WatchGuard XCS v9.0 User Guide



WatchGuard ® XCS

Extensible Content Security v9.0 User Guide

WatchGuard XCS

170, 370, 570, 770, 970, 1170

Notice to Users

Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

Document version: 1.1

Guide revision: 3/23/10

Copyright, Trademark, and Patent Information

Copyright © 2010 WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade names mentioned herein, if any, are the property of their respective owners.

Complete copyright, trademark, patent, and licensing information can be found in the Copyright and Licensing Guide, available online: http://www.watchguard.com/help/documentation/

This product is for indoor use only.

ABOUT WATCHGUARD

WatchGuard offers affordable, all-in-one network and content security solutions that provide defense-in-depth and help meet regulatory compliance requirements. The WatchGuard XTM line combines firewall, VPN, GAV, IPS, spam blocking and URL filtering to protect your network from spam, viruses, malware, and intrusions. The new XCS line offers email and web content security combined with data loss prevention.

WatchGuard extensible solutions scale to offer right-sized security ranging from small businesses to enterprises with 10,000+ employees. WatchGuard builds simple, reliable, and robust security appliances featuring fast implementation and comprehensive management and reporting tools. Enterprises throughout the world rely on our signature red boxes to maximize security without sacrificing efficiency and productivity.

For more information, please call 206.613.6600 or visit www.watchguard.com.

ADDRESS

505 Fifth Avenue South

Suite 500

Seattle, WA 98104

SUPPORT

www.watchguard.com/support

U.S. and Canada +877.232.3531

All Other Countries +1.206.521.3575

SALES

U.S. and Canada +1.800.734.9905

All Other Countries +1.206.613.0895

ii WatchGuard XCS

Table of Contents

Chapter 1 About the WatchGuard XCS ..................................................................................................... 1

WatchGuard XCS Overview................................................................................................................................ 1

Firewall-level network and system security ............................................................................................ 1

Message delivery security.............................................................................................................................. 1

Web security ....................................................................................................................................................... 2

Content controls ............................................................................................................................................... 2

Virus and spyware scanning ......................................................................................................................... 2

Outbreak control............................................................................................................................................... 2

Malformed message protection .................................................................................................................. 2

Intercept Anti-Spam......................................................................................................................................... 3

ReputationAuthority........................................................................................................................................ 3

Image spam analysis........................................................................................................................................ 4

Threat prevention ............................................................................................................................................. 4

Trusted and blocked senders list................................................................................................................. 4

Spam quarantine............................................................................................................................................... 4

Secure WebMail................................................................................................................................................. 4

Integrated and external message encryption ........................................................................................ 5

Mail delivery encryption................................................................................................................................. 5

Policy controls.................................................................................................................................................... 5

System management ...................................................................................................................................... 6

Clustering............................................................................................................................................................. 6

Reporting ............................................................................................................................................................ 7

Security Connection......................................................................................................................................... 7

Internationalization.......................................................................................................................................... 7

WatchGuard XCS on the DMZ of a network firewall ............................................................................ 8

WatchGuard XCS on the internal network............................................................................................... 9

Network firewall configuration ............................................................................................................. 10

DNS configuration for mail routing..................................................................................................... 11

Outbound mail routing............................................................................................................................ 11

Trusted messages ...................................................................................................................................... 12

Inbound and outbound scanning........................................................................................................ 12

SMTP connection ....................................................................................................................................... 12

Virus and spyware checking................................................................................................................... 13

Malformed message checking .............................................................................................................. 13

Attachment size limits.............................................................................................................................. 13

Attachment control................................................................................................................................... 13


Outbreak control ........................................................................................................................................ 13

OCF (Objectionable Content Filter)..................................................................................................... 13

Pattern Filters and Specific Access Patterns..................................................................................... 14

Trusted and Blocked Senders List ........................................................................................................ 14

Content Scanning ...................................................................................................................................... 14

Document Fingerprinting....................................................................................................................... 14

Content Rules .............................................................................................................................................. 14

Encryption .................................................................................................................................................... 14

Anti-Spam processing .............................................................................................................................. 14

Mail mappings............................................................................................................................................. 14

Virtual mappings........................................................................................................................................ 14

Relocated Users .......................................................................................................................................... 15

Mail Aliases ................................................................................................................................................... 15

Mail routing.................................................................................................................................................. 15

Message delivery........................................................................................................................................ 15

Message Processing Order Summary ...................................................................................................... 15

SMTP Connection Checks ....................................................................................................................... 15

Message Checks.......................................................................................................................................... 16

Intercept Anti-Spam processing........................................................................................................... 16

Chapter 2 System Administration ........................................................................................................... 19

Connect to the WatchGuard XCS................................................................................................................... 19

Navigate the Main Menu................................................................................................................................... 20

Activity ................................................................................................................................................................ 20

Security ............................................................................................................................................................... 21

Configuration ................................................................................................................................................... 22

Administration ................................................................................................................................................. 23

Support............................................................................................................................................................... 24

Console activity screen ................................................................................................................................. 25

Admin Menu ................................................................................................................................................ 25

Repair Menu................................................................................................................................................. 26

Misc Menu..................................................................................................................................................... 26

Configure the Admin User................................................................................................................................ 27

Add additional administrative users ........................................................................................................ 28

Admin automatic logout.............................................................................................................................. 30

Admin login lockout ...................................................................................................................................... 30

External Proxy Server.......................................................................................................................................... 32

Feature Display..................................................................................................................................................... 34

Chapter 3 Mail Delivery Settings ............................................................................................................. 35

Network Configuration...................................................................................................................................... 35

Network interface configuration............................................................................................................... 37

Advanced parameters ................................................................................................................................... 38

Transparent mode and bridging ............................................................................................................... 39

Support Access ................................................................................................................................................ 40

Network Routing of Virtual Interfaces ..................................................................................................... 41

Virtual interfaces and trusts ........................................................................................................................ 42

Subdomain routing via MX lookup .......................................................................................................... 44

Subdomain routing and DNS caching .................................................................................................... 44

LDAP routing .................................................................................................................................................... 44

Add rules for relays......................................................................................................................................... 45

Delivery settings.............................................................................................................................................. 46

Gateway features ....................................................................................................................................... 47

Default mail relay ....................................................................................................................................... 47


Failback mail relay...................................................................................................................................... 47

BCC (Blind carbon copy) all mail........................................................................................................... 48

Annotations and delivery warnings .................................................................................................... 48

Advanced mail delivery options................................................................................................................ 51

Advanced SMTP settings......................................................................................................................... 51

SMTP notification ....................................................................................................................................... 52

Received header ......................................................................................................................................... 52

Mail Aliases............................................................................................................................................................. 53

Uploading Alias Lists...................................................................................................................................... 53

LDAP aliases ...................................................................................................................................................... 53

Mail Mappings ...................................................................................................................................................... 54

Mail mapping as access control................................................................................................................. 55

LDAP virtual mappings ................................................................................................................................. 57

Configure message archiving..................................................................................................................... 63

Configure content control filters for archiving .................................................................................... 64

Configure pattern filters for use with archiving.............................................................................. 64

Configure OCF for archiving .................................................................................................................. 64

Customizing archive headers using policies.................................................................................... 65

Chapter 4 LDAP Configuration ................................................................................................................ 67

LDAP Overview..................................................................................................................................................... 67

Naming conventions ..................................................................................................................................... 67

LDAP schema.................................................................................................................................................... 68

LDAP components.......................................................................................................................................... 68

Clients............................................................................................................................................................. 68

Protocol ......................................................................................................................................................... 69

Operations .................................................................................................................................................... 69

Client session operations ........................................................................................................................ 69

Query operations ....................................................................................................................................... 69

Modification operations .......................................................................................................................... 70

Extended operations ................................................................................................................................ 70

Security .......................................................................................................................................................... 70

Directory Servers.................................................................................................................................................. 71

Testing LDAP servers ..................................................................................................................................... 72

Searching the LDAP tree.......................................................................................................................... 73

Import settings................................................................................................................................................. 77

Mirror LDAP accounts as local users ........................................................................................................ 78

Testing directory users.................................................................................................................................. 78

Cannot contact the LDAP server ............................................................................................................... 88

LDAP user and group imports are failing ............................................................................................... 88

Mirror accounts are not created ................................................................................................................ 88

LDAP authentication failures ...................................................................................................................... 89

Chapter 5 Message Security ..................................................................................................................... 91

SMTP Mail Access................................................................................................................................................. 91

Anti-Virus ................................................................................................................................................................ 95

Updating pattern files ................................................................................................................................... 97

Spyware Detection.............................................................................................................................................. 98

Configuring spyware detection in a policy....................................................................................... 99

How message encryption works ............................................................................................................ 105

Encryption configuration on the WatchGuard XCS......................................................................... 106

About Token files ......................................................................................................................................... 107

Encryption with Pattern Filters ............................................................................................................... 108

Encryption with the Objectionable Content Filter (OCF) .............................................................. 108


Manage accounts.................................................................................................................................... 110

Managing images ................................................................................................................................... 111

Managing users ....................................................................................................................................... 111

Generate message activity reports ................................................................................................... 112

Manage secure messages .................................................................................................................... 112

Read encrypted messages ................................................................................................................... 113

Track encrypted messages .................................................................................................................. 114

External Email Message Encryption ........................................................................................................... 115

Configure the encryption server ............................................................................................................ 115

Define mail routes for encryption and decryption .......................................................................... 116

Enable encryption and decryption on the WatchGuard XCS....................................................... 116

Define filter rules for encryption ............................................................................................................ 117

TLS and message history........................................................................................................................... 120

Chapter 6 Content Control ..................................................................................................................... 123

Attachment Control......................................................................................................................................... 123

Attachment stripping ................................................................................................................................. 123

Attachment stripping and DomainKeys signatures ........................................................................ 124

Configuring attachment control ............................................................................................................ 124

Editing attachment types.......................................................................................................................... 125

Attachment size limits................................................................................................................................ 126

Attachment size reports ....................................................................................................................... 127

Unopenable attachments ......................................................................................................................... 128

Configuring content scanning ................................................................................................................ 128

Using pattern filters for content scanning.......................................................................................... 129

Using a policy compliance dictionary for content scanning........................................................ 129

Uploading training documents .............................................................................................................. 133

Configuring Document Fingerprinting................................................................................................ 135

Document Fingerprinting and policies................................................................................................ 136

Reports............................................................................................................................................................. 136

Message history............................................................................................................................................ 136

Email message structure ........................................................................................................................... 137

Message envelope .................................................................................................................................. 138

Message header....................................................................................................................................... 138

Message body .......................................................................................................................................... 138

Message attachment ............................................................................................................................. 138

Credit card pattern filters .......................................................................................................................... 139

Configuring pattern filters........................................................................................................................ 140

Pattern filter preferences .......................................................................................................................... 144

Rerouting mail using pattern filters ...................................................................................................... 145

Configuring content rules......................................................................................................................... 146

Rule ordering ................................................................................................................................................. 149

Downloading and uploading content rules....................................................................................... 149

Reporting ........................................................................................................................................................ 151

Message history............................................................................................................................................ 151

Connection rules .......................................................................................................................................... 152

Rule ordering ............................................................................................................................................ 154

Reporting ................................................................................................................................................... 154

Character set support................................................................................................................................. 155

Adding a dictionary..................................................................................................................................... 157

Financial and medical dictionaries ........................................................................................................ 158

Weighted dictionaries ................................................................................................................................ 159

Negative dictionary weights ............................................................................................................... 160


Using weighted dictionaries .................................................................................................................... 160

Chapter 7 Intercept Anti-Spam .............................................................................................................. 163

Intercept Anti-Spam Overview .................................................................................................................... 163

Trusted and Untrusted Mail Sources ......................................................................................................... 164

Trusted subnet .............................................................................................................................................. 165

Trusting via specific access patterns..................................................................................................... 165

Intercept connection control aggressiveness ................................................................................... 166

Intercept Anti-Spam aggressiveness .................................................................................................... 167

Intercept Anti-Virus aggressiveness...................................................................................................... 167

Intercept Connection Control ...................................................................................................................... 168

ReputationAuthority, DNSBL, and Backscatter rejects ................................................................... 169

Intercept actions .......................................................................................................................................... 170

Anti-Spam header........................................................................................................................................ 171

ReputationAuthority/DNSBL/UBL timeout setting.......................................................................... 172

Adding a spam words dictionary ........................................................................................................... 175

Mail Anomalies .................................................................................................................................................. 176

DNSBL servers ............................................................................................................................................... 180

Timeout mode............................................................................................................................................... 180

Timeout mode............................................................................................................................................... 182

UBL whitelist .................................................................................................................................................. 182

ReputationAuthority........................................................................................................................................ 183

Domain and sender reputation .............................................................................................................. 183

ReputationAuthority statistics sharing ................................................................................................ 184

Trusted clients and known mail servers .............................................................................................. 185

Configuring ReputationAuthority checks........................................................................................... 186

How Token Analysis works ....................................................................................................................... 190

Token Analysis training.............................................................................................................................. 190

Configuring Token Analysis ..................................................................................................................... 191

Database and Training .......................................................................................................................... 191

Token Analysis advanced options ......................................................................................................... 192

Neutral words ........................................................................................................................................... 192

Token Analysis and languages ........................................................................................................... 192

Japanese, Chinese, and Korean languages.................................................................................... 193

Image analysis .......................................................................................................................................... 193

PDF spam analysis .................................................................................................................................. 193

Diagnostics ................................................................................................................................................ 194

Spam training ........................................................................................................................................... 196

Spam settings........................................................................................................................................... 196

Dictionary spam count.......................................................................................................................... 197

Troubleshooting Token Analysis ....................................................................................................... 197

Anti-Spam header........................................................................................................................................ 199

Configuring Backscatter detection........................................................................................................ 200

Sender Policy Framework (SPF) ................................................................................................................... 201

SPF records..................................................................................................................................................... 201

Configuring SPF............................................................................................................................................ 202

DomainKeys........................................................................................................................................................ 202

Configuring DomainKeys.......................................................................................................................... 203

DomainKeys log messages....................................................................................................................... 203

DomainKeys outbound message signing........................................................................................... 204

DomainKeys DNS record ...................................................................................................................... 206

Recommended strategy ............................................................................................................................ 208

Chapter 8 Web Scanning ........................................................................................................................ 211

User Guide vii

Web Scanning Overview ................................................................................................................................ 211

Web Content Inspection ........................................................................................................................... 211

Web Proxy authentication ........................................................................................................................ 212

Single sign-on IP address-based authentication ......................................................................... 212

Single sign-on IP address and portal authentication notes .................................................... 212

TrafficAccelerator......................................................................................................................................... 212

Web Proxy chaining .................................................................................................................................... 213

Automatic client web proxy configuration ........................................................................................ 213

Web Proxy best practices.......................................................................................................................... 213

Deployment........................................................................................................................................................ 214

Full proxy parallel deployment............................................................................................................... 214

Disadvantages.......................................................................................................................................... 215

Internal network deployment ................................................................................................................. 215

Advantages ............................................................................................................................................... 215

Disadvantages.......................................................................................................................................... 215

Advantages ............................................................................................................................................... 216

Disadvantages.......................................................................................................................................... 216

Transparent Mode ............................................................................................................................................ 219

Disabling the Web Proxy in Transparent Mode ........................................................................... 220

Web Proxy network interface settings ................................................................................................. 220

Configuring LDAP Web User authentication ..................................................................................... 221

Enabling web proxy authentication...................................................................................................... 222

Web Proxy authentication logout.......................................................................................................... 223

Web Cache .......................................................................................................................................................... 224

Web cache disk usage ................................................................................................................................ 225

Flushing the web cache............................................................................................................................. 225

Flush domain web cache .......................................................................................................................... 226

Web streaming Media Bypass ...................................................................................................................... 226

Configuring skipped MIME types........................................................................................................... 227

IP authentication browser configuration mode ............................................................................... 228

PAC file........................................................................................................................................................ 229

Load balancing via URL address ........................................................................................................ 230

Bypassing the proxy for specific URLs/domains .......................................................................... 231

WPAD using DNS..................................................................................................................................... 231

WPAD using DHCP.................................................................................................................................. 231

Internet Explorer client configuration ............................................................................................. 232

Client browser notifications ..................................................................................................................... 233

Create a trusted or blocked sites list ................................................................................................ 235

Configure trusted and blocked sites lists ....................................................................................... 235

Web Proxy URL and IP address blocking ........................................................................................ 236

Default blocked categories.................................................................................................................. 241

Categories to block if required by an organization .................................................................... 241

Categories to block to enhance productivity ............................................................................... 242

Configuring URL Categorization ............................................................................................................ 242

Control list updates ..................................................................................................................................... 243

Using URL categorization in policies .................................................................................................... 243

URL reject categorization.......................................................................................................................... 244

Chapter 9 User Accounts ........................................................................................................................ 245

Local User Accounts......................................................................................................................................... 245

Upload and download user lists ............................................................................................................. 246

Tiered Administration ..................................................................................................................................... 246

Tiered Admin and WebMail access........................................................................................................ 248

Log in with Tiered Admin privileges ..................................................................................................... 248

Delegated Domain Administration............................................................................................................ 249

Delegated domain administration and clustering .......................................................................... 249

Creating delegated domains ................................................................................................................... 250

Deleting a delegated domain.................................................................................................................. 251

Uploading delegated domains ............................................................................................................... 251

Uploaded delegated domain admin users......................................................................................... 252

Delegated domain policies ...................................................................................................................... 253

Administering delegated domains........................................................................................................ 253

Log in to delegated domain administration ...................................................................................... 254

Managing the delegated domain .......................................................................................................... 254

Viewing the delegated domain quarantine ....................................................................................... 254

Mirror Accounts................................................................................................................................................. 255

CRYPTOCard................................................................................................................................................... 256

SafeWord......................................................................................................................................................... 256

SecurID............................................................................................................................................................. 256

Remote Accounts and Directory Authentication.................................................................................. 257

Configuring LDAP authentication ......................................................................................................... 257

RADIUS authentication .............................................................................................................................. 258

POP3 and IMAP Access ................................................................................................................................... 259

Relocated Users ................................................................................................................................................. 260

Vacation Notification....................................................................................................................................... 260

User vacation notification profile........................................................................................................... 261

Chapter 10 Spam Quarantine and Trusted/Blocked Senders ............................................................... 263

User Spam Quarantine.................................................................................................................................... 263

Local Spam Quarantine account ............................................................................................................ 263

Configure the Spam Quarantine ............................................................................................................ 264

Spam summary message .......................................................................................................................... 265

Accessing quarantined spam .................................................................................................................. 266

Accessing the quarantine folder via IMAP .......................................................................................... 266

Trusted Senders List.................................................................................................................................... 269

Blocked Senders List ................................................................................................................................... 269

Import list file............................................................................................................................................ 272

Chapter 11 Secure WebMail ..................................................................................................................... 275

Secure WebMail Overview............................................................................................................................. 275

Configure Secure WebMail....................................................................................................................... 276

Enable the Secure WebMail OWA proxy.............................................................................................. 279

Exchange Authentication ......................................................................................................................... 282

Configuring WebMail client options..................................................................................................... 288

Chapter 12 Policies ................................................................................................................................... 289

Policy Overview ................................................................................................................................................. 289

Policy hierarchy ............................................................................................................................................ 290

Multiple group policies ......................................................................................................................... 290

Pattern filter priority............................................................................................................................... 291

Define global settings ................................................................................................................................ 292

Configure the Default policy.................................................................................................................... 292

Anti-Spam and Anti-Virus .................................................................................................................... 293

Content Control policy settings......................................................................................................... 294

Email policy options............................................................................................................................... 295

HTTP policy options ............................................................................................................................... 296

Add and define domain, group, and user policies........................................................................... 297

Uploading and downloading domain policy lists............................................................................ 299

Enabling Group Policy................................................................................................................................ 300

Importing LDAP group information...................................................................................................... 301

Re-Ordering groups .................................................................................................................................... 302

Assigning group policies........................................................................................................................... 303

Uploading group policy lists.................................................................................................................... 303

Orphaned groups......................................................................................................................................... 303

Policy Diagnostics............................................................................................................................................. 305

Chapter 13 Threat Prevention ................................................................................................................. 307

Threat Prevention Overview......................................................................................................................... 307

How Threat Prevention works................................................................................................................. 307

Threat Prevention in a cluster.................................................................................................................. 308

Configure Threat Prevention........................................................................................................................ 308

Basic rule structure ...................................................................................................................................... 311

Default connection rules........................................................................................................................... 311

Blacklisted clients.................................................................................................................................... 311

Directory harvesters ............................................................................................................................... 312

Big virus senders...................................................................................................................................... 312

DNSBL clients (on more than one list) ............................................................................................. 312

Junk senders ............................................................................................................................................. 313

Internal DoS............................................................................................................................................... 313

Excessive senders.................................................................................................................................... 314

Create connection rules............................................................................................................................. 314

Build condition statements ...................................................................................................................... 315

General statistics ..................................................................................................................................... 315

Email Statistics.......................................................................................................................................... 316

Connection rules script error checking................................................................................................ 318

Uploading and downloading addresses ............................................................................................. 320

Integration with F5 and Cisco devices ................................................................................................. 321

Configuring data groups........................................................................................................................... 321

Configuring F5 data groups ..................................................................................................................... 324

WatchGuard XCS and F5 integration notes........................................................................................ 326

Enabling data transfer to a Cisco device ............................................................................................. 327

Cisco device configuration ....................................................................................................................... 328

Chapter 14 Clustering ............................................................................................................................... 331

Clustering Overview ........................................................................................................................................ 331

Cluster architecture..................................................................................................................................... 331

Load balancing ............................................................................................................................................. 332

Email load balancing via DNS ............................................................................................................. 332

Traffic load balancing using a load balancing device................................................................ 333

Configure Clustering ....................................................................................................................................... 333

Hardware and licensing............................................................................................................................. 333

Cluster network configuration ................................................................................................................ 333

Select a cluster mode ................................................................................................................................. 334

Cluster Management....................................................................................................................................... 335

Cluster activity............................................................................................................................................... 335

HTTP statistics........................................................................................................................................... 336

Stop and start messaging queues ......................................................................................................... 337

Changing cluster run modes ................................................................................................................... 337

Cluster system maintenance.................................................................................................................... 338

Updating cluster systems..................................................................................................................... 338

Cluster reporting and message history................................................................................................ 338

Cluster system failures ............................................................................................................................... 338

Backup and restore in a cluster............................................................................................................... 339

Recovering a primary cluster system ............................................................................................... 339

Recovering a Secondary and Client cluster system.................................................................... 339

Threat prevention and clustering .......................................................................................................... 339

Clustering and centralized management ........................................................................................... 339

Chapter 15 Centralized Management ..................................................................................................... 341

About Centralized Management ................................................................................................................ 341

Centralized Management and Clustering........................................................................................... 342

Centralized Management features........................................................................................................ 342

Centralized Management in a Cluster .................................................................................................. 343

Networking ports and addresses ........................................................................................................... 344

Create a Centralized Management Federation...................................................................................... 345

Enable Centralized Management on the Manager system .......................................................... 345

Configure Manager Systems in a Cluster ............................................................................................ 346

Enable Centralized Management on Entity systems ...................................................................... 348

Adding Entities to a Federation via the Manager system ............................................................. 349

Configuration Set Features....................................................................................................................... 351

Create a configuration set ........................................................................................................................ 353

Define a configuration set ........................................................................................................................ 354

Apply a configuration set.......................................................................................................................... 355

Viewing a configuration set on an Entity ............................................................................................ 355

Purge local settings ................................................................................................................................ 356

Entity Status ................................................................................................................................................... 357

Centralized Management Reports.............................................................................................................. 358

Viewing Centralized Management reports ........................................................................................ 358

Chapter 16 Reports and Logs ................................................................................................................... 361

Reports Overview ............................................................................................................................................. 361

Domain reporting ........................................................................................................................................ 362

Inbound and outbound reporting......................................................................................................... 362

Scheduling reports ...................................................................................................................................... 362

Create a new report..................................................................................................................................... 363

Domain reporting ................................................................................................................................... 364

View reports ................................................................................................................................................... 365

Configure Reports ............................................................................................................................................ 371

Spam logging ................................................................................................................................................ 372

Searching the mail logs ............................................................................................................................. 374

Searching the system log.......................................................................................................................... 375

WatchGuard XCS Logs .................................................................................................................................... 376

Previous Searches............................................................................................................................................. 377

Log search configuration .......................................................................................................................... 379

Chapter 17 System Management ............................................................................................................ 381

Backup and Restore ......................................................................................................................................... 381

Restore from backup.............................................................................................................................. 381

Backup file naming conventions............................................................................................................ 382

Starting a backup ......................................................................................................................................... 382

FTP backup options................................................................................................................................ 383

SCP backup options ............................................................................................................................... 384

Local disk options ................................................................................................................................... 385

Restoring from backup .............................................................................................................................. 386

FTP restore options ................................................................................................................................ 386

User Guide xi


Restore from SCP..................................................................................................................................... 387

Restore from local disk .......................................................................................................................... 388

Backup and restore errors......................................................................................................................... 389

Reset the WatchGuard XCS ........................................................................................................................... 390

Get a feature key from LiveSecurity ...................................................................................................... 392

Adding a feature key to your WatchGuard XCS................................................................................ 393

Updating a feature key .............................................................................................................................. 394

Removing a feature key ............................................................................................................................. 395

Feature key expiration ............................................................................................................................... 395

Selecting performance settings.............................................................................................................. 400

Chapter 18 Monitor your WatchGuard XCS ............................................................................................ 405

Dashboard........................................................................................................................................................... 405

Mail summary ................................................................................................................................................ 406

Mail resources........................................................................................................................................... 406

Mail traffic summary .............................................................................................................................. 407

Web traffic ................................................................................................................................................. 409

Recent web activity ..................................................................................................................................... 411

Status and actions........................................................................................................................................ 412

System status................................................................................................................................................. 415

Diagnostics..................................................................................................................................................... 417

Current admin and WebMail users ........................................................................................................ 417

Configuration information ....................................................................................................................... 417

Quarantine expiry options........................................................................................................................ 420

Advanced search.......................................................................................................................................... 423

Message history search tips ..................................................................................................................... 424

System history.................................................................................................................................................... 424

Configure SNMP ........................................................................................................................................... 430

Permitted clients .......................................................................................................................................... 430

MIB files............................................................................................................................................................ 431

Alarms in a cluster........................................................................................................................................ 433

Configuring alarms...................................................................................................................................... 433

Alarms list........................................................................................................................................................ 434

Chapter 19 Troubleshoot your WatchGuard XCS ................................................................................... 435

Troubleshoot Message Delivery.................................................................................................................. 435

Troubleshooting Tools.................................................................................................................................... 436

Monitoring the Dashboard....................................................................................................................... 436

Examine Log Files ............................................................................................................................................. 438

Flush mail queue .......................................................................................................................................... 439

Flush DNS cache ........................................................................................................................................... 439

Flush web cache ........................................................................................................................................... 439

Flush domain web cache .......................................................................................................................... 439

Policy trace ..................................................................................................................................................... 440

Flush web single sign-on sessions ......................................................................................................... 440

Hostname lookup ........................................................................................................................................ 440

SMTP probe.................................................................................................................................................... 441

Message history............................................................................................................................................ 445

Chapter 1 About the WatchGuard XCS

WatchGuard XCS Overview

The WatchGuard XCS is the industry’s first consolidated messaging security platform delivering integrated protection, control, and management for email and web content.

Firewall-level network and system security

The WatchGuard XCS delivers the most complete security available for messaging systems. The system runs on a customized and hardened Unix operating system, and does not allow uncontrolled access to the system.

There is no command line access and the WatchGuard XCS runs as a closed system, preventing accidental or deliberate misconfiguration by administrators, which is a common cause of security vulnerabilities.

Message delivery security

The WatchGuard XCS provides content security that enables instant-on data loss prevention, encryption and content filtering with integrated threat prevention for viruses, spam, spyware, phishing, and malware attacks, all in a secured appliance. Additionally, the WatchGuard XCS protects outbound content against unintentional or malicious data loss, privacy discrepancies and non-compliance with regulations and company policies.

The WatchGuard XCS utilizes a sophisticated message delivery system with several security features and benefits to ensure that the identifying information about your company’s messaging infrastructure remains private.

• For a company with multiple domain names, the system can accept, process, and deliver mail to private email servers. For a company with multiple private email servers, the system can route mail based on the domain or subdomain to separate groups of email users.

• Security features such as mail mappings and address masquerading allow the ability to hide references to internal host names.


Web security

The WatchGuard XCS incorporates a Web Proxy that allows the system to proxy web traffic and control access to external web sites. The system can scan web traffic using a subset of the same scanners that examine email messages to inspect the content of web traffic and downloaded files. Policy features allow specific HTTP access policies to be applied to different users, groups, and domains, and notifications for blocked connections or files can be customized and sent to the administrator and recipient.

The Web TrafficAccelerator solution provides critical Web traffic enhancements, such as disk caching and streaming media support that reduce bandwidth consumption, server loads and latency to improve network performance.

Content controls

The WatchGuard XCS implements attachment control, content scanning, and content filtering based on pattern and text matching. These content controls prevent the following issues:

• Breaches of confidentiality

• Legal liability from offensive content

• Personal abuse of company resources

• Breaches of compliance policies

Attachment controls are based on the following characteristics:

• File Extension Suffix — The suffix of the file is checked to determine the attachment type, such as .exe or .jpg.

• MIME Content Type — MIME (Multipurpose Internet Mail Extensions) can be used to identify the actual content type of the message.

• Content Analysis — The file is analyzed to look for characteristics that can identify the file type. This analysis ensures that the attachment controls are not circumvented by simply renaming a file.

• Content Scanning — Attachments such as Adobe® PDFs or Microsoft® Word documents can be analyzed for words or phrases that match a pattern filter or compliance dictionary.
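The three attachment checks above only work together: an extension check alone is defeated by renaming the file, and a declared MIME type is whatever the sender chose to put in the header. The following added example (illustrative code, not WatchGuard's implementation) shows how the three checks combine, with constructed extension, MIME, and magic-byte tables standing in for a product's much larger ones. The blocked-type lists and the `Verdict` structure are assumptions made for the example.

```python
"""Illustrative attachment-control check (added example; not WatchGuard code).

Combines the three checks the guide lists: file-extension suffix, declared
MIME content type, and content analysis (leading magic bytes). A file is
refused if any one of the checks identifies a blocked type, so renaming an
executable to photo.jpg does not get it past the filter.
"""
from dataclasses import dataclass

# Constructed tables for the example; a real product ships far larger ones.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".js"}
BLOCKED_MIME_TYPES = {"application/x-msdownload", "application/x-dosexec"}
BLOCKED_CONTENT = {"application/x-msdownload", "application/x-executable"}

# Leading bytes ("magic numbers") of a few common file types (well-known values).
MAGIC_SIGNATURES = [
    (b"MZ", "application/x-msdownload"),          # Windows PE executable
    (b"\x7fELF", "application/x-executable"),     # ELF binary
    (b"%PDF-", "application/pdf"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"PK\x03\x04", "application/zip"),           # also .docx/.xlsx containers
]


@dataclass
class Verdict:
    allowed: bool
    reason: str
    detected_type: str   # what content analysis found, whatever the name claims


def sniff_type(data: bytes) -> str:
    """Content analysis: identify the type from the file's leading bytes."""
    for magic, mime in MAGIC_SIGNATURES:
        if data.startswith(magic):
            return mime
    return "application/octet-stream"


def extension_of(filename: str) -> str:
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot >= 0 else ""


def check_attachment(filename: str, declared_mime: str, data: bytes) -> Verdict:
    """Apply the suffix, MIME-type, and content-analysis checks in turn."""
    ext = extension_of(filename)
    sniffed = sniff_type(data)
    if ext in BLOCKED_EXTENSIONS:
        return Verdict(False, f"blocked extension {ext}", sniffed)
    if declared_mime.lower() in BLOCKED_MIME_TYPES:
        return Verdict(False, f"blocked MIME type {declared_mime}", sniffed)
    if sniffed in BLOCKED_CONTENT:
        # The rename case: name and header look harmless, the bytes do not.
        return Verdict(False, f"content analysis found {sniffed} behind {ext or 'no'} extension", sniffed)
    return Verdict(True, "ok", sniffed)


if __name__ == "__main__":
    # Constructed sample: a PE executable renamed to look like a picture.
    print(check_attachment("photo.jpg", "image/jpeg", b"MZ\x90\x00" + b"\x00" * 60))
```

Only the content-analysis branch catches the renamed executable in the sample; the first two checks see a `.jpg` name and an `image/jpeg` header and pass it.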

Virus and spyware scanning

The WatchGuard XCS features a virus scanning engine based on Kaspersky® Anti-Virus. Email messages and Web requests in both inbound and outbound directions can be scanned for viruses and spyware. The high performance virus scanning provides a vital layer of protection against viruses for your entire organization.

Automatic pattern file updates ensure that the latest viruses and spyware are detected.

Outbreak control

The Outbreak Control feature provides customers with zero-day protection against early virus outbreaks. For most virus attacks, the time from the moment the virus is released to the time a pattern file is available to protect against the virus can be several hours. During this period, mail recipients are vulnerable to potential threats. The Outbreak Control feature can detect and take action against early virus outbreaks to contain the virus threat.

Malformed message protection

Similar to malformed data packets used to subvert networks, malformed messages allow viruses and other attacks to avoid detection, crash systems, and lock up mail servers. The system ensures that only correctly formatted messages are allowed into your mail systems. Message integrity checking protects your mail servers and clients and improves the effectiveness of existing virus scanning implementations.


Intercept Anti-Spam

The WatchGuard XCS provides a complete set of Anti-Spam features specifically designed to protect against the full spectrum of current and evolving spam threats. Intercept can combine the results of several Anti-Spam components to provide a better informed decision on whether a message is spam or legitimate mail while minimizing false positives. These features include:

• Spam Words — Filters messages based on a dictionary of typical spam words and phrases that are matched against a message.

• Mail Anomalies — Checks various aspects of the incoming message for issues such as unauthorized SMTP pipelining, missing headers, and mismatched identification fields.

• DNS Block List (DNSBL) — Detects spam using domain-based lists of hosts with a poor reputation. Messages can also be rejected immediately regardless of the results of other anti-spam processing if the client is listed on a DNSBL. A configurable threshold allows administrators to specify how many DNSBLs must trigger to consider the sender as unreliable.

• URL Block List — Detects spam by examining the URLs in a message and querying a SURBL (Spam URI Realtime Block Lists) server to determine if this URL has been used in spam messages.

• ReputationAuthority — The ReputationAuthority helps to identify spam by reporting a collection of metrics about the sender of a message, including their overall reputation, whether the sender is a dialup, and whether the sender appears to be virus-infected, based on information collected from installed customer products and global DNS Block Lists. This information can be used by Intercept to reject the message, or used as part of the overall Anti-Spam decision.

• Token Analysis — Detects spam based on advanced content analysis using databases of known spam and valid mail. This feature is also specially engineered to effectively detect image spam.

• Backscatter Detection — Detects spam based on signature verification of the Envelope Sender to prevent spam bounce emails to forged sender addresses.

• Sender Policy Framework (SPF) — Performs a check of a sending host’s SPF DNS records to identify the source of a message.

• DomainKeys Authentication — Performs a check of a sending host’s DomainKeys DNS records to identify the source of a message.

• Intercept Plug-in for Exchange — To further aid administrators with integrating the WatchGuard XCS into a Microsoft Exchange environment, the Intercept Plug-in for Exchange is provided. This plug-in is designed to allow customers the ability to integrate the WatchGuard XCS with their existing Exchange services by allowing Intercept spam classifications to be translated into equivalent values that are used by the Exchange server to evaluate and classify spam.
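Backscatter Detection relies on the gateway being able to tell its own outbound mail apart from mail that merely claims to come from its domains. The usual way to do that is to sign the envelope sender of outgoing mail and accept a bounce (a message with a null envelope sender) only when its recipient address carries a valid, unexpired signature. The following added example is a BATV-style tag built from an HMAC and a rolling day counter; it is illustrative code, not the WatchGuard implementation, and the `prvs=` address layout, the key, the 7-day validity window, and the `demo()` scenario are all assumptions made for the example.

```python
"""BATV-style envelope-sender signing (added example; not WatchGuard's implementation).

Outbound mail is sent with a tagged envelope sender such as
    prvs=DDDTTTTTTTTTTTT=alice@example.com
where DDD is a rolling day counter and TTT... is an HMAC over the address and
the day. A bounce addressed to a plain, untagged address, or to a tag that
does not verify or has expired, was never sent by this gateway and is refused.
"""
import hashlib
import hmac
from datetime import date
from typing import Optional

SECRET = b"constructed-example-key"   # constructed; keep a real key in a key store
MAX_AGE_DAYS = 7                      # assumed validity window for a tag
TAG_HEX_CHARS = 12


def _tag(local: str, domain: str, day: int, key: bytes) -> str:
    msg = f"{local}@{domain}:{day:03d}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:TAG_HEX_CHARS]


def _day_counter(today: Optional[date]) -> int:
    # Three-digit rolling counter; wraps every 1000 days, which the age check tolerates.
    return (today or date.today()).toordinal() % 1000


def sign_sender(address: str, key: bytes = SECRET, today: Optional[date] = None) -> str:
    """Return the tagged envelope sender to use for outbound mail from `address`."""
    local, domain = address.rsplit("@", 1)
    day = _day_counter(today)
    return f"prvs={day:03d}{_tag(local, domain, day, key)}={local}@{domain}"


def verify_bounce_recipient(address: str, key: bytes = SECRET, today: Optional[date] = None) -> bool:
    """True only if the bounce recipient carries a valid, unexpired tag for this gateway."""
    if not address.startswith("prvs="):
        return False
    parts = address.split("=", 2)
    if len(parts) != 3:
        return False
    tagpart, rest = parts[1], parts[2]
    if len(tagpart) != 3 + TAG_HEX_CHARS or not tagpart[:3].isdigit() or "@" not in rest:
        return False
    day, sig = int(tagpart[:3]), tagpart[3:]
    local, domain = rest.rsplit("@", 1)
    age = (_day_counter(today) - day) % 1000
    if age > MAX_AGE_DAYS:
        return False
    # Constant-time comparison so the check does not leak the tag byte by byte.
    return hmac.compare_digest(sig, _tag(local, domain, day, key))


def demo() -> dict:
    """Constructed scenario: one genuine bounce, one late bounce, one forged bounce."""
    sent_on = date(2010, 3, 23)
    tagged = sign_sender("alice@example.com", today=sent_on)
    return {
        "tagged_form_ok": tagged.startswith("prvs=") and tagged.endswith("=alice@example.com"),
        "bounce_same_week": verify_bounce_recipient(tagged, today=date(2010, 3, 29)),
        "bounce_after_expiry": verify_bounce_recipient(tagged, today=date(2010, 4, 15)),
        "bounce_to_untagged_address": verify_bounce_recipient("alice@example.com", today=sent_on),
        "bounce_with_altered_tag": verify_bounce_recipient(
            tagged[:5] + ("0" if tagged[5] != "0" else "1") + tagged[6:], today=sent_on),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The gateway applies `sign_sender` when rewriting the envelope sender of outbound mail and `verify_bounce_recipient` when an inbound message arrives with a null envelope sender; normal inbound mail to the untagged address is unaffected.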

ReputationAuthority

The ReputationAuthority helps to identify spam by reporting behavioral information about the sender of a message, including their overall reputation, whether the sender is a dial-up, and whether the sender appears to be virus-infected or sends large amounts of spam messages, based on information collected from installed customer products and global DNS Block Lists. Domain and Sender Reputation increases the effectiveness of ReputationAuthority by examining not only the IP reputation of a sender, but also the domain name and envelope sender information from that IP address. This information can be used by the system to either reject the message immediately or contribute to the Intercept score if a message is detected from a source with a poor reputation or numerous virus infections.


If Reputation checks are enabled, the WatchGuard XCS will query the statistics on the ReputationAuthority Domain service for the sender IP address of each message received, excluding those addresses from trusted and known networks. Using the information returned from ReputationAuthority, the system can make a decision about whether a message is spam or legitimate mail. A reputation of 0 indicates the sender is extremely reliable and rarely sends spam or viruses. A reputation of 100 indicates the sender is extremely unreliable and often sends spam or viruses. An IP address with no previous information from any source is assigned a value of 50.
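The DNSBL threshold described in the Intercept feature list and the 0–100 reputation scale described here are both connection-time decisions made before message content is examined. The following added example models that screening step: trusted networks are skipped, a client listed on at least the configured number of block lists is rejected outright, a reputation above a reject threshold is likewise a hard reject, and anything else contributes to the overall spam score. It is illustrative code, not WatchGuard's implementation; the DNSBL zones, the reputation feed, the trusted networks, and the score weighting are constructed assumptions, and the lookup table stands in for live DNS queries (a real DNSBL is queried by resolving the reversed IP under the list's zone).

```python
"""Illustrative sender screening by DNSBL count and reputation score
(added example; models the behaviour the guide describes, not WatchGuard code).
"""
import ipaddress
from typing import Dict, Set

# Constructed DNSBL zones (reserved .test TLD) and a lookup table standing in
# for live DNS. A real DNSBL answers with an A record when the host is listed.
DNSBL_ZONES = ["bl.example-one.test", "bl.example-two.test", "bl.example-three.test"]
LISTED_NAMES: Set[str] = {
    "4.3.2.203.bl.example-one.test",
    "4.3.2.203.bl.example-two.test",
    "9.8.7.198.bl.example-one.test",
}

# Constructed reputation feed: IP -> 0 (reliable) .. 100 (unreliable).
REPUTATION: Dict[str, int] = {"203.2.3.4": 97, "198.7.8.9": 20}

# Constructed trusted/known networks that are never reputation-checked.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Name a DNSBL client would resolve for `ip`: reversed octets under the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def dnsbl_hits(ip: str, listed: Set[str] = LISTED_NAMES) -> int:
    """Number of configured block lists on which `ip` appears."""
    return sum(1 for zone in DNSBL_ZONES if dnsbl_query_name(ip, zone) in listed)


def reputation_of(ip: str, feed: Dict[str, int] = REPUTATION) -> int:
    """Reputation 0..100; an address with no information from any source is 50."""
    return feed.get(ip, 50)


def screen_sender(ip: str, dnsbl_threshold: int = 2, reject_at: int = 90,
                  weight: float = 0.05) -> dict:
    """Decide accept / reject / continue for a connecting client before content is read."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in TRUSTED_NETWORKS):
        return {"action": "accept", "reason": "trusted network", "score": 0.0}
    hits = dnsbl_hits(ip)
    if hits >= dnsbl_threshold:
        # Immediate rejection regardless of any other anti-spam result.
        return {"action": "reject", "reason": f"listed on {hits} DNSBLs", "score": 0.0}
    rep = reputation_of(ip)
    if rep >= reject_at:
        return {"action": "reject", "reason": f"reputation {rep}", "score": 0.0}
    # Otherwise contribute to the overall spam score: reputation above the
    # neutral 50 adds to it, below 50 subtracts; each DNSBL hit below the
    # threshold still adds a point. Weights are assumptions for the example.
    score = (rep - 50) * weight + hits * 1.0
    return {"action": "continue", "reason": f"reputation {rep}, {hits} DNSBL hits",
            "score": round(score, 2)}


if __name__ == "__main__":
    for client in ["10.1.2.3", "203.2.3.4", "198.7.8.9", "8.8.4.4"]:
        print(client, screen_sender(client))
```

Raising `dnsbl_threshold` to 3 in the sample turns the doubly-listed client's verdict from a DNSBL reject into a reputation reject, which is the kind of interaction an administrator should check when tuning either threshold.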

Image spam analysis

An image spam email message typically consists of random text or no text body and contains an attachment picture (usually .gif or .jpg format) that supplies the text and graphics of the spam message. These types of spam messages are difficult to detect because the message contains no helpful text or URL characteristics that can be scanned and analyzed. The Image Spam Analysis feature performs advanced analysis of image attachments to help determine if the message is spam or legitimate mail. Similar to the other anti-spam features that detect spam characteristics in the text of a message, the Image Spam Analysis feature extracts certain characteristics of the attached image to determine if these characteristics are similar to those seen in actual spam messages.

Threat prevention

Threat Prevention allows organizations to detect and block incoming threats in real-time. Threat types can be monitored and recorded to track client IP behavior and reputation. By examining message flow patterns, the system detects whether a sending host is behaving maliciously by sending out viruses, spam, or attempting denial-of-service (DoS) attacks. By instantly recognizing these types of patterns, Threat Prevention presents an effective solution against immediate attacks. The Threat Prevention feature can block or throttle inbound connections before the content is processed to lessen the impact of a large number of inbound messages.

Trusted and blocked senders list

Users can create their own personal Trusted and Blocked Senders Lists based on a sender’s email address. The Trusted email addresses will be exempt from the system’s spam controls, allowing users to trust legitimate senders, while email addresses on the Blocked Senders List will be prevented from sending mail to that user via this WatchGuard XCS.

Spam quarantine

The Spam Quarantine is used to redirect spam mail into a local storage area for each individual user. Users will be able to connect to the system either directly or through a summary email to view and manage their own quarantined spam. Messages can be deleted, or moved to the user’s local mail folders. Automatic notifications can be sent to end users notifying them of the existence of messages in their personal quarantine area. For large enterprises, a dedicated Quarantine Server can be utilized to support up to 100,000 quarantine users.

Secure WebMail

Secure WebMail provides remote access support to internal mail servers. With Secure WebMail, users can access their mailboxes using email web clients such as Outlook® Web Access, Lotus iNotes, or the WatchGuard XCS’s own web mail client. The WatchGuard XCS addresses the security issues currently preventing deployment of web mail services by providing the following protection:

• Strong authentication (including integration with Active Directory)

• Encrypted sessions

• Advanced session control to prevent information leaks on workstations


Authentication

The WatchGuard XCS supports the following authentication methods for administrators, WebMail users, Trusted/Blocked Senders List, and Spam Quarantine purposes:

• User ID and Password

• LDAP

• RADIUS

• RSA SecurID® tokens

• SafeWord and CRYPTOCard tokens

Integrated and external message encryption

The WatchGuard XCS provides an integrated message encryption option and also provides integration with external encryption servers to provide email encryption and decryption functionality. Email encryption allows individual messages to be encrypted by the system’s integrated encryption server or a separate encryption server before being delivered to their destination by the WatchGuard XCS.

Incoming encrypted messages can also be sent to the encryption server to be decrypted before the WatchGuard XCS accepts the message and delivers it to the intended recipient. This integration allows organizations to ensure that encrypted messages are still processed for security issues such as viruses, malformed mail, and content filtering and scanning.

Mail delivery encryption

All messages delivered to and from the WatchGuard XCS can be encrypted using TLS (Transport Layer Security). This includes connections to remote systems, local internal mail systems, or internal mail clients. Encrypted messages are delivered with complete confidentiality both locally and remotely.

TLS encryption can be used for the following:

• Secure mail delivery on the Internet to prevent anyone from viewing email while in transit

• Secure mail delivery across a LAN to prevent malicious users from viewing email other than their own

• Policies for secure mail delivery to branch offices, remote users, and business partners

• TLS/SSL encryption for all user and administrative sessions

• TLS/SSL encryption of SMTP sessions, effectively preventing eavesdropping and interception

Policy controls

Policy-based controls allow settings for the WatchGuard XCS’s security features, including Annotations, Anti-Spam, Anti-Virus, and Attachment Control, to be customized and applied based on the group membership, domain membership, or email address of the recipient. User groups can be imported from an LDAP-based directory, and then policies can be created to apply customized settings to these groups. For example, you can set up an Attachment Control Policy to allow your Development group to accept and send executable files (.exe), while configuring your Attachment Control settings for all your other departments to block this file type to prevent the spread of viruses among the general users.


Directory Services

The WatchGuard XCS integrates with LDAP (Lightweight Directory Access Protocol) directory services such as Active Directory, OpenLDAP, and iPlanet, allowing you to perform the following:

• LDAP lookup prior to internal delivery — The system can check for the existence of an internal user via LDAP before delivering a message. This feature allows you to reject mail to unknown addresses in relay domains, reducing the number of attempted deliveries of spam messages for non-existent local addresses. This check can be performed directly to an LDAP server or to a cached directory stored locally on the system.

• Group/User Imports — An LDAP lookup will determine the group membership of a user when applying policy-based controls. LDAP users can also be imported and mirrored on the system to be used for services such as the Spam Quarantine.

• Authentication — LDAP can be used for authenticating Web Proxy access, IMAP access, user mailbox, and WebMail logins.

• SMTP Relay Authentication — LDAP can be used for authenticating clients for SMTP Relay.

• Mail Routing — LDAP can be used to look up mail route information for a domain to deliver mail to its destination server.

System management

The WatchGuard XCS provides a complete range of monitoring and diagnostics tools to monitor the system and troubleshoot mail delivery issues. Admin sessions can also be encrypted for additional security, while comprehensive logs record all mail activity.

• Web Browser-based management — The web browser management interface displays a live view of system activity and traffic flows. The management interface can be configured to display this information for one or many systems, including systems in a local cluster or systems that are being centrally managed.

• Dashboard — The WatchGuard XCS system Dashboard provides administrators with a brief statistical and graphical summary of current inbound and outbound email and web activity, allowing rapid assessment of the current status of the WatchGuard XCS.

• Enterprise integration with SNMP — Using SNMP (Simple Network Management Protocol), the system can generate both information and traps to be used by SNMP monitoring tools. This extends the administrator’s view of the WatchGuard XCS and allows notification of significant system events, including excessive traffic flows and system failures.

• Alarms — The system can generate system alarms that can automatically notify the administrator via email and console alerts of a system condition that requires attention.

• Archiving — Archiving support allows organizations to define additional mail handling controls for inbound and outbound mail. These features are especially important for organizations that must archive certain types of mail for regulatory compliance or for corporate security policies.

Clustering

The WatchGuard XCS clustering features provide a highly scalable, redundant messaging security infrastructure that enables two or more systems to act as a single logical unit for processing messages while providing redundancy and high availability benefits. There is no theoretical limit to the size of the cluster, and systems can be easily added to the cluster to increase processing and high-availability capabilities. Clustering ensures that the flow of traffic is not interrupted due to individual system failures. A cluster can be managed from any single system in the cluster without the need for a separate management console, and all systems in the cluster can process messages. Any configuration changes, such as Anti-Spam and Policies, will be propagated to all systems in the cluster.


Reporting

The WatchGuard XCS reporting functionality provides a comprehensive range of informative reports that can be generated in PDF (Adobe Portable Document Format), CSV, and HTML format on demand and at scheduled times. The reports are derived from information written to the systems and message logs that are stored in the message database. Up to a month's reporting data can be stored and viewed online depending on message loads for a particular environment. Reports are stored on the system for online viewing, and can also be emailed automatically to the systems administrator.

In clustered environments, reports will aggregate information for the entire cluster. System and resource reports will display information for each system in the cluster.

For organizations that support multiple domains, per domain information can be added to the reports providing the administrator with statistics for each hosted domain. Hosted domain reports can also be enabled that create separate reports for a specific domain that can be emailed to the administrators of each hosted domain.

Security Connection

The Security Connection provides an automated software update service that polls WatchGuard’s support servers for new updates, security alerts, and Anti-Spam database updates. When new information and updates are received, a notification can be sent to the administrator.

Internationalization

The WatchGuard XCS supports internationalization for annotations, notification messages, and message database views. For example, if a message is sent to someone who is on vacation and the message used character set ISO-2022-JP (Japanese), the vacation notification sent back will be in the same character set. The message history database can also be viewed using international character sets.

The WatchGuard XCS also supports the ISO-8859-1 (Western European Languages) based character set for dictionary-based content filtering using the Objectionable Content Filter.


WatchGuard XCS Deployments

The WatchGuard XCS is designed to be situated between internal email servers and clients, and external servers on the Internet so that there are no direct connections between external and internal systems.

The WatchGuard XCS is typically installed in one of three locations:

ƒ On the DMZ (Demilitarized Zone) of a network firewall

ƒ In parallel with a network firewall

ƒ Behind the existing firewall on the internal network

Messaging traffic is redirected from either the external interface of the network firewall or from the external router to the system. When the message is accepted and processed, the system initiates a connection to the internal mail servers to deliver the messages.

WatchGuard XCS on the DMZ of a network firewall

The most common deployment strategy for the WatchGuard XCS is to be situated on the DMZ of a network firewall. This type of deployment prevents any direct connections from the Internet to the internal mail servers, and makes sure the WatchGuard XCS is located on a secure network behind the firewall.


WatchGuard XCS in parallel with the firewall

Deploying the WatchGuard XCS in parallel with an existing network firewall is another secure method of deployment configuration. The system’s inherent firewall security architecture eliminates the risk associated with deploying an appliance on the perimeter of a network. This parallel deployment eliminates any messaging traffic on the network firewall and decreases its overall load. A second network interface must be configured to connect to the Internet-facing network.

WatchGuard XCS on the internal network

The WatchGuard XCS can also be deployed on the internal network. Although this configuration allows a direct connection from the Internet into the internal network, it is a legitimate configuration when required by existing network resources.


Additional configuration

When you have decided on a deployment strategy, the following information about your environment needs to be gathered to ensure a smooth implementation.

ƒ Determine which ports need to be opened on the network firewall (if the system is deployed behind a firewall)

ƒ Determine appropriate DNS settings for message routing

ƒ Identify changes required to the internal messaging servers for routing outbound email messages via the WatchGuard XCS

Network firewall configuration

For the WatchGuard XCS to process messages effectively when located behind a network firewall, various networking ports need to be configured on the network firewall to ensure connectivity.

The following table describes the list of ports required for each service. If you are not using some of the features listed in the following table, the corresponding ports can remain closed:

Port    Protocol   Description
21      TCP        FTP for System Backups
22      TCP        SCP (Backup or Offload)
25      TCP        SMTP (standard port for sending and receiving of mail)
53      TCP/UDP    DNS and ReputationAuthority Queries
80      TCP        Anti-Virus Updates (also requires port 443)
80      TCP        URL Categorization Updates
80      TCP        Web Mail Access (OWA, iNotes, etc.) See port 443 for Secure WebMail access.
110     TCP        POP3
123     UDP        Network Time Protocol (NTP)
143     TCP        IMAP Proxy
389     TCP        LDAP
443     TCP        WatchGuard XCS Software Updates
443     TCP        Anti-Virus Updates (also requires port 80)
443     TCP        Secure Web Mail Access
443     TCP        Web UI connections
443     TCP        ReputationAuthority Statistics Sharing
514     UDP        Syslog
636     TCP        LDAPS
993     TCP        Secure IMAP
995     TCP        Secure POP3
1812    UDP        RADIUS Server
5500    UDP        RSA Secure ID ACE Server
10101   TCP        Support Access
10106   TCP        Centralized Management

The direction columns of the original table (From Internet, To Internet, From Internal Network, To Internal Network) are not reproduced here.

DNS configuration for mail routing

DNS services are used to route mail messages from the Internet to the WatchGuard XCS. DNS configurations can be quite complex and are usually dependent on your specific site’s networking environment.

The following instructions represent the minimum changes required to facilitate mail routing.

ƒ Add an MX (mail exchanger) record to your DNS configuration to forward incoming messages to the WatchGuard XCS: example.com. IN MX 0 hostname.example.com

ƒ Add an "A" record to resolve the domain name to an IP address: hostname.example.com. IN A 10.0.1.10

ƒ Add a PTR record to allow reverse look-ups to succeed and prevent messages sent from the WatchGuard XCS being marked as suspected spam: 10.1.0.10.in-addr.arpa. IN PTR hostname.example.com

ƒ Consider keeping an MX record with a higher preference pointed at your current mail server during the integration phase. If the WatchGuard XCS is taken out of service, the messages will automatically route directly to the mail server. This entry should be deleted before you move to a production environment as spammers could find this alternate route and bypass the WatchGuard XCS.

example.com. IN MX 10 mailserver.example.com
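The records above can be verified before cut-over. The following is an added example, not part of the guide and not WatchGuard code: it checks an in-memory zone (constructed from the records shown, plus the backup MX) for the three things the list asks for: the gateway is the lowest-preference MX, every MX target has an A record whose address has a PTR back to the same name, and any higher-preference MX that still points at the internal mail server is reported as a bypass. The zone contents, host names and the `check_mail_routing` function are assumptions made for the example.

```python
import ipaddress

# Constructed zone data modelled on the records in the guide. The backup MX
# (mailserver.example.com) is included so the bypass warning is exercised.
ZONE = {
    ("example.com.", "MX"): [(0, "hostname.example.com."), (10, "mailserver.example.com.")],
    ("hostname.example.com.", "A"): ["10.0.1.10"],
    ("mailserver.example.com.", "A"): ["10.0.1.20"],
    ("10.1.0.10.in-addr.arpa.", "PTR"): ["hostname.example.com."],
}


def reverse_name(ip):
    """in-addr.arpa name for an IPv4 address: 10.0.1.10 -> 10.1.0.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def lookup(zone, name, rtype):
    return zone.get((name, rtype), [])


def check_mail_routing(domain, gateway, zone=ZONE):
    """Return a list of findings for the inbound mail path of `domain`.

    `gateway` is the FQDN of the WatchGuard XCS, which must be the lowest-preference
    MX. Each MX target needs an A record, and that address needs a PTR naming the
    same host, otherwise mail it sends may be treated as suspected spam.
    """
    findings = []
    mx = sorted(lookup(zone, domain, "MX"))
    if not mx:
        return [f"no MX record for {domain}"]
    if mx[0][1] != gateway:
        findings.append(f"lowest-preference MX is {mx[0][1]}, not the gateway {gateway}")
    for pref, target in mx:
        addrs = lookup(zone, target, "A")
        if not addrs:
            findings.append(f"MX target {target} has no A record")
            continue
        for ip in addrs:
            ptrs = lookup(zone, reverse_name(ip), "PTR")
            if not ptrs:
                findings.append(f"{ip} ({target}) has no PTR record; "
                                "mail it sends may be marked as suspected spam")
            elif target not in ptrs:
                findings.append(f"PTR for {ip} names {', '.join(ptrs)} rather than {target}")
        if target != gateway:
            # A second MX that points past the gateway is the alternate route the guide warns about.
            findings.append(f"backup MX {target} (preference {pref}) lets senders bypass "
                            "the gateway; remove it before moving to production")
    return findings


if __name__ == "__main__":
    for line in check_mail_routing("example.com.", "hostname.example.com."):
        print(line)
```

Against the constructed zone the check reports two findings: the backup mail server has no PTR record, and the backup MX itself is still present. Against a real zone the same logic would sit behind a resolver library instead of the `ZONE` dictionary.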

Outbound mail routing

While DNS entries are required to route inbound messages through the WatchGuard XCS, changes are required to the existing internal mail servers to route outbound messages via the WatchGuard XCS.

After the installation is complete, all internal systems must be configured to use the WatchGuard XCS for delivery. This allows outbound message content to be processed for attachments and suspect files to prevent the spread of viruses introduced locally, and improves the spam detection capabilities of the system’s Anti-Spam features.


How Messages are Processed

The following sections describe the sequence in which the system’s security features are applied to any inbound and outbound messages and how these settings affect their delivery.

Trusted messages

The system only processes messages through the spam filters when a message originates from an untrusted source. Messages from trusted sources bypass the spam controls. By default, messages that arrive on a particular network interface from the same subnet are trusted.

There are two ways to control how message sources are identified and trusted:

ƒ The network interface the message arrives on

ƒ A specified IP address (or address block), or server or domain name

See “Trusted and Untrusted Mail Sources” on page 164 for information on configuring trusted and untrusted sources.

Inbound and outbound scanning

For features that scan both inbound and outbound messages, the following rules apply:

ƒ Mail from trusted source to local recipient — Inbound

ƒ Mail from trusted source to non-local recipient — Outbound

ƒ Mail from untrusted source to local recipient — Inbound

ƒ Mail from untrusted source to non-local recipient — Inbound

SMTP connection

An SMTP connection request is made from another system. The system accepts the connection request unless one of the following checks (if enabled) is triggered:

ƒ Reject on Threat Prevention — Rejects mail when the client is rejected by the Threat Prevention feature.

ƒ Reject on missing addresses — Rejects mail when no recipients in the To: field, or no senders in the From: field were specified in the message headers.

ƒ Maximum number of recipients — Rejects mail if the number of recipients exceeds the specified maximum (default is 1000).

ƒ Maximum message size — Rejects mail if the message size exceeds the maximum.

ƒ Reject on unauthorized SMTP pipelining — Rejects mail when the client sends SMTP commands ahead of time without knowing that the mail server actually supports SMTP command pipelining. This stops messages from bulk mail software that use SMTP command pipelining improperly to speed up deliveries.

ƒ Reject on expired license — Rejects mail if the system license has expired.

ƒ Specific Access Pattern and Pattern Based Message Filter (Reject) — Rejects mail based on Specific Access Patterns and Pattern Filters for the HELO, Envelope-To, Envelope-From, and Client IP fields.

ƒ Connection Rules Reject — Rejects mail based on any configured Connection Rules.

ƒ Reject on DNS Block list — Rejects mail if the sender is on a DNSBL and the system is set to reject on DNSBL.

ƒ Reject on ReputationAuthority (Reputation, Infected, Dial-up) — Rejects mail based on statistics provided by the ReputationAuthority.


At this point, trusted or local networks skip any further Reject checks.

ƒ Reject on Backscatter Detection — Rejects mail when the message fails the Backscatter signature verification.

ƒ Reject on unknown sender domain — Rejects mail when the sender mail address has no DNS A or MX record.

ƒ Reject on missing reverse DNS — Rejects mail from hosts where the host IP address has no PTR (address to name) record in the DNS, or when the PTR record does not have a matching A (name to address) record. This setting is rarely used because many servers on the Internet do not have valid reverse DNS records, and enabling it may result in rejecting mail from legitimate sources.

ƒ Reject on missing sender MX — Rejects mail when the sender’s mail address is missing a DNS MX record.

ƒ Reject on non-FQDN sender — Rejects mail when the address in the client MAIL FROM command is not in the form of a fully-qualified domain name (FQDN).

ƒ Reject on Unknown Recipient — Rejects mail if the specified recipient does not exist. The system will perform an LDAP lookup on the recipient’s address to ensure they exist before delivering the message.
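The trust rules, the inbound/outbound classification, and the two groups of connection checks above can be put together in one model. The following is an added example, not from the guide and not WatchGuard code. It treats a client as trusted when it is on one of the system's interface subnets or in a configured trusted address block, classifies scan direction by the rule given under "Inbound and outbound scanning", and applies a subset of the reject checks in the order listed, with trusted clients skipping the second group. The `Config` and `Session` structures, the default message size limit, and the constructed DNSBL and PTR tables are assumptions; the reverse DNS check is enabled here only to show where it sits in the order.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Config:
    interface_subnets: list       # subnets of the system's own interfaces; same-subnet clients trusted by default
    trusted_blocks: list          # explicitly trusted IP addresses or address blocks
    local_domains: set            # domains this system accepts mail for
    max_recipients: int = 1000    # the guide's default
    max_message_size: int = 10 * 1024 * 1024   # assumption; the guide states no default
    dnsbl_listed: set = field(default_factory=set)    # constructed stand-in for DNSBL answers
    ptr_records: dict = field(default_factory=dict)   # constructed stand-in for reverse DNS


@dataclass
class Session:
    client_ip: str
    mail_from: str
    rcpt_to: list
    size: int


def is_trusted(cfg, ip):
    """Trusted if the client is on an interface subnet or inside a configured trusted block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in cfg.interface_subnets + cfg.trusted_blocks)


def scan_direction(cfg, trusted, recipient):
    """Only mail from a trusted source to a non-local recipient is outbound; all else is inbound."""
    local = recipient.rsplit("@", 1)[-1].lower() in cfg.local_domains
    return "outbound" if trusted and not local else "inbound"


def connection_checks(cfg, s):
    """Return the first triggered reject check, or None when the connection is accepted."""
    # Group 1: applied to every client, in the order the guide lists them
    if not s.rcpt_to or not s.mail_from:
        return "missing addresses"
    if len(s.rcpt_to) > cfg.max_recipients:
        return "maximum number of recipients"
    if s.size > cfg.max_message_size:
        return "maximum message size"
    if s.client_ip in cfg.dnsbl_listed:
        return "DNS block list"
    # Trusted or local networks skip any further reject checks
    if is_trusted(cfg, s.client_ip):
        return None
    # Group 2: untrusted clients only
    if s.client_ip not in cfg.ptr_records:
        return "missing reverse DNS"
    sender_domain = s.mail_from.rsplit("@", 1)[-1]
    if "." not in sender_domain:
        return "non-FQDN sender"
    return None
```

The ordering matters for detection as much as for filtering: a trusted internal host that sends from a non-FQDN address is accepted, while the same message from an untrusted host is rejected, so logs from the two groups should be read with the client's trust status in mind.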

Virus and spyware checking

Messages are scanned for viruses and spyware. If there is a virus or spyware program detected, the system can perform a variety of actions, such as quarantining the message.

Malformed message checking

The system analyzes each message with extensive integrity checks. Malformed messages (which could be hidden viruses or attempts at a denial-of-service attack) can be quarantined, rejected, or discarded if they cannot be processed.

Attachment size limits

The sizes of all attachments are checked to ensure they do not exceed the attachment size limit threshold.

Attachment control

Message attachments are scanned for blocked content. If there is a problem, the system can perform a variety of actions, such as sending the message to the quarantine area. Attachments can also be stripped, and then the message will continue to be processed by other message checks.

Outbreak control

Messages are scanned by Outbreak Control to look for virus-like behavior. These messages can be quarantined until updated anti-virus pattern files are available to rescan them.

If a file is rejected or discarded by Malformed Mail or Attachment Control, the Outbreak Control feature will take precedence, and the Malformed or Attachment Control action will be applied when the message is released by Outbreak Control.

OCF (Objectionable Content Filter)

Messages are scanned for objectionable content using a pre-defined list of words, and then a configurable action is taken.


Pattern Filters and Specific Access Patterns

The messages are scanned to see if they match any existing Pattern Filters and Specific Access Patterns set to Trust or Allow Relaying.

Trusted and Blocked Senders List

If a sender is on a user’s Trusted Senders List, the message will skip all remaining checks. If the sender is on a user’s Blocked Senders List, the message will be rejected or discarded depending on the configuration.

Content Scanning

Deep scanning is performed on message content and attachments (such as Microsoft Word or Adobe PDF files) for blocked words and phrases.

Document Fingerprinting

Messages are checked by the Document Fingerprinting feature to examine message attachments against an uploaded training set of allowed and forbidden documents.

Content Rules

If enabled, any defined Content Rules are applied to the message.

Encryption

If enabled, outbound messages are encrypted before being delivered.

Anti-Spam processing

If the message arrives from an untrusted source, it will be processed for spam by the Intercept Anti-Spam engine. All Intercept components that are enabled will contribute to the final spam score of a message.

Mail mappings

The message is now accepted for processing and the following occurs:

ƒ If the recipient address is not for a domain or sub-domain for which the system is configured to accept mail (either as an inbound mail route or a virtual domain), then the message is rejected.

ƒ If the recipient address is mapped in the Mail Mappings table, then the To: field in the message header will be modified as required.

Virtual mappings

The message is now examined for a match in the Virtual Mapping table. If such a mapping is found, the envelope-header recipient field will be modified as required. LDAP virtual mappings will then be processed.

Virtual mappings are useful for the following:

ƒ Acting as a wildcard mail mapping, such as any message for a user at example.com goes to exchange.example.com. You can create exceptions to this rule in the mail mappings for particular users.

ƒ ISPs that need to accept mail for several domains and the envelope-header recipient field needs to be rewritten for further delivery.

ƒ To deliver to internal servers, use a mail route defined via Configuration > Mail > Routing.


Relocated Users

When mail is sent to an address that is listed in the relocated user table, the message is bounced back with a message informing the sender of the relocated user’s new contact information.

Mail Aliases

When mail needs to be delivered locally, the local delivery agent runs each local recipient name through the aliases database. An alias results in the creation of a new mail message for the named address or addresses.

This mail message is then entered back into the system to be mapped and routed. This process also occurs with local user accounts that have a forwarder address configured. Local user accounts will be treated like aliases in this case.

Local aliases are typically used to implement distribution lists or to direct mail for standard aliases such as mail to the postmaster account. LDAP aliases are then processed. LDAP functionality can be used to search for mail aliases on directory services such as Active Directory.

Mail routing

During the mail routing process, there is no modification made to the mail header or the envelope. A mail route specifies two things:

ƒ Which domains the system accepts mail for (other than itself)

ƒ Which hosts the mail should be delivered to

Message delivery

The message is now delivered to its destination.
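The mapping and routing stages described from "Mail mappings" through "Message delivery" can be followed for a single recipient address. The following is an added example, not from the guide and not WatchGuard code: constructed tables stand in for the Mail Mappings, Virtual Mappings, relocated user, alias and mail route tables, and `process_recipient` applies them in the order the guide gives, with alias expansions re-entering mapping and routing as the text describes. Table contents, host addresses and the exception names are assumptions.

```python
# Constructed tables modelled on the guide's descriptions of each stage.
LOCAL_DOMAINS = {"example.com", "example.net"}                         # inbound mail routes / virtual domains
MAIL_MAPPINGS = {"sales@example.com": "sales-team@example.net"}        # exact-address rewrite (exception to wildcard)
VIRTUAL_MAPPINGS = {"@example.com": "@exchange.example.com"}           # wildcard domain rewrite of the envelope recipient
RELOCATED_USERS = {"olduser@example.net": "olduser@partner.example"}   # bounced with new contact information
ALIASES = {"postmaster@exchange.example.com":                          # distribution list; each target re-enters
           ["admin@exchange.example.com", "sec@exchange.example.com"]}
MAIL_ROUTES = {"exchange.example.com": "10.0.1.20", "example.net": "10.0.1.30"}  # domain -> delivery host


class Rejected(Exception):
    """Recipient domain not accepted, or no route."""


class Bounced(Exception):
    """Recipient is a relocated user; sender is told the new address."""


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def accepts(domain):
    """True if the system accepts mail for the domain or a sub-domain of it."""
    known = LOCAL_DOMAINS | set(MAIL_ROUTES)
    return any(domain == d or domain.endswith("." + d) for d in known)


def process_recipient(rcpt, _depth=0):
    """Return [(final address, delivery host)] for one envelope recipient."""
    if _depth > 10:
        raise Rejected(f"alias expansion loop at {rcpt}")
    # Mail mappings: reject domains the system does not accept, then apply exact rewrites
    if not accepts(domain_of(rcpt)):
        raise Rejected(f"relay denied for {rcpt}")
    rcpt = MAIL_MAPPINGS.get(rcpt, rcpt)
    # Virtual mappings: wildcard rewrite of the recipient's domain
    local, dom = rcpt.rsplit("@", 1)
    if "@" + dom in VIRTUAL_MAPPINGS:
        rcpt = local + VIRTUAL_MAPPINGS["@" + dom]
    # Relocated users: bounce with the new contact information
    if rcpt in RELOCATED_USERS:
        raise Bounced(f"{rcpt} has moved; new address {RELOCATED_USERS[rcpt]}")
    # Aliases: each resulting address is entered back into mapping and routing
    if rcpt in ALIASES:
        out = []
        for target in ALIASES[rcpt]:
            out.extend(process_recipient(target, _depth + 1))
        return out
    # Mail routing: pick the delivery host by domain; header and envelope are not modified
    host = MAIL_ROUTES.get(domain_of(rcpt))
    if host is None:
        raise Rejected(f"no mail route for {domain_of(rcpt)}")
    return [(rcpt, host)]


if __name__ == "__main__":
    for addr in ("bob@example.com", "sales@example.com", "postmaster@example.com"):
        print(addr, "->", process_recipient(addr))
```

The depth limit guards against an alias table that loops back on itself, which is the one failure mode the re-entry behaviour introduces.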

Message Processing Order Summary

The following list summarizes the full order in which incoming messages are processed by the WatchGuard XCS:

SMTP Connection Checks

ƒ Reject on Threat Prevention

ƒ Reject on missing addresses

ƒ Reject if number of recipients exceeds maximum

ƒ Reject if message size exceeds maximum

ƒ Reject on unauth SMTP pipelining

ƒ Reject on expired license

ƒ Reject on Specific Access Pattern and Pattern Filter HELO

ƒ Reject on Specific Access Pattern and Pattern Filter Envelope-To

ƒ Reject on Specific Access Pattern and Pattern Filter Envelope-From

ƒ Reject on Specific Access Pattern and Pattern Filter Client IP

ƒ Connection Rules

ƒ Reject on DNS Block List (DNSBL)

ƒ Reject on ReputationAuthority reputation

ƒ Reject on ReputationAuthority infected

ƒ Reject on ReputationAuthority dial-up


At this point, local and trusted networks (including Specific Access Pattern Trust) will skip any remaining Reject checks.

ƒ Reject on Backscatter Detection

ƒ Reject on unknown sender domain

ƒ Reject on missing reverse DNS

ƒ Reject on missing sender MX

ƒ Reject on non-FQDN sender

ƒ Reject on unknown recipient

Message Checks

ƒ Very Malformed

ƒ Anti-Virus

ƒ Spyware detection

ƒ Pattern Filter Bypass (This action skips remaining checks)

ƒ Attachment Size Limits

ƒ Malformed messages

ƒ Attachment Control (Block)

ƒ Attachment Control (Strip: message will continue to be processed for other checks)

ƒ Outbreak Control

ƒ Objectionable Content Filtering

ƒ Pattern Filter (High priority)

ƒ Pattern Filter (Medium priority)

ƒ Trusted Senders List (Skips remaining checks)

ƒ Blocked Senders List

ƒ Pattern Filter (Low priority)

ƒ Content Scanning

ƒ Document Fingerprinting

ƒ Content Rules

ƒ Specific Access Patterns (Trusted will bypass Anti-Spam and allow mail relay)

ƒ Message Encryption (Trusted Only)

ƒ Trusted Network (Skips remaining checks)

Intercept Anti-Spam processing

ƒ SPF (Sender Policy Framework)

ƒ DomainKeys

ƒ DNS Block Lists

ƒ Mail Anomalies

ƒ Spam Words

ƒ ReputationAuthority Reputation

ƒ ReputationAuthority Dial-up

ƒ Token Analysis

ƒ Backscatter Detection

ƒ URL Block Lists


Message mappings and routing

ƒ Mail Mappings

ƒ Virtual Mappings

ƒ Relocated Users

ƒ Mail Aliases

ƒ Mail Routing

ƒ Message delivery to its final destination


2 System Administration

Connect to the WatchGuard XCS

The following web browsers are supported at a minimum screen resolution of 1024x768:

ƒ Internet Explorer 6 (Windows XP, Windows 2000, Windows 2003)

ƒ Internet Explorer 7 (Windows XP, Windows 2000, Windows 2003, Windows Vista)

ƒ Firefox 3.0 and greater (Windows, Linux, Mac)

To administer the WatchGuard XCS using the web browser administrative interface:

1. Launch a web browser on your computer.

2. Enter the IP address or hostname of the system as the URL in the location bar.

The login screen is displayed.

A security certificate notification appears in the browser because the system uses a self-signed certificate. It is safe to ignore the warning (Internet Explorer) or to add a certificate exception (Mozilla Firefox).

3. Enter your Username and Password.

When accessing the system for the first time after installation, the default settings are admin for the Username, and admin for the Password.


4. When logged in, the main Dashboard screen appears.

Navigate the Main Menu

The main menu consists of the following main categories:

Depending on your WatchGuard XCS system model and feature package, not all menu configuration items will be displayed.

Activity

The Activity menu provides a variety of information on system status and activity, including the main Dashboard, message history, mail queue and quarantine management, and reports and logs. This menu includes the following features:

Status

ƒ Dashboard

ƒ Status & Utility

ƒ Alarms

ƒ Cluster Alarms (if in a Cluster)

ƒ Cluster Activity (if in a Cluster)


ƒ CM Activity (on a CM Manager only)

ƒ Threat Prevention

History

ƒ Message History

ƒ System History

ƒ Connection History

Queue/Quarantine

ƒ Mail Queue

ƒ Message Quarantine

Reports

ƒ Schedule

ƒ View

ƒ Centralized Management (on a CM Manager only)

Logs

ƒ Mail

ƒ Web

ƒ System

ƒ Previous Searches

ƒ All

Security

The Security menu allows you to configure the system’s powerful security and content control features. This menu includes the following items:

Anti-Spam

The Anti-Spam menu allows you to configure the components of the system’s Anti-Spam features including Intercept, Reputation services, Threat Prevention, and Connection Controls. This menu includes the following features:

ƒ ReputationAuthority

ƒ Anti-Spam

ƒ Intercept Settings

ƒ Connection Control

ƒ Threat Prevention

Anti-Virus

The Anti-Virus menu includes message security scanning features such as Anti-Virus, Spyware, Outbreak Control, and Malformed Mail scanning:

ƒ Anti-Virus

ƒ Spyware

ƒ Outbreak Control

ƒ Malformed Mail


Content Control

The Content Control menu allows you to configure the system’s powerful content control features such as Attachment Control, Content Scanning, and other content filters. This menu includes the following features:

ƒ Attachment Control

ƒ Content Scanning

ƒ Objectionable Content

ƒ Document Fingerprinting

ƒ Content Rules

ƒ Pattern Filters

ƒ Dictionaries & Lists

Policies

The Policies menu allows you to configure system policies for access control and compliance. This menu includes the following features:

ƒ Policies

ƒ User Policy

ƒ Group Policy

ƒ Domain Policy

ƒ Diagnostics

Configuration

The Configuration menu allows you to configure several system settings and includes the following items:

Network

The network menu allows you to configure items related to the system’s networking features:

ƒ Interfaces

ƒ Virtual Interfaces

ƒ Performance

ƒ Static Routes

ƒ Web Server

ƒ External Proxy Server

ƒ SNMP

LDAP

The LDAP menu allows you to configure your Directory Services and related features that rely on LDAP:

ƒ Directory Servers

ƒ Directory Users

ƒ Web Users

ƒ Aliases

ƒ Mappings

ƒ Recipients

ƒ Relay

ƒ Routing


Mail

The mail menu allows you to configure features related to mail processing and delivery:

ƒ Access

ƒ Delivery

ƒ Routing

ƒ Aliases

ƒ Mapping

ƒ Virtual Mapping

ƒ Archiving

ƒ Domain Keys

ƒ POP3 and IMAP

ƒ Encryption

WebMail

The WebMail menu allows you to configure the Secure WebMail feature and related features that operate within the WatchGuard XCS WebMail client:

ƒ WebMail

ƒ Trusted/Block Senders

ƒ User Spam Quarantine

Web

The Web menu allows you to configure features specific to the HTTP Proxy:

ƒ HTTP/S Proxy

ƒ URL Categorization

Miscellaneous

The Miscellaneous menu allows you to configure the general settings of various features:

ƒ Logs

ƒ Reports

ƒ Customization

ƒ Alarms

ƒ Feature Display

Administration

The Administration menu contains items used by the system administrator to manage the system, including user account administration, backup and restore, software updates, and feature key management. This menu includes the following features:

Accounts

The User Accounts menu allows you to configure local user accounts and authentication:

ƒ Administrator

ƒ Local Accounts (or Tiered Admin if in a cluster)

ƒ Mirror Accounts

ƒ Delegated Domains

ƒ Relocated Users

ƒ Vacations

ƒ Remote Authentication

ƒ SecurID


Backup/Restore

The Backup/Restore menu allows you to backup and restore the system configuration and data:

ƒ Backup & Restore

ƒ Daily Backup

Software Updates

The Software Updates menu allows you to manage system software updates and the Security Connection:

ƒ Updates

ƒ Security Connection

Multi-System Management

The Multi-System Management menu allows you to configure multi-system features such as centralized management and mail queue replication:

ƒ Centralized Management

ƒ Configuration Set (if on a CM Manager)

ƒ Entities (if on a CM Manager)

ƒ Entity Status (if on a CM Entity)

ƒ Queue Replication

System

The System menu includes other system administrative settings such as feature keys and system certificates:

ƒ Feature Key

ƒ SSL Certificates

ƒ Reboot & Shutdown

Support

The Support menu offers several options for the administrator to obtain additional support for the product. This menu includes the following features:

ƒ Technical Support

ƒ Problem Reporting

ƒ ReputationAuthority

ƒ Online Access (main Web site)

ƒ Online Manual


WatchGuard XCS System Console

The system console supports a limited subset of administrative tasks and is only recommended for use during initial installation and network troubleshooting. Routine administration should be performed via the Web UI.

When accessing the console for the first time after installation, the default login credentials are admin for the UserID, and admin for the Password. The password can be changed from the browser administration interface.

Console activity screen

The console activity screen provides you with basic activity and statistics information for this system.

Press any key to log in to the console using the admin login credentials.

Admin Menu

The Admin menu contains the following options:

ƒ Exit — Exits the console.

ƒ Hardware Information — Displays the processor type, available memory, and network interface information.

ƒ Configure Interfaces — Allows you to modify the host and domain name, IP address, Gateway, DNS and NTP servers for all network interfaces.

ƒ Security Connection — Enables automatic software updates.

ƒ Shutdown — Shuts down the system.

ƒ Reboot — Shuts down and restarts the system.


Diagnostics Menu

The Diagnostics menu contains the following options:

ƒ Activity Display — Displays CPU usage, network traffic and mail message activity.

ƒ Ping — Allows you to test network connectivity to other systems via the ping utility. An IP address or host name can be used.

ƒ Traceroute — Displays the routing steps between the system and a destination host.

ƒ Reset Network Interface — Resets network interfaces. This function is useful for correcting connection issues.

ƒ Display Disk Usage — Displays the amount of used and available disk space.

ƒ Display System Processes — Displays information about processes running on the system.

Repair Menu

The Repair menu contains the following options:

ƒ Reset SSL Certificates — Sets certificate information back to the factory defaults. Any uploaded certificates or private keys will be lost.

ƒ Delete Strong Authentication for Admin — Removes strong authentication for the admin user login to allow you to use the console password.

Misc Menu

The Misc menu contains the following options:

ƒ Set Time and Date — Sets the time and date for the system.

ƒ Set Time Zone — Sets your local time zone settings.

ƒ Configure UPS — Allows you to configure the link to an Uninterruptible Power Supply (UPS) for automatic shutdown in the event of a power failure. A UPS keeps a system running for several minutes after a power outage, allowing the system to shut down gracefully. The signal is sent via a serial COM port on the WatchGuard XCS that is connected to the UPS.

ƒ UPS Protocol — Select the protocol for communicating with the UPS.

The system only supports APC type UPS systems.

ƒ Enable UPS Monitor — Select Yes to enable the UPS monitor. When monitoring is enabled, the WatchGuard XCS will detect alarms from the UPS that it is running on battery and will commence a graceful shutdown of the WatchGuard XCS. If this is set to No the system will not automatically shut down, and should be manually shut down before the UPS battery power is exhausted.

ƒ UPS Interface Port — Select the serial COM port on the WatchGuard XCS that is connected to the UPS.

ƒ Shutdown Interval — Enter the number of minutes (0-30) to wait before automatically shutting down the WatchGuard XCS.

ƒ Configure Web Admin — Modify the ports used to access the system web browser administration interface.


ƒ Configure Serial Console — Allows you to configure a serial port for using the console over a serial connection. You must set your terminal program to the following values to use the serial console:

ƒ VT100 Emulation

ƒ Baud Rate: 9600

ƒ Data Bits: 8

ƒ Parity: None

ƒ Stop Bits: 1

ƒ Flow Control: Hardware

Configure the Admin User

The primary admin account is created during the system installation. To modify the password or strong authentication settings for the admin user:

1. Select Administration > Accounts > Administrator.

2. In the User ID field, you can view and modify the current admin user name.

The admin user name cannot be deleted, but the account name can be modified. This helps prevent attempts to compromise the primary admin user name by allowing the administrator to use a nonstandard user name. It is recommended that you create additional admin users and use those accounts to manage the system instead of the primary admin account. The primary admin account password should then be written down and stored in a safe place.

3. In the Forward email to: field, enter an optional email address to forward mail to from this account.

4. Enter and confirm a Password for the admin user.

5. You can also configure Strong Authentication for the admin user.

These methods of authentication require a hardware token that provides a response to the login challenge. You can choose between the following types of secure authentication tokens:

ƒ CRYPTOCard

ƒ SafeWord

ƒ SecurID

A configuration wizard will guide you through the steps to configure the token for the specified authentication method. See “Strong Authentication” on page 256 for more information on strong authentication methods.

6. In the IP Access Control List (ACL) field, click the Edit button to enter a list of IP addresses or networks that are allowed admin access to this system.

ƒ Enter a specific IP address such as 192.168.1.250, or for a network address use 192.168.1.0 for the entire 192.168.1.0/24 network.

ƒ Click Add.

ƒ Admin access must also be enabled on a network interface (via Configuration > Network > Interfaces), in addition to the ACL access. Leave the IP access list undefined to limit admin access only via the network interface option.

7. Use Password Enforcement to strengthen the security of the admin and user accounts.

• Unrestricted — Allow any type of password for the admin account and user accounts. This is the default setting that is used after the initial system installation.

• Strong — Require that passwords for both admin accounts and user accounts be at least 6 characters in length and include a mix of alphabetic and non-alphabetic characters.

After you enable Strong password enforcement, existing or uploaded accounts whose passwords do not meet the requirement are not subject to it until the next time those passwords are modified.
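The combined effect of the IP ACL, the interface's admin-login option and Strong password enforcement, as an added Python example (not WatchGuard's code). It assumes, following the guide's 192.168.1.0 example, that a bare address with trailing .0 octets denotes a network of matching size; accepting CIDR entries and the sample addresses are my additions.

```python
"""Admin access sanity checks modelled on the Local Accounts settings above.

Added example, not WatchGuard code.  Assumption: a bare ACL entry whose
trailing octets are zero is treated as a network of matching size
(192.168.1.0 -> 192.168.1.0/24, as in the guide's example); explicit CIDR
such as 172.16.0.0/12 is also accepted here.
"""
import ipaddress


def parse_acl_entry(entry: str) -> ipaddress.IPv4Network:
    """Convert one ACL entry to a network.

    192.168.1.250 is a single host (/32); 192.168.1.0 covers the /24.
    The prefix length is derived from the number of trailing zero
    octets (assumption); CIDR entries are passed through unchanged.
    """
    entry = entry.strip()
    if "/" in entry:
        return ipaddress.IPv4Network(entry, strict=True)
    addr = ipaddress.IPv4Address(entry)
    trailing_zero_octets = 0
    for octet in reversed(addr.packed):
        if octet != 0:
            break
        trailing_zero_octets += 1
    prefix = 32 - 8 * trailing_zero_octets
    return ipaddress.IPv4Network((addr, prefix), strict=True)


def admin_access_allowed(client_ip: str, acl_entries, interface_admin_enabled: bool) -> bool:
    """Apply the two conditions the guide describes.

    Admin access must be enabled on the interface the client arrives on;
    if an ACL is defined the client must also match one of its entries.
    An undefined (empty) ACL leaves the interface option as the only gate.
    """
    if not interface_admin_enabled:
        return False
    if not acl_entries:
        return True
    client = ipaddress.IPv4Address(client_ip)
    return any(client in parse_acl_entry(e) for e in acl_entries)


def strong_password_ok(password: str) -> bool:
    """Strong enforcement: at least 6 characters, mixing alphabetic and
    non-alphabetic characters."""
    if len(password) < 6:
        return False
    has_alpha = any(c.isalpha() for c in password)
    has_non_alpha = any(not c.isalpha() for c in password)
    return has_alpha and has_non_alpha


def review_admin_config(acl_entries, interface_admin_enabled: bool, password: str) -> dict:
    """Summarise a planned configuration: the networks the ACL resolves to,
    whether the ACL is actually in effect, and whether the password passes."""
    return {
        "acl_networks": [str(parse_acl_entry(e)) for e in acl_entries],
        "acl_in_effect": bool(acl_entries) and interface_admin_enabled,
        "password_strong": strong_password_ok(password),
    }


if __name__ == "__main__":
    # Constructed sample: a management /24 plus one jump host, Strong passwords on.
    acl = ["192.168.1.0", "10.0.5.7"]
    for ip in ("192.168.1.33", "10.0.5.7", "10.0.5.8"):
        print(ip, "allowed" if admin_access_allowed(ip, acl, True) else "denied")
    print(review_admin_config(acl, True, "Adm1n-Pass"))
```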

Add additional administrative users

There is only one primary admin user account, but additional administrative users can be added using Tiered Administration. This feature allows you to configure another user with full admin rights, or with granular permissions that only give administrative rights to certain system options. For example, you may want to add a user who can administer reports or vacation notifications, but not have any other administrative access.

Granting full or partial admin access to one or more user accounts allows actions performed by administrators to be logged because they have an identifiable user ID that can be tracked by the system.

A user with Full Admin privileges cannot modify the profile of the default admin user. They can, however, edit other users with Full Admin privileges.

To add an administrative user:

1. Select Administration > Accounts > Local Accounts.

2. Click Add Admin User.

3. Enter a User ID.

4. Enter an optional Forward email to: address.

5. Enter and confirm a Password.

6. You can also set Strong Authentication methods, if required.

7. At the bottom of the Account Details screen is a section for Administrator Privileges where you can select the required administrative access for the user:

Full Admin

The user has administrative privileges equivalent to the admin user.

Delegated Domain Admin

The user has administrative privileges to a specific domain. No tiered admin permissions are available when this is enabled.

Administer Aliases

The user can add, edit, remove, upload, and download aliases (not including LDAP aliases.)

Administer Filter Patterns

The user can add, edit, remove, upload, and download Pattern Filters and Specific Access Patterns.

Administer Mail Queue

The user can administer mail queues.

Administer Quarantine

The user can view, delete, and release quarantined files.

Administer Reports

The user can view, configure, and generate reports, and view system activity.

Administer Users

The user can add, edit, and relocate user mailboxes (except the Full Admin users), including uploading and downloading user lists. User vacation notifications can also be configured.

Administer Vacations

The user can edit local users’ vacation notification settings and other global vacation parameters.

Message History

The user can view the message history database and perform quick searches of the recent Mail and Web activity on the Dashboard.

View Dashboard

The user can view the Dashboard screen. Tiered admins can only perform a quick search of the recent mail and web activity if Message History is also enabled.

View Alarms

The user can view the alarms in the alarms indicator and the local alarms screen, but cannot acknowledge them.

View System Logs

The user can view all system logs.

8. Click Create.

9. Select Configuration > Network > Interfaces.

10. Select the Admin & Web User Login and WebMail check boxes for the network interface to be used by tiered administration users.

See “Tiered Administration” on page 246 for more information on configuring admin access.

Admin automatic logout

The system will automatically log the admin user out if they have been logged in for 30 minutes without any activity.

Admin login lockout

If login credentials for an admin user are not properly entered after five times in a row, the account will be locked out for 30 minutes. This lockout can be reset by rebooting the system.

Web Server

The Web Server screen defines the settings used for connecting to the WatchGuard XCS via the Web UI. By default, the system’s web server uses port 80 for HTTP requests and port 443 for HTTPS requests. For secure WebMail and administration sessions, it is recommended that you leave the default SSL encryption enabled to force a connecting web browser to use HTTPS.

To configure your web server settings:

1. Select Configuration > Network > Web Server.

The following options are available:

Admin HTTP Port

Indicates the default port 80 for HTTP requests.

Admin HTTPS Port

Indicates the default port 443 for HTTPS requests.

The HTTP/HTTPS ports can only be modified on the system console.

Require SSL encryption

Requires SSL encryption for all user and administrator web sessions.

Allow low-grade encryption

Allow the use of low-grade encryption, such as DES ciphers with a key length of 64 bits, for encrypted user and administrator web sessions.

Enable SSL version 2

Enables SSL version 2 protocol. SSL version 2 contains known security vulnerabilities.

Enable SSL version 3

Enable SSL version 3 protocol. This is the default setting.

Enable TLS version 1

Enable TLS version 1 protocol. This is the default setting.

Character set encoding

Select the type of character encoding used for displaying HTML data. This encoding may need to be changed if viewing system dictionaries that use different encodings, such as ISO-8859-1.

2. Click Apply.

External Proxy Server

A proxy server may be used on your network to cache and proxy requests to systems external to your network.

If you are using features that must connect to the Internet for updates, the proxy server must be configured.

If you do not use an external proxy server, leave this option disabled.

The following features will utilize the external proxy server if one is configured:

• Kaspersky and McAfee Anti-Virus pattern updates

• Message encryption using a public key server

• ReputationAuthority sharing uploads

• URL Categorization control list downloads

• Security Connection features such as software and Intercept updates

• Feature key updates

To configure an external proxy server:

1. Select Configuration > Network > External Proxy Server.

2. Select the Use External Proxy Server check box.

3. Enter the Server Address, which is the IP address or host name of the proxy server.

4. Enter the Server Port number used by the proxy server.

5. Enter a User Name to log in to the proxy server if authentication is required.

6. Enter and confirm a Password for the user name on the proxy server.

7. Click Update.

Customize the Web UI Interface

The WatchGuard XCS interface logos can be easily customized by uploading your own organization’s custom logos to replace the system logo on the main login page, the administration screen logo (that is also used for the Web Portal), and the WebMail logo. The title bar of the login page can also be modified to display a customized title.

The administration screen logo will also appear on generated reports.

To customize a logo:

1. Select Configuration > Miscellaneous > Customization.

2. For the logo you want to customize, click Browse to choose a file, and then click Next to upload the file.

Most graphic formats are supported (GIF, JPEG, PNG, BMP), but it is recommended that you use graphics suitable for web page viewing such as GIF and JPEG. The maximum file size is 32k, with a recommended height of 40 pixels.

3. Click Finished.

You can always revert to the default system logo by selecting the Reset this Logo to the Default link.

Customize the HTTP Proxy End-user agreement

You can customize the HTTP Proxy End-User Agreement text that appears to users when they log in via the Web Portal. The Web Portal login screen appears to end users when IP Address Portal Authentication is enabled as the authentication method in the HTTP Proxy configuration.

The user must accept this agreement and successfully authenticate before being allowed to browse the Web via the HTTP Proxy.

The logo that appears on the Web Portal screen is the Administration screen logo.

To customize the agreement:

1. Select Configuration > Miscellaneous > Customization.

2. Edit the End-User Agreement text as required.

3. Click Finished.

Feature Display

You can choose to display or hide specific feature configuration entries in the main menu, the Dashboard, and the policy configuration.

For example, if you are not using Centralized Management, you can disable Display Centralized Management to prevent any Centralized Management options from displaying in the menus.

To enable or disable the display of features:

1. Select Configuration > Miscellaneous > Feature Display.

2. Enable or disable the Display Centralized Management check box as required.

3. Click Finished.

3 Mail Delivery Settings

Network Configuration

The basic networking information to get the system up and running on the network is configured during installation time. To perform more advanced network configuration and to configure other network interfaces, you must use the network interfaces configuration screen.

Using the network interfaces screen you can modify the following items:

• Hostname and Domain information

• Default Gateway

• Syslog Host

• DNS and NTP servers

• Network interface IP Address and feature access settings

• Clustering and Queue Replication interface configuration

• Web Proxy Bridging and Transparent Mode

• Support Access settings

If you make any modifications to your network settings, you must reboot the system. The system will prompt you to restart after clicking the Apply button.

To configure your network settings:

1. Select Configuration > Network > Interfaces.

2. Enter the Hostname (not the Fully Qualified Domain Name) of this system, such as hostname in the FQDN hostname.example.com.

3. Enter the Domain name, such as example.com.

4. In the Gateway field, enter the IP address of the default route for this system.

This is typically the external router connected to the Internet, or the network firewall’s interface if the system is located on the DMZ network.

5. Enter an optional Syslog Host if you use one on your network.

A syslog host collects and stores log files from many sources.

6. Enter a primary and any secondary Name Servers .

At least one DNS (Domain Name Service) name server must be configured for hostname resolution. It is recommended that secondary name servers be specified in the event the first DNS server is unavailable.

7. Select the Enable DNS Cache check box to enable DNS caching.

All configured DNS servers can be queried either in the order specified in the configuration, or by the fastest response. With this option enabled, the system determines which of the configured DNS servers is sending the fastest response, and caches the result. This option is enabled by default, which provides the best performance in most cases. Disable this option to use the configured DNS servers in the order they appear. If the first DNS server is unavailable the next configured server will be contacted.

Customers that use their ISP DNS servers configured as failover DNS servers should disable DNS caching. This option should also be disabled if you use external proxy servers for system updates (such as Anti-Virus).

8. The Block Reserved Reverse Lookups check box prevents private reserved IP addresses from being used in a reverse lookup to a DNS server. This option is enabled by default.

Only disable this option if reverse lookups for reserved addresses are required in your network environment. When this option is disabled, the system queries internal reserved addresses, such as the network interfaces (including the cluster interface), to its configured DNS server. In most cases, this DNS server will be a private, internal DNS server. In some environments, an organization may be using an external DNS server (such as an ISP DNS server), and it may not be desirable to perform reverse lookups for internal addresses in this case.

9. In the NTP Server fields, enter a primary and any secondary time servers.

NTP (Network Time Protocol) is critical for accurate timekeeping system services. It is recommended that secondary NTP servers be specified in the event the primary NTP server is unavailable.

Network interface configuration

For each network interface, you can set the following options:

1. Enter an IP Address for this interface, such as 10.0.1.10.

2. Enter the Netmask for this interface, such as 255.255.0.0.

3. Select the Media type for the network card.

Use Auto select for automatic configuration.

4. There are several additional options that can be enabled on a network interface.

Some of the following options will not be displayed unless the related feature is enabled.

Large MTU

Sets the MTU (Maximum Transfer Unit) to 1500 bytes. This may improve performance connecting to servers on the local network. Large MTU should be enabled if you are using the HTTP Proxy.

The default MTU is 576 bytes. For most organizations, the default option of 576 bytes is adequate.

This option should only be changed if needed and in consultation with a Technical Support representative.

Respond to Ping and ICMP Redirect

Allows ICMP ping requests to this interface. This will allow you to perform network connectivity tests to this interface, but will cause this interface to be more susceptible to denial of service ping attacks.

Trusted Subnet

If selected, all hosts on this subnet are considered trusted for relaying and anti-spam processing.

See “Trusted and Untrusted Mail Sources” on page 164 for more details on trusted subnets.

Admin and Web Login

Allows access to this interface for administrative purposes, including tiered admin users and Web users.

WebMail

Allows access to WebMail via this interface, including the WebMail client, Secure WebMail, Tiered Admin, User Spam Quarantine, and Trusted/Blocked Senders List access.

IMAPS Server

Allows secure access to the internal IMAP server via this interface.

IMAP Server

Allows access to the internal IMAP server via this interface.

POP3S Server

Allows secure access to the internal POP3 server via this interface.

POP3 Server

Allows access to the internal POP3 server via this interface.

SNMP Agent

Allows access to the SNMP agent via this interface.

Centralized Management

Enables Centralized Management on this interface.

HTTP/HTTPS Proxy

Enables access to the HTTP proxy on this interface.

5. Click Apply to save your network settings.

The system must be rebooted to allow the network settings to take effect.

Advanced parameters

The following advanced networking parameters are TCP extensions that improve the performance and reliability of communications.

Enable RFC 1323

Enable RFC 1323 TCP extensions to improve performance and provide reliable operation over high-speed paths. This is enabled by default, and should only be disabled if you are experiencing networking problems with certain hosts.

Path MTU Discovery (RFC 1191)

Disable Path MTU (Maximum Transfer Unit) if required to resolve delivery problems when interconnecting between specific firewalls and SMTP proxies. Path MTU is enabled by default.

Clustering

The Clustering section is used to enable clustering on a specific network interface. See “Clustering” on page 331 for more information on configuring clustering.

To enable clustering:

1. Select Configuration > Network > Interfaces.

2. Go to the Clustering section.

3. Select the Enable Clustering check box.

4. Select the Cluster Interface that is connected to the cluster network.

5. Click Apply.

The system will reboot.

Transparent mode and bridging

The Web Proxy feature offers a Transparent Mode to integrate the Web Proxy more easily into existing environments with minimal network reconfiguration. In a typical Transparent Mode implementation, the Web Proxy system sits inline between the primary internal switch or router and an existing network firewall. This enables the Web Proxy to act as a bridge for all non-local traffic, except selected HTTP traffic that is proxied.

Packet inspection is performed on all traffic to determine if data should be proxied or bridged.

See “Transparent Mode” on page 219 for more detailed information.

To configure Transparent Mode bridging for the Web Proxy:

1. Select Configuration > Network > Interfaces.

2. Go to the Bridging and Transparent Mode sections.

3. Select the Enable Bridging check box. This option must be selected for Transparent Mode to work properly.

When bridging is enabled you must select two network interfaces for the bridge.

Select a network interface to be used as the Bridge In Interface in Transparent Mode.

For greater security and performance, this interface should be on a dedicated, non-routable subnet.

This interface must be assigned an IP address and have the HTTP/HTTPS Proxy access and Large MTU check boxes enabled before it is selected as the Bridge In interface. This IP address will be used as the address for the entire bridge interface.

4. Select a Bridge Out Interface in Transparent Mode.

For greater security and performance, this interface should be on a dedicated, non-routable subnet.

This interface does not require an IP address and will be configured automatically for use with the bridge.

5. Select the Enable Transparent Mode check box.

6. Click Apply.

The system will reboot.

Support Access

Support Access allows technical support to connect to this system from the specified IP address. This setting does not need to be enabled during normal usage, and should only be enabled if requested by technical support.

For security reasons, Support Access communications use SSH (Secure Shell) to establish a secure connection via PKI (Public Key Infrastructure) encryption on a non-standard network port. Support Access will only allow a connection to be made from the WatchGuard network.

If Support Access is enabled and the system is installed behind a network firewall, you must open up TCP port 10101 for support access to work.

To install and enable Support Access:

1. Select Administration > Software Updates > Updates.

2. Select the support_access update.

3. Click Install.

The system will reboot.

4. Select Configuration > Network > Interfaces.

5. Go to the Support Access section.

6. Enable the Support Access check box to allow support access on this system.

Support access will only be allowed to originate from the specified Support Access IP Address. The IP address is provided by technical support.

7. Using the Support Access I/F drop-down box, select the network interface on which you want to allow support access.

8. Click Apply.

Virtual Interfaces

Virtual Interfaces are used by the system to define additional interfaces and IP addresses to send and receive mail for specific domains. These Virtual Interfaces are associated with the existing physical network interfaces on this system.

The system will send all outbound email for a specific domain using its specified IP address in the Virtual Interfaces configuration. The system selects the Virtual Interface to use for outgoing mail by matching the sender's domain to the domains associated with the configured Virtual Interfaces. If no Virtual Interface domains match the domain of the sender, or if using the Virtual Interface results in a non-network connection, the system will send the mail via its normal outbound interface.

The system will also accept inbound email arriving via this Virtual Interface's IP address. When a mail server connects to SMTP port 25 on a Virtual Interface, the customized banner for that interface will be communicated. If no banner has been specified, the default system banner will be used (configured via Configuration > Mail > Access).

Only TCP port 25 can be used for sending and receiving mail on a Virtual Interface. Virtual Interfaces can be pinged if ping is enabled on the corresponding physical network interface. Due to their nature, Virtual Interfaces cannot be pinged from the Status & Utility screen, and cannot be used when the Web Proxy is in Transparent Mode. Virtual Interfaces can only be configured on up to five different physical network interfaces.

Domains using Virtual Interfaces can be used with Domain-based policies to provide flexibility in creating security and content policies for specific domains.

The system supports up to 175 Virtual Interfaces. This feature does not currently support IDN (Internationalized Domain Names).

Network Routing of Virtual Interfaces

Virtual Interfaces are routed through:

• A physical interface that shares the same subnet as the Virtual Interface.

• The physical interface that can reach a host specified through a static route.

• The current default route (through the physical interface that connects to the default router).

If your system has these settings:

• Interface 1: 192.168.1.10/24

• Interface 2: 172.16.1.10/16

• Default Gateway/Router: 172.16.1.1

Adding a Virtual Interface of 192.168.1.20 will route via Interface 1.

Adding a Virtual Interface of 172.16.1.20 will route via Interface 2.

Adding a Virtual Interface of 10.10.1.20 will route via Interface 2 through the default gateway.

If the Virtual Interface has no corresponding physical interface displayed, there is no valid route through any physical interface, and the Virtual Interface will be disabled.

To configure Virtual Interfaces:

1. Select Configuration > Network > Virtual Interfaces.

2. Upload a Virtual Interface list in CSV format that contains comma or tab separated entries in the form:

[domain],[IP Address],[Banner message]

For example: example1.com,10.2.45.10,example1.com ESMTP

The file (vip.csv) should be created in CSV file format using a text editor.

It is recommended that you download the file first by clicking the Download File button, editing it as required, and uploading it using the Upload File button.

A standards-compliant banner should, at minimum, contain the domain name and the keyword ESMTP, such as “example.com ESMTP”. Extra informational text after the ESMTP keyword is optional, such as “example.com ESMTP Authorized Users Only”.

3. For each domain that will be used with Virtual Interfaces, select Configuration > Mail > Routing to define a mail route to a destination mail server.

Virtual mappings can also be used for mail routing.

DNS MX records must be published for any Virtual Interfaces. Local network devices such as the default external router must also be properly configured to route traffic to and from the Virtual Interfaces.
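A check for a vip.csv list before upload, as an added Python example (not WatchGuard's code): it parses the [domain],[IP Address],[Banner message] entries, flags banners that lack the domain plus ESMTP keyword, and applies the three routing rules from "Network Routing of Virtual Interfaces" to report which physical interface carries each Virtual Interface. The interfaces, static route and CSV lines are constructed for the demo; reporting a Virtual Interface with no route as disabled follows the guide, and an empty banner is taken to mean the system default banner.

```python
"""Virtual Interface list check (added example, not WatchGuard code).

Parses vip.csv entries ([domain],[IP Address],[Banner message], comma or
tab separated), checks banner compliance (domain then ESMTP), and selects
the physical interface using the guide's order: shared subnet, then a
static route, then the default route.  Topology and file content below are
constructed; no network access is performed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class PhysicalInterface:
    name: str
    address: ipaddress.IPv4Interface  # e.g. 192.168.1.10/24


@dataclass
class StaticRoute:
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address


def parse_vip_csv(text: str):
    """Return (domain, ip, banner) tuples; blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in re.split(r"[,\t]", line, maxsplit=2)]
        if len(parts) < 2:
            raise ValueError(f"vip.csv line {lineno}: need a domain and an IP address")
        banner = parts[2] if len(parts) == 3 else ""
        entries.append((parts[0].lower(), ipaddress.IPv4Address(parts[1]), banner))
    return entries


def banner_is_compliant(domain: str, banner: str) -> bool:
    """Minimum: the domain, then ESMTP; extra text after ESMTP is optional."""
    if banner == "":
        return True  # the default system banner is used
    words = banner.split()
    return len(words) >= 2 and words[0].lower() == domain.lower() and words[1] == "ESMTP"


def route_for_vip(vip, interfaces, static_routes, default_gateway) -> Optional[str]:
    """Pick the physical interface per the guide's order of preference."""
    # 1. A physical interface that shares the Virtual Interface's subnet.
    for nic in interfaces:
        if vip in nic.address.network:
            return nic.name
    # 2. A static route whose gateway is reachable from a physical interface.
    for route in static_routes:
        if vip in route.network:
            for nic in interfaces:
                if route.gateway in nic.address.network:
                    return nic.name
    # 3. The default route, through the interface that reaches the default router.
    for nic in interfaces:
        if default_gateway in nic.address.network:
            return nic.name
    return None  # no valid route: the Virtual Interface is disabled


def check_vip_list(text, interfaces, static_routes, default_gateway):
    """Combine parsing, banner check and route selection into one report."""
    report = []
    for domain, ip, banner in parse_vip_csv(text):
        report.append({
            "domain": domain,
            "ip": str(ip),
            "banner_ok": banner_is_compliant(domain, banner),
            "interface": route_for_vip(ip, interfaces, static_routes, default_gateway),
        })
    return report


# Constructed topology matching the guide's routing example, plus one static route.
INTERFACES = [
    PhysicalInterface("Interface 1", ipaddress.IPv4Interface("192.168.1.10/24")),
    PhysicalInterface("Interface 2", ipaddress.IPv4Interface("172.16.1.10/16")),
]
STATIC_ROUTES = [StaticRoute(ipaddress.IPv4Network("10.20.0.0/16"),
                             ipaddress.IPv4Address("192.168.1.1"))]
DEFAULT_GATEWAY = ipaddress.IPv4Address("172.16.1.1")

# Constructed vip.csv content: comma- and tab-separated entries, one bad banner.
SAMPLE_VIP_CSV = (
    "example1.com,192.168.1.20,example1.com ESMTP\n"
    "example2.com\t172.16.1.20\texample2.com ESMTP Authorized Users Only\n"
    "example3.com,10.20.7.1,mail gateway\n"
    "example4.com,10.10.1.20,example4.com ESMTP\n"
)

if __name__ == "__main__":
    for row in check_vip_list(SAMPLE_VIP_CSV, INTERFACES, STATIC_ROUTES, DEFAULT_GATEWAY):
        print(row)
```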

Virtual interfaces and trusts

Email arriving via a Virtual Interface is considered untrusted by the system for anti-spam and security processing. To configure a client as trusted, use a Specific Access Pattern or Pattern Filter to trust the client connecting on that Virtual Interface.

To trust a client using a Specific Access Pattern:

1. Select Configuration > Mail > Access.

2. Click the Add Pattern button.

3. Enter the IP address of the client in the Pattern field.

4. Select the Client Access check box.

5. Select Trust in the If pattern matches field.

6. Click Apply.

Static Routes

Static routes are required if the messaging servers to which messages must be relayed are located on another network, such as behind an internal router, firewall, or accessed via a VPN.

To add a static route:

1. Select Configuration > Network > Static Routes.

2. Enter the Network address, Mask, and Gateway for the static route.

3. Click New Route.

Mail Routing

The WatchGuard XCS, by default, accepts mail addressed directly to it and delivers it to local mailboxes. Use the Mail Routing screen to configure additional domains for which mail will be accepted and routed, and the destination mail servers to which messages for those domains will be routed.

To add and configure Mail Routes:

1. Select Configuration > Mail > Routing.

2. Select the Sub check box to accept and relay mail for subdomains of the specified domain.

3. Enter the Domain for which mail is to be accepted, such as example.com.

4. Enter the Route-to address for the server to which mail will be delivered, such as 10.0.2.25.

This will be the address of an internal mail server.

5. Enter the Port on which to deliver mail to this server.

The default is SMTP port 25.

6. Select the MX check box if you need to look up the mail routes in DNS before delivery.

If this option is not enabled, MX records will be ignored. You do not need to select this item unless you are using multiple mail server DNS entries for load balancing and failover purposes. By checking the MX record, DNS will be able to send the request to the next mail server in the list.

7. Select the KeepOpen check box to ensure that each mail message to the domain will not be removed from the active queue until delivery is attempted, even if the preceding mail failed or was deferred.

This setting ensures that local mail servers receive high priority.

The KeepOpen option should only be used for domains that are usually very reliable. If the domain is unavailable, it may cause system performance problems due to excessive error conditions and deferred mail.

8. A list of domains can also be uploaded in one text file. The file must contain comma or tab separated entries in the form:

[domain],[route],[port],[ignore_mx],[subdomains_too],[keepopen]

For example: example.com,10.10.1.1,25,on,off,off

The file (domains.csv) should be created in CSV file format using a text editor. It is recommended that you download the domain file first by clicking Download File, editing it as required, and uploading it using the Upload File button.

Subdomain routing via MX lookup

The system can route and deliver messages to subdomains based upon an MX record lookup using the domain portion of the RCPT TO: field of a message.

In the Mail Routing configuration, administrators can specify “any” or “ANY” in the Route-to field. The system will perform an MX lookup on the specified subdomain, and then the message will be delivered based on a DNS A record lookup for the destination host.

When defining the Route-to field as “any” or “ANY”, the following default values will be assumed, and changing them in the user interface will have no effect.

• The default Port will be 25

• The MX option will be enabled

• The KeepOpen option will be disabled
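Parsing a domains.csv upload and resolving a recipient's route, as an added Python example (not WatchGuard's code): it reads the [domain],[route],[port],[ignore_mx],[subdomains_too],[keepopen] entries, applies the fixed defaults stated above for a Route-to of "any"/"ANY", and honours the Sub flag when matching subdomains. The sample file and recipients are constructed; accepting on/off style flag spellings and letting the most specific parent domain win for nested routes are choices made here, not documented appliance behaviour.

```python
"""Mail-route file handling (added example, not WatchGuard code).

Parses domains.csv entries, forces the guide's ANY defaults (port 25, MX
enabled, KeepOpen disabled) regardless of what the file says, and shows
which route a recipient domain would take.  No DNS is queried.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class MailRoute:
    domain: str
    route_to: str        # host/IP, or "any" for MX-based subdomain routing
    port: int
    ignore_mx: bool      # file flag; the UI's MX check box is its inverse
    subdomains_too: bool
    keepopen: bool


def _flag(value: str, lineno: int) -> bool:
    # on/off is the guide's spelling; the other forms are accepted here by choice.
    v = value.strip().lower()
    if v in ("on", "yes", "true", "1"):
        return True
    if v in ("off", "no", "false", "0"):
        return False
    raise ValueError(f"domains.csv line {lineno}: bad flag {value!r}")


def parse_domains_csv(text: str) -> List[MailRoute]:
    routes = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in re.split(r"[,\t]", line)]
        if len(parts) != 6:
            raise ValueError(f"domains.csv line {lineno}: expected 6 fields, got {len(parts)}")
        domain, route_to, port, ignore_mx, sub, keepopen = parts
        domain = domain.lower().rstrip(".")
        if route_to.lower() == "any":
            # Route-to ANY: port 25, MX enabled (ignore_mx off), KeepOpen off are fixed.
            routes.append(MailRoute(domain, "any", 25, False, _flag(sub, lineno), False))
        else:
            routes.append(MailRoute(domain, route_to, int(port), _flag(ignore_mx, lineno),
                                    _flag(sub, lineno), _flag(keepopen, lineno)))
    return routes


def _domain_of(recipient: str) -> str:
    return recipient.rsplit("@", 1)[-1].lower().rstrip(".")


def find_route(routes: List[MailRoute], recipient: str) -> Optional[MailRoute]:
    """Exact domain match wins; otherwise the longest parent domain with Sub set.
    None means the system has no route for this domain."""
    domain = _domain_of(recipient)
    best = None
    for r in routes:
        if r.domain == domain:
            return r
        if r.subdomains_too and domain.endswith("." + r.domain):
            if best is None or len(r.domain) > len(best.domain):
                best = r
    return best


def delivery_plan(route: MailRoute, recipient: str) -> dict:
    """What delivery would resolve: for ANY routes the recipient's own domain is
    looked up via MX; otherwise the configured Route-to host and port."""
    if route.route_to == "any":
        return {"lookup": _domain_of(recipient), "port": 25, "mx_lookup": True, "keepopen": False}
    return {"lookup": route.route_to, "port": route.port,
            "mx_lookup": not route.ignore_mx, "keepopen": route.keepopen}


# Constructed domains.csv: the guide's example line, an ANY route carrying
# non-default values the appliance would ignore, and a tab-separated entry.
SAMPLE_DOMAINS_CSV = (
    "example.com,10.10.1.1,25,on,off,off\n"
    "example.org,ANY,2525,on,on,on\n"
    "corp.example.net\t10.10.1.5\t2525\toff\ton\ton\n"
)

if __name__ == "__main__":
    routes = parse_domains_csv(SAMPLE_DOMAINS_CSV)
    for rcpt in ("a@example.com", "b@sub.example.com", "c@sales.example.org", "d@mail.corp.example.net"):
        r = find_route(routes, rcpt)
        print(rcpt, "->", "no route" if r is None else delivery_plan(r, rcpt))
```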

Subdomain routing and DNS caching

If DNS caching is enabled, a cached DNS entry may cause a message to be delivered to an incorrect host if the DNS entry is modified. It is recommended that the Enable DNS Cache option be disabled (via Configuration > Network > Interfaces) if using DNS MX lookups for subdomain routing. This may cause a slight decrease in performance of DNS lookups, but will ensure the correct route will be used if a change is made to a DNS record.

LDAP routing

Click the LDAP Routing button to define mail routes using an LDAP directory server. This is the preferred method for mail routing for organizations with a large number of domains. See “LDAP Routing” on page 87 for more detailed information on using LDAP for mail routing.

Add rules for relays

To allow internal mail systems to relay mail outbound via this system, a Specific Access Pattern must be set up for the system.

1. Select Configuration > Mail > Access.

2. Click the Add Pattern button.

3. Enter the IP address of the system in the Pattern field.

4. Select Client Access.

5. Select Trust in the If pattern matches field.

6. Click Apply.

Mail Delivery Settings

The Mail Delivery settings screen allows you to configure parameters related to accepting, relaying, and delivering mail messages.

Select Configuration > Mail > Delivery to configure your mail delivery settings.

Delivery settings

Maximum time in mail queue

Enter the number of days for a message to stay in the queue before being returned to the sender as “undeliverable”. The default is 5 days.

Maximum time in queue for bounces

Enter the number of days a system-generated bounce message (from MAILER-DAEMON) is queued before it is considered undeliverable. Default is 5 days. Set this value to 0 to attempt delivery of bounce messages only once.

Maximum original message text in bounces

Enter the maximum amount (in bytes) of original message text that is sent in a non-delivery notification. Range is 10 to 1000000000. If this field is left blank, the default is set to 5000 bytes.

Time before delay warning

Number of hours before issuing the sender a notification that mail is delayed. Set to “0” to disable this option. The default is 4 hours.

Time to retain undeliverable notice mail

The number of hours to keep undeliverable notice mail that is addressed to the external mail server’s MAILER-DAEMON. These messages are typically notifications sent to mail servers with invalid return addresses and can be safely purged. Leave this value blank for no special processing.

Deliver mail to local users

Disable this option to prevent mail delivery to local accounts configured on the WatchGuard XCS. The postmaster (admin) account will not be affected by this setting.

Allow “-” as the first character

Allows a recipient address to have a “-” character as the first character in the address, such as “[email protected]”.

Gateway features

Masquerade Addresses

Masquerades internal host names by rewriting headers to only include the address of this system.

Strip Received Headers

Strips all Received headers from outgoing messages.

Default mail relay

Relay To

(Optional) Enter an optional hostname or IP address of a mail server (not this system) to relay mail to for all email with unspecified destinations. A recipient’s email domain will be checked against the Mail Routing table and, if the destination is not specified, the email will be sent to the Default Mail Relay server for delivery. This option is usually used when the system cannot deliver email directly to remote mail servers. If you are setting up this system as a dedicated WebMail system, and all mail originating from this system should be forwarded to another mail server for delivery, then specify the destination mail server here.

Do not enter the name of your system as this will cause a relay loop.

SMTP Port

Enter the SMTP port used to deliver mail to the relay. The default is 25.

Ignore MX record

Enable this option to prevent an MX record lookup for this host to force relay settings.

Enable Client Authentication

Enable client SMTP authentication for relaying mail to another mail server. This option is only used in conjunction with the default mail relay feature. This allows the system to authenticate to a server that it is using to relay mail. With this configuration, connections to the default mail relay are authenticated, while connections to other mail routes are not.

User ID

Enter a User ID to login to the relay mail server.

Password

Enter and confirm a password for the specified User ID.

Failback mail relay

Relay To

Enter an optional hostname or IP address of a mail server (not this system) to be used as the failback server. In the event the default mail relay is unavailable, the failback server will relay mail for all email with unspecified destinations.

SMTP Port

Enter the SMTP port used to deliver mail to the relay. The default is 25.

Ignore MX record

Enable this option to prevent an MX record lookup for this host to force relay settings.


BCC (Blind carbon copy) all mail

The system offers an archiving feature for organizations that require storage of all email that passes through their corporate mail servers. This option sends a blind carbon copy (BCC) of each message that passes through the system to the specified address. This address can be local or on any other system. Once copied, the mail can be effectively managed and archived from this account. You must also specify an address that will receive error messages if there are problems delivering the BCC messages.

Annotations and delivery warnings

Administrators can enable and customize Annotations that are appended to all emails and customize Delivery Failure and Delivery Delay warning messages.

Some mail clients will display notifications and annotations as attachments to a message rather than in the message body.


Separate annotations can be enabled for different users, domains, and groups using Policies.


System variables for annotations and notifications

The variables in the messages, such as %PROGRAM% and %HOSTNAME%, are local system settings that are automatically substituted at the time the message is sent.

Not all variables will work with all notification features. None of the system variables can be used with the SMTP Banner or SMTP Content Reject message.

The following system-wide variables are available:

%PROGRAM% or %PRODUCT%

Product name. Example: WatchGuard XCS

%HOSTNAME%

Hostname entered on the Network Settings screen. Example: mail.example.com

%POSTMASTER_MAIL_ADDR%

Email address of the admin user. Example: [email protected]

%DISPN%

Disposition or Action for a message. Applicable only to notifications for message content security and management features such as Anti-Virus, Attachment Control, Malformed Mail, etc. Cannot be used in Delivery failure notifications. Example: quarantined

%DELAY_WARN_TIME%

Time before Delay Warning. Only applicable in Configuration > Mail > Delivery in the Delivery Delay Warning section. Example: 4 hours

%MAX_QUEUE_TIME%

Maximum Time in Mail Queue. Only applicable in Configuration > Mail > Delivery in the Delivery Delay Warning section. Example: 5 days

%S_YOU% (%SENDER%)

The mail address of the sender. Applicable only to notifications for message content security and management features such as Anti-Virus, Attachment Control, Malformed Mail, etc. Cannot be used in Delivery failure notifications. Example: [email protected]

%R_YOU% (%RECIPIENT%)

The mail address of the recipient. Applicable only to notifications for message content security and management features such as Anti-Virus, Attachment Control, Malformed Mail, etc. Cannot be used in Delivery failure notifications. Example: [email protected]

%SPAM_FOLDER%

The name of the spam folder for the user spam quarantine. Only applicable to the User Spam Quarantine feature. Example: spam_quarantine

%SPAM_EXPIRY%

The number of days before quarantined spam is expired. Only applicable to the User Spam Quarantine feature. Example: 30

%SPAM_MESSAGES%

The information for a spam message (Date, From, Subject). Only applicable to the User Spam Quarantine. Example: 05/27/09, [email protected], File for you

%WEBMAIL_URL%

The URL of the configured WebMail server. Only applicable to the User Spam Quarantine and other features that use WebMail. Example: http://hostname.example.com/

%NUMSPAM%

Number of spam messages in the spam folder. This information is sent in a spam summary digest and is only applicable to the User Spam Quarantine. Example: 20

%NUMSPAMSTAT%

Number of spam messages and bytes used in the spam folder. This information is sent in a spam summary digest and is only applicable to the User Spam Quarantine. Example: 20,10000
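The substitution rules described above, as an added example (not the XCS implementation): a small renderer that replaces %VARIABLE% placeholders and reports any variable the table says is not valid for the kind of message being rendered, such as %DISPN% in a delivery failure notification or any variable in the SMTP banner. The template-type names, the grouping of variables into allow sets, and all sample values are constructed assumptions.

```python
"""Substitute %VARIABLE% placeholders in a notification template and flag variables
that are not valid for that template type. Added example modelling the table above."""
import re
from typing import Dict, List, Tuple

COMMON = {"PROGRAM", "PRODUCT", "HOSTNAME", "POSTMASTER_MAIL_ADDR"}
CONTENT_ONLY = {"DISPN", "S_YOU", "SENDER", "R_YOU", "RECIPIENT"}
DELAY_ONLY = {"DELAY_WARN_TIME", "MAX_QUEUE_TIME"}
QUARANTINE_ONLY = {"SPAM_FOLDER", "SPAM_EXPIRY", "SPAM_MESSAGES",
                   "WEBMAIL_URL", "NUMSPAM", "NUMSPAMSTAT"}

# Which variables each kind of template may use (template-type names are assumed).
ALLOWED: Dict[str, set] = {
    "content_notification": COMMON | CONTENT_ONLY,   # Anti-Virus, Attachment Control, ...
    "delivery_delay_warning": COMMON | DELAY_ONLY,
    "delivery_failure": COMMON,                      # no %DISPN%, %S_YOU% or %R_YOU%
    "spam_digest": COMMON | QUARANTINE_ONLY,         # User Spam Quarantine summaries
    "smtp_banner": set(),                            # no variables at all
    "smtp_content_reject": set(),
}

# Alternate spellings map to one value.
ALIASES = {"PRODUCT": "PROGRAM", "SENDER": "S_YOU", "RECIPIENT": "R_YOU"}
PLACEHOLDER = re.compile(r"%([A-Z_]+)%")


def render(template: str, template_type: str, values: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return the rendered text and a list of problems. A placeholder that is not
    valid for this template type, or that has no value, is left as-is and reported."""
    allowed = ALLOWED[template_type]
    problems: List[str] = []

    def substitute(match):
        name = match.group(1)
        if name not in allowed:
            problems.append(f"%{name}% is not valid in a {template_type} template")
            return match.group(0)
        key = ALIASES.get(name, name)
        if key not in values:
            problems.append(f"no value for %{name}%")
            return match.group(0)
        return str(values[key])

    return PLACEHOLDER.sub(substitute, template), problems


# Constructed sample values, one per canonical variable name.
SAMPLE_VALUES = {
    "PROGRAM": "WatchGuard XCS", "HOSTNAME": "mail.example.com",
    "POSTMASTER_MAIL_ADDR": "postmaster@example.com", "DISPN": "quarantined",
    "S_YOU": "sender@example.net", "R_YOU": "user@example.com",
    "DELAY_WARN_TIME": "4 hours", "MAX_QUEUE_TIME": "5 days",
}

if __name__ == "__main__":
    text, issues = render("%PRODUCT% on %HOSTNAME%: message from %SENDER% was %DISPN%.",
                          "content_notification", SAMPLE_VALUES)
    print(text, issues)
```

Leaving an invalid placeholder in place rather than silently dropping it makes a misconfigured template visible in the delivered notification, which is easier to spot than an empty field.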


Advanced mail delivery options

Click the Advanced button to reveal additional options for Advanced SMTP Settings, SMTP notifications, and the Received Header.

Advanced SMTP settings

The following advanced SMTP settings can be configured:

SMTP Pipelining

Select the check box to disable SMTP Pipelining when delivering mail. Some mail servers may experience problems with SMTP command pipelining. You may have to disable this feature if required.

ESMTP

Select the check box to disable ESMTP (Extended SMTP) when delivering mail. Some mail servers may not support ESMTP. You may have to disable this option if experiencing problems.

Disabling ESMTP will disable TLS encryption on outgoing connections.

HELO required

Enable this option to require clients to initiate their SMTP session with a standard HELO/EHLO sequence. It is recommended that you leave this feature enabled. It should only be disabled when experiencing problems with sending hosts that do not use a standard HELO message.

Content Reject Message

This is the text part of the SMTP 552 error message that is reported to clients when message content is rejected because the maximum message size has been exceeded.

Multiple Recipient Reject Mode

Indicates the reject handling of messages with multiple recipients. This option only applies to features with reject actions such as Malformed and Very Malformed Mail, Attachment Control, Content Scanning, Pattern Filters, OCF, Anti-Virus, and Intercept Anti-Spam features, including those used within a policy.

• All — Reject the message if all recipients reject the message. If some but not all of the recipients reject the message, the message will be discarded without notification to the sender for those recipients that rejected the message.

• Any — Reject the message if any recipient rejects the message.

• Never — The message will never be rejected, regardless of any configured reject actions. For recipients that rejected the message, the message will be discarded without notification to the sender.
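The three modes above, as an added example that models the documented behaviour and is not the XCS code: given a per-recipient verdict (did a reject action fire for that recipient), the function returns whether the whole message is rejected at SMTP level, who still receives it, and for whom it is silently discarded. Recipient addresses are constructed.

```python
"""Model of the three Multiple Recipient Reject Modes. Added illustration only."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class RejectMode(Enum):
    ALL = "all"      # reject only if every recipient rejects
    ANY = "any"      # reject if any recipient rejects
    NEVER = "never"  # never reject; discard for rejecting recipients


@dataclass
class Outcome:
    rejected: bool                                        # SMTP-level reject: the sender is told
    deliver_to: List[str] = field(default_factory=list)   # recipients who receive the message
    discard_for: List[str] = field(default_factory=list)  # dropped silently, no sender notice


def resolve(mode: RejectMode, verdicts: Dict[str, bool]) -> Outcome:
    """verdicts maps each recipient to True when a reject action (for example an
    Attachment Control or Anti-Virus rule in that recipient's policy) fired."""
    rejecting = [r for r, fired in verdicts.items() if fired]
    accepting = [r for r, fired in verdicts.items() if not fired]
    if not rejecting:
        return Outcome(False, accepting, [])
    if mode is RejectMode.ANY:
        return Outcome(True)
    if mode is RejectMode.ALL and not accepting:
        return Outcome(True)
    # NEVER, or ALL with a partial reject: the message is silently discarded
    # for the rejecting recipients and still delivered to the rest.
    return Outcome(False, accepting, rejecting)


if __name__ == "__main__":
    sample = {"alice@example.com": True, "bob@example.com": False}
    for mode in RejectMode:
        print(mode.value, resolve(mode, sample))
```

The operational point the model makes visible: in Never mode, and in All mode with a mixed verdict, the sender receives no SMTP error and no bounce for the discarded recipients, so the only record of the drop is the system's own log.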

Send EHLO

Always send EHLO when communicating with another server, even if their banner does not include ESMTP. Disable EHLO if you are experiencing communications problems with specific SMTP servers.

Disabling ESMTP will disable TLS encryption on outgoing connections.

SMTP notification

Administrators can select the type of notifications that are sent to the postmaster account. Serious problems such as resource or software issues are selected by default for notification.

Resource

Mail not delivered due to resource problems, such as queue file write errors.

Software

Mail not delivered due to software problems.

Bounce

Send postmaster copies of undeliverable mail. If mail is undeliverable, a single bounce message is sent to the postmaster with a copy of the message that was not delivered. For privacy reasons, the postmaster copy is truncated after the original message headers. If a single bounce message is undeliverable, the postmaster receives a double bounce message with a copy of the entire single bounce message.

Delay

Inform the postmaster of delayed mail. In this case, the postmaster receives message headers only.

Policy

Inform the postmaster of client requests that were rejected because of policy restrictions. The postmaster will receive a transcript of the entire SMTP session.

Protocol

Inform the postmaster of protocol errors (client or server), or attempts by a client to execute unimplemented commands. The postmaster will receive a transcript of the entire SMTP session.

Double Bounce

Send double bounced messages to the postmaster.

Received header

The Received Header is the mail server information displayed in the Received: mail header of a message. The default system name can be modified to a more generic identifier to prevent attackers from knowing the server details.


Mail Aliases

When mail is to be delivered locally, the delivery agent runs each local recipient name through the aliases database. If an alias exists, a new mail message will be created for the named address or addresses. This mail message will be returned to the delivery process to be mapped and routed. This process also occurs for local user accounts with a specified forwarder address. Local user accounts are treated as aliases in this case.

Local aliases are typically used to implement distribution lists, or to direct mail for standard aliases such as postmaster to real user mailboxes.

For example, the alias postmaster could resolve to the local mailboxes [email protected], and [email protected]. For distribution lists, an alias called [email protected] can be created that points to all members of the sales organization of a company.

To add a mail alias:

1. Select Configuration > Mail > Aliases .

2. Click the Add Address button to add a new alias.

3. Enter the Alias Name .

4. Enter the corresponding mail Addresses for the alias.

5. Click the Add More Addresses button to enter multiple addresses for this alias.

Uploading Alias Lists

A list of aliases can also be uploaded in one text file. The file must contain comma or tab separated entries in the form:

[alias],[mail_address]

For example: sales,[email protected]

info,[email protected]

The file (alias.csv) should be created in csv file format using a text editor. It is recommended that you download the mail alias file first by clicking Download File, editing it as required, and uploading it using the Upload File button.

LDAP aliases

Click the LDAP Aliases button to configure and search for aliases using LDAP. This allows you to search LDAP-enabled directories such as Active Directory for mail aliases. See “LDAP Aliases” on page 80 for more information on LDAP Aliases.


Mail Mappings

Mail Mappings are used to map an external address to an internal address and vice versa. This is useful for hiding internal mail server addresses from external users. For mail originating externally, the mail mapping translates the address in the To: and CC: mail header field into a corresponding internal address to be delivered to a specific internal mailbox.

For example, mail addressed to [email protected] can be redirected to the internal mail address [email protected]. This enables the message to be delivered to the user’s preferred mailbox.

Similarly, mail originating internally will have the address in the From:, Reply-To:, and Sender: header modified by a mail mapping so it appears to have come from the preferred external form of the mail address, [email protected].

To add a mail mapping:

1. Click Configuration > Mail > Mapping .

2. Click the Add button to add a new mapping.

3. Enter the External mail address that you want to be converted to the specified internal email address for incoming mail.

The specified internal address will be converted to this external address for outgoing mail.

4. Enter the Internal mail address that you want external addresses to be mapped to for incoming mail.

The internal address will be converted to the specified external address for outgoing mail.

5. Enter any Extra internal mappings which will be included in the outgoing mail conversion.

Click the Add button for each entry.

6. Click Apply .


Uploading mapping lists

A list of mappings can also be uploaded in one text file. The file must contain comma or tab separated entries in the form:

[type ("sender" or "recipient")],[map_in],[map_out],[value ("on" or "off")]

For example: sender,[email protected],[email protected],on

The file (mailmapping.csv) should be created in csv file format using a text editor. It is recommended that you download the mail mapping file first by clicking Download File , editing it as required, and uploading it using the Upload File button.

Mail mapping as access control

The system can block all incoming and outgoing mail messages that do not match a configured mail mapping.

This ensures that all incoming and outgoing mail matches a legitimate user as the destination or source of a message.

To configure access control:

1. Click the Preferences button.

2. Select the Enable Mail Mapping Access Control check box.

3. Click Apply .

Note the following when enabling Mail Mapping as Access Control :

• Any users that send or receive mail require a mail mapping

• The mailer-daemon address will bypass the access control list and does not require a mapping

• The postmaster address will bypass the access control list and does not require a mapping

• The following addresses must be added as mail mappings to ensure certain system-related messages can be sent out and received:
  o The admin user, such as: [email protected]
  o Users configured to receive emailed reports
  o The user specified as the recipient in the Problem Reporting feature

• If this feature is enabled, all incoming and outgoing mail will be blocked unless the user has a mapping listed in the mail mappings table.


Virtual Mappings

Virtual Mappings are used to redirect mail addressed for one domain to a different domain. This process is performed without modifying the To: and From: headers in the mail, as virtual mappings modify the envelope-recipient address.

For example, the system can be configured to accept mail for the domain @example.com and deliver it to @sales.example.com. This allows the system to distribute mail to multiple internal servers based on the Recipient: address of the incoming mail.

Virtual Mappings are useful for acting as a wildcard mail mapping, such as mail for example.com is sent to exchange.example.com. You can create exceptions to this rule in the Mail Mappings for particular users.

Virtual mappings are also useful for ISPs who need to accept mail for several domains, and situations where the envelope-recipient header needs to be rewritten for further delivery.

You should review the use of Mail Routes before setting anything in Virtual Mappings, as they may be more appropriate for delivering mail to internal mail servers.

When using Virtual Mappings, the Reject on Unknown Recipient and LDAP Recipient lookups will not be performed for these mapped addresses. This prevents these email addresses from being rejected by the system because the virtual mappings do not exist in an LDAP directory.

To configure virtual mappings:

1. Select Configuration > Mail > Virtual Mapping .

2. Click the Add Virtual Mapping button to add a new mapping.

3. Enter the domain or address to which incoming mail is directed in the Input field, such as @example.com.

4. Enter the domain or address to which mail should be redirected, such as @sales.example.com, in the Output field.

The domain being virtually mapped or redirected must be defined via an "internal" DNS MX record to connect to this system.


Uploading virtual mapping lists

A list of virtual mappings can also be uploaded in one text file. The file must contain comma or tab separated entries in the form:

[map_in],[map_out]

For example: [email protected],user [email protected],[email protected]

@example.com,@sales.example.com

The file (virtmap.csv) should be created in csv file format using a text editor. It is recommended that you download the virtual mapping file first by clicking Download File , editing it as required, and uploading it using the Upload File button.
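The three upload formats described in this chapter (alias.csv, mailmapping.csv and virtmap.csv) and the Mail Mapping Access Control rule from the previous section, as one added example: parsers that validate each entry before it reaches the system, plus a model of the access-control decision built on the parsed mail mappings. This is added illustration, not the XCS code; the sample files are constructed, and treating the "on"/"off" value of a mail mapping entry as an enabled flag is an assumption.

```python
"""Parse the alias, mail mapping and virtual mapping upload files and model the
Mail Mapping Access Control rule. Added example; not the XCS implementation."""
import csv
from typing import Dict, List


def _rows(text: str) -> List[List[str]]:
    """Entries may be comma- or tab-separated; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        delimiter = "\t" if "\t" in line else ","
        rows.append([f.strip() for f in next(csv.reader([line], delimiter=delimiter))])
    return rows


def parse_aliases(text: str) -> Dict[str, List[str]]:
    """[alias],[mail_address]; a repeated alias name accumulates a distribution list."""
    aliases: Dict[str, List[str]] = {}
    for row in _rows(text):
        if len(row) != 2 or not row[0] or "@" not in row[1]:
            raise ValueError(f"bad alias entry: {row}")
        aliases.setdefault(row[0].lower(), []).append(row[1].lower())
    return aliases


def parse_mail_mappings(text: str) -> List[dict]:
    """[type],[map_in],[map_out],[value] with type sender|recipient, value on|off."""
    mappings = []
    for row in _rows(text):
        if (len(row) != 4 or row[0] not in ("sender", "recipient")
                or "@" not in row[1] or "@" not in row[2] or row[3] not in ("on", "off")):
            raise ValueError(f"bad mail mapping entry: {row}")
        mappings.append({"type": row[0], "map_in": row[1].lower(),
                         "map_out": row[2].lower(), "enabled": row[3] == "on"})
    return mappings


def parse_virtual_mappings(text: str) -> Dict[str, str]:
    """[map_in],[map_out]; either side may be a whole domain (@example.com) or an address."""
    vmap: Dict[str, str] = {}
    for row in _rows(text):
        if len(row) != 2 or "@" not in row[0] or "@" not in row[1]:
            raise ValueError(f"bad virtual mapping entry: {row}")
        vmap[row[0].lower()] = row[1].lower()
    return vmap


BYPASS_LOCAL_PARTS = {"mailer-daemon", "postmaster"}  # exempt, per the access control notes


def access_control_allows(address: str, mappings: List[dict]) -> bool:
    """With Mail Mapping Access Control enabled, a sender or recipient address is
    accepted only if it appears in an enabled mapping or is an exempt system address."""
    address = address.lower()
    if address.split("@", 1)[0] in BYPASS_LOCAL_PARTS:
        return True
    known = {m[k] for m in mappings if m["enabled"] for k in ("map_in", "map_out")}
    return address in known


# Constructed sample upload files (one alias entry is tab-separated on purpose).
ALIAS_CSV = "sales,alice@example.com\nsales\tbob@example.com\ninfo,helpdesk@example.com\n"
MAILMAP_CSV = ("sender,alice@mail01.corp.example.com,alice@example.com,on\n"
               "recipient,alice@example.com,alice@mail01.corp.example.com,on\n"
               "sender,old@mail01.corp.example.com,old@example.com,off\n")
VIRTMAP_CSV = "@example.com,@sales.example.com\nvip@example.com,vip@exec.example.com\n"

if __name__ == "__main__":
    table = parse_mail_mappings(MAILMAP_CSV)
    for addr in ("alice@example.com", "old@example.com", "postmaster@example.com"):
        print(addr, "allowed" if access_control_allows(addr, table) else "blocked")
```

Validating the file before upload catches the common mistakes the notes warn about (an admin or report recipient missing from the table) before they turn into blocked system mail.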

LDAP virtual mappings

Click the LDAP Virtual Mappings button to configure and search for virtual mappings using LDAP. This allows you to search LDAP-enabled directories, such as Active Directory, for virtual mappings.

See “LDAP Virtual Mappings” on page 83 for more information on configuring LDAP virtual mappings.


Queue Replication

The Queue Replication feature enables mail queue replication and failover between two systems. In the event that the primary owner of a mail queue is unavailable, the mirror system can take ownership of the mirrored mail queue for delivery.

Queue replication actively copies any queued mail to the mirror system, ensuring that if one system should fail or be taken offline, the mirror system can take ownership of the queued mail and deliver it. If the source system successfully delivers the message, the copy of the message on the mirror server is automatically removed.

Without queue replication, a system with received and queued messages that have not been delivered may result in lost mail if that system suddenly fails. In large environments, this could translate into hundreds or thousands of messages.

In the following diagram, System A and System B are configured to be mirrors of each other’s mail queues.

When a message is received by System A , it is queued locally and a copy of the message is also immediately sent over the failover connection to the mirror queue on System B .

If System A fails, administrators can login to System B and take ownership of the queued mail to deliver it.

Messages are exchanged between the systems to ensure that the mirrored mail queues are properly synchronized, preventing duplicate messages from being delivered when a failed system has come back online.


To configure queue replication:

1. Select Administration > Multi-System Management > Queue Replication .


2. Select the Enable Queue Replication check box.

3. Enable Queue Replication on a network interface on both the source and mirror hosts via

Configuration > Network > Interfaces .

If running Queue Replication in a cluster, you can use the cluster network for Queue Replication purposes. When selecting a network interface, select the interface that is connected to the cluster network. For the host and client addresses, use the host name of the system and not the IP address, such as systemA in the address systemA.example.com.

4. Specify the Replication Timeout , in seconds, to contact the host system before timing out.

5. Click Replicate to Host to replicate the queue to the mirror host system immediately.

The mail queues are automatically updated when a message is first received, and the queues are also synchronized at regular intervals.

6. Set the Mirrored Messages value which indicates the current amount of queued mail that is mirrored on this system.

7. Click the Purge Mirrored Messages button to delete any mail messages in the local mirror queue.

These are the files that are mirrored for another host server.

8. Click the Deliver Mirrored Messages button to take ownership and process the mail that is mirrored for another source system.

If the server is still alive, importing and processing the mirror queue may result in duplicate messages being delivered.

Do not click the Deliver Mirrored Messages button unless you are certain that the source system is unable to deliver mail.

9. Click the Review Mirrored Messages button to review any mail in the local mirror queue that is mirrored for another source server.

10. Click Apply .


Queue replication interface

You must enable queue replication on a network interface on both the host and client server.

If running Queue Replication in a cluster, you can use the cluster network for Queue Replication purposes.

When selecting a network interface, select the interface that is connected to the cluster bus network. For the host and client addresses, use the host name of the system.

1. Select Configuration > Network > Interfaces .

2. Go to the Queue Replication section.

The following options only appear in the Network settings screen after Queue Replication is enabled.

3. Select the Enable Replication check box.

4. Specify the Replication Host IP address of the host that will be backing up mail for this system.

If you are utilizing Queue Replication in a cluster and using the interface connected to the cluster network for replication, specify the hostname of the host cluster system, such as SystemA, in the address: SystemA.example.com.

5. Specify the Replication Client IP address of the client that will be backing up its mail queue to this system.

If you are utilizing Queue Replication in a cluster and using the interface connected to the cluster network for replication, specify the hostname of the client cluster system, such as SystemB, in the address: SystemB.example.com.

6. Select the Replication I/F (network interface) to use for queue replication.

This network interface should be connected to a secure network. It is recommended that queue replication and clustering functions be run together on their own dedicated subnet.

For example, because messages from System A will be replicated on System B, enter the IP address for System B in the Replication Host field. System A will also act as a host for System B, so enter the address for System B in the Replication Client field.

Messages from System B will be replicated on System A, so enter the IP address for System A in the Replication Host field. System B will also act as a host for System A, so enter the IP address for System A in the Replication Client field.

If you are backing up and restoring configuration information to a different system than the original, and queue replication is enabled, you will have to reconfigure Queue Replication to ensure that it will work properly.


Importing and processing mirrored messages

If you have two systems that are mirroring each other’s mail queues and one of those systems fails, you must go to the mirror server and import the mirrored mail to ensure that it is processed and delivered.

Import the mirrored messages as follows:

1. Ensure that the host system is unavailable.

Before importing any mirrored mail, you must ensure that the host system is not processing mail. If you import and process the mirrored mail on the mirror system, this may result in duplicate messages if the host system starts functioning again.

2. On the mirror server, select Administration > Multi-System Management > Queue Replication .

3. Click the Review button to view the current mirrored mail.

4. Click Deliver .

This system will take ownership of any queued mail mirrored from the source server, and process and deliver it.


Message Archiving

Archiving support allows organizations to define additional mail handling controls for inbound and outbound mail. These features are especially important for organizations that must archive certain types of mail for regulatory compliance or other corporate security policies. The system allows mail to be categorized and selectively archived for different levels of importance. By providing the ability to classify and archive messages at different levels, mail of high importance or compliance classification can be archived while allowing different actions for mail of lower importance. These features also prevent the waste of unnecessary resources by ignoring spam messages and other types of unwanted mail when archiving messages.

The system can integrate with third-party archiving servers to archive email messages by creating pattern filters that classify messages and route them to the appropriate archiving server (or an archive email address), while still delivering the email to its original recipients. Mail headers added to an archived message by the system allow administrators to customize their archiving services for efficient retrieval of archived messages.


Mail archiving can be used with Pattern Filters, the Objectionable Content Filter, and Content Scanning, including the use of these features via Policies. When a message is received by the system, these features will search for text within a message and its attachments. When this text is found, an action can be taken to classify the message for archiving into one of three categories: Archive High , Archive Medium , and Archive Low .

The Archiving feature then applies the archiving action for each category. For example, messages categorized as Archive High can have an action of Archive copy to , with the action data identifying the archiving email address, or the mail route to archive mail to.


Configure message archiving

The system can be configured to integrate with third party archiving servers to archive messages using the following steps:

1. Select Configuration > Mail > Archiving .


Configuration fields for three classifications of archiving will appear for High, Medium, and Low Importance archiving actions.

2. Select the Active check box to activate this archiving action.

3. Select an Action Name to be displayed as the archiving action for the Pattern Filter, Objectionable Content, and Content Scanning features.

4. Select the Archive copy to action to send the message to an archive server.

5. In the Action Data field, enter an email address or the name of the mail route for the destination archiving server.

For archiving to an email address, enter an address such as [email protected].

This will be a mailbox that will contain all archived messages. Your archiving server will be able to pull its data for the system’s archived messages from this mailbox.

To use a mail route to route mail to the archiving server, set the Action Data to archive_high_reroute , archive_medium_reroute , or archive_low_reroute as required.

A corresponding mail route will need to be created on the system via Configuration > Mail > Routing . Mail routes are not required if archiving to an email address.

6. Select the Add header check box to add an archive header to the message when it is sent to the destination archive server.

This allows the archiving server to store that message according to its classification in the header and allow for more efficient retrieval of the message in the future.

7. Enter the mail Header data that will be added to the message header, such as X-Archive: high .

8. Select the Notification that can be sent to the recipients, sender, or administrator when a message has been archived.


Define mail routes for archiving

When using the mail routing method for archiving messages, mail routes to the archiving server must be defined so that the system knows where to send messages for each archiving classification.

For each archiving classification, a corresponding mail route must be created:

• For archive_high_reroute use: .archive_high_reroute

• For archive_medium_reroute use: .archive_medium_reroute

• For archive_low_reroute use: .archive_low_reroute

To set up mail routes for archiving:

1. Select Configuration > Mail > Routing to define mail routes.

2. Enter the domain, such as .archive_high_reroute, and enter the destination address of the archiving server.

3. Click Add .

Mail routes are not required when archiving to an email address.

Configure content control filters for archiving

To classify messages for archiving, the system’s content control features, such as Pattern Filters, Objectionable Content filtering, and Content Scanning, must be configured to search for text in a message or its attachment. The corresponding action will be the archive classification, such as “Archive High”.

Configure pattern filters for use with archiving

1. Select Security > Content Control > Pattern Filters .

2. Click Add .

3. Create a pattern filter for the required specific text.

For example, search for an inbound message subject that starts with the word “Compliance”.

4. Set the Action to the appropriate archive action, such as Archive High .

5. Click Apply .
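The pattern-filter classification and the archiving action it triggers (Configure message archiving, steps 4 to 7, and the pattern filter steps above), as an added example that is not the XCS code: a subject filter assigns one of the three archive classifications, and the archive copy is tagged with the archive header and routed either to a mail route or to an archive mailbox while the original is left for normal delivery. The filter patterns, the archive address, the header value and the sample messages are constructed.

```python
"""Classify a message for archiving with a subject pattern filter and build the
tagged archive copy. Added illustration; not the XCS implementation."""
import copy
import re
from email.message import EmailMessage
from typing import Optional, Tuple

# Archive actions: Action Data is either a mail route name or an archive mailbox.
ARCHIVE_ACTIONS = {
    "Archive High":   {"action_data": "archive_high_reroute",   "header": ("X-Archive", "high")},
    "Archive Medium": {"action_data": "archive_medium_reroute", "header": ("X-Archive", "medium")},
    "Archive Low":    {"action_data": "archive@example.com",    "header": ("X-Archive", "low")},
}

# Constructed pattern filters: (direction, header, regex, action).
PATTERN_FILTERS = [
    ("inbound", "Subject", re.compile(r"^\s*Compliance\b", re.I), "Archive High"),
    ("inbound", "Subject", re.compile(r"\bcontract\b", re.I), "Archive Medium"),
]


def classify(msg: EmailMessage, direction: str) -> Optional[str]:
    """Return the first matching archive action name, or None when no filter fires."""
    for filter_direction, header, pattern, action in PATTERN_FILTERS:
        if filter_direction == direction and pattern.search(msg.get(header, "")):
            return action
    return None


def archive_copy(msg: EmailMessage, action: str) -> Tuple[str, EmailMessage]:
    """Build the archive copy and return (destination, copy). The original is not
    modified, so normal delivery to the recipients continues. A mail-route
    destination is returned as the route domain, e.g. .archive_high_reroute."""
    spec = ARCHIVE_ACTIONS[action]
    tagged = copy.deepcopy(msg)
    name, value = spec["header"]
    tagged[name] = value
    destination = spec["action_data"]
    if "@" not in destination:
        destination = "." + destination
    return destination, tagged


def make_message(subject: str, sender: str, recipient: str) -> EmailMessage:
    """Constructed sample message."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content("Constructed sample body.")
    return msg


if __name__ == "__main__":
    sample = make_message("Compliance report Q1", "auditor@partner.example.net", "cfo@example.com")
    action = classify(sample, "inbound")
    if action:
        print(archive_copy(sample, action)[0])
```

The header on the copy is what the archiving server keys on for retrieval, so its value should be stable per classification rather than per message.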

Configure OCF for archiving

The Objectionable Content Filter can also be used for classifying and archiving messages. Custom dictionaries can be created for content specific to your organization. When the OCF feature finds a word from these dictionaries, an archive action can be applied.

1. Select Security > Content Control > Objectionable Content .

2. Enable the OCF feature.

3. Select your customized dictionary file, such as “Archive”.

4. Set the Action to the appropriate archive action for this dictionary file, such as Archive Low .


Configure policies for archiving

The Archiving feature can also be used by the Policy engine to provide customization when applying archiving actions to different domains or groups of users. When creating a policy, the Content Scanning feature provides actions for archiving when certain text is found in an attachment.

The Content Scanning feature requires a dictionary file to match attachment content against and a corresponding archiving action to perform.

To configure a policy definition:

1. Enable Content Scanning globally via Security > Content Control > Content Scanning .

2. Select Security > Policies .

3. Select the Content Control tab.

4. In the Content Scanning section for inbound messages, select the Compliance Dictionary to be used for matching text, such as “Archive” in this example.

5. Set the Action to the appropriate archive action for this dictionary file, such as Archive Medium .

Customizing archive headers using policies

For each Policy definition, the Archive Header can be customized for each archiving classification if it needs to be changed from the default settings. This is configured in the Email policy tab.


4 LDAP Configuration

LDAP Overview

The WatchGuard XCS can utilize LDAP (Lightweight Directory Access Protocol) services for accessing directories (such as Active Directory, OpenLDAP, and iPlanet) for user and group information. LDAP can be used for mail routing, group and user lookups for policies, user lookups for mail delivery, alias and virtual mappings, and remote authentication. LDAP was designed to provide a standard for efficient access to directory services using simple data queries. Most major directory services such as Active Directory support LDAP, but each differs in their interpretation and naming convention syntax. Other types of supported LDAP services include OpenLDAP and iPlanet.

Naming conventions

Each entry in the directory service hierarchy is identified by a unique Distinguished Name (DN). The following is an example of a Distinguished Name in Active Directory:

cn=jsmith,dc=example,dc=com


In this example, “cn” represents the Common Name, and “dc” is the Domain Component. The user jsmith is in the users container. The domain component is analogous to the FQDN domain name, in this case, example.com.

For all LDAP Directory features, you must make sure you enter values specific to your LDAP environment and schema.

Common names are not always unique. Another way to reference user objects is by their login name, which is almost guaranteed to be unique within a company. Therefore, another DN for John Smith could be:

UID=jsmith,CN=Canada,DC=example,DC=com

This second DN is different from the first, but points to the same user object, and uses a different RDN to identify the local entry. The root of the directory is called the base DN. The base DN is typically set to closely match the DNS name for the server. The base DN uses the Domain Component (dc) attribute to distinguish its DNS zones. The administrator may want to make the directory structure different from the DNS structure to have more flexibility in its design. Similar to DNS, the TLD is one zone and the registered domain name is another zone.

DNS name: example.com

Base DN: dc=example, dc=com
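The DN forms above, worked through in code as an added example that is not part of this guide or the XCS code: a parser that splits a DN into its RDN attribute/value pairs, a helper that derives the base DN from a DNS name, and the reverse mapping from the dc= components back to a DNS-style name. It goes a little beyond the text in honouring RFC 4514 backslash escapes, so that a comma inside a value (cn=Smith\, John) does not start a new RDN; that escape rule is standard LDAP, not something the guide states.

```python
"""Parse LDAP Distinguished Names into RDNs and derive a base DN from a DNS name.
Added illustration of the naming conventions above; not XCS code."""
from typing import List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, attribute names lower-cased."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":             # an unescaped comma ends the RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn_text in rdns:
        attr, sep, value = rdn_text.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn_text!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def base_dn_from_dns(dns_name: str) -> str:
    """example.com -> dc=example,dc=com"""
    labels = [label for label in dns_name.strip().strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty DNS name")
    return ",".join(f"dc={label}" for label in labels)


def domain_components(dn: str) -> str:
    """Recover the DNS-style name from a DN's dc= components."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "dc")


def rdn(dn: str) -> Tuple[str, str]:
    """The leftmost pair is the Relative Distinguished Name naming the entry itself."""
    return parse_dn(dn)[0]


if __name__ == "__main__":
    for sample in ("cn=jsmith,dc=example,dc=com", "UID=jsmith,CN=Canada,DC=example,DC=com"):
        print(sample, "->", parse_dn(sample), "domain", domain_components(sample))
    print(base_dn_from_dns("example.com"))
```

Because attribute names are compared case-insensitively (LDAP treats cn and CN as the same attribute), both DNs from the text parse to the same domain components even though one is written in upper case.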

The objectClass attribute defines which rules apply to an entry. The objectClass attribute is mandatory for all entries in the directory. It describes the content of the entry by specifying which other attributes are mandatory, and which are optional. An entry can be assigned multiple objectClass values. The schema of the directory determines which objectClasses are available. Some examples of common objectClasses are:

ƒ objectClass group

ƒ objectClass computer

ƒ objectClass user

ƒ objectClass container

LDAP schema

The directory schema defines the rules the directory uses to save and store its data. The schema governs what types of objects can be created, which attributes are allowed, the structure of those attributes, and which compare operators are valid. “Greater than”, “less than”, and “equal to” are common compare operators. The minimum set of schema objects required by LDAP allows us to browse the directory structure. A directory schema may be extended beyond its default design to conform to the data requirements of a company. Most directories have a single schema that is shared throughout the entire directory. Others can have different schemas for different sections of the directory.

LDAP components

LDAP is a term commonly used in the technology field to describe a set of related functions. Several different components make up the LDAP technology.

Clients

The LDAP client used to query a directory can be a stand-alone piece of software, or it can be integrated into other applications. When integrated, LDAP works seamlessly, and its operation is invisible to the user or administrator. LDAP is often used by organizations because of the flexibility it allows between client and server, and the ease of integrating clients with existing software. Because the naming conventions are the same across directory servers, LDAP clients can usually support many different LDAP implementations from different vendors.


Protocol

LDAP uses TCP/IP for its interface to the network and its hosts. For LDAP to communicate with a directory server, a TCP session must be established. LDAP also encodes the attribute value data that passes between the server and client. Any LDAP client can speak to any LDAP-enabled server because of the standard application programming interface (API). The LDAP protocol also supports the use of Unicode UTF-8 to support non-English languages.

Operations

LDAP has very few operations available to lower the complexity of the protocol for the client programs. The categories of the operations and their functions can be grouped as follows:

Category              LDAP Operations
Client Session        Bind, unbind, abandon
Query and Retrieval   Search and compare
Modification          Add, modify, modifyRDN, delete
Extended              Extended

Client session operations

Session operations control access to the directory server using the bind, unbind, and abandon operations.

When a client binds to the directory server, its identity can be used to decide the level of permissions the client has when accessing the objects. The bind operation is similar to a login. Any other operation you use to interact with the server requires a successful bind to the directory. A bind requires a user name and password, or an anonymous bind can be performed.

For most LDAP servers, binding anonymously to the server does not allow you access to all the information you would be able to obtain if you had used an actual login and password.

The unbind operation closes the LDAP session to the server, and the abandon operation allows the client to cancel an outstanding operation request.

Query operations

The query operations are used when applications integrate with a directory server. These operations search for and retrieve information from the directory server. The “search” operation is the most frequently used because you typically do not know the location of the information you want to obtain. Through the use of string parameters, an LDAP client can perform sophisticated queries to search for data within the directory.

The “compare” operation can take a value and verify it against a directory object or attribute. The LDAP client sends the values of the attribute pair, and the server responds with a “success” if it matches, or a failure if it does not.

Filter operators can be used in LDAP queries to help narrow down or widen the scope of the search. The following boolean operators can be used when performing a query:

LDAP Filter Character   Boolean Operator
&                       AND
|                       OR
!                       NOT


These operators should precede the filter they modify. A normal search string to find all user objects resembles the following:

(objectCategory=person)

A search string to find a specific user object would look like:

(&(objectCategory=person)(name=John Smith))

A search string to return all user objects except those in the admin group “admins” would be (the NOT operator precedes the single filter it negates, and the whole string is one expression):

(&(objectCategory=person)(!(memberOf=admins)))
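The operators and search strings above, worked through in an added example (this is not code from the WatchGuard guide): a small parser and matcher for this filter syntax, run over three constructed directory entries. It also shows why a filter must be a single parenthesised expression, which is what makes it reject two filters placed side by side.

```python
import re

# Constructed sample entries (dn, attributes); not real directory data.
ENTRIES = [
    ("CN=John Smith,OU=users,DC=example,DC=com",
     {"objectCategory": ["person"], "name": ["John Smith"],
      "mail": ["jsmith@example.com"], "memberOf": ["sales"]}),
    ("CN=Kathy J. Norman,OU=users,DC=example,DC=com",
     {"objectCategory": ["person"], "name": ["Kathy J. Norman"],
      "mail": ["knorman@example.com"], "memberOf": ["admins", "sales"]}),
    ("CN=WS01,OU=computers,DC=example,DC=com",
     {"objectCategory": ["computer"], "name": ["WS01"]}),
]


class FilterError(ValueError):
    """Raised for a filter that is not one well-formed expression."""


def parse_filter(text):
    """Parse a filter such as (&(objectCategory=person)(!(memberOf=admins)))
    into a tree: ('&', [children]), ('|', [children]), ('!', child) or
    ('=', attribute, value).  A filter is exactly one parenthesised
    expression; the operator always precedes the filters it modifies."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise FilterError("more than one top-level filter: %r" % text[pos:])
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise FilterError("expected '(' at offset %d" % i)
    i += 1
    if i >= len(s):
        raise FilterError("unexpected end of filter")
    op = s[i]
    if op in "&|":                      # AND / OR over one or more filters
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children:
            raise FilterError("'%s' needs at least one filter" % op)
        node = (op, children)
    elif op == "!":                     # NOT over exactly one filter
        child, i = _parse(s, i + 1)
        node = ("!", child)
    else:                               # attribute=value, '*' as wildcard
        end = s.find(")", i)
        if end < 0 or "=" not in s[i:end]:
            raise FilterError("malformed item at offset %d" % i)
        attribute, value = s[i:end].split("=", 1)
        node = ("=", attribute.strip(), value)
        i = end
    if i >= len(s) or s[i] != ")":
        raise FilterError("expected ')' at offset %d" % i)
    return node, i + 1


def _value_matches(pattern, value):
    """Values compare case-insensitively here; '*' matches any substring."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def matches(node, attributes):
    """Evaluate a parsed filter against one entry's attribute dictionary."""
    kind = node[0]
    if kind == "&":
        return all(matches(child, attributes) for child in node[1])
    if kind == "|":
        return any(matches(child, attributes) for child in node[1])
    if kind == "!":
        return not matches(node[1], attributes)
    _, attribute, pattern = node
    values = next((v for k, v in attributes.items()
                   if k.lower() == attribute.lower()), [])
    if pattern == "*":                  # presence filter: attribute exists
        return bool(values)
    return any(_value_matches(pattern, v) for v in values)


def search(filter_text, entries=ENTRIES):
    """Return the DNs of the entries the filter selects, in directory order."""
    node = parse_filter(filter_text)
    return [dn for dn, attributes in entries if matches(node, attributes)]


def is_single_filter(filter_text):
    """True if the string is one well-formed filter expression."""
    try:
        parse_filter(filter_text)
        return True
    except FilterError:
        return False


if __name__ == "__main__":
    for f in ["(objectCategory=person)",
              "(&(objectCategory=person)(name=John Smith))",
              "(&(objectCategory=person)(!(memberOf=admins)))",
              "(mail=*example.com)"]:
        print(f, "->", search(f))
```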

Modification operations

Modification operations allow changes to be made to the data within the directory. Operations such as “add”, “modify”, and “delete” are standard and self-explanatory. The modifyRDN operation allows the client to change the name of an entry and possibly move the entry to a different container. Depending on the access permissions (determined when binding to the directory), some modifications may not be allowed. For example, a read-only branch of the directory would not allow any of the modification operations to be run.

Extended operations

Extended operations are unique to each directory server and client. They act as a placeholder for custom protocol extensions, while the protocol still defines the syntax to be used.

Security

The LDAP protocol supports the use of SSL (Secure Sockets Layer) to encrypt the session for privacy. Encrypting the session between the client and the directory server ensures that hosts sniffing the traffic on the network cannot read any of the data within the session. Authentication is handled by the client bind operation. After a successful bind to the directory server, the resulting authorization dictates which objects are available to the user. This also covers the anonymous case, where no bind operation was performed before a query.


Directory Servers

The first step in configuring directory services is to define and configure your directory servers. Directory servers will be used for the system’s LDAP functions, such as user and group membership lookups, authentication, and mail routing.

1. Select Configuration > LDAP > Directory Servers .

2. Click Add to configure a new directory server, or click Edit to modify an existing server.


3. Enter the Server URI (Uniform Resource Identifier) address, such as ldap://10.0.2.120.

To query an Active Directory global catalog, add the port number 3268 to the server URI, such as ldap://10.0.2.120:3268. Use "ldaps:" if you are using SSL with the LDAP server directory.

4. Enter an optional Label or alias for the LDAP server.

5. Select the Type of LDAP server you are using, such as Active Directory, or choose Others for OpenLDAP or iPlanet.

6. Select the Bind check box.

7. Enter the Bind DN (Distinguished Name). For example, for Active Directory, use: cn=Administrator,cn=users,dc=domain,dc=example,dc=com or [email protected]

Older Windows login names such as DOMAIN/Administrator are also supported.

Make sure that you enter a bind DN specific to your environment. In Active Directory, if you are using an account other than Administrator to bind to the LDAP server, the name must be specified as the full name, not the account name. For example, use “John Smith” instead of “jsmith”.

8. Enter the Bind Password for the LDAP server.

9. Specify a default Search Base for lookups. For example: dc=example,dc=com .

10. Enter the maximum Timeout interval, in seconds, to wait for the search to complete.

Valid values are from 1 to 100 seconds.

11. Use the Dereference Aliases option to set how alias dereferencing is performed during a search:

• Never — Aliases are never dereferenced.
• Searching — Aliases are dereferenced in subordinates of the base object, but not in locating the base object of the search.
• Finding — Aliases are only dereferenced when locating the base object of the search.
• Always — Aliases are dereferenced both when searching and when locating the base object of the search.

12. Select the Paged check box to enable paging support for an Active Directory server.

When querying an LDAP server, the amount of information returned may contain thousands of entries and subentries. Paging allows LDAP information to be retrieved in more manageable sections to control the rate of data return.

13. Enter the Page Size for an Active Directory server.

If this field is left blank, the default value of 1000 will be used. The Page Size must match the size configured in the Active Directory server's LDAP query policy.

14. Click Apply .

Deleting an LDAP server will remove all additional configuration items that are based on that server such as Directory Users, Groups, and Aliases.

Testing LDAP servers

To test your LDAP server configuration:

1. Click Test .

The default settings are displayed.


2. Click Submit LDAP Query .

If the remote server is not responding, you will see the following error message: ldap_bind: Can't contact LDAP server (81)

If the user you used to bind to the LDAP tree does not have enough permissions, you will see the following message: ldap_bind: Invalid credentials (49) additional info: 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893

This is typically caused by a wrong user name or password. If the user can log in to the domain, this same user should be able to bind to the LDAP tree.
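Reading the Test page messages quoted above, as an added example (not code from the guide): a small triage helper that pulls the LDAP result code and, for Active Directory, the data sub-code out of an ldap_bind error line. The result code names are the standard RFC 4511 values and the data sub-codes other than 525 are Microsoft's documented values; the guide itself lists neither.

```python
import re

# Standard LDAP result codes (RFC 4511) for the messages the Test page shows,
# and the well-known Active Directory data sub-codes returned with result 49.
# These tables are not from the WatchGuard guide, which quotes only 81, 49
# and data 525.
RESULT_CODES = {
    32: "noSuchObject (search base does not exist)",
    49: "invalidCredentials",
    81: "serverDown (can't contact LDAP server)",
}
AD_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "logon not permitted at this time",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_BIND_RE = re.compile(r"ldap_bind: (?P<text>[^(]+)\((?P<code>\d+)\)")
_DATA_RE = re.compile(
    r"AcceptSecurityContext error, data (?P<data>[0-9a-fA-F]+)")


def classify_bind_error(message):
    """Describe an ldap_bind error line as a dict, or return None when the
    line is not a bind error (for example a normal search result)."""
    m = _BIND_RE.search(message)
    if m is None:
        return None
    code = int(m.group("code"))
    result = {
        "code": code,
        "text": m.group("text").strip(),
        "name": RESULT_CODES.get(code, "unknown result code"),
    }
    data = _DATA_RE.search(message)
    if data is not None:                # only Active Directory adds this
        sub = data.group("data").lower()
        result["data"] = sub
        result["reason"] = AD_DATA_CODES.get(sub, "unknown AD data code")
    return result


# Constructed copies of the two messages quoted above.
SAMPLE_SERVER_DOWN = "ldap_bind: Can't contact LDAP server (81)"
SAMPLE_BAD_BIND = ("ldap_bind: Invalid credentials (49) additional info: "
                   "80090308: LdapErr: DSID-0C09030B, comment: "
                   "AcceptSecurityContext error, data 525, v893")

if __name__ == "__main__":
    for line in (SAMPLE_SERVER_DOWN, SAMPLE_BAD_BIND):
        print(classify_bind_error(line))
```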

If the search base specified does not exist, you will receive a message similar to the following:

# extended LDIF
#
# LDAPv3
# base with scope sub
# filter: (objectClass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object
matchedDN: DC=example,DC=com
text: 0000208D: NameErr: DSID-031001BD, problem 2001 (NO_OBJECT), data 0, best match of:
	'DC=example,DC=com'

# numResponses: 1

Searching the LDAP tree

You can choose a specific type of object to find in the LDAP query field. For example, if you want to search for users, use the filter (ObjectCategory=person). This displays all the users within the specified search base. Specifying only a search filter in the LDAP Query field displays every record that matches the filter, with all of its attributes.

To narrow the search results, LDAP attributes can be specified so that only certain attributes are displayed for each returned object. Each user object also has an ObjectClass attribute with the value “user”, but (ObjectClass=user) returns computer objects as well.

To search for all user objects (including group information) with the email domain example.com, and display the mail attribute of each object in the result, use the following query:

(mail=*example.com)

The result should be similar to the following:

# extended LDIF
# LDAPv3
# base with scope sub
# filter: (mail=*@example.com)
# requesting: mail
#

# techsupport, users, example.com
dn: CN=techsupport,OU=users,DC=example,DC=com
mail: [email protected]

# sales, users, example.com
dn: CN=sales,OU=users,DC=example,DC=com
mail: [email protected]

# Joe TS. Smith, users, example.com
dn: CN=Joe TS. Smith,OU=users,DC=example,DC=com
mail: [email protected]

# Ken R. Simon, users, example.com
dn: CN=Ken R. Simon,OU=users,DC=example,DC=com
mail: [email protected]

# Andrew Y. Roberts, users, example.com
dn: CN=Andrew Y. Roberts,OU=users,DC=example,DC=com
mail: [email protected]

# Kathy J. Norman, users, example.com
dn: CN=Kathy J. Norman,OU=users,DC=example,DC=com
mail: [email protected]

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6


If you want to search for users only, you can change the LDAP Query string to:

(&(ObjectCategory=user)(mail=*example.com))

If you want to display the login name for each object returned, you can use sAMAccountName as an LDAP attribute instead of mail. The result will be similar to the following:

# techsupport, users, example.com
dn: CN=techsupport,OU=users,DC=example,DC=com
sAMAccountName: techsupport


Directory Users

The Directory Users feature is used to import user account and group membership data from LDAP-based directory servers. This information is used by the Reject on Unknown Recipient Anti-Spam feature to provide LDAP lookups for valid email addresses and to import group membership information for policies.

Only groups that the imported users belong to will be imported. Group Policy should be enabled before importing users and groups if you are using the information for Group policies.

Local mirror accounts can also be created to allow directory-based users to view and manage quarantined mail for the Spam Quarantine feature.

To configure Directory Users:

1. Select Configuration > LDAP > Directory Users .

2. Click Add .


3. Select a Directory Server to perform the search.

4. Enter the Search Base to start the search from. For example: dc=example,dc=com.

5. Enter the Scope of the search.

• Base — Searches the base object only.
• One Level — Searches objects beneath the base object, but excludes the base object.
• Subtree — Searches the entire subtree, of which the base distinguished name is the topmost object, including that base object.

6. Enter the appropriate Query Filter. For example, for Active Directory use:

(|(|(objectCategory=group)(objectCategory=person))(objectCategory=publicFolder))

This query filter includes mail-enabled Exchange public folders to prevent them from being rejected if Reject on Unknown Recipient is enabled. For iPlanet and OpenLDAP, use the (objectClass=person) query filter.

7. Enter the maximum Timeout interval, in seconds, to wait for the search to complete.

Valid values are from 1 to 100 seconds.

8. Enter the Email attribute that identifies the user’s email address.

For Active Directory, iPlanet, and OpenLDAP, use “mail”.


9. Enter the Email alias attribute that identifies the user’s alternate email addresses.

In Active Directory, the default is proxyAddresses. For iPlanet, use Email. For OpenLDAP, leave this field blank.

10. Enter the Member Of attribute that identifies the group(s) that the user belongs to.

This information is used for Policy controls. In Active Directory, the default is memberOf. For iPlanet, use Member. For OpenLDAP, leave this field blank.

11. Enter the Account Name Attribute that identifies a user’s account name for login.

In Active Directory, the default is sAMAccountName. For iPlanet, use uid. For OpenLDAP, use cn.

12. Click the Test button to test your LDAP settings.

13. Click Apply .

Import settings

The system can automatically import LDAP user data on a scheduled basis to stay synchronized with the LDAP directory.

To import LDAP users and groups:

1. Select Configuration > LDAP > Directory Users .

2. Click Import Settings .


3. Select the Import User Data check box to enable automatic import of LDAP user data.

Enabling automatic import ensures that your imported LDAP data remains current with the information on the LDAP directory server.

4. Select the Frequency of LDAP imports.

• Hourly
• Every 3 Hours
• Daily
• Weekly
• Monthly

5. Specify the Start Time for the import in the format hh:mm. For example, to schedule an import at midnight, enter 00:00.

6. Click Apply .

7. Click Import Now to immediately begin the import of users.

You can view the progress of LDAP imports via Activity > Logs > System.

Mirror LDAP accounts as local users

To provide local account access, administrators can mirror existing LDAP accounts, which creates a local account on the system for each imported user. This provides a simple method for allowing directory-based users to view and manage quarantined messages, if you have enabled the Spam Quarantine feature and the Trusted/Blocked Senders lists.

These local mirror accounts cannot be used as local mail accounts. They can only be used for the Spam Quarantine and Trusted/Blocked Senders lists.

1. Select the Mirror accounts check box.

2. Choose an Expiry period for the mirrored accounts.

If the user no longer exists in the LDAP directory for the specified period of time, the local mirrored account will be deleted. This option only applies to a local mirrored account, not to accounts used for the Reject on Unknown Recipients feature.

3. Click Apply .

4. Click Import Now to immediately begin the import of users and create mirrored accounts.

You can view the progress of LDAP imports via Activity > Logs > System. You can view mirrored accounts via Administration > Accounts > Mirrored Accounts.

Testing directory users

There are four main attributes specific to Active Directory that the WatchGuard XCS uses for mail processing:

• mail
• proxyAddresses
• memberOf
• sAMAccountName

To make sure that the information imported is properly accepted by the system, test the LDAP query and attributes before importing LDAP users.

1. Click Test .


2. Test the mail attribute using the following query:

• For LDAP Query, use the default value: (|(objectCategory=group)(objectCategory=person)).
• For the LDAP attributes field, use the mail attribute.

3. Click the Submit LDAP Query button.

The results show all the objects returned by the query, and only the requested attribute (mail in this example) is displayed. The system uses this attribute as the account name when creating the mirrored accounts.

Only one email address is returned for each user, even though a user can have multiple email addresses in an Active Directory/Exchange environment.

To view or modify the primary user in Active Directory:

1. Open Active Directory Users and Computers .

2. Double click on the user.

3. Click the Email Addresses tab.

The Primary account should be the one highlighted with type SMTP.

4. To change the Primary email account, select the address you want to make primary and click Set As Primary.

5. Test the proxyAddresses attribute using the following query:

• For LDAP Query, use (|(objectCategory=group)(objectCategory=person)).
• For the LDAP attributes field, use the proxyAddresses attribute.

6. Click the Submit LDAP Query button.

The SMTP item in uppercase letters is the primary address (the same as the mail attribute).

The proxyAddresses attribute is used by the system to implement the Reject on Unknown Recipients feature. The system uses this attribute, together with the mail attribute, to process any additional email addresses associated with the users and groups, including aliases.

Test the memberOf attribute using the following query:

1. For LDAP Query, use the default: (|(objectCategory=group)(objectCategory=person)).

2. For the LDAP attributes field, use the memberOf attribute.

3. Click the Submit LDAP Query button.

The sAMAccountName attribute is used as the login name by the system when authenticating with the Active Directory server. This attribute is not necessarily equivalent to the email name. To locate the sAMAccountName attribute in Active Directory:

1. Go to user properties in Active Directory Users and Computers .

2. Click the Account tab.

3. The sAMAccountName corresponds to the User Login Name.

LDAP Aliases

LDAP Aliases are used to search LDAP-enabled directories for user mail aliases. If an alias exists, a new mail message will be created for the named address or addresses. This mail message will be returned to the delivery process to be mapped, routed, and processed.

LDAP Aliases have been tested with Active Directory only, and the examples shown are for Active Directory LDAP implementations. In most cases, Active Directory already performs its own internal alias translations and configuring LDAP Aliases is not required.

See “Mail Aliases” on page 53 for more information on Mail Aliases.

To configure LDAP Aliases:

1. Select Configuration > LDAP > Aliases .

2. Click Add .


3. Select a Directory Server to perform the search.

4. Enter the Search Base to start the search from. For example: cn=users,dc=example,dc=com.

5. Enter the Scope of the search.

• Base — Searches the base object only.
• One Level — Searches objects beneath the base object, but excludes the base object.
• Subtree — Searches the entire subtree, of which the base distinguished name is the topmost object, including that base object.

6. Enter the Alias Attribute that defines the alias mail addresses for a user. For example, for Active Directory enter:

(proxyAddresses=smtp:%s@*)

7. Enter the Email attribute that returns the user’s email address. For example, for Active Directory enter the mail attribute.

8. Enter the maximum Timeout interval, in seconds, to wait for the search to complete.

Valid values are from 1 to 100 seconds.

9. Click the Test button to perform a test of the LDAP alias configuration.

10. Click Apply .


LDAP Web Users

The LDAP Web Users feature allows LDAP-authenticated clients to utilize the system’s Web Proxy feature. These client systems must use a login and password to authenticate to an LDAP server before they can use the Web Proxy. LDAP Authentication allows the system to authenticate the user directly to an LDAP directory server without creating a local account.

When a user is successfully authenticated with the LDAP server, this information is saved in an LDAP authentication cache on the system for 300 seconds. Any subsequent LDAP requests go to the cache instead of the LDAP server. This enables a faster response and prevents the LDAP server from being overloaded with authentication requests. After 300 seconds, the Web Proxy authenticates directly to the LDAP server again and caches the results if the authentication is successful.

To configure LDAP authentication for HTTP web users:

1. Select Configuration > LDAP > Web Users .

2. Select a method, and then click Add to add an entry.

You can only use one method, Bind or Query Direct, for all defined LDAP servers. You cannot use both at the same time.

The Bind method will only work with Active Directory and iPlanet implementations. The Query Direct method will only work with OpenLDAP.

• Bind — The Bind method uses the User ID and password to authenticate on a successful bind. The Query Filter must specify the User ID with a %s variable. For example, for Active Directory, use (sAMAccountName=%s) for the Query Filter. The Result Attribute must be a User ID such as mail. For iPlanet, use uid=%s for the Query Filter, and mail for the Result Attribute.
• Query Direct — The Query Direct method queries the LDAP server directly to authenticate a user ID and password. The Query Filter must specify the user ID, and the Result Attribute must specify the password. For OpenLDAP, use (&(ObjectClass=inetOrgPerson)(cn=%s)) for the Query Filter, and userPassword for the Result Attribute.

For either method, access will be refused if the LDAP server direct query or bind attempt fails for any reason, such as an invalid user name or password, bad query, or if the LDAP server is not responding.
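How the %s placeholder in a Query Filter such as (sAMAccountName=%s) should be filled, as an added example (not code from the guide or from the appliance): RFC 4515 requires the characters \ * ( ) and NUL inside an assertion value to be escaped as \XX, so the login name a client supplies at the proxy prompt is matched as a literal value and cannot change the shape of the filter. The same applies to the Relay and Recipients filters later in this chapter; wrapping a bare uid=%s template in parentheses is my assumption about the form the server expects.

```python
# Added example: RFC 4515 escaping for the value substituted into the %s
# placeholder of an LDAP Query Filter.  Not code from the WatchGuard guide.

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape an assertion value per RFC 4515 so it is matched literally:
    an unescaped '*' would become a wildcard, and '(' or ')' would change
    the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def fill_query_filter(template, user_id):
    """Substitute the supplied login name for the single %s placeholder.

    The guide also shows bare templates such as uid=%s; wrapping those in
    parentheses is an assumption about what the server expects."""
    if template.count("%s") != 1:
        raise ValueError("query filter must contain exactly one %s placeholder")
    if not template.startswith("("):
        template = "(" + template + ")"
    return template.replace("%s", escape_filter_value(user_id))


if __name__ == "__main__":
    # 'j*smith' must not turn into a wildcard match on sAMAccountName.
    print(fill_query_filter("(sAMAccountName=%s)", "j*smith"))
    print(fill_query_filter("(&(ObjectClass=inetOrgPerson)(cn=%s))",
                            "Smith (Sales)"))
    print(fill_query_filter("uid=%s", "jsmith"))
```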


3. Select a Directory Server to perform the search.

4. The Search Base is derived from the Search Base setting in Configuration > LDAP > Directory Servers.

You must make sure that you complete the Search Base string with information specific to your LDAP hierarchy. For example: cn=users,dc=example,dc=com.

5. Enter the Scope of the search.

• Base — Searches the base object only.
• One Level — Searches objects beneath the base object, but excludes the base object.
• Subtree — Searches the entire subtree of which the base distinguished name is the topmost object, including that base object.

6. Enter the Query Filter for the LDAP lookup.

For example, for Active Directory enter (sAMAccountName=%s).

For OpenLDAP, use (&(ObjectClass=inetOrgPerson)(cn=%s)). For iPlanet, use uid=%s.

7. Enter the Result Attribute that returns the user’s account.

For example, for Active Directory enter mail.

For OpenLDAP, use userPassword. For iPlanet, use mail.

8. If your organization has multiple LDAP domains, or if the domain of the WatchGuard XCS is different than the LDAP domain, then the LDAP authentication Bind method must be used for Web User authentication.

For example, for Active Directory, the LDAP Query Filter should consist of the user name, such as samAccountName=%s, and the Result Attribute should be mail.

For OpenLDAP, use cn=%s and mail .

This ensures proper matching for user, domain and group policies for this LDAP user.

9. Enter the maximum Timeout interval, in seconds, to wait for the search to complete.

Valid values are from 1 to 100 seconds.

10. Click the Test button to perform a test of the LDAP Authentication configuration.

11. Click Apply .


LDAP Virtual Mappings

Virtual Mappings are used to accept mail addressed for one domain and redirect it to a different domain. This process is performed without modifying the To: and From: headers in the mail. Virtual mappings only modify the envelope-recipient address.

For example, the system can be configured to accept mail for the domain @example.com and deliver it to @sales.example.com. This allows the system to distribute mail to multiple internal servers based on the Recipient: address of the incoming mail.

LDAP mappings are used to search LDAP-enabled directories for virtual mappings for a user.

See “Virtual Mappings” on page 56 for more information on Virtual Mappings.

LDAP Virtual Mappings have been tested with only Active Directory, and the examples shown are for Active Directory LDAP implementations. In most cases, Active Directory already performs its own internal virtual mapping translations so configuring LDAP Virtual Mappings is not required.

To configure LDAP Virtual Mappings:

1. Select Configuration > LDAP > Mapping .

2. Click Add .


3. Select a Directory Server to perform the search.

4. Enter the Search Base to start the search from. For example: cn=users,dc=example,dc=com.

5. Enter the Scope of the search.

• Base — Searches the base object only.
• One Level — Searches objects beneath the base object, but excludes the base object.
• Subtree — Searches the entire subtree of which the base distinguished name is the topmost object, including that base object.

6. Enter the Incoming Address attribute that defines the virtual mapping for a user.

For example, for Active Directory enter:

(proxyAddresses=smtp:%s)

7. Enter the Email attribute that returns the user’s email address. For example, for Active Directory enter: mail

8. Enter the maximum Timeout interval, in seconds, to wait for the search to complete.

Valid values are from 1 to 100 seconds.

9. Click the Test button to perform a test of the LDAP virtual mapping configuration.

10. Click Apply .


LDAP Recipients

The LDAP Recipients feature is used in conjunction with the Reject on Unknown Recipient feature which is configured in the Intercept menu. Reject on Unknown Recipient must be enabled for LDAP Recipients to work properly. When a mail message is received by the system, this feature searches an LDAP directory for the existence of a recipient’s email address. If that user address does not exist in the LDAP directory, the mail is rejected. This feature differs from the LDAP Users lookup option, which searches for a user in the imported locally-cached LDAP users database. The LDAP Recipients feature performs a direct lookup on a configured LDAP directory server for each address.

If using an Active Directory server, it is recommended that the LDAP Users function be used.

If Reject on Unknown Recipient is enabled for both LDAP Users and LDAP Recipients, the system will look up the local and mirrored LDAP Users first, and then send the direct query to an LDAP server.

To configure LDAP recipient lookups:

1. Select Configuration > LDAP > Recipients .

2. Click Add .


3. Select a Directory Server to perform the search.

4. Enter the Search Base to start the search from. For example: cn=users,dc=example,dc=com.

5. Enter the Scope of the search.

• Base — Searches the base object only.
• One Level — Searches objects beneath the base object, but excludes the base object.
• Subtree — Searches the entire subtree, of which the base distinguished name is the topmost object, including that base object.

6. Enter the Query Filter for the LDAP Recipients lookup.

For example, for Active Directory enter: (&(objectClass=person)(|(mail=%s)(proxyaddresses=SMTP:%s)))

For OpenLDAP and iPlanet, enter: (&(objectClass=person)(uid=%s))

7. Enter the Result Attribute that returns the user’s email address.

For example, for Active Directory, OpenLDAP, and iPlanet, enter: mail

8. Enter the maximum Timeout interval, in seconds, to wait for the search to complete.

Valid values are from 1 to 100 seconds.

9. Click the Test button to perform a test of the LDAP recipients configuration.

10. Click Apply .


LDAP SMTP Authenticated Relay

The LDAP SMTP Authenticated Relay feature allows authenticated clients to use this system as an external mail relay for sending mail. For example, you may have remote users that need to send mail via this system.

These client systems must use a login and password to authenticate to the system before being allowed to relay mail. These accounts can be set up locally, but you can also use LDAP relay authentication to authenticate the user to an LDAP directory server.

To configure LDAP Authenticated SMTP Relay:

1. Select Configuration > Mail > Mail Access .

2. Select the Permit SMTP Authenticated Relay and the LDAP Authenticated Relay check boxes.

3. Select Configuration > LDAP > Relay .

4. There are two different ways to provide LDAP support for SMTP authentication: using Bind, or querying the LDAP server directly.

For Active Directory and iPlanet implementations, use the Bind method. For OpenLDAP, use the Query Direct method.

• Bind — The Bind method will use the User ID and password to authenticate on a successful bind. The Query Filter must specify the User ID with a %s variable. For example, for Active Directory, enter (sAMAccountName=%s). The Result Attribute must be a User ID such as sAMAccountName. For iPlanet, use uid=%s for Query Filter, and mail for Result Attribute.
• Query Direct — The Query Direct method will query the LDAP server directly to authenticate a user ID and password. The Query Filter must specify the user ID, and the Result Attribute must specify the password. For OpenLDAP, use uid=%s for Query Filter, and userPassword for Result Attribute.

For the Bind or Query Direct method, the relay will be refused if the LDAP server direct query or bind attempt fails for any reason, such as an invalid user name or password, bad query, or if the LDAP server is not responding.

5. Select a method, and then click Add .

You can only use one method, Bind or Query Direct, for all defined LDAP servers.

6. Select a Directory Server to perform the search.

7. The Search Base is derived from the Search Base setting in Configuration > LDAP > Directory Servers.

You must make sure that you complete the Search Base string with information specific to your LDAP hierarchy. For example: cn=users,dc=example,dc=com.

8. Enter the Scope of the search.

• Base — Searches the base object only.
• One Level — Searches objects beneath the base object, but excludes the base object.
• Subtree — Searches the entire subtree of which the base distinguished name is the topmost object, including that base object.

9. Enter the Query Filter for the LDAP lookup.

For example, for Active Directory enter: (sAMAccountName=%s)

10. Enter the Result Attribute that returns the user’s account.

For example, for Active Directory enter: sAMAccountName

11. Enter the maximum Timeout interval, in seconds, to wait for the search to complete.

Valid values are from 1 to 100 seconds.

12. Click the Test button to perform a test of the LDAP relay configuration.

13. Click Apply.

LDAP Routing

LDAP routing allows a mail route for a recipient to be queried on a specified LDAP server. The destination mail server for that domain will be returned and the message will then be routed to that server. This is the preferred method for mail routing for organizations with a large number of domains. Any locally defined mail routes (in Configuration > Mail > Routing) will be resolved before LDAP routing.

LDAP routing has been tested only with iPlanet implementations but the examples provided should also work with OpenLDAP, depending on your LDAP schema.

To configure LDAP routing:

1. Select Configuration > LDAP > Routing.

2. Click Add to add a new LDAP route search.

3. Select a Directory Server to perform the search.

4. The Search Base is derived from the Search Base setting in Configuration > LDAP > Directory Servers.

You must make sure that you complete the Search Base string with information specific to your LDAP hierarchy. For example: cn=users,dc=example,dc=com.

5. Enter the Scope of the search.

• Base — Searches the base object only.

• One Level — Searches objects beneath the base object, but excludes the base object.

• Subtree — Searches the entire subtree of which the base distinguished name is the topmost object, including that base object.

6. Enter the Query Filter that will search for the Mail Domain of a recipient. For example, for iPlanet enter:

(&(cn=Transport Map)(uid=%s))

7. Enter the Result Attribute that returns the domain’s mail host. For example, for iPlanet enter: mailHost

8. Enter the maximum Timeout interval, in seconds, to wait for the search to complete.

Valid values are from 1 to 100 seconds.

9. Click the Test button to perform a test of the LDAP routing configuration.

10. Click Apply.

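The relay authentication methods (Bind and Query Direct) and the routing lookup described above share one mechanism: a Query Filter template whose %s variable is expanded with a value taken from the client (a user ID or a recipient domain), followed by a search whose Result Attribute decides the outcome. The following Python is an added example, not code from the WatchGuard XCS or its documentation. It expands the template with RFC 4515 escaping so that a crafted user ID cannot change the meaning of the filter, then runs both relay methods and an iPlanet-style transport-map routing lookup against a constructed in-memory directory that stands in for a real LDAP server (the DNs, the password value and the Transport Map entry are constructed sample data).

```python
import re

# Constructed stand-in for an LDAP directory (sample data, not from any real
# deployment). Each entry is a dict of attribute -> value; "dn" is the entry DN.
DIRECTORY = [
    {"dn": "cn=Ken R. Simon,cn=users,dc=example,dc=com",
     "sAMAccountName": "ksimon", "uid": "ksimon",
     "userPassword": "s3cret-example", "mail": "ksimon@example.com"},
    # Hypothetical iPlanet-style transport map entry: uid holds the mail domain.
    {"dn": "cn=Transport Map,dc=example,dc=com", "cn": "Transport Map",
     "uid": "example.com", "mailHost": "mx1.example.com"},
]


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515).
    Without this, a user ID such as "*)(objectClass=*" would rewrite the
    filter that the %s template expands into."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(template, value):
    """Expand the %s variable of a Query Filter template such as
    (sAMAccountName=%s) or (&(cn=Transport Map)(uid=%s)); a bare uid=%s
    template is wrapped in parentheses."""
    flt = template.replace("%s", escape_filter_value(value))
    return flt if flt.startswith("(") else "(" + flt + ")"


_ASSERTION = re.compile(r"\(([A-Za-z][\w.-]*)=([^()]*)\)")
_ESCAPED = re.compile(r"\\([0-9A-Fa-f]{2})")


def _unescape(value):
    return _ESCAPED.sub(lambda m: chr(int(m.group(1), 16)), value)


def search(directory, flt, result_attr):
    """Minimal evaluator: equality assertions, optionally AND-ed with (&...).
    Returns (dn, value of result_attr) for each matching entry that has it."""
    if "(|" in flt or "(!" in flt or "*" in flt:
        raise ValueError("unsupported filter: " + flt)
    pairs = [(a, _unescape(v)) for a, v in _ASSERTION.findall(flt)]
    if not pairs:
        raise ValueError("unsupported filter: " + flt)
    return [(e["dn"], e[result_attr]) for e in directory
            if result_attr in e and all(e.get(a) == v for a, v in pairs)]


def bind(directory, dn, password):
    """Simulated simple bind: succeeds only for a known DN with the right password."""
    return any(e["dn"] == dn and e.get("userPassword") == password for e in directory)


def relay_auth_bind(directory, template, result_attr, user_id, password):
    """Bind method: locate the account, then bind as it with the supplied password.
    Any failure (no match, several matches, bad password) refuses the relay."""
    hits = search(directory, build_filter(template, user_id), result_attr)
    return len(hits) == 1 and bind(directory, hits[0][0], password)


def relay_auth_query_direct(directory, template, result_attr, user_id, password):
    """Query Direct method: read the password attribute and compare it."""
    hits = search(directory, build_filter(template, user_id), result_attr)
    return len(hits) == 1 and hits[0][1] == password


def route_lookup(directory, template, result_attr, domain):
    """LDAP routing: map a recipient domain to its mail host, or None if unknown."""
    hits = search(directory, build_filter(template, domain), result_attr)
    return hits[0][1] if len(hits) == 1 else None


if __name__ == "__main__":
    print(relay_auth_bind(DIRECTORY, "(sAMAccountName=%s)", "sAMAccountName",
                          "ksimon", "s3cret-example"))
    print(relay_auth_query_direct(DIRECTORY, "uid=%s", "userPassword",
                                  "ksimon", "s3cret-example"))
    print(build_filter("(sAMAccountName=%s)", "*)(objectClass=*"))
    print(route_lookup(DIRECTORY, "(&(cn=Transport Map)(uid=%s))", "mailHost",
                       "example.com"))
```

The escaping step is the point to keep: the %s value comes straight from the SMTP client, so a user ID containing `*`, `(` or `)` must reach the directory as literal characters, not as filter syntax.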

Troubleshooting LDAP Issues

The following sections describe several common LDAP problems and procedures for their resolution.

Cannot contact the LDAP server

The following error may be displayed in the logs if LDAP User imports are failing or the server test function is performed:

Nov 16 17:03:13 server root: ldap_bind: Can't contact LDAP server (81)

Examine the following:

• Verify that the LDAP Server is up and running.

• In Configuration > LDAP > Directory Servers, verify the address of the LDAP Server.

• Make sure that LDAP or LDAPS is used properly in the LDAP server URI.

• Make sure nothing is blocking LDAP traffic between the WatchGuard XCS and the LDAP Server. For example, if the WatchGuard XCS is installed on a network segment separated from the LDAP Server by the network firewall, make sure it can connect to the LDAP server via TCP port 389 (LDAP) or 636 (LDAPS).

• Test connectivity with the LDAP Server by using telnet to connect to the LDAP Server on port 389 or 636.

LDAP user and group imports are failing

If the system is not importing any LDAP Users and Groups, check Activity > Logs > System for any of the following errors:

Nov 19 14:14:23 hostname spl: ALARM: LDAP import: serious: Import of users failed.

Nov 19 14:14:23 hostname spl: LDAP import of users failed.

Nov 19 14:14:23 hostname root: ldap_bind: Invalid credentials (49)

These messages indicate that the system can contact the LDAP Server, but either the user does not have the correct credentials to perform a search, or the Bind DN does not exist.

• In Configuration > LDAP > Directory Servers, verify that you specified the correct Bind DN.

• Verify the Bind DN is correct. The configured Bind DN user on the system is only used to search the LDAP Server. In Active Directory, it can be any user in the Domain Users Group. In an Active Directory environment the DN would typically look something like: cn=User name,cn=users,dc=example,dc=com

For example: cn=Ken R. Simon,ou=users,dc=example,dc=com

• Verify that the user can log in to the domain. If this user cannot log in to the domain, verify the user name and password.

Mirror accounts are not created

If the system is able to connect to the LDAP Server and import users, but fails to create any or only some mirrored accounts, examine the following:

• If the system is not creating any mirrored users, make sure that Mirror Accounts is enabled in Configuration > LDAP > Directory Users > Import Settings.

• Verify that the search base is correct and is not too restrictive. Try re-importing with a wider search base.

• Make sure that the email attribute is set correctly in Configuration > LDAP > Directory Users. In most environments it is set to mail.

• Verify that users have an assigned email address. The system will only create mirrored accounts for user accounts that have an email address. In Active Directory, make sure the user has a valid email address.

• If a valid email address exists, verify that the system can view it using the Test button in Configuration > LDAP > Directory Users. Specify the user in the LDAP Query field, for example, (sAMAccountName=username), and use mail as the attribute for the returned data.

# extended LDIF
#
# LDAPv3
# base with scope sub
# filter: (sAMAccountName=ksimon)
# requesting: mail
#
# Ken R. Simon, users, example.com
dn: CN=Ken R. Simon,OU=users,DC=example,DC=com
mail: [email protected]

In the previous example, the final line indicates the mail attribute returned.

LDAP authentication failures

If the system can contact the LDAP server but you receive the error message “Invalid Login” when you try to log in, check Activity > Logs > System to see why the login failed.

Typically you will receive an error message similar to the following:

Nov 22 15:24:49 server login.spl: fail login as 'jsmith' [dom:0]: Invalid RADIUS/LDAP login [ip:10.10.8.224]

Verify that the user actually exists by using the LDAP Test feature in Configuration > LDAP > Directory Users, and clicking the Test button. For the LDAP Query, specify the user name attribute and the user name. For example, for Active Directory use (sAMAccountName=jsmith).

If the LDAP test does not return any results from the search, the user name may be incorrect or nonexistent, or the search base may be too restrictive. Repeat the test with a broader search base. If the system still does not find the user after this step, verify that the user name exists by checking the directory server itself.

If the LDAP test does find the user, the password may be incorrect, or the user cannot log in because the user does not have the required permissions or the account is disabled. Verify that the user can log in to the domain.
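As an added example (not part of the guide or the product), the following Python triages a constructed sample of the log lines quoted in these troubleshooting sections. It maps each ldap_bind result code and each failed login to the check the corresponding section recommends, and counts login failures per source IP so that repeated failures from one host stand out in the System log. The sample log, including the unrelated final line, is constructed.

```python
import re
from collections import Counter

# Constructed sample, modelled on the log lines quoted in the guide; the last
# line is unrelated noise included to show that it is ignored.
SAMPLE_LOG = """\
Nov 16 17:03:13 server root: ldap_bind: Can't contact LDAP server (81)
Nov 19 14:14:23 hostname spl: ALARM: LDAP import: serious: Import of users failed.
Nov 19 14:14:23 hostname spl: LDAP import of users failed.
Nov 19 14:14:23 hostname root: ldap_bind: Invalid credentials (49)
Nov 22 15:24:49 server login.spl: fail login as 'jsmith' [dom:0]: Invalid RADIUS/LDAP login [ip:10.10.8.224]
Nov 22 15:24:58 server login.spl: fail login as 'jsmith' [dom:0]: Invalid RADIUS/LDAP login [ip:10.10.8.224]
Nov 22 15:25:01 server cron: housekeeping finished
"""

# LDAP result codes that appear in the guide, with the check each one points to.
LDAP_RESULT_CODES = {
    81: ("server_unreachable",
         "check that the server is up, the address/URI (ldap vs ldaps) in "
         "Configuration > LDAP > Directory Servers, and TCP 389/636 reachability"),
    49: ("invalid_credentials",
         "check the Bind DN and its password; the Bind DN user only needs search rights"),
}

_BIND_ERR = re.compile(r"ldap_bind: (?P<text>.+?) \((?P<code>\d+)\)\s*$")
_LOGIN_FAIL = re.compile(
    r"fail login as '(?P<user>[^']+)'.*Invalid RADIUS/LDAP login \[ip:(?P<ip>[\d.]+)\]")
_IMPORT_FAIL = re.compile(r"LDAP import.*failed", re.IGNORECASE)


def classify_line(line):
    """Map one log line to a finding dict, or None for lines that are not LDAP-related."""
    m = _BIND_ERR.search(line)
    if m:
        code = int(m["code"])
        category, hint = LDAP_RESULT_CODES.get(
            code, ("ldap_error", "look up LDAP result code %d" % code))
        return {"category": category, "code": code, "text": m["text"], "hint": hint}
    m = _LOGIN_FAIL.search(line)
    if m:
        return {"category": "login_failure", "user": m["user"], "ip": m["ip"],
                "hint": "confirm the user exists with the LDAP Test in Configuration > "
                        "LDAP > Directory Users, then check password, permissions and "
                        "whether the account is disabled"}
    if _IMPORT_FAIL.search(line):
        return {"category": "import_failed",
                "hint": "symptom only; read the ldap_bind line logged with it for the cause"}
    return None


def triage(log_text):
    """Return (findings in log order, login failures per source IP)."""
    findings = [f for f in map(classify_line, log_text.splitlines()) if f]
    per_ip = Counter(f["ip"] for f in findings if f["category"] == "login_failure")
    return findings, dict(per_ip)


if __name__ == "__main__":
    found, by_ip = triage(SAMPLE_LOG)
    for f in found:
        print(f["category"], "->", f["hint"])
    print("login failures per IP:", by_ip)
```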

5 Message Security

SMTP Mail Access

The Mail Access screen allows you to configure features that provide security when the system is accepting mail during an SMTP connection.

To configure your SMTP mail access settings:

1. Select Configuration > Mail > Access .


Specific Access Patterns

Specific Access Patterns can be used to search for patterns in a message for filtering during the SMTP connection. See “Specific Access Patterns” on page 94 for detailed information on configuring these filters.

Pattern Based Message Filtering

Enable this option to use Pattern Filters to reject or accept mail based upon matches in the message envelope, header, or body. See “Pattern Filters” on page 137 for detailed information on configuring Pattern Filters.

Maximum recipients per message

Set the maximum number of recipients accepted per message. A very large number of recipients means the message is more likely to be spam or bulk mail. The default is set to 1000.

Maximum recipients reject code

Allows administrators to define other errors to return instead of the default “452 Error: too many recipients” error, such as permanently rejecting the connection “554”.

Maximum message size

Set the maximum message size (in bytes) that will be accepted by the system. The default is 10240000 bytes. Note that processing large messages decreases mail processing performance.

The Attachment Size Limit option configured in Security > Content Control > Attachment Control is also set to 10240000 bytes, and the threshold will be exceeded if the attachment size is close to the attachment size limit. We recommend that you set the Maximum Message Size value to at least 1.5 times the value of the Attachment Size Limit option. When attachments are sent with most email messages, the message size grows considerably due to the encoding methods used. The maximum message size should be set accordingly to accommodate attachments. Attachments are sent base64 encoded, not in their binary form. Base64 encoding can increase the size of a file to up to 140% of its original size. This means that a 9MB attachment is actually 13MB in size, and would exceed a message size limit of 10MB. The additional overhead caused by base64 encoding should be considered when deciding a maximum message limit.

Minimum Queue Free Space (Cluster Primary Only)

This option only appears on a Cluster Primary system and allows administrators to set the minimum amount of free space in kilobytes that is required in the queue file system to receive messages. If the system has less than the specified free space, messages will be rejected with a “452: Insufficient system storage” error. This value must at minimum be greater than 1.5 times the specified Maximum message size, and at maximum 50 GB. The default value is automatically calculated for clusters with all the same hardware, and this configuration is replicated across all cluster systems. In a cluster that contains systems of different types of hardware, you must set this value to 20% of the total System Data Storage Area space available according to the cluster member with the least space. This information can be obtained via Activity > Status > Status & Utility on the cluster member. For example, if the cluster system with the least amount of System Data Storage Area space has 10 GB available, then set this value to 2097152 KB (2 GB).

The Minimum Queue Free Space value is not synchronized via Centralized Management.

Maximum Unknown recipients per message

This value determines how many unknown recipients are allowed in the message before it will be rejected by the system. A high number of unknown recipients indicates the message is likely spam or a denial of service attempt.


Maximum Unknown recipients reject code

This value indicates the SMTP reject code to use when the maximum unknown recipients value is exceeded. This should be set to either “421” (temporary reject) or “554” (permanent reject).

SMTP Authenticated Relay

This feature allows authenticated clients to use the system as an external mail relay for sending mail. For example, you may have remote users who need to send mail via this system. Clients must use a login and password to authenticate to the system before being allowed to relay mail.

These accounts can be local or they can be authenticated via LDAP.

LDAP SMTP Authentication

SMTP authentication can also be performed via an LDAP directory server. Select the check box to enable LDAP Authenticated Relay, and select the link to configure its options. This feature can also be configured via Configuration > LDAP > Relay. See “LDAP SMTP Authenticated Relay” on page 85 for detailed information on configuring LDAP Authenticated Relay.

SMTP Banner

The SMTP banner is exchanged during the HELO/EHLO session of an SMTP connection. This banner contains identifying information for your mail server which can be used as information to launch attacks against the system. This option allows you to customize the SMTP banner and also remove the system’s hostname by using the Domain only option.

Queue Monitoring

The Queue Monitoring feature allows administrators to modify the system’s behavior depending on how large the incoming mail queue is. Delivery of queued mail can be given higher priority than receiving new mail when a certain threshold is reached to process the current mail queue faster. At the maximum threshold, incoming requests can be temporarily rejected to allow the queue to process current messages first.

Select the Monitor Mail Queue Size option to enable incoming queue thresholds.

• Minor Queueing — If the active queue size reaches this threshold, the system will slightly increase the priority of mail delivery over mail receiving.

• Medium Queueing — If the active queue size reaches this threshold, the system will significantly increase the priority of mail delivery over mail receiving.

• Significant Queueing — If the active queue size reaches this threshold, the system will temporarily reject any new mail and notify the system administrator.

2. Click Apply.

Specific Access Patterns

Specific Access Patterns are always enabled by default and can be used to either accept or reject mail during an SMTP connection. These rules override all others. Use these special cases to allow email where it would be otherwise blocked, or to block email when it would otherwise be allowed. Specific access patterns allow an administrator to respond to local filtering requirements such as the following:

• Allowing other systems to relay mail through the system

• Rejecting all messages from specific systems

• Allowing all messages from specific systems (effectively trusting the server)

When you specify a Specific Access Pattern rule, it can take one of the following forms:

• IP Address — The system will match the IP address, such as 192.168.1.10, or you can use a more general address form such as 192.168 that will match anything in that address space. For the Client Access parameter, the system also supports CIDR (Classless Inter-Domain Routing) format so that administrators can specify a pattern for a network such as 192.168.0.0/24.

• Domain Name — The system will match the supplied domain name, such as example.com, with any subdomain such as mail.example.com, sales.mail.example.com and so on.

• Address — The system will match an exact email address, such as [email protected], or a more general rule such as @example.com.

To add a new Specific Access Pattern:

1. Select Configuration > Mail > Access.

2. Click Add Pattern.

3. In the Pattern field text box, enter a mail address, IP address, hostname, or domain name.

• Client Access — Specify a domain, server hostname, or IP address. This item is the most reliable and may be used to block spam as well as trust clients.

• HELO Access — Specify either a domain or server name.

• Envelope-From Access — Specify a valid email address.

• Envelope-To Access — Specify a valid email address.

Only the Client Access parameter can be relied upon since spammers can easily forge all other message properties. These parameters can be useful for trusting purposes.


4. In the If pattern matches drop-down list, select an action to perform:

• Reject — The connection will be rejected.

• Allow Relaying — When the Allow Relaying action is used:

  - Messages from the specified address are accepted for processing by the system
  - Messages will be checked by all features including Anti-Virus, Content Control, Anti-Spam, ReputationAuthority, and DNSBL (DNS Block List) features
  - Messages will not be checked by the Reject on Unknown Recipient feature
  - Messages can be relayed externally

• Trust — This option treats the server or message as part of the trusted network. When the Trust action is used:

  - Messages from the specified address are accepted for processing by the system
  - Messages will be checked by the Anti-Virus and Content Control features
  - Messages will not be checked by the Anti-Spam features
  - Messages will not be checked by the Reject on Unknown Recipient feature
  - Messages will not be checked by the ReputationAuthority and DNSBL (DNS Block List) features
  - Messages can be relayed externally
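The following is an added Python example, not the product's own matching code, that shows how the four pattern forms above (exact IP, leading-octet prefix, CIDR, domain with subdomains, exact address or @domain) can be matched against an SMTP connection, and how the action of the first matching rule determines which later checks are bypassed. The rule set, hostnames and addresses are constructed, and the assumption that rules are evaluated in the order they are configured is mine rather than the guide's.

```python
import ipaddress

# Which later checks each action bypasses, as listed in the guide.
CHECKS_SKIPPED = {
    "Reject": set(),
    "Allow Relaying": {"Reject on Unknown Recipient"},
    "Trust": {"Anti-Spam", "Reject on Unknown Recipient", "ReputationAuthority", "DNSBL"},
}


def match_domain(pattern, name):
    """Domain patterns match the name itself and every subdomain of it."""
    if not name:
        return False
    p, n = pattern.lower().rstrip("."), name.lower().rstrip(".")
    return n == p or n.endswith("." + p)


def match_client(pattern, client_ip, client_hostname=None):
    """Client Access: CIDR block, exact IP, leading-octet prefix such as
    '192.168', or a domain/hostname matched against the client's name."""
    if "/" in pattern:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    octets = pattern.split(".")
    if all(o.isdigit() for o in octets):
        return client_ip.split(".")[:len(octets)] == octets
    return match_domain(pattern, client_hostname)


def match_address(pattern, address):
    """Address patterns: an exact mailbox, or '@example.com' for that whole domain."""
    if not address:
        return False
    p, a = pattern.lower(), address.lower()
    if p.startswith("@"):
        return a.rpartition("@")[2] == p[1:]
    return a == p


_MATCHERS = {
    "Client Access": lambda pat, c: match_client(pat, c["client_ip"], c.get("client_hostname")),
    "HELO Access": lambda pat, c: match_domain(pat, c.get("helo")),
    "Envelope-From Access": lambda pat, c: match_address(pat, c.get("mail_from")),
    "Envelope-To Access": lambda pat, c: match_address(pat, c.get("rcpt_to")),
}


def evaluate(rules, connection):
    """Return the action of the first rule that matches the connection
    (assumption: rules are evaluated in configured order), or None if none applies."""
    for rule in rules:
        if _MATCHERS[rule["type"]](rule["pattern"], connection):
            return rule["action"]
    return None


def skipped_checks(action):
    """The checks a matched action bypasses; an empty set for Reject or no match."""
    return CHECKS_SKIPPED.get(action, set())


# Constructed rule set for illustration.
RULES = [
    {"type": "Client Access", "pattern": "192.168.0.0/24", "action": "Allow Relaying"},
    {"type": "Client Access", "pattern": "10.10", "action": "Reject"},
    {"type": "Client Access", "pattern": "partner.example.net", "action": "Trust"},
    {"type": "Envelope-From Access", "pattern": "@spam.example.org", "action": "Reject"},
]

if __name__ == "__main__":
    conn = {"client_ip": "203.0.113.7", "client_hostname": "mx.partner.example.net"}
    action = evaluate(RULES, conn)
    print(action, "-> skips", sorted(skipped_checks(action)))
```

Only the Client Access match uses a property the client cannot freely choose (its source address); the HELO and envelope matchers act on values supplied by the sender, which is why the guide recommends relying on Client Access for blocking.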

Anti-Virus

The virus scanning feature scans all messages (inbound and outbound) passing through the system for viruses. The WatchGuard XCS integrates the Kaspersky Anti-Virus engine which is one of the highest rated virus scanning technologies in the world. Virus scanning is tightly integrated with the message processing engine for maximum efficiency.

Viruses can be selectively blocked depending on whether they are found in inbound or outbound messages, and attachments are recursively disassembled to make sure that viruses cannot be concealed. When a virus-infected message is received, it can be rejected, deleted, quarantined, or the event can be simply logged.

Quarantined messages may be viewed, downloaded, or deleted. Quarantined messages can also be automatically deleted based on age.

By default, any message attachments that cannot be opened and examined by the scanner because of password-protection are quarantined. This feature prevents password-protected zip files that contain viruses or worms from being passed through the system.

Virus pattern files are automatically downloaded at regular intervals to make sure that they are always up to date. Notification messages can be sent to the sender, recipient, and administrator when an infected message is received.

Kaspersky Anti-Virus also includes an extended database to detect spyware and malware, and provides independent actions for messages that contain spyware and malware programs.


To configure Anti-Virus scanning:

1. Select Security > Anti-Virus > Anti-Virus.

2. Select the Enable Kaspersky virus scanning check box.

3. In the Treat as a Virus section, select from the following options:

Attachments resembling a known virus

Some types of attachments may resemble a known virus pattern and could contain malicious code. It is strongly recommended that you treat attachments with code that resembles a known virus as if they contained a virus.

Attachments containing unknown viral code

The Anti-Virus scanner can detect code that resembles the patterns of a virus. It is strongly recommended that you treat attachments containing suspected viral code as if they contained viruses.

Corrupt attachments

The Anti-Virus scanner may not be able to scan corrupted attachments which may contain viruses. It is strongly recommended that you treat corrupt attachments as if they contained viruses.

Password-protected attachments

Attachments protected by a password cannot be opened by the Anti-Virus scanner and could contain viruses. It is strongly recommended that you treat attachments that cannot be opened as if they contained viruses.

Attachments causing scan errors

Attachments that are causing errors while being scanned by the Anti-Virus scanner may contain viruses. It is strongly recommended that you treat attachments that cause scanning errors as if they contained viruses.

4. Configure the Email Action to be performed for both inbound and outbound mail.

• Just log — Log the event and take no further action.

• Reject mail — Reject the message with notification to the sending system.

• Quarantine mail — Place the message into the administrative quarantine area. This is the default action.

• Discard mail — Discard the message without notification to the sending system.


5. Select the notifications you want to send when a virus is detected in a message, including notifications to the Sender, Recipient, and Administrator.

6. The inbound notification and outbound notification text can be customized as required.

Variables such as %HOSTNAME% are inserted by the system. See “Customizing Notification and Annotation Messages” on page 611 for a full list of system variables that can be used in the notification.

Updating pattern files

Virus pattern files must be continuously updated to make sure that you are protected from new virus threats.

The frequency of virus pattern file updates can be configured from the Virus Pattern Files section. The system automatically contacts a default update server to update the pattern files at the specified time.

The administrator can optionally define alternate sites to retrieve the Anti-Virus pattern update files from an internal location before obtaining them from external sites. The administrator can specify up to two user-defined update servers. The primary and alternate user-defined servers will be queried in order. If the primary server cannot be contacted, the system will attempt to retrieve the update from the alternate server. If the user-defined fields are not configured, the system default servers will be used to retrieve the updates from external sites.

Kaspersky User-Defined Server (Optional)

Specify a URL indicating the hostname and directory of the primary web server hosting the pattern file using the syntax: http://<host>/<pathname>

Kaspersky User-Defined Alternate Server (Optional)

Specify a URL indicating the hostname and directory of the alternate web server hosting the pattern file. It is recommended that the alternate server be the default system update server.

Update interval (mins)

Select the time interval to configure how often to check for pattern file updates. Options include 15, 30, and 60 minutes.

Manual Update

Pattern files can be updated manually by clicking the Get Pattern Now button.

Kaspersky Anti-Virus Status

Displays the date and time of the last update.

If you access the Internet through a proxy server, you must enter its hostname and port number in the system’s external proxy configuration (accessed via Configuration > Network > External Proxy Server) for updates to succeed.

Configuring Anti-Virus in a policy

To configure Kaspersky Anti-Virus in a policy:

1. Select Policies.

2. Select an existing policy to configure its settings or create a new policy.

3. Select Anti-Spam and Anti-Virus.

4. In the Anti-Virus section, enable or disable Kaspersky Anti-Virus scanning as required for this policy, or select Undefined to use the inherited settings from another policy, the default policy, or the global settings.

5. Actions and notifications can be set independently for each inbound and outbound protocol, such as Email and HTTP, when a virus is detected in the message.

Notification settings for HTTP can only be customized in the Default policy. Email notifications are configured in the Anti-Virus global configuration.

Spyware Detection

The Kaspersky Anti-Virus scanner can detect specific spyware and malware threats in addition to Anti-Virus scanning for inbound and outbound Email messages and HTTP requests.

Spyware detection can be enabled or disabled globally and via policies. Protocol scanning, actions, and notifications for spyware detection can be configured independently of the global Anti-Virus scanner configuration.

The Spyware action will be performed after any applicable Anti-Virus action.

To configure Spyware Detection globally:

1. Make sure Kaspersky Anti-Virus is enabled via Security > Anti-Virus > Anti-Virus.

Spyware cannot be enabled and configured until Kaspersky Anti-Virus is enabled.

2. Select Security > Anti-Virus > Spyware.

3. Select the Enable Kaspersky spyware scanning check box.

4. Configure the spyware Action to be performed for both inbound and outbound mail messages.

This action will take place after any Anti-Virus actions.

• Just log — Log the event and take no further action.

• Reject mail — Reject the message with notification to the sending system.

• Quarantine mail — Place the message into the administrative quarantine area. This is the default action.

• Discard mail — Discard the message without notification to the sending system.

5. Select the notifications you want to send when a virus is detected in a message, including notifications to the Sender, Recipient, and Administrator.

6. The inbound notification and outbound notification text can be customized as required.

Spyware actions for HTTP requests must be set in a policy. Email spyware actions can be set both globally and within a policy.

Configuring spyware detection in a policy

To configure Kaspersky spyware detection in a policy:

1. Select Policies.

2. Select an existing policy to configure its settings or create a new policy.

3. Select Anti-Spam and Anti-Virus.

4. In the Spyware section, enable or disable Kaspersky Spyware scanning as required for this policy, or select Undefined to use the inherited settings from another policy, the default policy, or the global settings.

5. Actions and notifications can be set independently for each inbound and outbound protocol, such as Email and HTTP, when spyware is detected in the message.

Notification settings for HTTP can only be customized in the Default policy. Email notifications are configured in the spyware global configuration.


Outbreak Control

The Outbreak Control feature provides customers with zero-day protection against early virus outbreaks. For most virus attacks, the time from the moment the virus is released to the time a pattern file is available to protect against the virus can be several hours. During this period, mail recipients are vulnerable to potential threats.

Outbreak Control can detect and take action against early virus outbreaks to contain the virus threat. If a message is classified as containing a possible virus, the message can be quarantined, deleted, or the event can be logged. When an updated Anti-Virus pattern file is received, any quarantined files will be re-scanned automatically. If a virus is detected with the new pattern file, the configured Anti-Virus action is performed on the message. If the hold period for a message in the quarantine expires and the message has not been positively identified as a virus during that time, the configured release action will be performed.

The system will examine incoming untrusted messages and look for the following characteristics when deciding if the message indicates an early virus threat:

• The message originates from an IP address that has recently sent viruses and it contains an executable or common office document attachment. To detect if the client has recently sent viruses, the Mail Anomalies feature and the Recent virus from Client option must be enabled.

• The message originates from an IP address with a poor ReputationAuthority reputation and it contains an executable or common office document attachment. To detect addresses with a poor reputation, the ReputationAuthority feature must be enabled.

• The Anti-Virus scanner detects attachments that resemble a known virus or contain unknown viral code.

• The message was malformed, or was blocked by Attachment Control and the action was set to Discard or Reject. If the message is automatically released by Outbreak Control, the original Malformed Mail or Attachment Control action will take effect.

The following table lists the types of executable files and common office document formats that are scanned by Outbreak Control:

Executable: .bat, .chm, .cmd, .com, .dll, .drv, .exe, .js, .jse, .nlm, .ovl, .pif, .scr, .shs, .sys, .vbe, .vbs, .vxd

Common Office Documents: .doc, .dot, .ppt, .wk1, .wks, .wp, .xls

To configure Outbreak Control:

1. Select Security > Anti-Virus > Outbreak Control.

2. Select the Email Action to perform if a message is detected as having a possible virus:

• Just Log — The message will be delivered and an entry added to the logs.

• Reject mail — Reject the message with notification to the sender.

• Quarantine mail — Place the message into the administrative quarantine area. This is the default action.

• Discard mail — Discard the message without notification to the sender.

3. Enter the Hold Period (in hours) for which to hold the message in the administrative quarantine area.

The default hold period is 8 hours. In most cases, the Anti-Virus pattern files will be updated within 2-4 hours of a new virus being discovered. It is recommended that you configure enough time to allow the opportunity for the files to be rescanned with updated Anti-Virus pattern files as they become available. If the Quarantine expiration period is set to a value less than the Hold Period, the expiry period takes precedence and the held message will be expired.

During the hold period, if a quarantined message is rescanned and determined to have a virus, the configured Anti-Virus action will be performed, as set in Security > Anti-Virus > Anti-Virus . If the hold period expires and the message has been determined not to be infected with a virus, the Release action will be performed.

4. Select the users who will receive a Notification if a message is detected as having a possible virus, including the Recipients, the Sender, and the Administrator.

5. Enter the text for the automated Notification Message .

6. Select the Action to perform if the Hold Period has elapsed for a quarantined message:

• Just Notify — A message will be sent to notify the specified users that the Hold Period for a quarantined message has elapsed without it being classified as a virus. The message will remain in the quarantine until released manually by the administrator.

• Release mail — The message will be automatically released from the quarantine and delivered to the original recipients. Notifications can also be enabled to notify users when the message is released. If the message was discarded or rejected by Attachment Control or Malformed Mail and was then quarantined by Outbreak Control, the message will be discarded on release. The final action will be Outbreak Control and Quarantine because of a possible virus.

7. Select the users who will receive a Notification if a message is released from the quarantine, including the Recipients, the Sender, and the Administrator.

8. Enter the text for the automated Notification Message .

In Activity > History > Message History, the disposition of messages caught by Outbreak Control can be searched for based on the subject containing “possible virus”.
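The following is an added example, not code from the guide or the appliance: a Python model of the Outbreak Control decision described above, covering the extension table, the four triggering conditions (honouring whether Mail Anomalies and ReputationAuthority are enabled), the precedence of a shorter quarantine expiration over the Hold Period, and the disposition of a held message after a rescan or after the hold elapses. The Message fields are hypothetical names for the signals the guide describes, and the sample messages are constructed.

```python
import os
from dataclasses import dataclass, field

# Extension table from the guide: attachment types Outbreak Control looks for.
EXECUTABLE = {".bat", ".chm", ".cmd", ".com", ".dll", ".drv", ".exe", ".js", ".jse",
              ".nlm", ".ovl", ".pif", ".scr", ".shs", ".sys", ".vbe", ".vbs", ".vxd"}
OFFICE = {".doc", ".dot", ".ppt", ".wk1", ".wks", ".wp", ".xls"}


def is_watched_attachment(filename):
    """True for executable or common office document types (case-insensitive)."""
    return os.path.splitext(filename.lower())[1] in EXECUTABLE | OFFICE


@dataclass
class Message:
    """Constructed view of the signals Outbreak Control combines (hypothetical field names)."""
    trusted: bool
    attachments: list = field(default_factory=list)
    client_recent_virus: bool = False        # Mail Anomalies: Recent virus from Client
    client_poor_reputation: bool = False     # ReputationAuthority verdict for the client IP
    av_suspect: bool = False                 # resembles a known virus / unknown viral code
    blocked_discard_or_reject: bool = False  # Malformed Mail or Attachment Control hit


def outbreak_reasons(msg, anomalies_enabled=True, reputation_enabled=True):
    """List why a message counts as a possible virus; empty means no Outbreak action."""
    if msg.trusted:
        return []  # only untrusted incoming messages are examined
    reasons = []
    watched = any(is_watched_attachment(a) for a in msg.attachments)
    if anomalies_enabled and msg.client_recent_virus and watched:
        reasons.append("recent virus from client + executable/office attachment")
    if reputation_enabled and msg.client_poor_reputation and watched:
        reasons.append("poor ReputationAuthority reputation + executable/office attachment")
    if msg.av_suspect:
        reasons.append("attachment resembles a known virus or contains unknown viral code")
    if msg.blocked_discard_or_reject:
        reasons.append("malformed, or blocked by Attachment Control with Discard/Reject")
    return reasons


def effective_hold_hours(hold_period_hours, quarantine_expiry_hours):
    """A quarantine expiration period shorter than the Hold Period takes precedence."""
    return min(hold_period_hours, quarantine_expiry_hours)


def quarantine_outcome(virus_found_on_rescan, hold_elapsed, release_action, originally_blocked):
    """Disposition of a held message after a rescan or once the hold period ends."""
    if virus_found_on_rescan:
        return "anti-virus action"  # the action set in Security > Anti-Virus > Anti-Virus
    if not hold_elapsed:
        return "held"
    if release_action == "Just Notify":
        return "held until released by the administrator"
    if release_action == "Release mail":
        return "discarded" if originally_blocked else "delivered to original recipients"
    raise ValueError("unknown release action: " + release_action)


if __name__ == "__main__":
    sample = Message(trusted=False, attachments=["invoice.exe"], client_recent_virus=True)
    print(outbreak_reasons(sample))
    print("effective hold:", effective_hold_hours(8, 6), "hours")
    print(quarantine_outcome(False, True, "Release mail", originally_blocked=False))
```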


Malformed Mail

Many viruses try to elude virus scanners by concealing themselves in malformed messages. The scan engines cannot detect the attachment and therefore pass the complete message through to an internal server. Some mail clients try to rebuild malformed messages and may rebuild or activate a virus-infected attachment. Other types of malformed messages are designed to attack mail servers directly. Most often these types of messages are used in denial-of-service (DoS) attacks.

The system analyzes each message with extensive integrity checks. Malformed messages are quarantined if they cannot be processed.

To configure malformed mail scanning:

1. Select Security > Anti-Virus > Malformed Mail.

2. Select the Malformed Scanning check box.

3. Select the Enable NULL Character Detect check box to treat messages containing null characters (a byte value of 0) in the raw mail body as malformed.

The null character detection feature may cause incompatibility with certain mail servers and it is recommended that this feature be disabled if issues occur.

4. Select an Action to be performed when a malformed message is detected.

• Just log — Log the event and take no further action.

• Reject mail — Reject the message with notification to the sending system.

• Quarantine mail — Place the message into the administrative quarantine area. This is the default action.

• Discard mail — Discard the message without notification to the sending system.

5. Select which Notifications to send for all recipients, the sender, and the administrator.

6. Customize the content for the notification message.


7. Specify the Action to be performed when a very malformed message is detected by the system.

A very malformed message may cause scanning engine latency.

• Just log — Log the event and take no further action.

• Quarantine mail — Place the message into the administrative quarantine area.

• Temporarily Reject Mail — Return an error to the sending server and do not accept the mail. The mail delivery can be attempted again after a period of time.

• Reject mail — Reject the message with notification to the sending system.

• Discard mail — Discard the message without notification to the sending system.

8. Select the Notify option to send notifications, using the malformed notification settings configured on this page (Security > Anti-Virus > Malformed Mail), whenever any action except Just Log is performed.

Messages that are very malformed have not been virus scanned, checked by Attachment Control, or scanned for spam, because the engines could not parse them. With the Just log action such a message is still delivered without those checks, so prefer Quarantine mail or one of the reject actions unless there is a specific reason to let it through.
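The guide does not enumerate the integrity checks the engine applies. As an added illustration (this is not WatchGuard's code), the following Python script applies four simple checks of the kind described above to constructed sample messages: a header line without a colon, null bytes in the raw body (the NULL Character Detect option, switchable with the null_detect flag), bare CR or LF line endings, and a multipart boundary that is declared but never closed. The sample messages and the check names are constructed for this example.

```python
"""Illustrative malformed-mail checks, added as an example; not the XCS engine.
Sample messages below are constructed in CRLF wire format."""
import re
from typing import List


def body_offset(raw: bytes) -> int:
    """Index of the first byte after the blank line that ends the header section."""
    m = re.search(rb"\r?\n\r?\n", raw)
    return m.end() if m else len(raw)


def check_message(raw: bytes, null_detect: bool = True) -> List[str]:
    """Return the integrity problems found; an empty list means the message
    passed these checks.  null_detect mirrors 'Enable NULL Character Detect'."""
    problems: List[str] = []
    split = body_offset(raw)
    headers, body = raw[:split], raw[split:]

    # Every non-empty, non-continuation header line must look like 'Name: value'.
    for line in headers.split(b"\r\n"):
        if not line or line[:1] in (b" ", b"\t"):   # blank or folded continuation
            continue
        if b":" not in line:
            problems.append(f"header line without colon: {line[:40]!r}")

    # Null bytes in the raw body: parsers and clients disagree on how to treat them.
    if null_detect and b"\x00" in body:
        problems.append("NUL byte in body")

    # A lone CR or LF (not part of CRLF) is a classic way to desynchronise parsers.
    if re.search(rb"(?<!\r)\n|\r(?!\n)", raw):
        problems.append("bare CR or LF line ending")

    # A multipart boundary is declared in the headers but the closing
    # delimiter '--boundary--' never appears, so the last part is unterminated.
    m = re.search(rb'boundary="?([^"\r\n;]+)"?', headers, re.IGNORECASE)
    if m and b"--" + m.group(1) + b"--" not in body:
        problems.append("multipart boundary never closed")
    return problems


# Constructed samples (not real traffic).
GOOD = (b"From: a@example.com\r\nTo: b@example.com\r\nSubject: ok\r\n"
        b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"XX\"\r\n\r\n"
        b"--XX\r\nContent-Type: text/plain\r\n\r\nhello\r\n--XX--\r\n")
NUL_BODY = b"From: a@example.com\r\nSubject: x\r\n\r\nhi\x00there\r\n"
UNCLOSED = (b"From: a@example.com\r\nContent-Type: multipart/mixed; boundary=\"XX\"\r\n\r\n"
            b"--XX\r\nContent-Type: application/octet-stream\r\n\r\nAAAA\r\n")
BAD_HEADER = b"From a@example.com\r\nSubject: x\r\n\r\nbody\r\n"

if __name__ == "__main__":
    for name, sample in [("GOOD", GOOD), ("NUL_BODY", NUL_BODY),
                         ("UNCLOSED", UNCLOSED), ("BAD_HEADER", BAD_HEADER)]:
        print(name, check_message(sample) or "clean")
```

Run the script directly to see each sample classified; only GOOD comes back clean, and NUL_BODY is clean again when null_detect is False, which is the trade-off the compatibility note above describes.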


Integrated Email Message Encryption Option

Integrated message encryption allows users to encrypt outbound messages directly from the WatchGuard XCS without the need for a local encryption server or additional desktop software. Messages are secured until they are delivered and decrypted by the recipient of the message.

The Encryption Option allows organizations to easily enforce company policies and compliance regulations with the secure delivery of encrypted messages without the need for the recipient to download or install any special software. The Encryption Option uses the Cisco Registered Envelope Service which creates an encrypted message for the recipient that can be read by opening an attachment that provides access to the decrypted message.

The integrated encryption engine allows the system to be configured to use the public key server for services and key-exchange related activities, or to use a local key server on the customer premises.

How message encryption works


1. When a user sends a message, the system uses pattern and content filters to determine whether an encryption policy applies to the message.

2. If a policy applies, the integrated encryption engine contacts the key server (either the public server or a local key server) to retrieve the session key for the message.

3. The message is encrypted and delivered to the recipient as an attachment.

4. The recipient opens the attachment, which takes them to the Cisco Registered Envelope Service web site to register (if this is the first encrypted message they have received) and authenticate.

5. The Registered Envelope Service web site uses the session key to let the user read the decrypted message.

6. The recipient registers only once, when the first encrypted message from an organization arrives. Subsequent messages require only the passphrase to open.


Cisco Registered Envelope Service

The Registered Envelope Service is a push service that sends secure, encrypted messages directly to a recipient's inbox. The WatchGuard XCS integrates this feature to allow messages to be encrypted on the system before being delivered to the intended recipient. The recipient does not require any additional software or configuration to decrypt and read the message. Registered Envelopes can be opened from any email platform, using any operating system and web browser.

The Registered Envelope Service architecture allows the system's integrated encryption software to perform the message encryption and message delivery functions on the customer's premises, while the hosted system provides services such as key management, user accounts, online opening, and secure reply to messages.

Messages from a customer’s organization are never viewed, hosted or stored by the Registered Envelope Service in any form.

The following features are also available when using the service:

• User Enrollment — When a recipient receives a secure message for the first time, they will be prompted to register to create an account and establish a password. The password will be used to open this message and all future encrypted messages from the same organization.

• Logging — Each Registered Envelope message is logged, and its status can be viewed by the administrator. The administrator can track the message to obtain proof that the message has been opened and read by the recipient.

• Message Locking — Encrypted messages are locked if they have not been read by the recipient before the specified expiration time. Messages can also be manually locked by the administrator to prevent certain messages from being opened and decrypted.

• Message Expiration — Encrypted messages can be set to expire after a certain date. After the message has expired, it is locked and cannot be opened by the intended recipient. This ensures that time-sensitive secure messages expire if not read within the designated expiry time.

• SecureReply — Recipients can immediately reply to encrypted messages they receive using a secure mechanism, so that the reply is protected in the same way as the original message. The recipient's reply is composed within the web-based service and encrypted before being sent back to the original sender.

Encryption configuration on the WatchGuard XCS

When message encryption is enabled globally, outgoing messages can be flagged for encryption by the system via Pattern Filters, Objectionable Content Filtering, and Content Scanning via Policies.

Messages to local mailboxes on the system are not encrypted. Mail to a local mailbox never leaves the system and does not require further protection by encryption.

To configure integrated message encryption:

1. Select Configuration > Mail > Encryption > PostX.

2. Select the PostX Encryption check box to enable encryption globally for outgoing messages.

When encryption is enabled, you must create pattern filters or use OCF/Content Scanning to identify the messages to be encrypted, and upload a token file or define a token string for use with the public key server. If encryption is disabled globally, the system itself encrypts nothing: outgoing messages that match no filter are sent in clear text, while existing encryption filters still trigger and any message they match is queued and deferred rather than delivered unencrypted. Disable or delete these filters if you are disabling the Encryption option.

3. Enter the default Key Server to be used to encrypt and decrypt messages.

You will need an account with the Cisco Registered Envelope Service and a valid token file or token string. The address of a local key server can also be specified if you are not using the public key server.

4. Enter the Secure Port used for secure communications by the public key server or a local key server.

By default, the public key server listens on port 443. A local key server listens on port 8443.

5. Enter the Unsecure Port used for unsecured communications by the public key server or a local key server.

By default, the public key server listens on port 80. A local key server listens on port 8080.

6. Enter the Token String provided with your license to identify your account when communicating with the key server.

In some cases, only a token file is required and the token string field will remain undefined. If both are configured, the token string will take priority.

7. Specify the Maximum Message Size (in bytes) that will be accepted for encryption.

Mail larger than this size that is marked for encryption will be rejected. This prevents very large messages from causing latency in the encryption engine. Valid values are between 0 and 1,000,000,000. The default is 5,000,000 bytes. Set to “0” to specify no limit.

8. Specify the maximum Number of PostX Processes available to encrypt messages.

Each encryption process can simultaneously encrypt one message. The default is 1. Encryption is a CPU-intensive process and care should be taken when increasing this value.

9. Customize the Message Header and HTML Message Header that provide the recipient with instructions on how to read the encrypted message.

If this is the first time the recipient has received an encrypted message, they will be prompted to register with the Registered Envelope Service to create an account login and password. The password will be used to open this and any future encrypted emails from the specified company.

About Token files

After an account has been established, you need to upload a token file to the WatchGuard XCS. This token file is used to identify your account when communicating with the key server. This token can be downloaded from your Cisco Registered Envelope Service web account. You must upload this token to all your WatchGuard XCS devices.

1. Log in to your Cisco Registered Envelope Service management account.

2. Select Accounts > Manage Accounts.

3. Click your account number.

4. Select Tokens.

5. For the “Default Token”, click the save icon in the Actions column to download the token file to your local computer.

Do not upload the “SecureCompose” token to the WatchGuard XCS; only the Default Token is used.

6. On the WatchGuard XCS, select Configuration > Mail > Encryption > PostX.

7. Click the Upload Token button and enter the name of the token file, or click the Browse button to find the file on your computer.

8. Click Upload.

If you are using a local key server and not the public key servers, the token file can be retrieved from the local server.

Token files are not replicated to other members of a Cluster and must be applied manually to each member.

Encryption with Pattern Filters

Administrators can create pattern filters to search for text in an outgoing message that identifies it as a message to be encrypted. For example, a filter can be created to search for the text “Encrypt” in a subject header to indicate the message should be encrypted before it is sent to its destination.

1. Select Security > Content Control > Pattern Filters.

2. Click Add.

3. Create an outbound filter that looks for the word “Encrypt” in the subject of a message.

4. Set the Action to PostX Encrypt.

Any outbound message with the word “Encrypt” in the subject will be encrypted before delivery. Because the tag is supplied by the sender, this rule only protects messages that users remember to tag; use an OCF or Content Scanning dictionary as well to catch untagged messages that contain sensitive content.

Encryption with the Objectionable Content Filter (OCF)

Administrators can use the Objectionable Content Filter to create a dictionary of words that can be checked for in a message to indicate the message should be encrypted. For example, an organization may require that any outgoing messages that contain certain confidential information, such as credit card information or medical records, should be encrypted. An OCF dictionary can be created listing the words to scan for in a message. If any of these words are found in the message, the message will be encrypted before delivery.

1. Select Security > Content Control > Objectionable Content.

2. Select Enable OCF.

3. In the Outbound OCF section, select the dictionary file that contains the list of words indicating that a message should be encrypted.

In this example, a dictionary file called “Encrypt” is selected. Dictionary files are configured via Security > Content Control > Dictionaries & Lists.

4. Set the Action to PostX Encrypt.

Any outbound message containing words from the OCF dictionary file will be encrypted before delivery.

5. Select the users to notify when a message is encrypted.


Encryption with Content Scanning

Administrators can use a compliance dictionary to scan for specific words in the attachment of an outbound message that indicate a message should be encrypted. For example, an organization may require that any outgoing message attachments that contain certain confidential information, such as credit card information or medical records, should be encrypted. A compliance dictionary can be created listing the words to scan for in the message attachment. If any of these words are found in the attachment, the message will be encrypted before delivery.

To configure Content Scanning to use encryption:

1. Make sure Content Scanning is enabled globally via Security > Content Control > Content Scanning.

2. Content scanning actions are then configured via Policies. Go to the Content Scanning section of the required policy.

3. In the Outbound Content Scanning section, select the compliance file that contains the list of words indicating that a message should be encrypted.

In this example, a compliance dictionary file called “Encrypt” is selected. Dictionary files are configured via Security > Content Control > Dictionaries & Lists.

4. Set the Action to PostX Encrypt.

Any outbound message with an attachment containing words from the compliance dictionary will be encrypted before delivery.

5. Select the users to notify when a message is encrypted.


CRES account administration

The Cisco Registered Envelope Service provides a web-based management console to allow administrators for an organization to perform the following tasks:

• Manage Accounts

• Manage Token Files

• Manage Images (message branding)

• Manage Users

• Generate message activity reports

• Manage secure messages and perform delivery and response tracking

The management console can be accessed at: https://res.cisco.com/admin/

Customers will be supplied with an administrative login user name and password.

Manage accounts

Administrators for an organization using the system’s encryption option can manage their account via a web-based administration console. This allows administrators to manage users, manage encrypted messages, perform delivery and response tracking, and generate message activity reports.

From the main home page, account information for your organization is displayed, including the organization’s current status, the number of users registered, and token file information.


Manage token files

The token file identifies this system as a unique server when communicating with the key server. Your token file must be retrieved from the Cisco Registered Envelope Service management account and uploaded to the WatchGuard XCS. See “About Token files” on page 107 for more detailed information on uploading your token file.

Managing images

Organizations can customize the logo that appears on Cisco Registered Envelope messages to reflect their own corporate branding.

Managing users

Select the Users tab to administer the organization’s users. Note that individual user accounts are not required for users in your organization to send out secure encrypted messages, but users must be enrolled to be able to decrypt and read encrypted messages or track sent messages. Additional administrative users can also be added from this menu.


Generate message activity reports

In the Reports menu, administrators can create account usage reports, including the ability to filter messages using the From or To fields, the timestamp, and status of the message.


Manage secure messages

In the Accounts > Manage Registered Envelopes menu, administrators can view the status of encrypted messages sent by their organization. Each message entry displays the following fields:

• From — Displays who sent the message.

• To — Displays the message recipients.

• Subject — The subject of the message.

• Sent — The time and date the message was sent.

• Opened — Indicates when the message was opened by the recipient. The field will be blank if the message is unread.

• Expires — Indicates when the secure message expires. If the recipient does not open the message before the expiration date, the message will be locked and further attempts to open the message will fail. Expiration dates can be modified by the administrator by selecting a message or group of messages and then clicking the Update Expiration Dates link.

• Locked — Indicates if the message is locked due to being expired or if the administrator has manually locked the message to prevent viewing. Messages can be manually locked or unlocked by the administrator or the sender by selecting a message or group of messages and then clicking the Lock/Unlock Envelopes link.

• Reason — Displays information or an error status about the message. Administrators can enter text in the Reason field if they manually lock a message.

Messages can be searched by date and by using keywords in the From , To , Subject , and Reason fields.


Read encrypted messages

When the recipient receives the encrypted message, it appears in their inbox as a notification message with an attachment called “securedoc.html”, which they are prompted to open.

If this is the first encrypted message received by the recipient, when they open the attachment they will be prompted to register with the Cisco Registered Envelope Service to create an account and establish a password.

The new account and password will be used to open this message and all other encrypted messages sent from the same organization. The recipient will then be prompted to enter the password to log in and read the message.

When successfully authenticated, the secure message is decrypted and displayed to the recipient.

Track encrypted messages

Users who have sent an encrypted message can track the status of the message using their account. After logging in, the user’s profile will appear displaying any secure messages recently sent.

• To — Displays the message recipients.

• Subject — The subject of the message.

• Sent — The time and date the message was sent.

• Opened — Indicates when the message was opened by the recipient. The field will be blank if the message is unread.

• Expires — Indicates when the secure message expires. If the recipient does not open the message before the expiration date, the message will be locked and further attempts to open the message will fail. Expiration dates can be modified by selecting a message or group of messages and then clicking the Update Expiration for Messages link.

• Locked — Indicates if the message is locked due to being expired or if the message has been manually locked by the sender or the administrator. Messages can be manually locked or unlocked by selecting a message or group of messages and then clicking the Lock/Unlock Message link.


External Email Message Encryption

The WatchGuard XCS provides integration with external encryption servers to provide email encryption and decryption functionality. Email encryption allows individual messages to be encrypted by a separate encryption server before being delivered to their destinations by the system. An incoming encrypted message can also be sent to the encryption server to be decrypted before the system accepts the message and delivers it to the intended recipient. This integration allows organizations to make sure that encrypted messages are still processed to detect security issues, as well as being scanned for content and policy rules.

Email encryption gives organizations the ability to protect the privacy and confidentiality of their messages and to comply with regulations that require certain types of data to be encrypted before being sent across the Internet. Encryption and decryption can be performed for selected email messages via filter rules on the WatchGuard XCS. A message filter can be created for specific email sending addresses, IP addresses and host names of specific SMTP servers, or for specific words located in the subject of a message such as “Encrypt”.

As mail is forwarded back and forth between the system and the Encryption server, all mail statistics will include this additional delivery and mail counts will be higher as a result.

To configure external message encryption and decryption:

1. Configure the Encryption Server to integrate with the WatchGuard XCS.

2. Create Mail Routes to the Encryption server on the WatchGuard XCS.

3. Enable Encryption and Decryption on the WatchGuard XCS.

4. Create Encryption rules on the WatchGuard XCS to identify messages to be encrypted.

The Encryption server must be on the same network as the WatchGuard XCS. Make sure they are communicating properly and can see each other on the network by using a utility such as ping.

Configure the encryption server

The existing Encryption server must be set up to relay all mail to the WatchGuard XCS. Please see the documentation provided by your Encryption server vendor. In general, outbound and inbound proxies or mail routes must be configured on the Encryption server to make sure messages are accepted from and passed back to the WatchGuard XCS after being encrypted or decrypted.


Define mail routes for encryption and decryption

Mail routes to the Encryption server must be defined for both encrypting and decrypting messages. To make sure the system knows where to route messages for encryption, create a mail route for each of the domains .encrypt_reroute and .decrypt_reroute that points to the address of the Encryption server.

1. Select Configuration > Mail > Routing.

2. Enter .encrypt_reroute as the Domain, and in the Route-to field enter the address of the Encryption server, such as 10.0.2.175.

3. Similarly, create a route with .decrypt_reroute as the Domain, and in the Route-to field enter the address of the Encryption server, such as 10.0.2.175.

The port and IP address may be different depending on the Encryption server configuration.

Enable encryption and decryption on the WatchGuard XCS

1. Select Configuration > Mail > Encryption > External.

2. Select the Active check box for encryption and for decryption, as required.

3. Select the Action to perform on a message that is to be encrypted or decrypted.

4. Select the Redirect to action to send the message to the Encryption server using the mail route named in the Action Data field.

To reroute the message to the Encryption server with the Redirect to action, the Action Data must name the appropriate mail route for encryption or decryption.

5. Enter encrypt_reroute or decrypt_reroute as the Action Data.

These mail routes must be defined in Configuration > Mail > Routing to point to the Encryption server.

6. Select optional Notifications to the Recipients, Sender, or Administrator when a message has been sent for encryption.


Define filter rules for encryption

A filter rule must be used to identify which messages are to be encrypted. For example, your organization may use a tag in the subject header such as “Encrypt” to identify an outgoing message that must be encrypted. Specific email addresses and IP addresses can also be defined to make sure certain users or servers have their email encrypted.

Encryption rules can be created using either Pattern Filters or definable dictionaries with the Objectionable Content and Content Scanning features. The latter features allow dictionaries of specific keywords and phrases to trigger the encryption rules.

The filter rule examines outbound mail messages for specific patterns and redirects matching mail for encryption. The pattern can be anything from a user’s email address to a phrase. When setting up the filter rule, the only requirement is that the filter action must be set to “Encrypt” or “Decrypt”.

To set up an encryption rule using Pattern Filters:

1. Select Security > Content Control > Pattern Filters.

2. Create a simple rule that checks all outbound mail for the word “Encrypt” in the subject, and set the action to Encrypt.

The “Encrypt” and “Decrypt” Pattern Filter actions only appear when Encryption and Decryption are enabled in Configuration > Mail > Encryption > External.

3. Create a rule that matches the Client IP field to the address of the Encryption server, such as 10.0.2.175, and set the action to Relay.

A separate filter rule must be created to allow messages arriving from the Encryption server to be relayed. This rule allows the system to accept messages back from the Encryption server after they have been encrypted and relay them to external networks. The relay rule must have a higher priority than any Encryption rule; otherwise a message returning from the Encryption server can match the Encryption rule again and be sent back for encryption. Match only the Encryption server’s own address, because this rule grants relay to whatever connects from the matched Client IP.

4. Similarly, create a Pattern Filter rule that examines incoming messages that need to be decrypted before being delivered to the recipient.
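The ordering requirement in step 3 is easy to get wrong, and the result is a delivery loop. The following Python model, added here as an example (it is not WatchGuard's filter code), evaluates an ordered list of pattern-filter rules against a message and simulates the Encryption server handing the message back with the Client IP used in the routing example above (10.0.2.175). The rule names, the message fields, and the assumption that the subject tag survives encryption are constructed for the example.

```python
"""Model of Pattern Filter ordering for external encryption; added example,
not XCS code. Rule names and message fields are assumptions."""
from typing import Callable, Dict, List, Optional, Tuple

ENCRYPTION_SERVER_IP = "10.0.2.175"     # address used in the guide's routing example
ENCRYPT_ROUTE = ".encrypt_reroute"       # mail route domain that points at that server

Message = Dict[str, str]
Rule = Tuple[str, Callable[[Message], bool], str]   # (name, match function, action)

RULES: List[Rule] = [
    # Highest priority: mail coming back from the Encryption server is relayed.
    ("relay-from-encryption-server",
     lambda m: m["client_ip"] == ENCRYPTION_SERVER_IP, "Relay"),
    # Lower priority: outbound mail tagged in the subject goes out for encryption.
    ("encrypt-tagged-outbound",
     lambda m: m["direction"] == "outbound" and "encrypt" in m["subject"].lower(),
     "Encrypt"),
]


def apply_rules(msg: Message, rules: List[Rule]) -> Tuple[Optional[str], str]:
    """First matching rule wins; return (rule name, next hop domain)."""
    for name, match, action in rules:
        if match(msg):
            next_hop = ENCRYPT_ROUTE if action == "Encrypt" else msg["recipient_domain"]
            return name, next_hop
    return None, msg["recipient_domain"]


def deliver(msg: Message, rules: List[Rule], max_hops: int = 5) -> List[str]:
    """Follow a message until it leaves for the recipient domain.  Each time it
    is redirected to the Encryption server, simulate the server returning the
    (still tagged) message with its own IP as Client IP.  Stops after max_hops
    so a mis-ordered rule set shows up as a repeated route rather than a hang."""
    hops: List[str] = []
    current = dict(msg)
    for _ in range(max_hops):
        _, hop = apply_rules(current, rules)
        hops.append(hop)
        if hop != ENCRYPT_ROUTE:
            break
        current = dict(current, client_ip=ENCRYPTION_SERVER_IP)
    return hops


SAMPLE: Message = {                      # constructed outbound message
    "client_ip": "192.0.2.10",           # an internal workstation
    "direction": "outbound",
    "subject": "Encrypt: Q3 figures",
    "recipient_domain": "partner.example",
}

if __name__ == "__main__":
    print("correct order :", deliver(SAMPLE, RULES))
    print("reversed order:", deliver(SAMPLE, list(reversed(RULES))))
```

With the relay rule first the message makes exactly one trip to the Encryption server and is then relayed to partner.example; with the rules reversed it is redirected to .encrypt_reroute on every pass, which is the loop the priority rule prevents.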


Encrypt Mail Delivery Sessions

The WatchGuard XCS offers a simple mechanism for encrypting mail delivery sessions using SSL (Secure Sockets Layer) and TLS (Transport Layer Security). A flexible policy can be implemented to allow other servers and clients to establish encrypted sessions with the system to send and receive mail.

The following types of traffic can be encrypted:

• Server to Server — Used to create an email VPN (Virtual Private Network) and protect company email over the Internet.

• Client to Server — Many email clients, such as Outlook, support TLS for sending and receiving mail. This protects messages in transit between the desktop and the server without the difficulties of implementing other encryption schemes. Note that TLS protects only the delivery session: each server along the path still holds the message in clear text, so it is not a substitute for message-level encryption where end-to-end confidentiality is required.

Encryption can be enforced between particular systems, such as setting up an email VPN between two WatchGuard XCS systems at remote sites. Encryption can also be set as optional so that users who are concerned about the confidentiality of their messages on the internal network can specify encryption in their mail client when it communicates with the WatchGuard XCS. The WatchGuard XCS uses certificates to authenticate the server and to initiate the negotiation of encryption keys. The system can generate its own site certificates, and can also import Certificate Authority (CA) signed certificates.

See “SSL Certificates” on page 121 for more information on importing certificates.


To configure mail delivery encryption:

1. Select Configuration > Mail > Encryption > TLS.

2. Select the Accept TLS check box to accept SSL/TLS for incoming mail connections.

3. Select Require TLS for SMTP AUTH if required.

This option is used to require SSL/TLS when accepting mail for authenticated relay.

4. The Enable SSL version 2 in incoming TLS connections option is enabled by default.

SSL version 2 has known protocol weaknesses and is routinely flagged by security audits; clear this check box unless an older mail system that can only negotiate SSL version 2 must still send you mail over TLS. Disabling it may prevent such older systems from sending mail using TLS.

5. Select the Log TLS info into Received header check box to log TLS information (including protocol, cipher used, client and issuer common name) into the Received: message header.

These headers may be modified by intermediate servers and only information recorded at the final destination is reliable.

6. In the Default TLS Policy section, select the Offer TLS check box to offer remote mail servers the option of using SSL/TLS when sending mail.

7. Select the Enforce TLS check box to require the validation of a CA-signed certificate when delivering mail to a remote mail server. If the certificate validation fails, the mail delivery connection will fail.


Specific site policy

The Specific Site Policy option supports the specification of exceptions to the default settings for TLS/SSL.

For example, you may need to exempt a mail server from TLS/SSL because it does not support TLS.

When enabling TLS, create policies to improve performance for internal hosts that do not need to send or receive via TLS.

To exempt a system:

1. In the Add/Update Site field, specify the IP Address or FQDN (Fully Qualified Domain Name) of the remote mail server.

2. Select Don’t Use TLS in the drop-down box.

TLS options include the following:

• Don’t Use TLS — TLS mail delivery is never used with the specified system.

• May Use TLS — Use TLS if the specified system supports it. Delivery does not depend on certificate validation, so this protects against passive interception only.

• Enforce TLS — Deliver to the specified system only if a TLS connection with a valid CA-signed certificate whose name matches the specified system can be established.

• Loose TLS — Similar to Enforce TLS but accepts a mismatch between the specified server name and the Common Name in the certificate. A CA-signed certificate is still required, but the name check no longer proves that the server is the one you intended, so use this only for a known peer whose certificate name cannot be corrected.

3. Click the Update button.

The exempted mail server will be listed under the Specific Site Policy.
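As an added example (not WatchGuard's implementation), the following Python code resolves which of the four policies applies to a destination, site exception first and default second, and then decides whether delivery may proceed given what the remote server presented. It treats the Default TLS Policy check boxes as one of the same four values (Offer TLS cleared is Don't Use TLS, Offer TLS set is May Use TLS, Enforce TLS set is Enforce TLS). The remote certificate is reduced to two facts, whether the chain verified to a trusted CA and which names it carries; the site names and policy table are constructed.

```python
"""TLS delivery policy resolution modelled on the guide's four site policies;
added example, not XCS code. Certificates are simplified to (CA-valid?, names)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DONT_USE, MAY_USE, ENFORCE, LOOSE = "Don't Use TLS", "May Use TLS", "Enforce TLS", "Loose TLS"


@dataclass
class PeerTLS:
    """What the remote SMTP server presented after STARTTLS."""
    ca_valid: bool                                   # chain verifies to a trusted CA
    names: List[str] = field(default_factory=list)   # subject CN plus any subjectAltNames


def resolve_policy(site: str, default: str, site_policies: Dict[str, str]) -> str:
    """A Specific Site Policy entry (IP address or FQDN) overrides the default."""
    return site_policies.get(site.lower(), default)


def name_matches(expected: str, names: List[str]) -> bool:
    """Exact match, or a single-label wildcard such as *.example.com."""
    expected = expected.lower()
    for n in names:
        n = n.lower()
        if n == expected:
            return True
        if (n.startswith("*.") and expected.endswith(n[1:])
                and expected.count(".") == n.count(".")):
            return True
    return False


def decide_delivery(site: str, policy: str, peer: Optional[PeerTLS]) -> str:
    """Return 'plaintext', 'tls' or 'fail'.  peer is None when the remote
    server does not offer STARTTLS.  'fail' means the connection is not used
    and the message stays queued, as the guide describes for Enforce TLS."""
    if policy == DONT_USE:
        return "plaintext"
    if policy == MAY_USE:
        # Opportunistic: encrypt if offered, with no certificate verification,
        # so this protects against passive capture only.
        return "tls" if peer else "plaintext"
    # Enforce TLS and Loose TLS both require TLS and a CA-signed chain.
    if peer is None or not peer.ca_valid:
        return "fail"
    # Only Enforce TLS also requires the certificate name to match the site.
    if policy == ENFORCE and not name_matches(site, peer.names):
        return "fail"
    return "tls"


# Constructed policy table: default is opportunistic, three exceptions.
SITE_POLICIES: Dict[str, str] = {
    "legacy.partner.example": DONT_USE,   # no TLS support at all
    "mail.bank.example": ENFORCE,         # must present a valid, matching cert
    "mx.vendor.example": LOOSE,           # valid chain, but name is known to mismatch
}
DEFAULT_POLICY = MAY_USE

if __name__ == "__main__":
    peer = PeerTLS(ca_valid=True, names=["*.bank.example"])
    for site in ("mail.bank.example", "legacy.partner.example", "other.example"):
        pol = resolve_policy(site, DEFAULT_POLICY, SITE_POLICIES)
        print(site, pol, decide_delivery(site, pol, peer))
```

The two "fail" branches make the difference between Enforce TLS and Loose TLS explicit: a self-signed certificate fails under both, while a name mismatch fails only under Enforce TLS.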

TLS and message history

The Message History log can be filtered for SSL/TLS messages via the Activity > History > Message History > Advanced search menu.


SSL Certificates

A valid SSL certificate is required to support the encryption services available on the WatchGuard XCS. The SSL encrypted channel from the server to the web browser (such as when using a URL that begins with HTTPS), requires a valid digital certificate. You can use self-signed certificates generated by the system, or import certificates purchased from commercial vendors such as VeriSign.

A certificate binds a host name, such as server.example.com, to a public key by means of the cryptographic signature of a trusted party, the Certificate Authority; the matching private key stays on the server and is never sent to clients.

The web browser can warn you of invalid certificates that undermine secure, encrypted communications with a server.

The disadvantage of self-signed certificates is that web browsers will display warnings that the “company” (in this case, the WatchGuard XCS) issuing the certificate is untrusted. When you purchase a commercial certificate, the browser will recognize the company that signed the certificate and will not generate these warning messages.

The site certificate contains one host name, such as server.example.com, and the system serves a single certificate per IP address. A web browser may therefore display a warning when it connects to the server under a name that differs from the one in the certificate. Digital certificates expire after a fixed period and must be renewed before the expiration date; an expired certificate fails validation in the same way as an untrusted one.

Install a commercial certificate as follows:

1. Select Administration > System > SSL Certificates.

2. Click Generate a 'self-signed' certificate.

3. Enter the required information for your environment in the form.

4. Click Apply to reboot the system and install the new certificate.

After the reboot, the current certificate and the certificate request signed by the on-board Certificate Authority will be displayed. To obtain a commercial certificate, send this certificate request to the commercial Certificate Authority (CA) of your choice (such as VeriSign or Entrust) for signing.

Make sure that the certificate is an Apache type of certificate for a mail server.


5. When the certificate is received from the CA, click the Load site certificate button.


6. Enter the PEM encoded certificate information from the signed SSL certificate returned by the CA by copying and pasting the appropriate text into the specified field.

7. Select the Use this Private Key for SSL Certificate check box to use the supplied private key.

8. Copy and paste the PEM encoded private key into the required field.

Do not enable this option and leave the field blank if the certificate was generated by a request from this system.

Generating a new self-signed certificate after you have installed a commercial certificate will overwrite the private key associated with the installed commercial certificate, making it invalid.

9. Some commercial certificates require you to upload an intermediate certificate in addition to the commercial certificate and the private key. Enter this information in the Intermediate Certificate section.

Content Control

Attachment Control

Attachment filtering can be used to control a wide range of problems originating from both inbound and outbound attachments in email messages and web requests, including the following:

• Viruses and Spyware — Attachments and downloads carrying viruses, spyware, and other types of malware can be blocked.

• Offensive Content — Image attachments and downloads can be blocked, which reduces the possibility that an offensive picture is transmitted to or from your company messaging and web systems.

• Confidentiality — Prevents unauthorized documents from being transmitted through the system.

• Loss of Productivity — Prevents your systems from being abused by employees.

In policies, email and web actions can be set for both inbound and outbound Attachment Control. In addition, administrators can configure separate types of Attachment Control file and MIME type lists for email and web traffic.

Attachment stripping

The Attachment Control feature provides the ability to identify and remove attachments from inbound and outbound mail messages. Administrators can configure a list of specific attachment extensions or MIME types that should be stripped from a message before it is delivered. A configurable notification text attachment will replace the attachment that was removed to indicate to the user that the attachment was stripped and specify the reason why it was removed.

Attachment Stripping is a global feature and cannot be configured on a per-policy basis.

The WatchGuard XCS will determine the file extension and MIME-type for each MIME part in a message. If the file extension or MIME type exists in the Attachment Stripping global list configured by the administrator, that specific file or MIME part will be stripped from the message and discarded before it is delivered to the recipient. The attachment cannot be retrieved after it has been stripped from a message. The WatchGuard XCS will also examine MIME parts contained in archive file types such as .zip. If a file to be stripped is found in an archive file, the entire archive file will be stripped.

Kaspersky Anti-Virus must be enabled to allow archive files to be expanded and examined for attachments.

Attachment stripping actions are performed in addition to any other scanning actions on a message, such as Anti-Spam or content controls. A message may still be rejected or quarantined by other message scanners after the attachment is stripped. Any message encryption is performed after the attachments have been stripped.

Attachment stripping and DomainKeys signatures

Attachment stripping is performed after the DomainKeys signature verification of inbound messages. The WatchGuard XCS verifies the signature on the message as it was received, but because stripping modifies the message body, the signature will no longer verify for the final recipient or for any further hop.

Configuring attachment control

To configure Attachment Control:

1. Select Security > Content Control > Attachment Control .


2. Select the Default Action (“Pass” or “BLOCK”) for attachment control for items not specifically listed in the Attachment Types list or attachments that cannot be identified.

The default is “Pass”, which allows all attachments. Any file types defined in the Attachment Types list will override the default setting. The “Strip” action cannot be set as the default action, and can only be set within the Attachment Types list for mail messages.

When using Attachment Control with Web content, setting a “Reject” HTTP action for blocked image types and other web file types will effectively stop many web sites from working properly as files required for viewing of the web site will be blocked.

3. Select the Attachment Control check box.

This option can be set for both inbound and outbound messages.

4. Click Edit to configure the action for Email Attachment Types .

5. Click Edit to configure the action for each Web Content Type .

The Web Proxy uses the HTTP Content-Type header to determine the MIME type of the file, so file extensions should not be entered for web content types.

6. Select an Action to perform if attachment control blocks an email attachment.

• Just log — Log the event and take no further action.

• Reject mail — The message is rejected and a notification is sent to the sending system.

• Quarantine mail — The message is placed into the administrative quarantine area. This is the default action.

• Discard mail — The message is discarded without sending a notification to the sending system.

7. Enable and customize Notifications for inbound and outbound messages.

Notifications will not be sent for "Just Log" actions.

8. Customize the Stripped Attachment Text that will replace stripped attachments.

This text can be customized for both inbound and outbound messages. The replacement text attachment uses the content type of “text/plain” and uses the character set US-ASCII.

Attachment Control actions for HTTP content must be set in a policy. Email attachment control actions can be set both globally and within a policy.

Editing attachment types

To edit attachment types:

1. Click the Edit button to edit your attachment types for email or web content.

You can add file extensions for email messages (such as .mp3), or MIME content types for both email and web content (such as image/png).


2. For each attachment type, choose whether you want to Pass , Strip (for mail messages only), or BLOCK the attachment.

For attachments with no extension specified, there is a file type called [no extension] that is set to a default of Pass .

3. Select the Scan check box to perform content scanning for attachments with the specified extension.

4. Click Add Extension.

• Extension — Enter a specific attachment type extension or MIME type, such as .mp3 or image/png. HTTP web content can only be detected based on MIME types.

• Scan — Select the Scan check box to enable scanning for the selected extension or MIME type. The system can scan files within an archive file (such as .zip) for forbidden attachments. If an archive file contains a file type that is blocked, the archive file will be blocked, even if the archive type itself is set to Pass. Disable the Scan option if you do not want to scan the content of the specific archive file type.

Anti-Virus scanning must be enabled to allow archive files to be decompressed and checked for forbidden attachments.

Attachment size limits

The Attachment Control feature can filter inbound and outbound mail messages based on the size of their attachments. Administrators can set a size limit threshold that will trigger an action if it is exceeded. If there is more than one attachment to the message, the attachment sizes are added together. Attachment size limits can be set globally and via policies.

Attachment size limits are checked before any other attachment control function, and size limit actions take precedence over attachment control actions.

To configure attachment size limits:

1. Select Security > Content Control > Attachment Control.

2. Select the Attachment Size Limit check box.

3. Enter the attachment size Limit (in bytes).

Attachments greater than this threshold will trigger the Email Action defined in the next step. The default is 10240000 bytes. Set to 0 to indicate no limit.

The Maximum Message Size configured in Configuration > Mail > Access is also set to 10240000 bytes by default. Because attachments are Base64 encoded in transit, which expands them by about a third, a message whose attachments are close to the attachment size limit will exceed a Maximum Message Size of the same value. Set the Maximum Message Size to at least 1.5 times the Attachment Size Limit so that large attachments that pass the attachment check are not rejected for message size.

4. Select an Email Action to perform on an email message when the attachment size threshold limit has been exceeded.

• Just log — Log the event and take no further action.

• Reject mail — The message is rejected and a notification is sent to the sending system.

• Quarantine mail — The message is placed into the administrative quarantine area.

• Discard mail — The message is discarded without sending a notification to the sending system.

5. Enable and customize Notifications for inbound and outbound messages.

Notifications will not be sent for “Just Log” actions.
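The following Python script is an added example, not code from the guide or from WatchGuard, that models the Attachment Control and Attachment Size Limit behaviour described above over a real MIME message: the size limit is checked first and takes precedence, a BLOCK type anywhere blocks the whole message, Strip types are replaced with a text/plain US-ASCII notice attachment, and a scannable .zip inherits the strictest action of its members. The file-type table, size limit, notice text and sample message are constructed for the example; the XCS's own defaults and internal logic are not reproduced, and only one level of archive nesting is inspected.

```python
import io
import os
import zipfile
from email.message import EmailMessage

# Constructed Attachment Control settings for this example (not XCS defaults).
DEFAULT_ACTION = "Pass"                      # unlisted and unidentifiable types
ATTACHMENT_TYPES = {                         # extension or MIME type -> Pass / Strip / BLOCK
    ".exe": "Strip", ".mp3": "BLOCK", ".zip": "Pass",
    "image/png": "Pass", "[no extension]": "Pass",
}
SCAN_ARCHIVES = {".zip"}                     # archive types expanded and checked (Scan option)
SIZE_LIMIT = 10240000                        # bytes; 0 means no limit
STRIPPED_TEXT = "Attachment {name} removed: {reason}."
RANK = {"Pass": 0, "Strip": 1, "BLOCK": 2}  # the stricter action wins


def extension_of(name):
    """Type-table key for a file name: its extension, or "[no extension]"."""
    return os.path.splitext(name or "")[1].lower() or "[no extension]"


def archive_verdict(payload):
    """Strictest action among the members of a zip (one level deep).
    An archive that cannot be expanded is unidentified, so the default applies."""
    try:
        names = zipfile.ZipFile(io.BytesIO(payload)).namelist()
    except zipfile.BadZipFile:
        return DEFAULT_ACTION
    verdict = "Pass"
    for name in names:
        verdict = max(verdict, ATTACHMENT_TYPES.get(extension_of(name), DEFAULT_ACTION), key=RANK.get)
    return verdict


def classify_part(part):
    """Action for one attachment: extension first, then MIME type, then the default.
    A Strip or BLOCK member escalates the action for a scannable archive as a whole."""
    ext = extension_of(part.get_filename())
    action = ATTACHMENT_TYPES.get(ext)
    if action is None:
        action = ATTACHMENT_TYPES.get(part.get_content_type().lower(), DEFAULT_ACTION)
    if ext in SCAN_ARCHIVES:
        action = max(action, archive_verdict(part.get_payload(decode=True)), key=RANK.get)
    return action


def stripped_notice(name, reason):
    """The text/plain, US-ASCII replacement attachment the guide describes."""
    notice = EmailMessage()
    notice.set_content(STRIPPED_TEXT.format(name=name, reason=reason), charset="us-ascii",
                       disposition="attachment", filename=name + ".txt")
    return notice


def replace_part(msg, part, replacement):
    """Swap one MIME leaf for another inside its enclosing multipart."""
    for parent in msg.walk():
        if parent.is_multipart():
            children = parent.get_payload()
            for i, child in enumerate(children):
                if child is part:
                    children[i] = replacement
                    return


def apply_attachment_control(msg, size_limit=SIZE_LIMIT):
    """Return (verdict, detail), stripping parts in place when the verdict is Pass.
    Order follows the guide: size limit first, then BLOCK for the whole message, then Strip."""
    attachments = [p for p in msg.walk() if not p.is_multipart() and p.get_filename()]
    # Decoded sizes. Base64 adds about a third on the wire, which is why the guide
    # wants Maximum Message Size at least 1.5x the attachment limit.
    total = sum(len(p.get_payload(decode=True)) for p in attachments)
    if size_limit and total > size_limit:
        return ("Size limit", total)
    decisions = [(p, classify_part(p)) for p in attachments]
    blocked = [p.get_filename() for p, a in decisions if a == "BLOCK"]
    if blocked:
        return ("BLOCK", blocked)
    stripped = []
    for part, action in decisions:
        if action == "Strip":
            replace_part(msg, part, stripped_notice(part.get_filename(), "forbidden attachment type"))
            stripped.append(part.get_filename())
    return ("Pass", stripped)


def build_sample_message():
    """Constructed sample: a PDF, an EXE, a PNG and a zip that hides an EXE."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("readme.txt", "run patch.exe")
        zf.writestr("tools/patch.exe", "MZ" + "\0" * 30)
    msg = EmailMessage()
    msg["From"], msg["To"] = "[email protected]", "[email protected]"
    msg["Subject"] = "Quarterly figures"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 report", maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ" + b"\0" * 30, maintype="application", subtype="octet-stream", filename="setup.exe")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n", maintype="image", subtype="png", filename="logo.png")
    msg.add_attachment(archive.getvalue(), maintype="application", subtype="zip", filename="tools.zip")
    return msg


if __name__ == "__main__":
    message = build_sample_message()
    print(apply_attachment_control(message))    # ('Pass', ['setup.exe', 'tools.zip'])
    print([p.get_filename() for p in message.walk() if p.get_filename()])
```

Running the script strips setup.exe and the whole tools.zip (because of the .exe inside it), leaving the PDF and PNG untouched; adding an .mp3 attachment to the same message returns BLOCK for the entire message instead, and lowering size_limit shows the size check firing before any type is examined. In production the replacement notice should name the policy contact rather than the reason alone, so users know whom to ask for a legitimately needed file.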

Attachment size reports

The Per-User Attachment Report provides a summary of the size, file extension, and detected MIME type of all sent and received attachments. This report includes the total number of attachments and the total size of the attachments in kilobytes. The statistics are organized by domain and by per user.


Content Scanning

Content Scanning is a feature that performs deep scanning of attachments in email messages and web requests, such as PDF and Microsoft document files, for patterns of text and phrases. This allows organizations to use filter rules and policy settings to scan attachments for specific content that could be considered offensive, private and confidential, or against existing compliance rules.

There are two content scanning methods for message attachments:

• A Pattern Filter is used to search for text and phrases in a document. If there is a match, the configured action is performed.

• The extracted message text is searched for words and phrases in the Content Scanning dictionary files selected in a policy. If there is a match, the configured action is performed.

Unopenable attachments

The following cases of unopenable documents will result in an attachment being flagged as a compliance violation if the Treat unopenable documents as violations setting is enabled:

• Files that are larger than 1 GB

• File types that are not recognized by the scanner

• Files that take longer than one minute to scan

• Malformed or virus-infected attachments

Configuring content scanning

To configure Content Scanning:

1. Select Security > Content Control > Content Scanning.

2. Select the Enable check box.

3. Select the Treat unopenable documents as violations check box to treat unopenable documents as though they were not compliant.

Password-protected or encrypted attachments cannot be opened by the scanner, so any compliance-violating text inside them goes unchecked. Enable this option if such attachments should be treated as violations rather than allowed through.

4. Specify the Phrase Length used for pattern-matching checks.

This number of words will be passed to the scanning engine to check if it matches any phrases in your compliance file.

Long phrases will result in greater processing times. It is recommended that phrases be four words or less. The phrase length of the compliance dictionary selected for Content Scanning should not be greater than the phrase length selected in this field. A phrase length of four must be used with the default Financial and Medical dictionaries and Credit Card pattern filters.

5. Select the File Types to be scanned.

• All Supported Formats — Scans all file formats supported by the content scanner.

• Common Document Formats — Scans only common word processing, spreadsheet, database, presentation, text, and archive formats.

• Standard Document Formats — Scans the common document formats (word processing, spreadsheet, database, presentation, text, and archive files) plus less common formats, such as graphics and desktop publishing formats.

6. Select the type of Punctuation Treatment.

• Significant — The punctuation is considered part of the word or phrase it appears in.

• Treat as space — The punctuation is treated as a space. For example, the phrase “This, is classified” is treated as “This is classified”. This is the default setting.

• Ignore — The punctuation is completely ignored.

7. Select how the scanning engine will treat Case Sensitivity.

If Sensitive is chosen, capitalization of letters is taken into account. For example, the word “Classified” must appear in the phrase compliance file with the first letter capitalized to match “Classified” in a message.

8. Enable and customize Notifications for inbound and outbound messages.

Notifications will not be sent for “Just Log” actions.

Using pattern filters for content scanning

One of the methods that can be used to search for compliance text within a file is to create a Pattern Filter.

To create a pattern filter:

1. Select Security > Content Control > Pattern Filters .

2. Click Add .

3. In the Apply To field, select whether you want to check Inbound , Outbound , or All Mail .

4. In the Message Part field, select Content Scanning .

Content Scanning will scan the entire email message, including the header, body and any attachment for matching content.

5. In the Pattern field, enter a pattern to match against.

6. Select the Action to perform on a message that contains the pattern text, such as Reject .

7. Click Apply to add the filter.

Using a policy compliance dictionary for content scanning

Content scanning can also be performed via policies when compliance dictionaries are uploaded and enabled. The compliance dictionaries will contain a list of words and phrases that will be checked against text in scanned attachment files and web uploads and downloads.

A weighted threshold can be set for weighted compliance dictionaries. For example, the system can encrypt an outbound message when the phrase “patient number” and the term “diagnosis” are detected in the same message content. In the weighted dictionary, these terms can each be configured with a weight of 50. If the weighted threshold for the compliance dictionary is set to 100, these two terms, or any combination of terms whose weights total 100 or more, will cause the message to be encrypted. In the specified Content Control policy, select the dictionaries to use with the policy. If required, select a weighted threshold between 1 and 9999.

Select the corresponding action to perform for Email and HTTP traffic, such as Reject , and select the notifications for the sender, recipient, and administrator.

Custom dictionary files are uploaded via Security > Content Control > Dictionaries & Lists .

The phrase length of the compliance dictionary selected for Content Scanning should not be greater than the phrase length selected in the Content Scanning configuration.

See “Dictionaries and Lists” on page 155 for more detailed information on uploading custom dictionary files.


Objectionable Content Filter

The Objectionable Content Filter (OCF) defines a list of key words that will cause a message to be blocked if any of those words appear in the message. The Objectionable Content Filter provides enhanced content filtering functionality and flexibility, allowing users to restrict content of any form including objectionable words or phrases and offensive content.

The predefined lists provided are configurable and can be updated and customized to meet the specific needs of any organization. Rules can be applied to both inbound and outbound email messages and web uploads and downloads. This prevents unwanted content from entering an organization and prohibits the release of sensitive content outside an organization. OCF can recognize words that a message disguises with certain techniques. For example, OCF will detect the word “spam” even if it is written as “sp@m” or “s_p_a_m”, using the advanced token recognition component of the Token Analysis feature.

OCF has a maximum of 35 characters for a word. OCF does not detect plurals of words; both plural and singular word forms need to be defined in the dictionaries.

To configure OCF:

1. Select Security > Content Control > Objectionable Content .

2. Select the Enable OCF check box.

3. Set the type of Logging to perform for OCF processing.

• No Logging — No OCF logging will be performed.

• First match only — Log the first word that was matched by the filter.

• All matches — Log all words that were matched by the filter.

4. Set the Action for both inbound and outbound messages.

• Just log — Log the event and take no further action.

• Reject mail — The message is rejected and a notification is sent to the sending system.

• Quarantine mail — The message is placed into the administrative quarantine area.

• Discard mail — The message is discarded without sending a notification to the sending system.

• Encrypt — Redirects the message to a defined encryption server.

• Decrypt — Redirects the message to a defined decryption server.

• Archive — Redirects the message to a defined archive server.

• PostX Encrypt — Encrypts the message using integrated message encryption.

5. If the dictionary is a weighted dictionary, set the Weighted Threshold for OCF to consider a message as containing objectionable content. This value must be an integer between 1 and 9999. The default is 100.

If the aggregate weight of the OCF words found in a message matches or exceeds this threshold, OCF will perform the configured action. If both weighted and unweighted dictionaries are used, the final action will be triggered if the sum of the weights exceeds the configured weighted threshold, or if a match occurs in an unweighted dictionary.

6. Select the OCF Dictionaries to use with inbound and outbound OCF.

The dictionaries available are listed in the Available Dictionaries section. Use the arrow buttons to move the dictionaries to the Dictionaries in Use section as required. The default OCF dictionaries consist of a “Short”, “Medium”, and “Long” list of common objectionable words and phrases.

Organizations can create their own OCF dictionary files via the Security > Content Control > Dictionaries & Lists feature.

The OCF dictionaries contain content that is of a vulgar nature. The pre-defined dictionaries should be viewed with caution as they contain words and phrases that may be offensive. All dictionaries should be reviewed and modified as required before enabling them for use with OCF.

7. Enable and customize Notifications for inbound and outbound messages.

Notifications will not be sent for “Just Log” actions.
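The Python script below is an added example, not code from the guide or from WatchGuard, that models the dictionary matching described in both the Content Scanning section (phrase length, punctuation treatment, case sensitivity, weighted dictionary thresholds) and the OCF section (weighted and unweighted dictionaries, and words disguised as “sp@m” or “s_p_a_m”). The tokenizer, the disguise normalization and the dictionaries are constructed for the example and are not the XCS token recognition or its shipped Financial, Medical or OCF lists; it also assumes that each distinct phrase counts once per message and that a weight total equal to the threshold triggers the action, as the guide's own example implies.

```python
import re
from dataclasses import dataclass, field

PUNCT_RE = re.compile(r"[^\w\s]")                                  # anything but word chars and spaces
SEPARATOR_RE = re.compile(r"(?<=[A-Za-z])[_.\-*]+(?=[A-Za-z])")    # separators between single letters
LEET = str.maketrans("@$0317", "asoeit")                           # common character substitutions


@dataclass
class Dictionary:
    name: str
    entries: dict          # phrase -> weight (weight is ignored when weighted=False)
    weighted: bool = True


@dataclass
class ScanResult:
    matches: list = field(default_factory=list)   # (dictionary, phrase, weight or None)
    weight: int = 0                               # aggregate weight of weighted matches
    unweighted_hit: bool = False
    skipped: list = field(default_factory=list)   # entries longer than the phrase length
    triggered: bool = False


def deobfuscate(token):
    """Undo disguises such as 'sp@m' or 's_p_a_m' (an illustration, not the XCS algorithm).
    A substitution is kept only when the result is purely alphabetic, so tokens such as
    'covid19' or an e-mail address are left alone."""
    if not any(c.isalpha() for c in token):
        return token
    candidate = SEPARATOR_RE.sub("", token.translate(LEET))
    return candidate if candidate.isalpha() else token


def tokenize(text, punctuation="Treat as space", case_sensitive=False, ocf_tokens=False):
    """Split text into words under the guide's Punctuation Treatment and Case Sensitivity options."""
    if ocf_tokens:
        text = " ".join(deobfuscate(t) for t in text.split())
    if punctuation == "Treat as space":
        text = PUNCT_RE.sub(" ", text)
    elif punctuation == "Ignore":
        text = PUNCT_RE.sub("", text)
    elif punctuation != "Significant":
        raise ValueError("unknown punctuation treatment: %r" % punctuation)
    if not case_sensitive:
        text = text.lower()
    return text.split()


def ngrams(tokens, max_len):
    """Every run of 1..max_len consecutive tokens: the phrases the engine can see."""
    for n in range(1, max_len + 1):
        for i in range(len(tokens) - n + 1):
            yield " ".join(tokens[i:i + n])


def scan(text, dictionaries, phrase_length=4, threshold=100, **opts):
    """Match dictionaries against text; trigger on an unweighted hit or weight >= threshold.
    Entries longer than phrase_length can never match and are reported in `skipped`."""
    seen = set(ngrams(tokenize(text, **opts), phrase_length))
    result = ScanResult()
    for d in dictionaries:
        for phrase, weight in d.entries.items():
            key = " ".join(tokenize(phrase, **opts))
            if len(key.split()) > phrase_length:
                result.skipped.append((d.name, phrase))
            elif key in seen:
                if d.weighted:
                    result.matches.append((d.name, phrase, weight))
                    result.weight += weight
                else:
                    result.matches.append((d.name, phrase, None))
                    result.unweighted_hit = True
    result.triggered = result.unweighted_hit or result.weight >= threshold
    return result


# Constructed dictionaries for the example (the XCS ships its own lists).
MEDICAL = Dictionary("medical", {"patient number": 50, "diagnosis": 50,
                                 "protected health information": 40})
OCF_SHORT = Dictionary("ocf-short", {"spam": 0}, weighted=False)

if __name__ == "__main__":
    r = scan("Re: Patient number 4471, diagnosis attached.", [MEDICAL])
    print(r.triggered, r.weight)                    # True 100
    r = scan("Please buy our s_p_a_m today", [OCF_SHORT], ocf_tokens=True)
    print(r.triggered, r.matches)                   # True [('ocf-short', 'spam', None)]
```

The `skipped` list is the check a practitioner wants before enabling a dictionary: any entry with more words than the configured Phrase Length is silently unmatchable, which is the situation the guide warns about. Running the medical sample with `phrase_length=2` reports “protected health information” as skipped; running the OCF sample without `ocf_tokens=True` shows that plain tokenizing never sees “spam” in “s_p_a_m” or “sp@m”.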


Document Fingerprinting

The Document Fingerprinting feature scans outbound email messages and their attachments, and allows or blocks the messages as required by comparing them to an uploaded training set of allowed and forbidden documents.

Document Fingerprinting extracts text from common office document formats, such as plain text, HTML, PDF, and Microsoft Office (Word, Excel, PowerPoint). This text is compared to the existing document training set uploaded by the administrator. The system assigns a score (between 0 and 100) to the outgoing message indicating which category it belongs to. A score closer to 0 indicates the allowed category. A score closer to 100 indicates the forbidden category.

Content Scanning must be enabled to scan common office document file types such as Microsoft Office and PDF formats with Document Fingerprinting.

If the Document Fingerprinting score equals or exceeds the configured threshold, the document is classified as forbidden and the specified action is performed on the message. For example, if the administrator sets the threshold to 90, any scanned message with a Document Fingerprinting score of 90 or greater is considered forbidden and the configured action is performed on the message.

Uploading training documents

Before enabling Document Fingerprinting, you must upload at least one allowed and one forbidden document for training purposes. Documents can be uploaded one at a time, or an archive file (of .zip or .gzip format) containing several documents can be uploaded for each category.

The system assumes that all data in plain text and HTML message parts belongs to the ISO-8859-1 character set. Text extracted from other types of documents, such as Microsoft Office files, is converted to the ISO-8859-1 character set. Any character that does not exist in ISO-8859-1 is converted to the “*” character.

Training documents can only be uploaded on a global basis, and different training sets cannot be uploaded within policies.

To upload training documents:

1. Select Security > Content Control > Dictionaries and Lists .


2. Click the Add button.

3. Click Browse and select the file to be uploaded.

4. Specify the correct Character Set for the content.

Choose the BINARY character set if uploading a Microsoft Office, PDF file, or .zip archive of documents.

5. Select dfp as the Type .

6. Select Security > Content Control > Document Fingerprinting .

7. In the Training Set section, click Add Document Fingerprinting File .

8. From the drop-down list, select the existing document file.

9. Specify if this file is Allowed or Forbidden .

10. Click the Add button.


Configuring Document Fingerprinting

To configure Document Fingerprinting

1. Select Security > Content Control > Document Fingerprinting .


2. Select the Enable Document Fingerprinting check box.

Document Fingerprinting cannot be enabled unless at least one allowed file and one forbidden file is uploaded for training.

3. Enter a Document Fingerprinting Threshold between 0 and 100.

Scores closer to 0 indicate the allowed category. Scores closer to 100 indicate the forbidden category.

The default threshold is 90. Any scanned message with a score of 90 or greater will trigger the specified action.

4. Select an Email Action to perform on the message when the Document Fingerprinting threshold is exceeded.

• Just log — Log the event and take no further action.

• Reject mail — The message is rejected and a notification is sent to the sending system.

• Quarantine mail — The message is placed into the administrative quarantine area.

• Discard mail — The message is discarded without sending a notification to the sending system.

• BCC — A Blind Carbon Copy of the message is sent to the specified email address.

• Encrypt — Redirects the message to an encryption server.

• Decrypt — Redirects the message to a decryption server.

• Archive — Redirects the message to an archive server. Archive priority can be set to Low, Medium, or High.

• PostX Encrypt — Encrypts the message using the integrated message encryption feature.

5. Enable and customize Email Notifications as required.

6. Select the Enable Diagnostic Headers check box to include Document Fingerprinting diagnostic headers in the message header. This is helpful when troubleshooting message delivery issues.

This information includes the Document Fingerprinting score and highest and lowest-metric tokens.

7. Click Apply .


Document Fingerprinting and policies

Document Fingerprinting can be configured using the WatchGuard XCS policy features. Document Fingerprinting must be enabled globally to use this feature in a policy.

Document Fingerprinting cannot be configured via policies using Delegated Domain Administration. Document training can only be provided on a global basis, and per-policy training is not possible.

To use Document Fingerprinting in policies:

1. Make sure the Document Fingerprinting feature is enabled globally via Security > Content Control > Document Fingerprinting.

2. Select Security > Policies .

3. Select the specific policy to configure.

4. Select the Content Control section.

5. Enable or disable the feature for this policy.

6. Define a Document Fingerprinting Threshold, or leave it as Undefined to use the Global or Default Policy setting.

7. Select the Email Action for this specific policy.

Reports

Statistics on Document Fingerprinting processing can be found in the following reports:

E-mail Executive Summary Report

Messages that are acted upon by Document Fingerprinting are counted in the Content Filters category.

E-mail Analysis Report

Messages that are acted upon by Document Fingerprinting are counted in the Document Fingerprinting and Content Filters categories.

Outbound Content Control Report

Messages that are acted upon by Document Fingerprinting are counted in the Content Filters category.

Dashboard Mail Summary

Messages that are acted upon by Document Fingerprinting are counted in the Content Control category in the Dashboard Mail Summary.

Message history

In the advanced Message History search for email, you can choose Document Fingerprinting in the only show messages where field. This displays all messages that were acted upon by the Document Fingerprinting feature.

Pattern Filters

Pattern Filters are the primary tool for creating filter rules on the WatchGuard XCS. Pattern Filters are used for:

• Trusting and blocking messages containing certain text or characteristics

• Creating content filter rules for managing email messages

An administrator can create filter rules for any aspect of an email message, including the message header, sender, recipient, subject, attachment content, and message body text. For example, administrators can create a simple text filter that checks messages for the word “spam” in the subject. Such a rule is useful for catching mail that the other spam filters miss.

Use Specific Access Patterns rather than Pattern Filters to trust specific servers, because a trusting Pattern Filter may bypass or interfere with content filters such as Content Scanning and OCF that occur later in the processing order.

Email message structure

The following describes the parts of a typical mail message, using an example message that arrived at server.example.com from mail.example.com.

Message envelope

The information in the message envelope (HELO, MAIL FROM, and RCPT TO) are parameters not visible to the user. They are the handshake part of the SMTP protocol. You will need to look for these in the log files or have other knowledge of them.

Message header

The message header includes the following fields:

Received from

Indicates the final path that the message followed to get to its destination. It arrived from mail.example.com, which delivered it to server.example.com to be put in the mailbox of [email protected].

Received by

This indicates a previous hop that the message followed. In this case, the message came via mail.example.com which accepted the message addressed to [email protected].

Delivered-To

The user to be delivered to, in this case [email protected].

Received from

This marks the origin of the message. Note that it is not necessarily the same as the actual system that originated the message.

Subject

This is a free form field and is displayed by a typical mail client.

To

This is a free form field and is displayed by a typical mail client. It may be different from the destination address in the Received headers or from the actual recipient.

From

This is a free form field and is displayed by a typical mail client. It may be different from the envelope sender (MAIL FROM) that was used to deliver the message, and it is typically faked by spammers.

Message-ID

This is added by the mail server and is often faked by spammers.

Other header fields include Reply-to, Sender, and so on. These fields can be forged by spammers because they do not affect how the mail is delivered.

Message body

After the header is the text or content of the message. This content can be formatted or encoded in many different ways, but in this example, it is displayed as plain text.

Message attachment

Many emails contain attachments to the main message. The system has the ability to decode attachments to match text found within an attachment using a filter rule.


Default pattern filters

Several default pattern filters have been predefined to ensure that mail is not trained in the following situations:

• Outbound Mail To: contains @example.com

• All Mail Subject: contains [SPAM]

• All Mail Subject: contains [MAYBE SPAM]

• All Mail Subject: contains Spam summary for

• All Mail Subject: contains Delayed Mail

• All Mail Subject: contains Delivery Status Notification

• All Mail Subject: contains Delivery Failure Notification

• All Mail Subject: contains Undelivered Mail Returned to Sender

• All Mail Subject: contains AutoReply

• All Mail Subject: contains Returned Mail:

• All Mail From: contains postmaster@ + domain

• All Mail From: contains MAILER-DAEMON@ + domain

These rules help prevent misconfiguration of the Token Analysis database by ensuring that forwarded spam messages, delivery notifications, automatic replies, and system messages are not trained.

Spam messages should never be forwarded within an organization as this will also misconfigure the Token Analysis training database.

The default WatchGuard Pattern Filter rules can be edited or removed by the administrator via Security > Content Control > Pattern Filters. All WatchGuard rules can be deleted using the Remove Default PBMFs button in the Edit View. Additional postmaster and MAILER-DAEMON Pattern Filters need to be created for organizations supporting multiple domains.

Credit card pattern filters

To assist administrators with regulatory compliance for Payment Card Industry (PCI) and other types of Data Loss Prevention (DLP) digital security standards, the WatchGuard XCS includes predefined regular expression Pattern Filters that search messages and attachments for specific credit card patterns using the Content Scanning feature. Several default credit card types are provided (Diners Club, American Express, Discover, MasterCard, and Visa) that allow the administrator to search for these patterns in incoming and outgoing messages and attachments. For example, any messages or attachments that contain a credit card number can be encrypted before delivery to protect the data.

The credit card pattern filters are initially disabled and set to the action of Just Log by default. To enable and edit the pattern filter:

1. Select the credit card pattern filter to edit.

2. Select the Enabled check box to enable the pattern filter.

3. Select an Action to take when this credit card pattern is detected in a message or attachment.

For example, if a credit card pattern is detected, the message can be encrypted before being sent. The default action is Just Log .


Content scanning phrase length for credit card pattern filters

The Content Scanning feature has a default phrase length of 3, meaning that the system will only scan up to 3 words of a dictionary phrase. When enabling credit card pattern filters, the phrase length must be increased to 4 to ensure the credit card filters are scanned properly.

To modify the content scanning phrase length:

1. Select Security > Content Control > Content Scanning .

2. Select the Enable check box.

3. Enter “ 4 ” for the Phrase length .

4. Click Apply .
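The Python script below is an added example, not code from the guide or from WatchGuard, showing how a credit card pattern filter of the kind described above can be built and, more importantly, how a Luhn checksum keeps it from firing on every 16-digit order number. The brand expressions are the widely published prefix and length rules and are not the XCS's own regular expressions; the sample text is constructed from the card networks' published test numbers. Note that a number written with separators, such as 4111 1111 1111 1111, spans four words, which is consistent with the guide's requirement that the Content Scanning phrase length be 4 for these filters.

```python
import re

# Brand patterns for digits-only numbers (published prefix/length rules, not XCS regexes).
CARD_PATTERNS = {
    "American Express": re.compile(r"3[47]\d{13}"),
    "Diners Club": re.compile(r"3(?:0[0-5]|[68]\d)\d{11}"),
    "Discover": re.compile(r"6(?:011|5\d{2})\d{12}"),
    "MasterCard": re.compile(r"5[1-5]\d{14}"),
    "Visa": re.compile(r"4\d{12}(?:\d{3})?"),
}
# 13-19 digits, optionally grouped with spaces or hyphens, not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn checksum: every second digit from the right is doubled (minus 9 if over 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_card(digits):
    """Brand name for a digits-only string, or None if no brand pattern matches."""
    for brand, pattern in CARD_PATTERNS.items():
        if pattern.fullmatch(digits):
            return brand
    return None


def find_card_numbers(text):
    """Return (brand, digits) for every candidate that matches a brand and passes Luhn.
    The checksum discards most order numbers and typos that share a card prefix, so the
    filter action (Encrypt, Reject, ...) fires far less often on false positives."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        brand = classify_card(digits)
        if brand and luhn_valid(digits):
            found.append((brand, digits))
    return found


def mask(digits):
    """PCI-style display form: first six and last four digits only."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


# Constructed sample text using the card networks' published test numbers.
SAMPLE = ("Order 1234567890123456 confirmed. Card 4111 1111 1111 1111 exp 12/12, "
          "backup 5555-5555-5555-4444, Amex 3782 822463 10005; "
          "typo 4111111111111112 should not count.")

if __name__ == "__main__":
    for brand, digits in find_card_numbers(SAMPLE):
        print(brand, mask(digits))
```

On the sample, the 16-digit order number is rejected because no brand prefix matches, and the last number is rejected because its checksum fails, even though it looks like a Visa number; only the three real test numbers are reported. Log the masked form, not the full number, if the matches are written anywhere outside the message itself.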

Configuring pattern filters

To configure pattern filters:

1. Select Security > Content Control > Pattern Filters.

2. Click the Edit View button to see an editable list of the pattern filters.

3. Select the Enable PBMF check box to enable the Pattern Filter feature globally.

Each pattern filter can be individually enabled or disabled.

4. Click Add.

5. Select the Enabled check box to enable this pattern filter.

6. Enter a descriptive Name and Comment for the Pattern Filter to be more easily identified in the list of pattern filters and reports.

The name and comment can only consist of letters, numbers, spaces, periods, underscores, and dashes.

7. Select the direction of mail for the Pattern Filter rule in the Apply To field, such as All Mail, Inbound, or Outbound, depending on your requirements.

• All Mail — Mail destined for any domain.

• Inbound mail — Any mail destined to a domain for which the system is configured to accept mail. This will be any domain listed in the Mail Routing table in Configuration > Mail > Routing.

• Outbound mail — Mail destined to any domain for which the system is not configured to accept mail (every domain other than those configured in Mail Routing).

8. Select the Message Part for which to filter.

The system allows you to filter on the following parameters. These parameters will not be visible to the user. They are the handshake part of the SMTP protocol. You will need to look for these in the logs or have other knowledge of them.

<<Mail Envelope>>

This parameter allows for a match on any part of the message envelope which includes the HELO, Client IP, and Client Host.


HELO

This field is easily faked, and is not recommended for use in spam control. It may be useful in trusting a source of mail. For example: mail.example.com.

Client IP

This field will be accurately reported and may be reliably used for both blocking and trusting. It is the IP address of the system initiating the SMTP connection. For example: 192.168.1.200.

Client Host

This field will be accurately reported and may be reliably used for both blocking and trusting.

For example: mail.example.com.

The following envelope parameters (Envelope Addr, Envelope To, and Envelope From) may be visible if your client supports reading the message source. They can also be found in the transport logs. Other header fields may be visible as supported by the mail client.

Envelope Addr

This finds matches in either the Envelope To or Envelope From field. These fields are easily faked, and are not recommended for use in spam control. They may be useful in trusting a source of mail. For example: [email protected].

Envelope To

This field is easily faked, and is not recommended for use in spam control. It may be useful in trusting a source of mail. For example: [email protected].

Envelope From

This field is easily faked, and is not recommended for use in spam control. It may be useful in trusting a source of mail. For example: [email protected].

Message Header Parameters

Spammers will typically enter false information into these fields, except for the Subject field, and they are usually not useful in controlling spam. These fields may be useful in trusting certain users or legitimate sources of email.

Mail Header parameters will only match on the primary header of a message and not other multipart message headers.

<<Mail Header>>

This parameter allows for a match in any part of the message header.

<<Recipient>>

This parameter finds matches in the To: or CC: fields of the message.

CC:

This parameter finds matches in the CC: (Carbon Copy) field of the message.

From:

This parameter finds matches in the From: field of the message.

Message-ID:

This parameter finds matches in the Message-ID: field of the message.

Received:

This parameter finds matches in the Received: field of the message.

Reply-to:

This parameter finds matches in the Reply-to: field of the message.

Sender:

This parameter finds matches in the Sender: field of the message.


Subject:

This parameter finds matches in the Subject: field of the message.

To:

This parameter finds matches in the To: field of the message.

There are other header fields that are commonly used, such as List-ID, as well as those added by local mail systems and clients. You must use Regular Expressions to specify these parameters.

Message Body Parameters

<<Raw Mail Body>>

This parameter finds matches in any part of the encoded message body. This encoded content includes Base64, MIME, and HTML. Since messages are not decoded, a simple text match may not work. Use <<Mail Content>> for text matching on the decoded content. This parameter will also match in multi-part message parts.

<<Mail Content>>

This parameter finds matches in the visible decoded message body.

STA (Token Analysis) Token

Token Analysis tokens can also be selected for pattern based message filters. This allows you to match patterns for common spam words that could be hidden or disguised with fake or invisible HTML text comments, which would not be caught by a normal pattern filter. For example, Token Analysis extracts the token “viagra” from the text “vi<spam>ag<spam>ra” and “v.i.a.g.r.a.”.

Content Scanning

Pattern based message filters can be defined to match the content of an entire mail message, including attachments. This type of Pattern Filter is used with the Content Scanning feature.

9. Select the Match Option.

• Contains — Looks for the text to be contained in a line or field. This allows for spaces or other characters that may make an exact match fail.

• Ends with — Looks for the text at the end of the line or field (no characters, spaces and so on, between the text and the non-printed end-of-line character).

• Matches — The entire line or field must match the text.

• Starts with — Looks for the text at the start of the line or field (no characters between the text and the start of line).

• Reg Exp — Enter a regular expression to match the text.

10. Enter a text Pattern (case insensitive) to search for in the message.

You may also use Regular Expressions which allow you to specify match rules in a more flexible and granular way. They are based on the standard POSIX specification for Regular Expressions.

For example, to search for a blank message field, use the following regular expression:

^subject:[[:blank:]]*$

Although the Regular Expression feature is supported, WatchGuard cannot help with devising or debugging Regular Expressions because the expressions have an infinite variety and can be very complex. Using Regular Expressions is not recommended unless you have advanced knowledge of their use.


11. Select a Priority for the filter (High, Medium, Low).

The entire message is read before making the decision about which filter to use. If a message matches multiple filters, the filter with the highest priority will be used. If more than one matched filter has the highest priority, the filter with the strongest action will be used, in order, from highest priority to lowest (Bypass, Reject, Discard, Quarantine, Certainly Spam, PostX Encrypt, Archive, Redirect, Trust, Relay, Accept, Just log).

Discard, Quarantine, and Redirect are actions available when creating a custom Pattern Filter action in the Pattern Filter preferences screen.

If more than one matched rule has the highest priority and highest action, then the filter with the highest rule number will be used.

12. Select an Action to perform when a rule has been triggered:

• Bypass — Allow this message to bypass all Intercept Anti-Spam and Content Control (Attachment Control, Content Scanning, Malformed Message, and OCF) processing. This action will override other Pattern Filter actions for the same priority. This action does not bypass Anti-Virus scanning.

• Trust — This mail is considered trusted and from a legitimate source. This message will not be processed for spam. Mail will be trained as legitimate mail.

• Reject — Mail is received, then rejected before the close of an SMTP session. Message is trained for spam if Train is also selected.

• Relay — Message can be relayed externally. Message will be trained as legitimate mail or spam as determined by Intercept Anti-Spam if Train is also selected.

• Accept — Mail is accepted and will be delivered regardless of whether the message is considered spam. Message is trained as legitimate mail if Train is also selected.

• Certainly Spam — Mail is received, trained as spam, and then the Intercept action for Certainly Spam is applied.

• Just Log — Take no action, but log the occurrence. Just Log can be used to override other lower priority Pattern Filters to test the effect of Pattern Filters without an action taking place.

• PostX Encrypt — Message is encrypted using the Encryption Option if enabled.

• BCC — Send a blind carbon copy mail to the mail address specified in Action Data. This option only appears if you have a BCC email address set up in the Preferences section.

• Do Not Train — Do not use the message for Token Analysis training purposes.

• Configurable Actions — There are several configurable actions that can be defined by the administrator by clicking the Preferences button. When defined, these actions will appear in this list.

• Encrypt — Redirects the message to an encryption server.

• Decrypt — Redirects the message to a decryption server.

• Archive (High, Medium, Low) — Redirects the message to an archiving server.

The Relay or Trust action can only be used with an Envelope message part because attempted relays must be rejected immediately after the envelope transaction.


Upload and download of pattern filters

You can create a list of Pattern Filters and upload them together in one file. The file must contain comma or tab separated entries in the form:

[Section],[type],[pattern],[action],[sequence(priority)],[rulenumber],[direction],[Options]

For example: to:,contains,[email protected],reject,medium,1,both,on

The Options field is used for the Do-Not-Train option. The value can be on or blank. If the field is blank, a Reject action will be considered Reject+Train.

The file (pbmf.csv) should be created in CSV file format using a text editor. It is recommended that you download the Pattern Filter file first by clicking Download File, edit it as required, and upload it using the Upload File button.
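As an added example (not code from this guide or from WatchGuard), the following Python loads a constructed pbmf.csv in the field order shown above, applies the checks the guide describes (Options is on or blank, a blank Options field makes Reject into Reject+Train, Relay and Trust are only allowed on an envelope section), and then resolves which of several matched filters wins under the step 11 rules: highest priority, then strongest action in the listed order, then highest rule number. The filter dict keys, the sample addresses, and the lowercase spellings of the multi-word action names are assumptions of the example.

```python
import csv
import io

# Constructed pbmf.csv content in the documented field order:
# [Section],[type],[pattern],[action],[sequence(priority)],[rulenumber],[direction],[Options]
# It is not a file downloaded from an appliance, and the addresses are made up.
PBMF_CSV = """\
to:,contains,sales@example.com,reject,medium,1,both,on
subject:,contains,[promo],just log,high,2,inbound,
from:,ends,@bulk.example.net,reject,high,3,inbound,
content,contains,confidential,postx encrypt,high,4,outbound,
env-from,contains,@partner.example.org,trust,low,5,inbound,
"""

# Action strength, strongest first, in the order the guide gives under step 11.
# The lowercase spellings of the multi-word actions are an assumption.
ACTION_STRENGTH = ["bypass", "reject", "discard", "quarantine", "certainly spam",
                   "postx encrypt", "archive", "redirect", "trust", "relay",
                   "accept", "just log"]
PRIORITY_RANK = {"high": 0, "medium": 1, "low": 2}
# Envelope sections (named as in the content rules file); Relay and Trust are only
# valid here because a relay attempt must be rejected right after the envelope.
ENVELOPE_SECTIONS = {"env", "helo", "ip", "client", "env-addr", "env-to", "env-from", "envfrom"}


def parse_pbmf_csv(text):
    """Parse pbmf.csv text (comma or tab separated) into filter dicts, checking each field."""
    delimiter = "\t" if "\t" in text else ","
    filters = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text), delimiter=delimiter), 1):
        if not any(cell.strip() for cell in row):
            continue  # blank line
        if len(row) != 8:
            raise ValueError(f"line {lineno}: expected 8 fields, got {len(row)}")
        section, ptype, pattern, action, priority, number, direction, options = [c.strip() for c in row]
        action, priority, direction, options = (c.lower() for c in (action, priority, direction, options))
        if action not in ACTION_STRENGTH:
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        if priority not in PRIORITY_RANK:
            raise ValueError(f"line {lineno}: priority must be high, medium or low")
        if direction not in ("inbound", "outbound", "both"):
            raise ValueError(f"line {lineno}: direction must be inbound, outbound or both")
        if options not in ("on", ""):
            raise ValueError(f"line {lineno}: Options must be 'on' or blank")
        if action in ("relay", "trust") and section.lower() not in ENVELOPE_SECTIONS:
            raise ValueError(f"line {lineno}: {action} is only allowed on an envelope section")
        filters.append({
            "section": section.lower(), "type": ptype.lower(), "pattern": pattern,
            "action": action, "priority": priority, "rulenumber": int(number),
            "direction": direction, "do_not_train": options == "on",
            # A blank Options field turns Reject into Reject+Train.
            "train": action == "reject" and options == "",
        })
    return filters


def pbmf_errors(text):
    """Return the first validation error for a pbmf.csv text, or None if it parses cleanly."""
    try:
        parse_pbmf_csv(text)
    except ValueError as exc:
        return str(exc)
    return None


def winning_filter(filters, matched_rule_numbers, direction):
    """Of the filters that matched a message travelling in direction ("inbound" or
    "outbound"), return the one whose action is applied: highest priority first, then
    strongest action, then highest rule number. Returns None when none apply."""
    matched = [f for f in filters
               if f["rulenumber"] in matched_rule_numbers and f["direction"] in ("both", direction)]
    if not matched:
        return None
    return max(matched, key=lambda f: (-PRIORITY_RANK[f["priority"]],
                                       -ACTION_STRENGTH.index(f["action"]),
                                       f["rulenumber"]))


if __name__ == "__main__":
    loaded = parse_pbmf_csv(PBMF_CSV)
    winner = winning_filter(loaded, {1, 2, 3}, "inbound")
    print(f"rule {winner['rulenumber']} wins with action {winner['action']}")
```

Note that in the sample a high-priority Just Log filter (rule 2) beats a medium-priority Reject (rule 1), which is the override behaviour the Just Log action describes.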

Pattern filter preferences

1. Select the Preferences button to define custom Pattern Filter actions and notifications.


2. Enter the BCC Email Address option to use in conjunction with the PBMF BCC Action to specify the email address where a blind carbon copy of the message can be sent.

3. Select a PBMF Action.

Administrators can define up to six customized actions that can be used for Pattern Filters. When an action has been defined and activated, it will appear in the list of actions when creating a Pattern Filter rule.

4. Select the Active check box to activate the action.

5. Enter a descriptive Action Name.


6. Select the Action.

• Reject — The mail will not be accepted and the connecting mail server is forced to return it.

• Discard — The mail will be dropped and a notification will not be sent.

• Quarantine — The mail will be put into the administrative quarantine area.

• Certainly Spam — Mail is received, trained as spam, and then the Intercept action for Certainly Spam is applied.

• Redirect to — The message will be delivered to the mail address specified in the Action Data field.

• Accept — Mail is accepted and delivered when operating normally.

• BCC — The message will be copied to the mail address specified in the Action Data field.

7. Set the Action Data for the specified Action.

For the Redirect To action, send the message to a mailbox such as [email protected]. You can also specify a domain such as spam.example.com. For BCC , enter an email address to send a blind carbon copy of the message to.

8. Select the Do Not Train option to ensure that when this action is triggered, the message will not be trained for spam.

9. Enable and customize Notifications as required.

Rerouting mail using pattern filters

Custom Pattern Filters can be used to redirect mail to another mail server, while preserving the message properties (such as Envelope To and Deliver To). This feature is similar to the redirect actions and reroute mail routes used in Archiving and External Encryption to redirect mail to an archiving or encryption server.

In your mail routing configuration (configured in Configuration > Mail > Routing), create a mail route whose name begins with a “.” period character (such as .mail_reroute) and enter the destination mail server as the address for your mail route.

When creating a custom Pattern Filter, set the Action to Redirect To, and in the Action Data field, enter the name of the corresponding mail route. For example: mail_reroute.

When a pattern filter is triggered, it will reroute the message to the corresponding mail server.


Content and Connection Rules

Content rules allow the administrator to create customized rule conditions for examining email message content and perform customized actions based on the search criteria.

Content Rules cannot be used with HTTP Web requests.

A rule can contain one or several conditions, and the specified action will be performed on the message if the conditions in the rule are satisfied. Rules can be ordered in priority as required. Content Rules can be enabled globally, and can also be configured in a policy (in the Content Control section).

The Pattern Filters feature must be enabled for Content Rules to work properly. Content Rules are processed after Pattern Filters. It is recommended that you use either one method or the other when creating rule filters, and do not use both concurrently to prevent issues with rule order processing.

Note the following behavior when using Content Rules in conjunction with Trusted/Blocked Senders Lists:

• Users listed in the Trusted Senders List will override any Content Rule action except if the rule action is Quarantine, Reject, or Discard.

• Users listed in the Blocked Senders List will override a Content Rule action unless the Content Rule action is Reject or Discard.

Configuring content rules

To configure and create content rules:

1. Ensure Pattern Filters are enabled via Security > Content Control > Pattern Filters.

2. Select Security > Content Control > Content Rules.

3. Select the Enable Content Rules check box.

Enabling Content Rules will also enable Connection Rules that are configured via Security > Anti-Spam > Connection Control.

4. Select the Inbound or Outbound Content Rules link as required to create and manage your content rules.


5. Select the Create New Rule link to create a new Content Rule, or select an existing rule to modify its settings.


6. Enter a descriptive Name for this content rule.

7. Select the Enable This Rule check box to enable the rule globally.

8. Enter a detailed Description for this rule. Record why the rule was created so that other administrators understand its purpose.

9. In the If field, select all if all conditions in this content rule must be true to trigger an action, or select any to trigger an action if any condition in the content rule is true.

Multiple conditions can be added by clicking the “+” icon. Delete conditions using the “x” icon.

10. Select a specific Message Part for this rule condition.

• Trusted — The rule will only act on messages that are considered trusted by the system.

• Untrusted — The rule will only act on messages that are considered untrusted by the system.

• Mail Envelope — This parameter allows for a match in any part of the message envelope which includes the HELO, Client IP, and Client Host.

• HELO — This parameter allows for a match in the HELO part of the message envelope. For example: mail.example.com.

• Client IP — This parameter allows for a match in the IP address of the system initiating the SMTP connection. For example: 10.1.2.200.

• Client Host — This parameter allows for a match in the client host name of the system initiating the SMTP connection. For example: mail.example.com.

• Envelope Addr — This parameter allows for a match in the Envelope To or Envelope From. For example: [email protected].

• Envelope To — This parameter allows for a match in the Envelope To field. For example: [email protected].

• Envelope From — This parameter allows for a match in the Envelope From field. For example: [email protected].

• Mail Header — This parameter allows for a match in any part of the message header.

• Recipient — This parameter allows for a match in the To: or Cc: fields.

• Cc — This parameter allows for a match in the Cc: field.

• From — This parameter allows for a match in the From: field.

• Message-ID — This parameter allows for a match in the Message-ID: field.

• Received — This parameter allows for a match in the Received: field.

• Reply-to — This parameter allows for a match in the Reply-to: field.

• Sender — This parameter allows for a match in the Sender: field.

• Subject — This parameter allows for a match in the Subject: field.

• To — This parameter allows for a match in the To: field.

• Raw Mail Body — This parameter allows for a match in any part of the encoded message body. This encoded content includes Base64, MIME, and HTML. Since messages are not decoded, a simple text match may not work. Use Mail Content for text matching on the decoded content.

• Mail Content — This parameter allows for a match on the visible decoded message body.

• STA (Token Analysis) Token — Token Analysis tokens can also be selected for a rule. This allows you to match patterns for common spam words that could be hidden or disguised with fake or invisible HTML text comments, which would not be caught by a normal content rule. For example, Token Analysis is able to extract the token “viagra” from the text “vi<spam>ag<spam>ra” and “v.i.a.g.r.a.”.

• Content Scanning — Matches the content of an entire message, including document attachments. This field is used with the Content Scanning feature.

• DFP Scanned — The rule will only act on messages that have been scanned by Document Fingerprinting.

• DFP Metric — This parameter allows for a match in the Document Fingerprinting metric score, such as equal to, greater than, less than, and so on.

11. Select the Match Option for the search you are performing.

• Contains — Looks for the text to be contained in a line or field. This allows for spaces or other characters that may make an exact match fail.

• Starts with — Looks for the text at the start of the line or field (no characters between the text and the start of line).

• Ends with — Looks for the text at the end of the line or field (no characters, spaces and so on, between the text and the non-printed end-of-line character).

• Matches — The entire line or field must match the text exactly as entered.

• Raw Regex — Allows you to enter a regular expression for your search criteria.

• In Dictionary — Select a predefined dictionary that will be matched against the specified message part.

12. Enter the specific text to search for.

13. In the Then field, select an action to perform when the rule statement is true.

• Continue — No action is taken and the message will continue to be processed by the system. This is the default selection if no action is specified. BCC actions will still be performed.

• Quarantine — The message is placed into the administrative quarantine area.

• Just log — Log the event and take no further action.

• Reject — The message is rejected and a notification is sent to the sending system.

• Discard — The message is discarded without sending a notification to the sending system.

• Modify Subject Header — The specified text will be inserted into the message subject line.

• Add Header — The specified “X-” mail header will be added to the message headers.

• Redirect To — The message will be delivered to the specified mail address or server.

• Accept — Mail is accepted and will be delivered regardless of whether the message is considered spam.

• PostX encrypt — Encrypts the message using the integrated message encryption feature.

• PBMF Action — Use a custom pattern filter action as defined in the Pattern Filter configuration.

• Encrypt — Redirects the message to the Encryption server specified in the Configuration > Mail > Encryption > External Encryption menu.

• Decrypt — Redirects the message to the Decryption server specified in the Configuration > Mail > Encryption > External Encryption menu.

• Archive — Redirects the message to an archive server specified in the Configuration > Mail > Archiving menu. Archive priority can be set to Low, Medium, and High.

14. Enter an optional email address to send a BCC (Blind Carbon Copy) of the message to if the rule is triggered.

15. Select the Train options for this rule if it is triggered.

• Intercept decides — The Intercept Anti-Spam engine will decide whether to train the message as spam or legitimate mail based on its scanning results.

• Do not train — The message will not be trained.

• Train as ham — The message will be trained as a legitimate (ham) message.

• Train as spam — The message will be trained as a spam message.

16. Click Apply.

Rule ordering

The rules are processed in order as displayed. Rules can be re-ordered by selecting a specific rule and dragging it to its desired location. Click the Save Rule Order button to save the updated order of your rules when you are finished.

Downloading and uploading content rules

You can download and upload the Content Rules list as a single file. It is recommended that you download the Content Rules file first by clicking Download Rules To File, edit the file as required, and upload it using the Upload Rules From File button.

The file (content rules.csv) should be created in CSV file format using a text editor.

The file contains comma separated entries in the form:

[Policy],[Stage],[Rank],[Name],[Description],[Enabled],[Condition],[Final Action],[Final Action Text],[BCC Address],[Train Action]

For example:

0,1,50,Rule_10,This_is_Rule_10,1,pbmf_match(sender:,contains,"spammer"),subject_rewrite,[Spam],[email protected],do_not_train

The following table describes the fields for the rules file:

Policy: Policy ID of the rule. This will be 0 for a connection rule.

Stage: This will be 1 if the rule is an inbound content rule, 2 if the rule is an outbound content rule, and 0 if a connection rule.

Rank: The ordering of the rule in the given policy and stage. 1 is the highest priority, 2 is the next highest priority, and so on.

Name: The rule name.

Description: Description of the rule.

Enabled: This value will be 1 if the rule is enabled, and 0 if it is disabled.

Condition: Rule condition statement:

- trusted

- !trusted (not trusted)

- in_dict(messagepart,dictionaryID). Such as in_dict(client_hostname,83)

- pbmf_match(messagepart, ptype, text). Such as pbmf_match(sender:,contains,"spammer") in the previous example.

messagepart: “env”, “helo”, “ip”, “client”, “env-addr”, “env-to”, “envfrom”, “body”, “content”, “token”, “acs”, “hdr”, “recipient”, “cc:”, “from:”, “received:”, “reply-to:”, “sender:”, “subject:”, “to:”, “message-id”.

ptype values: “contains”, “ends”, “starts”, “match”, “regex”.

text: The specified text string.

Boolean operators for the “all” and “any” options:

&& - and, used with the “all” option

|| - or, used with the “any” option

Such as: trusted&&in_dict(sender_address,83)&&pbmf_match(subject:,contains,"spam")

Final action: Indicates the final rule action, including: “movem” (Quarantine), “log”, “trash” (Discard), “reject”, “subject_rewrite”, “add_header”, “redirect”, “postxenc” (Encrypt), “trust”, “relay”, “whitelist” (Accept), “continue”. Custom Pattern Filter actions, including external Encryption and Archiving if enabled: “actiona”, “actionb”, “actionc”, “actiond”, “actione”, “action1”, “action2”, “action3”, “action4”, “action5”, and “action6”.

Final action data: Indicates any additional data for the action, such as the text for a modified subject or header, such as “[Spam]” in the previous example.

BCC address: Contains a blind carbon email address such as [email protected]. This will be blank if no address is specified.

Train action: This field will be blank if set to the default “Intercept decides”. Other values include: “do_not_train”, “train_spam”, and “train_ham”.
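As an added example (not code from this guide or from WatchGuard), the following Python splits a constructed content rules line without breaking on the commas inside the Condition field, then evaluates the condition language of the table above (trusted, !trusted, in_dict and pbmf_match with the ptype values, joined by && or ||) against a constructed message. It also carries the blank-subject regular expression from the Pattern Filter section through a POSIX-to-Python bracket-class translation, since Python's re module does not understand [[:blank:]]. The message dictionary layout, the assumption that a dictionary matches when any of its entries appears in the part, and the sample addresses are mine.

```python
import re

FIELDS = ["policy", "stage", "rank", "name", "description", "enabled", "condition",
          "final_action", "final_action_text", "bcc_address", "train_action"]
QUOTES = '"\u201c\u201d'  # straight and curly double quotes around the text argument
# Bracket classes of POSIX regular expressions (what XCS uses) that Python's re lacks.
POSIX_CLASSES = {"[:blank:]": r" \t", "[:space:]": r"\s", "[:digit:]": r"\d",
                 "[:alpha:]": "a-zA-Z", "[:alnum:]": "a-zA-Z0-9"}

# Constructed rules-file line (not exported from an appliance); the BCC field is blank.
RULE_LINE = ('0,1,50,Rule_10,This_is_Rule_10,1,'
             'pbmf_match(sender:,contains,"spammer")&&!trusted,'
             'subject_rewrite,[Spam],,do_not_train')

# Constructed message. Header parts hold the whole header line, which is what the
# ^subject: anchor in the guide's blank-subject regex expects; "dictionaries" maps a
# dictionary ID to its entries. This layout is an assumption of the example.
SPAM_MESSAGE = {
    "trusted": False,
    "dictionaries": {83: {"bulk.example.net"}},
    "parts": {"sender:": "Sender: spammer@bulk.example.net",
              "subject:": "Subject: ",
              "client_hostname": "mx.bulk.example.net"},
}

def split_top_level(text, sep):
    """Split on sep, ignoring sep inside parentheses or double quotes. The Condition
    field itself contains commas, so a plain str.split(",") breaks the rules line."""
    parts, buf, depth, quoted, i = [], [], 0, False, 0
    while i < len(text):
        if not quoted and depth == 0 and text.startswith(sep, i):
            parts.append("".join(buf))
            buf, i = [], i + len(sep)
            continue
        ch = text[i]
        if ch in QUOTES:
            quoted = not quoted
        elif ch == "(" and not quoted:
            depth += 1
        elif ch == ")" and not quoted:
            depth -= 1
        buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts

def parse_rule_line(line):
    """Parse one content rules.csv line into a dict keyed by FIELDS."""
    values = split_top_level(line.strip(), ",")
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    rule = dict(zip(FIELDS, (v.strip() for v in values)))
    rule["enabled"] = rule["enabled"] == "1"
    rule["rank"] = int(rule["rank"])
    return rule

def pbmf_match(value, ptype, text):
    """Apply one ptype (the Match Option) to a message part; matching is case insensitive."""
    v, t = value.lower(), text.lower()
    simple = {"contains": lambda: t in v, "starts": lambda: v.startswith(t),
              "ends": lambda: v.endswith(t), "match": lambda: v == t}
    if ptype in simple:
        return simple[ptype]()
    if ptype != "regex":
        raise ValueError(f"unknown ptype {ptype!r}")
    for name, repl in POSIX_CLASSES.items():  # e.g. [[:blank:]] becomes [ \t]
        text = text.replace(name, repl)
    return re.search(text, value, re.IGNORECASE) is not None

def eval_term(term, msg):
    """Evaluate one term: trusted, !trusted, in_dict(part,id) or pbmf_match(part,ptype,text)."""
    if term in ("trusted", "!trusted"):
        return msg["trusted"] == (term == "trusted")
    m = re.fullmatch(r"(in_dict|pbmf_match)\((.*)\)", term)
    if not m:
        raise ValueError(f"unrecognised condition term {term!r}")
    args = [a.strip() for a in split_top_level(m.group(2), ",")]
    if m.group(1) == "in_dict":
        part, dict_id = args
        value = msg["parts"].get(part, "").lower()
        # Assumption: a dictionary matches when any of its entries occurs in the part.
        return any(e.lower() in value for e in msg["dictionaries"].get(int(dict_id), ()))
    part, ptype, text = args
    return pbmf_match(msg["parts"].get(part, ""), ptype, text.strip(QUOTES))

def evaluate_condition(condition, msg):
    """Evaluate a Condition field: terms joined by && (the all option) or || (the any option)."""
    if "&&" in condition and "||" in condition:
        raise ValueError("a rule uses either the all (&&) or the any (||) option, not both")
    op = "||" if "||" in condition else "&&"
    results = [eval_term(t.strip(), msg) for t in split_top_level(condition, op)]
    return any(results) if op == "||" else all(results)

def apply_rule(rule, msg):
    """Return (final action, action data, train action) when the rule fires, else None."""
    if not rule["enabled"] or not evaluate_condition(rule["condition"], msg):
        return None
    return rule["final_action"], rule["final_action_text"], rule["train_action"]
```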


Content rules and policies

Content Rules can be configured using the WatchGuard XCS policy features. Content Rules must be enabled globally to be able to use this feature in a policy.

The Pattern Filters feature must be enabled for Content Rules to work properly, including policies.

To use Content Rules in a policy:

1. Ensure the Content Rules feature is enabled globally via Security > Content Control > Content Rules.

2. Ensure the Pattern Filters feature is enabled globally via Security > Content Control > Pattern Filters.

3. Select Security > Policies.

4. Select the specific policy to configure.

5. Select the Content Control section.

6. Enable or disable the feature for this policy.

7. Configure your Inbound and Outbound Content rules for this policy as required.

Reporting

Statistics on Content Rule processing can be found in the following reports:

E-mail Executive Summary Report

Messages that are acted upon by a Content Rule are counted in the Content Filters category.

E-mail Analysis Report

Messages that are acted upon by a Content Rule are counted in the Content Filters category.

Dashboard Mail Summary

Messages that are acted upon by a Content Rule are counted in the Content Control category in the Dashboard Mail Summary.

Rules Report

A separate Rules Report lists the number of inbound and outbound messages acted upon by the Content Rules and Connection Rules for specific time intervals. A table of the Top Applied Rules will list the most commonly triggered rules, including information on the rule ID number, name, final action of the rule, condition, description, and the number of times it was triggered.

Message history

In the advanced Message History search for email, you can choose Content Rules in the Only show messages where field. This displays all rules that triggered and resulted in actions being performed on the message.


Connection rules

Connection Rules allow the administrator to create customized rule conditions for examining incoming and outgoing message connections, to perform customized actions based on the search criteria. A rule can contain one or several conditions. The specified action will be performed on the message if the conditions in the rule are satisfied. Rules can be ordered in priority as required.

Connection Rules are processed after Specific Access Patterns and Pattern Filters. To prevent issues with rule order processing, do not use both methods concurrently.

To configure Connection Rules:

1. To enable Connection Rules, you must first enable the Content Rules feature by selecting Security > Content Control > Content Rules.

2. Select the Enable Content Rules check box to enable the feature, and click Apply.

3. Select Security > Anti-Spam > Connection Control.

4. Select the Connection Rules link.

5. Click the Create New Rule link to start a new rule, or select an existing rule to modify its settings.


6. Enter a descriptive Name for this rule.

7. Select the Enable This Rule check box to enable this rule globally.


8. Enter a detailed Description for this rule. Record why the rule was created so that other administrators understand its purpose.

9. In the If field, select all if all statements in this rule must be true to trigger an action, or select any to trigger an action if any statement in the rule is true.

Multiple conditions can be added by clicking the “+” icon. Delete conditions using the “x” icon.

10. Select a specific Message Part for this rule condition.

• Trusted — The rule will act only on messages that are considered trusted by the system.

• Untrusted — The rule will act only on messages that are considered untrusted by the system.

• Mail Envelope — This parameter allows for a match on any part of the message envelope which includes the HELO, Client IP, and Client Host.

• HELO — This parameter allows for a match on the HELO part of the message envelope. For example: mail.example.com.

• Client IP — This parameter allows for a match on the IP address of the system initiating the SMTP connection. For example: 10.1.2.200.

• Client Host — This parameter allows for a match on the client host name of the system initiating the SMTP connection. For example: mail.example.com.

• Envelope Addr — This parameter allows for a match on the Envelope To or Envelope From. For example: [email protected].

• Envelope To — This parameter allows for a match on the Envelope To field. For example: [email protected].

• Envelope From — This parameter allows for a match on the Envelope From field. For example: [email protected].

11. Select the Match Option for the search you are performing.

• Contains — Looks for the text to be contained in a line or field. This allows for spaces or other characters that may make an exact match fail.

• Starts with — Looks for the text at the start of the line or field (no characters between the text and the start of line).

• Ends with — Looks for the text at the end of the line or field (no characters, spaces and so on, between the text and the non-printed end-of-line character).

• Matches — The entire line or field must match the text exactly as entered.

• Raw Regex — Allows you to enter a regular expression for your search criteria.

• In Dictionary — Select a predefined dictionary that will be matched against the specified message part.

12. Enter the required text to search for.

13. In the Then field, select an action to perform when the rule statement is true.

• Continue — No action is taken and the message will continue to be processed by the system. This is the default selection if no action is specified. BCC actions will still be performed.

• Quarantine — The message is placed into the administrative quarantine area.

• Just log — Log the event and take no further action.

• Reject — The message is rejected and a notification is sent to the sending system. BCC and Train options will not be available.

• Discard — The message is discarded without sending a notification to the sending system. BCC and Train options will not be available.

• Subject Rewrite — The specified text will be inserted into the message subject line.

• Add Header — The specified “X-” mail header will be added to the message headers.

• Redirect To — The message will be delivered to the specified mail address or server.

• PostX encrypt — Encrypts the message using the integrated message encryption feature.

• Trust — This mail is considered trusted and from a legitimate source. This message will not be processed for spam.

• Relay — Message can be relayed externally.

• Accept — Mail is accepted and will be delivered regardless of whether the message is considered spam.

• PBMF Action — Use a custom pattern filter action, as defined in the Pattern Filter configuration.

• Encrypt — Redirects the message to an Encryption server.

• Decrypt — Redirects the message to a Decryption server.

• Archive — Redirects the message to an archive server. Archive priority can be set to Low, Medium, and High.

14. Enter an optional email address where a BCC Blind Carbon Copy of the message is sent if the rule is triggered.

15. Select the Train options for this rule if it is triggered.

ƒ Intercept decides — The Intercept Anti-Spam engine will decide whether to train the message as spam or legitimate mail, based on its scanning results.

ƒ Do not train — The message will not be trained.

ƒ Train as ham — The message will be trained as a legitimate (ham) message.

ƒ Train as spam — The message will be trained as a spam message.

16. Click Apply.

Rule ordering

The rules are processed in the displayed order. Rules can be re-ordered by selecting a specific rule and dragging it to its desired location. Click the Save Rule Order button to save the updated order of your rules when you are finished.

Reporting

Statistics on Connection Rule processing can be found in the following reports:

E-mail Executive Summary Report

Messages that are rejected by a Connection Rule are counted in the ReputationAuthority connection rejects category.

E-mail Analysis Report

Messages that are rejected by a Connection Rule are counted in the ReputationAuthority connection rejects category.

Connection Control Report

Messages that are rejected by a Connection Rule will be reported in the Connection Control report.

Dashboard Mail Summary

Messages that are rejected by a Connection Rule are counted in the ReputationAuthority connection rejects category in the Dashboard Mail Summary.

Rules Report

A separate Rules Report lists the number of inbound and outbound messages acted upon by the Content Rules and Connection Rules for specific time intervals. A table of the Top Applied Rules lists the most commonly triggered rules. This includes information on the rule ID number, name, final action of the rule, condition, description, and the number of times it was triggered.

154 WatchGuard XCS


Dictionaries and Lists

The Dictionaries and Lists feature contains default and custom word and phrase dictionaries that can be used with Objectionable Content, Spam Dictionaries, and Content Scanning features. Lists of IP addresses, domains, and email addresses can also be created for use with features such as Blocked and Trusted sites for web traffic scanning.

Each dictionary or list is a simple word or phrase text file (in Unix format) with one word or phrase per line, such as:

Compliance

Classified

Top Secret

This is Confidential

The maximum word length is 35 characters. Words or phrases longer than 35 characters can be uploaded, but will be truncated for matching purposes. Both plural and singular word forms need to be defined in the dictionaries. In policies, the phrase length of the selected compliance dictionary should not be greater than the phrase length configured in the content scanning configuration.

Character set support

The WatchGuard XCS supports several character sets for dictionary-based message scanning. This support allows administrators to upload dictionaries in a variety of language character set encodings and use these dictionaries with the Objectionable Content Filter when scanning email and web content.

Non-English character sets cannot be used with the Content Scanning feature.

The following character set encodings are supported for dictionaries:

ƒ ASCII

ƒ Unicode

ƒ UTF-8, UTF-16, UTF-32

ƒ ISO-8859-1 (Western European Languages)

Only languages that can be converted to ISO-8859-1 and Big Endian byte order character set encodings are supported.

When a dictionary is uploaded, the system will convert the file’s contents to ISO-8859-1 for use with the system’s internal scanners. The file will then be displayed in ISO-8859-1 format in the Dictionaries screen.

Downloading the dictionary will save it in the original character encoding format that it was uploaded with.

Only languages that can be converted to ISO-8859-1 (Western European Latin-based Character Set) are supported.

For email messages, incoming data is assumed to be in the ISO-8859-1 character set. UTF-8, double-byte, or multi-byte content will not be processed properly. This content cannot be matched by a dictionary scanning-based feature and will pass through the system without being blocked.

For web scanning, most web content is UTF-based. The system will attempt to convert incoming data to be scanned to the ISO-8859-1 character encoding. Any characters that cannot be converted into a single byte (primarily those that do not belong to the ISO-8859-1 character set) cannot be matched to a dictionary by the message scanners, and will pass through without being blocked.
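The following Python script is an added example, not part of this guide or of the WatchGuard XCS software. It audits a constructed dictionary for entries that cannot be represented in ISO-8859-1, and reproduces the email-path failure described above, where a UTF-8 body is decoded as ISO-8859-1 and an accented entry no longer matches. The dictionary entries, the message text and the whole-entry, case-insensitive match are assumptions of the example.

```python
"""Added example (not WatchGuard code): audit a dictionary for entries that
cannot survive the ISO-8859-1 conversion, and show why UTF-8 email text is
not matched against the converted dictionary."""

# Constructed dictionary file content, one entry per line, uploaded as UTF-8.
DICTIONARY_UTF8 = "\n".join([
    "Confidential",
    "café",     # é exists in ISO-8859-1, so this entry converts cleanly
    "Škoda",    # Š is not in ISO-8859-1 (listed above as missing for Estonian/Finnish)
    "cœur",     # œ is not in ISO-8859-1 (listed above as missing for French)
    "€ 500",    # the euro sign is not in ISO-8859-1 either
]).encode("utf-8")


def load_dictionary(raw, encoding):
    """Decode the uploaded file with the encoding selected by the administrator.
    A wrong selection raises here instead of silently producing mangled entries."""
    text = raw.decode(encoding)
    return [line.strip() for line in text.splitlines() if line.strip()]


def latin1_audit(entries):
    """Split entries into those representable in ISO-8859-1 and those that are
    not.  An entry with even one unrepresentable character can never match,
    because the scanners work on single-byte ISO-8859-1 text."""
    ok, unmatchable = [], []
    for entry in entries:
        try:
            entry.encode("iso-8859-1")
            ok.append(entry)
        except UnicodeEncodeError:
            unmatchable.append(entry)
    return {"ok": ok, "unmatchable": unmatchable}


def scan_email_body(body, entries):
    """Model the email path: the body is assumed to be ISO-8859-1 and decoded
    as such whatever its real encoding, then matched against the converted
    dictionary (whole entry, case-insensitive: an assumption).  Returns hits."""
    text = body.decode("iso-8859-1").lower()
    return [entry for entry in entries if entry.lower() in text]


def demo():
    """Audit the dictionary, then scan the same visible text in two encodings."""
    entries = load_dictionary(DICTIONARY_UTF8, "utf-8")
    audit = latin1_audit(entries)
    message = "Le café est Confidential"
    return {
        "audit": audit,
        # UTF-8 body: 'é' arrives as two bytes that decode as 'Ã©', so 'café' misses
        "utf8_hits": scan_email_body(message.encode("utf-8"), audit["ok"]),
        # ISO-8859-1 body: both convertible entries match
        "latin1_hits": scan_email_body(message.encode("iso-8859-1"), audit["ok"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key + ":", value)
```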

User Guide 155


Your web browser must be configured to display the ISO-8859-1 character set to view the contents of the dictionary file properly. In addition, ensure the web server configuration (accessed via Configuration > Network > Web Server) accurately reflects the encoding used.

The following languages are supported by the ISO-8859-1 character set:

ƒ Afrikaans

ƒ Albanian

ƒ Basque

ƒ Breton

ƒ Danish

ƒ Dutch (missing IJ, ij but these should always be represented as IJ or ij in electronic form)

ƒ English (US and modern British)

ƒ Estonian (missing Š, š, Ž, ž for loan words)

ƒ Faroese

ƒ Finnish (missing Š, š, Ž, ž for loan words)

ƒ French (missing Œ, œ and the very rare Ÿ; they are generally replaced by “OE” and “oe” without the normally required ligature, and “Y” without the diaeresis)

ƒ Galician

ƒ German

ƒ Icelandic

ƒ Irish (new orthography)

ƒ Italian

ƒ Latin (basic classical orthography)

ƒ Luxembourgish (basic classical orthography)

ƒ Norwegian (Bokmål and Nynorsk)

ƒ Occitan

ƒ Portuguese (European and Brazilian)

ƒ Rhaeto-Romanic

ƒ Scottish Gaelic

ƒ Spanish

ƒ Swahili

ƒ Swedish

ƒ Walloon

ƒ Welsh (missing the following circumflex accented characters: Ŵ, ŵ, Ŷ, ŷ)


Adding a dictionary

To add a new dictionary to the system:

1. Select Security > Content Control > Dictionaries & Lists.


2. Click Add to add a new dictionary file.

3. Click Browse to select the file to be uploaded.

4. Select the Character set encoding used in the uploaded file.

The file must be in the character set encoding you specify. If it is not, unexpected results will occur and the displayed dictionary file will not exactly match its content (such as accented characters not displayed properly). For example, if the file you upload is encoded with ISO-8859-1, you must select the ISO-8859-1 character set from the drop-down list. If the file is using UTF-8, you must select the UTF-8 character set from the drop-down list.

5. Click Continue.


6. Choose the name of the file, and select the type of file you are uploading.

ƒ Any — This file type can be used for any dictionary-based feature.

ƒ ACS — This file type of words and phrases is used with the policy-based content scanning feature.

ƒ DFP — This file type of words and phrases is used with the Document Fingerprinting feature.

ƒ OCF — This file type of objectionable words and phrases can be used with Objectionable Content Filtering.

ƒ Spam — This file type of spam words and phrases can be used with the Spam Words Intercept Anti-Spam feature.


ƒ IP — A list of IP addresses in the form 192.168.1.128.

ƒ Email — A list of email addresses in the form [email protected].

ƒ Domain — A list of domains in the form example.com.

ƒ CIDR — A list of CIDR IP address networks in the form, 10.10.0.0/16.

ƒ Domain&email — A list of domains and email addresses in the form example.com,[email protected]. These can be used for the Hosted Domains reporting feature.

7. Click Continue to finish uploading the file.

The new dictionary will now appear in the list and can be selected when using a dictionary-based feature.

Financial and medical dictionaries

The WatchGuard XCS includes predefined dictionaries that contain industry-specific terms for medical and financial organizations to assist administrators with regulatory compliance configurations. Organizations can customize these dictionaries to comply with specific regulations regarding their communications and storage of message data. The dictionaries are used with the Content Scanning feature to allow the system to check the dictionary for matched words and phrases in incoming and outgoing messages and attachments. Policies can be used to define specific Content Scanning actions when dictionary terms are detected.

If using the Financial and Medical dictionaries when content scanning email messages and web requests, it is very important that administrators review these dictionaries and customize them as appropriate for their organization to prevent legitimate messages from being blocked due to words and phrases in these dictionaries.

To enable a dictionary for use in a Content Scanning policy:

1. Select Security Policies > Content Control > Content Scanning.

2. Select the Enable check box.


3. Ensure the Phrase length is configured as required for your specific dictionaries.

The Content Scanning feature has a default Phrase length of 3, indicating that the system will only scan up to 3 words of a dictionary phrase. If longer phrases appear in your Financial or Medical dictionaries, the Phrase length should be increased to 4 or more as required. Longer phrase lengths require additional system processing.

4. Click Apply.

5. Select Policies.

6. Select a policy to configure such as the Default Policy or another policy.

7. Select the Edit link in the Content Control section.


8. In the Content Scanning section, enable Content Scanning and select the required dictionary (such as Medical Terms) from the drop-down box in the Compliance Dictionaries field.

9. Select the Actions to perform for email messages and HTTP requests when a dictionary term is detected in a message or its attachments.

The Medical and Financial dictionaries are by default configured with no weights. Administrators can modify and customize the dictionaries as required with weights for each word or phrase.

Weighted dictionaries

Dictionary words and phrases can be assigned a configurable weight by the administrator to provide more intelligent and flexible decisions for dictionary scanner components and compliance policies.

Using a weighted dictionary, an action can be performed if the aggregate weight of several matched dictionary terms exceeds a configurable threshold. An administrator can set a weight to a dictionary word or phrase, so that it will be a compliance violation if any two terms from a dictionary appear in a message or attachment. The weight of these two terms would be added together, and if they exceeded the threshold for that policy, an action would be performed.

For example, the system can encrypt an outbound message when the phrase “patient number” and the term “diagnosis” are detected in the same message content. In the weighted dictionary, these terms can be configured to have a weight of 50. If the weighted threshold for the compliance dictionary is set to 100, these two terms, or any number of terms that match or exceed a weight of 100, will cause the message to be encrypted.

If the same word appears more than once in a message (including text and HTML portions of a message), each instance will be included in the total weight.

When a dictionary is configured as a weighted dictionary, each entry must use one of the following forms: match,weight or weight,match. For example:

patient,30

or

50,diagnosis


The first line of the weighted dictionary must contain the heading match,weight or weight,match, depending on the configuration of your file. For example:

match,weight
patient,30
diagnosis,50

Negative dictionary weights

Negative weights can be applied to specific words or phrases in a weighted dictionary that, on their own, may not constitute a match in an objectionable content or compliance dictionary. For example, a weighted dictionary entry can be entered as “junk,-25”. This indicates that if the word “junk” appears on its own in the text of a message, the weight threshold is lowered by 25. Another phrase entry may be entered as “junk message,50” that indicates that the phrase “junk message” will raise the weight by 50. This allows the administrator to provide a more granular dictionary configuration. This helps to prevent weighted thresholds from being exceeded by words that may not be objectionable or classified for compliance, when they are not used in conjunction with other words or phrases.

When a dictionary is configured as a weighted dictionary, each entry must use one of the following forms: match,weight or weight,match. For example:

patient,-30

or

50,diagnosis

The first line of the weighted dictionary must contain the heading match,weight or weight,match, depending on the configuration of your file. For example:

match,weight
patient,-30
diagnosis,50

Using weighted dictionaries

Weighted dictionaries can be used with Spam Words, Content Scanning, and the Objectionable Content Filter.

1. Create a dictionary with spam words and phrases and their assigned weights that will be checked by the Spam Words scanning feature.

match,weight
spam,40
hot stocks,40
viagra,50
stock tips,40
stock,-50

2. Upload this dictionary via Security > Content Control > Dictionaries & Lists.


3. Make sure the dictionary Type is set to Spam or Any, and that Weighted is set to Yes.


4. Select Security > Anti-Spam > Anti-Spam > Spam Words.

5. Select Enable Spam Words.

6. Set the Weighted Threshold for this feature.

This threshold can be any positive integer from 1 to 9999. In this example, the default threshold is 100.

If the spam words in a message have an aggregate weight of 100 or more, the message will be considered spam.

7. Select the weighted dictionary created in the first step.
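The following Python script is an added example, not code from this guide or from the WatchGuard XCS. It parses a weighted dictionary in the match,weight or weight,match form described above and scores messages against the spam dictionary from step 1, counting every occurrence of a term and applying the negative weight of the stock entry, so the effect of the Weighted Threshold can be seen on sample text. Whole-word, case-insensitive matching and the sample messages are assumptions of the example; the 35-character truncation follows the dictionary rules given earlier.

```python
"""Added example (not WatchGuard code): parse a weighted dictionary and score
messages by summing the weights of every matched occurrence."""
import re

# The dictionary from step 1 above, as constructed file content.
SPAM_DICT = """match,weight
spam,40
hot stocks,40
viagra,50
stock tips,40
stock,-50
"""

MAX_TERM_LENGTH = 35  # longer entries are truncated for matching purposes


def parse_weighted(text):
    """Return {term: weight}.  The first line must be the heading
    'match,weight' or 'weight,match'; it fixes the column order."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if not lines:
        raise ValueError("empty dictionary")
    heading = lines[0].replace(" ", "").lower()
    if heading not in ("match,weight", "weight,match"):
        raise ValueError("first line must be match,weight or weight,match: %r" % lines[0])
    weight_first = heading == "weight,match"
    terms = {}
    for line in lines[1:]:
        if weight_first:
            weight, _, term = line.partition(",")   # weight,match
        else:
            term, _, weight = line.rpartition(",")  # match,weight (phrase may hold spaces)
        term = term.strip()[:MAX_TERM_LENGTH]
        if not term:
            raise ValueError("malformed entry: %r" % line)
        terms[term] = int(weight.strip())          # negative weights allowed
    return terms


def score(message, terms):
    """Sum weights over every occurrence of every term (each instance counts).
    Returns the total and a list of (term, contributed weight) for logging."""
    text = message.lower()
    total, hits = 0, []
    for term, weight in terms.items():
        # whole-word match (assumption): 'stock' must not match inside 'stocks'
        pattern = r"(?<!\w)" + re.escape(term.lower()) + r"(?!\w)"
        count = len(re.findall(pattern, text))
        if count:
            hits.append((term, count * weight))
            total += count * weight
    return total, hits


def is_spam(message, terms, threshold=100):
    """Step 6 above: an aggregate weight of 100 or more classifies the message."""
    return score(message, terms)[0] >= threshold


SPAM_TERMS = parse_weighted(SPAM_DICT)

if __name__ == "__main__":
    for body in ("SPAM spam spam",
                 "Hot stocks and stock tips: buy viagra now",
                 "Our stock closed higher; the quarterly stock report is attached"):
        total, hits = score(body, SPAM_TERMS)
        print("%5d %-5s %s" % (total, is_spam(body, SPAM_TERMS), hits))
```

In the second message the three positive terms add up to 130, but the whole-word occurrence of stock inside “stock tips” subtracts 50, so the total of 80 stays under the threshold.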


7

Intercept Anti-Spam

Intercept Anti-Spam Overview

The Intercept Anti-Spam features take advantage of the extensive message control features of the WatchGuard XCS, and provide a solutions-based approach where each anti-spam component, when enabled, provides input to the final spam score of a message. Information retrieved by all of the enabled Anti-Spam components results in a more informed decision on whether the message is in fact spam or legitimate mail.

Thresholds can be set to take appropriate action on a message based on its score and classification, such as Certainly Spam, Probably Spam, and Maybe Spam. A different action can be set for each threshold, such as “Reject” for messages that are classified as Certainly Spam, or “Modify Subject Header” for messages that are classified as Maybe Spam.

Administrators can modify the Intercept options to provide more granular control over each Anti-Spam Intercept component for their environment; however, the default Intercept configuration has been engineered to provide maximum protection against spam without additional configuration.

The Intercept Anti-Spam engine includes the following components:

Spam Words

Filters messages based on a dictionary of typical spam words and phrases that are matched against the message.

Mail Anomalies

Checks various aspects of the incoming message for issues such as unauthorized SMTP pipelining, missing headers, and mismatched identification fields.

DNS Block List (DNSBL)

Detects spam using domain-based lists of hosts that have a poor reputation. Messages can also be rejected immediately, regardless of the results of other Anti-Spam processing, if the client is listed on a DNSBL. A configurable threshold allows administrators to specify how many DNSBLs must be triggered to consider the sender as unreliable.

URL Block List

URL Block Lists contain a list of domains and IP addresses of URLs that have appeared previously in spam messages. This feature is used to determine if the message is spam by examining any URLs contained in the body of a message to see if they appear on a block list.

User Guide 163


ReputationAuthority

The ReputationAuthority helps to identify spam by reporting a collection of metrics about the sender of a mail message, including their overall reputation, whether the sender is a dial-up, and whether the sender appears to be virus-infected, based on information collected from installed WatchGuard XCS products and global DNS Block Lists. This information can be used by Intercept to reject the message, or used as part of the overall anti-spam decision.

Token Analysis

Detects spam based on advanced content analysis using databases of known spam and valid mail.

Backscatter Detection

Detects spam based on signature verification of the Envelope Sender to prevent spam bounce emails to forged sender addresses.

Sender Policy Framework (SPF)

Performs a check of a sending host’s SPF DNS records to identify and validate the source of a message to determine whether a message was spoofed.

DomainKeys Authentication

Performs a check of a sending host’s DomainKeys DNS records to identify and validate the source of a message to determine whether a message was spoofed.

Trusted and Untrusted Mail Sources

The WatchGuard XCS must be properly configured for interaction with local and remote mail servers. The system only processes mail through the spam filters when a message originates from an untrusted source.

Mail from trusted sources bypasses the spam controls.

There are two ways to control how sources of mail are identified and trusted:

ƒ Trusted Subnet — All mail from a specific network interface is considered trusted.

ƒ Specific Access Pattern — An IP address (or address block), server, or domain name is identified as trusted using a specific access pattern rule.


Trusted subnet

To specify a network interface as trusted or untrusted, perform the following steps:

1. Select Configuration > Network > Interfaces.

2. For the specified interface, enable or disable the Trusted Subnet check box.

The Trusted Subnet setting should not be used if the system is deployed internally or behind a network firewall.

Trusting via specific access patterns

To trust a system with a specific access pattern:

1. Select Configuration > Mail > Access.

2. For Specific Access Patterns, click Add Pattern.

3. Enter the IP address or hostname of the system in the Pattern field.

4. Select the Client Access check box.

5. Select Trust from the If pattern matches drop-down list.

6. Click Apply.


Intercept Settings

Global Intercept connection settings can be configured via Security > Anti-Spam > Intercept Settings.

Aggressiveness presets can be configured for Intercept’s Connection Control, Anti-Spam, and Anti-Virus features. If any of the default presets are modified, the preset will be listed as Custom.

Intercept connection control aggressiveness

Specify the initial level of aggressiveness for the Intercept Connection Controls, and then click Apply. View and modify the actions for the selected aggressiveness level by clicking the Connection Control Actions link.

Feature (table rows): Reject on unknown sender domain; Reject on missing sender MX; Reject on non FQDN sender; Reject on unauth pipelining; Reject on missing addresses; Reject on missing reverse DNS; Reject on ReputationAuthority Reputation; Reject on infection (ReputationAuthority); Reject connections from dial-ups (ReputationAuthority); Reject on DNSBL.

Preset columns, top to bottom (an X marks an enabled feature):

ƒ Lenient: X, X, X

ƒ Standard: X, X, X, X (Threshold: 99), X (Threshold: 2)

ƒ Aggressive: X, X, X, X (Threshold: 85), X, X, X (Threshold: 1)

The thresholds belong to the Reject on ReputationAuthority Reputation row (99 for Standard, 85 for Aggressive) and the Reject on DNSBL row (2 for Standard, 1 for Aggressive).


Intercept Anti-Spam aggressiveness

Specify the initial level of aggressiveness for the Intercept Anti-Spam features, and then click Apply. View the action for the selected aggressiveness level by clicking the Anti-Spam Actions link.

Intercept Option (table rows): Certainly Spam; Probably Spam; Maybe Spam; Decision Strategy; Spam Words; Mail Anomalies; DNS/URL Block List; ReputationAuthority; Token Analysis; SPF; DomainKeys.

Preset columns, top to bottom (an X marks an enabled component):

ƒ Lenient: Certainly Spam: Modify Subject Header; Probably Spam: Modify Subject Header; Maybe Spam: Just Log; Decision Strategy: Heuristic 1; components: X, X, X

ƒ Standard: Certainly Spam: Reject; Probably Spam: Modify Subject Header; Maybe Spam: Just Log; Decision Strategy: Heuristic 1; components: X, X, X, X, X

ƒ Aggressive: Certainly Spam: Reject; Probably Spam: Modify Subject Header; Maybe Spam: Modify Subject Header; Decision Strategy: Heuristic 2; components: X, X, X, X, X, X, X, X

In environments where there is no Token Analysis training on outbound legitimate mail (such as some evaluation scenarios), Heuristic 2 may result in an increase in false positives. In this case, administrators should use the Heuristic 1 strategy, which is identical to Heuristic 2 except that Token Analysis is de-emphasized and additional Anti-Spam features must be triggered for a message to be considered Probably Spam or Certainly Spam.

Intercept Anti-Virus aggressiveness

Specify the initial level of aggressiveness for the Intercept Anti-Virus feature, and then click Apply. View the action for the selected level by clicking the Anti-Virus Actions link.

Standard Anti-Virus

Enables Anti-Virus scanning for both Inbound and Outbound directions. The action is set to Quarantine Mail. Malformed Mail checks are also enabled.

Anti-Virus Plus Outbreak Control

Enables Anti-Virus scanning for both Inbound and Outbound directions. The action is set to Quarantine Mail. Outbreak control is also enabled to quarantine possible virus-infected messages. Malformed Mail checks are also enabled.


Reject on unknown recipient

This option rejects mail if the intended recipients do not exist locally or in an LDAP directory. This option is used in conjunction with LDAP Users and the LDAP Recipients feature. The system will determine if a user exists as follows:

ƒ Checks to see if the user is in the local database of imported LDAP Users

ƒ Performs a direct lookup on an LDAP user directory with the LDAP Recipients feature

If using an Active Directory server, it is recommended that the LDAP Users function be used.

Configure LDAP Users and Groups and LDAP Recipients via the Configuration > LDAP menu. See “Directory Users” on page 76 for more information on importing LDAP users for user lookups. See “LDAP Recipients” on page 84 for information on configuring the LDAP Recipients feature.

You can override Reject on Unknown Recipient by using a Specific Access Pattern set to Allow Relaying or Trust.

Intercept Connection Control

Intercept connection control settings can be configured via Security > Anti-Spam > Connection Control to reject messages before the SMTP mail connection is completed based on several identifying factors about the connection.


Reject on unknown sender domain

Rejects mail when the sender’s mail address does not appear in the DNS as an A or MX record. This option applies to untrusted mail only.

Reject on missing sender MX

Rejects mail when the sender’s mail address has no DNS MX record.

Reject on non FQDN sender

Rejects mail when the client MAIL FROM command is not in the form of an FQDN (Fully Qualified Domain Name) such as mail.example.com. This option applies to untrusted mail only.

Reject on unauth pipelining

Rejects mail when SMTP commands are sent ahead of the message even though the SMTP server supports pipelining. This option blocks mail from bulk mail software that uses SMTP command pipelining improperly to speed up deliveries.


Reject on missing addresses

Rejects mail when no recipients (To:) or sender (From:) were specified in the message headers. These are the optional To: and From: header fields, not the corresponding envelope fields.

Reject on missing reverse DNS

Rejects mail from a host when the host IP address has no PTR (address to name) record in the DNS, or when the PTR record does not have a matching A (name to address) record.

Many servers on the Internet do not have valid Reverse DNS records. Setting this option may result in rejecting mail from legitimate sources. It is recommended that you do not enable this option.
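The following Python script is an added example, not code from this guide or from the WatchGuard XCS. It implements the four DNS-based connection checks described above against a constructed DNS table, so the difference between unknown sender domain, missing sender MX, non-FQDN sender, and missing reverse DNS can be seen without live lookups. The DNS records, host names and addresses are constructed; the null sender is not special-cased, and the FQDN test is a simple label check.

```python
"""Added example (not WatchGuard code): the DNS-based connection-control
checks evaluated against a constructed DNS table instead of live lookups."""
import re

# Constructed DNS data: (name, record type) -> answers.  Addresses are taken
# from the documentation range 192.0.2.0/24.
DNS = {
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.10"],
    ("10.2.0.192.in-addr.arpa", "PTR"): ["mail.example.com"],   # PTR confirmed by A
    ("onlya.example", "A"): ["192.0.2.20"],                      # A record, no MX
    ("20.2.0.192.in-addr.arpa", "PTR"): ["mail.other.example"],  # PTR with no matching A
}

LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")

ALL_CHECKS = ["Reject on unknown sender domain", "Reject on missing sender MX",
              "Reject on non FQDN sender", "Reject on missing reverse DNS"]


def lookup(dns, name, rrtype):
    return dns.get((name.lower().rstrip("."), rrtype), [])


def sender_domain(mail_from):
    """Domain part of the MAIL FROM address; empty for the null sender '<>'."""
    return mail_from.strip("<>").rpartition("@")[2]


def is_fqdn(name):
    """At least two valid labels, e.g. mail.example.com (simplified check)."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL.fullmatch(label) for label in labels)


def unknown_sender_domain(mail_from, dns):
    """Reject on unknown sender domain: neither an A nor an MX record."""
    domain = sender_domain(mail_from)
    return not lookup(dns, domain, "A") and not lookup(dns, domain, "MX")


def missing_sender_mx(mail_from, dns):
    """Reject on missing sender MX: stricter, an A record alone is not enough."""
    return not lookup(dns, sender_domain(mail_from), "MX")


def non_fqdn_sender(mail_from):
    """Reject on non FQDN sender."""
    return not is_fqdn(sender_domain(mail_from))


def missing_reverse_dns(client_ip, dns):
    """Reject on missing reverse DNS: no PTR, or a PTR whose name does not
    resolve back to the connecting address."""
    reverse = ".".join(reversed(client_ip.split("."))) + ".in-addr.arpa"
    names = lookup(dns, reverse, "PTR")
    if not names:
        return True
    return not any(client_ip in lookup(dns, name, "A") for name in names)


def connection_rejects(mail_from, client_ip, dns, enabled):
    """Names of the enabled checks that would reject this connection."""
    checks = {
        "Reject on unknown sender domain": lambda: unknown_sender_domain(mail_from, dns),
        "Reject on missing sender MX": lambda: missing_sender_mx(mail_from, dns),
        "Reject on non FQDN sender": lambda: non_fqdn_sender(mail_from),
        "Reject on missing reverse DNS": lambda: missing_reverse_dns(client_ip, dns),
    }
    return [name for name in enabled if checks[name]()]


if __name__ == "__main__":
    for sender, ip in (("<user@example.com>", "192.0.2.10"),
                       ("<user@onlya.example>", "192.0.2.20"),
                       ("<user@localhost>", "192.0.2.30")):
        print(sender, ip, connection_rejects(sender, ip, DNS, ALL_CHECKS))
```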

ReputationAuthority, DNSBL, and Backscatter rejects

ReputationAuthority, DNS Block Lists, and Backscatter rejects can also be configured from this screen. These features are discussed in more detail later in this section.


Configure Intercept Anti-Spam

Select Security > Anti-Spam > Anti-Spam to enable and configure the Intercept Anti-Spam features.

Intercept actions

In the Intercept Anti-Spam Actions section, administrators can assign actions for three levels of spam score thresholds. The categories are as follows:

Certainly Spam

Any message with a score over this threshold (Default: 99) is Certainly Spam. These types of messages require a strong action such as Reject Mail or Redirect To.

Probably Spam

Any message with a score over this threshold (Default: 90) is Probably Spam. This threshold indicates a message with a very high spam score, but not high enough to be Certainly Spam. These messages should be treated with a lighter action than Certainly Spam, such as Redirect To or Modify Subject Header, but should not be rejected.

Maybe Spam

Any message with a score over this threshold (Default: 60) might be spam but should be treated with caution to prevent false positives. This threshold indicates messages which could be spam, but could also be legitimate mail. It is recommended that a light action such as Modify Subject Header be used.

For each category you can set the following fields and actions:

ƒ Threshold — Set the threshold spam score (between 1 and 99) for this category. It is recommended that you leave these values at their defaults.

ƒ Email Action — Specify one of the following actions to take when the threshold is exceeded:

ƒ Just log — An entry is made in the logs about the occurrence, and no other action is taken.

ƒ Modify Subject Header — The text specified in the Email Action Data field will be inserted into the message subject line.

ƒ Add header — An “X-” mail header will be added as specified in the Email Action Data field.


ƒ Redirect to — The message will be delivered to the mail address or server specified in the Email Action Data field.

ƒ Discard mail — The message is rejected without notification to the sender.

ƒ Reject mail — The mail will not be accepted and the connecting mail server is forced to return it.

ƒ BCC — Send a blind carbon copy of the message to the mail address specified in the Email Action Data field.

ƒ Quarantine Mail — The message is sent to the administrative quarantine area.

ƒ Email Action Data — Select the Email Action Data depending on the specified Email Action:

ƒ Modify Subject Header — The specified text will be inserted into the subject line, such as [SPAM]. If this field is left blank, [SPAM] will be used as the default modifier.

ƒ Redirect to — Send the message to a mailbox such as [email protected]. The message can also be redirected to a spam quarantine server such as spam.example.com.

ƒ Add header — An “X-” message header will be added with the specified text, such as “X-Reject: spam”. The header action data must start with “X-” and must contain a colon followed by a space.

If this is not specified, the phrase “X-Reject” will be added as a prefix to the header. For example, if “spam” is entered, the full header will be “X-Reject: spam”. If a header is entered with a colon, such as “Reason:spam”, the full header will be “X-Reason:spam”.

This field can also be left blank to add a default header to be used by the Intercept Plug-in for Exchange:

For the Certainly Spam action, the added header will be: X-BTI-AntiSpamCode: certainly

For the Probably Spam action, the added header will be: X-BTI-AntiSpamCode: probably

For the Maybe Spam action, the added header will be: X-BTI-AntiSpamCode: maybe

For no classification, the added header will be: X-BTI-AntiSpamCode: none

Anti-Spam header

Anti-spam headers are added to all messages for diagnostic purposes and contain data on the spam processing applied to the message and its metrics. Enable this option to include the header with the message.

The header output is similar to the following:

X-BTI-AntiSpam:score:51,sta:51025,dnsbl:off,sw:passed,bsn:none,spf:none,dk:passed,pbmf:none,ipr:0/1,trusted:no,ts:no,bs:no,ubl:passed

The Anti-Spam header must be enabled when using the Intercept Plug-in for Exchange.

The anti-spam header output can contain the items shown in the following table:

Item      Description

score     Overall Intercept score
sta       Token Analysis score
dnsbl     DNS Block List check
sw        Spam Words
bsn       ReputationAuthority reputation
spf       SPF results
dk        DomainKeys results
pbmf      Pattern Based Message Filters
ipr       Mail Anomalies checks
trusted   Trusted or non-trusted
ts        Trusted Senders List
bs        Blocked Senders List
ubl       URL Block List check
bsctr     Backscatter Detection
dfp       Document Fingerprinting
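The following Python script is an added example, not code from this guide or from the WatchGuard XCS. It parses the X-BTI-AntiSpam header line quoted above into the labelled items of the table, classifies the score with the default Certainly Spam, Probably Spam, and Maybe Spam thresholds from the Intercept actions section, and builds the Add header text from the Email Action Data rules given there. The surrounding message headers, and the acceptance of an “X-” header entered with a colon but no following space, are assumptions of the example.

```python
"""Added example (not WatchGuard code): parse the diagnostic X-BTI-AntiSpam
header, classify its score with the default Intercept thresholds, and build
the 'Add header' text from the Email Action Data rules."""

# Item -> description, from the table above.
ITEMS = {
    "score": "Overall Intercept score", "sta": "Token Analysis score",
    "dnsbl": "DNS Block List check", "sw": "Spam Words",
    "bsn": "ReputationAuthority reputation", "spf": "SPF results",
    "dk": "DomainKeys results", "pbmf": "Pattern Based Message Filters",
    "ipr": "Mail Anomalies checks", "trusted": "Trusted or non-trusted",
    "ts": "Trusted Senders List", "bs": "Blocked Senders List",
    "ubl": "URL Block List check", "bsctr": "Backscatter Detection",
    "dfp": "Document Fingerprinting",
}

# Constructed message headers; the X-BTI-AntiSpam line is the guide's sample.
SAMPLE_HEADERS = """From: sender@example.net
Subject: quarterly report
X-BTI-AntiSpam:score:51,sta:51025,dnsbl:off,sw:passed,bsn:none,spf:none,dk:passed,pbmf:none,ipr:0/1,trusted:no,ts:no,bs:no,ubl:passed
"""


def find_header(raw_headers, name):
    """Value of the first header called `name`, or None.  The guide's sample
    has no space after the header name's colon, so none is required."""
    prefix = name.lower() + ":"
    for line in raw_headers.splitlines():
        if line.lower().startswith(prefix):
            return line[len(prefix):].strip()
    return None


def parse_antispam(value):
    """'score:51,sta:51025,...' -> {'score': '51', 'sta': '51025', ...}.
    Items not listed in ITEMS are kept under their raw key."""
    parsed = {}
    for part in value.split(","):
        key, _, val = part.strip().partition(":")
        if key:
            parsed[key.strip()] = val.strip()
    return parsed


def classify(score, certainly=99, probably=90, maybe=60):
    """'Over this threshold' is read as strictly greater, as the guide words it."""
    if score > certainly:
        return "certainly"
    if score > probably:
        return "probably"
    if score > maybe:
        return "maybe"
    return "none"


def add_header_text(action_data, classification):
    """Blank -> X-BTI-AntiSpamCode with the classification; an X- header is
    used as entered (assumed to need only a colon); 'Name:value' gets an
    'X-' prefix; a bare word becomes 'X-Reject: word'."""
    data = action_data.strip()
    if not data:
        return "X-BTI-AntiSpamCode: " + classification
    if data.startswith("X-") and ":" in data:
        return data
    if ":" in data:
        return "X-" + data
    return "X-Reject: " + data


def triage(raw_headers):
    """Labelled view of the anti-spam header plus the derived classification."""
    value = find_header(raw_headers, "X-BTI-AntiSpam")
    if value is None:
        raise ValueError("no X-BTI-AntiSpam header: enable the Anti-Spam header option")
    items = parse_antispam(value)
    score = int(items["score"])
    return {"score": score, "classification": classify(score),
            "items": {ITEMS.get(k, k): v for k, v in items.items()}}


if __name__ == "__main__":
    result = triage(SAMPLE_HEADERS)
    print(result["score"], result["classification"])
    for label, val in result["items"].items():
        print(" ", label + ":", val)
    print(add_header_text("", result["classification"]))
```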

ReputationAuthority/DNSBL/UBL timeout setting

ReputationAuthority, DNS Block Lists, and URL Block Lists, if enabled, each perform their own separate checks per message when scanning messages for spam. If one or more of the specified services are unavailable, the query to the service domain will time out.

The following options allow the administrator to configure the timeout and retry settings for each lookup query. It is recommended that the system defaults be used. If a query for ReputationAuthority, DNS Block Lists, or URL Block Lists exceeds the timeout and retry threshold, the checks for this message will be skipped for that feature.

ƒ Timeout — Delay (in seconds) between each retry in the event of a ReputationAuthority/DNSBL/UBL lookup failure for a message. The default is 5 seconds.

ƒ Retries — Enter the number of retries to perform in the event of a ReputationAuthority/DNSBL/UBL lookup failure for a message. The default is 1 retry.


Intercept Components

Each component of the Intercept Anti-Spam engine can be enabled or disabled depending on your requirements.

To configure the settings for each feature:

1. Select the Enable check box for a specific feature.

2. Select the spam feature link to review or customize the default settings.

3. When finished, click the Apply button to save the configuration.

Each Intercept Anti-Spam feature is discussed in more detail in the following sections.


Spam Words

The WatchGuard XCS provides a Spam Words dictionary filter. When enabled, all inbound messages passing through the system are scanned for words and phrases that appear in the spam words dictionary. Messages with words or phrases in their subject or body that match the phrase list are more likely to be spam. The Intercept Anti-Spam engine will use this information to help decide if the message is spam or legitimate mail.

The system includes a basic pre-configured spam words list that can be used for message filtering.

WatchGuard’s default list includes basic words most commonly found in spam, such as “prescription” and “viagra”. The full default list can be viewed and modified. Administrators can use this list to build and upload their own custom spam word list.

It is recommended that administrators review this default spam words list to ensure that none of the included words are part of their organization’s functions. For example, the word “prescription” should be removed if the company is involved with the pharmaceutical industry.

To configure Spam Words:

1. Select Security > Anti-Spam > Anti-Spam.

2. Select Spam Words.


3. Select the Enable Spam Words check box to enable the Spam Words feature.

4. Select the type of Logging for messages that contain matched spam words and phrases.

This logging information will appear in the Mail Logs. Choose from the following:

ƒ No logging — No logging will be performed.

ƒ First match only — Only the first matching word will be displayed.

ƒ All matches — All matched words will be displayed.

5. Enter the Weighted Threshold value for weighted spam words dictionaries.

If using a weighted spam dictionary, the terms and their weight in the dictionary must match or exceed this threshold to classify a message as spam. If both weighted and unweighted dictionaries are used, the final action will be triggered if the sum of the weights exceeds the configured weighted threshold, or if a match occurs in an unweighted dictionary. See “Weighted dictionaries” on page 159 for more details on weighted dictionaries.

6. Select the Spam Words Dictionaries to be used for anti-spam checks.

The dictionaries available are listed in the Available Dictionaries list. Use the arrow buttons to move the dictionaries to the Dictionaries in Use list as required. This can be the Default Spam Words list provided by WatchGuard, or a custom list uploaded via Security > Content Control > Dictionaries & Lists. See the following section for more information on adding a custom dictionary.
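The following Python, added here as an example and not WatchGuard's implementation, models the decision rule from step 5: an unweighted match triggers on its own, while weighted matches are summed against the Weighted Threshold. The dictionaries, weights, messages, whole-phrase matching and log format are constructed assumptions.

```python
"""Spam Words check with weighted and unweighted dictionaries.

Added example, not WatchGuard code. A message is classified as spam when any
phrase from an unweighted dictionary matches, or when the summed weights of
matching phrases from weighted dictionaries reach the Weighted Threshold.
Dictionary contents, weights and the messages are constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass
class SpamDictionary:
    name: str
    weighted: bool
    terms: dict  # phrase -> weight; the weight is ignored for unweighted dictionaries


def find_matches(text, dictionary):
    """Return the dictionary phrases found in text as whole words or phrases,
    case-insensitively, ordered by their first occurrence."""
    lower = text.lower()
    hits = []
    for phrase in dictionary.terms:
        # Whole-phrase match: "free pic" must not match inside "free pics".
        pattern = r"(?<![a-z0-9])" + re.escape(phrase.lower()) + r"(?![a-z0-9])"
        found = re.search(pattern, lower)
        if found:
            hits.append((found.start(), phrase))
    return [phrase for _, phrase in sorted(hits)]


def scan_message(subject, body, dictionaries, weighted_threshold, logging="all"):
    """Apply the Spam Words rule to subject and body.

    Returns (is_spam, log_entries, weight_sum). `logging` follows the three
    options on the Spam Words page: "none", "first" (first match only), "all".
    """
    text = subject + "\n" + body
    weight_sum = 0
    unweighted_hit = False
    log = []
    for dictionary in dictionaries:
        for phrase in find_matches(text, dictionary):
            if dictionary.weighted:
                weight = dictionary.terms[phrase]
                weight_sum += weight
                log.append(f"{dictionary.name}: {phrase} (weight {weight})")
            else:
                unweighted_hit = True
                log.append(f"{dictionary.name}: {phrase}")
    # "Match or exceed" the threshold: a weighted total equal to it triggers.
    is_spam = unweighted_hit or (weight_sum > 0 and weight_sum >= weighted_threshold)
    if logging == "none":
        log = []
    elif logging == "first":
        log = log[:1]
    return is_spam, log, weight_sum


# Constructed dictionaries: one unweighted (like the default list), one weighted.
DEFAULT_SPAM_WORDS = SpamDictionary(
    "Default Spam Words", weighted=False,
    terms={"free pic": 0, "free pics": 0, "meds": 0, "viagra": 0})
CUSTOM_WEIGHTED = SpamDictionary(
    "Custom weighted", weighted=True,
    terms={"prescription": 30, "act now": 50, "refinance": 40})
DICTIONARIES_IN_USE = [DEFAULT_SPAM_WORDS, CUSTOM_WEIGHTED]
WEIGHTED_THRESHOLD = 70  # constructed threshold value
```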

Adding a spam words dictionary

To add a Spam Words Dictionary:

1. Select Security > Content Control > Dictionaries & Lists.

2. Select the Default Spam Words list that contains a list of common words that are typically seen in spam messages.

3. Click Download to save and view the text file of spam words. The list contains one word or phrase per line, such as the following:

free pic
free pics
free picz
meds
medz

Administrators can use this base list to create their own dictionary of spam words by editing the text file and adding one word or phrase per line. Default words that are not required can be deleted.

4. Select Security > Content Control > Dictionaries & Lists.

5. Click Add to add a new dictionary file.

6. Click Browse to select the file to be uploaded.

7. Click Continue.

8. The file information screen displays the initial contents of the file.

You can change both the name of the list and the type of dictionary.

9. Set the Type of file to spam.

This indicates that this dictionary file can be used with the Spam Words feature. Select Any to allow the dictionary to be used with any dictionary-based scanning feature. The Weight option is used for Weighted Dictionaries.

10. Click Continue to finish uploading the file.

The new dictionary will now appear in the list and can be selected when using Spam Words.

Mail Anomalies

The Mail Anomalies feature performs checks on incoming messages to help determine whether the message is coming from a known source of spam or is legitimate mail. Systems that send spam have certain characteristics that can give away the nature of the sending system. Many spammers deploy scripts and use spoofed or false information when sending mail. By checking incoming connections for patterns of these behaviors, the system can help to determine whether mail from an incoming system is legitimate or spam.

The Mail Anomalies feature checks messages for a variety of information that may reveal discrepancies between the message’s sending host and the host listed in the message envelope and contents, and information about messages recently sent by the sending host. A message must fail four or more checks to be classified as spam.

To configure Mail Anomalies:

1. Select Security > Anti-Spam > Anti-Spam > Mail Anomalies.

2. The following anomaly indicators can be enabled by the administrator.

If a message fails four or more checks, the weight assigned to Mail Anomalies in the Intercept settings will be the score used for Intercept processing.

The following checks relate to issues with DNS record lookups for the sending host:

• Missing client reverse DNS — Checks to see if the sending host has a PTR (address to name) record and the PTR record has a matching A (name to address) record.

• Missing sender MX — Checks to see if the sender mail address has a DNS MX record.

This check is more restrictive than the check for Unknown sender domain. If Unknown sender domain fails then this check will also fail. It is recommended that only one of the two checks be used at the same time.

• Unknown sender domain — Checks to see if the sender mail address has a DNS A or MX record.

This check is less restrictive than the check for Missing sender MX. If this check fails, then Missing sender MX will also fail. It is recommended that only one of these two checks be used at the same time.

• Invalid HELO/EHLO hostname — Checks to see if the HELO/EHLO address is a valid hostname.

• Unknown HELO/EHLO domain — Checks to see if the HELO/EHLO address has a DNS A or MX record.

The following checks relate to issues with the connecting client’s SMTP connection and message information:

• Unauthorized pipelining — Checks to see if the client sends SMTP commands ahead of time without knowing that the mail server actually supports SMTP command pipelining. This check detects bulk mail software that improperly uses SMTP command pipelining to speed up deliveries.

• HELO/EHLO doesn’t match client — Checks to see if the HELO/EHLO address matches the sending host address.

• Missing From header — Checks to see if the From header is present.

• Missing To header — Checks to see if the To header is present.

• Envelope sender doesn’t match From header — Checks to see if the From header matches the envelope sender address.

The following checks identify clients who have recently sent spam or viruses and will only work if Threat Prevention (configured via Security > Anti-Spam > Threat Prevention) is enabled.

• Recent spam from client — Checks to see if the sending host recently sent spam.

• Recent virus from client — Checks to see if the sending host recently sent a virus.
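The checks above as an added Python model (not WatchGuard code) of the four-or-more rule: each check passes or fails against a constructed DNS table, so the example runs offline. Treating a valid hostname as FQDN syntax, and a HELO/EHLO match as the HELO name resolving to the client IP, are assumptions; the Threat Prevention checks are omitted because they need that feature's history.

```python
"""Mail Anomalies scoring model: a message is classified as spam when it fails
four or more of the enabled checks.

Added example, not WatchGuard code. DNS answers come from a constructed table
so the example runs offline; "valid hostname" is modelled as FQDN syntax and
"HELO/EHLO doesn't match client" as the HELO name resolving to the client IP.
Both are assumptions about how the checks are implemented.
"""
import re

# Constructed DNS data standing in for live lookups.
DNS = {
    "A":   {"mail.example.com": "192.0.2.10", "mx.example.com": "192.0.2.10"},
    "PTR": {"192.0.2.10": "mail.example.com"},
    "MX":  {"example.com": ["mx.example.com"]},
}

# FQDN syntax: labels of letters, digits and hyphens, with at least one dot.
HOSTNAME_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(\.[a-z0-9-]{1,63})+$", re.I)


def header_address(value):
    """Extract the bare address from 'Name <addr>' or a bare 'addr'."""
    match = re.search(r"<([^>]+)>", value)
    return (match.group(1) if match else value).strip().lower()


def domain_of(address):
    return address.rpartition("@")[2].lower()


def reverse_dns_consistent(ip):
    """PTR record exists and its name has an A record pointing back to ip."""
    name = DNS["PTR"].get(ip)
    return name is not None and DNS["A"].get(name) == ip


def has_a_or_mx(domain):
    return domain in DNS["A"] or domain in DNS["MX"]


def run_checks(conn):
    """Return the names of the anomaly checks that the connection fails.

    `conn` has client_ip, helo, envelope_sender, headers (dict) and
    pipelined_before_ehlo_reply (bool). "Unknown sender domain" is left out
    because the guide recommends using only one of it and "Missing sender MX".
    """
    helo = conn["helo"].lower()
    sender = conn["envelope_sender"].lower()
    headers = conn["headers"]
    from_addr = header_address(headers.get("From", ""))
    checks = [
        ("Missing client reverse DNS", reverse_dns_consistent(conn["client_ip"])),
        ("Missing sender MX", domain_of(sender) in DNS["MX"]),
        ("Invalid HELO/EHLO hostname", bool(HOSTNAME_RE.match(helo))),
        ("Unknown HELO/EHLO domain", has_a_or_mx(helo)),
        ("Unauthorized pipelining", not conn["pipelined_before_ehlo_reply"]),
        ("HELO/EHLO doesn't match client", DNS["A"].get(helo) == conn["client_ip"]),
        ("Missing From header", "From" in headers),
        ("Missing To header", "To" in headers),
        ("Envelope sender doesn't match From header", from_addr == sender),
    ]
    return [name for name, passed in checks if not passed]


def is_spam(conn, min_failures=4):
    """The guide's rule: four or more failed checks classify the message as spam."""
    return len(run_checks(conn)) >= min_failures


# Constructed connections for the three cases worth knowing.
LEGITIMATE = {
    "client_ip": "192.0.2.10", "helo": "mail.example.com",
    "envelope_sender": "alice@example.com",
    "headers": {"From": "Alice <alice@example.com>", "To": "bob@example.net",
                "Subject": "Minutes"},
    "pipelined_before_ehlo_reply": False,
}
SPAMMY = {
    "client_ip": "198.51.100.7", "helo": "localhost",
    "envelope_sender": "promo@bulk-deals.test",
    "headers": {"Subject": "Act now"},
    "pipelined_before_ehlo_reply": True,
}
BORDERLINE = {  # exactly three failures: not enough to classify as spam
    "client_ip": "192.0.2.10", "helo": "mail.example.com",
    "envelope_sender": "alice@example.com",
    "headers": {"From": "News <news@other.example>"},
    "pipelined_before_ehlo_reply": True,
}
```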

DNS Block Lists

DNS Block Lists (DNSBL) contain the addresses of known sources of spam and are maintained by both commercial and non-commercial organizations. The DNSBL mechanism is DNS-based resulting in a lookup on the specified DNSBL server for every server that attempts to connect to the WatchGuard XCS.

The weight assigned to DNS Block Lists in the Intercept settings will be the score (default is 80) used by Intercept processing when a DNSBL is triggered for a message. If a sender is matched on more than one DNS Block List, this will increase the weight score assigned by Intercept for each list it is matched on.

If a message that you want to receive is blocked by a DNSBL, add a Specific Access Pattern to trust messages from that client.

To configure DNS Block Lists:

1. Select Security > Anti-Spam > Anti-Spam.

2. Select DNS Block List.

3. Select the Reject on DNSBL check box to reject mail from blocked clients regardless of other message processing.

Reject on DNSBL will reject the message at SMTP connection time regardless of other Intercept processing. Caution should be used when enabling this feature. Note that this feature, if enabled, cannot be disabled by a policy.

4. Enter the DNSBL Reject Threshold , which is the number of block lists that must be triggered before rejecting based on DNSBL.

If this value is set to 2 (default) the server must appear on at least two DNSBLs before being rejected.

5. Select the Enable DNSBLs for Anti-Spam check box.

6. Specify in the Check Relays field how many relay points, starting from the latest headers to the earliest, should be checked against a DNS Block List.

The Check Relays setting deals with spammers who are relaying their messages, usually illegally, through an intermediate server. The information about the originating server is carried in the headers of the message. Acceptable values are between “0” and “ALL”. It is recommended that this option be left at the default value of “5”.

The Check Relays option should be enabled if the WatchGuard XCS is behind another MTA or mail gateway. This ensures the relay before the intermediary MTA is checked.

7. Specify in the Exclude Relays field how many received headers to exclude from DNSBL checks, starting from the earliest to the most recent.

Some ISPs include the originating dial-up IP as the first relay point, which can result in legitimate mail being blocked by DNSBLs that block dial-ups. It is recommended to set this value to “1” or “0”. Use “1” if any of the DNSBL servers utilized include dynamic IP addresses (such as a dial-up connection). If the DNSBL service does not include dial-ups, set this to “0” to ensure mail originating from webmail systems is not rejected.

8. As an example of using the Check Relays and Exclude Relays options, consider the following scenario:

Server A -> Server B -> Server C -> Server D -> WatchGuard XCS

With the mail relayed via four previous servers (A-D), the received headers of a message will appear in the following order:

Received: D

Received: C

Received: B

Received: A

With Check Relays enabled, the system starts with server D and checks the configured number of received headers. If Check Relays is set to “3”, it will check D, C, and B.

Use the Exclude Relays option to ignore the configured number of received headers starting at the end of the header list regardless of what the Check Relays option is set to. If Exclude Relays is set to “1”, then server A will be excluded from the checks.
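Python model of the Check Relays / Exclude Relays selection and the DNSBL lookup from steps 3 to 8 (the same relay selection applies to the ReputationAuthority Check Relays and Exclude Relays settings later in this chapter); it is an added example, not WatchGuard code. Received headers, relay addresses and block-list membership are constructed, the zone names are placeholders rather than the default WatchGuard servers, and scoring each matched list at the component weight is an assumption drawn from the text above.

```python
"""Check Relays / Exclude Relays selection and DNSBL lookups.

Added example, not WatchGuard code. Received headers, relay IPs and block-list
membership are constructed; the zone names are placeholders, not the default
WatchGuard DNSBL servers. Scoring weight x (number of list matches) is an
assumption based on the text above.
"""
import ipaddress
import re

DNSBL_WEIGHT = 80  # Intercept component weight for DNS Block Lists (default)

# Constructed block-list membership; a real DNSBL answers these via DNS.
DNSBL_ZONES = {
    "bl1.dnsbl.invalid": {"203.0.113.9"},
    "bl2.dnsbl.invalid": {"203.0.113.9", "198.51.100.44"},
}

# Constructed Received headers for the scenario A -> B -> C -> D -> XCS, in
# message order (most recent hop first). A is a dial-up IP on both lists.
RECEIVED_HEADERS = [
    "from d.example.net (d.example.net [192.0.2.4]) by xcs.example.com with ESMTP",
    "from c.example.net (c.example.net [198.51.100.44]) by d.example.net with ESMTP",
    "from b.example.net (b.example.net [203.0.113.20]) by c.example.net with ESMTP",
    "from a.example.net (dialup-9.isp.example [203.0.113.9]) by b.example.net with ESMTP",
]


def relay_ips(received_headers):
    """IPv4 address of each relay, latest hop first (header order)."""
    ips = []
    for header in received_headers:
        match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", header)
        if match:
            ips.append(str(ipaddress.IPv4Address(match.group(1))))
    return ips


def select_relays(ips, check_relays, exclude_relays):
    """Apply Check Relays (a count from the latest header, or "ALL") and then
    Exclude Relays (drop that many headers from the earliest end, regardless
    of what Check Relays is set to)."""
    candidates = ips if check_relays == "ALL" else ips[:int(check_relays)]
    keep = max(0, len(ips) - int(exclude_relays))
    return candidates[:keep]


def dnsbl_query_name(ip, zone):
    """Standard DNSBL query name: reversed octets under the zone, so
    203.0.113.9 checked against zone Z becomes 9.113.0.203.Z."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


# Names that "resolve" in the constructed zones: a listed IP's query name.
LISTED_NAMES = {dnsbl_query_name(ip, zone)
                for zone, members in DNSBL_ZONES.items() for ip in members}


def dnsbl_listed(ip, zone):
    """Stand-in for the DNS lookup: the name resolves only if ip is listed."""
    return dnsbl_query_name(ip, zone) in LISTED_NAMES


def lists_matching(ip):
    return [zone for zone in DNSBL_ZONES if dnsbl_listed(ip, zone)]


def reject_on_dnsbl(connecting_ip, reject_threshold=2):
    """Connection-time reject (step 3/4): the connecting client must appear on
    at least reject_threshold block lists (default 2)."""
    return len(lists_matching(connecting_ip)) >= reject_threshold


def intercept_score(received_headers, check_relays=5, exclude_relays=1,
                    weight=DNSBL_WEIGHT):
    """Score contributed to Intercept: the component weight for every
    (relay, list) match among the relays selected by Check/Exclude Relays."""
    matches = 0
    for ip in select_relays(relay_ips(received_headers), check_relays, exclude_relays):
        matches += len(lists_matching(ip))
    return matches * weight
```

With Exclude Relays at “0” the dial-up hop A contributes two list matches; setting it to “1” drops A and only C's single listing remains.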

DNSBL servers

To edit the list of DNS Block List servers:

1. Click Edit.

2. Click Update when finished.

The default WatchGuard DNSBL servers supplied will cover most cases and should not be changed without careful consideration.

Timeout mode

The Timeout Mode is used to ensure the timely recovery of lookup timeouts to the DNSBL domain and to improve redundancy via alternate DNSBL domains in the event the primary domain is unavailable and cannot be contacted. If the primary or alternate DNSBL domains cannot be contacted, the DNSBL check will be skipped for the message. An alarm will also be triggered to notify the administrator if a service cannot be contacted.

• Disable — No DNSBL lookups will be performed if the DNSBL domain is unavailable and cannot be contacted. The system will check the status of the domain every 5 minutes. Domain queries will resume when the service becomes available again.

• Alternate — Use the alternate DNSBL domain specified in the Alternate Domain field. The system will check the status of the primary domain every 5 minutes. The system will revert to the primary domain when the primary domain service is restored.

• Ignore — Continue to attempt a lookup to the DNSBL domain. An alarm will be triggered if the timeout threshold (900 seconds) is exceeded, and the domain query will be skipped.

URL Block Lists

URL Block Lists contain a list of domains and IP addresses of URLs that have appeared previously in spam, phishing, or other malicious messages. This feature is used to determine if the message is spam by examining any URLs contained in the body of a message to see if they appear on a block list. URL Block Lists can also be used to check URLs in HTTP requests.

Similar to DNS Block Lists, the URL Block List will be queried to see if a URL exists on the configured block list server. If a match is found, this information will be used by the Intercept engine to decide whether a message is spam or legitimate mail.

If the URL in a message is matched on a URL Block List, it will be assigned a score as per the URL Block List weighting configured in the Intercept component weight setting (default is 90). If a URL is matched on more than one URL Block List, this will increase the weight of the score assigned by Intercept for each list it is matched on.

To configure URL Block Lists:

1. Select Security > Anti-Spam > Anti-Spam.

2. Select URL Block List.

3. Select the Enable UBLs check box.

4. In the Maximum UBL Lookup Time field, enter the maximum time (in seconds) for a lookup to a URL Block List.

This option prevents excessive processing time for messages containing a large number of URLs. If all of the URLs in a message cannot be looked up before the timeout value is reached, the checks will stop and only the URLs checked within the time limit will be used in the Intercept Anti-Spam decision. Valid values are from 1 to 3600. The default is 60 seconds.

UBL domains

URLs can be checked either by a SURBL (Spam URI Realtime Block Lists) method that performs lookups for a domain using the base domain or IP addresses of the URL, or a DNSBL lookup that can query a DNS Block List server to lookup the full domain using the resolved host IP address for the URLs in a message.

WatchGuard provides a default SURBL server that can be used for the URL Block List. Other SURBL or DNSBL lists can be added by the administrator, but caution must be taken when adding servers as some free services can introduce false positives.

Click the Edit button to configure the SURBL and DNSBL server lists.

Timeout mode

The Timeout Mode ensures the timely recovery of lookup timeouts to the UBL domain and improves redundancy via alternate UBL domains in the event the primary domain is unavailable and cannot be contacted. If the primary or alternate UBL domains cannot be contacted, the UBL check will be skipped for the message. An alarm will also be triggered to notify the administrator if a service cannot be contacted.

• Disable — No UBL lookups will be performed if the UBL domain is unavailable and cannot be contacted. The system will check the status of the domain every 5 minutes. Domain queries will resume when the service becomes available again.

• Alternate — Use the alternate UBL domain specified in the Alternate Domain field. The system will check the status of the primary domain every 5 minutes. The system will revert to the primary domain when the primary domain service is restored.

• Ignore — Continue to attempt a lookup to the UBL domain. An alarm will be triggered if the timeout threshold (900 seconds) is exceeded and the domain query will be skipped.

UBL whitelist

Administrators can define a list of domains and IP addresses that will be trusted, even if messages from those addresses contain URLs that appear in a URL Block List.

Enter a domain name or IP address to be trusted and then click the Add button.

If a domain is entered (such as example.com), all subdomains of that domain will also be included (such as www.example.com).

A list of domain names and IP addresses can also be uploaded in one text file. The entries must appear one per line in the form:

192.168.1.100

192.168.10.200

example.com

The file (ubl_wl.csv) should be created in csv file format using a text editor. It is recommended that you download the file first by clicking Download File, edit it as required, and upload it using the Upload File button.

ReputationAuthority

The ReputationAuthority helps to identify spam by reporting behavior information for a collection of metrics about the sender of a mail message, based on information collected from installed products and global DNS Block Lists. The metrics it reports include the sender's overall reputation, whether the sender is a dial-up, and whether the sender appears to be virus-infected or sends large amounts of spam messages.

This information can be used by the WatchGuard XCS to either reject the message immediately or contribute to the Intercept score if a message is detected from a source with a poor reputation or numerous virus infections.

If the ReputationAuthority option is enabled, the system will query for statistics from the ReputationAuthority service for the sender IP of each message received, excluding those from trusted and known networks. Using the information returned from ReputationAuthority, the system can make a decision about whether a message is spam or legitimate mail. A reputation of “0” indicates the sender is extremely reliable and rarely sends spam or viruses. A reputation of “100” indicates the sender is extremely unreliable and often sends spam or viruses. An IP address with no previous information from any source is assigned a value “50”.

Domain and sender reputation

Domain and Sender Reputation increases the reputation effectiveness by examining not only the IP reputation of a sender, but also the domain name and envelope sender information from that IP address. A domain can receive a reputation independent of the behavior of another domain originating from the same address. A specific sender address can receive a reputation independent of the behavior of another sender address from the same domain or IP address. For a message from the sender [email protected], a query will be sent to ReputationAuthority checking the sender address [email protected], the domain example.com, and the originating IP address of the connection.

ReputationAuthority will examine the behavior of the user at its originating IP address ([email protected], 207.236.65.232), and also the domain at its originating IP address (example.com, 207.236.65.232). The result generated by ReputationAuthority will depend, in priority order, on the reputation for that specific sender at that IP address, on the reputation of the domain originating from that IP address, and on the reputation of the IP address itself. If there is enough information to make a decision on the reputation of a specific sender at that IP address ([email protected], 207.236.65.232), ReputationAuthority will not make use of the information on the domain and IP address reputation. If there is enough information to make a decision on the reputation of a domain at that IP address (example.com, 207.236.65.232), ReputationAuthority will not make use of the information on the IP address reputation. If there is no recorded reputation information on a specific sender address or domain, ReputationAuthority will use the reputation of the IP address.

The Domain and Sender Reputation query and any uploaded information are sent to the ReputationAuthority network as a one-way hash that cannot be reversed. All information shared with the ReputationAuthority is encrypted to protect the details of the domain and sender. If this option is disabled, only the IP address reputation is used when querying and sharing statistics with ReputationAuthority.

ReputationAuthority statistics sharing

Statistics from your system can also be shared with ReputationAuthority by selecting the Share Statistics option. The following statistics are sent to the ReputationAuthority network when Share Statistics is enabled:

• Originating IP address

• Destination IP address

• Total mail

• Clean mail

• Spam mail (including results of Intercept scanning)

• Anti-virus scanning results

• Outbreak control results

• Known and unknown recipients

• Malformed mail

• Domain and user information (sent using a one-way hash for security purposes)

• Checksum identification of attached files

Reputation service queries use the DNS protocol on UDP port 53. Statistics sharing uploads data to the reputation network using HTTPS on TCP port 443. These ports must be opened up on your network firewall if the system is located behind the firewall.

Trusted clients and known mail servers

Administrators can trust friendly local networks or addresses of known mail servers in their environment that relay mail via this system. These specific networks and servers can be added to the relays IP Address list in the Threat Prevention configuration page to prevent them from being blocked by Threat Prevention and ReputationAuthority, as well as ensuring that reputation statistics for these addresses will not be reported to ReputationAuthority.

For example, it is possible that in certain environments with a backup MTA (Mail Transfer Agent) system, the backup system may be classified with a poor reputation because the mail received from the backup includes relayed spam. If the WatchGuard XCS is offline, mail will be collected by the backup MTA as specified in the organization's MX records. When the WatchGuard XCS comes back online, this mail (which may include spam, viruses, and other types of infected mail) will be forwarded from the backup MTA to the WatchGuard XCS for processing. If ReputationAuthority is enabled, this backup system may receive a low reputation score from ReputationAuthority.

ReputationAuthority checks and statistics sharing are not performed for any internal IP addresses and systems listed in the Relays list. If a message comes from an IP address identified in the Relays list and Share Statistics is enabled, an upload of information can still occur. If a prior network hop is listed in a Received header, it will be considered the source of the message and an upload will occur as if that IP address had sent it directly. Each system in the Received header is consulted until a suitable one is found, while identified relays and internal IP addresses are ignored.

To add a system to the relays list:

1. Click the internal hosts and friendly mail relays link on the ReputationAuthority page.

The relays Static IP/CIDR List screen will appear.

2. Add the address of any internal relays including a descriptive comment.

3. Click Add.

Configuring ReputationAuthority checks

To configure ReputationAuthority:

1. Select Security > Anti-Spam > ReputationAuthority.

2. Enter the ReputationAuthority Domain to query.

The default is WatchGuard’s ReputationAuthority domain, and should not be modified.

3. Select a Timeout Mode option to ensure the timely recovery of lookup timeouts to the ReputationAuthority domain and to improve redundancy via alternate ReputationAuthority domains in the event the primary domain is unavailable and cannot be contacted.

In the event the primary ReputationAuthority domain is unavailable and the timeout mode is set to Alternate, an alternate ReputationAuthority domain will be queried. If the primary or alternate ReputationAuthority domains cannot be contacted, the ReputationAuthority check will be skipped for the message. An alarm will also be triggered to notify the administrator if a service cannot be contacted.

• Disable — No ReputationAuthority lookups will be performed if the ReputationAuthority domain is unavailable and cannot be contacted. The system will check the status of the domain every 5 minutes. Domain queries will resume when the service becomes available again.

• Alternate — Use an alternate ReputationAuthority domain for queries. The system will check the status of the primary domain every 5 minutes. The system will revert to the primary domain when the primary domain service is restored. The alternate ReputationAuthority domain is preconfigured and is not configurable by the administrator.

• Ignore — Continue to attempt a lookup to the ReputationAuthority domain. An alarm will be triggered if the timeout threshold (900 seconds) is exceeded and the domain query will be skipped.

4. Select the Share Statistics check box to allow ReputationAuthority information, such as spam and virus statistics for connecting client IP addresses, from this system to be shared with the ReputationAuthority network.

TCP Port 443 must be enabled outbound to allow statistics to be uploaded to the reputation server.

There are no security risks associated with sharing statistics. The system does not relay any private or sensitive information to the ReputationAuthority.

5. Select the Use Domain and Sender Behaviour check box to make use of domain and sender behavior when performing ReputationAuthority checks.

This option will increase the effectiveness of ReputationAuthority by examining not only the IP reputation of a sender, but also the domain name and envelope sender information from that IP address.

6. Select the Reject on Reputation check box to reject messages from senders whose reputation is above the configured Reputation Threshold.

A reputation of “0” indicates the sender is extremely reliable and rarely sends spam or viruses. A reputation of “100” indicates the sender is extremely unreliable and often sends spam or viruses. An IP address with no previous information from any source is assigned a value “50”.

To override a ReputationAuthority reject, add the system to the internal hosts and friendly mail relays list. ReputationAuthority rejects can also be overridden by creating a Specific Access Pattern to Trust the rejected address. ReputationAuthority rejects cannot be overridden by a policy.

Pattern Based Message Filtering can also be set to Bypass (to bypass all Anti-Spam and content checks), Trust (to accept and train as valid mail) or Accept (just accept without training) the message, however, this may interfere with later message processing and using the mail relays list is recommended.

7. Enter a Rejection Threshold over which a message will be rejected.

The default value is “99”. If the reputation of a connecting system is greater than this value, it will be rejected. The lower the reputation threshold, the greater the chance that a system with valid mail will be blocked. This setting is only valid when Reject on Reputation is enabled.

8. Select Reject on Infection to reject messages from senders based on the criteria configured in the Infection Threshold option.

9. Select an Infection Threshold that indicates the criteria for rejecting messages based on whether the sending host is Currently infected (received in last hour), or Recently infected (received in last day).

This setting is only valid when Reject on Infection is enabled.

10. Select the Reject Connection From Dial-ups check box to reject messages sent directly from dial-up connections.

If a message is not rejected because it violates a reputation threshold, the reputation score and information about whether the sender is a dial-up can be incorporated into the overall Intercept Anti-Spam decision.

11. Customize the ReputationAuthority Reject Message as required.

This option allows the administrator to customize the reject message for ReputationAuthority. Use “%s” to specify the IP address of the rejected sender, such as:

go to http://www.reputationauthority.org/lookup?ip=%s

ReputationAuthority rejection, infection, and dial-up log messages will include a URL similar to the following:

450: blocked by Intercept: http://www.reputationauthority.org/lookup?ip=207.236.65.226&d=4ECD2A71BB0D0E6A&u=45F00D38BFC08DFC

where the IP address is the connecting system that was rejected. The “d=” and “u=” sections are the domain and user hashes for the domain and sender reputation. Clicking the URL will open a web page displaying ReputationAuthority reputation statistics for the specified IP address, domain, and user.

12. Select the Enable ReputationAuthority for Anti-Spam check box to check incoming messages against the spam information gathered by the ReputationAuthority network.

13. In the Check Relays text box, specify how many received headers to check with ReputationAuthority.

For example, an email message may have been relayed by four mail servers before it reached the system. Use this field to specify how many relay points, starting from the latest headers to the earliest, should have their reputation checked via ReputationAuthority. Acceptable values are between “0” and “ALL”. The default is “5”.

Check Relays should be enabled if the system is installed behind another MTA or mail gateway. This ensures the relay before the intermediary MTA is checked.

14. In the Exclude Relays field, specify how many received headers to exclude from ReputationAuthority checks, starting from the earliest header to the most recent.

For example, if Check Relays is enabled, setting this value to “1” means that the first relay point will not be checked. Note that some ISPs include the originating dial-up IP as the first relay point which can lead to legitimate mail being classified as spam by ReputationAuthority. Recommended values are “0” (off) or “1”. The default is “1”.

The Exclude Relays setting will only be enabled if Check Relays is also enabled.

As an example of using the Check Relays and Exclude Relays options, consider the following scenario:

Server A -> Server B -> Server C -> Server D -> WatchGuard XCS

With the mail relayed via four previous servers (A-D), the received headers of a message will appear in the following order:

Received: D

Received: C

Received: B

Received: A

With Check Relays enabled, the system starts with server D and checks the configured number of received headers. If Check Relays is set to “3”, it will check D, C, and B.

Use the Exclude Relays option to ignore the configured number of received headers starting at the end of the header list regardless of what the Check Relays option is set to. If Exclude Relays is set to “1”, then server A will be excluded from the checks.
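Steps 5 through 10 as an added Python model (not WatchGuard code): the reputation is resolved in the guide's priority order (sender at IP, domain at IP, then IP), trusted relays are skipped, and the Reject on Reputation, Reject on Infection and dial-up rules are applied before the reputation is handed to Intercept. Reputation records, infection data and dial-up flags are constructed stand-ins for ReputationAuthority answers (the real service is queried over DNS), and the 192.0.2.0/24 relay network is an assumption.

```python
"""ReputationAuthority decision model: resolve the reputation in priority
order (sender at IP, domain at IP, IP), skip trusted relays, apply the reject
thresholds, and otherwise hand the reputation to Intercept scoring.

Added example, not WatchGuard code. The reputation records are constructed
stand-ins for ReputationAuthority answers. Treating "enough information to
make a decision" as "a record exists" is an assumption.
"""
import ipaddress
from dataclasses import dataclass, field

UNKNOWN_REPUTATION = 50  # IP with no previous information from any source

# Constructed reputation data (0 = reliable, 100 = unreliable).
SENDER_REPUTATION = {("sales@example.com", "207.236.65.232"): 5}
DOMAIN_REPUTATION = {("example.com", "207.236.65.232"): 60}
IP_REPUTATION = {"207.236.65.232": 85, "198.51.100.7": 100,
                 "198.51.100.8": 30, "198.51.100.9": 40}
INFECTED_LAST_HOUR = set()            # "Currently infected"
INFECTED_LAST_DAY = {"198.51.100.8"}  # "Recently infected"
DIALUPS = {"198.51.100.9"}


@dataclass
class Config:
    domain_and_sender: bool = True
    reject_on_reputation: bool = True
    reputation_threshold: int = 99        # default: reject when reputation > 99
    reject_on_infection: bool = True
    infection_threshold: str = "recent"   # "current" (last hour) or "recent" (last day)
    reject_dialups: bool = True
    # internal hosts and friendly mail relays (constructed network)
    relays: list = field(default_factory=lambda: [ipaddress.ip_network("192.0.2.0/24")])
    reject_message: str = "go to http://www.reputationauthority.org/lookup?ip=%s"


@dataclass
class Decision:
    action: str      # "accept", "reject" or "skip"
    reason: str
    reputation: int
    source: str      # "sender", "domain", "ip" or "none"
    message: str = ""


def resolve_reputation(sender, ip, cfg):
    """Priority order from the guide: sender at IP, then domain at IP, then IP."""
    sender = sender.lower()
    domain = sender.rpartition("@")[2]
    if cfg.domain_and_sender:
        if (sender, ip) in SENDER_REPUTATION:
            return SENDER_REPUTATION[(sender, ip)], "sender"
        if (domain, ip) in DOMAIN_REPUTATION:
            return DOMAIN_REPUTATION[(domain, ip)], "domain"
    if ip in IP_REPUTATION:
        return IP_REPUTATION[ip], "ip"
    return UNKNOWN_REPUTATION, "none"


def evaluate(sender, ip, cfg):
    """Decide whether to reject at connection time or pass to Intercept."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in cfg.relays):
        # No checks and no statistics sharing for listed relays.
        return Decision("skip", "trusted relay", UNKNOWN_REPUTATION, "none")
    reputation, source = resolve_reputation(sender, ip, cfg)
    # "%s" in the reject message stands for the rejected sender's IP address.
    message = cfg.reject_message.replace("%s", ip)
    if cfg.reject_on_reputation and reputation > cfg.reputation_threshold:
        return Decision("reject", "reputation", reputation, source, message)
    infected = ip in INFECTED_LAST_HOUR or (
        cfg.infection_threshold == "recent" and ip in INFECTED_LAST_DAY)
    if cfg.reject_on_infection and infected:
        return Decision("reject", "infection", reputation, source, message)
    if cfg.reject_dialups and ip in DIALUPS:
        return Decision("reject", "dial-up", reputation, source, message)
    # Not rejected: the reputation feeds the overall Intercept decision.
    return Decision("accept", "reputation feeds Intercept score", reputation, source)
```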

Token Analysis

Token Analysis is a sophisticated method of identifying spam based on statistical analysis of mail content.

Simple text matches can lead to false positives because a word or phrase can have many meanings depending on the context. Token Analysis provides a way to accurately measure how likely any particular message is to be spam without having to specify every word and phrase.

Token Analysis achieves this by deriving a measure of a word or phrase contributing to the likelihood of a message being spam. This is based on the relative frequency of words and phrases in a large number of spam messages. From this analysis, it creates a table of tokens (words associated with spam) and associated measures of how likely a message is spam.

When a new incoming message is received, Token Analysis analyzes the message, extracts the tokens (words and phrases), finds their measures from the table, and aggregates these measures to produce a spam metric for the message. This spam metric is the score assigned by Token Analysis to be used in the Intercept Anti-Spam decision.

Token Analysis has a built-in weighting mechanism that assigns a value between 0 and 100 to indicate whether a message is spam. A message with a low metric (closer to 0) is considered to be legitimate, while a message with a high metric (closer to 100) is considered to be spam. Token Analysis uses three sources of data to build its run-time database:

• The initial default database based on analysis of known spam.

• Tables derived from an analysis of local legitimate mail. This is referred to as “training”.

• Training provided by spam from Pattern Filter Spam, DNSBL, UBL, SPF, and DomainKeys Intercept components.

How Token Analysis works

Consider the following simple message:

---------------------------------------------------------------

Subject: Get rich quick!!!!

Click on http://getrichquick.com to earn millions!!!!!

---------------------------------------------------------------

Token Analysis will break the message down into the following tokens:

[Get] [rich] [quick!!!] [Click] [on] [http://getrichquick.com] [to] [earn] [millions!!!!!]

Each token is looked up in the database and a spam metric is retrieved. The token “Click” has a high metric of 91, whereas the word “to” is neutral (indicating neither spam nor legitimate). These metrics are aggregated using statistical methods to give the overall score for the message of 98.

Mail messages with a spam metric of 90 or greater are very likely to be spam. Lower values (50-60) indicate possible spam, while very low values (20-25) are unlikely to be spam. These spam metrics are the score assigned by Token Analysis as part of the final Intercept Anti-Spam decision.

Token Analysis training

When enabled, Token Analysis will always run in training mode and analyze all local mail. Local mail is assumed to be not spam and the frequency of the words found in this mail may therefore be used to modify the values supplied by WatchGuard’s master list. For example, a mortgage company may use the word “refinance” quite frequently in its regular mail. The likelihood of this word suggesting spam would therefore be reduced.


Intercept Anti-Spam

Token Analysis trains messages for spam if one of the following features (if enabled) classifies a message as spam:

• Pattern Filter spam

• DNS Block Lists

• URL Block Lists

• ReputationAuthority Reputation

Token Analysis can train messages from the following sources as legitimate mail:

• Pattern Filter Train action

• Trusted Subnet

Configuring Token Analysis

To configure Token Analysis

1. Select Security > Anti-Spam > Anti-Spam.

2. Select the Token Analysis check box.

3. Select Enable Token Analysis.

4. Select the Current Mode for Token Analysis:

• Training Only — Token Analysis will analyze local mail but will NOT classify incoming mail.

• Scanning and Training — Token Analysis will analyze local mail AND will classify incoming mail.

Database and Training

The Token Analysis database is built and rebuilt at two hour intervals using several sources, such as the supplied spam data, updated data from WatchGuard, trained spam from other Intercept features, and local training. The database is not built for the first time until two hours after installation. To rebuild the Token Analysis database immediately, click Rebuild Database.

You should delete all training material if your system has been misconfigured and starts to treat trusted mail as untrusted or vice versa. Click Delete Training to remove all training material.


Token Analysis advanced options

To configure advanced options, click Advanced.

These options are for advanced configuration only, and it is highly recommended that the default values be used. Modifications to the default values may decrease Token Analysis accuracy and should be used with care.


Neutral words

Neutral words are words that may or may not indicate spam. For example, a mortgage company may want to build a neutral word list that includes “refinance” or “mortgage” because these words show up quite frequently in spam mail. By adding them to the neutral word list, the likelihood of this word suggesting spam would therefore be reduced to a neutral value.

• Default Neutral Words — Select the check box to enable the WatchGuard neutral words list. This list helps prevent pollution of the Token Analysis database. It is recommended that you leave this option enabled.

• Uploaded Neutral Words — Select the check box to enable the use of the uploaded neutral words list.

Upload a file using the Upload Neutral Words button. The file must be in text format and contain a list of neutral words with one word per line. Uploading a new list will replace the previous neutral words list.

The system will automatically rebuild the Token Analysis database during the upload of a neutral words list. This process may take some time to complete.

Token Analysis and languages

The Token Analysis spam database is based on English language spam. As a result, it may not be initially responsive to spam created in other languages. The ability to learn means that it can readily adapt to other languages. Token Analysis will train on local legitimate mail from the moment the system is started. This will help properly characterize the local language use by building up a database of good words to help prevent mail messages from being classified as spam. To train the system with known local language spam mail, it is recommended that you set up rules to use the Certainly Spam action in Pattern Based Message Filters.

Messages specified as spam will be forwarded to Token Analysis and will increase its database of local language words.


Japanese, Chinese, and Korean languages

The language options can alter the Token Analysis processing behavior for Japanese, Chinese, and Korean language messages to ensure they are not automatically classified as spam. These include the following character sets:

• Japanese major character sets — ISO-2022-JP, EUC-JP, Shift-JIS

• Chinese major character sets — GB2312, HZ-GB-2312, BIG5, GB7589, GB7590, GB8565.2-88, GB12052, GB/T12345, GB/T13131, GB/T13132, GB/T13000.1, ISO-2022-CN, ISO-2022-CN-EXT

• Korean major character sets — KS C 5601 (KS C 5601-1987), EUC-KR, ISO-2022-KR

For each character set, select how Token Analysis will process the message:

• Default — All content is processed by Token Analysis. If you receive legitimate mail in these languages, this may result in false positives.

• No Token Analysis Scan — Token Analysis scanning will be turned off for all messages containing Japanese, Chinese, and Korean language characters.

• Lenient Token Analysis Scan — Token Analysis scanning will be turned off for only the parts of the message containing Japanese, Chinese, and Korean language characters. The rest of the message will be processed normally. If there are 20 or fewer tokens in the message of non-Japanese, Chinese, and Korean characters, the Token Analysis scan will be skipped for that message.

Image analysis

An image spam email message typically consists of random text or no text body and contains an attachment picture (usually .gif or .jpg format) that supplies the text and graphics of the spam message. These types of spam messages are difficult to detect because the message contains no helpful text or URL characteristics that can be scanned and analyzed. The Image Spam Analysis feature performs advanced analysis of image attachments to help determine if the message is spam or legitimate mail. Similar to the other Anti-Spam features that detect spam characteristics in the text of a message, the Image Analysis feature extracts certain characteristics of the attached image to determine if these characteristics are similar to those seen in actual spam messages.

1. Make sure the Enable Token Analysis option is enabled using Scanning and Training mode.

2. Select the Enable Image Analysis check box in the Options section.

3. Click Apply.

Allow at least 24 hours for the Token Analysis scanner to scan and train incoming mail and update its database to see an improvement in spam catch rates.

To accelerate this process:

1. Select Administration > Software Updates > Security Connection.

2. Click the Connect Now button to retrieve the latest Token Analysis database updates.

3. Select Security > Anti-Spam > Anti-Spam > Token Analysis.

4. Click the Rebuild Database button to perform a manual rebuild of the Token Analysis database. (The database is rebuilt automatically every two hours.)

PDF spam analysis

In response to the effectiveness of image spam detection technologies, spammers have attempted to circumvent the anti-spam scanners by embedding spam text and images in PDF (Portable Document Format) documents. Within these PDF documents, the images and text themselves can be further obfuscated using various image distortion techniques and using “word salad” text that contains valid text included with the spam message text. A further technique used to avoid detection is to compress the PDF into an archive file such as .zip. Token Analysis can improve detection of PDF spam by analyzing specific information in the PDF such as the document meta-properties (author, creation date, etc.) and the text and images contained in the PDF. The Token Analysis scanner will create tokens for each of these unique PDF properties to be able to detect characteristics of PDF spam.

The PDF Analysis feature uses the Token Analysis component to analyze PDF spam messages. Token Analysis must be enabled for PDF Spam detection to work. To perform content inspection of archive files, such as .zip, that contain PDF files, Kaspersky Anti-Virus must be enabled.

Tokens generated by the PDF analysis feature (by analyzing text in the PDF) are also utilized by the Spam Words and URL Block List (UBL) features. They cannot be used for the Objectionable Content Filter.

• Enable PDF Analysis — Enables PDF analysis to allow the system to scan PDF files for spam. This is enabled by default.

If the PDF document size is larger than 45 KB, analysis of the document is skipped. Larger documents are less likely to be spam messages.

• Analyze PDF Text — Select this check box to extract and analyze the text in a PDF file. This allows the scanner to examine the PDF text for words that may indicate it is a spam message. Tokens created from the text in a PDF are used by Token Analysis, Spam Words, and the URL Block list features.

• Analyze PDF Images — Select this check box to analyze images in PDF documents for image spam. The Enable Image Analysis option must also be enabled to analyze images in PDF documents.

PDF text and image analysis are enabled by default. These options should be disabled if there is an increased amount of false positives (legitimate mail identified as spam), or system message processing performance is affected.

Diagnostics

The diagnostics section allows administrators to configure diagnostic options for Token Analysis to help with troubleshooting.

• Enable X-STA Headers — This setting inserts X-STA (Token Analysis) headers into all messages. These are not visible to the user (although they can be filtered in most mail clients), but can be used to gather information on why mail is processed in a particular way.

The following headers will be inserted:

  • X-STA-Metric — The score assigned by Token Analysis, such as 95, which would indicate a spam message.

  • X-STA-NotSpam — Indicates the words with the highest non-spam value found in the message.

  • X-STA-Spam — Indicates the words with the highest spam value found in the message.

• Enable Monitoring — Select the check box to enable the monitoring of messages received by the specified email address.

• Monitor email for — Enter an email address that you would like to monitor.

• Copy to — Copy messages and the Token Analysis diagnostic to this email address.


Token Analysis training

The following sections allow you to define advanced parameters for Token Analysis training, such as legitimate and spam mail training settings.


• Valid Training Sources — Select Trusted/Local Mail to train all local trusted network mail for Token Analysis, or select No Training.

If No Training is selected, use the Heuristic 1 Intercept Decision strategy, which de-emphasizes Token Analysis. This prevents the false positives that can occur when using the Heuristic 2 strategy.

• Local Limit — Enter the maximum number of messages from local users that can be used for Token Analysis training. When the limit is reached, older training messages are deleted as new messages arrive. Default is 20000.

• Local Threshold — Set the threshold for messages from local users to be used for training. If the Token Analysis classification for the message is greater than or equal to the specified number, the message will be used for training.

• Source Weighting % — For Token Analysis to be useful and efficient, the training must be based on well selected data. The initial database supplied by WatchGuard represents well selected data, and is therefore highly weighted, compared to uploaded legitimate mail or legitimate mail from the trusted network.

  • Default — Enter a percentage for the weight of the WatchGuard maintained Token Analysis database of valid mail.

  • Uploaded — Enter the weight of locally uploaded valid mail. Legitimate mail can be uploaded by clicking the Upload Legitimate Mail button. The mail must be in plain-text Unix mbox format. A minimum of ten messages should be uploaded to be effective.


  • Trusted-net — Enter the weight of mail from trusted networks that are automatically trained as valid mail.

When uploading mail, it is recommended that you set the weighting to 60% for Default, 20% for Upload, and 20% for Trusted. Significant changes to the source weighting may decrease Token Analysis accuracy.

Spam training

Select which features (if enabled) will be used for spam training:

• Backscatter Detection — Train using mail marked as spam by Backscatter Detection.

• (BSN) ReputationAuthority Reputation — Train using mail marked as spam by ReputationAuthority Reputation.

• (BSN) ReputationAuthority DUL — Train using mail marked as spam by ReputationAuthority DUL (dial-up).

• DNSBL — Train using mail marked as spam by DNS Block Lists.

• Domain Keys — Train using mail marked as spam by DomainKeys.

• PBMF — Train using mail marked as spam by PBMF (Pattern Filters).

• SPF — Train using mail marked as spam by SPF.

• URL Block List — Train using mail marked as spam by URL Block List.

Spam settings

• Spam Limit — Enter the maximum number of spam messages used for training.

• Spam Training Threshold — Set the threshold for spam messages to be used for training. If the Token Analysis classification for the message is less than or equal to the specified number, the message will be used for training.

• Source Weighting — For Token Analysis to be useful and efficient, the training must be based on well selected data. The default database supplied by WatchGuard represents well selected data and is therefore highly weighted, compared to uploaded spam mail.

  • Default — Enter a percentage for the weight of the WatchGuard maintained Token Analysis database of spam mail.

  • Uploaded — Enter the weight of locally uploaded spam mail. Spam mail can be uploaded by clicking Upload Spam Mail. The mail must be in plain-text Unix mbox format. A minimum of ten messages should be uploaded to be effective.

  • Detected — Weight of mail from DNSBL, UBL Block Lists, Pattern Filters or ReputationAuthority automatically trained as spam.

When uploading mail, it is recommended to set the weighting to 60% for Default, 20% for Upload, and 20% for Detected. Significant changes to the source weighting may decrease Token Analysis accuracy.


Dictionary spam count

Recent changes to the way that spammers compose their messages can reduce the effectiveness of the Token Analysis filter. By introducing large numbers of normal words into their spam messages, they can hide their content because the normal words outweigh the spam words and result in a low spam count. More aggressive settings may result in more false positives. The system counters this in two ways:

1. All words in the dictionary are assigned a base level of how likely they are to be spam. In a normal message, this increased level will not result in a false positive, since the overall count is low. In a spam message, the result is different; the normal words will not counteract the spam content, and the message is correctly identified as spam.

2. Training on local mail now works to reduce this base level closer to zero. This further reduces the likelihood of a false positive.

The Dictionary Count is set to “1” by default. This should be sufficient for most situations. It is recommended that you only change the default value if the following conditions occur:

• If there are too many false positives and this is not alleviated by training, then the Dictionary Count should be set to “0”, disabling this feature.

• If too much spam is getting through then the Dictionary Count can be increased. Try increasing the value to “10”. If this results in too many false positives, reduce it to “5”.

This setting should only be considered for modification if other measures (training, threshold changes, uploading spam and/or legitimate mail) have been tried and have not provided the desired result.

Troubleshooting Token Analysis

Token Analysis is a very effective anti-spam tool and provides the mail administrator with a variety of options to finely tune this feature for their particular environment. With these advanced controls, there is a greater chance of creating a configuration that may result in excessive false positives (mail marked as spam when they are legitimate) or false negatives (mail not marked as spam when they are spam.)

The following are some considerations when troubleshooting issues with Token Analysis:

For excessive false positives:

• Ensure that the system has gone through a cycle of training.

• Ensure that any mailing lists that the organization sends out are trusted (via Pattern Filters) as Accept.

• Check for tokens that may be words used by the organization for their regular business. For example, a financing company would want the words “mortgage” or “refinance” to be allowed as legitimate tokens.

• Lower the component weighting in the Intercept settings.

For excessive false negatives:

• Check that any mailing lists received by the users are trusted (via Pattern Filters) as Bypass or Accept.


Backscatter Detection

Backscatter is a type of spam attack where spam mail is sent to email servers with forged header information for the Envelope Sender address. If the email server bounces this email back to the sender, a bounced message usually has the Envelope Recipient set to the Envelope Sender of the original message, and the undeliverable message notification will be sent to the email address of the innocent user. There can also be other unsuspecting email servers in the message path and in a large spam campaign the target systems can be flooded with these backscatter spam messages.

Backscatter spam can be mitigated using signing techniques such as Bounce Address Tag Validation (BATV). BATV uses message signing to sign the local Envelope Sender address. If the message is bounced back, the Envelope Recipient address signature is validated, which prevents any undeliverable message bounce notifications from being returned to a forged address.

Messages are not signed if they are sent to a local internal recipient.

As an example, if the WatchGuard XCS sends an outgoing message to an external user from: [email protected], a PRVS (Simple Private Signature) tag is created utilizing the key index, the timestamp and expiry term of the message, and a private key. An SHA1 message digest is then generated for this information resulting in the following syntax:

<prvs=[Key Index][Expiry][Digest][Email address]>

Using the following information:

Key Index = 0

Expiry = 110 (generated from the current time and the expiry time)

SHA 1 digest = 450a98

Email Address = [email protected]

results in the email address being rewritten using the PRVS tag as follows:

<[email protected]>

If this message is bounced back to the system, it will extract and verify the address signature. If the signature cannot be verified, or if it is invalid or expired, the system can reject the message immediately, or contribute to the overall Intercept Anti-Spam score for the message.

You must ensure in your specific deployment that only the gateway device, such as the WatchGuard XCS, is performing PRVS tag signing and verifying, and that PRVS tag signing and verifying is disabled on any internal mail servers.


Intercept Anti-Spam processing

For Intercept Anti-Spam processing, the Backscatter Detection feature will create a result code between 0 and 100 for the message. The following table describes the result codes that can be returned for a message after Backscatter Detection processing.

Any result code greater than 50 will result in the message being considered spam, and the configured Backscatter Detection Intercept weight will be applied to the overall Intercept Anti-Spam score for the message.

Code  Description
0     No PRVS checking or signing was performed
1     OK (signature verified)
50    Unsigned
51    Invalid key
52    Invalid signature
53    Signature expired
60    Syntax error 1
61    Syntax error 2
62    Syntax error 3
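The PRVS signing and bounce verification described above, together with the result codes in the table, as an added Python example. This is not WatchGuard's code: it follows the BATV/PRVS draft layout (prvs=KDDDSSSSSS=address, with K the key index, DDD the expiry day-of-year mod 1000 and SSSSSS six hex digits of the digest), keys the SHA-1 digest with HMAC, and uses a constructed key table and a fixed date; the exact digest input and the "=" separator between tag and address are assumptions. Only the 50/51/52/53 codes and one syntax-error code from the table are modelled.

```python
import hashlib
import hmac
import re
from datetime import date

# Result codes from the guide's Backscatter Detection table.
NO_CHECK, OK, UNSIGNED = 0, 1, 50
INVALID_KEY, INVALID_SIGNATURE, EXPIRED = 51, 52, 53
SYNTAX_ERROR = 60

# Constructed key table (assumption): key index -> secret. The guide calls the
# secret the "Current Key"; it must never leave the gateway that signs and verifies.
KEYS = {0: b"constructed-example-secret-not-for-production"}
MAX_LIFETIME_DAYS = 30   # assumption: longest "Message life time" this verifier honours

PRVS_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+@.+)$", re.IGNORECASE)


def expiry_field(day, lifetime_days):
    """Expiry field: day-of-year of the expiry date, modulo 1000 (BATV draft convention)."""
    return (day.timetuple().tm_yday + lifetime_days) % 1000


def digest(key_index, expiry, address, secret):
    """Six hex digits of HMAC-SHA1 over key index, expiry field and the original address."""
    data = f"{key_index}{expiry:03d}{address}".encode()
    return hmac.new(secret, data, hashlib.sha1).hexdigest()[:6]


def sign_address(address, key_index=0, lifetime_days=7, today=None):
    """Rewrite an outgoing local Envelope Sender as prvs=KDDDSSSSSS=address."""
    today = today or date.today()
    expiry = expiry_field(today, lifetime_days)
    sig = digest(key_index, expiry, address, KEYS[key_index])
    return f"prvs={key_index}{expiry:03d}{sig}={address}"


def verify_address(tagged, today=None):
    """Check the Envelope Recipient of a bounce. Returns (result code, original address)."""
    if not tagged.lower().startswith("prvs="):
        return UNSIGNED, tagged                  # a bounce that carries no tag at all
    match = PRVS_RE.match(tagged)
    if not match:
        return SYNTAX_ERROR, tagged
    key_index, expiry = int(match.group(1)), int(match.group(2))
    sig, address = match.group(3).lower(), match.group(4)
    secret = KEYS.get(key_index)
    if secret is None:
        return INVALID_KEY, address              # signed with a key this gateway does not hold
    expected = digest(key_index, expiry, address, secret)
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return INVALID_SIGNATURE, address
    today = today or date.today()
    days_left = (expiry - today.timetuple().tm_yday) % 1000
    if days_left > MAX_LIFETIME_DAYS:            # expiry day already passed (wrapped mod 1000)
        return EXPIRED, address
    return OK, address


def demo_results():
    """Exercise every modelled outcome on a fixed signing date; returns the result codes."""
    signed_on = date(2010, 3, 23)
    tag = sign_address("user@example.com", today=signed_on)
    sig = tag[9:15]
    tampered = tag[:9] + ("0" if sig[0] != "0" else "1") + sig[1:] + tag[15:]
    return {
        "tag_prefix": tag[:9],
        "ok": verify_address(tag, today=signed_on)[0],
        "expired": verify_address(tag, today=date(2010, 5, 1))[0],
        "bad_key": verify_address("prvs=3" + tag[6:], today=signed_on)[0],
        "bad_sig": verify_address(tampered, today=signed_on)[0],
        "unsigned": verify_address("user@example.com", today=signed_on)[0],
        "syntax": verify_address("prvs=0089abc=user@example.com", today=signed_on)[0],
    }


if __name__ == "__main__":
    print(demo_results())
```

The verifier checks the key index before the digest and the digest before the expiry, so an attacker cannot learn anything about the secret from which code is returned, and the digest comparison is constant-time. Any code above 50 maps to the "considered spam" path the guide describes; whether that is an immediate reject or a contribution to the Intercept score is the Reject upon verification failure setting.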

Anti-Spam header

Any Backscatter Detection results will be added to the Anti-Spam header (if enabled), using the following syntax:

<Backscatter on/off><Explanation/Result Code>

For example: bsctr:off bsctr:spam/52 bsctr:passed/1


Configuring Backscatter detection

To enable and configure Backscatter Detection:

1. Select Security > Anti-Spam > Anti-Spam.

2. Select Backscatter Detection.


3. Select the Enable Backscatter Detection check box to enable the feature globally.

If Backscatter Detection is enabled, and envelope signing and verification are disabled, the system will strip the PRVS tags (even if invalid) from the message and deliver it to its destination.

4. Select the Enable envelope signing check box to sign outgoing email messages (non-local) with the Backscatter verification signature.

5. Select the Enable Verification check box to verify the sender address signature of incoming messages. This ensures that invalid addresses will either be rejected immediately or scanned by Intercept Anti-Spam depending on your configuration.

6. Set the Message life time (in days) before the signature is expired and considered invalid.

Expired signatures will cause the Backscatter verification check to fail, and triggers the specified action.

7. Select the Reject upon verification failure check box to immediately reject any messages that fail the Backscatter Detection signature validation, including an invalid Envelope Recipient address, syntax errors, invalid keys, and expired signatures.

When this option is disabled, the results of the Backscatter Detection scanning will be used as part of the overall Intercept Anti-Spam score.

8. Select the Reject unsigned recipients check box to reject bounce messages that do not contain any signature to verify.

This option requires that Reject upon verification failure is also enabled. It is recommended that this option not be enabled until the system has been signing and verifying message senders for a period of time to ensure that any existing unsigned messages that are still in circulation will not be rejected.


9. Select the Current Key to use for Backscatter Detection email signing.

The key can be up to 1024 characters. Click Show Advanced Mode to manually configure additional keys to use. You can also change the key in the Current Key text box, and the Active Key Index will be updated automatically when you apply the settings. The previous key will be saved in the advanced settings.

You should not change the keys too frequently, as any message signed with a previous key will no longer be accepted and could be rejected. It is recommended that you do not manually edit the keys.

Sender Policy Framework (SPF)

Sender Policy Framework is a sender authentication technology that prevents spammers from spoofing mail headers and impersonating a legitimate email user or domain, and so helps prevent phishing attacks. Unsuspecting users could otherwise reply to these seemingly legitimate addresses with personal and confidential information.

SPF provides a means for authenticating the source of an email by querying the sending domain’s DNS records. The SPF protocol allows server administrators to describe their email servers in their DNS records. By comparing the headers of the email with the SPF value, the receiving host can verify that the email is originating from the legitimate mail server for that domain. This prevents spammers from sending forged emails.

SPF actions only apply to incoming mail messages that have failed an SPF check (the email message does not match the corresponding published SPF record). If a specific mail server does not have an existing SPF record then the message is processed normally. It is possible, however, that administrators may misconfigure their DNS SPF records, resulting in false positives and legitimate hosts being blocked from sending you mail.

The weight assigned to SPF in the Intercept settings will be the score used by Intercept processing if the message fails an SPF check.

SPF is an emerging anti-fraud and anti-phishing technology that is designed primarily as a mechanism to prevent forged emails rather than an anti-spam measure. It is dependent on network administrators publishing their legitimate email servers in their DNS records and ensuring these records are properly configured. WatchGuard encourages customers that use SPF in their DNS infrastructure to review their own SPF records to ensure they are accurate.

SPF records

The SPF protocol allows you to describe your email servers in an SPF TXT record that is attached to the domain's DNS record. A typical SPF DNS record is as follows:

example.com IN TXT "v=spf1 mx -all"

Administrators will add this data as a TXT record to their domain (example.com). The first part is the name part of the record, such as “example.com”, and the text in quotes is entered as your TXT record data.

• v=spf1 identifies the TXT record as an SPF string.

• mx specifies that mail can come from only the mail servers defined in your MX records.

• -all specifies that no other servers are able to send from the specified domain.

You can set TXT records for both domains and individual hosts.
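How a receiving host evaluates a record like the one above against the connecting server's IP address, as an added Python example. This is not WatchGuard's code: it is a minimal SPF evaluator that understands the mx, a, ip4/ip6 and all mechanisms with their qualifiers and goes beyond the page's single "v=spf1 mx -all" case; the DNS data is a constructed in-memory table standing in for real lookups, and include, exists and redirect are deliberately not modelled.

```python
import ipaddress

# Constructed DNS data (assumption: a stub resolver, no network queries).
# Key: (name, record type) -> list of record values.
DNS = {
    ("example.com", "TXT"): ['v=spf1 mx -all'],
    ("example.com", "MX"): ["mail1.example.com", "mail2.example.com"],
    ("mail1.example.com", "A"): ["192.0.2.10"],
    ("mail2.example.com", "A"): ["192.0.2.11"],
    ("example.net", "TXT"): ['v=spf1 ip4:198.51.100.0/24 ~all'],
}

# Qualifier prefix -> SPF result when the mechanism matches ("+" is the default).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rrtype):
    return DNS.get((name.lower(), rrtype), [])


def spf_record(domain):
    """Return the domain's single v=spf1 TXT record, or None if there is none (or more than one)."""
    records = [r for r in lookup(domain, "TXT") if r.lower().split()[:1] == ["v=spf1"]]
    return records[0] if len(records) == 1 else None


def check_host(client_ip, domain):
    """Evaluate the domain's SPF record for the connecting IP: pass, fail, softfail, neutral or none."""
    record = spf_record(domain)
    if record is None:
        return "none"                    # no SPF record: the guide says the message is processed normally
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:      # skip the v=spf1 version tag
        if term[0] in QUALIFIERS:
            qualifier, mechanism = term[0], term[1:]
        else:
            qualifier, mechanism = "+", term
        name, _, argument = mechanism.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "mx":               # any A record of the domain's MX hosts
            hosts = lookup(argument or domain, "MX")
            matched = any(str(ip) in lookup(host, "A") for host in hosts)
        elif name == "a":
            matched = str(ip) in lookup(argument or domain, "A")
        elif name in ("ip4", "ip6"):     # an address of the other family never matches
            matched = ip in ipaddress.ip_network(argument, strict=False)
        else:
            continue                     # include, exists, redirect: not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # nothing matched and no "all" term


if __name__ == "__main__":
    for ip, domain in [("192.0.2.10", "example.com"), ("203.0.113.5", "example.com"),
                       ("198.51.100.7", "example.net"), ("192.0.2.10", "example.org")]:
        print(domain, ip, check_host(ip, domain))
```

Only a "fail" result is an SPF failure in the sense the guide uses, so it is the one that would attract the SPF weight in the Intercept score; "none" (no record) and "neutral" leave the message to the other components, and "softfail" is the record owner saying the source is doubtful but not forbidden.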


Configuring SPF

To configure SPF

1. Select Security > Anti-Spam > Anti-Spam > SPF.

2. Select the Enable SPF check box.

3. Select the Strip incoming SPF headers check box to strip any “Received-SPF” header from incoming messages.

Spammers may attach their own forged SPF headers to create the impression that the email is from a legitimate source.

4. Select the Add outgoing SPF header check box to add an SPF header to the outgoing message.

DomainKeys

DomainKeys is a sender authentication technology used to prevent spammers from spoofing mail headers and launching phishing attacks. The sender of an email message is authenticated by querying the sending domain’s DNS records. The DomainKeys protocol allows server administrators to add a digital signature to their outgoing messages that can be validated via DNS.

The domain owner generates a public and private key pair to use for signing all outgoing messages. The public key is published in their DNS records and the private key is used to sign outbound messages. By verifying the signature in the headers of the email using the public key, the receiving host can verify that the email is originating from the legitimate mail server for that domain. This prevents spammers from sending forged emails. The WatchGuard XCS also supports the signing of outgoing messages with DomainKeys using the Policy engine.

DomainKeys actions only apply to incoming mail messages that have failed a DomainKeys check (such as an email message where the signature in the message header does not match the corresponding published DomainKeys record). If a specific mail server does not have an existing DomainKeys record then the message is processed normally. It is possible, however, that administrators may misconfigure their DNS DomainKeys records, resulting in false positives and legitimate hosts being blocked from sending you mail. The weight assigned to DomainKeys in the Intercept settings will be the score used by Intercept processing if the message fails a DomainKeys check.


Configuring DomainKeys

1. Select Security > Anti-Spam > Anti-Spam > DomainKeys Authentication.

2. Select the Enable DomainKeys Authentication check box to enable DomainKeys authentication.

3. Select the Strip incoming DK headers check box to remove Authentication-Results: headers attached to incoming messages.

This option protects against spammers who add a forged DomainKeys header to the message.

4. Select the Add Authentication Header check box to add an Authentication-Results: header to incoming messages after they have been processed and verified by DomainKeys.

5. Select the Temporary DNS Error check box to consider the message as spam in the event a DNS error prevents a DomainKeys lookup for a sender’s key.

6. Select from the following checks to apply to consider a message as spam:

• No Signature When Required — Consider the message as spam when there is no signature, even if the sender says they sign all messages.

• No Signature When Not Required — Consider the message as spam when there is no signature and the sender says they may not sign all messages.

• Invalid Signature — Consider the message as spam when the signature is invalid.

• Key Revoked — Consider the message as spam when the key used to sign the message is no longer valid.

• Invalid Message Syntax — Consider the message as spam when the signature cannot be checked because the message has invalid syntax.

• No Key — Consider the message as spam when the sending domain did not provide a key for the selector specified in the message.

• Bad Key — Consider the message as spam when the sending domain provides an unusable key.

These checks can also be performed for messages from senders who are testing their DomainKeys implementation by inserting a test flag into their DomainKeys DNS records. It is recommended that you use the default settings which permit more lenient checks to be performed against these test messages.

DomainKeys log messages

The response codes for DomainKeys processing will appear in the Mail Log as follows:

0 - Pass

1 - Neutral

2 - Fail

3 - Soft Fail

4 - Temporary Error

5 - Permanent Error

The logs will also indicate which DomainKeys check caused the error:

DomainKeys: [email protected], result=permerror(bad key)


DomainKeys outbound message signing

To enable signing of outgoing messages, the domain owner generates a public/private key pair. The system uses the private key to digitally sign each message, and the signature is added at the top of the message headers. The public key is then published in the domain’s DNS records. The receiving system can authenticate the message by querying the domain owner’s DNS records for the public key.

The WatchGuard XCS supports the signing of outgoing messages with DomainKeys using the Policy engine. This lets administrators enable signing only for those domains that have been configured in DNS for use with DomainKeys.
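What the signer actually signs, and why the DK List Headers and Canonicalization options in the steps below matter, as an added Python example. This is not WatchGuard's code: it implements the "simple" and "nofws" canonicalizations and the h= header-list selection from RFC 4870 (DomainKeys), builds the selector's DNS TXT name, and stops at the SHA-1 digest of the canonical text, which is the value the RSA private key would sign (the RSA step is omitted). The two messages, the selector name and the domain are constructed.

```python
import hashlib
import re

WHITESPACE = re.compile(r"[ \t\r\n]")


def parse_message(raw):
    """Split a message into ([(name, value)], body); folded header lines stay with their header."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:      # continuation line of a folded header
            name, value = headers[-1]
            headers[-1] = (name, value + "\n" + line)
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value))
    return headers, body


def select_headers(headers, h_list=None):
    """With a DK header list (the h= tag) only the named headers are signed, in list order."""
    if h_list is None:
        return headers                               # no list: every header after the signature
    wanted = [h.lower() for h in h_list]
    return [hdr for name in wanted for hdr in headers if hdr[0].lower() == name]


def canonicalize(raw, method="nofws", h_list=None):
    """Return the CRLF-terminated text the signature is computed over (RFC 4870 section 3.3)."""
    headers, body = parse_message(raw)
    lines = []
    for name, value in select_headers(headers, h_list):
        text = f"{name}:{value}"
        # nofws deletes every space, tab, CR and LF in the line; simple keeps the line as it is
        lines.append(WHITESPACE.sub("", text) if method == "nofws" else text.replace("\n", "\r\n"))
    body_lines = body.split("\n")
    if method == "nofws":
        body_lines = [WHITESPACE.sub("", line) for line in body_lines]
    while body_lines and body_lines[-1] == "":       # both methods drop trailing empty lines
        body_lines.pop()
    return "\r\n".join(lines + [""] + body_lines) + "\r\n"


def signing_digest(raw, method="nofws", h_list=None):
    """SHA-1 of the canonical text; in DomainKeys this is what the RSA private key signs."""
    return hashlib.sha1(canonicalize(raw, method, h_list).encode()).hexdigest()


def selector_record_name(selector, domain):
    """DNS TXT name at which the selector's public key is published."""
    return f"{selector}._domainkey.{domain}"


# Constructed sample: the message as the gateway signed it, and the same message
# after a relay added a Received header, re-folded the Subject and changed spacing.
SIGNED_HEADERS = ["From", "To", "Subject"]
ORIGINAL = ("From: alice@example.com\n"
            "To: bob@example.net\n"
            "Subject: Quarterly report\n"
            "\n"
            "Please find the report attached.\nRegards,\nAlice\n")
RELAYED = ("Received: from relay.example.org by mx.example.net\n"
           "From: alice@example.com\n"
           "To:  bob@example.net\n"
           "Subject: Quarterly\n report\n"
           "\n"
           "Please find the  report attached.\nRegards,\nAlice\n\n")

if __name__ == "__main__":
    print(selector_record_name("mail2010", "example.com"))
    for method in ("nofws", "simple"):
        same = signing_digest(ORIGINAL, method, SIGNED_HEADERS) == signing_digest(RELAYED, method, SIGNED_HEADERS)
        print(method, "survives relay reformatting:", same)
    print("without h= list, added Received header still verifies:",
          signing_digest(ORIGINAL, "nofws") == signing_digest(RELAYED, "nofws"))
```

With the header list and nofws, the relayed copy produces the same digest as the original, so the signature still verifies; with simple canonicalization the changed spacing breaks it, and without a header list the Received header added in transit breaks it even under nofws. That is the trade-off the guide describes for the DK List Headers and Canonicalization options.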

1. Select Configuration > Mail > DomainKeys.

2. Select the Allow DomainKeys Signing check box.

3. Select Security > Policies > Policies to edit an existing policy or to add a new policy.

The DomainKeys signing section appears in the Email tab of a policy.


4. Enable or disable DomainKey Signing for outbound messages in this policy.

5. Select the Remove Duplicate Headers check box to remove duplicate headers, such as Subject and To: fields, from the signature calculation.

Any headers listed with the “h=” tag in the DomainKeys header will be filtered for duplication and the corresponding headers will be removed from the message envelope. This option should only be enabled if experiencing issues with rejected messages due to duplicate headers.

6. Select the DK List Headers check box to add a list of the signed headers to the DomainKey-Signature: header.

It is recommended that this option be enabled. When enabled, only those headers listed will be used in verifying the signature. If this option is disabled, all headers following the signature will be used in verifying the signature, and any headers added by intermediary systems after the message is signed will cause the signature to be invalid. Disabling the option increases security, but can create a large number of invalid signatures because of headers added by intermediary systems.

7. The Canonicalization option specifies how white space characters are treated during signing.

The default is No Folding White Space, which ignores these characters during signing. This option is more lenient, so that messages reformatted in transit (for example, spaces or lines inserted into or removed from the message by intermediate systems between the signer and the receiver) still validate.

Selecting Simple keeps the signed message intact, including white space characters, so that any lines reformatted in transit will fail validation.

WatchGuard XCS

Intercept Anti-Spam

8. Set the Selector Name to use for DomainKeys signing.

9. Click the Edit List button to edit the DomainKeys Selector List .

A DomainKeys selector is a tag for a DNS record that others use to verify your DomainKeys signature. The tag can consist of any characters, such as upper and lower case letters, digits, dashes, and underscores. Each selector has an associated public and private key that can be generated by the system or via external methods. The selector is stored in a DNS TXT record with the name:

<selector>._domainkey.<your_domain>

10. Click the Add Selector button.

User Guide

11. Enter a descriptive Name for this selector.

12. In the Selector field, enter the tag name for this selector.

13. Select the Key Size for the generated key pair.

Larger keys result in a more secure implementation because they decrease the probability of the keys being compromised. It is recommended that a minimum key size of 1024 be selected.

14. Click Generate Key Pair to generate a private/public key pair.

The resulting keys will be displayed in the Private Key and Public Key sections.

15. Select the Testing check box to indicate that this DomainKeys DNS record is being used for testing only.

This allows the administrator to perform testing on the validity of their DomainKeys configuration. Receivers will generally be more lenient with verification errors if the sender is in testing mode.

16. In the Notes field, add any additional comments, such as listing reasons why a particular selector was revoked.
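As an added example that is not part of the WatchGuard guide, the following Python models the two canonicalization choices from step 7 (Simple and No Folding White Space) and shows why a message whose whitespace was altered in transit still verifies under nofws but not under simple. The sample message, the simplified nofws/simple rules implemented here, and the SHA-1 digest standing in for the RSA signature are all assumptions of this example.

```python
"""Simplified model of the DomainKeys "simple" and "nofws" canonicalizations.

Added example, not WatchGuard code. The rules below are a simplified reading
of the DomainKeys canonicalization rules; the real algorithm has more cases.
"""
import hashlib
import re

_WS = re.compile(r"[ \t]+")


def split_message(raw: str):
    """Split a raw message into (header_lines, body_lines).

    Accepts LF or CRLF line endings; the first empty line ends the header.
    """
    lines = raw.replace("\r\n", "\n").split("\n")
    if "" not in lines:
        return lines, []
    blank = lines.index("")
    return lines[:blank], lines[blank + 1:]


def unfold_headers(header_lines):
    """Join folded continuation lines (starting with SP or HT) to their header."""
    headers = []
    for line in header_lines:
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += line
        else:
            headers.append(line)
    return headers


def strip_trailing_empty(lines):
    """Drop empty lines at the end of the body (both canonicalizations do this)."""
    lines = list(lines)
    while lines and lines[-1] == "":
        lines.pop()
    return lines


def canonicalize(raw: str, method: str) -> bytes:
    """Return the bytes over which the signature digest is computed.

    simple: headers and body lines are used as-is; only trailing empty body
            lines are dropped, so any whitespace change breaks the signature.
    nofws:  folded headers are unfolded and every SP/HT is removed from each
            header and body line, so re-folding, doubled spaces and trailing
            spaces added in transit do not change the digest.
    """
    header_lines, body_lines = split_message(raw)
    if method == "simple":
        headers = header_lines
        body = strip_trailing_empty(body_lines)
    elif method == "nofws":
        headers = [_WS.sub("", h) for h in unfold_headers(header_lines)]
        body = strip_trailing_empty([_WS.sub("", b) for b in body_lines])
    else:
        raise ValueError(f"unknown canonicalization: {method}")
    return ("\r\n".join(headers + [""] + body) + "\r\n").encode()


def signature_digest(raw: str, method: str) -> str:
    """SHA-1 of the canonical form (DomainKeys signs this digest with RSA;
    the RSA step is left out of this example)."""
    return hashlib.sha1(canonicalize(raw, method)).hexdigest()


def still_verifies(signed: str, received: str, method: str) -> bool:
    """True if the received copy reproduces the digest that was signed."""
    return signature_digest(signed, method) == signature_digest(received, method)


# Constructed sample: the message as it left the signing system ...
SIGNED = (
    "From: alice@example.com\r\n"
    "Subject: Quarterly report\r\n"
    "\r\n"
    "Please find the figures attached.\r\n"
    "Regards,\r\n"
    "Alice\r\n"
)
# ... and the same message after an intermediary re-folded the Subject header,
# doubled a space, added a trailing space and appended an empty line.
IN_TRANSIT = (
    "From: alice@example.com\r\n"
    "Subject: Quarterly\r\n report\r\n"
    "\r\n"
    "Please  find the figures attached. \r\n"
    "Regards,\r\n"
    "Alice\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for method in ("simple", "nofws"):
        state = "valid" if still_verifies(SIGNED, IN_TRANSIT, method) else "INVALID"
        print(f"{method:6s}: signature {state}")
```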


DomainKeys DNS record

When the private/public key pair has been created, the system automatically generates a TXT record that you can add to your DNS server for DomainKeys signing. This record contains a copy of your public key, which receiving sites use to authenticate the digital signature in your outgoing messages.

A domain using DomainKeys (such as example.com) will have a new subdomain in its DNS, configured as “_domainkey” prefixed to the domain, such as “_domainkey.example.com”.

A typical DomainKeys DNS record is as follows:

selector._domainkey.example.com IN TXT "t=y; o=-; n=notes; [email protected]"

Administrators will add this data as a TXT record to their DomainKeys domain (_domainkey.example.com).

The first part is the name part of the record, and the text in quotes is entered as your TXT record data. The TXT data contains information on the DomainKeys policy, such as the following:

• o=- means all email from this domain is signed

• o=~ means some email from this domain is signed

• t means Test

• r to enter the responsible email address

• n to enter free form notes on the record

Public key records are identified by a specific Selector (which allows a domain to have more than one public key in DNS) and stored in separate TXT records under that DomainKeys domain name. For example, the previously defined "_domainkey.example.com" domain will contain a name entry for each selector, such as:

selector1

The corresponding TXT data consists of various options and the public key to be used, such as:

g=; k=rsa; t=y; p=MEwwPQRJKoZ…

The value after “p=” is the public key. There are also other fields available for granularity (g), test (t), and notes (n).
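As an added example that is not part of the WatchGuard guide, the following Python builds the selector record name and parses and checks the policy and key TXT records described in this section. The record values are constructed for the example and the p= value is a truncated placeholder, not a real public key; the findings it reports are this example's own checks.

```python
"""Parse and check DomainKeys DNS TXT records.

Added example, not WatchGuard code. Sample record values are constructed and
the p= key material is a truncated placeholder, not a real RSA public key.
"""
import base64

# Meaning of the o= tag in the domain policy record (_domainkey.<domain>)
POLICY_MEANING = {
    "-": "all email from this domain is signed",
    "~": "some email from this domain is signed",
}


def selector_record_name(selector: str, domain: str) -> str:
    """DNS name that holds a selector's public key: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"


def parse_dk_tags(txt: str) -> dict:
    """Parse 'tag=value; tag=value' TXT data into a dict.

    Empty values are kept: an empty p= means the selector's key was revoked.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = value.strip()
    return tags


def describe_policy(txt: str) -> dict:
    """Interpret a domain policy record (o=, t=, r=, n= tags)."""
    tags = parse_dk_tags(txt)
    return {
        "policy": POLICY_MEANING.get(tags.get("o", "~"), "unknown o= value"),
        "testing": tags.get("t") == "y",
        "responsible": tags.get("r", ""),
        "notes": tags.get("n", ""),
    }


def check_key_record(txt: str) -> list:
    """Check a selector key record; returns a list of findings (empty = OK)."""
    tags = parse_dk_tags(txt)
    findings = []
    if "p" not in tags:
        return ["no p= tag: this is not a DomainKeys key record"]
    if tags["p"] == "":
        return ["empty p=: this selector's key has been revoked"]
    if tags.get("k", "rsa") != "rsa":
        findings.append(f"unsupported key type k={tags['k']}")
    try:
        der = base64.b64decode(tags["p"], validate=True)
    except ValueError:
        findings.append("p= value is not valid base64")
        return findings
    # A SubjectPublicKeyInfo is a DER SEQUENCE, which starts with byte 0x30.
    if not der or der[0] != 0x30:
        findings.append("p= does not start with a DER SEQUENCE; not a SubjectPublicKeyInfo")
    if tags.get("t") == "y":
        findings.append("testing mode (t=y): receivers treat verification failures leniently")
    if tags.get("g", ""):
        findings.append(f"granularity g={tags['g']}: key is limited to matching local-parts")
    return findings


# Constructed samples matching the record shapes shown in this section.
POLICY_TXT = "t=y; o=-; n=notes; r=postmaster@example.com"
KEY_TXT = "g=; k=rsa; t=y; p=MEwwPQ=="   # truncated placeholder key
REVOKED_TXT = "k=rsa; p="

if __name__ == "__main__":
    print(selector_record_name("selector1", "example.com"))
    print(describe_policy(POLICY_TXT))
    for label, record in (("selector1", KEY_TXT), ("old-selector", REVOKED_TXT)):
        print(label, check_key_record(record) or ["OK"])
```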


Intercept Decision Strategy

The Intercept Decision Strategy allows administrators to alter the way in which Intercept processes messages for spam.


Highest Score

The Highest Score method uses the maximum score derived from all the scans that were processed. For example, if Mail Anomalies and DNS Block List are enabled, and DNS Block List results in the highest contributing score of all the scans, then that score is used.

Sum of Weights

The message is initially classified by taking the Token Analysis score, and the weight of any other enabled components with a spam score is then added.

The component weights should be adjusted to be lower than their default settings when using the Sum of Weights decision strategy.

Heuristic 1

Components are divided into objective and subjective categories. Objective components are DNS Block List, URL Block List, Mail Anomalies, ReputationAuthority Dial-up, SPF, and DomainKeys. Subjective components are Spam Words, Token Analysis, and ReputationAuthority reputation.

The message is classified initially by combining the subjective scores, and the classification is then adjusted by combining the objective scores. A baseline is established with a subjective filter. If Token Analysis scores a message at 60, a baseline of Maybe Spam is established. One additional objective filter that triggers will categorize the message as Probably Spam . Two objective filters will increase the level to Certainly Spam .

Heuristic 2

This strategy is similar to the Heuristic 1 strategy, except that the subjective component scores are weighted more heavily in the final decision than in Heuristic 1. In environments where there is no Token Analysis training on outbound legitimate mail (such as some evaluation scenarios), or for new installations, Heuristic 2 may result in an increase in false positives. In this case, administrators should use the Heuristic 1 strategy, which is identical to Heuristic 2 except that Token Analysis is deemphasized and additional Anti-Spam features must be triggered for a message to be considered Probably Spam or Certainly Spam . When using Intercept for the first time, it is recommended that Heuristic 1 be used until a suitable amount of training has been accumulated before switching to Heuristic 2 .

Statistical

Scans are processed independently and the resulting score represents the probability that a message is spam based on statistical computation of the results.


Bayesian

Scans are processed independently and the resulting score represents the probability that a message is spam based on Bayesian computation of the results.

Statistical and Bayesian strategies are experimental, and should only be used in a test environment.

Recommended strategy

It is recommended that administrators choose the Heuristic 2 decision strategy. This is a passive strategy that is effective for most environments providing an excellent spam catch rate with a very low chance of false positives.

When using Intercept for the first time, it is recommended that Heuristic 1 be used until a suitable amount of training has been accumulated before switching to Heuristic 2 .

Choosing the wrong strategy for your environment could result in false positives and a lower spam capture rate.


Intercept Component Weights

Administrators can customize the Intercept engine by configuring the weights for each Intercept component that will help determine the final spam score for a message. These values represent the scores that will be used if that component is triggered.

For example, if a mail message triggers a DNS Block List, the spam score contribution for that message will be the defined weight, such as 80.

The final result of these scores is decided by your selected Decision Strategy, such as Highest Score or Heuristic 2 .

Valid weights for each component are from 0 to 100. Set the weight to “0” if you want that feature to have no bearing on the final spam score of a message. Set this value to “100” if you want this component to have a strong weight on the final spam score of a message.

The default component weights are recommended, and any modifications to these weights should be performed with careful consideration.

To configure Anti-Spam component weights:

1. Select Security > Anti-Spam > Anti-Spam .

2. Set the weight for each component.

A value of 0 means that the component is a completely unreliable indicator of spam. A value of 100 means that this component is a completely reliable indicator of spam.
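As an added example that is not part of the WatchGuard guide, the following Python models how the Highest Score, Sum of Weights and Heuristic 1 strategies combine component weights into a verdict, using the objective/subjective split and the "Token Analysis 60 = Maybe Spam" case from the strategy descriptions above. The default weights (apart from the 80 given for DNS Block List), the score-to-level thresholds, the use of the highest subjective score as the Heuristic 1 baseline and the 100-point cap are this example's assumptions.

```python
"""Model of three Intercept decision strategies over component weights.

Added example, not WatchGuard code. Only the 0-100 weight range, the
DNS Block List weight of 80 and "Token Analysis 60 = Maybe Spam" come from
the guide; the other weights, thresholds and tie-breaks are assumptions.
"""

OBJECTIVE = {"DNS Block List", "URL Block List", "Mail Anomalies",
             "ReputationAuthority Dial-up", "SPF", "DomainKeys"}
SUBJECTIVE = {"Spam Words", "Token Analysis", "ReputationAuthority reputation"}

# Assumed weights for triggered components (0-100). Token Analysis has no
# fixed weight: it contributes the score it computes for the message.
DEFAULT_WEIGHTS = {
    "DNS Block List": 80, "URL Block List": 70, "Mail Anomalies": 60,
    "ReputationAuthority Dial-up": 80, "SPF": 50, "DomainKeys": 50,
    "Spam Words": 60, "ReputationAuthority reputation": 70,
}

LEVELS = ["Not Spam", "Maybe Spam", "Probably Spam", "Certainly Spam"]
# Assumed score thresholds for the levels above (Not Spam below 50).
THRESHOLDS = [(90, "Certainly Spam"), (70, "Probably Spam"), (50, "Maybe Spam")]


def score_to_level(score: int) -> str:
    """Map a 0-100 spam score to a verdict level."""
    for floor, level in THRESHOLDS:
        if score >= floor:
            return level
    return "Not Spam"


def _validate(token_score, triggered, weights):
    if not 0 <= token_score <= 100:
        raise ValueError("token_score must be 0-100")
    for comp in triggered:
        if comp == "Token Analysis":
            raise ValueError("pass the Token Analysis result as token_score")
        if comp not in OBJECTIVE | SUBJECTIVE:
            raise ValueError(f"unknown component: {comp}")
        if not 0 <= weights[comp] <= 100:
            raise ValueError(f"weight for {comp} must be 0-100")


def highest_score(token_score, triggered, weights=DEFAULT_WEIGHTS) -> int:
    """Highest Score: the single largest contribution decides."""
    _validate(token_score, triggered, weights)
    return max([token_score] + [weights[c] for c in triggered])


def sum_of_weights(token_score, triggered, weights=DEFAULT_WEIGHTS) -> int:
    """Sum of Weights: Token Analysis score plus every triggered weight,
    capped at 100 (assumed). With default weights one objective hit on top of
    a mid-range token score already saturates, which is why the guide says to
    lower the weights for this strategy."""
    _validate(token_score, triggered, weights)
    return min(100, token_score + sum(weights[c] for c in triggered))


def heuristic1(token_score, triggered, weights=DEFAULT_WEIGHTS) -> str:
    """Heuristic 1: baseline from the subjective components (assumed: the
    highest subjective score), then one level up per triggered objective
    component, never beyond Certainly Spam."""
    _validate(token_score, triggered, weights)
    subjective = [weights[c] for c in triggered if c in SUBJECTIVE]
    baseline = score_to_level(max([token_score] + subjective))
    objective_hits = sum(1 for c in triggered if c in OBJECTIVE)
    index = min(LEVELS.index(baseline) + objective_hits, len(LEVELS) - 1)
    return LEVELS[index]


def decide(strategy: str, token_score: int, triggered, weights=DEFAULT_WEIGHTS) -> str:
    """Return the verdict level for the named strategy."""
    if strategy == "Highest Score":
        return score_to_level(highest_score(token_score, triggered, weights))
    if strategy == "Sum of Weights":
        return score_to_level(sum_of_weights(token_score, triggered, weights))
    if strategy == "Heuristic 1":
        return heuristic1(token_score, triggered, weights)
    raise ValueError(f"strategy not modelled here: {strategy}")


if __name__ == "__main__":
    # Constructed message: Token Analysis scored 60 and DNS Block List triggered.
    for strategy in ("Highest Score", "Sum of Weights", "Heuristic 1"):
        print(f"{strategy:15s} -> {decide(strategy, 60, ['DNS Block List'])}")
```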


Intercept Plug-in for Exchange

The Intercept plug-in is installed on a Microsoft Exchange server to allow messages processed by the WatchGuard XCS to be assigned an SCL (Spam Confidence Level) rating. The SCL rating is used by Exchange to classify messages in terms of how likely they are to be spam. The rating is based on a scale from 0 to 9, where 9 indicates the message is most likely spam, and 0 indicates a legitimate message.

Each Intercept feature, if enabled, will provide information to the Intercept plug-in running on the Exchange server and map the Intercept Anti-Spam score values to an equivalent SCL rating. When the SCL rating for a message is determined, a configurable action can be taken depending on the thresholds set in the plug-in.

The Intercept Anti-Spam message header must be enabled to pass message spam information to the Exchange plug-in.

A Gateway Blocking Threshold can be set to take an action on a message before it is delivered to a user’s inbox on their Outlook client. The message can be deleted (with no notification), rejected (with notification), or no action taken. This allows administrators the ability to stop messages with very high SCL ratings from being delivered to a user’s mailbox.

It is recommended that you do not reject mail at the Exchange level. Administrators should set the action for the Gateway Blocking Threshold to be No Action , and then set an appropriate Store Threshold to allow the end users to manage their spam and legitimate mail via the Outlook mail client’s Junk Email Folder. Messages with very high spam scores should be rejected at the WatchGuard XCS level.

A separate Store Threshold can be configured that sets a specific SCL rating value; messages with a rating equal to or above this value are automatically delivered to a user’s Junk Email folder instead of the inbox in their Outlook client. In addition, users of the Outlook and OWA 2003 clients can define Safe Senders and Blocked Senders to trust and block email addresses and domains.

The Intercept Plug-in for Exchange can be downloaded via the link on the main Intercept Anti-Spam screen.

The Plug-in can also be obtained from WatchGuard’s support site.

The Intercept Plug-in for Exchange requires the following versions of software:

• Microsoft Windows 2000 (or greater) Server

• Microsoft Exchange 2003 (SP1 or SP2). The plug-in should be installed on the Front End or Bridge Head server, not a back end server.

Please see the Intercept Plug-in for Exchange Installation and User Guide for detailed instructions on how to install and configure the plug-in.


8 Web Scanning

Web Scanning Overview

The WatchGuard XCS incorporates a Web Proxy that allows the system to manage web traffic and control access to external web sites. The system can scan web traffic using a subset of the same scanners that examine email messages to inspect the content of web traffic and file transfers. The system’s policy features can allow web access policies to be applied to different users, groups, and domains.

The Web Proxy can analyze client requests and allow or block access to specific web sites based on the configured access policies. The Web Proxy can block or allow access to web sites using Fully Qualified Domain Names (FQDN) such as http://www.example.com and IP addresses such as http://10.1.0.10/.

Web Content Inspection

The Web Proxy inspects downloaded and uploaded content using the following scanning features:

• Kaspersky Anti-Virus — Scans for viruses in downloaded and uploaded files.

• URL Block Lists — Blocks access to web sites that appear on a URL Block List.

• Objectionable Content Filter (OCF) — Scans web traffic for objectionable content based on a dictionary of blocked words and phrases.

• Attachment Control — Allows or blocks specific file MIME types.

• Content Scanning — Allows or blocks files based on specific text content within a file.

• URL Categorization — Blocks web sites based on a list of blocked web site content categories.

• HTTP Blocked Sites List — Blocks web sites based on a configurable list of web sites managed by the administrator.

Content inspection is not performed on HTTPS traffic.

You can configure a different action for each scanner, such as Reject (default) to reject the request, or Just Log to allow the request and log the issue in the Web Proxy log.


Web Proxy authentication

Administrators can allow unauthenticated access for all users of the Web Proxy, or require authentication before access to external web sites is allowed. If authentication is enabled, all end users that use the Web Proxy must be authenticated via LDAP or have a local account to use the proxy.

Local account authentication cannot be used if the system is part of a cluster, as Local accounts are not available in a cluster.

Users must authenticate to the system using their LDAP User ID or local account credentials and password.

This denies all access unless the user has authenticated to the system. If all users are allowed access without authentication, these users can only use the default policy.

Single sign-on IP address-based authentication

The Web Proxy provides a way for users to log in only once to authenticate to the Web Proxy and browse web sites. The authenticated user will be tracked by their IP address and users will never have to re-authenticate during their browser sessions. IP-based authentication also allows authentication to be enabled when using the Web Proxy in Transparent Mode.

An IP Address Portal Authentication method is also available that presents the user with a login portal page where they will enter their local or LDAP user name and password and agree to a usage policy agreement before being allowed access to browse web sites. The Portal authentication method uses HTTPS to protect the transmission of the user’s credentials.

Single sign-on IP address and portal authentication notes

Note the following when using Proxy and Portal IP address-based authentication on the Web Proxy:

• Users can log out of their authenticated sessions using the URL: http://<hostname>/portal/logout

• Users will have to re-authenticate to the Web Proxy if they receive a different IP address from a DHCP server when their IP address is renewed.

• Ensure that no intermediary proxies are installed before the Web Proxy, as clients must have a unique IP address to be identified for IP-based authentication. Clients that connect via another proxy will be using the IP address of the intermediary proxy server.

TrafficAccelerator

The rapid growth of large, media-intensive interactive and collaborative web sites requires greater bandwidth, which can overload corporate networks.

The WatchGuard TrafficAccelerator solution provides several Web traffic enhancements to reduce bandwidth consumption, server loads, and network latency, resulting in better network performance and availability. The WatchGuard TrafficAccelerator includes the following features:

• Web Caching — The Web caching feature of the WatchGuard TrafficAccelerator solution enables faster retrieval of Web sites by providing temporary storage of web data. This feature reduces bandwidth consumption and improves performance for subsequent accesses of these web sites because the data and images will be read from the disk cache instead of going out to the Internet.

See “Web Cache” on page 224 for detailed information on configuring the Web Proxy cache.

• Streaming Media Bypass — For managing streaming media traffic, the WatchGuard TrafficAccelerator has the ability to bypass streaming media content to reduce the strain on bandwidth resources. See “Web streaming Media Bypass” on page 226 for more detailed information on configuring the system’s streaming media support.


• Download and Upload File Limits — The WatchGuard TrafficAccelerator’s management and policy settings for file uploads and downloads provide the ability to block or bypass files when the limits are exceeded. This prevents users from uploading or downloading large files that consume network bandwidth. See “HTTP upload and download limit” on page 238 for more detailed information on setting upload and download limits in web policies.

Web Proxy chaining

The Web Proxy supports proxy chaining to a remote proxy server. This allows the system to forward requests to another proxy server in an organization’s network before connecting to the Internet. This may be required in some environments where a primary proxy server must be accessed before traffic is allowed outside of the organization’s network. Basic authentication can be used with a remote proxy.

Automatic client web proxy configuration

Organizations that want to enforce the use of a proxy policy without having to manually configure each individual browser can use the following methods for automatic proxy configuration:

• Proxy Auto-Config (PAC) file — A Proxy Auto-Config (PAC) file defines how a web browser can automatically choose an appropriate proxy server to connect to. The PAC file is a script file that browsers read and execute to determine which proxy to use.

• Web Proxy Autodiscovery Protocol (WPAD) — The Web Proxy Autodiscovery Protocol (WPAD) is supported by most web browsers to locate a Proxy Auto-Config (PAC) file automatically and then use this information to configure the browser's web proxy settings. The protocol can use DHCP or DNS to locate the PAC file.

Web Proxy best practices

The following notes describe some best practices to follow when implementing the Web Proxy for the first time.

• We recommend that you run the system for at least 24-48 hours with minimal scanning enabled before enabling threat and content control scanning on web traffic. This allows the web cache to be populated and will increase performance when accessing web content. After this initial period, enable threat and content control scanners as required.

• DNS caching should be enabled to increase Web Proxy performance. This is enabled by default in Configuration > Network > Interfaces .

• Make sure that the Large MTU setting is enabled on the network interface designated for HTTP Proxy access.

• When configuring the Web Proxy in Transparent Mode, make sure that the Large MTU setting is enabled on the network interface configured as the Bridge In interface. You must enable the HTTP Proxy and reboot the system before you can enable bridging and Transparent Mode on the network interfaces.

• Ensure that your local DNS server is configured and functioning. Misconfigured DNS services and domain name translation issues can significantly decrease Web Proxy performance or cause the Web Proxy to stop functioning.

• If you enable the URL Categorization feature, it may take several minutes for the initial URL Categorization Control List to be downloaded. While the Control List is downloading, HTTP traffic will not be processed and users may receive policy error messages when web browsing. When the update is complete, HTTP traffic processing will resume. It is recommended that you do not start processing HTTP traffic until this initial download process is complete.


Web Proxy support and limitations

The Web Proxy supports the following types of requests:

• HTTP 1.0 and 1.1

• HTTP pipelining

• HTTP keep-alive messages

The following are current limitations with the Web Proxy:

• HTTPS traffic passes through the proxy, but the content is not decrypted, scanned, or analyzed.

• FTP over HTTP is not supported when using the Web Proxy.

• Clustering is not supported in Transparent Mode. A Web Proxy running in Transparent Mode can be clustered with a non-Web Proxy system, such as a WatchGuard XCS system processing email.

Deployment

The following sections describe several different deployment models for the Web Proxy.

Full proxy parallel deployment

The Web Proxy can be deployed in parallel with an existing network firewall using two network interfaces. The HTTP ports (such as port 80) must be closed off to end clients by the network firewall to prevent them from circumventing the proxy.

Web clients must be manually reconfigured to use the system as their web proxy, such as hostname.example.com:8080. Otherwise, you must employ proxy auto-discovery or other HTTP traffic redirection using routers or traffic manager devices.

The Full Proxy Parallel Deployment is the recommended Web Proxy deployment model.


Advantages

• Requires no additional performance overhead on the Web Proxy as it is only processing Web traffic

• Simple to deploy and troubleshoot connection issues

• System is located securely outside of the internal network

• System can be clustered with another WatchGuard XCS running web or email

• Automated failover with no network downtime

Disadvantages

• Need to set up Proxy auto-discovery using PAC Files/WPAD to point to the WatchGuard XCS

Internal network deployment

The Web Proxy can be deployed on the internal network connected with one network interface. The firewall must block HTTP traffic to prevent network clients from circumventing the proxy. These ports must be opened up for the Web Proxy only. Each internal client must be manually reconfigured to use the system as their web proxy, such as hostname.example.com:8080. Otherwise, you must employ proxy auto-discovery or other HTTP traffic redirection using routers or traffic manager devices.

Advantages

• Requires no additional performance overhead on the system

• Simple to deploy and troubleshoot connection issues

Disadvantages

• Need to set up proxy auto-discovery using PAC Files/WPAD to point to the WatchGuard XCS


Transparent mode deployment

The Web Proxy offers a Transparent Mode to integrate the system more easily into existing environments with minimal network reconfiguration. This method requires no network reconfiguration and the implementation is transparent to clients.

In a typical Transparent Mode implementation, the Web Proxy system is installed between the primary internal switch or router and an existing network firewall to act as a bridge for all non-local traffic, except selected web traffic that is examined by the Web Proxy. The system listens for web traffic on port 80 and any specific HTTP requests will be processed by the Web Proxy for security threat processing and content filtering before allowing the requests through.

When Transparent Mode is enabled, the HTTP Proxy port must use port 80.


The administrator must specify two network interfaces that will be used for bridging and the single IP address that will be shared for the bridge. One of these interfaces ( Bridge In ) will connect to the primary internal router or switch (LAN side), and the other interface ( Bridge Out ) will connect to the network firewall.

Traffic that is bridged through the Web Proxy is not examined or modified. Traffic examined by the Web Proxy is modified so that it appears to have come from the local IP address of the Web Proxy. This way, returning traffic will be recognized and properly processed for security threats and content filtering.

Advantages

• Offers a simple and seamless deployment. No network or client system reconfiguration is required.

Disadvantages

• All network traffic is sent through the Web Proxy, which may not be preferable depending on the network environment.

• Packet inspection is performed on all traffic to determine if data should be proxied or bridged, which can add performance overhead on the Web Proxy.

• The default port for HTTP traffic (port 80) cannot be modified in Transparent Mode.

• Only IP-based Proxy or Portal authentication can be used when in Transparent Mode.

• Clustering with other Web Proxy systems is not supported in Transparent Mode. A Web Proxy running in Transparent Mode can be clustered with a non-Web Proxy system, such as a WatchGuard XCS system processing email.

• If the system fails, all network traffic is stopped.


The following diagram illustrates the most basic Transparent Mode implementation where the Web Proxy sits inline between the primary internal router and the network firewall.

• The bce0 network interface is designated the Bridge In interface and connects to the LAN side internal router. This interface must have an IP address assigned and have HTTP/HTTPS Proxy access enabled. This interface IP address will be the address for the entire bridge.

• The bce1 network interface is designated the Bridge Out interface and connects to the network firewall. This interface does not require any IP address configuration, and will be automatically configured for use with the bridge.

• The em0 network interface has been designated for admin access, to secure access to the system and prevent admin access via the bridge interfaces. The Bridge In interface can be used for admin access if required.

• The network gateway for the Web Proxy will be the address of the network firewall.

• Static routes must be created on the Web Proxy that point to your internal router networks. This is required because the web traffic will use the IP addresses on the bridge interfaces when proxying. The interface will need the network addresses to be able to route the traffic back to the internal subnetworks.


Configure the Web Proxy

To enable and configure the Web Proxy:

1. Select Configuration > Web > HTTP/S Proxy .


2. Select the Enable HTTP/HTTPS Proxy check box.

The HTTP Proxy must be enabled and the system rebooted before configuring the network interfaces for bridging and Transparent Mode operation.

3. Enter the Proxy Port on which the Web Proxy will listen for requests.

The default is port 8080. If this system is running in Transparent Mode, the default port is 80 and this option is not available.

4. Select the Authentication Type .

See “Web Proxy Authentication” on page 221 for detailed information on configuring Web Proxy authentication.

5. Select the Session Timeout settings.

Using IP Address Proxy or Portal Authentication mode, you can set a session expiry timeout that will force the user to re-authenticate when the timeout value has been exceeded.

• Never — The user’s session will never expire. This is persistent even if the system is restarted.

• Expire — The user’s session will expire after the specified time period (in days and hours). The user will be required to re-authenticate when the session has expired.

6. In the Allowed Networks section, enter a comma-separated list of networks (in CIDR format) that will be allowed to access the Internet via the Web Proxy, such as: 10.0.0.0/8,192.168.0.0/24.

This field cannot be left blank. If you want to allow all networks, use 0.0.0.0/0.

7. Enter an optional Remote Proxy URL of an external proxy server that the system must forward requests to.

This is required if the system connects through an intermediary proxy server before requests are sent to the Internet. Enter a URL using the form http://hostname:port, such as http://proxy.example.com:8080. Leave this field blank if the system will connect directly to the Internet.

8. If you have configured a remote proxy that requires basic authentication, select Basic Proxy Authentication in the Remote Proxy Auth Type drop-down field.

Enter the Remote Proxy Username and Remote Proxy Password that will be used to authenticate this system with the remote proxy. Ensure that the specified username is properly configured on the remote proxy.


Transparent Mode

To enable the Web Proxy in Transparent Mode:

1. Select Configuration > Web > HTTP/S Proxy .

2. Select the Enable HTTP/HTTPS Proxy check box, and click Apply .

The system must then be rebooted.

The HTTP/HTTPS Proxy must be enabled and the system rebooted before configuring the network interfaces for Transparent Mode operation. If Transparent Mode is enabled and the HTTP/HTTPS Proxy disabled, network traffic on port 80 is blocked and the Web Proxy will not log any information.

The default port for HTTP traffic (port 80) cannot be modified in Transparent Mode.

3. Select Configuration > Network > Interfaces .

4. Make sure that the Bridge In network interface is configured with an appropriate IP address, and that the HTTP/HTTPS Proxy and Large MTU options are both selected.

5. Select the Enable Bridging check box.

This option must be enabled for Transparent Mode to work properly.


6. Select a configured network interface to be used as the Bridge In interface for Transparent Mode.

For greater security and performance, this interface should be on a dedicated, non-routable subnet.

This interface must be configured with an IP address and have the HTTP/HTTPS Proxy access and Large MTU options enabled before selecting it as the Bridge In interface.

7. Select an unconfigured network interface to be used as the Bridge Out interface for Transparent Mode.

For greater security and performance, this interface should be on a dedicated, non-routable subnet.

This interface does not require an IP address and will be configured automatically for use with the bridge.

8. Select the Enable Transparent Mode check box.

9. Click Apply to save the network settings.

The system must be rebooted for the configuration to take effect.


Disabling the Web Proxy in Transparent Mode

To disable the Web Proxy feature, but still allow all traffic (including HTTP port 80) to pass through the system while in Transparent Mode:

1. Select Configuration > Network > Interfaces .

2. For the Bridge In interface, disable the HTTP/HTTPS Proxy option.

3. Click Apply .

The system must be rebooted to apply the configuration.

4. When the system restarts, all network traffic will pass through the system and no Web Proxy functions will be performed or logged.

If Transparent Mode is enabled, but the HTTP/HTTPS Proxy is disabled, all port 80 HTTP traffic will be blocked, and no logging of HTTP traffic will occur.

Web Proxy network interface settings

Web Proxy access must be enabled on a specific network interface after the Web Proxy feature has been enabled globally.

The HTTP/HTTPS Proxy feature must be enabled and the system rebooted before configuring the network interfaces for bridging and Transparent Mode operation.

To enable the Web Proxy on a network interface:

1. Select Configuration > Network > Interfaces .

2. Choose a network interface and select the HTTP/HTTPS Proxy check box.

3. If IP Address Proxy or Portal Authentication is enabled, you must make sure the Admin & Web User Login option is enabled to allow users to authenticate via the Web Proxy.

4. Make sure that the Large MTU setting is enabled on the network interface designated for HTTP Proxy access.

5. If using the Transparent Proxy feature, the Bridge In interface must have the HTTP/HTTPS Proxy access and Large MTU check boxes enabled and have an IP address assigned.


Web Proxy Authentication

If Web Proxy authentication is enabled, users must authenticate to the system using a user name and password.

Authentication can be set up in one of the following ways:

• Local Account — A local account (created via Administration > Accounts > Local Accounts ) can be set up on this system to authenticate Web users. Local account authentication cannot be used if the system is part of a cluster, as Local accounts are not available in a cluster.

• LDAP Web Users — When users log in to the Web Proxy, they can be authenticated directly with an LDAP server via Configuration > LDAP > Web Users . This method is described in the next section.

Configuring LDAP Web User authentication

The LDAP Web Users feature allows LDAP-authenticated clients to use the system’s Web Proxy feature. These client systems must use a login name and password to authenticate to an LDAP server before being allowed to use the Web Proxy. LDAP Authentication allows the system to authenticate the user directly to an LDAP directory server without the need to create a local account.

When a user is successfully authenticated with the LDAP server, the result is saved in an LDAP authentication cache on the system for 300 seconds. Subsequent requests for that user are answered from the cache instead of the LDAP server, for faster response and to keep the LDAP server from being overloaded with authentication requests. After 300 seconds have expired, the Web Proxy authenticates against the LDAP server again and caches the result if authentication succeeds. A consequence to plan for: a password change or account disablement in the directory does not affect a user who has already authenticated until the cached entry expires, so it can take up to 300 seconds to take effect.

To configure LDAP authentication for HTTP web users:

1. Make sure a Directory Server is configured via Configuration > LDAP > Directory Servers .

2. Select Configuration > LDAP > Web Users .

3. Select a method, and then click Add to add an entry.

You can use only one method, Bind or Query Direct, for all defined LDAP servers; the two cannot be mixed. The Bind method works only with Active Directory and iPlanet implementations. The Query Direct method works only with OpenLDAP.

• Bind — Authenticates the user by binding to the LDAP server with the User ID and password; a successful bind means the credentials are valid. The Query Filter must specify the User ID with a %s variable, such as (sAMAccountName=%s) for Active Directory. The Result Attribute must be a User ID attribute such as mail. Enter the values specific to your LDAP environment. For iPlanet, use uid=%s for the Query Filter and mail for the Result Attribute.

• Query Direct — Queries the LDAP server directly for the user's entry and compares the password. The Query Filter must specify the user ID, and the Result Attribute must specify the password attribute. For OpenLDAP, use (&(ObjectClass=inetOrgPerson)(cn=%s)) for the Query Filter and userPassword for the Result Attribute. Because the password attribute is read out of the directory and compared on the WatchGuard XCS, the directory account used for the search must be permitted to read userPassword, and that stored value leaves the directory on every authentication. Prefer Bind wherever the directory supports it, since the comparison then stays inside the directory.

For either method, access will be refused if the LDAP server direct query or bind attempt fails for any reason, such as an invalid user name or password, bad query, or if the LDAP server is not responding.

If your organization has multiple LDAP domains, or if the domain of the WatchGuard XCS is different from the LDAP domain, the Bind method of LDAP authentication must be used for Web User authentication. For example, for Active Directory the LDAP Query Filter should match on the user name attribute, sAMAccountName, and the Result Attribute should be mail. This ensures proper matching of user, domain, and group policies for the LDAP user.

4. Select a Directory Server to perform the search.


5. The Search Base is taken from the Search Base setting in Configuration > LDAP > Directory Servers.

Make sure that the Search Base string includes complete information specific to your LDAP hierarchy, such as cn=users,dc=example,dc=com.

6. Enter the Scope of the search. Options are Base, One Level, and Subtree.

• Base — Searches the base object only.

• One Level — Searches objects one level beneath the base object, but excludes the base object.

• Subtree — Searches the entire subtree of which the base distinguished name is the topmost object, including that base object.

7. Enter the Query Filter for the LDAP lookup, such as (sAMAccountName=%s) for Active Directory implementations.

For OpenLDAP, use (&(ObjectClass=inetOrgPerson)(cn=%s)) . For iPlanet, use uid=%s .

8. Enter the Result Attribute that returns the user’s account, such as mail for Active Directory implementations.

For OpenLDAP, use userPassword . For iPlanet, use mail .

9. Enter the maximum Timeout interval, in seconds, to wait for the search to complete.

Valid values are from 1 to 100 seconds. The default is 5.

10. Use the Test button to perform a test of the LDAP Authentication configuration.

11. Click Apply .

Enabling web proxy authentication

To enable Web Proxy authentication:

1. Select Configuration > Web > HTTP/S Proxy .


2. Select the Authentication Type:

• No Authentication — Disables authentication and allows all users access to web sites via the Web Proxy. Note that if No Authentication is selected, these clients always use the Default Policy.

• Basic Authentication — Only allows authenticated users access to web sites via the Web Proxy. The user must have a local account or must be authenticated directly against an LDAP server, and must log in with that local or LDAP user name and password before connecting to web sites via the Web Proxy. With Basic Authentication the credentials are sent using basic HTTP authentication in clear text (base64 encoding is not encryption, so anyone who can observe the proxy traffic can read them). The user must enter their credentials for each browser session. Basic Authentication mode is not supported when using the Web Proxy in Transparent Mode.


• IP Address Proxy Authentication — Only allows authenticated users access to web sites via the Web Proxy. The user must have a local account or must be authenticated directly against an LDAP server, and must log in with that local or LDAP user name and password before connecting to web sites via the Web Proxy. With the Proxy Authentication method the credentials are sent using basic HTTP authentication in clear text. The system then tracks the user by IP address, and the user is never asked again for credentials in any current or new web browser session. This mode is supported when using the Web Proxy in regular proxy mode and in Transparent Mode.

• IP Address Portal Authentication — Only allows authenticated users access to web sites via the Web Proxy. Users are presented with a web proxy login portal page where they enter their local or LDAP user name and password and must agree to a usage policy agreement before being allowed to browse web sites. (The usage policy agreement can be customized in the Configuration > Miscellaneous > Customization screen.) The Portal Authentication method uses HTTPS to protect the transmission of the user's credentials. The system then tracks the user by IP address, and the user is never asked again for credentials in any current or new web browser session. This mode is supported when using the Web Proxy in regular proxy mode and in Transparent Mode.

Because both IP address-based methods key the session to the client IP address, every user behind that address (a NAT device, a terminal server, a shared workstation) inherits the first user's authenticated session and policy. On shared systems, have users log out (see "Web Proxy authentication logout" below) or flush the sessions when a user leaves.

When using the IP Address-based Proxy and Portal Authentication methods, you must enable the Admin & Web User Login option on the HTTP Proxy network interface to allow users to authenticate via the Web Proxy. If using IP Address-based authentication in regular proxy mode, additional configuration is required on the client browser to route authentication requests properly. See "IP authentication browser configuration mode" on page 228 for details.

Web Proxy authentication logout

Web Proxy Portal and Proxy authenticated users can log out of their sessions. This is useful for shared computers used by several different users, to ensure that each user browses under their own Web Proxy policies. When the user logs in to the Web Proxy Portal Authentication page, a URL is displayed that takes the user to the portal logout screen, where <my_hostname> is the address of the WatchGuard XCS running the Web Proxy. This URL should be bookmarked in the client web browser:

http://<my_hostname>/portal/logout

For Proxy authenticated users who do not use the Portal, the administrator must provide this URL to the end users.


Flush all web single sign-on sessions

To force a logout of all Portal and Proxy IP address-based authenticated users, you can flush all authenticated sessions via the Status & Utility screen. Web Proxy users must re-authenticate before being allowed access to web sites via the Web Proxy.

In a cluster, the Flush button will be available only on the Primary cluster system.

1. Select Activity > Status > Status & Utility .

2. Next to Flush Web Single Sign-On Sessions , click the Flush button.

3. The system will flush all Web Proxy authenticated sessions for both Proxy and Portal IP address-based authenticated users.

Web Cache

The Web Proxy utilizes a disk cache that caches data and images from web sites accessed by users of the Web

Proxy. This feature reduces bandwidth consumption and improves performance for subsequent accesses of these web sites, as the data and images will be read from the disk cache instead of going out to the Internet to retrieve the data. When a request is received, the system compares its cached data with the requested web site to make sure it has the latest data to update the disk cache with any web site updates. Any access of cached data will still be sent to the Web Proxy content scanners, as different users may have different HTTP content policies applied to them.

We recommend that the system be run for at least 24-48 hours with minimal scanning enabled before enabling Anti-Virus and deep content scanning on HTTP traffic. This allows the web cache to be populated and increases performance when accessing web content. After this initial period, enable Anti-Virus and content control scanners via policies, as required.

All file types are cached depending on the web server HTTP directive that identifies what files are allowed to be cached. For example, HTTP redirects and cookies are not cached for security reasons. There is no limit to the size of a file that can be cached. By default, the web disk cache is purged every 5 days which removes any files that are older than 5 days. Data in the cache older than 1 day is truncated to less than 5MB in size for each cached domain to ensure that cached data does not take up a large amount of disk space. These default values ensure that the cache size does not grow too large and affect system performance.


To configure the advanced Web Proxy cache settings:

1. Select Configuration > Web > HTTP/S Proxy .

2. Click the Show Advanced Options link.

• Cache Expiry Time — Indicates how long (in days) files reside in the web cache until they are expired and purged. The default is 5 days, meaning files older than 5 days are removed from the cache.

• Cache Truncate Time — Indicates the period (in days) after which data in the web cache is truncated to the value specified in the Cache Truncate Size option. The default is 1 day.

• Cache Truncate Size — Indicates the size threshold (in MB) to which data in the web cache is truncated for each cached domain. The default is 5 MB.

3. Click Apply .

These settings are advanced options and should only be modified with guidance from Technical Support. Misconfiguration can negatively affect performance.

Web cache disk usage

The web disk cache is located in the local mail storage area. To view the details of this disk partition:

1. Select Activity > Status > Status & Utility .

2. In the Disk Usage section, the Mail Storage Area indicates the percentage of disk space used and the space available in the web disk cache. If you store local mailboxes on the server, this partition will also include stored local mail.

Flushing the web cache

The system is set to automatically purge the web cache every 5 days by default (configurable via Configuration > Web > HTTP/S Proxy) to remove all files that are older than 5 days.

The Activity > Status > Status & Utility screen provides the administrator with the ability to manually purge the web cache. Administrators may need to purge the entire web cache to resolve issues with certain web pages not updating with newer content, or issues connecting to specific web sites.

To flush the web cache:

1. Select Activity > Status > Status & Utility.

2. Go to the Utility Functions section.


3. Next to Flush Web Cache , click the Flush button.

This will completely empty the web cache and restart the Web Proxy services.

Flush domain web cache

The Web Cache can also be flushed for a single domain. The domain must be entered exactly as it is accessed, for example www.example.com or news.example.com. Subdomains are not included and must be flushed separately.

To flush the cache entries for a specific domain:

1. Select Activity > Status > Status & Utility .

2. Enter the required domain in the Flush Domain Web Cache field, such as www.example.com.

3. Click the adjacent Flush button.

Only cached entries for the www.example.com domain are purged from the web cache.

Web streaming Media Bypass

The Web Proxy provides support for proxying and scanning embedded streaming media content, ensuring quick delivery of data to the requesting client, while the system’s threat and content control scanners check specific media content types.

You can configure a list of specific MIME content types that bypass the Web Proxy threat and content control scanners and are delivered immediately to the web client. A predefined default list of common streaming media types is configured to bypass scanning. Skipping a streaming media type bypasses all scanners, including Anti-Virus, the Objectionable Content Filter, Content Scanning, and Attachment Control. Keep in mind that the bypass is keyed on the Content-Type the remote web server declares, so any server can label a response with a skipped type. Review the default list before relying on it: it includes application/x-javascript and application/x-shockwave-flash, which are executable content rather than audio or video, and remove any type you are not prepared to deliver unscanned.


Configuring skipped MIME types

To modify the list of MIME types that bypass content and threat scanning:

1. Select Configuration > Web > HTTP/S Proxy .

2. Click the Show Advanced Options link.

3. Use the arrow icons to add or remove items from the list.

4. If the type is not listed, enter a valid MIME content type, such as video/x-flv for Flash video, and then click the Add to List button.

The new type will be immediately added to the Do Not Scan section.

MIME Type                            Description
application/smil                     Synchronized Multimedia Integration Language
application/vnd.ms.wms-hdr.asfv      Windows Media
application/vnd.ms.wms-hdr.asfv1     Windows Media
application/x-fcs                    Flash Communication Server
application/x-javascript             Javascript
application/x-mms-framed             Windows Media
application/x-quicktimeplayer        Quicktime Player
application/x-quicktime-response     Quicktime Player response
application/x-shockwave-flash        Shockwave Flash
application/x-wms-logstats           Windows Media
audio/mp4                            MP4 Audio
audio/mpeg                           MP3 or other MPEG audio
audio/x-scpls                        Shoutcast Playlist
image/x-icon                         Website favicon format
video/flv                            Flash video
video/m4v                            Video (Protected)
video/mp4                            MP4 video
video/mpeg                           MPEG-1 video
video/quicktime                      QuickTime video
video/vnd.mpegurl                    M4U format
video/x-dv                           Digital Video File
video/x-flv                          Flash Video
video/x-m4v                          Video (Protected)
video/x-ms-asf                       Windows Media
video/x-msvideo                      Video for Windows (AVI)
video/x-ms-wmv                       Windows Media Video
video/x-sgi-movie                    SGI Movie
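The following is an added example, not code from the WatchGuard guide or product, showing what a scan/skip decision driven by a MIME skip list like the one above looks like, and why the declared Content-Type alone is a weak basis for it: the header is set by the remote server, so a skip list by itself lets any server opt out of scanning by labelling its payload as a skipped type. The decision below therefore also checks the body's leading bytes against the published file signatures for the claimed type. SKIP_TYPES is a constructed subset of the default list, and the sample responses are constructed.

```javascript
'use strict';
// Added example, not code from the WatchGuard guide: a scan/skip decision for a
// proxy response driven by a MIME skip list. Skipping is allowed only when the
// declared type is on the list AND the body carries that type's signature.

const SKIP_TYPES = new Set([            // constructed subset of the default list
  'video/x-flv', 'video/mp4', 'audio/mpeg', 'application/x-shockwave-flash',
]);

// Media type from a Content-Type header value: parameters dropped, lower-cased.
function mediaType(headerValue) {
  return String(headerValue || '').split(';')[0].trim().toLowerCase();
}

function startsWith(bytes, sig, offset) {
  offset = offset || 0;
  return sig.every((b, i) => bytes[offset + i] === b);
}

// Body signature checks per skipped type (published magic numbers).
const SIGNATURES = {
  'video/x-flv': b => startsWith(b, [0x46, 0x4c, 0x56]),                        // "FLV"
  'video/mp4': b => startsWith(b, [0x66, 0x74, 0x79, 0x70], 4),                 // "ftyp" box at offset 4
  'audio/mpeg': b => startsWith(b, [0x49, 0x44, 0x33])                          // "ID3" tag
                  || (b.length > 1 && b[0] === 0xff && (b[1] & 0xe0) === 0xe0), // or MPEG frame sync
  'application/x-shockwave-flash': b => startsWith(b, [0x46, 0x57, 0x53])       // "FWS"
                  || startsWith(b, [0x43, 0x57, 0x53]),                         // "CWS" (compressed)
};

function bodyMatchesType(type, body) {
  const check = SIGNATURES[type];
  return check ? check(body) : false; // no signature known: do not vouch for it
}

// Returns 'skip' only when the declared type is on the skip list AND the body
// looks like that type; everything else goes to the scanners.
function scanDecision(contentType, body) {
  const type = mediaType(contentType);
  if (!SKIP_TYPES.has(type)) return 'scan';
  return bodyMatchesType(type, body) ? 'skip' : 'scan';
}

// Constructed sample responses (first bytes only).
const SAMPLES = [
  { label: 'real FLV',     type: 'video/x-flv; charset=binary', body: Uint8Array.from([0x46, 0x4c, 0x56, 0x01, 0x05]) },
  { label: 'PE as FLV',    type: 'Video/X-FLV',                 body: Uint8Array.from([0x4d, 0x5a, 0x90, 0x00, 0x03]) },
  { label: 'MP3 with ID3', type: 'audio/mpeg',                  body: Uint8Array.from([0x49, 0x44, 0x33, 0x03, 0x00]) },
  { label: 'octet-stream', type: 'application/octet-stream',    body: Uint8Array.from([0x46, 0x4c, 0x56, 0x01, 0x05]) },
];

for (const s of SAMPLES) console.log(s.label + ': ' + scanDecision(s.type, s.body));
```

The "PE as FLV" sample is the case the skip list alone gets wrong: a Windows executable served with Content-Type video/x-flv would be passed through unscanned, while the signature check sends it to the scanners.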


Web Client Configuration

Depending on the deployment configuration, HTTP web clients must have their web browser proxy set to the address of this system, such as hostname.example.com:8080.

The disadvantage of this method is that it is not scalable for large user environments in which manual browser reconfiguration is not practical. Organizations may also implement proxy auto-discovery or traffic redirection methods using additional routers or traffic managers.

To avoid the need for manual web browser configuration, it is recommended that the Transparent Proxy deployment be used. See "Transparent Mode" on page 219 for more details on the Transparent Proxy deployment.

To manually set the proxy server setting in Internet Explorer 7.0:

1. Select Tools > Internet Options .

2. Select the Connections tab.

3. Click the LAN Settings button.

4. In the Proxy server section, enter the hostname or IP address of the gateway, such as hostname.example.com, and set the port used by the gateway, such as 8080. Optionally, if your organization uses an automatic proxy configuration, your web client can be configured to detect automatic proxy settings.

IP authentication browser configuration mode

When using IP address-based Authentication in Web Proxy mode (not in Transparent Mode), the client web browser will attempt to route the authentication request and response via the proxy itself. This will cause a proxy loop because the proxy server will use its own IP address instead of the client. An error will be displayed in the web browser, preventing the user from authenticating to the proxy server.

To prevent this issue, you must configure the client browser to bypass the local proxy server address.

This browser configuration change is not required when using IP-based Authentication in

Transparent Mode.

For example, to bypass the proxy server address in Internet Explorer 7.0:

1. Select Tools > Internet Options on the Internet Explorer main menu.

2. Select the Connections tab.

3. Click the LAN Settings button and click the Advanced button.

4. In the Exceptions section, add the address of the proxy server, such as 192.168.1.200. A network wildcard such as 192* is also accepted, but it excludes every address beginning with 192 from the proxy, so prefer the exact proxy address.

To bypass the proxy server address in Mozilla Firefox 3.0:

1. Select Tools > Options on the Mozilla Firefox main menu.

2. Select the Advanced button.

3. Select the Network tab and click the Settings button.

4. In the No Proxy for: section, add the address of the proxy server, such as 192.168.1.200. You can also add a network, such as 192.168.1.0/24.


Automatic web proxy configuration

Organizations that want to enforce the use of a proxy policy without having to manually configure each individual browser can use the following methods for automatic proxy configuration so that web browsers can automatically discover and configure the proxy server:

• Proxy Auto-Config (PAC) file — A Proxy Auto-Config (PAC) file defines how a web browser automatically chooses an appropriate proxy server to connect to. The PAC file is a script file that browsers read and execute to determine which proxy to use.

• Web Proxy Autodiscovery Protocol (WPAD) — The Web Proxy Autodiscovery Protocol (WPAD) is supported by most web browsers to locate a Proxy Auto-Config (PAC) file automatically, and then use this information to configure the browser's web proxy settings. The protocol can use DHCP or DNS to locate the PAC file.

PAC file

A PAC file can be used with a web browser’s proxy settings to configure the browser with the proxy server address. The PAC file can be specified locally or be hosted on a network server. If you are using the PAC file with WPAD, the file must be called “wpad.dat”.

A simple PAC file contains text similar to the following:

    function FindProxyForURL(url, host) {
        return "PROXY proxy.example.com:8080";
    }

More advanced proxy configurations can also be scripted, such as:

    function FindProxyForURL(url, host)
    {
        if (isInNet(host, "192.168.1.0", "255.255.255.0")) {
            return "DIRECT";
        }
        else if (url.substring(0, 5) == "http:") {
            return "PROXY 192.168.1.200:8080";
        }
        else if (url.substring(0, 6) == "https:") {
            return "PROXY 192.168.1.200:8080";
        }
        else {
            return "DIRECT";
        }
    }

In this example, 192.168.1.0 with mask 255.255.255.0 is the local network you want to bypass, and 192.168.1.200 is the address of the proxy server. A fully qualified domain name can also be used, such as proxy.example.com. Replace these example addresses with your local network and proxy server addresses. Note also that any URL that is neither http: nor https: (for example ftp:) goes DIRECT in this example.

Whether the browser falls back to a direct connection when the proxy fails to respond depends on the return string: a PAC return value is a semicolon-separated list of options tried in order, so the browser only contacts the web server directly if the string ends with "; DIRECT" (as in the bypass example later in this section). The example above lists the proxy alone, so an unreachable proxy fails closed; "PROXY ...; DIRECT" fails open and lets clients reach the Internet unscanned whenever the proxy is down. Choose deliberately.


Load balancing via IP address

The following example distributes web proxy connections by sending clients with even and odd IP addresses to different proxy servers (each return value lists the other proxy second, as a fallback):

    function FindProxyForURL(url, host)
    {
        var ipSubs = myIpAddress().split(".");
        if ( (ipSubs[3] % 2) == 0 ) {
            return "PROXY 192.168.1.200:8080 ; PROXY 192.168.1.201:8080";
        } else {
            return "PROXY 192.168.1.201:8080 ; PROXY 192.168.1.200:8080";
        }
    }

Load balancing via URL address

The following example distributes web proxy connections by assigning requested URLs to specific proxy servers based on a hash of the characters in the URL:

    function FindProxyForURL(url, host)
    {
        var ret = URLhash(url);
        if ( (ret % 2) == 0 ) {
            return "PROXY 192.168.1.200:8080 ; PROXY 192.168.1.201:8080";
        } else {
            return "PROXY 192.168.1.201:8080 ; PROXY 192.168.1.200:8080";
        }
    }

    // Sums the character codes of the lower-cased URL. The loop must run while
    // i < str.length; with the comparison reversed the loop never executes, the
    // hash is always 0, and every request goes to the first proxy.
    function URLhash(name)
    {
        var cnt = 0;
        var str = name.toLowerCase();
        if ( str.length == 0 ) {
            return cnt;
        }
        for ( var i = 0; i < str.length; i++ ) {
            var ch = atoi(str.substring(i, i + 1));
            cnt = cnt + ch;
        }
        return cnt;
    }

    // Returns the character code for a-z, 0-9 and ".", and 0x20 (space) for any
    // other character.
    function atoi(charstring)
    {
        var table = "abcdefghijklmnopqrstuvwxyz0123456789.";
        var idx = table.indexOf(charstring);
        if ( idx < 0 ) {
            return 0x20;
        }
        return table.charCodeAt(idx);
    }

Bypassing the proxy for specific URLs/domains

In certain cases it may be necessary to specify URLs or entire web domains that should bypass the proxy, such as local intranet traffic or problematic web sites. Add these entries to the PAC file before the proxy server specification so that they are evaluated first. Be aware that shExpMatch tests the whole URL string: a pattern such as "*.example.com/*" matches ".example.com/" wherever it occurs, including in the path or query of a URL on an unrelated host (http://other.test/x.example.com/ matches it and bypasses the proxy). When the intent is to bypass a domain, match on the host argument instead, for example dnsDomainIs(host, ".example.com").

    function FindProxyForURL(url, host) {
        // our local URLs from the domains below example.com don't need a proxy:
        if (shExpMatch(url, "*.example.com/*")) { return "DIRECT"; }
        if (shExpMatch(url, "*.example.com:*/*")) { return "DIRECT"; }
        return "PROXY 10.1.77.200:8080; DIRECT";
    }
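Because a PAC file runs inside the browser, mistakes in it only show up in the field. The following is an added example, not code from the guide or from WatchGuard, of an offline harness for exercising a PAC file before deploying it: it re-implements the handful of PAC helper functions the script needs (isInNet here understands dotted IP addresses only and does no DNS lookups) and then runs a host-based FindProxyForURL against constructed requests, alongside the URL-based shExpMatch rule from the guide so the bypass described above can be seen. The proxy address 192.168.1.200:8080 and example.com are the guide's placeholders.

```javascript
'use strict';
// Added example, not part of the WatchGuard guide: an offline harness for a PAC
// file. Browsers supply the PAC helper functions; the versions below re-implement
// the ones this script needs so it runs under Node.

function isPlainHostName(host) { return host.indexOf('.') === -1; }

// Browser semantics: a plain suffix test. Pass ".example.com" with the leading
// dot, otherwise "notexample.com" also matches "example.com".
function dnsDomainIs(host, domain) {
  host = host.toLowerCase(); domain = domain.toLowerCase();
  return host.length >= domain.length && host.slice(host.length - domain.length) === domain;
}

// Shell-style glob match with * and ? over the whole string.
function shExpMatch(str, shexp) {
  const re = '^' + shexp.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.') + '$';
  return new RegExp(re).test(str);
}

function ipToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Harness simplification: host names are not resolved, only dotted addresses match.
function isInNet(host, pattern, mask) {
  const h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}

// The PAC logic under test. Bypass decisions use the host, not the URL, and the
// proxy entry has no "; DIRECT" fallback, so an unreachable proxy fails closed.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return 'DIRECT';
  if (host.toLowerCase() === 'example.com' || dnsDomainIs(host, '.example.com')) return 'DIRECT';
  if (isInNet(host, '192.168.1.0', '255.255.255.0')) return 'DIRECT';
  return 'PROXY 192.168.1.200:8080';
}

// The guide's URL-based rule, for comparison: it matches ".example.com/"
// anywhere in the URL, path and query included.
function urlRuleBypasses(url) {
  return shExpMatch(url, '*.example.com/*');
}

// Evaluate {url, host} pairs; returns the decisions for inspection.
function evaluate(requests) {
  return requests.map(r => ({ url: r.url, pac: FindProxyForURL(r.url, r.host), urlRule: urlRuleBypasses(r.url) }));
}

// Constructed sample requests, including one crafted to defeat the URL rule.
const SAMPLES = [
  { url: 'http://intranet.example.com/', host: 'intranet.example.com' },
  { url: 'http://192.168.1.50/app', host: '192.168.1.50' },
  { url: 'http://notexample.com/', host: 'notexample.com' },
  { url: 'http://evil.test/x.example.com/', host: 'evil.test' },
];

for (const d of evaluate(SAMPLES)) {
  console.log(d.url + ' -> ' + d.pac + ' (URL rule would bypass proxy: ' + d.urlRule + ')');
}
```

The last sample is the interesting one: the host-based PAC sends http://evil.test/x.example.com/ through the proxy, while the URL-based shExpMatch rule would have sent it DIRECT.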

WPAD using DNS

The DNS-based WPAD mechanism builds a series of URLs pointing to a wpad.dat PAC file, starting with the system's full primary domain name and proceeding to progressively shorter suffixes until the base domain is reached. For example, if the system's full primary domain name is host.country.example.com, the URLs attempted are:

http://wpad.country.example.com/wpad.dat
http://wpad.example.com/wpad.dat

If the web browser is configured to automatically detect proxy settings, it attempts to download the PAC file from each URL until it either succeeds or runs out of URLs. If the client cannot connect to any of the URLs, the web browser contacts web servers directly without using the proxy server. Whoever answers for a wpad name in any of these suffixes controls the proxy settings of every client whose search reaches it, so make sure each wpad host name (in every DNS suffix your clients search) is under your control and resolves to a server you manage.
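As an added example, not code from the guide, the following builds the candidate wpad.dat URL list a DNS-based client walks for a given host name, in the order described above. It stops at a public suffix so the client never requests wpad.<tld> (for example wpad.com), a name an outsider could register to hand a PAC file to every client whose search walks that far; a naive walker is included for contrast. PUBLIC_SUFFIXES is a small constructed stand-in for the real public suffix list, and the host names are constructed.

```javascript
'use strict';
// Added example, not code from the WatchGuard guide: the wpad.dat candidate URLs
// a DNS-based WPAD client tries for a host name, and the names it would also
// trust if it did not stop at the public suffix.

const PUBLIC_SUFFIXES = new Set(['com', 'net', 'org', 'uk', 'co.uk']); // constructed subset

function wpadCandidateUrls(fqdn) {
  const labels = fqdn.toLowerCase().replace(/\.$/, '').split('.');
  const urls = [];
  // Drop the host label, then one more label per step, until only a public suffix remains.
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join('.');
    if (PUBLIC_SUFFIXES.has(suffix)) break;
    urls.push('http://wpad.' + suffix + '/wpad.dat');
  }
  return urls;
}

// The same walk without the public-suffix stop, to show which extra names a
// client that walks all the way up would trust.
function naiveWpadCandidateUrls(fqdn) {
  const labels = fqdn.toLowerCase().replace(/\.$/, '').split('.');
  const urls = [];
  for (let i = 1; i < labels.length; i++) {
    urls.push('http://wpad.' + labels.slice(i).join('.') + '/wpad.dat');
  }
  return urls;
}

for (const h of ['host.country.example.com', 'pc1.example.co.uk']) {
  console.log(h + ' -> ' + wpadCandidateUrls(h).join(', '));
  console.log('  without the stop: ' + naiveWpadCandidateUrls(h).join(', '));
}
```

Every name the first function returns is one you must own and serve; every extra name the second function returns is one an outsider could own.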

WPAD using DHCP

The DHCP-based WPAD mechanism passes the URL of the PAC file as option 252 in the DHCP lease granted to the system. If the web browser is configured to automatically detect proxy settings, it obtains the URL from the DHCP lease and downloads the PAC file. The DHCP server must be configured to send option 252, containing the URL of the PAC file, in the lease.


Configuring web proxy auto configuration

The Web Proxy supports the ability to upload a PAC file that client web browsers can utilize via WPAD or manual configuration to retrieve the PAC file settings.

PAC files are not replicated in a cluster or in Centralized Management. In a cluster environment, only one system in the cluster should be used to host the PAC file.

To upload a PAC file to the WatchGuard XCS:

1. Select Configuration > Web > Proxy Auto Configuration .


2. Click the Browse button to select the PAC file to upload to the system.

This file must be a text file. The file can have any name, but it will be made available to web clients as wpad.dat.

3. Click Apply to save the PAC file settings.

The contents of the PAC file will be displayed.

4. Web browser clients can be configured to use WPAD automatic settings, or be configured with the URL to the WatchGuard XCS PAC file, such as: http://proxy.example.com/wpad.dat

Internet Explorer client configuration

To configure proxy server settings in Internet Explorer 7.0:

1. Select Tools > Internet Options on the Internet Explorer main menu.

2. Select the Connections tab, and click the LAN Settings button.

3. Select one of the following options:

• To use WPAD to automatically detect the proxy settings for the network, select Automatically detect settings. The web browser uses WPAD to discover the location of the configuration file via DNS or DHCP.

• To manually enter the script path, select the Use automatic configuration script check box and enter the location of the PAC file. The PAC file can be stored locally or at a network URL, such as: http://proxy.example.com/wpad.dat


Mozilla Firefox client configuration

To configure proxy server settings in Mozilla Firefox 3.0:

1. Select Tools > Options on the Mozilla Firefox main menu.

2. Select the Advanced button.

3. Select the Network tab and click the Settings button.

4. Select one of the following options:

• To use WPAD to automatically detect the proxy settings for the network, select Auto-detect proxy settings for this network. The web browser uses WPAD to discover the location of the configuration file via DNS or DHCP.

• To manually enter the URL for the configuration, select the Automatic proxy configuration URL option and enter the location of the PAC file. The PAC file can be stored locally or at a network URL, such as: http://proxy.example.com/wpad.dat

Client browser notifications

If an HTTP request is blocked by any security or content scanning feature, the HTTP web client receives an error notification page (the guide shows a sample screenshot at this point). The error message indicates why the HTTP request was rejected; in the guide's example, the request was blocked because the web site appeared in a blocked URL Categorization category.

The HTTP notifications can be customized in policies using the default policy.


Web Proxy Access with Policies

The Web Proxy uses policies to define access and content controls for different users, groups, and domains.

When a change is made to an HTTP policy, it may take up to two minutes for the policy change to take effect on the system, as the web proxy service must be restarted. Any current web sessions, such as streaming media and logged-in web sessions, will be reset.

To configure the Web Proxy settings in a policy:

1. Select Security > Policies .

2. Select which policy to configure.

3. In the policy editor, select the HTTP section.

4. In the HTTP Access and HTTPS Access fields, enable or disable the feature as required, or set to Undefined to use the setting inherited from another policy, the default policy, or the global settings.

If the HTTP and HTTPS Access fields are "Undefined", they inherit the state of the global setting for the HTTP Proxy (enabled or disabled).


HTTP trusted and blocked sites

The Trusted Sites list allows the administrator to upload a list of web sites that, when accessed, bypass all scanning features, including Anti-Virus, the HTTP content control features (Attachment Control, Objectionable Content, Content Scanning), and the URL filtering features (URL Blocking and URL Categorization). The Blocked Sites list contains domains and IP addresses that are blocked for end users of the Web Proxy.

If a site appears in both the Trusted and Blocked Sites lists, the Trusted Sites list takes precedence. Any web site defined in the HTTP Trusted or Blocked Sites list overrides URL Categorization blocking. Keep the Trusted Sites list short and reviewed: everything a listed site serves, including content injected into it after a compromise, reaches users unscanned, and a trusted entry silently cancels a blocked one.

Create a trusted or blocked sites list

To create a list of domains for a Trusted or Blocked Sites list:

1. Create a list of domains and IP addresses in a text file, using one domain per line, such as: example1.com

example2.com

example3.com

192.168.1.128

2. Select Security > Content Control > Dictionaries & Lists .

3. Click Add to add a new list.

4. Browse and locate your list of trusted or blocked sites, and click Continue .

The first few lines of the list will be displayed.

5. Set the list Type to Domain to indicate this is a list of domains and IP addresses.

The “Any” list type can also be specified.

6. Click Continue .

The details of the uploaded file will be displayed.

7. Click Continue .

The final details of the uploaded list will be displayed.

8. Confirm the details, and make sure the list type is set to Domain or Any .

9. Click Save .

In the HTTP policy, you can now select the list as a Trusted or Blocked Sites list.

Configure trusted and blocked sites lists

To configure the HTTP Trusted and Blocked Sites lists:

1. Select Policies and then select an existing policy, or create a new policy.

2. Select HTTP .

3. Set Trusted Sites to None to ensure that all web sites accessed via the Web Proxy will be scanned by the Web Proxy’s scanning features, or select a predefined list of Trusted Sites from the drop-down list.

This list of web sites will bypass all HTTP scanning for users of the Web Proxy.

4. Set Blocked Sites to None to not block any specific web sites, or select a predefined list of Blocked Sites from the drop-down list.

These sites will be blocked and cannot be accessed by users of the Web Proxy.


Web Proxy URL and IP address blocking

The Web Proxy does not perform reverse (PTR) lookups for each site accessed, so blocking a host name does not block the IP address that host name resolves to. The IP address must be added to the block list separately to prevent the web site from being accessed by its IP address.

For example, to block www.example.com you must block both the domain name www.example.com and its corresponding IP address, such as 192.168.1.128. Entering an IP address alone blocks both the IP address and any domain name that resolves to that address.

When using an address list with the Trusted and Blocked Sites feature, domain names and IP addresses can be added into the same list using a Domain or Any type list, such as: example.com

192.168.1.128

website.com

10.10.1.10
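The following is an added example, not the WatchGuard XCS implementation, modelling the Trusted and Blocked Sites decision exactly as the guide describes it, with constructed lists and a constructed forward-lookup table in place of real DNS. It also includes a small lint for a Blocked Sites list that reports host-name entries whose address is not itself listed, which is the gap described above (the site is still reachable by typing its IP address).

```javascript
'use strict';
// Added example, not the WatchGuard XCS implementation: a model of the Trusted
// and Blocked Sites decision as the guide describes it. Rules modelled:
//   - an entry on the Trusted Sites list wins over the Blocked Sites list;
//   - a host-name entry matches only that exact name (no reverse lookups);
//   - an IP entry matches the IP itself and any name that resolves to it.

const DNS = { // constructed forward-lookup table standing in for real resolution
  'www.example.com': '192.168.1.128',
  'intranet.example.com': '10.10.1.10',
};

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

function resolve(host) {
  return IPV4.test(host) ? host : (DNS[host] || null);
}

function listMatches(list, host) {
  const name = host.toLowerCase();
  const ip = resolve(name);
  return list.some(entry => {
    const e = entry.trim().toLowerCase();
    return e === name || (ip !== null && e === ip);
  });
}

// Returns 'trusted' (bypass all scanning), 'blocked', or 'scan'.
function siteDecision(host, trustedList, blockedList) {
  if (listMatches(trustedList, host)) return 'trusted';
  if (listMatches(blockedList, host)) return 'blocked';
  return 'scan';
}

// Lint for a Blocked Sites list: host-name entries whose address is not also
// listed, i.e. sites a user can still reach by typing the IP address.
function missingIpEntries(list) {
  const entries = new Set(list.map(e => e.trim().toLowerCase()));
  const gaps = [];
  for (const e of entries) {
    if (IPV4.test(e)) continue;
    const ip = resolve(e);
    if (ip !== null && !entries.has(ip)) gaps.push(e + ' -> ' + ip);
  }
  return gaps;
}

const BLOCKED = ['www.example.com', 'intranet.example.com', '10.10.1.10']; // constructed lists
const TRUSTED = ['intranet.example.com'];
for (const h of ['www.example.com', '192.168.1.128', 'intranet.example.com']) {
  console.log(h + ': ' + siteDecision(h, TRUSTED, BLOCKED));
}
console.log('blocked names still reachable by IP: ' + missingIpEntries(BLOCKED).join(', '));
```

Run the lint against your own list (with a real resolver in place of the DNS table) before uploading it under Security > Content Control > Dictionaries & Lists, and add the addresses it reports.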


URL Blocking

The URL Blocking option uses the URL Block List feature of the WatchGuard XCS Intercept Anti-Spam engine to block access to specific web sites.

Enable URL Blocking to block access to web sites that appear on a URL Block List. URL Block Lists contain a list of domains and IP addresses of URLs that have appeared previously in spam, phishing, or other malicious messages and web site content. The system will check the requested URL to see if it appears on a block list using the Intercept engine's URL Block List feature.

To enable URL Blocking:

1. Select Security > Anti-Spam > Anti-Spam .

2. Enable URL Block List .

Only the URL Block List result will be used in the computation of the spam category threshold for the Web Proxy.

Other Intercept component results will not be used.

3. To configure an action to perform when a URL is blocked, select the Anti-Spam and Anti-Virus section in the policy menu.

4. For each spam category, such as Certainly Spam , click the Edit button and select an HTTP action to perform, such as Reject to reject the message (default), or Just Log to allow the message through and log the event in the Web Proxy log.

If URL Blocking is set to Undefined in Policies, and the URL Block List is enabled globally, URL Blocking will be enabled and will trigger when detecting blocked web sites.


5. Notifications can be enabled for the Administrator and the User.

The notifications can be customized in the default policy only. Notifications will only be sent for a Reject action, not Just Log .


HTTP upload and download limit

In the HTTP section of Policies, administrators can set a limit on the size of both HTTP uploads and downloads to prevent unnecessary load on network and system resources. When a file exceeds the specified threshold, the file can be blocked, or scanning can be bypassed to allow large files to be uploaded or downloaded without using a large amount of system scanning resources.

To configure the HTTP upload and download limits:

1. Select Security > Policies .

2. Select an existing policy to configure its settings or create a new policy.

3. Select HTTP .

4. In the Performance Options section, enter the largest size (in MB) allowed for an HTTP upload or download.

The default is 7 MB. Leave the field blank or set it to “0” for no limit. Select Undefined to use the inherited settings from another overriding policy or the Default policy.


5. Set the Download Limit Action and Upload Limit Action that will be applied when the size threshold is exceeded:

• Undefined — Any limits and actions on downloads and uploads will use the inherited settings from another overriding policy or the Default policy.

• Block — The file transfer will be blocked, and an error message will be sent to the web client indicating the reason the download or upload was blocked.

• Bypass — The file transfer will not be blocked and will bypass any HTTP content scanning. This allows larger files to be uploaded or downloaded without consuming a large amount of scanning resources because of their size. This is the default value.
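To illustrate how an Undefined setting is resolved and how the resolved limit and action then apply to a transfer, here is an added Python example (not WatchGuard code). The policy names, the lookup order from the most specific policy up to Default, and the field names are assumptions made for this example.

```python
# Added example, not WatchGuard code.  Models the "Undefined" inheritance of
# the HTTP upload/download limit and its Block/Bypass action.
UNDEFINED = None          # the "Undefined" choice in the policy editor
MB = 1024 * 1024

# Constructed policy table: each policy stores only the fields the
# administrator defined; every other field is Undefined.
POLICIES = {
    "Default": {"limit_mb": 7, "download_action": "Bypass", "upload_action": "Bypass"},
    "example.com": {"limit_mb": 2, "download_action": "Block"},
    "alice@example.com": {"upload_action": "Block"},
}

# Assumed precedence: the most specific policy is consulted first, then the
# policies that override it, and finally the Default policy.
CHAIN = ["alice@example.com", "example.com", "Default"]


def resolve(policies, chain, key):
    """Return the first defined value for key along the policy chain."""
    for name in chain:
        value = policies.get(name, {}).get(key, UNDEFINED)
        if value is not UNDEFINED:
            return value
    return UNDEFINED


def apply_limit(size_bytes, limit_mb, action):
    """Decide what happens to a transfer of size_bytes.

    Returns (allowed, scanned, reason).  A blank or 0 limit means no limit.
    """
    if not limit_mb:
        return True, True, "no limit"
    if size_bytes <= limit_mb * MB:
        return True, True, "within limit"
    if action == "Block":
        # the client receives an error message naming the reason
        return False, False, "exceeds %d MB limit: blocked" % limit_mb
    # Bypass (the default): the file passes, but HTTP content scanning is skipped
    return True, False, "exceeds %d MB limit: scanning bypassed" % limit_mb


def check_transfer(direction, size_bytes, policies=POLICIES, chain=CHAIN):
    """direction is "download" or "upload"; returns apply_limit()'s tuple."""
    limit = resolve(policies, chain, "limit_mb")
    action = resolve(policies, chain, direction + "_action")
    return apply_limit(size_bytes, limit, action)
```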


Web policy scanner actions

For each scanning feature that scans Web traffic, a configurable action can be set. These scanners include inbound and outbound Anti-Virus and Spyware scanning, Attachment Control, Content Scanning, and the Objectionable Content Filter (OCF).

When using Attachment Control with Web content, setting a “Reject” HTTP action for blocked image types and other web file types will effectively stop many web sites from working properly as files required for viewing of the web site will be blocked.

To configure the Web Proxy actions in a policy:

1. Select Security > Policies .

2. Select which policy to configure.

3. In the policy editor, select the Anti-Spam and Anti-Virus section (for Anti-Spam, Anti-Virus, and Spyware), or the Content Control section (for Attachment Control, Content Scanning, and OCF).

In this example, you can select actions for inbound and outbound Anti-Virus for HTTP.

4. Click Edit to set the Action to either Reject to reject the connection (default), or Just Log to allow the connection and log the issue in the Web Proxy log.

5. Notifications can be enabled and configured for the administrator and end user.

The notification can be customized in the default policy only. Notifications will only be sent for a Reject action, not Just Log .


URL Categorization

URL Categorization is a licensed option used in conjunction with the Web Proxy. This feature prevents HTTP access to web sites by using a predefined Control List of blocked web sites organized in several topic categories. By transparently blocking undesirable Internet content, URL Categorization can assist in productivity management and reduce network bandwidth consumed by Internet browsing. Web site filtering prevents clients in an organization from connecting to non-business related web sites. Protection against malicious web sites prevents viruses and malware from entering an organization and prevents users from visiting phishing sites.

URL Categorization employs a single global Control List database of millions of web sites classified into over 50 categories from hundreds of countries and in over 65 languages. The list of web sites and their categories is continuously updated, and updates to the Control List database are downloaded daily by the system.

URL Categorization will filter web sites based on the Fully Qualified Domain Names (FQDN) such as www.example.com. Each specific category of web sites can be blocked or allowed by the administrator.

URL Categorization and category selection can also be configured via policies for different users, groups, and domains.

Any web sites defined in the HTTP Trusted or Blocked Sites list (configured via policies) will override URL Categorization blocking.

The following table lists the web site categories available with URL Categorization:

URL Categorization Categories

Adult/Sexually Explicit

Advertisements & Popups

Alcohol & Tobacco

Arts

Blogs & Forums

Business

Chat

Computing & Internet

Criminal Activity

Downloads

Education

Entertainment

Fashion & Beauty

Finance & Investment

Food & Dining

Gambling

Games

Government

Hacking

Health & Medicine

Hobbies & Recreation

Kids Sites

Motor Vehicles

News

Peer-to-Peer

Personals & Dating

Philanthropic & Professional Orgs.

Phishing & Fraud

Photo Searches

Politics

Proxies & Translators

Real Estate

Reference

Religion

Ringtones/Mobile Phone Downloads

Search Engines

Sex Education

Shopping

Society & Culture

Spam URLs

Sports

Spyware


Hosting Sites

Illegal Drugs

Infrastructure

Intimate Apparel & Swimwear

Intolerance & Hate

Job Search & Career Development

Streaming Media

Tasteless & Offensive

Travel

Violence

Weapons

Web-based Email

Default blocked categories

The following web site categories typically contain inappropriate and offensive content, and are blocked by default:

Default Blocked Categories

Adult/Sexually Explicit

Alcohol & Tobacco

Criminal Activity

Gambling

Hacking

Illegal Drugs

Intolerance & Hate

Phishing & Fraud

Spam URLs

Spyware

Tasteless & Offensive

Violence

Weapons

Categories to block if required by an organization

The following additional web site categories should be blocked based on the requirements of an organization.

These categories include blogs, games, webmail, and streaming media sites.

Categories to Block if Required by an Organization

Advertisements & Pop-Ups

Blogs & Forums

Chat

Downloads

Games

Hosting Sites

Intimate Apparel & Swimwear

Job Search & Career Development

Peer-to-Peer

Personals and Dating

Photo Searches

Proxies & Translators

Ringtones/Mobile Phone Downloads

Sex Education

Sports

Streaming Media

Travel

Web-based Email


Categories to block to enhance productivity

The following web site categories can be blocked to increase productivity in an organization, if required.

These categories include news, entertainment, and shopping web sites.

Categories to Block to Enhance Productivity

Business

Computing & Internet

Education

Entertainment

Fashion & Beauty

Finance & Investment

Food & Dining

Government

Health & Medicine

Hobbies & Recreation

Infrastructure

Kid's Sites

Motor Vehicles

News

Philanthropic & Professional Orgs.

Politics

Real Estate

Reference

Religion

Search Engines

Shopping

Society & Culture

Configuring URL Categorization

To enable and configure URL Categorization:

1. Select Configuration > Web > URL Categorization .


2. Select the Enable URL Categorization blocking check box.

URL Categorization will immediately start to download the latest Control List database, as displayed in the Control List Status field.

The Control List is very large, and it may take several minutes for it to download the first time. While the Control List is downloading, HTTP messages will not be processed, and users may receive policy error messages. When the update is complete, HTTP message processing will resume. It is recommended that you do not start processing HTTP messages until this initial download process is complete.

In a cluster, the Control List will not be replicated from a cluster Primary to Secondary systems. To update the Control List on the Secondary, change the runmode to Standalone, update the Control List, and switch back to Secondary mode.


3. Select the Enable checking of IP addresses check box (enabled by default) to also check the resolved IP addresses of URLs against the URL Categorization Control List.

If the IP address checking feature is enabled, legitimate URLs may be blocked by URL Categorization because they are served from a shared IP address that also hosts blocked sites. A best effort is made to resolve the IP address of the URL; however, IP address blocking may not take effect the first time a URL is accessed, because the address might not have been resolved before the request was processed.

4. For each category, select the corresponding option to enable blocking of the web sites in that category, or deselect the check box to allow clients to connect to the web sites in that category.

5. Click Apply .

Control list updates

Click the Update Control List button to manually download and apply the latest URL Categorization Control List. The Control List Status field displays the date of the latest Control List download. Updates to the Control List are automatically downloaded every 24 hours. Control List database updates are incremental and will only take a short amount of time to complete after the initial Control List download.

URL Categorization uses TCP port 80 to download the control list. This port must be opened up for the WatchGuard XCS if the system is located behind a network firewall.

The status of the download can also be viewed by selecting Activity > Logs > System . The log entries are similar to the following:

May 22 13:21:16 host spl: sc_download=started 16-May-2008

May 22 13:21:16 host spl: sc_download=Download in progress

The Control List is very large, and it may take several minutes for it to download the first time. While the Control List is downloading, HTTP messages will not be processed and users may receive policy error messages. When the update is complete, HTTP message processing will resume. Further Control List updates are incremental and will only take a short amount of time to complete.

Using URL categorization in policies

URL Categorization blocking and the Control List categories can be customized for use in creating access control policies for different users, groups, and domains.

To configure URL Categorization settings in a policy:

1. Select Security > Policies .

2. Select which policy to configure.

3. In the policy editor, select the HTTP section.


4. In the URL Categorization section, enable or disable URL Categorization blocking for this policy, and select which categories will be allowed or blocked.

Select “Undefined” to use the inherited value from another policy, the default policy, or the global settings.

5. Select the Edit button to modify the HTTP action of the message if the URL is blocked by URL Categorization.

6. Set the HTTP Action to either Reject to reject the connection, or Just Log to allow the connection and log the issue in the logs.

Notifications can be enabled and configured for the administrator and end user. The notification can be customized in the Default policy only.
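The following added Python example (not WatchGuard code) models the order of checks described in this chapter for one HTTP request: the Trusted Sites bypass, Blocked Sites matching without PTR lookups (see “Web Proxy URL and IP address blocking”), then URL Categorization with optional checking of the resolved IP address and the policy's Reject or Just Log action. The DNS table, Control List entries, policy keys and hostnames are constructed sample data, not the appliance's own data or identifiers.

```python
# Added example, not WatchGuard code: Trusted/Blocked Sites and URL
# Categorization checks for a single HTTP request, with constructed data.
from urllib.parse import urlsplit
import ipaddress

# Constructed forward-DNS table.  The Web Proxy performs no PTR (reverse)
# lookups, so this table is only ever consulted hostname -> IP.
DNS = {
    "www.example.com": "192.168.1.128",
    "ads.example.net": "203.0.113.10",
    "intranet.example.org": "203.0.113.10",  # shares its IP with ads.example.net
}

# Stand-in for the URL Categorization Control List: FQDNs and IP addresses
# mapped to category names (constructed sample data).
CONTROL_LIST = {
    "ads.example.net": {"Advertisements & Popups"},
    "203.0.113.10": {"Advertisements & Popups"},
    "www.example.com": {"Business"},
}

# Constructed HTTP policy; the keys are this example's own names for the
# settings the guide describes, not the appliance's internal identifiers.
POLICY = {
    "trusted_sites": [],
    "blocked_sites": ["www.example.com"],
    "url_categorization": True,
    "check_ip": True,
    "blocked_categories": ["Advertisements & Popups", "Spyware"],
    "categorization_action": "Reject",       # or "Just Log"
}


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def site_matches(host, site_list):
    """Match the request host against a Trusted or Blocked Sites list.

    A hostname entry matches that hostname and its subdomains but, because no
    reverse lookup is done, never a request made directly to its IP address.
    An IP entry matches requests to that IP and to any hostname that resolves
    to it, which is why the guide says to list both forms.
    """
    for entry in site_list:
        entry = entry.lower()
        if is_ip(entry):
            if host == entry or DNS.get(host) == entry:
                return True
        elif host == entry or host.endswith("." + entry):
            return True
    return False


def categorize(host, check_ip):
    """Categories of the FQDN, plus those of its resolved IP when enabled."""
    cats = set(CONTROL_LIST.get(host, ()))
    if check_ip:
        ip = host if is_ip(host) else DNS.get(host)
        if ip:
            cats |= CONTROL_LIST.get(ip, set())   # shared-IP matches land here
    return cats


def evaluate(url, policy=POLICY):
    """Return a record shaped like the guide's message details."""
    host = (urlsplit(url).hostname or "").lower()
    if site_matches(host, policy.get("trusted_sites", [])):
        return {"Disposition": "Accept", "Processing Journal": "Trusted site, HTTP scanning bypassed"}
    if site_matches(host, policy.get("blocked_sites", [])):
        return {"Disposition": "Reject", "Processing Journal": "Blocked site"}
    if not policy.get("url_categorization"):
        return {"Disposition": "Accept", "Processing Journal": "Scanned"}
    forbidden = categorize(host, policy.get("check_ip", True)) & set(policy.get("blocked_categories", []))
    if not forbidden:
        return {"Disposition": "Accept", "Processing Journal": "Scanned"}
    # Reject drops the connection; Just Log allows it and only records the match.
    action = policy.get("categorization_action", "Reject")
    return {
        "Disposition": "Reject" if action == "Reject" else "Accept",
        "Processing Journal": "URL Categorization matched",
        "Details": "Forbidden Categories: " + ", ".join(sorted(forbidden)),
    }
```

Running evaluate() on http://192.168.1.128/ with the policy above shows the point of the earlier section: the hostname-only Blocked Sites entry does not catch the request by IP address.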

URL reject categorization

When an HTTP message is rejected, any applicable URL categorization (if URL Blocking is enabled) is displayed in the message details:

Message: ID 09AD3C010025DBFA

Size: 44 bytes

Time: 2008-01-07 16:49:28

User: unknown_user@http

URL: http://www.example.com/image-2135993-10428815

Client: unknown [10.1.10.180]

Server: www.example.com [192.168.1.128]

Processing Journal: URL Categorization matched

Disposition: Reject

Policy: Default

Details: Forbidden Categories: Advertisements & Popups


9

User Accounts

Local User Accounts

To add new local users:

1. Select Administration > Accounts > Local Accounts .

Local users are not available on cluster systems, except for admin users.

2. Click Add .


3. In the User ID field, enter an RFC821 compliant mail box name for the user.

4. In the Forward email to field, enter an optional address to forward all mail to.

5. Enter and confirm the user’s Password .

The user should change this password the first time they log in. If Strong Passwords are enabled, the password must be at least 6 characters and contain alphabetic and non-alphabetic characters. See “Strong Authentication” on page 256 for more detailed information.

6. Select a Strong Authentication method, if required.

7. Enter an optional user Disk Space Quota in megabytes (MB). Enter a value of “0” for no quota.

8. Select the Accessible IMAP/WebMail Servers that this user can access.


Upload and download user lists

You can upload lists of users using comma or tab separated text files. You can specify the login ID, password, email address, and disk quota in megabytes. Use the following format:

[login],[password],[email address],[quota]

For example:

user1,ajg7rY,[email protected],0
user2,gh39ds,[email protected],100

The file ( user.csv ) should be created in csv file format using a text editor. It is recommended that you download the user list file first by clicking File Download , editing it as required, and then uploading it using the File Upload button.

Downloading or uploading a user list does not store or restore any Tiered Admin settings. Tiered Admin settings must be applied via the user configuration screen.
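An added Python example (not WatchGuard code) that validates a user list in this format before upload, applying the Strong Passwords rule described under Local User Accounts (at least 6 characters, mixing alphabetic and non-alphabetic characters). The sample rows reuse the guide's example logins and passwords with constructed placeholder addresses; the two extra rows are constructed to show failures.

```python
# Added example, not WatchGuard code: pre-upload validation of a
# "[login],[password],[email address],[quota]" user list.
import csv
import io

# Constructed sample list.  user1 and user2 use the guide's own example rows
# (with placeholder addresses); user3 and user4 are added to show failures.
SAMPLE_CSV = """\
user1,ajg7rY,user1@example.com,0
user2,gh39ds,user2@example.com,100
user3,abcdef,user3@example.com,50
user4,x1,user4@example.com,abc
"""


def strong_enough(password):
    """Strong Passwords rule: 6+ characters, alphabetic and non-alphabetic mixed."""
    has_alpha = any(c.isalpha() for c in password)
    has_other = any(not c.isalpha() for c in password)
    return len(password) >= 6 and has_alpha and has_other


def validate_user_list(text, strong_passwords=True):
    """Return (rows, problems): rows ready to upload, problems as (line, why)."""
    lines = text.splitlines()
    delimiter = "\t" if lines and "\t" in lines[0] else ","   # comma or tab separated
    rows, problems = [], []
    for lineno, row in enumerate(csv.reader(io.StringIO(text), delimiter=delimiter), 1):
        if not any(f.strip() for f in row):
            continue                                            # blank line
        if len(row) != 4:
            problems.append((lineno, "expected login,password,email,quota"))
            continue
        login, password, email, quota = (f.strip() for f in row)
        why = None
        if not login:
            why = "empty login"
        elif strong_passwords and not strong_enough(password):
            why = "password does not meet the Strong Passwords rule"
        elif "@" not in email:
            why = "email address is not valid"
        elif not quota.isdigit():
            why = "quota must be a whole number of MB (0 = no quota)"
        if why:
            problems.append((lineno, why))
        else:
            rows.append({"login": login, "password": password,
                         "email": email, "quota_mb": int(quota)})
    return rows, problems
```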

Tiered Administration

Tiered Administration allows an administrator to assign additional administrative access permissions on a per-user basis. For example, the administrator can designate another user as an alternate administrator by selecting the Full Admin option in their user profile. To distribute administrative functions, the administrator can configure more selective permissions to authorize a user only for certain tasks such as administering users and reports, configuring Anti-Spam filter patterns, or viewing the Message History database.

LDAP users cannot be assigned tiered administrative permissions.

To enable administrator permissions:

1. Select Administration > Accounts > Local Accounts .

2. Select a specific user profile.

3. Enable each administrative option as required for that user by selecting the corresponding check box.


Full Admin

The user has administrative privileges equivalent to the admin user.

Administer Aliases

The user can add, edit, remove, upload, and download aliases (not including LDAP aliases).

Administer Filter Patterns

The user can add, edit, remove, upload, and download Pattern Filters and Specific Access Patterns.


Administer Mail Queue

The user can administer mail queues.

Administer Quarantine

The user can view, delete, and send quarantined files.

Administer Reports

The user can view, configure and generate reports, and view system activity.

Administer Users

The user can add, edit, and relocate user mailboxes (except the Full Admin users), including uploading and downloading user lists. User vacation notifications can also be configured.

Administer Vacations

The user can edit local users’ vacation notification settings and other global vacation parameters.

Message History

The user can view the Message History database and perform quick searches of the recent Mail and Web activity on the Dashboard.

View Dashboard

The user can view the Dashboard screen. Tiered admins can only perform a quick search of the recent Mail and Web activity if Message History is also enabled.

View Alarms

The user can view the Alarms in the Alarms Indicator and the Local Alarms screen, but cannot acknowledge them.

View System Logs

The user can view all system logs.

Granting full or partial admin access to one or more user accounts allows actions taken by administrators to be logged because they have an identifiable UserID that can be tracked by the system.

A user with Full Admin privileges cannot modify the profile of the Admin user, but they can edit other users with Full Admin privileges.


Tiered Admin and WebMail access

Tiered Admin and WebMail access must be enabled on a network interface to allow Tiered Admin users to log in and administer the system.

1. Select Configuration > Network > Interfaces .

2. Select the Admin & Web User Login and Webmail check boxes on the required network interface.

3. Click Apply .

The system must be rebooted.

Log in with Tiered Admin privileges

When tiered administrative privileges have been assigned to a user, they can access them via the WebMail client interface as follows:

1. Log in to the WatchGuard XCS device.

2. Select the feature to administer via the top-left drop-down list.


Delegated Domain Administration

Delegated domain administration allows the primary WatchGuard XCS Administrator to delegate to specific users administrative rights to manage settings for a specific domain via domain policies.

The Delegated Domain Administrator can log in to the system via the WebMail interface and configure and manage the following settings for their specific domain or domains:

• Manage settings for their domain using a subset of configuration options in a Domain Policy:
  - Anti-Virus actions and Notifications
  - Anti-Spam controls: Certainly, Probably, and Maybe Spam Thresholds and Actions
  - Intercept Component Weights
  - Attachment Control: Inbound and Outbound Attachment Types, Actions, and Notifications
  - Email Annotations

• Manage the Quarantine for their Delegated Domain:
  - The Delegated Domain Administrator can view messages, delete messages, or release them from the quarantine to the end user.

The primary WatchGuard XCS administrator must create Delegated Domains and assign the Delegated Domain Admin for each domain. Delegated Domains can be added manually or uploaded via a list of Delegated Domains and corresponding Delegated Domain Admins. Multiple domains can be delegated to a single Delegated Domain Administrator, and multiple administrators can be assigned to a Delegated Domain.

The Delegated Domain Administration configuration is not supported using Centralized Management.

Delegated domain administration and clustering

Delegated Domains created on the Primary system will be replicated to other systems in the cluster. To manage the Delegated Domain policy, the Delegated Domain Administrator only needs to log in to the Primary system to manage the domain settings. The configuration will be replicated to all other systems in the cluster.

In a cluster, the Delegated Domain Policies must always be configured on the Primary, and not the Secondary or other systems. The configuration will be automatically synchronized with the other systems in the cluster.

To view and manage the Quarantine for a domain, the Delegated Domain Administrator must log into each system in the cluster as required, as each system stores its own dedicated quarantine area. Delegated Domain administrators are created via the Administration > Accounts > Tiered Admin menu on the cluster Primary system.


Creating delegated domain administrators

To create a delegated domain admin user:

1. Select Administration > Accounts > Local Accounts . (On a cluster Primary, select Administration > Accounts > Tiered Admin ).

2. Create a new user, or modify an existing user.

3. In the Administrator Privileges section, select the Delegated Domain Admin check box.

The Full Admin and other Tiered Admin privileges will not be available and are not supported when Delegated Domain Admin is selected.

4. If the required Delegated Domain is not yet created, administrators must create it via Administration > Accounts > Delegated Domains .

The Delegated Domain Admin user for the domain can also be selected from that screen.

If Delegated Domains are already created, a list of Delegated Domains will appear. Select which domains this user will be able to administer. More than one Delegated Domain can be assigned to the user.

5. Click Create or Apply to save the user’s settings.

Creating delegated domains

Create a Delegated Domain and assign an administrator for the domain as follows:

1. Local users (or Tiered Admin users in a Cluster) must be created before creating a Delegated Domain so that an existing local user can be assigned as the Delegated Admin for the domain.

For a large number of delegated domains, it is recommended that a list of Delegated Domains and Admin users be uploaded.

2. Select Administration > Accounts > Delegated Domains .

3. Select Create Delegated Domain .

4. Enter the domain name, such as example.com .


5. Select an administrator from the drop-down list that will be the first administrative user for this domain.

To appear in this list, the user must already be created as a local user.

Full admins and Tiered Admin users cannot be assigned Delegated Domain Admin permissions, and will not appear in the drop-down list of admins.

6. Additional delegated domain administrators for the domain can be added via Administration > Accounts > Local Accounts (or Administration > Accounts > Tiered Admin on a cluster Primary).

7. New domain policies will be automatically created for each new Delegated Domain.

Select the Make new policies a duplicate of the default policy check box to make these new policies use the default policy values. If this option is deselected, the new domain policies will be initially Undefined .

8. Click Finished .

When a new delegated domain is created, the system also creates new domain policies, domain policy assignments, and the domain administrator users.

For example, for the delegated domain entry: example.com, [email protected]

The following items will be created:

• A new delegated domain will be created called example.com with the administrator [email protected].

• The admin1 user will have delegated domain admin permissions enabled and be assigned the example.com domain.

• A policy will be created on the policies screen called example.com.

• A domain policy association will be created on the domain policy screen between the domain example.com, and the delegated domain policy example.com.

Deleting a delegated domain

Click the Delete link beside a specific domain to delete that delegated domain.

Deleting a delegated domain will also delete the associated domain policies and domain policy assignments for that domain. Delegated domain admin local users will not be affected if the domain they administer is deleted.

Uploading delegated domains

A list of delegated domains and associated domain administrator email addresses can be uploaded to the system. The list source can be an existing list (configured via Security > Content Control > Dictionaries & Lists ), or a file can be uploaded on this screen.

Do not upload users who already exist as Full Admin or Tiered Admin users.

To upload a list of delegated domains and administrators:

1. Select Administration > Accounts > Delegated Domains .

2. Click Upload Delegated Domains .

3. Select an existing list from the drop-down list, or click Browse to select a file to upload.


4. The list can be created as a text file using the following syntax:

domain, admin-email

For example:

example.com, [email protected]

5. Domains can be assigned multiple domain administrators using multiple entries, for example:

example.com, [email protected]
example.com, [email protected]
example.com, [email protected]

Similarly, specific administrators can be a domain administrator for multiple delegated domains, for example:

example1.com, [email protected]
example2.com, [email protected]
example3.com, [email protected]

6. Select the Make new policies a duplicate of the default policy check box to make these new policies use the current Default policy values.

If this option is deselected, the new domain policies will be initially undefined.

7. Click Continue to upload the list.

The list will be merged with any existing entries.

When a new delegated domain and domain administrator is uploaded, the system also creates new domain policies, domain policy assignments, and the domain administrator local user.

For example, for the delegated domain entry: example.com, [email protected]

The following items will be created:

• A new delegated domain will be created called example.com with the administrator [email protected].

• If the admin1 user for this domain does not yet exist, a new local account with delegated domain permissions will be created as admin1.example.com. This new account is assigned to the example.com domain. The default password is the username “admin1”.

• A policy will be created on the policies screen called example.com.

• A domain policy association will be created on the domain policy screen between the domain example.com, and the delegated domain policy example.com.

Uploaded delegated domain admin users

If an administrative user for a delegated domain did not exist before the upload, the user will be created automatically. For example, for the administrative user [email protected], the following local username and password will be created:

Username: admin1.example.com

Password: admin1

A local account created when uploading a user will have the domain name appended to the username. Local accounts created manually will not have the domain name appended.

This user can be managed via Administration > Accounts > Local Accounts (or Administration > Accounts > Tiered Admin on a cluster Primary). This user will already have the Delegated Domain Admin option and their corresponding domains selected.
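As an added example (not WatchGuard code), the Python below parses an uploaded delegated-domain list, merges it into a constructed in-memory state holding the objects the upload creates (domain, local user, policy and domain policy association), and lists the auto-created accounts that are still on their default password so they can be changed. The sample list, the state layout and the full_admin/tiered_admin flags are assumptions for this example.

```python
# Added example, not WatchGuard code: "domain, admin-email" upload processing
# and a check for auto-created admin accounts still on the default password.

# Constructed sample list (addresses are placeholders, not real mailboxes).
SAMPLE_LIST = """\
example.com, admin1@example.com
example.com, admin2@example.com
example2.com, admin1@example.com
"""


def parse_delegated_domains(text):
    """Parse 'domain, admin-email' lines into (domain, email) pairs."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip().lower() for p in line.split(",")]
        if len(parts) != 2 or not parts[0] or "@" not in parts[1]:
            raise ValueError("line %d: expected 'domain, admin-email'" % lineno)
        entries.append((parts[0], parts[1]))
    return entries


def new_state():
    """Empty in-memory stand-in for the appliance's account/policy tables."""
    return {"domains": {}, "users": {}, "policies": set(), "assignments": {}}


def upload_delegated_domains(entries, state):
    """Merge entries into state, creating the objects the upload creates."""
    for domain, email in entries:
        local_part = email.split("@", 1)[0]
        login = local_part + "." + domain          # uploaded admins get the domain appended
        # The guide says not to upload users who already exist as Full or Tiered Admins.
        for name in (local_part, login):
            u = state["users"].get(name)
            if u and (u.get("full_admin") or u.get("tiered_admin")):
                raise ValueError("%s is already a Full or Tiered Admin" % name)
        if login not in state["users"]:
            state["users"][login] = {
                "delegated_domain_admin": True,
                "domains": set(),
                "password": local_part,            # default password is the username part
                "default_password": True,
            }
        state["users"][login]["domains"].add(domain)
        state["domains"].setdefault(domain, set()).add(login)
        state["policies"].add(domain)              # policy named after the domain
        state["assignments"][domain] = domain      # domain -> delegated domain policy
    return state


def accounts_on_default_password(state):
    """Logins still using the auto-assigned password; these should be changed."""
    return sorted(login for login, u in state["users"].items() if u.get("default_password"))
```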


Delegated domain policies

New domain policies and domain policy assignments will be automatically created for each new delegated domain that is created manually or uploaded. Each policy will be created using the name of the delegated domain and can be viewed via the Policies menu.

These delegated domain policies can be modified by the primary WatchGuard XCS administrator, however, they are for the primary use of the delegated domain administrator. This administrator can log in to the system via WebMail and administer a subset of the policy for their domain.

Each delegated domain policy will be automatically associated with the domain. These domain policy associations can be viewed via Security > Policies > Domain Policy .

To delete a delegated domain policy and its association, it is recommended that administrators delete the delegated domain via Administration > Accounts > Delegated Domains .

Administering delegated domains

To administer a domain, the delegated domain administrator must log in to the system via WebMail, where they will be presented with a subset of configuration options to customize for their domain.

As the number of delegated domain administrators that are currently logged in to the system increases, the responsiveness of the user interface will decrease. In most cases, no performance issues will be seen for up to 50 concurrent webmail connections.

The WebMail and Admin & Web User Login options must be enabled on a network interface to allow delegated domain admin login access.

To enable WebMail and Admin & Web User Login on a network interface:

1. Select Configuration > Network > Interfaces .


2. For the specified network interface, select the WebMail and Admin & Web User Login check boxes.

3. Click Apply .

The system must be rebooted to apply the settings.


Log in to delegated domain administration

To log in to a delegated domain to administer its policies, the delegated domain administrator must log in directly to the WatchGuard XCS using their login name, such as “admin1” (or “admin1.example.com” if the user was created using an uploaded list).

To switch to delegated domain administration, you must use the drop-down list in the top-left corner of the screen. If the delegated domain administrator is associated with multiple domains, the drop-down list will contain links to all the domains assigned to them.

• To manage the delegated domain policy, select the Manage link.

• To view the messages in the delegated domain quarantine area, click the Quarantine link.

Managing the delegated domain

1. Select the Manage option for the Delegated Domain to modify the configuration for the Domain policy.

This policy will only provide a subset of the full policy configuration for the Delegated Domain Admin user to manage. The primary WatchGuard XCS Administrator will still have full access to all options in the Domain Policy.

In a cluster, the Delegated Domain Policies must always be configured on the Primary system. The configuration will be automatically synchronized with the other systems in the cluster.

2. The following policy items are available:

• Anti-Spam and Anti-Virus
  - Anti-Virus Actions and Notifications
  - Anti-Spam Controls — Certainly, Probably, and Maybe Spam Thresholds and Actions
  - Intercept Component Weights

• Attachment Control — Inbound and Outbound Attachment Types, Actions, and Notifications

• Email — Annotations

3. Click Apply to save the settings for this policy.

Viewing the delegated domain quarantine

Select the Quarantine option to view the Quarantined messages for this specific delegated domain. The delegated domain administrator can view messages, delete messages, or release them from the quarantine to the end user. In a cluster environment, the delegated domain administrator must log into each system in the cluster (such as the Secondary), to view and manage its quarantine area.


Any message security features that quarantine mail, including Anti-Virus, Anti-Spam, and Attachment Control, will place the mail messages in the quarantine area. You can view the details of a message by clicking on its Queue ID number, or delete the message from the quarantine by clicking the Delete button. Quarantined messages can also be released from the quarantine and delivered to their original destination by clicking the Release button.

Use the search field to look for specific messages within the quarantine. For example, you could search for the name of a specific virus so that any quarantined messages infected with that specific virus will be displayed.

The Delete All and Release All buttons are used specifically with the search function. You must enter a specific search pattern before using these controls.

Mirror Accounts

LDAP user accounts can be imported from a directory server and mirrored on the local system. This allows you to create local accounts based on the LDAP account to allow these users to log in locally for the Spam Quarantine and Trusted/Blocked Senders features.

These mirror accounts are not local accounts that can accept mail; they are only used for the Spam Quarantine and Trusted/Blocked Senders features. See “Directory Users” on page 76 for more detailed information on creating mirror accounts.

To display all mirrored users:

1. Select Administration > Accounts > Mirror Accounts.

2. You can remove selected individual user mirror accounts by clicking the Remove button.

3. Click the Show Local Users button to show only the locally defined users on this system.


Strong Authentication

By default, user authentication is based on User ID and password. The WatchGuard XCS also supports strong authentication methods such as CRYPTOCard, SafeWord, and RSA SecurID. These hardware token devices provide an additional authentication key that must be entered in addition to the User ID and password.

To configure strong authentication:

1. Select Administration > Accounts > Local Accounts.

2. Select the Strong Authentication method.

CRYPTOCard

The CRYPTOCard option is supported by a local authentication server and requires no external system for authentication. When CRYPTOCard is selected, you will be prompted to program the card at that time using the token configuration wizard. Only manually programmable CryptoCard RB-1 tokens are supported.

SafeWord

SafeWord Platinum and Gold tokens are supported by a local authentication server, and require no external system for authentication. When SafeWord is selected, you will be prompted to program the card at that time using the token configuration wizard. Only manually programmable SafeWord tokens are supported.

SecurID

To configure RSA SecurID, you must set up the system as a valid client on the ACE Server, and create an sdconf.rec (ACE Agent version 4.x) file and upload it to the system. Although newer ACE servers are supported, the sdconf.rec file must be for version 4.x of the ACE Agent. Versions greater than 4.x generate a different format of this file.

1. Select Administration > Accounts > SecurID.

2. Click the Browse button to find and load a sdconf.rec file.

3. Click Upload.

4. Select Configuration > Network > Interfaces to enable SecurID on a network interface.

5. Ensure that the WatchGuard XCS domain name is listed in your DNS server.

SecurID authentication may not work properly if a DNS record does not exist.

6. Click Apply.

Remote Accounts and Directory Authentication

Directory authentication allows users to be authenticated without having a local account. When an unknown user logs in, the system sends the User ID and password to the specified LDAP or RADIUS server. If the user is authenticated, the WatchGuard XCS will log them in and provide access to the specified server or servers.

LDAP and RADIUS are widely used, and provide a convenient way of allowing access to internal mail servers or webmail servers such as Outlook Web Access. Users who log in locally to an Exchange server based on an Active Directory identity can use the same identity to use Outlook Web Access with the Secure WebMail service.

If both LDAP and RADIUS services are defined, the system will try to authenticate via RADIUS first, and then LDAP if the RADIUS authentication fails.

Configuring LDAP authentication

To use LDAP for authentication:

1. Select Administration > Accounts > Remote Authentication.

2. Click the New button in the LDAP Sources section to define a new LDAP source.

3. In the Directory Server field, select a configured LDAP directory server for authentication.

4. In the Search Base field, enter the starting base point to start the search from, such as cn=users,dc=example,dc=com.

5. In the Scope field, enter the scope of the search.

• Base — Searches the base object only.

• One Level — Searches objects one level beneath the base object, but excludes the base object.

• Subtree — Searches the entire subtree of which the base distinguished name is the topmost object, including that base object.

6. In the Query Filter field, enter a specific query filter to search for a user in your LDAP directory hierarchy.

For Active Directory implementations, use (ObjectClass=user).

7. In the Timeout field, enter the maximum interval, in seconds, to wait for the search to complete.

The default is 5. This value must be between 1 and 100.

8. In the Account name attribute field, enter the account name result attribute that identifies a user’s login or account name, such as sAMAccountName for Active Directory implementations.

If you use another LDAP service such as OpenLDAP or iPlanet, you will need to enter the Query Filter and Account name attribute appropriate for your particular LDAP infrastructure.
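How the LDAP Source fields above combine into the single-user lookup that directory authentication performs, shown as an added example (not WatchGuard code). The `ldapsearch` command line it produces is an assumption used only to show an equivalent manual check; the OpenLDAP filter and attribute values are assumed, since the guide only says they differ from the Active Directory ones.

```python
"""Added example (not WatchGuard code): how the LDAP Source settings
(Search Base, Scope, Query Filter, Timeout, Account name attribute)
combine into the one-user lookup performed for a login attempt."""
import re
from dataclasses import dataclass

# RFC 4515 requires these characters to be escaped inside a filter value.
# The login name comes from an untrusted client, so escaping it keeps a
# User ID containing "(", ")" or "*" from altering the administrator's filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# The guide's Scope labels mapped to the ldapsearch(1) "-s" values
# (assumption: ldapsearch is used here only to show an equivalent command).
SCOPES = {"Base": "base", "One Level": "one", "Subtree": "sub"}

_ATTRIBUTE_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def escape_filter_value(value: str) -> str:
    """Escape a single assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


@dataclass(frozen=True)
class LdapSource:
    """One LDAP Source as entered on Administration > Accounts > Remote Authentication."""
    search_base: str
    scope: str = "Subtree"
    query_filter: str = "(ObjectClass=user)"        # Active Directory value from the guide
    account_name_attribute: str = "sAMAccountName"  # Active Directory value from the guide
    timeout: int = 5                                # seconds; guide: default 5, range 1..100

    def __post_init__(self) -> None:
        if self.scope not in SCOPES:
            raise ValueError(f"Scope must be one of {sorted(SCOPES)}")
        if not 1 <= self.timeout <= 100:
            raise ValueError("Timeout must be between 1 and 100 seconds")
        qf = self.query_filter.strip()
        if not (qf.startswith("(") and qf.endswith(")")):
            raise ValueError("Query Filter must be a parenthesised LDAP filter")
        if not _ATTRIBUTE_NAME.fullmatch(self.account_name_attribute):
            raise ValueError("Account name attribute must be a bare attribute name")

    def user_filter(self, login: str) -> str:
        """AND the administrator's Query Filter with the account-name match for this login."""
        value = escape_filter_value(login)
        return f"(&{self.query_filter.strip()}({self.account_name_attribute}={value}))"

    def ldapsearch_args(self, login: str) -> list[str]:
        """Equivalent ldapsearch(1) invocation, useful for checking a source by hand."""
        return [
            "ldapsearch",
            "-b", self.search_base,
            "-s", SCOPES[self.scope],
            "-l", str(self.timeout),
            self.user_filter(login),
            self.account_name_attribute,
        ]


if __name__ == "__main__":
    # Active Directory source exactly as the guide's example describes it.
    ad = LdapSource(search_base="cn=users,dc=example,dc=com")
    print(" ".join(ad.ldapsearch_args("jdoe")))
    # Assumed OpenLDAP equivalent: the guide only says the filter and attribute differ.
    openldap = LdapSource(search_base="ou=people,dc=example,dc=com",
                          query_filter="(objectClass=inetOrgPerson)",
                          account_name_attribute="uid")
    print(openldap.user_filter("j*doe"))
```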

RADIUS authentication

1. Select Administration > Accounts > Remote Authentication.

2. Click the New button in the RADIUS Server section to configure a RADIUS server for authentication.

3. In the Server field, enter the FQDN or IP address of the RADIUS server.

4. Enter the Shared Secret for the RADIUS server.

A shared secret is a text string that acts as a password between a RADIUS server and client. Choose a secure shared secret of at least 8 characters in length, and include a mixture of upper and lowercase alphabetic characters, numbers, and special characters such as the “@” symbol.

When you add a RADIUS server, the administrator of the RADIUS server must also list this WatchGuard XCS as a client using the same shared secret. All listed RADIUS servers must contain the same users and credentials.

5. Enter a Timeout value, in seconds, to contact the RADIUS server.

The default is 10.

6. Enter the Retry interval to contact the RADIUS server.

The default is 3.

The server “This WatchGuard XCS” will only be made accessible for mirror users. See “Directory Users” on page 76 for more information on setting up mirrored accounts.

The other servers listed in the Accessible Servers option are configured via Configuration > WebMail > WebMail. See “Secure WebMail Overview” on page 275 for more detailed information on configuring this feature.

POP3 and IMAP Access

Mail is delivered to local mailboxes after the same processing that applies to all other destinations. Users can use any POP3 or IMAP-based mail client to download their messages. Users can also be configured to access these mailboxes using the system’s WebMail client.

Use the secure versions of POP and IMAP to ensure passwords are not transmitted in clear text.

To configure POP3 and IMAP Access:

1. Select Configuration > Mail > POP3 and IMAP.

2. Enable POP and/or IMAP as required.

3. Select Configuration > Network > Interfaces.

4. Enable POP3/IMAP access (and their secure versions) on an appropriate network interface.


Relocated Users

Use the Relocated Users screen to return information to the sender of a message on how to reach users that no longer have an account on the WatchGuard XCS system. A full domain can also be specified if the address has changed for a large number of users.

1. Select Administration > Accounts > Relocated Users.

2. Click the Add button to add a new relocated user.

3. Enter a user or domain name in the User field, for example, user1, [email protected], or @example.com to specify an entire domain.

4. In the User has moved to… field, enter any appropriate contact information for the relocated user, such as their new email address, street address, or phone number.

Vacation Notification

When a user will be out of the office, they can enable Vacation Notification which sends an automated email reply to incoming messages. The reply message is fully configurable, allowing a user to personalize the vacation notification message.

Vacation Notifications are processed after mail aliases and mappings. You must create notifications for a specific end user and not for an alias or mapping. Vacation Notifications are not available on cluster systems.

The process for configuring Vacation Notification includes the following steps:

• The administrator enables Vacation Notification globally.

• Individual settings can be configured as follows:
  ◦ The administrator configures Vacation Notification for the user via the user configuration screen.
  ◦ The user configures their own Vacation Notification via WebMail.

To enable Vacation Notifications:

1. Select Administration > Accounts > Vacations.

2. Enable the service globally for all users by selecting the Enable Vacation Notification check box.

3. In the Domain Part of Email Address field, enter the domain name to be appended to local user names, such as example.com.

This value will be used for all local users.

4. In the Interval Before Re-sending field, enter the number of days after a previous notification was sent to send another reply, if a new email arrives from the original sender.

5. Enter the Subject and contents for the default notification message.

Users will be able to change the subject and message from their own user profile.

6. Click the Edit Vacations button to see all Vacation Notification settings and to add arbitrary notifications for non-local users.

7. Click on an existing email address to edit the user’s vacation notification settings, or enter an address if this user has no vacations defined.

From this screen, an administrator can configure the notification settings, including the address from which incoming mail will receive a vacation response.

User vacation notification profile

An administrator can configure vacation notifications for individual users via their user profile in the Local Accounts screen. Users can configure their own Vacation Notification settings in their profile via the WebMail client.

To configure Vacation Notification:

1. Log in to the WebMail client and select User Profile.

2. Set the Vacation Start Date by selecting the required date on the left calendar.

3. Set the Return to Work Date on the right calendar. The vacation notices will be sent out automatically during this time.


4. Modify the default subject and contents of the response message.

5. Click Save User Profile.

Vacation Notifications are not sent to bulk messages such as mailing lists and system generated messages. Vacation Notifications are also not sent to messages identified as spam.

10 Spam Quarantine and Trusted/Blocked Senders

User Spam Quarantine

The User Spam Quarantine is used to redirect spam mail into a local storage area for all users. This allows users to view and manage their own quarantined spam by giving them the ability to view, release the message to their inbox, or delete the message.

The User Spam Quarantine cannot be used in a cluster. It is recommended that customers utilize the Quarantine Server for large, clustered environments.

Spam Quarantine summary notifications can be sent to users notifying them of existing mail in their quarantine. The email notification itself can contain links to take action on messages without having to login to the quarantine.

To quarantine mail, the administrator must set the action for an Intercept spam level, such as Certainly Spam, to Redirect To, and set the action data to the FQDN (Fully Qualified Domain Name) of the WatchGuard XCS system (to host the quarantine on the current system) or the FQDN of the Quarantine Server.

Local Spam Quarantine account

To access quarantined mail, a local account must exist for each user. This account can be created locally, or you can use the LDAP Mirrored Users feature to import user accounts from an LDAP compatible directory (such as Active Directory) and mirror them on the local system.

See “Directory Users” on page 76 for more information on importing and mirroring LDAP user accounts.


Configure the Spam Quarantine

To configure the Spam Quarantine:

1. Select Configuration > WebMail > User Spam Quarantine.

2. Select the Enable Spam Quarantine check box.

3. Select an Expiry Period for mail in each quarantine folder.

Any mail quarantined for longer than the specified value will be deleted.

4. Set a Folder Size Limit, in megabytes, to limit the amount of stored quarantined mail in each quarantine folder.

5. Select the Enable Summary Email check box to enable a summary email notification that alerts users to mail that has been placed in their quarantine folder.

Notifications can only be sent to accounts the WatchGuard XCS is aware of, such as local accounts or LDAP mirrored user accounts.

6. Specify the maximum number of headers to be sent in the spam summary message in the Limit # of message headers sent field.

Set to “0” for all message headers to be sent.

7. In the Remember # of past summary keys field, enter the number of days that users are allowed to access previously sent spam summaries.

The default is “8”.

When creating spam summaries every 12 hours, a value of 8 would result in only the last four days of spam summaries being accessible.

8. Enter the Notification Domain for which notifications are sent.

This is typically the Fully Qualified Domain Name of the email server. The User Spam Quarantine only supports one domain.

9. Select the Notification Days to send the summary notification.

10. Select the Notification Times to send the summary notification.

The Spam Summary processing will begin at this time, but the actual delivery of the summary notifications will not be performed until the processing (which may take several minutes) is complete.


11. Indicate the Spam Folder name.

This must be an RFC 821-compliant mailbox name. This folder will appear in a user’s mailbox when they have received quarantined spam.

12. Enter the Mail Subject of the spam summary notification message.

The system variables can be used in the subject.

13. Select Allow Trusting Senders to insert a link in the notification summary to allow the user to add the sender to their Trusted Senders List.

14. Select Allow reading messages to insert a link in the notification summary to allow the user to read the original message.

15. Select Allow releasing of email to insert a link in the notification summary to allow the user to release the message to their inbox.

16. The Mail Content Preamble is a customizable text and HTML version of the spam summary message that is sent to end users.

This message contains the links to the user’s quarantined spam. The system variables can be used in the preamble.

Notifications for the Spam Quarantine can only be sent to local or LDAP mirrored user accounts.

Spam summary message

If enabled, a summary email notification can be sent to alert users to mail that has been placed in their quarantine folder. Additional options allow the end user to read the message, release the message from the quarantine to their inbox, or add the sender to their Trusted Senders list, via the links in the spam summary message.


Setting spam redirect options

To quarantine spam mail to the User Spam Quarantine, you must set the Intercept action to Redirect to and set the action data to the FQDN of the spam quarantine server. To quarantine mail to the spam quarantine, use the following procedure:

1. Select Security > Anti-Spam > Anti-Spam.

2. Set the Action for the spam level (such as Certainly Spam) to Redirect to.

3. Set the Action data to the FQDN of the spam quarantine (either this system, or another system such as the Quarantine Server), for example spamquarantine.example.com.

Accessing quarantined spam

The quarantined spam folder can be viewed using the WebMail interface. Users can log in to their local or mirrored account on the WatchGuard XCS and view their own quarantine folder.

If you do not require or do not want the end users to log in locally to the WatchGuard XCS to retrieve these messages, they can simply use the linked actions contained in the spam quarantine summary notification to manage quarantined messages.

WebMail access must be enabled on a network interface in Configuration > Network > Interfaces to allow users to log into the WatchGuard XCS locally or use the linked actions in the spam quarantine summary notification.

Accessing the quarantine folder via IMAP

Users can also use IMAP to access the quarantine folders. You must enable IMAP globally and on your trusted network interfaces as required. This allows users to connect to the system via IMAP and move spam messages out of the quarantine into their own folders.

To enable access to the quarantine folder via IMAP:

1. Select Configuration > Mail > POP3 and IMAP to enable IMAP globally.

2. Select Configuration > Network > Interfaces to enable IMAP on a specific network interface.

3. Connect from a client using IMAP to view the spam_quarantine folder.

To retrieve false positives (messages that are not spam) from the quarantine, configure the client email application with two separate accounts, one for their normal account, and one for the spam quarantine. With this configuration the user can drag and drop messages from the quarantine to their mail account.


Enable WebMail and Spam Quarantine access

To enable WebMail and Quarantine access:

1. Select Configuration > Network > Interfaces.

2. Select the WebMail check box for the specific network interface to allow users to log in to WebMail.

3. Select Configuration > WebMail > WebMail.

4. Select the Personal Quarantine Controls check box to provide users with the spam quarantine controls in the WebMail interface.


Use WebMail to access the quarantine folder

To access the quarantine folder via WebMail:

1. Log in to your WatchGuard XCS WebMail account.

2. Select Spam Quarantine on the left menu.

3. When you are in the Spam Quarantine page, you can perform the following actions:

• Click the Release link to release the message back into your inbox.

• Click the Trusted Sender link to automatically add the sender to your Trusted Senders List.

• Click the Blocked Sender link to automatically add the sender to your Blocked Senders List.

Trusted and Blocked Senders

The WatchGuard XCS allows end users to configure their own Trusted and Blocked Senders Lists to control how mail is processed depending on the sender of a message.

Trusted Senders List

The Trusted Senders List allows users to create their own lists of senders who they want to receive mail from to prevent mail from these senders from being blocked by the spam filters. Users can utilize the WebMail interface to create their own Trusted Senders List based on a sender’s email address. Trusted Senders can also be added directly via the Spam Quarantine summary email.

The Trusted Senders List overrides the following Anti-Spam actions:

• Modify Subject Header

• Add Header

• Redirect

The following rules also apply for the Trusted Senders List:

• If the message is rejected for reasons other than spam, such as viruses or attachment controls, the Trusted Senders List will have no effect.

• A Reject or Discard action will reject or drop the message regardless of the settings in the Trusted Senders List.

• If the action is set to Just Log or BCC, the trusted message will pass through, but will still be logged or BCC’d by the system.

• Pattern Filter spam actions set to Medium or High priority cannot be trusted, allowing administrators to ensure that a strong security policy is enforced.

• The Trusted Senders List cannot trust items rejected by the administrator during the SMTP connection such as ReputationAuthority and DNSBL checks.

Blocked Senders List

The Blocked Senders List allows end users to specify a list of addresses from which they do not want to receive mail. These senders will be blocked from sending mail to that specific user via the WatchGuard XCS. If a sender is on the Blocked Senders List, the message can either be rejected with notification or discarded.

The Trusted Senders List is processed before the Blocked Senders List. If a Blocked Sender also appears in the Trusted Senders List, the email will be delivered.

In the event there are multiple recipients for a message and only specific recipients have blocked the sender, the message will be delivered for those recipients that did not block the sender and the message will be rejected for those who have blocked the sender.

Local users can log in and create their own list of Blocked Senders. Users do not need a local account on the system, as logins can be authenticated via LDAP to an authentication server and the user's Trusted/Blocked Senders List is saved locally on the WatchGuard XCS.

Enable Trusted and Blocked Senders

The Trusted and Blocked Senders List must be enabled globally by the administrator to allow users to configure their own lists.

To enable the Trusted and Blocked Senders List:

1. Select Configuration > WebMail > Trusted/Blocked Senders.

2. Select the Permit Trusted Senders or Permit Blocked Senders lists check box to enable these features.

3. Enter the Maximum # of list trusted/blocked entries per user.

The default is “100”. Valid values are from “1” to “1000000”.

4. The Internal mail server host must be set to the complete host name of the internal mail server or the specified default host name if mail is hosted on this system.

For example, if you deliver mail to your internal mail server using [email protected], enter example.com. If your internal mail server uses [email protected], enter mail.example.com.

5. For Blocked Senders, select the Action to perform when a user on the Blocked Senders List attempts to send mail via the WatchGuard XCS.

• Reject — The message will be rejected with notification to the sender.

• Discard — The message will be discarded without notification to the sender.

Configure WebMail Access

WebMail is required to allow users to view and edit their Trusted/Blocked Senders List.

To enable WebMail access on a network interface:

1. Select Configuration > Network > Interfaces.

2. Select the WebMail check box.

3. Click Apply.

The system must be rebooted.

4. Select Configuration > WebMail > WebMail.

5. Select the Trusted/Blocked Senders check box.


Importing Lists

Trusted and Blocked Senders Lists can be manually or automatically updated from a global list located on an external web server or the Quarantine Server. The list update can be scheduled to occur at regular intervals or to be updated immediately.

It is recommended that organizations use either the personal Trusted/Blocked Senders List or the imported list, and not both at the same time.

To configure the Imported Trusted/Blocked Senders List:

1. Select Configuration > WebMail > Trusted/Blocked Senders.

2. Select the Enable imported list check box.

3. Enter the List source URL where the Trusted or Blocked Senders List can be retrieved from, such as: http://listserver.example.com/wblist.csv

For the WatchGuard Quarantine Server use: http://bqs.example.com/getwblist.spl

HTTPS is also supported for the list source URL.

4. Select the Automatic update check box to enable scheduled updates.

5. Select the Update Interval time to schedule how often to retrieve the list.

6. Click Update imported list now to perform a manual update.

Import list file

The Trusted or Blocked Senders List file must be in CSV format and must contain comma or tab separated entries in the form:

[recipient],[sender],[block or trust]

For example:

[email protected],[email protected],block
[email protected],[email protected],block
[email protected],[email protected],trust
[email protected],[email protected],trust

The file (bwlist.csv) should be created in CSV file format using a text editor. It is recommended that you download the file first by clicking the Download File button, edit it as required, and upload it using the Upload File button.
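An added example (not WatchGuard code) that ties the import file format above to the Blocked Senders List rules described earlier: it parses a constructed `[recipient],[sender],[block or trust]` file (comma or tab separated), enforces the per-user entry limit, and then works out the per-recipient disposition of one message, with the Trusted list checked before the Blocked list and the global Reject/Discard action applied to blocked senders. The sample addresses and the `SenderLists` helper are constructed for this example.

```python
"""Added example (not WatchGuard code): parse the Trusted/Blocked Senders
import file and apply the documented per-recipient decision rules."""
from dataclasses import dataclass, field

# Constructed sample in the guide's [recipient],[sender],[block or trust] form.
# The third line is tab-separated, which the guide also allows.
SAMPLE_LIST = (
    "alice@example.com,spammer@example.net,block\n"
    "alice@example.com,news@example.org,trust\n"
    "bob@example.com\tspammer@example.net\tblock\n"
    "bob@example.com,spammer@example.net,trust\n"
)

VALID_ACTIONS = {"block", "trust"}


@dataclass
class SenderLists:
    """Per-recipient sets of trusted and blocked sender addresses."""
    trusted: dict[str, set[str]] = field(default_factory=dict)
    blocked: dict[str, set[str]] = field(default_factory=dict)


def _address(value: str, lineno: int, what: str) -> str:
    """Minimal sanity check: exactly one '@', no whitespace; compared case-insensitively."""
    value = value.strip().lower()
    if value.count("@") != 1 or any(ch.isspace() for ch in value):
        raise ValueError(f"line {lineno}: invalid {what} address {value!r}")
    return value


def parse_list(text: str, max_entries_per_user: int = 100) -> SenderLists:
    """Parse the CSV/TSV import file.  max_entries_per_user mirrors the
    'Maximum # of list trusted/blocked entries per user' setting (default 100,
    valid range 1..1000000)."""
    if not 1 <= max_entries_per_user <= 1_000_000:
        raise ValueError("max_entries_per_user must be between 1 and 1000000")
    lists = SenderLists()
    counts: dict[str, int] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        sep = "\t" if "\t" in line else ","
        parts = [p.strip() for p in line.split(sep)]
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected recipient,sender,action")
        recipient = _address(parts[0], lineno, "recipient")
        sender = _address(parts[1], lineno, "sender")
        action = parts[2].lower()
        if action not in VALID_ACTIONS:
            raise ValueError(f"line {lineno}: action must be block or trust")
        counts[recipient] = counts.get(recipient, 0) + 1
        if counts[recipient] > max_entries_per_user:
            raise ValueError(f"line {lineno}: {recipient} exceeds {max_entries_per_user} entries")
        target = lists.trusted if action == "trust" else lists.blocked
        target.setdefault(recipient, set()).add(sender)
    return lists


def decide(lists: SenderLists, sender: str, recipients: list[str],
           blocked_action: str = "Reject") -> dict[str, str]:
    """Per-recipient disposition of one inbound message.

    As the guide states: the Trusted list is processed before the Blocked list,
    so a sender on both is delivered; a blocked sender gets the global action
    (Reject with notification, or Discard); other recipients get normal delivery."""
    if blocked_action not in ("Reject", "Discard"):
        raise ValueError("blocked_action must be Reject or Discard")
    sender = sender.lower()
    outcome: dict[str, str] = {}
    for rcpt in recipients:
        rcpt = rcpt.lower()
        if sender in lists.trusted.get(rcpt, set()):
            outcome[rcpt] = "deliver (trusted)"
        elif sender in lists.blocked.get(rcpt, set()):
            outcome[rcpt] = blocked_action.lower()
        else:
            outcome[rcpt] = "deliver"
    return outcome


if __name__ == "__main__":
    lists = parse_list(SAMPLE_LIST)
    print(decide(lists, "spammer@example.net",
                 ["alice@example.com", "bob@example.com", "carol@example.com"]))
```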

Adding Trusted and Blocked Senders

To create a Trusted or Blocked Senders List:

1. Log in to your WebMail account.

Users do not need a local account on the system. Users’ logins can be authenticated via RADIUS or LDAP to an authentication server such as Active Directory. The user’s Trusted Senders List is saved locally on the system.

2. Select Trusted Senders or Blocked Senders from the top-left drop-down menu.

3. Enter an email address and click the Add button.

11 Secure WebMail

Secure WebMail Overview

The Secure WebMail feature provides a highly secure mechanism for accessing webmail services such as Microsoft OWA (Outlook Web Access), Lotus iNotes, and IMAP servers. Webmail services provide a simple remote interface for users to access their mail server mailboxes remotely via a web browser.

As these webmail services are accessible from the Internet, they present a number of security challenges. The Secure WebMail feature is designed to support the use of webmail services while protecting Webmail servers from Internet attacks. The connection is managed using a full application proxy. The WatchGuard XCS completely recreates all HTTP/HTTPS requests made by the external client to the internal webmail server.


In a clustered environment, the Secure WebMail proxy can only be enabled on the Primary system in the cluster.


Configure Secure WebMail

To enable and configure Secure WebMail servers:

1. Select Configuration > Network > Interfaces.

2. Select the WebMail check box on the required network interface.

3. Select Configuration > WebMail > WebMail.

4. In the Servers section, click Add Server.

5. In the Address field, enter the IP address, hostname, or URL of the WebMail server.

WebMail servers must be running one of the following: IMAP, Outlook Web Access (OWA), or Lotus iNotes.

6. Enter an optional Label to describe this server.

7. Select any local users who will be able to access this server.

If local users are not used on the system and Remote Authentication is used, no configuration is required.

8. Select the Automatic Server Login check box to try the user’s WebMail ID/Login first before prompting for an ID and password.

Leave this option disabled to force a login prompt for each new server. This option enables single login capabilities to allow users to login to the WatchGuard XCS and their WebMail server with only one login.

The Automatic Server Login option should be disabled if the server is set to expire passwords after three failed attempts.

9. Select the Use Most Recent check box to try the most recently used credentials first when changing servers.

The Use Most Recent option only applies to users with more than one accessible WebMail server.

10. If required, select the Force Compatibility check box to ensure support for Outlook Web Access 2000 and limited support for OWA 2003.

11. If required, select the Make Invisible check box to make the server invisible to users in the Secure WebMail server drop-down list.

12. From the Keep Alive drop-down list, select the frequency to send keep-alive messages to the WebMail server to keep the client connection alive.

13. The following additional options can be set:

• Cached server passwords — This option, when enabled, will keep a copy of the user’s password until they explicitly log out. If a user switches servers, they will not need to re-enter their password.

• Share cookies between servers — Enable this option to ensure that when a user moves from server to server or is redirected to another server, the user’s session cookies are also passed along.

• Upload Maximum File Size — Enter the maximum file size upload allowed in megabytes.

14. Click Apply.

Access types

The following options enable controls in the WebMail interface for features such as the Spam Quarantine, Trusted and Blocked Senders, and Administrative Access.

• Administrative Access — Enables access to administrative functions if the user has administrative privileges, such as via Tiered Administration.

• Local Mail — Enables access to IMAP servers on the local network.

• Proxy Mail — Enables proxy mail access to other WebMail/IMAP servers. This is required for access to other web mail servers such as OWA or iNotes.

• User Spam Quarantine — Enables the Spam Quarantine controls.

• Trusted/Blocked Senders List — Enables the Trusted and Blocked Senders List controls.

For organizations that only want to use local mailboxes for the Spam Quarantine controls or Trusted Senders, it is recommended that you disable Local Mail and Proxy Mail access, while enabling Personal Quarantine Controls and Trusted/Blocked Senders.

This displays only those functions to the end user when they log into the WebMail account. Personal Quarantine and Trusted/Blocked Senders can be disabled if you are only using the Spam Quarantine summary email for these features and users do not need to log in locally.

At least one of these options must be enabled to allow WebMail access on a specified interface in Configuration > Network > Interfaces. If all of these access options are disabled, the WebMail access option on an interface will be disabled.

Configure Outlook Web Access

The Secure WebMail proxy provides a highly secure mechanism for accessing Microsoft OWA (Outlook Web Access). OWA uses a very similar interface to Outlook and provides an attractive, easy to use remote interface for users to access their Exchange mailboxes remotely. With OWA, users can see all of their mail, contacts, and calendar using a web browser.

As OWA is accessible from the Internet, its use presents a number of security challenges. The Secure WebMail Proxy feature is designed to support OWA use while protecting it from Internet attacks. The OWA connection is managed using a full application proxy. The WatchGuard XCS completely recreates all HTTP/HTTPS requests made by the external client to the internal OWA Exchange server. In a typical deployment, OWA users will connect to the OWA interface via the public interface of the WatchGuard XCS. The WatchGuard XCS will then proxy the traffic via its private interface to the OWA server. The connection is secure because the requests by the OWA clients are recreated by the WatchGuard XCS.

If the WatchGuard XCS is deployed in the DMZ of a network firewall, OWA users will first connect to the public interface of the network firewall. The traffic is forwarded to the WatchGuard XCS and then the requests will be recreated and forwarded to the OWA server. On the network firewall, incoming port 443 needs to be opened from the public interface to the DMZ to allow traffic from the Internet to the WatchGuard XCS. Port 80 from the DMZ to the private network also needs to be configured to allow the WatchGuard XCS to connect to the OWA server.

Enable the Secure WebMail OWA proxy

To configure the OWA proxy:

1. Select Configuration > WebMail > WebMail.

2. Click the Add Server button.

3. Specify the URL where OWA is located in the Address field, such as: http://owa.example.com/exchange/

4. In the Label field, enter an optional name to describe this server.

5. Select any local users that will be allowed to use OWA by selecting the corresponding check box.

This option can also be enabled from the user's individual mailbox properties. Users can also be authenticated to OWA via Active Directory/LDAP.


Secure WebMail

6. The WatchGuard XCS sends the user account portion of the user's mail attribute (such as user in the address [email protected]) to the OWA server by default.

Enable the Try Webmail ID/login first option if the LDAP user's sAMAccountName is equivalent to the mail attribute.

If this is different from the sAMAccountName attribute, the Try Webmail ID/login first option should not be selected. If it is selected, the user will get an invalid ID error message. The user will then need to enter their user name and password again to gain access to OWA.

7. Click Apply .

8. Select Configuration > WebMail > WebMail .

9. Select the Proxy mail check box in the Access Types section.

10. Select Configuration > Network > Interfaces .

11. Select the WebMail check box on the network interface that users will be accessing WebMail from.


Integration with OWA 2003

OWA (Outlook Web Access) provides a way to access Exchange server mailboxes and folders via standard web browsers, providing the advantage of platform independence. OWA 2003 is included with Microsoft Exchange 2003 server. By default, it will allow all users access to their mailboxes and public folders immediately after installation with no additional configuration. The WatchGuard XCS uses an application proxy to allow users to access OWA via a secure channel.

OWA uses IIS (Internet Information Services) to access the Exchange server. Configuration of directory security, authentication, and access control can all be performed with the Internet Information Services Management Console (MMC) accessed from the Administration Tools menu of the Windows server. The Exchweb folder stores most of the information required to run OWA.


Secure WebMail and OWA 2003 Configuration Issues

The following sections describe certain issues that may arise when running OWA 2003 with the Secure WebMail proxy.

Exchange Authentication

In OWA 2003, users must be authenticated before gaining access to resources on the Exchange server. There are two different folders that require configuration: Exchange and Exchweb .

1. Examine the Properties menu of the Exchange folder.

2. Select Directory Security .

3. Select Authentication and Access Control .

4. Click Edit .

5. Make sure that Basic Authentication is enabled.


Anonymous access

The Exchweb folder only requires anonymous access to allow access to webmail images.

To view the available options:

1. Examine the Properties menu of the Exchweb folder.

2. Select Directory Security .

3. Select Authentication and Access Control .

4. Click Edit .


A common configuration issue with integrating the WatchGuard XCS and OWA 2003 is that anonymous access may be turned off for the Exchweb folder for security reasons before implementing the WatchGuard XCS. After the WatchGuard XCS is installed and the Secure WebMail proxy enabled, the OWA server will not be accessible.

If OWA is not accessible, you may see one of the following symptoms:

• When logging in, icons like the Inbox , Calendars , Contacts , and Folders are not displayed.

• When accessing the interface by clicking on any of the functions, the session logs out.

Enabling Anonymous access on the Exchweb Authentication Methods screen will resolve this issue.

Although enabling anonymous access may seem insecure, users have already been authenticated by the WatchGuard XCS when they log in. In this configuration, the WatchGuard XCS acts as the first point of authentication for Secure WebMail and OWA access.


IP Address and domain name restrictions

IIS can be used to administer access control for hosted web sites. This feature can also be used for controlling access to OWA.

To configure IP address restrictions:

1. Select the Properties menu of the Exchweb folder.

2. Select Directory Security .

3. Select IP Address and Domain Name Restrictions .

4. Click Edit .

• When Granted Access is selected, all computers except the listed IP addresses, IP network ranges, or domain names will be granted access to OWA.

• When Denied Access is selected, all computers except those listed will be denied access.

When the WatchGuard XCS is deployed with OWA access, it acts on the requesting client’s behalf to establish the connection. As a result, the source IP address of the connection will be the IP Address of the WatchGuard XCS system. When access control is set to deny access for the IP Address of the WatchGuard XCS, users will not be able to access the OWA server properly and images on the screen will not be displayed.

The web server's log will show an error code of 403 for all the image files. The log files can be found in the following directory:

System root\WINNT\System32\LogFiles\W3SVC1

To enable the image files, the address of the WatchGuard XCS can be added to the list of IP addresses that are allowed access. With these types of IP address restrictions, a typical secure configuration is to only allow access from the IP address of the WatchGuard XCS system. All users should then be directed to the IP address or host name of the WatchGuard XCS for web mail access. With this configuration, all connections can be secured by the WatchGuard XCS.


User protocol settings

Each user's protocol settings can be modified to restrict or allow access to POP3, IMAP, and OWA. When there are problems accessing OWA, these settings should be examined and verified.

To view the protocol settings for each user:

1. Open Active Directory Users and Computers .

2. Right-click on the user account that needs to be modified and view its properties.

3. Navigate to the Exchange Features tab.

This menu can only be accessed after enabling the View > Advanced Features option.


4. Make sure Outlook Web Access in the Protocols section is enabled.

If this is not enabled, logging in to the OWA server via the WatchGuard XCS will result in the “HTTP/1.0 403 Forbidden” error.


Local NTFS Permissions

As the WatchGuard XCS only supports anonymous access, the account that is used for anonymous access needs to have the appropriate permissions for accessing local Exchange resources.

To configure the permissions:

1. In the IIS configuration, right-click on the Exchweb folder.

2. Select Properties .

3. Select Directory Security .

4. Select Authentication and Access Control .

5. Click Edit .


6. The default account that is used for anonymous access should be IUSR_<computer name>.

If the computer name is OWAPC, the user account will be IUSR_OWAPC. Ensure that this user has permissions for the following directory:

System Root\Program Files\Exchsrvr\exchweb

7. Right-click on the directory and select Properties .

8. Select the Security tab.


9. Make sure that the Authenticated Users group has Read & Execute , List Folder Contents , and Read permissions set to Allow .

The Authenticated Users group includes the anonymous user (IUSR_<computer name>) as specified by IIS.


WebMail Client

Using the WebMail client, you can access local mailboxes, IMAP Servers, administrative access, the User Spam Quarantine, and the Trusted/Blocked Senders List. WebMail logins can be authenticated either as local users or remote LDAP and RADIUS users.

From a web browser, enter the hostname or IP address of the WatchGuard XCS system running WebMail.

Log in with your local or LDAP/RADIUS User ID and password. After you have successfully logged in, the WebMail interface will be displayed.

Configuring WebMail client options

To configure WebMail Client options:

1. Select Configuration > WebMail > WebMail .

2. Go to the WebMail Options section.


3. Select the New Mail Popup check box to enable a popup window for new mail notifications.

To see popup windows, your web browser must have popups enabled.

4. Select the Minimize Popups check box to minimize the use of new popup browser windows by using the main frame.

5. Select the Enable Inline HTML-mail Viewing check box to enable the viewing of HTML mail.

For security reasons, any scripts and fetches for external objects are filtered out.

6. Select the Save Sent Mail check box to enable the saving of sent mail in the user’s mailbox.

7. Enter the name of the Sent Mail-box folder, if it is enabled.

8. Enable the Editable From check box to allow a user to edit the From: field when composing mail.

9. Click Apply .


12 Policies

Policy Overview

Policy controls allow specific messaging security features to be customized and applied to different email domains, user groups, or individual users.

The features that can be used with Policy controls include the following:

• Intercept features (Anti-Virus, Spyware, Outbreak Control, Anti-Spam actions and thresholds)

• Content Controls (OCF, Attachment Scanning, Content Scanning, Document Fingerprinting, Content Rules, Pattern Filters)

• Anti-Spam options (Intercept scanners, Component weights)

• Email features (Annotations, Encryption, Archiving, DomainKeys signing)

• Web Proxy

Policy controls enable granular settings to be applied for each specific domain, group, or user. For example, Intercept Anti-Spam settings can be enabled for specific domains, while turned off and disabled for other domains. Each Anti-Spam action can be customized so that one domain rejects spam messages, while another domain modifies the subject header of a spam message. Spam thresholds and Intercept component weights can also be customized for different domains, groups, and user addresses.

Content control actions for inbound and outbound messages can also be specifically defined for the requirements of each domain, group, or user. For example, you can enable inbound and outbound Content Scanning and Attachment Control checks for some domains, while only checking inbound messages for other domains.

Specific features can be enabled or disabled independently for Email message and Web requests, and separate actions can be applied for inbound and outbound traffic.


Sender and recipient policy determination

When a message arrives, the system will determine a set of policy settings for each message recipient as follows:

• If the message is outbound (trusted), and is addressed to a non-local recipient, then the sender’s policy settings will be used for that recipient.

• If the message is inbound (untrusted), or is trusted but addressed to a local recipient, then the recipient’s policy settings will be used for that recipient.

• The recipient’s policy will take precedence if both the sender and recipient addresses match a policy.

Policy settings are processed after any mail mappings. If the final recipient is a local user or a user in a domain that the WatchGuard XCS routes mail for, then it is considered a local recipient.

Policy hierarchy

There are four types of policies that can apply to a user: the User Policy, Group Policy, Domain Policy, and Default Policy. Recipients can belong to multiple policies. For example, the recipient [email protected] may have a user-based policy for [email protected] and a policy based on the domain example.com.

The final policy for the recipient will be the merging of any existing policies for that user, with any conflicting settings resolved in the following order of precedence:

• User Policy ([email protected])

• Group Policy (Sales)

• Domain Policy (example.com)

• Default Policy

• Global settings

For example, if User and Domain policies are defined and enabled, and the Anti-Virus feature is defined and enabled in only the Domain policy but undefined in the other policies, Anti-Virus will be enabled. To override this Domain policy for a user, define the Anti-Virus feature as disabled in the User Policy.

Multiple group policies

In cases where a user belongs to multiple groups, the group order determines the precedence. In the Group Policy configuration screen, administrators can arrange the list of groups into priority order.

For example:

• A user belongs to Group1 and Group2

• Group 1 Policy is set to a higher priority than Group 2 Policy

• Group 1 Policy has Token Analysis enabled and defined

• Group 2 Policy has Token Analysis disabled and defined

The final result is that the user’s email will be scanned by Token Analysis.

Group policies are not merged as they are with user and domain policies. If a user belongs to more than one group, only the first group policy in the specified group ordering is applied.
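The following Python block is an added example, not the appliance's own code. It models the sender/recipient policy determination and the User > Group > Domain > Default > Global resolution described above, including the rule that a feature disabled globally cannot be re-enabled by a policy and the rule that only the first group (in the administrator's group order) is applied rather than merged. Policy names, feature names, group names and addresses in the sample store are constructed for illustration; a feature absent from a policy dict stands for "Undefined".

```python
"""Added example, not WatchGuard code: resolving a recipient's effective
settings under the User > Group > Domain > Default > Global hierarchy."""
from dataclasses import dataclass, field
from typing import Dict, List

# A policy is {feature: "Enabled" | "Disabled"}; a feature that is absent
# from the dict is "Undefined" and inherits from the next level down.
Policy = Dict[str, str]


@dataclass
class PolicyStore:
    global_settings: Policy                      # every feature is listed here
    default_policy: Policy = field(default_factory=dict)
    domain_policies: Dict[str, Policy] = field(default_factory=dict)
    group_policies: Dict[str, Policy] = field(default_factory=dict)
    user_policies: Dict[str, Policy] = field(default_factory=dict)
    group_order: List[str] = field(default_factory=list)   # highest priority first


def policy_subject(trusted, recipient_is_local):
    """Whose policy governs this recipient: the sender's only for trusted
    (outbound) mail to a non-local recipient, otherwise the recipient's."""
    return "sender" if trusted and not recipient_is_local else "recipient"


def first_group_policy(store, groups):
    """Group policies are not merged: only the highest-ordered group the
    user belongs to that has a policy is applied."""
    for name in store.group_order:
        if name in groups and name in store.group_policies:
            return store.group_policies[name]
    return {}


def resolve(store, address, groups=()):
    """Return {feature: state} for one address. The first policy level that
    defines a feature wins; a feature disabled globally stays disabled."""
    domain = address.split("@", 1)[1].lower()
    layers = [
        store.user_policies.get(address.lower(), {}),
        first_group_policy(store, set(groups)),
        store.domain_policies.get(domain, {}),
        store.default_policy,
        store.global_settings,
    ]
    effective = {}
    for feature, global_state in store.global_settings.items():
        if global_state == "Disabled":
            effective[feature] = "Disabled"
            continue
        effective[feature] = next(layer[feature] for layer in layers if feature in layer)
    return effective


def sample_store():
    """Constructed policies mirroring the examples in the text."""
    return PolicyStore(
        global_settings={"Anti-Virus": "Enabled", "Token Analysis": "Enabled",
                         "Spyware": "Disabled"},
        domain_policies={"example.com": {"Anti-Virus": "Enabled"}},
        group_policies={"Group1": {"Token Analysis": "Enabled"},
                        "Group2": {"Token Analysis": "Disabled"}},
        user_policies={"alice@example.com": {"Anti-Virus": "Disabled"}},
        group_order=["Group1", "Group2"],
    )


if __name__ == "__main__":
    store = sample_store()
    # alice: User policy disables Anti-Virus; Group1 (first in order) keeps Token Analysis on.
    print(resolve(store, "alice@example.com", ["Group1", "Group2"]))
    # bob: inherits Anti-Virus from the domain policy; Group2 turns Token Analysis off.
    print(resolve(store, "bob@example.com", ["Group2"]))
```

The `Spyware` feature shows the global override: it stays disabled for every address no matter what a policy says, which is the behaviour to expect when a feature appears to be "stuck" off despite a policy enabling it.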


Pattern filter priority

When using Pattern Filters with policies, there may be situations with conflicting priorities for global Pattern Filters and policy Pattern Filters. When processing Pattern Filter rules, the system makes the following decisions:

1. The priorities of all actions are taken into consideration. If there is only one “High” priority action, that filter will be used.

2. For Pattern Filters that have the same priority, policies are resolved in the following order:

• User Policy

• Group Policy

• Domain Policy

• Default Policy/Global settings

3. For the same priority and same policy level, actions are resolved in the following order:

• Bypass

• Reject

• Discard

• Quarantine

• Certainly Spam

• Redirect

• Trust

• Relay

• Accept

• Just Log

When creating pattern filters in policies, certain message parts such as Envelope-to and Envelope-from , Client IP , and Host , are not available. Pattern Filters on these message parts can cause actions to trigger before the recipients are known, and therefore these are not available for use in policies.

BCC and Do Not Train actions will not prevent lower priority actions from being triggered. For example, a BCC action at “High” priority in the global Pattern Filter list and an Accept action at “Medium” priority in a policy will result in an Accept and a BCC action.
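As an added example (not appliance code), the block below applies the three-step resolution just described to a set of matched Pattern Filters: highest priority first, then policy level, then the fixed action order, with BCC and Do Not Train treated as additive actions that fire alongside whichever other action wins. Filter names and the sample matches are constructed; the choice to let BCC and Do Not Train fire regardless of their own priority is an assumption, since the text only states that they do not suppress lower-priority actions.

```python
"""Added example, not WatchGuard code: resolving conflicting Pattern Filter
actions by priority, then policy level, then the documented action order."""
from dataclasses import dataclass

PRIORITY_RANK = {"High": 0, "Medium": 1, "Low": 2}
# Default Policy and Global settings share the lowest policy level.
LEVEL_RANK = {"User": 0, "Group": 1, "Domain": 2, "Default": 3, "Global": 3}
ACTION_ORDER = ["Bypass", "Reject", "Discard", "Quarantine", "Certainly Spam",
                "Redirect", "Trust", "Relay", "Accept", "Just Log"]
ACTION_RANK = {action: i for i, action in enumerate(ACTION_ORDER)}
# Assumption: these never suppress another action and always fire themselves.
ADDITIVE = {"BCC", "Do Not Train"}


@dataclass(frozen=True)
class Match:
    name: str       # filter name, so logs can say which rule decided
    priority: str   # High / Medium / Low
    level: str      # User / Group / Domain / Default / Global
    action: str


def rank(match):
    """Sort key: priority first, then policy level, then the action order."""
    return (PRIORITY_RANK[match.priority], LEVEL_RANK[match.level],
            ACTION_RANK[match.action])


def resolve_actions(matches):
    """Return (name of the deciding filter or None, frozenset of actions)."""
    additive = {m.action for m in matches if m.action in ADDITIVE}
    decisive = [m for m in matches if m.action not in ADDITIVE]
    if not decisive:
        return None, frozenset(additive)
    winner = min(decisive, key=rank)
    return winner.name, frozenset(additive | {winner.action})


if __name__ == "__main__":
    # The case from the text: BCC at High in the global list plus Accept at
    # Medium in a policy results in both Accept and BCC.
    print(resolve_actions([
        Match("global-bcc", "High", "Global", "BCC"),
        Match("policy-accept", "Medium", "Domain", "Accept"),
    ]))
```

Returning the deciding filter's name alongside the action set is what you want when troubleshooting an unexpected reject: it identifies which global or policy filter won the tie-break.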


Create Policies

The following sections describe how to enable and define policies. The general steps are as follows:

1. Define global settings

2. Configure the Default Policy

3. Add and define new Domain, Group, and User Policies

Define global settings

Before creating specific domain and user policies, we recommend that you globally define their default settings for Intercept, Anti-Spam, Content Controls, and other features before defining more granular policies based on these global settings.

These settings will be inherited by the default policy, which is the policy used by all users that do not belong to a specific policy.

If you disable a feature globally, it cannot be enabled by a policy. The feature will be completely disabled, regardless of how a policy is configured.

Configure the Default policy

1. Select Security > Policies > Policies .

The default policy cannot be disabled or deleted.

2. Click the Configure link to configure the default policy.

3. The General tab allows the administrator to configure basic settings for this policy, such as the policy name and description.


• Name — Enter a descriptive name for this policy. Note that special characters cannot be used. For the default policy, the name can be changed, but the policy cannot be disabled.

• Description — Enter a description for the policy.


4. The features for each policy are displayed in the Policy Summary section.

The display will indicate the settings for each policy feature.

5. Click the Edit link for each set of features to modify the policy as required.

Anti-Spam and Anti-Virus

Configure your settings for this policy for inbound and outbound Anti-Virus, Spyware, Outbreak Control, Malformed Mail, and Anti-Spam. Select Enabled or Disabled for each option as required for this policy, or select Undefined to use the inherited settings from another policy, the default policy, or the global settings.


• Anti-Virus — Enable or disable inbound and outbound Anti-Virus for this policy for Email and HTTP. The scanner must be enabled globally to be used in policies. Independent inbound and outbound actions and notifications can be set for the Email and HTTP scanners for this policy.

• Spyware — Enable or disable inbound and outbound Spyware detection for this policy for Email and HTTP. The scanner must be enabled globally to be used in policies. Independent inbound and outbound actions and notifications can be set for the Email and HTTP scanners for this policy.

• Outbreak Control — Set the inbound and outbound Outbreak Control settings for this policy. Outbreak Control must be enabled globally to use this feature in policies. The Detection Hold Period is set in hours. The default hold period is 8 hours. In most cases, the Anti-Virus pattern files will be updated within 2-4 hours of a new virus being discovered. We recommend that you set the hold period for a long enough time to allow the files to be rescanned with updated Anti-Virus pattern files as they become available.

• Malformed Mail — Set the Malformed Mail settings for this policy. Malformed Mail scanning must be enabled globally to use this feature in policies.

• Anti-Spam — Set the Anti-Spam settings for each spam category ( Certainly , Probably , and Maybe Spam ) for this policy. The Threshold spam score for each category should be set between 1-100. (The default global values are: Certainly Spam: 99, Probably Spam: 90, and Maybe Spam: 60). Independent notification actions can be set for the Email and HTTP scanners for this policy. Scanner settings and component weights for each Intercept feature can also be configured.

• Scanners — Enable or disable each Intercept scanner for this policy. The scanner must be enabled globally to be used in policies. For Spam Words, dictionaries for this policy can be defined by selecting Define in the Spam Words Dictionaries section. For Weighted Dictionaries, administrators can enter a custom weight for this policy, which must be between 1 and 10000.

• Intercept Global Decision Strategy — Set the Intercept Decision Strategy to use for this policy.

• Intercept Global Component Weights — Set the component weights for each Intercept component for this policy. Each weight must be a number between 0 and 100.


Content Control policy settings

Configure your Content Control settings for this policy for inbound and outbound Attachment Control, Content Scanning, the Objectionable Content Filter (OCF), and Pattern Filters. Select Enabled or Disabled for each option as required for this policy, or select Undefined to use the inherited settings from another policy, the default policy, or the global settings.


In both inbound and outbound Attachment Control, the following settings can be configured:

• Attachment Control — Enable or disable Attachment Control for this policy. The scanner must be enabled globally to be used in policies.

• Edit Email Types — Enable or disable the editing of the Attachment Control email types list for this policy. For email, click the Edit Types button to edit the list of attachment types for email for this policy. If disabled, the Attachment Control types list of the default policy or other overriding policy will be used. For HTTP, click the Edit Types button to edit the list of attachment MIME types for HTTP for this policy. The Web Proxy uses the HTTP Content Header to determine the MIME type of the file, and file extensions should not be entered. If disabled, the Attachment Control types of the default policy or other overriding policy will be used.

• Action — Click the Edit button to configure the action to take when a blocked attachment is detected in email traffic. Notifications can be enabled for the administrator and the user. Notifications can be customized only in the default policy. For HTTP, click the Edit button to configure the specific action to take when a blocked attachment is detected in HTTP traffic. Select Reject to reject the message, or Just Log to accept the message and log the event in the HTTP Proxy log. Notifications can be enabled for the administrator and the user. Notifications can only be customized in the default policy. Notifications will be sent only for a Reject action, not Just Log .

• Attachment Size Limits — Enable or disable Attachment Size Limits for inbound and outbound email messages. Enter the attachment size limit (in bytes). Attachments greater than this threshold will trigger the defined Email Action . The global default is 10240000 bytes. Set to “0” to indicate no limit. The Maximum Message Size configured in Configuration > Mail > Access is also set to 10240000 bytes, and this threshold will be exceeded if the attachment size is close to the attachment size limit. It is recommended that the Maximum Message Size value be at least 1.5 times the value of the Attachment Size Limit to ensure that large attachments will not exceed the Maximum Message Size.

• Content Scanning — Set the inbound and outbound Content Scanning settings for email and HTTP for this policy. Content Scanning must be enabled globally to use this feature in policies. Select the Compliance dictionaries for use with this policy. For weighted dictionaries, a weighted threshold can be set from 1-10000. Independent actions and notifications can be set for the email and HTTP scanners for this policy.


• Objectionable Content Scanning — Set the inbound and outbound OCF Scanning settings for email and HTTP for this policy. OCF must be enabled globally to use this feature in policies. Select the OCF dictionaries for use with this policy. For weighted dictionaries, a weighted threshold can be set from 1-10000. Independent actions and notifications can be set for the email and HTTP scanners for this policy. Notification settings can be customized only in the default policy.

• Document Fingerprinting — Enable or disable Document Fingerprinting for this policy. Document Fingerprinting must be enabled globally to use this feature in policies. Enter a Document Fingerprinting threshold between 0 and 100. Scores closer to “0” indicate the Allowed category. Scores closer to 100 indicate the Forbidden category. A score greater than the threshold will trigger the specified email action. Document Fingerprinting is applicable only to email messages.

• Content Rules — Enable or disable Content Rules for this policy. Content Rules must be enabled globally to use this feature in policies. Set the inbound and outbound Content Rules for this policy. Pattern Filters must also be enabled for Content Rules to work.

• Pattern Filters — Click the Edit Filters button to define email traffic pattern filters for use with this policy. Disabling Pattern Filters in a policy will not disable any globally defined Pattern Filters.

Email policy options

Configure your email settings for this policy for the Annotations, PostX Encryption, Archiving, and DomainKeys features. Select Enabled or Disabled for each option as required for this policy, or select Undefined to use the inherited settings from another policy, the default policy, or the global settings.


• Annotations — Enable or disable annotations for this policy.

• Edit Annotations — Enable or disable a customized Annotation for this policy. A custom annotation can be used with the policy by clicking the Edit Annotations button. If this option is disabled, the default policy Annotation will be used. This annotation is applied to outgoing mail messages only.

• PostX Encryption — Enable or disable PostX encryption for this policy. PostX Encryption must be enabled and configured globally to use this feature in policies.


• Archiving Headers — Set any archive headers (for High, Medium, and Low Priority) for this policy. A proper X header must be used such as “X-Archive: high”. Archiving must be enabled globally to use this feature with policies.

• DomainKeys — Set the DomainKeys configuration for this policy. DomainKeys must be enabled globally to use this feature with policies. Edit the list of Selector Names that will be used with the policy by clicking the Edit List button.

HTTP policy options

The HTTP Proxy must be enabled globally before configuring it for use in policies. Select Enabled or Disabled for each option as required for this policy, or select Undefined to use the inherited settings from another policy, the default policy, or the global settings.

If the HTTP and HTTPS Access fields are "Undefined", they will inherit the state of the global setting for the HTTP Proxy (enabled or disabled).


• HTTP Access — Enables the Web Proxy to control and manage access to external web sites. Web clients must set their web browser proxy to the address of this system, such as server.example.com:8080. If authentication is enabled, users must authenticate to the system using their User ID and password. A local account must be set up, or HTTP users must authenticate directly to an LDAP server. If authentication is not enabled and all users are allowed to use the Web Proxy, the users will use the default policy.

• HTTPS Access — Enables the Web Proxy to control and manage access to external web sites using HTTPS. Note that content inspection cannot be performed on HTTPS traffic.

• Trusted Sites — The Trusted Sites list allows the administrator to upload a list of specific web sites that when accessed, will bypass all scanning features. These include Anti-Virus, HTTP content control features (Attachment Control, Objectionable Content, Content Scanning), and URL filtering features (URL Blocking and URL Categorization). Trusted Sites lists are configured using the Dictionaries & Lists feature. Use a domain type list that contains a list of domains such as example1.com and IP addresses such as 192.168.1.128.


• Blocked Sites — Select a predefined list of Blocked Sites, or set to None to allow all sites. The Blocked Site list is configured via the Dictionaries & Lists feature. Use a domain type list that contains a list of domains such as example1.com and IP addresses such as 192.168.1.128. The Web Proxy will block these sites for all users.

If a site appears in both the Trusted and Blocked Sites lists, the Trusted Sites list takes precedence.

• URL Blocking — Enables URL blocking to block access to web sites that appear on a URL Block List. The system will check the requested URL to see if it appears on a block list, using the Intercept Anti-Spam engine's URL Block List feature.

• Upload and Download Limit — Enter the size limit (in megabytes) for HTTP downloads and uploads. The default is 7 MB. Leave the field blank or set it to “0” for no limit. Files larger than this size will either be bypassed or blocked depending on the configured action.

• Download and Upload Limit Action — Set the Download Limit Action and Upload Limit Action that will be applied when the size threshold is exceeded:

  o Undefined — Any limits and actions on downloads and uploads will use the inherited settings from another overriding policy or the default policy.

  o Block — The file transfer will be blocked and an error message will be sent to the web client indicating the reason the download or upload was blocked.

  o Bypass — The file transfer will not be blocked and will bypass any HTTP content scanning. This allows larger files to be uploaded or downloaded while preventing them from using up too many scanning resources because of their size. This is the default value.

• URL Categorization — Enables URL Categorization for use with this HTTP policy. URL Categorization prevents HTTP access to web sites by using a predefined list of blocked web sites organized in several topic categories. Each web site category can be enabled or disabled in this policy by the administrator. The HTTP action for connections blocked by URL Categorization can also be configured.

Any web sites defined in the Trusted or Blocked Sites list will override URL Categorization blocking.

Add and define domain, group, and user policies

When global settings and default policy settings are defined, administrators can then create and define policies for Domains, Groups, and Users.

Domain, Group, and User policies are described in detail in the following sections.


Domain Policies

When global settings and the default policy have been defined, more granular policy settings can be configured by creating policies for specific domains, groups, and users.

Domain policies can be created to enable different policies for different domains in an organization. For example, administrators might require that different domains need separate annotations (such as a legal disclaimer) appended to their messages.

Create a policy definition for this domain as follows:

1. Select Security > Policies > Policies .

2. Click the Create New Policy link.

3. Enter a name for this policy, such as example.com.

4. Select the Enable This Policy check box.

5. Enter a detailed Description for this policy.

6. Customize the policy as appropriate by selecting the feature tabs, such as Anti-Virus and Anti-Spam , Content Controls , etc.

• For example, to customize an annotation for this domain policy, select the Email section.

• Select Enabled for the Annotations drop-down list.

• Click the Edit Annotations button to customize the annotation that will be appended to messages for this domain.

• Click Apply to save the annotation.

7. Click Apply to save the domain policy.

8. Select Security > Policies > Domain Policy to add the example.com domain.


9. Select the policy in the Policy drop-down list.


10. Enter the domain that this policy will apply to, such as: example.com

Use a leading “.” to indicate subdomains of the specified domain, such as: .example.com

This will match a.example.com, b.example.com, and c.d.example.com, but not example.com.

11. Click Add .

Uploading and downloading domain policy lists

A list of domains and corresponding policies can also be uploaded in one text file. The file must contain comma or tab separated entries with one entry on each line in this format:

[Domain],[policy name]

For example:

example.com,Example1Policy
example2.com,Example2Policy
example3.com,Example3Policy

The file (domain_policy.csv) should be created in csv file format using a text editor. It is recommended that you download the domain file first by clicking Download File , edit it as required, and upload it using the Upload File button.
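The block below is an added example, not the appliance's own code, covering both the leading-“.” subdomain rule from step 10 and the domain_policy.csv format above: it parses comma- or tab-separated `[Domain],[policy name]` lines (rejecting malformed ones before upload) and looks up which policy a recipient domain would receive. The sample file contents and policy names are constructed; where more than one entry matches a domain, choosing the longest (most specific) pattern is an assumption of this example, since the text does not state how such overlaps are ordered.

```python
"""Added example, not WatchGuard code: validating a domain_policy.csv file
and applying the exact-domain versus leading-dot subdomain matching rule."""

# Constructed sample of an upload file; entries may be comma- or tab-separated.
SAMPLE_CSV = (
    "example.com,Example1Policy\n"
    ".example.com\tSubdomainPolicy\n"
    "example2.com,Example2Policy\n"
)


def parse_domain_policy(text):
    """Parse '[Domain],[policy name]' lines into (pattern, policy) tuples.
    Raises ValueError with the line number for any malformed line, so a
    bad file can be fixed before it is uploaded."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue                      # tolerate blank lines
        parts = [p.strip() for p in line.replace("\t", ",").split(",")]
        if len(parts) != 2 or not all(parts):
            raise ValueError(f"line {lineno}: expected '[Domain],[policy name]', got {raw!r}")
        entries.append((parts[0].lower(), parts[1]))
    return entries


def domain_matches(pattern, domain):
    """A leading '.' matches any subdomain (a.example.com, c.d.example.com)
    but not the bare domain; without it only an exact match counts."""
    pattern, domain = pattern.lower(), domain.lower()
    if pattern.startswith("."):
        return domain.endswith(pattern)
    return domain == pattern


def policy_for_domain(entries, domain):
    """Return the policy name for the domain, or None if nothing matches.
    Assumption: when several patterns match, the longest one wins."""
    candidates = [(len(p), policy) for p, policy in entries if domain_matches(p, domain)]
    if not candidates:
        return None
    return max(candidates)[1]


if __name__ == "__main__":
    entries = parse_domain_policy(SAMPLE_CSV)
    for d in ("example.com", "a.example.com", "c.d.example.com", "example3.com"):
        print(d, "->", policy_for_domain(entries, d))
```

Running the checks against the downloaded file before editing it is a cheap way to catch a stray third column or a missing policy name, which would otherwise only surface after the upload.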


Group Policies

Policies can be customized for users who belong to specific groups. For example, a Sales group might have different content scanning policies than users in the Development group. Group policies are also useful for providing different annotations or Anti-Spam features for each user group.

Enabling Group Policy

Before importing users and groups, enable Group Policy to ensure the imported groups are displayed in the group policy screen. If the Group Policy is enabled after an import, you must wait until the next scheduled import, or perform a manual import, before the list of groups appears on this screen.

In a cluster, Group Policy must be enabled first before importing users and groups.

1. Select Security > Policies > Group Policy .

2. Select the Enable Group Policy button.


Importing LDAP group information

Group membership information must be imported from an LDAP directory.

1. Select Configuration > LDAP > Directory Users .

The Directory Users screen appears.

Only the groups that the imported users belong to will be imported.


2. When you have set up your Directory Users and groups configuration, click Apply .

3. Click Import Now to import users and their corresponding group memberships from an LDAP directory.

4. Click Import Settings to set up scheduled imports.

Configuring group policy

When all group and user information has been imported, configure group policies as follows:

1. Select Security > Policies > Group Policy .

2. In the Select view field, select New to show the new groups that have been imported.

New imported groups will display New as their policy category, indicating that the group has just been imported and currently has no policy.

These new groups can then either be assigned the default policy, an existing configured policy, or have the policy set as Unassigned . Groups configured as New or Unassigned do not have an active policy.

A reimport of groups changes all previously “New” groups to “Unassigned”.

Re-Ordering groups

Group policies are applied in the order listed, if the user belongs to more than one group. For example, in the case of annotations, the annotation used for a user belonging to multiple groups will be the annotation for their first group listed in the group order.

Click Re-order Groups to reorder the priority of the group list.

A list of “Assigned” groups (groups assigned to a policy) will be displayed. Select a group to be moved, and then click the Up or Down buttons to move the group up and down the list order. Use the Top and Bottom buttons to move the selected group to the top or bottom of the list.

Only groups assigned to a policy will appear in the group re-order screen.

When you have finished the re-ordering of groups, click Apply .

Assigning group policies

Policies can be assigned to each group by selecting a specific policy from the drop-down box next to each group name. In this example, the sales , marketing , and dev groups have been configured to use their own separate group policies. When you are finished setting the policies for the required groups, make sure the check boxes for the groups that have been modified are selected, and then click the Apply link.

Uploading group policy lists

A list of groups and corresponding policies can also be uploaded in one text file. The file must contain comma or tab separated entries with one entry per line in this format:

[group],[policy name]

For example:

sales,salespolicy
marketing,marketingpolicy
dev,devpolicy

The file (group_policy.csv) should be created in CSV format using a text editor. It is recommended that you download the current group file first by clicking Download File, edit it as required, and upload it using the Upload File button.

Orphaned groups

Orphaned LDAP groups are groups that have been deleted from the LDAP directory but still exist in the local group list. Any policies configured for these orphaned groups will not be processed.

Click the Delete Orphans button to remove these groups from the group policy screen.

User Policies

Policies can be customized for individual user addresses. User policies take precedence over Domain and Group policies, and are useful for creating individual exceptions to these policies.

In the following example, a user policy will be created with customized Anti-Virus settings.

Configure a user policy as follows:

1. Select Security > Policies > Policies .

2. Click the Create New Policy link.

3. Enter a Name for this policy.

4. Select the Enable This Policy check box.

5. Enter a detailed Description of this policy.

6. Customize the Anti-Virus settings for both inbound and outbound directions for this user policy by selecting the Anti-Spam and Anti-Virus link.

7. When finished, click Apply to save this policy.

8. Select Security > Policies > User Policy to add a user address.

9. Select the policy created in the previous steps in the Policy drop-down list.

10. Enter the user address, such as [email protected], in the Email field.

11. Click Add to add the user address to the User Policy list.

Uploading and downloading user address lists

A list of users can also be uploaded in one text file. The file must contain comma or tab separated entries with one entry on each line such as:

[email],[policy name]

For example:

[email protected],User1Policy
[email protected],User2Policy
[email protected],User3Policy

The file (email_policy.csv) should be created in csv file format using a text editor. It is recommended that you download the user file first by clicking Download File , edit it as required, and upload it using the Upload File button.

Policy Diagnostics

The Policy Diagnostics screen allows administrators to test their policy structure, to make sure the final result for a specific user is the desired result. There are several policies that can apply to a single user, including domain policies, user policies, group policies, and the default policy.

By entering the user’s email address in the diagnostic screen, the final result of each policy feature will be displayed, including information on which policies were overridden by another policy with higher priority.

To run policy diagnostics:

1. Select Security > Policies > Diagnostics .

2. Enter a Sender address for this test if you are testing an outbound message.

This field can be left blank to indicate any sender for inbound mail.

3. Enter the test Recipient for the policy.

The final result displayed during the diagnostics will be the final policy result for this specific user.

4. Select a Direction for the message to determine policy results when the message is inbound or outbound.

5. In the Trusted option, select whether the message is considered to be from a trusted or untrusted source.

6. Click Lookup to start the policy diagnostics.

The Policy Diagnostics summary screen provides the administrator with a detailed analysis of how the various active policies combine to determine the final disposition of messages. The Policy Diagnostics screen includes a table that displays the WatchGuard XCS features that can be configured on a per-policy basis.

Each column displays the contributions to the disposition of the message by each policy (User, Group, Domain, and Default).

For each feature, an “X” indicates the defined policy was used to determine the final result. Any policies that were overridden by the applied policy are indicated by an “_” underscore character. An empty column indicates that a matching policy was not found by the policy resolution engine.

At the end of each feature row, the final result of the policy is indicated, such as “Disabled” for Kaspersky Anti-Virus.

Because policies are initialized with reasonable defaults, and those values may equal the overall default setting, the table can show a policy as contributing a value when no explicit configuration is responsible for it. For example, the default setting for Content Scanning is “disabled”.

If a user policy is defined, but Content Scanning is not part of that definition, and nothing else overrides the default, the table shows the Content Scanning result as coming from the user policy, even though the value is simply the default the user policy was initialized with.
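The resolution that the diagnostics table reports can be reproduced offline. The following Python script is an added example written for this page, not WatchGuard code: it parses the three upload files described in the preceding sections (domain_policy.csv including the leading-dot subdomain form, group_policy.csv in configured group order, email_policy.csv), resolves a recipient against them and prints X/_ markers per feature in the style of the diagnostics screen. Several things are assumptions rather than documented behaviour: the priority order User, Group, Domain, Default (taken from the column order above and the statement that user policies take precedence); the rule that the longest matching domain pattern wins when several overlap; the sample policy names, feature defaults and group memberships, which are all constructed. Every configured policy starts from the defaults, which reproduces the caveat just described.

```python
# Constructed sample upload files in the [key],[policy name] format described above.
# Comma and tab separators are both accepted; the group file order is the configured priority.
DOMAIN_POLICY_CSV = "example.com,Example1Policy\n.example.com,SubdomainPolicy\nexample2.com\tExample2Policy\n"
GROUP_POLICY_CSV = "sales,salespolicy\nmarketing,marketingpolicy\ndev,Unassigned\n"
EMAIL_POLICY_CSV = "user1@example.com,User1Policy\n"

# Constructed LDAP group memberships (address -> groups), as a directory import would provide.
MEMBERSHIPS = {"user1@example.com": {"marketing", "sales"}, "dave@example.com": {"dev"}}

# Per-policy features named in the guide; the default values are assumptions for illustration.
DEFAULTS = {"Anti-Virus": "Enabled", "Anti-Spam": "Enabled", "Content Scanning": "Disabled"}
COLUMNS = ("User", "Group", "Domain", "Default")   # priority order, highest first (assumed)


def make_policy(overrides=None):
    """A configured policy starts from the defaults and changes only the features listed.
    This is why a user policy that never mentions Content Scanning still 'contributes' it."""
    policy = dict(DEFAULTS)
    policy.update(overrides or {})
    return policy


# Hypothetical policy definitions matching the names used in the sample uploads.
POLICIES = {
    "User1Policy": make_policy({"Anti-Virus": "Disabled"}),
    "salespolicy": make_policy({"Content Scanning": "Enabled"}),
    "marketingpolicy": make_policy(),
    "Example1Policy": make_policy(),
    "SubdomainPolicy": make_policy({"Anti-Spam": "Disabled"}),
    "Example2Policy": make_policy(),
}


def parse_policy_list(text):
    """One [key],[policy name] entry per line, comma or tab separated; file order is kept."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        key, sep, policy = line.partition("\t" if "\t" in line else ",")
        if not key.strip() or not policy.strip():
            raise ValueError(f"line {lineno}: expected [key]{sep}[policy name], got {raw!r}")
        entries.append((key.strip().lower(), policy.strip()))
    return entries


def domain_matches(pattern, domain):
    """'.example.com' matches a.example.com and c.d.example.com but not example.com;
    a pattern without the leading dot must match the whole domain exactly."""
    return domain.endswith(pattern) if pattern.startswith(".") else domain == pattern


def resolve(recipient, user_list, group_list, domain_list, memberships):
    """Return {feature: (final value, markers)}; markers maps each column to 'X' (policy used),
    '_' (matched but overridden by a higher-priority policy) or '' (no matching policy)."""
    recipient = recipient.lower()
    domain = recipient.rsplit("@", 1)[-1]
    matched = {"Default": DEFAULTS}                     # column -> policy that matched
    for addr, name in user_list:
        if addr == recipient:
            matched["User"] = POLICIES[name]
            break
    for group, name in group_list:                      # first listed group the user is in wins
        if group in memberships.get(recipient, ()) and name not in ("New", "Unassigned"):
            matched["Group"] = POLICIES[name]
            break
    hits = [(pat, name) for pat, name in domain_list if domain_matches(pat, domain)]
    if hits:                                            # assumption: most specific pattern wins
        matched["Domain"] = POLICIES[max(hits, key=lambda hit: len(hit[0]))[1]]
    winner = next(col for col in COLUMNS if col in matched)
    markers = {col: "X" if col == winner else "_" if col in matched else "" for col in COLUMNS}
    return {feature: (matched[winner][feature], markers) for feature in DEFAULTS}


def diagnostics(recipient):
    """Resolve against the sample lists and render a Policy Diagnostics-style table."""
    result = resolve(recipient, parse_policy_list(EMAIL_POLICY_CSV), parse_policy_list(GROUP_POLICY_CSV),
                     parse_policy_list(DOMAIN_POLICY_CSV), MEMBERSHIPS)
    rows = [f"{'Feature':<18}" + "".join(f"{col:<9}" for col in COLUMNS) + "Result"]
    for feature, (value, markers) in result.items():
        rows.append(f"{feature:<18}" + "".join(f"{markers[col]:<9}" for col in COLUMNS) + value)
    return "\n".join(rows)


if __name__ == "__main__":
    for who in ("user1@example.com", "dave@example.com", "bob@a.example.com", "carol@example2.com"):
        print(who, diagnostics(who), sep="\n", end="\n\n")
```

Running it shows user1 getting Anti-Virus from User1Policy while the sales group and example.com domain policies are marked as overridden, dave (whose only group is Unassigned) falling through to the domain policy, and bob@a.example.com matching only the .example.com entry.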

13 Threat Prevention

Threat Prevention Overview

The Threat Prevention feature is used to detect and mitigate incoming threats. By default, the system can recognize the following threats:

• Directory harvesting
• Denial of Service (DoS) attacks
• Connections from blocked addresses
• Connections originating from addresses that send spam
• Connections originating from addresses that send viruses

Historical information about connecting IP addresses and how they behave is retained, allowing a configurable set of actions, including accept or reject, to be determined at connection time based on current and historical data. This information can also be pushed to a perimeter F5 ® or Cisco ® device that can be configured to rate limit, throttle, or block a given IP address for a period of time before it reaches the WatchGuard XCS.

How Threat Prevention works

The Threat Prevention feature performs the following tasks:

• Determines the threat level of connecting IP addresses and retains historical statistics about each address
• Acts on the connection’s IP address based on its connection history

The Threat Prevention feature is involved in several stages of mail delivery for a specific client IP address:

1. At connection request time, the history for the IP address is provided to the rules script that determines if the connection should be allowed or rejected, and identifies how to further classify the address into a specific data group.

2. After early mail scanning, the number of known and unknown recipients and DNSBL results are added to the history of the connecting address.

3. After full mail scanning, the results of Anti-Virus, Anti-Spam, and Malformed message scanning are recorded in the history of that IP address.

4. Prior to connection, an F5 or Cisco device (if configured) may block an IP address before it reaches the WatchGuard XCS, if the system is configured to push threat prevention information to the device.

Threat Prevention in a cluster

When using the Threat Prevention feature in a clustered environment, you only need to configure it on the Primary system of the cluster. The Primary system is the only point of contact between the cluster and any configured load balancing devices.

Threat Prevention decisions are based on per-system statistics, not on statistics for the entire cluster.

If you demote a Primary system, and promote a Secondary cluster system to be Primary, the cluster switches control and resynchronizes to the load balancing device. Threat Prevention runs independently on each system in the cluster, but only the Primary pushes data to the external devices.

Configure Threat Prevention

A Connection Rules script is run each time a client tries to connect to the system. This configurable script determines whether to accept or reject a connection based on its threat prevention history. The script performs an evaluation of the connection and drives the reject or accept decision. The script is also responsible for moving IP addresses into appropriate data groups.

To configure Threat Prevention:

1. Select Security > Anti-Spam > Threat Prevention > Configure .

2. Select the Enable Threat Prevention check box.

The default connection rules take effect immediately when you enable the feature. Examine and customize (if required) the default connection rules before you enable Threat Prevention.

Mail relays

Administrators can trust friendly local networks or addresses of known mail servers in their environment that relay mail via the WatchGuard XCS. These specific networks and servers can be added to the relays IP/CIDR list in the Threat Prevention configuration to prevent them from being blocked by Threat Prevention and ReputationAuthority, and to ensure that reputation statistics for these addresses are not reported to ReputationAuthority.

For example, in environments with a backup MTA (Mail Transfer Agent), the backup system may be blocked by Threat Prevention rules or improperly classified by ReputationAuthority. If the WatchGuard XCS is offline, mail is collected by the backup MTA as specified in the organization's MX records. When the system comes back online, this mail (which may include spam, viruses, and other infected mail) is forwarded from the backup MTA to the WatchGuard XCS for processing. If Threat Prevention or ReputationAuthority is enabled, the backup system may then be blocked, or receive a low reputation score from ReputationAuthority, because of the mail it relayed.

To add a system to the relays list:

1. Select Security > Anti-Spam > Threat Prevention > Configure .

2. Click internal hosts and friendly mail relays .

The relays static IP/CIDR list screen will appear.

3. Add the address of any internal relays and a description.

4. Click Add .

Connection rules

Threat Prevention implements connection rule checking by using a scripting language to drive the decision making process. The script can reject or accept mail given various statistics available at the time of client connection. The listed default rules are processed in order.

• Rule — A descriptive name for the rule.
• Rule ID — The ID number associated with the rule.
• Condition — Condition statement to execute. Condition statements are described in detail in the following section.
• List — Defines which data group the IP address is inserted into.
• Action — Action to take if the condition is “true”, such as Accept or Reject.
• Reject Code — Reply code to send to the connecting client.
  • For Reject, this is “450 (temporary)” or “550 (permanent)”.
  • For Accept, the reply code is set to “220 (OK)”.
• Move — Select the arrows as required to modify the processing order of the connection rules.

To add a new connection rule:

1. Click Add Rule .

2. Click Apply .

These rules are fully configurable, and the system checks the script when it is saved to ensure there are no syntax or execution errors.

3. Click the Advanced button to see the entire connection rules script based on the configured rules.

Create Threat Prevention Rules

The Threat Prevention feature runs a connection rules script each time a client tries to connect to the system.

The script determines whether to accept or reject a connection based on its threat prevention history. The script is also responsible for moving IP addresses into appropriate data groups, such as infected or spammers .

The full script itself is not editable, but it is updated with the condition statements and actions that are defined for each Threat Prevention rule. These rules are configurable, and the system checks the script when new rules are applied to ensure there are no syntax or execution errors.

Basic rule structure

The basic structure of a connection rule is as follows:

• Rule Condition — A set of criteria that must be met for the rule to be triggered, such as “stats1h.virus > 10” (more than 10 virus-infected messages sent in the last hour). The system collects over fifteen different types of data that can be used to create a rule condition.
• Action — Action to take when the rule condition is met, such as Accept or Reject.
• Reject code — The reject code to send back to the sending server, such as “temporary reject (450)” or “permanent reject (550)”.
• List — The data group to add this IP address to, if the condition is met. For example, a sender that triggers a spam rule can be placed in the spammers group.

Default connection rules

The default connection rules are active when the Threat Prevention feature is enabled. These rules include checks for typical conditions such as blocked clients, virus and junk mail senders, and denial of service (DoS) attempts. The default rules are also helpful for learning how to put together condition statements for customized connection rules.

Blacklisted clients

This rule checks to see if the client is already blocked by Threat Prevention. The condition statement “is_blacklist” simply checks if the client is listed in the blacklist IP/CIDR list. If the check is true, the client is rejected and added to the blacklisted data group.

Directory harvesters

This rule checks whether the client has been involved in directory harvesting activity intended to discover valid email addresses from the WatchGuard XCS. The following condition statement identifies a client as a directory harvester:

stats30m.bad_recipients >= 50 && stats30m.good_recipients < 3 && (!is_internal && !is_mynetworks)

This statement checks these conditions:

• the number of invalid recipients from the client in the last 30 minutes is greater than or equal to 50
• the number of good recipients from the client in the last 30 minutes is less than 3
• the client does not exist in the internal or mynetworks IP/CIDR lists (which would mark the client as trusted)

If all the conditions are met, the connecting system is rejected and entered into the harvesters data group.

Big virus senders

This rule checks whether the client has recently sent a large number of viruses. The following condition statement identifies a client as a source of viruses:

stats1h.virus > 10 && stats1h.perc_virus_to_messages > 50 && stats1h.perc_ham_to_messages < 25 && (!is_internal && !is_mynetworks)

This statement checks these conditions:

• the number of viruses received from this client in the last hour is greater than 10
• the percentage of virus-infected messages received from this client in the last hour is greater than 50
• the percentage of clean messages received from this client in the last hour is less than 25
• the client does not exist in the internal or mynetworks IP/CIDR lists (which would mark the client as trusted)

If all the conditions are met, the connecting system is rejected and entered into the infected data group.

DNSBL clients (on more than one list)

This rule checks whether the client has been listed on more than one DNS Block List of blocked clients. If the client is on more than one DNSBL, it is considered a known open relay that may send out a large number of spam messages. The following condition statement identifies a client that is on more than one DNSBL:

block_list > 1 && (!is_internal && !is_mynetworks)

This statement checks these conditions:

• the client exists on more than one DNSBL
• the client does not exist in the internal or mynetworks IP/CIDR lists (which would mark the client as trusted)

If all the conditions are met, then the connecting system is temporarily rejected and entered into the spammers data group.

DNSBL clients

This rule checks whether the client exists on only one DNS Block List. In this case, there is the possibility that the client is on this DNSBL by mistake, and the WatchGuard XCS makes additional checks to examine its recent history of mail messages. The following condition statement identifies a client that is on one DNSBL and sends a large number of spam messages:

block_list == 1 && stats30m.bad_mail > 10 && stats30m.ham < 2 && (!is_internal && !is_mynetworks)

This statement checks these conditions:

• the client exists on only one DNSBL
• the number of spam and junk messages received from this client in the last 30 minutes is greater than 10
• the number of clean messages received from this client in the last 30 minutes is less than 2
• the client does not exist in the internal or mynetworks IP/CIDR lists (which would mark the client as trusted)

If all the conditions are met, the connecting system is temporarily rejected and entered into the spammers data group.

Junk senders

This rule checks whether the client sends out a large amount of spam or junk mail in proportion to the number of legitimate messages. The following condition statement identifies a client that is sending a large amount of spam or junk, as compared to legitimate messages:

stats1h.bad_mail > 20 && stats1h.perc_ham_to_spam < 25 && stats5m.messages > 10 && (!is_internal && !is_mynetworks)

This statement checks these conditions:

• the number of spam and junk messages received from this client in the last hour is greater than 20
• the percentage of clean messages compared to spam received from this client in the last hour is less than 25
• the number of messages sent from this client in the last five minutes is greater than 10
• the client does not exist in the internal or mynetworks IP/CIDR lists (which would mark the client as trusted)

If all the conditions are met, the connecting system is temporarily rejected and entered into the tarpit data group.

Internal DoS

This rule checks whether the client is on an internal network and is using a lot of open connections that may result in a denial of service. The following condition statement identifies an internal client that is creating a large number of open connections:

open_connections > 50 && is_internal

This statement checks these conditions:

• the number of open connections from this client is greater than 50
• the client is listed in the internal IP/CIDR list

If all the conditions are met, the connecting system is temporarily rejected.

External DoS

This rule checks whether an external client is using a lot of open connections that may result in a denial of service. The following condition statement identifies an external client that is creating a large number of open connections:

open_connections > 20 && !is_internal

This statement checks these conditions:

• the number of open connections from this client is greater than 20
• the client is not listed in the internal IP/CIDR list

If all the conditions are met, the connecting system is temporarily rejected.

Excessive senders

This rule checks whether a client is sending so many messages that it could cause a denial of service. The following condition statement identifies a client that is sending an abnormal number of messages:

!is_peers && !is_internal && stats1h.messages > 50000

This statement checks these conditions:

• the client is not listed in the peers or internal IP/CIDR lists (which would mark the client as trusted)
• the number of messages sent from this client in the last hour is greater than 50000

If all the conditions are met, the connecting system is temporarily rejected.

Create connection rules

To create customized connection rules for the Threat Prevention feature:

1. Select Security > Anti-Spam > Threat Prevention .

2. Click Add Rule .

The following options can be configured:

• Description — Enter a descriptive summary of the rule.
• Condition — Enter a condition statement to execute, such as:

stats1h.bad_mail > 20 && (!is_internal && !is_mynetworks)

This statement checks whether the client has sent more than 20 bad messages in the last hour (bad_mail counts virus-infected, malformed, and spam messages together), and is not on the internal or mynetworks IP address lists. See “Build condition statements” on page 315 for detailed information on creating these statements.
• Action — Action to take if the condition is “true”. Options are Accept Mail or Reject Mail.

• Reject Code — Reply code to send to the connecting client. For Reject Mail, this is “450 (temporary)” or “550 (permanent)”. For Accept Mail, the reply code is set to “220 (OK)”.
• Reject Message — A customized reject message to send to the connecting client. The %IP% variable can be used to include the IP address of the client in the message.
• Add to List — Select a data group to add the client IP address to if the condition is true. These lists can be viewed and configured via Security > Anti-Spam > Threat Prevention > Data Groups.

Build condition statements

The Threat Prevention rules are based on condition statements that define various criteria for the connecting clients and their historical behavior. The following tables describe the variables, parameters, and Boolean operators available to create Threat Prevention rules.

General statistics

The following are general statistics that can be used when creating connection rules. They include items such as the IP address of the connecting client and how many open connections a client is using.

Statistic            Description
ip_address           The IP address of the connecting client.
current_group        The name of the data group the client IP address is currently in, if any.
open_connections     The current number of open connections from this IP address.
block_list           If DNS Block Lists are enabled, the number of lists the IP address is on.
rule_no              The connection rule number, for ordering purposes.

For example, as part of a condition statement to prevent denial of service attacks, check whether the client has a large number of open connections:

open_connections > 50

IP lists

The following parameters identify whether the client IP address is listed in any of the pre-defined IP lists (defined via Security > Anti-Spam > Threat Prevention > IP/CIDR Lists).

This allows you to check if the client IP address is trusted, because it is identified as an internal system, a network under your control, or a peer address. The client can also be blocked if it appears in the local blacklist.

IP/CIDR List     Description
is_internal      True if the client IP address is listed in the internal address list.
is_mynetworks    True if the client IP address is listed in the mynetworks address list.
is_peers         True if the client IP address is listed in the peers address list.
is_blacklist     True if the client IP address is listed in the blacklist address list.

For example, to check if the connecting client is in the blacklist IP/CIDR list, use the following condition statement:

is_blacklist

If the client is already listed in the blacklist IP list, the condition is true and the configured action is executed.

These lists can also be used to ensure clients are trusted because they are considered internal or under an organization's control. For example, to check for a large number of open connections, and to ensure this client is not an internal client, use the following statement:

open_connections > 50 && !is_internal

This statement matches clients that have more than 50 open connections and do not belong to the internal IP/CIDR list.

Email Statistics

The following email statistics can be used to build condition statements in the connection rules based on the types of messages received. These statistics identify the number of messages based on their classification, such as virus-infected, malformed, spam, and clean. Several statistics also indicate the percentage of one type of message to another, such as the percentage of spam messages to total messages received.

Email Statistic        Description
messages               Total number of messages from successful connections.
virus                  Number of virus-infected messages.
malformed              Number of malformed messages.
spam                   Number of spam messages (Intercept Certainly Spam or Probably Spam, and Pattern Filter spam).
ham                    Number of clean messages (not spam, virus, or malformed).
connection_attempts    Number of connection attempts.
bad_mail               Number of virus-infected, malformed, and spam messages combined.
bad_recipients         Number of unknown recipients (or 0 if the Reject on unknown recipient feature is disabled).
good_recipients        Number of legitimate recipients.

Email Statistic             Description
perc_ham_to_messages        Percentage of clean messages to the total number of messages.
perc_virus_to_messages      Percentage of virus-infected messages to the total number of messages.
perc_spam_to_messages       Percentage of spam messages to the total number of messages.
perc_malformed_to_messages  Percentage of malformed messages to the total number of messages.
perc_bad_to_messages        Percentage of bad messages (virus, malformed, and spam) to the total number of messages.
perc_ham_to_spam            Percentage of clean messages to the number of spam messages.

These email statistics must be used in combination with a specific time period. This allows you to check for the number of certain types of email messages, such as spam messages, in a certain time period such as 24 hours.

The following table describes various time periods that can be used in conjunction with the email statistics variables.

Time Period    Description
stats1m        Statistics for the last minute.
stats5m        Statistics for the last 5 minutes.
stats15m       Statistics for the last 15 minutes.
stats30m       Statistics for the last 30 minutes.
stats1h        Statistics for the last hour.
stats24h       Statistics for the last 24 hours (1 day).

Specify the time period and the email statistic separated by a “.” (period). For example, to check how many spam messages were received in the last 24 hours, use:

stats24h.spam

To check the percentage of spam messages compared to the total number of messages in the last hour, use:

stats1h.perc_spam_to_messages

Boolean operators and syntax

The following are the Boolean and comparison operators that can be used when building condition statements. Use parentheses to make the order of evaluation explicit when combining operators, for example (a && (b || c)), which evaluates as a AND (b OR c).

Operator    Description
&&          and
||          or
!           not
>           Greater than
<           Less than
==          Equal to
>=          Greater than or equal to
<=          Less than or equal to

For example, to ensure a host is not listed in the internal and mynetworks IP/CIDR lists (which would mark it as trusted for Threat Prevention), use the following:

!is_internal && !is_mynetworks

The following example shows how to use multiple Boolean operators to combine condition statements:

stats30m.bad_recipients >= 50 && stats30m.good_recipients < 3

This example checks the number of good and bad recipients in the last 30 minutes. If the bad recipients are greater than or equal to 50, and the good recipients are less than 3, then the condition is true.

Connection rules script error checking

When you are finished with the changes and additions to the connection rules, click the Apply button. The results of the script test will be shown, including any syntax errors if they occur. If an error occurs, examine the rule you just applied and check the condition statement to ensure that it conforms to the proper syntax and that any variables or parameters are entered correctly.

IP/CIDR Lists

IP/CIDR address lists are used to define specific groups of IP addresses that affect Threat Prevention processing. When a client connects, the connection rules script will look up the client’s IP address in the existing IP/CIDR lists and perform any defined actions for that list. This allows you to trust, block, or provide additional classification for a specific IP address or subnet.

For example, if the address is listed in the blacklist , the connection rules script will reject the message.

Addresses in the peers or mynetworks list can be exempted from some of the checks because they are known sources or internal networks of your organization.

It is critical that administrators add any non-routable networks used locally to the internal address list and ensure any networks under an organization’s control or friendly networks are listed in the mynetworks and peers list respectively. This prevents any local addresses from being affected by Threat Prevention processing.

To configure IP/CIDR lists:

1. Select Security > Anti-Spam > Threat Prevention > IP/CIDR Lists .

• blacklist — List of any IP addresses or networks from which you never want to receive email.
• internal — List of internal non-routable IP addresses from which you will always accept mail, such as the 192.168.0.0 network.
• mynetworks — A list of networks and subnets that are under your organization’s control from which you will always accept mail.
• peers — A list of special sites such as peer ISP networks from which you will typically always accept mail. The peers list is not used by the default connection rules. Administrators must modify the current rules or add a new connection rule to use this list.
• relays — A list of mail servers that need to relay mail via this system. This prevents these servers from being blocked by content-based Threat Prevention rules and ReputationAuthority, as well as being reported to ReputationAuthority.

2. Click Add .

3. Enter a Name (this field cannot be left blank, and must consist of only alphanumeric characters), a Description for this address list, and then enter one of the following address types:

• Single IP address, such as 192.168.1.125
• Subnet in CIDR format, such as 192.168.0.1/24 (in CIDR notation this denotes the 192.168.0.0/24 network; the host bits of the example address are not significant)
• Class A, B, or C network with the trailing octets removed, such as 192.168 (equivalent to 192.168.0.0/16)

4. Enter a comment that can be used to further describe the address in this list.

5. Click the Add button to add the address to the list.

6. Click Apply to save the list.

Uploading and downloading addresses

A list of addresses can also be uploaded in one text file. The file must contain comma or tab separated entries in the form:

[address],[description]

For example:

192.168.0.0/16,non-routable

The file (ipcidr.csv) should be created in CSV format using a text editor. It is recommended that you download the current list first by clicking Download File, edit it as required, and upload it using the Upload File button.
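As an added example (not WatchGuard’s code), the following Python reads list files in the [address],[description] format described above, normalizes the three accepted address forms to networks, and classifies a connecting client the way the connection rules script does: a blacklist hit rejects, an internal or mynetworks hit is trusted, anything else continues to the remaining Threat Prevention checks. The sample file contents and the order in which the lists are consulted are constructed for the example; the guide does not state that order.

```python
# Added example, not WatchGuard code: parse IP/CIDR list files in the
# "[address],[description]" format and look up a connecting client against
# the named lists the connection rules script consults.
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Entry = Tuple[ipaddress.IPv4Network, str]

# Constructed sample list files: comma or tab separated, one entry per line.
SAMPLE_FILES: Dict[str, str] = {
    "blacklist": "203.0.113.7,known spam source\n198.51.100.0/24,abusive netblock\n",
    "internal": "192.168,non-routable\n10.0.0.0/8,lab network\n",
    "mynetworks": "192.0.2.0/24\tcorporate DMZ\n",
}


def parse_entry(text: str) -> ipaddress.IPv4Network:
    """Normalize the three address forms the guide accepts to one network:
    a single IP, a subnet in CIDR form, or a classful prefix such as
    192.168 with the trailing octets removed."""
    text = text.strip()
    if "/" in text:
        # strict=True refuses host bits: 192.168.0.1/24 is a typo, not a subnet.
        return ipaddress.IPv4Network(text, strict=True)
    octets = text.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"malformed address {text!r}")
    if len(octets) == 4:
        return ipaddress.IPv4Network(f"{text}/32")
    # Each supplied octet fixes 8 bits of prefix: "192.168" is 192.168.0.0/16.
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.IPv4Network(f"{padded}/{8 * len(octets)}", strict=True)


def validate_entry(text: str) -> Optional[str]:
    """None if the entry is acceptable, otherwise the error text, so a file
    can be checked before it is uploaded."""
    try:
        parse_entry(text)
        return None
    except ValueError as exc:
        return str(exc)


def parse_list(raw: str) -> List[Entry]:
    """Parse one list file; a bad line aborts the file and reports its line number."""
    entries: List[Entry] = []
    for lineno, line in enumerate(raw.splitlines(), 1):
        if not line.strip():
            continue
        parts = re.split(r"[,\t]", line, maxsplit=1)
        description = parts[1].strip() if len(parts) > 1 else ""
        try:
            entries.append((parse_entry(parts[0]), description))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return entries


def load_lists(files: Dict[str, str]) -> Dict[str, List[Entry]]:
    return {name: parse_list(raw) for name, raw in files.items()}


# Assumed lookup order: a blacklist hit wins, then the trusted lists.
LOOKUP_ORDER = ("blacklist", "internal", "mynetworks")


def classify(client_ip: str, lists: Dict[str, List[Entry]]) -> Tuple[str, str]:
    """Return (list name, entry description) for the first matching list."""
    addr = ipaddress.IPv4Address(client_ip)
    for name in LOOKUP_ORDER:
        for net, description in lists.get(name, []):
            if addr in net:
                return name, description
    return "unlisted", ""


def connection_decision(client_ip: str, lists: Dict[str, List[Entry]]) -> str:
    name, _ = classify(client_ip, lists)
    if name == "blacklist":
        return "reject"
    if name in ("internal", "mynetworks"):
        return "trust"
    return "check"  # hand the connection to the remaining Threat Prevention rules


if __name__ == "__main__":
    lists = load_lists(SAMPLE_FILES)
    for ip in ("203.0.113.7", "192.168.5.5", "192.0.2.9", "8.8.8.8"):
        print(ip, classify(ip, lists), connection_decision(ip, lists))
```

Running validate_entry over every line of a downloaded ipcidr.csv before uploading it catches the host-bits mistake and malformed shorthand that would otherwise be rejected, or silently misread, by the appliance.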


Data Groups

The Threat Prevention feature can place IP addresses into Data Groups for a specified period of time and set the response to connection requests for clients falling into these groups. These data groups can be configured to provide a specific action (such as “450 temporary reject” or “550 permanent reject”) and a time period to execute that action.

Data groups differ from IP/CIDR lists because their contents are always changing based on the latest threat prevention data. IP/CIDR lists are used by the administrator to define trusted and blocked lists based on addresses specific to their organization. Data groups build their data from the history of connecting addresses, and assign specific rules and actions to these addresses based on that history.

IP addresses are added to these lists by the Threat Prevention connection rules script if they match a specific behavior. For example, messages from an IP address that indicate harvesting of email addresses will be put into the harvesters list.

When that same IP address tries to connect again after being added to the list, and the group’s action is Reject Mail, the connection is rejected with the reject code configured for that group. For example, the harvesters list rejects with “550 denied due to too many unknown recipients”. No further statistics are gathered on that IP address during this early reject period, and further Threat Prevention rules are not applied. An IP address is released from a data group after a configurable period of time. Data groups can contain tens of thousands of IP addresses.

Data groups with an action of Just Log will pass the request on to the rules processing script. The rules script can then specify its own reject or accept action. If the rules script specifies an accept action, further statistics will be gathered as the mail is received and processed.

Integration with F5 and Cisco devices

The data groups can also be pushed to an F5 or Cisco device. If this feature is configured, any IP addresses that are added to a data group by the connection rules script will be pushed to an F5 or Cisco device and added to a group list of the same name. This allows the F5 or Cisco device to process further connections from the IP address and to act accordingly without the connection reaching the WatchGuard XCS.

Configuring data groups

To configure data groups:

1. Select Security > Anti-Spam > Threat Prevention > Data Groups.


There are five predefined data groups:

• blacklisted — Addresses that have been blocked.


• harvesters — Addresses known to be involved in email address directory harvesting.

• infected — Addresses known to send virus-infected messages.

• spammers — Addresses known to send large amounts of spam.

• tarpit — Group used to temporarily reject connections in order to slow down incoming connections from an address.

2. Select a group to edit its properties, or click the Add button to add a new group.


• Name — Enter a descriptive name for this list. If you are pushing data to an F5 or Cisco device, this list name must match the group name configured on the device.

• Description — Enter a description of this list.

• Action — Action to take if a connecting IP address is listed in this group. Choices are Reject Mail or Just Log.

• Reject Code — If the selected action is Reject Mail, reply to the connection request with this reject code. Choose between “450” (temporary) or “550” (permanent).

• Reject Message — Enter the reason provided to the client for rejecting the connection. This message is only used if the action is set to Reject Mail.

• Entry Duration — Enter the duration (in seconds) for an IP address to remain in this list after it has been placed into this group by a connection rule. This duration only applies to the groups on the WatchGuard XCS and is not pushed to an F5 or Cisco device.

• Maximum Entries — The maximum number of address entries held in the list at one time. This value can range from 0 to 100000. Set to 0 for unlimited. When pushing to a Cisco device, keep this within the number of access list entries the device can hold.

• Push to Cisco Devices — Select the check box to push data to all configured Cisco devices. The list name must be identical to the group name defined on the Cisco device. Only one data group can be assigned to push information to a Cisco device.

• Push to F5 Devices — Select the check box to push data to all configured F5 devices. The group name must be identical to the group name defined on the F5 device.
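As an added example (not WatchGuard’s code) of how the data group settings above and the early-reject behaviour described earlier fit together, the following Python models a group’s Action, Reject Code, Entry Duration and Maximum Entries in memory and replays a short sequence of connections against it. Only the harvesters reply text is quoted from the guide; the other messages, codes and durations in default_groups, and the event format, are assumptions made for the example.

```python
# Added example, not WatchGuard code: a Threat Prevention data group modelled
# in memory so the effect of Action, Reject Code, Entry Duration and Maximum
# Entries on a connecting client can be replayed deterministically.
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class DataGroup:
    name: str
    action: str                  # "reject" (Reject Mail) or "log" (Just Log)
    reject_code: int = 550       # 450 temporary or 550 permanent
    reject_message: str = "denied"
    entry_duration: int = 3600   # seconds an address stays in the group
    max_entries: int = 0         # 0 means unlimited
    entries: Dict[str, float] = field(default_factory=dict)  # ip -> expiry time

    def expire(self, now: float) -> None:
        """Drop addresses whose Entry Duration has elapsed."""
        for ip in [ip for ip, until in self.entries.items() if until <= now]:
            del self.entries[ip]

    def add(self, ip: str, now: float) -> bool:
        """Place an address in the group; False means the group is full."""
        self.expire(now)
        if ip not in self.entries and self.max_entries and len(self.entries) >= self.max_entries:
            return False
        self.entries[ip] = now + self.entry_duration
        return True

    def contains(self, ip: str, now: float) -> bool:
        self.expire(now)
        return ip in self.entries


def on_connect(ip: str, groups: Iterable[DataGroup], now: float) -> Optional[str]:
    """Connection-time decision for a client address.

    A hit in a Reject Mail group returns the SMTP reply to send before any
    further rules run (the early-reject period). A hit only in Just Log
    groups, or no hit at all, returns None: the rules script decides.
    """
    for group in groups:
        if group.action == "reject" and group.contains(ip, now):
            return f"{group.reject_code} {group.reject_message}"
    return None


def default_groups() -> List[DataGroup]:
    """The five predefined groups. Only the harvesters reply is quoted from
    the guide; the other messages, codes and durations are assumptions."""
    return [
        DataGroup("blacklisted", "reject", 550, "client blacklisted", 86400),
        DataGroup("harvesters", "reject", 550, "denied due to too many unknown recipients", 3600),
        DataGroup("infected", "reject", 550, "Infected", 3600),
        DataGroup("spammers", "reject", 550, "Too much spam", 3600),
        DataGroup("tarpit", "reject", 450, "try again later", 600),
    ]


def fill(group: DataGroup, ips: Iterable[str], now: float) -> List[str]:
    """Add addresses in order; return those refused because the group was full."""
    return [ip for ip in ips if not group.add(ip, now)]


Event = Tuple[float, str, str, Optional[str]]  # (time, "hit" or "connect", ip, group name)


def simulate(events: Iterable[Event], groups: Optional[List[DataGroup]] = None) -> List[Optional[str]]:
    """Replay events: a "hit" is the rules script placing ip into a group,
    a "connect" asks what reply that ip gets. Returns one reply per connect."""
    groups = groups if groups is not None else default_groups()
    by_name = {g.name: g for g in groups}
    replies: List[Optional[str]] = []
    for t, kind, ip, name in events:
        if kind == "hit":
            by_name[name].add(ip, t)
        else:
            replies.append(on_connect(ip, groups, t))
    return replies


if __name__ == "__main__":
    # Constructed sequence: a harvester is listed at t=0, rejected at t=10,
    # and released once its entry duration (3600 s) has elapsed.
    print(simulate([(0, "hit", "203.0.113.7", "harvesters"),
                    (10, "connect", "203.0.113.7", None),
                    (3600, "connect", "203.0.113.7", None)]))
```

Time is passed in explicitly rather than read from the clock so the expiry and the Maximum Entries limit can be exercised exactly; a Just Log group never produces a reply here, which is the guide’s point that such a group hands the connection on to the rules script.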


F5 Devices

Administrators can push Threat Prevention information to an existing F5 device. The F5 device can then be configured to rate limit, throttle, or block a given IP address.

The data groups defined with the Threat Prevention feature can be used to populate data groups on the F5 with the same name. For example, IP addresses already defined into a spammers group can be pushed to the same group name on the F5 device, allowing it to manage the response to these addresses. The F5 device will then be responsible for acting on those IP addresses. When an item is removed from a Threat Prevention data group, it is automatically removed from the F5 data group.

Note that the duration period of the IP addresses only applies to the data groups on the WatchGuard XCS. The system pushes updated list information to the F5 every 30 seconds to keep the lists current: any expired IP addresses are removed and any addresses added since the last update are added to the F5 device’s list. The data group is also fully synchronized with the F5 device every hour.

Administrators must then configure iRules on the F5 device to act on the data groups as appropriate. The Threat Prevention feature will not automatically create iRules on the F5 device.

The F5 device must be version 9.0.5 or greater.

To configure an F5 device:

1. Select Security > Anti-Spam > Threat Prevention > F5 Devices.

2. Click Add.

• Name — Enter a descriptive name to refer to this specific F5 device.

• URL — Enter the full URL for the F5 device, such as https://192.168.1.100.

• User Name — Enter a valid user name to log into the F5 device.

• Password — A corresponding password for the user name entered above.

3. Click the Test button to test your connection and login parameters on the F5 device.


Enabling data transfer to an F5 device

The Threat Prevention feature can be configured to push items from its own defined data groups to F5 data groups of the same name on one or more F5 devices.

To enable data to be pushed to the F5 device, make sure that each data group defined on the WatchGuard XCS in Security > Anti-Spam > Threat Prevention > Data Groups has the Push to F5 Devices check box enabled.

Configuring F5 data groups

The data group names defined on the WatchGuard XCS must be manually created on the F5 devices. These groups are not automatically created via the Threat Prevention feature.

On the F5 device, you must create the groups using “external file” address data groups, not address groups. External file address groups can be updated frequently with many IP addresses without affecting F5 performance.

To create groups on the F5 device:

1. Log in to the F5 administration interface.

2. Select Local Traffic > iRules.

3. Click the Data Group List tab.

4. Click Create.

5. Enter the same group name as the data group defined in WatchGuard XCS’s Threat Prevention feature.

6. Select External file (not Address).

A subset of options will appear.


7. Enter the group name and select Address in the File Contents list.


8. Click Finished.

9. Repeat the steps for each data group required.

This procedure must be repeated on each F5 device.

10. Create an iRule for the data group.


11. An iRule for the default set of data groups provided with Threat Prevention would be similar to the following (F5 version 9 syntax, in which a data group is referenced as $::<name> and tested with matchclass):

    when CLIENT_ACCEPTED {
        # Permanent rejections: send the SMTP reply and drop the connection
        # before it reaches the WatchGuard XCS.
        if { [matchclass [IP::remote_addr] equals $::harvesters] } {
            TCP::respond "550 Message Rejected - Too many unknown recipients\r\n"
            drop
        }
        if { [matchclass [IP::remote_addr] equals $::spammers] } {
            TCP::respond "550 Message Rejected - Too much spam\r\n"
            drop
        }
        if { [matchclass [IP::remote_addr] equals $::blacklisted] } {
            TCP::respond "550 Message Rejected - client blacklisted\r\n"
            drop
        }
        if { [matchclass [IP::remote_addr] equals $::infected] } {
            TCP::respond "550 Message Rejected - Infected\r\n"
            drop
        }
        # Tarpitted clients are not refused; they are steered to a pool that
        # is rate shaped to a limited throughput (see step 12).
        if { [matchclass [IP::remote_addr] equals $::tarpit] } {
            pool slow_rateclass
        }
    }

12. Create any rate shaping classes, virtual hosts, pools, and so on, as necessary for normal configuration of an MTA.

In the previous example, a pool called “slow_rateclass” is required that would be configured with rate shaping to allow a limited rate of traffic.

13. Click the Test button in the Security > Anti-Spam > Threat Prevention > F5 Devices menu to verify that you have configured the F5 device correctly in the Threat Prevention feature.

14. The system will attempt to list the contents of the F5 data group.

If successful, the list of IP addresses which have been pushed to the F5 device will be displayed. The test feature will not interrupt mail delivery or communications with the F5 and can be used at any time.

In F5 version 9.0.5, you cannot view the contents of external file data groups from the F5 web interface. Use the Test button in the Threat Prevention menu to view the contents of external file data groups.

WatchGuard XCS and F5 integration notes

Note the following considerations when integrating the WatchGuard XCS and an F5 device:

• The Threat Prevention feature updates continuously but also synchronizes with each F5 data group once an hour to ensure there are no discrepancies.

• If the F5 device does not contain a data group, Threat Prevention will attempt to synchronize with it indefinitely, once every second. It will report the warning once every 30 seconds in the mail logs for this condition.

• If there is a loss of communications between the WatchGuard XCS and the F5 device, the Threat Prevention feature will retry the connection to the F5 up to ten times.

• When using F5 integration with a cluster, only the Primary system’s data groups will get pushed to the F5 device.


Cisco Devices

Administrators can push Threat Prevention information to an existing Cisco device. The system can update the Cisco device with information from one data group. The Cisco device can then be configured to block a given IP address by adding it to an appropriate ACL (Access Control List). When an item is removed from the Threat Prevention list, it is automatically removed from the Cisco IP access list.

The system utilizes the IP named access control list feature to forward information to the Cisco device. Cisco IOS version 11.2 or later is required for WatchGuard XCS and Cisco integration.

To configure a Cisco device:

1. Select Security > Anti-Spam > Threat Prevention > Cisco Devices.

2. Click Add.

• Name — Enter a descriptive name to refer to this specific Cisco device.

• URL — Enter the full telnet URL for the Cisco device, for example telnet://192.168.1.175. Telnet carries the login, the user password, and the enable password in clear text, so this connection should only cross a management network that is isolated from untrusted hosts.

• User Name — Enter a valid user name to log into the Cisco device.

• User Password — A corresponding password for the user name entered above.

• Administrative Password — Enter the administrative (enable) password for this device.

Enabling data transfer to a Cisco device

The Threat Prevention feature can be configured to push items from a defined data group to an IP access list on a Cisco device. To enable data to be pushed to the Cisco device, select a data group defined on the WatchGuard XCS in Security > Anti-Spam > Threat Prevention > Data Groups, and make sure the Push to Cisco Devices check box is enabled.

When using Cisco integration with a cluster, only the Primary system’s data groups will get pushed to the Cisco device.

The Cisco device can only accept one data group. It is recommended that the blacklisted list be used to block clients at the Cisco device.


Note that the duration period of the IP addresses only applies to the data groups on the WatchGuard XCS. The system pushes updated list information to the Cisco device every 30 seconds to keep the list current: any expired IP addresses are removed and any addresses added since the last update are added to the Cisco device’s list. The data group is also fully synchronized with the Cisco device every hour.

For IOS version 12.1 and later, Threat Prevention lists are automatically created on the Cisco device when group information is pushed, however, the IP access group must still be assigned to a specific interface.

Ensure that the Maximum Entries value is customized to the capabilities of your Cisco device. Large values may overrun a Cisco device that can only handle a certain amount of access list entries.

Cisco device configuration

Configure the Cisco device as follows to integrate with the Threat Prevention feature:


1. Log in to the Cisco device with the “enable” privilege.

2. Change to configure mode:

    # configure terminal

3. Change to interface mode (where x/y is the slot and port of the Ethernet interface on which the mail traffic arrives):

    # interface FastEthernet x/y

4. Apply the access list whose name matches the WatchGuard XCS data group to inbound traffic on the interface:

    # ip access-group <access_list_name> in

5. Exit from config-if mode:

    # exit

6. Perform the same steps for each Cisco interface as required.
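As an added example (not WatchGuard’s code) of the access-list side of this integration, the following Python renders the IOS commands that rebuild a named standard ACL from one data group, bounded by the group’s Maximum Entries, and parses show ip access-lists output so the device’s contents can be compared with the data group after a push. The trailing permit any is an assumption: a named ACL ends in an implicit deny-all, and without an explicit permit, applying the ACL inbound would also drop every sender that is not in the group; the guide does not say whether the XCS writes such an entry itself, so check the device after the first push. The sample show output is constructed.

```python
# Added example, not WatchGuard code: build the IOS commands that load one
# data group into a named standard ACL, and check the device afterwards by
# parsing "show ip access-lists <name>" output against the group contents.
import re
from typing import Iterable, List, Tuple

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def acl_commands(acl_name: str, blocked: Iterable[str], max_entries: int = 0) -> List[str]:
    """Commands that replace the named standard ACL with the group's addresses.

    acl_name must equal the data group name. max_entries mirrors the group's
    Maximum Entries setting (0 = unlimited) so that a large group cannot
    overrun a device with limited access list capacity.
    """
    ips = sorted({ip for ip in blocked if re.fullmatch(IPV4, ip)},
                 key=lambda s: tuple(int(o) for o in s.split(".")))
    if max_entries and len(ips) > max_entries:
        ips = ips[:max_entries]
    cmds = [
        "configure terminal",
        f"no ip access-list standard {acl_name}",   # start from an empty list
        f"ip access-list standard {acl_name}",
    ]
    cmds += [f" deny {ip}" for ip in ips]           # one host entry per address
    # Assumption: a named ACL ends in an implicit deny-all, so an explicit
    # permit closes the list; without it, applying the ACL inbound would also
    # block every sender that is not in the data group.
    cmds.append(" permit any")
    cmds += ["exit", "end"]
    return cmds


def parse_show_access_list(output: str) -> Tuple[List[str], bool]:
    """Return (denied host addresses, whether a 'permit any' entry exists)."""
    denied: List[str] = []
    permit_any = False
    for line in output.splitlines():
        deny = re.match(rf"^\s*(?:\d+\s+)?deny\s+({IPV4})\b", line)
        if deny:
            denied.append(deny.group(1))
        elif re.match(r"^\s*(?:\d+\s+)?permit\s+any\b", line):
            permit_any = True
    return denied, permit_any


def acl_drift(output: str, expected: Iterable[str]) -> Tuple[List[str], List[str]]:
    """(addresses missing from the device, addresses on the device but not in the group)."""
    on_device, _ = parse_show_access_list(output)
    want, have = set(expected), set(on_device)
    return sorted(want - have), sorted(have - want)


# Constructed sample of "show ip access-lists blacklisted" output; sequence
# numbers and match counters vary between IOS releases.
SAMPLE_SHOW = """Standard IP access list blacklisted
    10 deny   203.0.113.7 (12 matches)
    20 deny   198.51.100.4
    30 permit any (5310 matches)
"""

if __name__ == "__main__":
    group = ["203.0.113.7", "198.51.100.9"]
    print("\n".join(acl_commands("blacklisted", group, max_entries=100)))
    print("missing/unexpected:", acl_drift(SAMPLE_SHOW, group))
```

Comparing acl_drift output with the Test button’s view of the data group is a quick way to confirm that the 30-second push and the hourly full synchronization are reaching the device and that nothing has been left behind in the ACL.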


Threat Prevention Status

The Threat Prevention Status screen displays the current state of the threat prevention feature and provides information on the current number of items in each specified list, such as the number of addresses listed as spammers .

Select Activity > Status > Threat Prevention from the menu to view the current threat status.

A summary of the entire threat prevention database is displayed, including the following:

• Number of IPs in the Threat Prevention database

• Number of open connections and open connections in a DNSBL

• The number of items in each defined data group, such as tarpit, harvesters, spammers, infected, and blacklisted.

Administrators can search for the state of a specific IP address by entering it in the search field. A new table will appear for that specific IP address, displaying statistics on the number of messages from that IP address during a time period and the types of messages received.

To reset the status data and clear the Threat Prevention database, click Reset Threat Prevention History.


14

Clustering

Clustering Overview

Clustering provides a highly scalable, redundant messaging security infrastructure that enables two or more WatchGuard XCS systems to act as a single logical unit for processing messages while providing redundancy and high availability benefits.

There is no theoretical limit to the size of the cluster, and systems can be easily added to the cluster to increase processing and high-availability capabilities. Clustering ensures that the flow of traffic is not interrupted due to individual system failures.

A cluster can be managed from any single system in the cluster without the need for a separate management console, and all systems in the cluster can process messages. Any configuration changes, such as Anti-Spam and Policies, will be propagated to all systems in the cluster.

Cluster architecture

The WatchGuard XCS systems participating in the cluster will be grouped together by connecting an unused network interface to a separate network called the cluster network. The cluster network is a dedicated subnet that should be physically secure. The systems will communicate clustering information with each other via this network. Systems can be added or removed from the cluster network without interruption to message processing.

Cluster members must be connected together on the same network.


The WatchGuard XCS’s clustering architecture is illustrated in the following diagram.

The WatchGuard XCS can operate in one of four different modes in a cluster:

• Primary — This system will be the primary master system for the cluster. All configuration will be performed via this system. Other systems in the cluster will pull configuration changes from the Primary system automatically when these changes are applied.

• Secondary — A system running in Secondary mode operates the same way as a Client cluster member except that it retains a copy of the master database replicated from the Primary system. In the event the Primary cluster member fails, the Secondary system can be promoted to Primary status.

• Client — A system running in Client mode will pull its configuration from an existing Primary system. After initial setup, no configuration is required on the Client system. A Client system can be promoted to a Secondary system. Unlike a Primary or Secondary system, a client does not contain a copy of the full configuration database.

• Standalone — The system initially installs in Standalone mode. In this mode, the system does not participate as part of the cluster and will not pull configuration updates, but will still be able to process mail. This mode is primarily used to remove a cluster member for offline maintenance or software updates.

Load balancing

Although the cluster will be treated as one logical system for processing messages, network traffic is processed independently by each cluster system and requires the use of a load balancing system to distribute mail flow between the systems in the cluster.

Email load balancing via DNS

A DNS round-robin technique can be used to distribute incoming SMTP mail connections across the systems in the cluster, as shown in the following example DNS MX records:

    example.com    IN MX 10 mail1.example.com
    example.com    IN MX 10 mail2.example.com

Priority can be given to specific servers by configuring different preference values; sending mail servers try the record with the lowest value first. For example:

    example.com    IN MX 5  mail1.example.com
    example.com    IN MX 10 mail2.example.com

MX records direct SMTP traffic only. Distributing other types of network traffic (such as HTTP) across cluster members cannot be done with this technique and requires a load balancing device.


Traffic load balancing using a load balancing device

A hardware load balancing device can also be used to send messages to different systems in a cluster. If one of the systems fails, the load balancer will distribute the load between the remaining systems. The load balancer can be configured to distribute the mail stream connections intelligently across all systems in the cluster using techniques such as distribution by system load and availability.

External load balancing devices are mandatory if an organization needs to route specific traffic (such as SMTP and HTTP) through specific hosts in the cluster. For example, SMTP mail can be processed by two cluster systems, while HTTP is handled by two different systems. The load balancer can be configured to route protocol-specific traffic as required.

Configure Clustering

The following sections describe how to install and configure a cluster:

1. Hardware and Licensing — Ensure that all systems are running the same hardware and are running the identical, licensed versions of software.

2. Cluster Network Configuration — Configure a network interface on each system for clustering.

3. Select a Cluster Mode — For each system in the cluster, you must choose a mode for the system to run in (Primary, Secondary, Client, Standalone). The first system should be the Primary, the second Secondary, and other systems Secondary or Client.

Hardware and licensing

All cluster systems must be the same level of hardware, be properly licensed, and be running the identical version of software (including patches and updates). Any feature key discrepancies will be displayed in the Cluster Activity screen.

Cluster systems should be new installations with no changes to the default configuration. When a system is connected to the cluster, it receives its configuration from the Primary system.

Cluster network configuration

The following instructions describe how to configure the network settings for two systems in a cluster.

1. Connect an unused network interface from each system in the cluster to a common network switch, or connect each interface with a crossover network cable. This will form the cluster network, a control network where clustering information will be passed back and forth between the systems that form the cluster.

For security reasons, this network should be isolated and not be connected to the main network. For a cluster of two systems, a crossover network cable can be connected between the selected interfaces providing a secure connection without the need for a switch.

2. On each system, select Configuration > Network > Interfaces.

3. In the Clustering section of the Network Settings screen, select the Enable Clustering check box.


4. Select the network interface that is connected to the cluster network.

This interface should not be configured with an IP address. The interface will be automatically configured for exclusive use on the cluster network.

5. Make sure that an NTP time server is configured on each system (preferably more than one NTP server for redundancy).

Clustering cannot be enabled until an NTP server is configured. The time server is used to ensure that all cluster systems are synchronized from a common time source.

6. Click Apply .

The system must be rebooted after making changes to the networking configuration.

Select a cluster mode

When the system reboots, you must select a mode for this system within the cluster. Initially, the system will start in Standalone mode. The first system set up in the cluster should be designated as the Primary system.

1. Select Activity > Status > Cluster Activity .


2. Select Primary in the Local Runmode drop-down selection.

3. Click Switch to switch to the selected Primary mode.

For your other cluster systems, you will need to configure at least one system as the Secondary system, while any other systems can be configured as a Secondary or Client. When systems are added to a cluster, the configuration of the Primary system is replicated automatically to the new cluster member.

4. When finished configuring all of your clustered systems, the Cluster Activity screen will show the mode and status of the other members of the cluster.


Cluster Management

All cluster configuration can be performed from the Primary system. When a system is added to the cluster for the first time, the configuration of the Primary system will be replicated to the new cluster member, except the following items:

• Unique networking settings such as host name and IP address, and network interface specific settings

• Performance settings and SSL certificates

• Local users

• Secure WebMail configuration (in a clustered environment, the Secure WebMail proxy can only be enabled on the Primary system in the cluster)

• System reporting information and logs

• Token analysis databases

• Web Proxy PAC files

• Vacation notifications

• User Spam Quarantine

Any changes to the configuration of the Primary system will result in a broadcast notifying the other members of the cluster that a change has been made. The other systems in the cluster will then pull the updated configuration from the Primary.

Cluster activity

When a system is operating as part of a cluster, the Cluster Activity screen displays processing statistics for the entire cluster.

Select Activity > Status > Local Activity to see the statistics for this specific system only.


Mail statistics

The following describes the queue statistics columns for email:

• Arrived — The total number of messages processed by the cluster (messages accepted). These include messages that were spam, viruses, content filtered, and so on.

• Sent — The total number of messages sent by the cluster, including mailer daemon mail, quarantine notifications, mail delivery delay notifications, local mail, alarms, and reports. If a message has multiple recipients, each delivered recipient will be added to the total.

• Spam — The total number of messages classified as spam by Intercept for the cluster, including Certainly Spam, Probably Spam, and Maybe Spam. This also includes spam messages that were rejected. This category also depends on the Spam logging configuration in Configuration > Miscellaneous > Reports. The spam action of Just Log will be counted in the total if enabled in the spam logging configuration.

• Reject — The total number of messages rejected because of the following:

  • Reject on unknown sender domain
  • Reject on missing sender MX
  • Reject on non FQDN sender
  • Reject on unauth pipelining
  • Reject on Unknown Recipient
  • Relay Access Denied
  • Threat Prevention Reject
  • ReputationAuthority Reject (Reputation, Infected, Dial-up)
  • DNS Block List Reject
  • Specific Access Pattern Reject
  • Pattern Filter Reject
  • Anti-Spam Reject (also included in the Anti-Spam statistics column)
  • Anti-Virus Reject (also included in the Anti-Virus statistics column)
  • Attachment Control Reject
  • Objectionable Content Filter Reject
  • Content Scanning Reject

• Virus — The total number of messages that contained a virus. This also includes virus messages that were rejected.

• Spyware — The total number of messages that contained spyware. This also includes spyware messages that were rejected.

• Clean — The total number of messages that were accepted for delivery inbound and outbound by the system and passed all security and spam/content filters. This includes messages that have been detected by these features but have an action of Just Log.

HTTP statistics

The following describes the statistics columns for the HTTP Proxy:

• HTTP Requests — The total number of incoming and outgoing HTTP requests.

• Reject — The total number of web requests rejected due to threat and content control scanners.

• Virus — The total number of requests that contained a virus.

• Spyware — The total number of requests that contained spyware.


The following describes the information provided in the Servers section of the Cluster Activity screen:

• Host — Indicates the host name of the cluster system.

• Mode — Indicates which cluster mode the specific host is running in, such as Primary, Secondary, or Client.

• License — All cluster systems must have the same licensed features. This column indicates if the licensing is “OK” for this cluster system, or shows “Mismatch” if the licenses on this host do not match the rest of the cluster systems.

• Status — Indicates if the cluster system is currently “Running” and processing messages or “Stopped”.

• Uptime — Indicates how long this cluster system has been running since its last reboot.

• Load Averages — Indicates CPU load for this cluster system over 1 minute, 5 minutes, and 15 minutes.

• Queued — Indicates how many messages are currently in the Mail Queue waiting to be delivered. These messages can be viewed and managed via Activity > Queue/Quarantine > Mail Queue.

• Deferred — Indicates the number of messages that have had their delivery deferred due to unavailability of the destination mail server. The system will attempt to deliver these messages at a later time.

• Total — The total of all messages that are queued for delivery or deferred on this cluster system.

Stop and start messaging queues

On a cluster system, clicking the Stop or Start messaging button affects message processing on all systems in the cluster. To stop or start messaging on an individual cluster system only, change that system’s run mode to Standalone, and then click the Stop or Start messaging button as appropriate.

The main menu is only fully available on the Primary system. Secondary and Client systems show only a subset of options because most of the configuration is replicated from the Primary.

Changing cluster run modes

If you need to change the mode of a cluster member, log in to the system you want to modify, and select a different mode from the drop-down box on the Cluster Activity screen and click Switch .

For example, in the event of a failure to the Primary system, an administrator can log in to the Secondary system and change its mode to Primary. A Client mode system must be promoted to a Secondary system first before it can be promoted to a Primary system. This is because a Client system, unlike a Secondary, does not contain a copy of the Primary’s system database.

The Standalone mode is primarily used to perform maintenance (such as software updates) on a cluster system. Switching the system to Standalone will remove it from the cluster, and it will not pull any more configuration updates from the Primary. The Standalone system, however, will still process messages.


Cluster system maintenance

The Standalone cluster mode is used when an administrator needs to perform maintenance on a system, such as updating licenses, making hardware modifications, and troubleshooting. In Standalone mode, this system will still process messages, but will not receive configuration updates. This prevents configuration misalignment between systems with different software versions or licensed features.

It is critical that a cluster system be set to Standalone mode when performing any license changes or software updates.

When the system maintenance has been performed (and the system rebooted, if required), the administrator can set the mode of the system back to its original state. The system will continue to process mail and configuration replication will resume.

A Client system does not contain a copy of the configuration database as does a Primary or Secondary system.

When switching between Client and Standalone modes, this may result in the configuration in the user interface of the Standalone system not reflecting its actual configuration as a Client system in the cluster. To make sure a Client has the latest configuration changes, before setting it to be a Standalone system, set its mode to Secondary and wait 15 minutes before changing its mode to Standalone.

Updating cluster systems

For example, in a two-system cluster consisting of a Primary and a Secondary, perform a system update (such as a software or license update) as follows:

1. On the Secondary system, change the run mode to Standalone mode.

2. Install the update on the Secondary system.

3. Reboot the Secondary system.

4. Change the run mode of the Primary system to Standalone mode.

5. Install the update on the Primary system.

6. Reboot the Primary system.

7. Change the run mode of the Primary system from Standalone back to Primary mode.

8. Change the run mode of the Secondary system from Standalone back to Secondary mode.

This procedure makes sure that while the systems are updated, there are no configuration changes to the cluster. If you have additional Secondary and Client systems, they should all be updated before updating the Primary.
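The update order above can be written down as a small planner that generates the runbook for any mix of Secondary and Client members and then replays it against the rules in this chapter (Standalone before update, Primary last, a Client synced as a Secondary for 15 minutes before it leaves the cluster). This is an added example for this guide, not WatchGuard code; the host names and the wording of the actions are assumptions.

```python
"""Plan and check a cluster update in the order the guide prescribes.

Added example for this guide, not WatchGuard code. It models the rules
stated in the clustering chapter:
  - a member is switched to Standalone before it is updated and returned
    to its original mode afterwards;
  - all Secondary and Client members are updated before the Primary;
  - a Client holds no copy of the configuration database, so it is set to
    Secondary and left for 15 minutes to pull the configuration before it
    is switched to Standalone;
  - the Primary returns to Primary mode before the other members return
    to their modes, so replication resumes from an updated Primary.
Host names and the text of each action are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

PRIMARY, SECONDARY, CLIENT, STANDALONE = "Primary", "Secondary", "Client", "Standalone"
CLIENT_SYNC_WAIT_MINUTES = 15  # wait period given in the guide


@dataclass(frozen=True)
class Member:
    host: str
    mode: str  # Primary, Secondary or Client


Step = Tuple[str, str]  # (host, action)


def plan_update(members: List[Member]) -> List[Step]:
    """Return the ordered runbook for updating every member of the cluster."""
    primaries = [m for m in members if m.mode == PRIMARY]
    if len(primaries) != 1:
        raise ValueError("a cluster must have exactly one Primary")
    primary = primaries[0]
    others = [m for m in members if m.mode in (SECONDARY, CLIENT)]
    if len(others) + 1 != len(members):
        raise ValueError("members must be Primary, Secondary or Client")

    steps: List[Step] = []
    for m in others:                       # Secondary and Client members first
        if m.mode == CLIENT:               # Client: sync as Secondary before leaving the cluster
            steps.append((m.host, f"set mode {SECONDARY}"))
            steps.append((m.host, f"wait {CLIENT_SYNC_WAIT_MINUTES} min for configuration pull"))
        steps += [(m.host, f"set mode {STANDALONE}"), (m.host, "install update"), (m.host, "reboot")]
    steps += [(primary.host, f"set mode {STANDALONE}"),   # Primary last
              (primary.host, "install update"),
              (primary.host, "reboot"),
              (primary.host, f"set mode {PRIMARY}")]
    for m in others:                       # rejoin the cluster in the original modes
        steps.append((m.host, f"set mode {m.mode}"))
    return steps


def check_plan(members: List[Member], steps: List[Step]) -> bool:
    """Replay a runbook against a simple model and raise if an invariant breaks."""
    original: Dict[str, str] = {m.host: m.mode for m in members}
    mode = dict(original)
    synced, updated = set(), set()
    for host, action in steps:
        if action.startswith("wait "):
            if mode[host] != SECONDARY:
                raise AssertionError(f"{host} waited in {mode[host]} mode, not Secondary")
            synced.add(host)
        elif action.startswith("set mode "):
            new = action.split(" ", 2)[2]
            if new == STANDALONE and original[host] == CLIENT and host not in synced:
                raise AssertionError(f"Client {host} set to Standalone without a Secondary sync")
            mode[host] = new
        elif action == "install update":
            if mode[host] != STANDALONE:
                raise AssertionError(f"{host} updated while in {mode[host]} mode")
            if original[host] == PRIMARY:
                pending = sorted(h for h, md in original.items() if md != PRIMARY and h not in updated)
                if pending:
                    raise AssertionError(f"Primary updated before {pending}")
            updated.add(host)
        elif action != "reboot":
            raise AssertionError(f"unknown action {action!r}")
    if mode != original:
        raise AssertionError("not every member was returned to its original mode")
    if updated != set(original):
        raise AssertionError("not every member was updated")
    return True


if __name__ == "__main__":
    # Constructed sample cluster: one Primary, one Secondary, one Client.
    cluster = [Member("xcs-1", PRIMARY), Member("xcs-2", SECONDARY), Member("xcs-3", CLIENT)]
    runbook = plan_update(cluster)
    check_plan(cluster, runbook)
    for n, (host, action) in enumerate(runbook, 1):
        print(f"{n:2d}. {host}: {action}")
```

The checker is deliberately separate from the planner: it can be run over a hand-written runbook as well, and it rejects one that updates the Primary before the other members or takes a Client straight to Standalone.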

Cluster reporting and message history

In clustered environments, reports will generate information aggregated for the entire cluster. System and Resource reports will display information for each host in the cluster. The message database can also be searched on a single system or on the entire cluster. The history and status of any message can be instantly retrieved regardless of which system processed the message.

Cluster system failures

If a system in a cluster fails, all traffic will still be processed by the remaining cluster systems. If you use load balancing devices or DNS round-robin techniques in your environment, traffic will be routed to the other systems in the cluster. In the event of a failure of the Primary system, all traffic will still be processed by the remaining systems, but the administrator will not be able to make configuration changes to the cluster. A Secondary system must be promoted to Primary status to allow further configuration changes to the cluster.


Backup and restore in a cluster

In a cluster, all Secondary and Client cluster members pull their system configuration directly from the Primary system, and it is critical that the Primary system be fully backed up to preserve your cluster configuration.

Secondary and Client systems should also be backed up if you want to retain their mail queues, quarantined messages, and any reporting data.

Recovering a primary cluster system

In the event a Primary system fails, you must promote an existing Secondary system to Primary. When the issue with your original Primary is resolved, it should be restored (including any mail queues, quarantined messages, and reporting data) and reinserted into the cluster as a Secondary system. Operating as the Secondary, this system will pull an updated cluster configuration from the Primary. If required, this system can be promoted back to its original Primary mode.

Recovering a Secondary and Client cluster system

If a cluster member that is a Secondary or Client system fails and cannot be recovered, it should be reinstalled and inserted back into the cluster in its original cluster mode (Secondary or Client), where it will pull its configuration information from the Primary system. Configuration items specific to this cluster system, such as network settings, SSL certificates, performance settings, and SNMP configuration, must be reconfigured manually.

If you have backed up mail queues, quarantined messages, and reporting data for these systems, they can be restored individually without restoring the system configuration from backup.

Threat prevention and clustering

When using Threat Prevention features in a clustered environment, you only need to configure Threat Prevention on the Primary system of the cluster.

Threat Prevention decisions are based on per system statistics, not on statistics for the entire cluster.

The Primary system will also be the only point of contact between the cluster and any configured load balancing devices. If you demote a Primary system, and promote a Secondary cluster system to be Primary, the cluster switches control and resynchronizes to the load balancing device. Threat Prevention will still run independently on each system in the cluster, but only the Primary will push data to the external devices. See “Threat Prevention” on page 307 for more detailed information.

Clustering and centralized management

Clusters are used for high availability and load balancing of messages for a single site, and are typically comprised of systems with identical configurations. Centralized Management allows administrators to monitor and manage multiple clusters and independent systems for an entire organization, including those with unique configuration settings.

Centralized Management is a separate function from clustering; however, it is a complementary feature, especially for environments where individual systems and clusters are located in different geographical locations or require unique configurations.

See “Centralized Management” on page 341 for more detailed information.


15 Centralized Management

About Centralized Management

Centralized Management allows administrators to efficiently monitor and manage several WatchGuard XCS systems that are running independently or as part of a cluster, via a single management system. In large enterprise networks, there may be several WatchGuard XCS systems operating as clustered or non-clustered systems that are located in geographically distant locations. Each of these systems may have several shared configuration parameters and also require unique configurations for their particular location.

A set of clustered or non-clustered systems that are monitored and managed by Centralized Management is called a Federation. Each system within the Federation is called an Entity. The Manager system acts as the single point of management and provides the ability to add clustered and non-clustered Entities to the Federation.


All communication between the Manager and Entity systems in a Federation is secured, so that traffic between systems cannot be intercepted or decoded by third parties. Control messages between systems are authenticated to ensure that they originate from authorized members of the Federation.

Centralized Management and Clustering

Centralized Management is a separate function from clustering; however, it is a complementary feature, especially for environments where individual systems and clusters are located in different geographical locations or require unique configurations.

Clusters are used for high availability and load balancing of messages for a single site, and typically include systems with identical configurations. Centralized Management allows administrators to monitor and manage multiple clusters and independent systems with unique configurations for an entire organization.

Centralized Management allows administrators to treat each cluster as a single Entity within the Federation.

Only the Primary system of each cluster is added to the Centralized Management Federation. If the administrator synchronizes a configuration to the Primary of the cluster, the clustering configuration replication process will apply the configuration to the other systems (such as Secondary and Clients) in the cluster. For a Manager system, the Secondary system in the cluster can take over as the Manager system if the Primary is unavailable.

Centralized Management features

Centralized Management provides the following features and benefits:

• Allows a Manager system and Entity systems (including clustered and non-clustered systems) to be grouped into a single Centralized Management Federation.

• Allows the administrator to monitor the activity and status of all Entities in the Federation from the Manager system.

• Allows the administrator to define a global configuration set that can be applied to all Entities in a Federation (including independent systems and clusters). Most aspects of the system configuration are available for distribution, including message delivery settings, policies, policy mappings, and mail routes.

• Entities can modify the local configuration as required for unique local requirements.

• Reports from all Entities in the Federation can be viewed from the Manager system.

• The Message History of all Entities in the Federation can be searched and viewed from the Manager system.


Deployment

Centralized Management can be deployed on any type of WatchGuard XCS system including clustered and non-clustered systems. The system running as the Manager can still process messages and perform security processing independently or as part of an existing cluster.

Centralized Management in a Cluster

In this deployment, the Centralized Management Manager runs on the Primary system of a cluster at the main organizational site. In this configuration, the Secondary cluster system can take over as the Manager system if the Primary is not available.

The Manager system can monitor and manage other Entities in the Federation, including entire clusters (Site B) or independent non-clustered systems (Site C).

When adding a cluster to a Federation, you only need to add the Primary system for that cluster. All configuration items that are synchronized from a Configuration Set to the Primary will be automatically replicated to the Secondary and Client systems via the clustering configuration replication process.


Centralized Management on a non-Clustered system

The Manager system can also be deployed on an independent non-clustered system while managing both clustered (Site B), and non-clustered sites (Site C) in other locations.

Networking ports and addresses

Centralized Management uses TCP port 10106 to communicate between systems in the Federation. If the systems are located behind a network firewall, this port must be opened inbound and outbound on the firewall. Restrict the rule to the addresses of the Manager and Entity systems rather than opening the port to all sources.

If the systems are behind NAT (Network Address Translation), specify the Entities and the Manager by the public address of the NAT device (for example, the firewall). This is configured during the Entity configuration process when Entities are added to the Manager system.


Create a Centralized Management Federation

Configuring Centralized Management requires the following steps:

1. Enable Centralized Management on the Manager system.

2. Enable Centralized Management on the Entity systems.

3. Add the Entities to the Manager system.

Enable Centralized Management on the Manager system

Enable Centralized Management and configure the Manager system as follows:

1. Log in to the Manager system.

2. Select Configuration > Network > Interfaces .

3. Select the Centralized Management check box for the required interface.


4. Click Apply to save the configuration.

The system must be restarted for the configuration to take effect.

5. Restart the system and log in again.

6. Select Administration > Multi-System Management > Centralized Management > Configure .


7. Select the Enable Centralized Management check box.

8. Select the Manager mode.

This system will act as the single point of management for a Centralized Management Federation of Entities.

9. Enter a unique Name to identify this system in the CM Federation.

The default is the system hostname.

10. Click Finished .


11. Click the Show Advanced Options button to display the key used by this Manager system to authenticate to other Entities in the Federation.

If automatic key exchange is used (the default), no additional configuration is required. If manual key exchange is used, this Manager key must be copied manually to each Entity in the Federation.

Configure Manager Systems in a Cluster

If the Manager system is configured in a cluster, the Manager mode should be enabled on the Primary system.

The Secondary system in the cluster must also be enabled as a Manager system in Centralized Management.

This ensures that the Secondary system in the cluster can take over as the Manager system if the Primary is unavailable.

All systems should be switched to Standalone mode before configuring and licensing Centralized Management.

The Secondary system should be configured first as follows:

1. Log in to the cluster Secondary system.

2. Change the cluster mode to Standalone mode.

3. Select Configuration > Network > Interfaces .

4. Select the Centralized Management check box for the required interface.

5. Click Apply to save the configuration.

The system must be restarted for the configuration to take effect.

6. Restart the system and log in again.

7. Select Administration > Multi-System Management > Centralized Management > Configure .


8. Select the Enable Centralized Management check box.

9. Select the Manager mode.

This Secondary system will become the Manager system if the Primary Manager system is not available.

10. Enter a unique Name to identify this system in the CM Federation.

The default is the system hostname.

11. Click Finished .

To configure the Primary cluster Manager:

1. Log in to the Primary cluster Manager system.

2. Change the cluster mode to Standalone mode.

3. Select Configuration > Network > Interfaces .

4. Select the Centralized Management check box for the required interface.

5. Click Apply to save the configuration.

The system must be restarted for the configuration to take effect.


6. Restart the system and log in again.

7. Select Administration > Multi-System Management > Centralized Management > Configure .

8. Select the Enable Centralized Management check box.

9. Select the Manager mode.

This system will act as the single point of management for a Centralized Management Federation of Entities.

10. Enter a unique Name to identify this system in the CM Federation.

The default is the system hostname.

11. Click Finished .

Now you must switch both systems back to their respective Cluster mode. This ensures that the systems are properly configured and licensed as Centralized Management Managers before the systems are clustered together and Entities are added to the Federation.

1. Log in to the Primary system and change the cluster mode of the Primary system from Standalone mode to Primary mode.

2. Log in to the Secondary system and change the cluster mode of the Secondary system from Standalone mode to Secondary mode.

After the cluster mode is changed, the Centralized Management menu items will no longer appear on the Secondary. Any Centralized Management configuration performed on the Primary will automatically be replicated to the Secondary via clustering.

3. On the Primary system, select Administration > Multi-System Management > Centralized Management > Configure .

4. Select the hostname of the Secondary system in the cluster and click Finished .

This system will become the Manager system if the Primary becomes unavailable.

The cluster Manager setup is now complete. Proceed to the next section to add Entity systems to the Federation.


Enable Centralized Management on Entity systems

To enable Centralized Management on each Entity system in the Federation:

1. Log in to the Entity system.

2. Select Configuration > Network > Interfaces .

3. Select the Centralized Management check box for the required interface.

4. Click Apply to save the configuration.

The system must be restarted for the configuration to take effect.

5. Restart the system and log in again.

6. Select Administration > Multi-System Management > Centralized Management > Configure .

7. Select the Enable Centralized Management check box.


8. Select the Entity mode.

This system will act as an Entity in a Centralized Management Federation. The system can be monitored and managed via the system running in Manager mode. If this Entity system is used in a cluster, select the Secondary address from the drop-down list. The Secondary will take over for the Primary Entity if it is unavailable.

Other systems in the cluster (such as Secondary and Client systems) do not require Centralized Management to be enabled. They will receive their CM configuration from the Primary Entity in the cluster.

9. Enter a unique Name to identify this system in the CM Federation.

The default is the system hostname.

10. Click Finished .

To add the Entity to the Centralized Management Federation, the system must be added to the Entity configuration on the Manager, as detailed in the next section, “Adding Entities to a Federation via the Manager system” on page 349.


11. Click Show Advanced Options to reveal the configuration items for manual key exchange between the Manager and Entity systems.

The Manager and Entity systems in the Federation use automatic key exchange by default to authenticate to each other. Manual key exchange allows the administrator to manually copy the key values between the Manager and Entity systems to aid in troubleshooting key exchange issues.

• Enable Manual Key Exchange — Select the check box to enable manual key exchange.

• Primary Key — This is a static value that displays the key for this specific system. This Entity’s key will be copied to the Manager system.

• Manager Name — Enter the name of the Manager system.

• Primary Manager IP — Enter the IP address of the Primary Manager system.

• Primary Manager Key — Copy the key from the Primary Manager system and insert it into the text box.

• Secondary Manager IP — If the Manager system is clustered, enter the IP address of the Secondary system that will take over as the Manager system if the Primary is not available.

• Secondary Manager Key — Copy the key from the Secondary Manager system and insert it in the text box.

Adding Entities to a Federation via the Manager system

Use the following procedure to add new Entities to the Centralized Management Federation. Adding an Entity to the Manager triggers the connection to the Entity and adds it to the Federation.

Entities must have Centralized Management enabled and be initialized before you add them to the Federation via the Manager system. If Centralized Management is enabled on an Entity after it has been added to the Federation, it must be added on the Manager system again.

1. Log in to the Manager system.

2. Select Administration > Multi-System Management > Centralized Management > Entities .


3. Click Create New Entity .

4. Enter the Primary Entity Address .

If the Entity is located behind a NAT device such as a network firewall, enter the public address of the NAT device.

5. Enter the Secondary Entity Address if the Entity is clustered.

6. Enter the Primary Entity Username .

This is the administrative user for this system.

7. Enter the Primary Entity Password for the administrative user.

8. Select the Primary Manager Address from the drop-down list.

This is the IP address of the Manager system in the Federation. If Centralized Management is used in a cluster, select the Secondary Manager address from the drop-down list. If the Manager is located behind a NAT device such as a network firewall, select Specify from the drop-down list and enter the public address of the NAT device.

9. Click Apply .

10. Click Finished to save the configuration and return to the previous screen.

11. Click Show Advanced Options to reveal the configuration items for manual key exchange. Manual key exchange allows the administrator to manually copy the key values between the Manager and Entity systems to aid in troubleshooting key exchange issues.

• Enable Manual Key Exchange — Select the check box to enable manual key exchange.

• Entity Name — Enter the name of the Entity system.

• Primary Entity Key — Copy the key from the Primary Entity system and insert it in the text box.

• Secondary Entity Key — If this Entity is configured in a cluster, copy the key from the Secondary Entity system and insert it in the text box.


Configuration Sets

Centralized Management allows administrators to create a global configuration set and apply it to the systems participating in the Centralized Management Federation.

The configuration set includes most aspects of the system configuration that can be distributed to Entities in the Federation, including message delivery settings, policies, policy mappings, and mail routes. Items unique to each system, such as the network configuration, are not included.

Only one global configuration set can be created and applied at any one time.

When the configuration set is synchronized with the Federation for the first time, the configuration set replaces the current local configuration on all Entities in the Federation. Administrators of the Entity systems can modify their local configuration as required to allow for any unique local requirements. Any subsequent configuration sets applied to the Entity will only override local values that have not been modified.

Local Entity settings can be purged and replaced by the global configuration set using the Purge Local Settings link in the menu bar.

Configuration Set Features

The following WatchGuard XCS features can be customized and replicated using a configuration set:

Category: Configuration
    Directory Servers and Users
    LDAP Aliases, Mapping, Recipients, Relay, Routing
    Alarms
    Customization
    SNMP
    External proxy server

Category: Mail
    Mail Access
    Mail Delivery
    Aliases
    Routing
    Mapping
    Virtual Mapping
    Archiving
    DomainKeys
    External Encryption
    Email Encryption
    TLS Encryption

Category: Web Proxy
    HTTP/HTTPS Proxy Server
    URL Categorization


Category: Intercept
    Intercept Settings
    Connection Control
    Threat Prevention
    Anti-Spam
    Anti-Virus and Spyware
    Outbreak Control
    Malformed Mail

Category: Content Control
    Attachment Control
    Content Control
    Content Scanning
    Document Fingerprinting
    Objectionable Content Filter
    Pattern Filters
    Content Rules
    Dictionaries and Lists

Category: Policy
    Policies (policies are accepted as a whole; individual parts of a policy cannot be overridden locally)
    User, Group, and Domain Policies

Category: User Accounts
    Mirror Accounts
    Trusted/Blocked Senders
    User Spam Quarantine
    Remote Authentication

Category: Reports
    Reports
    Reports and Logging configuration


The following WatchGuard XCS features are unique to a specific host system and cannot be replicated using a configuration set:

Category: Configuration
    Network Settings
    Virtual Interfaces
    Performance Settings
    Static Routes
    Web Server
    Queue Replication

Category: Intercept
    Token Analysis Advanced Settings

Category: User Accounts
    Admin Account
    Local Accounts
    Relocated Users
    POP3 & IMAP
    SecurID

Category: Management
    Backup & Restore (backup target names must include a variable that expands to the hostname, such as %q, so that each system writes to its own target)
    Daily Backup

Category: Web Proxy
    Proxy Auto Configuration

Create a configuration set

To create a Centralized Management configuration set:

1. Log in to the Manager system.

2. Select Administration > Multi-System Management > Centralized Management > Configuration Set .

3. Click Create New Configuration Set or click the Configure link to edit an existing configuration set.


4. Enter a name and description for this configuration set, and then click Finished .

The name “Global” is reserved and cannot be used, because “Global” is the name under which the synchronized configuration set appears on every Entity system.


Define a configuration set

To select and define a configuration set:

1. Log in to the Manager system.

2. Select the configuration set to load from the drop-down list in the top-left corner of the screen, such as ConfigSet .

The initial context in this drop-down list is “This Machine”, which indicates the current local configuration of this system. When a configuration set has been selected, the display indicates which configuration set is currently loaded.


When a configuration set has been loaded on the Manager system, the administrator can customize the configuration as required using the displayed menu items. This configuration will only be saved for this specific configuration set. Only a subset of the main menu will be displayed. This menu displays only configuration parameters that can be replicated to Entities in a Federation.

3. Select “This Machine” from the drop-down list to exit the configuration set and return to the original configuration menu for the Manager system.


Apply a configuration set

To apply a configuration set to the Entities in the Federation:

Each Entity in the Federation must be running the same software level, including any applicable software updates, before synchronizing a configuration.

1. Log in to the Manager system.

2. Select the configuration set to be replicated from the top-left drop-down list, such as ConfigSet .

3. Click the Synchronize button.

The configuration set will then be synchronized with all Entities in the Federation, including the Manager system. This process will take some time to complete, and a message will be displayed indicating that the system cannot be used until the synchronization is complete.

Viewing a configuration set on an Entity

To view the configuration settings in the Global configuration set, log in to the Entity and select Global from the top-left drop-down list.

The Global configuration set will appear as Read Only , indicating that only the Manager system can modify the Global configuration set. Administrators on the Entity machine can browse the configuration to view what settings are applied in the Global configuration set.


The Global configuration set can be modified for local requirements by the Entity administrator by switching the context to This Machine in the top-left drop-down list. In this context, any changes applied will affect this system only. This allows the Entity administrator to modify or extend the Global configuration set with local requirements as needed.

Purge local settings

When the Manager in the Federation initially synchronizes a configuration set to this Entity, the configuration set overrides any current local configuration. Any subsequent configuration sets applied to this Entity only override local values that have not been modified. To remove all local configuration overrides and use the current Global configuration set, click the Purge Local Settings link at the top-right of the menu bar.

A message will be displayed indicating that the system cannot be used until the purge process is complete.
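The override rules described under Configuration Sets and in the Purge local settings section above (the first synchronization replaces the local configuration, later synchronizations keep local overrides, a purge discards them, and a policy is replaced as a whole) can be made concrete with a small model. This is an added example written for this guide, not WatchGuard code; the flat key/value representation of the configuration, the key names and the sample values are assumptions.

```python
"""Model of how a Centralized Management configuration set lands on an Entity.

Added example for this guide, not WatchGuard code. It models the override
rules stated in the Configuration Sets and Purge local settings sections:
  - the first synchronization replaces the Entity's local configuration;
  - later synchronizations override only values the Entity administrator
    has not modified locally; local overrides are kept;
  - Purge Local Settings discards every local override and applies the
    current Global set as-is;
  - a policy is accepted as a whole, so a locally modified policy is kept
    in full rather than merged field by field.
The flat dictionary of settings, its key names and the sample values are
assumptions for illustration.
"""
from copy import deepcopy
from typing import Any, Dict, Optional

Config = Dict[str, Any]


class Entity:
    def __init__(self, local: Config) -> None:
        self.local: Config = deepcopy(local)          # "This Machine" context
        self.global_set: Optional[Config] = None      # "Global" context, read-only on the Entity

    def local_overrides(self) -> Config:
        """Keys whose effective value differs from the last synchronized Global set."""
        if self.global_set is None:
            return {}
        return {k: v for k, v in self.local.items() if self.global_set.get(k) != v}

    def set_local(self, key: str, value: Any) -> None:
        """Entity administrator changes a value in the This Machine context."""
        self.local[key] = deepcopy(value)

    def synchronize(self, new_set: Config) -> None:
        """Manager pushes a configuration set to this Entity."""
        if self.global_set is None:
            self.local = deepcopy(new_set)           # first sync: replace everything
        else:
            overrides = self.local_overrides()       # measured against the previous Global
            merged = deepcopy(new_set)
            merged.update(overrides)                 # unmodified values follow the new set
            self.local = merged
        self.global_set = deepcopy(new_set)

    def purge_local_settings(self) -> None:
        """Purge Local Settings link: drop all overrides and use the Global set."""
        if self.global_set is None:
            raise RuntimeError("no Global configuration set has been synchronized yet")
        self.local = deepcopy(self.global_set)


def demo() -> Entity:
    """Walk through first sync, a local override and a second sync."""
    # Constructed sample: a fresh Entity before it joins the Federation.
    e = Entity({"mail/max_message_size_mb": 10, "policy/default": {"spam": "tag"}})
    global_v1 = {"mail/max_message_size_mb": 20,
                 "mail/relay_networks": ["10.0.0.0/8"],
                 "policy/default": {"spam": "quarantine", "virus": "reject"}}
    e.synchronize(global_v1)                          # replaces the local values
    e.set_local("mail/max_message_size_mb", 50)       # local requirement at this site
    e.set_local("policy/default", {"spam": "tag", "virus": "reject"})  # whole policy edited locally
    global_v2 = {"mail/max_message_size_mb": 30,
                 "mail/relay_networks": ["10.0.0.0/8", "192.168.0.0/16"],
                 "policy/default": {"spam": "quarantine", "virus": "strip"}}
    e.synchronize(global_v2)                          # overrides survive, untouched keys follow v2
    return e


if __name__ == "__main__":
    ent = demo()
    print("effective:", ent.local)
    print("overrides:", ent.local_overrides())
    ent.purge_local_settings()
    print("after purge:", ent.local)
```

Note the consequence of the "unmodified values only" rule: a policy edited on the Entity does not pick up the Manager's later change to the virus action, because the policy is compared and replaced as one unit. The only way to get that change is Purge Local Settings, which also discards every other local override.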


Centralized Management Activity

On the Manager system, select Activity > Status > CM Activity to display the Centralized Management Activity screen. This screen displays the connectivity status and statistics for all Entities in the Federation.

• Entity — Displays the Entity name.

• Type — Describes the type of Entity. For example, “Cluster” or “No Cluster”.

• Communication — Indicates the current status of the Entity. For example, “Connected”.

• License — Indicates whether this system has an active system license and the software version.

• Uptime — Displays how long the system has been running since the last restart.

• Queued — Displays the number of messages currently queued for delivery on the Entity.

• Deferred — Indicates the number of messages on the Entity that have had their delivery deferred due to unavailability of the destination mail server. The system will attempt to deliver these messages at a later time.

• Total — Displays the total number of messages currently queued for delivery, or deferred on the Entity system.

Entity Status

On an Entity system, select Administration > Multi-System Management > Centralized Management > Entity Status to view the status of the current system. The status will display the name of the Manager system of the Federation, the communications status of this Entity, and the time of the last communication between the Manager and Entity.


Centralized Management Reports

When using Centralized Management, the Manager system can view reports generated on other Entities in the Federation. This allows all reports to be viewed and managed from one central location, and the administrator does not have to log in to each Entity to view its reports.

Administrators can also search the Message History of all Entities in the Federation from the Manager system and view the results without having to log in to each Entity system.

Viewing Centralized Management reports

To view Centralized Management reports:

1. Log in to the Manager system.

2. Select Activity > Reports > Centralized Management .

The CM Reports screen displays the reports that are available, and which Entities have generated the reports.

3. Click Update Report List to refresh the Entity report list with any new reports that have been generated.

4. Click a report to view the reports for each Entity that has generated that type of report. For example, Web Summary Report .

From this screen you can view and manage the generated reports for each Entity.

You can delete reports by selecting the Entity report, and then clicking the Delete Selected Reports link.


Viewing message history

From the Centralized Management Manager system, the message history can be searched across all Entities in the Federation. This allows the administrator to perform searches from a central system, and the administrator does not have to log in to each Entity to view its message history. All search criteria including advanced search parameters can be searched across the Federation.

To search the Message History of Entities in the Federation:

1. On the Manager system, select Activity > History > Message History .

A list of Entities appears in the right-side box.

2. Select which Entities you want to perform the message history search on, or select All or None .

3. Fill in your Message History search criteria, and then click Search .

4. The Entity column in the results identifies the Entity on which each message was processed.

The returned results from the Message History search will be sorted by Entity by default. The administrator can also sort by other criteria such as hostname or date.


16 Reports and Logs

Reports Overview

WatchGuard XCS reporting provides a comprehensive range of informative reports, including the following report types:

• Full Email Report
• Email Executive Summary
• Virus Report
• Spyware Report
• Traffic Report
• Email Analysis Report
• Attachment Control Report
• Per-user Attachment Report
• Pattern / Filter Report
• Content Control Report
• Connection Control Report
• User / Host Report
• Session Summary
• Reputation Domain Report
• Rules Report
• System and Resource Summary
• Web Analysis Report
• Web Summary Report
• Web User Summary Report

Reports can be generated on demand and at scheduled times, and are derived from information written to the message logs and stored in the database. Up to a month’s reporting data can be stored and viewed online, depending on message loads for a particular environment.

The system automatically adjusts the number of days of reporting data that can be stored based on current system resources.


Reports are stored on the system for online viewing, and can also be emailed automatically to the systems administrator. Reports can be generated in PDF (Adobe Portable Document Format), CSV, and HTML format.

In clustered environments, reports will generate information aggregated for the entire cluster. System and resource reports will display information for each host in the cluster. In Centralized Management environments, the Manager system can configure and view reports for all Entities in a Centralized Management Federation.

Domain reporting

For organizations that support multiple domains, per-domain information can be added to specific reports to provide the administrator with statistics for each domain hosted by the system. Domain reports, which create a separate report for each domain, can also be enabled. The Domain reports can be emailed to the specific administrators of each domain.

Per Domain and Hosted Domain reports are not available for all report types. See “Report Types” on page 497 for detailed information on the data that is generated for each report type.

Inbound and outbound reporting

In most cases, inbound messages are considered untrusted, and outbound messages are considered trusted.

For any of the recipient-based reports, the inbound or outbound status is determined by the system message routes during message processing. For domain-based reports, a list containing hosted domains and their administrative email addresses (uploaded via Security > Content Control > Dictionaries & Lists ) is hosted by the WatchGuard XCS. In this case, inbound/outbound determinations are based on the sender and recipient of the message.

For example, for a list of the hosted domains example1.com and example2.com:

• Inbound mail for example1.com is based on the recipient domain being example1.com

• Outbound mail for example1.com is based on the sender domain being example1.com

• These same rules apply for example2.com, but mail from example1.com to example2.com will be counted as outbound for example1.com and inbound for example2.com

When creating Hosted Domain outbound reports, ensure that the uploaded domain name is the domain of the Sender. Inbound reports use the domain of the Recipient.

Scheduling reports

To schedule and generate reports:

1. Select Activity > Reports > Schedule .


The Report Definitions screen displays any scheduled and defined reports, including the report name, report type, the reporting time period, the frequency, and the last time the report was generated.


2. Click the Edit link to edit an existing report, or click the Create New Report link to create a new report definition.

3. Click the Last Generated date link to view the last generated report from this report definition.

Create a new report

To create a new report:

1. Click the Create New Report link.


2. Enter a descriptive Report Name for this report.

The name should contain only letters, numbers, and spaces, and no special characters.

3. Select the specific Report Type to run for this report.

4. Select a category of reports, such as Email , Web , and System , and then choose a report sub-type for that category.

5. Select the time Period for the report coverage:

• Previous Day (includes up to midnight of the previous day)

• Last 7 Days

• Sunday - Saturday (includes 7 days from a Sunday to the next Saturday)

• Monday - Friday (includes 5 days from Monday to Friday)

• Previous Month (this is the previous calendar month).

To report on the previous month in a report definition, the Reporting Summary Days option in Configuration > Miscellaneous > Reports must be set to 60 days or more to have enough data to cover the previous month time period.

6. In the Run this report field, select the day and time to run the scheduled report.

7. In the Email this report section, select who to send a copy of the report to when it is generated.

Select The administrator to send it to the administrator of this system, and/or select Other and enter a comma separated list of addresses to send the report to, such as: [email protected],[email protected],[email protected]

8. Select the Table Length for each report field.

For example, in the Top Viruses list, the top 50 viruses will be displayed if this field is set to 50. The default is 25. This default value is configurable via Configuration > Miscellaneous > Reports .


9. Click Save and Start to save the report and generate it immediately.

Select Save or Save As (to save under a different name) to save the report and run it at the scheduled time and day.

Click Delete to remove this report definition. Any reports associated with this report definition will not be deleted and can still be viewed.

Domain reporting

The Domain Reporting option allows specific reports to be generated and customized for systems that accept messages for multiple domains. A list of hosted domains and associated domain administrator email addresses must be uploaded via Configuration > Miscellaneous > Reports .

When hosted domains are uploaded, statistics collection on these domains will begin from that point and may not be immediately available for reports.

The following options are available:

Data aggregated for all domains

This option generates reports based on all message domains hosted by this system. The reports will not break down any report statistics based on each domain, but report on all messages as a whole for this system. This is the default setting.

Include per domain tables

This option generates the system reports, but includes tables displaying a summary of the messages based on each domain hosted by the system. For example, if you run a Full Email Report, only one Full Email Report will be generated, but it will include statistics on each domain in separate tables in the report.

Separated reports one for each host domain

This option generates the system reports, but creates a separate report for each domain hosted by the system. For example, if you run a Full Email Report, a Full Email Report will be generated separately for each domain on the system.

Per Domain and Hosted Domain reports are not available for all report types. See “Report types” on page 366 for detailed information on the data that is generated for each report type.


Email Domain Reports

Select to whom a copy of the report is sent when the report is generated. Select Each domain administrator to send the report to the administrator of each domain, and/or select Other and enter a comma separated list of addresses where the report will be sent.

For example: [email protected],[email protected],[email protected]

If a separate report is run for each domain, the domain administrator will only receive the report for their own domain.

View reports

To view your generated reports:

1. Select Activity > Reports > View .

Reports are generated in PDF (Adobe Portable Document Format), CSV, and HTML format.

2. Click the appropriate icon to view the contents of the report in the specified format.

The report will either appear in a new browser window (for an HTML report) or the PDF and CSV versions of the report can be saved on the local computer.

HTML reports are optimized for on-screen viewing, and are not recommended for printing reports.

The PDF report type should be used for report printing.

The generated reports screen can also be filtered by report definition name or by the type of report using the drop-down list of available report names or definitions.

3. Click Search to filter the reports list.


Report types

Full Email Report

Includes the highlights from all listed Email report types. Individual reports may have more detailed information that will not be found in the Full Email Report. This report does not include Web Proxy statistics. Per-domain and hosted domain reports can be generated with this report.

Email Executive Summary

The Email Executive Summary provides an overview of mail processing statistics. Hosted domain reports can be generated with this report.

• ReputationAuthority — Indicates the number of messages that were rejected by ReputationAuthority, including Reputation, Infection, and Dial-up.

• Detected Spam — Indicates the number of messages that have been classified as spam, including Certainly Spam, Probably Spam, Maybe Spam, ReputationAuthority Spam, and DNS Block List Spam. This category is displayed for inbound mail only. This category also depends on the Spam logging configuration in Configuration > Miscellaneous > Reports . The spam action of Just Log will be counted in the total if enabled in the spam logging configuration.

• Content Filters — Indicates the number of messages that have had their content detected by the Content Control features (Attachment Control, Content Scanning, Pattern Filters, Content Rules, Document Fingerprinting, and Objectionable Content Filtering).

• Detected Viruses — Indicates the number of messages that contained viruses, spyware, or were malformed.

• Clean — Indicates the number of messages that have been processed by the system and passed all security, spam, and content checks. This includes messages that have been detected by these features but have an action of Just Log .

• Total — The total number of messages.

Virus Report

Includes information on inbound and outbound viruses, including lists of top viruses and top virus senders. Hosted domain reports can be generated with this report.

• Inbound Viruses — Displays the top inbound viruses and the amount of times they were detected, including a graph showing the thousands of viruses detected per hour.

• Recent Inbound Virus Details — Displays the most recent inbound virus-infected messages, including the Queue ID, Time Received, Sender, Recipient, and Virus Name.

• Outbound Viruses — Displays the top outbound viruses and the amount of times they were detected, including a graph showing the thousands of viruses detected per hour.

• Recent Outbound Virus Details — Displays the most recent outbound virus-infected messages, including the Queue ID, Time Received, Sender, Recipient, and Virus Name.

• All Outbound Virus Senders — Displays information on the top virus senders, including the sender email address, virus name, and the number of virus-infected messages sent.

Spyware Report

Provides a chart on the number and types of Inbound and Outbound spyware programs found in Email messages. Hosted domain reports can be generated with this report.

• Inbound and Outbound Spyware Blocking — Indicates the different types of spyware programs that were detected. A graph indicates the number of spyware programs blocked per hour.

• Inbound and Outbound Spyware Summary — Provides a list of the most recent Inbound and Outbound messages that were detected as containing spyware. Includes information on the Queue ID of the message, the time received, the Sender and Recipient addresses, and the name of the spyware program.


Traffic Report

Reports on message volume and connection counts. Per-domain and hosted domain reports can be generated with this report.

• Total Traffic Summary — Displays the total number of inbound and outbound mail messages, including a graph showing the amount of mail in thousands of messages per hour.

• Total Traffic by Domain — Indicates the number of inbound and outbound mail messages per domain.

• Total Traffic Size — Indicates the total size of inbound and outbound mail messages in MB, including a graph showing the amount of mail per hour in MB per hour.

• Total Size by Domain — Indicates the total size of inbound and outbound mail messages per domain in MB.

• Connection Summary — Displays the number of mail connections to this system that passed or were incomplete (rejected), including a graph showing the number of connections in thousand connections per hour.

• Mail Processing Times — Indicates for this server the average processing time in seconds for each message, including a graph showing the average time in the mail queue in seconds per hour.

Email Analysis Report

Provides an overview of mail traffic analysis by the system’s mail scanning features. Per-domain and hosted domain reports can be generated with this report.

• Inbound and Outbound Message Summary — A pie chart displays a breakdown of inbound and outbound messages processed based on ReputationAuthority and Connection Rejects, Detected Spam, Content Filters (Attachment Control, Content Scanning, Pattern Filters, Content Rules, Document Fingerprinting, and Objectionable Content Filtering), Detected Viruses (Viruses, Spyware, and Malformed), Clean, and Total Mail messages. A graph displays the thousands of messages per hour based on the type of message.

• Inbound and Outbound Analysis Details and Recipient Actions — Displays a pie chart with details of the total number of inbound and outbound messages for each type of message classification (Clean, Attachment Control, Virus, Certainly Spam, Probably Spam, Maybe Spam, and Document Fingerprinting). Also displays a pie chart of the different types of applied recipient actions on inbound and outbound mail (Pass [message was Clean and no action taken], Quarantined, Subject Modified, Reject, and Just Log).

Attachment Control Report

Reports on inbound and outbound attachment types that have been blocked. Per-domain and hosted domain reports can be generated with this report.

• Blocked Attachment Summary — This table and bar graph displays the Direction, Number of Messages Blocked and Number of Attachments Blocked in both directions and the overall totals.

• Blocked Attachments by Domain — If per-domain is enabled, this table displays the domain and number of Inbound and Outbound attachments blocked for the reporting period.

• Top Blocked Attachments — Identifies the top blocked attachments for the reporting period.

• All Outbound Attachments Blocked — This table displays information on the number of all outbound attachments blocked.


Per-User Attachment Report

The Per-User Attachment Report provides a summary of the number of received and sent attachments, their size in KB, and total number of attachments and total size in KB. These are reported for each domain and each user in the domain, including information on the file extension and detected MIME type of all sent and received attachments. Hosted domain reports can be generated with this report.

Pattern / Filter Report

Reports on the Inbound and Outbound messages that have matched a Pattern Filter. Hosted domain reports can be generated with this report.

• Message Filter Rate — The bar graph will display the thousands of messages per hour that were processed and classified by a Pattern Filter.

• All Message Filters — The table will display the Number of Email messages, Filter Number, Name, Action, Pattern, and Comments for all Pattern Filters triggered during the reporting period.

Content Control Report

Reports on the system’s Content Control features indicating the number of occurrences of words found in a dictionary file and the corresponding dictionary line number containing the word. Hosted domain reports can be generated with this report.

• Inbound Content Control Analysis — The chart will display the breakdown of inbound messages processed based on Pattern Filters, Attachment Control, Content Rules, Objectionable Content, Content Scanning, Clean, and Total messages. A graph displays the thousands of messages per hour for each detected message type.

• Outbound Content Control Analysis — The chart will display the breakdown of outbound messages processed based on Pattern Filters, Attachment Control, Content Rules, Objectionable Content, Content Scanning, Document Fingerprinting, Clean, and Total messages. A graph displays the thousands of messages per hour for each detected message type.

• Top Content Control Occurrences — The table will display the Number of Occurrences, the File Name and Line Number for any content control dictionaries.

Connection Control Report

The Connection Control report provides information and statistics on inbound and outbound connections for this system. No domain reports are available for this type of report.

• Connection Control Rate — A table identifies the connecting host IP addresses and names, the total number of connections from these hosts, and the number of connections that were blocked (before the connection was established). A graph will display the number of Connections per hour to this system, classified by which connections were passed, rejected, and dropped (rejected without notification).

• Inbound Connection Control — A table identifies the number of Inbound connections that were passed or were incomplete (Rejected or Dropped), and the combined total of Inbound connections.

• Outbound Connection Control — A table identifies the number of Outbound connections that were passed or were incomplete (Rejected or Dropped), and the combined total of Outbound connections.

• Inbound Rejected Connections — Provides statistics on the number and types of Inbound connections that were rejected.

User/Host Report

Reports on the top sending hosts, top senders, and top recipients. Hosted domain reports can be generated with this report.


• Top Sending Hosts — The table will display the Host Name, Host IP, Total Messages, and Total Message size for hosts sending mail to the system.

• Top Senders — This table displays the Sender address, Total Messages and Total Size for the top senders during the reporting period.

• Top Recipients — This table displays the Recipient address, Total Messages, and Total Size for the top recipients during the reporting period.

Session Summary

The Session Summary report provides a table on WebMail and IMAP logins. No domain reports are available for this type of report.

• WebMail Usage — Displays the total number of connected sessions and failed login attempts for WebMail. A graph will display the number of WebMail logins per hour.

• IMAP Usage — Displays the total number of connected sessions and failed login attempts for IMAP. A graph will display the number of WebMail logins per hour.

• IMAP Data Sent — The amount of IMAP data transferred per hour.

Reputation Domain Report

For each domain processed by this system, this report indicates the amount of ReputationAuthority rejects (messages rejected because the sending system has a poor ReputationAuthority reputation), the total number of messages, and the ReputationAuthority reject percentage for the domain representing the percentage total of the messages that were rejected due to ReputationAuthority.

Per-domain and hosted domain reports can be generated with this report.

Rules Report

Indicates the number of inbound and outbound messages acted upon by the Content and Connection Rules for specific time intervals. A table of the Top Applied Rules lists the most common triggered rules, including information on the rule ID number, name, final action of the rule, condition, description, and the number of times it was triggered.

System and Resource Summary

Reports on CPU, disk, memory, mail queue, and network traffic statistics. In a cluster, separate statistics will be provided for each system in the cluster. No domain reports are available for this type of report.

• CPU Load — The line graph will display the Average and Peak CPU Load during the reporting period.

• Disk Capacity — The table will display the Server, Disk partition, Mount point, KB available, KB total, KB percentage used, I-nodes available, I-nodes total and I-node percentage used at the end of the reporting period.

• Disk History — The graph will display the time history for Disk Capacity Percentage Used and I-node Percentage Used for each disk partition over the reporting period.

• Swap Usage — The table will display the Host, Minimum, Average, and Maximum Swap usage over the reporting period. The line graph will display the time history for this data.

• Memory Paging — The graphs will display time histories for Pages Read and Pages Written over the reporting period.

• Mail Queue Sizes — The graphs will display the time histories for Minimum, Average, and Peak for the Mail Queue and Deferred Queue over the reporting period.

• Network Activity — A graph is displayed for each active network device on the system. Each graph will show the time history for MB transferred in and out of a specific interface.


Web Analysis Report

Provides a detailed analysis of Web traffic. No domain reports are available for this type of report.

• Web Blocked Content — Displays statistics on each message type that was blocked, including URL Categorization, Blocked Viruses, Blocked Spyware, Content Control (includes OCF, Attachment Control, and Content Scanning), and Other (including URL Block Lists and HTTP Block Sites List).

• Web Cache Efficiency — Displays the efficiency of the web cache based on the number of cache hits (when content was found in the local disk cache), and the number of web server requests that did not find the data in the disk cache and had to go to the Internet web server to fetch the content.

• Top Blocked Web Sites — Displays the top web sites that were blocked for any content issue, including viruses, spyware, Attachment Control, and URL Categorization.

• Top Blocked Viruses — Displays the top viruses that were detected in web traffic.

• Top Blocked Websites by Virus — Displays the top web sites that were blocked because the downloaded files contained viruses.

• Top Blocked Spyware — Displays the top spyware programs that were detected in web traffic.

• Top Blocked Websites by Spyware — Displays the top web sites that were blocked because the downloaded files contained spyware programs.

• Top Blocked Attachment types — Displays the top attachment types that were blocked by Attachment Control in web content.

• Top Blocked Websites by Attachments — Displays the top web sites that were blocked because the downloaded files were blocked by Attachment Control.

• Top Blocked URL Category types — Displays the top URL Categorization topic categories that were blocked in web content. This statistic will only appear if URL Categorization is enabled and licensed.

• Top Blocked Websites by URL Category — Displays the top web sites that were blocked because of their URL category. This statistic will only appear if URL Categorization is enabled and licensed.

• Top Blocked Client IP Addresses and Users — Displays the top client addresses and users that had web content blocked.

• Top Browse Time Users and Visited Domains — Indicates the top most visited web site domains and the top users with the most browse time.

Web Summary Report

Provides a summary of Web traffic statistics based on the types of messages including connection and request information. No domain reports are available for this type of report.

• Web Summary Statistics — Provides a summary of Web traffic including a breakdown of the count for each type of messages including: Total Web Requests, Blocked Viruses, Blocked Spyware, URL Categorization, Content Control (OCF, Attachment Control, and Content Scanning), URL Block Lists, and HTTP Blocked Sites.

• Web Connection and Requests Stats — A graph of web connection statistics for the number of active server connections per hour, and the number of HTTP requests (in thousands) per hour.

Web User Summary Report

Reports on the web browsing habits of a specific user, including their total browse time, top web site domains, the number of visits and browse time for each domain, and any blocked sites or blocked categories that the user attempted to browse. Enter the user’s email address that will be reported on, such as [email protected]. If Authentication is disabled, and you know the specific IP address of the user, you can enter the IP address. For example: 192.168.1.200.


Configure Reports

To configure global report settings:

1. Select Configuration > Miscellaneous > Reports .


2. Select the Reporting Enabled check box.

The reporting database is populated with information that is obtained by interpreting the system log files. Disabling reporting will result in no new information being saved in the reporting database, including messaging and system history information. Disabling reporting is not recommended, and should only be used if the system is extremely overloaded, or if you are testing performance levels.

3. In the Message History Days field, select the maximum number of days (between 1 and 31) of message history to retain online in the message database.

Data older than this value will be deleted as required. The default is 7 days.

4. In the Reporting Summary Days field, select the maximum number of days (between 1 and 90) of reporting summary information to retain online in the reporting database.

The system automatically adjusts the number of days of reporting data that can be stored based on current system disk resources and message loads. If the number of reporting days is changed by the system, an alarm will notify the administrator. The default is 31 days.

To report on the previous month in a report definition, the Reporting Summary Days must be set to 60 days or more. This ensures there is enough data to cover the previous month time period.

5. Select the default Table Length for each report field.

For example, in the Top Viruses list, the top 50 viruses will be displayed if this field is set to 50. This value can be changed for specific fields within the report configuration itself. The default is 25.


6. The Hosted Domains option allows the administrator to select a list of domains and hosted domain admin email addresses hosted by this system that will be included in the Domain reports. Domain reports can be emailed to the specified domain administrator address.

These lists are created via Security > Content Control > Dictionaries & Lists . See “Dictionaries and Lists” on page 155 for more details on creating lists.

Use the List type Domain&Email and use the format domain,email . For example:

example.com,[email protected]
example2.com,[email protected]
example3.com,[email protected]

A maximum of 250 domains can be uploaded. After the file is uploaded and selected here, domain reports can be generated when creating a new report definition.
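As an added example (not WatchGuard XCS code), the following Python models the Domain&Email list format from step 6 together with the inbound/outbound attribution rule described under “Inbound and outbound reporting” earlier in this chapter: it parses a constructed list upload, enforces the 250-domain limit, and tallies per-domain inbound and outbound counts for constructed messages. The function names, the sample addresses, and the handling of mail that stays inside a single hosted domain (counted once in each direction) are assumptions, not behaviour the guide states.

```python
"""Hosted-domain list parsing and inbound/outbound attribution for the
domain reports.  Added example, not WatchGuard XCS code: it models the
rules the guide states (Domain&Email list lines of the form
"domain,email", at most 250 domains; a message is inbound for a hosted
domain when the recipient is in that domain and outbound when the sender
is) against constructed sample data."""

from collections import Counter

MAX_HOSTED_DOMAINS = 250  # upload limit stated in the guide


def parse_domain_email_list(text):
    """Parse "domain,email" lines into {domain: administrator_email}.

    Blank lines are skipped.  Malformed lines, duplicate domains and an
    over-long list raise ValueError, so a bad upload is caught before
    statistics start being collected against it.
    """
    hosted = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 2 or not all(parts) or "@" not in parts[1]:
            raise ValueError(f"line {lineno}: expected 'domain,email', got {raw!r}")
        domain, admin = parts[0].lower(), parts[1].lower()
        if domain in hosted:
            raise ValueError(f"line {lineno}: duplicate domain {domain}")
        hosted[domain] = admin
    if len(hosted) > MAX_HOSTED_DOMAINS:
        raise ValueError(f"{len(hosted)} domains exceed the limit of {MAX_HOSTED_DOMAINS}")
    return hosted


def is_valid_list(text):
    """True if the upload parses cleanly (convenience wrapper)."""
    try:
        parse_domain_email_list(text)
        return True
    except ValueError:
        return False


def address_domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def attribute_message(sender, recipient, hosted):
    """Return [(domain, 'outbound'|'inbound'), ...] for each hosted domain
    the message touches.  Mail from one hosted domain to another is
    outbound for the sender's domain and inbound for the recipient's, as
    the guide describes.  Assumption: mail that stays inside one hosted
    domain is counted once in each direction, since the guide gives no
    rule for that case."""
    hits = []
    sender_domain = address_domain(sender)
    recipient_domain = address_domain(recipient)
    if sender_domain in hosted:
        hits.append((sender_domain, "outbound"))
    if recipient_domain in hosted:
        hits.append((recipient_domain, "inbound"))
    return hits


def domain_traffic_counts(messages, hosted):
    """Tally inbound and outbound message counts per hosted domain, as a
    per-domain traffic table would show them."""
    counts = {domain: Counter() for domain in hosted}
    for sender, recipient in messages:
        for domain, direction in attribute_message(sender, recipient, hosted):
            counts[domain][direction] += 1
    return counts


# Constructed sample upload and traffic; not taken from a real system.
SAMPLE_LIST = """example1.com,admin@example1.com
example2.com,admin@example2.com
"""

SAMPLE_MESSAGES = [
    ("alice@example1.com", "bob@partner.example"),      # outbound for example1.com
    ("eve@outside.example", "bob@example1.com"),        # inbound for example1.com
    ("alice@example1.com", "carol@example2.com"),       # outbound ex1, inbound ex2
    ("mallory@outside.example", "dave@other.example"),  # touches no hosted domain
]

if __name__ == "__main__":
    hosted = parse_domain_email_list(SAMPLE_LIST)
    for domain, counts in domain_traffic_counts(SAMPLE_MESSAGES, hosted).items():
        print(domain, hosted[domain], dict(counts))
```

Because a list is validated before it is used, a malformed or duplicated line is reported with its line number rather than silently producing a domain with no statistics, which is the failure the guide warns about when it notes that collection only starts once the list is in place.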

Spam logging

The spam logging options modify the behavior of how the reporting engine calculates statistics for messages that have a Just Log Intercept action applied for the Certainly Spam , Probably Spam , and Maybe Spam categories.

If the option is enabled (this is the default), for each category where the Intercept action is Just Log (as configured in Security > Anti-Spam > Anti-Spam ), the message will be counted as spam for reporting purposes. If this option is disabled, messages that have the Just Log action applied will be counted as clean in reports and the Dashboard statistics.


Mail Logs

The Mail Logs are the most important and informative logs to monitor because they contain a record of all mail messages processed by the system.

To access the WatchGuard XCS’s mail logs:

1. Select Activity > Logs > Mail .

The screen will display the end of the log file.

2. Use the slider control to page through the log file, or use the right and left arrow icons. You can also jump to the start or end of the log file using the arrow icons as required.

The start of a single message log entry begins with a connect message, and ends with the disconnect message. To ensure that you are looking at the entries for a specific message, check the message ID (such as 7FA528120033BE34 in the previous example) for each log entry to ensure they are for the same message.

3. Click Expand All to show a summary of the processing for the message.
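The following Python is an added example, not WatchGuard XCS code, of the check just described: grouping log entries by message ID so that a message's record is read from its connect entry to its disconnect entry even when entries for other messages interleave. The guide does not reproduce the mail log line format, so the sample lines, host names, addresses, and field names (from, to, status, action) are constructed; only the 16-hex-digit message ID follows the form of the ID quoted above.

```python
"""Grouping mail log entries by message ID, from connect to disconnect.
Added example, not WatchGuard XCS code.  The guide does not reproduce the
exact mail log line format, so the sample lines below are constructed:
a syslog-style prefix, then a 16-hex-digit message ID (the form of the
ID quoted in the guide), then the entry text."""

import re
from collections import OrderedDict

# Constructed sample mail log; the message IDs, hosts and addresses are made up.
SAMPLE_MAILLOG = """\
Mar 23 10:15:01 xcs mta[1234]: 7FA528120033BE34: connect from mail.example.net[192.0.2.10]
Mar 23 10:15:01 xcs mta[1234]: 7FA528120033BE34: from=<alice@example.net>
Mar 23 10:15:02 xcs mta[1234]: 4C0D9A7E11F2B803: connect from relay.example.org[198.51.100.7]
Mar 23 10:15:02 xcs mta[1234]: 7FA528120033BE34: to=<bob@example1.com> status=clean action=pass
Mar 23 10:15:02 xcs mta[1234]: 7FA528120033BE34: disconnect from mail.example.net[192.0.2.10]
Mar 23 10:15:03 xcs mta[1234]: 4C0D9A7E11F2B803: from=<eve@example.org>
Mar 23 10:15:03 xcs mta[1234]: 4C0D9A7E11F2B803: to=<carol@example1.com> status=spam action=quarantine
Mar 23 10:15:04 xcs mta[1234]: 4C0D9A7E11F2B803: disconnect from relay.example.org[198.51.100.7]
Mar 23 10:15:05 xcs mta[1234]: 91B2C3D4E5F60718: connect from host.example.com[203.0.113.5]
"""

# Timestamp, host, process, then the message ID and the entry text.
ENTRY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+: (?P<msgid>[0-9A-F]{16}): (?P<text>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def group_by_message(log_text):
    """Collect the entry texts of every message, keyed by message ID, in
    first-seen order.  Entries for different messages interleave in the
    log, which is why the ID rather than position must be used."""
    sessions = OrderedDict()
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            sessions.setdefault(match["msgid"], []).append(match["text"])
    return sessions


def summarize_entries(entries):
    """Reduce one message's entries to a processing summary: whether the
    record runs from connect to disconnect, how many entries it has, and
    the last value of each key=value field seen (sender, recipient,
    status, action)."""
    complete = (
        len(entries) >= 2
        and entries[0].startswith("connect")
        and entries[-1].startswith("disconnect")
    )
    summary = {"complete": complete, "entries": len(entries)}
    for text in entries:
        for key, value in FIELD_RE.findall(text):
            summary[key] = value.strip("<>")
    return summary


def summarize_log(log_text):
    """Per-message summaries for a whole log excerpt."""
    return {mid: summarize_entries(ents) for mid, ents in group_by_message(log_text).items()}


def incomplete_messages(log_text):
    """IDs whose record does not yet end with a disconnect: either still
    in progress or cut off by the log window being viewed."""
    return [mid for mid, s in summarize_log(log_text).items() if not s["complete"]]


if __name__ == "__main__":
    for mid, summary in summarize_log(SAMPLE_MAILLOG).items():
        print(mid, summary)
```

The incomplete list is the useful check when paging through the log: a message that shows a connect but no disconnect within the window you are viewing has entries outside that window, so its summary should not be read as final.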


Searching the mail logs

To search the mail logs:

1. Enter a text string in the Search field.

2. Click the Search button to filter the results.

Multiple searches can be added on to the original search to filter the results further.

3. Click the Remove button to remove the previous search base, or click Search Base (Original Log) to start a new search again.

By default the search will only apply to the last 24 hours of logs.

4. Use the Advanced Search to modify the specific time period for the search.


System Logs

The System Log contains all system-related messages, such as file uploads, backup status, virus pattern file updates, ReputationAuthority connections, LDAP connection status, and other types of system status messages.

To access the system log files:

1. Select Activity > Logs > System .

The screen will display the end of the log file.

2. Use the slider control to page through the log file, or use the right and left arrow icons. You can also jump to the start or end of the log file using the arrow icons as required.

Searching the system log

To search the system log:

1. Enter a text string in the Search field.

2. Click the Search button to filter the results.

Multiple searches can be added to the original search to filter the results further.


3. Click the Remove button to remove the previous search base, or click Search Base (Original Log) to start a new search again.

By default the search will only apply to the last 24 hours of logs.


4. Use the Advanced Search to modify the specific time period for the search.

WatchGuard XCS Logs

Select Activity > Logs > All Logs to access all system log files.


• Mail Logs — A log of all mail processing activity.

• System Logs — A log of all system-related messages. This includes LDAP imports, backup and restore, Anti-virus updates, and others.

• Kernel Generated Messages — A log from the system kernel.

• Messages From POP/IMAP Logins — Contains messages from POP, IMAP, and WebMail logins, including admin and console logins.

• HTTP Access Log — A log of HTTPS access to the web server.

• Error Messages From the Web Server — Contains error messages from the internal web server.

• Accesses to the Web Server Made Via SSL — A log of SSL web server access. This log displays accessed web pages and the connecting IP address.

• HTTP Proxy Log — Contains messages generated by the Web Proxy.


Previous Searches

To see a list of previous log searches that have been performed on the system:

1. Select Activity > Logs > Previous Searches .

2. In the list of previous searches, click on a specific search to apply the search query to the most recent data in the logs and view the results.

This allows you to save your favorite types of searches.

3. Use the Search box to search for a text string to find a specific search.

4. Specific searches can be deleted by selecting their corresponding check box, and then clicking the Remove button.


Configure Logs

For backup purposes and offline reporting, the system can copy log and reporting files to another system at regular intervals using the FTP or SCP file copy utilities. This allows administrators to back up the log files to a separate host for analysis and storage. When enabled, the offload occurs each time a log file is rolled over and at the time period specified in the offload date and time. Logs are saved with a timestamp, such as “maillog.200901010000”.

The Offload (Reporting) section is used for organizations requiring a separate reporting server where logs will be forwarded to for reporting purposes.

To configure your rollout and offload settings (Backup and Offload):

1. Select Configuration > Miscellaneous > Logs .


2. Select the Offload check box to enable offloading of rollout log files.

3. Select the Offload Days on which to offload log files.

4. Select the Offload Times at which to offload log files.

5. Select the Copy application (FTP or SCP) to use for copy rollout files.

These applications must be enabled on the destination host.

When setting up the SCP server for integration with the WatchGuard XCS, ensure that PAM authentication is disabled and the built-in authentication is enabled. If the WatchGuard XCS is behind a network firewall, TCP port 22 must be opened up to your SCP server.

6. Select the TCP Port to be used by the copy application (FTP or SCP).

If this field is left blank, the default port values (FTP: port 21, SCP: port 22) are used.

7. Enter the Host to which the rollout data is copied using the specified method. For example, ftp.example.com.

8. Select a Folder to which the rollout data will be copied.

For clustered systems, use %q to add the name of the clustered system to the folder name. For example, backups/%q.

9. Enter a User to log in to the destination host.

10. Enter a corresponding Password for the user.

11. Select the Compress check box to enable gzip compression of the rollout files.

12. Click Update when finished.


13. Click Offload Now to begin offloading files immediately.

14. Click the Offload Again button to reset the record of offloaded files.

This forces an offload of all files (even those offloaded before) again. After clicking Offload Again, you must click Offload Now, or wait for the next scheduled offload (when a log file has rolled over, or every hour), to start the offloading process.

Logs are not removed from the system when they are offloaded.

Log search configuration

The following options configure the default settings for all log searches.

Page Size

Enter the number of log entries to show on one search page. The default value is 30.

Search Result Limit

Enter the default number of entries returned from a search. The default value is 200000.


17

System Management

Backup and Restore

The WatchGuard XCS can back up all data, including the reporting database, quarantined items, mail queues, user mail directories, uploaded user lists, SSL certificates, feature keys, and system configuration data.

The system supports three backup methods:

• FTP server (recommended for large, full backups)

• SCP (Secure Copy) server

• Local disk (for small size or partial configuration backups using browser download to a workstation)

It is strongly recommended that the FTP backup method be used for large backup requirements.

Local Disk backups should only be used for small, partial configuration backups. The system cannot restore a local backup file over 2GB in size.

Restore from backup

The restore feature can restore any backup items individually. The system should be backed up before performing any type of software upgrade or update. The restore operation restores the configuration and reporting data in two separate stages.

• Configuration restore — The system configuration is restored first. This process takes only a short amount of time and the user can quickly return to the administrative user interface to start processing messages again. A critical alarm “Critical Restore: Complete PASSED” will be generated to alert the administrator when this first stage of the restore is complete.

• Reporting data restore — The reporting data (if required) is then restored as a background process.

This can be performed while the system is processing messages. When restoring reporting data on a running system, it may take 24 to 72 hours before the restore is fully completed, depending on the amount of data being restored. The following serious alarms will be generated at different points in the reporting restore process:

• “Serious: RESTORE: Reporting: Recovery Started”: This indicates that the online reporting restore process has started and data is being copied into a temporary database.

• “Serious: RESTORE: Reporting: Migration Started”: This indicates the data has been fully copied into the temporary database and is being migrated to the online database.

• “Serious: RESTORE: Reporting: Recovery Complete”: This indicates that the online reporting restore process has completed.


Note that system performance will be negatively affected when restoring reporting data to a system that is currently processing messages. If you reboot the system during the reporting restore process, the process will continue when the system is restarted.

In certain cases, large backup files will cause the Backup screen to time out and the “Backup Complete” button will not appear. The Backup process can still be monitored in the logs and via alarms.

The size of the reporting database or quarantined mail area can be very large. If reporting data and quarantined mail are not required, it is recommended that they not be backed up to ensure a more manageable backup file size.

Restoring a clustered system requires a different procedure than outlined in the next section. See “Backup and restore in a cluster” on page 339 for more information on backing up and restoring clustered systems.

Backup file naming conventions

The naming convention for backup files is as follows:

MG-BCKUP.YYMMDDHHMM

Example:

MG-BCKUP.0902152245

This indicates that the backup file is from Feb 15th, 2009 at 10:45PM. When purging old backup files during routine maintenance, ensure that you examine the timestamps before deleting them.
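The two timestamped naming conventions the guide documents (MG-BCKUP.YYMMDDHHMM for backup files here, and <log>.YYYYMMDDHHMM for offloaded logs in the Configure Logs section) lend themselves to an automated retention check before anything is purged. The following Python is an added example, not from the guide or from WatchGuard; the retention window, the directory listing and the "current time" are constructed for the demonstration.

```python
"""Parse WatchGuard XCS backup and offloaded-log file names and apply a retention rule.

Added example; not part of the guide and not WatchGuard's own code. The two
naming conventions are the ones the guide documents:
  MG-BCKUP.YYMMDDHHMM     backup files   (e.g. MG-BCKUP.0902152245)
  <log>.YYYYMMDDHHMM      offloaded logs (e.g. maillog.200901010000)
The retention window, the directory listing and the "current time" below are
constructed for the demonstration.
"""
import re
from datetime import datetime, timedelta

BACKUP_RE = re.compile(r"^MG-BCKUP\.(\d{10})$")
OFFLOAD_LOG_RE = re.compile(r"^([A-Za-z]+)\.(\d{12})$")


def parse_backup_timestamp(name):
    """Return the datetime encoded in an MG-BCKUP.YYMMDDHHMM name, or None.

    A name whose digits do not form a real calendar date (e.g. day 32) is
    treated as unparseable rather than raising, so a cleanup job never
    stops on one odd file.
    """
    m = BACKUP_RE.match(name)
    if m is None:
        return None
    try:
        return datetime.strptime(m.group(1), "%y%m%d%H%M")
    except ValueError:
        return None


def parse_offload_log(name):
    """Return (log name, datetime) for an offloaded log file, or None."""
    m = OFFLOAD_LOG_RE.match(name)
    if m is None:
        return None
    try:
        return m.group(1), datetime.strptime(m.group(2), "%Y%m%d%H%M")
    except ValueError:
        return None


def expired_backups(names, now, keep_days):
    """Backup files older than keep_days, oldest first.

    Only names that match the backup convention are considered: offloaded
    logs, a browser-downloaded backup.gz and anything unparseable are left
    alone, so the purge never deletes something it did not positively
    identify as a dated backup.
    """
    cutoff = now - timedelta(days=keep_days)
    old = []
    for name in names:
        stamp = parse_backup_timestamp(name)
        if stamp is not None and stamp < cutoff:
            old.append((stamp, name))
    return [name for _, name in sorted(old)]


# Constructed directory listing of an FTP backup folder.
SAMPLE_LISTING = [
    "MG-BCKUP.0902152245",   # the guide's example: 15 Feb 2009, 22:45
    "MG-BCKUP.0901010230",   # constructed: 1 Jan 2009, 02:30
    "MG-BCKUP.0903010230",   # constructed: 1 Mar 2009, 02:30
    "MG-BCKUP.0902322245",   # constructed: malformed (day 32), must be ignored
    "maillog.200901010000",  # offloaded log from the Configure Logs section
    "backup.gz",             # local-disk download; carries no timestamp
]


def demo():
    """Apply a 14-day retention rule to the sample listing as of 2 Mar 2009 09:00."""
    now = datetime(2009, 3, 2, 9, 0)  # constructed "current time"
    return expired_backups(SAMPLE_LISTING, now, keep_days=14)


if __name__ == "__main__":
    for name in demo():
        print("expired:", name)
```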

Starting a backup

To start a backup:

1. Select Administration > Backup/Restore > Backup & Restore.

2. Select the required type of backup destination and click Next >>.


FTP backup options

The following options are for backing up to an FTP server:

When configuring backups and restores to use an FTP server, it is recommended that the idle timeout value on the FTP server be set to a minimum of 1800 to 3600 seconds to ensure the connection does not timeout while the WatchGuard XCS is performing the backup or restore process.


• Encrypt Backup — Select this check box to store the backup file in encrypted form.

• Backup System Configuration — Select this check box to back up all system configuration data, including mailboxes, licenses, and keys. This option must be enabled if you need to restore system functionality.

• Backup Quarantine Mail — Select this check box to back up all quarantined mail. Backing up quarantined mail may greatly increase the size of the backup file.

• Backup Token Analysis Data — Select this check box to back up the Token Analysis database.

• Backup Reporting Data — Select this check box to back up the entire reporting database. Backing up the reporting database will greatly increase the size of the backup file.

• FTP server — Enter the host name or IP address of the destination FTP server.

• Username — Enter the username for the FTP server.

• Password — Enter the password for the FTP server.

• Directory — Enter the directory on the FTP server for the backup files.

• Use PASV mode — Set FTP to use passive mode if you are having problems connecting to the FTP server.


When you have set your options, click Next >> to continue.

Verify that your options are correct, and then click Create backup now to start the backup.

You can also click Create scheduled backup which will take you to the Daily Backup menu to create a scheduled FTP backup.

SCP backup options

The following options are for backing up to an SCP (Secure Copy) server:


• Encrypt Backup — Select this check box to store the backup file in encrypted form.

• Backup System Configuration — Select this check box to back up all system configuration data, including mailboxes, licenses, and keys. This option must be enabled if you need to restore system functionality.

• Backup Quarantine Mail — Select this check box to back up all quarantined mail. Backing up quarantined mail may greatly increase the size of the backup file.

• Backup Token Analysis Data — Select this check box to back up the Token Analysis database.

• Backup Reporting Data — Select this check box to back up the entire reporting database. Backing up the reporting database may greatly increase the size of the backup file.

• SCP server — Enter the host name or IP address of the destination SCP server.

When setting up the SCP server for integration with the WatchGuard XCS, ensure that PAM authentication is disabled and the built-in authentication is enabled. If the WatchGuard XCS is behind a network firewall, TCP port 22 must be opened up to your SCP server.


• Username — Enter the username for the SCP server.

• Password — Enter the password for the SCP server.

• Directory — Enter the directory on the SCP server for the backup files.

When you have set your options, click Next >> to continue.


Verify that your options are correct, and then click Create backup now to start the backup.

You can also click Create scheduled backup which will take you to the Daily Backup menu to create a scheduled SCP backup.

Local disk options

The following options are for backing up to the local disk:

It is strongly recommended that the FTP backup method be used for large backup requirements.

Local Disk backups should only be used for small, partial configuration backups. The system cannot restore a local backup file over 2GB in size.


• Encrypt Backup — Select this check box to store the backup file in encrypted form.

• Backup System Configuration — Select this check box to back up all system configuration data, including mailboxes, licenses, and keys. This option must be enabled if you need to restore system functionality.

• Backup Quarantine Mail — Select this check box to back up all quarantined mail. Backing up quarantined mail may greatly increase the size of the backup file.

• Backup Token Analysis Data — Select this check box to back up the Token Analysis database.

• Backup Reporting Data — Select this check box to back up the entire reporting database. Backing up the reporting database may greatly increase the size of the backup file. It is recommended that the FTP or SCP method be used for very large backup files.


When you have set your options, click Next >> to continue.

Verify that your options are correct, and then click Create backup now to start the backup.

The system will prompt you for a location to download the file (backup.gz). The backup file is saved in a gzip compressed archive.

Restoring from backup

Select the required type of restore and click the Next >> button.

FTP restore options

Enter the following information to restore from an FTP server:

When configuring backups and restores to use an FTP server, it is recommended that the idle timeout value on the FTP server be set to a minimum of 1800 to 3600 seconds to ensure the connection does not time out while the WatchGuard XCS is performing the backup or restore process.


• FTP server — Enter the host name or IP address of the FTP server where the backup file is stored.

• Username — Enter the user name for the FTP server.

• Password — Enter the password for the FTP server.

• Directory — Enter the directory on the FTP server for the backup files.

• Use PASV mode — Set FTP to use passive mode if you are having problems connecting to the FTP server.

Click Next >> to connect with the FTP server and restore the backup file.

In certain cases, large backup files will cause the backup screen to time out and the “Backup Complete” button will not appear. The backup process can still be monitored in the logs and via alarms. A critical alarm will appear when the configuration restore operation is completed. A serious alarm will be generated when the background reporting restore process is completed.


When the backup file has been successfully retrieved, you can choose which aspects of the system you want to restore. When finished selecting the restore items, click Restore Now.

Restore from SCP

Enter the following information to restore from an SCP server:

• SCP server — Enter the host name or IP address of the SCP server.

• Username — Enter the user name for the SCP server.

• Password — Enter the password for the SCP server.

• Directory — Enter the directory on the SCP server where the backup file is located.

When setting up the SCP server for integration with the WatchGuard XCS, ensure that PAM authentication is disabled and the built-in authentication is enabled. If the WatchGuard XCS is behind a network firewall, TCP port 22 must be opened up to your SCP server.

Click Next >> to connect with the SCP server and restore the backup file.

In certain cases, large backup files will cause the backup screen to time out and the “Backup Complete” button will not appear. The backup process can still be monitored in the logs and via alarms. A critical alarm will appear when the configuration restore operation is completed. A serious alarm will be generated when the background reporting restore process is completed.


When the backup file has been successfully retrieved, you can choose which aspects of the system you want to restore. When finished selecting the restore items, click Restore Now.

Restore from local disk

Enter the local filename that contains your server’s backup data, or click Browse to select the file from the local drive directory listing. Click Next >> to upload and restore the backup file.


You can view the current status of the restore process in the Status section of the Administration > Backup/Restore > Backup and Restore screen.

In certain cases, large backup files will cause the backup screen to time out and the “Backup Complete” button will not appear. The backup process can still be monitored in the logs and via alarms. A critical alarm will appear when the configuration restore operation is completed. A serious alarm will be generated when the background reporting restore process is completed.


When the backup file has been successfully retrieved, you can choose which aspects of the system you want to restore. When finished selecting the restore items, click Restore Now.

When the restore is complete, you should review and edit your network configuration in the Configuration > Network > Interfaces screen as required, and click Apply to reboot. This ensures that all restored network settings have been applied.

Backup and restore errors

The following table describes the types of errors that can occur (displayed in the System Log) when restoring a backup file:

Error Code   Description
0            No error
1            Form data missing
2            MIME data missing boundary
3            Invalid form data
4            Unsupported encoding method
5            Unsupported header in MIME data
6            File open error
7            Filename not specified
8            Error writing file
9            Data is incomplete


Reset the WatchGuard XCS

The system can be returned to its factory defaults at any time. You may need to reinitialize the system if unrecoverable disk errors are found or if you wish to perform a full restore.

This procedure should only be used after consultation with WatchGuard Technical Support. You will lose ALL your configuration data and stored messages if you have not performed a backup.

To reset and re-initialize the system:

1. Select Administration > System > Reboot & Shutdown.

2. Click the Reboot button.

The system will reboot.

3. When the system restarts, go to the system console and press F1 Install.

4. Press Enter to select graphics mode when prompted.

5. An informational screen will appear. Select OK to continue.

6. Select a keyboard type.

7. Select Auto (to auto partition your drives) or select Custom, and press Enter.

8. Select OK to confirm.

9. Select OK to choose a CD-ROM, Hard Drive, or Network install.

10. Select Hard Drive, then press Enter.

11. Select OK to restart the system when the software image installation is complete.

The system will now be rebooted with the factory default configuration, and you can proceed with the installation and configuration of the system.

See the WatchGuard XCS Installation Guide for detailed information on the installation procedure.


Daily Backup

Configured FTP and SCP backups can be scheduled to occur each day at a specific time. The FTP or SCP configuration must be completed first (via Administration > Backup/Restore > Backup and Restore) before enabling scheduled daily backups.

The results of any daily backups can be viewed via Activity > Logs > System .

To configure Daily Backups:

1. Select Administration > Backup/Restore > Daily Backup.

2. Select the FTP Backup check box to use the configured FTP backup configuration for this scheduled backup.

3. Select the SCP Backup check box to use the configured SCP backup configuration for this scheduled backup.

4. Set the Start Time for the backup in 24-hour format using the syntax HH:MM, such as 02:00 for 2:00AM.

Because system reporting and log file maintenance start at 00:00 midnight, it is strongly recommended that you do not schedule daily backups between midnight and 1:00 AM.


Feature Key

A feature key is a license that enables you to activate your purchased feature set on your WatchGuard XCS.

You must register the device serial number on the WatchGuard LiveSecurity web site and retrieve your feature key before adding it to the WatchGuard XCS.

Get a feature key from LiveSecurity

To retrieve a feature key from the LiveSecurity web site:

1. Open a web browser and go to https://www.watchguard.com/activate.

2. If you have not already logged in to LiveSecurity, the LiveSecurity Log In page appears.

3. Enter your LiveSecurity user name and password.

The Activate Products page appears.

4. Enter the serial number for the product as it appears on your hardware device, including the hyphens.

5. Click Continue.

The Choose Product to Upgrade page appears.

6. In the drop-down list, select the WatchGuard XCS device.

7. Click Activate.

The Retrieve Feature Key page appears.

8. Copy the full feature key to a text file and save it on your computer.

9. Click Finish.


Adding a feature key to your WatchGuard XCS

To install a new feature key:

1. Select Administration > System > Feature Key.

The Feature Key page appears.


2. Click Update.

The Update Feature Key page appears.

3. Copy the text of the feature key file and paste it in the text box.


4. Click Update Key.

The Feature Key page reappears with the new feature key information.

Updating a feature key

If you already have a LiveSecurity login and your WatchGuard device serial number is registered, you can update your feature key automatically from the LiveSecurity site.

To update a feature key:

1. Select Administration > System > Feature Key.

The Feature Key page appears.


2. Click Get Feature Key.

3. Your feature key is downloaded from the LiveSecurity site and automatically updated on your system.


Removing a feature key

You may need to remove a feature key after a system evaluation or to troubleshoot licensing issues.

Removing a feature key will disable all security features and the system will stop processing messages.

To remove an existing feature key:

1. Select Administration > System > Feature Key.

The Feature Key page appears.

2. Click Remove.

A confirmation dialog box appears.

3. Click OK to confirm.

Feature key expiration

When a feature key expires, the WatchGuard XCS continues to process and deliver mail, but the expired feature does not scan or perform actions on messages.

For example, if the Anti-Virus scanning feature key expires, the WatchGuard XCS continues to process mail, but the messages are not scanned for viruses.

The following features do not have associated expiration periods because they are required for normal system operations and management:

• Email

• Clustering

• Queue Replication

• Centralized Management

The WatchGuard XCS sends notifications to the administrator at 90, 60, 30, 7, 2, and 1 days before a feature key expires.


Reboot and Shutdown

To safely reboot or shut down the system:

1. Select Administration > System > Reboot & Shutdown.

2. Click Reboot to shut down the system and reboot.

3. Click Shutdown to shut down the system completely.

Before shutting down, remove any media from the CD-ROM drive.

See “Reset the WatchGuard XCS” on page 390 for detailed information on restarting the system and restoring it to factory default settings.


Security Connection

The Security Connection is a service that polls WatchGuard’s support servers for new updates, security alerts, and Anti-Spam database updates. When new information and updates are received, a notification can be sent to the administrator.

WatchGuard recommends that you enable Security Connection to make sure you automatically receive notifications for the latest software updates. Security Connection should be run immediately after the initial installation of the product.

For security purposes, all Security Connection files are encrypted and contain an MD5-based digital signature which is verified after the file is decrypted.

To enable and configure Security Connection:

1. Select Administration > Software Updates > Security Connection.


2. Select the Enabled check box.

3. Specify the Frequency for how often to run the Security Connection service.

Choices are daily, weekly, and monthly.

4. Select the Auto Download check box to allow software updates to be downloaded automatically.

These updates will not be automatically installed. They must be installed manually via Administration > Software Updates > Updates.

5. Select the Display Alerts check box to display any Security Connection alert messages on the system console.

6. Select the Send Email check box to send an email to the address specified in the Send Emails To field.

7. In the Send Emails To field, enter an email address to receive notifications.

8. Click Apply.

9. Click the Connect Now button to run Security Connection immediately and check for new software updates.


Software Updates

To make sure your system software is up to date with the latest patches and upgrades, you must install any updates released for your version of software. The Security Connection, if enabled, will download any required software updates automatically.

WatchGuard recommends that you back up the current system before performing an update. See “Backup and Restore” on page 381 for detailed information on the backup and restore procedure.

To upload and install software updates:

1. Select Administration > Software Updates > Updates.

The Software Updates screen shows Available Updates (loaded onto the system, but not applied) and Installed Updates (applied and active). You can install an available update or uninstall a previously installed update. Software updates downloaded from Security Connection appear in the Available Updates section.

2. If you downloaded your software update manually:

• Click Browse.

• Navigate to the downloaded software update on your local system.

• Click Upload. The software update now appears in the Available Updates section.

3. Select the software update in the Available Updates section.

4. Click Install.

After applying any updates, you must restart the system.


Problem Reporting

Problem reporting allows you to send important configuration and logging information to WatchGuard Technical Support for help with troubleshooting system issues. This feature is intended for use in conjunction with an existing support request with technical support.

To configure problem reporting:

1. Select Support > Problem Reporting.

2. In the Send To field, enter an email address to send the reports.

The default is WatchGuard Technical Support, but you can also put in your own email address so that you can view them before you send them to WatchGuard.

3. Select the Mail Log check box to send the latest hourly mail log.

4. Select the Mail Configuration check box to send your current mail configuration file.

5. Select the Mail Queue Stats check box to send a snapshot of the latest mail queue statistics.

6. Select the System Messages check box to send the latest hourly system log.

7. Select the System Configuration check box to send a text version of the system configuration.

8. Click Apply to save the configuration.

9. Click Send Now to send the information to the configured email address.


Performance Tuning

There are several factors that can affect the performance of the WatchGuard XCS system:

• Network bandwidth

• Number of concurrent Mail and Web connections

• Number of background processes running, such as Reporting and WebMail

• Internet unpredictability: Mail can often arrive in bursts of activity, with only a few messages arriving one minute and several hundred the next. In the event of a network outage, such as a failed router, the amount of queued mail that arrives after the router is back online can be very large.

• Internet performance: Mail and Web clients can be very slow at connecting, and the connection may be disconnected before it is complete.

• The time to process a message is also affected by the size of the email and its attachments.

• Amount of system resources (processing power, RAM, and disk space)

These factors must be carefully considered when tuning a system for optimal performance. If a system is optimized for throughput to handle high mail loads, other aspects of the system may suffer from increased latency issues, such as reporting, WebMail access, and the possibility of dropped connections by clients that cannot connect to a busy system. Similarly, allocating too many resources to resolve latency issues will affect mail throughput performance.

Modifying certain parameters may affect the performance of other aspects of the system, and it is recommended that you only change these settings to resolve specific performance issues with guidance from WatchGuard Technical Support. Do not experiment with these settings.

Selecting performance settings

To configure performance settings:

1. Select Configuration > Network > Performance.

2. Select the type of performance profile to apply to the system:

• Email Scanning

• Email Scanning with WebMail

• Web Scanning

• Web and Email Scanning

• Web and Email Scanning with WebMail

• Custom

3. Click the Advanced button if you need to adjust any of the individual parameters to create a custom setting.


Maximum Number of Processes

This parameter specifies the maximum number of concurrent processes that use mail services.

This setting limits the number of connections accepted by smtpd, and the number of outgoing SMTP connections. If this number is set too large, you may run out of swap space.

Maximum Number of Parallel Deliveries

This parameter specifies the maximum number of outgoing SMTP connections to the same destination. This setting helps limit the number of outgoing connections. The value must be less than the maximum number of processes, or performance will be degraded.

Maximum Number of Mail Scanners

This parameter specifies the maximum number of mail scanners that can run simultaneously.

This setting limits the overall mail processing and memory footprint. Setting this value too high or too low may result in reduced performance. Valid settings are from 2 to 20.

Raise Priority of Heavy Weight Processes

Increasing the priority of heavyweight processes can increase performance and WebMail response times, but it can reduce the processing resources for other mail processes if it is set too high. Valid settings are from a default priority of 0 to a maximum priority of 20.

Number of Heavy Weight Processes

This parameter specifies the maximum number of heavy weight mail scanning processes that can be run simultaneously. Valid settings are: 1 (Default) to 6 (maximum processes). Setting a value greater than 2 will not improve performance, and changing this value from the default setting is not recommended.

Number of DB Proxies

This parameter specifies the maximum number of database proxies that can be used by the mail scanning processes. This value is relative to the Maximum Number of Processes setting, and should be increased in conjunction with the maximum number of processes. Valid settings are from 2 (Default) to 12 (maximum); however, setting this value above 8 results in diminishing performance returns.

SMTP Connect Timeout

This SMTP parameter specifies the amount of time, in seconds, for an SMTP client to complete a TCP connection before the connection is dropped. This value defines how long the system will wait for a response before timing out. The default is 0, but there is an overall system timeout of 5 minutes for SMTP connections. Increasing this value may help with sites which have a slow Internet connection.

SMTP HELO Timeout

This SMTP parameter specifies the amount of time, in seconds, for receiving the SMTP greeting banner before we drop the connection. The default is 300 seconds, which means that the system will wait 5 minutes to receive the initial SMTP HELO message before timing out. Using a lower timeout value may increase performance by freeing up more connections. Increasing this value may help with sites which have a slow Internet connection.

SMTPD Timeout

This SMTP parameter specifies the amount of time, in seconds, to send an SMTP server response and to receive an SMTP client request before dropping the connection. The default is 300 seconds. When the system connects to another mail server to deliver mail, it will drop the connection if it takes more than 5 minutes to receive a response. A lower value may increase performance by freeing up connections. Increasing this value may help with sites which have a slow Internet connection.


SMTPD Minimum Receive Rate

The minimum rate, in bytes per second, at which a client must send data. The limit will be enforced after the SMTPD minimum receive rate interval has elapsed. Set this to a higher value when excessively slow clients are tying up system resources. A value of 0 indicates no minimum rate. Default is 0.

SMTPD Receive Rate Interval

The time interval, in seconds, which must elapse before the SMTPD minimum receive rate restriction is enforced for a newly connected client. Set this to a higher value to give clients more time to establish an acceptable data flow rate. A value of 0 means that the limit is enforced immediately. Default is 0.

SMTP Tarpit Time

The amount of time, in seconds, to wait before replying to an SMTP client with a 4xx or 5xx error message (such as when the message content is rejected). The default is 5 seconds. A lower value may increase performance by freeing up connections. A higher value may deter senders from sending invalid content such as spam and viruses. The tarpit time should be set to 0 for environments that reject a high number of SMTP connections.

Service Throttle Time

The amount of time, in seconds, to wait before restarting a messaging service that exits unexpectedly. The default is 60 seconds; the minimum is 1 second.

Enable SMTP Connection Cache

Connection caching can improve delivery performance, primarily in deliveries to destinations with multiple mail servers where some of the servers are not responding. The system will cache the responding servers and use those servers in the next delivery attempt. This option is enabled by default. In some cases, connection caching may introduce additional processing overhead and reduce performance. Disable this option if performance issues occur.

Number of Concurrent Web Proxies

Increasing the number of web proxy processes on the system results in increased parallel processing of web requests and reduced client latency. Too many parallel requests may overload the scanning engine resulting in various user requests blocking each other and contending for access. The preconfigured defaults are optimized based on the CPU and memory of the hardware platform. This value can be set from 1 to 32.

Number of Concurrent Web Scanners

Increasing the number of concurrent web scanners on the system results in increased parallel processing in the web scanning engine. However, too many parallel scanners may overload the system and use too many resources. It is recommended that this value match the Number of Concurrent Web Proxies setting. The preconfigured defaults are optimized based on the CPU and memory of the hardware platform. This value can be set from 1 to 32.

Maximum Number of Web Content Scanners

Sets the maximum number of web content scanners that can run simultaneously. This setting limits the overall proxy processing and memory footprint. This value can be set from 1 to 50.

Queue Threshold for Web Requests Per Proxy Instance

This setting limits the number of queued HTTP requests a single instance of the web proxy can have. In conjunction with the Number of Concurrent Web Proxies value, this setting determines the maximum number of concurrent web requests that can be handled by the system. Very high values for thresholds may adversely affect system resources, while low values may not be sufficient to handle the web traffic load for your environment. Error messages will occur in the logs when a given proxy instance exceeds the configured limit. This value can be set from 1 to 20000. The default is 1000.

402 WatchGuard XCS

User Guide

System Management

In-Memory Web Cache Size Mark

The following are advanced settings for the web cache and should be modified with caution. The In-memory Web Cache sizes represent the thresholds used for cleaning up the memory cache.

The low mark represents the memory level (in MB) after which the process starts cleaning up its entries. The critical mark represents the memory level (in MB) after which the process starts aggressively cleaning up its entries. The high mark represents the maximum memory (in MB) the in-memory web cache will utilize.

Mark — Default Recommended Value

Low — 64 MB

Critical — 128 MB

High — 256 MB

Size of Temporary Files Filesystem

Specify the size of the /tmp filesystem at system startup. This setting affects the maximum size of attachments that may be scanned, and should only be used if you are having problems with scanning large files. If you increase this setting beyond the amount of physical RAM, system performance will be degraded due to excessive swapping. You must monitor your system performance if this setting is used.

Size of Shared Memory Block Allocated to Database

Specify the size of the shared memory block to make available to the database. Increasing this value increases the speed of database operations at the cost of having less memory available for other purposes. Increase this value if you are increasing the number of messages that will be stored in the email database. If you change the size of the temporary files filesystem or the shared memory block, the system must be restarted before these settings take effect.


18 Monitor your WatchGuard XCS

Dashboard

The WatchGuard XCS system Dashboard provides administrators with a brief statistical and graphical summary of current inbound and outbound email and web activity, allowing rapid assessment of the current status of the WatchGuard XCS. The Dashboard contains links to the following components:

ƒ Mail Summary — Displays information on mail resources such as current incoming and outgoing connections, and the number of messages in the Mail, Deferred, and Quarantined queues. The Mail Summary screen also provides a traffic summary of inbound and outbound mail traffic separated by category (such as Virus, Spam, and Clean mail).

ƒ Web Summary — Displays a web traffic summary separated by category (such as URL Categorization and Spyware). The Web Summary screen also provides information on the number of current active web connections, the web cache efficiency, the top five blocked web sites and IP Addresses/Users, and top five browsing users and visited domains.

ƒ Recent Mail Activity — Displays the most recent mail messages that have been processed by the system, including the Message ID, Sender and Recipient information, the message Status, and the final Action taken on the message.

ƒ Recent Web Activity — Displays the most recent blocked web messages that have been processed by the system, including the Request ID, Request To and From information, the message Status, and the final Action taken on the request.

In a cluster, the Dashboard only shows activity for the local system, and not for the entire cluster. For information and statistics for the entire cluster, see the Cluster Activity screen.


The Dashboard is accessed via Activity > Status > Dashboard.

The Dashboard can be set to display its information based on the time period selected by the administrator (Last 60 Minutes, Last 24 Hours, Last 7 Days, and Last 31 Days). Information on the Dashboard is updated every 60 seconds when the default, Last 60 Minutes, is selected. The screen will be updated hourly if set to Last 24 Hours, and updated every 24 hours if set to Last 7 Days and Last 31 Days.

Messages processed by the system will not be reflected in the statistics until the required time frame is summarized, such as 60 seconds for “Last 60 Minutes”, or one hour for “Last 24 Hours”. The “Last Generated” time will indicate when the statistics were last refreshed.

Mail summary

The Mail Summary statistics screen displays information on mail traffic passing through the system and contains statistics on Mail Resources and a Mail Traffic Summary.

Mail resources

The following Mail Resource statistics are updated every 60 seconds:

ƒ Incoming Connections — Displays the current number of incoming mail connections to this system.

ƒ Outgoing Connections — Displays the current number of outgoing mail connections from this system.

ƒ Mail Queue — Indicates how many messages are currently in the Mail Queue waiting to be delivered. These messages can be viewed and managed via Activity > Queue/Quarantine > Mail Queue.

ƒ Deferred Queue — Indicates the number of messages whose delivery has been deferred because the destination mail server was unavailable. The system will attempt to deliver these messages at a later time. The delivery retry settings are configured via Configuration > Mail > Delivery.

ƒ Quarantined Mail — Indicates the number of messages that have been sent to the administrative quarantine area. These messages can be viewed and managed via Activity > Queue/Quarantine > Message Quarantine.


Mail traffic summary

The Traffic Summary section displays a graph showing how many inbound and outbound email messages have been processed by the system.

The Traffic Summary display can be customized to display statistics for the last 60 minutes, 24 hours, 7 days, or 31 days by using the drop-down list. Information on the Dashboard is updated every 60 seconds when the default, Last 60 Minutes, is selected. The screen will be updated hourly if set to Last 24 Hours, and updated every 24 hours if set to Last 7 Days and Last 31 Days.

The following statistics are displayed:

ƒ ReputationAuthority — Indicates the number of messages that were rejected by ReputationAuthority and other features that reject a message before the SMTP connection is complete. This category is displayed for inbound mail only. This statistic includes the following connection rejects:

ƒ ReputationAuthority Connection Reject (Reputation, Infection, and Dial-up)

ƒ DNS Block List Reject

ƒ Threat Prevention Reject

ƒ Specific Access Pattern Reject

ƒ Pattern Filter reject

ƒ Connection Rule reject

ƒ Reject on unauthorized SMTP pipelining

ƒ Reject on unknown sender domain

ƒ Reject on missing reverse DNS

ƒ Reject on missing sender MX

ƒ Reject on non FQDN sender

ƒ Reject on Unknown Recipient

ƒ Reject on missing addresses

ƒ Reject if number of recipients exceeds maximum

ƒ Reject if message size exceeds maximum

ƒ Virus + Spyware — Indicates the number of messages that contained viruses or spyware, or were malformed.

ƒ Spam — Indicates the number of messages that have been classified as spam, including Certainly Spam, Probably Spam, Maybe Spam, ReputationAuthority spam, and DNS Block List Spam. This category is displayed for inbound mail only. This category also depends on the Spam logging configuration in Configuration > Miscellaneous > Reports. The spam action of Just Log will be counted in the total if enabled in the spam logging configuration.

ƒ Content Control — Indicates the number of messages that have had their content classified by the Content Control features such as Attachment Control, Content Scanning, Pattern Filters, Content Rules, Document Fingerprinting, and Objectionable Content Filtering.

ƒ Clean — Indicates the number of messages that have been processed by the system that have passed all security, spam, and content checks. This includes messages that have been detected by these features but have an action of Just Log.
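As an added example (not code from the WatchGuard guide or product), the following Python applies the counting rules above to a constructed set of Recent Mail Activity records. The record fields, the grouping of Status values into categories, and the handling of the inbound-only and Just Log rules are assumptions drawn from this chapter.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class MailRecord:
    """One row of Recent Mail Activity (constructed shape, not the XCS schema)."""
    direction: str  # "inbound" or "outbound"
    status: str     # Status column value; "" when no check was triggered
    action: str     # Action column value, e.g. "Reject", "Quarantined", "Just Log", "Pass"


# Status values grouped into Traffic Summary categories. The grouping is an
# assumption drawn from the status table in this chapter, not a product list.
REPUTATION_STATUSES = {
    "ReputationAuthority Reputation above threshold", "ReputationAuthority Infected",
    "ReputationAuthority Dialup", "DNSBL matches above threshold", "TDR", "SAP",
    "Invalid Sender Domain", "Non-FQDN", "Missing reverse DNS", "Missing MX",
    "Unknown sender domain", "Unknown recipient",
}
VIRUS_STATUSES = {"Virus - McAfee", "Virus - Kaspersky", "Malformed", "Very Malformed"}
SPAM_STATUSES = {"Certainly Spam", "Probably Spam", "Maybe Spam"}
CONTENT_STATUSES = {"Attachment Control", "ACS", "PBMF", "Rules", "DFP", "OCF"}


def categorize(rec: MailRecord, count_just_log_spam: bool) -> set:
    """Return the Traffic Summary categories a record is counted under.

    A record can land in two categories: a message that was detected but only
    logged (action Just Log) is counted as Clean as well.
    """
    cats = set()
    if rec.status in REPUTATION_STATUSES:
        # Connection rejects are shown for inbound mail only
        if rec.direction == "inbound":
            cats.add("ReputationAuthority")
    elif rec.status in VIRUS_STATUSES:
        cats.add("Virus + Spyware")
    elif rec.status in SPAM_STATUSES:
        # Spam is inbound only; Just Log spam is counted only when the spam
        # logging configuration (Configuration > Miscellaneous > Reports) allows it
        if rec.direction == "inbound" and (rec.action != "Just Log" or count_just_log_spam):
            cats.add("Spam")
    elif rec.status in CONTENT_STATUSES:
        cats.add("Content Control")
    # Clean: passed every check, or was detected but only logged
    if rec.status == "" or rec.action == "Just Log":
        cats.add("Clean")
    return cats


def traffic_summary(records, count_just_log_spam: bool = True) -> dict:
    """Tally records per direction and category, as the Traffic Summary graph does."""
    summary = {"inbound": Counter(), "outbound": Counter()}
    for rec in records:
        for cat in categorize(rec, count_just_log_spam):
            summary[rec.direction][cat] += 1
    return summary


# Constructed sample records for illustration (not real XCS data)
SAMPLE_RECORDS = [
    MailRecord("inbound", "ReputationAuthority Dialup", "Reject"),
    MailRecord("inbound", "Virus - McAfee", "Quarantined"),
    MailRecord("inbound", "Certainly Spam", "Reject"),
    MailRecord("inbound", "Maybe Spam", "Just Log"),
    MailRecord("inbound", "OCF", "Just Log"),
    MailRecord("inbound", "", "Pass"),
    MailRecord("outbound", "Attachment Control", "Quarantined"),
    MailRecord("outbound", "", "Sent"),
]

if __name__ == "__main__":
    for direction, counts in traffic_summary(SAMPLE_RECORDS).items():
        print(direction, dict(counts))
```

With the sample records, the two Just Log messages are counted as Clean in addition to their Spam and Content Control categories, which is why the Dashboard totals can exceed the number of messages processed.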


Recent mail activity

The Recent Mail Activity screen displays information on the most recent mail messages that have passed through the system. The data updates every 60 seconds and will also update when the screen is refreshed.

ƒ Time — The timestamp indicating when the message was processed by the system.

ƒ Queue ID — Each message that passes through the system is identified by a unique message identification number. Click the Queue ID of the message to view the details of the message processing.

ƒ Sender — Indicates the email address of the sender of the mail message.

ƒ Recipient — Indicates the email address of the recipient of the mail message.

ƒ Status — Indicates which feature acted upon the message if a security or content check was triggered. For example, “OCF” indicates that the message was acted upon by the Objectionable Content Filtering feature.

ƒ Action — Indicates the final action that was performed on the message after processing, such as “Reject”.


Web summary

The Web Summary statistics screen displays information on web traffic passing through the system and contains statistics on the types of Blocked Content, Connections, Web Cache Efficiency, Top 5 Blocked Web Sites and IP Addresses/Users, and Top 5 Browsed Web Sites and Browsing Users.

Web traffic

The Web Traffic section contains information on the number of web requests and downloaded files that were blocked due to URL and content issues, including the current number of active connections utilizing the Web Proxy.

The Web Traffic Summary display can be customized to display statistics for the last 60 minutes, 24 hours, 7 days, or 31 days by using the drop-down list. Information on the Dashboard is updated every 60 seconds when the default, Last 60 Minutes, is selected. The screen will be updated hourly if set to Last 24 Hours, and updated every 24 hours if set to Last 7 Days and Last 31 Days.

Blocked content

ƒ URL Categorization — Indicates the number of web connections that were blocked because the URL accessed was listed in a URL Categorization list of blocked web sites.

ƒ Virus — Indicates the number of web downloads and uploads that contained a virus.

ƒ Spyware — Indicates the number of web downloads and uploads that contained spyware.

ƒ Content Control — Indicates the number of web request uploads and downloads that were blocked due to content control issues detected by Attachment Control, Content Scanning, and Objectionable Content Filtering.

ƒ Other — Indicates the number of web messages that were blocked due to other reasons that are not covered in the listed categories, including URL Block Lists and the HTTP Block Sites List.

Connections

Indicates the number of active connections between the Web Proxy and external web servers, including a graph of the number of connections over the selected time period. This statistic is the average number of connections in the selected reporting period. For example, when Last 60 Minutes is selected, this indicates the average number of active connections every minute. If Last 24 Hours is selected, this indicates the average number of active connections per hour. If Last 7 Days or Last 31 Days is selected, this indicates the average number of active connections per day.


Web Cache Efficiency

The system contains a web cache that caches data and images from web sites accessed by users of the Web Proxy. This improves performance and reduces bandwidth for subsequent accesses of these web sites, as the data and images will be read from the disk cache instead of retrieving data over the Internet. When a request is received, the system will compare its cached data with the requested web site to ensure it has the latest data, and new web site updates will be reflected in the disk cache.

The Web Cache Efficiency counter indicates the percentage of requests (from 1 to 100) that were served from the cache (a cache “hit”). Any request that does not find the object in the web cache goes out to the Internet to retrieve the content. The value will increase after your system has been running for at least 24-48 hours. When it reaches a baseline level (typically between 15 and 20%), you will be able to recognize changes in efficiency. If your efficiency gradually decreases, it may indicate that your cache is corrupted and needs to be flushed (via Activity > Status > Status/Utility). The Web Cache Efficiency percentage reflects information collected from the previous two weeks.


Top 5 Blocked Web Sites

This list indicates the top five web sites that have been blocked due to security and content issues such as viruses, spyware, content controls, URL block lists, HTTP blocked sites, and URL Categorization. The top five blocked web sites are updated every 60 seconds, and reflect information collected from the previous week.

Top 5 Blocked IPs/Users

This list indicates the top five IP addresses or Users (if authentication is enabled) that have been blocked due to security and content issues such as viruses, spyware, content controls, URL Block Lists, HTTP Blocked Sites, and URL Categorization. The top five blocked IPs/Users are updated every 60 seconds, and reflect information collected from the previous week.

Top 5 Browsed Web Sites

Indicates the top five most browsed web sites. The Browsed Websites value indicates specific web site “visits”. This statistic does not count each individual web site “hit” that results in hit counts for each retrieved image, subdomain file, and so on. A single web site visit may include several “hits” to the same web site domain in a specific period of time. This list is updated every 60 seconds, and reflects information collected from the previous week.


Top 5 Browsing Users

Indicates the top five users with the most browse time. This value represents the total amount of browse time for the specific user from all of their browse time sessions. If authentication is enabled, the user’s email address will be displayed. If authentication is disabled, the user’s IP address will be displayed. This list is updated every 60 seconds, and reflects information collected from the previous week.

Recent web activity

The Recent Web Activity screen displays information on the most recent blocked web requests that have passed through the system. The data updates every 60 seconds and will also update when the screen is refreshed.

ƒ Time — The timestamp indicating when the request was processed by the system.

ƒ Request ID — Each web request that passes through the system is identified by a unique Request ID. Click the Request ID of the web request to view the details of the request processing.

ƒ Request From — The source of the web request displayed as the user name and the IP address of the client. If authentication is not enabled, the user name will display “unknown user”.

ƒ Request To — Indicates the destination URL of the web request. For example: http://www.example.com.

ƒ Status — Indicates which feature acted upon the request if a security or content check was triggered. For example, a status of OCF indicates that the request was acted upon by the Objectionable Content Filtering feature.

ƒ Action — Indicates the final action that was performed on the request after processing, such as “Reject”.

In the default Web Proxy configuration, only rejected requests or requests that are matched in a content control feature will be logged in the Recent Web Activity screen. To view the activity of all Web requests, including those that passed all security and content checks, enable Verbose Logging in Configuration > Web > HTTP/S Proxy advanced settings.

The Verbose Logging option should only be enabled for troubleshooting purposes for a short duration of time. Performance will be negatively affected when Verbose Logging is enabled and the system is processing web requests.


Status and actions

The following tables describe the different types of messages that can appear in the Status and Action columns on the Recent Mail Activity and Recent Web Activity screens.

Status

TDR — Message was acted upon by the Threat Prevention feature

Very Malformed — Message was considered very malformed

Invalid Sender EHLO — Message sender does not have a valid sender EHLO

Invalid Sender HELO — Message sender does not have a valid sender HELO

Invalid Sender Domain — Message sender domain does not have a valid DNS A or MX record

Non-FQDN — Message sender is not in proper FQDN (Fully Qualified Domain Name) form

Missing reverse DNS — Message sender does not have a corresponding PTR record for reverse lookups

Unknown sender domain — Message sender domain does not have a valid DNS A or MX record

Missing MX — Message sender domain does not have a valid DNS MX record

Unknown recipient — Message included an unknown recipient

Virus - McAfee — Message was acted upon by McAfee Anti-Virus

Virus - Kaspersky — Message was acted upon by Kaspersky Anti-Virus

PBMF — Message was acted upon by a Pattern Filter

Rules — Message was acted upon by Content/Connection Rules

Malformed — Message was classified as malformed

Threat Outbreak Control — Message was acted upon by the Outbreak Control feature

Mail Access Control — Message was acted upon by Mail Access controls

Attachment Control — Message was acted upon by the Attachment Control feature

OCF — Message was acted upon by the Objectionable Content Filter

Trusted Sender — Message contained a Trusted Sender that bypassed all spam filters

ACS — Message was acted upon by the Content Scanning feature

DFP — Message was acted upon by Document Fingerprinting

SAP — Message was acted upon by a Specific Access Pattern

PostX Encrypt — Message was encrypted by PostX encryption

Certainly Spam — Message was classified as Certainly Spam by Intercept

Probably Spam — Message was classified as Probably Spam by Intercept

Maybe Spam — Message was classified as Maybe Spam by Intercept

HAM — Message was trained as legitimate mail by Token Analysis

DomainKeys — Message was acted upon by DomainKeys

SPF — Message was acted upon by Sender Policy Framework (SPF)

ReputationAuthority Dialup — Message was classified by ReputationAuthority as a dial-up connection

DNSBL matches above threshold — Message was acted upon by the DNS Block List feature and exceeded the DNS Block List threshold

ReputationAuthority Reputation above threshold — Message was classified by ReputationAuthority as above the configured reputation threshold

Mail Anomalies — Message was acted upon by the Mail Anomalies feature

ReputationAuthority Infected — Message was considered to be sent from a recently virus-infected source by ReputationAuthority

Relay — Message was relayed to another system

UBL Matches above threshold — Message was acted upon by the URL Block List feature and exceeded the URL Block List threshold

Clean — Message passed all threat and content checks

Blocked Sender — Message contained senders on a Blocked Sender list

URL Categorization — Web request was acted upon by the URL Categorization feature

HTTP Blocked — Web request was acted upon by the HTTP Blocked Sites list

TLS Failure — Message failed to connect via TLS

TLS Used — Message was delivered via TLS

TLS Refused — Attempt to deliver message via TLS was refused

TLS Not Offered — TLS was not offered when message was delivered

Attachment Size — Attachment size of a message was greater than the size threshold

Action

Discard — The message was discarded without notification to the sender

Quarantined — The message was sent to the administrative quarantine area

Subject Modified — The message subject was modified before being delivered

Header Added — A message header was added before being delivered

Reject — The message was rejected with notification to the sender

Temporary Reject — The message was temporarily rejected and the system will attempt to deliver the message at a later time

Undeliverable — The message is considered permanently undeliverable after multiple attempts to deliver the message

Bounce — The message has been bounced back to the sender by the destination mail server and is permanently undeliverable

Incomplete — The SMTP connection to deliver the message was not completed

Failed — The attempted message delivery failed

Release — The message was released from the quarantine

Relay — The message has been relayed to another system

Soft Bounce — The message was bounced back by the destination mail server before it reached the intended recipient

Sent — The message has been sent but there is not yet confirmation of its delivery

Forwarded — The message has been forwarded to another recipient

Deferred — The message delivery has been deferred and will be attempted at a later time

Delayed — The message delivery has been delayed and will be attempted at a later time

Redirect — The message has been redirected to another system, such as a quarantine or encryption server

BCC — A Blind Carbon Copy was created for the message and sent to the BCC contact

Bypass — The message bypassed all spam and content controls

PostX Encrypt — The message was encrypted by the integrated PostX encryption engine

Trust — The message was considered trusted for scanning purposes

Accept — The message was accepted for scanning and delivery

Archive Copy — The message was copied to an archive server

Pass — The message passed all threat and content scanners and was delivered to its destination

Do Not Train — The message will not be used as training for Token Analysis

Not Trained — The message was not used as training by Token Analysis

Just Log — The action on the message was only logged, and the message delivered to its destination

Trained — The message was used for training by Token Analysis


System Status and Utilities

The Status & Utility screen (accessed via Activity > Status > Status & Utility) provides the following information:

ƒ A snapshot of the system status, including information on uptime, load average, amount of swap space, current date and time, disk usage, RAID status, NTP status, and Anti-Virus pattern file status.

ƒ Controls to start and stop the message processing and flush the message queues.

ƒ Diagnostic tools such as a Hostname Lookup function, SMTP Probe, Ping, and Traceroute utilities that are useful for resolving message and networking problems.

ƒ System hardware configuration information.

System status

The System Status section contains system statistics such as the total system uptime, load average, the amount of used swap and disk partition space, RAID status, NTP server status, and Anti-Virus pattern update status.


Utility functions

The Utility Functions section allows you to control the following system services:


ƒ Messaging System Control — You can stop or start all email and web messaging services by clicking on the Stop or Start Messaging System Control button.

The Stop and Start messaging controls are replicated in a cluster environment. Stopping message processing on the Primary will stop message processing on all systems in the cluster.

ƒ Disable/Enable Sending and Receiving — Alternatively, you can enable or disable only the receiving or sending of messages by clicking the appropriate button. This is useful if you only want to stop the processing of messages in one direction. For example, you may want to turn off the sending of messages to troubleshoot errors with SMTP delivery, while still being able to receive incoming messages.

ƒ Flush Mail Queue — The Flush button is used to reprocess any queued mail in the system. Only click this button once. If the mail queue does not process, you may be having other types of delivery problems, and reprocessing the mail queue will only add additional load to the system.

ƒ Flush DNS Cache — Click the Flush button to remove all entries from the current DNS cache. Use this option to clear the entries in the DNS cache if you are having issues resolving host names because of cached DNS queries.

ƒ Flush Web Cache — Click the Flush button to manually purge the HTTP Proxy web disk cache. Administrators may need to purge the entire web cache if there are issues with certain web pages not updating with newer content, or issues connecting to specific web sites.

ƒ Flush Domain Web Cache — The Web Cache can be flushed for a specific domain only. The URL must be specified exactly the way it will be accessed, such as www.example.com, or news.example.com. Subdomains will not be included and must be separately flushed. When the domain has been entered, click the Flush button.

ƒ Policy Trace — Click the Enable Policy Trace button to enable more detailed logging of policy resolution in the messaging logs.

ƒ Flush Web Single Sign-on Sessions — Flushes all Web Proxy authenticated single sign-on sessions for both Proxy and Portal IP address-based authenticated users. Current Web Proxy users must reauthenticate before being allowed access via the Web Proxy.


Diagnostics

The Diagnostics section contains networking and SMTP utilities to help troubleshoot network and message delivery issues. See “Network and Message Diagnostics” on page 439 for more detailed information on using these diagnostic tools for troubleshooting.

ƒ Hostname Lookup — Allows you to verify host name resolution by looking up a host on a DNS name server.

ƒ SMTP Probe — Allows you to send a test email to a remote SMTP server.

ƒ Ping — Ensures network connectivity via ICMP ping.

ƒ Traceroute — Ensures routing connectivity by tracing the routes of network data from the source to the destination server.

Current admin and WebMail users

The Current Admin and WebMail Users section allows you to see who is logged in via the web admin interface or through a WebMail session.

Configuration information

The Configuration Info section shows you important system information such as the current version of the system software, the time it was installed, and licensing and hardware information.


Mail Queue

The Mail Queue page contains information on mail waiting to be delivered. Mail may be deferred because the destination mail system cannot be contacted.

If a message is deferred, the following schedule is used to attempt another mail delivery:

ƒ 1000 seconds (first retry)

ƒ 2000 seconds (second retry)

ƒ 4000 seconds (third and subsequent retries until the message is delivered or the message expires in the queue)

The Maximum Time in Mail Queue setting is configured via Configuration > Mail > Delivery. The default is 5 days.

To view and manage the mail queue:

1. Select Activity > Queue/Quarantine > Mail Queue.

2. You can perform the following actions:

ƒ You can search for a specific mail message using the Search field.

ƒ Messages that appear to be undeliverable can be removed by selecting them and then clicking the Remove link.

ƒ Select Remove All to remove all messages in the queue.

ƒ Any mail messages in the mail queue can be processed out of the queue by clicking the Flush Mail Queue button. Only click this button once. If the mail queue does not process, you may be having other types of delivery problems, and reprocessing the mail queue will only add additional load to the system.


Message Quarantine

The Message Quarantine contains messages that have been quarantined because of a virus, malformed message, content violation, an illegal attachment, or attachments over the size limit.

To view and manage the message quarantine:

1. Select Activity > Queue/Quarantine > Message Quarantine.

2. You can perform the following actions:

ƒ Click a Message ID number to view the message details

ƒ Click the Delete button to delete the message from the quarantine

ƒ Click the Release button to release messages from the quarantine and deliver them to their original destination

The Delete All and Release All buttons are used specifically with the search function. You must enter a specific search pattern before using these controls. It is recommended that you use the Expiry Options button to clear the quarantine area of all messages beyond a certain date.

3. Use the Search field to look for specific messages within the quarantine.

For example, you could search for the name of a specific virus so that any quarantined messages infected with that specific virus will be displayed.

The following message fields are searchable:

ƒ Sender, Recipient, or QueueID

ƒ Type (such as attachment, attachment size, malformed, virus, spyware, objectionable, compliance, antispam, pbmf, content rules, dfp, or possible virus) to restrict the search to those types of messages. You can combine the specified message type with an attachment, virus, or spyware name, such as attachment file.exe.

ƒ Date and time (such as 2009-09-14, 20:27:34, or both 2009-09-14 20:27:34)

ƒ Filename

ƒ Virus or spyware name

ƒ File Size


Quarantine expiry options

An expiry term can be set so that quarantined messages will be deleted after a certain period of time. You can use this feature to flush all messages from the quarantine area on a regular basis.

To set the expiry options:

1. Click Expiry Options.

2. Choose the Expire Options mode:

ƒ Expire only on disk full — The Quarantine will expire messages from the quarantine when the disk is 90% full.

ƒ Expire per settings — The Quarantine will expire messages based on the administrator's configured settings.

ƒ Days — Enter how many days to keep a quarantined message before deleting it.

ƒ Disk usage (percentage) — Enter a percentage of disk usage that can be used by the quarantine storage area. Valid values are between 10% and 90%. The disk partition used by the quarantine is the “System Data Storage Area” partition. If the disk partition usage grows beyond this size, messages will be expired starting with the oldest message until the percentage is below the limit.

The Delete All and Release All buttons are used specifically with the search function. You must enter a specific search pattern before using these controls. It is recommended that you use the Expiry Options button to clear the quarantine area of all messages beyond a certain date.

3. Click the Apply button to apply these settings for new quarantined messages, or click the Apply and Expire Now button to apply these settings and expire currently quarantined messages immediately.


Message History

Every message that passes through the system generates a database entry that records information about how it was processed, filtered, and delivered. To see how the message was processed, you can examine the message history database to see the disposition of the message.

Messages can be searched and displayed based on the type of message (email and web) and the message part. For example, you can search for partial or specific text in the subject header of all email messages in the database.

To view the message history:

1. Select Activity > History > Message History .

2. Examine the Status column for full information on how a message was processed and its final disposition.

3. Use the search fields to filter the message history results.

All simple search fields default to exact matches, except for “Subject” which accepts partial matches, and “Domain part” that matches the ending of a domain part. For more detailed and flexible searches, use the Advanced Search option.

You can also perform the following actions:

• Click the Download these results link to save the search results as a local file

• Click on a Message ID to view the details of the message

• Click the Show Log button to see the corresponding log entry for this message


Email history search

Email messages can be searched using the following message fields:

• FROM/Sender — Searching on FROM/Sender includes the following message fields. These specific message fields can also be searched individually:

  • Envelope Address — The Envelope From address in the SMTP envelope.

  • Header Address — The From address in the message header.

  • Display Name — The name displayed with the email address, such as John Smith.

• TO/CC/BCC/Recipients — Searching on TO/CC/BCC/Recipients includes the following message fields. These specific message fields can also be searched individually:

  • Account/Mailbox Part (such as user1 in the email address [email protected])

  • Domain Part (such as example.com)

• Subject — Searches the subject field of a message. The subject search also matches variations of the specified text anywhere in the subject. For example, if you search on spam message, the system will match spam message, message spam, this message is spam, and also plurals such as spam messages.

• SMTP HELO message — Searches on text within the SMTP HELO message that identifies the SMTP client to the server.

• Client IP — Searches on the client IP address, such as 10.0.1.100.

• Client Host — Searches on the client hostname, such as hostname in the fully qualified domain name hostname.example.com.

• Message ID — Searches on the Message ID that is added by a mail server, such as [email protected].

• Queue ID — Searches on the Queue ID of a message, such as CE9D0C23183D8E2B.

• Prior Queue ID — Searches on the prior Queue ID of a message. If a message is forwarded because of alias expansion, vacation notification, or because it was bounced, a new message is created in the queue, and its Prior Queue ID is the Queue ID of the original message.

• Virus — Searches for messages that contained a specific virus.

• Spyware — Searches for messages that contained a specific type of spyware.

• Attachment Type — Searches messages for specific attachment types.

• Authentication — Searches messages based on their SMTP authentication status.


HTTP history search

Web requests and sessions can be searched using the following fields. There are no message details for successful web sessions; however, the browse time for successful sessions is shown in the Status column of the search results.

• Client IP — Searches web requests and sessions based on the IP address of the web client, such as 10.0.1.100.

• Request ID — Searches on the Request ID, the unique identifier added to the request by the system, such as 8290352619373D0. This field can also be used to search web sessions.

• URL — Searches on the URL of the HTTP request, such as www.example.com. This field can also be used to search web sessions.

• Request From — Searches on the user name of the originating client request if authentication is enabled for the Web Proxy. If authentication is not enabled, use the Client IP option to search requests for specific client IP addresses. This field can also be used to search web sessions.

• Virus — Searches for messages that contain the specified virus.

• Spyware — Searches for messages that contain the specified spyware name.

• Attachment Type — Searches on the attachment type of any attachments filtered by the Attachment Control and Content Scanning features. The specified search term must match the Content-Type of the attachment as displayed in the HTTP log. For example, to match a .exe attachment, enter a partial or exact search on the Content-Type name application/x-msdos-program.

Advanced search

Click the Advanced Search link to expand the number of options to use for searching the database. The advanced search includes additional parameters such as advanced date ranges, message direction, TLS status, and the final action taken on messages.


Message history search tips

The message history search methods have been optimized to work most efficiently when attempting to locate messages using specific criteria within a narrow time period. Try to narrow your searches to the smallest time period possible, and avoid searching for all time periods (Anytime). This is especially important for systems processing a large volume of messages, as narrowing your search to a single daily time period is the most efficient way to retrieve results.

On the Simple Search page, the default search criteria option is exactly matches (case sensitive) for all search items except for the following:

• Subject — Defaults to contains. Subject contains searches are indexed by keywords, and common English words such as “we”, “the”, “and”, or “all” are ignored.

• Recipient Domain Part — Defaults to ends with.

For all other search items, the contains option is the least-efficient possible search method. If possible, narrow your search using the options exactly matches , starts with or ends with which are more efficient for message searching. For more detailed and flexible searches, use the Advanced Search page.

Specifying the following search fields in your query will allow for the most efficient searches:

• Queue ID

• Sender Envelope Address

• Sender Header Address

• Sender Display Name

• Recipient Account/Mailbox Part

• Recipient Domain Part

• Subject

System history

The System History is a log of system-related information and events such as processes, message queue sizes, admin and login activity, network/disk space usage, swap file, and disk paging statistics.

To access the system history:

1. Select Activity > History > System History .


2. Set the Search Criteria to limit the search to a specific range of dates or number of days.

Search results can be filtered based on the type of system activity/process, or a specific hardware device.

See the following table for a description of the search fields.

Admin Actions: Displays a list of actions taken by an administrative user, including commands and logins.

Avg. Waiting Processes: The average number of waiting CPU processes for the past 1, 5, and 15 minutes.

DNS Lookup Performance: Displays performance information for DNS lookups.

Disk Loading (Other): Displays the MB per second, KB per transfer, and transfers per second for each non-SCSI disk.

Disk Loading (SCSI): Displays the MB per second, KB per transfer, and transfers per second for each SCSI disk.

Disk Usage: Amount (in KB) of used disk space, total available disk space, and percentage used for each disk slice.

Disk Usage Inodes: Used inodes, available inodes, and percentage of inodes used for each disk slice.

Login Failures: Displays information on failed web admin or WebMail logins to the system.

Login Success: Displays information on successful web admin or WebMail logins to the system.

Logout: Displays information on web admin or WebMail logouts from the system.

Logout Expiry: Displays information on logins that expired and were automatically logged out of the system.

Network Usage: Amount of data inbound and outbound (in bytes) on the network interface.

Paging: The number of disk pages in and out.

Pattern File Download: Status of Anti-Virus pattern file downloads.

Queue size: Amount of mail waiting in the Mail or Deferred Queue.

Swap: Used and available swap space in megabytes.


Connection History

The Connection History is a log history of connections to the system from other systems. The history shows the time of the connection, the server name and IP address, the action taken on the connection and its source, properties (trusted or untrusted), and the reject details if the message was rejected.

To view the connection history:

1. Select Activity > History > Connection History .

2. Set the Search Criteria to limit the search to a specific range of dates or number of days.

3. Search results can be filtered based on the actions taken on that connection and the action source, such as a connection refused because of a low reputation by ReputationAuthority.

See the following table for a description of the search fields.

The Sender and Recipient fields will be empty for connections that are rejected before that information is received, such as in the case of an IP address that was blocked.

Action:

Accept: Connection passed the initial connection checks and was accepted by the system.

Just Log: Connection and its processing was logged only.

Pass: Connection was accepted by the system and the messages passed all content and security checks.

Reject: Connection was rejected with notification to the connecting system.

Relay: Connection was relayed via this system.

Temporary Reject: Connection was temporarily rejected. The connection can be retried at a later time.


Source:

Reputation Dialup: Connection was detected as a dialup source by ReputationAuthority.

Reputation Infected: Connection was considered to be a source of virus infections by ReputationAuthority.

Reputation above threshold: The connection’s ReputationAuthority reputation exceeded the reputation reject threshold.

Blocked Sender: Sender of a message in the connection was on the Blocked Senders List.

Clean: Connection was allowed and messages were processed as clean.

DNSBL matches above threshold: Connection was rejected by a DNS Block List because the number of DNSBL matches exceeded the threshold.

Invalid Sender Domain: Connection contained an invalid sender domain address.

Mail Access Control: Connection violated a threshold in the Mail Access settings (such as message too large).

PBMF: Connection matched a Pattern Filter rule.

Relay: Connection was allowed to Relay via this system.

SAP: Connection matched a Specific Access Pattern.

TDR: Connection was acted upon by the Threat Prevention feature.

Trusted Sender: Sender of a message in the connection was on a Trusted Senders List.

UBL Matches above threshold: Connection contained a URL that was matched on a URL Block List.

Very Malformed: Connection contained very malformed messages.

Rule Match: Connection information was matched in a Connection Rule.


Configure a Syslog Host

All of the system’s log files can be forwarded to a syslog server, which is a host that collects and stores log files from many sources. The syslog files can then be analyzed by a separate logging and reporting program.

To define a syslog host:

1. Select Configuration > Network > Interfaces .

2. In the Host Settings section, enter the address of the syslog server in the Syslog Host field.


SNMP (Simple Network Management Protocol)

Simple Network Management Protocol (SNMP) is the standard protocol for network management. When enabled on the WatchGuard XCS, this feature allows standard SNMP monitoring tools to connect to the SNMP agent running on the system and extract real-time system information.

The information available from the SNMP agent is organized into objects which are described by the MIB (Management Information Base) files. The information available includes disk, memory, and CPU statistics, mail queue information, and statistics on the number of spam or virus-infected emails. An SNMP trap can be sent when the system reboots.

The SNMP MIB files are based on SNMP version 2 and are backwards compatible with version 1.

The SNMP agent service is installed and running by default, but it must be enabled specifically to monitor a network interface as required.

To add SNMP access to a network interface:

1. Select Configuration > Network > Interfaces .

2. Select the SNMP Agent check box on the required interface.

It is strongly advised that the agent only be configured for the internal (trusted) network.

3. Click Apply .

The system must be restarted.


Configure SNMP

To configure SNMP:

1. Select Configuration > Network > SNMP .

2. Select the Send Trap on Reboot check box to send a trap message to your SNMP trap host whenever the system reboots.

A trap will be sent when the system shuts down, and another trap will be sent when the system starts up again.

3. Enter the email address of the System Contact for this WatchGuard XCS.

4. Enter the System Location for this WatchGuard XCS.

5. Enter the Read-Only Community string (case-sensitive) for this system.

By default, the system does not allow read/write access to the SNMP agent. For read access, you must set up a read-only community string on both the agent and your SNMP management application for authentication. It is recommended that you change the default community string “public” to a more secure value. Note that SNMP v1 and v2c send the community string in cleartext in every request, so it is not a secret against anyone who can observe traffic on that interface; the interface restriction and the Permitted Clients list are what actually limit who can query the agent.

6. Click Apply .

Permitted clients

To allow access to the system’s SNMP agent, you must specifically add the client system to the list of SNMP permitted clients.

To add permitted clients:

1. Enter the address of your SNMP management station.

The clients can be specified using a host name, IP address, or CIDR network address (192.168.128.0/24).

2. Click Add to add the permitted client.

3. Click Apply .
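The community string is the only credential an SNMPv1/v2c agent checks, and it travels in cleartext in every request. The following added example (not WatchGuard code; it assumes only standard SNMPv2c BER encoding and the MIB-2 object sysDescr.0, and the community string and the 161/udp port are the protocol defaults, not anything read from an XCS) builds a GetRequest by hand and then pulls the community string back out of the raw bytes, which is exactly what anyone sniffing the interface can do. That is why the agent belongs on the trusted interface only, with access restricted to the Permitted Clients list rather than to whoever knows the string.

```python
import socket

# Added example (not WatchGuard code): hand-encode an SNMPv2c GetRequest for
# sysDescr.0 in BER, then parse the community string back out of the bytes
# exactly as a passive observer on the wire could.

SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"  # standard MIB-2 object, not XCS-specific


def ber_length(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(payload)) + payload


def encode_int(n: int) -> bytes:
    """Non-negative INTEGER; the extra octet when needed keeps the sign bit clear."""
    if n < 0:
        raise ValueError("negative integers are not needed here")
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one octet
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))  # continuation bit on leading groups
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))


def build_get_request(community: str, oid: str, request_id: int) -> bytes:
    varbind = tlv(0x30, encode_oid(oid) + b"\x05\x00")  # { OID, NULL }
    pdu = tlv(0xA0, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(0x30, varbind))                      # GetRequest-PDU
    # version INTEGER 1 means SNMPv2c; the community is a plain OCTET STRING
    return tlv(0x30, encode_int(1) + tlv(0x04, community.encode("ascii")) + pdu)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, payload, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def extract_community(packet: bytes):
    """What a sniffer sees: version and community are ordinary fields, not secrets."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, version, nxt = read_tlv(msg, 0)
    tag2, community, _ = read_tlv(msg, nxt)
    if tag != 0x02 or tag2 != 0x04:
        raise ValueError("unexpected message layout")
    return int.from_bytes(version, "big"), community.decode("ascii", "replace")


def send_get(host: str, packet: bytes, port: int = 161, timeout: float = 3.0) -> bytes:
    """Send the request to a real agent and return the raw response (network use only)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        return sock.recv(4096)


if __name__ == "__main__":
    pkt = build_get_request("public", SYS_DESCR_0, 0x1234)
    print(pkt.hex())
    print(extract_community(pkt))  # (1, 'public')
```

Run it as-is to see the packet bytes and the recovered community string; `send_get(host, pkt)` sends the same request to a live agent, and the reply will only come back from an address on the Permitted Clients list.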


Trap hosts

A trap host is an SNMP management station that will be receiving system traps from the WatchGuard XCS. The system will send an SNMP trap when the system is shut down or restarts.

To add trap hosts:

1. Enter a list of hosts that will receive trap messages.

The hosts can be specified using a host name or IP address.

2. Click Add to add the trap host.

3. Click Apply .

MIB files

The SNMP MIB files can be downloaded by clicking the Download MIBs button. These files must be imported into your SNMP management program. The MIB file contains a list of objects representing the information that can be extracted from the system’s SNMP agent.


Alarms

The WatchGuard XCS implements a variety of system alarms to notify the administrator of exceptional system conditions. Alarms are generated from the Queue Replication, LDAP, DNS Intercept queries, and Backup subsystems. For example, you can receive an alarm notification if the daily FTP backup fails, or if queue replication fails. Errors with LDAP user imports will also trigger an alarm.

You can select the type of alarm notifications to receive, such as Critical , Serious , and Warning events.

These notifications can be sent via:

• Alarms Indicator

• Email notification

• Console Alert

The following example shows the Alarms Indicator appearing on the administrative user interface screen.

The indicator will display how many new alarms have occurred. Click the Alarms Indicator to see a summary of the most recent alarms.

Click View all alarms in the alarms indicator, or select Activity > Status > Alarms to be taken to the local alarms page where all alarms and their full details can be viewed and acknowledged if required.


You must click Acknowledge to remove the alarm notification.

Tiered administrators will only have a read-only view of the Alarms indicator if the “View Alarms” permission is assigned. Alarms and the local alarms screen can be viewed, but tiered admins will not be able to acknowledge an alarm. Delegated Domain administrators will not have access to the alarms.

Alarms in a cluster

In a cluster of systems, local alarms can be viewed and acknowledged on each individual system in the cluster (Primary, Secondary, or Client). The alarms indicator on any cluster system will only show local alarms for the specific system, and acknowledging a local alarm will not clear its status for the cluster.

Alarms generated by the cluster are only available on the Cluster Primary system via Activity > Status > Cluster Alarms. The Cluster Alarms screen indicates alarms that appear on individual systems in the cluster and they can be viewed and acknowledged on the Primary system. The alarm will indicate the specific host in the cluster from where the alarm was generated.

In certain cases, a cluster alarm will appear on a Primary, Secondary, and Client. The alarms need to be acknowledged on all systems before the cluster alarm is cleared on the Primary.

Configuring alarms

To configure alarms and notifications:

1. Select Configuration > Miscellaneous > Alarms .


2. In the Send Escalation Mail section, select the types of alarms that will trigger an email to be sent to the Escalation Mail Address specified below.


3. In the Send Alarm Mail section, select the types of alarms that will trigger an email to be sent to the Alarm Mail Address specified below.

The alarm will only trigger once for a specific alarm. You will not receive another email alert for the alarm unless you acknowledge the alarm on the Dashboard and it occurs again.

You must have a valid address specified in the Email Addresses section for the alarm email notification to be sent.

4. In the Alert to Console section, select the types of alarms that will display an alert on the system console screen.

5. In the Alert to Alarms Indicator section, select the types of alarms that will display an alert on the main administrative user interface screen in the alarms indicator.

6. Enter the Escalation Mail Address to send escalation messages to.

7. Enter an Alarm Mail Address to send alarm messages to.

You should use SNMP for monitoring of system resources such as disk space and memory usage. See “SNMP (Simple Network Management Protocol)” on page 429 for more information.

Alarms list

The following table describes the types of alarms that can be triggered.

Critical:

  LDAP Lookup: LDAP lookup failed during delivery
  LDAP Lookup: LDAP lookup: Unable to bind to server
  LDAP Lookup: LDAP lookup: Search error 81: Can't contact LDAP server
  Queue Replication: Cannot connect to mirror
  kav_pattern_update: No available update servers
  QueueMonitor: Incoming queue size exceeded the upper limit. SMTPDs reject new requests temporarily.
  Restore: Finished: (indicates if restore successfully PASSED)

Serious:

  DNS status check (DNSBL, UBL, ReputationAuthority)
  Restore: Reporting: Finished: (indicates if reporting restore was completed)
  FTP Backup: FTP Backup Failed
  SFTP Backup: SFTP Backup Failed
  SCP Backup: SCP Backup Failed
  LDAP Import: LDAP import, Import of groups failed
  LDAP Import: LDAP import, Import of users failed
  LDAP Import: LDAP failed to download users, groups
  mxlogging: could not rollover/offload some files. Please see details in Systems Log (messages).
  mxlogging: [error message]


19 Troubleshoot your WatchGuard XCS

Troubleshoot Message Delivery

When experiencing message delivery problems, the first step is to examine if the problem is affecting only incoming messages, outgoing, or both. For example, if you are receiving messages, but not sending outgoing messages, it is certain that your Internet connection is working properly, or you would not be receiving messages. In this scenario, you may have issues with the firewall blocking your outbound connections, or some other problem preventing message delivery.

Problems affecting both inbound and outbound delivery include the following scenarios:

• Network Infrastructure and Communications — The most common scenario in which you are not receiving or sending messages is that your Internet connection is down. This can include upstream communications with your ISP, your connection to the Internet, or your external router. You should also check your internal network infrastructure to ensure you can contact the WatchGuard XCS from your router or firewall.

• DNS — If your DNS is not working or is configured incorrectly, messages will not be forwarded to your WatchGuard XCS, or you will not be able to look up external messaging or web servers. Check that the DNS service itself is running, and check your DNS records for any misconfiguration of your messaging services. Ensure that your MX records are set up correctly to direct messages to the WatchGuard XCS system.

• Firewall — If you are having issues with your firewall, or if it is misconfigured, it may inadvertently block message access to and from the WatchGuard XCS. For example, SMTP port 25 must be opened between the Internet and the WatchGuard XCS and internally to allow inbound and outbound message connections. Port 80 is required for HTTP web communications between the WatchGuard XCS and external web servers.

• Internal Messaging Systems — You may be receiving incoming messages on the WatchGuard XCS, but the messages are not being forwarded to the appropriate internal servers. Also, outgoing messages from the internal servers may not be forwarded to the WatchGuard XCS for delivery. In these scenarios, examine your internal messaging server to ensure it is working properly. Check communications between the two systems to ensure there are no network, DNS, or routing issues. Also check that your internal servers and web clients are configured to send outgoing messages and requests to the WatchGuard XCS.


• External Messaging and Web Servers — If you have a large amount of messages or requests to a particular destination, and that server is currently down, these messages will queue up in the deferred queue to be retried after a period of time. You can view the log files to see the relevant messages that may indicate why you cannot connect to that particular server. The server could be down, too busy, or not currently accepting connections.

Troubleshooting Tools

The following sections describe the built-in tools that can be used on the system to help troubleshoot message and web request issues.

Monitoring the Dashboard

The Dashboard provides a summary view that allows administrators to examine critical statistics for email and web traffic all on one screen. When checking email and web activity, examine the following items:


Check the Mail Resources section to view the number of messages in the Mail Queue and Deferred queue. This is a quick indicator of how your email messages are processing.

Ensure that the queues are not building up too high. This may indicate a message delivery issue. Also, check the number of incoming and outgoing connections, because you may experience system processing latency when a large number of concurrent connections are active.


In the Recent Mail Activity and Recent Web Activity portions of the Dashboard , check the timestamps of your most recent incoming and outgoing messages or web requests. If no messages or requests have been processed in a certain period of time, this may indicate that the inbound, outbound, or both directions are not working.

Check the mail and web traffic summaries regularly, because you may notice messaging system latency if you are receiving a lot of viruses, spam, or message rejects.

In the Web Summary , examine the web cache efficiency to ensure it is not at a low level compared to your typical cache efficiency baseline. Also, check the number of web connections, because you may experience system processing latency when a large number of connections are active.


Examine Log Files

The logs files for each messaging protocol (email and HTTP, accessed via Activity > Logs ) are the most important logs to monitor for message processing as they provide a detailed description of each message that passes through the system.

The start of a single message log entry begins with a “connect” message, and ends with the “disconnect” message. To ensure that you are looking at the entries for a specific message, check the Request ID (for web) or Message ID (for mail, such as 7FA528120033BE34 in the previous example) for each log entry to ensure they are for the same message.

Click the [+] or [-] to expand or collapse the log details for the specific Message or Request ID.

When more than one recipient is found within a message, only the first recipient is included in the log for the overall message summary.


Network and Message Diagnostics

On the Activity > Status > Status & Utility screen, there are messaging tools and networking diagnostic tools to help you troubleshoot possible networking problems and connectivity issues with other messaging servers. Examples of messaging tools include Hostname Lookups, SMTP Probe, Ping, and Traceroute.

Flush mail queue

The Flush Mail Queue option is used to flush and reprocess all queued email. You should only use this utility if you have a high amount of deferred mail that you would like to try and deliver. In environments with a high amount of deferred mail, this process can take a very long time.

If the deferred mail queue continues to grow, there are other problems that are preventing the delivery of mail and the Flush button should not be used again.

This button should only be clicked once because it will reprocess all queued mail.

Flush DNS cache

Click the Flush button to remove all entries from the current DNS cache. This option is used to clear the entries in the DNS cache if you are having issues resolving host names because of cached DNS queries.

Flush web cache

Click the Flush button to manually purge the Web Proxy disk cache. Administrators may need to purge the entire web cache if there are issues with certain web pages not updating with newer content, or issues connecting to specific web sites.

Flush domain web cache

The Web Cache can be flushed for a specific domain only. The URL must be specified exactly how it will be accessed, such as www.example.com, or news.example.com. Subdomains will not be included and must be flushed separately. When the domain has been entered, click the Flush button.


Policy trace

Click the Policy Trace button to enable more detailed logging of policy resolution in the messaging logs. The log entry will contain information similar to the following:

  policy_recipient=<[email protected]>, policy_user=<[email protected]> (remote=F), domain_policy=<2:Antispam enabled>, group_policy=<0:>, group_name=<>, user_policy=<4:OCF enabled> default_policy=<1:Default>
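When you are exporting these entries to a syslog host or a SIEM, the useful part of a policy-trace line is which of the four policy levels actually resolved to a named policy (an id of 0 with an empty name means none). The following added example (not WatchGuard code) parses the key=<value> layout shown above into a structured record; the sample line is constructed for the example, with invented addresses, and the parser only reports which levels are populated, without assuming anything about precedence between them.

```python
import re
from dataclasses import dataclass, field

# Added example (not WatchGuard code): parse the key=<value> pairs of an XCS
# policy-trace log entry and report which policy levels were populated.

# Constructed sample in the layout the guide shows; the addresses are invented.
SAMPLE_TRACE = (
    "policy_recipient=<user1@example.com>, policy_user=<user1@example.com> "
    "(remote=F), domain_policy=<2:Antispam enabled>, group_policy=<0:>, "
    "group_name=<>, user_policy=<4:OCF enabled> default_policy=<1:Default>"
)

PAIR_RE = re.compile(r"(\w+)=<([^>]*)>")       # key=<value>
REMOTE_RE = re.compile(r"\(remote=([TF])\)")   # the one field not in <...>
POLICY_RE = re.compile(r"(\d+):(.*)")          # id:name inside a *_policy value

# Listed in the order the trace prints them, not in precedence order.
POLICY_LEVELS = ("domain_policy", "group_policy", "user_policy", "default_policy")


@dataclass
class PolicyTrace:
    recipient: str
    user: str
    remote: bool
    group_name: str
    policies: dict = field(default_factory=dict)  # level -> (id, name) or None

    def populated_levels(self):
        """Levels that resolved to a named policy ('0:' means none at that level)."""
        return [lvl for lvl in POLICY_LEVELS if self.policies.get(lvl)]


def parse_policy_value(raw: str):
    """'2:Antispam enabled' -> (2, 'Antispam enabled'); '0:' or junk -> None."""
    m = POLICY_RE.fullmatch(raw)
    if not m or not m.group(2):
        return None
    return int(m.group(1)), m.group(2)


def parse_policy_trace(line: str) -> PolicyTrace:
    fields = dict(PAIR_RE.findall(line))
    remote = REMOTE_RE.search(line)
    if "policy_recipient" not in fields or remote is None:
        raise ValueError("not a policy trace entry")
    policies = {lvl: parse_policy_value(fields[lvl])
                for lvl in POLICY_LEVELS if lvl in fields}
    return PolicyTrace(
        recipient=fields["policy_recipient"],
        user=fields.get("policy_user", ""),
        remote=remote.group(1) == "T",
        group_name=fields.get("group_name", ""),
        policies=policies,
    )


if __name__ == "__main__":
    trace = parse_policy_trace(SAMPLE_TRACE)
    print(trace.recipient, "remote" if trace.remote else "local")
    print(trace.populated_levels())  # ['domain_policy', 'user_policy', 'default_policy']
```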

Flush web single sign-on sessions

This utility flushes all Web Proxy authenticated single sign-on sessions for both Proxy and Portal IP address-based authenticated users. After the sessions have been flushed, current Web Proxy users must authenticate again before being allowed access to web sites using the Web Proxy.

Hostname lookup

The Hostname Lookup utility is used to perform DNS host lookups. This ensures that hostnames are being properly resolved by the DNS server.

To perform a hostname lookup:

1. In the Name field, enter the FQDN (Fully Qualified Domain Name) of the host you would like to look up on a name server. For example: host.example.com.

2. In the Query type field, select the type of DNS record, such as A for a typical host address record, or MX for a mail server lookup.

3. Click the Lookup button when ready to test.

The name server should provide you with the IP address for the name you entered. If the result displayed shows “Unknown host”, then the name you entered is not listed in the DNS records.


If the name server cannot be contacted, check your DNS configuration in Configuration > Network > Interfaces. To ensure you have network connectivity, use the ping and traceroute commands in the Status & Utility screen to ensure you have a connection to the network and to the DNS server.


SMTP probe

The SMTP (Simple Mail Transport Protocol) Probe is used to test email connectivity with a remote SMTP server.

This allows you to verify that the SMTP server is responding to connection requests and returning a valid response.

To perform an SMTP probe:

1. In the SMTP Server field, enter the domain name or IP address of the destination SMTP server that you want to test.


2. Enter the envelope-from (MAIL FROM) address to identify the sender of the email message.

3. Enter the envelope-to (RCPT TO) address to identify the recipient of the email message.

4. Enter the HELO parameter that is used to identify the SMTP Client to the SMTP Server.

You can enter any value here, but the sending domain name of the server is usually specified.

5. In the Message to Send (DATA command) field, enter the text to include in the test email message.

You can enter an optional subject to ensure a blank subject field is not sent.

6. Click the Send Message button to send the test message to the destination SMTP server.

The response field displays the result of the SMTP diagnostic probe, including the response for each SMTP command sent:

  Sending mail...
  <<< 220 ESMTP Postfix (2.1.0)
  HELO example.com
  <<< 250 mail.example.com
  MAIL FROM:[email protected]
  <<< 250 Ok
  RCPT TO:[email protected]
  <<< 250 Ok
  DATA
  <<< 354 End data with <CR><LF>.<CR><LF>
  sending /tmp/smtpdata
  .
  <<< 250 Ok: queued as F130F33EA6
  QUIT
  <<< 221 Bye
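The same exchange can be driven from a script when you need to probe a destination repeatedly or from a host other than the XCS. The following added example (not WatchGuard code, and not the tool behind the Send Message button) implements the probe over any transport that offers readline() and write(): it checks the reply code after each command, stops and sends QUIT at the first unexpected code, handles multi-line replies and dot-stuffing in the message body, and returns the per-command codes. The canned replies are the server lines from the sample output above, replayed by a constructed fake server so it runs offline; probe_host is the same routine over a real TCP socket.

```python
import socket

# Added example (not WatchGuard code): a minimal SMTP probe that drives the
# HELO / MAIL FROM / RCPT TO / DATA / QUIT exchange and reports each reply code.

# Server reply lines taken from the guide's sample probe output, replayed here
# by a constructed fake server so the example runs without network access.
SAMPLE_REPLIES = [
    "220 ESMTP Postfix (2.1.0)",
    "250 mail.example.com",
    "250 Ok",
    "250 Ok",
    "354 End data with <CR><LF>.<CR><LF>",
    "250 Ok: queued as F130F33EA6",
    "221 Bye",
]


class ScriptedTransport:
    """Stand-in for a socket: replays canned reply lines, records what was sent."""

    def __init__(self, replies):
        self.replies = list(replies)
        self.sent = []

    def readline(self):
        return (self.replies.pop(0) + "\r\n") if self.replies else ""

    def write(self, text):
        self.sent.append(text)


class SocketTransport:
    """Real transport over a connected TCP socket."""

    def __init__(self, sock):
        self.sock = sock
        self.reader = sock.makefile("r", encoding="ascii", errors="replace")

    def readline(self):
        return self.reader.readline()

    def write(self, text):
        self.sock.sendall(text.encode("ascii"))


def read_reply(transport):
    """Read one reply, including '250-...' continuation lines; return (code or None, lines)."""
    lines = []
    while True:
        line = transport.readline()
        if not line:                      # connection closed or server silent
            return None, lines
        line = line.rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            break
    try:
        return int(lines[0][:3]), lines
    except ValueError:
        return None, lines


def smtp_probe(transport, helo, mail_from, rcpt_to, body):
    """Return (log of (command, reply code), delivered) for one test message."""
    log = []
    code, _ = read_reply(transport)
    log.append(("<banner>", code))
    if code != 220:
        return log, False
    steps = [
        (f"HELO {helo}", 250),
        (f"MAIL FROM:<{mail_from}>", 250),
        (f"RCPT TO:<{rcpt_to}>", 250),
        ("DATA", 354),
    ]
    for command, expected in steps:
        transport.write(command + "\r\n")
        code, _ = read_reply(transport)
        log.append((command, code))
        if code != expected:              # e.g. 550 on RCPT TO: stop cleanly and report
            transport.write("QUIT\r\n")
            read_reply(transport)
            return log, False
    # Dot-stuff body lines that start with '.', then terminate with <CRLF>.<CRLF>.
    payload = "\r\n".join(("." + ln) if ln.startswith(".") else ln
                          for ln in body.splitlines())
    transport.write(payload + "\r\n.\r\n")
    code, _ = read_reply(transport)
    log.append(("<message>", code))
    delivered = code == 250
    transport.write("QUIT\r\n")
    code, _ = read_reply(transport)
    log.append(("QUIT", code))
    return log, delivered


def probe_host(host, helo, mail_from, rcpt_to, body, port=25, timeout=10):
    """Run the probe against a live server (not used by the offline demonstration)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return smtp_probe(SocketTransport(sock), helo, mail_from, rcpt_to, body)


if __name__ == "__main__":
    fake = ScriptedTransport(SAMPLE_REPLIES)
    log, ok = smtp_probe(fake, "example.com", "probe@example.com",
                         "postmaster@mail.example.com", "Subject: probe\r\n\r\nTest message")
    for command, code in log:
        print(f"{command:<40} {code}")
    print("delivered:", ok)
```

Against a real server, a 4xx code on RCPT TO is the greylisting or temporary-reject case that also shows up as Temporary Reject in the Connection History; a 5xx code is the permanent reject whose text usually names the list or rule that blocked the message.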


Ping utility

The ping utility sends ICMP packets to a host and then listens for a return packet. From the WatchGuard XCS, this utility can be used to ping hosts both on the internal and external networks. You should also try to ping the firewall, DNS server, and external router as well as the WatchGuard XCS from these locations to ensure you have connectivity. For more detailed information on routing connectivity between the two hosts, use the traceroute utility.

To test connectivity using ping:

1. Enter the IP address or hostname of the system you want to test connectivity to.

2. Click Ping .


Traceroute utility

Traceroute is used to see the routing steps between two hosts. If you are losing connectivity somewhere between the system and a receiving host, you can use traceroute to see where exactly the packet is losing the connection.

The traceroute utility will show each network hop as it passes through each router to the destination. If you are experiencing routing issues, you will be able to see in the trace where exactly the communication is failing.

To test connectivity using traceroute:

1. Enter the IP address or hostname of the system you want to test connectivity to.

2. Click Traceroute.

The traceroute to the destination is displayed.


Troubleshoot Connection Issues

In many cases, a connection is blocked by the system before any messages are transferred. These connection-level rejects can be triggered by the following features:

• ReputationAuthority

• DNS Block Lists

• Specific Access Patterns

• Pattern Filters

• Threat Prevention

• URL Block Lists

• Very Malformed messages

• Trusted/Blocked Senders Lists

To view a history of connections to the WatchGuard XCS from other systems:

1. Select Activity > History > Connection History.

2. Set the Search Criteria to limit the search to a specific range of dates or number of days.

Search results can be filtered based on the action taken on a connection and the source of that action, for example a connection refused by ReputationAuthority because of a low reputation.

See “Connection History” on page 426 for more information on searching the connection history database.


Troubleshoot Content Issues

If a message has been delivered to the WatchGuard XCS successfully, it undergoes security processing before delivery to its final destination. Many of the security tools used by the system, such as Intercept Anti-Spam, Content Filtering, Anti-Virus scanning, and Attachment Control, can cause a message to be rejected, discarded, or quarantined without being delivered to the recipient. These tools can be misconfigured so that legitimate messages and requests are incorrectly rejected or quarantined. If you find that certain messages are being blocked when they should not be, check the following:

• Is there a Specific Access Pattern, Pattern Filter, or Content rule that applies to the message?

• Is the attachment type or content filtered via Attachment Control or Content Scanning?

• Are any of the Intercept Anti-Spam features blocking the message?

• Do words from the Objectionable Content Filter (OCF) or Spam Dictionaries appear in the message?

• Is the message or its attachments over the maximum size limit?

• Does the user belong to a policy that may block the message?

Message history

Every email message and web request that passes through the system generates a database entry that records information about how it was processed, filtered, and delivered. To see how the message was processed, you can check the message history to see the disposition of the message. Using this information, you can find out which security process is blocking the message, and then check the configuration and rules to ensure that they are set properly.

To view the message history:

1. Select Activity > History > Message History.

2. Examine the Status column for full information on how a message was processed and its final disposition.


3. Click on the Message ID to view the details of a message.

Dispositions and the final Intercept score, if any, are listed below the details table in the Message Disposition section.
