demilitarized
zone). You can use optional interfaces to create zones in the network with different levels of
access.
Table 2: Network IP addresses with the XTM device
Default Gateway                   _____._____._____._____
External Interface                _____._____._____._____ / ____
Trusted Interface                 _____._____._____._____ / ____
Optional Interface                _____._____._____._____ / ____
Secondary Network (if applicable) _____._____._____._____ / ____
Select a Firewall Configuration Mode
You must decide how you want to connect the XTM device to your network before you run the Quick
Setup Wizard. The way you connect the device controls the interface configuration. When you connect
the device, you select the configuration mode—routed or drop-in—that is best suited to your current
network.
Many networks operate best with mixed routing configuration, but we recommend the drop-in mode if:
• You have already assigned a large number of static IP addresses and do not want to change
  your network configuration.
• You cannot configure the computers on your trusted and optional networks that have public IP
  addresses with private IP addresses.
This table and the descriptions below the table show three conditions that can help you to select a
firewall configuration mode.
Mixed Routing Mode | Drop-in Mode
All of the XTM device interfaces are on different networks. | All of the XTM device interfaces are on the same network and have the same IP address.
Trusted and optional interfaces must be on different networks. Each interface has an IP address on its network. | The computers on the trusted or optional interfaces can have a public IP address.
Use static NAT (network address translation) to map public addresses to private addresses behind the trusted or optional interfaces. | NAT is not necessary because the computers that have public access have public IP addresses.
For more information about drop-in mode, see Drop-In Mode on page 136.
For more information about mixed routing mode, see Mixed Routing Mode on page 114.
The XTM device also supports a third configuration mode called bridge mode. This mode is less
commonly used. For more information about bridge mode, see Bridge Mode on page 142.
You can use the Web Setup Wizard or the WSM Quick Setup Wizard to create your
initial configuration. When you run the Web Setup Wizard, the firewall configuration is
automatically set to mixed routing mode. When you run the WSM Quick Setup
Wizard, you can configure the device in mixed routing mode or drop-in mode.
You can now start the Quick Setup Wizard. For more information, see About the Quick Setup Wizard
on page 28.
About the Quick Setup Wizard
You can use the Quick Setup Wizard to create a basic configuration for your XTM device. The device
uses this basic configuration file when it starts for the first time. This enables it to operate as a basic
firewall. You can use this same procedure at any time to reset the device to a new basic configuration.
This is helpful for system recovery.
When you configure your XTM device with the Quick Setup Wizard, you set only the basic policies
(TCP and UDP outgoing, FTP packet filter, ping, and WatchGuard) and interface IP addresses. If you
have more software applications and network traffic for the device to examine, you must:
• Configure the policies on the XTM device to let the necessary traffic through
• Set the approved hosts and properties for each policy
• Balance the requirement to protect your network against the requirements of your users to
  connect to external resources
For instructions to run the wizard from a web browser, see Run the Web Setup Wizard on page 29.
Run the Web Setup Wizard
You can use the Web Setup Wizard to set up a basic configuration on any WatchGuard XTM device.
The Web Setup Wizard automatically configures the XTM device for mixed routing mode.
To use the Web Setup Wizard, you must make a direct network connection to the XTM device and use
a web browser to start the wizard. When you configure your XTM device, it uses DHCP to send a new
IP address to your computer.
Before you start the Web Setup Wizard, make sure you:
• Register your XTM device with LiveSecurity Service
• Store a copy of your XTM device feature key in a text file on your computer
Start the Web Setup Wizard
1. Use the red crossover Ethernet cable that ships with your XTM device to connect the
management computer to interface number 1 of your XTM device. This is the trusted interface.
2. Connect the power cord to the XTM device power input and to a power source.
3. Start the XTM device in factory default mode. This is also known as safe mode.
For more information, see Reset an XTM Device on page 55.
4. Make sure your computer is configured to accept a DHCP-assigned IP address.
If your computer uses Windows XP:
   • In the Windows Start menu, select All Programs > Control Panel > Network
     Connections > Local Area Connections.
   • Click Properties.
   • Select Internet Protocol (TCP/IP) and click Properties.
   • Make sure Obtain an IP Address Automatically is selected.
For more detailed instructions, see Identify Your Network Settings on page 39.
5. If your browser uses an HTTP proxy server, you must temporarily disable the HTTP proxy
setting in your browser.
For more information, see Disable the HTTP Proxy in the Browser on page 43.
6. Open a web browser and type the factory default IP address of the trusted interface (interface
1), https://10.0.1.1:8080.
If you use Internet Explorer, make sure you type https:// at the start of the IP address. This
opens a secure HTTP connection between your management computer and the XTM device.
The Web Setup Wizard starts automatically.
7. Log in with the default administrator account credentials:
Username: admin
Passphrase: readwrite
8. Complete the subsequent screens of the wizard.
The Web Setup Wizard includes this set of dialog boxes. Some dialog boxes appear only if you
select certain configuration methods:
Login
Log in with the default administrator account credentials. For Username, select admin. For
Passphrase, use the passphrase: readwrite.
Welcome
The first screen tells you about the wizard.
Select a configuration type
Select whether to create a new configuration or restore a configuration from a saved
backup image.
License agreement
You must accept the license agreement to continue with the wizard.
Retrieve Feature Key, Apply Feature Key, Feature key options
If your XTM device does not already have a feature key the wizard provides options for you
to download or import a feature key. The wizard can only download a feature key if it has a
connection to the Internet. If you have downloaded a local copy of the feature key to your
computer, you can paste that into the setup wizard.
If the XTM device does not have an Internet connection while you run the wizard, and you
did not register the device and download the feature key to your computer before you
started the wizard, you can choose to not apply a feature key.
If you do not apply a feature key in the Web Setup Wizard you must register the
device and apply the feature key in the Fireware XTM Web UI. Functionality of the
device is limited until you apply a feature key.
Configure the External Interface of your Firebox
Select the method your ISP uses to assign your IP address. The choices are DHCP,
PPPoE or Static.
Configure the External Interface for DHCP
Type your DHCP identification as supplied by your ISP.
Configure the External Interface for PPPoE
Type your PPPoE information as supplied by your ISP.
Configure the External Interface with a static IP address
Type your static IP address information as supplied by your ISP.
Configure the DNS and WINS Servers
Type the Domain DNS and WINS server addresses you want the XTM device to use.
Configure the Trusted Interface of the Firebox
Type the IP address of the trusted interface. Optionally, you can enable the DHCP server
for the trusted interface.
Create passphrases for your device
Type a passphrase for the status (read only) and admin (read/write) management accounts
on the XTM device.
Enable remote management
Enable remote management if you want to manage this device from the external interface.
Add contact information for your device
You can type a device name, location, and contact information to save management
information for this device. By default, the device name is set to the model number of your
XTM device. We recommend that you choose a unique name that you can use to easily
identify this device, especially if you use remote management.
Set the Time Zone
Select the time zone where the XTM device is located.
The Quick Setup Wizard is complete
After you complete the wizard, the XTM device restarts.
If you leave the Web Setup Wizard idle for 15 minutes or more, you must go back to Step 3 and start
again.
If you change the IP address of the trusted interface, you must change your network
settings to make sure your IP address matches the subnet of the trusted network
before you connect to the XTM device. If you use DHCP, restart your computer. If
you use static addressing, see Use a Static IP Address on page 42.
After the Wizard Finishes
After you complete all screens in the wizard, the XTM device is configured with a basic configuration
that includes four policies (TCP outgoing, FTP packet filter, ping, and WatchGuard) and the interface
IP addresses you specified. You can use Fireware XTM Web UI to expand or change the configuration
for your XTM device.
• For information about how to complete the installation of your XTM device after the Web Setup Wizard is finished, see Complete Your Installation on page 37.
• For information about how to connect to Fireware XTM Web UI, see Connect to Fireware XTM Web UI on page 33.
If You Have Problems with the Wizard
If the Web Setup Wizard is unable to install the Fireware XTM OS on the XTM device, the wizard times
out. If you have problems with the wizard, check these things:
• The Fireware XTM OS file you downloaded from the WatchGuard web site could be corrupted. For an XTM device that has an LCD interface, the LCD interface can display the message File Truncate Error if the software image is corrupted. If this message appears, download the software again and try the wizard once more.
• If you use Internet Explorer 6, clear the file cache in your web browser and try again. To clear the cache, in Internet Explorer select Tools > Internet Options > Delete Files.
Connect to Fireware XTM Web UI
To connect to Fireware XTM Web UI, you use a web browser to go to the IP address of the XTM
device trusted or optional interface over the correct port number. Connections to the Web UI are
always encrypted with HTTPS, the same high-strength encryption used by banking and shopping web
sites. You must type https, not http, at the start of the URL in your browser's address bar.
By default, the port used for the Web UI is 8080. The URL to connect to the Web UI in your browser is:
https://<firebox-ip-address>:8080
Where <firebox-ip-address> is the IP address assigned to the trusted or optional interface. When you
make this connection, the browser loads the login prompt. The default URL for a WatchGuard XTM
device is:
https://10.0.1.1:8080
You can change the IP address of the trusted network to a different IP address. For more information,
see Common Interface Settings on page 145.
For example, to use the default URL to connect to an XTM 2 Series device:
1. Open your web browser and go to https://10.0.1.1:8080.
A security certificate notification appears in the browser.
2. When you see the certificate warning, click Continue to this website (IE 7) or Add Exception
(Firefox 3).
This warning appears because the certificate the XTM device uses is signed by the
WatchGuard certificate authority, which is not in the list of trusted authorities on your browser.
This warning appears each time you connect to the XTM device unless you
permanently accept the certificate, or generate and import a certificate for the device
to use. For more information, see About Certificates on page 793.
3. From the Username drop-down list, select the user name.
4. In the Passphrase text box, type the passphrase.
• If you selected the Username admin, type the configuration (read-write) passphrase.
• If you selected the Username status, type the status (read-only) passphrase.
By default, the XTM device configuration only allows connections to Fireware
XTM Web UI from the trusted and optional networks. To change the configuration to
allow connections to the Web UI from the external network, see Connect to Fireware
XTM Web UI from an External Network on page 34.
Connect to Fireware XTM Web UI from an External Network
The Fireware XTM device configuration has a policy called WatchGuard Web UI. This policy controls
which XTM device interfaces can connect to Fireware XTM Web UI. By default, this policy only allows
connections from Any-Trusted and Any-Optional networks. If you want to allow access to the Web
UI from the external network, you must edit the WatchGuard Web UI policy and add Any-External to
the From list.
In Fireware XTM Web UI:
1. Select Firewall > Firewall Policies.
2. Double-click the WatchGuard Web UI policy to edit it.
3. Select the Policy tab.
4. In the From section, click Add.
5. Select Any-External.
6. Click OK.
7. Click Save.
About Fireware XTM Web UI
With Fireware XTM Web UI, you can monitor and manage any device that runs Fireware XTM OS. You
do not have to install any extra software on your computer. The only software you must have is a
browser with support for Adobe Flash Player v9 or later.
Because there is no software to install, you can use the Web UI from any computer that has TCP/IP
connectivity and a supported browser. This means you can administer your XTM device from a
computer with Windows, Linux, Mac OS, or any other platform, as long as it has a supported browser
with Adobe Flash Player v9 or later and network connectivity.
The Web UI is a real-time management tool. This means that when you use the Web UI to make
changes to a device, the changes you make generally take effect immediately. With the Web UI, you
do not build a list of many changes in a locally-stored configuration file that are later sent to the device
all at once. This is different from Fireware XTM Policy Manager, which is an off-line configuration tool.
Changes you make to a locally-stored configuration file with Policy Manager do not take effect until you
save the configuration file to the device.
You must complete the Quick Setup Wizard before you can see Fireware XTM Web
UI. For more information, see Run the Web Setup Wizard on page 29. You must also
use an account with full administrative access privileges to see and change the
configuration pages.
At the left side of Fireware XTM Web UI is the main menu navigation bar that you use to select a set of
configuration pages.
All items in the navigation bar contain secondary menu items that you use to configure the properties of
that feature.
• To see these secondary menu items, select a top level menu item. For example, if you select Authentication, these secondary menu items appear: Servers, Settings, Users and Groups, Web Server Certificate, Single Sign-On, and Terminal Services.
• To hide the secondary menu items, select the top level menu item again.
The first item in the navigation bar is the Dashboard. The Dashboard menu includes two pages:
• System
• Subscription Services
When you first connect to Fireware XTM Web UI, the System page automatically appears. To return to
the System page from another place in the Web UI, select Dashboard > System.
Limitations of Fireware XTM Web UI
You can use Fireware XTM Web UI, WatchGuard System Manager, and Fireware XTM Command
Line Interface (CLI) to configure and monitor your Fireware XTM device. When you want to change a
device configuration file, you can use any of these programs. There are, however, several device
configuration changes you cannot make with Fireware XTM Web UI.
Some of the tasks you can complete in Policy Manager, but not with the Web UI include:
• Export a certificate or see details about a certificate (you can only import certificates)
• Enable diagnostic logging or change diagnostic log levels
• Change the logging of default packet handling options
• Add or remove static ARP entries in the device ARP table
• Manually get the Mobile VPN with SSL configuration file
• Get the encrypted (.wgx) Mobile VPN with IPSec end-user client configuration (you can only get the equivalent, but unencrypted, .ini file)
• Edit the name of a policy
• Add a custom address to a policy
• Use a host name (DNS lookup) to add an IP address to a policy
• Use role-based administration (also known as role-based access control, or RBAC)
• View or change the configuration of a device that is a member of a FireCluster
• Add or edit a secondary PPPoE interface
The group of applications that comes with WatchGuard System Manager includes many other tools for
monitoring and reporting. Some of the functions provided by HostWatch, Log and Report Manager, and
WSM are also not available in the Web UI.
To use some Fireware XTM features related to WatchGuard servers, you must install WatchGuard
Server Center. You do not have to use WatchGuard System Manager to install WatchGuard Server
Center. You can use WatchGuard Server Center to configure these WatchGuard servers:
• Management Server
• Log Server
• Report Server
• Quarantine Server
• WebBlocker Server
To learn how to configure features not supported by the Web UI or how to use WatchGuard Server
Center, see the Fireware XTM WatchGuard System Manager Help at
http://www.watchguard.com/help/documentation.
To learn more about the CLI, see the WatchGuard Command Line Interface Reference at
http://www.watchguard.com/help/documentation.
Complete Your Installation
After you are finished with the Web Setup Wizard, you must complete the installation of your XTM
device on your network.
1. Put the XTM device in its permanent physical location.
2. Make sure the gateway of the management computer and the rest of the trusted network is the IP
address of the trusted interface of your XTM device.
3. To connect to your XTM device with Fireware XTM Web UI, open a web browser and type:
https://10.0.1.1:8080. This is the default IP address of the trusted interface.
For more information, see Connect to Fireware XTM Web UI on page 33.
4. If you use a routed configuration, make sure you change the default gateway on all the
computers that connect to your XTM device to match the IP address of the XTM device trusted
interface.
5. Customize your configuration as necessary for the security purposes of your business.
For more information, see the subsequent Customize your security policy section.
Customize Your Security Policy
Your security policy controls who can get into and out of your network, and where they can go in your
network. The configuration file of your XTM device manages the security policies.
When you completed the Quick Setup Wizard, the configuration file that you made was only a basic
configuration. You can modify this configuration to align your security policy with the business and
security requirements of your company. You can add packet filter and proxy policies to set what you let
in and out of your network. Each policy can have an effect on your network. The policies that increase
your network security can decrease access to your network. And the policies that increase access to
your network can put the security of your network at risk. For more information on policies, see About
Policies on page 495.
For a new installation, we recommend that you use only packet filter policies until all your systems
operate correctly. As necessary, you can add proxy policies.
About LiveSecurity Service
Your XTM device includes a subscription to LiveSecurity Service. Your subscription:
• Makes sure that you get the newest network protection with the newest software upgrades
• Gives solutions to your problems with full technical support resources
• Prevents service interruptions with messages and configuration help for the newest security problems
• Helps you to find out more about network security through training resources
• Extends your network security with software and other features
• Extends your hardware warranty with advanced replacement
For more information about LiveSecurity Service, see About WatchGuard Support on page 21.
Additional Installation Topics
Connect to an XTM Device with Firefox v3
Web browsers use certificates to ensure that the device on the other side of an HTTPS connection is
the device you expect. Users see a warning when a certificate is self-signed, or when there is a
mismatch between the requested IP address or host name and the IP address or host name in the
certificate. By default, your XTM device uses a self-signed certificate that you can use to set up your
network quickly. However, when users connect to the XTM device with a web browser, a Secure
Connection Failed warning message appears.
To avoid this warning message, we recommend that you add a valid certificate signed by a CA
(Certificate Authority) to your configuration. This CA certificate can also be used to improve the
security of VPN authentication. For more information on the use of certificates with XTM devices, see
About Certificates on page 793.
If you continue to use the default self-signed certificate, you can add an exception for the XTM device
on each client computer. Current versions of most Web browsers provide a link in the warning
message that the user can click to allow the connection. If your organization uses Mozilla Firefox v3,
your users must add a permanent certificate exception before they can connect to the XTM device.
Actions that require an exception include:
• About User Authentication
• Install and Connect the Mobile VPN with SSL Client
• Run the Web Setup Wizard
• Connect to Fireware XTM Web UI
Common URLs that require an exception include:
https://<IP address or host name of an XTM device interface>:8080
https://<IP address or host name of an XTM device interface>:4100
https://<IP address or host name of an XTM device>:4100/sslvpn.html
Add a Certificate Exception to Mozilla Firefox v3
If you add an exception in Firefox v3 for the XTM device certificate, the warning message does not
appear on subsequent connections. You must add a separate exception for each IP address, host
name, and port used to connect to the XTM device. For example, an exception that uses a host name
does not operate properly if you connect with an IP address. Similarly, an exception that specifies port
4100 does not apply to a connection where no port is specified.
A certificate exception does not make your computer less secure. All network traffic
between your computer and the XTM device remains securely encrypted with SSL.
There are two methods to add an exception. You must be able to send traffic to the XTM device to add
an exception.
• Click the link in the Secure Connection Failed warning message.
• Use the Firefox v3 Certificate Manager to add exceptions.
In the Secure Connection Failed warning message:
1. Click Or you can add an exception.
2. Click Add Exception.
The Add Security Exception dialog box appears.
3. Click Get Certificate.
4. Select the Permanently store this exception check box.
5. Click Confirm Security Exception.
To add multiple exceptions:
1. In Firefox, select Tools > Options.
The Options dialog box appears.
2. Select Advanced.
3. Click the Encryption tab, then click View Certificates.
The Certificate Manager dialog box opens.
4. Click the Servers tab, then click Add Exception.
5. In the Location text box, type the URL to connect to the XTM device. The most common URLs
are listed above.
6. When the certificate information appears in the Certificate Status area, click Confirm
Security Exception.
7. Click OK.
8. To add more exceptions, repeat Steps 4–6.
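Adding an exception, as described above, trusts whichever certificate the device presents on the first connection. As an added example that is not part of the WatchGuard guide or its tooling, the Python script below makes that trust explicit and checkable: it reads the certificate the device serves on port 8080, computes the SHA-256 fingerprint that browsers display, and compares it with a fingerprint you wrote down when you first set the device up. A fingerprint that changes later, when you have not generated and imported a new certificate for the device, is a reason to stop and check before you type the admin passphrase. The device address 10.0.1.1 comes from the guide; the recorded fingerprint in the example is a placeholder you replace with your own value.

```python
import hashlib
import socket
import ssl


def cert_fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER certificate, in the colon-separated form browsers show."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_peer_cert_der(host, port=8080, timeout=5.0):
    """Open a TLS connection only to read the certificate the device presents.

    Verification is deliberately disabled for this one connection because the device
    certificate is signed by the WatchGuard CA, which the client does not trust. The
    returned bytes are compared against a fingerprint recorded out of band; nothing
    is sent over this connection.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def _normalize(fingerprint):
    """Accept fingerprints with or without colons and in either case."""
    return fingerprint.replace(":", "").upper()


def matches_pinned(der_bytes, expected_fingerprint):
    """True when the presented certificate matches the recorded fingerprint."""
    return _normalize(cert_fingerprint(der_bytes)) == _normalize(expected_fingerprint)


def check_device(host, expected_fingerprint, port=8080):
    """Fetch the live certificate and compare it with the fingerprint recorded at first setup."""
    return matches_pinned(fetch_peer_cert_der(host, port), expected_fingerprint)


if __name__ == "__main__":
    # Hypothetical values: the trusted-interface address from the guide and a placeholder
    # for the fingerprint you recorded at first connection (replace with the real value).
    device = "10.0.1.1"
    pinned = "<fingerprint recorded at first connection>"
    try:
        ok = check_device(device, pinned)
    except OSError as exc:
        ok = False
        print(f"could not connect to {device}:8080: {exc}")
    if ok:
        print("certificate matches the recorded fingerprint")
    else:
        print("certificate does NOT match the recorded fingerprint; investigate before you log in")
```

Run it before a management session, or from a scheduled job that alerts on a mismatch. The script only reads the certificate, so the comparison with the recorded fingerprint, not TLS verification, is what gives the assurance. Devices on older firmware may offer only TLS versions that a current OpenSSL build rejects by default; the example assumes the client and the device can negotiate a common version.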
Identify Your Network Settings
To configure your XTM device, you must know some information about your network. You can use this
section to learn how to identify your network settings.
For an overview of network basics, see About Networks and Network Security on page 1.
Network Addressing Requirements
Before you can begin installation, you must know how your computer gets an IP address. Your Internet
Service Provider (ISP) or corporate network administrator can give you this information. Use the same
method to connect the XTM device to the Internet that you use for your computer. For example, if you
connect your computer directly to the Internet with a broadband connection, you can put the XTM
device between your computer and the Internet and use the network configuration from your computer
to configure the XTM device external interface.
You can use a static IP address, DHCP, or PPPoE to configure the XTM device external interface. For
more information about network addressing, see Configure an External Interface on page 114.
Your computer must have a web browser. You use the web browser to configure and manage the XTM
device. Your computer must have an IP address on the same network as the XTM device.
In the factory default configuration, the XTM device assigns your computer an IP address with DHCP
(Dynamic Host Configuration Protocol). You can set your computer to use DHCP and then you can
connect to the device to manage it. You can also give your computer a static IP address that is on the
same network as the trusted IP address of the XTM device. For more information, see Set Your
Computer to Connect to Your XTM Device on page 41.
Find Your TCP/IP Properties
To learn about the properties of your network, look at the TCP/IP properties of your computer or any
other computer on the network. You must have this information to install your XTM device:
• IP address
• Subnet mask
• Default gateway
• Whether your computer has a static or dynamic IP address
• IP addresses of primary and secondary DNS servers
If your ISP assigns your computer an IP address that starts with 10, 192.168, or
172.16 to 172.31, then your ISP uses NAT (Network Address Translation) and your
IP address is private. We recommend that you get a public IP address for your XTM
device external IP address. If you use a private IP address, you can have problems
with some features, such as virtual private networking.
To find the TCP/IP properties for your computer operating system, use the instructions in the
subsequent sections.
Find Your TCP/IP Properties on Microsoft Windows XP, Windows 2003, and Windows 7
1. Select Start > All Programs > Accessories > Command Prompt.
The Command Prompt dialog box appears.
2. At the command prompt, type ipconfig /all and press Enter.
3. Write down the values that you see for the primary network adapter.
Find Your TCP/IP Properties on Microsoft Windows 8
1. On the Windows 8 Start page, type command.
2. In the Apps search results list, click Command Prompt.
The Command Prompt dialog box appears.
3. At the command prompt, type ipconfig /all and press Enter.
4. Write down the values that you see for the primary network adapter.
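The guide tells you to copy five values out of `ipconfig /all` by hand. As an added example that is not part of the WatchGuard guide, the Python script below parses that output instead and flags an address that falls in the private ranges the note above names (10/8, 172.16/12, 192.168/16), which is the case where the ISP is doing NAT and the guide recommends a public address for the external interface. The ipconfig text embedded in the script is constructed sample output, and the adapter name Local Area Connection is assumed; on a real host you would feed it the saved output of `ipconfig /all`.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (not captured from a real host).
# Addresses are private or documentation ranges chosen for the example.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : mgmt-pc
   Primary Dns Suffix  . . . . . . . :

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.invalid
   Description . . . . . . . . . . . : Constructed Ethernet Adapter
   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.53
"""

# "   Key . . . . : value": the dots are padding, the first colon separates key and value.
_KEY_VALUE = re.compile(r"^\s+(?P<key>[A-Za-z0-9 -]+?)[ .]*:\s?(?P<value>.*)$")

# RFC 1918 space, i.e. the three ranges the guide says indicate NAT at the ISP.
_PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ipconfig(text):
    """Return {section_name: {field: [values]}} from `ipconfig /all` output.

    Section headers ("Ethernet adapter ...:") start in column 0; fields are indented;
    an indented line without a colon continues the previous field (extra DNS servers).
    IPv6 values contain colons and are not handled by this IPv4-only example.
    """
    sections = {}
    current = None
    last_key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            current = sections.setdefault(raw.rstrip(":"), {})
            last_key = None
            continue
        match = _KEY_VALUE.match(raw)
        if match and current is not None:
            last_key = match.group("key").strip()
            value = match.group("value").strip()
            current[last_key] = [value] if value else []
        elif current is not None and last_key is not None:
            current[last_key].append(raw.strip())
    return sections


def summarize_adapter(fields):
    """Pull out the five values the guide tells you to write down."""
    def first(*keys):
        for key in keys:
            if fields.get(key):
                # Windows Vista and later append "(Preferred)" to the address; XP does not.
                return fields[key][0].split("(")[0].strip()
        return None

    return {
        "ip_address": first("IPv4 Address", "IP Address"),
        "subnet_mask": first("Subnet Mask"),
        "default_gateway": first("Default Gateway"),
        "dhcp": first("DHCP Enabled") == "Yes",
        "dns_servers": list(fields.get("DNS Servers", [])),
    }


def is_private(ip):
    """True when ip falls in 10/8, 172.16/12 or 192.168/16 (NAT upstream is likely)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _PRIVATE_NETS)


if __name__ == "__main__":
    adapters = parse_ipconfig(SAMPLE_IPCONFIG)
    info = summarize_adapter(adapters["Ethernet adapter Local Area Connection"])
    for name, value in info.items():
        print(f"{name:16} {value}")
    if is_private(info["ip_address"]):
        print("address is private: the ISP uses NAT; a public address is recommended for the external interface")
```

The parser keeps every value as a list because some fields, such as DNS Servers, span several lines. `is_private` checks exactly the three ranges the guide names rather than the broader `ipaddress.is_private` property, so that documentation ranges such as 203.0.113.0/24 are reported as public, as they are on the Internet.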
Find Your TCP/IP Properties on Macintosh OS X 10.x
1. Select the Apple menu > System Preferences, or select the icon from the Dock.
The System Preferences dialog box appears.
2. Click the Network icon.
The Network preference pane appears.
3. Select the network adapter you use to connect to the Internet.
4. Write down the values that you see for the network adapter.
Find Your TCP/IP Properties on Other Operating Systems (Unix, Linux)
1. Read your operating system guide to find the TCP/IP settings.
2. Write down the values that you see for the primary network adapter.
Find PPPoE Settings
Many ISPs use Point to Point Protocol over Ethernet (PPPoE) because it is easy to use with a dial-up
infrastructure. If your ISP uses PPPoE to assign IP addresses, you must get this information:
• Login name
• Domain (optional)
• Password
Set Your Computer to Connect to Your XTM Device
Before you can use the Web Setup Wizard, you must configure your computer to connect to your XTM
device. You can set your network interface card to use a static IP address, or use DHCP to get an IP
address automatically.
Use DHCP
If your computer does not use the Windows XP operating system, read the operating system help for
instructions on how to set your computer to use DHCP.
To configure a computer with Windows XP to use DHCP:
1. Select Start > Control Panel.
The Control Panel window appears.
2. Double-click Network Connections.
3. Double-click Local Area Connection.
The Local Area Connection Status window appears.
4. Click Properties.
The Local Area Connection Properties window appears.
5. Double-click Internet Protocol (TCP/IP).
The Internet Protocol (TCP/IP) Properties dialog box appears.
6. Select Obtain an IP address automatically and Obtain DNS server address automatically.
7. Click OK to close the Internet Protocol (TCP/IP) Properties dialog box.
8. Click OK to close the Local Area Connection Properties dialog box.
9. Close the Local Area Connection Status, Network Connections, and Control Panel windows.
Your computer is ready to connect to the XTM device.
10. When the XTM device is ready, open a web browser.
11. In the browser address bar, type the IP address of your XTM device and press Enter.
12. If a security certificate warning appears, accept the certificate.
The Quick Setup Wizard starts.
The default IP address for a WatchGuard XTM device is https://10.0.1.1/.
13. Run the Web Setup Wizard.
Use a Static IP Address
If your computer does not use the Windows XP operating system, read the operating system help for
instructions on how to set your computer to use a static IP address. You must select an IP address on
the same subnet as the trusted network.
To configure a computer with Windows XP to use a static IP address:
1. Select Start > Control Panel.
The Control Panel window appears.
2. Double-click Network Connections.
3. Double-click Local Area Connection.
The Local Area Connection Status window appears.
4. Click Properties.
The Local Area Connection Properties window appears.
5. Double-click Internet Protocol (TCP/IP).
The Internet Protocol (TCP/IP) Properties dialog box appears.
6. Select Use the following IP address.
7. In the IP address field, type an IP address on the same network as the XTM device trusted
interface.
For example, you can set the IP address on your computer to 10.0.1.2.
The default IP address for the XTM device trusted interface is 10.0.1.1.
8. In the Subnet Mask field, type 255.255.255.0.
9. In the Default Gateway field, type the IP address of the XTM device trusted interface,
10.0.1.1.
10. Click OK to close the Internet Protocol (TCP/IP) Properties dialog box.
11. Click OK to close the Local Area Network Connection Properties dialog box.
12. Close the Local Area Connection Status, Network Connections, and Control Panel
windows.
Your computer is ready to connect to the XTM device.
13. When the XTM device is ready, open a web browser.
14. In the browser address bar, type the IP address of your XTM device and press Enter.
The default IP address for a WatchGuard XTM device is https://10.0.1.1/.
15. If a security certificate warning appears, accept the certificate.
The Quick Setup Wizard starts.
16. Run the Web Setup Wizard.
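The static-address procedure above gives one working set of values (10.0.1.2, 255.255.255.0, gateway 10.0.1.1). As an added example that is not part of the WatchGuard guide, the Python function below checks any proposed set of values against the rules the procedure implies: the address must be on the trusted subnet, must be a usable host address that is not the device's own, and the default gateway must be the trusted interface. The default trusted address and mask come from the guide; the checks themselves are the example's own logic.

```python
import ipaddress

# Defaults from the guide: the trusted interface is 10.0.1.1 with mask 255.255.255.0.
TRUSTED_IP = "10.0.1.1"
TRUSTED_MASK = "255.255.255.0"


def check_static_settings(ip, mask, gateway, trusted_ip=TRUSTED_IP, trusted_mask=TRUSTED_MASK):
    """Return a list of problems with the proposed static settings (empty list = OK).

    The management computer must sit on the trusted subnet, use a host address that is
    neither the network nor the broadcast address and does not collide with the device,
    and point its default gateway at the device's trusted interface.
    """
    try:
        host = ipaddress.ip_address(ip)
        gw = ipaddress.ip_address(gateway)
        device = ipaddress.ip_address(trusted_ip)
        trusted_net = ipaddress.ip_network(f"{trusted_ip}/{trusted_mask}", strict=False)
        host_net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    except ValueError as exc:
        return [f"unparseable value: {exc}"]

    problems = []
    if host_net != trusted_net:
        problems.append(f"{ip}/{mask} is on {host_net}, not the trusted subnet {trusted_net}")
    if host in (trusted_net.network_address, trusted_net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {trusted_net}")
    if host == device:
        problems.append(f"{ip} collides with the XTM device trusted interface")
    if gw != device:
        problems.append(f"default gateway {gateway} is not the trusted interface {trusted_ip}")
    return problems


if __name__ == "__main__":
    # The guide's own example values, then a deliberately wrong subnet.
    print(check_static_settings("10.0.1.2", "255.255.255.0", "10.0.1.1") or "settings OK")
    print(check_static_settings("10.0.2.2", "255.255.255.0", "10.0.1.1"))
```

Pass your own trusted interface address and mask as `trusted_ip` and `trusted_mask` if you changed them from the defaults; the same checks apply to any trusted subnet.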
Disable the HTTP Proxy in the Browser
Many web browsers are configured to use an HTTP proxy server to increase the download speed of
web pages. To manage or configure the XTM device with the Web UI, your browser must connect
directly to the device. If you use an HTTP proxy server, you must temporarily disable the HTTP proxy
setting in your browser. You can enable the HTTP proxy server setting in your browser again after you
set up the XTM device.
Use these instructions to disable the HTTP proxy in Mozilla Firefox or Internet Explorer. For other
browsers, use the browser Help system to find the necessary information. Many browsers
automatically disable the HTTP proxy feature.
Disable the HTTP proxy in Internet Explorer 7.x, or 8.x
1. Open Internet Explorer.
2. Select Tools > Internet Options.
The Internet Options dialog box appears.
3. Select the Connections tab.
4. Click LAN Settings.
The Local Area Network (LAN) Settings dialog box appears.
5. Clear the Use a proxy server for your LAN check box.
6. Click OK to close the Local Area Network (LAN) Settings dialog box.
7. Click OK to close the Internet Options dialog box.
Disable the HTTP proxy in Firefox 3.x
1. Open Firefox.
2. Select Tools > Options.
The Options dialog box appears.
3. Click Advanced.
4. Select the Network tab.
5. Click Settings.
6. Click Connection Settings.
The Connection Settings dialog box appears.
7. For Firefox 2.x, make sure the Direct Connection to the Internet option is selected.
For Firefox 3.x, make sure the No proxy option is selected.
8. Click OK to close the Connection Settings dialog box.
9. Click OK to close the Options dialog box.
5 Configuration and Management Basics
About Basic Configuration and Management Tasks
After your XTM device is installed on your network and is set up with a basic configuration file, you can
start to add custom configuration settings. The topics in this section help you complete these basic
management and maintenance tasks.
Make a Backup of the XTM Device Image
An XTM device backup image is an encrypted and saved copy of the flash disk image from the XTM
device flash disk. It includes the XTM device OS, configuration file, feature keys, passphrases,
DHCP leases, and certificates. The backup image also includes any event notification settings that
you configured in Traffic Monitor. You can save a backup image to your computer or to a directory on
your network or other connected storage device.
The backup image is unique to each device, and includes the serial number, certificates, and private
keys unique to that device.
Do not restore a backup image created from one XTM device to a different XTM
device, even if both devices are the same model.
We recommend that you regularly make backup files of the XTM device image. We also recommend
that you create a backup image of the XTM device before you make significant changes to your
configuration file, or before you upgrade your XTM device or its OS. You can use Fireware XTM Web
UI to make a backup of your device image.
1. Select System > Backup Image.
2. Type and confirm an encryption key. This key is used to encrypt the backup file. If you lose or
forget this encryption key, you cannot restore the backup file.
3. Click Backup.
4. Select a location to save the backup image file and type a filename.
The backup image is saved to the location you specify.
Restore an XTM Device Backup Image
You can use Fireware XTM Web UI to restore a previously created backup image to your XTM device.
You can only restore a backup image that came from the same device.
For more information about Centralized Management and how to update a Fully Managed device, see
Fireware XTM WatchGuard System Manager Help.
Do not try to restore a backup image created from a different XTM device. The
backup image is unique to a single device, and includes the serial number,
certificates, and private keys unique to that device.
After the backup image is successfully restored, the device must reboot.
To restore the backup image:
1. Select System > Restore Image.
2. Click Restore Image.
3. Click Browse.
4. Select the location and file name of the saved backup image file created for this device. Click Open.
5. Click Restore.
6. Type the encryption key you used when you created the backup image.
The XTM device restores the backup image. It restarts and uses the backup image.
Wait for two minutes before you connect to the XTM device again.
If you cannot successfully restore your XTM device image, you can reset the XTM device. Depending
on the XTM device model you have, you can reset an XTM device to its factory-default settings or rerun
the Quick Setup Wizard to create a new configuration.
For more information, see Reset an XTM Device on page 55.
Use a USB Drive for System Backup and Restore
A WatchGuard XTM device backup image is a copy of the flash disk image from the XTM device that
is encrypted and saved. The backup image file includes the XTM device OS, configuration file, feature
key, and certificates.
For XTM devices, you can attach a USB drive or storage device to the USB port on the XTM device for
system backup and restore procedures. When you save a system backup image to a connected USB
drive, you can restore your XTM device to a known state more quickly.
About the USB Drive
The USB drive must be formatted with the FAT or FAT32 file system. If the USB drive has more than
one partition, Fireware XTM only uses the first partition. Each system backup image can be as large as
30 MB. We recommend you use a USB drive large enough to store several backup images.
Save a Backup Image to a Connected USB Drive
For this procedure, a USB drive must be connected to your XTM device.
1. Select System > USB Drive.
The Backup/Restore to USB drive page appears.
2. In the New backup file section, type a Filename for the backup image.
3. Type and confirm an Encryption key. This key is used to encrypt the backup file. If you lose or
forget this encryption key, you cannot restore the backup file.
4. Click Save to USB Drive.
The saved image appears on the list of Available device backup images after the save is complete.
Restore a Backup Image from a Connected USB Drive
For this procedure, a USB drive must be connected to your XTM device.
1. Select System > USB Drive.
The Backup/Restore to USB Drive page appears.
2. From the Available backup images list, select a backup image file to restore.
3. Click Restore Selected Image.
4. Type the Encryption key you used when you created the backup image.
5. Click OK.
The XTM device restores the backup image. It restarts and uses the backup image.
Automatically Restore a Backup Image from a USB Drive
If a USB drive (storage device) is connected to a WatchGuard XTM device in recovery mode, the
device can automatically restore a previously backed up image from the USB drive. To use the
auto-restore feature, you must first select a backup image on the USB drive as the one you want to use
for the restore process. You must use Fireware XTM Web UI, Firebox System Manager, or Fireware XTM
command line interface to select this backup image. This feature is not supported on XTMv devices.
Do not use a backup image created from a different XTM device for auto-restore. The
backup image is unique to a single device, and includes the serial number,
certificates, and private keys unique to that device.
Select the Backup Image to Auto-Restore
1. Select System > USB Drive.
The Backup/Restore to USB Drive page appears. The saved backup image files appear in a list at
the top of the page.
2. From the Available backup images list, select a backup image file.
3. Click Use Selected Image for Auto-Restore.
4. Type the Encryption key used to create the backup image. Click OK.
The XTM device saves a copy of the selected backup image on the USB drive.
If you had a previous auto-restore image saved, the auto-restore.fxi file is replaced with a copy of the
backup image you selected.
If your XTM device has used a version of the Fireware XTM OS before v11.3, you
must update the recovery mode software image on the device to v11.3 for the auto-restore
feature to operate. See the Fireware XTM 11.3 Release Notes for upgrade instructions.
Auto-Restore the Backup Image for an XTM Device with an LCD Display
For an XTM device with an LCD display, use the arrow buttons near the LCD for this procedure.
1. Connect the USB drive with the auto-restore image to a USB interface on the XTM device.
2. Power off the XTM device.
3. Press and hold the up arrow on the device front panel while you power on the device.
4. Continue to hold down the up arrow button until Recovery Mode starting appears on the LCD display.
The device restores the backup image from the USB drive, and automatically uses the restored
image after it reboots.
If the USB drive does not contain a valid auto-restore image for this XTM device model family, the
device does not reboot and is instead started in recovery mode. If you restart the device again, it uses
your current configuration. When the device is in recovery mode, you can use the WSM Quick Setup
Wizard to create a new basic configuration.
Auto-Restore the Backup Image for an XTM 33 or XTM 2 Series Device
1. Attach the USB drive with the auto-restore image to a USB interface on the XTM 2 Series
device.
2. Disconnect the power supply.
3. Press and hold the Reset button on the back of the device.
4. Continue to hold down the Reset button and connect the power supply.
5. After 10 seconds, release the Reset button.
The device restores the backup image from the USB drive and automatically uses the restored
image after it reboots.
If the USB drive does not contain a valid auto-restore image, the auto-restore fails and the device does
not reboot. If the auto-restore process is not successful, you must disconnect and reconnect the power
supply to start the XTM device with factory-default settings.
For information about factory default settings, see About Factory-Default Settings.
USB Drive Directory Structure
The USB drive contains directories for backup images, configuration files, feature key, certificates and
diagnostics information for your XTM device.
When you save a backup image to a USB drive, the file is saved in a directory on the USB drive with
the same name as the serial number of your XTM device. This means that you can store backup
images for more than one XTM device on the same USB drive. When you restore a backup image, the
software automatically retrieves the list of backup images stored in the directory associated with that
device.
For each device, the directory structure on the USB device is as follows, where sn is replaced by the
serial number of the XTM device:
\sn\flash-images\
\sn\configs\
\sn\feature-keys\
\sn\certs\
The backup images for a device are saved in the \sn\flash-images directory. The backup image file
saved in the flash-images directory contains the Fireware XTM OS, the device configuration, feature
keys, and certificates. The \configs, \feature-keys and \certs subdirectories are not used for any
USB drive backup and restore operations. You can use these to store additional feature keys,
configuration files, and certificates for each device.
There is also one directory at the root level of the directory structure which is used to store the
designated auto-restore backup image.
\auto-restore\
When you designate a backup image to use for automatic restore, a copy of the selected backup image
file is encrypted and stored in the \auto-restore directory with the file name auto-restore.fxi. You
can have only one auto-restore image saved on each USB drive.
You must use the System > USB Drive command to create an auto-restore image. If you manually
copy and rename a backup image and store it in this directory, the automatic restore process does not
operate correctly.
There is also another directory at the root level of the directory structure which is used to store the
support snapshot that can be used by WatchGuard technical support to help diagnose issues with your
XTM device.
\wgdiag\
For more information about the support snapshot, see Use a USB Drive to Save a Support Snapshot
on page 53.
Save a Backup Image to a USB Drive Connected to Your
Computer
You can use Fireware XTM Web UI to save a backup image to a USB drive or storage device
connected to your computer. If you save the configuration files for multiple devices to the same USB
drive, you can attach the USB drive to any of those XTM devices for recovery.
If you use the System > USB Drive command to do this, the files are automatically saved in the
proper directory on the USB drive. If you use the System > Backup Image command, or if you use
Windows or another operating system to manually copy configuration files to the USB device, you
must manually create the correct serial number and flash-image directories for each device (if they do
not already exist).
Before You Begin
Before you begin, it is important that you understand the USB Drive Directory Structure used by the USB
backup and restore feature. If you do not save the backup image in the correct location, the device
cannot find it when you attach the USB drive to the device.
Save the Backup Image
To save a backup image to a USB drive connected to your computer, follow the steps in Make a
Backup of the XTM Device Image. When you select the location to save the file, select the drive letter
of the USB drive attached to your computer. If you want the backup image you save to be recognized
by the XTM device when you attach the USB drive, make sure to save the backup in the \flash-images
folder, in the directory that is named with the serial number of your XTM device.
For example, if your XTM device serial number is 70A10003C0A3D, save the backup image file to this
location on the USB drive:
\70A10003C0A3D\flash-images\
Designate a Backup Image for Auto-restore
To designate a backup image for use with the auto-restore feature, you must connect the USB drive to
the device and designate the backup image to use for auto-restore, as described in Use a USB Drive
for System Backup and Restore. If you manually save a backup image to the auto-restore directory,
the automatic restore process does not operate correctly.
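The layout described in USB Drive Directory Structure, and the \70A10003C0A3D\flash-images\ example above, can be checked with a script before the drive is attached to a device. The Python example below is added to this guide and is not WatchGuard code: it builds the path where a backup image must be saved for a given serial number, and reports images stored in the wrong place or an auto-restore directory that was filled by hand (the case the guide says does not restore). The serial 70A10003C0A3D is the one used above; the second serial number and all file contents are constructed for the example, and pathlib is used so the check works whether the drive is addressed with Windows or POSIX path separators.

```python
"""Check the layout of a USB drive used for XTM backup and restore.

Added example for this guide, not WatchGuard code. The directory names
(<serial>/flash-images, configs, feature-keys, certs, auto-restore, wgdiag)
and the auto-restore.fxi file name come from the guide; the second serial
number and the file contents below are constructed.
"""
import tempfile
from pathlib import Path

# Per-device subdirectories documented for the USB drive.
DEVICE_SUBDIRS = ("flash-images", "configs", "feature-keys", "certs")
# Root-level directories that are not device serial-number directories.
ROOT_DIRS = {"auto-restore", "wgdiag"}
AUTO_RESTORE_FILE = "auto-restore.fxi"


def backup_image_path(usb_root, serial, filename):
    """Where a backup image for `serial` must be saved so the device lists
    it for restore: <usb_root>/<serial>/flash-images/<filename>."""
    return Path(usb_root) / serial / "flash-images" / filename


def check_usb_layout(usb_root):
    """Return a list of findings (strings) for a USB drive tree.

    The findings are the mistakes the guide warns about: a backup image
    stored outside <serial>/flash-images is never found by the device, and
    the auto-restore directory must hold only the auto-restore.fxi file
    written by System > USB Drive (a hand-copied image does not restore).
    """
    root = Path(usb_root)
    findings = []
    for entry in sorted(root.iterdir()):
        if entry.is_file():
            findings.append(f"stray file at root: {entry.name}")
        elif entry.name == "auto-restore":
            names = sorted(p.name for p in entry.iterdir())
            if names != [AUTO_RESTORE_FILE]:
                findings.append(
                    f"auto-restore must contain only {AUTO_RESTORE_FILE}, "
                    f"found {names}")
        elif entry.name in ROOT_DIRS:
            continue
        else:
            # Any other directory is taken to be a device serial number.
            serial = entry.name
            for sub in sorted(entry.iterdir()):
                if sub.is_dir() and sub.name not in DEVICE_SUBDIRS:
                    findings.append(f"{serial}: unexpected directory {sub.name}")
                elif sub.is_file():
                    findings.append(
                        f"{serial}: {sub.name} is not in flash-images and "
                        "will not be found by the device")
    return findings


def build_sample_drive(root):
    """Constructed sample tree: one correct device directory, a second
    device directory with a misplaced image, and an auto-restore directory
    that also holds a manually copied image."""
    good = backup_image_path(root, "70A10003C0A3D", "backup-2013-10.fxi")
    good.parent.mkdir(parents=True)
    good.write_bytes(b"placeholder, not a real image")
    misplaced = Path(root) / "70A10003C0A3E"   # constructed serial
    misplaced.mkdir()
    (misplaced / "backup.fxi").write_bytes(b"placeholder")
    auto = Path(root) / "auto-restore"
    auto.mkdir()
    (auto / AUTO_RESTORE_FILE).write_bytes(b"placeholder")
    (auto / "backup-copy.fxi").write_bytes(b"placeholder")


def demo_findings():
    """Build the sample drive in a temporary directory and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_drive(tmp)
        return check_usb_layout(tmp)


if __name__ == "__main__":
    for finding in demo_findings():
        print(finding)
```

Run against a real drive by calling check_usb_layout with the drive's root path; an empty list means every image is where the device expects it.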
Use a USB Drive to Save a Support Snapshot
A support snapshot is a file that contains a recent copy of your device configuration, log files, and other
information that can help WatchGuard technical support troubleshoot issues with your device. To use
the support snapshot feature, your device must use Fireware XTM v11.4 or later.
This feature is not supported on XTMv devices.
If you connect a USB drive to one of the XTM device USB interfaces, the XTM device automatically
generates a new support snapshot and saves the snapshot to the USB drive as an encrypted file. This
happens automatically when the device is powered on and a USB drive is connected to the device.
Any time you connect a USB drive, the XTM device automatically saves a current support snapshot in
the \wgdiag directory on the USB drive.
When the XTM device detects a connected USB drive, it automatically completes these actions:
• If the \wgdiag directory does not exist on the USB drive, the XTM device creates it.
• If the \wgdiag directory already exists on the USB drive, the XTM device deletes and recreates it.
• The XTM device saves the new support snapshot in the \wgdiag directory with the filename
support1.tgz.
Each time you connect the USB drive or restart the XTM device, any files in the \wgdiag directory are
removed and a new support snapshot is saved.
If you want to keep a support snapshot, you can either rename the \wgdiag directory
on the USB drive or copy the support1.tgz file from the USB drive to your computer
before you reconnect the USB drive to the XTM device.
Status messages about USB diagnostics file generation appear as Info level messages in the log file.
These log messages contain the text USB Diagnostic. For XTM devices that have an LCD display,
messages also appear on the LCD while the USB diagnostic file is written, and when a USB drive is
connected or removed.
By default, the XTM device saves only a single support snapshot per USB drive when the USB drive is
first detected. You can use the usb diagnostic command in the Command Line Interface to enable
the XTM device to automatically save multiple support snapshots to the USB drive periodically while
the device is in operation. If the XTM device is configured to save multiple support snapshots, the
number at the end of the file name increases by one each time a new snapshot is saved, so that you
can see a sequence of support snapshots. For example, the file names for the first two support
snapshots would be support1.tgz and support2.tgz. If enabled, the USB diagnostics stores a
maximum of 48 support snapshots on the USB drive.
For more information about how to use the usb diagnostic command, see the Fireware
XTM Command Line Interface Reference.
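Because a support snapshot contains a copy of the device configuration, a log monitor should record each time one is written to a USB drive. The Python example below is added here and is not WatchGuard code: it selects the Info-level log lines that contain the text USB Diagnostic, and models the support1.tgz, support2.tgz, ... naming with the 48-snapshot limit. The layout of the sample log lines is constructed for the example; only the level name, the USB Diagnostic text, the file names and the limit come from this guide.

```python
"""Watch a Fireware log for USB support-snapshot activity.

Added example, not WatchGuard code. From the guide: snapshot files are
named support1.tgz, support2.tgz, ... in the wgdiag directory, at most 48
per drive, and status messages are Info-level lines containing the text
"USB Diagnostic". The line layout "<date> <time> <level> <message>" used
for the sample below is constructed; real Fireware log lines may differ.
"""
import re

MAX_SNAPSHOTS = 48
SNAPSHOT_RE = re.compile(r"^support(\d+)\.tgz$")
LINE_RE = re.compile(r"^(\S+ \S+) (\w+) (.*)$")   # constructed layout

# Constructed sample log, not output from a real device.
SAMPLE_LOG = """\
2013-10-09 14:02:09 Info USB drive connected
2013-10-09 14:02:10 Info USB Diagnostic: writing \\wgdiag\\support1.tgz
2013-10-09 14:02:31 Info USB Diagnostic: \\wgdiag\\support1.tgz written
2013-10-09 14:05:00 Warning Unrelated message
2013-10-09 16:02:31 Info USB Diagnostic: \\wgdiag\\support2.tgz written
"""


def usb_diagnostic_events(log_text):
    """Return (timestamp, message) for every Info line whose message
    contains "USB Diagnostic", i.e. each snapshot write worth recording."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # skip lines that do not follow the expected layout
        ts, level, msg = m.groups()
        if level == "Info" and "USB Diagnostic" in msg:
            events.append((ts, msg))
    return events


def snapshot_number(filename):
    """supportN.tgz -> N, or None for any other file name."""
    m = SNAPSHOT_RE.match(filename)
    return int(m.group(1)) if m else None


def next_snapshot_name(existing):
    """Name of the next snapshot given the files already in the wgdiag
    directory, or None once the 48-snapshot limit has been reached."""
    numbers = [n for n in map(snapshot_number, existing) if n is not None]
    nxt = (max(numbers) if numbers else 0) + 1
    return None if nxt > MAX_SNAPSHOTS else f"support{nxt}.tgz"


if __name__ == "__main__":
    for ts, msg in usb_diagnostic_events(SAMPLE_LOG):
        print(ts, msg)
    print(next_snapshot_name(["support1.tgz", "support2.tgz"]))
```

Feed usb_diagnostic_events the text of the device log file (or a syslog export) to get the list of snapshot writes; adjust LINE_RE to the real line layout if it differs from the constructed sample.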
Reset an XTM Device
If your XTM device has a configuration problem, or you just want to create a new configuration file for
your XTM device, you can reset the device to its factory-default settings. For example, if you do not
know the configuration passphrase, or if a power interruption causes damage to the Fireware XTM OS,
you can use the Quick Setup Wizard to build your configuration again or restore a saved configuration.
After you perform this reset procedure:
• The XTM device is reset to factory-default settings
• The installed feature key is not removed
• Fireware XTM Web UI automatically starts the Web Setup Wizard when you connect to the
XTM device
• The XTM device is discoverable by the Quick Setup Wizard
For a description of the factory-default settings, see About Factory-Default Settings on page 56.
Start an XTM Device in Safe Mode
To restore the factory-default settings for a WatchGuard XTM device with an LCD display, you must
start the XTM device in safe mode.
1. Power off the XTM device.
2. Press the down arrow on the device front panel while you power on the XTM device.
3. Continue to press the down arrow button until the message Safe Mode Starting appears on
the LCD display.
When the device is started in safe mode, the LCD display shows the model number followed by the
word safe. When you start a device in safe mode:
• The device temporarily uses the factory-default network and security settings.
• The current feature key is not removed. If you run the Quick Setup Wizard to create a new
configuration, the wizard uses the feature key you previously imported.
• Your current configuration is deleted only when you save a new configuration file to the
XTM device. If you restart the XTM device before you save a new configuration, the device
uses your current configuration.
Reset an XTM 2 Series or XTM 33 to Factory-Default Settings
When you reset an XTM 2 Series or XTM 33 device, the original configuration settings are replaced by
the factory-default settings. The current feature key is not removed.
To reset the device to factory-default settings:
1. Disconnect the power supply.
2. Press and hold the Reset button on the back of the XTM device.
3. Continue to press the Reset button and reconnect the power supply.
4. If the Attn indicator begins to flash, you can release the Reset button. Do not disconnect the
power.
It takes between 30 and 60 seconds for the Attn indicator to flash. For some devices, the Attn
indicator does not flash.
5. If the Attn indicator does not flash, continue to press the Reset button until the Attn indicator is
lit. Then release the Reset button.
It can take between two and four minutes to complete this step, depending on your device model.
6. After the Attn light stays lit and does not flash, disconnect the power supply.
7. Connect the power supply again.
The Power Indicator lights and your device is reset.
Make sure that you complete all of the steps. You must complete Steps 6 and 7 to
restart your XTM device again before you can connect to it.
Reset an XTMv VM to Factory-Default Settings
For an XTMv VM (virtual machine), you cannot use the physical hardware to start the virtual machine in
safe mode. Instead, to reset the virtual machine to factory-default settings, you must use the Fireware
XTM CLI command restore factory-default.
To reset an XTMv VM on ESXi:
1. Log in to the vSphere client.
2. Select the XTMv VM from the inventory.
3. Select the Summary tab.
4. Click Open Console.
5. Log in with the admin account credentials.
6. Type the command restore factory-default.
To reset an XTMv VM on Hyper-V:
1. Log in to the Hyper-V server.
2. Right-click the XTMv VM.
3. From the drop-down menu, select Connect.
4. Log in with the admin account credentials.
5. Type the command restore factory-default.
For more information about how to use the command line interface, see the Fireware XTM Command
Line Interface Reference.
Run the Setup Wizard
After you restore the factory-default settings, you can use the Quick Setup Wizard or Web Setup
Wizard to create a basic configuration or restore a saved backup image.
For more information, see About the Quick Setup Wizard on page 28.
About Factory-Default Settings
The term factory-default settings refers to the configuration on the XTM device when you first receive it
before you make any changes. You can also reset the XTM device to factory-default settings as
described in Reset an XTM Device on page 55.
The default network and configuration properties for the XTM device are:
Trusted network
Interface 1 (Eth1) is configured as a trusted interface.
The default IP address for the trusted network interface is 10.0.1.1 with a subnet mask of
255.255.255.0.
The default IP address and port for the Fireware XTM Web UI is https://10.0.1.1:8080.
The XTM device is configured to give IP addresses to computers on the trusted network through
DHCP. By default, these IP addresses can be from 10.0.1.2 to 10.0.1.254.
External network
Interface 0 (Eth0) is configured as an external interface.
The XTM device is configured to get an IP address with DHCP.
Optional network
The optional network is disabled.
Administrator (read/write) account credentials
Username: admin
Passphrase: readwrite
Status (read-only) account credentials
Username: status
Passphrase: readonly
Firewall settings
All incoming traffic is denied. The outgoing policy allows all outgoing traffic. Ping requests
received from the external network are denied.
System Security
The XTM device has the built-in administrator accounts admin (read-write access) and status
(read-only access). When you first configure the device with the Quick Setup Wizard, you set
the status and configuration passphrases. After you complete the Quick Setup Wizard, you can
log in to Fireware XTM Web UI with either the admin or status administrator accounts. For
full administrator access, log in with the admin user name and type the configuration
passphrase. For read-only access, log in with the status user name and type the read-only
passphrase.
By default, the XTM device is set up for local management from the trusted network only.
Additional configuration changes must be made to allow administration from the external
network.
Upgrade Options
To enable upgrade options such as WebBlocker, spamBlocker, and Gateway AV/IPS, you
must paste or import the feature key that enables these features into the configuration page or
use the Get Feature Key command to activate upgrade options. If you start the XTM device in
safe mode, you do not need to import the feature key again.
About Feature Keys
A feature key is a license that enables you to use a set of features on your XTM device. You increase
the functionality of your device when you purchase an option or upgrade and get a new feature key.
When you purchase a new feature for your XTM device, you must activate the new feature on the
WatchGuard web site, and add the feature key to your XTM device. For more information, see Get a
Feature Key for Your XTM Device.
See Features Available with the Current Feature Key
Your XTM device always has one currently active feature key. To see the features available with this
feature key:
1. Connect to Fireware XTM Web UI.
2. Select System > Feature Key.
The Feature Key page appears.
The Summary section includes:
• The device model number and serial number
• The licensed software edition (Fireware XTM or Fireware XTM Pro)
• A signature that uniquely identifies the feature key
• For some feature keys, an expiration date for the entire feature key
If an expiration date appears in the Summary section, this is the date that the key
expires. When the feature key expires, some licensed features and capacities revert
back to the values they had before the feature key was applied, and the XTM device
allows only one connection to the external network.
The Features section shows:
• A list of available features
• Whether the feature is enabled
• Value assigned to the feature such as the number of VLAN interfaces allowed
• Expiration date of the feature, if any
• Current status on expiration, such as how many days remain before the feature expires
The Retrieve Feature Key section provides two options to update the feature key on the device.
• Click Get Feature Key to download the latest feature key for your device from your account on
the WatchGuard web site. For more information, see Get a Feature Key for Your XTM Device.
• Select the Enable automatic feature key synchronization check box to enable the device to
automatically synchronize the feature key with the WatchGuard web site. For more information,
see Enable Automatic Feature Key Synchronization.
Get a Feature Key for Your XTM Device
When you purchase a new feature or upgrade for your XTM device, or when you renew a subscription
service, you must activate a license key on the WatchGuard web site. When you activate the license
key, you select which registered device to apply the key to. Then the WatchGuard web site generates
a new feature key that enables the activated feature for the device you selected. The feature is enabled
on the device after you add the updated feature key to the device.
Activate the License Key for a Feature
To activate a license key and get the feature key for the activated feature:
1. Open a web browser and go to http://www.watchguard.com/.
2. Log in with your WatchGuard account user name and password.
3. On the Support Home tab, click Activate a Product.
The Activate Products page appears.
4. Type the serial number or license key for the product or service. Make sure to include any
hyphens.
Use the serial number to register a new XTM device, and the license key to register add-on
features.
5. Click Continue.
The Choose Product to Upgrade page appears.
6. In the drop-down list, select the device to upgrade or renew.
If you added a device name when you registered your XTM device, that name appears in the
list.
7. Click Activate.
The Retrieve and Apply Key page appears.
8. Copy the contents of the feature key to a text file and save it on your computer.
9. Click Finish.
Even though the XTM device can download the feature key from the WatchGuard
web site, it is a good idea to save the feature key contents to a local file, in case you
need to manually add the feature key to the XTM device when the device does not
have Internet access.
Add the Current Feature Key To The XTM Device
You can use Fireware XTM Web UI or Firebox System Manager to retrieve the current feature key from
the WatchGuard web site and add it directly to your XTM device. Or, you can log in to the WatchGuard
web site to download a current feature key to a file.
To use Fireware XTM Web UI to retrieve the current feature key:
1. Connect to Fireware XTM Web UI.
The Fireware XTM Web UI Dashboard appears.
2. Select System > Feature Key.
The Feature Key Summary page appears.
3. Click Get Feature Key.
Your feature key is downloaded from LiveSecurity and automatically updated on your XTM device.
If you are connected to your device through your Management Server, you do not have to provide
the Configuration passphrase.
To manually retrieve the current feature key from the WatchGuard web site:
1. Open a web browser and go to http://www.watchguard.com/.
2. Log in with your WatchGuard account user name and password.
3. On the Support Home tab, click My Products.
4. In the list of products, select your device.
5. Use the on-screen instructions to download and save a local copy of the feature key to a file.
6. To manually add the feature key to the XTM device, see Manually Add a Feature Key to Your
XTM Device.
Manually Add a Feature Key to Your XTM Device
If you purchase a new option or upgrade your XTM device, you can use Fireware XTM Web UI to
manually add a new feature key to enable the new features. Before you install the new feature key, you
must completely remove the old feature key.
To manually update the feature key on your XTM device from a local file:
1. Select System > Feature Key.
The Firebox Feature Key Summary page appears.
The features that are available with this feature key appear on this page.
2. To remove the current feature key, click Remove.
All feature key information is cleared from the page.
3. Click Update Feature Key.
The Add Firebox Feature Key page appears.
4. Copy the text of the feature key file and paste it in the text box.
5. Click OK.
The Feature Key page reappears with the new feature key information.
Remove a Feature Key
1. Select System > Feature Key.
The Firebox Feature Key page appears.
2. Click Remove Feature Key.
A confirmation dialog box appears.
3. Click Yes to confirm that you want to remove the Feature Key.
All feature key information is cleared from the page.
Enable Automatic Feature Key Synchronization
By default, your XTM device does not automatically update the feature key when features expire. You
can optionally enable automatic feature key synchronization. This enables the device to automatically
download the latest feature key from your account on the WatchGuard web site when a feature is
expired or about to expire.
When you enable automatic feature key synchronization:
• The XTM device immediately checks the expiration dates in the feature key, and continues to
check once per day.
• If any feature is expired, or will expire within three days, the XTM device automatically
downloads the latest feature key from WatchGuard once per day, until it successfully
downloads a feature key that does not have expired features.
• In a FireCluster, the cluster master synchronizes the feature keys for all cluster members.
• If the XTM device attempts to synchronize the feature key and fails to retrieve a feature key
from the WatchGuard server, the device sends an error to the log file. The error log includes
information about the type of failure.
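The Python example below is added to this guide and is not WatchGuard code. It models the schedule in the list above: a daily check of the expiration dates, a download once per day while any feature is expired or expires within three days, and a stop once a key without expired features has been received; a failed retrieval is recorded the way the device logs an error. The feature names, dates and the stand-in download function are constructed, and the real feature key format is not shown here.

```python
"""Model the automatic feature key synchronization schedule.

Added example, not WatchGuard code. It encodes only the rules the guide
states; the feature names, dates and the fetch_key stand-in are constructed.
"""
from datetime import date, timedelta

SYNC_WINDOW_DAYS = 3   # "expired, or will expire within three days"


def days_until_expiry(feature_key, today):
    """Map feature name -> days remaining (negative once expired).
    Features with no expiration date (None) are skipped."""
    return {name: (exp - today).days
            for name, exp in feature_key.items() if exp is not None}


def needs_sync(feature_key, today):
    """True when any feature is expired or expires within three days."""
    return any(d <= SYNC_WINDOW_DAYS
               for d in days_until_expiry(feature_key, today).values())


def has_expired_feature(feature_key, today):
    """True when at least one feature's expiration date has passed."""
    return any(d < 0 for d in days_until_expiry(feature_key, today).values())


def run_daily_checks(feature_key, start, fetch_key, days):
    """Run the daily check for `days` days starting at `start`.

    `fetch_key(day)` stands in for the download from the WatchGuard web
    site; it returns a feature key dict, or None to model a failed
    retrieval. Returns a list of (date, action) entries where action is
    one of "ok", "sync-failed", "synced" or "synced-still-expired".
    """
    log = []
    key = dict(feature_key)
    for i in range(days):
        today = start + timedelta(days=i)
        if not needs_sync(key, today):
            log.append((today, "ok"))
            continue
        new_key = fetch_key(today)
        if new_key is None:
            log.append((today, "sync-failed"))   # the device logs an error here
            continue
        key = dict(new_key)
        # Downloads continue once per day until the key has no expired features.
        action = "synced-still-expired" if has_expired_feature(key, today) else "synced"
        log.append((today, action))
    return log


def demo():
    """Constructed scenario: WebBlocker expires in two days, the web site is
    unreachable on the first day, and a renewed key arrives on the second."""
    start = date(2013, 10, 9)
    current = {"WebBlocker": date(2013, 10, 11), "spamBlocker": None,
               "Gateway AV": date(2014, 1, 1)}
    renewed = dict(current, WebBlocker=date(2014, 10, 11))

    def fetch_key(day):
        return None if day == start else renewed

    return run_daily_checks(current, start, fetch_key, days=4)


if __name__ == "__main__":
    for day, action in demo():
        print(day, action)
```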
To enable automatic feature key synchronization:
1. Connect to Fireware XTM Web UI.
2. Select System > Feature Key.
The Feature Key page appears.
3. Select the Enable automatic feature key synchronization check box to enable the device to
automatically synchronize the feature key with the WatchGuard web site.
Restart Your XTM Device
You can use Fireware XTM Web UI to restart your XTM device from a computer on the trusted
network. If you enable external access, you can also restart the XTM device from a computer on the
Internet. You can set the time of day at which your XTM device reboots automatically.
Restart the XTM Device Locally
To restart the XTM device locally, you can use Fireware XTM Web UI or you can power cycle the
device.
Reboot from Fireware XTM Web UI
To reboot the XTM device from Fireware XTM Web UI, you must log in with read-write access.
1. Select Dashboard > Front Panel.
2. In the System section, click Reboot.
Power Cycle
On the XTM 2 Series:
1. Disconnect the 2 Series device power supply.
2. Wait for a minimum of 10 seconds.
3. Connect the power supply again.
On the XTM 5 Series, 8 Series and XTM 1050:
1. Use the power switch to power off the device.
2. Wait for a minimum of 10 seconds.
3. Power on the device.
Restart the XTM Device Remotely
Before you can connect to your XTM device to manage or restart it from a remote computer external to
the XTM device, you must first configure the XTM device to allow management from the external
network.
For more information, see Manage an XTM Device From a Remote Location on page 90.
To restart the XTM device remotely from Fireware XTM Web UI:
1. Select Dashboard > Front Panel.
2. In the System section, click Reboot.
Enable NTP and Add NTP Servers
Network Time Protocol (NTP) synchronizes computer clock times across a network. Your XTM device
can use NTP to get the correct time automatically from NTP servers on the Internet. Because the XTM
device uses the time from its system clock for each log message it generates, the time must be set
correctly. You can change the NTP server that the XTM device uses. You can also add more
NTP servers or delete existing ones, or you can set the time manually.
To use NTP, your XTM device configuration must allow DNS. DNS is allowed in the default
configuration by the Outgoing policy. You must also configure DNS servers for the external interface
before you configure NTP.
1. Select System > NTP.
The NTP Setting page appears.
2. Select the Enable NTP Server check box.
3. To add an NTP server, select Host IP or Host name in the Choose Type drop-down list, then
type the IP address or host name of the NTP server you want to use in the adjacent text box.
You can configure up to three NTP servers.
4. To delete a server, select the server entry and click Remove.
5. Click Save.
Set the Time Zone and Basic Device Properties
When you run the Web Setup Wizard, you set the time zone and other basic device properties.
To change the basic device properties:
1. Connect to Fireware XTM Web UI.
2. Select System > Information.
The Information page appears.
3. Configure these options:
Model
The XTM device model number, as determined by Quick Setup Wizard. If you add a new
feature key to the XTM device with a model upgrade, the XTM device model in the device
configuration is automatically updated.
Name
The friendly name of the XTM device. You can give the XTM device a friendly name that
appears in your log files and reports. Otherwise, the log files and reports use the IP address
of the XTM device external interface. Many customers use a Fully Qualified Domain Name
as the friendly name if they register such a name with the DNS system. You must give the
XTM device a friendly name if you use the Management Server to configure VPN tunnels
and certificates.
Location, Contact
Type any information that could be helpful to identify and maintain the XTM device. These
fields are filled in by the Quick Setup Wizard if you entered this information there.
Time zone
Select the time zone for the physical location of the XTM device. The time zone setting
controls the date and time that appear in the log file and in tools such as WatchGuard
WebCenter and WebBlocker.
4. Click Save.
About SNMP
SNMP (Simple Network Management Protocol) is used to monitor devices on your network. SNMP
uses management information bases (MIBs) to define what information and events are monitored. You
must set up a separate software application, often called an event viewer or MIB browser, to collect
and manage SNMP data.
There are two types of MIBs: standard and enterprise. Standard MIBs are definitions of network and
hardware events used by many different devices. Enterprise MIBs are used to give information about
events that are specific to a single manufacturer.
Your XTM device supports these MIBs:
Standard MIBs
• IF-MIB
• IP-MIB
• RFC1155 SMI-MIB
• RFC1213-MIB
• SNMPv2-MIB
• SNMPv2-SMI
• TCP-MIB
• UDP-MIB
Enterprise MIBs
• IPSEC-ISAKMP-IKE-DOI-TC
• WATCHGUARD-CLIENT-MIB
• WATCHGUARD-INFO-SYSTEM-MIB
• WATCHGUARD-IPSEC-ENDPOINT-PAIR-MIB
• WATCHGUARD-IPSEC-SA-MON-MIB-EXT
• WATCHGUARD-IPSEC-TUNNEL-MIB
• WATCHGUARD-POLICY-MIB
• WATCHGUARD-PRODUCTS-MIB
• WATCHGUARD-SMI
• WATCHGUARD-SYSTEM-CONFIG-MIB
• WATCHGUARD-SYSTEM-STATISTICS-MIB
SNMP Polls and Traps
You can configure your XTM device to accept SNMP polls from an SNMP server. The XTM device
reports information to the SNMP server, such as the traffic count from each interface, device uptime,
the number of TCP packets received and sent, and when each network interface on the XTM device
was last modified.
An SNMP trap is an event notification your XTM device sends to an SNMP management station. The
trap identifies when a specific condition occurs, such as a value that is more than its predefined
threshold. Your XTM device can send a trap for any policy in Policy Manager. A trap is sent only once,
and the receiver does not send any acknowledgement when it gets the trap.
An SNMP inform request is similar to a trap, but the receiver sends a response. If your XTM device
does not get a response, it sends the inform request again until the SNMP manager sends a response.
Enable SNMP Polling
You can configure your XTM device to accept SNMP polls from an SNMP server. Your XTM device
reports information to the SNMP server such as the traffic count from each interface, device uptime,
the number of TCP packets received and sent, and when each network interface was last modified.
1. Select System > SNMP.
The SNMP page appears.
2. To enable SNMP, from the Version drop-down list, select v1/v2c or v3.
3. If you selected v1/v2c type the Community String the SNMP server uses when it contacts the
XTM device.
The community string is like a user ID or password that allows access to the statistics of a
device.
If you selected v3, type the User name the SNMP server uses when it contacts the XTM
device.
4. If you selected v3 and your SNMP server uses authentication, from the Authentication
Protocol drop-down list, select MD5 or SHA1.
In the adjacent Password and Confirm text boxes, type the authentication password.
5. If you selected v3 and your SNMP server uses encryption, from the Privacy Protocol drop-down list, select DES.
In the adjacent Password and Confirm text boxes, type the encryption password.
6. Click Save.
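What the SNMPv3 passwords from steps 4 and 5 become on the device is defined by RFC 3414 (the User-based Security Model): the password is stretched and hashed into a key, and that key is then localized with the engine ID of the XTM device, so the same password produces a different key on every SNMP engine. The Python example below is added to this guide and is not WatchGuard code; it implements that derivation with the two authentication protocols the page lists (MD5 and SHA1) and shows how the DES privacy key is carved from the localized privacy key. The password and engine ID used for the check are the published RFC 3414 appendix A.3 test vectors, not values from any WatchGuard device.

```python
"""SNMPv3 USM password-to-key and key localization (RFC 3414, 2.6 and A.2).

Added example, not WatchGuard code. The password and engine ID in the
demo are the RFC 3414 A.3 test vectors; no real device values are used.
"""
import hashlib

ALGOS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}
STRETCH_BYTES = 1048576   # RFC 3414: hash exactly 1,048,576 octets of password


def password_to_key(password, algo="SHA1"):
    """Ku: digest of the password repeated (and truncated) to 1 MiB."""
    pw = password.encode("utf-8")
    stretched = (pw * (STRETCH_BYTES // len(pw) + 1))[:STRETCH_BYTES]
    return ALGOS[algo](stretched).digest()


def localize_key(ku, engine_id, algo="SHA1"):
    """Kul = H(Ku || snmpEngineID || Ku): binds the key to one SNMP engine."""
    return ALGOS[algo](ku + engine_id + ku).digest()


def localized_key(password, engine_id_hex, algo="SHA1"):
    """Convenience wrapper: password and hex engine ID -> localized key (hex)."""
    engine_id = bytes.fromhex(engine_id_hex)
    return localize_key(password_to_key(password, algo), engine_id, algo).hex()


def des_key_material(localized_priv_key):
    """RFC 3414 8.1.1.1: of the 16-octet localized privacy key, the first 8
    octets are the DES key and the next 8 the pre-IV for CBC-DES."""
    return localized_priv_key[:8], localized_priv_key[8:16]


if __name__ == "__main__":
    engine = "000000000000000000000002"   # RFC 3414 A.3 test engine ID
    for algo in ("MD5", "SHA1"):
        print(algo, localized_key("maplesyrup", engine, algo))
```

The engine ID is sent in clear in SNMPv3 discovery, so the localization step does not add secrecy; it only stops one device's key from being valid on another. The strength of the keys therefore rests on the passwords typed in steps 4 and 5, which is why they should be long and unique, and why the SNMP policy in the next procedure is restricted to the management station's host IP.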
To enable your XTM device to receive SNMP polls, you must also add an SNMP packet filter policy.
1. Select Firewall > Firewall Policies.
2. Click Add Policy.
3. From the Packet Filters drop-down list, select SNMP. Click Add Policy.
The Policy Configuration page appears.
4. In the From section, click Add.
The Add Member dialog box appears.
5. From the Member type drop-down list, select Host IP.
6. In the text box, type the IP address of your SNMP server. Click OK.
The IP address of the SNMP server appears in the From list.
7. From the From list, select Any-Trusted. Click Remove.
8. In the To section, click Add.
The Add Member dialog box appears.
9. From the drop-down list, select Firebox. Click OK.
Firebox appears in the To list.
10. From the To list, select Any-External. Click Remove.
11. Click Save.
Enable SNMP Management Stations and Traps
An SNMP trap is an event notification your XTM device sends to an SNMP management station. The
trap identifies when a specific condition occurs, such as a value that is more than its predefined
threshold. Your XTM device can send a trap for any policy.
An SNMP inform request is similar to a trap, but the receiver sends a response. If your XTM device
does not get a response, it sends the inform request again until the SNMP manager sends a response.
A trap is sent only once, and the receiver does not send any acknowledgement when it gets the trap.
An inform request is more reliable than a trap because your XTM device knows whether the inform
request was received. However, inform requests consume more resources. They are held in memory
until the sender gets a response. If an inform request must be sent more than once, the retries increase
traffic. Because each outstanding inform request increases the amount of memory in use on the XTM device
and the amount of network traffic, we recommend that you consider whether every SNMP notification
needs an acknowledgement.
To enable SNMP inform requests, you must use SNMPv2 or SNMPv3. SNMPv1 supports only traps,
not inform requests.
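To make the trap-versus-inform distinction concrete, here is a Python script added to this guide as an illustration; it is not WatchGuard code and not part of Fireware XTM. It builds SNMPv2c notification datagrams with a minimal BER encoder, models a management station that acknowledges only inform requests, and retries an inform over a simulated lossy link. The community string, request IDs, retry count and loss pattern are constructed values; the PDU tags and OIDs are the standard SNMPv2 ones. The script also shows that the community string sits in cleartext in every v1/v2c datagram, which is why SNMPv3 with authentication and privacy is the better choice for the polling configuration above.

```python
import struct

# SNMPv2c PDU tags (RFC 3416). A trap and an inform carry the same payload; only
# the tag differs, and only an inform expects a Response PDU back from the manager.
TRAP, INFORM, RESPONSE = 0xA7, 0xA6, 0xA2
SNMP_V2C = 1  # version field value for SNMPv2c

def ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(v, tag=0x02):  # INTEGER by default; tag 0x43 gives TimeTicks
    return tlv(tag, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def ber_octets(s):
    return tlv(0x04, s.encode())

def ber_oid(oid):
    parts = [int(p) for p in oid.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:  # base-128 sub-identifiers, high bit set on all but the last byte
        chunk = bytearray([p & 0x7F])
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out += chunk
    return tlv(0x06, bytes(out))

def snmp_v2c_message(community, pdu_tag, request_id, varbinds):
    """Whole SNMPv2c datagram: Message ::= SEQUENCE { version, community, PDU }."""
    vbl = b"".join(tlv(0x30, ber_oid(oid) + value) for oid, value in varbinds)
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, vbl))
    return tlv(0x30, ber_int(SNMP_V2C) + ber_octets(community) + pdu)

def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_message(datagram):
    """Return (pdu_tag, community, request_id). In v1/v2c the community string is
    the only credential, and it is readable right here in cleartext."""
    _, body, _ = read_tlv(datagram)
    _, _version, p = read_tlv(body)
    _, community, p = read_tlv(body, p)
    pdu_tag, pdu, _ = read_tlv(body, p)
    _, rid, _ = read_tlv(pdu)
    return pdu_tag, community.decode(), int.from_bytes(rid, "big", signed=True)

def manager_receive(datagram):
    """Management station side: acknowledge informs with a Response PDU, never traps."""
    pdu_tag, community, request_id = decode_message(datagram)
    if pdu_tag == INFORM:
        return snmp_v2c_message(community, RESPONSE, request_id, [])
    return None

def notify(kind, community, request_id, varbinds, deliver, max_retries=3):
    """Device side. deliver(datagram) models the network: it returns the manager's
    response bytes, or None when the datagram or its response was lost.
    Returns (attempts, acknowledged)."""
    msg = snmp_v2c_message(community, TRAP if kind == "trap" else INFORM, request_id, varbinds)
    if kind == "trap":
        deliver(msg)  # fire and forget: nothing to wait for, nothing to retry
        return 1, False
    for attempt in range(1, max_retries + 1):
        resp = deliver(msg)  # the inform stays in memory until one of these is acknowledged
        if resp is not None:
            tag, _, rid = decode_message(resp)
            if tag == RESPONSE and rid == request_id:
                return attempt, True
    return max_retries, False

def lossy_network(drop_first):
    """Constructed network model: the first drop_first datagrams are lost."""
    sent = [0]
    def deliver(datagram):
        sent[0] += 1
        return None if sent[0] <= drop_first else manager_receive(datagram)
    return deliver

# Constructed notification payload: sysUpTime.0 (TimeTicks) and snmpTrapOID.0 = coldStart.
VARBINDS = [("1.3.6.1.2.1.1.3.0", ber_int(12345, tag=0x43)),
            ("1.3.6.1.6.3.1.1.4.1.0", ber_oid("1.3.6.1.6.3.1.1.5.1"))]

if __name__ == "__main__":
    print("inform over lossy link:", notify("inform", "public", 7, VARBINDS, lossy_network(2)))
    print("trap over lossy link:  ", notify("trap", "public", 8, VARBINDS, lossy_network(1)))
    print("community in clear:    ", b"public" in snmp_v2c_message("public", TRAP, 9, VARBINDS))
```

Run directly, the inform is acknowledged on the third attempt while the lost trap is simply gone and the sender never learns it; the cost of the inform is the datagram the sender must keep in memory between attempts, which is the trade-off the text above describes.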
Configure SNMP Management Stations
1. Select System > SNMP.
The SNMP page appears.
2. From the SNMP Traps drop-down list, select a trap or inform.
SNMPv1 supports only traps, not inform requests.
3. In the SNMP Management Stations text box, type the IP address of your SNMP server. Click
Add.
The IP address appears in the SNMP Management Stations list.
4. To remove a server from the list, select the entry and click Remove.
5. Click Save.
Add an SNMP Policy
To enable your XTM device to receive SNMP polls, you must also add an SNMP policy.
1. Select Firewall > Firewall Policies.
2. Click Add Policy.
3. From the Packet Filters drop-down list, select SNMP. Click Add Policy.
The Policy Configuration page appears.
4. In the Name text box, type a name for the policy.
5. Select the Enable check box.
6. In the From section, click Add.
The Add Member dialog box appears.
7. From the Member type drop-down list, select Host IP.
8. In the text box, type the IP address of your SNMP server. Click OK.
9. From the From list, select Any-Trusted. Click Remove.
10. In the To section, click Add.
The Add Member dialog box appears.
11. From the drop-down list, select Firebox. Click OK.
12. From the To list, select Any-External. Click Remove.
13. Click Save.
Send an SNMP Trap for a Policy
Your XTM device can send an SNMP trap when traffic is filtered by a policy. You must have at least
one SNMP management station configured to enable SNMP traps.
1. Select Firewall > Firewall Policies.
2. Click a policy.
Or, select a policy check box and from the Action drop-down list, select Edit Policy.
The Policy Configuration page appears.
3. Select the Settings tab.
4. In the Logging section, select the Send SNMP Trap check box.
5. Click Save.
About Management Information Bases (MIBs)
Fireware XTM supports two types of Management Information Bases (MIBs).
Standard MIBs
Standard MIBs are definitions of network and hardware events used by many different devices.
Your XTM device supports these standard MIBs:
n IF-MIB
n IP-MIB
n RFC1155 SMI-MIB
n RFC1213-MIB
n SNMPv2-MIB
n SNMPv2-SMI
n TCP-MIB
n UDP-MIB
These MIBs include standard network information, such as IP addresses and network interface settings.
Enterprise MIBs
Enterprise MIBs are used to give information about events that are specific to a single
manufacturer. Your XTM device supports these enterprise MIBs:
n IPSEC-ISAKMP-IKE-DOI-TC
n WATCHGUARD-CLIENT-MIB
n WATCHGUARD-INFO-SYSTEM-MIB
n WATCHGUARD-IPSEC-ENDPOINT-PAIR-MIB
n WATCHGUARD-IPSEC-SA-MON-MIB-EXT
n WATCHGUARD-IPSEC-TUNNEL-MIB
n WATCHGUARD-POLICY-MIB
n WATCHGUARD-PRODUCTS-MIB
n WATCHGUARD-SMI
n WATCHGUARD-SYSTEM-CONFIG-MIB
n WATCHGUARD-SYSTEM-STATISTICS-MIB
These MIBs include more specific information about device hardware.
If you want to install all MIBs, you must run the Fireware XTM OS installer for all XTM models you use.
You can find the Fireware XTM OS installer on the WatchGuard Portal.
About WatchGuard Passphrases, Encryption Keys,
and Shared Keys
As part of your network security solution, you use passphrases, encryption keys, and shared keys.
This topic includes information about most of the passphrases, encryption keys, and shared keys you
use for WatchGuard products. It does not include information about third-party passwords or
passphrases. Information about restrictions for passphrases, encryption keys, and shared keys is also
included in the related procedures.
Create a Secure Passphrase, Encryption Key, or Shared Key
To create a secure passphrase, encryption key, or shared key, we recommend that you:
n Use a combination of uppercase and lowercase ASCII characters, numbers, and special characters.
n Do not use a word from standard dictionaries, even if you use it in a different sequence or in a different language.
n Do not use a name. It is easy for an attacker to find a business name, familiar name, or the name of a famous person.
As an additional security measure, we recommend that you change your passphrases, encryption
keys, and shared keys at regular intervals.
XTM Device Passphrases
An XTM device uses two passphrases:
Status passphrase
The read-only password or passphrase that allows access to the XTM device. When you log in
with this passphrase, you can review your configuration, but you cannot save changes to the
XTM device. The status passphrase is associated with the user name status.
Configuration passphrase
The read-write password or passphrase that allows an administrator full access to the XTM
device. You must use this passphrase to save configuration changes to the XTM device. This is
also the passphrase you must use to change your XTM device passphrases. The configuration
passphrase is associated with the user name admin.
Each of these XTM device passphrases must be at least 8 characters.
User Passphrases
You can create user names and passphrases to use with Firebox authentication and role-based
administration.
User Passphrases for Firebox authentication
After you set this user passphrase, the characters are masked and it does not appear in plain
text again. If the passphrase is lost, you must set a new passphrase. The allowed range for this
passphrase is 8–32 characters.
User Passphrases for role-based administration
After you set this user passphrase, it does not appear again in the User and Group Properties
dialog box. If the passphrase is lost, you must set a new passphrase. This passphrase must be
at least 8 characters.
Server Passphrases
Administrator passphrase
The Administrator passphrase is used to control access to the WatchGuard Server Center. You
also use this passphrase when you connect to your Management Server from WatchGuard
System Manager (WSM). This passphrase must be at least 8 characters. The Administrator
passphrase is associated with the user name admin.
Authentication server shared secret
The shared secret is the key the XTM device and the authentication server use to secure the
authentication information that passes between them. The shared secret is case-sensitive and
must be the same on the XTM device and the authentication server. RADIUS, SecurID, and
VASCO authentication servers all use a shared key.
Encryption Keys and Shared Keys
Log Server encryption key
The encryption key is used to create a secure connection between the XTM device and the Log
Servers, and to avoid man-in-the-middle attacks. The allowed range for the encryption key is 8–
32 characters. You can use all characters except spaces and slashes (/ or \).
Backup/Restore encryption key
This is the encryption key you create to encrypt a backup file of your XTM device configuration.
When you restore a backup file, you must use the encryption key you selected when you
created the configuration backup file. If you lose or forget this encryption key, you cannot
restore the backup file. The encryption key must be at least 8 characters, and cannot be more
than 15 characters.
VPN shared key
The shared key is a passphrase used by two devices to encrypt and decrypt the data that goes
through the tunnel. The two devices use the same passphrase. If the devices do not have the
same passphrase, they cannot encrypt and decrypt the data correctly.
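The Python script below is an added example, not WatchGuard code, that turns the recommendations in Create a Secure Passphrase, Encryption Key, or Shared Key and the length limits listed above for each credential type into a checker you can run before you type a new value into the Web UI. It also enforces the rule that the status and configuration passphrases must differ. The wordlist is a constructed stand-in for a real dictionary and name list, and the credential type labels are names chosen here, not product identifiers.

```python
import re

# Length limits as stated for each credential type in this guide.
LIMITS = {
    "device":            (8, None),  # status and configuration passphrases
    "firebox_auth_user": (8, 32),
    "rba_user":          (8, None),  # role-based administration users
    "log_server_key":    (8, 32),    # also: no spaces, no / or \
    "backup_key":        (8, 15),
}

# Constructed stand-in for a real dictionary plus business and personal names;
# a real check would load a full wordlist.
WORDLIST = {"password", "watchguard", "firebox", "summer", "admin", "status", "seattle"}

def _wordlist_hit(value):
    """Catch a listed word used as-is, reversed, or with digits and punctuation
    pushed between its letters (the guide's 'different sequence')."""
    low = value.lower()
    candidates = (low, low[::-1], re.sub(r"[^a-z]", "", low))
    return any(word in c for word in WORDLIST for c in candidates)

def check_passphrase(value, kind):
    """Return the list of rules the value breaks; an empty list means it passes."""
    lo, hi = LIMITS[kind]
    problems = []
    if len(value) < lo:
        problems.append(f"shorter than {lo} characters")
    if hi is not None and len(value) > hi:
        problems.append(f"longer than {hi} characters")
    if not value.isascii():
        problems.append("contains non-ASCII characters")
    if kind == "log_server_key" and re.search(r"[ /\\]", value):
        problems.append("contains a space or slash")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(c, value) for c in classes):
        problems.append("needs lowercase, uppercase, digit and special character")
    if _wordlist_hit(value):
        problems.append("contains a dictionary word or name")
    return problems

def check_device_passphrases(status, config):
    """Both XTM device passphrases, plus the rule that they must be different."""
    result = {"status": check_passphrase(status, "device"),
              "config": check_passphrase(config, "device")}
    if status == config:
        result["pair"] = ["status and configuration passphrases must be different"]
    return result

if __name__ == "__main__":
    for sample in ("Tr0ub4dor&3x!", "Password1!", "firebox", "Xk9$mQ2#pL7@vR4!"):
        print(repr(sample), check_passphrase(sample, "backup_key") or "ok")
```

The backup key case is the one most often missed: a value that is fine everywhere else fails once it passes 15 characters, and a backup made with a key you cannot reproduce cannot be restored.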
Change XTM Device Passphrases
An XTM device uses two passphrases:
Status passphrase
The read-only password or passphrase that allows access to the XTM device.
Configuration passphrase
The read-write password or passphrase that allows an administrator full access to the XTM
device.
For more information about passphrases, see About WatchGuard Passphrases, Encryption Keys, and
Shared Keys on page 78.
To change the passphrases:
1. Select System > Passphrase.
The Passphrase page appears.
2. Type and confirm the new status (read-only) and configuration (read/write) passphrases. The
status passphrase must be different from the configuration passphrase.
3. Click Save.
Define XTM Device Global Settings
From Fireware XTM Web UI, you can specify the settings that control the actions of many XTM device
features. You can configure the basic parameters for:
n ICMP error handling
n TCP SYN checking
n TCP connection idle timeout
n TCP maximum size adjustment
n Traffic management and QoS
n Web UI port
n External console connections through the serial port
n Automatic device reboot
To configure the global settings:
1. Select System > Global Settings.
The Global Settings dialog box appears.
2. On the General tab, configure settings for these global categories, as described in the
subsequent sections:
n Web UI Port
n Automatic Reboot
n Device Feedback
3. On the Networking tab, configure settings for these global categories, as described in the
subsequent sections:
n ICMP Error Handling
n TCP Settings
n Traffic Management and QoS
n Traffic Flow
4. Click Save.
Change the Web UI Port
By default, Fireware XTM Web UI uses port 8080.
To change the default port:
1. In the Web UI Port text box, type or select a different port number.
2. Use the new port to connect to Fireware XTM Web UI and test the connection with the new
port.
Automatic Reboot
You can schedule your XTM device to automatically reboot at the day and time you specify.
To schedule an automatic reboot for your device:
1. Select the Schedule time for reboot check box.
2. In the adjacent drop-down list, select Daily to reboot at the same time every day, or select a day
of the week for a weekly reboot.
3. In the adjacent text boxes, type or select the hour and minute of the day (in 24-hour time format)
that you want the reboot to start.
Device Feedback
When you create a new configuration file for your XTM device, or upgrade your XTM device to Fireware
XTM OS v11.7.3 or higher, by default, your XTM device is configured to send feedback to
WatchGuard. This feedback helps WatchGuard to improve products and features. It includes
information about how your device is used and issues you encounter with your XTM device, but does
not include any information about your company or any company data that is sent through the XTM
device. Because of this, your device data is anonymous. All device feedback that is sent to
WatchGuard is encrypted.
This feature is only available for XTM devices that run Fireware XTM v11.7.3 or
higher.
When device feedback is enabled, feedback is sent to WatchGuard once each day and includes this
information:
n XTM device serial number
n Fireware XTM OS version and build number
n XTM device model
n XTM device uptime since the last restart
WatchGuard will initially use the information from the device feedback data to understand the
geographic distribution of Fireware XTM OS versions. In future releases, WatchGuard will expand the
data collected to include summarized information about which features and services are used on XTM
devices, about threats that are intercepted, and about device health and performance. This information
will help WatchGuard to better determine which areas of the product to enhance to provide the most
benefits to customers and users.
Use of the device feedback feature is entirely voluntary. You can disable it at any time.
To disable device feedback:
Clear the Send device feedback to WatchGuard check box.
Define ICMP Error Handling Global Settings
Internet Control Message Protocol (ICMP) error messages report problems with connections. ICMP is used to:
n Tell client hosts about error conditions
n Probe a network to find general characteristics about the network
The XTM device sends an ICMP error message each time an event occurs that matches one of the
parameters you selected. These messages are useful when you troubleshoot problems, but they can
also decrease security because they expose information about your network. If you deny these
ICMP messages, you can prevent some network probes, but this can also cause timeout delays for
incomplete connections, which can cause application problems.
Settings for global ICMP error handling are:
Fragmentation Req (PMTU)
Select this check box to allow ICMP Fragmentation Req messages. The XTM device uses
these messages for path MTU discovery.
Time Exceeded
Select this check box to allow ICMP Time Exceeded messages. A router usually sends these
messages when a route loop occurs.
Network Unreachable
Select this check box to allow ICMP Network Unreachable messages. A router usually sends
these messages when a network link is broken.
Host Unreachable
Select this check box to allow ICMP Host Unreachable messages. Your network usually sends
these messages when it cannot use a host or service.
Port Unreachable
Select this check box to allow ICMP Port Unreachable messages. A host or firewall usually
sends these messages when a network service is not available or is not allowed.
Protocol Unreachable
Select this check box to allow ICMP Protocol Unreachable messages.
To override these global ICMP settings for a specific policy, from Fireware XTM Web UI:
1. Select Firewall > Firewall Policies.
2. Double-click the policy to edit it.
The Policy Edit page appears.
3. Select the Advanced tab.
4. Select the Use policy-based ICMP error handling check box.
5. Select only the check boxes for the settings you want to enable.
6. Click Save.
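As an added illustration (example code written for this guide, not part of Fireware XTM), the Python script below maps each ICMP error handling check box to its standard ICMP type and code, applies either the global settings or a policy override to a packet, and decodes the quoted header that every ICMP error carries, which is the information the text above says these messages expose. The type/code mapping is standard ICMP (RFC 792 and RFC 1191); the sample packets and setting values are constructed. For ICMP messages that none of the six settings cover, the function returns None rather than guessing what the device does with them.

```python
import struct
from ipaddress import IPv4Address

# IPv4 ICMP type/code pairs behind each check box on the Global Settings page.
# The keys are the Web UI labels; the pairs are standard ICMP assignments.
ICMP_SETTINGS = {
    "Fragmentation Req (PMTU)": {(3, 4)},
    "Time Exceeded":            {(11, 0), (11, 1)},
    "Network Unreachable":      {(3, 0)},
    "Host Unreachable":         {(3, 1)},
    "Protocol Unreachable":     {(3, 2)},
    "Port Unreachable":         {(3, 3)},
}

def parse_icmp_error(packet):
    """Return (type, code, info). An ICMP error quotes the IP header and the first
    8 bytes of the datagram it refers to; info is what that quote reveals
    (addresses, protocol, ports, and for PMTU the next-hop MTU), or None when
    no complete quote is present."""
    icmp_type, code = packet[0], packet[1]
    inner = packet[8:]
    if len(inner) < 20:
        return icmp_type, code, None
    ihl = (inner[0] & 0x0F) * 4
    if len(inner) < ihl + 8:
        return icmp_type, code, None
    proto = inner[9]
    info = {"proto": proto,
            "src": str(IPv4Address(inner[12:16])),
            "dst": str(IPv4Address(inner[16:20]))}
    if proto in (6, 17):  # TCP or UDP: ports are the first 4 quoted transport bytes
        info["sport"], info["dport"] = struct.unpack("!HH", inner[ihl:ihl + 4])
    if (icmp_type, code) == (3, 4):  # next-hop MTU is the last 16 bits of the ICMP header
        info["next_hop_mtu"] = struct.unpack("!H", packet[6:8])[0]
    return icmp_type, code, info

def icmp_error_decision(packet, global_settings, policy_settings=None):
    """Apply the check boxes to one ICMP error. Both settings dicts map a Web UI
    label to True (allow) or False. policy_settings is None unless 'Use
    policy-based ICMP error handling' is selected for the matching policy; when
    present it replaces the global settings entirely. Returns
    (allowed, setting_name, info); allowed is None for messages not covered."""
    icmp_type, code, info = parse_icmp_error(packet)
    effective = policy_settings if policy_settings is not None else global_settings
    for name, pairs in ICMP_SETTINGS.items():
        if (icmp_type, code) in pairs:
            return bool(effective.get(name, False)), name, info
    return None, None, info

def build_icmp_error(icmp_type, code, src, dst, proto, sport, dport, mtu=0):
    """Constructed sample packet: ICMP header, quoted minimal IPv4 header, 8 L4 bytes."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                           IPv4Address(src).packed, IPv4Address(dst).packed)
    inner_l4 = struct.pack("!HHI", sport, dport, 0)
    return struct.pack("!BBHHH", icmp_type, code, 0, 0, mtu) + inner_ip + inner_l4

# Constructed global settings: deny everything except PMTU, so that path MTU
# discovery keeps working while unreachable messages give probes nothing.
GLOBAL = {name: False for name in ICMP_SETTINGS}
GLOBAL["Fragmentation Req (PMTU)"] = True

if __name__ == "__main__":
    pmtu = build_icmp_error(3, 4, "203.0.113.10", "192.0.2.5", 6, 443, 51234, mtu=1492)
    print(icmp_error_decision(pmtu, GLOBAL))
    unreach = build_icmp_error(3, 3, "192.0.2.5", "203.0.113.10", 17, 40000, 161)
    print(icmp_error_decision(unreach, GLOBAL))
    print(icmp_error_decision(unreach, GLOBAL, policy_settings={"Port Unreachable": True}))
```

The decoded info dictionary is the point of the exercise: a single Port Unreachable reply tells the sender which address and port were probed and which protocol the host spoke, so the decision to allow it should be made per policy, as the override procedure above permits, rather than globally.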
Configure TCP Settings
Enable TCP SYN checking
To enable TCP SYN checking to make sure that the TCP three-way handshake is completed
before the XTM device allows a data connection, select this option.
TCP connection idle timeout
The amount of time that the TCP connection can be idle before a connection timeout occurs.
Specify a value in seconds, minutes, hours, or days. The default setting is 1 hour.
You can also configure a custom idle timeout for an individual policy. For more information, see
Set a Custom Idle Timeout on page 535.
If you configure this global idle timeout setting and also enable a custom idle timeout for a
policy, the custom idle timeout setting takes precedence over the global idle timeout setting for
only that policy.
TCP maximum segment size control
The TCP maximum segment size (MSS) can be limited for connections that carry extra
encapsulation overhead (for example, PPPoE, ESP, or AH). If the MSS is not adjusted correctly,
users cannot get access to some web sites.
The global TCP maximum segment size adjustment settings are:
n Auto Adjustment— This option enables the XTM device to examine all maximum segment size (MSS) negotiations and change the MSS value to the applicable one.
n No Adjustment— The XTM device does not change the MSS value.
n Limit to— Type or select a size adjustment limit.
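The script below is an added example, not product code, that shows what MSS adjustment does to the options field of a TCP SYN under each of the three settings. It assumes IPv4 with a 20-byte IP header and a 20-byte TCP header without options (40 bytes of overhead), so that Auto Adjustment clamps the advertised MSS to path MTU minus 40; that interpretation of "the applicable one" is an assumption made here. The SYN options and the 1492-byte PPPoE path MTU are constructed inputs.

```python
import struct

MSS_KIND = 2
IPV4_TCP_OVERHEAD = 40  # assumption: 20-byte IPv4 header + 20-byte TCP header, no options

def parse_tcp_options(options):
    """Yield (kind, value, offset) for each option in a SYN's options field (RFC 793 encoding)."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:  # End of Option List
            return
        if kind == 1:  # No-Operation: one byte, no length field
            i += 1
            continue
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("malformed TCP option at offset %d" % i)
        yield kind, options[i + 2:i + length], i
        i += length

def adjust_mss(options, mode, limit=None, path_mtu=None):
    """Apply the global 'TCP maximum segment size control' setting to one SYN.
    mode "auto"  -> MSS becomes min(advertised, path_mtu - 40)  (Auto Adjustment)
         "none"  -> MSS is left alone                            (No Adjustment)
         "limit" -> MSS becomes min(advertised, limit)           (Limit to)
    Returns (new_options, advertised_mss, effective_mss); the MSS values are None
    when the SYN carries no MSS option."""
    if mode == "auto" and path_mtu is None or mode == "limit" and limit is None:
        raise ValueError("mode %r needs its size parameter" % mode)
    if mode not in ("auto", "none", "limit"):
        raise ValueError("unknown mode %r" % mode)
    opts = bytearray(options)
    for kind, value, off in parse_tcp_options(options):
        if kind != MSS_KIND or len(value) != 2:
            continue
        (advertised,) = struct.unpack("!H", value)
        if mode == "none":
            return bytes(opts), advertised, advertised
        target = path_mtu - IPV4_TCP_OVERHEAD if mode == "auto" else limit
        effective = min(advertised, target)
        struct.pack_into("!H", opts, off + 2, effective)  # rewrite in place; option length stays 4
        return bytes(opts), advertised, effective
    return bytes(opts), None, None

# Constructed SYN options as a typical Ethernet client sends them:
# MSS 1460, SACK permitted, NOP, window scale 7.
SYN_OPTIONS = bytes.fromhex("020405b4" "0402" "01" "030307")

if __name__ == "__main__":
    for mode, kw in (("auto", {"path_mtu": 1492}), ("limit", {"limit": 1400}), ("none", {})):
        new, adv, eff = adjust_mss(SYN_OPTIONS, mode, **kw)
        print(mode, adv, "->", eff, new.hex())
```

Only the two MSS value bytes change; the surrounding options, and the option length byte, are left intact, which is what keeps the rewritten SYN valid for the peer. A limit larger than the advertised MSS changes nothing, since the clamp only ever lowers the value.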
Enable or Disable Traffic Management and QoS
For performance testing or network debugging purposes, you can disable the Traffic Management and
QoS features.
To enable these features:
Select the Enable all traffic management and QoS features check box.
To disable these features:
Clear the Enable all traffic management and QoS features check box.
Manage Traffic Flow
By default, your XTM device does not close active connections when you modify a static NAT action
used by a policy. You can override this default setting and enable your XTM device to close any active
connections through a policy that uses an SNAT action that you modify.
To override the default Traffic Flow setting and enable this feature, in the Traffic Flow section:
Select the When an SNAT action changes, clear active connections that use that SNAT
action (Fireware XTM OS v11.8 and higher) check box.
About WatchGuard Servers
When you install the WatchGuard System Manager software, you can choose to install one or more of
the WatchGuard servers. You can also run the installation program and select to install only one or
more of the servers, without WatchGuard System Manager. When you install a server, the
WatchGuard Server Center program is automatically installed. WatchGuard Server Center is a single
application you can use to set up and configure all your WatchGuard System Manager servers. You
can also use WatchGuard Server Center to back up and restore your Management Server.
When you use Fireware XTM Web UI to manage your XTM devices, you can choose to also use
WatchGuard servers and WatchGuard Server Center. For more information about WatchGuard
System Manager, WatchGuard servers, and WatchGuard Server Center, see the Fireware
XTM WatchGuard System Manager v11.x Help and the Fireware XTM WatchGuard System Manager
v11.x User Guide.
The five WatchGuard servers are:
n Management Server
n Log Server
n Report Server
n Quarantine Server
n WebBlocker Server
For more information about WatchGuard System Manager and WatchGuard servers, see the Fireware
XTM WatchGuard System Manager v11.x Help or v11.x User Guide.
Each server has a specific function:
Management Server
The Management Server operates on a Windows computer. With this server, you can manage
all firewall devices and create virtual private network (VPN) tunnels with a simple drag-and-drop
function. The basic functions of the Management Server are:
n Certificate authority to distribute certificates for Internet Protocol Security (IPSec) tunnels
n VPN tunnel configuration management
n Management for multiple XTM devices
For more information about the Management Server, see the Fireware XTM WatchGuard
System Manager v11.x Help or v11.x User Guide.
Log Server
The Log Server collects log messages from each XTM device and stores them in a PostgreSQL
database. The log messages are encrypted when they are sent to the Log Server. The log
message format is XML (plain text). The types of log message that the Log Server collects
include traffic log messages, event log messages, alarms, and diagnostic messages. You can
view the log messages from your XTM devices with Firebox System Manager (FSM) Traffic Monitor
and in Log and Report Manager.
For more information about Log Servers, see the Fireware XTM WatchGuard System Manager
v11.x Help or v11.x User Guide.
For more information about how to view log messages, see Traffic Monitor on page 764.
Report Server
The Report Server periodically consolidates data collected by your Log Servers from your XTM
devices, and stores them in a PostgreSQL database. The Report Server then generates the
reports you specify. When the data is on the Report Server, you can review it with Log and
Report Manager.
For more information about the Report Server, see the Fireware XTM WatchGuard System
Manager v11.x Help or v11.x User Guide.
Quarantine Server
The Quarantine Server collects and isolates email messages that spamBlocker identifies as
possible spam.
For more information on the Quarantine Server, see About the Quarantine Server on page 1263.
WebBlocker Server
The WebBlocker Server operates with the HTTP-proxy to deny user access to specified
categories of web sites. When you configure an XTM device, you set the web site categories
you want to allow or block.
For more information about WebBlocker and the WebBlocker Server, see About WebBlocker on
page 1125.
Manage an XTM Device From a Remote Location
When you configure an XTM device with the Quick Setup Wizard, the WatchGuard policy is created
automatically. This policy allows you to connect to and administer the XTM device from any computer
on the trusted or optional networks. To manage the XTM device from a remote location (any location
external to the XTM device), then you must modify the WatchGuard policy to allow administrative
connections from the IP address of your remote location.
The WatchGuard policy controls access to the XTM device on these TCP ports: 4105, 4117, 4118.
When you allow connections in the WatchGuard policy, you allow connections to each of these ports.
Before you modify the WatchGuard policy, we recommend that you consider connecting to the XTM
device with a VPN. This greatly increases the security of the connection. If this is not possible, we
recommend that you allow access from the external network to only certain authorized users and to the
smallest number of computers possible. For example, your configuration is more secure if you allow
connections from a single computer instead of from the alias Any-External.
1. Select Firewall > Firewall Policies.
2. Click the WatchGuard policy.
Or, select the WatchGuard policy and from the Action drop-down list, select Edit Policy.
The Firewall Policies/Edit page appears.
3. In the From section, click Add.
The Add Member dialog box appears.
4. To add the IP address of the external computer that connects to the XTM device, from the
Member type drop-down list, select Host IP, type the IP address, and click OK.
5. To give access to an authorized user, from the Member Type drop-down list, select Alias.
For information about how to create an alias, see Create an Alias on page 515.
Configure an XTM Device as a Managed Device
If your XTM device has a dynamic IP address, or if the Management Server cannot connect to it for
another reason, you can configure the XTM device as a managed device before you add it to the
Management Server.
If your Management Server is not behind a gateway Firebox, you must configure the firewall that is
between the Management Server and the Internet to allow connections to the Management Server
public IP address over TCP ports 4110, 4112, and 4113.
Edit the WatchGuard Policy
1. Select Firewall > Firewall Policies.
The Firewall policies page appears.
2. Double-click the WatchGuard policy to open it.
The Policy Configuration page for the WatchGuard policy appears.
3. In the Connections are drop-down list, make sure Allowed is selected.
4. In the From section, click Add.
The Add Member dialog box appears.
5. In the Member Type drop-down list, select Host IP.
6. In the Member type text box, type the IP address of the external interface of the gateway
Firebox.
If you do not have a gateway Firebox that protects the Management Server from the Internet,
type the static IP address of your Management Server.
7. Click OK to close the Add Member dialog box.
8. Make sure the To section includes an entry of either Firebox or Any.
9. Click Save.
You can now add the device to your Management Server configuration. When you add this XTM device
to the Management Server configuration, the Management Server automatically connects to the static
IP address and configures the XTM device as a managed device.
Set Up the Managed Device
(Optional) If your XTM device has a dynamic IP address, or if the Management Server cannot find the
IP address of the XTM device for any reason, you can use this procedure to prepare your XTM device
to be managed by the Management Server.
1. Select System > Managed Device.
The Managed Device page appears.
2. To set up an XTM device as a managed device, select the Centralized Management check
box.
3. In the Managed Device Name text box, type the name you want to give the XTM device when
you add it to the Management Server configuration.
This name is case-sensitive and must match the name you use when you add the device to the
Management Server configuration.
4. In the Management Server IP Address(es) list, select the public IP address of the
Management Server.
Or, if the Management Server is behind a gateway Firebox, select the public IP address of the
gateway Firebox for the Management Server.
5. To add an address, type the IP address in the text box and click Add.
The XTM device that protects the Management Server automatically monitors all ports used by
the Management Server and forwards any connection on these ports to the configured
Management Server. When you use the Management Server Setup Wizard, the wizard adds a
WG-Mgmt-Server policy to your configuration to handle these connections. If you did not use
the Management Server Setup Wizard on the Management Server, or if you skipped the
Gateway Firebox step in the wizard, you must manually add the WG-Mgmt-Server policy to the
configuration of your gateway Firebox. When you add this policy, communication to the
Management Server over TCP ports 4110, 4112, and 4113 is automatically allowed.
If your Management Server is not behind a gateway Firebox, make sure to configure the firewall
that is between the Management Server and the Internet to allow connections to the
Management Server public IP address over TCP ports 4110, 4112, and 4113.
6. In the Shared Secret and Confirm text boxes, type the shared secret.
The shared secret you type here must match the shared secret you type when you add the XTM
device to the Management Server configuration.
7. Copy the text of your Management Server CA certificate file and paste it in the Management
Server Certificate text box.
8. Click Save.
When you save the configuration to the XTM device, the XTM device is enabled as a managed device.
The managed XTM device tries to connect to the IP address of the Management Server on TCP port
4110. Management connections are allowed from the Management Server to this managed XTM
device.
You can now add the device to your Management Server configuration. For more information, see the
WatchGuard System Manager Help or User Guide.
You can also use WSM to configure the management mode for your device. For more information, see
the WatchGuard System Manager Help or User Guide.
After you have configured your XTM device as a managed device, if your device is in a remote location
behind a third-party NAT gateway, you can configure a Management Tunnel to enable contact with the
XTM device. For more information about Management Tunnels, see the WatchGuard System Manager
Help.
Upgrade to a New Version of Fireware XTM
Periodically, WatchGuard makes new versions of Fireware XTM OS available to XTM device users with
active LiveSecurity subscriptions. To upgrade from one version of Fireware XTM OS to a new version,
use the procedures in the subsequent sections.
In Fireware XTM v11.7 and higher, if you use the Fireware XTM Web UI upgrade
feature to downgrade the version of Fireware XTM OS, the downgrade process
resets the configuration to factory default settings. The downgrade process does not
change the device passphrases and does not remove the feature keys and
certificates.
Install the Upgrade on Your Management Computer
1. Download the updated Fireware XTM OS installer file from the WatchGuard Portal on the
WatchGuard web site at http://www.watchguard.com.
2. Start the installer file that you downloaded and follow the instructions in the installer to
install the Fireware XTM upgrade file on your management computer.
By default, the file is installed in the C:\Program Files\Common
Files\WatchGuard\resources\FirewareXTM\11.x folder.
Upgrade the XTM Device
1. Select System > Backup Image to save a backup image of your XTM device.
For more information, see Make a Backup of the XTM Device Image on page 45.
We recommend that you always create a backup image before you upgrade. You
must have the backup image and the associated encryption key if you want to
downgrade the device to the previous version and configuration in the future.
2. Select System > Upgrade OS.
The Upgrade OS page appears.
3. Click Browse to select the upgrade file from the directory where you installed it.
The name of the upgrade file appears on the Upgrade OS page. The file name ends with .sysa_dl.
4. Click Upgrade.
The upgrade procedure can take up to 15 minutes and automatically reboots the XTM device.
If your XTM device has been in operation for some time before you upgrade, you might have to restart
the device before you start the upgrade to clear the temporary memory.
Downgrade Fireware XTM OS
Use these procedures to downgrade the version of Fireware XTM OS to an earlier version.
It is not necessary to downgrade WatchGuard System Manager when you
downgrade Fireware XTM OS, because WatchGuard System Manager can manage
XTM devices that use earlier versions of Fireware XTM OS.
Use a Saved Backup Image to Downgrade
The recommended method to downgrade an XTM device to an older version of Fireware XTM OS is to
use the saved backup image that you created before the most recent Fireware XTM OS upgrade on the
device. If you have a backup image, there are two procedures you can use to downgrade an
XTM device to an earlier version of Fireware XTM OS:
n Restore the full backup image you created for the device before the last Fireware XTM OS upgrade.
For more information, see Restore an XTM Device Backup Image.
n Use the USB backup file you created before the upgrade as your auto-restore image on a USB drive.
For more information, see Automatically Restore a Backup Image from a USB Drive.
Downgrade Without a Backup Image
If you do not have a backup image for your XTM device, there are two other methods you can use to
downgrade Fireware XTM OS to an earlier version:
n Use the Quick Setup Wizard in WatchGuard System Manager to downgrade an XTM device in recovery mode.
This downgrade requires that you create a new basic configuration. It removes the feature key
and certificates. After the downgrade, you can use Policy Manager to save a different
configuration file to the device.
For more information, see the WatchGuard System Manager Help or User Guide.
n Use the Upgrade feature in the Fireware XTM Web UI to install an older version of Fireware XTM OS.
Use this method only to downgrade a device from Fireware XTM OS v11.7 or later. This
downgrade procedure resets the configuration to factory default settings. The downgrade
process does not change the device passphrases and does not remove the feature keys and
certificates.
For more information, see Use the Web UI to Downgrade from Fireware XTM OS v11.7 or Higher.
Use the Web UI to Downgrade from Fireware XTM OS v11.7 or
Higher
You can use the upgrade feature in the Fireware XTM Web UI to downgrade the device to an earlier
version.
In Fireware XTM v11.7 and higher, if you use the Fireware XTM Web UI upgrade
feature to downgrade the version of Fireware XTM OS, the downgrade process
resets the configuration to factory default settings. The downgrade process does not
change the device passphrases and does not remove the feature keys and
certificates.
If you have a saved backup image, the recommended method to downgrade an XTM device to an
earlier version of Fireware XTM OS is to restore the XTM device backup image. For more information,
see Downgrade Fireware XTM OS.
Do not use this procedure to downgrade a device that currently runs a version of Fireware XTM OS
lower than v11.7. If you want to downgrade a device that currently uses Fireware XTM OS v11.6.x or
lower to an earlier version and do not have a backup image, you can use the WSM Quick Setup Wizard
and recovery mode to downgrade the device. For more information, see the WatchGuard System
Manager Help or User Guide.
Step 1 — Install the Older Version of Fireware XTM OS
If you do not already have it, install the older version of Fireware XTM OS on your management
computer.
1. Download the older version of Fireware XTM OS installer file from the WatchGuard Portal on the
WatchGuard web site at http://www.watchguard.com.
2. Install the Fireware XTM OS file on your management computer.
By default, the file is installed in the C:\Program Files\Common
Files\WatchGuard\resources\FirewareXTM\11.x folder.
Step 2 — Use the Upgrade Feature in Fireware XTM Web UI to Downgrade
1. Select System > Upgrade OS.
The Upgrade OS page appears.
2. Click Browse to select the downgrade file from the folder where you installed it.
The name of the file appears on the Upgrade OS page. The file name ends with .sysa_dl.
3. Click Upgrade.
After the file upload is complete, a warning appears stating that if you continue, the configuration will
be downgraded, and reset to the factory default configuration.
4. Click Yes to continue with the downgrade.
After the downgrade, the network and security settings are reset to factory default settings, but the
admin and status management account passphrases are not reset. You must connect to the device on
Eth1, with the default IP address 10.0.1.1 to manage it. For more information about the factory default
settings, see About Factory-Default Settings.
Download or Show the XTM Device Configuration
From the Fireware XTM Web UI, you can download the complete XTM device configuration to a file
that can be opened by Policy Manager, or you can generate an XTM Configuration Report to browse
and print most configuration settings from a single browser page.
For more information about how to download the configuration file, see Download the Configuration
File.
For more information about the XTM Configuration Report, see Show the XTM Configuration Report.
Download the Configuration File
From the Fireware XTM Web UI, you can download your XTM device configuration to a compressed
file. This can be useful if you want to open the same configuration file in Fireware XTM Policy Manager
but are unable to connect to the device from Policy Manager. This can also be useful if you want to
send your configuration file to a WatchGuard technical support representative.
1. Select System > Configuration File.
2. Click Download the configuration file.
The Select location for download dialog box appears.
3. Select a location to save the configuration file.
The configuration file is saved in a compressed (.tgz) file format. Before you can use this file with
Fireware XTM Policy Manager, you must extract the zipped file to a folder on your computer.
For more information about Policy Manager see the WatchGuard System Manager Help.
See Also
Show the XTM Configuration Report
Show the XTM Configuration Report
From the Fireware XTM Web UI, you can generate an XTM Configuration Report to show many
XTM device configuration settings in an easy-to-read, printable format. The XTM Configuration Report
opens in a separate browser window.
The XTM Configuration Report gives you an overview of your device configuration. It can be a useful
tool if you want to review your security policy implementation with your organization’s management
team. While it includes configuration information for many Fireware XTM features, it does not include
all configuration details. For example, it does not include:
- FireCluster
- Multi-WAN details
- Dynamic routing
- Wireless
- IPv6, secondary networks, MAC access control, PPPoE, DHCP client, DHCP server, and
advanced interface settings
- Some policy and proxy settings such as policy based routing, IPS, Application Control, logging,
and notification
- Proxy action configuration details
To see the XTM Configuration Report, you must configure your browser to allow
popups for Fireware XTM Web UI.
To show the XTM Configuration Report:
1. Select System > Configuration File.
2. Click XTM Configuration Report.
The XTM Configuration Report opens in a new browser window or tab.
The XTM Configuration Report is divided into five main sections:
- Network — Network configuration settings
- Setup — System configuration, aliases, logging, NTP, SNMP, and global settings
- Firewall Policy — Firewall policies and proxy action settings
- VPN — Branch Office VPN and Mobile VPN settings
- Subscription Services — Subscription services settings
To move to a section of the report, click a section link in the Contents list.
To print the XTM Configuration Report, click [Print] at the top-right corner of the page.
About Upgrade Options
You can add upgrades to your XTM device to enable additional subscription services, features, and
capacity.
For a list of available upgrade options, see www.watchguard.com/products/options.asp.
Subscription Services Upgrades
Application Control
Enables you to monitor and control the use of applications on your network.
For more information, see About Application Control.
WebBlocker
Enables you to control access to web content based on content categories.
For more information, see About WebBlocker on page 1125.
spamBlocker
Enables you to filter spam and bulk email.
For more information, see About spamBlocker on page 1149.
Intrusion Prevention Service (IPS)
Enables you to prevent intrusion attempts by hackers.
For more information, see About Intrusion Prevention Service.
Gateway AntiVirus
Enables you to identify and block known spyware and viruses.
For more information, see About Gateway AntiVirus on page 1179.
Reputation Enabled Defense
Enables you to control access to web sites based on their reputation score.
For more information, see About Reputation Enabled Defense.
Data Loss Prevention
Enables you to detect, monitor, and prevent accidental unauthorized transmission of
confidential information outside your network or across network boundaries.
For more information, see About Data Loss Prevention.
Appliance and Software Upgrades
Pro
The Pro upgrade to Fireware XTM provides several advanced features for experienced
customers, such as server load balancing and additional SSL VPN tunnels. The features
available with a Pro upgrade depend on the type and model of your XTM device.
For more information, see Fireware XTM with a Pro Upgrade on page 17.
Model upgrades
For some XTM device models, you can purchase a license key to upgrade the device to a higher
model in the same product family. A model upgrade gives your XTM device the same functions
as a higher model.
To compare the features and capabilities of different XTM device models, go to
http://www.watchguard.com/products/compare.asp.
How to Apply an Upgrade
When you purchase an upgrade, you register the upgrade on the WatchGuard LiveSecurity web site.
Then you download a feature key that enables the upgrade on your XTM device.
For information about feature keys, see About Feature Keys on page 59.
About Subscription Services Expiration and Renewal
The XTM subscription services need regular updates to operate effectively. The subscription services
are:
- Gateway AntiVirus
- Intrusion Prevention Service
- WebBlocker
- spamBlocker
- Reputation Enabled Defense
- Application Control
- Data Loss Prevention
In addition, an initial LiveSecurity subscription is activated when you register your product. Your
LiveSecurity subscription gives you access to technical support, software updates, and feature
enhancements. It also extends the hardware warranty of your WatchGuard device and provides
advance hardware replacement.
We recommend that you renew your subscription services before they expire. WatchGuard charges a
reinstatement fee for any subscriptions that are allowed to lapse.
Subscription Renewal Reminders
The Firebox or XTM device sends you reminders to renew your subscriptions. When you save a
configuration to your Firebox or XTM device, Policy Manager warns you if a subscription will expire.
These warnings appear 60 days before, 30 days before, 15 days before, and one day before the
expiration date.
You can also use Firebox System Manager to monitor your subscription services. If a subscription
service is about to expire or is expired, a warning appears on the front panel of Firebox System
Manager and Renew Now appears at the upper-right corner of the window. Click Renew Now to go to
the LiveSecurity Service web site to renew the subscription.
In the Fireware XTM Web UI, you can see the subscription service expiration dates in the License
Information section of the System page.
Feature Key Compliance
When you save a configuration to the device from Policy Manager (File > Save > To Firebox), Policy
Manager checks to see if any configured services are expired. You cannot save any configuration
changes from Policy Manager to the Firebox or XTM device when a configured subscription service is
expired. If you try to save a configuration to the device, the Feature Key Compliance dialog box
appears, with a list of all configured services that are expired. You must either add a feature key with a
later expiration date for the expired services, or you must select each service and click Disable to
disable the service. After you disable the expired services, Policy Manager saves the updated
configuration to the device.
If the LiveSecurity subscription on your device is expired, you can save configuration changes to the
device, but you cannot upgrade or reinstall any version of Fireware XTM OS on the device.
Security Service Expiration Behavior
When a subscription service expires, that service does not operate, and the configuration options are
disabled. The specific expiration behaviors for each subscription service are described below.
Gateway AntiVirus
When the Gateway AntiVirus subscription expires:
- Gateway AntiVirus signature updates stop immediately.
- Gateway AntiVirus stops detecting and blocking viruses immediately. If the device attempts a
Gateway AV scan when Gateway AV is enabled but expired, the device takes the same action
as when a scan error occurs, as configured in the AntiVirus proxy action settings. A scan error
is also sent to the log file.
- Gateway AntiVirus configuration options are disabled in Policy Manager, except for the ability to
disable Gateway AntiVirus for a policy that has it enabled.
- Gateway AntiVirus configuration options are disabled in the Fireware XTM Web UI.
Intrusion Prevention Service (IPS)
When the IPS subscription expires:
- IPS signature updates stop immediately.
- IPS stops detecting and blocking intrusions immediately.
- For Fireware XTM v11.0 - v11.3.x, if the device attempts an IPS scan when IPS is enabled but
expired, the device allows the content and sends a scan error to the log file.
- For Fireware XTM v11.4 and later, IPS configuration options are disabled in Policy Manager.
- For Fireware XTM v11.0 - v11.3.x, IPS configuration options are disabled in Policy Manager,
except for the ability to disable IPS for a policy that has it enabled.
- IPS configuration options are disabled in the Fireware XTM Web UI.
WebBlocker
When the WebBlocker subscription expires:
- Updates to the WebBlocker Server stop immediately.
- WebBlocker stops scanning web content immediately.
- The License Bypass setting in the WebBlocker configuration controls whether policies that
have WebBlocker enabled allow or deny access to all web sites when WebBlocker is expired.
By default, policies that have WebBlocker enabled deny access to all web sites when the
WebBlocker service is expired.
If your WebBlocker subscription expires, and you did not change the default License Bypass
setting before the service expired, WebBlocker blocks access to all web sites. You cannot
change the License Bypass setting after the service has expired. If your service is expired and
WebBlocker blocks access to all web sites, you must either disable WebBlocker for each policy
that had it enabled, or renew the WebBlocker service and import an updated feature key.
- WebBlocker configuration options are disabled in Policy Manager, except for the ability to
disable WebBlocker for a policy that has it enabled.
- WebBlocker configuration options are disabled in the Fireware XTM Web UI.
spamBlocker
When the spamBlocker subscription expires:
- spamBlocker stops blocking spam immediately.
- spamBlocker configuration options are disabled in Policy Manager, except for the ability to
disable spamBlocker for a policy that has it enabled.
- spamBlocker configuration options are disabled in the Fireware XTM Web UI.
Reputation Enabled Defense
When the Reputation Enabled Defense subscription expires:
- Reputation Enabled Defense stops checking reputation immediately.
- Reputation Enabled Defense configuration options are disabled in Policy Manager, except for
the ability to disable Reputation Enabled Defense for a policy that has it enabled.
- Reputation Enabled Defense configuration options are disabled in the Fireware XTM Web UI.
Application Control
When the Application Control subscription expires:
- Application Control signature updates stop immediately.
- Application Control stops identifying and blocking applications immediately.
- Application Control configuration options are disabled in Policy Manager.
- Application Control configuration options are disabled in the Fireware XTM Web UI.
Data Loss Prevention (DLP)
When the DLP subscription expires:
- DLP signature updates stop immediately.
- DLP stops identifying DLP violations immediately.
- DLP configuration options are disabled in Policy Manager.
- DLP configuration options are disabled in the Fireware XTM Web UI.
LiveSecurity Service
When the LiveSecurity subscription expires:
- You cannot upgrade or reinstall Fireware XTM OS on your device, even if it is a Fireware
XTM OS version that was released before the LiveSecurity expiration date.
- WatchGuard does not provide telephone and web-based support, software updates and
enhancements, or hardware replacement (RMA).
- All other functionality, including Fireware XTM Pro upgrade features, VPN features, logging,
and management functions, continue to operate.
- You can manage your device and save configuration changes to your device from Policy
Manager or the Web UI.
- You can save a backup image of your configuration from Policy Manager or the Web UI.
Synchronize Subscription Renewals
If you have many subscriptions with different expiration dates, your WatchGuard reseller can create a
custom renewal quote that synchronizes the renewal dates for multiple subscription services. Contact
WatchGuard or your WatchGuard reseller for details.
Renew Subscription Services
WatchGuard subscription services must get regular updates to operate effectively.
To see the expiration date of your subscription services, from Fireware XTM Web UI, select System
> Feature Key. The Expiration column shows when the subscription expires. You can also see the
number of days until each service expires on the system Dashboard. Select Dashboard > System to
see the system Dashboard.
When you renew the security subscription, you must update the feature key on the XTM device. To
update the feature key, from Fireware XTM Web UI, select System > Feature Key.
For more information about feature keys, see About Feature Keys on page 59.
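The renewal reminder checkpoints (60, 30, 15 and 1 days), the Feature Key Compliance rule (an expired service that is still enabled in the configuration blocks a save from Policy Manager) and the LiveSecurity rule (an expired LiveSecurity subscription blocks OS upgrades but not configuration saves) are easy to script as a daily check against the dates shown on the System > Feature Key page. The following is an added example, not WatchGuard code; the feature key and the set of enabled services are constructed sample data, and it assumes a service counts as expired once today is past its expiration date.

```python
"""Subscription expiration check.

Added example, not WatchGuard code. The feature key below is CONSTRUCTED sample
data shaped like the System > Feature Key page (service name -> expiration date).
Rules mirrored from the guide: reminders at 60, 30, 15 and 1 days before expiration;
an expired service that is still configured blocks saving a configuration from
Policy Manager; an expired LiveSecurity subscription blocks OS upgrades only.
Assumption: a service counts as expired once today is past its expiration date.
"""
from datetime import date

REMINDER_DAYS = (60, 30, 15, 1)

# Constructed sample feature key and the services enabled in the configuration
SAMPLE_FEATURE_KEY = {
    "Gateway AntiVirus": date(2014, 2, 15),
    "Intrusion Prevention Service": date(2015, 1, 1),
    "WebBlocker": date(2013, 12, 20),
    "spamBlocker": date(2013, 12, 20),
    "LiveSecurity": date(2013, 11, 30),
}
SAMPLE_CONFIGURED = {"Gateway AntiVirus", "Intrusion Prevention Service", "WebBlocker"}
SAMPLE_TODAY = date(2014, 1, 1)


def days_until(expires: date, today: date) -> int:
    """Signed number of days until expiration; negative once the date has passed."""
    return (expires - today).days


def reminder_stage(expires: date, today: date):
    """Return the reminder stage reached (60, 30, 15 or 1 days before expiration),
    or None when the service is already expired or still more than 60 days away."""
    left = days_until(expires, today)
    if left < 0:
        return None
    due = [d for d in REMINDER_DAYS if left <= d]
    return min(due) if due else None


def assess(feature_key, configured, today):
    """Summarise what an operator must act on.

    reminders         -> {service: stage} for configured services inside the 60-day window
    blocks_save       -> configured services already expired (Feature Key Compliance dialog)
    blocks_os_upgrade -> True when the LiveSecurity subscription is expired
    """
    reminders, blocks_save = {}, []
    for service in sorted(configured):
        expires = feature_key[service]
        if days_until(expires, today) < 0:
            blocks_save.append(service)
        else:
            stage = reminder_stage(expires, today)
            if stage is not None:
                reminders[service] = stage
    blocks_os_upgrade = days_until(feature_key["LiveSecurity"], today) < 0
    return {"reminders": reminders, "blocks_save": blocks_save,
            "blocks_os_upgrade": blocks_os_upgrade}


if __name__ == "__main__":
    print(assess(SAMPLE_FEATURE_KEY, SAMPLE_CONFIGURED, SAMPLE_TODAY))
```

With the sample data, spamBlocker is expired but not enabled in the configuration, so it does not block a save; WebBlocker is expired and enabled, so it does, which is exactly the case where the default License Bypass setting also denies all web access until the key is renewed or the service is disabled per policy.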
Subscription Services Status and Manual Signature Updates
The Gateway AntiVirus, Intrusion Prevention Service, Application Control, and Data Loss Prevention
security services use a frequently-updated set of signatures to identify the latest viruses, threats, and
applications. You can configure these services to update signatures automatically. For information
about signature update settings see:
- Configure the Gateway AV Update Server
- Configure the IPS Update Server
- Configure the Application Control Update Server
- Configure the DLP Update Server
You can also update signatures manually. If the signatures on the XTM device are not current, you are
not protected from the latest viruses and intrusions.
The Subscription Services status page shows statistics about the subscription services activity, and
shows the status of signature updates. For each signature-based service, you can see the current
signature version installed and whether a newer version of signatures is available.
To see the status of Subscription Services:
1. Connect to Fireware XTM Web UI for your device.
2. Select Dashboard > Subscription Services.
The Subscription Services status page appears.
3. To manually update signatures for a service, click Update for each service you want to update.
The XTM device downloads the most recent available signature update.
For more information about the statistics on this page, see About the Dashboard and System Status
Pages on page 751.
6 Network Setup and Configuration
About Network Interface Setup
A primary component of your XTM device setup is the configuration of network interface IP addresses.
When you run the Quick Setup Wizard, the external and trusted interfaces are set up so traffic can flow
from protected devices to an outside network. You can use the procedures in this section to change the
configuration after you run the Quick Setup Wizard, or to add other components of your network to the
configuration. For example, you can set up an optional interface for public servers such as a web
server.
Your XTM device physically separates the networks on your Local Area Network (LAN) from those on
a Wide Area Network (WAN) like the Internet. Your device uses routing to send packets from networks
it protects to networks outside your organization. To do this, your device must know what networks are
connected on each interface.
We recommend that you record basic information about your network and VPN configuration in the
event that you need to contact technical support. This information can help your technician resolve
your problem quickly.
Network Modes
Your XTM device supports several network modes:
Mixed routing mode
In mixed routing mode, you can configure your XTM device to send network traffic between a
wide variety of physical and virtual network interfaces. This is the default network mode, and
this mode offers the greatest amount of flexibility for different network configurations. However,
you must configure each interface separately, and you may have to change network settings for
each computer or client protected by your XTM device. The XTM device uses Network Address
Translation (NAT) to send information between network interfaces.
For more information, see About Network Address Translation on page 211.
The requirements for mixed routing mode are:
- All interfaces of the XTM device must be configured on different subnets. The minimum
configuration includes the external and trusted interfaces. You also can configure one or
more optional interfaces.
- All computers connected to the trusted and optional interfaces must have an IP address
from that network.
Drop-in mode
In a drop-in configuration, your XTM device is configured with the same IP address on all
interfaces. You can put your XTM device between the router and the LAN and not have to
change the configuration of any local computers. This configuration is known as drop-in
because your XTM device is dropped in to an existing network. Some network features, such as
bridges and VLANs (Virtual Local Area Networks), are not available in this mode.
For drop-in configuration, you must:
- Assign a static external IP address to the XTM device.
- Use one logical network for all interfaces.
- Not configure multi-WAN in Round-robin or Failover mode.
For more information, see Drop-In Mode on page 136.
Bridge mode
Bridge mode is a feature that allows you to place your XTM device between an existing network
and its gateway to filter or manage network traffic. When you enable this feature, your XTM
device processes and forwards all incoming network traffic to the gateway IP address you
specify. When the traffic arrives at the gateway, it appears to have been sent from the original
device. In this configuration, your XTM device cannot perform several functions that require a
public and unique IP address. For example, you cannot configure an XTM device in bridge mode
to act as an endpoint for a VPN (Virtual Private Network).
For more information, see Bridge Mode on page 142.
Interface Types
You use three interface types to configure your network in mixed routing or drop-in mode:
External Interfaces
An external interface is used to connect your XTM device to a network outside your
organization. Often, an external interface is the method by which you connect your XTM device
to the Internet.
When you configure an external interface, you must choose the method your Internet service
provider (ISP) uses to give you an IP address for your XTM device. If you do not know the
method, get this information from your ISP or network administrator.
Trusted Interfaces
Trusted interfaces connect to the private LAN (local area network) or internal network of your
organization. A trusted interface usually provides connections for employees and secure
internal resources.
Optional Interfaces
Optional interfaces are mixed-trust or DMZ environments that are separate from your trusted
network. Examples of computers often found on an optional interface are public web servers,
FTP servers, and mail servers.
In mixed routing mode, you can also configure Bridge, VLAN, and Link Aggregation interfaces.
For more information about all interface types, see Common Interface Settings on page 145.
For an XTM 2 Series, 3 Series, or 5 Series device, you can use Fireware XTM Web UI to configure
failover to an external modem.
For more information, see Configure Modem Failover on page 200.
When you configure the interfaces on your XTM device, you must use slash notation to denote the
subnet mask. For example, you would enter the IPv4 network range 192.168.0.0 subnet mask
255.255.255.0 as 192.168.0.0/24. A trusted interface with the IPv4 address of 10.0.1.1/16 has a
subnet mask of 255.255.0.0.
For more information on slash notation, see About Slash Notation on page 5.
About Private IP Addresses
When you configure a trusted or optional interface, we recommend that you use an IP address in one of
the three IP address ranges reserved by the Internet Engineering Task Force (IETF) for private
networks on LANs.
- 192.168.0.0/16
- 172.16.0.0/12
- 10.0.0.0/8
By default, the XTM device enables dynamic NAT for outbound traffic from addresses in these ranges
to any external interface.
For more information about dynamic NAT, see About Dynamic NAT.
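The three rules stated above (slash notation for subnet masks, every interface in mixed routing mode on a different subnet with at least an external and a trusted interface, and trusted or optional addresses drawn from the private ranges) can be checked before an interface plan is typed into the Web UI. The following is an added example, not WatchGuard code; the interface table is constructed sample input and the interface names and roles are assumptions for illustration.

```python
"""Interface plan checks for mixed routing mode.

Added example, not WatchGuard code. It mirrors three rules from the guide:
slash notation <-> dotted subnet masks, every interface on a different subnet
(external and trusted required), and trusted/optional addresses inside the
private ranges. The interface table below is CONSTRUCTED sample input.
"""
import ipaddress

# The three IETF private ranges listed in the guide
PRIVATE_RANGES = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# Constructed sample: interface -> (role, address in slash notation)
SAMPLE_PLAN = {
    "eth0": ("external", "203.0.113.2/24"),
    "eth1": ("trusted", "10.0.1.1/16"),
    "eth2": ("optional", "192.168.50.1/24"),
}


def slash_to_netmask(prefix_len: int) -> str:
    """24 -> '255.255.255.0'; 16 -> '255.255.0.0'."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix_len}").netmask)


def netmask_to_slash(netmask: str) -> int:
    """'255.255.0.0' -> 16. Raises ValueError for a non-contiguous mask."""
    return ipaddress.ip_network(f"0.0.0.0/{netmask}").prefixlen


def check_interface_plan(plan):
    """Return a list of problem strings (empty when the plan is acceptable)."""
    problems = []
    roles = {role for role, _ in plan.values()}
    for required in ("external", "trusted"):
        if required not in roles:
            problems.append(f"no {required} interface configured")

    # Each interface must sit on its own subnet: flag any pair whose networks overlap
    nets = {name: ipaddress.ip_interface(addr) for name, (_, addr) in plan.items()}
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].network.overlaps(nets[b].network):
                problems.append(f"{a} {nets[a].network} overlaps {b} {nets[b].network}")

    # Trusted and optional interfaces should use private addresses
    for name, (role, _) in plan.items():
        if role in ("trusted", "optional"):
            ip = nets[name].ip
            if not any(ip in r for r in PRIVATE_RANGES):
                problems.append(f"{name} address {ip} is not in a private range")
    return problems


if __name__ == "__main__":
    for line in check_interface_plan(SAMPLE_PLAN) or ["plan OK"]:
        print(line)
```

The overlap check is the one most worth keeping: a trusted 10.0.1.1/16 and an optional 10.0.2.1/24 look distinct at a glance but share the 10.0.0.0/16 network, which violates the mixed routing mode requirement.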
About IPv6 Support
Fireware XTM supports many features for IPv6 traffic.
- IPv6 addressing — You can add a static IPv6 address to the External, Trusted, or Optional
interfaces when the device is configured in mixed routing mode.
For more information, see Enable IPv6 for an External Interface and Enable IPv6 for a Trusted
or Optional Interface.
- IPv6 DNS servers — You can use an IPv6 address to specify a DNS server.
- IPv6 static routes — You can add an IPv6 host or network static route.
- IPv6 management — You can use the static IPv6 address to connect to Fireware XTM Web UI
or the CLI for device management. You cannot use the static IPv6 address to connect to the
XTM device from WatchGuard System Manager.
- IPv6 diagnostic logging — You can set the diagnostic log level for IPv6 advertisements.
For information about how to configure diagnostic log levels, see Set the Diagnostic Log Level.
- Packet filter policies — You can use IPv6 addresses in packet filter policies.
- MAC access control — Applies to both IPv6 and IPv4 traffic.
- Inspection of traffic received and sent by the same interface — Applies to both IPv6 and IPv4
traffic.
- Blocked sites and exceptions — You can use an IPv6 address to define a blocked site or
exception.
- Blocked ports — Applies to both IPv6 and IPv4 traffic.
- TCP SYN checking — The TCP SYN checking setting in Global Settings applies to both IPv6
and IPv4 traffic.
- Application Control
- Intrusion Prevention Service
- DHCPv6
- FireCluster
- Flood attack prevention — The Default Packet Handling settings to block flood attacks apply to
both IPv6 and IPv4 traffic.
- Authentication — IPv6 addresses are supported for Firewall authentication.
All other networking and security features are not yet supported for IPv6 traffic. This includes:
- Proxy policies
- Authentication — Single Sign-On, Terminal Services, VPN support, fully qualified domain
names for RADIUS and SecurID servers, automatic redirect of users to the Authentication page
- WebBlocker
- Gateway AV
- spamBlocker
- Reputation Enabled Defense
- Default packet handling other than Flood protection
- Multi-WAN
- Server load balancing
- Traffic Management and QoS
- VLAN interface
- Bridge interface
- Drop-in mode
- Bridge mode
- Link aggregation
- NAT
- Dynamic routing
- MAC/IP address binding
- Branch Office VPN
- Mobile VPN
- Wireless and modem
Any other feature not in the list of supported IPv6 features is not supported for IPv6 traffic.
WatchGuard continues to add more IPv6 support to Fireware XTM for all XTM device models. For
more information about the WatchGuard IPv6 roadmap, see
http://www.watchguard.com/ipv6/index.asp.
Mixed Routing Mode
In mixed routing mode, you can configure your XTM device to send network traffic between many
different types of physical and virtual network interfaces. Mixed routing mode is the default network
mode. While most network and security features are available in this mode, you must carefully check
the configuration of each device connected to your XTM device to make sure that your network
operates correctly.
A basic network configuration in mixed routing mode uses at least two interfaces. For example, you
can connect an external interface to a cable modem or other Internet connection, and a trusted
interface to an internal router that connects internal members of your organization. From that basic
configuration, you can add an optional network that protects servers but allows greater access from
external networks, configure VLANs, and other advanced features, or set additional options for
security like MAC address restrictions. You can also define how network traffic is sent between
interfaces.
To get started on interface configuration in mixed routing mode, see Common Interface Settings on
page 145.
It is easy to forget IP addresses and connection points on your network in mixed routing mode,
especially if you use VLANs (Virtual Local Area Networks), secondary networks, and other advanced
features. We recommend that you record basic information about your network and VPN configuration
in the event that you need to contact technical support. This information can help your technician
resolve your problem quickly.
Configure an External Interface
An external interface is used to connect your XTM device to a network outside your organization.
Often, an external interface is the method by which you connect your device to the Internet.
When you configure an external interface, you must choose the method your Internet service provider
(ISP) uses to give you an IPv4 address for your device. If you do not know the method, get this
information from your ISP or network administrator. In addition to the IPv4 address, you can optionally
configure an IPv6 address.
For information about methods used to set and distribute IP addresses, see Static and Dynamic IP
Addresses on page 6.
For information about IPv6 configuration, see Enable IPv6 for an External Interface.
Use a Static IPv4 Address
1. Select Network > Interfaces.
The Network Interfaces page appears.
2. Select an external interface. Click Edit.
3. From the Configuration Mode drop-down list, select Static IP.
4. In the IP address text box, type the IP address of the interface.
5. In the Gateway text box, type the IP address of the default gateway.
6. Click Save.
Use PPPoE Authentication to get an IPv4 Address
If your ISP uses PPPoE, you must configure PPPoE authentication before your device can send traffic
through the external interface. Fireware XTM supports the PAP, EAP, CHAP, MS-CHAP and MSCHAPv2 PPPoE authentication methods.
1. Select Network > Interfaces.
The Network Interfaces page appears.
2. Select an external interface. Click Configure.
3. From the Configuration Mode drop-down list, select PPPoE.
4. Select an option:
- Obtain an IP address automatically
- Use this IP address (supplied by your Internet Service Provider)
5. If you selected Use this IP Address, in the adjacent text box, type the IP address.
6. Type the User Name and Password. Type the password again.
ISPs use the email address format for user names, such as [email protected]
7. To configure additional PPPoE options, click Advanced.
Your ISP can tell you if you must change the timeout or LCP values.
8. Select when the device connects to the PPPoE server:
- Always-on — The XTM device keeps a constant PPPoE connection. It is not necessary for
network traffic to go through the external interface.
If you select this option, type or select a value in the PPPoE initialization retry every text
box to set the number of seconds that PPPoE tries to initialize before it times out.
- Dial-on-demand — The XTM device connects to the PPPoE server only when it gets a
request to send traffic to an IP address on the external interface.
If your ISP regularly resets the connection, select this option.
If you select this option, in the Idle timeout in text box, set the length of time a client can
stay connected when no traffic is sent.
If you do not select this option, you must manually restart the XTM device each time the
connection resets.
9. If your ISP requires the Host-Uniq tag for PPPoE discovery packets, select the Use Host-Uniq
tag in PPPoE discovery packets check box.
10. To use LCP echo requests to detect lost PPPoE connections, select the Use LCP echo
requests to detect lost PPPoE connections check box.
This is enabled by default.
11. In the LCP echo failure in text box, type or select the number of failed LCP echo requests
allowed before the PPPoE connection is considered inactive and closed.
12. In the LCP echo timeout in text box, type or select the length of time, in seconds, that the
response to each echo timeout must be received.
13. To configure the XTM device to automatically restart the PPPoE connection on a daily or
weekly basis, select the Schedule time for auto restart check box.
14. From the Schedule time for auto restart drop-down list, select Daily to restart the connection
at the same time each day, or select a day of the week to restart weekly. Select the hour and
minute of the day (in 24 hour time format) to automatically restart the PPPoE connection.
15. In the Service Name text box, type a PPPoE service name.
This is either an ISP name or a class of service that is configured on the PPPoE server.
Usually, this option is not used. Select it only if there is more than one access concentrator, or
you know that you must use a specified service name.
16. In the Access Concentrator Name text box, type the name of a PPPoE access concentrator,
also known as a PPPoE server. Usually, this option is not used. Select it only if you know there
is more than one access concentrator.
17. In the Authentication retries text box, type or select the number of times that the XTM device
can try to make a connection.
The default value is three (3) connection attempts.
18. In the Authentication timeout text box, type a value for the amount of time between
connection attempt retries.
The default value is 20 seconds between each connection attempt.
19. Configure PPPoE IP address negotiation. There are two settings:
n Send PPPoE client static IP address during PPPoE negotiation — If you configured
the PPPoE settings to use a static IP address, this option enables the XTM device to send
the PPPoE client IP address to the PPPoE server during PPPoE negotiation. This option is
enabled by default when you configure a static IP address for PPPoE. Clear this check box
if you want the XTM device to accept a different public IP address from the PPPoE server.
n Negotiate DNS with PPPoE Server — Select this option to enable the XTM device to
negotiate DNS with the PPPoE server. This is enabled by default. Clear this check box if
you do not want the XTM device to negotiate DNS.
20. Click OK.
Use DHCP to Get an IPv4 IP Address
1. From the Configuration Mode drop-down list, select DHCP.
2. If your ISP or external DHCP server requires a client identifier, such as a MAC address, in the
Client text box, type this information.
3. To specify a host name for identification, type it in the Host Name text box.
4. To manually assign an IP address to the external interface, type it in the Use this IP address
text box.
To configure the external interface to obtain an IP address automatically, clear the Use this IP
address text box.
5. To change the lease time, select the Leasing Time check box and specify the value in the
adjacent text box and drop-down list.
IP addresses assigned by a DHCP server have an eight hour lease by default; each address is
valid for eight hours.
Enable IPv6 for an External Interface
You can configure the external interface with an IPv6 address in addition to the IPv4 address. IPv6 is
not enabled on any interface by default. When you enable IPv6 for an external interface, you can
configure the interface with one or more static IPv6 addresses, and you can configure the interface to
use DHCP to get an IPv6 address. You can also enable IP address autoconfiguration.
Enable IPv6
To enable IPv6 for an external interface:
1. Select Network > Interfaces.
The Network Interfaces page appears.
2. Select an external interface. Click Configure.
The Interface Settings dialog box appears.
3. Select the IPv6 tab.
4. Select the Enable IPv6 check box.
Next you can add static IPv6 IP addresses, enable the interface to use DHCPv6, or both.
Add a Static IPv6 Address
To add a static IPv6 address:
1. Adjacent to the Static IPv6 Addresses list, click Add.
The Add Static IPv6 Address dialog box appears.
2. Type the IPv6 IP address and the routing prefix size.
3. Click OK.
The IP address is added to the list.
Use DHCPv6 to get an IPv6 Address
You can configure the interface to use DHCPv6 to get an IP address. To get IPv6 addresses from a
server, the DHCPv6 client can use a rapid two-message exchange (solicit, reply) or a four-message
exchange (solicit, advertise, request, reply). By default, the DHCPv6 client uses the four-message
exchange. To use the two-message exchange, enable the Rapid Commit option on the XTM device
and on the DHCPv6 server.
To enable DHCPv6 for the interface:
1. Select Enable DHCPv6 Client.
2. Select the Rapid Commit check box to use a rapid two-message exchange to get an IPv6
address.
Use IPv6 Address Autoconfiguration
IPv6 address autoconfiguration enables the XTM device to automatically assign an IPv6 link-local
address to this interface. When you enable IP address autoconfiguration, the external interface is
automatically enabled to receive IPv6 router advertisements. With IPv6 address configuration enabled,
it is not necessary to specify a default gateway.
To enable IPv6 Address Autoconfiguration:
Select the IP Address Autoconfiguration check box in the IPv6 tab.
For more information about IPv6 stateless address autoconfiguration, see RFC 4862.
Configure the Default Gateway
When you enable IPv6 for an external interface, if you do not enable IPv6 address autoconfiguration,
you must specify the default IPv6 gateway.
To specify the default gateway:
In the Default Gateway text box, type the IPv6 address of the default gateway.
Configure IPv4 DHCP in Mixed Routing Mode
DHCP (Dynamic Host Configuration Protocol) is a method to assign IP addresses automatically to
network clients. You can configure your XTM device as a DHCP server for the networks that it
protects. If you have a DHCP server, we recommend that you continue to use that server for DHCP.
These DHCP settings apply to trusted and optional interfaces, and to VLAN, Bridge, and Link
Aggregation interfaces in the trusted and optional security zones.
If your XTM device is configured in drop-in mode, see .
Configure DHCP for IPv4
1. Select Network > Interfaces.
2. Select a trusted or an optional interface. Click Edit.
3. Select Use DHCP Server, or for the wireless guest network, select the Enable DHCP Server
on Wireless Guest Network check box.
4. To add a group of IP addresses to assign to users on this interface, in the Address Pool
section, click Add.
5. Specify starting and ending IP addresses on the same subnet, then click OK.
The address pool must belong either to the interface’s primary or secondary IP subnet.
You can configure a maximum of six address ranges. Address groups are used from first to last.
Addresses in each group are assigned by number, from lowest to highest.
6. To change the default lease time, select a different option in the Lease Time drop-down list.
This is the time interval that a DHCP client can use an IP address that it receives from the DHCP
server. When the lease time is about to expire, the client sends data to the DHCP server to get a new
lease.
Configure DHCP Reservations
To reserve a specific IP address for a client:
1. In the Reserved Addresses section, click Add.
For a wireless guest network, click DHCP Reservations and then click Add.
2. Type a name for the reservation, the IP address you want to reserve, and the MAC address of
the client’s network card.
The DHCP reservation name cannot start or end with a dot (.) or dash (-), and cannot contain an
underscore (_).
3. Click OK.
1. In the Reserved Addresses section, type a name for the reservation, the IP address you want
to reserve, and the MAC address of the client’s network card.
The DHCP reservation name cannot start or end with a dot (.) or dash (-), and cannot contain an
underscore (_).
2. Click Add.
Configure DHCP Options
There are three configurable DHCP options. Many VoIP phones use these DHCP options to download
their boot configuration. The DHCP options are:
n TFTP Server IP (Option 150) — The IP address of the TFTP server where the DHCP client
can download the boot configuration.
n TFTP Server Name (Option 66) — The name of the TFTP server where the DHCP client can
download the boot configuration. This option is supported only for devices that use Fireware
XTM v11.7.4 and higher.
n TFTP Boot Filename (Option 67) — The name of the boot file.
Options 66 and 67 are described in RFC 2132. Option 150 is used by Cisco IP phones.
To configure these options in the DHCP Options section:
1. In the TFTP Server IP text box, type the IP address of the TFTP server.
2. In the TFTP Server Name text box, type the name of the TFTP server.
3. In the TFTP Boot Filename text box, type the name of the boot file on the TFTP server.
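The three fields above are sent on the wire as DHCPv4 options. The following Python is an added example (not from the guide or from WatchGuard's software) that encodes and decodes exactly those options. Option codes follow RFC 2132 (one-byte code, one-byte length, value; 0 is padding, 255 ends the list) and RFC 5859, which defines option 150 as a list of IPv4 addresses. The parser rejects a truncated option rather than accepting a short value, which is the check a DHCP-option consumer or a packet-inspection tool should make. The server address, host name and boot file name are constructed sample values.

```python
"""Encode and decode the DHCPv4 boot options (66, 67, 150) described in the guide.

Added example, not WatchGuard code. Layout per RFC 2132 and RFC 5859; all sample
values are constructed.
"""
from ipaddress import IPv4Address

OPT_PAD, OPT_END = 0, 255
OPT_TFTP_SERVER_NAME = 66    # RFC 2132: ASCII name of the TFTP server
OPT_BOOTFILE_NAME = 67       # RFC 2132: ASCII boot file name
OPT_TFTP_SERVER_ADDR = 150   # RFC 5859: one or more IPv4 addresses (Cisco IP phones)


def parse_dhcp_options(data: bytes) -> dict:
    """Return {code: raw_value} for the option field that follows the magic cookie.

    A truncated option raises instead of silently yielding a short value.
    """
    opts = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:            # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("option %d has no length byte" % code)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d is truncated" % code)
        # Repeated codes are concatenated (RFC 3396 long-option convention).
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def decode_boot_options(opts: dict) -> dict:
    """Turn the raw boot options into the three values shown in the Web UI."""
    out = {}
    if OPT_TFTP_SERVER_ADDR in opts:
        raw = opts[OPT_TFTP_SERVER_ADDR]
        if not raw or len(raw) % 4:
            raise ValueError("option 150 must hold whole IPv4 addresses")
        out["tftp_server_ips"] = [str(IPv4Address(raw[k:k + 4]))
                                  for k in range(0, len(raw), 4)]
    if OPT_TFTP_SERVER_NAME in opts:
        out["tftp_server_name"] = opts[OPT_TFTP_SERVER_NAME].decode("ascii").rstrip("\x00")
    if OPT_BOOTFILE_NAME in opts:
        out["boot_file"] = opts[OPT_BOOTFILE_NAME].decode("ascii").rstrip("\x00")
    return out


def build_boot_options(tftp_ip=None, tftp_name=None, boot_file=None) -> bytes:
    """Build the option bytes a DHCP server sends for these Web UI fields."""
    out = bytearray()

    def add(code: int, value: bytes) -> None:
        if len(value) > 255:
            raise ValueError("option %d value longer than 255 bytes" % code)
        out.extend([code, len(value)])
        out.extend(value)

    if tftp_ip:
        add(OPT_TFTP_SERVER_ADDR, IPv4Address(tftp_ip).packed)
    if tftp_name:
        add(OPT_TFTP_SERVER_NAME, tftp_name.encode("ascii"))
    if boot_file:
        add(OPT_BOOTFILE_NAME, boot_file.encode("ascii"))
    out.append(OPT_END)
    return bytes(out)


if __name__ == "__main__":
    # Constructed values: a phone boot configuration served from 192.0.2.10.
    wire = build_boot_options("192.0.2.10", "tftp.example.net", "phone.cnf.xml")
    print(decode_boot_options(parse_dhcp_options(wire)))
```

Because option 150 carries raw 4-byte addresses while 66 and 67 carry text, a client that receives both 150 and 66 has two candidate servers; the decoder returns both so the caller can decide which one its phones actually prefer.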
Configure Per-Interface WINS/DNS
By default, when it is configured as a DHCP server your XTM device gives out the DNS and WINS
server information configured on the Network Configuration > WINS/DNS tab. To specify different
information for your device to assign when it gives out IP addresses, you can add a DNS server for the
interface.
n To configure per-interface WINS/DNS settings, select the DNS/WINS tab.
n To change the default DNS domain, in the Domain Name text box type a domain name.
n To create a new DNS server entry, in the DNS Server text box, type an IP address, and click
Add.
n To create a new WINS server entry, in the WINS Server text box, type an IP address and click
Add.
n To remove the selected server from a list, click Remove.
Configure a Trusted or Optional Interface
A trusted or optional interface is used to connect your XTM device to a network inside your
organization.
To configure a trusted or optional network interface:
1. Select Network > Interfaces.
The Network Interfaces dialog box appears.
2. Select an interface and click Configure.
The Interface Configuration dialog box appears.
3. In the Interface Name (Alias) text box, you can use the default name or change it to one that
more closely reflects your own network.
Make sure the name is unique among interface names, as well as all Mobile VPN group names
and tunnel names. You can use this alias with other features, such as proxy policies, to manage
network traffic for this interface.
4. (Optional) In the Interface Description text box, type a description of the interface.
5. From the Interface Type drop-down list, select Trusted or Optional.
6. In the IP Address text box, type the IPv4 address in slash notation. For information about
IP addresses to use for trusted and optional networks, see About Private IP Addresses.
7. Configure other interface settings.
n For information about how to automatically assign IPv4 addresses to clients that
connect to a trusted or optional interface, see Configure IPv4 DHCP in Mixed Routing
Mode on page 122 or Configure DHCP Relay on page 146.
n For information about how to use more than one IPv4 address on a single physical
network interface, see Add a Secondary Network IP Address on page 149.
n For information about how to configure an interface to use an IPv6 address, see Enable
IPv6 for a Trusted or Optional Interface.
8. Click Save.
Enable IPv6 for a Trusted or Optional Interface
You can configure the trusted or optional interfaces with an IPv6 address in addition to the IPv4
address. IPv6 is not enabled on any interface by default. When you enable IPv6, you can configure the
interface with one or more static IPv6 addresses. You can also configure router advertisement of the
IP address prefix.
Add a Static IPv6 IP Address
1. Select Network > Interfaces.
The Network Interfaces page appears.
2. Select a trusted or optional interface. Click Edit.
3. Select the IPv6 tab.
4. Select the Enable IPv6 check box.
5. Click Add.
6. Type the IPv6 IP address and the routing prefix size.
7. To add the prefix for this IP address to the Prefix Advertisement list, select the Add Prefix
Advertisement check box.
You can select this option only if the prefix size is /64.
8. Click OK.
The IP address is added to the list.
Configure Router Advertisement
When you enable IPv6 for a trusted or optional interface, you can enable the interface to send Router
Advertisement messages. When you enable Router Advertisement, the interface sends the configured
IP address prefixes in router advertisements on the local network. Router Advertisement is used for
IPv6 neighbor discovery and IPv6 address autoconfiguration.
The Router Advertisement settings appear in the Router Advertisement section of the IPv6 tab.
Router Advertisement Settings
Select the Send Advertisement check box to enable the XTM device to send periodic router
advertisements and respond to router solicitations. If you select the Add Prefix Advertisement check
box for any IPv6 IP address, the Send Advertisement check box is automatically selected.
The Router Advertisement section has five other settings that appear in all router advertisement
messages:
n M Flag — The managed address configuration flag. This flag indicates that host addresses are
available through DHCPv6. If the M flag is selected, the O flag is ignored, because DHCPv6
returns all available configuration information. The M flag is disabled by default.
n O Flag — The other stateful configuration flag. This flag indicates that other configuration
information is available through DHCPv6. Examples of such information include DNS-related
information, or information about other servers within the network. The O flag is disabled by
default.
n Default Lifetime — The lifetime associated with the default router. The default value is 30
minutes. The maximum is 150 minutes.
n Maximum Interval — The maximum time allowed between unsolicited multicast router
advertisements sent from the interface. It must be a value from 4 to 1800 seconds. The default
value is 10 minutes.
n Minimum Interval — The minimum time allowed between unsolicited multicast router
advertisements sent from the interface. It must be a value from 3 to 1350 seconds. The default
value is 200 seconds.
Add a Prefix Advertisement
To add a Prefix Advertisement prefix for a static IPv6 address:
In the Static IPv6 Addresses list, select the Add Prefix Advertisement check box adjacent
to a configured static IP address. You can also select this check box when you add the static
IP address. In either case, the prefix for the static IP address is added to the Prefix
Advertisement list.
For example, if the static IP address is 2001:db8::2/64, when you select Add Prefix
Advertisement, the prefix 2001:db8:: is added to the Prefix Advertisement list.
To add a Prefix Advertisement that is not associated with a static IPv6 address:
1. In the Router Advertisement section, select the Send Advertisement check box.
2. Click Add.
The Add Prefix Advertisement dialog box appears.
3. In the Prefix text box, type the IPv6 prefix.
The prefix must be a network IP address in the format x:x::/64.
4. (Optional) Change the other prefix advertisement settings:
n Valid Lifetime — The length of time after the packet is sent that the prefix is valid for the
purpose of onlink determination.
n Preferred Lifetime — The length of time after the packet is sent that addresses generated
from the prefix through stateless address autoconfiguration remain preferred.
n Onlink — If enabled, a host can use this prefix to determine whether a destination is onlink
as opposed to reachable only through a router.
n Autonomous — If enabled, a host can use this prefix for stateless autoconfiguration of the
link-local address.
5. Click OK.
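The Router Advertisement and Prefix Advertisement settings above are the fields of an ICMPv6 Router Advertisement as defined in RFC 4861. The Python below is an added example (not from the guide or from WatchGuard's software) that builds an RA from those settings, derives the advertised prefix from a static address the way the Add Prefix Advertisement option does (2001:db8::2/64 yields 2001:db8::/64, and only a /64 qualifies), checks the interval and lifetime limits listed above, and decodes an RA. The decoder is the part a defender uses: run it over captured RAs and an advertisement with unexpected M/O flags, lifetimes or prefixes on a segment stands out. The rule that the minimum interval may not exceed 0.75 times the maximum interval comes from RFC 4861, not from the Web UI; the checksum is left at zero because it is computed over the IPv6 pseudo-header when the packet is sent. All addresses and timers are constructed sample values.

```python
"""Build, parse and sanity-check IPv6 Router Advertisements (RFC 4861).

Added example, not WatchGuard code. Limits are the ones the Web UI lists, plus the
RFC 4861 relation MinRtrAdvInterval <= 0.75 * MaxRtrAdvInterval.
"""
import struct
from ipaddress import IPv6Interface, IPv6Network

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3
FLAG_M, FLAG_O = 0x80, 0x40              # RA flags byte: Managed, Other
PI_ONLINK, PI_AUTONOMOUS = 0x80, 0x40    # Prefix Information flags: L, A
RA_HDR = "!BBHBBHII"                     # type, code, csum, hop, flags, lifetime, reachable, retrans


def advertised_prefix(static_addr: str) -> IPv6Network:
    """Prefix added for Add Prefix Advertisement: only a /64 address qualifies."""
    iface = IPv6Interface(static_addr)
    if iface.network.prefixlen != 64:
        raise ValueError("prefix advertisement needs a /64, got /%d" % iface.network.prefixlen)
    return iface.network     # 2001:db8::2/64 -> 2001:db8::/64


def check_ra_timers(default_lifetime_min: int, max_interval_s: int, min_interval_s: int) -> bool:
    """Apply the Web UI limits and the RFC 4861 min/max relation; raise on a bad value."""
    if not 0 <= default_lifetime_min <= 150:   # 150 min = 9000 s, the 16-bit field maximum
        raise ValueError("default lifetime must be 0-150 minutes")
    if not 4 <= max_interval_s <= 1800:
        raise ValueError("maximum interval must be 4-1800 seconds")
    if not 3 <= min_interval_s <= 1350:
        raise ValueError("minimum interval must be 3-1350 seconds")
    if min_interval_s > 0.75 * max_interval_s:
        raise ValueError("minimum interval must not exceed 0.75 x maximum interval")
    return True


def build_ra(hop_limit, m_flag, o_flag, default_lifetime_min, prefixes) -> bytes:
    """prefixes: iterable of (IPv6Network, onlink, autonomous, valid_s, preferred_s)."""
    flags = (FLAG_M if m_flag else 0) | (FLAG_O if o_flag else 0)
    pkt = struct.pack(RA_HDR, ND_ROUTER_ADVERT, 0, 0, hop_limit, flags,
                      default_lifetime_min * 60, 0, 0)
    for net, onlink, autonomous, valid_s, preferred_s in prefixes:
        pflags = (PI_ONLINK if onlink else 0) | (PI_AUTONOMOUS if autonomous else 0)
        # Prefix Information option: type 3, length 4 (units of 8 bytes), 32 bytes total.
        pkt += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pflags,
                           valid_s, preferred_s, 0)
        pkt += net.network_address.packed
    return pkt


def parse_ra(pkt: bytes) -> dict:
    """Decode an RA (for example from a capture) so unexpected flags or prefixes stand out."""
    if len(pkt) < 16:
        raise ValueError("RA shorter than its fixed header")
    mtype, code, _csum, hop, flags, lifetime_s, _reach, _retrans = struct.unpack(RA_HDR, pkt[:16])
    if mtype != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop, "managed": bool(flags & FLAG_M), "other": bool(flags & FLAG_O),
          "router_lifetime_s": lifetime_s, "prefixes": []}
    i = 16
    while i + 2 <= len(pkt):
        otype, olen = pkt[i], pkt[i + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")   # RFC 4861: discard the packet
        end = i + 8 * olen
        if end > len(pkt):
            raise ValueError("truncated ND option")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid_s, preferred_s = struct.unpack("!BBII", pkt[i + 2:i + 12])
            ra["prefixes"].append({
                # strict=False so a malformed prefix with host bits set is still reported
                "prefix": str(IPv6Network((pkt[i + 16:i + 32], plen), strict=False)),
                "onlink": bool(pflags & PI_ONLINK), "autonomous": bool(pflags & PI_AUTONOMOUS),
                "valid_s": valid_s, "preferred_s": preferred_s})
        i = end
    return ra


if __name__ == "__main__":
    # Constructed: the guide's 2001:db8::2/64 address with the Web UI default timers.
    check_ra_timers(30, 600, 200)
    net = advertised_prefix("2001:db8::2/64")
    print(parse_ra(build_ra(64, False, False, 30, [(net, True, True, 2592000, 604800)])))
```

The default lifetime is carried in seconds in a 16-bit field, which is why the Web UI caps it at 150 minutes (9000 seconds); a decoded `router_lifetime_s` of 0 means the sender is not offering itself as a default router at all.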
Edit a Prefix Advertisement
1. To change the Autonomous and Onlink settings, select or clear the check box in the adjacent
column.
2. To edit other settings, select the Prefix Advertisement and click Edit.
Remove a Prefix Advertisement
1. To remove the prefix advertisement associated with a configured static IP address, clear the
Add Prefix Advertisement check box adjacent to the static IP address in the Static IPv6
Addresses table.
2. To remove any other prefix advertisement, select the prefix in the Prefix Advertisement list.
Then click Remove.
Configure IPv6 Connection Settings
When you enable IPv6 for an interface, you can configure IPv6 connection settings. The default values
are appropriate for most networks. We recommend that you do not change them unless your network
requires it. These settings appear in the IPv6 tab when you edit an interface.
1. In the Hop Limit text box, type or select the IPv6 hop limit.
The hop limit is the number of network segments a packet can travel over before it is discarded
by a router.
The default value is 64.
2. In the DAD Transmits text box, type or select the number of DAD (Duplicate Address
Detection) transmits for this link.
The default value is 1. If you set this value to 0, duplicate address detection is not performed.
Configure an IPv6 DHCP Server
DHCPv6 is a method to assign IPv6 addresses automatically to network clients. When you enable
IPv6 for a trusted or optional interface, you can enable the DHCPv6 server on the interface, to assign
IPv6 addresses to clients that connect.
Before you can enable the DHCPv6 server, you must enable IPv6 for the interface. For more
information, see Enable IPv6 for a Trusted or Optional Interface.
You cannot use these special purpose IP addresses in the DHCPv6 configuration:
n IP addresses that start with 2002, unless bits 17-48 specify a valid IPv4 address
n IP addresses that start with FE80, because this specifies a link local address
n IP addresses that start with FEC0, because this specifies a site local address
Configure DHCPv6 Server Settings
You can enable DHCPv6 for a trusted or optional interface that has IPv6 enabled.
1. Select Network > Interfaces.
2. Select a trusted or an optional interface. Click Edit.
3. Select the IPv6 tab.
4. From the DHCP drop-down list, select Use DHCP Server.
The DHCP server configuration settings appear.
Configure the DHCPv6 Address Pool
1. In the Address Pool section of the Settings tab, click Add.
The Add Address Range dialog box appears.
2. In the Starting IP and Ending IP text boxes, type two IPv6 addresses in the same prefix range
as an IPv6 address configured for this interface.
3. Click OK.
Configure DHCPv6 Reservations
To reserve a specific IP address for a client:
1. In the Reserved Addresses section, click Add.
The Add Reserved IP by DUID dialog box appears.
2. In the Reserved IP text box, type the IPv6 address to reserve.
3. In the Reservation Name text box, type a name for this reservation.
The reservation name cannot start or end with a dot (.) or hyphen (-), and cannot contain an
underscore. The maximum length of a reservation name is 64 characters.
4. In the DUID text box, type the DHCPv6 Client DUID.
5. Click OK.
Enable Rapid Commit
To get IPv6 addresses from a server, the DHCPv6 client can use a rapid two-message exchange
(solicit, reply) or a four-message exchange (solicit, advertise, request, reply). By default, the DHCPv6
client uses the four-message exchange. To use the two-message exchange, you must enable the
Rapid Commit option on the XTM device and on the client. Select the Rapid Commit check box to
enable the DHCP server to use the rapid two-message exchange to assign an IP address.
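The two exchanges described here (and in the DHCPv6 client section for the external interface) can be seen end to end in the following Python, an added example that is not part of the guide or of WatchGuard's software. It carries both sides' messages: a toy in-memory server and a client that speak the RFC 8415 message layout (message type, transaction ID, TLV options). The server commits on the Solicit only when it has Rapid Commit enabled and the client included the Rapid Commit option, which is why the option must be enabled on both ends; otherwise the client falls back to the four-message exchange. The client also discards a Reply to a Solicit it did not ask to be rapid-committed, as the RFC requires. The DUIDs and the 2001:db8:1::/64 pool are constructed.

```python
"""Simulate the DHCPv6 two-message (Rapid Commit) and four-message exchanges.

Added example, not WatchGuard code. Message and option codes are from RFC 8415;
the in-memory server, DUIDs and 2001:db8:1::/64 pool are constructed.
"""
import struct
from ipaddress import IPv6Address

SOLICIT, ADVERTISE, REQUEST, REPLY = 1, 2, 3, 7
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA, OPT_IAADDR, OPT_RAPID_COMMIT = 1, 2, 3, 5, 14
SERVER_DUID = bytes.fromhex("00030001" "00005e005301")  # DUID-LL with a constructed MAC
CLIENT_DUID = bytes.fromhex("00030001" "00005e005302")


def encode(msg_type, txid, options):
    """1-byte msg-type, 3-byte transaction-id, then options as (2-byte code, 2-byte len, value)."""
    body = struct.pack("!I", (msg_type << 24) | (txid & 0xFFFFFF))
    for code, value in options:
        body += struct.pack("!HH", code, len(value)) + value
    return body


def decode(data):
    head, = struct.unpack("!I", data[:4])
    opts, i = [], 4
    while i + 4 <= len(data):
        code, length = struct.unpack("!HH", data[i:i + 4])
        value = data[i + 4:i + 4 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts.append((code, value))
        i += 4 + length
    return head >> 24, head & 0xFFFFFF, opts


def option(opts, code):
    """Value of the first option with this code; a missing mandatory option is an error."""
    for c, v in opts:
        if c == code:
            return v
    raise ValueError("missing option %d" % code)


def ia_na(iaid, addr=None, t1=1800, t2=2880, preferred=3600, valid=7200):
    """IA_NA body; the server appends an IAADDR sub-option carrying the lease."""
    body = struct.pack("!III", iaid, t1, t2)
    if addr is not None:
        iaaddr = IPv6Address(addr).packed + struct.pack("!II", preferred, valid)
        body += struct.pack("!HH", OPT_IAADDR, len(iaaddr)) + iaaddr
    return body


def leased_address(opts):
    ia = option(opts, OPT_IA_NA)
    if len(ia) < 32 or struct.unpack("!H", ia[12:14])[0] != OPT_IAADDR:
        raise ValueError("IA_NA carries no address")
    return str(IPv6Address(ia[16:32]))


class DHCPv6Server:
    """Toy server: one lease per client DUID, handed out in pool order."""
    def __init__(self, duid, rapid_commit, pool_start="2001:db8:1::100"):
        self.duid, self.rapid_commit = duid, rapid_commit
        self.pool_start, self.leases = IPv6Address(pool_start), {}

    def handle(self, data):
        mtype, txid, opts = decode(data)
        client = option(opts, OPT_CLIENTID)
        addr = self.leases.setdefault(client, self.pool_start + len(self.leases))
        iaid, = struct.unpack("!I", option(opts, OPT_IA_NA)[:4])
        common = [(OPT_SERVERID, self.duid), (OPT_CLIENTID, client), (OPT_IA_NA, ia_na(iaid, addr))]
        if mtype == SOLICIT:
            if self.rapid_commit and any(c == OPT_RAPID_COMMIT for c, _ in opts):
                return encode(REPLY, txid, common + [(OPT_RAPID_COMMIT, b"")])  # two-message
            return encode(ADVERTISE, txid, common)                              # four-message
        if mtype == REQUEST and option(opts, OPT_SERVERID) == self.duid:
            return encode(REPLY, txid, common)
        raise ValueError("unexpected message type %d" % mtype)


def run_client(server, client_duid, rapid_commit, txid=0x0A1B2C):
    """Return (message names in order, leased address) for one client transaction."""
    opts = [(OPT_CLIENTID, client_duid), (OPT_IA_NA, ia_na(1))]
    if rapid_commit:
        opts.append((OPT_RAPID_COMMIT, b""))
    trace = ["SOLICIT"]
    mtype, rtx, ropts = decode(server.handle(encode(SOLICIT, txid, opts)))
    if rtx != txid or option(ropts, OPT_CLIENTID) != client_duid:
        raise ValueError("response is not for our transaction")
    if mtype == REPLY:
        # RFC 8415: a Reply to a Solicit is valid only if we asked for Rapid Commit
        # and the server echoed the option; any other Reply is discarded.
        if not (rapid_commit and any(c == OPT_RAPID_COMMIT for c, _ in ropts)):
            raise ValueError("unexpected Reply to Solicit discarded")
        return trace + ["REPLY"], leased_address(ropts)
    if mtype != ADVERTISE:
        raise ValueError("unexpected message type %d" % mtype)
    trace += ["ADVERTISE", "REQUEST"]
    req = [(OPT_CLIENTID, client_duid), (OPT_SERVERID, option(ropts, OPT_SERVERID)),
           (OPT_IA_NA, ia_na(1))]
    mtype, rtx, ropts = decode(server.handle(encode(REQUEST, txid, req)))
    if mtype != REPLY or rtx != txid:
        raise ValueError("expected Reply to Request")
    return trace + ["REPLY"], leased_address(ropts)
```

Calling `run_client(DHCPv6Server(SERVER_DUID, True), CLIENT_DUID, True)` returns the two-message trace; flipping either side's flag to `False` yields the four-message trace with the same lease, which is the behaviour to expect when only one end has Rapid Commit enabled.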
Configure IPv6 Address Lifetimes
The IPv6 lifetime settings control the length of time an assigned IPv6 address remains valid and the
length of time the address is preferred. To change the default lifetime settings, change the values for
Valid Lifetime and Preferred Lifetime. The Valid Lifetime must be greater than or equal to the
Preferred Lifetime.
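The constraints spread across the DHCPv6 server sections above (pool addresses inside the interface prefix, no 2002/FE80/FEC0 special-purpose addresses, the reservation-name rules, and Valid Lifetime at least the Preferred Lifetime) are easy to check before a configuration is pushed. The Python below is an added example, not from the guide or from WatchGuard's software, that validates a constructed DHCPv6 server configuration against those rules. Two points are my assumptions rather than the guide's statements: what counts as a "valid" embedded IPv4 address in a 2002 prefix (here, a unicast address that is not unspecified, loopback, link-local, multicast or RFC 1918), and the DUID format the UI accepts (here, colon-separated hex octets whose first two bytes are an RFC 8415 DUID type 1 to 4).

```python
"""Validate a DHCPv6 server configuration against the rules in the guide.

Added example, not WatchGuard code. The "usable embedded IPv4" and DUID-format
checks are assumptions; everything else restates the guide's stated rules.
"""
from ipaddress import IPv4Address, IPv4Network, IPv6Address, IPv6Interface
from typing import Optional

RFC1918 = [IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def special_purpose_reason(addr: IPv6Address) -> Optional[str]:
    """Why an address may not be used in the DHCPv6 configuration, or None if it may."""
    top16 = int(addr) >> 112
    if top16 == 0xFE80:
        return "%s is link-local (FE80)" % addr
    if top16 == 0xFEC0:
        return "%s is site-local (FEC0)" % addr
    if top16 == 0x2002:
        embedded = IPv4Address(addr.packed[2:6])   # bits 17-48 of the address
        if (embedded.is_unspecified or embedded.is_loopback or embedded.is_link_local
                or embedded.is_multicast or any(embedded in n for n in RFC1918)):
            return "%s is a 2002 (6to4) prefix without a usable IPv4 address (%s)" % (addr, embedded)
    return None


def check_reservation_name(name: str) -> None:
    if not 1 <= len(name) <= 64:
        raise ValueError("reservation name must be 1-64 characters")
    if "_" in name:
        raise ValueError("reservation name cannot contain an underscore")
    if name[0] in ".-" or name[-1] in ".-":
        raise ValueError("reservation name cannot start or end with '.' or '-'")


def check_duid(duid: str) -> bytes:
    """Assumed format: colon-separated hex octets, 2-130 bytes, RFC 8415 type 1-4."""
    try:
        raw = bytes.fromhex(duid.replace(":", ""))
    except ValueError:
        raise ValueError("DUID must be colon-separated hex octets")
    if not 2 <= len(raw) <= 130 or int.from_bytes(raw[:2], "big") not in (1, 2, 3, 4):
        raise ValueError("DUID must be 2-130 octets with a DUID type of 1-4")
    return raw


def check_reserved_ip(ip: str) -> None:
    reason = special_purpose_reason(IPv6Address(ip))
    if reason:
        raise ValueError(reason)


def check_address_pool(interface_addr: str, start: str, end: str) -> None:
    """Both ends must be ordinary addresses inside the interface prefix, start <= end."""
    net = IPv6Interface(interface_addr).network
    first, last = IPv6Address(start), IPv6Address(end)
    for a in (first, last):
        check_reserved_ip(str(a))
        if a not in net:
            raise ValueError("%s is outside the interface prefix %s" % (a, net))
    if first > last:
        raise ValueError("starting IP is above ending IP")


def validate_dhcpv6_config(cfg: dict) -> list:
    """Return a list of problems; an empty list means the configuration is acceptable."""
    problems = []

    def run(check, *args):
        try:
            check(*args)
        except ValueError as err:
            problems.append(str(err))

    run(check_address_pool, cfg["interface_address"], *cfg["pool"])
    for r in cfg.get("reservations", []):
        run(check_reservation_name, r["name"])
        run(check_duid, r["duid"])
        run(check_reserved_ip, r["ip"])
    if cfg["valid_lifetime"] < cfg["preferred_lifetime"]:
        problems.append("Valid Lifetime must be greater than or equal to Preferred Lifetime")
    return problems


SAMPLE_CONFIG = {   # constructed sample configuration
    "interface_address": "2001:db8:1::1/64",
    "pool": ("2001:db8:1::100", "2001:db8:1::1ff"),
    "reservations": [{"name": "printer-1", "ip": "2001:db8:1::50",
                      "duid": "00:03:00:01:00:00:5e:00:53:01"}],
    "valid_lifetime": 2592000, "preferred_lifetime": 604800,
}

if __name__ == "__main__":
    print(validate_dhcpv6_config(SAMPLE_CONFIG) or "configuration OK")
```

Each check raises on its first failure, so one bad pool yields one message rather than a cascade; collecting the messages instead of stopping at the first one gives an operator the whole picture in one pass.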
Configure Per-Interface DHCPv6 DNS Servers
By default, when it is configured as a DHCP server, your XTM device gives out the DNS and WINS
server information configured on the Network Configuration > WINS/DNS tab. To specify different
information for your device to assign when it gives out IPv6 addresses, you can add DNS servers in
the DHCPv6 settings for the interface.
To configure DNS servers:
1. In the DHCP section, select the DNS tab.
2. To change the default DNS domain that the DHCP client appends to unqualified host names, in
the Domain Name text box type a domain name.
3. In the text box below the DNS Servers list, type the IPv6 address of a DNS server.
4. Click Add.
You can add the IP addresses of up to three DNS servers.
Configure DHCPv6 SIP Servers
You can add the IPv6 addresses or domain name of SIP servers to your DHCPv6 server configuration.
This enables the DHCPv6 server to provide the SIP server domain name or SIP server IP addresses to
SIP clients that request them. You can specify a SIP server domain name, and up to three
IP addresses.
To configure SIP servers:
1. In the DHCP section, select the DNS tab.
2. To specify the SIP server domain, type the domain name in the SIP Domain Name text box.
3. To specify a SIP server IP address, in the text box below the SIP Servers list, type the IPv6
address of a SIP server.
4. Click Add to add the IP address to the list.
About the Dynamic DNS Service
You can register the external IP address of your XTM device with the dynamic Domain Name System
(DNS) service DynDNS.org. A dynamic DNS service makes sure that the IP address attached to your
domain name changes when your ISP gives your device a new IP address. This feature is available in
either mixed routing or drop-in network configuration mode.
If you use this feature, your XTM device gets the IP address of members.dyndns.org when it starts up.
It makes sure the IP address is correct every time it restarts and at an interval of every twenty days. If
you make any changes to your DynDNS configuration on your XTM device, or if you change the IP
address of the default gateway, it updates DynDNS.com immediately.
For more information on the Dynamic DNS service or to create a DynDNS account, go to
http://www.dyndns.com.
WatchGuard is not affiliated with DynDNS.com.
Configure Dynamic DNS
1. Select Network > Dynamic DNS.
The Dynamic DNS client page appears.
2. Select a network interface, then click Edit.
The Dynamic DNS configuration page appears.
3. Select the Enable Dynamic DNS for interface check box.
4. Type the User Name, Password, and Domain name you used to set up your dynamic DNS
account.
5. From the Server Type drop-down list, select the system to use for Dynamic DNS:
n dyndns — Sends updates for a Dynamic DNS host name. Use the dyndns option when
you have no control over your IP address (for example, it is not static, and it changes on a
regular basis).
n custom — Sends updates for a custom DNS host name. This option is frequently used by
businesses that pay to register their domain with dyndns.com.
For an explanation of each option, see http://www.dyndns.com/services/.
6. In the Options text box, type one or more of these options:
n mx=mailexchanger& — Specifies a Mail eXchanger (MX) for use with the hostname.
n backmx=YES|NO& — Requests that the MX in the previous parameter is set up as a backup
MX (includes the host as an MX with a lower preference value).
n wildcard=ON|OFF|NOCHG& — Enables or disables wildcards for this host (ON to enable).
n offline=YES|NO — Sets the hostname to offline mode.
One or more options can be chained together with the ampersand character. For example:
&mx=backup.kunstlerandsons.com&backmx=YES&wildcard=ON
For more information, see http://www.dyndns.com/developers/specs/syntax.html.
7. Click Save.
Drop-In Mode
In a drop-in configuration, your XTM device is configured with the same IP address on all interfaces.
The drop-in configuration mode distributes the network’s logical address range across all available
network interfaces. You can put your XTM device between the router and the LAN and not have to
change the configuration of any local computers. This configuration is known as drop-in mode because
your XTM device is dropped in to a previously configured network.
In drop-in mode:
n You must assign the same primary IP address to all interfaces on your XTM device (external,
trusted, and optional).
n You can assign secondary networks on any interface.
n Dynamic routing (OSPF, BGP, or RIP) is not supported.
n You can keep the same IP addresses and default gateways for hosts on your trusted and
optional networks, and add a secondary network address to the primary external interface so
your XTM device can correctly send traffic to the hosts on these networks.
n The public servers behind your XTM device can continue to use public IP addresses. Network
address translation (NAT) is not used to route traffic from outside your network to your public
servers.
The properties of a drop-in configuration are:
n You must assign and use a static IP address on the external interface.
n You use one logical network for all interfaces.
n You cannot configure more than one external interface when your XTM device is configured in
drop-in mode. Multi-WAN functionality is automatically disabled.
It is sometimes necessary to clear the ARP cache of each computer protected by the XTM device, but
this is not common.
If you move an IP address from a computer located behind one interface to a
computer located behind a different interface, it can take several minutes before
network traffic is sent to the new location. Your XTM device must update its internal
routing table before this traffic can pass. Traffic types that are affected include
logging, SNMP, and XTM device management connections.
You can configure your network interfaces with drop-in mode when you run the Quick Setup Wizard. If
you have already created a network configuration, you can use Policy Manager to switch to drop-in
mode.
For more information, see Run the Web Setup Wizard on page 29.
Use Drop-In Mode for Network Interface Configuration
1. Select Network > Interfaces.
The Network Interfaces dialog box appears.
2. From the Configure Interfaces in drop-down list, select Drop-In Mode.
3. In the IP Address text box, type the IP address you want to use as the primary address for all
interfaces on your XTM device.
4. In the Gateway text box, type the IP address of the gateway. This IP address is automatically
added to the Related Hosts list.
5. Click Save.
Configure Related Hosts
In a drop-in or bridge configuration, the XTM device is configured with the same IP address on each
interface. Your XTM device automatically discovers new devices that are connected to these
interfaces and adds each new MAC address to its internal routing table. If you want to configure device
connections manually, or if the Automatic Host Mapping feature does not operate correctly, you can
add a related hosts entry. A related hosts entry creates a static route between the host IP address and
one network interface. We recommend that you disable Automatic Host Mapping on interfaces for
which you create a related hosts entry.
1. Select Network > Interfaces.
The Network Interfaces page appears.
2. Configure network interfaces in drop-in or bridge mode. Click Properties.
The Drop-In Mode Properties page appears.
3. Clear the check box for any interface for which you want to add a related hosts entry.
4. In the Host text box, type the IP address of the device for which you want to build a static route
from the XTM device. Select the Interface from the adjacent drop-down list, then click Add.
Repeat this step to add additional devices.
5. At the top of the page, click Return.
6. Click Save.
Configure DHCP in Drop-In Mode
When you use drop-in mode for network configuration, you can optionally configure the XTM device as
a DHCP server for the networks it protects, or make the XTM device a DHCP relay agent. If you have
a configured DHCP server, we recommend that you continue to use that server for DHCP.
Use DHCP
When you use drop-in mode for network configuration, you can optionally configure the XTM device as
a DHCP server for networks it protects, or make the XTM device a DHCP relay agent. If you have a
configured DHCP server, we recommend that you continue to use that server for DHCP.
By default, your XTM device gives out the configured DNS/WINS server information when it is
configured as a DHCP server. You can configure DNS/WINS information on this page to override the
global configuration. For more information, see the instructions in Add WINS and DNS Server
Addresses on page 147.
1. Select Network > Interfaces.
The Network Interfaces page appears.
2. If your XTM device is not already configured in drop-in mode, from the Configure Interfaces in
drop-down list select Drop-In Mode.
3. Click Properties.
4. Select the DHCP Settings tab.
5. From the drop-down list, select DHCP Server.
The DHCP configuration settings appear.
6. To change the DHCP lease time, select a different option in the Leasing Time drop-down list.
7. To add an address pool from which your XTM device can give out IP addresses, in the Address
Pool section:
n Click Add.
n In the Starting IP and Ending IP text boxes, type a range of IP addresses that are on the
same subnet as the drop-in IP address.
You can configure a maximum of six address pools.
n Click OK.
8. To reserve a specific IP address from an address pool for a device or client, in the Reserved
Addresses section:
n Click Add.
n Type a Reservation Name to identify the reservation.
n Type the Reserved IP address you want to reserve.
n Type the MAC address for the device.
n Click OK.
Repeat this step to add more DHCP reservations.
9. If necessary, Add WINS and DNS Server Addresses.
10. At the top of the page, click Return.
11. Click Save.
Configure DHCP Options
There are three configurable DHCP options. Many VoIP phones use these DHCP options to download
their boot configuration. The DHCP options are:
n TFTP Server IP (Option 150) — The IP address of the TFTP server where the DHCP client
can download the boot configuration.
n TFTP Server Name (Option 66) — The name of the TFTP server where the DHCP client can
download the boot configuration. This option is supported only for devices that use Fireware
XTM v11.7.4 and higher.
n TFTP Boot Filename (Option 67) — The name of the boot file.
Options 66 and 67 are described in RFC 2132. Option 150 is used by Cisco IP phones.
To configure these options in the DHCP Options section:
1. In the TFTP Server IP text box, type the IP address of the TFTP server.
2. In the TFTP Server Name text box, type the name of the TFTP server.
3. In the TFTP Boot Filename text box, type the name of the boot file on the TFTP server.
Use DHCP Relay
To configure DHCP relay for an XTM device in drop-in mode:
1. Select Network > Interfaces.
The Network Interfaces page appears.
2. Click Properties.
3. Select the DHCP Settings tab.
4. From the drop-down list, select Use DHCP Relay.
5. Type the IP address of the DHCP server in the related field. Make sure to Add a Static Route to
the DHCP server, if necessary.
6. At the top of the page, click Return.
7. Click Save.
Specify DHCP Settings for a Single Interface
You can specify different DHCP settings for each trusted or optional interface in your configuration. To
modify these settings:
1. On the Network > Interfaces page, select an interface.
2. Click Edit.
3. To use the same DHCP settings that you configured for drop-in mode, select Use System
DHCP Setting.
To disable DHCP for clients on that network interface, select Disable DHCP.
To configure different DHCP options for clients on a secondary network, select Use
DHCP Server for Secondary Network.
To configure DHCP relay for clients on a secondary network, select Use DHCP Relay for
Secondary Network. Specify the IP address of the DHCP server to use for the secondary
network.
4. To add IP address pools, set the default lease time, and manage DNS/WINS servers, complete
Steps 3–6 of the Use DHCP section.
5. To configure DHCP options for a secondary network, complete the steps in the Configure
DHCP Options section.
6. Click OK.
Bridge Mode
Bridge mode is a feature that allows you to install your XTM device between an existing network and
its gateway to filter or manage network traffic. When you enable this feature, your XTM device
processes and forwards all network traffic to other gateway devices. When the traffic arrives at a
gateway from the XTM device, it appears to have been sent from the original device.
To use bridge mode, you must specify an IP address that is used to manage your XTM device. The
device also uses this IP address to get Gateway AV/IPS updates and to route to internal DNS, NTP, or
WebBlocker servers as necessary. Because of this, make sure you assign an IP address that is
routable on the Internet.
In bridge mode, L2 and L3 headers are not changed. If you want traffic on the same physical interface
of an XTM device to pass through the device, you cannot use bridge mode. In this case, you must use
drop-in or mixed routing mode, and set the default gateway of those computers to be the XTM device
itself.
When you use bridge mode, your XTM device cannot complete some functions that require the device
to operate as a gateway. These functions include:
n Multi-WAN
n VLANs (Virtual Local Area Networks)
n Network bridges
n Static routes
n FireCluster
n Secondary networks
n DHCP server or DHCP relay
n Modem failover
n 1-to-1, dynamic, or static NAT
n Dynamic routing (OSPF, BGP, or RIP)
n Any type of VPN for which the XTM device is an endpoint or gateway
n Some proxy functions, including HTTP Web Cache Server
n Authentication automatic redirect
n Management of an AP device
If you have previously configured these features or services, they are disabled when you switch to
bridge mode. To use these features or services again, you must use a different network mode. If you
return to drop-in or mixed routing mode, you might have to configure some features again.
When you enable bridge mode, any interfaces with a previously configured network
bridge or VLAN are disabled. To use those interfaces, you must first change to either
drop-in or mixed routing mode, and configure the interface as External, Optional, or
Trusted, then return to bridge mode. Wireless features on XTM wireless devices
operate correctly in bridge mode.
When you configure your XTM device in Bridge Mode, the LCD display on your XTM
device shows the IP address of the bridged interfaces as 0.0.0.0. This is expected
behavior.
To use a network bridge on an XTMv virtual machine on ESXi, you must enable
promiscuous mode on the attached virtual switch (vSwitch) in VMware. You cannot
use a network bridge on an XTMv virtual machine on Hyper-V, because Hyper-V
virtual switches do not support promiscuous mode.
Enable Bridge Mode
To configure the XTM device in bridge mode:
1. Select Network > Interfaces.
The Network Interfaces page appears.
2. From the Configure Interfaces In drop-down list, select Bridge Mode.
3. If you are prompted to disable interfaces, click Yes to disable the interfaces, or No to return to
your previous configuration.
4. Type the IP Address of your XTM device in slash notation.
For more information on slash notation, see About Slash Notation on page 5.
5. Type the Gateway IP address that receives all network traffic from the device.
6. Click Save.
Allow Management Access from a VLAN
When you configure an XTM device in bridge mode, you cannot configure VLANs on the XTM device.
But the XTM device can pass VLAN tagged traffic between 802.1Q bridges or switches. You can
optionally configure the XTM device to be managed from a VLAN that has a specified VLAN tag.
To enable management from a VLAN for a device in bridge mode:
1. Select Network > Interfaces.
The Network Interfaces page appears.
2. Select the Allow VLAN tag for management access check box.
3. Type or select the VLAN ID you want to allow to connect to the device for management
access.
4. Click Save.
Common Interface Settings
When the XTM device is in mixed routing mode, you can configure it to send network traffic between a
wide variety of physical and virtual network interfaces. Mixed routing mode is the default network mode
and offers the greatest amount of flexibility for different network configurations. However, you must
configure each interface separately, and you might need to change network settings for each computer
or client protected by your XTM device.
For all of the supported network modes, you can configure common settings for each interface. The
interface configuration options available depend on the network mode and interface type.
To configure a network interface:
1. Select Network > Interfaces.
2. Select an interface and click Edit.
The Interface Configuration dialog box appears.
3. In the Interface Name (Alias) text box, you can use the default name or change it to one that
more closely reflects your own network and its own trust relationships.
Make sure the name is unique among interface names, as well as all Mobile VPN group names
and tunnel names. You can use this alias with other features, such as proxy policies, to manage
network traffic for this interface.
4. (Optional) In the Interface Description text box, type a description of the interface.
5. From the Interface Type drop-down list, select the value of the interface type: External,
Trusted, Optional, Bridge, VLAN, Link Aggregation, or Disabled. Some interface types
have additional settings.
6. Configure the interface settings.
n To set the IP address of a trusted or optional interface, type the IP address in slash
notation.
n For information about IP addresses to use for trusted and optional networks, see About
Private IP Addresses.
n For information about how to assign an IPv4 address to an external interface for a
device in mixed routing mode, see Configure an External Interface on page 114.
n To automatically assign IPv4 addresses to clients that connect to a trusted or optional
interface, see Configure IPv4 DHCP in Mixed Routing Mode on page 122 or Configure
DHCP Relay on page 146.
n To use more than one IP address on a single physical network interface, see Add a
Secondary Network IP Address on page 149.
n To configure an interface to use an IPv6 address for a device in mixed routing mode,
see Enable IPv6 for an External Interface and Enable IPv6 for a Trusted or Optional
Interface.
n For information about how to configure a network bridge, see Create a Network Bridge
Configuration.
n For information about VLAN configuration, see Assign Interfaces to a VLAN.
n For more information about Link Aggregation, see About Link Aggregation.
n To disable an interface from your configuration, see Disable an Interface on page 146.
7. Click Save.
Disable an Interface
1. Select Network > Interfaces.
The Network Interfaces page appears.
2. Select the interface you want to disable. Click Edit.
The Interface Configuration page appears.
3. From the Interface Type drop-down list, select Disabled. Click Save.
In the Network Interfaces page, the interface now appears as type Disabled.
Configure DHCP Relay
One way to get IP addresses for the computers on the trusted or optional networks is to use a DHCP
server on a different network. You can use DHCP relay to get IP addresses for the computers on the
trusted or optional network. With this feature, the XTM device sends DHCP requests to a server on a
different network.
If the DHCP server you want to use is not on a network protected by your XTM device, you must set
up a branch office VPN tunnel between your XTM device and the network where the DHCP server is
for this feature to operate correctly.
To configure DHCP relay:
1. Select Network > Interfaces.
The Network Interfaces page appears.
2. Select a trusted or an optional interface and click Configure.
3. From the drop-down list at the bottom of the page, select Use DHCP Relay.
4. Type the IP address of the DHCP server in the related field. Make sure to Add a Static Route to
the DHCP server, if necessary. The DHCP server can be on the network at the remote end of a
branch office VPN tunnel.
Restrict Network Traffic by MAC Address
You can use a list of MAC addresses to manage which devices are allowed to send traffic on the
network interface you specify. When you enable this feature, your XTM device checks the
MAC address of each computer or device that connects to the specified interface. If the MAC address
of that device is not on the MAC Access Control list for that interface, the device cannot send traffic.
This feature is especially helpful to prevent any unauthorized access to your network from a location
within your office. However, you must update the MAC Address Control list for each interface when a
new, authorized computer is added to the network.
If you choose to restrict access by MAC address, you must include the MAC
address for the computer you use to administer your XTM device.
To enable MAC Access Control for a network interface:
1. Select Network > Interfaces.
2. Select the interface on which you want to enable MAC Access Control, then click Edit.
3. Select the MAC Access Control tab.
4. Select the Restrict access by MAC address check box.
5. Click Add.
6. Type the MAC address of the computer or device to give it access to the specified interface.
7. (Optional) Type a Name for the computer or device to identify it in the list.
8. Click OK.
Repeat Steps 5–8 to add more computers or devices to the MAC Access Control list.
Add WINS and DNS Server Addresses
Your XTM device shares Windows Internet Name Server (WINS) and Domain Name System (DNS)
server IP addresses for some features. These features include DHCP and Mobile VPN. The WINS
and DNS servers must be accessible from the XTM device trusted interface.
This information is used for two purposes:
n The XTM device uses the DNS server to resolve names to IP addresses for IPSec VPNs and
for the spamBlocker, Gateway AV, and IPS features to operate correctly.
n The WINS and DNS entries are used by DHCP clients on the trusted or optional networks, and
by Mobile VPN users to resolve DNS queries.
Make sure that you use only an internal WINS and DNS server for DHCP and Mobile VPN. This is to
make sure that you do not create policies with configuration properties that make it difficult for your
users to connect to the DNS server.
1. Select Network > Interfaces.
The Interfaces configuration page appears.
2. (Optional) In the Domain Name text box, type a domain name that a DHCP client appends to
unqualified host names.
3. In the DNS Server or WINS Server text box, type the primary and secondary address for each
DNS or WINS server.
4. Click Add.
5. (Optional) Repeat Steps 2–3 to specify up to three DNS servers.
6. Click Save.
The XTM device uses the WINS and DNS servers that you configure here unless you configure a
different WINS/DNS server elsewhere.
n You can specify different WINS and DNS servers in the Mobile VPN with SSL settings. For
more information, see Configure the XTM Device for Mobile VPN with SSL.
n You can specify different WINS and DNS servers when you configure an interface to use the
XTM device as a DHCP server. For more information, see Configure IPv4 DHCP in Mixed
Routing Mode.
Add a Secondary Network IP Address
When you configure an XTM device interface, you can add secondary network IP addresses to the
interface. Each IP address you add can be on the same subnet or on a different subnet from the
primary IP address of the interface.
Secondary network IP address on the same subnet
For an internal interface, you can use a secondary IP address on the same subnet if an internal
host must use that IP address as its default gateway.
For an external interface, a common reason to use a secondary IP address on the same subnet
is when you want to forward traffic to multiple internal servers. When outgoing traffic, such as
traffic from an SMTP server, must appear to come from the same secondary IP address, use
the policy-based dynamic NAT Set source IP option in an outgoing policy.
For an example of this type of configuration, see the configuration example Use NAT for Public
Access to Servers with Private IP Addresses, available at
http://www.watchguard.com/help/configuration-examples/.
For more information about policy-based dynamic NAT, see Configure Policy-Based Dynamic
NAT.
Secondary network IP address on a different subnet
If the secondary IP address is on a different subnet from the primary IP address of the interface,
it tells the XTM device that there is one more network on the XTM device interface. When you
add a secondary network on a different subnet, the XTM device creates a route from any IP
address on the secondary network to the IP address of the XTM device interface.
For an external interface, you would use a secondary network on a different subnet if your ISP
gives you multiple IP addresses on different subnets, and the ISP gateway can route traffic to
and from the different subnets.
For a trusted or optional interface, you would define a secondary network on a different subnet
when you want to connect the interface to more than one internal network. An example is
described in the subsequent section.
If you configure an XTM device in drop-in mode, each XTM device interface uses the same
primary IP address. However, you probably use a different set of IP addresses on your trusted
network. You can add this private network as a secondary network to the trusted interface of
your XTM device.
For you to configure a secondary network IP address for an interface, your XTM device must use a
routed or drop-in network configuration. You can add secondary network IP addresses to an external
interface of an XTM device even if that external interface is configured to get its primary IP address
through PPPoE or DHCP.
Configure a Secondary Network
Use these steps to add a secondary network. In this example, the secondary network is on a trusted
interface.
To define a secondary network address, you must have an unused IP address on the secondary
network to assign to the XTM device interface.
To define a secondary network:
1. Select Network > Interfaces.
The Network Interfaces page appears.
2. Select the interface for the secondary network and click Edit.
3. Select the Secondary tab.
4. Type an unassigned host IP address in slash notation from the secondary network. Click Add.
Repeat this step to add additional secondary networks.
5. Click Save.
Make sure to add secondary network addresses correctly. The XTM device does not
tell you if the address is correct. We recommend that you do not create a subnet as a
secondary network on one interface that is a component of a larger network on a
different interface. If you do this, the XTM device could identify this traffic as
spoofing a network that it expects to exist on another interface, and the network
could fail to operate correctly. The XTM device might not ARP to the same network
on multiple interfaces (with the exception of drop-in mode, bridged interfaces, and
bridged VLANs).
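Because the device does not validate the secondary address for you, it is worth checking a planned address against the rest of the interface configuration before typing it into the Secondary tab. The following added example (not WatchGuard code) does that offline: it confirms the address is a usable host address on the new subnet and reports when the subnet sits inside, or contains, a network already configured on a different interface, which is the condition the note above says can be classified as spoofing. Interface aliases and addresses are constructed.

```python
"""Check a proposed secondary network against the other interfaces.

Added example, not WatchGuard code. `configured` maps an interface alias
to the addresses (primary and existing secondary) already assigned to it,
all in slash notation. Aliases and addresses used here are constructed.
"""
import ipaddress


def check_secondary_network(interface, address_cidr, configured):
    """Return a list of findings for adding address_cidr to `interface`.

    An empty list means the address passes every check this helper knows
    about; it cannot tell whether the host address is already in use on
    the wire, which the guide also requires you to verify.
    """
    findings = []
    iface = ipaddress.ip_interface(address_cidr)
    net = iface.network

    # The value typed in the Secondary tab must be a host address on the
    # new subnet, not the subnet's network or broadcast address.
    if (net.version == 4 and net.prefixlen < 31
            and iface.ip in (net.network_address, net.broadcast_address)):
        findings.append("%s is not a usable host address on %s" % (iface.ip, net))

    for alias, addrs in configured.items():
        for cidr in addrs:
            other = ipaddress.ip_interface(cidr).network
            if other.version != net.version:
                continue
            if alias == interface:
                if other == net:
                    findings.append("%s is already configured on %s" % (net, alias))
                continue
            # Same or smaller subnet on another interface: traffic from it may
            # be treated as spoofing the network expected on that interface.
            if net.subnet_of(other):
                findings.append("%s lies inside %s on interface %s; "
                                "the device may treat its traffic as spoofed" % (net, other, alias))
            elif other.subnet_of(net):
                findings.append("%s would contain %s already on interface %s" % (net, other, alias))
    return findings


if __name__ == "__main__":
    # Constructed configuration: a /16 on Optional and a /24 carved from it on Trusted.
    config = {
        "Trusted": ["10.0.1.1/24"],
        "Optional": ["10.0.0.1/16"],
        "External": ["203.0.113.2/30"],
    }
    for candidate in ("192.168.50.1/24", "10.0.2.1/24", "192.168.50.0/24"):
        print(candidate, check_secondary_network("Trusted", candidate, config) or "ok")
```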
About Advanced Interface Settings
You can use several advanced settings for XTM device interfaces:
Network Interface Card (NIC) Settings
Configures the speed and duplex parameters for XTM device interfaces to automatic or manual
configuration. We recommend you keep the link speed configured for automatic negotiation. If
you use the manual configuration option, you must make sure the device the XTM device
connects to is also manually set to the same speed and duplex parameters as the XTM device.
Use the manual configuration option only when you must override the automatic XTM device
interface parameters to operate with other devices on your network.
Set Outgoing Interface Bandwidth
When you use Traffic Management settings to guarantee bandwidth to policies, this setting
makes sure that you do not guarantee more bandwidth than actually exists for an interface. This
setting also helps you make sure the sum of guaranteed bandwidth settings does not fill the link
such that non-guaranteed traffic cannot pass.
Enable QoS Marking for an Interface
Creates different classifications of service for different kinds of network traffic. You can set the
default marking behavior as traffic goes out of an interface. These settings can be overridden by
settings defined for a policy.
Set DF Bit for IPSec
Determines the setting of the Don’t Fragment (DF) bit for IPSec.
PMTU Setting for IPSec
(External interfaces only) Controls the length of time that the XTM device lowers the MTU for an
IPSec VPN tunnel when it gets an ICMP Request to Fragment packet from a router with a lower
MTU setting on the Internet.
Use Static MAC Address Binding
Uses computer hardware (MAC) addresses to control access to an XTM device interface.
Network Interface Card (NIC) Settings
1. Select Network > Interfaces.
2. Select the interface you want to configure. Click Edit.
3. Click Advanced General Settings.
4. In the Link Speed drop-down list, select Auto Negotiate if you want the XTM device to select
the best network speed. You can also select one of the half-duplex or full-duplex speeds that
you know is compatible with your other network equipment.
Auto Negotiate is the default setting. We strongly recommend that you do not change this
setting unless instructed to do so by Technical Support. If you set the link speed manually and
other devices on your network do not support the speed you select, this can cause a conflict
that does not allow your XTM device interface to reconnect after failover.
5. In the MTU text box, specify the maximum packet size, in bytes, that can be sent through the
interface. We recommend that you use the default, 1500 bytes, unless your network equipment
requires a different packet size.
You can set the MTU from a minimum of 68 to a maximum of 9000.
6. To change the MAC address of the external interface, select the Override MAC Address
check box and type the new MAC address.
For more information about MAC addresses, see the subsequent section.
7. Click Save.
About MAC Addresses
Some ISPs use a MAC address to identify the computers on their network. Each MAC address gets
one static IP address. If your ISP uses this method to identify your computer, then you must change
the MAC address of the XTM device external interface. Use the MAC address of the cable modem,
DSL modem, or router that connected directly to the ISP in your original configuration.
The MAC address must have these properties:
n The MAC address must use 12 hexadecimal characters. Hexadecimal characters have a value
between 0 and 9 or between “a” and “f.”
n The MAC address must operate with:
o One or more addresses on the external network.
o The MAC address of the trusted network for the device.
o The MAC address of the optional network for the device.
n The MAC address must not be set to 000000000000 or ffffffffffff.
If the Override MAC Address check box is not selected when the XTM device is restarted, the device
uses the default MAC address for the external network.
To avoid problems with MAC addresses, the XTM device makes sure that the MAC address you
assign to the external interface is unique on your network. If the XTM device finds a device that uses
the same MAC address, the XTM device changes back to the standard MAC address for the external
interface and starts again.
Set DF Bit for IPSec
When you configure the external interface, select one of the three options to determine the setting for
the Don’t Fragment (DF) bit for IPSec section.
Copy
Select Copy to apply the DF bit setting of the original frame to the IPSec encrypted packet. If a
frame does not have the DF bits set, Fireware XTM does not set the DF bits and fragments the
packet if needed. If a frame is set to not be fragmented, Fireware XTM encapsulates the entire
frame and sets the DF bits of the encrypted packet to match the original frame.
Set
Select Set if you do not want your XTM device to fragment the frame regardless of the original
bit setting. If a user must make IPSec connections to an XTM device from behind a different
XTM device, you must clear this check box to enable the IPSec pass-through feature. For
example, if mobile employees are at a customer location that has an XTM device, they can make
IPSec connections to their network with IPSec. For your local XTM device to correctly allow the
outgoing IPSec connection, you must also add an IPSec policy.
Clear
Select Clear to break the frame into pieces that can fit in an IPSec packet with the ESP or AH
header, regardless of the original bit setting.
PMTU Setting for IPSec
This advanced interface setting applies to external interfaces only.
The Path Maximum Transmission Unit (PMTU) setting controls the length of time that the XTM device
lowers the MTU for an IPSec VPN tunnel when it gets an ICMP Request to Fragment packet from a
router with a lower MTU setting on the Internet.
We recommend that you keep the default setting. This can protect you from a router on the Internet
with a very low MTU setting.
Use Static MAC Address Binding
You can control access to an interface on your XTM device by computer hardware (MAC) address.
This feature can protect your network from ARP poisoning attacks, in which hackers try to change the
MAC address of their computers to match a real device on your network. To use MAC address binding,
you must associate an IP address on the specified interface with a MAC address. If this feature is
enabled, a computer with a specified MAC address can send and receive information only if it uses the
associated IP address.
You can also use this feature to restrict all network traffic to devices that match the MAC and IP
addresses on this list. This is similar to the MAC access control feature.
For more information, see Restrict Network Traffic by MAC Address on page 146.
If you choose to restrict network access by MAC address binding, make sure that
you include the MAC address for the computer you use to administer your XTM
device.
To configure the static MAC address binding settings:
1. Select Network > Interfaces. Select an interface, then click Configure.
2. Select the Advanced tab.
3. Adjacent to the Static MAC/IP Address Binding table, click Add.
4. Type an IP address and MAC address pair. Click OK. Repeat this step to add additional pairs.
5. If you want this interface to pass only traffic that matches an entry in the Static MAC/IP
Address Binding list, select the Only allow traffic sent from or to these MAC/IP
addresses check box.
If you do not want to block traffic that does not match an entry in the list, clear this check box.
If you select the Only allow traffic sent from or to these MAC/IP addresses
check box, but do not add any entries to the table, the MAC/IP Address Binding
feature does not become active.
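The two per-interface controls in this guide, the MAC Access Control list and static MAC/IP address binding, are easiest to reason about when applied to concrete traffic. The following added example (not WatchGuard code, and not a description of the device's internals) models both against constructed frame records: it normalizes MAC addresses using the validity rules listed under About MAC Addresses (12 hexadecimal characters, never all zeros or all f's), drops a frame whose source MAC is bound to a different IP address or whose source IP address belongs to another bound MAC (the ARP poisoning case), and reproduces the documented edge case that the Only allow traffic option has no effect while the binding table is empty. Class and function names are this example's own.

```python
"""MAC access control and static MAC/IP binding, modelled offline.

Added example, not WatchGuard code. Applies the two interface controls from
this guide to constructed (src_mac, src_ip) frame records. Names, MACs and
addresses are constructed.
"""
import ipaddress
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Accept XX-XX-XX-XX-XX-XX, xx:xx:xx:xx:xx:xx or 12 bare hex digits.

    Returns the 12 lowercase hex characters; rejects anything else and the
    two values the guide lists as invalid (all zeros, all f's).
    """
    s = mac.strip().lower().replace("-", "").replace(":", "")
    if not _HEX12.match(s):
        raise ValueError("MAC must be 12 hexadecimal characters: %r" % mac)
    if s in ("000000000000", "ffffffffffff"):
        raise ValueError("MAC must not be all zeros or the broadcast address")
    return s


class InterfacePolicy:
    def __init__(self, mac_allowlist=None, bindings=(), only_bound=False):
        # Restrict access by MAC address: None means the check box is cleared.
        self.restrict_by_mac = mac_allowlist is not None
        self.allowed = {normalize_mac(m) for m in (mac_allowlist or [])}
        # Static MAC/IP Address Binding table, entered as (ip, mac) pairs.
        self.mac_to_ip = {}
        self.ip_to_mac = {}
        for ip, mac in bindings:
            m, a = normalize_mac(mac), ipaddress.ip_address(ip)
            self.mac_to_ip[m] = a
            self.ip_to_mac[a] = m
        # Guide: "Only allow traffic..." is inactive while the table is empty.
        self.only_bound = only_bound and bool(self.mac_to_ip)

    def evaluate(self, src_mac, src_ip):
        """Return ('allow', '') or ('drop', reason) for one inbound frame."""
        try:
            mac = normalize_mac(src_mac)
        except ValueError as exc:
            return ("drop", str(exc))
        ip = ipaddress.ip_address(src_ip)
        if self.restrict_by_mac and mac not in self.allowed:
            return ("drop", "MAC not on the MAC Access Control list")
        bound_ip = self.mac_to_ip.get(mac)
        if bound_ip is not None and bound_ip != ip:
            return ("drop", "MAC %s is bound to %s, not %s" % (mac, bound_ip, ip))
        owner = self.ip_to_mac.get(ip)
        if owner is not None and owner != mac:
            # Another host claiming a bound address: the ARP poisoning case.
            return ("drop", "IP %s is bound to MAC %s" % (ip, owner))
        if self.only_bound and bound_ip is None:
            return ("drop", "no binding entry and only bound MAC/IP traffic is allowed")
        return ("allow", "")


def filter_frames(policy, frames):
    """Apply the policy to (src_mac, src_ip) records; return the verdicts."""
    return [policy.evaluate(mac, ip)[0] for mac, ip in frames]


if __name__ == "__main__":
    # Constructed: the admin workstation is on the allowlist and bound to .10.
    policy = InterfacePolicy(
        mac_allowlist=["00-11-22-33-44-55", "AA:BB:CC:DD:EE:01"],
        bindings=[("10.0.1.10", "00-11-22-33-44-55")],
    )
    frames = [
        ("00:11:22:33:44:55", "10.0.1.10"),   # admin host, correct address
        ("aa:bb:cc:dd:ee:01", "10.0.1.10"),   # another host using the admin address
        ("de:ad:be:ef:00:01", "10.0.1.20"),   # unknown MAC
    ]
    for frame, verdict in zip(frames, filter_frames(policy, frames)):
        print(frame, verdict)
```

As the guide warns, the administrator's own workstation must be on the allowlist (and, if the Only allow traffic option is used, in the binding table) or the first frame in the sample would also be dropped.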
Find the MAC Address of a Computer
A MAC address is also known as a hardware address or an Ethernet address. It is a unique identifier
specific to the network card in the computer. A MAC address is usually shown in this form:
XX-XX-XX-XX-XX-XX, where each X is a digit or letter from A to F. To find the MAC address of a
computer on your network:
1. From the command line of the computer whose MAC address you want to find, type ipconfig
/all (Windows) or ifconfig (OS X or Linux).
2. Look for the entry for the computer’s “physical address.” This value is the MAC or hardware
address for the computer.
About LAN Bridges
A network bridge makes a connection between multiple physical network interfaces on your XTM
device. A bridge can be used in the same ways as a normal physical network interface. For example,
you can configure DHCP to give IP addresses to clients on a bridge, or use it as an alias in firewall
policies.
To use a bridge you must assign one or more interfaces to type Bridge. Then you can Create a Network
Bridge Configuration.
If you want to bridge all traffic between two interfaces, we recommend that you use bridge mode for
your network configuration.
Create a Network Bridge Configuration
To use a network bridge on an XTMv virtual machine on ESXi, you must enable
promiscuous mode on the attached virtual switch (vSwitch) in VMware. You cannot
use a network bridge on an XTMv virtual machine on Hyper-V, because Hyper-V
virtual switches do not support promiscuous mode.
Before you can configure a bridge, you must first set one or more interfaces to type Bridge.
1. Select Network > Bridge.
The Bridge page appears. Bridge interfaces are listed at the top of the page.
2. To configure an interface as type Bridge, click Configure.
3. The Network Interfaces page appears.
4. Select the interface you want to use as a bridged interface. Click Configure.
5. Set the Interface Type to Bridge.
6. Repeat Steps 4 and 5 for each interface you want to bridge.
7. Click Save.
After you configure at least one bridge interface, you can create the bridge.
1. Select Network > Bridge.
The Bridge page appears.
2. Click Add.
3. On the Bridge Settings tab, type a Name and Description (optional) for the bridge
configuration.
4. Select a Security Zone from the drop-down list and type an IP Address in slash notation for
the bridge.
The bridge is added to the alias of the security zone you specify.
5. To add network interfaces, select the check box adjacent to each network interface you want to
add to the bridge configuration.
6. To configure DHCP settings, select the DHCP tab. From the DHCP Mode drop-down list,
select DHCP Server or DHCP Relay.
For more information on DHCP configuration, see Configure IPv4 DHCP in Mixed Routing
Mode on page 122 or Configure DHCP Relay on page 146.
7. If you want to add secondary networks to the bridge configuration, select the Secondary tab.
Type an IP address in slash notation and click Add.
For more information on secondary networks, see Add a Secondary Network IP Address on
page 149.
8. Click Save.
Assign a Network Interface to a Bridge
To assign additional interfaces to an existing bridge, edit the bridge.
1. Select Network > Bridge.
The Bridge page appears.
2. Select a bridge configuration in the Bridge Settings list, then click Edit.
3. Select the check box next to each network interface that you want to add to the bridge.
4. Click Save.
About Routing
A route is the sequence of devices through which network traffic is sent. Each device in this sequence,
usually called a router, stores information about the networks it is connected to inside a route table.
This information is used to forward the network traffic to the next router in the route.
Your XTM device automatically updates its route table when you change network interface settings,
when a physical network connection fails, or when it is restarted. To update the route table at other
times, you must use dynamic routing or add a static route. Static routes can improve performance, but
if there is a change in the network structure or if a connection fails, network traffic cannot get to its
destination. Dynamic routing ensures that your network traffic can reach its destination, but it is more
difficult to set up.
Add a Static Route
A route is the sequence of devices through which network traffic must go to get from its source to its
destination. A router is the device in a route that finds the subsequent network point through which to
send the network traffic to its destination. Each router is connected to a minimum of two networks. A
packet can go through a number of network points with routers before it gets to its destination.
You can create static routes to send traffic to specific hosts or networks. The router can then send the
traffic from the specified route to the correct destination. If you have a full network behind a router on
your local network, add a network route. If you do not add a route to a remote network, all traffic to that
network is sent to the XTM device default gateway.
Before you begin, you must understand the difference between a network route and a host route. A
network route is a route to a full network behind a router located on your local network. Use a host route
if there is only one host behind the router, or if you want traffic to go to only one host.
If you have configured a BOVPN virtual interface, you can also add and edit VPN routes for a
BOVPN virtual interface in the static routes table.
Add a Static Route
To add a static route:
1. Select Network > Routes.
The Routes page appears.
2. Click Add.
The Route dialog box appears.
3. From the Route Type drop-down list, select Static Route.
4. From the Destination Type drop-down list, select an option:
n Host IPv4 — Select this option if only one IPv4 host is behind the router or you want
traffic to go to only one host.
n Network IPv4 — Select this option if you have a full IPv4 network behind a router on
your local network.
n Host IPv6 — Select this option if only one IPv6 host is behind the router or you want
traffic to go to only one host.
n Network IPv6 — Select this option if you have a full IPv6 network behind a router on
your local network.
5. In the Route To text box, type the host address or network address. If you type a network
address, use slash notation.
For more information about slash notation, see About Slash Notation on page 5.
6. In the Gateway text box, type the IP address of the router.
Make sure that you type an IP address that is on one of the same networks as the XTM device.
7. In the Metric text box, type or select a metric value for the route. Routes with lower metrics
have higher priority.
8. If this is a Host IPv6 or Network IPv6 route, you can select the Specify interface check box
to select which interface this route applies to.
From the adjacent drop-down list, select an IPv6-enabled interface.
9. Click Save changes to close the Route dialog box.
The configured network route appears in the Routes page.
10. Click Save to save the change to the configuration.
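The route selection rules the steps above rely on (a host route is more specific than a network route, a lower metric wins among routes to the same destination, and anything without a route goes to the default gateway) are shown in the following added example, which is not WatchGuard code and does not claim to reproduce the device's own forwarding logic. It also enforces the requirement from step 6 that the gateway lie on a network directly connected to the device, and rejects a network destination typed with host bits set rather than in proper slash notation. Interface addresses, routes and gateways are constructed.

```python
"""Static route selection with host and network routes.

Added example, not WatchGuard code. Routes are chosen by longest prefix
first, then lowest metric; the default gateway is used when nothing
matches. A gateway is rejected unless it is on one of the device's
directly connected networks. All addresses below are constructed.
"""
import ipaddress


class RouteTable:
    def __init__(self, connected, default_gateway=None):
        # `connected`: the device's interface addresses in slash notation.
        self.connected = [ipaddress.ip_interface(c).network for c in connected]
        self.default_gateway = (ipaddress.ip_address(default_gateway)
                                if default_gateway else None)
        self.routes = []   # (destination network, gateway, metric, interface)

    def _on_connected_network(self, gateway):
        return any(gateway in net for net in self.connected)

    def add(self, destination, gateway, metric=0, interface=None):
        """Add a static route.

        A bare address is a host route (/32 or /128). A network route must
        be in slash notation with no host bits set; "172.16.5.0/16" raises.
        """
        dst = ipaddress.ip_network(destination)          # strict by default
        gw = ipaddress.ip_address(gateway)
        if gw.version != dst.version:
            raise ValueError("gateway and destination must be the same IP version")
        if not self._on_connected_network(gw):
            raise ValueError("gateway %s is not on a network connected to the device" % gw)
        self.routes.append((dst, gw, int(metric), interface))

    def lookup(self, address):
        """Return (gateway, interface) for address, or (default_gateway, None)."""
        ip = ipaddress.ip_address(address)
        candidates = [r for r in self.routes
                      if r[0].version == ip.version and ip in r[0]]
        if not candidates:
            return (self.default_gateway, None)
        # Longest prefix wins; among equal prefixes the lowest metric wins.
        best = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
        return (best[1], best[3])


if __name__ == "__main__":
    # Constructed device: trusted 10.0.1.1/24, external 203.0.113.2/30.
    table = RouteTable(["10.0.1.1/24", "203.0.113.2/30"], default_gateway="203.0.113.1")
    table.add("172.16.0.0/16", "10.0.1.254", metric=10)   # network route
    table.add("172.16.0.0/16", "10.0.1.252", metric=5)    # same network, preferred
    table.add("172.16.5.7", "10.0.1.253", metric=10)      # host route
    for dst in ("172.16.5.7", "172.16.9.9", "8.8.8.8"):
        print(dst, "->", table.lookup(dst))
```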
Add a BOVPN Virtual Interface Route
If you have configured a BOVPN virtual interface, you can also add and edit BOVPN virtual interface
routes here. This option is available only after you configure at least one BOVPN virtual interface. For
more information, see Configure a BOVPN Virtual Interface.
To add a BOVPN virtual interface route:
1. Select Network > Routes.
The Routes page appears.
2. Click Add.
The Route dialog box appears.
3. From the Route Type drop-down list, select BOVPN Virtual Interface Route.
4. From the Choose Type drop-down list, select an option:
n Host IPv4 — Select this option if only one IPv4 host is behind the router or you want traffic
to go to only one host.
n Network IPv4 — Select this option if you have a full IPv4 network behind a router on your
local network.
5. In the Route To text box, type the network address or host address. If you type a network
address, use slash notation.
For more information about slash notation, see About Slash Notation on page 5.
6. In the Metric text box, type or select a metric value for the route. Routes with lower metrics
have higher priority.
7. From the Interface drop-down list, select the BOVPN virtual interface you want to use for this
route.
8. Click Save changes to close the Route dialog box.
The configured network route appears in the Routes page.
9. Click Save to save the change to the configuration.
The BOVPN virtual interface routes you configure here also appear in the VPN Routes tab in the
BOVPN virtual interface configuration.
If the XTM device is configured in drop-in mode, the route table on the XTM device
might or might not immediately show the correct interface for a static route after you
restart the device, or after you move the gateway associated with a static route to a
different interface. The XTM device cannot update the route table with the correct
interface for a static route until it receives network traffic through the gateway for that
static route. The XTM device updates the internal route table on demand when traffic
is received from the gateway.
About Virtual Local Area Networks (VLANs)
An 802.1Q VLAN (virtual local area network) is a collection of computers on a LAN or LANs that are
grouped together in a single broadcast domain independent of their physical location. This enables you
to group devices according to traffic patterns, instead of physical proximity. Members of a VLAN can
share resources as if they were connected to the same LAN. You can also use VLANs to split a switch
into multiple segments. For example, suppose your company has full-time employees and contract
workers on the same LAN. You want to restrict the contract employees to a subset of the resources
used by the full-time employees. You also want to use a more restrictive security policy for the contract
workers. In this case, you split the interface into two VLANs.
VLANs enable you to divide your network into groups with a logical, hierarchical structure or grouping
instead of a physical one. This helps free IT staff from the restrictions of their existing network design
and cable infrastructure. VLANs make it easier to design, implement, and manage your network.
Because VLANs are software-based, you can quickly and easily adapt your network to additions,
relocations, and reorganizations.
VLANs use bridges and switches, so broadcasts are more efficient because they go only to people in
the VLAN, not everyone on the wire. Consequently, traffic across your routers is reduced, which
means a reduction in router latency. You can configure your XTM device to act as a DHCP server for
devices on the VLAN, or use DHCP relay with a separate DHCP server.
You assign a VLAN to the Trusted, Optional, or External security zone. VLAN security zones
correspond to aliases for interface security zones. For example, VLANs of type Trusted are handled by
policies that use the alias Any-Trusted as a source or destination. VLANs of type External appear in
the list of external interfaces when you configure policy-based routing.
VLAN Requirements and Restrictions
n The WatchGuard VLAN implementation does not support the spanning tree link management
protocol.
n If your XTM device is configured to use drop-in network mode, you cannot use VLANs.
n A VLAN interface can send and receive untagged traffic for only one trusted or optional VLAN.
For example, if a VLAN interface is configured to send and receive untagged traffic for VLAN10, it
cannot also send and receive VLAN traffic for any other VLAN at the same time.
n A VLAN interface cannot be configured to send and receive untagged traffic for an external
VLAN.
n A VLAN interface can be configured to send and receive tagged traffic for only one external
VLAN.
n Your multi-WAN configuration settings are applied to VLAN traffic. However, it can be easier to
manage bandwidth when you use only physical interfaces in a multi-WAN configuration.
n Your device model and license control the number of VLANs you can create.
To see the number of VLANs you can add to your configuration, select System Status
> License. Find the row labeled Total number of VLAN interfaces.
n We recommend that you do not create more than 10 VLANs that operate on external interfaces.
Too many VLANs on external interfaces affect performance.
n All network segments you want to add to a VLAN must have IP addresses on the VLAN
network.
n To use multiple VLANs on a single interface on an XTMv device in an ESXi environment,
configure the VSwitch for the XTMv VLAN interface to use VLAN ID 4095 (All).
If you define VLANs, you can ignore messages with the text 802.1d unknown
version. These occur because the WatchGuard VLAN implementation does not
support spanning tree link management protocol.
About Tagging
To enable VLANs, you must deploy VLAN-capable switches in each site. The switch interfaces insert
tags at layer 2 of the data frame that identify a network packet as part of a specified VLAN. These tags,
which add an extra four bytes to the Ethernet header, identify the frame as belonging to a specific
VLAN. Tagging is specified by the IEEE 802.1Q standard.
The VLAN definition includes disposition of tagged and untagged data frames. You must specify
whether the VLAN receives tagged, untagged, or no data from each interface that is enabled. Your
XTM device can insert tags for packets that are sent to a VLAN-capable switch. Your device can also
remove tags from packets that are sent to a network segment that belongs to a VLAN that has no
switch.
An XTM device interface can handle traffic for multiple tagged VLANs. This allows the interface to
function as a VLAN trunk. The XTM device supports the 802.1Q standard.
About VLAN ID Numbers
By default, on most new switches that are not configured, each interface belongs to VLAN number 1.
Because this VLAN exists on every interface of most switches by default, the possibility exists that
this VLAN can accidentally span the entire network, or at least very large portions of it.
We recommend you use a VLAN ID number that is not 1 for any VLAN that passes traffic to the
XTM device.
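As an added example (not code from the guide or from WatchGuard), the Python below shows what the 802.1Q tagging described above looks like on the wire: parsing a frame, inserting and stripping the four-byte tag, and classifying an arriving frame against an interface's Tagged, Untagged or No traffic membership as configured on the VLAN page. The frame bytes and VLAN names are constructed for illustration; the VLAN ID 1 and 4095 notes follow the advice in the two sections above.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vid: Optional[int]   # None for an untagged frame
    pcp: int             # 802.1p priority bits (0 when untagged)
    ethertype: int       # EtherType of the payload (e.g. 0x0800 for IPv4)
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame that carries at most one 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype != TPID_8021Q:
        return Frame(dst, src, None, 0, ethertype, raw[14:])
    if len(raw) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", raw[14:18])
    # TCI layout: 3 bits PCP, 1 bit DEI, 12 bits VID
    return Frame(dst, src, tci & 0x0FFF, tci >> 13, inner_type, raw[18:])


def tag_frame(raw: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the four-byte tag after the source MAC, as a device does when it
    forwards a frame toward a VLAN-capable switch."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094; 0 and 4095 are reserved")
    if parse_frame(raw).vid is not None:
        raise ValueError("frame already carries an 802.1Q tag")
    tci = ((pcp & 0x7) << 13) | vid
    return raw[:12] + struct.pack("!HH", TPID_8021Q, tci) + raw[12:]


def untag_frame(raw: bytes) -> bytes:
    """Remove the tag, as a device does toward a segment that has no switch."""
    if parse_frame(raw).vid is None:
        return raw
    return raw[:12] + raw[16:]


def vlan_id_notes(vid: int) -> str:
    """Classify a VLAN ID against the guide's advice on ID numbers."""
    if vid == 1:
        return "default VLAN on most unconfigured switches; avoid toward the XTM device"
    if vid == 4095:
        return "'All' VLAN ID used on ESXi vSwitches, not an ordinary VLAN"
    if vid <= 0 or vid > 4095:
        return "not a valid VLAN ID"
    return "ok"


@dataclass
class VlanInterface:
    """VLAN membership of one XTM interface: which VLANs are Tagged and which
    single VLAN, if any, is Untagged (the guide allows only one per interface)."""
    tagged: Dict[int, str] = field(default_factory=dict)   # VID -> VLAN name
    untagged: Optional[Tuple[int, str]] = None              # (VID, VLAN name)

    def classify_ingress(self, raw: bytes) -> Optional[str]:
        """Name of the VLAN a received frame belongs to, or None when the
        interface has No traffic for that VLAN and the frame is dropped."""
        f = parse_frame(raw)
        if f.vid is None or f.vid == 0:          # untagged or priority-tagged only
            return self.untagged[1] if self.untagged else None
        return self.tagged.get(f.vid)


if __name__ == "__main__":
    # Constructed broadcast frame: dst ff:ff:ff:ff:ff:ff, src 00:11:22:33:44:ff, IPv4 payload.
    untagged = bytes.fromhex("ffffffffffff" "0011223344ff" "0800") + b"constructed-payload"
    tagged = tag_frame(untagged, 10, pcp=3)
    iface = VlanInterface(tagged={10: "VLAN10", 20: "VLAN20"}, untagged=(30, "VLAN30"))
    print("tagged frame:", tagged.hex())
    print("parsed:", parse_frame(tagged))
    print("ingress VLAN:", iface.classify_ingress(tagged))
```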
Define a New VLAN
Before you create a new VLAN, make sure you understand all the VLAN concepts and restrictions, as
described in About Virtual Local Area Networks (VLANs) on page 164.
Before you can create a VLAN configuration, you must change at least one interface to be of type
VLAN.
1. Select Network > Interfaces.
2. Select the interface that is connected to your VLAN switch. Click Edit.
3. From the Interface Type drop-down list, select VLAN.
4. Click Save.
When you define a new VLAN, you add an entry in the VLAN Settings table. To change the view of
this table:
n Click a column header to sort the table based on the values in that column.
n Sort the table in descending or ascending order.
The values in the Interfaces column show the physical interfaces that are members of this VLAN. The
interface number in bold is the interface that sends untagged data to that VLAN.
To create a new VLAN:
1. Select Network > VLAN.
The VLAN page appears, with a list of existing user-defined VLANs and their settings.
You can also configure network interfaces from the Interfaces list.
2. Click New.
The VLAN Settings page appears.
3. In the Name text box, type a name for the VLAN. The name cannot contain spaces.
4. (Optional) In the Description text box, type a description of the VLAN.
5. In the VLAN ID text box, type or select a value for the VLAN.
6. From the Security Zone drop-down list, select Trusted, Optional, or External.
Security zones correspond to aliases for interface security zones. For example, VLANs of type
Trusted are handled by policies that use the alias Any-Trusted as a source or destination.
7. In the IP Address text box, type the address of the VLAN gateway.
Any computer in this new VLAN must use this IP address as its default gateway.
Use DHCP on a VLAN
You can configure the XTM device as a DHCP server for the computers on your VLAN network.
1. On the Network tab, from the DHCP Mode drop-down list, select DHCP Server. If necessary,
type your domain name to supply it to the DHCP clients.
2. To add an IP address pool, type the first and last IP addresses in the pool. Click Add.
You can configure a maximum of six address pools.
3. To reserve a specific IP address for a client, type the IP address, reservation name, and
MAC address for the device. Click Add.
4. To change the default lease time, from the drop-down list at the top of the page, select a
different time interval.
This is the time interval that a DHCP client can use an IP address that it receives from the DHCP
server. When the lease time is about to expire, the client sends a request to the DHCP server to get a
new lease.
5. To add DNS or WINS servers to your DHCP configuration, type the server address in the text
box adjacent to the list. Click Add.
6. To delete a server from the list, select the server from the list and click Remove.
For more information about per-interface DNS/WINS and DHCP options, see Configure IPv4 DHCP in
Mixed Routing Mode.
Use DHCP Relay on a VLAN
1. On the Network tab, from the DHCP Mode drop-down list, select DHCP Relay.
2. Type the IP address of the DHCP server. Make sure to add a route to the DHCP server, if
necessary.
Apply Firewall Policies to Intra-VLAN Traffic
You can configure more than one XTM device interface as a member of the same VLAN. To apply
firewall policies to VLAN traffic between local interfaces, select the Apply firewall policies to intra-VLAN traffic check box.
Intra-VLAN traffic is traffic from a VLAN on one interface that is destined for the same VLAN on
another interface. When you enable this feature, the XTM device applies policies to traffic that passes
through the firewall between hosts on different interfaces that are on the same VLAN. If you want to
apply policies to intra-VLAN traffic, make sure that no alternate path exists between the source and
destination. The VLAN traffic must go through the XTM device in order for firewall policies to apply.
Intra-VLAN policies are applied by IP address, user, or alias. If the intra-VLAN traffic does not match
any defined policy, the traffic is denied as unhandled packets. Intra-VLAN non-IP packets are allowed.
Configure Network Settings for a VLAN on the External Interface
When you configure a VLAN on the external interface, you must configure how the VLAN gets the
external IP address.
1. On the VLAN Settings tab, from the Security Zone drop-down list, select External.
2. Select the Network tab.
3. From the Configuration Mode drop-down list, select Static IP, DHCP, or PPPoE.
4. Configure the network settings with the same method you use for other external interfaces.
For more information, see Configure an External Interface on page 114.
If you configure an external VLAN interface to get an IP address through DHCP, you
can release or renew the VLAN interface IP address in Fireware XTM Web UI on the
System Status > Interfaces page. For more information, see Interfaces on page
762.
Before you can save this VLAN, you must Assign Interfaces to a VLAN on page 168.
Assign Interfaces to a VLAN
When you create a new VLAN, you specify the type of data it receives from XTM device interfaces.
However, you can also make an interface a member of a VLAN that is currently defined, or remove an
interface from a VLAN.
You must change an interface type to VLAN before you can use it in a
VLAN configuration.
To assign a network interface to a VLAN:
1. Select Network > VLAN.
The VLAN page appears.
2. Click New, or select a VLAN interface and click Edit.
3. In the Select a VLAN tag setting for each interface list, select one or more interfaces.
4. From the Select Traffic drop-down list, select an option to apply to the selected interfaces:
n Tagged traffic — The interface sends and receives tagged traffic.
n Untagged traffic — The interface sends and receives untagged traffic.
n No traffic — Remove the interface from this VLAN configuration.
5. Click Save.
About Link Aggregation
A link aggregation (LA) interface is a group of physical interfaces that you configure to work together as
a single logical interface. You can use a link aggregation interface to increase the cumulative
throughput beyond the capacity of a single physical interface, and to provide redundancy if there is a
physical link failure.
You can configure a link aggregation interface only on an XTM device configured in mixed routing
mode. A link aggregation interface can be configured as an External, Trusted, or Optional interface, or
as a member of a VLAN or Bridge interface. You can use a link aggregation interface in most of the
same ways that you use a physical interface. For example, you can use it in the configuration of
policies, multi-WAN, VPN, DHCP, and PPPoE.
Requirements and Limitations
n Link aggregation requires Fireware XTM with a Pro upgrade.
n Link aggregation interfaces do not support IPv6, Traffic Management, QoS, and some other
advanced interface settings.
n You cannot use a link aggregation interface with an active/active FireCluster, or on XTM 21, 22,
23, or XTMv devices.
n Dynamic link aggregation mode is not supported on XTM 25, XTM 26, and XTM 33 devices.
Link Aggregation Modes
On a supported Fireware XTM device with Fireware XTM Pro, you can configure a link aggregation
interface in one of three modes. For all modes, a member interface can be active only when the
member interface link status is up. Whether a member interface is active depends on both the link
status of the physical interface and the link aggregation mode.
Dynamic (802.3ad)
All physical interfaces that are members of the link aggregation interface can be active. The
physical interface used for traffic between any source and destination is selected based on Link
Aggregation Control Protocol (LACP), as described in the IEEE 802.3ad dynamic link
aggregation specification.
Static
All physical interfaces that are members of the link aggregation interface can be active. The
same physical interface is always used for traffic between a given source and destination based
on source/destination MAC address and source/destination IP address. This mode provides
load balancing and fault tolerance.
Active-backup
In this mode, at most only one member interface in the link aggregation group is active at a time.
The other member interfaces in the link aggregation group become active only if the active
interface fails. This mode provides fault tolerance for connections to network switches that do
not support link aggregation.
To use dynamic or static link aggregation, you must also configure link aggregation on the connected
switches. To use Active-backup mode it is not necessary to enable link aggregation on your switches.
Configure Link Aggregation
Each link aggregation interface can have several physical interface members. For each device
interface that you want to be a link interface member, you must set the interface type to Link
Aggregation. Then you create the link aggregation interface, and add the link aggregation members.
Configure Link Aggregation Members
1. Select Network > Interfaces.
The Network Interfaces page appears.
2. Select an interface and click Edit.
3. From the Interface Type drop-down list, select Link Aggregation.
4. In the Interface Name (Alias) text box, you can use the default name or change it to one that
more closely reflects how this interface is used.
5. (Optional) In the Interface Description text box, type a description of the interface.
6. Click Save.
Repeat these steps for each interface that you want to configure as a member of a link aggregation
interface.
If you change an interface type from External to Link Aggregation, any 1 to 1
NAT rules previously associated with the external interface are automatically
removed.
Add a Link Aggregation Interface
1. Select Network > Link Aggregation.
The Link Aggregation page appears. The interfaces configured as type Link Aggregation are listed at
the top.
2. To configure additional link aggregation members, click Configure.
3. To add a new Link Aggregation interface, click Add.
The Link Aggregation settings page appears.
4. In the Name text box, type a name for this link aggregation configuration.
5. (Optional) In the Description text box, type a description for the link aggregation configuration.
6. From the Mode drop-down list, select the link aggregation mode to use. You can choose Static,
Dynamic, or Active-backup.
For information about link aggregation modes, see About Link Aggregation.
If you choose Static or Dynamic mode, your connected switch or router must also
support and be configured to use the same mode.
7. From the Type drop-down list, select the interface type. For a Link Aggregation interface, you can
set the type to Trusted, Optional, External, Bridge, or VLAN.
8. Configure the settings for the interface type you selected.
Configure the other settings the same way that you would configure them for any other interface.
For a Trusted or Optional interface:
Type the IPv4 interface private IP address in slash notation. For more information about
private IP addresses, see About Private IP Addresses.
Select the Network tab. Configure the DHCP settings. For more information about
DHCP settings, see Configure IPv4 DHCP in Mixed Routing Mode on page 122 or
Configure DHCP Relay on page 146.
For an External interface:
Select the Network tab. Type a static IPv4 address and default gateway, or configure the
external interface to use DHCP or PPPoE to get an IP address. For information about
external interface network settings, see Configure an External Interface.
For a Bridge interface:
Select the network bridge interface you want to add this link aggregation interface to. You
must assign this interface to a Bridge. For more information, see Assign a Network
Interface to a Bridge.
For a VLAN interface:
Select the tagged or untagged VLANs you want to add this link aggregation interface to.
You must assign this interface to a VLAN. For more information, see Assign Interfaces to a
VLAN.
9. To configure a secondary network on this interface, select the Secondary tab.
For information about how to configure a secondary network, see Add a Secondary Network
IP Address on page 149.
10. To configure network interface card settings, select the Advanced tab.
The network interface settings apply to all physical interfaces assigned to this link aggregation
interface. For more information, see Network Interface Card (NIC) Settings.
Physical interfaces that are members of a link aggregation interface must support the
same link speed. On XTM 505, 510, 520, or 530 devices, interface 0 (Eth0) supports
a lower maximum link speed than the other interfaces. If you use Eth0 as a member
of a link aggregation interface on these models, you must set the Link Speed to 100
Mbps or lower in the link aggregation interface configuration and on the connected
network switches.
Unlike a physical interface configuration, you cannot configure Traffic Management, QoS, or
static MAC/IP address binding in the interface advanced settings. A link aggregation interface
does not support those features.
Connect Link Aggregation Interfaces to a Switch
If you configure a link aggregation interface to use dynamic or static link aggregation, you must
configure the switch that these interfaces connect with to use the same link aggregation mode and link
speed. Then you can connect the cables from the member interfaces on the XTM device to the other
network device.
If the link aggregation interface uses Active-backup mode, you do not need to enable link aggregation
on your connected switches or routers.
For more information about link aggregation network modes, see About Link Aggregation.
Read the Link Aggregation Settings Table
After you configure link aggregation settings, you can see a summary of the settings for each link
aggregation configuration on the Link Aggregation page. Select Network > Link Aggregation.
The columns show information about each link aggregation interface.
Name
The interface name. You can use this name in policies just as you would any other interface
name.
Type
The interface type. Link aggregation interfaces can be Trusted, External, Optional, Bridge or
VLAN.
IP Address
The interface IP address. This column shows DHCP or PPPoE client for an external interface
configured to get an IP address from a DHCP or PPPoE server.
Interfaces
The interface numbers of the physical interfaces that are members of this link aggregation
interface.
Edit or Remove a Link Aggregation Interface
From the Link Aggregation page, you can edit or remove a link aggregation interface. When you remove
a link aggregation interface, the member interfaces are still set to type Link Aggregation, but they are
no longer assigned to any link aggregation interface.
To edit or delete a link aggregation configuration:
1. Select Network > Link Aggregation.
2. Select the interface you want to edit or delete.
n Click Configure to edit the selected link aggregation interface.
n Click Remove to delete the selected link aggregation interface.
Monitor Link Aggregation Interfaces
Each link aggregation interface is identified by an interface number that starts with the prefix bond
followed by a number. Link aggregation interfaces are numbered consecutively in the order they were
added. For example, if you enable two link aggregation interfaces, the interface numbers are bond0 and
bond1.
Link aggregation interface numbers appear in the routes table, and in log messages.
To monitor the status of physical interfaces that are members of a link aggregation interface select
Dashboard > Interfaces. The Interfaces page shows the status for each physical interface, including
link aggregation members, but does not show the status of link aggregation interfaces.
To monitor the status of link aggregation interfaces, you must use Firebox System Manager. For more
information, see the WatchGuard System Manager Help or User Guide.
Network Setup Examples
Configure Two VLANs on the Same Interface
A network interface on an XTM device is a member of more than one VLAN when the switch that
connects to that interface carries traffic from more than one VLAN. This example shows how to
connect one switch that is configured for two different VLANs to a single interface on the XTM device.
The subsequent diagram shows the configuration for this example.
In this example, computers on both VLANs connect to the same 802.1Q switch, and the switch
connects to interface 3 on the XTM device.
The subsequent instructions show you how to configure these VLANs.
Configure Interface 3 as a VLAN Interface
1. Select Network > Interfaces.
2. Select interface number 3.
3. Click Edit.
4. In the Interface Name (Alias) text box type vlan.
5. From the Interface Type drop-down list, select VLAN.
6. Click Save.
Define the Two VLANs and Assign Them to the VLAN Interface
1. Select Network > VLAN.
2. Click Add.
3. In the Name text box, type a name for the VLAN. For this example, type VLAN10.
4. In the Description text box, type a description. For this example, type Accounting.
5. In the VLAN ID text box, type the VLAN number configured for the VLAN on the switch. For
this example, type 10.
6. From the Security Zone drop-down list, select the security zone. For this example, select
Trusted.
7. In the IP Address text box, type the IP address to use for the XTM device on this VLAN. For
this example, type 192.168.10.1/24.
8. In the interface list, select the interface called vlan.
9. From the Select Traffic drop-down list, select Tagged traffic.
10. Click Save.
11. Click Add to add the second VLAN.
12. In the Name text box, type VLAN20.
13. In the Description text box, type Sales.
14. In the VLAN ID text box, type 20.
15. From the Security Zone drop-down list, select Optional.
16. In the IP Address text box, type the IP address to use for the XTM device on this VLAN. For
this example, type 192.168.20.1/24.
17. In the interface list, select the interface called vlan.
18. From the Select Traffic drop-down list, select Tagged traffic.
19. Click Save.
Both VLANs now appear in the list, and are configured to use the defined VLAN interface.
Configure One VLAN Bridged Across Two Interfaces
You can configure a VLAN to bridge across two interfaces of the XTM device. You might want to bridge
one VLAN across two interfaces if your organization is spread across multiple locations. For example,
suppose your network is on the first and second floors in the same building. Some of the computers on
the first floor are in the same functional group as some of the computers on the second floor. You want
to group these computers into one broadcast domain so that they can easily share resources, such as
a dedicated file server for their LAN, host-based shared files, printers, and other network accessories.
This example shows how to connect two 802.1Q switches so that both switches can send traffic from
the same VLAN to two interfaces on the same XTM device.
In this example, two 802.1Q switches are connected to XTM device interfaces 3 and 4, and carry
traffic from the same VLAN.
Any computer in this VLAN must use the XTM device VLAN IP address as its default gateway.
Configure Interfaces 3 and 4 as VLAN Interfaces
1. Select Network > Interfaces.
2. Select interface number 3. Click Edit.
3. In the Interface Name (Alias) text box, type a name. For this example, type vlanfloor1.
4. From the Interface Type drop-down list, select VLAN.
5. Click Save.
6. Repeat the same steps to configure Interface 4 as a VLAN interface called vlanfloor2.
Configure the VLAN
1. Select Network > VLAN.
2. Click Add.
3. In the Name text box, type a name for the VLAN. For this example, type VLAN10.
4. In the Description text box, type a description. For this example, type Accounting.
5. In the VLAN ID text box, type the VLAN number configured for the VLAN on the switch. For
this example, type 10.
6. From the Security Zone drop-down list, select the security zone. For this example, select
Trusted.
7. In the IP Address text box, type the IP address to use for the XTM device on this VLAN. For
this example, type 192.168.10.1/24.
8. In the list of interfaces, select both interfaces.
9. From the Select Traffic drop-down list, select Tagged traffic.
10. Click Save.
Configure the Switches
Configure each of the switches that connect to interfaces 3 and 4 of the XTM device. Refer to the
instructions from your switch manufacturer for details about how to configure your switches.
Configure the Switch Interfaces Connected to the XTM Device
The physical segment between the switch interface and the XTM device interface is a tagged data
segment. Traffic that flows over this segment must use 802.1Q VLAN tagging.
Some switch manufacturers refer to an interface configured in this way as a trunk
port or a trunk interface.
On each switch, for the switch interface that connects to the XTM device:
n Disable Spanning Tree Protocol.
n Configure the interface to be a member of VLAN10.
n Configure the interface to send traffic with the VLAN10 tag.
n If necessary for your switch, set the switch mode to trunk.
n If necessary for your switch, set the encapsulation mode to 802.1Q.
Configure the Other Switch Interfaces
The physical segments between each of the other switch interfaces and the computers (or other
networked devices) that connect to them are untagged data segments. Traffic that flows over these
segments does not have VLAN tags.
On each switch, for the switch interfaces that connect computers to the switch:
n Configure these switch interfaces to be members of VLAN10.
n Configure these switch interfaces to send untagged traffic for VLAN10.
Physically Connect All Devices
1. Use an Ethernet cable to connect XTM device interface 3 to the Switch A interface that you
configured to tag for VLAN10 (the VLAN trunk interface of Switch A).
2. Use an Ethernet cable to connect the XTM device interface 4 to the Switch B interface that you
configured to tag for VLAN10 (the VLAN trunk interface of Switch B).
3. Connect a computer to the interface on Switch A that you configured to send untagged traffic for
VLAN10.
4. Configure the network settings on the connected computer. The settings depend on whether
you configured the XTM device to act as a DHCP server for the computers on VLAN10 in Step
9 of Define the VLAN on the XTM Device.
n If you configured the XTM device to act as a DHCP server for the computers on VLAN10,
configure the computer to use DHCP to get an IP address automatically. See Step 9 in the
procedure Define the VLAN, above.
n If you did not configure the XTM device to act as a DHCP server for the computers on
VLAN10, configure the computer with an IP address in the VLAN subnet 192.168.10.x.
Use subnet mask 255.255.255.0 and set the default gateway on the computer to the XTM
device VLAN IP address 192.168.10.1.
5. Repeat the previous two steps to connect a computer to Switch B.
Test the Connection
After you complete these steps, the computers connected to Switch A and Switch B can communicate
as if they were connected to the same physical local area network. To test this connection you can:
n Ping from a computer connected to Switch A to a computer connected to Switch B.
n Ping from a computer connected to Switch B to a computer connected to Switch A.
Use the Broadband Extend or 3G Extend Wireless Bridge
You can use the WatchGuard Broadband Extend USB or 3G Extend USB wireless bridge to add
cellular connectivity to your WatchGuard XTM 2 Series or 3 Series device. When you connect the
external interface of your XTM device to the wireless bridge, computers on your network can connect
wirelessly to the Internet through the cellular network.
To connect your XTM device to the cellular network you need:
n An XTM 2 Series or 3 Series device
n A Broadband Extend USB (for 4G/3G connectivity) or a 3G Extend USB (for 3G connectivity)
n A compatible wireless broadband data card
Use the Broadband Extend USB / Cradlepoint CBR450 Device
Follow these steps to use the Broadband Extend Cradlepoint cellular broadband adapter with your
WatchGuard XTM device.
1. Use the instructions in the Cradlepoint CBR450 Setup Guide to set up the Cradlepoint device
and update the device firmware.
2. Configure the external interface on your XTM device to get its address with DHCP. To learn
how to configure your external interface, see Configure an External Interface on page 114.
3. Use an Ethernet cable to connect the Cradlepoint device to the external interface of the XTM
device.
4. Start (or restart) the XTM device.
When the XTM device starts, it gets a DHCP address from the Cradlepoint device. After an
IP address is assigned, the XTM device can connect to the Internet via the cellular broadband
network.
The CBR450 supports a large number of popular 4G/3G USB modems. For a list of supported devices,
see http://www.cradlepoint.com/products/machine-to-machine-routers/cbr450-compact-broadbandrouter-without-wifi.
Use the 3G Extend USB / Cradlepoint CBA250 Device
Follow these steps to use the 3G Extend Cradlepoint cellular broadband adapter with your WatchGuard
XTM device.
1. Use the instructions in the Cradlepoint CBA250 Quick Start Guide to set up the Cradlepoint
device and update the device firmware. If you have a newer modem that is not supported by the
firmware version that ships on the device, you must use different steps to upgrade your
firmware to the latest version:
• Download the latest firmware for the CBA250 to your computer from the Cradlepoint
support site at http://www.cradlepoint.com/support/cba250.
• Use these instructions to update your firmware: Updating the Firmware on your Cradlepoint
Router.
2. Configure the external interface on your XTM device to get its address with DHCP. To learn
how to configure your external interface, see Configure an External Interface on page 114.
3. Use an Ethernet cable to connect the Cradlepoint device to the external interface of the XTM
device.
4. Start (or restart) the XTM device.
When the XTM device starts, it gets a DHCP address from the Cradlepoint device. After an
IP address is assigned, the XTM device can connect to the Internet via the cellular broadband
network.
The CBA250 supports a large number of USB or ExpressCard broadband wireless modems. For a list
of supported devices, see http://www.cradlepoint.com/support/cba250.
7
Multi-WAN
About Using Multiple External Interfaces
You can use your XTM device to create redundant support for the external interface. This is a helpful
option if you must have a constant Internet connection.
With the multi-WAN feature, you can configure up to four external interfaces, each on a different
subnet. This allows you to connect your XTM device to more than one Internet Service Provider (ISP).
When you configure a second interface, the multi-WAN feature is automatically enabled.
Multi-WAN Requirements and Conditions
You must have a second Internet connection and more than one external interface to use most multi-WAN configuration options.
Conditions and requirements for multi-WAN use include:
• If you have a policy configured with an individual external interface alias in its configuration, you
must change the configuration to use the alias Any-External, or another alias you configure for
external interfaces. If you do not do this, some traffic could be denied by your firewall policies.
• Multi-WAN settings do not apply to incoming traffic. When you configure a policy for inbound
traffic, you can ignore all multi-WAN settings.
• To override the multi-WAN configuration in any individual policy, enable policy-based routing for
that policy. For more information on policy-based routing, see Configure Policy-Based Routing
on page 531.
• Map your company’s Fully Qualified Domain Name to the external interface IP address of the
lowest order. If you add a multi-WAN XTM device to your Management Server configuration,
you must use the lowest-ordered external interface to identify it when you add the device.
• To use multi-WAN, you must use mixed routing mode for your network configuration. This
feature does not operate in drop-in or bridge mode network configurations.
• To use the Interface Overflow method, you must have Fireware XTM with a Pro upgrade. You
must also have a Fireware XTM Pro license if you use the Round-robin method and configure
different weights for the XTM device external interfaces.
• To use multi-WAN options except modem failover on an XTM 2 Series device, you must have
Fireware XTM with a Pro upgrade.
You can use one of four multi-WAN configuration options to manage your network traffic.
For configuration details and setup procedures, see the section for each option.
When you enable multi-WAN the XTM device monitors the status of each external interface. Make
sure that you define a link monitor host for each interface. We recommend that you configure two link
targets for each interface.
For more information, see About WAN Interface Status.
Multi-WAN and DNS
Make sure that your DNS server can be reached through every WAN. Otherwise, you must modify
your DNS policies such that:
• The From list includes Firebox.
• The Use policy-based routing check box is selected.
If only one WAN can reach the DNS server, select that interface in the adjacent drop-down list.
If more than one WAN can reach the DNS server, select any one of them, select Failover,
select Configure, and select all the interfaces that can reach the DNS server. The order does
not matter.
You must have Fireware XTM with a Pro upgrade to use policy-based routing.
About Multi-WAN Options
When you configure multiple external interfaces, you have several options to control which interface an
outgoing packet uses.
XTM 2 Series devices must have Fireware XTM with a Pro upgrade to use any of the
multi-WAN methods except modem failover. All other XTM devices must have
Fireware XTM with a Pro upgrade to use the weighted round robin or interface
overflow multi-WAN methods.
Round-Robin Order
When you configure multi-WAN with the Round-robin method, the XTM device looks at its internal
route table to check for specific static or dynamic routing information for each connection. The route
table includes dynamic routes as well as static routes you configure on the device. If no specified route
is found, the XTM device distributes the traffic load among its external interfaces. The XTM device
uses the average of sent (TX) and received (RX) traffic to balance the traffic load across all external
interfaces you specify in your round-robin configuration.
If you have Fireware XTM with a Pro upgrade, you can assign a weight to each interface used in your
round-robin configuration. By default and for all Fireware XTM users, each interface has a weight of 1.
The weight refers to the proportion of load that the XTM device sends through an interface. If you have
Fireware XTM Pro and you assign a weight of 2 to an interface, you double the portion of traffic that will
go through that interface compared to an interface with a weight of 1.
As an example, if you have three external interfaces with 6M, 1.5M, and .75M bandwidth and want to
balance traffic across all three interfaces, you would use 8, 2, and 1 as the weights for the three
interfaces. Fireware XTM will try to distribute connections so that 8/11, 2/11, and 1/11 of the total
traffic flows through each of the three interfaces.
For more information, see Configure Round-Robin on page 194.
Failover
When you use the failover method to route traffic through the XTM device external interfaces, you
select one external interface to be the primary external interface. Other external interfaces are backup
interfaces, and you set the order for the XTM device to use the backup interfaces. The XTM device
monitors the primary external interface. If it goes down, the XTM device sends all traffic to the next
external interface in its configuration. While the XTM device sends all traffic to the backup interface, it
continues to monitor the primary external interface. When the primary interface is active again, the
XTM device immediately starts to send all new connections through the primary external interface
again.
You control the action for the XTM device to take for existing connections; these connections can
fail back immediately, or continue to use the backup interface until the connection is complete.
Multi-WAN failover and FireCluster are configured separately. Multi-WAN failover caused by a failed
connection to a link monitor host does not trigger FireCluster failover. FireCluster failover occurs only
when the physical interface is down or does not respond. FireCluster failover takes precedence over
multi-WAN failover.
For more information, see Configure Failover on page 195.
Interface Overflow
When you use the Interface Overflow multi-WAN configuration method, you select the order you want
the XTM device to send traffic through external interfaces and configure each interface with a
bandwidth threshold value. The XTM device starts to send traffic through the first external interface in
its Interface Overflow configuration list. When the traffic through that interface reaches the bandwidth
threshold you have set for that interface, the XTM device starts to send traffic to the next external
interface you have configured in your Interface Overflow configuration list.
This multi-WAN configuration method allows the amount of traffic sent over each WAN interface to be
restricted to a specified bandwidth limit. To determine bandwidth, the XTM device examines the
amount of sent (TX) and received (RX) packets and uses the higher number. When you configure the
interface bandwidth threshold for each interface, you must consider the needs of your network for this
interface and set the threshold value based on these needs. For example, if your ISP is asymmetrical
and you set your bandwidth threshold based on a large TX rate, interface overflow will not be triggered
by a high RX rate.
If all WAN interfaces have reached their bandwidth limit, the XTM device uses the ECMP (Equal Cost
MultiPath Protocol) routing algorithm to find the best path.
For more information, see Configure Interface Overflow on page 197.
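The Interface Overflow selection described above, as an added example that is not WatchGuard code: interfaces are tried in configured order, an interface counts as full once the higher of its TX and RX rates reaches its threshold, and when every interface is full the caller falls back to ECMP. Interface names, thresholds and rates are constructed.

```python
"""Added example (not WatchGuard code): interface overflow selection.
Interfaces are tried in configured order; an interface is "full" once the
higher of its TX and RX rates reaches its threshold, so on an asymmetric
link a high RX rate alone can spill traffic to the next interface unless
the threshold was chosen with that direction in mind."""
from typing import Dict, List, Optional, Tuple

# (interface, threshold in Mbps) in configured order: constructed values
OVERFLOW_ORDER: List[Tuple[str, float]] = [("eth0", 6.0), ("eth1", 1.5), ("eth2", 0.75)]


def measured_load_mbps(tx_mbps: float, rx_mbps: float) -> float:
    """The guide states that the device uses the higher of TX and RX."""
    return max(tx_mbps, rx_mbps)


def pick_overflow_interface(rates: Dict[str, Tuple[float, float]],
                            order: List[Tuple[str, float]] = OVERFLOW_ORDER) -> Optional[str]:
    """Return the first interface in configured order that is still under its
    threshold, or None when every interface has reached its limit (the device
    then falls back to ECMP path selection)."""
    for name, threshold in order:
        tx, rx = rates.get(name, (0.0, 0.0))   # an idle interface reports 0/0
        if measured_load_mbps(tx, rx) < threshold:
            return name
    return None


if __name__ == "__main__":
    # constructed: eth0 sends little but receives a lot (asymmetric ISP), so it
    # is already over its 6 Mbps threshold and new traffic spills to eth1
    print(pick_overflow_interface({"eth0": (0.5, 6.2), "eth1": (0.1, 0.1)}))   # eth1
    # constructed: every interface at its limit -> None (ECMP fallback)
    print(pick_overflow_interface({"eth0": (7, 7), "eth1": (2, 2), "eth2": (1, 1)}))  # None
```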
Routing Table
When you select the Routing Table option for your multi-WAN configuration, the XTM device uses the
routes in its internal route table or routes it gets from dynamic routing processes to send packets
through the correct external interface. To see whether a specific route exists for a packet’s destination,
the XTM device examines its route table from the top to the bottom of the list of routes. You can see
the list of routes in the route table on the Status tab of Firebox System Manager. The Routing Table
option is the default multi-WAN option.
If the XTM device does not find a specified route, it selects the route to use based on source and
destination IP hash values of the packet, using the ECMP (Equal Cost Multipath Protocol) algorithm
specified in:
http://www.ietf.org/rfc/rfc2992.txt
With ECMP, the XTM device uses an algorithm to decide which next-hop (path) to use to send each
packet. This algorithm does not consider current traffic load.
For more information, see When to Use Multi-WAN Methods and Routing on page 199.
Modem (XTM 2 Series, 3 Series or 5 Series only)
You can connect an external modem to the USB port on your XTM 2 Series or XTM 33 device and use
that connection for failover when all other external interfaces are inactive.
For more information, see Configure Modem Failover on page 200.
Configure Round-Robin
Before You Begin
• To use the multi-WAN feature, you must have more than one external interface configured. If
necessary, use the procedure described in Configure an External Interface on page 114.
• Make sure you understand the concepts and requirements for multi-WAN and the method you
choose, as described in About Using Multiple External Interfaces on page 189 and About Multi-WAN
Options on page 191.
Configure the Interfaces
1. Select Network > Multi-WAN.
2. From the Multi-WAN Mode drop-down list, select Round Robin.
3. If you have Fireware XTM with a Pro upgrade, you can modify the weight associated with each
interface. Choose an interface, then type or select a new value in the adjacent Weight field. The
default value is 1 for each interface.
For information on interface weight, see Find How to Assign Weights to Interfaces on page 195.
4. To assign an interface to the multi-WAN configuration, select an interface and click Configure.
5. Select the Participate in Multi-WAN check box and click OK.
6. To complete your configuration, you must add link monitor information as described in About
WAN Interface Status on page 208.
7. Click Save.
Find How to Assign Weights to Interfaces
If you use Fireware XTM with a Pro upgrade, you can assign a weight to each interface used in your
round-robin multi-WAN configuration. By default, each interface has a weight of 1. The weight refers to
the proportion of load that the XTM device sends through an interface.
You can use only whole numbers for the interface weights; no fractions or decimals are allowed. For
optimal load balancing, you might have to do a calculation to know the whole-number weight to assign
for each interface. Use a common multiplier so that the relative proportion of the bandwidth given by
each external connection is resolved to whole numbers.
For example, suppose you have three Internet connections. One ISP gives you 6 Mbps, another ISP
gives you 1.5 Mbps, and a third gives you 768 Kbps. Convert the proportion to whole numbers:
• First convert the 768 Kbps to approximately .75 Mbps so that you use the same unit of
measurement for all three lines. Your three lines are rated at 6, 1.5, and .75 Mbps.
• Multiply each value by 100 to remove the decimals. Proportionally, these are equivalent: [6 : 1.5
: .75] is the same ratio as [600 : 150 : 75]
• Find the greatest common divisor of the three numbers. In this case, 75 is the largest number
that evenly divides all three numbers 600, 150, and 75.
• Divide each of the numbers by the greatest common divisor.
The results are 8, 2, and 1. You could use these numbers as weights in a round-robin multi-WAN
configuration.
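The weight calculation above, and the 8/11, 2/11, 1/11 split described under Round-Robin Order, as an added example that is not WatchGuard code. It derives the whole-number weights from the rated bandwidths and then feeds them to a textbook smooth weighted round-robin scheduler (an assumption used to illustrate proportionality, not the device's own algorithm) to show that connections land in the 8:2:1 ratio. Interface names are constructed.

```python
"""Added example (not WatchGuard code): derive whole-number round-robin
weights from link bandwidths, then show that a weight-proportional
scheduler distributes new connections in that same ratio."""
from fractions import Fraction
from functools import reduce
from math import gcd
from typing import Dict, List


def whole_number_weights(bandwidths: Dict[str, float]) -> Dict[str, int]:
    """Turn rated bandwidths (same unit for all) into the smallest whole-number
    weights with the same ratio, following the guide's steps: scale away the
    decimals with a common multiplier, then divide by the greatest common divisor."""
    # Fraction(str(x)) keeps values exact (1.5 -> 3/2, 0.75 -> 3/4), no float round-off.
    fracs = {name: Fraction(str(bw)) for name, bw in bandwidths.items()}
    # Common multiplier: least common multiple of the denominators.
    multiplier = reduce(lambda a, b: a * b // gcd(a, b),
                        (f.denominator for f in fracs.values()), 1)
    scaled = {name: int(f * multiplier) for name, f in fracs.items()}
    divisor = reduce(gcd, scaled.values())
    return {name: v // divisor for name, v in scaled.items()}


def expected_shares(weights: Dict[str, int]) -> Dict[str, Fraction]:
    """Share of traffic each interface should carry: weight / sum of weights."""
    total = sum(weights.values())
    return {name: Fraction(w, total) for name, w in weights.items()}


def weighted_round_robin(weights: Dict[str, int], n_connections: int) -> List[str]:
    """Smooth weighted round robin (assumed scheduler for illustration): every
    interface earns its weight in credit per round, the interface with the most
    credit takes the connection and pays back the total, so each cycle of
    sum(weights) connections contains exactly weight[i] picks of interface i."""
    credit = {name: 0 for name in weights}
    total = sum(weights.values())
    order: List[str] = []
    for _ in range(n_connections):
        for name, w in weights.items():
            credit[name] += w
        chosen = max(credit, key=credit.get)
        credit[chosen] -= total
        order.append(chosen)
    return order


def count_by_interface(order: List[str]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for name in order:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed input from the guide's example: 6 Mbps, 1.5 Mbps, 768 Kbps (~0.75 Mbps)
    links = {"eth0": 6, "eth1": 1.5, "eth2": 0.75}
    weights = whole_number_weights(links)
    print(weights)                                   # {'eth0': 8, 'eth1': 2, 'eth2': 1}
    print(expected_shares(weights))                  # 8/11, 2/11, 1/11
    print(count_by_interface(weighted_round_robin(weights, 110)))  # 80, 20, 10
```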
Configure Failover
Before You Begin
• To use the multi-WAN feature, you must have more than one external interface configured. If
necessary, use the procedure described in Configure an External Interface on page 114.
• Make sure you understand the concepts and requirements for multi-WAN and the method you
choose, as described in About Using Multiple External Interfaces on page 189 and About Multi-WAN
Options on page 191.
Configure the Interfaces
1. Select Network > Multi-WAN.
2. In the Multi-WAN Mode drop-down list, select Failover.
3. Select an interface in the list and click Up or Down to set the order for failover. The first
interface in the list is the primary interface.
4. To complete your configuration, you must add link monitor information as described in About
WAN Interface Status on page 208.
For information on advanced multi-WAN configuration options, see About Advanced Multi-WAN
Settings on page 206.
5. Click Save.
Configure Interface Overflow
Before You Begin
• To use the multiple WAN feature, you must have more than one external interface configured. If
necessary, use the procedure described in Configure an External Interface on page 114.
• Make sure you understand the concepts and requirements for multi-WAN and the method you
choose, as described in About Using Multiple External Interfaces on page 189 and About Multi-WAN
Options on page 191.
Configure the Interfaces
1. Select Network > Multi-WAN.
2. From the Multi-WAN Mode drop-down list, select Interface Overflow.
3. In the Threshold field for each interface, type or select the amount of network traffic in
megabits per second (Mbps) that the interface must carry before traffic is sent on other
interfaces.
4. To set the order of interface operation, select an interface in the table and click Up and Down to
change the order. The interfaces are used from first to last in the list.
5. To complete your configuration, you must add information as described in About WAN Interface
Status on page 208.
For information on advanced multi-WAN configuration options, see About Advanced Multi-WAN
Settings on page 206.
Configure Routing Table
Before You Begin
• To use the multi-WAN feature, you must have more than one external interface configured. If
necessary, use the procedure described in Configure an External Interface on page 114.
• You must decide whether the Routing Table method is the correct multi-WAN method for your
needs. For more information, see When to Use Multi-WAN Methods and Routing on page 199.
• Make sure you understand the concepts and requirements for multi-WAN and the method you
choose, as described in About Using Multiple External Interfaces on page 189 and About Multi-WAN
Options on page 191.
Routing Table mode and load balancing
It is important to note that the Routing Table option does not do load balancing on connections to the
Internet. The XTM device reads its internal route table from top to bottom. Static and dynamic routes
that specify a destination appear at the top of the route table and take precedence over default routes.
(A default route is a route with destination 0.0.0.0/0.) If there is no specific dynamic or static entry in
the route table for a destination, the traffic to that destination is routed among the external interfaces of
the XTM device through the use of ECMP algorithms. This may or may not result in even distribution of
packets among multiple external interfaces.
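The Routing Table behaviour described here and under the Routing Table option above, as an added example that is not WatchGuard code: the most specific route wins; only when the default route is the best match does a hash of the packet's source and destination pick one of the equal-cost external interfaces, in the RFC 2992 hash-threshold style, with no regard to current load. The route table, addresses and the truncated SHA-256 used as the flow hash are assumptions; the guide does not state which hash the device uses.

```python
"""Added example (not WatchGuard code): Routing Table style interface choice.
Specific static/dynamic routes take precedence; for the default route
(0.0.0.0/0) the (src, dst) hash selects one of the equal-cost next hops, so
the choice is stable per flow but not necessarily even across flows."""
import hashlib
import ipaddress
from typing import Dict, Iterable, List, Tuple

Route = Tuple[ipaddress.IPv4Network, List[str]]   # destination -> candidate interfaces

# Constructed route table.  Order in the list does not matter: lookup sorts
# longest prefix first, which is what puts specific routes above the default.
ROUTES: List[Route] = [
    (ipaddress.ip_network("0.0.0.0/0"), ["eth0", "eth1", "eth2"]),   # default, 3 WANs
    (ipaddress.ip_network("203.0.113.0/24"), ["eth1"]),              # e.g. a private circuit
]


def lookup(dst: str, routes: List[Route] = ROUTES) -> List[str]:
    """Return the next-hop interfaces of the most specific matching route."""
    addr = ipaddress.ip_address(dst)
    for net, hops in sorted(routes, key=lambda r: r[0].prefixlen, reverse=True):
        if addr in net:
            return hops
    raise LookupError(f"no route to {dst}")


def hash_threshold_select(src: str, dst: str, hops: List[str]) -> str:
    """RFC 2992 hash-threshold: hash the flow key into a fixed range and split
    that range into equal regions, one per next hop.  The same (src, dst)
    always lands in the same region; current traffic load is never consulted."""
    key = f"{src}->{dst}".encode()
    # Assumed hash: first 16 bits of SHA-256, giving a value in 0..65535.
    h = int.from_bytes(hashlib.sha256(key).digest()[:2], "big")
    region_size = 65536 // len(hops)
    return hops[min(h // region_size, len(hops) - 1)]


def choose_interface(src: str, dst: str, routes: List[Route] = ROUTES) -> str:
    hops = lookup(dst, routes)
    return hops[0] if len(hops) == 1 else hash_threshold_select(src, dst, hops)


def distribution(pairs: Iterable[Tuple[str, str]], routes: List[Route] = ROUTES) -> Dict[str, int]:
    """Count how many of the given flows land on each interface; the result is
    rarely an exact even split, which is the guide's point about ECMP."""
    counts: Dict[str, int] = {}
    for src, dst in pairs:
        iface = choose_interface(src, dst, routes)
        counts[iface] = counts.get(iface, 0) + 1
    return counts


if __name__ == "__main__":
    # Specific route always wins, regardless of the hash
    print(choose_interface("10.0.0.5", "203.0.113.10"))      # eth1
    # Default route: stable per flow, uneven across flows (constructed sources)
    flows = [(f"10.0.0.{i}", "198.51.100.1") for i in range(1, 51)]
    print(distribution(flows))
```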
Configure the Interfaces
1. Select Network > Multi-WAN.
2. In the Multi-WAN Mode drop-down list, select Routing Table.
3. To add interfaces to the multi-WAN configuration, select an interface and click Configure.
4. Select the Participate in Multi-WAN check box. Click OK.
5. To complete your configuration, you must add link monitor information as described in About
WAN Interface Status on page 208.
For information on advanced multi-WAN configuration options, see About Advanced Multi-WAN
Settings on page 206.
About the XTM Device Route Table
When you select the Routing Table configuration option, it is a good idea to know how to look at the
routing table that is on your XTM device.
From Fireware XTM Web UI:
Select System Status > Routes.
This shows the internal route table on your XTM device.
Routes in the internal route table on the XTM device include:
• Routes the XTM device learns from dynamic routing processes running on the device (RIP,
OSPF, and BGP) if you enable dynamic routing
• Permanent network routes or host routes you add
• Routes the XTM device automatically creates based on the network configuration information
If your XTM device detects that an external interface is down, it removes any static or dynamic routes
that use that interface. This is true if the hosts specified in the Link Monitor become unresponsive and
if the physical Ethernet link is down.
For more information on interface status and route table updates, see About WAN Interface Status on
page 208.
When to Use Multi-WAN Methods and Routing
If you use dynamic routing, you can use either the Routing Table or Round-Robin multi-WAN
configuration method. Routes that use a gateway on an internal (optional or trusted) network are not
affected by the multi-WAN method you select.
When to Use the Routing Table Method
The Routing Table method is a good choice if:
• You enable dynamic routing (RIP, OSPF, or BGP) and the routers on the external network
advertise routes to the XTM device so that the device can learn the best routes to external
locations.
• You must get access to an external site or external network through a specific route on an
external network. Examples include:
    • You have a private circuit that uses a frame relay router on the external network.
    • You want all traffic to an external location to always go through a specific XTM device
    external interface.
The Routing Table method is the fastest way to load balance more than one route to the Internet. After
you enable this option, the ECMP algorithm manages all connection decisions. No additional
configuration is necessary on the XTM device.
When to Use the Round-Robin Method
Load balancing traffic to the Internet using ECMP is based on connections, not bandwidth. Routes
configured statically or learned from dynamic routing are used before the ECMP algorithm. If you have
Fireware XTM with a Pro upgrade, the weighted round-robin option gives you options to send more
traffic through one external interface than another. At the same time, the round-robin algorithm
distributes traffic to each external interface based on bandwidth, not connections. This gives you more
control over how many bytes of data are sent through each ISP.
Configure Modem Failover
You can configure your XTM 2 Series, 3 Series, or 5 Series device to send traffic through a modem
when it cannot send traffic with any external interface.
Connect a serial or 3G/4G modem to the USB port on the XTM device. To use a serial modem, you
must have a dial-up account with an ISP (Internet Service Provider). To use a 3G/4G modem, the
XTM device must use Fireware XTM OS v11.7.3 or later and you must have a 3G or 4G data plan with
a wireless service provider.
Modem failover is supported for these 3G/4G modems:
• ZTE MF683 (T-Mobile Rocket 3.0 4G)
• Franklin U602 (Sprint 3G/4G Plug-in-Connect USB)
• Sierra Wireless AirCard 250U (Sprint 3G/4G USB 250U)
• Sierra Wireless AirCard 313U (requires Fireware XTM v11.7.4 or higher)
• Verizon Wireless LTE USB551L (requires Fireware XTM v11.7.4 or higher)
Modem failover is supported for these serial modems:
• Zoom FaxModem 56K model 2949
• MultiTech 56K Data/Fax Modem International
• OMRON ME5614D2 Fax/Data Modem
• Hayes 56K V.90 serial fax modem
For XTM 21, 22, and 23 devices, you must use an IOGEAR GUC323A USB to Serial RS-232 adapter
to connect the serial modem to the USB port on the XTM device.
Enable Modem Failover
1. Select Network > Modem.
The Modem page appears.
2. Select the Enable Modem for Failover when all External interfaces are down check box.
3. Complete the Account, DNS, Dial-Up, and Link Monitor settings, as described in the
subsequent sections.
4. Click Save.
Account Settings
In the Dial Up Account Settings section, you configure the settings your modem uses to connect.
Serial Modem
For a serial modem, all account settings are required.
1. Select the Account tab.
2. In the Telephone number text box, type the telephone number of your ISP.
3. If you have another number for your ISP, in the Alternate Telephone number text box, type
that number.
4. In the Account name text box, type your dial-up account name.
5. If you log in to your account with a domain name, in the Account domain text box, type the
domain name.
For example, msn.com.
6. In the Account password text box, type the password you use to connect to your dial-up
account.
3G/4G Modem
For a 3G or 4G modem, the telephone number is the access number specified by your wireless service
provider. Examples of 3G and 4G access numbers are *99#, *99****1#, and #777. The settings for
account name, domain, and password are not required for all 3G/4G modems. To determine the
requirements for your modem, contact your wireless service provider.
1. Select the Account tab.
2. Select the Enable 3G/4G modem support check box.
If a Telephone number is not already specified, it is set to *99# by default.
3. If necessary, change the Telephone number to the access number required by your wireless
service provider.
4. If you have another access number for your wireless service provider, in the Alternate
Telephone number text box, type that number.
5. If necessary, type the Account name, Account domain, and Account password the modem
must use to connect to your account.
Enable Modem Failover Debug Log Messages
If you have problems with your connection, select the Enable modem and PPP debug trace check
box. When this option is selected, the XTM device sends detailed log messages to the event log file
when a modem failover occurs.
DNS Settings
If your ISP or wireless service provider does not provide DNS server information, or if you must use a
different DNS server, you can manually add the IP addresses for a DNS server to use after failover
occurs.
1. Select the DNS tab.
The DNS Settings page appears.
2. Select the Manually configure DNS server IP addresses check box.
3. In the Primary DNS server text box, type the IP address of the primary DNS server.
4. If you have a secondary DNS server, in the Secondary DNS server text box, type the IP
address for the secondary server.
5. In the MTU text box, for compatibility purposes, you can set the Maximum Transmission Unit
(MTU) to a different value. Most users can keep the default setting.
Dial-Up Settings
1. Select the Dial Up tab.
The Dialing Options page appears.
2. In the Dial up timeout text box, type or select the number of seconds before a timeout occurs if
your modem does not connect. The default value is two (2) minutes.
3. In the Redial attempts text box, type or select the number of times the XTM device tries to
redial if your modem does not connect. The default value is three (3) connection attempts.
4. In the Inactivity Timeout text box, type or select the number of minutes to wait if no traffic goes
through the modem before a timeout occurs. The default value is no timeout (0 minutes).
5. From the Speaker volume drop-down list, select the speaker volume for your modem.
Advanced Settings
Some dial-up ISPs or wireless service providers require that you specify one or more PPP options in
order to connect. In China, for example, some ISPs require that you use the PPP option receive-all.
The receive-all option causes PPP to accept all control characters from the peer.
1. Select the Advanced tab.
2. In the PPP options text box, type the required PPP options.
To specify more than one PPP option, separate each option with a comma.
Link Monitor Settings
The Link Monitor is a tool you can use to verify the status of each external interface on your XTM
device. When you configure the modem settings on your XTM device, you can set options to test one
or more external interfaces for an active connection. When an external interface becomes active again,
the XTM device no longer sends traffic over the modem. Instead, it uses the available external
interface or interfaces. You can configure the Link Monitor to ping a site or device on the external
interface, create a TCP connection with a site and port number you specify, or both. You can also set
the time interval between each connection test, and configure the number of times a test must fail or
succeed before an interface is activated or deactivated.
To configure the link monitor settings for an interface:
1. Select the Link Monitor tab.
The ping and TCP connection options you set for each external interface appear.
2. Select an interface from the list and click Configure.
The Link Monitor dialog box appears.
3. To ping a location or device on the external network, select the Ping check box. In the adjacent
text box, type an IP address or host name.
4. To create a TCP connection to a location or device on the external network, select the
TCP check box. In the adjacent text box, type an IP address or host name.
(Optional) In the Port text box, type or select a port number.
The default port number is 80 (HTTP).
5. To require successful ping and TCP connections before an interface is marked as active, select
the Both Ping and TCP must be successful check box.
6. To change the time interval between connection attempts, in the Probe interval text box, type
or select a different number.
The default setting is 15 seconds.
7. To change the number of failures that mark an interface as inactive, in the Deactivate after text
box, type or select a different number.
The default value is three (3) connection attempts.
8. To change the number of successful connections that mark an interface as active, in the
Reactivate after text box, type or select a different number.
The default value is three (3) connection attempts.
9. Click OK.
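The Link Monitor semantics described in this section (ping and/or TCP probes, the Both Ping and TCP must be successful option, the probe interval, and the Deactivate after and Reactivate after counters), as an added example that is not WatchGuard code. Probe outcomes are fed in as constructed booleans so it runs offline; the interface names and targets are assumptions.

```python
"""Added example (not WatchGuard code): a link monitor state machine with
the guide's semantics.  Each probe cycle runs the configured ping and/or
TCP check; an interface goes inactive after `deactivate_after` consecutive
failures and active again after `reactivate_after` consecutive successes."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class LinkMonitor:
    name: str
    ping_target: Optional[str] = None      # IP or host name to ping, None = not configured
    tcp_target: Optional[str] = None       # host for a TCP handshake, None = not configured
    tcp_port: int = 80                     # guide default (HTTP)
    both_required: bool = False            # "Both Ping and TCP must be successful"
    probe_interval_s: int = 15             # guide default
    deactivate_after: int = 3              # guide default
    reactivate_after: int = 3              # guide default
    active: bool = True
    fail_streak: int = 0
    success_streak: int = 0
    events: List[str] = field(default_factory=list)

    def probe_ok(self, ping_ok: Optional[bool], tcp_ok: Optional[bool]) -> bool:
        """Combine the configured checks into one pass/fail result.  A check
        that is configured but reports None is treated as a failure."""
        results = []
        if self.ping_target is not None:
            results.append(bool(ping_ok))
        if self.tcp_target is not None:
            results.append(bool(tcp_ok))
        if not results:
            raise ValueError("configure at least one of ping/TCP")
        return all(results) if self.both_required else any(results)

    def observe(self, ping_ok: Optional[bool] = None, tcp_ok: Optional[bool] = None) -> bool:
        """Feed one probe cycle; return the interface's active state afterwards.
        A single success resets the failure count and vice versa, so only
        consecutive results count toward the thresholds."""
        if self.probe_ok(ping_ok, tcp_ok):
            self.success_streak += 1
            self.fail_streak = 0
            if not self.active and self.success_streak >= self.reactivate_after:
                self.active = True
                self.events.append(f"{self.name} reactivated")
        else:
            self.fail_streak += 1
            self.success_streak = 0
            if self.active and self.fail_streak >= self.deactivate_after:
                self.active = False
                self.events.append(f"{self.name} deactivated: routes via it are withdrawn")
        return self.active

    def worst_case_detection_s(self) -> int:
        """Simple bound on link-loss detection time: N consecutive probes at the
        probe interval (3 x 15 s = 45 s with the defaults, in line with the
        40 to 60 seconds the guide quotes for the route table update)."""
        return self.deactivate_after * self.probe_interval_s


def run_trace(monitor: LinkMonitor, ping_results: List[bool]) -> List[bool]:
    """Feed a constructed list of ping results; return the state after each probe."""
    return [monitor.observe(ping_ok=ok) for ok in ping_results]


if __name__ == "__main__":
    mon = LinkMonitor("eth0", ping_target="198.51.100.1")   # constructed target
    # constructed trace: two transient failures do not trip the monitor,
    # three consecutive failures do, and three successes restore the interface
    print(run_trace(mon, [True, False, False, True, False, False, False, True, True, True]))
    print(mon.events, mon.worst_case_detection_s())
```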
About Advanced Multi-WAN Settings
You can configure sticky connections, failback, and notification of multi-WAN events. Not all
configuration options are available for all multi-WAN configuration options. If a setting does not apply to
the multi-WAN configuration option you selected, those fields are not active.
To configure multi-WAN settings:
1. Select Network > Multi-WAN.
2. Select the Advanced Settings tab.
3. Configure Sticky Connection Duration, Failback for Active Connections and Notification
Settings as described in the subsequent sections.
4. Click Save.
Set a Global Sticky Connection Duration
A sticky connection is a connection that continues to use the same WAN interface for a defined period
of time. You can set sticky connection parameters if you use the Routing Table, Round-robin, or
Interface Overflow options for multi-WAN. Stickiness makes sure that, if a packet goes out through an
external interface, any future packets between the source and destination IP address pair use the
same external interface for a specified period of time. By default, sticky connections use the same
interface for 3 minutes.
If a policy definition contains a sticky connection setting, the policy setting is used instead of the global
setting.
To change the global sticky connection duration for a protocol or set of protocols:
1. In the text box for the protocol, type or select a number.
2. In the adjacent drop-down list, select a time duration.
If you set a sticky connection duration in a policy, you can override the global sticky connection
duration. For more information, see Set the Sticky Connection Duration for a Policy on page 536.
Set the Failback Action
You can set the action you want your XTM device to take when a failover event has occurred and the
primary external interface becomes active again. When this occurs, all new connections immediately
fail back to the primary external interface. You select the method you want to use for connections in
process at the time of failback.
In the Failback for Active Connections drop-down list:
n
n
Immediate failback — Select this option if you want the XTM device to immediately stop all
existing connections.
Gradual failback — Select this option if you want the XTM device to continue to use the
failover interface for existing connections until each connection is complete.
This failback setting also applies to any policy-based routing configuration you set to use failover
external interfaces.
Set Notification Settings
Log messages are always created for multi-WAN failover events.
To configure notification settings for multi-WAN failover and failback events:
1. Click Notification.
2. Select a notification method: SNMP trap, email message, or pop-up window.
For more information about notification settings, see Set Logging and Notification Preferences on page
748.
About WAN Interface Status
You can choose the method and frequency you want the XTM device to use to check the status of
each WAN interface. If you do not configure a specified method for the XTM device to use, it pings the
interface default gateway to check interface status.
We recommend that you configure one or two link monitor hosts for each external interface. Select
targets that have a record of high uptime, such as servers hosted by your ISP. If there is a remote site
that is critical to your business operations, such as a credit card processing site or business partner, it
may be worthwhile to ask the administrator at that site if they have a device that you can use as a
monitoring target to verify connectivity to their site.
Time Needed for the XTM Device to Update its Route Table
If a link monitor host does not respond, it can take from 40–60 seconds for the XTM device to update
its route table. When the same Link Monitor host starts to respond again, it can take from 1–60
seconds for your XTM device to update its route table.
The update process is much faster when your XTM device detects a physical disconnect of the
Ethernet port. When this happens, the XTM device updates its route table immediately. When your
XTM device detects the Ethernet connection is back up, it updates its route table within 20 seconds.
Define a Link Monitor Host
1. Select Network > Multi-WAN.
2. Select the interface and click Configure.
The Link Monitor Details dialog box appears.
3. Select the check boxes for each link monitor method you want the XTM device to use to check the status of each external interface:
• Ping — Add an IP address or domain name for the XTM device to ping to check for interface status.
• TCP — Add the IP address or domain name of a computer that the XTM device can negotiate a TCP handshake with to check the status of the WAN interface.
• Both ping and TCP must be successful — The interface is considered inactive unless both a ping and TCP connection complete successfully.
If an external interface is a member of a FireCluster configuration, a multi-WAN failover caused
by a failed connection to a link monitor host does not trigger FireCluster failover. FireCluster
failover occurs only when the physical interface is down or does not respond. If you add a
domain name for the XTM device to ping and any one of the external interfaces has a static IP
address, you must configure a DNS server, as described in Add WINS and DNS Server
Addresses on page 147.
4. To configure the frequency you want the XTM device to use to check the status of the interface,
type or select a Probe after setting.
The default setting is 15 seconds.
5. To change the number of consecutive probe failures that must occur before failover, type or
select a Deactivate after setting.
The default setting is three (3). After the selected number of failures, the XTM device starts to send
traffic through the next specified interface in the multi-WAN failover list.
6. To change the number of consecutive successful probes through an interface before an
interface that was inactive becomes active again, type or select a Reactivate after setting.
7. Repeat these steps for each external interface.
8. Click Save.
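The Probe after, Deactivate after and Reactivate after settings together form a small hysteresis state machine: an interface is deactivated only after an unbroken run of failed probes and reactivated only after an unbroken run of successful ones. The following Python is an added example written for this page, not WatchGuard code or any part of Fireware. It models those three settings and the Both ping and TCP must be successful check box with constructed probe results. One assumption is labelled in the code: when both methods are configured but the check box is clear, one successful method is treated as enough.

```python
"""Link-monitor state machine for a multi-WAN external interface.

Added example, not WatchGuard code: it models the three settings from the
procedure above (Probe after, Deactivate after, Reactivate after) and the
"Both ping and TCP must be successful" check box, with probe results fed
in as booleans so it runs offline.  Assumption: when both methods are
configured and the check box is clear, one successful method is enough.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class LinkMonitor:
    name: str
    probe_after: int = 15        # seconds between probes (default 15)
    deactivate_after: int = 3    # consecutive failures before failover (default 3)
    reactivate_after: int = 3    # consecutive successes before the link is active again
    require_both: bool = False   # "Both ping and TCP must be successful"
    active: bool = True
    failures: int = 0
    successes: int = 0
    events: List[str] = field(default_factory=list)

    def probe(self, ping_ok: Optional[bool] = None,
              tcp_ok: Optional[bool] = None) -> bool:
        """Record one probe cycle and return the interface state after it.

        None means that method is not configured; at least one must be.
        """
        results = [r for r in (ping_ok, tcp_ok) if r is not None]
        if not results:
            raise ValueError("configure at least one link monitor method")
        ok = all(results) if self.require_both else any(results)  # any(): assumption

        if ok:
            self.successes += 1
            self.failures = 0          # the failure run must be consecutive
            if not self.active and self.successes >= self.reactivate_after:
                self.active = True
                self.events.append(f"{self.name}: reactivated")
        else:
            self.failures += 1
            self.successes = 0         # likewise for the success run
            if self.active and self.failures >= self.deactivate_after:
                self.active = False
                self.events.append(f"{self.name}: deactivated (failover)")
        return self.active

    def failover_delay(self) -> int:
        """Seconds of failed probing before failover with these settings.

        With the defaults this is 3 x 15 = 45 s, inside the 40-60 s range
        the guide quotes for a link monitor host that stops responding.
        """
        return self.probe_after * self.deactivate_after


def run(monitor: LinkMonitor, probes: List[tuple]) -> List[bool]:
    """Feed (ping_ok, tcp_ok) pairs in order; return the state after each."""
    return [monitor.probe(p, t) for p, t in probes]


if __name__ == "__main__":
    eth0 = LinkMonitor("eth0")
    # Constructed probe history: three misses, then the host comes back.
    print(run(eth0, [(False, None)] * 3 + [(True, None)] * 3))
    print(eth0.events, eth0.failover_delay())
```

The counters reset each other, so an interface that alternates between one miss and one hit never fails over; if you see flapping in the logs, raise Deactivate after rather than lengthening the probe interval, which only slows detection of a real outage.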
8 Network Address Translation (NAT)
About Network Address Translation
Network Address Translation (NAT) is a term used to describe any of several forms of IP address and
port translation. At its most basic level, NAT changes the IP address of a packet from one value to a
different value.
The primary purposes of NAT are to increase the number of computers that can operate off a single
publicly routable IP address, and to hide the private IP addresses of hosts on your LAN. When you use
NAT, the source IP address is changed on all the packets you send.
You can apply NAT as a general firewall setting, or as a setting in a policy. Firewall NAT settings do
not apply to BOVPN policies.
If you have Fireware XTM with a Pro upgrade, you can configure server load balancing as part of an
SNAT rule. The server load balancing feature is designed to help you increase the scalability and
performance of a high-traffic network with multiple public servers protected by your XTM device. With
server load balancing, you can have the XTM device control the number of sessions initiated to
multiple servers for each firewall policy you configure. The XTM device controls the load based on the
number of sessions in use on each server. The XTM device does not measure or compare the
bandwidth that is used by each server.
For more information on server load balancing, see Configure Server Load Balancing on page 237.
Types of NAT
The XTM device supports three different types of NAT. Your configuration can use more than one type
of NAT at the same time. You apply some types of NAT to all firewall traffic, and other types as a
setting in a policy.
Dynamic NAT
Dynamic NAT is also known as IP masquerading. The XTM device can apply its public IP
address to the outgoing packets for all connections or for specified services. This hides the real
IP address of the computer that is the source of the packet from the external network. Dynamic
NAT is generally used to hide the IP addresses of internal hosts when they get access to public
services.
For more information, see About Dynamic NAT on page 212.
Static NAT
Static NAT, also known as port forwarding, is a port-to-host NAT. A host on the external network sends a packet to a port on an external interface, and static NAT changes the destination IP address to an IP address and port behind the firewall. You configure static NAT in an SNAT action and then use that action when you configure policies.
For more information, see Configure Static NAT on page 233.
1-to-1 NAT
1-to-1 NAT creates a mapping between IP addresses on one network and IP addresses on a
different network. This type of NAT is often used to give external computers access to your
public, internal servers.
For more information, see About 1-to-1 NAT on page 222.
About Dynamic NAT
Dynamic NAT is the most frequently used type of NAT. It changes the source IP address of an
outgoing connection to the public IP address of the XTM device. Outside the XTM device, you see only
the external interface IP address of the XTM device on outgoing packets.
Many computers can connect to the Internet from one public IP address. Dynamic NAT also hides the IP addresses of hosts on your network from the external network. With dynamic NAT, all connections must start from behind the XTM device: the device creates a translation entry only when an internal host starts a connection, so an unsolicited connection from a malicious external host has no entry to map it to an internal computer. Note that the firewall policies, not dynamic NAT by itself, decide which inbound traffic is allowed; dynamic NAT does not replace a policy that blocks unwanted inbound connections.
In most networks, the recommended security policy is to apply NAT to all outgoing packets. With
Fireware XTM, dynamic NAT is enabled by default for traffic from all private IP addresses to the
external network. You can edit, delete, or add network dynamic NAT rules. For more information, see Add Network Dynamic NAT Rules.
By default, all policies use the network dynamic NAT rules configured for the device. You can override
the network dynamic NAT setting in your individual policies. For more information, see Configure
Policy-Based Dynamic NAT.
You can set the source IP address for traffic that matches a dynamic NAT rule or policy. For more
information, see About Dynamic NAT Source IP Addresses.
Add Network Dynamic NAT Rules
The default configuration of dynamic NAT enables dynamic NAT from all private IP addresses to the
external network. The default entries are:
• 192.168.0.0/16 – Any-External
• 172.16.0.0/12 – Any-External
• 10.0.0.0/8 – Any-External
These three network addresses are the private networks reserved by the Internet Engineering Task
Force (IETF) and usually are used for the IP addresses on LANs. To enable dynamic NAT for private
IP addresses other than these, you must add dynamic NAT rules for them. The XTM device applies the
dynamic NAT rules in the sequence that the entries appear in the Dynamic NAT list. We recommend
that you put the rules in a sequence that matches the volume of traffic the rules apply to.
By default, dynamic NAT rewrites the source IP address of packets to use the primary IP address of
the interface from which the packet is sent. When you add a dynamic NAT rule, you can optionally
specify a different source IP address to use for packets that match that rule.
1. Select Network > NAT.
The NAT settings page appears.
2. In the Dynamic NAT section, click Add.
The Dynamic NAT configuration page appears.
3. In the From section, click the Member Type drop-down list to select the type of address to use
to specify the source of the outgoing packets: Host IP, Network IP, Host Range, or Alias.
4. In the From section, below the Member Type drop-down list, type the host IP address,
network IP address, or host IP address range, or select an alias in the drop-down list.
You must type a network address in slash notation.
For more information about built-in XTM device aliases, see About Aliases on page 514.
5. In the To section, click the Member Type drop-down list to select the type of address to use to
specify the destination of the outgoing packets.
6. In the To section, below the Member Type drop-down list, type the host IP address, network
IP address, or host IP address range, or select an alias in the drop-down list.
7. Select the Set source IP check box if you want to specify a different source IP address to use
for this rule. Type the source IP address to use in the adjacent text box.
If you set the source IP address, the XTM device changes the source IP address for packets
that match this rule to the source IP address you specify. The source IP address must be on the
same subnet as the primary or secondary IP address of the interface you specified as the To
location in the dynamic NAT rule.
If you set the source IP address, and the To location in the network dynamic NAT rule specifies
an alias, such as Any-External, that includes more than one interface, the source IP address is
used only for traffic that leaves an interface that has an IP address on the same subnet as the
source IP address.
For more information, see About Dynamic NAT Source IP Addresses.
Delete a Dynamic NAT Rule
You cannot change an existing dynamic NAT rule. If you want to change an existing rule, you must
delete the rule and add a new one.
To delete a dynamic NAT rule:
1. Select the rule to delete.
2. Click Remove.
A warning message appears.
3. Click OK.
Reorder Dynamic NAT Rules
To change the sequence of the dynamic NAT rules:
1. Select the rule to change.
2. Click Up or Down to move it in the list.
Configure Policy-Based Dynamic NAT
In policy-based dynamic NAT, the XTM device maps private IP addresses to public IP addresses.
Dynamic NAT is enabled in the default configuration of each policy. You do not have to enable it unless
you previously disabled it.
For policy-based dynamic NAT to work correctly, use the Policy tab of the Edit Policy Properties
dialog box to make sure the policy is configured to allow traffic out through only one XTM device
interface.
1-to-1 NAT rules have higher precedence than dynamic NAT rules. Policy-based dynamic NAT has
higher precedence than network dynamic NAT.
To configure dynamic NAT settings in a policy:
1. Select Firewall > Firewall Policies.
The Firewall Policies list appears.
2. Select a policy.
3. From the Action drop-down list, select Edit Policy.
4. Click the Advanced tab.
5. Select the Dynamic NAT check box.
6. If you want to use the dynamic NAT rules set for the XTM device, select Use Network NAT
Settings.
This is the default setting.
7. If you want to apply dynamic NAT to all traffic in this policy, select All traffic in this policy.
If you select All traffic in this policy, the XTM device changes the source IP address for each
packet handled by this policy to the primary IP address of the interface from which the packet is
sent, or the source IP address configured in the network dynamic NAT settings. You can
optionally set a different dynamic NAT source IP address for traffic handled by this policy.
To set the source IP address in the policy:
1. Select the Set source IP check box.
2. In the adjacent text box, type the source IP address to use for traffic handled by this policy. This
source address must be on the same subnet as the primary or secondary IP address of the
interface you specified for outgoing traffic.
When you select a source IP address, any traffic that uses this policy shows the specified
address from your public or external IP address range as the source. This is most often used to
force outgoing SMTP traffic to show the MX record address for your domain when the IP
address on the XTM device external interface is not the same as your MX record IP address.
We recommend that you do not use the Set source IP option if you have more than one
external interface configured on your XTM device. If you use the Set source IP option in a
policy, do not enable policy-based routing with failover in the policy settings.
For more information about dynamic NAT source IP addressing options, see About Dynamic
NAT Source IP Addresses.
Disable Policy-Based Dynamic NAT
Dynamic NAT is enabled in the default configuration of each policy. To disable dynamic NAT for a
policy:
1. Select Firewall > Firewall Policies.
The Firewall Policies list appears.
2. Select a policy.
The Policies page appears.
3. From the Action drop-down list, select Edit Policy.
4. Click the Advanced tab.
5. To disable NAT for the traffic controlled by this policy, clear the Dynamic NAT check box.
About Dynamic NAT Source IP Addresses
In the default dynamic NAT configuration, the XTM device changes the source IP address for traffic
that goes out an external interface to the primary IP address of the external interface the traffic leaves.
You can optionally configure dynamic NAT to use a different source IP address. You can set the
dynamic NAT source IP address in a network NAT rule or in the NAT settings for a policy. When you
select a source IP address, dynamic NAT uses the specified source IP address for any traffic that
matches the dynamic NAT rule or policy.
Whether you specify the source IP address in a network dynamic NAT rule or in a policy, it is important
that the source IP address is on the same subnet as the primary or secondary IP address of the
interface from which the traffic is sent. It is also important to make sure that the traffic the rule applies
to goes out through only one interface.
If the dynamic NAT source IP address is not on the same subnet as the primary or
secondary IP address of the outgoing interface for that traffic, the XTM device does
not change the source IP address for each packet to the source IP address specified
in the dynamic NAT rule. Instead, it changes the source IP address to the primary IP
address of the interface from which the packet is sent.
Set the Dynamic NAT Source IP Address in a Network Dynamic NAT rule
If you have a WatchGuard XTM 21, 22, or 23 device, this feature is not available for
your device.
If you want to set the source IP address for traffic that matches a dynamic NAT rule, regardless of any
policies that apply to the traffic, add a network dynamic NAT rule that specifies the source IP address.
The source IP address you specify must be on the same subnet as the primary or secondary
IP address of the interface the traffic leaves.
If the To location in the network dynamic NAT rule specifies an alias, such as Any-External, that
includes more than one interface, the source IP address is used only for traffic that leaves an interface
that has an IP address on the same subnet as the source IP address.
For example, if:
• Your XTM device has two external interfaces, Eth0 (203.0.113.2) and Eth1 (192.0.2.2).
• You create a dynamic NAT rule for all traffic to Any-External.
• In the dynamic NAT rule, you set a source IP address of 203.0.113.80.
The result is:
• For traffic that leaves Eth0, the source IP address is the IP address in the dynamic NAT rule, 203.0.113.80.
• For traffic that leaves Eth1, the source IP address is the Eth1 interface IP address, 192.0.2.2.
For more information, see Add Network Dynamic NAT Rules.
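To make the first-match order of the rule list and the source IP fallback concrete, here is an added Python example that is not Fireware code. It evaluates an ordered dynamic NAT rule list for a packet leaving a given interface and applies the rule's Set source IP only when that address is in the subnet of the egress interface's primary or a secondary IP address. The interface names eth0 and eth1, the membership of Any-External, the /25 split and the constructed secondary address 192.0.2.130/25 on eth1, and the destination 198.51.100.9 are assumptions; the rule 10.0.0.0/8 with source 203.0.113.80 and the two external addresses are the ones from the example above.

```python
"""First-match lookup of network dynamic NAT rules with a Set source IP.

Added example, not Fireware code.  The rule list is walked in order and the
first match wins.  A rule's source IP is used only when it lies in the
subnet of the primary or a secondary IP address of the interface the
packet leaves; otherwise the packet gets that interface's primary IP, as
the note above states.  The interface names, the Any-External membership,
the /25 addressing on eth1 and the destination 198.51.100.9 are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_interface, ip_network
from typing import List, Optional


@dataclass
class Interface:
    name: str
    primary: str                          # "address/prefix"
    secondaries: List[str] = field(default_factory=list)

    def primary_ip(self) -> str:
        return str(ip_interface(self.primary).ip)

    def has_subnet_of(self, addr: str) -> bool:
        """True if addr is inside the primary or any secondary subnet."""
        return any(ip_address(addr) in ip_interface(a).network
                   for a in [self.primary, *self.secondaries])


@dataclass
class DynamicNatRule:
    src: str                          # From: host/network in slash notation
    dst: str                          # To: network in slash notation or an alias
    source_ip: Optional[str] = None   # optional Set source IP


# Constructed alias membership; Any-External covers both external interfaces.
ALIASES = {"Any-External": {"eth0", "eth1"}}

# The three default entries from the guide, in their default order.
DEFAULT_RULES = [DynamicNatRule(n, "Any-External")
                 for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]


def matches(rule: DynamicNatRule, src_ip: str, dst_ip: str,
            egress: Interface) -> bool:
    if ip_address(src_ip) not in ip_network(rule.src, strict=False):
        return False
    if rule.dst in ALIASES:                 # alias: match on egress interface
        return egress.name in ALIASES[rule.dst]
    return ip_address(dst_ip) in ip_network(rule.dst, strict=False)


def translated_source(rules: List[DynamicNatRule], src_ip: str,
                      dst_ip: str, egress: Interface) -> Optional[str]:
    """Source IP the packet leaves with, or None when no rule applies."""
    for rule in rules:                      # ordered list, first match wins
        if not matches(rule, src_ip, dst_ip, egress):
            continue
        if rule.source_ip and egress.has_subnet_of(rule.source_ip):
            return rule.source_ip
        return egress.primary_ip()          # fallback described in the note
    return None                             # no dynamic NAT for this source


ETH0 = Interface("eth0", "203.0.113.2/24")
ETH1 = Interface("eth1", "192.0.2.2/25", ["192.0.2.130/25"])   # constructed
# The guide's example rule, placed ahead of the defaults so it is tried first.
RULES = [DynamicNatRule("10.0.0.0/8", "Any-External", "203.0.113.80")] + DEFAULT_RULES

if __name__ == "__main__":
    for egress in (ETH0, ETH1):
        print(egress.name, translated_source(RULES, "10.0.1.20", "198.51.100.9", egress))
```

A source outside the three default private ranges (for example 100.64.0.5) returns None: no rule matches, which is exactly the case where you must add a dynamic NAT rule of your own.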
Set the Dynamic NAT Source IP Address in a Policy
If you want to set the source IP address for traffic handled by a specific policy, configure the source IP
address in the network settings of the policy. The source IP address you specify must be on the same
subnet as the primary or secondary IP address of the interface you specified for outgoing traffic in the
policy.
We recommend that you do not use the Set source IP option in a policy if you have more than one
external interface configured on your XTM device. If you use the Set source IP option in a policy, do
not enable policy-based routing with failover in the policy settings.
For more information, see Configure Policy-Based Dynamic NAT.
About 1-to-1 NAT
When you enable 1-to-1 NAT, your XTM device changes the routes for all incoming and outgoing
packets sent from one range of addresses to a different range of addresses. A 1-to-1 NAT rule always
has precedence over dynamic NAT.
1-to-1 NAT is frequently used when you have a group of internal servers with private IP addresses that
must be made public. You can use 1-to-1 NAT to map public IP addresses to the internal servers. You
do not have to change the IP address of your internal servers. When you have a group of similar
servers (for example, a group of email servers), 1-to-1 NAT is easier to configure than static NAT for
the same group of servers.
To understand how to configure 1-to-1 NAT, we give this example:
Company ABC has a group of five privately addressed email servers behind the trusted interface of
their XTM device. These addresses are:
10.0.1.1
10.0.1.2
10.0.1.3
10.0.1.4
10.0.1.5
Company ABC selects five public IP addresses from the same network address as the external
interface of their XTM device, and creates DNS records for the email servers to resolve to.
These addresses are:
203.0.113.1
203.0.113.2
203.0.113.3
203.0.113.4
203.0.113.5
Company ABC configures a 1-to-1 NAT rule for their email servers. The 1-to-1 NAT rule builds a static,
bi-directional relationship between the corresponding pairs of IP addresses. The relationship looks like
this:
10.0.1.1 <--> 203.0.113.1
10.0.1.2 <--> 203.0.113.2
10.0.1.3 <--> 203.0.113.3
10.0.1.4 <--> 203.0.113.4
10.0.1.5 <--> 203.0.113.5
When the 1-to-1 NAT rule is applied, your XTM device creates the bi-directional routing and NAT
relationship between the pool of private IP addresses and the pool of public addresses. 1-to-1 NAT also
operates on traffic sent from networks that your XTM device protects.
About 1-to-1 NAT and VPNs
When you create a VPN tunnel, the networks at each end of the VPN tunnel must have different
network address ranges. You can use 1-to-1 NAT when you must create a VPN tunnel between two
networks that use the same private network address. If the network range on the remote network is the
same as on the local network, you can configure the VPN to use 1-to-1 NAT.
• For a BOVPN virtual interface, you configure 1-to-1 NAT the same way as you would for any other interface. You can select the BOVPN virtual interface name as the interface for 1-to-1 NAT.
• For a branch office VPN tunnel that is not a BOVPN virtual interface, you must configure 1-to-1 NAT in the branch office VPN gateway and tunnel settings. For more information, see Use 1-to-1 NAT Through a Branch Office VPN Tunnel on page 903.
Configure Firewall 1-to-1 NAT
To configure 1-to-1 NAT for any interface:
1. Select Network > NAT.
The NAT settings page appears.
2. In the 1-to-1 NAT section, click Add.
The 1-to-1 NAT configuration page appears.
3. In the Map Type drop-down list, select Single IP (to map one host), IP range (to map a range
of hosts), or IP subnet (to map a subnet).
If you select IP range or IP subnet, do not specify a subnet or range that includes more than 256 IP addresses. If you want to apply 1-to-1 NAT to more than 256 IP addresses, you must create more than one rule.
4. Configure the settings in the Configuration section.
For more information, see the subsequent Define a 1-to-1 NAT rule section.
5. Click Save.
6. Add the NAT IP addresses to the appropriate policies.
• For a policy that manages outgoing traffic, add the Real Base IP addresses to the From section of the policy configuration.
• For a policy that manages incoming traffic, add the NAT Base IP addresses to the To section of the policy configuration.
In the previous example, where we used 1-to-1 NAT to give access to a group of email servers described in About 1-to-1 NAT on page 222, we must configure the SMTP policy to allow SMTP traffic. To complete this configuration, you must change the policy settings to allow traffic from the external network to the IP address range 10.0.1.1–10.0.1.5.
1. Add a new policy, or modify an existing policy.
2. Adjacent to the From list, click Add.
3. Select the alias Any-External and click OK.
4. Adjacent to the To list, click Add.
5. To add one IP address at a time, select Host IP from the drop-down list and type the IP address in the adjacent text box. Click OK.
6. Repeat Steps 4–5 for each IP address in the NAT address range.
To add several IP addresses at once, select Host Range in the drop-down list. Type the first and last IP addresses from the NAT Base range and click OK.
To connect to a computer located on a different interface that uses 1-to-1 NAT, you
must use that computer’s public (NAT base) IP address. If this is a problem, you can
disable 1-to-1 NAT and use static NAT.
Define a 1-to-1 NAT Rule
In each 1-to-1 NAT rule, you can configure a host, a range of hosts, or a subnet. You must also
configure:
Interface
The name of the Ethernet interface on which 1-to-1 NAT is applied. Your XTM device applies 1-to-1 NAT for packets sent in to, and out of, the interface. In our example above, the rule is applied to the external interface.
NAT base
When you configure a 1-to-1 NAT rule, you configure the rule with a from and a to range of IP addresses. The NAT base is the first available IP address in the to range of addresses. The NAT base IP address is the address that the real base IP address changes to when the 1-to-1 NAT is applied. You cannot use the IP address of an existing Ethernet interface as your NAT base. In our example above, the NAT base is 203.0.113.1.
Real base
When you configure a 1-to-1 NAT rule, you configure the rule with a from and a to range of IP addresses. The Real base is the first available IP address in the from range of addresses. It is the IP address assigned to the physical Ethernet interface of the computer to which you will apply the 1-to-1 NAT policy. When packets from a computer with a real base address go through the specified interface, the 1-to-1 action is applied. In the example above, the Real base is 10.0.1.1.
Number of hosts to NAT (for ranges only)
The number of IP addresses in a range to which the 1-to-1 NAT rule applies. The first real base
IP address is translated to the first NAT Base IP address when 1-to-1 NAT is applied. The
second real base IP address in the range is translated to the second NAT base IP address when
1-to-1 NAT is applied. This is repeated until the Number of hosts to NAT is reached. In the
example above, the number of hosts to apply NAT to is 5.
For an example of how to use 1-to-1 NAT, see 1-to-1 NAT Example.
1-to-1 NAT Through a Branch Office VPN
You can also use 1-to-1 NAT when you must create a VPN tunnel between two networks that use the
same private network address. When you create a VPN tunnel, the networks at each end of the VPN
tunnel must have different network address ranges. If the network range on the remote network is the
same as on the local network, you must use 1-to-1 NAT. For a BOVPN virtual interface, you can select
the BOVPN virtual interface name in the 1-to-1 NAT configuration, and add a 1-to-1 NAT rule as
described in the previous section.
For a branch office VPN that is not a BOVPN virtual interface, you can configure 1-to-1 NAT in the
branch office VPN gateway and tunnel settings. To do this, you configure both gateways to use 1-to-1
NAT. Then, you can create the VPN tunnel and not change the IP addresses of one side of the tunnel.
You configure 1-to-1 NAT for a VPN tunnel when you configure the VPN tunnel and not in the Network
> NAT dialog box. For an example of this type of configuration, see Use 1-to-1 NAT Through a Branch
Office VPN Tunnel.
Configure Policy-Based 1-to-1 NAT
In policy-based 1-to-1 NAT, your XTM device uses the private and public IP ranges that you set when
you configured global 1-to-1 NAT, but the rules are applied to an individual policy. 1-to-1 NAT is
enabled in the default configuration of each policy. If traffic matches both 1-to-1 NAT and dynamic NAT
policies, 1-to-1 NAT takes precedence.
Enable Policy-Based 1-to-1 NAT
Because policy-based 1-to-1 NAT is enabled by default, you do not need to do anything else to enable it. If you have previously disabled policy-based 1-to-1 NAT, select the check box in Step 5 of the subsequent procedure to enable it again.
Disable Policy-Based 1-to-1 NAT
1. Select Firewall > Firewall Policies.
The Firewall Policies list appears.
2. Select a policy.
3. From the Action drop-down list, select Edit Policy.
4. Click the Advanced tab.
5. Clear the 1-to-1 NAT check box to disable NAT for the traffic controlled by this policy.
6. Click Save.
Configure NAT Loopback with Static NAT
Fireware XTM includes support for NAT loopback. NAT loopback allows a user on the trusted or
optional networks to get access to a public server that is on the same physical XTM device interface
by its public IP address or domain name. For NAT loopback connections, the XTM device changes the
source IP address to the IP address of the internal XTM device interface (the primary IP address for the
interface where the client and server both connect to the XTM device).
To understand how to configure NAT loopback when you use static NAT, we give this example:
Company ABC has an HTTP server on the XTM device trusted interface. The company uses static
NAT to map the public IP address to the internal server. The company wants to allow users on the
trusted network to use the public IP address or domain name to get access to this public server.
For this example, we assume:
• The trusted interface is configured with an IP address on the 10.0.1.0/24 network.
• The HTTP server is physically connected to the trusted 10.0.1.0/24 network.
Add a Policy for NAT Loopback to the Server
In this example, to allow users on your trusted and optional networks to use the public IP address or domain name to access a public server that is on the trusted network, you must create an SNAT action and add it to an HTTP policy. In that policy, the From section contains the internal networks that need loopback access (for example, the aliases Any-Trusted and Any-Optional), and the To section contains an SNAT action that defines a static NAT route from the public IP address of the HTTP server to the real IP address of that server.
For more information about static NAT, see Configure Static NAT on page 233.
If you use 1-to-1 NAT to route traffic to servers inside your network, see NAT Loopback and 1-to-1
NAT on page 230.
NAT Loopback and 1-to-1 NAT
NAT loopback allows a user on the trusted or optional networks to connect to a public server with its
public IP address or domain name if the server is on the same physical XTM device interface. If you
use 1-to-1 NAT to route traffic to servers on the internal network, use these instructions to configure
NAT loopback from internal users to those servers. If you do not use 1-to-1 NAT, see Configure NAT
Loopback with Static NAT on page 228.
To help you understand how to configure NAT loopback when you use 1-to-1 NAT, we give this
example:
Company ABC has an HTTP server on the XTM device trusted interface. The company uses a 1-to-1
NAT rule to map the public IP address to the internal server. The company wants to allow users on the
trusted interface to use the public IP address or domain name to access this public server.
For this example, we assume:
• A server with public IP address 203.0.113.5 is mapped with a 1-to-1 NAT rule to a host on the internal network. In the 1-to-1 NAT section of the NAT configuration page, select these options:
Interface — External, NAT Base — 203.0.113.5, Real Base — 10.0.1.5
• The trusted interface is configured with a primary network, 10.0.1.0/24.
• The HTTP server is physically connected to the network on the trusted interface. The Real Base address of that host is on the trusted interface.
• The trusted interface is also configured with a secondary network, 192.168.2.0/24.
For this example, to enable NAT loopback for all users connected to the trusted interface, you must:
1. Make sure that there is a 1-to-1 NAT entry for each interface that traffic uses when internal
computers get access to the public IP address 203.0.113.5 with a NAT loopback connection.
You must add one more 1-to-1 NAT mapping to apply to traffic that starts from the trusted interface. The new 1-to-1 mapping is the same as the previous one, except that the Interface is set to Trusted instead of External.
After you add the second 1-to-1 NAT entry, the 1-to-1 NAT section on the NAT page shows two
1-to-1 NAT mappings: one for External and one for Trusted.
Interface — External, NAT Base — 203.0.113.5, Real Base — 10.0.1.5
Interface — Trusted, NAT Base — 203.0.113.5, Real Base — 10.0.1.5
2. Add a Dynamic NAT entry for every network on the interface that the server is connected to.
The From field for the Dynamic NAT entry is the network IP address of the network from which
computers get access to the 1-to-1 NAT IP address with NAT loopback.
The To field for the Dynamic NAT entry is the NAT base address in the 1-to-1 NAT mapping.
For this example, the trusted interface has two networks defined, and we want to allow users on
both networks to get access to the HTTP server with the public IP address or host name of the
server. We must add two Dynamic NAT entries.
In the Dynamic NAT section of the NAT configuration page, add:
10.0.1.0/24 - 203.0.113.5
192.168.2.0/24 - 203.0.113.5
3. Add a policy to allow users on your trusted network to use the public IP address or domain name to get access to the public server on the trusted network. For this example:
From: Any-Trusted
To: 203.0.113.5
The public IP address that users want to connect to is 203.0.113.5. This IP address is
configured as a secondary IP address on the external interface.
For more information about configuring static NAT, see Configure Static NAT on page 233.
For more information about how to configure 1-to-1 NAT, see Configure Firewall 1-to-1 NAT on page
223.
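The two configurations above, the five-server 1-to-1 rule from About 1-to-1 NAT and the loopback pair of 1-to-1 rules plus dynamic NAT entries from this section, can be walked through with the following added Python example. It is not Fireware code. It models a 1-to-1 NAT rule as Interface, NAT base, Real base and Number of hosts, enforces the 256-address limit from Configure Firewall 1-to-1 NAT, translates in both directions, and then follows a loopback connection through the Trusted rule and the matching dynamic NAT entry. The trusted client addresses 10.0.1.50 and 192.168.2.8, the trusted interface IP 10.0.1.254 and the external peer 198.51.100.7 are constructed, and the reason given for rewriting the loopback source is the editor's explanation, not text from the guide.

```python
"""1-to-1 NAT rules and the NAT loopback configuration from the example.

Added example, not Fireware code.  A rule maps host i of the real range to
host i of the NAT range in both directions on one interface and is limited
to 256 hosts.  inbound() handles packets arriving on the rule's interface
(destination NAT base -> Real base); outbound() handles packets leaving
through it (source Real base -> NAT base).  Addresses come from the two
examples above; the trusted client 10.0.1.50 and the trusted interface IP
10.0.1.254 are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

MAX_HOSTS_PER_RULE = 256      # larger ranges must be split into several rules


@dataclass(frozen=True)
class OneToOneRule:
    interface: str
    nat_base: str
    real_base: str
    hosts: int = 1            # Number of hosts to NAT

    def __post_init__(self):
        if not 1 <= self.hosts <= MAX_HOSTS_PER_RULE:
            raise ValueError("a 1-to-1 NAT rule covers at most 256 addresses")

    def _shift(self, addr: str, base_from: str, base_to: str) -> Optional[str]:
        offset = int(ip_address(addr)) - int(ip_address(base_from))
        if 0 <= offset < self.hosts:
            return str(ip_address(int(ip_address(base_to)) + offset))
        return None

    def to_real(self, public_ip: str) -> Optional[str]:
        return self._shift(public_ip, self.nat_base, self.real_base)

    def to_public(self, real_ip: str) -> Optional[str]:
        return self._shift(real_ip, self.real_base, self.nat_base)


def inbound(rules: List[OneToOneRule], iface: str, src: str, dst: str) -> Tuple[str, str]:
    """Packet arriving on iface: rewrite its destination if a rule matches."""
    for r in rules:
        real = r.to_real(dst) if r.interface == iface else None
        if real:
            return src, real
    return src, dst


def outbound(rules: List[OneToOneRule], iface: str, src: str, dst: str) -> Tuple[str, str]:
    """Packet leaving through iface: rewrite its source if a rule matches.

    A hit here takes precedence over dynamic NAT, which is then skipped.
    """
    for r in rules:
        public = r.to_public(src) if r.interface == iface else None
        if public:
            return public, dst
    return src, dst


def loopback(rules: List[OneToOneRule], dnat: List[Tuple[str, str]],
             client: str, public_ip: str, trusted_ip: str) -> Tuple[str, str]:
    """Trusted client to the server's public IP, per the loopback steps.

    Step 1: the 1-to-1 rule on the Trusted interface maps the destination.
    Step 2: the dynamic NAT entry From <client network> To <NAT base>
    rewrites the source to the trusted interface IP.  The guide states the
    rewrite; the reason (editor's explanation) is that the server's reply
    then returns through the XTM device instead of going straight to the
    client, which never sent a packet to the server's real address.
    """
    src, dst = inbound(rules, "Trusted", client, public_ip)
    if dst == public_ip:
        return src, dst                    # no Trusted rule: loopback fails
    for net, to in dnat:
        if to == public_ip and ip_address(client) in ip_network(net):
            src = trusted_ip
            break
    return src, dst


# The email-server example: five hosts, External interface.
MAIL = [OneToOneRule("External", "203.0.113.1", "10.0.1.1", hosts=5)]
# The loopback example: the same mapping on External and on Trusted.
WEB = [OneToOneRule("External", "203.0.113.5", "10.0.1.5"),
       OneToOneRule("Trusted", "203.0.113.5", "10.0.1.5")]
WEB_DNAT = [("10.0.1.0/24", "203.0.113.5"), ("192.168.2.0/24", "203.0.113.5")]

if __name__ == "__main__":
    print(inbound(MAIL, "External", "198.51.100.7", "203.0.113.3"))
    print(outbound(MAIL, "External", "10.0.1.3", "198.51.100.7"))
    print(loopback(WEB, WEB_DNAT, "10.0.1.50", "203.0.113.5", "10.0.1.254"))
```

Running loopback() with only the External rule (WEB[:1]) leaves the destination at 203.0.113.5, which is the symptom you see when step 1 of the procedure is skipped: the client's packet goes out the external interface instead of to the server.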
About SNAT
An SNAT action is a user-defined action that includes static NAT or server load balancing members
which can be referenced by a policy. An SNAT action is a NAT mapping which replaces the original
destination IP address (and optionally, port) with a new destination. For a server load balancing SNAT
action, the original destination is mapped to multiple server IP addresses, which the XTM device can
load balance between.
You can create SNAT actions and apply them to one or more policies in your configuration. To
reference an SNAT object in a policy, you add it to the To (destination) list in the policy. If you add a
server load balancing SNAT action to a policy, it must be the only destination in the policy.
For more information about static NAT and server load balancing, see Configure Static NAT and
Configure Server Load Balancing.
Configure Static NAT
Static NAT, also known as port forwarding, is a port-to-host NAT. With static NAT, when a host sends
a packet from the external network to a port on an external interface, static NAT changes the
destination IP address to an IP address and port behind the firewall. If a software application uses
more than one port and the ports are selected dynamically, you must either use 1-to-1 NAT, or check
whether a proxy on your XTM device manages this kind of traffic. Static NAT also operates on traffic
sent from networks that your XTM device protects.
When you use static NAT, you use an external IP address from your XTM device instead of the IP
address from a public server. You could do this because you choose to, or because your public server
does not have a public IP address. For example, you can put your SMTP email server behind your XTM
device with a private IP address and configure static NAT in your SMTP policy. Your XTM device then
receives connections on port 25 and makes sure that any SMTP traffic is sent to the real SMTP server
behind the XTM device.
Add a Static NAT Action
Before you can configure a policy to use static NAT, you must define the static NAT action. After you
add a static NAT action, you can use it in one or more policies.
When you add a static NAT action, you can choose to specify a source IP address in the action. Then,
when traffic that matches the parameters in your static NAT action passes through your XTM device,
the source IP address is changed to the IP address that you specify. You can specify a different
source IP address for each SNAT member.
You can also enable port address translation (PAT) in a static NAT action. When you enable PAT, you
can change the packet destination to specify a different internal host and a different port.
To add a static NAT action:
1. Select Firewall > SNAT.
The SNAT page appears.
2. Click Add.
The Add SNAT page appears.
3. In the Name text box, type a name for this SNAT action.
4. (Optional) In the Description text box, type a description for this SNAT action.
5. Select Static NAT.
This is the default selection.
6. Click Add.
The Add Member dialog box appears.
7. From the External IP Address drop-down list, select the external IP address or alias to use in
this action.
For example, to you use static NAT for packets received on only one external IP address,
select that external IP address or alias. Or, to use static NAT for packets received on any
external IP address, select the Any-External alias.
8. To specify the source IP address for this static NAT action, select the Set source IP check
box. In the adjacent text box, type the source IP address.
9. In the Internal IP Address text box, type the destination on the trusted or optional network.
10. To enable port address translation (PAT), select the Set internal port to a different port
check box. In the adjacent text box, type or select the port number.
If you use a static NAT SNAT action in a policy that allows traffic that does not have
ports (traffic other than TCP or UDP), the internal port setting is not used for that
traffic.
11. Click OK.
The static NAT route appears in the SNAT Members list.
12. To add another member to this action, click Add and repeat Steps 7–11.
13. Click Save.
The new SNAT action appears in the SNAT page.
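As an added example (not WatchGuard code), the following Python model shows the semantics of the static NAT member fields described above: a match on an external IP address or alias, the destination rewrite, the optional internal port rewrite that applies only to TCP and UDP, and the optional source IP rewrite. The external addresses, the Any-External alias membership, the internal server 10.0.1.25, the port 2525, the source address 10.0.1.1 and the sample packets are all constructed for the example.

```python
"""Model of a Fireware-style static NAT (SNAT) action.

Added example, not WatchGuard code. It models the member fields the
Add Member dialog exposes (External IP Address or alias, Internal IP
Address, the optional "Set internal port" PAT setting, and the optional
"Set source IP" setting) and shows how a matching inbound packet is
rewritten. The interface addresses, the alias table and the sample
packets are constructed for the example.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set

# Constructed topology: the primary and one secondary address on the
# external interface. "Any-External" is the alias for all of them.
EXTERNAL_ADDRESSES: Set[str] = {"203.0.113.5", "203.0.113.6"}
ALIASES: Dict[str, Set[str]] = {"Any-External": EXTERNAL_ADDRESSES}


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp", "icmp", ...
    src_ip: str
    dst_ip: str
    dst_port: Optional[int] = None  # None for protocols without ports


@dataclass(frozen=True)
class StaticNatMember:
    external: str                         # external IP, or an alias such as Any-External
    internal_ip: str                      # destination on the trusted or optional network
    internal_port: Optional[int] = None   # PAT: set internal port to a different port
    source_ip: Optional[str] = None       # optional source IP rewrite

    def matches(self, pkt: Packet) -> bool:
        targets = ALIASES.get(self.external, {self.external})
        return pkt.dst_ip in targets

    def apply(self, pkt: Packet) -> Packet:
        new = replace(pkt, dst_ip=self.internal_ip)
        # The internal port setting is used only for traffic that has ports.
        if self.internal_port is not None and pkt.proto in ("tcp", "udp"):
            new = replace(new, dst_port=self.internal_port)
        if self.source_ip is not None:
            new = replace(new, src_ip=self.source_ip)
        return new


@dataclass
class SnatAction:
    name: str
    members: List[StaticNatMember]

    def translate(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite pkt with the first matching member; None if no member matches."""
        for member in self.members:
            if member.matches(pkt):
                return member.apply(pkt)
        return None


def smtp_action() -> SnatAction:
    """The SMTP example from the text: the device accepts port 25 on any
    external address and forwards it to the real mail server, here on a
    different internal port (PAT) and with the source rewritten to the
    device's trusted address (both constructed values)."""
    return SnatAction("SMTP-SNAT", [
        StaticNatMember("Any-External", "10.0.1.25",
                        internal_port=2525, source_ip="10.0.1.1"),
    ])


def demo() -> Dict[str, Optional[Packet]]:
    action = smtp_action()
    return {
        # TCP/25 to the secondary external address: dst, port and src all rewritten
        "tcp": action.translate(Packet("tcp", "198.51.100.7", "203.0.113.6", 25)),
        # ICMP has no port: the internal port setting is ignored for it
        "icmp": action.translate(Packet("icmp", "198.51.100.7", "203.0.113.5")),
        # Traffic to an address that is not part of Any-External is left alone
        "miss": action.translate(Packet("tcp", "198.51.100.7", "192.0.2.1", 25)),
    }


if __name__ == "__main__":
    for label, pkt in demo().items():
        print(label, pkt)
```

Setting a source IP has an operational cost worth weighing: the internal server no longer sees the real client address, so its own logs cannot attribute connections to clients, and you must rely on the XTM device's traffic log for that.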
Add a Static NAT Action to a Policy
After you create a static NAT action, you can add it to one or more policies.
1. Select Firewall > Firewall Policies.
2. Click the name of a policy to edit it.
3. From the Connections are drop-down list, select Allowed.
To use static NAT, the policy must allow incoming traffic.
4. In the To section, click Add.
The Add Member dialog box appears.
5. From the Member Type drop-down list, select Static NAT.
A list of the configured Static NAT Actions appears.
6. Select the static NAT action to add to this policy. Click OK.
The static NAT route appears in the To section of the policy configuration.
7. Click Save.
Edit or Remove a Static NAT Action
To edit an SNAT action:
1. Select Firewall > SNAT.
The SNAT page appears.
2. Select an SNAT action.
3. Click Edit.
The Edit SNAT page appears.
4. Modify the SNAT action.
When you edit an SNAT action, any changes you make apply to all policies that use that SNAT
action.
5. Click Save.
To remove an SNAT action:
1. Select Firewall > SNAT.
The SNAT page appears.
2. Select an SNAT action.
3. Click Remove.
A confirmation dialog box appears. You cannot remove an SNAT action that is used by a policy; remove it from those policies first.
4. Click OK to confirm that you want to remove the SNAT action.
Change Static NAT Global Settings
By default, the XTM device does not clear active connections when you modify a static NAT action.
You can change the global SNAT setting so that the XTM device clears active connections that use an
SNAT action you modify.
To change the global SNAT setting:
1. Select System > Global Settings.
2. Select the Networking tab.
3. In the Traffic Flow section, select the When an SNAT action changes, clear active
connections that use that SNAT action check box.
4. Click Save.
Configure Server Load Balancing
Server load balancing requires Fireware XTM with a Pro upgrade, and is not
supported on XTM 2 Series and 3 Series devices.
The server load balancing feature in Fireware XTM is designed to help you increase the scalability and
performance of a high-traffic network with multiple public servers. With server load balancing, you can
enable the XTM device to control the number of sessions initiated to as many as 10 servers for each
firewall policy you configure. The XTM device controls the load based on the number of sessions in use
on each server. The XTM device does not measure or compare the bandwidth that is used by each
server.
You configure server load balancing as an SNAT action. The XTM device can balance connections
among your servers with two different algorithms. When you configure server load balancing, you must
choose the algorithm for the XTM device to apply.
Round-robin
If you select this option, the XTM device distributes incoming sessions among the servers you
specify in the policy in round-robin order. The first connection is sent to the first server specified
in your policy. The next connection is sent to the next server in your policy, and so on.
Least Connection
If you select this option, the XTM device sends each new session to the server in the list that
currently has the lowest number of open connections to the device. The XTM device cannot tell
how many connections the server has open on other interfaces.
You can add multiple servers to a server load balancing action (up to the limit of 10 servers per policy described above). You can also add a weight to each server to make sure that your most powerful servers are given the heaviest load. The weight is the proportion of load that the XTM device sends to a server. By default, each server has a weight of 1. If you assign a weight of 2 to a server, the XTM device sends twice as many sessions to that server as to a server with a weight of 1.
You can optionally configure a source IP address in a server load balancing action. If you do not configure a source IP address, the XTM device does not modify the source IP address of traffic sent to these servers: the traffic arrives from the XTM device, but each server in the server load balancing configuration sees the original source IP address of the client. If you do set a source IP address, the servers see and log the address you specify instead of the client address, so keep the connection logs on the XTM device if you need to trace sessions back to a client.
When you configure server load balancing, it is important to know:
- You can configure server load balancing for any policy to which you can apply static NAT.
- If you apply server load balancing to a policy, you cannot set policy-based routing or other NAT rules in the same policy.
- If you use server load balancing in an active/passive FireCluster configuration, real-time synchronization does not occur between the cluster members when a failover event occurs. When the passive backup master becomes the active cluster master, it sends connections to all servers in the server load balancing list to see which servers are available. It then applies the server load balancing algorithm to all available servers.
- If you use server load balancing for connections to a group of RDP servers, you must configure the firewall on each RDP server to allow ICMP requests from the XTM device.
Add a Server Load Balancing SNAT Action
Before you can configure a policy to use server load balancing, you must define the server load
balancing details in an SNAT action. After you define a server load balancing SNAT action, you can
use it in one or more policies.
When you add a server load balancing SNAT action, you can choose to specify a source IP address in
the action. Then, when traffic that matches the parameters in your server load balancing SNAT action
passes through the policies that manage the traffic on your XTM device, the source IP address is
changed to the IP address that you specify. The same source IP address is used for all servers in the
server load balancing action.
You can also enable port address translation (PAT) in a server load balancing SNAT action. When you
enable PAT, you can change the packet destination to specify a different internal host and a different
port.
When you define the parameters for the SNAT action, you can also enable sticky connections. A sticky connection is a connection that continues to use the same server for a defined period of time. Stickiness makes sure that all packets between a source and destination IP address pair are sent to the same server for the time period you specify. The default sticky connection period is 8 hours; you can change it to a different number of hours. When a new connection from the same client is received, the expiration time is extended.
To add a server load balancing SNAT action:
1. Select Firewall > SNAT.
The SNAT page appears.
2. Click Add.
The Add SNAT page appears.
3. In the Name text box, type a name for this SNAT action.
4. (Optional) In the Description text box, type a description for this SNAT action.
5. Select Server Load Balancing.
6. From the External IP address drop-down list, select the external IP address or alias to use in
this server load balancing action.
For example, select a single external IP address to apply server load balancing only to packets received on that address, or select the Any-External alias to apply it to packets received on any external IP address.
7. To specify the source IP address for this server load balancing action, select the Set source IP
check box. In the adjacent text box, type the source IP address.
8. From the Method drop-down list, select the algorithm to use for server load balancing: Round-robin or Least Connection.
9. Click Add to add the IP address of an internal server to this action.
The Add Member dialog box appears.
10. In the Internal IP Address text box, type the IP address of the server to add.
11. In the Weight text box, type or select the weight for this server for load balancing.
12. To enable port address translation (PAT), select the Set internal port to a different port
check box. In the adjacent text box, type or select the port number.
If you use a server load balancing SNAT action in a policy that allows traffic that does
not have ports (traffic other than TCP or UDP), the internal port setting is not used for
that traffic.
13. Click OK.
The server appears in the Server Load Balance Members list.
14. To add another server to this action, click Add and repeat Steps 10–13.
15. To set sticky connections for your internal servers, select the Enable sticky connection check
box. In the Enable sticky connection text box and drop-down list, specify the time period for
the sticky connection.
16. Click Save.
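As an added example (not WatchGuard code), this Python model covers the behaviour described for server load balancing actions: the Round-robin and Least Connection methods, per-server weights, and sticky connections with the 8-hour default period that is extended on each new connection from the same client. How weights interact with Least Connection, how ties are broken, and the clock are assumptions; the server and client addresses are constructed.

```python
"""Model of a Fireware-style server load balancing SNAT action.

Added example, not WatchGuard code. It implements the two documented
methods (Round-robin and Least Connection), per-server weights, and sticky
connections keyed on the client source address with a sliding expiry that
is extended on each new connection. Tie-breaking in Least Connection, the
way weights are combined with Least Connection, and the clock are
assumptions; the server addresses and clients are constructed.
"""
from typing import Dict, List, Tuple

EIGHT_HOURS = 8 * 3600  # the documented default sticky connection period


class ServerLoadBalancer:
    def __init__(self, servers: Dict[str, int], method: str = "round-robin",
                 sticky_seconds: int = EIGHT_HOURS) -> None:
        # servers maps internal IP -> weight (the UI default weight is 1)
        if method not in ("round-robin", "least-connection"):
            raise ValueError(f"unknown method {method!r}")
        if any(w < 1 for w in servers.values()):
            raise ValueError("weights must be >= 1")
        self.servers = dict(servers)
        self.method = method
        self.sticky_seconds = sticky_seconds
        # Sessions the device currently tracks per server. This is what Least
        # Connection compares; the device cannot see the server's other traffic.
        self.open: Dict[str, int] = {ip: 0 for ip in servers}
        # client IP -> (server IP, expiry time)
        self.sticky: Dict[str, Tuple[str, float]] = {}
        # Weighted round-robin: a server with weight 2 gets two slots per cycle.
        self._ring: List[str] = [ip for ip, w in servers.items() for _ in range(w)]
        self._pos = 0

    def _round_robin(self) -> str:
        server = self._ring[self._pos % len(self._ring)]
        self._pos += 1
        return server

    def _least_connection(self) -> str:
        # Fewest open sessions per unit of weight; ties go to the server
        # listed first (assumption).
        return min(self.servers, key=lambda ip: self.open[ip] / self.servers[ip])

    def new_session(self, client_ip: str, now: float) -> str:
        """Pick a server for a new session from client_ip at time `now`."""
        entry = self.sticky.get(client_ip)
        if entry is not None and entry[1] > now:
            server = entry[0]                      # still sticky
        elif self.method == "round-robin":
            server = self._round_robin()
        else:
            server = self._least_connection()
        # Every new connection from the client extends the sticky period.
        self.sticky[client_ip] = (server, now + self.sticky_seconds)
        self.open[server] += 1
        return server

    def close_session(self, server: str) -> None:
        self.open[server] -= 1


def demo_weighted_round_robin() -> Dict[str, int]:
    """40 sessions from 40 distinct clients, weights 2:1:1."""
    lb = ServerLoadBalancer({"10.0.2.11": 2, "10.0.2.12": 1, "10.0.2.13": 1})
    for i in range(40):
        lb.new_session(f"198.51.100.{i}", now=0.0)
    return dict(lb.open)


def demo_sticky() -> List[str]:
    """One client reconnecting over a day against the 8-hour sliding window."""
    lb = ServerLoadBalancer({"10.0.2.11": 1, "10.0.2.12": 1})
    hours = lambda h: h * 3600.0
    return [
        lb.new_session("198.51.100.7", now=hours(0)),   # first pick: round-robin
        lb.new_session("198.51.100.7", now=hours(7)),   # within 8h: same server, expiry moves to 15h
        lb.new_session("198.51.100.7", now=hours(14)),  # within extended window: same server, expiry 22h
        lb.new_session("198.51.100.7", now=hours(23)),  # window expired: round-robin advances
    ]


def demo_least_connection() -> str:
    """Least Connection follows the session count the device tracks."""
    lb = ServerLoadBalancer({"10.0.2.11": 1, "10.0.2.12": 1}, method="least-connection")
    first = lb.new_session("198.51.100.1", now=0.0)   # tie -> first server
    lb.new_session("198.51.100.2", now=0.0)           # -> the other server
    lb.close_session(first)                           # first server back to 0 open
    return lb.new_session("198.51.100.3", now=0.0)    # -> first server again
```

The sticky table is keyed on the client source address, as the description above requires. Behind a large NAT, many clients share one address and are all pinned to one server, which is the usual reason a Least Connection deployment still ends up unbalanced; shorten the sticky period if that matters for your servers.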
Add a Server Load Balancing SNAT Action to a Policy
1. Select Firewall > Firewall Policies.
2. Select a policy, or add a new policy.
3. From the Action drop-down list, select Edit Policy.
4. In the To section, click Add.
The Add Member dialog box appears.
5. From the Member Type drop-down list, select Server Load Balancing.
The list of server load balancing actions appears.
6. Select a server load balancing action. Click OK.
The server load balancing action is added to the To section of the policy.
7. Click Save.
Edit or Remove a Server Load Balancing SNAT Action
To edit an SNAT action:
1. Select Firewall > SNAT.
The SNAT page appears.
2. Select an SNAT action.
3. Click Edit.
The Edit SNAT page appears.
4. Modify the SNAT action.
When you edit an SNAT action, any changes you make apply to all policies that use that SNAT
action.
5. Click Save.
To remove an SNAT action:
1. Select Firewall > SNAT.
The SNAT page appears.
2. Select an SNAT action.
3. Click Remove.
A confirmation dialog box appears. You cannot remove an SNAT action that is used by a policy; remove it from those policies first.
4. Click OK to confirm that you want to remove the SNAT action.
1-to-1 NAT Example
When you enable 1-to-1 NAT, the XTM device changes and routes all incoming and outgoing packets
sent from one range of addresses to a different range of addresses.
Consider a situation in which you have a group of internal servers with private IP addresses that must
each show a different public IP address to the outside world. You can use 1-to-1 NAT to map public IP
addresses to the internal servers, and you do not have to change the IP addresses of your internal
servers. To understand how to configure 1-to-1 NAT, consider this example:
A company has a group of three privately addressed servers behind an optional interface of their XTM
device. The addresses of these servers are:
10.0.2.11
10.0.2.12
10.0.2.13
The administrator selects three public IP addresses from the same subnet as the external interface of the XTM device, and creates DNS records that resolve the server names to these addresses:
203.0.113.11
203.0.113.12
203.0.113.13
Now the administrator configures a 1-to-1 NAT rule for the servers. The 1-to-1 NAT rule builds a static,
bidirectional relationship between the corresponding pairs of IP addresses. The relationship looks like
this:
10.0.2.11 <--> 203.0.113.11
10.0.2.12 <--> 203.0.113.12
10.0.2.13 <--> 203.0.113.13
When the 1-to-1 NAT rule is applied, the XTM device creates the bidirectional routing and NAT
relationship between the pool of private IP addresses and the pool of public addresses.
For the instructions to define a 1-to-1 NAT rule, see Configure Firewall 1-to-1 NAT on page 223.
9 Wireless XTM Device Setup
About Wireless XTM Device Configuration
When you enable the wireless feature of the XTM wireless device, you can configure the external
interface to use wireless, or you can configure the XTM device as a wireless access point for users on
the trusted, optional, or guest networks.
Before you set up wireless network access, see Before You Begin on page 249.
Before you can enable wireless, you must get the feature key for your device.
For more information, see About Feature Keys on page 59.
To enable the wireless feature on your XTM device:
1. Select Network > Wireless.
The Wireless page appears.
2. In the Wireless page, select a wireless configuration option:
Enable wireless client as external interface
This setting allows you to configure the external interface of the XTM wireless device to
connect to a wireless network. This is useful in areas with limited or no existing network
infrastructure.
For information about how to configure the external interface as wireless, see Configure
Your External Interface as a Wireless Interface on page 268.
Enable wireless access points
This setting allows you to configure the XTM wireless device as an access point for users
on the trusted, optional or guest networks.
For more information, see Wireless XTM Device Configuration Options on page 249.
3. In the Radio Settings section, select your wireless radio settings.
For more information, see About Wireless Radio Settings on page 271.
4. Select the Enable rogue access point detection check box to enable the device to scan for
untrusted wireless access points.
For more information, see Enable Rogue Access Point Detection on page 275.
5. Click Save.
Wireless XTM Device Configuration Options
Any XTM wireless device can be configured as a wireless access point with three different security
zones. You can enable wireless clients to connect to the XTM wireless device as part of the trusted
network or part of the optional network. You can also enable a wireless guest services network for
XTM device users. Computers that connect to the guest network connect through the XTM wireless
device, but do not have access to computers on the trusted or optional networks.
Before you enable the XTM wireless device as a wireless access point, you must look carefully at the
wireless users who connect to the device and determine the level of access you want for each type of
user. There are three types of wireless access you can allow:
Allow Wireless Connections to a Trusted Interface
When you allow wireless connections through a trusted interface, wireless devices have full access to all computers on the trusted and optional networks, and full Internet access based on the rules you configure for outgoing access on your XTM device. If you enable wireless access through a trusted interface, we strongly recommend that you enable and use the MAC restriction feature to allow access through the XTM device only for devices you add to the Allowed MAC Address list. MAC restriction is a hygiene control, not an authentication control: MAC addresses are sent in the clear in every frame and are trivially spoofed, so combine it with WPA2 authentication rather than relying on it alone.
For more information about restricting access by MAC addresses, see Use Static MAC
Address Binding on page 156.
Allow Wireless Connections to an Optional Interface
When you allow wireless connections through an optional interface, those wireless devices
have full access to all computers on the optional network, and full Internet access based on the
rules you configure for outgoing access on your XTM wireless device.
Allow Wireless Guest Connections Through the External Interface
Computers that connect to the wireless guest network connect through the XTM wireless
device to the Internet based on the rules you configure for outgoing access on your XTM device.
These wirelessly connected computers do not have access to computers on the trusted or
optional network.
For more information about how to configure a wireless guest network, see Enable a Wireless
Guest Network on page 263.
Before you set up wireless network access, see Before You Begin on page 249.
To allow wireless connections to your trusted or optional network, see Enable Wireless Connections to
the Trusted or Optional Network on page 261.
Before You Begin
WatchGuard XTM wireless devices adhere to 802.11n, 802.11b and 802.11g guidelines set by the
Institute of Electrical and Electronics Engineers (IEEE). When you install an XTM wireless device:
- Make sure that the wireless device is installed in a location more than 20 centimeters from all persons. This is an FCC requirement for low power transmitters.
- It is a good idea to install the wireless device away from other antennas or transmitters to decrease interference.
- The default wireless authentication algorithm configured for each wireless security zone is not the most secure authentication algorithm. If the wireless devices that connect to your XTM wireless device support WPA2 authentication, we recommend that you increase the authentication level to WPA2.
- A wireless client that connects to the XTM wireless device from the trusted or optional network can be a part of any branch office VPN tunnels in which the local network component of the Phase 2 settings includes optional or trusted network IP addresses. To control access to the VPN tunnel, you can force XTM device users to authenticate.
Before you set up your wireless XTM device, it is also a good idea to consider environmental factors,
which apply to the installation of WatchGuard wireless devices. For example, you can use a wireless
site survey tool to better understand your current environment and existing wireless signals before you
add a new XTM wireless device. Based on the results of your site survey, and the requirements of your
wireless clients, you can plan which wireless modes and channels to use. You will also know more
about the level of wireless noise in your environment, and can consider other factors, such as the
position of walls, that can affect wireless signal range.
For more information, see:
- Wireless Site Survey
- Wireless Modes and Channels
- Wireless Signal Strength and Noise Levels
- Wireless Environmental Factors
About Wireless Configuration Settings
When you enable wireless access to the trusted, optional, or wireless guest network, some
configuration settings are defined the same way for each of the three security zones. These can be set
to different values for each zone.
For information about the Broadcast SSID and respond to SSID queries setting, see
Enable/Disable SSID Broadcasts on page 252.
For information about setting the Network Name (SSID), see Change the SSID on page 252.
For information about the Log Authentication Events setting, see Log Authentication Events on page
252.
For information about the Fragmentation Threshold, see Change the Fragmentation Threshold on
page 252.
For information about the RTS Threshold, see Change the RTS Threshold on page 254.
For information about the Encryption (Authentication) setting, see Set the Wireless Authentication
Method on page 254.
For information about the Encryption algorithm setting, see Set the Encryption Level on page 259.
Enable/Disable SSID Broadcasts
Computers with wireless network cards send requests to see whether there are wireless access points
to which they can connect.
To configure an XTM device wireless interface to send and answer these requests, select the
Broadcast SSID and respond to SSID queries check box. Enable this option while you configure
computers on your network to connect to the XTM wireless device, and disable it after all your
clients are configured. Note that a hidden SSID is not a security control: the network name is still
sent in the clear in probe and association frames, so clients configured for a hidden network
disclose it wherever they roam. Rely on WPA2 authentication, not on SSID hiding, to keep
unauthorized devices off the network. If you use the wireless guest services feature, it can be
necessary to allow SSID broadcasts in standard operation.
Change the SSID
The SSID (Service Set Identifier) is the unique name of your wireless network. To use the wireless
network from a client computer, the wireless network card in the computer must have the same SSID
as the WatchGuard wireless network to which the computer connects.
You must assign a unique SSID to each access point. To change the SSID, type a new name in the
Network Name (SSID) text box to uniquely identify your wireless network.
Log Authentication Events
An authentication event occurs when a wireless computer tries to connect to the wireless interface of a
WatchGuard XTM wireless device. To include these events in the log file, select the Log
Authentication Events check box.
Change the Fragmentation Threshold
Fireware XTM allows you to set the largest frame the XTM wireless device sends without fragmenting it. This is called the fragmentation threshold, and it is rarely changed. The default is the maximum frame size, 2346 bytes, which means the device never fragments the frames it sends to wireless clients. This is best for most environments.
When to Change the Default Fragmentation Threshold
A collision happens when two devices that use the same medium transmit packets at exactly the
same time. The two packets can corrupt each other, and the result is a group of unreadable pieces of
data. If a packet results in a collision, the packet is discarded and it must be transmitted again. This
adds to the overhead on the network and can reduce the throughput or speed of the network.
Larger frames are more likely to collide with each other than smaller frames. To make the wireless
packets smaller, you lower the fragmentation threshold on the XTM wireless device. If you lower the
maximum frame size, it can reduce the number of repeat transmissions caused by collisions, and
lower the overhead caused by repeat transmissions.
Smaller frames introduce more overhead on the network. This is especially true on a wireless network,
because every fragmented frame sent from one wireless device to another requires the receiving
device to acknowledge the frame. When packet error rates are high (more than five or ten percent
collisions or errors), you can help improve the performance of the wireless network if you lower the
fragmentation threshold. The time that is saved when you reduce repeat transmissions can be enough
to offset the extra overhead added with smaller packets. This can result in higher throughput.
If the rate of packet error is low and you lower the fragmentation threshold, wireless network
performance decreases. This occurs because when you lower the threshold, protocol overhead is
added and protocol efficiency is reduced.
If you want to experiment, start with the default maximum 2346, and lower the threshold a small
amount at a time. To get the most benefit, you must monitor the network for packet errors at different
times of the day. Compare the effect that a lower threshold has on network performance when errors
are very high with the effect on performance when errors are moderately high.
In general, we recommend that you leave this setting at its default of 2346.
Change the Fragmentation Threshold
1. Select Network > Wireless.
2. To select the wireless network to configure, adjacent to Access point 1 or Access point 2 or
Wireless Guest, click Configure.
The wireless configuration settings for that wireless network appear.
3. To change the fragmentation threshold, in the Fragmentation Threshold text box, type or
select a value between 256 and 2346.
4. Click Return to Main Page.
5. Click Save.
Change the RTS Threshold
RTS/CTS (Request To Send / Clear To Send) reserves the medium before a frame is sent. It helps when two wireless clients can both reach the access point but cannot hear each other, so neither can detect that the other is transmitting and their frames collide at the access point. This is known as the hidden node problem.
We do not recommend that you change the default RTS threshold. When the RTS Threshold is set to the default of 2346, RTS/CTS is disabled.
If you must change the RTS threshold, adjust it incrementally. Lower it a small amount at a time. After
each change, allow enough time to decide whether the change in network performance is positive
before you change it again. If you lower this value too much, you can introduce more latency into the
network, as Requests to Send are increased so much that the shared medium is reserved more often
than necessary.
About Wireless Security Settings
WatchGuard XTM wireless devices use three security protocol standards to protect your wireless
network: WEP (Wired Equivalent Privacy), WPA (Wi-Fi Protected Access), and WPA2. Each protocol
standard can encrypt the transmissions on the wireless LAN between the computers and the access
points. They also can prevent unauthorized access to the wireless access point.
To protect privacy, you can use these features together with other LAN security mechanisms such as
password protection, VPN tunnels, and user authentication.
Set the Wireless Authentication Method
From the Encryption (Authentication) drop-down list in the wireless access point configuration,
select the level of authentication method for your wireless connections. The eight available
authentication methods, from least secure to most secure, are listed below. Select the most secure
authentication method that is supported by your wireless network clients.
Open System and Shared Key
The Open System and Shared Key authentication methods use WEP encryption. WEP is cryptographically broken: its RC4 keystream reuse lets an attacker who passively captures enough traffic recover the key in minutes, so it protects neither the confidentiality of the traffic nor access to the network. Use these methods only if a wireless client cannot support WPA or WPA2, and treat such a network as untrusted.
- Open System — Open System authentication allows any user to authenticate to the access point. This method can be used with no encryption or with WEP encryption.
- Shared Key — In Shared Key authentication, only those wireless clients that have the shared key can connect. Shared Key authentication can be used only with WEP encryption. Its challenge-response also hands a passive listener a plaintext and ciphertext pair, so it is no stronger than Open System with WEP.
WPA and WPA2 with Pre-Shared Keys
WPA (PSK) and WPA2 (PSK) Wi-Fi Protected Access methods use pre-shared keys for
authentication. WPA (PSK) and WPA2 (PSK) are more secure than WEP shared key authentication.
When you choose one of these methods, you configure a pre-shared key that all wireless devices must
use to authenticate to the wireless access point.
The XTM wireless device supports three wireless authentication settings that use pre-shared keys:
- WPA ONLY (PSK) — The XTM wireless device accepts connections from wireless devices configured to use WPA with pre-shared keys.
- WPA/WPA2 (PSK) — The XTM wireless device accepts connections from wireless devices configured to use WPA or WPA2 with pre-shared keys.
- WPA2 ONLY (PSK) — The XTM wireless device accepts connections from wireless devices configured to use WPA2 with pre-shared keys authentication. WPA2 implements the full 802.11i standard; it does not work with some older wireless network cards.
WPA and WPA2 with Enterprise Authentication
The WPA Enterprise and WPA2 Enterprise authentication methods use the IEEE 802.1X standard for
network authentication. These authentication methods use the EAP (Extensible Authentication
Protocol) framework to enable user authentication to an external RADIUS authentication server or to
the XTM device (Firebox-DB). The WPA Enterprise and WPA2 Enterprise authentication methods are
more secure than WPA/WPA2 (PSK) because users authenticate with their own credentials instead of
a shared key.
Fireware XTM v11.4 and later supports three WPA and WPA2 Enterprise wireless authentication
methods:
- WPA Enterprise — The XTM wireless device accepts connections from wireless devices configured to use WPA Enterprise authentication.
- WPA/WPA2 Enterprise — The XTM wireless device accepts connections from wireless devices configured to use WPA Enterprise or WPA2 Enterprise authentication.
- WPA2 Enterprise — The XTM wireless device accepts connections from wireless devices configured to use WPA2 Enterprise authentication. WPA2 implements the full 802.11i standard; it does not work with some older wireless network cards.
For more information about these authentication methods, see WPA and WPA2 Enterprise
Authentication.
To use the Enterprise authentication methods, you must configure an external RADIUS authentication
server or configure the XTM device as an authentication server.
For more information about how to configure the settings for these authentication methods, see:
- Use a RADIUS Server for Wireless Authentication
- Use the XTM Device as an Authentication Server for Wireless Authentication
Use a RADIUS Server for Wireless Authentication
If you select the WPA Enterprise, WPA2 Enterprise, or WPA/WPA2 Enterprise authentication
methods in your wireless configuration, you can use a RADIUS server for wireless authentication.
To configure your wireless access point to use RADIUS authentication:
1. Select Network > Wireless.
2. Click Configure adjacent to the Access point 1, Access point 2, or Wireless Guest
configuration.
3. Select the Wireless tab.
4. From the Encryption (Authentication) drop-down list, select WPA Enterprise, WPA2
Enterprise, or WPA/WPA2 Enterprise.
The Encryption, Authentication server, and EAP authentication timeout settings appear.
5. From the Encryption algorithm drop-down list, select the encryption method. For more
information, see Set the Encryption Level.
6. From the Authentication server drop-down list, select RADIUS.
The authentication and protocol configuration settings are disabled. You must configure these
settings on your RADIUS server.
7. In the EAP authentication timeout text box, you can change the timeout value for
authentication. The default is 3600 seconds.
8. Click Return to Main Page.
9. Click Save.
If you have not previously configured a RADIUS server, you are prompted to do this when you click
Save. For more information, see Configure RADIUS Server Authentication.
Use the XTM Device as an Authentication Server for Wireless Authentication
If you select the WPA Enterprise, WPA2 Enterprise, or WPA/WPA2 Enterprise authentication
methods in your wireless configuration, you can use the XTM device as the authentication server for
wireless authentication.
1. Select Network > Wireless.
2. Click Configure adjacent to the Access point 1, Access point 2, or Wireless Guest
configuration.
3. Select the Wireless tab.
4. From the Encryption (Authentication) drop-down list, select WPA Enterprise, WPA2
Enterprise or WPA/WPA2 Enterprise.
5. From the Encryption algorithm drop-down list, select the encryption method to use. For more
information, see Set the Encryption Level.
6. From the Authentication server drop-down list, select Firebox-DB.
7. In the EAP authentication timeout text box, you can change the timeout value for
authentication. The default is 3600 seconds.
8. From the EAP protocol drop-down list, select the EAP protocol wireless clients must use to
connect to the access point.
n EAP-PEAP — EAP Protected Extensible Authentication Protocol
n EAP-TTLS — EAP Tunneled Transport Layer Security
n EAP-TLS — EAP Transport Layer Security
9. From the EAP tunnel protocol drop-down list, select the EAP tunnel protocol to use. The
available tunnel protocols depend on the selected EAP protocol.
10. From the Select Certificate drop-down list, select the certificate type to use for authentication.
n Default certificate signed by Firebox — This is the default.
n Third party certificates — Select from a list of installed third party certificates.
11. If you selected Third party certificates, select a certificate from the Certificate drop-down list.
12. If you want to use a certificate authority (CA) to validate the client certificate, select the
Validate client certificate check box and select a CA certificate from the CA Certificate drop-down list.
For more information about certificates, see About Certificates.
13. Click Return to Main Page.
14. Click Save.
To use this authentication method, you must configure your XTM device as an authentication server.
For more information, see Configure Your XTM Device as an Authentication Server.
Set the Encryption Level
From the Encryption algorithm drop-down list in the wireless access point configuration, select the
level of encryption for your wireless connections. The available selections change when you use
different authentication mechanisms. The Fireware XTM OS automatically creates a random
encryption key for you when a key is required. You can use this key or change it to a different key.
Each wireless client must use this same key when they connect to the XTM wireless device.
Encryption for Open System and Shared Key Authentication
Encryption options for Open System and Shared Key authentication are WEP 64-bit hexadecimal,
WEP 40-bit ASCII, WEP 128-bit hexadecimal, and WEP 128-bit ASCII. If you select Open System
authentication, you can also select Disabled.
1. If you use WEP encryption, in the Key text boxes, type hexadecimal or ASCII characters. Not
all wireless adapter drivers support ASCII characters. You can have a maximum of four keys,
numbered 1 - 4.
n A WEP 64-bit hexadecimal key must have 10 hexadecimal (0-f) characters.
n A WEP 40-bit ASCII key must have 5 characters.
n A WEP 128-bit hexadecimal key must have 26 hexadecimal (0-f) characters.
n A WEP 128-bit ASCII key must have 13 characters.
2. If you typed more than one key, in the Key Index text box, type the key number to use as the
default key.
The XTM wireless device can use only one wireless encryption key at a time. If you select a
key other than the first key in the list, you also must set your wireless client to use the same
key.
Encryption for WPA and WPA2 Authentication
The encryption options for Wi-Fi Protected Access (WPA and WPA2) authentication methods are:
n TKIP — Use only TKIP (Temporal Key Integrity Protocol) for encryption. This option is not
available if you configure the Radio Settings to use a wireless mode that supports 802.11n.
n AES — Use only AES (Advanced Encryption Standard) for encryption.
n TKIP or AES — Use either TKIP or AES.
We recommend that you select TKIP or AES. This allows the XTM wireless device to accept
connections from wireless clients configured to use TKIP or AES encryption. For 802.11n wireless
clients, we recommend you configure the wireless client to use AES encryption.
Enable Wireless Connections to the Trusted or Optional Network
To allow wireless connections to your trusted or optional network:
1. Select Network > Wireless.
The Wireless configuration page appears.
2. Select Enable wireless access points.
3. Adjacent to Access point 1 or Access point 2, click Configure.
The Wireless Access Point configuration dialog box appears.
4. Select the Enable wireless bridge to a Trusted or Optional interface check box.
5. In the drop-down list adjacent to Enable wireless bridge to a Trusted or Optional interface,
select a trusted or optional interface.
Trusted
Any wireless clients on the trusted network have full access to computers on the trusted
and optional networks, and access to the Internet as defined in the outgoing firewall rules
on your XTM device.
If the wireless client sets the IP address on its wireless network card with DHCP, the DHCP
server on the trusted network of the XTM device must be active and configured.
Optional
Any wireless clients on the optional network have full access to computers on the optional
network, and access to the Internet as defined in the outgoing firewall rules on your XTM
device.
If the wireless client sets the IP address on its wireless network card with DHCP, the DHCP
server on the optional network of the XTM device must be active and configured.
6. To configure the wireless interface to send and answer SSID requests, select the Broadcast
SSID and respond to SSID queries check box.
For information about this setting, see Enable/Disable SSID Broadcasts on page 252.
7. Select the Log Authentication Events check box if you want the XTM device to send a log
message to the log file each time a wireless computer tries to connect to the interface.
For more information about logging, see Log Authentication Events on page 252.
8. To require wireless users to use the WatchGuard XTM IPSec Mobile VPN Client, select the
Require encrypted Mobile VPN with IPSec connections for wireless clients check box.
When you select this check box, the only packets the XTM device allows over the wireless
network are DHCP, DNS, IKE (UDP port 500), and ESP. If you require wireless users to use
the IPSec Mobile VPN Client, it can increase the security for wireless clients if you do not
select WPA or WPA2 as the wireless authentication method.
9. In the Network name (SSID) text box, type a unique name for your wireless optional network or
use the default name.
For information about changing the SSID, see Change the SSID on page 252.
10. To change the fragmentation threshold, in the Fragmentation Threshold text box, type a
value: 256–2346. We do not recommend you change this setting.
For more information about this setting, see Change the Fragmentation Threshold on page 252.
11. In the Encryption (Authentication) drop-down list, select the encryption and authentication to
enable for wireless connections to the optional interface. We recommend that you use WPA2 if
the wireless devices in your network can support WPA2.
For more information about this setting, see Set the Wireless Authentication Method.
12. In the Encryption algorithm drop-down list, select the type of encryption to use for the
wireless connection and add the keys or passwords required for the type of encryption you
select. If you select an encryption option with pre-shared keys, a random pre-shared key is
generated for you. You can use this key or type your own.
For more information, see Set the Encryption Level on page 259.
13. Save the configuration.
If you enable wireless connections to the trusted interface, we recommend that you restrict access by
MAC address. This prevents users from connecting to the XTM wireless device from unauthorized
computers that could contain viruses or spyware. Click the MAC Access Control tab to enable MAC
access control. You use this tab the same way as when you restrict network traffic on an interface as
described in Restrict Network Traffic by MAC Address on page 146.
When you enable wireless connections to a trusted or optional interface, the wireless
and wired networks operate as if they are on the same local network. Broadcast
traffic, such as DHCP requests, can pass between wired and wireless clients. If a
DHCP server is active on the physical network, or if a wireless client is configured as
a DHCP server, then all wired and wireless clients on that network can receive IP
addresses from that DHCP server.
To configure a wireless guest network with no access to the computers on your trusted or optional
networks, see Enable a Wireless Guest Network on page 263.
Enable a Wireless Guest Network
You can enable a wireless guest network to give a guest user wireless access to the Internet without
access to computers on your trusted and optional networks.
To set up a wireless guest network:
1. Select Network > Wireless.
The Wireless Configuration page appears.
2. Select Enable wireless access points.
3. Adjacent to Wireless guest, click Configure.
The Wireless Guest Configuration dialog box appears.
4. Select the Enable Wireless Guest Network check box.
Wireless connections are allowed through the XTM device to the Internet based on the rules you
have configured for outgoing access on your device. These computers have no access to
computers on the trusted or optional network.
5. In the IP Address text box, type the private IP Address to use for the wireless guest network.
The IP address you type must not already be in use on one of your network interfaces.
6. In the Subnet Mask text box, type the subnet mask. The correct value is usually
255.255.255.0.
7. To configure the XTM device as a DHCP server when a wireless device tries to make a
connection, select the Enable DHCP Server on Wireless Guest Network check box.
For more information about how to configure the settings for the DHCP Server, see Configure
IPv4 DHCP in Mixed Routing Mode on page 122.
8. Click the Wireless tab to see the security settings for the wireless guest network.
The Wireless settings appear.
9. Select the Broadcast SSID and respond to SSID queries check box to make your wireless
guest network name visible to guest users.
For information about this setting, see Enable/Disable SSID Broadcasts on page 252.
10. To send a log message to the log file each time a wireless computer tries to connect to the
guest wireless network, select the Log Authentication Events check box.
For more information about logging, see Log Authentication Events on page 252.
11. To allow wireless guest users to send traffic to each other, clear the Prohibit client to client
wireless network traffic check box.
12. In the Network name (SSID) text box, type a unique name for your wireless guest network or
use the default name.
For information about changing the SSID, see Change the SSID on page 252.
13. To change the fragmentation threshold, in the Fragmentation Threshold text box, type a
value: 256–2346. We do not recommend you change this setting.
For more information about this setting, see Change the Fragmentation Threshold on page 252.
14. In the Authentication drop-down list, select the type of authentication to enable for connections
to the wireless guest network. The setting you choose depends on the type of guest access you
want to provide, and whether you want to require your guests to enter a passphrase to use the
network.
For more information about this setting, see Set the Wireless Authentication Method on page
254.
15. In the Encryption / Authentication drop-down list, select the type of encryption to use for the
wireless connection and add the keys or passwords required for the type of encryption you
select. If you select an authentication option that uses pre-shared keys, a random pre-shared
key is generated for you. You can use this key or type your own.
For more information, see Set the Encryption Level on page 259.
16. Click Return to Main Page.
17. Click Save.
You can also configure your wireless guest network as a hotspot. For more information, see Enable a
Hotspot on page 471.
Another configuration option you can select is to restrict access to the guest network by MAC address.
1. To enable MAC access control, select the MAC Access Control tab.
2. Configure the settings as described in the topic, Restrict Network Traffic by MAC Address on
page 146.
Enable a Hotspot on an XTM Wireless Access Point
You can enable a hotspot for any of the enabled wireless networks on an XTM wireless device. When
you enable a hotspot, you must select an interface for the hotspot. In the hotspot configuration, there
are three interface names that correspond to the three wireless access points you can enable on the
XTM wireless device:
WG-Wireless-Access-Point1
This corresponds to Access Point 1 in the XTM device wireless settings
WG-Wireless-Access-Point2
This corresponds to Access Point 2 in the XTM device wireless settings
WG-Wireless-Guest
This corresponds to Wireless guest in the XTM device wireless settings
In the hotspot configuration, only the enabled wireless access points appear in the list of interfaces you
can select.
Hotspot configuration settings for both wired and wireless XTM devices are configured in the
Authentication settings for your XTM device.
For more information about how to configure a hotspot, see Enable a Hotspot on page 471.
Configure Your External Interface as a Wireless Interface
In areas with limited or no existing network infrastructure, you can use your XTM wireless device to
provide secure network access. You must physically connect your network devices to the XTM
device. Then you configure your external interface to connect to a wireless access point that connects
to a larger network.
When the external interface is configured with a wireless connection, the XTM
wireless device can no longer be used as a wireless access point. To provide
wireless access for users, connect a wireless access point device to the XTM
wireless device.
Configure the Primary External Interface as a Wireless Interface
1. Select Network > Wireless.
The Wireless Configuration page appears.
2. Select Enable wireless client as external interface.
3. Click Configure.
The external interface settings appear.
4. In the Configuration Mode drop-down list, select an option:
Static IP
To use a static IP address, select this option. Type the IP Address, Subnet Mask, and
Default Gateway you use to connect to the wireless network.
DHCP Client
To configure the external interface as a DHCP client, select this option. Type the DHCP
configuration settings.
For more information about how to configure the external interface to use a static IP address or
DHCP, see Configure an External Interface on page 114.
5. Select the Wireless tab.
The wireless client configuration settings appear.
6. In the Network name (SSID) text box, type the name of the external wireless network this
device connects to.
7. In the Encryption (Authentication) drop-down list, select the encryption and authentication
method to use for the wireless connection. We recommend that you use WPA2 if the wireless
device you connect to supports it.
For more information about wireless authentication methods, see About Wireless Security
Settings on page 254.
8. In the Encryption algorithm drop-down list, select the type of encryption to use for the
wireless connection. Add the passphrase or keys required for the type of encryption you select.
9. Click Save.
Configure a BOVPN tunnel for additional security
To create a wireless bridge and provide additional security, you can add a BOVPN tunnel between your
XTM device and the external gateway. You must set the mode to Aggressive Mode in the Phase 1
settings of your BOVPN configuration on both devices.
For information about how to set up a BOVPN tunnel, see About Manual Branch Office VPN Tunnels
on page 848.
About Wireless Radio Settings
WatchGuard XTM wireless devices use radio frequency signals to send and receive traffic from
computers with wireless Ethernet cards.
To view or change the radio settings:
1. Connect to Fireware XTM Web UI.
2. Select Network > Wireless.
The Wireless page appears. The radio settings appear at the bottom of the page.
Country is Set Automatically
Due to regulatory requirements in different parts of the world, you cannot use all wireless radio settings
in every country. Each time you power on the XTM wireless device, the device contacts a WatchGuard
server to determine the country and the allowed wireless radio settings for that country. To do this, the
device must have an Internet connection. Once the country is determined, you can configure all
supported wireless radio settings that can be used in that country.
In the Wireless Configuration dialog box, the Country setting shows which country the device detects
it is in. You cannot change the Country setting. The available options for the other radio settings are
based on the regulatory requirements of the country the device detects it is located in.
If the XTM wireless device cannot connect to the WatchGuard server, the country is
unknown, and is shown as Default. In this case, you can only select from the limited
set of wireless radio settings that are allowed in all countries. The XTM wireless
device periodically continues to retry to connect to the WatchGuard server to
determine the country and allowed wireless radio settings.
If the XTM wireless device does not have a country set yet, or if the country is not up to date, you can
force the device to update the wireless country information.
To update the Wireless Radio Region:
1. Select System Status > Wireless Statistics.
2. Click Update Country Info.
The XTM wireless device contacts a WatchGuard server to determine the current operating region.
Select the Band and Wireless Mode
The WatchGuard XTM wireless device supports two different wireless bands, 2.4 GHz and 5 GHz.
The band you select and the country determine the wireless modes available. Select the Band that
supports the wireless mode you want to use. Then select the mode from the Wireless mode drop-down list.
The 2.4 GHz band supports these wireless modes:
802.11n, 802.11g and 802.11b
This is the default mode in the 2.4 GHz band, and is the recommended setting. This mode
allows the XTM wireless device to connect with devices that use 802.11n, 802.11g, or 802.11b.
802.11g and 802.11b
This mode allows the XTM wireless device to connect to devices that use 802.11g or 802.11b.
802.11b ONLY
This mode allows the XTM wireless device to connect only to devices that use 802.11b.
The 5 GHz band supports these wireless modes:
802.11a and 802.11n
This is the default mode in 5 GHz band. This mode allows the XTM wireless device to connect
to devices that use 802.11a or 802.11n.
802.11a ONLY
This mode allows the XTM wireless device to connect only to devices that use 802.11a.
If you choose a wireless mode that supports multiple 802.11 standards, the overall
performance can drop considerably. This is partly because of the need for backward
compatibility when devices that use slower modes are connected. The slower
devices tend to dominate the throughput because it can take much longer to send or
receive the same amount of data to devices that use a slower mode.
The 5 GHz band provides greater performance than the 2.4 GHz band, but is not compatible with all
wireless devices. Select the band and mode based on the wireless cards in the devices that will
connect to the XTM wireless device.
Select the Channel
The available channels depend on the country and the wireless mode you select. By default, the
Channel is set to Auto. When the channel is set to Auto, the XTM wireless device automatically
selects a quiet channel from the available list in the band you have selected. Or you can select a
specific channel from the Channel drop-down list.
Configure the Wireless Card on Your Computer
These instructions are for the Windows XP with Service Pack 2 operating system. For installation
instructions for other operating systems, see your operating system documentation or help files.
1. Select Start > Settings > Control Panel > Network Connections.
The Network Connections dialog box appears.
2. Right-click Wireless Network Connection and select Properties.
The Wireless Network Connection dialog box appears.
3. Select the Wireless Networks tab.
4. Below Preferred Networks, click Add.
The Wireless Network Properties dialog box appears.
5. Type the SSID in the Network Name (SSID) text box.
6. Select the network authentication and data encryption methods in the drop-down lists. If
necessary, clear The key is provided for me automatically check box and type the network
key two times.
7. Click OK to close the Wireless Network Properties dialog box.
8. Click View Wireless Networks.
All available wireless connections appear in the Available Networks text box.
9. Select the SSID of the wireless network and click Connect.
If the network uses encryption, type the network key twice in the Wireless Network Connection
dialog box and click Connect again.
10. Configure the wireless computer to use DHCP.
Rogue Access Point Detection
You can configure your XTM wireless device to detect unknown wireless access points that operate
in the same area. A rogue access point is any wireless access point within range of your network that
is not recognized as an authorized access point. When you enable rogue access point detection on
your XTM wireless device, the wireless radio in the device scans wireless channels to identify
unknown wireless access points. You can configure the scan to run continuously, or to run at a
scheduled interval and time of day.
When a rogue access point scan begins, the XTM wireless device scans the airwaves within range for
other radio broadcasts. The device scans for wireless access points in 802.11a, 802.11b, 802.11g, and
802.11n wireless modes on all available wireless channels for the country where the device is located.
The scan is not limited to the wireless mode and channel settings configured in the radio settings of
your device.
When the XTM wireless device detects the signal of another wireless access point, it compares the
characteristics of the access point to a list of trusted access points that you configure. If the
discovered access point does not match any trusted access point, the XTM device reports the device
as a potential rogue access point. You can configure the device to send an alarm when a rogue access
point is detected. If you enable logging, you can run a report of all scans and scan results.
Enable Rogue Access Point Detection
To configure rogue access point detection on your XTM wireless device, you need to know the
configuration of the other wireless access points on your network; this enables you to identify them as
trusted in your configuration. You can then set up a schedule for rogue access point detection scans.
Configure Rogue Access Point Detection
1. Select Network > Wireless.
The Wireless page appears.
2. Select the Enable rogue access point detection check box.
3. Adjacent to the Enable rogue access point detection check box, click Configure.
The Trusted Access Point Configuration page appears.
On the Access Points tab you can add information about all other trusted wireless access
points on your network so the rogue access point scan does not identify them as potential rogue
access points.
Add a Trusted Access Point
1. To add a trusted access point to the list, click Add.
The Trusted access point dialog box appears.
In the Trusted access point dialog box, provide as much information as you can to identify
your trusted access point. The more information you provide, the more likely it is that a rogue
access point detection scan can correctly identify a trusted access point.
2. In the Network name (SSID) text box, type the SSID of the trusted access point.
3. In the MAC address (Optional) text box, type the wireless MAC address of the trusted access
point.
If your trusted access point is an XTM wireless device, see Find the Wireless MAC Address of
a Trusted Access Point.
4. From the Channel drop-down list, select the channel used by the trusted access point. If the
trusted access point is a WatchGuard device and the Channel in the radio settings of that
trusted wireless device is set to Auto, select Any.
5. From the Encryption drop-down list, select the encryption method used by the trusted access
point.
The WPA or WPA2 authentication and encryption settings that apply to the encryption method you
select are enabled.
6. If you select WPA or WPA/WPA2 as the encryption method, configure the WPA settings to
match the configuration of your trusted access point.
Or, if you do not know these settings, select the Match any authentication and encryption
algorithms check box.
7. If you selected WPA2 or WPA/WPA2 as the encryption method, configure the WPA2 settings to
match the configuration of your trusted access point.
Or, if you do not know these settings, select the Match any authentication and encryption
algorithms check box.
8. Click OK.
The trusted access point is added to the list of trusted access points.
For information about how to add an XTM wireless device as a trusted access point, see Add an
XTM Wireless Device as a Trusted Access Point.
Edit or Remove a Trusted Access Point
To edit a trusted access point:
1. Select the access point in the list.
2. Click Edit.
3. Edit the information used to identify the trusted access point as described in the previous
section.
To remove a trusted access point, select the access point in the list and click Remove.
Configure Logging and Notification
You must enable logging to see information about rogue access point scans in a report. When you
enable logging, the log records the start and stop time, and the results of each scan. To enable logging,
select the Enable logging for reports check box.
You can also configure the device to notify you when a rogue access point is detected. To configure
notification:
1. Click the Notification tab.
2. Select a notification method: SNMP trap, email message, or pop-up window.
For more information about notification settings, see Set Logging and Notification Preferences on page
748.
Set the Scan Frequency
If you enable rogue access point detection on an XTM wireless device that is also configured as a
wireless access point, the device alternates between the two functions. When a rogue access point
scan is not in progress, the device operates as a wireless access point. When a rogue access point scan
begins, the XTM device access point functionality is temporarily disabled, and wireless clients cannot
connect to the XTM wireless device until the scan completes. You cannot set the scan frequency to
Always scan if your device is also configured as a wireless access point.
If your XTM wireless device is configured to operate as a wireless client, the rogue access point scan
does not interrupt the wireless connection, but it does decrease the throughput of the wireless
connection while the scan is in progress.
To set the scan frequency:
1. In the Trusted Access Point Configuration dialog box, select the Schedules tab.
2. Select the scan frequency.
n Select Always scan to automatically scan for rogue access points every 15 minutes.
n Select Schedule a scan to scan on a periodic schedule.
3. If you selected Schedule a scan, select how often the scan should run (daily, weekly, or
monthly) and select the time of day to start the scan.
4. Click Return to Main Page.
5. Click Save.
If you have added information about some trusted access points but still need to collect information
about other trusted access points, you might not be ready to enable the rogue access point scan. To
disable rogue access point detection scans, in the Wireless Configuration page, clear the Enable
rogue access point detection check box. When you disable rogue access point detection, your
trusted access point information is saved, but the device does not scan for rogue access points.
Add an XTM Wireless Device as a Trusted Access Point
If you have multiple wireless access points, you must add their information to the rogue access point
detection configuration's trusted access points list. The wireless settings you can select to identify a
trusted wireless access point are similar to the settings you use to configure an XTM wireless device
as a wireless access point. Use these steps to find the settings for your XTM wireless device so you
can add it to the trusted access point list.
Find the Settings for Your XTM Trusted Access Points
To find the required settings to identify a trusted access point:
1. Select Network > Wireless.
The Wireless Configuration dialog box appears.
2. In the Radio Settings section, make a note of the Channel.
3. Click Configure adjacent to the enabled wireless access point name.
The Wireless settings for this access point appear.
4. Make a note of these settings:
n Network name (SSID)
n Encryption / Authentication
n Encryption algorithm
5. Find the wireless MAC address. For an XTM 2 Series wireless device, the wireless
MAC address is six higher than the MAC address of the Eth0 interface.
For more information, see Find the Wireless MAC Address of a Trusted Access Point.
An XTM wireless device can have up to three enabled wireless access points with different settings. If
the XTM wireless device has multiple enabled access points, repeat these steps to get the information
about each enabled access point. Repeat these steps for any other trusted access points on your
network.
Add the Trusted Access Points to the Trusted Access Point List
On the wireless device that performs the rogue access point scan:
1. Select Network > Wireless.
2. Select the Enable rogue access point detection check box.
3. Adjacent to Enable rogue access point detection, click Configure.
The list of trusted access points appears.
4. Click Add.
The Trusted Access Point dialog box appears.
5. Type or select the information to match the configuration of your trusted access point.
For more information about these settings, see Enable Rogue Access Point Detection.
The Encryption / Authentication setting in the wireless network configuration
corresponds to two settings (Encryption and Authentication) in the Trusted Access
Point configuration.
6. Click OK to add the trusted access point.
Repeat these steps to add other trusted wireless access points.
Find the Wireless MAC Address of a Trusted Access Point
When you enable rogue access point detection, you can specify the wireless MAC address of your
other trusted wireless access points so they can be identified as trusted.
For an XTM 2 Series wireless device, the wireless MAC address is six higher than the MAC address of
the Eth0 interface. So, for example, if the Eth0 Interface on the 2 Series wireless device has a MAC
address of 00:90:7F:80:1A:61 , the wireless MAC address for that device is 00:90:7F:80:1A:67 .
To see the Eth0 interface MAC address, select Dashboard > Interfaces.
You can also see the wireless MAC address of a WatchGuard wireless device in the Status Report in
Firebox System Manager. For more information, see the WatchGuard System Manager User Guide or
WatchGuard System Manager Help.
Rogue Access Point Scan Results
You can see the results of a wireless rogue access point detection scan in the Rogue Access Point
Detection (Wireless Intrusion Detection System) page. This page displays a list of untrusted wireless
access points found by the most recent rogue access point detection scan. This list does not include
access points that match the trusted access points defined in your wireless rogue access point
detection configuration.
To see and update the list:
1. Select System Status > Rogue AP Detection.
The Rogue Access Point Detection system status page appears.
2. To start an immediate scan for rogue access points, click Scan now.
The wireless access point starts a rogue access point detection scan and updates the list of
untrusted access points.
If an access point that you trust appears on this list, it is because you have not yet added it as a trusted
access point. For information about how to add an access point to the trusted access point list, see
Enable Rogue Access Point Detection.
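To show the two checks described in this section and in Find the Wireless MAC Address of a Trusted Access Point in working form, here is an added Python example; it is not WatchGuard code. It derives the wireless MAC address of an XTM 2 Series device from its Eth0 MAC address (the plus-six rule above, with the carry across an octet boundary handled) and then sorts a list of scan results into trusted and untrusted entries by comparing SSID, MAC address, Encryption, Authentication and Channel against a trusted access point list. The field names, the sample MAC and SSID values, the rule that an empty Channel in a trusted entry matches any channel, and the extra "ssid-mismatch" verdict for an access point that advertises a trusted SSID with different settings are assumptions for illustration.

```python
"""Trusted access point matching for a rogue AP scan.

Added example (not WatchGuard code): derives the wireless MAC of an XTM 2 Series
device from its Eth0 MAC as the guide describes, then classifies scan results
against a trusted access point list. Field names, the wildcard rule for Channel
and the "ssid-mismatch" verdict are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional


def mac_to_int(mac: str) -> int:
    """Parse 'AA:BB:CC:DD:EE:FF' (any case) into a 48-bit integer."""
    parts = mac.strip().split(":")
    if len(parts) != 6 or not all(len(p) == 2 for p in parts):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int("".join(parts), 16)


def int_to_mac(value: int) -> str:
    """Format a 48-bit integer as an upper-case colon-separated MAC address."""
    if not 0 <= value < (1 << 48):
        raise ValueError("MAC address value out of 48-bit range")
    raw = f"{value:012X}"
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def wireless_mac_from_eth0(eth0_mac: str, offset: int = 6) -> str:
    """XTM 2 Series rule from the guide: wireless MAC = Eth0 MAC + 6.

    Adding on the full 48-bit value carries across octet boundaries, so
    ...:1A:FD + 6 becomes ...:1B:03 rather than an invalid octet.
    """
    return int_to_mac(mac_to_int(eth0_mac) + offset)


@dataclass(frozen=True)
class AccessPoint:
    """One access point, either a trusted entry or a scan result."""
    ssid: str
    mac: str
    encryption: str                 # e.g. "WPA2", the Encryption setting
    authentication: str             # e.g. "PSK", the Authentication setting
    channel: Optional[int] = None   # None in a trusted entry = any channel (assumption)


def matches_trusted(seen: AccessPoint, trusted: AccessPoint) -> bool:
    """All configured trusted fields must agree; MAC and security names compare case-insensitively."""
    return (
        seen.ssid == trusted.ssid
        and mac_to_int(seen.mac) == mac_to_int(trusted.mac)
        and seen.encryption.upper() == trusted.encryption.upper()
        and seen.authentication.upper() == trusted.authentication.upper()
        and (trusted.channel is None or seen.channel == trusted.channel)
    )


def classify_scan(scan: list, trusted_list: list) -> dict:
    """Map each scanned MAC to 'trusted', 'ssid-mismatch' or 'untrusted'.

    'ssid-mismatch' flags an AP that advertises one of our SSIDs but whose MAC
    or security settings differ from every trusted entry: either a trusted AP
    that has not been added yet, or an unknown device worth investigating.
    """
    trusted_ssids = {t.ssid for t in trusted_list}
    report = {}
    for ap in scan:
        if any(matches_trusted(ap, t) for t in trusted_list):
            verdict = "trusted"
        elif ap.ssid in trusted_ssids:
            verdict = "ssid-mismatch"
        else:
            verdict = "untrusted"
        report[int_to_mac(mac_to_int(ap.mac))] = verdict
    return report


# Constructed sample data (not from a real scan).
TRUSTED = [
    AccessPoint("Corp-WiFi", wireless_mac_from_eth0("00:90:7F:80:1A:61"), "WPA2", "PSK", channel=6),
]
SCAN = [
    AccessPoint("Corp-WiFi", "00:90:7f:80:1a:67", "WPA2", "PSK", channel=6),
    AccessPoint("Corp-WiFi", "02:11:22:33:44:55", "NONE", "OPEN", channel=6),
    AccessPoint("Neighbor-Net", "0A:BB:CC:DD:EE:FF", "WPA2", "PSK", channel=11),
]

if __name__ == "__main__":
    for mac, verdict in classify_scan(SCAN, TRUSTED).items():
        print(f"{mac}  {verdict}")
```

The first scan entry matches the trusted list exactly and is dropped from the untrusted list, as the page describes; the second advertises the same SSID but with different MAC and security settings, which is the case to look at before simply adding it as trusted.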
9 WatchGuard AP Device Setup
Wireless Access Point Types
WatchGuard offers two types of wireless devices that you can use separately or together to add
secure wireless access points to your network: a WatchGuard XTM wireless device and a
WatchGuard Access Point device.
A WatchGuard XTM wireless device
A WatchGuard Access Point device
The configuration options and setup procedures for these two types of access point devices are
different.
WatchGuard XTM wireless device
You can enable up to three wireless access points on a WatchGuard XTM wireless device. The
settings to configure a WatchGuard XTM wireless device are in the Network > Wireless menu.
For more information, see About Wireless XTM Device Configuration.
WatchGuard Access Point (AP) device
You can connect multiple WatchGuard AP devices to the trusted or optional network of an
XTM device, and manage them from any wired or wireless XTM device. You configure the
Gateway Wireless Controller on your XTM device to manage the WatchGuard AP devices.
The settings to configure WatchGuard AP devices are in the Network > Gateway Wireless
Controller menu.
For more information, see About AP Device Configuration.
About AP Device Configuration
You can think of a WatchGuard Access Point (AP) device as an extension to an XTM device. You can
connect one or more WatchGuard AP devices to your network to enable wireless access, expand the
wireless range of your network, and enable wireless access to different security zones in your network.
You configure and manage the AP devices through the Gateway Wireless Controller on your
XTM device.
SSID Configuration
An SSID (Service Set Identifier) is the unique name you give to each wireless network. You can
configure multiple SSIDs across multiple WatchGuard AP devices to accommodate different wireless
configurations.
When you configure SSIDs for your WatchGuard AP devices, you can:
Assign the same SSID to multiple AP devices (for wireless roaming on the same SSID)
When you assign the same SSID to multiple AP devices, the range of that SSID is extended.
When a wireless client that is connected to an SSID moves to a different location on your
physical network, the wireless client can automatically connect to the AP device that has the
strongest signal for that SSID. This eliminates the need for users to manually reconnect when
they move their wireless devices around your office.
Assign multiple SSIDs to AP devices
You can also enable multiple SSIDs on each WatchGuard AP device. The number of SSIDs
each wireless AP device can support depends on the AP device model, and whether the device
has single or dual radios.
n AP 100 — Has one radio and supports a maximum of 8 SSIDs
n AP 200 — Has two radios and supports a maximum of 16 SSIDs (eight per radio)
For each SSID you configure the security and encryption settings that protect your network.
For more information, see Configure WatchGuard AP Device SSIDs.
When you configure the SSIDs for your WatchGuard AP devices, you can optionally enable VLAN
tagging. If you enable VLAN tagging for SSIDs on a WatchGuard AP device, you must also enable
VLANs on the network that the AP device connects to.
There are a couple of reasons you might want to enable VLAN tagging on your AP SSIDs:
n You want to configure different firewall policies for SSIDs that connect to the same network
n You want to separate the traffic on the same physical network to different logical networks.
For more information, see Configure VLANs for WatchGuard AP Devices.
If you want to support roaming for a wireless guest network, you might want to enable station isolation
to prevent wireless clients from directly sending traffic to each other. This requires a VLAN, but does
not require VLAN tagging. For more information, see About AP Station Isolation.
AP Device Configuration
In the Gateway Wireless Controller AP device settings, you configure the radio settings for each AP
device and set the SSIDs each AP device uses.
For more information, see Configure AP Device Settings.
WatchGuard AP Device Requirements and Limitations
Before you add a WatchGuard AP device to your network, it is important to understand the
requirements and limitations of the AP device.
Requirements
n The WatchGuard AP device must be managed by a WatchGuard XTM device that uses
Fireware XTM OS v11.7.2 or higher.
n The XTM device must be configured in mixed routing mode.
n The AP device must connect to a trusted or optional network.
n The XTM device configuration must include a policy that allows NTP traffic from the AP device
to the Internet. The AP device uses an NTP server to set the correct local time.
The default Outgoing policy allows NTP traffic from the trusted network. If you
remove or disable the Outgoing policy, or if your AP device is connected to the
Optional network, you must add an NTP policy to allow outgoing NTP traffic from the
network the AP device connects to.
Limitations
n You cannot use the Fireware XTM Command Line Interface to manage WatchGuard AP
devices.
n You cannot use a WatchGuard Management Server to manage WatchGuard AP devices.
n You cannot locate WatchGuard AP devices behind a NAT firewall.
Plan your Wireless AP Device Deployment
Before you deploy WatchGuard AP devices on your network, you must research, design, and plan your
wireless network deployment to make sure it meets your requirements for coverage, signal strength,
data rates, and security.
We recommend that you review these sections for general wireless knowledge and guidelines for a
successful deployment.
Wireless Site Survey
Perform a wireless site survey to analyze your current environment and wireless requirements.
For more information, see Wireless Site Survey.
Wireless Modes and Channels
Determine which wireless modes and channels you support for your wireless clients.
For more information, see Wireless Modes and Channels.
Wireless Signal Strength and Noise Levels
Understand wireless signal strength and signal-to-noise ratios.
For more information, see Wireless Signal Strength and Noise Levels.
Wireless Environment Factors
Identify environmental factors that can affect the range and performance of wireless networks.
For more information, see Wireless Environmental Factors.
WatchGuard AP Device Placement
Determine the best location and placement of your WatchGuard AP devices.
For more information, see Wireless Placement.
Wireless Site Survey
Before you deploy a new WatchGuard AP device, you can perform a wireless site survey to analyze
your current environment and existing wireless signals. The wireless site survey helps you to identify
your specific requirements for your wireless network, and any external factors that could affect your
deployment.
Site survey results can help you determine this information:
n Number of wireless clients that must be supported
n Areas of coverage and number of AP devices required
n Best physical placement of AP devices
n Range from clients to each AP device
n Minimum data rates required for specific applications
n Wireless signal strength and potential sources of wireless noise and interference
n Environmental factors that affect wireless signals, such as building construction and materials
Typically, you begin a site survey with a physical walk-through of your environment. It is helpful to
have a floor plan of your facilities that shows your existing networking environment and a list of
requirements for your planned wireless networks. A visual inspection helps you to understand the
areas of coverage required, the physical limitations and barriers due to building construction, and
potential sources of wireless interference.
After you complete a physical inspection of your facilities, you must be able to visualize and
understand where the current wireless signals are located in your environment, and how they react to
your physical environment.
Many wireless site survey tools are available that enable you to map your environment and generate
wireless heat maps, which provide a visual representation of the wireless signals in your environment.
The heat map shows the strength and range of wireless access points, how their signals react to your
physical environment, and identifies any existing wireless interference.
To determine what wireless signals and interference already exist in your environment, you can
generate a heat map to help you plan your deployment scenario. You can use one of the many available
third-party wireless site survey tools, such as Ekahau HeatMapper. After you install your AP devices,
you can make another heat map of your environment to see if your current placement provides
adequate coverage and signal strength for your wireless network.
Wireless Modes and Channels
The WatchGuard AP wireless device supports two different wireless bands: 2.4 GHz and 5 GHz. The
band you select and the country determine the wireless modes available.
These wireless standards are supported:

Standard   Frequency Band     Data Rate   Channel Width   Indoor range
802.11n    2.4GHz and 5GHz    600Mbps     20 and 40MHz    230 ft
802.11g    2.4GHz             54Mbps      20MHz           125 ft
802.11b    2.4GHz             11Mbps      20MHz           115 ft
802.11a    5GHz               54Mbps      20MHz           115 ft
The 802.11n protocol is the latest wireless standard, and provides high data rates and performance in
the 5 GHz frequency band. It is only supported in the most recent types of wireless devices.
To achieve maximum performance, we recommend a pure 802.11n setup in the 5 GHz band. This
requires that all the wireless devices on your network run 802.11n. For most environments, you need to
support legacy wireless devices that do not support 802.11n, and we recommend that you configure
your WatchGuard AP to use the default mixed mode 802.11b/g/n.
If you choose a wireless mode that supports multiple 802.11 standards, the overall
performance can drop considerably. This is partly because of the need for backward
compatibility when devices that use slower modes are connected. The slower
devices tend to dominate the throughput because it can take much longer to send or
receive the same amount of data to devices that use a slower mode.
Wireless Channels
A wireless channel is a specific division of frequencies within a specific wireless band.
For example, in the 2.4GHz band with a channel width of 20MHz, there are 14 defined channels
spaced every 5MHz. Channels 12 and 13 are applicable in countries outside of North America.
Channel 14 is for Japan only and is spaced at 12 MHz.
One wireless channel can overlap the frequency of another wireless channel. When you design and
deploy wireless networks, you must take into account which channels you use for your wireless
network. For example, in the 2.4 GHz band, adjacent channels such as channel 3 and 4 have very
closely overlapping frequencies that can cause interference. In the 2.4 GHz band, channels 1, 6, and
11 do not overlap each other because of the spacing between their frequencies, and these are the
channels most commonly used. The 2.4GHz band is crowded because many other devices that
operate on this band, such as cordless phones, microwaves, monitors, and wireless headsets, also
use the same channels, and can cause wireless congestion.
In the 5GHz band, the full channel width is reserved and there is a very large selection of
nonoverlapping channels. 802.11n also allows you to combine two 20MHz channels to form a 40MHz
channel for increased bandwidth.
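As an added example that is not part of the guide, the Python below carries the channel arithmetic described above through in code. It computes 2.4 GHz channel centre frequencies (channel n is centred at 2407 + 5n MHz for channels 1 to 13 and channel 14 at 2484 MHz, the standard 802.11 values), tests whether two channels of a given width overlap, picks a set of mutually non-overlapping channels, and works out the span of a 40 MHz 802.11n channel formed from two 20 MHz channels. The occupancy model (a contiguous span of width_mhz around the centre) and the function names are assumptions. With a strict 20 MHz width the greedy selection admits channels 1, 5 and 9 as non-overlapping; with the 22 MHz occupied bandwidth of an 802.11b transmission it yields the 1, 6, 11 set the guide names as the most commonly used, which is why the width is a parameter rather than a constant.

```python
"""2.4 GHz channel spacing and overlap (added example, not WatchGuard code).

Channel centre frequencies are the standard 802.11 values: channel n (1-13)
is centred at 2407 + 5n MHz and channel 14 at 2484 MHz. Channel occupancy is
modelled as a contiguous span of `width_mhz` around the centre; the real
spectral mask is wider than that, which is why `width_mhz` is a parameter.
"""


def channel_center_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel: 1-13 are 5 MHz apart, 14 is 12 MHz above 13."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def channel_span(channel: int, width_mhz: float = 20) -> tuple:
    """(low, high) edge frequencies in MHz of a channel of the given width."""
    centre = channel_center_mhz(channel)
    return (centre - width_mhz / 2, centre + width_mhz / 2)


def spans_overlap(a: tuple, b: tuple) -> bool:
    """Open-interval overlap: spans that merely touch at an edge do not overlap."""
    return a[0] < b[1] and b[0] < a[1]


def channels_overlap(a: int, b: int, width_mhz: float = 20) -> bool:
    """True if two channels of the given width share any frequency."""
    return spans_overlap(channel_span(a, width_mhz), channel_span(b, width_mhz))


def non_overlapping_channels(width_mhz: float = 20, candidates=range(1, 12)) -> list:
    """Greedy lowest-first selection of mutually non-overlapping channels.

    The default candidate range 1-11 is the North American set; channels 12 and
    13 are only usable outside North America, as the guide notes.
    """
    chosen = []
    for ch in candidates:
        if all(not channels_overlap(ch, c, width_mhz) for c in chosen):
            chosen.append(ch)
    return chosen


def bonded_40mhz_span(primary: int, secondary_above: bool = True) -> tuple:
    """Edge frequencies of an 802.11n 40 MHz channel made of two 20 MHz channels.

    The secondary 20 MHz channel is the one 4 channel numbers (20 MHz) above or
    below the primary; channel 14 cannot take part in bonding.
    """
    secondary = primary + 4 if secondary_above else primary - 4
    if not (1 <= primary <= 13 and 1 <= secondary <= 13):
        raise ValueError("40 MHz bonding needs both halves within channels 1-13")
    low, _ = channel_span(min(primary, secondary))
    _, high = channel_span(max(primary, secondary))
    return (low, high)


if __name__ == "__main__":
    print("channels 3 and 4 overlap:", channels_overlap(3, 4))
    print("1/6/11 pairwise overlap:",
          [channels_overlap(a, b) for a, b in ((1, 6), (6, 11), (1, 11))])
    print("non-overlapping at 20 MHz:", non_overlapping_channels(20))
    print("non-overlapping at 22 MHz:", non_overlapping_channels(22))
    print("40 MHz channel on primary 1:", bonded_40mhz_span(1))
```

Run stand-alone it prints the overlap of channels 3 and 4, confirms that 1, 6 and 11 are pairwise clear, and shows that a 40 MHz channel on primary 1 occupies 2402 to 2442 MHz, which is why a single bonded channel in the 2.4 GHz band leaves little room for a neighbouring access point.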
Channel Selection
The WatchGuard AP is configured by default to automatically select the wireless channel to use.
When you power on the WatchGuard AP device, it automatically scans the network and selects the
wireless channel with the least amount of interference.
The default channel width is configured as 20/40MHz. This mixed mode sets the radio to use 40MHz
channel width, but with additional transmission information that enables it to be used in an environment
that includes 802.11a/b/g wireless access points.
Wireless Signal Strength and Noise Levels
To make sure that all users in your environment receive a strong wireless signal, consider these
guidelines when you install your WatchGuard AP devices.
Signal Strength
The signal strength is the wireless signal power level received by the wireless client.
n Strong signal strength results in more reliable connections and higher speeds.
n Signal strength is represented in -dBm format (0 to -100). This is the power ratio in decibels (dB)
of the measured power referenced to one milliwatt.
n The closer the value is to 0, the stronger the signal. For example, -41dBm is better signal
strength than -61dBm.
Noise Level
The noise level indicates the amount of background noise in your environment.
n If the noise level is too high, it can degrade the strength and performance of your wireless
signal.
n Noise level is measured in -dBm format (0 to -100). This is the power ratio in decibels (dB) of the
measured power referenced to one milliwatt.
n The closer the value is to 0, the greater the noise level.
n More negative values indicate less background noise. For example, -96dBm is a lower noise level
than -20dBm.
Signal to Noise Ratio
The signal-to-noise ratio (SNR) is the power ratio between the signal strength and the noise level.
n This value is represented as a +dBm value.
n In general, you should have a minimum of +25dBm signal-to-noise ratio. Lower values than
+25dBm result in poor performance and speeds.
For example:
n If you have a -41dBm signal strength, and a -50dBm noise level, this results in a poor signal-to-noise
ratio of +9dBm.
n If you have a -41dBm signal strength, and a -96dBm noise level, this results in an excellent
signal-to-noise ratio of +55dBm.
Wireless Environmental Factors
There are several environmental factors that can affect the range and performance of wireless
networks.
Walls and ceilings
Walls and ceilings between the AP device and wireless clients can degrade signal strength.
Wireless signals can penetrate walls and other structures, but the rate of penetration is directly
related to the type of building materials, materials thickness, and the distance from the wireless
antenna.
Building materials
Metal and aluminum doors, glass, concrete, and other types of building materials can have a
significantly negative effect on the signal strength of wireless signals.
EMI (Electro-magnetic interference)
EMI from other electrical devices, such as microwaves, cordless phones, and wireless
headsets, can generate significant RF noise and degrade or disrupt wireless communications.
Distance
Wireless signals degrade quickly past their maximum range. You must plan your network
carefully to provide adequate wireless coverage over the range you require in your environment.
Wireless Placement
For full wireless coverage and to make sure that all users in your environment receive a strong wireless
signal, consider these guidelines for the location and placement of your WatchGuard AP devices:
n Place your AP devices in a central location away from any corners, walls, or other physical
obstructions to provide maximum signal coverage.
n Place your AP devices in a high location to provide the overall best signal strength reception and
performance for your wireless network.
n Make sure you do not install an AP device in close proximity to any electronic devices that can
interfere with the signal, such as televisions, microwave ovens, cordless phones, air
conditioners, fans, or any other type of equipment that can cause signal interference.
n When you install multiple AP devices, make sure to space them to provide maximum coverage
for your wireless network area of availability. For wireless coverage over multiple floors, you
can stagger the placement of devices to cover both vertical and horizontal space.
WatchGuard AP Device Deployment Overview
When you add one or more WatchGuard Access Point (AP) devices to your network, you manage and
configure the AP devices from the Gateway Wireless Controller on an XTM device. You do not have to
connect directly to the AP device to configure it.
To deploy any AP device on your XTM device network you must:
1. Enable the Gateway Wireless Controller on the XTM device.
2. Connect the AP device to your network.
If your network has a DHCP server, the AP device automatically gets an IP address.
3. In the Gateway Wireless Controller, configure the SSIDs you want your AP device to use.
4. In the Gateway Wireless Controller, pair the AP device with the XTM device.
5. In the Gateway Wireless Controller, configure the AP device settings, and select the SSIDs to
use.
You can optionally enable VLAN tagging in the SSIDs for your AP device. If you enable VLAN tagging,
you must configure the necessary VLANs on your XTM device. For information about when to enable
VLAN tagging and how to configure VLANs, see Configure VLANs for WatchGuard AP Devices.
You can optionally enable the AP device to use a tagged VLAN for management
connections from the XTM device. But you still must configure an untagged VLAN
that the XTM device can use to initially discover and connect to the AP device.
The subsequent sections provide a more detailed overview of the steps to deploy an AP device with,
and without, VLAN tagging enabled.
If the network you connect your AP device to does not use DHCP, you can use the
Access Point web UI to manually assign a static IP address to the AP device before
you connect it to your network. For more information, see Use the WatchGuard
Access Point Web UI.
Deploy AP Devices Without VLAN Tagging
To deploy an AP device without VLAN tagging, you must enable the Gateway Wireless Controller,
configure SSIDs on your XTM device, pair your AP device with your XTM device, and configure your
AP device.
Step 1 — Enable the Gateway Wireless Controller
For the XTM device to discover and manage an AP device, you must enable the Gateway Wireless
Controller on your XTM device.
1. Connect to Fireware XTM Web UI for your XTM device.
2. Select Network > Gateway Wireless Controller.
The Gateway Wireless Controller page appears.
3. Select the Enable the Gateway Wireless Controller check box.
The WatchGuard AP Passphrase dialog box appears.
4. Type the WatchGuard AP Passphrase that you want all your AP devices to use after they are
paired.
For more information, see Configure AP Devices in the Gateway Wireless Controller on page 312.
Step 2 — Connect the AP Device
Select one of these options to connect the AP device to your Trusted or Optional network. By default,
the AP device automatically requests an IP address from a DHCP server on the local network.
Option 1 — Connect the AP device to an XTM device interface
If you have an available Trusted or Optional interface on your XTM device, you can connect the
AP device directly to one of those interfaces.
To configure an XTM device interface as a Trusted or Optional interface:
1. Select Network > Interfaces.
The Network Interfaces page appears.
2. Select a Trusted or Optional interface, and enable DHCP on that interface.
3. Connect the AP device to the interface you configured.
For more information about interface configuration, see Common Interface Settings on page 145.
Option 2 — Connect the AP device to a switch
If you have a switch that connects to a Trusted or Optional interface on your XTM device, you
can connect the AP device to that switch. With this option, you do not have to change the
network settings on the XTM device interface.
Step 3 — Configure the SSIDs
Configure the SSIDs for your wireless users to connect to. You can configure up to eight SSIDs per
radio.
1. On the Gateway Wireless Controller page, select the SSIDs tab.
2. Click Add to add an SSID.
3. Configure the SSID (network name) and wireless security settings.
For more information, see Configure WatchGuard AP Device SSIDs on page 314.
Step 4 — Pair the AP Device
When you first connect the AP device to your network, it is an unpaired access point. This means it is
not yet managed by an XTM device.
To discover an unpaired AP device and pair it with your XTM device:
1. On the Network > Gateway Wireless Controller page, select the Access Points tab.
2. Click Refresh.
The unpaired AP device appears in the Unpaired Access Points list.
For more information, see WatchGuard AP Device Discovery and Pairing on page 320.
3. From the Unpaired Access Points list, select the AP device and click Pair.
4. In the Pairing Passphrase dialog box, type the passphrase of the AP device.
The default AP passphrase is wgwap.
Step 5 — Configure the AP Device
After you pair the AP device with your XTM device, configure the AP device settings.
1. In the AP device settings, specify the settings for each radio on the AP device.
2. Add the SSID you created in Step 3 to the SSID list.
For more information, see Configure AP Device Radio Settings on page 326.
For a configuration example that demonstrates this type of deployment, see WatchGuard AP Device
Deployment with a Single SSID on page 351.
Deploy AP Devices With VLAN Tagging Enabled
To set up an AP device with VLAN tagging enabled in the SSIDs, you must configure VLANs and
enable VLAN tagging in your SSIDs.
Step 1 — Configure VLANs on the XTM device
To enable VLAN tagging in your SSIDs, you must configure VLANs and enable them on an
XTM device interface. The AP device uses tagged VLANs to identify traffic for each SSID. The
XTM device uses an untagged VLAN to pair with the AP device.
To configure VLANs on the XTM device:
1. Add one VLAN for each SSID.
These VLANs are used for tagged VLAN traffic for each SSID.
2. Add one VLAN for management connections to the AP device.
This VLAN is used for untagged management connections to the AP device.
3. Enable DHCP server or DHCP relay for each VLAN.
4. Configure the XTM device interface to pass tagged traffic for the VLANs for each SSID.
5. Configure the XTM device to pass untagged traffic for the AP management VLAN.
For an example VLAN configuration, see Configure VLANs for WatchGuard AP Devices on page 302.
Step 2 — Enable the Gateway Wireless Controller
For the XTM device to discover and manage an AP device, you must enable the Gateway Wireless
Controller.
1. Connect to Fireware XTM Web UI for your XTM device.
2. Select Network > Gateway Wireless Controller.
The Gateway Wireless Controller page appears.
3. Select the Enable the Gateway Wireless Controller check box.
The WatchGuard AP Passphrase dialog box appears.
4. Type the WatchGuard AP Passphrase that you want all your AP devices to use after they are
paired.
For more information, see Configure AP Devices in the Gateway Wireless Controller on page 312.
Step 3 — Connect the AP Device
Select one of these options to connect the AP device to your Trusted or Optional network. By default,
the AP device automatically requests an IP address from a DHCP server on the local network.
If the network you connect your AP device to does not use DHCP, you can use the Access Point web
UI for the AP device to manually assign a static IP address to the AP device before you connect it to
your network. For more information, see Use the WatchGuard Access Point Web UI.
Option 1 — Connect the AP device to an XTM device interface
You can connect the AP device directly to the XTM device interface that you configured as a
VLAN interface in Step 1.
Option 2 — Connect the AP device to an 802.1Q switch
You can connect the AP device to an 802.1Q switch that has the necessary VLANs configured.
To configure the VLANs on the switch:
1. Add VLANs to the switch with the same IDs as the VLANs you configured on the
XTM device.
2. Configure the switch interfaces that connect to the XTM device VLAN interface
and the AP device to:
n Send and receive tagged traffic for the VLANs assigned to each SSID.
n Send and receive untagged traffic for the VLAN you use for AP device
management.
For more information about VLAN configuration, see Configure VLANs for WatchGuard AP
Devices on page 302.
Step 4 — Configure the SSIDs
Configure the SSIDs for your wireless users to connect to. You can configure up to eight SSIDs per
radio.
1. On the Network > Gateway Wireless Controller page, select the SSIDs tab.
2. Click Add to add an SSID.
3. Configure the SSID (network name) and wireless security settings.
4. In each SSID, enable VLAN tagging, and select the VLAN ID to use.
For more information, see Configure WatchGuard AP Device SSIDs on page 314.
Step 5 — Pair the AP Device
When you first connect the AP device to your network, it is an unpaired access point. This means it is
not yet managed by an XTM device.
To discover an unpaired AP device and pair it with your XTM device:
1. On the Network > Gateway Wireless Controller page, select the Access Points tab.
2. Click Refresh.
The unpaired AP device appears in the Unpaired Access Points list.
For more information, see WatchGuard AP Device Discovery and Pairing on page 320.
3. From the Unpaired Access Points list, select the AP device and click Pair.
4. In the Pairing Passphrase dialog box, type the passphrase of the AP device.
The default AP passphrase is wgwap.
Step 6 — Configure the AP Device
After you pair the AP device, you can configure the AP device settings.
1. In the AP device settings, specify the settings for each radio on the AP device.
2. Add the SSID you created in Step 4 to the SSID list.
For more information, see Configure AP Device Radio Settings on page 326.
For a configuration example that demonstrates this type of deployment, see WatchGuard AP Device
Deployment with Multiple SSIDs on page 352.
Configure VLANs for WatchGuard AP Devices
If you enable VLAN tagging for SSIDs on a WatchGuard AP device, or you enable management
VLAN tagging for an AP device, you must also enable VLANs on the network that the AP device
connects to.
By default, management traffic to the AP device is untagged, so we recommend that you add an
untagged VLAN for management traffic, as described here. If you prefer to use a tagged VLAN for
management traffic, make sure that you configure the AP device to tag management traffic, and set
the management VLAN ID in the Access Point configuration to the VLAN you want to use for
management traffic.
The tagged management VLAN is used only after the AP device is paired with the
XTM device. An unpaired AP device cannot respond to tagged VLAN traffic.
When to Enable VLAN Tagging in SSIDs
There are a couple of reasons you might want to enable VLAN tagging on your AP SSIDs:
To configure different firewall policies for SSIDs that connect to the same network
If you configure multiple SSIDs for your AP devices and you want to set different firewall
policies for each SSID, you can enable VLAN tagging in the SSID and then use the VLAN
ID associated with each SSID in policies specific to each SSID. For example, you could add a
different HTTP packet filter policy for each SSID that specifies the VLAN associated with that
SSID.
To separate the traffic on the same physical network to different logical networks
If you have several AP devices connected to the same physical network, VLAN tagging gives
you the ability to separately examine traffic for the wireless clients connected to each SSID. For
example, if you run a network analyzer, you can use the VLAN tags to see the traffic for the
VLAN ID associated with an SSID.
Or, you can set up all of your AP devices with one SSID for the trusted network and a different
SSID for the optional network. You can set up a trusted VLAN and an optional VLAN to
separate the traffic for the wireless clients that connect to the trusted and optional networks.
Configure VLANs on the XTM Device
To enable VLAN tagging in your AP device SSIDs, you must configure VLANs on the XTM device
interface where you plan to connect your AP devices.
For the XTM device interface where you plan to connect your AP device, set the Interface Type to
VLAN. Then, configure the VLANs to use for the AP device.
n Configure one VLAN for each SSID and one extra VLAN for management connections to the
AP device.
n Configure the VLANs that each SSID uses to send tagged traffic to the VLAN interface.
n Configure a VLAN that the AP device management connection uses to send untagged traffic to
the VLAN interface.
n Enable DHCP server or DHCP relay on each VLAN.
o The AP device gets an IP address from the DHCP server on the VLAN used for
management connections.
o Wireless clients that connect to an SSID get an IP address from the DHCP server on the
VLAN for that SSID.
For example, if you want to create two SSIDs that use VLAN tags, you can create three VLANs with
the VLAN IDs 10, 20, and 30.
• VLAN ID 10, in the Trusted zone — For the SSID for wireless connections to the trusted
network
• VLAN ID 20, in the Optional zone — For the SSID for wireless guest access to the Internet
• VLAN ID 30, in the Trusted zone — For management connections to the AP device
For information about how to create a VLAN, see Define a New VLAN.
For more information about how to configure the VLAN interface, see Assign Interfaces to a VLAN.
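The 802.1Q tag is what the XTM device, the switch and the AP device all key on, so it helps to see the bytes. The following is an added example, not WatchGuard code: a small Python parser that extracts the VLAN ID from a tagged Ethernet frame and maps it to the three-VLAN plan above (VLAN 10 for the trusted SSID, VLAN 20 for the guest SSID, and untagged frames to the VLAN 30 management network). The SSID descriptions, MAC addresses and frame bytes are constructed for the example; the rules that untagged frames on the AP port belong to the management VLAN, and that a tag naming a VLAN not configured on the XTM device has no zone, follow the text above.

```python
"""Added example (not WatchGuard code): parse the 802.1Q tag on an Ethernet
frame and map the VLAN ID to the VLAN plan used in this guide. All frames,
MAC addresses and SSID descriptions below are constructed."""
import struct

TPID_8021Q = 0x8100

# Assumed VLAN plan, copied from the three-VLAN example in the guide.
VLAN_PLAN = {
    10: ("Trusted", "wireless trusted SSID"),
    20: ("Optional", "wireless guest SSID"),
    30: ("Trusted", "AP device management"),
}
MGMT_VLAN = 30  # untagged traffic on the AP port is AP device management


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into MACs, optional 802.1Q VLAN ID, EtherType, payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci, ethertype) = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF  # TCI = 3-bit PCP | 1-bit DEI | 12-bit VLAN ID
        offset = 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vid": vid,
            "ethertype": ethertype, "payload": frame[offset:]}


def classify(frame: bytes) -> tuple:
    """Map a frame arriving on the AP-facing VLAN interface to (zone, description)."""
    vid = parse_frame(frame)["vid"]
    if vid is None:
        return VLAN_PLAN[MGMT_VLAN]
    if vid in (0, 4095):
        # VID 0 is priority-tagged (no VLAN); 4095 is reserved by 802.1Q.
        return ("Deny", "reserved VLAN ID %d" % vid)
    if vid not in VLAN_PLAN:
        # The SSID warning in the guide covers this case: the tag names a VLAN
        # that does not exist on the XTM device, so the frame has no zone.
        return ("Deny", "VLAN %d is not configured on the XTM device" % vid)
    return VLAN_PLAN[vid]


def tagged_frame(vid: int, pcp: int = 0, ethertype: int = 0x0800, payload: bytes = b"") -> bytes:
    """Constructed 802.1Q frame for testing; MACs are locally administered placeholders."""
    dst = bytes.fromhex("020000000002")
    src = bytes.fromhex("020000000001")
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def untagged_frame(ethertype: int = 0x0800, payload: bytes = b"") -> bytes:
    """Constructed untagged frame, as an unpaired AP device sends for management."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")
    return dst + src + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    for f in (tagged_frame(10), tagged_frame(20, pcp=5), untagged_frame(), tagged_frame(40)):
        print(parse_frame(f)["vid"], "->", classify(f))
```

Run it to see each constructed frame's VLAN ID and the zone it lands in. Because the VLAN ID is the only thing that separates guest traffic from trusted traffic, the switch ports between the XTM device and the AP device must carry only the VLANs you intend: a port that strips or rewrites tags, or an unmanaged switch, collapses the separation.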
Configure VLANs on a Managed Switch
If you enable VLAN tagging and want to connect your AP device to a managed switch, you must also
configure VLANs on the switch. The switch must support 802.1Q VLAN tagging.
On the switch, you must:
1. Add VLANs with the same IDs as the VLANs you configured on the XTM device.
2. Configure the switch interfaces that connect to the XTM device and the AP device to send and
receive tagged traffic for the VLANs assigned to each SSID.
3. Configure the switch interfaces that connect to the XTM device and the AP device to send and
receive tagged or untagged traffic for the AP device management connection.
• If management VLAN tagging is not enabled in the AP device configuration, configure the
switch to send and receive untagged traffic for the VLAN you use for AP device
management.
• If management VLAN tagging is enabled for the AP device, configure the switch to send and
receive tagged traffic for the VLAN you use for AP device management.
For instructions to enable and configure the VLANs on your switch, see the documentation for your
switch.
If you have enabled VLAN tagging in the SSIDs on your AP device, do not connect
your AP device to a switch that does not support 802.1Q VLAN tagging.
For a list of switches that WatchGuard has tested with the WatchGuard AP device, see the
WatchGuard Knowledge Base at http://customers.watchguard.com/.
About AP Station Isolation
When you configure an SSID for your AP device, you can optionally enable station isolation. The
station isolation setting enables you to control whether wireless clients can communicate directly to
each other through the AP device. Station isolation prevents direct traffic between wireless clients that
connect to the same SSID on the same radio. Station isolation does not prevent direct traffic between
wireless clients that connect to the SSID on different AP devices, or between wireless clients that
connect to different radios on an AP200 device.
We recommend that you enable station isolation for SSIDs on AP devices that provide a wireless
guest network for wireless clients that do not trust each other.
Station Isolation for a Single AP Device
To enable station isolation on an AP device, select the Enable station isolation check box in the
SSID settings.
For more information, see Configure WatchGuard AP Device SSIDs.
Station Isolation for Multiple AP Devices
When station isolation is enabled on a single AP device that uses the same SSID as another
AP device, traffic can still pass between wireless clients that are connected to other AP devices. To
effectively implement station isolation for an SSID that is used by more than one AP device, you must
also make sure that all traffic between your AP devices goes through the XTM device. The XTM device
can then apply policies that support your station isolation settings to the traffic.
To implement station isolation for more than one AP device, you must:
1. Add a VLAN and configure it to apply firewall policies to intra-VLAN traffic.
To make sure that the same IP address pool is used for wireless clients that connect to the SSID on
any AP device, you must configure a VLAN. For wireless roaming to function correctly, all SSIDs
must be on the same network. When you configure the VLAN to apply policies to intra-VLAN traffic,
the XTM device applies firewall policies to the VLAN traffic from one interface with the destination of
the same VLAN on another interface.
2. For each AP device, configure one VLAN interface to manage untagged VLAN traffic.
Or, you can enable management VLAN tagging in the AP device configuration and select a VLAN ID
to use for management.
3. Configure the SSID settings to enable station isolation.
It is not necessary to enable VLAN tagging in the SSID settings if the VLAN interfaces are configured
to manage untagged traffic.
4. Connect each AP device directly to a VLAN interface on the XTM device.
This ensures that all traffic between AP devices goes through the XTM device.
Because the default packet handling policy automatically denies traffic between AP devices on two
different interfaces, you do not have to create a policy to explicitly deny that traffic. For example, if you
configure a VLAN in the Optional security zone, the XTM device automatically denies packets
between the two interfaces as unhandled packets because they do not match any of the configured
firewall policies. To prevent traffic between AP devices, make sure that you do not add a policy that
allows traffic from Optional to Optional.
You can also enable VLAN tagging in the SSID and configure the VLAN interfaces to
manage tagged traffic, but VLAN tagging is not required for station isolation. If you
enable VLAN tagging, you must configure two VLANs: one for tagged SSID traffic
and one for untagged management traffic. Or, you can enable one VLAN and
configure the AP to enable management VLAN tagging for that VLAN in the AP
device configuration.
For more information, see Configure VLANs for WatchGuard AP Devices.
Example — Station Isolation and Roaming
This example shows how to implement station isolation for a wireless guest network with two AP100
devices that use the same SSID.
Step 1 — Configure the VLAN
First, configure the VLAN interfaces and VLANs for your AP devices.
1. Configure two XTM device interfaces as VLAN interfaces.
For example, the two VLAN interfaces could have these settings:
• Interface Names — AP100-1 and AP100-2
• Interface Type — VLAN
2. Create a VLAN to use for traffic to an SSID.
For example, the VLAN could have these settings:
• Name — AP100-Guest
• VLAN ID — 20
• Security Zone — Optional
• IP Address — 10.0.20.1/24
• VLAN tag settings — Untagged traffic for VLAN interfaces AP100-1 and AP100-2
• Apply firewall policies to intra-VLAN traffic — Enabled
• Network — DHCP Server Address Pool: 10.0.20.10 to 10.0.20.100
For more information about how to configure a VLAN, see Define a New VLAN.
Step 2 — Configure the SSID
Next, enable station isolation in the SSID settings.
1. Add or edit an SSID for your wireless guest network.
For this example, we named the SSID "AP100-Guest".
2. Select the Enable station isolation check box.
Because the AP100-Guest VLAN in this example handles untagged traffic on the VLAN interfaces, you
do not have to enable VLAN tagging in the SSID settings.
For more information about SSID configuration, see Configure WatchGuard AP Device SSIDs.
Step 3 — Connect the AP Devices to the VLAN Interfaces
After you configure the VLAN interfaces and SSID settings:
1. Connect the AP devices to the VLAN interfaces.
2. Discover and pair each AP device.
3. Configure both AP devices to use the SSID you configured.
For more information about discovery and pairing, see WatchGuard AP Device Discovery and Pairing.
About This Example
This configuration example prevents direct wireless traffic between wireless clients that connect to the
AP100-Guest SSID. The two main components of this configuration are:
• Station isolation — The station isolation setting in the SSID makes sure that wireless clients
that connect to the same radio cannot connect directly to each other.
• VLAN — The firewall and VLAN configuration make sure that traffic cannot pass between
wireless clients that connect to the AP100-Guest SSID on different AP devices.
This example shows how to configure station isolation for two AP devices. To add a third AP device,
configure another VLAN interface to handle untagged VLAN traffic for the defined VLAN. Then,
connect the AP device to that VLAN interface and configure it to use the defined SSID.
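To make the policy behaviour of this example concrete, here is an added Python model, not Fireware code, of the decision the XTM device makes for traffic between two guest clients on different AP devices. It assumes a simplified first-match policy evaluation and uses the interface, VLAN and policy names from the example; the policy sets and topology are constructed.

```python
"""Added example (not Fireware code): a model of how the XTM device treats
traffic between guests on two AP devices that share one VLAN. Topology and
policies are constructed from the station isolation example in the guide."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str
    zone: str      # Trusted, Optional, or External
    vlan_id: int   # 0 for a non-VLAN interface


@dataclass(frozen=True)
class Policy:
    name: str
    from_zone: str
    to_zone: str
    action: str    # "allow" or "deny"


@dataclass(frozen=True)
class Vlan:
    vlan_id: int
    zone: str
    apply_policies_to_intra_vlan: bool


def decide(vlan: Vlan, policies, src: Interface, dst: Interface) -> tuple:
    """Return (action, reason). First matching policy wins (simplified ordering)."""
    if src.vlan_id == dst.vlan_id == vlan.vlan_id and not vlan.apply_policies_to_intra_vlan:
        # Without the intra-VLAN setting, same-VLAN traffic is bridged between the
        # two interfaces and never reaches a firewall policy.
        return ("allow", "intra-VLAN traffic bridged between interfaces without inspection")
    for p in policies:
        if p.from_zone == src.zone and p.to_zone == dst.zone:
            return (p.action, "matched policy %r" % p.name)
    # Nothing matched: default packet handling drops it as an unhandled packet.
    return ("deny", "unhandled packet: no policy matched (default packet handling)")


# Constructed topology: two AP100 devices on separate VLAN interfaces, one
# guest VLAN (ID 20, Optional zone), and an external interface.
AP100_1 = Interface("AP100-1", "Optional", 20)
AP100_2 = Interface("AP100-2", "Optional", 20)
EXTERNAL = Interface("External", "External", 0)
GUEST_VLAN = Vlan(20, "Optional", apply_policies_to_intra_vlan=True)

# Only a guest-to-Internet policy; deliberately no Optional-to-Optional policy.
ISOLATING_POLICIES = [Policy("Guest-Internet", "Optional", "External", "allow")]

# The misconfiguration the guide warns about: an Optional-to-Optional allow.
BROKEN_POLICIES = ISOLATING_POLICIES + [Policy("Any-Optional", "Optional", "Optional", "allow")]


def isolation_holds(vlan: Vlan, policies) -> bool:
    """True when a guest on AP100-1 cannot reach a guest on AP100-2 in either direction."""
    return (decide(vlan, policies, AP100_1, AP100_2)[0] == "deny"
            and decide(vlan, policies, AP100_2, AP100_1)[0] == "deny")


if __name__ == "__main__":
    print(decide(GUEST_VLAN, ISOLATING_POLICIES, AP100_1, AP100_2))
    print(decide(GUEST_VLAN, ISOLATING_POLICIES, AP100_1, EXTERNAL))
    print(decide(GUEST_VLAN, BROKEN_POLICIES, AP100_1, AP100_2))
    print(decide(Vlan(20, "Optional", False), ISOLATING_POLICIES, AP100_1, AP100_2))
```

The model shows the two ways isolation across AP devices is lost: a policy that allows traffic from Optional to Optional, or a VLAN without Apply firewall policies to intra-VLAN traffic enabled, in which case the traffic is bridged between the VLAN interfaces and never reaches a policy. Guest access to the Internet still works in the isolating configuration because the Optional to External policy matches.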
About AP Device Activation
You must activate your WatchGuard AP device to start your LiveSecurity subscription. The
WatchGuard LiveSecurity subscription activates your hardware replacement warranty, enables you to
receive technical support, and provides access to the latest OS updates and product news.
Your AP device can be activated automatically or you can activate it manually.
Automatic Activation
After you pair a WatchGuard AP device with an XTM device, the XTM device automatically connects
to the WatchGuard web site and sends the information necessary to activate the AP device on the
same WatchGuard account where the XTM device was activated.
If automatic activation fails, the XTM device periodically tries to activate again. The activation status
of your AP device does not affect the functionality of the AP device.
To check the activation status of your AP device, log in to your WatchGuard account on the
WatchGuard web site. Your activated AP devices appear in the My Products list in your WatchGuard
account.
Manual Activation
If your AP device has not been activated automatically and you want to activate it manually, you can
activate the AP device in your WatchGuard account just as you would activate an XTM device or add-on feature.
To manually activate your WatchGuard AP device:
1. Open a web browser and go to http://www.watchguard.com/.
2. Log in with your WatchGuard account user name and password.
3. On the Support Home tab, click Activate a Product.
The Activate Products page appears.
4. Type the serial number of the WatchGuard AP device. Make sure to include any hyphens.
5. Click Continue.
6. Follow any remaining prompts to complete activation of your AP device.
After activation is complete, the AP device appears in the My Products list in your WatchGuard
account.
About AP Device Passphrases
Each WatchGuard AP device has a passphrase that is used for management connections to the
device. There are two passphrase settings in the Gateway Wireless Controller: the Pairing Passphrase
and the WatchGuard AP Passphrase.
Pairing Passphrase
The Pairing Passphrase is used for the initial pairing of the AP device with your XTM device. The
Pairing Passphrase set on the Gateway Wireless Controller must match the passphrase set on the
AP device. By default, the passphrase on an unpaired AP device is wgwap.
In the Gateway Wireless Controller, you must type the Pairing Passphrase:
• When you click Pair to pair an unpaired AP device to an XTM device.
• When you click Add to manually add an AP device configuration to the XTM device.
Unless you have connected to the AP device with the Access Point web UI and changed the
AP device passphrase, the Pairing Passphrase is always the AP default passphrase, wgwap. If you
changed the passphrase on the AP device, type that passphrase in the Pairing Passphrase dialog box
when you pair the device.
If you type the wrong Pairing Passphrase when you try to pair the AP device and pairing fails, you can
change the Pairing Passphrase in the AP device settings. For more information, see Configure
AP Device Settings.
WatchGuard AP Passphrase
The WatchGuard AP passphrase is used for management connections to a WatchGuard AP device
after it has been paired with an XTM device. The Gateway Wireless Controller on the XTM device uses
the WatchGuard AP Passphrase when it connects to any paired AP device. The WatchGuard
AP passphrase is also the passphrase you use to log into the Access Point web UI of a paired AP
device.
When you enable the Gateway Wireless Controller on the XTM device, you set the WatchGuard
AP passphrase. You can also change this passphrase in the Gateway Wireless Controller Settings
dialog box. For more information, see Configure Gateway Wireless Controller Settings.
Passphrases and Pairing
Although you configure two passphrases in the Gateway Wireless Controller settings, you use only
one passphrase for the AP device. The passphrase you use depends on the state of the AP device.
• For an unpaired AP device, use the default passphrase, wgwap, unless you change it in the
Access Point web UI.
• For a paired AP device, use the WatchGuard AP passphrase that you configured in the
Gateway Wireless Controller settings.
When you first pair an AP device with an XTM device, the XTM device uses the Pairing Passphrase to
log in to the AP device. When the XTM device sends the AP device configuration to the paired AP
device, it changes the passphrase on the AP device from the Pairing Passphrase to the WatchGuard
AP passphrase configured in the Gateway Wireless Controller settings.
When you unpair an AP device from an XTM device, the XTM device resets the AP device to the
factory default settings. This changes the passphrase on the AP device to the default AP passphrase,
wgwap.
To connect to a paired AP device, the XTM device uses the WatchGuard AP Passphrase. If the XTM
device cannot log in to the paired AP device with the WatchGuard AP Passphrase, the XTM device
tries to log in to the AP device with the Pairing Passphrase. If the XTM device successfully logs in to
the AP device with the Pairing Passphrase, it sets the passphrase on the AP device to the
WatchGuard AP Passphrase. If the XTM device cannot log in to the paired AP device with either
passphrase, the AP device status changes to Passphrase Mismatch.
Resolve a Passphrase Mismatch
The status of the AP device appears in Fireware XTM Web UI on the Dashboard > Gateway
Wireless Controller page.
If the AP device status is Passphrase Mismatch, the Pairing Passphrase in the Gateway Wireless
Controller settings does not match the passphrase on the AP device.
To resolve a passphrase mismatch, if you know the passphrase on the AP device, change the Pairing
Passphrase in the AP device configuration on the Gateway Wireless Controller. For more information,
see Configure AP Device Settings.
If you do not know the passphrase on the AP device, to resolve a passphrase mismatch:
1. If the device is paired in the Gateway Wireless Controller, remove it from the list of paired AP
devices.
For more information, see Unpair an AP Device.
2. Press the reset button on the AP device to reset it to factory default settings.
For more information, see Reset the WatchGuard AP Device.
3. Discover and pair the AP device again. Use the default Pairing Passphrase, wgwap.
For more information, see WatchGuard AP Device Discovery and Pairing.
Configure AP Devices in the Gateway Wireless
Controller
To discover and manage the WatchGuard AP devices you add to your network, use the Gateway
Wireless Controller on your XTM device.
The Gateway Wireless Controller on your XTM device enables you to:
• Pair WatchGuard AP devices on your network with your XTM device
• Configure SSIDs and WatchGuard AP device settings
• Monitor the paired AP devices and wireless client connections
• Initiate a site survey from the WatchGuard AP device to detect other wireless access points
Enable the Gateway Wireless Controller
Before your XTM device can discover new WatchGuard AP devices on your network, you must enable
the Gateway Wireless Controller on your XTM device.
To enable the Gateway Wireless Controller:
1. Select Network > Gateway Wireless Controller.
The WatchGuard AP Passphrase dialog box appears.
2. Select the Enable the Gateway Wireless Controller check box.
3. In the WatchGuard AP Passphrase text box, type the passphrase you want to use for management
of your WatchGuard AP devices after they are paired with your XTM device.
This is the passphrase that is used for management connections to each paired AP device. The
XTM device sets it on every AP device it pairs, and it is also the login passphrase for the Access
Point web UI of each paired AP device, so choose a strong passphrase that is not the AP default.
4. Click Save.
When you enable the Gateway Wireless Controller, the WatchGuard Gateway Wireless Controller
policy is automatically added to the XTM device configuration. This policy allows traffic from the
trusted and optional networks to the XTM device over UDP port 2529.
After you enable the Gateway Wireless Controller on the XTM device, the XTM device can detect
connected WatchGuard AP devices on your trusted or optional network.
For more information, see:
• WatchGuard AP Device Discovery and Pairing
• Configure WatchGuard AP Device SSIDs
• Configure AP Device Settings
• Configure Gateway Wireless Controller Settings
Set the Diagnostic Log Level
To generate more detailed log messages for the Gateway Wireless Controller, you can change the
diagnostic log level setting.
To set the diagnostic log level for the Gateway Wireless Controller:
1. Select System > Diagnostic Log.
2. From the Gateway Wireless Controller drop-down list, select the level of log message detail.
For more information about diagnostic logging, see Set the Diagnostic Log Level on page 744.
Configure WatchGuard AP Device SSIDs
Before you can assign an SSID to a WatchGuard AP device, you must add the SSID to the Gateway
Wireless Controller. You can also enable VLAN tagging on each SSID. If you enable VLAN tagging,
the SSID uses the VLAN ID you specify to connect to a VLAN that is configured on the network
between your AP device and XTM device.
For more information about when and how to use VLAN tagging with your AP device, see Configure
VLANs for WatchGuard AP Devices.
Add an SSID
To add an SSID for your AP devices:
1. Select Network > Gateway Wireless Controller.
The Gateway Wireless Controller page appears, with the SSID tab selected.
2. Click Add.
The SSID configuration settings appear.
3. In the Network Name (SSID) text box, type the SSID name.
4. To specify that your AP devices do not broadcast the SSID name, clear the Broadcast SSID
and respond to SSID queries check box.
5. To specify that wireless clients connected to this SSID cannot send traffic to each other
through the AP device, select the Enable station isolation check box. For more information,
see About AP Station Isolation.
6. To use the MAC Access Control list for your AP devices, select the Use the MAC Access
Control list defined in the Gateway Wireless Controller Settings check box. For more
information, see Configure MAC Access Control on page 333.
7. To use tagged VLANs to separate the traffic between multiple SSIDs, select the Enable
VLAN tagging check box.
8. If you enabled VLAN tagging, in the VLAN ID text box, type or select the ID of the tagged
VLAN to use for this SSID.
If you enable VLAN tagging and try to configure an SSID to use a VLAN ID that is not
configured on the XTM device, a warning message appears with the information that
the VLAN ID you configured in the SSID settings does not exist on the XTM device.
Make sure you configure a tagged VLAN for this SSID. In most network
configurations, you create the tagged VLAN for each SSID on the XTM device, and
one untagged VLAN for management connections to the AP device.
Add AP Device Radios
When you add an SSID, you can assign the SSID to one or more AP device radios. For AP200
devices, which have two radios, you select each radio separately.
To assign an SSID to an AP device radio:
In the Access Points with this SSID list, select the check boxes next to each AP device radio
that you want to use this SSID.
You can also assign SSIDs to an AP device radio when you edit the AP device radio settings. For more
information, see Configure AP Device Radio Settings.
Configure Security Settings
To configure the wireless security settings for the SSID:
1. Select the Security tab.
2. From the Security Mode drop-down list, select the security protocol to use for this SSID.
3. Complete the settings to configure the selected security protocol.
Configure SSID Security Settings
When you add an SSID, you can configure security settings that determine how wireless clients must
connect to your AP devices. The wireless security mode is set to Disabled by default. In this mode,
the SSID operates as an open wireless network: any client can associate without a key, and all
traffic between the clients and the AP device is sent unencrypted over the air.
WatchGuard AP devices use two security protocol standards to protect your wireless network: WPA
(Wi-Fi Protected Access) and WPA2. Each protocol standard encrypts the transmissions on the
wireless LAN between the computers and the AP devices, and requires clients to authenticate with a
pre-shared key or 802.1X credentials before they can use the wireless network through the AP device.
To protect privacy, you can use these features together with other LAN security mechanisms such as
password protection, VPN tunnels, and user authentication.
WPA and WPA2 with Pre-Shared Keys
The WPA (PSK) and WPA2 (PSK) Wi-Fi Protected Access methods use pre-shared keys for
authentication. When you choose one of these methods, you configure a pre-shared key that all
wireless devices must use to authenticate to the AP device.
AP devices support three wireless authentication settings that use pre-shared keys:
• WPA only (PSK) — The AP device accepts connections from wireless devices configured to
use WPA with pre-shared keys.
• WPA2 only (PSK) — The AP device accepts connections from wireless devices configured to
use WPA2 with pre-shared keys. WPA2 implements the full 802.11i standard; it does not work
with some older wireless network cards.
• WPA/WPA2 (PSK) — The AP device accepts connections from wireless devices configured
to use WPA or WPA2 with pre-shared keys.
To configure an AP device SSID to use WPA or WPA2 with pre-shared keys:
1. In the Edit SSID or Add SSID dialog box, select the Security tab.
2. From the Security Mode drop-down list, select WPA (PSK), WPA2 (PSK) or WPA/WPA2
(PSK).
3. From the Encryption drop-down list, select an encryption method:
• TKIP — Use only TKIP (Temporal Key Integrity Protocol) for encryption.
• AES — Use only AES (Advanced Encryption Standard) for encryption.
• TKIP or AES — Use either TKIP or AES.
We recommend that you select TKIP or AES. This allows the AP device to accept
connections from wireless clients configured to use TKIP or AES encryption. TKIP is the older
cipher that WPA introduced for compatibility with pre-802.11i hardware, and 802.11n data rates
are not available to a client that negotiates TKIP. For 802.11n wireless clients, and wherever all
of your clients support it, configure the wireless client to use AES encryption.
4. (Optional) In the Group Key Update Interval text box, type or select the WPA group key
update interval.
We recommend you use the default setting of 3600 seconds.
5. In the Passphrase text box, type the passphrase that wireless clients must use to connect to
this SSID.
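The passphrase you type in step 5 is the only secret that protects a WPA/WPA2 (PSK) network, and anyone who records one client's 4-way handshake can attack it offline. The following is an added Python example, not WatchGuard code, that shows why: it derives the PMK from the passphrase and SSID as IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes), derives the key confirmation key from the PTK, checks an EAPOL-Key MIC (key descriptor version 2, the AES/CCMP case), and runs a small wordlist against a constructed handshake. The handshake, MAC addresses, nonces and wordlist are constructed for the example; the derivation functions follow the standard.

```python
"""Added example (not WatchGuard code): WPA/WPA2 (PSK) key derivation and an
offline wordlist check against a constructed 4-way handshake."""
import hashlib
import hmac
import os


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK (the 256-bit PSK) as IEEE 802.11i defines it:
    PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)


def prf_sha1(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def wpa_kck(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """First 16 bytes of the PTK: the Key Confirmation Key used for the EAPOL MIC."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_sha1(pmk, b"Pairwise key expansion", data, 48)[:16]


def eapol_mic(kck: bytes, eapol_mic_zeroed: bytes) -> bytes:
    """Key MIC for key descriptor version 2 (AES/CCMP): HMAC-SHA1-128 over the
    EAPOL-Key frame with its 16-byte MIC field set to zero."""
    return hmac.new(kck, eapol_mic_zeroed, hashlib.sha1).digest()[:16]


def recover_passphrase(ssid, ap_mac, sta_mac, anonce, snonce, eapol_zeroed, mic, wordlist):
    """Offline guess: derive PMK -> KCK -> MIC for each candidate and compare."""
    for guess in wordlist:
        try:
            kck = wpa_kck(wpa_pmk(guess, ssid), ap_mac, sta_mac, anonce, snonce)
        except ValueError:
            continue  # not a legal WPA passphrase, cannot be the answer
        if hmac.compare_digest(eapol_mic(kck, eapol_zeroed), mic):
            return guess
    return None


def constructed_handshake(passphrase: str, ssid: str) -> dict:
    """Constructed stand-in for a captured 4-way handshake (not real traffic):
    random locally administered MACs and nonces, and a message-2 body whose
    key descriptor fields are random bytes with the MIC field zeroed."""
    ap_mac, sta_mac = b"\x02" + os.urandom(5), b"\x02" + os.urandom(5)
    anonce, snonce = os.urandom(32), os.urandom(32)
    eapol_zeroed = b"\x01\x03\x00\x5f" + b"\x02" + os.urandom(76) + b"\x00" * 16 + b"\x00\x00"
    kck = wpa_kck(wpa_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce,
            "snonce": snonce, "eapol_zeroed": eapol_zeroed,
            "mic": eapol_mic(kck, eapol_zeroed)}


if __name__ == "__main__":
    hs = constructed_handshake("password", "AP100-Guest")
    print(recover_passphrase(hs["ssid"], hs["ap_mac"], hs["sta_mac"], hs["anonce"],
                             hs["snonce"], hs["eapol_zeroed"], hs["mic"],
                             ["hunter2", "12345678", "password"]))
```

Every guess costs one PBKDF2 run, which is cheap for an attacker with a GPU; a long random passphrase matters far more than the group key update interval. The derivation can be checked against the 802.11i test vector (passphrase password, SSID IEEE).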
WPA and WPA2 with Enterprise Authentication
The WPA Enterprise and WPA2 Enterprise authentication methods use the IEEE 802.1X standard for
network authentication. These authentication methods use the EAP (Extensible Authentication
Protocol) framework to enable user authentication to an external RADIUS authentication server. The
WPA Enterprise and WPA2 Enterprise authentication methods are more secure than WPA/WPA2
(PSK) because users authenticate with their own credentials instead of a shared key.
To use the Enterprise authentication methods, you must configure an external RADIUS authentication
server.
WatchGuard AP devices support three WPA and WPA2 Enterprise wireless authentication methods:
• WPA Enterprise — The AP device accepts connections from wireless devices configured to
use WPA Enterprise authentication.
• WPA2 Enterprise — The AP device accepts connections from wireless devices configured to
use WPA2 Enterprise authentication. WPA2 implements the full 802.11i standard; it does not
work with some older wireless network cards.
• WPA/WPA2 Enterprise — The AP device accepts connections from wireless devices
configured to use WPA Enterprise or WPA2 Enterprise authentication.
To configure an AP device SSID to use WPA or WPA2 with enterprise authentication:
1. In the Edit SSID or Add SSID dialog box, select the Security tab.
2. From the Security Mode drop-down list, select WPA Enterprise, WPA2 Enterprise or
WPA/WPA2 Enterprise.
3. From the Encryption drop-down list, select an encryption method:
• TKIP — Use only TKIP (Temporal Key Integrity Protocol) for encryption.
• AES — Use only AES (Advanced Encryption Standard) for encryption.
• TKIP or AES — Use either TKIP or AES.
We recommend that you select TKIP or AES. This allows the AP device to accept
connections from wireless clients configured to use TKIP or AES encryption. TKIP is the older
cipher that WPA introduced for compatibility with pre-802.11i hardware, and 802.11n data rates
are not available to a client that negotiates TKIP. For 802.11n wireless clients, and wherever all
of your clients support it, configure the wireless client to use AES encryption.
4. (Optional) In the Group Key Update Interval text box, set the WPA group key update interval.
We recommend you use the default setting of 3600 seconds.
5. In the RADIUS Server text box, type the IP address of the RADIUS server.
6. In the RADIUS Port text box, make sure that the port number the RADIUS server uses for
authentication is correct.
The default port number is 1812. Some older RADIUS servers use port 1645.
7. In the RADIUS Secret text box, type the shared secret between the AP device and the
RADIUS server.
The shared secret is case-sensitive, and it must be the same in the SSID configuration as it is
on the RADIUS server.
If you have a RADIUS accounting server, you can enable RADIUS Accounting:
1. Select the Enable RADIUS Accounting check box.
2. In the RADIUS Accounting Server text box, type the IP address of the RADIUS accounting
server.
3. In the RADIUS Accounting Port text box, make sure that the port number the
RADIUS accounting server uses is correct.
The default port number is 1813.
4. In the RADIUS Accounting Secret text box, type the shared secret between the AP device
and the RADIUS accounting server.
5. In the Interim Accounting Interval text box, set the interim accounting interval.
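The RADIUS shared secret in step 7 is what lets the AP device trust the Access-Accept it receives, and what lets the server trust the request. The following is an added Python example, not WatchGuard code, of both checks: the Message-Authenticator attribute that RFC 3579 requires on an Access-Request carrying EAP-Message (the 802.1X case), and the Response Authenticator from RFC 2865 that the AP device recomputes on every reply. Packet contents, the EAP identity and the secret are constructed for the example.

```python
"""Added example (not WatchGuard code): the two RADIUS integrity checks that
depend on the shared secret, as used for WPA/WPA2 Enterprise (EAP over RADIUS).
All packets and secrets are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, REPLY_MESSAGE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 18, 79, 80


def encode_attrs(attrs) -> bytes:
    """RADIUS attributes are TLVs: 1-byte type, 1-byte total length, value."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value longer than 253 bytes")
        out += bytes([attr_type, len(value) + 2]) + value
    return out


def iter_attrs(packet: bytes):
    """Yield (offset, type, value) for each attribute after the 20-byte header."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute")
        yield pos, attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len


def build_access_request(identifier: int, attrs, secret: bytes, request_auth: bytes = None) -> bytes:
    """Client (AP) side. Appends Message-Authenticator = HMAC-MD5(secret, packet with
    the 16-byte field zeroed), as RFC 3579 requires when EAP-Message is present."""
    request_auth = request_auth or os.urandom(16)
    body = encode_attrs(attrs) + bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    packet = header + request_auth + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def verify_access_request(packet: bytes, secret: bytes) -> bool:
    """Server side: zero the Message-Authenticator field and recompute the HMAC."""
    try:
        for offset, attr_type, value in iter_attrs(packet):
            if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
                zeroed = packet[:offset + 2] + b"\x00" * 16 + packet[offset + 18:]
                expected = hmac.new(secret, zeroed, hashlib.md5).digest()
                return hmac.compare_digest(expected, value)
    except ValueError:
        return False
    return False  # no Message-Authenticator: reject for an EAP request


def build_response(code: int, request: bytes, secret: bytes, attrs) -> bytes:
    """Server side. Response Authenticator = MD5(Code | ID | Length | RequestAuth |
    Attributes | Secret), RFC 2865 section 3."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    response_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + response_auth + body


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client (AP) side: a reply is trusted only if its identifier matches the request
    and the Response Authenticator recomputes with our copy of the secret."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"s3cret-ap-radius"
    eap_identity = b"\x02\x01\x00\x0a\x01alice"  # constructed EAP Response/Identity
    req = build_access_request(7, [(USER_NAME, b"alice"), (EAP_MESSAGE, eap_identity)], secret)
    resp = build_response(ACCESS_ACCEPT, req, secret, [(REPLY_MESSAGE, b"ok")])
    print(verify_access_request(req, secret), verify_response(resp, req, secret))
    print(verify_response(resp, req, b"S3CRET-AP-RADIUS"))  # case differs: rejected
```

Because the secret is case-sensitive, a secret typed with different case on either side fails both checks; on the AP device the visible result is that no client can authenticate, not an explicit warning. The Response Authenticator check is also what stops a forged Access-Accept from the wire being accepted, so the AP device must never skip it.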
WatchGuard AP Device Discovery and Pairing
For the Gateway Wireless Controller on your XTM device to control a WatchGuard AP device, the AP
device and the XTM device must be paired. For pairing to occur, you must first enable the Gateway
Wireless Controller on the XTM device. When the Gateway Wireless Controller is enabled, the
XTM device sends a discovery broadcast message to the trusted and optional networks. After you
connect a new AP device to your trusted or optional network, the AP device receives the broadcast
message and sends a response. When the XTM device receives a response from an unpaired AP
device, the discovered AP device appears in the Unpaired Access Points list in the Gateway
Wireless Controller.
An AP device discovered by the XTM device is not automatically paired with the XTM device. You
must pair the AP device with the XTM device in the Gateway Wireless Controller. This step makes sure
no one can add an unauthorized AP device to your network. The AP device only accepts configuration
information from the XTM device it is paired with.
After the first time you pair a new AP device with an XTM device, the XTM device attempts to
automatically activate the AP device on your account on the WatchGuard web site. For more
information, see About AP Device Activation.
Connect the AP Device
Before you can pair the AP device with the XTM device, you must connect it to a trusted or optional
network. If you connect the AP device to a VLAN interface, make sure that you configure that interface
to handle untagged VLAN traffic. An unpaired AP device cannot accept tagged VLAN traffic.
By default, the AP device is configured to use DHCP to get an IP address. Make
sure that you enable the DHCP Server for the XTM device interface that connects to
the AP device, so that the AP device can get an IP address.
Pair the AP Device to the XTM Device
To pair an AP device with an XTM device:
1. Select Network > Gateway Wireless Controller.
The Gateway Wireless Controller page appears.
2. Select the Access Points tab.
The list of AP devices that responded to the discovery broadcast appear in the Unpaired Access
Points list.
3. To start a scan for new, unpaired AP devices, click Refresh.
When an unpaired Access Point is found, it appears in the Unpaired Access Points list.
4. From the Unpaired Access Points list, select an AP device to pair with your XTM device.
5. Click Pair.
The Pairing Passphrase dialog box appears.
6. In the Pairing Passphrase text box, type the current passphrase configured on the AP device.
The default passphrase is wgwap.
For more information about the Pairing Passphrase, see About AP Device Passphrases.
7. Click OK.
The Edit Access Point dialog box appears.
8. Configure the AP device settings.
For more information, see Configure AP Device Settings.
For information about how to monitor the status of your AP devices, see Monitor AP Device Status.
For information about how to unpair an AP device, see Unpair an AP Device.
Configure AP Device Settings
From the Gateway Wireless Controller on your XTM device, you can edit the settings for any AP
devices that are paired with the XTM device. You can also manually add new AP devices.
When you save an access point configuration to the XTM device, the XTM device
immediately sends the update to the affected AP devices. While the update is in
progress, the AP device status briefly changes to Updating. The update process can
take up to a minute to complete. During this time wireless services might be
interrupted on the AP device.
Edit an Access Point Configuration
When you pair an AP device with an XTM device, you must configure the settings for the AP device.
Because some of the details about the AP device are automatically added to the AP device
configuration when it is paired, you edit the AP device settings to complete the initial configuration of
the AP device.
When you edit the AP device settings, you can change any of the settings except for the model and
serial number. The model and serial number are automatically set for paired AP devices and cannot be
edited.
There are two network settings options you can select for an AP device:
DHCP
DHCP is the default selection.
Choose this option to configure the AP device to request a dynamically assigned IP address
from a DHCP server. If you choose this option, make sure that a DHCP server is configured on
the network that the AP device connects to. You can configure the XTM device as the DHCP
server when you configure the XTM device interface that your AP device connects to.
For a configuration example, see WatchGuard AP Device Deployment Examples.
Static
Select this option to assign the AP device a static IP address, subnet mask, and default
gateway. When you select Static, you must configure these settings:
• IP Address — The IP address to assign to the AP device
• IP Subnet Mask — The subnet mask
• Default Gateway — The IP address of the default gateway
By default, the AP device uses the syslog server settings you configure in the common settings in the
Gateway Wireless Controller. You can configure the AP device to use a different syslog server when
you edit the settings for that AP device. For more information about the syslog server settings for the
Gateway Wireless Controller, see Configure Gateway Wireless Controller Settings.
To configure the settings for a paired AP device:
1. Select Network > Gateway Wireless Controller.
The Gateway Wireless Controller dialog box appears.
2. Select the Access Points tab.
The list of Access Points that you can configure appear in the Access Points list.
3. Select an AP device and click Edit.
The Edit Access Point dialog box appears.
4. (Optional) In the Name text box, type a new name for the AP device.
The default name is <AP device model number>_<AP device serial number>.
5. Adjacent to Network Settings, select an option to assign the AP device an IP address:
- DHCP
- Static
6. If you selected Static, type the IP Address, Subnet Mask, and Default Gateway for your
AP device.
7. (Optional) In the Location text box, type the location of the AP device on your network.
8. To override the Gateway Access Controller settings for syslog server logging:
a. Select the Send log messages to a syslog server check box.
b. In the Syslog server IP address text box, type the IP address of your syslog server.
9. If you want to use a tagged VLAN for management connections to the AP device, select the Enable
Management VLAN Tagging check box. In the Management VLAN ID text box, type the
VLAN ID you want to use for management. This must be a VLAN that is configured to handle
tagged traffic to the interface your AP device connects to.
10. In the Radio 1 Settings and Radio 2 Settings sections, configure the settings for each AP
device radio: band, wireless mode, channel, and SSID.
For more information, see Configure AP Device Radio Settings.
Manually Add an Access Point Configuration
The Gateway Wireless Controller uses a UDP broadcast to automatically discover connected AP
devices. The Gateway Wireless Controller cannot automatically discover an AP device located
somewhere on your network where it cannot receive the broadcast. In these types of deployments, you
can instead connect to the AP device to configure the network settings, and then add the AP device to
the Gateway Wireless Controller, with the same network settings. The XTM device can then connect
to the AP device to pair with it.
Some examples of deployment scenarios where you must use manual configuration and discovery
are:
- The XTM device and the AP device are separated by a Layer 3 switch or router
- The XTM device and the AP device are separated by a Branch Office VPN
For the XTM device to discover an AP device, the network between the AP device
and the XTM device must include a route for the traffic between the two devices.
To configure the network settings on the AP device, use the WatchGuard Access Point web UI. For
information, see Use the WatchGuard Access Point Web UI.
To manually add an AP device to the Gateway Wireless Controller:
1. In Policy Manager, select Network > Gateway Wireless Controller.
2. Select the Access Points tab.
3. Click Add.
The Pairing Passphrase dialog box appears.
4. In the Pairing Passphrase text box, type the passphrase configured on the AP device.
The default passphrase on an AP device is wgwap. If you changed the passphrase in the web
UI on the AP device, type that passphrase here.
For more information about the Pairing Passphrase, see About AP Device Passphrases.
5. Click OK.
The Add Access Point dialog box appears.
6. In the Name text box, type a name for this AP device.
7. In the Model drop-down list, select the AP device model.
8. In the Serial text box, type the serial number of the AP device.
9. Adjacent to Network Settings, select Static.
10. In the IP Address text box, type the static IP address you configured on the AP device.
11. In the Subnet Mask text box, type the subnet mask you configured on the AP device.
12. In the Default Gateway text box, type the default gateway IP address you configured on the AP
device.
13. Configure the other Access Point settings as described in the previous section.
Change the Pairing Passphrase
When you initially add an AP device to your configuration, you set the Pairing Passphrase. This
passphrase is only used when you first pair the AP device with the XTM device. If the first Pairing
Passphrase you typed did not match the passphrase on the AP device, you can change the
passphrase the XTM device uses to pair with the AP device.
To change the Pairing Passphrase:
1. On the Access Points tab, select an AP device and click Edit.
The settings for the AP device appear.
2. Adjacent to Pairing Passphrase, click Change.
The Change Pairing Passphrase dialog box appears.
3. In the Pairing Passphrase text box, type the correct, current passphrase on the AP device.
The default passphrase for an AP device is wgwap.
4. To make the passphrase you type visible, select Show passphrase.
5. Click Save.
For more information about AP device passphrases, see About AP Device Passphrases.
Configure AP Device Radio Settings
When you configure your WatchGuard AP device, you specify the radio settings, which includes the
band, wireless mode, channel, and SSID settings.
To configure the radio settings:
1. Select Network > Gateway Wireless Controller.
The Gateway Wireless Controller page appears.
2. Select the Access Points tab.
The Access Points list appears.
3. Select an AP device and click Edit.
The Edit Access Point dialog box appears.
4. Configure the radio settings as described in the subsequent sections.
Set the Band and Wireless Mode
WatchGuard AP devices support two wireless bands, 2.4 GHz and 5 GHz. The 5 GHz band provides
greater performance than the 2.4 GHz band, but is not compatible with all wireless devices. When you
specify the band and mode in the radio settings, make sure to select the correct options for the
wireless cards in the wireless client devices that connect to the AP device.
The configuration options for each radio depend on the AP device model.
AP100
The AP100 has one radio, Radio 1. On an AP100, you can configure Radio 1 to use either the
2.4 GHz or 5 GHz band.
AP200
The AP200 has two single-band radios, Radio 1 and Radio 2.
- Radio 1 always uses the 2.4 GHz band.
- Radio 2 always uses the 5 GHz band.
You configure the settings for each radio separately.
The wireless modes available for each radio depend on the wireless band the radio uses.
The 2.4 GHz band supports five wireless modes:
802.11 B/G/N Mixed
This is the default mode in the 2.4 GHz band. This mode enables the radio to connect with
devices that use 802.11n, 802.11g, or 802.11b.
802.11 B
This enables the radio to connect only with devices that use 802.11b.
802.11 B/G Mixed
This mode enables the radio to connect with devices that use 802.11b or 802.11g.
802.11 G
This enables the radio to connect only with devices that use 802.11g.
802.11 N only
This enables the radio to connect only with devices that use 802.11n.
The 5 GHz band supports three wireless modes:
802.11 A/N Mixed
This is the default mode in the 5 GHz band. This mode enables the radio to connect with
devices that use 802.11n or 802.11a.
802.11 A
This enables the radio to connect only with devices that use 802.11a.
802.11 N only
This enables the radio to connect with devices that use 802.11n.
If you choose a wireless mode that supports mixed 802.11 standards, the overall
performance of the radio can decrease. This reduction in performance is caused in
part by the backward compatibility settings in mixed modes that enable devices with
slower modes to connect to the AP device radio.
Configure the Preferred Channel
When you first pair or add an AP device, the Preferred Channel is set to Auto. When the Preferred
Channel is set to Auto, each radio automatically selects an available quiet channel in the band you
have chosen.
The location of the AP device affects which channels an AP device radio can use.
You configure the location of your AP devices in the Gateway Wireless Controller
settings. For more information, see Configure Gateway Wireless Controller Settings.
When you edit an AP device configuration, you can set the preferred channel for each radio. The
available channels are determined based on the band, wireless mode, channel HT mode, and the
configured location of the AP device.
To set a preferred channel for an AP device radio, select a channel from the Preferred Channel
drop-down list.
The AP device attempts to use the preferred channel you select. If there is some reason the preferred
channel cannot be used, the AP device automatically selects a different available channel in the
configured radio band.
Configure Channel Width Settings
You can configure each radio to use a 20 MHz or 40 MHz channel width. To set the channel width for
each radio, configure the Channel HT (High Throughput) Mode.
For each radio, select a setting for the Channel HT Mode:
20 MHz
This mode sets the radio to use a 20 MHz channel width. This is the default setting.
20/40 MHz
This mode is available only when the Preferred Channel is set to Auto. This mode enables the
radio to use either a 20 or 40 MHz channel width, based on the available channels.
40 MHz
This mode sets the radio to use 40 MHz channel width. This mode assumes that no other
802.11a/b/g access points use the same channel.
If you use a 40 MHz channel mode, the Extension Channel controls whether the radio adds the extra
20 MHz of channel width above or below the selected channel.
For each radio, select a setting for the Extension Channel:
Upper Channel
Adds the 20 MHz channel width above the selected channel.
Lower Channel
Adds the 20 MHz channel width below the selected channel.
Set the Data Transfer Rate
For each radio, you can optionally limit the speed at which wireless clients can send data. By default,
the data rate is set to Auto, which means that there is no limit.
To set the maximum data transfer rate, select a rate from the Rate drop-down list.
The available rates you can select depend on the wireless mode the radio uses. Rates that start with
MCS correspond to the MCS (Modulation and Coding Scheme) index values defined in the IEEE
802.11n-2009 standard. Each MCS option has two associated rates. The first number is the maximum
rate for 20 MHz Channel HT Mode. The second number is the maximum rate for 40 MHz Channel
HT Mode.
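As an added example, not from the WatchGuard guide, this Python derives the two numbers shown beside each MCS option in the Rate list (the 20 MHz and 40 MHz maximums) from the 802.11n-2009 PHY parameters. The constants are those of the standard; the guide does not state how many spatial streams the AP device radios support, so the code accepts MCS 0 to 31 generically.

```python
"""Derive the two data rates the Rate list shows for each MCS option.

Added example, not WatchGuard code. Rate = N_ss * N_bpscs * R * N_sd / T_sym,
using the 802.11n-2009 PHY constants below. The guide does not state how many
spatial streams the AP100/AP200 radios support, so MCS 0-31 are accepted
generically (1 to 4 streams, equal modulation on every stream).
"""
from fractions import Fraction

# MCS 0-7 (one spatial stream): (coded bits per subcarrier N_bpscs, coding rate R).
# MCS 8-15, 16-23 and 24-31 reuse this table with 2, 3 and 4 streams.
MCS_BASE = [
    (1, Fraction(1, 2)),  # MCS 0: BPSK   1/2
    (2, Fraction(1, 2)),  # MCS 1: QPSK   1/2
    (2, Fraction(3, 4)),  # MCS 2: QPSK   3/4
    (4, Fraction(1, 2)),  # MCS 3: 16-QAM 1/2
    (4, Fraction(3, 4)),  # MCS 4: 16-QAM 3/4
    (6, Fraction(2, 3)),  # MCS 5: 64-QAM 2/3
    (6, Fraction(3, 4)),  # MCS 6: 64-QAM 3/4
    (6, Fraction(5, 6)),  # MCS 7: 64-QAM 5/6
]
# Data subcarriers per OFDM symbol for each Channel HT Mode width (N_sd).
DATA_SUBCARRIERS = {20: 52, 40: 108}
# OFDM symbol duration in microseconds: 4.0 with the 800 ns guard interval,
# 3.6 with the optional 400 ns short guard interval.
SYMBOL_US = {False: 4.0, True: 3.6}


def mcs_rate_mbps(mcs: int, width_mhz: int, short_gi: bool = False) -> float:
    """PHY data rate in Mbit/s for an MCS index at a given channel width."""
    if not 0 <= mcs <= 31:
        raise ValueError(f"MCS {mcs} is outside the equal-modulation range 0-31")
    if width_mhz not in DATA_SUBCARRIERS:
        raise ValueError(f"unsupported channel width {width_mhz} MHz")
    streams, base = divmod(mcs, 8)
    n_bpscs, coding_rate = MCS_BASE[base]
    # Data bits carried by one OFDM symbol across all streams (exact arithmetic).
    bits_per_symbol = (streams + 1) * n_bpscs * coding_rate * DATA_SUBCARRIERS[width_mhz]
    return float(bits_per_symbol) / SYMBOL_US[short_gi]


def rate_list_label(mcs: int) -> str:
    """Format an MCS option the way the guide describes it: the first number is
    the 20 MHz maximum, the second the 40 MHz maximum (long guard interval)."""
    return f"MCS {mcs}: {mcs_rate_mbps(mcs, 20):g}/{mcs_rate_mbps(mcs, 40):g} Mbps"


if __name__ == "__main__":
    for index in range(16):
        print(rate_list_label(index))
```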
Select the SSIDs
Each radio can support up to eight SSIDs. You can use the same SSID for multiple radios on one or
more AP devices. You can add up to eight SSIDs to each radio.
To add a configured SSID to a radio:
In the SSID list, select the check box adjacent to each SSID you want the radio to use.
If the SSID you want to add is not yet configured, you can add this AP device radio to the SSID when
you add the SSID.
For more information, see Configure WatchGuard AP Device SSIDs.
Configure Gateway Wireless Controller Settings
The Gateway Wireless Controller includes some settings that apply to all AP devices. These global
settings include:
- WatchGuard AP Passphrase
- Firmware updates
- Syslog server settings
- Wireless Radio Region
- MAC Access Control
To configure the global Access Point settings on the Gateway Wireless Controller:
1. Select Network > Gateway Wireless Controller.
The Gateway Wireless Controller page appears.
2. Select the Settings tab.
The Settings page appears.
3. Configure the global AP device settings as described in the subsequent sections.
4. Click Save.
Change the WatchGuard AP Passphrase
The WatchGuard AP Passphrase is used for all WatchGuard AP devices after they are paired with
your XTM device. The Gateway Wireless Controller uses this passphrase to establish connections
between the XTM device and the paired AP devices. This is also the passphrase you use to log in to
the Access Point web UI of a paired AP device. You set the WatchGuard AP passphrase when you
enabled the Gateway Wireless Controller.
To change the WatchGuard AP passphrase:
1. In the WatchGuard AP Passphrase text box, type the passphrase to use for management of
all AP devices.
2. To make the passphrase you type visible, select Show passphrase.
Enable Automatic AP Device Firmware Updates
By default, the Gateway Access Controller is configured to automatically update the firmware on
WatchGuard AP devices when a new version is available. The XTM device receives AP device
firmware updates as part of a Fireware XTM OS update. If you update the Fireware XTM OS on your
XTM device, and that update contains new firmware for the AP devices, the default setting enables the
Gateway Wireless Controller to automatically update the firmware on all paired AP devices.
To disable automatic firmware updates:
Clear the Automatically update WatchGuard AP firmware when a new version is
available on the XTM device check box.
If you disable automatic firmware updates, and you want to update each AP device at
a different time, you can download the AP device firmware from the WatchGuard
portal. After you download the AP firmware file, you can use the web UI on the
AP device to manually update the firmware for each device. For more information,
see Use the WatchGuard Access Point Web UI.
Configure Syslog Settings
By default, each AP device automatically stores recent syslog log messages locally. You can see the
syslog messages stored on each AP device in Fireware XTM Web UI. For more information about how
to see syslog messages for an AP device, see WatchGuard AP Device and Wireless Client
Connections (Gateway Wireless Controller) on page 767.
You can also configure your AP devices to send syslog messages to the same, external syslog server.
When you configure the syslog server in the Gateway Wireless Controller settings, all paired AP
devices send syslog messages to the specified server.
Before you configure the Gateway Wireless Controller settings for an external syslog server, make
sure the syslog server you specify is set up and your AP devices can connect to the IP address of the
syslog server.
To configure your AP devices to send log messages to an external syslog server:
1. Select the Send WatchGuard AP log messages to a syslog server check box.
2. In the Syslog server IP address text box, type the IP address of the syslog server.
Set the Wireless Radio Region
WatchGuard AP devices automatically select the best radio channel to use from the allowed channels
in the region where the device is located. To use the correct radio channels, you must select the
location of your AP devices. All AP devices managed by the same XTM device use the same wireless
radio region.
To set the wireless radio region:
From the Select the location of the WatchGuard AP devices drop-down list, select the
country where your AP devices are located.
Configure MAC Access Control
In the MAC Access Control section, you can configure a list of denied or allowed MAC addresses for
your AP devices.
To configure a list of denied or allowed MAC addresses for your AP devices:
From the Settings dialog box, select the MAC Access Control tab.
Configure MAC Access Control
You can configure the MAC access control lists to allow or deny wireless client connections based on
the MAC addresses of the client devices. You can configure a list of denied and allowed
MAC addresses in the Gateway Wireless Controller. Then, you can configure each SSID to use one of
these lists to control wireless client access to your network.
There are two types of MAC access control lists:
Denied MAC Addresses
To make sure certain wireless clients cannot connect to your AP device, you can add the MAC
addresses of those wireless clients to the Denied MAC Addresses list. If you configure an
SSID to use the Denied MAC Addresses list, any wireless clients with MAC addresses that
are on this list are not allowed to connect to that SSID.
Allowed MAC Addresses
To enable certain wireless clients to connect to your AP device, you can add the
MAC addresses of those wireless clients to the Allowed MAC Addresses list. If you configure
an SSID to use the Allowed MAC Addresses list, only wireless clients with MAC addresses
that are on this list can connect to that SSID.
Edit the MAC Access Control Lists
To configure the denied and allowed MAC address lists:
1. Select Network > Gateway Wireless Controller.
The Gateway Wireless Controller page appears.
2. Select the Settings tab.
The MAC Access Control settings appear at the bottom.
To add denied MAC addresses:
1. In the Denied MAC Addresses section, click Add.
The MAC Address dialog box appears.
2. In the MAC address text box, type the MAC address of a wireless client that you want to deny
access to your AP devices.
3. (Optional) In the Name text box, type a descriptive name to identify the wireless client in the
list.
4. Click Add.
The MAC address is added to the Denied MAC Addresses list.
To add allowed MAC addresses:
1. In the Allowed MAC Addresses list section, click Add.
2. In the MAC address text box, type the MAC address of a wireless client that you want to allow
access to your AP devices.
3. (Optional) In the Name text box, type a descriptive name to identify the wireless client in the
list.
4. Click OK.
The MAC address is added to the Allowed MAC Addresses list.
To delete a MAC address from either list, select the MAC address and click Remove.
Enable an SSID to Use MAC Access Control
To configure an SSID to deny access based on the MAC Access Control settings, you must enable
MAC Access Control in the SSID settings.
From the Gateway Wireless Controller:
1. On the SSIDs tab, select an SSID.
2. Click Edit.
3. Select the Use the MAC Access Control list defined in the Gateway Wireless Controller
Settings check box.
4. From the drop-down list, select a list: Denied MAC Addresses or Allowed MAC Addresses.
5. Save the configuration file to the XTM device.
After you enable MAC Access Control for an SSID, the AP device uses the selected MAC Access
Control list to determine whether to allow wireless clients to connect to that SSID.
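The decision the AP device makes once an SSID selects one of the two lists, as an added example that is not WatchGuard code: one Denied list and one Allowed list exist per controller, each SSID uses none or exactly one of them, and addresses are normalized so the same client matches however its MAC was typed. The MAC addresses and SSID names are constructed for illustration.

```python
"""Model of the Gateway Wireless Controller MAC Access Control decision.

Added example, not WatchGuard code: one Denied list and one Allowed list are
kept per controller, and each SSID either uses no list or selects exactly one
of them. MAC addresses and SSID names below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonical lowercase colon form, so that 00-11-22-AA-BB-CC, 0011.22aa.bbcc
    and 00:11:22:aa:bb:cc all compare equal when looked up in a list."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class MacAccessControl:
    """The two global lists on the Settings tab: MAC -> optional descriptive name."""
    denied: Dict[str, str] = field(default_factory=dict)
    allowed: Dict[str, str] = field(default_factory=dict)

    def add(self, list_name: str, mac: str, name: str = "") -> None:
        self._list(list_name)[normalize_mac(mac)] = name

    def remove(self, list_name: str, mac: str) -> None:
        self._list(list_name).pop(normalize_mac(mac), None)

    def _list(self, list_name: str) -> Dict[str, str]:
        if list_name == "denied":
            return self.denied
        if list_name == "allowed":
            return self.allowed
        raise ValueError(f"unknown list {list_name!r}")


@dataclass
class Ssid:
    name: str
    # None models the "Use the MAC Access Control list ..." check box cleared.
    mac_list: Optional[str] = None


def client_may_connect(ssid: Ssid, acl: MacAccessControl, client_mac: str) -> bool:
    """Apply the one list the SSID selected. The client presents its own MAC
    address, so these lists are an access-hygiene control, not authentication."""
    if ssid.mac_list is None:
        return True
    mac = normalize_mac(client_mac)
    if ssid.mac_list == "denied":
        return mac not in acl.denied   # everyone except the listed clients
    if ssid.mac_list == "allowed":
        return mac in acl.allowed      # only the listed clients
    raise ValueError(f"unknown list {ssid.mac_list!r}")


def demo() -> Dict[str, bool]:
    """Constructed scenario: a guest SSID using the Denied list, a staff SSID
    using the Allowed list, and a third SSID with MAC Access Control disabled."""
    acl = MacAccessControl()
    acl.add("denied", "00-11-22-AA-BB-CC", "lost tablet")
    acl.add("allowed", "0011.22aa.bbcd", "staff laptop")
    guest = Ssid("Guest", mac_list="denied")
    staff = Ssid("Staff", mac_list="allowed")
    lab = Ssid("Lab")
    return {
        "lost tablet on Guest": client_may_connect(guest, acl, "00:11:22:aa:bb:cc"),
        "staff laptop on Guest": client_may_connect(guest, acl, "00:11:22:aa:bb:cd"),
        "staff laptop on Staff": client_may_connect(staff, acl, "00:11:22:AA:BB:CD"),
        "unknown client on Staff": client_may_connect(staff, acl, "00:11:22:aa:bb:ce"),
        "lost tablet on Lab": client_may_connect(lab, acl, "00:11:22:aa:bb:cc"),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {'allowed' if decision else 'denied'}")
```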
Unpair an AP Device
To unpair a WatchGuard AP device from an XTM device, you remove the AP device from the Paired
Access Point list in the Gateway Wireless Controller. When you unpair an AP device, the AP device
restarts with factory default settings. The passphrase on the AP device is reset to wgwap.
To unpair an AP device from your XTM device:
1. Select Network > Gateway Wireless Controller.
2. Select the Access Points tab.
The list of paired Access Points appears in the list at the top of the Access Points tab.
3. From the Access Points list, select the AP device to unpair.
Use the Control and/or Shift keys to select multiple AP devices at the same time.
4. Click Remove.
The selected Access Points are removed from the configuration. The XTM device resets the AP
device to factory default settings.
After you unpair the AP device, it restarts with factory default settings. After the AP device restarts,
the Gateway Wireless Controller can discover it again as an unpaired AP device.
Monitor AP Device Status
From the Fireware XTM Web UI System Status pages, you can monitor the WatchGuard AP devices
managed by your XTM device.
1. Select Dashboard > Gateway Wireless Controller.
The Gateway Wireless controller page appears.
2. Select the Access Points tab.
3. Monitor your AP devices as described in the subsequent sections.
See AP Connection Status and Uptime
In the Status column, you can see the status of each paired AP device.
- Online — The AP device is enabled and can communicate with the XTM device.
- Offline — The AP device cannot be contacted by the XTM device.
- Updating — An update to the AP device configuration is in progress.
- Passphrase Mismatch — The passphrase on the AP device does not match the passphrase
on the Gateway Wireless Controller.
For information about how to resolve a passphrase mismatch, see About AP Device
Passphrases.
In the Uptime column, you can see how long an AP device has been online.
For the Uptime to be correct, the XTM device must have a policy that allows NTP
traffic from the AP device to the Internet. For more information, see WatchGuard AP
Device Requirements and Limitations.
See AP Radio Frequency and Channel
In the Radio1 and Radio2 columns, you can see the frequency and channel used by each AP device
radio.
Each radio automatically selects a quiet channel in the band you have selected. The channel that the
radio uses is determined based on the band, wireless mode, channel HT mode, and on the country you
specify in the Gateway Wireless Controller settings.
For more information about radio settings, see Configure AP Device Radio Settings.
See the AP Activation Status
In the LiveSecurity column, you can see the activation status of each AP device.
- Activated — The AP device is activated.
- Not Activated — The AP device is not activated.
The XTM device automatically attempts to activate the AP device to start the LiveSecurity
subscription and hardware warranty.
For more information about activation, see About AP Device Activation.
See AP Device Network Statistics
The Network Statistics report shows a collection of raw network statistics information from the
selected AP device, including the Interface Statistics (names, MAC and/or IP addresses, and traffic
counters), the Routing Table, and the ARP Table. This information can be helpful for troubleshooting.
To see network statistics for an AP device:
1. On the Access Points tab, select an AP device.
2. Click Network Statistics.
The Network Statistics page appears with statistics from the selected AP device.
3. To return to the main Gateway Wireless Controller page, click Return.
See Log Messages on an AP Device
By default, each WatchGuard AP device stores recent syslog log messages locally. If you configure
the AP device to send syslog messages to an external syslog server, the recent syslog messages are
also available on the AP device. You can see the syslog messages on each AP device on the System
Status > Gateway Wireless Controller page.
To see syslog messages on the AP device:
1. On the Access Points tab, select an AP device.
2. Click Log Messages.
The Log Messages page appears with log messages from the selected AP device.
3. To return to the main Gateway Wireless Controller page, click Return.
For the timestamp in the log messages on the AP device to be correct, the
XTM device must have a policy that allows NTP traffic from the AP device to the
Internet. For more information, see WatchGuard AP Device Requirements and
Limitations.
Reboot an AP Device
To reboot an AP device:
1. On the Access Points tab, select an AP device.
2. Click Reboot.
While the AP device reboots, Offline appears in the Status column for the AP device. When the
AP device reboot is complete, Online appears in the Status column.
Perform a Site Survey
You can use your AP device to do a site survey to detect other wireless access points that operate in
the same area. When you do a site survey, the radios in the AP device scan the wireless channels to
find other wireless access points. The site survey can detect all wireless access points, including
other WatchGuard AP devices and WatchGuard XTM wireless devices. You must configure an
AP device radio to use at least one SSID before that radio can perform a site survey.
When a site survey scan begins, the AP device scans the airwaves within range for other radio
broadcasts in the same radio band. The device scans for wireless access points on all available
wireless channels. The scan is not limited to the wireless mode and channel settings configured in the
radio settings of your device. The AP200 can use both radios to scan on the 2.4 GHz and 5 GHz radio
bands. The AP100 scans on either the 2.4 GHz or 5 GHz band. The band used for the scan depends
on which band the radio is configured to operate in.
The site survey does not interrupt wireless connectivity for connected wireless clients.
To start a site survey:
1. On the Access Points tab, select an AP device.
2. Click Site Survey.
The Site Survey page appears and the AP device begins the scan for other wireless access points. A
list of detected access points appears in the Site Survey page.
3. To return to the main Gateway Wireless Controller page, click Return.
For each detected wireless access point, the site survey report shows this information:
BSSID
The Basic Service Set Identifier is the MAC address of the wireless access point.
SSID
This is the SSID for the access point. If an access point has multiple SSIDs, each SSID
appears as a separate item in the site survey.
Channel
This is the wireless channel that the wireless access point uses.
Signal Level
This is the signal strength of the wireless access point.
Type
This is the wireless standard the wireless access point supports.
Security
This is the type of wireless security used by the wireless access point.
Mode
This is the operating mode of the wireless device.
Monitor Wireless Clients
On the Gateway Wireless Controller page, you can see a list of the wireless clients connected to
your WatchGuard AP device. You can also disconnect a wireless client.
To see the connected wireless clients:
1. Connect to Fireware XTM Web UI for your XTM device.
2. Select Dashboard > Gateway Wireless Controller.
3. Select the Wireless Clients tab.
A list of connected wireless clients appears.
For more information about the Wireless Clients tab, see WatchGuard AP Device and Wireless Client
Connections (Gateway Wireless Controller).
To disconnect a wireless client from an AP device:
1. Select a wireless client.
2. Click Disconnect Client.
To permanently deny a wireless client access to your WatchGuard AP devices, make a note of the
MAC address before you disconnect the wireless client. You can then add that MAC address for that
wireless client to the Denied MAC address list in the MAC Access Control configuration. You must
also enable MAC Access Control in the SSID settings. For more information, see Configure
MAC Access Control.
Enable a Hotspot on an AP Device
You can enable one SSID on your WatchGuard AP device as a hotspot. You can enable a hotspot on
one SSID or network at a time.
When you enable the hotspot feature for an SSID, wireless clients see a hotspot splash screen page
when they connect to the SSID. You can configure the hotspot to require wireless clients to accept
terms and conditions. Or, you can configure an external hotspot authentication server that requires
wireless clients to provide information that can be validated before the wireless client is allowed to
connect to the network.
When you enable a hotspot for an AP device SSID, the hotspot interface you select depends on how
you configure the SSID and how your AP devices connect to the XTM device.
- If the SSID has VLAN tagging enabled, select the VLAN interface with the VLAN ID
configured in the SSID.
- If the SSID does not have VLAN tagging enabled, and the AP device is directly connected
to an XTM device interface, select the XTM device interface your AP device is connected
to.
- If the SSID does not have VLAN tagging enabled, but the AP devices that use the
SSID connect to XTM device VLAN interfaces that manage only untagged VLAN traffic,
select the untagged VLAN as the hotspot interface.
If you connect the AP device to a switch but do not use VLAN tagging, you cannot
enable the hotspot only for traffic that goes through the AP device. If you enable the
hotspot for the XTM device interface the switch connects to, the hotspot is enabled
for all traffic through that XTM device interface.
To enable a hotspot for an AP device, configure the hotspot settings on the XTM device that is paired
with the AP device. For more information about how to configure a hotspot, see Enable a Hotspot.
Reset the WatchGuard AP Device
There are three ways to reset the WatchGuard AP device to factory default settings:
- Press the reset button on the AP device.
- Reset the AP device from the WatchGuard Access Point web UI.
- Unpair an AP device.
If you reset a paired WatchGuard AP device to factory default settings, the
XTM device attempts to use the pairing passphrase configured for the AP device in
the Gateway Wireless Controller to pair the device again and send the configuration
to the AP device. If the pairing passphrase for this AP device on the Gateway
Wireless Controller is not set to the default, wgwap, the pairing fails and you get a
passphrase mismatch. For more information, see About AP Device Passphrases.
After you reset an AP device to factory default settings, the AP passphrase is set to the default
passphrase, wgwap.
An AP device with factory default settings cannot accept tagged VLAN traffic. If you reset an AP
device that has management VLAN tagging enabled, the XTM device cannot automatically rediscover
and pair with the AP device on the tagged VLAN. For more information, see WatchGuard AP Device
Discovery and Pairing.
Reset the WatchGuard AP Device with the Reset Button
To reset the AP device with the reset button on the AP device:
1. With the AP device powered on, press and hold the reset button.
2. After 12 seconds, release the reset button.
The AP device resets.
When the device completes initialization, it is reset to the factory default settings.
Reset the WatchGuard AP Device from the Access Point Web UI
To reset the AP device from the Access Point web UI:
1. Log in to the WatchGuard Access Point web UI.
2. From the left navigation menu, select Status.
The Access Point Status page appears.
3. On the Access Point Status page, click Reset to Factory Defaults.
For more information about how to use the WatchGuard Access Point web UI, see Use the
WatchGuard Access Point Web UI.
Unpair the WatchGuard AP Device
When you unpair the AP device from an XTM device, the AP device restarts with factory default
settings.
For more information, see Unpair an AP Device.
Add an HTTPS Policy for Access Point Web UI Connections
If the connection from your management computer to your AP device is routed through your
XTM device, to allow your management computer to log in to the WatchGuard Access Point web UI,
you might have to add an HTTPS packet filter policy to your XTM device configuration.
To allow connections to the AP device on a VLAN from any trusted network:
1. Add an HTTPS packet filter policy.
2. In the From list, add the alias Any-Trusted.
To allow connections to the Access Point web UI from only a specific network interface, add
that interface name to the From list.
3. In the To list, add the interface where your AP device is connected. This could be a physical
interface or a VLAN interface.
- If you do not use VLAN tagging, add the XTM device interface that your AP device connects
to.
- If you use VLAN tagging, add the untagged VLAN you configured for management
connections to your AP devices.
Use the WatchGuard Access Point Web UI
To see basic information about your WatchGuard Access Point (AP) device and manage some of the
settings for the AP device, you can connect directly to the WatchGuard Access Point web UI. From
the Access Point web UI, you can:
- See the current configuration details for the AP device
- Manage the network settings for the AP device
- Change the AP device passphrase
- Upgrade the AP device firmware
- Save configuration changes or revert recent changes to the AP device
Because you manage the configuration, passphrases, and firmware updates for your paired
WatchGuard AP device from the Gateway Wireless Controller on the XTM device, it is not often
necessary to use the WatchGuard Access Point web UI to directly manage the configuration of your
AP device.
Connect to the WatchGuard Access Point Web UI
Before you can connect your computer directly to the WatchGuard AP device for the first time, you
must change the network settings on your computer to enable your computer to get access to the AP
device. You can then connect to the AP device to manage the AP device settings. If you change the
network settings on the AP device and later want to connect directly to the AP device again, you must
configure your computer to use an IP address and gateway in the same network range as the IP
address you set for the AP device.
Connect to an Access Point Directly Connected to Your Computer
To directly connect to the WatchGuard Access Point web UI on an AP device that uses factory default
settings:
1. Configure your computer to use these network settings:
n IP address — 192.168.1.2
n Subnet mask — 255.255.255.0
n Gateway — 192.168.1.1
2. Connect your computer directly to the AP device with an Ethernet cable.
3. Open a web browser and go to https://192.168.1.1 .
The WatchGuard Access Point web UI login page appears.
4. In the Passphrase text box, type the passphrase for the AP device. The default passphrase is
wgwap .
5. Click Login.
The WatchGuard Access Point Web UI appears, with the Access Point Status page selected.
You can now monitor and manage the settings for your AP device, as described in the subsequent
sections.
Connect to an Access Point On Your Network
Depending on the location of your computer and the Access Point on the network, you might need to
add an HTTPS policy to allow connections to the AP device from another network. For more
information, see Add an HTTPS Policy for Access Point Web UI Connections.
Before you begin, make sure you have the IP address of the AP device.
n The IP address of a paired AP device is available on the Gateway Wireless Controller System
Status page. For more information, see Monitor AP Device Status.
n The IP address of an unpaired AP device is available on the Access Points tab of the Gateway
Wireless Controller. For more information, see WatchGuard AP Device Discovery and Pairing.
To connect to the WatchGuard Access Point web UI for an AP device that is connected to your
XTM device:
1. Open a web browser and go to https://<AP device IP address> .
The WatchGuard Access Point web UI login page appears.
2. In the Passphrase text box, type the passphrase for the AP device.
For a paired AP device, the passphrase is the WatchGuard AP Passphrase configured in the
Gateway Wireless Controller settings on the XTM device. For more information, see Configure
Gateway Wireless Controller Settings.
3. Click Login.
The WatchGuard Access Point Web UI appears, with the Access Point Status page selected.
You can now monitor and manage the settings for your AP device, as described in the subsequent
sections.
Verify the Current AP Device Settings
On the Access Point Status page, you can verify the current network settings, model information,
firmware version, and serial number for the AP device. You can also revert to the factory default
settings for your AP device.
When you connect to your AP device, the Access Point Status page is selected by default.
To go to the Access Point Status page and review the AP device settings:
1. From the left navigation menu, select Status.
The Access Point Status page appears.
2. Review the current settings for your AP device.
To reset your AP device to the factory default settings:
On the Access Point Status page, click Reset to Factory Defaults.
Manage Network Settings
By default, your AP device uses DHCP to automatically receive an IP address from your network.
When you configure your AP device, you can continue to use DHCP to automatically configure the
network settings, or you can use a static IP address and manually configure the network settings. To
help you easily identify the AP device, you can also specify a friendly device name for the AP device.
1. From the left navigation menu, select Settings.
The Network Settings page appears.
2. Select an option:
n DHCP
n Static
3. If you select Static, in the IP Network Setting section, type the network configuration settings
for the AP device.
4. To specify a friendly name for the AP device, in the Device Name text box, type a name for the
AP device.
5. Click Save.
Change the Access Point Passphrase
All AP devices use the same passphrase by default: wgwap. The passphrase is changed
automatically when you pair the AP device with an XTM device. We recommend that you do not use
the WatchGuard Access Point web UI to change the AP device passphrase. If you use the
WatchGuard Access Point web UI to change the AP device passphrase, you must use this as the
pairing passphrase for this AP device in the Gateway Wireless Controller on the XTM device. For more
information, see About AP Device Passphrases.
1. From the left navigation menu, select Passphrase.
The Local passphrase page appears.
2. In the Current passphrase text box, type the current passphrase for your AP device.
If you have never changed the passphrase before, type the default passphrase, wgwap .
3. In the New passphrase and Confirm new passphrase text boxes, type the new passphrase
to use for the AP device.
4. Click Save.
Upgrade the AP Device Firmware
When you manage your WatchGuard AP device with the Gateway Access Controller on your
XTM device, by default, the firmware on your AP device is automatically updated when a new version
is available to the controller on the XTM device. You can also choose to manually upgrade the firmware
on your AP device from the Access Point web UI, if a firmware update for the AP device is available on
the WatchGuard Software Downloads page. Before you can upgrade your AP device to a new version
of firmware, you must have saved the firmware image to the computer connected to your AP device.
1. From the left navigation menu, select Firmware Upgrade.
The Firmware Upgrade page appears.
2. Click Browse to select the firmware image file.
The firmware image file path appears in the Firmware Location text box.
3. Click Upgrade.
Do not interrupt the power to the AP device while the firmware upgrade is in progress.
Interruption of power during a firmware upgrade can cause the AP device to start in
failsafe mode. When the AP device is in failsafe mode, the Access Point web UI
provides a single option that enables you to upgrade the device firmware. For more
details about AP device failsafe mode and recovery, see the WatchGuard Knowledge
Base.
Save or Revert Configuration Changes
If you have made changes to the AP device configuration that have not yet been implemented, you can
choose to save your changes and apply them to the AP device, or revert the changes so they are not
applied to the AP device.
1. From the left navigation menu, select Save/Reload.
The Save/Reload page appears.
2. To apply changes and save them to the AP device configuration, select a change from the
Unsaved changes list and click Save & Apply.
3. To revert a change, select a change from the Unsaved changes list and click Revert.
WatchGuard AP Device Deployment Examples
These examples provide configuration diagrams for the most common types of WatchGuard AP device
deployment scenarios.
WatchGuard AP device with a Single SSID
For a basic type of wireless deployment in a small office with simple requirements, you can
deploy one or more WatchGuard AP devices with a single SSID.
For a configuration example, see WatchGuard AP Device Deployment with a Single SSID.
WatchGuard AP device with Multiple SSIDs
You can use multiple SSIDs for your wireless network to define different groups of wireless
users. You can use more than one SSID on each WatchGuard AP device.
For a configuration example, see WatchGuard AP Device Deployment with Multiple SSIDs.
WatchGuard AP device with Single or Multiple SSIDs and VLANs for Policies
For a more complex environment with additional security and policy requirements for wireless
users, you can use one or more SSIDs for your wireless network with VLANs. VLANs enable
you to apply wireless security policies for each SSID on the XTM device, and separate network
traffic for each SSID on a dedicated VLAN.
For a configuration example, see WatchGuard AP Device Deployment with VLANs.
WatchGuard AP Device Deployment with a Single SSID
For basic AP device installation, you deploy one or more WatchGuard AP devices with a single SSID.
In this deployment scenario, you do not have to configure VLANs or complex network settings. This
example is recommended for small office deployments where the requirement is to add secure,
wireless access to an existing LAN. The WatchGuard AP device management traffic and wireless
SSID traffic all communicate across the same network.
If your environment is large enough to require more than one AP device for wider wireless coverage,
you can assign the same SSID to multiple AP devices. When you assign the same SSID to more than
one AP device, the range of that SSID is extended, which enables mobile users to roam from one
AP device coverage area to another.
With this deployment scenario, there are two primary methods you can use to physically connect your
WatchGuard AP device to the network:
n Connect the AP device directly to your XTM device on a Trusted or Optional network interface.
n Connect the AP device to a switch that is on a Trusted or Optional network.
WatchGuard AP Device Deployment with Multiple SSIDs
For more complex environments, you can use multiple SSIDs for your wireless network. For example,
you could create one SSID for your trusted wireless traffic, and another SSID for guest wireless
access.
For additional security and the ability to apply wireless policies to SSIDs from the
XTM device, we recommend you use VLANs. For more information, see
WatchGuard AP Device Deployment with VLANs.
With this deployment scenario, there are two primary methods you can use to physically connect your
WatchGuard AP device to the network:
n Connect the AP device directly to the XTM device on a Trusted or Optional network.
n Connect the AP device to a network switch connected to a Trusted or Optional network.
WatchGuard AP Device Deployment with VLANs
If you have a complex network environment with security and policy requirements for wireless users,
you can enable VLANs on the SSIDs for your wireless network. VLANs enable you to apply wireless
security policies to each SSID on the XTM device, and to separate network traffic for each SSID on a
dedicated VLAN.
With this deployment scenario, there are two primary methods you can use to physically connect your
WatchGuard AP device to the network:
n Connect the AP device directly to the XTM device on a Trusted or Optional network configured
as a VLAN interface. You create VLANs on the XTM device for AP device management, and for
each wireless SSID.
n Connect the AP device to a managed network switch configured with the VLAN information for
the related SSIDs. You can also configure the same VLANs on the XTM device, so that you can
use the VLANs in firewall policies for each SSID.
Required VLAN Types
To enable VLAN tagging in your AP device SSIDs, there are two types of VLANs you must create:
n Tagged VLANs for SSIDs — The AP device uses tagged VLANs to separate wireless traffic
from each SSID. You must create a tagged VLAN for each SSID you configure in your wireless
network.
n Untagged VLAN for AP device management — The Gateway Wireless Controller on the
XTM device discovers and manages all WatchGuard AP devices through a special
management connection. You must create a separate, untagged VLAN to use for management
connections to your AP devices. The AP device management IP address cannot be an
IP address on a tagged VLAN.
If you enable management VLAN tagging in the AP device configuration, the
XTM device can use a tagged VLAN for management connections to the AP device.
An untagged VLAN is still required for the initial connection to an AP device that has
not yet been paired.
You can choose from two different methods to set up VLANs based on where you connect the
AP device to your network:
n Connect the AP device directly to an XTM device — To connect your AP device directly to
your XTM device, you must set up VLANs on the XTM device interface that the AP device
connects to.
a. On your XTM device, create a VLAN for AP device management and VLANs for all
wireless SSIDs.
b. Configure the XTM device interface to send and receive tagged traffic for the VLANs
for each of your SSIDs, and to send and receive untagged traffic for the AP device
management VLAN.
n Connect the AP device to a managed switch — To connect your AP device to a managed
switch, you set up VLANs on the managed switch interfaces and on the XTM device interface
that the switch connects to.
a. On your XTM device, create a VLAN for AP device management and VLANs for all
wireless SSIDs.
b. Configure the XTM device interface to send and receive tagged traffic for the VLANs
for each of your SSIDs, and to send and receive untagged traffic for the AP device
management VLAN.
c. On the switch, configure the interfaces that connect to the XTM device and to the AP
device to send and receive tagged traffic for the VLANs for each of your SSIDs.
Configure the same interfaces on the switch to send and receive untagged traffic for
the AP device management VLAN.
For more information about when and how to configure VLANs for use with WatchGuard AP devices,
see Configure VLANs for WatchGuard AP Devices.
10
Dynamic Routing
About Dynamic Routing
A routing protocol is the language a router speaks with other routers to share information about the
status of network routing tables. With static routing, routing tables are set and do not change. If a router
on the remote path fails, a packet cannot get to its destination. Dynamic routing makes automatic
updates to route tables as the configuration of a network changes.
To use dynamic routing, the XTM device must be configured in mixed routing mode.
Support for some dynamic routing protocols is available only for Fireware XTM with a
Pro upgrade.
Dynamic Routing Protocols
Fireware XTM supports the RIP v1 and RIP v2 protocols. Fireware XTM with a Pro upgrade supports
the RIP v1, RIP v2, OSPF, and BGP v4 protocols.
For more information about each of the supported routing protocols, see:
n About Routing Information Protocol (RIP)
n About Open Shortest Path First (OSPF) Protocol
n About Border Gateway Protocol (BGP)
Dynamic Routing Policies
When you enable a dynamic routing protocol, Fireware XTM Web UI automatically adds the required
dynamic routing policy. The automatically added policies are called:
n DR-RIP-Allow
n DR-OSPF-Allow
n DR-BGP-Allow
Monitor Dynamic Routing
In the Fireware XTM Web UI, select System Status > Routes to see the current static and dynamic
routes.
To troubleshoot dynamic routing, you can change the diagnostic log level setting for dynamic routing to
generate more log messages about dynamic routing traffic. You do this in the diagnostic log level
settings for the Networking category.
For more information about how to set the diagnostic log level, see Set the Diagnostic Log Level.
About Routing Daemon Configuration Files
To use any of the dynamic routing protocols with Fireware XTM, you must type a dynamic routing
configuration file for the routing daemon you choose. This configuration file includes information such
as a password and log file name. To see sample configuration files for each of the routing protocols,
see these topics:
n Sample RIP Routing Configuration File
n Sample OSPF Routing Configuration File
n Sample BGP Routing Configuration File
Notes about configuration files:
n The "!" and "#" characters are placed before comments, which are lines of text in configuration
files that explain the function of subsequent commands. If the first character of a line is a
comment character, then the rest of the line is interpreted as a comment.
n You can use the word "no" at the beginning of the line to disable a command. For example: "no
network 10.0.0.0/24 area 0.0.0.0" disables the backbone area on the specified network.
About Routing Information Protocol (RIP)
Routing Information Protocol (RIP) is used to manage router information in a self-contained network,
such as a corporate LAN or a private WAN. With RIP, a gateway host sends its routing table to the
closest router each 30 seconds. This router then sends the contents of its routing tables to neighboring
routers.
RIP is best for small networks. This is because the transmission of the full routing table each 30
seconds can put a large traffic load on the network, and because RIP tables are limited to 15 hops.
OSPF is a better alternative for larger networks.
There are two versions of RIP. RIP v1 uses a UDP broadcast over port 520 to send updates to routing
tables. RIP v2 uses multicast to send routing table updates.
Routing Information Protocol (RIP) Commands
The subsequent table is a catalog of supported routing commands for RIP v1 and RIP v2 that you can
use to create or modify a routing configuration file. If you use RIP v2, you must include the subnet
mask with any command that uses a network IP address or RIP v2 will not operate. The sections must
appear in the configuration file in the same order they appear in this table.
Section | Command | Description
Set simple password or MD5 authentication on an interface | interface eth[N] | Begin section to set authentication type for interface
 | ip rip authentication string [PASSWORD] | Set RIP authentication password
 | key chain [KEY-CHAIN] | Set MD5 key chain name
 | key [INTEGER] | Set MD5 key number
 | key-string [AUTH-KEY] | Set MD5 authentication key
 | ip rip authentication mode md5 | Use MD5 authentication
 | ip rip authentication key-chain [KEY-CHAIN] | Set MD5 authentication key chain
Configure interfaces | ip rip send version [1/2] | Set RIP to send version 1 or 2
 | ip rip receive version [1/2] | Set RIP to receive version 1 or 2
 | no ip rip split-horizon | Disable split-horizon; enabled by default
Configure RIP routing daemon | router rip | Enable RIP daemon
 | version [1/2] | Set RIP version to 1 or 2 (default version 2)
Configure interfaces and networks | no network eth[N] | Disable RIP send and receive on interface eth[N]
 | passive-interface eth[N] | Set RIP to receive-only on interface eth[N]
 | passive-interface default | Set RIP to receive-only on all interfaces
 | network [A.B.C.D/M] | Enable RIP broadcast (version 1) or multicast (version 2) on network A.B.C.D/M
 | neighbor [A.B.C.D] | Send unicast routing table updates to neighbor A.B.C.D
Distribute routes to RIP peers and inject OSPF or BGP routes to RIP routing table | default-information originate | Share route of last resort (default route) with RIP peers
 | redistribute kernel | Redistribute firewall static routes to RIP peers
 | redistribute connected | Redistribute routes from all interfaces to RIP peers
 | redistribute connected route-map [MAPNAME] | Redistribute routes from all interfaces to RIP peers, with a route map filter (MAPNAME)
 | redistribute ospf | Redistribute routes from OSPF to RIP
 | redistribute ospf route-map [MAPNAME] | Redistribute routes from OSPF to RIP, with a route map filter (MAPNAME)
 | redistribute bgp | Redistribute routes from BGP to RIP
 | redistribute bgp route-map [MAPNAME] | Redistribute routes from BGP to RIP, with a route map filter (MAPNAME)
Configure route redistribution filters with route maps and access lists | access-list [LISTNAME] [permit/deny] [A.B.C.D/M or any] | Create an access list to allow or deny redistribution of only one network or of all IP addresses
 | route-map [MAPNAME] permit [N] | Create a route map with a name and allow with a priority of N
 | match ip address [LISTNAME] | Match routes against access list [LISTNAME]
Configure the XTM Device to Use RIP
1. Select Network > Dynamic Routing.
The Dynamic Routing page appears.
2. Select the Enable Dynamic Routing check box.
3. Select the RIP tab.
4. Select the Enable check box.
5. Copy and paste the text of your routing daemon configuration file in the window.
6. Click Save.
If necessary, Fireware XTM automatically adds the required dynamic routing policy or enables an
existing RIP dynamic routing policy, if one exists.
For RIP, the automatically created dynamic routing policy is called DR-RIP-Allow. You can edit this
policy to add authentication and restrict the policy to listen on only the correct interfaces. The
DR-RIP-Allow policy is configured to allow RIP multicasts to the reserved multicast address for RIP v2.
If you use RIP v1, you must configure the RIP policy to allow RIP broadcasts from the network
broadcast IP address to the XTM device. For example, if your external interface IP address is
203.0.113.2/24, the RIP policy must allow traffic from the broadcast address 203.0.113.255 to the
XTM device.
After you configure the XTM device and the RIP router, select System Status > Routes and verify
that the XTM device has received route updates from the RIP router.
Sample RIP Routing Configuration File
To use any of the dynamic routing protocols with Fireware XTM, you must copy and paste a
configuration file for the dynamic routing daemon. This topic includes a sample configuration file for the
RIP routing daemon. If you want to use this configuration file as a base for your own configuration file,
copy the text into an application such as Notepad or Wordpad and save it with a new name. You can
then edit the parameters to meet the requirements of your organization.
Optional commands are commented with the "!" character. To enable a command, delete the "!" and
modify variables as necessary.
!! SECTION 1: Configure MD5 authentication keychains.
! Set MD5 authentication key chain name (KEYCHAIN), key number (1),
! and authentication key string (AUTHKEY).
! key chain KEYCHAIN
! key 1
! key-string AUTHKEY
!! SECTION 2: Configure interface properties.
! Set authentication for interface (eth1).
! interface eth1
!
! Set RIP simple authentication password (SHAREDKEY).
! ip rip authentication string SHAREDKEY
!
! Set RIP MD5 authentication and MD5 keychain (KEYCHAIN).
! ip rip authentication mode md5
! ip rip authentication key-chain KEYCHAIN
!
!! SECTION 3: Configure global RIP daemon properties.
! Set RIP to send or receive version 1; default is version 2.
! ip rip send version 1
! ip rip receive version 1
!
! Enable RIP daemon. Must be enabled for all RIP configurations.
! router rip
!
! Set RIP version to 1; default is version 2.
! version 1
!
! Disable split-horizon; the default (enabled) prevents routing loops.
! no ip rip split-horizon
!
!! SECTION 4: Configure interfaces and networks.
! Disable RIP send and receive on interface (eth0).
! no network eth0
!
! Set RIP to receive-only on interface (eth2).
! passive-interface eth2
!
! Set RIP to receive-only on all interfaces.
! passive-interface default
!
! Enable RIP broadcast (version 1) or multicast (version 2) on
! network (192.168.253.0/24)
! network 192.168.253.0/24
!
! Set unicast routing table updates to neighbor (192.168.253.254).
! neighbor 192.168.253.254
!! SECTION 5: Redistribute RIP routes to peers and inject OSPF or BGP
!! routes to RIP routing table.
! Share route of last resort (default route) from kernel routing table
! with RIP peers.
! default-information originate
!
! Redistribute firewall static routes to RIP peers.
! redistribute kernel
!
! Set route maps (MAPNAME) to restrict route redistribution in Section 6.
! Redistribute routes from all interfaces to RIP peers or with a route map
! filter (MAPNAME).
! redistribute connected
! redistribute connected route-map MAPNAME
!
! Redistribute routes from OSPF to RIP or with a route map filter (MAPNAME).
! redistribute ospf
! redistribute ospf route-map MAPNAME
!
! Redistribute routes from BGP to RIP or with a route map filter (MAPNAME).
! redistribute bgp
! redistribute bgp route-map MAPNAME
!! SECTION 6: Configure route redistribution filters with route maps and
!! access lists.
! Create an access list to only allow redistribution of 172.16.30.0/24.
! access-list LISTNAME permit 172.16.30.0/24
! access-list LISTNAME deny any
!
! Create a route map with name MAPNAME and allow with a priority of 10.
! route-map MAPNAME permit 10
! match ip address LISTNAME
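The following Python linter is an added example, not WatchGuard code or text from this guide. It checks a RIP routing daemon configuration file against the rules stated in this chapter before you paste it into the Dynamic Routing page: the section order from the RIP commands table, the subnet mask that RIP v2 requires on every network command, the split-horizon default, the choice between a simple password and an MD5 key chain on the interface, and, for RIP v1, the broadcast address that the DR-RIP-Allow policy must accept. The function names and the two configuration files in the block are constructed for this example.

```python
"""Lint a RIP routing daemon configuration file before it is pasted into
Network > Dynamic Routing.

Added example (not WatchGuard code). Function names are hypothetical and the
two configuration texts are constructed samples.
"""
import ipaddress
import re

# Top-level sections in the order the RIP commands table lists them.
SECTION_ORDER = ["key chain", "interface", "router rip", "access-list", "route-map"]


def active_commands(text):
    """Commands the daemon would act on: comment lines (first character '!'
    or '#') and blank lines are dropped, indentation is removed."""
    commands = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "!#":
            commands.append(line)
    return commands


def section_of(command):
    """Top-level section a command opens, or None for commands inside a section."""
    for name in SECTION_ORDER:
        if command.startswith(name):
            return name
    return None


def lint_rip_config(text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    version = 2              # daemon default, as the guide states
    last_index = -1
    has_router_rip = has_auth = plaintext_auth = False

    for cmd in active_commands(text):
        section = section_of(cmd)
        if section is not None:
            index = SECTION_ORDER.index(section)
            if index < last_index:
                findings.append(f"section '{section}' appears after "
                                f"'{SECTION_ORDER[last_index]}'; reorder the file")
            last_index = max(last_index, index)
        if cmd == "router rip":
            has_router_rip = True
        match = re.fullmatch(r"version ([12])", cmd)
        if match:
            version = int(match.group(1))
        if cmd.startswith("ip rip authentication string"):
            has_auth = plaintext_auth = True
        if cmd.startswith("ip rip authentication mode md5"):
            has_auth = True
        if cmd == "no ip rip split-horizon":
            findings.append("split-horizon disabled; the default (enabled) "
                            "prevents routing loops")
        match = re.fullmatch(r"network (\d+\.\d+\.\d+\.\d+)(/\d+)?", cmd)
        if match and version == 2 and match.group(2) is None:
            findings.append(f"'{cmd}' lacks a /M subnet mask; RIP v2 requires it")

    if not has_router_rip:
        findings.append("'router rip' missing; the daemon is not enabled")
    if not has_auth:
        findings.append("no RIP authentication on any interface; routes from any "
                        "host on the segment would be accepted")
    elif plaintext_auth:
        findings.append("simple password authentication in use; prefer an MD5 key chain")
    if version == 1:
        findings.append("RIP v1 in use; the DR-RIP-Allow policy must accept broadcasts "
                        "from the network broadcast address (see rip_v1_broadcast_source)")
    return findings


def rip_v1_broadcast_source(interface_cidr):
    """Broadcast address RIP v1 updates arrive from, for an interface given as
    address/prefix; the guide's 203.0.113.2/24 gives 203.0.113.255."""
    return str(ipaddress.ip_interface(interface_cidr).network.broadcast_address)


# Constructed samples: a weak file and its hardened counterpart.
WEAK_CONFIG = """\
! constructed sample: simple password, no mask, split-horizon off
interface eth1
 ip rip authentication string SHAREDKEY
 no ip rip split-horizon
router rip
 network 192.168.253.0
 redistribute kernel
"""

HARDENED_CONFIG = """\
! constructed sample: MD5 key chain, RIP v2 with masks, receive-only on eth2
key chain KEYCHAIN
 key 1
  key-string AUTHKEY
interface eth1
 ip rip authentication mode md5
 ip rip authentication key-chain KEYCHAIN
router rip
 version 2
 network 192.168.253.0/24
 passive-interface eth2
 redistribute kernel
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, lint_rip_config(cfg) or "OK")
    print("RIP v1 source for 203.0.113.2/24:", rip_v1_broadcast_source("203.0.113.2/24"))
```

Run the file on its own to see three findings for the weak sample and none for the hardened one. The check is deliberately a single-file view: it cannot tell whether the interfaces named in the file are the ones the DR-RIP-Allow policy listens on, so that restriction still has to be verified in the policy itself.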
About Open Shortest Path First (OSPF) Protocol
Support for this protocol is available only on Fireware XTM with a Pro upgrade.
OSPF (Open Shortest Path First) is an interior router protocol used in larger networks. With OSPF, a
router that sees a change to its routing table or that detects a change in the network immediately sends
a multicast update to all other routers in the network. OSPF is different from RIP because:
n OSPF sends only the part of the routing table that has changed in its transmission. RIP sends
the full routing table each time.
n OSPF sends a multicast only when its information has changed. RIP sends the routing table
every 30 seconds.
Also, note the following about OSPF:
n If you have more than one OSPF area, one area must be area 0.0.0.0 (the backbone area).
n All areas must be adjacent to the backbone area. If they are not, you must configure a virtual
link to the backbone area.
OSPF Commands
To create or modify a routing configuration file, you must use the correct routing commands. The
subsequent table is a catalog of supported routing commands for OSPF. The sections must appear in
the configuration file in the same order they appear in this table. You can also use the sample text
found in the Sample OSPF Routing Configuration File on page 369.
Section | Command | Description
Configure interface | interface eth[N] | Begin section to set properties for interface
 | ip ospf authentication-key [PASSWORD] | Set OSPF authentication password
 | ip ospf message-digest-key [KEY-ID] md5 [KEY] | Set MD5 authentication key ID and key
 | ip ospf cost [1-65535] | Set link cost for the interface (see the OSPF Interface Cost table below)
 | ip ospf hello-interval [1-65535] | Set interval to send hello packets; default is 10 seconds
 | ip ospf dead-interval [1-65535] | Set interval after last hello from a neighbor before declaring it down; default is 40 seconds
 | ip ospf retransmit-interval [1-65535] | Set interval between link-state advertisement (LSA) retransmissions; default is 5 seconds
 | ip ospf transmit-delay [1-3600] | Set time required to send LSA update; default is 1 second
 | ip ospf priority [0-255] | Set router priority; a higher value increases eligibility to become the designated router (DR)
Configure OSPF routing daemon | router ospf | Enable OSPF daemon
 | ospf router-id [A.B.C.D] | Set router ID for OSPF manually; router determines its own ID if not set
 | ospf rfc1583compatibility | Enable RFC 1583 compatibility (can lead to route loops)
 | ospf abr-type [cisco/ibm/shortcut/standard] | Set the area border router (ABR) type; more information about this command can be found in draft-ietf-ospf-abr-alt-05.txt
 | passive-interface eth[N] | Disable OSPF announcement on interface eth[N]
 | auto-cost reference-bandwidth [0-429495] | Set global cost (see the OSPF Interface Cost table below); do not use with the "ip ospf cost [COST]" command
 | timers spf [0-4294967295] [0-4294967295] | Set OSPF schedule delay and hold time
Enable OSPF on a network (the "area" variable can be typed in two formats: [W.X.Y.Z], or as an integer [Z]) | network [A.B.C.D/M] area [Z] | Announce OSPF on network A.B.C.D/M for area 0.0.0.Z
Configure properties for backbone area or other areas (the "area" variable can be typed in two formats: [W.X.Y.Z], or as an integer [Z]) | area [Z] range [A.B.C.D/M] | Create area 0.0.0.Z and set a classful network for the area (range and interface network and mask setting should match)
 | area [Z] virtual-link [W.X.Y.Z] | Set virtual link neighbor for area 0.0.0.Z
 | area [Z] stub | Set area 0.0.0.Z as a stub
 | area [Z] stub no-summary | Set area 0.0.0.Z as a stub that also receives no summary routes
 | area [Z] authentication | Enable simple password authentication for area 0.0.0.Z
 | area [Z] authentication message-digest | Enable MD5 authentication for area 0.0.0.Z
Redistribute OSPF routes | default-information originate | Share route of last resort (default route) with OSPF
 | default-information originate metric [0-16777214] | Share route of last resort (default route) with OSPF, and add a metric used to generate the default route
 | default-information originate always | Always share the route of last resort (default route)
 | default-information originate always metric [0-16777214] | Always share the route of last resort (default route), and add a metric used to generate the default route
 | redistribute connected | Redistribute routes from all interfaces to OSPF
 | redistribute connected metric [0-16777214] | Redistribute routes from all interfaces to OSPF, with a metric used for the action
Configure route redistribution with access lists and route maps | access-list [LISTNAME] permit [A.B.C.D/M] | Create an access list to allow distribution of A.B.C.D/M
 | access-list [LISTNAME] deny any | Restrict distribution of any route not specified above
 | route-map [MAPNAME] permit [N] | Create a route map with name [MAPNAME] and allow with a priority of [N]
 | match ip address [LISTNAME] | Match routes against access list [LISTNAME]
OSPF Interface Cost Table
The OSPF protocol finds the most efficient route between two points. To do this, it looks at factors
such as interface link speed, the number of hops between points, and other metrics. By default, OSPF
uses the actual link speed of a device to calculate the total cost of a route. You can set the interface
cost manually to help maximize efficiency if, for example, your gigabit firewall interface is connected to
a 100M router. Use the numbers in this table to manually set the interface cost to a value different from
the cost derived from the actual interface speed.
Interface Type | Bandwidth in bits/second | Bandwidth in bytes/second | OSPF Interface Cost
Ethernet | 1G | 128M | 1
Ethernet | 100M | 12.5M | 10
Ethernet | 10M | 1.25M | 100
Modem | 2M | 256K | 500
Modem | 1M | 128K | 1000
Modem | 500K | 62.5K | 2000
Modem | 250K | 31.25K | 4000
Modem | 125K | 15625 | 8000
Modem | 62500 | 7812 | 16000
Serial | 115200 | 14400 | 10850
Serial | 57600 | 7200 | 21700
Serial | 38400 | 4800 | 32550
Serial | 19200 | 2400 | 61120
Serial | 9600 | 1200 | 65535
Configure the XTM Device to Use OSPF
1. Select Network > Dynamic Routing.
The Dynamic Routing page appears.
2. Select the Enable Dynamic Routing check box.
3. Select the OSPF tab.
4. Select the Enable check box.
5. Copy and paste your routing daemon configuration file in the text box.
For more information, see About Routing Daemon Configuration Files on page 358.
To get started, you must have only two commands in your OSPF configuration file. These two
commands, in this order, start the OSPF process:
router ospf
network <network IP address of the interface you want the process to listen on and distribute through the protocol> area <area ID in x.x.x.x format, such as 0.0.0.0>
6. Click Save.
If necessary, Fireware XTM automatically adds the required dynamic routing policy or enables an
existing OSPF dynamic routing policy, if one exists.
For OSPF, the automatically created dynamic routing policy is called DR-OSPF-Allow. You can edit
this policy to add authentication and restrict the policy to listen on only the correct interfaces. The
DR-OSPF-Allow policy is configured to allow OSPF multicasts to the reserved multicast addresses for
OSPF.
After you configure the XTM device and the OSPF router, select System Status > Routes and verify
that the XTM device has received route updates from the OSPF router.
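The following Python checker is an added example, not WatchGuard code or text from this guide. It applies the OSPF rules stated in this chapter to configuration files before you paste them into the Dynamic Routing page: a file must contain "router ospf" followed by at least one "network A.B.C.D/M area Z" command, an area ID may be written as an integer Z (meaning 0.0.0.Z) or in dotted form, with more than one area one of them must be the backbone 0.0.0.0, and an area that is not adjacent to the backbone needs a virtual link through a transit area. Because adjacency is a property of the whole network rather than one router, the check takes the configuration files of several routers at once. The function names and the router configurations in the block are constructed for this example.

```python
"""Check the OSPF area layout of one or more routing daemon configuration
files against the rules in this chapter.

Added example (not WatchGuard code). Function names are hypothetical and the
router configurations are constructed samples.
"""
import ipaddress
import re

BACKBONE = "0.0.0.0"


def active_commands(text):
    """Commands the daemon would act on: comment ('!' or '#') and blank lines dropped."""
    return [line.strip() for line in text.splitlines()
            if line.strip() and line.strip()[0] not in "!#"]


def normalize_area(area):
    """Return the dotted form of an area ID given as 'Z' or 'W.X.Y.Z'."""
    if re.fullmatch(r"\d+", area):
        return str(ipaddress.IPv4Address(int(area)))   # '1' -> '0.0.0.1'
    return str(ipaddress.IPv4Address(area))            # raises on a malformed ID


def minimal_ospf_config(interface_cidr, area=BACKBONE):
    """The two-command file the guide describes as enough to start OSPF on the
    network of one interface, given as address/prefix."""
    network = ipaddress.ip_interface(interface_cidr).network
    return f"router ospf\n network {network} area {normalize_area(area)}\n"


def parse_ospf_config(text):
    """Return (networks, transit_areas): networks is a list of (prefix, area) pairs
    the router announces, transit_areas the areas it runs virtual links through."""
    networks, transit_areas = [], set()
    seen_router_ospf = False
    for cmd in active_commands(text):
        if cmd == "router ospf":
            seen_router_ospf = True
            continue
        match = re.fullmatch(r"network (\S+) area (\S+)", cmd)
        if match:
            if not seen_router_ospf:
                raise ValueError("'network ... area' must follow 'router ospf'")
            prefix = ipaddress.ip_network(match.group(1), strict=False)
            networks.append((str(prefix), normalize_area(match.group(2))))
            continue
        match = re.fullmatch(r"area (\S+) virtual-link (\S+)", cmd)
        if match:
            transit_areas.add(normalize_area(match.group(1)))
    if not seen_router_ospf:
        raise ValueError("'router ospf' missing; the daemon is not enabled")
    return networks, transit_areas


def check_area_layout(configs):
    """configs maps a router name to its OSPF configuration text. Returns findings
    about the combined area layout; an empty list means the guide's rules hold."""
    findings = []
    routers = {}
    for name, text in configs.items():
        networks, transit_areas = parse_ospf_config(text)
        if not networks:
            findings.append(f"{name}: no 'network ... area' command; nothing is announced")
        routers[name] = ({area for _, area in networks}, transit_areas)

    all_areas = set().union(*(areas for areas, _ in routers.values()))
    if len(all_areas) > 1 and BACKBONE not in all_areas:
        findings.append("more than one area configured but no backbone area 0.0.0.0")

    # An area is adjacent to the backbone when some router in it also sits in the
    # backbone, or reaches the backbone over a virtual link through one of its areas.
    for area in sorted(all_areas - {BACKBONE}):
        attached = any(BACKBONE in areas or transit & areas
                       for areas, transit in routers.values() if area in areas)
        if not attached:
            findings.append(f"area {area} is not adjacent to the backbone; "
                            f"configure 'area <transit area> virtual-link <router ID>'")
    return findings


# Constructed samples: R1 is an area border router; R2 joins area 2 to area 1.
R1 = """\
router ospf
 network 10.0.0.0/24 area 0.0.0.0
 network 10.0.1.0/24 area 1
"""
R2_NO_LINK = """\
router ospf
 network 10.0.1.0/24 area 1
 network 10.0.2.0/24 area 2
"""
R2_WITH_LINK = R2_NO_LINK + " area 1 virtual-link 10.0.0.1\n"

if __name__ == "__main__":
    print(check_area_layout({"R1": R1, "R2": R2_NO_LINK}))
    print(check_area_layout({"R1": R1, "R2": R2_WITH_LINK}) or "OK")
```

Without the virtual link, area 0.0.0.2 on R2 is reported as not adjacent to the backbone; adding "area 1 virtual-link 10.0.0.1" on R2 (area 1 as the transit area, 10.0.0.1 as the router ID of the backbone ABR) clears the finding. The checker reads only the "network", "area ... virtual-link" and "router ospf" commands, so the rest of a file (authentication, costs, timers) passes through untouched.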
Sample OSPF Routing Configuration File
To use any of the dynamic routing protocols with Fireware XTM, you must copy and paste a
configuration file for the dynamic routing daemon. This topic includes a sample configuration file for the
OSPF routing daemon. To use this configuration file as a base for your own configuration file, copy the
text into a new text file and save it with a new name. You can then edit the parameters to meet the
requirements of your organization.
Optional commands are commented with the "!" character. To enable a command, delete the "!" and
modify variables as necessary.
!! SECTION 1: Configure interface properties.
! Set properties for interface eth1.
! interface eth1
!
! Set simple authentication password (SHAREDKEY).
! ip ospf authentication-key SHAREDKEY
!
! Set MD5 authentication key ID (10) and MD5 authentication key (AUTHKEY).
! ip ospf message-digest-key 10 md5 AUTHKEY
!
! Set link cost to 1000 (1-65535) on interface eth1. See the OSPF
! interface cost table above for typical values.
! ip ospf cost 1000
!
! Set hello interval to 5 seconds (1-65535); default is 10 seconds.
! ip ospf hello-interval 5
!
! Set dead-interval to 15 seconds (1-65535); default is 40 seconds.
! ip ospf dead-interval 15
!
! Set interval between link-state advertisements (LSA) retransmissions
! to 10 seconds (1-65535); default is 5 seconds.
! ip ospf retransmit-interval 10
!
! Set LSA update interval to 3 seconds (1-3600); default is 1 second.
! ip ospf transmit-delay 3
!
! Set high priority (0-255) to increase eligibility to become the
! designated router (DR).
! ip ospf priority 255
!! SECTION 2: Start OSPF and set daemon properties.
! Enable OSPF daemon. Must be enabled for all OSPF configurations.
! router ospf
!
! Set the router ID manually to 100.100.100.20. If not set, the firewall will
! set its own ID based on an interface IP address.
! ospf router-id 100.100.100.20
!
! Enable RFC 1583 compatibility (increases probability of routing loops).
! ospf rfc1583compatibility
!
! Set area border router (ABR) type to cisco, ibm, shortcut, or standard.
! More information about ABR types is in draft-ietf-ospf-abr-alt-05.txt.
! ospf abr-type cisco
!
! Disable OSPF announcement on interface eth0.
! passive interface eth0
!
! Set the reference bandwidth used for automatic link cost calculation to 1000 (0-429495).
! auto-cost reference-bandwidth 1000
!
! Set SPF schedule delay to 25 (0-4294967295) seconds and hold time to
! 20 (0-4294967295) seconds; default is 5 and 10 seconds.
! timers spf 25 20
!! SECTION 3: Set network and area properties. Set areas with W.X.Y.Z
!! or Z notation.
! Announce OSPF on network 192.168.253.0/24 network for area 0.0.0.0.
! network 192.168.253.0/24 area 0.0.0.0
!
! Create area 0.0.0.1 and set a classful network range (172.16.254.0/24)
! for the area (range and interface network settings must match).
! area 0.0.0.1 range 172.16.254.0/24
!
! Set virtual link neighbor (172.16.254.1) for area 0.0.0.1.
! area 0.0.0.1 virtual-link 172.16.254.1
!
! Set area 0.0.0.1 as a stub on all routers in area 0.0.0.1.
! area 0.0.0.1 stub
!
! Set area 0.0.0.2 as a stub area that also receives no summary LSAs.
! area 0.0.0.2 stub no-summary
!
! Enable simple password authentication for area 0.0.0.0.
! area 0.0.0.0 authentication
!
! Enable MD5 authentication for area 0.0.0.1.
! area 0.0.0.1 authentication message-digest
!! SECTION 4: Redistribute OSPF routes
! Share route of last resort (default route) from kernel routing table
! with OSPF peers.
! default-information originate
!
! Redistribute static routes to OSPF.
! redistribute kernel
!
! Redistribute routes from all interfaces to OSPF, optionally filtered
! by the route map MAPNAME defined in section 5.
! redistribute connected
! redistribute connected route-map MAPNAME
!! Redistribute routes from RIP and BGP to OSPF.
! redistribute rip
! redistribute bgp
!! SECTION 5: Configure route redistribution filters with access lists
!! and route maps.
! Create an access list to only allow redistribution of 10.0.2.0/24.
! access-list LISTNAME permit 10.0.2.0/24
! access-list LISTNAME deny any
!
! Create a route map with name MAPNAME and allow with a
! priority of 10 (1-199).
! route-map MAPNAME permit 10
! match ip address LISTNAME
About Border Gateway Protocol (BGP)
Support for this protocol is available only in Fireware XTM with a Pro upgrade.
Border Gateway Protocol (BGP) is a scalable dynamic routing protocol used on the Internet by groups
of routers to share routing information. BGP uses route parameters or attributes to define routing
policies and create a stable routing environment. This protocol allows you to advertise more than one
path to and from the Internet to your network and resources, which gives you redundant paths and can
increase your uptime.
Hosts that use BGP use TCP to send updated routing table information when one host finds a change.
The host sends only the part of the routing table that has the change. BGP uses classless interdomain
routing (CIDR) to reduce the size of the Internet routing tables. The size of the BGP routing table in
Fireware XTM is set at 32K.
The size of the typical WatchGuard customer wide area network (WAN) is best suited for OSPF
dynamic routing. A WAN can also use external border gateway protocol (EBGP) when more than one
gateway to the Internet is available. EBGP allows you to take full advantage of the redundancy
possible with a multi-homed network.
To participate in BGP with an ISP, you must have a public autonomous system number (ASN). You
must get an ASN from one of the regional registries in the table below. After you are assigned your own
ASN, you must contact each ISP to get their ASNs and other necessary information.

Region          Registry Name   Web Site
North America   ARIN            www.arin.net
Europe          RIPE NCC        www.ripe.net
Asia Pacific    APNIC           www.apnic.net
Latin America   LACNIC          www.lacnic.net
Africa          AfriNIC         www.afrinic.net
BGP Commands
To create or modify a routing configuration file, you must use the correct routing commands. The
table below lists the supported BGP routing commands. The sections must appear in the
configuration file in the same order they appear in this table.
Do not use BGP configuration parameters that you do not get from your ISP.

Section: Configure BGP Routing Daemon
  router bgp [ASN] | Enable the BGP daemon and set the autonomous system number (ASN); this is supplied by your ISP
  network [A.B.C.D/M] | Announce BGP on network A.B.C.D/M
  no network [A.B.C.D/M] | Disable BGP announcements on network A.B.C.D/M

Section: Set Neighbor Properties
  neighbor [A.B.C.D] remote-as [ASN] | Set neighbor as a member of remote ASN
  neighbor [A.B.C.D] ebgp-multihop | Set neighbor on another network using EBGP multi-hop
  neighbor [A.B.C.D] version [4|4-] | Set BGP version (4, 4-) for communication with neighbor; default is 4
  neighbor [A.B.C.D] update-source [WORD] | Set the BGP session to use a specific interface for TCP connections
  neighbor [A.B.C.D] default-originate | Announce default route to BGP neighbor [A.B.C.D]
  neighbor [A.B.C.D] port 189 | Set custom TCP port to communicate with BGP neighbor [A.B.C.D]
  neighbor [A.B.C.D] send-community | Set peer send-community
  neighbor [A.B.C.D] weight 1000 | Set a default weight for neighbor [A.B.C.D] routes
  neighbor [A.B.C.D] maximum-prefix [NUMBER] | Set maximum number of prefixes allowed from this neighbor

Section: Community Lists
  ip community-list [<1-99>|<100-199>] permit AA:NN | Specify the community to accept: autonomous system number and network number separated by a colon

Section: Peer Filtering
  neighbor [A.B.C.D] distribute-list [LISTNAME] [IN|OUT] | Set distribute list and direction for peer
  neighbor [A.B.C.D] prefix-list [LISTNAME] [IN|OUT] | Apply a prefix list to be matched to incoming or outgoing advertisements to that neighbor
  neighbor [A.B.C.D] filter-list [LISTNAME] [IN|OUT] | Match an autonomous system path access list to incoming or outgoing routes
  neighbor [A.B.C.D] route-map [MAPNAME] [IN|OUT] | Apply a route map to incoming or outgoing routes

Section: Redistribute Routes to BGP
  redistribute kernel | Redistribute static routes to BGP
  redistribute rip | Redistribute RIP routes to BGP
  redistribute ospf | Redistribute OSPF routes to BGP

Section: Route Reflection
  bgp cluster-id A.B.C.D | Configure the cluster ID if the BGP cluster has more than one route reflector
  neighbor [W.X.Y.Z] route-reflector-client | Configure the router as a BGP route reflector and configure the specified neighbor as its client

Section: Access Lists and IP Prefix Lists
  ip prefix-list PRELIST permit A.B.C.D/E | Set prefix list
  access-list NAME [deny|permit] A.B.C.D/E | Set access list
  route-map [MAPNAME] permit [N] | In conjunction with the "match" and "set" commands, this defines the conditions and actions for redistributing routes
  match ip address prefix-list [LISTNAME] | Matches the specified prefix list
  set community [A:B] | Set the BGP community attribute
  match community [N] | Matches the specified community list
  set local-preference [N] | Set the preference value for the autonomous system path
Configure the XTM Device to Use BGP
To participate in BGP with an ISP you must have a public autonomous system number (ASN). For
more information, see About Border Gateway Protocol (BGP) on page 372.
1. Select Network > Dynamic Routing.
The Dynamic Routing page appears.
2. Select the Enable Dynamic Routing check box.
3. Select the BGP tab.
4. Select the Enable check box.
5. Copy and paste your routing daemon configuration file in the text box.
For more information, see About Routing Daemon Configuration Files on page 358.
To get started, you need only three commands in your BGP configuration file. These three
commands start the BGP process, set up a peer relationship with the ISP, and create a route for
a network to the Internet. You must use the commands in this order:
router bgp <BGP autonomous system number supplied by your ISP>
network <network IP address that you want to advertise a route to from the Internet>
neighbor <IP address of neighboring BGP router> remote-as <BGP autonomous system number>
6. Click Save.
If necessary, Fireware XTM automatically adds the required dynamic routing policy, or enables the
existing BGP dynamic routing policy if one already exists.
For BGP, the automatically created dynamic routing policy is called DR-BGP-Allow. You can edit this
policy to add authentication and restrict the policy to listen on only the correct interfaces.
After you configure the XTM device and the BGP router, select System Status > Routes and verify
that the XTM device has received route updates from the BGP router.
Sample BGP Routing Configuration File
To use any of the dynamic routing protocols with Fireware XTM, you must import or type a
configuration file for the dynamic routing daemon. This topic includes a sample configuration file for the
BGP routing daemon. If you want to use this configuration file as a base for your own configuration file,
copy the text into an application such as Notepad or Wordpad and save it with a new name. You can
then edit the parameters to meet your own business requirements.
Optional commands are commented with the "!" character. To enable a command, delete the "!" and
modify variables as necessary.
!! SECTION 1: Start BGP daemon and announce network blocks to BGP neighbors
! Enable BGP and set local ASN to 100
! router bgp 100
! Announce local network 64.74.30.0/24 to all neighbors defined in section 2
! network 64.74.30.0/24
!! SECTION 2: Neighbor properties
! Set neighbor (64.74.30.1) as member of remote ASN (200)
! neighbor 64.74.30.1 remote-as 200
! Set neighbor (208.146.43.1) on another network using EBGP multi-hop
! neighbor 208.146.43.1 remote-as 300
! neighbor 208.146.43.1 ebgp-multihop
! Set BGP version (4, 4-) for communication with a neighbor; default is 4
! neighbor 64.74.30.1 version 4
! Announce default route to BGP neighbor (64.74.30.1)
! neighbor 64.74.30.1 default-originate
! Set custom TCP port 189 to communicate with BGP neighbor (64.74.30.1). Default
! port is TCP 179
! neighbor 64.74.30.1 port 189
! Set peer send-community
! neighbor 64.74.30.1 send-community
! Set a default weight for neighbor's (64.74.30.1) routes
! neighbor 64.74.30.1 weight 1000
! Set maximum number of prefixes allowed from this neighbor
! neighbor 64.74.30.1 maximum-prefix NUMBER
!! SECTION 3: Set community lists
! ip community-list 70 permit 7000:80
!! SECTION 4: Announcement filtering
! Set distribute list and direction for peer
! neighbor 64.74.30.1 distribute-list LISTNAME [in|out]
! To apply a prefix list to be matched to incoming or outgoing advertisements to that neighbor
! neighbor 64.74.30.1 prefix-list LISTNAME [in|out]
! To match an autonomous system path access list to incoming or outgoing routes
! neighbor 64.74.30.1 filter-list LISTNAME [in|out]
! To apply a route map to incoming or outgoing routes
! neighbor 64.74.30.1 route-map MAPNAME [in|out]
!! SECTION 5: Redistribute routes to BGP
! Redistribute static routes to BGP
! redistribute kernel
! Redistribute RIP routes to BGP
! redistribute rip
! Redistribute OSPF routes to BGP
! redistribute ospf
!! SECTION 6: Route reflection
! Set cluster ID and firewall as a client of route reflector server 51.210.0.254
! bgp cluster-id A.B.C.D
! neighbor 51.210.0.254 route-reflector-client
!! SECTION 7: Access lists and IP prefix lists
! Set prefix list
! ip prefix-list PRELIST permit 10.0.0.0/8
! Set access list
! access-list NAME deny 64.74.30.128/25
! access-list NAME permit 64.74.30.0/25
! Create a route map with name MAPNAME and allow with a priority of 10
! route-map MAPNAME permit 10
! match ip address prefix-list LISTNAME
! set community 7000:80
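The minimal OSPF file (router ospf, then network ... area) and the minimal BGP file (router bgp, network, neighbor ... remote-as) described in the two configuration topics above, together with the "!" comment convention of the sample files, can be checked before the text is pasted into the Web UI. The following Python checker is an added example, not WatchGuard code; the sample configurations inside it are constructed (RFC 5737 addresses, private ASNs), and its warnings come from the hardening commands the sample files leave commented out.

```python
"""Checker for a Fireware XTM routing daemon configuration file.
Added example, not WatchGuard code. Rules from this guide: a line that
starts with "!" is a comment; the OSPF file starts with "router ospf" then
"network <prefix> area <id>"; the BGP file starts with "router bgp <ASN>"
then "network" and "neighbor ... remote-as". Hardening commands the sample
files leave commented out are reported as warnings, not errors."""
import re
from typing import Dict, List


def active_commands(config: str) -> List[str]:
    """Return the commands the daemon would execute, in file order."""
    cmds = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):    # "!" marks a comment line
            continue
        cmds.append(re.sub(r"\s+", " ", line))  # normalise inner spacing
    return cmds


def check_routing_config(config: str) -> List[str]:
    """Return findings prefixed ERROR: or WARN:; an empty list means clean."""
    cmds = active_commands(config)
    if not cmds:
        return ["ERROR: no active commands; every line is commented out with '!'"]
    first = cmds[0]
    if first == "router ospf":
        return _check_ospf(cmds)
    if first.startswith("router bgp"):
        return _check_bgp(cmds)
    return [f"ERROR: first active command must be 'router ospf' or "
            f"'router bgp <ASN>', found '{first}'"]


def _check_ospf(cmds: List[str]) -> List[str]:
    findings = []
    if not any(re.fullmatch(r"network \S+ area \S+", c) for c in cmds):
        findings.append("ERROR: OSPF: no 'network <prefix> area <id>' after 'router ospf'")
    # Without authentication any host on the segment can exchange OSPF
    # messages with the device, so report the absence of both forms.
    area_auth = any(c.startswith("area ") and
                    c.endswith(("authentication", "message-digest")) for c in cmds)
    if_auth = any(c.startswith(("ip ospf authentication-key",
                                "ip ospf message-digest-key")) for c in cmds)
    if not (area_auth or if_auth):
        findings.append("WARN: OSPF: no area or interface authentication configured")
    if "ospf rfc1583compatibility" in cmds:
        findings.append("WARN: OSPF: rfc1583compatibility enabled; the guide notes "
                        "it raises the chance of routing loops")
    return findings


def _check_bgp(cmds: List[str]) -> List[str]:
    findings = []
    if not re.fullmatch(r"router bgp \d+", cmds[0]):
        return ["ERROR: BGP: 'router bgp' must be followed by a numeric ASN"]
    if not any(re.fullmatch(r"network \S+/\d+", c) for c in cmds):
        findings.append("ERROR: BGP: no 'network <A.B.C.D/M>' command; nothing is announced")
    neighbors: Dict[str, List[str]] = {}   # neighbor IP -> its property commands
    for c in cmds:
        m = re.fullmatch(r"neighbor (\S+) (.+)", c)
        if m:
            neighbors.setdefault(m.group(1), []).append(m.group(2))
    if not neighbors:
        findings.append("ERROR: BGP: no 'neighbor <A.B.C.D> remote-as <ASN>' command")
    for ip, props in neighbors.items():
        if not any(re.fullmatch(r"remote-as \d+", p) for p in props):
            findings.append(f"ERROR: BGP: neighbor {ip} has no 'remote-as <ASN>'")
        if not any(p.startswith("maximum-prefix ") for p in props):
            findings.append(f"WARN: BGP: neighbor {ip} has no maximum-prefix limit")
        if not any(re.fullmatch(r"(distribute-list|prefix-list|filter-list|route-map) \S+ in", p)
                   for p in props):
            findings.append(f"WARN: BGP: neighbor {ip} has no inbound filter")
    return findings


# Constructed sample files (not the guide's): RFC 5737 addresses, private ASNs.
MINIMAL_BGP = """\
!! The three commands the guide calls the minimum BGP file.
router bgp 65001
network 203.0.113.0/24
neighbor 198.51.100.1 remote-as 65002
"""
HARDENED_BGP = MINIMAL_BGP + """\
neighbor 198.51.100.1 maximum-prefix 100
neighbor 198.51.100.1 prefix-list PRELIST in
ip prefix-list PRELIST permit 10.0.0.0/8
"""
MINIMAL_OSPF = """\
!! The two commands the guide calls the minimum OSPF file.
router ospf
network 192.0.2.0/24 area 0.0.0.0
"""

if __name__ == "__main__":
    for name, cfg in [("minimal BGP", MINIMAL_BGP), ("hardened BGP", HARDENED_BGP),
                      ("minimal OSPF", MINIMAL_OSPF)]:
        print(f"{name}: {check_routing_config(cfg) or ['clean']}")
```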
11 Authentication
About User Authentication
User authentication is a process that determines whether a user is who he or she claims to be and
verifies the privileges assigned to that user. On the XTM device, a user account has two parts: a user
name and a passphrase. Each user account is associated with an IP address. This combination of
user name, passphrase, and IP address helps the device administrator to monitor connections through
the device. With authentication, users can log in to the network from any computer, but access only
the network ports and protocols for which they are authorized. The XTM device can then map the
connections that start from a particular IP address and also transmit the session name while the user is
authenticated.
You can create firewall policies to give users and groups access to specified network resources. This is
useful in network environments where different users share a single computer or IP address.
You can configure your XTM device as a local authentication server, or use your existing Active
Directory or LDAP authentication server, or an existing RADIUS authentication server. When you use
Firebox authentication over port 4100, account privileges can be based on user name. When you use
third-party authentication, account privileges for users that authenticate to the third-party
authentication servers are based on group membership.
If you have configured your XTM device with an IPv6 address, you can use the IPv6 address for
Firebox authentication over port 4100. You can also use your XTM device to make IPv6 connections to
clients with IPv6 addresses when you use a third-party authentication server with an IPv4 address,
such as a RADIUS server.
The WatchGuard user authentication feature allows a user name to be associated with a specific IP
address to help you authenticate and track user connections through the device. With the device, the
fundamental question that is asked and answered with each connection is, Should I allow traffic from
source X to go to destination Y? For the WatchGuard authentication feature to work correctly, the IP
address of the user's computer must not change while the user is authenticated to the device.
In most environments, the relationship between an IP address and the user computer is stable enough
to use for authentication. For environments in which the association between the user and an IP
address is not consistent, such as kiosks or networks where applications are run from a terminal
server, we recommend that you use Terminal Services Agent for secure authentication. For more
information, see Install and Configure the Terminal Services Agent.
WatchGuard supports Authentication, Accounting, and Access control (AAA) in the firewall products,
based on a stable association between IP address and person.
The WatchGuard user authentication feature also supports authentication to an Active Directory
domain with Single Sign-On (SSO), as well as other common authentication servers. In addition, it
supports inactivity settings and session time limits. These controls restrict the amount of time an IP
address is allowed to pass traffic through the XTM device before users must supply their passwords
again (reauthenticate).
If you control SSO access with a white list and manage inactivity timeouts, session timeouts, and who
is allowed to authenticate, you can improve your control of authentication, accounting, and access
control.
To prevent a user from authenticating, you must disable the account for that user on the authentication
server.
User Authentication Steps
After you configure your XTM device as a local authentication server, the HTTPS server on the XTM
device accepts authentication requests. To authenticate, a user must connect to the authentication
portal web page on the XTM device.
1. Go to either:
https://[device interface IP address]:4100/
or
https://[device hostname]:4100
An authentication web page appears.
2. Type a user name and password.
3. Select the authentication server from the drop-down list, if more than one type of authentication
is configured.
The XTM device sends the name and password to the authentication server using PAP (Password
Authentication Protocol).
When authenticated, the user is allowed to use the approved network resources.
Because Fireware XTM uses a self-signed certificate by default for HTTPS, you see
a security warning from your web browser when you authenticate. You can safely
ignore this security warning. If you want to remove this warning, you can use a
third-party certificate or create a custom certificate that matches the IP address or
domain name used for authentication.
Manually Close an Authenticated Session
Users do not have to wait for the session timeout to close their authenticated sessions. They can
manually close their sessions before the timeout occurs. The Authentication web page must be open
for a user to close a session. If it is closed, the user must authenticate again to log out.
To close an authenticated session:
1. Go to the Authentication portal web page:
https://[device interface IP address]:4100/
or
https://[device host name]:4100
2. Click Logout.
If the Authentication portal web page is configured to automatically redirect to another
web page, the portal redirects just a few seconds after you open it. Make sure you
log out before the page redirects.
Manage Authenticated Users
You can use Fireware XTM Web UI to see a list of all the users authenticated to your XTM device and
close sessions for those users.
See Authenticated Users
To see the users authenticated to your XTM device:
1. Connect to Fireware XTM Web UI.
2. Select System Status > Authentication List.
A list of all users authenticated to the Firebox appears.
Close a User Session
From Fireware XTM Web UI:
1. Select System Status > Authentication List.
A list of all users authenticated to the Firebox appears.
2. Select one or more user names from the list.
3. Click Log off users.
Use Authentication to Restrict Incoming Traffic
One function of the authentication tool is to restrict outgoing traffic. You can also use it to restrict
incoming network traffic. When you have an account on the XTM device and the device has a public
external IP address, you can authenticate to the device from a computer external to the device.
For example, you can type this address in your web browser: https://<IP address of XTM device
external interface>:4100/ .
After you authenticate, you can use the policies that are configured for you on the device.
To enable a remote user to authenticate from the external network:
1. Select Firewall > Firewall Policies.
The Firewall Policies page appears.
2. Double-click the WatchGuard Authentication policy to edit it.
This policy appears after you add a user or group to a policy configuration.
The Edit page appears.
3. From the Connections are drop-down list, make sure Allowed is selected.
4. In the From section, click Add.
The Add Member dialog box appears.
5. From the Member type drop-down list, select Alias.
6. From the list of members, select Any.
7. Click OK.
Any appears in the From list.
8. In the To section, click Add.
9. From the Member type drop-down list, select Alias.
10. From the list of members, select Firebox.
11. Click OK.
Firebox appears in the To list.
12. Click Save.
Use Authentication Through a Gateway Firebox
The gateway Firebox is the XTM device that you place in your network to protect your Management
Server from the Internet.
To send an authentication request through a gateway Firebox to a different device, you must have a
policy that allows the authentication traffic on the gateway device. If authentication traffic is denied on
the gateway device, add the WG-Auth policy. This policy controls traffic on TCP port 4100. You must
configure the policy to allow traffic to the IP address of the destination device.
About the WatchGuard Authentication (WG-Auth) Policy
The WatchGuard Authentication (WG-Auth) policy is automatically added to your XTM device
configuration when you add the first policy that has a user or group name in the From list on the Policy
tab of the policy definition. The WG-Auth policy controls access to port 4100 on your XTM device. Your
users send authentication requests to the device through this port. For example, to authenticate to an
XTM device with an IP address of 10.10.10.10, your users type https://10.10.10.10:4100 in the
web browser address bar.
If you want to send an authentication request through a gateway device to a different device, you might
have to add the WG-Auth policy manually. If authentication traffic is denied on the gateway device, you
must use Policy Manager to add the WG-Auth policy. Modify this policy to allow traffic to the IP
address of the destination device.
For more information on when to modify the WatchGuard Authentication policy, see Use
Authentication to Restrict Incoming Traffic on page 383.
Set Global Firewall Authentication Values
When you configure your global authentication settings, you can configure the global values for firewall
authentication, such as timeout values, user login session limits, and authentication page redirect
settings. You can also enable Single Sign-On (SSO), and configure settings for Terminal Services. For
more information, see the topics Enable Single Sign-On (SSO) and Configure Terminal Services
Settings.
If you configure user login session limits for individual users or groups, the limits set for a group and for
a user override the global setting.
If your device runs Fireware XTM v11.0–v11.3.x, the Authentication Settings for
Terminal Services are not available.
Specify Firewall Authentication Settings
To configure Firewall Authentication settings:
1. Connect to Fireware XTM Web UI.
2. Select Authentication > Settings.
The Authentication Settings page appears.
3. Configure authentication settings as described in the subsequent sections.
4. Click Save.
Set Global Authentication Timeouts
You can set the time period that users remain authenticated after they close their last authenticated
connection. This timeout is set either on the Authentication Settings page, or in the Firebox User
dialog box.
For more information about user authentication settings and the Firebox User dialog box, see Define
a New User for Firebox Authentication on page 432.
For users authenticated by third-party servers, the timeouts set on those servers also override the
global authentication timeouts.
Global authentication timeout values for Firewall Authentication do not override the individual user
authentication timeout settings for Mobile VPN with PPTP and Mobile VPN with L2TP users.
Session Timeout
The maximum length of time the user can send traffic to the external network. If you set this
field to zero (0) seconds, minutes, hours, or days, the session does not expire and the user can
stay connected for any length of time.
Idle Timeout
The maximum length of time the user can stay authenticated when idle (not passing any traffic
to the external network). If you set this field to zero (0) seconds, minutes, hours, or days, the
session does not time out when idle and the user can stay idle for any length of time.
Allow Unlimited Concurrent Login Sessions
You can allow more than one user to authenticate with the same user credentials at the same time, to
one authentication server. This is useful for guest accounts or in laboratory environments. When the
second user logs in with the same credentials, the first user authenticated with the credentials is
automatically logged out. If you do not allow this feature, a user cannot authenticate to the
authentication server more than once at the same time.
On the Authentication Settings page:
Select Allow unlimited concurrent firewall authentication logins from the same account.
For Mobile VPN with IPSec and Mobile VPN with SSL users, concurrent logins from the same account
are always supported regardless of whether this option is selected. These users must log in from
different IP addresses for concurrent logins, which means that they cannot use the same account to
log in if they are behind an XTM device that uses NAT. Mobile VPN with PPTP and Mobile VPN with
L2TP users do not have this restriction.
Limit Login Sessions
From the Authentication Settings page, you can limit your users to a specific number of authenticated
sessions. If you select this option, you can specify the number of times your users can use the same
credentials to log in to one authentication server from different IP addresses. When a user is
authenticated and tries to authenticate again, you can select whether the first user session is
terminated when a subsequent session is authenticated, or if the subsequent sessions are rejected.
1. Select Limit concurrent user sessions to.
2. In the text box, type or select the number of allowed concurrent user sessions.
3. From the drop-down list, select an option:
- Reject subsequent login attempts
- Allow subsequent login attempts and log off the first session.
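The timeout and concurrent-session rules from the sections above (a Session Timeout or Idle Timeout of 0 never expires, per-user values override the global setting, and a login past the "Limit concurrent user sessions to" value is either rejected or logs off the first session) can be followed through in a small model. The Python below is an added example, not WatchGuard code; times are plain seconds and the users and addresses are constructed.

```python
"""Model of the Fireware XTM firewall authentication session rules.
Added example, not WatchGuard code. Rules from this guide: a Session Timeout
or Idle Timeout of 0 means the session never expires for that reason; limits
set for a user override the global setting; with "Limit concurrent user
sessions to N", a login past the limit is either rejected or logs off the
first session. Times are plain seconds and all names/addresses are made up."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    user: str
    ip: str             # address the session is bound to (must not change)
    started: float
    last_traffic: float


class FirewallAuthTable:
    def __init__(self, session_timeout: int, idle_timeout: int,
                 max_sessions: int = 1, on_limit: str = "reject",
                 user_overrides: Optional[Dict[str, Tuple[int, int]]] = None):
        if on_limit not in ("reject", "logoff_first"):
            raise ValueError("on_limit must be 'reject' or 'logoff_first'")
        self.session_timeout = session_timeout   # seconds; 0 = never expires
        self.idle_timeout = idle_timeout         # seconds; 0 = never expires
        self.max_sessions = max_sessions
        self.on_limit = on_limit
        self.user_overrides = user_overrides or {}   # user -> (session, idle)
        self.sessions: List[Session] = []
        self.log: List[str] = []

    def _timeouts(self, user: str) -> Tuple[int, int]:
        # Per-user limits override the global values.
        return self.user_overrides.get(user, (self.session_timeout, self.idle_timeout))

    def _expiry_reason(self, s: Session, now: float) -> Optional[str]:
        session_to, idle_to = self._timeouts(s.user)
        if session_to and now - s.started >= session_to:
            return "session timeout"
        if idle_to and now - s.last_traffic >= idle_to:
            return "idle timeout"
        return None

    def expire(self, now: float) -> List[str]:
        """Drop timed-out sessions; return 'user@ip: reason' for each."""
        removed = []
        for s in list(self.sessions):
            reason = self._expiry_reason(s, now)
            if reason:
                self.sessions.remove(s)
                removed.append(f"{s.user}@{s.ip}: {reason}")
        self.log += removed
        return removed

    def login(self, user: str, ip: str, now: float) -> Tuple[bool, str]:
        """Apply the concurrent-session limit, then record the new session."""
        self.expire(now)
        current = [s for s in self.sessions if s.user == user]
        if len(current) >= self.max_sessions:
            if self.on_limit == "reject":
                return False, f"rejected: {user} already has {len(current)} session(s)"
            first = min(current, key=lambda s: s.started)
            self.sessions.remove(first)
            self.log.append(f"{first.user}@{first.ip}: logged off by subsequent login")
        self.sessions.append(Session(user, ip, now, now))
        return True, f"authenticated {user} from {ip}"

    def traffic(self, ip: str, now: float) -> Optional[str]:
        """A connection from ip: return the user it maps to, or None."""
        self.expire(now)
        for s in self.sessions:
            if s.ip == ip:
                s.last_traffic = now
                return s.user
        return None

    def active_users(self) -> List[Tuple[str, str]]:
        """What System Status > Authentication List would show."""
        return [(s.user, s.ip) for s in self.sessions]


if __name__ == "__main__":
    table = FirewallAuthTable(session_timeout=3600, idle_timeout=600,
                              max_sessions=2, on_limit="reject")
    print(table.login("alice", "10.0.0.5", 0))
    print(table.login("alice", "10.0.0.6", 10))
    print(table.login("alice", "10.0.0.7", 20))      # third session rejected
    print(table.traffic("10.0.0.6", 700))            # idle 690 s: expired
    print(table.active_users())
```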
Specify the Default Authentication Server in the Authentication Portal
When your users log in to the Authentication Portal, they must select which authentication server to
use for authentication. Users can select from any of the authentication servers you have enabled. By
default, the first server in the list is Firebox-DB. You can change this setting so another enabled
authentication server is first in the list of authentication servers. This is helpful if you want your users to
authenticate with a server other than Firebox-DB.
To select the default authentication server:
From the Default authentication server on the authentication page drop-down list, select an
authentication server.
For example, if you want your users to authenticate to your Active Directory server named
Home AD, select Home AD from the drop-down list.
Automatically Redirect Users to the Authentication Portal
If you require your users to authenticate before they can get access to the Internet, you can choose to
automatically send users who are not already authenticated to the authentication portal, or have them
manually navigate to the portal. This applies only to HTTP and HTTPS connections.
Automatically redirect users to the authentication page
When you select this check box, all users who have not yet authenticated are automatically
redirected to the authentication portal when they try to get access to the Internet. If you do not
select this check box, unauthenticated users must manually navigate to the authentication
portal to log in.
For more information about user authentication, see User Authentication Steps on page 380.
Redirect traffic sent to the IP address of the XTM device to this host name
Select this check box to specify a host name for the page where your users are redirected,
when you choose to automatically redirect users to the authentication portal. Type the host
name in the text box.
Make sure that the host name matches the Common Name (CN) from the web server
certificate. This host name must be specified in the DNS settings for your organization and the
value of the host name must be the IP address of your XTM device.
If you have users who must manually authenticate to the authentication portal, and you use SSO, you
can add an SSO exception for those users to reduce the amount of time it takes for them to
authenticate. For more information about SSO exceptions, see Enable Single Sign-On (SSO).
Use a Custom Default Start Page
When you select the Auto redirect users to authentication page for authentication check box to
require your users to authenticate before they can get access to the Internet, the Authentication portal
appears when a user opens a web browser. If you want the browser to go to a different page after your
users successfully log in, you can define a redirect.
From the Authentication Settings page:
1. Select the Send a redirect to the browser after successful authentication check box.
2. In the text box, type the URL of the web site where users are redirected.
Set Management Session Timeouts
Use these options to set the time period that a user who is logged in with read/write privileges remains
authenticated before the XTM device terminates the session.
Session Timeout
The maximum length of time the user can send traffic to the external network. If you select zero
(0) seconds, minutes, hours, or days, the session does not expire and the user can stay
connected for any length of time.
Idle Timeout
The maximum length of time the user can stay authenticated when idle (not passing any traffic
to the external network). If you select zero (0) seconds, minutes, hours, or days, the session
does not expire when the user is idle, and the user can stay idle for any length of time.
About Single Sign-On (SSO)
When users log on to the computers in your network, they must give a user name and password. If you
use Active Directory authentication on your XTM device to restrict outgoing network traffic to specified
users or groups, your users must also complete an additional step: they must manually log in again to
authenticate to the XTM device and get access to network resources or the Internet. To simplify the log
in process for your users, you can use Single Sign-On (SSO). With SSO, your users on the trusted or
optional networks provide their user credentials one time (when they log on to their computers) and are
automatically authenticated to your XTM device.
The WatchGuard SSO Solution
The WatchGuard SSO solution includes these components: the SSO Agent, the SSO Client, the Event
Log Monitor, and the Exchange Monitor.
About the SSO Agent
To use SSO, you install the SSO Agent on the domain controller computer for your domain. This
enables the SSO Agent to run as a domain user account with domain admin privileges, and monitor
changes to your Active Directory users and groups. With these privileges, when users try to
authenticate to your domain, the SSO Agent can query the SSO Client on the client computer, the
Event Log Monitor, or the Exchange Monitor for the correct user credentials, and provide those user
credentials to your XTM device.
About the SSO Client
When you install the SSO Client software on your Windows or Mac OS X client computers, the SSO
Client receives the call from the SSO Agent and returns the user name and domain name for the user
who is currently logged in to the computer. The SSO Agent then contacts the Active Directory server
and uses the user name and domain name for the user to get group information and complete
credentials for the user.
About the Event Log Monitor
If you do not want to install the SSO Client on each client computer, you can instead install the Event
Log Monitor on a computer in each domain in your network, and configure the SSO Agent to get user
login information from the Event Log Monitor. This is known as clientless SSO. With clientless SSO,
the Event Log Monitor collects login information from the domain controller for users that have already
logged on to the domain. It then stores the user credentials and user group information for each user.
When the SSO Agent contacts the Event Log Monitor for user credentials, the Event Log Monitor
contacts the client computer over TCP port 445 to get the user logon credentials, retrieves the stored
user group membership information from the domain controller, and provides this information to the
SSO Agent. The Event Log Monitor continues to poll the client computer every five seconds to monitor
logon and logoff events, and connection abort issues. Any connection errors are recorded in the
eventlogmonitor.log file in the WatchGuard > Authentication Gateway directory on the computer
where the Event Log Monitor is installed.
If you have one domain that you use for SSO, you can install the Event Log Monitor on the same
domain controller computer where you install the SSO Agent. If you have more than one domain, you
must install the Event Log Monitor on one computer in each domain, but you only install the SSO Agent
on one domain controller in your network. The Event Log Monitor does not have to be installed on the
domain controller computer; it can be installed on any computer in the domain. The Event Log Monitor
must run as a user account in the Domain Admins group so it can get the user credentials.
About the Exchange Monitor
For your users with computers that run Windows or Mac OS X, or your users with mobile devices that
run iOS, Android, or Windows mobile operating systems, you can use the Exchange Monitor to get
user credentials and login information for SSO. To use the Exchange Monitor to get user login
information, you must install the Exchange Monitor on the same server where your Microsoft
Exchange Server is installed. Because Microsoft Exchange is integrated with your Active Directory
server, it can easily get the user credentials in your user store. Then, when a user successfully
connects to the Exchange Server to download email, the Exchange Monitor records the logon and
logoff events for the user, and gives the event information to the SSO Agent.
When a client computer connects to a Microsoft Exchange server, the IIS service on the Exchange
server records a log entry of the user logon event. To get the credentials for your users for SSO, the
Exchange Monitor verifies the logon and logoff events with the IIS service and keeps a list of all
currently active users. The Exchange Monitor queries the IIS service every three seconds to make
sure user information is current. When the SSO Agent contacts the Exchange Monitor, it sends the
user information to the SSO Agent. If the user is listed as logged in to the Exchange server, the SSO
Agent notifies the XTM device that the user is currently logged in, and the user is authenticated. If the
user is not included in the list of logged in users, the SSO Agent notifies the XTM device that the user
is not found in the list of active users, and the user is not authenticated.
For the Exchange Monitor to get the correct user information, the user names in the user accounts that
your users use to connect to your XTM device do not have to match the user names in the user
accounts on your Active Directory server, but your Active Directory server must be able to resolve the
user name from the XTM device with the user name in the Active Directory Users and Groups list.
The SSO Exchange Monitor is supported for use with only Microsoft Exchange 2003,
2007, or 2010.
For more information about how to configure the SSO Agent to use the Event Log Monitor and the
Exchange Monitor, see Configure the SSO Agent on page 400.
How SSO Works
For SSO to work, you must install the SSO Agent software. The SSO Client software is optional and is
installed on each client computer. The Event Log Monitor is optional, and is installed on a computer in
each of your domains. The Exchange Monitor is also optional, and is installed on the computer where
your Microsoft Exchange Server is installed. When the SSO Client, the Event Log Monitor, or the
Exchange Monitor software is installed, and the SSO Agent contacts a client computer for user
credentials, either the SSO Client, Event Log Monitor, or Exchange Monitor sends the correct user
credentials to the SSO Agent. When you configure the settings for the SSO Agent, you can specify
whether the SSO Agent queries the SSO Client, Event Log Monitor, or Exchange Monitor first. For
SSO to work correctly, you must either install the SSO Client on all your client computers or use either
the Event Log Monitor or Exchange Monitor to get correct user information.
SSO Component Compatibility
The components of the WatchGuard SSO solution offer configuration flexibility to enable all of your
Windows, Mac, and mobile users to have a seamless authentication experience. Here are the options,
at a glance:
SSO Component Windows Mac OS X iOS Android
SSO Agent ‡
SSO Client *
Event Log Monitor
Exchange Monitor
‡ Though the SSO Agent can be used with all supported platforms, it must be installed on the Windows computer that is
your domain controller.
* The SSO Client is available in two versions: Windows and Mac OS X.
Example Network Configurations for SSO
This first diagram shows a network with a single domain. The SSO Agent and the Event Log Monitor
are installed on the domain controller, the Exchange Monitor is installed on the Microsoft Exchange
server, and the SSO Client is installed on the client computer. With this configuration, you can specify
whether the SSO Agent contacts the SSO Client, the Event Log Monitor, or Exchange Monitor first.
For example, if you configure the SSO Agent to contact the SSO Client first, the Event Log Monitor
second, and the Exchange Monitor third, and the SSO Client is not available, the SSO Agent next
contacts the Event Log Monitor for the user credentials and group information. If the client computer is
a Mac OS or mobile device, the SSO Agent contacts the Event Log Monitor for the user login and logoff
information.
The Event Log Monitor does not have to be installed on the domain controller. You can also install the
Event Log Monitor on another computer on the same domain, as long as the Event Log Monitor runs as
a user account in the Domain Admins group.
The second diagram shows the configuration of a network with two domains. The SSO Agent is
installed on only one domain controller in your network, the SSO Client is installed on each client
computer, the Event Log Monitor is installed on a computer in each domain in your network, and the
Exchange Monitor is installed on your Microsoft Exchange Server. With this configuration, you can
specify whether the SSO Agent contacts the SSO Clients, the Event Log Monitors, or the Exchange
Monitor first. For example, if you configure the SSO Agent to contact the SSO Client first, the Event
Log Monitor second, and the Exchange Monitor third, and the SSO Client is not available, the SSO
Agent contacts the Event Log Monitor that is in the same domain as the client computer and gets the
user credentials and group information. If the client computer is a Mac OS or mobile device, the SSO
Agent contacts the Event Log Monitor for the user login and logoff information.
In your network environment, if more than one person uses the same computer, we recommend that
you either install the SSO Client software on each client computer, install the Event Log Monitor in
each domain, or install the Exchange Monitor on your Exchange server. Because there are access
control limitations if you do not use the SSO Client, Event Log Monitor, or Exchange Monitor, we
recommend that you do not use SSO without the SSO Client, the Event Log Monitor, or the Exchange
Monitor. For example, for services installed on a client computer (such as a centrally administered
antivirus client) that have been deployed so that users can log on with domain account credentials, the
XTM device gives all users access rights as defined by the first user that is logged on (and the groups
of which that user is a member), and not the credentials of the individual users that log on interactively.
Also, all log messages generated from user activity show the user name of the service account, and
not the individual user.
If you do not install the SSO Client, the Event Log Monitor, or the Exchange Monitor,
we recommend you do not use SSO for environments where users log on to
computers with service or batch logons. When more than one user is associated with
an IP address, network permissions might not operate correctly. This can be a
security risk.
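The risk described above is easiest to see on a table that maps each IP address to the users logged on from it. The Python below is an added illustration written for this guide (it is not WatchGuard code and does not reproduce the SSO Agent's internal logic): it replays a constructed, simplified set of Windows logon (4624) and logoff (4634) records, builds the IP-to-user mapping, reports the "first user logged on" that an IP-based lookup would hand every later user, and flags addresses shared by more than one user. The logon type values are the standard Windows Security log ones; the event records, host names and addresses are constructed sample data.

```python
import csv
import io
from collections import defaultdict

# Windows Security log logon types (4624 event schema): 2 Interactive, 10 RemoteInteractive,
# 11 CachedInteractive are real people at a keyboard; 4 Batch and 5 Service are not.
LOGON_TYPE_INTERACTIVE = {2, 10, 11}

# Constructed sample records (simplified, already correlated to a client IP; not real log output).
SAMPLE_EVENTS = """\
time,event_id,user,domain,logon_type,ip
09:00:00,4624,svc-antivirus,EXAMPLE,5,10.0.1.25
09:01:10,4624,alice,EXAMPLE,2,10.0.1.25
09:01:30,4624,bob,EXAMPLE,2,10.0.1.26
09:45:00,4634,alice,EXAMPLE,2,10.0.1.25
09:50:00,4624,carol,EXAMPLE,2,10.0.1.25
"""


def parse_events(text):
    """Parse the constructed CSV records into dicts with integer event_id and logon_type."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["event_id"] = int(row["event_id"])
        row["logon_type"] = int(row["logon_type"])
        rows.append(row)
    return rows


def build_ip_user_map(events, include_noninteractive=False):
    """Replay logon/logoff events and return {ip: [DOMAIN\\user, ...]} in logon order.

    With include_noninteractive=False, service and batch logons are ignored, which is what
    identifying the interactive user (SSO Client / Event Log Monitor) achieves in practice.
    """
    active = defaultdict(list)
    for ev in events:
        if not include_noninteractive and ev["logon_type"] not in LOGON_TYPE_INTERACTIVE:
            continue
        user = "%s\\%s" % (ev["domain"], ev["user"])
        users = active[ev["ip"]]
        if ev["event_id"] == 4624 and user not in users:
            users.append(user)
        elif ev["event_id"] == 4634 and user in users:
            users.remove(user)
    return {ip: users for ip, users in active.items() if users}


def effective_user(ip_map, ip):
    """The identity an IP-only lookup would apply to all traffic from ip: the first logged-on user."""
    users = ip_map.get(ip)
    return users[0] if users else None


def shared_ip_conflicts(ip_map):
    """Addresses where more than one user is logged on at once; each is a mis-attribution risk."""
    return {ip: users for ip, users in ip_map.items() if len(users) > 1}


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    naive = build_ip_user_map(events, include_noninteractive=True)
    print("IP-only view:", naive)
    print("10.0.1.25 would be treated as:", effective_user(naive, "10.0.1.25"))
    print("shared addresses:", shared_ip_conflicts(naive))
    precise = build_ip_user_map(events)
    print("interactive-only view:", precise, "conflicts:", shared_ip_conflicts(precise))
```

In the IP-only view, the service account that logged on first at 10.0.1.25 is what every later user on that computer would be authorized and logged as; once non-interactive logons are excluded, each address maps to the person actually at the keyboard and no address is shared.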
If you configure multiple Active Directory domains, you can choose to use either the SSO Client, the
Event Log Monitor, or the Exchange Server. For more information about how to configure the SSO
Client when you have multiple Active Directory domains, see Configure Active Directory
Authentication on page 456 and Install the WatchGuard Single Sign-On (SSO) Client on page 413.
If you enable Single Sign-On, you can also use Firewall authentication to log in to the Firewall
authentication page and authenticate with different user credentials. For more information, see Firewall
Authentication on page 430.
Single Sign-On (SSO) is configured separately for the Terminal Services Agent. For more information
about the Terminal Services Agent, see Install and Configure the Terminal Services Agent on page
419.
SSO is not supported for remote desktop sessions or for terminal sessions.
Before You Begin
Before you configure SSO for your network, verify that your network configuration meets these
prerequisites:
n You must have an Active Directory server configured on a trusted or optional network.
n Your XTM device must be configured to use Active Directory authentication.
n Each user must have an account set up on the Active Directory server.
n Each user must log on to a domain account for Single Sign-On (SSO) to operate correctly. If
users log on to an account that exists only on their local computers, their credentials are not
checked and the XTM device does not recognize that they are logged in.
n If you use third-party firewall software on your network computers, make sure that TCP port 445
(Samba/Windows Networking) is open on each client computer.
n Make sure that TCP port 445 (port for SMB) is open on the client computers.
n Make sure that TCP port 4116 is open on the client computers where you install the SSO Client.
n Make sure that TCP port 4114 is open on the domain controller computer where you install the
SSO Agent.
n Make sure that TCP port 4135 is open on the computer where you install the Event Log Monitor.
n Make sure that TCP port 4136 is open on the computer where you install the Exchange Monitor.
n Make sure that the Microsoft .NET Framework 2.0 or higher is installed on the computer where
you install the SSO Agent, the Event Log Monitor, and the Exchange Monitor.
n Make sure that all computers from which users authenticate with SSO are members of the
domain with unbroken trust relationships.
n Make sure the SSO Agent, the Event Log Monitor, and the Exchange Monitor run as a user
account in the Domain Admins group.
Set Up SSO
To use SSO, you must install the SSO Agent software. We recommend that you also use either the
Event Log Monitor, Exchange Monitor, or the SSO Client. Though you can use SSO with only the SSO
Agent, you increase your security and access control when you also use the SSO Client, the Event
Log Monitor, or the Exchange Monitor.
To set up SSO, follow these steps:
1. Install the WatchGuard Single Sign-On (SSO) Agent and Event Log Monitor (ELM is optional).
2. Install the WatchGuard Single Sign-On (SSO) Client (optional, but recommended).
3. Install the WatchGuard SSO Exchange Monitor (optional).
4. Enable Single Sign-On (SSO).
Install the WatchGuard Single Sign-On (SSO) Agent
To use Single Sign-On (SSO), you must install the WatchGuard Authentication Gateway, which
includes two components: the SSO Agent (mandatory) and the Event Log Monitor (optional).
The SSO Agent is a service that receives requests for Firebox authentication and checks user status
with the Active Directory server. The service runs with the name WatchGuard Authentication Gateway
on the computer where you install the SSO Agent software. This computer must have the Microsoft
.NET Framework 3.5 or later installed. You must install the SSO Agent to use Single Sign-On.
The Event Log Monitor is an optional component of the WatchGuard Authentication Gateway. If you do
not install the SSO Client on all of your client computers, we recommend that you install the Event Log
Monitor. When a logon event occurs, the Event Log Monitor polls the destination IP address (the client
computer) for the user name and domain name that was used to log in. Based on the user name
information, the Event Log Monitor gets the information about which users belong to which user
groups, and sends that information to the SSO Agent. This enables the SSO Agent to correctly identify
a user and make sure that each user can only log on from one computer at a time.
If you have more than one domain, install the SSO Agent on only one domain controller in your
network, and install the Event Log Monitor on one computer or domain controller in each of your
domains. The SSO Agent then contacts each Event Log Monitor to get information for the users on that
domain.
When you run the installer to install only the Event Log Monitor, make sure to clear the check box for
the SSO Agent component.
To install an additional WatchGuard Authentication Gateway component on a computer where you
have already installed one component, run the installer again and select the check boxes for both the
new component you want to install and for the previously installed component. If you do not select the
check box for the previously installed component, that component will be uninstalled.
For example, if you have already installed the SSO Agent on your domain controller and want to add
the Event Log Monitor, run the installer again and make sure that both SSO Agent and the Event Log
Monitor check boxes are selected. If you clear the check box for the SSO Agent, it is uninstalled.
Download the SSO Agent Software
1. Open a web browser and go to http://www.watchguard.com/.
2. Log in with your WatchGuard account user name and password.
The WatchGuard Portal appears with your portal Home page selected.
3. Select the Articles & Software tab.
The Articles & Software page appears.
4. In the Search text box, type the name of the software you want to install or the model of your
XTM device.
5. Clear the Article check box and make sure the Software Downloads check box is selected.
6. Click Go.
The Search Results page appears with a list of the available WatchGuard device models.
7. Select your XTM device model.
The Software Downloads page for the device you selected appears.
8. Download the WatchGuard Single Sign-On Agent software and save the file to a convenient
location.
Before You Install
The WatchGuard Authentication Gateway service must run as a user who is a member of the Domain
Admins group. We recommend that you create a new user account for this purpose and then add the
new user to the Domain Admins group. For the service to operate correctly, make sure you configure
this Domain Admin user account with a password that never expires.
Before you start the SSO Agent installer, make sure that the .NET Framework v3.5 is installed on the
server where you intend to install the WatchGuard Authentication Gateway. If version 3.5 of the .NET
Framework is not installed, the SSO Agent cannot run correctly.
Install the SSO Agent and the Event Log Monitor
If you have more than one domain, make sure to install the Event Log Monitor on each of your domain
controllers.
1. Double-click WG-Authentication-Gateway.exe to start the Authentication Gateway Setup
Wizard.
To run the installer on some operating systems, you might need to type a local administrator
password, or right-click and select Run as administrator.
2. To install the software, follow the instructions on each page and complete the wizard.
3. On the Select Components page, make sure to select the check box for each component you
want to install:
n WatchGuard Authentication Single Sign-On Agent
n WatchGuard Authentication Event Log Monitor
4. On the Domain User Login page, make sure to type the user name in the form:
domain\username. Do not include the .com or .net part of the domain name.
For example, if your domain is example.com and you use the domain account ssoagent, type
example\ssoagent.
You can also use the UPN form of the user name: [email protected]. If you use the UPN
form of the user name, you must include the .com or .net part of the domain name.
5. Click Finish to close the wizard.
When the wizard completes, the WatchGuard Authentication Gateway service starts automatically.
Each time the computer starts, the service starts automatically.
After you complete the Authentication Gateway installation, you must configure the domain settings for
the SSO Agent and Event Log Monitor. For more information, see Configure the SSO Agent on page
400.
Configure the SSO Agent
If you use multiple Active Directory domains, you must specify the domains to use for SSO (Single
Sign-On). After you have installed the SSO Agent, you can specify the domains to use for
authentication and synchronize the domain configuration with the SSO Agent. You can also specify
options to use SSO without the SSO Client. This is known as clientless SSO. You configure settings
for clientless SSO when you configure the SSO Agent. To configure the SSO Agent settings, you must
have administrator privileges on the computer where the SSO Agent is installed.
When you first launch the SSO Agent, it generates the Users.xml and AdInfos.xml configuration files.
These configuration files are encrypted and store the domain configuration details you specify when
you configure the SSO Agent.
The SSO Agent has two default accounts, administrator and status, that you can use to log in to the
SSO Agent. To make changes to the SSO Agent configuration, you must log in with the administrator
credentials. After you log in for the first time, we recommend you change the passwords for the default
accounts. The default credentials (username/password) for these accounts are:
n Administrator — admin/readwrite
n Status — status/readonly
For more information about Active Directory, see Configure Active Directory Authentication.
Log In to the SSO Agent Configuration Tool
1. Select Start > WatchGuard > WatchGuard SSO Agent Configuration Tool.
The SSO Agent Configuration Tool login dialog box appears.
2. In the User Name text box, type the administrator user name: admin.
3. In the Password text box, type the administrator password: readwrite.
The SSO Agent Configuration Tools dialog box appears.
4. Configure your SSO Agent as described in the subsequent sections.
Changes to the configuration are automatically saved.
Manage User Accounts and Passwords
After you log in for the first time, you can change the password for the default accounts. Because you
must log in with the administrator credentials to change the SSO Agent settings, make sure you
remember the password specified for the administrator account. You can also add new user accounts
and change the settings for existing user accounts. You can also use both the admin and status
accounts to open a telnet session to configure the SSO Agent.
For more information about how to use telnet with the SSO Agent, see Use Telnet to Debug the SSO
Agent.
Change a User Account Password
For the admin and status accounts, you can only change the password for the account; you cannot
change the user name.
From the SSO Agent Configuration Tools dialog box:
1. Select Edit > User Management.
The User Management Form dialog box appears.
2. Select the account to change.
For example, select admin.
3. Click Change Password.
The Change Password dialog box appears.
4. In the Password and Confirm Password text boxes, type the new password for this user
account.
5. Click OK.
Add a New User Account
From the SSO Agent Configuration Tools dialog box:
1. Select Edit > User Management.
The User Management Form appears.
2. Click Add User.
The Add User dialog box appears.
3. In the User Name text box, type the name for this user account.
4. In the Password and Confirm Password text boxes, type the password for this user account.
5. Select an access option for this account:
n Read-Only
n Read-Write
6. Click OK.
Edit a User Account
When you edit a user account, you can change only the access option. You cannot change the user
name or password for the account. To change the user name, you must add a new user account and
delete the old user account.
From the SSO Agent Configuration Tools dialog box:
1. Select Edit > User Management.
The User Management Form appears.
2. Select the account to change.
3. Click Edit User.
The Edit User dialog box appears.
4. Select a new access option for this account:
n Read-Only
n Read-Write
5. Click OK.
Delete a User Account
From the SSO Agent Configuration Tools dialog box:
1. Select Edit > User Management.
The User Management Form appears.
2. Select the account to delete.
3. Click Delete User.
The Delete User dialog box appears.
4. Verify the User Name is for the account you want to delete.
5. Click OK.
Configure Domains for the SSO Agent
To configure your SSO Agent, you can add, edit, and delete information about your Active Directory
domains. When you add or edit a domain, you must specify a user account to use to search your
Active Directory server. We recommend that you create a specific user account on your server with
permissions to search the directory and with a password that never expires.
Add a Domain
From the SSO Agent Configuration Tools dialog box:
1. Select Edit > Add Domain.
The Add Domain dialog box appears.
2. In the Domain Name text box, type the name of the domain.
For example, type my-example.com.
The domain name of your Active Directory server is case-sensitive. Make sure you type the
domain name exactly as it appears on the Active Directory tab in the Authentication Server
settings on your XTM device. For more information, see Configure Active Directory
Authentication.
3. In the NetBIOS Domain Name text box, type the first part of your domain name, without the
top level extension (such as, .com).
For example, type my-example.
4. In the IP Address of Domain Controller text box, type the IP address of the Active Directory
server for this domain.
To specify more than one IP address for the domain controller, separate the IP addresses with a
semicolon, without spaces.
5. In the Port text box, type the port to use to connect to this server.
The default setting is 389.
6. In the Searching User section, select an option:
n Distinguished Name (DN) (cn=ssouser,cn=users,dc=domain,dc=com)
n User Principal Name (UPN) ([email protected])
n Pre-Windows 2000 (netbiosDomain\ssouser)
7. In the text box, type the user information for the option you selected.
Make sure to specify a user who has permissions to search the directory on your Active
Directory server.
8. In the Password of Searching User and Confirm password text boxes, type the password
for the user you specified.
This password must match the password for this user account on your Active Directory server.
9. To add another domain, click OK & Add Next. Repeat Steps 2–8.
10. Click OK.
The domain name appears in the SSO Agent Configuration Tools list.
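The Add Domain form enforces several input rules that are easy to get wrong by hand: the domain name must match the XTM device's Active Directory setting character for character (it is case-sensitive), the NetBIOS name must carry no top-level extension, domain controller addresses are semicolon-separated with no spaces, and the searching user must be in one of three formats. The Python below is an added pre-flight validator written for this guide (not the SSO Agent Configuration Tool's own code) that applies those rules and classifies the searching-user format; the `validate_domain_entry` function and the sample values are constructed for the example.

```python
import ipaddress
import re

# Patterns for the three Searching User formats the Add Domain dialog accepts.
_DN_RE = re.compile(r"[A-Za-z]+=[^,]+(?:,[A-Za-z]+=[^,]+)+")      # cn=ssouser,cn=users,dc=domain,dc=com
_UPN_RE = re.compile(r"[^@\\\s]+@[^@\\\s]+\.[^@\\\s]+")            # ssouser@domain.com
_PRE2000_RE = re.compile(r"[^@\\\s]+\\[^@\\\s]+")                   # netbiosDomain\ssouser


def parse_dc_addresses(text):
    """Split the 'IP Address of Domain Controller' field: semicolon-separated, no spaces."""
    if text != text.strip() or " " in text:
        raise ValueError("IP address list must not contain spaces")
    addresses = []
    for part in text.split(";"):
        if not part:
            raise ValueError("empty entry in IP address list: %r" % text)
        addresses.append(str(ipaddress.ip_address(part)))   # raises ValueError on a bad address
    return addresses


def classify_searching_user(value):
    """Return 'DN', 'UPN' or 'Pre-Windows 2000' for the searching-user string, else raise."""
    if _DN_RE.fullmatch(value):
        return "DN"
    if _UPN_RE.fullmatch(value):
        return "UPN"
    if _PRE2000_RE.fullmatch(value):
        return "Pre-Windows 2000"
    raise ValueError("searching user is not in DN, UPN or domain\\user form: %r" % value)


def validate_domain_entry(domain_name, netbios_name, dc_addresses, port,
                          searching_user, xtm_configured_domain):
    """Check one Add Domain entry against the rules in this section; returns a normalized dict."""
    if domain_name != xtm_configured_domain:
        # The comparison is deliberately case-sensitive: 'Example.com' != 'example.com'.
        raise ValueError("domain name %r does not exactly match the XTM device setting %r"
                         % (domain_name, xtm_configured_domain))
    if "." in netbios_name or not netbios_name:
        raise ValueError("NetBIOS name must be the first label only, without .com/.net")
    if not 1 <= int(port) <= 65535:
        raise ValueError("port out of range")
    return {
        "domain": domain_name,
        "netbios": netbios_name,
        "domain_controllers": parse_dc_addresses(dc_addresses),
        "port": int(port),
        "searching_user": searching_user,
        "searching_user_format": classify_searching_user(searching_user),
    }


if __name__ == "__main__":
    # Constructed sample matching the example values used in this section.
    entry = validate_domain_entry("my-example.com", "my-example", "10.0.1.10;10.0.1.11", 389,
                                  "cn=ssouser,cn=users,dc=my-example,dc=com", "my-example.com")
    print(entry)
```

A dedicated, least-privilege searching account (read/search rights only, password set not to expire) is what the guide recommends for this field; the validator only checks the format, not the account's rights.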
Edit a Domain
When you edit an SSO domain, you can change all the settings except the domain name. If you want
to change the domain name, you must delete the domain and add a new domain with the correct name.
From the SSO Agent Configuration Tools dialog box:
1. Select the domain to change.
2. Select Edit > Edit Domain.
The Edit Domain dialog box appears.
3. Update the settings for the domain.
4. Click OK.
Delete a Domain
From the SSO Agent Configuration Tools dialog box:
1. Select the domain to delete.
2. Select Edit > Delete Domain.
A confirmation message appears.
3. Click Yes.
Configure Clientless SSO
If the SSO Client is not installed or is not available, you can configure the SSO Agent to use clientless
SSO to get user login information from the Event Log Monitors or Exchange Monitors. The Event Log
Monitors are also installed on one computer in each domain. The Exchange Monitor is installed on the
same computer where your Microsoft Exchange Server is installed.
If you use the Event Log Monitor, when a user tries to authenticate, the SSO Agent sends the user
name and IP address of the client computer to the Event Log Monitor. The Event Log Monitor then uses
this information to query the client computer over TCP port 445 and retrieve the user credentials from
the logon events on the client computer. The Event Log Monitor gets the user credentials from the
client computer and contacts the domain controller to get the user group information for the user. The
Event Log Monitor then provides this information to the SSO Agent.
If you do not install the SSO Client on your users' computers, make sure the Event Log Monitor is the
first entry in the SSO Agent Contacts list. If you specify the SSO Client as the primary contact, but
the SSO Client is not available, the SSO Agent queries the Event Log Monitor next, but this can cause
a delay.
For users with devices that run Mac OS X 10.6 and higher, iOS, or Android platforms, you can use the
Exchange Monitor to get login information for those users. When the Exchange Monitor is installed on
the same computer where your Microsoft Exchange Server is installed, the Exchange Monitor tracks
the logon and logoff actions of the domain account for each user and notifies the SSO Agent in real time
of these events.
After you install the SSO Agent, you must add the domain information of the domains where the Event
Log Monitors and Exchange Monitors are installed to the SSO Agent configuration in the Contact
Domains list. If you have only one domain and the SSO Agent is installed on the domain controller, or
if you have more than one domain and the Event Log Monitor and Exchange Monitor are on the same
domain as the SSO Agent, you do not have to specify the domain information for the domain controller
in the SSO Agent configuration Contact Domains list. If you have more than one Event Log Monitor or
Exchange Monitor in the Contact Domains list, the SSO Agent queries the first entry in the list for the
user credentials and group information. If the first Event Log Monitor or Exchange Monitor is not
available, or does not have the information for the user, the SSO Agent contacts the next monitor in the
list. This process continues until the SSO Agent has contacted all the available monitors in the list.
For more information about how to install the Event Log Monitor and Exchange Monitor, see Install the
WatchGuard Single Sign-On (SSO) Agent on page 398.
Before you configure and enable the settings for clientless SSO, you must make sure the client
computers on your domain have TCP port 445 open, or have File and printer sharing enabled, and have
the correct group policy configured to enable the Event Log Monitor to get information about user login
events. If this port is not open and the correct policy is not configured, the Event Log Monitor cannot
get group information and SSO does not work properly.
On your domain controller computer:
1. Open the Group Policy Object Editor and edit the Default Domain Policy.
2. Make sure the Audit Policy (Computer Configuration > Windows Settings > Security
Settings > Local Policies > Audit Policy) has the Audit account logon events and Audit
logon events policies enabled.
3. At the command line, run the command gpupdate /force /boot.
When the command runs, this message string appears:
Updating Policy… User Policy update has completed successfully. Computer
Policy update has completed successfully.
You can add, edit, and delete domain information for clientless SSO. For each domain name that you
add, you can specify more than one IP address for the domain controller. If the Event Log Monitor
cannot contact the domain controller at the first IP address, it tries to contact the domain controller at
the next IP address in the list.
From the SSO Agent Configuration Tools dialog box:
1. Select Edit > Clientless SSO.
The Clientless SSO Settings dialog box appears.
2. In the SSO Agent Contacts list, select the check box for each contact for the SSO Agent:
n SSO Client
n Event Log Monitor
n Exchange Monitor
3. To change the order of the SSO Agent Contacts, select a contact and click Up or Down.
You cannot change the position of the Exchange Monitor.
4. Add, edit, or delete a contact domain, as described in the subsequent sections.
5. Click OK to save your settings.
Add a Contact Domain
You can specify one or more domains for the Event Log Monitor or the Exchange Monitor to contact for
user login information.
When you add a domain for the Exchange Monitor, you must specify the IP addresses and the session
check interval for the Microsoft Exchange server. The session check interval specifies the amount of
time before the Exchange Monitor logs off a user that does not appear in the IIS logs on your Exchange
server as active. The default setting is 40 minutes. You must specify an interval of at least 5 minutes.
Add a Contact Domain for the Event Log Monitor
From the Clientless SSO Settings dialog box:
1. Click Add.
The Domain Settings dialog box appears.
2. For the Type option, select Event Log Monitor.
3. In the Domain Name text box, type the name of the domain that you want the Event Log
Monitor to contact for user credentials.
You must type the name in the format domain.com.
4. In the IP Addresses of Domain Controller text box, type the IP addresses for the
domain.
To specify more than one IP address for the domain controller, separate the IP addresses
with a semicolon, without spaces.
5. Click OK.
The domain information you specified appears in the Contact Domains list.
Add a Contact Domain for the Exchange Monitor
From the Clientless SSO Settings dialog box:
1. Click Add.
The Domain Settings dialog box appears.
2. For the Type option, select Exchange Monitor.
3. In the Domain Name text box, type the name of the domain that you want the Exchange
Monitor to contact for user credentials.
You must type the name in the format domain.com.
4. In the IP Addresses of Microsoft Exchange Server text box, type the IP addresses for
the domain.
To specify more than one IP address for the Exchange server, separate the IP addresses
with a semicolon, without spaces.
5. To change the Session Check Interval setting from the default setting of 40 minutes, type
or select a new interval.
6. Click OK.
The domain information you specified appears in the Contact Domains list.
Edit a Contact Domain
From the Clientless SSO Settings dialog box:
1. From the Contact Domains list, select the domain to change.
2. Click Edit.
The Event Log Monitor Settings dialog box appears.
3. Update the settings for the domain.
4. Click OK.
Delete a Domain
From the Clientless SSO Settings dialog box:
1. From the Contact Domains list, select the domain to delete.
2. Click Delete.
The domain is removed from the list.
Test the SSO Port Connection
To verify that the SSO Agent can contact the Event Log Monitor and the Exchange Monitor, you can
use the SSO Port Tester tool. With the SSO Port Tester tool, you can verify whether the SSO Agent
can contact a server at a single IP address, or servers at multiple IP addresses or a range of IP
addresses. To verify the connection for a single IP address or multiple IP addresses, rather than a
range of addresses, you import a plain text file that includes the IP addresses to test. You can also
specify the ports to test and the connection timeout interval.
From the Clientless SSO Settings dialog box:
1. Click Test SSO Port.
The SSO Port Tester dialog box appears.
2. In the Specify IP Addresses section, select an option:
- IP Address Range
- Import IP Addresses
3. If you selected IP Address Range, in the IP Address Range text boxes, type the range of IP
addresses to test.
If you selected Import IP Addresses, click and navigate to select the plain text file with the list
of IP addresses to test.
4. In the Ports text box, type the port numbers to test.
To test more than one port, type each port number, separated by a comma, without spaces.
5. Click Test.
The results of the port test appear in the SSO Port Tester window.
6. To save the test results in a log file, click Save log and specify the file name and location to
save the log file.
7. To stop the port tester tool process, click Quit.
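The following added Python example (not the WatchGuard SSO Port Tester and not code from this guide) performs the same kind of check: it accepts an IP address range or the contents of a plain text file with one IP address per line, a comma-separated port list, and a timeout, and reports whether a TCP connection to each address and port succeeds. The start_listener function is a local test fixture assumed for the example, not part of the tool.

```python
"""Added example: a small TCP port reachability check with the same inputs
as the SSO Port Tester (an IP address range or a text file with one IP per
line, a comma-separated port list, and a timeout).
Not WatchGuard code; start_listener is a local test fixture only."""
import ipaddress
import socket


def parse_ip_range(start, end):
    """Expand an inclusive IPv4 range into a list of address strings."""
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError(f"range end {last} precedes range start {first}")
    return [str(ipaddress.IPv4Address(n)) for n in range(int(first), int(last) + 1)]


def parse_ip_file(text):
    """Import-file format: one IP address per line; blank lines are ignored.
    Anything that is not a valid IPv4 address raises rather than being skipped."""
    return [str(ipaddress.IPv4Address(line.strip()))
            for line in text.splitlines() if line.strip()]


def parse_ports(text):
    """Ports typed as 'a,b,c' with no spaces, as the tool expects."""
    ports = [int(p) for p in text.split(",")]
    bad = [p for p in ports if not 1 <= p <= 65535]
    if bad:
        raise ValueError(f"port numbers out of range: {bad}")
    return ports


def tcp_port_open(host, port, timeout=3.0):
    """True when a TCP handshake completes within timeout; False on refusal,
    timeout, or any other socket error (a filtered port looks like a timeout)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_port_test(addresses, ports, timeout=3.0):
    """Test every address against every port; returns {(ip, port): bool}."""
    return {(ip, port): tcp_port_open(ip, port, timeout)
            for ip in addresses for port in ports}


def format_results(results):
    """One line per (ip, port), in the style of a results pane or saved log."""
    return [f"{ip}:{port} {'open' if ok else 'closed or filtered'}"
            for (ip, port), ok in sorted(results.items())]


def start_listener(host="127.0.0.1"):
    """Test fixture: a listening socket on an ephemeral port; returns (sock, port)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind((host, 0))
    server.listen(5)
    return server, server.getsockname()[1]


if __name__ == "__main__":
    server, port = start_listener()
    results = run_port_test(parse_ip_range("127.0.0.1", "127.0.0.1"),
                            parse_ports(str(port)), timeout=2.0)
    print("\n".join(format_results(results)))
    server.close()
```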
Use Telnet to Debug the SSO Agent
To debug your SSO Agent, you can use Telnet to connect to the SSO Agent on TCP port 4114 and run
commands to review information in the connection cache. You can also enable advanced debug
options. A list of the commands you can use in Telnet is available in the Telnet Help and in the
subsequent Telnet Commands List section.
We recommend that you only use these commands with direction from a
WatchGuard support representative.
To connect to your SSO Agent with Telnet, you must use a user account that is defined in the SSO
Agent Configuration Tool User Management settings. For more information, see Configure the SSO
Agent.
Before you begin, make sure that the Telnet Client is installed and enabled on your computer.
Open Telnet and Run Commands
To run Telnet commands, you can either open Telnet on the computer on which the SSO Agent is
installed, or use Telnet to make a remote connection to the SSO Agent over TCP port 4114. Make sure
that the SSO Agent service is started before you try to connect to it with Telnet.
1. Open a command prompt.
2. At the command prompt, type telnet <IP address of SSO Agent computer> 4114.
3. Press Enter on your keyboard.
The connection message appears.
4. To see a list of commands, type help and press Enter on your keyboard.
The list of common commands appears.
5. To run a command, type a command and press Enter on your keyboard.
Output for the command appears.
For more information about the commands you can use in Telnet, see the Telnet Commands List.
Enable Debug Logging
To send debug log messages to the log file, you must set the debug status to ON.
1. In the Telnet window, type set debug on.
2. Press Enter on your keyboard.
The message "41 OK — (verbose = False, logToFile=True)" appears.
When you enable debug logging for the SSO Agent, debug log messages for the SSO Clients
connected to the SSO Agent are also generated and sent to separate log files. After the debug log
messages have been sent to the log files, you can view them to troubleshoot any issues.
For the SSO Agent:
1. Go to the debug log file directory: \Program Files\WatchGuard\WatchGuard
Authentication Gateway
2. Open the debug log file: wagsrvc.log
For the SSO Client:
1. Go to the debug log file directory: \Program Files\WatchGuard\WatchGuard
Authentication Client
2. Open a debug log file: wgssoclient_logfile.log or wgssoclient_errorfile.log
Make sure to disable debug logging when you are finished.
1. In the Telnet window, type set debug off.
2. Press Enter on your keyboard.
Telnet Commands List
This table includes commands that you can run to help you debug the SSO Agent. Each entry lists the command, the Telnet message shown for it, and a description.

help
    Telnet message: Show help
    Description: Shows the list of all Telnet commands.

login <user> <password>
    Telnet message: Login user. Quote if space in credentials.
    Description: Type the user credentials to use to log in to the SSO Agent with Telnet.

logout
    Telnet message: Log out.
    Description: Log out of the SSO Agent.

get user <IP>
    Telnet message: Show all users logged in to <IP address>
    Description: Shows a list of all users logged in to the selected IP address.
    Ex: get user 192.168.203.107

get timeout
    Telnet message: Show the current timeout.

get status
    Telnet message: Show status about the connections.
    Description: Shows connection information used to analyze the overall load in your SSO environment.

get status detail
    Telnet message: Show connected SSO clients, pending, and processing IPs.
    Description: Shows detailed connection information used to analyze the overall load in your SSO environment.

get domain
    Telnet message: Show the current domain filter.
    Description: Gets information about the current domain filters from which the SSO Agent accepts authentication attempts.

get version <IP>
    Telnet message: Show the SSO component name, version, and build information for the IP address.
    Description: Gets information about the SSO components (SSO Agent, SSO Client, Event Log Monitor) that are installed at the specified IP address. The information returned includes the version and build numbers for each installed SSO component.

get version all
    Telnet message: Show the SSO component name, version, and build information for all the monitored IP addresses.
    Description: Gets information about the SSO components (SSO Client, Event Log Monitor) that are monitored by the SSO Agent. The information returned includes the version and build numbers for each installed SSO component.

log off <ip>
    Telnet message: Kill the IP session on Firebox and clear SSO EM internal cache
    Description: Ends the session of the specified IP address and removes the active session details for that IP address from the SSO Exchange Monitor internal cache.

set domainfilter on
    Telnet message: Turn on domain filter.
    Description: Permanently sets the domain filter to ON.

set domainfilter off
    Telnet message: Turn off domain filter.
    Description: Permanently sets the domain filter to OFF.

set user
    Telnet message: Set artificial user information (for debugging).
    Description: Changes the user information in the debug log files to a user name you select. This enables you to clearly track user information when you review debug log messages.

set debug on
    Telnet message: Save debug messages to a file in the same location as the .exe.
    Description: Sets debug logging on the SSO Agent to ON. This setting sends debug log messages to the log file, which provides detailed information for troubleshooting.
    Log file location:
    SSO Agent — \Program Files\WatchGuard\WatchGuard Authentication Gateway\wagsrvc.log
    SSO Client — \Program Files\WatchGuard\WatchGuard Authentication Client\wgssoclient_logfile.log and wgssoclient_errorfile.log

set debug verbose
    Telnet message: Enable additional log messages.
    Description: Includes additional log messages in the debug log files.

set debug off
    Description: Sets debug logging on the SSO Agent to OFF.

flush <ip>
    Telnet message: Clear cache of <ip> address.
    Description: Deletes all authentication information about the specified IP address from the SSO Agent cache.

flush all
    Telnet message: Clear cache of all <ip> addresses.
    Description: Deletes all authentication information currently available on the SSO Agent.

list
    Telnet message: Return list of all IP in cache with expiration.
    Description: Shows a list of all authentication information currently available on the SSO Agent.

list config
    Telnet message: Return list of all monitoring domain configurations.
    Description: Shows a list of all domains the SSO Agent is connected to.

list user
    Telnet message: Return list of all registered users.
    Description: Shows a list of all user accounts included in the SSO Agent configuration.

list eventlogmonitors
    Telnet message: Return list of all registered Event Log Monitors.
    Description: Shows a list of all instances of the Event Log Monitor and the version of each instance.

get log <IP>
    Telnet message: Get SSO Client logs and dmp files (if have) in zip format.
    Description: Download the SSO Client log files and DMP files in a ZIP file from the specified IP address.

get log <xxx.txt>
    Telnet message: Same as "get log <IP>', but support multiple ip, full path of txt required and one ip each line in the txt file. eg: get log C:\my test\ips.txt .
    Description: Download the SSO Client log files and DMP files in a ZIP file from each IP address specified in the TXT file. In the TXT file, each SSO Client IP address must be on a separate line and the full path to the log and dmp files for each SSO Client must be specified.

quit
    Telnet message: Terminate the connection.
    Description: Closes the Telnet connection to the SSO Agent.
Install the WatchGuard Single Sign-On (SSO) Client
As a part of the WatchGuard Single Sign-On (SSO) solution, you can install the WatchGuard
SSO Client. The SSO Client installs as a Windows service that runs under the Local System account
on a workstation to verify the credentials of the user currently logged in to that computer. When a user
tries to authenticate, the SSO Agent sends a request to the SSO Client for the user's credentials. The
SSO Client then returns the credentials of the user who is logged in to the workstation.
The SSO Client listens on TCP port 4116. When you install the SSO Client, port 4116 is automatically
opened on the workstation firewall.
If you configure multiple Active Directory domains, your users must install the SSO Client. For more
information, see Configure Active Directory Authentication on page 456.
Because the SSO Client installer is an MSI file, you can choose to automatically install it on your
users' computers when they log on to your domain. You can use an Active Directory Group Policy to
automatically install software when users log on to your domain. For more information about software
installation deployment for Active Directory group policy objects, see the documentation for your
operating system.
Download the SSO Client Software
1. Open a web browser and go to http://www.watchguard.com/.
2. Log in with your WatchGuard account user name and password.
3. Click the Articles & Software tab.
4. Find the Software Downloads for your XTM device.
5. Download the WatchGuard Single Sign-On Client software and save the file to a convenient
location.
Install the SSO Client Service
1. Double-click WG-Authentication-Client.msi to start the Authentication Client Setup Wizard.
On some operating systems, you might need to type a local administrator password to run the
installer.
2. To install the software, follow the instructions on each page and complete the wizard.
3. To see which drives are available to install the client, and how much space is available on each
of these drives, click Disk Cost.
4. Click Close to exit the wizard.
After the wizard completes, the WatchGuard Authentication Client service starts automatically.
Each time the computer starts, the service starts automatically.
Install the WatchGuard SSO Exchange Monitor
The WatchGuard SSO Exchange Monitor is an optional component of the WatchGuard SSO solution
that you can install for users who do not have the SSO Client and who use computers with Mac OS X
or mobile devices that run iOS, Android, or Windows mobile. The SSO Exchange Monitor enables the
SSO Agent to get user logon and logoff information for those users.
To use the Exchange Monitor, you must install it on the same server where your Microsoft Exchange
server is installed. The Exchange Monitor can then review the IIS service logs on your Exchange
server to get logon and logoff information for your users. When the SSO Agent contacts the Exchange
Monitor to find out if a user who wants to authenticate has a current session, the Exchange Monitor
sends the logon and logoff information for the user to the SSO Agent. The SSO Agent can then allow or
deny the user a connection to the XTM device.
System Requirements
On the computer where you install the Exchange Monitor:
- Microsoft Exchange 2003, 2007, or 2010 must be installed and configured
- TCP ports 540 and 4624 must be open
- Microsoft Exchange IIS logging must be enabled
Download the SSO Exchange Monitor Software
There are two installer file options for the SSO Exchange Monitor. Make sure to select the correct
installer file for your server environment:
- SSOExchangeMonitor_x64.exe — 64-bit servers
- SSOExchangeMonitor_x86.exe — 32-bit servers
To download an installer file:
1. Open a web browser and go to http://www.watchguard.com/.
2. Log in with your WatchGuard account user name and password.
The WatchGuard Portal appears with your portal Home page selected.
3. Select the Articles & Software tab.
The Articles & Software page appears.
4. In the Search text box, type the name of the software you want to install or the model of your
XTM device.
5. Clear the Article check box and make sure the Software Downloads check box is selected.
6. Click Go.
The Search Results page appears with a list of the available WatchGuard device models.
7. Select your XTM device model.
The Software Downloads page for the device you selected appears.
8. Download the correct WatchGuard Exchange Monitor installer file and save the file to a
convenient location.
Install the SSO Exchange Monitor
On the server where your Microsoft Exchange server is installed:
1. Double-click SSOExchangeMonitor_x64.exe or SSOExchangeMonitor_x86.exe to start the
installer.
To run the installer on some operating systems, you might need to type a local administrator
password, or right-click and select Run as administrator.
2. To install the software, follow the instructions on each page of the installation wizard and
complete the wizard.
3. On the Domain User Credentials page, type the domain user credentials to use for the
Exchange Monitor.
In the Domain User Name text box, make sure to type the user name in the format:
domain\username. Do not include .com or .net with the domain name.
For example, if your domain is example.com and you use the domain account ssoagent, type
example\ssoagent.
You can also use the UPN form of the user name: ssoagent@example.com. If you use the UPN
form of the user name, you must include .com or .net with the domain name.
4. Click Finish to close the wizard.
When the wizard completes, the WatchGuard Authentication Gateway service starts automatically.
Each time the computer starts, the service starts automatically.
After you complete the Authentication Gateway installation, you must configure the domain settings for
the SSO Agent and Exchange Monitor. For more information, see Configure the SSO Agent on page
400.
Enable Single Sign-On (SSO)
Before you can configure SSO, you must:
- Configure your Active Directory server
- Install the WatchGuard Single Sign-On (SSO) Agent
- Install the WatchGuard Single Sign-On (SSO) Client (Optional)
- Install the WatchGuard SSO Exchange Monitor (Optional)
If your device runs Fireware XTM v11.0–v11.3.x, the Authentication Settings for
Terminal Services are not available.
Enable and Configure SSO
To enable and configure SSO from Fireware XTM Web UI:
1. Select Authentication > Single Sign-On.
The Single Sign-On page appears.
2. Select the Enable Single Sign-On (SSO) with Active Directory check box.
3. In the SSO Agent IP address text box, type the IP address of your SSO Agent.
4. In the Cache data for text box, type or select the amount of time the SSO Agent caches data.
5. In the SSO Exceptions list, add or remove the IP addresses or ranges to exclude from SSO
queries.
For more information about SSO exceptions, see Define SSO Exceptions on page 416.
6. Click Save to save your changes.
Define SSO Exceptions
If your network includes devices with IP addresses that do not require authentication, such as network
servers, print servers, or computers that are not part of the domain, or if you have users on your internal
network who must manually authenticate to the authentication login portal, we recommend that you
add their IP addresses to the SSO Exceptions list. Each time a connection attempt occurs from an IP
address that is not in the SSO Exceptions list, the XTM device contacts the SSO Agent to try to
associate the IP address with a user name. This takes about 10 seconds. You can use the SSO
Exceptions list to prevent this delay for each connection, to reduce unnecessary network traffic, and
enable users to authenticate and connect to your network without delay.
When you add an entry to the SSO Exceptions list, you can choose to add a host IP address, network
IP address, subnet, or a host range.
To add an entry to the SSO Exceptions list:
1. Click Add.
The Add IP Addresses dialog box appears.
2. From the Choose Type drop-down list, select the type of entry to add to the SSO Exceptions
list:
- Host IP
- Network IP
- Host Range
The text boxes that appear change based on the type you select.
3. Type the IP address for the type you selected.
If you selected the type Host Range, type the start and end IP addresses for the range.
4. (Optional) In the Description text box, type a description to include with this exception in the
SSO Exceptions list.
5. Click OK.
The IP address or range appears in the SSO Exceptions list.
6. Click Save.
To remove an entry from the SSO Exceptions list:
1. From the SSO Exceptions list, select an entry.
2. Click Remove.
The selected entry is removed from the SSO Exceptions list.
3. Click Save.
Install and Configure the Terminal Services Agent
When you have more than one user who connects to your Terminal Server or Citrix server and then
connects to your network or the Internet, it can be difficult to control the individual traffic flows from
these users based on their user names or group memberships. This is because when one user
authenticates to the XTM device, the XTM device maps that user to the IP address of the Terminal
Server or Citrix server. Then, when another user sends traffic from the Terminal Server or Citrix server
IP address, it appears to the XTM device that this traffic also came from the first user that
authenticated. There is no way for the XTM device to distinguish which of the several users who are
concurrently logged on to your Terminal Server or Citrix server generated any particular traffic.
If your device runs Fireware XTM v11.0–v11.3.x, terminal services support is not
available and the configuration settings do not appear in the Web UI.
To make sure that your users are correctly identified, you must:
1. Install the WatchGuard Terminal Services Agent on your Terminal Server (2003, 2008, or 2012)
or Citrix server.
2. Configure your XTM device to authenticate users to the authentication portal over port 4100.
3. Enable Terminal Services settings in your XTM device configuration file.
After you complete these configuration settings, when each Terminal Server or Citrix server user
authenticates to your XTM device, the XTM device sends the Terminal Services Agent (TO Agent) a
user session ID for each user who logs in. The Terminal Services Agent monitors traffic generated by
individual users and reports the user session ID to the XTM device for each traffic flow generated by a
Terminal Server or Citrix server client. Your XTM device can then correctly identify each user and
apply the correct security policies to the traffic for each user, based on user or group names.
For more information about how to enable your XTM device to authenticate users over port 4100, see
Configure Your XTM Device as an Authentication Server on page 429 and About the WatchGuard
Authentication (WG-Auth) Policy on page 385.
When you use the Terminal Services Agent, your XTM device can enforce policies based on user or
group names only for traffic that is authenticated. If traffic comes to the XTM device without session ID
information, the XTM device manages the traffic in the same way it manages any other traffic for which
it does not have the username mapped to an IP address. If there is a policy in your configuration file
that can process traffic from that IP address, the XTM device uses that policy to process the traffic. If
there is no policy that matches the source IP address of the traffic, the XTM device uses the unhandled
packet rules to process the traffic.
For more information about how to configure settings for unhandled packets, see About Unhandled
Packets on page 724.
If you use the Terminal Services Agent, your XTM device cannot automatically redirect users to the
authentication portal.
To enable your XTM device to correctly process system related traffic from the Terminal Server or
Citrix server, the Terminal Services Agent uses a special user account named Backend-Service,
which is part of the Terminal Services Agent. The Terminal Services Agent identifies the traffic
generated by system processes (instead of user traffic) with the Backend-Service user account. You
can add this user to the Authorized Users and Groups list in your XTM device configuration and then
use it in a policy to allow traffic to and from your server. For example, you can add a custom packet
filter policy that is similar to the default Outgoing policy. Configure the policy to use the TCP-UDP
protocol and allow traffic from the Backend-Service user account to Any-External.
For more information about how to add the Backend-Service user account to your XTM device
configuration, see Use Authorized Users and Groups in Policies on page 468. Make sure to select Any
from the Auth Server drop-down list.
For more information about how to add a policy, see Add Policies to Your Configuration on page 500.
Make sure the updates on your Terminal Server or Citrix server are scheduled to run as the system,
local service, or network service user account. The Terminal Services Agent recognizes these user
accounts as the Backend-Service account and allows the traffic. If you schedule updates to run as a
different user account, that user must manually authenticate to the application portal for the server to
receive the updates. If that user is not authenticated to the authentication portal, the traffic is not
allowed and the server does not receive the update.
The Terminal Services Agent cannot control ICMP, NetBIOS, or DNS traffic. It also does not control
traffic to port 4100 for Firebox Authentication. To control these types of traffic, you must add specific
policies to your XTM device configuration file to allow the traffic.
Terminal services support is not available if your XTM device is in bridge mode or is a
member of an active/active FireCluster.
About Single Sign-On for Terminal Services
Terminal services also supports Single Sign-On (SSO) with the Terminal Services Agent. When a user
logs in to the domain, the Terminal Services Agent collects the user information (user credentials, user
groups, and domain name) from the Windows user logon event and sends it to the XTM device. The
XTM device then creates the authentication session for the user and sends the user session ID to the
Terminal Services Agent, so the user does not have to manually authenticate to the Authentication
Portal. When the user logs off, the Terminal Services Agent automatically sends the logoff information
to the XTM device, and the XTM device closes the authenticated session for that user.
Terminal Services SSO enables your users to log in once and automatically have access to your
network without additional authentication steps. With SSO for terminal services, users do not have to
manually authenticate to the Authentication Portal. Users who are logged in through terminal services
can, however, still manually authenticate with different user credentials. Manual authentication always
overrides SSO authentication.
Before You Begin
Before you install the Terminal Services Agent on your Terminal Server or Citrix server, make sure
that:
- The server operating system is Windows Server 2003 R2 or later
- Terminal services or remote desktop services is enabled on your server
- Ports 4131–4134 are open
Install the Terminal Services Agent
You can install the Terminal Services Agent on a Terminal Server or Citrix server with either a 32-bit or
a 64-bit operating system. There is one version of the Terminal Services Agent installer for both
operating systems.
To install the Terminal Services Agent on your server:
1. Log in to the WatchGuard web site and select the Articles & Software tab.
2. Find the Software Downloads for your XTM device.
3. Get the latest version of the TO Agent Installer and copy it to the server where you have
installed Terminal Services or a Citrix server.
4. Start the installer.
The TO Agent wizard appears.
5. To start the wizard, click Next.
6. Complete the wizard to install the Terminal Services Agent on your server.
7. Reboot your Terminal Server or Citrix server.
Configure the Terminal Services Agent
After you install the Terminal Services Agent on your Terminal Server or Citrix server, you can use the
TO Settings tool to configure the settings for the Terminal Services Agent.
1. Select Start > All programs > WatchGuard > TO Agent > Set Tool.
The TO Agent Settings dialog box appears, with the Destination Exception List tab selected.
2. To configure settings for the Terminal Services Agent, follow the instructions in the subsequent
sections.
3. Click Close.
Manage the Destination Exception List
Because it is not necessary for the Terminal Services Agent to monitor traffic that is not controlled by
the XTM device, you can specify one or more destination IP addresses, or a range of destination IP
addresses, for traffic that you do not want the Terminal Services Agent to monitor. This is usually
traffic that does not go through your XTM device, such as traffic that does not include a user account
(to which authentication policies do not apply), traffic within your network intranet, or traffic to your
network printers.
You can add, edit, and delete destinations for traffic that you do not want the Terminal Services Agent
to monitor.
To add a destination:
1. Select the Destination Exception List tab.
2. Click Add.
The Add Destination Exception dialog box appears.
3. From the Choose Type drop-down list, select an option:
- Host IP Address
- Network IP Address
- IP Address Range
4. If you select Host IP Address, type the IP Address for the exception.
If you select Network IP Address, type the Network Address and Mask for the exception.
If you select IP Address Range, type the Range start IP address and Range end IP address
for the exception.
5. Click Add.
The information you specified appears in the Destination Exception List.
6. To add more addresses to the Destination Exception List, repeat Steps 4–7.
To edit a destination in the list:
1. From the Destination Exception List, select a destination.
2. Click Edit.
The Destination Exception dialog box appears.
3. Update the details of the destination.
4. Click OK.
To delete a destination from the list:
1. From the Destination Exception List, select a destination.
2. Click Delete.
The selected address is removed from the list.
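Both the SSO Exceptions list (Define SSO Exceptions) and the Terminal Services Agent Destination Exception List accept the same three entry types: a host IP, a network IP with mask, and an inclusive range of hosts. This added Python example (not WatchGuard code and not from this guide) shows how such a list is matched against a source or destination address; the entries, descriptions and addresses are constructed.

```python
"""Added example: matching an address against an exception list of the kind
the SSO Exceptions list and the TO Agent Destination Exception List use.
Not WatchGuard code; the entries and addresses below are constructed."""
import ipaddress


def exception_entry(kind, value, description=""):
    """Normalise one entry to an inclusive (low, high) address pair.

    kind is "Host IP", "Network IP" (address with mask, e.g. 10.0.1.0/24 or
    10.0.1.0/255.255.255.0) or "Host Range" (start-end, both inclusive).
    """
    if kind == "Host IP":
        addr = ipaddress.IPv4Address(value)
        low, high = addr, addr
    elif kind == "Network IP":
        # strict=True rejects a network address with host bits set, which
        # usually means the mask was typed wrong
        net = ipaddress.IPv4Network(value, strict=True)
        low, high = net.network_address, net.broadcast_address
    elif kind == "Host Range":
        start, end = (ipaddress.IPv4Address(p.strip()) for p in value.split("-"))
        if end < start:
            raise ValueError(f"range end {end} precedes range start {start}")
        low, high = start, end
    else:
        raise ValueError(f"unknown entry type: {kind}")
    return {"kind": kind, "low": low, "high": high, "description": description}


def match_exception(entries, address):
    """Return the description of the first entry containing address, else None."""
    addr = ipaddress.IPv4Address(address)
    for entry in entries:
        if entry["low"] <= addr <= entry["high"]:
            return entry["description"]
    return None


def needs_sso_lookup(entries, source_ip):
    """For the SSO Exceptions list: the XTM device contacts the SSO Agent only
    for source addresses that are not excepted."""
    return match_exception(entries, source_ip) is None


# Constructed exception list resembling what an administrator might enter.
SAMPLE_EXCEPTIONS = [
    exception_entry("Host IP", "10.0.0.5", "print server"),
    exception_entry("Network IP", "10.0.1.0/24", "server VLAN, no domain users"),
    exception_entry("Host Range", "10.0.2.10-10.0.2.20", "non-domain workstations"),
]

if __name__ == "__main__":
    for ip in ("10.0.0.5", "10.0.1.77", "10.0.2.15", "10.0.2.21"):
        print(ip, "->", match_exception(SAMPLE_EXCEPTIONS, ip))
```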
Specify Programs for the Backend-Service User Account
The Terminal Services Agent identifies traffic generated by system processes with the Backend-Service
user account. By default, this includes traffic from SYSTEM, Network Service, and Local
Service programs. You can also specify other programs with the EXE file extension that you want the
Terminal Services Agent to associate with the Backend-Service account so that they are allowed
through your firewall. For example, clamwin.exe, SoftwareUpdate.exe, Safari.exe, or ieexplore.exe.
To specify the programs for the Terminal Services Agent to associate with the Backend-Service user
account:
1. Select the Backend-Service tab.
2. Click Add.
The Open dialog box appears.
3. Browse to select a program with an EXE extension.
The path to the program appears in the Backend-Service list.
4. To remove a program from the Backend-Service list, select the program and click Delete.
The program path is removed from the list.
Set the Diagnostic Log Level and View Log Messages
You can configure the diagnostic log level for the Terminal Services Agent (TO Agent) and the TO Set
Tool applications. The log messages that are generated by each application are saved in a text file. To
see the log messages generated for the TO Agent or the TO Set Tool, you can open the log file for each
application from the Diagnostic Log Level tab.
1. Select the Diagnostic Log Level tab.
2. From the Set the diagnostic log level for drop-down list, select an application:
- TOAgent (This is the Terminal Services Agent.)
- TO Set Tool
3. Move the Settings slider to set the diagnostic log level for the selected application.
4. To see the available log files for the selected application, click View Log.
A text file opens with the available log messages for the selected application.
5. To configure settings and view log messages for the other application, repeat Steps 2–4.
For detailed steps on how to complete the Terminal Services configuration for your XTM device, see
Configure Terminal Services Settings on page 426.
Configure Terminal Services Settings
To enable your users to authenticate to your XTM device over a Terminal Server or Citrix server, you
must configure the authentication settings for terminal services. When you configure these settings,
you set the maximum length of time a session can be active and specify the IP address of your
Terminal Server or Citrix server. You can specify a maximum of 32 Terminal Services Agents in an
XTM device configuration.
If your device runs Fireware XTM v11.0–v11.3.x, terminal services is not available
and the configuration settings do not appear in Policy Manager.
When you configure the Terminal Services settings, if your users authenticate to your XTM device, the
XTM device reports the actual IP address of each user who logs in. This enables your XTM device to
correctly identify each user who logs in to your network, so the correct security policies can be applied
to each user's traffic.
You can use any of your configured authentication server methods (for example, Firebox
authentication, Active Directory, or RADIUS) with terminal services. To use Single Sign-On with
terminal services, you must use an Active Directory server.
To configure Authentication Settings for terminal services:
1. Select Authentication > Terminal Services.
The Terminal Services page appears.
2. Select the Enable Terminal Services Support check box.
The terminal services settings are enabled.
3. In the Session Timeout text box, type the maximum length of time in seconds that the user
can send traffic to the external network.
If you select zero (0) seconds, the session does not expire and the user can stay connected for
any length of time.
4. To add a Terminal Server or Citrix server to the Agent IP list, in the text box, type the
IP address of the server and click Add.
You can add a maximum of 32 Terminal Servers or Citrix servers to the list.
The IP address appears in the Terminal Services Agent IPs list.
5. To remove a server IP address from the Agent IP list, select an IP address in the list and
click Remove.
6. Click Save.
Authentication Server Types
The Fireware XTM OS supports six authentication methods:
• XTM Device Authentication
• RADIUS Server Authentication
• VASCO Server Authentication
• SecurID Authentication
• LDAP Authentication
• Active Directory Authentication
You can configure one or more authentication server types for an XTM device. If you use more than
one type of authentication server, users must select the authentication server type from a drop-down
list when they authenticate.
About Third-Party Authentication Servers
If you use a third-party authentication server, you do not have to keep a separate user database on the
XTM device. You can configure a third-party server, install the authentication server with access to
your XTM device, and put the server behind the device for security. You then configure the device to
forward user authentication requests to that server. If you create a user group on the XTM device that
authenticates to a third-party server, make sure you create a group on the server that has the same
name as the user group on the device.
For detailed information about how to configure an XTM device for use with third-party authentication
servers, see:
• Configure RADIUS Server Authentication
• Configure VASCO Server Authentication
• Configure SecurID Authentication
• Configure LDAP Authentication
• Configure Active Directory Authentication
Use a Backup Authentication Server
You can configure a primary and a backup authentication server with any of the third-party
authentication server types. If the XTM device cannot connect to the primary authentication server
after three attempts, the primary server is marked as inactive and an alarm message is generated. The
device then connects to the backup authentication server.
If the XTM device cannot connect to the backup authentication server, it waits ten minutes, and then
tries to connect to the primary authentication server again. The inactive server is marked as active
after the specified time interval is reached.
For detailed procedures to configure primary and backup authentication servers, see the configuration
topic for your third-party authentication server.
Configure Your XTM Device as an Authentication Server
If you do not use a third-party authentication server, you can use your XTM device as an authentication
server, also known as Firebox authentication. When you configure Firebox authentication, you create
user accounts for each user in your company, and then divide these users into groups for
authentication. When you assign users to groups, make sure to associate them by their tasks and the
information they use. For example, you can have an accounting group, a marketing group, and a
research and development group. You can also have a new employee group with more controlled
access to the Internet.
When you create a group, you set the authentication procedure for the users, the system type, and the
information they can access. A user can be a network or one computer. If your company changes, you
can add or remove users from your groups.
The Firebox authentication server is enabled by default. You do not have to enable it before you add
users and groups.
For detailed instructions to add users and groups, see Define a New User for Firebox Authentication on
page 432 and Define a New Group for Firebox Authentication on page 435.
After you add users and groups, the users you added can connect to the Authentication Portal from a
web browser on a computer or smart phone and authenticate over port 4100 to get access to your
network. For more information about how to use Firebox authentication, see Firewall Authentication.
Types of Firebox Authentication
You can configure your XTM device to authenticate users with four different types of authentication:
• Firewall Authentication
• Mobile VPN with PPTP Connections
• Mobile VPN with IPSec Connections
• Mobile VPN with SSL Connections
• Mobile VPN with L2TP Connections
When authentication is successful, the XTM device links these items:
• User name
• Firebox User group (or groups) of which the user is a member
• IP address of the computer used to authenticate
• Virtual IP address of the computer used to connect with Mobile VPN
Firewall Authentication
To enable your users to authenticate, you create user accounts and groups. When a user connects to
the authentication portal with a web browser on a computer or smart phone and authenticates to the
XTM device, the user credentials and computer IP address are used to find whether a policy applies to
the traffic that the computer sends and receives.
To create a Firebox user account:
1. Define a New User for Firebox Authentication.
2. Define a New Group for Firebox Authentication and put the new user in that group.
3. Create a policy that allows traffic only to or from a list of Firebox user names or groups.
This policy is applied only if a packet comes from or goes to the IP address of the authenticated
user.
After you have added a user to a group and created policies to manage the traffic for the user, the user
can open a web browser on a computer or smart phone to authenticate to the XTM device.
If you have configured the XTM device with an IPv4 or an IPv6 address, you can use either the IPv4 or
the IPv6 address to authenticate to the XTM device over port 4100.
To authenticate with an HTTPS connection to the XTM device over port 4100:
1. Open a web browser and go to https://<IP address of an XTM device interface>:4100/ .
The login page appears.
2. Type the Username and Password.
3. From the Domain drop-down list, select the domain to use for authentication.
This option only appears if you can choose from more than one domain.
4. Click Login.
If the credentials are valid, the user is authenticated.
Firewall authentication takes precedence over Single Sign-On, and replaces the user credentials and
IP address from your Single Sign-On session with the user credentials and IP address you select for
Firewall authentication. For more information about how to configure Single Sign-On, see About Single
Sign-On (SSO) on page 391.
Mobile VPN with IPSec Connections
When you configure your XTM device to host Mobile VPN with IPSec sessions, you create policies on
your device and then use the Mobile VPN with IPSec client to enable your users to access your
network. After the XTM device is configured, each client computer must be configured with the Mobile
VPN with IPSec client software.
When the user's computer is correctly configured, the user makes the Mobile VPN connection. If the
credentials used for authentication match an entry in the Firebox User database, and if the user is in
the Mobile VPN group you create, the Mobile VPN session is authenticated.
To set up authentication for Mobile VPN with IPSec:
1. Configure a Mobile VPN with IPSec Connection.
2. Install the IPSec Mobile VPN Client Software.
Mobile VPN with PPTP Connections
When you activate Mobile VPN with PPTP on your XTM device, users included in the Mobile VPN with
PPTP group can use the PPTP feature included in their computer operating system to make a PPTP
connection to the device.
Because the XTM device allows the PPTP connection from any Firebox user that gives the correct
credentials, it is important that you make a policy for PPTP sessions that includes only users you want
to allow to send traffic over the PPTP session. You can also add a group or individual user to a policy
that restricts access to resources behind the XTM device. The XTM device creates a pre-configured
group called PPTP-Users for this purpose.
To configure a Mobile VPN with PPTP connection:
1. Select VPN > Mobile VPN with PPTP.
2. Select the Activate Mobile VPN with PPTP check box.
3. Make sure the Use RADIUS authentication for PPTP users check box is not selected.
If this check box is selected, the RADIUS authentication server authenticates the PPTP
session.
If you clear this check box, the XTM device authenticates the PPTP session.
The XTM device checks whether the user name and password the user types in the VPN
connection dialog box match a user account in the Firebox User database that is a member
of the PPTP-Users group.
If the credentials supplied by the user match an account in the Firebox User database, the user is
authenticated for a PPTP session.
4. Create a policy that allows traffic only from or to a list of Firebox user names or groups.
The XTM device does not look at this policy unless traffic comes from or goes to the IP address of the
authenticated user.
Mobile VPN with SSL Connections
You can configure the XTM device to host Mobile VPN with SSL sessions. When the XTM device is
configured with a Mobile VPN with SSL connection, users included in the Mobile VPN with SSL group
can install and use the Mobile VPN with SSL client software to make an SSL connection.
Because the XTM device allows the SSL connection from any of your users who give the correct
credentials, it is important that you make a policy for SSL VPN sessions that includes only users you
want to allow to send traffic over SSL VPN. You can also add these users to a Firebox User Group and
make a policy that allows traffic only from this group. The XTM device creates a pre-configured group
called SSLVPN-Users for this purpose.
To configure a Mobile VPN with SSL connection:
1. Select VPN > Mobile VPN with SSL.
The Mobile VPN with SSL page appears.
2. Configure the XTM Device for Mobile VPN with SSL.
Mobile VPN with L2TP Connections
You can configure the XTM device to host Mobile VPN with L2TP sessions. When the XTM device is
configured for Mobile VPN with L2TP, users included in the Mobile VPN with L2TP group can use an
L2TP client to make an L2TP connection.
Because the XTM device allows the L2TP connection from any of your users who give the correct
credentials, it is important that your configuration includes a policy for L2TP VPN sessions that
includes only the users you want to allow to send traffic over the L2TP VPN. You can also add
these users to a Firebox User Group and add a policy that allows traffic only from this group.
The XTM device creates a pre-configured group called L2TP-Users for this purpose.
To configure a Mobile VPN with L2TP connection:
1. Select VPN > Mobile VPN with L2TP.
The Mobile VPN with L2TP page appears.
2. Edit the Mobile VPN with L2TP Configuration.
Define a New User for Firebox Authentication
You can use Fireware XTM Web UI to specify which users can authenticate to your XTM device.
1. Select Authentication > Servers.
The Authentication Servers page appears.
2. From the Server list, select Firebox.
The Firebox page appears.
3. In the Firebox Users section, click Add.
The Firebox User dialog box appears.
4. In the Name text box, type the user name for this user.
5. (Optional) In the Description text box, type a description of the new user.
6. Type and confirm the Passphrase for the user.
When you set this passphrase, the characters are masked and it does not appear in
simple text again. If you lose the passphrase, you must set a new passphrase.
7. In the Session Timeout text box, type or select the maximum length of time the user can send
traffic to the external network.
The minimum value for this setting is one (1) second, minute, hour, or day. The maximum
value is 365 days.
8. In the Idle Timeout text box, type or select the length of time the user can stay authenticated
when idle (not passing any traffic to the external network).
The minimum value for this setting is one (1) second, minute, hour, or day. The maximum
value is 365 days.
9. Select the Enable login limits for each user or group check box.
10. Select an option:
• Allow unlimited concurrent firewall authentication logins from the same account
• Limit concurrent user sessions to.
a. In the text box, type or select the number of allowed concurrent user sessions.
b. From the drop-down list, select an option:
• Reject subsequent login attempts
• Allow subsequent login attempts and logoff the first session.
11. To add this user to an authentication group, in the Firebox Authentication Group list, select
the check box for each group to add this user to.
12. Click OK.
The new user appears in the Firebox Users list.
Define a New Group for Firebox Authentication
You can use Fireware XTM Web UI to specify which user groups can authenticate to your XTM device.
1. Select Authentication > Servers.
The Authentication Servers page appears.
2. Select the Firebox tab.
3. In the Groups section, click Add.
The Setup Firebox Group dialog box appears.
4. Type a name for the group.
5. (Optional) Type a description for the group.
6. Select the Enable login limits for each user or group check box.
7. Select an option:
• Allow unlimited concurrent firewall authentication logins from the same account
• Limit concurrent user sessions to.
a. In the text box, type or select the number of allowed concurrent user sessions.
b. From the drop-down list, select an option:
• Reject subsequent login attempts
• Allow subsequent login attempts and logoff the first session.
8. To add a user to the group, in the Firebox Authentication Users list, select the check box for
that user.
9. After you add all necessary users to the group, click OK.
You can now configure policies and authentication with these users and groups, as described in Use
Authorized Users and Groups in Policies on page 468.
Configure RADIUS Server Authentication
RADIUS (Remote Authentication Dial-In User Service) authenticates the local and remote users on a
company network. RADIUS is a client/server system that keeps the authentication information for
users, remote access servers, VPN gateways, and other resources in one central database.
For more information on RADIUS authentication, see How RADIUS Server Authentication Works on
page 439.
Authentication Key
The authentication messages to and from the RADIUS server use an authentication key, not a
password. This authentication key, or shared secret, must be the same on the RADIUS client and
server. Without this key, there is no communication between the client and server.
RADIUS Authentication Methods
For web and Mobile VPN with IPSec or SSL authentication, RADIUS supports only PAP (Password
Authentication Protocol) authentication.
For authentication with PPTP, RADIUS supports only MSCHAPv2 (Microsoft Challenge-Handshake
Authentication Protocol version 2).
For authentication with WPA Enterprise and WPA2 Enterprise authentication methods, RADIUS
supports the EAP (Extensible Authentication Protocol) framework.
Before You Begin
Before you configure your XTM device to use your RADIUS authentication server, you must have this
information:
• Primary RADIUS server — IP address and RADIUS port
• Secondary RADIUS server (optional) — IP address and RADIUS port
• Shared secret — Case-sensitive password that is the same on the XTM device and the
RADIUS server
• Authentication methods — Set your RADIUS server to allow the authentication method your
XTM device uses: PAP, MSCHAPv2, WPA Enterprise, WPA2 Enterprise, or WPA/WPA2
Enterprise
Use RADIUS Server Authentication with Your XTM Device
To use RADIUS server authentication with your XTM device, you must:
• Add the IP address of the XTM device to the RADIUS server as described in the documentation
from your RADIUS vendor.
• Enable and specify the RADIUS server in your XTM device configuration.
• Add RADIUS user names or group names to your policies.
To enable and specify the RADIUS server(s) in your configuration, from Fireware XTM Web UI:
1. Select Authentication > Servers.
The Authentication Servers page appears.
2. From the Server list, select RADIUS.
The RADIUS server settings appear.
3. Select the Enable RADIUS Server check box.
4. In the IP Address text box, type the IP address of the RADIUS server.
5. In the Port text box, make sure that the port number RADIUS uses for authentication appears.
The default port number is 1812. Older RADIUS servers might use port 1645.
6. In the Passphrase text box, type the shared secret between the XTM device and the RADIUS
server.
The shared secret is case-sensitive, and it must be the same on the XTM device and the
RADIUS server.
7. In the Confirm Passphrase text box, type the shared secret again.
8. Type or select the Timeout value.
The timeout value is the amount of time the XTM device waits for a response from the
authentication server before it tries to connect again.
9. In the Retries text box, type the number of times the XTM device tries to connect to the
authentication server (the timeout is specified above) before it reports a failed connection for
one authentication attempt.
10. In the Group Attribute text box, type an attribute value. The default group attribute is FilterID,
which is RADIUS attribute 11.
The group attribute value is used to set the attribute that carries the User Group information.
You must configure the RADIUS server to include the Filter ID string with the user
authentication message it sends to the XTM device. For example, engineerGroup or
financeGroup. This information is then used for access control. The XTM device matches the
FilterID string to the group name configured in the XTM device policies.
11. In the Dead Time text box, type the amount of time after which an inactive server is marked as
active again. Select minutes or hours from the drop-down list to change the duration.
After an authentication server has not responded for a period of time, it is marked as inactive.
Subsequent authentication attempts will not try this server until it is marked as active again.
12. To add a backup RADIUS server, in the Secondary Server Settings section, select the
Enable Secondary RADIUS Server check box.
13. Repeat Steps 4–11 to configure the backup server. Make sure the shared secret is the same on
the primary and backup RADIUS server.
For more information, see Use a Backup Authentication Server on page 428.
14. Click Save.
How RADIUS Server Authentication Works
RADIUS is a protocol that was originally designed to authenticate remote users to a dial-in access
server. RADIUS is now used in a wide range of authentication scenarios. RADIUS is a client-server
protocol, with the XTM device as the client and the RADIUS server as the server. (The RADIUS client
is sometimes called the Network Access Server or NAS.) When a user tries to authenticate, the XTM
device sends a message to the RADIUS server. If the RADIUS server is properly configured to have
the XTM device as a client, RADIUS sends an accept or reject message back to the XTM device (the
Network Access Server).
When the XTM device uses RADIUS for an authentication attempt:
1. The user tries to authenticate, either through a browser-based HTTPS connection to the XTM
device over port 4100, or through a connection using Mobile VPN with PPTP or IPSec. The
XTM device reads the user name and password.
2. The XTM device creates a message called an Access-Request message and sends it to the
RADIUS server. The XTM device uses the RADIUS shared secret in the message. The
password is always encrypted in the Access-Request message.
3. The RADIUS server makes sure that the Access-Request message is from a known client (the
XTM device). If the RADIUS server is not configured to accept the XTM device as a client, the
server discards the Access-Request message and does not send a message back.
4. If the XTM device is a client known to the RADIUS server and the shared secret is correct, the
server looks at the authentication method requested in the Access-Request message.
5. If the Access-Request message uses an allowed authentication method, the RADIUS server
gets the user credentials from the message and looks for a match in a user database. If the user
name and password match an entry in the database, the RADIUS server can get additional
information about the user from the user database (such as remote access approval, group
membership, logon hours, and so on).
6. The RADIUS server checks to see whether it has an access policy or a profile in its
configuration that matches all the information it has about the user. If such a policy exists, the
server sends a response.
7. If any of the previous conditions fail, or if the RADIUS server has no matching policy, it sends
an Access-Reject message that shows authentication failure. The RADIUS transaction ends
and the user is denied access.
8. If the Access-Request message meets all the previous conditions, RADIUS sends an Access-Accept
message to the XTM device.
9. The RADIUS server uses the shared secret for any response it sends. If the shared secret does
not match, the XTM device rejects the RADIUS response.
To see diagnostic log messages for authentication, set the Diagnostic Log Level and change
the log level for the Authentication category.
10. The XTM device reads the value of any FilterID attribute in the message. It connects the user
name with the FilterID attribute to put the user in a RADIUS group.
11. The RADIUS server can put a large amount of additional information in the Access-Accept
message. The XTM device ignores most of this information, such as the protocols the user is
allowed to use (such as PPP or SLIP), the ports the user can access, idle timeouts, and other
attributes.
12. The XTM device only requires the FilterID attribute (RADIUS attribute number 11). The FilterID
is a string of text that you configure the RADIUS server to include in the Access-Accept
message. This attribute is necessary for the XTM device to assign the user to a RADIUS group.
The XTM device also supports some other RADIUS attributes, such as Session-Timeout (RADIUS
attribute number 27) and Idle-Timeout (RADIUS attribute number 28).
For more information on RADIUS groups, see the subsequent section.
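As an added example that is not part of this guide or of WatchGuard's software, the following Python models Steps 2 through 10 above at the packet level, following RFC 2865: the User-Password is hidden with MD5 of the shared secret and the Request Authenticator (what the guide calls the encrypted password), the Response Authenticator check is what makes the device reject a reply built with a different shared secret (Step 9), and Filter-Id (attribute 11) and Session-Timeout (attribute 27) are read from the Access-Accept to place the user in a RADIUS group. The user name, password, shared secret and group name are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FILTER_ID = 1, 2, 11   # attribute types; 11 is the group attribute
SESSION_TIMEOUT, IDLE_TIMEOUT = 27, 28           # also honoured by the XTM device
SECRET = b"constructed-shared-secret"            # constructed; must match on NAS and server


def pap_hide(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), starting from the Request Authenticator.
    This is why PAP over RADIUS still depends on the shared secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def pap_reveal(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side: the same chain run backwards; a wrong secret yields garbage."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs) -> bytes:
    """Attributes are Type(1) Length(1) Value; Length includes the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def response_authenticator(code, ident, req_auth, body, secret) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()

def build_access_request(user, password, secret, ident, req_auth) -> bytes:
    """NAS (XTM device) side, Step 2: Access-Request carrying a hidden User-Password."""
    body = encode_attrs([(USER_NAME, user),
                         (USER_PASSWORD, pap_hide(password, secret, req_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def server_respond(request: bytes, secret: bytes, users: dict, groups: dict) -> bytes:
    """RADIUS server side, Steps 4-9: recover the password, check the user
    database, answer with Filter-Id and Session-Timeout or with Access-Reject."""
    ident, req_auth = request[1], request[4:20]
    attrs = dict(decode_attrs(request[20:]))
    user = attrs.get(USER_NAME, b"")
    password = pap_reveal(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    if users.get(user) == password:
        code = ACCESS_ACCEPT
        body = encode_attrs([(FILTER_ID, groups[user]),
                             (SESSION_TIMEOUT, struct.pack("!I", 3600))])
    else:
        code, body = ACCESS_REJECT, b""
    auth = response_authenticator(code, ident, req_auth, body, secret)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def client_handle_response(packet: bytes, ident: int, req_auth: bytes, secret: bytes):
    """NAS side, Steps 9-10: reject a reply whose Response Authenticator was not
    built with our shared secret, then map Filter-Id to a RADIUS group.
    Returns (accepted, group_name, session_timeout_seconds)."""
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if rid != ident or length != len(packet):
        raise ValueError("reply does not match the outstanding request")
    body = packet[20:]
    expected = response_authenticator(code, rid, req_auth, body, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: shared secrets differ")
    if code != ACCESS_ACCEPT:
        return False, None, None
    attrs = dict(decode_attrs(body))
    group = attrs[FILTER_ID].decode() if FILTER_ID in attrs else None
    timeout = struct.unpack("!I", attrs[SESSION_TIMEOUT])[0] if SESSION_TIMEOUT in attrs else None
    return True, group, timeout

def demo(client_secret=SECRET, server_secret=SECRET, password=b"s3cret"):
    """One full exchange for the constructed user 'mary', whose Filter-Id is 'Sales'."""
    ident, req_auth = 7, os.urandom(16)
    request = build_access_request(b"mary", password, client_secret, ident, req_auth)
    reply = server_respond(request, server_secret, {b"mary": b"s3cret"}, {b"mary": b"Sales"})
    return client_handle_response(reply, ident, req_auth, client_secret)
```

Calling demo() with server_secret set to a different value raises ValueError from the client side: the server cannot recover the password, answers Access-Reject, and even that reply fails the Response Authenticator check because it was built with the other secret.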
About RADIUS Groups
When you configure RADIUS authentication, you can set the Group Attribute number. Fireware XTM
reads the Group Attribute number from Fireware XTM Web UI to tell which RADIUS attribute carries
RADIUS group information. Fireware XTM recognizes only RADIUS attribute number 11, FilterID, as
the Group Attribute. When you configure the RADIUS server, do not change the Group Attribute
number from its default value of 11.
When the XTM device gets the Access-Accept message from RADIUS, it reads the value of the
FilterID attribute and uses this value to associate the user with a RADIUS group. (You must manually
configure the FilterID in your RADIUS configuration.) Thus, the value of the FilterID attribute is the
name of the RADIUS group where the XTM device puts the user.
The RADIUS groups you use in Fireware XTM Web UI are not the same as the Windows groups
defined in your domain controller, or any other groups that exist in your domain user database. A
RADIUS group is only a logical group of users the XTM device uses. Make sure you carefully select
the FilterID text string. You can make the value of the FilterID match the name of a local group or
domain group in your organization, but this is not necessary. We recommend you use a descriptive
name that helps you remember how you defined your user groups.
Practical Use of RADIUS Groups
If your organization has many users to authenticate, you can make your XTM device policies easier to
manage if you configure RADIUS to send the same FilterID value for many users. The XTM device
puts those users into one logical group so you can easily administer user access. When you make a
policy in Fireware XTM Web UI that allows only authenticated users to access a network resource,
you use the RADIUS Group name instead of adding a list of many individual users.
For example, when Mary authenticates, the FilterID string RADIUS sends is Sales, so the XTM device
puts Mary in the Sales RADIUS group for as long as she is authenticated. If users John and Alice
subsequently authenticate, and RADIUS puts the same FilterID value Sales in the Access-Accept
messages for John and Alice, then Mary, John, and Alice are all in the Sales group. You can make a
policy in Fireware XTM Web UI that allows the group Sales to access a resource.
You can configure RADIUS to return a different FilterID, such as IT Support, for the members of your
internal support organization. You can then make a different policy to allow IT Support users to access
resources.
For example, you might allow the Sales group to access the Internet using a Filtered-HTTP policy.
Then you can filter their web access with WebBlocker. A different policy in Policy Manager can allow
the IT Support users to access the Internet with the Unfiltered-HTTP policy, so that they access the
web without WebBlocker filtering. You use the RADIUS group name (or user names) in the From field
of a policy to show which group (or which users) can use the policy.
Timeout and Retry Values
An authentication failure occurs when no response is received from the primary RADIUS server. After
three authentication attempts fail, Fireware XTM uses the secondary RADIUS server. This process is
called failover.
This number of authentication attempts is not the same as the Retry number. You
cannot change the number of authentication attempts before failover occurs.
The XTM device sends an Access-Request message to the first RADIUS server in the list. If there is
no response, the XTM device waits the number of seconds set in the Timeout box, and then it sends
another Access-Request. This continues for the number of times indicated in the Retry box (or until
there is a valid response). If there is no valid response from the RADIUS server, or if the RADIUS
shared secret does not match, Fireware XTM counts this as one failed authentication attempt.
After three authentication attempts fail, Fireware XTM uses the secondary RADIUS server for the next
authentication attempt. If the secondary server also fails to respond after three authentication
attempts, Fireware XTM waits ten minutes for an administrator to correct the problem. After ten
minutes, Fireware XTM tries to use the primary RADIUS server again.
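As an added example that is not part of this guide, the following Python model plays out the behaviour described here and in Use a Backup Authentication Server: one authentication attempt is Retries requests each followed by the Timeout wait, three failed attempts move the device to the secondary server, and the primary is tried again ten minutes after the secondary also fails. The transport and clock are constructed stubs, and the assumption that requests keep going to the secondary during the ten-minute wait is mine, not the guide's.

```python
ATTEMPTS_BEFORE_FAILOVER = 3   # fixed in Fireware XTM; not the configurable Retries value
RECOVERY_WAIT_SECONDS = 600    # the guide's ten-minute wait before the primary is retried


class FakeClock:
    """Constructed clock so the simulation runs instantly and deterministically."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


class RadiusFailover:
    """Decides which of two RADIUS servers the device uses. `send(server)` is an
    injected transport stub that returns a reply, or None for no valid response
    (no answer, or a response built with a different shared secret)."""
    def __init__(self, primary, secondary, timeout, retries, send, clock):
        self.servers = [primary, secondary]
        self.timeout, self.retries = timeout, retries
        self.send, self.clock = send, clock
        self.active = 0              # 0 = primary, 1 = secondary
        self.failed_attempts = 0     # consecutive failed attempts on the active server
        self.secondary_failed_at = None

    def one_attempt(self, server):
        """One authentication attempt: up to Retries Access-Requests, each
        followed by a Timeout-second wait when no valid response arrives."""
        for _ in range(self.retries):
            reply = self.send(server)
            if reply is not None:
                return reply
            self.clock.sleep(self.timeout)
        return None

    def authenticate(self):
        """Returns (server_used, reply); reply is None when the attempt failed."""
        # Assumption (not stated in the guide): while the ten minutes run, requests
        # keep going to the secondary; afterwards the primary becomes active again.
        if (self.secondary_failed_at is not None
                and self.clock.now() - self.secondary_failed_at >= RECOVERY_WAIT_SECONDS):
            self.active, self.failed_attempts, self.secondary_failed_at = 0, 0, None
        server = self.servers[self.active]
        reply = self.one_attempt(server)
        if reply is not None:
            self.failed_attempts = 0
            return server, reply
        self.failed_attempts += 1
        if self.failed_attempts >= ATTEMPTS_BEFORE_FAILOVER:
            self.failed_attempts = 0
            if self.active == 0:
                self.active = 1                       # failover to the secondary
            elif self.secondary_failed_at is None:
                self.secondary_failed_at = self.clock.now()
        return server, None


def scenario():
    """Primary dead, secondary alive, Timeout 5 s, Retries 3: three failed attempts
    (3 attempts x 3 retries x 5 s = 45 s) precede failover; after the secondary also
    fails and ten minutes pass, the primary is tried again. Returns (servers_used, failover_time)."""
    clock, alive = FakeClock(), {"secondary"}
    fo = RadiusFailover("primary", "secondary", timeout=5, retries=3,
                        send=lambda s: "Access-Accept" if s in alive else None, clock=clock)
    used = [fo.authenticate()[0] for _ in range(4)]     # primary x3, then secondary
    failover_time = clock.now()
    alive.clear()                                        # now the secondary dies too
    used += [fo.authenticate()[0] for _ in range(4)]    # three failures, then waiting
    clock.sleep(RECOVERY_WAIT_SECONDS)
    alive.add("primary")
    used.append(fo.authenticate()[0])                    # back on the primary
    return used, failover_time
```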
Configure RADIUS Server Authentication with Active Directory Users and Groups For Mobile VPN Users
When you use Mobile VPN with L2TP or Mobile VPN with PPTP to authenticate users to your network,
you can use the user accounts from your Active Directory server database to authenticate users with
your RADIUS server and the RADIUS protocol. You must configure the Mobile VPN settings on your
XTM device to enable RADIUS authentication, configure your RADIUS server to get user credentials
from your Active Directory database, and configure your Active Directory and RADIUS servers to
communicate with your XTM device.
Before You Begin
Before you configure your XTM device to use your Active Directory and RADIUS servers to
authenticate your Mobile VPN with L2TP or Mobile VPN with PPTP users, make sure that the settings
described in this section are configured on your RADIUS and Active Directory servers. Windows 2008
and 2003 Server are the supported RADIUS server platforms.
For complete instructions to configure your RADIUS server or Active Directory server, see the vendor
documentation for each server.
Configure NPS for a Windows 2008 Server
• In Windows 2008 Server Manager, make sure NPS is installed with a Network Policy and
Access Service role that uses the Network Policy Server role service.
• Add a new RADIUS client to NPS that includes the IP address of your XTM device, uses the
RADIUS Standard vendor, and sets a manual shared secret for the RADIUS client and
XTM device.
• Add a network policy with these settings:
o Select the Active Directory user group that includes the users you want to authenticate with
Mobile VPN with L2TP or Mobile VPN with PPTP.
o Specify Access granted as the access permissions for the policy, and do not specify an
EAP type.
o Add the attribute Filter-ID to the policy and specify L2TP-Users or PPTP-Users as the
value. Make sure to remove Framed Protocol and Service-Type from the Attributes list.
Configure IAS for a Windows 2003 Server
• On your Windows 2003 Server, make sure that the Internet Authentication Service (IAS)
networking service is installed.
• In the IAS console, add a new RADIUS client for your XTM device that uses the device name
and IP address of your XTM device for the Friendly name and Client address. Make sure to
select the RADIUS Standard for the Client-Vendor value and set a shared secret for the
RADIUS client and XTM device.
• From the IAS console, add a custom new remote access policy with these settings:
o Add the Windows-Group attribute to the policy.
o Select the Active Directory user group that includes the users you want to authenticate with
Mobile VPN with L2TP or Mobile VPN with PPTP.
o For the permissions setting, specify Grant remote access permission.
o Add the attribute Filter-ID to the policy and specify L2TP-Users or PPTP-Users as the
value.
Configure Active Directory Settings
When you configure these settings for your Active Directory server, you enable your RADIUS server to
contact your Active Directory server for the user credentials and group information stored in your
Active Directory database.
• In Active Directory Users and Computers on your Active Directory server, make sure that the
remote access permissions are configured to Allow access to users.
• Register NPS or IAS to your Active Directory server.
Enable Active Directory Behind a RADIUS Server Authentication for
Mobile VPN on Your XTM Device
Before your users can use Mobile VPN with L2TP or Mobile VPN with PPTP to authenticate to your
network with their Active Directory credentials, you must enable your XTM device to use a RADIUS
server for Mobile VPN with L2TP or Mobile VPN with PPTP authentication.
Before you configure the Mobile VPN with L2TP or Mobile VPN with PPTP settings, make sure that
you have added your RADIUS server to the Authentication Servers list on your XTM device. The
RADIUS server must have the same IP address and shared secret that you specified when you
configured the NPS or IAS settings for your RADIUS server.
For more information about how to add a RADIUS authentication server, see Configure RADIUS
Server Authentication on page 436.
Configure Mobile VPN with L2TP Settings
By default, Firebox-DB is the selected server for authentication. When you configure Mobile VPN to
use your RADIUS server, you can use Firebox-DB for a secondary authentication database if the
RADIUS server is not available.
To enable RADIUS server authentication for Mobile VPN with L2TP users:
1. Select VPN > Mobile VPN with L2TP.
2. Click Configure.
The Mobile VPN with L2TP page appears.
3. Select the Authentication tab.
4. In the Authentication Server list, select the check box for your RADIUS server.
5. If the RADIUS server is not the first server in the Authentication Server list, click Make
Default.
The RADIUS server moves to the top of the list.
6. To only use the RADIUS server for authentication, clear the Firebox-DB check box.
7. In the Authentication Users and Groups list, make sure the L2TP-Users group appears.
The Authentication Server can be Any or RADIUS.
8. Make any additional changes to the Mobile VPN with L2TP configuration.
For more information about how to configure the settings for Mobile VPN with L2TP, see Edit the
Mobile VPN with L2TP Configuration.
Configure Mobile VPN with PPTP Settings
To enable RADIUS server authentication for Mobile VPN with PPTP users:
1. Select VPN > Mobile VPN with PPTP.
2. Select the Use RADIUS authentication for PPTP users check box.
For more information about how to configure the settings for Mobile VPN with PPTP, see Configure
Mobile VPN with PPTP.
WPA and WPA2 Enterprise Authentication
To add another layer of security when your users connect to your wireless network, you can enable
enterprise authentication methods on your XTM wireless device. When you configure an enterprise
authentication method, the client must have the correct authentication method configured to
successfully connect to the XTM device. The XTM wireless device then sends authentication requests
to the configured authentication server (RADIUS server or Firebox-DB). If the authentication method
information is not correct, the user cannot connect to the device, and is not allowed access to your
network.
If your device runs Fireware XTM v11.0-v11.3.x, the authentication methods based
on the IEEE 802.1X standard are not available.
In Fireware XTM v11.4 and later, the available enterprise authentication methods are WPA Enterprise
and WPA2 Enterprise. These authentication methods are based on the IEEE 802.1X standard, which
uses the EAP (Extensible Authentication Protocol) framework to enable user authentication to an
external RADIUS server or to your XTM device (Firebox-DB). The WPA Enterprise and WPA2
Enterprise authentication methods are more secure than WPA/WPA2 (PSK) because users must first
have the correct authentication method configured, and then authenticate with their own enterprise
credentials instead of one shared key that is known by everyone who uses the wireless access point.
You can use the WPA Enterprise and WPA2 Enterprise authentication methods with XTM wireless
devices. For more information about how to configure your XTM wireless device to use enterprise
authentication, see Set the Wireless Authentication Method on page 254.
Configure VASCO Server Authentication
VASCO server authentication uses the VACMAN Middleware software to authenticate remote users
on a company network through a RADIUS or web server environment. VASCO also supports multiple
authentication server environments. The VASCO one-time password token system enables you to
eliminate the weakest link in your security infrastructure—the use of static passwords.
To use VASCO server authentication with your XTM device, you must:
- Add the IP address of the XTM device to the VACMAN Middleware server, as described in the documentation from your VASCO vendor.
- Enable and specify the VACMAN Middleware server in your XTM device configuration.
- Add user names or group names to the policies in Policy Manager.
To configure VASCO server authentication, use the RADIUS server settings. The Authentication
Servers dialog box does not have a separate tab for VASCO servers.
From Fireware XTM Web UI:
1. Select Authentication > Servers.
The Authentication Servers page appears.
2. From the Server list, select RADIUS.
The RADIUS server settings appear.
3. To enable the VACMAN Middleware server, select the Enable RADIUS Server check box.
4. In the IP Address text box, type the IP address of the VACMAN Middleware server.
5. In the Port text box, make sure that the port number VASCO uses for authentication appears.
The default port number is 1812.
6. In the Passphrase text box, type the shared secret between the XTM device and the VACMAN
Middleware server.
The shared secret is case-sensitive, and it must be the same on the XTM device and the server.
7. In the Confirm text box, type the shared secret again.
8. In the Timeout text box, type the amount of time the XTM device waits for a response from the
authentication server before it tries to connect again.
9. In the Retries text box, type the number of times the XTM device tries to connect to the
authentication server before it reports a failed connection for one authentication attempt.
10. Type or select the Group Attribute value. The default group attribute is FilterID, which is
VASCO attribute 11.
The group attribute value is used to set which attribute carries the user group information. You
must configure the VASCO server to include the Filter ID string with the user authentication
message it sends to the XTM device. For example, engineerGroup or financeGroup. This
information is then used for access control. The XTM device matches the FilterID string to the
group name configured in the XTM device policies.
11. In the Dead Time text box, type the amount of time after which an inactive server is marked as
active again. Select minutes or hours from the drop-down list to change the duration.
After an authentication server has not responded for a period of time, it is marked as inactive.
Subsequent authentication attempts do not try to connect to this server until it is marked as
active again.
12. To add a backup VACMAN Middleware server, in the Secondary Server Settings section,
select the Enable Secondary RADIUS Server check box.
13. Repeat Steps 4–11 to configure the backup server. Make sure the shared secret is the same on
the primary and secondary VACMAN Middleware server.
For more information, see Use a Backup Authentication Server on page 428.
14. Click Save.
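Step 10 describes the device reading the group name out of the RADIUS reply's Filter-Id attribute (attribute type 11) and matching it against the group names used in policies. The following added example (not WatchGuard's own code) parses a constructed Access-Accept packet and performs that match; the policy group names and packet contents are assumptions.

```python
import struct
from typing import List, Tuple

RADIUS_ACCESS_ACCEPT = 2
RADIUS_ACCESS_REJECT = 3
ATTR_FILTER_ID = 11  # Filter-Id, the default Group Attribute in the guide

# Group names assumed to be configured in the device's policies (constructed).
POLICY_GROUPS = {"engineerGroup", "financeGroup"}


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Split the attribute section of a RADIUS packet into (type, value) pairs.

    Layout: code(1) id(1) length(2) authenticator(16), then attributes as
    type(1) length(1, counts its own 2 header bytes) value(...). Malformed
    lengths raise ValueError so a truncated or padded reply is rejected
    rather than misread.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs: List[Tuple[int, bytes]] = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs


def filter_id_groups(packet: bytes) -> List[str]:
    """All Filter-Id strings carried in an Access-Accept; empty for any other code."""
    attrs = parse_attributes(packet)  # validates the framing first
    if packet[0] != RADIUS_ACCESS_ACCEPT:
        return []
    return [value.decode("utf-8", "replace")
            for a_type, value in attrs
            if a_type == ATTR_FILTER_ID]


def matched_policy_groups(packet: bytes, policy_groups=POLICY_GROUPS) -> List[str]:
    """Groups the reply names that also exist in the policy configuration.

    Unknown group strings are dropped: the server says the user belongs to
    them, but no policy refers to them, so they grant nothing.
    """
    return [g for g in filter_id_groups(packet) if g in policy_groups]


def build_reply(code: int, ident: int, attrs: List[Tuple[int, bytes]]) -> bytes:
    """Assemble a RADIUS reply for the parser to consume. The 16-byte
    authenticator is zeroed: this constructed sample is for parsing only and
    carries no valid Response Authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


# Constructed sample: the server accepts the user and reports two groups,
# only one of which is referenced by a policy.
SAMPLE_ACCEPT = build_reply(RADIUS_ACCESS_ACCEPT, 7,
                            [(ATTR_FILTER_ID, b"engineerGroup"),
                             (ATTR_FILTER_ID, b"vpnUsers")])
SAMPLE_REJECT = build_reply(RADIUS_ACCESS_REJECT, 7, [])

if __name__ == "__main__":
    print("groups in reply:", filter_id_groups(SAMPLE_ACCEPT))
    print("policy matches:", matched_policy_groups(SAMPLE_ACCEPT))
```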
Configure SecurID Authentication
To use SecurID authentication, you must configure the RADIUS, VASCO, and ACE/Server servers
correctly. The users must also have an approved SecurID token and a PIN (personal identification
number). Refer to the RSA SecurID documentation for more information.
From Fireware XTM Web UI:
1. Select Authentication > Servers.
The Authentication Servers page appears.
2. From the Servers list, select SecurID.
The SecurID server settings appear.
3. Select the Enable SecurID Server check box.
4. In the IP Address text box, type the IP address of the SecurID server.
5. In the Port text box, type the port number to use for SecurID authentication.
The default number is 1812.
6. In the Passphrase text box, type the shared secret between the XTM device and the SecurID
server. The shared secret is case-sensitive and must be the same on the XTM device and the
SecurID server.
7. In the Confirm text box, type the shared secret again.
8. In the Timeout text box, type the amount of time that the XTM device waits for a response from
the authentication server before it tries to connect again.
9. In the Retries text box, type the number of times the XTM device tries to connect to the
authentication server before it reports a failed connection for one authentication attempt.
10. In the Group Attribute text box, type the group attribute value. We recommend that you do not
change this value.
The group attribute value is used to set the attribute that carries the user group information.
When the SecurID server sends a message to the XTM device that a user is authenticated, it
also sends a user group string. For example, engineerGroup or financeGroup. This information
is then used for access control.
11. In the Dead Time text box, type the amount of time after which an inactive server is marked as
active again. Select minutes or hours from the adjacent drop-down list to change the duration.
After an authentication server has not responded for a period of time, it is marked as inactive.
Subsequent authentication attempts do not use this server until it is marked as active again,
after the dead time value is reached.
12. To add a backup SecurID server, in the Secondary Server Settings section, select the Enable
Secondary SecurID Server check box.
13. Repeat Steps 4–11 to configure the backup server. Make sure the shared secret is the same on
the primary and backup SecurID servers.
For more information, see Use a Backup Authentication Server on page 428.
14. Click Save.
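The Timeout, Retries and Dead Time settings in steps 8, 9 and 11 (and the same settings in the VASCO procedure above) together decide when the device gives up on a server and moves to the backup. This added example, not WatchGuard's code, models that behaviour with an injectable send function and a fake clock; the assumption that a definite reject does not fail over, and the constructed scenario, are the author's.

```python
import time
from typing import Callable, List, Optional


class AuthServer:
    """One primary or secondary server with the guide's three settings."""

    def __init__(self, name: str, timeout_s: float, retries: int, dead_time_s: float):
        self.name = name
        self.timeout_s = timeout_s      # wait per request before trying again
        self.retries = retries          # total tries before the attempt fails
        self.dead_time_s = dead_time_s  # how long an inactive server is skipped
        self.inactive_until: Optional[float] = None

    def is_active(self, now: float) -> bool:
        # Once Dead Time has elapsed the server is marked active again.
        if self.inactive_until is not None and now >= self.inactive_until:
            self.inactive_until = None
        return self.inactive_until is None


# send(server_name, user, timeout_s) -> True (accept), False (reject), None (no reply)
SendFn = Callable[[str, str, float], Optional[bool]]


class FailoverClient:
    def __init__(self, servers: List[AuthServer], send: SendFn,
                 clock: Callable[[], float] = time.monotonic):
        self.servers = servers
        self.send = send
        self.clock = clock
        self.log: List[str] = []

    def _attempt(self, server: AuthServer, user: str) -> Optional[bool]:
        # "Retries" is read as the total number of tries, following the guide's wording.
        for n in range(1, server.retries + 1):
            verdict = self.send(server.name, user, server.timeout_s)
            if verdict is not None:
                return verdict
            self.log.append(f"{server.name}: no response (try {n}/{server.retries})")
        return None

    def authenticate(self, user: str) -> Optional[bool]:
        """Ask the first active server; fall through to the next only when a
        server gives no answer at all. A definite reject is final (modelling
        assumption: failover is for unreachable servers, not bad credentials)."""
        for server in self.servers:
            if not server.is_active(self.clock()):
                self.log.append(f"{server.name}: skipped, inactive")
                continue
            verdict = self._attempt(server, user)
            if verdict is not None:
                return verdict
            server.inactive_until = self.clock() + server.dead_time_s
            self.log.append(f"{server.name}: marked inactive for {server.dead_time_s:g}s")
        return None  # nobody answered: treat as not authenticated


class FakeClock:
    """Controllable clock so the scenario runs instantly and deterministically."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def simulate() -> List[str]:
    """Constructed scenario: the primary never answers, the secondary accepts
    'alice' only. Returns the client's log for inspection."""
    clock = FakeClock()

    def send(server: str, user: str, timeout_s: float) -> Optional[bool]:
        if server == "primary":
            clock.now += timeout_s  # each unanswered request burns one Timeout
            return None
        return user == "alice"

    primary = AuthServer("primary", timeout_s=5, retries=3, dead_time_s=600)
    secondary = AuthServer("secondary", timeout_s=5, retries=3, dead_time_s=600)
    client = FailoverClient([primary, secondary], send, clock)

    client.log.append(f"alice -> {client.authenticate('alice')}")      # primary times out x3
    client.log.append(f"mallory -> {client.authenticate('mallory')}")  # primary skipped
    clock.now += 600                                                   # Dead Time elapses
    client.log.append(f"primary active again: {primary.is_active(clock())}")
    return client.log


if __name__ == "__main__":
    print("\n".join(simulate()))
```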
Configure LDAP Authentication
You can use an LDAP (Lightweight Directory Access Protocol) authentication server to authenticate
your users with the XTM device. LDAP is an open-standard protocol for using online directory services,
and it operates with Internet transport protocols, such as TCP. Before you configure your XTM device
for LDAP authentication, make sure you check the documentation from your LDAP vendor to see if
your installation supports the memberOf (or equivalent) attribute. When you configure your primary and
backup LDAP server settings, you can select whether to specify the IP address or the DNS name of
your LDAP server.
If your users authenticate with the LDAP authentication method, their distinguished names (DN) and
passwords are not encrypted. To use LDAP authentication and encrypt user credentials, you can
select the LDAPS (LDAP over SSL) option. When you use LDAPS, the traffic between the LDAP
client on your XTM device and your LDAP server is secured by an SSL tunnel. When you enable this
option, you can also choose whether to enable the LDAPS client to validate the LDAP server
certificate, which prevents man-in-the-middle attacks. If you choose to use LDAPS and you specify
the DNS name of your server, make sure the search base you specify includes the DNS name of your
server. The standard LDAPS port is 636. For Active Directory Global Catalog queries, the SSL port is
3269.
When you configure the LDAP authentication method, you set a search base to specify where in the
authentication server directories the XTM device can search for an authentication match. For example,
if your user accounts are in an OU (organizational unit) you refer to as accounts and your domain name
is example.com, your search base is ou=accounts,dc=example,dc=com.
If your user group objects are in another OU you refer to as groups, your user accounts are in an
OU you refer to as accounts, and your domain name is example.com, your search base is
dc=example,dc=com.
If you use an OpenLDAP server without the memberOf attribute overlay support, add users to more
than one OU, and find that the default Group String setting of memberOf does not return correct
group information for your users, you can instead configure the XTM device to use another group
attribute. To manage user groups, you can add the object classes member, memberUID, or
gidNumber. For more information about these object classes, see RFC 2256 and RFC 2307.
If you enable LDAPS, you can choose to validate the LDAP server certificate with an imported
Certificate Authority (CA) certificate. If you select to validate the LDAP server certificate, you must
import the root CA certificate from the CA that signed the LDAP server certificate so your XTM device
can use the CA certificate to validate the LDAP server certificate. When you import the CA certificate,
make sure to select the IPSec, Web Server, Other option. For more information about how to import
certificates, see Manage XTM Device Certificates on page 808.
From Fireware XTM Web UI:
1. Select Authentication > Servers.
The Authentication Servers page appears.
2. From the Server list, select LDAP.
The LDAP server settings appear.
3. Select the Enable LDAP Server check box.
The LDAP server settings are enabled.
4. From the IP Address/DNS Name drop-down list, select whether to use the IP address or DNS
name to contact your primary LDAP server.
5. In the IP Address/DNS Name text box, type the IP address or DNS name of the primary LDAP
server for the XTM device to contact with authentication requests.
The LDAP server can be located on any XTM device interface. You can also configure your
device to use an LDAP server on a remote network through a VPN tunnel.
6. In the Port text box, type the TCP port number for the XTM device to use to connect to the
LDAP server. The default port number is 389.
If you enable LDAPS, you must select port 636.
7. In the Search Base text box, type the search base settings in the standard format:
ou=organizational unit,dc=first part of distinguished server name,dc=any part of the
distinguished server name that appears after the dot.
For example: ou=accounts,dc=example,dc=com
8. In the Group String text box, type the group string attribute.
The default attribute is memberOf.
This attribute string holds user group information on the LDAP server. On many LDAP servers,
the default group string is uniqueMember; on other servers, it is member. For user groups on an
OpenLDAP server without memberOf overlay support, you can also specify the attributes
member, memberUID, or gidNumber.
9. In the DN of Searching User text box, type the distinguished name (DN) for a search
operation.
You can add any user DN with the privilege to search LDAP/Active Directory, such as an
administrator. Some administrators create a new user that only has searching privileges.
For example, cn=Administrator,cn=Users,dc=example,dc=com.
10. In the Password of Searching User text box, type the password associated with the
distinguished name for a search operation.
11. From the Login Attribute drop-down list, select an LDAP login attribute to use for
authentication.
The login attribute is the name used for the bind to the LDAP database. The default login
attribute is uid. If you use uid, the DN of Searching User and the Password of Searching
User text boxes can be empty.
12. In the Dead Time text box, type or select the amount of time after which an inactive server is
marked as active again. Select minutes or hours from the adjacent drop-down list to set the
duration.
After an authentication server has not responded for a period of time, it is marked as inactive.
Subsequent authentication attempts do not try this server until it is marked as active again.
13. To enable secure SSL connections to your LDAP server, select the Enable LDAPS check box.
14. If you enable LDAPS but did not set the Port value to the default port for LDAPS, a port
message dialog box appears. To use the default port, click Yes. To use the port you specified,
click No.
15. To verify the certificate of the LDAP server with the imported CA certificate, select the Validate
server certificate check box.
16. To specify optional attributes for the primary LDAP server, complete the settings in the LDAP
Server Optional Settings section.
For more information about how to configure optional settings, see the subsequent section.
17. To add a backup LDAP server, select the Secondary tab, and select the Enable Secondary
LDAP Server check box.
18. Repeat Steps 3–16 to configure the backup server. Make sure the shared secret is the same on
the primary and backup LDAP servers.
For more information, see Use a Backup Authentication Server on page 428.
19. Click Save.
About LDAP Optional Settings
Fireware XTM can get additional information from the directory server (LDAP or Active Directory) when
it reads the list of attributes in the server’s search response. This lets you use the directory server to
assign extra parameters to the authenticated user sessions, such as timeouts and Mobile VPN with
IPSec address assignments. Because the data comes from LDAP attributes associated with
individual user objects, you are not limited to the global settings in Fireware XTM Web UI. You can set
these parameters for each individual user.
For more information, see Use Active Directory or LDAP Optional Settings on page 463.
Test the Connection to the Server
To make sure that your XTM device can connect to your LDAP server and successfully authenticate
your users, you can test the connection to your authentication server. You can also use this feature to
determine if a specific user is authenticated and to get authentication group information for that user.
You can test the connection to your authentication server from the Authentication Servers page for
your server, or you can navigate directly to the Server Connection page in Fireware XTM Web UI.
To navigate to the Server Connection page from the Authentication Servers page:
1. Click Test Connection for LDAP and Active Directory.
The Server Connection page appears.
2. Follow the instructions in the Server Connection topic to test the connection to your server.
For instructions to navigate directly to the Server Connection page in Fireware XTM Web UI, see
Server Connection on page 788.
Configure Active Directory Authentication
Active Directory is the Microsoft® Windows-based application of an LDAP directory structure. Active
Directory lets you expand the concept of domain hierarchy used in DNS to an organizational level. It
keeps information and settings for an organization in a central, easy-to-access database. You can use
an Active Directory authentication server to enable your users to authenticate to the XTM device with
their current network credentials. You must configure both your XTM device and the Active Directory
server for Active Directory authentication to work correctly.
When you configure Active Directory authentication, you can specify one or more Active Directory
domains that your users can select when they authenticate. For each domain, you can add up to two
Active Directory servers: one primary server and one backup server. If the first server you add fails, the
second server is used to complete authentication requests. When you add an Active Directory server,
you can select whether to specify the IP address or the DNS name of each server.
If you configure more than one Active Directory domain and you use Single Sign-On (SSO), to enable
your users to select from the available Active Directory domains and authenticate, your users must
install the SSO client. For more information, see About Single Sign-On (SSO) on page 391 and Install
the WatchGuard Single Sign-On (SSO) Client on page 413.
If your users authenticate with the Active Directory authentication method, their distinguished names
(DN) and passwords are not encrypted. To use Active Directory authentication and encrypt user
credentials, you can select the LDAPS (LDAP over SSL) option. When you use LDAPS, the traffic
between the LDAPS client on your XTM device and your Active Directory server is secured by an SSL
tunnel. When you enable this option, you can also choose whether to enable the LDAPS client to
validate the Active Directory server certificate. If you choose to use LDAPS and you specify the
DNS name of your server, make sure the search base you specify includes the DNS name of your
server.
The Active Directory server can be located on any XTM device interface. You can also configure your
XTM device to use an Active Directory server available through a VPN tunnel.
Before you begin, make sure your users can successfully authenticate to your Active Directory server.
You can then use Fireware XTM Web UI to configure your XTM device. You can add, edit, or delete the
Active Directory domains and servers defined in your configuration.
Add an Active Directory Authentication Domain and Server
1. Select Authentication > Servers.
The Authentication Servers page appears.
2. From the Server list, select Active Directory.
The Active Directory server settings appear.
3. Click Add.
The Add page appears.
4. In the Domain Name text box, type the domain name to use for this Active Directory server.
The domain name must include a domain suffix. For example, type example.com, not example.
5. From the Primary drop-down list, select IP Address or DNS Name.
6. In the text box, type the IP address or DNS name of this Active Directory server.
7. In the Port text box, type the TCP port number for the device to use to connect to the Active
Directory server.
The default port number is 389. If you enable LDAPS, you must select port 636.
If your Active Directory server is a global catalog server, it can be useful to change the default
port. For more information, see Change the Default Port for the Active Directory Server on page
463.
8. To add another Active Directory server to this domain:
a. From the Secondary (Optional) drop-down list, select IP Address or DNS Name.
b. In the text box, type the IP address or DNS name of the secondary Active Directory
server.
c. In the Port text box, specify the TCP port number for the device to use to connect to the
Active Directory server.
For more information, see Use a Backup Authentication Server on page 428.
9. In the Search Base text box, type the location in the directory to begin the search.
The standard format for the search base setting is: ou=<name of organizational unit>,dc=<first
part of the distinguished server name>,dc=<any part of the distinguished server name that
appears after the dot>.
To limit the directories on the authentication server where the XTM device can search for an
authentication match, you can set a search base. We recommend that you set the search base
to the root of the domain. This enables you to find all users and all groups to which those users
belong.
For more information, see Find Your Active Directory Search Base on page 461.
10. In the Group String text box, type the attribute string that is used to hold user group information
on the Active Directory server. If you have not changed your Active Directory schema, the
group string is always memberOf.
11. In the DN of Searching User text box, type the distinguished name (DN) for a search
operation.
If you keep the login attribute of sAMAccountName, you do not have to type anything in this text
box.
If you change the login attribute, you must add a value in the DN of Searching User text box.
You can use any user DN with the privilege to search LDAP/Active Directory, such as an
administrator. However, a weaker user DN with only the privilege to search is usually sufficient.
For example, cn=Administrator,cn=Users,dc=example,dc=com.
12. In the Password of Searching User text box, type the password associated with the
distinguished name for a search operation.
13. From the Login Attribute drop-down list, select an Active Directory login attribute to use for
authentication.
The login attribute is the name used for the bind to the Active Directory database. The default
login attribute is sAMAccountName. If you use sAMAccountName, you do not have to specify
a value for the DN of Searching User and Password of Searching User settings.
14. In the Dead Time text box, type a time after which an inactive server is marked as active again.
15. From the Dead Time drop-down list, select minutes or hours to set the duration.
After an authentication server has not responded for a period of time, it is marked as inactive.
Subsequent authentication attempts do not try this server until it is marked as active again.
16. To enable secure SSL connections to your Active Directory server, select the Enable LDAPS
check box.
17. If you enable LDAPS but did not set the Port value to the default port for LDAPS, a port
message dialog box appears. To use the default port, click Yes. To use the port you specified,
click No.
18. To verify the certificate of the Active Directory server is valid, select the Validate server
certificate check box.
19. To specify optional attributes for the primary LDAP server, complete the Active Directory
Server Optional Settings section.
For more information about how to configure optional settings, see the subsequent section.
20. Click Save.
About Active Directory Optional Settings
Fireware XTM can get additional information from the directory server (LDAP or Active Directory) when
it reads the list of attributes in the server’s search response. This lets you use the directory server to
assign extra parameters to the authenticated user sessions, such as timeouts and Mobile VPN with
IPSec address assignments. Because the data comes from LDAP attributes associated with
individual user objects, you are not limited to the global settings in Fireware XTM Web UI. You can set
these parameters for each individual user.
For more information, see Use Active Directory or LDAP Optional Settings on page 463.
Test the Connection to the Server
To make sure that your XTM device can connect to your Active Directory server and successfully
authenticate your users, you can test the connection to your authentication server. You can also use
this feature to determine if a specific user is authenticated and to get authentication group information
for that user.
You can test the connection to your authentication server from the Authentication Servers page for
your server, or you can navigate directly to the Server Connection page in Fireware XTM Web UI.
To navigate to the Server Connection page from the Authentication Servers page:
1. Click Test Connection for LDAP and Active Directory.
The Server Connection page appears.
2. Follow the instructions in the Server Connection topic to test the connection to your server.
For instructions to navigate directly to the Server Connection page in Fireware XTM Web UI, see
Server Connection on page 788.
Edit an Existing Active Directory Domain
When you edit an Active Directory domain, you cannot change the details of the Active Directory
servers configured in the domain. Instead, you must add a new server. If there are two servers in the
list, you must remove one of the servers before you can add a new one.
From the Authentication Servers page:
1. In the Active Directory domains list, select the server to change.
2. Click Edit.
The Active Directory / Edit page appears.
3. To add an IP address or DNS name to the server for this domain, follow the instructions in the
previous section.
4. Update the settings for your Active Directory server.
Delete an Active Directory Domain
From the Authentication Servers page:
1. From the Server list, select Active Directory.
The Active Directory page appears.
2. In the Active Directory domains list, select the domain to delete.
3. Click Remove.
A confirmation message appears.
4. Click Yes.
The server is removed from the list.
Find Your Active Directory Search Base
When you configure your XTM device to authenticate users with your Active Directory server, you add
a comma-delimited search base. The search base is the place the search starts in the Active Directory
hierarchical structure for user account entries. This can help to make the authentication procedure
faster.
Before you begin, you must have an operational Active Directory server that contains account
information for all users for whom you want to configure authentication on the XTM device.
From your Active Directory server:
1. Select Start > Administrative Tools > Active Directory Users and Computers.
2. In the Active Directory Users and Computers tree, find and select your domain name.
3. Expand the tree to find the path through your Active Directory hierarchy.
Domain name components have the format dc=domain name component, are appended to the
end of the search base string, and are also comma-delimited.
For each level in your domain name, you must include a separate domain name component in
your Active Directory search base. For example, if your domain name is prefix.example.com,
the domain name component in your search base is DC=prefix,DC=example,DC=com.
To make sure that the Active Directory search can find any user object in your domain, specify the root
of the domain. For example, if your domain name is kunstlerandsons.com, and you want the Active
Directory search to find any user object in the entire domain, the search base string to add is:
dc=kunstlerandsons,dc=com.
To limit the search to begin in a container beneath the root of the domain, you must specify the
fully-qualified name of the container in comma-delimited form. Start with the name of the base container
and progress to the root of the domain. For example, assume your domain in the tree looks like this after
you expand it:
Also assume that you want the Active Directory search to begin in the Sales container that appears in
the example. This enables the search to find any user object inside the Sales container, and inside any
containers in the Sales container.
The search base string to add in the XTM device configuration is:
ou=sales,ou=accounts,dc=kunstlerandsons,dc=com
The search string is not case-sensitive. When you type your search string, you can use either
uppercase or lowercase letters. Make sure that a comma separates each component in the search
base, without spaces between the components.
This search does not find user objects inside the Development or Admins containers, or inside the
Builtin, Computers, Domain Controllers, ForeignSecurityPrincipals, or Users containers.
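The rules above (one dc= component per domain label, OUs listed from the most specific outward, comma-delimited with no spaces, case-insensitive, and a search that only reaches objects beneath the base) can be checked mechanically. This added example is not WatchGuard's code; the directory contents are constructed, and since the expanded-tree figure is not reproduced here, the placement of the Development container is assumed.

```python
from typing import Iterable, List

# Constructed directory, laid out like the guide's kunstlerandsons.com example.
USERS = {
    "alice": "cn=Alice,ou=Sales,ou=Accounts,dc=kunstlerandsons,dc=com",
    "bob": "cn=Bob,ou=Development,ou=Accounts,dc=kunstlerandsons,dc=com",
    "svc-backup": "cn=svc-backup,cn=Users,dc=kunstlerandsons,dc=com",
}


def domain_components(domain: str) -> str:
    """'prefix.example.com' -> 'dc=prefix,dc=example,dc=com': one dc= per label."""
    labels = [label for label in domain.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("domain name needs at least one label")
    return ",".join("dc=" + label for label in labels)


def search_base(domain: str, ou_path: Iterable[str] = ()) -> str:
    """Build the search base for a container beneath the domain root.

    ou_path is given top-down, e.g. ("Accounts", "Sales"); a DN lists the
    most specific component first, so the path is reversed. Output is
    lowercase with no spaces after the commas, matching the guide's format.
    """
    parts = ["ou=" + ou.strip().lower() for ou in reversed(list(ou_path))]
    parts.append(domain_components(domain))
    return ",".join(parts)


def normalize_dn(dn: str) -> List[str]:
    """Split a DN into lowercase RDNs, tolerating spaces around the commas.
    Escaped commas inside an attribute value are not handled; none occur here."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def in_search_scope(user_dn: str, base: str) -> bool:
    """True if a subtree search rooted at `base` can reach `user_dn`, i.e. the
    base's RDNs are a proper suffix of the user's RDNs (case-insensitive)."""
    user, root = normalize_dn(user_dn), normalize_dn(base)
    return len(user) > len(root) and user[-len(root):] == root


def findable_users(base: str, users=USERS) -> List[str]:
    """Accounts a device configured with this search base could authenticate."""
    return sorted(name for name, dn in users.items() if in_search_scope(dn, base))


if __name__ == "__main__":
    sales_base = search_base("kunstlerandsons.com", ("Accounts", "Sales"))
    print(sales_base, "->", findable_users(sales_base))
    root_base = search_base("kunstlerandsons.com")
    print(root_base, "->", findable_users(root_base))
```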
DN of Searching User and Password of Searching User Fields
You must complete these fields only if you select an option for the Login Attribute that is different
from the default value, sAMAccountName. Most organizations that use Active Directory do not change
this. When you leave this field at the default sAMAccountName value, users supply their usual Active
Directory login names for their user names when they authenticate. This is the name you see in the
User logon name text box on the Account tab when you edit the user account in Active Directory
Users and Computers.
If you use a different value for the Login Attribute, a user who tries to authenticate gives a different
form of the user name. In this case, you must add Searching User credentials to your XTM device
configuration.
Change the Default Port for the Active Directory Server
If your WatchGuard device is configured to authenticate users with an Active Directory (AD)
authentication server, it connects to the Active Directory server on the standard LDAP port by default,
which is TCP port 389. If the Active Directory servers that you add to your WatchGuard device
configuration are set up to be Active Directory global catalog servers, you can tell the
WatchGuard device to use the global catalog port—TCP port 3268—to connect to the Active Directory
server.
A global catalog server is a domain controller that stores information about all objects in the forest. This
enables the applications to search Active Directory, but not have to refer to specific domain controllers
that store the requested data. If you have only one domain, Microsoft recommends that you configure
all domain controllers as global catalog servers.
If the primary or secondary Active Directory server you use in your WatchGuard device configuration is
also configured as a global catalog server, you can change the port the WatchGuard device uses to
connect to the Active Directory server to increase the speed of authentication requests. However, we
do not recommend that you create additional Active Directory global catalog servers just to speed up
authentication requests. The replication that occurs among multiple global catalog servers can use
significant bandwidth on your network.
Configure the XTM Device to Use the Global Catalog Port
1. Select Authentication > Servers.
The Authentication Servers page appears.
2. In the Server list, select Active Directory.
The Active Directory page appears with the list of configured servers.
3. Select a server and click Edit.
4. In the Port text box, clear the contents and type 3268.
5. Click Save.
Find Out if Your Active Directory Server is Configured as a Global
Catalog Server
1. Select Start > Administrative Tools > Active Directory Sites and Services.
2. Expand the Sites tree and find the name of your Active Directory server.
3. Right-click NTDS Settings for your Active Directory server and select Properties.
If the Global Catalog check box is selected, the Active Directory server is configured to be a
global catalog.
Use Active Directory or LDAP Optional Settings
When Fireware XTM contacts the directory server (Active Directory or LDAP) to search for
information, it can get additional information from the list of attributes in the search response returned
by the server. This enables you to use the directory server to assign extra parameters to the
authenticated user session, such as timeouts and Mobile VPN address assignments. Because the
data comes from LDAP attributes associated with individual user objects, you can set these
parameters for each individual user and you are not limited to the global settings in Fireware XTM Web
UI.
Before You Begin
To use these optional settings you must:
n Extend the directory schema to add new attributes for these items.
n Make the new attributes available to the object class that user accounts belong to.
n Give values to the attributes for the user objects that should use them.
Make sure you carefully plan and test your directory schema before you extend it to your directories.
Additions to the Active Directory schema, for example, are generally permanent and cannot be undone.
Use the Microsoft® web site to get resources to plan, test, and implement changes to an Active
Directory schema. Consult the documentation from your LDAP vendor before you extend the schema
for other directories.
Specify Active Directory or LDAP Optional Settings
You can use Fireware XTM Web UI to specify the additional attributes Fireware XTM looks for in the
search response from the directory server.
1. Select Authentication > Servers.
The Authentication Servers page appears.
2. From the Authentication Servers list, select LDAP or Active Directory and make sure the
server is enabled.
3. In the Optional Settings section, type the attributes to include in the directory search in the
string fields.
IP Attribute String
This setting applies only to Mobile VPN clients.
Type the name of the attribute for Fireware XTM to use to assign a virtual IP address to the
Mobile VPN client. This must be a single-valued attribute that holds an IPv4 address in
dotted-decimal format. The IP address must be within the pool of virtual IP addresses you
specify when you create the Mobile VPN Group.
If the XTM device does not see the IP attribute in the search response or if you do not
specify an attribute in Fireware XTM Web UI, it assigns the Mobile VPN client a virtual IP
address from the virtual IP address pool you create when you make the Mobile VPN Group.
Netmask Attribute String
This setting applies only to Mobile VPN clients.
Type the name of the attribute for Fireware XTM to use to assign a subnet mask to the
Mobile VPN client's virtual IP address. This must be a single-valued attribute that holds a
subnet mask in dotted-decimal format.
The Mobile VPN software automatically assigns a netmask if the XTM device does not see
the netmask attribute in the search response or if you do not specify one in Fireware XTM
Web UI.
DNS Attribute String
This setting applies only to Mobile VPN clients.
Type the name of the attribute Fireware XTM uses to assign the Mobile VPN client one or
more DNS addresses for the duration of the Mobile VPN session. This can be a multi-valued
attribute and each value must be a normal dotted-decimal IP address. If the XTM device does
not see the DNS attribute in the search response, or if you do not specify an attribute in
Fireware XTM Web UI, it uses the DNS addresses you enter when you Configure WINS
and DNS Servers.
WINS Attribute String
This setting applies only to Mobile VPN clients.
Type the name of the attribute Fireware XTM should use to assign the Mobile VPN client
one or more WINS addresses for the duration of the Mobile VPN session. This can be a
multi-valued attribute and must be a normal dotted-decimal IP address. If the XTM device
does not see the WINS attribute in the search response or if you do not specify an attribute
in Fireware XTM Web UI, it uses the WINS addresses you enter when you Configure
WINS and DNS Servers.
Lease Time Attribute String
This setting applies to Mobile VPN clients and to clients that use Firewall Authentication.
Type the name of the attribute for Fireware XTM to use to control the maximum duration a
user can stay authenticated (session timeout). After this amount of time, the user is
removed from the list of authenticated users. This must be a single-valued attribute.
Fireware XTM interprets the attribute’s value as a decimal number of seconds. It interprets
a zero value as never time out.
Idle Timeout Attribute String
This setting applies to Mobile VPN clients and to clients that use Firewall Authentication.
Type the name of the attribute Fireware XTM uses to control the amount of time a user can
stay authenticated when no traffic is passed to the XTM device from the user (idle timeout).
If no traffic passes to the device for this amount of time, the user is removed from the list of
authenticated users. This must be a single-valued attribute. Fireware XTM interprets the
attribute’s value as a decimal number of seconds. It interprets a zero value as never time
out.
4. Click Save.
The attribute settings are saved.
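As an added illustration of the rules above (example code written for this edition, not WatchGuard's implementation of the feature), the function below takes the attribute list from an LDAP search response and derives the session parameters the way the descriptions require: a single-valued attribute is refused if the server returns several values, the IP address must lie inside the Mobile VPN group's virtual IP pool, DNS and WINS may be multi-valued but every value must be dotted-decimal, the two timeouts are decimal seconds with zero meaning never, and an absent attribute falls back to the global Web UI setting. The attribute names, the pool, the global defaults and the sample directory entry are all constructed for the example; the guide does not prescribe attribute names, you choose them when you extend the schema.

```python
import ipaddress

# Attribute names are hypothetical: the guide does not define them, you choose
# them when you extend the directory schema and type them into the Web UI.
ATTRIBUTES = {
    "ip": "wgVpnAddress",
    "netmask": "wgVpnNetmask",
    "dns": "wgVpnDns",
    "wins": "wgVpnWins",
    "lease": "wgSessionTimeout",
    "idle": "wgIdleTimeout",
}

NEVER = 0  # a timeout attribute value of 0 means "never time out"

# Constructed sample: global settings from the Web UI and one directory entry.
# LDAP client libraries return every attribute as a list of string values.
GLOBAL_DEFAULTS = {
    "virtual_ip": None,        # None: take an address from the Mobile VPN pool
    "netmask": None,           # None: the Mobile VPN client software assigns one
    "dns": ["10.0.1.53"],
    "wins": [],
    "session_timeout": 28800,
    "idle_timeout": 1800,
}
SAMPLE_ENTRY = {
    "wgVpnAddress": ["192.168.113.10"],
    "wgVpnDns": ["10.0.1.5", "10.0.1.6"],
    "wgSessionTimeout": ["0"],
    "wgIdleTimeout": ["900"],
}


def _single(entry, attr):
    """Value of a single-valued attribute, or None when the server did not
    return it. More than one value is a data error, so refuse rather than guess."""
    values = entry.get(attr, [])
    if len(values) > 1:
        raise ValueError(f"{attr} must be single-valued, got {values!r}")
    return values[0] if values else None


def _seconds(raw):
    """Timeout attributes hold a decimal number of seconds; 0 means never."""
    value = int(raw, 10)
    if value < 0:
        raise ValueError("timeout attributes must not be negative")
    return value


def session_parameters(entry, vpn_pool, defaults=GLOBAL_DEFAULTS):
    """Build the per-user session parameters from an LDAP search response.

    entry    -- attribute name -> list of string values, as returned by LDAP
    vpn_pool -- the Mobile VPN group's virtual IP pool, e.g. "192.168.113.0/24"
    defaults -- the global values from the Web UI, used when an attribute is absent
    """
    pool = ipaddress.IPv4Network(vpn_pool)
    params = dict(defaults)

    ip = _single(entry, ATTRIBUTES["ip"])
    if ip is not None:
        addr = ipaddress.IPv4Address(ip)        # rejects anything not dotted-decimal
        if addr not in pool:
            raise ValueError(f"{addr} is outside the virtual IP pool {pool}")
        params["virtual_ip"] = str(addr)

    mask = _single(entry, ATTRIBUTES["netmask"])
    if mask is not None:
        # IPv4Network rejects a non-contiguous mask such as 255.0.255.0
        params["netmask"] = str(ipaddress.IPv4Network(f"0.0.0.0/{mask}").netmask)

    for key in ("dns", "wins"):                 # multi-valued attributes
        values = entry.get(ATTRIBUTES[key])
        if values:
            params[key] = [str(ipaddress.IPv4Address(v)) for v in values]

    for key, attr in (("session_timeout", ATTRIBUTES["lease"]),
                      ("idle_timeout", ATTRIBUTES["idle"])):
        raw = _single(entry, attr)
        if raw is not None:
            params[key] = _seconds(raw)
    return params
```

Refusing a multi-valued result for a single-valued attribute, rather than silently taking the first value, is the safer choice: two administrators who both set an address on the same user object would otherwise get whichever value the directory happens to return first.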
Use a Local User Account for Authentication
Any user can authenticate as a Firewall user, PPTP user, or Mobile VPN user, and open a PPTP or
Mobile VPN tunnel if PPTP or Mobile VPN is enabled on the XTM device. However, after
authentication or a tunnel has been successfully established, users can send traffic through the VPN
tunnel only if the traffic is allowed by a policy on the XTM device. For example, a Mobile VPN-only user
can send traffic through a Mobile VPN tunnel. Even though the Mobile VPN-only user can authenticate
and open a PPTP tunnel, he or she cannot send traffic through that PPTP tunnel.
If you use Active Directory authentication and the group membership for a user does not match your
Mobile VPN policy, you can see an error message that says Decrypted traffic does not match any
policy. If you see this error message, make sure that the user is in a group with the same name as your
Mobile VPN group.
Use Authorized Users and Groups in Policies
You can use specified user and group names when you create policies in Fireware XTM Web UI. For
example, you can define policies that only allow connections for authenticated users, or you can limit
connections on a policy to particular users.
The term authorized users and groups refers to users and groups that are allowed to access network
resources.
Define Users and Groups for Firebox Authentication
If you use your XTM device as an authentication server and want to define users and groups that
authenticate to the XTM device, see Define a New User for Firebox Authentication on page 432 and
Define a New Group for Firebox Authentication on page 435.
Define Users and Groups for Third-Party Authentication
You can use Fireware XTM Web UI to define the users and groups to use for third-party authentication.
When you create a group, if you use more than one Active Directory domain for authentication, you
must specify the domain that you want users in the group to use to authenticate.
For both individual users and user groups, you can also enable login limits. When you enable unlimited
concurrent logins for a user or group, you allow more than one user or member of a group to
authenticate with the same user credentials at the same time, to one authentication server. This is
useful for guest accounts or in laboratory environments. When the second user logs in with the same
credentials, the first user authenticated with the credentials is automatically logged out. The other
option you can select for user and group login limits is to limit your users or members of a group to a
single authenticated session. If you select this option, your users cannot log in to one authentication
server from different IP addresses with the same credentials. When a user is authenticated, and tries
to authenticate again, you can select whether the first user session is terminated when the subsequent
session is authenticated, or if the subsequent session is rejected.
User and group names on your Active Directory server are case-sensitive. When you add an
authorized user or group to your XTM device, the user or group name must have the same
capitalization used in the name on the Active Directory server.
1. Create a group on your third-party authentication server that contains all the user accounts on
your system.
2. Select Authentication > Users and Groups.
The Authentication Users and Groups page appears.
3. Click Add.
The Add User or Group dialog box appears.
4. For the Type option, select Group or User.
5. Type a user or group name that you created on the authentication server.
The user or group name is case-sensitive and must match the capitalization used on the
authentication server.
6. (Optional) Type a description for the user or group.
7. From the Authentication Server drop-down list, select your authentication server.
8. To enable login limits, select the Enable login limits for each user or group check box and
follow the instructions in the subsequent sections to select an option:
n Allow Unlimited Concurrent Login Sessions
n Limit Login Sessions
9. Click Add.
10. Click Save.
Allow Unlimited Concurrent Login Sessions
You can allow more than one user to authenticate with the same user credentials at the same time, to
one authentication server. This is useful for guest accounts or in laboratory environments. When the
second user logs in with the same credentials, the first user authenticated with the credentials is
automatically logged out. If you do not allow this feature, a user cannot authenticate to the
authentication server more than once at the same time.
From the Define User or Group dialog box:
1. Select the Enable login limits for each user or group check box.
2. Select Allow unlimited concurrent firewall authentication logins from the same account.
For Mobile VPN with IPSec and Mobile VPN with SSL users, concurrent logins from the same account
are always supported regardless of whether this option is selected. These users must log in from
different IP addresses for concurrent logins, which means that they cannot use the same account to
log in if they are behind an XTM device that uses NAT. Mobile VPN with PPTP and Mobile VPN with
L2TP users do not have this restriction.
Limit Login Sessions
From the Authentication Settings page, you can limit your users to a specific number of
authenticated sessions. If you select this option, you can specify the number of times your users can
use the same credentials to log in to one authentication server from different IP addresses. When a
user is authenticated and tries to authenticate again, you can select whether the first user session is
terminated when a subsequent session is authenticated, or if the subsequent sessions are rejected.
From the Define User or Group dialog box:
1. Select the Enable login limits for each user or group check box.
2. Select Limit concurrent user sessions to.
3. In the text box, type or select the number of allowed concurrent user sessions.
4. From the drop-down list, select an option:
n Reject subsequent login attempts
n Allow subsequent login attempts and logoff the first session.
Add Users and Groups to Policy Definitions
Any user or group that you want to use in your policy definitions must be added as an authorized user.
All users and groups you create for Firebox authentication, and all Mobile VPN users, are automatically
added to the list of authorized users and groups on the Authorized Users and Groups dialog box.
You can add any users or groups from third-party authentication servers to the authorized user and
group list with the previous procedure. You are then ready to add users and groups to your policy
configuration.
1. Select Firewall > Firewall Policies.
The Firewall Policies page appears.
2. Select a policy from the list and click Action > Edit Policy.
Or, double-click a policy.
The Policy Configuration page appears.
3. Below the From list, click Add.
The Add Member dialog box appears.
4. From the Member Type drop-down list, select Firewall User.
The list of available users appears.
If your user or group does not appear in the Groups list, see Define a New User for Firebox
Authentication on page 432, Define a New Group for Firebox Authentication on page 435, or the
previous Define users and groups for third-party authentication procedure, and add the user or
group.
5. Select a user and click OK.
After you add a user or group to a policy configuration, Fireware XTM Web UI automatically adds a
WatchGuard Authentication policy to your XTM device configuration. Use this policy to control access
to the authentication portal web page. For instructions to edit this policy, see Use Authentication to
Restrict Incoming Traffic on page 383.
Enable a Hotspot
You can configure the guest network on your WatchGuard XTM device as a hotspot to give Internet
connectivity to your visitors or customers. When you enable the hotspot feature, you have more control
over connections to your guest network. You can configure the hotspot feature for connections to either
a wireless or a wired guest network on your XTM device. You can also configure the hotspot feature for
connections through a WatchGuard Access Point (AP) device.
When you configure your XTM device as a hotspot you can customize:
n A splash screen that users see when they connect
n The terms and conditions that users must accept before they can browse to a web site
n The maximum length of time a user can be continuously connected
n The interface on the XTM device on which the hotspot runs:
o Any wireless interface (Access point 1, Access point 2, or a wireless guest network)
o Any physical interface (trusted or optional interfaces only)
o Any VLAN interface
o Any bridge interface
If you configure the hotspot for connections through a WatchGuard AP device, the interface you select
for the hotspot depends on the interface configuration on the AP device.
n If you use VLAN tagging in your AP device SSID configuration, you can enable a hotspot for
one SSID. Select the VLAN interface that corresponds to the VLAN ID that is set in the SSID
you select on the AP device.
n If you do not use VLAN tagging in your SSID configuration, select the interface on the
XTM device that your AP device is connected to.
For more information about how to configure an SSID for a WatchGuard AP device, see Configure
WatchGuard AP Device SSIDs on page 314.
If you enable a hotspot on a wireless XTM device, you can select one of these interfaces:
n WG-Wireless-Access-Point1 — This is the Access Point 1 interface in the XTM device
wireless settings.
n WG-Wireless-Access-Point2 — This is the Access Point 2 interface in the XTM device
wireless settings.
n WG-Wireless-Guest — This is the Wireless guest interface in the XTM device wireless
settings.
When you enable the hotspot feature, the Allow Hotspot-Users policy is automatically created. This
policy allows connections from the guest interface to your external interfaces. This gives hotspot users
access to the Internet without access to computers on your trusted and optional networks.
If your hotspot is for a wireless network connection, before you set up a wireless hotspot, you must
configure the settings for your wireless guest network as described in Enable a Wireless Guest
Network.
To enable the hotspot:
1. Select Authentication > Hotspot.
2. Select the Enable Hotspot check box and select an interface from the drop-down list.
You cannot select an External physical interface for a hotspot.
3. Complete the configuration settings as described in the subsequent sections.
Configure User Timeout Settings
You can configure timeout settings to limit the amount of time that users can continuously use your
hotspot. When the timeout period expires, the user is disconnected. When users are disconnected,
they lose all Internet connectivity, but are still connected to the network. The hotspot splash screen
reappears and the users must accept the Terms and Conditions again before they can continue to use
the hotspot.
1. In the Session timeout text box and drop-down list, type or select the maximum amount of
time a user can remain continuously connected to your hotspot, and select the unit of time.
If the Session timeout is set to 0 (the default value), guest users are not disconnected after a
specified time interval.
2. In the Idle timeout text box and drop-down list, type or select the amount of time that a user
must be idle for the connection to time out, and select the unit of time.
If the Idle timeout is set to 0, users are not disconnected if they do not send or receive traffic.
Select the Hotspot Type
Select a hotspot type to specify how your XTM device manages the initial user connection to your
hotspot.
There are two hotspot types:
Custom Page
For a Custom Page hotspot, when a user connects to the hotspot URL, the XTM device shows
the hotspot splash screen that you configure on the XTM device. The user must accept the
terms and conditions you specify in order to use the hotspot. Custom Page is the most common
hotspot type, and is the default type.
External Guest Authentication
For an External Guest Authentication hotspot, when a user connects to the hotspot URL, the
XTM device redirects the user to a URL on an external web server that you set up. You
configure the page on the external web server to perform user authentication, or collect any user
information you want from hotspot users. After the hotspot user attempts to authenticate on the
external web server, the web server returns a result that tells the XTM device whether to allow
the user to use the hotspot.
To specify the type of hotspot:
1. From the Hotspot Type drop-down list, select the hotspot type.
2. Complete the configuration settings for the type of hotspot you selected:
n Configure the Hotspot Custom Page on page 475.
n Configure the Hotspot for External Guest Authentication on page 491.
Configure the Hotspot Custom Page
If you selected the Custom Page hotspot type, when users connect to your hotspot, the hotspot
custom splash page that you configure appears. This is a web page that shows the terms and
conditions users must agree to before they can use the hotspot. You can configure the text that
appears on the splash page and the appearance of the page. You can also redirect hotspot users to a
specified web page after they accept the terms and conditions.
You can customize these elements of the hotspot custom page:
n Page Title — Located at the top of the page
n Welcome Message — Located below the page title
n Logo — Located at the top left of the page, adjacent to the page title
n Terms and Conditions — This text appears in a scrolling text box in the center of the page.
Each hotspot user must select the I have read and accept the terms and conditions check
box below this text to accept your terms and conditions before they can use your hotspot.
n Redirect URL — Specify a URL to send users to after they accept the terms and conditions.
n Font, Size, Text color, and Background color — Configure these options to customize the
appearance of your hotspot page.
When you select the Custom Page hotspot type, you must configure the settings for the Page title
and the Terms and Conditions. All other settings are optional.
Before you begin, you must Enable a Hotspot.
To configure the Custom Page settings for your hotspot, on the Hotspot page:
1. From the Hotspot Type drop-down list, select Custom Page.
2. In the Page title text box, type the title text to appear at the top of the custom page.
3. To include a welcome message, select the Welcome Message check box and in the text box,
type the text to appear at the top of the page.
4. (Optional) To use a custom logo on the splash screen, select the Use a custom logo check
box and click Upload to select your custom logo file.
The logo file must be in .jpg, .gif or .png format. We recommend that the image be no larger than
90 x 50 (width x height) pixels, or 50 kB.
5. In the Terms and Conditions text box, type or paste the text your users must agree to before
they can use the hotspot. The maximum length is 20,000 characters.
6. To automatically redirect users to a web site after they accept the Terms and Conditions, in the
Redirect URL text box, type the URL of the web site.
7. (Optional) To customize the fonts and colors for your splash screen Welcome page:
n Font — From the Font drop-down list, select a font.
If you do not specify a font, the Welcome page uses the default browser font for each user.
n Size — From the Size drop-down list, select the text size.
The default text size is Medium.
n Text Color — This is the color for the text on the hotspot splash screen. The default color is
#000000 (black). To specify a different color, click the color box and select another color
from the color palette, or type the HTML color code in the Text Color text box.
n Background Color — This is the color to use for the background of the hotspot splash
screen. The default color is #FFFFFF (white). To specify a different color, click the color box
and select a different color from the color palette, or type the HTML color code in the
Background Color text box.
8. Click Preview Splash Screen.
A preview of the splash screen appears in a new browser window.
9. Close the preview browser window.
10. Finish the splash screen configuration settings and click Return to Main Page.
11. Click Save.
Connect to a Hotspot
If you selected the Custom Page hotspot type, you can connect to the hotspot to review the splash
screen settings.
If you selected the External Guest Authentication hotspot type, the connection steps are different,
and depend on how you configure the external web server. For more information, see About Hotspot
External Guest Authentication.
To review the hotspot splash screen:
1. Connect to your guest network with the SSID and other settings that you configured for the
guest network.
To connect to a wireless guest network, you must use a wireless client.
2. In a web browser, browse to any web site.
The hotspot splash screen appears in the browser.
3. Select the I have read and accept the terms and conditions check box.
4. Click Continue.
The browser displays the original URL you requested. Or, if the hotspot is configured to automatically
redirect the browser to a URL, the browser goes to the web site.
The content and appearance of the hotspot splash screen can be configured with the hotspot settings
for your guest network.
The URL of the hotspot splash screen is http://<IP address of the guest
network>:4106/hotspot .
See Hotspot Connections
When you enable the hotspot feature, you can see information about the number of clients that are
connected to the hotspot. You can also disconnect clients.
To see the list of connected hotspot clients:
1. Connect to Fireware XTM Web UI for your XTM device.
2. Select System Status > Hotspot Clients.
The Hotspot Clients page appears, with the IP address and MAC address displayed for each
connected client.
To disconnect a client from the hotspot, on the Hotspot Clients page:
1. Select one or more connected hotspot clients.
2. Click Disconnect.
For more information, see Hotspot Clients on page 785.
About Hotspot External Guest Authentication
If you have a WatchGuard XTM 21, 22, or 23 device, this feature is not available for
your device.
When you enable a hotspot for your wired or wireless guest network, you can select the External
Guest Authentication hotspot type. With this hotspot type, the XTM device sends new hotspot users
to an external web server for authentication. External Guest Authentication is not related to other types
of user authentication supported by the XTM device.
Use this hotspot type if you want to automatically connect new hotspot users to an external web server
that collects and verifies authentication credentials or other information for the hotspot user. Based on
the information the user provides, the external web server sends an access decision to the XTM
device. The XTM device then either allows or denies the user access to the hotspot.
This feature is described in terms of authentication, but it does not require the
external web server to do user authentication. You can create an authentication page
on your web server to ask hotspot users for any information that you want to use as
criteria for access to your hotspot.
Before You Begin
Before you configure the external web server and enable external guest authentication on the
XTM device, you must select the shared secret, authentication URL, and authentication failure URL to
use. These settings affect the configuration of the external web server and the hotspot configuration on
the XTM device.
Shared Secret
The shared secret is used to generate and validate a checksum included with the access
decision. The external web server uses the shared secret to calculate a checksum it includes
with the access decision sent to the XTM device. The XTM device uses the shared secret to
verify the checksum received with the access decision. The shared secret must be between 1
and 32 characters.
Authentication URL
This is the URL on the external web server of the web page where a hotspot user authenticates.
In the XTM hotspot configuration, the Authentication URL must begin with https:// or http:// and
must use the IP address of the web server, rather than a domain name.
Authentication Failure URL
This is the URL on the external web server of the web page the hotspot user sees if external
guest authentication is not successful. In the XTM hotspot configuration, the Authentication
Failure URL must begin with https:// or http:// and must use the IP address of the web server,
rather than a domain name.
Configuration
Because configuration of the web server requires web programming, we recommend that you configure
the web server first. A link to a code example is included in the setup instructions for the web server.
After you set up the web server, configure the XTM hotspot for External Guest Authentication.
For details about the configuration requirements and procedures, see:
n Configure a Web Server for Hotspot External Guest Authentication
n Configure the Hotspot for External Guest Authentication
After you have configured your web server and hotspot, you can test external guest authentication on
your hotspot and review the log messages to identify any errors. For more information, see
Troubleshoot Hotspot External Guest Authentication.
For an example of the script on the external web server, see the WatchGuard Knowledge Base at
http://customers.watchguard.com/.
External Guest Authentication Example
Communication between the XTM device and the external authentication server occurs through the
hotspot client browser. The XTM device and authentication server use the parameters specified in the
URLs to allow the communication. This example provides some example URLs that show at a high
level how external authentication operates. For more details and a description of all the parameters in
each URL, see Configure a Web Server for Hotspot External Guest Authentication.
The URLs in this example are based on these configuration settings and assumptions:
n WatchGuard XTM device:
o Guest Network IP address — 10.0.3.1
o Optional interface IP address — 10.0.2.1
n External Web Server:
o IP address — 10.0.2.80
o Authentication URL — http://10.0.2.80:8080/auth.html
o Authentication Failure URL — http://10.0.2.80:8080/failure.html
n Hotspot user:
o MAC address — 9C:4E:36:30:2D:26
o The hotspot user initially tries to connect to http://www.google.com.
Step 1 — Hotspot User Authenticates
When a user initially tries to get access to a web site, the XTM device receives an HTTP request from
the hotspot user. The XTM device checks the MAC address to see if this user already has a current
hotspot session. If there is already a hotspot session for this MAC address, the XTM device allows or
denies the traffic based on the firewall policy configuration. If this is a new MAC address, to send the
access request URL to the external web server, the XTM device sends a redirect to the hotspot client
browser.
Example access request URL:
http://10.0.2.80:8080/auth.html?xtm=http://10.0.3.1:4106/wgcgi.cgi&action=hotspot_auth&ts=1344238620&sn=70AB02716F745&mac=9C:4E:36:30:2D:26&redirect=http://www.google.com/
The authentication page on the external web server appears in the hotspot user's browser. The hotspot
user provides the information required to authenticate.
Step 2 — External Web Server Sends the Access Decision
After the external web server authenticates the hotspot user, it sends the access decision URL to the
XTM device through the hotspot client browser.
Example access decision URL:
http://10.0.3.1:4106/wgcgi.cgi?action=hotspot_auth&ts=1344238620&success=1&sig=a05d352951986e5fbf939920b260a6be3a9fffd3&redirect=http://www.google.com/
In this URL:
n success=1 means that the access decision from the web server was to allow the user access
to the hotspot.
n The URL in the redirect parameter of the access decision URL is the URL the hotspot
user originally requested.
n The external web server could optionally replace this with a different URL.
Step 3 — XTM Device Allows or Denies Access
The XTM device reads the access decision (success=1 or success=0) and verifies the checksum. If
success=1 and the checksum verification is successful, the XTM device creates a hotspot session for
the client and redirects the client to the URL specified in the access decision URL. If success=0 or any
authentication error is detected, the XTM device redirects the client to the authentication failure URL.
In this example, authentication is successful, so the browser goes to the originally requested site,
http://www.google.com .
If authentication fails or if access was denied, the browser goes to the authentication failure URL.
Example failure URL:
http://10.0.2.80:8080/failure.html?error=510&sn=70A70272B454E&mac=9C:4E:36:30:2D:26
Configure a Web Server for Hotspot External Guest Authentication
Use these guidelines to configure a web server for hotspot external guest authentication. The web
server can be located on any network connected to the XTM device. We recommend that you install
the web server in the same part of your network as your other public servers.
External Authentication Process
This diagram summarizes the main steps in the interaction between the client browser, the XTM
device, and the external web server.
The steps in the external authentication process are:
1. A hotspot user tries to browse to a web page.
2. If this is a new hotspot user, the XTM device redirects the client browser to the Authentication
URL on the external web server.
This URL includes a query string that contains the access request.
3. The browser sends the access request to the external web server.
4. The external web server sends the Authentication page to the browser.
5. The hotspot user types the requested authentication information and submits the form to the
external web server.
6. The external web server processes the authentication information and sends an HTML page
that contains the decision URL to the browser.
7. The browser sends the access decision to the XTM device.
The access decision URL contains the access decision, a checksum, and a redirect URL.
8. The XTM device reads the access decision, verifies the checksum, and sends the redirect URL
to the hotspot user's browser.
Based on the outcome of the external authentication process, the redirect URL can be:
• The original URL the user browsed to, if the external web server sent the original redirect URL.
• A different redirect URL, if the external web server sent a different redirect URL.
• The authentication failure URL, if authentication failed or access was denied.
9. The external web server sends a logoff URL to the XTM device to end the user hotspot session.
The main steps in this external authentication process are more fully described in the subsequent
sections.
Requirements
You can write the web program in Perl, Python, PHP, or any other language. For reference, we provide
a code example written in Python. The code example is attached to the Knowledge Base article Code
Example for Wireless Hotspot External Authentication.
On the web server, you must create three web pages to work with this feature:
• Authentication Page — Receives the authentication information from the hotspot user.
• Result Page — Returns the authentication result and redirects the client browser to send the
access decision to the XTM device.
• Authentication Failure Page — Shows error information if there is an error, or if access is
denied.
These pages are described in the subsequent sections.
For the web server to successfully communicate with your XTM device, you must make sure that the
web server can get access to the XTM device.
Authentication Page
The web server must send the authentication page to the hotspot client when it receives an access
request URL from the XTM device.
The web program must save all the information that comes in the access request URL, described in
Interaction Step 2. It can use the timestamp and MAC address parameters as a key or can use a file
name to save this data. After the client finishes authentication, the web program for the Result Page
must retrieve this data from the saved request and use it together with the shared secret to calculate a
hash checksum.
This example shows the format of an access request URL:
http://10.0.2.80:8080/auth.html?xtm=http://10.0.3.1:4106/wgcgi.cgi&action=hotspot_auth&ts=1344238620&sn=70AB02716F745&mac=9C:4E:36:30:2D:26&redirect=http://www.google.com/
The access request URL includes these parameters:
xtm — The URL on the XTM device where the external web server must send the access
decision.
action — The action type. The value is always hotspot_auth.
ts — The time stamp for the request.
sn — The serial number of the XTM device.
mac — The MAC address of the client.
redirect — The original URL the hotspot user tried to browse to.
You define the details of the authentication process. The XTM device must know only the access
decision and other parameters required to verify the integrity of the interaction.
Result Page
After the hotspot user provides the requested authentication information, the web program must
determine whether to allow access, based on the information provided by the hotspot user, and any
access criteria you specify. The web program must combine all the required parameters into one URL,
and include it in a web page that it sends to the client browser, as described in Interaction Step 6. This
URL is called the access decision URL.
This example shows the format of the access decision URL:
http://10.0.3.1:4106/wgcgi.cgi?action=hotspot_auth&ts=1344238620&success=1&sess_timeout=1200&idle_timeout=600&sig=a05d352951986e5fbf939920b260a6be3a9fffd3&redirect=http://www.google.com/
The access decision URL begins with the URL specified in the xtm parameter in the access request
URL.
The access decision URL must include all of these parameters:
action
The action type. The value must be hotspot_auth.
success
The decision about hotspot access. Set the value to 1 to allow the user to get access to the
hotspot, or 0 to deny access.
sess_timeout
The session timeout value for the user hotspot connection. Specify the amount of time in
seconds that a user can be connected to the hotspot for each session. Set the value to 1 to use
the Session Timeout setting configured on the XTM device. Set the value to 0 to disable the
session timeout value. When you set the value to 0, the user connection to the hotspot does not
time out.
idle_timeout
The idle timeout value for the user hotspot connection. Specify the amount of time in seconds
that a user session connection to the hotspot can be idle before the session is disconnected.
Set the value to -1 to use the default Idle Timeout setting configured on the XTM device. Set the
value to 0 to disable the idle timeout value. When you set the value to 0, the user connection to
the hotspot does not expire when there is no traffic between the user client and the hotspot.
sig
A hex encoded string in lower case. It is a SHA1 checksum based on the values of ts, sn, mac,
success, sess_timeout, idle_timeout, and the shared secret. The shared secret you use to
calculate the hash checksum must match the shared secret configured in the hotspot settings
on the XTM device.
The formula to calculate the checksum value is Hash = SHA1(ts + sn + mac + success +
sess_timeout + idle_timeout + shared_secret). The XTM device uses the checksum to
validate the integrity of the interaction between the client browser and the external web server.
redirect
The redirect URL you want the XTM device to send to the hotspot user after successful
authentication. To redirect the browser to the original URL the user requested, use the value
originally received in the access request URL. To redirect users to a different URL, specify that
URL in this parameter.
In Interaction Step 6, the web server sends the web page that contains the access decision URL to the
client browser. This page causes the client browser to send the access decision to the XTM device
(Interaction Step 7), so that the XTM device can check the integrity of the interaction and create a
hotspot session for the client on the XTM hotspot.
This web page can use a hyperlink to send the whole decision URL or it can use a <form> to send a
message that contains all the fields in the authentication decision URL.
Example of hyperlink:
<a href="http://10.0.3.1:4106/wgcgi.cgi?action=hotspot_auth
&ts=1344238620&success=1&sess_timeout=1200&idle_timeout=600&
sig=a05d352951986e5fbf939920b260a6be3a9fffd3&redirect=http://www.google.com/"
>Connect</a>
Example of form:
<form action="http://10.0.3.1:4106/wgcgi.cgi" method="post">
  <fieldset>
    <input type="submit" name="Connect" value="Connect" title="Connect" />
    <input type="hidden" name="action" value="hotspot_auth" />
    <input type="hidden" name="ts" value="1344238620" />
    <input type="hidden" name="success" value="1" />
    <input type="hidden" name="sess_timeout" value="1200" />
    <input type="hidden" name="idle_timeout" value="600" />
    <input type="hidden" name="sig" value="a05d352951986e5fbf939920b260a6be3a9fffd3" />
    <input type="hidden" name="redirect" value="http://www.google.com/" />
  </fieldset>
</form>
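The Result Page checksum and the device-side verification it enables, as an added worked example in Python (this is not the guide's code and not the Knowledge Base example the guide mentions). The shared secret, the five-minute request lifetime modelled as a stored creation time, and the reading of the formula's + as plain string concatenation are assumptions, so the sig values computed here do not reproduce the guide's example values.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed shared secret (assumption): the guide does not publish the one
# behind its example sig values, so hashes computed here differ from the guide's.
SHARED_SECRET = "example-shared-secret"

# The device keeps an unanswered access request for five minutes (guide,
# troubleshooting section); modelled here as a lifetime in seconds.
REQUEST_LIFETIME_S = 300

# Access request URL in the format shown above, with the guide's example values.
ACCESS_REQUEST_URL = (
    "http://10.0.2.80:8080/auth.html?xtm=http://10.0.3.1:4106/wgcgi.cgi"
    "&action=hotspot_auth&ts=1344238620&sn=70AB02716F745&mac=9C:4E:36:30:2D:26"
    "&redirect=http://www.google.com/"
)

REQUIRED_REQUEST = ("xtm", "action", "ts", "sn", "mac", "redirect")
REQUIRED_DECISION = ("action", "ts", "success", "sess_timeout",
                     "idle_timeout", "sig", "redirect")


def _flat_query(url):
    """Return the query string of url as a dict of single string values."""
    return {k: v[0] for k, v in
            parse_qs(urlsplit(url).query, keep_blank_values=True).items()}


# ---- external web server side ---------------------------------------------

def parse_access_request(url):
    """Authentication Page: save every parameter of the access request URL."""
    params = _flat_query(url)
    missing = [k for k in REQUIRED_REQUEST if k not in params]
    if missing or params["action"] != "hotspot_auth":
        raise ValueError("bad access request, missing %s" % missing)
    return params


def request_key(ts, mac):
    """Key under which the web program (and the device) file a request."""
    return "%s/%s" % (ts, mac)


def decision_sig(ts, sn, mac, success, sess_timeout, idle_timeout, secret):
    """Hash = SHA1(ts + sn + mac + success + sess_timeout + idle_timeout +
    shared_secret), read as plain concatenation (assumption); lowercase hex."""
    material = "".join(str(v) for v in
                       (ts, sn, mac, success, sess_timeout, idle_timeout, secret))
    return hashlib.sha1(material.encode("utf-8")).hexdigest()


def build_decision_url(saved, success, sess_timeout, idle_timeout, secret,
                       redirect=None):
    """Result Page: assemble the access decision URL from the saved request.
    It starts with the saved xtm value; redirect defaults to the URL the user
    originally asked for. urlencode percent-encodes the redirect value."""
    sig = decision_sig(saved["ts"], saved["sn"], saved["mac"],
                       success, sess_timeout, idle_timeout, secret)
    query = [("action", "hotspot_auth"), ("ts", saved["ts"]),
             ("success", success), ("sess_timeout", sess_timeout),
             ("idle_timeout", idle_timeout), ("sig", sig),
             ("redirect", redirect or saved["redirect"])]
    return "%s?%s" % (saved["xtm"], urlencode(query))


# ---- model of the XTM device side -----------------------------------------

def check_decision(url, client_mac, pending, secret, now):
    """Interaction Step 8 as the device performs it, modelled. `pending` maps
    request_key -> (saved request, time created); `client_mac` is the MAC the
    device sees on the client connection (it is not carried in the URL).
    Returns (ok, error code from the failure URL table or None, log text)."""
    params = _flat_query(url)
    if any(k not in params for k in REQUIRED_DECISION) \
            or params["action"] != "hotspot_auth":
        return False, 511, "Hotspot auth failed, errcode=511"
    # The request is found by ts and MAC and deleted once retrieved, so the
    # same decision URL cannot be replayed; it also expires after five minutes.
    entry = pending.pop(request_key(params["ts"], client_mac), None)
    if entry is None or now - entry[1] > REQUEST_LIFETIME_S:
        # The guide gives no error code for this case, only the log text.
        return False, None, "Hotspot client request not found"
    saved = entry[0]
    expected = decision_sig(saved["ts"], saved["sn"], saved["mac"],
                            params["success"], params["sess_timeout"],
                            params["idle_timeout"], secret)
    # Constant-time compare; an uppercase sig fails, as the guide requires lowercase.
    if not hmac.compare_digest(expected, params["sig"]):
        return False, 510, "Hash is invalid for this hotspot client"
    if params["success"] != "1":
        return False, 514, "External authentication failed (success=0)"
    return True, None, "hotspot session created, redirect to %s" % params["redirect"]
```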
Authentication Failure Page
After Interaction Step 7, if the XTM device detects any error in the authentication process, for example
a URL parameter error, create session error, or invalid checksum, the XTM device redirects the client
browser to the failure page of the external web server in Interaction Step 8.
The XTM device constructs the failure URL with an error code to indicate why the authentication did
not succeed. You can use these as the basis for messages to the user on the authentication failure
page.
This example shows the format of the failure URL:
http://10.0.2.80:8080/failure.html?error=510&sn=70A70272B454E&mac=9C:4E:36:30:2D:28
The failure URL includes these parameters:
• error — The error number that indicates the reason for failure.
• sn — The serial number of the XTM device.
• mac — The MAC address of the client.
The XTM device can set the error parameter to one of these error numbers:
Error   Reason for Failure
510     Invalid authentication result or signature
511     Invalid CGI parameter
512     Create hotspot session failed
513     Internal error
514     External authentication failed (success=0)
You can configure the authentication failure page on the external web server to show different
messages to the hotspot user based on the error code.
Logoff URL
If the external web server must log off a specified client, it sends a logoff URL to the XTM device that
includes the MAC address of the client to log off. Each logoff URL can log off only one client at a time.
For the XTM device to be able to successfully log off a client, the external web server must include
these specific details in the logoff URL:
action
The action type. The value must always be hotspot_logoff.
mac
The MAC address of the client to log off. The web server can use the same MAC address used
in the access request URL.
sig
A hex encoded string in lower case. It is a SHA1 checksum based on the mac value and the
shared secret. The shared secret you use to calculate the hash checksum must match the
shared secret configured in the hotspot settings on the XTM device.
The formula to calculate the checksum value is sig = SHA1(mac + secret). The XTM device
uses the checksum value to identify the external web server. This enables the XTM device to
allow logoff requests only from legitimate sources, and to make sure logoff requests from
malicious sources are denied.
The external web server uses these parameters to generate the logoff URL in this format:
http://10.0.3.1:4106/wgcgi.cgi?action=hotspot_logoff&mac=9C:4E:36:30:2D:26&sig=03349009b213b701871b936007cd92bc0eb94376
When the XTM device receives the logoff URL from the external web server, it sends one of these
responses:
Success or failure of the user hotspot session log off
<?xml version="1.0"?>
<authentication>
<logoff_list>
<logoff>
<session_id>12</session_id>
<success>1</success>
</logoff>
</logoff_list>
</authentication>
A <success> value of 0 means the logoff attempt failed. A <success> value of 1 means the
logoff attempt succeeded.
The user hotspot session was not found
<?xml version="1.0"?>
<authentication>
<logoff_list/>
</authentication>
This message appears if the session already timed out or was deleted.
An internal error occurred
<?xml version="1.0"?>
<authentication>
<internal_error/>
</authentication>
You can review the error messages to see if there is a problem with the logoff URL settings and adjust
them as necessary.
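The logoff URL and the three XML replies described above, as an added example in Python that is not part of the guide. The shared secret is constructed and the formula's + is read as plain string concatenation (an assumption); the reply bodies are the guide's, embedded here as constructed sample input.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SHARED_SECRET = "example-shared-secret"      # constructed value (assumption)
XTM_CGI = "http://10.0.3.1:4106/wgcgi.cgi"   # the guide's example device URL


def logoff_sig(mac, secret):
    """sig = SHA1(mac + secret), read as plain concatenation (assumption);
    returned as lowercase hex, as the guide requires."""
    return hashlib.sha1((mac + secret).encode("utf-8")).hexdigest()


def build_logoff_url(xtm_cgi, mac, secret):
    """Web server side: one logoff URL logs off exactly one client."""
    query = [("action", "hotspot_logoff"), ("mac", mac),
             ("sig", logoff_sig(mac, secret))]
    return "%s?%s" % (xtm_cgi, urlencode(query))


def verify_logoff_url(url, secret):
    """Model of the device-side check: only a sender that knows the shared
    secret can log a client off. Returns the MAC to log off, or None when the
    request must be denied (missing parameter or wrong sig)."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if params.get("action") != "hotspot_logoff" \
            or "mac" not in params or "sig" not in params:
        return None
    # Constant-time comparison of the lowercase hex digests.
    if not hmac.compare_digest(logoff_sig(params["mac"], secret), params["sig"]):
        return None
    return params["mac"]


# The three reply bodies the guide lists, as constructed samples.
RESPONSE_LOGGED_OFF = """<?xml version="1.0"?>
<authentication>
<logoff_list>
<logoff>
<session_id>12</session_id>
<success>1</success>
</logoff>
</logoff_list>
</authentication>"""

RESPONSE_NOT_FOUND = """<?xml version="1.0"?>
<authentication>
<logoff_list/>
</authentication>"""

RESPONSE_INTERNAL_ERROR = """<?xml version="1.0"?>
<authentication>
<internal_error/>
</authentication>"""


def parse_logoff_response(body):
    """Classify the device's XML reply. Returns (status, session_id), where
    status is one of 'logged_off', 'logoff_failed', 'not_found',
    'internal_error' or 'unexpected'. The reply comes from the device itself,
    so the standard-library parser is used here."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "unexpected", None
    if root.tag != "authentication":
        return "unexpected", None
    if root.find("internal_error") is not None:
        return "internal_error", None
    logoff_list = root.find("logoff_list")
    if logoff_list is None:
        return "unexpected", None
    entries = logoff_list.findall("logoff")
    if not entries:
        # Empty list: the session already timed out or was deleted.
        return "not_found", None
    entry = entries[0]
    session_id = entry.findtext("session_id")
    status = "logged_off" if entry.findtext("success") == "1" else "logoff_failed"
    return status, session_id
```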
Configure the Hotspot for External Guest Authentication
After you configure your external web server for external guest authentication, you can configure the
hotspot on the XTM device to use the web server for hotspot authentication.
Before you begin, you must Enable a Hotspot.
To configure the External Guest Authentication settings for your hotspot:
1. On the Hotspot Configuration page, select the Enable Hotspot check box.
2. From the Hotspot Type drop-down list, select External Guest Authentication.
The External Guest Authentication settings appear.
3. In the Shared Secret and Confirm text boxes, type the shared secret.
This must be the same shared secret the external web server uses to create the checksum value it
sends with the access decision.
4. In the Authentication URL text box, type the URL of the authentication page on the external
web server.
The Authentication URL must begin with https:// or http:// and must specify the IP address
of the web server, not a domain name.
For example, http://10.0.2.80:8080/auth.html.
5. In the Authentication Failure URL text box, type the URL of the authentication failure page on
the external web server.
The Authentication Failure URL must begin with https:// or http:// and must specify the
IP address of the web server, not a domain name.
For example, http://10.0.2.80:8080/failure.html.
When you enable external guest authentication, these policies are automatically created:
• Allow External Web Server — Allows TCP connections from users on the guest network to
the external web server IP address and the port you use for hotspot external guest
authentication.
• Allow Hotspot Session Mgmt — Allows connections from the external web server IP address
to the XTM device.
• Allow Hotspot-Users — Allows connections from the hotspot to addresses external to the
XTM device.
Troubleshoot Hotspot External Guest Authentication
After the external web server and the XTM device are configured for external guest authentication, you
can use log messages on the XTM device to look at any errors that occur. This list shows log message
examples for a few of the more common error types and the possible cause and resolution for each.
Error type: missing a parameter in the decision URL
Log message example
Nov 2 18:20:32 2012 Firebox local3.err wgcgi[23924]: Hotspot auth failed, errcode=511
Possible cause
Missing parameter in the access decision URL.
Solution
Make sure the decision URL contains all the required parameters.
For information about required parameters, see Configure a Web Server for Hotspot External
Guest Authentication.
Error type: client request not found in the appliance
Log message example
Nov 2 18:28:14 2012 Firebox local3.err admd[1456]: Hotspot client request not found
Possible causes
Request timeout — The hotspot user must provide the authentication information within five
minutes. Otherwise, the request times out and is deleted.
Timestamp (parameter “ts” in the decision URL) is invalid — The XTM device uses the
timestamp and MAC address of the client to retrieve the client access request. If the ts
parameter is invalid, it cannot find the request.
Request has been used — After an access request is retrieved by the XTM device, it is deleted.
Do not send the same request multiple times.
Solution
Retype the original URL in the client web browser to get access to the Internet again in order to
create a new access request on the XTM device.
Error type: hash checksum is invalid
Log message example
Nov 2 18:43:52 2012 Firebox local3.err admd[1456]: Hash is invalid for this hotspot client
Possible causes
Parameter “success” in the decision URL is not 1 — If the success parameter does not equal 1,
authentication fails.
Parameter “sig” in the decision URL is invalid — If the checksum generated by the web server
does not match the checksum generated by the XTM device, authentication fails.
Solution
Check the hash checksum calculation. It must be a hex encoded string in lower case.
For the formula to calculate the hash checksum, see Configure a Web Server for Hotspot
External Guest Authentication.
12 Policies
About Policies
The security policy of your organization is a set of definitions to protect your computer network and the
information that goes through it. The XTM device denies all packets that are not specifically allowed.
When you add a policy to your XTM device configuration file, you add a set of rules that tell the XTM
device to allow or deny traffic based upon factors such as source and destination of the packet or the
TCP/IP port or protocol used for the packet.
As an example of how a policy could be used, suppose the network administrator of a company wants
to log in remotely to a web server protected by the XTM device. The network administrator manages
the web server with a Remote Desktop connection. At the same time, the network administrator wants
to make sure that no other network users can use Remote Desktop. To create this setup, the network
administrator adds a policy that allows RDP connections only from the IP address of the network
administrator's desktop computer to the IP address of the web server.
A policy can also give the XTM device more instructions on how to handle the packet. For example,
you can define logging and notification settings that apply to the traffic, or use NAT (Network Address
Translation) to change the source IP address and port of network traffic.
Packet Filter and Proxy Policies
Your XTM device uses two categories of policies to filter network traffic: packet filters and proxies. A
packet filter examines each packet’s IP and TCP/UDP header. If the packet header information is
legitimate, then the XTM device allows the packet. Otherwise, the XTM device drops the packet.
A proxy examines both the header information and the content of each packet to make sure that
connections are secure. This is also called deep packet inspection. If the packet header information is
legitimate and the content of the packet is not considered a threat, then the XTM device allows the
packet. Otherwise, the XTM device drops the packet.
Add Policies to Your XTM device
The XTM device includes many pre-configured packet filters and proxies that you can add to your
configuration. For example, if you want a packet filter for all Telnet traffic, you add a pre-defined Telnet
policy that you can modify for your network configuration. You can also make a custom policy for
which you set the ports, protocols, and other parameters.
When you configure the XTM device with the Quick Setup Wizard, the wizard adds several packet
filters: Outgoing (TCP-UDP), FTP, ping, and up to two WatchGuard management policies. If you have
more software applications and network traffic for the XTM device to examine, you must:
• Configure the policies on your XTM device to let the necessary traffic through
• Set the approved hosts and properties for each policy
• Balance the requirement to protect your network against the requirements of your users to get
access to external resources
We recommend that you set limits on outgoing access when you configure your XTM device.
In all documentation, we refer to both packet filters and proxies as policies.
Information on policies refers to both packet filters and proxies unless otherwise
specified.
About the Policies Pages
The policies included in your current XTM device configuration appear on the Firewall Policies and
Mobile VPN Policies pages. From these pages you can see configuration information, such as
source and destination addresses, assigned ports, policy-based routing, and application control
settings, as well as whether notification, scheduling, and QoS/Traffic Management are configured. You
can also add, edit, and delete policies on these pages.
By default, Fireware XTM Web UI sorts policies from the most specific to the most general. The order
determines how traffic flows through the policies.
For more information about how to add policies, see Add Policies to Your Configuration on page 500.
This information appears for each policy:
Order
The order in which the policies are sorted, and how traffic flows through the policies. Policies
are automatically sorted from the most specific to the most general. To manually select the
order in which the policies are applied, you can switch to Manual-Order Mode. When the Policy
List is in Manual-Order Mode, you can sort the policy list by column.
To switch to Manual-Order Mode and change the policy order:
1. Click Disable policy Auto-Order mode.
A confirmation message appears.
2. Click Yes to enable Manual-Order Mode.
3. Select one or more policies in the list and click Move Up or Move Down.
4. Click Save Policy Order.
For more information on policy order, see About Policy Precedence.
Action
The action taken by the policy for traffic that matches the policy definition. The symbols in this
column also indicate whether the policy is a packet filter policy or a proxy policy, and the
settings that are configured for the policy:
• Packet filter policy; traffic is allowed
• Packet filter policy; traffic is denied
• Disabled packet filter policy
• Proxy policy; traffic is allowed
• Proxy policy; traffic is denied
• Disabled proxy policy
• Application Control is configured
• Traffic Management/QoS is configured
• Scheduling is configured
• Logging is enabled
• Notification is enabled
Policy Name
Name of the policy, as defined in the Name text box on the Policy Configuration page.
Policy Type
The protocol that the policy manages. Packet filters include the protocol name only. Proxies
include the protocol name and -proxy. ALGs include the protocol name and -ALG.
From
The source addresses for this policy.
To
The destination addresses for this policy.
Port
Protocols and ports used by the policy.
PBR
The interface numbers that are used for failover in the policy-based routing settings for the
policy.
Application Control
The Application Control action enabled for the policy.
For more information, see Enable Application Control in a Policy.
Tags
The policy tag that is applied to the policy. To filter the policies in the policy list by the applied
policy tags, click and apply a policy filter.
For more information, see About Policy Tags and Filters on page 506.
About the Outgoing Policy
The Outgoing policy is a packet filter policy that is automatically added to your XTM device
configuration when you run the Quick Setup Wizard to set up your device and create a basic device
configuration file. The Outgoing policy allows all TCP and UDP connections from any trusted or
optional source on your network to any external network. Because it is a packet filter policy, not a
proxy policy, the Outgoing policy does not filter content when it examines the traffic through your XTM
device.
If you remove the Outgoing policy from your device configuration file, you must add policies to your
configuration that allow outbound traffic. You can either add a separate policy for each type of traffic
that you want to allow out through your firewall, or you can add the TCP-UDP packet filter or TCP-UDP-proxy policy.
For more information about the TCP-UDP proxy, see About the TCP-UDP-Proxy.
Add Policies to Your Configuration
To add a firewall or Mobile VPN policy:
1. Select Firewall > Firewall Policies or Firewall > Mobile VPN Policies.
The Policies page you selected appears.
2. Click Add Policy.
3. In the Policy Name text box, type a name for the policy.
4. For a Mobile VPN policy, from the Select a group drop-down list, select an existing Mobile
VPN group.
5. Select a policy type:
• Packet Filter
• Proxies
• Custom
6. For a packet filter, from the Packet Filter drop-down list, select a policy type.
For a proxy, from the first drop-down list, select a proxy, and from the second drop-down list,
select a proxy action.
For a custom policy, from the Custom drop-down list, select a policy or click Add to create a
new custom policy.
For more information, see Create or Edit a Custom Policy Template.
7. Click Add Policy.
8. Define the settings for the policy.
9. Click Save.
For more information about Mobile VPN Policies, see Configure Policies to Filter Mobile VPN Traffic
on page 1003.
The XTM device includes a default definition for each policy included in the XTM device configuration
file. The default definition consists of settings that are appropriate for most installations. However, you
can modify them for your particular business purposes, or if you want to include special policy
properties such as Traffic Management actions and operating schedules.
After you add a policy to your configuration, you define rules to:
• Set allowed traffic sources and destinations
• Make filter rules
• Enable or disable the policy
• Configure properties such as Traffic Management, NAT, and logging
For more information on policy configuration, see About Policy Properties on page 527.
Use Policy Checker to Find a Policy
To determine how your XTM device manages traffic for a particular protocol between a source and
destination you specify, you can use Policy Checker in Fireware XTM Web UI.
For more information about Policy Checker, see Use Policy Checker to Find a Policy on page 503.
Add a Policy from the List of Templates
Your XTM device includes a default definition for each policy included in the XTM device configuration.
The default definition settings are appropriate for most installations; however, you can modify them to
include special policy properties, such as QoS actions and operating schedules.
On the Add Firewall Policy page:
1. Select a policy type: Packet Filter, Proxies, or Custom.
2. From the adjacent drop-down lists, select a policy.
3. If you select a proxy, from the second drop-down list, select the proxy action.
4. To change the name of the policy, in the Name text box, type a new name.
5. Click Add Policy.
The Add page appears.
6. Configure the access rules and other settings for the policy.
7. Click Save.
For more information on policy properties, see About Policy Properties on page 527.
For more information about how to add Mobile VPN Policies, see Configure Policies to Filter Mobile
VPN Traffic on page 1003.
For more information about how to configure proxy actions, see About Proxy Actions.
For more information about how to configure a schedule for a policy, see Set an Operating Schedule on
page 523.
For more information about how to configure application control actions, see Configure Application
Control Actions.
When you configure the access rules for your policy, you can choose to use an alias. For more
information about aliases, see About Aliases on page 514 and Create an Alias on page 515.
Disable or Delete a Policy
As your network security requirements change, you can disable or delete the policies in your
configuration.
To disable a policy:
1. Select Firewall > Firewall Policies or Firewall > Mobile VPN Policies.
2. Double-click the policy.
Or, select the policy and from the Action drop-down list, select Edit Policy.
3. Clear the Enable check box.
4. Click Save.
Delete a Policy
To delete a policy:
1. Select Firewall > Firewall Policies or Firewall > Mobile VPN Policies.
2. Select the policy and from the Action drop-down list, select Delete Policies.
A confirmation message appears.
3. Click Yes.
Your configuration changes are saved automatically.
Use Policy Checker to Find a Policy
You can use Policy Checker to determine how your XTM device manages traffic for a particular
protocol between a source and destination you specify. This can be a useful troubleshooting tool if your
XTM device allows or denies traffic unexpectedly, or if you want to make sure your policies manage
traffic the way you expect. Based on the parameters you specify, Policy Checker sends a test packet
through your XTM device to see how the device manages the packet. If there is a policy that manages
the traffic, Policy Checker highlights that policy in the Firewall Policies list.
When you run Policy Checker, you must specify these parameters:
• An interface — Any active device interface (physical, VLAN, or bridge), or SSL-VPN, Any-BOVPN, Any-MUVPN, or PPTP
• A protocol — Ping, TCP, or UDP
• Source and destination IP address
• Source and destination port — Only applies if you select TCP or UDP as the Protocol
The results can include any of these details:
• Policy type
• Policy name
• An action
• An interface
• Source or destination NAT IP address
• Source or destination NAT port
You cannot use Policy Checker in Fireware XTM Web UI for a FireCluster. Instead,
use the policy-check command in the Command Line Interface. For more
information, see the Command Line Interface Reference.
To run Policy Checker:
1. Select Firewall > Firewall Policies.
The Firewall Policies page appears.
2. Click Show policy checker.
The policy checker section appears.
3. From the Interface drop-down list, select an active interface on your XTM device.
4. From the Protocol drop-down list, select an option: Ping, TCP, or UDP.
5. In the Source IP text box, type the source IP address for the traffic.
6. In the Destination IP text box, type the destination IP address for the traffic.
7. If you selected TCP or UDP for the Protocol, in the Source Port text box, type or select the
port for the traffic source.
If you selected Ping as the Protocol, the port text box is disabled.
8. If you selected TCP or UDP for the Protocol, in the Destination Port text box, type or select
the port for the traffic destination.
If you selected Ping as the Protocol, the port text box is disabled.
9. Click Run policy checker.
The results appear in the Results section.
Read the Results
If the packet was managed by a policy, the policy details appear in the Results section, and the policy
is highlighted in the Firewall Policies list.
If the packet was not managed by a policy, but by another means (such as a hostile site match), that
information appears in the Results section, but nothing is highlighted in the Firewall Policies list.
The only elements that always include a value in the Results section are the Name and Type
elements. Values for all other elements are only present if their values are established.
Element, with its possible values and their descriptions:
Type
  Policy — The packet was allowed or denied by a policy.
  Security — The packet was dropped by something other than a policy (for example, a blocked site
  match) and a security measure was triggered.
  Inconclusive — There was an error in the interpretation of the disposition of the packet.
Name
  Depends on the Type value.
  If the type was Policy, the name of the policy appears. Not all configured policies are exposed. If the
  policy name is unfamiliar, you can examine the configuration file for more information about the policy.
  If the type was Security, the security function appears (for example, Blocked Sites). The set of
  supported security functions can be different from one release to the next:
  • ICMP Flood Attack
  • IKE Flood Attack
  • IPSec Flood Attack
  • TCP SYN Flood Attack
  • UDP Flood Attack
  • TCP SYN check
  • Broadcast
  • DNS forward inactive
  • FWSPEED license
  • Blocked Ports
  • Blocked Sites
  • Blocked connection — The packet matched an existing connection that was blocked by a policy.
  • Unit not activated
  • DDoS Client Quota
  • DDoS Server Quota
  • User count exceeded
  • IP source route
  • Spoofing Attack
  • Wireless Guest
  • Wireless MVPN
  • MAC Access Control
  • MAC/IP Address Binding
  If the type was Inconclusive, the name is Unspecified.
Action
  Allow — The packet was allowed.
  Deny — The packet was denied. This is always the result when the type is Security.
Interface
  Interface name — The egress interface. This is the user-defined name (for example, External), not the
  system name (for example, eth0).
Source NAT IP
  IP address — The IP address to which the original source IP address was changed by NAT.
Source NAT Port
  TCP/UDP port — The TCP or UDP port to which the original source port was changed by NAT.
Destination NAT IP
  IP address — The IP address to which the original destination IP address was changed by NAT.
Destination NAT Port
  TCP/UDP port — The TCP or UDP port to which the original destination port was changed by NAT.
About Policy Tags and Filters
A policy tag is a label you can apply to your Firewall and Mobile VPN with IPSec policies to help you
organize your policies into easy to manage groups. You can apply more than one policy tag to a policy
and apply any policy tag to many policies. A policy filter uses the policy tags you have applied to your
policies to specify which policies appear in the policy lists on the Firewall and Mobile VPN with
IPSec pages.
When you create a policy tag or filter, the tag or filter name must consist only of some combination of these characters:
• Uppercase and lowercase letters
• Numerals
• Special characters: -, space, _, +, /, *
You can use the procedures in the subsequent sections to create and apply policy tags and filters in a
single XTM device configuration file or a v11.7 or later Device Configuration Template. For more
information about templates, see the topic Create Device Configuration Templates in the WatchGuard
System Manager Help.
Create and Apply Policy Tags
To create a new policy tag, you can either select a policy and create a tag for that policy, or you can
create a tag and then apply it to one or more policies. You can select a color for each policy tag to make
it easy to identify the policy tag when it appears in the Tags column. This is particularly helpful when
you apply more than one policy tag to a single policy. When you create a policy tag, it is added to the
Tags List in the Manage Policy Tags dialog box in alphabetical order.
You can apply a policy tag from the policy list or when you define the properties in the policy
configuration. If you apply more than one policy tag to a policy, the tags appear in alphabetical order in
the Tags column of the policy list and in the Tags list of the policy properties. Capitalized tags appear
in the list before lowercase tags.
Create and Apply a Policy Tag from the Policy List
To create a policy tag and apply it to policies:
1. On the Firewall or Mobile VPN with IPSec page, select one or more policies in the policy list.
2. Select Action > Add Tag to Policy > New.
The New Policy Tag dialog box appears.
3. In the Name text box, type a descriptive name for the tag.
4. To specify a color for this policy tag, select a color from the palette.
5. Click OK.
The tag is applied to the policies you selected and appears in the Tags column for those policies.
The tag also appears in the Manage Policy Tags Tag List.
Add a Policy Tag to the Tag List
To create policy tags that you can apply to policies at a later time, you can add new tags to the Tag
List in the Manage Policy Tags dialog box.
To add a tag to the Tag List:
1. Select Action > Manage Tags.
The Manage Policy Tags page appears.
2. Click Add.
The New Policy Tag dialog box appears.
3. In the Name text box, type a descriptive name for the policy tag.
4. To specify a color for the policy tag, click the color palette and select a color.
5. Click OK.
The policy tag appears in the Tags list.
You can now apply the new tag to any policy.
To apply a policy tag that you have already created to one or more policies:
1. In the policy list, select one or more policies.
2. Select Action > Add Tag to Policy and select a tag.
The tag is applied to the policies you selected and appears in the Tags column for those policies.
Apply a Policy Tag in the Policy
1. Add a new policy or edit a policy in the policy list.
2. Select the Settings tab.
3. In the Tags section, click Edit.
The Select Policy Tags dialog box appears.
4. To apply a tag to the policy, from the Available list, select a policy tag and click <<.
The tag is moved from the Available list to the Tagged list.
Remove Policy Tags From Policies
There are two methods you can use to remove a policy tag from a policy: you can remove one or more
policy tags from a single policy, or you can delete a policy tag to remove it from all the policies to which
it is applied. When you remove a policy tag from a single policy, the tag remains in the Tag List so you
can use the tag again later. When you delete a policy tag, it is deleted both from the Tag List and from
any policies to which it was applied. You cannot use a template to delete a policy tag from a policy in a
device configuration file.
To remove a single policy tag from a policy:
1. In the policy list, select the check box for a policy.
2. Select Action > Remove Tags from Policy and select the policy tag to remove.
The selected policy tag is removed from the policy and the Tags column.
To remove all policy tags from a policy:
1. In the policy list, select one or more policies.
2. Select Action > Remove Tag from Policy > All.
All policy tags are removed from the selected policies and the Tags column.
To permanently remove a policy tag from the Tag List and all policies:
1. Select Action > Manage Tags.
The Manage Policy Tags dialog box appears.
2. From the Tags list, select a policy tag and click Remove.
3. Click Save.
The selected policy tag is removed from the Tags list and from each policy to which the tag was
applied. The policy tag name is also removed from the Tags column in the policies list.
To remove a policy tag from a policy:
1. Add a new policy or edit a policy in the policy list.
2. Select the Settings tab.
3. Below the Tags list, click Edit.
The Select Policy Tags dialog box appears.
4. To remove a policy tag from the policy, from the Tagged list, select a policy tag and click >>.
The tag is moved from the Tagged list to the Available list.
Modify Policy Tags
After you have created a policy tag, you can change the name or the color of the tag. When you modify
a policy tag, the changes that you make automatically appear in all the policies to which the policy tag
is applied.
To change a policy tag:
1. Select Action > Manage Tags.
The Manage Policy Tags dialog box appears.
2. From the Tags list, select a policy tag.
3. Click Edit.
The Policy Tag dialog box appears.
4. In the Name text box, type a new descriptive name for the policy tag.
5. From the color palette, select a new color for the policy tag.
6. Click OK.
The changes you made to the policy tag appear in the Tags list.
7. Click Save.
Create and Apply a Filter
After you have created and applied policy tags to your policies, you can use the tags to filter the policy
list and select which policies appear in it. A filter combines the policy tags you specify with either an
AND operator or an OR operator.
After you apply a filter, you can sort the policy list by column to further refine your view of the policies
that appear in the policy list. You can also name and save the filters you create so you can apply the
filter again at any time. Because saved filters are stored in your XTM device configuration file, all saved
filters are available whether you manage the XTM device with Policy Manager or Fireware XTM Web UI.
When you apply a filter to the policy list, the filter remains applied to the list until you manually clear it.
If you do not remove a filter before you exit the policy list, that filter is still applied when you next
connect to the XTM device and view the policy list. To make sure that all of your policies appear in the
policy list when you next open the configuration file, we recommend that you always clear all filters
from the policy list before you exit the policy list.
To create and apply a filter:
1. From the Filter drop-down list, select Create New Filter.
The Policy Filter dialog box appears.
2. In the Name text box, type a descriptive name for this filter.
3. Select a filter option:
• Match All — Only policies that include all the specified policy tags appear in the filtered policy list. This is the default option.
• Match Any — Any policy that includes any of the specified policy tags appears in the filtered policy list.
4. Select the policy tags to include in the filter.
5. Click OK.
The selected filter is applied to the list.
6. To clear all filters from the policy list, from the Filter drop-down list, select None.
All filters are removed from the policy list.
Modify a Filter
You can change the policy tags and filter options that are included in a filter. You can also change the
name of a filter. When you change the name of the filter, the name is automatically updated in the
Filters list and in all policies to which the filter is applied.
To change the name, the filter option, and the tags in a filter:
1. From the Filter drop-down list, select Manage Filter.
The Manage Filters page appears.
2. From the Filters list, select the filter to modify.
3. Click Edit.
The Policy Filter dialog box appears.
4. Change the filter parameters.
5. Click OK.
The modified filter appears in the Filters list.
6. Click Save.
About Aliases
An alias is a shortcut that identifies a group of hosts, networks, or interfaces. Because the XTM device
lets you use an alias in place of its individual members when you create a policy, aliases make it easier
to create a security policy.
Default aliases in Fireware XTM Web UI include:
• Any — Any source or destination aliases that correspond to XTM device interfaces, such as Trusted or External.
• Firebox — An alias for all XTM device interfaces.
• Any-Trusted — An alias for all XTM device interfaces configured as Trusted interfaces, and any network you can get access to through these interfaces.
• Any-External — An alias for all XTM device interfaces configured as External, and any network you can get access to through these interfaces.
• Any-Optional — An alias for all XTM device interfaces configured as Optional, and any network you can get access to through these interfaces.
• Any-BOVPN — An alias for any BOVPN (IPSec) tunnel.
When you use the BOVPN Policy wizard to create a policy to allow traffic through a BOVPN tunnel, the wizard automatically creates .in and .out aliases for the incoming and outgoing tunnels.
Alias names are different from the user or group names used in user authentication. With user
authentication, you can monitor a connection by a user name rather than by an IP address. The person
authenticates with a user name and a password to get access to Internet protocols.
For more information about user authentication, see About User Authentication on page 379.
You can also create and apply aliases when you use Centralized Management for your XTM device
and apply a Device Configuration Template to a device. Duplicate alias names are not allowed in a
configuration file. If you apply a template to an XTM device that runs Fireware XTM OS v11.7 or later,
and the template includes an alias name that is already used by an interface on the device, the alias
name does not appear correctly in the Aliases list after the template is applied.
Alias Members
You can add these objects to an alias:
• Host IP address
• Network IP address
• A range of host IP addresses
• DNS name for a host
• Tunnel address — Defined by a user or group, address, and name of the tunnel
• Custom address — Defined by a user or group, address, and XTM device interface
• Another alias
• An authorized user or group
Create an Alias
You can create an alias to use with your security policies to help you more easily identify a group of
hosts, users, or networks.
To create an alias:
1. Select Firewall > Aliases.
The Aliases page appears.
2. Click Add.
The Aliases / Add page appears.
3. In the Name text box, type a unique name to identify the alias.
This name appears in lists when you configure a security policy.
4. In the Description text box, type a description of the alias.
5. Add alias members to the alias, as described in the subsequent sections.
6. Click Save.
Add an Address, Address Range, DNS Name, User, Group, or Another
Alias to the Alias
1. On the Aliases / Add page, click Add.
The Add Member dialog box appears.
2. From the Member type drop-down list, select the type of member you want to add.
3. Type the address or name in the Member Type text box, or select the user or group.
4. Click OK.
The new member appears in the Alias Members list.
5. To add more members, repeat Steps 1–4.
Edit an Alias
You can edit user-defined aliases from the Aliases page.
To edit an alias from the Aliases page:
1. Select Firewall > Aliases.
The Aliases page appears.
2. From the Aliases list, select the user-defined alias to change.
3. Click Edit.
The Edit Alias page appears.
4. To add a member to the Alias Members list, click Add.
For more information, see the previous sections.
To remove a member from the Alias Members list, select the entry and click Remove.
5. Click Save.
About Policy Precedence
Precedence is the sequence in which the XTM device examines network traffic and applies a policy
rule. The XTM device automatically sorts policies from the most detailed to the most general. It
compares the information in the packet to the list of rules in the first policy. The first rule in the list to
match the conditions of the packet is applied to the packet. If the detail level in two policies is equal, a
proxy policy always takes precedence over a packet filter policy.
Automatic Policy Order
The XTM device automatically gives the highest precedence to the most specific policies and the
lowest to the least specific. It evaluates the specificity of two policies by these criteria, in this order.
If it cannot determine the precedence from the first criterion, it moves to the second, and so on.
1. Policy specificity
2. Protocols set for the policy type
3. Traffic rules of the To list
4. Traffic rules of the From list
5. Firewall action (Allowed, Denied, or Denied (send reset)) applied to the policies
6. Schedules applied to the policies
7. Alphanumeric sequence based on policy type
8. Alphanumeric sequence based on policy name
The subsequent sections include more details about what the XTM device does within these eight
steps.
Policy Specificity and Protocols
The XTM device uses these criteria in sequence to compare two policies until it finds that the policies
are equal, or that one is more detailed than the other.
1. An Any policy always has the lowest precedence.
2. Check for the number of TCP 0 (any) or UDP 0 (any) protocols. The policy with the smaller
number has higher precedence.
3. Check for the number of unique ports for TCP and UDP protocols. The policy with the smaller
number has higher precedence.
4. Add up the number of unique TCP and UDP ports. The policy with the smaller number has
higher precedence.
5. Score the protocols based on their IP protocol value. The policy with the smaller score has
higher precedence.
If the XTM device cannot set the precedence when it compares the policy specificity and protocols, it
examines traffic rules.
Traffic Rules
The XTM device uses these criteria in sequence to compare the most general traffic rule of one policy
with the most general traffic rule of a second policy. It assigns higher precedence to the policy with the
most detailed traffic rule.
1. Host address
2. IP address range (smaller than the subnet being compared to)
3. Subnet
4. IP address range (larger than the subnet being compared to)
5. Authentication user name
6. Authentication group
7. Interface, XTM device
8. Any-External, Any-Trusted, Any-Optional
9. Any
For example, compare these two policies:
(HTTP-1) From: Trusted, user1
(HTTP-2) From: 10.0.0.1, Any-Trusted
Trusted is the most general entry for HTTP-1. Any-Trusted is the most general entry for HTTP-2.
Because Trusted is included in the Any-Trusted alias, HTTP-1 is the more detailed traffic rule. This is
correct despite the fact that HTTP-2 includes an IP address, because the XTM device compares the
most general traffic rule of one policy to the most general traffic rule of the second policy to set
precedence.
If the XTM device cannot set the precedence when it compares the traffic rules, it examines the
firewall actions.
Firewall Actions
The XTM device compares the firewall actions of two policies to set precedence. Precedence of
firewall actions from highest to lowest is:
1. Denied or Denied (send reset)
2. Allowed proxy policy
3. Allowed packet-filter policy
If the XTM device cannot set the precedence when it compares the firewall actions, it examines the
schedules.
Schedules
The XTM device compares the schedules of two policies to set precedence. Precedence of schedules
from highest to lowest is:
1. Always off
2. Sometimes on
3. Always on
If the XTM device cannot set the precedence when it compares the schedules, it examines the policy
types and names.
Policy Types and Names
If the two policies do not match any other precedence criteria, the XTM device sorts the policies in
alphanumeric sequence. First, it uses the policy type. Then, it uses the policy name. Because no two
policies can be of the same type and have the same name, this is the last criterion for precedence.
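The ordering criteria above, worked through in code as an added example; this is not WatchGuard's own code. It runs the page's HTTP-1 and HTTP-2 policies from the Traffic Rules example together with constructed FTP, DNS and Any policies through each step in turn. The Member and Policy classes, the reading of steps 3 and 4 of Policy Specificity and Protocols as "distinct port numbers across TCP and UDP, then TCP ports plus UDP ports", the protocol score as the sum of IANA protocol numbers, and the ordering of host, range and subnet entries by the number of addresses they cover are all assumptions made for this model.

```python
"""Model of the automatic policy ordering described above (added example, not WatchGuard code)."""
from dataclasses import dataclass
from functools import cmp_to_key
import ipaddress

# IANA IP protocol numbers. Assumption: the step-5 protocol score is the sum of
# the protocol numbers used by the policy.
PROTO_NUMBER = {"tcp": 6, "udp": 17, "icmp": 1, "igmp": 2,
                "gre": 47, "esp": 50, "ah": 51, "ospf": 89}
SCHEDULE_RANK = {"always_off": 0, "sometimes_on": 1, "always_on": 2}
KIND_RANK = {"user": 1, "group": 2, "interface": 3, "any_iface": 4, "any": 5}


@dataclass(frozen=True)
class Member:
    """One entry of a From or To list (hypothetical representation)."""
    kind: str        # host | range | subnet | user | group | interface | any_iface | any
    value: str = ""

    def generality(self):
        """Sort key; a larger key is a more general entry. Address entries are ordered
        by the number of addresses they cover, which reproduces the page's
        host < smaller range < subnet < larger range ordering."""
        if self.kind == "host":
            return (0, 1)
        if self.kind == "subnet":
            return (0, ipaddress.ip_network(self.value, strict=False).num_addresses)
        if self.kind == "range":
            lo, hi = (ipaddress.ip_address(p.strip()) for p in self.value.split("-"))
            return (0, int(hi) - int(lo) + 1)
        return (KIND_RANK[self.kind], 0)


@dataclass(frozen=True)
class Policy:
    name: str
    ptype: str                  # policy type; "Any" is the catch-all type
    protocols: tuple            # ((proto, port), ...); port 0 = TCP/UDP any, None = no port
    from_list: tuple
    to_list: tuple
    action: str = "allowed"     # allowed | denied | denied_reset
    proxy: bool = False         # True for a proxy policy, False for a packet filter
    schedule: str = "always_on"


def _cmp(x, y):
    return (x > y) - (x < y)


def compare_specificity(a, b):
    """Steps 1-5 of Policy Specificity and Protocols; negative means a comes first."""
    if (a.ptype == "Any") != (b.ptype == "Any"):      # 1. an Any policy is always lowest
        return 1 if a.ptype == "Any" else -1

    def stats(p):
        any_port = sum(1 for proto, port in p.protocols
                       if proto in ("tcp", "udp") and port == 0)     # 2. TCP/UDP "any" entries
        tcp = {port for proto, port in p.protocols if proto == "tcp" and port}
        udp = {port for proto, port in p.protocols if proto == "udp" and port}
        score = sum(PROTO_NUMBER[proto] for proto, _ in p.protocols)  # 5. protocol score
        # Interpretation of steps 3 and 4: distinct port numbers across TCP and UDP,
        # then TCP ports plus UDP ports (TCP 53 + UDP 53 counts 1, then 2).
        return (any_port, len(tcp | udp), len(tcp) + len(udp), score)

    return _cmp(stats(a), stats(b))


def compare_traffic_rules(a, b):
    """Compare the most general To entry of each policy, then the most general From entry."""
    for attr in ("to_list", "from_list"):
        def most_general(p):
            return max(m.generality() for m in getattr(p, attr))
        c = _cmp(most_general(a), most_general(b))
        if c:
            return c
    return 0


def action_rank(p):
    """Denied or Denied (send reset) first, then allowed proxy, then allowed packet filter."""
    if p.action in ("denied", "denied_reset"):
        return 0
    return 1 if p.proxy else 2


def compare_policies(a, b):
    """Apply the eight ordering criteria in sequence."""
    steps = (
        compare_specificity,
        compare_traffic_rules,
        lambda x, y: _cmp(action_rank(x), action_rank(y)),
        lambda x, y: _cmp(SCHEDULE_RANK[x.schedule], SCHEDULE_RANK[y.schedule]),
        lambda x, y: _cmp((x.ptype, x.name), (y.ptype, y.name)),
    )
    for step in steps:
        c = step(a, b)
        if c:
            return c
    return 0


def auto_order(policies):
    """Return the policies in evaluation order (highest precedence first)."""
    return sorted(policies, key=cmp_to_key(compare_policies))


TRUSTED = Member("interface", "Trusted")
ANY_TRUSTED = Member("any_iface", "Any-Trusted")
ANY_EXTERNAL = Member("any_iface", "Any-External")
ANY = Member("any", "Any")

# Constructed sample configuration. HTTP-1 and HTTP-2 are the two policies from the
# Traffic Rules example; the others are made up to exercise the later steps.
SAMPLE_POLICIES = [
    Policy("Any", "Any", (), (ANY_TRUSTED,), (ANY,)),
    Policy("DNS", "DNS", (("tcp", 53), ("udp", 53)), (ANY_TRUSTED,), (ANY,)),
    Policy("HTTP-2", "HTTP", (("tcp", 80),), (Member("host", "10.0.0.1"), ANY_TRUSTED), (ANY_EXTERNAL,)),
    Policy("HTTP-1", "HTTP", (("tcp", 80),), (TRUSTED, Member("user", "user1")), (ANY_EXTERNAL,)),
    Policy("FTP-allow", "FTP", (("tcp", 21),), (ANY_TRUSTED,), (ANY,), proxy=True, schedule="sometimes_on"),
    Policy("FTP-deny", "FTP", (("tcp", 21),), (ANY_TRUSTED,), (ANY,), action="denied"),
]


def ordered_names(policies=SAMPLE_POLICIES):
    return [p.name for p in auto_order(policies)]


if __name__ == "__main__":
    for position, name in enumerate(ordered_names(), 1):
        print(position, name)
```

With the constructed sample, HTTP-1 sorts ahead of HTTP-2 because its most general From entry (the Trusted interface) ranks above Any-Trusted, exactly as the Traffic Rules example states; the two FTP policies tie on every specificity and traffic-rule check and are separated only by the firewall action, and the Any policy always lands last.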
Set Precedence Manually
You can disable auto-order mode to change to manual-order mode and set the policy precedence for
your XTM device. When you change to manual-order mode, you can also sort the policy list by column.
1. Select Firewall > Firewall Policies.
The Firewall Policies page appears.
2. Below the policy list, click Disable policy Auto-Order mode.
A confirmation message appears.
3. Click Yes.
4. To change the order of a policy, select the check box for a policy and click Move Up or Move
Down to move it higher or lower in the list.
5. To sort the policy list by a column, click the column header.
6. Click Save Policy Order.
Create Schedules for XTM Device Actions
A schedule is a set of times for which a feature is active or disabled. You must use a schedule if you
want a policy or WebBlocker action to automatically become active or inactive at the times you
specify. You can apply a schedule you create to more than one policy or WebBlocker action if you want
those policies or actions to be active at the same times.
For example, an organization wants to restrict certain types of network traffic during normal business
hours. The network administrator could create a schedule that is active on weekdays, and set each
policy in the configuration to use the same schedule.
To create a schedule:
1. Select Firewall > Scheduling.
The Scheduling page appears.
2. To modify an existing schedule, select the schedule and click Edit.
The Schedule Settings page appears.
3. To create a new schedule, click Add.
The Add Schedule page appears.
4. For a new schedule, in the Name text box, type a descriptive name for the schedule.
You cannot modify the name of a saved schedule.
5. From the drop-down list, select the time interval to see in the schedule: 15 minutes, 30
minutes, 1 hour.
6. Select the times for the schedule to operate for each day of the week.
7. To abandon your changes, reload the page, and return to the current settings in the configuration
file, click Restore.
8. Click Save.
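The weekday schedule from the example above, modelled as an added example; this is not WatchGuard code. The slot grid, the Schedule class, its method names and the Business-Hours schedule name are assumptions; the 15-minute granularity and the always off / sometimes on / always on classes used for precedence are from the page.

```python
"""Weekly schedule model (added example, not WatchGuard code)."""
from datetime import datetime

SLOT_MINUTES = 15                         # finest interval offered on the Schedule Settings page
SLOTS_PER_DAY = 24 * 60 // SLOT_MINUTES   # 96 slots per day


class Schedule:
    """A schedule is a grid of 15-minute slots for each day of the week (Monday = 0)."""

    def __init__(self, name):
        self.name = name
        self.slots = [[False] * SLOTS_PER_DAY for _ in range(7)]

    @staticmethod
    def _slot(hhmm):
        """Convert "HH:MM" to a slot index; "24:00" maps to the end of the day."""
        hours, minutes = (int(part) for part in hhmm.split(":"))
        total = hours * 60 + minutes
        if total % SLOT_MINUTES or not 0 <= total <= 24 * 60:
            raise ValueError(f"{hhmm} is not on a {SLOT_MINUTES}-minute boundary")
        return total // SLOT_MINUTES

    def set_active(self, weekdays, start, end, active=True):
        """Mark the slots from start (inclusive) to end (exclusive) on the given weekdays."""
        first, last = self._slot(start), self._slot(end)
        if first >= last:
            raise ValueError("end must be later than start")
        for day in weekdays:
            for slot in range(first, last):
                self.slots[day][slot] = active
        return self

    def is_active(self, when):
        """True if the schedule is active at the given datetime."""
        slot = (when.hour * 60 + when.minute) // SLOT_MINUTES
        return self.slots[when.weekday()][slot]

    def kind(self):
        """Classify the schedule the way the precedence rules do."""
        flat = [s for day in self.slots for s in day]
        if all(flat):
            return "always on"
        if not any(flat):
            return "always off"
        return "sometimes on"


# Constructed example: active on weekdays during business hours.
BUSINESS_HOURS = Schedule("Business-Hours").set_active(range(0, 5), "08:00", "18:00")


def check(schedule=BUSINESS_HOURS):
    """Evaluate a few constructed timestamps (2013-10-08 is a Tuesday)."""
    probes = {
        "tuesday 10:00": datetime(2013, 10, 8, 10, 0),
        "tuesday 17:59": datetime(2013, 10, 8, 17, 59),
        "tuesday 18:00": datetime(2013, 10, 8, 18, 0),
        "saturday 10:00": datetime(2013, 10, 12, 10, 0),
    }
    return {label: schedule.is_active(ts) for label, ts in probes.items()}


if __name__ == "__main__":
    print(BUSINESS_HOURS.kind(), check())
```

The end time of a range is exclusive, so a schedule that runs to 18:00 is still active at 17:59 and inactive at 18:00; the kind() method gives the class that the precedence comparison between schedules uses.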
Set an Operating Schedule
You can set an operating schedule for a policy so that the policy takes effect only at the times you
specify. Schedules can be shared by more than one policy.
To modify a policy schedule:
1. Select Firewall > Scheduling.
The Scheduling page appears.
2. In the Scheduling Policies list, select the check box for one or more policies.
3. From the Select Action drop-down list, select a schedule to apply to the policies you selected.
4. To abandon your changes, reload the page, and return to the current settings in the configuration file, click Restore.
5. Click Save.
About Custom Policies
To allow a protocol that is not included by default as an XTM device configuration option, you must
define a custom traffic policy. You can add a custom policy that uses:
• TCP ports
• UDP ports
• An IP protocol that is not TCP or UDP, such as GRE, AH, ESP, ICMP, IGMP, and OSPF. You identify an IP protocol that is not TCP or UDP by its IP protocol number.
To create a custom policy, you must first create or edit a custom policy template that specifies the
ports and protocols used by policies of that type. Then, you create one or more policies from that
template to set access rules, logging, QoS, and other settings.
Create or Edit a Custom Policy Template
To add specialized policies to your configuration files, you can create custom policy templates. These
templates can be packet filter or proxy policies and use any available protocol. When you add a custom
policy template to your configuration file, make sure to specify a unique name for the policy. A unique
name helps you to find the policy when you want to change or remove it. This name must not be the
same as any other policy name in the policies list for your device.
From Fireware XTM Web UI:
1. Select Firewall > Firewall Policies or Firewall > Mobile VPN Policies.
The Policies page you selected appears.
2. Click Add Policy.
The Add Firewall Policy page appears.
3. In the Policy Name text box, type a name for the policy.
4. For the policy type, select Custom.
5. From the Custom drop-down list, select a policy or click Add to create a new custom policy.
The Add Policy Template page appears.
6. In the Name text box, type a name for the custom policy.
7. (Optional) In the Description text box, type a description of the policy.
This appears in the Details section when you click the policy name in the list of User Filters.
8. Select a type: Packet Filter or Proxy.
9. For a proxy, from the Proxy drop-down list, select a proxy type.
10. To add a protocol, click Add.
The Add Protocol dialog box appears.
11. From the Type drop-down list, select an option: Single Port or Port Range.
12. From the Protocol drop-down list, select the protocol to use for this policy.
If you select Single Port, you can select TCP, UDP, GRE, AH, ESP, ICMP, IGMP, OSPF, IP,
or Any.
If you select Port Range, you can select TCP or UDP. The options below the drop-down list
change for each protocol.
Fireware XTM does not pass IGMP multicast traffic through the XTM device, or
between XTM device interfaces. It passes IGMP multicast traffic only between an
interface and the XTM device.
13. If you selected Single Port, in the Server Port text box, type the port number.
If you selected Port Range, in the Start Server Port and End Server Port text boxes, type the
server port range.
14. Click OK.
The protocol appears in the Protocols list.
15. To specify the idle timeout, select the Specify custom idle timeout check box and type the
timeout value in seconds.
16. Click Save.
The custom policy name appears in the Add Firewall Policy page in the Custom drop-down list.
17. Click Add Policy.
You can now use the policy template you created to add one or more custom policies to your
configuration. Use the same procedure as you would for a predefined policy.
About Policy Properties
Each policy type has a default definition, which consists of settings that are appropriate for most
organizations. However, you can modify policy settings for your particular business purposes, or add
other settings such as traffic management and operating schedules.
Mobile VPN policies are created and operate in the same way as firewall policies. You must, however,
specify a Mobile VPN group for the policy.
When you add a new policy to your configuration, the Firewall Policies / Add Firewall Policy page
automatically appears after you select the policy type and click Add Policy. To set properties for an
existing policy, on the Firewall Policies page, double-click the policy to open the Firewall Policies /
Edit page.
Settings Tab
On the Settings tab, you can set basic information about a policy, such as whether it allows or denies
traffic, create access rules for a policy, or configure policy-based routing, static NAT, or server load
balancing. The Settings tab also shows the port and protocol for the policy, as well as an optional
description of the policy. You can use the settings on this tab to set logging, notification, automatic
blocking, and timeout preferences.
• Set Access Rules for a Policy on page 529
• Configure Policy-Based Routing on page 531
• Configure Static NAT on page 233
• Configure Server Load Balancing on page 237
• Set Logging and Notification Preferences on page 748
• Block Sites Temporarily with Policy Settings on page 732
• Set a Custom Idle Timeout on page 535
• About Policy Tags and Filters
Application Control Tab
On the Application Control tab, you can select the Application Control action for the policy. You can
also create a new Application Control action. For more information about Application Control actions in
policies, see Enable Application Control in a Policy on page 1223.
Traffic Management Tab
On the Traffic Management tab, you can select the Traffic Management action for the policy. You can
also create a new Traffic Management action. For more information about Traffic Management actions,
see Define a Traffic Management Action and Add a Traffic Management Action to a Policy on page
710.
To apply a Traffic Management action in a policy:
1. Select the Traffic Management tab.
2. From the Traffic Management Action drop-down list, select a Traffic Management action.
Or, to create a new Traffic Management action, select Create new and configure the settings
as described in the topic Define a Traffic Management Action on page 709.
3. Click Save.
Scheduling Tab
On the Scheduling tab, you can specify an operating schedule for the policy. You can select an
existing schedule or create a new schedule.
1. Select the Scheduling tab.
2. From the Schedule Action drop-down list, select a schedule.
Or, to create a new schedule, select Create New and configure the settings as described in the
topics Create Schedules for XTM Device Actions and Set an Operating Schedule on page 523.
3. Click Save.
Advanced Tab
The Advanced tab includes settings for NAT, QoS, multi-WAN, and ICMP options.
For more information on the options for this tab, see:
• Apply NAT Rules on page 536
• Set the Sticky Connection Duration for a Policy on page 536
• Set ICMP Error Handling on page 536
• Enable QoS Marking or Prioritization Settings for a Policy on page 707
Proxy Settings
Proxy policies have predefined rulesets that provide a good balance of security and accessibility for
most installations. If a default ruleset does not meet all of your business needs, you can add, delete, or
modify rules.
Each proxy policy has connection-specific settings that you can customize. To modify the settings and
rulesets for a proxy action from the proxy configuration, select the Proxy Action tab, and configure the
settings for the proxy action.
For more information, see About Rules and Rulesets on page 550 and the About topic for the specific
proxy type.
About the DNS-Proxy on page 559
About the FTP-Proxy on page 576
About the H.323-ALG on page 586
About the HTTP-Proxy on page 598
About the HTTPS-Proxy on page 623
About the POP3-Proxy on page 634
About the SIP-ALG on page 648
About the SMTP-Proxy on page 661
About the TCP-UDP-Proxy on page 694
Set Access Rules for a Policy
To configure access rules for a policy, select the Settings tab.
The Connections are drop-down list specifies whether traffic that matches the rules in the policy is
allowed or denied. To configure how traffic is managed, select one of these settings:
Allowed
The XTM device allows traffic that uses this policy if it matches the rules you set in the policy.
You can configure the policy to create a log message when network traffic matches the policy.
Denied
The XTM device denies all traffic that matches the rules in this policy and does not send a
notification to the device that sent the traffic. You can configure the policy to create a log
message when a computer tries to use this policy. The policy can also automatically add a
computer or network to the Blocked Sites list if it tries to start a connection with this policy.
For more information, see Block Sites Temporarily with Policy Settings on page 732.
Denied (send reset)
The XTM device denies all traffic that matches the rules in this policy. You can configure it to
create a log message when a computer tries to use this policy. The policy can also
automatically add a computer or network to the Blocked Sites list if it tries to start a connection
with this policy.
For more information, see Block Sites Temporarily with Policy Settings on page 732.
With this option, the XTM device sends a packet to tell the device which sent the network traffic
that the session is refused and the connection is closed. You can set a policy to return other
errors instead, which tell the device that the port, protocol, network, or host is unreachable. We
recommend that you use these options with caution to ensure that your network operates
correctly with other networks.
The Settings tab also includes:
• A From list (or source) that specifies who can send (or cannot send) network traffic with this policy.
• A To list (or destination) that specifies who the XTM device can route traffic to if the traffic matches (or does not match) the policy specifications.
For example, you could configure a ping packet filter to allow ping traffic from all computers on the
external network to one web server on your optional network. However, when you open the destination
network to connections over the port or ports that the policy controls, you can make the network
vulnerable. Make sure you configure your policies carefully to avoid vulnerabilities.
To add members to your access specifications:
1. On the Settings tab, below the From or To list, click Add.
The Add Member dialog box appears.
The members list contains the members you can add to the From or To lists. A member can be
an alias, user, group, IP address, or range of IP addresses.
2. From the Member Type drop-down list, select the type of member you want to add.
The member list updates to show only members of the type you selected.
3. From the member list, select a member.
4. Click OK.
The member appears in the member list on the Settings tab.
5. To add other members to the From or To list, repeat the previous steps.
6. Click Save.
The source and destination can be a host IP address, host range, host name, network address, user
name, alias, VPN tunnel, or any combination of those objects.
For more information on the aliases that appear in the From and To list, see About Aliases on page
514.
For more information about how to create a new alias or edit a user-defined alias, see Create an Alias
on page 515.
Configure Policy-Based Routing
To send network traffic, a router usually examines the destination address in the packet and looks at
the routing table to find the next-hop destination. In some cases, you want to send traffic to a different
path than the default route specified in the routing table. You can configure a policy with a specific
external interface to use for all outbound traffic that matches that policy. This technique is known as
policy-based routing. Policy-based routing takes precedence over other multi-WAN settings.
Policy-based routing can be used when you have more than one external interface and have configured
your XTM device for multi-WAN. With policy-based routing, you can make sure that all traffic for a
policy always goes out through the same external interface, even if your multi-WAN configuration is
set to send traffic in a round-robin configuration. For example, if you want email to be routed through a
particular interface, you can use policy-based routing in the SMTP-proxy or POP3-proxy definition.
To use policy-based routing, you must have Fireware XTM with a Pro upgrade. You
must also configure at least two external interfaces.
Policy-Based Routing, Failover, and Failback
When you use policy-based routing with multi-WAN failover, you can specify whether traffic that
matches the policy uses another external interface when failover occurs. The default setting is to drop
traffic until the interface is available again.
Failback settings (defined on the Multi-WAN tab of the Network Configuration dialog box) also apply
to policy-based routing. If a failover event occurs, and the original interface later becomes available,
the XTM device can send active connections to the failover interface, or it can fail back to the original
interface. New connections are sent to the original interface.
Restrictions on Policy-Based Routing
• Policy-based routing is available only if multi-WAN is enabled. If you enable multi-WAN, the
policy configuration automatically includes fields to configure policy-based routing.
• By default, policy-based routing is not enabled.
• Policy-based routing does not apply to IPSec traffic, or to traffic destined for the trusted or
optional network (incoming traffic).
Add Policy-Based Routing to a Policy
1. Select Firewall > Firewall Policies.
2. Select the check box for a policy and select Action > Edit Policy.
Or, double-click a policy.
The Edit page appears.
3. Select the Use policy-based routing check box.
4. To specify the interface to use to send outbound traffic that matches the policy, from the
adjacent drop-down list, select the interface name.
Make sure that the interface you select is a member of the alias or network that you set in the
To list for your policy.
5. (Optional) Configure policy-based routing with multi-WAN failover as described below. If you do
not select Failover and the interface you set for this policy becomes inactive, traffic is
dropped until the interface becomes available again.
6. Click Save.
Configure Policy-Based Routing with Failover
You can set the interface you specified for this policy as the primary interface, and define other external
interfaces as backup interfaces for all non-IPSec traffic. If the primary interface you set for a policy is
not active, traffic is sent to the backup interface or interfaces you specify.
1. On the Edit page for the policy, below the Use policy-based routing check box, select the
Use Failover check box.
2. In the subsequent list, select the check box for each interface you want to use in the failover
configuration.
3. To set the order for failover, select an item in the list and click Move Up or Move Down.
The first interface in the list is the primary interface.
4. Click Save.
Set a Custom Idle Timeout
Idle timeout is the maximum length of time that a connection can stay active when no traffic is sent
through the connection. You can configure the global idle timeout setting that applies to all policies.
You can also configure a custom idle timeout setting for an individual policy.
For more information about how to configure the global idle timeout setting, see Define XTM Device
Global Settings on page 83.
For an individual policy, you can enable and configure a custom idle timeout that applies only to that
policy. You can then specify the length of time (in seconds) that can elapse before the XTM device
closes the connection. The default custom idle timeout setting is 180 seconds (3 minutes).
If you configure the global idle timeout setting and also enable a custom idle timeout for a policy, the
custom idle timeout setting takes precedence over the global idle timeout setting.
To specify the custom idle timeout value for a policy:
1. On the Firewall Policies / Edit page, select the Settings tab.
2. Select the Specify Custom Idle Timeout check box.
The idle timeout setting is enabled and the default value of 180 seconds appears in the adjacent text
box.
3. In the adjacent text box, type the number of seconds before a timeout occurs.
Set ICMP Error Handling
You can set the ICMP error handling settings associated with a policy. These settings override the
global ICMP error handling settings.
To change the ICMP error handling settings for the current policy:
1. Select the Advanced tab.
2. Select the Use policy based ICMP error handling check box.
3. Select one or more check boxes to override the global ICMP settings for that parameter.
For more information on global ICMP settings, see Define XTM Device Global Settings on page 83.
Apply NAT Rules
You can apply Network Address Translation (NAT) rules to a policy. You can select 1-to-1 NAT or
Dynamic NAT.
1. Add or edit a policy.
2. Select the Advanced tab.
3. Select one of the options described in the subsequent sections.
1-to-1 NAT
With this type of NAT, the XTM device uses private and public IP ranges that you set, as described in
About 1-to-1 NAT on page 222.
Dynamic NAT
With this type of NAT, the XTM device maps private IP addresses to public IP addresses. All policies
have dynamic NAT enabled by default.
Select Use Network NAT Settings if you want to use the dynamic NAT rules set for the XTM device.
Select All traffic in this policy if you want to apply NAT to all traffic in this policy.
In the Set Source IP field, you can select a dynamic NAT source IP address for any policy that uses
dynamic NAT. This makes sure that any traffic that uses this policy shows a specified address from
your public or external IP address range as the source. This is helpful if you want to force outgoing
SMTP traffic to show your domain’s MX record address when the IP address on the XTM device
external interface is not the same as your MX record IP address.
1-to-1 NAT rules have higher precedence than dynamic NAT rules.
Set the Sticky Connection Duration for a Policy
The sticky connection setting for a policy overrides the global sticky connection setting. You must
enable multi-WAN to use this feature.
1. Add or edit a policy.
2. Select the Advanced tab.
3. To use the global multi-WAN sticky connection setting, clear the Override Multi-WAN sticky
connection setting check box.
4. To set a custom sticky connection value for this policy, select the Enable sticky connection
check box.
5. In the Enable sticky connection text box, type the amount of time in minutes to maintain the
connection.
13
Proxy Settings
About Proxy Policies and ALGs
All WatchGuard policies are important tools for network security, whether they are packet filter
policies, proxy policies, or application layer gateways (ALGs). A packet filter examines each packet’s
IP and TCP/UDP header, a proxy monitors and scans whole connections, and an ALG provides
transparent connection management in addition to proxy functionality. Proxy policies and ALGs
examine the commands used in the connection to make sure they are in the correct syntax and order,
and use deep packet inspection to make sure that connections are secure.
A proxy policy or ALG opens each packet in sequence, removes the network layer header, and
examines the packet’s payload. A proxy then rewrites the network information and sends the packet to
its destination, while an ALG restores the original network information and forwards the packet. As a
result, a proxy or ALG can find forbidden or malicious content hidden or embedded in the data payload.
For example, an SMTP proxy examines all incoming SMTP packets (email) to find forbidden content,
such as executable programs or files written in scripting languages. Attackers frequently use these
methods to send computer viruses. A proxy or ALG can enforce a policy that forbids these content
types, while a packet filter cannot detect the unauthorized content in the packet’s data payload.
If you have purchased and enabled additional subscription services (Gateway AntiVirus, Intrusion
Prevention Service, spamBlocker, WebBlocker), WatchGuard proxies can apply these services to
network traffic.
Proxy Configuration
Like packet filters, proxy policies include common options to manage network traffic, including traffic
management and scheduling features. However, proxy policies also include settings that are related to
the specified network protocol. These settings are configured with rulesets, or groups of options that
match a specified action. For example, you can configure rulesets to deny traffic from individual users
or devices, or allow VoIP (Voice over IP) traffic that matches the codecs you want. When you have set
all of the configuration options in a proxy, you can save that set of options as a user-defined proxy
action and use it with other proxies.
Fireware XTM supports proxy policies for many common protocols, including DNS, FTP, H.323,
HTTP, HTTPS, POP3, SIP, SMTP, and TCP-UDP. For more information on a proxy policy, see the
section for that policy.
About the DNS-Proxy on page 559
About the FTP-Proxy on page 576
About the H.323-ALG on page 586
About the HTTP-Proxy on page 598
About the HTTPS-Proxy on page 623
About the POP3-Proxy on page 634
About the SIP-ALG on page 648
About the SMTP-Proxy on page 661
About the TCP-UDP-Proxy on page 694
Add a Proxy Policy to Your Configuration
When you add a proxy policy or ALG (application layer gateway) to your Fireware XTM configuration
file, you specify types of content that the XTM device must find as it examines network traffic. If the
content matches (or does not match) the criteria you set in the proxy or ALG definition, the traffic is
either allowed or denied, based on the criteria and settings you specify.
You can use the default settings of the proxy policy or ALG, or you can change these settings to match
network traffic in your organization. You can also create additional proxy policies or ALGs to manage
different parts of your network.
It is important to remember that a proxy policy or ALG requires more processor power than a packet
filter. If you add a large number of proxy policies or ALGs to your configuration, network traffic speeds
might decrease. However, a proxy or ALG uses methods that packet filters cannot use to catch
dangerous packets. Each proxy policy includes several settings that you can adjust to create a
balance between your security and performance requirements.
You can use Fireware XTM Web UI to add a proxy policy.
1. Select Firewall > Firewall Policies.
2. Click Add Policy.
3. In the Policy Name text box, type a name for the policy.
4. For the Select a policy type option, select Proxies.
5. From the first drop-down list, select a proxy, and from the second drop-down list, select a proxy
action.
6. Click Add Policy.
The Firewall Policies / Add page appears.
For more information on the basic properties of all policies, see About Policy Properties on page 527.
Proxy policies and ALGs have default proxy action rulesets that provide a good balance of security and
accessibility for most installations. If a default proxy action ruleset does not match the network traffic
you want to examine, you can add a new proxy action, or clone an existing proxy action to modify the
rules. You cannot modify a default predefined proxy action. For more information, see About Rules and
Rulesets on page 550 and the About topic for the type of policy you added.
About the DNS-Proxy on page 559
About the FTP-Proxy on page 576
About the H.323-ALG on page 586
About the HTTP-Proxy on page 598
About the HTTPS-Proxy on page 623
About the POP3-Proxy on page 634
About the SIP-ALG on page 648
About the SMTP-Proxy on page 661
About the TCP-UDP-Proxy on page 694
About Proxy Actions
A proxy action is a specific group of settings, sources, or destinations for a type of proxy. Because
your configuration can include several proxy policies of the same type, each proxy policy uses a
different proxy action. Each proxy policy has predefined, or default, proxy actions for clients and
servers. For example, you can use one proxy action for packets sent to a POP3 server protected by
the XTM device, and a different proxy action to apply to email messages retrieved by POP3 clients.
You can clone, edit, and delete proxy actions in your XTM device configuration.
Fireware XTM proxy actions are divided into two categories: predefined proxy actions and user-defined proxy actions. The predefined proxy actions are configured to balance the accessibility
requirements of a typical company, with the need to protect your computer assets from attacks. You
cannot change the settings of predefined proxy actions. Instead, you must clone (copy) the existing
predefined proxy action definition and save it as a new, user-defined proxy action. You cannot
configure subscription services, such as Gateway AntiVirus, for predefined proxy actions. For
example, if you want to change a setting in the POP3-Client proxy action, you must save it with a
different name, such as POP3-Client.1.
You can create many different proxy actions for either clients or servers, or for a specified type of proxy
policy. However, you can assign only one proxy action to each proxy policy. For example, a POP3
policy is linked to a POP3-Client proxy action. If you want to create a POP3 proxy action for a POP3
server, or an additional proxy action for POP3 clients, you must add new POP3 proxy policies to Policy
Manager that use those new proxy actions.
Set the Proxy Action in a Proxy Policy
To set the proxy action for a proxy policy when you add a new policy:
1. Select Firewall > Firewall Policies.
The Firewall Policies page appears.
2. Click Add Policy.
The Select a policy type page appears.
3. Select Proxies.
4. From the Proxies drop-down lists, select the proxy policy and proxy action for this policy.
5. Click Add Policy.
To change a proxy action for an existing proxy policy:
1. Select Firewall > Firewall Policies.
The Firewall Policies page appears.
2. Select the proxy policy you want to change.
The Edit page appears.
3. Select the Proxy Action tab.
4. From the Proxy Action drop-down list, select the proxy action to use with this policy.
5. Click Save.
Clone, Edit, or Delete Proxy Actions
To manage the proxy actions for your XTM device, you can clone, edit, and delete proxy actions. You
can clone, edit, or delete any user-defined proxy action. You cannot make changes to predefined proxy
actions, or delete them. You also cannot delete user-defined proxy actions that are used by a policy.
If you want to change the settings in a predefined proxy action, you can clone it and create a new, user-defined proxy action with the same settings. You can then edit the proxy action to modify the settings
as necessary. If you choose to edit a predefined proxy action, you cannot save your changes. Instead,
you are prompted to clone the changes you have made to a new, user-defined proxy action.
When you edit a proxy action, you can change the rules and rulesets, and the associated actions. Each
proxy action includes proxy action rules, which are organized into categories. Some categories are
further subdivided into subcategories of rules.
The available categories of settings for each proxy action appear in an accordion list, with section
headers that are always visible. When you select the section header for a category, the category
section expands and the settings and rules for each category appear on the category panel. If the
category includes more than one subcategory of settings, a link bar navigation menu appears at the top
of the category panel.
For more information on the available proxy action settings for each proxy, see the About topic for that
proxy.
About the DNS-Proxy on page 559
About the FTP-Proxy on page 576
About the H.323-ALG on page 586
About the HTTP-Proxy on page 598
About the HTTPS-Proxy on page 623
About the POP3-Proxy on page 634
About the SIP-ALG on page 648
About the SMTP-Proxy on page 661
About the TCP-UDP-Proxy on page 694
Clone or Edit a Proxy Action
You can clone both predefined and user-defined proxy actions. But, you can only edit a user-defined
proxy action.
1. Select Firewall > Proxy Actions.
The Proxy Actions page appears.
2. Select the proxy action to clone or edit.
3. Click Clone or Edit.
If you selected to clone a proxy action, the Clone Proxy Action page appears.
If you selected to edit a proxy action, the Edit Proxy Action page appears.
4. Select a category tab to see the options for that category.
If the category you selected includes subcategories, a drop-down list expands to show the
available subcategories. Select a subcategory.
The content for the selected category appears.
5. Edit the rules and settings for the proxy action for all the necessary categories.
6. Click Save.
You can also clone a proxy action when you edit the configuration of a proxy policy that uses a
predefined proxy action.
1. From the Edit page for a proxy, select the Proxy Action tab.
2. From the Proxy Action drop-down list, select Clone the current proxy action.
The proxy action settings appear.
3. In the Name text box, type a new name for the proxy action.
4. Configure the settings for the proxy action.
5. Click Save.
Delete a Proxy Action
You cannot delete predefined proxy actions. You can only delete user-defined proxy actions that are
not used by a policy.
1. Select Firewall > Proxy Actions.
The Proxy Actions page appears.
2. Select the proxy action to delete.
3. Click Remove.
A confirmation dialog box appears.
4. To delete the proxy action, click Yes.
The proxy action is removed from your device configuration.
Proxy and AV Alarms
An alarm is an event that triggers a notification, which is a mechanism to tell a network administrator
about a condition in the network. In a proxy definition, an alarm might occur when traffic matches, or
does not match, a rule in the proxy. An alarm might also occur when the Actions to take selections are
set to an action other than Allow.
For example, the default definition of the FTP-proxy has a rule that denies the download of files whose
file types match any of these patterns: .cab, .com, .dll, .exe, and .zip. You can specify that an alarm is
generated whenever the XTM device takes the Deny action because of this rule.
For each proxy action, you can define what the XTM device does when an alarm occurs.
AV alarm settings are only available if Gateway AntiVirus applies to the proxy. Gateway AntiVirus is
available for the SMTP, POP3, HTTP, FTP, or TCP-UDP proxies. For all other proxies, you can only
configure the proxy alarm settings.
From the Proxy Actions > Edit page:
1. Select the Proxy and AV Alarms tab.
2. Configure the XTM device to send an SNMP trap, a notification to a network administrator, or
both. The notification can either be an email message to a network administrator or a pop-up
window on the administrator's management computer.
For more information on the Proxy and AV alarms settings, see Set Logging and Notification
Preferences on page 748.
3. To change settings for one or more other categories in this proxy, go to the topic on the next
category you want to modify.
4. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
About Rules and Rulesets
When you configure a proxy policy or ALG (application layer gateway), you must select a proxy action
to use. You can use either a predefined proxy action or create a new proxy action. Each proxy action
contains rules. Rules are sets of criteria to which a proxy compares traffic.
A rule consists of a type of content, pattern, or expression, and the action of the XTM device when a
component of the packet’s content matches that content, pattern, or expression. Rules also include
settings for when the XTM device sends alarms or creates a log entry. A ruleset is a group of rules
based on one feature of a proxy such as the content types or filenames of email attachments. The
process to create and modify rules is consistent for each type of proxy action.
Your XTM device configuration includes default sets of rules in each proxy action used by each proxy
policy. Separate sets of rules are provided for clients and servers, to protect both your trusted users
and your public servers. You can use the default configuration for these rules, or you can customize
them for your particular business purposes. You cannot modify or delete predefined proxy actions. If
you want to make changes to a predefined proxy action, you can clone it to a new proxy action and then
make the necessary changes in the new proxy action.
About Working with Rules and Rulesets
When you edit a proxy action, you can see the list of rulesets that apply to that proxy action. You can
expand each ruleset to see and edit the rules for that proxy action.
WatchGuard provides a set of predefined rulesets that provide a good balance of security and
accessibility for most installations. If a default ruleset does not meet all of your business needs, you
can Add, Change, or Delete Rules.
Configure Rulesets
To configure rulesets for a proxy action:
1. Select Firewall > Proxy Actions.
The Proxy Actions page appears.
2. Double-click a proxy action to edit it.
The Proxy Actions / Edit page appears.
3. Add, Change, or Delete Rules.
Add, Change, or Delete Rules
When you configure rules, you can use wildcard pattern matches, exact matches, and Perl-compatible
regular expressions to identify content. When you add rules, you select the action for each rule, and
you can edit, clone (use an existing rule definition to create a new rule), delete, or reset rules.
For more information, see About Rules and Rulesets on page 550 and About Regular Expressions on
page 555.
When you configure a rule, you select the actions the proxy takes for each packet. Different actions
appear for different proxies or for different features of a particular proxy. This list includes all possible
actions:
Allow
Allows the connection.
Deny
Denies a specific request but keeps the connection if possible. Sends a response to the client.
Drop
Denies the specific request and drops the connection. Does not send a response to the sender.
The XTM device sends only a TCP reset packet to the client. The client’s browser might display
“The connection was reset” or “The page cannot be displayed” but the browser does not tell the
user why.
Block
Denies the request, drops the connection, and blocks the site. For more information on blocked
sites, see About Blocked Sites on page 729.
All traffic from this site's IP address is denied for the amount of time specified in the Firewall >
Blocked Sites page on the Auto-Blocked tab. Use this action only if you want to stop all
traffic from the offender for this time.
Replace
Replaces the address in the To field with an address you specify.
For example, you can send all email that is addressed to [email protected] to
[email protected]
For an outbound proxy action, you can also use this rule to standardize a domain name.
For example, you can send all email addressed to the success-co.net domain to the
successfulcompany.com domain. So, email sent to [email protected] is instead sent to
[email protected]
Strip
Removes an attachment from a packet and discards it. The other parts of the packet are sent
through the XTM device to the intended destination.
Lock
Locks an attachment, and wraps it so that it cannot be opened by the user. Only the
administrator can unlock the file.
AV Scan
Scans the attachment for viruses. If you select this option, Gateway AntiVirus is enabled for the
policy.
Add Rules
For information on how to work with regular expressions, see About Regular Expressions on page 555.
1. On a Proxy Actions / Edit subcategory page, in the list of rules for a ruleset, click Add.
The Add Rule dialog box appears.
2. In the Rule Name text box, type the name of the rule.
This text box is blank when you add a rule, and cannot be changed when you edit a rule.
3. In the Match Type drop-down list, select an option:
• Exact Match — Select when the contents of the packet must match the rule text exactly.
• Pattern Match — Select when the contents of the packet must match a pattern of text that
can include wildcard characters.
• Regular Expression — Select when the contents of the packet must match a pattern of
text with a regular expression.
4. In the Value text box, type the text of the rule.
If you selected Pattern Match as the rule setting, use an asterisk (*), a period (.), or a question
mark (?) as wildcard characters.
5. In the Rule Actions section, in the Action drop-down list, select the action the proxy takes for
this rule.
6. To create an alarm for this event, select the Alarm check box. An alarm tells users when a
proxy rule applies to network traffic.
7. To create a message for this event in the traffic log, select the Log check box.
Cut and Paste Rule Definitions
You can copy and paste content in text boxes from one proxy definition to another. For example,
suppose you write a custom deny message for the POP3 proxy. You can select the deny message,
copy it, and paste it into the Deny Message text box for the SMTP proxy.
When you copy between proxy definitions, you must make sure the text box you copy from is
compatible with the proxy you paste it into. You can copy rulesets only between proxies or categories
within these four groups. Other combinations are not compatible.
Content Types        Filenames         Addresses         Authentication
HTTP Content Types   FTP Download      SMTP Mail From    SMTP Authentication
SMTP Content Types   FTP Upload        SMTP Mail To      POP3 Authentication
POP3 Content Types   HTTP URL Paths
                     SMTP Filename
                     POP3 Filenames
Change the Order of Rules
The order that rules are listed in a proxy action category is the same as the order in which traffic is
compared to the rules. The proxy compares traffic to the first rule in the list and continues in sequence
from top to bottom. When traffic matches a rule, the XTM device performs the related action. It
performs no other actions, even if the traffic matches a rule later in the list.
To change the sequence of rules in a proxy action:
1. Select the rule to change.
2. Click Up or Down to move the rule up or down in the list.
Change the Default Rule
If traffic does not match any of the rules you have defined for a proxy category, the XTM device uses
the default rule. The action for the default rule appears in a drop-down list below the rule list.
To modify the default rule:
1. On the HTTP Proxy Action Settings page, from the HTTP Request drop-down list, select
Request Methods.
The Request Methods settings appear.
2. From the Action to take if no rule above is matched drop-down list, select the default rule.
3. Select the adjacent Alarm check box to send an alarm for the default rule.
4. Select the Log check box to save a log message for the default rule.
5. Click Save.
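The top-to-bottom, first-match-wins evaluation and the default rule described above, modelled in Python as an added example. This is not WatchGuard code and does not reproduce Fireware internals: the rule names, the sample filenames and the ruleset are constructed for the example, and the shell-style meaning given to the Pattern Match wildcards (* matches any run of characters, ? matches one character) is an assumption, because this guide does not define them.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

# Added example for this guide, not WatchGuard code. A proxy-action ruleset is
# modelled as an ordered list of rules plus a default action; the first rule
# that matches decides the action, as the guide describes.


@dataclass
class Rule:
    name: str
    match_type: str   # "exact", "pattern" or "regex" (the guide's three Match Types)
    value: str
    action: str       # Allow, Deny, Drop, Block, Strip, Lock or AV Scan
    alarm: bool = False
    log: bool = False


@dataclass
class Ruleset:
    rules: List[Rule]
    default_action: str     # "Action to take if no rule above is matched"
    default_alarm: bool = False
    default_log: bool = False


def rule_matches(rule: Rule, content: str) -> bool:
    """Compare one piece of content (here, a filename) against a rule."""
    if rule.match_type == "exact":
        return content == rule.value
    if rule.match_type == "pattern":
        # Assumption: * matches any run of characters and ? one character,
        # as in shell wildcards; the guide does not spell out the semantics.
        return fnmatchcase(content, rule.value)
    if rule.match_type == "regex":
        # The guide states that Fireware accepts any sequence that includes
        # the expression, so a search is used rather than a full match.
        return re.search(rule.value, content) is not None
    raise ValueError(f"unknown match type: {rule.match_type!r}")


def evaluate(ruleset: Ruleset, content: str) -> Tuple[Optional[str], str, bool, bool]:
    """Return (matched rule name, or None for the default rule; action; alarm; log)."""
    for rule in ruleset.rules:
        if rule_matches(rule, content):
            return rule.name, rule.action, rule.alarm, rule.log
    return None, ruleset.default_action, ruleset.default_alarm, ruleset.default_log


# Constructed ruleset for an FTP download filename category, loosely following the
# guide's description of the default FTP-proxy deny list (.cab, .com, .dll, .exe, .zip).
FTP_DOWNLOAD = Ruleset(
    rules=[
        Rule("allow-signed-updater", "exact", "update-signed.exe", "Allow", log=True),
        Rule("deny-executables", "pattern", "*.exe", "Deny", alarm=True, log=True),
        Rule("deny-other-binaries", "regex", r"\.(cab|com|dll|zip)$", "Deny", alarm=True, log=True),
    ],
    default_action="Allow",
)


def order_matters() -> Tuple[str, str]:
    """Move the exact-match Allow rule below the *.exe Deny rule and the outcome flips."""
    moved_down = Ruleset(
        rules=[FTP_DOWNLOAD.rules[1], FTP_DOWNLOAD.rules[0], FTP_DOWNLOAD.rules[2]],
        default_action="Allow",
    )
    return evaluate(FTP_DOWNLOAD, "update-signed.exe")[1], evaluate(moved_down, "update-signed.exe")[1]


if __name__ == "__main__":
    for name in ["update-signed.exe", "tool.exe", "lib.dll", "readme.txt"]:
        print(name, "->", evaluate(FTP_DOWNLOAD, name))
    print("order matters:", order_matters())
```

The exact-match Allow rule only has an effect because it sits above the *.exe Deny rule; once it is moved down, the Deny rule claims the same filename first and the Allow is never reached. Note also that the pattern comparison in this model is case-sensitive, so TOOL.EXE does not match *.exe; check the behaviour of your own ruleset against mixed-case names before you rely on it.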
About Regular Expressions
A regular expression is a group of letters, numbers, and special characters used to match data. You
can use Perl-compatible regular expressions (PCRE) in your XTM device configuration to match
certain types of traffic in proxy actions. For example, you can use one regular expression to block
connections to some web sites and allow connections to other web sites. You can also deny SMTP
connections when the recipient is not a valid email address for your company. For example, if you want
to block parts of a web site that violate your company’s Internet use policy, you can use a regular
expression in the URL Paths category of the HTTP proxy configuration.
General Guidelines
• Regular expressions in Fireware are case-sensitive — When you create a regular expression,
you must be careful to match the case of the letters in your regular expression to the letters of
the text you want to match. You can change the regular expression to not be case-sensitive
when you put the (?i) modifier at the start of a group.
• Regular expressions in Fireware are different from MS-DOS and Unix wildcard characters —
When you change files using MS-DOS or the Windows Command Prompt, you can use ? or * to
match one or more characters in a file name. These simple wildcard characters do not operate
the same way in Fireware.
For more information on how wildcard characters operate in Fireware, see the subsequent
sections.
How to Build a Regular Expression
The most simple regular expression is made from the text you want to match. Letters, numbers, and
other printable characters all match the same letter, number, or character that you type. A regular
expression made from letters and numbers can match only a character sequence that includes all of
those letters and numbers in order.
Example: fat matches fat, fatuous, and infatuated, as well as many other sequences.
Fireware accepts any character sequence that includes the regular expression. A
regular expression frequently matches more than one sequence. If you use a regular
expression as the source for a Deny rule, you can block some network traffic by
accident. We recommend that you fully test your regular expressions before you
save the configuration to your XTM device.
To match different sequences of characters at the same time, you must use a special character. The
most common special character is the period (.), which is similar to a wildcard. When you put a period
in a regular expression, it matches any character, space, or tab. The period does not match line breaks
(\r\n or \n).
Example: f..t matches foot, feet, f&#t, f -t, and f\t3t.
To match a special character, such as the period, you must add a backslash (\) before the character. If
you do not add a backslash to the special character, the rule may not operate correctly. It is not
necessary to add a second backslash if the character usually has a backslash, such as \t (tab stop).
You must add a backslash to each of these special characters to match the real character:
? . * | + $ \ ^ ( ) [
Example: \$9\.99 matches $9.99
Hexadecimal Characters
To match hexadecimal characters, use \x or %0x%. Hexadecimal characters are not affected by the
case-insensitive modifier.
Example: \x66 or %0x66% matches f, but cannot match F.
Repetition
To match a variable amount of characters, you must use a repetition modifier. You can apply the
modifier to a single character, or a group of characters. There are four types of repetition modifiers:
• Numbers inside curly braces (such as {2,4}) match as few as the first number, or as many as
the second number.
Example: 3{2,4} matches 33, 333, or 3333. It does not match 3 or 33333.
• The question mark (?) matches zero or one occurrence of the preceding character, class, or
group.
Example: me?et matches met and meet.
• The plus sign (+) matches one or more occurrences of the preceding character, class, or group.
Example: me+t matches met, meet, and meeeeeeeeet.
• The asterisk (*) matches zero or more occurrences of the preceding character, class, or group.
Example: me*t matches mt, met, meet, and meeeeeeeeet.
To apply modifiers to many characters at once, you must make a group. To group a sequence of
characters, put parentheses around the sequence.
Example: ba(na)* matches ba, bana, banana, and banananananana.
Character Classes
To match one character from a group, use square brackets instead of parentheses to create a
character class. You can apply repetition modifiers to the character class. The order of the characters
inside the class does not matter.
The only special characters inside a character class are the closing bracket (]), the backslash (\), the
caret (^), and the hyphen (-).
Example: gr[ae]y matches gray and grey.
To use a caret in the character class, do not make it the first character.
To use a hyphen in the character class, make it the first character.
A negated character class matches everything but the specified characters. Type a caret (^) at the
beginning of any character class to make it a negated character class.
Example: [Qq][^u] matches Qatar, but not question or Iraq.
Ranges
Character classes are often used with character ranges to select any letter or number. A range is two
letters or numbers, separated by a hyphen (-), that mark the start and finish of a character group. Any
character in the range can match. If you add a repetition modifier to a character class, the preceding
class is repeated.
Example: [1-3][0-9]{2} matches 100 and 399, as well as any number in between.
Some ranges that are used frequently have a shorthand notation. You can use shorthand character
classes inside or outside other character classes. A negated shorthand character class matches the
opposite of what the shorthand character class matches. The table below includes several common
shorthand character classes and their negated values.
Class   Equivalent to                          Negated   Equivalent to
\w      Any letter or number [A-Za-z0-9]       \W        Not a letter or number
\s      Any whitespace character [ \t\r\n]     \S        Not whitespace
\d      Any number [0-9]                       \D        Not a number
Anchors
To match the beginning or end of a line, you must use an anchor. The caret (^) matches the beginning
of a line, and the dollar sign ($) matches the end of a line.
Example: ^am.*$ matches ampere if ampere is the only word on the line. It does not match
dame.
You can use \b to match a word boundary, or \B to match any position that is not a word boundary.
There are three kinds of word boundaries:
• Before the first character in the character sequence, if the first character is a word character (\w)
• After the last character in the character sequence, if the last character is a word character (\w)
• Between a word character (\w) and a non-word character (\W)
Alternation
You can use alternation to match a single regular expression out of several possible regular
expressions. The alternation operator in a regular expression is the pipe character (|). It is similar to the
boolean operator OR.
Example: m(oo|a|e)n matches the first occurrence of moon, man, or men.
Common Regular Expressions
Match the PDF content type (MIME type)
  ^%PDF
Match any valid IP address
  (25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)
Match most email addresses
  [A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}
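The following Python script is an added example, not part of the guide: it runs the guide's own worked examples and the three Common Regular Expressions above through the standard re module (assumed to give these constructs the same meaning the proxy does). It shows why a content rule pattern usually wants the ^ and $ anchors described earlier: left unanchored, the IP address pattern is found inside 256.1.1.1 and the email pattern inside user@example.email.

```python
"""Exercise the guide's Common Regular Expressions with Python's re module.

Added example, not part of the WatchGuard guide. The classes, repetition,
grouping, alternation and ^/$ anchors the guide describes mean the same in
Python's re, so what re.search finds is what an unanchored proxy content rule
with the same pattern would match (an assumption about the proxy's engine).
All sample strings are constructed for this example.
"""
import re
from typing import Optional

# Patterns as printed in the guide's table (unanchored, as given).
IPV4_UNANCHORED = (
    r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\."
    r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\."
    r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\."
    r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
)
EMAIL_UNANCHORED = r"[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}"
PDF_MAGIC = r"^%PDF"

# The same patterns with the guide's anchors added, so the whole inspected
# field must be one address rather than merely contain something address-like.
IPV4_ANCHORED = "^" + IPV4_UNANCHORED + "$"
EMAIL_ANCHORED = "^" + EMAIL_UNANCHORED + "$"


def found_in(pattern: str, text: str) -> Optional[str]:
    """Return the substring a rule pattern matches within text, or None.

    A content rule fires when its pattern occurs anywhere in the inspected
    field, which is what re.search does.
    """
    match = re.search(pattern, text)
    return match.group(0) if match else None


def is_valid_ipv4(text: str) -> bool:
    """Whole-string test with the anchored IPv4 pattern."""
    return re.search(IPV4_ANCHORED, text) is not None


def is_valid_email(text: str) -> bool:
    """Whole-string test with the anchored email pattern."""
    return re.search(EMAIL_ANCHORED, text) is not None


def guide_examples() -> dict:
    """Replay the guide's own worked examples; each value is what matched."""
    return {
        "gr[ae]y / grey": found_in(r"gr[ae]y", "grey"),
        "[Qq][^u] / Qatar": found_in(r"[Qq][^u]", "Qatar"),
        "[Qq][^u] / question": found_in(r"[Qq][^u]", "question"),
        "[Qq][^u] / Iraq": found_in(r"[Qq][^u]", "Iraq"),
        "^am.*$ / ampere": found_in(r"^am.*$", "ampere"),
        "^am.*$ / dame": found_in(r"^am.*$", "dame"),
        "m(oo|a|e)n / moon": found_in(r"m(oo|a|e)n", "moon"),
        r"\$9\.99 / $9.99": found_in(r"\$9\.99", "price $9.99 today"),
    }


if __name__ == "__main__":
    # Unanchored, the IP pattern is *found inside* strings that are not addresses.
    for s in ("192.168.1.10", "256.1.1.1", "1234.5.6.7"):
        print("%-14s found=%-11s valid=%s" % (s, found_in(IPV4_UNANCHORED, s), is_valid_ipv4(s)))
    for s in ("admin@example.com", "user@example.email"):
        print("%-20s found=%-20s valid=%s" % (s, found_in(EMAIL_UNANCHORED, s), is_valid_email(s)))
    print(found_in(PDF_MAGIC, "%PDF-1.7 ..."), found_in(PDF_MAGIC, "junk%PDF"))
    for label, hit in guide_examples().items():
        print("%-22s -> %r" % (label, hit))
```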
About the DNS-Proxy
The Domain Name System (DNS) is a network system of servers that translates numeric IP
addresses into readable, hierarchical Internet addresses, and vice versa. DNS enables your computer
network to understand, for example, that you want to reach the server at 200.253.208.100 when you
type a domain name into your browser, such as www.example.com. With Fireware XTM, you have two
methods to control DNS traffic: the DNS packet filter and the DNS-proxy policy. The DNS-proxy is
useful only if DNS requests are routed through your XTM device.
When you create a new configuration file, the file automatically includes an Outgoing packet filter
policy that allows all TCP and UDP connections from your trusted and optional networks to external.
This allows your users to connect to an external DNS server with the standard TCP 53 and UDP 53
ports. Because Outgoing is a packet filter, it is unable to protect against common UDP outgoing
trojans, DNS exploits, and other problems that occur when you open all outgoing UDP traffic from your
trusted networks. The DNS-proxy has features to protect your network from these threats. If you use
external DNS servers for your network, the DNS-Outgoing ruleset offers additional ways to control the
services available to your network community.
To add the DNS-proxy to your XTM device configuration, see Add a Proxy Policy to Your Configuration
on page 540.
If you must change the proxy definition, from the Firewall Policies / Edit page, you can modify the
definition. This page is separated into several tabs: Settings, Application Control, Traffic
Management, Proxy Action, Scheduling, and Advanced.
Settings Tab
On the Settings tab, you can set basic information about a proxy policy, such as whether it allows or
denies traffic, create access rules for a policy, or configure policy-based routing, static NAT, or server
load balancing. The Settings tab also shows the port and protocol for the policy, as well as an optional
description of the policy. You can use the settings on this tab to set logging, notification, automatic
blocking, and timeout preferences.
• Connections are — Specify whether connections are Allowed, Denied, or Denied (send
  reset) and define who appears in the From and To list (on the Policy tab of the proxy definition).
  See Set Access Rules for a Policy on page 529.
• Use policy-based routing — See Configure Policy-Based Routing on page 531.
• You can also configure static NAT or configure server load balancing. See Configure Static
  NAT on page 233 and Configure Server Load Balancing on page 237.
• To define the logging settings for the policy, configure the settings in the Logging section.
  For more information, see Set Logging and Notification Preferences on page 748.
• If you set the Connections are drop-down list to Denied or Denied (send reset), you can
  block sites that try to use DNS.
  For more information, see Block Sites Temporarily with Policy Settings on page 732.
• To change the idle timeout that is set by the XTM device or authentication server, see Set a
  Custom Idle Timeout.
Application Control Tab
If Application Control is enabled on your device, you can set the action this proxy uses for Application
Control.
1. Select the Application Control tab.
2. From the Application Control Action drop-down list, select an application control action to
use for this policy, or create a new action.
3. Click Save.
For more information, see Enable Application Control in a Policy.
Traffic Management Tab
On the Traffic Management tab, you can select the Traffic Management action for the policy. You can
also create a new Traffic Management action. For more information about Traffic Management actions,
see Define a Traffic Management Action and Add a Traffic Management Action to a Policy on page
710.
To apply a Traffic Management action in a policy:
1. Select the Traffic Management tab.
2. From the Traffic Management Action drop-down list, select a Traffic Management action.
Or, to create a new Traffic Management action, select Create new and configure the settings
as described in the topic Define a Traffic Management Action on page 709.
3. Click Save.
Proxy Action Tab
You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For
more information about how to configure proxy actions, see About Proxy Actions on page 543.
To configure the proxy action:
1. Select the Proxy Action tab.
2. From the Proxy Action drop-down list, select the proxy action to use for this policy.
For information about proxy actions, see About Proxy Actions on page 543.
3. Click Save.
For the DNS-proxy, you can configure these categories of settings for a proxy action:
• DNS-Proxy: General Settings
• DNS-Proxy: OPcodes
• DNS-Proxy: Query Types
• DNS-Proxy: Query Names
• DNS-Proxy: Proxy Alarm
Scheduling Tab
On the Scheduling tab, you can specify an operating schedule for the policy. You can select an
existing schedule or create a new schedule.
1. Select the Scheduling tab.
2. From the Schedule Action drop-down list, select a schedule.
Or, to create a new schedule, select Create New and configure the settings as described in the
topics Create Schedules for XTM Device Actions and Set an Operating Schedule on page 523.
3. Click Save.
Advanced Tab
The Advanced tab includes settings for NAT, QoS, multi-WAN, and ICMP options.
To edit or add a comment to this proxy policy configuration, type the comment in the Comment text
box.
For more information on the options for this tab, see:
• Apply NAT Rules on page 536
• Set the Sticky Connection Duration for a Policy on page 536
• Set ICMP Error Handling on page 536
• Enable QoS Marking or Prioritization Settings for a Policy on page 707
DNS-Proxy: General Settings
On the Proxy Action tab, General tab of the Edit page for a DNS-proxy action, you can change the
settings of the two protocol anomaly detection rules. We recommend that you do not change the
default rule settings. You can also select whether to create a traffic log message for each transaction.
Not of class Internet
Select the action when the proxy examines DNS traffic that is not of the Internet (IN) class. The
default action is to deny this traffic. We recommend that you do not change this default action.
Badly formatted query
Select the action when the proxy examines DNS traffic that does not use the correct format.
Alarm
An alarm is a mechanism to tell users when a proxy rule applies to network traffic.
To configure an alarm for this event, select the Alarm check box.
To set the options for the alarm, expand the Proxy Action accordion. Alarm notifications are
sent in an SNMP trap, email, or a pop-up window.
For more information about proxy alarms, see Proxy and AV Alarms.
For more information about notification messages, see Set Logging and Notification
Preferences.
Log
To send a log message to the traffic log for this event, select this check box.
Enable logging for reports
Select this check box to create a traffic log message for each transaction. This option creates a
large log file, but this information is very important if your firewall is attacked. If you do not
select this check box, detailed information about DNS-proxy connections does not appear in
your reports.
Override the diagnostic log level for proxy policies that use this proxy action
To specify the diagnostic log level for all proxy policies that use this proxy action, select this
check box. Then, from the Diagnostic log level for this proxy action drop-down list, select a
log level:
• Error
• Warning
• Information
• Debug
The log level you select overrides the diagnostic log level that is configured for all log messages
of this proxy policy type.
For more information about the diagnostic log level, see Set the Diagnostic Log Level on page
744.
DNS-Proxy: OPcodes
DNS OPcodes (operation codes) are commands given to the DNS server that tell it to do some action,
such as a query (Query), an inverse query (IQuery), or a server status request (STATUS). They
operate on items such as registers, values in memory, values stored on the stack, I/O ports, and the
bus. You can add, delete, or modify rules in the default ruleset. You can allow, deny, drop, or block
specified DNS OPcodes.
1. On the Proxy Action tab, select the OPCodes tab.
2. To enable a rule in the list, select the adjacent Enabled check box.
To disable a rule, clear the Enabled check box.
If you use Active Directory and your Active Directory configuration requires dynamic
updates, you must allow DNS OPcodes in your DNS-Incoming proxy action rules.
This is a security risk, but can be necessary for Active Directory to operate correctly.
Add a New OPcodes Rule
1. Click Add.
The New OPCodes Rule dialog box appears.
2. Type a name for the rule.
Rule names can have no more than 200 characters.
3. Click the arrows to set the OPCode value. DNS OPcodes have an integer value.
For more information on the integer values of DNS OPcodes, see RFC 1035.
Delete or Modify Rules
1. Add, delete, or modify rules, as described in Add, Change, or Delete Rules on page 551.
2. To change settings for one or more other categories in this proxy, go to the topic on the next
category you want to modify.
3. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
DNS-Proxy: Query Types
A DNS query type can configure a resource record by type (such as a CNAME or TXT record) or as a
custom type of query operation (such as an AXFR Full zone transfer). You can add, delete, or modify
rules. You can allow, deny, drop, or block specified DNS query types.
1. On the Proxy Action tab, select the Query Types tab.
2. To enable a rule, select the Enabled check box adjacent to the action and name of the rule.
Add a New Query Types Rule
1. To add a new query types rule, click Add.
The New Query Types Rule dialog box appears.
2. Type a name for the rule.
Rules can have no more than 200 characters.
3. In the Query Type Value text box, type or select the resource record (RR) value for this DNS
query type.
For more information on the values of DNS query types, see RFC 1035.
4. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
5. To change settings for other categories in this proxy, go to the topic for the next category you
want to modify and follow the instructions.
6. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
DNS-Proxy: Query Names
A DNS query name refers to a specified DNS domain name, shown as a fully qualified domain name
(FQDN). You can add, delete, or modify rules.
1. On the Proxy Action tab, select the Query Names tab.
2. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
3. To change settings for other categories in this proxy, go to the topic for the next category you
want to modify and follow the instructions.
4. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
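Added example (Python, not WatchGuard code) tying the General Settings, OPcodes, Query Types and Query Names categories above to the wire fields they act on: it parses a constructed RFC 1035 query and applies a toy rule set in that category order. The rule values (allow only OPcode QUERY, deny type AXFR, deny chosen name suffixes) are hypothetical choices for the example; only the deny of queries that are not of class Internet follows the guide's stated default.

```python
"""Extract the fields the DNS-proxy rule categories act on from a raw query.

Added example, not WatchGuard code: a minimal RFC 1035 header/question parser
plus a toy rule evaluation in the guide's category order (General: not of class
Internet, badly formatted query; OPcodes; Query Types; Query Names). Non-IN
queries are denied as in the guide's default; the other rule values are
hypothetical choices for this example. Messages below are constructed inline.
"""
import struct

CLASS_IN = 1                                   # RFC 1035 QCLASS "IN"
OPCODE_NAMES = {0: "QUERY", 1: "IQUERY", 2: "STATUS"}
QTYPE_NAMES = {1: "A", 5: "CNAME", 16: "TXT", 252: "AXFR"}

class BadlyFormattedQuery(ValueError):
    """Raised where the guide's 'Badly formatted query' rule would apply."""

def parse_name(data: bytes, offset: int):
    """Decode an uncompressed QNAME at offset; return (fqdn, next_offset)."""
    labels = []
    while True:
        if offset >= len(data):
            raise BadlyFormattedQuery("name runs past end of message")
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers are legal in DNS but not handled here.
            raise BadlyFormattedQuery("compression pointer in question name")
        if offset + length > len(data):
            raise BadlyFormattedQuery("label longer than remaining message")
        labels.append(data[offset:offset + length].decode("latin-1"))
        offset += length
    return ".".join(labels) + ".", offset

def parse_query(data: bytes) -> dict:
    """Return the header and question fields the proxy rules examine."""
    if len(data) < 12:
        raise BadlyFormattedQuery("header shorter than 12 bytes")
    ident, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", data[:12])
    if flags & 0x8000:
        raise BadlyFormattedQuery("QR bit set: a response, not a query")
    if qdcount != 1:
        raise BadlyFormattedQuery("expected one question, got %d" % qdcount)
    qname, offset = parse_name(data, 12)
    if offset + 4 > len(data):
        raise BadlyFormattedQuery("question truncated before QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
    opcode = (flags >> 11) & 0xF
    return {
        "id": ident, "opcode": opcode,
        "opcode_name": OPCODE_NAMES.get(opcode, "OPCODE%d" % opcode),
        "qname": qname, "qtype": qtype,
        "qtype_name": QTYPE_NAMES.get(qtype, "TYPE%d" % qtype),
        "qclass": qclass, "class_internet": qclass == CLASS_IN,
    }

def build_query(qname: str, qtype: int, qclass: int = CLASS_IN,
                opcode: int = 0, ident: int = 0x1234) -> bytes:
    """Construct a one-question query (the inverse of parse_query)."""
    flags = ((opcode & 0xF) << 11) | 0x0100        # RD set, QR clear
    header = struct.pack("!6H", ident, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, qclass)

def evaluate_rules(data: bytes, allowed_opcodes=(0,), denied_qtypes=(252,),
                   denied_qname_suffixes=()):
    """Apply the toy rule set in category order; return (action, reason)."""
    try:
        q = parse_query(data)
    except BadlyFormattedQuery as exc:
        return "deny", "badly formatted query: %s" % exc
    if not q["class_internet"]:
        return "deny", "not of class Internet (QCLASS=%d)" % q["qclass"]
    if q["opcode"] not in allowed_opcodes:
        return "deny", "OPcode %s not allowed" % q["opcode_name"]
    if q["qtype"] in denied_qtypes:
        return "deny", "query type %s denied" % q["qtype_name"]
    for suffix in denied_qname_suffixes:
        if q["qname"].lower().endswith(suffix.lower()):
            return "deny", "query name matches %s" % suffix
    return "allow", "%s %s %s" % (q["opcode_name"], q["qtype_name"], q["qname"])

if __name__ == "__main__":
    samples = {
        "ordinary A lookup": build_query("www.example.com", 1),
        "zone transfer": build_query("example.com", 252),
        "CHAOS class TXT": build_query("version.bind", 16, qclass=3),
        "STATUS opcode": build_query("example.com", 1, opcode=2),
        "truncated header": b"\x12\x34\x01\x00",
    }
    for label, msg in samples.items():
        print("%-18s -> %s: %s" % ((label,) + evaluate_rules(msg)))
```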
DNS-Proxy: Proxy Alarm
You can configure how the DNS-proxy sends messages for alarm events that occur through the DNS-proxy. You can define the proxy to send an SNMP trap, a notification to a network administrator, or
both. The notification can either be an email message to a network administrator or a pop-up window on
the management computer.
1. On the Edit page, Proxy Action tab, select the Proxy Alarm tab.
The Proxy Alarm settings appear.
2. Configure the notification settings for the DNS-proxy action.
For more information, see Set Logging and Notification Preferences on page 748.
3. To change settings for other categories in this proxy, see the topic for the next category you
want to modify.
4. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
About MX (Mail eXchange) Records
An MX (Mail eXchange) record is a type of DNS record that gives one or more host names of the email
servers that are responsible for and authorized to receive email for a given domain. If the MX record
has more than one host name, each name has a number that tells which is the most preferred host and
which hosts to try next if the most preferred host is not available.
MX Lookup
When an email server sends email, it first does a DNS query for the MX record of the recipient’s
domain. When it gets the response, the sending email server knows the host names of authorized mail
exchangers for the recipient’s domain. To get the IP addresses associated with the MX host names, a
mail server does a second DNS lookup for the A record of the host name. The response gives the IP
address associated with the host name. This lets the sending server know what IP address to connect
to for message delivery.
Reverse MX Lookup
Many anti-spam solutions, including those used by most major ISP networks and web mail providers
such as AOL, MSN, and Yahoo!, use a reverse MX lookup procedure. Different variations of the
reverse lookup are used, but the goals are the same: the receiving server wants to verify that the email
it receives does not come from a spoofed or forged sending address, and that the sending server is an
authorized mail exchanger for that domain.
To verify that the sending server is an authorized email server, the receiving email server tries to find
an MX record that correlates to the sender’s domain. If it cannot find one, it assumes that the email is
spam and rejects it.
The domain name that the receiving server looks up can be:
• Domain name in the email message’s From: header
• Domain name in the email message’s Reply-To: header
• Domain name the sending server uses as the FROM parameter of the MAIL command. (An
  SMTP command is different from an email header. The sending server sends the MAIL FROM:
  command to tell the receiving server who the message is from.)
• Domain name returned from a DNS query of the connection’s source IP address. The receiving
  server sometimes does a lookup for a PTR record associated with the IP address. A PTR DNS
  record is a record that maps an IP address to a domain name (instead of a normal A record,
  which maps a domain name to an IP address).
Before the receiving server continues the transaction, it makes a DNS query to see whether a valid MX
record for the sender’s domain exists. If the domain has no valid DNS MX record, then the sender is
not valid and the receiving server rejects it as a spam source.
MX Records and Multi-WAN
Because outgoing connections from behind your XTM device can show different source IP addresses
when your XTM device uses multi-WAN, you must make sure that your DNS records include MX
records for each external IP address that can show as the source when you send email. If the list of
host names in your domain’s MX record does not include one for each external XTM device interface, it
is possible that some remote email servers could drop your email messages.
For example, Company XYZ has an XTM device configured with multiple external interfaces. The XTM
device uses the Failover multi-WAN method. Company XYZ’s MX record includes only one host
name. This host name has a DNS A record that resolves to the IP address of the XTM device primary
external interface.
When Company XYZ sends an email to [email protected], the email goes out through the primary
external interface. The email request is received by one of Yahoo’s many email servers. That email
server does a reverse MX lookup to verify the identity of Company XYZ. The reverse MX lookup is
successful, and the email is sent.
If a WAN failover event occurs at the XTM device, all outgoing connections from Company XYZ start
to go out the secondary, backup external interface. In this case, when the Yahoo email server does a
reverse MX lookup, it does not find an IP address in Company XYZ’s MX and A records that matches,
and it rejects the email. To solve this problem, make sure that:
• The MX record has multiple host names, at least one for each external XTM device interface.
• At least one host name in the MX record has a DNS A record that maps to the IP address
  assigned to each XTM device interface.
Add Another Host Name to an MX Record
MX records are stored as part of your domain’s DNS records. For more information on how to set up
your MX records, contact your DNS host provider (if someone else hosts your domain’s DNS service)
or consult the documentation from the vendor of your DNS server software.
About the FTP-Proxy
FTP (File Transfer Protocol) is used to send files from one computer to a different computer over a
TCP/IP network. The FTP client is usually a computer. The FTP server can be a resource that keeps
files on the same network or on a different network. The FTP client can be in one of two modes for data
transfer: active or passive. In active mode, the server starts a connection to the client on source port
20. In passive mode, the client uses a previously negotiated port to connect to the server. The FTP-proxy monitors and scans these FTP connections between your users and the FTP servers they
connect to.
With an FTP-proxy policy, you can:
• Set the maximum user name length, password length, file name length, and command line
  length allowed through the proxy to help protect your network from buffer overflow attacks.
• Control the type of files that the FTP-proxy allows for downloads and uploads.
The TCP/UDP proxy is available for protocols on non-standard ports. When FTP uses a port other than
port 20, the TCP/UDP proxy relays the traffic to the FTP-proxy. For information on the TCP/UDP
proxy, see About the TCP-UDP-Proxy on page 694.
For detailed instructions on how to add the FTP-proxy to your XTM device configuration, see Add a
Proxy Policy to Your Configuration on page 540.
If you must change the proxy definition, from the Firewall Policies / Edit page, you can modify the
definition. This page is separated into several tabs: Settings, Application Control, Traffic
Management, Proxy Action, Scheduling, and Advanced.
Settings Tab
On the Settings tab, you can set basic information about a proxy policy, such as whether it allows or
denies traffic, create access rules for a policy, or configure policy-based routing, static NAT, or server
load balancing. The Settings tab also shows the port and protocol for the policy, as well as an optional
description of the policy. You can use the settings on this tab to set logging, notification, automatic
blocking, and timeout preferences.
• Connections are — Specify whether connections are Allowed, Denied, or Denied (send
  reset) and define who appears in the From and To list (on the Policy tab of the proxy definition).
  See Set Access Rules for a Policy on page 529.
• Use policy-based routing — See Configure Policy-Based Routing on page 531.
• You can also configure static NAT or configure server load balancing. See Configure Static
  NAT on page 233 and Configure Server Load Balancing on page 237.
• To define the logging settings for the policy, configure the settings in the Logging section.
  For more information, see Set Logging and Notification Preferences on page 748.
• If you set the Connections are drop-down list to Denied or Denied (send reset), you can
  block sites that try to use FTP.
  For more information, see Block Sites Temporarily with Policy Settings on page 732.
• To change the idle timeout that is set by the XTM device or authentication server, see Set a
  Custom Idle Timeout.
Application Control Tab
If Application Control is enabled on your device, you can set the action this proxy uses for Application
Control.
1. Select the Application Control tab.
2. From the Application Control Action drop-down list, select an application control action to
use for this policy, or create a new action.
3. Click Save.
For more information, see Enable Application Control in a Policy.
Traffic Management Tab
On the Traffic Management tab, you can select the Traffic Management action for the policy. You can
also create a new Traffic Management action. For more information about Traffic Management actions,
see Define a Traffic Management Action and Add a Traffic Management Action to a Policy on page
710.
To apply a Traffic Management action in a policy:
1. Select the Traffic Management tab.
2. From the Traffic Management Action drop-down list, select a Traffic Management action.
Or, to create a new Traffic Management action, select Create new and configure the settings
as described in the topic Define a Traffic Management Action on page 709.
3. Click Save.
Proxy Action Tab
You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For
more information about how to configure proxy actions, see About Proxy Actions on page 543.
To configure the proxy action:
1. Select the Proxy Action tab.
2. From the Proxy Action drop-down list, select the proxy action to use for this policy.
For information about proxy actions, see About Proxy Actions on page 543.
3. Click Save.
For the FTP-proxy, you can configure these categories of settings for a proxy action:
• FTP-Proxy: General Settings
• FTP-Proxy: Commands
• FTP-Proxy: Content
• FTP-Proxy: Data Loss Prevention
• FTP-Proxy: Proxy and AV Alarms
Scheduling Tab
On the Scheduling tab, you can specify an operating schedule for the policy. You can select an
existing schedule or create a new schedule.
1. Select the Scheduling tab.
2. From the Schedule Action drop-down list, select a schedule.
Or, to create a new schedule, select Create New and configure the settings as described in the
topics Create Schedules for XTM Device Actions and Set an Operating Schedule on page 523.
3. Click Save.
Advanced Tab
The Advanced tab includes settings for NAT, QoS, multi-WAN, and ICMP options.
To edit or add a comment to this proxy policy configuration, type the comment in the Comment text
box.
For more information on the options for this tab, see:
• Apply NAT Rules on page 536
• Set the Sticky Connection Duration for a Policy on page 536
• Set ICMP Error Handling on page 536
• Enable QoS Marking or Prioritization Settings for a Policy on page 707
FTP-Proxy: General Settings
In the General section of the Edit page for an FTP-proxy action, you can set basic FTP parameters
including maximum user name length.
1. On the Proxy Action tab, select the General tab.
The General settings appear.
2. To set limits for FTP parameters, select the applicable check boxes. These settings help to
protect your network from buffer overflow attacks.
Set the maximum user name length to
Sets a maximum length for user names on FTP sites.
Set the maximum password length to
Sets a maximum length for passwords used to log in to FTP sites.
Set the maximum file name length to
Sets the maximum file name length for files to upload or download.
Set the maximum command line length to
Sets the maximum length for command lines used on FTP sites.
Set the maximum number of failed logins per connection to
Allows you to limit the number of failed connection requests to your FTP site. This can
protect your site against brute force attacks.
3. In the text box for each setting, type or select the limit for the selected parameter.
4. For each setting, select or clear the Auto-block check box.
If someone tries to connect to an FTP site and exceeds a limit that you have selected to auto-block,
the computer that sent the commands is added to the temporary Blocked Sites List.
5. To create a log message for each transaction, select the Enable logging for reports check
box.
You must select this option to get detailed information on FTP traffic.
6. To specify the diagnostic log level for all proxy policies that use this proxy action, select the
Override the diagnostic log level for proxy policies that use this proxy action check box.
From the Diagnostic log level for this proxy action drop-down list, select a log level:
• Error
• Warning
• Information
• Debug
The log level you select overrides the diagnostic log level that is configured for all log messages
of this proxy policy type.
For more information about the diagnostic log level, see Set the Diagnostic Log Level on page
744.
7. To change settings for other categories in this proxy, see the topic for the next category you
want to modify.
8. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
FTP-Proxy: Commands
There are a number of commands that FTP uses to manage files. You can configure rules to put limits
on some FTP commands.
To control the commands that can be used on an FTP server protected by your XTM device, you can
configure the FTP-Server proxy action. By default, the FTP-Server proxy action configuration allows
these commands:
ABOR*  APPE*  CDUP*  CWD*   DELE*  HELP*
LIST*  MKD*   NLST*  NOOP*  PASS*  PASV*
PORT*  PWD*   QUIT*  REST*  RETR*  RMD*
RNFR*  RNTO*  STAT*  STOR*  STOU*  SYST*
TYPE*  USER*  XCUP*  XCWD*  XMKD*  XRMD*
The FTP-Server proxy action denies all other FTP commands by default.
To put limits on the commands that users protected by the XTM device can use when they connect to
external FTP servers, modify the FTP-Client proxy action. The default configuration of the FTP-Client
is to allow all FTP commands.
You can add, delete, or modify rules. We recommend that you do not block these commands, because
they are necessary for the FTP protocol to work correctly:
Protocol Command   Client Command   Description
USER               n/a              Sent with login name
PASS               n/a              Sent with password
PASV               pasv             Select passive mode for data transfer
SYST               syst             Print the server's operating system and version. FTP clients use this
                                    information to correctly interpret and show a display of server responses.
To add, delete, or modify rules:
1. On the Proxy Action tab, select the Commands tab.
2. Add, Change, or Delete Rules.
3. To change settings for another category in this proxy, see the topic for that category.
4. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
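Added example (Python, not WatchGuard code) for the General Settings limits and the Commands allow-list above: a per-connection filter that applies hypothetical length limits, the FTP-Server default allowed command set, and a failed-login counter to constructed control-channel lines. Counting a 530 server reply as a failed login is this example's assumption, not something the guide states.

```python
"""Model the FTP-proxy General settings and Commands checks on a control channel.

Added example, not WatchGuard code. The allow-list is the FTP-Server proxy
action default from the guide; the numeric limits are hypothetical values for
this example, not vendor defaults; treating a 530 reply as a failed login is
also this example's assumption. Session lines below are constructed inline.
"""
from dataclasses import dataclass

# Commands the default FTP-Server proxy action allows; everything else is denied.
FTP_SERVER_DEFAULT_ALLOWED = frozenset("""
    ABOR APPE CDUP CWD DELE HELP LIST MKD NLST NOOP PASS PASV PORT PWD QUIT
    REST RETR RMD RNFR RNTO STAT STOR STOU SYST TYPE USER XCUP XCWD XMKD XRMD
""".split())

# Commands whose argument is a file or directory name, and so fall under the
# "maximum file name length" limit.
FILENAME_COMMANDS = frozenset({"RETR", "STOR", "APPE", "STOU", "DELE", "RNFR",
                               "RNTO", "MKD", "RMD", "XMKD", "XRMD", "CWD", "XCWD"})


@dataclass
class Limits:
    """One value per General-settings check box (hypothetical numbers)."""
    max_user_name: int = 64
    max_password: int = 64
    max_file_name: int = 128
    max_command_line: int = 256
    max_failed_logins: int = 3


class FtpControlFilter:
    """Per-connection state, as the proxy keeps for each FTP control session."""

    def __init__(self, limits=None, allowed=FTP_SERVER_DEFAULT_ALLOWED):
        self.limits = limits or Limits()
        self.allowed = allowed
        self.failed_logins = 0
        self.auto_blocked = False

    def inspect_command(self, line: str):
        """Check one client command line; return (action, reason)."""
        lim = self.limits
        line = line.rstrip("\r\n")
        if len(line) > lim.max_command_line:
            return "deny", "command line longer than %d bytes" % lim.max_command_line
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb not in self.allowed:
            return "deny", "command %s not in the allowed set" % verb
        if verb == "USER" and len(arg) > lim.max_user_name:
            return "deny", "user name longer than %d" % lim.max_user_name
        if verb == "PASS" and len(arg) > lim.max_password:
            return "deny", "password longer than %d" % lim.max_password
        if verb in FILENAME_COMMANDS and len(arg) > lim.max_file_name:
            return "deny", "file name longer than %d" % lim.max_file_name
        return "allow", verb

    def inspect_reply(self, line: str):
        """Count failed logins from server replies; auto-block past the limit."""
        if line.startswith("530"):                  # 530 Not logged in (assumed)
            self.failed_logins += 1
            if self.failed_logins >= self.limits.max_failed_logins:
                self.auto_blocked = True
                return "block", ("%d failed logins: client added to the temporary "
                                 "Blocked Sites List" % self.failed_logins)
        return "allow", line[:3]


if __name__ == "__main__":
    f = FtpControlFilter()
    # Constructed session: three bad passwords, then an oversized name and a
    # command outside the FTP-Server default allow-list.
    for cmd in ("USER alice", "PASS wrong1", "PASS wrong2", "PASS wrong3"):
        print("C>", cmd, f.inspect_command(cmd))
        if cmd.startswith("PASS"):
            print("S> 530 Login incorrect", f.inspect_reply("530 Login incorrect"))
    print(f.inspect_command("RETR " + "A" * 300))
    print(f.inspect_command("SITE EXEC id"))
```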
FTP-Proxy: Content
You can control the type of files that the FTP-proxy allows for downloads and uploads. For example,
because many hackers use executable files to deploy viruses or worms on a computer, you could deny
requests for *.exe files. Or, if you do not want to let users upload Windows Media files to an FTP
server, you could add *.wma to the proxy definition and specify that these files are denied. Use the
asterisk (*) as a wildcard character.
To define rules for an FTP server protected by the XTM device, modify the FTP-Server proxy action.
To define rules for users who connect to external FTP servers, modify the FTP-Client proxy action.
1. On the Proxy Action tab, select the Upload or Download tab.
2. Add, delete, or modify rules, as described in Add, Change, or Delete Rules.
3. If you want uploaded files to be scanned for viruses by Gateway AntiVirus, from the Action to
take if no rule above is matched drop-down list, select AV Scan for one or more rules.
4. To change settings for another category in this proxy, see the topic for that category.
5. When you are finished with your changes to this proxy action definition, click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
FTP-Proxy: Data Loss Prevention
To apply consistent settings for Data Loss Prevention (DLP) content inspection and extraction, you
can associate a DLP configuration with your FTP-proxy.
From the Edit page for the FTP-proxy:
1. Select the Proxy Action tab.
2. Select the Data Loss Prevention tab.
3. From the DLP Sensor drop-down list, select a configuration.
4. Click Save.
For more information, see About Data Loss Prevention on page 1239 and Configure Data Loss
Prevention on page 1242.
FTP-Proxy: Proxy and AV Alarms
You can configure how the FTP-proxy sends messages for alarm and antivirus events. You can define the
proxy to send an SNMP trap, a notification to a network administrator, or both. The notification can be
either an email message to a network administrator or a pop-up window on the management computer.
1. On the Edit Proxy Action page, select the Proxy Alarm category.
The Proxy Alarm settings appear.
2. Configure the notification settings for the FTP-proxy action.
For more information, see Set Logging and Notification Preferences on page 748.
3. To change settings for other categories in this proxy, see the topic for the next category you
want to modify.
4. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
About the H.323-ALG
If you use Voice-over-IP (VoIP) in your organization, you can add an H.323 or SIP (Session Initiation
Protocol) ALG (Application Layer Gateway) to open the ports necessary to enable VoIP through your
XTM device. An ALG is created in the same way as a proxy policy and offers similar configuration
options. These ALGs have been created to work in a NAT environment to maintain security for
privately addressed conferencing equipment protected by your XTM device.
H.323 is commonly used on videoconferencing equipment. SIP is commonly used with IP phones. You
can use both H.323 and SIP ALGs at the same time, if necessary. To determine which ALG to add,
consult the documentation for your VoIP devices or applications.
VoIP Components
It is important to understand that you usually implement VoIP by using either:
Peer-to-peer connections
In a peer-to-peer connection, each of the two devices knows the IP address of the other device
and connects to the other directly, without the use of a proxy server to route their calls.
Host-based connections
Connections managed by a call management system (PBX). The call management system can
be self-hosted, or hosted by a third-party service provider.
With H.323, the key component of call management is known as a gatekeeper. A gatekeeper manages
VoIP calls for a group of users, and can be located on a network protected by your XTM device or at an
external location. For example, some VoIP providers host a gatekeeper on their network that you must
connect to before you can place a VoIP call. Other solutions require you to set up and maintain a
gatekeeper on your network.
Coordination of the many components of a VoIP installation can be a difficult task. We recommend you
make sure that VoIP connections work successfully before you add an H.323 or SIP ALG. This can
help you to troubleshoot any problems.
ALG Functions
When you use an H.323-ALG, your XTM device:
• Routes traffic for VoIP applications
• Opens the ports necessary to make and receive calls, and to exchange audio and video media
• Makes sure that VoIP connections use standard H.323 protocols
• Generates log messages for auditing purposes
Many VoIP devices and servers have their own NAT (Network Address Translation) traversal function that
opens and closes ports automatically. The H.323 and SIP ALGs perform this function on the XTM device,
so you must disable NAT traversal on your VoIP devices when you configure an H.323 or SIP ALG; otherwise
the two mechanisms conflict.
To change the ALG definition, from the Firewall Policies / Edit page, you can modify the definition.
This page is separated into several tabs: Settings, Application Control, Traffic Management,
Proxy Action, Scheduling, and Advanced.
For more information on how to add a proxy to your configuration, see Add a Proxy Policy to Your
Configuration on page 540.
Settings Tab
On the Settings tab, you can set basic information about a proxy policy, such as whether it allows or
denies traffic, create access rules for a policy, or configure policy-based routing, static NAT, or server
load balancing. The Settings tab also shows the port and protocol for the policy, as well as an optional
description of the policy. You can use the settings on this tab to set logging, notification, automatic
blocking, and timeout preferences.
• Connections are — Specify whether connections are Allowed, Denied, or Denied (send reset) and
define who appears in the From and To list (on the Policy tab of the proxy definition). See Set
Access Rules for a Policy on page 529.
• Use policy-based routing — See Configure Policy-Based Routing on page 531.
• You can also configure static NAT or configure server load balancing. See Configure Static NAT on
page 233 and Configure Server Load Balancing on page 237.
• To define the logging settings for the policy, configure the settings in the Logging section. For
more information, see Set Logging and Notification Preferences on page 748.
• If you set the Connections are drop-down list to Denied or Denied (send reset), you can block
sites that try to use H.323. For more information, see Block Sites Temporarily with Policy Settings
on page 732.
• To change the idle timeout that is set by the XTM device or authentication server, see Set a
Custom Idle Timeout.
Application Control Tab
If Application Control is enabled on your device, you can set the action this proxy uses for Application
Control.
1. Select the Application Control tab.
2. From the Application Control Action drop-down list, select an application control action to
use for this policy, or create a new action.
3. Click Save.
For more information, see Enable Application Control in a Policy.
Traffic Management Tab
On the Traffic Management tab, you can select the Traffic Management action for the policy. You can
also create a new Traffic Management action. For more information about Traffic Management actions,
see Define a Traffic Management Action and Add a Traffic Management Action to a Policy on page
710.
To apply a Traffic Management action in a policy:
1. Select the Traffic Management tab.
2. From the Traffic Management Action drop-down list, select a Traffic Management action.
Or, to create a new Traffic Management action, select Create new and configure the settings
as described in the topic Define a Traffic Management Action on page 709.
3. Click Save.
Proxy Action Tab
You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For
more information about how to configure proxy actions, see About Proxy Actions on page 543.
To configure the proxy action:
1. Select the Proxy Action tab.
2. From the Proxy Action drop-down list, select the proxy action to use for this policy.
For information about proxy actions, see About Proxy Actions on page 543.
3. Click Save.
For the H.323-ALG, you can configure these categories of settings for a proxy action:
• H.323-ALG: General Settings
• H.323-ALG: Access Control
• H.323-ALG: Denied Codecs
Scheduling Tab
On the Scheduling tab, you can specify an operating schedule for the policy. You can select an
existing schedule or create a new schedule.
1. Select the Scheduling tab.
2. From the Schedule Action drop-down list, select a schedule.
Or, to create a new schedule, select Create New and configure the settings as described in the
topics Create Schedules for XTM Device Actions and Set an Operating Schedule on page 523.
3. Click Save.
Advanced Tab
The Advanced tab includes settings for NAT, QoS, multi-WAN, and ICMP options.
To edit or add a comment to this proxy policy configuration, type the comment in the Comment text
box.
For more information on the options for this tab, see:
• Apply NAT Rules on page 536
• Set the Sticky Connection Duration for a Policy on page 536
• Set ICMP Error Handling on page 536
• Enable QoS Marking or Prioritization Settings for a Policy on page 707
H.323-ALG: General Settings
On the Edit page for an H.323-ALG, on the Proxy Action tab, on the General tab, you can set
security and performance options for the H.323-ALG (Application Layer Gateway).
Enable directory harvesting protection
Select this check box to prevent attackers from harvesting the list of valid user accounts
(directory harvesting) from VoIP gatekeepers protected by your XTM device. This option is enabled
by default.
Set the maximum number of sessions allowed per call
Use this feature to restrict the maximum number of audio or video sessions that can be created
with a single VoIP call. For example, if you set the number of maximum sessions to one and
participate in a VoIP call with both audio and video, the second connection is dropped. The
default value is two sessions, and the maximum value is four sessions. The XTM device
creates a log message when it denies a media session above this number.
User agent information
To have outgoing H.323 traffic identify as a client you specify, in the Rewrite user agent as
text box, type a new user agent string. To remove the false user agent, clear the text box.
Idle media channels
When no data is sent for a specified amount of time on a VoIP audio, video, or data channel,
your XTM device closes that network connection. The default value is 180 seconds (three
minutes) and the maximum value is 3600 seconds (sixty minutes).
To specify a different time interval, in the Idle media channels text box, type or select the
amount of time in seconds.
Enable logging for reports
To send a log message for each connection request managed by the H.323-ALG, select this
check box. This option is necessary to create accurate reports on H.323 traffic.
Override the diagnostic log level for proxy policies that use this proxy action
To specify the diagnostic log level for all proxy policies that use this proxy action, select this
check box. Then, from the Diagnostic log level for this proxy action drop-down list, select a
log level:
• Error
• Warning
• Information
• Debug
The log level you select overrides the diagnostic log level that is configured for all log messages
of this proxy policy type.
For more information about the diagnostic log level, see Set the Diagnostic Log Level on page
744.
592
Fireware XTM Web UI
Proxy Settings
H.323-ALG: Access Control
On the Edit page for an H.323-ALG, on the Proxy Action tab, on the Access Control tab, you can
create a list of users who are allowed to send VoIP network traffic.
Enable access control for VoIP
Select this check box to enable the access control feature. When enabled, the H.323-ALG
allows or restricts calls based on the options you set.
Default Settings
To enable all VoIP users to start calls by default, select the Start VoIP calls check box.
To enable all VoIP users to receive calls by default, select the Receive VoIP calls check box.
To create a log message for each H.323 VoIP connection started or received, select the
adjacent Log check box.
Access Levels
To create an exception to the default settings you specified, in the Address of Record text
box, type the address that appears in the TO and FROM headers of the packet for the
exception. This is usually an H.323 address in the format user@domain, such as
user@example.com.
From the Access Levels drop-down list, select an access level and click Add.
You can allow users to Start calls only, Receive calls only, Start and receive calls, or give
them No VoIP access. These settings apply only to H.323 VoIP traffic.
To delete an exception, select it in the list and click Remove.
Connections made by users who have an access level exception are logged by default. If you
do not want to log connections made by a user with an access level exception, clear the Log
check box adjacent to the exception name in the list.
H.323-ALG: Denied Codecs
You can use the H.323-ALG Denied Codecs feature to specify one or more VoIP voice, video, or data
transmission codecs to deny on your network. When an H.323 VoIP connection is opened that offers a
codec specified in this list, your XTM device reads the codec name from the call setup negotiation
and strips that codec from the negotiation, so the endpoints cannot select it.
The Denied Codecs list is empty by default. We recommend that you add a codec to this list if the
codec:
• Consumes too much bandwidth and causes excessive data usage across trunks or between network
elements
• Presents a security risk
• Is not necessary for your VoIP solution to operate correctly
For example, you might choose to deny the G.711 or G.726 codecs because they can use more than
32 kbit/s of bandwidth, or you might choose to deny the Speex codec because it is used by an
unauthorized VoIP application.
For a list of codecs and the name or text pattern associated with each codec, see
http://www.iana.org/assignments/rtp-parameters/rtp-parameters.xml. When you add a codec to the
Denied Codecs list, make sure to specify the value in the Encoding Name column for that codec.
To configure the denied codecs settings for an H.323-ALG:
1. On the Proxy Action tab, select the Denied Codecs tab.
The Denied Codecs settings appear.
2. To add a codec to the list, in the Denied Codecs text box, type the codec name or unique text
pattern in the text box.
Do not use wildcard characters or regular expression syntax. Codec patterns are case
sensitive.
3. Click Add
4. To delete a codec from the list, select the codec and click Remove.
5. To create a log message when your XTM device strips the codec information from H.323 traffic
that matches a codec in this list, select the Log each transaction that matches a denied
codec pattern check box.
6. Click Save.
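The two proxy-action tabs described above, Access Control and Denied Codecs, both act on a single call setup. The Python below is an added example, not WatchGuard code and not part of this guide: it models the documented decisions (default Start and Receive permissions, address-of-record exceptions with the four access levels, and denied-codec patterns matched as case-sensitive substrings of the IANA encoding name with no wildcards) against a constructed policy and a constructed codec offer. The order of the checks, the rule that a call needs the caller permitted to start and the callee permitted to receive, and the sample addresses and codec names are assumptions.

```python
"""H.323-ALG call admission as described under Access Control and Denied Codecs.

Added example, not WatchGuard code. It implements the documented rules:
default Start/Receive permissions, per-address-of-record exceptions with the
four access levels, and denied-codec patterns matched as case-sensitive
substrings of the IANA encoding name (no wildcards). The order in which the
ALG applies these checks is an assumption.
"""
from dataclasses import dataclass, field

# Access levels offered in the Access Levels drop-down list.
START_ONLY = "Start calls only"
RECEIVE_ONLY = "Receive calls only"
START_AND_RECEIVE = "Start and receive calls"
NO_ACCESS = "No VoIP access"


@dataclass
class AccessControl:
    enabled: bool = True
    default_start: bool = True      # "Start VoIP calls" check box
    default_receive: bool = True    # "Receive VoIP calls" check box
    exceptions: dict = field(default_factory=dict)  # address of record -> level

    def may_start(self, aor):
        level = self.exceptions.get(aor)
        if level is None:
            return self.default_start
        return level in (START_ONLY, START_AND_RECEIVE)

    def may_receive(self, aor):
        level = self.exceptions.get(aor)
        if level is None:
            return self.default_receive
        return level in (RECEIVE_ONLY, START_AND_RECEIVE)


def strip_denied_codecs(offered, denied_patterns):
    """Split offered encoding names into (kept, stripped).

    A codec is stripped when any denied pattern occurs in its name. Matching is
    an exact, case-sensitive substring test, so "G726" also catches "G726-32"
    while "speex" does not catch "SPEEX".
    """
    kept, stripped = [], []
    for name in offered:
        (stripped if any(p in name for p in denied_patterns) else kept).append(name)
    return kept, stripped


def evaluate_call(caller, callee, offered, acl, denied_patterns):
    """Return a decision dict for one call setup.

    Assumption: the caller must be permitted to start calls and the callee to
    receive them; the page lists the access levels but not how a call with two
    parties is judged. Denied codecs are stripped rather than failing the call.
    """
    log = []
    if acl.enabled:
        if not acl.may_start(caller):
            log.append(f"deny: {caller} is not allowed to start calls")
            return {"allowed": False, "codecs": [], "log": log}
        if not acl.may_receive(callee):
            log.append(f"deny: {callee} is not allowed to receive calls")
            return {"allowed": False, "codecs": [], "log": log}
    kept, stripped = strip_denied_codecs(offered, denied_patterns)
    log.extend(f"stripped denied codec {c}" for c in stripped)
    if not kept:
        # The call still passes the ALG; media negotiation then fails at the endpoints.
        log.append("warning: no codecs remain after stripping")
    return {"allowed": True, "codecs": kept, "log": log}


# Constructed sample policy: everyone may start and receive by default, a
# guest account has no VoIP access and a lobby phone may only receive.
POLICY = AccessControl(
    exceptions={"guest@example.com": NO_ACCESS, "lobby@example.com": RECEIVE_ONLY},
)
DENIED_CODECS = ["G726", "speex"]   # values from the IANA Encoding Name column

if __name__ == "__main__":
    offer = ["G722", "G726-32", "PCMU", "speex"]
    print(evaluate_call("alice@example.com", "bob@example.com", offer, POLICY, DENIED_CODECS))
    print(evaluate_call("lobby@example.com", "bob@example.com", offer, POLICY, DENIED_CODECS))
```

The substring test is the part worth attention when you fill in the Denied Codecs list: a short pattern such as G72 would strip G722, G726 and G729 alike, and a pattern in the wrong case matches nothing.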
About the HTTP-Proxy
Hyper Text Transfer Protocol (HTTP) is a request/response protocol between clients and servers. The
HTTP client is usually a web browser. The HTTP server is a remote resource that stores HTML files,
images, and other content. When the HTTP client starts a request, it establishes a TCP (Transmission
Control Protocol) connection on Port 80. An HTTP server listens for requests on Port 80. When it
receives the request from the client, the server replies with the requested file, an error message, or
some other information.
The HTTP-proxy is a high-performance content filter. It examines Web traffic to identify suspicious
content that can be a virus or other type of intrusion. It can also protect your HTTP server from attacks.
With an HTTP-proxy filter, you can:
• Adjust timeout and length limits of HTTP requests and responses to prevent poor network
performance, as well as several attacks.
• Customize the deny message that users see when they try to connect to a web site blocked by
the HTTP-proxy.
• Filter web content MIME types.
• Block specified path patterns and URLs.
• Deny cookies from specified web sites.
You can also use the HTTP-proxy with the WebBlocker security subscription. For more information,
see About WebBlocker on page 1125.
To enable your users to download Windows updates through the HTTP-proxy, you must change your
HTTP-proxy settings. For more information, see Enable Windows Updates Through the HTTP-Proxy.
The TCP/UDP proxy is available for protocols on non-standard ports. When HTTP uses a port other
than Port 80, the TCP/UDP proxy sends the traffic to the HTTP-proxy. For more information on the
TCP/UDP proxy, see About the TCP-UDP-Proxy on page 694.
To add the HTTP-proxy to your XTM device configuration, see Add a Proxy Policy to Your
Configuration on page 540.
If you must change the proxy definition, from the Firewall Policies / Edit page, you can modify the
definition. This page is separated into several tabs: Settings, Application Control, Traffic
Management, Proxy Action, Scheduling, and Advanced.
Settings Tab
On the Settings tab, you can set basic information about a proxy policy, such as whether it allows or
denies traffic, create access rules for a policy, or configure policy-based routing, static NAT, or server
load balancing. The Settings tab also shows the port and protocol for the policy, as well as an optional
description of the policy. You can use the settings on this tab to set logging, notification, automatic
blocking, and timeout preferences.
• Connections are — Specify whether connections are Allowed, Denied, or Denied (send reset) and
define who appears in the From and To list (on the Policy tab of the proxy definition). See Set
Access Rules for a Policy on page 529.
• Use policy-based routing — See Configure Policy-Based Routing on page 531.
• You can also configure static NAT or configure server load balancing. See Configure Static NAT on
page 233 and Configure Server Load Balancing on page 237.
• To define the logging settings for the policy, configure the settings in the Logging section. For
more information, see Set Logging and Notification Preferences on page 748.
• If you set the Connections are drop-down list to Denied or Denied (send reset), you can block
sites that try to use HTTP. For more information, see Block Sites Temporarily with Policy Settings
on page 732.
• To change the idle timeout that is set by the XTM device or authentication server, see Set a
Custom Idle Timeout.
Application Control Tab
If Application Control is enabled on your device, you can set the action this proxy uses for Application
Control.
1. Select the Application Control tab.
2. From the Application Control Action drop-down list, select an application control action to
use for this policy, or create a new action.
3. Click Save.
For more information, see Enable Application Control in a Policy.
Traffic Management Tab
On the Traffic Management tab, you can select the Traffic Management action for the policy. You can
also create a new Traffic Management action. For more information about Traffic Management actions,
see Define a Traffic Management Action and Add a Traffic Management Action to a Policy on page
710.
To apply a Traffic Management action in a policy:
1. Select the Traffic Management tab.
2. From the Traffic Management Action drop-down list, select a Traffic Management action.
Or, to create a new Traffic Management action, select Create new and configure the settings
as described in the topic Define a Traffic Management Action on page 709.
3. Click Save.
Proxy Action Tab
You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For
more information about how to configure proxy actions, see About Proxy Actions on page 543.
To configure the proxy action:
1. Select the Proxy Action tab.
2. From the Proxy Action drop-down list, select the proxy action to use for this policy.
For information about proxy actions, see About Proxy Actions on page 543.
3. Click Save.
For the HTTP-proxy, you can configure these categories of settings for a proxy action:
• HTTP Request: General Settings on page 602
• HTTP Request: Request Methods on page 605
• HTTP Request: URL Paths on page 608
• HTTP Request: Header Fields on page 608
• HTTP Request: Authorization on page 609
• HTTP Response: General Settings on page 610
• HTTP Response: Header Fields on page 611
• HTTP Response: Content Types on page 612
• HTTP Response: Cookies on page 614
• HTTP Response: Body Content Types on page 615
• Use a Caching Proxy Server on page 621
• HTTP-Proxy: Exceptions on page 615
• HTTP-Proxy: Data Loss Prevention
• HTTP-Proxy: Deny Message on page 617
• HTTP-Proxy: Proxy and AV Alarms on page 619
Scheduling Tab
On the Scheduling tab, you can specify an operating schedule for the policy. You can select an
existing schedule or create a new schedule.
1. Select the Scheduling tab.
2. From the Schedule Action drop-down list, select a schedule.
Or, to create a new schedule, select Create New and configure the settings as described in the
topics Create Schedules for XTM Device Actions and Set an Operating Schedule on page 523.
3. Click Save.
Advanced Tab
The Advanced tab includes settings for NAT, QoS, multi-WAN, and ICMP options.
To edit or add a comment to this proxy policy configuration, type the comment in the Comment text
box.
For more information on the options for this tab, see:
• Apply NAT Rules on page 536
• Set the Sticky Connection Duration for a Policy on page 536
• Set ICMP Error Handling on page 536
• Enable QoS Marking or Prioritization Settings for a Policy on page 707
HTTP Request: General Settings
On the Edit page for an HTTP-proxy action, on the HTTP Request > General Settings page, you can
set basic HTTP parameters, such as idle timeout and URL length.
Set the connection idle timeout to
This option controls performance.
To close the TCP socket for the HTTP connection when no packets have passed through the
TCP socket in the amount of time you specify, select the Set the connection idle timeout to
check box. In the adjacent text box, type or select the number of minutes before the proxy times
out.
Because every open TCP session uses a small amount of memory on the XTM device, and
browsers and servers do not always close HTTP sessions cleanly, we recommend that you
keep this check box selected. This makes sure that stale TCP connections are closed and
helps the XTM device save memory. You can lower the timeout to five minutes and not reduce
performance standards.
Set the maximum URL path length to
To set the maximum number of characters allowed in a URL, select the Set the maximum
URL path length to check box.
In this area of the proxy, URL includes anything in the web address after the top-level-domain.
This includes the slash character but not the host name (www.myexample.com or
myexample.com). For example, the URL www.myexample.com/products counts nine
characters toward this limit because /products has nine characters.
The default value of 2048 is usually enough for any URL requested by a computer behind your
XTM device. A URL that is very long can indicate an attempt to compromise a web server. The
minimum length is 15 bytes. We recommend that you keep this setting enabled with the default
settings. This helps protect against infected web clients on the networks that the HTTP-proxy
protects.
Allow range requests through unmodified
To allow range requests through the XTM device, select this check box. Range requests allow a
client to request subsets of the bytes in a web resource instead of the full content. For example,
if you want only some sections of a large Adobe file but not the whole file, the download occurs
more quickly and prevents the download of unnecessary pages if you can request only what you
need.
Range requests introduce security risks. Malicious content can hide anywhere in a file and a
range request makes it possible for any content to be split across range boundaries. The proxy
can fail to see a pattern it is looking for when the file spans two GET operations.
We recommend that you do not select this check box if the rules you add in the Body Content
Types section of the proxy are designed to identify byte signatures deep in a file, instead of just
in the file header.
To add a traffic log message when the proxy takes the action indicated in the check box for
range requests, select the Log this action check box.
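Two of the General Settings above lend themselves to a worked example: the URL path length count (everything after the host name, slash included, with the documented 2048 default and 15 minimum) and the scanning gap that unmodified range requests open. The Python below is an added example, not WatchGuard code and not part of this guide; its byte-signature `scan` function stands in for a Body Content Types rule, the sample file and its marker are constructed, and counting the query string toward the path length is an assumption.

```python
"""Two settings from HTTP Request > General Settings, as an added example.

Not WatchGuard code. The 2048 default and 15 minimum for the URL path limit
and the path-length definition come from the documentation. The byte
signature scanner stands in for a Body Content Types rule; the proxy's actual
matching engine is not modelled.
"""
from urllib.parse import urlsplit

DEFAULT_MAX_URL_PATH = 2048   # documented default
MIN_MAX_URL_PATH = 15         # documented minimum


def url_path_length(url):
    """Count the characters after the host name, including the leading slash.

    "www.myexample.com/products" counts 9 (the length of "/products").
    Assumption: the query string counts toward the limit; the fragment is
    never sent to the server and is ignored.
    """
    if "://" not in url:
        url = "http://" + url          # urlsplit needs a scheme to find the host
    parts = urlsplit(url)
    path = parts.path
    if parts.query:
        path += "?" + parts.query
    return len(path)


def url_path_allowed(url, limit=DEFAULT_MAX_URL_PATH):
    """Apply the 'Set the maximum URL path length to' check."""
    if limit < MIN_MAX_URL_PATH:
        raise ValueError(f"limit must be at least {MIN_MAX_URL_PATH}")
    return url_path_length(url) <= limit


def scan(body, signature):
    """Stand-in for a body content rule that looks for a byte signature."""
    return signature in body


def scan_range_responses(full_body, ranges, signature):
    """Scan each Range response by itself, which is all the proxy can do when
    range requests pass through unmodified. Misses a signature that is split
    across two ranges."""
    return any(scan(full_body[start:end + 1], signature) for start, end in ranges)


def scan_reassembled(full_body, ranges, signature):
    """Scan the object after the pieces are joined in order, as when the
    client must fetch the whole resource in one response."""
    return scan(b"".join(full_body[start:end + 1] for start, end in ranges), signature)


# Constructed sample: a 26-byte "file" whose marker sits at offsets 7..17. A
# client under attacker control requests bytes=0-11 and then bytes=12-25, so
# that neither response carries the marker whole.
SAMPLE_FILE = b"header-" + b"MALWARE-SIG" + b"-trailer"
SIGNATURE = b"MALWARE-SIG"
SPLIT_RANGES = [(0, 11), (12, len(SAMPLE_FILE) - 1)]
WHOLE_RANGE = [(0, len(SAMPLE_FILE) - 1)]

if __name__ == "__main__":
    print(url_path_length("www.myexample.com/products"))                 # 9
    print(url_path_allowed("www.myexample.com/" + "a" * 3000))          # False
    print(scan_range_responses(SAMPLE_FILE, SPLIT_RANGES, SIGNATURE))   # False: evaded
    print(scan_reassembled(SAMPLE_FILE, SPLIT_RANGES, SIGNATURE))       # True
```

The split case is the reason the guide advises leaving range requests disabled when body content rules look for signatures deep in a file: each GET is a separate response, and a signature that straddles the boundary is never seen whole.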
Enable YouTube for Schools
To ensure that students are only able to get access to appropriate content on YouTube through
the school network, schools can enable the Education Filter. With this filter, YouTube content is
filtered to restrict access to any content on YouTube.com that is not educational, and allow
unrestricted access to only educational content on YouTube for Schools.
To configure this feature, schools must first contact YouTube to get a unique School ID
code. Then select the Enable YouTube for Schools check box and type or paste the unique
School ID code in the School ID text box.
When you configure this option, the X-YouTube-Edu-Filter is added to the HTTP request as a
header rule and includes the School ID code in this format:
X-YouTube-Edu-Filter:<SchoolIDCode>
For example:
X-YouTube-Edu-Filter:ABCD1234567890abcdef
If this text does not appear in the HTTP request header, YouTube for Schools is not properly
enabled and content is not restricted.
Enforce safe search for major search engines such as Google, Bing, Yahoo and YouTube
To enable the HTTP-Client proxy action to enforce Safe Search for search engines, select the
Enforce safe search for major search engines such as Google, Bing, Yahoo and
YouTube check box.
Safe Search is a feature included in web browser search engines that enables users to specify
what level of potentially inappropriate content can be returned in search results. When you
enable Safe Search in the HTTP-Client proxy action, the strictest level of Safe Search rules are
enforced regardless of the settings configured in the client web browser search engines.
Enable logging for reports
To create a traffic log message for each transaction, select this check box. This option creates
a large log file, but this information can be very important if your firewall is attacked. If you do
not select this check box, you do not see detailed information about HTTP-proxy connections in
reports.
To generate log messages for both Web Audit and WebBlocker reports, you must select this
option.
Override the diagnostic log level for proxy policies that use this proxy action
To specify the diagnostic log level for all proxy policies that use this proxy action, select this
check box. Then, from the Diagnostic log level for this proxy action drop-down list, select a
log level:
• Error
• Warning
• Information
• Debug
The log level you select overrides the diagnostic log level that is configured for all log messages
of this proxy policy type.
For more information about the diagnostic log level, see Set the Diagnostic Log Level on page
744.
HTTP Request: Request Methods
Most browser HTTP requests are in one of two categories: GET or POST operations. Browsers usually
use GET operations to download objects such as a graphic, HTML data, or Flash data. More than one
GET is usually sent by a client computer for each page, because web pages usually contain many
different elements. The elements are put together to make a page that appears as one page to the end
user.
Browsers usually use POST operations to send data to a web site. Many web pages get information
from the end user such as location, email address, and name. If you disable the POST command, the
XTM device denies all POST operations to web servers on the external network. This feature can
prevent your users from sending information to a web site on the external network.
Web-based Distributed Authoring and Versioning (WebDAV) is a set of HTTP extensions that allows
users to edit and manage files on remote web servers. WebDAV is compatible with Outlook Web
Access (OWA). If WebDAV extensions are not enabled, the HTTP-proxy supports these request
methods: HEAD, GET, POST, OPTIONS, PUT, and DELETE. For the HTTP-Server proxy action, the proxy
allows these request methods by default: HEAD, GET, and POST. Rules for OPTIONS, PUT, and DELETE
are included but disabled by default.
1. On the Edit page for the proxy, select the Proxy Action tab.
The proxy action settings appear.
2. From the HTTP Request drop-down list, select Request Methods.
The Request Methods settings appear.
3. To enable your users to use these extensions, select the Enable WebDAV check box.
Many extensions to the base WebDAV protocol are also available. If you enable WebDAV, from
the drop-down list, select whether you want to enable only the extensions described in RFC
2518 or if you want to include an additional set of extensions to maximize interoperability.
4. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
5. To change settings for another category in this proxy, see the topic for that category.
6. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
HTTP Request: URL Paths
A URL (Uniform Resource Locator) identifies a resource on a remote server and gives the network
location on that server. The URL path is the string of information that comes after the top level domain
name. You can use the HTTP-proxy to block web sites that contain specified text in the URL path. You
can add, delete, or modify URL path patterns.
To use the HTTP request proxy action to block content based on patterns in URL paths, you must edit
the HTTP Request category of the HTTP proxy action and specify the URL path patterns for the
content you want to block. For example:
• To block all pages that have the host name www.example.net, type www.example.net/* .
• To block all paths containing the word sex on all web sites, type *sex* .
• To block URL paths ending in .exe on all web sites, type *.exe .
If you filter URLs with the HTTP request URL path ruleset, you must configure a complex pattern that
uses full regular expression syntax from the advanced view of a ruleset. It is easier and gives better
results to filter based on header or body content type than it is to filter by URL path.
To block web sites with specific text in the URL path:
1. On the Edit page for the proxy, select the Proxy Action tab.
2. From the HTTP Request drop-down list, select URL paths.
The URL Paths settings appear.
3. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
4. To change settings for another category in this proxy, see the topic for that category.
5. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
HTTP Request: Header Fields
This ruleset supplies content filtering for the full HTTP header. By default, the HTTP-proxy uses exact
matching rules to strip Via and From headers, and allows all other headers. This ruleset matches the
full header, not only the name.
To match all values of a header, type the pattern: [header name]:* . To match only some values of a
header, replace the asterisk (*) wildcard with a pattern. If your pattern does not start with an asterisk (*)
wildcard, include one space between the colon and the pattern when you type in the Pattern text box.
For example, type: [header name]: [pattern] , not [header name]:[pattern] .
The default rules do not strip the Referer header, but do include a disabled rule to strip this header. To
enable the rule to strip the header, select Change View. Some web browsers and software
applications must use the Referer header to operate correctly.
1. On the Edit page for the proxy, select the Proxy Action tab.
2. From the HTTP Request drop-down list, select Header Fields.
The Header Fields settings appear.
3. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
4. To change settings for another category in this proxy, see the topic for that category.
5. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
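The header-field rules above are evaluated like every proxy ruleset in this guide: in order, the first matching rule decides, and the Action to take if no rule above is matched applies otherwise (Allow for header fields). The Python below is an added example, not WatchGuard code and not part of this guide; it reproduces the documented defaults (Via and From stripped, a Referer rule present but disabled), the full-header matching with the required space after the colon, and the same first-match logic the FTP-proxy content rules use. Lower-casing the header name before matching and the literal `Name:*` pattern text of the predefined rules are assumptions; the sample request headers are constructed.

```python
"""Ruleset evaluation for HTTP Request > Header Fields, as an added example.

Not WatchGuard code. It implements what the page describes: rules are tried
in order, the first enabled match decides, and a default action applies to
everything else (Allow for header fields). The default rules below follow the
page: Via and From are stripped, a Referer rule exists but is disabled.
The FTP-proxy content rules and URL path rules use the same first-match and
default-action logic with wildcard patterns.
"""
from fnmatch import fnmatchcase

ALLOW, STRIP, DENY = "Allow", "Strip", "Deny"


def _normalize(header_line):
    """Lower-case the header name, leave the value untouched.

    HTTP header names are case-insensitive (RFC 7230); whether the device
    normalizes them before matching is an assumption made here.
    """
    name, sep, value = header_line.partition(":")
    return name.strip().lower() + sep + value


class Rule:
    def __init__(self, name, pattern, action, kind="pattern", enabled=True, log=False):
        self.name = name
        self.pattern = pattern        # full header text, e.g. "Via:*" or "Via: 1.1*"
        self.action = action
        self.kind = kind              # "exact" or "pattern" (* and ? wildcards)
        self.enabled = enabled
        self.log = log

    def matches(self, header_line):
        if not self.enabled:
            return False
        subject, pattern = _normalize(header_line), _normalize(self.pattern)
        if self.kind == "exact":
            return subject == pattern
        return fnmatchcase(subject, pattern)


def evaluate(rules, header_line, default=ALLOW):
    """Return (action, rule_name); rule_name is None when the default applied."""
    for rule in rules:
        if rule.matches(header_line):
            return rule.action, rule.name
    return default, None


def filter_headers(rules, headers, default=ALLOW):
    """Apply the ruleset to a request's header lines.

    Returns (kept_headers, decisions). A Deny decision rejects the whole
    request, reported as kept_headers None.
    """
    kept, decisions = [], []
    for line in headers:
        action, name = evaluate(rules, line, default)
        decisions.append((line, action, name))
        if action == DENY:
            return None, decisions
        if action == ALLOW:
            kept.append(line)
        # STRIP drops the header and the request continues without it.
    return kept, decisions


# Default rules as the page describes them. The page calls the Via and From
# rules exact-match rules but does not show their literal pattern text; the
# "Name:*" wildcard form is used here as the assumption.
DEFAULT_RULES = [
    Rule("Via", "Via:*", STRIP),
    Rule("From", "From:*", STRIP),
    Rule("Referer", "Referer:*", STRIP, enabled=False),
]

# Constructed request headers for the demonstration.
SAMPLE_HEADERS = [
    "Host: www.example.com",
    "User-Agent: curl/7.0",
    "Via: 1.1 proxy.example.net",
    "From: someone@example.com",
    "Referer: http://intranet.example.com/",
]

if __name__ == "__main__":
    kept, decisions = filter_headers(DEFAULT_RULES, SAMPLE_HEADERS)
    for line, action, name in decisions:
        print(f"{action:5} {name or 'default':8} {line}")
```

Because the pattern is matched against the whole header line, `User-Agent:curl*` never matches `User-Agent: curl/7.0`; the space after the colon is part of the text being matched, which is why the page tells you to type `[header name]: [pattern]` unless the pattern starts with an asterisk.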
HTTP Request: Authorization
This rule sets the criteria for content filtering of HTTP Request Header authorization fields. When a
web server starts a WWW-Authenticate challenge, it sends information about which authentication
methods it can use. The proxy puts limits on the type of authentication sent in a request. It uses only
the authentication methods that the web server accepts. With a default configuration, the XTM device
allows Basic, Digest, NTLM, and Passport1.4 authentication, and strips all other authentication. You
can add, delete, or modify rules in the default ruleset.
1. On the Edit page for the proxy, select the Proxy Action tab.
2. From the HTTP Request drop-down list, select Authorization.
The Authorization settings appear.
3. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
4. To change settings for another category in this proxy, see the topic for that category.
5. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
HTTP Response: General Settings
On the General Settings page, you can configure basic HTTP parameters such as idle time out, and
limits for line and total length.
1. On the Edit page for the proxy, select the Proxy Action tab.
2. From the HTTP Response drop-down list, select General Settings.
The General Settings page appears.
3. To set limits for HTTP parameters, select the applicable check boxes. Type or select a value for
the limits.
Set the timeout to
Controls how long the HTTP proxy waits for the web server to send the web page. When a
user clicks a hyperlink or types a URL in a web browser, it sends an HTTP request to a
remote server to get the content. In most browsers, a message similar to Contacting site...,
appears in the status bar. If the remote server does not respond, the HTTP client continues
to send the request until it receives an answer or until the request times out. During this
time, the HTTP proxy continues to monitor the connection and uses valuable network
resources.
Set the maximum line length to
Controls the maximum allowed length of a line of characters in HTTP response headers.
Use this property to protect your computers from buffer overflow exploits. Because URLs
for many commerce sites continue to increase in length over time, you may need to adjust
this value in the future.
Set the maximum total length to
Controls the maximum length of HTTP response headers. If the total header length is more
than this limit, the HTTP response is denied.
4. To change settings for another category in this proxy, see the topic for that category.
5. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
HTTP Response: Header Fields
This ruleset controls which HTTP response header fields the XTM device allows. You can add, delete,
or modify rules. Many of the HTTP response headers that are allowed in the default configuration are
described in RFC 2616. For more information, see http://www.ietf.org/rfc/rfc2616.txt.
1. On the Edit page for the proxy, select the Proxy Action tab.
2. From the HTTP Response drop-down list, select Header Fields.
The Header Fields settings appear.
3. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
4. To change settings for another category in this proxy, see the topic for that category.
5. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
HTTP Response: Content Types
When a web server sends HTTP traffic, it usually adds a MIME type, or content type, to the packet
header that shows what kind of content is in the packet. The HTTP header on the data stream contains
this MIME type. It is added before the data is sent.
Certain kinds of content that users request from web sites can be a security threat to your network.
Other kinds of content can decrease the productivity of your users. By default, the XTM device allows
some safe content types, and denies MIME content that has no specified content type. The HTTP-proxy includes a list of commonly used content types that you can add to the ruleset. You can also
add, delete, or modify the definitions.
The format of a MIME type is type/subtype. For example, if you wanted to allow JPEG images, you
would add image/jpg to the proxy definition. You can also use the asterisk (*) as a wildcard. To allow
any image format, you add image/* .
For a list of current, registered MIME types, see http://www.iana.org/assignments/media-types.
Add, Delete, or Modify Content Types
1. On the Edit page for the proxy, select the Proxy Action tab.
2. From the HTTP Response drop-down list, select Content Types.
The Content Types settings appear.
3. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
4. To change settings for another category in this proxy, see the topic for that category.
5. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
Allow Web Sites with a Missing Content Type
By default, the XTM device denies MIME content that has no specified content type. In most cases,
we recommend that you keep this default setting. Sites that do not supply legitimate MIME types in
their HTTP responses do not follow RFC recommendations and could pose a security risk. However,
some organizations need their employees to get access to web sites that do not have a specified
content type.
You must make sure that you change the proxy action used by the correct policy or policies. You can
apply the change to any policy that uses an HTTP-Client proxy action. This could be an HTTP-proxy
policy, the Outgoing policy (which also applies an HTTP-Client proxy action), or the TCP-UDP policy.
To allow web sites with a missing content type:
1. In the Content Types list, select the Enabled check box adjacent to the Allow (none) rule.
2. Click Save.
HTTP Response: Cookies
HTTP cookies are small files of alphanumeric text that web servers put on web clients. Cookies
monitor the page a web client is on, to enable the web server to send more pages in the correct
sequence. Web servers also use cookies to collect information about an end user. Many web sites use
cookies for authentication and other legitimate functions, and cannot operate correctly without cookies.
The HTTP proxy gives you control of the cookies in HTTP responses. You can configure rules to strip
cookies, based on your network requirements. The default rule for the HTTP-Server and HTTP-Client
proxy action allows all cookies. You can add, delete, or modify rules.
The proxy looks for packets based on the domain associated with the cookie. The domain can be
specified in the cookie. If the cookie does not contain a domain, the proxy uses the host name in the
first request. For example, to block all cookies for nosy-adware-site.com, use the pattern: *.nosy-adware-site.com . If you want to deny cookies from all subdomains on a web site, use the wildcard
symbol (*) before and after the domain. For example, *example.com* blocks all subdomains of
example.com, such as images.example.com and mail.example.com.
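The pattern semantics the guide describes for the Header Fields, Content Types and Cookies rulesets, modelled as an added Python example (not WatchGuard code): only the asterisk is a wildcard, the first enabled matching rule wins, and the default action applies otherwise. Case-insensitive matching, the class and function names, and the sample allow rules for content types are assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Added example, not WatchGuard code: models how the guide describes
# proxy-action rulesets evaluating patterns. Only '*' is a wildcard, any
# other character must match exactly, the first enabled matching rule
# wins, and the ruleset's default action applies when nothing matches.
# Case-insensitive matching and the class/function names are assumptions.


@dataclass
class Rule:
    pattern: str            # e.g. "Via:*", "image/*", "*example.com*"
    action: str             # "allow", "deny" or "strip"
    enabled: bool = True


def matches(pattern: str, value: str) -> bool:
    # Build a regex where '*' means "anything" and every other character
    # is literal ('?', '.', '(' and friends must not become wildcards).
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


@dataclass
class Ruleset:
    rules: list[Rule]
    default_action: str

    def evaluate(self, value: str) -> tuple[str, Optional[str]]:
        """Return (action, pattern that matched or None)."""
        for rule in self.rules:
            if rule.enabled and matches(rule.pattern, value):
                return rule.action, rule.pattern
        return self.default_action, None


# HTTP Request: Header Fields. Rules match the full "Name: value" line, so
# "Via:*" matches every Via header, and the Referer rule exists but is
# disabled, as in the default ruleset the guide describes.
HEADER_FIELDS = Ruleset(
    rules=[Rule("Via:*", "strip"),
           Rule("From:*", "strip"),
           Rule("Referer:*", "strip", enabled=False)],
    default_action="allow",
)


def filter_request_headers(raw_headers: str,
                           ruleset: Ruleset = HEADER_FIELDS) -> list[str]:
    """Return the header lines that the ruleset allows through."""
    kept = []
    for line in raw_headers.splitlines():
        if line.strip() and ruleset.evaluate(line)[0] == "allow":
            kept.append(line)
    return kept


# HTTP Response: Content Types. The allow rules here are constructed sample
# entries; the device's real default list is not reproduced in the guide.
# A response with no Content-Type header is evaluated as "(none)", which the
# disabled "Allow (none)" rule would permit if an administrator enabled it.
CONTENT_TYPES = Ruleset(
    rules=[Rule("text/*", "allow"),
           Rule("image/*", "allow"),
           Rule("(none)", "allow", enabled=False)],
    default_action="deny",
)


def check_content_type(header_value: Optional[str],
                       ruleset: Ruleset = CONTENT_TYPES) -> str:
    if header_value is None:
        return ruleset.evaluate("(none)")[0]
    media_type = header_value.split(";", 1)[0].strip()  # drop "; charset=..."
    return ruleset.evaluate(media_type)[0]


# HTTP Response: Cookies. Patterns are matched against the cookie's Domain
# attribute; a cookie without one is matched against the request host name.
COOKIES = Ruleset(
    rules=[Rule("*.nosy-adware-site.com", "strip"),
           Rule("*example.com*", "strip")],
    default_action="allow",
)


def cookie_action(set_cookie: str, request_host: str,
                  ruleset: Ruleset = COOKIES) -> str:
    domain = request_host
    for attr in set_cookie.split(";")[1:]:
        name, _, val = attr.strip().partition("=")
        if name.lower() == "domain" and val:
            domain = val.strip()   # keep any leading dot, e.g. ".site.com"
            break
    return ruleset.evaluate(domain)[0]
```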
Change Settings for Cookies
1. On the Edit page for the proxy, select the Proxy Action tab.
2. From the HTTP Response drop-down list, select Cookies.
The Cookies settings appear.
3. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
4. To change settings for another category in this proxy, see the topic for that category.
5. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
HTTP Response: Body Content Types
This ruleset gives you control of the content in an HTTP response. The XTM device is configured to
deny Java bytecodes, Zip archives, Windows EXE/DLL files, and Windows CAB files. The default
proxy action for outgoing HTTP requests (HTTP-Client) allows all other response body content types.
You can add, delete, or modify rules. We recommend that you examine the file types that are used in
your organization and allow only those file types that are necessary for your network.
1. On the Edit page for the proxy, select the Proxy Action tab.
2. From the HTTP Response drop-down list, select Body Content Types.
The Body Content Types settings appear.
3. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
4. To change settings for another category in this proxy, see the topic for that category.
5. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
HTTP-Proxy: Exceptions
For certain web sites, you can use HTTP-proxy exceptions to bypass HTTP-proxy rules, but not
bypass the proxy framework. Traffic that matches HTTP-proxy exceptions is still handled by the
HTTP-proxy, but, when a match occurs, some proxy settings are not included.
Excluded Proxy Settings
These settings are not included:
- HTTP request — Range requests, URL path length, all request methods, all URL paths, request headers, authorization pattern matching
- HTTP response — Response headers, content types, cookies, body content types
Request headers and response headers are parsed by the HTTP-proxy even when the traffic matches
the HTTP-proxy exception. If a parsing error does not occur, all headers are allowed. Antivirus
scanning and WebBlocker are not applied to traffic that matches an HTTP-proxy exception.
Included Proxy Settings
These settings are included:
- HTTP request — Idle timeout
- HTTP response — Idle timeout, maximum line length limit, maximum total length limit
All transfer-encoding parsing is still applied to allow the proxy to determine the encoding type. The
HTTP-proxy denies all invalid or malformed transfer encoding.
Define Exceptions
You can add host names or patterns as HTTP-proxy exceptions. For example, if you block all web
sites that end in .test but want to allow your users to go to the site www.example.test, you can add
www.example.test as an HTTP-proxy exception.
When you define exceptions, you specify the IP address or domain name of sites to allow. The domain
(or host) name is the part of a URL that ends with .com, .net, .org, .biz, .gov, or .edu. Domain names
can also end in a country code, such as .de (Germany) or .jp (Japan).
To add a domain name, type the URL pattern without the leading http://. For example, to allow your
users to go to the Example web site, http://www.example.com, type www.example.com . If you want to
allow all subdomains that contain example.com, you can use the asterisk (*) as a wildcard character.
For example, to allow users to go to www.example.com, and support.example.com type
*.example.com .
1. On the Edit Proxy Action page, select the HTTP Proxy Exceptions tab.
The HTTP Proxy Exceptions settings appear.
2. In the text box, type the host name or host name pattern. Click Add.
3. Repeat this process to add more exceptions.
4. To add a traffic log message each time the HTTP-proxy takes an action on a proxy exception,
select the Log each transaction that matches an HTTP proxy exception check box.
5. To change settings for other categories in this proxy, see the topic for the next category you
want to modify.
6. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
HTTP-Proxy: Deny Message
When content is denied, the XTM device sends a default deny message that replaces the denied
content. You can change the text of that deny message. You can customize the deny message with
standard HTML. You can also use Unicode (UTF-8) characters in the deny message. The first line of
the deny message is a component of the HTTP header. You must include an empty line between the
first line and the body of the message.
You get a deny message in your web browser from the XTM device when you make a request that the
HTTP-proxy does not allow. You also get a deny message when your request is allowed, but the
HTTP-proxy denies the response from the remote web server. For example, if a user tries to download
an .exe file and you have blocked that file type, the user sees a deny message in the web browser. If
the user tries to download a web page that has an unknown content type and the proxy policy is
configured to block unknown MIME types, the user sees an error message in the web browser.
The default deny message appears in the Deny Message text box. To change this to a custom
message, scroll to the <body> element of the message code and add any of these variables:
%(transaction)%
Select Request or Response to show which side of the transaction caused the packet to be
denied.
This variable also appears in the <title> element of the deny message.
%(reason)%
Includes the reason the XTM device denied the content.
%(method)%
Includes the request method from the denied request.
%(url-host)%
Includes the server host name from the denied URL. If no host name was included, the IP
address of the server is included.
%(url-path)%
Includes the path component of the denied URL.
%(serial)%
Includes the serial number of the XTM device in the deny message.
%(firewall)%
Includes the XTM device name in the deny message.
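An added Python example (not WatchGuard code) that renders a deny message of the kind described above: it checks the structural rule that the first line belongs to the HTTP header and an empty line precedes the body, then expands the seven %(name)% variables. The template text, the status line and the sample values are constructed, and the HTML escaping of substituted values is this example's own safeguard, not something the guide states the device does.

```python
import html
import re

# Added example, not WatchGuard code. It renders a deny message of the kind
# the guide describes: the first line belongs to the HTTP header, an empty
# line separates header from body, and %(name)% variables are expanded.
# The template text, status line and sample values are constructed; HTML
# escaping of the substituted values is this example's own safeguard and
# is not something the guide says the device does.

DENY_TEMPLATE = """HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=utf-8

<html><head><title>%(transaction)% denied</title></head>
<body>
<h1>%(transaction)% denied by %(firewall)%</h1>
<p>Reason: %(reason)%</p>
<p>%(method)% http://%(url-host)%%(url-path)%</p>
<p>Device serial: %(serial)%</p>
</body></html>
"""

# The seven variables the guide lists for the <body> of the deny message.
VARIABLE = re.compile(
    r"%\((transaction|reason|method|url-host|url-path|serial|firewall)\)%")


def validate_template(template: str) -> None:
    """Enforce the guide's structural rule: status line first, then an
    empty line before the body."""
    text = template.replace("\r\n", "\n")
    head, sep, _body = text.partition("\n\n")
    if not sep:
        raise ValueError("deny message needs an empty line between "
                         "the header and the body")
    first = head.splitlines()[0] if head else ""
    if not first.startswith("HTTP/"):
        raise ValueError("first line must be an HTTP status line, got %r"
                         % first)


def render_deny_message(template: str, values: dict) -> str:
    validate_template(template)

    def substitute(match: re.Match) -> str:
        # url-host, url-path and method come from the denied request, so
        # escape them before they are placed inside HTML.
        return html.escape(str(values.get(match.group(1), "")), quote=True)

    return VARIABLE.sub(substitute, template)


if __name__ == "__main__":
    print(render_deny_message(DENY_TEMPLATE, {
        "transaction": "Response", "reason": "body content type denied",
        "method": "GET", "url-host": "www.example.com",
        "url-path": "/setup.exe", "serial": "SERIAL-PLACEHOLDER",
        "firewall": "XTM-NAME-PLACEHOLDER",
    }))
```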
To configure the Deny Message:
1. On the Proxy Action tab, select the Deny Message tab.
The Deny Message settings appear.
2. In the Deny Message text box, type the deny message.
3. To change settings for other categories in this proxy, see the topic for the next category you
want to modify.
4. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
HTTP-Proxy: Data Loss Prevention
To apply consistent settings for Data Loss Prevention (DLP) content inspection and extraction, you
can associate a DLP configuration with your HTTP-proxy.
From the Edit page for the HTTP-proxy:
1. Select the Proxy Action tab.
2. Select the Data Loss Prevention tab.
3. From the DLP Sensor drop-down list, select a configuration.
4. Click Save.
For more information, see About Data Loss Prevention on page 1239 and Configure Data Loss
Prevention on page 1242.
HTTP-Proxy: Proxy and AV Alarms
You can configure how the HTTP-proxy sends messages for alarm and antivirus events that occur
through the HTTP-proxy. You can define the proxy to send an SNMP trap, a notification to a network
administrator, or both. The notification can either be an email message to a network administrator or a
pop-up window on the management computer.
1. On the Edit page for the proxy action, select the Proxy and AV Alarms tab.
The Proxy and AV Alarms settings appear.
2. Configure the notification settings for the HTTP-proxy action.
For more information, see Set Logging and Notification Preferences on page 748.
3. To change settings for other categories in this proxy, see the topic for the next category you
want to modify.
4. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
Enable Windows Updates Through the HTTP-Proxy
Windows Update servers identify the content they deliver to a computer as a generic binary stream
(such as octet stream), which is blocked by the default HTTP proxy rules. To allow Windows updates
through the HTTP-proxy, you must edit your HTTP-Client proxy ruleset to add HTTP-proxy exceptions
for the Windows Update servers.
1. Make sure that your XTM device allows outgoing connections on port 443 and port 80.
These are the ports that computers use to contact the Windows Update servers.
2. On the Edit page of the proxy action, select the HTTP Proxy Exceptions category.
3. In the text box, type or paste each of these domains, and click Add after each one:
*.download.windowsupdate.com
*.update.microsoft.com
*.windowsupdate.com
*.windowsupdate.microsoft.com
download.microsoft.com
download.windowsupdate.com
ntservicepack.microsoft.com
support.microsoft.com/kb/885819
update.microsoft.com
windowsupdate.microsoft.com
wustat.windows.com
4. Click Save.
If You Still Cannot Download Windows Updates
If you have more than one HTTP-proxy policy, make sure that you add the HTTP exceptions to the
correct policy and proxy action.
Microsoft does not limit updates to only these domains. Examine your log messages for denied traffic
to a Microsoft-owned domain. Look for any traffic denied by the HTTP-proxy. The log message details
should include the domain. Add any new Microsoft domain to the HTTP-proxy exceptions list, and then
run Windows Update again.
Use a Caching Proxy Server
Because your users can look at the same web sites frequently, a caching proxy server increases the
traffic speed and decreases the traffic volume on the external Internet connections. Although the
HTTP-proxy on the XTM device does not cache content, you can use a caching proxy server with the
HTTP proxy. All XTM device proxy and WebBlocker rules continue to have the same effect.
The XTM device connects to the caching proxy server in the same way a client does. The XTM device
changes the request line from GET / HTTP/1.1 to GET www.mydomain.com / HTTP/1.1 and sends it to the
caching proxy server. The caching proxy server then forwards this request to the web server.
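The request-line rewrite described above, as an added Python example that is not WatchGuard code: it turns a client's origin-form request line into the absolute form a caching proxy expects. The target form http://host/path is the RFC 2616 section 5.1.2 absolute-URI form (the guide prints it abbreviated); the function name and sample requests are constructed, and the check on the Host value is this example's own safeguard.

```python
# Added example, not WatchGuard code: rewrites a client's request line from
# origin form ("GET /path HTTP/1.1") into the absolute form a caching proxy
# expects, which is the rewrite the guide describes the XTM device making
# before it forwards the request. The "http://host/path" target form is from
# RFC 2616 section 5.1.2; the guide prints it in abbreviated form. The
# function name and the sample requests are constructed for this example.


def to_absolute_form(raw_request: bytes) -> bytes:
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request header")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, version = parts
    if target.startswith((b"http://", b"https://")):
        return raw_request              # client already sent absolute form
    if not target.startswith(b"/"):
        raise ValueError("unsupported request target: %r" % target)
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip()
            break
    if not host:
        # HTTP/1.1 requires Host; without it there is no origin to forward to.
        raise ValueError("request has no Host header")
    if any(c in host for c in (b"/", b" ", b"\t", b"?", b"#", b"@")):
        # A Host value containing URL delimiters would let the client reshape
        # the forwarded URL; refuse it rather than build a misleading target.
        raise ValueError("Host header contains URL delimiters: %r" % host)
    lines[0] = b" ".join((method, b"http://" + host + target, version))
    return b"\r\n".join(lines) + sep + body
```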
Use an External Caching Proxy Server
To set up your HTTP-proxy to work with an external caching proxy server:
1. Configure a proxy server, such as Microsoft Proxy Server 2.0.
2. Select Firewall > Proxy Actions.
3. Double-click the HTTP-Client proxy action used by your HTTP-proxy policy.
The Edit page appears.
4. Select the Use Web Cache Server tab.
The Use Web Cache Server page appears.
5. Select the Use external caching proxy server for HTTP traffic check box.
6. In the IP Address and Port text boxes, type the IP address and port for the external caching
proxy server.
7. To change settings for another category in this proxy, see the topic for that category.
8. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
Use an Internal Caching Proxy Server
You can also use an internal caching proxy server with your XTM device.
To use an internal caching proxy server:
1. Configure the HTTP-proxy action with the same settings as for an external proxy server.
2. In the same HTTP-proxy policy, allow all traffic from the users on your network whose web
requests you want to route through the caching proxy server.
3. Add an HTTP packet filter policy to your configuration.
4. Configure the HTTP packet filter policy to allow traffic from the IP address of your caching
proxy server to the Internet.
5. If necessary, manually move this policy up in your policy list so that it has a higher precedence
than your HTTP-proxy policy.
About the HTTPS-Proxy
HTTPS (Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a
request/response protocol between clients and servers used for secure communications and
transactions. You can use the HTTPS-proxy to secure a web server protected by your XTM device, or
to examine HTTPS traffic requested by clients on your network. By default, when an HTTPS client
starts a request, it establishes a TCP (Transmission Control Protocol) connection on port 443. Most
HTTPS servers listen for requests on port 443.
HTTPS is more secure than HTTP because HTTPS uses a digital certificate to encrypt and decrypt
user page requests as well as the pages that are returned by the web server. Because HTTPS traffic is
encrypted, the XTM device must decrypt it before it can be examined. After it examines the content,
the XTM device encrypts the traffic with a certificate and sends it to the intended destination.
You can export the default certificate created by the XTM device for this feature, or import a certificate
for the XTM device to use instead. If you use the HTTPS-proxy to examine web traffic requested by
users on your network, we recommend that you export the default certificate and distribute it to each
user so that they do not receive browser warnings about untrusted certificates. If you use the HTTPS-proxy to secure a web server that accepts requests from an external network, we recommend that you
import the existing web server certificate for the same reason.
When an HTTPS client or server uses a port other than port 443 in your organization, you can use the
TCP/UDP proxy to relay the traffic to the HTTPS-proxy. For information on the TCP/UDP proxy, see
About the TCP-UDP-Proxy on page 694.
To add the HTTPS-proxy to your XTM device configuration, see Add a Proxy Policy to Your
Configuration on page 540.
If you must change the proxy definition, from the Firewall Policies / Edit page, you can modify the
definition. This page is separated into several tabs: Settings, Application Control, Traffic
Management, Proxy Action, Scheduling, and Advanced.
Settings Tab
On the Settings tab, you can set basic information about a proxy policy, such as whether it allows or
denies traffic, create access rules for a policy, or configure policy-based routing, static NAT, or server
load balancing. The Settings tab also shows the port and protocol for the policy, as well as an optional
description of the policy. You can use the settings on this tab to set logging, notification, automatic
blocking, and timeout preferences.
- Connections are — Specify whether connections are Allowed, Denied, or Denied (send reset) and define who appears in the From and To list (on the Policy tab of the proxy definition). See Set Access Rules for a Policy on page 529.
- Use policy-based routing — See Configure Policy-Based Routing on page 531.
- You can also configure static NAT or configure server load balancing. See Configure Static NAT on page 233 and Configure Server Load Balancing on page 237.
- To define the logging settings for the policy, configure the settings in the Logging section. For more information, see Set Logging and Notification Preferences on page 748.
- If you set the Connections are drop-down list to Denied or Denied (send reset), you can block sites that try to use HTTPS. For more information, see Block Sites Temporarily with Policy Settings on page 732.
- To change the idle timeout that is set by the XTM device or authentication server, see Set a Custom Idle Timeout.
Application Control Tab
If Application Control is enabled on your device, you can set the action this proxy uses for Application
Control.
1. Select the Application Control tab.
2. From the Application Control Action drop-down list, select an application control action to
use for this policy, or create a new action.
3. Click Save.
For more information, see Enable Application Control in a Policy.
Traffic Management Tab
On the Traffic Management tab, you can select the Traffic Management action for the policy. You can
also create a new Traffic Management action. For more information about Traffic Management actions,
see Define a Traffic Management Action and Add a Traffic Management Action to a Policy on page
710.
To apply a Traffic Management action in a policy:
1. Select the Traffic Management tab.
2. From the Traffic Management Action drop-down list, select a Traffic Management action.
Or, to create a new Traffic Management action, select Create new and configure the settings
as described in the topic Define a Traffic Management Action on page 709.
3. Click Save.
Proxy Action Tab
You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For
more information about how to configure proxy actions, see About Proxy Actions on page 543.
To configure the proxy action:
1. Select the Proxy Action tab.
2. From the Proxy Action drop-down list, select the proxy action to use for this policy.
For information about proxy actions, see About Proxy Actions on page 543.
3. Click Save.
For the HTTPS-proxy, you can configure these categories of settings for a proxy action:
- HTTPS-Proxy: General Settings
- HTTPS-Proxy: Content Inspection
- HTTPS-Proxy: Certificate Names
- HTTPS-Proxy: Proxy Alarm
Scheduling Tab
On the Scheduling tab, you can specify an operating schedule for the policy. You can select an
existing schedule or create a new schedule.
1. Select the Scheduling tab.
2. From the Schedule Action drop-down list, select a schedule.
Or, to create a new schedule, select Create New and configure the settings as described in the
topics Create Schedules for XTM Device Actions and Set an Operating Schedule on page 523.
3. Click Save.
Advanced Tab
The Advanced tab includes settings for NAT, QoS, multi-WAN, and ICMP options.
To edit or add a comment to this proxy policy configuration, type the comment in the Comment text
box.
For more information on the options for this tab, see:
- Apply NAT Rules on page 536
- Set the Sticky Connection Duration for a Policy on page 536
- Set ICMP Error Handling on page 536
- Enable QoS Marking or Prioritization Settings for a Policy on page 707
HTTPS-Proxy: General Settings
On the Edit proxy action page, on the General tab, you can configure basic HTTPS parameters such
as the connection timeout and logging settings.
Connection Timeout
Configure these settings to specify how long the HTTPS-proxy waits for the web client to make
a request from the external web server after it starts a TCP/IP connection, or after an earlier
request for the same connection. If the time period exceeds this setting, the HTTPS-proxy
closes the connection.
To enable this feature, select the Connection timeout check box. In the adjacent text box,
type or select the number of minutes before the proxy times out.
Enable logging for reports
To create a traffic log message for each transaction, select this check box. This option
increases the size of your log file, but this information is very important if your firewall is
attacked. If you do not select this check box, you do not see detailed information about HTTPS-proxy connections in reports.
Override the diagnostic log level for proxy policies that use this proxy action
To specify the diagnostic log level for all proxy policies that use this proxy action, select this
check box. Then, from the Diagnostic log level for this proxy action drop-down list, select a
log level:
- Error
- Warning
- Information
- Debug
The log level you select overrides the diagnostic log level that is configured for all log messages
of this proxy policy type.
For more information about the diagnostic log level, see Set the Diagnostic Log Level on page
744.
HTTPS-Proxy: Content Inspection
You can enable and configure deep inspection of HTTPS content on the HTTPS Proxy Action
Configuration Content Inspection tab.
If your device runs Fireware XTM v11.0–v11.3.x, the Content Inspection settings
for your device do not include the Allow SSLv2 (insecure) option.
Enable deep inspection of HTTPS content
When this check box is selected, the XTM device decrypts HTTPS traffic, encrypts the traffic
again with a new certificate, and then examines the content. The content is examined by the
HTTP-proxy policy that you choose on this page.
If you have other traffic that uses the HTTPS port, such as SSL VPN traffic, we
recommend that you evaluate this option carefully. The HTTPS-proxy attempts to
examine all traffic on TCP port 443 in the same way. To ensure that other traffic
sources operate correctly, we recommend that you add those sources to the Bypass
List. See the subsequent section for more information.
By default, the certificate used to encrypt the traffic is generated automatically by the XTM
device. You can also upload your own certificate to use for this purpose. If you choose to upload
your own certificate, use your own internal CA to sign the certificate. If your users are on your
domain, and you use a certificate signed by your own internal CA, users can connect
successfully. If you use a certificate generated by a public CA, your users receive a warning in
their browsers. Public certificate authorities generate certificates that do not include properties
that allow the XTM device to operate as an intermediate CA.
If the original web site or your web server has a self-signed or invalid certificate, or if the
certificate was signed by a CA the XTM device does not recognize (such as a public third-party
CA), clients are presented with a browser certificate warning. Certificates that cannot be
properly re-signed appear to be issued by Fireware HTTPS-proxy: Unrecognized Certificate or
simply Invalid Certificate.
We recommend that you import the certificate you use, as well as any other certificates
necessary for the client to trust that certificate, on each client device. When a client does not
automatically trust the certificate used for the content inspection feature, the user sees a
warning in the browser, and services like Windows Update do not operate correctly.
Some third-party programs store private copies of necessary certificates and do not use the
operating system certificate store, or transmit other types of data over TCP port 443. These
programs include:
- Communications software, such as AOL Instant Messenger and Google Voice
- Remote desktop and presentation software, such as LiveMeeting and WebEx
- Financial and business software, such as ADP, iVantage, FedEx, and UPS
If these programs do not have a method to import trusted CA certificates, they do not operate
correctly when content inspection is enabled. Contact your software vendor for more
information about certificate use or technical support, or add the IP addresses of computers that
use this software to the Bypass list.
For more information, see Use Certificates for the HTTPS-Proxy, About Certificates on page
793 or Use Certificates for the HTTPS-Proxy on page 814.
Allow SSLv2 (insecure)
SSLv3, SSLv2, and TLSv1 are protocols used for HTTPS connections. SSLv2 is not as secure
as SSLv3 and TLSv1. By default, the HTTPS-proxy only allows connections that negotiate the
SSLv3 and TLSv1 protocols. If your users connect to client or server applications that only
support SSLv2, you can allow the HTTPS-proxy to use the SSLv2 protocol for connections to
these web sites.
To enable this option, select the Allow SSLv2 (insecure) check box. This option is disabled by
default.
Proxy Action
Select an HTTP-proxy policy for the XTM device to use when it inspects decrypted HTTPS
content.
When you enable content inspection, the HTTP proxy action WebBlocker settings override the
HTTPS-proxy WebBlocker settings. If you add IP addresses to the bypass list for content
inspection, traffic from those sites is filtered with the WebBlocker settings from the HTTPS-proxy.
For more information on WebBlocker configuration, see About WebBlocker on page 1125.
Use OCSP to confirm the validity of certificates
Select this check box to have the XTM device automatically check for certificate revocations
with OCSP (Online Certificate Status Protocol). When this feature is enabled, the XTM device
uses information in the certificate to contact an OCSP server that keeps a record of the
certificate status. If the OCSP server responds that the certificate has been revoked, the XTM
device disables the certificate.
If you select this option, there can be a delay of several seconds as the XTM device requests a
response from the OCSP server. The XTM device keeps between 300 and 3000 OCSP
responses in a cache to improve performance for frequently visited web sites. The number of
responses stored in the cache is determined by your XTM device model.
If a certificate cannot be validated, the certificate is invalid
When this option is selected and an OCSP responder does not send a response to a revocation
status request, the XTM device considers the original certificate as invalid or revoked. This
option can cause certificates to be considered invalid if there is a routing error or a problem with
your network connection.
Bypass list
The XTM device does not inspect content sent to or from IP addresses on this list. To add a
web site or hostname, type the IP address in the text box and click Add.
HTTPS-Proxy: Certificate Names
Certificate names are used to filter content for an entire site. The XTM device allows or denies access
to a site if the domain of an HTTPS certificate matches an entry in this list.
For example, if you want to deny traffic from any site in the example.com domain, add a Certificate
Names rule with the pattern *.example.com and set the If matched action to Deny.
1. On the Edit proxy action page, select the Certificate Names tab.
The Certificate Names panel expands.
2. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
3. To change settings for another category in this proxy, see the topic for that category.
4. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
HTTPS-Proxy: Proxy Alarm
You can configure how the HTTPS-proxy sends messages for alarm events that occur through the
HTTPS-proxy. You can define the proxy to send an SNMP trap, a notification to a network
administrator, or both. The notification can either be an email message to a network administrator or a
pop-up window on the management computer.
1. On the Edit proxy action page, select the Proxy and AV Alarms tab.
The Proxy Alarm settings appear.
2. Configure the notification settings for the HTTPS-proxy action.
For more information, see Set Logging and Notification Preferences on page 748.
3. To change settings for other categories in this proxy, see the topic for the next category you
want to modify.
4. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
About the POP3-Proxy
POP3 (Post Office Protocol v.3) is a protocol that moves email messages from an email server to an
email client on a TCP connection over port 110. Most Internet-based email accounts use POP3. With
POP3, an email client contacts the email server and checks for any new email messages. If it finds a
new message, it downloads the email message to the local email client. After the message is received
by the email client, the connection is closed.
With a POP3-proxy filter you can:
• Adjust timeout and line length limits to make sure the POP3-proxy does not use too many
network resources, and to prevent some types of attacks.
• Customize the deny message that is sent to a user when content or attachments are stripped
from an email sent to that user.
• Filter content embedded in email with MIME types.
• Block specified path patterns and URLs.
To add the POP3-proxy to your XTM device configuration, see Add a Proxy Policy to Your
Configuration on page 540.
If you must change the proxy definition, from the Firewall Policies / Edit page, you can modify the
definition. This page is separated into several tabs: Settings, Application Control, Traffic
Management, Proxy Action, Scheduling, and Advanced.
Settings Tab
On the Settings tab, you can set basic information about a proxy policy, such as whether it allows or
denies traffic, create access rules for a policy, or configure policy-based routing, static NAT, or server
load balancing. The Settings tab also shows the port and protocol for the policy, as well as an optional
description of the policy. You can use the settings on this tab to set logging, notification, automatic
blocking, and timeout preferences.
• Connections are — Specify whether connections are Allowed, Denied, or Denied (send
reset) and define who appears in the From and To list (on the Policy tab of the proxy definition).
See Set Access Rules for a Policy on page 529.
• Use policy-based routing — See Configure Policy-Based Routing on page 531.
• You can also configure static NAT or configure server load balancing. See Configure Static
NAT on page 233 and Configure Server Load Balancing on page 237.
• To define the logging settings for the policy, configure the settings in the Logging section.
For more information, see Set Logging and Notification Preferences on page 748.
• If you set the Connections are drop-down list to Denied or Denied (send reset), you can
block sites that try to use POP3.
For more information, see Block Sites Temporarily with Policy Settings on page 732.
• To change the idle timeout that is set by the XTM device or authentication server, see Set a
Custom Idle Timeout.
Application Control Tab
If Application Control is enabled on your device, you can set the action this proxy uses for Application
Control.
1. Select the Application Control tab.
2. From the Application Control Action drop-down list, select an application control action to
use for this policy, or create a new action.
3. Click Save.
For more information, see Enable Application Control in a Policy.
Traffic Management Tab
On the Traffic Management tab, you can select the Traffic Management action for the policy. You can
also create a new Traffic Management action. For more information about Traffic Management actions,
see Define a Traffic Management Action and Add a Traffic Management Action to a Policy on page
710.
To apply a Traffic Management action in a policy:
1. Select the Traffic Management tab.
2. From the Traffic Management Action drop-down list, select a Traffic Management action.
Or, to create a new Traffic Management action, select Create new and configure the settings
as described in the topic Define a Traffic Management Action on page 709.
3. Click Save.
Proxy Action Tab
You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For
more information about how to configure proxy actions, see About Proxy Actions on page 543.
To configure the proxy action:
1. Select the Proxy Action tab.
2. From the Proxy Action drop-down list, select the proxy action to use for this policy.
For information about proxy actions, see About Proxy Actions on page 543.
3. Click Save.
For the POP3-proxy, you can configure these categories of settings for a proxy action:
• POP3-Proxy: General Settings
• POP3-Proxy: Authentication
• POP3-Proxy: Content Types
• POP3-Proxy: Filenames
• POP3-Proxy: Headers
• POP3-Proxy: Deny Message
• POP3-Proxy: Proxy and AV Alarms
Scheduling Tab
On the Scheduling tab, you can specify an operating schedule for the policy. You can select an
existing schedule or create a new schedule.
1. Select the Scheduling tab.
2. From the Schedule Action drop-down list, select a schedule.
Or, to create a new schedule, select Create New and configure the settings as described in the
topics Create Schedules for XTM Device Actions and Set an Operating Schedule on page 523.
3. Click Save.
Advanced Tab
The Advanced tab includes settings for NAT, QoS, multi-WAN, and ICMP options.
To edit or add a comment to this proxy policy configuration, type the comment in the Comment text
box.
For more information on the options for this tab, see:
• Apply NAT Rules on page 536
• Set the Sticky Connection Duration for a Policy on page 536
• Set ICMP Error Handling on page 536
• Enable QoS Marking or Prioritization Settings for a Policy on page 707
POP3-Proxy: General Settings
On the Edit page for a POP3-proxy action, on the General tab, you can adjust timeout and line length
limits as well as other general parameters for the POP3-proxy.
Set the timeout to
To limit the number of minutes that the email client tries to open a connection to the email server
before the connection is closed, select this check box. In the adjacent text box, type or select
the number of minutes for the timeout value. This makes sure the proxy does not use too many
network resources when the POP3 server is slow or cannot be reached.
Set the maximum email line length to
To prevent some types of buffer overflow attacks, select this check box. In the adjacent text
box, type or select the limit of the line length. Very long line lengths can cause buffer overflows
on some email systems. Most email clients and systems send relatively short lines, but some
web-based email systems send very long lines. However, it is unlikely that you will need to
change this setting unless it prevents access to legitimate mail.
Hide server replies
To replace the POP3 greeting strings in email messages, select this check box. These strings
can be used by hackers to identify the POP3 server vendor and version.
Allow uuencoded attachments
To enable the POP3-proxy to allow uuencoded attachments in email messages, select this
check box. Uuencode is an older program used to send binary files in ASCII text format over the
Internet. UUencoded attachments can be security risks because they appear as ASCII text
files, but can actually contain executable files.
Allow BinHex attachments
To enable the POP3-proxy to allow BinHex attachments in email messages, select this check
box. BinHex, which is short for binary-to-hexadecimal, is a utility that converts a file from binary
format to ASCII text format.
Enable logging for reports
To enable the POP3-proxy to send a log message for each POP3 connection request, select
this check box. To use WatchGuard Reports to create reports of POP3 traffic, you must select
this check box.
Override the diagnostic log level for proxy policies that use this proxy action
To specify the diagnostic log level for all proxy polices that use this proxy action, select this
check box. Then, from the Diagnostic log level for this proxy action drop-down list, select a
log level:
• Error
• Warning
• Information
• Debug
The log level you select overrides the diagnostic log level that is configured for all log messages
of this proxy policy type.
For more information about the diagnostic log level, see Set the Diagnostic Log Level on page
744.
POP3-Proxy: Authentication
A POP3 client must authenticate to a POP3 server before they exchange information. You can set the
types of authentication for the proxy to allow and the action to take for types that do not match the
criteria. You can add, delete, or modify rules.
1. On the Edit proxy action page, select the POP3 Protocol category.
The POP3 authentication rules appear.
2. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
3. To change settings for another category in this proxy, see the topic for that category.
4. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
POP3-Proxy: Content Types
The headers for email messages include a Content Type header to show the MIME type of the email
and of any attachments. The content type or MIME type tells the computer the types of media the
message contains. Certain kinds of content embedded in email can be a security threat to your
network. Other kinds of content can decrease the productivity of your users.
You can enable the POP3-proxy to automatically detect the content type of an email message and any
attachments. If you do not enable this option, the POP3-proxy uses the value stated in the email
header, which clients sometimes set incorrectly. Because hackers often try to disguise executable
files as other content types, we recommend that you enable content type auto detection to make your
installation more secure.
For example, a .pdf file attached to an email might have a content type stated as
application/octet-stream. If you enable content type auto detection, the POP3-proxy recognizes the .pdf file and uses
the actual content type, application/pdf. If the proxy does not recognize the content type after it
examines the content, it uses the value stated in the email header, as it would if content type auto
detection were not enabled.
You can add, delete, or modify rules. You can also set values for content filtering and the action to take
for content types that do not match the criteria. For the POP3-Server proxy action, you set values for
incoming content filtering. For the POP3-Client action, you set values for outgoing content filtering.
When you specify the MIME type, make sure to use the format type/subtype. For example, if you want
to allow JPEG images, you add image/jpg . You can also use the asterisk (*) as a wildcard. To allow
any image format, add image/* to the list.
To specify the content types for automatic detection:
1. On the Edit page for the proxy, select the Proxy Action tab.
2. From the Attachments drop-down list, select Content Types.
The Content Types page appears.
3. To enable the POP3 proxy to examine content and determine the content type, select the
Enable content type auto detection check box.
If you do not select this option, the POP3 proxy uses the value stated in the email header.
4. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
5. To change settings for another category in this proxy, see the topic for that category.
6. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
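As an added illustration, not code from the guide or from Fireware, the following Python mimics the content type decision described above: when auto detection is on, the attachment's leading bytes decide the type and the Content-Type header is only a fallback; the result is then matched against an ordered type/subtype ruleset where either half may be the wildcard *. The signature table, the ruleset and the two sample attachments (a PE executable declared as image/jpeg, a PDF declared as application/octet-stream) are all constructed for this example.

```python
from typing import List, Optional, Tuple

# Constructed magic-byte table (assumption: a small subset chosen for illustration;
# a real proxy recognises far more formats).
MAGIC_SIGNATURES: List[Tuple[bytes, str]] = [
    (b"%PDF-", "application/pdf"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"PK\x03\x04", "application/zip"),
    (b"MZ", "application/x-msdownload"),  # Windows PE executable (DOS stub header)
]

# Constructed Content Types ruleset and default action, in the type/subtype form the
# guide describes; the first matching rule wins, otherwise the default action applies.
RULES: List[Tuple[str, str]] = [
    ("image/*", "allow"),
    ("application/pdf", "allow"),
]
DEFAULT_ACTION = "strip"

# Constructed sample attachments.
REAL_PDF = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
FAKE_IMAGE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff" + b"\x00" * 50


def sniff_content_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None if unrecognised."""
    for magic, mime in MAGIC_SIGNATURES:
        if data.startswith(magic):
            return mime
    return None


def effective_content_type(declared: str, data: bytes, auto_detect: bool) -> str:
    """Choose the type the rules are matched against: the sniffed type when auto
    detection is on and the content is recognised, otherwise the header value."""
    declared = declared.split(";", 1)[0].strip().lower()  # drop parameters such as name=
    if auto_detect:
        sniffed = sniff_content_type(data)
        if sniffed is not None:
            return sniffed
    return declared


def mime_matches(pattern: str, mime: str) -> bool:
    """type/subtype comparison where either half of the pattern may be the wildcard '*'."""
    ptype, _, psub = pattern.partition("/")
    mtype, _, msub = mime.partition("/")
    return ptype in ("*", mtype) and psub in ("*", msub)


def decide(rules, default_action, declared, data, auto_detect=True):
    """Walk the ordered ruleset for one attachment; return (action, effective_mime)."""
    mime = effective_content_type(declared, data, auto_detect)
    for pattern, action in rules:
        if mime_matches(pattern, mime):
            return action, mime
    return default_action, mime


if __name__ == "__main__":
    # With auto detection on, the disguised executable is stripped; with it off, the
    # header value image/jpeg matches image/* and the attachment is allowed through.
    for declared, data in (("application/octet-stream", REAL_PDF), ("image/jpeg", FAKE_IMAGE)):
        for auto in (True, False):
            action, mime = decide(RULES, DEFAULT_ACTION, declared, data, auto)
            print(f"declared={declared!r:<28} auto_detect={auto!s:<5} -> {mime} ({action})")
```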
POP3-Proxy: Filenames
To put limits on file names for incoming email attachments, you can use the Filenames ruleset in a
POP3-Server proxy action. Or, you can use the ruleset for the POP3-Client proxy action to put limits on
file names for outgoing email attachments. You can add, delete, or modify rules.
1. On the Edit page for the proxy, select the Proxy Action tab.
2. From the Attachments drop-down list, select Filenames.
The Filenames page appears.
3. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
4. To change settings for other categories in this proxy, see the topic for the next category you
want to modify.
5. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
POP3-Proxy: Headers
The POP3-proxy examines email headers to find patterns common to forged email messages, as well
as those from legitimate senders. You can add, delete, or modify rules.
1. On the Edit page, select the Headers tab.
The Headers settings appear.
2. Configure the rule action.
For more information, see Add, Change, or Delete Rules.
3. To change settings for another category in this proxy, see the topic for that category.
4. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
POP3-Proxy: Deny Message
When content is denied, the XTM device sends a default deny message that replaces the denied
content. This message appears in a recipient's email message when the proxy blocks an email. You
can change the text of that deny message. The first line of the deny message is a section of the HTTP
header. You must include an empty line between the first line and the body of the message.
The default deny message appears in the Deny Message text box. To change this to a custom
message, use these variables:
%(reason)%
Includes the reason the XTM device denied the content.
%(filename)%
Includes the file name of the denied content.
%(virus)%
Includes the name or status of a virus for Gateway AntiVirus users.
%(action)%
Includes the name of the action taken. For example, lock or strip.
%(recovery)%
Includes whether you can recover the attachment.
To configure the deny message:
1. On the Edit page, select the Deny Messages tab.
The Deny Message category expands.
2. In the Deny Message text box, type a custom plain text message in standard HTML.
3. To change settings for another category in this proxy, see the topic for that category.
4. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
POP3-Proxy: Proxy and AV Alarms
You can configure how the POP3-proxy sends messages for alarm and antivirus events that occur
through the POP3-proxy. You can define the proxy to send an SNMP trap, a notification to a network
administrator, or both. The notification can either be an email message to a network administrator or a
pop-up window on the management computer.
1. On the Edit page, select the Proxy Alarm tab.
The Proxy Alarm settings appear.
2. Configure the notification settings for the POP3-proxy action.
For more information, see Set Logging and Notification Preferences on page 748.
3. To change settings for another category in this proxy, see the topic for that category.
4. Click Save.
If you modified a predefined proxy action, when you save the changes you are prompted to clone
(copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
About the SIP-ALG
If you use Voice-over-IP (VoIP) in your organization, you can add a SIP (Session Initiation Protocol) or
H.323 ALG (Application Layer Gateway) to open the ports necessary to enable VoIP through your XTM
device. An ALG is created in the same way as a proxy policy and offers similar configuration options.
These ALGs have been created to work in a NAT environment to maintain security for privately
addressed conferencing equipment behind the XTM device.
H.323 is commonly used on videoconferencing equipment. SIP is commonly used with IP phones. You
can use both H.323 and SIP-ALGs at the same time, if necessary. To determine which ALG you need
to add, consult the documentation for your VoIP devices or applications.
VoIP Components
It is important to understand that you usually implement VoIP with either:
Peer-to-peer connections
In a peer-to-peer connection, each of the two devices knows the IP address of the other device
and connects to the other directly without the use of a proxy server to route their calls.
Host-based connections
Connections managed by a call management system (PBX). The call management system can
be self-hosted, or hosted by a third-party service provider.
In the SIP standard, two key components of call management are the SIP Registrar and the SIP
Proxy. Together, these components manage connections hosted by the call management system. The
WatchGuard SIP-ALG opens and closes the ports necessary for SIP to operate. The WatchGuard
SIP-ALG supports SIP trunks. It can support both the SIP Registrar and the SIP Proxy when used with a
call management system that is external to the XTM device.
It can be difficult to coordinate the many components of a VoIP installation. We recommend you make
sure that VoIP connections work successfully before you add an H.323 or SIP-ALG. This can help you
to troubleshoot any problems.
Instant Messaging Support
The SIP-ALG supports page-based instant messaging (IM) as part of the default SIP protocol. You do
not have to complete any additional configuration steps to use IM with the SIP-ALG.
ALG Functions
When you use a SIP-ALG, your XTM device:
• Routes traffic for VoIP applications
• Opens the ports necessary to make and receive calls, and to exchange audio and video media
• Makes sure that VoIP connections use standard SIP protocols
• Generates log messages for auditing purposes
• Supports SIP presence through the use of the SIP Publish method. This allows softphone users
to see peer status.
Many VoIP devices and servers use NAT (Network Address Translation) to open and close ports
automatically. The H.323 and SIP-ALGs also perform this function. You must disable NAT on your
VoIP devices if you configure an H.323 or SIP-ALG.
For instructions to add the SIP-ALG to your XTM device configuration, see Add a Proxy Policy to Your
Configuration on page 540.
If you must change the proxy definition, from the Firewall Policies / Edit page, you can modify the
definition. This page is separated into several tabs: Settings, Application Control, Traffic
Management, Proxy Action, Scheduling, and Advanced.
Settings Tab
On the Settings tab, you can set basic information about a proxy policy, such as whether it allows or
denies traffic, create access rules for a policy, or configure policy-based routing, static NAT, or server
load balancing. The Settings tab also shows the port and protocol for the policy, as well as an optional
description of the policy. You can use the settings on this tab to set logging, notification, automatic
blocking, and timeout preferences.
• Connections are — Specify whether connections are Allowed, Denied, or Denied (send
reset) and define who appears in the From and To list (on the Policy tab of the proxy definition).
See Set Access Rules for a Policy on page 529.
• Use policy-based routing — See Configure Policy-Based Routing on page 531.
• You can also configure static NAT or configure server load balancing. See Configure Static
NAT on page 233 and Configure Server Load Balancing on page 237.
• To define the logging settings for the policy, configure the settings in the Logging section.
For more information, see Set Logging and Notification Preferences on page 748.
• If you set the Connections are drop-down list to Denied or Denied (send reset), you can
block sites that try to use POP3.
For more information, see Block Sites Temporarily with Policy Settings on page 732.
• To change the idle timeout that is set by the XTM device or authentication server, see Set a
Custom Idle Timeout.
Application Control Tab
If Application Control is enabled on your device, you can set the action this proxy uses for Application
Control.
1. Select the Application Control tab.
2. From the Application Control Action drop-down list, select an application control action to
use for this policy, or create a new action.
3. Click Save.
For more information, see Enable Application Control in a Policy.
Traffic Management Tab
On the Traffic Management tab, you can select the Traffic Management action for the policy. You can
also create a new Traffic Management action. For more information about Traffic Management actions,
see Define a Traffic Management Action and Add a Traffic Management Action to a Policy on page
710.
To apply a Traffic Management action in a policy:
1. Select the Traffic Management tab.
2. From the Traffic Management Action drop-down list, select a Traffic Management action.
Or, to create a new Traffic Management action, select Create new and configure the settings
as described in the topic Define a Traffic Management Action on page 709.
3. Click Save.
Proxy Action Tab
You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For
more information about how to configure proxy actions, see About Proxy Actions on page 543.
To configure the proxy action:
1. Select the Proxy Action tab.
2. From the Proxy Action drop-down list, select the proxy action to use for this policy.
For information about proxy actions, see About Proxy Actions on page 543.
3. Click Save.
For the SIP-ALG, you can configure these categories of settings for a proxy action:
• SIP-ALG: General Settings
• SIP-ALG: Access Control
• SIP-ALG: Denied Codecs
Scheduling Tab
On the Scheduling tab, you can specify an operating schedule for the policy. You can select an
existing schedule or create a new schedule.
1. Select the Scheduling tab.
2. From the Schedule Action drop-down list, select a schedule.
Or, to create a new schedule, select Create New and configure the settings as described in the
topics Create Schedules for XTM Device Actions and Set an Operating Schedule on page 523.
3. Click Save.
Advanced Tab
The Advanced tab includes settings for NAT, QoS, multi-WAN, and ICMP options.
To edit or add a comment to this proxy policy configuration, type the comment in the Comment text
box.
For more information on the options for this tab, see:
• Apply NAT Rules on page 536
• Set the Sticky Connection Duration for a Policy on page 536
• Set ICMP Error Handling on page 536
• Enable QoS Marking or Prioritization Settings for a Policy on page 707
SIP-ALG: General Settings
In the General settings for the Edit page for a SIP-ALG action, you can set security and performance
options for the SIP-ALG (Application Layer Gateway).
Enable header normalization
To deny malformed or extremely long SIP headers, select this check box. While these headers
often indicate an attack on your XTM device, you can disable this option if necessary for your
VoIP solution to operate correctly.
Enable topology hiding
This feature rewrites SIP and SDP (Session Description Protocol) headers to remove private
network information, such as IP addresses. We recommend that you select this option unless
you have an existing VoIP gateway device that performs topology hiding.
Enable directory harvesting protection
To prevent attackers from stealing user information from VoIP gatekeepers protected by your
XTM device, select this check box. This option is enabled by default.
Set the maximum number of sessions allowed per call
To restrict the maximum number of audio or video sessions that can be created with a single
VoIP call, type or select a value in this text box.
For example, if you set the number of maximum sessions to one and participate in a VoIP call
with both audio and video, the second connection is dropped. The default value is two sessions
and the maximum value is four sessions. The XTM device sends a log message when it denies
a media session above this number.
User agent information
To identify outgoing SIP traffic as a client you specify, type a new user agent string in the
Rewrite user agent as text box.
To remove the false user agent, clear the text box.
Idle media channels
When no data is sent for a specified amount of time on a VoIP audio, video, or data channel,
your XTM device closes that network connection. The default value is 180 seconds (three
minutes) and the maximum value is 600 seconds (ten minutes).
To specify a different time interval, type or select the time in seconds in the Idle media
channels text box.
Registration expires after
Specify the elapsed time interval before the SIP-ALG rewrites the SIP registration value that
VoIP phones and PBX systems use to update their registration. The default value is 180
seconds (three minutes) and the maximum value is 600 seconds (ten minutes).
To specify a different time interval, type or select the time in seconds in the Registration
expires after text box.
Enable logging for reports
To send a log message for each connection request managed by the SIP-ALG, select this
check box. To create accurate reports on SIP traffic, you must select this check box.
Override the diagnostic log level for proxy policies that use this proxy action
To specify the diagnostic log level for all proxy polices that use this proxy action, select this
check box. Then, from the Diagnostic log level for this proxy action drop-down list, select a
log level:
• Error
• Warning
• Information
• Debug
The log level you select overrides the diagnostic log level that is configured for all log messages
of this proxy policy type.
For more information about the diagnostic log level, see Set the Diagnostic Log Level on page
744.
SIP-ALG: Access Control
On the Edit page for a SIP-ALG action, in the Access Control settings, you can create a list of users
who are allowed to send VoIP network traffic.
Enable access control for VoIP
To enable the access control feature, select this check box. When enabled, the SIP-ALG allows
or restricts calls based on the options you set.
Default Settings
To allow all VoIP users to start calls by default, select the Start VoIP calls check box.
To allow all VoIP users to receive calls by default, select the Receive VoIP calls check box.
To create a log message for each SIP VoIP connection that is started or received, select the
adjacent Log check box.
Access Levels
To create an exception to the default settings you specified, type the Address of Record (the
address that shows up in the TO and FROM headers of the packet) for the exception. This is
usually a SIP address in the format [email protected], such as [email protected] .
From the Access Level drop-down list, select an access level and click Add.
You can select whether to allow users to Start calls only, Receive calls only, Start and
receive calls, or give them No VoIP access. These settings apply only to SIP VoIP traffic.
To delete an exception, select it in the list and click Remove.
Connections made by users who have an access level exception are logged by default. If you
do not want to log connections made by a user with an access level exception, clear the Log
check box adjacent to the exception.
SIP-ALG: Denied Codecs
You can use the SIP-ALG Denied Codecs feature to specify one or more VoIP voice, video, or data
transmission codecs to deny on your network. When a SIP VoIP connection is opened that uses a
codec specified in this list, your XTM device reads the value from the SIP header in the "a=rtpmap"
field and strips the codec information from the connection negotiation.
The Denied Codecs list is empty by default. We recommend that you add a codec to this list if the
codec:
• Consumes too much bandwidth and causes excessive data usage across trunks or between
network elements
• Presents a security risk
• Is necessary for your VoIP solution to operate correctly
For example, you might choose to deny the G.711 or G.726 codecs because they use more than 32
Kb/sec of bandwidth, or you might choose to deny the Speex codec because it is used by an
unauthorized VoIP application.
For a list of codecs and the name or text pattern associated with each codec, see
http://www.iana.org/assignments/rtp-parameters/rtp-parameters.xml. When you add a codec to the
Denied Codecs list, make sure to specify the value in the Encoding Name column for that codec.
To configure the denied codecs settings for a SIP-ALG:
1. On the Edit page for the SIP-Client proxy action, select the Denied Codecs tab.
The Denied Codecs settings.
2. To add a codec to the list, type the codec name or a unique text pattern in the Denied
Codecs text box.
Do not use wildcard characters or regular expression syntax. Codec patterns are case
sensitive.
3. Click Add.
4. To delete a codec from the list, select the codec and click Remove.
5. To create a log message when your XTM device strips the codec information from SIP traffic
that matches a codec in this list, select the Log each transaction that matches a denied
codec pattern check box.
6. Click Save.
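The following is an added example, not WatchGuard code, of what the Denied Codecs stripping described above does to an SDP offer: every payload type whose a=rtpmap encoding name matches a denied entry (exact, case-sensitive match) is removed from the m= line, and its a=rtpmap and a=fmtp attributes are dropped. The sample SDP, the denied list and the static payload-type table are constructed for this example; the handling of static payload numbers that have no a=rtpmap line is this example's addition, since the page only describes matching on a=rtpmap.

```python
"""Added example (not WatchGuard code): strip denied codecs out of the SDP offer
carried by a SIP INVITE, as the Denied Codecs feature is described. The sample
SDP, the denied set and the static payload-type table are constructed."""
import re

# Static RTP/AVP payload types (RFC 3551) that endpoints may list on the m= line
# without an a=rtpmap line. The page only describes matching on a=rtpmap, so
# handling these is this example's addition; verify the device's behaviour in a capture.
STATIC_PAYLOAD_TYPES = {"0": "PCMU", "3": "GSM", "4": "G723", "8": "PCMA",
                        "9": "G722", "18": "G729"}

RTPMAP = re.compile(r"^a=rtpmap:(\d+) ([^/]+)/")
PT_ATTR = re.compile(r"^a=(?:rtpmap|fmtp):(\d+) ")


def _sections(lines):
    """Split SDP into session-level lines and one list per m= section, because
    payload numbers are scoped to their media section."""
    head, media = [], []
    for line in lines:
        if line.startswith("m="):
            media.append([line])
        elif media:
            media[-1].append(line)
        else:
            head.append(line)
    return head, media


def _denied_payload_types(section, denied):
    """Map payload type -> encoding name for every denied codec in one m= section.
    The match is exact and case sensitive, like the Denied Codecs list."""
    found = {}
    for pt in section[0].split()[3:]:
        if STATIC_PAYLOAD_TYPES.get(pt) in denied:
            found[pt] = STATIC_PAYLOAD_TYPES[pt]
    for line in section[1:]:
        m = RTPMAP.match(line)
        if m and m.group(2) in denied:
            found[m.group(1)] = m.group(2)
    return found


def strip_denied_codecs(sdp, denied):
    """Return (rewritten_sdp, stripped_codec_names). Denied payload types are removed
    from each m= line and their a=rtpmap/a=fmtp lines are dropped. If nothing is
    left on an m= line the port is set to 0, which is how SDP marks a rejected
    stream (RFC 3264)."""
    sep = "\r\n" if "\r\n" in sdp else "\n"
    head, media = _sections(sdp.split(sep))
    out, stripped = list(head), set()
    for section in media:
        bad = _denied_payload_types(section, denied)
        stripped.update(bad.values())
        mline = section[0].split()
        kept = [pt for pt in mline[3:] if pt not in bad]
        if kept:
            out.append(" ".join(mline[:3] + kept))
        else:
            out.append(" ".join([mline[0], "0"] + mline[2:]))
        for line in section[1:]:
            m = PT_ATTR.match(line)
            if m and m.group(1) in bad:
                continue
            out.append(line)
    return sep.join(out), sorted(stripped)


# Constructed SDP offer: G.711 (static 0/8), Speex (dynamic 97) and DTMF events.
SAMPLE_SDP = "\r\n".join([
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 198.51.100.10",
    "s=-",
    "c=IN IP4 198.51.100.10",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0 8 97 101",
    "a=rtpmap:0 PCMU/8000",
    "a=rtpmap:8 PCMA/8000",
    "a=rtpmap:97 speex/8000",
    "a=fmtp:97 mode=any",
    "a=rtpmap:101 telephone-event/8000",
    "a=fmtp:101 0-16",
])

if __name__ == "__main__":
    new_sdp, removed = strip_denied_codecs(SAMPLE_SDP, {"speex"})
    print(removed)
    print(new_sdp)
```

Two points the example makes visible. First, the case-sensitive match: the page's prose calls the codec "Speex", but the IANA encoding name that appears in a=rtpmap is "speex", so entering "Speex" in the Denied Codecs list matches nothing, which is why the procedure tells you to copy the Encoding Name column exactly. Second, G.711 is usually offered by its static payload numbers 0 and 8, often without any a=rtpmap line at all; before relying on a PCMU or PCMA entry, confirm in a packet capture that the device strips those offers.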
About the SMTP-Proxy
SMTP (Simple Mail Transfer Protocol) is a protocol used to send email messages between email
servers and also between email clients and email servers. It usually uses a TCP connection on port
25. You can use the SMTP-proxy to control email messages and email content. The proxy scans
SMTP messages for a number of filtered parameters and compares them against the rules in the proxy
configuration.
With an SMTP-proxy filter you can:
• Adjust the timeout, maximum email size, and line length limit to make sure the SMTP-proxy does
not use too many network resources, and to prevent some types of attacks.
• Customize the deny message that users see when an email they try to receive is blocked.
• Filter content embedded in email with MIME types and name patterns.
• Limit the email addresses that email can be addressed to and automatically block email from
specific senders.
To add the SMTP-proxy to your XTM device configuration, see Add a Proxy Policy to Your
Configuration on page 540.
You can also configure subscription service settings for the SMTP-proxy. For more information, see:
• Configure spamBlocker
• Configure the Gateway AntiVirus Service
If you must change the proxy definition, you can modify the definition from the Firewall Policies /
Edit page. This page is separated into several tabs: Settings, Application Control, Traffic
Management, Proxy Action, Scheduling, and Advanced.
Settings Tab
On the Settings tab, you can set basic information about a proxy policy, such as whether it allows or
denies traffic, create access rules for a policy, or configure policy-based routing, static NAT, or server
load balancing. The Settings tab also shows the port and protocol for the policy, as well as an optional
description of the policy. You can use the settings on this tab to set logging, notification, automatic
blocking, and timeout preferences.
• Connections are — Specify whether connections are Allowed, Denied, or Denied (send
reset) and define who appears in the From and To list (on the Settings tab of the policy).
See Set Access Rules for a Policy on page 529.
• Use policy-based routing — See Configure Policy-Based Routing on page 531.
• You can also configure static NAT or configure server load balancing. See Configure Static
NAT on page 233 and Configure Server Load Balancing on page 237.
• To define the logging settings for the policy, configure the settings in the Logging section.
For more information, see Set Logging and Notification Preferences on page 748.
• If you set the Connections are drop-down list to Denied or Denied (send reset), you can
automatically block sites that try to use SMTP.
For more information, see Block Sites Temporarily with Policy Settings on page 732.
• To change the idle timeout that is set by the XTM device or authentication server, see Set a
Custom Idle Timeout.
Application Control Tab
If Application Control is enabled on your device, you can set the action this proxy uses for Application
Control.
1. Select the Application Control tab.
2. From the Application Control Action drop-down list, select an application control action to
use for this policy, or create a new action.
3. Click Save.
For more information, see Enable Application Control in a Policy.
Traffic Management Tab
On the Traffic Management tab, you can select the Traffic Management action for the policy. You can
also create a new Traffic Management action. For more information about Traffic Management actions,
see Define a Traffic Management Action and Add a Traffic Management Action to a Policy on page
710.
To apply a Traffic Management action in a policy:
1. Select the Traffic Management tab.
2. From the Traffic Management Action drop-down list, select a Traffic Management action.
Or, to create a new Traffic Management action, select Create new and configure the settings
as described in the topic Define a Traffic Management Action on page 709.
3. Click Save.
Proxy Action Tab
You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For
more information about how to configure proxy actions, see About Proxy Actions on page 543.
To configure the proxy action:
1. Select the Proxy Action tab.
2. From the Proxy Action drop-down list, select the proxy action to use for this policy.
For information about proxy actions, see About Proxy Actions on page 543.
3. Click Save.
For the SMTP-proxy, you can configure these categories of settings for a proxy action:
• SMTP-Proxy: General Settings
• SMTP-Proxy: Greeting Rules
• SMTP-Proxy: TLS Encryption
• SMTP-Proxy: ESMTP Settings
• SMTP-Proxy: Authentication
• SMTP-Proxy: Content Types
• SMTP-Proxy: Filenames
• SMTP-Proxy: Mail From/Rcpt To
• SMTP-Proxy: Headers
• SMTP-Proxy: Deny Message
• SMTP-Proxy: Data Loss Prevention
• SMTP-Proxy: Proxy and AV Alarms
Scheduling Tab
On the Scheduling tab, you can specify an operating schedule for the policy. You can select an
existing schedule or create a new schedule.
1. Select the Scheduling tab.
2. From the Schedule Action drop-down list, select a schedule.
Or, to create a new schedule, select Create New and configure the settings as described in the
topics Create Schedules for XTM Device Actions and Set an Operating Schedule on page 523.
3. Click Save.
Advanced Tab
The Advanced tab includes settings for NAT, QoS, multi-WAN, and ICMP options.
To edit or add a comment to this proxy policy configuration, type the comment in the Comment text
box.
For more information on the options for this tab, see:
• Apply NAT Rules on page 536
• Set the Sticky Connection Duration for a Policy on page 536
• Set ICMP Error Handling on page 536
• Enable QoS Marking or Prioritization Settings for a Policy on page 707
SMTP-Proxy: General Settings
In the General section of the Edit page for an SMTP proxy action, you can set basic SMTP-proxy
parameters such as idle timeout, message limits, and email message information.
Idle timeout
You can set the length of time an incoming SMTP connection can be idle before the connection
times out. The default value is 10 minutes.
Set the maximum email recipients
To set the maximum number of email recipients to which a message can be sent, select this
check box. In the adjacent text box that appears, type or select the number of recipients.
The XTM device counts and allows the specified number of addresses through, and then drops
the other addresses. For example, if you set the value to 50 and there is a message for 52
addresses, the first 50 addresses get the email message. The last two addresses do not get a
copy of the message. The XTM device counts a distribution list as one SMTP email address (for
example, [email protected]). You can use this feature to decrease spam email because
spam usually includes a large recipient list. When you enable this option, make sure you do not
also deny legitimate email.
Set the maximum address length to
To set the maximum length of email addresses, select this check box. In the adjacent text box
that appears, type or select the maximum length for an email address in bytes.
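The following is an added example, not WatchGuard code, showing the recipient cap and address-length limit described above, together with the email size cap that the General Settings also provide, enforced on an SMTP session: the first N RCPT TO commands are accepted, every further one is refused, and an over-long address or an over-size message body is rejected with a reply the client can act on. The reply codes, the constructed transcript and the limit values are this example's own choices; the page does not say which replies the device sends.

```python
"""Added example (not WatchGuard code): enforce the recipient count, address length
and message size limits from the SMTP-proxy General Settings on an SMTP session,
returning the reply the proxy would send for each client command. The reply
codes, the constructed transcript and the limit values are this example's choices."""
import re

PATH = re.compile(r"^(?:MAIL FROM|RCPT TO):\s*<([^>]*)>", re.IGNORECASE)


class SmtpLimitFilter:
    def __init__(self, max_recipients=50, max_address_len=None, max_size_kb=None):
        self.max_recipients = max_recipients
        self.max_address_len = max_address_len          # bytes, as in the UI
        self.max_size = max_size_kb * 1024 if max_size_kb else None
        self.accepted = []      # recipients passed through to the server
        self.dropped = []       # recipients beyond the cap
        self.in_data = False
        self.data_bytes = 0

    def reply(self, line):
        """Return the SMTP reply for one client line, or None while inside DATA."""
        if self.in_data:
            self.data_bytes += len(line.encode()) + 2     # line plus CRLF
            if line != ".":
                return None
            self.in_data = False
            if self.max_size is not None and self.data_bytes > self.max_size:
                return "552 5.3.4 Message size exceeds maximum"
            return "250 2.0.0 OK"
        upper = line.upper()
        if upper.startswith("RCPT TO:"):
            m = PATH.match(line)
            if not m:
                return "501 5.1.3 Bad recipient address syntax"
            addr = m.group(1)
            if self.max_address_len is not None and len(addr.encode()) > self.max_address_len:
                return "501 5.1.3 Recipient address too long"
            # A distribution list is one address: the cap counts RCPT TO commands,
            # not the people behind them.
            if len(self.accepted) >= self.max_recipients:
                self.dropped.append(addr)
                return "452 4.5.3 Too many recipients"
            self.accepted.append(addr)
            return "250 2.1.5 OK"
        if upper.startswith("MAIL FROM:"):
            if not PATH.match(line):
                return "501 5.1.7 Bad sender address syntax"
            return "250 2.1.0 OK"
        if upper == "DATA":
            if not self.accepted:
                return "554 5.5.1 No valid recipients"
            self.in_data, self.data_bytes = True, 0
            return "354 End data with <CR><LF>.<CR><LF>"
        if upper.startswith(("EHLO ", "HELO ")):
            return "250 proxy.example.net"
        if upper == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Command unrecognized"


def run_session(commands, **limits):
    """Feed a list of client lines through the filter; return (filter, replies)."""
    f = SmtpLimitFilter(**limits)
    replies = [r for r in (f.reply(c) for c in commands) if r is not None]
    return f, replies


def constructed_session(n_recipients=52, body_lines=("Subject: test", "", "hello")):
    """A constructed transcript: one sender, n recipients, a short body."""
    cmds = ["EHLO client.example.org", "MAIL FROM:<sender@example.org>"]
    cmds += [f"RCPT TO:<user{i}@example.com>" for i in range(n_recipients)]
    cmds += ["DATA", *body_lines, ".", "QUIT"]
    return cmds


if __name__ == "__main__":
    f, replies = run_session(constructed_session(), max_recipients=50)
    print(len(f.accepted), "accepted;", len(f.dropped), "dropped:", f.dropped)
    for r in replies[-5:]:
        print(r)
```

The caveat the page hints at ("make sure you do not also deny legitimate email") has a protocol side: this example answers the 51st and 52nd RCPT TO with a 452 temporary failure, and RFC 5321 expects a client that receives 452 to send the message to the recipients already accepted and retry the remaining ones in a later session. Whether those last addresses ever get a copy therefore depends on the sending MTA, so test the limit against the mail servers you actually relay for rather than assuming the excess is simply dropped.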
Set the maximum email size to
To set the maximum length of an incoming SMTP message, select this check box. In the
adjacent text box that appears, type or select the maximum size for each email in kilobytes.
Most email is sent as 7-bit ASCII text. The exceptions are Binary MIME and 8-bit MIME. 8-bit
MIME content (for example, MIME attachments) is encoded with standard algorithms (Base64
or quoted-printable encoding) to enable them to be sent throu