WatchGuard Fireware XTM WSM v11.3 User Guide

WatchGuard System Manager v11.3 User Guide
Fireware XTM
WatchGuard System Manager
v11.3 User Guide
WatchGuard XTM Devices
Firebox X Peak e-Series
Firebox X Core e-Series
Firebox X Edge e-Series
About this User Guide

The Fireware XTM WatchGuard System Manager User Guide is updated with each major product release. For minor product releases, only the Fireware XTM WatchGuard System Manager Help system is updated. The Help system also includes specific, task-based implementation examples that are not available in the User Guide.

For the most recent product documentation, see the Fireware XTM WatchGuard System Manager Help on the WatchGuard web site at: http://www.watchguard.com/help/documentation/.

Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

Guide revised: 6/23/2010
Copyright, Trademark, and Patent Information

Copyright © 1998-2010 WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade names mentioned herein, if any, are the property of their respective owners.

Complete copyright, trademark, patent, and licensing information can be found in the Copyright and Licensing Guide, available online at: http://www.watchguard.com/help/documentation/.

Note: This product is for indoor use only.
About WatchGuard

WatchGuard offers affordable, all-in-one network and content security solutions that provide defense-in-depth and help meet regulatory compliance requirements. The WatchGuard XTM line combines firewall, VPN, GAV, IPS, spam blocking and URL filtering to protect your network from spam, viruses, malware, and intrusions. The new XCS line offers email and web content security combined with data loss prevention. WatchGuard extensible solutions scale to offer right-sized security ranging from small businesses to enterprises with 10,000+ employees. WatchGuard builds simple, reliable, and robust security appliances featuring fast implementation and comprehensive management and reporting tools. Enterprises throughout the world rely on our signature red boxes to maximize security without sacrificing efficiency and productivity.
Address
505 Fifth Avenue South
Suite 500
Seattle, WA 98104
Support
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575
Sales
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895
For more information, please call 206.613.6600 or visit www.watchguard.com.
Table of Contents

Introduction to Network Security ... 1
About networks and network security ... 1
About Internet connections ... 1
About protocols ... 2
About IP addresses ... 3
Private addresses and gateways ... 3
About subnet masks ... 3
About slash notation ... 3
About entering IP addresses ... 4
Static and dynamic IP addresses ... 4
About DNS (Domain Name System) ... 5
About firewalls ... 6
About services and policies ... 7
About ports ... 8

Introduction to Fireware XTM ... 9
About Fireware XTM ... 9
Fireware XTM Components ... 10
WatchGuard System Manager ... 10
WatchGuard Server Center ... 11
Fireware XTM Web UI and Command Line Interface ... 12
Fireware XTM with a Pro Upgrade ... 13

Service and Support ... 15
About WatchGuard Support ... 15
LiveSecurity Service ... 15
LiveSecurity Service Gold ... 16
Service expiration ... 16

Getting Started ... 19
Before you begin ... 19
Verify basic components ... 19
Get a Firebox or XTM device feature key ... 20
Gather network addresses ... 20
Select a firewall configuration mode ... 21
Decide where to install server software ... 22
Install WatchGuard System Manager software ... 22
Back up your previous configuration ... 22
Download WatchGuard System Manager ... 23
About software encryption levels ... 24
About the Quick Setup Wizard ... 24
Run the Web Setup Wizard ... 25
Run the WSM Quick Setup Wizard ... 28
Complete your installation ... 30
Customize your security policy ... 31
About LiveSecurity Service ... 31
Start WatchGuard System Manager ... 31
Connect to a Firebox or XTM device ... 31
Start WSM applications ... 33
Additional installation topics ... 34
Install WSM and keep an older version ... 34
Install WatchGuard Servers on computers with desktop firewalls ... 35
Dynamic IP support on the external interface ... 35
About connecting the Firebox or XTM device cables ... 36
Connect to a Firebox or XTM device with Firefox v3 ... 36
Disable the HTTP proxy in the browser ... 38
Find your TCP/IP properties ... 39

Configuration and Management Basics ... 43
About basic configuration and management tasks ... 43
About configuration files ... 43
Open a configuration file ... 43
Make a new configuration file ... 45
Save the configuration file ... 46
Make a backup of the Firebox or XTM device image ... 47
Restore a Firebox or XTM device backup image ... 48
Use a USB drive for system backup and restore ... 49
About the USB drive ... 49
Save a backup image to a connected USB drive ... 49
Restore a backup image from a connected USB drive ... 49
Automatically restore a backup image from a USB drive ... 50
USB drive directory structure ... 52
Save a backup image to a USB drive connected to your management computer ... 53
Use an existing configuration for a new Firebox or XTM device model ... 53
Configure a replacement Firebox or XTM device ... 55
Save the configuration from the original Firebox or XTM device to a file ... 55
Get the feature key for the replacement Firebox or XTM device ... 56
Use the Quick Setup Wizard to configure basic settings ... 56
Update the feature key in the original configuration file and save to the new device ... 56
Reset a Firebox or XTM device to a previous or new configuration ... 57
Start a Firebox or XTM device in safe mode ... 57
Reset a Firebox X Edge e-Series or WatchGuard XTM 2 Series device to factory-default settings ... 58
Run the Quick Setup Wizard ... 58
About factory-default settings ... 58
About feature keys ... 60
When you purchase a new feature ... 60
See features available with the current feature key ... 60
Verify feature key compliance ... 61
Get a feature key from LiveSecurity ... 62
Add a feature key to your Firebox or XTM device ... 64
See the details of a feature key ... 66
Download a feature key ... 66
Enable NTP and add NTP servers ... 67
Set the time zone and basic device properties ... 68
About SNMP ... 69
SNMP polls and traps ... 69
Enable SNMP polling ... 70
Enable SNMP management stations and traps ... 71
About Management Information Bases (MIBs) ... 73
About WatchGuard Passphrases, Encryption Keys, and Shared Keys ... 74
Create a secure passphrase, encryption key, or shared key ... 74
Firebox or XTM device Passphrases ... 74
User Passphrases ... 75
Server Passphrases ... 75
Encryption Keys and Shared Keys ... 75
Change Firebox or XTM device passphrases ... 77
About aliases ... 78
Alias members ... 78
Create an alias ... 79
Define Firebox or XTM device global settings ... 81
Define ICMP error handling global settings ... 82
Enable TCP SYN checking ... 83
Define TCP maximum segment size adjustment global settings ... 83
Enable or disable Traffic Management and QoS ... 83
Change the Web UI port ... 83
Automatic Reboot ... 83
External Console ... 84
See also ... 84
Manage a Firebox or XTM device from a remote location ... 84
Locations of WatchGuard System Manager files ... 87
Locations of application and user-created files ... 87
Upgrade to a new version of Fireware XTM ... 89
Install the upgrade on your management computer ... 89
Upgrade the Firebox or XTM device ... 90
Use multiple versions of Policy Manager ... 91
About upgrade options ... 91
Subscription Services upgrades ... 91
Appliance and software upgrades ... 91
How to apply an upgrade ... 92
Renew security subscriptions ... 92
Renew subscriptions from Firebox System Manager ... 93

Network Setup and Configuration ... 95
About network interface setup ... 95
Network modes ... 96
Interface types ... 97
About network interfaces on the Edge e-Series ... 97
Mixed Routing Mode ... 98
Configure an external interface ... 98
Configure DHCP in mixed routing mode ... 102
About the Dynamic DNS service ... 104
Use dynamic DNS ... 104
Drop-in Mode ... 106
Use drop-in mode for network interface configuration ... 106
Configure related hosts ... 107
Configure DHCP in drop-in mode ... 108
Bridge Mode ... 111
Common interface settings ... 113
Disable an interface ... 116
Configure DHCP Relay ... 118
Restrict network traffic by MAC address ... 118
Add WINS and DNS server addresses ... 119
Configure a secondary network ... 120
About advanced interface settings ... 122
Network Interface Card (NIC) settings ... 122
Set Outgoing Interface Bandwidth ... 124
Set DF bit for IPSec ... 124
PMTU Setting for IPSec ... 125
Use static MAC address binding ... 125
Find the MAC address of a computer ... 126
About LAN bridges ... 126
Create a network bridge configuration ... 127
Assign a network interface to a bridge ... 128
About routing ... 130
Add a static route ... 130
About virtual local area networks (VLANs) ... 131
VLAN requirements and restrictions ... 131
About tagging ... 132
About VLAN ID numbers ... 132
Define a new VLAN ... 132
Assign interfaces to a VLAN ... 136
Network Setup Examples ... 137
Example: Configure Two VLANs on the Same Interface ... 137
Use your Firebox or XTM device with the 3G Extend wireless bridge ... 141

Multi-WAN ... 143
About using multiple external interfaces ... 143
Multi-WAN requirements and conditions ... 143
Multi-WAN and DNS ... 144
Multi-WAN and FireCluster ... 144
About multi-WAN options ... 144
Round-robin order ... 144
Failover ... 145
Interface overflow ... 145
Routing table ... 146
Serial modem (Firebox X Edge only) ... 146
Configure Round-robin ... 147
Before You Begin ... 147
Configure the interfaces ... 147
Find how to assign weights to interfaces ... 149
Configure Failover ... 149
Before You Begin ... 149
Configure the interfaces ... 149
Configure Interface Overflow ... 150
Before You Begin ... 150
Configure the interfaces ... 151
Configure Routing Table ... 152
Before you begin ... 152
Routing Table mode and load balancing ... 152
Configure the interfaces ... 152
About the Firebox or XTM device route table ... 153
When to use multi-WAN methods and routing ... 154
Serial modem failover ... 155
Enable serial modem failover ... 155
Account settings ... 156
DNS settings ... 156
Dial-up settings ... 157
Advanced settings ... 157
Link Monitor settings ... 157
Advanced multi-WAN settings ... 159
About sticky connections ... 159
Set a global sticky connection duration ... 159
Set the failback action ... 160
About WAN interface status ... 161
Time needed for the Firebox or XTM device to update its route table ... 161
Define a link monitor host ... 161

Network Address Translation (NAT) ... 163
About Network Address Translation ... 163
Types of NAT ... 164
About dynamic NAT ... 164
Add firewall dynamic NAT entries ... 164
Configure policy-based dynamic NAT ... 167
About 1-to-1 NAT ... 168
About 1-to-1 NAT and VPNs ... 169
Configure firewall 1-to-1 NAT ... 170
Configure policy-based 1-to-1 NAT ... 172
Configure NAT loopback with static NAT ... 174
Add a policy for NAT loopback to the server ... 175
NAT loopback and 1-to-1 NAT ... 176
About static NAT ... 180
Configure Static NAT ... 180
Configure server load balancing ... 181
NAT Examples ... 185
1-to-1 NAT example ... 185

Wireless Setup ... 187
About wireless configuration ... 187
About wireless access point configuration ... 188
Before you begin ... 189
About wireless configuration settings ... 190
Enable/disable SSID broadcasts ... 190
Change the SSID ... 191
Log authentication events ... 191
Change the fragmentation threshold ... 191
Change the RTS threshold ... 193
About wireless security settings ... 193
Set the wireless authentication method ... 193
Set the encryption level ... 194
Enable wireless connections to the trusted or optional network ... 195
Enable a wireless guest network ... 197
Enable a wireless hotspot ... 200
Configure user timeout settings ... 201
Customize the hotspot splash screen ... 201
Connect to a wireless hotspot ... 202
See wireless hotspot connections ... 203
Configure your external interface as a wireless interface ... 204
Configure the primary external interface as a wireless interface ... 204
Configure a BOVPN tunnel for additional security ... 207
About wireless radio settings on the Firebox X Edge e-Series Wireless device ... 208
Set the operating region and channel ... 209
Set the wireless mode of operation ... 210
About wireless radio settings on the WatchGuard XTM 2 Series Wireless device ... 211
Country is set automatically ... 212
Select the Band and Wireless mode ... 212
Select the Channel ... 213
Configure the wireless card on your computer ... 214

Dynamic Routing ... 215
About dynamic routing ... 215
About routing daemon configuration files ... 215
About Routing Information Protocol (RIP) ... 216
Routing Information Protocol (RIP) commands ... 216
Configure the Firebox or XTM device to use RIP v1 ... 218
Configure the Firebox or XTM device to use RIP v2 ... 219
Sample RIP routing configuration file ... 222
About Open Shortest Path First (OSPF) Protocol ... 223
OSPF commands ... 224
OSPF Interface Cost table ... 227
Configure the Firebox or XTM device to use OSPF ... 227
Sample OSPF routing configuration file ... 229
About Border Gateway Protocol (BGP) ... 231
BGP commands ... 233
Configure the Firebox or XTM device to use BGP ... 235
Sample BGP routing configuration file ... 237

FireCluster ... 239
About WatchGuard FireCluster ... 239
FireCluster status ... 241
About FireCluster failover ... 241
Events that trigger a failover ... 241
What happens when a failover occurs ... 242
FireCluster failover and server load balancing ... 242
Monitor the cluster during a failover ... 242
Features not supported with FireCluster ... 243
FireCluster network configuration limitations ... 243
FireCluster management limitations ... 243
About the Interface for management IP address ... 243
Configure the Interface for management IP address ... 243
Use the Management IP address to restore a backup image ... 244
Use the Management IP address to upgrade from an external location ... 244
Configure FireCluster ... 245
FireCluster requirements and restrictions ... 245
Cluster synchronization and status monitoring ... 246
FireCluster device roles ... 247
FireCluster configuration steps ... 247
Before you begin ... 248
Connect the FireCluster hardware ... 249
Switch and router requirements for an active/active FireCluster ... 251
Use the FireCluster Setup Wizard ... 256
Configure FireCluster manually ... 261
Find the multicast MAC addresses for an active/active cluster ... 266
Active/Passive Cluster ID and the Virtual MAC Address ... 268
Monitor and control FireCluster members ... 269
Monitor status of FireCluster members ... 270
Monitor and control cluster members ... 270
Discover a cluster member ... 270
Force a failover of the cluster master ... 271
Reboot a cluster member ... 272
Shut down a cluster member ... 272
Connect to a cluster member ... 273
Make a member leave a cluster ... 274
Make a member join a cluster ... 275
Remove or add a cluster member ... 275
Remove a device from a FireCluster ... 275
Add a new device to a FireCluster ... 277
Update the FireCluster configuration ... 277
Configure FireCluster logging and notification ... 277
About feature keys and FireCluster ... 278
See the feature keys and Cluster Features for a cluster ... 279
See or update the feature key for a cluster member ... 279
See the FireCluster feature key in Firebox System Manager ... 281
Create a FireCluster backup image ... 282
Restore a FireCluster backup image ... 283
Make the backup master leave the cluster ... 283
Restore the backup image to the backup master ... 283
Restore the backup image to the cluster master ... 283
Make the backup master rejoin the cluster ... 284
Upgrade Fireware XTM for FireCluster members ... 284
Disable FireCluster ... 286

Authentication ... 287
About user authentication ... 287
User authentication steps ... 288
Manage authenticated users ... 289
Use authentication to restrict incoming traffic ... 289
Use authentication through a gateway Firebox ... 290
Set global authentication values ... 291
Set global authentication timeouts ... 292
Allow multiple concurrent logins ... 293
Limit login sessions ... 293
Automatically redirect users to the login portal ... 294
Use a custom default start page ... 295
Set Management Session timeouts ... 295
Enable Single Sign-On ... 295
About the WatchGuard Authentication (WG-Auth) policy ... 295
About Single Sign-On (SSO) ... 296
Before You Begin ... 298
Set up SSO ... 298
Install the WatchGuard Single Sign-On (SSO) agent ... 298
Install the WatchGuard Single Sign-On (SSO) client ... 299
Enable Single Sign-On (SSO) ... 300
Authentication server types ... 302
About using third-party authentication servers ... 302
Use a backup authentication server ... 302
Configure your Firebox or XTM device as an authentication server ... 303
Types of Firebox authentication ... 303
Define a new user for Firebox authentication ... 306
Define a new group for Firebox authentication ... 308
Configure RADIUS server authentication ... 309
Authentication key ... 309
RADIUS authentication methods ... 309
Before you begin ... 309
Use RADIUS server authentication with your Firebox or XTM device ... 309
How RADIUS server authentication works ... 311
Configure VASCO server authentication ... 314
Configure SecurID authentication ... 316
Configure Active Directory authentication ... 318
About Active Directory optional settings ... 320
Find your Active Directory search base ... 320
Change the default port for the Active Directory server ... 321
Configure LDAP authentication ... 322
About LDAP optional settings ... 324
Use Active Directory or LDAP Optional Settings ... 324
Before You Begin ... 324
Specify Active Directory or LDAP Optional Settings ... 325
Use a local user account for authentication ... 328
Use authorized users and groups in policies ... 328
Define users and groups for Firebox authentication ... 328
Define users and groups for third-party authentication ... 328
Add users and groups to policy definitions ... 329

Policies ... 331
About policies ... 331
Packet filter and proxy policies ... 331
About adding policies to your Firebox or XTM device ... 332
About Policy Manager ... 332
Open Policy Manager ... 333
Change the Policy Manager view ... 334
Change colors used for Policy Manager text ... 336
Find a policy by address, port, or protocol ... 337
Add policies to your configuration ... 338
See the list of policy templates ... 339
Add a policy from the list of templates ... 340
Add more than one policy of the same type ... 341
See template details and modify policy templates ... 342
Disable or delete a policy ... 342
About policy precedence ... 343
Automatic policy order ... 343
Policy specificity and protocols ... 344
Traffic rules ... 344
Firewall actions ... 345
Schedules ... 345
Policy types and names ... 345
Set precedence manually ... 345
Create schedules for Firebox or XTM device actions ... 345
Set an operating schedule ... 347
About custom policies ... 348
Create or edit a custom policy template ... 348
Import and export custom policy templates ... 350
About policy properties ... 351
Policy tab ... 351
Properties tab ... 351
Advanced tab ... 351
Proxy settings ... 352
Set access rules for a policy ... 352
Configure policy-based routing ... 355
Set a custom idle timeout ... 357
Set ICMP error handling ... 357
Apply NAT rules ... 357
Set the sticky connection duration for a policy ... 358

Proxy Settings ... 359
About proxy policies and ALGs ... 359
Proxy configuration ... 360
Proxy and AV alarms ... 360
About rules and rulesets ... 361
About proxy actions ... 370
Use predefined content types ... 372
About Application Blocker Configurations ... 373
Intrusion prevention in proxy definitions ... 376
Add a proxy policy to your configuration ... 377
About the DNS proxy ... 378
Policy tab ... 379
Properties tab ... 379
Advanced tab ... 380
DNS proxy: General settings ... 380
DNS proxy: OPcodes ... 381
DNS proxy: Query types ... 382
DNS proxy: Query names ... 383
About MX (Mail eXchange) records ... 384
About the FTP proxy ... 385
Policy tab ... 387
Properties tab ... 387
Advanced tab ... 388
FTP proxy: General settings ... 388
FTP proxy: Commands ... 389
FTP proxy: Content ... 390
FTP proxy: AntiVirus ... 391
About the H.323 ALG ... 392
VoIP components ... 392
ALG functions ... 392
Policy tab ... 393
Properties tab ... 394
Advanced tab ... 394
H.323 ALG: General Settings ... 395
H.323 ALG: Access Control ... 396
H.323 ALG: Denied Codecs ... 397
About the HTTP proxy ... 398
Policy tab ... 399
Properties tab ... 400
Advanced tab ... 400
HTTP request: General settings ... 401
HTTP request: Request methods ... 402
HTTP request: URL paths ... 404
HTTP request: Header fields ... 404
HTTP request: Authorization ... 405
HTTP Response: General settings ... 407
HTTP Response: Header fields ... 407
HTTP Response: Content types ... 408
HTTP Response: Cookies ... 409
HTTP Response: Body content types ... 410
HTTP proxy exceptions ... 410
HTTP proxy: WebBlocker ... 411
HTTP proxy: Application Blocker ... 412
HTTP proxy: AntiVirus ... 412
HTTP proxy: Intrusion Prevention ... 412
HTTP proxy: Reputation Enabled Defense ... 413
HTTP proxy: Deny message ... 414
Enable Windows updates through the HTTP proxy ... 416
Use a caching proxy server ... 416
About the HTTPS proxy ... 417
Policy tab ... 417
Properties tab ... 418
Advanced tab ... 418
HTTPS proxy: Content inspection ... 419
HTTPS proxy: Certificate names ... 421
HTTPS proxy: WebBlocker ... 421
HTTPS proxy: General settings ... 422
About the POP3 proxy ... 423
Policy tab ... 423
Properties tab ... 424
Advanced tab ... 424
POP3 proxy: General settings ... 425
POP3 proxy: Authentication ... 427
POP3 proxy: Content types ... 428
POP3 proxy: File names ... 429
POP3 proxy: Headers ... 431
POP3 proxy: AntiVirus ... 432
POP3 proxy: Deny message ... 433
POP3 proxy: spamBlocker ... 434
About the SIP proxy ... 435
VoIP components ... 436
ALG functions ... 436
Policy tab ... 436
Properties tab ... 437
Advanced tab ... 437
SIP ALG: General Settings ... 437
SIP ALG: Access Control ... 439
SIP ALG: Denied Codecs ... 440
About the SMTP proxy ... 442
Policy tab ... 442
Properties tab ... 442
Advanced tab ... 443
SMTP proxy: General settings ... 443
SMTP proxy: Greeting rules ... 446
SMTP proxy: ESMTP settings ... 447
SMTP proxy: Authentication ... 448
SMTP proxy: Content types ... 448
SMTP proxy: File names ... 450
SMTP proxy: Mail From/Rcpt To ... 450
SMTP proxy: Headers ... 451
SMTP proxy: AntiVirus ... 452
SMTP proxy: Deny message ... 453
SMTP proxy: spamBlocker ... 454
Configure the SMTP proxy to quarantine email ... 454
Protect your SMTP server from email relaying ... 454
About the TCP-UDP proxy ... 456
Policy tab ... 456
Properties tab ... 456
Advanced tab ... 457
TCP-UDP proxy: General settings ... 457
TCP-UDP proxy: Application blocking ... 457

Traffic Management and QoS ... 459
About Traffic Management and QoS ... 459
Enable traffic management and QoS ... 459
Guarantee bandwidth ... 460
Restrict bandwidth ... 461
QoS Marking ... 461
Traffic priority ... 461
Set Connection Rate Limits ... 462
About QoS Marking ... 462
Before you begin ... 462
QoS marking for interfaces and policies ... 463
QoS marking and IPSec traffic ... 463
Marking types and values ... 463
Enable QoS Marking for an interface ... 465
Enable QoS Marking or prioritization settings for a policy ... 466
Enable QoS Marking for a managed BOVPN tunnel ... 467
Traffic control and policy definitions ... 469
Define a Traffic Management action ... 469
Add a Traffic Management action to a policy ... 470
Add a Traffic Management action to a BOVPN firewall policy ... 471

Default Threat Protection ... 473
About default threat protection ... 473
About default packet handling options ... 474
Set logging and notification options ... 475
About spoofing attacks ... 475
About IP source route attacks ... 476
About port space and address space probes ... 477
About flood attacks ... 479
About unhandled packets ... 481
About distributed denial-of-service attacks ... 482
About blocked sites ... 483
Permanently blocked sites ... 483
Auto-blocked sites/Temporary Blocked Sites list ... 483
Block a site permanently ... 483
Create Blocked Site Exceptions ... 485
Import a list of blocked sites or blocked sites exceptions ... 486
Block sites temporarily with policy settings ... 486
Change the duration that sites are auto-blocked ... 486
About blocked ports ... 487
Default blocked ports ... 487
Block a port ... 489

WatchGuard Server Setup ... 491
About WatchGuard Servers ... 491
Set up WatchGuard Servers ... 492
Before you begin ... 493
Start the wizard ... 493
General settings ... 493
Management Server settings ... 494
Log Server and Report Server settings ... 494
Quarantine Server settings ... 494
WebBlocker Server settings ... 495
Review and finish ... 495
About the gateway Firebox ... 495
Find your Management Server license key ... 496
Monitor the status of WatchGuard servers ... 497
Configure your WatchGuard servers ... 498
Open WatchGuard Server Center ... 499
Stop and start your WatchGuard servers ... 500
Install or configure WatchGuard servers from the WatchGuard Server Center ... 501
Exit or open the WatchGuard Server Center application ... 503

Management Server Setup and Administration ... 505
About the WatchGuard Management Server ... 505
Install the Management Server ... 505
Set up the Management Server ... 506
Configure the Management Server ... 506
Define settings for the Management Server ... 506
Configure the certificate authority on the Management Server ... 507
Update the Management Server with a new gateway address ... 508
Change the IP address of a Management Server ... 510
Change the Administrator passphrase ... 512
Configure License Key and Notification settings ... 514
Enable and configure Active Directory authentication ... 515
Configure Logging settings for the Management Server ... 517
Back up or restore the Management Server configuration ... 519
Back up your configuration ... 519
Restore your configuration ... 519
Move the WatchGuard Management Server to a new computer ... 520
Back up, move, and restore your Management Server ... 520
Configure other installed WatchGuard Servers ... 520
Use WSM to connect to a Management Server ... 521
Disconnect from the Management Server ... 522
Import or Export a Management Server configuration ... 522
Export a configuration ... 522
Import a configuration ... 522

Centralized Management ... 523
About WatchGuard System Manager ... 523
Device status ... 523
Device management ... 524
About the Device Management page ... 526
See information for managed devices ... 526
About Centralized Management modes ... 527
Change the Centralized Management mode ... 528
Add managed devices to the Management Server ... 531
If you know the current IP address of the device ... 533
If you do not know the IP address of the device ... 534
Set device management properties ... 535
Connection settings ... 535
IPSec tunnel preferences ... 537
Contact information ... 538
Schedule tasks for managed devices ... 538
Schedule OS Update ... 540
Schedule Feature Key Synchronization ... 541
Schedule Reboot ... 543
Review, cancel, or delete Scheduled Tasks ... 546
Update the configuration for a Fully Managed device ... 549
Manage Server Licenses ... 550
See current license key information ... 550
Add or remove a license key ... 551
Save or discard your changes ... 551
Manage customer contact information ... 551
Add a contact to the Management Server ... 551
Edit a contact in the Contact List ... 552
See and manage the Monitored Report Servers list ... 553
Add a Report Server to the list ... 553
Edit information for a Report Server ... 554
Remove a Report Server from the list ... 554
Add and manage VPN tunnels and resources ... 554
See VPN tunnels ... 554
Add a VPN tunnel ... 555
Edit a VPN tunnel ... 555
Remove a VPN tunnel ... 556
Add a VPN resource ... 556
Configure a Firebox or XTM device as a managed device ... 556
Edit the WatchGuard policy ... 556
Set up the Managed Device ... 558
Configure a Firebox III or Firebox X Core running WFS as a managed device ... 559
About Edge (v10.x and older) and SOHO devices as managed clients ... 561
Prepare a Firebox X Edge (v10.x and older) for management ... 562
Configure a Firebox SOHO 6 as a managed device ... 565
Start WatchGuard System Manager tools ... 566
Expire the lease for a managed device ... 567
Configure network settings (Edge devices v10.x and older only) ... 568
About the Configuration Template section ... 568
Update or reboot a device, or remove a device from management ... 569
Update a device ... 569
Reboot a device ... 570
Remove a device from management ... 570
Create and subscribe to Device Configuration Templates ... 570
Configure a template for a managed Edge device ... 572
Configure a template for other Fireware XTM devices ... 574
Add a predefined policy to an Edge Device Configuration Template ... 576
Add a custom policy to an Edge Device Configuration Template ... 577
Clone a Device Configuration Template ... 579
Change the name of a Device Configuration Template ... 579
Subscribe managed devices to Device Configuration Templates ... 581
Manage aliases for Firebox X Edge devices ... 583
Change the name of an alias ... 584
Define aliases on a Firebox X Edge device ... 585
Remove a device from Fully Managed Mode ... 588

Role-Based Administration ... 591
About role-based administration ... 591
Roles and role policies ... 591
Audit trail ... 592
About predefined roles ... 592
Use role-based administration with an external Management Server ... 596
Define or remove users or groups ... 597
Use WatchGuard System Manager to configure users or groups ... 597
Use WatchGuard Server Center to configure users or groups ... 599
Remove a user or group ... 600
Define roles and role properties ... 601
Define roles in WatchGuard Server Center ... 601
Define roles in WatchGuard System Manager ... 602
Configure roles and role properties ... 603
Remove a role ... 603
Assign roles to a user or group ... 604
Assign roles in WatchGuard System Manager ... 604
Assign roles in the WatchGuard Server Center ... 605

Logging and Notification ... 609
About logging and log files ... 609
Log Servers ... 609
LogViewer ... 610
Logging and notification in applications and servers ... 610
About log messages ... 610
Log files ... 611
Databases ... 611
Performance and disk space ... 611
Types of log messages ... 612
Log message levels ... 613
About notification ... 613
Quick Start — Set up logging for your network ... 614
Set up a Log Server ... 616
Install the Log Server ... 616
Before you begin ... 617
Configure system settings ... 618
Configure the Log Server ... 618
Configure Database and Encryption Key settings ... 619
Configure Database Settings ... 620
Configure Notification settings ... 623
Configure Logging settings ... 626
Move the log data directory ... 628
Start and stop the Log Server ... 631
Configure Logging Settings for your WatchGuard servers ... 632
Configure logging to a WatchGuard Log Server ... 632
Configure logging to Windows Event Viewer ... 633
Save log messages in a log file ... 633
Define where the Firebox or XTM device sends log messages ... 634
Add a Log Server ... 635
Set Log Server priority ... 638
Configure syslog ... 639
Set up performance statistic logging ... 641
Set the diagnostic log level ... 643
Configure logging and notification for a policy ... 645
Set logging and notification preferences ... 646
Use scripts, utilities, and third-party software with the Log Server ... 648
Back up and restore the Log Server database ... 648
Restore a backup log file ... 649
Import a log file to a Log Server ... 650
Use Crystal Reports with the Log Server ... 650
Use LogViewer to see log files ... 651
Open LogViewer ... 652
Connect to a device ... 652
Open logs for the Primary Log Server ... 654
Set LogViewer user preferences ... 655
Log message details ... 657
Use Search Manager ... 660
Search parameter settings ... 662
Filter log messages by type and time, or run a string search ... 663
Use Log Excerpt to filter search results ... 664
Run local diagnostic tasks ... 666
Import and export data to LogViewer ... 667
Email, print, or save log messages ... 667

Monitor Your Device ... 669
About Firebox System Manager (FSM) ... 669
Start Firebox System Manager ... 670
Disconnect from and reconnect to a Firebox or XTM device ... 670
Set the refresh interval and pause display ... 671
Basic Firebox or XTM device and network status (Front Panel) ... 672
Warnings and Notifications ... 672
Expand and close tree views ... 673
Visual display of traffic between interfaces ... 673
Traffic volume, processor load, and basic status ... 675
Firebox or XTM device status ... 675
Device log messages (Traffic Monitor) ... 677
Sort and filter Traffic Monitor log messages ... 678
Change Traffic Monitor settings ... 679
Copy messages to another application
681
Learn more about traffic log messages
681
Enable notification for specific messages
683
Visual display of bandwidth usage (Bandwidth Meter)
685
Change Bandwidth Meter settings
685
Change the scale
686
Add and remove lines
686
Change colors
687
Change interface appearance
687
Visual display of policy usage (Service Watch)
687
Change Service Watch settings
688
Change the scale
690
Display bandwidth used by a policy
690
Add and remove lines
690
Change colors
690
Change how policy names appear
690
Traffic and performance statistics (Status Report)
691
Change the Refresh Interval
693
Review Packet Trace information for troubleshooting
693
Authenticated users (Authentication List)
694
Use the Outbound Access List
696
Wireless hotspot connections
698
See or change the Blocked Sites list (Blocked Sites)
Change the Block Sites list
699
699
Blocked sites and Traffic Monitor
701
Subscription Services statistics (Subscription Services)
702
Gateway AntiVirus statistics
704
Intrusion Prevention Service statistics
704
spamBlocker statistics
705
Reputation Enabled Defense statistics
706
About HostWatch
DNS resolution and HostWatch
User Guide
706
707
xxvii
Open HostWatch
707
Pause and start the HostWatch display
707
Select connections and interfaces to monitor
707
Filter content of the HostWatch window
709
Change HostWatch visual properties
710
Visit or block a site from HostWatch
711
About the Performance Console
Start the Performance Console
712
Make graphs with the Performance Console
713
Types of counters
713
Stop monitoring or close the window
714
Define performance counters
714
Add charts or change polling intervals
717
About Certificates and FSM
719
Communication log
719
Use Firebox System Manager (FSM)
721
Synchronize the system time
721
Reboot or shut down your Firebox or XTM device
721
Clear the ARP cache
722
See and synchronize feature keys
722
Calculate the Fireware XTM Checksum
725
Clear alarms
725
Rekey BOVPN tunnels
726
Control FireCluster
727
Update the wireless region for an XTM 2 Series device
727
Change passphrases
727
Reporting
About the Report Server
729
729
Set up the Report Server
730
Start or stop the Report Server
750
About WatchGuard Report Manager
750
Open Report Manager
xxviii
712
751
Set Report options  752
Predefined reports list  755
Select report parameters  758
Select reports to generate  761
Show a report  762
View client web usage reports  763
Filter report data  764
Select the Report format  769
Email, print, or save a report  770
Use the Web Services API to retrieve log and report data  770
Installation and documentation  770
Certificates and the Certificate Authority  773
About certificates  773
Use multiple certificates to establish trust  773
How the Firebox or XTM device uses certificates  774
Certificate lifetimes and CRLs  774
Certificate authorities and signing requests  775
Certificate Authorities Trusted by the Firebox or XTM device  775
See and manage Firebox or XTM device certificates  781
See and manage Management Server certificates  785
Create a certificate with FSM or the Management Server  786
Create a certificate with FSM  786
Create a self-signed certificate with CA Manager  790
Create a CSR with OpenSSL  790
Use OpenSSL to generate a CSR  790
Sign a certificate with Microsoft CA  791
Issue the certificate  791
Download the certificate  792
Use certificates for authentication  792
Certificates for Mobile VPN with IPSec tunnel authentication  792
Certificates for Branch Office VPN (BOVPN) tunnel authentication  794
Configure the web server certificate for Firebox authentication  795
Use Certificates for the HTTPS Proxy  798
Protect a private HTTPS server  798
Examine content from external HTTPS servers  799
Export the HTTPS content inspection certificate  799
Import the certificates on client devices  800
Troubleshoot problems with HTTPS content inspection  800
Import a certificate on a client device  800
Import a PEM format certificate with Windows XP  800
Import a PEM format certificate with Windows Vista  801
Import a PEM format certificate with Mozilla Firefox 3.x  801
Import a PEM format certificate with Mac OS X 10.5  802
Virtual Private Networks (VPNs)  803
Introduction to VPNs  803
Branch Office VPN  803
Mobile VPN  804
About IPSec VPNs  804
About IPSec algorithms and protocols  804
About IPSec VPN negotiations  806
Configure Phase 1 and Phase 2 settings  809
About Mobile VPNs  810
Select a Mobile VPN  810
Internet access options for Mobile VPN users  812
Mobile VPN setup overview  813
Managed Branch Office VPN Tunnels  815
About managed Branch Office VPN tunnels  815
How to create a managed BOVPN tunnel  815
Tunnel options  816
VPN Failover  816
Global VPN settings  816
BOVPN tunnel status  816
Rekey BOVPN tunnels  817
Add VPN resources  817
Get the current resources from a device  817
Create a new VPN resource  818
Add a host or network  819
Add VPN firewall policy templates  819
Set a schedule for the policy template  820
Use QoS marking in a policy template  821
Configure traffic management in a policy template  821
Add Security Templates  822
Make managed tunnels between devices  824
Edit a tunnel definition  825
Remove tunnels and devices  826
Remove a tunnel  826
Remove a device  826
VPN tunnel status and subscription services  827
Mobile VPN tunnel status  828
Subscription Services status  828
Manual Branch Office VPN Tunnels  829
What you need to create a manual BOVPN  829
About manual Branch Office VPN tunnels  830
What you need to create a VPN  830
How to create a manual BOVPN tunnel  831
Custom tunnel policies  831
One-way tunnels  831
VPN Failover  831
Global VPN settings  831
BOVPN tunnel status  832
Rekey BOVPN tunnels  832
Sample VPN address information table  833
Configure gateways  834
Define gateway endpoints  836
Configure mode and transforms (Phase 1 settings)  838
Edit and delete gateways  843
Disable automatic tunnel startup  843
If your Firebox or XTM device is behind a device that does NAT  843
Make tunnels between gateway endpoints  845
Define a tunnel  845
Add routes for a tunnel  847
Configure Phase 2 settings  848
Add a Phase 2 proposal  849
Change order of tunnels  851
About global VPN settings  851
Enable IPSec Pass-through  852
Enable TOS for IPSec  852
Enable LDAP server for certificate verification  853
BOVPN Notification  853
Define a custom tunnel policy  854
Choose a name for the policies  854
Select the policy type  854
Select the BOVPN tunnels  854
Create an alias for the tunnels  854
The BOVPN Policy Wizard has completed successfully  854
Set up outgoing dynamic NAT through a Branch Office VPN tunnel  855
Configure the endpoint where all traffic must appear to come from a single address (Site A)  855
Configure the endpoint that expects all traffic to come from a single IP address (Site B)  857
Use 1-to-1 NAT through a Branch Office VPN tunnel  860
1-to-1 NAT and VPNs  860
Other reasons to use 1-to-1 NAT through a VPN  860
Alternative to using NAT  860
How to set up the VPN  861
Example  861
Configure the local tunnel  862
Configure the remote tunnel  864
Define a route for all Internet-bound traffic  865
Configure the BOVPN tunnel on the remote Firebox or XTM device  866
Configure the BOVPN tunnel on the central Firebox or XTM device  866
Add a dynamic NAT entry on the central Firebox or XTM device  867
Enable multicast routing through a Branch Office VPN tunnel  868
Enable a Firebox or XTM device to send multicast traffic through a tunnel  869
Enable the other Firebox or XTM device to receive multicast traffic through a tunnel  871
Enable broadcast routing through a Branch Office VPN tunnel  871
Enable broadcast routing for the local Firebox or XTM device  872
Configure broadcast routing for the Firebox or XTM device at the other end of the tunnel  873
Branch Office VPN tunnel switching  874
Configure VPN Failover  875
Define multiple gateway pairs  876
Force a Branch Office VPN tunnel rekey  877
To rekey one BOVPN tunnel  878
To rekey all BOVPN tunnels  878
Related questions about Branch Office VPN set up  878
Why do I need a static external address?  878
How do I get a static external IP address?  878
How do I troubleshoot the connection?  879
Why is ping not working?  879
How do I set up more than the number of allowed VPN tunnels on my Edge?  879
Improve Branch Office VPN tunnel availability  880
Mobile VPN with PPTP  885
About Mobile VPN with PPTP  885
Mobile VPN with PPTP requirements  885
Encryption levels  886
Configure Mobile VPN with PPTP  887
Authentication  888
Set encryption for PPTP tunnels  888
MTU and MRU  888
Define timeout settings for PPTP tunnels  888
Add to the IP Address Pool  889
Save your changes  890
Configure WINS and DNS servers  891
Add new users to the PPTP-Users group  891
Options for Internet access through a Mobile VPN with PPTP tunnel  893
Default-route VPN  894
Split tunnel VPN  894
Default-route VPN setup for Mobile VPN with PPTP  894
Split tunnel VPN setup for Mobile VPN with PPTP  894
Configure policies to control Mobile VPN with PPTP client access  895
Allow PPTP users to access a trusted network  895
Use other groups or users in a PPTP policy  898
Prepare client computers for PPTP  899
Prepare a Windows NT or 2000 client computer: Install MSDUN and service packs  899
Create and connect a PPTP Mobile VPN for Windows Vista  900
Create and connect a PPTP Mobile VPN for Windows XP  901
Create and connect a PPTP Mobile VPN for Windows 2000  901
Make outbound PPTP connections from behind a Firebox or XTM device  902
Mobile VPN with IPSec  903
About Mobile VPN with IPSec  903
Configure a Mobile VPN with IPSec connection  903
System requirements  904
Options for Internet access through a Mobile VPN with IPSec tunnel  904
About Mobile VPN client configuration files  905
Configure the Firebox or XTM device for Mobile VPN with IPSec  906
Add users to a Firebox Mobile VPN group  912
Modify an existing Mobile VPN with IPSec group profile  914
Configure WINS and DNS servers  926
Lock down an end user profile  927
Save the profile to a Firebox or XTM device  927
Mobile VPN with IPSec configuration files  927
Configure policies to filter Mobile VPN traffic  928
Distribute the software and profiles  929
Additional Mobile VPN topics  930
Configure Mobile VPN with IPSec to a dynamic IP address  932
About the Mobile VPN with IPSec client  933
Client Requirements  934
Install the Mobile VPN with IPSec client software  934
Connect and disconnect the Mobile VPN client  936
See Mobile VPN log messages  939
Secure your computer with the Mobile VPN firewall  939
End-user instructions for WatchGuard Mobile VPN with IPSec client installation  946
Mobile VPN for Windows Mobile setup  951
Mobile VPN WM Configurator and Windows Mobile IPSec client requirements  951
Install the Mobile VPN WM Configurator software  952
Select a certificate and enter the PIN  952
Import an end-user profile  953
Install the Windows Mobile client software on the Windows Mobile device  953
Upload the end-user profile to the Windows Mobile device  955
Connect and disconnect the Mobile VPN for Windows Mobile client  957
Secure your Windows Mobile device with the Mobile VPN firewall  958
Stop the WatchGuard Mobile VPN Service  959
Uninstall the Configurator, Service, and Monitor  959
Mobile VPN with SSL  961
About Mobile VPN with SSL  961
Configure the Firebox or XTM device for Mobile VPN with SSL  961
Configure authentication and connection settings  962
Configure the Networking and IP Address Pool settings  963
Configure advanced settings for Mobile VPN with SSL  965
Configure user authentication for Mobile VPN with SSL  966
Configure policies to control Mobile VPN with SSL client access  967
Options for Internet access through a Mobile VPN with SSL tunnel  968
Name resolution for Mobile VPN with SSL  969
Install and connect the Mobile VPN with SSL client  972
Client computer requirements  972
Download the client software  972
Install the client software  973
Connect to your private network  974
Mobile VPN with SSL client controls  974
Manually distribute and install the Mobile VPN with SSL client software and configuration file  975
Uninstall the Mobile VPN with SSL client  976
WebBlocker  979
About WebBlocker  979
Set up the WebBlocker Server  980
Install the WebBlocker Server software  980
Manage the WebBlocker Server  980
Download the WebBlocker database  981
Keep the WebBlocker database updated  982
Change the WebBlocker Server port  984
Copy the WebBlocker database from one WebBlocker Server to another  985
Get started with WebBlocker  988
Before you begin  988
Activate WebBlocker on the Firebox or XTM device  988
Set policies for WebBlocker  988
Identify the WebBlocker Servers  989
Select categories to block  990
Use exception rules to restrict web site access  991
Configure WebBlocker  991
Configure WebBlocker settings for a policy  991
Copy WebBlocker settings from one policy to another  992
Add new WebBlocker servers or change their order  993
About WebBlocker categories  994
Change categories to block  995
See whether a site is categorized  996
Add, remove, or change a category  997
Define advanced WebBlocker options  999
Define WebBlocker alarms  1001
About WebBlocker exceptions  1001
Define the action for sites that do not match exceptions  1002
Components of exception rules  1002
Exceptions with part of a URL  1002
Add WebBlocker exceptions  1003
Change the order of exception rules  1005
Import or export WebBlocker exception rules  1005
Restrict users to a specific set of web sites  1007
Use WebBlocker actions in proxy definitions  1011
Define additional WebBlocker actions  1011
Add WebBlocker actions to a policy  1011
Schedule WebBlocker actions  1012
About WebBlocker subscription services expiration  1013
Examples  1013
Use WebBlocker local override  1013
Use a WebBlocker Server protected by another Firebox or XTM device  1014
Configure WebBlocker policies for groups with Active Directory authentication  1021
Configure WebBlocker policies for groups with Firebox authentication  1036
spamBlocker  1053
About spamBlocker  1053
spamBlocker requirements  1054
spamBlocker actions, tags, and categories  1054
Activate spamBlocker  1056
Apply spamBlocker settings to your policies  1057
Create new proxy policies  1057
Configure spamBlocker  1058
About spamBlocker exceptions  1060
Configure Virus Outbreak Detection actions for a policy  1063
Configure spamBlocker to quarantine email  1065
About using spamBlocker with multiple proxies  1065
Set global spamBlocker parameters  1065
Use an HTTP proxy server for spamBlocker  1067
Add trusted email forwarders to improve spam score accuracy  1067
Enable and set parameters for Virus Outbreak Detection (VOD)  1068
About spamBlocker and VOD scan limits  1069
Create rules for your email reader  1069
Send spam or bulk email to special folders in Outlook  1070
Send a report about false positives or false negatives  1071
Use RefID record instead of message text  1071
Find the category a message is assigned to  1072
Reputation Enabled Defense  1073
About Reputation Enabled Defense  1073
Reputation Thresholds  1073
Reputation Scores  1074
Reputation Lookups  1074
Reputation Enabled Defense Feedback  1075
Configure Reputation Enabled Defense  1075
Before you begin  1075
Enable Reputation Enabled Defense  1075
Configure the reputation thresholds  1076
Configure alarm notification for RED actions  1077
Send Gateway AV scan results to WatchGuard  1077
Gateway AntiVirus and Intrusion Prevention  1079
About Gateway AntiVirus and Intrusion Prevention  1079
Install and upgrade Gateway AV/IPS  1080
About Gateway AntiVirus/Intrusion Prevention and proxy policies  1080
Activate Gateway AntiVirus  1081
Activate Gateway AntiVirus with a wizard from Policy Manager  1081
Activate Gateway AntiVirus from proxy definitions  1084
Configure Gateway AntiVirus actions  1085
Configure Gateway AntiVirus actions for a proxy action  1087
Configure alarm notification for antivirus actions  1089
Unlock a file locked by Gateway AntiVirus  1089
Configure Gateway AntiVirus to quarantine email  1090
About Gateway AntiVirus scan limits  1090
Update Gateway AntiVirus/IPS settings  1091
If you use a third-party antivirus client  1091
Configure Gateway AV decompression settings  1091
Configure the Gateway AV/IPS update server  1092
See subscription services status and update signatures manually  1094
Activate Intrusion Prevention Service (IPS)  1097
Select proxy policies to enable  1098
Create new proxy policies  1098
Select advanced Intrusion Prevention settings  1099
Configure Intrusion Prevention Service (IPS)  1100
Configure IPS actions  1100
Configure signature exceptions  1103
Copy IPS settings to other policies  1105
Activate and configure Intrusion Prevention Service for TCP-UDP  1105
Quarantine Server  1107
About the Quarantine Server  1107
Set up the Quarantine Server  1108
Install the Quarantine Server software  1108
Run the WatchGuard Server Center Setup Wizard  1108
Configure the Quarantine Server settings  1109
Configure the Firebox or XTM device to quarantine email  1109
Configure the Quarantine Server  1110
Configure Database and SMTP server settings  1111
Configure Deletion Settings and Accepted Domains  1113
Configure User Notification settings  1114
Configure Logging settings  1117
Configure Quarantine Server rules  1118
Define the Quarantine Server location on the Firebox or XTM device  1120
About the Quarantine Server Client  1121
Manage quarantined messages  1122
Manage Quarantine Server users  1125
Get statistics on Quarantine Server activity  1127
Examples  1128
Configure user notification with Microsoft Exchange Server 2003 or 2007  1128
1
Introduction to Network Security
About networks and network security
A network is a group of computers and other devices that are connected to each other. It can be two
computers in the same room, dozens of computers in an organization, or many computers around the
world connected through the Internet. Computers on the same network can work together and share data.
Although networks like the Internet give you access to a large quantity of information and business
opportunities, they can also open your network to attackers. Many people think that their computers hold
no important information, or that a hacker is not interested in their computers. This is not correct. A hacker
can use your computer as a platform to attack other computers or networks. Information from your
organization, including personal information about users, employees, or customers, is also valuable to
hackers.
Your Firebox or XTM device and LiveSecurity subscription can help you prevent these attacks. A good
network security policy, a set of access rules for users and resources, can also help you find and prevent
attacks on your computer or network. We recommend that you configure your Firebox or XTM device to
match your security policy, and think about threats from both inside and outside your organization.
About Internet connections
ISPs (Internet service providers) are companies that give access to the Internet through network
connections. The rate at which a network connection can send data is known as bandwidth: for example, 3
megabits per second (Mbps).
A high-speed Internet connection, such as a cable modem or a DSL (Digital Subscriber Line), is known as a
broadband connection. Broadband connections are much faster than dial-up connections. The bandwidth of
a dial-up connection is less than 0.1 Mbps, while a cable modem can be 5 Mbps or more.
Actual cable modem speeds are usually lower than the maximum, because every subscriber in a
neighborhood is a member of one LAN, and each computer on that LAN uses some of the bandwidth. Because
of this shared-medium design, cable modem connections can become slow when more users are on the
network.
DSL connections supply constant bandwidth, but they are usually slower than cable modem connections.
Also, the bandwidth is only constant between your home or office and the DSL central office. The DSL
central office cannot guarantee a good connection to a web site or network.
How information travels on the Internet
The data that you send through the Internet is cut into units, or packets. Each packet carries the Internet
address of its destination, so the packets that make up one connection can take different routes through
the Internet. When they all arrive at the destination, they are reassembled in the original order.
About protocols
A protocol is a group of rules that allow computers to connect across a network. Protocols are the
grammar of the language that computers use when they speak to each other across a network. The
standard protocol when you connect to the Internet is the IP (Internet Protocol). This protocol is the usual
language of computers on the Internet.
A protocol also tells how data is sent through a network. The most frequently used protocols are TCP
(Transmission Control Protocol) and UDP (User Datagram Protocol). TCP/IP is the basic protocol used by
computers that connect to the Internet.
You must know some of the TCP/IP settings when you set up your Firebox or XTM device. For more
information on TCP/IP, see Find your TCP/IP properties on page 39.
About IP addresses
To send ordinary mail to a person, you must know his or her street address. For one computer on the
Internet to send data to a different computer, it must know the address of that computer. A computer
address is known as an Internet Protocol (IP) address. All devices on the Internet have unique IP addresses,
which enable other devices on the Internet to find and interact with them.
An IP address consists of four octets (8-bit binary number sequences) expressed in decimal format and
separated by periods. Each number between the periods must be within the range of 0 and 255. Some
examples of IP addresses are:
- 206.253.208.100
- 4.2.2.2
- 10.0.4.1
Private addresses and gateways
Many companies create private networks that have their own address space. The addresses 10.x.x.x and
192.168.x.x are reserved for private IP addresses. Computers on the Internet cannot use these addresses. If
your computer is on a private network, you connect to the Internet through a gateway device that has a
public IP address.
Usually, the default gateway is the router that is between your network and the Internet. After you install
the Firebox or XTM device on your network, it becomes the default gateway for all computers connected to
its trusted or optional interfaces.
About subnet masks
Because of security and performance considerations, networks are often divided into smaller portions
called subnets. All devices in a subnet have similar IP addresses. For example, all devices that have IP
addresses whose first three octets are 50.50.50 would belong to the same subnet.
A subnet mask, or netmask, is a series of bits that identifies which part of an IP address is the network
portion and which part is the host portion. A subnet mask can be written in the same dotted-decimal form
as an IP address, or in slash or CIDR notation.
About slash notation
Your Firebox or XTM device uses slash notation for many purposes, including policy configuration. Slash
notation, also known as CIDR (Classless Inter-Domain Routing) notation, is a compact way to show or write a
subnet mask. When you use slash notation, you write the IP address, a forward slash (/), and the subnet
mask number.
To find the subnet mask number:
1. Convert the decimal representation of the subnet mask to a binary representation.
2. Count each “1” in the subnet mask. The total is the subnet mask number.
For example, you want to write the IP address 192.168.42.23 with a subnet mask of 255.255.255.0 in slash
notation.
1. Convert the subnet mask to binary.
In this example, the binary representation of 255.255.255.0 is:
11111111.11111111.11111111.00000000.
2. Count each "1" in the subnet mask.
In this example, there are twenty-four (24).
3. Write the original IP address, a forward slash (/), and then the number from Step 2.
The result is 192.168.42.23/24.
This table shows common network masks and their equivalents in slash notation.
Network mask      Slash equivalent
255.0.0.0         /8
255.255.0.0       /16
255.255.255.0     /24
255.255.255.128   /25
255.255.255.192   /26
255.255.255.224   /27
255.255.255.240   /28
255.255.255.248   /29
255.255.255.252   /30
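As an added worked example (not from the guide), the following Python code carries the three-step procedure above into functions: it writes the mask in binary, counts the 1 bits, and appends the count after a forward slash. It also rejects a mask whose 1 bits are not contiguous (255.0.255.0, for instance, has no slash equivalent), converts back from /N to dotted-decimal so the table above can be regenerated, and uses the standard-library ipaddress module only to derive the network and broadcast addresses. The sample address and mask are the ones used in the guide's example.

```python
"""Convert a dotted-decimal subnet mask to slash (CIDR) notation and back.

Added example; it is not part of the WatchGuard guide. Only the Python
standard library is used.
"""
import ipaddress


def mask_to_binary(mask: str) -> str:
    """Step 1: show a dotted-decimal mask as four 8-bit binary groups."""
    octets = [int(part) for part in mask.split(".")]
    if len(octets) != 4 or any(not 0 <= octet <= 255 for octet in octets):
        raise ValueError(f"not a dotted-decimal mask: {mask!r}")
    return ".".join(f"{octet:08b}" for octet in octets)


def mask_to_prefix(mask: str) -> int:
    """Step 2: count the 1 bits.

    A valid mask is a run of 1 bits followed by a run of 0 bits; anything
    else (for example 255.0.255.0) has no slash-notation equivalent and is
    rejected rather than silently accepted.
    """
    bits = mask_to_binary(mask).replace(".", "")
    ones = bits.count("1")
    if bits != "1" * ones + "0" * (32 - ones):
        raise ValueError(f"mask bits are not contiguous: {mask}")
    return ones


def prefix_to_mask(prefix: int) -> str:
    """Reverse direction: /prefix back to dotted-decimal."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    value = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_slash_notation(ip: str, mask: str) -> str:
    """Step 3: the address, a forward slash, and the number from step 2."""
    ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    return f"{ip}/{mask_to_prefix(mask)}"


def describe_subnet(ip: str, mask: str) -> dict:
    """Network address, broadcast address and usable host count for a host
    address plus mask, as an administrator reads them when writing policies."""
    net = ipaddress.ip_network(to_slash_notation(ip, mask), strict=False)
    return {
        "cidr": str(net),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": max(net.num_addresses - 2, 0),
    }


if __name__ == "__main__":
    print(mask_to_binary("255.255.255.0"))          # 11111111.11111111.11111111.00000000
    print(to_slash_notation("192.168.42.23", "255.255.255.0"))  # 192.168.42.23/24
    print(describe_subnet("192.168.42.23", "255.255.255.0"))
    # Regenerate the table of common masks from the prefix lengths.
    for prefix in (8, 16, 24, 25, 26, 27, 28, 29, 30):
        print(f"{prefix_to_mask(prefix):<16} /{prefix}")
```

The contiguity check matters when a mask is typed by hand: a mask such as 255.255.0.255 would be accepted by a naive bit count (still 24 ones) but describes no valid network, so the function refuses it instead of producing a misleading /24.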
About entering IP addresses
When you type IP addresses in the Quick Setup Wizard or dialog boxes, type the digits and decimals in the
correct sequence. Do not use the TAB key, arrow keys, spacebar, or mouse to put your cursor after the
decimals.
For example, if you type the IP address 172.16.1.10, do not type a space after you type 16. Do not try to put
your cursor after the subsequent decimal to type 1. Type a decimal directly after 16, and then type 1.10.
Press the slash (/) key to move to the netmask.
Static and dynamic IP addresses
ISPs (Internet service providers) assign an IP address to each device on their network. The IP address can be
static or dynamic.
Static IP addresses
A static IP address is an IP address that always stays the same. If you have a web server, FTP server, or other
Internet resource that must have an address that cannot change, you can get a static IP address from your
ISP. A static IP address is usually more expensive than a dynamic IP address, and some ISPs do not supply
static IP addresses. You must configure a static IP address manually.
Dynamic IP addresses
A dynamic IP address is an IP address that an ISP lets you use temporarily. If a dynamic address is not in use,
it can be automatically assigned to a different device. Dynamic IP addresses are assigned using either DHCP
or PPPoE.
About DHCP
Dynamic Host Configuration Protocol (DHCP) is an Internet protocol that computers on a network use to get
IP addresses and other information such as the default gateway. When you connect to the Internet, a
computer configured as a DHCP server at the ISP automatically assigns you an IP address. It could be the
same IP address you had before, or it could be a new one. When you close an Internet connection that uses
a dynamic IP address, the ISP can assign that IP address to a different customer.
You can configure your Firebox or XTM device as a DHCP server for networks behind the device. You assign
a range of addresses for the DHCP server to use.
About PPPoE
Some ISPs assign IP addresses through Point-to-Point Protocol over Ethernet (PPPoE). PPPoE adds some of
the features of Ethernet and PPP to a standard dial-up connection. This network protocol allows the ISP to
use the billing, authentication, and security systems of their dial-up infrastructure with DSL modem and
cable modem products.
About DNS (Domain Name System)
You can frequently find the address of a person you do not know in the telephone directory. On the
Internet, the equivalent of a telephone directory is the DNS (Domain Name System). DNS is a network of
servers that translate numeric IP addresses into readable Internet addresses, and vice versa. DNS takes the
friendly domain name you type when you want to see a particular web site, such as www.example.com,
and finds the equivalent IP address, such as 50.50.50.1. Network devices need the actual IP address to find
the web site, but domain names are much easier for users to type and remember than IP addresses.
A DNS server is a server that performs this translation. Many organizations have a private DNS server in their
network that responds to DNS requests. You can also use a DNS server on your external network, such as a
DNS server provided by your ISP (Internet Service Provider).
About firewalls
A network security device, such as a firewall, separates your internal networks from external network
connections to decrease the risk of an external attack. The figure below shows how a firewall protects the
computers on a trusted network from the Internet.
Firewalls use access policies to identify and filter different types of information. They can also control which
policies or ports the protected computers can use on the Internet (outbound access). For example, many
firewalls have sample security policies that allow only specified traffic types. Users can select the policy that
is best for them. Other firewalls, such as Firebox or XTM devices, allow the user to customize these policies.
For more information, see About services and policies on page 7 and About ports on page 8.
Firewalls can be in the form of hardware or software. A firewall protects private networks from
unauthorized users on the Internet. Traffic that enters or leaves the protected networks is examined by the
firewall. The firewall denies network traffic that does not match the security criteria or policies.
In a closed, or default-deny, firewall, all network connections are denied unless a specific rule allows
the connection. To deploy this type of firewall, you must have detailed information about the network
applications required to meet the needs of your organization. Other firewalls allow all network
connections that have not been explicitly denied. This type of open firewall is easier to deploy, but it is
not as secure.
About services and policies
You use a service to send different types of data (such as email, files, or commands) from one computer to
another across a network or to a different network. These services use protocols. Frequently used Internet
services are:
- World Wide Web access uses Hypertext Transfer Protocol (HTTP)
- Email uses Simple Mail Transfer Protocol (SMTP) or Post Office Protocol (POP3)
- File transfer uses File Transfer Protocol (FTP)
- Resolution of a domain name to an Internet address uses the Domain Name System (DNS)
- Remote terminal access uses Telnet or SSH (Secure Shell)
When you allow or deny a service, you must add a policy to your Firebox or XTM device configuration. Each
policy you add can also add a security risk. To send and receive data, you must open a door in your
computer, which puts your network at risk. We recommend that you add only the policies that are
necessary for your business.
As an example of how you can use a policy, suppose the network administrator of a company wants to
activate a Windows terminal services connection to the company’s public web server on the optional
interface of the Firebox or XTM device. He or she routinely administers the web server with a Remote
Desktop connection. At the same time, he or she wants to make sure that no other network users can use
the Remote Desktop Protocol terminal services through the Firebox or XTM device. The network
administrator would add a policy that allows RDP connections only from the IP address of his or her own
desktop computer to the IP address of the public web server.
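The following Python code is an added example, not part of the guide and not the Firebox policy language; it shows the RDP policy described above evaluated by a default-deny rule set, and how the same unlisted connection fares under a default-allow (open) firewall. The addresses, policy names and connection attempts are constructed for illustration; only the RDP port number (TCP 3389) is a real, well-known assignment.

```python
"""A default-deny policy check, in the spirit of the RDP example above.

Added example; not WatchGuard code. Addresses, policy names and
connections are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Connection:
    protocol: str   # "tcp" or "udp"
    dst_port: int   # port of the process that should receive the data
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class Policy:
    name: str
    action: str     # "allow" or "deny"
    protocol: str
    port: int       # destination port the service listens on
    src: str        # source network in slash notation; 0.0.0.0/0 means any
    dst: str        # destination network in slash notation

    def matches(self, conn: Connection) -> bool:
        return (
            self.protocol == conn.protocol
            and self.port == conn.dst_port
            and ip_address(conn.src_ip) in ip_network(self.src)
            and ip_address(conn.dst_ip) in ip_network(self.dst)
        )


def evaluate(conn: Connection, policies: list, default: str = "deny") -> tuple:
    """First matching policy wins. If nothing matches, the firewall's default
    applies: "deny" for a closed firewall, "allow" for an open one."""
    for policy in policies:
        if policy.matches(conn):
            return policy.action, policy.name
    return default, "default"


# Constructed (hypothetical) addresses: the administrator's desktop on the
# trusted network and the public web server on the optional network.
ADMIN_DESKTOP = "10.0.1.25/32"
WEB_SERVER = "10.0.2.10/32"

# RDP is TCP port 3389. The first policy allows it only from the admin desktop
# to the web server, as in the guide's example; every other RDP attempt falls
# through to the default. The second policy lets the trusted network browse.
POLICIES = [
    Policy("RDP-admin-only", "allow", "tcp", 3389, ADMIN_DESKTOP, WEB_SERVER),
    Policy("HTTP-out", "allow", "tcp", 80, "10.0.1.0/24", "0.0.0.0/0"),
]

# Constructed connection attempts.
ATTEMPTS = {
    "admin_rdp": Connection("tcp", 3389, "10.0.1.25", "10.0.2.10"),
    "other_rdp": Connection("tcp", 3389, "10.0.1.40", "10.0.2.10"),
    "user_http": Connection("tcp", 80, "10.0.1.40", "203.0.113.5"),
    "external_rdp": Connection("tcp", 3389, "198.51.100.7", "10.0.2.10"),
}


def decisions(default: str = "deny") -> dict:
    """Decision (action, policy name) for every constructed attempt."""
    return {name: evaluate(conn, POLICIES, default) for name, conn in ATTEMPTS.items()}


if __name__ == "__main__":
    for name, (action, rule) in decisions().items():
        print(f"{name:<13} {action:<5} ({rule})")
    # The same unlisted RDP attempt on an open (default-allow) firewall:
    print("open firewall, other_rdp:", decisions("allow")["other_rdp"])
```

With the default set to "deny", the only RDP connection that passes is the one from the administrator's desktop; the attempt from another trusted host and the one from an external address both hit the default and are dropped. Switching the default to "allow" reproduces the open firewall described earlier: the unlisted RDP attempt is let through, which is why that design is easier to deploy but less secure.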
When you configure your Firebox or XTM device with the Quick Setup Wizard, the wizard adds only limited
outgoing connectivity. If you have more software applications and network traffic for your Firebox or XTM
device to examine, you must:
- Configure the policies on your Firebox or XTM device to pass through necessary traffic
- Set the approved hosts and properties for each policy
- Balance the requirement to protect your network against the requirements of your users to get
  access to external resources
About ports
Although computers have hardware ports you use as connection points, ports are also numbers used to
map traffic to a particular process on a computer. These ports, also called TCP and UDP ports, are where
programs transmit data. If an IP address is like a street address, a port number is like an apartment unit
number or building number within that street address. When a computer sends traffic over the Internet to
a server or another computer, it uses an IP address to identify the server or remote computer, and a port
number to identify the process on the server or computer that receives the data.
For example, suppose you want to see a particular web page. Your web browser attempts to create a
connection on port 80 (the port used for HTTP traffic) for each element of the web page. When your
browser receives the data it requests from the HTTP server, such as an image, it closes the connection.
Many ports are used for only one type of traffic, such as port 25 for SMTP (Simple Mail Transfer Protocol).
Some protocols, such as SMTP, have ports with assigned numbers. Other programs are assigned port
numbers dynamically for each connection. The IANA (Internet Assigned Numbers Authority) keeps a list of
well-known ports. You can see this list at:
http://www.iana.org/assignments/port-numbers
Most policies you add to your Firebox or XTM device configuration have a port number between 0 and
1024, but possible port numbers can be from 0 to 65535.
Ports are either open or closed. If a port is open, your computer accepts information and uses the protocol
identified with that port to create connections to other computers. However, an open port is a security risk.
To protect against risks created by open ports, you can block ports used by hackers to attack your network.
For more information, see About blocked ports on page 487.
You can also block port space probes: TCP or UDP traffic that is sent by a host to a range of ports to find
information about networks and their hosts. For more information, see About port space and address space
probes on page 477.
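As an added example (not WatchGuard's code, and not the Fireware XTM log format), the following detector flags the port space probes described above: it reads constructed firewall log lines in an invented format, groups connection attempts by source and destination host, and reports any source that touches ten or more distinct destination ports on one host inside a 60-second window, which is what a probe of a port range looks like from the firewall's side.

```python
# Added example (not WatchGuard's code): a small detector for port space probes.
# It reads constructed firewall traffic log lines, groups connection attempts by
# (source, destination) pair, and flags any source that touches at least
# PROBE_PORT_THRESHOLD distinct destination ports on one host inside a sliding
# time window. The log line format is invented for this example.
from collections import defaultdict
from datetime import datetime, timedelta
import re

PROBE_PORT_THRESHOLD = 10          # distinct ports from one source to one host
PROBE_WINDOW = timedelta(seconds=60)

# Pattern for the constructed line format:
#   2010-06-23T10:00:01 src=203.0.113.5 dst=198.51.100.10 proto=tcp dport=22
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>tcp|udp) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%S")
    d["dport"] = int(d["dport"])
    if not 0 <= d["dport"] <= 65535:   # valid port range is 0 to 65535
        return None
    return d


def detect_port_probes(lines, threshold=PROBE_PORT_THRESHOLD, window=PROBE_WINDOW):
    """Return {(src, dst): sorted distinct ports} for every (src, dst) pair where
    the source hit `threshold` or more distinct ports within `window`."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)
    probes = {}
    for pair, evs in by_pair.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until all events fit inside it
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports_in_window = {x["dport"] for x in evs[start:end + 1]}
            if len(ports_in_window) >= threshold:
                # report every distinct port this source touched on the host
                probes[pair] = sorted({x["dport"] for x in evs})
                break
    return probes


def constructed_sample_log():
    """Constructed sample log lines (not real traffic) for a stand-alone run."""
    base = datetime(2010, 6, 23, 10, 0, 0)
    fmt = "{ts:%Y-%m-%dT%H:%M:%S} src={src} dst=198.51.100.10 proto={proto} dport={port}"
    scan_ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]
    lines = []
    # fast probe: 12 ports on one host in 22 seconds
    for i, p in enumerate(scan_ports):
        lines.append(fmt.format(ts=base + timedelta(seconds=2 * i), src="203.0.113.5",
                                proto="udp" if p == 53 else "tcp", port=p))
    # slow host: the same ports, but 5 minutes apart, so never 10 inside the window
    for i, p in enumerate(scan_ports):
        lines.append(fmt.format(ts=base + timedelta(minutes=5 * i), src="203.0.113.9",
                                proto="tcp", port=p))
    # ordinary web client: only ports 80 and 443, many times
    for i in range(20):
        lines.append(fmt.format(ts=base + timedelta(seconds=i), src="192.0.2.20",
                                proto="tcp", port=80 if i % 2 else 443))
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for (src, dst), ports in detect_port_probes(constructed_sample_log()).items():
        print(f"port space probe from {src} to {dst}: {len(ports)} ports {ports}")
```

Lowering the window or the threshold makes the slow host above show up too; the trade-off is the same one the text describes between protecting the network and not blocking ordinary clients.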
2
Introduction to Fireware XTM
About Fireware XTM
Fireware XTM gives you an easy and efficient way to view, manage, and monitor each Firebox or XTM
device in your network. The Fireware XTM solution includes four software applications:
- WatchGuard System Manager (WSM)
- Fireware XTM Web UI
- Fireware XTM Command Line Interface (CLI)
- WatchGuard Server Center
You can use one or more of the Fireware XTM applications to configure your network for your organization.
For example, if you have only one Firebox X Edge e-Series product, you can perform most configuration
tasks with Fireware XTM Web UI or Fireware XTM Command Line Interface. However, for more advanced
logging and reporting features, you must use WatchGuard Server Center. If you manage more than one
Firebox or XTM device, or if you have purchased Fireware XTM with a Pro upgrade, we recommend that
you use WatchGuard System Manager (WSM). If you choose to manage and monitor your configuration with
Fireware XTM Web UI, there are some features that you cannot configure.
For more information about these limitations, see the Fireware XTM Web UI Help at:
http://www.watchguard.com/help/docs/webui/11/en-US/index.html.
For more information on how to connect to your Firebox or XTM device with Fireware XTM Web UI or
Fireware XTM Command Line Interface, see the Help or User Guide for those products. You can view and
download the most current documentation for these products on the Fireware XTM Product
Documentation page:
http://www.watchguard.com/help/documentation/xtm.asp
Fireware XTM Components
To start WatchGuard System Manager or WatchGuard Server Center from your Windows desktop, select
the shortcut from the Start Menu. You can also start WatchGuard Server Center from an icon in the System
Tray. From these applications, you can launch other tools that help you manage your network. For example,
you can launch HostWatch or Policy Manager from WatchGuard System Manager (WSM).
WatchGuard System Manager
WatchGuard System Manager (WSM) is the primary application for network management with your Firebox
or XTM device. You can use WSM to manage many different Firebox or XTM devices, even those that use
different software versions. WSM includes a comprehensive suite of tools to help you monitor and control
network traffic.
Policy Manager
You can use Policy Manager to configure your firewall. Policy Manager includes a full set of preconfigured packet filters, proxy policies, and application layer gateways (ALGs). You can also make a
custom packet filter, proxy policy, or ALG in which you set the ports, protocols, and other options.
Other features of Policy Manager help you to stop network intrusion attempts, such as SYN Flood
attacks, spoofing attacks, and port or address space probes.
For more information, see About Policy Manager.
Firebox System Manager (FSM)
Firebox System Manager gives you one interface to monitor all components of your Firebox or XTM
device. From FSM, you can see the real-time status of your Firebox or XTM device and its
configuration.
For more information, see About Firebox System Manager (FSM).
HostWatch
HostWatch is a real-time connection monitor that shows network traffic between different Firebox
or XTM device interfaces. HostWatch also shows information about users, connections, ports, and
services.
For more information, see About HostWatch.
LogViewer
LogViewer is the WatchGuard System Manager tool you use to see log file data. It can show the log
data page by page, or search and display by key words or specified log fields.
For more information, see About logging and log files.
Report Manager
You can use Report Manager to generate reports of the data collected from your Log Servers for all
your Firebox or XTM devices. From Report Manager, you can see the available WatchGuard Reports
for your Firebox or XTM devices.
For more information, see About WatchGuard Report Manager.
CA Manager
The Certificate Authority (CA) Manager shows a complete list of security certificates installed on
your management computer with Fireware XTM. You can use this application to import, configure,
and generate certificates for use with VPN tunnels and other authentication purposes.
WatchGuard Server Center
WatchGuard Server Center is the application where you configure and monitor all your WatchGuard
servers.
For more information about WatchGuard Server Center, see Set up WatchGuard Servers.
Management Server
The Management Server operates on a Windows computer. With this server, you can manage all
firewall devices and create virtual private network (VPN) tunnels using a simple drag-and-drop
function. The basic functions of the Management Server are:
- Certificate authority to distribute certificates for Internet Protocol Security (IPSec) tunnels
- VPN tunnel configuration management
- Management for multiple Firebox or XTM devices
For more information on the Management Server, see About the WatchGuard Management Server.
Log Server
The Log Server collects log messages from each WatchGuard Firebox or XTM device. These log
messages are encrypted when they are sent to the Log Server. The log message format is XML (plain
text). The information collected from firewall devices includes these log messages: traffic, event,
alarm, debug (diagnostic), and statistic.
For more information, see Set up a Log Server.
WebBlocker Server
The WebBlocker Server operates with the Firebox or XTM device HTTP proxy to deny user access to
specified categories of web sites. During Firebox or XTM device configuration, the administrator sets
the categories of web sites to allow or block.
For more information on WebBlocker and the WebBlocker Server, see About WebBlocker.
Quarantine Server
The Quarantine Server collects and isolates email messages that spamBlocker suspects to be email
spam, or emails that are suspected to have a virus.
For more information, see About the Quarantine Server.
Report Server
The Report Server periodically consolidates data collected by your Log Servers from your Firebox or
XTM devices, and then periodically generates reports. Once the data is on the Report Server, you
can use Report Manager to generate and see reports.
For more information about reports and the Report Server, see About the Report Server.
Fireware XTM Web UI and Command Line Interface
Fireware XTM Web UI and Command Line Interface are alternative management solutions that can perform
most of the same tasks as WatchGuard System Manager and Policy Manager. Some advanced configuration
options and features, such as FireCluster or proxy policy settings, are not available in Fireware XTM Web UI
or Command Line Interface.
Fireware XTM with a Pro Upgrade
The Pro upgrade to Fireware XTM provides several advanced features for experienced customers, such as
server load balancing and additional SSL VPN tunnels. The features available with a Pro upgrade depend on
the type and model of your Firebox or XTM device:
Feature
Core e-Series
and XTM 5
Series
FireCluster
VLANs
Core/Peak e-Series
and XTM 5 Series, 8
Series, and 1050 (Pro)
Edge e-Series
and XTM 2
Series
Edge e-Series and
XTM 2 Series (Pro)
X
75 max.
75 max. (Core/5 Series)
200 max. (Peak/XTM 8
Series and 1050)
20 max.
50 max.
Dynamic Routing
(OSPF and BGP)
X
Policy-Based
Routing
X
Server Load
Balancing
X
Maximum SSL
VPN Tunnels
X
X
X
X
X
X
Multi-WAN
Failover
Multi-WAN Load
Balancing
X
X
To purchase Fireware XTM with a Pro upgrade, contact your local reseller.
3
Service and Support
About WatchGuard Support
WatchGuard® knows just how important support is when you must secure your network with limited
resources. Our customers require greater knowledge and assistance in a world where security is critical.
LiveSecurity® Service gives you the backup you need, with a subscription that supports you as soon as you
register your Firebox or XTM device.
LiveSecurity Service
Your Firebox or XTM device includes a subscription to our ground-breaking LiveSecurity Service, which you
activate online when you register your product. As soon as you activate, your LiveSecurity Service
subscription gives you access to a support and maintenance program unmatched in the industry.
LiveSecurity Service comes with the following benefits:
Hardware Warranty with Advance Hardware Replacement
An active LiveSecurity subscription extends the one-year hardware warranty that is included with
each Firebox or XTM device. Your subscription also provides advance hardware replacement to
minimize downtime in case of a hardware failure. If you have a hardware failure, WatchGuard will
ship a replacement unit to you before you have to send back the original hardware.
Software Updates
Your LiveSecurity Service subscription gives you access to updates to current software and
functional enhancements for your WatchGuard products.
Technical Support
When you need assistance, our expert teams are ready to help:
- Representatives available 12 hours a day, 5 days a week in your local time zone*
- Four-hour targeted maximum initial response time
- Access to online user forums moderated by senior support engineers
Support Resources and Alerts
Your LiveSecurity Service subscription gives you access to a variety of professionally produced
instructional videos, interactive online training courses, and online tools specifically designed to
answer questions you may have about network security in general or the technical aspects of
installation, configuration, and maintenance of your WatchGuard products.
Our Rapid Response Team, a dedicated group of network security experts, monitors the Internet to
identify emerging threats. They then deliver LiveSecurity Broadcasts to tell you specifically what you
can do to address each new menace. You can customize your alert preferences to fine-tune the kind
of advice and alerts the LiveSecurity Service sends you.
LiveSecurity Service Gold
LiveSecurity Service Gold is available for companies that require 24-hour availability. This premium support
service gives expanded hours of coverage and faster response times for around-the-clock remote support
assistance. LiveSecurity Service Gold is required on each unit in your organization for full coverage.
Service Features                                      LiveSecurity Service       LiveSecurity Service Gold
Technical Support hours                               6AM–6PM, Monday–Friday*    24/7
Number of support incidents (online or by phone)      5 per year                 Unlimited
Targeted initial response time                        4 hours                    1 hour
Interactive support forum                             Yes                        Yes
Software updates                                      Yes                        Yes
Online self-help and training tools                   Yes                        Yes
LiveSecurity broadcasts                               Yes                        Yes
Installation Assistance                               Optional                   Optional
Three-incident support package                        Optional                   N/A
One-hour, single incident priority response upgrade   Optional                   N/A
Single incident after-hours upgrade                   Optional                   N/A
* In the Asia Pacific region, standard support hours are 9AM–9PM, Monday–Friday (GMT +8).
Service expiration
We recommend that you keep your subscription active to secure your organization. When your
LiveSecurity subscription expires, you lose access to up-to-the-minute security warnings and regular
software updates, which can put your network at risk. Damage to your network is much more expensive
than a LiveSecurity Service subscription renewal. If you renew within 30 days, there is no reinstatement
fee.
4
Getting Started
Before you begin
Before you begin the installation process, make sure you complete the tasks described in the subsequent
sections.
Note In these installation instructions, we assume your Firebox or XTM device has one
trusted, one external, and one optional interface configured. To configure
additional interfaces on your device, use the configuration tools and procedures
described in the Network Setup and Configuration topics.
Verify basic components
Make sure that you have these items:
- A computer with a 10/100BaseT Ethernet network interface card and a web browser installed
- A WatchGuard Firebox or XTM device
- A serial cable (blue)
  Firebox X Core, Peak, and WatchGuard XTM models only
- One crossover Ethernet cable (red)
  Firebox X Core, Peak, and WatchGuard XTM models only
- One straight Ethernet cable (green)
- Power cable or AC power adapter
Get a Firebox or XTM device feature key
To enable all of the features on your Firebox or XTM device, you must register the device on the
WatchGuard LiveSecurity web site and get your feature key. The Firebox or XTM device has only one user
license (seat license) until you apply your feature key.
If you register your Firebox or XTM device before you use the Quick Setup Wizard, you can paste a copy of
your feature key in the wizard. The wizard then applies it to your device. If you do not paste your feature
key into the wizard, you can still finish the wizard. Until you add your feature key, only one connection is
allowed to the Internet.
You also get a new feature key for any optional products or services when you purchase them. After you
register your Firebox or XTM device or any new feature, you can synchronize your Firebox or XTM device
feature key with the feature keys kept in your registration profile on the WatchGuard LiveSecurity site. You
can use WatchGuard System Manager (WSM) at any time to get your feature key.
To learn how to register your Firebox or XTM device and get a feature key, see Get a feature key from
LiveSecurity on page 62.
Gather network addresses
We recommend that you record your network information before and after you configure your Firebox or
XTM device. Use the first table below for your network IP addresses before you put the device into
operation.
WatchGuard uses slash notation to show the subnet mask. For more information, see About slash notation
on page 3. For more information on IP addresses, see About IP addresses on page 3.
Table 1: Network IP addresses without the Firebox or XTM device
Wide Area Network
_____._____._____._____ / ____
Default Gateway
_____._____._____._____
Local Area Network
_____._____._____._____ / ____
Secondary Network (if applicable) _____._____._____._____ / ____
Public Server(s) (if applicable)
_____._____._____._____
_____._____._____._____
_____._____._____._____
Use the second table for your network IP addresses after you put the Firebox or XTM device into operation.
External interface
Connects to the external network (typically the Internet) that is not trusted.
Trusted interface
Connects to the private LAN (local area network) or internal network that you want to protect.
Optional interface(s)
Usually connects to a mixed trust area of your network, such as servers in a DMZ (demilitarized
zone). You can use optional interfaces to create zones in the network with different levels of access.
Table 2: Network IP addresses with the Firebox or XTM device
Default Gateway
_____._____._____._____
External Interface
_____._____._____._____/ ____
Trusted Interface
_____._____._____._____ / ____
Optional Interface
_____._____._____._____ / ____
Secondary Network (if applicable) _____._____._____._____ / ____
Select a firewall configuration mode
You must decide how you want to connect the Firebox or XTM device to your network before you run the
Quick Setup Wizard. The way you connect the device controls the interface configuration. When you
connect the device, you select the configuration mode—routed or drop-in—that is best suited to your
current network.
Many networks operate best with mixed routing configuration, but we recommend the drop-in mode if:
- You have already assigned a large number of static IP addresses and do not want to change your network configuration.
- You cannot configure the computers on your trusted and optional networks that have public IP addresses with private IP addresses.
This table and the descriptions below the table show three conditions that can help you to select a firewall
configuration mode.
Mixed Routing Mode
- All of the Firebox or XTM device interfaces are on different networks.
- Trusted and optional interfaces must be on different networks. Each interface has an IP address on its network.
- Use static NAT (network address translation) to map public addresses to private addresses behind the trusted or optional interfaces.
Drop-in Mode
- All of the Firebox or XTM device interfaces are on the same network and have the same IP address.
- The computers on the trusted or optional interfaces can have a public IP address.
- NAT is not necessary because the computers that have public access have public IP addresses.
For more information about drop-in mode, see Drop-in Mode on page 106.
For more information about mixed routing mode, see Mixed Routing Mode on page 98.
The Firebox or XTM device also supports a third configuration mode called bridge mode. This mode is less
commonly used. For more information about bridge mode, see Bridge Mode on page 111.
Note You can use the Web Setup Wizard or the WSM Quick Setup Wizard to create your
initial configuration. When you run the Web Setup Wizard, the firewall
configuration is automatically set to mixed routing mode. When you run the WSM
Quick Setup Wizard, you can configure the device in mixed routing mode or drop-in mode.
Decide where to install server software
When you run the WatchGuard System Manager Installer, you can install WatchGuard System Manager and
the WatchGuard servers on the same computer. You can also use the same installation procedure to install
the WatchGuard servers on different computers. This helps to distribute the server load and supply
redundancy. To ensure the Management Server operates correctly, you must install it on a computer that also
has WSM installed. To decide where to install server software, you must examine the capacity of your
management computer and select the installation method that matches your environment.
If you install server software on a computer with an active desktop firewall other than Windows Firewall,
you must open the ports necessary for the servers to connect through the firewall. Windows Firewall users
do not have to change their desktop firewall configuration because the installation program opens the
necessary ports through Windows Firewall automatically.
For more information, see Install WatchGuard Servers on computers with desktop firewalls on page 35.
To start the installation process, Install WatchGuard System Manager software.
Install WatchGuard System Manager software
You install WatchGuard System Manager (WSM) software on a computer that you designate as the
management computer. You can use tools on the management computer to get access to information on
the Firebox or XTM device, such as connection and tunnel status, statistics on traffic, and log messages.
Select one Windows-based computer on your network as the management computer and install the
management software. To install the WatchGuard System Manager software, you must have administrative
privileges on the management computer. After installation, you can operate with Windows XP or Windows
2003 Power User privileges.
You can install more than one version of WatchGuard System Manager on the same management
computer. However, you can install only one version of server software on a computer at a time. For
example, you cannot have two Management Servers on the same computer.
Back up your previous configuration
If you have a previous version of WatchGuard System Manager, make a backup of your security policy
configuration before you install a new version. For instructions to make a backup of your configuration, see
Make a backup of the Firebox or XTM device image on page 47.
Download WatchGuard System Manager
You can download the most current WatchGuard System Manager software at any time from
https://www.watchguard.com/archive/softwarecenter.asp. You must log in with your LiveSecurity user
credentials. If you are a new user, before you can download the WSM software, you must create a user
profile and activate your product at http://www.watchguard.com/activate.
The management computer software is available in two encryption levels. Make sure you select the correct
encryption level. For more information, see About software encryption levels on page 24.
Note If you install one of the WSM servers on a computer with a personal firewall other
than the Microsoft Windows firewall, you must open the ports for the servers to
connect through the firewall. To allow connections to the WebBlocker Server, open
UDP port 5003. It is not necessary to change your configuration if you use the
Microsoft Windows firewall. For more information, see Install WatchGuard Servers on computers
with desktop firewalls on page 35.
To install the Management Server:
1. On the management computer, download the latest WatchGuard System Manager (WSM) software.
2. On the same computer, download the latest Fireware XTM OS.
3. Run the Installer and follow the instructions to complete the installation.
The Installer includes a Select Components page, where you select the software components or
upgrades to install.
Make sure you select the check boxes for only the components you want to install.
Some software components require a different license.
4. Run the Quick Setup Wizard. You can run this wizard from the web or as a Windows application.
- For instructions to run the wizard from the web, see Run the Web Setup Wizard on page 25.
- For instructions to run the wizard as a Windows application, see Run the WSM Quick Setup Wizard on page 28.
About software encryption levels
WatchGuard management computer software is available in these two encryption levels:
Base
Supports 40-bit encryption for Mobile VPN with PPTP tunnels. You cannot create an IPSec VPN
tunnel with this level of encryption.
Strong
Supports 40-bit and 128-bit encryption for Mobile VPN with PPTP. Also supports 56-bit and 168-bit
DES, and 128-bit, 192-bit, and 256-bit AES.
To use virtual private networking with IPSec, you must download the strong encryption software. Strong
export limits apply to the strong encryption software. It is possible that it is not available for download in
your location.
About the Quick Setup Wizard
You can use the Quick Setup Wizard to create a basic configuration for your Firebox or XTM device. The
device uses this basic configuration file when it starts for the first time. This enables it to operate as a basic
firewall. You can use this same procedure at any time to reset the device to a new basic configuration. This
is helpful for system recovery.
When you configure your Firebox or XTM device with the Quick Setup Wizard, you set only the basic
policies (TCP and UDP outgoing, FTP packet filter, ping, and WatchGuard) and interface IP addresses. If you
have more software applications and network traffic for the device to examine, you must:
- Configure the policies on the Firebox or XTM device to let the necessary traffic through
- Set the approved hosts and properties for each policy
- Balance the requirement to protect your network against the requirements of your users to connect to external resources
You can run the Quick Setup Wizard from a web browser or as a Windows application.
For instructions to run the wizard from a web browser, see Run the Web Setup Wizard on page 25.
For instructions to run the wizard as a Windows application, see Run the WSM Quick Setup Wizard on page 28.
Run the Web Setup Wizard
Note These instructions are for the Web Setup Wizard on a Firebox or XTM device that
uses Fireware XTM v11.0 or later. If your Firebox or XTM device uses an earlier
software version, you must upgrade to Fireware XTM before you use these
instructions. See the Release Notes for upgrade instructions for your Firebox or
XTM device model.
You can use the Web Setup Wizard to set up a basic configuration on any Firebox X e-Series or WatchGuard XTM
device. The Web Setup Wizard automatically configures the Firebox or XTM device for mixed routing mode.
To use the Web Setup Wizard, you must make a direct network connection to the Firebox or XTM device
and use a web browser to start the wizard. When you configure your Firebox or XTM device, it uses DHCP
to send a new IP address to your management computer.
Before you start the Web Setup Wizard, make sure you:
- Register your Firebox or XTM device with LiveSecurity Service
- Store a copy of your Firebox or XTM device feature key in a text file on your management computer
Start the Web Setup Wizard
1. Use the red crossover Ethernet cable that ships with your Firebox or XTM device to connect the
management computer to the trusted interface of the Firebox or XTM device.
   - For a Firebox X Core or Peak e-Series, or XTM device, the trusted interface is interface number 1
   - For a Firebox X Edge e-Series, the trusted interface is LAN0
2. Connect the power cord to the Firebox or XTM device power input and to a power source.
3. Start the Firebox or XTM device in factory default mode. On the Core, Peak, and XTM models, this is
known as safe mode.
For more information, see Reset a Firebox or XTM device to a previous or new configuration on page 57.
4. Make sure your management computer is configured to accept a DHCP-assigned IP address.
If your management computer uses Windows XP:
   - In the Windows Start menu, select All Programs > Control Panel > Network Connections > Local Area Connections.
   - Click Properties.
   - Select Internet Protocol (TCP/IP) and click Properties.
   - Make sure Obtain an IP Address Automatically is selected.
5. If your browser uses an HTTP proxy server, you must temporarily disable the HTTP proxy setting in
your browser.
For more information, see Disable the HTTP proxy in the browser on page 38.
6. Open a web browser and type the factory default IP address of interface 1.
For a Firebox X Core or Peak, or a WatchGuard XTM device the IP address is:
https://10.0.1.1:8080 .
For a Firebox X Edge, the address is: https://192.168.111.1:8080 .
If you use Internet Explorer, make sure you type https:// at the start of the IP address. This opens
a secure HTTP connection between your management computer and the Firebox or XTM device.
The Web Setup Wizard starts automatically.
7. Log in with the default administrator account credentials:
Username: admin
Passphrase: readwrite
8. Complete the subsequent screens of the wizard.
The Web Setup Wizard includes this set of dialog boxes. Some dialog boxes appear only if you select
certain configuration methods:
Login
Log in with the default administrator account credentials. For Username, select admin. For
Passphrase, use the passphrase: readwrite.
Welcome
The first screen tells you about the wizard.
Select a configuration type
Select whether to create a new configuration or restore a configuration from a saved backup image.
License agreement
You must accept the license agreement to continue with the wizard.
Retrieve Feature Key, Apply Feature Key, Feature key options
If your Firebox or XTM device does not already have a feature key, the wizard provides options
for you to download or import a feature key. The wizard can only download a feature key if it
has a connection to the Internet. If you have downloaded a local copy of the feature key to your
computer, you can paste that into the setup wizard.
If the Firebox or XTM device does not have an Internet connection while you run the wizard,
and you did not register the device and download the feature key to your computer before you
started the wizard, you can choose to not apply a feature key.
Note If you do not apply a feature key in the Web Setup Wizard, you must register the
device and apply the feature key in the Fireware XTM Web UI. Functionality of the
device is limited until you apply a feature key.
Configure the External Interface of your Firebox
Select the method your ISP uses to assign your IP address. The choices are DHCP, PPPoE or
Static.
Configure the External Interface for DHCP
Type your DHCP identification as supplied by your ISP.
Configure the External Interface for PPPoE
Type your PPPoE information as supplied by your ISP.
Configure the External Interface with a static IP address
Type your static IP address information as supplied by your ISP.
Configure the DNS and WINS Servers
Type the Domain DNS and WINS server addresses you want the Firebox or XTM device to use.
Configure the Trusted Interface of the Firebox
Type the IP address of the trusted interface. Optionally, you can enable the DHCP server for the
trusted interface.
Wireless (Firebox X Edge e-Series Wireless only)
Set the operating region, channel, and wireless mode. The list of wireless operating regions that
you can select may be different depending on where you purchased your Firebox or XTM
device.
For more information, see About wireless radio settings on the Firebox X Edge e-Series Wireless
device on page 208.
Create passphrases for your device
Type a passphrase for the status (read only) and admin (read/write) management accounts on
the Firebox or XTM device.
Enable remote management
Enable remote management if you want to manage this device from the external interface.
Add contact information for your device
You can type a device name, location, and contact information to save management
information for this device. By default, the device name is set to the model number of your
Firebox or XTM device. We recommend that you choose a unique name that you can use to
easily identify this device, especially if you use remote management.
Set the Time Zone
Select the time zone where the Firebox or XTM device is located.
The Quick Setup Wizard is complete
After you complete the wizard, the Firebox or XTM device restarts.
If you leave the Web Setup Wizard idle for 15 minutes or more, you must go back to Step 3 and start again.
Note If you change the IP address of the trusted interface, you must change your
network settings to make sure your IP address matches the subnet of the trusted
network before you connect to the Firebox or XTM device. If you use DHCP, restart
your computer.
After the wizard finishes
After you complete all screens in the wizard, the Firebox or XTM device is configured with a basic
configuration that includes four policies (TCP outgoing, FTP packet filter, ping, and WatchGuard) and the
interface IP addresses you specified. You can use Policy Manager to expand or change the configuration for
your Firebox or XTM device.
- For information about how to complete the installation of your Firebox or XTM device after the Web Setup Wizard is finished, see Complete your installation on page 30.
- For information about how to start WatchGuard System Manager, see Start WatchGuard System Manager on page 31.
If you have problems with the wizard
If the Web Setup Wizard is unable to install the Fireware XTM appliance software on the Firebox or XTM
device, the wizard times out. If you have problems with the wizard, check these things:
- The Fireware XTM application software file you downloaded from the LiveSecurity web site could be corrupted. If the software image is corrupted, on a Firebox X Core, Peak, or XTM device you can see this message on the LCD interface: File Truncate Error. If this message appears, download the software again and try the wizard once more.
- If you use Internet Explorer 6, clear the file cache in your web browser and try again. To clear the cache, in Internet Explorer select Tools > Internet Options > Delete Files.
Run the WSM Quick Setup Wizard
Note These instructions are for the Quick Setup Wizard on a Firebox or XTM device that
uses Fireware XTM v11.0 or later. If your device uses an earlier software version,
you must upgrade to Fireware XTM before you use these instructions. See the
Release Notes included with your device for upgrade instructions.
The Quick Setup Wizard runs as a Windows application to help you make a basic configuration file. You can
use the Quick Setup Wizard with any Firebox X Core e-Series, Firebox X Peak e-Series, or WatchGuard XTM
device. This basic configuration file allows your device to operate as a basic firewall when you start it for the
first time. After you run the Quick Setup Wizard, you can use Policy Manager to expand or change the
configuration.
The Quick Setup Wizard uses a device discovery procedure to find the Firebox or XTM device model you
want to configure. This procedure uses UDP multicast. Software firewalls (for example, the firewall in
Microsoft Windows XP SP2) can cause problems with device discovery.
Before you begin
Before you start the Quick Setup Wizard, make sure you:
- Register your Firebox or XTM device with LiveSecurity Service.
- Store a copy of your feature key in a text file on your management computer.
- Download WSM and Fireware XTM installation files from the LiveSecurity Service web site to your management computer.
- Install the WSM and Fireware XTM software on your management computer.
- Configure the management computer with a static IP address on the same network as the trusted interface of your device. Or, configure the management computer to accept an IP address assigned with DHCP.
Start the Quick Setup Wizard
1. Use the red, crossover Ethernet cable that ships with your Firebox or XTM device to connect the
management computer to the trusted interface of your device.
- For a Firebox X Core e-Series, Firebox X Peak e-Series, or XTM device, the trusted interface is interface number 1.
- For a Firebox X Edge e-Series, the trusted interface is LAN0.
2. From the Windows Start Menu, select All Programs > WatchGuard System Manager 11.x > Quick
Setup Wizard.
Or, from WatchGuard System Manager, select Tools > Quick Setup Wizard.
The Quick Setup Wizard starts.
3. Complete the wizard to set up your Firebox or XTM device with a basic configuration. The steps
include:
Identify and discover your device
Follow the instructions for device discovery. You might need to select your Firebox or XTM
device model or reconnect the crossover Ethernet cable. After the wizard discovers the
Firebox or XTM device, you give it a name that identifies this device in WatchGuard System
Manager, log files, and reports.
Select a setup procedure
Select whether you want to install the Fireware XTM OS and create a new configuration, or if
you want to only create a new configuration for your Firebox or XTM device.
Add a feature key
Follow the instructions to download the feature key from the LiveSecurity Service web site, or
browse to the location of the feature key file you previously downloaded.
Configure the external interface
You can configure the external interface with a static IP address, or you can configure it to use
an IP address assigned with DHCP or PPPoE. You must also add an IP address for the default
gateway of the Firebox or XTM device. This is the IP address of your gateway router.
Configure the internal interfaces
Select the IP addresses to use for the trusted and optional interfaces. If you want to configure
the Firebox or XTM device in drop-in mode, you can also use the external interface IP address
for these interfaces.
For more information about drop-in mode, see Drop-in Mode on page 106.
Set passphrases
You must create two passphrases for connections to the Firebox or XTM device: a status
passphrase for read-only connections and a configuration passphrase for read-write
connections. Both passphrases must be at least 8 characters long, and they must be different
from each other.
4. Click Finish to close the wizard.
The wizard saves the basic configuration to the Firebox or XTM device and to a local configuration file.
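The two passphrase rules the wizard enforces (at least 8 characters, and the status and configuration passphrases must differ) are easy to check before you type them into the wizard. The following is an added example, not WatchGuard code; the extra checks beyond the two rules in the guide (no surrounding whitespace, one passphrase must not contain the other, neither may equal the device name) are this example's own policy and are labelled as such in the code.

```python
"""Check a status (read-only) / configuration (read-write) passphrase pair
against the rules the Quick Setup Wizard enforces. Added example, not
WatchGuard code."""

MIN_LENGTH = 8  # the guide's minimum length for both passphrases


def check_passphrases(status, configuration, device_name=""):
    """Return a list of problems; an empty list means the pair is acceptable.

    The first two rules (at least 8 characters, the two passphrases must
    differ) are the wizard's own. The remaining checks are this example's
    additional policy (an assumption), not something the guide requires.
    """
    problems = []
    for label, value in (("status", status), ("configuration", configuration)):
        if len(value) < MIN_LENGTH:
            problems.append(f"{label} passphrase is shorter than {MIN_LENGTH} characters")
        if value != value.strip():
            problems.append(f"{label} passphrase has leading or trailing whitespace")
    if status == configuration:
        problems.append("status and configuration passphrases must be different")
    # Example-only extras: a read-only secret that is a substring of the
    # read-write secret gives away most of the stronger one, and the device
    # name appears in logs and reports, so neither should be a passphrase.
    if status != configuration and (status in configuration or configuration in status):
        problems.append("one passphrase contains the other")
    if device_name and device_name.lower() in (status.lower(), configuration.lower()):
        problems.append("a passphrase equals the device name")
    return problems


def passphrases_ok(status, configuration, device_name=""):
    """True when check_passphrases() finds nothing to report."""
    return not check_passphrases(status, configuration, device_name)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for pair in (("readonly-1", "readwrite-2"), ("abc", "abc"), ("wgpassphrase", "wgpassphrase2")):
        print(pair, check_passphrases(*pair) or "ok")
```

Because the status passphrase is the one used for every read-only monitoring connection (see Connect to a Firebox or XTM device below), treat it as a secret in its own right rather than as a weaker cousin of the configuration passphrase.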
After the wizard finishes
If you changed the IP address of your management computer to run the Quick Setup Wizard, you might
need to change the IP address back again after you complete the wizard. You might also need to wait a
minute or so before your Firebox or XTM device is ready, especially for the Firebox X Peak models X5500e,
X6500e, X8500e, and X8500e-F.
After you finish the wizard, the Firebox or XTM device uses a basic configuration that includes five policies
(TCP and UDP outgoing, FTP packet filter, ping, WatchGuard, and WatchGuard Web UI) and the interface IP
addresses you specified. You can use Policy Manager to change this basic configuration.
- For information about how to complete the installation of your Firebox or XTM device after the Quick Setup Wizard is finished, see Complete your installation on page 30.
- For information about how to start WatchGuard System Manager, see Start WatchGuard System Manager on page 31.
Complete your installation
After you are finished with either the Web Setup Wizard or the WSM Quick Setup Wizard, you must
complete the installation of your Firebox or XTM device on your network.
1. Put the Firebox or XTM device in its permanent physical location.
2. Make sure the default gateway of the management computer and of the rest of the trusted network is the IP
address of the trusted interface of your Firebox or XTM device.
3. To connect the management computer to your Firebox or XTM device, open WatchGuard System
Manager and select File > Connect To Device.
Note You must use the status (read-only) passphrase to connect to the Firebox or XTM
device.
4. If you use a routed configuration, make sure you change the default gateway on all the computers
that connect to your Firebox or XTM device to match the IP address of the Firebox or XTM device
trusted interface.
5. Customize your configuration as necessary for the security purposes of your business.
For more information, see the subsequent Customize your security policy section.
6. If you installed one or more WatchGuard servers, set up the servers (see Set up WatchGuard Servers).
Note If you installed WatchGuard server software on a computer with an active desktop
firewall other than Windows Firewall, you must open the ports necessary for the
servers to connect through the firewall. Windows Firewall users do not have to
change their configuration. For more information, see Install WatchGuard Servers
on computers with desktop firewalls on page 35.
Customize your security policy
Your security policy controls who can get into and out of your network, and where they can go in your
network. The configuration file of your Firebox or XTM device manages the security policies.
When you completed the Quick Setup Wizard, the configuration file that you made was only a basic
configuration. You can modify this configuration to align your security policy with the business and security
requirements of your company. You can add packet filter and proxy policies to set what you let in and out of
your network. Each policy can have an effect on your network. The policies that increase your network
security can decrease access to your network. And the policies that increase access to your network can
put the security of your network at risk. For more information on policies, see About policies on page 331.
For a new installation, we recommend that you use only packet filter policies until all your systems operate
correctly. As necessary, you can add proxy policies.
About LiveSecurity Service
Your Firebox or XTM device includes a subscription to LiveSecurity Service. Your subscription:
- Makes sure that you get the newest network protection with the newest software upgrades
- Gives solutions to your problems with full technical support resources
- Prevents service interruptions with messages and configuration help for the newest security problems
- Helps you to find out more about network security through training resources
- Extends your network security with software and other features
- Extends your hardware warranty with advanced replacement
For more information about LiveSecurity Service, see About WatchGuard Support on page 15.
Start WatchGuard System Manager
On the computer where you installed WatchGuard System Manager (WSM):
Select Start > All Programs > WatchGuard System Manager 11.x > WatchGuard System Manager
11.x.
Replace 11.x in the program path with the current version of WSM you have installed.
WatchGuard System Manager appears.
For information on how to use WatchGuard System Manager (WSM), see About WatchGuard System
Manager on page 523.
Connect to a Firebox or XTM device
1. Start WatchGuard System Manager.
2. Click the Connect To Device icon on the toolbar.
Or, select File > Connect to Device.
Or, right-click anywhere on the WSM Device Status tab and select Connect To > Device.
The Connect to Firebox dialog box appears.
3. In the Name / IP Address drop-down list, type the name or IP address of your Firebox or XTM
device.
On subsequent connections, you can select the Firebox or XTM device name or IP address in the
Name / IP Address drop-down list.
4. In the Passphrase text box, type the Firebox or XTM device status (read-only) passphrase.
You use the status passphrase to monitor traffic and Firebox or XTM device conditions. You must
type the configuration passphrase when you save a new configuration to the device.
5. (Optional) Change the value in the Timeout field. This value sets the time (in seconds) that the
management computer listens for data from the Firebox or XTM device before it sends a message
that shows that it cannot get data from the device.
If you have a slow network or Internet connection to the device, you can increase the timeout value.
Decreasing the value decreases the time you must wait for a timeout message if you try to connect
to a Firebox or XTM device that is not available.
6. Click Login.
The Firebox or XTM device appears in WatchGuard System Manager.
Disconnect from a Firebox or XTM device
1. Select the Device Status tab.
2. Select the device.
3. Click the Disconnect icon on the toolbar.
Or, select File > Disconnect.
Or, right-click and select Disconnect.
Disconnect from all Firebox or XTM devices
If you are connected to more than one Firebox or XTM device, you can disconnect from them all at the
same time.
1. Select the Device Status tab.
2. Select File > Disconnect All.
Or, right-click and select Disconnect All.
Start WSM applications
You can start these tools from WatchGuard System Manager.
Policy Manager
You can use Policy Manager to install, configure, and customize network security policies for your Firebox
or XTM device.
For more information on Policy Manager, see About Policy Manager on page 332.
To start Policy Manager:
Click the Policy Manager icon on the toolbar.
Or, select Tools > Policy Manager.
Firebox System Manager
With Firebox System Manager, you can start many different security tools in one easy-to-use interface. You
can also use Firebox System Manager to monitor real-time traffic through the firewall.
For more information on Firebox System Manager, see About Firebox System Manager (FSM) on page 669.
To start Firebox System Manager:
Click the Firebox System Manager icon on the toolbar.
Or, select Tools > Firebox System Manager.
HostWatch
HostWatch shows the connections through a Firebox or XTM device from the trusted network to the
external network, or from and to other interfaces or VLANs you choose. It shows the current connections,
or it can show historical connections from a log file.
For more information on HostWatch, see About HostWatch on page 706.
To start HostWatch:
Click the HostWatch icon on the toolbar.
Or, select Tools > HostWatch.
LogViewer
LogViewer shows a static view of a log file. You can use LogViewer to:
- Apply a filter by data type
- Search for words and fields
- Print and save to a file
For more information on LogViewer, see Use LogViewer to see log files on page 651.
To start LogViewer:
Click the LogViewer icon on the toolbar.
Or, select Tools > Logs > LogViewer.
Report Manager
WatchGuard Reports are summaries of the data that you have selected to collect from the Firebox or XTM
device log files. You can use Report Manager to see the information in your WatchGuard Reports.
For more information on Report Manager, see About WatchGuard Report Manager on page 750.
To start Report Manager:
Click the Report Manager icon on the toolbar.
Or, select Tools > Logs > Report Manager.
Quick Setup Wizard
You can use the Quick Setup Wizard to create a basic configuration for your Firebox or XTM device. The
Firebox or XTM device uses this basic configuration file when it starts for the first time. This enables the
device to operate as a basic firewall. You can use this same procedure any time you want to reset the
Firebox or XTM device to a new basic configuration for recovery or other reasons.
For more information on the Quick Setup Wizard, see About the Quick Setup Wizard on page 24.
To start the Quick Setup Wizard:
Click the Quick Setup Wizard icon on the toolbar.
Or, select Tools > Quick Setup Wizard.
CA Manager
In WatchGuard System Manager, the workstation that is configured as the Management Server also
operates as a certificate authority (CA). The CA gives certificates to managed Firebox or XTM device clients
when they contact the Management Server to receive configuration updates.
Before you can use the Management Server as a CA, you must Configure the certificate authority on the
Management Server.
To set up or change the parameters of the certificate authority:
Click the CA Manager icon on the toolbar.
Or, select Tools > CA Manager.
Additional installation topics
Install WSM and keep an older version
You can install the current version of WSM (WatchGuard System Manager) and keep the old version as long
as you do not install two versions of the WatchGuard server software (Management Server, Log Server,
Report Server, Quarantine Server, and WebBlocker Server). Because you can have only one version of the
servers installed, you must either remove the server software from the older version of WSM or install the
new version of WSM without the server software. We recommend you remove the previous version of the
server software before you install the current WSM version together with the current server software.
Install WatchGuard Servers on computers with desktop firewalls
Desktop firewalls can block the ports necessary for WatchGuard server components to operate. Before you
install the Management Server, Log Server, Report Server, Quarantine Server, or WebBlocker Server on a
computer with an active desktop firewall, you might need to open the necessary ports on the desktop
firewall. Windows Firewall users do not need to change their configuration because the installation
program opens the necessary ports in Windows Firewall automatically.
This table shows you the ports you must open on a desktop firewall.

Server Type/Appliance Software                 Protocol/Port
Management Server                              TCP 4109, TCP 4110, TCP 4112, TCP 4113
Log Server with Fireware appliance software    TCP 4115
Log Server with WFS appliance software         TCP 4107
WebBlocker Server                              TCP 5003, UDP 5003
Quarantine Server                              TCP 4119, TCP 4120
Report Server                                  TCP 4122
Log Server                                     TCP 4121
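After you open the ports on a desktop firewall and install the server software, it is worth confirming that the services are actually bound to the ports in the table. The script below is an added example, not WatchGuard code: it encodes the table above, and compares the ports the installed components need against the Proto and Local Address columns of Windows `netstat -an` output. The `SAMPLE_NETSTAT` text and the list of installed components are constructed for the example.

```python
"""Compare the ports the WatchGuard server components need (table in the
guide) against what is actually listening, as reported by `netstat -an`.
Added example; the netstat sample below is constructed."""

import re

# Port table from the guide, keyed by the table's row names.
SERVER_PORTS = {
    "Management Server": {("TCP", 4109), ("TCP", 4110), ("TCP", 4112), ("TCP", 4113)},
    "Log Server with Fireware appliance software": {("TCP", 4115)},
    "Log Server with WFS appliance software": {("TCP", 4107)},
    "WebBlocker Server": {("TCP", 5003), ("UDP", 5003)},
    "Quarantine Server": {("TCP", 4119), ("TCP", 4120)},
    "Report Server": {("TCP", 4122)},
    "Log Server": {("TCP", 4121)},
}

# Matches the Proto / Local Address / Foreign Address / State columns of
# Windows `netstat -an`, e.g. "  TCP    0.0.0.0:4115    0.0.0.0:0    LISTENING".
_NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\S+))?", re.IGNORECASE)

# Constructed sample: Management Server and Log Server (4121) are up, the
# Fireware log port 4115 only has an outbound session, WebBlocker's TCP
# listener is missing, and an unrelated Report Server port is also open.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:4109           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4110           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4112           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4113           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4121           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:4115      192.168.1.1:51022      ESTABLISHED
  TCP    [::]:4122              [::]:0                 LISTENING
  UDP    0.0.0.0:5003           *:*
"""


def required_ports(installed):
    """Union of (protocol, port) pairs for the installed server rows."""
    needed = set()
    for name in installed:
        needed |= SERVER_PORTS[name]
    return needed


def listening_ports(netstat_text):
    """Parse netstat -an output into the set of (protocol, port) bound locally.

    TCP sockets count only in LISTENING state; UDP sockets have no state
    column, so any bound UDP port counts.
    """
    bound = set()
    for line in netstat_text.splitlines():
        m = _NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, port, state = m.group(1).upper(), int(m.group(2)), m.group(3)
        if proto == "TCP" and (state or "").upper() != "LISTENING":
            continue
        bound.add((proto, port))
    return bound


def missing_listeners(installed, netstat_text):
    """Required (protocol, port) pairs that have no local listener, sorted."""
    return sorted(required_ports(installed) - listening_ports(netstat_text))


if __name__ == "__main__":
    installed = ["Management Server", "Log Server",
                 "Log Server with Fireware appliance software", "WebBlocker Server"]
    print("missing:", missing_listeners(installed, SAMPLE_NETSTAT))
```

A port that is open on the desktop firewall but has no listener, or a listener with no firewall rule, both produce the same symptom (clients time out), so check both sides when a server component cannot be reached.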
Dynamic IP support on the external interface
If you use dynamic IP addresses, you must configure your Firebox or XTM device in routed mode when you
use the Quick Setup Wizard.
If you select DHCP, your Firebox or XTM device connects to the DHCP server controlled by your Internet
service provider (ISP) to get its IP address, gateway, and netmask. This server can also give DNS server
information for your Firebox or XTM device. If it does not give you that information, you must add it
manually to your configuration. If necessary, you can change the IP addresses that your ISP gives you.
You also can use PPPoE. As with DHCP, the Firebox or XTM device makes a PPPoE protocol connection to
the PPPoE server of your ISP. This connection automatically configures your IP address, gateway, and
netmask.
If you use PPPoE on the external interface, you must have the PPP user name and password when you
configure your network. If your ISP gives you a domain name to use, type your user name in the format
user@domain when you use the Quick Setup Wizard.
A static IP address is necessary for the Firebox or XTM device to use some functions. When you configure
the Firebox or XTM device to receive dynamic IP addresses, the device cannot use these functions:
- FireCluster
- Drop-in mode
- 1-to-1 NAT on an external interface
- Mobile VPN with PPTP
Note If your ISP uses a PPPoE connection to give a static IP address, the Firebox or XTM
device allows you to enable Mobile VPN with PPTP because the IP address is static.
About connecting the Firebox or XTM device cables
- Connect the power cable to the Firebox or XTM device power input and to a power source.
- Use a straight Ethernet cable (green) to connect your management computer to a hub or switch.
- Use a different straight Ethernet cable to connect your Firebox or XTM device to the same hub or switch.
- Use a red crossover cable to connect the Firebox or XTM device trusted interface to the management computer Ethernet port.
For XTM 5 Series devices, Interface 0 does not support Auto-MDIX, which automatically senses the cable
polarity. Use these guidelines to decide which type of Ethernet cable to use with Interface 0:
- To connect Interface 0 to an interface on a switch or router that supports Auto-MDIX, you can use either Ethernet cable.
- To connect Interface 0 to an interface on an older switch or router that does not support Auto-MDIX, use the green Ethernet cable. Your switch or router might be set to a different polarity. If the green Ethernet cable does not work, try the red cross-over Ethernet cable.
- To connect Interface 0 to a PC, use the red cross-over Ethernet cable.
Connect to a Firebox or XTM device with Firefox v3
Web browsers use certificates to ensure that the device on the other side of an HTTPS connection is the
device you expect. Users see a warning when a certificate is self-signed, or when there is a mismatch
between the requested IP address or host name and the IP address or host name in the certificate. By
default, your Firebox or XTM device uses a self-signed certificate that you can use to set up your network
quickly. However, when users connect to the Firebox or XTM device with a web browser, a Secure
Connection Failed warning message appears.
To avoid this warning message, we recommend that you add a valid certificate signed by a CA (Certificate
Authority) to your configuration. This CA certificate can also be used to improve the security of VPN
authentication. For more information on the use of certificates with Firebox or XTM devices, see About
certificates on page 773.
If you continue to use the default self-signed certificate, you can add an exception for the Firebox or XTM
device on each client computer. Current versions of most Web browsers provide a link in the warning
message that the user can click to allow the connection. If your organization uses Mozilla Firefox v3, your
users must add a permanent certificate exception before they can connect to the Firebox or XTM device.
Actions that require an exception include:
- About user authentication
- Install and connect the Mobile VPN with SSL client
- Run the Web Setup Wizard
- Connect to Fireware XTM Web UI
- About Edge (v10.x and older) and SOHO devices as managed clients
Common URLs that require an exception include:
- https://IP address or host name of a Firebox or XTM device interface:8080
- https://IP address or host name of a Firebox or XTM device interface:4100
- https://IP address or host name of the Firebox or XTM device:4100/sslvpn.html
Add a certificate exception to Mozilla Firefox v3
If you add an exception in Firefox v3 for the Firebox or XTM device certificate, the warning message does
not appear on subsequent connections. You must add a separate exception for each IP address, host name,
and port used to connect to the Firebox or XTM device. For example, an exception that uses a host name
does not operate properly if you connect with an IP address. Similarly, an exception that specifies port 4100
does not apply to a connection where no port is specified.
Note A certificate exception does not make your computer less secure. All network
traffic between your computer and the Firebox or XTM device remains securely
encrypted with SSL.
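The rule that an exception is keyed on the exact host string and port (with 443 implied when the URL carries no port) explains both examples in the paragraph above: a name does not cover the IP address, and port 4100 does not cover a URL with no port. The following added example models that matching rule; it is not Mozilla or WatchGuard code, and the host `firebox.example` and address `10.0.1.1` are constructed placeholders.

```python
"""Model how a Firefox v3 certificate exception is matched: by the host
exactly as typed (name or IP) plus the port, with 443 implied when the URL
has no explicit port. Added example, not Mozilla or WatchGuard code."""

from urllib.parse import urlsplit

# Ports from the guide's list of common device URLs (Web UI and authentication).
DEVICE_PORTS = (8080, 4100)


def exception_key(url):
    """Return the (host, port) pair that an exception for this URL covers."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"certificate exceptions apply to https URLs only: {url}")
    if parts.hostname is None:
        raise ValueError(f"no host in {url}")
    return (parts.hostname, parts.port or 443)


def device_urls(host):
    """The three URL shapes listed in the guide, for one host string."""
    return (f"https://{host}:8080", f"https://{host}:4100", f"https://{host}:4100/sslvpn.html")


def required_exceptions(hosts, ports=DEVICE_PORTS):
    """Every (host, port) pair a user needs for the host strings they type.

    A name and an IP address for the same device are separate entries, as
    the guide says; the URL path plays no part.
    """
    return sorted((h, p) for h in hosts for p in ports)


def covers(stored, url):
    """True if the stored set of (host, port) exceptions covers this URL."""
    return exception_key(url) in stored


if __name__ == "__main__":
    stored = set(required_exceptions(["firebox.example"]))
    for url in ("https://firebox.example:4100", "https://10.0.1.1:4100", "https://firebox.example"):
        print(url, "->", "covered" if covers(stored, url) else "warning")
```

Because the path is ignored, the 4100 and 4100/sslvpn.html URLs in the guide's list share one exception; what multiplies the entries is the number of distinct host strings (name versus IP, or several interface addresses) and ports.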
There are two methods to add an exception. You must be able to send traffic to the Firebox or XTM device
to add an exception.
- Click the link in the Secure Connection Failed warning message.
- Use the Firefox v3 Certificate Manager to add exceptions.
In the Secure Connection Failed warning message:
1. Click Or you can add an exception.
2. Click Add Exception.
The Add Security Exception dialog box appears.
3. Click Get Certificate.
4. Select the Permanently store this exception check box.
5. Click Confirm Security Exception.
To add multiple exceptions:
1. In Firefox, select Tools > Options.
The Options dialog box appears.
2. Select Advanced.
3. Click the Encryption tab, then click View Certificates.
The Certificate Manager dialog box opens.
4. Click the Servers tab, then click Add Exception.
5. In the Location text box, type the URL to connect to the Firebox or XTM device. The most common
URLs are listed above.
6. When the certificate information appears in the Certificate Status area, click Confirm Security
Exception.
7. Click OK. To add more exceptions, repeat Steps 4–6.
Disable the HTTP proxy in the browser
Many web browsers are configured to use an HTTP proxy server to increase the download speed of web
pages. To manage or configure the Firebox or XTM device with the Web UI, your browser must connect
directly to the device. If you use an HTTP proxy server, you must temporarily disable the HTTP proxy setting
in your browser. You can enable the HTTP proxy server setting in your browser again after you set up the
Firebox or XTM device.
Use these instructions to disable the HTTP proxy in Firefox, Safari, or Internet Explorer. For other browsers,
use the browser Help system to find the necessary information. Many browsers automatically disable the
HTTP proxy feature.
Disable the HTTP proxy in Internet Explorer 6.x or 7.x
1. Open Internet Explorer.
2. Select Tools > Internet Options.
The Internet Options dialog box appears.
3. Select the Connections tab.
4. Click LAN Settings.
The Local Area Network (LAN) Settings dialog box appears.
5. Clear the Use a proxy server for your LAN check box.
6. Click OK to close the Local Area Network (LAN) Settings dialog box.
7. Click OK to close the Internet Options dialog box.
Disable the HTTP proxy in Firefox 2.x
1. Open Firefox.
2. Select Tools > Options.
The Options dialog box appears.
3. Click Advanced.
4. Select the Network tab.
5. Click Settings.
6. Click Connection Settings.
The Connection Settings dialog box appears.
7. Make sure the Direct Connection to the Internet option is selected.
8. Click OK to close the Connection Settings dialog box.
9. Click OK to close the Options dialog box.
Disable the HTTP proxy in Safari 2.0
1. Open Safari.
2. Select Preferences.
The Safari preferences dialog box appears.
3. Click Advanced.
4. Click Change Settings.
The System Preference dialog box appears.
5. Clear the Web Proxy (HTTP) check box.
6. Click Apply Now.
Find your TCP/IP properties
To learn about the properties of your network, look at the TCP/IP properties of your computer or any other
computer on the network. You must have this information to install your Firebox or XTM device:
- IP address
- Subnet mask
- Default gateway
- Whether your computer has a static or dynamic IP address
Note If your ISP assigns your computer an IP address that starts with 10, 192.168, or
172.16 to 172.31, then your ISP uses NAT (Network Address Translation) and your
IP address is private. We recommend that you get a public IP address for your
Firebox or XTM device external IP address. If you use a private IP address, you can
have problems with some features, such as virtual private networking.
To find the TCP/IP properties for your computer operating system, use the instructions in the subsequent
sections.
Find your TCP/IP properties on Microsoft Windows Vista
1. Select Start > Programs > Accessories > Command Prompt.
The Command Prompt dialog box appears.
2. At the command prompt, type ipconfig /all and press Enter.
3. Write down the values that you see for the primary network adapter.
Find your TCP/IP properties on Microsoft Windows 2000, Windows 2003,
and Windows XP
1. Select Start > All Programs > Accessories > Command Prompt.
The Command Prompt dialog box appears.
2. At the command prompt, type ipconfig /all and press Enter.
3. Write down the values that you see for the primary network adapter.
Find your TCP/IP properties on Microsoft Windows NT
1. Select Start > Programs > Command Prompt.
The Command Prompt dialog box appears.
2. At the command prompt, type ipconfig /all and press Enter.
3. Write down the values that you see for the primary network adapter.
Find your TCP/IP properties on Macintosh OS 9
1. Select the Apple menu > Control Panels > TCP/IP.
The TCP/IP dialog box appears.
2. Write down the values that you see for the primary network adapter.
Find your TCP/IP properties on Macintosh OS X 10.5
1. Select the Apple menu > System Preferences, or select the icon from the Dock.
The System Preferences dialog box appears.
2. Click the Network icon.
The Network preference pane appears.
3. Select the network adapter you use to connect to the Internet.
4. Write down the values that you see for the network adapter.
Find your TCP/IP properties on other operating systems (Unix, Linux)
1. Read your operating system guide to find the TCP/IP settings.
2. Write down the values that you see for the primary network adapter.
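On Windows, the four values you are asked to write down all appear in the `ipconfig /all` output, and the note above gives the address ranges that indicate your ISP is handing you a NAT address. The script below is an added example, not WatchGuard code: it parses a constructed `ipconfig /all` sample into the IP address, subnet mask, default gateway and static/dynamic flag, and applies the note's private-range test. The adapter name, addresses and English Windows field labels in `SAMPLE_IPCONFIG` are assumptions made for the example.

```python
"""Pull the TCP/IP properties the guide asks for (IP address, subnet mask,
default gateway, static or dynamic) out of `ipconfig /all` output and flag a
private (NAT) address. Added example; the sample output is constructed."""

import ipaddress
import re

# Constructed sample of `ipconfig /all` for one adapter. Assumption: English
# Windows XP/Vista field labels, which is what the parser matches.
SAMPLE_IPCONFIG = """
Windows IP Configuration

   Host Name . . . . . . . . . . . . : mgmt-pc

Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Example Gigabit Adapter
   Dhcp Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.111.12
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.111.1
   DHCP Server . . . . . . . . . . . : 192.168.111.1
"""

# "Key . . . . : value" lines; the key stops before the dot leaders.
_FIELD = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z0-9 -]*?)[ .]*:\s*(?P<value>.*)$")

# The three RFC 1918 ranges named in the guide's note (10, 172.16-172.31, 192.168).
PRIVATE_RANGES = tuple(ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def parse_ipconfig(text):
    """Return {adapter_name: {lower-cased field: value}} for each adapter block."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace() and raw.rstrip().endswith(":"):  # adapter header
            current = raw.strip().rstrip(":")
            sections[current] = {}
            continue
        m = _FIELD.match(raw)
        if m and current is not None:
            value = re.sub(r"\(Preferred\)$", "", m.group("value").strip()).strip()  # Vista suffix
            sections[current][m.group("key").strip().lower()] = value
    return sections


def tcpip_properties(fields):
    """The four values the guide asks you to write down for one adapter."""
    return {
        "ip_address": fields.get("ipv4 address") or fields.get("ip address"),  # Vista / XP label
        "subnet_mask": fields.get("subnet mask"),
        "default_gateway": fields.get("default gateway"),
        "dynamic": fields.get("dhcp enabled", "").lower() == "yes",
    }


def is_private(ip_text):
    """True when the address is in RFC 1918 space, i.e. NAT is in use upstream."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in PRIVATE_RANGES)


def adapter_report(ipconfig_text, adapter_name):
    """Properties for one adapter plus whether its address is a private one."""
    props = tcpip_properties(parse_ipconfig(ipconfig_text)[adapter_name])
    props["nat_suspected"] = bool(props["ip_address"]) and is_private(props["ip_address"])
    return props


if __name__ == "__main__":
    print(adapter_report(SAMPLE_IPCONFIG, "Ethernet adapter Local Area Connection"))
```

A `nat_suspected` result on the adapter that faces your ISP is the situation the note describes: features such as VPN that must be reachable from the Internet will not work until the external interface has a public address.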
5
Configuration and Management Basics
About basic configuration and management tasks
After your Firebox or XTM device is installed on your network and is set up with a basic configuration file,
you can start to add custom configuration settings. The topics in this section help you complete these basic
management and maintenance tasks.
About configuration files
A configuration file includes all configuration data, options, IP addresses, and other information that makes
up the security policy for your Firebox or XTM device. Configuration files have the extension .xml.
Policy Manager is a WatchGuard software tool that lets you make, change, and save configuration files. You
can use Policy Manager to easily examine and change your configuration file.
When you use Policy Manager, you can:
- Open a configuration file, either the configuration file currently in use on the Firebox or XTM device, or a local configuration file (a configuration file saved on your hard drive)
- Make a new configuration file
- Save the configuration file
- Make changes to existing configuration files
Open a configuration file
Network administrators often need to make changes to their network security policies. Perhaps, for
example, your company purchased a new software application, and you must open a port and protocol to a
server at a vendor location. Your company might have also purchased a new feature for your Firebox or
XTM device or hired a new employee who needs access to network resources. For all of these tasks, and
many more, you must open your configuration file, use Policy Manager to modify it, and then save the
configuration file.
Open the configuration file with WatchGuard System Manager
1. On your Windows desktop, select Start > All Programs > WatchGuard System Manager 11.x >
WatchGuard System Manager 11.x.
WatchGuard System Manager 11.x is the default name of the folder for the Start menu icons. You cannot
change this folder name when you run the installer, but you can change it through the Windows user interface.
2. Click the Connect To Device icon on the toolbar.
Or, select File > Connect To Device.
The Connect to Firebox dialog box appears.
3. From the Name / IP Address drop-down list, type or select the IP address for the trusted interface
of your Firebox or XTM device.
4. Type the status (read-only) passphrase. Click OK.
The device appears in the WatchGuard System Manager Device Status tab.
5. On the Device Status tab, select the Firebox or XTM device. Click the Policy Manager icon on the toolbar.
Or, select Tools > Policy Manager.
Policy Manager opens with the configuration file that is in use on the selected device. The changes
you make to the configuration do not take effect until you save the configuration to the Firebox or
XTM device.
Open a local configuration file
You can open configuration files that are saved on any local drive or any network drive to which your
management computer can connect.
If you want to use an existing configuration file for a Firebox or XTM device in a factory-default state, we
recommend that you first run the Quick Setup Wizard to create a basic configuration and then open the
existing configuration file.
1. In WatchGuard System Manager, click the Policy Manager icon on the toolbar.
Or, select Tools > Policy Manager.
The Policy Manager dialog box appears.
2. Select Open configuration file and click Browse.
3. Select the configuration file.
4. Click Open.
The configuration file appears in Policy Manager.
Open the configuration file with Policy Manager
1. Select File > Open > Firebox.
The Open Firebox dialog box appears.
2. From the Firebox Address or Name drop-down list, select a Firebox or XTM device.
You can also type the IP address or host name.
3. In the Status Passphrase text box, type the status (read-only) passphrase.
You must use the configuration passphrase to save the configuration to the Firebox or XTM device.
4. Click OK.
The configuration file appears in Policy Manager.
If you cannot connect to the Firebox or XTM device, try these steps:
- If the Connect to Firebox or Open Firebox dialog box immediately appears after you type the passphrase, make sure that Caps Lock is off and that you typed the passphrase correctly. The passphrase is case-sensitive.
- If the Connect to Firebox or Open Firebox dialog box times out, make sure that you have a link on the trusted interface and on your computer. Make sure that you typed the correct IP address for the trusted interface of the Firebox or XTM device. Also make sure that your computer IP address is in the same network as the trusted interface of the Firebox or XTM device.
Make a new configuration file
The Quick Setup Wizard makes a basic configuration file for your Firebox or XTM device. We recommend
that you use this as the base for each of your configuration files. You can also use Policy Manager to make a
new configuration file with only the default configuration properties.
1. In WatchGuard System Manager, before you connect to a device, click the Policy Manager icon. Or, select Tools > Policy Manager.
The Policy Manager dialog box appears.
2. Select Create a new configuration file for.
3. From the Firebox drop-down list, select the type of Firebox or XTM device for which you want to
make a new configuration file.
4. Click OK.
The Select Firebox Model and Name dialog box appears.
5. In the Model drop-down lists, select your Firebox or XTM device model. Because some groups of
features are unique to specific models, select the same model as your hardware device.
6. In the Name text box, type the name for the device configuration file. This name is also used to
identify the device if it is managed by a WatchGuard Management Server, and for logging and
reporting.
7. Click OK.
Policy Manager makes a new configuration with the file name <name>.xml, where <name> is the name
you gave the device.
Save the configuration file
If you make a new configuration file or change the current configuration file and want your changes to take
effect on the Firebox or XTM device, you must save the configuration file directly to the Firebox or XTM
device.
You can also save the current configuration file to any local drive or any network drive to which your
management computer can connect. If you plan to make one or more major changes to your configuration
file, we recommend that you save a copy of the old configuration file first. If you have problems with your
new configuration, you can restore the old version.
Save a configuration directly to the device
You can use Policy Manager to save your configuration file directly to the Firebox or XTM device.
1. Select File > Save > To Firebox.
The Save to Firebox dialog box appears.
2. In the Firebox Address or Name drop-down list, select or type an IP address or name. If you use a
name, the name must resolve through DNS.
When you type an IP address, type all the numbers and the periods. Do not use the TAB key or
arrow key.
3. Type the Configuration Passphrase. You must use the configuration passphrase to save the
configuration to the Firebox or XTM device.
4. Click OK.
Save a configuration to a local or network drive
You can use Policy Manager to save your configuration file to a local or network drive.
1. Select File > Save > As File.
You can also use CTRL-S. A standard Windows save file dialog box appears.
2. Type the name of the file.
The default location is the My Documents\My WatchGuard\configs directory. You can also save
the file in any folder you can connect to from the management computer. For better security, we
recommend that you save the files in a safe folder that no other users can get access to.
3. Click Save.
The configuration file is saved to the directory you specify.
Make a backup of the Firebox or XTM device image
A Firebox or XTM device backup image is an encrypted and saved copy of the flash disk image from the
Firebox or XTM device flash disk. It includes the Firebox or XTM device OS, configuration file, licenses, and
certificates. You can save a backup image to your management computer or to a directory on your network.
The backup image for a Firebox X Edge does not include the device OS.
We recommend that you regularly make backup files of the Firebox or XTM device image. We also
recommend that you create a backup image of the Firebox or XTM device before you make significant
changes to your configuration file, or before you upgrade your Firebox or XTM device or its OS. You can use
Policy Manager to make a backup of your device image.
1. Select File > Backup.
The Backup dialog box appears.
2. Type the Configuration Passphrase for your Firebox or XTM device.
The second part of the Backup dialog box appears.
3. Type and confirm an encryption key. This key is used to encrypt the backup file. If you lose or forget
this encryption key, you cannot restore the backup file.
4. Click Browse to select the directory in which to save the backup file.
The default location for a backup file with an “.fxi” extension is:
C:\Documents and Settings\All Users\Shared WatchGuard\backups\<Firebox or XTM device IP address>-<date>.<wsm_version>.fxi
5. Click OK.
Restore a Firebox or XTM device backup image
You can use Policy Manager to restore a previously created backup image to your Firebox or XTM device. If
your device is centrally managed, you must open Policy Manager for your device from your Management
Server to restore a backup image to your device.
For more information about how to update the configuration of a Fully Managed device, see Update the
configuration for a Fully Managed device on page 549.
1. Select File > Restore.
The Restore dialog box appears.
2. Type the configuration passphrase for your Firebox or XTM device. Click OK.
3. Type the encryption key you used when you created the backup image.
The Firebox or XTM device restores the backup image. It restarts and uses the backup image.
Make sure you wait two minutes before you connect to the Firebox or XTM device again.
The default location for a backup file with an “.fxi” extension is:
C:\Documents and Settings\All Users\Shared WatchGuard\backups\<Firebox or XTM device IP address>-<date>.<wsm_version>.fxi
If you cannot successfully restore your Firebox or XTM device image, you can reset the Firebox or XTM
device. Depending on the Firebox or XTM device model you have, you can reset a Firebox or XTM device to
its factory-default settings or rerun the Quick Setup Wizard to create a new configuration.
For more information, see Reset a Firebox or XTM device to a previous or new configuration on page 57.
Use a USB drive for system backup and restore
A WatchGuard XTM device backup image is an encrypted and saved copy of the flash disk image from the
XTM device. The backup image file includes the XTM device OS, configuration file, feature key, and
certificates.
For WatchGuard XTM 2 Series, 5 Series, 8 Series or XTM 1050 devices, you can attach a USB drive or storage
device to the USB port on the XTM device for system backup and restore procedures. When you save a
system backup image to a connected USB drive, you can restore your XTM device to a known state more
quickly.
Note You cannot use this feature on an e-Series device, because e-Series devices do not
have a USB port.
About the USB drive
The USB drive must be formatted with the FAT or FAT32 file system. If the USB drive has more than one
partition, Fireware XTM only uses the first partition. Each system backup image can be as large as 30MB. We
recommend you use a USB drive large enough to store several backup images.
Save a backup image to a connected USB drive
To do this procedure, a USB drive must be connected to your XTM device.
1. Start Firebox System Manager.
2. Select Tools > USB Drive.
The Backup/Restore to USB drive dialog box appears.
3. In the New backup image section, type a Filename for the backup image.
Or, use the default filename provided.
4. Type and confirm an Encryption key. This key is used to encrypt the backup file. If you lose or forget
this encryption key, you cannot restore the backup file.
5. Click Save to USB Drive.
The saved image appears on the list of Available device backup images after the save is complete.
Restore a backup image from a connected USB drive
To do this procedure, a USB drive must be connected to your XTM device.
1. Start Firebox System Manager.
2. Select Tools > USB Drive.
The Backup/Restore to USB drive dialog box appears.
3. From the Available backup images list, select a backup image file to restore.
4. Click Restore Selected Image.
5. Type the Encryption key you used when you created the backup image.
6. Type the configuration passphrase for your XTM device. Click OK.
7. Click Restore.
The XTM device restores the backup image. It restarts and uses the backup image.
Automatically restore a backup image from a USB drive
If a USB drive (storage device) is connected to a WatchGuard XTM device in recovery mode, the device can
automatically restore the previously backed up image from the USB drive. To use the auto-restore feature,
you must first select a backup image on the USB drive as the one you want to use for the restore process.
You must use Fireware XTM Web UI, Firebox System Manager, or Fireware XTM Command Line Interface to
select this backup image.
You can use the same backup image for more than one device, if all of the devices are from the same
WatchGuard XTM model family. For example, you can use a backup image saved from an XTM 560 as the
backup image for any other XTM 5 Series device.
Select the backup image to auto-restore
1. Start Firebox System Manager.
2. Select Tools > USB Drive.
The Backup/Restore to USB Drive dialog box appears.
3. From the Available backup images list, select a backup image file.
4. Click Use Selected Image for Auto-Restore.
5. Type the Encryption Key used to create the backup image. Click OK.
6. Type the configuration passphrase for your XTM device. Click OK.
The XTM device saves a copy of the selected backup image as the auto-restore image auto-restore.fxi. This
image is saved in the auto-restore directory on the USB drive, and is encrypted with a random encryption key
that can only be used by the automatic restore process.
If you had a previous auto-restore image saved, the auto-restore.fxi file is replaced with a copy of the
backup image you selected.
Warning If your XTM device has used a version of the Fireware XTM OS before v11.3, you
must update the recovery mode software image on the device to v11.3 for the
auto-restore feature to operate. See the Fireware XTM 11.3 Release Notes for
upgrade instructions.
Restore the backup image for an XTM 5 Series, 8 Series or XTM 1050 device
1. Attach the USB drive with the auto-restore image to a USB port on the XTM device.
2. Power off the XTM device.
3. Press the up arrow on the device front panel while you power on the device.
4. Keep the button depressed until "Recovery Mode starting" appears on the LCD display.
The device restores the backup image from the USB drive, and automatically uses the restored image after it
reboots.
If the USB drive does not contain a valid auto-restore image for this XTM device model family, the device
does not reboot and is instead started in recovery mode. If you restart the device again, it uses your current
configuration. When the device is in recovery mode, you can use the WSM Quick Setup Wizard to create a
new basic configuration.
For information about the WSM Quick Setup Wizard, see Run the WSM Quick Setup Wizard on page 28.
Restore the backup image for an XTM 2 Series device
1. Attach the USB drive with the auto-restore image to a USB port on the XTM 2 Series device.
2. Disconnect the power supply.
3. Press and hold the Reset button on the back of the device.
4. Connect the power supply while you continue to hold down the Reset button.
5. After 10 seconds, release the Reset button.
The device restores the backup image from the USB drive, and automatically uses the restored image after it
reboots.
If the USB drive does not contain a valid 2 Series auto-restore image, the auto-restore fails and the device
does not reboot. If the auto-restore process is not successful, you must disconnect and reconnect the
power supply to start the 2 Series device with factory-default settings.
For information about factory default settings, see About factory-default settings.
USB drive directory structure
When you save a backup image to a USB drive, the file is saved in a directory on the USB drive with the
same name as the serial number of your XTM device. This means that you can store backup images for
more than one XTM device on the same USB drive. When you restore a backup image, the software
automatically retrieves the list of backup images stored in the directory associated with that device.
For each device, the directory structure on the USB device is as follows, where sn is replaced by the serial
number of the XTM device:
\sn\flash-images\
\sn\configs\
\sn\feature-keys\
\sn\certs\
The backup images for a device are saved in the \sn\flash-images directory. The backup image file saved
in the flash-images directory contains the Fireware XTM OS, the device configuration, feature keys, and
certificates. The \configs, \feature-keys and \certs subdirectories are not used for any USB drive
backup and restore operations. You can use these to store additional feature keys, configuration files, and
certificates for each device.
There is also one directory at the root level of the directory structure which is used to store the designated
auto-restore backup image.
\auto-restore\
When you designate a backup image to use for automatic restore, a copy of the selected backup image file
is encrypted and stored in the \auto-restore directory with the file name auto-restore.fxi. You can
have only one auto-restore image saved on each USB drive. You can use the same auto-restore backup
image for more than one device, if the devices are from the same WatchGuard XTM model family. For example,
you can use an auto-restore image saved from an XTM 560 as the auto-restore image for any other XTM 5
Series device.
You must use the Firebox System Manager Tools > USB Drive command to create an auto-restore image. If
you manually copy and rename a backup image and store it in this directory, the automatic restore process
does not operate correctly.
Save a backup image to a USB drive connected to your
management computer
You can use Policy Manager to save a backup image to a USB drive or storage device connected to your
management computer. If you save the configuration files for multiple devices to the same USB drive, you
can attach the USB drive to any of those XTM devices for recovery.
If you use the Firebox System Manager Tools > USB Drive command to do this, the files are automatically
saved in the proper directory on the USB drive. If you use the Policy Manager File > Backup command, or if
you use Windows or another operating system to manually copy configuration files to the USB device, you
must manually create the correct serial number and flash-images directories for each device (if they do not
exist).
Before you begin
Before you begin, it is important that you understand the USB drive directory structure used by the USB
backup and restore feature. If you do not save the backup image in the correct location, the device cannot
find it when you attach the USB drive to the device.
Save the backup image
To save a backup image to a USB drive connected to your management computer, use the steps described
in Make a backup of the Firebox or XTM device image. When you select the location to save the file, select
the drive letter of the USB drive attached to your computer. If you want the backup image you save to be
recognized by the XTM device when you attach the USB drive, make sure to save the backup in the
\flash-images directory under the directory that is named with the serial number of your XTM device.
For example, if your XTM device serial number is 70A10003C0A3D, save the backup image file to this
location on the USB drive:
\70A10003C0A3D\flash-images\
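The directory layout above, and the default backup file name described under Make a backup of the Firebox or XTM device image, can be checked with a short script before the USB drive is attached to a device, so that an image copied by hand does not end up where the device cannot find it. The following Python is an added example and is not part of the guide or of WatchGuard's software. It assumes a path to the USB drive root, that the <date> segment of the default file name contains no periods (the guide does not state its format), and that only files under \sn\flash-images are listed by the device. The serial number 70A10003C0A3D is the one the guide uses; the second serial number, the date and the file contents are constructed.

```python
"""Added example, not part of the WatchGuard guide or software: lay out and audit the
USB backup directory structure described in the guide for one or more XTM devices."""
import re
import tempfile
from pathlib import Path

# Default Policy Manager backup file name from the guide:
#   <device IP address>-<date>.<wsm_version>.fxi
# Assumption (format not given in the guide): the <date> segment contains no periods.
BACKUP_NAME_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})-(?P<date>[^.]+)\.(?P<version>[\d.]+)\.fxi$"
)

# Per-serial subdirectories from the guide; only flash-images is used by USB restore.
DEVICE_SUBDIRS = ("flash-images", "configs", "feature-keys", "certs")
AUTO_RESTORE_DIR = "auto-restore"
AUTO_RESTORE_FILE = "auto-restore.fxi"


def flash_images_dir(usb_root: Path, serial: str) -> Path:
    """Directory the device searches for its images: <root>\\<sn>\\flash-images."""
    return usb_root / serial / "flash-images"


def create_device_layout(usb_root: Path, serial: str) -> Path:
    """Create the per-serial tree (idempotent) so a Policy Manager backup saved
    there is found by the device. Returns the flash-images directory."""
    for sub in DEVICE_SUBDIRS:
        (usb_root / serial / sub).mkdir(parents=True, exist_ok=True)
    return flash_images_dir(usb_root, serial)


def parse_backup_name(filename: str):
    """Split a default-named backup file into IP, date and WSM version.
    Returns None when the name does not follow the default pattern."""
    m = BACKUP_NAME_RE.match(filename)
    return m.groupdict() if m else None


def list_backup_images(usb_root: Path, serial: str) -> list:
    """Names of the .fxi images the device would list for this serial number."""
    d = flash_images_dir(usb_root, serial)
    if not d.is_dir():
        return []
    return sorted(p.name for p in d.iterdir() if p.is_file() and p.suffix == ".fxi")


def has_auto_restore_image(usb_root: Path) -> bool:
    """True if the drive carries the single designated auto-restore image."""
    return (usb_root / AUTO_RESTORE_DIR / AUTO_RESTORE_FILE).is_file()


def audit_usb_drive(usb_root: Path, serials) -> list:
    """Findings to review before attaching the drive: a missing flash-images
    directory, or an .fxi file outside flash-images, which the device will not list."""
    findings = []
    for sn in serials:
        device_dir = usb_root / sn
        if not flash_images_dir(usb_root, sn).is_dir():
            findings.append(f"{sn}: missing {sn}/flash-images directory")
        if device_dir.is_dir():
            for p in device_dir.rglob("*.fxi"):
                if p.parent.name != "flash-images":
                    rel = p.relative_to(usb_root).as_posix()
                    findings.append(f"{sn}: {rel} is outside flash-images and will not be listed")
    return findings


def demo() -> dict:
    """Build a constructed sample drive in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Serial number from the guide; the file name follows the default pattern
        # with a constructed date and the default trusted IP address.
        good = create_device_layout(root, "70A10003C0A3D")
        (good / "10.0.1.1-20100623.11.3.fxi").write_bytes(b"constructed")
        # A second (constructed) serial whose image was copied into the wrong place.
        stray = root / "70A10003C0A3E" / "configs"
        stray.mkdir(parents=True)
        (stray / "wrong-place.fxi").write_bytes(b"constructed")
        return {
            "images": list_backup_images(root, "70A10003C0A3D"),
            "parsed": parse_backup_name("10.0.1.1-20100623.11.3.fxi"),
            "findings": audit_usb_drive(root, ["70A10003C0A3D", "70A10003C0A3E"]),
            "auto_restore": has_auto_restore_image(root),
            "image_dir": good.relative_to(root).as_posix(),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it with the real USB drive letter as the root (for example Path("E:\\")) and the serial numbers of the devices you back up. The audit only reports layout problems; it cannot tell whether an auto-restore.fxi was created by the Firebox System Manager command or copied by hand, so treat that file as valid only if it was designated through Tools > USB Drive.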
Designate a backup image for auto-restore
To designate a backup image for use with the auto-restore feature, you must connect the USB drive to the
device and designate the backup image to use for auto-restore as described in Use a USB drive for system
backup and restore. If you manually save a backup image to the auto-restore directory, the automatic
restore process does not operate correctly.
Use an existing configuration for a new Firebox
or XTM device model
When you upgrade your Firebox or XTM device model, you can continue to use the same configuration file.
When you import a new feature key, the Firebox or XTM device can automatically change your existing
configuration file so that it operates correctly with a new Firebox or XTM device model.
To use an existing configuration for a new Firebox or XTM device:
1. If you have not already done so, Get a feature key from LiveSecurity for your new Firebox or XTM
device.
2. On your existing Firebox or XTM device, Open Policy Manager.
3. Select Setup > Feature Keys.
The Firebox Feature Key dialog box appears.
4. Click Remove to remove the current feature key.
5. Click Import.
The Import Firebox Feature Key dialog box appears.
6. When you got a feature key for your new Firebox or XTM device, you copied the full feature key to a
text file and saved it on your computer. Open this file and paste the contents of the feature key file
for the new Firebox or XTM device into the Import Firebox Feature Key dialog box.
7. Click OK.
The model information and features from the new feature key appear in the Firebox Feature Key dialog box.
8. Click OK.
9. If your new Firebox or XTM device model has a different number of interfaces than the old device
model, Policy Manager displays a message that advises you to verify the configuration of the
network interfaces. To review the network interface configuration, select Network > Configuration.
10. Select File > Save > To Firebox to save the configuration to the new Firebox or XTM device.
Configure a replacement Firebox or XTM device
If your Firebox or XTM device hardware fails during the warranty period, WatchGuard may replace it with
an RMA (Return Merchandise Agreement) unit of the same model. When you exchange a Firebox or XTM
device for an RMA replacement, WatchGuard Customer Care transfers the licenses from the original
Firebox or XTM device serial number to the new Firebox or XTM device serial number. All the features that
were licensed to the original Firebox or XTM device are transferred to the replacement Firebox or XTM
device.
Follow the steps in the subsequent sections to set up your new Firebox or XTM device to use the
configuration from your original Firebox or XTM device.
Save the configuration from the original Firebox or XTM device
to a file
For this procedure, you must have a saved configuration file from your original Firebox or XTM device. The
configuration file is saved by default to the My Documents\My WatchGuard\configs directory.
For instructions to save the configuration to a local file, see Save the configuration file on page 46.
Get the feature key for the replacement Firebox or XTM device
Because your replacement Firebox or XTM device has a different serial number, you must get a new
feature key for it from the Support section of the WatchGuard web site. The replacement Firebox or XTM
device is listed in your activated products list with the same Product Name as the original Firebox or XTM
device, but has the serial number of the replacement Firebox or XTM device. For instructions to get the
feature key, see Get a feature key from LiveSecurity on page 62.
Use the Quick Setup Wizard to configure basic settings
Just as with any new Firebox or XTM device, you must use the Quick Setup Wizard to create a basic
configuration for the replacement Firebox or XTM device. The Quick Setup Wizard runs either from the
web or as a Windows application.
For information about how to run the wizard from the web, see Run the Web Setup Wizard on page 25.
For information about how to run the wizard as a Windows application, see Run the WSM Quick Setup
Wizard on page 28.
Update the feature key in the original configuration file and
save to the new device
1. In WatchGuard System Manager, select Tools > Policy Manager.
2. Select Open configuration file.
3. Click Browse and select the saved configuration file from the original Firebox or XTM device.
4. Click Open. Click OK.
5. In Policy Manager, select Setup > Feature Keys.
6. Click Remove to remove the original feature key.
7. Click Import to import the new feature key.
8. Click Browse to select the replacement feature key file you downloaded from the LiveSecurity site.
Or, click Paste to paste the contents of the feature key for the replacement unit.
9. Click OK twice to close the Firebox Feature Key dialog boxes.
10. Select File > Save > To Firebox to save the configuration to the replacement Firebox or XTM device.
Configuration of the replacement Firebox or XTM device is now complete. The replacement Firebox or XTM
device now uses all the policies and configuration settings from the original Firebox or XTM device.
Reset a Firebox or XTM device to a previous or
new configuration
If your Firebox or XTM device has a severe configuration problem, you can reset the device to its factory-default
settings. For example, if you do not know the configuration passphrase or if a power interruption
causes damage to the Fireware XTM OS, you can use the Quick Setup Wizard to build your configuration
again or restore a saved configuration.
For a description of the factory-default settings, see About factory-default settings on page 58.
Note If you have a WatchGuard XTM device, you can also use safe mode to
automatically restore a system backup image from a USB storage device. For more
information, see Automatically restore a backup image from a USB drive.
Start a Firebox or XTM device in safe mode
To restore the factory-default settings for a Firebox X Core e-Series, Peak e-Series, WatchGuard XTM 5
Series, 8 Series, or 10 Series device, you must first start the Firebox or XTM device in safe mode.
1. Power off the Firebox or XTM device.
2. Press the down arrow on the device front panel while you power on the Firebox or XTM device.
3. Keep the down arrow button depressed until the device startup message appears on the LCD
display:
- For a Firebox X Core e-Series or Peak e-Series device, WatchGuard Technologies appears on
the display.
- For a WatchGuard XTM device, Safe Mode Starting... appears on the display.
When the device is in safe mode, the display shows the model number followed by the word "safe".
When you start a device in safe mode:
- The device temporarily uses the factory-default network and security settings.
- The current feature key is not removed. If you run the Quick Setup Wizard to create a new
configuration, the wizard uses the feature key you previously imported.
- Your current configuration is deleted only when you save a new configuration. If you restart the
Firebox or XTM device before you save a new configuration, the device uses your current
configuration again.
Reset a Firebox X Edge e-Series or WatchGuard XTM 2 Series
device to factory-default settings
When you reset a Firebox X Edge e-Series or an XTM 2 Series device, the original configuration settings are
replaced by the factory-default settings. To reset the device to factory-default settings:
1. Disconnect the power supply.
2. Press and hold the Reset button on the back of the device.
3. While you continue to hold down the Reset button, connect the power supply.
4. Continue to hold down the Reset button until the yellow Attn indicator stays lit. This shows that the
device successfully restored the factory-default settings.
For a Firebox X Edge e-Series, this process can take 45 seconds or more. For a 2 Series device, this process can
take 75 seconds or more.
5. Release the Reset button.
Note You must start the device again before you can connect to it. If you do not restart,
when you try to connect to the device, a web page appears with this message: Your
device is running from a backup copy of firmware. You can also see this message if
the Reset button is stuck in the depressed position. If you continue to see this
message, check the Reset button and restart the device.
6. Disconnect the power supply.
7. Connect the power supply again.
The Power Indicator lights and your device is reset.
Run the Quick Setup Wizard
After you restore the factory-default settings, you can use the Quick Setup Wizard to create a basic
configuration or restore a saved backup image.
For more information, see About the Quick Setup Wizard on page 24.
About factory-default settings
The term factory-default settings refers to the configuration on the Firebox or XTM device when you first
receive it before you make any changes. You can also reset the Firebox or XTM device to factory-default
settings as described in Reset a Firebox or XTM device to a previous or new configuration on page 57.
The default network and configuration properties for the Firebox or XTM device are:
Trusted network (Firebox X Edge e-Series)
The default IP address for the trusted network is 192.168.111.1. The subnet mask for the trusted
network is 255.255.255.0.
The default IP address and port for Fireware XTM Web UI is https://192.168.111.1:8080.
The Firebox is configured to give IP addresses to computers on the trusted network with DHCP. By
default, these IP addresses can be from 192.168.111.2 to 192.168.111.254.
Trusted network (Firebox X Core and Peak e-Series and WatchGuard XTM devices)
The default IP address for the trusted network is 10.0.1.1. The subnet mask for the trusted network
is 255.255.255.0.
The default IP address and port for the Fireware XTM Web UI is https://10.0.1.1:8080.
The Firebox or XTM device is configured to give IP addresses to computers on the trusted network
through DHCP. By default, these IP addresses can be from 10.0.1.2 to 10.0.1.254.
External network
The Firebox or XTM device is configured to get an IP address with DHCP.
Optional network
The optional network is disabled.
Firewall settings
All incoming traffic is denied. The outgoing policy allows all outgoing traffic. Ping requests received
from the external network are denied.
System Security
The Firebox or XTM device has the built-in administrator accounts admin (read-write access) and
status (read-only access). When you first configure the device with the Quick Setup Wizard, you set
the status and configuration passphrases. After you complete the Quick Setup Wizard, you can log in
to Fireware XTM Web UI with either the admin or status administrator accounts. For full
administrator access, log in with the admin user name and type the configuration passphrase. For
read-only access, log in with the status user name and type the read-only passphrase.
By default, the Firebox or XTM device is set up for local management from the trusted network only.
Additional configuration changes must be made to allow administration from the external network.
Upgrade Options
To enable upgrade options such as WebBlocker, spamBlocker, and Gateway AV/IPS, you must paste
or import the feature key that enables these features into the configuration page or use the Get
Feature Key command to activate upgrade options. If you start the Firebox or XTM device in safe
mode, you do not have to import the feature key again.
About feature keys
A feature key is a license that enables you to use a set of features on your Firebox or XTM device. You
increase the functionality of your device when you purchase an option or upgrade and get a new feature key.
When you purchase a new feature
When you purchase a new feature for your Firebox or XTM device, you must:
- Get a feature key from LiveSecurity
- Add a feature key to your Firebox or XTM device
See features available with the current feature key
Your Firebox or XTM device always has one currently active feature key. To see the features available with
this feature key:
1. Open Policy Manager.
2. Select Setup > Feature Keys.
The Firebox Feature Key dialog box appears.
The Firebox Feature Key dialog box includes:
- A list of available features
- Whether the feature is enabled or disabled
- Value assigned to the feature, such as the number of VLAN interfaces allowed
- Expiration date of the feature
- Current status on expiration, such as how many days remain before the feature expires
- The maximum number of IP addresses allowed outbound access (for Firebox X Edge XTM devices only)
- Version of software to which the feature key applies
Verify feature key compliance
To make sure all features on your Firebox or XTM device are correctly enabled on your feature key:
1. Open Policy Manager.
2. Click the Feature Key Compliance icon.
The Feature Key Compliance dialog box appears. The Description field includes a note to indicate if a feature is
in compliance with the feature key, or if it has expired.
To get a new feature key:
1. In the Feature Key Compliance dialog box, click Add Feature Key.
The Firebox Feature Key dialog box appears.
2. Either Add a feature key to your Firebox or XTM device or Download a feature key.
Get a feature key from LiveSecurity
Before you activate a new feature, or renew a subscription service, you must have a license key certificate
from WatchGuard that is not already registered on the LiveSecurity web site. When you activate the license
key, you can get the feature key that enables the activated feature on the Firebox or XTM device. You can
also retrieve an existing feature key at a later time.
Activate the license key for a feature
To activate a license key and get the feature key for the activated feature:
1. Open a web browser and go to https://www.watchguard.com/activate.
If you have not already logged in to LiveSecurity, the LiveSecurity Log In page appears.
2. Type your LiveSecurity user name and password.
The Activate Products page appears.
3. Type the serial number or license key for the product as it appears on your printed certificate. Make
sure to include any hyphens.
Use the serial number to register a new Firebox or XTM device, and the license key to register add-on features.
4. Click Continue.
The Choose Product to Upgrade page appears.
5. In the drop-down list, select the device to upgrade or renew.
If you added a device name when you registered your Firebox or XTM device, that name appears in
the list.
6. Click Activate.
The Retrieve Feature Key page appears.
7. Copy the full feature key to a text file and save it on your computer.
8. Click Finish.
Get a current feature key
You can log in to the LiveSecurity web site to get a current feature key, or you can use Firebox System
Manager to retrieve the current feature key and add it directly to your Firebox or XTM device.
When you go to the LiveSecurity web site to retrieve your feature key, you can choose to download one or
more feature keys in a compressed file. If you select multiple devices, the compressed file contains one
feature key file for each device.
To retrieve a current feature key from the LiveSecurity web site:
1. Open a web browser and go to https://www.watchguard.com/archive/manageproducts.asp.
If you have not already logged in to LiveSecurity, the LiveSecurity Log In page appears.
2. Type your LiveSecurity user name and password.
The Manage Products page appears.
3. Select Feature Keys.
The Retrieve Feature Key page appears, with a drop-down list to select a product.
4. In the drop-down list, select your Firebox or XTM device.
5. Click Get Key.
A list of all your registered devices appears. A check mark appears next to the device you selected.
6. Select Show feature keys on screen.
7. Click Get Key.
The Retrieve Feature Key page appears.
8. Copy the feature key to a text file and save it on your computer.
To use Firebox System Manager (FSM) to retrieve the current feature key:
1. Start Firebox System Manager.
2. Select Tools > Synchronize Feature Key.
The Synchronize Feature Key dialog box appears.
3. Click Yes to synchronize your feature key.
If you have connected to the device with the Status passphrase, you must also provide the Configuration
passphrase.
The Firebox or XTM device gets the feature key from the LiveSecurity web site and updates it on the Firebox or
XTM device.
Add a feature key to your Firebox or XTM device
If you purchase a new option or upgrade your Firebox or XTM device, you can use Policy Manager to add a
new feature key to enable the new features. Before you install the new feature key, you must completely
remove the old feature key.
1. Select Setup > Feature Keys.
The Firebox Feature Keys dialog box appears.
The features that are available with this feature key appear in this dialog box. This dialog box also
includes:
- Whether each feature is enabled or disabled
- A value assigned to the feature, such as the number of VLAN interfaces allowed
- The expiration date of the feature
- The amount of time that remains before the feature expires
2. Click Remove to remove the current feature key.
All feature key information is cleared from the dialog box.
3. Click Import.
The Import Firebox Feature Key dialog box appears.
4. Click Browse to find the feature key file.
Or, copy the text of the feature key file and click Paste to insert it in the text box.
5. Click OK.
The Import a Firebox Feature Key dialog box closes and the new feature key information appears in the Firebox
Feature Key dialog box.
6. Click OK.
In some instances, new dialog boxes and menu commands to configure the feature appear in Policy Manager.
7. Save the configuration file.
The feature key does not operate on the Firebox or XTM device until you save the configuration file to the
device.
Remove a feature key
1. Select Setup > Feature Keys.
The Firebox Feature Keys dialog box appears.
2. Click Remove.
All feature key information is cleared from the dialog box.
3. Click OK.
4. Save the configuration file.
See the details of a feature key
From Policy Manager, you can review the details of your current feature key.
The available details include:
- Serial number of the Firebox or XTM device to which this feature key applies
- Firebox or XTM device ID and name
- Device model and version number
- Available features
To review the details of your feature key:
1. Select Setup > Feature Keys.
The Firebox Feature Key dialog box appears.
2. Click Details.
The Feature Key Details dialog box appears.
3. Use the scroll bar to review the details of your feature key.
Download a feature key
You can download a copy of your current feature key from the Firebox or XTM device to your management
computer.
1. Select Setup > Feature Keys.
The Feature Keys dialog box appears.
2. Click Download.
The Get Firebox Feature keys dialog box appears.
3. Type the status passphrase of the device.
4. Click OK.
If you have already created a LiveSecurity user account, you can also use Firebox System Manager to
download a current feature key.
1. Start Firebox System Manager.
2. Select Tools > Synchronize Feature Key.
The Firebox or XTM device contacts the LiveSecurity web site and downloads the current feature key to your
device.
Enable NTP and add NTP servers
Network Time Protocol (NTP) synchronizes computer clock times across a network. Your Firebox or XTM
device can use NTP to get the correct time automatically from NTP servers on the Internet. Because the
Firebox or XTM device uses the time from its system clock for each log message it generates, the time must
be set correctly. You can change the NTP server that the Firebox or XTM device uses. You can also add more
NTP servers or delete existing ones, or you can set the time manually.
To use NTP, your Firebox or XTM device configuration must allow DNS. DNS is allowed in the default
configuration by the Outgoing policy. You must also configure DNS servers for the external interface before
you configure NTP.
For more information about these addresses, see Add WINS and DNS server addresses on page 119.
1. Select Setup > NTP.
The NTP Setting dialog box appears.
2. Select the Enable NTP check box.
3. To add an NTP server, type the IP address or host name of the NTP server you want to use in the text
box and click Add.
You can configure up to three NTP servers.
4. To delete a server, select the server entry in the NTP Server Names/IPs list and click Remove.
5. Click OK.
Set the time zone and basic device properties
When you run the Web Setup Wizard, you set the time zone and other basic device properties.
To change the basic device properties:
1. Open Policy Manager.
2. Click Setup > System.
The Device Configuration dialog box appears.
3. Configure these options:
Firebox model
The Firebox or XTM device model and model number, as determined by Quick Setup Wizard.
You normally do not need to change these settings. If you add a new feature key to the Firebox
or XTM device with a model upgrade, the Firebox or XTM device model in the device
configuration is automatically updated.
Name
The friendly name of the Firebox or XTM device. You can give the Firebox or XTM device a
friendly name that appears in your log files and reports. Otherwise, the log files and reports use
the IP address of the Firebox or XTM device external interface. Many customers use a Fully
Qualified Domain Name as the friendly name if they register such a name with the DNS system.
You must give the Firebox or XTM device a friendly name if you use the Management Server to
configure VPN tunnels and certificates.
Location, Contact
Type any information that could be helpful to identify and maintain the Firebox or XTM device.
These fields are filled in by the Quick Setup Wizard if you entered this information there. This
information appears on the Front Panel tab of Firebox System Manager.
Time zone
Select the time zone for the physical location of the Firebox or XTM device. The time zone
setting controls the date and time that appear in the log file and on tools such as LogViewer,
WatchGuard Reports, and WebBlocker.
4. Click OK.
About SNMP
SNMP (Simple Network Management Protocol) is used to monitor devices on your network. SNMP uses
management information bases (MIBs) to define what information and events are monitored. You must set
up a separate software application, often called an event viewer or MIB browser, to collect and manage
SNMP data.
There are two types of MIBs: standard and enterprise. Standard MIBs are definitions of network and
hardware events used by many different devices. Enterprise MIBs are used to give information about
events that are specific to a single manufacturer. Your Firebox or XTM device supports eight standard MIBs:
IP-MIB, IF-MIB, TCP-MIB, UDP-MIB, SNMPv2-MIB, SNMPv2-SMI, RFC1213-MIB, and RFC1155 SMI-MIB. It also
supports two enterprise MIBs: WATCHGUARD-PRODUCTS-MIB and WATCHGUARD-SYSTEM-CONFIG-MIB.
SNMP polls and traps
You can configure your Firebox or XTM device to accept SNMP polls from an SNMP server. The Firebox or
XTM device reports information to the SNMP server such as the traffic count from each interface, device
uptime, the number of TCP packets received and sent, and when each network interface on the Firebox or
XTM device was last modified.
An SNMP trap is an event notification your Firebox or XTM device sends to an SNMP management station.
The trap identifies when a specific condition occurs, such as a value that is more than its predefined
threshold. Your Firebox or XTM device can send a trap for any policy in Policy Manager.
An SNMP inform request is similar to a trap, but the receiver sends a response. If your Firebox or XTM device
does not get a response, it sends the inform request again until the SNMP manager sends a response. A trap
is sent only once, and the receiver does not send any acknowledgement when it gets the trap.
Enable SNMP polling
You can configure your Firebox or XTM device to accept SNMP polls from an SNMP server. Your Firebox or
XTM device reports information to the SNMP server such as the traffic count from each interface, device
uptime, the number of TCP packets received and sent, and when each network interface was last modified.
1. Select Setup > SNMP.
2. Select the version of SNMP you want to use: v1/v2c or v3.
If you chose v1/v2c, type the Community String your Firebox or XTM device must use when it
connects to the SNMP server.
If you chose v3:
- User Name — Type the user name for SNMPv3 authentication and privacy protection.
- Authentication Protocol — Select MD5 (Message Digest 5) or SHA (Secure Hash Algorithm).
- Authentication Password — Type and confirm the authentication password.
- Privacy Protocol — Select DES (Data Encryption Standard) to encrypt traffic or None to not
encrypt SNMP traffic.
- Privacy Password — Type and confirm a password to encrypt outgoing messages and decrypt
incoming messages.
3. Click OK.
To make your Firebox or XTM device able to receive SNMP polls, you must add an SNMP policy. Policy
Manager prompts you to add an SNMP policy automatically.
In the New Policy Properties dialog box:
1. In the From section, click Add.
The Add Address dialog box appears.
2. Click Add Other.
The Add Member dialog box appears.
3. In the Choose Type drop-down list, select Host IP.
4. In the Value field, type the IP address of your SNMP server computer.
5. Click OK twice to close the Add Member and Add Address dialog boxes.
The Policy tab of the new policy appears.
6. Below the To box, click Add.
The Add Address dialog box appears.
7. In the Available Members field, select Firebox. Click Add.
Firebox or XTM device appears in the Selected Members and Addresses field.
8. Click OK twice to close the Add Address and New Policy Properties dialog boxes.
9. Click Close.
Enable SNMP management stations and traps
An SNMP trap is an event notification your Firebox or XTM device sends to an SNMP management station.
The trap identifies when a specific condition occurs, such as a value that is more than its predefined
threshold. Your Firebox or XTM device can send a trap for any policy.
An SNMP inform request is similar to a trap, but the receiver sends a response. If your Firebox or XTM device
does not get a response, it sends the inform request again until the SNMP manager sends a response. A trap is
sent only once, and the receiver does not send any acknowledgement when it gets the trap.
An inform request is more reliable than a trap because your Firebox or XTM device knows whether the
inform request was received. However, inform requests consume more resources. They are held in
memory until the sender gets a response. If an inform request must be sent more than once, the retries
increase traffic. We recommend you consider whether the receipt of every SNMP notification is worth the
use of memory in the router and the increase in network traffic.
To enable SNMP inform requests, you must use SNMPv2 or SNMPv3. SNMPv1 supports only traps, not
inform requests.
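The following is an added example, not WatchGuard code: it reviews the version, authentication and privacy choices from the SNMP Settings dialog described above, together with the trap-versus-inform trade-off. SnmpSettings is a constructed stand-in for the dialog fields, not the device's configuration format, and the two sample configurations are made up.

```python
"""Review Firebox/XTM SNMP settings for the weak choices the Setup > SNMP dialog allows.

Added example, not WatchGuard code. SnmpSettings is a constructed stand-in for the
fields of the SNMP Settings dialog, not the device's configuration file format.
"""
from dataclasses import dataclass, field

# Well-known community strings that SNMP scanners try first.
DEFAULT_COMMUNITIES = {"", "public", "private"}


@dataclass
class SnmpSettings:
    version: str                              # "v1/v2c" or "v3"
    community: str = ""                       # v1/v2c only
    user_name: str = ""                       # v3 only
    auth_protocol: str = "MD5"                # "MD5" or "SHA"
    privacy_protocol: str = "None"            # "DES" or "None"
    trap_version: str = "v1"                  # SNMP Traps drop-down: "v1", "v2c" or "v3"
    management_stations: list = field(default_factory=list)


def assess_snmp(cfg: SnmpSettings) -> list:
    """Return (severity, finding) pairs; an empty list means nothing to flag."""
    findings = []
    if cfg.version == "v1/v2c":
        # v1/v2c sends the community string in clear text with every poll, so anyone
        # who can see the traffic learns it and can poll the device themselves.
        findings.append(("high", "v1/v2c community string is sent in clear text; use v3"))
        if cfg.community.lower() in DEFAULT_COMMUNITIES:
            findings.append(("high", "community string is empty or a well-known default"))
    elif cfg.version == "v3":
        if cfg.auth_protocol.upper() == "MD5":
            findings.append(("medium", "MD5 authentication selected; SHA is the stronger option offered"))
        if cfg.privacy_protocol.upper() == "NONE":
            # Authentication without a privacy protocol signs messages but does not encrypt
            # them, so interface counters and device details stay readable on the wire.
            findings.append(("medium", "privacy protocol None: SNMPv3 traffic is authenticated but not encrypted"))
        elif cfg.privacy_protocol.upper() == "DES":
            findings.append(("info", "DES is the only privacy cipher this dialog offers; its 56-bit key is weak by current standards"))
    else:
        findings.append(("high", f"unknown SNMP version {cfg.version!r}"))

    if not cfg.management_stations:
        findings.append(("info", "no SNMP management station configured, so per-policy traps cannot be sent"))
    elif cfg.trap_version == "v1":
        # SNMPv1 supports only traps: a trap is sent once and never acknowledged,
        # so a dropped notification is silently lost. Informs need v2c or v3.
        findings.append(("medium", "SNMPv1 traps: inform requests unavailable, lost notifications are not retried"))
    return findings


def worst_severity(findings) -> str:
    """Highest severity present in a findings list, or "none"."""
    order = {"high": 3, "medium": 2, "info": 1}
    return max((f[0] for f in findings), key=order.get, default="none")


# Constructed examples of a weak and a hardened configuration.
WEAK = SnmpSettings(version="v1/v2c", community="public",
                    trap_version="v1", management_stations=["10.0.1.50"])
HARDENED = SnmpSettings(version="v3", user_name="nms-poller", auth_protocol="SHA",
                        privacy_protocol="DES", trap_version="v3",
                        management_stations=["10.0.1.50"])

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{name}: worst={worst_severity(assess_snmp(cfg))}")
        for sev, msg in assess_snmp(cfg):
            print(f"  [{sev}] {msg}")
```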
Configure SNMP Management Stations
1. Select Setup > SNMP.
The SNMP Settings window appears.
2. In the SNMP Traps drop-down list, select the version of trap or inform you want to use.
SNMPv1 supports only traps, not inform requests.
3. In the SNMP Management Stations text box, type the IP address of your SNMP management station.
Click Add.
Repeat steps 2–3 to add more SNMP management stations.
4. Click OK.
Add an SNMP policy
To enable your Firebox or XTM device to receive SNMP polls, you must also add an SNMP policy.
1. Click the Add Policy icon.
Or, select Edit > Add Policy.
The Add Policies dialog box appears.
2. Expand Packet Filters, select SNMP, and click Add.
The New Policy Properties dialog box appears.
3. In the From section, click Add.
The Add Address dialog box appears.
4. Click Add Other.
The Add Member dialog box appears.
5. In the Choose Type drop-down list, select Host IP.
6. In the Value field, type the IP address of your SNMP server computer.
7. Click OK twice to close the Add Member and Add Address dialog boxes.
The Policy tab of the new policy appears.
8. In the To section, click Add.
The Add Address dialog box appears.
9. In the Available Members section, select Firebox. Click Add.
10. Click OK on each dialog box to close it. Click Close.
11. Save the configuration.
Send an SNMP trap for a policy
Your Firebox or XTM device can send an SNMP trap when traffic is filtered by a policy. You must have at
least one SNMP management station configured to enable SNMP traps.
1. Double-click the SNMP policy.
The Edit Policy Properties dialog box appears.
2. Select the Properties tab.
3. Click Logging.
The Logging and Notification dialog box appears.
4. Select the Send SNMP Trap check box.
5. Click OK to close the Logging and Notification dialog box.
6. Click OK to close the Edit Policy Properties dialog box.
About Management Information Bases (MIBs)
Fireware XTM supports two types of Management Information Bases (MIBs).
Standard MIBs
Standard MIBs are definitions of network and hardware events used by many different devices. Your
Firebox or XTM device supports these eight standard MIBs:
- IP-MIB
- IF-MIB
- TCP-MIB
- UDP-MIB
- SNMPv2-MIB
- SNMPv2-SMI
- RFC1213-MIB
- RFC1155 SMI-MIB
These MIBs include information about standard network information, such as IP addresses and
network interface settings.
Enterprise MIBs
Enterprise MIBs are used to give information about events that are specific to a single manufacturer.
Your Firebox or XTM device supports these enterprise MIBs:
- WATCHGUARD-PRODUCTS-MIB
- WATCHGUARD-SYSTEM-CONFIG-MIB
- UCD-SNMP-MIB
These MIBs include more specific information about device hardware.
When you install WatchGuard System Manager, MIBs are installed in the \My Documents\My
WatchGuard\Shared WatchGuard\SNMP directory.
About WatchGuard Passphrases, Encryption Keys, and Shared Keys
As part of your network security solution, you use passphrases, encryption keys, and shared keys. This topic
includes information about most of the passphrases, encryption keys, and shared keys you use for
WatchGuard products. It does not include information about third-party passwords or passphrases.
Information about restrictions for passphrases, encryption keys, and shared keys is also included in the
related procedures.
Create a secure passphrase, encryption key, or shared key
To create a secure passphrase, encryption key, or shared key, we recommend that you:
- Use a combination of uppercase and lowercase ASCII characters, numbers, and special characters
(for example, [email protected]).
- Do not use a word from standard dictionaries, even if you use it in a different sequence or in a
different language.
- Do not use a name. It is easy for an attacker to find a business name, familiar name, or the name of a
famous person.
As an additional security measure, we recommend that you change your passphrases, encryption keys, and
shared keys at regular intervals.
Firebox or XTM device Passphrases
A Firebox or XTM device uses two passphrases:
Status passphrase
The read-only password or passphrase that allows access to the Firebox or XTM device. When you
log in with this passphrase, you can review your configuration, but you cannot save changes to the
Firebox or XTM device. The status passphrase is associated with the user name status.
Configuration passphrase
The read-write password or passphrase that allows an administrator full access to the Firebox or
XTM device. You must use this passphrase to save configuration changes to the Firebox or XTM
device. This is also the passphrase you must use to change your Firebox or XTM device passphrases.
The configuration passphrase is associated with the user name admin.
Each of these Firebox or XTM device passphrases must be at least 8 characters.
User Passphrases
You can create user names and passphrases to use with Firebox authentication and role-based
administration.
User Passphrases for Firebox authentication
After you set this user passphrase, the characters are masked and it does not appear in simple text
again. If the passphrase is lost, you must set a new passphrase. The allowed range for this passphrase
is 8–32 characters.
User Passphrases for role-based administration
After you set this user passphrase, it does not appear again in the User and Group Properties dialog
box. If the passphrase is lost, you must set a new passphrase. This passphrase must be at least 8
characters.
Server Passphrases
Administrator passphrase
The Administrator passphrase is used to control access to the WatchGuard Server Center. You also
use this passphrase when you connect to your Management Server from WatchGuard System
Manager (WSM). This passphrase must be at least 8 characters. The Administrator passphrase is
associated with the user name admin.
Authentication server shared secret
The shared secret is the key the Firebox or XTM device and the authentication server use to secure
the authentication information that passes between them. The shared secret is case-sensitive and
must be the same on the Firebox or XTM device and the authentication server. RADIUS, SecurID, and
VASCO authentication servers all use a shared key.
Encryption Keys and Shared Keys
Log Server encryption key
The encryption key is used to create a secure connection between the Firebox or XTM device and
the Log Servers, and to avoid man-in-the-middle attacks. The allowed range for the encryption key is
8–32 characters. You can use all characters except spaces and slashes (/ or \).
Backup/Restore encryption key
This is the encryption key you create to encrypt a backup file of your Firebox or XTM device
configuration. When you restore a backup file, you must use the encryption key you selected when
you created the configuration backup file. If you lose or forget this encryption key, you cannot
restore the backup file. The encryption key must be at least 8 characters, and cannot be more than
15 characters.
VPN shared key
The shared key is a passphrase used by two devices to encrypt and decrypt the data that goes
through the tunnel. The two devices use the same passphrase. If the devices do not have the same
passphrase, they cannot encrypt and decrypt the data correctly.
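The following is an added example, not WatchGuard code: it checks a candidate passphrase, encryption key or shared key against the length, character and dictionary rules this topic states for each secret type, including the status/configuration difference rule. WEAK_WORDS is a constructed stand-in for a dictionary and name list, and the sample values are made up.

```python
"""Check a WatchGuard passphrase, encryption key or shared key against the rules stated above.

Added example, not WatchGuard code. WEAK_WORDS is a constructed stand-in for a
dictionary and name list; a real check would load a full word list.
"""
import re
import string

# (minimum, maximum) length stated in the guide for each secret; None means no maximum given.
LENGTH_RULES = {
    "status_passphrase": (8, None),
    "configuration_passphrase": (8, None),
    "firebox_auth_user_passphrase": (8, 32),
    "rba_user_passphrase": (8, None),          # role-based administration user
    "administrator_passphrase": (8, None),     # WatchGuard Server Center
    "log_server_encryption_key": (8, 32),      # also: no spaces or slashes
    "backup_encryption_key": (8, 15),
}

# Constructed stand-in for a dictionary/name list.
WEAK_WORDS = {"password", "watchguard", "firebox", "admin", "status", "summer", "seattle"}


def character_classes(value: str) -> set:
    """Which of the four recommended character classes the value uses."""
    classes = set()
    for ch in value:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("special")
    return classes


def check_secret(kind: str, value: str, *, must_differ_from=None,
                 weak_words=WEAK_WORDS) -> list:
    """Return a list of rule violations (empty means the value passes every check)."""
    problems = []
    low, high = LENGTH_RULES[kind]
    if len(value) < low:
        problems.append(f"{kind}: must be at least {low} characters")
    if high is not None and len(value) > high:
        problems.append(f"{kind}: cannot be more than {high} characters")
    if kind == "log_server_encryption_key" and re.search(r"[ /\\]", value):
        problems.append(f"{kind}: spaces and slashes (/ or \\) are not allowed")
    missing = {"lower", "upper", "digit", "special"} - character_classes(value)
    if missing:
        problems.append(f"{kind}: add {', '.join(sorted(missing))} characters")
    # Dictionary words count even in a different sequence; reversed spelling is the
    # simplest such variant, so both directions are checked here.
    folded = value.lower()
    for word in sorted(weak_words):
        if word in folded or word[::-1] in folded:
            problems.append(f"{kind}: contains dictionary word or name {word!r}")
    if must_differ_from is not None and value == must_differ_from:
        problems.append(f"{kind}: must differ from the other device passphrase")
    return problems


if __name__ == "__main__":
    # Constructed samples; the last call shows the status/configuration difference rule.
    for kind, value in (("backup_encryption_key", "Tr0ub4dor&3xyz12"),
                        ("log_server_encryption_key", "Log/Srv 1!"),
                        ("status_passphrase", "watchguard"),
                        ("firebox_auth_user_passphrase", "xK9#mQ2$vL7!")):
        print(kind, check_secret(kind, value) or "ok")
    print(check_secret("configuration_passphrase", "R3ad-Wr!te#Q", must_differ_from="R3ad-Wr!te#Q"))
```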
Change Firebox or XTM device passphrases
A Firebox or XTM device uses two passphrases:
Status passphrase
The read-only password or passphrase that allows access to the Firebox or XTM device.
Configuration passphrase
The read-write password or passphrase that allows an administrator full access to the Firebox or
XTM device.
For more information about passphrases, see About WatchGuard Passphrases, Encryption Keys, and Shared
Keys on page 74.
To change the passphrases:
1. Open the Firebox or XTM device configuration file.
2. Click File > Change Passphrases.
The Change Passphrases dialog box appears.
3. In the Firebox Address or Name drop-down list, select a Firebox or XTM device or type the IP
address or name of the Firebox or XTM device.
4. In the Configuration Passphrase text box, type the configuration (read/write) passphrase.
5. Type and confirm the new status (read-only) and configuration (read/write) passphrases. The status
passphrase must be different from the configuration passphrase.
6. Click OK.
About aliases
An alias is a shortcut that identifies a group of hosts, networks, or interfaces. When you use an alias, it is easy
to create a security policy because the Firebox or XTM device allows you to use aliases when you create
policies.
Default aliases in Policy Manager include:
- Any — Any source or destination aliases that correspond to Firebox or XTM device interfaces, such
as Trusted or External.
- Firebox — An alias for all Firebox or XTM device interfaces.
- Any-Trusted — An alias for all Firebox or XTM device interfaces configured as Trusted interfaces,
and any network you can get access to through these interfaces.
- Any-External — An alias for all Firebox or XTM device interfaces configured as External, and any
network you can get access to through these interfaces.
- Any-Optional — Aliases for all Firebox or XTM device interfaces configured as Optional, and any
network you can get access to through these interfaces.
- Any-BOVPN — An alias for any BOVPN (IPSec) tunnel.
When you use the BOVPN Policy wizard to create a policy to allow traffic through a BOVPN tunnel,
the wizard automatically creates .in and .out aliases for the incoming and outgoing tunnels.
Alias names are different from user or group names used in user authentication. With user authentication,
you can monitor a connection with a name and not as an IP address. The person authenticates with a user
name and a password to get access to Internet protocols.
For more information about user authentication, see About user authentication on page 287.
Alias members
You can add these objects to an alias:
- Host IP
- Network IP
- A range of host IP addresses
- DNS name for a host
- Tunnel address — defined by a user or group, address, and name of the tunnel
- Custom address — defined by a user or group, address, and Firebox or XTM device interface
- Another alias
- An authorized user or group
Create an alias
To create an alias to use with your security policies:
1. Select Setup > Aliases.
The Aliases dialog box appears. Pre-defined aliases appear in blue and user-defined aliases appear in black.
2. Click Add.
The Add Alias dialog box appears.
3. In the Alias Name text box, type a unique name to identify the alias.
This name appears in lists when you configure a security policy.
4. In the Description text box, type a description of the alias.
5. Click OK.
Add an address, address range, DNS name, or another alias to the alias
1. In the Add Alias dialog box, click Add.
The Add Member dialog box appears.
2. From the Choose Type drop-down list, select the type of member you want to add.
3. Type the address or name in the Value text box.
4. Click OK.
The new member appears in the Alias Members section of the Add Alias dialog box.
5. To add more members, repeat Steps 1–4.
6. Click OK.
Add an authorized user or group to the alias
1. In the Add Alias dialog box, click User.
The Add Authorized Users or Groups dialog box appears.
2. In the left Type drop-down list, select whether the user or group you want to add is authorized as a
Firewall user, a PPTP user, or an SSL VPN user.
3. In the right Type drop-down list, select User to add a user, or Group to add a group.
4. If the user or group appears in the list at the bottom of the Add Authorized Users or Groups dialog
box, select the user or group and click Select.
If the user or group does not appear in the list, it is not yet defined as an authorized user or group.
You must define it as an authorized user or group before you add it to an alias.
5. Repeat Steps 1–4 to add more members as needed.
Or, use the previous procedure to add an address, address range, DNS name, or another alias to the
alias.
6. Click OK.
For information on how to define an authorized user or group, see:
- Define a new user for Firebox authentication
- Define a new group for Firebox authentication
- Use authorized users and groups in policies
To remove an entry from the member list, select the entry and click Remove.
Define Firebox or XTM device global settings
From Policy Manager, you can select settings that control the actions of many Firebox and XTM device
features. You set basic parameters for:
- ICMP error handling
- TCP SYN checking
- TCP maximum size adjustment
- Traffic management and QoS
- Web UI port
To change the global settings:
1. Select Setup > Global Settings.
The Global Settings dialog box appears.
2. Configure the different categories of global settings as described in the subsequent sections.
3. Click OK.
4. Save the configuration file to your device.
Define ICMP error handling global settings
Internet Control Message Protocol (ICMP) controls errors in connections. It is used for two types of
operations:
- To tell client hosts about error conditions
- To probe a network to find general characteristics about the network
The Firebox or XTM device sends an ICMP error message each time an event occurs that matches one of
the parameters you selected. These messages are good tools to use when you troubleshoot problems, but
can also decrease security because they expose information about your network. If you deny these ICMP
messages, you can increase security if you prevent network probes, but this can also cause timeout delays
for incomplete connections, which can cause application problems.
Settings for global ICMP error handling are:
Fragmentation Req (PMTU)
Select this check box to allow ICMP Fragmentation Req messages. The Firebox or XTM device uses
these messages to find the MTU path.
Time Exceeded
Select this check box to allow ICMP Time Exceeded messages. A router usually sends these
messages when a route loop occurs.
Network Unreachable
Select this check box to allow ICMP Network Unreachable messages. A router usually sends these
messages when a network link is broken.
Host Unreachable
Select this check box to allow ICMP Host Unreachable messages. Your network usually sends these
messages when it cannot use a host or service.
Port Unreachable
Select this check box to allow ICMP Port Unreachable messages. A host or firewall usually sends
these messages when a network service is not available or is not allowed.
Protocol Unreachable
Select this check box to allow ICMP Protocol Unreachable messages.
To override these global ICMP settings for a specific policy, from Policy Manager:
1. On the Firewall tab, select the specific policy.
2. Double-click the policy to edit it.
The Edit Policy Properties dialog box appears.
3. Select the Advanced tab.
4. In the ICMP Error Handling drop-down list, select Specify setting.
5. Click ICMP Setting.
The ICMP Error Handling Settings dialog box appears.
6. Select the check box for only the settings you want to enable.
7. Click OK.
Enable TCP SYN checking
TCP SYN checking makes sure that the TCP three-way handshake is completed before the Firebox or XTM
device allows a data connection.
Define TCP maximum segment size adjustment global settings
The TCP segment can be set to a specified size for a connection that must have more TCP/IP layer 3
overhead (for example, PPPoE, ESP, or AH). If this size is not correctly configured, users cannot get access to
some web sites. The global TCP maximum segment size adjustment settings are:
Auto Adjustment
The Firebox or XTM device examines all maximum segment size (MSS) negotiations and changes the
MSS value to the applicable one.
No Adjustment
The Firebox or XTM device does not change the MSS value.
Limit to
You set a size adjustment limit.
Enable or disable Traffic Management and QoS
For performance testing or network debugging purposes, you can disable the Traffic Management and QoS
features.
To enable these features:
Select the Enable all traffic management and QoS features check box.
To disable these features:
Clear the Enable all traffic management and QoS features check box.
Change the Web UI port
By default, Fireware XTM Web UI uses port 8080.
To change this port:
1. In the Web UI Port text box, type or select a different port number.
2. Use the new port to connect to Fireware XTM Web UI and test the connection with the new port.
Automatic Reboot
You can schedule your Firebox or XTM device to automatically reboot at the day and time you specify.
To schedule an automatic reboot for your device:
1. Select the Schedule time for reboot check box.
2. In the adjacent drop-down list, select Daily to reboot at the same time every day, or select a day of
the week for a weekly reboot.
3. In the adjacent text boxes, type or select the hour and minute of the day (in 24-hour time format)
that you want the reboot to start.
External Console
This option is only available for Firebox X Edge devices and configurations. Select this check box to use the
serial port for console connections, such as the Fireware XTM CLI (command line interface). You cannot use
the serial port for modem failover when this option is selected, and you must restart the device to change
this setting.
Manage a Firebox or XTM device from a remote location
When you configure a Firebox or XTM device with the Quick Setup Wizard, a policy called the WatchGuard
policy is created automatically. This policy allows you to connect to and administer the Firebox or XTM
device from any computer on the trusted or optional networks. If you want to manage the Firebox or XTM
device from a remote location (any location external to the Firebox or XTM device), then you must modify
the WatchGuard policy to allow administrative connections from the IP address of your remote location.
The WatchGuard policy controls access to the Firebox or XTM device on these four TCP ports: 4103, 4105,
4117, 4118. When you allow connections in the WatchGuard policy, you allow connections to each of these
four ports.
Before you modify the WatchGuard policy, we recommend that you consider connecting to the Firebox or
XTM device with a VPN. This greatly increases the security of the connection. If this is not possible, we
recommend that you allow access from the external network to only certain authorized users and to the
smallest number of computers possible. For example, your configuration is more secure if you allow
connections from a single computer instead of from the alias “Any-External”.
1. Double-click the WatchGuard policy.
Or, right-click the WatchGuard policy and select Edit.
The Edit Policy Properties dialog box appears.
2. In the From section, click Add.
The Add Address dialog box appears.
3. Add the IP address of the external computer that connects to the Firebox or XTM device: click Add
Other, make sure Host IP is the selected type, and type the IP address.
4. To give access to an authorized user, in the Add Address dialog box, click Add User.
The Add Authorized Users or Groups dialog box appears.
For information about how to create an alias, see Create an alias on page 79.
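The following is an added example, not WatchGuard code, that serves both the alias members topic above and this remote-management procedure: it expands alias members (host IP, network, address range and nested aliases) the way Policy Manager resolves them, then reports whether the WatchGuard policy's From list exposes the four management ports to Any-External or to more than a single computer. ALIASES is a constructed alias table with made-up networks; DNS-name and user/group members are not modelled.

```python
"""Expand Policy Manager aliases and audit the WatchGuard policy's From list.

Added example, not WatchGuard code. ALIASES is a constructed alias table: the
entries for Any-External, Any-Trusted and Any-Optional model the built-in aliases
with made-up networks, and Remote-Admins / Admin-Range are hypothetical user aliases.
"""
import ipaddress
from ipaddress import ip_address, ip_network

# The four TCP ports the WatchGuard policy controls, per the guide.
ADMIN_PORTS = (4103, 4105, 4117, 4118)

# Constructed alias table. A member is a host IP, a network, a range "first-last",
# or the name of another alias (aliases can nest, as the guide allows).
ALIASES = {
    "Any-External": ["0.0.0.0/0"],            # every address reachable via an External interface
    "Any-Trusted": ["10.0.1.0/24"],
    "Any-Optional": ["10.0.2.0/24"],
    "Admin-Range": ["203.0.113.10-203.0.113.12"],
    "Remote-Admins": ["198.51.100.20", "Admin-Range"],
}


def expand_member(member: str, aliases: dict = ALIASES, seen: frozenset = frozenset()) -> list:
    """Return the ip_network objects one alias member denotes, expanding nested aliases."""
    if member in aliases:
        if member in seen:          # alias cycle: stop rather than recurse forever
            return []
        nets = []
        for sub in aliases[member]:
            nets.extend(expand_member(sub, aliases, seen | {member}))
        return nets
    if "-" in member:               # address range, e.g. "203.0.113.10-203.0.113.12"
        first, last = (ip_address(p.strip()) for p in member.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ip_network(member, strict=False)]


def audit_remote_admin_sources(from_members, aliases: dict = ALIASES):
    """Expand the From members of the WatchGuard policy and flag over-broad access.

    Returns (number of source addresses allowed, list of findings).
    """
    nets = []
    for member in from_members:
        nets.extend(expand_member(member, aliases))
    nets = list(ipaddress.collapse_addresses(nets))
    total = sum(n.num_addresses for n in nets)
    findings = []
    if any(n.prefixlen == 0 for n in nets):
        findings.append(f"TCP {ADMIN_PORTS} reachable from any external address; "
                        "use a VPN or restrict to specific hosts")
    elif total > 1:
        findings.append(f"{total} source addresses may reach TCP {ADMIN_PORTS}; "
                        "restrict to the fewest computers possible")
    return total, findings


if __name__ == "__main__":
    for members in (["Any-External"], ["Remote-Admins"], ["198.51.100.20"]):
        total, findings = audit_remote_admin_sources(members)
        print(members, total, findings or "ok")
```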
Locations of WatchGuard System Manager files
The subsequent table gives the locations where WatchGuard System Manager keeps common data files.
Because it is possible to configure Windows to put these directories on different disk drives, you must know
the correct location of these files based on the configuration of Windows on your computer. You can also
keep log files in a different directory than other installation files. If you change the default location of log
files, these default locations do not apply.
If your OS version is not English, you must translate directory names (such as “Documents and Settings” or
“Program Files”) to match the OS language you use.
File Type                         Location
User-created data (shared)        C:\Documents and Settings\All Users\Shared WatchGuard
Certificates                      My Documents\My WatchGuard\certs\<IP Address of Management Server>
WatchGuard applications           C:\Program Files\WatchGuard\wsm11.0
Shared application libraries      C:\Program Files\Common Files\WatchGuard\wsm11.0
Management Server data            C:\Documents and Settings\WatchGuard\wmserver
Quarantine Server data            C:\Documents and Settings\WatchGuard\wqserver
Certificate Authority data        C:\Documents and Settings\WatchGuard\wgca
Report Server data                C:\Documents and Settings\WatchGuard\wrserver
Log Server data                   C:\Documents and Settings\WatchGuard\wlogserver
WebBlocker Server data            C:\Documents and Settings\WatchGuard\wbserver
Future product upgrade images     C:\Program Files\Common Files\WatchGuard\resources\FirewareXTM\11.0
Help files (Fireware XTM WSM)     C:\Program Files\WatchGuard\wsm11.0\help\fireware
Help files (WFS)                  C:\Program Files\WatchGuard\wsm11.0\help\wfs
Locations of application and user-created files
These tables give the default locations where the WatchGuard software applications and servers look for
their data files, or for data files created by users (such as Firebox or XTM device configuration files). In some
cases, the default location changes based on where the software application opened a file of a similar type.
In these cases, the software application remembers the last place the file was read/written and looks in that
location first.
Policy Manager for Fireware appliance software
Operation | File Type | Default Location
Read/Write | Firebox or XTM device backups | C:\Documents and Settings\All Users\Shared WatchGuard\backups
Read | Product upgrade images | C:\Program Files\Common Files\WatchGuard\resources\FirewareXTM\11.0
Read | Blocked Sites | My Documents\My WatchGuard
Read | Blocked Sites exceptions | My Documents\My WatchGuard
Read/Write | Firebox or XTM device configuration files | My Documents\My WatchGuard\configs
Read/Write | Firebox or XTM device license files | My Documents\My WatchGuard\configs
Read | Initial license import | My Documents\My WatchGuard
Write | Mobile VPN .wgx and .ini client config files | C:\Documents and Settings\All Users\Shared WatchGuard\muvpn
WFS appliance software
Operation | File Type | Default Location
Read | Logging Notification | Current working directory
Read | Spam rules import | Current working directory
Write | Saved backups | C:\Documents and Settings\All Users\Shared WatchGuard\backups
Write | MUVPN SPDs (.wgx) | C:\Documents and Settings\All Users\Shared WatchGuard\muvpn
Read | Blocked Sites imports | Current working directory
Read/Write | Backup image | C:\Documents and Settings\All Users\Shared WatchGuard\backups
Report Manager
File type | Default location
Report log | C:\Documents and Settings\<user name>\Application Data\WatchGuard\wgreports
Reporting files | C:\Documents and Settings\<user name>\Application Data\WatchGuard\wgreports
LogViewer
File type | Default location
LogViewer configuration files | C:\Documents and Settings\<user name>\Application Data\WatchGuard\enhanced_logviewer
LogViewer debug log files | C:\Documents and Settings\<user name>\Application Data\WatchGuard\enhanced_logviewer
LogViewer exported files | C:\Documents and Settings\WatchGuard\logs
LogViewer saved log files | C:\Documents and Settings\WatchGuard\reports
LogViewer search query files | C:\Documents and Settings\<user name>\Application Data\WatchGuard\enhanced_logviewer\searches
Upgrade to a new version of Fireware XTM
Periodically, WatchGuard makes new versions of WatchGuard System Manager (WSM) and Fireware XTM
appliance software available to Firebox or XTM device users with active LiveSecurity subscriptions. To
upgrade from one version of WSM with Fireware XTM to a new version of WSM with Fireware XTM, use
the procedures in the subsequent sections.
Install the upgrade on your management computer
1. Download the updated Fireware XTM and WatchGuard System Manager software from the Software
Downloads section of the WatchGuard web site at http://www.watchguard.com.
2. Back up your current Firebox or XTM device configuration file and Management Server
configuration files.
For more information on how to create a backup image of your Firebox or XTM device
configuration, see Make a backup of the Firebox or XTM device image on page 47.
To back up the settings on your Management Server, see Back up or restore the Management Server
configuration on page 519.
3. Use Windows Add or Remove Programs to uninstall your existing WatchGuard System Manager and
WatchGuard Fireware XTM installation. You can have more than one version of WatchGuard System
Manager client software installed on your management computer, but only one version of
WatchGuard server software.
For more information, see Install WSM and keep an older version on page 34.
4. Launch the file or files that you downloaded from the LiveSecurity web site.
5. Use the on-screen procedure to install the Fireware XTM upgrade file in the WatchGuard installation
directory on your management computer.
Upgrade the Firebox or XTM device
1. To save the upgrade to the Firebox or XTM device, use Policy Manager to open your Firebox or XTM
device configuration file.
WatchGuard System Manager detects that the configuration file is for an older version, and displays an
upgrade dialog box.
2. Click Yes to upgrade the configuration file. Use the on-screen instructions to convert the
configuration file to the newer version.
Note The upgrade dialog box looks different if you have multiple versions of
WatchGuard System Manager installed on your management computer. For more
information, see Use multiple versions of Policy Manager on page 91.
If you do not see the upgrade dialog box when you open Policy Manager:
1. Select File > Upgrade.
2. Type the configuration passphrase.
The Upgrade — Enter the path to the upgrade image dialog box appears.
3. The default path is automatically selected. If your installation path is different, click Browse to change
the path to the upgrade image.
4. Click OK.
The upgrade procedure can take up to 15 minutes and automatically reboots the Firebox or XTM device.
If your Firebox or XTM device has been in operation for some time before you upgrade, you might have to
restart the device before you start the upgrade to clear the temporary memory.
Use multiple versions of Policy Manager
In WatchGuard System Manager v11, if you open a configuration file created by an older version of Policy
Manager, and if the older version of WatchGuard System Manager is also installed on the management
computer, the Upgrade Available dialog box appears. You can choose to launch the older version of Policy
Manager or to upgrade the configuration file to the newer version.
If you do not want WatchGuard System Manager to display this dialog box when you open an older
configuration file, select the Do not show this message again check box.
To enable the Upgrade Available dialog box if you disabled it:
1. In WatchGuard System Manager, select Edit > Options.
The Options dialog box appears.
2. Select the Show upgrade dialog when launching Policy Manager check box.
3. Click OK.
About upgrade options
You can add upgrades to your Firebox or XTM device to enable additional subscription services, features,
and capacity.
For a list of available upgrade options, see www.watchguard.com/products/options.asp.
Subscription Services upgrades
WebBlocker
The WebBlocker upgrade enables you to control access to web content.
For more information, see About WebBlocker on page 979.
spamBlocker
The spamBlocker upgrade allows you to filter spam and bulk email.
For more information, see About spamBlocker on page 1053.
Gateway AV/IPS
The Gateway AV/IPS upgrade enables you to block viruses and prevent intrusion attempts by
hackers.
For more information, see About Gateway AntiVirus and Intrusion Prevention on page 1079.
Appliance and software upgrades
Pro
The Pro upgrade to Fireware XTM provides several advanced features for experienced customers,
such as server load balancing and additional SSL VPN tunnels. The features available with a Pro
upgrade depend on the type and model of your Firebox or XTM device.
For more information, see Fireware XTM with a Pro Upgrade on page 13.
Model upgrades
For some Firebox or XTM device models, you can purchase a license key to upgrade the device to a
higher model in the same product family. A model upgrade gives your Firebox or XTM device the
same functions as a higher model.
To compare the features and capabilities of different Firebox or XTM device models, go to
http://www.watchguard.com/products/compare.asp.
How to apply an upgrade
When you purchase an upgrade, you register the upgrade on the WatchGuard LiveSecurity web site. Then
you download a feature key that enables the upgrade on your Firebox or XTM device.
For information about feature keys, see About feature keys on page 60.
Renew security subscriptions
Your WatchGuard subscription services (Gateway AntiVirus, Intrusion Prevention Service, WebBlocker, and
spamBlocker) must get regular updates to operate effectively.
Your Firebox or XTM device gives you reminders to renew your subscriptions when you save changes to a
configuration file. WatchGuard System Manager reminds you that your subscription is about to expire 60
days before, 30 days before, 15 days before, and the day before the expiration date.
When your subscriptions expire, you cannot save any changes to your configuration until you either renew
or disable the expired subscription. You can use Policy Manager to update the feature key for your
subscriptions.
1. Select File > Save > To Firebox.
You see a message that tells you to update your feature key.
2. Click OK.
The Feature Key Compliance dialog box appears.
3. Select the expired subscription.
4. If you already have the new feature key, click Add Feature Key. Paste your new feature key.
You cannot right-click to paste. You must use CTRL-V or click Paste.
If you do not already have your new feature key, you must click Disable even if you plan to renew
later. You do not lose your settings if you disable the subscription. If you renew your subscription at a
later time, you can reactivate the settings and save them to the Firebox or XTM device.
5. Click OK.
Renew subscriptions from Firebox System Manager
If a subscription is to expire soon, a warning appears on the front panel of Firebox System Manager and
Renew Now appears at the upper-right corner of the window. Click Renew Now to go to the LiveSecurity
Service web site and renew the subscription.
6 Network Setup and Configuration
About network interface setup
A primary component of your Firebox or XTM device setup is the configuration of network interface IP
addresses. When you run the Quick Setup Wizard, the external and trusted interfaces are set up so traffic
can flow from protected devices to an outside network. You can use the procedures in this section to
change the configuration after you run the Quick Setup Wizard, or to add other components of your
network to the configuration. For example, you can set up an optional interface for public servers such as a
web server.
Your Firebox or XTM device physically separates the networks on your Local Area Network (LAN) from
those on a Wide Area Network (WAN) like the Internet. Your device uses routing to send packets from
networks it protects to networks outside your organization. To do this, your device must know what
networks are connected on each interface.
We recommend that you record basic information about your network and VPN configuration in the event
that you need to contact technical support. This information can help your technician resolve your problem
quickly.
Network modes
Your Firebox or XTM device supports several network modes:
Mixed routing mode
In mixed routing mode, you can configure your Firebox or XTM device to send network traffic
between a wide variety of physical and virtual network interfaces. This is the default network mode,
and this mode offers the greatest amount of flexibility for different network configurations.
However, you must configure each interface separately, and you may have to change network
settings for each computer or client protected by your Firebox or XTM device. The Firebox or XTM
device uses Network Address Translation (NAT) to send information between network interfaces.
For more information, see About Network Address Translation on page 163.
The requirements for a mixed routing mode are:
• All interfaces of the Firebox or XTM device must be configured on different subnets. The minimum
configuration includes the external and trusted interfaces. You also can configure one or more optional
interfaces.
• All computers connected to the trusted and optional interfaces must have an IP address from that
network.
Drop-in mode
In a drop-in configuration, your Firebox or XTM device is configured with the same IP address on all
interfaces. You can put your Firebox or XTM device between the router and the LAN and not have to
change the configuration of any local computers. This configuration is known as drop-in because
your Firebox or XTM device is dropped in to an existing network. Some network features, such as
bridges and VLANs (Virtual Local Area Networks), are not available in this mode.
For drop-in configuration, you must:
• Assign a static external IP address to the Firebox or XTM device.
• Use one logical network for all interfaces.
• Not configure multi-WAN in Round-robin or Failover mode.
For more information, see Drop-in Mode on page 106.
Bridge mode
Bridge mode is a feature that allows you to place your Firebox or XTM device between an existing
network and its gateway to filter or manage network traffic. When you enable this feature, your
Firebox or XTM device processes and forwards all incoming network traffic to the gateway IP
address you specify. When the traffic arrives at the gateway, it appears to have been sent from the
original device. In this configuration, your Firebox or XTM device cannot perform several functions
that require a public and unique IP address. For example, you cannot configure a Firebox or XTM
device in bridge mode to act as an endpoint for a VPN (Virtual Private Network).
For more information, see Bridge Mode on page 111.
Interface types
You use three interface types to configure your network in mixed routing or drop-in mode:
External Interfaces
An external interface is used to connect your Firebox or XTM device to a network outside your
organization. Often, an external interface is the method by which you connect your Firebox or XTM
device to the Internet. You can configure a maximum of four (4) physical external interfaces.
When you configure an external interface, you must choose the method your Internet service
provider (ISP) uses to give you an IP address for your Firebox or XTM device. If you do not know the
method, get this information from your ISP or network administrator.
Trusted Interfaces
Trusted interfaces connect to the private LAN (local area network) or internal network of your
organization. A trusted interface usually provides connections for employees and secure internal
resources.
Optional Interfaces
Optional interfaces are mixed-trust or DMZ environments that are separate from your trusted
network. Examples of computers often found on an optional interface are public web servers, FTP
servers, and mail servers.
For more information on interface types, see Common interface settings on page 113.
If you have a Firebox X Edge, you can use Fireware XTM Web UI to configure failover with an external
modem over the serial port.
For more information, see Serial modem failover on page 155.
When you configure the interfaces on your Firebox or XTM device, you must use slash notation to denote
the subnet mask. For example, you would enter the network range 192.168.0.0 subnet mask 255.255.255.0
as 192.168.0.0/24. A trusted interface with the IP address of 10.0.1.1/16 has a subnet mask of 255.255.0.0.
For more information on slash notation, see About slash notation on page 3.
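The mixed routing mode requirements (interfaces on different subnets, protected computers addressed from their interface's network) and the slash-notation rule above can both be checked mechanically. The following is an added example, not code from the guide or from WatchGuard; it uses only the Python standard library, and the function names and sample addresses are my own.

```python
import ipaddress
from typing import Dict, List


def mask_to_prefix(mask: str) -> int:
    """Convert a dotted subnet mask (255.255.255.0) to its slash-notation length (24).

    Policy Manager accepts only slash notation, so a non-contiguous mask such as
    255.0.255.0, which has no slash equivalent, is rejected with ValueError.
    """
    value = int(ipaddress.IPv4Address(mask))
    prefix = 0
    while prefix < 32 and value & (1 << (31 - prefix)):
        prefix += 1
    # every bit after the leading run of ones must be zero
    if value != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix


def to_slash_notation(network: str, mask: str) -> str:
    """'192.168.0.0' with '255.255.255.0' -> '192.168.0.0/24', the form the guide requires."""
    return f"{network}/{mask_to_prefix(mask)}"


def interface_network(cidr: str) -> ipaddress.IPv4Network:
    """Subnet of an interface address in slash notation: 10.0.1.1/16 -> 10.0.0.0/16."""
    return ipaddress.IPv4Interface(cidr).network


def host_on_interface(host_ip: str, interface_cidr: str) -> bool:
    """True when a protected computer's address comes from the interface's own subnet,
    as mixed routing mode requires for trusted and optional networks."""
    return ipaddress.IPv4Address(host_ip) in interface_network(interface_cidr)


def check_mixed_routing(interfaces: Dict[str, str]) -> List[str]:
    """Return the violations of the mixed routing mode requirements for interfaces
    given as {name: 'ip/prefix'}: the external and trusted interfaces must exist,
    and no two interfaces may be on the same or overlapping subnets."""
    problems: List[str] = []
    for required in ("external", "trusted"):
        if required not in interfaces:
            problems.append(f"missing required interface: {required}")
    nets = {name: interface_network(cidr) for name, cidr in interfaces.items()}
    names = sorted(nets)
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            if nets[first].overlaps(nets[second]):
                problems.append(
                    f"{first} ({nets[first]}) overlaps {second} ({nets[second]})"
                )
    return problems


# Constructed sample configurations (not from the guide). The trusted address is the
# 10.0.1.1/16 example the guide uses; the optional subnet in BAD_INTERFACES lies inside it.
BAD_INTERFACES = {
    "external": "203.0.113.2/30",
    "trusted": "10.0.1.1/16",
    "optional": "10.0.5.1/24",
}
GOOD_INTERFACES = {
    "external": "203.0.113.2/30",
    "trusted": "10.0.1.1/16",
    "optional": "192.168.50.1/24",
}

if __name__ == "__main__":
    print(to_slash_notation("192.168.0.0", "255.255.255.0"))
    for problem in check_mixed_routing(BAD_INTERFACES):
        print("mixed routing violation:", problem)
    print("violations in good config:", check_mixed_routing(GOOD_INTERFACES))
```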
About network interfaces on the Edge e-Series
When you use Fireware XTM on a Firebox X Edge e-Series, the network interface numbers that appear in
WatchGuard System Manager do not match the network interface labels printed below the physical
interfaces on the device. Use the table below to understand how the interface numbers in WatchGuard
System Manager map to the physical interfaces on the device.
Interface number in Fireware XTM | Interface label on the Firebox X Edge e-Series hardware
0 | WAN 1
1 | LAN 0, LAN 1, LAN 2
2 | WAN 2
3 | Opt
You can consider the interfaces labeled LAN 0, LAN 1, and LAN 2 as a three interface network hub that is
connected to a single Firebox interface. In Fireware XTM, you configure these interfaces together as
Interface 1.
Mixed Routing Mode
In mixed routing mode, you can configure your Firebox or XTM device to send network traffic between
many different types of physical and virtual network interfaces. Mixed routing mode is the default network
mode. While most network and security features are available in this mode, you must carefully check the
configuration of each device connected to your Firebox or XTM device to make sure that your network
operates correctly.
A basic network configuration in mixed routing mode uses at least two interfaces. For example, you can
connect an external interface to a cable modem or other Internet connection, and a trusted interface to an
internal router that connects internal members of your organization. From that basic configuration, you can
add an optional network that protects servers but allows greater access from external networks, configure
VLANs, and other advanced features, or set additional options for security like MAC address restrictions.
You can also define how network traffic is sent between interfaces.
To get started on interface configuration in mixed routing mode, see Common interface settings on page 113.
It is easy to forget IP addresses and connection points on your network in mixed routing mode, especially if
you use VLANs (Virtual Local Area Networks), secondary networks, and other advanced features. We
recommend that you record basic information about your network and VPN configuration in the event that
you need to contact technical support. This information can help your technician resolve your problem
quickly.
Configure an external interface
An external interface is used to connect your Firebox or XTM device to a network outside your organization.
Often, an external interface is the method by which you connect your device to the Internet. You can
configure a maximum of four (4) physical external interfaces.
When you configure an external interface, you must choose the method your Internet service provider
(ISP) uses to give you an IP address for your device. If you do not know the method, get this information
from your ISP or network administrator.
For information about methods used to set and distribute IP addresses, see Static and dynamic IP addresses
on page 4.
Use a static IP address
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select an external interface. Click Configure.
The Interface Settings dialog box appears.
3. Select Use Static IP.
4. In the IP address text box, type or select the IP address of the interface.
5. In the Default Gateway text box, type or select the IP address of the default gateway.
6. Click OK.
Use PPPoE authentication
If your ISP uses PPPoE, you must configure PPPoE authentication before your device can send traffic
through the external interface.
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select an external interface. Click Configure.
3. In the Interface Settings dialog box, select Use PPPoE.
4. Select an option:
• Obtain an IP address automatically
• Use IP address (supplied by your Internet Service Provider)
5. If you selected Use IP Address, in the adjacent text box, type or select the IP address.
6. Type the User Name and Password. Type the password again.
ISPs use the email address format for user names, such as [email protected]
7. Click Advanced Properties to configure PPPoE options.
The PPPoE Properties dialog box appears. Your ISP can tell you if you must change the timeout or LCP values.
8. If your ISP requires the Host-Uniq tag for PPPoE discovery packets, select the Use Host-Uniq tag in
PPPoE discovery packets check box.
9. Select when the device connects to the PPPoE server:
• Always-on — The Firebox or XTM device keeps a constant PPPoE connection. It is not necessary
for network traffic to go through the external interface.
If you select this option, type or select a value in the PPPoE Initialization Retry Interval text box
to set the number of seconds that PPPoE tries to initialize before it times out.
• Dial-on-Demand — The Firebox or XTM device connects to the PPPoE server only when it gets
a request to send traffic to an IP address on the external interface. If your ISP regularly resets
the connection, select this option.
If you select this option, in the Idle Timeout text box, set the length of time a client can stay
connected when no traffic is sent. If you do not select this option, you must manually restart the
Firebox or XTM device each time the connection resets.
10. In the LCP echo failure in text box, type or select the number of failed LCP echo requests allowed
before the PPPoE connection is considered inactive and closed.
11. In the LCP echo timeout in text box, type or select the length of time, in seconds, that the response
to each echo timeout must be received.
12. To configure the Firebox or XTM device to automatically restart the PPPoE connection on a daily or
weekly basis, select the Schedule time for auto restart check box.
13. In the Schedule time for auto restart drop-down list, select Daily to restart the connection at the
same time each day, or select a day of the week to restart weekly. Select the hour and minute of the
day (in 24 hour time format) to automatically restart the PPPoE connection.
14. In the Service Name text box, type a PPPoE service name.
This is either an ISP name or a class of service that is configured on the PPPoE server. Usually, this
option is not used. Select it only if there is more than one access concentrator, or you know that you
must use a specified service name.
15. In the Access Concentrator Name text box, type the name of a PPPoE access concentrator, also
known as a PPPoE server. Usually, this option is not used. Select it only if you know there is more
than one access concentrator.
16. In the Authentication retries text box, type or select the number of times that the Firebox or XTM
device can try to make a connection.
The default value is three (3) connection attempts.
17. In the Authentication timeout text box, type a value for the amount of time between retries.
The default value is 20 seconds between each connection attempt.
18. Click OK.
19. Save your configuration.
Use DHCP
1. In the Interface Settings dialog box, select Use DHCP Client.
2. If your ISP or external DHCP server requires a client identifier, such as a MAC address, in the Client
text box, type this information.
3. To specify a host name for identification, type it in the Host Name text box.
4. To enable DHCP to assign an IP address to the Firebox or XTM device, in the Host IP section, select
Obtain an IP automatically.
To manually assign an IP address and use DHCP to give this assigned address to the Firebox or XTM
device, select Use IP address and type the IP address in the adjacent text box.
IP addresses assigned by a DHCP server have a one-day lease by default, which means the address is
valid for one day.
5. To change the lease time, select the Leasing Time check box and select the value in the adjacent
drop-down list.
Configure DHCP in mixed routing mode
DHCP (Dynamic Host Configuration Protocol) is a method to assign IP addresses automatically to network
clients. You can configure your Firebox or XTM device as a DHCP server for the networks that it protects. If
you have a DHCP server, we recommend that you continue to use that server for DHCP.
If your Firebox or XTM device is configured in drop-in mode, see Configure DHCP in drop-in mode on page 108.
Note You cannot configure DHCP on any interface for which FireCluster is enabled.
Configure DHCP
1. Select Network > Configuration.
2. Select a trusted or an optional interface. Click Configure.
To configure DHCP for a wireless guest network, select Network > Wireless and click Configure for
the wireless guest network.
3. Select Use DHCP Server, or for the wireless guest network, select the Enable DHCP Server on
Wireless Guest Network check box.
4. To add a group of IP addresses to assign to users on this interface, in the Address Pool section, click
Add. Specify starting and ending IP addresses on the same subnet, then click OK.
The address pool must belong either to the interface’s primary or secondary IP subnet.
You can configure a maximum of six address ranges. Address groups are used from first to last. Addresses in
each group are assigned by number, from lowest to highest.
5. To change the default lease time, select a different option in the Leasing Time drop-down list.
This is the time interval that a DHCP client can use an IP address that it receives from the DHCP server. When
the lease time is about to expire, the client sends data to the DHCP server to get a new lease.
6. By default, when it is configured as a DHCP server your Firebox or XTM device gives out the DNS and
WINS server information configured on the Network Configuration > WINS/DNS tab. To specify
different information for your device to assign when it gives out IP addresses, click Configure
DNS/WINS servers.
• Type a Domain Name to change the default DNS domain.
• To create a new DNS or WINS server entry, click Add adjacent to the server type you want, type
an IP address, and click OK.
• To change the IP address of the selected server, click Edit.
• To remove the selected server from the adjacent list, click Delete.
Configure DHCP reservations
To reserve a specific IP address for a client:
1. Adjacent to the Reserved Addresses field, click Add.
For a wireless guest network, click DHCP Reservations and then click Add.
2. Type a name for the reservation, the IP address you want to reserve, and the MAC address of the
client’s network card.
3. Click OK.
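The DHCP rules in the procedure above (ranges must lie in the interface's primary or secondary subnet, at most six ranges, pools used first to last and addresses lowest to highest, reservations tied to a MAC address) can be checked before the configuration is saved to the device. This is an added example, not code from the guide or from WatchGuard; it uses only the Python standard library, and the function names, sample subnets, pools and MAC addresses are constructed.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# The guide allows a maximum of six address ranges per interface.
MAX_POOLS = 6

Pool = Tuple[str, str]  # (starting IP, ending IP) as typed in the Address Pool dialog


def validate_dhcp(subnets: List[str], pools: List[Pool], reservations: Dict[str, str]) -> List[str]:
    """Check an interface's DHCP settings against the rules in the guide.

    subnets: the interface's primary and secondary networks in slash notation.
    pools: address ranges; each needs start <= end and must lie inside one subnet.
    reservations: {MAC address: reserved IP}; reserved addresses must be on the interface.
    Returns human-readable problems (an empty list means the settings are valid).
    """
    problems: List[str] = []
    if len(pools) > MAX_POOLS:
        problems.append(f"{len(pools)} address ranges configured; the maximum is {MAX_POOLS}")
    nets = [ipaddress.IPv4Network(s, strict=False) for s in subnets]
    for start, end in pools:
        lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if lo > hi:
            problems.append(f"range {start}-{end}: starting address is after ending address")
        elif not any(lo in net and hi in net for net in nets):
            problems.append(f"range {start}-{end}: not inside any interface subnet {subnets}")
    for mac, ip in reservations.items():
        if not any(ipaddress.IPv4Address(ip) in net for net in nets):
            problems.append(f"reservation {mac} -> {ip}: address is not on this interface")
    return problems


def next_free_address(pools: List[Pool], reservations: Dict[str, str], leased: Set[str]) -> Optional[str]:
    """Pick the next address the way the guide describes: ranges are used first to last
    and addresses within a range from lowest to highest. Reserved addresses are never
    handed to other clients, so they stay available for the client they belong to."""
    reserved = set(reservations.values())
    for start, end in pools:
        lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
        for n in range(lo, hi + 1):
            candidate = str(ipaddress.IPv4Address(n))
            if candidate not in leased and candidate not in reserved:
                return candidate
    return None  # every range is exhausted


def assign_address(mac: str, pools: List[Pool], reservations: Dict[str, str], leased: Set[str]) -> Optional[str]:
    """Address for a requesting client: its reservation if one exists, otherwise the
    next free pool address. `leased` records addresses already handed out."""
    address = reservations.get(mac.lower()) or next_free_address(pools, reservations, leased)
    if address is not None:
        leased.add(address)
    return address


# Constructed sample (not from the guide): a trusted interface with a primary and a secondary
# network, two valid address ranges, and one reservation inside the first range.
SAMPLE_SUBNETS = ["10.0.1.1/24", "192.168.10.1/24"]
SAMPLE_POOLS = [("10.0.1.100", "10.0.1.120"), ("192.168.10.50", "192.168.10.60")]
SAMPLE_RESERVATIONS = {"00:11:22:33:44:55": "10.0.1.105"}

if __name__ == "__main__":
    print("problems:", validate_dhcp(SAMPLE_SUBNETS, SAMPLE_POOLS, SAMPLE_RESERVATIONS))
    leases: Set[str] = set()
    for client in ("aa:00:00:00:00:01", "00:11:22:33:44:55", "aa:00:00:00:00:02"):
        print(client, "->", assign_address(client, SAMPLE_POOLS, SAMPLE_RESERVATIONS, leases))
```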
About the Dynamic DNS service
You can register the external IP address of your Firebox or XTM device with the dynamic Domain Name
System (DNS) service DynDNS.org. A dynamic DNS service makes sure that the IP address attached to your
domain name changes when your ISP gives your device a new IP address. This feature is available in either
mixed routing or drop-in network configuration mode.
If you use this feature, your Firebox or XTM device gets the IP address of members.dyndns.org when it
starts up. It makes sure the IP address is correct every time it restarts and at an interval of every twenty
days. If you make any changes to your DynDNS configuration on your Firebox or XTM device, or if you
change the IP address of the default gateway, it updates DynDNS.com immediately.
For more information on the Dynamic DNS service or to create a DynDNS account, go to
http://www.dyndns.com.
Note WatchGuard is not affiliated with DynDNS.com.
Use dynamic DNS
You can register the external IP address of your Firebox or XTM device with the dynamic DNS (Domain
Name System) service called Dynamic Network Services (DynDNS). This is a free service for a maximum of
five hostnames. WatchGuard System Manager does not currently support other dynamic DNS providers.
A dynamic DNS service makes sure that the IP address attached to your domain name changes when your
ISP gives your Firebox or XTM device a new IP address. Your device checks the IP address of
members.dyndns.org when it starts up. It makes sure the IP address is correct every time it restarts and at
an interval of every twenty days. If you make any changes to your DynDNS configuration on your Firebox or
XTM device, or if you change the IP address of the default gateway configured for your device, your
configuration at DynDNS.com is updated immediately.
For more information on dynamic DNS, go to http://www.dyndns.com.
Note WatchGuard is not affiliated with DynDNS.com.
1. Set up a DynDNS account. Go to the DynDNS web site and follow the instructions on the site.
2. In Policy Manager, select Network > Configuration.
3. Select the WIN/DNS tab.
4. Make sure you have defined at least one DNS server. If you have not, use the procedure in Add
WINS and DNS server addresses on page 119.
5. Select the Dynamic DNS tab.
6. Select the external interface for which you want to configure dynamic DNS and click Configure.
The Per Interface Dynamic DNS dialog box appears.
7. To enable dynamic DNS, select the Enable Dynamic DNS check box.
8. Type the user name, password, and domain name you used to set up your dynamic DNS account.
9. From the Service Type drop-down list, select the system to use for this update:
• dyndns — Sends updates for a Dynamic DNS host name. Use this option when you have no
control over your IP address (for example, it is not static, and it changes on a regular basis).
• custom — Sends updates for a custom DNS host name. This option is frequently used by
businesses that pay to register their domain with dyndns.com.
For more information on each option, see http://www.dyndns.com/services/.
10. In the Options text box, you can type any of the subsequent options. You must type the “&”
character before and after each option you add. If you add more than one option, you must separate
the options with the “&” character.
For example:
&backmx=NO&wildcard=ON&
The options are:
• mx=mailexchanger
• backmx=YES|NO
• wildcard=ON|OFF|NOCHG
• offline=YES|NO
For more information on options, see http://www.dyndns.com/developers/specs/syntax.html.
11. Use the arrows to set a time interval (in days) to force an update of the IP address.
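The Options text box has a strict format (a “&” before and after every option, options separated by “&”, and only the values listed above), and a typo there silently produces a bad update. The following parser and builder is an added example, not code from the guide or from WatchGuard; the option table is taken from step 10 above, and the function names and host name check are my own.

```python
import re
from typing import Dict, Optional, Set

# Allowed values per option, as listed in the guide. None means a host name is expected
# (the mx option). Values are compared exactly as the guide prints them (upper case).
DYNDNS_OPTIONS: Dict[str, Optional[Set[str]]] = {
    "mx": None,
    "backmx": {"YES", "NO"},
    "wildcard": {"ON", "OFF", "NOCHG"},
    "offline": {"YES", "NO"},
}

# DNS labels: 1-63 characters of letters, digits and hyphens, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def parse_dyndns_options(text: str) -> Dict[str, str]:
    """Parse an Options text box value such as '&backmx=NO&wildcard=ON&'.

    Enforces the guide's rules: the string starts and ends with '&', options are
    separated by '&', each option is one of the four known names, and each value is
    one of the listed values (or a host name for mx). Returns {option: value};
    raises ValueError with a message naming the first problem found.
    """
    if text == "":
        return {}  # an empty Options box is valid: no extra options
    if not (text.startswith("&") and text.endswith("&")):
        raise ValueError("the options string must start and end with '&'")
    result: Dict[str, str] = {}
    for item in text[1:-1].split("&"):
        if "=" not in item:
            raise ValueError(f"option '{item}' is not in name=value form")
        name, value = item.split("=", 1)
        allowed = DYNDNS_OPTIONS.get(name)
        if name not in DYNDNS_OPTIONS:
            raise ValueError(f"unknown option '{name}'")
        if name in result:
            raise ValueError(f"option '{name}' is given more than once")
        if allowed is None:
            if len(value) > 253 or not HOSTNAME_RE.match(value):
                raise ValueError(f"mx value '{value}' is not a host name")
        elif value not in allowed:
            raise ValueError(
                f"option '{name}' must be one of {sorted(allowed)}, not '{value}'"
            )
        result[name] = value
    return result


def build_dyndns_options(options: Dict[str, str]) -> str:
    """Produce the exactly delimited string the Options text box expects from a
    {option: value} mapping, validating it first so a bad value never reaches the device."""
    if not options:
        return ""
    text = "&" + "&".join(f"{name}={value}" for name, value in options.items()) + "&"
    parse_dyndns_options(text)  # raises ValueError on unknown names or values
    return text


if __name__ == "__main__":
    # The guide's own example string, followed by a constructed one with a mail exchanger.
    print(parse_dyndns_options("&backmx=NO&wildcard=ON&"))
    print(build_dyndns_options({"mx": "mail.example.com", "backmx": "YES"}))
```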
Drop-in Mode
In a drop-in configuration, your Firebox or XTM device is configured with the same IP address on all
interfaces. The drop-in configuration mode distributes the network’s logical address range across all
available network interfaces. You can put your Firebox or XTM device between the router and the LAN and
not have to change the configuration of any local computers. This configuration is known as drop-in mode
because your Firebox or XTM device is dropped in to a previously configured network.
In drop-in mode:
• You must assign the same primary IP address to all interfaces on your Firebox or XTM device
(external, trusted, and optional).
• You can assign secondary networks on any interface.
• You can keep the same IP addresses and default gateways for hosts on your trusted and optional
networks, and add a secondary network address to the primary external interface so your Firebox
or XTM device can correctly send traffic to the hosts on these networks.
• The public servers behind your Firebox or XTM device can continue to use public IP addresses.
Network address translation (NAT) is not used to route traffic from outside your network to your
public servers.
The properties of a drop-in configuration are:
• You must assign and use a static IP address on the external interface.
• You use one logical network for all interfaces.
• You cannot configure more than one external interface when your Firebox or XTM device is configured in drop-in mode. Multi-WAN functionality is automatically disabled.
It is sometimes necessary to clear the ARP cache of each computer protected by the Firebox or XTM device, but this is not common.
Note If you move an IP address from a computer located behind one interface to a
computer located behind a different interface, it can take several minutes before
network traffic is sent to the new location. Your Firebox or XTM device must update
its internal routing table before this traffic can pass. Traffic types that are affected
include logging, SNMP, and Firebox or XTM device management connections.
You can configure your network interfaces with drop-in mode when you run the Quick Setup Wizard. If you
have already created a network configuration, you can use Policy Manager to switch to drop-in mode.
For more information, see Run the Web Setup Wizard on page 25.
Use drop-in mode for network interface configuration
1. Click .
Or, select Network > Configuration.
The Network Configuration dialog box appears.
2. From the Configure Interfaces in drop-down list, select Drop-In Mode.
3. In the IP Address text box, type the IP address you want to use as the primary address for all
interfaces on your Firebox or XTM device.
4. In the Gateway text box, type the IP address of the gateway. This IP address is automatically added
to the Related Hosts list.
5. Click OK.
6. Save the configuration file.
Configure related hosts
In a drop-in or bridge configuration, the Firebox or XTM device is configured with the same IP address on
each interface. Your Firebox or XTM device automatically discovers new devices that are connected to
these interfaces and adds each new MAC address to its internal routing table. If you want to configure
device connections manually, or if the Automatic Host Mapping feature does not operate correctly, you can
add a related hosts entry. A related hosts entry creates a static route between the host IP address and one
network interface. We recommend that you disable Automatic Host Mapping on interfaces for which you
create a related hosts entry.
1. Click .
Or, select Network > Configuration.
The Network Configuration dialog box appears.
2. Configure network interfaces in drop-in or bridge mode, then click Properties.
The Drop-In Mode Properties dialog box appears.
3. Clear the check box for any interface for which you want to add a related hosts entry.
4. Click Add. Type the IP address of the device for which you want to build a static route from the
Firebox or XTM device.
5. Click the Interface Name column area to select the interface for the related hosts entry.
6. Click OK.
7. Save the configuration file.
Configure DHCP in drop-in mode
When you use drop-in mode for network configuration, you can use Policy Manager to optionally configure
the Firebox or XTM device as a DHCP server for networks it protects, or make the Firebox or XTM device a
DHCP relay agent. If you have a configured DHCP server, we recommend that you continue to use that
server for DHCP.
Use DHCP
1. Click .
Or, select Network > Configuration.
The Network Configuration dialog box appears.
2. Select Use DHCP Server.
3. To add an address pool from which your Firebox or XTM device can give out IP addresses, click Add
next to the Address Pool box and specify starting and ending IP addresses that are on the same
subnet as the drop-in IP address.
Do not include the drop-in IP address in the address pool. Click OK.
You can configure a maximum of six address ranges.
4. To reserve a specific IP address from an address pool for a device or client, adjacent to the Reserved
Addresses field, click Add. Type a name to identify the reservation, the IP address you want to
reserve, and the MAC address for the device. Click OK.
5. In the Leasing Time drop-down list, select the maximum amount of time that a DHCP client can use
an IP address.
6. By default, your Firebox or XTM device gives out the DNS/WINS server information configured on
the Network Configuration > WINS/DNS tab when it is configured as a DHCP server. To send
different DNS/WINS server information to DHCP clients, click the Configure DNS/WINS servers
button.
7. Click OK.
8. Save the configuration file.
Use DHCP relay
1. Click .
Or, select Network > Configuration.
The Network Configuration dialog box appears.
2. Select Use DHCP Relay.
3. Type the IP address of the DHCP server in the related field. Make sure to add a static route to the
DHCP server, if necessary.
4. Click OK.
5. Save the configuration file.
Specify DHCP settings for a single interface
You can specify different DHCP settings for each trusted or optional interface in your configuration.
1. Click .
Or, select Network > Configuration.
The Network Configuration dialog box appears.
2. Scroll to the bottom of the Network Configuration dialog box and select an interface.
3. Click Configure.
4. Update the DHCP settings:
• To use the same DHCP settings that you configured for drop-in mode, select Use System DHCP Setting.
• To disable DHCP for clients on that network interface, select Disable DHCP.
• To configure different DHCP options for clients on a secondary network, select Use DHCP Server for Secondary Network. Complete Steps 3–6 of the Use DHCP relay procedure to add IP address pools, set the default lease time, and manage DNS/WINS servers.
5. Click OK.
Bridge Mode
Bridge mode is a feature that allows you to install your Firebox or XTM device between an existing network
and its gateway to filter or manage network traffic. When you enable this feature, your Firebox or XTM
device processes and forwards all network traffic to other gateway devices. When the traffic arrives at a
gateway from the Firebox or XTM device, it appears to have been sent from the original device.
To use bridge mode, you must specify an IP address that is used to manage your Firebox or XTM device. The
device also uses this IP address to get Gateway AV/IPS updates and to route to internal DNS, NTP, or
WebBlocker servers as necessary. Because of this, make sure you assign an IP address that is routable on
the Internet.
When you use bridge mode, your Firebox or XTM device cannot complete some functions that require the
device to operate as a gateway. These functions include:
• Multi-WAN
• VLANs (Virtual Local Area Networks)
• Network bridges
• Static routes
• FireCluster
• Secondary networks
• DHCP server or DHCP relay
• Serial modem failover (Firebox X Edge only)
• 1-to-1, dynamic, or static NAT
• Dynamic routing (OSPF, BGP, or RIP)
• Any type of VPN for which the Firebox or XTM device is an endpoint or gateway
• Some proxy functions, including HTTP Web Cache Server
If you have previously configured these features or services, they are disabled when you switch to bridge
mode. To use these features or services again, you must use a different network mode. If you return to
drop-in or mixed routing mode, you might have to configure some features again.
Note When you enable bridge mode, any interfaces with a previously configured
network bridge or VLAN are disabled. To use those interfaces, you must first
change to either drop-in or mixed routing mode, and configure the interface as
External, Optional, or Trusted, then return to bridge mode. Wireless features on
Firebox or XTM wireless devices operate correctly in bridge mode.
To enable bridge mode:
1. Click .
Or, select Network > Configuration.
The Network Configuration window appears.
2. From the Configure Interfaces In drop-down list, select Bridge Mode.
3. If you are prompted to disable interfaces, click Yes to disable the interfaces, or No to return to your
previous configuration.
4. Type the IP Address of your Firebox or XTM device in slash notation.
For more information on slash notation, see About slash notation on page 3.
5. Type the Gateway IP address that receives all network traffic from the device.
6. Click OK.
7. Save the configuration file.
Common interface settings
With mixed routing mode, you can configure your Firebox or XTM device to send network traffic between a
wide variety of physical and virtual network interfaces. This is the default network mode, and it offers the
greatest amount of flexibility for different network configurations. However, you must configure each
interface separately, and you may have to change network settings for each computer or client protected
by your Firebox or XTM device.
To configure your Firebox or XTM device with mixed routing mode:
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select the interface you want to configure, then click Configure. The options available depend on the
type of interface you selected.
The Interface Settings dialog box appears.
3. In the Interface Name (Alias) field, you can retain the default name or change it to one that more
closely reflects your own network and its own trust relationships.
Make sure the name is unique among interface names as well as all MVPN group names and tunnel
names. You can use this alias with other features, such as proxy policies, to manage network traffic
for this interface.
4. (Optional) Enter a description of the interface in the Interface Description field.
5. In the Interface Type field, you can change the interface type from its default value. Some interface
types have additional settings.
• For more information about how to assign an IP address to an external interface, see Configure an external interface on page 98. To set the IP address of a trusted or optional interface, type the IP address in slash notation.
• To assign IP addresses automatically to clients on a trusted or optional interface, see Configure DHCP in mixed routing mode on page 102 or Configure DHCP Relay on page 118.
• To use more than one IP address on a single physical network interface, see Configure a secondary network on page 120.
• For more information about VLAN configurations, see About virtual local area networks (VLANs) on page 131.
• To remove an interface from your configuration, see Disable an interface on page 116.
6. Configure your interface as described in one of the above topics.
7. Click OK.
Disable an interface
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select the interface you want to disable. Click Configure.
The Interface Settings dialog box appears.
3. In the Interface Type drop-down list, select Disabled. Click OK.
In the Network Configuration dialog box, the interface now appears as type Disabled.
Configure DHCP Relay
One way to get IP addresses for the computers on the trusted or optional networks is to use a DHCP server
on a different network. You can use DHCP relay to get IP addresses for the computers on the trusted or
optional network. With this feature, the Firebox or XTM device sends DHCP requests to a server on a
different network.
If the DHCP server you want to use is not on a network protected by your Firebox or XTM device, you must
set up a VPN tunnel between your Firebox or XTM device and the DHCP server for this feature to operate
correctly.
Note You cannot use DHCP relay on any interface on which FireCluster is enabled.
To configure DHCP relay:
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select a trusted or an optional interface and click Configure.
3. Select Use DHCP Relay.
4. Type the IP address of the DHCP server in the related field. Make sure to add a static route to the
DHCP server, if necessary.
5. Click OK.
Restrict network traffic by MAC address
You can use a list of MAC addresses to manage which devices are allowed to send traffic on the network
interface you specify. When you enable this feature, your Firebox or XTM device checks the MAC address
of each computer or device that connects to the specified interface. If the MAC address of that device is not
on the MAC Access Control list for that interface, the device cannot send traffic.
This feature is especially helpful to prevent any unauthorized access to your network from a location within
your office. However, you must update the MAC Access Control list for each interface when a new,
authorized computer is added to the network.
Note If you choose to restrict access by MAC address, you must include the MAC address
for the computer you use to administer your Firebox or XTM device.
To enable MAC Access Control for a network interface:
1. Select Network > Configuration.
The Network Configuration window appears.
2. Select the interface on which you want to enable MAC Access Control, then click Configure.
The Interface Settings window appears.
3. Select the MAC Access Control tab.
4. Select the Restrict access by MAC address check box.
5. Click Add.
The Add a MAC address window appears.
6. Type the MAC address of the computer or device to give it access to the specified interface.
7. (Optional) Type a Name for the computer or device to identify it in the list.
8. Click OK.
Repeat steps 5–8 to add more computers or devices to the MAC Access Control list.
Add WINS and DNS server addresses
A number of the features of the Firebox or XTM device have shared Windows Internet Name Server (WINS)
and Domain Name System (DNS) server IP addresses. These features include DHCP and Mobile VPN. Access
to these servers must be available from the trusted interface of the Firebox or XTM device.
This information is used for two purposes:
• The Firebox or XTM device uses the DNS server shown here to resolve names to IP addresses for IPSec VPNs and for the spamBlocker, Gateway AV, and IPS features to operate correctly.
• The WINS and DNS entries are used by DHCP clients on the trusted or optional networks, and by Mobile VPN users to resolve DNS queries.
Make sure that you use only an internal WINS and DNS server for DHCP and Mobile VPN. This helps to make
sure that you do not create policies that have configuration properties that prevent users from connecting
to the DNS server.
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select the WINS/DNS tab.
The information on the WINS/DNS tab appears.
3. Type the primary and secondary addresses for the WINS and DNS servers. You can specify up to
three DNS servers. You can also type a domain suffix in the Domain Name text box for a DHCP client
to use with unqualified names such as “watchguard_mail”.
Configure a secondary network
A secondary network is a network that shares one of the same physical networks as one of the Firebox or
XTM device interfaces. When you add a secondary network, you make (or add) an IP alias to the interface.
This IP alias is the default gateway for all the computers on the secondary network. The secondary network
tells the Firebox or XTM device that there is one more network on the Firebox or XTM device interface.
For example, if you configure a Firebox or XTM device in drop-in mode, you give each Firebox or XTM
device interface the same IP address. However, you probably use a different set of IP addresses on your
trusted network. You can add this private network as a secondary network to the trusted interface of your
Firebox or XTM device. When you add a secondary network, you create a route from an IP address on the
secondary network to the IP address of the Firebox or XTM device interface.
If your Firebox or XTM device is configured with a static IP address on an external interface, you can also
add an IP address on the same subnet as your primary external interface as a secondary network. You can
then configure static NAT for more than one of the same type of server. For example, configure an external
secondary network with a second public IP address if you have two public SMTP servers and you want to
configure a static NAT rule for each.
You can add up to 2048 secondary networks per Firebox or XTM device interface. You can use secondary
networks with either a drop-in or a routed network configuration. You can also add a secondary network to
an external interface of a Firebox or XTM device if that external interface is configured to get its IP address
through PPPoE or DHCP.
To define a secondary IP address, you must have:
• An unused IP address on the secondary network to assign to the Firebox or XTM device interface
• An unused IP address on the same network as the Firebox or XTM device external interface
To define a secondary IP address:
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select the interface for the secondary network and click Configure.
The Interface Settings dialog box appears.
3. Select the Secondary tab.
4. Click Add. Type an unassigned host IP address from the secondary network.
5. Click OK.
6. Click OK again.
Note Make sure to add secondary network addresses correctly. The Firebox or XTM
device does not tell you if the address is correct. We recommend that you do not
create a subnet as a secondary network on one interface that is a component of a
larger network on a different interface. If you do this, spoofing can occur and the
network cannot operate correctly.
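An added example (not WatchGuard code) of the configuration check the note above asks you to do by hand, since the device does not do it for you: it flags a secondary network on one interface that is a subnet of, or contains, a network on a different interface. The interface names and addresses are constructed.

```python
"""Find secondary networks that overlap a network on a different interface.

The guide warns that a secondary network on one interface that is part of a
larger network on another interface allows spoofing and breaks routing, and
that the Firebox does not report the mistake. Added example; the
configuration below is constructed, in the slash notation Policy Manager uses.
"""
import ipaddress

# Constructed configuration: each interface's primary address plus its
# secondary networks. The Optional secondary 10.0.200.0/24 sits inside the
# Trusted primary network 10.0.0.0/16, which is the case the note warns about.
CONFIG = {
    "External": {"primary": "203.0.113.10/24", "secondary": ["203.0.113.11/24"]},
    "Trusted": {"primary": "10.0.0.1/16", "secondary": ["10.0.50.1/24"]},
    "Optional": {"primary": "192.168.1.1/24", "secondary": ["10.0.200.1/24"]},
}


def networks_of(config):
    """Yield (interface, network, label) for every configured network."""
    for name, cfg in config.items():
        yield name, ipaddress.ip_interface(cfg["primary"]).network, "primary"
        for addr in cfg.get("secondary", []):
            yield name, ipaddress.ip_interface(addr).network, "secondary"


def find_overlaps(config):
    """Return conflicts as (secondary interface, secondary net, other interface, other net).

    A secondary network wholly inside, or wholly containing, a network on a
    different interface is reported. Networks that share an interface are not
    compared: a secondary on the same wire as the primary is the normal case.
    """
    nets = list(networks_of(config))
    conflicts = []
    for iface, net, label in nets:
        if label != "secondary":
            continue
        for other_iface, other_net, _ in nets:
            if other_iface == iface:
                continue
            if net.subnet_of(other_net) or other_net.subnet_of(net):
                conflicts.append((iface, str(net), other_iface, str(other_net)))
    return conflicts


if __name__ == "__main__":
    for iface, net, other_iface, other_net in find_overlaps(CONFIG):
        print(f"{iface} secondary {net} overlaps {other_net} on {other_iface}")
```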
About advanced interface settings
You can use several advanced settings for Firebox or XTM device interfaces:
Network Interface Card (NIC) settings
Configures the speed and duplex parameters for Firebox or XTM device interfaces to automatic or
manual configuration. We recommend you keep the link speed configured for automatic
negotiation. If you use the manual configuration option, you must make sure the device the Firebox
or XTM device connects to is also manually set to the same speed and duplex parameters as the
Firebox or XTM device. Use the manual configuration option only when you must override the
automatic Firebox or XTM device interface parameters to operate with other devices on your
network.
Set Outgoing Interface Bandwidth
When you use Traffic Management settings to guarantee bandwidth to policies, this setting makes
sure that you do not guarantee more bandwidth than actually exists for an interface. This setting also
helps you make sure the sum of guaranteed bandwidth settings does not fill the link such that non-guaranteed traffic cannot pass.
Enable QoS Marking for an interface
Creates different classifications of service for different kinds of network traffic. You can set the
default marking behavior as traffic goes out of an interface. These settings can be overridden by
settings defined for a policy.
Set DF bit for IPSec
Determines the setting of the Don’t Fragment (DF) bit for IPSec.
PMTU Setting for IPSec
(External interfaces only) Controls the length of time that the Firebox or XTM device lowers the MTU
for an IPSec VPN tunnel when it gets an ICMP Request to Fragment packet from a router with a
lower MTU setting on the Internet.
Use static MAC address binding
Uses computer hardware (MAC) addresses to control access to a Firebox or XTM device interface.
Network Interface Card (NIC) settings
1. Select Network > Configuration.
2. Click the interface you want to configure, and then click Configure.
3. Select the Advanced tab.
4. In the Link Speed drop-down list, select Auto Negotiate if you want the Firebox or XTM device to
select the best network speed. You can also select one of the half-duplex or full-duplex speeds that
you know is compatible with your other network equipment.
Auto Negotiate is the default setting. We strongly recommend that you do not change this setting
unless instructed to do so by Technical Support. If you set the link speed manually and other devices
on your network do not support the speed you select, this can cause a conflict that does not allow
your Firebox or XTM device interface to reconnect after failover.
5. In the Maximum Transmission Unit (MTU) text box, select the maximum packet size, in bytes, that
can be sent through the interface. We recommend that you use the default, 1500 bytes, unless your
network equipment requires a different packet size.
You can set the MTU from a minimum of 68 to a maximum of 9000.
6. To change the MAC address of the external interface, select the Override MAC Address check box
and type the new MAC address.
For more information about MAC addresses, see the subsequent section.
7. Click OK.
8. Save the configuration file.
About MAC addresses
Some ISPs use a MAC address to identify the computers on their network. Each MAC address gets one static
IP address. If your ISP uses this method to identify your computer, then you must change the MAC address
of the Firebox or XTM device external interface. Use the MAC address of the cable modem, DSL modem, or
router that was connected directly to the ISP in your original configuration.
The MAC address must have these properties:
• The MAC address must use 12 hexadecimal characters. Hexadecimal characters have a value between 0 and 9 or between “a” and “f.”
• The MAC address must operate with:
  o One or more addresses on the external network.
  o The MAC address of the trusted network for the device.
  o The MAC address of the optional network for the device.
• The MAC address must not be set to 000000000000 or ffffffffffff.
If the Override MAC Address check box is not selected when the Firebox or XTM device is restarted, the
device uses the default MAC address for the external network.
To decrease problems with MAC addresses, the Firebox or XTM device makes sure that the MAC address
you assign to the external interface is unique on your network. If the Firebox or XTM device finds a device
that uses the same MAC address, the Firebox or XTM device changes back to the standard MAC address for
the external interface and starts again.
Set Outgoing Interface Bandwidth
Some traffic management features require that you set a bandwidth limit for each network interface. For
example, you must configure the Outgoing Interface Bandwidth setting to use QoS marking and
prioritization.
After you set this limit, your Firebox or XTM device completes basic prioritization tasks on network traffic to
prevent problems with too much traffic on the specified interface. Also, a warning appears in Policy
Manager if you allocate too much bandwidth as you create or adjust traffic management actions.
If you do not change the Outgoing Interface Bandwidth setting for any interface from the default value of
0, it is set to the auto-negotiated link speed for that interface.
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Select the interface for which you want to set bandwidth limits and click Configure.
The Interface Settings dialog box appears.
3. Click the Advanced tab.
4. In the Outgoing Interface Bandwidth field, type the amount of bandwidth provided by the network.
Use your Internet connection upload speed (in Kbps rather than KBps) as the limit for external
interfaces. Set your LAN interface bandwidth based on the minimum link speed supported by your
LAN infrastructure.
5. Click OK.
6. Click OK again.
7. Save the configuration file.
Set DF bit for IPSec
When you configure the external interface, select one of the three options to determine the setting for the
Don’t Fragment (DF) bit for IPSec section.
Copy
Select Copy to apply the DF bit setting of the original frame to the IPSec encrypted packet. If a frame
does not have the DF bits set, Fireware XTM does not set the DF bits and fragments the packet if
needed. If a frame is set to not be fragmented, Fireware XTM encapsulates the entire frame and sets
the DF bits of the encrypted packet to match the original frame.
Set
Select Set if you do not want your Firebox or XTM device to fragment the frame regardless of the
original bit setting. If a user must make IPSec connections to a Firebox or XTM device from behind a
different Firebox or XTM device, you must clear this check box to enable the IPSec pass-through
feature. For example, if mobile employees are at a customer location that has a Firebox or XTM
device, they can make IPSec connections to their network with IPSec. For your local Firebox or XTM
device to correctly allow the outgoing IPSec connection, you must also add an IPSec policy.
Clear
Select Clear to break the frame into pieces that can fit in an IPSec packet with the ESP or AH header,
regardless of the original bit setting.
PMTU Setting for IPSec
This advanced interface setting applies to external interfaces only.
The Path Maximum Transmission Unit (PMTU) setting controls the length of time that the Firebox or XTM
device lowers the MTU for an IPSec VPN tunnel when it gets an ICMP Request to Fragment packet from a
router with a lower MTU setting on the Internet.
We recommend that you keep the default setting. This can protect you from a router on the Internet with a
very low MTU setting.
Use static MAC address binding
You can control access to an interface on your Firebox or XTM device by computer hardware (MAC)
address. This feature can protect your network from ARP poisoning attacks, in which hackers try to change
the MAC address of their computers to match a real device on your network. To use MAC address binding,
you must associate an IP address on the specified interface with a MAC address. If this feature is enabled,
computers with a specified MAC address can only send and receive information with the associated IP
address.
You can also use this feature to restrict all network traffic to devices that match the MAC and IP addresses
on this list. This is similar to the MAC access control feature.
For more information, see Restrict network traffic by MAC address on page 118.
Note If you choose to restrict network access by MAC address binding, make sure that
you include the MAC address for the computer you use to administer your Firebox
or XTM device.
To configure the static MAC address binding settings:
1. Select Network > Configuration. Select an interface, then click Configure.
2. Select the Advanced tab.
3. Adjacent to the Static MAC/IP Address Binding table, click Add.
4. Adjacent to the IP Address field, click Add.
5. Type an IP address and MAC address pair. Click OK. Repeat this step to add additional pairs.
6. If you want this interface to pass only traffic that matches an entry in the Static MAC/IP Address
Binding list, select the Only allow traffic sent from or to these MAC/IP addresses check box.
If you do not want to block traffic that does not match an entry in the list, clear this check box.
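An added example (not Fireware code) that models the two per-interface filters described in Restrict network traffic by MAC address and in this section: the MAC Access Control list, and Static MAC/IP Address Binding with the "Only allow traffic sent from or to these MAC/IP addresses" option. MAC addresses are normalized to the 12-hexadecimal-character form the guide requires; the class name, verdict strings and sample frames are constructed.

```python
"""Model of MAC Access Control and Static MAC/IP Address Binding on one interface.

Added example, not Fireware code. Verdict strings and sample addresses are
constructed; the MAC validity rules (12 hex characters, never all-zero or
all-f) come from the guide.
"""
import re

ZERO_MAC, BCAST_MAC = "000000000000", "ffffffffffff"


def normalize_mac(text):
    """Accept XX-XX-XX-XX-XX-XX, xx:xx:xx:xx:xx:xx or 12 bare hex digits and
    return 12 lowercase hex digits; reject the two values the guide forbids."""
    mac = re.sub(r"[-:]", "", text.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", mac):
        raise ValueError(f"{text!r} is not 12 hexadecimal characters")
    if mac in (ZERO_MAC, BCAST_MAC):
        raise ValueError(f"{text!r} is not a usable MAC address")
    return mac


def is_valid_mac(text):
    try:
        normalize_mac(text)
        return True
    except ValueError:
        return False


class InterfaceFilter:
    """Constructed class: the per-interface checks a frame's source must pass."""

    def __init__(self, allowed_macs=None, bindings=None, only_bound=False):
        # MAC Access Control list; None means the feature is not enabled.
        self.allowed = (
            {normalize_mac(m) for m in allowed_macs} if allowed_macs is not None else None
        )
        # Static MAC/IP Address Binding entries: ip -> mac, plus the reverse map.
        self.bindings = {ip: normalize_mac(m) for ip, m in (bindings or {}).items()}
        self.mac_to_ip = {m: ip for ip, m in self.bindings.items()}
        # The "Only allow traffic sent from or to these MAC/IP addresses" check box.
        self.only_bound = only_bound

    def check(self, src_mac, src_ip):
        """Return "allow" or a "drop: ..." reason for a frame's source pair."""
        mac = normalize_mac(src_mac)
        if self.allowed is not None and mac not in self.allowed:
            return "drop: MAC not on access control list"
        # A bound MAC may only use its bound IP, and a bound IP only its MAC;
        # a mismatch is the ARP poisoning pattern the feature is meant to stop.
        if mac in self.mac_to_ip and self.mac_to_ip[mac] != src_ip:
            return "drop: MAC bound to a different IP (possible ARP poisoning)"
        if src_ip in self.bindings and self.bindings[src_ip] != mac:
            return "drop: IP bound to a different MAC (possible ARP poisoning)"
        if self.only_bound and src_ip not in self.bindings:
            return "drop: pair not in static binding list"
        return "allow"


if __name__ == "__main__":
    # Constructed sample: the admin workstation is listed in both features,
    # as the notes in the guide require.
    trusted = InterfaceFilter(
        allowed_macs=["00-1A-2B-3C-4D-5E", "00:1a:2b:3c:4d:5f"],
        bindings={"10.0.1.10": "00-1A-2B-3C-4D-5E"},
    )
    for mac, ip in [("00-1a-2b-3c-4d-5e", "10.0.1.10"),
                    ("00-1a-2b-3c-4d-5f", "10.0.1.10"),
                    ("00-1a-2b-3c-4d-60", "10.0.1.30")]:
        print(mac, ip, "->", trusted.check(mac, ip))
```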
Find the MAC address of a computer
A MAC address is also known as a hardware address or an Ethernet address. It is a unique identifier specific
to the network card in the computer. A MAC address is usually shown in this form: XX-XX-XX-XX-XX-XX,
where each X is a digit or letter from A to F. To find the MAC address of a computer on your network:
1. From the command line of the computer whose MAC address you want to find, type ipconfig /all (Windows) or ifconfig (OS X or Linux).
2. Look for the entry for the computer’s “physical address.” This value is the MAC or hardware address
for the computer.
About LAN bridges
A network bridge makes a connection between multiple physical network interfaces on your Firebox or
XTM device. A bridge can be used in the same ways as a normal physical network interface. For example,
you can configure DHCP to give IP addresses to clients on a bridge, or use it as an alias in firewall policies.
To use a bridge, you must:
1. Create a network bridge configuration.
2. Assign a network interface to a bridge.
If you want to bridge all traffic between two interfaces, we recommend that you use bridge mode for your
network configuration.
Create a network bridge configuration
To use a bridge, you must create a bridge configuration and assign one or more network interfaces to the
bridge.
1. Click .
Or, select Network > Configuration.
The Network Configuration dialog box appears.
2. Select the Bridge tab.
3. Click Add.
The New Bridge Configuration dialog box appears.
4. Type a Name or Alias for the new bridge. This name is used to identify the bridge in network
interface configurations. You can also type a Description for more information.
5. From the Security Zone list, select Trusted or Optional. The bridge is added to the alias of the zone
you specify.
For example, if you choose the Optional security zone, the bridge is added to the Any-Optional
network alias.
6. Type an IP address in slash notation for the bridge to use.
For more information, see About slash notation on page 3.
7. Select Disable DHCP, Use DHCP Server, or Use DHCP Relay to set the method of IP address
distribution for the bridge. If necessary, configure your DHCP server, DHCP relay, and DNS/WINS
server settings.
For more information on DHCP configuration, see Configure DHCP in mixed routing mode on page
102 and Configure DHCP Relay on page 118.
8. Select the Secondary tab to create one or more secondary network IP addresses.
For more information on secondary networks, see Configure a secondary network on page 120.
9. Click OK.
Assign a network interface to a bridge
To use a bridge, you must create a bridge configuration and assign it to one or more network interfaces. You
can create the bridge configuration in the Network Configuration dialog box, or when you configure a
network interface.
1. Click .
Or, select Network > Configuration.
The Network Configuration window appears.
2. Select the interface that you want to add to the bridge, then click Configure.
The Interface Configuration - Interface # window appears.
3. In the Interface Type drop-down list, select Bridge.
4. Select the radio button adjacent to the network bridge configuration you created, or click New
Bridge to create a new bridge configuration.
5. Click OK.
About routing
A route is the sequence of devices through which network traffic is sent. Each device in this sequence,
usually called a router, stores information about the networks it is connected to inside a route table. This
information is used to forward the network traffic to the next router in the route.
Your Firebox or XTM device automatically updates its route table when you change network interface
settings, when a physical network connection fails, or when it is restarted. To update the route table at
other times, you must use dynamic routing or add a static route. Static routes can improve performance,
but if there is a change in the network structure or if a connection fails, network traffic cannot get to its
destination. Dynamic routing ensures that your network traffic can reach its destination, but it is more
difficult to set up.
Add a static route
A route is the sequence of devices through which network traffic must go to get from its source to its
destination. A router is the device in a route that finds the subsequent network point through which to send
the network traffic to its destination. Each router is connected to a minimum of two networks. A packet can
go through a number of network points with routers before it gets to its destination.
You can create static routes to send traffic to specific hosts or networks. The router can then send the traffic
to the correct destination from the specified route. Add a network route if you have a full network behind a
router on your local network. If you do not add a route to a remote network, all traffic to that network is
sent to the Firebox or XTM device default gateway.
Before you start, you must understand the difference between a network route and a host route. A
network route is a route to a full network behind a router located on your local network. Use a host route if
there is only one host behind the router, or if you want traffic to go to only one host.
1. Select Network > Routes.
The Setup Routes dialog box appears.
2. Click Add.
The Add Route dialog box appears.
3. In the Choose Type drop-down list, select Network IP if you have a full network behind a router on
your local network. Select Host IP if only one host is behind the router or you want traffic to go to
only one host.
4. In the Route To field, type the network address or host address. If you type a network address, use
slash notation.
For more information about slash notation, see About slash notation on page 3.
5. In the Gateway field, type the IP address of the router. Make sure that you type an IP address that is
on one of the same networks as the Firebox or XTM device.
6. Type a Metric for the route. Routes with lower metrics have higher priority.
7. Click OK to close the Add Route dialog box.
The Setup Routes dialog box shows the configured network route.
8. Click OK to close the Setup Routes dialog box.
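The lookup order these steps rely on (most specific route first, then lowest metric, then the default gateway) and the gateway check in step 5 can be modeled in a few lines. The following Python is an added example written for this page, not WatchGuard code; the addresses and the RouteTable class are constructed for illustration, and the device's real route table may break ties between equal-length matches differently than this model does.

```python
import ipaddress


class RouteTable:
    """A small route table that mirrors the Setup Routes dialog.

    Entries are (destination network, gateway, metric). Directly connected
    networks are stored with gateway None, meaning "deliver on-link". Lookup
    picks the most specific (longest-prefix) match and breaks ties with the
    lowest metric, so a host route beats a network route and a network route
    beats the default route.
    """

    def __init__(self, connected, default_gateway):
        # connected: the device's own interface addresses in slash notation
        self.routes = []
        for addr in connected:
            self.routes.append((ipaddress.ip_interface(addr).network, None, 0))
        self.add_route("Network IP", "0.0.0.0/0", default_gateway)

    def _check_gateway(self, gateway):
        gw = ipaddress.ip_address(gateway)
        # The gateway must sit on a network the device is directly connected to;
        # otherwise the device has no way to hand the packet to that router.
        if not any(gw in net for net, hop, _ in self.routes if hop is None):
            raise ValueError(f"gateway {gw} is not on a directly connected network")
        return gw

    def add_route(self, route_type, destination, gateway, metric=1):
        """route_type is 'Network IP' (slash notation) or 'Host IP' (single address)."""
        gw = self._check_gateway(gateway)
        if route_type == "Host IP":
            net = ipaddress.ip_network(f"{destination}/32")
        elif route_type == "Network IP":
            # strict=True rejects "10.0.5.1/24": a network route needs the network address
            net = ipaddress.ip_network(destination, strict=True)
        else:
            raise ValueError("route type must be 'Network IP' or 'Host IP'")
        self.routes.append((net, gw, metric))

    def lookup(self, destination):
        """Return the next-hop gateway for destination, or None if it is on-link."""
        ip = ipaddress.ip_address(destination)
        matches = [r for r in self.routes if ip in r[0]]
        # longest prefix first, then lowest metric (lower metric = higher priority)
        net, gw, _ = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
        return gw


if __name__ == "__main__":
    # Constructed example: trusted interface 10.0.1.1/24, external 203.0.113.2/30
    rt = RouteTable(["10.0.1.1/24", "203.0.113.2/30"], "203.0.113.1")
    rt.add_route("Network IP", "10.0.5.0/24", "10.0.1.254")   # network behind a local router
    rt.add_route("Host IP", "10.0.5.7", "10.0.1.253")         # one host reached another way
    for dst in ("10.0.5.7", "10.0.5.9", "10.0.1.42", "198.51.100.9"):
        print(dst, "->", rt.lookup(dst))
```

The two ValueError paths are the checks the dialog leaves to the administrator: a gateway that is not on a directly connected network, and a "network" address that still has host bits set.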
About virtual local area networks (VLANs)
An 802.1Q VLAN (virtual local area network) is a collection of computers on a LAN or LANs that are
grouped together in a single broadcast domain independent of their physical location. This enables you to
group devices according to traffic patterns, instead of physical proximity. Members of a VLAN can share
resources as if they were connected to the same LAN. You can also use VLANs to split a switch into multiple
segments. For example, suppose your company has full-time employees and contract workers on the same
LAN. You want to restrict the contract employees to a subset of the resources used by the full-time
employees. You also want to use a more restrictive security policy for the contract workers. In this case, you
split the interface into two VLANs.
VLANs enable you to divide your network into groups with a logical, hierarchical structure or grouping
instead of a physical one. This helps free IT staff from the restrictions of their existing network design and
cable infrastructure. VLANs make it easier to design, implement, and manage your network. Because
VLANs are software-based, you can quickly and easily adapt your network to additions, relocations, and
reorganizations.
VLANs use bridges and switches, so broadcasts are more efficient: a broadcast reaches only the hosts in that
VLAN, not every host on the wire. Consequently, traffic across your routers is reduced, which means a
reduction in router latency. You can configure your Firebox or XTM device to act as a DHCP server for
devices on the VLAN, or use DHCP relay with a separate DHCP server.
You assign a VLAN to the Trusted, Optional, or External security zone. VLAN security zones correspond to
aliases for interface security zones. For example, VLANs of type Trusted are handled by policies that use the
alias Any-Trusted as a source or destination. VLANs of type External appear in the list of external interfaces
when you configure policy-based routing.
VLAN requirements and restrictions
• The WatchGuard VLAN implementation does not support the spanning tree link management
protocol.
• If your Firebox or XTM device is configured to use drop-in network mode, you cannot use VLANs.
• A physical interface can be an untagged VLAN member of only one VLAN. For example, if External-1
is an untagged member of a VLAN named VLAN-1, it cannot be an untagged member of a different
VLAN at the same time. Also, external interfaces can be a member of only one VLAN.
• Your multi-WAN configuration settings are applied to VLAN traffic. However, it can be easier to
manage bandwidth when you use only physical interfaces in a multi-WAN configuration.
• Your device model and license control the number of VLANs you can create.
To see the number of VLANs you can add to your Firebox or XTM device, open Policy Manager and
select Setup > Feature Keys. Find the row labeled Total number of VLAN interfaces.
• We recommend that you do not create more than 10 VLANs that operate on external interfaces.
Too many VLANs on external interfaces affect performance.
• All network segments you want to add to a VLAN must have IP addresses on the VLAN network.
Note If you define VLANs, you can ignore messages with the text “802.1d unknown
version”. These occur because the WatchGuard VLAN implementation does not
support spanning tree link management protocol.
About tagging
To enable VLANs, you must deploy VLAN-capable switches in each site. The switch interfaces insert tags at
layer 2 of the data frame that identify a network packet as part of a specified VLAN. These tags, which add
an extra four bytes to the Ethernet header, identify the frame as belonging to a specific VLAN. Tagging is
specified by the IEEE 802.1Q standard.
The VLAN definition includes disposition of tagged and untagged data frames. You must specify whether the
VLAN receives tagged, untagged, or no data from each interface that is enabled. Your Firebox or XTM
device can insert tags for packets that are sent to a VLAN-capable switch. Your device can also remove tags
from packets that are sent to a network segment that belongs to a VLAN that has no switch.
About VLAN ID numbers
By default, each interface on most new, unconfigured switches belongs to VLAN number 1. Because this
VLAN exists on every interface of most switches by default, the possibility exists that this VLAN can
accidentally span the entire network, or at least very large portions of it.
We recommend you use a VLAN ID number that is not 1 for any VLAN that passes traffic to the Firebox or
XTM device.
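To make the tag format concrete, here is an added Python example (not part of this guide or of Fireware) that builds an 802.1Q tag, parses and strips it, and applies the per-interface disposition rule described above: a tagged frame is accepted only for a VLAN the interface is a tagged member of, and an untagged frame is assigned to the interface's single untagged VLAN or dropped. The MAC addresses and payload are constructed sample data, and the function names are this example's own.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that announces a VLAN tag
ETHERTYPE_IPV4 = 0x0800


def add_tag(frame, vid, pcp=0, dei=0):
    """Insert the 4-byte 802.1Q tag between the source MAC and the EtherType."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1-4094; 0 and 4095 are reserved by 802.1Q")
    tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | vid   # priority, drop eligible, VID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame):
    """Return (vlan_id or None, ethertype, payload) for a raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner_type, frame[18:]


def strip_tag(frame):
    """Remove the tag (if any), as the device does for a segment with no VLAN switch."""
    vid, _, _ = parse_frame(frame)
    return frame if vid is None else frame[:12] + frame[16:]


def classify_ingress(frame, tagged_vids, untagged_vid=None):
    """Decide which VLAN a frame arriving on an interface belongs to.

    tagged_vids:  VLANs for which the interface sends and receives tagged traffic
    untagged_vid: the one VLAN (if any) for which it handles untagged traffic
    Returns the VLAN ID, or None if the frame should be dropped.
    """
    vid, _, _ = parse_frame(frame)
    if vid is None or vid == 0:      # untagged, or priority-tagged with VID 0
        return untagged_vid
    return vid if vid in tagged_vids else None


# Constructed sample frame: two made-up MAC addresses, IPv4 EtherType, 46 zero bytes.
DST_MAC = bytes.fromhex("001122334455")
SRC_MAC = bytes.fromhex("66778899aabb")
UNTAGGED_FRAME = DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + bytes(46)

if __name__ == "__main__":
    tagged = add_tag(UNTAGGED_FRAME, 10)
    print("tag bytes:", tagged[12:16].hex(), "length grew by", len(tagged) - len(UNTAGGED_FRAME))
    print("interface tagged for {10, 20}:", classify_ingress(tagged, {10, 20}))
    print("same interface, VLAN 30 frame:", classify_ingress(add_tag(UNTAGGED_FRAME, 30), {10, 20}))
```

The VID 1 warning above is visible in this model: a switch that leaves its default VLAN on every port will deliver untagged frames that `classify_ingress` maps to whatever VLAN you chose as untagged, so use an ID other than 1 for anything that reaches the device.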
Define a new VLAN
Before you create a new VLAN, make sure you understand the concepts about, and restrictions for VLANs,
as described in About virtual local area networks (VLANs) on page 131.
When you define a new VLAN, you add an entry in the VLAN Settings table. You can change the view of this
table:
• Click a column header to sort the table based on the values in that column.
• The table can be sorted in descending or ascending order.
• The values in the Interface column show the physical interfaces that are members of this VLAN.
• The interface number in bold is the interface that sends untagged data to that VLAN.
To create a new VLAN:
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Click the VLAN tab.
A table of existing user-defined VLANs and their settings appears.
3. Click Add.
The New VLAN Configuration dialog box appears.
4. In the Name (Alias) field, type a name for the VLAN. The name cannot contain spaces.
5. (Optional) In the Description field, type a description of the VLAN.
6. In the VLAN ID field, type or select a value for the VLAN.
7. In the Security Zone field, select Trusted, Optional, or External.
Security zones correspond to aliases for interface security zones. For example, VLANs of type
Trusted are handled by policies that use the alias Any-Trusted as a source or destination.
8. In the IP Address field, type the address of the VLAN gateway.
Note that any computer in this new VLAN must use this IP address as its default gateway.
Use DHCP on a VLAN
You can configure the Firebox or XTM device as a DHCP server for the computers on your VLAN network.
1. Select the Use DHCP Server radio button to configure the Firebox or XTM device as the DHCP server
for your VLAN network. If necessary, type your domain name to supply it to the DHCP clients.
2. To add an IP address pool, click Add and type the first and last IP addresses assigned for distribution.
Click OK.
You can configure a maximum of six address pools.
3. To reserve a specific IP address for a client, click Add adjacent to the Reserved Addresses box. Type
a name for the reservation, the IP address you want to reserve, and the MAC address of the client’s
network card. Click OK.
4. To change the default lease time, click the Leasing Time arrows.
This is the time interval that a DHCP client can use an IP address that it receives from the DHCP server. When
the lease time is about to expire, the client sends a request to the DHCP server to get a new lease.
5. To add DNS or WINS servers to your DHCP configuration, click the DNS/WINS Servers button.
6. If necessary, type a Domain Name for DNS information.
7. Click the Add button adjacent to each list to create an entry for each server you want to add.
8. Select a server from the list and click Edit to change the information for that server, or click Delete
to remove the selected server.
Use DHCP relay on a VLAN
1. Select Use DHCP Relay.
2. Type the IP address of the DHCP server. Make sure to add a route to the DHCP server, if necessary.
You can now take the next steps, and Assign interfaces to a VLAN.
Assign interfaces to a VLAN
When you create a new VLAN, you specify the type of data it receives from Firebox or XTM device
interfaces. However, you can also make an interface a member of a VLAN that is currently defined, or
remove an interface from a VLAN.
1. In the Network Configuration dialog box, select the Interfaces tab.
2. Select an interface and click Configure.
The Interface Settings dialog box appears.
3. In the Interface Type drop-down list, select VLAN.
A table that shows all current VLANs appears. You may need to increase the size of this dialog box to see all of
the options.
4. Select the Send and receive tagged traffic for selected VLANs check box to receive tagged data on
this network interface.
5. Select the Member check box for each interface you want to include in this VLAN.
To remove an interface from this VLAN, clear the adjacent Member check box.
An interface can be a member of one external VLAN, or multiple trusted or optional VLANs.
6. To configure the interface to receive untagged data, select the Send and receive untagged traffic
for selected VLAN check box at the bottom of the dialog box.
7. Select a VLAN configuration from the adjacent drop-down list, or click New VLAN to create a new
VLAN configuration.
8. Click OK.
Network Setup Examples
Example: Configure Two VLANs on the Same Interface
A network interface on a Firebox or XTM device is a member of more than one VLAN when the switch that
connects to that interface carries traffic from more than one VLAN. This example shows how to connect
one switch that is configured for two different VLANs to a single interface on the Firebox or XTM device.
The subsequent diagram shows the configuration for this example.
In this example, computers on both VLANs connect to the same 802.1Q switch, and the switch connects to
interface 3 on the Firebox or XTM device.
The subsequent instructions show you how to configure the VLAN settings in Policy Manager.
Define the two VLANs
1. From Policy Manager, select Network > Configuration.
2. Select the VLAN tab.
3. Click Add.
The New VLAN Configuration dialog box appears.
4. In the Name (Alias) text box, type a name for the VLAN. For this example, type VLAN10 .
5. In the Description text box, type a description. For this example, type Accounting .
6. In the VLAN ID text box, type the VLAN number configured for the VLAN on the switch. For this
example, type 10 .
7. From the Security Zone drop-down list, select the security zone. For this example, select Trusted.
8. In the IP Address text box, type the IP address to use for the Firebox or XTM device on this VLAN.
For this example, type 192.168.10.1/24 .
9. (Optional) To configure the Firebox or XTM device to act as a DHCP server for the computers on
VLAN10:
• Select Use DHCP Server.
• To the right of the Address Pool list, click Add.
• For this example, in the Starting address text box, type 192.168.10.10 and in the Ending
address text box type 192.168.10.20.
The finished VLAN10 configuration for this example looks like:
10. Click OK to add the new VLAN.
11. Click Add to add the second VLAN.
12. In the Name (Alias) text box, type VLAN20.
13. In the Description text box, type Sales.
14. In the VLAN ID text box, type 20.
15. From the Security Zone drop-down list, select Optional.
16. In the IP Address field, type the IP address to use for the Firebox or XTM device on this VLAN. For
this example, type 192.168.20.1/24.
17. (Optional) To configure the Firebox or XTM device to act as a DHCP server for the computers on
VLAN20:
• Select Use DHCP Server.
• To the right of the Address Pool list, click Add.
• For this example, in the Starting address text box, type 192.168.20.10 and in the Ending
address text box type 192.168.20.20.
18. Click OK to add the new VLAN.
Both VLANs now appear in the VLAN tab of the Network Configuration dialog box.
Configure Interface 3 as a VLAN interface
After you define the VLANs, you can configure Interface 3 to send and receive VLAN traffic.
1. Click the Interfaces tab.
2. Select Interface 3. Click Configure.
3. From the Interface Type drop-down list, select VLAN.
4. Select the Send and receive tagged traffic for selected VLANs check box.
5. Select the check boxes for VLAN10 and VLAN20.
6. Click OK.
Each device on these two VLANs must set the IP address of the default gateway to be the IP address
configured for the VLAN. In this example:
• Devices on VLAN10 must use 192.168.10.1 as their default gateway.
• Devices on VLAN20 must use 192.168.20.1 as their default gateway.
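The restrictions listed under VLAN requirements and restrictions (ID range, untagged membership, external VLANs, addresses on the VLAN network) and the DHCP pool values used in this example are easy to get wrong in a dialog box. The following Python validator is an added example, not WatchGuard code; it encodes those rules as checks over a small data model of the VLAN tab and uses this example's VLAN10/VLAN20 configuration as its input. The data model and function names are this example's own, and rules it has no data for (such as the per-model VLAN limit in the feature key) are not checked.

```python
import ipaddress

ZONES = {"Trusted", "Optional", "External"}


def validate_vlan_config(vlans, interfaces):
    """Check a VLAN configuration against the restrictions in this chapter.

    vlans:      list of dicts with keys name, id, zone, ip (slash notation)
                and optional dhcp_pools (list of (first, last) tuples).
    interfaces: dict of interface name -> {"tagged": set of VLAN IDs,
                "untagged": one VLAN ID or None}. The single untagged slot
                models the rule that an interface is an untagged member of
                at most one VLAN.
    Returns (errors, warnings); the configuration is acceptable when errors is empty.
    """
    errors, warnings = [], []
    owner, networks = {}, {}

    for v in vlans:
        name, vid, zone = v["name"], v["id"], v["zone"]
        if " " in name:
            errors.append(f"{name}: the VLAN name cannot contain spaces")
        if not 1 <= vid <= 4094:
            errors.append(f"{name}: VLAN ID {vid} is outside the 802.1Q range 1-4094")
        elif vid == 1:
            warnings.append(f"{name}: VLAN ID 1 is the default VLAN on most switches; use another ID")
        if vid in owner:
            errors.append(f"{name}: VLAN ID {vid} is already used by {owner[vid]}")
        owner[vid] = name
        if zone not in ZONES:
            errors.append(f"{name}: security zone must be Trusted, Optional, or External")
        try:
            gateway = ipaddress.ip_interface(v["ip"])
            if gateway.network.prefixlen == gateway.max_prefixlen:
                raise ValueError("no prefix length")
        except ValueError:
            errors.append(f"{name}: gateway {v['ip']!r} must be an address in slash notation")
            continue
        net = gateway.network
        for other, other_net in networks.items():
            if net.overlaps(other_net):
                errors.append(f"{name}: subnet {net} overlaps {other} ({other_net})")
        networks[name] = net
        pools = v.get("dhcp_pools", [])
        if len(pools) > 6:
            errors.append(f"{name}: at most six DHCP address pools are allowed")
        for first, last in pools:
            lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
            if lo > hi:
                errors.append(f"{name}: DHCP pool {first}-{last} has its ends reversed")
            elif lo not in net or hi not in net:
                errors.append(f"{name}: DHCP pool {first}-{last} lies outside {net}")
            elif lo <= gateway.ip <= hi:
                errors.append(f"{name}: DHCP pool {first}-{last} includes the gateway {gateway.ip}")

    zone_of = {v["id"]: v["zone"] for v in vlans}
    external_in_use = set()
    for ifname, m in interfaces.items():
        members = set(m.get("tagged", ()))
        if m.get("untagged") is not None:
            members.add(m["untagged"])
        for vid in sorted(members - set(zone_of)):
            errors.append(f"{ifname}: VLAN ID {vid} is not defined")
        external = {vid for vid in members if zone_of.get(vid) == "External"}
        external_in_use |= external
        if external and len(members) > 1:
            errors.append(f"{ifname}: an interface that carries an External VLAN "
                          "can be a member of only that one VLAN")
    if len(external_in_use) > 10:
        warnings.append(f"{len(external_in_use)} VLANs on external interfaces; "
                        "more than 10 affects performance")
    return errors, warnings


# The two VLANs and the interface from this section's example.
EXAMPLE_VLANS = [
    {"name": "VLAN10", "id": 10, "zone": "Trusted", "ip": "192.168.10.1/24",
     "dhcp_pools": [("192.168.10.10", "192.168.10.20")]},
    {"name": "VLAN20", "id": 20, "zone": "Optional", "ip": "192.168.20.1/24",
     "dhcp_pools": [("192.168.20.10", "192.168.20.20")]},
]
EXAMPLE_INTERFACES = {"Interface 3": {"tagged": {10, 20}, "untagged": None}}

if __name__ == "__main__":
    print(validate_vlan_config(EXAMPLE_VLANS, EXAMPLE_INTERFACES))
```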
Use your Firebox or XTM device with the 3G Extend wireless bridge
The WatchGuard 3G Extend wireless bridge adds 3G cellular connectivity to your Firebox X Edge or
WatchGuard XTM 2 Series device. When you connect the external interface of your Firebox or XTM device
to the 3G Extend wireless bridge, computers on your network can connect wirelessly to the Internet via the
3G cellular network.
The 3G Extend has two models based on technology from Top Global and Cradlepoint.
To connect your Firebox or XTM device to the 3G cellular network you need:
• A Firebox X Edge or XTM 2 Series device
• A 3G Extend wireless bridge
• A 3G wireless broadband data card
Use the 3G Extend/Top Global MB5000K device
Follow these steps to use the 3G Extend wireless bridge with your Firebox X Edge or XTM 2 Series device.
1. Configure the external interface on your Firebox or XTM device to get its address with PPPoE. Make
sure to set the PPPoE user name / password to public/public. To learn more about how to configure
your external interface for PPPoE, see Configure an external interface on page 98.
2. Activate your broadband data card. See the instructions included with your broadband data card for
more information.
3. Prepare your 3G Extend wireless bridge:
• Insert the broadband data card into the slot on the 3G Extend wireless bridge.
• Plug in the power to the 3G Extend wireless bridge.
• Verify that the LED lights are active.
4. Use an Ethernet cable to connect the 3G Extend wireless bridge to the external interface of your
Firebox or XTM device.
It is not necessary to change any settings on the 3G Extend device before you connect it to your Firebox or
XTM device. There are some times when it is necessary to connect to the web management interface of
the 3G Extend device. To connect to the 3G Extend web interface, connect your computer directly to the
MB5000K with an Ethernet cable and make sure your computer is configured to get its IP address with
DHCP. Open your web browser and go to http://172.16.0.1. Log in with the user name public and the password
public.
• To operate correctly with your Firebox or XTM device, the 3G Extend wireless bridge must be
configured to run in "Auto Connect" mode. All 3G Extend/MB5000K devices are pre-configured to
run in this mode by default. To verify that your 3G Extend device is configured in Auto Connect mode,
connect directly to the device and select Interfaces > Internet access. Select the WAN#0 interface.
In the Networking section, make sure the Connect mode drop-down list is set to Auto.
• If your 3G wireless card runs on the GPRS cellular network, it may be necessary to add a network
login and password to your 3G Extend device configuration. To add a network login and password,
connect to the 3G Extend wireless bridge and select Services > Manageable Bridge.
• To reset the MB5000K to its factory default settings, connect to the 3G Extend wireless bridge and
select System > Factory defaults. Click Yes.
For security, we recommend that you change the default PPPoE user name/password from public/public
as soon as your network is up and running. The default is the same on every unit and is printed in this guide,
so anyone who can reach the Ethernet side of the bridge can use it. You must change the user name and
password on both your Firebox or XTM device and your 3G Extend wireless bridge.
• To change the PPPoE user name and password on your Firebox or XTM device, see Configure an
external interface on page 98.
• To change the PPPoE user name and password on the 3G Extend device, connect to the device and
go to Services > Manageable Bridge.
The 3G Extend device supports more than 50 modem cards and ISP plan options. For detailed information
about the Top Global product, including the MB5000 User Guide, go to
http://www.topglobaluse.com/support_mb5000.htm.
Use the 3G Extend/Cradlepoint CBA250 device
Follow these steps to use the 3G Extend Cradlepoint cellular broadband adapter with your WatchGuard
Firebox X Edge or XTM 2 Series device.
1. Follow the instructions in the Cradlepoint CBA250 Quick Start Guide to set up the Cradlepoint device
and update the device firmware. If you have a newer modem that is not supported by the firmware
version that ships on the device, you must use different steps to upgrade your firmware to the latest
version:
• Download the latest firmware for the CBA250 to your computer from the Cradlepoint support
site at http://www.cradlepoint.com/support/cba250.
• Use these instructions to update your firmware: Updating the Firmware on your Cradlepoint
Router.
2. Configure the external interface on your Firebox or XTM device to get its address with DHCP. To
learn how to configure your external interface for DHCP, see Configure an external interface on
page 98.
3. Use an Ethernet cable to connect the Cradlepoint device to the external interface of the Firebox or
XTM device.
4. Start (or restart) the Firebox or XTM device.
When the Firebox or XTM device starts, it gets a DHCP address from the Cradlepoint device. After an IP address
is assigned, the Firebox or XTM device can connect to the Internet via the cellular broadband network.
The Cradlepoint supports a large number of USB or ExpressCard broadband wireless devices. For a list of
supported devices, see http://www.cradlepoint.com/support/cba250.
7 Multi-WAN
About using multiple external interfaces
You can use your Firebox or XTM device to create redundant support for the external interface. This is a
helpful option if you must have a constant Internet connection.
With the multi-WAN feature, you can configure up to four external interfaces, each on a different subnet.
This allows you to connect your Firebox or XTM device to more than one Internet Service Provider (ISP).
When you configure a second external interface, the multi-WAN feature is automatically enabled.
Multi-WAN requirements and conditions
You must have a second Internet connection and more than one external interface to use most multi-WAN
configuration options.
Conditions and requirements for multi-WAN use include:
• If you have a policy configured with an individual external interface alias in its configuration, you
must change the configuration to use the alias Any-External, or another alias you configure for
external interfaces. If you do not do this, some traffic could be denied by your firewall policies.
• Multi-WAN settings do not apply to incoming traffic. When you configure a policy for inbound traffic,
you can ignore all multi-WAN settings.
• To override the multi-WAN configuration in any individual policy, enable policy-based routing for
that policy. For more information on policy-based routing, see Configure policy-based routing on
page 355.
• Map your company's Fully Qualified Domain Name to the external interface IP address of the lowest
order. If you add a multi-WAN Firebox or XTM device to your Management Server configuration,
you must use the lowest-ordered external interface to identify it when you add the device.
• To use multi-WAN, you must use mixed routing mode for your network configuration. This feature
does not operate in drop-in or bridge mode network configurations.
• To use the Interface Overflow method, you must have Fireware XTM with a Pro upgrade. You must
also have a Fireware XTM Pro license if you use the Round-robin method and configure different
weights for the Firebox or XTM device external interfaces.
You can use one of four multi-WAN configuration options to manage your network traffic.
For configuration details and setup procedures, see the section for each option.
Multi-WAN and DNS
Make sure that your DNS server can be reached through every WAN. Otherwise, you must modify your
DNS policies such that:
• The From list includes Firebox.
• The Use policy-based routing check box is selected.
If only one WAN can reach the DNS server, select that interface in the adjacent drop-down list.
If more than one WAN can reach the DNS server, select any one of them, select Failover, select
Configure, and select all the interfaces that can reach the DNS server. The order does not matter.
Note You must have Fireware XTM with a Pro upgrade to use policy-based routing.
Multi-WAN and FireCluster
You can use multi-WAN failover with the FireCluster feature, but they are configured separately. Multi-WAN
failover caused by a failed connection to a link monitor host does not trigger FireCluster failover.
FireCluster failover occurs only when the physical interface is down or does not respond. FireCluster
failover takes precedence over multi-WAN failover.
About multi-WAN options
When you configure multiple external interfaces, you have several options to control which interface an
outgoing packet uses. Some of these features require that you have Fireware XTM with a Pro upgrade.
Round-robin order
When you configure multi-WAN with the Round-robin method, the Firebox or XTM device looks at its
internal routing table to check for specific static or dynamic routing information for each connection. If no
specified route is found, the Firebox or XTM device distributes the traffic load among its external interfaces.
The Firebox or XTM device uses the average of sent (TX) and received (RX) traffic to balance the traffic load
across all external interfaces you specify in your round-robin configuration.
If you have Fireware XTM with a Pro upgrade, you can assign a weight to each interface used in your
round-robin configuration. By default and for all Fireware XTM users, each interface has a weight of 1. The weight
refers to the proportion of load that the Firebox or XTM device sends through an interface. If you have
Fireware XTM Pro and you assign a weight of 2 to an interface, you double the portion of traffic that will go
through that interface compared to an interface with a weight of 1.
As an example, if you have three external interfaces with 6 Mbps, 1.5 Mbps, and 0.75 Mbps of bandwidth and
want to balance traffic across all three interfaces in proportion to their bandwidth, you would use 8, 2, and 1
as the weights for the three interfaces. Fireware will try to distribute connections so that 8/11, 2/11, and 1/11
of the total traffic flows through each of the three interfaces.
For more information, see Configure Round-robin on page 147.
Failover
When you use the failover method to route traffic through the Firebox or XTM device external interfaces,
you select one external interface to be the primary external interface. Other external interfaces are backup
interfaces, and you set the order for the Firebox or XTM device to use the backup interfaces. The Firebox or
XTM device monitors the primary external interface. If it goes down, the Firebox or XTM device sends all
traffic to the next external interface in its configuration. While the Firebox or XTM device sends all traffic to
the backup interface, it continues to monitor the primary external interface. When the primary interface is
active again, the Firebox or XTM device immediately starts to send all new connections through the primary
external interface again.
You control the action for the Firebox or XTM device to take for existing connections; these connections can
fail back immediately, or continue to use the backup interface until the connection is complete. Multi-WAN
failover and FireCluster failover are configured separately and interact as described in Multi-WAN and
FireCluster on page 144.
For more information, see Configure Failover on page 149.
Interface overflow
When you use the Interface Overflow multi-WAN configuration method, you select the order you want the
Firebox or XTM device to send traffic through external interfaces and configure each interface with a
bandwidth threshold value. The Firebox or XTM device starts to send traffic through the first external
interface in its Interface Overflow configuration list. When the traffic through that interface reaches the
bandwidth threshold you have set for that interface, the Firebox or XTM device starts to send traffic to the
next external interface you have configured in your Interface Overflow configuration list.
This multi-WAN configuration method allows the amount of traffic sent over each WAN interface to be
restricted to a specified bandwidth limit. To determine bandwidth, the Firebox or XTM device examines the
amount of sent (TX) and received (RX) packets and uses the higher number. When you configure the
interface bandwidth threshold for each interface, consider the needs of your network for that interface
and set the threshold value based on these needs. Because one threshold is compared with the higher of
the two directions, an asymmetrical link needs its threshold set for the direction that actually fills up: if you
set your bandwidth threshold based on a large TX rate, interface overflow will not be triggered by a high RX
rate that stays below it.
If all WAN interfaces have reached their bandwidth limit, the Firebox or XTM device uses the ECMP (Equal-Cost
Multipath) routing algorithm to find the best path.
Note You must have Fireware XTM with a Pro upgrade to use this multi-WAN routing
method.
For more information, see Configure Interface Overflow on page 150.
Routing table
When you select the Routing Table option for your multi-WAN configuration, the Firebox or XTM device
uses the routes in its internal route table or routes it gets from dynamic routing processes to send packets
through the correct external interface. To see whether a specific route exists for a packet’s destination, the
Firebox or XTM device examines its route table from the top to the bottom of the list of routes. You can see
the list of routes in the route table on the Status tab of Firebox System Manager. The Routing Table option is
the default multi-WAN option.
If the Firebox or XTM device does not find a specified route, it selects the route to use based on a hash of the
packet's source and destination IP addresses, using the ECMP (Equal-Cost Multipath) hash algorithm
analyzed in RFC 2992:
http://www.ietf.org/rfc/rfc2992.txt
With ECMP, the Firebox or XTM device uses this hash to decide which next-hop (path) to use to send
each packet. The hash does not consider current traffic load, so all packets between the same pair of
addresses take the same path.
For more information, see When to use multi-WAN methods and routing on page 154.
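The following Python is an added example, not WatchGuard code, that shows what selecting a path from a source/destination hash means in practice. It uses the hash-threshold method from RFC 2992 next to the modulo-N method the RFC compares it against; CRC32 stands in for the device's undocumented hash function, and the gateway addresses and flows are constructed. It demonstrates the two properties the text mentions: every packet of a flow takes the same path regardless of load, and when one external interface drops out only part of the flows move (fewer with hash-threshold than with modulo-N).

```python
import ipaddress
import random
import zlib


def flow_key(src, dst):
    """32-bit hash of the (source, destination) address pair.

    CRC32 is an assumption standing in for the device's real hash; the
    selection logic below is what the example is about."""
    packed = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    return zlib.crc32(packed) & 0xFFFFFFFF


def select_hash_threshold(next_hops, src, dst):
    """RFC 2992 hash-threshold: split the 32-bit key space into len(next_hops)
    equal regions and pick the next-hop whose region the flow's key lands in."""
    return next_hops[(flow_key(src, dst) * len(next_hops)) >> 32]


def select_modulo_n(next_hops, src, dst):
    """The simpler modulo-N scheme that RFC 2992 compares hash-threshold against."""
    return next_hops[flow_key(src, dst) % len(next_hops)]


def disrupted_fraction(select, before, after, flows):
    """Share of flows whose next-hop changes when the usable next-hop list goes
    from `before` to `after` (for example, when one WAN fails)."""
    moved = sum(1 for src, dst in flows
                if select(before, src, dst) != select(after, src, dst))
    return moved / len(flows)


def sample_flows(count, seed=1):
    """Constructed flows: random internal sources to random external destinations."""
    rng = random.Random(seed)
    return [(f"10.0.{rng.randrange(256)}.{rng.randrange(1, 255)}",
             f"198.18.{rng.randrange(256)}.{rng.randrange(1, 255)}")
            for _ in range(count)]


# Constructed: one next-hop router per external interface.
EXTERNAL_GATEWAYS = ["203.0.113.1", "198.51.100.1", "192.0.2.1"]

if __name__ == "__main__":
    flows = sample_flows(2000)
    two_left = [EXTERNAL_GATEWAYS[0], EXTERNAL_GATEWAYS[2]]   # middle WAN has failed
    print("hash-threshold flows moved:",
          disrupted_fraction(select_hash_threshold, EXTERNAL_GATEWAYS, two_left, flows))
    print("modulo-N flows moved:      ",
          disrupted_fraction(select_modulo_n, EXTERNAL_GATEWAYS, two_left, flows))
```

Because the choice is a pure function of the two addresses, a single heavy flow is never split across interfaces, and a busy interface is not avoided; that is the "does not consider current traffic load" behaviour the text describes, and the reason Round-robin or Interface Overflow exist as alternatives.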
Serial modem (Firebox X Edge only)
If your organization has a dial-up account with an ISP, you can connect an external modem to the serial port
on your Edge and use that connection for failover when all other external interfaces are inactive.
For more information, see Serial modem failover on page 155.
Configure Round-robin
Before You Begin
• To use the multi-WAN feature, you must have more than one external interface configured. If
necessary, use the procedure described in Configure an external interface on page 98.
• Make sure you understand the concepts and requirements for multi-WAN and the method you
choose, as described in About using multiple external interfaces on page 143 and About multi-WAN
options on page 144.
Configure the interfaces
1. Select Network > Configuration.
2. Click the Multi-WAN tab.
3. In the Multi-WAN Configuration section drop-down list, select Round-robin.
4. Click Configure.
5. In the Include column, select the check box for each interface you want to use in the round-robin
configuration. It is not necessary to include all external interfaces in your round-robin configuration.
For example, you may have one interface that you want to use for policy-based routing that you do
not want to include in your round-robin configuration.
6. If you have Fireware XTM with a Pro upgrade and you want to change the weights assigned to one or
more interfaces, click Configure.
7. Click the value control to set an interface weight. The weight of an interface sets the percentage of
load through the Firebox or XTM device that will use that interface.
Note You can change the weight from its default of 1 only if you have Fireware XTM with
a Pro upgrade. Otherwise, you see an error when you try to close the Network
Configuration dialog box.
8. Click OK.
For information on changing the weight, see Find how to assign weights to interfaces on page 149.
9. To complete your configuration, you must add link monitor information as described in About WAN
interface status on page 161.
For information on advanced multi-WAN configuration options, see Advanced multi-WAN settings
on page 159.
10. Click OK.
Find how to assign weights to interfaces
If you use Fireware XTM with a Pro upgrade, you can assign a weight to each interface used in your
round-robin multi-WAN configuration. By default, each interface has a weight of 1. The weight refers to the
proportion of load that the Firebox or XTM device sends through an interface.
You can use only whole numbers for the interface weights; no fractions or decimals are allowed. For
optimal load balancing, you might have to do a calculation to know the whole-number weight to assign for
each interface. Use a common multiplier so that the relative proportion of the bandwidth given by each
external connection is resolved to whole numbers.
For example, suppose you have three Internet connections. One ISP gives you 6 Mbps, another ISP gives
you 1.5 Mbps, and a third gives you 768 Kbps. Convert the proportion to whole numbers:
- First convert the 768 Kbps to approximately .75 Mbps so that you use the same unit of
  measurement for all three lines. Your three lines are rated at 6, 1.5, and .75 Mbps.
- Multiply each value by 100 to remove the decimals. Proportionally, these are equivalent: [6 : 1.5 :
  .75] is the same ratio as [600 : 150 : 75].
- Find the greatest common divisor of the three numbers. In this case, 75 is the largest number that
  evenly divides all three numbers 600, 150, and 75.
- Divide each of the numbers by the greatest common divisor.
The results are 8, 2, and 1. You could use these numbers as weights in a round-robin multi-WAN
configuration.
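The same calculation carried out in code, as an added example that is not part of the WatchGuard guide: each rate is kept as an exact fraction, scaled by the smallest multiplier that removes the decimals (the guide uses 100), divided by the greatest common divisor, and the resulting share of load per interface is reported. Rounding Kbps figures to the nearest quarter Mbps, so that 768 Kbps becomes .75 Mbps as in the guide, is an assumption of this example.

```python
from fractions import Fraction
from functools import reduce
from math import gcd


def lcm(a, b):
    return a * b // gcd(a, b)


def round_robin_weights(bandwidths_mbps):
    """Reduce link rates (Mbps, decimals allowed) to the smallest whole-number
    weights with the same proportions, as the guide does by hand: remove the
    decimals with a common multiplier, then divide by the GCD."""
    # Exact fractions avoid float error (0.75 stays 3/4, not 0.74999...).
    rates = [Fraction(str(b)) for b in bandwidths_mbps]
    if not rates or any(r <= 0 for r in rates):
        raise ValueError("every interface needs a positive bandwidth")
    # Smallest multiplier that clears every decimal (100 in the guide's example).
    multiplier = reduce(lcm, (r.denominator for r in rates), 1)
    scaled = [int(r * multiplier) for r in rates]
    divisor = reduce(gcd, scaled)
    return [s // divisor for s in scaled]


def weights_from_kbps(rates_kbps, step_mbps=0.25):
    """Convert Kbps figures to Mbps, rounding to the nearest quarter Mbps so that
    768 Kbps becomes .75 Mbps as in the guide (the rounding step is assumed)."""
    mbps = [round((k / 1000) / step_mbps) * step_mbps for k in rates_kbps]
    return round_robin_weights(mbps)


def load_share(weights):
    """Percentage of load the device sends through each interface."""
    total = sum(weights)
    return [round(100 * w / total, 1) for w in weights]


if __name__ == "__main__":
    # Constructed input from the guide's example: 6 Mbps, 1.5 Mbps and 768 Kbps.
    w = weights_from_kbps([6000, 1500, 768])
    print(w, load_share(w))  # [8, 2, 1] [72.7, 18.2, 9.1]
```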
Configure Failover
Before You Begin
- To use the multi-WAN feature, you must have more than one external interface configured. If
  necessary, use the procedure described in Configure an external interface on page 98.
- Make sure you understand the concepts and requirements for multi-WAN and the method you
  choose, as described in About using multiple external interfaces on page 143 and About multi-WAN
  options on page 144.
Configure the interfaces
1. Select Network > Configuration.
2. Click the Multi-WAN tab.
3. In the Multi-WAN Configuration section drop-down list, select Failover.
4. Click Configure to specify a primary external interface and select backup external interfaces for your
configuration. In the Include column, select the check box for each interface you want to use in the
failover configuration.
5. Click Move Up or Move Down to set the order for failover. The first interface in the list is the
primary interface.
6. To complete your configuration, you must add link monitor information as described in About WAN
interface status on page 161.
For information on advanced multi-WAN configuration options, see Advanced multi-WAN settings
on page 159.
7. Click OK.
Configure Interface Overflow
Before You Begin
- To use the multiple WAN feature, you must have more than one external interface configured. If
  necessary, use the procedure described in Configure an external interface on page 98.
- Make sure you understand the concepts and requirements for multi-WAN and the method you
  choose, as described in About using multiple external interfaces on page 143 and About multi-WAN
  options on page 144.
Configure the interfaces
1. Select Network > Configuration.
2. Click the Multi-WAN tab.
3. In the Multi-WAN Configuration section drop-down list, select Interface Overflow.
4. Click Configure.
5. In the Include column, select the check box for each interface you want to include in your
configuration.
6. To configure a bandwidth threshold for an external interface, select the interface from the list and
click Configure.
The Interface Overflow Threshold dialog box appears.
7. In the drop-down list, select Mbps or Kbps as the unit of measurement for your bandwidth setting
and type the threshold value for the interface.
The Firebox or XTM device calculates bandwidth based on the higher value of sent or received
packets.
8. Click OK.
9. To complete your configuration, you must add information as described in About WAN interface
status on page 161.
For information on advanced multi-WAN configuration options, see Advanced multi-WAN settings on page 159.
Configure Routing Table
Before you begin
- To use the multi-WAN feature, you must have more than one external interface configured. If
  necessary, use the procedure described in Configure an external interface on page 98.
- You must decide whether the Routing Table method is the correct multi-WAN method for your
  needs. For more information, see When to use multi-WAN methods and routing on page 154.
- Make sure you understand the concepts and requirements for multi-WAN and the method you
  choose, as described in About using multiple external interfaces on page 143 and About multi-WAN
  options on page 144.
Routing Table mode and load balancing
It is important to note that the Routing Table option does not do load balancing on connections to the
Internet. The Firebox or XTM device reads its internal route table from top to bottom. Static and dynamic
routes that specify a destination appear at the top of the route table and take precedence over default
routes. (A default route is a route with destination 0.0.0.0/0.) If there is no specific dynamic or static entry in
the route table for a destination, the traffic to that destination is routed among the external interfaces of the
Firebox or XTM device through the use of ECMP algorithms. This may or may not result in even distribution
of packets among multiple external interfaces.
Configure the interfaces
1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. Click the Multi-WAN tab.
3. In the Multi-WAN Configuration section drop-down list, select Routing table.
By default, all external interface IP addresses are included in the configuration.
4. To remove external interfaces from the multi-WAN configuration, click Configure and clear the
check box adjacent to the external interface you want to exclude from the multi-WAN
configuration.
You can have as few as one external interface included in your configuration. This is useful if you
want to use policy-based routing for specific traffic and keep only one WAN for default traffic.
5. To complete your configuration, you must add link monitor information as described in About WAN
interface status on page 161.
For information on advanced multi-WAN configuration options, see Advanced multi-WAN settings on page 159.
About the Firebox or XTM device route table
When you select the Routing Table configuration option, it is a good idea to know how to look at the routing
table that is on your Firebox or XTM device.
From WatchGuard System Manager:
1. Start Firebox System Manager.
2. Select the Status Report tab.
3. Scroll down until you see Kernel IP routing table.
This shows the internal route table on your Firebox or XTM device. The ECMP group information
appears below the routing table.
Routes in the internal route table on the Firebox or XTM device include:
- The routes the Firebox or XTM device learns from dynamic routing processes running on the device
  (RIP, OSPF, and BGP) if you enable dynamic routing.
- The permanent network routes or host routes you add.
- The routes the Firebox or XTM device automatically makes when it reads the network configuration
  information.
If your Firebox or XTM device detects that an external interface is down, it removes any static or dynamic
routes that use that interface. This is true if the hosts specified in the Link Monitor become unresponsive
and if the physical Ethernet link is down.
For more information on interface status and route table updates, see About WAN interface status on page 161.
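A small route table that behaves the way the Routing Table mode and route table sections above describe: specific static and dynamic routes are matched before the default routes, traffic with no specific route is spread across the ECMP group of external interfaces, and an interface reported down by the Link Monitor (or a physical disconnect) has its routes removed. This is an added example, not WatchGuard code; the interface names, gateways and networks are constructed, and hashing the source/destination pair to pick an ECMP member is an assumption, since the guide only says ECMP algorithms are used.

```python
from ipaddress import ip_address, ip_network
from zlib import crc32


class RouteTable:
    """Route table with specific routes ahead of ECMP default routes."""

    def __init__(self):
        self.routes = []    # (network, gateway, interface, kind), kind = static/dynamic
        self.defaults = []  # ECMP group: one (gateway, interface) per external interface

    def add_route(self, destination, gateway, interface, kind="static"):
        net = ip_network(destination)
        if net.prefixlen == 0:                      # 0.0.0.0/0 is a default route
            self.defaults.append((gateway, interface))
        else:
            self.routes.append((net, gateway, interface, kind))
        # Longest prefix first, so the table reads top to bottom from most to least specific.
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, src, dst):
        """Return (gateway, interface) for a packet, or None if it cannot be routed."""
        addr = ip_address(dst)
        for net, gateway, interface, _ in self.routes:
            if addr in net:                         # specific route takes precedence
                return gateway, interface
        if not self.defaults:
            return None
        # ECMP: the flow hash, not bandwidth, decides which external interface is used,
        # which is why the guide warns that the distribution may not be even.
        index = crc32(f"{src}->{dst}".encode()) % len(self.defaults)
        return self.defaults[index]

    def interface_down(self, interface):
        """Link Monitor failure or physical disconnect: drop every route on that interface."""
        self.routes = [r for r in self.routes if r[2] != interface]
        self.defaults = [d for d in self.defaults if d[1] != interface]

    def ecmp_group(self):
        """Interfaces currently in the ECMP group (shown below the kernel route table)."""
        return [iface for _, iface in self.defaults]


def build_example_table():
    """Constructed table: two external interfaces plus a private circuit and an OSPF route."""
    rt = RouteTable()
    rt.add_route("0.0.0.0/0", "50.1.1.1", "eth0")
    rt.add_route("0.0.0.0/0", "60.1.1.1", "eth1")
    rt.add_route("172.20.0.0/16", "50.1.1.9", "eth0", "static")    # frame relay circuit
    rt.add_route("172.20.5.0/24", "60.1.1.9", "eth1", "dynamic")   # learned via OSPF
    return rt
```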
When to use multi-WAN methods and routing
If you use dynamic routing, you can use either the Routing Table or Round-Robin multi-WAN configuration
method. Routes that use a gateway on an internal (optional or trusted) network are not affected by the
multi-WAN method you select.
When to use the Routing Table method
The Routing Table method is a good choice if:
- You enable dynamic routing (RIP, OSPF, or BGP) and the routers on the external network advertise
  routes to the Firebox or XTM device so that the device can learn the best routes to external
  locations.
- You must get access to an external site or external network through a specific route on an external
  network. Examples include:
  - You have a private circuit that uses a frame relay router on the external network.
  - You want all traffic to an external location to always go through a specific Firebox or XTM device
    external interface.
The Routing Table method is the fastest way to load balance more than one route to the Internet. After you
enable this option, the ECMP algorithm manages all connection decisions. No additional configuration is
necessary on the Firebox or XTM device.
When to use the Round-Robin method
Load balancing traffic to the Internet using ECMP is based on connections, not bandwidth. Routes
configured statically or learned from dynamic routing are used before the ECMP algorithm. If you have
Fireware XTM with a Pro upgrade, the weighted round-robin option gives you options to send more traffic
through one external interface than another. At the same time, the round-robin algorithm distributes traffic
to each external interface based on bandwidth, not connections. This gives you more control over how
many bytes of data are sent through each ISP.
Serial modem failover
(This topic applies only to Firebox X Edge and XTM 2 Series devices.)
You can configure your Firebox X Edge or XTM 2 Series device to send traffic through a serial modem when
it cannot send traffic with any external interface. You must have a dial-up account with an ISP (Internet
Service Provider) and an external modem connected on the serial port (Edge) or USB port (2 Series) to use
this option.
The Edge has been tested with these modems:
- Hayes 56K V.90 serial fax modem
- Zoom FaxModem 56K model 2949
- U.S. Robotics 5686 external modem
- Creative Modem Blaster V.92 serial modem
- MultiTech 56K Data/Fax Modem International
The 2 Series has been tested with these modems:
- Zoom FaxModem 56K model 2949
- MultiTech 56K Data/Fax Modem International
- OMRON ME5614D2 Fax/Data Modem
- Hayes 56K V.90 serial fax modem
For a serial modem, use a USB to serial adapter to connect the modem to the XTM 2 Series device.
Enable serial modem failover
1. Select Network > Modem.
The Modem Configuration dialog box appears.
2. Select the Enable Modem for Failover when all external interfaces are down check box.
3. Complete the Account, DNS, Dial-Up, and Link Monitor settings, as described in the subsequent
sections.
4. Click OK.
5. Save your configuration.
Account settings
1. Select the Account tab.
2. In the Telephone number text box, type the telephone number of your ISP.
3. If you have another number for your ISP, in the Alternate Telephone number text box, type that
number.
4. In the Account name text box, type your dial-up account name.
5. If you log in to your account with a domain name, in the Account domain text box, type the domain
name.
An example of a domain name is msn.com.
6. In the Account password text box, type the password you use to connect to your dial-up account.
7. If you have problems with your connection, select the Enable modem and PPP debug trace check
box. When this option is selected, the Firebox or XTM device sends detailed logs for the serial
modem failover feature to the event log file.
DNS settings
If your dial-up ISP does not give DNS server information, or if you must use a different DNS server, you can
manually add the IP addresses for a DNS server to use after failover occurs.
1. Select the DNS tab.
The DNS Settings page appears.
2. Select the Manually configure DNS server IP addresses check box.
3. In the Primary DNS Server text box, type the IP address of the primary DNS server.
4. If you have a secondary DNS server, in the Secondary DNS server text box, type the IP address for
the secondary server.
5. In the MTU text box, for compatibility purposes, you can set the Maximum Transmission Unit (MTU)
to a different value. Most users can keep the default setting.
Dial-up settings
1. Select the Dial Up tab.
The Dialing Options page appears.
2. In the Dial up timeout text box, type or select the number of seconds before a timeout occurs if
your modem does not connect. The default value is two (2) minutes.
3. In the Redial attempts text box, type or select the number of times the Firebox or XTM device tries
to redial if your modem does not connect. The default is to wait for three (3) connection attempts.
4. In the Inactivity Timeout text box, type or select the number of minutes to wait if no traffic goes
through the modem before a timeout occurs. The default value is no timeout.
5. From the Speaker volume drop-down list, select your modem speaker volume.
Advanced settings
Some ISPs require that you specify one or more ppp options in order to connect. In China, for example,
some ISPs require that you use the ppp option receive-all. The receive-all option causes ppp to accept all
control characters from the peer.
1. Select the Advanced tab.
2. In the PPP options text box, type the required ppp options. To specify more than one ppp option,
separate each option with a comma.
Link Monitor settings
You can set options to test one or more external interfaces for an active connection. When an external
interface becomes active again, the Firebox or XTM device no longer sends traffic over the serial modem
and uses the external interface or interfaces instead. You can configure the Link Monitor to ping a site or
device on the external interface, create a TCP connection with a site and port number you specify, or both.
You can also set the time interval between each connection test, and configure the number of times a test
must fail or succeed before an interface is activated or deactivated.
To configure the link monitor settings for an interface:
1. Click Link Monitor.
The Link Monitor Configuration dialog box appears.
2. To modify settings for an external interface, select it in the External Interfaces list. You must
configure each interface separately. Set the link monitor configuration for each interface.
3. To ping a location or device on the external network, select the Ping check box and type an IP
address or host name in the adjacent text box.
4. To create a TCP connection to a location or device on the external network, select the TCP check
box and type an IP address or host name in the adjacent text box. You can also type or select a Port
number.
The default port number is 80 (HTTP).
5. To require successful ping and TCP connections before an interface is marked as active, select the
Both Ping and TCP must be successful check box.
6. To change the time interval between connection attempts, in the Probe interval text box, type or
select a different number.
The default setting is 15 seconds.
7. To change the number of failures that mark an interface as inactive, in the Deactivate after text box,
type or select a different number.
The default value is three (3) connection attempts.
8. To change the number of successful connections that mark an interface as active, in the Reactivate
after text box, type or select a different number.
The default value is three (3) connection attempts.
9. Click OK.
Advanced multi-WAN settings
In your multi-WAN configuration, you can set preferences for sticky connections, failback, and notification
of multi-WAN events. Not all configuration options are available for all multi-WAN configuration options. If a
setting does not apply to the multi-WAN configuration option you selected, those fields are not active.
About sticky connections
A sticky connection is a connection that continues to use the same WAN interface for a defined period of
time. You can set sticky connection parameters if you use the Round-robin or Interface Overflow options
for multi-WAN. Sticky connections make sure that, if a packet goes out through an external interface, any
future packets between the source and destination address pair use the same external interface for a
specified period of time. By default, sticky connections use the same interface for 3 minutes.
If a policy definition contains a sticky connection setting, this setting can override any global sticky
connection duration.
Set a global sticky connection duration
Use the Advanced tab to configure a global sticky connection duration for TCP connections, UDP
connections, and connections that use other protocols.
If you set a sticky connection duration in a policy, you can override the global sticky connection duration.
For more information, see Set the sticky connection duration for a policy on page 358.
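Sticky connections combined with weighted round-robin selection, shown as an added example (not WatchGuard code): a flow between a source and destination pair keeps its external interface for the sticky duration (3 minutes by default), new flows are handed out in proportion to the interface weights, and an interface the Link Monitor marks inactive is skipped. Assumptions: interfaces are identified by name, the sticky timer restarts on every packet of the pair (the guide does not say whether it does), and the clock is injected so the timeout can be exercised deterministically.

```python
import time
from collections import Counter
from itertools import cycle


class StickyRoundRobin:
    """Weighted round-robin external interface selection with sticky connections."""

    def __init__(self, weights, sticky_seconds=180, clock=time.monotonic):
        if not weights or any(w < 1 for w in weights.values()):
            raise ValueError("each interface needs a whole-number weight of at least 1")
        # {"eth0": 2, "eth1": 1} becomes the rotation eth0, eth0, eth1, eth0, ...
        self._rotation = cycle([name for name, w in weights.items() for _ in range(w)])
        self._total_weight = sum(weights.values())
        self._sticky_seconds = sticky_seconds
        self._clock = clock
        self._active = set(weights)
        self._sticky = {}  # (src, dst) -> (interface, expiry time)

    def set_interface_status(self, name, active):
        """Link Monitor result: an inactive interface is skipped in the rotation."""
        if active:
            self._active.add(name)
        else:
            self._active.discard(name)

    def _next_active(self):
        # Walk at most one full rotation looking for an active interface.
        for _ in range(self._total_weight):
            name = next(self._rotation)
            if name in self._active:
                return name
        raise RuntimeError("no active external interface")

    def select(self, src, dst):
        """Return the external interface for a packet from src to dst."""
        now = self._clock()
        key = (src, dst)
        entry = self._sticky.get(key)
        if entry is not None:
            name, expiry = entry
            if now < expiry and name in self._active:
                # Still sticky: keep the interface and restart the timer (assumed behaviour).
                self._sticky[key] = (name, now + self._sticky_seconds)
                return name
        name = self._next_active()
        self._sticky[key] = (name, now + self._sticky_seconds)
        return name

    def expire(self):
        """Drop sticky entries whose timer ran out; returns how many remain."""
        now = self._clock()
        self._sticky = {k: v for k, v in self._sticky.items() if v[1] > now}
        return len(self._sticky)


def flow_distribution(weights, n_flows):
    """Count how many distinct new flows each interface receives (constructed sources)."""
    selector = StickyRoundRobin(weights)
    counts = Counter(selector.select(f"host-{i}", "50.2.3.4") for i in range(n_flows))
    return dict(counts)
```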
Set the failback action
You can set the action you want the Firebox or XTM device to take when a failover event has occurred and
then the primary external interface becomes active again. When this occurs, all new connections
immediately fail back to the primary external interface. However, you can select the method you want to
use for connections that are in process at the time of failback. This failback setting also applies to any
policy-based routing configuration you set to use failover external interfaces.
1. In the Network Configuration dialog box, select the Multi-WAN tab.
2. Click the Advanced tab.
3. In the Failback for Active Connections section drop-down list, select an option:
   - Immediate failback — The Firebox or XTM device immediately stops all existing connections.
   - Gradual failback — The Firebox or XTM device continues to use the failover interface for
     existing connections until each connection is complete.
4. Click OK.
About WAN interface status
You can choose the method and frequency you want the Firebox or XTM device to use to check the status
of each WAN interface. If you do not configure a specified method for the Firebox or XTM device to use, it
pings the interface default gateway to check interface status.
Time needed for the Firebox or XTM device to update its route table
If a link monitor host does not respond, it can take from 40–60 seconds for the Firebox or XTM device to
update its route table. When the same Link Monitor host starts to respond again, it can take from 1–60
seconds for your Firebox or XTM device to update its route table.
The update process is much faster when your Firebox or XTM device detects a physical disconnect of the
Ethernet port. When this happens, the Firebox or XTM device updates its route table immediately. When
your Firebox or XTM device detects the Ethernet connection is back up, it updates its route table within 20
seconds.
Define a link monitor host
1. In the Network Configuration dialog box, select the Multi-WAN tab, and click the Link Monitor tab.
2. Highlight the interface in the External Interface column. The Settings information changes
dynamically to show the settings for that interface.
3. Select the check boxes for each link monitor method you want the Firebox or XTM device to use to
check status of each external interface:
   - Ping — Add an IP address or domain name for the Firebox or XTM device to ping to check for
     interface status.
   - TCP — Add the IP address or domain name of a computer that the Firebox or XTM device can
     negotiate a TCP handshake with to check the status of the WAN interface.
   - Both ping and TCP must be successful to define the interface as active — The interface is
     considered inactive unless both a ping and TCP connection complete successfully.
If an external interface is a member of a FireCluster configuration, a multi-WAN failover caused by a
failed connection to a link monitor host does not trigger FireCluster failover. FireCluster failover
occurs only when the physical interface is down or does not respond. If you add a domain name for
the Firebox or XTM device to ping and any one of the external interfaces has a static IP address, you
must configure a DNS server, as described in Add WINS and DNS server addresses on page 119.
4. To configure the frequency you want the Firebox or XTM device to use to check the status of the
interface, type or select a Probe Interval setting.
The default setting is 15 seconds.
5. To change the number of consecutive probe failures that must occur before failover, type or select
a Deactivate after setting.
The default setting is three (3). After the selected number of failures, the Firebox or XTM device starts to send
traffic through the next specified interface in the multi-WAN failover list.
6. To change the number of consecutive successful probes through an interface before an interface
that was inactive becomes active again, type or select a Reactivate after setting.
7. Repeat these steps for each external interface.
8. Click OK.
9. Save the configuration file.
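The Link Monitor logic from the serial modem Link Monitor settings and from the procedure above, as an added example that is not WatchGuard code: a probe cycle runs the configured ping and TCP checks, an interface is marked inactive after the configured number of consecutive failures and active again after the configured number of consecutive successes, and with no method configured the interface default gateway is pinged. Assumptions: when both ping and TCP are configured without the "both must be successful" option, either success counts; the probe callables and hosts (TEST-NET addresses) are constructed stand-ins for real ICMP and TCP probes.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class LinkMonitorConfig:
    """Settings from the Link Monitor tab; defaults match the guide."""
    ping_host: Optional[str] = None
    tcp_host: Optional[str] = None
    tcp_port: int = 80               # default TCP port (HTTP)
    require_both: bool = False       # "Both ping and TCP must be successful"
    probe_interval: int = 15         # seconds between probes
    deactivate_after: int = 3        # consecutive failures before inactive
    reactivate_after: int = 3        # consecutive successes before active again
    default_gateway: str = "0.0.0.0" # pinged when no method is configured

    def failover_seconds(self):
        """Probe time before an unresponsive host marks the interface inactive
        (45 s with the defaults; the guide's 40-60 s also covers the route update)."""
        return self.deactivate_after * self.probe_interval


class LinkMonitor:
    """Tracks one external interface's state from probe results.

    ping_probe(host) and tcp_probe(host, port) return True on success; a real
    implementation would send an ICMP echo or complete a TCP handshake.
    """

    def __init__(self, config, ping_probe, tcp_probe):
        self.config = config
        self._ping = ping_probe
        self._tcp = tcp_probe
        self.active = True
        self.cycle = 0
        self._failures = 0
        self._successes = 0
        self.events: List[Tuple[int, str]] = []   # (cycle, "active"/"inactive")

    def _probe(self):
        cfg = self.config
        results = []
        if cfg.ping_host:
            results.append(self._ping(cfg.ping_host))
        if cfg.tcp_host:
            results.append(self._tcp(cfg.tcp_host, cfg.tcp_port))
        if not results:
            # No method configured: the device pings the interface default gateway.
            return self._ping(cfg.default_gateway)
        return all(results) if cfg.require_both else any(results)

    def probe_once(self):
        """Run one probe cycle and return the interface state afterwards."""
        self.cycle += 1
        if self._probe():
            self._successes += 1
            self._failures = 0
            if not self.active and self._successes >= self.config.reactivate_after:
                self.active = True
                self.events.append((self.cycle, "active"))
        else:
            self._failures += 1
            self._successes = 0
            if self.active and self._failures >= self.config.deactivate_after:
                self.active = False
                self.events.append((self.cycle, "inactive"))
        return self.active


def scripted(results):
    """Constructed probe stub that returns the scripted results in order."""
    it = iter(results)
    return lambda *args: next(it)
```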
8 Network Address Translation (NAT)
About Network Address Translation
Network Address Translation (NAT) is a term used to describe any of several forms of IP address and port
translation. At its most basic level, NAT changes the IP address of a packet from one value to a different value.
The primary purposes of NAT are to increase the number of computers that can operate off a single
publicly routable IP address, and to hide the private IP addresses of hosts on your LAN. When you use NAT,
the source IP address is changed on all the packets you send.
You can apply NAT as a general firewall setting, or as a setting in a policy. Firewall NAT settings do not apply
to BOVPN policies.
If you have Fireware XTM with a Pro upgrade, you can use the Server Load Balancing feature as part of a
static NAT rule. The server load balancing feature is designed to help you increase the scalability and
performance of a high-traffic network with multiple public servers protected by your Firebox or XTM
device. With server load balancing, you can have the Firebox or XTM device control the number of sessions
initiated to as many as ten servers for each firewall policy you configure. The Firebox or XTM device
controls the load based on the number of sessions in use on each server. The Firebox or XTM device does
not measure or compare the bandwidth that is used by each server.
For more information on server load balancing, see Configure server load balancing on page 181.
Types of NAT
The Firebox or XTM device supports three different types of NAT. Your configuration can use more than
one type of NAT at the same time. You apply some types of NAT to all firewall traffic, and other types as a
setting in a policy.
Dynamic NAT
Dynamic NAT is also known as IP masquerading. The Firebox or XTM device can apply its public IP
address to the outgoing packets for all connections or for specified services. This hides the real IP
address of the computer that is the source of the packet from the external network. Dynamic NAT is
generally used to hide the IP addresses of internal hosts when they get access to public services.
For more information, see About dynamic NAT on page 164.
Static NAT
Also known as port forwarding, you configure static NAT when you configure policies. Static NAT is a
port-to-host NAT. A host sends a packet from the external network to a port on an external
interface. Static NAT changes this IP address to an IP address and port behind the firewall.
For more information, see About static NAT on page 180.
1-to-1 NAT
1-to-1 NAT creates a mapping between IP addresses on one network and IP addresses on a different
network. This type of NAT is often used to give external computers access to your public, internal
servers.
For more information, see About 1-to-1 NAT on page 168.
About dynamic NAT
Dynamic NAT is the most frequently used type of NAT. It changes the source IP address of an outgoing
connection to the public IP address of the Firebox or XTM device. Outside the Firebox or XTM device, you
see only the external interface IP address of the Firebox or XTM device on outgoing packets.
Many computers can connect to the Internet from one public IP address. Dynamic NAT gives more security
for internal hosts that use the Internet, because it hides the IP addresses of hosts on your network. With
dynamic NAT, all connections must start from behind the Firebox or XTM device. Malicious hosts cannot
start connections to the computers behind the Firebox or XTM device when the Firebox or XTM device is
configured for dynamic NAT.
In most networks, the recommended security policy is to apply NAT to all outgoing packets. With Fireware,
dynamic NAT is enabled by default in the Network > NAT dialog box. It is also enabled by default in each
policy you create. You can override the firewall setting for dynamic NAT in your individual policies, as
described in Apply NAT rules on page 357.
Add firewall dynamic NAT entries
The default configuration of dynamic NAT enables dynamic NAT from all private IP addresses to the external
network. The default entries are:
- 192.168.0.0/16 – Any-External
- 172.16.0.0/12 – Any-External
- 10.0.0.0/8 – Any-External
These three network addresses are the private networks reserved by the Internet Engineering Task Force
(IETF) and usually are used for the IP addresses on LANs. To enable dynamic NAT for private IP addresses
other than these, you must add an entry for them. The Firebox or XTM device applies the dynamic NAT
rules in the sequence that they appear in the Dynamic NAT Entries list. We recommend that you put the
rules in a sequence that matches the volume of traffic the rules apply to.
1. Select Network > NAT.
The NAT Setup dialog box appears.
2. On the Dynamic NAT tab, click Add.
The Add Dynamic NAT dialog box appears.
3. In the From drop-down list, select the source of the outgoing packets.
For example, use the trusted host alias to enable NAT from all of the trusted network.
For more information on built-in Firebox or XTM device aliases, see About aliases on page 78.
4. In the To drop-down list, select the destination of the outgoing packets.
5. To add a host or a network IP address, click
.
The Add Address dialog box appears.
6. In the Choose Type drop-down list, select the address type.
7. In the Value text box, type the IP address or range.
You must type a network address in slash notation.
When you type an IP address, type all the numbers and the periods. Do not use the TAB or arrow keys.
8. Click OK.
The new entry appears in the Dynamic NAT Entries list.
Delete a dynamic NAT entry
You cannot change an existing dynamic NAT entry. If you want to change an existing entry, you must delete
the entry and add a new one.
To delete a dynamic NAT entry:
1. Select the entry to delete.
2. Click Remove.
A warning message appears.
3. Click Yes.
Reorder dynamic NAT entries
To change the sequence of the dynamic NAT entries:
1. Select the entry to change.
2. Click Up or Down to move it in the list.
Configure policy-based dynamic NAT
In policy-based dynamic NAT, the Firebox or XTM device maps private IP addresses to public IP addresses.
Dynamic NAT is enabled in the default configuration of each policy. You do not have to enable it unless you
previously disabled it.
For policy-based dynamic NAT to work correctly, use the Policy tab of the Edit Policy Properties dialog box
to make sure the policy is configured to allow traffic out through only one Firebox or XTM device interface.
1-to-1 NAT rules have higher precedence than dynamic NAT rules.
1. Right-click a policy and select Modify Policy.
The Edit Policy Properties dialog box appears.
2. Click the Advanced tab.
3. If you want to use the dynamic NAT rules set for the Firebox or XTM device, select Use Network
NAT Settings.
If you want to apply NAT to all traffic in this policy, select All traffic in this policy.
4. If you selected All traffic in this policy, you can set a dynamic NAT source IP address for any policy
that uses dynamic NAT. Select the Set source IP check box.
When you select a source IP address, any traffic that uses this policy shows a specified address from
your public or external IP address range as the source. This is most often used to force outgoing
SMTP traffic to show the MX record address for your domain when the IP address on the Firebox
external interface is not the same as your MX record IP address. This source address must be on the
same subnet as the interface you specified for outgoing traffic.
We recommend that you do not use the Set source IP option if you have more than one external
interface configured on your Firebox or XTM device.
If you do not select the Set source IP check box, the Firebox or XTM device changes the source IP
address for each packet to the IP address of the interface from which the packet is sent.
5. Click OK.
6. Save the configuration file.
Disable policy-based dynamic NAT
Dynamic NAT is enabled in the default configuration of each policy. To disable dynamic NAT for a policy:
1. Right-click a policy and select Modify Policy.
The Edit Policy Properties dialog box appears.
2. Click the Advanced tab.
3. To disable NAT for the traffic controlled by this policy, clear the Dynamic NAT check box.
4. Click OK.
5. Save the configuration file.
About 1-to-1 NAT
When you enable 1-to-1 NAT, your Firebox or XTM device changes the routes for all incoming and outgoing
packets sent from one range of addresses to a different range of addresses. A 1-to-1 NAT rule always has
precedence over dynamic NAT.
1-to-1 NAT is frequently used when you have a group of internal servers with private IP addresses that must
be made public. You can use 1-to-1 NAT to map public IP addresses to the internal servers. You do not have
to change the IP address of your internal servers. When you have a group of similar servers (for example, a
group of email servers), 1-to-1 NAT is easier to configure than static NAT for the same group of servers.
To understand how to configure 1-to-1 NAT, we give this example:
Company ABC has a group of five privately addressed email servers behind the trusted interface of their
Firebox or XTM device. These addresses are:
10.1.1.1
10.1.1.2
10.1.1.3
10.1.1.4
10.1.1.5
Company ABC selects five public IP addresses from the same network address as the external interface of
their Firebox or XTM device, and creates DNS records for the email servers to resolve to.
These addresses are:
50.1.1.1
50.1.1.2
50.1.1.3
50.1.1.4
50.1.1.5
Company ABC configures a 1-to-1 NAT rule for their email servers. The 1-to-1 NAT rule builds a static,
bidirectional relationship between the corresponding pairs of IP addresses. The relationship looks like this:
10.1.1.1 <--> 50.1.1.1
10.1.1.2 <--> 50.1.1.2
10.1.1.3 <--> 50.1.1.3
10.1.1.4 <--> 50.1.1.4
10.1.1.5 <--> 50.1.1.5
When the 1-to-1 NAT rule is applied, your Firebox or XTM device creates the bi-directional routing and NAT
relationship between the pool of private IP addresses and the pool of public addresses. 1-to-1 NAT also
operates on traffic sent from networks that your Firebox or XTM device protects.
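The Company ABC mapping above together with the default dynamic NAT entries from Add firewall dynamic NAT entries, as an added example that is not WatchGuard code: 1-to-1 NAT is checked first, dynamic NAT entries are then tried in the order they appear, inbound packets are mapped back only through a 1-to-1 rule, and a range rule is rejected if it would cover more than 256 addresses. The external interface address 50.1.1.254 and the destinations are constructed; "Any-External" is modelled as any non-private destination.

```python
from ipaddress import ip_address, ip_network

# Default firewall dynamic NAT entries (From network -> To), applied in list order.
DYNAMIC_NAT_ENTRIES = [
    (ip_network("192.168.0.0/16"), "Any-External"),
    (ip_network("172.16.0.0/12"), "Any-External"),
    (ip_network("10.0.0.0/8"), "Any-External"),
]


def build_one_to_one(real_base, nat_base, count):
    """Build the mapping an IP range 1-to-1 NAT rule creates from a Real Base and
    NAT Base address; the guide limits one rule to 256 addresses."""
    if not 1 <= count <= 256:
        raise ValueError("a single 1-to-1 NAT rule covers at most 256 addresses")
    real, nat = ip_address(real_base), ip_address(nat_base)
    return {str(real + i): str(nat + i) for i in range(count)}


class NatTable:
    """Applies 1-to-1 NAT before dynamic NAT, as the guide describes.

    external_ip is the external interface address that dynamic NAT masquerades
    behind (a constructed value in this example).
    """

    def __init__(self, external_ip, one_to_one=None, dynamic_entries=DYNAMIC_NAT_ENTRIES):
        self.external_ip = external_ip
        self.one_to_one = dict(one_to_one or {})
        self.reverse = {pub: priv for priv, pub in self.one_to_one.items()}
        self.dynamic_entries = list(dynamic_entries)

    def outgoing(self, src, dst):
        """Return (translated source, NAT type) for a packet leaving the network."""
        if src in self.one_to_one:                      # 1-to-1 NAT has precedence
            return self.one_to_one[src], "1-to-1"
        for network, to in self.dynamic_entries:        # first matching entry wins
            if ip_address(src) in network and self._matches_to(to, dst):
                return self.external_ip, "dynamic"
        return src, "none"

    def incoming(self, dst):
        """Return the private host for a packet sent to a public address, or None
        when no 1-to-1 mapping exists (dynamic NAT only translates outgoing)."""
        return self.reverse.get(dst)

    @staticmethod
    def _matches_to(to, dst):
        # Any-External: the destination is outside the private address ranges.
        if to == "Any-External":
            return not ip_address(dst).is_private
        return ip_address(dst) in ip_network(to)
```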
About 1-to-1 NAT and VPNs
When you create a VPN tunnel, the networks at each end of the VPN tunnel must have different network
address ranges. You can use 1-to-1 NAT when you must create a VPN tunnel between two networks that
use the same private network address. If the network range on the remote network is the same as on the
local network, you can configure both gateways to use 1-to-1 NAT.
1-to-1 NAT for a VPN tunnel is configured when you configure the VPN tunnel and not in the Network >
NAT dialog box.
1. Select a range of IP addresses that your computers show as the source IP addresses when traffic
comes from your network and goes to the remote network through the BOVPN tunnel.
Consult the network administrator for the other network to select a range of IP addresses that are
not in use. Do not use any of the IP addresses from:
   - The trusted, optional, or external network connected to your Firebox or XTM device
   - A secondary network connected to a trusted, optional, or external interface of your Firebox or
     XTM device
   - A routed network configured in Policy Manager (Network > Routes)
   - Networks to which you already have a BOVPN tunnel
   - Mobile VPN virtual IP address pools
   - Networks that the remote IPSec device can reach through its interfaces, network routes, or
     VPN routes
2. Configure gateways for the local and remote Firebox or XTM devices.
3. Make tunnels between gateway endpoints.
In the Tunnel Route Settings dialog box for each Firebox or XTM device, select the 1:1 NAT check box
and type the masqueraded IP address range for that Firebox or XTM device in the adjacent text box.
The number of IP addresses in this text box must be exactly the same as the number of IP addresses
in the Local text box at the top of the dialog box. For example, if you use slash notation to indicate a
subnet, the value after the slash must be the same in both text boxes.
For more information, see About slash notation on page 3.
For more detailed information, and an example, see Use 1-to-1 NAT through a Branch Office VPN tunnel on
page 860.
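To check a candidate masqueraded range against the rules in Step 1 and the size requirement in Step 3 before you type it into the Tunnel Route Settings dialog box, here is an added Python example. It is not WatchGuard code; the local network, the reserved networks and the host addresses are constructed for illustration.

```python
import ipaddress

# Constructed example (not from the guide): our local network behind the tunnel,
# and the networks the guide says the masqueraded range must not overlap.
LOCAL_NET = "192.168.1.0/24"
RESERVED = {
    "trusted network": "192.168.1.0/24",
    "optional network": "192.168.2.0/24",
    "external network": "203.0.113.0/29",
    "secondary network on trusted": "10.0.1.0/24",
    "routed network (Network > Routes)": "10.20.0.0/16",
    "existing BOVPN tunnel": "172.16.5.0/24",
    "Mobile VPN virtual IP pool": "192.168.113.0/24",
    "remote network (same range as ours, the reason for NAT)": "192.168.1.0/24",
    "network reachable by the remote IPSec device": "172.17.0.0/16",
}


def check_masquerade_range(local, masquerade, reserved=RESERVED):
    """Return a list of problems with the masquerade range; an empty list means it is usable."""
    local_net = ipaddress.ip_network(local)
    masq_net = ipaddress.ip_network(masquerade)
    problems = []
    # Tunnel Route Settings needs the same number of addresses in Local and 1:1 NAT,
    # that is, the same value after the slash.
    if masq_net.prefixlen != local_net.prefixlen:
        problems.append(f"size mismatch: Local is /{local_net.prefixlen}, 1:1 NAT is /{masq_net.prefixlen}")
    for name, net in reserved.items():
        if masq_net.overlaps(ipaddress.ip_network(net)):
            problems.append(f"{masquerade} overlaps the {name} {net}")
    return problems


def masqueraded_source(host, local, masquerade):
    """Address a local host shows to the remote network: same offset, different range."""
    local_net = ipaddress.ip_network(local)
    masq_net = ipaddress.ip_network(masquerade)
    offset = int(ipaddress.ip_address(host)) - int(local_net.network_address)
    if not 0 <= offset < local_net.num_addresses:
        raise ValueError(f"{host} is not in {local}")
    return str(masq_net.network_address + offset)
```

Run the check on both gateways with each side's own reserved list; a range that is free on one side can still collide with a route or a Mobile VPN pool on the other.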
Configure firewall 1-to-1 NAT
1. Select Network > NAT.
The NAT Setup dialog box appears.
2. Click the 1-to-1 NAT tab.
3. Click Add.
The Add 1-to-1 Mapping dialog box appears.
4. In the Map Type drop-down list, select Single IP (to map one host), IP range (to map a range of
hosts), or IP subnet (to map a subnet).
If you select IP range or IP subnet, do not include more than 256 IP addresses in that range or
subnet. If you have more than 256 IP addresses that you want to apply 1-to-1 NAT to, you must
create more than one rule.
5. Complete all the fields in the Configuration section of the dialog box.
For more information on how to use these fields, see the subsequent Define a 1-to-1 NAT rule
section.
6. Click OK.
7. Add the NAT IP addresses to the appropriate policies.
o For a policy that manages outgoing traffic, add the Real Base IP addresses to the From section
of the policy configuration.
o For a policy that manages incoming traffic, add the NAT Base IP addresses to the To section of
the policy configuration.
In the previous example, where we used 1-to-1 NAT to give access to a group of email servers described in
About 1-to-1 NAT on page 168, we must configure the SMTP policy to allow SMTP traffic. Because this policy
manages incoming traffic, its To list must contain the NAT base (public) addresses 50.1.1.1–50.1.1.5, not
the real base addresses 10.1.1.1–10.1.1.5: the policy is matched on the public address that the external
host sends to, and the Firebox or XTM device then translates that address to the private one.
1. Add a new policy, or modify an existing policy.
2. Adjacent to the From list, click Add.
3. Select the alias Any-External and click OK.
4. Adjacent to the To list, click Add. Click Add Other.
5. To add one IP address at a time, select Host IP from the drop-down list and type the IP address in the
adjacent text box. Click OK twice.
6. Repeat Steps 4–5 for each IP address in the NAT base range.
To add several IP addresses at once, select Host Range in the drop-down list. Type the first and last
IP addresses from the NAT Base range (50.1.1.1 and 50.1.1.5 in this example) and click OK twice.
Note To connect to a computer located on a different interface that uses 1-to-1 NAT, you
must use that computer’s public (NAT base) IP address. If this is a problem, you can
disable 1-to-1 NAT and use static NAT.
Define a 1-to-1 NAT rule
In each 1-to-1 NAT rule, you can configure a host, a range of hosts, or a subnet. You must also configure:
Interface
The name of the Ethernet interface on which 1-to-1 NAT is applied. Your Firebox or XTM device
applies 1-to-1 NAT for packets sent in to, and out of, the interface. In our example above, the rule is
applied to the external interface.
NAT base
When you configure a 1-to-1 NAT rule, you configure the rule with a from and a to range of IP
addresses. The NAT base is the first IP address in the to range of addresses. The NAT base IP
address is the address that the real base IP address is changed to when 1-to-1 NAT is applied. You
cannot use the IP address of an existing Ethernet interface as your NAT base. In our example above,
the NAT base is 50.1.1.1.
Real base
When you configure a 1-to-1 NAT rule, you configure the rule with a from and a to range of IP
addresses. The real base is the first IP address in the from range of addresses. It is the IP
address assigned to the physical Ethernet interface of the computer to which you apply the 1-to-1
NAT rule. When packets from a computer with a real base address go through the specified
interface, the 1-to-1 action is applied. In our example above, the real base is 10.1.1.1.
Number of hosts to NAT (for ranges only)
The number of IP addresses in a range to which the 1-to-1 NAT rule applies. The first real base IP
address is translated to the first NAT Base IP address when 1-to-1 NAT is applied. The second real
base IP address in the range is translated to the second NAT base IP address when 1-to-1 NAT is
applied. This is repeated until the Number of hosts to NAT is reached. In the example above, the
number of hosts to apply NAT to is 5.
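The following Python model is an added example, not WatchGuard code. It expands the email-server rule from the procedure above (Interface External, NAT base 50.1.1.1, real base 10.1.1.1, five hosts) into its address pairs, applies the rule in both directions on the interface it is bound to, enforces the 256-address limit and the rule that a NAT base must not be an interface address, and lists the addresses a policy has to reference. The interface addresses and the external host 198.51.100.9 are assumptions.

```python
import ipaddress

# Constructed to match the email-server example: five hosts 10.1.1.1-10.1.1.5 shown to
# the Internet as 50.1.1.1-50.1.1.5 on the External interface. Interface addresses and
# the external host 198.51.100.9 used in the checks are assumptions.
RULES = [
    {"interface": "External", "nat_base": "50.1.1.1", "real_base": "10.1.1.1", "hosts": 5},
]
INTERFACE_IPS = {"External": "50.1.1.254", "Trusted": "10.1.1.254"}


def expand(rule):
    """Ordered (real, nat) pairs: the n-th real base address maps to the n-th NAT base address."""
    if not 1 <= rule["hosts"] <= 256:
        raise ValueError("one rule covers at most 256 addresses; split the range across rules")
    real = ipaddress.ip_address(rule["real_base"])
    nat = ipaddress.ip_address(rule["nat_base"])
    return [(str(real + i), str(nat + i)) for i in range(rule["hosts"])]


def validate(rule, interface_ips):
    """A NAT base address may not be the address of an existing interface; return the clashes."""
    nat_addresses = {nat for _, nat in expand(rule)}
    return [(name, ip) for name, ip in interface_ips.items() if ip in nat_addresses]


def apply_1to1(rules, interface, direction, packet):
    """Translate one packet crossing `interface`.
    'in' : the packet arrived on the interface; destination NAT base -> real base
    'out': the packet leaves through the interface; source real base -> NAT base
    A packet that matches no pair on this interface is returned unchanged, which is why a
    host on another interface must use the public (NAT base) address to reach these servers.
    """
    for rule in rules:
        if rule["interface"] != interface:
            continue
        for real, nat in expand(rule):
            if direction == "in" and packet["dst"] == nat:
                return {**packet, "dst": real}
            if direction == "out" and packet["src"] == real:
                return {**packet, "src": nat}
    return dict(packet)


def policy_addresses(rule, incoming):
    """Addresses a policy must list: NAT base in To for incoming traffic, real base in From for outgoing."""
    pairs = expand(rule)
    return [nat for _, nat in pairs] if incoming else [real for real, _ in pairs]
```

The last function is the check worth automating: an SMTP policy whose To list names 10.1.1.1 instead of 50.1.1.1 never matches an inbound connection, and a rule with 300 hosts is rejected before it reaches the device.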
You can also use 1-to-1 NAT when you must create a VPN tunnel between two networks that use the same
private network address. When you create a VPN tunnel, the networks at each end of the VPN tunnel must
have different network address ranges. If the network range on the remote network is the same as on the
local network, you can configure both gateways to use 1-to-1 NAT. Then, you can create the VPN tunnel and
not change the IP addresses of one side of the tunnel. You configure 1-to-1 NAT for a VPN tunnel when you
configure the VPN tunnel and not in the Network > NAT dialog box.
For an example of how to use 1-to-1 NAT, see 1-to-1 NAT example.
Configure policy-based 1-to-1 NAT
In policy-based 1-to-1 NAT, your Firebox or XTM device uses the private and public IP ranges that you set
when you configured global 1-to-1 NAT, but the rules are applied to an individual policy. 1-to-1 NAT is
enabled in the default configuration of each policy. If traffic matches both 1-to-1 NAT and dynamic NAT
policies, 1-to-1 NAT takes precedence.
Enable policy-based 1-to-1 NAT
Because policy-based 1-to-1 NAT is enabled by default, you do not need to do anything else to enable it. If
you have previously disabled policy-based 1-to-1 NAT, select the check box in Step 3 of the subsequent
procedure to enable it again.
Disable policy-based 1-to-1 NAT
1. Right-click a policy and select Modify Policy.
The Edit Policy Properties dialog box appears.
2. Click the Advanced tab.
3. Clear the 1-to-1 NAT check box to disable NAT for the traffic controlled by this policy.
4. Click OK.
5. Save the configuration file.
Configure NAT loopback with static NAT
Fireware XTM includes support for NAT loopback. NAT loopback allows a user on the trusted or optional
networks to get access to a public server that is on the same physical Firebox or XTM device interface by its
public IP address or domain name. For NAT loopback connections, the Firebox or XTM device changes the
source IP address of the connection to the IP address of the internal Firebox or XTM device interface (the
primary IP address of the interface to which both the client and the server connect), so that the server
sends its replies back through the Firebox or XTM device rather than directly to the client.
To understand how to configure NAT loopback when you use static NAT, we give this example:
Company ABC has an HTTP server on the Firebox or XTM device trusted interface. The company uses static
NAT to map the public IP address to the internal server. The company wants to allow users on the trusted
network to use the public IP address or domain name to get access to this public server.
For this example, we assume:
- The trusted interface is configured with an IP address on the 10.0.1.0/24 network
- The trusted interface is also configured with a secondary IP address on the 192.168.2.0/24 network
- The HTTP server is physically connected to the 10.0.1.0/24 network. The Real Base address of the
HTTP server is on the trusted network.
Add a policy for NAT loopback to the server
In this example, to allow users on your trusted and optional networks to use the public IP address or domain
name to access a public server that is on the trusted network, you must add an HTTP policy that could look
like this:
The To section of the policy contains a static NAT route from the public IP address of the HTTP server to the
real IP address of that server.
For more information about static NAT, see About static NAT on page 180.
If you use 1-to-1 NAT to route traffic to servers inside your network, see NAT loopback and 1-to-1 NAT on
page 176.
NAT loopback and 1-to-1 NAT
NAT loopback allows a user on the trusted or optional networks to connect to a public server with its public
IP address or domain name if the server is on the same physical Firebox or XTM device interface. If you use
1-to-1 NAT to route traffic to servers on the internal network, use these instructions to configure NAT
loopback from internal users to those servers. If you do not use 1-to-1 NAT, see Configure NAT loopback
with static NAT on page 174.
To understand how to configure NAT loopback when you use 1-to-1 NAT, we give this example:
Company ABC has an HTTP server on the Firebox or XTM device trusted interface. The company uses a 1-to-1 NAT rule to map the public IP address to the internal server. The company wants to allow users on the
trusted interface to use the public IP address or domain name to access this public server.
For this example, we assume:
- A server with public IP address 100.100.100.5 is mapped with a 1-to-1 NAT rule to a host on the
internal network.
In the 1-to-1 NAT tab of the NAT Setup dialog box, select these options:
Interface — External, NAT Base — 100.100.100.5, Real Base — 10.0.1.5
- The trusted interface is configured with a primary network, 10.0.1.0/24
- The HTTP server is physically connected to the network on the trusted interface. The Real Base
address of that host is on the trusted interface.
- The trusted interface is also configured with a secondary network, 192.168.2.0/24.
For this example, to enable NAT loopback for all users connected to the trusted interface, you must:
1. Make sure that there is a 1-to-1 NAT entry for each interface that traffic uses when internal
computers get access to the public IP address 100.100.100.5 with a NAT loopback connection.
You must add one more 1-to-1 NAT mapping to apply to traffic that starts from the trusted interface.
The new 1-to-1 mapping is the same as the previous one, except that the Interface is set to Trusted
instead of External.
After you add the second 1-to-1 NAT entry, the 1-to-1 NAT tab on the NAT Setup dialog box shows
two 1-to-1 NAT mappings: one for External and one for Trusted.
In the 1-to-1 NAT tab of the NAT Setup dialog box, add these two entries:
Interface — External, NAT Base — 100.100.100.5, Real Base — 10.0.1.5
Interface — Trusted, NAT Base — 100.100.100.5, Real Base — 10.0.1.5
2. Add a Dynamic NAT entry for every network on the interface that the server is connected to.
The From field for the Dynamic NAT entry is the network IP address of the network from which
computers get access to the 1-to-1 NAT IP address with NAT loopback.
The To field for the Dynamic NAT entry is the NAT base address in the 1-to-1 NAT mapping.
For this example, the trusted interface has two networks defined, and we want to allow users on
both networks to get access to the HTTP server with the public IP address or host name of the
server. We must add two Dynamic NAT entries.
In the Dynamic NAT tab of the NAT Setup, add:
10.0.1.0/24 - 100.100.100.5
192.168.2.0/24 - 100.100.100.5
3. Add a policy to allow users on your trusted network to use the public IP address or domain name to
get access to the public server on the trusted network. For this example:
From
Any-Trusted
To
100.100.100.5
The public IP address that users want to connect to is 100.100.100.5. This IP address is configured as
a secondary IP address on the external interface.
In the To section of the policy, add 100.100.100.5 .
For more information about configuring static NAT, see About static NAT on page 180.
For more information about how to configure 1-to-1 NAT, see Configure firewall 1-to-1 NAT on page 170.
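An added example, not WatchGuard code, that traces a loopback connection through the two 1-to-1 NAT entries, the two dynamic NAT entries and the policy listed in this section. The interface primary addresses (100.100.100.1 and 10.0.1.1) and the client addresses are assumptions. It also shows what fails when the Trusted 1-to-1 entry or a dynamic NAT entry is left out.

```python
import ipaddress

# Constructed to follow the loopback example above. The interface primary addresses and
# the client addresses are assumptions; the NAT entries and the policy are the guide's.
INTERFACES = {
    "External": {"primary": "100.100.100.1", "networks": ["100.100.100.0/24"]},  # 100.100.100.5 is a secondary IP here
    "Trusted":  {"primary": "10.0.1.1", "networks": ["10.0.1.0/24", "192.168.2.0/24"]},
}
ONE_TO_ONE = [  # Interface, NAT Base, Real Base
    {"interface": "External", "nat_base": "100.100.100.5", "real_base": "10.0.1.5"},
    {"interface": "Trusted",  "nat_base": "100.100.100.5", "real_base": "10.0.1.5"},
]
DYNAMIC_NAT = [  # From network -> To address
    {"from": "10.0.1.0/24",    "to": "100.100.100.5"},
    {"from": "192.168.2.0/24", "to": "100.100.100.5"},
]
POLICY = {"from": "Any-Trusted", "to": "100.100.100.5"}


def ingress_interface(ip, interfaces=INTERFACES):
    """Name of the interface whose primary or secondary network contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, cfg in interfaces.items():
        if any(addr in ipaddress.ip_network(net) for net in cfg["networks"]):
            return name
    return None


def loopback(src, dst, one_to_one=ONE_TO_ONE, dynamic_nat=DYNAMIC_NAT,
             interfaces=INTERFACES, policy=POLICY):
    """Return (src, dst) as the HTTP server sees the client's packet, or a string saying why it fails."""
    iface = ingress_interface(src, interfaces)
    if iface is None:
        return f"no interface network contains {src}"
    # The policy is matched on the public address the user typed, from the client's interface alias.
    if policy["from"] != f"Any-{iface}" or policy["to"] != dst:
        return f"policy {policy['from']} -> {policy['to']} does not match {iface} -> {dst}"
    # 1. A 1-to-1 entry on the ingress interface rewrites the public address to the real one.
    #    The External entry alone does not apply to packets that arrive on Trusted.
    entry = next((e for e in one_to_one if e["interface"] == iface and e["nat_base"] == dst), None)
    if entry is None:
        return f"no 1-to-1 NAT entry on {iface} for {dst}: destination is not translated"
    new_dst = entry["real_base"]
    # 2. A dynamic NAT entry for the client's network rewrites the source to the interface's primary
    #    address. Without it the server, which sits on the same LAN, would answer the client directly
    #    with its real address, the reply would never pass the device, and the client would drop it.
    client = ipaddress.ip_address(src)
    if not any(client in ipaddress.ip_network(d["from"]) and d["to"] == dst for d in dynamic_nat):
        return f"no dynamic NAT entry for {src} -> {dst}: reply would bypass the device"
    new_src = interfaces[iface]["primary"]
    return (new_src, new_dst)
```

One consequence worth noting for logging and access control: because of step 2, the HTTP server's own logs show every loopback client as 10.0.1.1, so per-client restrictions for internal users have to be enforced in the Firebox policy, not on the server.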
About static NAT
Static NAT, also known as port forwarding, is a port-to-host NAT. A host sends a packet from the external
network to a port on an external interface. Static NAT changes the destination IP address to an IP address
and port behind the firewall. If a software application uses more than one port and the ports are selected
dynamically, you must either use 1-to-1 NAT, or check whether a proxy on your Firebox or XTM device
manages this kind of traffic. Static NAT also operates on traffic sent from networks that your Firebox or XTM
device protects.
When you use static NAT, external hosts connect to an external IP address of your Firebox or XTM device
instead of to an IP address of the public server. You might do this because you choose to, or because your
public server does not have a public IP address. For example, you can put your SMTP email server behind
your Firebox or XTM device with a private IP address and configure static NAT in your SMTP policy. Your
Firebox or XTM device receives connections on port 25 and forwards the SMTP traffic to the real SMTP
server behind the Firebox.
Configure Static NAT
1. Open Policy Manager.
2. Double-click a policy to edit it.
3. In the Connections are drop-down list, select Allowed.
To use static NAT, the policy must let incoming traffic through.
4. Below the To list, click Add. Click Add NAT.
The Add Static NAT/Server Load Balancing dialog box appears.
Note Static NAT is only available for policies that use a specified port, which includes TCP
and UDP. A policy that uses a different protocol cannot use incoming static NAT.
The NAT button in the Properties dialog box of that policy is not available. You also
cannot use static NAT with the Any policy.
5. In the Type drop-down list, select Static NAT.
6. In the External IP address drop-down list, select the external IP address or alias you want to use in
this policy.
For example, you can use static NAT for this policy for packets received on only one external IP
address. Or, you can use static NAT for packets received on any external IP address if you select the
Any-External alias.
7. Type the Internal IP Address. This is the destination on the trusted or optional network.
8. If necessary, select the Set internal port to a different port than this policy check box. This enables
port address translation (PAT).
This feature enables you to change the packet destination not only to a specified internal host but
also to a different port. If you select this check box, type the port number or click the up or down
arrow to select the port you want to use. This feature is typically not used.
9. Click OK to close the Add Static NAT dialog box.
The static NAT route appears in the Members and Addresses list.
10. Click OK to close the Add Address dialog box.
11. Click OK to close the Policy Properties dialog box.
Configure server load balancing
Note To use the server load balancing feature you must have a Firebox X Core or Peak,
or a WatchGuard XTM device, and Fireware XTM with a Pro upgrade.
The server load balancing feature in Fireware XTM is designed to help you increase the scalability and
performance of a high-traffic network with multiple public servers. With server load balancing, you can
enable the Firebox or XTM device to control the number of sessions initiated to as many as 10 servers for
each firewall policy you configure. The Firebox or XTM device controls the load based on the number of
sessions in use on each server. The Firebox or XTM device does not measure or compare the bandwidth
that is used by each server.
You configure server load balancing as part of a static NAT rule. The Firebox or XTM device can balance
connections among your servers with two different algorithms. When you configure server load balancing,
you must choose the algorithm you want the Firebox or XTM device to apply.
Round-robin
If you select this option, the Firebox or XTM device distributes incoming sessions among the servers
you specify in the policy in round-robin order. The first connection is sent to the first server
specified in your policy. The next connection is sent to the next server in your policy, and so on.
Least Connection
If you select this option, the Firebox or XTM device sends each new session to the server in the list
that currently has the lowest number of open connections through the device. The Firebox or XTM device
cannot tell how many connections the server has open on other interfaces. You can apply weights to
your servers in the server load balancing configuration to make sure that your most powerful
servers are given the heaviest load. By default, each server has a weight of one. The weight refers
to the proportion of load that the Firebox or XTM device sends to a server. If you assign a weight of 2
to a server, you double the number of sessions that the Firebox or XTM device sends to that server,
compared to a server with a weight of 1.
When you configure server load balancing, it is important to know:
- You can configure server load balancing for any policy to which you can apply static NAT.
- If you apply server load balancing to a policy, you cannot set policy-based routing or other NAT rules
in the same policy.
- When you apply server load balancing to a policy, you can add a maximum of 10 servers to the
policy.
- The Firebox or XTM device does not modify the sender, or source IP address, of traffic sent to these
servers. While the traffic is sent directly from the Firebox or XTM device, each server that is part of
your server load balancing configuration sees the original source IP address of the network traffic.
- If you use server load balancing in an active/passive FireCluster configuration, real-time
synchronization does not occur between the cluster members when a failover event occurs. When
the passive backup master becomes the active cluster master, it sends connections to all servers in
the server load balancing list to see which servers are available. It then applies the server load
balancing algorithm to all available servers.
To configure server load balancing:
1. Double-click the policy to which you want to apply server load balancing.
Or, highlight the policy and select Edit > Modify Policy.
To create a new policy and enable server load balancing in that policy, select Edit > Add Policy.
2. In the To section, click Add.
The Add Address dialog box appears.
3. Click Add NAT.
The Add Static NAT/Server Load Balancing dialog box appears.
4. In the Type drop-down list, select Server Load Balancing.
5. In the External IP address drop-down list, select the external IP address or alias you want to use in
this policy.
For example, you can have the Firebox or XTM device apply server load balancing for this policy to
packets received on only one external IP address. Or, you can have the Firebox or XTM device apply
server load balancing for packets received on any external IP address if you select the Any-External alias.
6. In the Method drop-down list, select the algorithm you want the Firebox or XTM device to use for
server load balancing: Round-robin or Least Connection.
7. Click Add to add the IP addresses of your internal servers for this policy.
You can add a maximum of 10 servers to a policy. You can also add a weight to the server. By default,
each server has a weight of 1. The weight refers to the proportion of load that the Firebox or XTM
device sends to a server. If you assign a weight of 2 to a server, you double the number of sessions
that the Firebox or XTM device sends to that server, compared to a server with a weight of 1.
8. To set sticky connections for your internal servers, select the Enable sticky connection check box
and set the time period in the Enable sticky connection text box and drop-down list.
A sticky connection is a connection that continues to use the same server for a defined period of
time. Stickiness makes sure that all packets between a source and destination address pair are sent
to the same server for the time period you specify.
9. Click OK.
10. Save the configuration file.
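As an added example, not WatchGuard code, this Python model shows how the two algorithms, the server weights and sticky connections described above interact, including the 10-server limit. The way weight is applied to the Least Connection choice (open sessions divided by weight) is an assumption; the guide states only the effect of a weight, not the formula. Server and client addresses are constructed.

```python
import time
from collections import defaultdict


class ServerLoadBalancer:
    """Constructed model of the Round-robin and Least Connection methods, with weights and stickiness."""

    def __init__(self, servers, method="round-robin", sticky_seconds=0):
        # servers: {internal_ip: weight}, in the order they are listed in the policy; at most 10
        if not 1 <= len(servers) <= 10:
            raise ValueError("a policy may list between 1 and 10 servers")
        if method not in ("round-robin", "least-connection"):
            raise ValueError("method must be round-robin or least-connection")
        self.servers = dict(servers)
        self.method = method
        self.sticky_seconds = sticky_seconds
        self.open_sessions = defaultdict(int)   # per server, as seen through this device only
        self.sticky = {}                        # client source IP -> (server, expires_at)
        # weighted round-robin: a server with weight 2 appears twice in the cycle
        self._ring = [ip for ip, w in self.servers.items() for _ in range(w)]
        self._pos = 0

    def _round_robin(self):
        server = self._ring[self._pos % len(self._ring)]
        self._pos += 1
        return server

    def _least_connection(self):
        # Assumed weighting: open sessions scaled by weight, so a weight-2 server may hold
        # twice as many. Ties go to the server listed first in the policy.
        return min(self.servers, key=lambda ip: self.open_sessions[ip] / self.servers[ip])

    def new_session(self, src_ip, now=None):
        """Pick the server for a new session from src_ip. The source address itself is not rewritten."""
        now = time.time() if now is None else now
        if self.sticky_seconds:
            server, expires_at = self.sticky.get(src_ip, (None, 0))
            if server is not None and now < expires_at:
                self.open_sessions[server] += 1      # sticky hit: same server, cycle not advanced
                return server
        server = self._round_robin() if self.method == "round-robin" else self._least_connection()
        self.open_sessions[server] += 1
        if self.sticky_seconds:
            self.sticky[src_ip] = (server, now + self.sticky_seconds)
        return server

    def end_session(self, server):
        """Session closed; only the count seen by this device goes down."""
        self.open_sessions[server] = max(0, self.open_sessions[server] - 1)


def distribution(balancer, n, now=0):
    """Send n sessions from distinct constructed clients and count how many each server received."""
    counts = defaultdict(int)
    for i in range(n):
        counts[balancer.new_session(f"198.51.100.{i % 250 + 1}", now=now)] += 1
    return dict(counts)
```

Two points the model makes visible: Least Connection only counts sessions that pass through the device, so a server that is also busy with traffic from another interface still looks idle; and a sticky hit bypasses the algorithm, so a single client that reconnects within the sticky window never helps even out the load.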
NAT Examples
1-to-1 NAT example
When you enable 1-to-1 NAT, the Firebox or XTM device changes and routes all incoming and outgoing
packets sent from one range of addresses to a different range of addresses.
Consider a situation in which you have a group of internal servers with private IP addresses that must each
show a different public IP address to the outside world. You can use 1-to-1 NAT to map public IP addresses
to the internal servers, and you do not have to change the IP addresses of your internal servers. To
understand how to configure 1-to-1 NAT, consider this example:
A company has a group of three privately addressed servers behind an optional interface of their Firebox.
The addresses of these servers are:
10.0.2.11
10.0.2.12
10.0.2.13
The administrator selects three public IP addresses from the same network address as the external
interface of their Firebox, and creates DNS records for the servers to resolve to. These addresses are:
50.50.50.11
50.50.50.12
50.50.50.13
Now the administrator configures a 1-to-1 NAT rule for the servers. The 1-to-1 NAT rule builds a static,
bidirectional relationship between the corresponding pairs of IP addresses. The relationship looks like this:
10.0.2.11 <--> 50.50.50.11
10.0.2.12 <--> 50.50.50.12
10.0.2.13 <--> 50.50.50.13
When the 1-to-1 NAT rule is applied, the Firebox creates the bidirectional routing and NAT relationship
between the pool of private IP addresses and the pool of public addresses.
For the instructions to define a 1-to-1 NAT rule, see Configure firewall 1-to-1 NAT.
9
Wireless Setup
About wireless configuration
When you enable the wireless feature of the Firebox or XTM device, you can configure the external
interface to use wireless, or you can configure the Firebox or XTM device as a wireless access point for
users on the trusted, optional, or guest networks.
Before you set up wireless network access, see Before you begin on page 189.
Note Before you can enable wireless, you must get the feature key for your device.
For more information, see About feature keys on page 60.
To enable the wireless feature on your Firebox or XTM device:
1. Select Network > Wireless.
The Wireless Configuration dialog box appears.
2. Select the Enable wireless check box.
3. In the Wireless Configuration dialog box, select a wireless configuration option:
Enable wireless client as external interface
This setting allows you to configure the external interface of the Firebox or XTM wireless device
to connect to a wireless network. This is useful in areas with limited or no existing network
infrastructure.
For information about how to configure the external interface as wireless, see Configure your
external interface as a wireless interface on page 204.
Enable wireless access points
This setting allows you to configure the Firebox or XTM wireless device as an access point for
users on the trusted, optional or guest networks.
For more information, see About wireless access point configuration on page 188.
4. In the Radio Settings section, select your wireless radio settings.
For more information, see About wireless radio settings on the Firebox X Edge e-Series Wireless
device on page 208 and About wireless radio settings on the WatchGuard XTM 2 Series Wireless
device on page 211.
5. Click OK.
About wireless access point configuration
Any Firebox or XTM wireless device can be configured as a wireless access point with three different
security zones. You can enable other wireless devices to connect to the Firebox or XTM wireless device as
part of the trusted network or part of the optional network. You can also enable a wireless guest services
network for Firebox or XTM device users. Computers that connect to the guest network connect through
the Firebox or XTM wireless device, but do not have access to computers on the trusted or optional
networks.
Before you enable the Firebox or XTM wireless device as a wireless access point, you must look carefully at
the wireless users who connect to the device and determine the level of access you want for each type of
user. There are three types of wireless access you can allow:
Allow Wireless Connections to a Trusted Interface
When you allow wireless connections through a trusted interface, wireless devices have full access
to all computers on the trusted and optional networks, and full Internet access based on the rules
you configure for outgoing access on your Firebox or XTM device. If you enable wireless access
through a trusted interface, we strongly recommend that you enable and use the MAC restriction
feature to allow access through the Firebox or XTM device only for devices you add to the Allowed
MAC Address list.
For more information about restricting access by MAC addresses, see Use static MAC address
binding on page 125.
Allow Wireless Connections to an Optional Interface
When you allow wireless connections through an optional interface, those wireless devices have full
access to all computers on the optional network, and full Internet access based on the rules you
configure for outgoing access on your Firebox or XTM wireless device.
Allow Wireless Guest Connections Through the External Interface
Computers that connect to the wireless guest network connect through the Firebox or XTM device
to the Internet based on the rules you configure for outgoing access on your Firebox or XTM device.
These devices do not have access to computers on the trusted or optional network.
For more information about how to configure a wireless guest network, see Enable a wireless guest
network on page 197.
Before you set up wireless network access, see Before you begin on page 189.
To allow wireless connections to your trusted or optional network, see Enable wireless connections to the
trusted or optional network on page 195.
Before you begin
Firebox or XTM wireless devices adhere to 802.11n, 802.11b and 802.11g guidelines set by the Institute of
Electrical and Electronics Engineers (IEEE). When you install a Firebox or XTM wireless device:
- Make sure that the wireless device is installed in a location more than 20 centimeters from all
persons. This is an FCC requirement for low power transmitters.
- It is a good idea to install the wireless device away from other antennas or transmitters to decrease
interference.
- The default wireless authentication algorithm configured for each wireless security zone is not the
most secure authentication algorithm. If the wireless devices that connect to your Firebox or
XTM wireless device can operate correctly with WPA2, we recommend that you increase the
authentication level to WPA2.
- A wireless client that connects to the Firebox or XTM device from the trusted or optional network
can be a part of any Branch Office VPN tunnels in which the local network component of the Phase
2 settings includes optional or trusted network IP addresses. To control access to the VPN tunnel,
you can force Firebox or XTM device users to authenticate.
About wireless configuration settings
When you enable wireless access to the trusted, optional, or wireless guest network, some configuration
settings are defined the same way for each of the three security zones. These can be set to different values
for each zone.
For information about the Broadcast SSID and respond to SSID queries setting, see Enable/disable SSID
broadcasts on page 190.
For information about setting the Network Name (SSID), see Change the SSID on page 191.
For information about the Log Authentication Events setting, see Log authentication events on page 191.
For information about the Fragmentation Threshold, see Change the fragmentation threshold on page 191.
For information about the RTS Threshold, see Change the RTS threshold on page 193.
For information about Authentication and Encryption settings, see About wireless security settings on page 193.
Enable/disable SSID broadcasts
Computers with wireless network cards send requests to see whether there are wireless access points to
which they can connect.
To configure a Firebox or XTM device wireless interface to send and answer these requests, select the
Broadcast SSID and respond to SSID queries check box. For security, enable this option only while you are
configuring computers on your network to connect to the Firebox or XTM wireless device. Disable this
option after all your clients are configured. If you use the wireless guest services feature, it can be
necessary to allow SSID broadcasts in standard operation.
Change the SSID
The SSID (Service Set Identifier) is the unique name of your wireless network. To use the wireless network
from a client computer, the wireless network card in the computer must have the same SSID as the
WatchGuard wireless network to which the computer connects.
The Fireware XTM OS automatically assigns an SSID to each wireless network. This SSID uses a format that
contains the interface name and the 5th-9th digits from the Firebox or XTM wireless device serial number.
To change the SSID, type a new name in the SSID field to uniquely identify your wireless network.
Log authentication events
An authentication event occurs when a wireless computer tries to connect to the wireless interface of a
Firebox or XTM device. To include these events in the log file, select the Log Authentication Events check box.
Change the fragmentation threshold
Fireware XTM allows you to set the maximum frame size the Firebox or XTM wireless device can send and
not fragment the frame. This is called the fragmentation threshold. This setting is rarely changed. The
default setting is the maximum frame size of 2346, which means that it will never fragment any frames that
it sends to wireless clients. This is best for most environments.
When to change the default fragmentation threshold
A collision happens when two devices that use the same medium transmit packets at exactly the same time.
The two packets can corrupt each other, and the result is a group of unreadable pieces of data. If a packet
results in a collision, the packet is discarded and it must be transmitted again. This adds to the overhead on
the network and can reduce the throughput or speed of the network.
Larger frames are more likely to collide with each other than smaller frames. To make the wireless packets
smaller, you lower the fragmentation threshold on the Firebox or XTM wireless device. If you lower the
maximum frame size, it can reduce the number of repeat transmissions caused by collisions, and lower the
overhead caused by repeat transmissions.
Smaller frames introduce more overhead on the network. This is especially true on a wireless network,
because every fragmented frame sent from one wireless device to another requires the receiving device
to acknowledge the frame. When packet error rates are high (more than five or ten percent collisions or
errors), you can help improve the performance of the wireless network if you lower the fragmentation
threshold. The time that is saved when you reduce repeat transmissions can be enough to offset the extra
overhead added with smaller packets. This can result in higher throughput.
If the rate of packet error is low and you lower the fragmentation threshold, wireless network performance
decreases. This occurs because when you lower the threshold, protocol overhead is added and protocol
efficiency is reduced.
If you want to experiment, start with the default maximum 2346, and lower the threshold a small amount at
a time. To get the most benefit, you must monitor the network for packet errors at different times of the
day. Compare the effect that a lower threshold has on network performance when errors are very high
with the effect on performance when errors are moderately high.
In general, we recommend that you leave this setting at its default of 2346.
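The trade-off described above can be made concrete with a small model. The following is an added example, not code from the WatchGuard guide: it assumes that byte errors are independent with a fixed per-byte probability, that a fragment is lost when any byte of it is corrupted and is then retransmitted until it succeeds, and that every fragment costs an assumed fixed header (MAC_HEADER) and an acknowledgement (ACK_BYTES). With those assumptions it computes the expected number of bytes on air for a payload at a given Fragmentation Threshold and shows that the unfragmented default wins when errors are rare, while a lower threshold wins when errors are frequent.

```python
"""Added example (not from the WatchGuard guide): why a lower fragmentation
threshold helps only when the error rate is high.

Model assumptions (constructed for illustration, not device behaviour):
  * byte errors are independent with probability ``byte_error_rate``;
  * a fragment is lost if any header or payload byte is corrupted, and is
    retransmitted until it gets through;
  * every fragment carries MAC_HEADER bytes of header and costs one
    acknowledgement of ACK_BYTES on the air.
"""

MAC_HEADER = 34            # assumed: 802.11 MAC header + FCS, in bytes
ACK_BYTES = 14             # assumed: 802.11 ACK frame, in bytes
NO_FRAGMENTATION = 2346    # the guide's default (and maximum) threshold


def fragment_sizes(payload, threshold):
    """Split a payload into fragment payload sizes.

    ``threshold`` is the largest frame (header + payload) sent without
    fragmentation, in the device's allowed range of 256-2346.
    """
    if not 256 <= threshold <= 2346:
        raise ValueError("threshold must be between 256 and 2346")
    max_payload = threshold - MAC_HEADER
    sizes = []
    remaining = payload
    while remaining > 0:
        piece = min(remaining, max_payload)
        sizes.append(piece)
        remaining -= piece
    return sizes


def frame_loss_probability(frame_bytes, byte_error_rate):
    """Probability that a frame of ``frame_bytes`` arrives corrupted."""
    return 1.0 - (1.0 - byte_error_rate) ** frame_bytes


def expected_airtime_bytes(payload, threshold, byte_error_rate):
    """Expected bytes on air: data + headers + ACKs + retransmissions."""
    total = 0.0
    for size in fragment_sizes(payload, threshold):
        frame = size + MAC_HEADER
        p_ok = 1.0 - frame_loss_probability(frame, byte_error_rate)
        # Retransmissions are geometric: expected sends = 1 / p_ok.
        total += (frame + ACK_BYTES) / p_ok
    return total


def best_threshold(payload, byte_error_rate,
                   candidates=(256, 512, 1024, 1536, 2048, NO_FRAGMENTATION)):
    """Candidate threshold with the lowest expected airtime.

    Ties are resolved toward the larger threshold (less fragmentation),
    which matches the guide's advice to leave the default alone.
    """
    ordered = sorted(candidates, reverse=True)
    return min(ordered,
               key=lambda t: expected_airtime_bytes(payload, t, byte_error_rate))


if __name__ == "__main__":
    # 1e-5 per byte loses about 2% of 2000-byte frames; 5e-4 loses about 64%.
    for rate in (1e-5, 5e-4):
        print(f"byte error rate {rate}: best threshold {best_threshold(2000, rate)}")
```

Running the block prints the default threshold for the low error rate and a much lower one for the high error rate; the crossover point depends entirely on the measured error rate, which is why the guide tells you to monitor packet errors at different times of day before changing anything.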
Change the fragmentation threshold
1. Select Network > Wireless.
2. Select the wireless network to configure. Adjacent to Access point 1 or Access point 2 or Wireless
Guest, click Configure.
The wireless configuration settings for that wireless network appear.
3. To change the fragmentation threshold, in the Fragmentation Threshold text box, type or select a
value between 256 and 2346.
4. Click OK.
5. Save the configuration.
Change the RTS threshold
RTS/CTS (Request To Send / Clear To Send) helps prevent problems when wireless clients can receive
signals from more than one wireless access point on the same channel. The problem is sometimes known
as hidden node.
We do not recommend that you change the default RTS threshold. When the RTS Threshold is set to the
default of 2346, RTS/CTS is disabled.
If you must change the RTS threshold, adjust it incrementally. Lower it a small amount at a time. After each
change, allow enough time to decide whether the change in network performance is positive before you
change it again. If you lower this value too much, you can introduce more latency into the network, as
Requests to Send are increased so much that the shared medium is reserved more often than necessary.
About wireless security settings
Firebox or XTM wireless devices use three security protocol standards to protect your wireless network:
WEP (Wired Equivalent Privacy), WPA (Wi-Fi Protected Access), and WPA2. Each protocol standard can
encrypt the transmissions on the wireless LAN between the computers and the access points. They also can
prevent unauthorized access to the wireless access point.
WEP and WPA each use pre-shared keys. WPA and WPA2 use an algorithm to change the encryption key at
regular intervals, which keeps the data sent on a wireless connection more secure.
To protect privacy, you can use these features together with other LAN security mechanisms such as
password protection, VPN tunnels, and user authentication.
Set the wireless authentication method
Five authentication methods are available for Firebox or XTM wireless devices. We recommend that you
use WPA2 if possible because it is the most secure. The five available methods, from least secure to most
secure, are:
Open System
Open System authentication allows any user to authenticate to the access point. This method can be
used with no encryption or with WEP encryption.
Shared Key
In Shared Key authentication, only those wireless clients that have the shared key can connect.
Shared Key authentication can be used only with WEP encryption.
WPA ONLY (PSK)
When you use WPA (Wi-Fi Protected Access) with pre-shared keys, each wireless user is given the
same password to authenticate to the wireless access point.
WPA/WPA2 (PSK)
When you select WPA/WPA2 (PSK) authentication, the Edge accepts connections from wireless
devices configured to use WPA or WPA2.
WPA2 ONLY (PSK)
WPA2 authentication with pre-shared keys implements the full 802.11i standard and is the most
secure authentication method. It does not work with some older wireless network cards.
Set the encryption level
From the Encryption drop-down list, select the level of encryption for your wireless connections. The
available selections change when you use different authentication mechanisms. The Fireware XTM OS
automatically creates a random encryption key for you when a key is required. You can use this key or
change it to a different key. Each wireless client must use this same key when they connect to the Firebox
or XTM device.
Open System and Shared Key authentication
Encryption options for Open System and Shared Key authentication are WEP 64-bit hexadecimal, WEP 40-bit ASCII,
WEP 128-bit hexadecimal, and WEP 128-bit ASCII. If you select Open System authentication, you can also select
No encryption.
1. If you use WEP encryption, in the Key text boxes, type hexadecimal or ASCII characters. Not all
wireless adapter drivers support ASCII characters. You can have a maximum of four keys.
   - A WEP 64-bit hexadecimal key must have 10 hexadecimal (0-f) characters.
   - A WEP 40-bit ASCII key must have 5 characters.
   - A WEP 128-bit hexadecimal key must have 26 hexadecimal (0-f) characters.
   - A WEP 128-bit ASCII key must have 13 characters.
2. If you typed more than one key, from the Key Index drop-down list, select the key to use as the
default key.
The Firebox or XTM wireless device can use only one wireless encryption key at a time. If you select
a key other than the first key in the list, you also must set your wireless client to use the same key.
WPA and WPA2 PSK authentication
The encryption options for Wi-Fi Protected Access (WPA-PSK and WPA2-PSK) authentication methods are:
- TKIP — Use only TKIP (Temporal Key Integrity Protocol) for encryption. This option is not available
  for wireless modes that support 802.11n.
- AES — Use only AES (Advanced Encryption Standard) for encryption.
- TKIP or AES — Use either TKIP or AES.
We recommend that you select TKIP or AES. This allows the Firebox or XTM wireless device to accept
connections from wireless clients configured to use TKIP or AES encryption. For 802.11n wireless clients,
we recommend you configure the wireless client to use AES encryption.
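The combinations described in the two sections above (which encryption options each authentication method allows, the WEP key lengths, and the TKIP restriction in 802.11n modes) can be checked before a configuration is saved. The following is an added example, not code from the WatchGuard guide or the Fireware XTM product: the function name, its parameters and the method and option strings are assumptions chosen for this example, not the device's configuration keys. It returns the findings a reviewer would raise, including the settings the guide calls less secure.

```python
"""Added example (not from the WatchGuard guide): review a proposed wireless
security configuration against the combinations the guide describes."""

import re

# Authentication methods the guide lists, least to most secure.
AUTH_ORDER = ["Open System", "Shared Key", "WPA ONLY (PSK)",
              "WPA/WPA2 (PSK)", "WPA2 ONLY (PSK)"]

WEP_OPTIONS = {"WEP 64-bit hexadecimal", "WEP 40-bit ASCII",
               "WEP 128-bit hexadecimal", "WEP 128-bit ASCII"}
WPA_OPTIONS = {"TKIP", "AES", "TKIP or AES"}

# Encryption options each authentication method accepts (from the guide).
ALLOWED_ENCRYPTION = {
    "Open System": WEP_OPTIONS | {"No encryption"},
    "Shared Key": WEP_OPTIONS,
    "WPA ONLY (PSK)": WPA_OPTIONS,
    "WPA/WPA2 (PSK)": WPA_OPTIONS,
    "WPA2 ONLY (PSK)": WPA_OPTIONS,
}

# WEP key rules from the guide: required length and allowed characters.
HEX = re.compile(r"^[0-9a-fA-F]+$")
ASCII_PRINTABLE = re.compile(r"^[\x20-\x7e]+$")
WEP_KEY_RULES = {
    "WEP 64-bit hexadecimal": (10, HEX),
    "WEP 40-bit ASCII": (5, ASCII_PRINTABLE),
    "WEP 128-bit hexadecimal": (26, HEX),
    "WEP 128-bit ASCII": (13, ASCII_PRINTABLE),
}


def check_wireless_security(auth, encryption, keys=(), key_index=1,
                            supports_11n=False):
    """Return a list of findings; an empty list means the settings pass.

    ``keys`` are the WEP keys typed into the Key text boxes (up to four) and
    ``key_index`` selects the default key, as in the guide. ``supports_11n``
    marks a wireless mode that supports 802.11n, where TKIP-only is not
    available. Parameter names are assumptions for this example.
    """
    findings = []
    if auth not in ALLOWED_ENCRYPTION:
        return [f"unknown authentication method: {auth!r}"]
    if encryption not in ALLOWED_ENCRYPTION[auth]:
        findings.append(f"{encryption!r} cannot be used with {auth!r}")
    if auth != "WPA2 ONLY (PSK)":
        findings.append(f"{auth!r} is weaker than WPA2 ONLY (PSK); "
                        "use WPA2 where the clients support it")
    if encryption == "No encryption":
        findings.append("wireless traffic is sent in the clear")
    if encryption in WEP_KEY_RULES:
        length, pattern = WEP_KEY_RULES[encryption]
        if not 1 <= len(keys) <= 4:
            findings.append("WEP requires between one and four keys")
        else:
            for i, key in enumerate(keys, start=1):
                if len(key) != length or not pattern.match(key):
                    findings.append(f"key {i} is not a valid {encryption} key "
                                    f"({length} characters expected)")
            if not 1 <= key_index <= len(keys):
                findings.append(f"key index {key_index} does not select one "
                                f"of the {len(keys)} keys")
    if supports_11n and encryption == "TKIP":
        findings.append("TKIP-only encryption is not available in wireless "
                        "modes that support 802.11n; use AES or TKIP or AES")
    return findings


if __name__ == "__main__":
    for f in check_wireless_security("Open System", "WEP 64-bit hexadecimal",
                                     keys=["0123456789", "zzzz"], key_index=2):
        print("-", f)
```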
Enable wireless connections to the trusted or optional network
To allow wireless connections to your trusted or optional network:
1. Select Network > Wireless.
The Wireless Configuration dialog box appears.
2. Select the Enable wireless check box.
3. Select Enable wireless access points.
4. Adjacent to Access point 1 or Access point 2, click Configure.
The Wireless Access Point configuration dialog box appears.
5. Select the Enable wireless bridge to a Trusted or Optional interface check box.
6. In the drop-down list adjacent to Enable wireless bridge to a Trusted or Optional interface, select a
trusted or optional interface.
Trusted
Any wireless clients on the trusted network have full access to computers on the trusted and
optional networks, and access to the Internet as defined in the outgoing firewall rules on your
Firebox or XTM device.
If the wireless client sets the IP address on its wireless network card with DHCP, the DHCP server on the
optional network of the Edge must be active and configured.
Optional
Any wireless clients on the optional network have full access to computers on the optional
network, and access to the Internet as defined in the outgoing firewall rules on your Firebox or
XTM device.
If the wireless client sets the IP address on its wireless network card with DHCP, the DHCP server on the
optional network of the Edge must be active and configured.
7. To configure the wireless interface to send and answer SSID requests, select the Broadcast SSID and
respond to SSID queries check box.
For information about this setting, see Enable/disable SSID broadcasts on page 190.
8. Select the Log Authentication Events check box if you want the Firebox or XTM device to send a log
message to the log file each time a wireless computer tries to connect to the interface.
For more information about logging, see Log authentication events on page 191.
9. To require wireless users to use the Mobile VPN with IPSec client, select the Require encrypted
Mobile VPN with IPSec connections for wireless clients check box.
When you select this check box, the only packets the Firebox or XTM device allows over the
wireless network are DHCP, ICMP, IKE (UDP port 500), ARP and IPSec (IP protocol 50). If you require
wireless users to use the Mobile VPN with IPSec client, it can increase the security for wireless
clients if you do not select WPA or WPA2 as the wireless authentication method.
10. In the Network name (SSID) text box, type a unique name for your wireless optional network or use
the default name.
For information about changing the SSID, see Change the SSID on page 191.
11. To change the fragmentation threshold, in the Fragmentation Threshold text box, type a value:
256–2346. We do not recommend you change this setting.
For more information about this setting, see Change the fragmentation threshold on page 191.
12. In the Authentication drop-down list, select the type of authentication to enable for wireless
connections to the optional interface. We recommend that you use WPA2 if the wireless devices in
your network can support WPA2.
For more information about this setting, see Set the wireless authentication method.
13. In the Encryption drop-down list, select the type of encryption to use for the wireless connection
and add the keys or passwords required for the type of encryption you select. If you select an
encryption option with pre-shared keys, a random pre-shared key is generated for you. You can use
this key or type your own.
For more information, see Set the encryption level on page 194.
14. Save the configuration.
Note If you enable wireless connections to the trusted interface, we recommend that you
restrict access by MAC address. This prevents users from connecting to the Firebox
or XTM wireless device from unauthorized computers that could contain viruses or
spyware. Click the MAC Access Control tab to enable MAC access control. You use
this tab the same way as when you restrict network traffic on an interface as
described in Restrict network traffic by MAC address on page 118.
To configure a wireless guest network with no access to the computers on your trusted or optional
networks, see Enable a wireless guest network on page 197.
Enable a wireless guest network
You can enable a wireless guest network to give a guest user wireless access to the Internet without access
to computers on your trusted and optional networks.
To set up a wireless guest network:
1. Select Network > Wireless.
The Wireless Configuration dialog box appears.
2. Select the Enable wireless check box.
3. Select Enable wireless access points.
4. Adjacent to Wireless guest, click Configure.
The Wireless Guest Configuration dialog box appears.
5. Select the Enable Wireless Guest Network check box.
Wireless connections are allowed through the Firebox or XTM device to the Internet based on the
rules you have configured for outgoing access on your device. These computers have no access to
computers on the trusted or optional network.
6. In the IP Address text box, type the private IP Address to use for the wireless guest network. The IP
address you type must not already be in use on one of your network interfaces.
7. In the Subnet Mask text box, type the subnet mask. The correct value is usually 255.255.255.0.
8. To configure the Firebox or XTM device as a DHCP server when a wireless device tries to make a
connection, select the Enable DHCP Server on Wireless Guest Network check box.
For more information about how to configure the settings for the DHCP Server, see Configure DHCP
in mixed routing mode on page 102.
9. Click the Wireless tab to see the security settings for the wireless guest network.
The Wireless settings appear.
10. Select the Broadcast SSID and respond to SSID queries check box to make your wireless guest
network name visible to guest users.
For information about this setting, see Enable/disable SSID broadcasts on page 190.
11. To send a log message to the log file each time a wireless computer tries to connect to the guest
wireless network, select the Log Authentication Events check box.
For more information about logging, see Log authentication events on page 191.
12. To allow wireless guest users to send traffic to each other, clear the Prohibit client to client wireless
network traffic check box.
13. In the Network name (SSID) text box, type a unique name for your wireless guest network or use
the default name.
For information about changing the SSID, see Change the SSID on page 191.
14. To change the fragmentation threshold, in the Fragmentation Threshold text box, type a value:
256–2346. We do not recommend you change this setting.
For more information about this setting, see Change the fragmentation threshold on page 191.
15. In the Authentication drop-down list, select the type of authentication to enable for connections to
the wireless guest network. The setting you choose depends on the type of guest access you want to
provide, and whether you want to require your guests to enter a passphrase to use the network.
For more information about this setting, see Set the wireless authentication method on page 193.
16. In the Encryption drop-down list, select the type of encryption to use for the wireless connection
and add the keys or passwords required for the type of encryption you select. If you select an
encryption option with pre-shared keys, a random pre-shared key is generated for you. You can use
this key or type your own.
For more information, see Set the encryption level on page 194.
17. Click OK.
18. Save the configuration.
Optionally, you can configure your wireless guest network as a wireless hotspot. Click the Hotspot tab to
enable a wireless hotspot. For more information, see Enable a wireless hotspot.
You can also restrict access to the Guest network by MAC address. Click the MAC Access Control tab to
enable MAC access control. You use this tab the same way as when you restrict network traffic on an
interface as described in Restrict network traffic by MAC address on page 118.
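Steps 6 and 7 above require a private guest address and subnet mask that are not already in use on another interface. The following is an added example, not code from the WatchGuard guide: it checks a proposed guest address and mask with Python's standard ipaddress module and goes slightly beyond the guide's wording by rejecting any overlap between the guest subnet and the subnets of the other interfaces, not only a reused address. The interface table is constructed sample data, and the function name is an assumption for this example.

```python
"""Added example (not from the WatchGuard guide): validate a proposed
wireless guest network address and mask against the device's other
interface subnets before the configuration is saved."""

import ipaddress

# Constructed sample data: interfaces already configured on the device.
EXISTING_INTERFACES = {
    "trusted": "10.0.1.1/24",
    "optional": "10.0.2.1/24",
    "external": "203.0.113.10/29",   # documentation address range
}


def check_guest_network(ip, mask, interfaces=EXISTING_INTERFACES):
    """Return a list of problems with the proposed guest network.

    ``ip`` and ``mask`` are the values typed into the IP Address and Subnet
    Mask text boxes (for example "10.0.3.1" and "255.255.255.0"). An empty
    list means the guest network is acceptable.
    """
    problems = []
    try:
        guest = ipaddress.ip_interface(f"{ip}/{mask}")
    except ValueError as exc:
        return [f"invalid address or mask: {exc}"]

    net = guest.network
    if not guest.ip.is_private:
        problems.append(f"{ip} is not a private address")
    if guest.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    for name, cidr in interfaces.items():
        other = ipaddress.ip_interface(cidr).network
        if net.overlaps(other):
            problems.append(f"{net} overlaps the {name} interface network {other}")
    return problems


if __name__ == "__main__":
    for candidate in (("10.0.3.1", "255.255.255.0"),
                      ("10.0.1.50", "255.255.255.0"),
                      ("10.0.3.0", "255.255.255.0")):
        print(candidate, check_guest_network(*candidate) or "OK")
```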
Enable a wireless hotspot
You can configure your WatchGuard XTM 2 Series or Firebox X Edge e-Series wireless guest network as a
wireless hotspot to give wireless Internet connectivity to your visitors or customers. When you enable the
hotspot feature, you have more control over connections to your wireless guest network.
When you configure your device as a wireless hotspot you can customize:
- A splash screen that users see when they connect
- Terms and conditions that users must accept before they can browse to a web site
- Maximum length of time a user can be continuously connected
When you enable the wireless hotspot feature, the Allow Hotspot-Users policy is automatically created.
This policy allows connections from the wireless guest interface to your external interfaces. This gives
wireless hotspot users wireless access to the Internet without access to computers on your trusted and
optional networks.
Before you set up a wireless hotspot, you must configure the settings for your wireless guest network as
described in Enable a wireless guest network.
To set up the wireless hotspot:
1. Select Network > Wireless.
2. Adjacent to Wireless guest, click Configure.
3. In the Wireless Guest Configuration dialog box, select the Hotspot tab.
4. Select the Enable hotspot check box.
Configure user timeout settings
You can configure timeout settings to limit the amount of time that users can continuously use your hotspot.
When the timeout period expires, the user is disconnected. When a user is disconnected, the user loses all
Internet connectivity but is still connected to the wireless network. The hotspot splash screen reappears,
and the user must accept the Terms and Conditions again before they can continue to use the wireless
hotspot.
1. In the Session timeout text box, specify the maximum amount of time a user can remain
continuously connected to your hotspot. You can specify the unit of time with the adjacent drop-down
list. If the Session timeout is set to 0 (the default value), wireless guest users are not
disconnected after a specified time interval.
2. In the Idle timeout text box, specify the amount of time that a user must be idle for the connection
to time out. You can specify the unit of time with the adjacent drop-down list. If the Idle timeout is
set to 0, users are not disconnected if they do not send or receive traffic.
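The two timeouts interact in a way that is easy to get wrong: a session timeout counts from the moment the user accepted the terms and conditions, while an idle timeout counts from the last packet, and a value of 0 disables the corresponding check. The following is an added example, not code from the WatchGuard guide: it evaluates both rules over a constructed table of hotspot clients, using seconds for all times and assumed field and function names.

```python
"""Added example (not from the WatchGuard guide): apply the hotspot session
and idle timeouts to a constructed table of connected clients."""

from dataclasses import dataclass


@dataclass
class HotspotClient:
    mac: str
    ip: str
    accepted_at: float   # when the client accepted the terms and conditions
    last_seen: float     # time of the last packet sent or received


def disconnect_reason(client, now, session_timeout=0, idle_timeout=0):
    """Return None if the client keeps access, else the reason it loses it.

    Timeouts are in seconds; 0 disables a timeout, as in the guide.
    """
    if session_timeout < 0 or idle_timeout < 0:
        raise ValueError("timeouts must be 0 (disabled) or positive seconds")
    if session_timeout and now - client.accepted_at >= session_timeout:
        return "session timeout"
    if idle_timeout and now - client.last_seen >= idle_timeout:
        return "idle timeout"
    return None


def expire_clients(clients, now, session_timeout=0, idle_timeout=0):
    """Return {mac: reason} for clients whose hotspot access is revoked.

    A revoked client stays associated to the wireless network but must
    accept the terms and conditions again to regain Internet access.
    """
    expired = {}
    for client in clients:
        reason = disconnect_reason(client, now, session_timeout, idle_timeout)
        if reason:
            expired[client.mac] = reason
    return expired


# Constructed sample clients (not real addresses); times are seconds.
SAMPLE_CLIENTS = [
    HotspotClient("00:11:22:33:44:01", "192.168.50.10", accepted_at=0, last_seen=3500),
    HotspotClient("00:11:22:33:44:02", "192.168.50.11", accepted_at=1000, last_seen=1200),
    HotspotClient("00:11:22:33:44:03", "192.168.50.12", accepted_at=3000, last_seen=3550),
]


if __name__ == "__main__":
    # One hour session limit, fifteen minute idle limit, evaluated at t=3600.
    for mac, reason in expire_clients(SAMPLE_CLIENTS, 3600, 3600, 900).items():
        print(mac, reason)
```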
Customize the hotspot splash screen
When users connect to your hotspot, they see a splash screen, or a web site they must visit before they can
browse to other web sites. You can configure the text that appears on this page, and the appearance of the
page. You can also redirect the user to a specified web page after they accept the terms and conditions.
At a minimum, you must specify the Page title and the Terms and Conditions to enable this feature.
1. In the Page title text box, type the title text you want to appear on the hotspot splash screen.
2. To include a welcome message:
   - Select the Welcome Message check box.
   - In the Welcome Message text box, type the message your users see when they connect to the
     hotspot.
3. (Optional) To use a custom logo in the splash screen:
   - Select the Use a custom logo check box.
   - Click Upload to upload your custom logo file.
     The file must be in .jpg, .gif or .png format. We recommend that the image be no larger than 90
     x 50 (width x height) pixels, or 50 kB.
4. In the Terms and Conditions text box, type or paste the text you want your users to agree to before
they can use the hotspot. The maximum length is 20,000 characters.
5. To automatically redirect users to a web site after they accept the Terms and Conditions, in the
Redirect URL text box, type the URL of the web site.
6. You can customize the fonts and colors for your Welcome page:
   - Font — Select the font from the Font drop-down list. If you do not specify a font, the Welcome
     page uses the browser default font for each user.
   - Size — Select the text size from the Size drop-down list. The default text size is Medium.
   - Text Color — This is the color for the text on the hotspot splash screen. The default color is
     #000000 (black). The configured color appears in a square adjacent to the Text Color text box.
     Click the colored square to select a different color from a color palette. Or, type the HTML color
     code in the Text Color text box.
   - Background Color — This is the color to use for the background of the hotspot splash screen.
     The default color is #FFFFFF (white). The configured color appears in a square adjacent to the
     Background Color text box. Click the colored square to select a different color from a color
     palette. Or, type the HTML color code in the Background Color text box.
7. Click Preview Splash Screen.
The Preview Splash Screen dialog box appears. This dialog box shows the page title, welcome message, and
terms and conditions you configured.
Note In Policy Manager, the Preview Splash Screen dialog box does not show the
selected text font and size. To see the selected fonts on the splash screen, you must
save the configuration and connect to the hotspot, or use Fireware XTM Web UI to
preview it in the wireless guest hotspot configuration page.
8. Click OK to close the preview dialog box.
9. Click OK to save the settings.
Connect to a wireless hotspot
After you configure your wireless hotspot, you can connect to it to see the hotspot splash screen.
1. Use a wireless client to connect to your wireless guest network. Use the SSID and other settings that
you configured for the wireless guest network.
2. Open a web browser. Browse to any web site.
The wireless hotspot splash screen appears in the browser.
3. Select the I have read and accept the terms and conditions check box.
4. Click Continue.
The browser displays the original URL you requested. Or, if the hotspot is configured to automatically redirect
the browser to a URL, the browser goes to the web site.
The content and appearance of the hotspot splash screen can be configured with the hotspot settings for
your wireless guest network.
The URL of the wireless hotspot splash screen is:
https://<IP address of the wireless guest network>:4100/hotspot .
See wireless hotspot connections
When you enable the wireless hotspot feature, you can see information about the number of wireless
clients that are connected. You can also disconnect wireless clients.
To see the list of connected wireless hotspot clients:
1. Start Firebox System Manager and connect to your wireless device.
2. Select the Authentication List tab.
3. Click Hotspot Clients.
For each connected wireless client, the IP address and MAC address appear.
To disconnect a wireless hotspot client, from the Wireless Hotspot Clients dialog box:
1. Select one or more connected wireless hotspot clients.
2. Click Disconnect.
3. Type the configuration passphrase.
Configure your external interface as a wireless interface
In areas with limited or no existing network infrastructure, you can use your Firebox or XTM wireless device
to provide secure network access. You must physically connect your network devices to the Firebox or XTM
device. Then you configure your external interface to connect to a wireless access point that connects to a
larger network.
Note When the external interface is configured with a wireless connection, the Firebox
or XTM wireless device can no longer be used as a wireless access point. To provide
wireless access for users, connect a wireless access point device to the Firebox or
XTM wireless device.
Configure the primary external interface as a wireless interface
1. Select Network > Wireless.
The Wireless Configuration dialog box appears.
2. Select the Enable wireless check box.
3. Select Enable wireless client as external interface.
4. Click Configure.
The external interface settings appear.
5. In the Configuration Mode drop-down list, select an option:
Manual Configuration
To use a static IP address, select this option. Type the IP Address, Subnet Mask, and Default
Gateway.
DHCP Client
To configure the external interface as a DHCP client, select this option. Type the DHCP
configuration settings.
For more information about how to configure the external interface to use a static IP address or
DHCP, see Configure an external interface on page 98.
6. Click the Wireless tab.
The wireless client configuration settings appear.
7. In the Network name (SSID) text box, type a unique name for your wireless external network.
8. In the Authentication drop-down list, select the type of authentication to enable for wireless
connections. We recommend that you use WPA2 if the wireless devices in your network can
support WPA2.
For more information about wireless authentication methods, see About wireless security settings
on page 193.
9. In the Encryption drop-down list, select the type of encryption to use for the wireless connection
and add the keys or passwords required for the type of encryption you select. If you select an
encryption option with pre-shared keys, a random pre-shared key is generated for you. You can use
this key or type your own.
10. Click OK.
Configure a BOVPN tunnel for additional security
To create a wireless bridge and provide additional security, add a BOVPN tunnel between your Firebox or
XTM device and the external gateway. You must set the mode to Aggressive Mode in the Phase 1 settings of
your BOVPN configuration on both devices.
For information about how to set up a BOVPN tunnel, see About manual Branch Office VPN tunnels on page 830.
About wireless radio settings on the Firebox X Edge e-Series Wireless device
Firebox X Edge Wireless devices use radio frequency signals to send and receive traffic from computers
with wireless Ethernet cards. Several settings are specific to channel selection.
To view or change the radio settings:
1. Open Policy Manager.
2. Select Network > Wireless.
The Wireless Configuration dialog box appears.
The Radio Settings appear at the bottom of this dialog box.
Set the operating region and channel
When you enable wireless, you must set the wireless operating region.
1. In the Operating region drop-down list, select the operating region that best describes the location
of your device.
The list of wireless operating regions that you can select on your Firebox may be different
depending on where you purchased it.
2. In the Channel drop-down list, select a channel or select Auto.
If you set the channel to Auto, the Firebox wireless device automatically selects the channel with
the strongest signal available in its physical location.
Due to regulatory requirements in different parts of the world, not all wireless channels are available in
every region. This table includes the channels available for each wireless operating region supported on the
Firebox X Edge e-Series Wireless.
Channel  Center frequency (MHz)  Americas  Asia  Australia & N.Z.  EMEA  France  Israel  Japan  Taiwan  People's Republic of China
1        2412                    Yes       Yes   Yes               Yes   --      --      Yes    Yes     Yes
2        2417                    Yes       Yes   Yes               Yes   --      --      Yes    Yes     Yes
3        2422                    Yes       Yes   Yes               Yes   --      Yes     Yes    Yes     Yes
4        2427                    Yes       Yes   Yes               Yes   --      Yes     Yes    Yes     Yes
5        2432                    Yes       Yes   Yes               Yes   --      Yes     Yes    Yes     Yes
6        2437                    Yes       Yes   Yes               Yes   --      Yes     Yes    Yes     Yes
7        2442                    Yes       Yes   Yes               Yes   --      Yes     Yes    Yes     Yes
8        2447                    Yes       Yes   Yes               Yes   --      Yes     Yes    Yes     Yes
9        2452                    Yes       Yes   Yes               Yes   --      Yes     Yes    Yes     Yes
10       2457                    Yes       Yes   Yes               Yes   Yes     --      Yes    Yes     Yes
11       2462                    Yes       Yes   Yes               Yes   Yes     --      Yes    Yes     Yes
12       2467                    --        --    Yes               Yes   Yes     --      Yes    --      Yes
13       2472                    --        --    Yes               Yes   Yes     --      Yes    --      Yes
14       2484                    --        --    --                --    --      --      Yes    --      --
Set the wireless mode of operation
Most wireless cards can operate only in 802.11b (up to 11 MB/second) or 802.11g (54 MB/second) mode.
To set the operating mode for the Firebox wireless device, select an option in the Wireless Mode drop-down
list. There are three wireless modes:
802.11b only
This mode restricts the Firebox wireless device to connect to devices only in 802.11b mode.
802.11g only
This mode restricts the Firebox wireless device to connect to devices only in 802.11g mode.
802.11g and 802.11b
This is the default mode and the recommended setting. This mode allows the Firebox to connect
with devices that use 802.11b or 802.11g. The Firebox operates in 802.11g mode only if all the
wireless cards connected to the device use 802.11g. If any 802.11b clients connect to the device, all
connections automatically drop to 802.11b mode.
About wireless radio settings on the WatchGuard XTM 2 Series Wireless device
WatchGuard XTM Wireless devices use radio frequency signals to send and receive traffic from computers
with wireless Ethernet cards. The available radio settings for the WatchGuard XTM 2 Series Wireless device
are different from those on the Firebox X Edge e-Series Wireless device.
To view or change the radio settings:
1. Open Policy Manager.
2. Select Network > Wireless.
The Wireless Configuration dialog box appears.
The Radio Settings appear at the bottom of this dialog box.
Country is set automatically
Due to regulatory requirements in different parts of the world, you cannot use all wireless radio settings in
every country. Each time you power on the XTM 2 Series wireless device, the device contacts a
WatchGuard server to determine the country and the allowed wireless radio settings for that country. To do
this, the device must have an Internet connection. Once the country is determined, you can configure all
supported wireless radio settings that can be used in that country.
When you configure an XTM 2 Series wireless device for the first time, the Wireless Configuration page in
Policy Manager might not show the country. After the XTM 2 Series device connects to the Internet for the
first time, Policy Manager must connect to the XTM device to get the country setting, if it has been
determined.
To update the Policy Manager configuration with the country setting from the XTM 2 Series device:
1. Click Download.
The Download Country Information dialog box appears.
2. Type the Firebox status (read-only) passphrase.
The Country is updated to show the country on the XTM 2 Series device.
In the Wireless Configuration dialog box, the Country setting shows which country the device detects it is in.
You cannot change the Country setting. The available options for the other radio settings are based on the
regulatory requirements of the country the device detects it is located in.
Note If Policy Manager has not yet connected with the XTM 2 Series device, or if the XTM
2 Series device cannot connect to the WatchGuard server, the country is unknown.
In this case, you can only select from the limited set of wireless radio settings that
are allowed in all countries. The XTM 2 Series wireless device periodically continues
to retry to connect to the WatchGuard server to determine the country and
allowed wireless radio settings.
If the 2 Series device does not have a region set yet, or if the region is not up to date, you can force the
device to update the wireless radio region.
To update the Wireless Radio Region:
1. Start Firebox System Manager.
2. Select Tools > Update Wireless Radio Region.
The 2 Series device contacts a WatchGuard server to determine the current operating region.
Select the Band and Wireless mode
The WatchGuard XTM 2 Series device supports two different wireless bands, 2.4 GHz and 5 GHz. The band
you select and the country determine the wireless modes available. Select the Band that supports the
wireless mode you want to use. Then select the mode from the Wireless mode drop-down list.
The 2.4 GHz band supports these wireless modes:
802.11n, 802.11g and 802.11b
This is the default mode in the 2.4 GHz band, and is the recommended setting. This mode allows the
XTM device to connect with devices that use 802.11n, 802.11g, or 802.11b.
802.11g and 802.11b
This mode allows the XTM wireless device to connect to devices that use 802.11g or 802.11b.
802.11b ONLY
This mode allows the XTM wireless device to connect only to devices that use 802.11b.
The 5 GHz band supports these wireless modes:
802.11a and 802.11n
This is the default mode in 5 GHz band. This mode allows the XTM wireless device to connect to
devices that use 802.11a or 802.11n.
802.11a ONLY
This mode allows the XTM wireless device to connect only to devices that use 802.11a.
Note If you choose a wireless mode that supports multiple 802.11 standards, the overall
performance can drop considerably. This is partly because of the need to support
protection protocols for backwards compatibility when devices that use slower
modes are connected. Also, the slower devices tend to dominate the throughput
because it can take much longer to send or receive the same amount of data to
devices that use a slower mode.
The 5 GHz band provides greater performance than the 2.4 GHz band, but may not be compatible with all
wireless devices. Select the band and mode based on the wireless cards in the devices that will connect to
the XTM wireless device.
Select the Channel
The available channels depend on the country and the wireless mode you select. By default, the Channel is
set to Auto. When the channel is set to Auto, the XTM 2 Series wireless device automatically selects a quiet
channel from the available list in the band you have selected. Or you can select a specific channel from the
Channel drop-down list.
User Guide
Configure the wireless card on your computer
These instructions are for the Windows XP with Service Pack 2 operating system. For installation
instructions for other operating systems, see your operating system documentation or help files.
1. Select Start > Settings > Control Panel > Network Connections.
The Network Connections dialog box appears.
2. Right-click Wireless Network Connection and select Properties.
The Wireless Network Connection dialog box appears.
3. Select the Wireless Networks tab.
4. Below Preferred Networks, click Add.
The Wireless Network Properties dialog box appears.
5. Type the SSID in the Network Name (SSID) text box.
6. Select the network authentication and data encryption methods in the drop-down lists. If necessary,
clear The key is provided for me automatically check box and type the network key two times.
7. Click OK to close the Wireless Network Properties dialog box.
8. Click View Wireless Networks.
All available wireless connections appear in the Available Networks text box.
9. Select the SSID of the wireless network and click Connect.
If the network uses encryption, type the network key twice in the Wireless Network Connection
dialog box and click Connect again.
10. Configure the wireless computer to use DHCP.
10 Dynamic Routing
About dynamic routing
A routing protocol is the language a router speaks with other routers to share information about the status
of network routing tables. With static routing, routing tables are set and do not change. If a router on the
remote path fails, a packet cannot get to its destination. Dynamic routing makes automatic updates to route
tables as the configuration of a network changes.
Note Support for some dynamic routing protocols is available only on Fireware XTM
with a Pro upgrade. Dynamic routing is not supported on the Firebox X Edge e-Series.
Fireware XTM supports the RIP v1 and RIP v2 protocols. Fireware XTM with a Pro upgrade supports the RIP
v1, RIP v2, OSPF, and BGP v4 protocols.
About routing daemon configuration files
To use any of the dynamic routing protocols with Fireware XTM, you must import or type a dynamic routing
configuration file for the routing daemon you choose. This configuration file includes information such as a
password and log file name. To see sample configuration files for each of the routing protocols, see these
topics:
- Sample RIP routing configuration file
- Sample OSPF routing configuration file
- Sample BGP routing configuration file
Notes about configuration files:
- The "!" and "#" characters are placed before comments, which are lines of text in configuration files
  that explain the function of subsequent commands. If the first character of a line is a comment
  character, then the rest of the line is interpreted as a comment.
- You can use the word "no" at the beginning of a line to disable a command. For example, "no
  network 10.0.0.0/24 area 0.0.0.0" removes network 10.0.0.0/24 from the backbone area (area 0.0.0.0).
About Routing Information Protocol (RIP)
Routing Information Protocol (RIP) is used to manage router information in a self-contained network, such
as a corporate LAN or a private WAN. With RIP, a gateway host sends its routing table to the closest router
every 30 seconds. This router then sends the contents of its routing tables to neighboring routers.
RIP is best for small networks. This is because the transmission of the full routing table every 30 seconds can
put a large traffic load on the network, and because RIP routes are limited to 15 hops. OSPF is a better
alternative for larger networks.
There are two versions of RIP. RIP v1 sends routing table updates as UDP broadcasts to port 520. RIP v2 sends
them as multicasts to the reserved address 224.0.0.9, also on UDP port 520. RIP v1 has no authentication, so
any host on the segment can inject routes; only RIP v2 supports the simple password and MD5 authentication
commands described below.
Routing Information Protocol (RIP) commands
The subsequent table is a catalog of supported routing commands for RIP v1 and RIP v2 that you can use to
create or modify a routing configuration file. If you use RIP v2, you must include the subnet mask with any
command that uses a network IP address or RIP v2 will not operate. The sections must appear in the
configuration file in the same order they appear in this table.
Set simple password or MD5 authentication on an interface
    key chain [KEY-CHAIN]
        Set MD5 key chain name
    key [INTEGER]
        Set MD5 key number
    key-string [AUTH-KEY]
        Set MD5 authentication key
    interface eth[N]
        Begin section to set the authentication type for interface eth[N]
    ip rip authentication string [PASSWORD]
        Set RIP simple authentication password (sent in cleartext in every update)
    ip rip authentication mode md5
        Use MD5 authentication
    ip rip authentication key-chain [KEY-CHAIN]
        Set MD5 authentication key chain
Configure RIP routing daemon
    router rip
        Enable RIP daemon
    version [1/2]
        Set RIP version to 1 or 2 (default version 2)
    ip rip send version [1/2]
        Set RIP to send version 1 or 2
    ip rip receive version [1/2]
        Set RIP to receive version 1 or 2
    no ip split-horizon
        Disable split-horizon; enabled by default
Configure interfaces and networks
    no network eth[N]
        Disable RIP send and receive on interface eth[N]
    passive-interface eth[N]
        Set RIP to receive-only on interface eth[N]
    passive-interface default
        Set RIP to receive-only on all interfaces
    network [A.B.C.D/M]
        Enable RIP broadcast (version 1) or multicast (version 2) on network A.B.C.D/M
    neighbor [A.B.C.D]
        Send unicast routing table updates to neighbor A.B.C.D
Distribute routes to RIP peers and inject OSPF or BGP routes to RIP routing table
    default-information originate
        Share route of last resort (default route) with RIP peers
    redistribute kernel
        Redistribute firewall static routes to RIP peers
    redistribute connected
        Redistribute routes from all interfaces to RIP peers
    redistribute connected route-map [MAPNAME]
        Redistribute routes from all interfaces to RIP peers, with a route map filter (MAPNAME)
    redistribute ospf
        Redistribute routes from OSPF to RIP
    redistribute ospf route-map [MAPNAME]
        Redistribute routes from OSPF to RIP, with a route map filter (MAPNAME)
    redistribute bgp
        Redistribute routes from BGP to RIP
    redistribute bgp route-map [MAPNAME]
        Redistribute routes from BGP to RIP, with a route map filter (MAPNAME)
Configure route redistribution filters with route maps and access lists
    access-list [LISTNAME] [permit|deny] [A.B.C.D/M | any]
        Create an access list to allow or deny redistribution of one network or of all networks
    route-map [MAPNAME] permit [N]
        Create a route map with a name and allow with a priority of N
    match ip address [LISTNAME]
        Match routes against access list LISTNAME inside the route map
Configure the Firebox or XTM device to use RIP v1
1. Select Network > Dynamic Routing.
The Dynamic Routing Setup dialog box appears.
2. Select the Enable Dynamic Routing check box.
3. Click the RIP tab.
4. Select the Enable RIP check box.
5. To import a routing daemon configuration file, click Import and select the file.
Or, copy and paste the text of your configuration file in the text box.
6. Click OK.
For more information, see About routing daemon configuration files on page 215.
Allow RIP v1 traffic through the Firebox or XTM device
You must add and configure a policy to allow RIP broadcasts from the router to the network broadcast IP
address. You must also add the IP address of the Firebox or XTM device interface to the To section.
1. Click Add Policies, or select Edit > Add Policies.
2. From the list of packet filters, select RIP. Click Add.
3. In the New Policy Properties dialog box, configure the policy to allow traffic from the IP or network
address of the router that uses RIP to the Firebox or XTM device interface to which it connects. You
must also add the network broadcast IP address.
4. Click OK.
5. Set up the router you selected in Step 3.
6. After you configure the router, open the Traffic and performance statistics (Status Report) and look
at the dynamic routing section to verify that the Firebox or XTM device and the router are sending
updates to each other.
You can then restrict the RIP policy to listen only on the correct interfaces. RIP v1 has no authentication;
if you need authenticated updates, configure RIP v2 with MD5 authentication instead.
Configure the Firebox or XTM device to use RIP v2
1. Select Network > Dynamic Routing.
The Dynamic Routing Setup dialog box appears.
2. Select the Enable Dynamic Routing check box.
3. Click the RIP tab.
4. Select the Enable RIP check box.
5. To import a routing daemon configuration file, click Import and select the file.
Or, copy and paste the text of your configuration file in the text box.
6. Click OK.
For more information, see About routing daemon configuration files on page 215.
Allow RIP v2 traffic through the Firebox or XTM device
You must add and configure a policy to allow RIP v2 multicasts from the routers that have RIP v2 enabled to
the reserved multicast IP address for RIP v2.
1. Click Add Policies, or select Edit > Add Policies.
2. From the list of packet filters, select RIP. Click Add.
3. In the New Policy Properties dialog box, configure the policy to allow traffic from the IP or network
address of the router that uses RIP to the multicast address 224.0.0.9.
4. Click OK.
5. Set up the router you selected in Step 3.
6. After you configure the router, open the Traffic and performance statistics (Status Report) and look
at the dynamic routing section to verify that the Firebox or XTM device and the router are sending
updates to each other.
You can then add authentication and restrict the RIP policy to listen only on the correct interfaces.
Sample RIP routing configuration file
To use any of the dynamic routing protocols with Fireware XTM, you must import or copy and paste a
configuration file for the dynamic routing daemon. This topic includes a sample configuration file for the RIP
routing daemon. If you want to use this configuration file as a base for your own configuration file, copy the
text into an application such as Notepad or Wordpad and save it with a new name. You can then edit the
parameters to meet the requirements of your organization.
Optional commands are commented with the "!" character. To enable a command, delete the "!" and
modify variables as necessary.
!! SECTION 1: Configure MD5 authentication keychains.
! Set MD5 authentication key chain name (KEYCHAIN), key number (1),
! and authentication key string (AUTHKEY).
! key chain KEYCHAIN
! key 1
! key-string AUTHKEY
!! SECTION 2: Configure interface properties.
! Set authentication for interface (eth1).
! interface eth1
!
! Set RIP simple authentication password (SHAREDKEY).
! ip rip authentication string SHAREDKEY
!
! Set RIP MD5 authentication and MD5 keychain (KEYCHAIN).
! ip rip authentication mode md5
! ip rip authentication key-chain KEYCHAIN
!
!! SECTION 3: Configure global RIP daemon properties.
! Enable RIP daemon. Must be enabled for all RIP configurations.
router rip
!
! Set RIP version to 1; default is version 2.
! version 1
!
! Set RIP to send or receive version 1; default is version 2.
! ip rip send version 1
! ip rip receive version 1
!
! Disable split-horizon. Default is enabled. Split-horizon helps prevent
! routing loops, so disable it only if your network design requires it.
! no ip split-horizon
!! SECTION 4: Configure interfaces and networks.
! Disable RIP send and receive on interface (eth0).
! no network eth0
!
! Set RIP to receive-only on interface (eth2).
! passive-interface eth2
!
! Set RIP to receive-only on all interfaces.
! passive-interface default
!
! Enable RIP broadcast (version 1) or multicast (version 2) on
! network (192.168.253.0/24).
! network 192.168.253.0/24
!
! Set unicast routing table updates to neighbor (192.168.253.254).
! neighbor 192.168.253.254
!! SECTION 5: Redistribute RIP routes to peers and inject OSPF or BGP
!! routes to RIP routing table.
! Share route of last resort (default route) from kernel routing table
! with RIP peers.
! default-information originate
!
! Redistribute firewall static routes to RIP peers.
! redistribute kernel
!
! Set route maps (MAPNAME) to restrict route redistribution in Section 6.
! Redistribute routes from all interfaces to RIP peers or with a route map
! filter (MAPNAME).
! redistribute connected
! redistribute connected route-map MAPNAME
!
! Redistribute routes from OSPF to RIP or with a route map filter (MAPNAME).
! redistribute ospf
! redistribute ospf route-map MAPNAME
!
! Redistribute routes from BGP to RIP or with a route map filter (MAPNAME).
! redistribute bgp
! redistribute bgp route-map MAPNAME
!! SECTION 6: Configure route redistribution filters with route maps and
!! access lists.
! Create an access list to only allow redistribution of 172.16.30.0/24.
! access-list LISTNAME permit 172.16.30.0/24
! access-list LISTNAME deny any
!
! Create a route map with name MAPNAME and allow with a priority of 10.
! route-map MAPNAME permit 10
! match ip address LISTNAME
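The authentication commands in the RIP table and in Sections 1 and 2 of the sample above configure what the RIP daemon puts on the wire, and the difference between "ip rip authentication string" and "ip rip authentication mode md5" is easiest to see at the packet level. The following is an added example written for this guide, not WatchGuard code: it builds a RIP v2 response with each authentication type, computes and verifies the keyed-MD5 trailer as specified in RFC 2082 (the digest covers the packet through the trailer header followed by the key zero-padded to 16 bytes; that the XTM daemon follows the RFC construction is an assumption), and shows that a forged route fails verification while simple-password mode hands the shared key to anyone sniffing the segment. The route, key chain contents and sequence number are constructed for the example.

```python
"""RIPv2 authentication on the wire: simple password (RFC 2453) vs keyed MD5 (RFC 2082).

Added example, not WatchGuard code. Packet layout and digest construction follow the RFCs;
the assumption is that the XTM RIP daemon implements them the same way.
"""
import hashlib
import hmac
import struct

RIP_PORT = 520           # RIP v1 broadcasts and RIP v2 multicasts (224.0.0.9) both use UDP/520
AFI_AUTH = 0xFFFF        # address family value that marks an authentication entry
AUTH_SIMPLE = 2          # 'ip rip authentication string': 16-byte cleartext password
AUTH_MD5 = 3             # 'ip rip authentication mode md5': RFC 2082 keyed MD5
AUTH_TRAILER = 1         # marks the trailer entry that carries the 16-byte digest
KEY_LEN = 16


def ipv4(addr):
    return bytes(int(octet) for octet in addr.split("."))


def rte(prefix, mask, nexthop, metric, tag=0):
    """One 20-byte RIPv2 route entry (AFI 2 = IPv4)."""
    return struct.pack("!HH", 2, tag) + ipv4(prefix) + ipv4(mask) + ipv4(nexthop) + struct.pack("!I", metric)


def pad_key(key):
    """RFC 2082: the key is used as 16 bytes, zero-padded, and must not be longer."""
    if len(key) > KEY_LEN:
        raise ValueError("RIP authentication key is at most 16 bytes")
    return key.ljust(KEY_LEN, b"\x00")


def build_simple(rtes, password):
    """Response packet for 'ip rip authentication string': the password travels in clear."""
    header = struct.pack("!BBH", 2, 2, 0)                   # command=2 (response), version=2
    return header + struct.pack("!HH", AFI_AUTH, AUTH_SIMPLE) + pad_key(password) + rtes


def build_md5(rtes, key_id, key, seq):
    """Response packet for 'ip rip authentication mode md5' with one key from the key chain."""
    header = struct.pack("!BBH", 2, 2, 0)
    pkt_len = 4 + 20 + len(rtes)                            # everything before the trailer
    auth = struct.pack("!HHHBBI8x", AFI_AUTH, AUTH_MD5, pkt_len, key_id, KEY_LEN, seq)
    body = header + auth + rtes + struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)
    digest = hashlib.md5(body + pad_key(key)).digest()      # key stands in for the digest field
    return body + digest


def verify_md5(packet, keychain):
    """Receiver side: accept only if the trailer digest matches a key in the chain {key_id: key}."""
    if len(packet) < 4 + 20 + 4 + KEY_LEN:
        return False
    cmd, version, _ = struct.unpack("!BBH", packet[:4])
    afi, atype, pkt_len, key_id, auth_len, _seq = struct.unpack("!HHHBBI", packet[4:16])
    if cmd not in (1, 2) or version != 2 or afi != AFI_AUTH or atype != AUTH_MD5 or auth_len != KEY_LEN:
        return False
    if pkt_len + 4 + KEY_LEN != len(packet):               # length field must match the real length
        return False
    if struct.unpack("!HH", packet[pkt_len:pkt_len + 4]) != (AFI_AUTH, AUTH_TRAILER):
        return False
    key = keychain.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(packet[:pkt_len + 4] + pad_key(key)).digest()
    return hmac.compare_digest(expected, packet[pkt_len + 4:])


def cleartext_password(packet):
    """What a sniffer learns from simple-password mode: the shared key itself."""
    if struct.unpack("!HH", packet[4:8]) == (AFI_AUTH, AUTH_SIMPLE):
        return packet[8:24].rstrip(b"\x00")
    return None


def demo():
    # Constructed sample: one route, and the key chain from the sample file (key 1 = AUTHKEY).
    routes = rte("10.0.2.0", "255.255.255.0", "0.0.0.0", 1)
    keychain = {1: b"AUTHKEY"}
    good = build_md5(routes, key_id=1, key=b"AUTHKEY", seq=42)
    # An on-path attacker rewrites the metric to 16 (unreachable) without knowing the key;
    # the metric is the last 4 bytes of the single RTE, at offset 40.
    forged = good[:40] + struct.pack("!I", 16) + good[44:]
    simple = build_simple(routes, b"SHAREDKEY")
    return {
        "authentic": verify_md5(good, keychain),
        "forged": verify_md5(forged, keychain),
        "wrong_key": verify_md5(good, {1: b"WRONGKEY"}),
        "unknown_key_id": verify_md5(good, {2: b"AUTHKEY"}),
        "leaked_password": cleartext_password(simple),
        "md5_packet_len": len(good),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The keyed-MD5 trailer gives integrity and origin authentication for each update but no confidentiality, and MD5 keyed this way is far weaker than an HMAC; the practical defence is still to prefer it over "authentication string", rotate keys through the key chain, and pair it with passive-interface and a tight RIP policy so that only the expected router can speak to the device at all.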
About Open Shortest Path First (OSPF) Protocol
Note Support for this protocol is available only on Fireware XTM with a Pro upgrade.
OSPF (Open Shortest Path First) is an interior gateway protocol used in larger networks. With OSPF, a router
that sees a change to its routing table or that detects a change in the network immediately sends a multicast
update to all other routers in the network. OSPF is different from RIP because:
- OSPF sends only the part of the routing table that has changed in its transmission. RIP sends the full
  routing table each time.
- OSPF sends a multicast only when its information has changed. RIP sends the routing table every 30
  seconds.
Also, note the following about OSPF:
- If you have more than one OSPF area, one area must be area 0.0.0.0 (the backbone area).
- All areas must be adjacent to the backbone area. If they are not, you must configure a virtual link to
  the backbone area.
OSPF commands
To create or modify a routing configuration file, you must use the correct routing commands. The
subsequent table is a catalog of supported routing commands for OSPF. The sections must appear in the
configuration file in the same order they appear in this table. You can also use the sample text found in the
Sample OSPF routing configuration file on page 229.
Configure Interface
    interface eth[N]
        Begin section to set properties for interface eth[N]
    ip ospf authentication-key [PASSWORD]
        Set OSPF simple authentication password (sent in cleartext in every OSPF packet)
    ip ospf message-digest-key [KEY-ID] md5 [KEY]
        Set MD5 authentication key ID and key
    ip ospf cost [1-65535]
        Set link cost for the interface (see the OSPF Interface Cost table below)
    ip ospf hello-interval [1-65535]
        Set interval to send hello packets; default is 10 seconds
    ip ospf dead-interval [1-65535]
        Set interval after last hello from a neighbor before declaring it down; default is 40 seconds
    ip ospf retransmit-interval [1-65535]
        Set interval between link-state advertisement (LSA) retransmissions; default is 5 seconds
    ip ospf transmit-delay [1-3600]
        Set time required to send an LSA update; default is 1 second
    ip ospf priority [0-255]
        Set router priority; a higher value increases eligibility to become the designated router (DR)
Configure OSPF Routing Daemon
    router ospf
        Enable OSPF daemon
    ospf router-id [A.B.C.D]
        Set router ID for OSPF manually; the router determines its own ID if not set
    ospf rfc1583compatibility
        Enable RFC 1583 compatibility (can lead to route loops)
    ospf abr-type [cisco|ibm|shortcut|standard]
        Set area border router (ABR) type; more information is in draft-ietf-ospf-abr-alt-05.txt
    passive-interface eth[N]
        Disable OSPF announcement on interface eth[N]
    auto-cost reference-bandwidth [0-429495]
        Set global cost (see the OSPF Interface Cost table below); do not use with the "ip ospf cost" command
    timers spf [0-4294967295] [0-4294967295]
        Set OSPF schedule delay and hold time
Enable OSPF on a Network
    The "area" variable can be typed in two formats: [W.X.Y.Z], or as an integer [Z] for area 0.0.0.Z.
    network [A.B.C.D/M] area [Z]
        Announce OSPF on network A.B.C.D/M for area 0.0.0.Z
Configure Properties for Backbone Area or Other Areas
    The "area" variable can be typed in two formats: [W.X.Y.Z], or as an integer [Z] for area 0.0.0.Z.
    area [Z] range [A.B.C.D/M]
        Create area 0.0.0.Z and set a classful network for the area (range and interface network and mask
        settings should match)
    area [Z] virtual-link [W.X.Y.Z]
        Set virtual link neighbor for area 0.0.0.Z
    area [Z] stub
        Set area 0.0.0.Z as a stub area
    area [Z] stub no-summary
        Set area 0.0.0.Z as a totally stubby area (no summary LSAs are sent into it)
    area [Z] authentication
        Enable simple password authentication for area 0.0.0.Z
    area [Z] authentication message-digest
        Enable MD5 authentication for area 0.0.0.Z
Redistribute OSPF Routes
    default-information originate
        Share route of last resort (default route) with OSPF
    default-information originate metric [0-16777214]
        Share route of last resort (default route) with OSPF, and add a metric used to generate the default route
    default-information originate always
        Always share the route of last resort (default route), even when the device has no default route
    default-information originate always metric [0-16777214]
        Always share the route of last resort (default route), and add a metric used to generate the
        default route
    redistribute kernel
        Redistribute firewall static routes to OSPF
    redistribute connected
        Redistribute routes from all interfaces to OSPF
    redistribute connected metric [0-16777214]
        Redistribute routes from all interfaces to OSPF, with a metric used for the action
    redistribute connected route-map [MAPNAME]
        Redistribute routes from all interfaces to OSPF, with a route map filter (MAPNAME)
    redistribute rip
        Redistribute routes from RIP to OSPF
    redistribute bgp
        Redistribute routes from BGP to OSPF
Configure Route Redistribution with Access Lists and Route Maps
    access-list [LISTNAME] permit [A.B.C.D/M]
        Create an access list to allow redistribution of A.B.C.D/M
    access-list [LISTNAME] deny any
        Deny redistribution of any route not permitted above
    route-map [MAPNAME] permit [N]
        Create a route map with name [MAPNAME] and allow with a priority of [N]
    match ip address [LISTNAME]
        Match routes against access list LISTNAME inside the route map
OSPF Interface Cost table
The OSPF protocol finds the most efficient route between two points. To do this, it looks at factors such as
interface link speed, the number of hops between points, and other metrics. By default, OSPF uses the actual
link speed of a device to calculate the total cost of a route. You can set the interface cost manually to help
maximize efficiency if, for example, your gigabit firewall interface is connected to a 100M router. Use the
numbers in this table to manually set the interface cost to a value different than the actual interface cost.
Interface Type   Bandwidth (bits/second)   Bandwidth (bytes/second)   OSPF Interface Cost
Ethernet         1G                        128M                       1
Ethernet         100M                      12.5M                      10
Ethernet         10M                       1.25M                      100
Modem            2M                        256K                       500
Modem            1M                        128K                       1000
Modem            500K                      62.5K                      2000
Modem            250K                      31.25K                     4000
Modem            125K                      15625                      8000
Modem            62500                     7812                       16000
Serial           115200                    14400                      10850
Serial           57600                     7200                       21700
Serial           38400                     4800                       32550
Serial           19200                     2400                       61120
Serial           9600                      1200                       65535
Configure the Firebox or XTM device to use OSPF
1. Select Network > Dynamic Routing.
The Dynamic Routing Setup dialog box appears.
2. Select the Enable Dynamic Routing check box.
3. Click the OSPF tab.
4. Select the Enable OSPF check box.
5. Click Import to import a routing daemon configuration file, or copy and paste your configuration file
in the text box.
For more information, see About routing daemon configuration files on page 215.
To get started, you need only two commands in your OSPF configuration file. These two commands,
in this order, start the OSPF process:
router ospf
network <network IP address of the interface you want the process to listen on and distribute through the protocol> area <area ID in x.x.x.x format, such as 0.0.0.0>
6. Click OK.
Allow OSPF traffic through the Firebox or XTM device
You must add and configure a policy to allow OSPF multicasts from the routers that have OSPF enabled, to
the reserved multicast addresses for OSPF.
1. Click Add Policies, or select Edit > Add Policies.
2. From the list of packet filters, select OSPF. Click Add.
3. In the New Policy Properties dialog box, configure the policy to allow traffic from the IP or network
address of the router using OSPF to the IP addresses 224.0.0.5 and 224.0.0.6. OSPF runs directly over IP
(protocol 89), not over UDP or TCP, so the OSPF packet filter, not the RIP one, is required.
For information on how to set the source and destination addresses for a policy, see Set access rules
for a policy on page 352.
4. Click OK.
5. Set up the router you selected in Step 3.
6. After you configure the router, open the Traffic and performance statistics (Status Report) and look
at the dynamic routing section to verify that the Firebox or XTM device and the router are sending
updates to each other.
You can then add authentication and restrict the OSPF policy to listen only on the correct interfaces.
Sample OSPF routing configuration file
To use any of the dynamic routing protocols with Fireware XTM, you must import or copy and paste a
configuration file for the dynamic routing daemon. This topic includes a sample configuration file for the
OSPF routing daemon. To use this configuration file as a base for your own configuration file, copy the text
into a new text file and save it with a new name. You can then edit the parameters to meet the
requirements of your organization.
Optional commands are commented with the "!" character. To enable a command, delete the "!" and
modify variables as necessary.
!! SECTION 1: Configure interface properties.
! Set properties for interface eth1.
! interface eth1
!
! Set simple authentication password (SHAREDKEY).
! ip ospf authentication-key SHAREDKEY
!
! Set MD5 authentication key ID (10) and MD5 authentication key (AUTHKEY).
! ip ospf message-digest-key 10 md5 AUTHKEY
!
! Set link cost to 1000 (1-65535) on interface eth1. See the OSPF Interface
! Cost table for values.
! ip ospf cost 1000
!
! Set hello interval to 5 seconds (1-65535); default is 10 seconds.
! ip ospf hello-interval 5
!
! Set dead-interval to 15 seconds (1-65535); default is 40 seconds.
! ip ospf dead-interval 15
!
! Set interval between link-state advertisements (LSA) retransmissions
! to 10 seconds (1-65535); default is 5 seconds.
! ip ospf retransmit-interval 10
!
! Set LSA update interval to 3 seconds (1-3600); default is 1 second.
! ip ospf transmit-delay 3
!
! Set high priority (0-255) to increase eligibility to become the
! designated router (DR).
! ip ospf priority 255
!! SECTION 2: Start OSPF and set daemon properties.
! Enable OSPF daemon. Must be enabled for all OSPF configurations.
! router ospf
!
! Set the router ID manually to 100.100.100.20. If not set, the firewall will
! set its own ID based on an interface IP address.
! ospf router-id 100.100.100.20
!
! Enable RFC 1583 compatibility (increases probability of routing loops).
! ospf rfc1583compatibility
!
! Set area border router (ABR) type to cisco, ibm, shortcut, or standard.
! More information about ABR types is in draft-ietf-ospf-abr-alt-05.txt.
! ospf abr-type cisco
!
! Disable OSPF announcement on interface eth0.
! passive-interface eth0
!
! Set global cost to 1000 (0-429495).
! auto-cost reference-bandwidth 1000
!
! Set SPF schedule delay to 25 (0-4294967295) seconds and hold time to
! 20 (0-4294967295) seconds; default is 5 and 10 seconds.
! timers spf 25 20
!! SECTION 3: Set network and area properties. Set areas with W.X.Y.Z
!! or Z notation.
! Announce OSPF on network 192.168.253.0/24 network for area 0.0.0.0.
! network 192.168.253.0/24 area 0.0.0.0
!
! Create area 0.0.0.1 and set a classful network range (172.16.254.0/24)
! for the area (range and interface network settings must match).
! area 0.0.0.1 range 172.16.254.0/24
!
! Set virtual link neighbor (172.16.254.1) for area 0.0.0.1.
! area 0.0.0.1 virtual-link 172.16.254.1
!
! Set area 0.0.0.1 as a stub on all routers in area 0.0.0.1.
! area 0.0.0.1 stub
!
! area 0.0.0.2 stub no-summary
!
! Enable simple password authentication for area 0.0.0.0.
! area 0.0.0.0 authentication
!
! Enable MD5 authentication for area 0.0.0.1.
! area 0.0.0.1 authentication message-digest
!! SECTION 4: Redistribute OSPF routes
! Share route of last resort (default route) from kernel routing table
! with OSPF peers.
! default-information originate
!
! Redistribute static routes to OSPF.
! redistribute kernel
!
! Redistribute routes from all interfaces to OSPF.
! redistribute connected
! redistribute connected route-map MAPNAME
!
! Redistribute routes from RIP and BGP to OSPF.
! redistribute rip
! redistribute bgp
!! SECTION 5: Configure route redistribution filters with access lists
!! and route maps.
! Create an access list to only allow redistribution of 10.0.2.0/24.
! access-list LISTNAME permit 10.0.2.0/24
! access-list LISTNAME deny any
!
! Create a route map with name MAPNAME and allow with a
! priority of 10 (1-199).
! route-map MAPNAME permit 10
! match ip address LISTNAME
About Border Gateway Protocol (BGP)
Note Support for this protocol is available only in Fireware XTM with a Pro upgrade on
Core e-Series, Peak e-Series, or XTM devices.
Border Gateway Protocol (BGP) is a scalable dynamic routing protocol used on the Internet by groups of
routers to share routing information. BGP uses route parameters or attributes to define routing policies and
create a stable routing environment. This protocol allows you to advertise more than one path to and from
the Internet to your network and resources, which gives you redundant paths and can increase your
uptime.
Hosts that use BGP use TCP to send updated routing table information when one host finds a change. The
host sends only the part of the routing table that has the change. BGP uses classless interdomain routing
(CIDR) to reduce the size of the Internet routing tables. The size of the BGP routing table in Fireware XTM is
set at 32K.
The size of the typical WatchGuard customer wide area network (WAN) is best suited for OSPF dynamic
routing. A WAN can also use external border gateway protocol (EBGP) when more than one gateway to the
Internet is available. EBGP allows you to take full advantage of the redundancy possible with a multi-homed
network.
To participate in BGP with an ISP you must have an autonomous system number (ASN). You must get an ASN
from one of the regional registries in the table below. After you are assigned your own ASN, you must
contact each ISP to get their ASNs and other necessary information.
Region          Registry Name   Web Site
North America   ARIN            www.arin.net
Europe          RIPE NCC        www.ripe.net
Asia Pacific    APNIC           www.apnic.net
Latin America   LACNIC          www.lacnic.net
Africa          AfriNIC         www.afrinic.net
BGP commands
To create or modify a routing configuration file, you must use the correct routing commands. The
subsequent table is a catalog of supported BGP routing commands. The sections must appear in the
configuration file in the same order they appear in this table.
Do not use BGP configuration parameters that you do not get from your ISP.
Configure BGP Routing Daemon
    router bgp [ASN]
        Enable BGP daemon and set the autonomous system number (ASN); this is supplied by your ISP
    network [A.B.C.D/M]
        Announce BGP on network A.B.C.D/M
    no network [A.B.C.D/M]
        Disable BGP announcements on network A.B.C.D/M
Set Neighbor Properties
    neighbor [A.B.C.D] remote-as [ASN]
        Set neighbor as a member of remote ASN
    neighbor [A.B.C.D] ebgp-multihop
        Set neighbor on another network using EBGP multi-hop
    neighbor [A.B.C.D] version [4|4+|4-]
        Set BGP version for communication with neighbor; default is 4
    neighbor [A.B.C.D] update-source [WORD]
        Set the BGP session to use a specific interface for TCP connections
    neighbor [A.B.C.D] default-originate
        Announce default route to BGP neighbor A.B.C.D
    neighbor [A.B.C.D] port [PORT]
        Set custom TCP port to communicate with BGP neighbor A.B.C.D; default is TCP port 179
    neighbor [A.B.C.D] send-community
        Set peer send-community
    neighbor [A.B.C.D] weight [N]
        Set a default weight for the routes of neighbor A.B.C.D
    neighbor [A.B.C.D] maximum-prefix [NUMBER]
        Set maximum number of prefixes allowed from this neighbor
Community Lists
    ip community-list [<1-99>|<100-199>] permit AA:NN
        Specify community to accept: autonomous system number and network number separated by a colon
Peer Filtering
    neighbor [A.B.C.D] distribute-list [LISTNAME] [in|out]
        Set distribute list and direction for peer
    neighbor [A.B.C.D] prefix-list [LISTNAME] [in|out]
        Apply a prefix list to incoming or outgoing advertisements for that neighbor
    neighbor [A.B.C.D] filter-list [LISTNAME] [in|out]
        Match an autonomous system path access list to incoming or outgoing routes
    neighbor [A.B.C.D] route-map [MAPNAME] [in|out]
        Apply a route map to incoming or outgoing routes
Redistribute Routes to BGP
    redistribute kernel
        Redistribute static routes to BGP
    redistribute rip
        Redistribute RIP routes to BGP
    redistribute ospf
        Redistribute OSPF routes to BGP
Route Reflection
    bgp cluster-id [A.B.C.D]
        Configure the cluster ID if the BGP cluster has more than one route reflector
    neighbor [W.X.Y.Z] route-reflector-client
        Configure the router as a BGP route reflector and the specified neighbor as its client
Access Lists and IP Prefix Lists
    ip prefix-list [PRELIST] permit [A.B.C.D/E]
        Set prefix list
    access-list [NAME] [deny|permit] [A.B.C.D/E]
        Set access list
    route-map [MAPNAME] permit [N]
        In conjunction with the "match" and "set" commands, defines the conditions and actions for
        redistributing routes
    match ip address prefix-list [LISTNAME]
        Match the specified prefix list
    set community [A:B]
        Set the BGP community attribute
    match community [N]
        Match the specified community list
    set local-preference [N]
        Set the local preference value for the autonomous system path
Configure the Firebox or XTM device to use BGP
To participate in BGP with an ISP you must have an autonomous system number (ASN). For more
information, see About Border Gateway Protocol (BGP) on page 231.
1. Select Network > Dynamic Routing.
The Dynamic Routing Setup dialog box appears.
2. Select the Enable Dynamic Routing check box.
3. Click the BGP tab.
4. Select the Enable BGP check box.
5. Click Import to import a routing daemon configuration file, or copy and paste your configuration file
in the text box.
For more information, see About routing daemon configuration files on page 215.
To get started, you need only three commands in your BGP configuration file. These three
commands start the BGP process, set up a peer relationship with the ISP, and announce a
network to the Internet. You must use the commands in this order.
router bgp <BGP autonomous system number supplied by your ISP>
network <network IP address that you want to advertise to the Internet>
neighbor <IP address of the neighboring BGP router> remote-as <BGP autonomous system number of that neighbor>
6. Click OK.
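Because the device imports whatever text is in the box, a file copied from the samples with the "!" marks removed can easily carry cleartext RIP or OSPF passwords, unfiltered redistribution, or a BGP peer with no prefix ceiling. The following is an added example written for this guide, not WatchGuard code: a small linter for the command syntax shown in the RIP, OSPF and BGP tables above ("!" and "#" comments, a leading "no", and the interface and router sections) that reports those weaknesses before you click OK. The two configuration files in it are constructed for the example; the checks it applies are the guide's own recommendations (MD5 rather than simple passwords, route maps on redistribution, maximum-prefix and an inbound filter per BGP neighbor).

```python
"""Added example (not WatchGuard code): lint a routing-daemon file in the syntax of this page."""
import re

COMMENT_CHARS = ("!", "#")
INBOUND = "prefix-list|distribute-list|filter-list|route-map"


def parse(text):
    """Split the file into (section, negated, command); '!'/'#' lines are comments, 'no' negates."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in COMMENT_CHARS:
            continue
        negated = line.startswith("no ")
        if negated:
            line = line[3:].strip()
        if line.startswith(("interface ", "router ")):   # sections named in the command tables
            section = line
        entries.append((section, negated, line))
    return entries


def lint(text):
    """Return [(severity, message)] for weaknesses found; [] means nothing to report."""
    entries = parse(text)
    active = [cmd for _, neg, cmd in entries if not neg]
    has = lambda prefix: any(cmd.startswith(prefix) for cmd in active)
    findings = []
    # Any daemon: redistribution without a route-map leaks whatever the other table holds,
    # and split-horizon is a loop-prevention mechanism the sample file lets you switch off.
    for _, neg, cmd in entries:
        if not neg and cmd.startswith("redistribute ") and "route-map" not in cmd:
            findings.append(("WARN", f"unfiltered redistribution '{cmd}'; attach a route-map"))
        if neg and cmd == "ip split-horizon":
            findings.append(("WARN", "split-horizon disabled"))
    # RIP: each interface section must use MD5; 'authentication string' travels in cleartext.
    if "router rip" in active:
        for iface in sorted({s for s, _, _ in entries if s and s.startswith("interface ")}):
            cmds = [c for s, neg, c in entries if s == iface and not neg]
            if any(c.startswith("ip rip authentication string") for c in cmds):
                findings.append(("WARN", f"{iface}: RIP simple password is sent in cleartext; use MD5"))
            elif not ("ip rip authentication mode md5" in cmds
                      and any(c.startswith("ip rip authentication key-chain") for c in cmds)):
                findings.append(("FAIL", f"{iface}: RIP updates accepted without MD5 authentication"))
    # OSPF: MD5 per area or per interface; 'authentication-key' travels in cleartext.
    if "router ospf" in active:
        if not (any("authentication message-digest" in c for c in active)
                or has("ip ospf message-digest-key")):
            findings.append(("FAIL", "OSPF adjacencies form without MD5 authentication"))
        if has("ip ospf authentication-key"):
            findings.append(("WARN", "OSPF simple password is sent in cleartext; use message-digest-key"))
    # BGP: every peer needs a prefix ceiling (the XTM BGP table is 32K) and an inbound filter.
    if has("router bgp"):
        peers = {m.group(1) for m in map(re.compile(r"neighbor (\S+) remote-as").match, active) if m}
        for peer in sorted(peers):
            if not has(f"neighbor {peer} maximum-prefix"):
                findings.append(("FAIL", f"neighbor {peer}: no maximum-prefix; the peer can flood the table"))
            if not any(re.match(rf"neighbor {re.escape(peer)} ({INBOUND}) \S+ in$", c) for c in active):
                findings.append(("FAIL", f"neighbor {peer}: no inbound {INBOUND} filter"))
    return findings


# Constructed samples: the page's RIP and BGP samples with the '!' marks removed and nothing
# else changed (weak), and the same intent with the checks above satisfied (hardened).
WEAK_CONFIG = """
interface eth1
 ip rip authentication string SHAREDKEY
router rip
 network 192.168.253.0/24
 redistribute connected
 no ip split-horizon
router bgp 100
 network 64.74.30.0/24
 neighbor 64.74.30.1 remote-as 200
"""

HARDENED_CONFIG = """
key chain KEYCHAIN
 key 1
  key-string AUTHKEY
interface eth1
 ip rip authentication mode md5
 ip rip authentication key-chain KEYCHAIN
router rip
 network 192.168.253.0/24
 passive-interface default
 redistribute connected route-map MAPNAME
router bgp 100
 network 64.74.30.0/24
 neighbor 64.74.30.1 remote-as 200
 neighbor 64.74.30.1 maximum-prefix 100
 neighbor 64.74.30.1 prefix-list ISP-IN in
ip prefix-list ISP-IN permit 208.146.43.0/24
route-map MAPNAME permit 10
 match ip address LISTNAME
"""
```

Run lint(WEAK_CONFIG) and lint(HARDENED_CONFIG) on the two files: the first produces three warnings and two failures, the second is clean. The linter checks only what the tables describe; it does not validate that referenced key chains, route maps or prefix lists are actually defined, which the daemon will report on import.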
Allow BGP traffic through the Firebox or XTM device
You must add and configure a policy to allow BGP traffic to the Firebox or XTM device from the approved
networks. These networks must be the same networks you defined in your BGP configuration file.
1. Click Add Policies, or select Edit > Add Policies.
2. From the list of packet filters, select BGP. Click Add.
3. In the New Policy Properties dialog box, configure the policy to allow traffic from the IP or network
address of the router that uses BGP to the Firebox or XTM device interface it connects to. BGP sessions
are unicast TCP connections to port 179, so no broadcast or multicast address is needed.
4. Click OK.
5. Set up the router you selected in Step 3.
6. After you configure the router, open the Traffic and performance statistics (Status Report) and look
at the dynamic routing section to verify that the Firebox or XTM device and the router are sending
updates to each other.
You can then add authentication and restrict the BGP policy to listen only on the correct interfaces.
Sample BGP routing configuration file
To use any of the dynamic routing protocols with Fireware XTM, you must import or type a configuration
file for the dynamic routing daemon. This topic includes a sample configuration file for the BGP routing
daemon. If you want to use this configuration file as a base for your own configuration file, copy the text
into an application such as Notepad or Wordpad and save it with a new name. You can then edit the
parameters to meet your own business requirements.
Optional commands are commented with the "!" character. To enable a command, delete the "!" and
modify variables as necessary.
!! SECTION 1: Start BGP daemon and announce network blocks to BGP neighbors
! Enable BGP and set local ASN to 100
router bgp 100
! Announce local network 64.74.30.0/24 to all neighbors defined in section 2
! network 64.74.30.0/24
!! SECTION 2: Neighbor properties
! Set neighbor (64.74.30.1) as member of remote ASN (200)
! neighbor 64.74.30.1 remote-as 200
! Set neighbor (208.146.43.1) on another network using EBGP multi-hop
! neighbor 208.146.43.1 remote-as 300
! neighbor 208.146.43.1 ebgp-multihop
! Set BGP version (4, 4+, 4-) for communication with a neighbor; default is 4
! neighbor 64.74.30.1 version 4+
! Announce default route to BGP neighbor (64.74.30.1)
! neighbor 64.74.30.1 default-originate
! Set custom TCP port 189 to communicate with BGP neighbor (64.74.30.1). Default port is TCP 179
! neighbor 64.74.30.1 port 189
! Set peer send-community
! neighbor 64.74.30.1 send-community
! Set a default weight for neighbor's (64.74.30.1) routes
! neighbor 64.74.30.1 weight 1000
! Set maximum number of prefixes allowed from this neighbor
! neighbor 64.74.30.1 maximum-prefix NUMBER
!! SECTION 3: Set community lists
! ip community-list 70 permit 7000:80
!! SECTION 4: Announcement filtering
! Set distribute list and direction for peer
! neighbor 64.74.30.1 distribute-list LISTNAME [in|out]
! To apply a prefix list to be matched to incoming or outgoing advertisements to that neighbor
! neighbor 64.74.30.1 prefix-list LISTNAME [in|out]
! To match an autonomous system path access list to incoming or outgoing routes
! neighbor 64.74.30.1 filter-list LISTNAME [in|out]
! To apply a route map to incoming or outgoing routes
! neighbor 64.74.30.1 route-map MAPNAME [in|out]
!! SECTION 5: Redistribute routes to BGP
! Redistribute static routes to BGP
! redistribute kernel
! Redistribute rip routes to BGP
! redistribute rip
! Redistribute ospf routes to BGP
! redistribute ospf
!! SECTION 6: Route reflection
! Set cluster ID and firewall as a client of route reflector server 51.210.0.254
! bgp cluster-id A.B.C.D
! neighbor 51.210.0.254 route-reflector-client
!! SECTION 7: Access lists and IP prefix lists
! Set prefix list
! ip prefix-list PRELIST permit 10.0.0.0/8
! Set access list
! access-list NAME deny 64.74.30.128/25
! access-list NAME permit 64.74.30.0/25
! Create a route map with name MAPNAME and allow with a priority of 10
! route-map MAPNAME permit 10
! match ip address prefix-list LISTNAME
! set community 7000:80
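The minimal three-command file described earlier and the sample file above leave it to the administrator to notice when a neighbor is configured without a maximum-prefix limit or an inbound announcement filter. The following script is an added example, not part of the WatchGuard guide or product: it parses a Quagga-style bgpd file of the kind shown above ("!" lines are comments), checks that the three required commands are present in the order the guide requires (router bgp, network, neighbor), and flags any peer that has neither maximum-prefix nor an inbound distribute-list, prefix-list, filter-list or route-map. The SAMPLE_BGPD text is constructed for the example; the addresses and ASNs are the sample values from the guide.

```python
"""Audit a Quagga-style bgpd configuration file of the kind the guide describes."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the guide's three required commands, uncommented, plus
# two neighbors. Only the first neighbor has the optional protective settings.
SAMPLE_BGPD = """\
! Enable BGP and set local ASN to 100
router bgp 100
network 64.74.30.0/24
neighbor 64.74.30.1 remote-as 200
neighbor 64.74.30.1 maximum-prefix 100
neighbor 64.74.30.1 prefix-list LISTNAME in
neighbor 208.146.43.1 remote-as 300
neighbor 208.146.43.1 ebgp-multihop
"""

INBOUND_FILTERS = ("distribute-list", "prefix-list", "filter-list", "route-map")


@dataclass
class Neighbor:
    remote_as: Optional[int] = None
    max_prefix: Optional[int] = None
    in_filters: List[str] = field(default_factory=list)


@dataclass
class BgpConfig:
    local_asn: Optional[int] = None
    networks: List[str] = field(default_factory=list)
    neighbors: Dict[str, Neighbor] = field(default_factory=dict)
    order: List[str] = field(default_factory=list)  # keyword sequence as seen


def parse_bgpd(text: str) -> BgpConfig:
    """Parse the active (uncommented) lines; '!' lines are comments as in the guide."""
    cfg = BgpConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        parts = line.split()
        kw = parts[0].lower()
        if kw == "router" and len(parts) >= 3 and parts[1].lower() == "bgp":
            cfg.local_asn = int(parts[2])
            cfg.order.append("router")
        elif kw == "network" and len(parts) >= 2:
            cfg.networks.append(parts[1])
            cfg.order.append("network")
        elif kw == "neighbor" and len(parts) >= 3:
            peer = cfg.neighbors.setdefault(parts[1], Neighbor())
            opt = parts[2].lower()
            if opt == "remote-as" and len(parts) >= 4:
                peer.remote_as = int(parts[3])
                cfg.order.append("neighbor")
            elif opt == "maximum-prefix" and len(parts) >= 4:
                peer.max_prefix = int(parts[3])
            elif opt in INBOUND_FILTERS and len(parts) >= 5 and parts[4].lower() == "in":
                peer.in_filters.append(f"{opt} {parts[3]}")
    return cfg


def audit_bgpd(text: str) -> List[str]:
    """Return findings: missing required commands, wrong order, unprotected peers."""
    cfg = parse_bgpd(text)
    findings: List[str] = []
    if cfg.local_asn is None:
        findings.append("missing 'router bgp <ASN>'")
    if not cfg.networks:
        findings.append("no 'network' statement: nothing is advertised")
    if not cfg.neighbors:
        findings.append("no 'neighbor <IP> remote-as <ASN>' statement")
    # The guide requires the order: router bgp, then network, then neighbor.
    first = {k: cfg.order.index(k) for k in ("router", "network", "neighbor") if k in cfg.order}
    expected = [k for k in ("router", "network", "neighbor") if k in first]
    if sorted(expected, key=first.get) != expected:
        findings.append("commands are not in the order router bgp, network, neighbor")
    for ip, peer in cfg.neighbors.items():
        if peer.remote_as is None:
            findings.append(f"neighbor {ip}: no remote-as")
        if peer.max_prefix is None:
            findings.append(f"neighbor {ip}: no maximum-prefix (peer can flood the routing table)")
        if not peer.in_filters:
            findings.append(f"neighbor {ip}: no inbound distribute-list/prefix-list/filter-list/route-map")
    return findings


if __name__ == "__main__":
    for finding in audit_bgpd(SAMPLE_BGPD):
        print(finding)
```

Run against the constructed sample, the audit reports only the second neighbor (208.146.43.1), which has a remote-as but no prefix limit and no inbound filter; adding the SECTION 2 and SECTION 4 commands from the sample file for that peer clears both findings.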
11 FireCluster
About WatchGuard FireCluster
You can use WatchGuard FireCluster to configure two Firebox or XTM devices as a cluster to increase
network performance and scalability.
There are two configuration options available when you configure FireCluster: active/passive and
active/active. To add redundancy, choose an active/passive cluster. To add both redundancy and load
sharing to your network, select an active/active cluster.
When you enable FireCluster, you manage and monitor the two devices in the cluster as a single virtual
device.
To use FireCluster, your network interfaces must be configured in mixed routing mode. FireCluster does
not support drop-in or bridge network modes. For more information about network modes, see About
network interface setup.
When FireCluster is enabled, your Firebox or XTM devices continue to support:
• Secondary networks on external, trusted, or optional interfaces
• Multi-WAN connections (Limitation: a multi-WAN failover caused by a failed connection to a link
monitor host does not trigger FireCluster failover. FireCluster failover occurs only when the physical
interface is down or does not respond.)
• VLANs
When a cluster member fails, the cluster seamlessly fails over and maintains:
• Packet filter connections
• BOVPN tunnels
• User sessions
These connections may be disconnected when a failover event occurs:
• Proxy connections
• Mobile VPN with PPTP
• Mobile VPN with IPSec
• Mobile VPN with SSL
Mobile VPN users may need to manually restart the VPN connection after a failover.
For more information about FireCluster failover, see About FireCluster failover on page 241.
FireCluster status
To see the status of FireCluster in Firebox System Manager:
1. Start Firebox System Manager.
2. Find the FireCluster information, as described in Firebox or XTM device status.
Note You cannot use Fireware XTM Web UI to manage or monitor a device that is
configured as a FireCluster member.
About FireCluster failover
The FireCluster failover process is the same for an active/active cluster or an active/passive cluster. With
both types of clusters, each cluster member maintains state and session information at all times. When
failover occurs, the packet filter connections, BOVPN tunnels, and user sessions from the failed device fail
over automatically to the other device in the cluster.
In a FireCluster, one device is the cluster master and the other device is the backup master. The backup
master uses the primary cluster interface to synchronize connection and session information with the
cluster master. If the primary cluster interface fails or is disconnected, the backup master uses the backup
cluster interface to communicate with the cluster master. We recommend that you always configure both a
primary cluster interface and a backup cluster interface. This helps to make sure that if a failover occurs on
the cluster master, the backup master has all the necessary information to become the new cluster master,
and can transfer connections and sessions appropriately.
Events that trigger a failover
There are three types of events that can trigger a failover.
Monitored interface link down on the cluster master
A failover starts if a monitored interface on the cluster master is unable to send or receive traffic.
You can see the list of monitored interfaces in the FireCluster configuration in Policy Manager.
Cluster master device not fully functional
A failover starts if a software malfunction or hardware failure is detected on the cluster master, or if
a critical process fails on the cluster master.
Cluster receives the Failover Master command from Firebox System Manager
In Firebox System Manager, when you select Tools > Cluster > Failover Master, you force a failover
from the cluster master to the backup master.
For more information about this command, see Force a failover of the cluster master on page 271.
What happens when a failover occurs
When a failover of the cluster master occurs, the backup master becomes the cluster master. Then the
original cluster master reboots and rejoins the cluster as the backup master. The cluster fails over and
maintains all packet filter connections, BOVPN tunnels and user sessions. This behavior is the same for an
active/active or an active/passive FireCluster.
In an active/active cluster, if the backup master fails, the cluster fails over and maintains all packet filter
connections, BOVPN tunnels, and user sessions. Proxy connections and Mobile VPN connections can be
interrupted, as described in the subsequent table. In an active/passive cluster, if the backup master fails,
there is no interruption of connections or sessions because nothing is assigned to the backup master.
Impact of a failover event, by connection/session type:
Packet filter connections
Connections fail over to the other cluster member.
BOVPN tunnels
Tunnels fail over to the other cluster member.
User sessions
Sessions fail over to the other cluster member.
Proxy connections
Connections assigned to the failed device (master or backup master) must be restarted.
Connections assigned to the other device are not interrupted.
Mobile VPN with IPSec
If the cluster master fails over, all sessions must be restarted. If the backup master fails, only
the sessions assigned to the backup master must be restarted. Sessions assigned to the cluster
master are not interrupted.
Mobile VPN with SSL
If either device fails over, all sessions must be restarted.
Mobile VPN with PPTP
All PPTP sessions are assigned to the cluster master, even for an active/active cluster. If the
cluster master fails over, all sessions must be restarted. If the backup master fails, PPTP
sessions are not interrupted.
FireCluster failover and server load balancing
If you use server load balancing to balance connections between your internal servers, when a FireCluster
failover event occurs, real-time synchronization does not occur. After a failover, the new cluster master
sends connections to all servers in the server load balancing list to discover which servers are available. It
then applies the server load balancing algorithm to all available servers.
For information about server load balancing, see Configure server load balancing on page 181.
Monitor the cluster during a failover
The role of each device in the cluster appears after the member name on the Firebox System Manager
Front Panel tab. If you look at the Front Panel tab during a failover of the cluster master, you can see the
cluster master role move from one device to another. During a failover, you see:
• The role of the old backup master changes from "backup master" to "master".
• The role of the old cluster master changes to "inactive" and then to "idle" while the device restarts.
• The role of the old cluster master changes to "backup master" after the device restarts.
For more information, see Monitor and control FireCluster members on page 269.
Features not supported with FireCluster
There are some Fireware XTM configuration and management features that you cannot use with
FireCluster.
FireCluster network configuration limitations
• You cannot configure the network interfaces in bridge mode or drop-in mode.
• You cannot configure the external interface to use PPPoE or DHCP.
• You cannot use dynamic routing protocols (RIP, OSPF and BGP).
FireCluster management limitations
• You cannot use the Web UI to manage any device that is a member of a FireCluster.
• You cannot use WSM with a Management Server to schedule an OS update for any device that is a
member of a FireCluster.
About the Interface for management IP address
In a FireCluster configuration, all devices in the cluster share the same IP addresses for each enabled
interface. When you connect to the cluster in WatchGuard System Manager, you are automatically
connected to the cluster master, and see the status for all cluster members. You can use Firebox System
Manager to monitor the cluster and individual cluster members as described in Monitor and control
FireCluster members on page 269. You can also use Policy Manager to update the configuration of the
cluster, as described in Update the FireCluster configuration on page 277.
Configure the Interface for management IP address
In addition to the shared IP addresses for each interface, each cluster member also has its own unique IP
address for management. You can use this IP address to connect directly to an individual cluster member to
monitor or manage that member.
This interface you choose for individual FireCluster device management is known as the Interface for
management IP address. When you configure a FireCluster, you select the Interface for management IP
address to be used by all cluster members. This interface is not dedicated to management. You can use any
available interface, except a VLAN interface.
For each member, you then specify the unique Management IP address to use on the selected Interface for
management IP address.
The FireCluster Management IP address can be on a different subnet for each device, and can be on a
different subnet than the IP address assigned to this interface in the Network Configuration settings.
For most daily FireCluster management tasks, you do not use the FireCluster Management IP address.
Note If you use the FireCluster Management IP address to connect to the backup master,
you cannot save configuration changes in Policy Manager.
Use the Management IP address to restore a backup image
When you restore a FireCluster backup image, you must use the Management IP address to connect
directly to a cluster member. When you use this IP address to connect to a cluster member, there are two
additional commands available in Firebox System Manager on the Tools menu: Cluster > Leave and Cluster
> Join. You use these commands when you restore a backup image to the cluster.
For more information, see Restore a FireCluster backup image on page 283.
Use the Management IP address to upgrade from an external
location
The WatchGuard System Manager software uses the Management IP address when you upgrade the OS for
the members of a cluster. If you want to update the OS from a remote location, make sure that:
• The Interface for management IP address is set to an external interface
• The Management IP address for each cluster member is a public IP address and is routable
For more information, see Upgrade Fireware XTM for FireCluster members on page 284.
Configure FireCluster
FireCluster supports two types of cluster configurations.
Active/Passive cluster
In an active/passive cluster, one device is active, and the other is passive. The active device handles
all network traffic unless a failover event occurs. The passive device actively monitors the status of
the active device. If the active device fails, the passive device takes over the connections assigned to
the failed device. After a failover event, all traffic for existing connections is automatically routed to
the active device.
Active/Active cluster
In an active/active cluster, the cluster members share the traffic that passes through the cluster. To
distribute connections between the active devices in the cluster, configure FireCluster to use a
round-robin or least connections algorithm. If one device in a cluster fails, the other cluster member
takes over the connections assigned to the failed device. After a failover event, all traffic for existing
connections is automatically routed to the remaining active device.
FireCluster requirements and restrictions
Make sure you understand these requirements and restrictions before you begin:
• Firebox or XTM devices in a cluster must be the same model. Supported models are Firebox X Core
e-Series, Firebox Peak e-Series, or WatchGuard XTM devices.
• Each device in a cluster must use the same version of Fireware XTM with a Pro upgrade.
• Each device in a cluster must have an active LiveSecurity Service subscription.
• Your network interfaces must be configured in mixed routing mode. FireCluster does not support
drop-in or bridge network modes.
• For an active/active cluster, we recommend all devices have active licenses for the same optional
subscription services such as WebBlocker or Gateway AntiVirus.
For more information, see About feature keys and FireCluster on page 278.
• The external interface must be configured with a static IP address. You cannot enable FireCluster if
the external interface is configured to use DHCP or PPPoE.
• You must have a network switch for each active traffic interface.
• For an active/active cluster, all switches and routers in the broadcast domain must be configured to
support multicast traffic.
For more information, see Switch and router requirements for an active/active FireCluster on page 251.
• For an active/active cluster, you must know the IP address and MAC address of each layer 3 switch
or router connected to the cluster. Then you can add static ARP entries for these network devices to
the FireCluster configuration.
For more information, see Add static ARP entries for an active/active FireCluster on page 252.
• FireCluster does not support the use of dynamic routing protocols.
Cluster synchronization and status monitoring
When you enable FireCluster, you must dedicate at least one interface to communication between the
cluster members. This is called a cluster interface. When you set up the cluster hardware, you connect the
primary cluster interfaces of each device to each other. For redundancy, we recommend you configure a
backup cluster interface. The cluster members use the cluster interfaces to continually synchronize all
information needed for load sharing and transparent failover.
FireCluster device roles
When you configure devices in a cluster, it is important to understand the roles each device can play in the
cluster.
Cluster master
This cluster member assigns network traffic flows to cluster members, and responds to all requests
from external systems such as WatchGuard System Manager, SNMP, DHCP, ARP, routing protocols,
and IKE. When you configure or modify the cluster configuration, you save the cluster configuration
to the cluster master. The cluster master can be either device. The first device in a cluster to power
on becomes the cluster master.
Backup cluster master
This cluster member synchronizes all necessary information with the cluster master, so that it can
become the cluster master if the master fails. The Backup cluster master can be active or passive.
Active member
This can be any cluster member that actively handles traffic flow. In an active/active cluster, both
devices are active. In an active/passive cluster, the cluster master is the only active device.
Passive member
A device in an active/passive cluster that does not handle network traffic flows unless an active
device fails over. In an active/passive cluster the passive member is the backup cluster master.
FireCluster configuration steps
To configure Firebox or XTM devices as a FireCluster, you must:
1. Plan your FireCluster configuration, as described in Before you begin.
2. Connect the FireCluster devices to the network, as described in Connect the FireCluster hardware on
page 249.
3. Configure FireCluster in Policy Manager. You can use one of these methods:
• Use the FireCluster Setup Wizard
• Configure FireCluster manually
For an active/active cluster, you must also complete these steps:
1. Make any necessary configuration changes to your layer 3 network routers and switches to support
the multicast MAC addresses used by the FireCluster.
For more information, see Switch and router requirements for an active/active FireCluster on page 251.
2. Add static ARP entries for each of the layer 3 network routers and switches that connect to the
FireCluster.
For more information, see Add static ARP entries for an active/active FireCluster on page 252.
Before you begin
Before you configure FireCluster, you must complete the tasks described in the subsequent sections.
Verify basic components
Make sure that you have these items:
• Two Firebox X Core, Peak, or WatchGuard XTM devices of the same model
• The same version of Fireware XTM with a Pro upgrade installed on each device
• One crossover cable (red) for each cluster interface (If you configure a backup cluster interface, you
must use two crossover cables.)
• One network switch for each active traffic interface
• Ethernet cables to connect the devices to the network switches
• The serial numbers for each device
• Feature keys for each device
For information about feature key requirements for FireCluster, see About feature keys and
FireCluster on page 278.
Configure the external interface with a static IP address
To use FireCluster, you must configure each external interface with a static IP Address. You cannot enable
FireCluster if any external interface is configured to use DHCP or PPPoE.
Configure network routers and switches
In an active/active FireCluster configuration, the network interfaces for the cluster use multicast MAC
addresses. Before you enable an active/active FireCluster, make sure your network routers and other
devices are configured to properly route traffic to and from the multicast MAC addresses.
For more information, see Switch and router requirements for an active/active FireCluster on page 251.
This step is not necessary for an active/passive cluster because an active/passive cluster does not use
multicast MAC addresses.
Select IP addresses for cluster interfaces
We recommend you make a table with the network addresses you plan to use for the cluster interfaces and
interface for management IP address. The FireCluster setup wizard asks you to configure these individually
for each cluster member. If you plan the interfaces and IP addresses in advance, it is easier to configure
these interfaces with the wizard. For example, your table could look something like this:
Interface # and IP addresses for cluster interfaces
Interface | Interface # | IP address for Member 1 | IP address for Member 2
Primary cluster interface | 5 | 10.10.5.1/24 | 10.10.5.2/24
Backup cluster interface | 6 | 10.10.6.1/24 | 10.10.6.2/24
Interface for management IP address | 1 | 10.10.1.1/24 | 10.10.1.2/24
Primary cluster interface
This is the interface on the Firebox or XTM device that you dedicate to communication between the
cluster members. This interface is not used for regular network traffic. If you have an interface
configured as a dedicated VLAN interface, do not choose that interface as a dedicated cluster
interface.
The primary interface IP addresses for both cluster members must be on the same subnet.
Backup cluster interface (optional, but recommended)
This is a second interface on the Firebox or XTM device that you dedicate to communication
between the cluster members. The cluster members use the backup cluster interface to
communicate if the primary cluster interface is not available. For redundancy, we recommend you
use two cluster interfaces.
The backup interface IP addresses for both cluster members must be on the same subnet.
Interface for management IP address
This is a Firebox or XTM device network interface you use to make a direct connection to a cluster
device from any WatchGuard management application.
The management IP addresses for each cluster member can be on different subnets.
For more information, see About the Interface for management IP address on page 243.
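The planning table above has a few rules attached to it: the primary and backup cluster interface addresses of the two members must share a subnet, the management addresses may not, no role may use a VLAN interface, and each role needs its own interface. The script below is an added example, not code from the WatchGuard guide or product; it encodes those rules as a check you can run over a plan before starting the setup wizard. The PLAN dictionary is a constructed copy of the guide's sample table, and the `vlan_interfaces` parameter is a name chosen for this example.

```python
"""Check a FireCluster interface/IP plan against the rules the guide states."""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed plan that mirrors the guide's sample table:
# role -> (interface number, member 1 address, member 2 address)
PLAN: Dict[str, Tuple[int, str, str]] = {
    "primary": (5, "10.10.5.1/24", "10.10.5.2/24"),
    "backup": (6, "10.10.6.1/24", "10.10.6.2/24"),
    "management": (1, "10.10.1.1/24", "10.10.1.2/24"),
}


def check_cluster_plan(plan: Dict[str, Tuple[int, str, str]],
                       vlan_interfaces: Iterable[int] = ()) -> List[str]:
    """Return a list of problems; an empty list means the plan follows the guide's rules."""
    problems: List[str] = []
    used: Dict[int, str] = {}
    vlan_ifaces = set(vlan_interfaces)  # interface numbers configured as VLAN interfaces
    if "primary" not in plan:
        problems.append("no primary cluster interface planned")
    if "backup" not in plan:
        problems.append("no backup cluster interface planned (optional, but recommended)")
    for role, (ifnum, addr1, addr2) in plan.items():
        a = ipaddress.ip_interface(addr1)  # raises ValueError on a malformed address
        b = ipaddress.ip_interface(addr2)
        if ifnum in used:
            problems.append(f"{role}: interface {ifnum} is already used for {used[ifnum]}")
        used[ifnum] = role
        if ifnum in vlan_ifaces:
            problems.append(f"{role}: interface {ifnum} is a VLAN interface")
        if a.ip == b.ip:
            problems.append(f"{role}: both members use the address {a.ip}")
        # Cluster interfaces must share a subnet; management addresses may differ.
        if role in ("primary", "backup") and a.network != b.network:
            problems.append(f"{role}: {a} and {b} are not on the same subnet")
    return problems


if __name__ == "__main__":
    print(check_cluster_plan(PLAN) or "plan is consistent with the guide's rules")
```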
Connect the FireCluster hardware
Note Each device in a cluster must be the same model, and must use the same version of
Fireware XTM with a Pro upgrade.
To connect two Firebox or XTM devices in a FireCluster configuration:
1. Use a crossover Ethernet cable (red) to connect the primary cluster interface on one Firebox or
XTM device to the primary cluster interface on the other device.
2. If you want to enable a backup cluster interface, use a second crossover Ethernet cable to connect
the backup cluster interfaces. If you have a network interface available, we recommend that you
connect and configure a backup cluster interface for redundancy.
3. Connect the external interface of each device to a network switch. If you use Multi-WAN, connect
the second external interface of each device to another network switch.
4. Connect the trusted interface of each device to an internal network switch.
5. For each device, connect the other trusted or optional network interfaces to the internal network
switch for that device.
For information about network switch requirements, see Switch and router requirements for an
active/active FireCluster on page 251.
Note You must connect each pair of network interfaces to its own dedicated switch or
hub. Do not connect more than one pair of interfaces to the same switch.
The diagram below shows connections for a simple FireCluster configuration.
In this example, the FireCluster has one external and one trusted interface connected to network switches.
The primary cluster interfaces are connected by a crossover cable.
After you connect the FireCluster devices, you are ready to configure the FireCluster in Policy Manager. You
can do this two ways:
• Use the FireCluster Setup Wizard
• Configure FireCluster manually
Switch and router requirements for an active/active FireCluster
Note When you configure FireCluster in an active/active configuration, the cluster uses
multicast MAC addresses for all interfaces that send network traffic. Before you
enable FireCluster, make sure your network switches, routers, and other devices
are configured to route network traffic with multicast MAC addresses.
A layer 2 broadcast domain is a logical part of a computer network in which all network nodes can
communicate with each other without the use of a layer 3 routing device, such as a router or managed
switch.
An active/active FireCluster uses a single multicast MAC address. Most network routers and managed
switches ignore traffic from multicast MAC addresses by default. Before you enable an active/active
FireCluster, make sure that all the network switches and routers in the layer 2 broadcast domain meet the
requirements.
Requirements for switches and routers
All switches and routers in an active/active FireCluster broadcast domain must meet these requirements.
1. All switches and routers in the broadcast domain must not block ARP requests if the response
contains a multicast MAC address.
• This requirement must be met for all switches and routers in the broadcast domain, even if the
switch or router is not connected directly to the FireCluster devices.
• For unmanaged layer 2 switches, this is the default behavior, and a configuration change is not
required.
• For routers and most managed switches, the default behavior is to block ARP responses that
contain a multicast MAC address. Check the documentation for your managed switch or router
to see if there is a configuration option to allow ARP responses that contain a multicast MAC
address. In some network routers you can add the multicast MAC address as a static ARP entry.
If your router supports this, add a static ARP entry to map the cluster IP address to its multicast
MAC address.
• The router must not be configured to support the multicast ARP requirement in RFC 1812,
section 3.2.2.
2. The switches that you directly attach to the cluster external and internal interfaces must be
configured to forward traffic to all ports when the destination MAC address is a multicast MAC
address.
• For unmanaged layer 2 switches, this is the default behavior and a configuration change is not
required.
• For routers and most managed switches, you must make a configuration change to meet this
requirement. You might need to insert a static mac-address-table entry to specify the port
destinations for the traffic destined for the cluster multicast MAC address.
One multicast MAC address is shared between the pair. The MAC address starts with 01:00:5E. You can
find the multicast MAC addresses for a cluster in the Firebox System Manager Status Report tab, or in the
FireCluster configuration dialog box in Policy Manager.
For more information, see Find the multicast MAC addresses for an active/active cluster on page 266.
For an active/active FireCluster, you must also add static ARP entries for your layer 3 routers to the
FireCluster configuration in Policy Manager.
For more information, see Add static ARP entries for an active/active FireCluster on page 252.
For an example of how to configure two switches for an active/active FireCluster, see Example switch and
static ARP configuration for an active/active FireCluster on page 253.
Add static ARP entries for an active/active FireCluster
An active/active FireCluster uses a multicast MAC address for each active interface connected to your
network. The active/active FireCluster sends this multicast MAC address across the network.
For some switches, you might need to add static ARP entries for each layer 3 network switch connected to
the FireCluster traffic interface. Otherwise, network communication might not work properly. You can use
Policy Manager to add the static ARP entries to the FireCluster.
To add static ARP entries to your Firebox or XTM device configuration:
1. In WatchGuard System Manager, use the configured cluster interface IP address to connect to the
FireCluster. Do not use the Management IP address.
2. Click .
Or, select Tools > Policy Manager.
Policy Manager appears.
3. Select Network > ARP Entries.
The Static ARP Entries dialog box appears.
4. Click Add.
The Add ARP Entry dialog box appears.
5. In the Interface drop-down list, select the interface for the layer 3 switch.
6. In the IP Address text box, type the IP address of the network switch.
7. In the MAC Address text box, type the MAC address of the switch. Click OK.
The static ARP entry is added to the Static ARP Entries list.
8. Repeat Steps 4–7 to add static ARP entries for each switch that is directly connected to each
interface of the FireCluster.
9. Click OK.
10. Select File > Save > to Firebox to save the static ARP entries to the FireCluster.
You must also configure the network switches to work with the active/active FireCluster. For more
information, see Switch and router requirements for an active/active FireCluster on page 251.
For an example of how to configure two switches for an active/active FireCluster, see Example switch and
static ARP configuration for an active/active FireCluster on page 253.
Example switch and static ARP configuration for an active/active
FireCluster
Layer 3 switches that operate in default mode do not have issues with multicast traffic, so the FireCluster
works without configuration changes. A layer 3 switch that has all ports configured in one VLAN also works
without issues. If the layer 3 switch has ports configured for different VLANs you must change the
configuration to enable the switch to operate correctly with a FireCluster.
Layer 3 switches that perform VLAN, and/or IP address routing, discard multicast traffic from the
FireCluster members. The switch discards traffic to and through the router unless you configure static MAC
and ARP entries for the FireCluster multicast MAC on the switch that receives the multicast traffic.
When you configure an active/active FireCluster, you might need to make some configuration changes on
the FireCluster and on your network switches so that the FireCluster multicast MAC addresses work
properly. For general information, see:
• Switch and router requirements for an active/active FireCluster
• Add static ARP entries for an active/active FireCluster
This topic includes an example of how to configure the switches and the FireCluster static ARP settings for
an active/active FireCluster. This example does not include all the other steps to configure a FireCluster. For
instructions to configure a FireCluster, see Configure FireCluster on page 245.
Before you begin, make sure you have:
• The IP address and multicast MAC address of the FireCluster interface to which the switch is
connected.
For more information, see Find the multicast MAC addresses for an active/active cluster on page 266.
• The IP address and MAC address of each switch or router connected to the FireCluster interfaces.
Note WatchGuard provides interoperability instructions to help our customers configure
WatchGuard products to work with products created by other organizations. If you
need more information or technical support about how to configure a non-WatchGuard
product, see the documentation and support resources for that product.
Example configuration
In this example, the FireCluster configuration has one external and one internal interface. The external
interface of each cluster member is connected to a Cisco 3750 switch. The internal interface of each cluster
member is connected to an Extreme Summit 15040 switch. For the equivalent commands to make these
configuration changes on your switch, see the documentation for your switch. The commands for two
different switches are included in this example.
IP addresses in this example:
- FireCluster interface 0 (External)
  IP address: 50.50.50.50/24
  Multicast MAC address: 01:00:5e:32:32:32
User Guide
253
FireCluster
- FireCluster interface 1 (Trusted)
  IP address: 10.0.1.1/24
  Multicast MAC address: 01:00:5e:00:01:01
- Cisco 3750 switch connected to the FireCluster external interface
  IP address: 50.50.50.100
  VLAN interface MAC address: 00:10:20:3f:48:10
  VLAN ID: 1
  Interface: gi1/0/11
- Extreme Summit 48i switch connected to the FireCluster internal interface
  IP address: 10.0.1.100
  MAC address: 00:01:30:f3:f1:40
  VLAN ID: Border-100
  Interface: 9
Configure the Cisco switch
In this example, the Cisco switch is connected to the FireCluster interface 0 (external). You must use the
Cisco command line to add static MAC and ARP entries for the multicast MAC address of the external
FireCluster interface.
1. Start the Cisco 3750 command line interface.
2. Add a static ARP entry for the multicast MAC address of the FireCluster interface.
Type this command:
arp <FireCluster interface IP address> <FireCluster MAC address> arpa
For this example, type:
arp 50.50.50.50 0100.5e32.3232 arpa
3. Add an entry to the MAC address table.
Type this command:
mac-address-table static <FireCluster interface MAC address> vlan <ID>
interface <#>
For this example, type:
mac-address-table static 0100.5e32.3232 vlan 1 interface gi1/0/11
Configure the Extreme switch
In this example, the Extreme Summit switch is connected to the FireCluster interface 1 (trusted). You must
use the Extreme Summit command line to add static MAC and ARP entries for the multicast MAC address of
the trusted FireCluster interface.
1. Start the Extreme Summit 48i command line.
2. Add a static ARP entry for the multicast MAC address of the FireCluster interface.
Type this command:
configure iparp add <ip address> <MAC Address>
For this example, type:
configure iparp add 10.0.1.1/24 01:00:5e:00:01:01
3. Add an entry to the MAC address table.
Type this command:
create fdbentry <MAC> VLAN <ID> port <#>
For this example, type:
create fdbentry 01:00:5e:00:01:01 VLAN Border-100 port 9
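Both switch procedures above produce the same pair of entries (a static ARP entry and a static MAC-table entry) from the same inputs, and each vendor wants the MAC written differently. The following added Python example, which is not WatchGuard, Cisco or Extreme code, renders both vendors' commands from the example values and validates the multicast MAC before it is used; the class and function names are hypothetical, the ExtremeWare verb is assumed to be spelled configure, and the consistency check assumes the multicast MAC is the RFC 1112 mapping of the interface IP (01:00:5e plus the low 23 bits of the IP), which both of the guide's example interfaces satisfy.

```python
"""Render the static ARP and MAC-table entries that an active/active
FireCluster's upstream switches need, in Cisco IOS and ExtremeWare syntax.

Added example, not WatchGuard, Cisco or Extreme code. All names below are
hypothetical. Assumptions: the ExtremeWare ARP verb is `configure`, and, as a
consistency check only, the FireCluster multicast MAC is the RFC 1112 mapping
of the interface IP (01:00:5e + low 23 bits of the IP).
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ClusterInterface:
    """One FireCluster interface as the switch sees it: the IP with prefix
    length (as entered in WSM) and the multicast MAC shown in Policy Manager."""
    ip: str
    multicast_mac: str


def normalize_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return 6 bytes."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def mac_colon(mac: bytes) -> str:
    """Colon-separated form, as ExtremeWare and the WatchGuard UI show it."""
    return ":".join(f"{b:02x}" for b in mac)


def mac_cisco(mac: bytes) -> str:
    """Cisco IOS dotted-triple form, e.g. 0100.5e32.3232."""
    h = mac.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def check_multicast_mac(iface: ClusterInterface) -> bytes:
    """Validate the multicast MAC before it goes into a switch configuration.

    Rejects anything outside the IPv4 multicast OUI and anything that does not
    match the interface IP, so a typo in either value is caught here rather
    than showing up later as traffic the switch silently drops.
    """
    mac = normalize_mac(iface.multicast_mac)
    if mac[:3] != b"\x01\x00\x5e" or mac[3] & 0x80:
        raise ValueError(f"{mac_colon(mac)} is not an IPv4 multicast MAC")
    ip = int(ipaddress.ip_interface(iface.ip).ip)
    # Assumption (see module docstring): RFC 1112 mapping of the low 23 bits.
    expected = bytes([(ip >> 16) & 0x7F, (ip >> 8) & 0xFF, ip & 0xFF])
    if mac[3:] != expected:
        raise ValueError(
            f"{mac_colon(mac)} does not match the low 23 bits of {iface.ip}")
    return mac


def cisco_static_entries(iface: ClusterInterface, vlan_id: int, port: str) -> list[str]:
    """Static ARP and MAC-table entries for a Cisco IOS switch (3750 syntax)."""
    mac = check_multicast_mac(iface)
    host_ip = ipaddress.ip_interface(iface.ip).ip  # IOS 'arp' takes a bare host address
    return [
        f"arp {host_ip} {mac_cisco(mac)} arpa",
        f"mac-address-table static {mac_cisco(mac)} vlan {vlan_id} interface {port}",
    ]


def extreme_static_entries(iface: ClusterInterface, vlan_name: str, port: int) -> list[str]:
    """Static ARP and FDB entries for an ExtremeWare switch (Summit syntax)."""
    mac = check_multicast_mac(iface)
    return [
        f"configure iparp add {iface.ip} {mac_colon(mac)}",
        f"create fdbentry {mac_colon(mac)} VLAN {vlan_name} port {port}",
    ]


if __name__ == "__main__":
    # Sample input constructed from the guide's example addresses.
    external = ClusterInterface("50.50.50.50/24", "01:00:5e:32:32:32")
    trusted = ClusterInterface("10.0.1.1/24", "01:00:5e:00:01:01")
    print("\n".join(cisco_static_entries(external, 1, "gi1/0/11")))
    print("\n".join(extreme_static_entries(trusted, "Border-100", 9)))
```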
Add static ARP entries to the FireCluster configuration for each switch
For an explanation of why this is required, see Add static ARP entries for an active/active FireCluster on
page 252.
1. In WatchGuard System Manager, use the cluster trusted interface IP address to connect to the
FireCluster. Do not use the management IP address.
2. Click .
Or, select Tools > Policy Manager.
Policy Manager appears.
3. Select Network > ARP Entries.
The Static ARP Entries dialog box appears.
4. Click Add.
The Add ARP Entry dialog box appears.
5. In the Interface drop-down list, select External.
6. In the IP Address text box, type the IP address of the switch interface that is connected to the
external interface.
For this example, type: 50.50.50.100
7. In the MAC Address text box, type the MAC address of the VLAN interface on the Cisco switch that is
connected to the external interface.
For this example, type: 00:10:20:3f:48:10
8. Click OK.
The static ARP entry is added to the Static ARP Entries list.
9. Click Add.
The Add ARP Entry dialog box appears.
10. In the Interface drop-down list, select Trusted.
11. In the IP Address text box, type the IP address of the switch interface that is connected to the
trusted interface.
For this example, type: 10.0.1.100
12. In the MAC Address text box, type the MAC address of the switch interface that is connected to the
trusted interface.
For this example, type: 00:01:30:f3:f1:40
13. Click OK.
The static ARP entry is added to the Static ARP Entries list.
14. Click OK to close the Static ARP Entries dialog box.
15. Select File > Save > to Firebox to save the static ARP entries to the FireCluster.
Use the FireCluster Setup Wizard
To configure FireCluster, you can either run the FireCluster Setup Wizard or you can configure FireCluster
manually.
For more information about how to configure FireCluster manually, see Configure FireCluster manually on
page 261.
Before you enable FireCluster:
- Make sure you have everything necessary to configure your FireCluster, and have planned your
  configuration settings. For information, see Before you begin on page 248.
- Connect the FireCluster devices to each other and to the network as described in Connect the
  FireCluster hardware on page 249.
Note In an active/active FireCluster configuration, the network interfaces for the cluster
use multicast MAC addresses. Before you enable an active/active FireCluster, make
sure your network routers and other devices are configured to support multicast
network traffic.
For more information, see Switch and router requirements for an active/active
FireCluster on page 251.
Configure FireCluster
1. In WatchGuard System Manager, connect to the Firebox or XTM device that has the configuration
you want to use for the cluster. After you enable FireCluster, this device becomes the cluster master
the first time you save the configuration.
2. Click .
Or, select Tools > Policy Manager.
Policy Manager opens the configuration file for the selected device.
3. Select FireCluster > Setup.
The FireCluster Setup Wizard starts.
4. Click Next.
5. Select the type of cluster you want to enable:
Active/Active cluster
Enables the cluster for high availability and load sharing. If you select this option, the cluster balances
incoming connection requests across both devices in the cluster. You cannot configure active/active
if the external interface of your Firebox or XTM device is configured for DHCP or PPPoE.
Active/Passive cluster
Enables the cluster for high availability, but not load sharing. If you select this option, the cluster
has an active device that handles all the connections, and a passive device that handles
connections only if a failover of the first device occurs.
6. Select the Cluster ID.
The cluster ID uniquely identifies this cluster if you set up more than one cluster on the same layer 2
broadcast domain. If you only have one cluster, you can keep the default value of 1.
7. If you selected Active/Active cluster, select the Load-balance method.
The load-balance method is the method used to balance connections among active cluster
members. There are two options:
Least connection
If you select this option, each new connection is assigned to the active cluster member with the
lowest number of open connections. This is the default setting.
Round-robin
If you select this option, new connections are distributed among the active cluster members in
round-robin order. The first connection goes to one cluster member. The next connection goes
to the other cluster member, and so on.
8. Select the Primary and Backup cluster interfaces. The cluster interfaces are dedicated to
communication between cluster members and are not used for other network traffic. You must
configure the Primary interface. For redundancy, we recommend you also configure the Backup
interface.
Primary
The interface on the Firebox or XTM device that you dedicate to primary communication
between the cluster members. Select the interface number that you used to connect the
FireCluster devices to each other.
Backup
The interface on the Firebox or XTM device that you dedicate to communication between the
cluster members if the primary interface fails. Select the second interface number that you
used to connect the FireCluster devices to each other, if any.
Note If you have an interface configured as a dedicated VLAN interface, do not
choose that interface as a dedicated cluster interface.
9. Select the Interface for Management IP address. You use this interface to connect directly to
FireCluster member devices for maintenance operations. This is not a dedicated interface. It also is
used for other network traffic. You cannot select a VLAN interface as the Interface for Management
IP address.
For more information, see About the Interface for management IP address on page 243.
10. When prompted by the configuration wizard, add these FireCluster member properties for each
device:
Feature Key
For each device, import or download the feature key to enable all features for the device. If
you previously imported the feature key in Policy Manager, the wizard automatically uses that
feature key for the first device in the cluster.
Member Name
The name that identifies each device in the FireCluster configuration.
Serial Number
The serial number of the device. The serial number is used as the Member ID in the FireCluster
Configuration dialog box. The wizard sets this automatically when you import or download the
feature key for the device.
Primary cluster interface IP address
The IP address the cluster members use to communicate with each other over the primary
cluster interface. The primary FireCluster IP address for each cluster member must be on the
same subnet.
If both devices start at the same time, the cluster member with the highest IP address assigned
to the primary cluster interface becomes the master.
Backup cluster interface IP address
The IP address the cluster members use to communicate with each other over the backup
cluster interface. The backup FireCluster IP address for each cluster member must be on the
same subnet.
Management IP address
A unique IP address that you can use to connect to an individual Firebox or XTM device while it
is configured as part of a cluster. You must specify a different management IP address for each
cluster member.
11. Review the configuration summary on the final screen of the FireCluster Setup Wizard. The
configuration summary includes the options you selected and which interfaces are monitored for
link status.
12. Click Finish.
The FireCluster Configuration dialog box appears.
13. In the Interface Settings section, review the list of monitored interfaces.
The list of monitored interfaces does not include the interfaces you configured as the Primary and
Backup cluster interfaces. FireCluster monitors the link status for all enabled interfaces. If the cluster
master detects loss of link on a monitored interface, the cluster master starts failover for that
device.
You must disable any interfaces that are not connected to your network before you save the
FireCluster configuration to the Firebox or XTM device. To disable an interface:
- In Policy Manager, select Network > Configuration.
- Double-click the interface that you want to disable, and set the Interface Type to Disabled.
Note Do not save the configuration file until you start the second device in safe mode.
14. Start the second Firebox or XTM device in safe mode.
To start in safe mode, press and hold the down arrow on the device front panel while you power on
the device.
Hold down the arrow button until WatchGuard Technologies appears on the LCD display. When
the device is in safe mode, the model number followed by the word safe appears on the LCD
display.
15. Save the configuration to the cluster master.
The cluster is activated, and the cluster master automatically discovers the other configured cluster member.
After the cluster is active, you can monitor the status of the cluster members on the Firebox System
Manager Front Panel tab.
For more information, see Monitor and control FireCluster members on page 269.
If the second device is not automatically discovered, you can manually trigger device discovery as described
in Discover a cluster member on page 270.
Configure FireCluster manually
You can enable FireCluster manually or use the FireCluster Setup Wizard. For more information, see Use the
FireCluster Setup Wizard on page 256.
Before you enable FireCluster:
- Make sure you have everything necessary to configure your FireCluster, and have planned your
  configuration settings. For more information, see Before you begin on page 248.
- Connect the FireCluster devices to each other and to the network as described in Connect the
  FireCluster hardware on page 249.
Warning In an active/active FireCluster configuration, the network interfaces for the cluster
use multicast MAC addresses. Before you enable an active/active FireCluster, make
sure your network routers and other devices are configured to support multicast
network traffic. For more information, see Switch and router requirements for an
active/active FireCluster on page 251.
Enable FireCluster
1. In WatchGuard System Manager, connect to the Firebox or XTM device that has the configuration
you want to use for the cluster. This device becomes the cluster master the first time you save the
configuration with FireCluster enabled.
2. Click .
Or, select Tools > Policy Manager.
Policy Manager appears.
3. Select FireCluster > Configure.
The FireCluster Cluster Configuration dialog box appears.
4. Select the Enable FireCluster check box.
5. Select which type of cluster you want to enable.
Enable Active/Active cluster
Enables the cluster for high availability and load sharing. If you select this option, the cluster
balances traffic load across both devices in the cluster. Active/Active is not available if the
external interface of your Firebox or XTM device is configured for DHCP or PPPoE.
Enable Active/Passive cluster
Enables the cluster for high availability, but not load sharing. If you select this option, the cluster
has an active device that handles all the network traffic, and a passive device that handles traffic
only if a failover of the first device occurs.
6. If you selected Enable Active/Active cluster, in the Load-balance method drop-down list, select the
method to use to balance the traffic load between active cluster members.
Least connection
If you select this option, each new connection is assigned to the active cluster member that has
the lowest number of open connections.
Round-robin
If you select this option, connections are distributed among the active cluster members in
round-robin order. The first connection goes to one cluster member. The next connection goes
to the other cluster member, and so on.
7. In the Cluster ID drop-down list, select a number to identify this FireCluster.
The cluster ID uniquely identifies this FireCluster if there is more than one FireCluster active on the
same network segment. If you only have one FireCluster, you can keep the default value of 1.
Configure interface settings
The FireCluster interface is the dedicated interface the cluster members use to communicate with each
other about system status. You can configure either one or two FireCluster interfaces. For redundancy, if
you have the interfaces available, we recommend you configure two FireCluster interfaces. If you have an
interface configured as a dedicated VLAN interface, do not choose that interface as a dedicated FireCluster
interface. You must disable any interfaces that are not connected to your network before you save the
FireCluster configuration to the Firebox or XTM device.
1. In the Primary cluster interface drop-down list, select an interface to use as the primary interface.
2. To use a second cluster interface, in the Backup cluster interface drop-down list, select an interface
to use as the backup interface.
3. Select an Interface for management IP address. This is the Firebox or XTM device network interface
you use to make a direct connection to a cluster device with any WatchGuard management
application. You cannot select a VLAN interface as the Interface for Management IP address.
For more information, see About the Interface for management IP address on page 243.
4. Review the list of monitored interfaces. The list of monitored interfaces does not include the
interfaces you configured as the Primary and Backup FireCluster interfaces. FireCluster monitors the
link status for all enabled interfaces. If the cluster master detects a loss of link on a monitored
interface, the cluster master starts failover for that device.
5. To disable an interface, in Policy Manager, select Network > Configuration.
6. Double-click the interface that you want to disable.
7. Set the Interface Type to Disabled.
Note FireCluster monitors the status of all enabled network interfaces. Make sure that all
interfaces in the list of monitored interfaces are connected to a network switch.
Define the FireCluster members
1. Select the Members tab.
The FireCluster members configuration settings appear.
If you previously imported a feature key in this configuration file, that device is automatically
configured as Member 1.
If you do not have a feature key in this configuration file, a FireCluster member does not appear in
the list. In this case, you must add each device as a member, and import the configuration file for
each device as described in the subsequent steps.
2. To add a member, click Add.
The Add member dialog appears.
3. In the Member Name text box, type a name. This name identifies this device in the members list.
4. Select the Feature Key tab.
5. Click Import.
The Import Firebox Feature Key dialog box appears.
6. To find the feature key file, click Browse.
Or, copy the text of the feature key file and click Paste to insert it in the dialog box.
7. Click OK.
8. Select the Configuration tab.
The Serial Number field is automatically filled with the serial number from the feature key.
9. In Interface IP Address text box, type the addresses to use for each cluster interface and the
interface for management IP address.
- In the Primary cluster text box, type the IP address to use for the primary cluster interface. The
  IP address for the primary cluster interface must be on the same subnet for each cluster
  member.
Note The cluster member with the highest IP address assigned to the primary cluster
interface becomes the master if both devices start at the same time.
- In the Backup cluster text box, type the IP address to use for the backup cluster interface. This
  option only appears if you configured a backup cluster interface. The IP address for the backup
  cluster interface must be on the same subnet for each cluster member.
- In the Interface for management IP address text box, type the IP address to use to connect to
  an individual cluster member for maintenance operations. The interface for management is not
  a dedicated interface. It is also used for other network traffic. This can be any address, but must
  be different for each cluster member.
For more information, see About the Interface for management IP address on page 243.
10. Click OK.
The device you added appears on the Members tab as a cluster member.
11. Repeat the previous steps to add the second Firebox or XTM device to the cluster configuration.
Note Do not save the configuration to the Firebox or XTM device until you start the
second device in safe mode.
12. Start the second Firebox or XTM device in safe mode.
To start in safe mode, press and hold the down arrow on the device front panel while you power on
the device.
For a Firebox X Core or Peak device, hold down the down arrow until WatchGuard Technologies
appears on the LCD display. When the device is in safe mode, the model number followed by the
word safe appears on the LCD display.
For a WatchGuard XTM device, hold down the down arrow until Safe Mode Starting... appears
on the LCD display. When the device is in safe mode, the model number followed by the word safe
appears on the LCD display.
13. Save the configuration to the Firebox or XTM device.
The cluster is activated. The cluster master automatically discovers the other configured cluster member and
synchronizes the configuration.
After the cluster is active, you can monitor the status of the cluster members on the Firebox System
Manager Front Panel tab.
For more information, see Monitor and control FireCluster members on page 269.
If the second device is not automatically discovered, you can manually trigger device discovery as described
in Discover a cluster member on page 270.
Find the multicast MAC addresses for an active/active cluster
To configure your switch to support the FireCluster multicast MAC addresses, you might need to know the
multicast MAC addresses the cluster uses for each interface. There are two ways to find the MAC addresses
assigned to the interfaces.
Find the MAC addresses in Policy Manager
1. Open Policy Manager for the active/active FireCluster.
2. Select FireCluster > Configure.
The FireCluster Configuration dialog box appears.
3. In the Interface Settings section, find the multicast MAC address for each interface.
To copy a multicast MAC address from the FireCluster configuration to your switch or router configuration:
1. In the Multicast MAC column, double click the MAC address.
The MAC address appears highlighted.
2. Click and drag to highlight the MAC address.
3. Press Ctrl+C to copy it to the clipboard.
4. Paste the MAC address in your switch or router configuration.
For more information, see Switch and router requirements for an active/active FireCluster on page 251.
Find the MAC address in Firebox System Manager
You can also find the multicast MAC addresses in Firebox System Manager.
1. Open Firebox System Manager.
2. Click the Front Panel tab.
3. Expand Interfaces.
The multicast MAC address is included with each interface in the cluster.
Active/Passive Cluster ID and the Virtual MAC Address
An active/passive FireCluster uses a virtual MAC address, calculated based on the Cluster ID and the
interface numbers. If you configure more than one active/passive FireCluster on the same subnet, it is
important to know how to set the Cluster ID to avoid a possible virtual MAC address conflict.
How the virtual MAC address is calculated
The virtual MAC addresses for interfaces on an active/passive FireCluster start with 00:00:5E:00:01. The
sixth octet of the MAC address is set to a value that is equal to the interface number plus the Cluster ID.
For example, for a FireCluster with the Cluster ID set to 1, the virtual MAC addresses are:
Interface 0: 00:00:5E:00:01:01
Interface 1: 00:00:5E:00:01:02
Interface 2: 00:00:5E:00:01:03
If you add a second FireCluster to the same subnet, you must make sure to set the Cluster ID to a number
that is different enough from the Cluster ID of the first FireCluster to avoid a virtual MAC address conflict.
For example, if the first FireCluster has 5 interfaces, you must set the Cluster ID of the second FireCluster at
least 5 higher than the Cluster ID for the first FireCluster.
For example, if the second FireCluster has the Cluster ID set to 6, the virtual MAC addresses are:
Interface 0: 00:00:5E:00:01:06
Interface 1: 00:00:5E:00:01:07
Interface 2: 00:00:5E:00:01:08
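The rule above is simple enough to check mechanically before a second cluster goes on the subnet. The following added Python example, which is not WatchGuard code and uses hypothetical function names, implements the stated calculation (00:00:5E:00:01 followed by interface number plus Cluster ID), reports every virtual MAC shared between clusters on one subnet, and generalizes the "at least 5 higher" guidance to any number of clusters and interfaces.

```python
"""Virtual MAC addresses of active/passive FireClusters and Cluster ID overlap checks.

Added example, not WatchGuard code; the function names are hypothetical. It
implements the rule the guide states (00:00:5E:00:01 followed by a sixth octet
equal to interface number + Cluster ID) and checks any number of clusters on
one subnet against each other.
"""
VMAC_PREFIX = (0x00, 0x00, 0x5E, 0x00, 0x01)


def virtual_mac(cluster_id: int, interface: int) -> str:
    """Virtual MAC for one interface of an active/passive cluster."""
    if cluster_id < 1 or interface < 0:
        raise ValueError("Cluster ID starts at 1, interface numbers at 0")
    sixth = interface + cluster_id
    if sixth > 0xFF:
        raise ValueError(f"interface {interface} + Cluster ID {cluster_id} exceeds one octet")
    return ":".join(f"{b:02X}" for b in VMAC_PREFIX + (sixth,))


def cluster_vmacs(cluster_id: int, interface_count: int) -> dict[int, str]:
    """Map interface number -> virtual MAC for interfaces 0 .. interface_count-1."""
    return {i: virtual_mac(cluster_id, i) for i in range(interface_count)}


def vmac_conflicts(clusters: dict[str, tuple[int, int]]) -> list[tuple[str, int, str, int, str]]:
    """Find virtual MACs shared between clusters on the same subnet.

    `clusters` maps a cluster name to (Cluster ID, number of interfaces).
    Returns (first cluster, its interface, second cluster, its interface, MAC)
    for every collision; an empty list means the chosen Cluster IDs are safe.
    """
    owner: dict[str, tuple[str, int]] = {}
    conflicts: list[tuple[str, int, str, int, str]] = []
    for name, (cluster_id, count) in clusters.items():
        for iface, mac in cluster_vmacs(cluster_id, count).items():
            if mac in owner:
                first_name, first_iface = owner[mac]
                conflicts.append((first_name, first_iface, name, iface, mac))
            else:
                owner[mac] = (name, iface)
    return conflicts


def next_free_cluster_id(clusters: dict[str, tuple[int, int]]) -> int:
    """Smallest Cluster ID whose interface 0 lands above every virtual MAC in use.

    For one existing cluster with Cluster ID 1 and 5 interfaces this is 6, the
    value the guide uses for its second cluster.
    """
    highest_octet = max(cluster_id + count - 1 for cluster_id, count in clusters.values())
    return highest_octet + 1


if __name__ == "__main__":
    # Constructed sample: the guide's first cluster (ID 1, 5 interfaces) and a
    # second cluster whose ID overlaps it.
    plan = {"cluster-A": (1, 5), "cluster-B": (5, 3)}
    for clash in vmac_conflicts(plan):
        print("conflict:", clash)
    print("next safe Cluster ID:", next_free_cluster_id({"cluster-A": (1, 5)}))
```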
Monitor and control FireCluster members
Use the IP address of the trusted interface to monitor and manage the cluster. When you monitor the
cluster in Firebox System Manager, you see an aggregated view of the devices in the cluster. In FSM, you
view the status of the cluster members as if the cluster were one device.
To monitor a cluster:
1. In Policy Manager, connect to the trusted IP address of the cluster.
2. Click .
Firebox System Manager appears.
When you connect to the trusted IP address of the cluster in Firebox System Manager, the clustered
devices appear on the Front Panel tab. The other tabs include information that is combined for all devices
in the cluster.
Monitor status of FireCluster members
When you monitor a FireCluster, the Firebox System Manager tabs include information about all devices in
the cluster. On the Front Panel tab, you can expand the cluster to view the status of each member. This
shows which device is the master, and the status of each device in the cluster. The other tabs include
information that is combined for all devices in the cluster.
Note You can also use the interface for management IP address to connect to and
monitor an individual cluster member. When you monitor only one cluster
member, you do not see all the information about the cluster. For more
information, see About the Interface for management IP address on page 243.
Monitor and control cluster members
You can also use Firebox System Manager to monitor and control individual cluster members. Although
FireCluster operations usually occur automatically, you can manually complete some of the functions in
Firebox System Manager.
To control cluster members:
1. Select Tools > Cluster.
2. Select an option:
- Discover a cluster member
- Force a failover of the cluster master
- Reboot a cluster member
- Shut down a cluster member
- Connect to a cluster member
- Make a member leave a cluster
- Make a member join a cluster
Discover a cluster member
When you add a device to a FireCluster, the cluster master automatically discovers the device. You can also
use the Discover member command to trigger the cluster master to discover a device. This can be a new
device or an existing cluster member.
Before you begin, make sure that the device is:
- Connected to the network correctly, as described in Connect the FireCluster hardware on page 249
- Configured as a cluster member in the cluster configuration. Use one of these methods:
  - Use the FireCluster Setup Wizard
  - Configure FireCluster manually
To trigger the cluster master to discover a device:
1. If this is a new device for this cluster, start the new device in safe mode.
For more information, see the subsequent section.
2. In WatchGuard System Manager, connect to the cluster master.
3. Start Firebox System Manager.
4. Select Tools > Cluster > Discover member.
The Discover member dialog box appears.
5. Type the configuration passphrase for the cluster.
A message appears to tell you the discovery process has started.
6. Click OK.
The cluster master tries to discover new devices connected to the cluster.
When the cluster master discovers a connected device, it checks the serial number of the device. If the
serial number matches the serial number of a cluster member in the FireCluster configuration, the cluster
master loads the cluster configuration on the second device. That device then becomes active in the
cluster. The second device synchronizes all cluster status with the cluster master.
After discovery and the initial synchronization is complete, the device appears on the Firebox System
Manager Front Panel tab as a member of the cluster.
Start your device in safe mode
1. Press and hold the down arrow on the device front panel while you power on the device.
2. For a Firebox X Core or Peak device, hold down the down arrow until WatchGuard Technologies
appears on the LCD display.
For a WatchGuard XTM device, hold down the down arrow until Safe Mode Starting... appears
on the LCD display.
3. Release the down arrow.
When the device is in safe mode, the model number followed by the word safe appears on the LCD display.
Force a failover of the cluster master
You can use the Firebox System Manager Failover Master command to force the cluster master to fail over.
The backup master becomes the cluster master, and the original master device becomes the backup
master.
1. Select Tools > Cluster > Failover master.
The Failover Master dialog box appears.
2. Type the configuration passphrase.
3. Click OK.
The cluster master fails over to the backup master, and the backup master becomes the master.
Reboot a cluster member
You can use the Reboot member command in Firebox System Manager to reboot a cluster member. This is
equivalent to the File > Reboot command that you use to reboot a non-clustered device.
1. Select Tools > Cluster > Reboot member.
The Reboot member dialog box appears.
2. Select the cluster member you want to reboot.
3. Type the configuration passphrase.
4. Click OK.
The cluster member reboots, and then rejoins the cluster.
If you reboot the cluster master, this triggers failover. The backup master becomes the master. After the
reboot is complete, the original master rejoins the cluster as the backup master.
Shut down a cluster member
You can use the Shutdown member command in Firebox System Manager to shut down a member of a
cluster. This is equivalent to the File > Shutdown command that you use to shut down a non-clustered
device.
1. Select Tools > Cluster > Shutdown member.
The Shutdown member dialog box appears.
2. Select the cluster member you want to shut down.
3. Type the configuration passphrase.
4. Click OK.
The cluster member shuts down. Any traffic handled by that cluster member shifts to the other cluster member.
When you shut down a cluster member, the LCD, the serial port, and all interfaces of the device are shut
down. The power indicator changes to orange, and the fans continue to run, but you cannot communicate
with the device. To restart the device after a shut down, you must press the power button to power off the
device. Then press the power button again to power on the device and restart it.
Connect to a cluster member
When you connect to a FireCluster with WatchGuard System Manager, the available information is
combined for all members of the cluster. To monitor an individual cluster member, you can connect to the
cluster member with Firebox System Manager (FSM). FSM has two available methods to connect to a
cluster member: the FSM main menu or the right-click menu.
To use the main menu:
1. Select Tools > Cluster > Connect to member.
The Connect to member dialog appears.
2. Select the cluster member to which you want to connect.
3. Click OK.
Another Firebox System Manager window opens for the selected cluster member.
To use the right-click menu:
1. On the Front Panel tab, select a cluster member.
2. Right-click the device and select Connect to Member.
Make a member leave a cluster
If you use the FireCluster management IP address to connect to the cluster member, the Leave command is
available in Firebox System Manager. The Leave command is part of the procedure to restore a FireCluster
backup image.
When a member leaves the cluster, it is still part of the cluster configuration, but does not participate in the
cluster. The other cluster member handles all traffic in the cluster after the second member has left.
To make a member leave the cluster:
1. In WatchGuard System Manager, use the FireCluster Management IP address to connect to the
backup master.
2. Start Firebox System Manager for the backup master.
3. Select Tools > Cluster > Leave.
The backup master leaves the cluster and reboots.
For information about the Management IP address, see About the Interface for management IP address on
page 243.
For information about how to restore a backup image to members of a cluster, see Restore a FireCluster
backup image on page 283.
Make a member join a cluster
The Join command is only available in Firebox System Manager if you connect to a cluster member with the
interface for management IP address, and if you previously used the Leave command to make the member leave
the cluster. The Leave and Join commands are part of the procedure to restore a FireCluster backup image.
1. In WatchGuard System Manager, use the FireCluster management IP address to connect to the
backup master.
If the backup image you restored has a different Management IP address for this cluster member or
a different passphrase, use the Management IP and passphrase from the backup image to reconnect
to the device in WSM.
2. Start Firebox System Manager for the backup master.
3. Select Tools > Cluster > Join.
The backup master reboots and rejoins the cluster.
For information about the Management IP address, see About the Interface for management IP address on
page 243.
For information about how to restore a backup image to members of a cluster, see Restore a FireCluster
backup image on page 283.
Remove or add a cluster member
You can use Policy Manager to remove and add devices to the FireCluster.
Remove a device from a FireCluster
To remove a device from a FireCluster:
1. In WatchGuard System Manager, open the configuration for the cluster master.
2. Click the Policy Manager icon.
Or, select Tools > Policy Manager.
Policy Manager appears.
3. Select FireCluster > Configure.
The FireCluster Cluster Configuration dialog box appears.
4. Click the Members tab.
A list of cluster members appears.
5. Select the name of the cluster member you want to delete.
6. Click Delete.
The device is removed from the member list.
7. Click OK.
8. Save the configuration file to the cluster.
The device is removed from the cluster.
Note When you save the configuration file to the cluster, Policy Manager checks to see if
the current cluster master is in the cluster configuration. If the device you removed
from the configuration is the current cluster master, Policy Manager attempts to
force a failover, so the backup master becomes the new cluster master. If the
failover succeeds, the configuration change is saved. If the failover does not
succeed, Policy Manager does not allow you to save the configuration to the
cluster.
After you remove a Firebox or XTM device from a cluster, when you save the configuration to the cluster
the device you removed reboots and all settings on the device are reset to factory defaults. The other
member becomes the cluster master.
For information about how to see which device is the cluster master, or to manually force failover from the
cluster master to another member, see Monitor and control FireCluster members on page 269.
Add a new device to a FireCluster
You can add a new cluster member on the FireCluster Configuration dialog box Members tab.
To add a new device to the cluster:
1. Click Add.
2. Configure the settings for the new cluster member as described in Configure FireCluster manually
on page 261.
When FireCluster is enabled, you must have at least one device in the cluster. To remove both devices from
the cluster, you must disable FireCluster.
Update the FireCluster configuration
You update the configuration of a FireCluster in much the same way that you update the configuration for
an individual Firebox or XTM device. You can only save an updated configuration to the cluster master.
1. In WatchGuard System Manager, click the Connect to Device icon.
Or, select File > Connect To Device.
The Connect to Firebox dialog box appears.
2. Select or type the trusted IP address for the cluster. Type the status (read-only) passphrase. Click OK.
The cluster appears as a device in the WatchGuard System Manager Device Status tab.
3. On the Device Status tab, select the cluster device.
4. Click the Policy Manager icon.
Or, select Tools > Policy Manager.
Policy Manager appears with the current configuration file for the cluster.
5. Make any configuration changes to the cluster.
6. Save the configuration file to the trusted IP address of the cluster.
When you save the configuration to a cluster, the cluster master automatically sends the updated
configuration to the other cluster member.
Configure FireCluster logging and notification
The Advanced tab in the FireCluster Configuration dialog box includes settings for logging and notification.
Log messages are always created for FireCluster events.
To configure notification settings for FireCluster failover and failback events:
1. Click Notification.
2. Select a notification method: SNMP trap, email message, or pop-up window.
For more information about notification settings, see Set logging and notification preferences on page 646.
To set the diagnostic log level for FireCluster events in Policy Manager:
1. Select Setup > Logging.
2. Click Diagnostic Log Level.
For more information about diagnostic logging, see Set the diagnostic log level on page 643.
About feature keys and FireCluster
Each device in a cluster has its own feature key. When you configure a FireCluster, you import feature keys
for each cluster member. The FireCluster has a set of Cluster Features, which apply to the whole cluster.
The Cluster Features are based on the feature keys for all devices in the cluster.
For more information about how to get a feature key for a device, see Get a feature key from LiveSecurity
on page 62.
When you enable a FireCluster, the subscription services and upgrades activated for cluster members
operate as follows:
LiveSecurity Service subscription
A LiveSecurity Service subscription applies to a single device, even when that device is configured as
a member of a cluster. You must have an active LiveSecurity Service subscription for each device in
the cluster. If the LiveSecurity subscription expires for a cluster member, you cannot upgrade the
Fireware XTM OS on that device.
BOVPN and Mobile VPN upgrades
Licenses for Branch Office VPN and Mobile VPN operate differently for an active/active cluster and an
active/passive cluster.
Active/Active: Licenses for Branch Office VPN and Mobile VPN are aggregated for devices
configured as a FireCluster. If you purchase additional BOVPN or Mobile VPN licenses for each
device in a cluster, that additional capacity is shared between the devices in the cluster. For
example, if you have two devices in a cluster and each device feature key has a capacity for 2000
Mobile VPN users, the effective license for the FireCluster is 4000 Mobile VPN users.
Active/Passive: Licenses for Branch Office and Mobile VPN are not aggregated for devices configured
as a FireCluster. The active device uses the highest capacity Branch Office and Mobile VPN activated
for either device. If you purchase additional BOVPN or Mobile VPN licenses for either device in a
cluster, the additional capacity is used by the active device.
Subscription Services
Subscription Services such as WebBlocker, spamBlocker, and Gateway AV operate differently for an
active/active cluster and an active/passive cluster.
Active/Active: You must have the same subscription services enabled in the feature keys for
both devices. Each cluster member applies the services from its own feature key.
Active/Passive: You must enable the subscription services in the feature key for only one cluster
member. The active cluster member uses the subscription services that are active in the
feature key of either cluster member.
Note In an active/active cluster, it is very important to renew subscription services for
both cluster members. If a subscription service expires on one member of an
active/active cluster, the service does not function for that member. The member
with the expired license continues to pass traffic, but does not apply the service to
that traffic.
See the feature keys and Cluster Features for a cluster
1. Open Policy Manager for the cluster master.
2. Select FireCluster > Configure.
3. Select the Members tab.
4. Select the FireCluster folder.
Tabs with the cluster features, and features for each cluster member, appear at the bottom of the dialog box.
5. To see the licensed features for the cluster, select the Cluster Features tab.
- The Expiration and Status columns show the latest expiration date and days remaining for that
service among the cluster members.
- The Value column shows the status or capacity of the feature for the cluster as a whole.
6. Select the Member tabs to see the individual licenses for each cluster member.
Make sure to check the expiration date on any services for each cluster member.
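The Python script below is an added illustration, not WatchGuard code, of the licensing rules described in this section: in an active/active cluster, BOVPN and Mobile VPN capacities are added together and a subscription service must be enabled in both feature keys, while in an active/passive cluster the highest capacity is used and a service enabled in either key is available to the active member. The two feature keys, the feature names, and the dates are constructed for the example; the expired-service check models the note above about an expired service on one member of an active/active cluster.

```python
"""Model of how Cluster Features are derived from member feature keys.

Added example (not WatchGuard code). The feature keys below are constructed;
the aggregation rules follow the text of the FireCluster licensing section.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Feature:
    enabled: bool
    value: int          # licensed capacity (e.g. Mobile VPN users); 0 for on/off services
    expiration: date    # expiration date of this feature in the member's key


# Licenses whose capacity is summed (active/active) or taken as the maximum (active/passive).
VPN_LICENSES = {"BOVPN", "Mobile VPN"}
# Subscription services: each member applies its own key (active/active),
# or the active member uses whichever key has the service (active/passive).
SUBSCRIPTION_SERVICES = {"WebBlocker", "spamBlocker", "Gateway AntiVirus"}

# Constructed feature keys for a two-member cluster (illustrative values only).
MEMBER_KEYS: Dict[str, Dict[str, Feature]] = {
    "member-1": {
        "BOVPN": Feature(True, 50, date(2011, 3, 1)),
        "Mobile VPN": Feature(True, 2000, date(2011, 3, 1)),
        "WebBlocker": Feature(True, 0, date(2010, 12, 31)),
        "Gateway AntiVirus": Feature(True, 0, date(2010, 9, 30)),
    },
    "member-2": {
        "BOVPN": Feature(True, 25, date(2011, 6, 1)),
        "Mobile VPN": Feature(True, 2000, date(2011, 6, 1)),
        "WebBlocker": Feature(False, 0, date(2010, 12, 31)),
        "Gateway AntiVirus": Feature(True, 0, date(2011, 1, 31)),
    },
}


def cluster_features(member_keys: Dict[str, Dict[str, Feature]], mode: str,
                     today: date) -> Dict[str, Tuple[bool, int, date, int]]:
    """Return {feature: (enabled, value, latest expiration, days remaining)} for the cluster."""
    active_active = mode == "active/active"
    names = set().union(*(key.keys() for key in member_keys.values()))
    result = {}
    for name in sorted(names):
        per_member = [key[name] for key in member_keys.values() if name in key]
        in_all_keys = len(per_member) == len(member_keys)
        if name in VPN_LICENSES:
            caps = [f.value for f in per_member if f.enabled]
            enabled = bool(caps)
            # Active/active aggregates capacity; active/passive uses the highest capacity.
            value = sum(caps) if active_active else max(caps, default=0)
        else:
            if active_active:
                # Both members must carry the service in their own key.
                enabled = in_all_keys and all(f.enabled for f in per_member)
            else:
                enabled = any(f.enabled for f in per_member)
            value = 0
        # The Cluster Features tab shows the latest expiration among the members.
        expiration = max(f.expiration for f in per_member)
        result[name] = (enabled, value, expiration, (expiration - today).days)
    return result


def expired_services(member_keys: Dict[str, Dict[str, Feature]],
                     today: date) -> List[Tuple[str, str]]:
    """Members whose subscription service has lapsed; in an active/active cluster
    that member still passes traffic but no longer applies the service."""
    return sorted((member, name)
                  for member, key in member_keys.items()
                  for name, f in key.items()
                  if name in SUBSCRIPTION_SERVICES and f.enabled and f.expiration < today)


if __name__ == "__main__":
    today = date(2010, 10, 15)   # constructed reference date
    for mode in ("active/active", "active/passive"):
        print(mode, cluster_features(MEMBER_KEYS, mode, today))
    print("expired:", expired_services(MEMBER_KEYS, today))
```

Because the Cluster Features tab reports the latest expiration across members, the per-member check in `expired_services` is the one to run when you audit an active/active cluster: a lapsed key on one member is not visible in the cluster-wide date.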
See or update the feature key for a cluster member
You can use Policy Manager to see or update the feature key for each cluster member.
1. Select FireCluster > Configure.
2. Select the Members tab.
3. In the FireCluster tree, select the member name. Click Edit.
The FireCluster Member Configuration dialog box appears.
4. Select the Feature Key tab.
The features that are available from this feature key appear. This tab also includes:
- Whether each feature is enabled or disabled
- A value assigned to the feature, such as the number of allowed VLAN interfaces
- The expiration date of the feature
- The amount of time that remains before the feature expires
5. Click Import.
The Import Firebox Feature Key dialog box appears.
6. To find the feature key file, click Browse.
Or, copy the text of the feature key file and click Paste to insert it in the dialog box. Click OK.
7. Save the configuration file.
The feature key is not copied to the device until you save the configuration file to the cluster master.
In Policy Manager, you can also select Setup > Feature Keys to see the feature key information for the
cluster.
See the FireCluster feature key in Firebox System Manager
You can also see the feature key from Firebox System Manager:
1. Select View > Feature Keys.
The Firebox Feature Key dialog appears with a summary of all devices in the cluster. The Licensed Features
section includes the features licensed for the entire cluster.
2. Click Details to see the details about the feature key for each device in the cluster.
3. Scroll down to see the feature key for the second device.
Create a FireCluster backup image
Because the cluster master synchronizes the configuration with the cluster members, you only have to back
up the image of the cluster master.
To create a backup of the flash image (.fxi) of the cluster master:
1. In WatchGuard System Manager, use the cluster trusted interface IP address to connect to the
cluster master.
2. Open Policy Manager for the cluster master.
3. Make a backup of the Firebox or XTM device image.
To create a backup image of an individual cluster member:
1. In WatchGuard System Manager, use the cluster trusted interface IP address to connect to the
cluster master.
2. Open Policy Manager for the cluster member.
3. Make a backup of the Firebox or XTM device image.
Note Make sure to keep a record of the management IP addresses and passphrases in
the backup image. If you restore a FireCluster from this image, you must have this
information to connect to the cluster members.
Restore a FireCluster backup image
To restore a FireCluster backup image to a cluster, you must restore the image to each cluster member one
at a time. The backup master must leave the cluster before you restore the backup image to each cluster
member. After you restore the configuration to both cluster members, the backup master must rejoin the
cluster.
When you restore a backup image, you must use the cluster Management IP address to connect to the
device. All other interfaces on the device are inactive until the final step when the backup master rejoins
the cluster.
For more information about the cluster Management IP address, see About the Interface for management
IP address.
Make the backup master leave the cluster
1. In WatchGuard System Manager, use the FireCluster Management IP address to connect to the
backup master.
2. Start Firebox System Manager for the backup master.
3. Select Tools > Cluster > Leave.
The backup master leaves the cluster and reboots.
Note Do not make configuration changes to the cluster master after the backup master
has left the cluster.
Restore the backup image to the backup master
1. In WatchGuard System Manager, use the FireCluster Management IP address to connect to the
backup master.
2. Start Policy Manager for the backup master.
3. Select File > Restore to restore the backup image.
The device restarts with the restored configuration.
For more information about the Restore command, see Restore a Firebox or XTM device backup
image on page 48.
Note After you restore the backup image to a cluster member, the device appears to be
a member of a cluster in WatchGuard System Manager and Firebox System
Manager. The cluster does not function until after the last step when the backup
master rejoins the cluster.
Restore the backup image to the cluster master
1. In WatchGuard System Manager, use the interface for management IP address to connect to the
cluster master.
2. Start Policy Manager for the cluster master.
3. Select File > Restore to restore the backup image.
The device restarts with the restored configuration.
For more information about the Restore command, see Restore a Firebox or XTM device backup
image on page 48.
4. In WatchGuard System Manager, use the interface for management IP address to connect to the
cluster master.
If the backup image you restored has a different interface for management IP address for this
cluster member or a different passphrase, use the interface for management IP and passphrase
from the backup image to reconnect to the device.
Make the backup master rejoin the cluster
1. In WatchGuard System Manager, use the management IP address to connect to the backup master.
If the backup image you restored has a different interface for management IP address for this
cluster member or a different passphrase, use the interface for management IP and passphrase
from the backup image to reconnect to the device.
2. Start Firebox System Manager for the backup master.
3. Select Tools > Cluster > Join.
The backup master reboots and rejoins the cluster.
Upgrade Fireware XTM for FireCluster members
To upgrade the Fireware XTM software for devices in a FireCluster configuration, you use Policy Manager.
When you upgrade the software on a device, the device reboots. When the upgrade is in progress, network
traffic is handled by the other device in the cluster. When the reboot completes, the device you upgraded
automatically rejoins the cluster. Because the cluster cannot do load balancing at the time of the reboot, if
you have an active/active cluster, we recommend you schedule the upgrade at a time when the network
traffic is lightest.
To upgrade Fireware XTM for a device in a cluster:
1. Open the cluster configuration file in Policy Manager.
2. Select File > Upgrade.
3. Type the configuration passphrase.
4. Type or select the location of the upgrade file.
5. To create a backup image, select Yes.
A list of the cluster members appears.
6. Select the check box for each device you want to upgrade.
A message appears when the upgrade for each device is complete.
When the upgrade is complete, each cluster member reboots and rejoins the cluster. If you upgrade both
devices in the cluster at the same time, the devices are upgraded one at a time. This is to make sure there is
not an interruption in network access at the time of the upgrade.
Policy Manager upgrades the backup master first. When the upgrade of the first member is complete, that
device becomes the new cluster master. Then Policy Manager upgrades the second device.
Note We recommend you use the same software version on both devices. A cluster
functions best if all devices in the cluster run the same software version.
If you want to upgrade the firmware from a remote location, make sure the interface for management IP
address is configured on the external interface, and the IP address is public and routable.
For more information, see About the Interface for management IP address on page 243.
Disable FireCluster
When you disable FireCluster, both cluster members reboot at the same time. We recommend that you
plan this for a time when you can have a brief network interruption.
To disable FireCluster:
1. In WatchGuard System Manager, open the configuration for the cluster master.
2. Click the Policy Manager icon.
Or, select Tools > Policy Manager.
3. Select FireCluster > Configure.
The FireCluster Cluster Configuration dialog box appears.
4. Clear the Enable FireCluster check box.
5. Click OK.
6. Save the configuration to the Firebox or XTM device.
The configuration is saved and both devices in the cluster reboot.
- The cluster master starts with the same IP addresses that were assigned to the cluster.
- The cluster backup master starts with the default IP addresses and configuration.
You can remove one member from the cluster and not disable the FireCluster feature. This results in a
cluster with only one member, but does not disable FireCluster or cause a network interruption.
For more information, see Remove or add a cluster member on page 275.
12
Authentication
About user authentication
User authentication is a process that determines whether a user is who he or she claims to be and verifies the
privileges assigned to that user. On the Firebox or XTM device, a user account has two parts: a user name
and a passphrase. Each user account is associated with an IP address. This combination of user name,
passphrase, and IP address helps the device administrator to monitor connections through the device. With
authentication, users can log in to the network from any computer, but access only the network ports and
protocols for which they are authorized. The Firebox or XTM device can then map the connections that start
from a particular IP address and also transmit the session name while the user is authenticated.
You can create firewall policies to give users and groups access to specified network resources. This is useful
in network environments where different users share a single computer or IP address.
You can configure your Firebox or XTM device as a local authentication server, or use your existing Active
Directory or LDAP authentication server, or an existing RADIUS authentication server. When you use
Firebox authentication over port 4100, account privileges can be based on user name. When you use
third-party authentication, account privileges for users that authenticate to the third-party authentication
servers are based on group membership.
The WatchGuard user authentication feature allows a user name to be associated with a specific IP address
to help you authenticate and track user connections through the device. With the device, the fundamental
question that is asked and answered with each connection is, "Should I allow traffic from source X to go to
destination Y?" For the WatchGuard authentication feature to work correctly, the IP address of the user's
computer must not change while the user is authenticated to the device.
In most environments, the relationship between an IP address and the user computer is stable enough to
use for authentication. Environments in which the association between the user and an IP address is not
consistent, such as kiosks or networks where applications are run from a terminal server, are usually not
good candidates for the successful use of the user authentication feature.
WatchGuard supports Authentication, Accounting, and Access control (AAA) in the firewall products, based
on a stable association between IP address and person.
The WatchGuard user authentication feature also supports authentication to an Active Directory domain
with Single Sign-On (SSO), as well as other common authentication servers. In addition, it supports inactivity
settings and session time limits. These controls restrict the amount of time an IP address is allowed to pass
traffic through the Firebox or XTM device before users must supply their passwords again (reauthenticate).
If you control SSO access with a white list and manage inactivity timeouts, session timeouts, and who is
allowed to authenticate, you can improve your control of authentication, accounting, and access control.
To prevent a user from authenticating, you must disable the account for that user on the authentication
server.
User authentication steps
An HTTPS server operates on the Firebox or XTM device to accept authentication requests. To authenticate,
a user must connect to the authentication portal web page on the Firebox or XTM device.
1. Go to either:
https://[device interface IP address]:4100/
or
https://[device hostname]:4100
An authentication web page appears.
2. Type a user name and password.
3. Select the authentication server from the drop-down list, if more than one type of authentication is
configured.
The Firebox or XTM device sends the name and password to the authentication server using PAP (Password
Authentication Protocol).
When authenticated, the user is allowed to use the approved network resources.
Note Because Fireware XTM uses a self-signed certificate by default for HTTPS, you see a
security warning from your web browser when you authenticate. You can safely
ignore this security warning. If you want to remove this warning, you can use a
third-party certificate or create a custom certificate that matches the IP address or
domain name used for authentication.
For more information, see Configure the web server certificate for Firebox
authentication on page 795.
Manually close an authenticated session
Users do not have to wait for the session timeout to close their authenticated sessions. They can manually
close their sessions before the timeout occurs. The Authentication web page must be open for a user to
close a session. If it is closed, the user must authenticate again to log out.
To close an authenticated session:
1. Go to the Authentication portal web page:
https://[device interface IP address]:4100/
or
https://[device host name]:4100
2. Click Logout.
Note If the Authentication portal web page is configured to automatically redirect to
another web page, the portal is redirected just a few seconds after you open it.
Make sure you log out before the page redirects.
Manage authenticated users
You can use Firebox System Manager to see a list of all the users authenticated to your Firebox or XTM
device, and close sessions for those users.
See authenticated users
To see the users authenticated to your Firebox or XTM device:
1. Start Firebox System Manager.
2. Select the Authentication List tab.
A list of all users authenticated to the Firebox appears.
Close a user session
From Firebox System Manager:
1. Select the Authentication List tab.
A list of all users authenticated to the Firebox appears.
2. Select one or more user names from the list.
3. Right-click the user name(s) and select Log Off User.
For more information, see Authenticated users (Authentication List) on page 694.
Use authentication to restrict incoming traffic
One function of the authentication tool is to restrict outgoing traffic. You can also use it to restrict incoming
network traffic. When you have an account on the Firebox or XTM device and the device has a public
external IP address, you can authenticate to the device from a computer external to the device.
For example, you can type this address in your web browser:
https://<IP address of Firebox or XTM device external interface>:4100/
After you authenticate, you can use the policies that are configured for you on the device.
To enable a remote user to authenticate from the external network:
1. In WatchGuard System Manager, connect to a device and open Policy Manager.
2. Double-click the WatchGuard Authentication policy. This policy appears after you add a user or
group to a policy configuration.
The Edit Policy Properties dialog box appears.
3. From the WG-Auth connections are drop-down list, make sure Allowed is selected.
4. Below the From window, click Add.
The Add Address dialog box appears.
5. Select Any from the list and click Add.
6. Click OK.
Any appears in the From window.
7. Below the To box, click Add.
8. Select Firebox from the list and click Add.
9. Click OK.
Firebox appears in the To window.
10. Click OK to close the Edit Policy Properties dialog box.
Use authentication through a gateway Firebox
The gateway Firebox is the device that you place in your network to protect your Management Server from
the Internet.
For more information, see About the gateway Firebox on page 495.
To send an authentication request through a gateway Firebox to a different device, you must have a policy
that allows the authentication traffic on the gateway device. If authentication traffic is denied on the
gateway device, use Policy Manager to add the WG-Auth policy. This policy controls traffic on TCP port
4100. You must configure the policy to allow traffic to the IP address of the destination device.
Set global authentication values
You can define the global authentication values (such as timeout values and authentication page
redirects) and enable Single Sign-On (SSO).
To configure authentication settings:
1. Open Policy Manager.
2. Select Setup > Authentication > Authentication Settings.
The Authentication Settings dialog box appears.
3. Configure authentication settings as described in the subsequent sections.
4. Click OK.
Set global authentication timeouts
You can set the time period that users remain authenticated after they close their last authenticated
connection. This timeout is set either in the Authentication Settings dialog box, or in the Setup Firebox
User dialog box.
For more information about user authentication settings and the Setup Firebox User dialog box, see Define
a new user for Firebox authentication on page 306.
For users authenticated by third-party servers, the timeouts set on those servers also override the global
authentication timeouts.
Authentication timeout values do not apply to Mobile VPN with PPTP users.
Session Timeout
The maximum length of time the user can send traffic to the external network. If you set this field to
zero (0) seconds, minutes, hours, or days, the session does not expire and the user can stay
connected for any length of time.
Idle Timeout
The maximum length of time the user can stay authenticated when idle (not passing any traffic to
the external network). If you set this field to zero (0) seconds, minutes, hours, or days, the session
does not timeout when idle and the user can stay idle for any length of time.
Allow multiple concurrent logins
You can allow more than one user to authenticate with the same user credentials at the same time, to one
authentication server. This is useful for guest accounts or in laboratory environments. When the second
user logs in with the same credentials, the first user authenticated with the credentials is automatically
logged out. If you do not allow this feature, a user cannot authenticate to the authentication server more
than once at the same time.
1. Go to the Authentication Settings dialog box.
2. Select the Allow multiple concurrent firewall authentication logins from the same account check box.
For Mobile VPN with IPSec and Mobile VPN with SSL users, concurrent logins from the same account are
always supported regardless of whether this check box is selected. These users must log in from different IP
addresses for concurrent logins, which means that they cannot use the same account to log in if they are
behind a Firebox or XTM device that uses NAT. Mobile VPN with PPTP users do not have this restriction.
Limit login sessions
From the Authentication Settings dialog box, you can limit your users to a single authenticated session. If
you select this option, your users cannot log in to one authentication server from different IP addresses with
the same credentials. When a user is authenticated, and tries to authenticate again, you can select whether
the first user session is terminated when the subsequent session is authenticated, or if the subsequent
session is rejected.
1. Select Limit users to a single login session.
2. From the drop-down list, select Reject subsequent login attempts, when the user is already logged
in or Logoff first session, when user logs in the second time.
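The Python script below is an added illustration, not WatchGuard code, of the session rules defined in the preceding sections: a Session Timeout and Idle Timeout where zero means the session never expires, and the Limit users to a single login session option with its two choices, Reject subsequent login attempts or Logoff first session. The table is keyed by client IP address, because the device associates each authenticated session with one IP address. User names, addresses and times are constructed; times are seconds from an arbitrary origin.

```python
"""Model of firewall-authentication session timeouts and single-login enforcement.

Added example (not WatchGuard code). Names, IP addresses and times are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

REJECT_SUBSEQUENT = "reject_subsequent"   # "Reject subsequent login attempts"
LOGOFF_FIRST = "logoff_first"             # "Logoff first session"


@dataclass
class Session:
    user: str
    ip: str
    login_time: float     # when the user authenticated
    last_traffic: float   # last time this IP address passed traffic


@dataclass
class AuthTable:
    """Authenticated-user table governed by the global authentication settings."""
    session_timeout: float = 0           # seconds; 0 means the session never expires
    idle_timeout: float = 0              # seconds; 0 means the session never idles out
    limit_single_session: bool = False   # "Limit users to a single login session"
    on_duplicate: str = REJECT_SUBSEQUENT
    sessions: Dict[str, Session] = field(default_factory=dict)   # keyed by client IP

    def login(self, user: str, ip: str, now: float) -> str:
        """Authenticate user from ip; returns "ok" or "rejected"."""
        elsewhere = [s for s in self.sessions.values() if s.user == user and s.ip != ip]
        if elsewhere and self.limit_single_session:
            if self.on_duplicate == REJECT_SUBSEQUENT:
                return "rejected"
            for s in elsewhere:              # Logoff first session: close the earlier login
                del self.sessions[s.ip]
        self.sessions[ip] = Session(user, ip, now, now)
        return "ok"

    def record_traffic(self, ip: str, now: float) -> None:
        """Traffic from an authenticated IP resets its idle clock."""
        if ip in self.sessions:
            self.sessions[ip].last_traffic = now

    def logout(self, ip: str) -> bool:
        """Manual logout from the authentication portal."""
        return self.sessions.pop(ip, None) is not None

    def expire(self, now: float) -> List[Tuple[str, str]]:
        """Close sessions that reached a timeout; returns (ip, reason) for each."""
        closed = []
        for ip, s in list(self.sessions.items()):
            if self.session_timeout and now - s.login_time >= self.session_timeout:
                closed.append((ip, "session_timeout"))
            elif self.idle_timeout and now - s.last_traffic >= self.idle_timeout:
                closed.append((ip, "idle_timeout"))
            else:
                continue
            del self.sessions[ip]
        return closed

    def users(self) -> Dict[str, List[str]]:
        """Current user -> sorted list of authenticated IP addresses."""
        out: Dict[str, List[str]] = {}
        for s in self.sessions.values():
            out.setdefault(s.user, []).append(s.ip)
        return {u: sorted(ips) for u, ips in out.items()}


def demo() -> dict:
    """Walk through the rules with constructed events; returns the observed outcomes."""
    r = {}
    t = AuthTable(session_timeout=8 * 3600, idle_timeout=15 * 60,
                  limit_single_session=True, on_duplicate=LOGOFF_FIRST)
    r["alice_first"] = t.login("alice", "10.0.1.20", now=0)
    r["alice_second"] = t.login("alice", "10.0.1.21", now=60)    # logs off 10.0.1.20
    r["after_logoff_first"] = t.users()
    t.login("bob", "10.0.1.30", now=600)
    t.record_traffic("10.0.1.21", now=1200)
    r["idle_closed"] = t.expire(now=1500)          # bob idle for 900 s; alice is not
    t.on_duplicate = REJECT_SUBSEQUENT
    r["reject_mode"] = t.login("alice", "10.0.1.20", now=1600)
    r["session_closed"] = t.expire(now=60 + 8 * 3600)   # alice reaches the session limit
    open_ended = AuthTable()                       # both timeouts zero: never expires
    open_ended.login("carol", "10.0.1.40", now=0)
    r["no_expiry"] = open_ended.expire(now=10 ** 9)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The last case in `demo()` is the one to note when you review a configuration: with both timeouts set to zero, an IP address that a user once authenticated from keeps its privileges until someone logs it out manually, which is exactly the situation the guide warns about for shared computers and changing addresses.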
Automatically redirect users to the login portal
If you require your users to authenticate before they can get access to the Internet, you can choose to
automatically send users who are not already authenticated to the authentication portal, or have them
manually navigate to the portal. This applies only to HTTP and HTTPS connections.
Auto redirect users to authentication page for authentication
When you select this check box, all users who have not yet authenticated are automatically
redirected to the authentication login portal when they try to get access to the Internet. If you do
not select this check box, unauthenticated users must manually navigate to the authentication login
portal.
For more information about user authentication, see User authentication steps on page 288.
Use a custom default start page
When you select the Auto redirect users to authentication page for authentication check box to require
your users to authenticate before they can get access to the Internet, the Authentication portal appears
when a user opens a web browser. If you want the browser to go to a different page after your users
successfully log in, you can define a redirect.
From the Authentication Settings dialog box:
1. Select the Send a redirect to the browser after successful authentication check box.
2. In the text box, type the URL of the web site to which users are redirected.
Set Management Session timeouts
Use these fields to set the time period that a user logged in with read/write privileges remains
authenticated before the Firebox or XTM device terminates the session.
Session Timeout
The maximum length of time the user can send traffic to the external network. If you set this field to
zero (0) seconds, minutes, hours, or days, the session does not expire and the user can stay
connected for any length of time.
Idle Timeout
The maximum length of time the user can stay authenticated when idle (not passing any traffic to
the external network). If you set this field to zero (0) seconds, minutes, hours, or days, the session
does not expire when the user is idle, and the user can stay idle for any length of time.
Enable Single Sign-On
When you enable Single Sign-On (SSO), users on trusted or optional networks automatically authenticate
when they log on to their computers.
For more information, see About Single Sign-On (SSO) on page 296.
About the WatchGuard Authentication (WG-Auth) policy
The WatchGuard Authentication (WG-Auth) policy is automatically added to your Firebox or XTM device
configuration. The first policy you add to your device configuration that has a user or group name in the
From field on the Policy tab of the policy definition, creates a WG-Auth policy. This policy controls access to
port 4100 on the device. Your users send authentication requests to the device through this port. For
example, to authenticate to a Firebox or XTM device with an IP address of 10.10.10.10, type
https://10.10.10.10:4100 in the web browser address bar.
If you want to send an authentication request through a gateway device to a different device, you might
have to add the WG-Auth policy manually. If authentication traffic is denied on the gateway device, you
must use Policy Manager to add the WG-Auth policy. Modify this policy to allow traffic to the IP address of
the destination device.
For more information on when to modify the WatchGuard Authentication policy, see Use authentication to
restrict incoming traffic on page 289.
About Single Sign-On (SSO)
When users log on to computers on your network, they must give a user name and password. If you use
Active Directory authentication on your Firebox or XTM device to restrict outgoing network traffic to
specified users or groups, they must also log on again when they manually authenticate to the device to
access network resources such as the Internet. You can use Single Sign-On (SSO) to enable users on the
trusted or optional networks to automatically authenticate to the Firebox or XTM device when they log on
to their computers.
WatchGuard SSO is a two-part solution that includes the SSO agent and SSO client services. For SSO to work,
you must install the SSO agent software on a computer in your domain. The SSO client software is optional
and is installed on each user's client computer.
The SSO agent software makes a call to the client computer over port 4116 to verify who is currently logged
in. If there is no response, the SSO agent reverts to the previous protocol from versions prior to WSM
10.2.4, and makes a NetWkstaUserEnum call to the client computer. It then uses the information it gets to
authenticate a user for Single Sign-On.
If the SSO client is not installed, the SSO agent can get more than one answer from the computer it queries.
This can occur if more than one user logs in to the same computer, or because of service or batch logons
that occur on the computer. The SSO agent uses only the first answer it gets from the computer, and
reports that user to the Firebox or XTM device as the user that is logged on. The device can then check the
user information against all the defined policies for that user and/or user group at one time. The SSO agent
caches this data for about 10 minutes by default so that a query does not have to be generated for every
connection.
When the SSO client software is installed, it receives the call from the SSO agent and returns accurate
information about the user who is currently logged in to the workstation. The SSO agent does not contact
the Active Directory server for user credentials, because it receives the correct information about who is
currently logged in to the computer, and to which Active Directory groups the user belongs, from the SSO
client.
If you work in an environment where more than one person uses a computer, we recommend that you
install the SSO client software. If you do not use the SSO client, there are access control limitations you must
be aware of. For example, for services installed on a client computer (such as a centrally administered
antivirus client) that have been deployed so that they log on with domain account credentials, the Firebox
or XTM device gives all users access rights as defined by the first user that is logged on (and the groups of
which that user is a member), and not the credentials of the individual users that log on interactively. Also,
all log messages generated from the user’s activity show the user name of the service account, and not the
individual user.
Note If you do not install the SSO client, we recommend you do not use SSO for
environments where users log on to computers with service or batch logons. When
more than one user is associated with an IP address, network permissions may not
operate correctly. This can be a security risk.
Before You Begin
• You must have an Active Directory server configured on a trusted or optional network.
• Your Firebox or XTM device must be configured to use Active Directory authentication.
• Each user must have an account set up on the Active Directory server.
• Each user must log on to a domain account for Single Sign-On (SSO) to operate correctly. If users log
on to an account that exists only on their local computers, their credentials are not checked and the
Firebox or XTM device does not recognize that they are logged in.
• If you use third-party firewall software on your network computers, make sure that TCP port 445
(Samba/Windows Networking) is open on each client.
• Make sure that printing and file sharing is enabled on every computer from which users
authenticate with SSO.
• Make sure that NetBIOS and SMB ports are not blocked on every computer from which users
authenticate with SSO. NetBIOS uses TCP/UDP ports 137, 138, and 139. SMB uses TCP port 445.
• Make sure that TCP port 4116 is open on the client computers.
• Make sure that all computers from which users authenticate with SSO are members of the domain
with unbroken trust relationships.
Set up SSO
To use SSO, you must install the SSO agent software. We recommend that you also install the SSO client on
your user's computers. Though you can use SSO with only the SSO agent, you increase your security and
access control when you also use the SSO client.
To set up SSO, follow these steps:
1. Install the WatchGuard Single Sign-On (SSO) agent.
2. Install the WatchGuard Single Sign-On (SSO) client (optional, but recommended).
3. Enable Single Sign-On (SSO).
Install the WatchGuard Single Sign-On (SSO) agent
To use Single Sign-On (SSO), you must install the WatchGuard SSO agent. The SSO agent is a service that
receives requests for Firebox authentication and checks user status with the Active Directory server. The
service runs with the name WatchGuard Authentication Gateway on the computer on which you install the
SSO agent software. This computer must have the Microsoft .NET Framework 2.0 or later installed.
Download the SSO agent software
1. Open a web browser and go to http://www.watchguard.com/.
2. Log in with your LiveSecurity Service user name and password.
3. Click the Software Downloads link.
4. Select your device type and model number.
5. Download the WatchGuard Authentication Gateway software and save the file to a convenient
location.
Before you install
The SSO agent service must run as a dedicated domain user account, not the built-in Administrator account.
We recommend that you create a new user account for this purpose. For the SSO agent service to operate
correctly, configure the user account with these properties:
• Add the account to the Domain Admin group.
• Make the Domain Admin group the primary group.
• Allow the account to log on as a service.
• Set the password to never expire.
Because membership in the Domain Admin group gives this account full rights in the domain, protect the
computer that runs the SSO agent as you would a domain controller: restrict who can log on to it, and do
not reuse this account for any other service.
Install the SSO agent service
1. Double-click WG-Authentication-Gateway.exe to start the Authentication Gateway Setup Wizard.
On some operating systems, you might need to type a local administrator password to run the
installer.
2. To install the software, use the instructions on each page and complete the wizard.
For the domain user name, you must type the user name in the form domain\username. Do not include
the .com or .net part of the domain name.
For example, if your domain is mywatchguard.com and you use the domain account ssoagent, type
mywatchguard\ssoagent.
You can also use the UPN form of the user name: ssoagent@mywatchguard.com. If you use the UPN form
of the user name, you must include the .com or .net part of the domain name.
3. Click Finish to close the wizard.
After the wizard completes, the WatchGuard Authentication Gateway service starts automatically. Each
time the computer starts, the service starts automatically.
Install the WatchGuard Single Sign-On (SSO) client
As a part of the WatchGuard Single Sign-On (SSO) solution, you can install the WatchGuard SSO client. The
SSO client installs as a Windows service that runs under the Local System account on a workstation to verify
the credentials of the user currently logged in to that computer. When a user tries to authenticate, the SSO
agent sends a request to the SSO client for the user's credentials. The SSO client then returns the
credentials of the user who is logged in to the workstation.
The SSO client listens on port 4116.
Because the SSO client installer is an MSI file, you can choose to automatically install it on your user's
computers when they log on to your domain. You can use Active Directory Group Policy to automatically
install software when users log on to your domain. For more information about software installation
deployment for Active Directory group policy objects, see the documentation for your operating system.
Download the SSO client software
1. Use your web browser to go to http://www.watchguard.com/.
2. Log in with your LiveSecurity Service user name and password.
3. Click the Software Downloads link.
4. Select your device type and model number.
5. Download the WatchGuard Authentication Client software and save the file to a convenient location.
Install the SSO client service
1. Double-click WG-Authentication-Client.msi to start the Authentication Client Setup Wizard.
On some operating systems, you might need to type a local administrator password to run the
installer.
2. To install the software, use the instructions on each page and complete the wizard.
To see which drives are available to install the client, and how much space is available on each of
these drives, click Disk Cost.
3. Click Close to exit the wizard.
After the wizard completes, the WatchGuard Authentication Client service starts automatically. Each
time the computer starts, the service starts automatically.
Enable Single Sign-On (SSO)
Before you can configure SSO, you must:
• Configure your Active Directory server
• Install the WatchGuard Single Sign-On (SSO) agent
• Install the WatchGuard Single Sign-On (SSO) client (optional)
Enable and configure SSO
To enable and configure SSO from Policy Manager:
1. Select Setup > Authentication > Authentication Settings.
The Authentication Settings dialog box appears.
2. Select the Enable Single Sign-On (SSO) with Active Directory check box.
3. In the SSO Agent IP address text box, type the IP address of your SSO Agent.
4. In the Cache data for text box, type or select the amount of time the SSO Agent caches data.
5. In the SSO Exceptions list, add or remove the host IP addresses for which you do not want the
device to send SSO queries.
For more information about SSO exceptions, see the subsequent section.
6. Click OK to save your changes.
Define SSO exceptions
If your network includes devices with IP addresses that do not require authentication, such as network
servers, print servers, or computers that are not part of the domain, we recommend that you add their IP
addresses to the SSO Exceptions list. Each time a connection from one of these devices occurs and the IP
address for the device is not in the exceptions list, the Firebox or XTM device contacts the SSO agent to try
to associate the IP address with a user name. This takes about 10 seconds. Use the exceptions list to prevent
this delay for each connection and reduce unnecessary network traffic.
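The lookup order described for the SSO agent (SSO client on port 4116 first, then the NetWkstaUserEnum fallback over SMB) and the exceptions-list advice above can be turned into a pre-deployment check. The following Python script is an added example, not WatchGuard code: it probes each host the way the agent would and sorts hosts into those with the SSO client, those that will fall back to the first-logon query, and those the agent cannot reach at all. The hosts, their open ports and the constructed_probe stand-in are made up so the example runs offline; tcp_open is the real probe, and it assumes that a successful TCP connect is a fair proxy for the service being reachable.

```python
"""Pre-deployment check for WatchGuard SSO: which hosts answer on 4116, which
only on 445, and which the agent cannot query at all (added example)."""
import socket

SSO_CLIENT_PORT = 4116   # the SSO client service listens here (from the guide)
SMB_PORT = 445           # the NetWkstaUserEnum fallback runs over SMB (from the guide)


def tcp_open(host, port, timeout=2.0):
    """Real probe: a TCP connect with a short timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify_host(host, probe=tcp_open):
    """Mirror the agent's lookup order and return one of:
    'sso-client'     : client answers on 4116, per-user result is accurate
    'agent-fallback' : no client; the agent uses the first logon NetWkstaUserEnum
                       returns, so a service or batch logon can be reported instead
    'unreachable'    : neither path; every new connection from this IP waits
                       about 10 seconds for a lookup that cannot succeed"""
    if probe(host, SSO_CLIENT_PORT):
        return "sso-client"
    if probe(host, SMB_PORT):
        return "agent-fallback"
    return "unreachable"


def plan_sso(hosts, declared_servers=(), probe=tcp_open):
    """declared_servers: IPs the administrator knows have no interactive users
    (file/print servers, non-domain devices). They go straight to the exceptions list."""
    report = {"sso-client": [], "agent-fallback": [], "unreachable": [], "exceptions": []}
    for host in hosts:
        if host in declared_servers:
            report["exceptions"].append(host)
            continue
        state = classify_host(host, probe)
        report[state].append(host)
        if state == "unreachable":
            report["exceptions"].append(host)   # review: fix the host firewall if it is a workstation
    return report


# Constructed inventory standing in for real hosts so the example runs offline.
CONSTRUCTED_OPEN_PORTS = {
    "10.0.1.10": {4116, 445},   # workstation with the SSO client installed
    "10.0.1.11": {445},         # domain workstation without the client
    "10.0.1.20": {445},         # file server: reachable, but nobody logs on interactively
    "10.0.1.30": set(),         # printer: not a domain member
}


def constructed_probe(host, port, timeout=2.0):
    """Offline stand-in for tcp_open that answers from the constructed inventory."""
    return port in CONSTRUCTED_OPEN_PORTS.get(host, set())


def demo():
    return plan_sso(sorted(CONSTRUCTED_OPEN_PORTS), declared_servers={"10.0.1.20"},
                    probe=constructed_probe)


if __name__ == "__main__":
    for state, hosts in demo().items():
        print(f"{state:15s} {', '.join(hosts) or '-'}")
```

Run plan_sso with the default tcp_open against the hosts on your trusted and optional networks. Hosts listed under agent-fallback are the ones where a service or batch logon can be reported as the interactive user, so they are the first candidates for the SSO client. An unreachable host that is a user workstation needs TCP 445 and 4116 opened on its host firewall rather than an exceptions entry; only hosts with no interactive users belong on the exceptions list.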
Authentication server types
The Fireware XTM OS supports six authentication methods:
• Configure your Firebox or XTM device as an authentication server
• Configure RADIUS server authentication
• Configure VASCO server authentication
• Configure SecurID authentication
• Configure LDAP authentication
• Configure Active Directory authentication
You can configure one or more authentication server types for a Firebox or XTM device. If you use more
than one type of authentication server, users must select the authentication server type from a drop-down
list when they authenticate.
About using third-party authentication servers
If you use a third-party authentication server, you do not have to keep a separate user database on the
Firebox or XTM device. You can configure a third-party server, install the authentication server with access
to the device, and put the server behind the device for security. You then configure the device to forward
user authentication requests to that server. If you create a user group on the device that authenticates to a
third-party server, make sure you create a group on the server that has the same name as the user group
on the device.
To configure a Firebox or XTM device for third-party authentication servers, see:
• Configure RADIUS server authentication
• Configure VASCO server authentication
• Configure SecurID authentication
• Configure LDAP authentication
• Configure Active Directory authentication
Use a backup authentication server
You can configure a primary and a backup authentication server with any of the third-party authentication
types. If the Firebox or XTM device cannot connect to the primary authentication server after three
attempts, the primary server is marked as inactive and an alarm message is generated. The device then
connects to the backup authentication server.
If the Firebox or XTM device cannot connect to the backup authentication server, it waits ten minutes, and
then tries to connect to the primary authentication server again. The inactive server is marked as active
after the specified time interval is reached.
Configure your Firebox or XTM device as an authentication server
If you do not use a third-party authentication server, you can use the Firebox or XTM device as an
authentication server. This procedure divides your company into groups and users for authentication. When
you assign users to groups, make sure to associate them by their tasks and the information they use. For
example, you can have an accounting group, a marketing group, and a research and development group.
You can also have a new employee group with more controlled access to the Internet.
When you create a group, you set the authentication procedure for the users, the system type, and the
information they can access. A user can be a network or one computer. If your company changes, you can
add or remove users from your groups.
The Firebox authentication server is enabled by default. You do not have to enable it before you add users
and groups.
Types of Firebox authentication
You can configure your Firebox or XTM device to authenticate users with four different types of
authentication:
• Firewall authentication
• Mobile VPN with PPTP connections
• Mobile VPN with IPSec connections
• Mobile VPN with SSL connections
When authentication is successful, the Firebox or XTM device links these items:
• User name
• Firebox User group (or groups) of which the user is a member
• IP address of the computer used to authenticate
• Virtual IP address of the computer used to connect with Mobile VPN
Firewall authentication
You create user accounts and groups to enable your users to authenticate. When a user authenticates with
the Firebox or XTM device, the user credentials and computer IP address are used to find whether a policy
applies to the traffic that computer sends and receives.
To create a Firebox user account:
1. Define a new user for Firebox authentication.
2. Define a new group for Firebox authentication and put the new user in that group.
3. Create a policy that allows traffic only to or from a list of Firebox user names or groups.
This policy is applied only if a packet comes from or goes to the IP address of the authenticated user.
To authenticate with an HTTPS connection to the Firebox or XTM device over port 4100:
1. Open a web browser and go to:
https://<IP address of a Firebox or XTM device interface>:4100/
2. Type the Username and Password.
3. Select the Domain from the drop-down list.
This field only appears if you can choose from more than one domain.
4. Click Login.
If the credentials are valid, the user is authenticated.
Mobile VPN with PPTP connections
When you activate Mobile VPN with PPTP on your Firebox or XTM device, users included in the Mobile VPN
with PPTP group can use the PPTP feature included in their computer operating system to make a PPTP
connection to the device.
Because the Firebox or XTM device allows the PPTP connection from any Firebox user that gives the correct
credentials, it is important that you make a policy for PPTP sessions that includes only users you want to
allow to send traffic over the PPTP session. You can also add a group or individual user to a policy that
restricts access to resources behind the Firebox or XTM device. The Firebox or XTM device creates a preconfigured group called PPTP-Users for this purpose.
To configure a Mobile VPN with PPTP connection:
1. From Policy Manager, select VPN > Mobile VPN > PPTP.
2. Select the Activate Mobile VPN with PPTP check box.
3. Make sure the Use RADIUS authentication to authenticate Mobile VPN with PPTP users check box
is not selected. If this check box is selected, the RADIUS authentication server authenticates the
PPTP session. If you clear this check box, the Firebox or XTM device authenticates the PPTP session.
The Firebox or XTM device checks to see whether the user name and password the user types in
the VPN connection dialog box match the user credentials in the Firebox User database that is a
member of the PPTP-Users group.
If the credentials supplied by the user match an account in the Firebox User database, the user is
authenticated for a PPTP session.
4. Create a policy that allows traffic only from or to a list of Firebox user names or groups.
The Firebox or XTM device does not look at this policy unless traffic comes from or goes to the IP address of
the authenticated user.
Mobile VPN with IPSec connections
When you configure your Firebox or XTM device to host Mobile VPN with IPSec sessions, you create
policies on your device and then use the Mobile VPN with IPSec client to enable your users to access your
network. After the Firebox or XTM device is configured, each client computer must be configured with the
Mobile VPN with IPSec client software.
When the user's computer is correctly configured, the user makes the Mobile VPN connection. If the
credentials used for authentication match an entry in the Firebox User database, and if the user is in the
Mobile VPN group you create, the Mobile VPN session is authenticated.
To set up authentication for Mobile VPN with IPSec:
1. Configure a Mobile VPN with IPSec connection.
2. Install the Mobile VPN with IPSec client software.
Mobile VPN with SSL connections
You can configure the Firebox or XTM device to host Mobile VPN with SSL sessions. When the Firebox or
XTM device is configured with a Mobile VPN with SSL connection, users included in the Mobile VPN with
SSL group can install and use the Mobile VPN with SSL client software to make an SSL connection.
Because the Firebox or XTM device allows the SSL connection from any of your users who give the correct
credentials, it is important that you make a policy for SSL VPN sessions that includes only users you want to
allow to send traffic over SSL VPN. You can also add these users to a Firebox User Group and make a policy
that allows traffic only from this group. The Firebox or XTM device creates a pre-configured group called
SSLVPN-Users for this purpose.
To configure a Mobile VPN with SSL connection:
1. From Policy Manager, select VPN > Mobile VPN > SSL.
The Mobile VPN with SSL Configuration dialog box appears.
2. Configure the Firebox or XTM device for Mobile VPN with SSL.
Define a new user for Firebox authentication
You can use Policy Manager to specify which users can authenticate to your Firebox or XTM device.
1. Select Setup > Authentication > Authentication Servers.
The Authentication Servers dialog box appears.
2. From the Firebox tab, in the Users section, click Add.
The Setup Firebox User dialog box appears.
3. Type the Name and (optional) a Description of the new user.
4. Type and confirm the Passphrase you want the person to use to authenticate.
Note When you set this passphrase, the characters are masked and it does not appear in
simple text again. If you lose the passphrase, you must set a new passphrase.
5. In the Session Timeout text box, type or select the maximum length of time the user can send traffic
to the external network.
The minimum setting for this field is one (1) seconds, minutes, hours, or days. The maximum value is
365 days.
6. In the Idle Timeout text box, type or select the length of time the user can stay authenticated when
idle (not passing any traffic to the external network).
The minimum setting for this field is one (1) seconds, minutes, hours, or days. The maximum value is
365 days.
7. To add a user to a Firebox Authentication Group, select the user name in the Available list.
8. Click the button between the lists to move the name to the Member list.
Or, you can double-click the user name in the Available list.
The user is added to the user list. You can then add more users.
9. To close the Setup Firebox User dialog box, click OK.
The Firebox Users tab appears with a list of the new users.
Define a new group for Firebox authentication
You can use Policy Manager to specify which user groups can authenticate to your Firebox or XTM device.
1. Select Setup > Authentication > Authentication Servers.
The Authentication Servers dialog box appears.
2. Select the Firebox tab.
3. In the User Groups section, click Add.
The Setup Firebox Group dialog box appears.
4. Type a name for the group.
5. (Optional) Type a description for the group.
6. To add a user to the group, select the user name in the Available list. Click the button between the
lists to move the name to the Member list.
You can also double-click the user name in the Available list.
7. After you add all necessary users to the group, click OK.
You can now configure policies and authentication with these users and groups, as described in Use
authorized users and groups in policies on page 328.
Configure RADIUS server authentication
RADIUS (Remote Authentication Dial-In User Service) authenticates the local and remote users on a
company network. RADIUS is a client/server system that keeps the authentication information for users,
remote access servers, VPN gateways, and other resources in one central database.
For more information on RADIUS authentication, see How RADIUS server authentication works on page 311.
Authentication key
The authentication messages to and from the RADIUS server use an authentication key, not a password. This
authentication key, or shared secret, must be the same on the RADIUS client and server. The device uses the
secret to obfuscate the user password in each Access-Request and to check the authenticator on each reply.
If the secrets do not match, the server cannot recover the password and the device rejects the server's
response, so no user can authenticate.
RADIUS authentication methods
For web and Mobile VPN with IPSec or SSL authentication, RADIUS supports only PAP (Password
Authentication Protocol) authentication. With PAP, the user password travels in the Access-Request
protected only by the MD5-based obfuscation that RADIUS derives from the shared secret, so use a long,
random shared secret and keep the path between the device and the RADIUS server on a trusted network.
For authentication with PPTP, RADIUS supports only MSCHAPv2 (Microsoft Challenge-Handshake
Authentication Protocol version 2).
Before you begin
Before you configure your Firebox or XTM device to use your RADIUS authentication server, you must have
this information:
• Primary RADIUS server — IP address and RADIUS port
• Secondary RADIUS server (optional) — IP address and RADIUS port
• Shared secret — Case-sensitive password that is the same on the Firebox or XTM device and the
RADIUS server
• Authentication methods — Set your RADIUS server to allow the authentication method your Firebox
or XTM device uses: PAP or MS CHAP v2
Use RADIUS server authentication with your Firebox or XTM device
To use RADIUS server authentication with your Firebox or XTM device, you must:
• Add the IP address of the Firebox or XTM device to the RADIUS server as described in the
documentation from your RADIUS vendor.
• Enable and specify the RADIUS server in your Firebox or XTM device configuration.
• Add RADIUS user names or group names to your policies.
To enable and specify the RADIUS server(s) in your configuration:
From Policy Manager:
1. Select Setup > Authentication > Authentication Servers (or click the corresponding toolbar icon).
The Authentication Servers dialog box appears.
2. Select the RADIUS tab.
3. To enable the RADIUS server, select the Enable RADIUS server check box.
4. In the IP Address text box, type the IP address of the RADIUS server.
5. In the Port text box, make sure that the port number RADIUS uses for authentication appears. The
default port number is 1812. Older RADIUS servers might use port 1645.
6. In the Secret text box, type the shared secret between the Firebox or XTM device and the RADIUS
server.
The shared secret is case-sensitive, and it must be the same on the Firebox or XTM device and the
RADIUS server.
7. In the Confirm Secret text box, type the shared secret again.
8. Type or select the Timeout value.
The timeout value is the amount of time the Firebox or XTM device waits for a response from the
authentication server before it tries to connect again.
9. In the Retries text box, type or select the number of times the Firebox or XTM device tries to
connect to the authentication server (the timeout is specified above) before it reports a failed
connection for one authentication attempt.
10. In the Group Attribute text box, type or select an attribute value. The default group attribute is
FilterID, which is RADIUS attribute 11.
The group attribute value is used to set the attribute that carries the User Group information. You
must configure the RADIUS server to include the Filter ID string with the user authentication
message it sends to the Firebox or XTM device. For example, engineerGroup or financeGroup. This
information is then used for access control. The Firebox or XTM device matches the FilterID string to
the group name configured in the Firebox or XTM device policies.
11. In the Dead Time text box, type or select the amount of time after which an inactive server is
marked as active again. Select minutes or hours from the drop-down list to change the duration.
After an authentication server has not responded for a period of time, it is marked as inactive.
Subsequent authentication attempts will not try this server until it is marked as active again.
12. To add a backup RADIUS server, select the Secondary Server Settings tab, and select the Enable a
secondary RADIUS server check box.
13. Repeat Steps 4–11 to add the information in the required fields. Make sure the shared secret is the
same on the primary and backup RADIUS server.
For more information, see Use a backup authentication server on page 302.
14. Click OK.
15. Save the configuration file.
How RADIUS server authentication works
RADIUS is a protocol that was originally designed to authenticate remote users to a dial-in access server.
RADIUS is now used in a wide range of authentication scenarios. RADIUS is a client-server protocol, with the
Firebox or XTM device as the client and the RADIUS server as the server. (The RADIUS client is sometimes
called the Network Access Server or NAS.) When a user tries to authenticate, the Firebox or XTM device
sends a message to the RADIUS server. If the RADIUS server is properly configured to have the Firebox or
XTM device as a client, RADIUS sends an accept or reject message back to the Firebox or XTM device (the
Network Access Server).
When the Firebox or XTM device uses RADIUS for an authentication attempt:
1. The user tries to authenticate, either through a browser-based HTTPS connection to the Firebox or
XTM device over port 4100, or through a connection using Mobile VPN with PPTP or IPSec. The
Firebox or XTM device reads the user name and password.
2. The Firebox or XTM device creates a message called an Access-Request message and sends it to the
RADIUS server. The Firebox or XTM device uses the RADIUS shared secret in the message. The
password is never sent in clear text; it is obfuscated with the shared secret in the User-Password
attribute of the Access-Request message.
3. The RADIUS server makes sure that the Access-Request message is from a known client (the Firebox
or XTM device). If the RADIUS server is not configured to accept the Firebox or XTM device as a
client, the server discards the Access-Request message and does not send a message back.
4. If the Firebox or XTM device is a client known to the RADIUS server and the shared secret is correct,
the server looks at the authentication method requested in the Access-Request message.
5. If the Access-Request message uses an allowed authentication method, the RADIUS server gets the
user credentials from the message and looks for a match in a user database. If the user name and
password match an entry in the database, the RADIUS server can get additional information about
the user from the user database (such as remote access approval, group membership, logon hours,
and so on).
6. The RADIUS server checks to see whether it has an access policy or a profile in its configuration that
matches all the information it has about the user. If such a policy exists, the server sends a response.
7. If any of the previous conditions fail, or if the RADIUS server has no matching policy, it sends an
Access-Reject message that shows authentication failure. The RADIUS transaction ends and the user
is denied access.
8. If the Access-Request message meets all the previous conditions, RADIUS sends an Access-Accept
message to the Firebox or XTM device.
9. The RADIUS server uses the shared secret for any response it sends. If the shared secret does not
match, the Firebox or XTM device rejects the RADIUS response.
To see diagnostic log messages for authentication, Set the diagnostic log level and change the log
level for the Authentication category.
10. The Firebox or XTM device reads the value of any FilterID attribute in the message. It connects the
user name with the FilterID attribute to put the user in a RADIUS group.
11. The RADIUS server can put a large amount of additional information in the Access-Accept message.
The Firebox or XTM device ignores most of this information, such as the protocols the user is
allowed to use (such as PPP or SLIP), the ports the user can access, idle timeouts, and other
attributes.
12. The only attribute the Firebox or XTM device looks for in the Access-Accept message is the FilterID
attribute (RADIUS attribute number 11). The FilterID is a string of text that you configure the RADIUS
server to include in the Access-Accept message. This attribute is necessary for the Firebox or XTM
device to assign the user to a RADIUS group.
For more information on RADIUS groups, see the subsequent section.
About RADIUS groups
When you configure RADIUS authentication, you can set the Group Attribute number. Fireware XTM reads the
Group Attribute number from Policy Manager to tell which RADIUS attribute carries RADIUS group information.
Fireware XTM recognizes only RADIUS attribute number 11, FilterID, as the Group Attribute. When you
configure the RADIUS server, do not change the Group Attribute number from its default value of 11.
When the Firebox or XTM device gets the Access-Accept message from RADIUS, it reads the value of the
FilterID attribute and uses this value to associate the user with a RADIUS group. (You must manually
configure the FilterID in your RADIUS configuration.) Thus, the value of the FilterID attribute is the name of
the RADIUS group where the Firebox or XTM device puts the user.
The RADIUS groups you use in Policy Manager are not the same as the Windows groups defined in your
domain controller, or any other groups that exist in your domain user database. A RADIUS group is only a
logical group of users the Firebox or XTM device uses. Make sure you carefully select the FilterID text string.
You can make the value of the FilterID match the name of a local group or domain group in your
organization, but this is not necessary. We recommend you use a descriptive name that helps you
remember how you defined your user groups.
Practical use of RADIUS groups
If your organization has many users to authenticate, you can make your Firebox or XTM device policies
easier to manage if you configure RADIUS to send the same FilterID value for many users. The Firebox or
XTM device puts those users into one logical group so you can easily administer user access. When you
make a policy in Policy Manager that allows only authenticated users to access a network resource, you use
the RADIUS Group name instead of adding a list of many individual users.
For example, when Mary authenticates, the FilterID string RADIUS sends is Sales, so the Firebox or XTM
device puts Mary in the Sales RADIUS group for as long as she is authenticated. If users John and Alice
subsequently authenticate, and RADIUS puts the same FilterID value Sales in the Access-Accept messages
for John and Alice, then Mary, John, and Alice are all in the Sales group. You can make a policy in Policy
Manager that allows the group Sales to access a resource.
You can configure RADIUS to return a different FilterID, such as IT Support, for the members of your
internal support organization. You can then make a different policy to allow IT Support users to access
resources.
For example, you might allow the Sales group to access the Internet using a Filtered-HTTP policy. Then you
can filter their web access with WebBlocker. A different policy in Policy Manager can allow the IT Support
users to access the Internet with the Unfiltered-HTTP policy, so that they access the web without
WebBlocker filtering. You use the RADIUS group name (or user names) in the From field of a policy to show
which group (or which users) can use the policy.
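The following Python script is an added example, not part of the guide or of WatchGuard's software. It builds constructed Access-Accept packets for the users named above, verifies each reply's Response Authenticator with the shared secret before trusting it, and places the users into logical groups by the Filter-Id (attribute 11) value. The shared secret, the fixed Request Authenticator and the packets themselves are constructed test data.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
FILTER_ID = 11                              # Filter-Id: the attribute read as the Group Attribute
SECRET = b"constructed-shared-secret"       # constructed sample value, not a real secret


def parse_attributes(payload):
    """Split the RADIUS attribute area into (type, value) pairs, rejecting malformed TLVs."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("attribute length out of range")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def response_authenticator_ok(packet, request_authenticator, secret):
    """RFC 2865: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    A wrong shared secret fails here, which the guide counts as one failed attempt."""
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:length] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def group_from_access_accept(packet, request_authenticator, secret):
    """Return the RADIUS group name carried in Filter-Id, or None if the reply cannot be trusted."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    if not response_authenticator_ok(packet, request_authenticator, secret):
        return None                         # secret mismatch or forged reply
    if code != ACCESS_ACCEPT:
        return None                         # Access-Reject / Access-Challenge carry no group
    for atype, value in parse_attributes(packet[20:length]):
        if atype == FILTER_ID:
            return value.decode("utf-8", "replace")
    return None                             # accepted, but the server sent no group


def build_access_accept(ident, request_authenticator, secret, filter_id):
    """Construct an Access-Accept the way a RADIUS server would (test data, not a capture)."""
    fid = filter_id.encode()
    attrs = bytes([FILTER_ID, 2 + len(fid)]) + fid
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs


def assign_groups(replies, secret):
    """Map each user to the logical RADIUS group named by its Filter-Id, as the device does."""
    groups = {}
    for user, request_authenticator, packet in replies:
        group = group_from_access_accept(packet, request_authenticator, secret)
        if group is not None:
            groups.setdefault(group, []).append(user)
    return groups


def sample_replies():
    """Constructed replies for the users in the text; the Request Authenticator is a fixed stand-in."""
    req_auth = bytes(range(16))
    return [
        ("Mary", req_auth, build_access_accept(1, req_auth, SECRET, "Sales")),
        ("John", req_auth, build_access_accept(2, req_auth, SECRET, "Sales")),
        ("Alice", req_auth, build_access_accept(3, req_auth, SECRET, "Sales")),
        ("Bob", req_auth, build_access_accept(4, req_auth, SECRET, "IT Support")),
        # signed with the wrong secret: must not place the user in any group
        ("Eve", req_auth, build_access_accept(5, req_auth, b"wrong-secret", "IT Support")),
    ]


if __name__ == "__main__":
    print(assign_groups(sample_replies(), SECRET))
```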
Timeout and retry values
An authentication failure occurs when no response is received from the primary RADIUS server. After
three authentication attempts fail, Fireware XTM uses the secondary RADIUS server. This process is called
failover.
Note This number of authentication attempts is not the same as the Retry number. You
cannot change the number of authentication attempts before failover occurs.
The Firebox or XTM device sends an Access-Request message to the first RADIUS server in the list. If there is
no response, the Firebox or XTM device waits the number of seconds set in the Timeout box, and then it
sends another Access-Request. This continues for the number of times indicated in the Retry box (or until
there is a valid response). If there is no valid response from the RADIUS server, or if the RADIUS shared
secret does not match, Fireware XTM counts this as one failed authentication attempt.
After three authentication attempts fail, Fireware XTM uses the secondary RADIUS server for the next
authentication attempt. If the secondary server also fails to respond after three authentication attempts,
Fireware XTM waits ten minutes for an administrator to correct the problem. After ten minutes, Fireware
XTM tries to use the primary RADIUS server again.
Configure VASCO server authentication
VASCO server authentication uses the VACMAN Middleware software to authenticate remote users on a
company network through a RADIUS or web server environment. VASCO also supports multiple
authentication server environments. The VASCO one-time password token system enables you to eliminate
the weakest link in your security infrastructure—the use of static passwords.
To use VASCO server authentication with your Firebox or XTM device, you must:
- Add the IP address of the Firebox or XTM device to the VACMAN Middleware server, as described in
the documentation from your VASCO vendor.
- Enable and specify the VACMAN Middleware server in your Firebox or XTM device configuration.
- Add user names or group names to the policies in Policy Manager.
VASCO server authentication is configured using the RADIUS server settings. The Authentication Servers
dialog box does not have a separate tab for VACMAN Middleware servers.
From Policy Manager:
1. Click .
Or, select Setup > Authentication > Authentication Servers.
The Authentication Servers dialog box appears.
2. Select the RADIUS tab.
3. To enable the VACMAN Middleware server and enable the fields on this dialog box, select the
Enable RADIUS server check box.
4. In the IP Address text box, type the IP address of the VACMAN Middleware server.
5. In the Port text box, make sure that the port number VASCO uses for authentication appears. The
default port number is 1812.
6. In the Secret text box, type the shared secret between the Firebox or XTM device and the VACMAN
Middleware server.
The shared secret is case-sensitive, and it must be the same on the Firebox or XTM device and the
server.
7. In the Confirm Secret text box, type the shared secret again.
8. In the Timeout text box, type or select the amount of time the Firebox or XTM device waits for a
response from the authentication server before it tries to connect again.
9. In the Retries text box, type or select the number of times the Firebox or XTM device tries to
connect to the authentication server before it reports a failed connection for one authentication
attempt.
10. Type or select the Group Attribute value. The default group attribute is FilterID, which is VASCO
attribute 11.
The group attribute value is used to set which attribute carries the user group information. You must
configure the VASCO server to include the Filter ID string with the user authentication message it
sends to the Firebox or XTM device. For example, engineerGroup or financeGroup. This information
is then used for access control. The Firebox or XTM device matches the FilterID string to the group
name configured in the Firebox or XTM device policies.
11. In the Dead Time text box, type or select the amount of time after which an inactive server is
marked as active again. Select minutes or hours from the drop-down list to change the duration.
After an authentication server has not responded for a period of time, it is marked as inactive.
Subsequent authentication attempts do not try to connect to this server until it is marked as active
again.
12. To add a backup VACMAN Middleware server, select the Secondary Server Settings tab, and select
the Enable a secondary RADIUS server check box.
13. Repeat Steps 4–11 to add the information in the required fields. Make sure the shared secret is the
same on the primary and secondary VACMAN Middleware server.
For more information, see Use a backup authentication server on page 302.
14. Click OK.
15. Save the configuration file.
Configure SecurID authentication
To use SecurID authentication, you must configure the RADIUS, VASCO, and ACE/Server servers correctly.
The users must also have an approved SecurID token and a PIN (personal identification number). Refer to
the RSA SecurID documentation for more information.
From Policy Manager:
1. Click .
Or, select Setup > Authentication > Authentication Servers.
The Authentication Servers dialog box appears.
2. Select the SecurID tab.
3. Select the Enable SecurID server check box to enable the SecurID server and enable the fields on
this dialog box.
4. In the IP Address text box, type the IP address of the SecurID server.
5. Click the Port field up or down arrow to set the port number to use for SecurID authentication.
The default number is 1812.
6. In the Secret text box, type the shared secret between the Firebox or XTM device and the SecurID
server. The shared secret is case-sensitive and must be the same on the Firebox or XTM device and
the SecurID server.
7. In the Confirm text box, type the shared secret again.
8. In the Timeout text box, type or select the amount of time that the Firebox or XTM device waits for
a response from the authentication server before it tries to connect again.
9. In the Retry text box, type or select the number of times the Firebox or XTM device tries to connect
to the authentication server before it reports a failed connection for one authentication attempt.
10. In the Group Attribute text box, type or select the group attribute value. We recommend that you
do not change this value.
The group attribute value is used to set the attribute that carries the user group information. When
the SecurID server sends a message to the Firebox or XTM device that a user is authenticated, it also
sends a user group string. For example, engineerGroup or financeGroup. This information is then
used for access control.
11. In the Dead Time text box, type or select the amount of time after which an inactive server is
marked as active again. Select minutes or hours from the adjacent drop-down list to change the
duration.
After an authentication server has not responded for a period of time, it is marked as inactive.
Subsequent authentication attempts do not use this server until it is marked as active again, after the
dead time value is reached.
12. To add a backup SecurID server, select the Backup Server Settings tab, and select the Enable a
secondary SecurID server check box.
13. Repeat Steps 4–11 to add the information in the required fields. Make sure the shared secret is the
same on the primary and backup SecurID server.
For more information, see Use a backup authentication server on page 302.
14. Click OK.
15. Save the configuration file.
Configure Active Directory authentication
Active Directory is the Microsoft Windows-based application of an LDAP directory structure. Active
Directory lets you expand the concept of domain hierarchy used in DNS to an organizational level. It keeps
information and settings for an organization in a central, easy-to-access database.
You can use an Active Directory authentication server so that users can authenticate to the Firebox or XTM
device with their current network credentials. You must configure both the device and the Active Directory
server for Active Directory authentication to work correctly.
Before you begin, make sure your users can successfully authenticate to the Active Directory server. You
can then use Policy Manager to configure your Firebox or XTM device.
1. Click .
Or, select Setup > Authentication > Authentication Servers.
The Authentication Servers dialog box appears.
2. Select the Active Directory tab.
3. Select the Enable Active Directory server check box.
4. In the IP Address field, type the IP address of the primary Active Directory server.
The Active Directory server can be located on any Firebox or XTM device interface. You can also
configure the device to use an Active Directory server available through a VPN tunnel.
5. In the Port text box, type or select the TCP port number for the device to use to connect to the
Active Directory server. The default port number is 389.
If your Active Directory server is a global catalog server, it can be useful to change the default port.
For more information, see Change the default port for the Active Directory server on page 321.
6. In the Search Base text box, type the location in the directory to begin the search.
The standard format for the search base setting is: ou=<name of organizational unit>,dc=<first part
of the distinguished server name>,dc=<any part of the distinguished server name that appears after
the dot>.
Set a search base to put limits on the directories on the authentication server the Firebox or XTM
device searches in for an authentication match. We recommend that you set the search base to the
root of the domain. This enables you to find all users and all groups to which those users belong.
For more information, see Find your Active Directory search base on page 320.
7. In the Group String text box, type the attribute string that is used to hold user group information on
the Active Directory server. If you have not changed your Active Directory schema, the group string
is always memberOf .
8. In the DN of Searching User text box, type the distinguished name (DN) for a search operation.
It is not necessary to enter anything in this text box if you keep the login attribute of
sAMAccountName . If you change the login attribute, you must add a value in the DN of Searching
User field to your configuration. You can use any user DN with the privilege to search LDAP/Active
Directory, such as Administrator. However, a weaker user DN with only the privilege to search is
usually sufficient.
9. In the Password of Searching User text box, type the password associated with the distinguished
name for a search operation.
10. In the Login Attribute text box, type an Active Directory login attribute to use for authentication.
The login attribute is the name used for the bind to the Active Directory database. The default login
attribute is sAMAccountName. If you use sAMAccountName, the DN of Searching User field and the
Password of Searching User field can be empty.
11. In the Dead Time text box, type or select a time after which an inactive server is marked as active
again. Select minutes or hours from the adjacent drop-down list to set the duration.
After an authentication server has not responded for a period of time, it is marked as inactive.
Subsequent authentication attempts do not try this server until it is marked as active again.
12. To add a backup Active Directory server, select the Backup Server Settings tab, and select the
Enable a secondary Active Directory server check box.
13. Repeat Steps 4–11 to add the information in the required fields. Make sure the shared secret is the
same on the primary and backup Active Directory server.
For more information, see Use a backup authentication server on page 302.
14. Click OK.
15. Save the configuration file.
About Active Directory optional settings
Fireware XTM can get additional information from the directory server (LDAP or Active Directory) when it
reads the list of attributes in the server’s search response. This lets you use the directory server to assign
extra parameters to the authenticated user sessions, such as timeouts and Mobile VPN with IPSec address
assignments. Because the data comes from LDAP attributes associated with individual user objects, you are
not limited to the global settings in Policy Manager. You can set these parameters for each individual user.
For more information, see Use Active Directory or LDAP Optional Settings on page 324.
Find your Active Directory search base
When you configure your Firebox or XTM device to authenticate users with your Active Directory server,
you add a search base. The search base is the place the search starts in the Active Directory hierarchical
structure for user account entries. This can help to make the authentication procedure faster.
Before you begin, you must have an operational Active Directory server that contains account information
for all users for whom you want to configure authentication on the Firebox or XTM device.
From your Active Directory server:
1. Select Start > Administrative Tools > Active Directory Users and Computers.
2. In the Active Directory Users and Computers tree, find and select your domain name.
3. Expand the tree to find the path through your Active Directory hierarchy.
Domain name components have the format dc=<domain name component>; they are appended to the end
of the search base string and are comma-delimited.
For each level in your domain name, you must include a separate domain name component in your
Active Directory search base. For example, if your domain name is prefix.example.com, the domain
name component in your search base is DC=prefix,DC=example,DC=com .
For example, if your domain name in the tree looks like this after you expand it:
The search base string to add in the Firebox or XTM device configuration is:
DC=kunstlerandsons,DC=com
The search string is not case-sensitive. When you type your search string, you can use either uppercase or
lowercase letters.
DN of Searching User and Password of Searching User fields
You must complete these fields only if you select an option for the Login Attribute that is different from the
default value, sAMAccountName. Most organizations that use Active Directory do not change this. When
you leave this field at the default sAMAccountName value, users supply their usual Active Directory login
names for their user names when they authenticate. This is the name you see in the User logon name text
box on the Account tab when you edit the user account in Active Directory Users and Computers.
If you use a different value for the Login Attribute, a user who tries to authenticate gives a different form of
the user name. In this case, you must add Searching User credentials to your Firebox or XTM device
configuration.
Change the default port for the Active Directory server
If your WatchGuard device is configured to authenticate users with an Active Directory (AD) authentication
server, it connects to the Active Directory server on the standard LDAP port by default, which is TCP port
389. If the Active Directory servers that you add to your WatchGuard device configuration are set up to be
Active Directory global catalog servers, you can tell the WatchGuard device to use the global catalog port—
TCP port 3268—to connect to the Active Directory server.
A global catalog server is a domain controller that stores information about all objects in the forest. This
enables the applications to search Active Directory, but not have to refer to specific domain controllers that
store the requested data. If you have only one domain, Microsoft recommends that you configure all
domain controllers as global catalog servers.
If the primary or secondary Active Directory server you use in your WatchGuard device configuration is also
configured as a global catalog server, you can change the port the WatchGuard device uses to connect to
the Active Directory server to increase the speed of authentication requests. However, we do not
recommend that you create additional Active Directory global catalog servers just to speed up
authentication requests. The replication that occurs among multiple global catalog servers can use
significant bandwidth on your network.
Configure the Firebox or XTM device to use the global catalog port
1. From Policy Manager, click .
Or, select Setup > Authentication > Authentication Servers.
The Authentication Servers dialog box appears.
2. Select the Active Directory tab.
3. In the Port text box, clear the contents and type 3268.
4. Click OK.
5. Save the configuration file.
Find out if your Active Directory server is configured as a global catalog server
1. Select Start > Administrative Tools > Active Directory Sites and Services.
2. Expand the Sites tree and find the name of your Active Directory server.
3. Right-click NTDS Settings for your Active Directory server and select Properties.
If the Global Catalog check box is selected, the Active Directory server is configured to be a global
catalog.
Configure LDAP authentication
You can use an LDAP (Lightweight Directory Access Protocol) authentication server to authenticate your
users with the Firebox or XTM device. LDAP is an open-standard protocol for using online directory
services, and it operates with Internet transport protocols, such as TCP. Before you configure your Firebox
or XTM device for LDAP authentication, make sure you check the documentation from your LDAP vendor to
see if your installation supports the memberOf (or equivalent) attribute.
From Policy Manager:
1. Click .
Or, select Setup > Authentication > Authentication Servers.
The Authentication Servers dialog box appears.
2. Select the LDAP tab.
3. Select the Enable LDAP server check box to enable the LDAP server and enable the fields on this
dialog box.
4. In the IP Address text box, type the IP address of the primary LDAP server for the Firebox or XTM
device to contact with authentication requests.
The LDAP server can be located on any Firebox or XTM device interface. You can also configure your
device to use an LDAP server on a remote network through a VPN tunnel.
5. In the Port text box, select the TCP port number for the Firebox or XTM device to use to connect to
the LDAP server. The default port number is 389.
LDAP over TLS is not supported.
6. In the Search Base text box, type the search base settings.
The standard format is: ou=organizational unit,dc=first part of distinguished server name,dc=any part
of the distinguished server name that appears after the dot.
You set a search base to put limits on the authentication server directories where the Firebox or
XTM device searches for an authentication match. For example, if your user accounts are in an OU
(organizational unit) you refer to as accounts and your domain name is example.com, your search
base is ou=accounts,dc=example,dc=com
7. In the Group String text box, type the group string attribute.
This attribute string holds user group information on the LDAP server. On many LDAP servers, the
default group string is uniqueMember; on other servers it is member.
8. In the DN of Searching User text box, type the distinguished name (DN) for a search operation.
You can add any user DN with the privilege to search LDAP/Active Directory, such as Administrator.
Some administrators create a new user that only has searching privileges for use in this field.
9. In the Password of Searching User text box, type the password associated with the distinguished
name for a search operation.
10. In the Login Attribute text box, type the LDAP login attribute to use for authentication.
The login attribute is the name used for the bind to the LDAP database. The default login attribute is uid.
If you use uid, the DN of Searching User field and the Password of Searching User field can be empty.
11. In the Dead Time text box, type or select the amount of time after which an inactive server is
marked as active again. Select minutes or hours from the adjacent drop-down list to set the
duration.
After an authentication server has not responded for a period of time, it is marked as inactive.
Subsequent authentication attempts do not try this server until it is marked as active again.
12. To add a backup LDAP server, select the Backup Server Settings tab, and select the Enable a
secondary LDAP server check box.
13. Repeat Steps 4–11 to add the information in the required fields. Make sure the shared secret is the
same on the primary and backup LDAP server.
For more information, see Use a backup authentication server on page 302.
14. Click OK.
15. Save the configuration file.
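As an added example, not part of the guide or of WatchGuard's software, the following Python models how the search base, login attribute and group string settings from the Active Directory and LDAP procedures above are used to find a user and resolve its groups. The directory contents and attribute names are constructed; treating member and uniqueMember as group-side attributes (the group entry lists its members) follows standard LDAP schemas and is my assumption about the device's behaviour.

```python
def search_base(domain, ou=None):
    """Build the search base the guide describes: one dc= component per domain label,
    optionally prefixed with the OU that holds the accounts (ou=accounts,dc=example,dc=com)."""
    parts = [f"dc={label}" for label in domain.strip(".").split(".") if label]
    if ou:
        parts.insert(0, f"ou={ou}")
    return ",".join(parts)


def dn_key(dn):
    """Normalise a DN for comparison; DNs and the search base are not case-sensitive."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_subtree(dn, base):
    """True if `dn` lies under `base`, the scope the search base limits the search to."""
    d, b = dn_key(dn), dn_key(base)
    return d == b or d.endswith("," + b)


def rdn_value(dn):
    """The leading RDN value, e.g. 'Sales' from 'CN=Sales,OU=Groups,DC=example,DC=com'."""
    return dn.split(",", 1)[0].split("=", 1)[1].strip()


def get_attr(entry, name):
    """LDAP attribute names are case-insensitive; return the value list or []."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return list(values)
    return []


def find_user(directory, base, login_attribute, username):
    """Stand-in for the subtree search the device performs with (login_attribute=username)."""
    for dn, entry in directory.items():
        if in_subtree(dn, base) and any(
                v.lower() == username.lower() for v in get_attr(entry, login_attribute)):
            return dn, entry
    return None, None


def user_groups(directory, base, login_attribute, group_string, username):
    """Resolve the user's groups as the Group String setting implies:
    memberOf -> the user entry lists its group DNs (Active Directory);
    member / uniqueMember -> group entries list their member DNs, so scan groups under the base."""
    user_dn, entry = find_user(directory, base, login_attribute, username)
    if entry is None:
        return None                              # no such user under the search base
    if group_string.lower() == "memberof":
        return [rdn_value(dn) for dn in get_attr(entry, group_string)]
    user_key = dn_key(user_dn)
    return [rdn_value(dn) for dn, attrs in directory.items()
            if in_subtree(dn, base)
            and any(dn_key(m) == user_key for m in get_attr(attrs, group_string))]


# Constructed directory: an Active Directory style user plus an OpenLDAP style user and group.
DIRECTORY = {
    "CN=Mary,OU=Accounts,DC=example,DC=com": {
        "sAMAccountName": ["mary"],
        "memberOf": ["CN=Sales,OU=Groups,DC=example,DC=com"],
    },
    "uid=john,ou=accounts,dc=example,dc=com": {"uid": ["john"]},
    "cn=IT Support,ou=groups,dc=example,dc=com": {
        "uniqueMember": ["uid=john,ou=accounts,dc=example,dc=com"],
    },
}

if __name__ == "__main__":
    base = search_base("example.com")
    print(user_groups(DIRECTORY, base, "sAMAccountName", "memberOf", "mary"))   # ['Sales']
    print(user_groups(DIRECTORY, base, "uid", "uniqueMember", "john"))          # ['IT Support']
    # A search base narrowed to the accounts OU cannot see the group entry at all,
    # which is why the guide recommends the root of the domain.
    print(user_groups(DIRECTORY, search_base("example.com", ou="accounts"),
                      "uid", "uniqueMember", "john"))                            # []
```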
About LDAP optional settings
Fireware XTM can get additional information from the directory server (LDAP or Active Directory) when it
reads the list of attributes in the server’s search response. This lets you use the directory server to assign
extra parameters to the authenticated user sessions, such as timeouts and Mobile VPN with IPSec address
assignments. Because the data comes from LDAP attributes associated with individual user objects, you are
not limited to the global settings in Policy Manager. You can set these parameters for each individual user.
For more information, see Use Active Directory or LDAP Optional Settings on page 324.
Use Active Directory or LDAP Optional Settings
When Fireware XTM contacts the directory server (Active Directory or LDAP) to search for information, it
can get additional information from the list of attributes in the search response returned by the server. This
lets you use the directory server to assign extra parameters to the authenticated user session, such as
timeouts and Mobile VPN address assignments. Because the data comes from LDAP attributes associated
with individual user objects, you can set these parameters for each individual user and you are not limited
to the global settings in Policy Manager.
Before You Begin
To use these optional settings you must:
- Extend the directory schema to add new attributes for these items.
- Make the new attributes available to the object class that user accounts belong to.
- Give values to the attributes for the user objects that should use them.
Make sure you carefully plan and test your directory schema before you extend it to your directories.
Additions to the Active Directory schema, for example, are generally permanent and cannot be undone.
Use the Microsoft web site to get resources to plan, test, and implement changes to an Active Directory
schema. Consult the documentation from your LDAP vendor before you extend the schema for other
directories.
Specify Active Directory or LDAP Optional Settings
You can use Policy Manager to specify the additional attributes Fireware XTM looks for in the search
response from the directory server.
1. Select Setup > Authentication > Authentication Servers.
The Authentication Servers dialog box appears.
2. Click the LDAP tab or the Active Directory tab and make sure the server is enabled.
3. Click Optional Settings.
The Server Optional Settings dialog box appears.
4. Type the attributes you want to include in the directory search in the string fields.
IP Attribute String
This field applies only to Mobile VPN clients.
Type the name of the attribute for Fireware XTM to use to assign a virtual IP address to the
Mobile VPN client. This must be a single-valued attribute and an IP address in decimal format.
The IP address must be within the pool of virtual IP addresses you specify when you create the
Mobile VPN Group.
If the Firebox or XTM device does not see the IP attribute in the search response, or if you do
not specify an attribute in Policy Manager, it assigns the Mobile VPN client a virtual IP address
from the virtual IP address pool you create when you make the Mobile VPN Group.
Netmask Attribute String
This field applies only to Mobile VPN clients.
Type the name of the attribute for Fireware XTM to use to assign a subnet mask to the Mobile
VPN client’s virtual IP address. This must be a single-valued attribute and a subnet mask in
decimal format.
The Mobile VPN software automatically assigns a netmask if the Firebox or XTM device does not
see the netmask attribute in the search response, or if you do not specify one in Policy
Manager.
DNS Attribute String
This field applies only to Mobile VPN clients.
Type the name of the attribute Fireware XTM uses to assign the Mobile VPN client one or more
DNS addresses for the duration of the Mobile VPN session. This can be a multi-valued attribute
and must be a normal dotted-decimal IP address. If the Firebox or XTM device does not see the
DNS attribute in the search response, or if you do not specify an attribute in Policy Manager, it
uses the WINS addresses you enter when you Configure WINS and DNS servers.
WINS Attribute String
This field applies only to Mobile VPN clients.
Type the name of the attribute Fireware XTM should use to assign the Mobile VPN client one or
more WINS addresses for the duration of the Mobile VPN session. This can be a multi-valued
attribute and must be a normal dotted-decimal IP address. If the Firebox or XTM device does
not see the WINS attribute in the search response or if you do not specify an attribute in Policy
Manager, it uses the WINS addresses you enter when you Configure WINS and DNS servers.
Lease Time Attribute String
This applies to Mobile VPN clients and to clients that use Firewall Authentication.
Type the name of the attribute for Fireware XTM to use to control the maximum duration a
user can stay authenticated (session timeout). After this amount of time, the user is removed
from the list of authenticated users. This must be a single-valued attribute. Fireware XTM
interprets the attribute’s value as a decimal number of seconds. It interprets a zero value as
never time out.
Idle Timeout Attribute String
This applies to Mobile VPN clients and to clients that use Firewall Authentication.
Type the name of the attribute Fireware XTM uses to control the amount of time a user can stay
authenticated when no traffic is passed to the Firebox or XTM device from the user (idle
timeout). If no traffic passes to the device for this amount of time, the user is removed from the
list of authenticated users. This must be a single-valued attribute. Fireware XTM interprets the
attribute’s value as a decimal number of seconds. It interprets a zero value as never time out.
5. Click OK.
The attribute settings are saved.
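The Python below is an added example, not code from the guide or from WatchGuard, that applies the optional-setting rules just listed to a directory search-response entry: single-valued checks, dotted-decimal validation, the pool fallback for the virtual IP, global fallbacks for DNS and WINS, and timeouts read as decimal seconds with 0 meaning never time out. The attribute names (wgVpnIp and so on) are hypothetical schema-extension names, the entries and pool are constructed, and treating an address outside the pool like a missing one is my assumption.

```python
import ipaddress


def get_attr(entry, name):
    """LDAP attribute names are case-insensitive; an empty name means 'field left empty'."""
    if not name:
        return []
    for key, values in entry.items():
        if key.lower() == name.lower():
            return list(values)
    return []


def single_value(entry, name):
    """The IP, netmask, lease time and idle timeout attributes must be single-valued."""
    values = get_attr(entry, name)
    if not values:
        return None
    if len(values) != 1:
        raise ValueError(f"{name} must be single-valued, got {len(values)} values")
    return values[0]


def parse_seconds(text):
    """Lease time and idle timeout are decimal seconds; 0 means the session never times out."""
    seconds = int(text, 10)
    if seconds < 0:
        raise ValueError("timeout attribute cannot be negative")
    return seconds


def address_list(entry, name):
    """DNS and WINS attributes may be multi-valued; every value must be dotted-decimal."""
    return [str(ipaddress.IPv4Address(v)) for v in get_attr(entry, name)]


def session_parameters(entry, settings, pool, global_dns, global_wins, next_pool_address):
    """Derive one user's session parameters from a search-response entry.

    settings maps 'ip', 'netmask', 'dns', 'wins', 'lease', 'idle' to the attribute names typed
    in Policy Manager ('' = field left empty). next_pool_address() hands out the next free
    address from the Mobile VPN virtual IP pool, which is the device's fallback.
    """
    pool = ipaddress.IPv4Network(pool)
    warnings = []

    ip_text = single_value(entry, settings.get("ip", ""))
    if ip_text is not None and ipaddress.IPv4Address(ip_text) in pool:
        virtual_ip = ip_text
    else:
        if ip_text is not None:   # assumption: an address outside the pool is treated like a missing one
            warnings.append(f"{ip_text} is outside the virtual IP pool {pool}; assigned from the pool")
        virtual_ip = str(next_pool_address())

    netmask = single_value(entry, settings.get("netmask", ""))
    if netmask is not None:
        ipaddress.IPv4Network(f"0.0.0.0/{netmask}")   # rejects anything that is not a valid mask

    lease = single_value(entry, settings.get("lease", ""))
    idle = single_value(entry, settings.get("idle", ""))
    return {
        "virtual_ip": virtual_ip,
        "netmask": netmask,                                  # None: Mobile VPN software assigns one
        "dns": address_list(entry, settings.get("dns", "")) or list(global_dns),
        "wins": address_list(entry, settings.get("wins", "")) or list(global_wins),
        "lease_time_seconds": parse_seconds(lease) if lease is not None else None,  # None: global setting
        "idle_timeout_seconds": parse_seconds(idle) if idle is not None else None,
        "warnings": warnings,
    }


# Hypothetical attribute names from a schema extension; the guide does not prescribe any names.
SETTINGS = {"ip": "wgVpnIp", "netmask": "wgVpnMask", "dns": "wgVpnDns",
            "wins": "", "lease": "wgLeaseTime", "idle": "wgIdleTimeout"}
GLOBAL_DNS, GLOBAL_WINS = ["10.1.1.53"], ["10.1.1.20"]

# Constructed search-response entries.
ALICE = {"sAMAccountName": ["alice"], "wgVpnIp": ["10.8.0.23"], "wgVpnMask": ["255.255.255.0"],
         "wgVpnDns": ["10.1.1.53", "10.1.1.54"], "wgLeaseTime": ["3600"], "wgIdleTimeout": ["0"]}
BOB = {"sAMAccountName": ["bob"], "wgVpnIp": ["192.168.1.5"]}   # outside the pool, nothing else set


def demo():
    """Run both entries against a 10.8.0.0/24 pool and return the two parameter sets."""
    free = iter(ipaddress.IPv4Network("10.8.0.0/24").hosts())
    alice = session_parameters(ALICE, SETTINGS, "10.8.0.0/24", GLOBAL_DNS, GLOBAL_WINS, lambda: next(free))
    bob = session_parameters(BOB, SETTINGS, "10.8.0.0/24", GLOBAL_DNS, GLOBAL_WINS, lambda: next(free))
    return alice, bob


if __name__ == "__main__":
    for params in demo():
        print(params)
```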
Use a local user account for authentication
Any user can authenticate as a Firewall user, PPTP user, or Mobile VPN user, and open a PPTP or Mobile
VPN tunnel if PPTP or Mobile VPN is enabled on the Firebox or XTM device. However, after authentication
or a tunnel has been successfully established, users can send traffic through the VPN tunnel only if the
traffic is allowed by a policy on the Firebox or XTM device. For example, a Mobile VPN-only user can send
traffic through a Mobile VPN tunnel. Even though the Mobile VPN-only user can authenticate and open a
PPTP tunnel, he or she cannot send traffic through that PPTP tunnel.
If you use Active Directory authentication and the group membership for a user does not match your Mobile
VPN policy, you can see an error message that says Decrypted traffic does not match any policy. If you see
this error message, make sure that the user is in a group with the same name as your Mobile VPN group.
Use authorized users and groups in policies
You can use specified user and group names when you create policies in Policy Manager. For example, you
can define all policies to only allow connections for authenticated users. Or, you can limit connections on a
policy to particular users.
The term authorized users and groups refers to users and groups that are allowed to access network
resources.
Define users and groups for Firebox authentication
If you use your Firebox or XTM device as an authentication server and want to define users and groups that
authenticate to the Firebox or XTM device, see Define a new user for Firebox authentication on page 306
and Define a new group for Firebox authentication on page 308.
Define users and groups for third-party authentication
You can use Policy Manager to define the users and groups to use for third-party authentication.
1. Create a group on your third-party authentication server that contains all the user accounts on your
system.
2. Select Setup > Authentication > Authorized Users/Groups.
The Authorized Users and Groups dialog box appears.
3. Click Add.
The Define New Authorized User or Group dialog box appears.
4. Type a user or group name you created on the authentication server.
5. (Optional) Type a description for the user or group.
6. Select Group or User.
7. From the Auth Server drop-down list, select your authentication server type.
Select RADIUS for authentication through a RADIUS or VACMAN Middleware server, or Any for
authentication through any other server.
8. Click OK.
Add users and groups to policy definitions
Any user or group that you want to use in your policy definitions must be added as an authorized user. All
users and groups you create for Firebox authentication and all Mobile VPN users are automatically added to
the list of authorized users and groups on the Authorized Users and Groups dialog box. You can add any
users or groups from third-party authentication servers to the authorized user and group list with the
previous procedure. You are then ready to add users and groups to your policy configuration.
1. From Policy Manager, select the Firewall tab.
2. Double-click a policy.
The Edit Policy Properties dialog box appears.
3. On the Policy tab, below the From box, click Add.
The Add Address dialog box appears.
4. Click Add User.
The Add Authorized Users or Groups dialog box appears.
5. From the left Type drop-down list, select whether the user or group is authorized as a Firewall,
PPTP, or SSL VPN user.
For more information on these authentication types, see Types of Firebox authentication on page 303.
6. From the right Type drop-down list, select either User or Group.
7. If your user or group appears in the Groups list, select the user or group and click Select.
The Add Address dialog box reappears with the user or group in the Selected Members or Addresses box.
Click OK to close the Edit Policy Properties dialog box.
8. If your user or group does not appear in the list in the Add Authorized Users or Groups dialog box,
see Define a new user for Firebox authentication on page 306, Define a new group for Firebox
authentication on page 308, or the previous Define users and groups for third-party authentication
procedure.
After you add a user or group to a policy configuration, WatchGuard System Manager automatically adds a
WatchGuard Authentication policy to your Firebox or XTM device configuration. Use this policy to control
access to the authentication portal web page.
For instructions to edit this policy, see Use authentication to restrict incoming traffic on page 289.
13 Policies
About policies
The security policy of your organization is a set of definitions to protect your computer network and the
information that goes through it. The Firebox or XTM device denies all packets that are not specifically
allowed. When you add a policy to your Firebox or XTM device configuration file, you add a set of rules that
tell the Firebox or XTM device to allow or deny traffic based upon factors such as source and destination of
the packet or the TCP/IP port or protocol used for the packet.
As an example of how a policy could be used, suppose the network administrator of a company wants to log
in remotely to a web server protected by the Firebox or XTM device. The network administrator manages
the web server with a Remote Desktop connection. At the same time, the network administrator wants to
make sure that no other network users can use Remote Desktop. To create this setup, the network
administrator adds a policy that allows RDP connections only from the IP address of the network
administrator's desktop computer to the IP address of the web server.
A policy can also give the Firebox or XTM device more instructions on how to handle the packet. For
example, you can define logging and notification settings that apply to the traffic, or use NAT (Network
Address Translation) to change the source IP address and port of network traffic.
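The Remote Desktop scenario above, worked through in code. This is an added example written for this edit, not WatchGuard code: the addresses 10.0.1.25 (administrator's desktop), 10.0.2.10 (web server) and the 10.0.0.0/8 trusted range are constructed, and the policy entries are simplified to single addresses or CIDR blocks. It models the two behaviours the paragraph states: a packet that no policy allows is dropped, and the first policy in precedence order that matches a packet decides its fate.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", "icmp", ...
    dport: int = 0      # destination port; 0 for protocols without ports


@dataclass(frozen=True)
class Policy:
    name: str
    action: str         # "allow" or "deny"
    src: str            # single address or CIDR (simplified stand-in for a From entry)
    dst: str            # single address or CIDR (stand-in for a To entry)
    proto: str          # "tcp", "udp", "icmp" or "any"
    dport: int = 0      # 0 = any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport and self.dport != pkt.dport:
            return False
        return (ip_address(pkt.src) in ip_network(self.src, strict=False)
                and ip_address(pkt.dst) in ip_network(self.dst, strict=False))


def evaluate(policies: List[Policy], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Walk the policies in precedence order; the first match decides.
    A packet that no policy allows is dropped, which is the device's default."""
    for pol in policies:
        if pol.matches(pkt):
            return pol.action, pol.name
    return "deny", None


# Constructed addresses for the example.
ADMIN_DESKTOP = "10.0.1.25"
WEB_SERVER = "10.0.2.10"
TRUSTED_NET = "10.0.0.0/8"

# Listed in the order the device would rank them (most specific first):
# host-to-host allow, subnet-to-host deny, then the broad Outgoing filter that
# the Quick Setup Wizard adds. Without the explicit deny, Outgoing would let
# every trusted host reach RDP on the web server.
POLICIES = [
    Policy("RDP-admin", "allow", ADMIN_DESKTOP, WEB_SERVER, "tcp", 3389),
    Policy("RDP-deny-others", "deny", TRUSTED_NET, WEB_SERVER, "tcp", 3389),
    Policy("Outgoing", "allow", TRUSTED_NET, "0.0.0.0/0", "any"),
]

if __name__ == "__main__":
    for pkt in (Packet(ADMIN_DESKTOP, WEB_SERVER, "tcp", 3389),
                Packet("10.0.1.30", WEB_SERVER, "tcp", 3389),
                Packet("10.0.1.30", WEB_SERVER, "tcp", 80),
                Packet("203.0.113.9", WEB_SERVER, "tcp", 3389)):
        print(pkt.src, "->", pkt.dst, pkt.proto, pkt.dport, evaluate(POLICIES, pkt))
```

Reversing the list (which is what a careless drag in manual-order mode amounts to) makes Outgoing match first, and the RDP-deny-others policy never fires; that is why the policy precedence rules later in this chapter matter.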
Packet filter and proxy policies
The Firebox or XTM device uses two categories of policies to filter network traffic: packet filters and proxies.
A packet filter examines each packet’s IP and TCP/UDP header. If the packet header information is
legitimate, then the Firebox or XTM device allows the packet. Otherwise, the Firebox or XTM device drops
the packet.
A proxy examines both the header information and the content of each packet to make sure that
connections are secure. This is also called deep packet inspection. If the packet header information is
legitimate and the content of the packet is not considered a threat, then the Firebox or XTM device allows
the packet. Otherwise, the Firebox or XTM device drops the packet.
About adding policies to your Firebox or XTM device
The Firebox or XTM device includes many pre-configured packet filters and proxies that you can add to your
configuration. For example, if you want a packet filter for all Telnet traffic, you add a pre-defined Telnet
policy that you can modify for your network configuration. You can also make a custom policy for which you
set the ports, protocols, and other parameters.
When you configure the Firebox or XTM device with the Quick Setup Wizard, the wizard adds several
packet filters: Outgoing (TCP-UDP), FTP, ping, and up to two WatchGuard management policies. If you have
more software applications and network traffic for the Firebox or XTM device to examine, you must:
- Configure the policies on your Firebox or XTM device to let necessary traffic through
- Set the approved hosts and properties for each policy
- Balance the requirement to protect your network against the requirements of your users to get
access to external resources
We recommend that you set limits on outgoing access when you configure your Firebox or XTM device.
Note In all documentation, we refer to both packet filters and proxies as policies.
Information on policies refers to both packet filters and proxies unless otherwise
specified.
About Policy Manager
Fireware XTM Policy Manager is a WatchGuard software tool that lets you create, edit, and save
configuration files. When you use Policy Manager, you see a version of your configuration file that is easy to
examine and change.
For more information on how to open Policy Manager, see Open Policy Manager on page 333.
Policy Manager window
Policy Manager has two tabs: The Firewall tab and the Mobile VPN with IPSec tab.
- The Firewall tab includes policies that are used for general firewall traffic on the Firebox or XTM
device. It also includes BOVPN policies so you can see the order in which the Firebox or XTM device
examines network traffic and applies a policy rule. (To change the order, see About policy
precedence on page 343.)
- The Mobile VPN with IPSec tab includes policies that are used with Mobile VPN with IPSec tunnels.
The Policy Manager user interface shows a list of the policies you have configured and their basic settings by
default. You can also view the policies as a group of large icons to help you identify a policy visually. To
switch between these two views, see Change the Policy Manager view on page 334.
Policy icons
The Policy Manager window contains icons for the policies that are defined on the Firebox or XTM device.
You can double-click the icon or its associated entry to edit the properties for that policy. The appearance of
the icons shows their status and type:
- Enabled policies that allow traffic appear with a green check mark, or with a green bar and a check
mark in Large Icons view.
- Enabled policies that deny traffic have a red X, or a red bar with an X in Large Icons view.
- Disabled policies have a black circle with a line, or a gray bar in Large Icons view.
- An icon that contains a shield symbol on the left side is a proxy policy.
The names of policies appear in color, based on policy type:
- Managed policies appear in gray with a white background.
- BOVPN policies (such as BOVPN-allow.out) appear in green with a white background.
- Mixed BOVPN and firewall policies (such as Ping or Any-PPTP) appear in blue with a white
background.
- All other policies appear in black with a white background.
To change these default colors, see Change colors used for Policy Manager text on page 336.
To find a specific policy in Policy Manager, see Find a policy by address, port, or protocol on page 337.
Open Policy Manager
You open Policy Manager from WatchGuard System Manager. You can choose to open Policy Manager for a
specific Firebox or XTM device, or you can open Policy Manager with a new configuration file.
To open Policy Manager for a specific device:
Select a Firebox or XTM device and click the Policy Manager icon.
To open Policy Manager with a new configuration file:
- Click the Policy Manager icon.
Or
- Select Tools > Policy Manager.
If the Firebox or XTM device you select is a managed device, Policy Manager puts a lock on the device in
WatchGuard System Manager to prevent simultaneous changes from a different user. The lock is released
when you close Policy Manager, or if you open Policy Manager for a different device.
Change the Policy Manager view
Policy Manager has two views: Large Icons and Details. The default Large Icons view shows each policy as an
icon. In the Details view, each policy is a row of information divided among several columns. You can see
configuration information, including source and destination, and logging and notification parameters.
To change to the Details view:
Select View > Details.
Large Icons View
Details View
The following information appears for each policy:
Order
The order in which the policies are sorted, and how traffic flows through the policies. Policy
Manager automatically sorts policies from the most specific to the most general. If you want to
switch to manual-order mode, select View > Auto-order mode so that the check mark disappears.
Then, select the policy whose order you want to change and drag it to its new location.
For more information on policy order, see About policy precedence.
Action
The action taken by the policy for traffic that matches the policy definition. The symbol in this
column also indicates whether the policy is a packet filter policy or a proxy policy.
- Green check mark — Packet filter policy; traffic is allowed
- Red X — Packet filter policy; traffic is denied
- Circle with line — Packet filter policy and the action for traffic is not configured
- Green shield with check mark — Proxy policy; traffic is allowed
- Red shield with X — Proxy policy; traffic is denied
- Gray shield — Proxy policy; the action for traffic is not configured
Policy Name
Name of the policy, as defined in the Name field in the New/Edit Policy Properties dialog box.
For more information, see Add a policy from the list of templates on page 340.
Policy Type
The protocol that the policy manages. Proxies include the protocol and "-proxy".
Traffic Type
Type of traffic the policy examines: firewall or VPN.
Log
Whether logging is enabled for the policy.
Alarm
Whether alarms are configured for the policy.
From
Addresses from which traffic for this policy applies (source addresses).
To
Addresses to which traffic for this policy applies (destination addresses).
PBR
Indicates whether the policy uses policy-based routing. If it does, and failover is not enabled, the
interface number appears. If policy-based routing and failover are enabled, a list of interface
numbers appears, with the primary interface listed first.
For more information on policy-based routing, see Configure policy-based routing on page 355.
Port
Protocols and ports used by the policy.
Change colors used for Policy Manager text
The default setup for Policy Manager is for the names of policies (or the entire row in Details view) to
appear highlighted in color based on traffic type:
- Managed policies appear in gray with a white background.
- BOVPN policies (such as BOVPN-allow.out) appear in green with a white background.
- Mixed BOVPN and firewall policies (such as Ping or Any-PPTP) appear in blue with a white
background.
- All other policies (normal policies) are not highlighted. They appear in black.
You can use default colors or colors that you select. You can also disable policy highlighting.
1. Select View > Policy Highlighting.
The Policy Highlighting dialog box appears.
2. To enable policy highlighting, select the Highlight Firewall policies based on traffic type check box.
Clear this check box to disable policy highlighting.
3. To select different colors for the text or background of the policy names for normal, managed,
BOVPN, or mixed policies, click the Text Color or Background Color block.
The Select Text Color or Select Background Color dialog box appears.
4. Click one of the three tabs, Swatches, HSB, or RGB, to specify the color you want:
- Swatches — Click one of the small swatches of the available colors.
- HSB — Select H (hue), S (saturation), or B (brightness) and then type or select the value for each
setting.
- RGB — Type or select the value for the Red, Green, or Blue settings.
When you specify a color, a sample of the color appears in the Sample block at the bottom of
the dialog box.
5. When you are satisfied with the color, click OK.
6. Click OK on the Policy Highlighting dialog box for the changes to take effect.
Find a policy by address, port, or protocol
You can locate a policy in Policy Manager with the address, port, or protocol information for the policy.
1. Select Edit > Find.
The Find Policies dialog box appears.
2. Select Address, Port Number, or Protocol to specify a policy component.
3. In the Search all configured policies for text box, type the string to search for.
For address and protocol searches, Policy Manager performs a partial string search. You can type
only a partial string. Policy Manager shows all policies that contain the string.
4. Click Find.
The policies that match the search criteria appear in the Policies found box.
5. To edit a policy that is returned for a search, double-click the policy name.
Add policies to your configuration
To add a policy, you choose from the list of policy templates in Policy Manager. A policy template contains
the policy name, a short description of the policy, and the protocol/port used by the policy.
- To see the list of templates to choose from, see See the list of policy templates on page 339.
- To add one of the policies in the list to your configuration, see Add a policy from the list of templates
on page 340.
- To see or modify the definition of a policy template, see See template details and modify policy
templates on page 342.
- To use the policy import/export function to copy policies from one Firebox or XTM device to
another, see Import and export custom policy templates on page 350. This is helpful if you manage
several Firebox or XTM devices and have custom policies for them.
The Firebox or XTM device includes a default definition for each policy included in the Firebox or XTM
device configuration. The default definition consists of settings that are appropriate for most installations.
However, you can modify them for your particular business purposes, or if you want to include special
policy properties such as Traffic Management actions and operating schedules.
After you add a policy to your configuration, you define rules to:
- Set allowed traffic sources and destinations
- Make filter rules
- Enable or disable the policy
- Configure properties such as Traffic Management, NAT, and logging
For more information on policy configuration, see About policy properties on page 351.
See the list of policy templates
1. Click the Add Policies icon.
Or, select Edit > Add Policies.
The Add Policies dialog box appears.
2. Expand the Packet Filters or Proxies folder.
A list of templates for packet filters or proxies appears.
3. To see basic information about a policy template, select it.
The icon for the policy appears at the right side of the dialog box and basic information about the policy
appears in the Details section.
Add a policy from the list of templates
The Firebox or XTM device includes a default definition for each policy included in the Firebox or XTM
device configuration. The default definition settings are appropriate for most installations, however, you can
modify them to include special policy properties such as QoS actions and operating schedules.
1. In the Add Policies dialog box, expand the Packet Filters, Proxies, or Custom folder.
A list of templates for packet filter or proxy policies appears.
2. Select the type of policy you want to create. Click Add.
The New Policy Properties dialog box appears.
3. To change the name of the policy, type a new name in the Name field.
4. Set the access rules and other settings for the policy.
5. Click OK to close the Properties dialog box.
You can add more than one policy while the Add Policies dialog box is open.
6. Click Close.
The new policy appears in Policy Manager.
For more information on policy properties, see About policy properties on page 351.
Add more than one policy of the same type
If your security policy requires it, you can add the same policy more than one time. For example, you can
set a limit on web access for most users, while you give full web access to your management team. To do
this, you add two different policies with different properties:
1. Add the first policy.
2. Change the name of the policy to a name that matches your security policy and add the related
information.
In this example, you can name the first policy “restricted_web_access.”
3. Click OK.
The New Policy Properties dialog box for the policy appears.
4. Add the second policy.
5. Click OK.
The New Policy Properties dialog box for the policy appears.
For more information on policy properties, see About policy properties on page 351.
See template details and modify policy templates
The relevant information from the policy template appears in the Details section of the Add Policies dialog box. If you
want to see more detail, you can open the template to edit it. There are two types of policy templates:
predefined and custom. For pre-defined policies (those included in the Packet Filters and Proxies lists in the
Add Policies dialog box), you can edit only the Description information on the policy template. You cannot
edit or delete pre-defined policies. You can only change or delete a custom policy template.
For more information on custom policies, see About custom policies.
To see a policy template:
1. In the Add Policies dialog box, select a policy template.
2. Click Edit.
The Policy Template dialog box appears.
Disable or delete a policy
You can disable a policy in two places in Policy Manager: the main Firewall or Mobile VPN with IPSec tabs,
or the Edit Policy Properties dialog box.
To disable a policy on the Firewall or Mobile VPN with IPSec tab:
1. Select the Firewall or Mobile VPN with IPSec tab.
2. Right-click a policy and select Disable Policy.
The right-click menu option changes to Enable Policy.
To disable a policy in the Edit Policy Properties dialog box:
1. Double-click a policy.
The Edit Policy Properties dialog box appears.
2. Clear the Enable check box.
3. Click OK.
Delete a policy
As your security policy changes, you sometimes have to remove one or more policies. To remove a policy,
you first remove it from Policy Manager. Then you save the new configuration to the Firebox or XTM
device.
1. Select a policy.
2. Click the Delete icon.
Or, select Edit > Delete Policy.
A confirmation dialog box appears.
3. Click Yes.
4. To save the configuration to the Firebox or XTM device, select File > Save > To Firebox.
5. Type the configuration passphrase and select the Save to Firebox check box.
6. Click Save.
7. Restart the Firebox or XTM device.
About policy precedence
Precedence is the sequence in which the Firebox or XTM device examines network traffic and applies a
policy rule. The Firebox or XTM device automatically sorts policies from the most detailed to the most
general. It compares the information in the packet to the list of rules in the first policy. The first rule in the
list to match the conditions of the packet is applied to the packet. If the detail level in two policies is equal, a
proxy policy always takes precedence over a packet filter policy.
Automatic policy order
The Firebox or XTM device automatically gives the highest precedence to the most specific policies and the
lowest to the least specific. The Firebox or XTM device examines specificity of the subsequent criteria in the
following order. If it cannot determine the precedence from the first criterion, it moves to the second, and so on.
1. Policy specificity
2. Protocols set for the policy type
3. Traffic rules of the To field
4. Traffic rules of the From field
5. Firewall action (Allowed, Denied, or Denied (send reset)) applied to the policies
6. Schedules applied to the policies
7. Alphanumeric sequence based on policy type
8. Alphanumeric sequence based on policy name
The subsequent sections include more details about what the Firebox or XTM device does within these
eight steps.
Policy specificity and protocols
The Firebox or XTM device uses these criteria in sequence to compare two policies until it finds that the
policies are equal, or that one is more detailed than the other.
1. An Any policy always has the lowest precedence.
2. Check for the number of TCP 0 (any) or UDP 0 (any) protocols. The policy with the smaller number
has higher precedence.
3. Check for the number of unique ports for TCP and UDP protocols. The policy with the smaller
number has higher precedence.
4. Add up the number of unique TCP and UDP ports. The policy with the smaller number has higher
precedence.
5. Score the protocols based on their IP protocol value. The policy with the smaller score has higher
precedence.
If the Firebox or XTM device cannot set the precedence when it compares the policy specificity and
protocols, it examines traffic rules.
Traffic rules
The Firebox or XTM device uses these criteria in sequence to compare the most general traffic rule of one
policy with the most general traffic rule of a second policy. It assigns higher precedence to the policy with
the most detailed traffic rule.
1. Host address
2. IP address range (smaller than the subnet being compared to)
3. Subnet
4. IP address range (larger than the subnet being compared to)
5. Authentication user name
6. Authentication group
7. Interface, Firebox or XTM device
8. Any-External, Any-Trusted, Any-Optional
9. Any
For example, compare these two policies:
(HTTP-1) From: Trusted, user1
(HTTP-2) From: 10.0.0.1, Any-Trusted
Trusted is the most general entry for HTTP-1. Any-Trusted is the most general entry for HTTP-2. Because
Trusted is included in the Any-Trusted alias, HTTP-1 is the more detailed traffic rule. This is correct despite
the fact that HTTP-2 includes an IP address, because the Firebox or XTM device compares the most general
traffic rule of one policy to the most general traffic rule of the second policy to set precedence.
If the Firebox or XTM device cannot set the precedence when it compares the traffic rules, it examines the
firewall actions.
Firewall actions
The Firebox or XTM device compares the firewall actions of two policies to set precedence. Precedence of
firewall actions from highest to lowest is:
1. Denied or Denied (send reset)
2. Allowed proxy policy
3. Allowed packet-filter policy
If the Firebox or XTM device cannot set the precedence when it compares the firewall actions, it examines
the schedules.
Schedules
The Firebox or XTM device compares the schedules of two policies to set precedence. Precedence of
schedules from highest to lowest is:
1. Always off
2. Sometimes on
3. Always on
If the Firebox or XTM device cannot set the precedence when it compares the schedules, it examines the
policy types and names.
Policy types and names
If the two policies do not match any other precedence criteria, the Firebox or XTM device sorts the policies
in alphanumeric sequence. First, it uses the policy type. Then, it uses the policy name. Because no two
policies can be the same type and have the same name, this is the last criteria for precedence.
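The automatic ordering described in the preceding subsections, implemented as a sort key so you can predict where a new policy will land before you save it. This is an added example written for this edit, not WatchGuard code, and it is a reading of the guide's rules rather than the device's implementation: the "user:" and "group:" prefixes for authentication entries are this example's own convention, steps 3 and 4 of the protocol comparison (both of which count unique TCP/UDP ports) are folded into one count, and the ordering of an IP range against a subnet is done by address count, which reproduces the "smaller than / larger than the subnet" rule. HTTP-1 and HTTP-2 are the guide's own traffic-rule example; the other policies are constructed to exercise the remaining criteria.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

TCP, UDP = 6, 17          # IP protocol numbers


@dataclass
class Policy:
    name: str
    ptype: str                        # policy type; proxy types end in "-proxy"
    protocols: List[Tuple[int, int]]  # (IP protocol number, port); port 0 = any
    to: List[str]
    frm: List[str]
    action: str = "allow"             # "allow", "deny" or "deny-reset"
    schedule: str = "always-on"       # "always-off", "sometimes-on", "always-on"
    is_any: bool = False              # the predefined Any policy


def entry_rank(entry: str) -> Tuple[int, int]:
    """Map one From/To entry to (tier, size); a smaller tuple is more specific.
    Tiers follow the guide's traffic-rules list. Ranges and subnets share a tier
    and are ordered by address count. The "user:"/"group:" prefixes are an
    assumption of this example, not product syntax."""
    e = entry.lower()
    if e == "any":
        return (6, 0)
    if e in ("any-external", "any-trusted", "any-optional"):
        return (5, 0)
    if e in ("external", "trusted", "optional", "firebox") or e.startswith("eth"):
        return (4, 0)                 # interface alias or the device itself
    if e.startswith("group:"):
        return (3, 0)
    if e.startswith("user:"):
        return (2, 0)
    if "-" in e:                      # IP address range "a.b.c.d-e.f.g.h"
        lo, hi = (ip_address(p) for p in e.split("-"))
        return (1, int(hi) - int(lo) + 1)
    net = ip_network(e, strict=False)
    return (0, 1) if net.num_addresses == 1 else (1, net.num_addresses)


def most_general(entries: List[str]) -> Tuple[int, int]:
    """The device compares the MOST GENERAL entry of each policy, not the most specific."""
    return max(entry_rank(e) for e in entries)


def protocol_key(p: Policy) -> Tuple:
    """Steps 1-5 under 'Policy specificity and protocols'."""
    if p.is_any:
        return (1,)                   # the Any policy always sorts last
    wildcards = sum(1 for proto, port in p.protocols if proto in (TCP, UDP) and port == 0)
    ports = len({(proto, port) for proto, port in p.protocols if proto in (TCP, UDP) and port})
    score = sum(proto for proto, _ in p.protocols)
    return (0, wildcards, ports, score)


def action_rank(p: Policy) -> int:
    """Denied beats allowed proxy, which beats allowed packet filter."""
    if p.action in ("deny", "deny-reset"):
        return 0
    return 1 if p.ptype.lower().endswith("-proxy") else 2


SCHEDULE_RANK = {"always-off": 0, "sometimes-on": 1, "always-on": 2}


def sort_key(p: Policy) -> Tuple:
    """The eight precedence criteria, in the order the guide lists them."""
    return (protocol_key(p), most_general(p.to), most_general(p.frm),
            action_rank(p), SCHEDULE_RANK[p.schedule], p.ptype.lower(), p.name.lower())


def auto_order(policies: List[Policy]) -> List[Policy]:
    return sorted(policies, key=sort_key)


# Constructed policies; HTTP-1 and HTTP-2 are the guide's example.
POLICIES = [
    Policy("Any", "Any", [], ["Any"], ["Any"], is_any=True),
    Policy("Outgoing", "TCP-UDP", [(TCP, 0), (UDP, 0)], ["Any-External"], ["Any-Trusted", "Any-Optional"]),
    Policy("HTTP-2", "HTTP", [(TCP, 80)], ["Any-External"], ["10.0.0.1", "Any-Trusted"]),
    Policy("HTTP-1", "HTTP", [(TCP, 80)], ["Any-External"], ["Trusted", "user:user1"]),
    Policy("HTTP-block", "HTTP-proxy", [(TCP, 80)], ["Any-External"], ["Trusted", "user:user1"], action="deny"),
]

if __name__ == "__main__":
    for i, p in enumerate(auto_order(POLICIES), 1):
        print(i, p.name, sort_key(p))
```

Note how HTTP-1 outranks HTTP-2 even though HTTP-2 names a single host: its most general entry (Trusted) is narrower than HTTP-2's (Any-Trusted). HTTP-block, with identical traffic rules to HTTP-1, moves above it solely because it denies. A check like this is worth running before you switch to manual-order mode, because once you drag policies by hand the device no longer re-sorts them for you.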
Set precedence manually
To switch to manual-order mode and change policy precedence:
1. Select View > Auto-Order Mode.
The checkmark disappears and a confirmation message appears.
2. Click Yes to confirm that you want to switch to manual-order mode.
When you switch to manual-order mode, the Policy Manager window changes to the Details view.
You cannot change the order of policies if you are in Large Icons view.
3. To change the order of a policy, select it and drag it to the new location.
Create schedules for Firebox or XTM device actions
A schedule is a set of times for which a feature is active or disabled. You must use a schedule if you want a
policy or WebBlocker action to automatically become active or inactive at the times you specify. You can
apply a schedule you create to more than one policy or WebBlocker action if you want those policies or
actions to be active at the same times.
For example, an organization wants to restrict certain types of network traffic during normal business hours.
The network administrator could create a schedule that is active on weekdays, and set each policy in the
configuration to use the same schedule.
To create a schedule:
1. Select Setup > Actions > Schedules.
The Schedules dialog box appears.
2. To edit a schedule, select the schedule name in the Schedule dialog box and click Edit.
To create a new schedule from an existing one, select the schedule name and click Clone.
To create a new schedule, click Add.
The New Schedule dialog box appears.
3. Type a schedule name and description.
Make sure that the name is easy to remember.
The schedule name appears in the Schedules dialog box.
4. In the Mode drop-down list, select the time increment for the schedule: one hour, 30 minutes, or
15 minutes.
The chart on the left of the New Schedule dialog box shows your entry in the drop-down list.
5. The chart in the dialog box shows days of the week along the x-axis (horizontal) and increments of
the day on the y-axis (vertical). Click boxes in the chart to change them to operational hours (when
the policy is active) or non-operational hours (when the policy is not in effect).
6. Click OK to close the New Schedule dialog box.
7. Click Close to close the Schedules dialog box.
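The chart you fill in above, modelled as data so you can check when a policy bound to a schedule is actually in force. This is an added example written for this edit, not WatchGuard code: the day numbering (Monday = 0) follows Python's datetime.weekday(), the schedule names and hours are constructed, and the precedence_class method maps a schedule to the three classes (always off, sometimes on, always on) the policy-precedence rules use.

```python
from datetime import datetime
from typing import Iterable, Tuple

SLOT_MINUTES = {"1 hour": 60, "30 minutes": 30, "15 minutes": 15}   # the Mode choices


class Schedule:
    """The New Schedule chart as data: days of the week on one axis (Monday = 0,
    Sunday = 6, as datetime.weekday() numbers them), time increments on the other.
    Cells in `on` are operational hours; every other cell is non-operational."""

    def __init__(self, name: str, mode: str = "1 hour", on: Iterable[Tuple[int, int]] = ()):
        self.name = name
        self.slot_minutes = SLOT_MINUTES[mode]
        self.slots_per_day = 24 * 60 // self.slot_minutes
        self.on = frozenset(on)
        for day, slot in self.on:
            if not (0 <= day < 7 and 0 <= slot < self.slots_per_day):
                raise ValueError(f"cell {(day, slot)} is outside the {mode} chart")

    @classmethod
    def from_hours(cls, name: str, days: Iterable[int], start_hour: int, end_hour: int,
                   mode: str = "1 hour") -> "Schedule":
        """Mark [start_hour, end_hour) as operational on each listed weekday."""
        m = SLOT_MINUTES[mode]
        cells = {(d, s) for d in days for s in range(start_hour * 60 // m, end_hour * 60 // m)}
        return cls(name, mode, cells)

    def is_active(self, when: datetime) -> bool:
        slot = (when.hour * 60 + when.minute) // self.slot_minutes
        return (when.weekday(), slot) in self.on

    def precedence_class(self) -> str:
        """The three classes the guide uses when schedules decide precedence."""
        if not self.on:
            return "always-off"
        if len(self.on) == 7 * self.slots_per_day:
            return "always-on"
        return "sometimes-on"


def active_at(schedule: Schedule, iso_timestamp: str) -> bool:
    """Evaluate a schedule at an ISO 8601 timestamp such as '2010-06-23T10:00'."""
    return schedule.is_active(datetime.fromisoformat(iso_timestamp))


# Constructed schedules for the weekday example in the text.
BUSINESS_HOURS = Schedule.from_hours("Business-Hours", range(0, 5), 8, 17)
LUNCH = Schedule.from_hours("Lunch", [0], 12, 13, mode="15 minutes")
NEVER = Schedule("Never")
ALWAYS = Schedule.from_hours("Always", range(7), 0, 24)

if __name__ == "__main__":
    for s in (BUSINESS_HOURS, LUNCH, NEVER, ALWAYS):
        print(s.name, s.precedence_class(), active_at(s, "2010-06-23T10:00"))
```

A schedule is evaluated in the device's local time, so confirm the device clock and time zone before you rely on one to close a policy outside business hours; a wrong zone shifts every cell in the chart.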
Set an operating schedule
You can set an operating schedule for a policy so that it runs at the times you specify. Schedules can be
shared by more than one policy.
To modify a policy schedule:
1. Select any policy and double-click it.
The Edit Policy Properties dialog box appears.
2. Click the Advanced tab.
3. In the Schedule drop-down list, select a predefined schedule.
Or, click an adjacent icon to create a custom schedule.
4. Click OK.
About custom policies
If you need to allow for a protocol that is not included by default as a Firebox or XTM device configuration
option, you must define a custom traffic policy. You can add a custom policy that uses:
- TCP ports
- UDP ports
- An IP protocol that is not TCP or UDP, such as GRE, AH, ESP, ICMP, IGMP, and OSPF. You identify an IP
protocol that is not TCP or UDP with the IP protocol number.
To create a custom policy, you must first create or edit a custom policy template that specifies the ports and
protocols used by policies of that type. Then, you create one or more policies from that template to set
access rules, logging, QoS, and other settings.
Create or edit a custom policy template
1. Click the Add Policies icon.
Or, select Edit > Add Policies.
The Add Policies dialog box appears.
2. Click New.
Or, select a custom policy template and click Edit.
The New Policy Template dialog box appears.
3. In the Name text box, type the name of the custom policy. The name appears in Policy Manager as
the policy type. A unique name helps you to find the policy when you want to change or remove it.
This name must not be the same as any name in the list in the Add Policy dialog box.
4. In the Description text box, type a description of the policy.
This appears in the Details section when you click the policy name in the list of User Filters.
5. Select the type of policy: Packet Filter or Proxy.
6. If you select Proxy, choose the proxy protocol from the adjacent drop-down list.
7. To add protocols for this policy, click Add.
The Add Protocol dialog box appears.
8. From the Type drop-down list, select Single Port or Port Range.
9. From the Protocol drop-down list, select the protocol for this new policy.
If you select Single Port, you can select TCP, UDP, GRE, AH, ESP, ICMP, IGMP, OSPF, IP, or Any.
If you select Port Range, you can select TCP or UDP. The options below the drop-down list change
for each protocol.
Note Fireware XTM does not pass IGMP multicast traffic through the Firebox or XTM
device, or between Firebox or XTM device interfaces. It passes IGMP multicast
traffic only between an interface and the Firebox or XTM device.
10. From the Server Port drop-down list, select the port for this new policy.
If you select Port Range, select a starting server port and an ending server port.
11. Click OK.
The policy template is added to the Custom policies folder.
You can now use the policy template you created to add one or more custom policies to your configuration.
Use the same procedure as you would for a predefined policy.
Import and export custom policy templates
If you manage several Firebox or XTM devices and have custom policies for them, you can use the policy
import/export function to save time. You can define the templates on one Firebox or XTM device, export
them to an ASCII file, and then import them to another Firebox or XTM device.
The Firebox or XTM device where you created the policies must run the same version of WSM as the
version of Policy Manager you use to import the policies. You cannot import a template from a previous
version into the current version.
1. On the first Firebox or XTM device, define custom policy templates for the policies you need.
2. Click Export.
You do not need to select the custom policies. The Export function automatically exports all custom
policies regardless of which policy is actually selected.
3. In the Save dialog box, select where you want to save the policy templates file. Type a name for the
file and click Save.
The default location is My Documents > My WatchGuard.
4. From Policy Manager on a different Firebox or XTM device, on the Add Policies dialog box, click
Import.
5. Find the file you created in Step 3 and click Open.
6. If custom policy templates are already defined in the current Policy Manager, you are asked
whether you want to replace the existing templates or append the imported templates to the
existing templates. Click Replace or Append.
If you click Replace, the existing templates are deleted and replaced with the new templates.
If you click Append, both the existing and the imported templates are listed in alphabetical order
under Custom.
About policy properties
Each policy type has a default definition, which consists of settings that are appropriate for most
organizations. However, you can modify policy settings for your particular business purposes, or add other
settings such as traffic management and operating schedules.
Mobile VPN policies are created and operate in the same way as firewall policies. However, you must
specify a Mobile VPN group to which the policy applies.
To set properties for a policy, double-click the policy icon or name in the Policy Manager window to open
the Edit Policy Properties dialog box. Or, if you have just added a policy to your configuration, the New
Policy Properties box automatically appears for you to set policy properties.
Policy tab
Use the Policy tab to set basic information about a policy, such as whether it allows or denies traffic, and
which devices it manages. You can use the Policy tab settings to create access rules for a policy, or configure
policy-based routing, static NAT, or server load balancing.
For more information on the options for this tab, see the following topics:
- Set access rules for a policy on page 352
- Configure policy-based routing on page 355
- About static NAT on page 180
- Configure server load balancing on page 181
Properties tab
The Properties tab shows the port and protocol to which the policy applies, as well as a description of the
policy that you set. You can use the settings on this tab to set logging, notification, automatic blocking, and
timeout preferences. You can also configure proxy and ALG actions on this tab, which offer different
options for each proxy policy and ALG.
For more information on the options for this tab, see the following topics:
- About proxy actions on page 370 (proxy policies and ALGs only)
- Set logging and notification preferences on page 646
- Block sites temporarily with policy settings on page 486
- Set a custom idle timeout on page 357
Advanced tab
The Advanced tab includes settings for NAT and Traffic Management (QoS), as well as multi-WAN and ICMP
options. You can also set an operating schedule for a policy and apply traffic management actions.
For more information on the options for this tab, see the following topics:
• Set an operating schedule on page 347
• Add a Traffic Management action to a policy on page 470
• Set ICMP error handling on page 357
• Apply NAT rules on page 357
User Guide
351
Policies
• Enable QoS Marking or prioritization settings for a policy on page 466
• Set the sticky connection duration for a policy on page 358
Proxy settings
Proxy policies have predefined rulesets that provide a good balance of security and accessibility for most
installations. If a default ruleset does not meet all of your business needs, you can add, delete, or modify rules.
To modify the settings and rulesets for a proxy action, click the icon to the right of the Proxy action drop-down
list, and select a category of settings.
For more information, see About rules and rulesets on page 361 and the About topic for the specific policy type.
About the DNS proxy on page 378
About the FTP proxy on page 385
About the H.323 ALG on page 392
About the HTTP proxy on page 398
About the HTTPS proxy on page 417
About the POP3 proxy on page 423
About the SIP proxy on page 435
About the SMTP proxy on page 442
About the TCP-UDP proxy on page 456
Set access rules for a policy
You use the Policy tab of the Edit Policy Properties dialog box to configure access rules for a given policy.
The Connections are field defines whether traffic that matches the rules in the policy is allowed, or traffic
that matches the rules is denied. To configure how traffic is handled, use these settings:
Allowed
The Firebox or XTM device allows traffic that uses this policy if it matches the rules you set in the
policy. You can configure the policy to create a log message when network traffic matches the
policy.
Denied
The Firebox or XTM device denies all traffic that matches the rules in this policy and does not send a
notification to the device that sent the traffic. You can configure the policy to create a log message
when a computer tries to use this policy. The policy can also automatically add a computer or
network to the Blocked Sites list if it tries to start a connection with this policy.
For more information, see Block sites temporarily with policy settings on page 486.
Denied (send reset)
The Firebox or XTM device denies all traffic that matches the rules in this policy. You can configure it
to create a log message when a computer tries to use this policy. The policy can also automatically
add a computer or network to the Blocked Sites list if it tries to start a connection with this policy
For more information, see Block sites temporarily with policy settings on page 486.
With this option, the Firebox or XTM device sends a packet to tell the device which sent the network
traffic that the session is refused and the connection is closed. You can set a policy to return other
errors instead, which tell the device that the port, protocol, network, or host is unreachable. We
recommend that you use these options with caution to ensure that your network operates correctly
with other networks.
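The three outcomes above are indistinguishable in Policy Manager but not to the client: an allowed connection completes, Denied (send reset) answers at once with a reset, and plain Denied leaves the client waiting until it gives up. The following Python 3 script is an added example written for this page, not part of the guide or of WatchGuard's software. Run it from a client on the policy's From network against a port the policy covers to confirm which behaviour the policy actually produces. Its self-check uses a constructed loopback listener and a closed loopback port as stand-ins for an allowed and a reset policy; a silent drop cannot be produced on loopback and must be observed against the device itself.

```python
"""Added example: report how a firewall policy answers one TCP connection attempt."""
import errno
import socket
import sys


def classify_tcp_connect(host, port, timeout=3.0):
    """Try one TCP connection to host:port and classify what came back.

    "allowed"      the handshake completed, as with an Allowed policy
    "reset"        a TCP RST or ICMP port-unreachable came back at once,
                   as with Denied (send reset)
    "unreachable"  an ICMP host- or network-unreachable came back, the
                   alternative error a Denied (send reset) policy can return
    "dropped"      nothing came back before the timeout: the SYN was silently
                   discarded, as with plain Denied
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            return "dropped"
        except ConnectionRefusedError:
            # Linux reports both a TCP RST and an ICMP port-unreachable this way.
            return "reset"
        except OSError as exc:
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "unreachable"
            raise
        return "allowed"


def demo_on_loopback():
    """Constructed self-check that needs no firewall.

    A listening socket stands in for an Allowed policy; a loopback port that was
    bound and then released stands in for Denied (send reset), because nothing
    listens there and the kernel answers the SYN with a reset.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.bind(("127.0.0.1", 0))
        closed_port = probe.getsockname()[1]   # free again once probe is closed
    try:
        return {
            "allowed_policy": classify_tcp_connect("127.0.0.1", open_port),
            "reset_policy": classify_tcp_connect("127.0.0.1", closed_port),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python3 probe.py <host> <port>   (run from a client on the From network)
        print(classify_tcp_connect(sys.argv[1], int(sys.argv[2])))
    else:
        print(demo_on_loopback())
```

Choose a timeout well above the round-trip time to the device, otherwise a slow path is misreported as "dropped". Run the probe once from a host that the From list allows and once from a host it does not, so that both the allow and the deny branch of the policy are exercised.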
The Policy tab also includes:
• A From list (or source) that specifies who can send (or cannot send) network traffic with this policy.
• A To list (or destination) that specifies who the Firebox or XTM device can route traffic to if the
traffic matches (or does not match) the policy specifications.
For example, you could configure a ping packet filter to allow ping traffic from all computers on the
external network to one web server on your optional network. However, when you open the destination
network to connections over the port or ports that the policy controls, you can make the network
vulnerable. Make sure you configure your policies carefully to avoid vulnerabilities.
1. To add members to your access specifications, click Add adjacent to the From or the To member list.
The Add Address dialog box appears.
2. The top list contains the members you can add to the From or To lists. A member can be an alias,
user, group, IP address, or range of IP addresses.
3. Select a member you want to add and click Add, or double-click an entry in this window.
If you want to add hosts, users, aliases or tunnels to the policy that do not appear in the Available
Members list, see Add new members for policy definitions on page 354.
4. To add other members to the From or To field, repeat the previous steps.
5. Click OK.
The source and destination can be a host IP address, host range, host name, network address, user name,
alias, VPN tunnel, or any combination of those objects.
For more information on the aliases that appear as options on the From and To list, see About aliases on
page 78.
For more information about how to create a new alias, see Create an alias on page 79.
Add new members for policy definitions
To add hosts, aliases, or tunnels to the Available Members list:
1. Click Add Other.
The Add Member dialog box appears.
2. In the Choose Type drop-down list, select the host range, host IP address, or network IP address to add.
3. In the Value text box, type the correct network address, range, or IP address.
4. Click OK.
The member or address appears in the Selected Members and Addresses list.
To add a user or group to the Available Members list:
1. Click Add User.
The Add Authorized Users or Groups dialog box appears.
2. Select the type of user or group, select the authentication server, and whether you want to add a
user or group.
3. Click Select.
If the user or group you want to add does not appear in the list, it is not yet defined as an authorized user or
group. To define a new authorized user or group, see Use authorized users and groups in policies on page 328.
Configure policy-based routing
To send network traffic, a router usually examines the destination address in the packet and looks at the
routing table to find the next-hop destination. In some cases, you want to send traffic to a different path
than the default route specified in the routing table. You can configure a policy with a specific external
interface to use for all outbound traffic that matches that policy. This technique is known as policy-based
routing. Policy-based routing takes precedence over other multi-WAN settings.
Policy-based routing can be used when you have more than one external interface and have configured
your Firebox or XTM device for multi-WAN. With policy-based routing, you can make sure that all traffic for
a policy always goes out through the same external interface, even if your multi-WAN configuration is set to
send traffic in a round-robin configuration. For example, if you want email to be routed through a particular
interface, you can use policy-based routing in the SMTP or POP3 proxy definition.
Note To use policy-based routing, you must have Fireware XTM with a Pro upgrade. You
must also configure at least two external interfaces.
Policy-based routing, failover, and failback
When you use policy-based routing with multi-WAN failover, you can specify whether traffic that matches
the policy uses another external interface when failover occurs. The default setting is to drop traffic until
the interface is available again.
Failback settings (defined on the Multi-WAN tab of the Network Configuration dialog box) also apply to
policy-based routing. If a failover event occurs, and the original interface later becomes available, the
Firebox or XTM device can send active connections to the failover interface, or it can fail back to the original
interface. New connections are sent to the original interface.
Restrictions on policy-based routing
• Policy-based routing is available only if multi-WAN is enabled. If you enable multi-WAN, the Edit
Policy Properties dialog box automatically includes fields to configure policy-based routing.
• By default, policy-based routing is not enabled.
• Policy-based routing does not apply to IPSec traffic, or to traffic destined for the trusted or optional
network (incoming traffic).
Add policy-based routing to a policy
1. Open Policy Manager.
2. Select a policy and click the edit icon, or double-click the policy.
The Edit Policy Properties dialog box appears.
3. Select the Use policy-based routing check box.
4. To specify the interface to send outbound traffic that matches the policy, select the interface name
from the adjacent drop-down list. Make sure that the interface you select is a member of the alias or
network that you set in the To field of your policy.
5. (Optional) Configure policy-based routing with multi-WAN failover as described below. If you do not
select Failover and the interface you set for this policy becomes inactive, traffic is dropped until
the interface becomes available again.
6. Click OK.
Configure policy-based routing with failover
You can set the interface you specified for this policy as the primary interface, and define other external
interfaces as backup interfaces for all non-IPSec traffic.
1. In the Edit Policy Properties dialog box, select Failover.
2. To specify backup interfaces for this policy, click Configure.
If the primary interface you set for this policy is not active, traffic is sent to the backup interface or
interfaces you specify here.
The Policy Failover Configuration dialog box appears.
3. In the Include column, select the check box for each interface you want to use in the failover
configuration. Use the Move Up and Move Down buttons to set the order for failover. The first
interface in the list is the primary interface.
4. Click OK to close the Policy Failover Configuration dialog box.
5. Click OK to close the Edit Policy Properties dialog box.
6. Save the configuration file.
Set a custom idle timeout
Idle timeout is the maximum length of time that a connection can stay active when no traffic is sent. By
default, the Firebox or XTM device closes network connections after 180 seconds (3 minutes). When you
enable this setting for a policy, the Firebox or XTM device closes the connection after the length of time that
you specify.
1. In the Policy Properties dialog box, select the Properties tab.
2. Select the Specify Custom Idle Timeout check box.
3. In the adjacent text box, type or select the number of seconds before a timeout occurs.
Set ICMP error handling
You can set the ICMP error handling settings associated with a policy. These settings override the global
ICMP error handling settings.
To change the ICMP error handling settings for the current policy:
1. From the ICMP Error Handling drop-down list, select Specify setting.
2. Click ICMP Setting.
3. In the ICMP Error Handling Settings dialog box, select the check boxes to configure individual
settings.
4. Click OK.
For more information on global ICMP settings, see Define Firebox or XTM device global settings on page 81.
Apply NAT rules
You can apply Network Address Translation (NAT) rules to a policy. You can select 1-to-1 NAT or Dynamic NAT.
1. In the Edit Policy Properties dialog box, select the Advanced tab.
2. Select one of the options described in the subsequent sections.
1-to-1 NAT
With this type of NAT, the Firebox or XTM device uses private and public IP ranges that you set, as described
in About 1-to-1 NAT on page 168.
Dynamic NAT
With this type of NAT, the Firebox or XTM device maps private IP addresses to public IP addresses. All
policies have dynamic NAT enabled by default.
Select Use Network NAT Settings if you want to use the dynamic NAT rules set for the Firebox or XTM
device.
Select All traffic in this policy if you want to apply NAT to all traffic in this policy.
In the Set Source IP field, you can select a dynamic NAT source IP address for any policy that uses dynamic
NAT. This makes sure that any traffic that uses this policy shows a specified address from your public or
external IP address range as the source. This is helpful if you want to force outgoing SMTP traffic to show
your domain’s MX record address when the IP address on the Firebox or XTM device external interface is
not the same as your MX record IP address.
1-to-1 NAT rules have higher precedence than dynamic NAT rules.
Set the sticky connection duration for a policy
The sticky connection setting for a policy overrides the global sticky connection setting. You must enable
multi-WAN to use this feature.
1. In the Policy Properties dialog box, select the Advanced tab.
2. Select the Sticky Connection tab.
3. To use the global multi-WAN sticky connection setting, clear the Override Multi-WAN sticky
connection setting check box.
4. To set a custom sticky connection value for this policy, select the Enable sticky connection check box.
5. In the Enable sticky connection text box, type the amount of time in minutes to maintain the
connection.
14
Proxy Settings
About proxy policies and ALGs
All WatchGuard policies are important tools for network security, whether they are packet filter policies,
proxy policies, or application layer gateways (ALGs). A packet filter examines each packet’s IP and TCP/UDP
header, a proxy monitors and scans whole connections, and an ALG provides transparent connection
management in addition to proxy functionality. Proxy policies and ALGs examine the commands used in the
connection to make sure they are in the correct syntax and order, and use deep packet inspection to make
sure that connections are secure.
A proxy policy or ALG opens each packet in sequence, removes the network layer header, and examines
the packet’s payload. A proxy then rewrites the network information and sends the packet to its destination,
while an ALG restores the original network information and forwards the packet. As a result, a proxy or ALG
can find forbidden or malicious content hidden or embedded in the data payload. For example, an SMTP
proxy examines all incoming SMTP packets (email) to find forbidden content, such as executable programs
or files written in scripting languages. Attackers frequently use these methods to send computer viruses. A
proxy or ALG can enforce a policy that forbids these content types, while a packet filter cannot detect the
unauthorized content in the packet’s data payload.
If you have purchased and enabled additional subscription services (Gateway AntiVirus, Intrusion
Prevention Service, spamBlocker, WebBlocker), WatchGuard proxies can apply these services to network
traffic.
Proxy configuration
Like packet filters, proxy policies include common options to manage network traffic, including traffic
management and scheduling features. However, proxy policies also include settings that are related to the
specified network protocol. These settings are configured with rulesets, or groups of options that match a
specified action. For example, you can configure rulesets to deny traffic from individual users or devices, or
allow VoIP (Voice over IP) traffic that matches the codecs you want. When you have set all of the
configuration options in a proxy, you can save that set of options as a user-defined proxy action and use it
with other proxies.
Fireware XTM supports proxy policies for many common protocols, including DNS, FTP, H.323, HTTP, HTTPS,
POP3, SIP, SMTP, and TCP-UDP. For more information on a proxy policy, see the section for that policy.
About the DNS proxy on page 378
About the FTP proxy on page 385
About the H.323 ALG on page 392
About the HTTP proxy on page 398
About the HTTPS proxy on page 417
About the POP3 proxy on page 423
About the SIP proxy on page 435
About the SMTP proxy on page 442
About the TCP-UDP proxy on page 456
Proxy and AV alarms
An alarm is an event that triggers a notification, which is a mechanism to tell a network administrator about
a condition in the network. In a proxy definition, an alarm might occur when traffic matches, or does not
match, a rule in the proxy. An alarm might also occur when the Actions to take selections are set to an
action other than Allow.
For example, the default definition of the FTP proxy has a rule that denies the download of files whose file
types match any of these patterns: .cab, .com, .dll, .exe, and .zip. You can specify that an alarm is generated
whenever the Firebox or XTM device takes the Deny action because of this rule.
For each proxy, you can define what the Firebox or XTM device does when an alarm occurs.
1. In the Categories section of the proxy definition, select Proxy and AV Alarm.
2. You can define the Firebox or XTM device to send an SNMP trap, a notification to a network
administrator, or both. The notification can either be an email message to a network administrator
or a pop-up window on the administrator's management computer.
For more information on the Proxy and AV alarm fields, see Set logging and notification preferences
on page 646.
3. If you want to change settings for one or more other categories in this proxy, go to the section in this
document on the next category you want to modify.
If you are finished with your changes to this proxy definition, click OK.
If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a
new action.
4. Type a name for the new action and click OK.
The New Policy Properties dialog box appears.
For more information on predefined user actions, see About predefined and user-defined proxy
actions on page 371.
About rules and rulesets
When you configure a proxy policy or ALG (application layer gateway) you must either create a new rule or
modify an old rule. Rules are sets of criteria to which a proxy compares traffic. A rule consists of a type of
content, pattern, or expression, and the action of the Firebox or XTM device when a component of the
packet’s content matches that content, pattern, or expression. Rules also include settings for when the
Firebox or XTM device sends alarms or creates a log entry. A ruleset is a group of rules based on one
feature of a proxy such as the content types or filenames of email attachments. The process to create and
modify rules is consistent in each WatchGuard System Manager proxy policy or ALG.
Your Firebox or XTM device includes default sets of rules for each proxy policy included in the Firebox or
XTM device configuration. Separate sets of rules are provided for clients and servers, to protect both your
trusted users and your public servers. You can use the default configuration for these rules, or you can
customize them for your particular business purposes.
About working with rules and rulesets
When you configure a proxy or ALG, you can see the rulesets for that proxy in the Categories list. These
rulesets change when you change the proxy action on the Properties tab of a proxy configuration window.
For example, the rules for the FTP-Client action have different settings than the rules for the FTP-Server
action.
WatchGuard proxies have predefined rulesets that provide a good balance of security and accessibility for
most installations. If a default ruleset does not meet all of your business needs, you can Add, change, or
delete rules.
Simple and advanced views
You can see rules in proxy definitions in two ways: simple view and advanced view.
• Simple view — Select this view to configure wildcard pattern matching with simple regular
expressions.
• Advanced view — Shows the action for each rule. Select this view to use special buttons to edit,
clone (use an existing rule definition to start a new one), delete, or reset rules. You can also use the
advanced view to configure exact match and Perl-compatible regular expressions.
After you have used the advanced view, you can only change to the simple view if all enabled rules have
the same action, alarm, or log settings. For example, if you have five rules with four set to Allow and one set
to Deny, you must continue to use the advanced view.
Configure rulesets and change the view
To configure rulesets for a policy in Policy Manager:
1. Double-click a policy or add a new policy.
2. In the Policy Properties dialog box, click the Properties tab.
3. Click the icon to the right of the Proxy action drop-down list.
The Proxy Action Configuration dialog box appears.
4. To change the view, click Change View.
5. Add, change, or delete rules.
Add, change, or delete rules
You can use either the simple or advanced view of the ruleset to add rules.
Use the simple view to configure wildcard pattern matching with simple regular expressions. Use the
advanced view to configure exact match and Perl-compatible regular expressions. Also, the advanced view
shows the action for each rule and has buttons you can use to edit, clone (use an existing rule definition to
start a new one), delete, or reset rules.
For more information, see About rules and rulesets on page 361 and About regular expressions on page 365.
When you configure a rule, you select the actions the proxy takes for each packet. Different actions appear
for different proxies or for different features of a particular proxy. For example, the actions Strip and Lock
apply only to attachments, such as in the SMTP and POP3 proxies. This list includes all possible actions:
Allow
Allows the connection.
Deny
Denies a specific request but keeps the connection if possible. Sends a response to the client.
Drop
Denies the specific request and drops the connection. Does not send an application-level response to the
sender; the Firebox or XTM device sends only a TCP reset packet to the client. The client’s browser might
display “The connection was reset” or “The page cannot be displayed” but the browser does not tell the
user why.
Block
Denies the request, drops the connection, and blocks the site. For more information on blocked
sites, see About blocked sites on page 483.
All traffic from the site's IP address is denied for the amount of time specified in Policy Manager at
Setup > Default Threat Protection > Blocked Sites, on the Auto-Blocked tab. Use this action only if
you want to stop all traffic from the offender for this time.
Strip
Removes an attachment from a packet and discards it. The other parts of the packet are sent
through the Firebox or XTM device to its destination.
Lock
Locks an attachment, and wraps it so that it cannot be opened by the user. Only the administrator
can unlock the file.
AV Scan
Scans the attachment for viruses. If you select this option, Gateway AntiVirus is enabled for the
policy.
Add rules (simple view)
To add a new rule in simple view:
1. In the Pattern text box, type a pattern that uses simple regular expression syntax.
The wildcard for zero or more characters is “*”. The wildcard for exactly one character is “?”.
2. Click Add.
The new rule appears in the Rules box.
3. Select the Actions to take:
• In the If matched drop-down list, set the action to take if the contents of a packet match one of
the rules in the list.
• In the None matched drop-down list, set the action to take if the contents of a packet do not
match a rule in the list.
4. To configure an alarm for this event, select the Alarm check box.
An alarm notifies users when a proxy rule applies to network traffic. To set the options for the alarm,
select Proxy Alarm from the Categories list on the left side of a Proxy Configuration window. You
can send an SNMP trap, send email, or open a pop-up window.
5. To create a message for this event in the traffic log, select the Log check box.
Add rules (advanced view)
You use the advanced view to configure exact match and Perl-compatible regular expressions. For
information on how to work with regular expressions, see About regular expressions on page 365.
1. In the Proxy Action Configuration dialog box, click Add.
The New <ruletype> Rule dialog box appears.
2. In the Rule Name text box, type the name of the rule.
This text box is blank when you add a rule, can be changed when you clone a rule, and cannot be changed
when you edit a rule.
3. In the Rule Settings drop-down list, select an option:
• Exact Match — Select when the contents of the packet must match the rule text exactly.
• Pattern Match — Select when the contents of the packet must match a pattern of text that can
include wildcard characters.
• Regular Expression — Select when the contents of the packet must match a pattern of text
with a regular expression.
4. In the Rule Settings text box, type the text of the rule.
If you selected Pattern Match as the rule setting, use an asterisk (*), a period (.), or a question mark
(?) as wildcard characters.
5. In the Rule Actions section, in the Action drop-down list, select the action the proxy takes for this rule.
6. To create an alarm for this event, select the Alarm check box. An alarm tells users when a proxy rule
applies to network traffic.
7. To create a message for this event in the traffic log, select the Log check box.
Cut and paste rule definitions
You can copy and paste content in text boxes from one proxy definition to another. For example, suppose
you write a custom deny message for the POP3 proxy. You can select the deny message, copy it, and paste
it into the Deny Message text box for the SMTP proxy.
When you copy between proxy definitions, you must make sure the text box you copy from is compatible
with the proxy you paste it into. You can copy rulesets only between proxies or categories within these four
groups. Other combinations are not compatible.
Content Types: HTTP Content Types, SMTP Content Types, POP3 Content Types
Filenames: FTP Download, FTP Upload, HTTP URL Paths, SMTP Filename, POP3 Filenames
Addresses: SMTP Mail From, SMTP Mail To
Authentication: SMTP Authentication, POP3 Authentication
Import or export rulesets
You can import and export entire rulesets between proxy definitions. For more information, see Import
and export rulesets on page 369.
Change the order of rules
The order that rules are shown in the Rules list is the same as the order in which traffic is compared to the
rules. The proxy compares traffic to the first rule in the list and continues in sequence from top to bottom.
When traffic matches a rule, the Firebox or XTM device performs the related action. It performs no other
actions, even if the traffic matches a rule later in the list. You must use the advanced view of rules to
change their order.
To change the sequence of rules:
1. To see the advanced view of rules, click Change View.
2. Select the rule whose order you want to change.
3. Click Up or Down to move the rule up or down in the list.
Change the default rule
If traffic does not match any of the rules you have defined for a proxy category, the Firebox or XTM device
uses the default rule. This rule appears at the bottom of any list of rules when you use the advanced view.
To modify the default rule:
1. Select the default rule and click Edit.
The Edit Default Rule dialog box appears.
2. You can change the action for the default rule, and whether the action triggers an alarm or a log
message.
You cannot change the name “Default” or the order of the rule. It must be the last rule in the list.
3. Click OK.
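The preceding sections describe one evaluation model: rules are compared top to bottom, the first match decides and nothing below it is consulted, and the fixed Default rule catches everything else. The following Python 3 script is an added example written for this page, not WatchGuard code; it models that evaluation for the three Rule Settings kinds and runs it over a constructed FTP Download ruleset shaped like the default one that denies .cab, .com, .dll, .exe and .zip downloads. Two behaviours are assumptions rather than statements from the guide and should be confirmed on your device: a Pattern Match must cover the whole value (so `*.exe` does not match `setup.exe.txt`), and the period is treated as a literal even though the guide lists it among the Pattern Match wildcards. Pattern and exact matches are case-sensitive in this model; only the regular-expression rule uses `(?i)`.

```python
r"""Added example: first-match evaluation of a proxy ruleset as this guide describes it.

A stand-alone Python 3 model written for this page, not WatchGuard code. It implements
the three Rule Settings kinds (Exact Match, Pattern Match, Regular Expression), the
top-to-bottom order, and the fixed Default rule at the end of the list.
"""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    kind: str          # "exact", "pattern" or "regex"
    text: str
    action: str        # Allow, Deny, Drop, Block, Strip, Lock or AV Scan
    alarm: bool = False
    log: bool = False


def pattern_to_regex(pattern):
    """Translate the simple-view wildcards: '*' is zero or more characters, '?' is one.

    Assumption: every other character is literal and the pattern must cover the whole
    value, so '*.exe' matches 'setup.exe' but not 'setup.exe.txt'. The guide also lists
    '.' among the Pattern Match wildcards; confirm that on your own device.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def rule_matches(rule, value):
    """Does one rule match the value (a filename, URL path, address, ...)?"""
    if rule.kind == "exact":
        return value == rule.text
    if rule.kind == "pattern":
        return re.fullmatch(pattern_to_regex(rule.text), value) is not None
    if rule.kind == "regex":
        # Fireware accepts any value that contains the expression: search, not fullmatch.
        return re.search(rule.text, value) is not None
    raise ValueError("unknown rule kind: %r" % rule.kind)


def evaluate(rules, default, value):
    """Compare value to the rules top to bottom; the first match decides.

    Rules below the first match are never consulted. If nothing matches, the Default
    rule, which is always last and cannot be moved, decides.
    """
    for rule in rules:
        if rule_matches(rule, value):
            return rule
    return default


def decide(rules, values, default):
    """Return {value: (name of the deciding rule, its action)} for a batch of values."""
    verdicts = {}
    for value in values:
        hit = evaluate(rules, default, value)
        verdicts[value] = (hit.name, hit.action)
    return verdicts


# Constructed FTP Download ruleset modelled on the default that denies .cab, .com, .dll,
# .exe and .zip downloads, with one exact-match exception placed first so that it takes
# precedence over the wildcard rule below it.
DEFAULT_RULE = Rule("Default", "exact", "", "Allow")     # kind and text unused for Default
FTP_DOWNLOAD = [
    Rule("Vendor-Installer", "exact", "vendor-update.exe", "Allow", log=True),
    Rule("Executables", "pattern", "*.exe", "Deny", alarm=True, log=True),
    Rule("Libraries", "pattern", "*.dll", "Deny", alarm=True, log=True),
    Rule("Com-Files", "pattern", "*.com", "Deny", alarm=True, log=True),
    Rule("Cabinets", "pattern", "*.cab", "Deny", alarm=True, log=True),
    Rule("Zip-Archives", "regex", r"(?i)\.zip$", "Deny", log=True),   # (?i): ignore case
]


if __name__ == "__main__":
    samples = ["report.pdf", "tool.exe", "vendor-update.exe", "ARCHIVE.ZIP", "helper.dll"]
    for value, (name, action) in decide(FTP_DOWNLOAD, samples, DEFAULT_RULE).items():
        print("%-20s %-6s (%s)" % (value, action, name))
    # Move the exception below the wildcard rule and it can never fire:
    reordered = FTP_DOWNLOAD[1:] + FTP_DOWNLOAD[:1]
    print(decide(reordered, ["vendor-update.exe"], DEFAULT_RULE))
```

The reordered run at the end shows why the order buttons matter: once the `*.exe` rule sits above the exact-match exception, `vendor-update.exe` is denied and the exception is dead. The case-sensitive pattern rules also let `Setup.EXE` through to the Default rule, which is the kind of gap to look for when you review a ruleset.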
About regular expressions
A regular expression is a group of letters, numbers, and special characters used to match data. You can use
Perl-compatible regular expressions (PCRE) in your Firebox or XTM device configuration to match certain
types of traffic in proxy actions. For example, you can use one regular expression to block connections to
some web sites and allow connections to other web sites. You can also deny SMTP connections when the
recipient is not a valid email address for your company. For example, if you want to block parts of a web site
that violate your company’s Internet use policy, you can use a regular expression in the URL Paths category
of the HTTP proxy configuration.
General guidelines
• Regular expressions in Fireware are case-sensitive — When you create a regular expression, you
must be careful to match the case of the letters in your regular expression to the letters of the text
you want to match. You can change the regular expression to not be case-sensitive when you put
the (?i) modifier at the start of a group.
• Regular expressions in Fireware are different from MS-DOS and Unix wildcard characters — When
you change files using MS-DOS or the Windows Command Prompt, you can use ? or * to match one
or more characters in a file name. These simple wildcard characters do not operate the same way in
Fireware.
For more information on how wildcard characters operate in Fireware, see the subsequent
sections.
How to build a regular expression
The most simple regular expression is made from the text you want to match. Letters, numbers, and other
printable characters all match the same letter, number, or character that you type. A regular expression
made from letters and numbers can match only a character sequence that includes all of those letters and
numbers in order.
Example: fat matches fat, fatuous, and infatuated, as well as many other sequences.
Note Fireware accepts any character sequence that includes the regular expression. A
regular expression frequently matches more than one sequence. If you use a
regular expression as the source for a Deny rule, you can block some network
traffic by accident. We recommend that you fully test your regular expressions
before you save the configuration to your Firebox or XTM device.
To match different sequences of characters at the same time, you must use a special character. The most
common special character is the period (.), which is similar to a wildcard. When you put a period in a regular
expression, it matches any character, space, or tab. The period does not match line breaks (\r\n or \n).
Example: f..t matches foot, feet, f&#t, f -t, and f\t3t.
To match a special character, such as the period, you must add a backslash (\) before the character. If you
do not add a backslash to the special character, the rule may not operate correctly. It is not necessary to add
a second backslash if the character usually has a backslash, such as \t (tab stop).
You must add a backslash to each of these special characters to match the real character: ? . * | + $ \ ^ ( ) [
Example: \$9\.99 matches $9.99
Hexadecimal characters
To match hexadecimal characters, use \x or %0x%. Hexadecimal characters are not affected by the case-insensitive
modifier.
Example: \x66 or %0x66% matches f, but cannot match F.
Repetition
To match a variable amount of characters, you must use a repetition modifier. You can apply the modifier to
a single character, or a group of characters. There are four types of repetition modifiers:
• Numbers inside curly braces (such as {2,4}) match as few as the first number, or as many as the
second number.
Example: 3{2,4} matches 33, 333, or 3333. It does not match 3. Because Fireware accepts any sequence
that includes the expression, 33333 also matches (its first four characters); to require exactly two to
four, anchor the expression: ^3{2,4}$.
• The question mark (?) matches zero or one occurrence of the preceding character, class, or group.
Example: me?et matches met and meet.
• The plus sign (+) matches one or more occurrences of the preceding character, class, or group.
Example: me+t matches met, meet, and meeeeeeeeet.
• The asterisk (*) matches zero or more occurrences of the preceding character, class, or group.
Example: me*t matches mt, met, meet, and meeeeeeeeet.
To apply modifiers to many characters at once, you must make a group. To group a sequence of characters,
put parentheses around the sequence.
Example: ba(na)* matches ba, bana, banana, and banananananana.
Character classes
To match one character from a group, use square brackets instead of parentheses to create a character
class. You can apply repetition modifiers to the character class. The order of the characters inside the class
does not matter.
The only special characters inside a character class are the closing bracket (]), the backslash (\), the caret (^),
and the hyphen (-).
Example: gr[ae]y matches gray and grey.
To use a caret in the character class, do not make it the first character.
To use a hyphen in the character class, make it the first character.
A negated character class matches everything but the specified characters. Type a caret (^) at the beginning
of any character class to make it a negated character class.
Example: [Qq][^u] matches Qatar, but not question or Iraq.
Ranges
Character classes are often used with character ranges to select any letter or number. A range is two letters
or numbers, separated by a hyphen (-), that mark the start and finish of a character group. Any character in
the range can match. If you add a repetition modifier to a character class, the preceding class is repeated.
Example: [1-3][0-9]{2} matches 100 and 399, as well as any number in between.
Some ranges that are used frequently have a shorthand notation. You can use shorthand character classes
inside or outside other character classes. A negated shorthand character class matches the opposite of what
the shorthand character class matches. The table below includes several common shorthand character
classes and their negated values.
Class   Equivalent to                          Negated   Equivalent to
\w      Any letter or number [A-Za-z0-9]       \W        Not a letter or number
\s      Any whitespace character [ \t\r\n]     \S        Not whitespace
\d      Any number [0-9]                       \D        Not a number
Anchors
To match the beginning or end of a line, you must use an anchor. The caret (^) matches the beginning of a
line, and the dollar sign ($) matches the end of a line.
Example: ^am.*$ matches ampere if ampere is the only word on the line. It does not match dame.
You can use \b to match a word boundary, or \B to match any position that is not a word boundary.
There are three kinds of word boundaries:
• Before the first character in the character sequence, if the first character is a word character (\w)
• After the last character in the character sequence, if the last character is a word character (\w)
• Between a word character (\w) and a non-word character (\W)
Alternation
You can use alternation to match a single regular expression out of several possible regular expressions. The
alternation operator in a regular expression is the pipe character (|). It is similar to the boolean operator OR.
Example: m(oo|a|e)n matches the first occurrence of moon, man, or men.
Common regular expressions
Match the PDF content type (MIME type)
^%PDF
Match any valid IP address
(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)
Match most email addresses
[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}
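The following added example is not part of the guide. It runs the syntax described above, together with the three common expressions, through Python's re module so that a rule can be checked against sample content before it is put into a proxy ruleset. Python's syntax agrees with the guide for every construct used here (classes, ranges, repetition, groups, anchors, alternation and \b), but the page does not name the proxy's matching engine, so treating Python's behaviour as representative is an assumption; the sample log line and the bounded variant of the IP pattern are also this example's own.

```python
import re

# Added example, not from the WatchGuard guide: runs the guide's regular
# expression examples and "common regular expressions" through Python's re
# module.  That the proxy's matcher behaves the same is an assumption, since
# the page does not name its engine.


def matches(pattern: str, text: str, case_insensitive: bool = False) -> bool:
    """True if `pattern` occurs anywhere in `text` (search semantics, which is
    how the guide's anchor example ^am.*$ is described on a line)."""
    flags = re.IGNORECASE if case_insensitive else 0
    return re.search(pattern, text, flags) is not None


def consumes(pattern: str, text: str) -> bool:
    """True if `pattern` matches exactly `text` and nothing less: the sense in
    which the guide says 3{2,4} matches 3333 but not 33333."""
    return re.fullmatch(pattern, text) is not None


# The guide's common expressions, built from a reusable octet pattern.
OCTET = r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"   # 0 to 255
IPV4 = r"\.".join([OCTET] * 4)                        # guide's "any valid IP address"
EMAIL = r"[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}"
PDF_MAGIC = r"^%PDF"


def find_ipv4(text: str, bounded: bool = False) -> list:
    """Every IPv4-looking string in `text`.  Unanchored, the guide's pattern
    also matches the tail of a longer digit run (999.1.1.1 yields 99.1.1.1);
    bounded=True wraps it in the guide's \\b word-boundary anchors (an
    addition of this example)."""
    pattern = rf"\b{IPV4}\b" if bounded else IPV4
    return [m.group(0) for m in re.finditer(pattern, text)]


# Constructed sample line (not real traffic) with two malformed addresses.
SAMPLE_LOG = "src=10.0.0.5 dst=192.168.1.300 host=999.1.1.1"
```

Two points show up when the patterns run. An unanchored repetition such as 3{2,4} still fires on 33333 under search semantics, because a rule only needs some substring of the content to match; a pattern that must cover a whole field needs the ^ and $ anchors or \b. The IP pattern from the guide likewise accepts the tail of a longer digit run unless it is bounded. The email pattern's {2,4} rejects top-level domains longer than four letters, which is why the guide calls it a match for "most" addresses.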
Import and export rulesets
If you manage several Firebox or XTM devices, you can import and export rulesets between them. This
saves time because you must define the rules only once. You define the rules once for one proxy definition,
export them to an XML file, and then import them to a new proxy definition.
1. Create the rulesets for one proxy or category.
2. If necessary, click Change View to see the advanced view of the ruleset.
3. Click Export.
4. In the Save dialog box, select where you want to save the XML file.
The default location is My Documents > My WatchGuard.
5. Type a name for the file and click Save.
6. In the new proxy definition, click Import.
7. Find the file you created in Step 2 and click Open.
8. If rules are already defined in the new proxy, you are asked whether you want to clear the old
ruleset first.
• Click Yes to delete the existing rules and replace them with the new ones.
• Click No to include both the existing and the imported rules in the ruleset.
Copy rulesets between different proxies or categories
Some rulesets can be used in more than one proxy or category. For example, you can export the Content
Types ruleset of an HTTP proxy action, and then import it to the Content Types ruleset of an SMTP proxy
action. Or, you can export the SMTP Mail From ruleset to the SMTP Mail To ruleset.
For more information about the groups that you can copy rulesets between, see Cut and paste rule
definitions on page 364.
About proxy actions
A proxy action is a specific group of settings, sources, or destinations for a type of proxy. Because your
configuration can include several proxy policies of the same type, each proxy policy uses a different proxy
action. Each proxy policy has predefined, or default, proxy actions for clients and servers. For example, you
can use one proxy action for packets sent to a POP3 server protected by the Firebox or XTM device, and a
different proxy action to apply to email messages retrieved by POP3 clients.
You can create many different proxy actions for either clients or servers, or for a specified type of proxy
policy. However, you can assign only one proxy action to each proxy policy. For example, a POP3 policy is
linked to a POP3-Client proxy action. If you want to create a POP3 proxy action for a POP3 server, or an
additional proxy action for POP3 clients, you must add new POP3 proxy policies to Policy Manager that use
those new proxy actions.
Set the proxy action
1. In the Add/Edit Policy Properties dialog box, select the Properties tab.
2. From the Proxy action drop-down list, select the proxy action to use with this proxy policy.
Edit, delete, or clone proxy actions
You can also edit, delete, or clone a predefined proxy action, or a proxy action you have already created:
1. Select Setup > Actions > Proxies.
2. From the Proxy Actions dialog box, select the proxy action you want to edit, delete, or clone.
3. Click Edit, Remove, or Clone.
You cannot delete predefined proxy actions, which appear in blue. You can only delete user-defined
proxy actions, which appear in black.
For more information on the proxy action settings for each proxy, see the About topic for that proxy.
About the DNS proxy on page 378
About the FTP proxy on page 385
About the H.323 ALG on page 392
About the HTTP proxy on page 398
About the HTTPS proxy on page 417
About the POP3 proxy on page 423
About the SIP proxy on page 435
About the SMTP proxy on page 442
About the TCP-UDP proxy on page 456
Import or export proxy actions
If you manage several Firebox or XTM devices and need to add the same policies to each one, you can use
the policy import/export function to save time. You can define the proxy actions on one Firebox or XTM
device, export them to a text file, and then import the policies on another Firebox or XTM device.
For more information, see Import and export user-defined proxy actions on page 372.
About predefined and user-defined proxy actions
Fireware XTM has predefined client and server proxy actions for each proxy. These predefined actions are
configured to balance the accessibility requirements of a typical company with the need to protect your
computer assets from attacks. You cannot change the settings of predefined proxy actions. If you want to
make changes to the configuration, you must clone (copy) the existing definition and save it as a user-defined proxy action.
For example, if you want to change a setting in the HTTP-Client proxy action, you must save it with a
different name, such as HTTP-Client.1. This is necessary only when you make changes to rulesets. If you
make changes to general settings such as the allowed sources or destinations or NAT settings for a policy,
you do not need to save it under a new name.
Import or export proxy actions
If you manage several Firebox or XTM devices and have proxy actions defined for them, you can use the
policy import/export function to save time. You can define the proxy actions on one Firebox or XTM device,
export them to an ASCII file, and then import them to another Firebox or XTM device.
For more information, see Import and export user-defined proxy actions on page 372.
Import and export user-defined proxy actions
If you manage several Firebox or XTM devices and have user-defined proxy actions for them, you can use
the policy action import/export function to save time. You can define custom proxy actions on one Firebox,
export them to an ASCII file, and then import them to another Firebox.
The Firebox for which you created the policies must run the same version of WSM as the version of Policy
Manager you use to import the proxy actions. You cannot import a proxy action from an old version into the
current version.
1. On the first Firebox or XTM device, create the user-defined proxy actions.
2. In the Proxy Actions dialog box, click Export.
You do not need to select the user-defined actions. The Export function automatically exports all
custom actions regardless of which proxy action is actually selected.
3. In the Save dialog box, select where you want to save the proxy actions file.
The default location is My Documents > My WatchGuard.
4. Type a name for the file and click Save.
5. In Policy Manager on a different Firebox or XTM device, in the Proxy Actions dialog box, click
Import.
6. Find the file you created in Step 3 and click Open.
7. If user-defined proxy actions are already defined in the current Policy Manager, you are asked
whether you want to replace the existing actions or append the imported actions to the existing
ones. Click Replace or Append.
• Replace — The existing user-defined proxy actions are deleted and replaced with the new
actions.
• Append — Both the existing and the imported actions appear in the dialog box.
Use predefined content types
You can restrict HTTP network traffic and POP3 or SMTP email attachments by content type. You can use the
Content Type categories of these proxy policies to allow or deny the content types you specify.
1. From any proxy category, click Predefined.
The Select Content Type dialog box appears.
2. Select one or more common content types that you want to add to the Content Types ruleset.
Use the Control and/or Shift keys to select multiple content types at the same time.
3. Click OK.
About Application Blocker Configurations
You can use Application Blocker to set the actions your Firebox or XTM device takes when a TCP-UDP, HTTP,
or HTTPS proxy policy detects network activity from Instant Messaging (IM) or Peer-to-Peer (P2P)
applications.
Application Blocker identifies these IM applications:
• AIM (AOL Instant Messenger)
• ICQ
• IRC
• MSN Messenger
• Skype
• Yahoo! Messenger
Note Application blocker cannot block Skype sessions that are already active. For more
information, see About Skype and Application Blocker.
Application Blocker identifies these P2P applications:
• BitTorrent
• Ed2k (eDonkey2000)
• Gnutella
• Kazaa
• Napster
• Winny
Note The Intrusion Prevention Service is not required to use the Application Blocker
feature.
Create an Application Blocker configuration
To block common Instant Messaging (IM) and Peer-to-Peer (P2P) application traffic, you can use Policy
Manager to create an Application Blocker configuration. You can use this configuration in one or more
policies to apply consistent traffic rules.
To create an Application Blocker configuration:
1. Select Setup > Actions > Application Blocker.
The Application Blockers dialog box appears.
2. Click Add.
The New Application Blocker Configuration dialog box appears. The IM tab is selected by default.
3. In the Name text box, type a name for this Application Blocker configuration.
4. (Optional) In the Description text box, type a short description for the configuration.
5. In the drop-down list, select the action the Firebox or XTM device takes when it detects IM traffic:
• Allow: Allows the packet to go to the recipient, even if the content matches a signature.
• Drop: Drops the packet and sends a TCP reset packet to the sender.
6. Select the check box for each IM application you want to include in the proxy action.
To select all of the IM applications in the list, select the All Categories check box.
7. To set actions for P2P applications, select the P2P tab.
8. From the drop-down list, select the action the Firebox or XTM device takes when it detects P2P
traffic:
• Allow: Allows the packet to go to the recipient, even if the content matches a signature.
• Drop: Drops the packet and sends a TCP reset packet to the sender.
9. Select the check box for each P2P application you want to include in the proxy action.
To select all of the P2P applications in the list, select the All Categories check box.
10. To configure logging and notification for this Application Blocker Configuration, click Logging and
Notification.
The Logging and Notification dialog box appears.
For more information about logging and notification settings, see Set logging and notification
preferences.
11. Click OK to create the Application Blocker configuration.
The new Application Blocker Configuration appears in the Application Blockers dialog box.
12. Click Close.
After you create the Application Blocker configuration, you can update your TCP-UDP or HTTP proxy
configurations to use the Application Blocker configuration you created.
About Skype and Application Blocker
Skype is a popular peer-to-peer (P2P) network application that is used to make voice calls, send text
messages or files, or participate in videoconferences over the Internet. The Skype client uses a dynamic
combination of ports that include outbound ports 80 and 443. Skype traffic is very difficult to detect and
block because it is encrypted, and because the Skype client is able to bypass many network firewalls.
You can configure Application Blocker to block a user login to the Skype network. It is important to
understand that Application Blocker can only block the Skype login process. It cannot block traffic for a
Skype client that has already logged in and has an active connection. For example:
• If a remote user logs in to Skype when the computer is not connected to your network, and then the
user connects to your network while the Skype client is still active, Application Blocker cannot block
the Skype traffic until the user logs off the Skype network or restarts their computer.
• When you first configure Application Blocker to block Skype, any users that are already logged in to
the Skype network are not blocked until they log off the Skype network, or restart their computers.
When Application Blocker blocks a Skype login, it adds the IP addresses of the Skype servers to the Blocked
Sites list. For these blocked IP addresses, the Triggering Source is "admin" and the Reason is "default packet
handling". Also, a log message appears in Traffic Monitor that shows access to the Skype server was denied
because the address is in the Blocked Sites list.
Note Because the Blocked Sites list blocks traffic between the Skype servers and all users
on your network, access to Skype is blocked for all users.
The Skype server IP addresses remain on the Blocked Sites list for the amount of time you specify in the
Duration of Auto-Blocked Sites text box in the Blocked Sites configuration. The default duration is 20
minutes. If you block Skype and then change the configuration to no longer block Skype, the Skype Server IP
addresses on the Blocked Sites list remain blocked until the blocks expire, or until you manually remove
them from the Blocked Sites list.
For more information about the Duration for Auto-Blocked Sites setting, see Change the duration that sites
are auto-blocked on page 486.
Block Skype logins
To block Skype logins, you must create an Application Blocker configuration and select Skype as an
application type to block. Then, apply the configuration to your TCP/UDP proxy policy.
For more information about how to create an Application Blocker configuration, see About Application
Blocker Configurations on page 373.
Intrusion prevention in proxy definitions
An intrusion is a direct attack on your computer. These attacks can cause damage to your network, get
sensitive information, or use your computers to attack other networks.
To help protect your network from intrusions, you can purchase the optional Intrusion Prevention Service
(IPS) for your Firebox or XTM device. IPS operates with the SMTP, POP3, HTTP, FTP, DNS, and TCP-UDP
proxies.
To activate and configure IPS, you can run the IPS wizard, or use the IPS ruleset in a proxy definition.
Run the Activate Intrusion Prevention wizard
1. Open Policy Manager.
2. Select Subscription Services > Intrusion Prevention > Activate.
The Activate Intrusion Prevention wizard appears.
3. Complete the wizard.
For more information, see Activate Intrusion Prevention Service (IPS) on page 1097.
Use the Intrusion Prevention ruleset in the proxy definition
1. Get a feature key from LiveSecurity for IPS and Add a feature key to your Firebox or XTM device.
2. Add a proxy policy to your configuration.
Or, you can edit an existing proxy.
3. In the New/Edit Policy Properties dialog box, select the Properties tab.
4. Click .
5. At the left side of the window, select the Intrusion Prevention category.
6. At the right side of the window, Configure IPS actions.
Add a proxy policy to your configuration
When you add a proxy policy or ALG (application layer gateway) to your Fireware XTM configuration, you
specify types of content that the Firebox or XTM device must find as it examines network traffic. If the
content matches (or does not match) the criteria you set in the proxy or ALG definition, the traffic is either
allowed or denied.
You can use the default settings of the proxy policy or ALG, or you can change these settings to match
network traffic in your organization. You can also create additional proxy policies or ALGs to manage
different parts of your network.
It is important to remember that a proxy policy or ALG requires more processor power than a packet filter.
If you add a large number of proxy policies or ALGs to your configuration, network traffic speeds might
decrease. However, a proxy or ALG uses methods that packet filters cannot use to catch dangerous packets.
Each proxy policy includes several settings that you can adjust to create a balance between your security
and performance requirements.
You can use Policy Manager to add a proxy policy.
1. Click .
Or, select Edit > Add Policies.
The Add Policies dialog box appears.
2. Expand the Proxies folder.
A list of proxy policies appears.
3. Select the proxy policy type you want to create. Click Add.
The New Policy Properties dialog box appears.
For more information on the basic properties of all policies, see About policy properties on page 351.
Proxy policies and ALGs have default rulesets that provide a good balance of security and accessibility for
most installations. If a default ruleset does not match the network traffic you want to examine, you can add,
delete, or modify rules. For more information, see About rules and rulesets on page 361 and the "About"
topic for the type of policy you added.
About the DNS proxy on page 378
About the FTP proxy on page 385
About the H.323 ALG on page 392
About the HTTP proxy on page 398
About the HTTPS proxy on page 417
About the POP3 proxy on page 423
About the SIP proxy on page 435
About the SMTP proxy on page 442
About the TCP-UDP proxy on page 456
About the DNS proxy
The Domain Name System (DNS) is a network system of servers that translates numeric IP addresses into
readable, hierarchical Internet addresses, and vice versa. DNS allows your computer network to
understand, for example, that you want to reach the server at 200.253.208.100 when you type a domain
name into your browser, such as www.watchguard.com. With Fireware XTM, you have two methods to
control DNS traffic: the DNS packet filter and the DNS proxy policy. The DNS proxy is useful only if DNS
requests are routed through your Firebox or XTM device.
When you make a new configuration file, the file automatically includes an Outgoing packet filter policy that
allows all TCP and UDP connections from your trusted and optional networks to external. This allows your
users to connect to an external DNS server with the standard TCP 53 and UDP 53 ports. Because Outgoing is
a packet filter, it is unable to protect against common UDP outgoing trojans, DNS exploits, and other
problems that occur when you open all outgoing UDP traffic from your trusted networks. The DNS proxy
has features to protect your network from these threats. If you use external DNS servers for your network,
the DNS-Outgoing ruleset offers additional ways to control the services available to your network
community.
To add the DNS proxy to your Firebox or XTM device configuration, see Add a proxy policy to your
configuration on page 377.
If you must change the proxy definition, you can use the New/Edit Proxy Policies dialog box to modify the
definition. This dialog box has three tabs: Policy, Properties, and Advanced. On the Properties tab, you can
also edit the default rulesets for proxy actions.
For more information, see About proxy actions on page 370.
Policy tab
• DNS-proxy connections are — Specify whether connections are Allowed, Denied, or Denied (send
reset) and define who appears in the From and To list (on the Policy tab of the proxy definition). See
Set access rules for a policy on page 352.
• Use policy-based routing — See Configure policy-based routing on page 355.
• You can also configure static NAT or configure server load balancing. See About static NAT on page
180 and Configure server load balancing on page 181.
Properties tab
• In the Proxy action drop-down list, select whether you want to define an action for a client or
server. For information about proxy actions, see About proxy actions on page 370.
• To define logging for a policy, click Logging and Set logging and notification preferences on page 646.
• If you set the Connections are drop-down list (on the Policy tab) to Denied or Denied (send reset),
you can block sites that try to use DNS. See Block sites temporarily with policy settings on page 486.
• If you want to use an idle timeout other than the one set by the Firebox or XTM device or
authentication server, Set a custom idle timeout on page 357.
WatchGuard proxies have predefined rulesets that provide a good balance of security and accessibility for
most installations. You can add, delete, or modify rules as necessary for your particular business purposes.
To modify the settings and rulesets for a proxy action:
1. Click .
2. Select a category:
• DNS proxy: General settings
• DNS proxy: OPcodes
• DNS proxy: Query types
• DNS proxy: Query names
• Intrusion prevention in proxy definitions
• Proxy and AV alarms. SNMP traps and notification are disabled by default.
3. Update the ruleset.
Advanced tab
You can use several other options in your proxy definition:
• Set an operating schedule
• Add a Traffic Management action to a policy
• Set ICMP error handling
• Apply NAT rules (Both 1-to-1 NAT and dynamic NAT are enabled by default in all policies.)
• Enable QoS Marking or prioritization settings for a policy
• Set the sticky connection duration for a policy
DNS proxy: General settings
On the General page, you can change the settings of two protocol anomaly detection rules. We
recommend that you do not change the default settings.
Not of class Internet
Select the action when the proxy examines DNS traffic that is not of the Internet (IN) class. The
default action is to deny this traffic. We recommend that you do not change this default action.
Badly formatted query
Select the action when the proxy examines DNS traffic that does not use the correct format.
Alarm
An alarm is a mechanism to tell users when a proxy rule applies to network traffic. Select the Alarm
check box to configure an alarm for this event. To set the options for the alarm, select Proxy Alarm
from the Categories list on the left side of a Proxy Configuration window. You can send an SNMP
trap, send email, or open a pop-up window.
Log
Select this check box to send a message to the traffic log for this event.
Enable logging for reports
Creates a traffic log message for each transaction. This option creates a large log file, but this
information is very important if your firewall is attacked. If you do not select this check box, you do
not see detailed information about DNS proxied connections in reports.
DNS proxy: OPcodes
DNS OPcodes (operation codes) are commands given to the DNS server that tell it to do some action, such
as a query (Query), an inverse query (IQuery), or a server status request (STATUS). They operate on items
such as registers, values in memory, values stored on the stack, I/O ports, and the bus. You can add, delete,
or modify rules in the default ruleset. You can allow, deny, drop, or block specified DNS OPcodes.
1. In the Categories tree, select OPCodes.
2. To enable a rule in the list, select the adjacent Enabled check box.
To disable a rule, clear the Enabled check box.
Note If you use Active Directory and your Active Directory configuration requires
dynamic updates, you must allow DNS OPcodes in your DNS-Incoming proxy
action rules. This is a security risk, but can be necessary for Active Directory to
operate correctly.
Add a new OPcodes rule
1. Click Add.
The New OPCodes Rule dialog box appears.
2. Type a name for the rule.
Rules can have no more than 200 characters.
3. Click the arrows to set the OPCode value. DNS OPcodes have an integer value.
For more information on the integer values of DNS OPcodes, see RFC 1035.
Delete or modify rules
1. Add, delete, or modify rules, as described in Add, change, or delete rules on page 362.
2. If you want to change settings for one or more other categories in this proxy, go to the topic on the
next category you want to modify.
3. If you are finished with your changes to this proxy definition, click OK.
4. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a
new action.
5. Type a name for the new action and click OK.
The New Policy Properties dialog box appears.
For more information on predefined user actions, see About predefined and user-defined proxy
actions on page 371.
Import or export rulesets
You can import and export rulesets between proxy definitions. For more information, see Import and
export rulesets on page 369.
DNS proxy: Query types
A DNS query type can configure a resource record by type (such as a CNAME or TXT record) or as a custom
type of query operation (such as an AXFR Full zone transfer). You can add, delete, or modify rules. You can
allow, deny, drop, or block specified DNS query types.
1. In the Categories tree, select Query Types.
2. To enable a rule, select the Enabled check box adjacent to the action and name of the rule.
Add a new query types rule
1. To add a new query types rule, click Add.
The New Query Types Rule dialog box appears.
2. Type a name for the rule.
Rules can have no more than 200 characters.
3. DNS query types have a resource record (RR) value. Use the arrows to set the value.
For more information on the values of DNS query types, see RFC 1035.
4. Add, change, or delete rules.
5. If you want to change settings for one or more other categories in this proxy, go to the topic for the
next category you want to modify.
6. If you are finished with your changes to this proxy definition, click OK.
7. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a
new action.
8. Type a name for the new action and click OK.
The New Policy Properties dialog box appears.
For more information on predefined user actions, see About predefined and user-defined proxy
actions on page 371.
Import or export rulesets
You can import and export rulesets between proxy definitions. For more information, see Import and
export rulesets on page 369.
DNS proxy: Query names
A DNS query name refers to a specified DNS domain name, shown as a fully qualified domain name (FQDN).
You can add, delete, or modify rules.
1. In the Categories tree, select Query Names.
2. Add, change, or delete rules.
3. If you want to change settings for one or more other categories in this proxy, go to the topic for the
next category you want to modify.
4. If you are finished with your changes to this proxy definition, click OK.
5. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a
new action.
6. Type a name for the new action and click OK.
The New Policy Properties dialog box appears.
For more information on predefined user actions, see About predefined and user-defined proxy
actions on page 371.
Import or export rulesets
You can import and export rulesets between proxy definitions. For more information, see Import and
export rulesets on page 369.
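The four DNS proxy categories above (General settings, OPcodes, Query types, Query names) all act on fields of the DNS question. The following added example is not WatchGuard code: it parses those fields from a wire-format query and evaluates them against a small ordered ruleset in the same order the guide lists the checks (class and format first, then OPcode, query type and query name). The ruleset layout, the action names, the wildcard convention for query names, the constructed sample queries, and the choice to treat anything other than a single-question message as badly formatted are this example's own assumptions; the OPcode and query type integers are the values from RFC 1035 (and RFC 2136 for UPDATE).

```python
import fnmatch
import struct

# Added example, not WatchGuard code: parse the header and question of a
# wire-format DNS query and evaluate it against an ordered ruleset in the
# order the guide lists the DNS proxy categories.  The ruleset layout and
# action names are this example's own.

QCLASS_IN = 1
OPCODE_QUERY, OPCODE_IQUERY, OPCODE_STATUS = 0, 1, 2      # RFC 1035
OPCODE_UPDATE = 5                                         # RFC 2136 dynamic update
QTYPE_A, QTYPE_CNAME, QTYPE_TXT, QTYPE_AXFR, QTYPE_ANY = 1, 5, 16, 252, 255


class BadlyFormattedQuery(ValueError):
    """The message cannot be parsed as a single-question DNS query."""


def encode_name(name: str) -> bytes:
    """Encode 'www.example.test' as length-prefixed labels (RFC 1035 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("a label must be 1 to 63 bytes long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: int, opcode: int = OPCODE_QUERY,
                qclass: int = QCLASS_IN, txid: int = 0x1234) -> bytes:
    """Build a one-question query; used only to construct sample traffic."""
    flags = ((opcode & 0xF) << 11) | 0x0100          # QR=0 (query), RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)


def parse_query(msg: bytes) -> dict:
    """Return opcode, qname, qtype and qclass, or raise BadlyFormattedQuery."""
    if len(msg) < 12:
        raise BadlyFormattedQuery("truncated header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000:
        raise BadlyFormattedQuery("QR bit set: a response, not a query")
    if qdcount != 1:                       # assumption for this example
        raise BadlyFormattedQuery("expected exactly one question")
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            raise BadlyFormattedQuery("name runs past the end of the message")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                  # pointer or >63 bytes: not a plain label
            raise BadlyFormattedQuery("invalid label length byte in question name")
        if pos + length > len(msg):
            raise BadlyFormattedQuery("label runs past the end of the message")
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(msg):
        raise BadlyFormattedQuery("missing QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return {"opcode": (flags >> 11) & 0xF, "qname": ".".join(labels).lower(),
            "qtype": qtype, "qclass": qclass}


# category -> (ordered rules, default action); the first matching rule wins.
# Query-name rules are shell-style wildcards (this example's convention).
RULESET = {
    "OPcode":     ([(OPCODE_QUERY, "allow"), (OPCODE_UPDATE, "deny")], "deny"),
    "query type": ([(QTYPE_AXFR, "deny"), (QTYPE_ANY, "deny")], "allow"),
    "query name": ([("blocked.test", "deny"), ("*.blocked.test", "deny")], "allow"),
}


def evaluate(msg: bytes, ruleset: dict = RULESET) -> tuple:
    """Return (action, reason): general settings first, then each category."""
    try:
        q = parse_query(msg)
    except BadlyFormattedQuery as exc:
        return "deny", f"badly formatted query: {exc}"
    if q["qclass"] != QCLASS_IN:
        return "deny", f"not of class Internet (class {q['qclass']})"
    values = {"OPcode": q["opcode"], "query type": q["qtype"], "query name": q["qname"]}
    for category, (rules, default) in ruleset.items():
        value = values[category]
        for pattern, action in rules:
            if (fnmatch.fnmatchcase(value, pattern) if isinstance(pattern, str)
                    else pattern == value):
                break
        else:
            action, pattern = default, "default"
        if action != "allow":
            return action, f"{category} {value!r} matched rule {pattern!r}"
    return "allow", f"{q['qname']} type {q['qtype']}"
```

The ordering matters in the same way it does in the proxy: a query that fails the class or format check never reaches the OPcode, query type or query name rules, and within a category the first rule that matches decides, so a deny placed after a broader allow never fires. Allowing UPDATE (OPcode 5) is what the Active Directory note above refers to; the example denies it by default and lets a rule open it deliberately.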
About MX (Mail eXchange) records
An MX (Mail eXchange) record is a type of DNS record that gives one or more host names of the email
servers that are responsible for and authorized to receive email for a given domain. If the MX record has
more than one host name, each name has a number that tells which is the most preferred host and which
hosts to try next if the most preferred host is not available.
MX lookup
When an email server sends email, it first does a DNS query for the MX record of the recipient’s domain.
When it gets the response, the sending email server knows the host names of authorized mail exchangers
for the recipient’s domain. To get the IP addresses associated with the MX host names, a mail server does a
second DNS lookup for the A record of the host name. The response gives the IP address associated with
the host name. This lets the sending server know what IP address to connect to for message delivery.
Reverse MX lookup
Many anti-spam solutions, including those used by most major ISP networks and web mail providers such as
AOL, MSN, and Yahoo!, use a reverse MX lookup procedure. Different variations of the reverse lookup are
used, but the goals are the same: the receiving server wants to verify that the email it receives does not
come from a spoofed or forged sending address, and that the sending server is an authorized mail
exchanger for that domain.
To verify that the sending server is an authorized email server, the receiving email server tries to find an MX
record that correlates to the sender’s domain. If it cannot find one, it assumes that the email is spam and
rejects it.
The domain name that the receiving server looks up can be:
• Domain name in the email message’s From: header
• Domain name in the email message’s Reply-To: header
• Domain name the sending server uses as the FROM parameter of the MAIL command. (An SMTP
command is different from an email header. The sending server sends the MAIL FROM: command
to tell the receiving server who the message is from.)
• Domain name returned from a DNS query of the connection’s source IP address. The receiving
server sometimes does a lookup for a PTR record associated with the IP address. A PTR DNS record
is a record that maps an IP address to a domain name (instead of a normal A record, which maps a
domain name to an IP address).
Before the receiving server continues the transaction, it makes a DNS query to see whether a valid MX
record for the sender’s domain exists. If the domain has no valid DNS MX record, then the sender is not
valid and the receiving server rejects it as a spam source.
MX records and multi-WAN
Because outgoing connections from behind your Firebox or XTM device can show different source IP
addresses when your Firebox or XTM device uses multi-WAN, you must make sure that your DNS records
include MX records for each external IP address that can show as the source when you send email. If the list
of host names in your domain’s MX record does not include one for each external Firebox or XTM device
interface, it is possible that some remote email servers could drop your email messages.
For example, Company XYZ has a Firebox or XTM device configured with multiple external interfaces. The
Firebox or XTM device uses the Failover multi-WAN method. Company XYZ’s MX record includes only one
host name. This host name has a DNS A record that resolves to the IP address of the Firebox or XTM device
primary external interface.
When Company XYZ sends an email to [email protected], the email goes out through the primary external
interface. The email request is received by one of Yahoo’s many email servers. That email server does a
reverse MX lookup to verify the identity of Company XYZ. The reverse MX lookup is successful, and the
email is sent.
If a WAN failover event occurs at the Firebox or XTM device, all outgoing connections from Company XYZ
start to go out the secondary, backup external interface. In this case, when the Yahoo email server does a
reverse MX lookup, it does not find an IP address in Company XYZ’s MX and A records that matches, and it
rejects the email. To solve this problem, make sure that:
- The MX record has multiple host names, at least one for each external Firebox or XTM device
  interface.
- At least one host name in the MX record has a DNS A record that maps to the IP address assigned to
  each Firebox or XTM device interface.
Add another host name to an MX record
MX records are stored as part of your domain’s DNS records. For more information on how to set up your
MX records, contact your DNS host provider (if someone else hosts your domain’s DNS service) or consult
the documentation from the vendor of your DNS server software.
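The Company XYZ scenario above, worked through as an added example (this is not WatchGuard code and not how any particular mail server implements the check). It models a receiving server's reverse MX lookup against a constructed in-memory DNS zone: the sender's domain must have an MX record, and the connecting source address must be the A record of one of the MX hosts (with a PTR fallback that some receivers use). The domain xyz.example, the host names mail1/mail2.xyz.example and the addresses 203.0.113.10 and 198.51.100.10 are placeholders for the primary and secondary external interfaces.

```python
"""Reverse MX lookup as a receiving mail server performs it, and why
multi-WAN failover can break it (added example; not WatchGuard code).
The DNS zone, domain, host names and addresses below are constructed
placeholders for the Company XYZ scenario in the text."""


def make_zone():
    """Constructed DNS data: record type -> name -> list of values.
    Only one host is listed in the MX record, as in the failing scenario."""
    return {
        "MX": {"xyz.example": ["mail1.xyz.example"]},
        "A": {
            "mail1.xyz.example": ["203.0.113.10"],   # primary external interface
            "mail2.xyz.example": ["198.51.100.10"],  # secondary external interface
        },
        "PTR": {
            "203.0.113.10": ["mail1.xyz.example"],
            "198.51.100.10": ["mail2.xyz.example"],
        },
    }


def lookup(zone, rtype, name):
    """Records of type rtype for name, or [] when none exist (NXDOMAIN)."""
    return list(zone.get(rtype, {}).get(name, []))


def authorized_sender_ips(zone, domain):
    """Addresses the receiver accepts for domain: the A records of every
    host named in the domain's MX record."""
    ips = set()
    for mx_host in lookup(zone, "MX", domain):
        ips.update(lookup(zone, "A", mx_host))
    return ips


def reverse_mx_check(zone, sender_domain, source_ip):
    """Decide whether to accept mail claiming sender_domain that arrives
    from source_ip. Returns (accepted, reason)."""
    mx_hosts = lookup(zone, "MX", sender_domain)
    if not mx_hosts:
        return False, "no MX record for sender domain"
    if source_ip in authorized_sender_ips(zone, sender_domain):
        return True, "source IP matches an MX host A record"
    # Some receivers also try the PTR route: does the source address
    # reverse-map to a host that appears in the MX record?
    if set(lookup(zone, "PTR", source_ip)) & set(mx_hosts):
        return True, "PTR host is listed in the MX record"
    return False, "source IP is not an authorized mail exchanger"


def add_mx_host(zone, domain, host):
    """The fix the guide recommends: add another host name to the MX record.
    Returns the updated MX host list."""
    mx_hosts = zone.setdefault("MX", {}).setdefault(domain, [])
    if host not in mx_hosts:
        mx_hosts.append(host)
    return list(mx_hosts)


if __name__ == "__main__":
    zone = make_zone()
    # Before failover: mail leaves through the primary interface.
    print(reverse_mx_check(zone, "xyz.example", "203.0.113.10"))
    # After failover: mail leaves through the secondary interface.
    print(reverse_mx_check(zone, "xyz.example", "198.51.100.10"))
    # Fix: an MX host whose A record is the secondary interface address.
    add_mx_host(zone, "xyz.example", "mail2.xyz.example")
    print(reverse_mx_check(zone, "xyz.example", "198.51.100.10"))
```

Run as a script, the first check succeeds, the second fails with "source IP is not an authorized mail exchanger" (the PTR of the secondary address points at a host that is not in the MX record either), and the third succeeds once mail2.xyz.example has been added to the MX record, which is exactly the condition the two bullets above describe.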
About the FTP proxy
FTP (File Transfer Protocol) is used to send files from one computer to a different computer over a TCP/IP
network. The FTP client is usually a computer. The FTP server can be a resource that keeps files on the same
network or on a different network. The FTP client can be in one of two modes for data transfer: active or
passive. In active mode, the server starts a connection to the client on source port 20. In passive mode, the
client uses a previously negotiated port to connect to the server. The FTP proxy monitors and scans these
FTP connections between your users and the FTP servers they connect to.
With an FTP proxy policy, you can:
- Set the maximum user name length, password length, file name length, and command line length
  allowed through the proxy to help protect your network from buffer overflow attacks.
- Control the type of files that the FTP proxy allows for downloads and uploads.
The TCP/UDP proxy is available for protocols on non-standard ports. When FTP uses a port other than port
20, the TCP/UDP proxy relays the traffic to the FTP proxy. For information on the TCP/UDP proxy, see About
the TCP-UDP proxy on page 456.
To add the FTP proxy to your Firebox or XTM device configuration, see Add a proxy policy to your
configuration on page 377.
If you must change the proxy definition, you can use the New/Edit Proxy Policies dialog box to modify the
definition. This dialog box has three tabs: Policy, Properties, and Advanced. On the Properties tab, you can
also edit the default rulesets for proxy action.
For more information, see About proxy actions.
Policy tab
You use the Policy tab to set access rules and other options.
- FTP-proxy connections are — Specify whether connections are Allowed, Denied, or Denied (send
  reset). Define who appears in the From and To list (on the Policy tab of the proxy definition).
  For more information, see Set access rules for a policy.
- Use policy-based routing — Configure policy-based routing.
- You can also configure static NAT or configure server load balancing.
  For more information, see About static NAT on page 180 or Configure server load balancing on page 181.
Properties tab
- In the Proxy action drop-down list, select whether you want to define an action for a client or
  server.
  For information about proxy actions, see About proxy actions on page 370.
- To define logging for a policy, click Logging and Set logging and notification preferences on page 646.
- If you set the FTP-proxy connections are drop-down list (on the Policy tab) to Denied or Denied
  (send reset), you can block sites that try to use FTP.
  For more information, see Block sites temporarily with policy settings on page 486.
- If you want to use an idle timeout other than the one set by the Firebox or XTM device or
  authentication server, Set a custom idle timeout on page 357.
WatchGuard proxies have predefined rulesets that provide a good balance of security and accessibility for
most installations. You can add, delete, or modify rules as necessary for your particular business purposes.
To modify the settings and rulesets for a proxy action:
1. Click .
2. Select a category:
- FTP proxy: General settings
- FTP proxy: Commands — The default setting for the FTP-client proxy is to allow all commands.
  The default FTP-server proxy allows these commands:
  ABOR*, APPE*, CDUP*, CWD*, DELE*, HELP*, LIST*, MKD*, NLST*, NOOP*, PASS*, PASV*, PORT*, PWD*,
  QUIT*, REST*, RETR*, RMD*, RNFR*, RNTO*, STAT*, STOR*, STOU*, SYST*, TYPE*, USER*, XCUP*, XCWD*,
  XMKD*, XRMD*
- FTP proxy: Content — The default setting for the FTP-client proxy is to deny these files from being
  downloaded: .cab, .com, .dll, .exe, .zip. The FTP-server proxy allows all files. Both the client and
  server proxies allow all files to be uploaded.
- FTP proxy: AntiVirus — When Gateway AV is enabled for the FTP proxy, the default settings are to
  drop connections when a virus is detected or when a scan error occurs.
- Intrusion prevention in proxy definitions — When Intrusion Prevention is enabled for the FTP proxy,
  the default setting is to drop traffic that matches an IPS signature.
- Proxy and AV alarms — SNMP traps and notification are disabled by default.
Advanced tab
You can use several other options in your proxy definition:
- Set an operating schedule
- Add a Traffic Management action to a policy
- Set ICMP error handling
- Apply NAT rules (Both 1-to-1 NAT and dynamic NAT are enabled by default in all policies.)
- Enable QoS Marking or prioritization settings for a policy
- Set the sticky connection duration for a policy
FTP proxy: General settings
On the General page, you can set basic FTP parameters including maximum user name length.
1. In the Categories tree, select General.
2. To set limits for FTP parameters, select the applicable check boxes. These settings help to protect
your network from buffer overflow attacks. Click the arrows to change the limits:
Set the maximum user name length to
Sets a maximum length for user names on FTP sites.
Set the maximum password length to
Sets a maximum length for passwords used to log in to FTP sites.
Set the maximum file name length to
Sets the maximum file name length for files to upload or download.
Set the maximum command line length to
Sets the maximum length for command lines used on FTP sites.
Set the maximum number of failed logins per connection to
Allows you to limit the number of failed connection requests to your FTP site. This can protect
your site against brute force attacks.
3. For each setting, you can set or clear the Auto-block check box.
If someone tries to connect to an FTP site and exceeds a limit whose Auto-block check box is
selected, the computer that sent the commands is added to the temporary Blocked Sites list.
4. To create a log message for each transaction, select the Enable logging for reports check box.
You must select this option to get detailed information on FTP traffic.
5. If you want to change settings for one or more other categories in this proxy, go to the section in this
document on the next category you want to modify.
6. If you are finished with your changes to this proxy definition, click OK.
7. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a
new action.
8. Type a name for the new action and click OK.
The New Policy Properties dialog box appears.
For more information on predefined user actions, see About predefined and user-defined proxy
actions on page 371.
FTP proxy: Commands
FTP has a number of commands to manage files. You can configure rules to put limits on some FTP
commands. To put limits on commands that can be used on an FTP server protected by the Firebox, you can
configure the FTP-Server proxy action.
The default configuration of the FTP-Server proxy blocks these commands:
ABOR, APPE, CDUP, CWD, DELE, HELP, LIST, MKD, NLST, NOOP, PASS, PASV, PORT, PWD, QUIT, REST, RETR,
RMD, RNFR, RNTO, STAT, STOR, STOU, SYST, TYPE, USER, XCUP, XCWD, XMKD, XRMD
Use the FTP-Client proxy action to put limits on commands that users protected by the Firebox can use
when they connect to external FTP servers. The default configuration of the FTP-Client is to allow all FTP
commands.
You can add, delete, or modify rules. You usually should not block these commands, because they are
necessary for the FTP protocol to work correctly.
Protocol command   Client command   Description
USER               n/a              Sent with login name
PASS               n/a              Sent with password
PASV               pasv             Select passive mode for data transfer
SYST               syst             Print the server's operating system and version. FTP clients use this
                                    information to correctly interpret and show a display of server responses.
To add, delete, or modify rules:
1. In the Categories tree, select Commands.
2. Add, change, or delete rules.
3. If you want to change settings for one or more other categories in this proxy, go to the topic for the
next category you want to modify.
4. If you are finished with your changes to this proxy definition, click OK.
5. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a
new action.
6. Type a name for the new action and click OK.
The New Policy Properties dialog box appears.
For more information on predefined user actions, see About predefined and user-defined proxy
actions on page 371.
Import or export rulesets
You can import and export rulesets between proxy definitions. For more information, see Import and
export rulesets on page 369.
FTP proxy: Content
You can control the type of files that the FTP proxy allows for downloads and uploads. For example, because
many hackers use executable files to deploy viruses or worms on a computer, you could deny requests for
*.exe files. Or, if you do not want to let users upload Windows Media files to an FTP server, you could add
*.wma to the proxy definition and specify that these files are denied. Use the asterisk (*) as a wildcard
character.
Use the FTP-Server proxy action to control rules for an FTP server protected by the Firebox or XTM device.
Use the FTP-Client proxy action to set rules for users connecting to external FTP servers.
1. In the Categories tree, select Upload or Download.
2. Add, change, or delete rules.
3. If you want uploaded files to be scanned for viruses by Gateway AntiVirus, set one or more Actions
to take fields to AV Scan.
4. If you want to change settings for one or more other categories in this proxy, go to the topics on the
next category you want to modify.
5. If you are finished with your changes to this proxy definition, click OK.
6. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a
new action.
7. Type a name for the new action and click OK.
The New Policy Properties dialog box appears.
For more information on predefined user actions, see About predefined and user-defined proxy
actions on page 371.
Import or export rulesets
You can import and export rulesets between proxy definitions. For more information, see Import and
export rulesets on page 369.
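The three FTP proxy categories above (General settings limits with Auto-block, the Commands allow-list, and the Content upload/download rules) modeled together as one added example. This is not WatchGuard's implementation; it is a stand-alone Python model of the decisions described in the text. The numeric limits, the *.wma upload rule and the sample session are constructed; the command allow-list and the .cab/.com/.dll/.exe/.zip download deny list are the defaults the guide states.

```python
"""Model of the FTP proxy checks the guide describes (added example, not
WatchGuard's implementation): parameter length limits with auto-block, a
per-connection failed-login limit, a command allow-list, and upload and
download file-name rules that use '*' as the only wildcard. The limits,
the upload rule and the sample session below are constructed."""
import re

# Constructed limits; the real values are set in the General category.
LIMITS = {
    "user_name": 20,
    "password": 20,
    "file_name": 100,
    "command_line": 120,
    "failed_logins": 3,
}

# The commands the guide lists for the default FTP-Server proxy action.
ALLOWED_COMMANDS = {
    "ABOR", "APPE", "CDUP", "CWD", "DELE", "HELP", "LIST", "MKD", "NLST",
    "NOOP", "PASS", "PASV", "PORT", "PWD", "QUIT", "REST", "RETR", "RMD",
    "RNFR", "RNTO", "STAT", "STOR", "STOU", "SYST", "TYPE", "USER",
    "XCUP", "XCWD", "XMKD", "XRMD",
}

# Download deny list from the guide's FTP-Client defaults, as '*' patterns;
# the upload rule is the guide's *.wma example (constructed rule set).
DENY_DOWNLOAD = ["*.cab", "*.com", "*.dll", "*.exe", "*.zip"]
DENY_UPLOAD = ["*.wma"]

# Commands that carry a file name, and the direction of the transfer.
FILE_COMMANDS = {"RETR": "download", "STOR": "upload",
                 "APPE": "upload", "STOU": "upload"}


def wildcard_match(pattern, text):
    """True if text matches pattern, where '*' matches any run of characters.
    Case-insensitive, so *.exe also catches SETUP.EXE."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, text, re.IGNORECASE) is not None


def check_command(line, auto_block=True):
    """Evaluate one client command line. Returns (verdict, reason); verdict
    is 'allow', 'deny', or 'block' (block = the source is added to the
    temporary Blocked Sites list, which is what Auto-block does when a
    limit is exceeded)."""
    on_limit = "block" if auto_block else "deny"
    if len(line) > LIMITS["command_line"]:
        return on_limit, "command line too long"
    cmd, _, arg = line.partition(" ")
    cmd = cmd.upper()
    if cmd not in ALLOWED_COMMANDS:
        return "deny", "command %s not in allow list" % cmd
    if cmd == "USER" and len(arg) > LIMITS["user_name"]:
        return on_limit, "user name too long"
    if cmd == "PASS" and len(arg) > LIMITS["password"]:
        return on_limit, "password too long"
    if cmd in FILE_COMMANDS:
        if len(arg) > LIMITS["file_name"]:
            return on_limit, "file name too long"
        rules = DENY_DOWNLOAD if FILE_COMMANDS[cmd] == "download" else DENY_UPLOAD
        for pattern in rules:
            if wildcard_match(pattern, arg):
                return "deny", "file matches rule %s" % pattern
    return "allow", "ok"


class FtpConnectionState:
    """Per-connection counter for the failed-login limit."""
    def __init__(self):
        self.failed_logins = 0


def failed_login(state, auto_block=True):
    """Call when the server answers a login attempt with a 530 reply. Once
    the count passes the limit, the source is blocked (or only denied when
    Auto-block is cleared for this setting)."""
    state.failed_logins += 1
    if state.failed_logins > LIMITS["failed_logins"]:
        return ("block" if auto_block else "deny"), "too many failed logins"
    return "allow", "ok"


if __name__ == "__main__":
    # Constructed session: a normal login, a command outside the allow list,
    # a denied download, and a user name that exceeds the limit.
    session = ["USER alice", "PASS hunter2", "PASV", "RETR report.pdf",
               "SITE CHMOD 777 report.pdf", "RETR setup.exe",
               "USER " + "a" * 40]
    for line in session:
        print("%-28s -> %s" % (line[:28], check_command(line)))
    state = FtpConnectionState()
    for _ in range(4):
        print("failed login ->", failed_login(state))
```

Two design points carry over to the real proxy: length limits are checked before the command is interpreted, so an over-long line never reaches the parser, and a limit hit with Auto-block selected produces a block of the source rather than a single denied command, which is why the guide treats the Auto-block check box separately from the limit itself.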
FTP proxy: AntiVirus
If you have purchased and enabled the Gateway AntiVirus feature, the fields in the AntiVirus category set
the actions necessary if a virus is found in a file that is uploaded or downloaded.
- To use the proxy definition screens to activate Gateway AntiVirus, see Activate Gateway AntiVirus
  from proxy definitions on page 1084.
- To use the Subscription Services menu in Policy Manager to activate Gateway AntiVirus, see Activate
  Gateway AntiVirus with a wizard from Policy Manager on page 1081.
- To configure Gateway AntiVirus for the FTP proxy, see Configure Gateway AntiVirus actions on page 1085.
When you enable Gateway AntiVirus, you must set the actions to be taken if a virus or error is found in an
uploaded or downloaded file. The options for antivirus actions are:
Allow
Allows the packet to go to the recipient, even if the content contains a virus.
Deny
Deny the file and send a deny message.
Drop
Drops the packet and drops the connection. No information is sent to the source of the message.
Block
Blocks the packet, and adds the IP address of the sender to the Blocked Sites list.
Gateway AntiVirus scans each file up to a specified kilobyte count. Any additional bytes in the file are not
scanned. This allows the proxy to partially scan very large files without a large effect on performance. Enter
the file scan limit in the Limit scanning to first field.
For information about the default and maximum scan limits for each Firebox or XTM device model, see
About Gateway AntiVirus scan limits on page 1090.
About the H.323 ALG
If you use Voice-over-IP (VoIP) in your organization, you can add an H.323 or SIP (Session Initiation Protocol)
ALG (Application Layer Gateway) to open the ports necessary to enable VoIP through your Firebox or XTM
device. An ALG is created in the same way as a proxy policy and offers similar configuration options. These
ALGs have been created to work in a NAT environment to maintain security for privately addressed
conferencing equipment protected by your Firebox or XTM device.
H.323 is commonly used on older videoconferencing equipment and voice installations. SIP is a newer
standard that is more common in hosted environments, where only endpoint devices such as telephones
are hosted at your business location and a VoIP provider manages the connectivity. You can use both H.323
and SIP ALGs at the same time, if necessary. To determine which ALG to add, consult the documentation for
your VoIP devices or applications.
VoIP components
It is important to understand that you usually implement VoIP by using either:
Peer-to-peer connections
In a peer-to-peer connection, each of the two devices knows the IP address of the other device and
connects to the other directly. If both peers are behind the Firebox or XTM device, the Firebox or
XTM device can route the call traffic correctly.
Hosted connections
Connections hosted by a call management system (PBX)
With H.323, the key component of call management is known as a gatekeeper. A gatekeeper manages VoIP
calls for a group of users, and can be located on a network protected by your Firebox or XTM device or at
an external location. For example, some VoIP providers host a gatekeeper on their network that you must
connect to before you can place a VoIP call. Other solutions require you to set up and maintain a
gatekeeper on your network.
Coordinating the many components of a VoIP installation can be difficult. We recommend you make sure
that VoIP connections work successfully before you add a H.323 or SIP ALG. This can help you to
troubleshoot any problems.
ALG functions
When you enable an H.323 ALG, your Firebox or XTM device:
- Automatically responds to VoIP applications and opens the appropriate ports
- Makes sure that VoIP connections use standard H.323 protocols
- Generates log messages for auditing purposes
Many VoIP devices and servers use NAT (Network Address Translation) to open and close ports
automatically. The H.323 and SIP ALGs also perform this function. You must disable NAT on your VoIP
devices if you configure an H.323 or SIP ALG.
Policy tab
- H.323-ALG connections are — Specify whether connections are Allowed, Denied, or Denied (send
  reset) and define who appears in the From and To list (on the Policy tab of the ALG definition).
  For more information, see Set access rules for a policy on page 352.
- Use policy-based routing — If you want to use policy-based routing in your proxy definition, see
  Configure policy-based routing on page 355.
- You can also configure static NAT or configure server load balancing.
  For more information, see About static NAT on page 180 and Configure server load balancing on
  page 181.
Properties tab
- In the Proxy action drop-down list, select whether you want to define an action for a client or
  server.
  For information about proxy actions, see About proxy actions.
- To define logging for a policy, click Logging and Set logging and notification preferences on page 646.
- If you set the Connections are drop-down list (on the Policy tab) to Denied or Denied (send reset),
  you can block sites that try to use DNS.
  For more information, see Block sites temporarily with policy settings on page 486.
- If you want to use an idle timeout other than the one set by the Firebox or XTM device, or
  authentication server, Set a custom idle timeout.
WatchGuard proxies have predefined rulesets that provide a good balance of security and accessibility for
most installations. You can add, delete, or modify rules as necessary for your particular business purposes.
To modify the settings and rulesets for a proxy action:
1. Click .
2. Select a category:
- H.323 ALG: General Settings
- H.323 ALG: Access Control
- H.323 ALG: Denied Codecs
Advanced tab
You can also use these options in your proxy definition:
- Set an operating schedule
- Add a Traffic Management action to a policy
- Set ICMP error handling
- Apply NAT rules (Both 1-to-1 NAT and dynamic NAT are enabled by default in all policies.)
- Enable QoS Marking or prioritization settings for a policy
- Set the sticky connection duration for a policy
H.323 ALG: General Settings
On the General Settings page, you can set security and performance options for the H.323 ALG (Application
Layer Gateway).
Enable directory harvesting protection
Select this check box to prevent attackers from stealing user information from VoIP gatekeepers
protected by your Firebox or XTM device. This option is enabled by default.
Maximum sessions
Use this feature to restrict the maximum number of audio or video sessions that can be created
with a single VoIP call. For example, if you set the number of maximum sessions to one and
participate in a VoIP call with both audio and video, the second connection is dropped. The default
value is two sessions, and the maximum value is four sessions. The Firebox or XTM device creates a
log entry when it denies a media session above this number.
User agent information
Type a new user agent string in the Rewrite user agent as text box to have outgoing H.323 traffic
identify as a client you specify. To remove the false user agent, clear the text box.
Timeouts
When no data is sent for a specified amount of time on a VoIP audio, video, or data channel, your
Firebox or XTM device closes that network connection. The default value is 180 seconds (three
minutes) and the maximum value is 3600 seconds (sixty minutes). To specify a different time
interval, type the amount in seconds in the Idle media channels text box.
Enable logging for reports
Select this check box to send a log message for each connection request managed by the H.323 ALG.
This option is necessary to create accurate reports on H.323 traffic, and is enabled by default.
H.323 ALG: Access Control
On the Access Control page of the H.323 ALG (Application Layer Gateway) configuration, you can create a
list of users who are allowed to send VoIP network traffic.
Enable access control for VoIP
Select this check box to enable the access control feature. When enabled, the H.323 ALG allows or
restricts calls based on the options you set.
Default Settings
Select the Start VoIP calls check box to allow all VoIP users to start calls by default.
Select the Receive VoIP calls check box to allow all VoIP users to receive calls by default.
Select the adjacent Log check box to create a log message for each H.323 VoIP connection started or
received.
Access Levels
To create an exception to the default settings you specified above, type a hostname, IP address, or
email address. Select an access level from the adjacent drop-down list, then click Add. You can allow
users to start calls only, receive calls only, start and receive calls, or give them no VoIP access.
These settings apply only to H.323 VoIP traffic.
If you want to delete an exception, select it from the list and click Remove.
Connections made by users who have an access level exception are logged by default. If you do not
want to log connections made by a user with an access level exception, clear the Log check box
adjacent to the exception name in the list.
H.323 ALG: Denied Codecs
On the Denied Codecs page, you can set the VoIP voice, video, and data transmission codecs that you want
to deny on your network.
Denied Codecs list
Use this feature to deny one or more VoIP codecs. When an H.323 VoIP connection is opened that
uses a codec specified in this list, your Firebox or XTM device closes the connection automatically.
This list is empty by default. We recommend that you add a codec to this list if it consumes too much
bandwidth, presents a security risk, or if it is necessary to have your VoIP solution operate correctly.
For example, you may choose to deny the G.711 or G.726 codecs because they use more than 32
Kb/sec of bandwidth, or you may choose to deny the Speex codec because it is used by an
unauthorized VOIP codec.
To add a codec to the list, type the codec name or unique text pattern in the text box and click Add.
Do not use wildcard characters or regular expression syntax. The codec patterns are case sensitive.
To delete a codec from the list, select it and click Remove.
Log each transaction that matches a denied codec pattern
Select this option to have your Firebox or XTM device create a log entry when it denies H.323 traffic
that matches a codec in this list.
About the HTTP proxy
Hyper Text Transfer Protocol (HTTP) is a request/response protocol between clients and servers. The HTTP
client is usually a web browser. The HTTP server is a remote resource that stores HTML files, images, and
other content. When the HTTP client starts a request, it establishes a TCP (Transmission Control Protocol)
connection on Port 80. An HTTP server listens for requests on Port 80. When it receives the request from
the client, the server replies with the requested file, an error message, or some other information.
The HTTP proxy is a high-performance content filter. It examines Web traffic to identify suspicious content
that can be a virus or other type of intrusion. It can also protect your HTTP server from attacks.
With an HTTP proxy filter, you can:
- Adjust timeout and length limits of HTTP requests and responses to prevent poor network
  performance, as well as several attacks.
- Customize the deny message that users see when they try to connect to a web site blocked by the
  HTTP proxy.
- Filter web content MIME types.
- Block specified path patterns and URLs.
- Deny cookies from specified web sites.
You can also use the HTTP proxy with the WebBlocker security subscription. For more information, see
About WebBlocker on page 979.
The TCP/UDP proxy is available for protocols on non-standard ports. When HTTP uses a port other than Port
80, the TCP/UDP proxy sends the traffic to the HTTP proxy. For more information on the TCP/UDP proxy,
see About the TCP-UDP proxy on page 456.
To add the HTTP proxy to your Firebox or XTM device configuration, see Add a proxy policy to your
configuration on page 377.
Use the New/Edit Proxy Policies dialog box to modify a proxy policy. This dialog box has three tabs: Policy,
Properties, and Advanced. On the Properties tab, you can also edit the default rulesets for proxy actions.
For more information, see About proxy actions on page 370.
Policy tab
- HTTP-proxy connections are — Specify whether connections are Allowed, Denied, or Denied (send
  reset) and select the users, computers, or networks that appear in the From and To list (on the Policy
  tab of the proxy definition). For more information, see Set access rules for a policy on page 352.
- Use policy-based routing — To use policy-based routing in your proxy definition, see Configure
  policy-based routing on page 355.
- You can also configure static NAT or configure server load balancing.
  For more information, see About static NAT on page 180 and Configure server load balancing on
  page 181.
Properties tab
- In the Proxy action drop-down list, select whether you want to define an action for a client or
  server.
  For information about proxy actions, see About proxy actions on page 370.
- To define logging for a policy, click Logging and Set logging and notification preferences.
- If you set the Connections are drop-down list (on the Policy tab) to Denied or Denied (send reset),
  you can block devices that try to connect on port 80.
  For more information, see Block sites temporarily with policy settings on page 486.
- If you want to use an idle timeout other than the one set by the Firebox or XTM device, or
  authentication server, Set a custom idle timeout.
WatchGuard proxies have predefined rulesets that provide a good balance of security and accessibility for
most installations. You can add, delete, or modify rules as necessary.
To modify the settings and rulesets for a proxy action:
1. Click .
2. Select a category:
- HTTP request: General settings
- HTTP request: Request methods
- HTTP request: URL paths
- HTTP request: Header fields
- HTTP request: Authorization
- HTTP Response: General settings
- HTTP Response: Header fields
- HTTP Response: Content types
- HTTP Response: Cookies
- HTTP Response: Body content types
- HTTP proxy exceptions
- HTTP proxy: WebBlocker
- HTTP proxy: Application Blocker
- HTTP proxy: AntiVirus
- HTTP proxy: Intrusion Prevention
- HTTP proxy: Deny message
- Use a caching proxy server
Advanced tab
You can use several other options in your proxy definition:
- Set an operating schedule
- Add a Traffic Management action to a policy
- Set ICMP error handling
- Apply NAT rules (Both 1-to-1 NAT and dynamic NAT are enabled by default in all policies.)
- Enable QoS Marking or prioritization settings for a policy
- Set the sticky connection duration for a policy
HTTP request: General settings
On the General Settings page, you can set basic HTTP parameters such as idle time out and URL length.
Idle Timeout
Select this check box to close the TCP socket for the HTTP connection when no packets have passed
through the TCP socket in the amount of time you specify. In the adjacent field, type or select the number of
minutes before the proxy times out. This option controls performance. Because every open TCP
session uses a small amount of memory on the Firebox or XTM device, and browsers and servers do
not always close HTTP sessions cleanly, we recommend that you keep this check box selected. This
makes sure that stale TCP connections are closed and helps the Firebox or XTM device save
memory. You can lower the timeout to five minutes and not reduce performance standards.
URL Path Length
Sets the maximum number of characters allowed in a URL. In this area of the proxy, URL includes
anything in the web address after the top-level-domain. This includes the slash character but not the
host name (www.myexample.com or myexample.com). For example, the URL
www.myexample.com/products counts nine characters toward this limit because /products has
nine characters.
The default value of 2048 is usually enough for any URL requested by a computer behind your
Firebox or XTM device. A URL that is very long can indicate an attempt to compromise a web server.
The minimum length is 15 bytes. We recommend that you keep this setting enabled with the default
settings. This helps protect against infected web clients on the networks that the HTTP proxy
protects.
Range Requests
Select this check box to allow range requests through the Firebox or XTM device. Range requests
allow a client to request subsets of the bytes in a web resource instead of the full content. For
example, if you want only some sections of a large Adobe file but not the whole file, the download
occurs more quickly and prevents the download of unnecessary pages if you can request only what
you need.
Range requests introduce security risks. Malicious content can hide anywhere in a file and a range
request makes it possible for any content to be split across range boundaries. The proxy can fail to
see a pattern it is looking for when the file spans two GET operations. If you have a subscription for
Gateway AntiVirus (Gateway AV) or the signature-based Intrusion Prevention Service (IPS), and you
enable either of those subscription services, Fireware denies range requests regardless of whether
this check box is selected.
We recommend that you do not select this check box if the rules you make in the Body Content
Types section of the proxy are designed to identify byte signatures deep in a file, instead of just in
the file header.
Select the Log this action check box if you want to add a traffic log message when the proxy takes
the action indicated in the check box for range requests.
Enable logging for reports
Creates a traffic log message for each transaction. This option creates a large log file, but this
information is very important if your firewall is attacked. If you do not select this check box, you do
not see detailed information about HTTP proxied connections in reports.
HTTP request: Request methods
Most browser HTTP requests are in one of two categories: GET or POST operations. Browsers usually use
GET operations to download objects such as a graphic, HTML data, or Flash data. More than one GET is
usually sent by a client computer for each page, because web pages usually contain many different
elements. The elements are put together to make a page that appears as one page to the end user.
Browsers usually use POST operations to send data to a web site. Many web pages get information from the
end user such as location, email address, and name. If you disable the POST command, the Firebox or XTM
device denies all POST operations to web servers on the external network. This feature can prevent your
users from sending information to a web site on the external network.
Web-based Distributed Authoring and Versioning (webDAV) is a set of HTTP extensions that allows users to
edit and manage files on remote web servers. WebDAV is compatible with Outlook Web Access (OWA). If
webDAV extensions are not enabled, the HTTP proxy supports these request methods: HEAD, GET, POST,
OPTIONS, PUT, and DELETE. For HTTP-Server, the proxy supports these request methods by default: HEAD,
GET, and POST. The proxy also includes these options (disabled by default): OPTIONS, PUT, and DELETE.
1. In the Categories tree, select HTTP Request > Request Methods.
2. Select the Enable webDAV check box if you want to allow your users to use these extensions.
Many extensions to the base webDAV protocol are also available. If you enable webDAV, from the adjacent
check box, select whether you want to enable only the extensions described in RFC 2518 or if you want to
include an additional set of extensions to maximize interoperability.
3. Add, change, or delete rules.
4. If you want to change settings for one or more other categories in this proxy, go to the section in this
document on the next category you want to modify.
5. If you are finished with your changes to this proxy definition, click OK.
6. If you modified a predefined proxy action, you must clone (copy) your settings to a new action.
7. Type a name for the new action and click OK.
The New Policy Properties dialog box appears.
For more information on predefined user actions, see About predefined and user-defined proxy
actions on page 371.
Import or export rulesets
You can import and export rulesets between proxy definitions. For more information, see Import and
export rulesets on page 369.
HTTP request: URL paths
A URL (Uniform Resource Locator) identifies a resource on a remote server and gives the network location
on that server. The URL path is the string of information that comes after the top level domain name. You
can use the HTTP proxy to block web sites that contain specified text in the URL path. You can add, delete,
or modify URL path patterns. Here are examples of how to block content with HTTP request URL paths:
• To block all pages that have the host name www.test.com, type the pattern: www.test.com*
• To block all paths containing the word sex, on all web sites: *sex*
• To block URL paths ending in *.test, on all web sites: *.test
Note If you filter URLs with the HTTP request URL path ruleset, you must configure a
complex pattern that uses full regular expression syntax from the advanced view of
a ruleset. It is easier and gives better results to filter based on header or body
content type than it is to filter by URL path.
To block web sites with specific text in the URL path:
1. In the Categories tree, select URL paths.
2. Add, change, or delete rules.
3. If you want to change settings for other categories in this proxy, see the topic for the next category
you want to modify.
4. If you are finished with your changes to this proxy definition, click OK.
5. If you modified a predefined proxy action, you must clone (copy) your settings to a new action.
6. Type a name for the new action and click OK.
For more information on predefined user actions, see About predefined and user-defined proxy
actions on page 371.
Import or export rulesets
You can import and export rulesets between proxy definitions. For more information, see Import and
export rulesets on page 369.
HTTP request: Header fields
This ruleset supplies content filtering for the full HTTP header. By default, the HTTP proxy uses exact
matching rules to strip Via and From headers, and allows all other headers. This ruleset matches the full
header, not only the name.
To match all values of a header, type the pattern: “[header name]:*”. To match only some values of a
header, replace the asterisk (*) wildcard with a pattern. If your pattern does not start with an asterisk (*)
wildcard, include one space between the colon and the pattern when typing in the Pattern text box. For
example, type: [header name]: [pattern] and not [header name]:[pattern].
The default rules do not strip the Referer header, but do include a disabled rule to strip this header. To
enable the rule, select Change View. Some web browsers and software applications must use the Referer
header to operate correctly.
1. In the Categories tree, select Header Fields.
2. Add, change, or delete rules.
3. If you want to change settings for one or more other categories in this proxy, go to the section in this
document on the next category you want to modify.
4. If you are finished with your changes to this proxy definition, click OK.
5. If you modified a predefined proxy action, you must clone (copy) your settings to a new action.
6. Type a name for the new action and click OK.
The New Policy Properties dialog box appears.
For more information on predefined user actions, see About predefined and user-defined proxy
actions on page 371.
Import or export rulesets
You can import and export rulesets between proxy definitions. For more information, see Import and
export rulesets on page 369.
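The URL path and header field rulesets above both use the same simple-view pattern language (a literal string in which only * is a wildcard, matched against the whole value). The following Python is an added example, not WatchGuard code: it models a small URL path ruleset built from the three patterns on this page and the default header field ruleset (Via and From stripped, Referer present but disabled), and shows why a header pattern needs the space after the colon. First-match-wins ordering and matching URL path patterns against host name plus path are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Simple-view ruleset pattern: '*' matches any run of characters and every
    other character is literal. Anchored at both ends, so "www.test.com*" only
    matches values that start with that host name."""
    parts = [re.escape(piece) for piece in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


@dataclass
class Rule:
    pattern: str
    action: str           # "allow", "deny" or "strip", as in the proxy rulesets
    enabled: bool = True  # the default rulesets ship some rules disabled (Referer)


def first_match(rules: Sequence[Rule], value: str,
                default_action: str) -> Tuple[str, Optional[str]]:
    """Walk the rules in order; the first enabled rule that matches decides.
    Top-to-bottom, first-match-wins ordering is this example's assumption."""
    for rule in rules:
        if rule.enabled and wildcard_to_regex(rule.pattern).match(value):
            return rule.action, rule.pattern
    return default_action, None


# --- HTTP request: URL paths (the three patterns from the page) -------------
URL_PATH_RULES = [
    Rule("www.test.com*", "deny"),   # every page on that host
    Rule("*sex*", "deny"),           # the word anywhere, on any site
    Rule("*.test", "deny"),          # paths ending in .test, on any site
]


def url_path_action(host_and_path: str) -> str:
    """Assumes the pattern is matched against host name plus path, e.g.
    'www.test.com/index.html', which the page's first example requires."""
    return first_match(URL_PATH_RULES, host_and_path, default_action="allow")[0]


# --- HTTP request: Header fields -------------------------------------------
# Each rule matches the FULL header line, not only the name: "Via:*" covers
# every value of Via. Referer is listed but disabled, as in the default ruleset.
HEADER_RULES = [
    Rule("Via:*", "strip"),
    Rule("From:*", "strip"),
    Rule("Referer:*", "strip", enabled=False),
]


def filter_request_headers(header_lines: List[str]) -> Tuple[List[str], List[str]]:
    """Return (headers forwarded, headers stripped) for one request."""
    kept, stripped = [], []
    for line in header_lines:
        action, _ = first_match(HEADER_RULES, line, default_action="allow")
        (stripped if action == "strip" else kept).append(line)
    return kept, stripped


def pattern_matches(pattern: str, header_line: str) -> bool:
    """Direct check of one pattern; used to show the space-after-colon rule."""
    return wildcard_to_regex(pattern).match(header_line) is not None


if __name__ == "__main__":
    # Constructed sample request headers.
    request_headers = [
        "Host: www.example.com",
        "User-Agent: Mozilla/5.0",
        "Via: 1.1 internal-proxy",
        "From: user@example.com",
        "Referer: http://www.example.com/start",
    ]
    print(filter_request_headers(request_headers))
    for target in ("www.test.com/index.html", "www.example.com/search?q=sex",
                   "www.example.com/report.test", "www.example.com/index.html"):
        print(target, url_path_action(target))
    # A pattern typed without the space after the colon misses real header lines:
    print(pattern_matches("User-Agent: Mozilla*", "User-Agent: Mozilla/5.0"))  # True
    print(pattern_matches("User-Agent:Mozilla*", "User-Agent: Mozilla/5.0"))   # False
```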
HTTP request: Authorization
This rule sets the criteria for content filtering of HTTP Request Header authorization fields. When a web
server starts a WWW-Authenticate challenge, it sends information about which authentication methods it
can use. The proxy puts limits on the type of authentication sent in a request. It uses only the authentication
methods that the web server accepts. With a default configuration, the Firebox or XTM device allows Basic,
Digest, NTLM, and Passport1.4 authentication, and strips all other authentication. You can add, delete, or
modify rules in the default ruleset.
1. In the Categories tree, select Authorization.
2. Add, change, or delete rules.
3. If you want to change settings for one or more other categories in this proxy, go to the section in this
document on the next category you want to modify.
4. If you are finished with your changes to this proxy definition, click OK.
5. If you modified a predefined proxy action, you must clone (copy) your settings to a new action.
6. Type a name for the new action and click OK.
The New Policy Properties dialog box appears.
For more information on predefined user actions, see About predefined and user-defined proxy
actions on page 371.
Import or export rulesets
You can import and export rulesets between proxy definitions. For more information, see Import and
export rulesets on page 369.
HTTP Response: General settings
You use the General Settings fields to configure basic HTTP parameters such as idle time out and limits for
line and total length.
1. In the Categories tree, select General Settings.
2. To set limits for HTTP parameters, select the applicable check boxes. Use the arrows to set the
limits:
Set the timeout to
Controls how long the Firebox or XTM device HTTP proxy waits for the web server to send
the web page. When a user clicks a hyperlink or types a URL in a web browser, it sends an
HTTP request to a remote server to get the content. In most browsers, a message similar to
Contacting site..., appears in the status bar. If the remote server does not respond, the HTTP
client continues to send the request until it receives an answer or until the request times
out. During this time, the HTTP proxy continues to monitor the connection and uses valuable
network resources.
Set the maximum URL length to
Controls the maximum allowed length of a line of characters in HTTP response headers. Use
this property to protect your computers from buffer overflow exploits. Because URLs for
many commerce sites continue to increase in length over time, you may need to adjust this
value in the future.
Set the maximum total length to
Controls the maximum length of HTTP response headers. If the total header length is more
than this limit, the HTTP response is denied.
3. If you want to change settings for one or more other categories in this proxy, go to the section in this
document on the next category you want to modify.
4. If you are finished with your changes to this proxy definition, click OK.
5. If you modified a predefined proxy action, you must clone (copy) your settings to a new action.
6. Type a name for the new action and click OK.
The New Policy Properties dialog box appears.
For more information on predefined user actions, see About predefined and user-defined proxy
actions on page 371.
HTTP Response: Header fields
This ruleset controls which HTTP response header fields the Firebox or XTM device allows. You can add,
delete, or modify rules. Many of the HTTP response headers that are allowed in the default configuration
are described in RFC 2616. For more information, see http://www.ietf.org/rfc/rfc2616.txt.
1. In the Categories tree, select Header Fields.
2. Add, change, or delete rules.
3. If you want to change settings for one or more other categories in this proxy, go to the section in this
document on the next category you want to modify.
4. If you are finished with your changes to this proxy definition, click OK.
5. If you modified a predefined proxy action, you must clone (copy) your settings to a new action.
6. Type a name for the new action and click OK.
The New Policy Properties dialog box appears.
For more information on predefined user actions, see About predefined and user-defined proxy
actions on page 371.
Import or export rulesets
You can import and export rulesets between proxy definitions. For more information, see Import and
export rulesets on page 369.
HTTP Response: Content types
When a web server sends HTTP traffic, it usually adds a MIME type, or content type, to the packet header
that shows what kind of content is in the packet. The HTTP header on the data stream contains this MIME
type. It is added before the data is sent.
Certain kinds of content that users request from web sites can be a security threat to your network. Other
kinds of content can decrease the productivity of your users. By default, the Firebox or XTM device allows
some safe content types, and denies MIME content that has no specified content type. The HTTP proxy
includes a list of commonly used content types that you can add to the ruleset. You can also add, delete, or
modify the definitions.
The format of a MIME type is type/subtype. For example, if you wanted to allow JPEG images, you would
add image/jpg to the proxy definition. You can also use the asterisk (*) as a wildcard. To allow any image
format, you add image/* .
For a list of current, registered MIME types, see http://www.iana.org/assignments/media-types.
Add, delete, or modify content types
1. In the Categories tree, select Content Types.
2. Add, change, or delete rules.
3. To add content types, click the Predefined button.
The Select Content Type dialog box appears.
4. Select the type or types you want to add, and click OK.
The new types appear in the Rules box.
5. If you want to change settings for one or more other categories in this proxy, go to topic on the next
category you want to modify.
6. If you are finished with your changes to this proxy definition, click OK.
7. If you modified a predefined proxy action, you must clone (copy) your settings to a new action.
8. Type a name for the new action and click OK.
The New Policy Properties dialog box appears.
For more information on predefined user actions, see About predefined and user-defined proxy
actions on page 371.
Allow web sites with a missing content type
By default, the Firebox or XTM device denies MIME content that has no specified content type. In most
cases, we recommend that you keep this default setting. Sites that do not supply legitimate MIME types in
their HTTP responses do not follow RFC recommendations and could pose a security risk. However, some
organizations need their employees to get access to web sites that do not have a specified content type.
You must make sure that you change the proxy configuration of the correct policy or policies. You can apply
the change to any policy that uses an HTTP client proxy action. This could be an HTTP proxy policy, the
Outgoing policy (which also applies an HTTP client proxy action), or the TCP-UDP policy.
1. In the Categories tree, select Content Types.
2. Click Change View.
3. In the Rules list, select the check box adjacent to the Allow (none) rule.
Import or export rulesets
You can import and export rulesets between proxy definitions. For more information, see Import and
export rulesets on page 369.
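The HTTP Response General Settings limits and the Content Types ruleset (including the disabled Allow (none) rule) are applied to the response header before any body is passed to the client. The following Python is an added example, not WatchGuard code: it checks a raw response against constructed line and total length limits, then applies a constructed content-type ruleset in type/subtype form with the * wildcard, denying responses with no Content-Type unless the Allow (none) rule is enabled. The limit values, the rule list and the deny action for unmatched types are this example's assumptions.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed limits for this example. On the device they are set per proxy
# action in HTTP Response > General Settings.
MAX_LINE_LENGTH = 4096     # longest single header line accepted
MAX_TOTAL_LENGTH = 16384   # longest complete header block accepted

# Constructed content-type ruleset. The real default list is longer; the point
# is the type/subtype form and the '*' wildcard on the subtype.
CONTENT_TYPE_RULES = [
    ("text/html", "allow"),
    ("text/plain", "allow"),
    ("image/*", "allow"),
    ("application/octet-stream", "deny"),
]
UNMATCHED_CONTENT_TYPE_ACTION = "deny"   # assumed default for unlisted types


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    # '*' matches any run of characters; everything else is literal.
    body = ".*".join(re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE)


def check_header_limits(header_block: bytes,
                        max_line: int = MAX_LINE_LENGTH,
                        max_total: int = MAX_TOTAL_LENGTH) -> Optional[str]:
    """Return a deny reason when the response header block exceeds a limit,
    or None when it is within both limits."""
    if len(header_block) > max_total:
        return "total header length exceeds limit"
    for line in header_block.split(b"\r\n"):
        if len(line) > max_line:
            return "header line length exceeds limit"
    return None


def content_type_action(content_type: Optional[str],
                        allow_missing: bool = False) -> str:
    """Apply the content-type ruleset. A missing or empty Content-Type header
    is denied unless the 'Allow (none)' rule is enabled (allow_missing=True)."""
    if content_type is None or not content_type.strip():
        return "allow" if allow_missing else "deny"
    # Parameters such as '; charset=utf-8' are not part of type/subtype.
    media_type = content_type.split(";", 1)[0].strip()
    for pattern, action in CONTENT_TYPE_RULES:
        if wildcard_to_regex(pattern).match(media_type):
            return action
    return UNMATCHED_CONTENT_TYPE_ACTION


def parse_headers(header_block: bytes) -> Dict[str, str]:
    """Parse 'Name: value' lines after the status line into a dict keyed by
    lower-cased name (a repeated name keeps the last value; enough here)."""
    headers: Dict[str, str] = {}
    for raw in header_block.split(b"\r\n")[1:]:
        name, sep, value = raw.decode("latin-1").partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def evaluate_response(raw_response: bytes,
                      allow_missing_type: bool = False) -> Tuple[str, str]:
    """Return (action, reason) for a raw HTTP response: the General Settings
    limits are checked first, then the content-type ruleset."""
    header_block, _, _body = raw_response.partition(b"\r\n\r\n")
    limit_reason = check_header_limits(header_block)
    if limit_reason:
        return "deny", limit_reason
    ctype = parse_headers(header_block).get("content-type")
    action = content_type_action(ctype, allow_missing_type)
    return action, "content type: " + (ctype or "(none)")


# Constructed sample responses.
OK_IMAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n"
            b"Content-Length: 3\r\n\r\n\xff\xd8\xff")
NO_TYPE = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
OVERSIZED = b"HTTP/1.1 200 OK\r\nX-Pad: " + b"A" * 5000 + b"\r\n\r\n"

if __name__ == "__main__":
    for name, resp in (("image", OK_IMAGE), ("no type", NO_TYPE),
                       ("oversized", OVERSIZED)):
        print(name, evaluate_response(resp))
    print("no type, Allow (none) enabled:", evaluate_response(NO_TYPE, True))
```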
HTTP Response: Cookies
HTTP cookies are small files of alphanumeric text that web servers put on web clients. Cookies monitor the
page a web client is on to enable the web server to send more pages in the correct sequence. Web servers
also use cookies to collect information about an end user. Many web sites use cookies for authentication
and other legitimate functions, and cannot operate correctly without cookies.
The HTTP proxy gives you control of the cookies in HTTP responses. You can configure rules to strip cookies,
based on your network requirements. The default rule for the HTTP-Server and HTTP-Client proxy action
allows all cookies. You can add, delete, or modify rules.
The proxy looks for packets based on the domain associated with the cookie. The domain can be specified
in the cookie. If the cookie does not contain a domain, the proxy uses the host name in the first request. For
example, to block all cookies for nosy-adware-site.com, use the pattern: *.nosy-adware-site.com . If you
want to deny cookies from all subdomains on a web site, use the wildcard symbol (*) before and after the
domain. For example, *google.com* blocks all subdomains of google.com, such as images.google.com and
mail.google.com.
Change settings for cookies
1. In the Categories tree, select Cookies.
2. Add, change, or delete rules.
3. If you want to change settings for one or more other categories in this proxy, go to the topics on the
next category you want to modify.
4. If you are finished with your changes to this proxy definition, click OK.
5. If you modified a predefined proxy action, you must clone (copy) your settings to a new action.
6. Type a name for the new action and click OK.
The New Policy Properties dialog box appears.
For more information on predefined user actions, see About predefined and user-defined proxy
actions on page 371.
Import or export rulesets
You can import and export rulesets between proxy definitions. For more information, see Import and
export rulesets on page 369.
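The cookie ruleset is matched against a domain, and which domain that is depends on whether the server set one in the cookie. The following Python is an added example, not WatchGuard code: it builds a ruleset from the two patterns on this page, derives the domain from the cookie's Domain attribute or, when there is none, from the request host name, and splits a response's Set-Cookie values into the ones passed through and the ones stripped. The rule list and sample cookies are constructed.

```python
import re
from typing import List, Tuple

# Constructed cookie ruleset from the page's two examples. The default
# HTTP-Client and HTTP-Server actions allow all cookies, so only deny rules
# are listed and anything unmatched is allowed.
COOKIE_RULES = [
    ("*.nosy-adware-site.com", "deny"),
    ("*google.com*", "deny"),   # every subdomain of google.com
]
DEFAULT_COOKIE_ACTION = "allow"


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    # '*' matches any run of characters; everything else is literal.
    body = ".*".join(re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE)


def cookie_domain(set_cookie_value: str, request_host: str) -> str:
    """Domain the ruleset is matched against: the cookie's Domain attribute
    when the server set one, otherwise the host name of the request that
    produced the response (the page: the host name in the first request)."""
    for attribute in set_cookie_value.split(";")[1:]:
        name, _, value = attribute.strip().partition("=")
        if name.strip().lower() == "domain" and value.strip():
            return value.strip().lower()
    return request_host.lower()


def cookie_action(set_cookie_value: str, request_host: str) -> str:
    domain = cookie_domain(set_cookie_value, request_host)
    for pattern, action in COOKIE_RULES:
        if wildcard_to_regex(pattern).match(domain):
            return action
    return DEFAULT_COOKIE_ACTION


def filter_set_cookie_headers(set_cookie_values: List[str],
                              request_host: str) -> Tuple[List[str], List[str]]:
    """Split the Set-Cookie values of one response into those the proxy
    passes to the client and those it strips."""
    kept, stripped = [], []
    for value in set_cookie_values:
        target = stripped if cookie_action(value, request_host) == "deny" else kept
        target.append(value)
    return kept, stripped


if __name__ == "__main__":
    # Constructed response from www.example.com that also sets a third-party
    # tracking cookie with an explicit Domain attribute.
    cookies = [
        "session=abc123; Path=/; HttpOnly",
        "track=xyz; Path=/; Domain=.nosy-adware-site.com",
    ]
    print(filter_set_cookie_headers(cookies, "www.example.com"))
    # No Domain attribute: the request host decides, so this one is stripped.
    print(filter_set_cookie_headers(["pref=1; Path=/"], "mail.google.com"))
```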
HTTP Response: Body content types
This ruleset gives you control of the content in an HTTP response. The Firebox or XTM device is configured
to deny Java bytecodes, Zip archives, Windows EXE/DLL files, and Windows CAB files. The default proxy
action for outgoing HTTP requests (HTTP-Client) allows all other response body content types. You can add,
delete, or modify rules. We recommend that you examine the file types that are used in your organization
and allow only those file types that are necessary for your network.
1. In the Categories tree, select Body Content Types.
2. Add, change, or delete rules.
3. If you want to change settings for one or more other categories in this proxy, go to the section in this
document on the next category you want to modify.
4. If you are finished with your changes to this proxy definition, click OK.
5. If you modified a predefined proxy action, you must clone (copy) your settings to a new action.
6. Enter a name for the new action and click OK.
The New Policy Properties dialog box appears.
For more information on predefined user actions, see About predefined and user-defined proxy
actions on page 371.
Import or export rulesets
You can import and export rulesets between proxy definitions. For more information, see Import and
export rulesets on page 369.
HTTP proxy exceptions
For certain web sites, you can use HTTP proxy exceptions to bypass HTTP proxy rules, but not bypass the
proxy framework. Traffic that matches HTTP proxy exceptions still goes through the standard proxy handling
used by the HTTP proxy. However, when a match occurs, some proxy settings are not included.
Not included Proxy settings
These settings are not included:
• HTTP request — range requests, URL path length, all request methods, all URL paths, request
headers*, authorization pattern matching
• HTTP response — response headers*, content types, cookies, body content types
* Request headers and response headers are parsed by the HTTP proxy even when the traffic matches the
HTTP proxy exception. If a parsing error does not occur, all headers are allowed. Also, antivirus scanning, IPS
scanning, and WebBlocker are not applied to traffic that matches an HTTP proxy exception.
Included Proxy settings
These settings are included:
• HTTP request — Idle timeout
• HTTP response — Idle timeout, maximum line length limit, maximum total length limit
All transfer-encoding parsing is still applied to allow the proxy to determine the encoding type. The HTTP
proxy denies all invalid or malformed transfer encoding.
Define exceptions
You can add host names or patterns as HTTP proxy exceptions. For example, if you block all web sites that
end in .test but want to allow your users to go to the site www.abc.test, you can add www.abc.test as an
HTTP proxy exception.
You specify the IP address or domain name of sites to allow. The domain (or host) name is the part of a URL
that ends with .com, .net, .org, .biz, .gov, or .edu. Domain names can also end in a country code, such as .de
(Germany) or .jp (Japan).
To add a domain name, type the URL pattern without the leading "http://". For example, to allow your users
to go to the Example web site http://www.example.com, type www.example.com . If you want to allow all
subdomains that contain example.com, you can use the asterisk (*) as a wildcard character. For example, to
allow users to go to www.example.com, and support.example.com type *.example.com .
1. In the Categories tree, select HTTP Proxy Exceptions.
2. In the field to the left of the Add button, type the host name or host name pattern. Click Add. Repeat
for additional exceptions you want to add.
3. If you want to add a traffic log message each time the HTTP proxy takes an action on a proxy
exception, select the Log each transaction that matches an HTTP proxy exception check box.
4. If you want to change settings for other categories in this proxy, see the topic for the next category
you want to modify.
5. If you are finished with your changes to this proxy definition, click OK.
6. If you modified a predefined proxy action, you must clone (copy) your settings to a new action.
7. Type a name for the new action and click OK.
The New Policy Properties dialog box appears.
For more information on predefined user actions, see About predefined and user-defined proxy
actions on page 371.
HTTP proxy: WebBlocker
You can associate a WebBlocker configuration with your HTTP proxy to apply consistent settings for web site
content blocking.
Choose an option to select a configuration:
• Select a configuration in the drop-down list.
• Click the adjacent button to create a new WebBlocker configuration.
For more information, see About WebBlocker on page 979 and Get started with WebBlocker on page 988.
HTTP proxy: Application Blocker
You can associate an Application Blocker configuration with your HTTP proxy to apply consistent settings for
instant messaging (IM) and peer-to-peer (P2P) network traffic.
Choose an option to select a configuration:
• Select a configuration in the drop-down list.
• Click the adjacent button to create a new Application Blocker configuration.
For more information, see About Application Blocker Configurations on page 373.
HTTP proxy: AntiVirus
If you have purchased and enabled the Gateway AntiVirus feature, the fields in the AntiVirus category set the
actions necessary if a virus is found in a web site or when the Firebox or XTM device cannot scan a web site.
• To use the proxy definition screens to activate Gateway AntiVirus, see Activate Gateway AntiVirus
from proxy definitions on page 1084.
• To use the Tasks menu in Policy Manager to activate Gateway AntiVirus, see Activate Gateway
AntiVirus with a wizard from Policy Manager on page 1081.
• To configure Gateway AntiVirus for the HTTP proxy, see Configure Gateway AntiVirus actions on
page 1085.
When you enable Gateway AntiVirus, you must set the actions to be taken if a virus or error is found in a
web page.
The options for antivirus actions are:
Allow
Allows the packet to go to the recipient, even if the content contains a virus.
Drop
Drops the packet and drops the connection. No information is sent to the source of the message.
Block
Blocks the packet, and adds the IP address of the sender to the Blocked Sites list.
Gateway AntiVirus scans each file up to a specified kilobyte count. Any additional bytes in the file are not
scanned. This allows the proxy to partially scan very large files without a large effect on performance. Enter
the file scan limit in the Limit scanning to first field.
For information about the default and maximum scan limits for each Firebox or XTM device model, see
About Gateway AntiVirus scan limits on page 1090.
HTTP proxy: Intrusion Prevention
If you have purchased and enabled the Intrusion Prevention feature, the fields in the Intrusion Prevention
category set the actions necessary to find and stop intrusions.
Although you can use the proxy definition screens to activate and configure IPS, it is easier to use the
Subscription Services menu in Policy Manager to do this. For more information on how to do this, see
Activate Intrusion Prevention Service (IPS) on page 1097.
To use the IPS screens in the HTTP proxy definition, see Activate and configure Intrusion Prevention Service
for TCP-UDP on page 1105.
HTTP proxy: Reputation Enabled Defense
If you have purchased and enabled Reputation Enabled Defense, the check boxes in this category set the
actions necessary to allow or block content based on the reputation score of a URL.
To configure the Reputation Enabled Defense in the HTTP proxy definition, see Configure Reputation
Enabled Defense.
HTTP proxy: Deny message
When content is denied, the Firebox or XTM device sends a default deny message that replaces the denied
content. You can change the text of that deny message. You can customize the deny message with standard
HTML. You can also use Unicode (UTF-8) characters in the deny message. The first line of the deny message
is a component of the HTTP header. You must include an empty line between the first line and the body of
the message.
You get a deny message in your web browser from the Firebox or XTM device when you make a request
that the HTTP proxy does not allow. You also get a deny message when your request is allowed, but the
HTTP proxy denies the response from the remote web server. For example, if a user tries to download an
.exe file and you have blocked that file type, the user sees a deny message in the web browser. If the user
tries to download a web page that has an unknown content type and the proxy policy is configured to block
unknown MIME types, the user sees an error message in the web browser.
The default deny message appears in the Deny Message field. To change this to a custom message, use
these variables:
%(transaction)%
Select Request or Response to show which side of the transaction caused the packet to be denied.
%(reason)%
Includes the reason the Firebox or XTM device denied the content.
%(method)%
Includes the request method from the denied request.
%(url-host)%
Includes the server host name from the denied URL. If no host name was included, the IP address of
the server is included.
%(url-path)%
Includes the path component of the denied URL.
To configure the Deny Message:
1. In the Categories tree, select Deny Message.
2. In the Deny Message text box, type the deny message.
3. If you want to change settings for other categories in this proxy, see the topic for the next category
you want to modify.
4. If you are finished with your changes to this proxy definition, click OK.
5. If you modified a predefined proxy action, you must clone (copy) your settings to a new action.
6. Type a name for the new action and click OK.
The New Policy Properties dialog box appears.
For more information on predefined user actions, see About predefined and user-defined proxy
actions on page 371.
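The deny message is a small HTML document whose first line belongs to the HTTP header and whose second line must be empty, with the five %(...)% variables expanded when the message is sent. The following Python is an added example, not WatchGuard code: it validates a template against that layout rule and expands the variables, with %(url-host)% falling back to the server IP address when the denied URL carried no host name. The template text is constructed, not the device's default, and HTML-escaping the expanded values is this example's own precaution against a denied URL injecting markup into the page shown to the user.

```python
import html
import re
from typing import Optional

# Constructed template that only illustrates the layout: line 1 is header
# material, line 2 is empty, everything after it is the HTML body that
# replaces the denied content.
DENY_TEMPLATE = (
    "HTTP/1.0 403 Forbidden\n"
    "\n"
    "<html><body>\n"
    "<h1>Request denied</h1>\n"
    "<p>The %(transaction)% for %(method)% %(url-host)%%(url-path)% "
    "was denied by the HTTP proxy.</p>\n"
    "<p>Reason: %(reason)%</p>\n"
    "</body></html>\n"
)

# The five variables the page documents.
VARIABLE = re.compile(r"%\((transaction|reason|method|url-host|url-path)\)%")


def validate_deny_template(template: str) -> Optional[str]:
    """Return a problem description, or None when the template has a header
    line, then an empty line, then a body."""
    lines = template.split("\n")
    if len(lines) < 3:
        return "template needs a header line, an empty line and a body"
    if lines[1].strip():
        return "second line must be empty to separate the HTTP header from the body"
    return None


def render_deny_message(template: str, transaction: str, reason: str,
                        method: str, url_host: Optional[str], url_path: str,
                        server_ip: str) -> str:
    """Expand the %(...)% variables. transaction is 'Request' or 'Response';
    %(url-host)% becomes the server IP address when the URL had no host name.
    Values are HTML-escaped (this example's choice; see the lead-in)."""
    problem = validate_deny_template(template)
    if problem:
        raise ValueError(problem)
    if transaction not in ("Request", "Response"):
        raise ValueError("transaction must be 'Request' or 'Response'")
    values = {
        "transaction": transaction,
        "reason": reason,
        "method": method,
        "url-host": url_host or server_ip,
        "url-path": url_path,
    }
    return VARIABLE.sub(lambda m: html.escape(values[m.group(1)]), template)


if __name__ == "__main__":
    # Constructed case: a response whose body content type was denied.
    print(render_deny_message(DENY_TEMPLATE, "Response",
                              "Body content type denied", "GET",
                              "www.example.com", "/setup.exe", "192.0.2.10"))
```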
Enable Windows updates through the HTTP proxy
Windows Update servers identify the content they deliver to a computer as a generic binary stream (such
as octet stream), which is blocked by the default HTTP proxy rules. To allow Windows updates through the
HTTP proxy, you must edit your HTTP-Client proxy ruleset to add HTTP proxy exceptions for the Windows
Update servers.
1. Make sure that your Firebox or XTM device allows outgoing connections on port 443 and port 80.
These are the ports that computers use to contact the Windows Update servers.
2. In the Categories tree, select HTTP Proxy Exceptions.
3. In the text box to the left of the Add button, type or paste each of these domains, and click Add after
each one:
windowsupdate.microsoft.com
download.windowsupdate.com
update.microsoft.com
download.microsoft.com
ntservicepack.microsoft.com
wustat.windows.com
v4.windowsupdate.microsoft.com
v5.windowsupdate.microsoft.com
4. Click OK to close each proxy and policy dialog box.
If you still cannot download Windows updates
If you have more than one HTTP proxy policy, make sure that you add the HTTP exceptions to the correct
policy and proxy action.
Microsoft does not limit updates to only these domains. Examine your logs for denied traffic to a
Microsoft-owned domain. If you do not have a WatchGuard Log Server, run Windows Update and then monitor
the device log messages (Traffic Monitor). Look for any traffic denied by the HTTP proxy. The log line should
include the domain. Add any new Microsoft domain to the HTTP proxy exceptions list, and then run
Windows Update again.
Use a caching proxy server
Because your users can look at the same web sites frequently, a caching proxy server increases the traffic
speed and decreases the traffic volume on the external Internet connections. Although the HTTP proxy on
the Firebox or XTM device does not cache content, you can use the external caching proxy servers. All
Firebox or XTM device proxy and WebBlocker rules continue to have the same effect.
The Firebox or XTM device connects to the caching proxy server in the same way a client does. The Firebox
or XTM device changes the request line from GET / HTTP/1.1 to GET www.mydomain.com / HTTP/1.1 and
sends it to the caching proxy server. The caching proxy server then forwards the GET request to the web server.
To set up an external caching proxy server:
1. Configure an external proxy server, such as Microsoft Proxy Server 2.0.
2. Open Policy Manager.
3. Double-click the icon for the HTTP-proxy policy.
The Edit Policy Properties dialog box appears.
4. Click the Properties tab.
5. Click .
6. In the Categories tree, select Use Web Cache Server.
7. Select the Use external caching proxy server for HTTP traffic check box.
8. Type the IP address and port for the external caching proxy server.
9. If you want to change settings for other categories in this proxy, see the topic for the next category
you want to modify.
10. If you are finished with your changes to this proxy definition, click OK.
11. If you modified a predefined proxy action, you must clone (copy) your settings to a new action.
12. Type a name for the new action and click OK.
The New Policy Properties dialog box appears.
For more information on predefined user actions, see About predefined and user-defined proxy
actions on page 371.
About the HTTPS proxy
HTTPS (Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a request/response
protocol between clients and servers used for secure communications and transactions. You can use the
HTTPS proxy to secure a web server protected by your Firebox or XTM device, or to examine HTTPS traffic
requested by clients on your network. By default, when an HTTPS client starts a request, it establishes a TCP
(Transmission Control Protocol) connection on port 443. Most HTTPS servers listen for requests on port 443.
HTTPS is more secure than HTTP because HTTPS uses a digital certificate to encrypt and decrypt user page
requests as well as the pages that are returned by the web server. Because HTTPS traffic is encrypted, the
Firebox or XTM device must decrypt it before it can be examined. After it examines the content, the
Firebox or XTM device encrypts the traffic with a certificate and sends it to the intended destination.
You can export the default certificate created by the Firebox or XTM device for this feature, or import a
certificate for the Firebox or XTM device to use instead. If you use the HTTPS proxy to examine web traffic
requested by users on your network, we recommend that you export the default certificate and distribute
it to each user so that they do not receive browser warnings about untrusted certificates. If you use the
HTTPS proxy to secure a web server that accepts requests from an external network, we recommend that
you import the existing web server certificate for the same reason.
When an HTTPS client or server uses a port other than port 443 in your organization, you can use the
TCP/UDP proxy to relay the traffic to the HTTPS proxy. For information on the TCP/UDP proxy, see About the
TCP-UDP proxy on page 456.
To add the HTTPS proxy to your Firebox or XTM device configuration, see Add a proxy policy to your
configuration on page 377.
If you must change the proxy definition, you can use the New/Edit Proxy Policies dialog box to modify the
definition. This dialog box has three tabs: Policy, Properties, and Advanced. On the Properties tab, you can
also edit the default rulesets for proxy actions. For more information, see About proxy actions on page 370.
Policy tab
• HTTPS-proxy connections are — Specify whether connections are Allowed, Denied, or Denied
(send reset), and define who appears in the From and To list (on the Policy tab of the proxy
definition). For more information, see Set access rules for a policy on page 352.
• Use policy-based routing — To use policy-based routing in your proxy definition, see Configure
policy-based routing on page 355.
• You can also configure static NAT or configure server load balancing.
For more information, see About static NAT on page 180 and Configure server load balancing on
page 181.
Properties tab
• In the Proxy action drop-down list, select whether you want to define an action for a client or
server. For information about proxy actions, see About proxy actions on page 370.
• To define logging for a policy, click Logging. For more information, see Set logging and notification
preferences.
• If you set the Connections are drop-down list (on the Policy tab) to Denied or Denied (send reset),
you can block sites that try to use HTTPS. For more information, see Block sites temporarily with
policy settings on page 486.
• If you want to use an idle timeout other than the one set by the Firebox or XTM device or
authentication server, see Set a custom idle timeout.
WatchGuard proxies have predefined rulesets that provide a good balance of security and accessibility for
most installations. You can add, delete, or modify rules as necessary.
To modify the settings and rulesets for a proxy action:
1. Click .
2. Select a category:
• HTTPS proxy: Content inspection
• HTTPS proxy: Certificate names
• HTTPS proxy: WebBlocker
• HTTPS Proxy: Settings
• Proxy and AV alarms
Advanced tab
You can use several other options in your proxy definition:
• Set an operating schedule
• Add a Traffic Management action to a policy
• Set ICMP error handling
• Apply NAT rules (Both 1-to-1 NAT and dynamic NAT are enabled by default in all policies.)
• Enable QoS Marking or prioritization settings for a policy
• Set the sticky connection duration for a policy
HTTPS proxy: Content inspection
On the Content Inspection page, you can enable and configure deep inspection of HTTPS content.
Enable deep inspection of HTTPS content
When this check box is selected, the Firebox or XTM device decrypts HTTPS traffic, examines the
content, and encrypts the traffic again with a new certificate. The content is examined by the HTTP
proxy policy that you choose on this page.
Note If you have other traffic that uses the HTTPS port, such as SSL VPN traffic, we
recommend that you evaluate this option carefully. The HTTPS proxy attempts to
examine all traffic on TCP port 443 in the same way. To ensure that other traffic
sources operate correctly, we recommend that you add those sources to the
Bypass list. See the subsequent section for more information.
By default, the certificate used to encrypt the traffic is generated automatically by the Firebox or
XTM device. You can also upload your own certificate to use for this purpose. If the original web site
or your web server has a self-signed or invalid certificate, or if the certificate was signed by a CA the
Firebox or XTM device does not recognize, clients are presented with a browser certificate warning.
Certificates that cannot be properly re-signed appear to be issued by Fireware HTTPS Proxy:
Unrecognized Certificate or simply Invalid Certificate.
We recommend that you import the certificate you use, as well as any other certificates necessary
for the client to trust that certificate, on each client device. When a client does not automatically
trust the certificate used for the content inspection feature, the user sees a warning in their
browser, and services like Windows Update do not operate correctly.
Some third-party programs store private copies of necessary certificates and do not use the
operating system certificate store, or transmit other types of data over TCP port 443. These
programs include:
• Communications software, such as AOL Instant Messenger and Google Voice
• Remote desktop and presentation software, including LiveMeeting and WebEx
• Financial and business software, such as ADP, iVantage, FedEx, and UPS
If these programs do not have a method to import trusted CA certificates, they do not operate
correctly when content inspection is enabled. Contact your software vendor for more information
about certificate use or technical support, or add the IP addresses of computers that use this
software to the Bypass list.
For more information, see About certificates on page 773 or Use Certificates for the HTTPS Proxy on
page 798.
Proxy action
Select an HTTP proxy policy for the Firebox or XTM device to use when it inspects decrypted HTTPS
content.
When you enable content inspection, the HTTP proxy action WebBlocker settings override the
HTTPS proxy WebBlocker settings. If you add IP addresses to the bypass list for content inspection,
traffic from those sites is filtered with the WebBlocker settings from the HTTPS proxy.
For more information on WebBlocker configuration, see About WebBlocker on page 979.
Use OCSP to confirm the validity of certificates
Select this check box to have the Firebox or XTM device automatically check for certificate
revocations with OCSP (Online Certificate Status Protocol). When this feature is enabled, the Firebox
or XTM device uses information in the certificate to contact an OCSP server that keeps a record of
the certificate status. If the OCSP server responds that the certificate has been revoked, the Firebox
or XTM device disables the certificate.
If you select this option, there can be a delay of several seconds as the Firebox or XTM device
requests a response from the OCSP server. The Firebox or XTM device keeps between 300 and
3000 OCSP responses in a cache to improve performance for frequently visited web sites. The
number of responses stored in the cache is determined by your Firebox or XTM device model.
Treat certificates whose validity cannot be confirmed as invalid
When this option is selected and an OCSP responder does not send a response to a revocation status
request, the Firebox or XTM device considers the original certificate as invalid or revoked. This
option can cause certificates to be considered invalid if there is a routing error or a problem with
your network connection.
Bypass list
The Firebox or XTM device does not inspect content sent to or from IP addresses on this list. To add
a web site or hostname, type its IP address in the text box and click the Add button.
You can use the DNS Lookup button to quickly find the IP address for a web site or hostname.
1. Click the DNS Lookup button.
2. Type the domain name or hostname and click Lookup. If the domain name or hostname is valid, its IP
addresses are shown in the list below.
3. Select the check box next to each IP address that you want to add and click OK.
4. To select all or none of the IP addresses, click the check box at the top of the list.
HTTPS proxy: Certificate names
Certificate names are used to filter content for an entire site. The Firebox or XTM device allows or denies
access to a site if the domain of an HTTPS certificate matches an entry in this list.
For example, if you want to deny traffic from any site in the example.com domain, add a Certificate Names
rule with the pattern *.example.com and set the If matched action to Deny.
1. In the Categories tree, select Certificate Names.
2. Add, change, or delete rules.
3. If you want to change settings for one or more other categories in this proxy, go to the topic on the
next category you want to modify.
4. If you are finished with your changes to this proxy definition, click OK.
5. If the proxy action you have modified is a predefined one, you must clone (copy) your settings to a
new action.
6. Type a name for the new action and click OK.
For more information on predefined user actions, see About predefined and user-defined proxy
actions on page 371.
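The decisions described in the Content inspection and Certificate names sections (bypass list, the OCSP check with its "treat unconfirmed as invalid" option, and first-match wildcard rules on the certificate domain) can be modelled as a small policy engine. This is an added example, not WatchGuard code: the field names, the order in which the checks are applied, and the OCSP status values are assumptions chosen to mirror the text.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertNameRule:
    """One Certificate Names rule: a wildcard pattern and its 'If matched' action."""
    pattern: str          # for example "*.example.com"
    action: str           # "Allow" or "Deny"


@dataclass
class HttpsProxyAction:
    """Subset of the HTTPS proxy action settings discussed on this page (assumed field names)."""
    content_inspection: bool = True
    bypass: List[str] = field(default_factory=list)          # IP addresses or CIDR blocks
    cert_name_rules: List[CertNameRule] = field(default_factory=list)
    cert_name_default: str = "Allow"                         # action when no rule matches
    use_ocsp: bool = True
    treat_unconfirmed_as_invalid: bool = False

    def is_bypassed(self, server_ip: str) -> bool:
        """True when the server address is on the Bypass list (no decryption, no inspection)."""
        addr = ipaddress.ip_address(server_ip)
        return any(addr in ipaddress.ip_network(entry, strict=False) for entry in self.bypass)

    def cert_name_action(self, cert_names: List[str]) -> str:
        """First matching rule wins; DNS names compare case-insensitively."""
        for rule in self.cert_name_rules:
            for name in cert_names:
                if fnmatch.fnmatchcase(name.lower(), rule.pattern.lower()):
                    return rule.action
        return self.cert_name_default

    def ocsp_accepts(self, ocsp_status: Optional[str]) -> bool:
        """ocsp_status is 'good', 'revoked', or None when the responder did not answer."""
        if not self.use_ocsp:
            return True
        if ocsp_status == "revoked":
            return False
        if ocsp_status is None:
            # 'Treat certificates whose validity cannot be confirmed as invalid'
            return not self.treat_unconfirmed_as_invalid
        return True

    def decide(self, server_ip: str, cert_names: List[str],
               ocsp_status: Optional[str] = None) -> str:
        """Return 'deny', 'pass-through' (relayed encrypted) or 'inspect' (decrypted and re-signed)."""
        if self.cert_name_action(cert_names) == "Deny":
            return "deny"
        if not self.content_inspection or self.is_bypassed(server_ip):
            return "pass-through"
        if not self.ocsp_accepts(ocsp_status):
            return "deny"
        return "inspect"
```

Note that a pattern such as `*.example.com` matches `www.example.com` but not the bare `example.com`; add a second rule for the apex name if you want both covered. The `None` OCSP status is the failure mode the guide warns about: with the fail-closed option enabled, a routing problem on the path to the responder turns into a denied site.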
Import or export rulesets
You can import and export rulesets between proxy definitions. For more information, see Import and
export rulesets on page 369.
HTTPS proxy: WebBlocker
You can associate a WebBlocker configuration with your HTTPS proxy to apply consistent settings for web
site content blocking.
Choose one of these options to select a configuration:
• Select a configuration in the drop-down list.
• Click the adjacent button to create a new WebBlocker configuration.
For more information, see About WebBlocker on page 979 and Get started with WebBlocker on page 988.
HTTPS proxy: General settings
You use the General Settings page to configure basic HTTP parameters such as idle timeout and limits for
line and total length.
Proxy alarm
You can define the proxy to send an SNMP trap, a notification to a network administrator, or both.
The notification can either be an email message to a network administrator or a pop-up window on
the administrator's management computer.
For more information on the Proxy and AV alarm fields, see Set logging and notification preferences
on page 646.
Idle timeout
Select this check box to control how long the HTTPS proxy waits for the web client to make a
request from the external web server after it starts a TCP/IP connection, or after an earlier request
for the same connection. If the time period exceeds this setting, the HTTPS proxy closes the
connection. In the adjacent field, type or select the number of minutes before the proxy times out.
Enable logging for reports
Creates a traffic log message for each transaction. This option creates a large log file, but this
information is very important if your firewall is attacked. If you do not select this check box, you do
not see detailed information about HTTP proxied connections in reports.
About the POP3 proxy
POP3 (Post Office Protocol v.3) is a protocol that moves email messages from an email server to an email
client on a TCP connection over port 110. Most Internet-based email accounts use POP3. With POP3, an
email client contacts the email server and checks for any new email messages. If it finds a new message, it
downloads the email message to the local email client. After the message is received by the email client,
the connection is closed.
With a POP3 proxy filter you can:
• Adjust timeout and line length limits to make sure the POP3 proxy does not use too many network resources, and to prevent some types of attacks.
• Customize the deny message that users see when an email sent to them is blocked.
• Filter content embedded in email with MIME types.
• Block specified path patterns and URLs.
To add the POP3 proxy to your Firebox or XTM device configuration, see Add a proxy policy to your
configuration on page 377.
If you must change the proxy definition, you can use the New/Edit Proxy Policies dialog box to modify the
definition. This dialog box has three tabs: Policy, Properties, and Advanced. On the Properties tab, you can
also edit the default rulesets for proxy actions.
For more information, see About proxy actions on page 370.
Policy tab
• POP3-proxy connections are — Specify whether connections are Allowed, Denied, or Denied (send reset), and define who appears in the From and To list (on the Policy tab of the proxy definition). For more information, see Set access rules for a policy on page 352.
• Use policy-based routing — To use policy-based routing in your proxy definition, see Configure policy-based routing on page 355.
• You can also configure static NAT or configure server load balancing. For more information, see About static NAT on page 180 and Configure server load balancing on page 181.
Properties tab
• In the Proxy action drop-down list, select whether you want to define an action for a client or server. For information about proxy actions, see About proxy actions on page 370.
• To define logging for a policy, click Logging and Set logging and notification preferences on page 646.
• If you set the Connections are drop-down list (on the Policy tab) to Denied or Denied (send reset), you can block sites that try to use POP3. For more information, see Block sites temporarily with policy settings on page 486.
• If you want to use an idle timeout other than the one set by the Firebox or XTM device or authentication server, Set a custom idle timeout.
WatchGuard proxies have predefined rulesets that provide a good balance of security and accessibility for
most installations. You can add, delete, or modify rules as necessary.
To modify the settings and rulesets for a proxy action:
1. Click the edit icon.
2. Select a category:
• POP3 proxy: General settings
• POP3 proxy: Authentication
• POP3 proxy: Content types
• POP3 proxy: File names
• POP3 proxy: Headers
• POP3 proxy: AntiVirus
• POP3 proxy: Deny message
• Intrusion prevention in proxy definitions
• POP3 proxy: spamBlocker
• Proxy and AV alarms
Advanced tab
You can use several other options in your proxy definition:
• Set an operating schedule
• Add a Traffic Management action to a policy
• Set ICMP error handling
• Apply NAT rules (Both 1-to-1 NAT and dynamic NAT are enabled by default in all policies.)
• Enable QoS Marking or prioritization settings for a policy
• Set the sticky connection duration for a policy
POP3 proxy: General settings
On the General Settings page, you can adjust timeout and line length limits as well as other general
parameters for the POP3 proxy:
Set the timeout to
Use this setting to limit the number of minutes that the email client tries to open a connection to the
email server before the connection is closed. This makes sure the proxy does not use too many
network resources when the POP3 server is slow or cannot be reached.
Set the maximum email line length to
Use this setting to prevent some types of buffer overflow attacks. Very long line lengths can cause
buffer overflows on some email systems. Most email clients and systems send relatively short lines,
but some web-based email systems send very long lines. However, it is unlikely that you will need to
change this setting unless it prevents access to legitimate mail.
Hide server replies
Select this check box if you want to replace the POP3 greeting strings in email messages. These
strings can be used by hackers to identify the POP3 server vendor and version.
Allow uuencoded attachments
Select this check box if you want the POP3 proxy to allow uuencoded attachments to email
messages. Uuencode is an older program used to send binary files in ASCII text format over the
Internet. UUencoded attachments can be security risks because they appear as ASCII text files but
can actually contain executable files.
Allow BinHex attachments
Select this check box if you want the POP3 proxy to allow BinHex attachments to email messages.
BinHex, which is short for binary-to-hexadecimal, is a utility that converts a file from binary format to
ASCII.
Enable logging for reports
Select this check box if you want the POP3 proxy to send a log message for each POP3 connection
request. If you want to use WatchGuard Reports to create reports on POP3 traffic, you must select
this check box.
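The General Settings options above act on the server's reply stream one line at a time: the line length limit rejects oversized lines before they reach a client, the greeting banner is rewritten when server replies are hidden, and uuencoded or BinHex attachments are recognized by their first line. The filter below is an added example, not WatchGuard code; the sample replies are constructed, the limit of 1000 characters is an assumed value (this page gives no default), and the banner, "begin", and BinHex markers are the conventional ones for those formats.

```python
import re

# Constructed sample of POP3 server replies, one per line, as the proxy sees them.
SAMPLE_REPLIES = [
    "+OK ExampleMail POP3 server v4.2 ready",           # greeting banner with vendor/version
    "+OK 2 messages",
    "begin 644 invoice.exe",                              # first line of a uuencoded attachment
    "(This file must be converted with BinHex 4.0)",     # first line of a BinHex attachment
    "A" * 1200,                                           # abnormally long line
    "+OK Logging out.",
]

UUENCODE_START = re.compile(r"^begin [0-7]{3,4} \S+")
BINHEX_START = "(This file must be converted with BinHex"


class Pop3ReplyFilter:
    """Applies the General Settings options to server replies, one line at a time."""

    def __init__(self, max_line_length=1000, hide_server_replies=True,
                 allow_uuencode=False, allow_binhex=False):
        self.max_line_length = max_line_length
        self.hide_server_replies = hide_server_replies
        self.allow_uuencode = allow_uuencode
        self.allow_binhex = allow_binhex
        self.seen_greeting = False

    def filter_line(self, line):
        """Return (action, text): action is 'pass', 'rewrite' or 'deny'."""
        if len(line) > self.max_line_length:
            return "deny", "line of %d characters exceeds limit of %d" % (
                len(line), self.max_line_length)
        if not self.seen_greeting:
            self.seen_greeting = True
            if self.hide_server_replies and line.startswith("+OK"):
                return "rewrite", "+OK"          # greeting stripped of vendor and version
        if UUENCODE_START.match(line) and not self.allow_uuencode:
            return "deny", "uuencoded attachment not allowed"
        if line.startswith(BINHEX_START) and not self.allow_binhex:
            return "deny", "BinHex attachment not allowed"
        return "pass", line


def filter_session(lines, **options):
    """Run a whole reply stream through one filter instance (keeps greeting state)."""
    f = Pop3ReplyFilter(**options)
    return [f.filter_line(line) for line in lines]
```

The greeting is the only line the filter rewrites; everything else is either passed unchanged or denied with a reason string that a proxy would log, which is the information you would want when a legitimate mail system starts hitting the line length limit.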
POP3 proxy: Authentication
A POP3 client must authenticate to a POP3 server before they exchange information. You can set the types
of authentication for the proxy to allow and the action to take for types that do not match the criteria. You
can add, delete, or modify rules.
1. In the Categories tree, select Authentication.
2. Add, change, or delete rules.
3. If you are finished with your changes to this proxy definition, click OK.
4. If you want to change settings for other categories in this proxy, see the topic for the next category
you want to modify.
5. If you modified a predefined proxy action, you must clone (copy) your settings to a new action.
6. Type a name for the new action and click OK.
The New Policy Properties dialog box appears.
For more information on predefined user actions, see About predefined and user-defined proxy
actions on page 371.
Import or export rulesets
You can import and export rulesets between proxy definitions. For more information, see Import and
export rulesets on page 369.
POP3 proxy: Content types
The headers for email messages include a Content Type header to show the MIME type of the email and of
any attachments. The content type or MIME type tells the computer the types of media the message
contains. Certain kinds of content embedded in email can be a security threat to your network. Other kinds
of content can decrease the productivity of your users.
You can add, delete, or modify rules. You can also set values for content filtering and the action to take for
content types that do not match the criteria. For the POP3-server proxy action, you set values for incoming
content filtering. For the POP3-client action, you set values for outgoing content filtering.
1. In the Categories tree, select Content Types.
2. To enable the POP3 proxy to examine content to determine the content type, select the Enable
content type auto detection check box.
If you do not select this option, the POP3 proxy uses the value stated in the email header, which
clients sometimes set incorrectly.
Because hackers often try to disguise executable files as other content types, we recommend that
you enable content type auto detection to make your installation more secure.
For example, an attached .pdf file might have a content type stated as application/octet-stream. If
you enable content type auto detection, the POP3 proxy recognizes the .pdf file and uses the actual
content type, application/pdf. If the proxy does not recognize the content type after it examines the
content, it uses the value stated in the email header, as it would if content type auto detection were
not enabled.
3. Add, change, or delete rules.
The format of a MIME type is type/subtype. For example, if you want to allow JPEG images, you add
image/jpg. You can also use the asterisk (*) as a wildcard. To allow any image format, add image/*
to the list.
4. To add a predefined content type, click Predefined.
A list of content types appears, with short descriptions of the content types.
5. After you are finished with your changes to the ruleset, click OK.
6. If you want to change settings for other categories in this proxy, see the topic for the next category
you want to modify.
7. If you are finished with your changes to this proxy definition, click OK.
8. If you modified a predefined proxy action, you must clone (copy) your settings to a new action.
9. Type a name for the new action and click OK.
The New Policy Properties dialog box appears.
For more information on predefined user actions, see About predefined and user-defined proxy
actions on page 371.
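Content type auto detection, the fallback to the declared header, and the type/subtype rules with a `*` wildcard described in steps 2 and 3 fit together as shown below. This is an added example, not WatchGuard code: the magic-byte table, the rule list, the default action for unmatched types, and the two sample attachments (a PDF declared as octet-stream, and an executable declared as a PDF) are all constructed for illustration.

```python
import fnmatch

# Leading bytes ("magic numbers") of common attachment formats; constructed, not exhaustive.
MAGIC = [
    (b"%PDF-", "application/pdf"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"MZ", "application/x-msdownload"),   # Windows PE executable
    (b"PK\x03\x04", "application/zip"),
]


def detect_content_type(declared, data, auto_detect=True):
    """Return the content type the proxy should use for one MIME part.

    With auto detection on, the payload's leading bytes win over the declared
    Content-Type header; content that is not recognized falls back to the
    declared value, exactly as it would with auto detection off."""
    if auto_detect:
        for magic, ctype in MAGIC:
            if data.startswith(magic):
                return ctype
    return declared


def match_rule(pattern, ctype):
    """type/subtype comparison with '*' as a wildcard, e.g. image/* matches image/png."""
    return fnmatch.fnmatchcase(ctype.lower(), pattern.lower())


def apply_ruleset(rules, ctype, default_action="Deny"):
    """rules is an ordered list of (pattern, action); the first match wins."""
    for pattern, action in rules:
        if match_rule(pattern, ctype):
            return action
    return default_action


# Constructed ruleset; the unmatched default of Deny is an assumption.
RULES = [
    ("application/x-msdownload", "Deny"),
    ("image/*", "Allow"),
    ("application/pdf", "Allow"),
    ("text/*", "Allow"),
]


def decide_attachment(declared, data, auto_detect=True):
    """Return (effective content type, action) for an attachment."""
    ctype = detect_content_type(declared, data, auto_detect)
    return ctype, apply_ruleset(RULES, ctype)


# Constructed samples: a real PDF with a generic header, and an executable labelled as a PDF.
PDF_AS_OCTET = ("application/octet-stream", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n")
EXE_AS_PDF = ("application/pdf", b"MZ\x90\x00\x03\x00\x00\x00")
```

The second sample is the case the guide has in mind when it says attackers disguise executables as other content types: with auto detection off, the header alone would let it through as a PDF.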
Import or export rulesets
You can import and export rulesets between proxy definitions. For more information, see Import and
export rulesets on page 369.
POP3 proxy: File names
You use this ruleset in a POP3-server proxy action to put limits on file names for incoming email
attachments. You use the ruleset for the POP3-client proxy action to put limits on file names for outgoing
email attachments. If the default ruleset does not meet all of your business needs, you can add, delete, or
modify rules.
1. In the Categories tree, select Attachments > Filenames.
2. Add, change, or delete rules.
3. After you are finished with your changes to the ruleset, click OK.
4. If you want to change settings for other categories in this proxy, see the topic for the next category
you want to modify.
5. If you are finished with your changes to this proxy definition, click OK.
6. If you modified a predefined proxy action, you must clone (copy) your settings to a new action.
7. Type a name for the new action and click OK.
The New Policy Properties dialog box appears.
For more information on predefined user actions, see About predefined and user-defined proxy
actions on page 371.
Import or export rulesets
You can import and export rulesets between proxy definitions. For more information, see Import and
export rulesets on page 369.
POP3 proxy: Headers
The POP3 proxy examines email headers to find patterns common to forged email messages as well as
those from legitimate senders. You can add, delete, or modify rules.
1. In the Categories tree, select Headers.
2. Add, change, or delete rules.
3. If you want to change settings for other categories in this proxy, see the topic for the next category
you want to modify.
4. If you are finished with your changes to this proxy definition, click OK.
5. If you modified a predefined proxy action, you must clone (copy) your settings to a new action.
6. Type a name for the new action and click OK.
The New Policy Properties dialog box appears.
For more information on predefined user actions, see About predefined and user-defined proxy
actions on page 371.
Import or export rulesets
You can import and export rulesets between proxy definitions. For more information, see Import and
export rulesets on page 369.
POP3 proxy: AntiVirus
If you have purchased and enabled the Gateway AntiVirus feature, the fields in the AntiVirus category set
the actions necessary if a virus is found in an email message. It also sets actions for when an email message
contains an attachment that the Firebox or XTM device cannot scan.
• To use the proxy definition screens to activate Gateway AntiVirus, see Activate Gateway AntiVirus from proxy definitions on page 1084.
• To use the Subscription Services menu in Policy Manager to activate Gateway AntiVirus, see Activate Gateway AntiVirus with a wizard from Policy Manager on page 1081.
• To configure Gateway AntiVirus for the POP3 proxy, see Configure Gateway AntiVirus actions on page 1085.
When you enable Gateway AntiVirus, you must set the actions to be taken if a virus or error is found in an
email message or attachment. The options for antivirus actions are:
Allow
Allows the packet to go to the recipient, even if the content contains a virus.
Lock
Locks the attachment. This is a good option for files that cannot be scanned by the Firebox or XTM
device. A file that is locked cannot be opened easily by the user. Only the administrator can unlock
the file. The administrator can use a different antivirus tool to scan the file and examine the content
of the attachment. For information about how to unlock a file locked by Gateway AntiVirus, see
Unlock a file locked by Gateway AntiVirus on page 1089.
Remove
Removes the attachment and allows the message through to the recipient.
Note If you set the configuration to allow attachments, your configuration is less secure.
Gateway AntiVirus scans each file up to a specified kilobyte count. Any additional bytes in the file are not
scanned. This allows the proxy to partially scan very large files without a large effect on performance. Enter
the file scan limit in the Limit scanning to first field.
For information about the default and maximum scan limits for each Firebox or XTM device model, see
About Gateway AntiVirus scan limits on page 1090.
POP3 proxy: Deny message
When content is denied, the Firebox or XTM device sends a default deny message that replaces the denied
content. This message appears in a recipient's email message when the proxy blocks an email. You can
change the text of that deny message. The first line of the deny message is a section of the HTTP header.
You must include an empty line between the first line and the body of the message.
The default deny message appears in the Deny Message field. To change this to a custom message, use
these variables:
%(reason)%
Includes the reason the Firebox or XTM device denied the content.
%(filename)%
Includes the file name of the denied content.
%(virus)%
Includes the name or status of a virus for Gateway AntiVirus users.
%(action)%
Includes the name of the action taken. For example: lock or strip.
%(recovery)%
Includes whether you can recover the attachment.
To configure the deny message:
1. In the Categories tree, select Deny Message.
2. In the Deny Message text box, type a custom plain text message in standard HTML.
3. If you want to change settings for other categories in this proxy, see the topic for the next category
you want to modify.
4. If you are finished with your changes to this proxy definition, click OK.
5. If you modified a predefined proxy action, you must clone (copy) your settings to a new action.
6. Type a name for the new action and click OK.
The New Policy Properties dialog box appears.
For more information on predefined user actions, see About predefined and user-defined proxy
actions on page 371.
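A deny message is a small template: a header line, a mandatory empty line, then a body in which the five `%(name)%` variables listed above are substituted. The renderer below is an added example, not WatchGuard code; the template text and the sample values are constructed, and the check that rejects unknown variable names is an assumption about what a careful administrator would want, not documented device behaviour.

```python
import re

# The variables this page documents for the POP3 proxy deny message.
VARIABLES = {"reason", "filename", "virus", "action", "recovery"}
VAR_RE = re.compile(r"%\((\w+)\)%")

# Constructed template: header line, required blank line, then the body.
TEMPLATE = (
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "The attachment %(filename)% was removed by your mail gateway.\n"
    "Reason: %(reason)%  Virus: %(virus)%\n"
    "Action taken: %(action)%. Recoverable: %(recovery)%\n"
)


def validate_template(template):
    """Enforce the header / blank line / body layout and known variable names."""
    lines = template.split("\n")
    if len(lines) < 3 or lines[1] != "":
        raise ValueError("second line must be empty: header, blank line, then body")
    unknown = set(VAR_RE.findall(template)) - VARIABLES
    if unknown:
        raise ValueError("unknown variables: %s" % ", ".join(sorted(unknown)))


def render_deny_message(template, values):
    """Substitute %(name)% variables; a variable with no value renders as empty text."""
    validate_template(template)
    return VAR_RE.sub(lambda m: str(values.get(m.group(1), "")), template)
```

Validating before rendering matters because a template with the blank line missing would still "work" as text while breaking the header section the guide says the first line belongs to.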
POP3 proxy: spamBlocker
Unwanted email, also known as spam, can quickly fill your Inbox. A large volume of spam decreases
bandwidth, degrades employee productivity, and wastes network resources. The WatchGuard spamBlocker
option increases your capacity to catch spam at the edge of your network when it tries to enter your
system. If you have purchased and enabled the spamBlocker feature, the fields in the spamBlocker category
set the actions for email messages identified as spam.
Although you can use the proxy definition screens to activate and configure spamBlocker, it is easier to use
the Subscription Services menu in Policy Manager to do this.
For more information on how to do this, or to use the spamBlocker screens in the proxy definition, see
About spamBlocker on page 1053.
About the SIP proxy
If you use Voice-over-IP (VoIP) in your organization, you can add a SIP (Session Initiation Protocol) or H.323
ALG (Application Layer Gateway) to open the ports necessary to enable VoIP through your Firebox or XTM
device. An ALG is created in the same way as a proxy policy and offers similar configuration options. These
ALGs have been created to work in a NAT environment to maintain security for privately-addressed
conferencing equipment behind the Firebox or XTM device.
H.323 is commonly used on older videoconferencing equipment and voice installations. SIP is a newer
standard that is more common in hosted environments, where only endpoint devices such as phones are
hosted at your business location and a VoIP provider manages the connectivity. You can use both H.323 and
SIP ALGs at the same time, if necessary. To determine which ALG you need to add, consult the
documentation for your VoIP devices or applications.
Note The SIP proxy supports SIP connections of type friend but not of type peer.
VoIP components
It is important to understand that you usually implement VoIP with either:
Peer-to-peer connections
In a peer-to-peer connection, each of the two devices knows the IP address of the other device and
connects to the other directly. If both peers are behind the Firebox or XTM device, the Firebox or
XTM device can route the call traffic correctly.
Hosted connections
Connections hosted by a call management system (PBX)
In the SIP standard, two key components of call management are the SIP Registrar and the SIP Proxy.
Together, these components manage connections hosted by the call management system. The WatchGuard
SIP ALG opens and closes the ports necessary for SIP to operate. The WatchGuard SIP ALG can support both
the SIP Registrar and the SIP Proxy when used with a call management system that is external to the Firebox
or XTM device. In this release, we do not support SIP when your call management system is protected by
the Firebox or XTM device.
Coordinating the many components of a VoIP installation can be difficult. We recommend you make sure
that VoIP connections work successfully before you add an H.323 or SIP ALG. This can help you to
troubleshoot any problems.
ALG functions
When you enable a SIP ALG, your Firebox or XTM device:
• Automatically responds to VoIP applications and opens the appropriate ports
• Ensures that VoIP connections use standard SIP protocols
• Generates log messages for auditing purposes
Many VoIP devices and servers use NAT (Network Address Translation) to open and close ports
automatically. The H.323 and SIP ALGs also perform this function. You must disable NAT on your VoIP
devices if you configure an H.323 or SIP ALG.
To add the SIP ALG to your Firebox or XTM device configuration, see Add a proxy policy to your
configuration on page 377.
If you must change the ALG definition, you can use the New/Edit Proxy Policies dialog box to modify the
definition. This dialog box has three tabs: Policy, Properties, and Advanced. On the Properties tab, you can
also edit the default rulesets for proxy actions.
For more information, see About proxy actions.
Policy tab
• SIP-ALG connections are — Specify whether connections are Allowed, Denied, or Denied (send reset), and define who appears in the From and To list (on the Policy tab of the ALG definition). For more information, see Set access rules for a policy on page 352.
• Use policy-based routing — To use policy-based routing in your ALG definition, see Configure policy-based routing on page 355.
• You can also configure static NAT or configure server load balancing. For more information, see About static NAT on page 180 and Configure server load balancing on page 181.
Properties tab
• In the Proxy action drop-down list, select whether you want to define an action for a client or server. For information about proxy and ALG actions, see About proxy actions on page 370.
• To define logging for a policy, click Logging and Set logging and notification preferences.
• If you set the Connections are drop-down list (on the Policy tab) to Denied or Denied (send reset), you can block sites that try to use SIP. For more information, see Block sites temporarily with policy settings on page 486.
• If you want to use an idle timeout other than the one set by the Firebox or XTM device, or authentication server, see Set a custom idle timeout on page 357.
WatchGuard ALGs have predefined rulesets that provide a good balance of security and accessibility for
most installations. You can add, delete, or modify rules as necessary.
To modify the settings and rulesets for a proxy action:
1. Click the edit icon.
2. Select a category:
• SIP ALG: General Settings
• SIP ALG: Access Control
• SIP ALG: Denied Codecs
Advanced tab
You can use several other options in your ALG definition:
• Set an operating schedule
• Add a Traffic Management action to a policy
• Set ICMP error handling
• Apply NAT rules (Both 1-to-1 NAT and dynamic NAT are enabled by default in all policies.)
• Enable QoS Marking or prioritization settings for a policy
• Set the sticky connection duration for a policy
SIP ALG: General Settings
On the General Settings page, you can set security and performance options for the SIP ALG (Application
Layer Gateway).
Enable header normalization
Select this check box to deny malformed or extremely long SIP headers. While these headers often
indicate an attack on your Firebox or XTM device, you can disable this option if necessary for your
VoIP solution to operate correctly.
Enable topology hiding
This feature rewrites SIP traffic headers to remove private network information, such as IP
addresses. We recommend that you select this option unless you have an existing VoIP gateway
device that performs topology hiding.
Enable directory harvesting protection
Select this check box to prevent attackers from stealing user information from VoIP gatekeepers
protected by your Firebox or XTM device. This option is enabled by default.
Maximum sessions
Use this feature to restrict the maximum number of audio or video sessions that can be created
with a single VoIP call.
For example, if you set the number of maximum sessions to one and participate in a VoIP call with
both audio and video, the second connection is dropped. The default value is two sessions and the
maximum value is four sessions. The Firebox or XTM device creates a log entry when it denies a
media session above this number.
User agent information
Type a new user agent string in the Rewrite user agent as text box to identify outgoing H.323 traffic
as a client you specify. To remove the false user agent, clear the text box.
Timeouts
When no data is sent for a specified amount of time on a VoIP audio, video, or data channel, your
Firebox or XTM device closes that network connection. The default value is 180 seconds (three
minutes) and the maximum value is 600 seconds (ten minutes). To specify a different time interval,
type or select the time in seconds in the Idle media channels text box.
Enable logging for reports
Select to send a log message for each connection request managed by the SIP ALG. This option is
necessary for WatchGuard Reports to create accurate reports on SIP traffic, and is enabled by
default.
SIP ALG: Access Control
On the Access Control page, you can create a list of users who are allowed to send VoIP network traffic.
Enable access control for VoIP
Select this check box to enable the access control feature. When enabled, the SIP ALG allows or
restricts calls based on the options you set.
Default Settings
Select the Start VoIP calls check box to allow all VoIP users to start calls by default.
Select the Receive VoIP calls check box to allow all VoIP users to receive calls by default.
Select the adjacent Log check boxes to create a log message for each SIP VoIP connection started or
received.
Access Levels
To create an exception to the default settings you specified above, type a hostname, IP address, or
email address. Select an access level from the adjacent drop-down list, then click Add. You can allow
users to Start calls only, Receive calls only, Start and receive calls, or give them No VoIP access.
These settings apply only to SIP VoIP traffic.
If you want to delete an exception, select it in the list and click Remove.
Connections made by users who have an access level exception are logged by default. If you do not
want to log connections made by a user with an access level exception, clear the Log check box
adjacent to the exception.
SIP ALG: Denied Codecs
On the Denied Codecs page, you can set the VoIP voice, video, and data transmission codecs that you want
to deny on your network.
Denied Codecs list
Use this feature to deny one or more VoIP codecs. When a SIP VoIP connection is opened that uses
a codec specified in this list, your Firebox or XTM device closes the connection automatically.
This list is empty by default. We recommend that you add a codec to this list if it consumes too much
bandwidth, presents a security risk, or if denying it is necessary for your VoIP solution to operate correctly.
For example, you may choose to deny the G.711 or G.726 codecs because they use more than 32
Kb/sec of bandwidth, or you may choose to deny the Speex codec because it is used by an
unauthorized VOIP application.
To add a codec to the list, type the codec name or unique text pattern in the text box and click Add.
Do not use wildcard characters or regular expression syntax. The codec patterns are case sensitive.
To delete a codec from the list, select it and click Remove.
Log each transaction that matches a denied codec pattern
Select this option to create a log message when your Firebox or XTM device denies SIP traffic that
matches a codec in this list.
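The codec check described above, as an added example that is not part of this guide or of the WatchGuard product: it parses the SDP body that a SIP INVITE carries, lists the codecs the caller offers, and reports which of them contain a denied pattern as a literal, case-sensitive substring. The sample SDP is constructed for the example. One assumption is that the patterns are compared against the encoding names in a=rtpmap lines (and the RFC 3551 static payload names); the guide does not say which text the device matches. A practical consequence worth knowing is that G.711 is announced in SDP as PCMU or PCMA, so a pattern written as "G.711" would not match those names here.

```python
import re

# Constructed sample: the SDP body of a SIP INVITE (not a captured message).
SAMPLE_SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 198.51.100.10\r\n"
    "s=-\r\n"
    "c=IN IP4 198.51.100.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8 96 97\r\n"
    "a=rtpmap:96 speex/16000\r\n"
    "a=rtpmap:97 G726-32/8000\r\n"
    "m=video 51372 RTP/AVP 98\r\n"
    "a=rtpmap:98 H264/90000\r\n"
)

# Static RTP/AVP payload types (RFC 3551) that may appear on an m= line
# without an a=rtpmap line. Payload types 0 and 8 are the two G.711 variants.
STATIC_PAYLOADS = {"0": "PCMU", "3": "GSM", "4": "G723", "8": "PCMA", "9": "G722", "18": "G729"}

M_LINE = re.compile(r"^m=(\w+)\s+\d+\s+RTP/S?AVPF?\s+([\d ]+)", re.M)
RTPMAP = re.compile(r"^a=rtpmap:(\d+)\s+([^/\r\n]+)/", re.M)


def offered_codecs(sdp):
    """Codec names offered in the SDP, in offer order, without duplicates."""
    rtpmap = dict(RTPMAP.findall(sdp))          # payload type -> encoding name
    codecs = []
    for _media, payloads in M_LINE.findall(sdp):
        for pt in payloads.split():
            name = rtpmap.get(pt) or STATIC_PAYLOADS.get(pt)
            if name and name not in codecs:
                codecs.append(name)
    return codecs


def matched_denied_codecs(sdp, denied_patterns):
    """Offered codecs whose name contains a denied pattern (case-sensitive, no wildcards)."""
    return [c for c in offered_codecs(sdp) if any(p in c for p in denied_patterns)]


def sip_session_decision(sdp, denied_patterns, log=True):
    """Return ("deny", hits, log_line) when a denied codec is offered, else ("allow", [], "")."""
    hits = matched_denied_codecs(sdp, denied_patterns)
    if not hits:
        return "allow", [], ""
    log_line = "SIP ALG: denied codec(s) %s, session closed" % ", ".join(hits) if log else ""
    return "deny", hits, log_line


if __name__ == "__main__":
    print(offered_codecs(SAMPLE_SDP))
    print(sip_session_decision(SAMPLE_SDP, ["G726", "speex"]))
```

The case-sensitivity rule from the page is visible in the last assertion style check: a Denied Codecs entry of "Speex" does not match an offer of "speex".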
About the SMTP proxy
SMTP (Simple Mail Transport Protocol) is a protocol used to send email messages between email servers
and also between email clients and email servers. It usually uses a TCP connection on Port 25. You can use
the SMTP proxy to control email messages and email content. The proxy scans SMTP messages for a
number of filtered parameters, and compares them against the rules in the proxy configuration.
With an SMTP proxy filter you can:
• Adjust timeout, maximum email size, and line length limit to make sure the SMTP proxy does not use
too many network resources and can prevent some types of attacks.
• Customize the deny message that users see when an email they try to receive is blocked.
• Filter content embedded in email with MIME types and name patterns.
• Limit the email addresses that email can be addressed to and automatically block email from specific
senders.
To add the SMTP proxy to your Firebox configuration, see Add a proxy policy to your configuration on page 377.
If you must change the proxy definition, you can use the New/Edit Proxy Policies dialog box to modify the
definition. This dialog box has three tabs: Policy, Properties, and Advanced. On the Properties tab, you can
also edit the default rulesets for proxy actions.
For more information, see About proxy actions on page 370.
Policy tab
• SMTP-proxy connections are — Specify whether connections are Allowed, Denied, or Denied (send
reset), and define who appears in the From and To list (on the Policy tab of the proxy definition). For
more information, see Set access rules for a policy on page 352.
• Use policy-based routing — To use policy-based routing in your proxy definition, see Configure
policy-based routing on page 355.
• You can also configure static NAT or configure server load balancing.
For more information, see About static NAT on page 180 and Configure server load balancing on
page 181.
Properties tab
• In the Proxy action drop-down list, select whether you want to define an action for a client or
server.
For information about proxy actions, see About proxy actions on page 370.
• To define logging for a policy, click Logging and Set logging and notification preferences.
• If you set the Connections are drop-down list (on the Policy tab) to Denied or Denied (send reset),
you can block sites that try to use SMTP. For more information, see Block sites temporarily with
policy settings on page 486.
• If you want to use an idle timeout other than the one set by the Firebox or authentication server,
see Set a custom idle timeout on page 357.
WatchGuard proxies have predefined rulesets that provide a good balance of security and accessibility for
most installations. You can add, delete, or modify rules as necessary.
To modify the settings and rulesets for a proxy action:
1. Click .
2. Select a category:
• SMTP proxy: General settings
• SMTP proxy: Greeting rules
• SMTP proxy: ESMTP settings
• SMTP proxy: Authentication
• SMTP proxy: Content types
• SMTP proxy: File names
• SMTP proxy: Mail From/Rcpt To
• SMTP proxy: Headers
• SMTP proxy: AntiVirus
• SMTP proxy: Deny message
• Intrusion prevention in proxy definitions
• SMTP proxy: spamBlocker
• Proxy and AV alarms
Advanced tab
You can use several other options in your proxy definition:
• Set an operating schedule
• Add a Traffic Management action to a policy
• Set ICMP error handling
• Apply NAT rules (Both 1-to-1 NAT and dynamic NAT are enabled by default in all policies.)
• Enable QoS Marking or prioritization settings for a policy
• Set the sticky connection duration for a policy
SMTP proxy: General settings
On the General Settings page, you can set basic SMTP proxy parameters such as idle timeout and message
limits.
Idle timeout
You can set the length of time an incoming SMTP connection can be idle before the connection
times out. The default value is 10 minutes.
Maximum email recipients
You can set the maximum number of email recipients to which a message can be sent.
Select the Set the maximum email recipients to check box. In the adjacent text box, type or select
the number of recipients.
The Firebox or XTM device counts and allows the specified number of addresses through, and then
drops the other addresses. For example, if you set the value to 50 and there is a message for 52
addresses, the first 50 addresses get the email message. The last two addresses do not get a copy of
the message. The Firebox or XTM device counts a distribution list as one SMTP email address (for
example, [email protected]). You can use this feature to decrease spam email because spam
usually includes a large recipient list. When you enable this option, make sure you do not also deny
legitimate email.
Maximum address length
You can set the maximum length of email addresses. Select the Set the maximum address length to
check box. In the adjacent text box, type or select the maximum length for an email address in bytes.
Maximum email size
You can set the maximum length of an incoming SMTP message.
Most email is sent as 7-bit ASCII text. The exceptions are Binary MIME and 8-bit MIME. 8-bit MIME
content (for example, MIME attachments) is encoded with standard algorithms (Base64 or quoted-printable
encoding) to enable it to be sent through 7-bit email systems. Encoding can increase the length of
files by as much as one third. To allow messages as large as 10 KB, you must set this field to a
minimum of 1334 bytes to make sure all email gets through.
Select the Set the maximum email size to check box. In the adjacent text box, type or select the
maximum size for each email in kilobytes.
Maximum email line length
You can set the maximum line length for lines in an SMTP message. Select the Set the maximum
email line length to check box. In the adjacent text box, type or select the length in bytes for each
line in an email.
Very long line lengths can cause buffer overflows on some email systems. Most email clients and
systems send short line lengths, but some web-based email systems send very long lines.
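The three message limits above (recipient count, email size, and line length), as an added example that is not part of this guide or of the WatchGuard product. It counts the addresses in a run of RCPT TO commands and passes only the first N, exactly as the recipient limit is described (a distribution list address is one address); it measures the longest line of a raw message against a line limit; and it computes how large a base64-encoded MIME body really is, so that the "one third" growth rule can be turned into a concrete value for the maximum email size setting. The SMTP commands and the message are constructed; the 1 KB allowance for headers in min_email_size_kb is an assumption of the example.

```python
import math
import re

RCPT = re.compile(r"^RCPT TO:\s*<([^>]*)>", re.I)


def apply_recipient_limit(commands, max_recipients):
    """Split the addresses from a sequence of RCPT TO commands into the first
    max_recipients, which are passed to the server, and the rest, which are
    dropped. A distribution list such as staff@example.com is one address,
    exactly as the proxy counts it."""
    addresses = []
    for cmd in commands:
        m = RCPT.match(cmd)
        if m:
            addresses.append(m.group(1))
    return addresses[:max_recipients], addresses[max_recipients:]


def longest_line_length(message):
    """Length in bytes of the longest CRLF-terminated line in a raw message."""
    return max((len(line) for line in message.split(b"\r\n")), default=0)


def violates_line_limit(message, max_line_bytes):
    """True when any line exceeds the configured maximum email line length."""
    return longest_line_length(message) > max_line_bytes


def base64_encoded_size(raw_len, line_len=76):
    """Bytes occupied by raw_len bytes after base64 encoding into CRLF-terminated
    lines of line_len characters (the MIME convention). Every 3 raw bytes become
    4 characters, the one-third growth the guide mentions, plus 2 bytes per line."""
    chars = 4 * math.ceil(raw_len / 3)
    lines = math.ceil(chars / line_len)
    return chars + 2 * lines


def min_email_size_kb(attachment_kb, header_kb=1):
    """Smallest whole-KB value for the maximum email size setting that still admits
    a base64-encoded attachment of attachment_kb. header_kb is an assumed allowance
    for headers and MIME boundaries."""
    body = base64_encoded_size(attachment_kb * 1024)
    return math.ceil(body / 1024) + header_kb


# Constructed SMTP session fragments (not real traffic): one distribution list
# plus 51 individual recipients, and a message with one 1200-byte line.
SAMPLE_RCPT_COMMANDS = ["RCPT TO:<staff@example.com>"] + [
    "RCPT TO:<user%d@example.com>" % i for i in range(1, 52)
]
SAMPLE_MESSAGE = b"Subject: report\r\n\r\n" + b"A" * 1200 + b"\r\n"

if __name__ == "__main__":
    allowed, dropped = apply_recipient_limit(SAMPLE_RCPT_COMMANDS, 50)
    print(len(allowed), "passed,", dropped, "dropped")
    print("longest line:", longest_line_length(SAMPLE_MESSAGE))
    print("10 000 raw bytes encode to", base64_encoded_size(10000), "bytes")
    print("setting needed for a 10 KB attachment:", min_email_size_kb(10), "KB")
```

With the guide's figures, 52 addresses against a limit of 50 leaves the last two without a copy, and 10 000 raw bytes become 13 688 bytes once base64 lines and their CRLFs are counted, which is why the setting must be sized above the attachment itself.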
Hide Email Server
You can replace MIME boundary and SMTP greeting strings in email messages. These are used by
hackers to identify the SMTP server vendor and version.
Select the Message ID and Server Replies check boxes.
If you have an email server and use the SMTP-Incoming proxy action, you can have the SMTP proxy
replace the domain shown in your SMTP server banner with a domain name you select. To do this,
next to Rewrite Banner Domain, type the domain name you want to use in your banner in the text
box that appears. For this to occur, you must also have the Server Replies check box selected.
If you use the SMTP-Outgoing proxy action, you can have the SMTP proxy replace the domain shown
in the HELO or EHLO greetings. A HELO or EHLO greeting is the first part of an SMTP transaction,
when your email server announces itself to a receiving email server. To do this, next to Rewrite
HELO Domain, type the domain name you want to use in your HELO or EHLO greeting in the text
box that appears.
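The banner and HELO rewriting described above, as an added example that is not part of this guide or of the WatchGuard product. It shows what the three General Settings options do to the wire text: hiding Server Replies drops the vendor and version text after the host name in the 220 greeting, Rewrite Banner Domain substitutes the host name (and, as the guide states, only takes effect when Server Replies is also selected), and Rewrite HELO Domain replaces the name an outgoing server announces in HELO or EHLO. The banner and commands are constructed; the exact text the device keeps after the host name is an assumption of the example.

```python
import re

BANNER = re.compile(r"^220[ -](\S+)(.*)$")
GREETING = re.compile(r"^(HELO|EHLO)\s+(\S+)\s*$", re.I)


def rewrite_banner(line, banner_domain=None, hide_server_replies=True):
    """Rewrite a server's 220 greeting line (incoming direction).

    hide_server_replies: drop everything after the host name except the ESMTP
    keyword, so vendor and version strings never reach the client.
    banner_domain: replace the host name, but only together with
    hide_server_replies, mirroring the dependency on the General Settings page."""
    m = BANNER.match(line)
    if not m:
        return line                      # not a greeting; leave other replies alone
    host, rest = m.group(1), m.group(2)
    if hide_server_replies:
        rest = " ESMTP"                  # assumed replacement text for the example
        if banner_domain:
            host = banner_domain
    return "220 %s%s" % (host, rest)


def rewrite_helo(line, helo_domain):
    """Replace the host name in a HELO/EHLO command (outgoing direction)."""
    m = GREETING.match(line)
    if not m:
        return line
    return "%s %s" % (m.group(1), helo_domain)


# Constructed sample lines (not captured traffic).
INTERNAL_BANNER = "220 mx1.corp.internal ESMTP Postfix (Ubuntu)"
OUTGOING_EHLO = "EHLO mx1.corp.internal"

if __name__ == "__main__":
    print(rewrite_banner(INTERNAL_BANNER, "mail.example.com"))
    print(rewrite_banner(INTERNAL_BANNER, "mail.example.com", hide_server_replies=False))
    print(rewrite_helo(OUTGOING_EHLO, "mail.example.com"))
```

The second call shows the dependency from the page: with Server Replies cleared, the banner domain entry has no effect and the internal host name and software version are sent unchanged.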
Allow uuencoded attachments
Select this check box if you want the SMTP proxy to allow uuencoded attachments to email
messages. Uuencode is an older program used to send binary files in ASCII text format over the
Internet. UUencode attachments can be security risks because they appear as ASCII text files but can
actually contain executables.
Allow BinHex attachments
Select this check box if you want the SMTP proxy to allow BinHex attachments to email messages. BinHex,
which is short for binary-to-hexadecimal, is a utility that converts a file from binary format to ASCII.
Auto-block sources of invalid commands
Select this check box to add senders of invalid SMTP commands to the Blocked Sites list. Invalid
SMTP commands often indicate an attack on your SMTP server.
Turn on logging for reports
Select to send a log message for each connection request through SMTP. For WatchGuard Reports to
create accurate reports on SMTP traffic, you must select this check box.
SMTP proxy: Greeting rules
The proxy examines the initial HELO/EHLO responses when the SMTP session is initialized. The default rules
for the SMTP-Incoming proxy action make sure that packets with greetings that are too long, or include
characters that are not correct or expected, are denied. You can add, delete, or modify rules.
1. In the Categories tree, select Greeting Rules.
2. Add, change, or delete rules.
3. If you want to change settings for other categories in this proxy, see the topic for the next category
you want to modify.
4. If you are finished with your changes to this proxy definition, click OK.
5. If you modified a predefined proxy action, you must clone (copy) your settings to a new action.
6. Type a name for the new action and click OK.
The New Policy Properties dialog box appears.
For more information on predefined user actions, see About predefined and user-defined proxy
actions on page 371.
Import or export rulesets
You can import and export rulesets between proxy definitions. For more information, see Import and
export rulesets on page 369.
SMTP proxy: ESMTP settings
On the ESMTP Settings page, you can set the filtering for ESMTP content. Although SMTP is widely accepted
and widely used, some parts of the Internet community want more functionality in SMTP. ESMTP gives a
method for functional extensions to SMTP, and to identify servers and clients that support extended
features.
1. In the Categories tree, select ESMTP Settings.
2. Configure these options:
Enable ESMTP
Select this check box to enable all fields. If you clear this check box, all other check boxes on
this page are disabled. When the options are disabled, the settings for each option are saved. If
this option is enabled again, all the settings are restored.
Allow BDAT/CHUNKING
Select this check box to allow BDAT/CHUNKING. This enables large messages to be sent more
easily through SMTP connections.
Allow ETRN (Remote Message Queue Starting)
This is an extension to SMTP that allows an SMTP client and server to interact to start the
exchange of message queues for a given host.
Allow Binary MIME
Select to allow the Binary MIME extension, if the sender and receiver accept it. Binary MIME
prevents the overhead of base64 and quoted-printable encoding of binary objects sent that use
the MIME message format with SMTP. We do not recommend you select this option as it can be
a security risk.
Log denied ESMTP options
Select this check box to create a log message for unknown ESMTP options that are stripped by
the SMTP proxy. Clear this check box to disable this option.
3. If you want to change settings for other categories in this proxy, see the topic for the next category
you want to modify.
4. If you are finished with your changes to this proxy definition, click OK.
SMTP proxy: Authentication
This ruleset allows these ESMTP authentication types: DIGEST-MD5, CRAM-MD5, PLAIN, LOGIN, LOGIN (old
style), NTLM, and GSSAPI. The default rule denies all other authentication types. The RFC that describes the
SMTP authentication extension is RFC 2554.
If the default ruleset does not meet all of your business needs, you can add, delete, or modify rules:
1. In the Categories tree, select Authentication.
2. Add, change, or delete rules.
3. If you want to change settings for other categories in this proxy, see the topic for the next category
you want to modify.
4. If you are finished with your changes to this proxy definition, click OK.
5. If you modified a predefined proxy action, you must clone (copy) your settings to a new action.
6. Type a name for the new action and click OK.
The New Policy Properties dialog box appears.
For more information on predefined user actions, see About predefined and user-defined proxy
actions on page 371.
Import or export rulesets
You can import and export rulesets between proxy definitions. For more information, see Import and
export rulesets on page 369.
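The ESMTP Settings options and the Authentication ruleset from the two sections above, as one added example that is not part of this guide or of the WatchGuard product. It filters the multi-line 250 reply a server sends to EHLO: CHUNKING, ETRN and BINARYMIME are kept or stripped according to the settings, unknown extensions are stripped and reported so they can be logged, and the AUTH line is reduced to the mechanisms the Authentication ruleset allows. A second function applies the same mechanism list to a client's AUTH command. The EHLO reply is constructed, and the set of extensions passed through unchanged (KNOWN_EXTENSIONS) is an assumption, since the guide does not list them; what the device does when ESMTP is disabled altogether is also an assumption (here, all extension lines are removed).

```python
# Authentication types the guide says the default ruleset allows.
ALLOWED_AUTH = {"DIGEST-MD5", "CRAM-MD5", "PLAIN", "LOGIN", "NTLM", "GSSAPI"}

# Extensions passed through untouched. Assumed for the example; the guide does
# not enumerate them.
KNOWN_EXTENSIONS = {"SIZE", "8BITMIME", "PIPELINING", "STARTTLS",
                    "ENHANCEDSTATUSCODES", "DSN", "HELP", "SMTPUTF8"}

# Mirrors the ESMTP Settings page; Binary MIME left off as the guide recommends.
DEFAULT_SETTINGS = {"enable_esmtp": True, "allow_chunking": True,
                    "allow_etrn": True, "allow_binarymime": False}

# Constructed EHLO reply from an internal mail server (not a capture).
SAMPLE_EHLO_REPLY = [
    "250-mx.example.com Hello [198.51.100.7]",
    "250-SIZE 52428800",
    "250-CHUNKING",
    "250-BINARYMIME",
    "250-ETRN",
    "250-AUTH PLAIN LOGIN XOAUTH2 CRAM-MD5",
    "250-STARTTLS",
    "250-8BITMIME",
    "250 PIPELINING",
]


def filter_ehlo_response(lines, settings=DEFAULT_SETTINGS, allowed_auth=ALLOWED_AUTH):
    """Return (rebuilt_reply_lines, stripped_items) for a server's EHLO reply."""
    greeting_body = lines[0][4:]
    kept, stripped = [], []
    for line in lines[1:]:
        body = line[4:]                       # drop the "250-" / "250 " prefix
        keyword, _, params = body.partition(" ")
        keyword = keyword.upper()
        if not settings["enable_esmtp"]:
            stripped.append(body)             # assumption: no extensions at all
            continue
        if keyword == "AUTH":
            mechs = params.split()
            allowed = [m for m in mechs if m.upper() in allowed_auth]
            stripped.extend("AUTH " + m for m in mechs if m.upper() not in allowed_auth)
            if allowed:
                kept.append("AUTH " + " ".join(allowed))
            continue
        if keyword == "CHUNKING":
            ok = settings["allow_chunking"]
        elif keyword == "ETRN":
            ok = settings["allow_etrn"]
        elif keyword == "BINARYMIME":
            # RFC 3030: BINARYMIME bodies can only be sent with BDAT, so the
            # extension is meaningless without CHUNKING.
            ok = settings["allow_binarymime"] and settings["allow_chunking"]
        else:
            ok = keyword in KNOWN_EXTENSIONS  # unknown options are stripped (and logged)
        (kept if ok else stripped).append(body)
    bodies = [greeting_body] + kept
    # Every line but the last carries the "250-" continuation marker.
    return ["250-" + b for b in bodies[:-1]] + ["250 " + bodies[-1]], stripped


def auth_command_allowed(command, allowed_auth=ALLOWED_AUTH):
    """Apply the Authentication ruleset to a client's AUTH command."""
    parts = command.split()
    return len(parts) >= 2 and parts[0].upper() == "AUTH" and parts[1].upper() in allowed_auth


if __name__ == "__main__":
    reply, stripped = filter_ehlo_response(SAMPLE_EHLO_REPLY)
    print("\n".join(reply))
    print("stripped (log these when 'Log denied ESMTP options' is on):", stripped)
```

With the defaults, BINARYMIME disappears from the advertised extensions and XOAUTH2 is removed from the AUTH line, so a client never attempts either; the stripped list is what the Log denied ESMTP options check box would record.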
SMTP proxy: Content types
Certain kinds of content embedded in email can be a security threat to your network. Other kinds of
content can decrease the productivity of your users. You can use the ruleset for the SMTP-Incoming proxy
action to set values for incoming SMTP content filtering. You can use the ruleset for the SMTP-Outgoing
proxy action to set values for outgoing SMTP content filtering. The SMTP proxy allows these content types:
text/*, image/*, multipart/*, and message/*. You can add, delete, or modify rules.
You can also configure the SMTP proxy to automatically examine the content of email messages to
determine the content type. If you do not enable this option, the SMTP proxy uses the value stated in the
email header, which clients sometimes set incorrectly. For example, an attached .pdf file might have a
content type stated as application/octet-stream. If you enable content type auto detection, the SMTP proxy
recognizes the .pdf file and uses the actual content type, application/pdf. If the proxy does not recognize the
content type after it examines the content, it uses the value stated in the email header, as it would if
content type auto detection were not enabled. Because hackers often try to disguise executable files as
other content types, we recommend that you enable content type auto detection to make your installation
more secure.
1. In the Categories tree, select Content Types.
2. To enable the SMTP proxy to examine content to determine content type, select the Enable content
type auto detection check box.
3. Add, change, or delete rules.
4. If you want to change settings for other categories in this proxy, see the topic for the next category
you want to modify.
5. If you are finished with your changes to this proxy definition, click OK.
6. If you modified a predefined proxy action, you must clone (copy) your settings to a new action.
7. Type a name for the new action and click OK.
The New Policy Properties dialog box appears.
For more information on predefined user actions, see About predefined and user-defined proxy
actions on page 371.
Add common content types
The proxy definition includes several content types that you can easily add to the Content Type ruleset.
To add a content type:
1. Click Predefined.
The Select Content Type dialog box appears.
2. Select one or more content types in the list.
3. Click OK.
Import or export rulesets
You can import and export rulesets between proxy definitions. For more information, see Import and
export rulesets on page 369.
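Content type auto detection as described above, as an added example that is not part of this guide or of the WatchGuard product. It looks at the leading bytes of an attachment, derives the real content type where a signature is recognised, falls back to the declared header value otherwise, and then applies the default allow list the guide gives (text/*, image/*, multipart/*, message/*). The signature table is a short illustration, not the product's detection set, and denying everything outside the allow list is this example's assumption for the none-matched action. The attachment bytes are constructed.

```python
# Leading-byte signatures for auto detection. An illustration only: a real
# detector validates more of the structure than a prefix.
MAGIC = [
    (b"%PDF-", "application/pdf"),
    (b"\x7fELF", "application/x-executable"),
    (b"MZ", "application/x-msdownload"),          # DOS/Windows executable header
    (b"PK\x03\x04", "application/zip"),           # also Office OOXML and JAR files
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x1f\x8b", "application/gzip"),
]

# Content types the guide says the SMTP proxy allows by default.
ALLOWED_PREFIXES = ("text/", "image/", "multipart/", "message/")


def detect_content_type(data):
    """Content type from the leading bytes, or None when nothing matches."""
    for signature, content_type in MAGIC:
        if data.startswith(signature):
            return content_type
    return None


def effective_content_type(declared, data, auto_detect=True):
    """Detected type when auto detection is on and recognises the data,
    otherwise the value the email header declared."""
    if auto_detect:
        detected = detect_content_type(data)
        if detected:
            return detected
    return declared


def content_type_action(declared, data, auto_detect=True):
    """Return (action, content_type) for one attachment under the default rules."""
    content_type = effective_content_type(declared, data, auto_detect)
    action = "allow" if content_type.startswith(ALLOWED_PREFIXES) else "deny"
    return action, content_type


# Constructed attachment samples (not real files).
DISGUISED_EXE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56   # executable labelled as a GIF
MISLABELED_PDF = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n"      # PDF sent as octet-stream
REAL_GIF = b"GIF89a\x01\x00\x01\x00"

if __name__ == "__main__":
    print(content_type_action("image/gif", DISGUISED_EXE))
    print(content_type_action("image/gif", DISGUISED_EXE, auto_detect=False))
    print(content_type_action("application/octet-stream", MISLABELED_PDF))
```

The two calls with DISGUISED_EXE show the point the guide makes: with auto detection off, the header's image/gif label is trusted and the executable passes; with it on, the real type is used and the default rules deny it.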
SMTP proxy: File names
You can use the ruleset for the SMTP-Incoming proxy action to put limits on file names for incoming email
attachments. You use the ruleset for the SMTP-Outgoing proxy action to put limits on file names for
outgoing email attachments. You can add, delete, or modify rules.
1. In the Categories tree, select Filenames.
2. Add, change, or delete rules.
3. If you are finished with your changes to this proxy definition, click OK.
4. If you want to change settings for other categories in this proxy, see the topic for the next category
you want to modify.
5. If you modified a predefined proxy action, you must clone (copy) your settings to a new action.
6. Type a name for the new action and click OK.
The New Policy Properties dialog box appears.
For more information on predefined user actions, see About predefined and user-defined proxy
actions on page 371.
Import or export rulesets
You can import and export rulesets between proxy definitions. For more information, see Import and
export rulesets on page 369.
SMTP proxy: Mail From/Rcpt To
You can use the Address: Mail From ruleset to put limits on email and to allow email into your network only
from specified senders. The default configuration is to allow email from all senders. You can add, delete, or
modify rules.
The Address: Rcpt To ruleset can limit the email that goes out of your network to only specified recipients.
The default configuration allows email to all recipients out of your network. On an SMTP-Incoming proxy
action, you can use the Rcpt To ruleset to make sure your email server cannot be used for email relaying.
For more information, see Protect your SMTP server from email relaying on page 454.
You can also use the Rewrite As option to configure the Firebox or XTM device to change the From and To
components of your email address to a different value. This feature is also known as SMTP masquerading.
Other options available in the Mail From and Rcpt To rulesets:
Block source-routed addresses
Select this check box to block a message when the sender address or recipient address contains
source routes. A source route identifies the path a message must take when it goes from host to
host. The route can identify which mail routers or backbone sites to use. For example,
@backbone.com:[email protected] means that the host named Backbone.com must be
used as a relay host to deliver mail to [email protected]. By default, this option is enabled for
incoming SMTP packets and disabled for outgoing SMTP packets.
Block 8-bit characters
Select this check box to block a message that has 8-bit characters in the sender user name or
recipient user name. 8-bit characters are used, for example, to put an accent on an alphabetic
character. By default, this option is enabled for incoming SMTP packets and disabled for outgoing
SMTP packets.
To configure the SMTP proxy to put limits on the email traffic through your network:
1. In the Categories tree, select Address: Mail From or Address: Rcpt To.
2. Add, change, or delete rules.
3. If you are finished with your changes to this proxy definition, click OK.
4. If you want to change settings for other categories in this proxy, see the topic for the next category
you want to modify.
5. If you modified a predefined proxy action, you must clone (copy) your settings to a new action.
6. Type a name for the new action and click OK.
The New Policy Properties dialog box appears.
For more information on predefined user actions, see About predefined and user-defined proxy
actions.
Import or export rulesets
You can import and export rulesets between proxy definitions. For more information, see Import and
export rulesets on page 369.
SMTP proxy: Headers
Header rulesets allow you to set values for incoming or outgoing SMTP header filtering. You can add, delete,
or modify rules.
1. In the Categories tree, select Headers.
2. Add, change, or delete rules.
3. If you want to change settings for other categories in this proxy, see the topic for the next category
you want to modify.
4. If you are finished with your changes to this proxy definition, click OK.
5. If you modified a predefined proxy action, you must clone (copy) your settings to a new action.
6. Type a name for the new action and click OK.
The New Policy Properties dialog box appears.
For more information on predefined user actions, see About predefined and user-defined proxy
actions on page 371.
Import or export rulesets
You can import and export rulesets between proxy definitions. For more information, see Import and
export rulesets on page 369.
SMTP proxy: AntiVirus
If you have purchased and enabled the Gateway AntiVirus feature, the fields in the AntiVirus category set
the actions necessary if a virus is found in an email message. It also sets actions for when an email message
contains an attachment that the Firebox or XTM device cannot scan.
• To use the proxy definition screens to activate Gateway AntiVirus, see Activate Gateway AntiVirus
from proxy definitions on page 1084.
• To use the Subscription Services menu in Policy Manager to activate Gateway AntiVirus, see
Activate Gateway AntiVirus with a wizard from Policy Manager on page 1081.
• To configure Gateway AntiVirus for the SMTP proxy, see Configure Gateway AntiVirus actions on
page 1085.
When you enable Gateway AntiVirus, you must set the actions to be taken if a virus or error is found in an
email message or attachment. The options for antivirus actions are:
Allow
Allows the packet to go to the recipient, even if the content contains a virus.
Lock
Locks the attachment. This is a good option for files that cannot be scanned by the Firebox or XTM
device. A file that is locked cannot be opened easily by the user. Only the administrator can unlock
the file. The administrator can use a different antivirus tool to scan the file and examine the content
of the attachment. For information about how to unlock a file locked by Gateway AntiVirus, see
Unlock a file locked by Gateway AntiVirus on page 1089.
Quarantine
When you use the SMTP proxy with the spamBlocker security subscription, you can send email
messages with viruses or possible viruses to the Quarantine Server. For more information on the
Quarantine Server, see About the Quarantine Server on page 1107. For information on how to set
up Gateway AntiVirus to work with the Quarantine Server, see Configure Gateway AntiVirus to
quarantine email on page 1090.
Remove
Removes the attachment and allows the message through to the recipient.
Drop
Drops the packet and drops the connection. No information is sent to the source of the message.
Block
Blocks the packet, and adds the IP address of the sender to the Blocked Sites list.
Note If you set the configuration to allow attachments, your configuration is less secure.
Gateway AntiVirus scans each file up to a specified kilobyte count. Any additional bytes in the file are not
scanned. This allows the proxy to partially scan very large files without a large effect on performance. Enter
the file scan limit in the Limit scanning to first field.
For information about the default and maximum scan limits for each Firebox or XTM device model, see
About Gateway AntiVirus scan limits on page 1090.
SMTP proxy: Deny message
When content is denied, the Firebox or XTM device sends a default deny message that replaces the denied
content. This message appears in the recipient's email message when the proxy blocks an email. You can
change the text of that deny message. The first line of the deny message is a section of the HTTP header.
You must include an empty line between the first line and the body of the message.
The default deny message appears in the Deny Message text box. To change this to a custom message, use
these variables:
%(reason)%
Includes the reason the Firebox or XTM device denied the content.
%(type)%
Includes the type of content that was denied.
%(filename)%
Includes the file name of the denied content.
%(virus)%
Includes the name or status of a virus for Gateway AntiVirus users.
%(action)%
Includes the name of the action taken. For example: lock or strip.
%(recovery)%
Includes whether you can recover the attachment.
To configure the deny message:
1. In the Categories tree, select Deny Message.
2. In the Deny Message text box, type a custom plain text message in standard HTML.
3. If you want to change settings for other categories in this proxy, see the topic for the next category
you want to modify.
4. If you are finished with your changes to this proxy definition, click OK.
5. If you modified a predefined proxy action, you must clone (copy) your settings to a new action.
6. Type a name for the new action and click OK.
The New Policy Properties dialog box appears.
For more information on predefined user actions, see About predefined and user-defined proxy
actions on page 371.
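The deny message format from this section, as an added example that is not part of this guide or of the WatchGuard product: a check that a custom message keeps the required empty line after its first (header) line and uses only the six variables listed above, and a renderer that fills those variables in. The template text is constructed for the example, not the product's default message, and its first line is an assumed header line.

```python
import re

# Variables the Deny Message page supports.
VARIABLES = {"reason", "type", "filename", "virus", "action", "recovery"}
VAR = re.compile(r"%\((\w+)\)%")

# Constructed template (not the product's default). Line 1 is the header
# section, line 2 must be empty, the body follows.
SAMPLE_TEMPLATE = (
    "Content-Type: text/plain\n"
    "\n"
    "The firewall removed the attachment %(filename)% (type %(type)%).\n"
    "Reason: %(reason)%. Action taken: %(action)%. Virus: %(virus)%.\n"
    "Recoverable: %(recovery)%.\n"
)


def validate_deny_message(template):
    """Return a list of problems; an empty list means the template is acceptable."""
    problems = []
    lines = template.split("\n")
    if len(lines) < 3 or lines[1].strip():
        problems.append("line 2 must be empty (it separates the header line from the body)")
    for name in sorted(set(VAR.findall(template)) - VARIABLES):
        problems.append("unknown variable %%(%s)%%" % name)
    return problems


def render_deny_message(template, values):
    """Substitute %(name)% variables; unknown or missing names render as empty."""
    return VAR.sub(lambda m: str(values.get(m.group(1), "")), template)


if __name__ == "__main__":
    print(validate_deny_message(SAMPLE_TEMPLATE))
    print(render_deny_message(SAMPLE_TEMPLATE, {
        "filename": "invoice.exe", "type": "application/x-msdownload",
        "reason": "content type denied", "action": "strip", "virus": "none",
        "recovery": "no"}))
```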
SMTP proxy: spamBlocker
Unwanted email, also known as spam, can quickly fill your Inbox. A large volume of spam decreases
bandwidth, degrades employee productivity, and wastes network resources. The WatchGuard spamBlocker
option increases your capacity to catch spam at the edge of your network when it tries to enter your
system. If you have purchased and enabled the spamBlocker feature, the fields in the spamBlocker category
set the actions for email messages identified as spam.
Although you can use the proxy definition screens to activate and configure spamBlocker, it is easier to use
the Subscription Services menu in Policy Manager to do this.
For more information on how to do this, or to use the spamBlocker screens in the proxy definition, see
About spamBlocker on page 1053.
Configure the SMTP proxy to quarantine email
The WatchGuard Quarantine Server provides a safe, full-featured quarantine mechanism for any email
messages suspected or known to be spam or to contain viruses. This repository receives email messages
that come from the SMTP proxy and are filtered by spamBlocker.
To configure the SMTP proxy to quarantine email:
1. Add the SMTP proxy to your configuration and enable spamBlocker in the proxy definition.
Or, enable spamBlocker and select to enable it for the SMTP proxy.
2. When you set the actions spamBlocker applies for different categories of email (as described in
Configure spamBlocker on page 1058), make sure you select the Quarantine action for at least one
of the categories. When you select this action, you are prompted to configure the Quarantine Server
if you have not already done so.
You can also select the Quarantine action for email messages identified by Virus Outbreak Detection as
containing viruses. For more information, see Configure Virus Outbreak Detection actions for a policy on
page 1063.
Protect your SMTP server from email relaying
Email relaying, also called mail spamming or open mail relay, is an intrusion in which a person uses your
email server, address, and other resources, to send large amounts of spam email. This can cause system
crashes, equipment damage, and financial loss.
If you are not familiar with the issues involved with mail relaying, or are unsure whether your email server
is vulnerable to mail relaying, we recommend you research your own email server and learn its potential
vulnerabilities. The Firebox or XTM device can give basic mail relay protection if you are unsure of how to
configure your email server. However, you should also find out how to configure your email server itself to
prevent email relaying.
To protect your server, you change the configuration of the SMTP proxy policy that filters traffic from the
external network to your internal SMTP server to include your domain information. When you type your
domain, you can use the wildcard * character. Then, any email address that ends with @your-domain-name
is allowed. If your email server accepts email for more than one domain, you can add more domains. For
example, if you add both *@watchguard.com and *@*.watchguard.com to the list, your email server will
accept all email destined to the top-level watchguard.com domain and all email destined to sub-domains of
watchguard.com, for example, rnd.watchguard.com.
Before you start this procedure, you must know the names of all domains that your SMTP email server
receives email for.
1. Open Policy Manager.
2. Double-click the SMTP proxy policy that filters traffic from the external network to an internal SMTP
server.
The Edit Policy Properties dialog box appears.
3. Click the Properties tab.
4. Click .
The SMTP Proxy Action Configuration dialog box appears.
5. In the Categories tree, select Address > Rcpt To.
6. In the Pattern text box, type *@[your-domain-name].
7. In the Actions to Take section, from the None Matched drop-down list, select Deny.
Any email destined to an address other than the domains in the list is denied.
8. Click Add.
Your domain appears in the Rules list.
9. Click OK to close the SMTP Proxy Action Configuration dialog box.
10. Click OK again to close the SMTP policy definition.
11. Click Close to close the Edit Policy Properties dialog box.
12. Save the configuration file.
Another way to protect your server is to type a value in the Rewrite As text box in this dialog box. The
Firebox or XTM device then changes the From and To components of your email address to a different
value. This feature is also known as SMTP masquerading.
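The Rcpt To evaluation that this procedure configures, together with the Block source-routed addresses and Block 8-bit characters options from the Mail From/Rcpt To section earlier, as one added example that is not part of this guide or of the WatchGuard product. Each recipient address is checked for a source route (denied when the option is on, otherwise the route prefix is stripped and the final address is judged), for 8-bit characters, and then against the wildcard patterns from the Rules list; an address that matches none of them gets the None Matched action, Deny. The patterns and addresses are constructed. Matching is done case-insensitively because domain names are, which is an assumption about the device; the rejection of local parts that contain a second @, % or ! is added hardening that is not on the page, so that the allow list is always judged on the real destination domain.

```python
import fnmatch
import re

SOURCE_ROUTE = re.compile(r"^@[^:]+:")


def is_source_routed(address):
    """True for RFC 821 source routes such as @backbone.com:user@example.com."""
    return bool(SOURCE_ROUTE.match(address))


def has_8bit_characters(address):
    """True when any character is outside 7-bit ASCII (accented letters, for example)."""
    return any(ord(ch) > 127 for ch in address)


def rcpt_to_action(address, allow_patterns, block_source_routed=True, block_8bit=True):
    """Evaluate one RCPT TO address as the Address: Rcpt To ruleset is described.

    Returns ("allow", matching_pattern) or ("deny", reason)."""
    if is_source_routed(address):
        if block_source_routed:
            return "deny", "source-routed address"
        address = SOURCE_ROUTE.sub("", address)   # judge the final destination address
    if block_8bit and has_8bit_characters(address):
        return "deny", "8-bit characters"
    local, sep, _domain = address.rpartition("@")
    # Added hardening (not on the page): a local part carrying another routing
    # syntax would let the domain test pass while the server might route elsewhere.
    if not sep or any(ch in local for ch in "@%!"):
        return "deny", "malformed local part"
    for pattern in allow_patterns:
        if fnmatch.fnmatchcase(address.lower(), pattern.lower()):
            return "allow", pattern
    return "deny", "none matched"             # the None Matched action from step 7


# Constructed Rules list for a server that accepts the guide's two example patterns.
ACCEPTED = ["*@watchguard.com", "*@*.watchguard.com"]

if __name__ == "__main__":
    for addr in ["bob@watchguard.com", "alice@rnd.watchguard.com", "victim@example.net",
                 "@backbone.com:joe@watchguard.com", "jos\u00e9@watchguard.com"]:
        print(addr, "->", rcpt_to_action(addr, ACCEPTED))
```

With only *@watchguard.com in the list, mail for rnd.watchguard.com is denied as none matched, which is why the guide adds the second, sub-domain pattern when the server accepts mail for sub-domains.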
About the TCP-UDP proxy
The TCP-UDP proxy is included for these protocols on non-standard ports: HTTP, HTTPS, SIP, and FTP. For
these protocols, the TCP-UDP proxy relays the traffic to the correct proxies for the protocols or enables you
to allow or deny traffic. For other protocols, you can select to allow or deny traffic. You can also use this
proxy policy to allow or deny IM (instant messaging) and P2P (peer-to-peer) network traffic. The TCP-UDP
proxy is intended only for outgoing connections.
To add the TCP-UDP proxy to your Firebox or XTM device configuration, see Add a proxy policy to your
configuration on page 377.
If you must change the proxy definition, you can use the New/Edit Proxy Policies dialog box to modify the
definition. This dialog box has three tabs: Policy, Properties, and Advanced. On the Properties tab, you can
also edit the default rulesets for proxy actions.
For more information, see About proxy actions on page 370.
Policy tab
• TCP-UDP-proxy connections are — Specify whether connections are Allowed, Denied, or Denied
(send reset), and define who appears in the From and To list (on the Policy tab of the proxy
definition). For more information, see Set access rules for a policy on page 352.
• Use policy-based routing — To use policy-based routing in your proxy definition, see Configure
policy-based routing on page 355.
• You can also configure static NAT or configure server load balancing.
For more information, see About static NAT on page 180 and Configure server load balancing on
page 181.
Properties tab
• In the Proxy action drop-down list, select a proxy action.
For information about proxy actions, see About proxy actions on page 370.
• To define logging for a policy, click Logging and Set logging and notification preferences.
• If you set the Connections are drop-down list (on the Policy tab) to Denied or Denied (send reset), you
can block sites that try to use TCP-UDP. See Block sites temporarily with policy settings on page 486.
• If you want to use an idle timeout other than the one set by the Firebox or XTM device, or
authentication server, see Set a custom idle timeout.
WatchGuard proxies have predefined rulesets that provide a good balance of security and accessibility for
most installations. You can add, delete, or modify rules as necessary.
To modify the settings and rulesets for a proxy action:
1. Click .
2. Select a category:
- TCP-UDP proxy: General settings
- TCP-UDP proxy: Application blocking
- Intrusion prevention in proxy definitions
- Proxy and AV alarms (SNMP traps and notification are disabled by default)
Advanced tab
You can use several other options in your proxy definition:
- Set an operating schedule
- Add a Traffic Management action to a policy
- Set ICMP error handling
- Apply NAT rules (Both 1-to-1 NAT and dynamic NAT are enabled by default in all policies.)
- Enable QoS Marking or prioritization settings for a policy
- Set the sticky connection duration for a policy
TCP-UDP proxy: General settings
On the General page, you set basic parameters for the TCP-UDP proxy.
Proxy actions to redirect traffic
The TCP-UDP proxy can pass HTTP, HTTPS, SIP, and FTP traffic to proxy policies that you have already
created when this traffic is sent over non-standard ports. For each of these protocols, select the
proxy policy you want to manage this traffic from the adjacent drop-down list. If you do not want
your Firebox or XTM device to use a proxy policy to filter a protocol, select Allow or Deny from the
adjacent drop-down list.
Note To ensure that your Firebox or XTM device operates correctly, you cannot select the
Allow option for the FTP protocol.
Enable logging for reports
Select this check box to collect additional log information for reports.
TCP-UDP proxy: Application blocking
You can use this ruleset to define the actions the Firebox or XTM device takes when the TCP-UDP proxy
detects Instant Messaging (IM) or Peer to Peer (P2P) services. The TCP-UDP proxy finds these IM services:
AOL Instant Messenger (AIM), ICQ, IRC, MSN Messenger, and Yahoo! Messenger. It finds these types of P2P
services: BitTorrent, eDonkey2000 (Ed2k), Gnutella, Kazaa, Napster, and Phatbot.
You can use the application blocking feature if you have not purchased Intrusion Prevention Service.
1. Open Policy Manager.
2. Double-click the TCP-UDP proxy policy.
The Edit Policy Properties dialog box appears.
3. Select the Properties tab.
4. Click .
The TCP-UDP Proxy Action Configuration dialog box appears.
5. In the Categories tree, select Application Blocker.
6. Click the IM tab.
7. In the drop-down list, select the action the Firebox or XTM device takes when it detects Instant
Messaging (IM):
Allow
Allows the packet to go to the recipient, even if the content matches a signature.
Deny
Drops the packet and sends a TCP reset packet to the sender.
8. Select the check box for each IM application whose traffic you want the Firebox or XTM device to take the action on.
9. To select all the IM applications, select All Categories.
All the applications are automatically selected.
10. To define actions for P2P applications, click the P2P tab.
11. To select the actions and categories for P2P applications, repeat Steps 7–9.
12. Click Logging and Notification to configure logging and notification for IPS.
For more information, see Set logging and notification preferences on page 646.
13. If you want to change settings for other categories in this proxy, see the topic for the next category
you want to modify.
14. If you are finished with your changes to this proxy definition, click OK.
15. If you modified a predefined proxy action, you must clone (copy) your settings to a new action.
16. Type a name for the new action and click OK.
The New Policy Properties dialog box appears.
15 Traffic Management and QoS
About Traffic Management and QoS
In a large network with many computers, the volume of data that moves through the firewall can be very
large. A network administrator can use Traffic Management and Quality of Service (QoS) actions to prevent
data loss for important business applications, and to make sure mission-critical applications take priority
over other traffic.
Traffic Management and QoS provide a number of benefits. You can:
- Guarantee or limit bandwidth
- Control the rate at which the Firebox or XTM device sends packets to the network
- Prioritize when to send packets to the network
To apply traffic management to policies, you define a Traffic Management action, which is a collection of
settings that you can apply to one or more policy definitions. This way you do not need to configure the
traffic management settings separately in each policy. You can define additional Traffic Management actions
if you want to apply different settings to different policies.
Enable traffic management and QoS
For performance reasons, all traffic management and QoS features are disabled by default. You must enable
these features in Global Settings before you can use them.
1. Select Setup > Global Settings.
The Global Settings window appears.
2. Select the Enable all traffic management and QoS features check box.
3. Click OK.
4. Save the configuration file.
Guarantee bandwidth
Bandwidth reservations can prevent connection timeouts. A traffic management queue with reserved
bandwidth and low priority can give bandwidth to real-time applications with higher priority when
necessary without disconnecting. Other traffic management queues can take advantage of unused reserved
bandwidth when it becomes available.
For example, suppose your company has an FTP server on the external network and you want to guarantee
that FTP always has at least 200 kilobytes per second (KBps) through the external interface. You might also
consider setting a minimum bandwidth from the trusted interface to make sure that the connection has
end-to-end guaranteed bandwidth. To do this, you would create a Traffic Management action that defines a
minimum of 200 KBps for FTP traffic on the external interface. You would then create an FTP policy and
apply the Traffic Management action. This will allow ftp put at 200 KBps. If you want to allow ftp get at 200
KBps, you must configure the FTP traffic on the trusted interface to also have a minimum of 200 KBps.
As another example, suppose your company uses multimedia materials (streaming media) to train external
customers. This streaming media uses RTSP over port 554. You have frequent FTP uploads from the trusted
to external interface, and you do not want these uploads to compete with your customers' ability to receive
the streaming media. To guarantee sufficient bandwidth, you could apply a Traffic Management action to
the external interface for the streaming media port.
Restrict bandwidth
The guaranteed bandwidth setting works with the Outgoing Interface Bandwidth setting configured for
each external interface to make sure you do not guarantee more bandwidth than actually exists. This setting
also helps you make sure the sum of your guaranteed bandwidth settings does not fill the link such that
non-guaranteed traffic cannot pass. For example, suppose the link is 1 Mbps and you try to use a Traffic
Management action that guarantees 973 Kbps (0.95 Mbps) to the FTP policy on that link. With these settings,
the FTP traffic could use so much of the available bandwidth that other types of traffic cannot use the
interface. If you try to configure the Firebox or XTM device this way, Policy Manager warns you that you are
approaching the limit set for the Outgoing Interface Bandwidth setting for that interface.
QoS Marking
QoS marking creates different classes of service for different kinds of outbound network traffic. When you
mark traffic, you change up to six bits on packet header fields defined for this purpose. Other devices can
make use of this marking and provide appropriate handling of a packet as it travels from one point to
another in a network.
You can enable QoS marking for an individual interface or an individual policy. When you define QoS
marking for an interface, each packet that leaves the interface is marked. When you define QoS marking for
a policy, all traffic that uses that policy is also marked.
Traffic priority
You can assign different levels of priority either to policies or to traffic on a particular interface. Traffic
prioritization at the firewall allows you to manage multiple class of service (CoS) queues and reserve the
highest priority for real-time or streaming data. A policy with high priority can take bandwidth away from
existing low-priority connections when the link is congested and traffic must compete for bandwidth.
Set Connection Rate Limits
To improve network security, you can create a limit on a policy so that it only filters a specified number of
connections per second. If additional connections are attempted, the traffic is denied and a log message is
created. You can also create an alarm for when this happens. You can configure the alarm to make the
Firebox or XTM device send an event notification to the SNMP management system, or to send a
notification in the form of an email message or a pop-up window on the management computer.
1. Double-click a policy to edit it.
The Edit Policy Properties dialog box appears.
2. Select the Advanced tab.
3. In the Connection Rate drop-down list, select the maximum number of connections per second.
The default configuration puts no limits on the connection rate.
4. If you want to receive a notification when the connection rate is exceeded, select the Alarm when
capacity exceeded check box.
5. Click Notification and set the notification parameters, as described in Set logging and notification
preferences on page 646.
6. Click OK.
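A per-policy connection rate limit of the kind described above, as an added illustration (not WatchGuard code): new connections beyond the configured per-second limit are denied and logged, and an alarm is raised when the option is set. The sliding one-second window and the one-alarm-per-second behaviour are assumptions, not details stated in the guide.

```python
"""Per-policy connection rate limit: deny, log, and optionally alarm."""
from collections import deque
from typing import Deque, List, Optional


class ConnectionRateLimit:
    """Allow at most max_per_second new connections in any one-second window.

    Assumptions not in the guide: a sliding one-second window is used, and when
    'Alarm when capacity exceeded' is set, one alarm is raised per second in
    which the limit is exceeded rather than one per denied connection.
    """

    def __init__(self, policy: str, max_per_second: Optional[int],
                 alarm_when_exceeded: bool = False) -> None:
        self.policy = policy
        self.max_per_second = max_per_second  # None = no limit (the default configuration)
        self.alarm_when_exceeded = alarm_when_exceeded
        self._window: Deque[float] = deque()  # timestamps of accepted connections
        self._last_alarm_second: Optional[int] = None
        self.log: List[str] = []     # constructed log line format
        self.alarms: List[str] = []  # constructed alarm format

    def new_connection(self, now: float, src: str, dst: str) -> bool:
        """Return True if the connection is allowed, False if it is denied."""
        # Drop accepted connections that are now older than one second.
        while self._window and now - self._window[0] >= 1.0:
            self._window.popleft()
        if self.max_per_second is None or len(self._window) < self.max_per_second:
            self._window.append(now)
            return True
        self.log.append(
            f"t={now:.1f} policy={self.policy} src={src} dst={dst} "
            f"denied: connection rate limit {self.max_per_second}/s exceeded"
        )
        if self.alarm_when_exceeded and int(now) != self._last_alarm_second:
            self._last_alarm_second = int(now)
            self.alarms.append(f"policy={self.policy} connection rate capacity exceeded")
        return False


if __name__ == "__main__":
    # Constructed burst: five connection attempts within half a second against a limit of 3/s.
    limit = ConnectionRateLimit("FTP", 3, alarm_when_exceeded=True)
    for t in (0.0, 0.1, 0.2, 0.3, 0.4):
        print(t, limit.new_connection(t, "10.0.1.5", "203.0.113.7"))
    print("\n".join(limit.log))
    print("\n".join(limit.alarms))
```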
About QoS Marking
Today’s networks often consist of many kinds of network traffic that compete for bandwidth. All traffic,
whether of prime importance or negligible importance, has an equal chance of reaching its destination in a
timely manner. Quality of Service (QoS) marking gives critical traffic preferential treatment to make sure it
is delivered quickly and reliably.
QoS functionality must be able to differentiate the various types of data streams that flow across your
network. It must then mark data packets. QoS marking creates different classifications of service for
different kinds of network traffic. When you mark traffic, you change up to six bits on packet header fields
defined for this purpose. The Firebox or XTM device and other QoS-capable devices can use this marking to
provide appropriate handling of a packet as it travels from one point to another in a network.
Fireware XTM supports two types of QoS marking: IP Precedence marking (also known as Class of Service)
and Differentiated Service Code Point (DSCP) marking. For more information on these marking types and
the values you can set, see Marking types and values on page 463.
Before you begin
- Make sure your LAN equipment supports QoS marking and handling. You may also need to make sure your ISP supports QoS.
- The use of QoS procedures on a network requires extensive planning. You can first identify the theoretical bandwidth available and then determine which network applications are high priority, particularly sensitive to latency and jitter, or both.
QoS marking for interfaces and policies
You can enable QoS marking for an individual interface or an individual policy. When you define QoS
marking for an interface, each packet that leaves the interface is marked. When you define QoS marking for
a policy, all traffic that uses that policy is also marked. The QoS marking for a policy overrides any QoS
marking set on an interface.
For example, suppose your Firebox or XTM device receives QoS-marked traffic from a trusted network and
sends it to an external network. The trusted network already has QoS marking applied, but you want the
traffic to your executive team to be given higher priority than other network traffic from the trusted
interface. First, set the QoS marking for the trusted interface to one value. Then, add a policy with QoS
marking set for the traffic to your executive team with a higher value.
QoS marking and IPSec traffic
If you want to apply QoS to IPsec traffic, you must create a specific firewall policy for the corresponding
IPsec policy and apply QoS marking to that policy.
You can also choose whether to preserve existing marking when a marked packet is encapsulated in an
IPSec header.
To preserve marking:
1. Select VPN > VPN Settings.
The VPN Settings dialog box appears.
2. Select the Enable TOS for IPSec check box.
3. Click OK.
All existing marking is preserved when the packet is encapsulated in an IPSec header.
To remove marking:
1. Select VPN > VPN Settings.
The VPN Settings dialog box appears.
2. Clear the Enable TOS for IPSec check box.
3. Click OK.
The TOS bits are reset and marking is not preserved.
Marking types and values
Fireware XTM supports two types of QoS Marking: IP Precedence marking (also known as Class of Service)
and Differentiated Service Code Point (DSCP) marking. IP Precedence marking affects only the first three
bits in the IP type of service (TOS) octet. DSCP marking expands marking to the first six bits in the IP TOS
octet. Both methods allow you to either preserve the bits in the header, which may have been marked
previously by an external device, or change them to a new value.
DSCP values can be expressed in numeric form or by special keyword names that correspond to per-hop
behavior (PHB). Per-hop behavior is the priority applied to a packet when it travels from one point to
another in a network. Fireware DSCP marking supports three types of per-hop behavior:
Best-Effort
Best-Effort is the default type of service and is recommended for traffic that is not critical or real-time. All traffic falls into this class if you do not use QoS Marking.
Assured Forwarding (AF)
Assured Forwarding is recommended for traffic that needs better reliability than the best-effort
service. Within the Assured Forwarding (AF) type of per-hop behavior, traffic can be assigned to
three classes: Low, Medium, and High.
Expedited Forwarding (EF)
This type has the highest priority. It is generally reserved for mission-critical and real-time traffic.
Class-Selector (CSx) code points are defined to be backward compatible with IP Precedence values. CS1–
CS7 are identical to IP Precedence values 1–7.
The subsequent table shows the DSCP values you can select, the corresponding IP Precedence value (which
is the same as the CS value), and the description in PHB keywords.
DSCP Value   Equivalent IP Precedence value (CS value)   Description: Per-hop Behavior keyword
0            0                                           Best-Effort (same as no marking)
8            1                                           Scavenger*
10                                                       AF Class 1 - Low
12                                                       AF Class 1 - Medium
14                                                       AF Class 1 - High
16           2
18                                                       AF Class 2 - Low
20                                                       AF Class 2 - Medium
22                                                       AF Class 2 - High
24           3
26                                                       AF Class 3 - Low
28                                                       AF Class 3 - Medium
30                                                       AF Class 3 - High
32           4
34                                                       AF Class 4 - Low
36                                                       AF Class 4 - Medium
38                                                       AF Class 4 - High
40           5
46                                                       EF
48           6                                           Internet Control
56           7                                           Network Control
* The Scavenger class is used for the lowest priority traffic (for example, media sharing or gaming
applications). This traffic has a lower priority than Best-Effort.
For more information on DSCP values, see this RFC: http://www.rfc-editor.org/rfc/rfc2474.txt.
Enable QoS Marking for an interface
You can set the default marking behavior as traffic goes out of an interface. These settings can be
overridden by settings defined for a policy.
1. Select Setup > Global Settings.
The Global Settings dialog box appears.
2. Select the Enable all traffic management and QoS features check box. Click OK.
You might want to disable these features at a later time if you do performance testing or network debugging.
3. Select Network > Configuration.
The Network Configuration dialog box appears.
4. Select the interface for which you want to enable QoS Marking. Click Configure.
The Interface Settings dialog box appears.
5. Select the Advanced tab.
6. In the Marking Type drop-down list, select either DSCP or IP Precedence.
7. In the Marking Method drop-down list, select the marking method:
- Preserve — Do not change the current value of the bit. The Firebox or XTM device prioritizes the traffic based on this value.
- Assign — Assign the bit a new value.
- Clear — Clear the bit value (set it to zero).
8. If you selected Assign in the previous step, select a marking value.
If you selected the IP precedence marking type you can select values from 0 (normal priority)
through 7 (highest priority).
If you selected the DSCP marking type, the values are 0–56.
For more information on these values, see Marking types and values on page 463.
9. Select the Prioritize traffic based on QoS Marking check box.
10. Click OK.
Enable QoS Marking or prioritization settings for a policy
In addition to marking the traffic that leaves a Firebox or XTM device interface, you can also mark traffic on
a per-policy basis. The marking action you select is applied to all traffic that uses the policy. Multiple policies
that use the same marking actions have no effect on each other. Firebox or XTM device interfaces can also
have their own QoS Marking settings. To use QoS Marking or prioritization settings for a policy, you must
override any per-interface QoS Marking settings.
1. Double-click the icon for the policy whose traffic you want to mark.
The Edit Policy Properties dialog box appears.
2. Select the Advanced tab.
3. Select the QoS tab.
4. To enable the other QoS and prioritization options, select the Override per-interface settings check box.
5. Complete the settings as described in the subsequent sections.
6. Click OK.
7. Save the configuration file.
QoS marking settings
For more information on QoS marking values, see Marking types and values on page 463.
1. From the Marking Type drop-down list, select either DSCP or IP Precedence.
2. From the Marking Method drop-down list, select the marking method:
- Preserve — Do not change the current value of the bit. The Firebox or XTM device prioritizes the traffic based on this value.
- Assign — Assign the bit a new value.
- Clear — Clear the bit value (set it to zero).
3. If you selected Assign in the previous step, select a marking value.
If you selected the IP precedence marking type you can select values from 0 (normal priority)
through 7 (highest priority).
If you selected the DSCP marking type, the values are 0–56.
4. From the Prioritize Traffic Based On drop-down list, select QoS Marking.
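The marking arithmetic behind the Marking types and values table and the Preserve/Assign/Clear methods used in the interface and policy procedures, as an added example (not Fireware code): it places DSCP or IP Precedence values into the TOS octet, decodes a DSCP value to its per-hop behavior keyword, and applies a policy's marking over the interface marking when Override per-interface settings is selected. The assumption that the low two bits of the octet are left untouched is mine.

```python
"""QoS marking on the IP TOS octet: DSCP and IP Precedence values, the
Preserve/Assign/Clear methods, and per-policy override of interface marking."""
from dataclasses import dataclass
from typing import Optional

DSCP_MASK = 0x3F  # DSCP is the first six bits of the TOS octet (bits 7..2)
PREC_MASK = 0x07  # IP Precedence is the first three bits (bits 7..5)
LOW_BITS = 0x03   # bits 1..0 are left alone by marking (assumption: they carry ECN)


def tos_from_dscp(dscp: int) -> int:
    """Build a TOS octet, low two bits zero, from a DSCP value.
    The dialog offers 0-56; any six-bit value fits the field."""
    if not 0 <= dscp <= DSCP_MASK:
        raise ValueError("DSCP value must be 0-63")
    return dscp << 2


def dscp_from_tos(tos: int) -> int:
    return (tos >> 2) & DSCP_MASK


def precedence_from_tos(tos: int) -> int:
    """IP Precedence (the CS value) is the top three bits of the octet."""
    return (tos >> 5) & PREC_MASK


def phb_keyword(dscp: int) -> str:
    """Per-hop behavior keyword for a DSCP value, following the guide's table."""
    if dscp == 46:
        return "EF"
    if dscp == 0:
        return "Best-Effort"
    cls, low = dscp >> 3, dscp & 0x07
    if low == 0:
        # Class-selector code point CSx, identical to IP Precedence value x
        return {1: "Scavenger", 6: "Internet Control", 7: "Network Control"}.get(cls, f"CS{cls}")
    drop = {2: "Low", 4: "Medium", 6: "High"}
    if 1 <= cls <= 4 and low in drop:
        return f"AF Class {cls} - {drop[low]}"
    return f"DSCP {dscp} (no keyword)"


@dataclass(frozen=True)
class MarkingRule:
    marking_type: str            # "DSCP" or "IP Precedence"
    method: str                  # "Preserve", "Assign" or "Clear"
    value: Optional[int] = None  # only used by Assign


def apply_marking(tos: int, rule: MarkingRule) -> int:
    """Return the TOS octet after one marking rule is applied."""
    if rule.method == "Preserve":
        return tos
    if rule.marking_type == "DSCP":
        keep, shift, width = tos & LOW_BITS, 2, DSCP_MASK
    elif rule.marking_type == "IP Precedence":
        keep, shift, width = tos & 0x1F, 5, PREC_MASK
    else:
        raise ValueError(f"unknown marking type {rule.marking_type!r}")
    if rule.method == "Clear":
        return keep
    if rule.method != "Assign" or rule.value is None or not 0 <= rule.value <= width:
        raise ValueError("Assign needs a value within the field's range")
    return (rule.value << shift) | keep


def effective_tos(tos: int, interface_rule: MarkingRule,
                  policy_rule: Optional[MarkingRule] = None,
                  override_per_interface: bool = False) -> int:
    """Policy marking replaces interface marking only when the policy has
    Override per-interface settings selected; otherwise the interface rule applies."""
    if policy_rule is not None and override_per_interface:
        return apply_marking(tos, policy_rule)
    return apply_marking(tos, interface_rule)


if __name__ == "__main__":
    # Constructed scenario from the guide's example: the trusted interface assigns one
    # DSCP value and a policy for the executive team assigns a higher AF class.
    interface = MarkingRule("DSCP", "Assign", 10)   # AF Class 1 - Low
    executives = MarkingRule("DSCP", "Assign", 34)  # AF Class 4 - Low
    for tos in (0x00, tos_from_dscp(46)):
        out = effective_tos(tos, interface, executives, override_per_interface=True)
        print(f"in 0x{tos:02x} -> out 0x{out:02x} ({phb_keyword(dscp_from_tos(out))}, "
              f"precedence {precedence_from_tos(out)})")
```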
Prioritization settings
Many different algorithms can be used to prioritize network traffic. Fireware XTM uses a high performance,
class-based queuing method based on the Hierarchical Token Bucket algorithm. Prioritization in Fireware
XTM is applied per policy and is equivalent to CoS (class of service) levels 0–7, where 0 is normal priority
(default) and 7 is the highest priority. Level 5 is commonly used for streaming data such as VoIP or video
conferencing. Reserve levels 6 and 7 for policies that allow system administration connections to make sure
they are always available and avoid interference from other high priority network traffic. Use the Priority
Levels table as a guideline when you assign priorities.
1. From the Prioritize Traffic Based On drop-down list, select Custom Value.
2. From the Value drop-down list, select a priority level.
Priority Levels
We recommend that you assign a priority higher than 5 only to WatchGuard administrative policies, such as
the WatchGuard policy, the WG-Logging policy, or the WG-Mgmt-Server policy. Give high priority business
traffic a priority of 5 or lower.
Priority   Description
0          Routine (HTTP, FTP)
1          Priority
2          Immediate (DNS)
3          Flash (Telnet, SSH, RDP)
4          Flash Override
5          Critical (VoIP)
6          Internetwork Control (Remote router configuration)
7          Network Control (Firewall, router, switch management)
Enable QoS Marking for a managed BOVPN tunnel
To use QoS with a managed BOVPN tunnel, you must create a VPN firewall policy template and apply that
template to the managed BOVPN tunnel. You cannot edit the default Any policy for managed BOVPN
tunnels.
You can use QoS marking in a VPN firewall policy template to set different priorities for managed BOVPN
tunnels that use different policy templates. The marking action you select is applied to all traffic that uses
the policy template.
1. Open WatchGuard System Manager and connect to a Management Server.
2. Select the Device Management tab.
3. Expand Managed VPNs and expand VPN Firewall Policy Templates.
4. Select a VPN firewall policy template in the tree to edit it, or Add VPN firewall policy templates.
5. In the Settings section, click Configure.
The VPN Firewall Policy Template dialog box appears.
6. Select the Advanced tab.
7. Select the Override per-interface settings check box.
8. From the Marking Type drop-down list, select either DSCP or IP Precedence.
9. From the Marking Method drop-down list, select the marking method:
- Preserve — Do not change the current value of the bit. The Firebox or XTM device prioritizes the traffic based on this value.
- Assign — Assign the bit a new value.
- Clear — Clear the bit value (set it to zero).
10. If you selected Assign in the previous step, select a marking value.
If you selected the IP precedence marking type you can select values from 0 (normal priority)
through 7 (highest priority).
If you selected the DSCP marking type, the values are 0–56.
11. In the Prioritize Traffic Based On drop-down list, select the traffic prioritization method:
- Custom Value — Use a custom value to prioritize the traffic.
- QoS Marking — Prioritize traffic based on QoS marking settings for this policy template.
12. If you selected Custom Value, in the Value drop-down list, select a priority level.
For more information about traffic priority values, see the table in Enable QoS Marking or
prioritization settings for a policy.
13. Click OK.
Traffic control and policy definitions
Define a Traffic Management action
Traffic Management actions can enforce bandwidth restrictions and guarantee a minimum amount of
bandwidth for one or more policies. Each Traffic Management action can include settings for multiple
interfaces. For example, on a Traffic Management action used with an HTTP policy for a small organization,
you can set the minimum guaranteed bandwidth of a trusted interface to 250 Kbps and the maximum
bandwidth to 1000 Kbps. This limits the speeds at which users can download files, but ensures that a small
amount of bandwidth is always available for HTTP traffic. You can then set the minimum guaranteed
bandwidth of an external interface to 150 Kbps and the maximum bandwidth to 300 Kbps to manage
upload speeds at the same time.
Determine available bandwidth
Before you begin, you must determine the available bandwidth of the interface used for the policy or
policies you want to guarantee bandwidth. For external interfaces, you can contact your ISP (Internet
Service Provider) to verify the service level agreement for bandwidth. You can then use a speed test with
online tools to verify this value. These tools can produce different values depending on a number of
variables. For other interfaces, you can assume the link speed on the Firebox or XTM device interface is the
theoretical maximum bandwidth for that network. You must also consider both the sending and receiving
needs of an interface and set the threshold value based on these needs. If your Internet connection is
asymmetric, use the uplink bandwidth set by your ISP as the threshold value.
Determine the sum of your bandwidth
You must also determine the sum of the bandwidth you want to guarantee for all policies on a given
interface. For example, on a 1500 Kbps external interface, you might want to reserve 600 Kbps for all the
guaranteed bandwidth and use the remaining 900 Kbps for all other traffic.
All policies that use a given Traffic Management action share its connection rate and bandwidth settings.
When they are created, policies automatically belong to the default Traffic Management action, which
enforces no restrictions or reservations. If you create a Traffic Management action to set a maximum
bandwidth of 10 Mbps and apply it to an FTP and an HTTP policy, all connections handled by those policies
must share 10 Mbps. If you later apply the same Traffic Management action to an SMTP policy, all three must
share 10 Mbps. This also applies to connection rate limits and guaranteed minimum bandwidth. Unused
guaranteed bandwidth reserved by one Traffic Management action can be used by others.
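An added planning check (not Policy Manager code) that applies the rules from the Restrict bandwidth section and this one: it sums the guaranteed minimums per interface, counting an action once however many policies share it, and warns when the total approaches or exceeds the Outgoing Interface Bandwidth. The 90% warning threshold is an assumption, since the guide does not state at what point Policy Manager warns.

```python
"""Check guaranteed bandwidth against the Outgoing Interface Bandwidth of each interface."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: the guide says Policy Manager warns when guarantees "approach" the
# interface limit but gives no threshold; this check warns from 90% upward.
WARN_FRACTION = 0.9


@dataclass(frozen=True)
class TrafficManagementAction:
    name: str
    # interface -> (minimum guaranteed bandwidth, maximum bandwidth) in Kbps; maximum 0 = no cap
    limits: Dict[str, Tuple[int, int]]


@dataclass(frozen=True)
class Policy:
    name: str
    action: str  # action name; "Default" enforces no restrictions or reservations


def validate_action(action: TrafficManagementAction) -> List[str]:
    """Reject negative values and a minimum above the maximum on any interface."""
    problems: List[str] = []
    for iface, (minimum, maximum) in action.limits.items():
        if minimum < 0 or maximum < 0:
            problems.append(f"{action.name}/{iface}: bandwidth values must not be negative")
        elif maximum and minimum > maximum:
            problems.append(f"{action.name}/{iface}: minimum {minimum} Kbps exceeds maximum {maximum} Kbps")
    return problems


def policies_by_action(policies: List[Policy]) -> Dict[str, List[str]]:
    """Group policy names by action; each group shares that action's bandwidth and rate settings."""
    groups: Dict[str, List[str]] = {}
    for policy in policies:
        groups.setdefault(policy.action, []).append(policy.name)
    return groups


def guaranteed_per_interface(actions: Dict[str, TrafficManagementAction],
                             policies: List[Policy]) -> Dict[str, int]:
    """Sum guaranteed minimums per interface; an action counts once however many policies use it."""
    totals: Dict[str, int] = {}
    for name in policies_by_action(policies):
        action = actions.get(name)
        if action is None:  # "Default" or an unknown action reserves nothing
            continue
        for iface, (minimum, _) in action.limits.items():
            totals[iface] = totals.get(iface, 0) + minimum
    return totals


def check_interfaces(interface_bandwidth: Dict[str, int],
                     actions: Dict[str, TrafficManagementAction],
                     policies: List[Policy]) -> List[str]:
    """Return WARNING/ERROR lines for interfaces whose guarantees approach or exceed the limit."""
    messages: List[str] = []
    for iface, total in sorted(guaranteed_per_interface(actions, policies).items()):
        limit = interface_bandwidth.get(iface)
        if limit is None:
            messages.append(f"ERROR {iface}: no Outgoing Interface Bandwidth configured")
        elif total > limit:
            messages.append(f"ERROR {iface}: guaranteed {total} Kbps exceeds the {limit} Kbps limit")
        elif total >= WARN_FRACTION * limit:
            messages.append(f"WARNING {iface}: guaranteed {total} Kbps approaches the {limit} Kbps "
                            "limit; non-guaranteed traffic may not be able to pass")
    return messages


if __name__ == "__main__":
    # Constructed data: the guide's 1 Mbps link with 973 Kbps guaranteed to FTP.
    actions = {"FTP-Guarantee": TrafficManagementAction("FTP-Guarantee", {"External": (973, 0)})}
    policies = [Policy("FTP", "FTP-Guarantee"), Policy("HTTP", "Default")]
    for line in check_interfaces({"External": 1000}, actions, policies):
        print(line)
```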
Create or modify a Traffic Management action
1. Double-click the policy for which you want to guarantee a minimum bandwidth. Select the
Advanced tab. Click .
Or, select Setup > Actions > Traffic Management and click Add.
The New Traffic Management Action Configuration dialog box appears.
2. In the Bandwidth configuration for outgoing traffic section, click Add.
An interface drop-down list appears.
3. In the Interface column, click the drop-down list to select the interface for which you want to set a
minimum bandwidth.
If you select an External interface, the action applies to upload speeds.
If you select a Trusted or Optional interface, the action applies to download speeds.
4. Double-click in the Minimum guaranteed bandwidth and Maximum bandwidth columns to edit the
settings. Type a number to set the minimum or maximum bandwidth in kilobytes per second.
5. Click OK.
6. If you defined the traffic action from a policy definition, the new traffic action now appears in Traffic
Management on the Advanced tab.
If you defined the traffic actions from Setup > Actions > Traffic Management, you must Add a
Traffic Management action to a policy for it to have an effect on your network.
Add a Traffic Management action to a policy
After you Define a Traffic Management action, you can add it to policy definitions. You can also add any
existing traffic management actions to policy definitions.
1. Double-click the policy for which you want to guarantee a minimum bandwidth.
2. Select the Advanced tab.
3. In the Traffic Management drop-down list, select a traffic management action to apply to the policy.
4. Click OK to close the Edit Policy Properties dialog box.
If the sum of all guaranteed bandwidths for an interface approaches or exceeds the bandwidth limit
you set for the interface, a warning message appears.
The new action appears in the Traffic Management Actions dialog box.
If you want to track the bandwidth used by a policy, go to the Service Watch tab of Firebox System Manager
and specify Bandwidth instead of Connections. For more information, see Visual display of policy usage
(Service Watch) on page 687.
Note If you have a multi-WAN configuration, bandwidth limits are applied separately to
each interface.
Add a traffic management action to multiple policies
When the same traffic management action is added to multiple policies, the maximum and minimum
bandwidth apply to each interface in your configuration. If two policies share an action that has a maximum
bandwidth of 100 kbps on a single interface, then all traffic on that interface that matches those policies is
limited to 100 kbps total.
If you have limited bandwidth on an interface used for several applications, each with unique ports, you
might need all the high priority connections to share one traffic management action. If you have lots of
bandwidth to spare, you could create separate traffic management actions for each application.
Add a Traffic Management action to a BOVPN firewall policy
To use traffic management with a managed BOVPN tunnel, you must create a VPN firewall policy template
and apply that template to the managed BOVPN tunnel. You cannot edit the default Any policy for managed
BOVPN tunnels.
You can use traffic management in a VPN firewall policy template to set different bandwidth limits for
managed BOVPN tunnels that use different policy templates. The marking action you select is applied to all
traffic that uses the policy template.
1. Open WatchGuard System Manager and connect to a management server.
2. Select the Device Management tab.
3. Expand Managed VPNs and expand VPN Firewall Policy Templates.
4. Select a VPN firewall policy template in the tree to edit it, or Add VPN firewall policy templates.
5. In the Settings section, click Configure.
The VPN Firewall Policy Template dialog box appears.
6. Select the Traffic Management tab.
7. Select the Specify Custom Traffic Management Action check box.
8. Define the custom traffic management action as described in Define a Traffic Management action
on page 469.
9. Click OK.
16 Default Threat Protection
About default threat protection
WatchGuard Fireware XTM OS and the policies you create give you strict control over access to your
network. A strict access policy helps keep hackers out of your network. But, there are other types of attacks
that a strict policy cannot defeat. Careful configuration of default threat protection options for the Firebox
or XTM device can stop threats such as SYN flood attacks, spoofing attacks, and port or address space
probes.
With default threat protection, a firewall examines the source and destination of each packet it receives. It
looks at the IP address and port number and monitors the packets to look for patterns that show your
network is at risk. If a risk exists, you can configure the Firebox or XTM device to automatically block a
possible attack. This proactive method of intrusion detection and prevention keeps attackers out of your
network.
To configure default threat protection, see:
- About default packet handling options
- About blocked sites
- About blocked ports
You can also purchase an upgrade for your Firebox or XTM device to use signature-based intrusion
prevention. For more information, see About Gateway AntiVirus and Intrusion Prevention on page 1079.
About default packet handling options
When your Firebox or XTM device receives a packet, it examines the source and destination for the packet.
It looks at the IP address and the port number. The device also monitors the packets to look for patterns that
can show your network is at risk. This process is called default packet handling.
Default packet handling can:
- Reject a packet that could be a security risk, including packets that could be part of a spoofing attack or SYN flood attack
- Automatically block all traffic to and from an IP address
- Add an event to the log file
- Send an SNMP trap to the SNMP management server
- Send a notification of possible security risks
Most default packet handling options are enabled in the default Firebox or XTM device configuration. You
can use Policy Manager to change the thresholds at which the Firebox or XTM device takes action. You can
also change the options selected for default packet handling.
1. Click .
Or, select Setup > Default Threat Protection > Default Packet Handling.
The Default Packet Handling dialog box appears.
2. Select the check boxes for the traffic patterns you want to take action against, as explained in these
topics:
- About spoofing attacks on page 475
- About IP source route attacks on page 476
- About port space and address space probes on page 477
- About flood attacks on page 479
- About unhandled packets on page 481
- About distributed denial-of-service attacks on page 482
Set logging and notification options
The default device configuration tells the Firebox or XTM device to send a log message when an event
occurs that is specified in the Default Packet Handling dialog box.
To configure an SNMP trap or notification:
1. Click Logging.
The Logging and Notification dialog box appears.
2. Configure notification settings as described in Set logging and notification preferences on page 646.
About spoofing attacks
One method that attackers use to enter your network is to make an electronic false identity. This is an IP
spoofing method that attackers use to send a TCP/IP packet with a different IP address than the computer
that first sent it.
When anti-spoofing is enabled, the Firebox or XTM device verifies the source IP address of a packet is from
a network on the specified interface.
The default configuration of the Firebox or XTM device is to drop spoofing attacks. From Policy Manager,
you can change the settings for this feature:
1. Click .
Or, select Setup > Default Threat Protection > Default Packet Handling.
The Default Packet Handling dialog box appears.
2. Select or clear the Drop Spoofing Attacks check box.
3. Click OK.
About IP source route attacks
To find the route that packets take through your network, attackers use IP source route attacks. The attacker
sends an IP packet and uses the response from your network to get information about the operating system
of the target computer or network device.
The default configuration of the Firebox or XTM device is to drop IP source route attacks. From Policy
Manager, you can change the settings for this feature.
1. Click .
Or, select Setup > Default Threat Protection > Default Packet Handling.
The Default Packet Handling dialog box appears.
2. Select or clear the Drop IP Source Route check box.
3. Click OK.
About port space and address space probes
Attackers frequently look for open ports as starting points to launch network attacks. A port space probe is
TCP or UDP traffic that is sent to a range of ports. These ports can be in sequence or random, from 0 to
65535. An address space probe is TCP or UDP traffic that is sent to a range of network addresses. Port space
probes examine a computer to find the services that it uses. Address space probes examine a network to
see which network devices are on that network.
For more information about ports, see About ports on page 8.
Note The Firebox or XTM device detects port and address space probes only on
interfaces configured as type External.
How the Firebox or XTM device identifies network probes
An address space probe is identified when a computer on an external network sends a specified number of
packets to different IP addresses assigned to the external interfaces of the Firebox or XTM device. To
identify a port space probe, your Firebox or XTM device counts the number of packets sent from one IP
address to external interface IP addresses. The addresses can include the external interface IP address and
any secondary IP addresses configured on the external interface. If the number of packets sent to different
IP addresses or destination ports in one second is larger than the number you select, the source IP address
is added to the Blocked Sites list.
When the Block Port Space Probes and Block Address Space Probes check boxes are selected, all incoming
traffic on any external interface is examined by the Firebox or XTM device. You cannot disable these
features for specified IP addresses or different time periods.
To protect against port space and address space probes
The default configuration of the Firebox or XTM device blocks network probes. You can use Policy Manager
to change the settings for this feature, and change the maximum allowed number of address or port
probes per second for each source IP address (the default value is 50).
1. Click .
Or, select Setup > Default Threat Protection > Default Packet Handling.
The Default Packet Handling dialog box appears.
2. Select or clear the Block Port Space Probes and the Block Address Space Probes check boxes.
3. Click the arrows to select the maximum number of address or port probes to allow per second from
the same IP address. The default for each is 10 per second. This means that a source is blocked if it
initiates connections to 10 different ports or hosts within one second.
4. Click OK.
To block attackers more quickly, you can set the threshold for the maximum allowed number of address or
port probes per second to a lower value. If the number is set too low, the Firebox or XTM device could also
deny legitimate network traffic. You are less likely to block legitimate network traffic if you use a higher
number, but the Firebox or XTM device must send TCP reset packets for each connection it drops. This uses
bandwidth and resources on the Firebox or XTM device and provides the attacker with information about
your firewall.
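The counting rule described above (distinct destination ports or distinct external-interface addresses reached by one source within one second, with the source added to the Blocked Sites list once the limit is exceeded) can be modelled in a few lines. The following is an added example written for this guide, not WatchGuard code; the external-interface addresses, the packet records and the use of fixed one-second buckets are assumptions made here, and the verdict names are this example's own.

```python
from collections import defaultdict

# Constructed sample: addresses assigned to the device's external interface
# (primary plus secondaries). Hypothetical values, not taken from the guide.
EXTERNAL_INTERFACE_IPS = {"198.51.100.1", "198.51.100.2", "198.51.100.3"}

# Constructed packet records as (timestamp, src_ip, dst_ip, dst_port).
# 192.0.2.5 touches 11 different ports on one external address within one
# second (one more than the default limit of 10); 192.0.2.9 touches three
# external addresses on port 80; 203.0.113.20 is an ordinary HTTPS client.
SAMPLE_PACKETS = (
    [(100.2, "192.0.2.5", "198.51.100.1", port) for port in range(20, 31)]
    + [(100.4, "192.0.2.9", ip, 80) for ip in sorted(EXTERNAL_INTERFACE_IPS)]
    + [(100.5, "203.0.113.20", "198.51.100.1", 443),
       (100.7, "203.0.113.20", "198.51.100.1", 443)]
)


class ProbeDetector:
    """Per source and per one-second bucket, count the distinct destination
    ports and the distinct external-interface addresses the source has sent
    to. Exceeding either limit puts the source on the blocked sites list.
    Fixed buckets (int(timestamp)) are an assumption; the guide says only
    "in one second"."""

    def __init__(self, port_probe_limit=10, address_probe_limit=10,
                 external_ips=EXTERNAL_INTERFACE_IPS):
        self.port_probe_limit = port_probe_limit
        self.address_probe_limit = address_probe_limit
        self.external_ips = set(external_ips)
        self.blocked_sites = set()
        self._ports = defaultdict(set)   # (src, second) -> {dst_port, ...}
        self._addrs = defaultdict(set)   # (src, second) -> {dst_ip, ...}

    def observe(self, ts, src, dst, dport):
        """Return "blocked", "port-probe", "address-probe" or "allow"."""
        if src in self.blocked_sites:
            return "blocked"        # already on the blocked sites list
        if dst not in self.external_ips:
            return "allow"          # probes are detected on External interfaces only
        second = int(ts)
        ports = self._ports[(src, second)]
        addrs = self._addrs[(src, second)]
        ports.add(dport)
        addrs.add(dst)
        if len(ports) > self.port_probe_limit:
            self.blocked_sites.add(src)
            return "port-probe"
        if len(addrs) > self.address_probe_limit:
            self.blocked_sites.add(src)
            return "address-probe"
        return "allow"


def run(packets, port_probe_limit=10, address_probe_limit=10):
    """Feed packets through a detector; return (blocked_sites, verdict counts)."""
    det = ProbeDetector(port_probe_limit, address_probe_limit)
    counts = defaultdict(int)
    for ts, src, dst, dport in packets:
        counts[det.observe(ts, src, dst, dport)] += 1
    return det.blocked_sites, dict(counts)


if __name__ == "__main__":
    blocked, counts = run(SAMPLE_PACKETS)
    print("blocked:", sorted(blocked), counts)
```

Running `run(SAMPLE_PACKETS)` with the defaults blocks only 192.0.2.5 on its 11th port; lowering the address limit to 2 also blocks 192.0.2.9, and raising the port limit to 50 blocks nobody, which is the trade-off the paragraph above describes.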
About flood attacks
In a flood attack, attackers send a very high volume of traffic to a system so it cannot examine and allow
permitted network traffic. For example, an ICMP flood attack occurs when a system receives too many
ICMP ping commands and must use all of its resources to send reply commands. The Firebox or XTM device
can protect against these types of flood attacks:
• IPSec
• IKE
• ICMP
• SYN
• UDP
Flood attacks are also known as Denial of Service (DoS) attacks. The default configuration of the Firebox or
XTM device is to block flood attacks.
You can use Policy Manager to change the settings for this feature, or to change the maximum allowed
number of packets per second.
1. Click .
Or, select Setup > Default Threat Protection > Default Packet Handling.
The Default Packet Handling dialog box appears.
2. Select or clear the Flood Attack check boxes.
3. Click the arrows to select the maximum allowed number of packets per second for each source IP
address.
For example, if the setting is 1000, the Firebox or XTM device blocks a source if it receives more
than 1000 packets per second from that source.
4. Click OK.
About the SYN flood attack setting
For SYN flood attacks, you can set the threshold at which the Firebox or XTM device reports a possible SYN
flood attack, but no packets are dropped if only the number of packets you selected are received. At twice
the selected threshold, all SYN packets are dropped. At any level between the selected threshold and twice
that level, if the src_IP, dst_IP, and total_length values of a packet are the same as the previous packet
received, then it is always dropped. Otherwise, 25% of the new packets received are dropped.
For example, you set the SYN flood attack threshold to 18 packets/sec. When the Firebox or XTM device
receives 18 packets/sec, it reports a possible SYN flood attack to you, but does not drop any packets. If the
device receives 20 packets per second, it drops 25% of the received packets (5 packets). If the device
receives 36 or more packets, the last 18 or more are dropped.
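The three regimes above (at or below the threshold: report only; between the threshold and twice the threshold: drop repeats of the previous packet and 25% of the rest; at twice the threshold: drop all) can be written out as a decision function over the SYN packets seen in one second. This is an added example for this guide, not WatchGuard code. It follows the rule paragraph, so at twice the threshold every packet is dropped; dropping every fourth new packet is this example's deterministic stand-in for the 25%, since the guide does not say how the device selects them; the packet records are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SynPacket:
    """The three header fields the guide compares with the previous packet."""
    src_ip: str
    dst_ip: str
    total_length: int


def syn_flood_decisions(packets, threshold):
    """Apply the guide's SYN flood rules to the SYN packets received in one second.

    Returns (reported, dropped), where dropped lists the indexes of dropped packets:
    - rate <= threshold: report a possible SYN flood at the threshold, drop nothing
    - rate >= 2 * threshold: drop every SYN packet
    - in between: a packet whose src_IP, dst_IP and total_length equal the previous
      packet's is always dropped; of the remaining "new" packets 25% are dropped
      (modelled here as every 4th new packet; assumption of this example)
    """
    rate = len(packets)
    reported = rate >= threshold
    if rate <= threshold:
        return reported, []
    if rate >= 2 * threshold:
        return True, list(range(rate))
    dropped, new_seen, prev = [], 0, None
    for i, pkt in enumerate(packets):
        if prev is not None and pkt == prev:   # same src_IP, dst_IP, total_length
            dropped.append(i)
        else:
            new_seen += 1
            if new_seen % 4 == 0:
                dropped.append(i)
        prev = pkt
    return True, dropped


def distinct_syns(n, src="192.0.2.7", dst="198.51.100.1"):
    """Constructed sample: n SYN packets from one source that differ in total_length."""
    return [SynPacket(src, dst, 60 + i) for i in range(n)]


if __name__ == "__main__":
    for rate in (17, 18, 20, 36):
        reported, dropped = syn_flood_decisions(distinct_syns(rate), 18)
        print(f"{rate} pps: reported={reported} dropped={len(dropped)}")
```

With the threshold of 18 from the guide's example, 18 packets are reported but none dropped, 20 packets lose 5, and 36 packets are all dropped; a duplicate of the previous packet in the middle regime is dropped regardless of the 25% selection.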
About unhandled packets
An unhandled packet is a packet that does not match any policy rule. By default, the Firebox or XTM device
always denies unhandled packets. From Policy Manager, you can change the device settings to further
protect your network.
1. Click .
Or, select Setup > Default Threat Protection > Default Packet Handling.
The Default Packet Handling dialog box appears.
2. Select or clear the check boxes for these options:
Auto-block source of packets not handled
Select to automatically block the source of unhandled packets. The Firebox or XTM device adds
the IP address that sent the packet to the temporary Blocked Sites list.
Send an error message to clients whose connections are disabled
Select to send a TCP reset or ICMP error back to the client when the Firebox or XTM device
receives an unhandled packet.
See statistics on unhandled packets
You can see statistics on unhandled packets received by the Firebox or XTM device on the Visual display of
policy usage (Service Watch) in Firebox System Manager. From the Show connections by drop-down list,
you can select to show connections by rule instead of policy.
About distributed denial-of-service attacks
Distributed Denial of Service (DDoS) attacks are very similar to flood attacks. In a DDoS attack, many
different clients and servers send connections to one computer system to try to flood the system. When a
DDoS attack occurs, legitimate users cannot use the targeted system.
The default configuration of the Firebox or XTM device is to block DDoS attacks. From Policy Manager, you
can change the settings for this feature, and change the maximum allowed number of connections per
second.
1. Click .
Or, select Setup > Default Threat Protection > Default Packet Handling.
The Default Packet Handling dialog box appears.
2. Select or clear the Per Server Quota and Per Client Quota check boxes.
3. Click the arrows to set the Per Server Quota and the Per Client Quota.
Per Server Quota
The Per Server Quota applies a limit to the number of connections per second from any
external source to the Firebox or XTM device external interface. This includes connections to
internal servers allowed by a static NAT policy. For example, when the Per Server Quota is set
to the default value of 100, the Firebox or XTM device drops the 101st connection request
received in a one second time frame from an external IP address. The IP address is not added
to the blocked sites list.
Per Client Quota
The Per Client Quota applies a limit to the number of outbound connections per second from
any source protected by the Firebox or XTM device to any one destination. For example, when
the Per Client Quota is set to the default value of 100, the Firebox or XTM device drops the
101st connection request received in a one second time frame from an IP address on the
trusted or optional network to any one destination IP address.
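The two quotas differ in what they count: the Per Server Quota is keyed by the external source alone, while the Per Client Quota is keyed by protected source and destination, and neither puts the source on the blocked sites list. The following is an added example for this guide, not WatchGuard code; it decides direction by whether the source falls in a constructed list of protected networks (the device decides by interface), counts in fixed one-second buckets, and uses documentation addresses throughout.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: networks behind the device (trusted/optional). Hypothetical values.
PROTECTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                      ipaddress.ip_network("172.16.0.0/12")]


class ConnectionQuotas:
    """Per Server Quota and Per Client Quota as the guide describes them.

    Inbound: connections/sec from one external source to the external interface
    (including servers reached through static NAT) are keyed by source only.
    Outbound: connections/sec from one protected source are keyed by
    (source, destination), so the limit applies to each destination separately.
    Excess connections are dropped; the source is NOT added to the blocked
    sites list, unlike the probe and unhandled-packet rules. Fixed one-second
    buckets are an assumption of this example."""

    def __init__(self, per_server_quota=100, per_client_quota=100,
                 protected=PROTECTED_NETWORKS):
        self.per_server_quota = per_server_quota
        self.per_client_quota = per_client_quota
        self.protected = protected
        self._counts = defaultdict(int)

    def _is_protected(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.protected)

    def new_connection(self, ts, src, dst):
        """Return "allow" or "drop" for a connection request at time ts."""
        second = int(ts)
        if self._is_protected(src):
            key, quota = ("client", src, dst, second), self.per_client_quota
        else:
            key, quota = ("server", src, second), self.per_server_quota
        self._counts[key] += 1
        return "allow" if self._counts[key] <= quota else "drop"


def burst(quotas, ts, src, dst, n):
    """Send n connection requests in the same second; return (allowed, dropped)."""
    results = [quotas.new_connection(ts, src, dst) for _ in range(n)]
    return results.count("allow"), results.count("drop")


if __name__ == "__main__":
    q = ConnectionQuotas()
    print("inbound 101 in one second:", burst(q, 5.0, "203.0.113.7", "198.51.100.1", 101))
    print("outbound 101 in one second:", burst(q, 7.0, "10.0.0.5", "203.0.113.50", 101))
```

With the default quota of 100, the 101st inbound request from 203.0.113.7 in one second is dropped, as is a further request from that source to a different external address in the same second; outbound, 10.0.0.5 loses its 101st request to one destination but is still allowed to connect to another destination.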
About blocked sites
A blocked site is an IP address that cannot make a connection through the Firebox or XTM device. You tell
the Firebox or XTM device to block specific sites you know, or think, are a security risk. After you find the
source of suspicious traffic, you can block all connections from that IP address. You can also configure the
Firebox or XTM device to send a log message each time the source tries to connect to your network. From
the log file, you can see the services that the sources use to launch attacks.
The Firebox or XTM device denies all traffic from a blocked IP address. You can define two different types of
blocked IP addresses: permanent and auto-blocked.
Permanently blocked sites
Network traffic from permanently blocked sites is always denied. These IP addresses are stored in the
Blocked Sites list and must be added manually. For example, you can add an IP address that constantly tries
to scan your network to the Blocked Sites list to prevent port scans from that site.
To block a site, see Block a site permanently on page 483.
Auto-blocked sites/Temporary Blocked Sites list
Packets from auto-blocked sites are denied for the amount of time you specify. The Firebox or XTM device
uses the packet handling rules specified for each policy to determine whether to block a site. For example,
if you create a policy that denies all traffic on port 23 (Telnet), any IP address that tries to send Telnet traffic
through that port is automatically blocked for the amount of time you specify.
To automatically block sites that send denied traffic, see Block sites temporarily with policy settings on page 486.
You can also automatically block sites that are the source of packets that do not match any policy rule. For
more information, see About unhandled packets on page 481.
Block a site permanently
You can use Policy Manager to permanently add sites to the Blocked Sites list.
1. Click .
Or, select Setup > Default Threat Protection > Blocked Sites.
The Blocked Sites Configuration dialog box appears.
2. Click Add.
The Add Site dialog box appears.
3. From the Choose Type drop-down list, select a method to identify the blocked site.
Options are: Host IP, Network IP, Host Range, or Host Name (DNS lookup).
4. Type the value.
The value shows whether this is an IP address or a range of IP addresses. If you must block an
address range that includes one or more IP addresses assigned to the Firebox or XTM device, you
must first add these IP addresses to the Blocked Sites Exceptions list.
To add exceptions, see Create Blocked Site Exceptions on page 485.
5. (Optional) Type a comment to provide information about the site.
6. Select OK.
The new site appears in the Blocked Sites list.
Configure logging for blocked sites
You can configure the Firebox or XTM device to make a log entry or send a notification message if a
computer tries to use a blocked site.
From the Blocked Sites Configuration dialog box:
1. Click Logging.
The Logging and Notification dialog box appears.
2. Configure notification settings as described in Set logging and notification preferences on page 646.
Create Blocked Site Exceptions
When you add a site to the Blocked Site Exceptions list in Policy Manager, the traffic to that site is not
blocked by the auto-blocking feature.
1. Select Setup > Default Threat Protection > Blocked Sites.
2. Select the Blocked Sites Exceptions tab.
3. Click Add.
The Add Site dialog box appears.
4. From the Choose Type drop-down list, select a member type. Options are: Host IP, Network IP,
Host Range, or Host Name (DNS lookup).
5. Type the member value.
The member type shows whether this is an IP address or a range of IP addresses. When you type an IP address,
type all the numbers and the period. Do not use the tab or arrow keys.
6. Click OK.
Import a list of blocked sites or blocked sites exceptions
If you manage several Firebox or XTM devices and want to use the same blocked sites or blocked sites
exceptions for more than one device, you can create a list of the sites to block in a plain text (.txt) file and
import the file into each device.
The IP addresses in the text file must be separated by spaces or line breaks. Use slash notation to specify
networks. To indicate a range of addresses, separate the start and end addresses with a hyphen. An
example text import file might look like this:
2.2.2.2 5.5.5.0/24
3.3.3.3-3.3.3.8
6.6.6.6 7.7.7.7
You can use Policy Manager to import the IP addresses to the Blocked Sites or Blocked Sites Exceptions list
for the current Firebox or XTM device.
1. Select Setup > Default Threat Protection > Blocked Sites.
The Blocked Sites Configuration dialog appears.
2. To import blocked sites from a file, click the Blocked Sites tab.
Or, to import blocked sites exceptions, click the Blocked Site Exceptions tab.
3. Click Import.
The Select a File dialog box appears.
4. Browse to select the file. Click Select a File.
The sites in the file appear in the Blocked Sites or Blocked Sites Exceptions list.
5. Click OK.
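Before importing a list across several devices it is worth checking what the file actually covers, in particular whether a range includes an address assigned to the device itself, which the guide says must be added to the Blocked Sites Exceptions list first. The following parser and checker are an added example for this guide, not WatchGuard code; it reads the import format described above (entries separated by spaces or line breaks, slash notation for networks, a hyphen for ranges), embeds the guide's own sample file as input, and the device addresses it checks are constructed.

```python
import ipaddress

# The sample import file shown in the guide, embedded here as input.
SAMPLE_IMPORT_FILE = """2.2.2.2 5.5.5.0/24
3.3.3.3-3.3.3.8
6.6.6.6 7.7.7.7
"""


def parse_site_list(text):
    """Parse the import format: entries separated by spaces or line breaks,
    each a host IP, a network in slash notation, or a start-end range.
    Ranges are expanded into the minimal set of CIDR networks."""
    networks = []
    for token in text.split():
        if "-" in token:
            start, end = (ipaddress.ip_address(p) for p in token.split("-", 1))
            networks.extend(ipaddress.summarize_address_range(start, end))
        else:
            networks.append(ipaddress.ip_network(token, strict=False))
    return networks


class BlockedSites:
    """Blocked Sites list plus the Blocked Sites Exceptions list."""

    def __init__(self, blocked_text="", exceptions_text=""):
        self.blocked = parse_site_list(blocked_text)
        self.exceptions = parse_site_list(exceptions_text)

    @staticmethod
    def _matches(addr, networks):
        return any(addr in net for net in networks)

    def is_blocked(self, ip):
        """An exception wins over a blocked entry that contains the address."""
        addr = ipaddress.ip_address(ip)
        if self._matches(addr, self.exceptions):
            return False
        return self._matches(addr, self.blocked)

    def device_addresses_covered(self, device_ips):
        """Device addresses that fall inside a blocked entry and are not
        excepted; the guide requires these to be on the exceptions list
        before such a range can be blocked."""
        return sorted(ip for ip in device_ips if self.is_blocked(ip))


if __name__ == "__main__":
    sites = BlockedSites(SAMPLE_IMPORT_FILE)
    print([str(n) for n in sites.blocked])
    # Constructed device addresses; 5.5.5.1 sits inside the 5.5.5.0/24 entry.
    print("device addresses needing an exception:",
          sites.device_addresses_covered(["5.5.5.1", "9.9.9.9"]))
```

The range 3.3.3.3-3.3.3.8 expands to three networks (3.3.3.3/32, 3.3.3.4/30, 3.3.3.8/32), so the sample file yields seven entries; adding 5.5.5.1 to the exceptions list makes it pass while 5.5.5.2 stays blocked.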
Block sites temporarily with policy settings
You can use Policy Manager to temporarily block sites that try to use a denied service. IP addresses from the
denied packets are added to the Temporary Blocked sites list for 20 minutes (by default).
1. Double-click the policy for the denied service.
The Edit Policy Properties dialog box appears.
2. On the Policy tab, make sure you set the Connections Are drop-down list to Denied or Denied (send
reset).
3. On the Properties tab, select the Auto-block sites that attempt to connect check box. By default, IP
addresses from the denied packets are added to the Temporary Blocked Sites list for 20 minutes.
If you enable logging of temporary blocked sites, the log messages can help you make decisions about
which IP addresses to block permanently. To enable logging of denied packets:
1. In the policy definition, select the Properties tab
2. Click Logging.
3. Select the Send log message check box.
For more information about logging, see Set logging and notification preferences on page 646.
Change the duration that sites are auto-blocked
You can use Policy Manager to enable the auto-block feature.
Select Setup > Default Threat Protection > Default Packet Handling.
For more information, see About unhandled packets on page 481.
You can also use policy settings to auto-block sites that try to use a denied service. For more information,
see Block sites temporarily with policy settings on page 486.
You can use Policy Manager to set the duration that sites are blocked automatically.
1. Select Setup > Default Threat Protection > Blocked Sites.
2. Select the Auto-Blocked tab.
3. To change the amount of time a site is auto-blocked, in the Duration for Auto-Blocked Sites text box,
type or select the number of minutes to block a site. The default is 20 minutes.
4. Click OK.
About blocked ports
You can block the ports that you know can be used to attack your network. This stops specified external
network services. Blocking ports can protect your most sensitive services.
When you block a port, you override all of the rules in your policy definitions. To block a port, see Block a
port on page 489.
Default blocked ports
In the default configuration, the Firebox or XTM device blocks some destination ports. You usually do not
need to change this default configuration. TCP and UDP packets are blocked for these ports:
X Window System (ports 6000-6005)
The X Window System (or X-Windows) client connection is not encrypted and is dangerous to use on
the Internet.
X Font Server (port 7100)
Many versions of X Windows operate X Font Servers. The X Font Servers operate as the super-user
on some hosts.
NFS (port 2049)
NFS (Network File System) is a frequently used TCP/IP service where many users use the same files
on a network. New versions have important authentication and security problems. To supply NFS on
the Internet can be very dangerous.
Note The portmapper frequently uses port 2049 for NFS. If you use NFS, make sure that
NFS uses port 2049 on all your systems.
rlogin, rsh, rcp (ports 513, 514)
These services give remote access to other computers. They are a security risk and many attackers
probe for these services.
RPC portmapper (port 111)
The RPC Services use port 111 to find which ports a given RPC server uses. The RPC services are easy
to attack through the Internet.
port 8000
Many vendors use this port, and many security problems are related to it.
port 1
The TCPmux service uses Port 1, but not frequently. You can block it to make it more difficult for
tools that examine ports.
port 0
This port is always blocked by the Firebox or XTM device. You cannot allow traffic on port 0 through
the device.
Note If you must allow traffic through any of the default blocked ports to use the
associated software applications, we recommend that you allow the traffic only
through a VPN tunnel or use SSH (Secure Shell) with those ports.
Block a port
You can use Policy Manager to add a port number to the Blocked Ports list.
Note Be very careful if you block port numbers higher than 1023. Clients frequently use
these source port numbers.
1. Click .
Or, select Setup > Default Threat Protection > Blocked Ports.
The Blocked Ports dialog box appears.
2. In the Port text box, type or select the port number to block.
3. Click Add.
The new port number appears in the Blocked Ports list.
Block IP addresses that try to use blocked ports
You can configure the Firebox or XTM device to automatically block an external computer that tries to use a
blocked port. In the Blocked Ports dialog box, select the Automatically block sites that try to use blocked
ports check box.
Set logging and notification for blocked ports
You can configure the Firebox or XTM device to make a log entry when a computer tries to use a blocked
port. You can also set up notification for when a computer tries to get access to a blocked port.
From the Blocked Ports dialog box:
1. Click Logging.
The Logging and Notification dialog box appears.
2. Configure notification settings as described in Set logging and notification preferences on page 646.
17
WatchGuard Server Setup
About WatchGuard Servers
When you install the WatchGuard System Manager software, you can choose to install one or more of the
WatchGuard servers. You can also run the installation program and select to install only one or more of the
servers, without WatchGuard System Manager. When you install a server, the WatchGuard Server Center
program is automatically installed. WatchGuard Server Center is a single application you can use to set up,
configure, back up, and restore all your WatchGuard System Manager servers.
The five WatchGuard servers are:
• Management Server
• Log Server
• Report Server
• Quarantine Server
• WebBlocker Server
To set up WatchGuard servers, see Set up WatchGuard Servers on page 492.
For WatchGuard System Manager installation instructions, see Install WatchGuard System Manager
software on page 22.
Each server has a specific function:
Management Server
The Management Server operates on a Windows computer. With this server, you can manage all
firewall devices and create virtual private network (VPN) tunnels with a simple drag-and-drop
function. The basic functions of the Management Server are:
• Certificate authority to distribute certificates for Internet Protocol Security (IPSec) tunnels
• VPN tunnel configuration management
• Management for multiple Firebox or XTM devices
For more information about the Management Server, see About the WatchGuard Management
Server on page 505.
Log Server
The Log Server collects log messages from each Firebox and XTM device and stores them in a
PostgreSQL database. The log messages are encrypted when they are sent to the Log Server. The log
message format is XML (plain text). The types of log message that the Log Server collects include
traffic log messages, event log messages, alarms, and diagnostic messages.
For more information about Log Servers, see Set up a Log Server on page 616.
Report Server
The Report Server periodically consolidates data collected by your Log Servers from your Firebox
and XTM devices, and stores them in a PostgreSQL database. The Report Server then generates the
reports you specify. When the data is on the Report Server, you can review it with Report Manager
or Reporting Web UI.
For more information about reports and the Report Server, see About the Report Server on page 729.
For more information about Report Manager, see About WatchGuard Report Manager on page 750.
For more information about how to configure Reporting Web UI, see Configure Reporting Web UI
settings on page 744.
For more information about how to use Reporting Web UI, see the Reporting Web UI Help.
Quarantine Server
The Quarantine Server collects and isolates email messages that spamBlocker identifies as possible spam.
For more information on the Quarantine Server, see About the Quarantine Server on page 1107.
WebBlocker Server
The WebBlocker Server operates with the HTTP proxy to deny user access to specified categories of
web sites. When you configure a Firebox or XTM device, you set the web site categories you want to
allow or block.
For more information about WebBlocker and the WebBlocker Server, see About WebBlocker on
page 979.
Set up WatchGuard Servers
WatchGuard Server Center is a single application you can use to set up, configure, back up, and restore all
WatchGuard servers.
After you have installed WatchGuard System Manager and the WatchGuard servers, the WatchGuard Server
Center Setup Wizard creates the WatchGuard servers you selected to install on your computer. The wizard
shows you only the screens that correspond to the components you have installed. For example, if you
installed the Log Server and the Report Server, but not the Quarantine Server, the wizard shows you only
the pages related to the Log Server and Report Server settings. The pages used to create a domain list for
the Quarantine Server do not appear in the wizard.
If you did not install or configure some of the WatchGuard servers, you can install or configure them later.
You can launch the WatchGuard System Manager Installer from the main configuration page of each server
that is not installed. You can also launch the WatchGuard Server Center Setup Wizard from the main
configuration page of each server that is not configured.
For more information, see Install or configure WatchGuard servers from the WatchGuard Server Center on
page 501.
Before you begin
Before you run the wizard, make sure you have all of the necessary information:
• If you want to use a gateway Firebox to protect the Management Server, the IP address of the
external interface for that Firebox or XTM device.
• The Management Server license key.
To find the license key, see Find your Management Server license key on page 496.
• If you want to set up Quarantine Server, the domain name or names for which Quarantine Server
will accept email messages.
• If you want to set up Log Server, the IP address of the device you will use as a Log Server.
Start the wizard
1. In the system tray, right-click and select Open WatchGuard Server Center.
If you do not see this icon, you did not install any WatchGuard server software.
To rerun the installation process and install one or more servers, see Install WatchGuard System
Manager software on page 22.
The WatchGuard Server Center Setup Wizard starts.
2. Review the Welcome page to make sure you have all the information required to complete the
wizard.
3. Click Next.
The General Settings - Identify your organization name page appears.
General settings
1. Type your Organization name.
This name is used for the certificate authority on the Management Server, as described in Configure
the certificate authority on the Management Server on page 507.
2. Click Next.
The General Settings - Set Administrator passphrase page appears.
3. Type and confirm the Administrator passphrase.
This passphrase must be at least 8 characters.
The Administrator passphrase is used to control access to the management computer (the computer
on which WSM is installed).
4. Click Next.
Management Server settings
These settings appear in the wizard only if you installed Management Server.
1. If you have a gateway Firebox for the Management Server, click Yes.
Although a gateway Firebox is optional, we recommend that you use a gateway Firebox to protect
the Management Server from the Internet.
For more information, see About the gateway Firebox on page 495.
2. Type the external IP address and passphrases for the gateway Firebox.
3. Click Next.
The Management Server - Enter a license key page appears.
4. Type the license key for Management Server and click Add.
For information to help you find the license key, see Find your Management Server license key on
page 496.
5. Click Next.
Note When an interface whose IP address is bound to the Management Server goes
down and then restarts, we recommend that you restart the Management Server.
Log Server and Report Server settings
These settings appear in the wizard only if you installed Log Server.
1. Type and confirm the Encryption key to use for the secure connection between the Firebox or XTM
device and the Log Servers.
The allowed range for the encryption key is 8–32 characters. You can use all characters but spaces
and slashes (/ or \).
2. In the Database location field, the default folder where all log files, report files, and report
definition files are kept appears:
C:\Documents and Settings\WatchGuard\logs .
We recommend that you use the default location.
To change this location, click Browse and select a new folder. Make sure you select a location that
has plenty of free disk space.
Note Select the location carefully. After you have installed the database you cannot
change the directory location through the Log Server user interface. If you must
change the location, see Move the log data directory on page 628.
3. Click Next.
Quarantine Server settings
These settings appear in the wizard only if you installed the Quarantine Server.
The domain list is the set of domain names for which the Quarantine Server accepts email messages. The
Quarantine Server only sends messages for the users in the domains that are included in the domain list.
Messages sent to users that are not in one of these domains are deleted.
1. To add a domain, type the domain name in the top text box and click Add.
The domain name appears in the window.
To remove a domain, select the domain name from the list and click Remove.
The domain name is removed from the window.
2. Click Next.
WebBlocker Server settings
These settings appear in the wizard only if you installed WebBlocker Server.
You can choose to download the WebBlocker database now, or wait and download it later. The WebBlocker
database has more than 220 MB of data. Your connection speed controls the download speed, which can be
more than 30 minutes. Make sure the hard disk drive has a minimum of 250 MB of free space.
1. To download the database now, select Yes and click Download.
To download the database later, select No.
2. Click Next.
Review and finish
Review your settings to make sure they are correct.
To make changes to your settings:
1. Click Back until you reach the page you want to change.
2. Make any necessary changes.
3. Click Next until you return to the Review Settings page.
If your settings are correct:
1. Click Next.
The wizard shows the server configuration progress.
2. Click Next.
The WatchGuard Server Center Setup Wizard is complete page appears.
3. Click Finish.
WatchGuard Server Center appears.
From WatchGuard Server Center, you can:
• Monitor the status of WatchGuard servers
• About the WatchGuard Management Server
• Set up a Log Server
• Set up the Report Server
• Configure the Quarantine Server
• Set up the WebBlocker Server
• Change the Administrator passphrase
About the gateway Firebox
The gateway Firebox helps protect your Management Server from the Internet. When you set up your
Management Server, you choose whether to use a gateway Firebox. We recommend that you use a
gateway Firebox.
When you add an IP address for your gateway Firebox, the wizard does three things:
• Uses this IP address to configure the gateway Firebox to allow connections to the Management
Server.
The Management Server policy is automatically added to the Firebox or XTM device configuration
file. This policy opens TCP ports 4110, 4112, and 4113 to allow connections to the Management
Server.
If you do not type an IP address here, you must configure a firewall between the Management
Server and the Internet to allow connections to the Management Server on TCP ports 4110, 4112,
and 4113.
• If you have an earlier version of WatchGuard System Manager, and have a Firebox or XTM device
configured as a DVCP server, the wizard gets the DVCP server information from the gateway Firebox
and moves these settings to your Management Server.
• The wizard sets the IP address for the Certificate Revocation List (CRL).
After the Management Server is set up, the devices you add as managed clients use this IP address to
connect to the Management Server. This IP address must be the public IP address your Management Server
shows to the Internet.
If you do not specify an IP address, the wizard uses the current IP address on your Management Server
computer for the CRL IP address. If this is not the IP address your computer shows to the Internet because it
is behind a device that does NAT (Network Address Translation), you must edit the CRL to use the public
IP address of your Management Server. If you use a gateway Firebox that does NAT, make sure that it is the
same version as your Management Server. For example, if your Management Server is v11.0, your gateway
Firebox with NAT must be v11.0 or higher.
For more information, see Update the Management Server with a new gateway address on page 508.
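As an added example (not code from the guide or from WatchGuard), a small Python check that probes the three Management Server ports listed above from the managed devices' side of the gateway Firebox, to confirm that the Management Server policy or your own firewall actually passes them. The function names and the sample address are this example's assumptions; only the port numbers come from the guide.

```python
"""Connectivity check for the WatchGuard Management Server ports.

Added example, not WatchGuard's own code. The port numbers come from the
guide (TCP 4110, 4112, 4113 opened by the Management Server policy); the
check logic, helper names and sample address are this example's own.
"""
import socket
from typing import Dict, Iterable, List

# Ports the Management Server policy opens on the gateway Firebox (from the guide).
MANAGEMENT_SERVER_PORTS = (4110, 4112, 4113)


def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timeout) or unreachable all count as not open.
        return False


def check_management_server(host: str,
                            ports: Iterable[int] = MANAGEMENT_SERVER_PORTS,
                            timeout: float = 3.0) -> Dict[int, bool]:
    """Probe each Management Server port on the given address.

    Run this from outside the gateway Firebox (where the managed devices are)
    against the CRL Distribution IP address, because that is the address the
    managed devices use. A success from the private side says nothing about
    the static NAT entry on the gateway Firebox.
    """
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def missing_ports(results: Dict[int, bool]) -> List[int]:
    """Ports that did not accept a connection, i.e. what is still blocked."""
    return sorted(port for port, ok in results.items() if not ok)


if __name__ == "__main__":
    import sys
    # Constructed placeholder address: replace with your CRL Distribution IP address.
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    results = check_management_server(target)
    for port, ok in sorted(results.items()):
        print(f"{target}:{port} {'open' if ok else 'BLOCKED'}")
    sys.exit(1 if missing_ports(results) else 0)
```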
Find your Management Server license key
For most Firebox X Core and Peak devices, and for XTM 5 Series, 8 Series, and 1050 devices, WatchGuard
System Manager includes a license key that allows you to manage up to four devices. The only exceptions
are the Firebox X 500 and Firebox X 550e. If you have a VPN Manager license key from a previous Firebox or
XTM device purchase, you can use the VPN Manager license key for the WatchGuard Management Server. If
you have neither a WatchGuard System Manager license key that includes the ability to manage more than
one Firebox or XTM device nor a VPN Manager license key, you must purchase a license key from a
WatchGuard reseller to use the WatchGuard Management Server.
To find your WatchGuard System Manager or VPN Manager license key:
1. Open a browser and go to the Manage Products area of the LiveSecurity web site:
https://www.watchguard.com/archive/manageproducts.asp
You must log in with your LiveSecurity credentials if you are not already logged in.
2. Scroll to the bottom of the page.
3. Click the View Details link adjacent to WatchGuard System Manager or VPN Manager.
A list of available license keys appears. If more than one license key appears in the list, you can use
any of them.
The license key has one of these formats:
• WSMMGR-X-000392-yyyyyyyy
• VPNMGR-X-024535-yyyyyyyy
The “X” character shows how many devices you can manage with each key. The “y” characters are a
string of alphanumeric characters.
4. Use one of these keys when you run the WatchGuard Server Center Setup Wizard to set up your
Management Server.
Monitor the status of WatchGuard servers
You can see either brief or full information about your WatchGuard servers.
See which servers are running
To only see whether one or more servers are currently running:
1. Right-click the WatchGuard Server Center icon in the system tray.
2. Select Server Status.
The WatchGuard Server Center Status dialog box appears with a list of the servers installed and whether each
server is currently running.
See complete information for servers
From the Management Server computer:
1. Right-click the WatchGuard Server Center icon in the system tray.
2. Select Open WatchGuard Server Center.
WatchGuard Server Center appears.
For each server, the Servers page shows:
• The server IP address
• Whether it is online or offline
• Whether logging is enabled or disabled
Configure your WatchGuard servers
After you run the WatchGuard Server Center Setup Wizard to set up your servers, you can configure each
server in more detail.
For more information, see:
• About the WatchGuard Management Server on page 505
• Set up a Log Server on page 616
• Set up the Report Server on page 730
• Configure the Quarantine Server on page 1110
• Set up the WebBlocker Server on page 980
You can also set up role-based administration. For more information, see About role-based administration
on page 591.
Open WatchGuard Server Center
You can use WatchGuard Server Center to manage all your WatchGuard servers.
To open WatchGuard Server Center:
1. Right-click the WatchGuard Server Center icon in the system tray and select Open WatchGuard Server Center.
The Connect to WatchGuard Server Center dialog box appears.
2. Type your Username and Administrator passphrase.
3. Click Login.
WatchGuard Server Center appears.
4. From the Servers tree, select the server you want to configure.
• Management Server
• Log Server
• Report Server
• Quarantine Server
• WebBlocker Server
Stop and start your WatchGuard servers
You can manually stop or start WatchGuard servers at any time. You do not have to disconnect from the
servers.
To stop the service, from WatchGuard Server Center:
1. In the Servers tree, select the server you want to stop.
For example, Log Server.
2. Right-click the server and select Stop Server.
A warning message appears.
3. Click Yes to confirm you want to stop the service for the selected server.
The service stops and the Stopped message appears at the top of the server page.
For example, if you stopped Log Server, Log Server-Stopped appears.
To start the service, from WatchGuard Server Center:
1. In the Servers tree, select the server you want to start.
For example, Log Server.
2. Right-click the server and select Start Server.
The service starts and the server name appears at the top of the server page.
For example, if you started Log Server, Log Server appears.
Install or configure WatchGuard servers from the
WatchGuard Server Center
If you have already installed and configured one or more WatchGuard servers, you can use WatchGuard
Server Center (WSC) to install or configure any of the WatchGuard servers you have not already installed or
configured.
1. Open WatchGuard Server Center.
The main Servers page appears.
2. In the Servers tree, select the server you want to install or configure.
The selected server page appears. In the examples below, you see the Log Server main page.
Log Server not installed
Log Server not configured
3. To install the server, click Launch Installer.
The WatchGuard System Manager Installer appears.
To configure the server, click Launch Wizard.
The WatchGuard Server Center Setup Wizard appears.
4. If you selected to install the server, use the instructions in Install WatchGuard System Manager
software on page 22 to complete the installation wizard.
If you selected to configure the server, use the instructions in Set up WatchGuard Servers on page
492 for the server you selected.
5. Click Refresh to update the server page.
6. If you installed the server, repeat Steps 3–5 to configure the server.
If you configured the server, you can now use WSC to Set up WatchGuard Servers.
Exit or open the WatchGuard Server Center application
After you install any WatchGuard server, the WatchGuard Server Center icon automatically appears in the
system tray. This enables you to easily access WatchGuard Server Center. When you close WatchGuard
Server Center, the application continues to run in the background and the icon remains in your system tray.
You can choose to exit the application so it no longer runs in the background and then open it again later.
When you exit the application, the WatchGuard Server Center icon is removed from your system tray.
To exit WatchGuard Server Center and remove the icon from the system tray:
1. In the system tray, right-click the WatchGuard Server Center icon.
2. Select Exit.
A message appears to confirm you want to exit.
3. Click Yes.
The WatchGuard Server Center icon disappears from the system tray.
To restore the WatchGuard Server Center icon to the system tray and open WatchGuard Server Center:
1. Select Start > All Programs > WatchGuard System Manager 11.x > WatchGuard Server Center.
The WatchGuard Server Center icon appears in the system tray.
2. Open WatchGuard Server Center.
18 Management Server Setup and Administration
About the WatchGuard Management Server
The WatchGuard Management Server enables you to centrally manage multiple Firebox or XTM devices and
VPN tunnels of a distributed enterprise from one easy-to-use management interface. You can manage
different types of Firebox or XTM devices: WatchGuard XTM, Firebox X Core, Firebox X Peak, Firebox X
Edge, Firebox III, and SOHO 6.
The workstation that is configured as the Management Server also operates as a Certificate Authority (CA).
The CA gives certificates to managed Firebox or XTM devices when they contact the Management Server to
receive configuration updates.
Install the Management Server
You can install the Management Server software on any computer that uses the Windows operating system.
You do not have to install it on the computer that is your management computer (the computer on which
you install the WatchGuard System Manager software). We recommend that you install the Management
Server software on a computer with a static IP address that is behind a Firebox or XTM device with a static
external IP address. Otherwise, the Management Server may not operate correctly.
When you run the WatchGuard System Manager Setup program to Install WatchGuard System Manager
software on page 22, you choose which client and server components you want to install. In the Server
Components list, make sure you select Management Server.
If you have already installed WatchGuard System Manager (WSM) and did not install the Management
Server, you can still install the Management Server.
1. Install WatchGuard System Manager software.
2. Select only the WatchGuard Management Server check box. Do not select the check box for
components you have already installed.
3. Complete the Setup wizard.
Set up the Management Server
For instructions to set up the Management Server, and other WatchGuard System Manager servers, see Set
up WatchGuard Servers on page 492.
Configure the Management Server
After you set up the server, you can:
• Configure the certificate authority on the Management Server
• Define settings for the Management Server
• Enable and configure Active Directory authentication
• Configure Logging settings for the Management Server
Define settings for the Management Server
You can use the WatchGuard Server Center to define the settings for your Management Server. You can
update the Management Server license, and configure notification and logging settings.
On the computer that has the Management Server software installed:
1. Right-click the WatchGuard Server Center icon in the system tray and select Open WatchGuard Server Center.
The Connect to WatchGuard Server Center dialog box appears.
2. Type your Username and Administrator passphrase. Click Login.
WatchGuard Server Center appears.
3. In the Servers tree, select Management Server.
The Management Server page appears.
4. Change the default settings as appropriate for your network.
• To change certificate authority, client, and revocation list settings, click the Certificates tab.
• To add or remove a license key, or change the settings for notification setup, click the Server
Settings tab.
• To enable and configure Active Directory settings, click the Active Directory tab.
• To change the settings for logging, click the Logging tab.
Configure the certificate authority on the Management Server
You can configure the certificate authority (CA) on the Management Server. However, administrators do not
usually change the properties of the CA certificate.
From WatchGuard Server Center on your management computer:
1. In the Servers tree, select Management Server.
The Management Server pages appear.
2. Select the Certificates tab.
Set properties for the certificate authority
In the Certificate Authority section:
1. In the Common Name text box, type the name you want to appear in the CA certificate.
2. In the Organization text box, type an organization name for the CA certificate.
3. In the Certificate Lifetime text box, type the number of days after which the CA certificate will
expire.
A longer certificate lifetime could give an attacker more time to attack it.
4. From the Key Bits drop-down list, select the strength to apply to the certificate. The higher the
number of the Key Bits setting, the stronger the cryptography that protects the key.
Set properties for client certificates
In the Client section:
1. In the Certificate Lifetime text box, type the number of days after which the client certificate
expires.
A longer certificate lifetime could give an attacker more time to attack it.
2. From the Key Bits drop-down list, select the strength to apply to the certificate.
The higher the number of the Key Bits setting, the stronger the cryptography that protects the key.
Set properties for the Certificate Revocation List (CRL)
In the Certificate Revocation List section:
1. From the Distribution IP Address window, select an IP address from the list, or click Add to add a
new address.
You can also select an IP address and click Remove to delete it from the list.
By default, the distribution IP address is the address of the gateway Firebox. This is also the IP
address the remote managed Firebox or XTM devices use to connect to the Management Server. If
the external IP address of your device changes, you must change this value.
2. Type the Publication Interval for the CRL in hours.
This is the period after which the CRL is automatically published.
The default setting is zero (0), which means that the CRL is published every 720 hours (30 days). The
CRL is also updated after a certificate is revoked.
Send diagnostic log messages for the certification authority
To enable the Management Server to send diagnostic log messages to Windows Event Viewer:
Select the Send CA Service log messages to Windows Event Viewer check box.
To see the log messages, open Windows Event Viewer:
1. From the Windows desktop, select Start > Run.
2. Type eventvwr.
The log messages appear in the Application section of the Event Viewer.
Update the Management Server with a new gateway address
When you use the WatchGuard Server Center Setup Wizard to set up your Management Server, you use
the IP address of the gateway Firebox that protects the Management Server from the Internet. This same IP
address is used as the Certificate Revocation List (CRL) Distribution IP address. If you want to change the IP
address on your gateway Firebox, you must first change the CRL Distribution IP address on your
Management Server, and update all managed devices with this information. If you do not do this, you
cannot keep a connection to each of your managed devices.
Note If you have managed Branch Office VPN (BOVPN) tunnels configured on your
Management Server, and the gateway Firebox is the endpoint in any of these
tunnels, you must remove those VPN tunnels before you start this procedure. When
you are done with this procedure, you must create the VPN tunnels again.
To change the IP address on your gateway Firebox, you must update your Management Server
configuration, update each managed Firebox or XTM device, and edit the NAT configuration of the
WG-Mgmt-Server policy.
1. From the Management Server computer, right-click the WatchGuard Server Center icon in the system tray
and select Open WatchGuard Server Center.
WatchGuard Server Center appears.
2. In the Servers tree, select Management Server.
The Management Server page appears.
3. Select the Certificates tab.
4. In the Certificate Revocation List section, add a new IP address for your gateway Firebox and
remove the old one.
5. Click Apply.
6. On your management computer, open WatchGuard System Manager and connect to your
Management Server.
7. Select the Device Management tab.
8. Right-click a managed device and select Update Device.
9. Below Update Client Settings, make sure that the Reset Server Configuration and Expire Lease
check boxes are selected.
Make sure the Issue/Reissue Firebox’s IPSec Certificate and CA’s Certificate check box is also
selected.
10. Repeat Steps 3–6 for each device managed by your Management Server.
11. Open the configuration of the gateway Firebox in Policy Manager.
12. Select Network > Configuration and change the IP address of the external interface of the device to
the new IP address.
13. Double-click the WG-Mgmt-Server policy.
When you configure a managed Firebox or XTM device, you give the managed device the IP address
of the gateway Firebox. The managed device uses this IP address to find the Management Server.
The WG-Mgmt-Server policy on the gateway Firebox sets up a NAT policy to make sure that any
connection from a managed Firebox or XTM device to the Management Server is sent correctly
through the external interface of the Firebox or XTM device.
14. In the To section, select the NAT entry and click Remove.
15. In the To section, click Add.
The Add Address dialog box appears.
16. Click Add NAT.
The Add Static NAT dialog box appears.
17. From the External IP Address drop-down list, select the new IP address for your gateway Firebox.
18. In the Internal IP Address text box, type the IP address of your Management Server.
19. Click OK.
20. Save the configuration file.
When the Firebox or XTM device restarts, connections between the Management Server and the managed
Firebox or XTM devices start again. You can now re-create any BOVPN tunnels for which the gateway
Firebox is a VPN endpoint.
Change the IP address of a Management Server
Your managed Firebox or XTM devices must always be able to contact your Management Server. If you
change the IP address on your Management Server, or change the IP address on the external interface of
the gateway Firebox, the managed devices could lose contact with the Management Server. When you
change the IP address of your Management Server, you must also change the IP addresses for the
Certificate Revocation List (CRL) Distribution and your managed Firebox or XTM devices.
The CRL Distribution IP address is the IP address that the Management Server gives to managed Firebox or
XTM devices. The managed client devices then use this IP address to connect to the Management Server.
The CRL Distribution IP address must be the same as the external IP address that managed clients use to
connect to the Management Server.
If the Management Server uses a private IP address, the CRL Distribution IP address is the IP address on the
external interface of the gateway Firebox. If the Management Server uses a public IP address, and is not
behind a gateway Firebox, the CRL Distribution IP address is the public, external IP address of the
Management Server.
When you configure a managed Firebox or XTM device, you give the managed Firebox or XTM device the IP
address of the gateway Firebox. The managed Firebox or XTM device uses this IP address to find the
Management Server. The WG-Mgmt-Server policy on the gateway Firebox sets up a NAT policy to make
sure that any connection from a managed Firebox or XTM device to the Management Server is sent
correctly through the external interface of the Firebox or XTM device. To change the IP address on your
Management Server, you must edit the WG-Mgmt-Server policy NAT configuration.
If your Management Server is configured with a private IP address
1. From Policy Manager, open the configuration of the gateway Firebox that protects your
Management Server from the Internet.
2. Double-click the WG-Mgmt-Server policy.
The Edit Policy dialog box appears.
3. Select the NAT entry in the To dialog box of the WG-Mgmt-Server policy and click Remove.
4. Below the To dialog box, click Add.
The Add Address dialog box appears.
5. Click Add NAT.
The Add Static NAT/Server Load Balancing dialog box appears.
6. From the External IP Address drop-down list, make sure the IP address for your gateway Firebox is
selected.
7. In the Internal IP Address text box, type the new IP address of your Management Server.
8. Click OK to close the Add Static NAT/Server Load Balancing dialog box.
9. Click OK to close the Add Address dialog box.
10. Click OK to close the Edit Policy Properties dialog box.
11. Save the configuration file.
If your Management Server is configured with a public IP address
1. From Policy Manager, open the configuration of the gateway Firebox that protects your
Management Server from the Internet.
2. Double-click the WG-Mgmt-Server policy.
The Edit Policy dialog box appears.
3. Select the NAT entry in the To dialog box of the WG-Mgmt-Server policy. Click Remove.
4. Below the To dialog box, click Add.
The Add Address dialog box appears.
5. Click Add Other.
The Add Member dialog box appears.
6. From the Choose Type drop-down list, select Host IP.
7. Type the new public IP address on the Management Server.
8. Click OK to close the Add Member dialog box.
9. Click OK to close the Add Address dialog box.
10. Click OK to close the Edit Policy Properties dialog box.
11. Save the configuration file.
Update the Certificate Revocation List (CRL) Distribution IP address
Note Use this procedure only if your Management Server is configured with a public IP
address.
1. From the Management Server computer, right-click the WatchGuard Server Center icon in the system tray
and select Open WatchGuard Server Center.
The Connect to WatchGuard Server Center dialog box appears.
2. Type the Administrator passphrase and click Login.
The WatchGuard Server Center appears.
3. In the Servers tree, select Management Server.
4. Click the Certificates tab.
5. If there is an IP address in the Certificate Revocation List section, select the address from the
Distribution IP Address list and click Remove.
6. Click Add to add a new address.
The CRL IP Address dialog box appears.
7. Type the new IP Address. Click OK.
The IP address appears in the Distribution IP Address list.
8. Click Apply.
A dialog box appears to confirm you want to update the Management Server with your changes.
9. Click OK.
A Comments dialog box appears.
10. (Optional) Add comments for the audit logs.
11. Click OK.
The Management Server is updated with the changes.
Update managed Firebox or XTM devices
You must update all of your managed client devices to finish the IP address change.
1. In WatchGuard System Manager, connect to your Management Server.
2. Select the Device Management tab.
3. Right-click a managed device and select Update Device.
4. Below Update Client Settings, make sure that the Reset Server Configuration and Expire Lease
check boxes are selected.
5. Repeat Steps 1–3 for each device connected to the Management Server.
Change the Administrator passphrase
The Administrator passphrase is the master passphrase for all of your WatchGuard servers. In previous
versions of WatchGuard System Manager, the Administrator passphrase referred to two passphrases: the
Master passphrase and the Server Management passphrase. These passphrases have been replaced by the
Administrator passphrase in the 11.x release.
The Administrator passphrase is the passphrase for the admin user. The admin user is automatically created
when you complete the WatchGuard Server Center Setup wizard. After you have set up WatchGuard
Server Center, you can change the Administrator passphrase at any time.
Note You cannot change the user name of the admin user. You can only change the
passphrase.
For more information about the WatchGuard Server Center Setup wizard, see Set up WatchGuard Servers
on page 492.
For more information about how to edit users, see Define or remove users or groups on page 597.
We recommend that you back up your Management Server configuration immediately after you change
the Administrator passphrase. When you create a backup configuration file, the current Administrator
passphrase is stored in the file. You must use this passphrase when you restore the configuration file. If you
change your Administrator passphrase, and then restore a backup configuration file with an old
Administrator passphrase, the old passphrase is restored with the server configuration.
For more information about how to restore a backup configuration file, see Back up or restore the
Management Server configuration on page 519.
Before you change the Administrator passphrase, make sure the admin user has logged out of the
Management Server.
From WatchGuard Server Center:
1. In the left navigation bar, select Users.
The Users page appears.
2. On the Users tab, in the Name list, select admin.
3. Click Edit.
The User and Group Properties dialog box appears.
4. Select the Change passphrase check box.
5. Type and confirm the new passphrase.
6. Click OK.
Configure License Key and Notification settings
From WatchGuard Server Center, you add or remove a license key, and configure logging and notification
settings for your WatchGuard Management Server.
1. In the Servers tree, select Management Server.
2. Select the Server Settings tab.
The Server Settings page appears.
3. Use the subsequent sections to configure settings for your Management Server.
4. When you are finished, click Apply to save your changes.
Add or Remove a Management Server license
To add a Management Server license:
1. In the License Keys section, in the text box, type or paste the Management Server license key.
2. Click Add.
The license key appears in the License Keys list.
To remove a Management Server license key:
1. In the License Keys list, select the license key to remove.
2. Click Remove.
For more information on Management Server license keys, see Find your Management Server license key
on page 496.
Configure notification
Select the Send notification when the device does not contact the server check box and configure the
settings for the notification message.
• Email — The Log Server sends an email message to the notification email recipient when the event
occurs.
To define the email recipient, see About notification on page 613.
• Pop-up Window — The Firebox or XTM device opens a dialog box on the management computer
when the event occurs.
If you select this option, make sure to set the Launch Factor.
• Launch factor — The minimum time (in minutes) between different notifications. This parameter
prevents more than one notification in a short time for the same event.
Control configuration change settings
You can set several global configuration parameters to control the log messages sent from the Management
Server to the Log Server.
Send Management Server service log messages to Windows Event Viewer
Select this check box to have the Management Server send diagnostic log messages to the Windows
Event Viewer. You can also control Management Server logging on the Logging tab.
Log audit information at startup
Select this check box if you want the Management Server to log information on managed devices,
VPN resources, VPN firewall policy templates, security templates or Edge Device Configuration
Templates, and managed VPN tunnels when it starts up. You must select this check box to get
accurate information in Report Manager for managed Firebox or XTM devices.
Require users to enter a comment when they save to a Fireware XTM device
Select this check box to require users to type a comment before they save configuration changes
they make in Policy Manager to a managed Firebox or XTM device.
Enable and configure Active Directory authentication
If you want to use an Active Directory server to authenticate users, you use the Active Directory tab in the
Management Server page to define connection information for the Active Directory server.
Note To use Active Directory authentication with your Management Server, you must
enable LDAPS (LDAP over SSL) in the Active Directory domain. For more
information, visit the Microsoft web site or review the documentation for your
Active Directory server.
Although the primary administrator account is always managed by the Management Server, you can use an
Active Directory server to manage other user accounts. When a user from an external authentication
server logs in to the Management Server, the server sends that information to the external Active Directory
server. The Active Directory server tells the Management Server whether the user is valid and what groups
he or she belongs to. The Management Server then compares the user and groups with its list of users and
groups and the role policies they are associated with.
To enable and configure Active Directory authentication, from WatchGuard Server Center:
1. In the Servers tree, select Management Server.
2. Select the Active Directory tab.
The Active Directory page appears.
3. Select the Enable Active Directory authentication check box.
4. To add, edit, or remove a domain in the Domain Name list, click Add / Remove. You can have
multiple domain names in this list.
The Add Domains dialog box appears.
5. To add a domain name to the list, in the Specify domain name text box, type the Active Directory
domain.
The Active Directory domain controller uses SSL to connect to the Active Directory server.
6. Click Add.
7. To add more domain names to the list, repeat Steps 4–6.
8. To remove a domain name from the list, select a domain name in the list and click Remove.
9. When you are finished, click OK to close the Add Domains dialog box.
The domain names you selected appear in the Domain Name list.
10. To verify the SSL certificate, select the Validate the domain controller's SSL certificate check box.
11. To import a CA certificate, click Import.
12. To test your connection for Active Directory authentication, click Test.
13. Click Apply to save your changes.
Configure Logging settings for the Management Server
On the Management Server Logging page, you can configure where the Management Server sends log
message data. You can choose to send log messages to the WatchGuard Log Server, Windows Event Viewer,
and/or a log file.
From WatchGuard Server Center:
1. In the Servers tree, select Management Server.
2. Select the Logging tab.
The Logging page appears.
3. Configure settings for your Management Server.
For detailed information about server configuration, see Configure Logging Settings for your
WatchGuard servers on page 632.
4. When you are finished, click Apply to save your changes.
Back up or restore the Management Server configuration
The Management Server contains the configuration information for all managed Firebox or XTM devices
and VPN tunnels. It is a good idea to create regular and frequent backup files for the Management Server
and keep them in a safe place. You can use these backup files to restore the Management Server in case of
hardware failure. You can also use backup files if you want to move the Management Server to a new
computer.
When you create a backup configuration file, the current Administrator passphrase is stored in the file. You
must use this passphrase to restore the configuration file. If you change your Administrator passphrase,
make sure you remember the passphrase for your backup file. When you restore a backup configuration
file with an old Administrator passphrase, that passphrase is restored with the server configuration.
Back up your configuration
From the computer where you installed the Management Server:
1. Right-click the WatchGuard Server Center icon in the system tray and select Backup/Restore.
Or, from WatchGuard Server Center, select File > Backup/Restore.
The WatchGuard Server Center Backup/Restore Wizard starts.
2. Click Next.
The Select an action screen appears.
3. Select Back up settings.
4. Click Next.
The Specify a backup file screen appears.
5. Click Browse to select a location for the backup file.
Make sure you save the configuration file to a location you can access later to restore the
configuration.
6. Click Next.
The WatchGuard Server Center Backup/Restore Wizard is complete screen appears.
7. Click Finish to exit the wizard.
Restore your configuration
Before you begin, make sure you have the correct Administrator passphrase for your backup file.
From the computer where you installed the Management Server:
1. Right-click and select Backup/Restore.
The WatchGuard Server Center Backup/Restore Wizard starts.
2. Click Next.
The Select an action screen appears.
3. Select Restore settings.
4. Click Next.
The Specify a backup file screen appears.
5. Click Browse to select the backup file.
6. Type the Administrator passphrase for the backup file.
7. Click Next.
The WatchGuard Server Center Backup/Restore Wizard is complete screen appears.
8. Click Finish to exit the wizard.
Move the WatchGuard Management Server to a new computer
To move Management Server software to a new computer, you first back up the Management Server
configuration on the current computer, then you restore the configuration on the new computer. Make
sure you have the Administrator passphrase from the backup configuration. You must also make sure that
the new Management Server has the same IP address as the former Management Server.
Back up, move, and restore your Management Server
From the computer where the Management Server is installed:
1. Right-click and select Backup/Restore.
The WatchGuard Server Center Backup/Restore Wizard starts.
2. Use the wizard to back up your Management Server configuration.
For more information, see Back up or restore the Management Server configuration on page 519.
Make sure you save the configuration file to a location you can access from the new computer.
3. On the new computer, run the WatchGuard System Manager Setup program.
4. Under the Server Components section, make sure you select Management Server.
5. Right-click on the new computer and select Backup/Restore.
The WatchGuard Server Center Backup/Restore Wizard starts.
6. Use the wizard to restore your Management Server configuration.
For more information, see Back up or restore the Management Server configuration on page 519.
Configure other installed WatchGuard Servers
When you restore a configuration to your new Management Server installation, you do not have to
complete the WatchGuard Server Center Setup Wizard when you open WatchGuard Server Center and
access your Management Server. However, if you have installed other WatchGuard servers on your new
management computer, the configuration does not restore settings for these servers. You must run the
Server Center Setup Wizard to configure the other servers.
From WatchGuard Server Center:
1. In the Servers tree, select any server with the status Server not configured.
2. Click the Click here to launch setup wizard for [WatchGuard] Server link.
The link text specifies the name of the server you selected, but the Wizard sets up all installed
WatchGuard servers.
A dialog box appears that tells you the wizard will launch.
3. Click OK.
The WatchGuard Server Center Setup Wizard appears.
4. Click Next.
Make sure you have all the necessary information to set up the WatchGuard servers you installed.
For more details about the information necessary to complete the Server Center Setup Wizard, see
Set up WatchGuard Servers on page 492.
5. Complete the Server Center Setup Wizard.
6. Click Refresh on the server page of the selected server.
The server information appears and the server is started.
7. In the Servers list, select another installed server.
The Click here to launch setup wizard for [WatchGuard] Server link appears on the server page. Do
not click this link. The server is already set up.
8. Click Refresh.
The server information appears and the server is started.
9. Repeat Steps 7–8 for each WatchGuard server you installed.
Use WSM to connect to a Management Server
To connect to a Management Server from WatchGuard System Manager:
1. Click .
Or, select File > Connect to Server.
Or, right-click anywhere in the WatchGuard System Manager window and select Connect to >
Server.
The Connect to Management Server dialog box appears.
2. From the Management Server drop-down list, select a server by its host name or IP address.
Or, type the IP address or host name.
When you type an IP address, type all the numbers and the periods. Do not use the Tab or arrow keys.
3. Type your user name for your user account on the Management Server.
4. Type the passphrase for your user account.
If you use the default admin account, the passphrase is the Administrator passphrase.
5. If necessary, change the Timeout value.
This value sets the time (in seconds) that WatchGuard System Manager listens for data from the
Management Server before it sends a message that it cannot connect.
If you have a slow network or Internet connection to the device, you can increase the timeout value.
This value is the duration you must wait for a timeout message if you try to connect to a
Management Server that is not available.
6. Click Login.
The server appears in the WatchGuard System Manager window.
Note In some previous versions of WatchGuard security products, the WatchGuard
Management Server was called the DVCP Server.
Disconnect from the Management Server
1. Select the Management Server.
2. Click .
Or, select File > Disconnect.
Or, right-click and select Disconnect.
Import or Export a Management Server configuration
You can use WatchGuard System Manager (WSM) to export your Management Server configuration file to a
DVCP file. You can then use a text editor to open the file and view it. You can also import a saved DVCP
configuration file to your Management Server.
A saved configuration file is not a substitute for a backup of your Management Server. For more information
about how to back up your Management Server, see Back up or restore the Management Server
configuration on page 519.
Export a configuration
1. Open WSM and connect to your Management Server.
2. Select File > Export to File.
The Save As dialog box appears. The default file name is [Management Server IP address].dvcp.
3. To select a different name for the file, type a name in the File name text box.
4. Select a location to save the file.
5. Click Save.
Import a configuration
1. Open WSM and connect to your Management Server.
2. Select File > Import from File.
The Open dialog box appears.
3. Browse to select a configuration file.
4. Click Open.
19 Centralized Management
About WatchGuard System Manager
WatchGuard System Manager (WSM) has menus and icons you can use to start other tools. WSM also has
two tabs that you can use to monitor and manage your Firebox or XTM devices and environment: Device
Status and Device Management.
Device status
Information about a device you connect to appears in the Device Status tab. The information that appears
includes the status, IP address, and MAC address for each Ethernet interface, and the installed certificates. It
also includes the status of all virtual private network (VPN) tunnels that are configured in WSM.
Expanded information for each Firebox or XTM device includes the IP address and subnet mask of each
Firebox or XTM device interface. It also includes:
• IP address and subnet mask of the default gateway (for external interfaces only)
• MAC (Media Access Control) address of the interface
• Number of packets sent and received on each interface since the last Firebox or XTM device restart
Each device can be in one of four possible states, as indicated by the device icon:
• (Normal operation) The device is successfully sending data to WatchGuard System Manager.
• The device has a dynamic IP address and has not yet contacted the Management Server.
• WatchGuard System Manager cannot make a network connection to the device at this time.
• The device is being contacted for the first time or has not been contacted yet.
The Device Status tab also includes information on Branch Office VPN tunnels and Mobile VPN tunnels.
Device management
Note You only see the Device Management tab when you Use WSM to connect to a
Management Server.
The Device Management tab has a navigation pane on the left and an information pane on the right. The
navigation pane shows the connected WatchGuard Management Servers and their managed devices,
Managed VPNs, VPN Firewall Policy Templates, Security Templates, Device Configuration Templates, and
Scheduled Tasks. If you expand a device list, you see the VPN resources (networks) behind the device. For
more information, see Add VPN resources on page 817.
The information pane on the right shows more detailed information for any item you select in the
navigation pane.
Management Server
To see or change information about the Management Server, click the Management Server in the
navigation pane. The available information about the Management Server appears in the right pane
and includes:
• User name and IP address of the user logged in to WSM
  This user name is also included in parentheses after the IP address of the Management Server in the left
  navigation pane.
• Manage aliases for Firebox X Edge devices
• Manage Server Licenses
• Customers — You can change the Contact List, as described in Set device management properties
• See and manage the Monitored Report Servers list
• List of managed devices, VPN tunnels, and Device Configuration
  For more information, see Add and manage VPN tunnels and resources on page 554 and
  Create and subscribe to Device Configuration Templates on page 570.
• WatchGuard Alerts — Recent LiveSecurity Broadcasts that are information alerts
  If you click an alert, you must log in with your LiveSecurity Service account information to see the full text
  of the alert.
• Start WatchGuard System Manager tools
• Review, cancel, or delete Scheduled Tasks
Devices
To see a list of managed devices for the Management Server, click the Devices list in the navigation
pane. The Devices page appears and shows information about all the devices managed by this
Management Server.
To see information for managed devices, click a device in the Devices list, or double-click a device
on the Devices page. The Device page for the selected device appears.
Managed VPNs
To see a list of existing VPN tunnels and add new VPN tunnels, click Managed VPNs in the navigation
pane. On the Managed VPNs page, you can review basic details about your managed VPN tunnels.
Double-click a managed VPN in the list to go to the Managed VPN page for that VPN tunnel. You can
also click Add to Add and manage VPN tunnels and resources.
To see information about an existing Managed VPN tunnel, click a managed VPN in the Managed
VPNs tree. On the Managed VPN settings page, you can review the tunnel settings. Click Configure
to Add and manage VPN tunnels and resources.
About the Device Management page
You can use the device management page to configure management settings for your managed devices.
1. Use WSM to connect to a Management Server.
2. On the Device Management tab, select Devices.
The Devices page appears.
3. Double-click a device in the list.
Or, expand Devices, and click a device in the list.
The Device management page for the selected device appears.
From the Device Management page you can:
• See if the device configuration file is locked
  If another Management Server user account has opened the configuration file in Policy Manager,
  the device configuration file is locked. An alert appears at the top of the page to indicate the file is
  locked. You cannot make changes to the device configuration file until the other user unlocks the file
  (closes Policy Manager for this device).
• See general device information
• See, add, edit, or remove VPN tunnels for the device
  For more information about this section of the page, see Add and manage VPN tunnels and
  resources on page 554.
• See, add, edit, or remove VPN resources for the device
• Launch tools you can use to monitor, define, or manage the device
See information for managed devices
In WatchGuard System Manager, you can see the list of managed devices and information for each one.
1. Use WSM to connect to a Management Server.
2. Select a device or folder in the Devices list.
Information for that device appears on the Devices page.
Name
The name of the managed device.
Type
The type of device or appliance software installed on the managed Firebox or XTM device.
Update Status
Scheduled device updates and update status appear in this column.
• Never — The device has never been updated.
• Pending — A change has been made but not synchronized on the device, or an update is
  in progress.
• Scheduled — An update has been scheduled, but has not started.
• Complete — The device has been updated. The date/time of the update appears in
  parentheses.
IP Address
The IP address used to identify the Firebox or XTM device. If the Firebox or XTM device has not
reported in to the server, n/a appears in this field.
Last Modified
The time and date when the configuration file for the device was last changed on the server.
About Centralized Management modes
Centralized Management enables you to control the configurations and settings for your Firebox or XTM
devices from your WatchGuard Management Server. Centralized Management includes two modes: Basic
Managed Mode and Fully Managed Mode. Basic Managed Mode is available for all Firebox or XTM device
models that can be managed by your Management Server. Fully Managed Mode is available for Firebox X
Edge and Fireware XTM devices only.
For more information about which Firebox or XTM device models you can manage with your Management
Server, see Add managed devices to the Management Server on page 531.
In Basic Managed Mode you can use the Management Server to:
• Monitor your Firebox or XTM device
• Manage and monitor VPN tunnels
• Synchronize your feature key
• Update your Firebox or XTM device OS
In Fully Managed Mode you can use the Management Server to:
• Monitor your Firebox or XTM device
• Manage and monitor VPN tunnels
• Synchronize your feature key
• Update your Firebox or XTM device OS
• Manage your Firebox or XTM device configuration with the Management Server
• Schedule configuration updates to your managed devices
• Manage device templates
• Schedule updates to your Device Configuration Templates
When you use WatchGuard System Manager (WSM) to add your device to the Management Server as a
managed device, it is automatically in Basic Managed Mode. To change to Fully Managed Mode, you can
subscribe it to a Device Configuration Template, or you can use the Device Mode section on the WSM
Device page for your Firebox or XTM device.
When a Firebox or XTM device is in Basic Managed Mode, you can still connect directly to the Firebox or
XTM device and manage the configuration file locally with Policy Manager. When a Firebox or XTM device is
in Fully Managed Mode, you can only make changes to the configuration from the Management Server. If
you connect directly to the Firebox or XTM device, the connection and configuration are set to read-only,
and you cannot make changes to the configuration locally.
For more information about how to subscribe a device to a template, see Subscribe managed devices to
Device Configuration Templates on page 581.
For more information about how to change the management mode, see Change the Centralized
Management mode on page 528.
For more information about how to use WSM to manage your devices, see About WatchGuard System
Manager on page 523.
Change the Centralized Management mode
When you add your Firebox or XTM device to your Management Server as a managed device, it is added in
Basic Managed Mode. You can use WatchGuard System Manager (WSM) to change your Firebox or XTM
device to Fully Managed Mode and subscribe it to a Device Configuration Template.
For more information about management modes, see About Centralized Management modes on page 527.
For more information about Device Configuration Templates, see Create and subscribe to Device
Configuration Templates on page 570.
To change the management mode:
1. Use WSM to connect to a Management Server.
2. Expand the Devices list and select a Firebox X Edge or Fireware XTM device.
The Device page appears for the device you selected. The current Device Mode appears in the Device Mode
section.
3. In the Device Mode section, click Settings.
The Device Mode dialog box appears.
4. Follow the steps in the subsequent section for the mode you want to select.
Change to Basic Managed Mode
When you change from Fully Managed Mode to Basic Managed Mode, if your Firebox or XTM device is
subscribed to a Device Configuration Template, the template subscription expires and all the template
policies and settings are removed from the Firebox or XTM device configuration.
In the Device Mode dialog box:
1. Select Basic Managed Mode.
2. Click OK.
Basic Managed Mode appears in the Device Mode section.
Change to Fully Managed Mode
When you change from Basic Managed Mode to Fully Managed Mode, you can select to subscribe the
device to a configuration template.
In the Device Mode dialog box:
1. Select Fully Managed Mode.
2. To subscribe to a configuration template, select the Use Configuration Template check box and
select a template in the drop-down list.
3. Click OK.
A confirmation message appears.
4. Click Yes.
The Management Server downloads the configuration file. If you selected a configuration template, the device
is subscribed to the template.
Use the Device Mode settings to subscribe to a template
If you placed your Firebox or XTM device in Fully Managed Mode but did not subscribe it to a template, you
can use the Device Mode dialog box to select a template.
1. In the Device Mode section, click Settings.
The Device Mode dialog box appears.
2. Select the Use Configuration Template check box.
3. Select a template from the subsequent drop-down list.
4. Click OK.
A confirmation message appears.
5. If you do not want to restart the Firebox or XTM device, clear the Restart device now to expire
lease and download new configuration check box.
6. Click Yes.
The device is subscribed to the template.
Add managed devices to the Management Server
You can use the Management Server to manage Firebox devices, including Firebox X and WatchGuard XTM
devices that use Fireware XTM appliance software, Firebox X devices that use Fireware appliance software,
Firebox X Edge devices, Firebox III and Firebox X Core devices that use WFS appliance software, and Firebox
SOHO devices. You can manage a device with a dynamic IP address if you used Policy Manager to
configure it as a managed client. If your device has multiple external interfaces, do not change the
interface configuration after you add the device to the Management Server.
From WatchGuard System Manager:
1. Click to connect to the Management Server.
Or, select File > Connect to Server.
Or, right-click anywhere in the window and select Connect to > Server.
The Connect to Management Server dialog box appears.
2. Type or select the IP address of the Management Server and type the configuration passphrase.
3. Click Login.
The Management Server page appears.
4. Click to add a device.
Or, on the Management Server page, in the Summary section, select Add Device.
The Add Device Wizard starts.
5. Click Next.
The first configuration screen appears.
6. Select an option:
• I know the device's current IP address
• I don't know the device's current dynamically allocated IP address
7. Follow the instructions in the subsequent section for the option you selected.
If you know the current IP address of the device
1. Type the Hostname/IP Address, Status Passphrase, and Configuration Passphrase for the device.
If you select a device that is already managed by another server, a warning message appears. Click
Yes to overwrite the other configuration and add this device to this Management Server.
2. Click Next.
The wizard performs device discovery.
3. If you want to use a name other than the default name, type a Client Name for the device.
4. Select the Device Type from the drop-down list.
5. Type and confirm the Shared Secret.
The name and shared secret you type here must match the name and shared secret you give the
device when you enable it as a managed client.
6. Click Next.
7. Type and confirm the Status Passphrase and the Configuration Passphrase. Click Next.
8. Select the tunnel authentication method for the device. Click Next.
The Configure the Device page appears.
9. Click Next.
The Add Device Wizard is complete page appears.
10. Review the information for your device. Click Close.
The Add Device Wizard closes and the device appears in WSM in the correct device category in the Summary
list and in the Devices list.
If you do not know the IP address of the device
After you complete the wizard, you can manually configure the device for management. When the device
is configured for management, it contacts the Management Server.
For more information, see Configure a Firebox or XTM device as a managed device on page 556 and follow
the procedure in the Set up the Managed Client section.
1. Click Next.
The wizard does not perform device discovery and the Enter a name for the device page appears.
2. If you want to use a name other than the default name, type a Client Name for the device.
3. Select the Device Type from the drop-down list.
4. Type and confirm the Shared Secret.
The name and shared secret you type here must match the name and shared secret you give the
device when you enable it as a managed client.
5. Click Next.
6. Type and confirm the Status Passphrase and the Configuration Passphrase. Click Next.
The Select the tunnel authentication method page appears.
7. Select the tunnel authentication method for the device. Click Next.
The Configure the Device page appears.
8. Click Next.
The Add Device Wizard is complete page appears.
9. Click Close.
The Add Device Wizard closes and the device appears in WSM in the correct device category in the Summary
list and in the Devices list.
Note If there is a lot of network traffic when the wizard tries to connect to the device, the
SSL connection times out. Complete the wizard again when the network is less busy.
Set device management properties
You can configure three categories of device management properties from the Device Management page
for your Firebox or XTM device: connection settings, IPSec tunnel preferences, and contact information.
Connection settings
1. On the Device Management page, in the Device Information section, click Configure.
The Device Properties dialog box appears.
2. In the Display Name field, type the name that you want to appear in WSM for the device.
3. From the Firebox Type drop-down list, select the device hardware and, if applicable, the appliance
software installed on it.
4. If the device has a static IP address, in the Hostname/IP Address field, select or type the entry for
your device. This field contains the list of external IP addresses that WSM uses to poll the device and
to build VPN tunnels.
5. If the device has a dynamic IP address, select the Device has dynamic external IP address check box.
6. In the Client Name field, type the name of the device.
For more information about how to manually set up a device for management, see Configure a
Firebox or XTM device as a managed device on page 556.
7. Type the status and configuration passphrases for the Firebox or XTM device.
8. In the Shared Secret field, type the shared secret between the device and the Management Server.
9. In the Lease Time text box, type or select the Management Server lease time. This is the time
interval at which the managed device contacts the Management Server for updates. The default is
60 minutes.
IPSec tunnel preferences
1. In the Device Properties dialog box, select the IPSec Tunnel Preferences tab.
2. (Does not appear for Edge v10.0 or older) From the Tunnel Authentication drop-down list, select
either Shared Key or IPSec Firebox Certificate. The second option uses the certificate for the
Firebox or XTM device.
For more information about certificates, see Certificates for Branch Office VPN (BOVPN) tunnel
authentication on page 794.
3. If you want your managed device to get its WINS and DNS settings through the IPSec BOVPN tunnel,
type the primary and secondary addresses for the WINS and DNS servers. Otherwise, you can leave
these fields blank.
You can also type a domain suffix in the Domain Name text box for a DHCP client to use with
unqualified names such as kunstler_mail.
Contact information
On the Device Management page for your Firebox or XTM device, you can see the current entries in the
Contact List and edit those entries. If you want to add a new entry in the Contact List for your managed
device, you must first add it to the Management Server contact list.
For more information, see Manage customer contact information on page 551.
1. In the Device Properties dialog box, select the Contact Information tab.
A list of contact information for remote devices appears.
2. To see entries in the contact list or edit an existing entry, click Contact List.
The Contact List appears.
3. To edit an entry, double-click the entry you want to edit.
The Contact Information dialog box appears.
4. Make any changes and click OK.
The updated entry appears in the Contact List dialog box.
5. Click OK.
Schedule tasks for managed devices
You can use WatchGuard System Manager (WSM) to schedule three specific types of tasks for your
managed Firebox or XTM devices: OS (operating system) updates, feature key synchronization, and device
reboots. OS updates for Firebox or XTM devices must be installed on the Management Server. You can
download OS updates from LiveSecurity when you update the WSM software. You can also use WSM to get
the most recent feature key for each of your managed Firebox or XTM devices from LiveSecurity. With the
Schedule Reboot task, you can select to reboot one or more of your managed Firebox X Edge or XTM
devices at a specific time.
When you schedule a task, you can set it to occur immediately or at a time in the future. For example, you
can schedule an update for your Firebox or XTM device OS every Friday at midnight, schedule to
synchronize your feature key the last day of each month, and reboot specific managed devices on the first
of each month.
There are two limitations for scheduled OS updates. You cannot schedule an OS update for any
device that is a member of a FireCluster. Also, do not include the Management Server gateway Firebox in a
scheduled OS update with other devices. If you want to schedule an OS update for your gateway Firebox,
make sure to schedule it as a separate task.
You can use WSM to schedule configuration updates to your fully managed Firebox or XTM devices. These
configuration updates are scheduled from Policy Manager rather than from the Scheduled Tasks page. For
more information about how to schedule these updates, see Update the configuration for a Fully Managed
device on page 549.
The current status of all scheduled tasks appears on the Device Management tab, in the Scheduled Tasks page.
To schedule a new task, from WatchGuard System Manager:
1. Select the Device Management tab.
2. In the left navigation bar, select the Management Server for the devices you want to update.
The Management Server page appears. The Scheduled Tasks section at the right side of the page shows the
number of scheduled tasks.
3. In the Scheduled Tasks section, select the task you want to schedule.
4. Use the instructions in the subsequent topics to complete the selected task:
• Schedule OS Update
• Schedule Feature Key Synchronization
• Schedule Reboot
When the task is scheduled, the task appears on the Scheduled Tasks page with a separate Task ID for each
device included in the task. Although each device has a separate row in the list, you cannot select an
individual device for a scheduled task. Any actions you take apply to all devices in the scheduled task.
For more information about how to see details for all scheduled tasks, or to cancel or delete a scheduled
task, see Review, cancel, or delete Scheduled Tasks on page 546.
Schedule OS Update
You can use the WatchGuard System Manager Update OS Wizard to schedule an update of the OS
(operating system) for one or more of your managed devices. Before you begin, make sure that the OS
update file for the managed device you want to update is installed on your Management Server. You cannot
schedule an OS update if the update file is not installed on the Management Server. Before a scheduled OS
update for a device is complete, the device reboots.
Install an OS update
To install the automatic OS update on your Management Server:
1. Open a web browser and go to the Software Downloads page on the WatchGuard web site.
2. Download the OS update file for your Firebox or XTM device to your management computer (the
computer where your Management Server is installed).
This is an EXE file. For example, XTM_OS_1050_11_1.exe.
3. Go to the location on your management computer where you saved the EXE file, and double-click
the file to run it and install the OS on your management computer.
Schedule an OS update task
In the Scheduled Tasks section:
1. Click Schedule OS Update.
The Update OS wizard starts.
2. Read the Welcome message and click Next.
The Select the device page appears.
3. Select the Device Type from the drop-down list and click Next.
The Select the devices page appears.
4. Select the check box for each Firebox or XTM device that you want to update and click Next.
The Select the OS version page appears.
5. Select an OS Version from the drop-down list and click Next.
The Select the Time and Date page appears.
6. To update the OS immediately, select Update OS immediately.
To schedule the update for a future time, select Schedule OS update.
7. If you selected Schedule OS update, select the date from the Date drop-down list, and set the time
in the Time text box.
8. Click Next.
The Schedule the OS update page appears.
9. Click Next.
The Update OS Wizard is complete page appears.
10. Click Close to finish the wizard.
The OS is updated if you selected Update OS immediately, or scheduled if you selected Schedule OS update.
The number of scheduled tasks appears in the Scheduled Tasks section.
When the scheduled OS update occurs, the Management Server updates the Firebox or XTM device OS and
reboots the device.
Schedule Feature Key Synchronization
You can use your Management Server to schedule a Feature Key synchronization for one or more of your
managed devices.
In the Scheduled Tasks section:
1. Click Schedule Feature Key Synchronization.
The Synchronize Feature Keys wizard starts.
2. Read the Welcome message and click Next.
The Select the devices page appears.
3. Select the check box for each managed Firebox or XTM device with a feature key that you want to
synchronize. Click Next.
The Select the Time and Date page appears.
4. To synchronize feature keys immediately, select Synchronize Feature Keys immediately.
To schedule the feature keys to synchronize at a future time, select Schedule feature keys sync.
5. If you selected Schedule feature keys sync, select the date from the Date drop-down list, and set
the time in the Time text box.
6. Click Next.
The Schedule the Feature Keys Synchronization page appears.
7. Click Next.
The Synchronize Feature Keys Wizard is complete page appears.
8. Click Close to finish the wizard.
The feature keys are synchronized if you selected Synchronize Feature Keys immediately, or scheduled if you
selected Schedule feature keys sync. The number of scheduled tasks appears in the Scheduled Tasks section.
Schedule Reboot
You can use the WatchGuard System Manager Schedule Reboot wizard to reboot one or more of your
managed Firebox X Edge v10.x or Fireware XTM devices. You can choose to schedule a reboot for an
individual device, or you can schedule a reboot for a group of devices.
Schedule a reboot for an individual device
When you schedule a reboot for an individual device, the Schedule Reboot Wizard launches, but you cannot
select to include other devices in the scheduled reboot.
1. In the left navigation bar, expand the Devices tree.
2. Select the device for which you want to schedule a reboot.
3. Right-click the device, and select Schedule Reboot.
The Scheduled Reboot Wizard appears.
4. Read the Welcome message and click Next.
The Select the Time and Date page appears.
5. To reboot the device immediately, select Reboot the device immediately.
To schedule the device to reboot at a future time, select Schedule the reboot.
6. If you selected Schedule the reboot:
- From the Date drop-down list, select the date.
- In the Time text box, set the time.
7. Click Next.
The Schedule the Reboot page appears.
8. Click Next.
The Scheduled Reboot Wizard is complete page appears.
9. Click Close to finish the Wizard.
The device is rebooted if you selected Reboot the device immediately, or the reboot is scheduled if you
selected Schedule the reboot. The number of scheduled tasks appears in the Scheduled Tasks section.
Schedule a reboot for one or more devices
You can schedule a reboot for more than one device at the same time.
1. On the Management Server page, in the Scheduled Tasks section, click Schedule Reboot.
Or, in the Device Management tree, right-click Scheduled Tasks and select Schedule Reboot.
Or, on the Scheduled Tasks page, click Add and select Schedule Reboot.
The Scheduled Reboot Wizard appears.
2. Read the Welcome message and click Next.
The Select the devices page appears.
3. Select the check box for each device you want to reboot and click Next.
The Select the Time and Date page appears.
4. To reboot the device immediately, select Reboot the device immediately.
To schedule the device to reboot at a future time, select Schedule the reboot.
5. If you selected Schedule the reboot, select the date from the Date drop-down list, and set the time
in the Time text box.
6. Click Next.
The Schedule the Reboot page appears.
7. Click Next.
The Scheduled Reboot Wizard is complete page appears.
8. Click Close to finish the wizard.
The devices are rebooted if you selected Reboot the device immediately, or the reboot is scheduled if you
selected Schedule the reboot. The number of scheduled tasks appears in the Scheduled Tasks section.
Review, cancel, or delete Scheduled Tasks
After you have scheduled WatchGuard System Manager (WSM) to update the OS or synchronize the feature
keys for your managed Firebox or XTM devices, you can review, cancel, or delete these Scheduled Tasks.
You cannot edit a Scheduled Task. If you want to change the properties of a task you have created, you must
delete that task and schedule a new task. When you include more than one device in a scheduled task, any
changes you make to the scheduled task affect all the devices included in the task.
For more information about how to schedule a new task, see Schedule tasks for managed devices on page 538.
Review Scheduled Tasks
1. Open WSM and connect to a Management Server.
2. On the Device Management tab, in the left navigation bar, select Scheduled Tasks.
The Scheduled Tasks page appears.
3. Review the tasks in the Scheduled Tasks list.
Each update has a unique Task ID and appears on a separate line for each device, even if more than
one device is included in the same update. For this reason, when you select a device in the
Scheduled Tasks list, all devices included in that scheduled update are selected.
4. Cancel, delete, or add a new task as necessary.
- To delete a scheduled task, right-click a device and select Remove Scheduled Update.
The update is removed from the schedule for all devices included in that update.
- To cancel a scheduled update, right-click a device and select Cancel Scheduled Update.
The task stays in the schedule, but the status changes to Cancelled. You can remove the task later, but
you cannot activate it again.
- To add a scheduled OS update, click Add and select Add OS Update.
Or, right-click and select Add OS Update.
The Update OS Wizard starts.
- To schedule Feature Key Synchronization, click Add and select Add Feature Key
Synchronization.
Or, right-click and select Add Feature Key Synchronization.
The Synchronize Feature Keys Wizard starts.
- To schedule a device reboot, click Add and select Schedule Reboot.
The Schedule Reboot Wizard starts.
Clean up Scheduled Tasks
The Scheduled Tasks list shows all the OS Update, Feature Key Synchronization, and Scheduled Reboot tasks
for your Management Server. If your Scheduled Tasks list includes tasks with a status of Cancelled,
Downloaded, Installed, or Failed, you can use the procedure in the previous section to delete each task
individually. Or, you can remove them all at one time.
To clean up all outstanding Scheduled Tasks at one time:
1. Open WSM and connect to a Management Server.
2. On the Device Management tab, in the left navigation bar, select Scheduled Tasks.
The Scheduled Tasks page appears.
3. In the Scheduled Tasks window, right-click anywhere.
The right-click menu appears.
4. Select Cleanup Tasks.
A warning message appears.
5. Click Yes.
All downloaded, installed, cancelled, and failed tasks are deleted from the list. Only tasks with a status of
Scheduled remain.
Update the configuration for a Fully Managed
device
To change the configuration for any Firebox or XTM device that is fully managed by your Management
Server, you must start Policy Manager for that device from the WatchGuard System Manager (WSM) Device
Management tab.
1. Use WSM to connect to a Management Server (see page 521).
2. Expand the Devices list and select a Firebox X Edge or Fireware XTM device.
The Device page appears for the device you selected.
3. In the Tools section, click Policy Manager.
Policy Manager opens the configuration file for the device you selected.
4. Update the configuration file with your changes.
5. Save the configuration to a file or to the Management Server.
For more information about the options to save the configuration, see the subsequent sections.
To save the configuration to a file:
1. Click the save icon on the Policy Manager toolbar.
The Save dialog box appears.
2. Type the File name for the configuration file.
3. Select the directory where you want to save the configuration file.
4. Click Save.
The configuration is saved to a file in the location you specified.
To save the configuration directly to the Management Server:
1. Click the save icon on the Policy Manager toolbar.
The Schedule Configuration Update Wizard appears.
2. Click Next to start the wizard.
The Select the Time and Date page appears.
3. Select when to update the configuration file.
- Update configuration immediately
- Schedule configuration update
4. If you selected to schedule the update, select the Date and Time for the update.
5. Click Next.
The Schedule Configuration Update Wizard is complete page appears.
6. Click Finish to close the wizard.
A message that the configuration was saved to the Management Server appears. If you scheduled an update,
the date for the scheduled update appears in the Update Status field on the Device page for the device, and on
the main Devices page.
Manage Server Licenses
You can use WatchGuard System Manager (WSM) to manage the licenses for your Management Server. You
can add or delete license keys, and see the current license key information, including how many devices
your license keys allow you to manage.
See current license key information
1. Start WatchGuard System Manager and use WSM to connect to a Management Server.
The Management Server page appears.
2. In the Server Information section, click Manage Server Licenses.
Or, select File > Manage Server Licenses.
The Management Server Licenses dialog box appears.
Add or remove a license key
To add a license key:
1. In the Management Server Licenses dialog box, click Add.
The Add License Key dialog box appears.
2. In the License Key text box, type or paste the license key.
3. Click OK.
The license key you added appears in the License Keys window and the number of licensed devices is updated.
To remove a license key:
1. In the License Keys window, select the license key you want to remove.
2. Click Remove.
The license key is deleted from the License Keys window and the number of licensed devices is updated.
Save or discard your changes
After you have added or removed any license keys, you can save or discard your changes.
In the Management Server Licenses dialog box:
- To save your changes, click OK.
- To close the dialog box and discard any changes, click Cancel.
Manage customer contact information
You can use WatchGuard System Manager (WSM) to manage the Contact List for your Management Server.
After you add contacts to the Contact List, you can add information for those contacts to each of your
managed Firebox or XTM devices.
For more information about how to add a contact to your managed Firebox or XTM device, see Set device
management properties on page 535.
Add a contact to the Management Server
You can add a new contact to the Management Server Contact List at any time.
1. Use WSM to connect to a Management Server.
The Management Server page appears.
2. In the Server Information section, click Manage Customers.
The Contact List dialog box appears.
3. To add a contact to the list, click Add.
The Contact Information dialog box appears.
4. Type the necessary information in each text box. All of the information is optional.
5. Click OK.
The new contact appears in the Contact List.
6. To add another contact, repeat Steps 3–5.
7. Click OK when you are finished.
Edit a contact in the Contact List
You can change any of the information for a current entry in the Contact List.
1. Use WSM to connect to a Management Server.
The Management Server page appears.
2. In the Server Information section, click Manage Customers.
The Contact List dialog box appears.
3. In the Contact List dialog box, select the entry you want to change.
4. Click Edit.
The Contact Information dialog box appears.
5. Update the necessary information.
6. Click OK.
The updated entry appears in the Contact List dialog box.
7. To edit another contact, repeat Steps 3–6.
8. Click OK when you are finished.
See and manage the Monitored Report Servers list
The Monitored Report Servers List is used to configure the list of Report Servers that are on a different
computer than your WatchGuard Log Server. When you install the Log Server and Report Server on
different computers, your Management Server contacts the Report Servers in the Report Server List to find
the associated Log Servers. Then, when you use WatchGuard System Manager (WSM) to connect to Report
Manager, it connects to the appropriate Report Server.
You can use WSM to see and manage the connection information for your WatchGuard Report Servers. You
can add a new Report Server, change the IP address or port for an existing Report Server, or remove a
Report Server from the list.
1. Open WSM and connect to your Management Server.
The Management Server page appears.
2. In the Server Information section, click Monitored Report Servers.
The Report Server List dialog box appears.
3. Use the instructions in the subsequent sections to add, edit, or remove a Report Server.
Add a Report Server to the list
1. In the Report Server List dialog box, click Add.
The Report Server dialog box appears.
2. Type the IP Address of the Report Server.
3. Type the Port for Report Server access.
4. Click OK.
5. Repeat Steps 1–4 to add more Report Servers to the list.
Edit information for a Report Server
1. In the Report Server List dialog box, select the Report Server you want to change and click Edit.
The Report Server dialog box appears.
2. Edit the IP Address or Port for the Report Server.
3. Click OK.
Remove a Report Server from the list
1. In the Report Server List dialog box, select the Report Server you want to remove.
2. Click Remove.
The Report Server is removed from the list.
Add and manage VPN tunnels and resources
You can use WatchGuard System Manager to see and manage VPN tunnels for your managed Firebox or
XTM devices. In the VPN Tunnels section of the Device page, you can see all tunnels that include the
selected Firebox or XTM device. You can also add, edit, or remove a VPN tunnel.
See VPN tunnels
From WatchGuard System Manager:
1. Use WSM to connect to a Management Server.
2. Select the Device Management tab.
3. Expand the Devices list.
4. Select a Firebox.
The Device Management page for the selected Firebox or XTM device appears.
5. Find the VPN Tunnels section.
This section shows all tunnels for which this device is a VPN endpoint.
Add a VPN tunnel
In the VPN Tunnels section:
1. Click Add to add a new VPN tunnel.
The Add VPN Wizard starts.
2. Complete the Add VPN Wizard to configure your VPN tunnel.
After you add a VPN tunnel to your configuration, the VPN tunnel appears in the list, and the
number of configured VPN tunnels appears adjacent to the VPN Tunnels section title.
Note If you add more tunnels than your license allows, a warning message that you
have exceeded your licensed number of tunnels appears. You must remove enough
VPN tunnel routes from your configuration to return to your licensed limit.
For more information about the Add VPN Wizard, see Make managed tunnels between devices on page 824.
Edit a VPN tunnel
After you have added a VPN tunnel, you can use WSM to change the tunnel configuration. You cannot
change either of the tunnel endpoints. If you want to change the Firebox or XTM device that is at one or
both ends of the VPN tunnel, you must create a new tunnel.
In the VPN Tunnels section:
1. In the Name list, select a VPN tunnel.
2. Click Edit.
The VPN Properties dialog box appears.
3. Make the changes to your VPN tunnel.
For more information on the changes you can make to your VPN tunnel, see Edit a tunnel definition
on page 825.
4. Click OK.
The updated VPN tunnel appears in the Name list.
Remove a VPN tunnel
In the VPN Tunnels section:
1. In the Name list, select a tunnel.
2. Click Remove.
A confirmation message appears.
3. If you do not want the configuration change to take effect immediately, clear the Restart devices now to
expire leases and download new configuration check box.
4. Click Yes.
The VPN tunnel is removed from the list. Unless you cleared the check box, the devices at both ends of the
tunnel are restarted so that they download the new configuration.
Add a VPN resource
You can configure, and put a limit to, the networks that have access through your VPN tunnels. You can
make a VPN between hosts or networks. You can also define VPN resources to configure the networks that
are available through a given VPN device.
The Device Management tab lists all of your currently defined VPN resources.
For detailed instructions to add VPN resources, see Add VPN resources on page 817.
Configure a Firebox or XTM device as a managed
device
If your Firebox or XTM device has a dynamic IP address, or if the Management Server cannot connect to it
for another reason, you can configure the Firebox or XTM device as a managed device before you add it to
the Management Server. You can then Add managed devices to the Management Server.
Edit the WatchGuard policy
1. Open Policy Manager for the Firebox or XTM device you want to enable as a managed device.
2. Double-click the WatchGuard policy to open it.
The Edit Policy Properties dialog box for the WatchGuard policy appears.
3. In the WG-Firebox-Mgmt connections are drop-down list, make sure Allowed is selected.
4. In the From section, click Add.
The Add Address dialog box appears.
5. Click Add Other.
The Add Member dialog box appears.
6. In the Choose Type drop-down list, select Host IP.
7. In the Value text box, type the IP address of the external interface of the gateway Firebox.
If you do not have a gateway Firebox that protects the Management Server from the Internet, type
the static IP address of your Management Server.
8. Click OK to close the Add Member dialog box.
9. Click OK to close the Add Address dialog box.
10. Make sure the To section includes an entry of either Firebox or Any.
11. Save the configuration file.
You can now add the device to your Management Server configuration as described in Add managed
devices to the Management Server. When you add this Firebox or XTM device to the Management Server
configuration, the Management Server automatically connects to the static IP address and configures the
Firebox or XTM device as a managed device.
Set up the Managed Device
(Optional) If your Firebox or XTM device has a dynamic IP address, or if the Management Server cannot find
the IP address of the Firebox or XTM device for any reason, you can use this procedure to prepare your
Firebox or XTM device to be managed by the Management Server.
1. Select Setup > Managed Device Settings.
The Managed Device Settings dialog box appears.
2. To set up a Firebox or XTM device as a managed device, select the Centralized Management check box.
3. In the Managed Device Name text box, type the name you want to give the Firebox or XTM device
when you add it to the Management Server configuration.
This name is case-sensitive and must match the name you use when you add the device to the
Management Server configuration.
4. In the Management Server IP Address(es) list, select the IP address of the Management Server if it
has a public IP address.
Or, select the public IP address of the gateway Firebox for the Management Server.
5. To add an address, click Add.
The Firebox or XTM device that protects the Management Server automatically monitors all ports
used by the Management Server and forwards any connection on these ports to the configured
Management Server. When you use the Management Server Setup Wizard, the wizard adds a
WG-Mgmt-Server policy to your configuration to handle these connections. If you did not use the
Management Server Setup Wizard on the Management Server, or if you skipped the Gateway
Firebox step in the wizard, you must manually add the WG-Mgmt-Server policy to the configuration
of your gateway Firebox.
6. In the Shared Secret and the Confirm fields, type the shared secret.
The shared secret you type here must match the shared secret you type when you add the Firebox
or XTM device to the Management Server configuration. Use a long, randomly generated secret for
each device; it is the value that ties this device to its entry on the Management Server.
7. Click Import and import the CA-Admin.pem file as your certificate. This file is in
\My Documents\My WatchGuard\certs\[firebox_ip] .
8. Click OK.
When you save the configuration to the Firebox or XTM device, the Firebox or XTM device is enabled as a
managed device. The managed Firebox or XTM device tries to connect to the IP address of the Management
Server on TCP port 4110. Management connections are allowed from the Management Server to this
managed Firebox or XTM device.
You can now add the device to your Management Server configuration, as described in Add managed
devices to the Management Server on page 531.
You can also use WSM to configure the management mode for your device, as described in About
Centralized Management modes on page 527.
Configure a Firebox III or Firebox X Core running
WFS as a managed device
You can configure your Firebox III or Firebox X Core running WFS to be managed by your Management
Server.
1. Open Policy Manager for the Firebox you want to enable as a managed device.
2. Double-click the WatchGuard policy to open it.
The Edit Service Properties dialog box for the WatchGuard policy appears.
3. On the Incoming tab, make sure that incoming WatchGuard connections are set to Enabled and
Allowed.
4. Below the From dialog box, click Add.
The Add Address dialog box appears.
5. Click Add Other.
The Add Member dialog box appears.
6. In the Choose Type drop-down list, select Host IP Address.
7. In the Value field, type the IP address of the external interface of the gateway Firebox that protects
the Management Server from the Internet.
If you do not have a gateway Firebox that protects the Management Server from the Internet, type
the static IP address of your Management Server.
8. Click OK to close the Add Member dialog box.
9. Click OK to close the Add Address dialog box.
10. Make sure the To dialog box includes an entry of either Firebox or Any.
Note If the Firebox you want to manage has a static IP address on its external interface,
you can stop here. Save the configuration to this Firebox. You can now add the
device to your Management Server configuration. When you add this Firebox to the
Management Server configuration, the Management Server automatically connects
to the static IP address and configures the Firebox as a managed Firebox client. If the
Firebox you want to manage has a dynamic IP address, go on to Step 11.
11. From Policy Manager, select Network > DVCP Client.
12. Select the Enable this Firebox as a DVCP Client check box.
13. In the Firebox Name field, type the name of the Firebox.
The Firebox name is case-sensitive. The name you type here must match the name you type when
you add this Firebox to the Management Server configuration.
14. To send log messages for the managed client, select the Enable debug log messages for the DVCP
Client check box.
We recommend you select this option only when troubleshooting.
15. Click Add to add the Management Server the Firebox connects to.
The DVCP Server Properties dialog box appears.
16. In the IP address field, type the IP address of the Management Server if it has a public IP address.
Or, type the public IP address of the Firebox that protects the Management Server.
The Firebox that protects the Management Server automatically monitors all ports used by the
Management Server and forwards any connections on these ports to the configured Management
Server. The Firebox protecting the Management Server is configured to do this when you run the
Management Server Setup Wizard.
If you did not use the Management Server Setup Wizard on the Management Server, or, if you
skipped the Gateway Firebox step in the wizard, configure the gateway Firebox to forward TCP ports
4110, 4112, and 4113 to the private IP address of the Management Server.
17. Type the Shared Secret to use to connect to the Firebox. The shared secret you type here must
match the shared secret you type when you add this device to the Management Server
configuration. A Firebox can be a client of only one Management Server.
18. Click OK to close the DVCP Server Properties dialog box.
19. Click OK to close the DVCP Client Setup dialog box.
20. Save the configuration file to the Firebox.
When you save the configuration to the Firebox, the Firebox is enabled as a managed client. The
managed Firebox client tries to connect to the IP address of the Management Server on TCP port
4110. Management connections are allowed from the Management Server to this managed Firebox
client.
You can now add the device to your Management Server configuration as described in Add managed
devices to the Management Server on page 531.
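A managed device that never appears on the Management Server is usually a reachability problem at the gateway, not a configuration error on the device. The following is an added example, not WatchGuard code: a small pre-flight script that confirms, from the managed device's side of the network, that the Management Server (or the gateway Firebox in front of it) accepts TCP connections on the ports this guide names, TCP 4110 for the managed device connection, TCP 4110, 4112 and 4113 for the gateway forwarding described in the Fireware XTM and WFS procedures above, and, optionally, TCP 4109 for Firebox X Edge v10.x and older devices. The target address 203.0.113.10, the three-second timeout and the output wording are assumptions of the example.

```python
"""Pre-flight reachability check for a WatchGuard Management Server.

Added example, not WatchGuard's code. The port numbers are the ones this
guide states: a managed device connects to the Management Server on TCP 4110;
a gateway Firebox in front of the server must forward TCP 4110, 4112 and 4113
to the server's private address; managed Firebox X Edge (v10.x and older)
devices use TCP 4109. The target address, timeout and output wording are
assumptions of this example.
"""
import socket
import sys
from typing import Callable, Dict, Iterable, List

MGMT_SERVER_PORTS = (4110, 4112, 4113)  # what the gateway Firebox must forward
EDGE_MGMT_PORT = 4109                   # Firebox X Edge v10.x and older only

ConnectFn = Callable[[str, int], bool]


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered/timed out, or unresolvable
        return False


def check_ports(host: str, ports: Iterable[int],
                connect: ConnectFn = tcp_connect) -> Dict[int, bool]:
    """Probe each port once. `connect` is injectable so the logic can be tested offline."""
    return {port: connect(host, port) for port in ports}


def unreachable(results: Dict[int, bool]) -> List[int]:
    """Ports that did not answer, sorted so the report is stable."""
    return sorted(port for port, ok in results.items() if not ok)


def preflight(host: str, include_edge: bool = False,
              connect: ConnectFn = tcp_connect) -> str:
    """One-line verdict: OK when every required port answers, FAIL listing the gaps otherwise."""
    ports = list(MGMT_SERVER_PORTS) + ([EDGE_MGMT_PORT] if include_edge else [])
    missing = unreachable(check_ports(host, ports, connect))
    if not missing:
        return "OK: %s accepts TCP on %s" % (host, ", ".join(map(str, ports)))
    return ("FAIL: %s does not accept TCP on %s; check the WG-Mgmt-Server policy "
            "(or manual port forwarding) on the gateway Firebox"
            % (host, ", ".join(map(str, missing))))


if __name__ == "__main__":
    # Run this from the network of the device you are about to manage, e.g.
    #   python mgmt_preflight.py 203.0.113.10 --edge
    # 203.0.113.10 is a documentation address standing in for the server's public IP.
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    print(preflight(target, include_edge="--edge" in sys.argv[2:]))
```

A completed handshake only proves that the gateway forwards the port; it says nothing about whether the device will authenticate, which still depends on the case-sensitive device name, the shared secret and the CA-Admin.pem certificate described above. Run the check from the managed device's side of the Internet, because a test from the Management Server's own LAN bypasses the gateway policy you are trying to validate.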
About Edge (v10.x and older) and SOHO devices
as managed clients
You can use the WatchGuard Management Server to configure and manage many Firebox X Edge and SOHO
devices. For Firebox X Edge devices (version 10.x and older), you can enable Fully Managed Mode with
WatchGuard System Manager (WSM), which means you can manage policies, updates, and VPNs for many
Edge devices from one location. You can use both Edge and SOHO devices as endpoints for managed
BOVPN tunnels.
To manage a Firebox X Edge device (version 10.x and older) with the Management Server, you must:
1. Install the Edge — Physically connect it to an Ethernet interface on your computer and run the Quick
Setup Wizard to configure it.
2. Add managed devices to the Management Server — You can import multiple Edge devices at the
same time.
3. Define WSM access settings on the Edge — The first three steps are covered in Prepare a Firebox X
Edge (v10.x and older) for management.
4. Configure values to identify the device to the Management Server — Add managed devices to the
Management Server.
Note To allow connections between your management computer and the Management
Server for Firebox X Edge (v10.x or older) devices, you must add the
WG-SmallOffice-Mgmt packet filter to the configuration on your gateway Firebox. If
you have another firewall, make sure that you have a policy to allow traffic from
managed Edge devices on TCP port 4109.
If you have added this packet filter to your configuration, and cannot connect to
the Edge Web Manager from WSM, you may have a certificate error in your web
browser cache. Clear the WatchGuard certificates and all cookies from your web
browser certificate store, connect to your Management Server again, and then
connect to the Edge Web Manager again.
Prepare a Firebox X Edge (v10.x and older) for management
In its default configuration, Firebox X Edge versions before 11.x cannot be added to a WatchGuard
Management Server as a managed device. Before you add a Firebox to the WatchGuard Management
Server, you must make sure the device is configured to allow the Management Server to manage it, as
described in this topic. You can then add the Firebox X Edge to the Management Server.
To prepare a Firebox X Edge with version 10.x appliance software or older installed for management with
the Management Server, you must be able to physically connect the Firebox X Edge to an Ethernet
interface on your computer. We recommend that you reset the Edge to factory default settings before you
begin this procedure.
Install the Firebox X Edge
1. On the computer that runs WatchGuard System Manager, change the IP address to an unused address
in 192.168.111.0/24 (the default trusted network of the Edge, whose own address is 192.168.111.1).
2. Start WatchGuard System Manager and select Tools > Quick Setup Wizard.
The Quick Setup Wizard starts.
3. Read the Welcome page and click Next.
4. Select Firebox X Edge as the type of Firebox and click Next.
5. Connect the network interface on your computer to any LAN port on the Firebox X Edge, and click
Next.
Use one of the green Ethernet cables included with the Firebox X Edge. (If no green cable is
included with your Firebox X Edge, try the red cable.)
6. Use the instructions on the subsequent page of the wizard to start the Firebox X Edge in safe mode.
7. Use the instructions on the wizard page, and click Next.
8. Use the instructions on the Wait for the Firebox and The Wizard found this Firebox pages. Click
Next after each page.
9. Accept the License Agreement and click Next.
10. Configure the external (WAN 1) interface of the Firebox X Edge. Select DHCP, PPPoE, or Static IP
addressing, and click Next.
For more information about how to configure the Edge interfaces, see Configure an external
interface on page 98.
11. Click Next after you configure the interface.
12. Configure the Edge internal interface and click Next.
13. Type a status passphrase and a configuration passphrase for your Edge and click Next.
You must type each passphrase two times. This is the passphrase that WatchGuard System Manager
uses to connect to and configure the device.
14. Type a user name and passphrase for the device, and click Next.
You must type the passphrase two times. This is the user name and passphrase that you can use to
connect to and configure the device with a web browser.
15. Select the time zone settings and click Next.
16. Configure the Management Server settings. Type the IP address of the gateway Firebox that protects
the Management Server, the name to identify the Firebox in the Management Server interface, and
the shared key. Click Next.
The shared key is used by the Management Server to create VPN tunnels between Firebox or XTM
devices. You do not have to remember this key.
17. Review the configuration for the Edge and click Next.
18. To set up another Edge, select the check box. Click Finish.
If you select this check box, the Quick Setup Wizard populates the fields with the same values as this
configuration, so you can easily set up similar Edge devices.
Import Firebox X Edge devices into a Management Server
You must connect from the same computer, and to the same Management Server, that you used when you
ran the Quick Setup Wizard. You can import more than one Edge at a time as long as the devices have
already been installed, as in the previous step.
1. Start WatchGuard System Manager, and connect to the Management Server for which you
configured Edge devices.
2. Select File > Import Device.
The WatchGuard System Manager dialog box appears.
3. Select the check boxes in front of each Edge device you want to import.
4. Click Import.
The Firebox X Edge devices are imported into the Management Server. The devices appear in the Imported
Devices folder for the Management Server.
Define WSM access settings on the Edge
1. To connect to the Firebox X Edge System Status page, type https:// in the browser address bar,
and the IP address of the Edge trusted interface.
The default URL is: https://192.168.111.1
2. From the navigation bar, select Administration > WSM Access.
The WatchGuard Management Access page appears.
3. Select the Enable remote management check box.
4. From the Management Type drop-down list, select WatchGuard System Manager.
5. To enable the Edge for Fully Managed Mode, select the Use Centralized Management check box.
When the Firebox X Edge is in Fully Managed Mode, access to the Edge configuration pages is set to
read-only. The only exception is access to the WSM Access configuration page. If you disable the
remote management feature, you get read-write access to the Edge configuration again.
Note Do not select the Use Centralized Management check box if you use WatchGuard
System Manager only to manage VPN tunnels.
6. Type and confirm a Status Passphrase for your Firebox X Edge.
7. Type and confirm a Configuration Passphrase for your Firebox X Edge.
These passphrases must match the passphrases you use when you add the device to the
Management Server or the connection will fail.
Note If the Firebox X Edge you want to manage has a static IP address on its external
interface, you can stop here. Save the configuration to this Firebox. You can now
add the device, as described in Add managed devices to the Management Server. When
you add this Edge to the Management Server configuration, the Management Server
automatically connects to the Edge and configures it as a managed device. If the Edge
you want to manage has a dynamic IP address, continue to the next step.
8. In the Management Server Address text box, type the IP address of the Management Server if it has
a public IP address. If the Management Server has a private IP address, type the public IP address of
the Firebox that protects the Management Server.
The Firebox that protects the Management Server automatically monitors all ports used by the
Management Server and will forward any connection on these ports to the configured Management
Server. No special configuration is necessary for this to occur.
9. Type the Client Name to identify the Edge in the Management Server configuration.
This name is case-sensitive and must match the name you use for the Edge when you add it to the
Management Server configuration.
10. Type the Shared Key.
The shared key is used to encrypt the connection between the Management Server and the Firebox
X Edge. This shared key must be the same on the Edge and the Management Server. You must get
the shared key from your Management Server administrator.
11. Click Submit to save this configuration to the Edge.
When you save the configuration to the Edge, the Edge is enabled as a managed client. The managed
Firebox client tries to connect to the IP address of the Management Server. Management
connections are allowed from the Management Server to this managed Firebox client.
You can now add the device to your Management Server configuration as described in Add managed
devices to the Management Server on page 531.
Configure a Firebox SOHO 6 as a managed device
1. Open a web browser and type the IP address of the SOHO 6.
2. If necessary, type the login and passphrase to connect.
3. Select Administration > VPN Manager Access.
The VPN Manager Access page appears.
4. In the left navigation pane below VPN, click Managed VPN.
5. Select the Enable VPN Manager Access check box.
6. Type the status passphrase for VPN Manager access. Type the status passphrase again to confirm the
passphrase.
7. Type the configuration passphrase for VPN Manager access. Type the configuration passphrase again
to confirm the passphrase.
Note If the Firebox SOHO you want to manage has a static IP address on its external
interface, you can stop here. Click Submit to save your configuration to the SOHO.
You can now add the device to your Management Server configuration. When you
add this SOHO to the Management Server configuration, the Management Server
automatically connects to the static IP address and configures the SOHO as a
managed device. If the SOHO you want to manage has a dynamic IP address,
proceed to Step 7.
8. Select the Enable Managed VPN check box.
9. From the Configuration Mode drop-down list, select SOHO.
10. In the DVCP Server Address text box, type the IP address of the Management Server if it has a public
IP address. If the Management Server has a private IP address, type the public IP address of the
Firebox that protects the Management Server.
The Firebox that protects the Management Server automatically monitors all ports used by the
Management Server and forwards any connection on these ports to the configured Management
Server. No special configuration is necessary for this to occur.
11. Type the Client Name to identify your Firebox SOHO.
This name is case-sensitive and must match the name you use for the device when you add it to the
Management Server configuration.
12. In the Shared Key text box, type the key used to encrypt the connection between the Management
Server and the Firebox SOHO. This shared key must be the same on the SOHO and the Management
Server. You must get the shared key from your Management Server administrator.
13. Click Submit.
When you save the configuration to the Firebox SOHO, the SOHO is enabled as a managed client.
The managed SOHO client tries to connect to the IP address of the Management Server.
Management connections are allowed from the Management Server to this managed SOHO client.
You can now add the device to your Management Server configuration as described in the Add
managed devices to the Management Server on page 531.
Start WatchGuard System Manager tools
From the Device Management tab, you can start other WatchGuard System Manager (WSM) tools to
configure and monitor your devices.
For the Management Server, you can start:
- Quick Setup Wizard
- CA Manager
- LogViewer
- Report Manager
For Firebox or XTM devices and WFS devices, you can start:
- Policy Manager
- Firebox System Manager
- HostWatch
- Ping
- Expire Lease
For more information about the Expire Lease tool, see Expire the lease for a managed device on
page 567.
For Edge devices, you can start:
- Policy Manager (Edge versions 11.x and later)
- Edge Web Manager (Edge versions before 11.0)
- Firebox System Manager
- HostWatch
- Ping
To use WatchGuard System Manager tools:
1. Select the Device Management tab.
2. Expand the Devices tree.
3. Select the device you want to configure or monitor.
The Device Management page appears.
4. In the Tools section, click the link for the tool you want to use.
The selected tool application starts.
Note If you are logged in to the Management Server with user credentials that have
administrator privileges, when you launch a WSM tool, you are not asked for the
Status or Configuration passphrase of the Firebox or XTM device.
Expire the lease for a managed device
You can use the WSM Expire Lease tool to force your managed Firebox X Edge 10.x and Fireware XTM
devices to contact the Management Server for new DVCP tunnel information. You can choose to expire the
lease for an individual device, or for more than one device at the same time.
Expire the lease for one device
You can choose to expire the lease for an individual device from two locations: the Tools section on the
Device page, or the device context menu.
To expire the lease from the Device page:
1. Select the Device Management tab.
2. Expand the Devices tree and select a device.
The Device Management page appears.
3. In the Tools section, click Expire Lease.
The Expire Lease dialog box appears.
4. Click OK.
The Management Server lease for the managed device is automatically expired and any VPN or configuration
changes are downloaded. A confirmation dialog box does not appear.
To expire the lease from the device context menu:
1. Select the Device Management tab.
2. Expand the Devices tree and select a device.
The Device Management page appears.
3. Right-click the device and select Expire Lease.
The Expire Lease dialog box appears.
4. Click OK.
The Management Server lease for the managed device is automatically expired and any VPN or configuration
changes are downloaded. A confirmation dialog box does not appear.
Expire the lease for many devices
If you have more than one managed device, you can expire the lease for one or more of your devices at the
same time.
1. Select the Device Management tab.
2. In the left navigation bar, select the Management Server.
The Management Server page appears.
3. Right-click the Management Server and select Expire Lease.
The Expire Lease dialog box appears. By default, the check box for all Firebox X Edge 10.x and Fireware XTM
managed devices is selected.
4. Clear the check box for any device for which you do not want to expire the lease.
5. Click OK.
The Management Server lease for the managed device is automatically expired and any VPN or configuration
changes are downloaded. A confirmation dialog box does not appear.
Configure network settings (Edge devices v10.x
and older only)
You can use Management Server to configure unique network settings for Firebox X Edge devices (version
10.x and older only). This procedure loads the current network settings for the Edge and enables Fully
Managed Mode on the device.
Note All Firebox X Edge network settings can be configured with the Edge Web
Manager.
From WatchGuard System Manager:
1. Select the Device Management tab.
2. Expand the Devices list.
3. Select a Firebox X Edge device.
The Device Management page appears.
4. In the Network Settings section, click Configure.
The Network Settings dialog box appears.
5. To configure network settings, click each category in the left pane of the dialog box and provide
information in the fields that appear.
6. Click OK.
About the Configuration Template section
Note The management page for a SOHO 6 does not have the Policy section.
This section shows the Device Configuration Template to which this Firebox X Edge is subscribed. If the
device is not subscribed to a template, you can drag the device to one of the Device Configuration
Templates. You can also use the Configure link in this section to configure the Device Configuration
Template to which this device is subscribed.
For information about Device Configuration Templates, see Create and subscribe to Device Configuration
Templates on page 570.
Update or reboot a device, or remove a device
from management
On the Device page for your managed device, you can change the server and client settings, update the
IPSec and CA certificates for your Firebox or XTM device, or reboot your Firebox or XTM device. You can
also remove a device so it is no longer managed by the Management Server.
Update a device
From the WatchGuard System Manager Device Management page:
1. Expand the Devices list.
2. Select the device you want to update.
The Device Management page for the selected device appears.
3. In the Device Information section, click Update Device.
The Update Device dialog box appears.
4. To download the policies on the managed device to the Management Server for the trusted and
optional networks, select the Download Trusted and Optional Network Policies check box.
We recommend you do this to make sure you have the latest policies when you edit the device
configuration, particularly if you have not connected to the device in a long time.
5. To refresh the Management Server configuration on the device after an update (Management
Server IP address, hostname, shared secret, and lease time), select the Reset Server Configuration
check box.
If you have made any changes to the device properties, make sure you select this check box.
6. To expire the Management Server lease for the managed client and download any VPN or
configuration changes, select the Expire Lease check box.
7. (Does not appear for Edge versions before 11.0) To issue or reissue the IPSec certificate for the
Firebox or XTM device and the Certificate Authority’s certificate, select the Issue/Reissue Firebox’s
IPSec Certificate and CA’s Certificate check box.
8. Click OK.
Reboot a device
From the WatchGuard System Manager Device Management page:
1. Expand the Devices list.
2. Select the device you want to reboot.
The Device Management page for the selected device appears.
3. In the Device Information section, click Reboot.
A confirmation message appears.
4. Click Yes.
Remove a device from management
To remove a device so that it is no longer managed by the Management Server and no longer appears in the
Management Server window:
1. Expand the Devices list.
2. Select the device you want to remove.
3. Right-click the device and select Remove.
Or, select Edit > Remove.
A confirmation message appears.
4. Click Yes.
5. Open Policy Manager for this device.
6. Select Setup > Managed Device Settings, and clear the Centralized Management check box.
A confirmation message appears.
7. Click Yes to remove the device from management.
8. Save the configuration file.
Create and subscribe to Device Configuration
Templates
A Device Configuration Template is a collection of configuration settings that multiple Firebox or XTM
devices can use. When you use Firebox or XTM devices with the WatchGuard Management Server, you can
create Device Configuration Templates on the Management Server. You can then subscribe your managed
Firebox or XTM devices to the Device Configuration Templates. When you subscribe a device to a Device
Configuration Template, the policies and settings configured in the template are added to the individual
configuration file for your device. You can view these policies and settings from the device configuration
file, but they can only be changed from the Device Configuration Template.
If you have defined a policy in the individual configuration file for your device, and subscribe that device to
a template that has a policy with the same name, both policies appear in the device configuration file.
Policies with the same name do not override each other. Make sure that any such duplicate policies or
settings are not configured with settings that conflict with each other. We recommend that you delete any
policies or settings from your individual configuration file that have the same name as a policy or setting in
the Device Configuration Template to which your device is subscribed.
You can use Device Configuration Templates to easily configure standard firewall filters, change the Blocked
Sites list, change your WebBlocker configuration, configure logging settings, or change other policy settings
for one or more managed devices.
Configuration Templates have the following restrictions:
- Edge Configuration Templates can be used with the Firebox X Edge only.
- Each device can subscribe to only one Device Configuration Template.
- An Edge must have OS version 7.5 or later to use Edge Configuration Templates.
- You must use separate templates for Edge devices that run OS versions 7.5, 8.0, 8.5, 8.6, or 10.x.
Available configuration templates include:
- Firebox X Edge — versions 7.5, 8.x, 10.x
- Fireware XTM — Firebox X Edge e-Series, Core e-Series, Peak e-Series, and XTM devices versions 11.x
You can use one Fireware XTM configuration template for all your v11.x devices.
You can make changes to a Device Configuration Template, or to the list of devices that subscribe to that
template, at any time. The Management Server automatically updates all subscribed devices with the
changes.
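The subscription and merge rules described above (one template per device, same device type only, and same-name policies that coexist rather than override each other) as an added, constructed model; this is example code, not WatchGuard's software, and the device, template, and policy names are invented.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    """One firewall policy as it appears in a configuration file (constructed model)."""
    name: str
    action: str        # "Allow" or "Deny"
    source: str
    destination: str
    port: int


@dataclass
class Template:
    """A Device Configuration Template: shared policies for one device type."""
    name: str
    device_type: str   # "Edge" or "FirewareXTM"
    policies: List[Policy] = field(default_factory=list)


@dataclass
class ManagedDevice:
    """A managed device with its own configuration file and at most one template."""
    name: str
    device_type: str
    local_policies: List[Policy] = field(default_factory=list)
    template: Optional[Template] = None

    def subscribe(self, template: Template) -> None:
        # Devices can only be subscribed to templates of the same type.
        if template.device_type != self.device_type:
            raise ValueError(
                f"{self.name}: cannot subscribe a {self.device_type} device to "
                f"{template.device_type} template {template.name!r}")
        # Each device subscribes to only one template; a new one replaces the old.
        self.template = template

    def effective_policies(self) -> List[Policy]:
        # Template policies are added to the device configuration; they do not
        # override local policies with the same name, so both copies are present.
        merged = list(self.local_policies)
        if self.template is not None:
            merged.extend(self.template.policies)
        return merged

    def duplicate_policy_names(self) -> List[str]:
        """Names that exist both locally and in the subscribed template."""
        if self.template is None:
            return []
        template_names = {p.name for p in self.template.policies}
        return sorted({p.name for p in self.local_policies if p.name in template_names})

    def conflicting_policies(self) -> List[Tuple[Policy, Policy]]:
        """Same-name pairs whose settings differ: the guide recommends deleting the local copy."""
        if self.template is None:
            return []
        by_name = {p.name: p for p in self.template.policies}
        return [(local, by_name[local.name])
                for local in self.local_policies
                if local.name in by_name and local != by_name[local.name]]


def subscribe_folder(devices: List[ManagedDevice], template: Template) -> List[str]:
    """Drag-and-drop of a template onto a Devices folder: only same-type devices subscribe."""
    subscribed = []
    for device in devices:
        if device.device_type == template.device_type:
            device.subscribe(template)
            subscribed.append(device.name)
    return subscribed


# Constructed sample data, not taken from any real configuration.
EDGE_TEMPLATE = Template("Edge-Standard", "Edge", [
    Policy("SMTP", "Allow", "External", "MailServer", 25),
    Policy("HTTP", "Deny", "Trusted", "External", 80),
])

BRANCH_EDGE = ManagedDevice("branch-1", "Edge", [
    Policy("SMTP", "Deny", "External", "MailServer", 25),   # same name, different action
    Policy("Ping", "Allow", "Trusted", "External", 0),
])


def audit_branch_edge() -> dict:
    """Subscribe the sample Edge and report what the merged configuration looks like."""
    BRANCH_EDGE.subscribe(EDGE_TEMPLATE)
    return {
        "policy_count": len(BRANCH_EDGE.effective_policies()),
        "duplicates": BRANCH_EDGE.duplicate_policy_names(),
        "conflicts": [(a.name, a.action, b.action)
                      for a, b in BRANCH_EDGE.conflicting_policies()],
    }


if __name__ == "__main__":
    print(audit_branch_edge())
```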
1. Open WatchGuard System Manager and connect to your Management Server.
2. Select the Device Management tab.
The Management Server page appears.
3. Select Device Configuration Templates in the left navigation bar.
The Device Configuration Templates page appears with the list of currently available templates.
4. Expand the Device Configuration Templates list to see the available templates.
The Device Configuration Templates list includes only Edge Configuration Templates for Edge
devices of version 10.1 and older by default. You can add templates for other Firebox or XTM
devices.
5. Right-click Device Configuration Templates and select Insert Device Configuration Template.
Or, click Add at the top right of the Device Configuration Templates page.
The Product Version dialog box appears.
6. Select the product line and version from the drop-down list. Click OK.
If you selected an Edge device, the Edge Configuration: Edge Template window appears.
If you selected a Fireware XTM device, you select a name for the template and then Fireware XTM Policy
Manager opens with a blank configuration file.
7. Complete the processes in the subsequent sections to configure the template for the type of device
you selected.
Configure a template for a managed Edge device
Use the Edge Configuration: Edge Template dialog box to define the settings for your Edge configuration
template.
Note If you want to use the Edge Web Manager to connect directly to your managed
Edge device rather than follow the Edge Web Manager link in WSM, you must add
an HTTPS policy to your Edge Configuration template. This HTTPS policy must allow
incoming traffic from External to an Alias defined on the Edge over TCP port 443.
To configure a template for your Edge:
1. Type a name for the template.
2. To configure the template, click the categories in the left pane and add the necessary information
for each category.
Different categories appear in the list based on the version of the Edge you selected.
For more information on the available categories, see the corresponding section in the Help or User
Guide.
For more information about how to add Firewall Policies to the template, see Add a pre-defined
policy with the Add Policy wizard or Add a custom policy with the Add Policy wizard.
3. Click OK to close the Edge Configuration: Edge Template dialog box.
The template is saved to the Management Server, and an update is sent to all Firebox X Edge devices to which
this template is applied.
Configure a template for other Fireware XTM devices
When you select to create a template for a Fireware XTM device other than an Edge device, you use Policy
Manager to define the settings for your configuration template. This is a streamlined version of Policy
Manager that helps you create configuration templates.
When you configure a template, you can:
- Add, modify, and delete policies
- Set up Aliases and Logging
- Set up Proxy actions, Application Blockers, and Schedules
- Configure spamBlocker, Gateway AntiVirus, Intrusion Prevention, WebBlocker, and the Quarantine Server
To use Policy Manager to configure a new template for your device:
1. Click .
Or, select Edit > Add Policy.
The Add Policies dialog box appears.
2. Double-click the folder for the type of policy you want to add.
A list of the selected policies appears.
3. Select a policy.
4. Click Add.
The New Policy Properties dialog box appears.
5. Configure the policy as necessary for your network configuration.
For more information about how to configure a new policy, see Add a proxy policy to your
configuration on page 377.
6. Repeat Steps 3–5 to add the necessary policies to your configuration.
7. Click .
Or, select File > Save > To Management Server.
The Schedule Template Update Wizard appears.
8. Click Next to start the wizard.
The Select the Time and Date page appears.
9. Select to either Update the template immediately or Schedule template update.
10. If you selected Schedule template update, select the Date and Time that you want the update to occur.
11. Click Next.
The Schedule Template Update Wizard is complete page appears.
12. Click Finish to exit the wizard.
If your Management Server configuration requires that you add a comment when you save your configuration,
the Save Comment dialog box appears.
13. If the Save Comment dialog box appears, type a comment about your configuration changes.
14. Click OK.
The new template appears in the Device Configuration Templates list.
To modify a policy in your configuration template:
1. Open your configuration template in Policy Manager.
2. Select the policy you want to modify.
3. Click .
Or, select Edit > Modify Policy.
The Edit Policy Properties dialog box appears.
4. Configure the policy as necessary for your network configuration.
For more information about how to modify a policy, see About policy properties on page 351 or Add
a proxy policy to your configuration on page 377.
5. Click .
Or, select File > Save > To Management Server.
The Schedule Template Update Wizard appears.
6. Click Next to start the wizard.
The Select the Time and Date page appears.
7. Select to either Update the template immediately or Schedule template update.
8. If you selected Schedule template update, select the Date-Time that you want the update to occur.
9. Click Next.
The Schedule Template Update Wizard is complete page appears.
10. Click Finish to exit the wizard.
If your Management Server configuration requires that you add a comment when you save your configuration,
the Save Comment dialog box appears.
11. If the Save Comment dialog box appears, type a comment about your configuration changes.
12. Click OK.
The new template appears in the Device Configuration Templates list.
Add a predefined policy to an Edge Device Configuration
Template
You can use the WatchGuard System Manager Add Policy Wizard to add a predefined policy to the Device
Configuration Template for your Firebox X Edge device.
1. From the Device Management tab, select Device Configuration Templates.
The Device Configuration Templates page appears.
2. Right-click Device Configuration Templates and select Insert Device Configuration Template.
Or, click Add in the upper-right corner of the page.
The Product Version dialog box appears.
3. Select the Edge device and version from the drop-down list. Click OK.
The Edge Configuration: Edge Template dialog box appears.
4. In the left navigation bar, select Firewall Policies.
The Firewall Policies page appears.
5. Click Add.
The Add Policy Wizard starts.
6. Click Next.
The Select a service for this policy page appears.
7. Select Choose a predefined service from this list and select a policy from the list.
8. Click Next.
The Select the traffic direction page appears.
9. Select the traffic direction — Outgoing, Incoming, or Optional.
10. Click Next.
The Configure the network resources page appears.
11. In the Filter drop-down list, select to Deny or Allow traffic.
12. In the From and To fields, set the sources and destinations.
To add a new resource, click Add beneath the From or To field and add the required information.
13. Click Next.
The Add Policy Wizard is complete page appears.
14. Click Finish to close the wizard.
Add a custom policy to an Edge Device Configuration Template
You can use the Add Policy Wizard to create a custom policy in the Device Configuration Template for your
Firebox X Edge device.
1. From the Device Management tab, select Device Configuration Templates.
The Device Configuration Templates page appears.
2. Right-click Device Configuration Templates and select Insert Device Configuration Template.
Or, click Add in the upper-right corner of the page.
The Product Version dialog box appears.
3. Select the Edge device and version from the drop-down list. Click OK.
The Edge Configuration: Edge Template dialog box appears.
4. In the left navigation bar, select Firewall Policies.
The Firewall Policies page appears.
5. Click Add.
The Add Policy Wizard starts.
6. Click Next.
The Select a service for this policy page appears.
7. Select Create and use a new custom service.
8. Click Next.
The Specify Protocols page appears.
9. Type a name for the protocol.
10. To add a protocol, click Add.
The Add protocol dialog box appears.
11. In the Type drop-down list, select whether the protocol uses a Single Port or a Port Range.
12. In the Protocol drop-down list, select the type of protocol to filter — TCP, UDP, or IP.
13. Type the Server Port number or numbers, or the IP Protocol number.
14. Click OK to add the protocol.
15. Repeat Steps 10–14 to add another protocol.
16. Click Next when all the protocols for this policy are added.
The Select the traffic direction page appears.
17. Select the traffic direction — Outgoing, Incoming, or Optional.
18. Click Next.
The Configure the network resources page appears.
19. In the Filter drop-down list, select to Deny or Allow traffic.
20. In the From and To fields, define the sources and destinations.
To add a new resource, click Add beneath the From or To field and add the required information.
21. Click Next.
The Add Policy Wizard is complete page appears.
22. Click Finish to close the wizard.
Clone a Device Configuration Template
If you have devices that use similar configurations, but with small differences, you can clone (copy) a
template and then customize the cloned template for each device. This enables you to make one Device
Configuration Template, make a clone for each variation, and then change the cloned templates. You cannot
edit a default template. You can, however, clone the default template and then customize the cloned
template.
From the WatchGuard System Manager Device Management tab:
1. Expand Device Configuration Templates.
2. Right-click the Device Configuration Template you want to clone, and select Clone.
A copy of the template appears in the Device Configuration Templates list with (Cloned) at the end of the
template name.
3. Open the policy in Policy Manager and configure it for the selected device.
For information on the available fields, see About policy properties on page 351.
4. Save the changes to your Device Configuration Template.
Change the name of a Device Configuration Template
When you create a new Device Configuration Template in WatchGuard System Manager, you select a name
for that template. You can change the name of each template so you can easily identify to which devices it
applies.
1. From the Device Management tab, expand the Device Configuration Templates list.
The list of Device Configuration Templates appears.
2. Expand the folder for the type of Device Configuration Templates you want to rename.
3. Select the template you want to rename.
4. Follow the steps in the subsequent sections for the type of Device Configuration Template you
selected.
Rename a Firebox X Edge template
1. Right-click the template and select Properties.
The Edge Configuration dialog box appears.
2. In the left navigation bar, select Name.
The Name page appears.
3. In the Name text box, type the new name for the template.
4. Click OK.
The name of the template is updated and appears in the Device Configuration Templates list.
Rename a Fireware XTM template
1. Right-click the template and select Rename.
The Change Name dialog box appears.
2. In the Name text box, type a new name for the template.
3. Click OK.
The name of the template is updated and appears in the Device Configuration Templates list.
Subscribe managed devices to Device Configuration Templates
You can use Device Configuration Templates to create a standard set of policies and rules to use for one or
more Firebox or XTM devices. You can subscribe any of your managed Firebox or XTM devices to a
corresponding Device Configuration Template. Each device can subscribe to only one template. To
subscribe to a device template, you can either drag-and-drop the template to each device, or use the
Device Configuration Template page to subscribe your device to that template. Devices can only be
subscribed to templates of the same type. For example, if you drag-and-drop an Edge Device Configuration
Template on the Devices folder, only the Edge devices in the list are subscribed to the template, not the
other Firebox or XTM devices.
Drag-and-drop to subscribe to a template
You can use drag-and-drop to subscribe any Firebox or XTM device, or folder of devices, to a Device
Configuration Template.
1. On the Device Management tab, expand the Devices list.
2. Select the device or device folder you want to add to the Device Configuration Template, and
drag-and-drop the selected device or folder to the selected template in the Device Configuration
Templates list.
Or, drag-and-drop the selected Device Configuration Template to the device or device folder.
The device is subscribed to the template.
Use the Manage Device List to subscribe a device to a template
You can use the Manage Device List dialog box to simultaneously subscribe one or more managed devices
of the same type to the selected template.
1. In the Device Configuration Templates list, select the template to which you want to subscribe a
device.
The selected device template appears.
2. In the Devices section, click Configure.
The Manage Device List appears.
3. Click Add.
The Select Devices dialog box appears.
4. Select the check box for each device you want to subscribe to this Device Configuration Template.
5. Click OK to close the Select Devices dialog box.
6. Click Close to close the Manage Device List dialog box.
The managed devices you select are subscribed to the Device Configuration Template.
Manage aliases for Firebox X Edge devices
Aliases are used with your managed Firebox X Edge devices to define a common destination for policy
configuration on the Management Server. For example, with aliases, you can create a Device Configuration
Template for a mail server, and define that policy to operate with your mail server. Because the mail server
can have a different IP address on each Firebox network, you create an alias on the Management Server
called MailServer. When you create the Device Configuration Template for the mail server, you use this alias
as the destination. Then you define that alias as either the source or destination, to match the direction of
the network traffic managed by the policy. In this example, you can configure an incoming SMTP Allow
policy with MailServer as the destination.
For the Device Configuration Template to operate correctly on devices that use the policy, you must
configure the MailServer alias in the Network Settings for each Firebox X Edge device.
The alias features that were available in WatchGuard System Manager (WSM) 10.x for your 10.x and older
Firebox X Edge devices are still available in WSM v11.x. You can use your v11.x Management Server to
configure aliases only for v10.x and older Firebox X Edge devices.
You configure an alias in two steps:
1. Change the name of an alias.
2. Define aliases on a Firebox X Edge device.
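The MailServer example above, as an added model of alias resolution: a template policy names an alias, the alias must exist on the Management Server, and each Edge supplies its own IP address for it. This is constructed example code, not WatchGuard's implementation; the network names, alias names and addresses are invented, and the rule that anything other than a built-in network name or a literal address is treated as an alias is an assumption made for the model.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Set, Tuple

# Assumed built-in network names that are never aliases (constructed for this model).
NETWORK_NAMES = {"External", "Trusted", "Optional", "Any"}


@dataclass(frozen=True)
class AliasPolicy:
    """A template policy whose source or destination may be an alias name."""
    name: str
    action: str        # "Allow" or "Deny"
    direction: str     # "Incoming", "Outgoing" or "Optional"
    protocol: str
    port: int
    source: str
    destination: str


def is_literal(endpoint: str) -> bool:
    """True for a literal IP address or network such as 10.0.1.25 or 10.0.1.0/24."""
    try:
        ipaddress.ip_network(endpoint, strict=False)
        return True
    except ValueError:
        return False


def resolve_for_device(policies: List[AliasPolicy], server_aliases: Set[str],
                       device_aliases: Dict[str, str]) -> Tuple[List[AliasPolicy], List[str]]:
    """Replace alias endpoints with the IP address the device defines for them.

    Returns the policies that resolve fully and a list of "policy:alias" entries
    for aliases the device has not defined (the template cannot operate correctly
    on that device until the alias is set in its Network Settings).
    """
    resolved, missing = [], []
    for policy in policies:
        endpoints = {}
        complete = True
        for field_name in ("source", "destination"):
            value = getattr(policy, field_name)
            if value in NETWORK_NAMES or is_literal(value):
                endpoints[field_name] = value
                continue
            # An alias must be created on the Management Server before a policy uses it.
            if value not in server_aliases:
                raise ValueError(
                    f"policy {policy.name!r} uses alias {value!r} that is not defined "
                    "on the Management Server")
            address = device_aliases.get(value)
            if address is None:
                missing.append(f"{policy.name}:{value}")
                complete = False
                continue
            ipaddress.ip_address(address)   # reject a malformed local alias setting early
            endpoints[field_name] = address
        if complete:
            resolved.append(replace(policy, **endpoints))
    return resolved, missing


def fleet_missing_aliases(policies: List[AliasPolicy], server_aliases: Set[str],
                          fleet: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Per device, the aliases still to be defined before the template works there."""
    return {device: resolve_for_device(policies, server_aliases, aliases)[1]
            for device, aliases in fleet.items()}


# Constructed sample data: one server-side alias list, one template, two Edges.
SERVER_ALIASES = {"MailServer", "WebServer"}
MAIL_TEMPLATE = [
    AliasPolicy("SMTP", "Allow", "Incoming", "TCP", 25, "External", "MailServer"),
]
EDGE_FLEET = {
    "edge-hq": {"MailServer": "10.0.1.25"},   # alias defined in Network Settings
    "edge-branch": {},                         # alias not yet defined
}


if __name__ == "__main__":
    print(fleet_missing_aliases(MAIL_TEMPLATE, SERVER_ALIASES, EDGE_FLEET))
```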
Change the name of an alias
Your Management Server includes a standard set of aliases that you can use with the policies for your
Firebox X Edge device (version 10.x and older only). You can add a new alias or rename an existing alias.
Before you can add an alias to a policy, you must create or edit the alias on the Management Server.
From the WatchGuard System Manager Device Management tab:
1. In the Device Management tree, select the Management Server.
The Management Server settings page appears.
2. Click .
Or, in the Server Information section, click Manage Aliases.
The Aliases dialog box appears.
3. To add a new alias, click Add.
The Add Alias dialog box appears.
To change an existing alias, select an alias and click Edit.
The Edit Alias Name dialog box appears.
4. In the Name text box, type a name for the alias and click OK.
5. Repeat Steps 3–4 to define additional aliases.
6. Click OK.
Next, you can assign IP addresses to the aliases, as described in Define aliases on a Firebox X Edge device on
page 585.
Define aliases on a Firebox X Edge device
After you have updated the list of aliases on your Management Server, you can define the aliases for use
with your Firebox X Edge devices (version 10.x or older only).
From the WatchGuard System Manager Device Management tab:
1. Expand the Devices tree and select a version 10.x or older Firebox X Edge device.
The Device page appears.
2. In the Network Settings section, click Configure.
The Network Settings dialog box appears.
3. Click Aliases.
The Aliases list appears. The list includes those aliases you named on the Management Server and any default
aliases.
4. Select an alias to define and click Edit.
The Local Alias Setting dialog box appears.
5. Type the IP Address for the local alias on the network of this Firebox X Edge.
6. Click OK.
7. Repeat Steps 4–6 for each alias you want to define.
8. Click OK.
Remove a device from Fully Managed Mode
You can remove your Firebox or XTM device from Fully Managed Mode and return it to Basic Managed
Mode. When you do this, the link to the Device Configuration Template is removed and all policies from the
Device Configuration Template are removed from the device configuration file.
If you want to completely remove a device from management by the Management Server, see Update or
reboot a device, or remove a device from management on page 569.
There are two ways to remove a Firebox or XTM device from Fully Managed Mode. You can change the
Device Management Mode for the Firebox or XTM device. Or, you can remove the Firebox or XTM device
from the Manage Devices List for the Device Configuration Template to which it is subscribed.
For instructions to change the Firebox or XTM device management mode, see Change the Centralized
Management mode on page 528.
To remove a device from the Manage Devices List:
1. Select the Device Management tab.
2. Expand the Device Configuration Templates list for your Management Server.
3. Expand the folder for the type of device template: Firebox X Edge or Fireware XTM.
4. Select the template from the list to which your device is subscribed.
The template configuration page for the template you selected appears.
5. In the Devices section, click the Configure link.
The Manage Device List appears.
6. Select the device you want to remove from Fully Managed Mode and click Remove.
7. Click Close.
The device is returned to Basic Managed Mode and all policies from the Device Configuration Template are
removed from the device configuration file.
8. Save the updated configuration file to the device.
Until you save the configuration file to the device, the device does not recognize the configuration
changes.
20 Role-Based Administration
About role-based administration
Role-based administration enables you to share the configuration and monitoring responsibilities for your
organization among several individuals. One or more senior administrators might have full configuration
privileges for all devices, while one or more junior administrators have less configuration and monitoring
authority or different areas of jurisdiction.
For example, one administrator might have complete configuration and monitoring authority over all of the
Firebox or XTM devices in an organization's Eastern region, but could only monitor the devices deployed in
the company’s Central and Western regions. Another administrator could have full authority over the
Central region, but could only monitor Western and Eastern region devices.
You can use WatchGuard System Manager (WSM) and WatchGuard Server Center to create and implement
the different administrator roles for your organization. All the role-based administration settings you create
are stored and managed on your Management Server, so they are accessible with WSM or WatchGuard
Server Center. When you make a change to role-based administration with WSM, the change automatically
appears in WatchGuard Server Center.
Note Role-based administration is only available for Firebox or XTM devices with
Fireware XTM v11.0 or later.
Roles and role policies
A role has two parts: a set of tasks, and a set of devices on which these tasks can be performed. Every
administrator is assigned one or more roles, such as Super Administrator, Mobile User VPN Administrator,
or User Authentication Administrator.
WatchGuard System Manager (WSM) has several predefined roles you can use for your own organization.
You can also define custom roles. These roles are recognized by all the WSM tools and WatchGuard servers.
For example, if you log in to WSM with read/write permissions, and open Firebox System Manager (FSM),
you are not prompted for the configuration passphrase because FSM recognizes that you are logged in with
sufficient permissions.
Role policies combine the sets of tasks and devices with the users who have the privileges to perform those
roles.
Audit trail
To keep track of the actions performed by each administrator, WSM stores an audit trail of changes made to
a device. These changes are recorded in the Management Server log messages. WSM also has an audit trail
that shows all changes made to the entire system, the administrator who made each change, and when
each change was made.
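The two ideas above (a role is a set of tasks plus a set of devices, and a role policy binds a user to such a role) and the audit trail can be shown together in a small model. This is an added example written for this page, not WatchGuard code and not how WSM or the Management Server are implemented internally; the user names, device names, and the two abridged role task sets are constructed, and the regional split follows the Eastern/Central/Western example earlier in this chapter.

```python
"""Model of role-based administration as the guide describes it: a role is a
set of tasks plus a set of devices, a role policy binds a user to a role, and
the Management Server keeps an audit trail of who changed what and when.
Added example; not WatchGuard code. All names and devices are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Tasks: a small subset of the "allowed actions" listed for the predefined roles.
VIEW_LOGS = "view device log messages"
VIEW_CONFIG = "view device configuration file"
MODIFY_CONFIG = "modify device configuration file"
SET_PASSPHRASES = "set device passphrases"

# Task sets for two of the predefined roles, abridged from the guide's table.
ROLE_TASKS = {
    "Device Monitor": frozenset({VIEW_LOGS, VIEW_CONFIG}),
    "Device Administrator": frozenset(
        {VIEW_LOGS, VIEW_CONFIG, MODIFY_CONFIG, SET_PASSPHRASES}),
}


@dataclass(frozen=True)
class RolePolicy:
    """Binds a user to a role, scoped to the devices the role applies to."""
    user: str
    role: str
    devices: frozenset


@dataclass
class ManagementServer:
    """Single store for role policies and the audit trail (constructed model)."""
    policies: list = field(default_factory=list)
    audit_trail: list = field(default_factory=list)

    def _record(self, actor: str, action: str, target: str, outcome: str) -> None:
        # Every entry answers: when, who, what, on which target, and the result.
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit_trail.append((stamp, actor, action, target, outcome))

    def assign_role(self, actor: str, user: str, role: str, devices) -> None:
        """Create a role policy; the assignment itself is an audited change."""
        if role not in ROLE_TASKS:
            raise ValueError(f"unknown role: {role}")
        self.policies.append(RolePolicy(user, role, frozenset(devices)))
        self._record(actor, f"assign role {role}", user, "allowed")

    def is_allowed(self, user: str, task: str, device: str) -> bool:
        """True only if some policy for this user grants the task on this device."""
        return any(
            p.user == user and task in ROLE_TASKS[p.role] and device in p.devices
            for p in self.policies)

    def perform(self, user: str, task: str, device: str) -> bool:
        """Authorize and audit a task; denied attempts are recorded as well."""
        allowed = self.is_allowed(user, task, device)
        self._record(user, task, device, "allowed" if allowed else "denied")
        return allowed


def build_demo() -> ManagementServer:
    """The guide's regional example with constructed device and user names."""
    east = {"east-fw-1", "east-fw-2"}
    central = {"central-fw-1"}
    west = {"west-fw-1"}
    ms = ManagementServer()
    # alice: full configuration authority in the East, monitor-only elsewhere
    ms.assign_role("superadmin", "alice", "Device Administrator", east)
    ms.assign_role("superadmin", "alice", "Device Monitor", central | west)
    # bob: full authority in the Central region, monitor-only elsewhere
    ms.assign_role("superadmin", "bob", "Device Administrator", central)
    ms.assign_role("superadmin", "bob", "Device Monitor", east | west)
    return ms


if __name__ == "__main__":
    ms = build_demo()
    for user, task, device in [
        ("alice", MODIFY_CONFIG, "east-fw-1"),
        ("alice", MODIFY_CONFIG, "central-fw-1"),
        ("alice", VIEW_LOGS, "central-fw-1"),
        ("bob", SET_PASSPHRASES, "east-fw-2"),
    ]:
        print(user, "|", task, "|", device, "->", ms.perform(user, task, device))
    for entry in ms.audit_trail:
        print(entry)
```

The point to take from the model is that the device set is part of the role binding, not of the task list: alice holds the same Device Administrator task set as bob, but a configuration change she attempts on a Central device is denied, and the denial is written to the audit trail just like a successful change, so the trail can later show who tried to do what, where, and when.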
About predefined roles
Your Firebox or XTM device has many predefined administrative roles. You can also define custom roles, as
described in Define roles and role properties on page 601.
The following table shows all predefined roles and the actions they are allowed to take.
Role                                Allowed actions
Branch Office VPN Administrator     View folders and devices in WSM
                                    View device log messages
                                    View/create device reports
                                    Configure device network configuration, policies, and BOVPN tunnels
                                    Rekey BOVPN tunnels for a device
Device Administrator                View and move folders and devices in WSM
                                    View/modify folder and device Management Server properties
                                    View device log messages
                                    Define a report of any device
                                    Set device passphrases
                                    Configure Reputation Enabled Defense settings
Device Monitor                      View folders and devices in WSM
                                    View device log messages and reports
                                    View the entire configuration file for a device
                                    View Reputation Enabled Defense settings
Legacy admin account                View and move folders in WSM
                                    View/modify folder and device Management Server properties
                                    View/move devices in WSM and monitoring tools
                                    View device log messages
                                    View/create device reports
                                    Set the device configuration (admin) and monitoring (status) passphrase
                                    View/modify device configuration file
                                    Update device OS
                                    Backup/restore device configuration and OS
                                    Reboot/restart device
                                    Configure device network configuration, Firewall Policies, QoS Settings,
                                    BOVPN tunnels, and Mobile VPN tunnels
                                    Drop currently active device Mobile VPN user tunnels
                                    Configure device external authentication, Firebox users and groups,
                                    WebBlocker, spamBlocker, and Quarantine Server settings
                                    Update Gateway AV/IPS signatures
                                    Rekey device BOVPN tunnels and Mobile VPN tunnels
                                    Update the device feature keys
                                    Configure Reputation Enabled Defense settings
Legacy status account               View folders in WSM
                                    View folder and device Management Server properties
                                    View devices in WSM and monitoring tools
                                    View device log messages
                                    View device reports
                                    View device configuration file
                                    View Reputation Enabled Defense settings
Management Server Administrator     Define devices, folders, security templates, VPN firewall policies,
                                    and customer information
                                    Has Certificate Authority access
                                    Define a report or view audit log messages of any user
                                    Define a report of any device
                                    Configure Reputation Enabled Defense settings
Management Server Monitor           View folders and devices in WSM
                                    View role policies
                                    View security templates
                                    View VPN Firewall policies
                                    View customer information
                                    Access to Certificate Authority
                                    View a report or view audit log messages of any user
                                    View a report of any device
Mobile User VPN Administrator       View folders and devices in WSM
                                    View device log messages
                                    View/create device reports
                                    Configure device network configuration and Mobile VPN tunnels
                                    Drop active Mobile VPN user tunnels for a device
                                    Define users and groups for a device
                                    Rekey BOVPN tunnels for a device
MSS Monitor                         View devices in monitoring tools
Network Administrator               View folders and devices in WSM
                                    View device log messages
                                    View/create device reports
                                    Configure device network configuration
Security Administrator              View folders and devices in WSM
                                    View device log messages
                                    View/create device reports
                                    Configure device network configuration, policies, and QoS settings
                                    Update Gateway AV/IPS signatures
Super Administrator                 Define users, role policies, devices, folders, security templates,
                                    VPN firewall policies, and customer information
                                    Has Certificate Authority access
                                    Define a report or view audit log messages of any user
                                    Define a report of any device
User Authentication Administrator   View folders and devices in WSM
                                    View device log messages
                                    View/create device reports
                                    Configure device external authentication
                                    Define users and groups for a device
User Services Administrator         View folders and devices in WSM
                                    View device log messages
                                    View/create device reports
                                    Configure WebBlocker, spamBlocker, and Quarantine Server settings for a device
Use role-based administration with an external Management Server
If you have a WatchGuard Log Server or Report Server installed on a different computer than your
Management Server, you can use WatchGuard Server Center to set contact information for the
Management Server that you want to use for role-based administration. After you configure these settings,
the Log Server or Report Server can contact the selected Management Server for the role and credential
information for remote users.
To configure settings for an external Management Server:
1. In the left navigation bar, select Users.
The Users page appears.
2. To change the passphrase for the local administrator, select the Change Administrator Passphrase
check box.
3. Type and confirm the password for the local administrator.
4. Select the Use external Management Server check box.
5. Type the Management Server's IP address.
6. In the Management Server's CA Server public certificate field, copy and paste the content of the
certificate for the Management Server.
Or, click Load certificate from a file to select and upload the certificate.
7. Click Apply.
Define or remove users or groups
You can define, edit, and remove users and user groups for role-based administration in WatchGuard
System Manager (WSM) and WatchGuard Server Center. You can choose how a user or group is
authenticated and define the password for a local user.
Use WatchGuard System Manager to configure users or groups
1. Use WSM to connect to a Management Server.
2. Select File > Manage Users.
The Manage Users dialog box appears.
3. To add a new user, click Add.
To edit details for an existing user, select a user from the list and click Edit.
You cannot change the user or group name. You must remove the user or group, then add a new
user or group with the new name.
The User Properties dialog box appears.
4. On the User or Group tab, in the Name text box, type a name for the user or group.
5. To define a new user