WatchGuard® System Manager
User Guide
Version 7.5
Firmware Version: 7.5
Part Number:
Guide Version: 7.5-2
ADDRESS:
505 Fifth Avenue South
Suite 500
Seattle, WA 98104
SUPPORT: www.watchguard.com/support [email protected]
U.S. and Canada +877.232.3531
All Other Countries +1.206.613.0456
SALES:
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.521.8340
ABOUT WATCHGUARD
WatchGuard is a leading provider of network security solutions for small- to mid-sized enterprises worldwide, delivering integrated products and services that are robust as well as easy to buy, deploy and manage. The company’s Firebox X family of expandable integrated security appliances is designed to be fully upgradeable as an organization grows and to deliver the industry’s best combination of security, performance, intuitive interface and value. WatchGuard Intelligent Layered Security architecture protects against emerging threats effectively and efficiently and provides the flexibility to integrate additional security functionality and services offered through WatchGuard. Every WatchGuard product comes with an initial LiveSecurity Service subscription to help customers stay on top of the security landscape with vulnerability alerts, software updates, expert security instruction and superior customer care. For more information, please call (206) 521-8340 or visit www.watchguard.com.
ii WatchGuard System Manager
Contents

CHAPTER 1 Introduction ..... 1
  Welcome to WatchGuard® ..... 1
  WatchGuard System Manager Components ..... 1
    WatchGuard Firebox ..... 1
    Firebox System Manager ..... 2
    WatchGuard network security features ..... 2
    WatchGuard LiveSecurity® Service ..... 2
  Minimum Hardware and Software ..... 3
    Software requirements ..... 3
    Web browser preconditions ..... 3
    Hardware preconditions ..... 3
  WatchGuard Options ..... 3
    Firebox X 3-Port Upgrade ..... 4
    Firebox X Model Upgrade ..... 4
    VPN Manager ..... 4
    High Availability ..... 4
    Mobile User VPN ..... 4
    SpamScreen ..... 4
    BOVPN Upgrade ..... 5
    Get WatchGuard Options ..... 5
  Controlling and Enabling License Keys ..... 5
  About this User Guide ..... 6

CHAPTER 2 Service and Support ..... 7
  LiveSecurity® Service Solutions ..... 7
  LiveSecurity® Broadcasts ..... 8
    Activating the LiveSecurity® service ..... 9
  LiveSecurity® Self Help Tools ..... 9
  WatchGuard Users Forum ..... 10
  WatchGuard Users Group ..... 11
  Online Help ..... 11
    Starting WatchGuard Online Help ..... 11
    Searching for information ..... 12
    Copy the Online Help system to more computers ..... 12
    Software Requirements ..... 12
  Product Documentation ..... 12
  Technical Support ..... 13
    LiveSecurity® Technical Support ..... 13
    LiveSecurity® Gold ..... 13
    Firebox Installation Service ..... 14
    VPN Installation Service ..... 14
  Training and Certification ..... 14

CHAPTER 3 Getting Started ..... 15
  Updating Your Software and Configuration ..... 16
  Collecting Network Information ..... 16
  Selecting a Firewall Configuration Mode ..... 17
    Routed configuration ..... 18
    Drop-in configuration ..... 19
    Adding secondary networks to your configuration ..... 20
    Dynamic IP support on the external interface ..... 20
  Setting Up the Management Station ..... 21
    Software encryption levels ..... 22
    If you use a serial cable ..... 22
    If you connect through a hub ..... 22
  Using the Quick Setup Wizard ..... 23
    Do a test on the connection ..... 24
    Enter the IP addresses ..... 25
  Put the Firebox into operation on your network ..... 25
  After your Installation ..... 26
    Align your security policy ..... 26
    Features of the LiveSecurity® Service ..... 26

CHAPTER 4 Basic Firebox Configuration ..... 27
  Firebox Description ..... 27
  Opening a Configuration File ..... 28
    Opening a configuration from the Firebox ..... 29
    Opening a configuration from a local hard disk ..... 29
  Saving a Configuration File ..... 29
    Saving a configuration to the Firebox ..... 30
    Saving a configuration to the management station ..... 31
  Changing the Firebox passphrases ..... 31
  Setting the Firebox Model ..... 31
  Setting the Time Zone ..... 32
  Setting a Firebox Friendly Name ..... 32
CHAPTER 5 Using Policy Manager to Configure Your Network ..... 33
  Making a New Configuration File ..... 33
  Setting the IP Addresses of Firebox Interfaces ..... 34
    Setting addresses in drop-in mode ..... 34
    Using proxy ARP ..... 35
    Setting the addresses in routed mode ..... 37
  Configuring the external interface ..... 37
    Setting the external interface for DHCP ..... 38
    Setting the external interface for PPPoE ..... 38
    Using a static DHCP or static PPPoE address ..... 39
    Adding external IP aliases ..... 39
  Adding Secondary Networks ..... 40
  Adding WINS and DNS Server Addresses ..... 41
  Configuring the Firebox as a DHCP Server ..... 42
    Adding a subnet ..... 43
    Changing a subnet ..... 43
    Removing a subnet ..... 43
  Adding Basic Services to Policy Manager ..... 44
  Configuring Routes ..... 44
    Adding a network route ..... 45
    Adding a host route ..... 45
  Firebox interface speed and duplex ..... 46

CHAPTER 6 Managing and Monitoring the Firebox ..... 47
  About Incoming and Outgoing Traffic ..... 47
  Starting the Firebox System Manager ..... 48
  Using the Security Traffic Display ..... 49
    Monitoring status information ..... 49
    Selecting the middle of the star ..... 50
  Basic System Manager Functionality ..... 50
    Monitoring basic indicators ..... 50
    Firebox and VPN tunnel status ..... 51
  Monitoring Firebox Traffic ..... 53
    Changing the Polling Rate and the maximum number of log messages ..... 53
    Using color for log messages ..... 55
    Copying log messages ..... 55
    Learning more about deny and allow messages ..... 55
  Doing Basic Tasks with System Manager ..... 56
    Running the Quick Setup Wizard ..... 56
    Rebooting the Firebox ..... 56
    Reboot IPSec ..... 56
    Flushing the ARP cache ..... 57
    Connecting to a Firebox ..... 57
    Getting more information on the Web ..... 57
    Starting Firebox tools ..... 58
  Viewing Bandwidth Usage ..... 59
  Viewing Number of Connections by Service ..... 60
  Viewing Information About Firebox Status ..... 61
    Status Report ..... 61
    Authentication ..... 65
    Blocked Sites ..... 65
  HostWatch ..... 66
    HostWatch ..... 67
    Connecting HostWatch to a Firebox ..... 67
    Showing a log file in HostWatch ..... 67
    Controlling the HostWatch window ..... 68
    Changing HostWatch view properties ..... 68

CHAPTER 7 Configuring Network Address Translation ..... 69
  Dynamic NAT ..... 69
  Using Simple Dynamic NAT ..... 70
    Enabling simple dynamic NAT ..... 70
    Adding simple dynamic NAT entries ..... 71
    Reordering simple dynamic NAT entries ..... 71
    Specifying simple dynamic NAT exceptions ..... 71
  Using Service-Based Dynamic NAT ..... 72
    Enabling service-based dynamic NAT ..... 72
    Configuring service-based dynamic NAT ..... 72
  Configuring Service-Based Static NAT ..... 73
    Adding external IP addresses ..... 73
    Setting static NAT for a service ..... 73
  Using 1-to-1 NAT ..... 74
  Proxies and NAT ..... 76

CHAPTER 8 Configuring a Service ..... 77
  Packet Filters and Proxies ..... 77
  Services and the Policy Manager ..... 77
  Selecting Services for your Security Policy ..... 78
    Incoming and outgoing services ..... 78
    Incoming service guidelines ..... 78
    Outgoing service guidelines ..... 79
  Adding and Configuring Services ..... 79
    Changing the Policy Manager View ..... 80
    Service Parameters to Configure ..... 80
    Adding a service ..... 82
    Making a new service ..... 82
    Adding more than one service of the same type ..... 84
    Deleting a service ..... 85
  Configuring Service Properties ..... 85
    Opening the Service Properties dialog box ..... 85
    Adding service properties ..... 86
    Adding addresses or users to service properties ..... 86
    Working with wg_icons ..... 87
    Customizing logging and notification ..... 87
  Service Precedence ..... 88

CHAPTER 9 Configuring Proxied Services ..... 91
  Protocol Anomaly Detection ..... 91
  Customizing Logging and Notification for Proxies ..... 92
  Configuring an SMTP Proxy Service ..... 92
    Configuring Incoming SMTP Proxy ..... 93
    Enabling protocol anomaly detection for SMTP ..... 99
    Configuring the Outgoing SMTP Proxy ..... 101
  Configuring A FTP Proxy Service ..... 103
    Enabling protocol anomaly detection for FTP ..... 104
  Selecting an HTTP Service ..... 104
    Adding a proxy service for HTTP ..... 105
    Configuring a caching proxy server ..... 106
  Configuring the DNS Proxy Service ..... 107
    Adding the DNS Proxy Service ..... 107
    Enabling protocol anomaly detection for DNS ..... 108
    DNS file descriptor limit ..... 108

CHAPTER 10 Creating Aliases and Implementing Authentication ..... 109
  Using Aliases ..... 109
    Adding an alias ..... 110
  How User Authentication Works ..... 111
    Using external authentication ..... 111
    Enabling remote authentication ..... 112
    Authenticating from optional networks ..... 112
  Authentication Server Types ..... 112
  Defining Firebox Users and Groups for Authentication ..... 113
  Configuring Windows 2000/2003 Server Authentication ..... 114
  Configuring RADIUS Server Authentication ..... 116
  Configuring CRYPTOCard Server Authentication ..... 117
  Configuring SecurID Authentication ..... 118

CHAPTER 11 Intrusion Detection and Prevention ..... 121
  Default Packet Handling ..... 121
    Blocking spoofing attacks ..... 122
    Blocking port space and address space attacks ..... 122
    Stopping IP options attacks ..... 123
    Stopping SYN Flood attacks ..... 123
    Changing SYN flood settings ..... 123
  Blocking Sites ..... 124
    Blocking a site permanently ..... 124
    Creating exceptions to the Blocked Sites list ..... 125
    Changing the auto-block duration ..... 125
    Logging and notification for blocked sites ..... 125
Blocking Ports .......................................................................................................................................126
Avoiding problems with approved users
.....................................................................................127
Blocking a port permanently
..........................................................................................................127
Auto-blocking sites that try to use blocked ports
.......................................................................127
Setting logging and notification for blocked ports
....................................................................128
Blocking Sites Temporarily with Service Settings ....................................................................128
Configuring a service to temporarily block sites
Viewing the Blocked Sites list
.........................................................................128
..........................................................................................................128
Integrating Intrusion Detection .....................................................................................................128
Using the fbidsmate tool
.................................................................................................................129
CHAPTER 12 Setting Up Logging and Notification ........................ 131
Developing Logging and Notification Policies .......................... 131
Logging policy ........................................................ 131
Notification policy ................................................... 132
Failover Logging ...................................................... 132
WatchGuard Logging Architecture ....................................... 132
Designating Log Hosts for a Firebox ................................... 133
Adding a log host ..................................................... 133
Enabling Syslog logging ............................................... 133
Changing the log encryption key ....................................... 134
Removing a log host ................................................... 134
Reordering log hosts .................................................. 134
Synchronizing log hosts ............................................... 134
Setting up the WatchGuard Security Event Processor .................... 135
Running the WSEP application on Windows 2000, Windows 2003, or Windows XP ... 135
Viewing the WSEP component ............................................ 136
Starting and stopping the WSEP ........................................ 137
Setting the log encryption key ........................................ 137
Setting Global Logging and Notification Preferences ................... 137
Log file size and rollover frequency .................................. 137
Setting the interval for log rollover ................................. 138
Scheduling log reports ................................................ 138
Controlling notification .............................................. 138
Setting a unique Firebox name for log files ........................... 139
Customizing Logging and Notification by Service or Option ............. 139
Setting Launch Interval and Repeat Count .............................. 140
Setting logging and notification for a service ........................ 140
Setting logging and notification for default packet-handling options .. 141
Setting logging and notification for blocked sites and ports .......... 141
CHAPTER 13 Reviewing and Working with Log Files ....................... 143
Log File Names and Locations .......................................... 143
Viewing Files with LogViewer .......................................... 143
Starting LogViewer and opening a log file ............................. 144
Setting LogViewer preferences ......................................... 144
Searching for specified entries ....................................... 144
Copying and exporting LogViewer data .................................. 144
Displaying and Hiding Fields .......................................... 145
Working with Log Files ................................................ 147
Consolidating logs from multiple locations ............................ 147
Copying log files ..................................................... 148
Forcing the rollover of log files ..................................... 148
Saving log files to a new location .................................... 148
Setting log encryption keys ........................................... 148
Sending logs to a log host at another location ........................ 149
CHAPTER 14 Generating Reports of Network Activity ..................... 151
Creating and Editing Reports .......................................... 151
Starting a new report ................................................. 151
Editing an existing report ............................................ 152
Deleting a report ..................................................... 153
Viewing the reports list .............................................. 153
Specifying a Report Time Interval ..................................... 153
Specifying Report Sections ............................................ 153
Consolidating Report Sections ......................................... 153
Setting Report Properties ............................................. 154
Exporting Reports ..................................................... 154
Exporting reports to HTML format ...................................... 154
Exporting reports to NetIQ format ..................................... 155
Exporting a report to a text file ..................................... 155
Using Report Filters .................................................. 155
Creating a new report filter .......................................... 156
Editing a report filter ............................................... 156
Deleting a report filter .............................................. 156
Applying a report filter .............................................. 156
Scheduling and Running Reports ........................................ 157
Scheduling a report ................................................... 157
Manually running a report ............................................. 157
Report Sections and Consolidated Sections ............................. 157
Report sections ....................................................... 157
Consolidated sections ................................................. 159
CHAPTER 15 Controlling Web Site Access ................................ 161
Getting Started with WebBlocker ....................................... 161
Downloading the WebBlocker Installer .................................. 161
Installing the WebBlocker server ...................................... 161
Downloading the WebBlocker database ................................... 162
Installing a WebBlocker License ....................................... 162
Configuring the WatchGuard service icon ............................... 163
Add an HTTP Service ................................................... 163
Configuring the WebBlocker Service .................................... 163
Activating WebBlocker ................................................. 163
Allowing WebBlocker server bypass ..................................... 164
Configuring the WebBlocker Message .................................... 164
Scheduling operational and non-operational hours ...................... 165
Setting privileges .................................................... 165
Creating WebBlocker exceptions ........................................ 166
Managing the WebBlocker Server ........................................ 167
Installing Multiple WebBlocker Servers ................................ 167
Automating WebBlocker database downloads .............................. 168
CHAPTER 16 Connecting with Out-of-Band Management ..................... 169
Connecting a Firebox with OOB Management .............................. 169
Enabling the Management Station ....................................... 169
Preparing a Windows 2000 management station for OOB ................... 169
Preparing a Windows XP management station for OOB ..................... 170
Configuring the Firebox for OOB ....................................... 171
Establishing an OOB Connection ........................................ 171
CHAPTER 17 Introduction to VPN Technology ............................. 173
Tunnels and Tunnel Protocols .......................................... 174
IPSec ................................................................. 174
PPTP .................................................................. 174
Encryption ............................................................ 174
Authentication ........................................................ 175
Extended authentication ............................................... 175
Internet Key Exchange (IKE) ........................................... 175
WatchGuard VPN Solutions .............................................. 175
Mobile User VPN ....................................................... 176
RUVPN with PPTP ....................................................... 177
RUVPN with extended authentication .................................... 178
Branch Office Virtual Private Network (BOVPN) ......................... 178
CHAPTER 18 Designing a VPN Environment ................................ 181
Selecting an Authentication Method .................................... 181
Selecting an Encryption and Data Integrity Method ..................... 181
IP Addressing ......................................................... 182
NAT and VPNs .......................................................... 182
Access Control ........................................................ 183
Network Topology ...................................................... 183
Meshed networks ....................................................... 183
Hub-and-spoke networks ................................................ 184
Tunneling Methods ..................................................... 185
Determining Which WatchGuard VPN Solution to Use ...................... 185
VPN Installation Services ............................................. 186
VPN Scenarios ......................................................... 187
Large company with branch offices: VPN Manager ........................ 187
Medium-sized company with main office and auxiliary office: BOVPN with Basic DVCP ... 187
Small company with telecommuters: MUVPN ............................... 188
Company with remote employees: MUVPN with extended authentication ..... 188
CHAPTER 19 Activating the Certificate Authority on the Firebox ........ 191
Public Key Cryptography and Digital Certificates ...................... 191
PKI in a WatchGuard VPN ............................................... 192
Defining a Firebox as a DVCP Server and CA ............................ 194
Managing the Certificate Authority .................................... 196
Managing certificates from the CA Manager ............................. 197
Restarting the CA ..................................................... 197
CHAPTER 20 Configuring RUVPN with PPTP ................................ 199
Configuration Checklist ............................................... 199
Encryption levels ..................................................... 199
Configuring WINS and DNS Servers ...................................... 200
Adding New Users to Authentication Groups ............................. 201
Configuring Services to Allow Incoming RUVPN Traffic .................. 202
By individual service ................................................. 202
Using the Any service ................................................. 202
Activating RUVPN with PPTP ............................................ 203
Enabling Extended Authentication ...................................... 203
Entering IP Addresses for RUVPN Sessions .............................. 203
Configuring Debugging Options ......................................... 204
Preparing the Client Computers ........................................ 204
Installing MSDUN and Service Packs .................................... 205
Windows NT Platform Preparation ....................................... 205
Windows 2000 Platform Preparation ..................................... 206
Windows XP Platform Preparation ....................................... 207
Starting RUVPN with PPTP .............................................. 207
Running RUVPN and Accessing the Internet .............................. 208
Making Outbound PPTP Connections From Behind a Firebox ................ 208
Making Outbound IPSec Connections From Behind a Firebox ............... 208
CHAPTER 21 Configuring BOVPN with Basic DVCP .......................... 209
Configuration Checklist ............................................... 209
Creating a Tunnel to a Device ......................................... 210
Editing a tunnel to a device .......................................... 211
Removing a tunnel to a device ......................................... 212
Configuring Logging for a DVCP Server ................................. 212
CHAPTER 22 Configuring BOVPN with Manual IPSec ........................ 213
Configuration Checklist ............................................... 213
Configuring a Gateway ................................................. 214
Making a Tunnel with Manual Security .................................. 216
Making a Tunnel with Dynamic Key Negotiation .......................... 218
Making a Routing Policy ............................................... 219
Configuring routing policies for proxies over VPN tunnels ............. 220
Changing IPSec policy order ........................................... 221
Configuring multiple policies per tunnel .............................. 221
Configuring services for BOVPN with IPSec ............................. 221
Enabling the BOVPN Upgrade ........................................................................................................222
CHAPTER 23 Configuring IPSec Tunnels with VPN Manager ................. 223
Steps in making VPNs with VPN Manager ................................. 223
Configuring a Firebox as a DVCP Server and CA ......................... 224
Starting VPN Manager .................................................. 224
Giving the DVCP Server Remote Access .................................. 225
Configure Firebox III and Firebox X devices to allow the DVCP Server to contact them ... 226
Configure SOHO 6 and Firebox X Edge devices to allow the DVCP Server to contact them ... 226
Adding Devices to VPN Manager ......................................... 226
Configuring a Firebox, Edge or SOHO 6 as a DVCP Client (Dynamic Devices Only) ... 227
Configuring a dynamic Firebox III or Firebox X as a DVCP Client ....... 227
Configuring a dynamic SOHO 6 or Firebox X Edge as a DVCP Client ....... 228
Reviewing and changing the device settings ............................ 228
Updating a device’s settings .......................................... 229
Adding Policy Templates (Necessary for Dynamic Devices) ............... 229
Adding resources to a policy template ................................. 230
Adding Security Templates ............................................. 230
Making Tunnels Between Devices ........................................ 231
Drag-and-drop tunnel procedure ........................................ 231
Menu-driven tunnel creation ........................................... 232
Enabling a Telecommuter Tunnel ........................................ 233
Editing a Tunnel ...................................................... 234
Removing Tunnels and Devices from VPN Manager ......................... 234
Removing a tunnel ..................................................... 234
Removing a device ..................................................... 234
CHAPTER 24 Monitoring VPN Devices and Tunnels ......................... 235
Monitoring VPN tunnels from System Manager ............................ 235
Branch Office VPN tunnels ............................................. 236
Remote VPN Tunnels .................................................... 236
Monitoring VPN tunnels through VPN Manager ............................ 236
Opening the VPN Manager Window ........................................ 237
Device Status ......................................................... 237
Connection status ..................................................... 237
Tunnel status ......................................................... 238
Log server status ..................................................... 238
Making a custom view .................................................. 238
CHAPTER 25 Managing Firebox X Edge and Firebox SOHO6 Appliances ....... 241
Importing Certificates ................................................ 241
Microsoft Internet Explorer 5.5 and 6.0 ............................... 241
Netscape Communicator 4.79 ............................................ 242
Netscape 6 ............................................................ 243
Managing the Firebox X Edge or SOHO 6 ................................. 243
Microsoft Internet Explorer 5.5 and 6.0 ............................... 245
Netscape Navigator 4.79 ............................................... 245
Netscape 6 ............................................................ 246
CHAPTER 26 Troubleshooting Firebox Connectivity ....................... 247
Procedure 1: Ethernet Dongle Procedure ................................ 247
Procedure 2: The Flash Disk Management Utility ........................ 249
Procedure 3: Using the Reset Button ................................... 250
CHAPTER 1
Introduction
Welcome to WatchGuard®
Historically, it was necessary to use many tools, systems, and personnel to control the security of your network. Different computer systems control access, authentication, virtual private networking, and network control. More computers are used to monitor and report on network traffic. These expensive systems are not easy to use together or to keep the software current. WatchGuard System Manager provides an alternative with an integrated solution to control these security problems and helps you to:
• Keep the network security current
• Protect all offices with a connection to the Internet
• Encrypt the messages to and from remote offices and users
• Control all network security systems from one location
WatchGuard System Manager is a stable, flexible, and inexpensive network security solution. You can quickly install the hardware and software, and the installation of the system includes many features to make it easy to protect your network. Management tools let you make a custom security policy, monitor your network traffic, and troubleshoot network errors and problems.
WatchGuard System Manager Components
WatchGuard System Manager includes hardware, software, and services to help you make a safe network for your users and electronic information. It includes:
• A Firebox — an integrated security device
• Firebox System Manager — software tools to control and monitor your system
• LiveSecurity® service — a service that sends e-mail messages with information about networks and network security
WatchGuard Firebox
The Firebox hardware is a specially made computer which puts a firewall, virtual private networking, and other network security features on one device. The Firebox X has an indicator LED and interface connectors on the forward panel. The Firebox III has indicator LEDs on the forward panel and interface connectors on the rear panel. The WatchGuard System Manager software can configure Firebox III and Firebox X hardware devices.
Firebox System Manager
The Firebox System Manager is a group of software tools that operate from one location which we call the management station. The Firebox System Manager lets you configure and monitor your network security policy. The Firebox System Manager includes:
Policy Manager
The Policy Manager lets you install, configure, and customize a network security policy.
Log Viewer
The Log Viewer shows a static view of a log file. It lets you:
- Apply a filter by data type
- Search for words and fields
- Print and save to a file
HostWatch
HostWatch shows the connections through a Firebox from the trusted network to the external network. It shows the current connections, or it can show the connections from a list in a log file.
Historical Reports
These HTML reports give data to use when you monitor or troubleshoot the network. The data can include:
- Type of session
- Most active hosts
- Most used services
- URLs
- Other important information
WatchGuard network security features
WatchGuard System Manager includes more than the basic configuration for your network security policy. It also gives you:
• User authentication
• Network address translation
• Remote user virtual private networking (RUVPN)
• Branch office virtual private networking (BOVPN)
• Intrusion detection and prevention
WatchGuard LiveSecurity® Service
The special LiveSecurity service makes the maintenance of network security easy. The WatchGuard Rapid Response Team sends frequent e-mail information alerts, software updates, and security alarms to help you protect your network.
Minimum Hardware and Software
This section tells you about the hardware and software requirements that are necessary to install and operate WatchGuard System Manager.
Software requirements
WatchGuard System Manager software can run on Microsoft Windows 2000, Windows 2003, or Windows XP as follows:
Windows 2000
• Microsoft Windows 2000 Professional or Windows 2000 Server
Windows 2003
• Microsoft Windows 2003 Server
Windows XP
• Microsoft Windows XP
Web browser preconditions
You must have Microsoft Internet Explorer 4.0 or a subsequent version to run the installation from the CD. WatchGuard recommends one of these HTML-based browsers to look at the WatchGuard Online Help:
• Netscape Communicator 4.7 or a subsequent version
• Microsoft Internet Explorer 5.01 or a subsequent version
Hardware preconditions
The table that follows shows the necessary minimum and recommended hardware.
Hardware part      Minimum    Recommended
Memory             128 MB     256 MB
Processor          700 MHz    1.4 GHz
Hard disk space    100 MB     1 GB
WatchGuard Options
WatchGuard optional software allows WatchGuard System Manager to provide more features and services.
The options that follow are available for WatchGuard System Manager.
Firebox X 3-Port Upgrade
This option lets you operate three more network ports on your Firebox X. You can use the added ports to set up DMZs for public servers or to give protection to more internal components of your network with your Firebox. When you add this upgrade to your Firebox X, you get more functions. These functions operate with the same configuration tools and processes as your optional port.
Firebox X Model Upgrade
If you have a Firebox X500, you can use this upgrade to make your Firebox operate as a Firebox 700, 1000, or 2500.
VPN Manager
WatchGuard VPN Manager is a central module that sets up and controls the network security for organizations that do their work through the Internet. The task to set up virtual private networks (VPNs) at many different sites is not easy. But, the WatchGuard VPN Manager changes this task into an easy procedure of three steps. VPN Manager sets a new standard for Internet security. It lets you automatically set up, control, and monitor IPSec VPN tunnels between your headquarters, branch offices, telecommuters, and remote users.
High Availability
WatchGuard High Availability software lets you install a second Firebox on your network. If your primary Firebox fails, the second Firebox automatically starts. This gives your customers, business partners, and personnel continuous access and security to your network.
Mobile User VPN
Mobile User VPN is the WatchGuard IPSec version of virtual private networking for remote users. Mobile User VPN connects personnel who do their work at a remote location to the networks behind a Firebox. They can do this with a standard Internet connection, without an unwanted effect on the network security. It is easy to use the WatchGuard Mobile User VPN software in the WatchGuard System Manager.
Also, Mobile User VPN lets your remote users connect safely to your network. VPN is encrypted with DES or 3DES-CBC, and authenticated through MD5 or SHA-1.
SpamScreen
SpamScreen helps to control spam. Spam is e-mail sent to you or your users without their approval.
Spam has unwanted effects on your network resources, for example:
• Bandwidth on your Internet connection
• Space on the hard disk
• CPU time of your e-mail server
• Personnel time to read and remove it.
WatchGuard SpamScreen identifies spam as it comes through the Firebox. You can stop spam at the Firebox or tag it to easily identify it.
BOVPN Upgrade
The factory default Firebox III 500 or Firebox X500 do not support branch office VPN (BOVPN). But, you can install the BOVPN Upgrade option to use BOVPN on a Firebox 500.
The Firebox X700, Firebox X1000, and Firebox X2500 support BOVPN. But, you must register the device with the LiveSecurity Service to get the BOVPN feature key. BOVPN is the factory default on other models.
Get WatchGuard Options
You can get WatchGuard options from your local reseller. For more information about the sale of WatchGuard systems, go to: http://www.watchguard.com/sales/
Controlling and Enabling License Keys
To enable a WatchGuard option, you must add it to the Licensed Features dialog box. You can also use this dialog box to look at license key properties or remove license keys.
1 From Policy Manager, click Setup > Licensed Features .
The Licensed Features dialog box appears.
2 Click Add .
3 In the Add/Import License Keys dialog box, type your license key or click Browse and find it on your network. Click OK .
The new license appears on the Licensed Features dialog box.
4 To look at the properties of the license key, select the license key and click Properties .
To remove a license key, select the license key and click Remove .
About this User Guide
The function of this User Guide is to help the users of the WatchGuard System Manager. It tells the user how to:
• Install and configure a basic network security system
• Control the configuration of their network security system and to make it better.
• Manage and do maintenance of the system.
The users of this guide have a wide range of experience and expertise in network management and network security. The end user of the WatchGuard System Manager is usually the network administrator of a small, medium or large company.
There are references in the guide to the FAQs, which are on the online pages. To get access to the FAQs, you must have a subscription to the LiveSecurity Service.
The data in this guide obeys these rules:
• Unless described differently, the term “Firebox” and all illustrations refer to both the Firebox III and the Firebox X.
• In the procedures, the visual parts of the user interface, such as buttons, menu items, dialog boxes, text boxes, buttons, and tabs are shown in boldface.
• Menu items with arrows (>) between them show the sequence you must select them from the menus. For example, File > Open > Configuration File tells you to select Open from the File menu, and then Configuration File from the Open menu.
• Code, messages, and file names are shown in monospace font. For example, .wgl and .idx files.
• In command syntax, variables are shown in italics. For example: fbidsmate import_passphrase.
• Optional command parameters are shown in square brackets.
CHAPTER 2
Service and Support
No Internet security solution is complete without regular updates and security information. New threats appear each day — from the newest hacker to the newest bug in an operating system — and each can cause damage to your network systems. The LiveSecurity® service sends security solutions directly to you to keep your security system in the best condition. Training and technical support are available on the WatchGuard Web site to help you learn more about network security and your WatchGuard products.
LiveSecurity® Service Solutions
The number of new security problems and the volume of information about network security continue to increase. We know that a firewall is only the first component in a full security solution. The WatchGuard Rapid Response Team is a dedicated group of network security personnel who can help you to control this problem of too much information. They monitor the Internet security Web sites for you, to identify new security problems as they start.
Threat responses, alerts, and expert advice
After a new threat is identified, the WatchGuard Rapid Response Team sends you an e-mail to tell you about the problem. Each message gives full information about the type of security problem and the procedure you must use to make sure that your network is safe from attack.
Easy software updates
The LiveSecurity service saves you time because you receive an e-mail when we release a new version of the WatchGuard System Manager software. Installation wizards, release notes, and a link to the software update make for a fast and easy installation. These continued updates make sure that you do not have to use your time to find new software.
Access to technical support and training
You can find information about your WatchGuard products quickly with our many online resources. You can also speak directly to one of the WatchGuard technical support personnel. Use our online training to learn more about the WatchGuard System Manager software, Firebox, and network security.
LiveSecurity® Broadcasts
The WatchGuard Rapid Response Team regularly sends messages and software information directly to your computer desktop by e-mail. We divide the messages into categories to help you to identify and make use of incoming information immediately.
Information Alert
Information Alerts give you a fast view of the newest information and threats to Internet security. The WatchGuard Rapid Response Team frequently recommends that you make a security policy change to protect against the new threat. When necessary, the Information Alert includes instructions on the procedure.
Threat Response
If a new security threat makes it necessary, the WatchGuard Rapid Response Team transmits a software update for your Firebox. The Threat Response includes information about the security threat and instructions on how to download a software update and install it on your Firebox and management station.
Software Update
When necessary, WatchGuard updates the WatchGuard System Manager software. Product upgrades can include new features and patches. When we release a software update, you get an e-mail with instructions on how to download and install your upgrade.
Editorial
Each week, top network security personnel come together with the WatchGuard Rapid Response Team to write about network security. This continuous supply of information can help you to keep your network safe and secure.
Foundations
The WatchGuard Rapid Response Team also writes information specially for security administrators, employees and other personnel that are new to this technology.
Loopback
At the end of each month LiveSecurity sends you an e-mail with a summary of the information sent that month.
Support Flash
These short training messages can help you to operate the WatchGuard System Manager. They are an added resource to the other online resources:
- Online Help
- FAQs
- Known Issues pages on the Technical Support Web site
Virus Alert
WatchGuard has come together with antivirus vendor McAfee to give you the most current information about computer viruses. Each week, we send you a message with a summary of the virus traffic on the Internet. When a hacker releases a dangerous virus on the Internet, we send a special virus alert to help you protect your network.
New from WatchGuard
When WatchGuard releases a new product, we first tell you — our customers. You can learn more about new features and services, product upgrades, hardware releases, and customer promotions.
Activating the LiveSecurity® service
You can activate the LiveSecurity service through the Quick Setup Wizard on the CD-ROM. Or, you can activate it through the activation section of the LiveSecurity Web pages. There is information about the Quick Setup Wizard in the QuickStart Guide and in the “Getting Started” chapter of this book.
Note
To activate the LiveSecurity service, you must enable JavaScript on your browser.
To activate the LiveSecurity service through the Web:
1 Make sure that you have the LiveSecurity license key and the Firebox serial number. These are necessary during the LiveSecurity activation procedure.
- You can find the Firebox serial number in two locations. First, on a small silver label on the outer side of the Firebox package. Second, on a label on the rear side of the Firebox, below the Universal Product Code (UPC) symbol.
- The license key number is on the WatchGuard LiveSecurity License Key certificate. Make sure that you type it the same as it is shown on the key. Include the hyphens.
2 Using your Web browser, go to: www.watchguard.com/account/register.asp
The Account page appears.
3 Complete the LiveSecurity Activation page. Use the TAB key or the mouse to move through the fields on the page.
You must complete all the fields to activate correctly. This information helps WatchGuard to send you the information and software updates that are applicable to your products.
4 Make sure that your e-mail address is correct. After you complete the procedure, you get an e-mail message that tells you that you activated the LiveSecurity service satisfactorily. All your LiveSecurity e-mail will come to this address.
5 Click Register .
LiveSecurity® Self Help Tools
Online Self Help Tools enable you to get the best performance from your WatchGuard products.
Note
You must activate the LiveSecurity service before you can access online resources.
Basic FAQs
The Basic FAQs (frequently asked questions) give general information about the Firebox and the WatchGuard System Manager software. They are written for the customer who is new to network security and to WatchGuard products.
Advanced FAQs
The Advanced FAQs (frequently asked questions) give you important information about configuration options and operation of systems or products. They add to the information you can find in this User Guide and in the Online Help system.
Known Issues
We know that software products can have bugs. We keep a list of Known Issues to help you find and to configure around these problems in our products until a software update repairs them.
Interactive Support Forum
The WatchGuard Technical Support team operates a Web site where our customers can send messages about WatchGuard products. Technical Support monitors this Web site and writes messages when it is necessary to answer customer problems.
Online Training
Browse to the online training section to learn more about network security and WatchGuard products. You can read training materials and get a certification in our products. The training includes links to a wide range of documents and Web sites about network security. The training is divided into parts which lets you use only the materials you feel necessary. To learn more about online training, browse to: www.watchguard.com/training/courses_online.asp
Learn About
This is a list of all resources available for a specified product or feature. It is a site map for the feature.
Online Help
There is a copy of the online help system for all WatchGuard products on our Technical Support Web site. You install a copy of the online help when you install WatchGuard System Manager software. The version of online help on our Web site is the most current and includes corrections of errors we find.
Product Documentation
We keep a copy of each user guide we release to customers on our Web site. This includes user guides for versions of software which we do not continue to give technical support. The user guides are in PDF format.
General Firebox X Edge and Firebox SOHO Resources
This section of our Web site shows basic information and links for Firebox X Edge and Firebox SOHO customers. It can help you to install and use the Firebox X Edge and SOHO 6 hardware.
To get access to the LiveSecurity Self Help Tools :
1 Start your Web browser. In the address bar, type: www.watchguard.com
2 Click Support .
3 Log in to the LiveSecurity service.
4 In the Self Help Tools section, click your selection.
WatchGuard Users Forum
The WatchGuard Users Forum is an online group. It lets the users of WatchGuard products interchange ideas, questions, and information about the product, for example:
• Configuration
• Connecting WatchGuard products and those of other companies
• Network policies
This forum has different categories that you can use to look for information. The WatchGuard Technical Support team controls the forum during regular work hours. Do not use the forum to tell the WatchGuard Technical Support team about problems you have with your Firebox. You must use the Web interface or the telephone to tell WatchGuard Technical Support directly.
Using the WatchGuard Users Forum
To use the WatchGuard Users Forum you must first create an account:
1 Browse to: www.watchguard.com. Click Support . Log in to the LiveSecurity service.
2 Below Self Help Tools , click Interactive Support Forum .
3 Click Create a User Forum account .
4 Type your information in the page. Click Create .
You must select a user name and password. They must be different from the user name and password for your LiveSecurity service.
WatchGuard Users Group
The WatchGuard Users Group is an e-mail discussion list. It lets the users of WatchGuard products send and receive messages from other users. Because WatchGuard does not control the group, you can not use the group to tell the WatchGuard Technical Support team about problems you have with your Firebox. You must use the Web interface or the telephone to tell WatchGuard Technical Support directly. To learn more about the WatchGuard Users Group, browse to: lists.watchguard.com/mailman/listinfo/wg-users
Online Help
WatchGuard Online Help is a Web system that can operate on most computer operating systems. We release each version of our software products with a full online help system. You can find these online help systems at: www.watchguard.com/help
A static version of the Online Help system is installed automatically with the WatchGuard System Manager software. You can find it in a subdirectory of the installation folder with the name Help . The live version of the Online Help on the Web site includes corrections to all errors found since we released the software.
Starting WatchGuard Online Help
There are two methods to start the Online Help system:
• From the WatchGuard System Manager software, press F1 . Your browser opens and an Online Help page appears. The page has information about the feature you are using.
• Use Windows Explorer or the Run command to open the WatchGuard installation folder. Open the Help folder. Double-click WFSHelp.htm. Your browser opens and the Online Help home page appears. The default folder is:
C:\Program Files\WatchGuard\Help
Searching for information
There are three methods to search for information in the WatchGuard Online Help system:
Contents
The Contents tab shows a list of categories in the Online Help system. Double-click a book to expand a category. Click a page title to look at the contents of that category.
Index
The index shows a list of the words that are in the Online Help system. Type the word, and the list automatically goes to those words that start with the typed letters. Click a page title to look at the contents.
Search
The Search feature is a full text search of the Online Help system. Type a word and press ENTER. A list shows the categories that contain the word. The Search feature does not operate with AND, OR, or NOT operators.
Copy the Online Help system to more computers
You can copy WatchGuard Online Help from the management station to a second computer. When you do this, copy the full Online Help folder from the WatchGuard installation directory on the management station. You must include all subdirectories.
Software Requirements
• Internet Explorer 4.0 or a subsequent version
• Netscape Navigator 4.7 or a subsequent version
Operating system
• Windows 2000, Windows 2003 Server, or Windows XP
• Sun Solaris
• Linux
Product Documentation
We copy all the user guides we release to our Web site at: www.watchguard.com/help/documentation/
Technical Support
Your LiveSecurity service subscription includes technical support for the WatchGuard System Manager software and Firebox hardware. To learn more about WatchGuard Technical Support, browse to the WatchGuard Web site at: www.watchguard.com/support
Note
You must activate the LiveSecurity service before you can get technical support.
LiveSecurity® Technical Support
All new Firebox products include the WatchGuard LiveSecurity Technical Support service. You can speak with the WatchGuard Technical Support team when you have a problem with the installation, management or configuration of your Firebox.
Hours
WatchGuard LiveSecurity Technical Support operates from 6:00 AM to 6:00 PM in your local time zone, Monday through Friday.
Telephone Number
877.232.3531 in United States and Canada
+1.206.613.0456 in all other countries
Web Site
http://www.watchguard.com/support
Service Time
We try to supply a solution in a maximum time of four hours.
Type of Service
There is technical support available for special problems with the installation and continued maintenance of the Firebox and SOHO systems.
Single Incident Priority Response Upgrade (SIPRU) and Single Incident After Hours Upgrade (SIAU) are also available. For more data about these upgrades, refer to the WatchGuard Web site at: http://www.watchguard.com/support
LiveSecurity® Gold
WatchGuard Gold LiveSecurity Technical Support adds to your standard LiveSecurity service. We recommend that you buy this upgrade if your company uses the Internet or VPN tunnels for most of your work.
With WatchGuard Gold LiveSecurity Technical Support you get:
• Live technical support 24 hours a day, seven days a week.
• The Priority Technical Support Team operates our support center continuously from 7 PM Sunday to 7 PM Friday (Pacific Time).
• We try to supply a solution to your problem in a maximum time of one hour.
• If a technician is not immediately available to help you, an administrator records your problem. The administrator gives you an incident number. The Priority Technical Support team will speak to you when they become available.
Firebox Installation Service
WatchGuard Remote Firebox Installation Service helps you to install and configure your Firebox. You can schedule a two hour time with one of our WatchGuard Technical Support team. During this time, the technician helps you to:
• Do an analysis of your network and security policy
• Install the WatchGuard System Manager software and Firebox hardware
• Align your configuration with your company security policy
This service does not include VPN installation.
VPN Installation Service
WatchGuard Remote VPN Installation Service helps you through a full VPN installation. You can schedule a two hour time with one of the WatchGuard Technical Support team. During this time, the technician helps you to:
• Do an analysis of your VPN policy
• Configure your VPN tunnels
• Do a test of your VPN configuration
You can use this service after you correctly install and configure your Fireboxes.
Training and Certification
WatchGuard product training is available online to help you learn more about network security and WatchGuard products. You can find training materials on our Technical Support Web site and prepare for a certification exam. The training materials include links to books and Web sites with more information about network security.
WatchGuard product training is also available at a location near you through a large group of WatchGuard Certified Training Partners (WCTPs). Training partners give training using certified training materials and with WatchGuard hardware. You can install and configure our products with an advanced instructor and system administrator to help you learn.
CHAPTER 3
Getting Started
The WatchGuard System Manager includes a Firebox and a management station to protect your network from attack. You put the Firebox between the Internet and your trusted computers. You then use the software installed on the management station to configure and monitor your Firebox. This chapter tells you how to install WatchGuard System Manager into your network.
To install the WatchGuard System Manager software, you must:
• Collect your network addresses and information
• Select a firewall configuration mode
• Configure the management station
• Connect the Firebox Ethernet cables
• Use the Quick Setup Wizard to make a basic configuration file
• Put the Firebox into operation on your network
For a summary of this information, see the WatchGuard Firebox Quick Start Guide that is included with your Firebox.
Note
This chapter gives the default information for a Firebox with the three interface configuration. If you have the Firebox X 3-Port Upgrade, use the same configuration tools and procedures in the instructions for your optional port.
Before you install WatchGuard System Manager, make sure that you have these items:
• WatchGuard Firebox X hardware device
• The Quick Start Guide
• User documentation
• WatchGuard System Manager CD-ROM
• A serial cable (blue)
• Three crossover Ethernet cables (red)
• Three straight Ethernet cables (green)
• Power cable
• LiveSecurity service license key
Updating Your Software and Configuration
This chapter is for new WatchGuard System Manager installations only. If you have an installed configuration, you can open the configuration file with the Policy Manager. The software tells you to change to the new version.
If there is more than one version of software between your installed configuration and the current software, you can have problems when you install the upgrade. If problems do occur, you can use the Quick Setup Wizard to make a new configuration file. You can also install one upgrade version at a time until you get to the current version of the software.
Collecting Network Information
We recommend that you use the tables that follow to prepare for the installation procedure.
License Keys
Collect your license key certificates. WatchGuard System Manager comes with a LiveSecurity service key that enables your subscription to the LiveSecurity service. For more information about this service, see Chapter 2, “Service and Support.” High Availability, Gateway AntiVirus, and SpamScreen are optional products. You get the license keys for these products when you buy them. For more information about optional products, see Chapter 1, “Introduction.”
Network addresses
We recommend that you make two tables when you configure your network. Use Table 4 for your network IP addresses before you put the Firebox into operation.
WatchGuard uses slash notation to show the subnet mask.
Table 4: Network IP Addresses Without the Firebox
Wide Area Network                       _____._____._____._____ / ____
Default Gateway                         _____._____._____._____
Local Area Network                      _____._____._____._____ / ____
Secondary Network (if applicable)       _____._____._____._____ / ____
Public Server(s) (if applicable)        _____._____._____._____
                                        _____._____._____._____
Remote Network Router (if applicable)   _____._____._____._____
                                        _____._____._____._____
Use Table 5 for your network IP addresses after you put the Firebox into operation.
External interface
Connects to the external network (typically the Internet), which is the source of the security threat.
Trusted interface
Connects to the private LAN or internal network that it is necessary to protect.
Optional interface(s)
Connects to the DMZ or the mixed trust area of your network. The default Firebox X and Firebox III models have one optional interface. You can buy a 3-Port Upgrade for the Firebox X to give you a total of four optional interfaces. Use an optional interface to create zones in your network with different levels of access. Usually, you install the Web, e-mail, and FTP servers on this interface.
Table 5: Network IP Addresses With the Firebox
Default Gateway                         _____._____._____._____
External Network                        _____._____._____._____ / ____
Trusted Network                         _____._____._____._____ / ____
Optional Network                        _____._____._____._____ / ____
Secondary Network (if applicable)       _____._____._____._____ / ____
Selecting a Firewall Configuration Mode
Before you install the WatchGuard System Manager, you must make a decision on how the firewall can be a part of your network. This decision controls the configuration of the Firebox interfaces. To install the Firebox into your network, select the configuration mode that is most equivalent to your current network.
There are two configuration modes: a routed configuration or a drop-in configuration. Many networks operate the best with a routed configuration. But we recommend the drop-in mode if:
• You have a large number of public IP addresses
• You have a static external IP address
• You can not configure the computers on your trusted and optional networks that have public IP addresses with private IP addresses.
Table 6 shows three conditions which can help you to select a firewall configuration mode. We then give more information about each mode.
Table 6: Selecting the Configuration Mode
Condition 1
  Routed Configuration: All interfaces of the Firebox are on different networks. The minimum configured interfaces are external and trusted.
  Drop-in Configuration: All interfaces of the Firebox are on the same network and have the same IP address (proxy ARP).
Condition 2
  Routed Configuration: Trusted and optional interfaces must be on different networks. The IP addresses must be from those networks.
  Drop-in Configuration: The machines on the trusted or optional interfaces can have a public IP address. The two interfaces must have IP addresses on the same network.
Condition 3
  Routed Configuration: Use static NAT to map public addresses to private addresses behind the trusted or optional interfaces.
  Drop-in Configuration: The machines that have public access have public IP addresses. Thus, no static NAT is necessary.
Routed configuration
You use the routed configuration when you have a small number of public IP addresses or when your
vate networking.
In a routed configuration, you install the Firebox with different logical networks and network addresses on its interfaces. The public servers behind the Firebox use private IP addresses. The Firebox uses network address translation (NAT) to route traffic from the external network to the public servers.
Routed Configuration Mode
The requirements for a routed configuration are:
• All interfaces of the Firebox must be on different logical networks. The minimum configuration includes the external and trusted interfaces. You can also configure one or more optional interfaces.
• All devices behind the trusted and optional interfaces must have an IP address from that network. For example, a computer on the trusted interface in the following illustration can have an IP address of 10.10.10.200 but not 192.168.10.200 which is on the optional interface.
Drop-in configuration
With a drop-in configuration, the Firebox uses the same network for all of its interfaces. You must configure all of the interfaces. When you install the Firebox between the router and the LAN, it is not necessary to configure the local computers again. The public servers behind the Firebox continue to use public IP addresses. The Firebox does not use network address translation to route traffic from the external to your public servers.
Drop-In Configuration
The properties of a drop-in configuration are:
• You use one logical network for all three interfaces.
• The Firebox uses proxy ARP. The trusted interface ARP address replaces the ARP address of the router. It then resolves Address Resolution Protocol (ARP) data for those devices behind the Firebox that cannot receive the transmitted data.
• During installation, it is not necessary to change the TCP/IP properties of computers on the trusted and optional interfaces. Although the router cannot receive the transmitted ARP data from the trusted host, the Firebox continues to resolve this data for the router.
• Usually, the Firebox is the default gateway as an alternative to the router.
• You must flush the ARP cache of all computers on the trusted network.
• A large part of a LAN is on the trusted interface because there is a secondary network for the LAN.
With a drop-in configuration you do not have to change the configuration of the computers on the trusted network that have a public IP address. But, a drop-in configuration is frequently not easy to manage. It can also be less easy to troubleshoot problems.
Adding secondary networks to your configuration
A secondary network is a different network that connects to a Firebox interface with a switch or hub.
When you add a secondary network, you map an IP address from the secondary network to the IP address of the Firebox interface. Thus, you make (or add) an IP alias to the Firebox interface. This IP alias is the default gateway for all the devices on the secondary network. The secondary network also tells the Firebox that there is one more network on the Firebox interface.
To add a secondary network, do one of the following:
Use the Quick Setup Wizard during installation
1 Type the IP addresses for the Firebox interfaces into the Quick Setup Wizard.
2 Select the check box if you have “an additional private network behind the Firebox”.
The added private network becomes the secondary network on the trusted interface. For more information about the Quick Setup Wizard, see “Using the Quick Setup Wizard” on page 23.
Add the secondary network after installation
Dynamic IP support on the external interface
If you use dynamic IP addressing, you must select routed configuration.
If you select the Dynamic Host Configuration Protocol (DHCP), the Firebox asks a DHCP server controlled by your Internet Service Provider (ISP) for an IP address, gateway, and netmask. The DHCP server can also give WINS and DNS server information to your Firebox. If it does not give you that information, you must add it manually to your configuration. Refer to “Adding WINS and DNS Server Addresses” on page 41. If necessary, you can change the WINS and DNS values that your ISP gives you.
Point-to-Point Protocol over Ethernet (PPPoE) is also available. As with DHCP, the Firebox makes a PPPoE protocol connection to the PPPoE server of your ISP. This connection automatically configures your IP address, gateway, and netmask. But, PPPoE does not give you the DNS and WINS server information as DHCP does.
If you use PPPoE on the external interface, you must have the PPP user name and password to configure your network. The user name and password can each be up to 256 bytes long. When you configure the Firebox to receive dynamic IP addresses, the Firebox cannot use the functions for which a static IP address is necessary: High Availability, Drop-in mode, 1-to-1 NAT, and the Firebox as a DVCP server. If your ISP uses a static IP address with DHCP or PPPoE, you can enable these features because the IP
Note
BOVPN with Basic DVCP is not available on Firebox III 500 unless you have the BOVPN Upgrade. It is available on the Firebox X700, Firebox X1000, and Firebox X2500 if you register the device with LiveSecurity Service.
External aliases and 1-to-1 NAT are not available when the Firebox is a PPPoE client. Manual IPSec tunnels are not available when the Firebox is a DHCP or PPPoE client.
Setting Up the Management Station
The management station uses the WatchGuard System Manager software. This software shows the traffic through the firewall, the connection status, and VPN tunnel status. The WatchGuard Security Event
Processor (WSEP) receives and saves the log messages.
Select one computer on your network as the management station and install the management software as follows:
1 Put the WatchGuard System Manager CD-ROM into the CD-ROM drive of the computer. If the installation wizard does not appear automatically, double-click install.exe in the root directory of the CD-ROM.
2 Click Download Latest Software on the WatchGuard System Manager Installation screen. This starts your Web browser and connects your computer to the WatchGuard Web site.
If you do not have an Internet connection, install the software directly from the CD-ROM. If you use this procedure, you cannot get Technical Support, strong encryption, or VPN features until you enable the LiveSecurity service.
3 Use the instructions on the screen to activate your LiveSecurity service subscription.
4 Download the WatchGuard System Manager software. The speed of your Internet connection sets the time to download the software.
Make sure that you write down the name and the path of the file when you save it to your hard drive.
5 Open the downloaded file and use the instructions on the screens to help you through the installation.
The Setup tool includes a screen in which you select the parts of the software or the upgrades to install. An added license is necessary when you install some parts of the software.
options or upgrades, refer to the WatchGuard Web site.
6 At the end of the installation wizard, a check box appears that you can select to start the Quick Setup Wizard. Make sure that you install the cables of the Firebox before you start the Quick Setup Wizard.
A check box appears that you can select to download a new WebBlocker database. You can download the database at this or a different time. The database is more than 60 megabytes. For more information about the WebBlocker database, see Chapter 15, “Controlling Web Site Access.”
Software encryption levels
The management station software is available in two encryption levels.
• Base — Uses 40-bit encryption
• Strong — Uses 128-bit 3DES encryption.
A minimum of 56-bit encryption is necessary for the IPSec standard. To use virtual private networking with IPSec or PPTP, you must download the Strong encryption software.
There are export limits in many countries which apply to the Strong encryption software. It is possible that it is not available for download in your country. For more information, refer to the online resources at: www.watchguard.com/support/AdvancedFaqs/bovpn_ipsecgrey.asp
You must have a valid LiveSecurity user name and password to connect to this resource.
If you use a serial cable
Refer to this diagram when you connect the cables for the Firebox.
• Use the blue serial cable to connect the Firebox serial port (CONSOLE) to the management station COM port.
• Use the red crossover cable to connect the Firebox trusted interface to the management station Ethernet interface.
• Connect the power cable to the Firebox and to a power source.
If you connect through a hub
• Use the red crossover cable to connect the Firebox trusted interface to the management station Ethernet interface.
• Connect the power cable to the Firebox and to a power source.
Using the Quick Setup Wizard
After you configure the management station and connect the Firebox, use the Quick Setup Wizard to make a basic configuration file. The Firebox uses this basic configuration file when it starts for the first time. This enables the Firebox to operate as a simple firewall. This basic configuration is secure but you must do more configuration to make it applicable to your security policy.
The Quick Setup Wizard also saves a basic configuration file with the name wizard.cfg to the hard disk of the management station. Use Policy Manager to expand or change the basic Firebox configuration. When you do this, use wizard.cfg as the base file to which you make the changes. For more information about how to change a configuration file, see Chapter 5, “Use Policy Manager to Configure Your Network.” You can also run the Quick Setup Wizard again at a different time to make a new, basic configuration file.
Note
When you use the Quick Setup Wizard again, it fully replaces the configuration file. Make a copy of the configuration file on the flash disk to use in an emergency. Refer to the Firebox System Area chapter in the Reference Guide.
Start the Quick Setup Wizard from the Windows desktop. Click Start > Programs > WatchGuard > Quick Setup Wizard.
Refer to the tables and network diagrams in “Collecting Network Information” on page 16 to help you complete the wizard.
The Quick Setup Wizard takes you through the steps that follow:
Select a configuration mode
Select a routed or a drop-in configuration mode. If High Availability is installed, we recommend that you use Policy Manager as an alternative to the Quick Setup Wizard to configure this feature. For more information about routed or drop-in configurations, see “Selecting a Firewall Configuration Mode” on page 17. For information about High Availability, refer to the High Availability Guide.
Configure the external interface
Enter the Firebox interface IP address or addresses
Type the IP address or addresses for the Firebox interfaces. Your selected configuration (routed or drop-in mode) controls which addresses you must type. You can also add a secondary network to your trusted interface if you select the additional private network behind the Firebox check box.
Enter the Firebox Default Gateway
This text box is not applicable if you use DHCP or PPPoE on the external interface. Type the IP address of the default gateway, which is usually the IP address of your Internet router. This IP address must be on the same network as the Firebox external interface. If the IP address is not on the same network, a dialog box appears with a warning. Then you must make a decision to continue or not.
Configure the Public Servers
This text box is not applicable if you use DHCP or PPPoE on external interface. Select the check box and type the IP address of the public servers on your network.
Select the Firebox Name
This text box is only applicable if you use DHCP or PPPoE. Type a name that identifies the Firebox in management and log tools. You can use all characters but a space or a slash (/ or \). This name does not have to be a DNS or host name.
Make a Passphrase
Passphrases are case-sensitive and must be a minimum of seven characters long. They can be a selection of letters, numbers, and special characters. You must type two passphrases, a status passphrase and a configuration passphrase. You use the status passphrase to make a read-only connection to the Firebox. You use the configuration passphrase to make a read/write connection to the Firebox.
Select a Connection Procedure
Select the procedure to use when you connect the cables. Type a temporary IP address for the Firebox. This lets the management station transmit data to the Firebox to complete the installation procedure. The IP address must be a new IP address on the same network as the management station.
Do a test on the connection
After you complete the Quick Setup Wizard, you must do a test on the connection to the Firebox through the management station. The Firebox temporary IP address must be on the same network as the management station. If it is not, the management station and Firebox cannot connect and the management station cannot get status information for the Firebox.
You can remove the blue serial cable from the management station and Firebox after the Quick Setup Wizard is completed.
Enter the IP addresses
You usually type the IP addresses in text boxes that are almost the same as the one below.
When you type the IP addresses, type the digits and periods in the correct sequence. Do not use the TAB key, arrow key, spacebar, or mouse to put your cursor after the periods. For example, if you type the IP address 172.16.1.10, do not type a space after you type “16.” Do not try to put your cursor after the subsequent period to type “1.” Type a period directly after “16,” and then type “1.10.” Push the slash (/) key to move to the netmask.
Use slash notation to type the netmask. In slash notation, one number shows how many bits of the IP address identify the network that the host is on. A netmask of 255.255.255.0 has a slash equivalent of 8+8+8=24. For example, an IP address 192.168.42.23/24 is equivalent to an IP address of 192.168.42.23 with a related netmask of 255.255.255.0. The table that follows shows the network masks and their slash equivalents.
Network mask       Slash equivalent
255.0.0.0          /8
255.255.0.0        /16
255.255.255.0      /24
255.255.255.128    /25
255.255.255.192    /26
255.255.255.224    /27
255.255.255.240    /28
255.255.255.248    /29
255.255.255.252    /30
Put the Firebox into operation on your network
The installation of your Firebox is done. At this time, you can use the Firebox as a basic firewall with the properties that follow. The Firebox:
• Lets through all outgoing traffic
• Stops all incoming traffic unless it is ping on the external interface
• Sends log information to the WatchGuard Security Event Processor on the management station
Complete the steps that follow to put the Firebox into operation on your network:
• Put the Firebox in its permanent location.
• Connect the Firebox to your network.
• If you use a routed configuration, change the default gateway on all computers that you connect to the Firebox to the Firebox trusted IP address.
After your Installation
You have installed, configured, and put your new WatchGuard System Manager into operation on your network. Here is some more information to think about as a new customer.
Align your security policy
Your security policy controls who can get into your network, where they can go, and who can get out.
The configuration file of your Firebox makes the security policy.
The configuration file that you make with the Quick Setup Wizard is only a basic configuration. You must make a configuration file that aligns your security policy with your requirements. To do this, you can add more filtered and proxied services. These services expand the traffic you let in and out of your firewall.
Each service can have an effect on your network. The services that increase your network security can decrease the access to your network. The services that increase the access to your network can decrease your network security. When you select these services, you must select a range of balanced services.
Some services that organizations usually add are HTTP (Internet service) and SMTP (e-mail service). Usually, for a new installation, we recommend that you use only filtered services until all your systems operate correctly. Then, as necessary, you can add proxies when you know more about them.
For more information about services, see:
• Chapter 8, “Configuring a Service.”
• Chapter 9, “Configuring Proxied Services.”
Features of the LiveSecurity® Service
Your Firebox includes a subscription to the LiveSecurity Service. Your subscription:
• Makes sure that you get the newest network protection with the newest software upgrades
• Gives solutions to your problems with full technical support resources
• Provides messages and configuration help to prevent the newest network security problems
• Helps you to find out more about network security through training resources
• Extends your network security with included software, applicable features, and other special items.
CHAPTER 4
Basic Firebox Configuration
This chapter gives instructions for the basic Firebox configuration and maintenance tasks. It includes how to:
• Open a configuration file
• Save a configuration file to a local computer or the Firebox
• Change the Firebox passphrases
• Set the Firebox time zone
• Set a Firebox friendly name.
Firebox Description
A WatchGuard Firebox is a specially made computer which you use to protect a company network. The base model has three different interfaces. This lets you isolate your office network from the Internet. It also lets you use Web, e-mail, or FTP servers on an optional public interface. You can add more interfaces to the Firebox X with an additional license. The Firebox III has only three interfaces. The Firebox monitors each interface independently. It gives a visual indication of the operational status on the front panel of the Firebox.
Note
There are no parts in the Firebox that a user can repair. If a user opens the case of a Firebox, the limited hardware warranty is cancelled.
The usual and best location for a Firebox is directly behind the Internet router. See the figure that follows:
The other parts of the WatchGuard System Manager network are:
Management station
The computer on which you install and operate the WatchGuard System Manager software.
WatchGuard Security Event Processor
The computer that receives and saves the log messages and sends notifications. You can configure the management station to also operate as the event processor.
Trusted network
The network behind the firewall that must have the protection from security problems. Usually you allow no access to the trusted network.
External network
The network that is the source of your security problems, usually the Internet.
Optional network or networks
These networks have the protection of the firewall but you can allow access to them from the trusted and the external networks. You usually use the optional networks for public servers. For example, FTP or Web servers.
Opening a Configuration File
The Policy Manager is a software tool that lets you make, change, and save configuration files. A configuration file, with the extension .cfg, contains all configuration data, options, addresses, and other information that makes your Firebox security policy. When you use the Policy Manager, you see a version of your configuration file that is easy to examine and to change.
This section tells you how to open a configuration file. You can do this only after you use the Quick Setup Wizard and save a basic configuration file to the Firebox or to your local hard drive. If you have not used the Quick Setup Wizard, refer to Chapter 5, “Use Policy Manager to Configure Your Network” for information on how to make a basic configuration.
1 Click Start > Programs > WatchGuard > Firebox System Manager.
2 If the software tells you to use the Quick Setup Wizard, click Continue.
3 If the software tells you to connect to the Firebox, click Cancel.
4 From the Firebox System Manager, click the Policy Manager icon.
At this time, you can open a configuration from the Firebox or from the local hard disk. Refer to the subsequent two sections.
Opening a configuration from the Firebox
From Policy Manager:
1 Click File > Open > Firebox.
The Open Firebox dialog box appears. Refer to the figure below.
2 From the Firebox drop-down list, select a Firebox.
You can also type the IP address or host name.
3 In the Passphrase text box, type the Firebox status (read-only) passphrase. Click OK.
Use the status passphrase to monitor traffic and Firebox condition. You must use the configuration passphrase to save a new configuration to the Firebox.
4 If necessary, type a value in the Timeout field. This value sets the time (in seconds) that the management station listens for data from the Firebox, before it sends a message that shows that it cannot get data from the device.
Opening a configuration from a local hard disk
1 Click File > Open > Configuration File.
2 Find and select the configuration file you want to open, and then click Open.
Saving a Configuration File
After you make a change to a configuration file, you can save it directly to the Firebox. You can also save it to a local hard disk. When you save a new configuration file directly to the Firebox, the Policy Manager possibly tells you to reboot the Firebox. If the Policy Manager tells you to reboot the Firebox, the new security policy starts only after you reboot the Firebox.
If the Policy Manager does not tell you to reboot the Firebox, the new security policy starts when the Save operation is complete.
If the software version on the management station is different from the version on the Firebox, you must save a new flash image. For information on how to update the Firebox to a new version of the software, see the FAQ: https://www.watchguard.com/support/advancedfaqs/flashdisk_update.asp
Saving a configuration to the Firebox
From Policy Manager:
1 Click File > Save > To Firebox.
You can also press CTRL-T.
2 From the Firebox drop-down list, select a Firebox.
When you type an IP address, type all the numbers and the dots. Do not use the TAB key or arrow key. For more information on how to type the IP address, refer to “Enter the IP addresses” on page 25.
3 In the Passphrase text box, type the Firebox configuration (read/write) passphrase, and then click OK.
The configuration file saves to the local hard disk and then to the primary area of the Firebox flash disk. This causes the software to tell you to save the configuration file to the Firebox, which replaces the configuration that is on the Firebox.
4 If you typed the IP address of a different Firebox, you must confirm your selection. Click Yes.
The Firebox Flash Disk dialog box appears. See the figure below.
5 Select the Save To Firebox check box. To make a backup flash image before you replace it with the new configuration file, click Make Backup of Current Flash Image.
Note
It is not necessary to make a backup of the current flash image each time you change the configuration file. When you back up the current flash image, you must enter an encryption key. It is important you remember this key. You must use this key to restore the Firebox if you save a defective configuration file to the device.
6 If you do not make a backup flash image, click Continue. If you do make a backup flash image, type the encryption key for the Firebox in the Encryption Key text box. In the Confirm text box, type the key again to confirm.
7 If you make a backup flash image, type the path to save the backup image in the Backup Image text box. Click Continue.
You can click Browse to select the location of the backup image.
8 In the Passphrase text box, type the Firebox status (read-only) passphrase and the Firebox configuration (read/write) passphrase. Click OK.
The new flash image saves to the Firebox.
Note
When you make regular changes to a configuration file, a new flash image is not necessary. If you click Save Configuration File Only, that is usually sufficient.
Saving a configuration to the management station
From Policy Manager:
1 Click File > Save As > File.
You can also use CTRL-S. The Save dialog box appears.
2 Type the name of the file.
The default procedure is to save the file to the WatchGuard directory.
3 Click Save.
The configuration file saves to the local hard drive.
Changing the Firebox passphrases
WatchGuard recommends that you change the Firebox passphrases at regular intervals. To do this, you must have the configuration passphrase. From Policy Manager:
1 Open the configuration file from the Firebox.
For more information, refer to “Opening a configuration from the Firebox” on page 29.
2 Click File > Save > To Firebox.
3 From the Firebox drop-down list, select a Firebox or type the IP address of the Firebox. Type the Firebox configuration (read/write) passphrase. Click OK.
The Firebox Flash Disk dialog box appears.
4 Select the Save To Firebox check box. Click Save Configuration File and New Flash Image. Clear the Make Backup of Current Flash Image check box. Click Continue.
5 Type and confirm the new status (read-only) and configuration (read/write) passphrases. The status passphrase must be different from the configuration passphrase. Click OK.
The new flash image and the new passphrases save to the Firebox. The Firebox automatically starts again.
Making your passphrases safer
To create a secure passphrase, we recommend that you:
• Do not use words from standard dictionaries. Do not use them in a different sequence or in a different language. Make a new acronym that only you know.
• Do not use a name. It is easy for a hacker to find a business name, familiar name, or the name of a famous person.
• Use a selection of uppercase and lowercase characters, numbers, and special characters (for example, Im4e@tiN9).
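An added example, not code from the WatchGuard guide: a Python checker that applies the passphrase rules stated above (a minimum of seven characters, a mix of character classes, no dictionary words or names, also not reversed, and a status passphrase that differs from the configuration passphrase). The word and name lists are small constructed stand-ins for the dictionaries the guide refers to.

```python
import re
from typing import Dict, List

# Constructed stand-ins for "standard dictionaries" and well-known names.
# A real deployment would load a full word list here.
DICTIONARY_WORDS = {"password", "firebox", "secret", "watchguard", "welcome"}
KNOWN_NAMES = {"seattle", "acme", "alice"}

MIN_LENGTH = 7  # the guide's minimum passphrase length

# One regex per character class the guide asks you to mix.
CHARACTER_CLASSES = {
    "lowercase": r"[a-z]",
    "uppercase": r"[A-Z]",
    "numbers": r"[0-9]",
    "special characters": r"[^A-Za-z0-9]",
}


def _letters_only(passphrase: str) -> str:
    """Lowercase letters of the passphrase, digits and symbols removed."""
    return re.sub(r"[^a-z]", "", passphrase.lower())


def passphrase_findings(passphrase: str) -> List[str]:
    """Return the rules a single passphrase breaks; an empty list means it passes."""
    findings = []
    if len(passphrase) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")

    present = [name for name, pattern in CHARACTER_CLASSES.items()
               if re.search(pattern, passphrase)]
    if len(present) < 3:
        missing = sorted(set(CHARACTER_CLASSES) - set(present))
        findings.append("mix uppercase, lowercase, numbers and special characters "
                        f"(missing: {', '.join(missing)})")

    # Dictionary words and names are checked forwards and reversed, and
    # case-insensitively, so "Drowssap" is caught as well as "password".
    core = _letters_only(passphrase)
    for word in sorted(DICTIONARY_WORDS | KNOWN_NAMES):
        if word in core or word[::-1] in core:
            findings.append(f"contains the dictionary word or name '{word}' (possibly reversed)")
    return findings


def check_passphrase_pair(status: str, configuration: str) -> Dict[str, List[str]]:
    """Check the status and configuration passphrases together.

    The two must differ: the status passphrase only gives a read-only
    connection, the configuration passphrase gives read/write access.
    """
    pair = []
    if status == configuration:
        pair.append("status and configuration passphrases must be different")
    return {
        "status": passphrase_findings(status),
        "configuration": passphrase_findings(configuration),
        "pair": pair,
    }


if __name__ == "__main__":
    # Constructed sample passphrases, not real credentials.
    for candidate in ("Im4e@tiN9", "password", "Drowssap!1", "Ab1!"):
        print(candidate, "->", passphrase_findings(candidate) or "ok")
    print(check_passphrase_pair("Im4e@tiN9", "Im4e@tiN9")["pair"])
```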
Setting the Firebox Model
You select the Firebox model only when you start a new configuration file or when you open a configuration file. You can change the Firebox model if you save a configuration file from one Firebox to a different model Firebox.
From Policy Manager:
1 Click Setup > Firebox Model.
The New Firebox Configuration dialog box appears.
2 Select the Firebox model to which you will connect.
The Firebox model appears at the lower right corner of the Policy Manager window.
Setting the Time Zone
The Firebox time zone controls the date and time that appear in the log file and on tools that include LogViewer, Historical Reports, and WebBlocker. The default time zone is Greenwich Mean Time (Coordinated Universal Time).
From Policy Manager:
1 Click Setup > Time Zone.
2 Select a time zone from the drop-down list. Click OK.
Setting a Firebox Friendly Name
You can give the Firebox a friendly name to use in your log files and reports. If you do not give your Firebox a friendly name, the IP address of the Firebox external interface is used. From Policy Manager:
1 Click Setup > Name.
The Firebox Name dialog box appears.
2 In the Name text box, type the friendly name you want for the Firebox. Click OK.
You can use all characters but spaces and slashes (/ or \).
You usually set this name to the external IP address of the Firebox. You can also use a Fully Qualified Domain Name if you register such a name with the DNS system. If you do not set this name, some features cannot operate correctly.
CHAPTER 5
Using Policy Manager to Configure Your Network
Usually, when you install the Firebox in your network you use the Quick Setup Wizard to make a basic
can use the Policy Manager to make a basic configuration file or to change one you made with the Quick
Setup Wizard.
If you are new to network security, we recommend that you do these steps in the sequence in this chapter to make sure you configure all the components of your network. In this chapter, you learn how to use the Policy Manager to:
• Make a new configuration file
• Configure the Firebox interfaces
• Add a secondary network
• Add DNS and WINS server information
• Configure the Firebox as a DHCP server
• Add basic services to Policy Manager
• Configure routes
Making a New Configuration File
To start a new configuration file:
1 From Firebox System Manager, click the Policy Manager.
2 From Policy Manager, click File > New.
3 From the New Firebox Configuration dialog box, select the model of Firebox to which you are connected.
The new configuration file contains the default parameters for the specified Firebox model. We recommend that you save the configuration file frequently. Click File > Save > As File.
Setting the IP Addresses of Firebox Interfaces
The selected configuration mode controls the procedure that you use to set the IP addresses for the Firebox interfaces.
Note
Before you set the IP addresses for the Firebox interfaces, you must make a decision on your configuration mode. If you use an incorrect IP address, it can cause problems. For more information, refer to “Select a Firewall Configuration Mode” on page 26.
Setting addresses in drop-in mode
You use the drop-in mode when you want to put computers that use the same network on different Firebox interfaces. Usually, you use this mode when:
- You have many servers with public IP addresses on them
- You want to “drop” the Firebox into your network.
- You do not want to change the network configuration on the public servers.
With a drop-in configuration, the Firebox uses the same IP address and subnet mask for all of its interfaces. You indicate the subnet mask using slash notation.
The subnet mask shows the range of IP addresses in the drop-in network. For example, if you give the Firebox the IP address 1.1.1.5/24, this means all Firebox interfaces have the IP address 1.1.1.5. The drop-in network includes IP addresses from 1.1.1.1 to 1.1.1.254. The /24 indicates subnet mask 255.255.255.0.
When you use the drop-in configuration, a computer with IP address in the drop-in network can go on any Firebox interface. When you install the Firebox between the router and the LAN, it is not necessary to configure a local computer again if it has an IP address in the drop-in network. The public servers behind the Firebox can continue to use public IP addresses in the drop-in network range.
Secondary Networks” on page 40.
The Firebox does not use network address translation to send traffic from the external network to a public server (static NAT) that has an IP address in the drop-in network.
It is possible to masquerade the IP addresses of the computers in the drop-in network when they send traffic to the
To use the Policy Manager to set the Firebox in drop-in configuration mode:
1 Click Network > Configuration.
The Network Configuration dialog box appears.
2 From the Configuration drop-down list, select Static.
3 Select the Configure interfaces in Drop-In mode check box.
4 In the IP Address text box, type the Firebox IP address. In the Default Gateway text box, type the default gateway for the Firebox interfaces.
When you type an IP address, type all the numbers and the dots. Do not use the TAB or arrow key. For more information on how to type the IP address, refer to “Enter the IP addresses” on page 25.
Note
You cannot use drop-in configuration if your ISP uses DHCP or PPPoE to give the Firebox its IP address.
Using proxy ARP
If you use the drop-in configuration mode, the Firebox uses proxy ARP. With proxy ARP, the Firebox replies to all ARP requests from the external network for computers on your trusted and optional networks. This helps to hide those computers from the Internet and to protect them from hackers.
From the Network Configuration dialog box, click Properties.
The Advanced dialog box appears. It shows the Drop-In tab.
Proxy ARP can operate in two different ways, automatic or not automatic:
Using the Automatic check box
WatchGuard recommends that you select the Automatic check box. When you select the Automatic check box, the drop-in configuration mode automatically uses proxy ARP between the external network and the trusted and optional networks. The Firebox will perform proxy ARP for any host on any interface if the host has an IP address in the drop-in network. This is the default setting for the drop-in configuration.
When the Automatic box is selected, you can move a computer from one interface to another only if you clear the ARP cache on that computer. To clear the ARP cache on a Windows computer, type the following at a command prompt: arp -d *
Clearing the Automatic check box
You can clear the Automatic box to require all computers to be on one specified Firebox interface unless you list them as Related Hosts. You use the Proxy ARP for hosts on the following network box to specify which interface all computers must be on. The Firebox locks all the other interfaces so that only specified IP addresses can go on the other interfaces.
If you clear the Automatic check box, do the following:
1 Use the Proxy ARP for hosts on the following network box to specify the Firebox interface that has the most computers in the drop-in network.
The Firebox expects that any computer in the drop-in network is on this interface.
2 Use the Related Host box to list computers in the drop-in network that can be on a different Firebox interface.
To list a Related Host:
1 Type the IP address of the host in the small text box at the bottom.
2 From the drop-down list at the bottom of the Drop-In tab, select the interface that the host is on.
3 Click the Add button.
4 Repeat steps 1 through 3 to add computers to other interfaces.
The Firebox sees only the computers on the specified interfaces if the computers have these IP addresses.
To remove a Related Host:
1 Select the Related Host in the large box.
2 Click Remove.
Note
Proxy ARP applies only to the drop-in configuration mode. Proxy ARP applies only to computers in the drop-in network.
Proxy ARP does not apply to routed mode configurations. Proxy ARP does not apply to the computers on a Secondary Network.
Setting the addresses in routed mode
In a routed configuration, you install the Firebox with different logical networks and network addresses on its interfaces. The public servers behind the Firebox usually use private (non-routable) IP addresses. If the computers behind the Firebox use private IP addresses, the Firebox uses network address translation (static NAT) to route traffic from the external network to the public servers.
You can also use the routed mode if you have different public (routable) IP address ranges behind the Firebox. If you use the routed mode, the interfaces must use different IP addresses. The Firebox interface IP addresses also must be on different subnets.
For example, you can not use 192.168.1.1/16 on one Firebox interface and 192.168.2.1/16 on another Firebox interface. The /16 gives a subnet mask of 255.255.0.0, which puts both IP addresses on the same subnet (192.168.0.0/16).
A minimum of two interfaces must have configured IP addresses. To use the Policy Manager to set the Firebox in routed configuration mode:
1 Click Network > Configuration .
The Network Configuration dialog box appears.
The Interfaces tab displays.
2 If necessary, clear the Configure interfaces in Drop-in mode check box.
3 If your ISP uses DHCP or PPPoE to assign your IP address, select that option from the Configuration drop-down list.
4 If you have a static IP address from your ISP, select Static from the Configuration drop-down list.
Type the static IP address you get from the ISP, and type the default gateway.
5 For each interface, type the IP address in slash notation.
When you type an IP address, type all the numbers and the dots. Do not use the TAB or arrow key. For more information on how to type the IP address, refer to “Enter the IP addresses” on page 25.
Configuring the external interface
The Firebox can get a dynamic IP address for the external interface with Dynamic Host Configuration Protocol (DHCP) or Point-to-Point Protocol over Ethernet (PPPoE). Your ISP can also give you a static IP address and use DHCP or PPPoE to assign that address. With DHCP, the Firebox uses a DHCP server that your Internet Service Provider (ISP) controls to get an IP address, gateway, and subnet mask. With PPPoE, the Firebox makes a PPPoE protocol connection to the PPPoE server of your ISP. This connection automatically configures your IP address, gateway, and subnet mask. If you use DHCP or PPPoE for the external interface, you must set the Firebox to use the routed configuration mode.
Setting the external interface for DHCP
1 Click Network > Configuration .
The Network Configuration dialog box appears.
2 From the Configuration drop-down list, select DHCP .
3 Click Properties to configure DHCP parameters.
Your ISP can tell you if it is necessary to change the timeout or device name values.
Setting the external interface for PPPoE
1 Click Network > Configuration .
The Network Configuration dialog box appears.
2 From the Configuration drop-down list, select PPPoE .
3 Type the PPP User Name and PPP Password . You must type the password two times.
4 Click Properties to configure PPPoE parameters.
Your ISP can tell you if it is necessary to change the timeout or LCP values. Your ISP can also give you the Service Name and Access Concentrator Name values to use if the ISP requires them. If you have problems with PPPoE negotiations, you can change the MTU size. Ask your ISP for a recommended MTU size. Usually the MTU value does not have to be changed.
Note
When you select the Enable PPPoE debugging check box, the Firebox sends a large volume of log messages to the log host. Do not use this feature unless you have problems with your connection and aid from Technical Support is necessary.
Using a static DHCP or static PPPoE address
With DHCP and PPPoE, the IP address that the ISP gives to a customer usually can change. Some ISPs let you have a static DHCP or PPPoE address. A static IP address makes it easier to configure device-to-device network traffic. For example, you must have a static IP address to use MUVPN, to use RUVPN with PPTP, or to use the Firebox as a DVCP server. To configure a static DHCP address or a static PPPoE address with the Policy Manager:
1 Click Network > Configuration . Click the Interfaces tab.
2 From the Configuration drop-down list, select DHCP or PPPoE.
3 Click Use the following IP address . Type the static IP address.
Adding external IP aliases
The Firebox can receive traffic from the Internet and send it to a host behind the Firebox. The Firebox can use its own external IP address to receive this traffic, or it can receive traffic using another IP address that you get from the ISP. You add an Alias IP address to the Firebox external interface when these two things happen:
• The Firebox receives traffic on an IP address that is not the external interface IP address, and
• The Firebox sends this traffic to a different IP address behind the Firebox.
Note
Only use an alias for static NAT. Do not use an alias for 1-to-1 NAT. If you add an alias for 1-to-1 NAT, the 1-to-1 NAT will not function. For more information see “Using 1-to-1 NAT” on page 74.
You can use the Aliases button on the Network Configuration dialog box to add Alias IP addresses to the Firebox external interface. You use the alias IP address when you set a service to use static NAT. You can also add the alias IP address when you set a service for static NAT from the Add Static NAT box. For
Adding Secondary Networks
When you add a secondary network to a Firebox interface, you indicate that there is another logical network on that interface. To add a secondary network to a Firebox interface, you add another IP address and subnet mask to that Firebox interface. The IP address you add to the Firebox comes from the secondary network. The IP address you use for the Secondary Network IP address must not be assigned to any other host on that network. The secondary network IP address is the default gateway for all the computers on the secondary network. The secondary network IP address tells the Firebox that there is one more network on the Firebox interface.
To use the Policy Manager to configure a secondary network:
1 Click Network > Configuration .
The Network Configuration dialog box appears.
2 Click the Secondary Networks tab.
The Secondary Networks tab appears.
3 Use the drop-down list in the lower part of the dialog box to select the interface to which the secondary network connects.
4 Type an IP address from the secondary network in the text box adjacent to the drop-down list. Use slash notation to show the subnet mask. Because this IP address is assigned to the Firebox interface, it must not be assigned to any other computer on the secondary network.
When you type an IP address, type all the numbers, the dots, and the slash. Do not use the TAB or arrow key. For more information on how to type the IP address, refer to “Enter the IP addresses” on page 38.
Note
Be careful to add secondary network addresses correctly. The Policy Manager does not tell you if the address is correct. WatchGuard recommends that you do not enter a subnet on one interface that is a component of a larger network on a different interface. If you do this, the Firebox can not tell which interface an address in the smaller subnet belongs to, traffic can be treated as spoofed, and the network can not operate correctly.
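The subnet rule for routed mode (every interface on a different subnet) and the warning above about a secondary network that is a component of a larger network can both be checked before you type the addresses into Policy Manager. The following Python script is an added example, not part of the original guide or of any WatchGuard software; the interface names and addresses in it are constructed for illustration. It takes every primary and secondary network on the Firebox in the guide's slash notation and reports each pair that is the same subnet or where one network is a component of the other:

```python
# Added example, not WatchGuard code: report overlapping networks among the
# primary and secondary networks assigned to Firebox interfaces.
# Interface names and addresses below are constructed for illustration.
import ipaddress


def interface_network(addr_with_prefix):
    """Network of an interface address in the guide's slash notation,
    for example '192.168.1.1/16' -> 192.168.0.0/16."""
    return ipaddress.ip_interface(addr_with_prefix).network


def find_overlaps(assignments):
    """assignments: list of (label, 'address/prefix') for every primary and
    secondary network on the Firebox. Returns a list of
    (label_a, label_b, reason) for each pair that must not coexist."""
    nets = [(label, interface_network(addr)) for label, addr in assignments]
    problems = []
    for i, (label_a, net_a) in enumerate(nets):
        for label_b, net_b in nets[i + 1:]:
            if net_a == net_b:
                # Routed mode: two interfaces on one subnet is rejected.
                problems.append((label_a, label_b, "same subnet"))
            elif net_a.overlaps(net_b):
                # The secondary-network note: a subnet nested inside a
                # larger network on another interface.
                problems.append((label_a, label_b,
                                 "one network is a component of the other"))
    return problems


# The pair the guide rejects: /16 puts both addresses in 192.168.0.0/16.
REJECTED = [
    ("eth0 external", "192.168.1.1/16"),
    ("eth1 trusted", "192.168.2.1/16"),
]

# A routed-mode layout that passes (constructed addresses), including a
# secondary network on the trusted interface.
ROUTED = [
    ("eth0 external", "203.0.113.2/24"),
    ("eth1 trusted", "10.0.1.1/24"),
    ("eth2 optional", "10.0.2.1/24"),
    ("eth1 secondary", "172.16.5.1/24"),
]

# Adding 10.0.0.0/16 as a second secondary network on eth1 swallows both the
# trusted network and the optional network on eth2.
BAD_SECONDARY = ROUTED + [("eth1 secondary 2", "10.0.0.1/16")]

if __name__ == "__main__":
    for name, layout in (("REJECTED", REJECTED), ("ROUTED", ROUTED),
                         ("BAD_SECONDARY", BAD_SECONDARY)):
        print(name, find_overlaps(layout) or "ok")
```

Run the script before you commit a configuration; any pair it prints is one the Firebox will not route correctly.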
Adding WINS and DNS Server Addresses
A number of the features of the Firebox share the same Windows Internet Name Server (WINS) and Domain Name System (DNS) server addresses. These features include DHCP, Mobile User VPN with IPSec, and Remote User VPN with PPTP.
If you have an internal private DNS server, make sure that you use your private DNS server for DHCP and Remote User VPN. If you also use external DNS servers, make the internal DNS server the Primary DNS server. If you do not have a private internal DNS server, list the DNS servers that your ISP provides. From Policy Manager:
1 Click Network > Configuration . Click the WINS/DNS tab.
The WINS/DNS tab appears.
2 Type the primary addresses and secondary addresses for the WINS and DNS servers. If necessary, type a domain name for the DNS server.
Configuring the Firebox as a DHCP Server
Dynamic Host Configuration Protocol (DHCP) is an Internet Protocol that makes it easier to control a large network. A computer you configure as the DHCP server automatically gives IP addresses to the computers on your network. You set the range of addresses. You can configure the Firebox as a DHCP server for networks behind the firewall.
Note
If you have a large network with a domain controller on it, WatchGuard recommends that you configure the domain controller as the DHCP server.
One parameter that you set for a DHCP server is the lease time. This is the time interval that a DHCP client can use an IP address that it receives from the DHCP server. When the time is near its limit, the client transmits data to the DHCP server to get a new lease.
Do not use the Firebox to replace a DHCP server on your network. If you have a configured DHCP server, we recommend that you continue to use that server for DHCP.
From Policy Manager:
1 Click Network > DHCP Server .
The DHCP Server dialog box appears.
2 Select the Enable DHCP Server check box.
3 Use the spin control to change the Default Lease Time .
A DHCP client can request a lease time. If it does not, the DHCP Server uses the Default Lease Time value.
4 Use the spin control to change the Maximum Lease Time .
If the lease time the client requests is larger than the Maximum Lease Time, the DHCP Server uses the Maximum Lease Time instead.
Adding a subnet
The DHCP server assigns IP addresses to DHCP clients from a range you set. A subnet is a group of IP addresses you add to the DHCP server. For example, if you add a subnet of 10.1.1.10 to 10.1.1.19, the DHCP server has 10 addresses to give its clients. From Policy Manager:
1 Click Network > DHCP Server.
2 Click Add .
The DHCP Subnet Properties dialog box appears.
3 In the Subnet text box, type the IP address of the subnet, for example, 10.1.1.0/24.
4 In the Start text box, type the first IP address in the range. In the End text box, type the last IP address in the range. The Firebox gives IP addresses only from this range to DHCP clients.
5 Click OK .
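As an added example (not WatchGuard code) that covers both the lease-time settings and the subnet range entered above, the Python script below checks that a Start and End address actually lie inside the subnet and avoid the network, broadcast and already-assigned addresses, and shows which lease time a client ends up with under the Default and Maximum Lease Time rules. The subnet, the reserved address (the Firebox interface address) and the lease values are constructed for illustration:

```python
# Added example, not WatchGuard code: validate a DHCP subnet and Start/End
# range as entered in DHCP Subnet Properties, and combine the Default and
# Maximum Lease Time with what a client requests. All values are constructed.
import ipaddress


def dhcp_pool(subnet, start, end, reserved=()):
    """Return the list of addresses the Firebox may hand out for a subnet
    entered as '10.1.1.0/24' with a Start and End address.
    reserved: addresses in the subnet that are already assigned, such as the
    Firebox interface address. Raises ValueError for a range the DHCP server
    should not be given."""
    net = ipaddress.ip_network(subnet, strict=True)   # '10.1.1.0/24', not '10.1.1.5/24'
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if first > last:
        raise ValueError("Start must not be after End")
    if first not in net or last not in net:
        raise ValueError("Start and End must be inside the subnet")
    hosts = set(net.hosts())                 # excludes network and broadcast
    taken = {ipaddress.ip_address(a) for a in reserved}
    pool = []
    addr = first
    while addr <= last:
        if addr not in hosts:
            raise ValueError(f"{addr} is the network or broadcast address")
        if addr in taken:
            raise ValueError(f"{addr} is already assigned to another host")
        pool.append(addr)
        addr += 1
    return pool


def granted_lease(requested, default, maximum):
    """Lease time (seconds) the server grants. A client that requests no
    lease time gets the Default Lease Time; a request above the Maximum
    Lease Time is capped at the maximum; anything else is honoured."""
    if requested is None:
        return default
    return min(requested, maximum)


if __name__ == "__main__":
    # The guide's example: 10.1.1.10 to 10.1.1.19 gives 10 addresses.
    pool = dhcp_pool("10.1.1.0/24", "10.1.1.10", "10.1.1.19", reserved=("10.1.1.1",))
    print(len(pool), pool[0], pool[-1])
    # One day default, seven day maximum (constructed values).
    print(granted_lease(None, 86400, 604800), granted_lease(10 * 86400, 86400, 604800))
```

Any ValueError the script raises corresponds to a range the Policy Manager dialog box would accept without complaint but that would give clients unusable or duplicate addresses.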
Changing a subnet
You can change a DHCP subnet. From Policy Manager:
1 Click Network > DHCP Server .
2 Click the subnet you want to change. Click Edit .
The DHCP Subnet Properties dialog box appears.
3 Type in new values for the Subnet , Start , or End text boxes. Click OK .
Removing a subnet
You can remove a DHCP subnet. From Policy Manager:
1 Click Network > DHCP Server .
2 Click the subnet you want to remove. Click Remove .
3 Click OK .
Note
When you change or remove a DHCP subnet, a client can get a different IP address the next time it renews its lease. Some devices or software applications can then not operate properly. This occurs only after the client gets a new IP address from the DHCP server.
Adding Basic Services to Policy Manager
After you have set the IP addresses, you must add four services to your security policy to give your Firebox some basic functionality. We recommend that you add:
• WatchGuard — Allows you to connect to the Firebox from the management station. You must have this service to monitor and configure the Firebox.
Note
The WatchGuard service is very important. If you do not include it in your configuration or if you configure it incorrectly, it prevents you from managing the Firebox.
• Ping — Allows you to ping the Firebox and to ping computers on the external interfaces. This is an important tool to troubleshoot your network connections.
• FTP — Allows you to download files with File Transfer Protocol.
• Outgoing — Allows all network traffic which starts from the trusted or optional networks out to the external network. This lets your users send traffic to the Internet while you configure your security policy.
At this time, do not change the default configuration for these basic services. The default configuration lets all traffic out but does not let traffic in. You can make changes to these services in Policy Manager.
For more information, refer to “Adding and Configuring Services” on page 79.
1 On the Policy Manager toolbar, click the Add Services icon.
You can also click Edit > Add Service.
2 Click the plus (+) sign on the left side of the Packet Filters folders to expand it.
A list of configured filters appears.
3 Below Packet Filters , click WatchGuard .
4 At the bottom of the dialog box, click the Add button.
5 Click OK in the Add Service dialog box.
6 Click OK to close the Properties dialog box.
7 Do steps 3–6 again for the Ping , FTP , and Outgoing services.
Configuring Routes
A route is the sequence of devices through which network traffic must go to get from its source to its destination. A router is the device in a route that finds the next network point through which to send the network traffic toward its destination. Each router is connected to a minimum of two networks. A packet can go through a number of network points with routers before it gets to its destination.
The Firebox lets you create static routes to send traffic from its interfaces to a router. The router can then send the traffic to the applicable destination in the specified route.
For more information about network routes and routers, refer to: www.watchguard.com/support/AdvancedFaqs/general_routers.asp
Adding a network route
Add a network route if you have a full network behind a router on your local network. Type the network IP address, with slash notation. From Policy Manager:
1 Click Network > Routes .
The Setup Routes dialog box appears.
2 Click Add .
The Add Route dialog box appears.
3 To the right of Route to , click Net .
4 In the Network Address text box, type the network IP address. Use slash notation.
For example, type 10.10.1.0/24. This is the 10.10.1.0 network with subnet mask 255.255.255.0.
5 In the Gateway text box, type the IP address of the router.
Make sure that you enter an IP address that is on one of the networks that you find on a Firebox interface. The Gateway for the route can not be in the destination network.
6 Click OK to close the Add Route dialog box.
The Setup Routes dialog box shows the configured network route.
7 Click OK again to close the Setup Routes dialog box.
Adding a host route
Add a host route if there is only one host behind the router or you only want traffic to go to one host. Type the IP address of that specified host, with no slash notation. From Policy Manager:
1 Click Network > Routes .
The Setup Routes dialog box appears.
2 Click Add .
The Add Route dialog box appears.
3 To the right of Route to , click Host .
4 In the Network Address text box, type the IP address of the host. Do not use slash notation.
5 In the Gateway text box, type the IP address of the router.
Make sure that you enter an IP address that is in one of the networks that you find on a Firebox interface.
6 Click OK to close the Add Route dialog box.
The Setup Routes dialog box shows the configured host route.
7 Click OK again to close the Setup Routes dialog box.
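The two conditions on the Gateway address (it must be on a network that sits on a Firebox interface, and it can not be in the destination network) apply to both network routes and host routes. The following Python function is an added example, not part of the original guide or of any WatchGuard software, and the interface addresses and routes in it are constructed. It applies both checks to a route before you enter it and reports which interface the Firebox would use to reach the gateway:

```python
# Added example, not WatchGuard code: check a static route's Gateway against
# the Firebox interface networks before entering it in Setup Routes.
# Interface addresses and routes below are constructed for illustration.
import ipaddress


def check_route(destination, gateway, interfaces, host=False):
    """destination: a network in slash notation ('10.10.1.0/24') or, for a
    host route, a bare address ('172.16.9.7'). interfaces: list of
    (name, 'address/prefix') as configured on the Firebox.
    Returns (ok, detail): detail is the interface the Firebox reaches the
    gateway through, or the reason the route is wrong."""
    if host and "/" in destination:
        return False, "a host route is typed without slash notation"
    try:
        # strict=True rejects '10.10.1.5/24': the text box wants the network address.
        dest = ipaddress.ip_network(destination, strict=True)
    except ValueError as exc:
        return False, f"bad destination: {exc}"
    gw = ipaddress.ip_address(gateway)

    # Rule 1: the gateway must be on a network that sits on a Firebox interface,
    # otherwise the Firebox has no way to deliver packets to it.
    attached = [name for name, addr in interfaces
                if gw in ipaddress.ip_interface(addr).network]
    if not attached:
        return False, f"gateway {gw} is not on any Firebox interface network"

    # Rule 2: the gateway can not be inside the destination network, or the
    # route points into the very network it is supposed to reach.
    if gw in dest:
        return False, f"gateway {gw} is inside the destination {dest}"

    return True, attached[0]


# Constructed Firebox interfaces for a routed-mode layout.
INTERFACES = [
    ("eth0 external", "203.0.113.2/24"),
    ("eth1 trusted", "10.0.1.1/24"),
    ("eth2 optional", "10.0.2.1/24"),
]

if __name__ == "__main__":
    print(check_route("10.10.1.0/24", "10.0.1.254", INTERFACES))           # (True, 'eth1 trusted')
    print(check_route("10.10.1.0/24", "10.10.1.1", INTERFACES))            # gateway not attached
    print(check_route("10.0.1.128/25", "10.0.1.200", INTERFACES))          # gateway inside destination
    print(check_route("172.16.9.7", "10.0.2.254", INTERFACES, host=True))  # (True, 'eth2 optional')
```

The second case is the common mistake: entering the remote router's far-side address, which is on the destination network rather than on a network the Firebox is attached to.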
Firebox interface speed and duplex
You can set the speed and duplex properties for Firebox interfaces to automatic or manual configuration. WatchGuard recommends that you use the automatic configuration because it operates with most network devices. Use manual when you must override the Firebox interface parameters to operate with other devices on your network.
1 Click Network > Configuration . Click the NIC Configuration tab.
The NIC Configuration tab appears.
2 Click the interface you want to change. Click Edit .
3 From the drop-down lists, select Auto or Manual . If you select Manual , select the speed and half-duplex or full-duplex.
4 Click OK to close the NIC Configuration dialog box. Click OK again to close the Network Configuration dialog box.
CHAPTER 6
Managing and Monitoring the Firebox
WatchGuard® Firebox® System Manager lets you start many different security tools in one easy to use interface. You can also use the Firebox System Manager to monitor real-time traffic through the firewall.
About Incoming and Outgoing Traffic
Network traffic has direction : incoming traffic and outgoing traffic. The figure below shows the direction of network traffic as it goes through all the possible Firebox interfaces. Incoming traffic goes to the center. Outgoing traffic goes away from the center.
Note
This figure shows a Firebox ® X and the 3-Port Upgrade to enable three more Ethernet ports. The traffic flow and trust relations between the different Firebox interfaces apply if you have the upgrade or not.
The distance to the center sets the level of security and the level of trust. You should allow fewer incoming connections for the networks closer to the center. The networks that are closer to the center are more secure because incoming connections to those networks are more limited. They are called “more trusted”. The networks farther from the center are “less trusted”.
The external interface (eth0) is the source of traffic with no security. It is usually the Internet.
The trusted interface (eth1), at the center of the figure, is the source of traffic with the most security.
All the traffic that goes out from your trusted network is outgoing. The destination network makes no difference. All the traffic that comes in to your trusted network is incoming traffic. The source in the organization makes no difference.
All the traffic that comes from the external interface is incoming traffic. The destination network behind your Firebox makes no difference. All the traffic to the external interface is outgoing traffic. The source in the organization makes no difference.
Starting the Firebox System Manager
From the Windows Desktop:
1 Click Start > Programs > WatchGuard > Firebox System Manager .
2 If necessary, set up your Firebox®. Click QuickSetup to start the Quick Setup Wizard. For more information, refer to the QuickStart Guide that comes with your Firebox. If your Firebox is set up, click Continue.
The Connect to Firebox dialog box appears. You can connect to a Firebox, or you can cancel the Connect to Firebox dialog box and connect to a Firebox at a different time.
3 To connect to a Firebox at this time, select a Firebox from the Firebox drop-down list.
You can also type the IP address or name of the Firebox.
4 In the Passphrase text box, type the Firebox status (read-only) passphrase.
5 Click OK .
The Front Panel tab of the Firebox System Manager appears.
Note
Do not use the configuration (read-write) passphrase to monitor the Firebox. You can not make more than one read-write connection at the same time. When you connect to the Firebox with Firebox System Manager, the passphrase you enter is used again to get the configuration file from the Firebox and open it in Policy Manager. If you connect with the read-write passphrase, you can not open Policy Manager, because that is a second read-write connection.
Using the Security Traffic Display
The Firebox System Manager initially shows a group of indicator lights to show the direction and volume of the traffic between the Firebox® interfaces. The display can be a triangle (below left) for Fireboxes with three interfaces, or the display can be a star (below right) for Fireboxes with six interfaces.
To change the display, right-click it and select Triangle display or Star display . A Firebox with three interfaces can not use the star display.
Monitoring status information
The WatchGuard® logo in the top, left corner of the star or triangle figure shows if the Firebox is connected. If the WatchGuard logo is bright, the Firebox is connected. If the logo is dim, it is not connected.
The points of the star and triangle show the traffic that flows through the interfaces. Each point shows incoming and outgoing connections with different arrows. When traffic flows between the two interfaces, the arrows come on in the direction of the traffic.
In the star figure, the location where the points come together can show one of three conditions:
• Amber (idle) — There is no more traffic than the points show.
• Red (deny) — The Firebox is denying a connection on that interface.
• Green (allow) — There is traffic between this interface and a different interface (but not the center) on the star. When there is traffic between this interface and the center, the point between these interfaces shows as green arrows.
In the triangle, the network traffic shows in the points of the triangle. The points show only the idle or deny condition.
Selecting the middle of the star
If you use the star figure, you can customize which interface appears in its center. Click the interface name or its point. The interface then moves to the center of the star. All the other interfaces move in a clockwise direction.
Basic System Manager Functionality
The top part of the window immediately below the title bar contains buttons to do basic operations and to start Firebox System Manager applications.
Icon Function
Open the main menu for Firebox System Manager. This is also referred to as the Main Menu button.
Start the display again. This icon only appears when you are not connected to a Firebox.
Stop the display. This icon only appears when you are connected to a Firebox.
Connect to a Firebox. This icon appears only with HostWatch.
Start Policy Manager. Use the Policy Manager to make or change a configuration file.
Start Log Viewer.
Start HostWatch.
Open Historical Reports.
For more information, refer to “Starting Firebox tools” on page 58.
Monitoring basic indicators
Below the security traffic figure are the traffic volume indicator, processor load indicator, and basic status information.
The two bar graphs show the traffic volume and the Firebox® capacity. The amount of time the Firebox has been operational and the log host IP address are also displayed. For more information on the front panel, refer to the FAQ: https://www.watchguard.com/support/advancedfaqs/fbhw_lights.asp
Firebox and VPN tunnel status
The section in Firebox System Manager to the right side of the front panel shows:
• The status of the Firebox.
• The branch office VPN tunnels.
• The remote user VPN tunnels.
• The Security Services status.
Firebox Status
Below Firebox Status, you can see:
• Status of the High Availability feature. When it has a correct configuration and is serviceable, the IP address of the standby Firebox appears. If High Availability is installed, but there is no network connection to the secondary Firebox, the message appears with the words “Not Responding.”
The High Availability feature only shows if you have purchased and added a High Availability license.
• The IP address of each Firebox interface and the configuration mode of the External interface.
• Status of the CA (root) certificate and the IPSec (client) certificate.
The certificate information only shows if the Firebox is a DVCP Server or a DVCP Client.
If you expand the entries below Firebox Status, you can see:
• IP address and netmask of the default gateway.
• The Media Access Control (MAC) address of each interface.
• Number of packets sent and received since the last Firebox restart.
Branch Office VPN Tunnels
Below the Firebox Status is a section on BOVPN tunnels. There are two types of BOVPN tunnels: IPSec and DVCP.
The figure below shows an expanded entry for a BOVPN tunnel. The information that shows, from the top to the bottom, is:
• The name the tunnel got when it was made, the IP address of the remote IPSec device, and the tunnel type (IPSec or DVCP).
• The volume of data sent and received on the tunnel in bytes and packets.
• The time before the key expires and when the tunnel will start again with a new IPSec key. This appears as a time limit or as the volume of bytes. If you configure a tunnel to expire using time and volume limits, the two expiration values appear. The tunnel will start again with a new IPSec key when the limit of bytes is reached, or when the time limit is reached.
• Authentication and encryption data for the tunnel.
• Routing policies for the tunnel.
Remote VPN Tunnels
After the branch office VPN tunnels is an entry for remote VPN tunnels. This includes Mobile User VPN (with IPSec) or RUVPN (with PPTP) tunnels.
If the tunnel is Mobile User VPN, the entry shows the same information as for a Branch Office VPN. This includes the tunnel name, the destination IP address and the tunnel type. Below is the packet information, the time for key expiration, authentication, and encryption data.
Each Mobile User VPN account you create will cause a tunnel to appear in this area. It does not matter if the MUVPN client is not connected. If Mobile User VPN uses Extended Authentication Groups, a tunnel will show for every address in the Virtual IP Address Pool. A Mobile User VPN account will display more than once if the Mobile User VPN account is configured to access more than one group of resources.
If the tunnel is RUVPN with PPTP, the Firebox System Manager shows only the quantity of sent and received packets. The volume of bytes and total time are not applicable to PPTP tunnels. A PPTP tunnel will only show when a remote user connects.
Security Services
Security Services shows the status of Gateway AntiVirus and SpamScreen. For information, see the Gateway AntiVirus Guide . Gateway AntiVirus is an optional feature you can add.
The Security Services status shows if you have a Gateway AntiVirus license or if you do not.
Expanding and closing folders
To expand a part of the display, click the plus sign ( + ) adjacent to the entry, or double-click the name of the entry. To close a part, click the minus sign ( – ) adjacent to the entry.
A Branch Office VPN Tunnel or a Mobile User VPN Tunnel display will have a plus sign (+) only when the tunnel construction is complete. When no plus or minus sign shows, the tunnel construction is not complete.
Red exclamation point
When a red exclamation point appears, it shows that something in the folder can not send or receive traffic. For example, a red exclamation point adjacent to the Firebox entry shows that it can not send traffic to the log host or the management station. A red exclamation point adjacent to the BOVPN icon shows there is a problem with one of the VPN tunnels.
When you expand an entry that has a red exclamation point, a second exclamation point appears adjacent to the device or tunnel with the problem. Use this feature to find connection problems in your VPN network.
Monitoring Firebox Traffic
To see Firebox® log messages, click the Traffic Monitor tab. For more information about the messages that appear, refer to the FAQ: https://www.watchguard.com/support/advancedfaqs/log_main.asp
Changing the Polling Rate and the maximum number of log messages
You can change the interval of time (in seconds) that Firebox System Manager gets the Firebox information and sends updates to the Front Panel and the Firebox and Tunnel Status panels. You must balance how frequently you get information and the load on the Firebox. A shorter time interval gives a more accurate display, but makes more load on the Firebox.
You can also change the maximum number of log messages that you can keep and see on the Traffic Monitor. When you get to the maximum number, the new log messages replace the first entries. A high value in this field puts a large load on your system if you have a slow processor or a small quantity of RAM. If it is necessary to examine a large volume of log messages, we recommend that you use the Log Viewer. From the Firebox System Manager:
1 Click the Main Menu button. Click Settings .
The Settings dialog box appears. It shows the General tab.
2 In the Polling Rate text box, type how long between queries for Firebox status information, and then click OK .
You can also use the spin control to set the Polling Rate.
3 In the Max Log Entries text box, type how many log entries are maintained by the Traffic Monitor, and then click OK .
You can also use the spin control to set the Max Log Entries. The value you type gives the number of log messages in thousands. If you type zero (0) in this field, the maximum number of log messages is set to 3,000.
Using color for log messages
You can change the color of the data components of the log messages that the Firebox sends. You can assign a color to each information type. For example, you can set the colors so that log messages for denied packets are red. From the Firebox System Manager:
1 Click Main Menu > Settings . Click the Traffic Monitor tab.
2 To enable the display of colors, select the Display Logs in Color check box.
3 On the Allow , Deny , or Message tab, click the data you want to show in a color.
4 From the Text Color drop-down list, select the color you want assigned to the data.
The Text Color list includes 20 colors. The information in this field appears in the new color on Traffic Monitor. You can see the color change in the sample Traffic Monitor at the bottom of the dialog box.
5 You can also select a background color for the traffic monitor. From the Background Color dropdown list, select the color you want for the background.
The Background Color list includes 20 colors.
6 To cancel the changes you made in this dialog box since you opened it, click Reset to Defaults .
Copying log messages
To make a copy of a log message and paste it in a different tool, right-click the message and select Copy Selection.
To select a group of entries together, select the first entry, then hold the Shift key and select the last entry. To select two or more entries that are not in the same group, hold the Ctrl key while you click the entries you want. Open the other tool and paste the message.
Learning more about deny and allow messages
To learn more about one deny or allow message, you can:
• Make a copy of the source or destination IP address of a deny or allow message so you can paste it into a different software application. To copy the source IP address, right-click the message, and click Source IP > Copy . To copy the destination IP address, right-click the message, and click Destination IP > Copy .
• To ping the source or destination IP address of a deny or allow message, right-click the message, and click Source IP > Ping or Destination IP > Ping . With this command you must give the configuration passphrase.
• To use a traceroute command to the source or destination IP address of a deny or allow message, right-click the message, and click Source IP > Trace Route or Destination IP > Trace Route . With this command you must give the configuration passphrase.
Doing Basic Tasks with System Manager
The basic tasks in System Manager are:
• Run the Quick Setup Wizard
• Reboot the Firebox
• Reboot IPSec
• Flush the ARP cache
• Connect to a Firebox®
• Get technical support on the Web
• Open other WatchGuard® Firebox System Manager tools.
Running the Quick Setup Wizard
Usually, you use the Quick Setup Wizard when you first install your Firebox. You can also use it from Firebox System Manager.
1 Click the Main Menu button.
You can find the button at the top right corner of Firebox System Manager.
2 Click Quick Setup Wizard .
The Quick Setup Wizard starts. For more information on how to use the Quick Setup Wizard, refer to the QuickStart Guide that comes with your Firebox.
Rebooting the Firebox
To restart the Firebox from the Firebox System Manager:
1 Click Main Menu > Management > Reboot Firebox .
2 In the Passphrase text box, type the Firebox configuration (read/write) passphrase.
3 Click OK .
The Firebox starts again.
You can also reboot a Firebox from the Policy Manager. From the Policy Manager click File > Reboot...
Type the IP address or host name of the Firebox, and the configuration (read/write) passphrase.
Reboot IPSec
To make all IPSec VPN tunnels start again, you can reboot IPSec. You can also use this to disconnect Mobile User VPN sessions. To reboot IPSec from the Firebox System Manager:
1 Click Main Menu > Management > .
2 In the Passphrase text box, type the Firebox configuration (read/write) passphrase.
3 Click OK .
The IPSec procedures on the Firebox start again.
Flushing the ARP cache
The ARP cache (Address Resolution Protocol cache) on the Firebox keeps a list of the hardware addresses (also known as MAC addresses) of the TCP/IP hosts the Firebox knows about. Before it sends an ARP request, the Firebox checks whether the hardware address is already in the cache. If a computer changes its IP address, an old entry in the Firebox ARP cache can cause problems for the next computer that uses the old IP address. An entry is "old" after approximately five minutes in the ARP cache.
From the Firebox System Manager:
1 Click Main Menu > Management > Flush ARP Cache .
2 In the Passphrase text box, type the Firebox configuration (read/write) passphrase.
3 Click OK .
This clears the ARP cache entries.
Connecting to a Firebox
When you start Firebox System Manager, it tells you to connect to the last used Firebox. You can connect to that Firebox or any Firebox on the network.
From Firebox System Manager:
1 Click Main Menu > Connect...
The Connect to Firebox dialog box appears.
2 From the Firebox drop-down list, select the Firebox you want.
You can also type the IP address or DNS name of the Firebox. When you type an IP address, type all the numbers
3 Type the Firebox status (read-only) passphrase. Do not use the configuration (read-write) passphrase in the Connect to Firebox dialog box. If you connect with the configuration passphrase, you cannot start the Policy Manager from the Firebox System Manager.
4 Click OK .
Firebox System Manager connects to the Firebox and the real-time status appears.
Getting more information on the Web
You can get more information about the WatchGuard Firebox System Manager from the Firebox System
Manager menus. Click the Main Menu button. Click On the Web . In the menu you can select:
Home page
Click to open the WatchGuard home page in your default browser. The WatchGuard home page is: http://www.watchguard.com
LiveSecurity Service Logon
Select to log in to the LiveSecurity Service. For more information on this service, refer to Chapter
Training and Certification
Select to start the WatchGuard Training home page at: http://www.watchguard.com/training/
Activate LiveSecurity Service
Select to activate the LiveSecurity service. You must activate the LiveSecurity service to get Technical Support and many Firebox product features. For more information on this service, refer to Chapter 2, "Service and Support."
Starting Firebox tools
Start these management tools from the toolbar at the top of Firebox System Manager:
• Policy Manager
• Log Viewer
• HostWatch
• Historical Reports
• WatchGuard Security Event Processor.
Starting Policy Manager
Use WatchGuard Policy Manager to make and change the configuration file for your Firebox. In
Policy Manager, you configure networks and policies, set up VPN, control incoming and outgoing access, and control logging and notification.
Starting Log Viewer
Log Viewer shows a static view of a log file. You can search by type, keywords and fields. You can also print and save log data to a different file. For more information, refer to Chapter 13, "Reviewing and Working with Log Files."
Starting HostWatch
HostWatch shows the connections from one interface to another as they occur on a Firebox. It can also show the connections recorded in a saved log file. For more information, re
Starting Historical Reports
Historical Reports is an HTML report tool that shows the connection types, the hosts sending the most traffic, the most used services, URLs, and other data necessary to monitor and do trou-
Opening the WSEP user interface
WatchGuard Security Event Processor (WSEP) controls logging, report schedules, and notification. It also keeps time for the Firebox. The WSEP automatically runs when you start a computer with WSEP software installed on it.
Different from other WatchGuard Firebox System Manager applications, the WSEP button does not appear in Firebox System Manager.
To open the WSEP, right-click the WSEP icon in the Windows Desktop tray. Click WSEP Status/Configuration. For more information, refer to "Setting up the WatchGuard Security Event Processor" on page 135.
If the WSEP icon does not show in the Windows desktop tray, click the Main Menu button. Select Tools > Logging > Event Processor Interface.
Viewing Bandwidth Usage
Select the Bandwidth Meter tab to see the available real-time bandwidth for all the Firebox® interfaces.
Each interface that you see on the display has a different color. You can configure the colors that you use on this display. From the Firebox System Manager:
1 Select Main Menu > Settings . Click the Bandwidth Meter tab.
2 You can change the scale of the Bandwidth Meter tab. From the Graph Scale drop-down list, select the value that is the best match for the speed of your network.
3 You can also change the color of the lines in the Bandwidth Meter tab. Each line shows the traffic for one interface. In the Color Settings list, click the interface you want to change. From the Color dropdown list, select the color you want.
4 Click OK to close the Settings dialog box.
The Bandwidth Meter tab appears with the new settings.
Viewing Number of Connections by Service
The Service Watch tab of the Firebox System Manager makes a graph of the configured services on a network. The Y axis shows the number of connections. The X axis shows the time. Each service that you see on the display has a different color. You can configure which services appear and their color. From the Firebox System Manager:
1 Click Main Menu > Settings. Click the Service Watch tab.
2 You can change the scale of the Service Watch tab. From the Graph Scale drop-down list, select the value that is the best match for the speed of your network.
Adding a service to the Service Watch tab
1 To add a service to the Service Watch tab, click Add .
The Add Service dialog box appears.
2 Type the Name of the service.
It is not necessary that this be the same name as the service name in the Policy Manager. This name appears only in the Service Watch tab.
3 Type the Port Number of the service.
This is the port that the Firebox monitors and for which it shows the traffic.
4 Use the Color control to select a color for the service.
We recommend that each service use a different color.
5 Click OK to close the Add Service dialog box. Click OK to close the Settings dialog box.
The Service Watch tab appears with the new settings.
Viewing Information About Firebox Status
There are three tabs that give you information about Firebox® status and configuration: Status Report, Authentication List, and Blocked Sites.
Status Report
The Status Report tab on Firebox System Manager gives the important information about Firebox status and configuration.
Time statistics
The first section of the Status Report tells you the current time and information about how long the Firebox has been in operation.
Sample
Current UTC time (GMT): Sun Oct 31 19:19:35 2004
+----- Time Statistics (in GMT) ----------------------
| Statistics from Sun Oct 31 19:19:30 2004 to Sun Oct 31 19:19:35 2004
| Up since Thu Oct 28 13:44:42 2004 (3 days, 05:35)
| Last network change Thu Oct 28 13:44:41 2004
+-----------------------------------------------------
Version information
You can use the Status Report to learn more about the software and firmware versions. You can also see which software components are installed on the Firebox.
Sample
WatchGuard, Copyright (C) 1996-2004 WGTI
Firebox Release: sparks
Driver version: 7.3.B1810
Daemon version: 7.3.B1810
Sys_B Version: 7.1.B1405
BIOS Version: 3f0e808ffc5a482eea39660d6d0fa253 Sicily
Serial Number: 808233533EB86
Product Type: Firebox X1000
Product Options:
Firebox Modular Components:
boot 0 365 7.3.B1810 8f99a151acd Fri Oct 15 17:01:34 PDT 2004
root 500 5036 7.3.B1810 43e79f4f78f Fri Oct 15 17:01:29 PDT 2004
Packet counts
This is the number of packets allowed, denied, and rejected between status reports. “Rejects” are packets that the Firebox denies.
Sample
Allowed: 5832
Denied: 175
Rejects: 30
Log hosts
The IP address of the log host. If you have more than one log host, the IP addresses of all log hosts appear in the report.
Sample
Log host(s): 206.148.32.16
Network configuration
Parameters for the Firebox network interface cards. This includes the interface name, IP addresses, and the netmask. The report also includes network route information and IP aliases.
Sample
Network Configuration:
lo local 127.0.0.1 network 127.0.0.0 netmask 255.0.0.0
eth0 local 192.168.2.2 network 192.168.2.0 netmask 255.255.255.0 outside
eth1 local 192.168.253.1 network 192.168.253.0 netmask 255.255.255.0
eth2 local 10.0.1.1 network 10.0.1.0 netmask 255.255.255.0
eth3 local 10.0.2.1 network 10.0.2.0 netmask 255.255.255.0
eth4 local 10.0.3.1 network 10.0.3.0 netmask 255.255.255.0
eth5 local 10.0.4.1 network 10.0.4.0 netmask 255.255.255.0
Blocked Sites list
This section of the Status Report shows all the IP addresses that you manually add to the Blocked Sites list. To see the temporarily blocked IP addresses, open the Firebox System Manager Blocked Sites tab.
Sample
Blocked list
network 10.0.0.0/8 permanent
network 172.16.0.0/12 permanent
network 192.168.0.0/16 permanent
Logging options
The Status Report shows a list of the log options you configure with the Policy Manager. You can set the Firebox to record allowed and denied packets for services, intrusion detection, and many other features.
Sample
Logging options
Outgoing traceroute
Incoming traceroute logged(warning) notifies(traceroute) hostile
Outgoing ping
Incoming ping
Authentication host information
The Status Report shows which method of authentication is enabled and the IP address of the authentication server.
Sample
Authentication
Using local authentication for Remote User VPN.
Using radius authentication from 103.123.94.22:1645.
Memory
You can use the Status Report to learn how the Firebox uses its memory. The values are shown in bytes of memory.
Sample
Memory:
total: used: free: shared: buffers: cached:
Mem: 65032192 25477120 39555072 9383936 9703424 362905
Load average
The load average is the average number of processes that are running or waiting to run on the Firebox over an interval. The intervals in the Status Report are 1, 5, and 15 minutes. The fourth and fifth numbers are shown as a pair, x/y: x is the number of processes currently in the "run" state and y is the total number of processes. The last number is the Process Identification Number (PID) of the process the Firebox created most recently.
Sample
Load Average:
0.04 0.06 0.09 2/21 6282
CPU Usage
The CPU Usage is the percent usage of the Firebox CPU in the last minute, 5 minutes and 15 minutes.
Sample
CPU Usage:
3% 5% 5%
Processes
The Status Report shows the Process Identification Number (PID), name and status of current
Firebox operations. The report uses a status indicator in the “S” column:
R — Running
S — Sleeping
Z — Zombie
The other fields are as follows:
- RSS — The RAM the process uses.
- SHARE — The memory that more than one process can use at the same time.
- TIME — Total CPU time used.
- (CPU) — Percentage of CPU time used.
- PRI — Priority of process.
- (SCHED) — How the process is scheduled.
Sample
PID NAME S RSS SHARE TIME (CPU) PRI (SCHED)
1 init S 1136 564 148:41.84 ( 0) 99 (round robin)
2 kflushd S 0 0 0:00.02 ( 0) 0 (nice)
Interfaces
This section shows each Firebox interface, with information about the status and packet count and any errors or collisions on the interface. If you have the Firebox X 3-Port Upgrade, the aliases eth3, eth4, and eth5 also show.
Sample
Interfaces:
lo Link encap:Local Loopback
inet addr:127.0.0.1 Bcast:127.255.255.255 Mask:255.0.0.0
UP BROADCAST LOOPBACK RUNNING MTU:3584 Metric:0
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
Collisions:0
eth0 Link encap:Ethernet HWaddr 00:90:7F:1E:79:84
inet addr:192.168.49.4 Bcast:192.168.49.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3254358 errors:0 dropped:0 overruns:0 frame:0
TX packets:1662288 errors:0 dropped:0 overruns:0 carrier:0
Collisions:193
Routes
The Status Report also includes a table of the Firebox routes.
Sample
Routes
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window Use Iface
207.54.9.16 * 255.255.255.240 U 1500 0 58 eth0
207.54.9.48 * 255.255.255.240 U 1500 0 19 eth1
198.148.32.0 * 255.255.255.0 U 1500 0 129 eth1:0
127.0.0.0 * 255.0.0.0 U 3584 0 9 lo
default 207.54.9.30 * UG 1500 0 95 eth0
ARP table
You can see the ARP table used by the Firebox.
Sample
ARP Table
Address HWtype HWaddress Flags Mask Iface
207.23.8.32 ether 00:20:AF:B6:FA:29 C * eth1
207.23.8.52 ether 00:A0:24:2B:C3:E6 C * eth1
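The ARP table above is plain text, which makes it easy to check from a script. The following is an added example, not part of the WatchGuard guide or software: it parses rows in the format shown and reports two conditions worth a look, one MAC address answering for several IP addresses, and one IP address seen with several MAC addresses (the stale-entry case described under "Flushing the ARP cache", or an ARP spoofing attempt). The two extra rows beyond the sample report are constructed for the example, and the conflict rules are the example's own, not a Firebox feature.

```python
"""Parse the ARP Table section of a Firebox Status Report and flag
conflicting entries.

Added example, not WatchGuard code. The input format is the one shown in
the Status Report sample; the conflict rules (one MAC for several IPs,
one IP with several MACs) are this example's own checks.
"""
import re
from collections import defaultdict

# Constructed sample in the Status Report format. The last two rows
# (207.23.8.60 sharing a MAC with .32, and .52 listed twice with
# different MACs) are made up to exercise the checks.
SAMPLE_ARP_TABLE = """\
ARP Table
Address HWtype HWaddress Flags Mask Iface
207.23.8.32 ether 00:20:AF:B6:FA:29 C * eth1
207.23.8.52 ether 00:A0:24:2B:C3:E6 C * eth1
207.23.8.60 ether 00:20:AF:B6:FA:29 C * eth1
207.23.8.52 ether 00:0C:29:11:22:33 C * eth1
"""

# One data row: IPv4 address, hardware type, MAC, flags, mask, interface.
_ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<hwtype>\S+)\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<flags>\S+)\s+(?P<mask>\S+)\s+(?P<iface>\S+)\s*$"
)


def parse_arp_table(text):
    """Return a list of (ip, mac, flags, iface) tuples; title and header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            entries.append((m["ip"], m["mac"].upper(), m["flags"], m["iface"]))
    return entries


def find_conflicts(entries):
    """Return {'shared_mac': {mac: [ips]}, 'multi_mac': {ip: [macs]}}.

    A MAC that answers for several IPs on one interface can be a router or
    proxy-ARP host, but it is also what ARP spoofing looks like. An IP with
    more than one MAC means a host changed address (the stale-entry problem
    the guide describes) or a spoofed reply arrived.
    """
    ips_by_mac = defaultdict(list)
    macs_by_ip = defaultdict(list)
    for ip, mac, _flags, _iface in entries:
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].append(ip)
        if mac not in macs_by_ip[ip]:
            macs_by_ip[ip].append(mac)
    return {
        "shared_mac": {m: ips for m, ips in ips_by_mac.items() if len(ips) > 1},
        "multi_mac": {ip: macs for ip, macs in macs_by_ip.items() if len(macs) > 1},
    }


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_TABLE)
    for kind, found in find_conflicts(table).items():
        for key, values in found.items():
            print(f"{kind}: {key} -> {', '.join(values)}")
```

Run against a real Status Report, paste the ARP Table section into SAMPLE_ARP_TABLE or read it from a file; a "shared_mac" hit on an address that is not your gateway, or any "multi_mac" hit, is the moment to compare with the host's real hardware address before you flush the cache.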
For more information on the status report page, refer to the FAQ: www.watchguard.com/support/advancedfaqs/log_statusall.asp
Authentication
The Authentication List tab of the Firebox System Manager shows the IP addresses and user names of all users that are currently authenticated to the Firebox.
Blocked Sites
The Blocked Sites List tab of the Firebox System Manager shows all the external IP addresses that are temporarily blocked. There are many causes for a Firebox to add an IP address to the Blocked Sites tab: a port space probe, an address space probe, an attempt to access a Blocked Port, or an event you configure.
Adjacent to each IP address is the time when it comes off the Blocked Sites tab. You can use the Blocked Sites dialog box in the Policy Manager to adjust the length of time that an IP address stays on the list.
To remove an IP address from this list, right-click it and select Remove Blocked Site .
If you connected to the Firebox with the status (read-only) passphrase, you must type the configuration passphrase before you can remove a site from the list.
HostWatch
HostWatch is a graphic user interface that shows the network connections between the Firebox interfaces. HostWatch also gives information about users, connections, and network address translation (NAT).
HostWatch shows all incoming and outgoing denied and allowed connections. It can show the friendly name (host name) of the inside and outside IP addresses. You can open a previous log file and use HostWatch to see the connections from another time.
The line that connects the source host and the destination host uses a color that shows the type of connection. You can change these colors. The default colors are:
• Red — The Firebox denies the connection.
• Blue — The connection uses a proxy.
• Green — The Firebox uses NAT for the connection.
• Black — A connection that is none of the first three.
Icons that show the type of service appear adjacent to the server entries for HTTP, Telnet, SMTP, and FTP.
Domain name resolution (DNS) does not occur immediately when you first start HostWatch. When HostWatch does DNS, it replaces the IP addresses with the host or user names. However, some IP addresses do not have DNS entries. When the computer that uses HostWatch cannot identify the host or user name, the IP addresses stay in the HostWatch window.
To start HostWatch, click the HostWatch icon on the Firebox System Manager.
The top part of the HostWatch window is divided into two sides, Inside and Outside. Double-click an item on one of the sides to get a pop-up window. The window shows information about the connection, and includes the IP addresses, port number, connection type, and direction.
The lower part shows the same information in a table with the ports and the time the connection was made.
Connecting HostWatch to a Firebox
From HostWatch:
1 Click File > Connect .
You can also click the Connect button on the HostWatch toolbar. The Connect to Firebox dialog box appears.
2 From the Firebox drop-down list, select the Firebox you want.
You can also type the Firebox name or its IP address.
3 In the Passphrase text box, type the Firebox status passphrase. Click OK .
HostWatch connects to the Firebox and starts to show connections from the trusted and optional networks to the external network.
Showing a log file in HostWatch
Use HostWatch to examine a log file when you do troubleshooting or learn more about an attack. From HostWatch:
1 Click File > Open .
The Windows Open File dialog box appears.
2 Browse to find and select the log file.
The default location for the log files is the WatchGuard installation directory at C:\Program Files\WatchGuard\logs; the log files have the extension .wgl. HostWatch gets the log file and starts to show the traffic.
3 To temporarily stop the display, click Pause.
4 To start the display again, click Continue .
5 To show one entry at a time in the display, first click Pause . Then click the right arrow to move a step forward through the log file. Click the left arrow to go back one step. The time between one step to the next step is controlled by the Play Back controls. See the section below.
Controlling the Play Back
Use the Log File Play Back Controls icon to control how HostWatch shows the log file. Click the Play Back Controls icon.
1 Set the amount of time HostWatch jumps when the display is refreshed. In the Sample time size (sec) text box, type how long the sample lasts.
You can also use the spin control to set the Sample time size.
2 Click the slide bar at the bottom to select the time that HostWatch starts the display.
Controlling the HostWatch window
You can change the HostWatch window to show only the necessary items. You can use this feature to monitor only specified hosts, ports, or users. From HostWatch:
1 Click View > Filters .
2 Click the tab you want to monitor: Inside Hosts, Outside Hosts, Ports, or Authenticated Users.
3 Clear the Display All Hosts, Display All Ports, or Display All Authenticated Users check box.
4 Type the IP address, port number, or user name to monitor. Click Add .
Do this for each item that HostWatch must monitor.
5 Click OK .
Changing HostWatch view properties
You can change how the HostWatch shows information. For example, HostWatch can show host names as an alternative to IP addresses. From HostWatch:
1 Click View > Properties .
2 Use the Host Display tab to change how the hosts appear in the window and the text which appears with them.
To see the function of each control, right-click it and then select What’s this?
3 Use the Line Color tab to change the colors of the lines between denied, dynamic NAT, proxy, and usual connections.
4 Use the Misc. tab to change the refresh rate of the real-time display and the maximum number of connections that show.
CHAPTER 7
Configuring Network Address Translation
Network Address Translation (NAT) changes all outgoing traffic to appear as if it comes from the external IP address of the Firebox. This has two advantages. NAT lets you keep private the internal structure of your network. Also, with NAT you can use a very small number of public IP addresses.
At its most basic level, NAT changes the address of a packet from one value to a different value. The type of NAT refers to how NAT changes the network address:
Dynamic NAT
Dynamic NAT is also known as IP masquerade or port address translation. The Firebox can apply its public IP address to the outgoing packets for all connections or for specified services. This hides the real IP address of the computer that is the source of the packet from the external network.
Static NAT
Static NAT is also known as port forwarding. Static NAT is a port-to-host NAT. A host sends a packet from the external network to a specified public address and port. Static NAT changes this address to an address and port behind the firewall. You must configure each service. You can use Static NAT for public services such as a Web server where authentication is not necessary.
1-to-1 NAT
The Firebox uses private and public IP ranges that you set. It does not use the IP ranges in the Firebox configuration.
The type of NAT you use depends upon your security policy. For more information on NAT, refer to the FAQ: https://www.watchguard.com/support/advancedfaqs/nat_main.asp
Dynamic NAT
Dynamic NAT is the most frequently used type of NAT. It changes the source IP address of an outgoing connection to the public IP address of the Firebox. From the external network, you only see the external IP address of the Firebox on outgoing packets.
Dynamic NAT lets you use only a small number of public IP addresses. Many computers can connect to the Internet from one public IP address. Dynamic NAT also gives more security to the internal hosts that use the Internet, because they can use private addresses that are not routable from the Internet.
WatchGuard System Manager has two different types of outgoing Dynamic NAT:
Simple Dynamic NAT
With host aliases or host and network IP addresses, the Firebox applies NAT to each outgoing packet. This is the most frequently used type of NAT.
Service-based dynamic NAT
You must configure each service for outgoing Dynamic NAT. Usually, you use this type of NAT only together with the drop-in mode of Firebox configuration.
Note
Computers that make an incoming connection on a VPN can connect to hosts by their correct private address.
Using Simple Dynamic NAT
In most networks, the recommended security policy is to apply NAT to all outgoing packets. With simple dynamic NAT you can quickly set up a NAT policy for all of your network. For more information on this type of NAT, refer to the FAQ: https://www.watchguard.com/support/advancedfaqs/nat_howdynamicnat.asp
Enabling simple dynamic NAT
The default configuration of simple dynamic NAT enables dynamic NAT from all private IP addresses to the external network.
From Policy Manager:
1 Click Setup > NAT .
The NAT Setup dialog box appears; refer to the figure that follows.
2 Select the Enable Dynamic NAT check box.
The default entries are:
• 192.168.0.0/16 - external
• 172.16.0.0/12 - external
• 10.0.0.0/8 - external.
These are the private address ranges defined in RFC 1918. If your internal networks use addresses outside these ranges, you must add an entry for them (except when you use drop-in mode).
Adding simple dynamic NAT entries
With default host aliases, you can quickly configure the Firebox to hide addresses from your trusted and optional networks. For the default dynamic NAT entries, refer to the section before.
For larger networks or networks with more services, you can have more entries in the From or To lists of hosts or host aliases. The Firebox applies the dynamic NAT rules in the sequence that they appear in the Dynamic NAT Entries list, and the first rule that matches a packet is used. WatchGuard recommends that you order the entries by traffic volume, with the most used entries first.
From the NAT Setup dialog box:
1 Click Add .
2 From the From drop-down list, select the source of the outgoing packets.
For example, use the trusted host alias to enable NAT from all the trusted network. For more information on built-in aliases, refer to "Adding an alias" on page 110.
3 From the To drop-down list, select the destination of the outgoing packets.
4 To add a host or a network IP address, click the ... button. From the drop-down list, select the address type. Type the IP address or the address range. You must type a network address in slash notation.
When you type an IP address, type all the numbers and the stops. Do not use the TAB or arrow key. For more information on how to type the IP addresses, refer to "Enter the IP addresses" on page 25.
5 Click OK .
The new entry appears in the Dynamic NAT Entries list.
Reordering simple dynamic NAT entries
To change the sequence of the dynamic NAT entries, select the entry to change. Then click the Up or Down button.
You cannot edit a dynamic NAT entry in place. To change one, remove the entry with the Remove button, then use the Add button to add the new entry.
Specifying simple dynamic NAT exceptions
You can set up ranges of addresses in dynamic NAT and make each address in that range a part of the NAT policy. With the dynamic NAT exceptions parameter you can remove some addresses from that policy. From Policy Manager:
1 Click Setup >NAT .
2 Click Advanced .
The Advanced NAT Settings dialog box appears.
3 Click the Dynamic NAT Exceptions tab.
4 Click Add .
The Add Exception dialog box appears.
5 In the From and To boxes, select the interface you want.
The alternatives dvcp_nets and dvcp_local_nets are aliases for VPN Manager and appear if you configure your Firebox as a DVCP client. dvcp_nets refers to networks at the other end of the VPN tunnel. dvcp_local_nets refers to networks behind the Firebox that you configure. Do not make dynamic NAT exceptions for these networks.
6 Click the button adjacent to the From box. Type the value of the host IP address, network IP address, or host range. Click OK .
7 Click OK to close the Advanced NAT Settings dialog box.
Note
You can configure Dynamic NAT exceptions on the two types of dynamic NAT. You must make dynamic NAT exceptions for each 1-to-1 NAT address if it is also configured by dynamic NAT.
Using Service-Based Dynamic NAT
With service-based dynamic NAT, you can set an outgoing dynamic NAT policy for each service. Use Service-based NAT to make exceptions to a simple dynamic NAT entry that applies to all connections.
For example, you have a network with simple NAT enabled from the trusted to the optional network. A web server on the optional network must not see masqueraded addresses from the trusted network. To do this, you use service-based NAT. Add a service icon that lets Web connections through from the trusted network to the optional Web server, and make NAT inactive for that service. In this configuration, all Web connections from the trusted network reach the Web server with their correct source IP addresses. All other traffic from trusted to optional is masqueraded. You can also use service-based NAT as an alternative to simple dynamic NAT: instead of applying NAT rules to all outgoing packets, you select the specific services to masquerade.
Enabling service-based dynamic NAT
To enable Service-based NAT you do not have to enable simple dynamic NAT.
From Policy Manager:
1 Click Setup > NAT . Click Advanced .
2 Select the Enable Service-Based NAT check box.
3 Click OK to close the Advanced NAT Settings dialog box. Click OK to close the NAT Setup dialog box.
Configuring service-based dynamic NAT
By default, a service has the dynamic NAT properties you set for simple NAT. But, you can override this in the Properties dialog box of the service. You can select:
Use Default (Simple NAT)
Service-based NAT is not enabled for the service. The service uses the simple dynamic NAT rules that you configure in the Dynamic NAT Entries list. For more information, refer to "Adding simple dynamic NAT entries" on page 71.
Disable NAT
Makes dynamic NAT not active for the outgoing packets that use this service. Use this to not include a service in outgoing NAT.
Enable NAT
Enables service-based dynamic NAT for outgoing packets. This service overrides the simple dynamic NAT configuration.
From Policy Manager:
1 Double-click the service icon. Click Outgoing .
2 From the Choose Dynamic NAT Setup drop-down list, select default (simple dynamic NAT), disable , or enable . Click OK .
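To make the ordered entry list, the exceptions, and the per-service override of this section concrete, here is an added example in Python. It is not WatchGuard code and does not reproduce the Firebox implementation. It assumes that entries are checked in list order with the first match winning (as "Adding simple dynamic NAT entries" states), that an exception is checked before the entries and applies to both kinds of dynamic NAT (as the note above says), and that the translated source is the Firebox address on the interface behind which the destination lives. The interface addresses are taken from the Network configuration sample in the Status Report section; the fourth entry, the exception, and the test addresses are constructed.

```python
"""Model of the outgoing dynamic NAT decision described in this section.

Added example, not WatchGuard code and not the Firebox's implementation.
Assumptions: entries are checked in list order and the first match wins;
an exception is checked before the entries; a service set to 'enable'
still honours exceptions; the translated source is the Firebox address
on the egress interface.
"""
from ipaddress import ip_address, ip_network

# Interfaces and the Firebox address on each, from the Network
# configuration sample in the Status Report section. "external" has no
# network of its own: it is every destination not on an internal interface.
FIREBOX_IF = {
    "external": (None, ip_address("192.168.2.2")),
    "optional": (ip_network("192.168.253.0/24"), ip_address("192.168.253.1")),
    "trusted": (ip_network("10.0.1.0/24"), ip_address("10.0.1.1")),
}

# Dynamic NAT Entries list in dialog-box order. The first three are the
# defaults from "Enabling simple dynamic NAT"; the fourth is constructed.
DYNAMIC_NAT_ENTRIES = [
    ("192.168.0.0/16", "external"),
    ("172.16.0.0/12", "external"),
    ("10.0.0.0/8", "external"),
    ("trusted", "optional"),
]

# Dynamic NAT Exceptions (constructed): a host that must keep its real
# address towards the external network, e.g. one that is also 1-to-1 NATed.
DYNAMIC_NAT_EXCEPTIONS = [
    ("10.0.1.50/32", "external"),
]


def egress_interface(addr):
    """Name of the interface whose network contains addr, else 'external'."""
    for name, (net, _fb_addr) in FIREBOX_IF.items():
        if net is not None and addr in net:
            return name
    return "external"


def _matches(addr, spec):
    """spec is an interface alias ('trusted', 'external', ...) or a CIDR string."""
    if spec in FIREBOX_IF:
        return egress_interface(addr) == spec
    return addr in ip_network(spec, strict=False)


def _first_match(rules, src, dst):
    """Walk the rules in order; return the first From/To pair that matches, else None."""
    for from_spec, to_spec in rules:
        if _matches(src, from_spec) and _matches(dst, to_spec):
            return (from_spec, to_spec)
    return None


def translated_source(src, dst, service_nat="default"):
    """Source address the destination sees for a connection from src to dst.

    service_nat is the service's 'Choose Dynamic NAT Setup' value:
    'default' follows the Dynamic NAT Entries list, 'disable' never
    translates this service, 'enable' always translates it (an exception
    still wins, since exceptions apply to both types of dynamic NAT).
    """
    src, dst = ip_address(src), ip_address(dst)
    if service_nat == "disable":
        return src
    if _first_match(DYNAMIC_NAT_EXCEPTIONS, src, dst):
        return src
    if service_nat == "enable" or _first_match(DYNAMIC_NAT_ENTRIES, src, dst):
        return FIREBOX_IF[egress_interface(dst)][1]
    return src


if __name__ == "__main__":
    # Trusted host to the Internet: masqueraded behind the external address.
    print(translated_source("10.0.1.20", "203.0.113.5"))  # 192.168.2.2
    # The excepted host keeps its real address.
    print(translated_source("10.0.1.50", "203.0.113.5"))  # 10.0.1.50
    # Trusted -> optional web server, with NAT disabled on the HTTP service.
    print(translated_source("10.0.1.20", "192.168.253.80", "disable"))  # 10.0.1.20
```

The order of DYNAMIC_NAT_ENTRIES matters only for which rule is reported as the match here, but on a real list with overlapping From ranges and different To interfaces it decides the outcome, which is why the guide tells you to review the sequence after every Add.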
Configuring Service-Based Static NAT
For more information on static NAT, refer to the FAQs: https://www.watchguard.com/support/advancedfaqs/nat_whenstatic.asp
https://www.watchguard.com/support/advancedfaqs/nat_outin.asp
Adding external IP addresses
Static NAT changes a Firebox public IP and port into specified destinations on the trusted or optional networks. To use a different IP address than the external interface, you must give the new public IP address in the Add External IP dialog box .
From Policy Manager:
1 Click Network > Configuration . Click Aliases .
The Add External IP dialog box appears.
2 At the bottom of the dialog box, type the public IP address. Click Add .
3 Do this again to add all the external public IP addresses. Click OK .
Setting static NAT for a service
You must configure Static NAT for each service. Because of how static NAT operates, it is available only for services that use a specified port, which means TCP and UDP. A service that uses another protocol cannot use incoming static NAT, and the NAT button in the Properties dialog box of the service does not work. You also cannot use Static NAT with the Any service. Before you configure static NAT for a service, refer to the FAQ: https://www.watchguard.com/support/advancedfaqs/nat_outin.asp
1 Double-click the service icon in the Services Arena.
The Properties dialog box of the service shows the Incoming tab.
2 From the Incoming drop-down list, select Enabled and Allowed .
To use static NAT, the service must let incoming traffic through.
3 Below the To list, click Add .
The Add Address dialog box appears.
4 Click NAT .
The Add Static NAT dialog box appears ; refer to the figure that follows.
Note
Mail servers must use the correct external address of the Firebox for incoming NAT, or 1-to-1 NAT. If not, mail problems can occur.
5 From the External IP Address drop-down list, select the “public” address to use for this service.
If the public address does not appear in the drop-down list, click Edit to open the Add External IP dialog box and add the public address.
6 Type the internal IP address.
The internal IP address is the destination on the trusted network.
7 If necessary, select the Set internal port to different port than service check box.
You usually do not use this feature. It enables you to change the packet destination not only to a specified internal host but also to a different port. If you select the check box, type the different port number in the Internal Port text box.
8 Click OK to close the Add Static NAT dialog box.
The static NAT route appears in the Members and Addresses list.
9 Click OK to close the Add Address dialog box. Click OK to close the Properties dialog box of the service.
Using 1-to-1 NAT
1-to-1 NAT uses a NAT policy that changes and routes all incoming and outgoing packets sent to one range of addresses to a different range of addresses. You can configure many different 1-to-1 NAT addresses.
You frequently use 1-to-1 NAT to route public IP addresses to internal servers. On those servers, you do not have to change the IP address. You can also use 1-to-1 NAT for VPN tunnels when the IP addresses of the remote network are the same as the local network. The local network addresses change to a range that is not the same as the remote addresses, and a VPN tunnel can connect.
For more information on 1-to-1 NAT, refer to the FAQ: https://www.watchguard.com/support/advancedfaqs/nat_onetoone.asp
In each NAT policy you can configure four items:
• The interface
• The public IP address
• The internal IP address
• The number of hosts to route.
You set a NAT policy as a “from” and “to” range of IP addresses. For example, in the policy 210.199.6.1–192.168.69.1:254 (NAT base to real base range), all the traffic that is sent to hosts between 210.199.6.1 and 210.199.6.254 is changed to the related IP address between 192.168.69.1 and 192.168.69.254.
There is a one-to-one address change from each NAT address to the destination (real) IP address:
210.199.6.0 becomes 192.168.69.0.
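The address arithmetic behind the static NAT procedure and the 1-to-1 NAT policy described above can be checked offline. The following Python model is an added example and is not WatchGuard code; it reuses the 210.199.6.x and 192.168.69.x ranges from the text, while the 203.0.113.x and 10.0.1.x addresses, the rule names, and the function names are constructed for the example. It also models the dynamic NAT exception from step 10 of the 1-to-1 procedure: a real host only keeps its 1-to-1 address on outgoing traffic if it is excepted from dynamic NAT.

```python
"""Added example (not WatchGuard code) that models the address arithmetic of
the two incoming NAT forms described above:

- static NAT: one public IP and port on one TCP or UDP service is sent to one
  internal host, optionally on a different port;
- 1-to-1 NAT: a block of "NAT base" (public) addresses is mapped address for
  address onto a block of "real base" addresses, in both directions.

The 210.199.6.x / 192.168.69.x block is the example from the text; the
203.0.113.x and 10.0.1.x addresses are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_PROTOCOLS = {"tcp", "udp"}  # static NAT needs a port, so only these qualify


@dataclass(frozen=True)
class StaticNatRule:
    external_ip: str
    protocol: str
    service_port: int
    internal_ip: str
    internal_port: Optional[int] = None  # "Set internal port to different port"


def static_nat(rule: StaticNatRule, dst_ip: str, protocol: str, dst_port: int):
    """Return (internal_ip, internal_port) for an incoming packet covered by the
    rule, or None when the packet is not for this service's public address."""
    if rule.protocol not in PORT_PROTOCOLS:
        raise ValueError("static NAT is only available for TCP and UDP services")
    if (dst_ip, protocol, dst_port) != (rule.external_ip, rule.protocol, rule.service_port):
        return None
    return rule.internal_ip, rule.internal_port or rule.service_port


@dataclass(frozen=True)
class OneToOneMapping:
    nat_base: str   # first address of the range seen externally
    real_base: str  # first address of the range the hosts really have
    hosts: int      # number of hosts to route


def _offset(base: str, addr: str, hosts: int) -> Optional[int]:
    """Position of addr inside the block starting at base, or None if outside."""
    delta = int(ipaddress.ip_address(addr)) - int(ipaddress.ip_address(base))
    return delta if 0 <= delta < hosts else None


def one_to_one_incoming(m: OneToOneMapping, dst_ip: str) -> Optional[str]:
    """Rewrite the destination of a packet sent to the NAT (public) range."""
    off = _offset(m.nat_base, dst_ip, m.hosts)
    return None if off is None else str(ipaddress.ip_address(m.real_base) + off)


def one_to_one_outgoing(m: OneToOneMapping, src_ip: str) -> Optional[str]:
    """Rewrite the source of a packet leaving a host in the real range."""
    off = _offset(m.real_base, src_ip, m.hosts)
    return None if off is None else str(ipaddress.ip_address(m.nat_base) + off)


def outgoing_source(m: OneToOneMapping, src_ip: str, dynamic_nat_exceptions,
                    firebox_external_ip: str) -> str:
    """Source address the outside world sees for an outgoing packet.

    Step 10 of the 1-to-1 procedure: a real host only keeps its 1-to-1 address
    if it is listed as a dynamic NAT exception; otherwise dynamic NAT rewrites
    it to the Firebox's own external address."""
    public = one_to_one_outgoing(m, src_ip)
    addr = ipaddress.ip_address(src_ip)
    excepted = any(addr in ipaddress.ip_network(n, strict=False) for n in dynamic_nat_exceptions)
    return public if public is not None and excepted else firebox_external_ip


# Constructed configuration: the 1-to-1 policy from the text plus one static NAT
# rule for a web server on the optional network (all sample values).
POLICY = OneToOneMapping("210.199.6.1", "192.168.69.1", 254)
WEB_RULE = StaticNatRule("203.0.113.10", "tcp", 80, "10.0.1.5", internal_port=8080)

if __name__ == "__main__":
    print(one_to_one_incoming(POLICY, "210.199.6.20"))     # 192.168.69.20
    print(one_to_one_incoming(POLICY, "210.199.6.255"))    # None: outside the 254 hosts
    print(outgoing_source(POLICY, "192.168.69.20", ["192.168.69.0/24"], "203.0.113.1"))
    print(static_nat(WEB_RULE, "203.0.113.10", "tcp", 80))  # ('10.0.1.5', 8080)
```

The `hosts` count is exclusive of the base plus count, so with 254 hosts the mapping covers 210.199.6.1 through 210.199.6.254 and nothing else, which is the range the text states; an address outside the block returns None and is left for dynamic NAT or a static NAT rule to handle.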
From Policy Manager:
1 Click Setup > NAT.
2 Click Advanced.
The Advanced NAT Settings dialog box appears.
3 Click the 1-to-1 NAT Setup tab.
4 Select the Enable 1-1 NAT check box.
5 Click Add.
The 1-1 Mapping dialog box appears; refer to the figure that follows:
6 Select the interface you want.
7 Type the number of hosts to route.
8 In the NAT base text box, type the address for the NAT range you can see externally.
This frequently is the public IP address.
9 In the Real base text box, type the destination IP address range. Click OK.
This frequently is the IP address the server or client has.
10 Click the Dynamic NAT Exceptions tab.
You must make a dynamic NAT exception for each internal address you use for 1-to-1 NAT. If not, dynamic NAT changes the address instead of 1-to-1 NAT.
11 Click Add.
The Add Exception dialog box appears.
12 In the To box, select the interface you want. This usually is the external interface.
The alternatives dvcp_nets and dvcp_local_nets are aliases for VPN Manager and appear if you configure your Firebox as a DVCP client. dvcp_nets refers to networks at the other end of the VPN tunnel. dvcp_local_nets refers to networks behind the Firebox that you configure. Do not make dynamic NAT exceptions for these networks.
13 Click the button adjacent to the From box. Type the IP address range you gave in step 9. Click OK.
14 Click OK to close the Advanced NAT Settings dialog box. Click OK to close the NAT Setup dialog box.
Proxies and NAT
The table that follows gives each proxy and the possible types of NAT.
Proxy          Simple dynamic   Static   Service-based   1-to-1
DNS            yes              yes      yes             no
HTTP           yes              yes      yes             no
SMTP           yes              yes      yes             no
FTP            yes              yes      yes             no
DCE-RPC        yes              no       no              yes
H323           yes              no       no              yes
RTSP           yes              yes      no              yes
RealNetworks   no               no       no              yes
CHAPTER 8
Configuring a Service
A service is a group of rules for how a firewall routes your network traffic. The parameters of a service include:
• Direction of traffic (incoming or outgoing)
• Firebox action (enabled and allowed, enabled and denied, denied)
• Source and destination
• One or more ports
• One or more protocols
• Log and notification properties
Packet Filters and Proxies
In the Policy Manager, there are two categories of services: packet filters and proxies.
A packet filter examines each packet header. A packet filter is the most basic feature of a firewall. It controls the network traffic into and out of your Firebox. If the packet header information matches the rule criteria, then the firewall allows the packet. If the packet header information does not match the rule criteria, the Firebox denies the packet. It can also record a log message or send a message to the source.
A proxy examines each packet header and the content of each packet. If the content does not match the rule criteria you set, the Firebox denies the packet. A proxy operates at the application layer, while a packet filter operates at the network layer and transport layer. When you enable a proxy, the Firebox:
• Removes all the network data
• Examines the contents for RFC data and content type matches.
• Restores the network data
• Sends the packet to its initial destination
A proxy uses more resources and bandwidth than a packet filter. But, a proxy can catch dangerous content types that a packet filter cannot.
Services and the Policy Manager
In this User Guide, we refer to packet filters and proxies together as services. Unless we tell you differently, the procedures below refer to proxies and packet filters.
The Policy Manager shows each packet filter and proxy as an icon. You configure the rules for outgoing traffic and incoming traffic. The traffic can be allowed or denied, and you can configure the source and destination. You can also set the rules for your log messages and notification messages, and for computer ports, protocols, and other packet properties.
Selecting Services for your Security Policy
WatchGuard System Manager denies all packets that are not specially approved. You see this policy in network security documentation as:
If you do not allow a given traffic type, it is denied.
This security policy helps to protect your network from:
• Attacks with a new service or different IP service
• Unknown services
• Configuration errors
When you configure the Firebox with the Quick Setup Wizard, you set only the basic packet filters and interface IP addresses. To allow more traffic through the Firebox, you must:
• Configure the services and protocols on the Firebox to let necessary traffic through
• Set the approved hosts and properties for each service or protocol
• Balance the requirement to protect your network against the requirements of your users to get access to external resources
Incoming and outgoing services
A connection from a less trusted segment of the network to a more trusted segment is incoming. You must configure an incoming connection on the Incoming tab for the service. A connection from a more trusted segment to a less trusted segment is outgoing. You must configure an outgoing connection on the Outgoing tab for the service.
For example, a Telnet connection through the Firebox from the eth5 optional network to the eth2 optional network is incoming, because the data flow is from a less trusted network to a more trusted network.
Or, you can allow an HTTP connection from a VPN source through the Firebox to the external interface.
Here, you use the Outgoing tab for the HTTP service, because VPN sources are more trusted than external sources.
For more information on incoming traffic and outgoing traffic and how they apply to the different Firebox interfaces, refer to “About Incoming and Outgoing Traffic” on page 47.
Incoming service guidelines
When you enable an incoming service, you create a small hole into your network. The guidelines below can help you to make an estimate of the security risks as you add each incoming service. Each safety precaution you add gives you a safer network. To follow three or four precautions is much safer than to follow one or none.
• Your total security is only as high as the service you allow with the lowest security properties.
• Do not trust traffic sources that you do not know.
• If you know more about a software application and the network traffic it uses, you can configure a better security policy.
• Services with no built-in authentication and that are not created for use on the Internet are a risk.
• Services that send your password in clear text, such as FTP, Telnet, and POP, are a high risk.
• Services with built-in strong authentication, such as ssh, are safer. If the service does not have built-in authentication, you can decrease the risk if you use user authentication with that service.
• Services such as DNS, SMTP, anonymous FTP, and HTTP are safe only if you use them correctly as designed.
• You can decrease your risk if you let an incoming service connect to only one trusted computer. The more internal computers you allow the service to connect to, the more you are at risk.
• You can decrease your risk if you let an incoming service come from only IP addresses you select. The more external IP addresses you allow, the more you are at risk.
• To open access to the optional network is safer than to open access to the trusted network.
Outgoing service guidelines
Usually, an incoming service adds the highest risk, but there can also be a risk with an outgoing service.
For example, when you configure the outgoing FTP service, you can make it a read-only service or set a limit on the destination hosts. This prevents your users from downloading a virus or software application from an FTP site. Another example: some services (FTP, telnet, POP) send your passwords using a method in which they are easily read. If the passwords are the same as the ones you use internally, a hacker can get your password and use it to get access to your network.
Many of the guidelines shown above for an incoming service are also valid for an outgoing service. The basic rule is that “less is more.” The fewer services you add to your Firebox configuration, the more secure your network is.
Adding and Configuring Services
You can add and configure services with Policy Manager. You can see the icons that identify the Firebox services you have configured in the Policy Manager.
For each service you can:
• Set allowed traffic sources and destinations (incoming and outgoing)
• Make filter rules and policies
• Enable or disable the service
The Policy Manager includes many pre-configured packet filters. For example, to apply a packet filter to all Telnet traffic, you can easily add a Telnet packet filter. You can also make a custom packet filter for which you set the ports, protocols and other parameters.
For more information on pre-configured services, see Chapter 3, “Types of Services,” in the Reference Guide. You can also refer to the Services FAQ: https://www.watchguard.com/support/advancedfaqs/svc_main.asp
Changing the Policy Manager View
The Policy Manager has two views: Large Icons view and Details view. The Large Icons view shows each service as an icon. Two small dots are the status indicators. They show if the service allows or denies incoming traffic and outgoing traffic.
To change to the Large Icons view, click the Large Icons button on the toolbar.
Large Icons View of Policy
To change to the Details view, click the Details button on the toolbar. In the Details view, each service is a row. You can see configuration information such as source and destination, and log and notification properties.
Details View of Services Arena
Service Parameters to Configure
You can configure most parameters of a packet filter or proxy service. You can learn more about the
are the same for all services.
When you open a service icon, you see three tabs: Incoming, Outgoing, and Properties.
Incoming
Use the Incoming tab to enable traffic from the less trusted network to the more trusted network. For example, you can configure incoming traffic from the external network to the trusted network.
On the From list, you add the computers and networks that can send incoming traffic using this service. On the To list, you add the computers and networks to which the Firebox can route traffic with this service. For example, you could configure an incoming ping packet filter to allow traffic from all computers on the external network to one Web server on your optional network.
Outgoing
Use the Outgoing tab to enable traffic from the more trusted network to the less trusted network. For example, you can configure outgoing traffic from the trusted network to the optional network.
On the From list, you add the computers and networks that can send outgoing traffic with this service. On the To list, you add the computers and networks to which the Firebox can route traffic using this service. For example, you could configure an outgoing ping packet filter to allow computers on the trusted network to ping computers on the external network.
Logging
For each service, you select the events that cause the Firebox to send a log message. You can also set the Firebox to send an e-mail message or other notification.
Adding a service
You use the Policy Manager to add a packet filter or proxy to your configuration. To add a service:
1 On the Policy Manager toolbar, click the Add Services button.
You can also click Edit > Add Service. The Services dialog box appears.
2 Click the plus (+) sign on the left side of the folder to expand the Packet Filters or Proxies folders.
A list of the packet filters or proxies appears.
3 Click the name of the service to add.
When you select a service, the service icon appears in the area below the New, Edit, and Remove buttons. Also, the Details box shows the basic information about the service.
4 Click Add.
The Add Service dialog box appears.
5 You can change the name and information that appear when you configure the service. This information appears in the Policy Manager Details view. Click the Name or Comment text box and type the values.
6 Click OK.
The Properties dialog box of the service appears. For more information on how to configure the service properties, refer to “Adding service properties” on page 86.
7 Click OK to close the Properties dialog box.
You can add more than one service while the Services dialog box is open.
8 Click Close.
The new service appears in the Policy Manager.
Making a new service
The Policy Manager includes many pre-configured packet filter services, but you can also make a new service. You can also change a pre-configured service. It can be necessary to do this if you add a new software application behind your firewall. Remember, each new service can increase your security risk.
1 On the Policy Manager toolbar, click the Add Services button.
2 Click New.
The New Service dialog box appears.
3 In the Name text box, type the name of the service.
This name must not be the same as names in the list in the Services dialog box. The name appears in the Policy Manager and it helps you to find the service when you must change or remove it.
4 In the Description text box, type a description of the service.
This appears in the Details section when you click the service name in the list of User Filters.
5 To set up the port for this service, click Add.
The Add Port dialog box appears.
6 From the Protocol drop-down list, select the protocol for this new service. For more information about network protocols, see the Reference Guide or online help system. You can select:
TCP The firewall examines TCP (IP protocol 6) packets.
UDP The firewall examines UDP (IP protocol 17) packets.
HTTP The firewall examines HTTP packets.
IP Set the firewall to examine packets for a different protocol. You select IP to create a protocol number service. The Next-level field appears in the Add Port dialog box. Type the number of the protocol.
7 From the Client Port drop-down list, select the client port for this new service. Note that you can select one port or a range of ports. For the Client Port, you can select:
Ignore The source port range is from 0–65565. Use this if you are not sure which port to use.
Secure The source port range is from 0–1024.
Port The source port must be the same as the destination port. This shows in the Port number field of the Properties dialog box of the destination service.
Client The source port range is from 1025–65565.
8 In the Port text box, type the port number.
9 To set a range of port numbers, type the lowest number of the range in the Port text box. In the To text box, type the highest number of the range.
10 Click OK.
The Policy Manager adds the values to the New Service dialog box. Make sure that the name, information, and configuration of this service are correct. You can click Add to configure more ports for this service. Complete the Add Port procedure again until you configure all ports for the service.
11 Click OK.
The Services dialog box appears with the new service in the User Filters folder. You can at this time add one or more services using the New Service dialog box.
12 In the Services dialog box, expand the User Filters folder. Click the name of the service. Click Add.
Click OK to close the Add Service dialog box. Click OK to close the Properties dialog box. Click Close and the Services dialog box closes.
The icon of the new service appears in the Policy Manager.
Adding more than one service of the same type
To match the requirements of your security policy, you can add the same service many times. For example, you can set a limit on the use of the Web for most users, while you give your management complete use of the Web. To do this, you make two different HTTP services with different properties for the outgoing rule:
1 Add the first service. Refer to steps 1–4 in “Adding a service” on page 82.
2 Change the name of the service to give its function in your security policy and add the related information.
In the first example of the different HTTP services, you can give the first HTTP service the name “restricted_web_access.”
3 Click OK.
The Properties dialog box of the service appears. Set the outgoing properties. Refer to “Adding service properties” on page 86.
In the example, you can add an alias “staff,” which has a range of IP addresses or a group of authenticated users. For more information on aliases, refer to “Using Aliases” on page 109.
4 Add the second HTTP service.
In the example, you can give this second HTTP service the name “full_web_access.”
5 Click OK.
The Properties dialog box of the service appears. Set the outgoing properties. Refer to “Adding service properties” on page 86.
In the example, you can add an alias “executives”.
Note
Do not create services that do the opposite. For example, do not create one HTTP service that lets incoming traffic through while the other denies incoming traffic. You can use the Disabled option to prevent this.
Deleting a service
As your security policy changes, it could be necessary to remove one or more services. To remove a service, you must first remove it from the Policy Manager. Then you must save the new policy to the Firebox.
From Policy Manager:
1 Click the icon of the service you want to remove.
2 On the toolbar, click the Delete Service button.
You can also click Edit > Delete or right-click the icon and click Delete.
3 To confirm, click Yes.
4 Save the configuration to the Firebox and start the Firebox again. Click File > Save > To Firebox.
Type the configuration passphrase. Select the Save to Firebox check box. Click Save.
Configuring Service Properties
You can use the service Properties dialog box to configure incoming and outgoing access rules for a given service.
The Incoming tab shows:
• The sources on the external network (or a less trusted network) that use this service to start a connection with the users, hosts, and networks behind the Firebox.
• The destinations behind the Firebox for the incoming traffic for this service.
The Outgoing tab shows:
• The sources behind the Firebox that use this service to start a connection with an external (or less trusted) destination.
• The destinations on the external network for the outgoing traffic for this service.
A service can be:
Disabled
The Firebox does not examine the traffic using this service. The Disabled option lets you make a service that examines traffic in only one direction.
Enabled and Denied
The Firebox denies all traffic using this service. You can configure it to record a log message when a computer tries to use this service. It can also automatically add a computer or network that tries to start a connection with this service to the Blocked Sites list.
Enabled and Allowed
The Firebox allows traffic using this service if it obeys the rules you set for source and destination.
Opening the Service Properties dialog box
When you add a service, the Properties dialog box of the service automatically appears. To show the Properties dialog box of a service, you can double-click the service icon in the Policy Manager. Also, you can click the service icon and click the Edit Service button.
Adding service properties
The procedure to add incoming and outgoing service properties is the same.
1 Double-click the service icon to open the Service Properties dialog box.
2 Click the tab with the properties you want to change.
3 Click the Add button for the From or the To member list.
4 Set the members for the service.
Tab        Member list   Users
Incoming   From          The computers, networks, and users on the less trusted network that can send incoming traffic
Incoming   To            The destinations on the more trusted network which can receive incoming traffic
Outgoing   From          The computers, networks, and users on the more trusted network that can send outgoing traffic
Outgoing   To            The destinations on the external network which can receive outgoing traffic
Adding addresses or users to service properties
The Incoming properties and Outgoing properties include From and To address lists. Use the Add Address dialog box to add a network, IP address, or specified user to a service. From the Properties dialog box:
1 From the Incoming service Connections Are drop-down list, select Enabled and Allowed.
2 Click the Incoming tab or Outgoing tab. Click Add (below the From or To list).
The Add Address dialog box appears.
3 Click Add Other.
4 From the Choose Type drop-down list, select the address type, range, host name, or user to add.
5 In the Value text box, type the correct address, range, or name. Click OK.
The member or address appears in the Selected Members and Addresses list.
6 Click OK.
The new selection appears in the Incoming or Outgoing tab below the From or To box.
Working with wg_icons
When you enable some features of the WatchGuard System Manager, the Policy Manager automatically adds a service. These WatchGuard service names start with “wg_” and include PPTP and authentication.
WatchGuard recommends that you keep the default parameters of these automatically created icons. wg_ icons appear in the Policy Manager if you click View > Hidden Services. A check mark appears adjacent to the menu selection. To hide wg_ icons, click View > Hidden Services again. The check mark clears. These are the wg_ services:
wg_authentication
Appears when you enable user authentication.
wg_dhcp_server
Appears when you enable the DHCP server.
wg_pptp
Appears when you enable PPTP.
wg_dvcp
Appears when you set the Firebox as a DVCP server or DVCP client. This occurs when you use VPN Manager.
wg_sohomgt
Appears when you set the Firebox as a DVCP server. It controls how the Firebox manages WatchGuard Firebox SOHO6, Firebox S6, and Firebox X Edge models.
wg_ca
Appears when you set the Firebox as a DVCP server. It controls how the Firebox operates as a Certificate Authority.
Customizing logging and notification
In WatchGuard System Manager you can set custom log properties and notification properties for each packet filter and proxy. You can also configure the log messages for other features. Use the Logging and Notification dialog box to configure the Firebox to record the usual network traffic events and to send a notification only for a very important event.
The Policy Manager uses almost the same dialog box for all services, options, and features. Thus, if you know the parameters for one service type, you can easily configure the remaining services.
1 Double-click the service icon to open the Service Properties dialog box.
2 Click the Incoming tab. Click Logging.
The Logging and Notification dialog box appears.
3 Set the parameters and notification to match the requirements of your security policy.
Category
A list of the categories of traffic for which the Firebox can record a log message. This list is different for each service or selection. Click the category name to show and select the parameters.
Enter it in the log
When you enable this check box, the Firebox sends a log message when it sees a traffic type that matches the one you selected in the Category list. Domain name resolution can increase the time it takes for a log entry to be sent to the log file. The default configuration of all services is for the Firebox to send a log message when it denies a packet.
Send notification
When you enable this check box, the Firebox sends a notification when it sees a traffic type that matches the one you selected in the Category list. You set the notification parameters with WatchGuard Security Event Processor (WSEP). For more information, refer to “Customizing Logging and Notification by Service or Option” on page 139.
You can configure the Firebox to do one of these actions:
E-mail The Firebox sends an e-mail message when the event occurs. Set the e-mail address in the Notification tab of the WSEP user interface.
Pop-up Window The Firebox makes a dialog box appear on the management station when the event occurs.
Custom Program The Firebox starts a software application or script when the event occurs.
You must type the full path to the file, or use Browse to find and select the file.
You can control the time of the notification, together with the Repeat Interval. For more information, refer to “Setting Launch Interval and Repeat Count” on page 140.
Service Precedence
The service precedence is the sequence in which the Firebox sorts more than one service. The Firebox gives precedence to the most tightly configured service and moves down to the most general service.
For example, a service with one source IP address to one destination IP address has a higher precedence than the same service with a configuration from any computer to any computer.
The Firebox also gives precedence by group. There are three different precedence groups.
• The Any service has the highest precedence. For more information about the Any service, see the Reference Guide.
• IP and ICMP services and all TCP/UDP services that have a specified port number have the second highest precedence. This is the largest precedence group.
• The Outgoing services that do not give a port number have the lowest precedence. This group includes Outgoing TCP, Outgoing UDP, and Proxy.
For example, because the “Any” service is in the highest precedence group, every “Any” service has precedence over the highest precedence Telnet service.
A service can contain rules from more than one precedence group. For example, the Filtered-HTTP packet filter and the Proxied-HTTP proxy contain a TCP rule for port 80 and a rule with no specified port for all other TCP connections. When there is more than one rule, the Firebox uses the one with the highest precedence first.
Because the Firebox sorts your services from the most tightly configured service to the most general service, the table below gives general guidelines for precedence when you have two or more of the same service:
From   To     Rank
IP     IP     0
List   IP     1
IP     List   2
List   List   3
Any    IP     4
IP     Any    5
Any    List   6
List   Any    7
Any    Any    8
IP refers to one host IP address
List refers to more host IP addresses, a network address, or an alias
Any refers to the special “Any” target (not “Any” services)
The Firebox always examines the highest precedence service first. If it does not agree, it examines the subsequent service, and continues to examine services until one matches. If the Firebox finds no service match, it denies the packet.
For example, there are two Telnet icons:
• telnet_1 lets traffic go from A to B.
• telnet_2 lets traffic go from C to D.
When the Firebox receives a Telnet packet from C with a destination of E, first it examines the telnet_1 service rule. Then it examines the telnet_2 service rule. Because this packet does not match telnet_1 or telnet_2, the Firebox denies the packet.
When only one icon shows a service, WatchGuard System Manager only examines that service. If the packet agrees with the service, and the source and destination, the service rule applies. If the packet agrees with the service, but does not agree on the source or destination, the packet is denied.
For example, if one Telnet icon lets traffic go from A to B, a Telnet try from A to C is blocked. System Manager does not examine the lower-precedence services for agreement, including outgoing services.
For more information on the outgoing services, refer to the FAQ: https://www.watchguard.com/support/advancedfaqs/svc_outgoing.asp
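The precedence rules above can be exercised with a small model. The following Python block is an added example, not WatchGuard code: it sorts several services of the same type (such as several Telnet icons) by precedence group and then by the From/To rank table, walks them in that order, and denies a packet that matches none, as in the telnet_1/telnet_2 example. The group and rank numbers come from the text; the host addresses standing in for A to E, the service names, and the function names are constructed for the example.

```python
"""Added example (not WatchGuard code) that models the service precedence
described above for several services of the same type (for example several
Telnet icons). Each service has a From and a To target; a target is one host
IP ("IP"), several hosts, a network or an alias ("List"), or the special
"Any" target. Services sort by precedence group first, then by the From/To
rank table, and the first service that matches a packet decides. No match
means the packet is denied. The group numbers and rank table follow the text;
the host addresses and service names below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Sequence, Tuple, Union

ANY = "Any"

# Precedence groups from the text; lower sorts first.
GROUP = {"any": 0, "port": 1, "no_port": 2}

# From/To rank table from the text; rank 0 is examined first.
RANK = {
    ("IP", "IP"): 0, ("List", "IP"): 1, ("IP", "List"): 2, ("List", "List"): 3,
    ("Any", "IP"): 4, ("IP", "Any"): 5, ("Any", "List"): 6, ("List", "Any"): 7,
    ("Any", "Any"): 8,
}

Target = Union[str, Sequence[str]]  # "Any", "10.0.1.1", "10.0.2.0/24" or a list (alias)


def kind(target: Target) -> str:
    """Classify a target as IP, List or Any the way the rank table does."""
    if target == ANY:
        return "Any"
    if isinstance(target, str) and ipaddress.ip_network(target, strict=False).num_addresses == 1:
        return "IP"
    return "List"


def matches(target: Target, ip: str) -> bool:
    """True when ip is covered by the target (Any, one host, a network or a list)."""
    if target == ANY:
        return True
    nets = [target] if isinstance(target, str) else list(target)
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


@dataclass
class Service:
    name: str
    group: str      # "any", "port" or "no_port"
    src: Target     # From
    dst: Target     # To
    action: str = "allow"

    def key(self) -> Tuple[int, int]:
        return GROUP[self.group], RANK[(kind(self.src), kind(self.dst))]


def precedence_order(services):
    """Service names in the order the Firebox examines them."""
    return [s.name for s in sorted(services, key=Service.key)]


def decide(services, src_ip: str, dst_ip: str):
    """(service name, action) of the first matching service, or (None, 'deny')."""
    for svc in sorted(services, key=Service.key):
        if matches(svc.src, src_ip) and matches(svc.dst, dst_ip):
            return svc.name, svc.action
    return None, "deny"


# Constructed hosts standing in for A..E in the text's Telnet example.
A, B, C, D, E = "10.0.1.1", "10.0.2.1", "10.0.1.2", "10.0.2.2", "10.0.2.3"
TELNET = [
    Service("telnet_2", "port", C, D),
    Service("telnet_1", "port", A, B),
    Service("telnet_staff", "port", ["10.0.1.0/24"], ANY),  # an alias as From
]

if __name__ == "__main__":
    print(precedence_order(TELNET))   # rank-0 services before the List/Any one (rank 7)
    print(decide(TELNET[:2], C, E))   # (None, 'deny'): neither telnet_1 nor telnet_2 matches
    print(decide(TELNET, C, E))       # matched by telnet_staff through the alias
```

Two services with the same From/To kinds get the same rank, and the model keeps them in configuration order; the text does not say how the Firebox breaks that tie, so do not rely on it when two equally specific services overlap.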
CHAPTER 9
Configuring Proxied Services
A packet filter examines each packet header. If the packet header information matches the rule criteria, then the firewall allows the packet. A proxy examines each packet header and the content of each packet. If the content does not match the rule criteria you set, the Firebox denies the packet.
A proxy operates at the application layer, while a packet filter operates at the network layer and transport layer. When you enable a proxy, the Firebox:
• Removes all the network data
• Examines the contents for RFC data and content type matches.
• Adds the network data again
• Sends the packet to its initial destination
A proxy uses more resources and bandwidth than a packet filter. But, a proxy can catch dangerous content types that a packet filter cannot.
For example, an e-mail proxy examines the header and the content of the SMTP packets. A software application in the content could be a virus. You can set the software applications and content types the e-mail proxy allows and which it denies. This is not possible with a packet filter.
For more information on proxies, refer to the FAQ: https://www.watchguard.com/support/advancedfaqs/proxy_main.asp
Protocol Anomaly Detection
Protocol anomaly detection (PAD) is a strong technology for the protection of your network. In network security, a protocol anomaly is data, content, or network traffic that is different from usual. It includes the network traffic that does not obey RFC requirements. As the network protocols are frequently fully specified, you can make a good model of the possible packets and record the packets that are different.
You can also automatically add to the Blocked Sites list the source IP address of a computer that sends a packet with an anomaly.
You can set the rules the Firebox uses to identify protocol anomalies. Protocol anomaly detection is available for the most frequently used traffic types such as: SMTP, FTP, HTTP, and DNS. Use a proxy to enable PAD.
Customizing Logging and Notification for Proxies
You can use the same procedure to customize the log and notification properties for a proxy as you do for a packet filter. For more information, refer to “Customizing logging and notification” on page 87.
From the Properties dialog box:
1 Click the Incoming tab.
2 Click Logging.
The Logging and Notification dialog box appears. Refer to the figure that follows:
3 Change the log and notification properties.
Configuring an SMTP Proxy Service
The SMTP Proxy protects you against dangerous content in e-mail messages. The proxy examines the Content-Type and Content-Disposition headers of each part of a message and compares them with a user-specified list of disallowed content types. The proxy removes a disallowed attachment from the e-mail message and sends the rest of the message to its initial destination.
The proxy can also set a limit on how large a message can be and on the number of recipient addresses in the message. The Firebox then stops e-mail that exceeds these limits.
The SMTP proxy also automatically removes some commands, for example, DEBUG.
These are the SMTP keywords that you can enable: DATA, RCPT, QUIT, HELO, VRFY, EXPN, HELP, RSET, ONEX, NOOP, QSND.
Here are the ESMTP keywords you can enable: AUTH, BDAT, CHUNKING, EHLO, BINARYMIME, 8BITMIME, ETRN, SIZE.
Note that VRFY and EXPN let a remote client confirm user names and expand mailing lists, which is useful to an attacker who is mapping your accounts. Enable them only if something depends on them.
For more information on the SMTP proxy, refer to the FAQ: https://www.watchguard.com/support/advancedfaqs/proxy_smtp.asp
Configuring Incoming SMTP Proxy
Use the Incoming SMTP Proxy dialog box to set the incoming properties of the SMTP Proxy. You must have an SMTP Proxy icon in the Services Arena.
For information on how to add a service, refer to Chapter 8, “Configuring a Service.”
From Services Arena:
1 From the Services Arena of the Policy Manager, double-click the SMTP Proxy icon to open SMTP Properties.
2 Click the Properties tab.
3 Click Incoming .
4 Type the Idle Timeout.
Use this to set the length of time an incoming SMTP connection can stay idle before the connection times out. The default value is 600 seconds (10 minutes). For no time-out, set this to 0.
5 Type the Maximum Recipients.
Use this to set the maximum number of e-mail recipients to which a message can be sent. The Firebox counts and allows the specified number of addresses through, and then drops the remaining addresses.
For example, if you use the default value of 50 and a message is addressed to 52 recipients, the first 50 addresses get the e-mail message. The last two addresses do not get a copy. A distribution list appears as one SMTP e-mail address (for example, [email protected]), so the Firebox counts it as one address.
You can use this feature to decrease spam because spam usually has a large recipient list. Be careful when you lower this value, because you can also deny legitimate e-mail.
6 Set the Maximum Size.
Use this to set the maximum size of an incoming SMTP message. Note that most e-mail is sent as 7-bit ASCII text, with the exceptions of Binary MIME and 8-bit MIME. 8-bit content (for example, MIME attachments) is encoded with standard algorithms (Base64 or quoted-printable encoding) so that it can be sent over 7-bit e-mail systems.
Base64 encoding increases the size of an encoded file by one-third (four output characters for every three input bytes), and the line breaks and headers that the mailer adds push the total slightly higher. Therefore, if you want to allow attachments of up to 1000 KB, set this field to at least 1334 KB, with some margin above that, to make sure all mail gets through.
7 Set the Line Length.
Use this to set the maximum length of a line in an SMTP message. Very long lines can cause overflow conditions on some mail systems. Most e-mail clients and systems send relatively short lines, but some web-based e-mail services send very long lines.
8 Type the Welcome Message.
Type a welcome message. This is displayed in the log file to show that the SMTP proxy service is working.
9 Select whether to enable SpamScreen in this proxy.
10 Select whether to use RBLs (Realtime Blackhole Lists) to determine spam classification.
A Realtime Blackhole List (RBL) is a DNS zone that lists IP addresses thought to be a source of spam, a spam relay, or an Internet Service Provider that allows or supports spam. If the message comes from an address on an RBL, the Firebox identifies the message as spam.
11 Select whether to use spam rules to determine spam classification.
You can configure SpamScreen to use rules about mail header information to identify spam. The Firebox examines the e-mail message and estimates the probability that it is spam. Each rule has a weight. The Firebox adds the weights of all the rules that match and gives the message a score. If the total Spam Weight is larger than a limit you set, the Firebox identifies the message as spam. The Firebox only examines the e-mail message header; it does not examine the content of the message. A message header is the component of an e-mail that includes the subject, date, sender, and recipient. Each header has a title followed by a ":" and then a value. For example, you can find the date a message is sent in the "Date:" header. The message headers appear at the top of a message. SpamScreen rules are special expressions that examine e-mail headers for pattern matches. See the SpamScreen Guide for more information.
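The checks in steps 5 to 11 above, as an added example in Python (it is not WatchGuard's code and does not reproduce SpamScreen's rule language). The RBL zone rbl.example and its answer table, the four header rules and their weights, the Spam Weight limit of 10, and the sample message are all constructed for the example; the base64 size helper assumes MIME's 76-character lines ended by CRLF, which is why its answer for a 1000 KB attachment comes out above the 1334 KB worked out in step 6:

```python
"""Model of the incoming SMTP proxy checks (recipient cap, size limit,
RBL lookup, weighted header rules). Added example, not Firebox code."""
import email
import math
import re
from email.message import Message

MAX_RECIPIENTS = 50       # step 5 default
MAX_SIZE_KB = 1334        # the value worked out in step 6
SPAM_LIMIT = 10           # assumed Spam Weight limit
RBL_ZONE = "rbl.example"  # assumed list zone


def cap_recipients(recipients: list, limit: int = MAX_RECIPIENTS) -> tuple:
    """The first `limit` RCPT addresses are delivered, the rest dropped.
    A distribution list is a single SMTP address, so it counts once."""
    return recipients[:limit], recipients[limit:]


def base64_wire_size(raw_bytes: int) -> int:
    """Octets a base64 attachment of raw_bytes occupies on the wire: the
    4/3 inflation plus CRLF after every 76 characters (assumed MIME line
    wrapping), which the one-third rule of thumb does not count."""
    encoded = 4 * math.ceil(raw_bytes / 3)
    return encoded + 2 * math.ceil(encoded / 76)


def minimum_size_limit_kb(attachment_kb: int) -> int:
    """Smallest Maximum Size (KB) that still passes an attachment of
    attachment_kb once encoding overhead is counted."""
    return math.ceil(base64_wire_size(attachment_kb * 1024) / 1024)


def rbl_query_name(ip: str, zone: str = RBL_ZONE) -> str:
    """An RBL is queried by reversing the octets of the client address
    under the list zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + "." + zone


# Constructed stand-in for the answers a real RBL name server would give.
FAKE_DNS = {"4.3.2.1.rbl.example": "127.0.0.2"}


def listed_on_rbl(ip: str, resolve=FAKE_DNS.get) -> bool:
    """By convention a listed address answers with an A record in 127/8."""
    answer = resolve(rbl_query_name(ip))
    return answer is not None and answer.startswith("127.")


# Assumed header rules: (header, pattern, weight). Only headers are read.
HEADER_RULES = [
    ("Subject", re.compile(r"(?i)\b(viagra|free money)\b"), 6),
    ("Subject", re.compile(r"[!$]{3,}"), 3),
    ("From", re.compile(r"@\d{1,3}(\.\d{1,3}){3}>?$"), 4),  # sender domain is a bare IP
    ("Received", re.compile(r"\bunknown\b"), 2),
]


def spam_score(msg: Message, rules=HEADER_RULES) -> int:
    """Sum the weights of every rule that matches one of its header values."""
    score = 0
    for header, pattern, weight in rules:
        if any(pattern.search(v) for v in msg.get_all(header, [])):
            score += weight
    return score


def check_incoming(raw: str, client_ip: str, recipients: list) -> dict:
    """Apply all four checks to one message and return the verdicts."""
    msg = email.message_from_string(raw)
    delivered, dropped = cap_recipients(recipients)
    score = spam_score(msg)
    on_rbl = listed_on_rbl(client_ip)
    return {
        "too_large": len(raw.encode()) > MAX_SIZE_KB * 1024,
        "delivered": delivered,
        "dropped": dropped,
        "on_rbl": on_rbl,
        "score": score,
        "spam": on_rbl or score > SPAM_LIMIT,
    }


# Constructed sample message from a constructed client address.
SAMPLE = """\
Received: from unknown (HELO mail) (1.2.3.4)
From: Big Deals <deals@1.2.3.4>
To: someone@example.com
Subject: FREE MONEY!!! act now
Date: Mon, 01 Jan 2007 10:00:00 +0000

See offer.
"""
```

Running check_incoming(SAMPLE, "1.2.3.4", recipients) with 52 recipients delivers the first 50, flags the client through the RBL, and scores the headers at 15, above the assumed limit; minimum_size_limit_kb(1000) returns 1369, which is the margin the note in step 6 refers to.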
Configuring ESMTP
ESMTP (Extended Simple Mail Transfer Protocol) extends SMTP with enhanced delivery methods. On the ESMTP tab of the Incoming SMTP Proxy you can set the ESMTP extensions (keywords) and AUTH types that the proxy allows. The AUTH types are the authentication methods that the SMTP server can offer to clients.
1 From the Incoming SMTP Proxy Properties dialog box, click the ESMTP tab.
The ESMTP information appears.
2 Select the check boxes to enable the necessary extensions.
3 Type the AUTH types in the text box. Click Add.
The proxy passes all the AUTH types in this list. The default AUTH types are DIGEST-MD5, CRAM-MD5, PLAIN, and LOGIN. Do not type ESMTP keywords in this text box; it is only for AUTH types. Note that PLAIN and LOGIN send the password without protection unless the session is already encrypted, so remove them if your clients can use the challenge-response types.
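How a proxy enforces these keyword and AUTH lists on the wire, as an added example (not Firebox code): it rewrites the server's EHLO reply so that clients only see allowed extensions and mechanisms, and refuses client commands that are not enabled. The site policy (MAIL always on; VRFY, EXPN, ETRN and PLAIN turned off) and the sample EHLO reply are assumptions made for the example:

```python
"""EHLO reply filtering and command allow-listing for an SMTP proxy.
Added example; the keyword sets are the ones listed in the guide."""

SMTP_KEYWORDS = {"DATA", "RCPT", "QUIT", "HELO", "VRFY", "EXPN", "HELP",
                 "RSET", "ONEX", "NOOP", "QSND"}
ESMTP_KEYWORDS = {"AUTH", "BDAT", "CHUNKING", "EHLO", "BINARYMIME",
                  "8BITMIME", "ETRN", "SIZE"}
DEFAULT_AUTH_TYPES = {"DIGEST-MD5", "CRAM-MD5", "PLAIN", "LOGIN"}

# Assumed site policy. MAIL is not in the guide's list; a transaction
# cannot start without it, so it is treated as always enabled.
ENABLED_COMMANDS = (SMTP_KEYWORDS | ESMTP_KEYWORDS | {"MAIL"}) - {"VRFY", "EXPN", "ETRN"}
ENABLED_AUTH = DEFAULT_AUTH_TYPES - {"PLAIN"}


def filter_ehlo_response(lines: list, allowed=ENABLED_COMMANDS, auth=ENABLED_AUTH) -> list:
    """Rewrite the server's multi-line 250 reply so the client only sees
    extensions and AUTH mechanisms the proxy allows. The first line is the
    greeting (host name) and always passes; every other line names an
    extension, or AUTH followed by mechanism names."""
    if not lines or not lines[0].startswith("250"):
        raise ValueError("not an EHLO success reply")
    kept = [lines[0][4:]]
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError(f"unexpected reply line: {line!r}")
        keyword, _, args = line[4:].partition(" ")
        kw = keyword.upper()
        if kw == "AUTH":
            mechanisms = [m for m in args.split() if m.upper() in auth]
            if mechanisms:
                kept.append("AUTH " + " ".join(mechanisms))
        elif kw in allowed:
            kept.append(line[4:])
    # Re-mark continuation: every line but the last is "250-", the last "250 ".
    return [f"250-{text}" for text in kept[:-1]] + [f"250 {kept[-1]}"]


def command_permitted(line: str, allowed=ENABLED_COMMANDS, auth=ENABLED_AUTH) -> bool:
    """True if the proxy passes this client command line to the server.
    Commands not in the enabled set (DEBUG, VRFY, ...) are refused, and
    AUTH is refused unless the mechanism is on the AUTH list."""
    parts = line.strip().split()
    if not parts:
        return False
    verb = parts[0].upper()
    if verb == "AUTH":
        return len(parts) > 1 and parts[1].upper() in auth
    return verb in allowed


# Constructed reply from an internal mail server to the proxy's EHLO.
SAMPLE_EHLO_REPLY = [
    "250-mail.example.com Hello client [203.0.113.7]",
    "250-SIZE 10240000",
    "250-8BITMIME",
    "250-ETRN",
    "250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5",
    "250-XEXCH50",
    "250 CHUNKING",
]
```

On the sample reply the proxy drops ETRN, the vendor extension XEXCH50 and the PLAIN mechanism, and moves the "250 " end marker to the last surviving line so the reply stays well formed.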
Blocking e-mail attachments
There are two methods you can use to block e-mail attachments:
• Only let safe content types through
• Deny specified file name patterns
You can use the two methods at the same time.
Allowing safe content types
Multipurpose Internet Mail Extensions (MIME) give the parameters for how e-mail or HTML sends audio, video, and graphics content. The MIME format attaches a header to the content. The header identifies the type of content that is in an e-mail or on a Web site.
For example, a MIME type of "application/zip" in an e-mail message shows that the e-mail contains a Zip file. The Firebox can read the MIME header of each part of an incoming e-mail, remove specified MIME types, and let others through. You set the types of attachments that are let through and the ones that are denied in the HTTP and SMTP Proxies of the Firebox.
From Incoming SMTP Proxy Properties :
1 Click the Content Types tab.
2 Select the Allow only safe content types and block file patterns check box to block specified file name patterns in e-mail attachments.
3 Click the top Add button to give the approved content types.
Select MIME Type appears. Refer to the figure that follows:
4 Select a MIME type. Click OK .
5 To add a new MIME type, click New Type . Type the MIME type and information. Click OK .
The new MIME type appears at the bottom of the Content Types drop-down list. Do this for each content type. For a list of MIME content types, refer to the Reference Guide.
You can use the special characters as follows:
To allow content types: an asterisk (*) matches any string, including an empty string (for example, text/* matches all text types).
To deny file name patterns: an asterisk (*) matches any string, including an empty string, and a question mark (?) matches a single character (for example, *.vb? matches names that end in .vbs or .vbe).
Denying attachments based on file name patterns
The Content Types tab includes a list of file name patterns that the Firebox denies if they appear in e-mail attachments. To add a file name pattern to the list, type a new pattern in the text box on the left side of the Add button. Click Add.
Note that if a specified attachment is denied, protocol anomaly detection (PAD) rules do not auto-
Specifying a denied message
In the Content Types tab, you can type a message to show when a content type is denied. This message shows to the recipient only and not the sender. A default message appears.
Use %t to add the content type to the message.
Use %f to add the file name pattern to the message.
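The two attachment controls and the %t/%f denial message, worked through as an added Python example that uses the standard email package (it is not the Firebox implementation). The allow list, the denied file name patterns, the denial text and the three-attachment sample message are constructed; the third attachment is a .vbs script that claims to be application/pdf, which the content-type check alone would let through:

```python
"""Attachment filtering by safe content type and denied file name pattern,
with the denied-message substitution. Added example, not Firebox code."""
import re
from email.message import EmailMessage

ALLOWED_TYPES = ["text/*", "image/gif", "image/jpeg", "application/pdf"]  # assumed allow list
DENIED_NAMES = ["*.exe", "*.scr", "*.pif", "*.vb?"]                          # assumed deny list
DENIED_TEXT = "An attachment of type %t was removed because it matched %f."  # assumed message


def glob_to_regex(pattern: str, question_mark: bool) -> "re.Pattern":
    """'*' matches any string including the empty one. '?' matches one
    character only in file name patterns; in content type patterns it is
    literal, which is what the two tables above describe."""
    out = ""
    for ch in pattern:
        if ch == "*":
            out += ".*"
        elif ch == "?" and question_mark:
            out += "."
        else:
            out += re.escape(ch)
    return re.compile(f"^{out}$", re.IGNORECASE)


def content_type_allowed(ctype: str, allowed=ALLOWED_TYPES) -> bool:
    return any(glob_to_regex(p, False).match(ctype) for p in allowed)


def denied_name_pattern(filename: str, denied=DENIED_NAMES):
    """Return the first denied pattern the file name matches, else None."""
    for p in denied:
        if glob_to_regex(p, True).match(filename):
            return p
    return None


def filter_message(msg: EmailMessage) -> list:
    """Replace every disallowed part with a text/plain notice in place.
    Returns [(content_type, file_name, matched_pattern_or_None), ...]
    for the parts that were removed."""
    stripped = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        fname = part.get_filename() or ""
        pattern = denied_name_pattern(fname) if fname else None
        if pattern is None and content_type_allowed(ctype):
            continue
        stripped.append((ctype, fname, pattern))
        notice = DENIED_TEXT.replace("%t", ctype).replace("%f", pattern or fname)
        part.set_content(notice)   # drops the old Content-* headers and body
    return stripped


def build_sample() -> EmailMessage:
    """Constructed message: one legitimate PDF, one .exe, and a .vbs
    script that mislabels itself as application/pdf."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    msg.add_attachment(b"MsgBox 1", maintype="application",
                       subtype="pdf", filename="invoice.vbs")
    return msg
```

The file name check runs regardless of the declared content type, which is why the mislabeled .vbs is caught even though application/pdf is on the allow list.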
Adding address patterns
You can add an address pattern to decrease spam.
From Incoming SMTP Proxy Properties :
1 Click the Address Patterns tab.
2 From the Category drop-down list, select a category.
3 Type the address pattern in the text box on the left side of the Add button.
4 Click Add .
The address pattern appears at the bottom of the pattern list.
Protecting mail servers against relaying
An attacker or spammer can try to use your mail server as an open relay to send e-mail to third parties. To prevent this, restrict the destination addresses to your own domain. This closes the open relay on your e-mail servers.
To add this protection, change the SMTP Proxy configuration so that it only lets through recipient addresses in your domain.
From Incoming SMTP Proxy Properties :
1 Click the Address Patterns tab.
2 From the Category drop-down list, select Allowed To.
3 In the text box on the left side of the Add button, type your domain.
4 Click Add .
5 Save the new configuration to the Firebox.
Note
If your external users send e-mail through your server, they can only send e-mail to your domain.
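The recipient check behind the Allowed To pattern, as an added example (not Firebox code). Besides the domain match it rejects the address forms that a tester uses to relay through a server that only looks at the text after the last @: source routes (@relay:user@target), the percent hack (user%target@yourdomain), UUCP bang paths and address literals. The Allowed To entries and the addresses are constructed:

```python
"""RCPT TO validation against an Allowed To list, including the classic
relay tricks. Added example; the patterns and addresses are constructed."""
import re

ALLOWED_TO = ["example.com", "*.example.com"]   # assumed Allowed To entries

_RCPT = re.compile(r"^(?:RCPT\s+TO:\s*)?<?([^<>\s]*)>?\s*$", re.IGNORECASE)


def normalize_rcpt(arg: str) -> str:
    """Strip the RCPT TO:<...> syntax and return the bare address."""
    m = _RCPT.match(arg)
    if not m:
        raise ValueError(f"malformed RCPT argument: {arg!r}")
    return m.group(1)


def domain_allowed(domain: str, patterns=ALLOWED_TO) -> bool:
    """Exact match, or '*.suffix' for sub-domains of suffix. Case and a
    trailing dot are ignored so eve@EXAMPLE.COM. cannot slip past."""
    d = domain.lower().rstrip(".")
    for p in patterns:
        p = p.lower()
        if p.startswith("*."):
            if d.endswith(p[1:]):
                return True
        elif d == p:
            return True
    return False


def rcpt_allowed(rcpt_arg: str, patterns=ALLOWED_TO) -> tuple:
    """Return (allowed, reason) for one RCPT TO argument."""
    addr = normalize_rcpt(rcpt_arg)
    if addr.startswith("@"):
        return False, "source-routed address"          # @relay:user@target
    if addr.count("@") != 1:
        return False, "address must contain exactly one @"
    local, domain = addr.split("@")
    if not local or not domain:
        return False, "empty local part or domain"
    if any(c in local for c in "%!:,"):
        # RFC 822 allows % and ! in an atom, but older MTAs treated them
        # as routing (user%target@us, target!user), so refuse them here.
        return False, "routing character in local part"
    if domain.startswith("["):
        return False, "address literal not accepted"   # user@[192.0.2.10]
    if not domain_allowed(domain, patterns):
        return False, "domain not in Allowed To"
    return True, "ok"


# Constructed probes, the kind a relay test sends to an MX.
PROBES = [
    "RCPT TO:<alice@example.com>",
    "<bob@mail.example.com>",
    "<eve@victim.example.net>",
    "<@example.com:eve@victim.example.net>",
    "<eve%victim.example.net@example.com>",
    "<victim.example.net!eve@example.com>",
    "<alice@[192.0.2.10]>",
    "<alice@EXAMPLE.COM.>",
]
```

Only the first two and the last probe are accepted; each of the others is refused with a reason that names the trick, which is what you want to see in the proxy log when someone runs a relay test against your MX.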
Select headers to allow
The Firebox allows a set of specified headers by default. There is a list on the Headers tab of Incoming SMTP Proxy Properties. You can add more headers to this list, or remove headers from the list. From Incoming SMTP Proxy Properties:
1 Click the Headers tab.
The headers information appears. Refer to the figure that follows:
2 To add a new header, type the header name in the box on the left side of the Add button. Click Add .
The new header appears at the bottom of the header list.
3 To remove a header, select the header name in header list. Click Remove .
Setting RFC compliance for the SMTP Proxy
You can configure the SMTP proxy to require adherence to RFC 822 and RFC 2231. You can specify compliance with specific features of these RFCs on the RFC Compliance tab.
To set address validation (RFC 822) and allow extended foreign alphabet support (RFC 2231):
1 Click the RFC Compliance tab.
2 To allow special characters in e-mail addresses, type the characters in this field. Do not add characters that older mail systems interpret as routing, such as % and !, because they can be used to relay mail through your server.
3 To allow addresses to use 8-bit characters, which are required for some languages that cannot be represented in ASCII text, select the Allow 8-bit characters check box.
4 To allow source-routed addresses, select the Allow Source-Routed Addresses check box.
Legitimate traffic that uses source-routed addresses is unlikely. In most cases, you should not enable this option.
5 To allow MIME encoding of extended alphabets as defined in RFC 2231, select the Enable RFC-2231 based parsing check box.
RFC 2231 specifies a method for MIME handling of some extended language character sets that are not properly handled by standard SMTP e-mail. See the RFC for more information.
Specifying logging for the SMTP proxy
Click the Logging tab.
Select to log:
• Unknown headers that the proxy filters.
• Unknown ESMTP extensions that the proxy filters.
• Accounting and auditing information.
Enabling protocol anomaly detection for SMTP
For more information on PAD, refer to “Protocol Anomaly Detection” on page 91.
1 From SMTP Properties , click the Properties tab.
The SMTP Properties dialog box appears. Refer to the figure that follows:
2 Select the Enable auto-blocking of sites using protocol anomaly detection check box.
3 To set the rules for PAD, click Auto-blocking Rules .
The PAD Rules dialog box for SMTP Proxy appears. Refer to the figure that follows:
4 In the top box, select the rules. When a site sends a packet that matches a selected rule, the Firebox automatically adds the site to the auto-blocked sites list.
5 The box that follows has the denied content types that are in the Content Types tab. Refer to "Allowing safe content types" on page 95. PAD rules start with none of these content types enabled by default. To enable PAD for a content type, select the adjacent check box.
To select or clear a contiguous group of content types, select the first type, press and hold the Shift key, and select the last type. Then select one of the types between the two selections. To select or clear content types that are not adjacent, press Ctrl and select each type that is necessary.
6 The box that follows has the list of the denied extension types that are listed on the Content Types tab. Refer to "Allowing safe content types" on page 95. PAD rules start with none of these extension types enabled by default. To enable PAD for an extension type, select the adjacent check box.
Configuring the Outgoing SMTP Proxy
Use Outgoing SMTP Proxy to set the properties for outgoing traffic. To do this, you must have an icon for the SMTP Proxy service in Services Arena.
1 Double-click the SMTP proxy icon to open the Properties dialog box. Click the Properties tab.
2 Click Outgoing .
The Outgoing SMTP Proxy dialog box appears.
3 To add a new header pattern, type the pattern name in the box on the left side of the Add button. Click Add.
4 To remove a header from the pattern list, select header pattern. Click Remove .
5 In the Idle text box, type a time-out value in seconds.
6 Click the Logging tab to change the log properties. The options can help you to troubleshoot problems with your e-mail security.
Note
If you send a large volume of e-mail, you can set outgoing to Disabled. The outgoing SMTP proxy is a filter for outgoing e-mail, and disabling it reduces the load on the Firebox, but outgoing mail then leaves without the masquerading and header checks described here.
Add masquerading options
SMTP masquerading changes an address pattern behind the firewall into a public address. For example, the internal address pattern can be inside.salesdept.bigcompany.com, which becomes the public address bigcompany.com. This hides internal host names from recipients outside the firewall.
1 Click the Masquerading tab.
The SMTP masquerading information appears.
2 In the Domain Name text box, type the domain name.
This is the external name.
3 In the Substitute the above for these address patterns text box (on the left side of the Add button), type the address patterns that are behind your firewall. These will be replaced by the external domain name. Click Add .
4 In the Don’t Substitute for these address patterns text box (on the left side of the Add button), type the address patterns that will appear “as is” external to the firewall. Click Add .
5 Select the Masquerade Message IDs check box to change the Message-ID. The Message-ID and Resent-Message-ID headers change to a new ID. This is an encoded version of the initial ID, the time, and the domain name.
6 Select the Masquerade MIME boundary strings check box to change the MIME boundary strings in the messages and attachments. The firewall changes them to strings that do not show internal host names or other information that can identify the sender.
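The outgoing masquerading options as an added example (not Firebox code): address rewriting with the substitute and don't-substitute patterns, an opaque Message-ID and fresh MIME boundaries. The domain, the patterns, the set of headers that are rewritten, the sample message and the Message-ID encoding (base64url of the original ID, a timestamp and the domain; the guide describes the encoding only in outline) are all assumptions made for the example:

```python
"""Outgoing SMTP masquerading: address patterns, Message-ID and MIME
boundary rewriting. Added example, not the Firebox implementation."""
import base64
import email
import re
import secrets
import time

PUBLIC_DOMAIN = "bigcompany.com"
SUBSTITUTE = ["*.salesdept.bigcompany.com", "*.bigcompany.com"]   # assumed Substitute patterns
DONT_SUBSTITUTE = ["*.partners.bigcompany.com"]                    # assumed Don't Substitute patterns
ADDRESS_HEADERS = ("From", "Sender", "Reply-To")                   # assumed set of rewritten headers
ADDR = re.compile(r"([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+)")


def _glob(pattern: str) -> "re.Pattern":
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$", re.IGNORECASE)


def masquerade_domain(domain: str) -> str:
    """Exemptions win over substitutions; anything else is left alone."""
    if any(_glob(p).match(domain) for p in DONT_SUBSTITUTE):
        return domain
    if any(_glob(p).match(domain) for p in SUBSTITUTE):
        return PUBLIC_DOMAIN
    return domain


def masquerade_addresses(value: str) -> str:
    """Rewrite every address in a header value; display names stay."""
    return ADDR.sub(lambda m: f"{m.group(1)}@{masquerade_domain(m.group(2))}", value)


def masquerade_message_id(original: str, now: int = None) -> str:
    """Opaque replacement carrying the original ID, a timestamp and the
    public domain. Assumed encoding: base64url, padding stripped."""
    stamp = int(time.time() if now is None else now)
    token = base64.urlsafe_b64encode(
        f"{original}|{stamp}|{PUBLIC_DOMAIN}".encode()).decode().rstrip("=")
    return f"<{token}@{PUBLIC_DOMAIN}>"


def masquerade_boundaries(raw: str) -> str:
    """Replace every boundary string (header and delimiter lines alike)
    with a random value that names no host. Valid MIME guarantees the
    boundary does not occur inside the parts, so a plain replace is safe."""
    for boundary in set(re.findall(r'boundary="?([^";\s]+)"?', raw, re.IGNORECASE)):
        raw = raw.replace(boundary, "=_" + secrets.token_hex(12))
    return raw


def masquerade(raw: str, now: int = None) -> str:
    """Apply all three options to one outgoing message and return it."""
    msg = email.message_from_string(raw)
    for header in ADDRESS_HEADERS:
        values = msg.get_all(header, [])
        if values:
            del msg[header]
            for value in values:
                msg[header] = masquerade_addresses(value)
    for header in ("Message-ID", "Resent-Message-ID"):
        if msg[header]:
            msg.replace_header(header, masquerade_message_id(msg[header], now))
    return masquerade_boundaries(msg.as_string())


def get_header(raw: str, name: str) -> str:
    """Convenience for inspecting a result without touching the parser."""
    return email.message_from_string(raw)[name]


# Constructed message as an internal host would hand it to the proxy.
SAMPLE = """\
From: Alice Sales <alice@pc17.inside.salesdept.bigcompany.com>
Sender: mailer@relay.bigcompany.com
Reply-To: sales@lists.partners.bigcompany.com
To: Bob <bob@example.net>
Subject: Quote
Message-ID: <20070101.12345@pc17.inside.salesdept.bigcompany.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_7_pc17.inside.salesdept.bigcompany.com"

------=_Part_7_pc17.inside.salesdept.bigcompany.com
Content-Type: text/plain

Hello Bob
------=_Part_7_pc17.inside.salesdept.bigcompany.com--
"""
```

After masquerade(SAMPLE) the internal host pc17.inside.salesdept.bigcompany.com appears nowhere in the output: not in From or Sender, not in the Message-ID, and not in the boundary, while the exempted partners address is passed through unchanged.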
Configuring an FTP Proxy Service
The FTP Proxy controls file transfers between your network and computers on other networks. With FTP, users can list directories and copy data. If not set up correctly, the FTP Proxy can let an attacker get access to your network and to important information, including your passwords and configuration data.
Outbound FTP traffic can also be dangerous. It lets the users on your network copy data to a location outside your firewall. Thus, it is important to set limits on the FTP Proxy.
Try to isolate incoming FTP servers to one host on your optional interface or on one of the less trusted ports. Make sure that you also protect your trusted network from FTP requests from other networks. The FTP Proxy has special features that give more control over the traffic that goes through your firewall.
For more information about the FTP Proxy, refer to the FAQ: https://www.watchguard.com/support/advancedfaqs/proxy_ftp.asp
For troubleshooting information for the FTP proxy, refer to the FAQ: https://www.watchguard.com/support/advancedfaqs/proxy_ftptrouble.asp
From Policy Manager:
1 To add the FTP Proxy, click the Add Service button. Expand the Proxy services and double-click the FTP Proxy icon.
2 Click the Properties tab. Click Settings .
The Settings information appears. Refer to the figure that follows.
3 Select the necessary FTP Proxy properties.
To see the function of each control, right-click it, and then select What’s This? Also, refer to the “Field Definitions” chapter in the Reference Guide.
Note that the Make Incoming FTP Connections Read Only check box is selected by default. You must clear this check box to accept uploaded files.
4 Click OK .
Enabling protocol anomaly detection for FTP
For a description of PAD, refer to “Protocol Anomaly Detection” on page 91.
From FTP Properties :
1 Click the Properties tab.
2 Select the Enable auto-blocking of sites using protocol anomaly detection check box.
3 To set PAD rules, click the Auto-blocking Rules button.
The PAD Rules dialog box for FTP Proxy appears.
4 Select the rules. When a host sends a packet that matches a selected rule, the Firebox automatically adds the host to the auto-blocked sites list.
Selecting an HTTP Service
HTTP traffic is a security risk. Restrict the incoming service as much as possible. Set up public Web servers and allow incoming HTTP traffic only on the optional interface or on one of the less trusted ports of the Firebox. You can open outbound HTTP traffic from Any to Any.
WatchGuard System Manager has three types of HTTP service:
• Proxied-HTTP puts together two policies. It includes HTTP on port 80 and a rule that lets all outgoing TCP connections go through the Firebox. You can configure the log properties, safe content types, and WebBlocker from this service.
This service passes all outgoing TCP connections, including non-HTTP traffic. Use the HTTP Proxy instead if you are not sure that this is best for you.
• HTTP is almost the same as Proxied-HTTP, but it controls only the incoming and outgoing traffic on port 80.
Note
This “HTTP” service is not an HTTP caching proxy. An HTTP caching proxy is a different system that caches Web data.
• Filtered-HTTP puts together HTTP on port 80 with a rule that lets all outgoing TCP connections go through.
This packet filter service is much faster than Proxied-HTTP or HTTP, but it does not give the same protection. The features of Proxied-HTTP are also not available for this service.
Adding a proxy service for HTTP
You can use the HTTP Proxy when you configure your Web traffic. You can combine the HTTP Proxy with an outgoing proxy service that you configure as Any to Any. The HTTP Proxy gives you easy control of Web traffic.
To set the content to let through the firewall, from Policy Manager:
1 Click the Add Service icon. Expand the Proxies folder, double-click HTTP , and then click OK .
The HTTP Properties appear. The default configuration is to deny incoming traffic and let outgoing traffic through from Any to Any.
2 From the Incoming HTTP connections are drop-down list, select Enabled and Allowed .
3 Configure the service as required.
For example, you can configure the HTTP Proxy to let incoming traffic through from Any to the optional network or to a less trusted port. Click the Add button below the To list. In Add Address , add the optional Firebox group. Click OK .
4 Click the Properties tab. Click Settings .
5 On the Settings tab, enable the necessary HTTP Proxy properties.
6 If you use the HTTP Proxy and also use WebBlocker, refer to Chapter 16, "Controlling Web Site Access."
To see the function of each control, right-click it, and then select What’s This? Or, refer to the Field Definitions chapter in the Reference Guide.
For more information on the HTTP proxy, refer to the online support at http://www.watchguard.com/support
Restricting content types for the HTTP proxy
You can configure the HTTP Proxy to let through only those MIME types that you consider an acceptable security risk. On the Safe Content tab:
1 To limit the content types that can go through the HTTP Proxy, select the Allow only safe content types check box.
2 To select the content types to let through, click the top Add button in the dialog box.
Select MIME Type appears.
3 Select a MIME type. Click OK .
4 To make a new MIME type, click New Type.
Type the MIME type and the function. Click OK .
The new type appears at the bottom of the Content Types drop-down list. Do this for each content type. For a list of MIME content types, refer to the Reference Guide.
5 To block path patterns that you consider unsafe, type the path pattern on the left side of the Add button. Click Add.
The filter applies to the path and not to the host name. For example, for the URL www.testsite.com/login/here/index.html, you can add /login/ and /here/. You cannot add *testsite* to match the host.
Note
Zip files are denied when you block Java or ActiveX applets, because these applets are frequently packaged in ZIP files.
Configuring a caching proxy server
The HTTP Proxy on the Firebox does no content caching. Instead, the Firebox can forward requests to an external caching proxy server. Because your users often look at the same Web sites, a caching proxy server increases the speed of Web access and decreases the traffic volume on the external Internet connection. All Firebox proxy and WebBlocker rules continue to have the same effect. The Firebox connects to the caching proxy server in the same way a client does.
The Firebox changes the request line from the origin form, for example:
GET / HTTP/1.1
to the absolute form that a proxy expects:
GET http://www.mydomain.com/ HTTP/1.1
and sends it to the caching proxy server. The caching proxy server uses the host name in the request line to fetch the page from the Web server.
To set up an external caching proxy server:
1 Configure an external proxy server, such as Microsoft Proxy Server 2.0.
2 Open Policy Manager.
3 Double-click the icon for your HTTP proxy service.
This can be Proxy, HTTP, or Proxied-HTTP.
4 Click the Properties tab. Click the Settings button.
5 Select the Use Caching Proxy Server check box.
6 In the text boxes below the check box, type the IP address and TCP port of the caching proxy server.
Click OK .
7 Save this configuration to the Firebox.
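Two pieces of HTTP proxy behaviour from the sections above, as an added example (not Firebox code): the path-pattern check, which sees only the path and so can never match *testsite*, and the origin-form to absolute-form request rewrite that the Firebox performs for a caching proxy. The pattern list, the matching rule (a pattern matches anywhere in the path, with * as the only wildcard) and the sample request are assumptions:

```python
"""HTTP proxy helpers: denied path patterns and the absolute-form rewrite
for an upstream caching proxy. Added example, not the Firebox code."""
import re

DENIED_PATHS = ["/login/", "/here/", "*testsite*"]   # assumed entries; the last can never match a host


def _pattern(p: str) -> "re.Pattern":
    """'*' is the only wildcard; a pattern matches anywhere in the path."""
    return re.compile(".*" + re.escape(p).replace(r"\*", ".*") + ".*", re.IGNORECASE)


def path_of(target: str) -> str:
    """Path component of an origin-form (/a/b) or absolute-form
    (http://host/a/b) request target. The host is discarded."""
    if "://" in target:
        rest = target.split("://", 1)[1]
        return "/" + rest.split("/", 1)[1] if "/" in rest else "/"
    return target


def denied_path_pattern(target: str, patterns=DENIED_PATHS):
    """Return the first denied pattern that matches the path, else None."""
    path = path_of(target)
    for p in patterns:
        if _pattern(p).fullmatch(path):
            return p
    return None


def to_absolute_form(request: bytes) -> bytes:
    """Rewrite 'GET /path HTTP/1.1' plus its Host header into
    'GET http://host/path HTTP/1.1', the form a caching proxy needs to
    know which origin server to contact. Already-absolute targets pass."""
    head, sep, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].split(b" ")
    if target.startswith((b"http://", b"https://")):
        return request
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip()
            break
    if host is None:
        raise ValueError("no Host header; cannot build an absolute-form request")
    lines[0] = b" ".join((method, b"http://" + host + target, version))
    return b"\r\n".join(lines) + sep + body


# Constructed client request for the URL used in the text above.
SAMPLE_REQUEST = (b"GET /login/here/index.html HTTP/1.1\r\n"
                  b"Host: www.testsite.com\r\n"
                  b"User-Agent: example\r\n\r\n")
```

For SAMPLE_REQUEST the path check reports /login/ and the rewrite produces GET http://www.testsite.com/login/here/index.html HTTP/1.1; a request for http://www.testsite.com/index.html is not caught by *testsite* because only /index.html is compared.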
Configuring the DNS Proxy Service
With the Domain Name System (DNS) you can get access to a Web site with an easy "dot-com" name. DNS takes an Internet domain name (for example, WatchGuard.com) and changes it to an IP address.
There is no single primary DNS; instead, many name servers across the Internet share the work. You can run a DNS server with Berkeley Internet Name Domain (BIND).
Some versions of BIND can be attacked with a buffer overflow. This crashes the server and can let an attacker get access to your network.
One attack uses an error in the transaction signature (TSIG) code. When BIND gets a message with a transaction signature but a key it does not recognize, some parameters are not set. This can cause a buffer overflow, which the attacker can use to get access to your network.
Another attack uses the way BIND handles NXT (or next) records. An attacker can set the value of a key parameter to crash the server and get access to your network.
The DNS Proxy protects your DNS servers from the TSIG, NXT, and other DNS attacks.
For more information on the DNS proxy, refer to the FAQ: https://www.watchguard.com/support/advancedfaqs/proxy_main.asp
Note
Use this proxy only if you have a DNS server for public use.
Adding the DNS Proxy Service
The DNS Proxy protects your network best when you use it for both incoming and outgoing traffic. You can also set up the DNS Proxy to send a log record for each denied packet (incoming or outgoing).
You can use LogViewer to examine your log files. Look for entries that show a DNS attack. The entries show how much and from where you were attacked.
On the toolbar:
1 Click the Add Services icon.
2 Expand the Proxies folder.
A list of configured proxies appears.
3 Click DNS-Proxy . Click Add .
Add Service appears. You can change the name or the function of the DNS proxy.
4 Click OK to stop Add Service .
DNS-Proxy Properties appears.
5 Click the Incoming tab. From the Incoming DNS-Proxy connections are drop-down list, select Enabled and Allowed.
6 Click the Outgoing tab. From the Outgoing DNS-Proxy connections are drop-down list, select Enabled and Allowed.
7 Click OK to close the DNS Proxy Properties dialog box. Click Close.
The DNS-Proxy icon appears in the Services Arena.
Enabling protocol anomaly detection for DNS
For a description of PAD, refer to “Protocol Anomaly Detection” on page 91.
1 In the DNS Properties dialog box, click the Properties tab.
2 Select the Enable auto-blocking of sites using protocol anomaly detection check box.
3 To set PAD rules, click the Auto-blocking Rules button.
PAD Rules for DNS Proxy appears. Refer to the figure that follows:
4 By default, all rules are enabled. You can enable or clear the rules that find sites and automatically add them to the auto-blocked sites list.
To select or clear a contiguous group of rules, select the first rule, press Shift, and select the last rule. Then select one of the rules between the two selections. To select or clear rules that are not adjacent, press Ctrl and select each rule that is necessary.
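The kind of anomaly checks a DNS proxy applies before it forwards a packet, as an added example (not the Firebox's PAD rules): header sanity, label and name length limits, compression pointers that must point backwards (which also rules out pointer loops), RDLENGTH bounds, and an optional rule that rejects NXT records. The packets are constructed by hand inside the block:

```python
"""Protocol anomaly checks for DNS packets. Added example, not Firebox code."""
import struct

NXT = 30                      # RR type number of NXT (RFC 2535)
MAX_LABEL, MAX_NAME = 63, 255


class Anomaly(Exception):
    """Raised for any packet the proxy would refuse to forward."""


def read_name(pkt: bytes, offset: int) -> tuple:
    """Decode a possibly compressed name; return (name, next_offset).
    Rejects labels over 63 octets, names over 255, reserved label types,
    truncation, and pointers that do not point strictly backwards."""
    labels, total = [], 0
    while True:
        if offset >= len(pkt):
            raise Anomaly("name runs past end of packet")
        length = pkt[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if offset + 2 > len(pkt):
                raise Anomaly("truncated compression pointer")
            ptr = struct.unpack("!H", pkt[offset:offset + 2])[0] & 0x3FFF
            if ptr >= offset:
                raise Anomaly("compression pointer does not point backwards")
            tail, _ = read_name(pkt, ptr)
            return ".".join(s for s in (".".join(labels), tail) if s), offset + 2
        if length & 0xC0:
            raise Anomaly("reserved label type")
        if length > MAX_LABEL:
            raise Anomaly("label longer than 63 octets")
        if offset + 1 + length > len(pkt):
            raise Anomaly("label runs past end of packet")
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        total += length + 1
        if total > MAX_NAME:
            raise Anomaly("name longer than 255 octets")
        labels.append(pkt[offset:offset + length].decode("ascii", "replace"))
        offset += length


def check_packet(pkt: bytes, reject_nxt: bool = True) -> dict:
    """Walk header, question and every RR; raise Anomaly on the first
    violation, else return a summary of what was parsed."""
    if len(pkt) < 12:
        raise Anomaly("header shorter than 12 octets")
    tid, _flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    if qd != 1:
        raise Anomaly(f"expected exactly one question, got {qd}")
    off = 12
    qname, off = read_name(pkt, off)
    if off + 4 > len(pkt):
        raise Anomaly("truncated question")
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    if qclass != 1:
        raise Anomaly(f"unexpected class {qclass}")
    rr_types = []
    for _ in range(an + ns + ar):
        _, off = read_name(pkt, off)
        if off + 10 > len(pkt):
            raise Anomaly("truncated resource record")
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if off + rdlen > len(pkt):
            raise Anomaly("RDLENGTH runs past end of packet")
        if reject_nxt and rtype == NXT:
            raise Anomaly("NXT record rejected by PAD rule")
        rr_types.append(rtype)
        off += rdlen
    if off != len(pkt):
        raise Anomaly("trailing bytes after last record")
    return {"id": tid, "qname": qname, "qtype": qtype, "rr_types": rr_types}


def _name(s: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"


def _header(an=0, ns=0, ar=0, tid=0x1234, flags=0x8180) -> bytes:
    return struct.pack("!6H", tid, flags, 1, an, ns, ar)


# Constructed packets: a normal A answer, a name that points at itself,
# a 64-octet label, and an answer carrying an NXT record.
GOOD_RESPONSE = (_header(an=1) + _name("www.example.com") + struct.pack("!HH", 1, 1)
                 + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))
LOOPED_NAME = _header() + b"\xc0\x0c" + struct.pack("!HH", 1, 1)
OVERLONG_LABEL = _header() + bytes([64]) + b"a" * 64 + b"\x00" + struct.pack("!HH", 1, 1)
NXT_RESPONSE = (_header(an=1) + _name("example.com") + struct.pack("!HH", NXT, 1)
                + b"\xc0\x0c" + struct.pack("!HHIH", NXT, 1, 300, 3) + b"\x00\x00\x00")
```

The backwards-pointer rule is the one that matters most in practice: a parser that follows pointers without it can be spun in a loop or sent past the end of the buffer by a single crafted answer.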
DNS file descriptor limit
The DNS Proxy can use only 256 file descriptors. This limits the number of DNS connections that can be open at one time through NAT.
Each UDP transaction that uses dynamic NAT holds a file descriptor until the UDP timeout expires. Each TCP connection that uses dynamic, static, or 1-to-1 NAT holds a file descriptor for the duration of the connection.
The file descriptor limit is not usually a problem, but some Web sites can have slow name resolution and a high number of this log message: dns-proxy[xx] dns_setup_connect_udp: Unable to create UDP socket for port: Invalid argument
You can put an end to this problem as follows:
• Do not use dynamic NAT between your clients and your DNS server (most secure), or
• Do not use an outgoing DNS Proxy service; use a filtered DNS service instead.
CHAPTER 10
Creating Aliases and Implementing
Authentication
An alias is a shortcut that identifies a group of hosts, networks, or users. When you use an alias, it is easier to create a security policy.
With user authentication you can monitor a connection by a user name and not only by an IP address. The person authenticates with a user name and a password to get access to Internet tools, for example outgoing HTTP or outgoing FTP. The IP address or the computer that the person uses is not important. While the person is authenticated, all the connections that the person starts from that IP address also carry the session name. This lets you monitor not only the computers from which the connections start, but also the person.
Note
The user name stays with the IP address. We do not recommend that you use user authentication with shared multi-user computers (Unix, Citrix, or NT terminal servers), because each shared server can only authenticate one user at a time, and every user of that computer then acts under that name.
The Firebox allows you to create policies and groups with user names. A person can use more than one computer or IP address with the same user name. It is good to monitor by user name if you use the Dynamic Host Configuration Protocol (DHCP), because a computer can have more than one IP address in a week. It is also good to monitor by user name in organizations where many different persons can use the same IP address in a day.
For more information on authentication, refer to the FAQs: https://www.watchguard.com/support/advancedfaqs/auth_main.asp
Using Aliases
With an alias it is not necessary to know the host IP addresses, host ranges, or network IP addresses. An alias operates almost as an e-mail group name. It puts together the addresses and names into groups that are easy to identify. You can use an alias to quickly create filter rules. You cannot use an alias to configure the network.
WatchGuard automatically adds six aliases to the basic configuration:
Group: Function
firebox: The addresses for the three Firebox interfaces and related networks or device aliases
trusted: The hosts or networks that go through the physical trusted interface
optional: The hosts or networks that go through the physical optional interface
external: The hosts or networks that go through the physical external interface. Frequently, this is the Internet
dvcp_nets: The networks at the other end of a VPN tunnel
dvcp_local_nets: The networks behind the Firebox that you configure
The optional Firebox X 3-Port Upgrade also adds the aliases eth3, eth4, and eth5.
A host alias overrides a Windows or RADIUS group with the same name.
Adding an alias
From Policy Manager:
1 Click Setup > Aliases .
The Aliases dialog box appears. Refer to the figure that follows:
2 Click Add .
3 In the Host Alias Name text box, type the alias you use when you configure services and authentication.
4 Click Add .
The Add Address dialog box appears. Refer to the figure that follows:
5 Add members to the alias. To add a member that appears in the Members list, click the name. Click Add.
6 To configure a new member, click Add Other .
The Add Member dialog box appears.
7 From the Choose Type drop-down list, select a category. In the Value text box, type the address, range, or host name. Click OK .
8 After you add the last member, click OK .
In the Host Alias dialog box the new alias appears. Click the alias to see its members.
To change an alias, select it, click Edit , and then add or erase the members.
To remove an alias, select it and click Remove. Then remove the alias from the Properties box of all the services that use it.
For more information, see “Configuring Service Properties” on page 85.
How User Authentication Works
A special HTTP server operates on the Firebox. To authenticate, a client must connect to the authentication server with a Web browser that can run Java. The address is: http://<IP address of a Firebox interface>:4100/
A Java applet opens and the user must type a user name and password. The applet sends the name and password to the authentication server with a challenge-and-response protocol. When the server authenticates the user, the user must minimize the Java applet and the browser window. They can then use the approved network services. Users keep their authentication while the Java applet and the Firebox operate. To prevent an account from authenticating, you must disable the account on the authentication server.
Using external authentication
The primary function of the authentication tool is for outgoing traffic, but you can also use it for incoming network traffic. When you have an account on the Firebox, you can always do external authentication. For example, you can type this address in your browser at home: http://<public IP address of a Firebox interface>:4100/
After authentication, you can get access to the services that are configured on the Firebox (FTP, Telnet).
Enabling remote authentication
Use this procedure to let a remote user authenticate from the external interface. This gives them access to services through the Firebox.
1 In the Services Arena in Policy Manager, double-click the wg_authentication service icon.
2 On the Incoming tab, select Enabled and Allowed.
3 Below the From box, click Add.
4 Click Add Under, and then type the IP addresses of the remote users that have approval to authenticate externally.
Authenticating from optional networks
1 In the Services Arena in Policy Manager, double-click the wg_authentication service icon.
2 On the Incoming tab, select Enabled and Allowed.
3 Below the From box, click Add.
4 Click Add Under, and then type the IP address, user, or group that can authenticate from an optional network.
Authentication Server Types
WatchGuard System Manager can authenticate users for five different authentication server types:
• The authentication server on the Firebox
• NT primary domain controllers
• RADIUS-compliant authentication servers
• CRYPTOCard authentication servers
• SecurID authentication servers.
Authentication to the different servers is almost the same for the user. For the Firebox administrator, the difference is that the user database can be on the Firebox or on a different server.
When you use a different server, you must configure it with the instructions that its manufacturer gives.
You must install the server with access to the Firebox and behind the Firebox for security.
To set the authentication type:
1 From Policy Manager, click Setup > Firewall Authentication.
The Authentication Enabled Via dialog box appears. Refer to the figure that follows.
2 In the Authentication Enabled Via dialog box, click an authentication server.
3 In the Logon Timeout text box, set the time interval (in seconds) that a user has to log in before the time-out stops the connection.
4 In the Session Timeout text box, set the time interval (in hours) that a connection can stay open before the time-out stops the connection. This time does not change with the quantity of traffic.
Defining Firebox Users and Groups for Authentication
If you do not use a third-party authentication server, you can use the Firebox as an authentication server. You can divide your company into groups and users for authentication. Assign the members to groups according to their tasks, functions, or access requirements. For example, you can have an accounting group, a marketing group, and a research and development group. You can also have a new persons group, with a limit on Internet access.
In a group, you can set the authentication procedure for the users, their system type, and the information they have access to. A user can be a network or a computer. If your company changes, you can add or remove users or systems from groups.
Note
You can only have a specified number of Firebox users. With more than 100 users, WatchGuard recommends that you use a third-party authentication server.
WatchGuard automatically adds two groups to the basic configuration for use in configuring a service for remote users:
ipsec_users
Adds the names of approved users of MUVPN.
pptp_users
Adds the names of approved users of RUVPN with PPTP.
You can use Policy Manager to:
• Add, change or erase the groups in the configuration.
• Add or change the users in a group.
From Policy Manager:
1 Click Setup > Authentication Servers.
The Authentication Servers dialog box appears. Refer to the figure that follows:
2 To add a new group, click the Add button below the Groups list.
3 Type the name of the group. Click OK.
4 To add a new user, click the Add button below the Users list.
The Setup Firebox User dialog box appears. Refer to the figure that follows:
5 Type the user name and the password.
6 To add the user to a group, select the group name in the Not Member Of list. Click the arrow that points to the left side to move the name to the Member Of list.
7 After you add the user to all the groups, click Add.
The user is added to the Users list. At this time you can add a different user.
8 To close the Setup Firebox User dialog box, click Close.
The Firebox Users tab appears with a list of the new users.
9 After you add all the users and the groups, click OK.
At this time, you can use the users and groups to configure services and authentication.
Configuring Windows 2000/2003 Server Authentication
In Windows 2000/2003, there are three types of Security Groups: Domain Local, Global, and Universal groups.
When a user types a name and password in the authentication applet, the Firebox queries the domain controller for group membership. The results of that query are as follows:
If the Use Local Groups check box is selected:
• The Firebox queries the domain controller for the user membership in any Domain Local Groups.
The domain controller returns the names of Domain Local groups to which the user belongs. The domain controller also sends the names of any Global or Universal groups to which the user belongs.
• If the user belongs to one or more Domain Local Groups, and at least one of those group names appears in a service in Policy Manager, the user is authenticated. Rules in those services are applied to the user, based on the IP address from which the user authenticated.
• If the user is a member of only Global or Universal groups, the user receives the message “Authentication succeeded, but no access granted for user_name.” This message will also appear in the user's authentication applet if the user is a member of Domain Local groups, but none of those group names appear in any service in Policy Manager.
If the Use Local Groups check box is not selected:
• The Firebox queries the domain controller for the user membership in any Global or Universal groups. The domain controller returns to the Firebox the names of Global or Universal groups to which the user belongs. The domain controller also sends the names of any Domain Local groups to which the user belongs.
• If the user belongs to one or more Global or Universal groups, and at least one of those group names appears in a service in the Policy Manager, the user is authenticated. Then, any rules in those services are applied to the user, based on the IP address from which the user authenticated.
• If the user is a member of only Domain Local groups, the user receives the message “Authentication succeeded, but no access granted for user_name.” in the authentication applet. This message also appears in the authentication applet if the user is a member of Global or Universal groups, but none of those group names appear in any of the services in Policy Manager.
1 Click Setup > Authentication Servers.
The Authentication Servers dialog box appears.
2 Click the NT Server tab.
The NT Server authentication information appears.
3 To identify the host, type the host name and the IP address of the Windows domain controller. If you do not know the IP address of the host, click Find IP. The IP address appears automatically.
When you type the IP addresses, type the digits and periods in the correct sequence. Do not use the TAB or arrow key. For more information on typing an IP address, see “Enter the IP addresses” on page 25.
4 If you want, select the Use Local Groups checkbox.
5 You can select the checkbox to enable Windows 2000/2003 Authentication.
6 To try the authentication connection before you save the configuration, click Test. If you do not have the correct Windows Active Directory credentials, the Active Directory Login dialog box appears. Type the correct Connect As and Password information.
The Firebox will connect to the NT server and show the result.
7 Click OK.
Configuring RADIUS Server Authentication
Remote Authentication Dial-In User Service (RADIUS) authenticates the remote users on a company network. RADIUS is a client and server system that keeps the authentication information for users, remote access servers, and VPN gateways in one database. This database is available to all the users. RADIUS authenticates the full network from one location.
The authentication messages to and from the RADIUS server always have an authentication key. Without this key, a hacker cannot get to these messages. Note that the server sends the key, and not a password, during authentication. The client and the server each have the same key, or “shared secret”.
To add or remove a service for a user, you must change the RADIUS user (or group) in the service configuration on the Firebox. You must also add the IP address of the Firebox to the RADIUS server. You can use CHAP or PAP authentication, but CHAP gives better security.
From Policy Manager:
1 Click Setup > Authentication Servers.
2 Click the RADIUS Server tab.
The RADIUS information appears. Refer to the figure that follows:
3 In the IP Address text box, type the IP address of the RADIUS server.
4 Make sure that the port number RADIUS uses for authentication shows.
The default port number is 1645. RFC 2138 gives port number 1812, but many RADIUS servers use port number 1645.
5 In the Secret text box, type the “shared secret” between the Firebox and the RADIUS server.
The shared secret is case-sensitive and must be the same on the Firebox and the RADIUS server.
6 Type the IP address and the port of the backup RADIUS server. The shared secret must be on the primary and backup RADIUS server.
7 Click OK.
8 Get the IP address of the Firebox and the user or group aliases you must have to authenticate with RADIUS. The aliases appear in the From and To boxes for each service.
To configure the RADIUS server
1 Add the IP address of the Firebox in the applicable fields. Refer to the RADIUS server instructions.
This is not necessary on all RADIUS servers.
2 In the RADIUS configuration, double-click the service icon.
Do this step for each service.
3 On the Incoming tab, select Incoming and Allowed.
4 Click Add and get the user and the group aliases.
5 Add them to the Filter-IDs in the RADIUS configuration.
For more information, refer to the RADIUS server information.
For example, to add the groups Sales, Marketing, and Engineering, type:
Filter-Id="Sales"
Filter-Id="Marketing"
Filter-Id="Engineering"
Note
The filter rules for the RADIUS user filter-IDs are case-sensitive.
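The following is an added example, not WatchGuard's code, written here to show what the shared secret described above and the Filter-Id entries do on the wire: a Python model of one RADIUS Access-Request and Access-Accept exchange (RFC 2138/2865 packet layout) in which the Firebox side hides the PAP password with the secret, verifies the Response Authenticator with the same secret, and matches the returned Filter-Id values case-sensitively against the service aliases. The addresses, user name, password and secret are constructed.

```python
import hashlib
import hmac
import os
import struct

# Added example, not WatchGuard's code. Code and attribute numbers are the
# ones RFC 2138 / RFC 2865 define; everything else is constructed.
CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_FILTER_ID = 1, 2, 4, 11


def pap_hide(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """PAP User-Password hiding (RFC 2865 section 5.2): each 16-byte chunk of
    the NUL-padded password is XORed with MD5(secret + previous cipher block);
    the first block uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_reveal(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side of pap_hide; a wrong secret yields garbage, not an error."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Each attribute is Type(1) Length(1, header included) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data: bytes):
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident, username, password, secret, nas_ip, req_auth=None):
    """Firebox -> RADIUS server. The Request Authenticator is 16 random bytes."""
    req_auth = req_auth or os.urandom(16)
    attrs = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, pap_hide(password.encode(), secret, req_auth)),
        (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs


def build_access_accept(request: bytes, secret: bytes, filter_ids):
    """RADIUS server -> Firebox. Response Authenticator =
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    ident, req_auth = request[1], request[4:20]
    attrs = encode_attrs([(ATTR_FILTER_ID, f.encode()) for f in filter_ids])
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Firebox side: a response whose authenticator was not computed with the
    same secret, or for a different request, is discarded."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    if struct.unpack("!H", header[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def matched_aliases(response: bytes, service_aliases):
    """Filter-Id values that exactly match a user or group alias used in a
    service's From or To box; the comparison is case-sensitive."""
    names = [v.decode() for t, v in parse_attrs(response[20:]) if t == ATTR_FILTER_ID]
    return [n for n in names if n in set(service_aliases)]


def demo():
    """Constructed round trip: the server returns 'Sales' and 'marketing',
    but only the exact alias 'Sales' matches the Firebox configuration."""
    secret, req_auth = b"firebox-radius-secret", bytes(range(16))
    req = build_access_request(7, "alice", "p4ssw0rd", secret, "10.0.1.1", req_auth)
    pw = pap_reveal(dict(parse_attrs(req[20:]))[ATTR_USER_PASSWORD], secret, req_auth)
    acc = build_access_accept(req, secret, ["Sales", "marketing"])
    return {
        "password_seen_by_server": pw,
        "accept_verified": verify_response(acc, req, secret),
        "accept_verified_wrong_secret": verify_response(acc, req, b"wrong"),
        "aliases": matched_aliases(acc, ["Sales", "Marketing", "Engineering"]),
    }
```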
Configuring CRYPTOCard Server Authentication
CRYPTOCard is a hardware-based authentication system that lets users authenticate with the CRYPTOCard challenge and response system. This system includes off-line hashing of passwords. It enables you to authenticate a user independently of the computer they use.
When you configure CRYPTOCard server authentication on WatchGuard, you must first install a CRYPTOCard server. You must also have access to the server for authentication to the Firebox.
To add or remove a service for a user, you must change the CRYPTOCard user (or group) in the service configuration on the Firebox. You must also add the IP address of the Firebox to the CRYPTOCard authentication server.
From Policy Manager:
1 Click Setup > Authentication Servers.
2 Click the CRYPTOCard Server tab.
You can use the arrow keys in the top right corner of the dialog box to move this tab into view.
3 In the IP Address text box, type the IP address of the CRYPTOCard server.
4 Make sure that the port number that CRYPTOCard authentication uses is shown.
The standard port number is 624.
5 In the Administrator Password text box, type the administrator password that is in the password file on the CRYPTOCard server.
6 Type or accept the time-out (in seconds).
The time-out is the maximum time that a user has to authenticate on the CRYPTOCard server. CRYPTOCard recommends a maximum of 60 seconds.
7 In the Secret text box, type the shared secret between the Firebox and the CRYPTOCard server.
This is the key or the client key in the “Peers” file on the CRYPTOCard server. This key is case-sensitive and must be the same on the Firebox and the CRYPTOCard server.
8 Click OK.
9 Get the IP address of the Firebox and the user or group aliases that CRYPTOCard must authenticate.
The aliases appear in the From and To boxes for each service.
On CRYPTOCard server:
1 Add the IP address of the Firebox in the applicable fields; refer to the CRYPTOCard instructions.
2 Get the user or the group alias from the service properties. Add the aliases to the group information in the CRYPTOCard configuration file. You can only use one group with each user.
For more information, refer to the CRYPTOCard information.
Configuring SecurID Authentication
To operate SecurID authentication, you must configure RADIUS and ACE/Server servers correctly. The users must also have an approved SecurID token and a PIN. Refer to the SecurID instructions for more information.
Note
Do not use Steel Belted RADIUS with SecurID. Use RADIUS with RSA SecurID software.
From Policy Manager:
1 Click Setup > Authentication Servers.
2 Click the SecurID Server tab.
You can use the arrow keys in the top right corner of the dialog box to move this tab into view.
3 In the IP Address text box, type the IP address of the SecurID server.
4 Type or accept the port number for SecurID authentication.
The default number is 1645.
5 In the Secret text box, type the shared secret between the Firebox and the SecurID server.
The shared secret is case-sensitive and must be the same on the Firebox and the SecurID server.
6 If you use a backup server, select the Specify backup SecurID server checkbox. Type the IP address and the port number for the backup server.
7 Click OK.
To set up the RADIUS server, refer to “To configure the RADIUS server” on page 159.
CHAPTER 11
Intrusion Detection and Prevention
The WatchGuard System Manager protects your network from many attack types when it applies the packet filters and proxies that you set up. For the attacks that these filters and proxies cannot prevent, the Firebox has these tools:
Default packet handling
Helps identify the incoming traffic that appears to be an attack on a network.
Blocked sites
Helps to prevent incoming traffic from computer systems you know or think are a security risk.
This tool denies an external IP address, so that it cannot connect to an internal host.
Blocked ports
Helps deny use of external ports that can be attacked by a hacker. A blocked port stops all the packets that try to use a specified port, thus no incoming traffic can use a port to enter your network.
Your log configuration can help you to identify the Web sites that show suspicious activity (spoofing).
You can then manually and permanently deny these Web sites or the ports they use. For more information on the log messages, refer to the FAQ: https://www.watchguard.com/support/advancedfaqs/log_main.asp
Default Packet Handling
The firewall examines the source and destination of each packet it receives. It looks at the IP address and the port number. The firewall also monitors the packets to look for patterns that can show that your network is at risk.
The packet handling can:
• Reject a packet that can be a security risk.
• Automatically deny all traffic from a source IP address.
• Add an event to the log file.
• Send a notification of possible security risks.
Blocking spoofing attacks
One method that a hacker can use to get access to your network is to create an electronic “false identity.” With this “IP spoofing” procedure, the attacker makes a TCP/IP packet that uses a different IP address than the host it comes from.
A router uses the destination address of a packet to forward it to its destination. Thus, the source address of the packet is not authenticated until the packet gets to its destination. If a host is a “trusted host”, authentication is not necessary. In IP spoofing, an attacker can use this information to route a packet as if it comes from a trusted host. The destination system then authenticates the IP address of the connection and gives access through your firewall.
You can enable the protection for IP spoofing on the Firebox. The Firebox denies the spoofed packets, and then sends two log messages. One log message shows that the packet of the attacker was blocked.
The Firebox sends a second log message to show that the attacker IP address is on the Blocked Sites list.
All the Web sites that the Firebox denies appear on the Blocked Sites list.
You can prevent IP spoofing attacks through the Default Packet Handling dialog box.
From the Policy Manager:
1 On the toolbar, click the Default Packet Handling icon, shown at the right side.
Or, from the Policy Manager, click Setup > Intrusion Prevention > Default Packet Handling.
2 Select the Block Spoofing Attacks check box.
Blocking port space and address space attacks
An attacker can also use probes to get access to your network. A port space probe examines a host to find the filters and proxies that it uses. An address space probe examines a network to see the services that operate on the hosts in that network.
From the Policy Manager:
1 On the toolbar, click the Default Packet Handling icon.
Or, from the Policy Manager, click Setup > Intrusion Prevention > Default Packet Handling.
2 Select the Block Port Space Probes check box.
3 Select the Block Address Space Probes check box.
Stopping IP options attacks
IP options are extensions of the Internet Protocol. The Firebox uses the extensions for special software applications or for advanced troubleshooting. An attacker can use the IP options in the packet header to find a path into your network. From the Policy Manager:
1 On the toolbar, select the Default Packet Handling icon.
Or, from the Policy Manager, click Setup > Intrusion Prevention > Default Packet Handling.
2 Select the Block IP Options check box.
Stopping SYN Flood attacks
A SYN Flood attack is a Denial of Service (DoS) attack type. This attack tries to prevent access to your public services (e-mail, Web servers) by unauthorized users. The SYN Flood attack uses a part of the usual TCP connection procedure to attack. The usual TCP procedure is as follows:
• A user tries to connect to your server using their Web browser. To do this, the browser sends a SYN segment.
• Your Web server sends a SYN+ACK segment.
• The browser then sends an ACK segment.
• When the server sees the ACK segment, it can accept the URL from the browser.
Until the server receives the ACK segment, the server is “stuck”. Many servers can accept only a specified number of open connections at a time. The server keeps them in a backlog until they are completed or time out. A SYN Flood attack tries to fill up the backlog of the server. It sends many SYN segments and no ACK. When the backlog is full, the server is not available to the users.
The WatchGuard System Manager can help protect your servers against a SYN Flood attack. It monitors the number of SYN segments without an ACK segment. If this number gets larger than the specified maximum, the SYN Flood protection starts and all new connections must have verification. The SYN Flood protection tool stops when the attack stops.
From the Policy Manager:
1 On the toolbar, select the icon for Default Packet Handling.
Or, from the Policy Manager, select Setup > Intrusion Prevention > Default Packet Handling.
2 Select the Block SYN Flood Attacks check box.
Changing SYN flood settings
When the Firebox blocks SYN Floods, it can also keep regular packets from your network. You can change the SYN Flood configuration to help prevent this. You can set the number of Maximum Incomplete Connections that the Firebox lets through before the Firebox starts to block connections. The default number is 60. When there are 61 connections that have not received ACKs, the Firebox blocks connections. It stops when the number decreases to 59.
To see how frequently the feature starts, you can look in the log for: SYN Validation: activated and SYN Validation: deactivated. When there are many of these messages and no attacks, the number of Maximum Incomplete Connections can be too low.
When the attacks are not being stopped, the number can be too high.
The SYN validation timeout controls how long the Firebox “remembers” clients that have validation.
The default timeout is 120 seconds, so a client can connect again in that 120 seconds with no validation.
With a timeout of zero, each connection must have validation. From the Policy Manager:
1 On the toolbar, select the icon for Default Packet Handling.
Or, from the Policy Manager, click Setup > Intrusion Prevention > Default Packet Handling.
2 Set the SYN Validation Timeout.
3 Set the Maximum Incomplete Connections.
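As an added example that is not part of this guide, the Python simulation below models the counters the two SYN Flood sections above describe: the half-open connection count, activation at 61 and deactivation at 59 around the Maximum Incomplete Connections default of 60, the SYN Validation Timeout of 120 seconds, and the two log messages to look for. The class and its method names are this example's own, and the traffic in demo() is constructed.

```python
# Added example, not WatchGuard's code. The defaults are the ones the guide
# gives; the traffic in demo() is constructed.
MAX_INCOMPLETE = 60            # Maximum Incomplete Connections (default)
SYN_VALIDATION_TIMEOUT = 120   # seconds a validated client is remembered


class SynFloodGuard:
    """Tracks half-open TCP connections (SYN seen, no ACK yet). Validation
    switches on when the count exceeds the maximum and off again when it
    falls below it, so 61 activates and 59 deactivates with the default."""

    def __init__(self, max_incomplete=MAX_INCOMPLETE, timeout=SYN_VALIDATION_TIMEOUT):
        self.max_incomplete = max_incomplete
        self.timeout = timeout
        self.half_open = {}     # (client, client_port) -> time of the SYN
        self.validated = {}     # client -> time its validation succeeded
        self.active = False
        self.log = []           # the two messages the guide says to look for

    def _update_state(self, now):
        count = len(self.half_open)
        if not self.active and count > self.max_incomplete:
            self.active = True
            self.log.append(f"{now} SYN Validation: activated")
        elif self.active and count < self.max_incomplete:
            self.active = False
            self.log.append(f"{now} SYN Validation: deactivated")

    def is_remembered(self, client, now):
        """With a timeout of zero nothing is remembered: every connection validates."""
        last = self.validated.get(client)
        return last is not None and now - last < self.timeout

    def syn(self, client, port, now):
        """Return 'accept' if the SYN enters the backlog, or 'validate' if the
        client must first prove itself (the backlog is not consumed)."""
        if self.active and not self.is_remembered(client, now):
            return "validate"
        self.half_open[(client, port)] = now
        self._update_state(now)
        return "accept"

    def validation_succeeded(self, client, now):
        self.validated[client] = now

    def ack(self, client, port, now):
        """Handshake completed, or the server timed the backlog entry out."""
        self.half_open.pop((client, port), None)
        self._update_state(now)


def demo():
    g = SynFloodGuard()
    for i in range(60):                           # 60 half-open: under the limit
        g.syn("flood-src", 40000 + i, now=0)
    at_60 = g.active
    g.syn("flood-src", 40060, now=0)              # the 61st switches validation on
    at_61 = g.active
    first = g.syn("client-a", 5000, now=1)        # must validate
    g.validation_succeeded("client-a", now=1)
    second = g.syn("client-a", 5001, now=1)       # remembered, passes straight in
    g.ack("client-a", 5001, now=2)                # back to 61 half-open
    g.ack("flood-src", 40000, now=3)              # 60: still active
    at_60_again = g.active
    g.ack("flood-src", 40001, now=4)              # 59: switches off
    return {
        "at_60": at_60, "at_61": at_61, "first": first, "second": second,
        "at_60_again": at_60_again, "after_59": g.active,
        "remembered_at_119s": g.is_remembered("client-a", 1 + 119),
        "forgotten_at_120s": g.is_remembered("client-a", 1 + 120),
        "log": g.log,
    }
```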
Blocking Sites
The Blocked Sites tool helps to prevent communication with systems you know or think are dangerous or a security risk. After you identify the site, you can block all the connections with that IP address. You can also configure logging to record all access from this source. From the log file, you can find the services that they use to attack.
A blocked site is an external IP address that cannot make a connection to an internal host. If a packet comes from a system that is blocked, it does not get through the Firebox.
There are two different types of blocked sites:
• Permanently blocked sites — on a list in the configuration file that you can change only manually.
• Auto-blocked sites — The sites that the Firebox adds or removes on a temporary blocked site list.
The Firebox uses the packet handling rules which are specified for each service.
For example, you can configure the Firebox to block the sites that try to connect to a blocked port. These sites are then blocked for a specified time.
For information on the automatic blocking of sites with the protocol anomaly detection (PAD) tool, refer to “Configuring Incoming SMTP Proxy” on page 93.
Auto-blocking and logging can help you make a decision about which sites to block. For example, you can add a site that does IP spoofing to the list of the permanently blocked sites.
Note
You can block only external IP addresses.
Blocking a site permanently
You can use the Policy Manager to permanently block a host that you know is a security risk. For example, a university computer that hackers use frequently is a good host to block. The default configuration blocks 3 private (“unconnected”) network addresses—10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.
Packets from these private addresses cannot go through the Firebox. Packets that come from one of these addresses can be trying to use IP spoofing. For more information on these addresses, refer to RFCs 1918, 1627, and 1597.
From the Policy Manager:
1 On the toolbar, select the Blocked Sites icon (see the figure on the right side).
Or, click Setup > Intrusion Prevention > Blocked Sites.
2 Click Add.
3 From the Choose Type drop-down list, select Host IP Address, Network IP Address, or Host Range.
4 Type the member value.
The member type shows if this is an IP address or a range of IP addresses. When you type an IP address, type all the numbers and the periods. Do not use the TAB or the arrow key. For more information on how to enter an IP address, refer to “Enter the IP addresses” on page 25.
5 Click OK.
The new site appears in the Blocked Sites list.
Using an external list of blocked sites
You can make a list of blocked sites in an external file. This file must be a .txt file. To add an external file to your blocked sites list:
1 In the Blocked Sites dialog box, click Import.
2 Find the file. Double-click it, or select it and click Open.
The sites in the file are added to the Blocked Sites list.
Creating exceptions to the Blocked Sites list
A host that is a blocked sites exception is not added to the list of automatically blocked sites. The automatic rules do not apply to this host.
From the Policy Manager:
1 Click Setup > Intrusion Prevention > Blocked Sites Exceptions.
2 Click Add.
3 Type the IP address of the site. Click OK.
4 Click OK.
To remove an exception, select the IP address of the site to remove. Click Remove.
Changing the auto-block duration
From Blocked Sites, you can change the interval, in minutes, that the firewall automatically blocks an IP address that is a security risk. The interval can be from 1 to 32,000 minutes (about 22 days).
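Added example, not WatchGuard's code: a Python model of the Blocked Sites behaviour described in the sections above, covering the three entry types, the three default private ranges, the .txt import, exceptions that are never auto-blocked, and an auto-block duration limited to 1 through 32,000 minutes. The .txt line format (one entry per line, # comments), the auto-block duration in the constructor, and all addresses are assumptions made for this example.

```python
import ipaddress

# Added example, not WatchGuard's code. Entry types, default private ranges and
# the 1..32000-minute auto-block range are from the guide; addresses are constructed.
AUTO_BLOCK_MIN, AUTO_BLOCK_MAX = 1, 32000       # minutes
DEFAULT_PERMANENT = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def parse_entry(text):
    """Host IP Address ('203.0.113.7'), Network IP Address ('198.51.100.0/24')
    or Host Range ('203.0.113.10-203.0.113.20'); the textual forms are assumed."""
    text = text.strip()
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if lo > hi:
            raise ValueError(f"range start after end: {text}")
        return ("range", lo, hi)
    if "/" in text:
        return ("network", ipaddress.ip_network(text, strict=False))
    return ("host", ipaddress.ip_address(text))


class BlockedSites:
    def __init__(self, auto_block_minutes, permanent=DEFAULT_PERMANENT):
        if not AUTO_BLOCK_MIN <= auto_block_minutes <= AUTO_BLOCK_MAX:
            raise ValueError("auto-block duration must be 1..32000 minutes")
        self.auto_block_minutes = auto_block_minutes
        self.permanent = [parse_entry(e) for e in permanent]
        self.exceptions = set()
        self.auto = {}          # ip -> expiry time (minutes)
        self.log = []

    def import_file(self, text):
        """Assumed .txt import format: one entry per line, '#' starts a comment."""
        for line in text.splitlines():
            line = line.split("#", 1)[0].strip()
            if line:
                self.permanent.append(parse_entry(line))

    def add_exception(self, ip):
        self.exceptions.add(ipaddress.ip_address(ip))

    def auto_block(self, ip, now, reason):
        """Called by a rule such as 'auto-block sites that attempt to use
        blocked ports'. Exceptions are never auto-blocked."""
        ip = ipaddress.ip_address(ip)
        if ip in self.exceptions:
            return False
        self.auto[ip] = now + self.auto_block_minutes
        self.log.append(f"{now} auto-blocked {ip} for {self.auto_block_minutes} min: {reason}")
        return True

    def _permanently_blocked(self, ip):
        for entry in self.permanent:
            if entry[0] == "host" and ip == entry[1]:
                return True
            if entry[0] == "network" and ip in entry[1]:
                return True
            if entry[0] == "range" and entry[1] <= ip <= entry[2]:
                return True
        return False

    def is_blocked(self, ip, now):
        """Check the source of a packet arriving on the external interface;
        an auto-block that has reached its expiry time is dropped here."""
        ip = ipaddress.ip_address(ip)
        expiry = self.auto.get(ip)
        if expiry is not None and now >= expiry:
            del self.auto[ip]
            expiry = None
        return expiry is not None or self._permanently_blocked(ip)
```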
Logging and notification for blocked sites
From the Blocked Sites dialog box:
1 Click Logging.
2 In the Category list, select Blocked Sites.
3 Change the logging and the notification configuration.
Blocking Ports
You can block the ports that you know can be used to attack your network. This stops specified external network services. If you block a port, you override all the service configurations.
Note
Blocked Ports, like Blocked Sites, only block the packets that come through the external interface.
You can block a port, because:
• Blocked Ports protect your most sensitive services. The feature helps protect you from errors in your Firebox configuration.
• Probes against very sensitive services can make independent log entries.
• Some TCP/IP services use port numbers of more than 1024. An attack on these ports is possible if the attacker uses an approved service, with a port number of less than 1024. The attacker then makes it appear as an approved connection in the opposite direction. You can prevent this if you block the port numbers of services with port numbers of less than 1024.
By default, the Firebox blocks some destination ports. This gives a basic configuration which you usually do not have to change. Make sure that you block the services that follow:
X Window System (ports 6000-6063)
The X Window System (or X-Windows) has some clear security problems that make it dangerous to use on the Internet. Although some authentication methods are available, a good attacker can bypass most of them.
If an attacker can connect to an X server, they can easily record all that is typed on the computer. The attacker can collect passwords and other sensitive information.
These attacks can be hard to detect by all but the most skilled users.
The first X Window server is always on port 6000. For an X server with more than one display, each new display uses a new port number after 6000, through 6063. This gives a maximum of 64 displays on a given host.
X Font Server (port 7100)
Many versions of X-Windows can operate X Font Servers. The X Font Servers operate as the super-user on some hosts.
NFS (port 2049)
NFS (Network File System) is a much used TCP/IP service, where many users can use the same files on a network. But, the new versions have important authentication and security problems.
Providing NFS service through the Internet can be very dangerous.
Note
The portmapper frequently uses the port 2049 for NFS. If you use NFS, make sure that NFS uses the port 2049 on all your systems.
OpenWindows (port 2000)
OpenWindows is a system from Sun Microsystems that has almost the same security risks as X-Windows.
rlogin, rsh, rcp (ports 513, 514)
These services give remote access to other computers. They are a security risk and many attackers probe for these services.
RPC portmapper (port 111)
The RPC Services use port 111 to find which ports a given RPC server uses. The RPC services are very easy to attack through the Internet.
port 0
IANA can use Port 0. Many software applications that examine ports start on port 0.
port 1
The TCPmux service uses Port 1, but not very frequently. You can block it to make it more difficult for the tools that examine ports.
Novell IPX over IP (port 213)
If you use Novell IPX over IP internally, you have to block port 213.
NetBIOS services (ports 137 through 139)
You must block these ports if you use NetBIOS internally. Although such services are blocked by the default packet handling, to block their ports gives more security.
Avoiding problems with approved users
Approved users can have a problem because of blocked ports. You must be very careful if you block the port numbers between 1000 and 1999. Client ports frequently use these numbers.
Note
Solaris uses port numbers higher than 32768 for clients.
Blocking a port permanently
From the Policy Manager:
1 On the toolbar, select the Blocked Ports icon (see the figure at the right side).
Or, click Setup > Intrusion Prevention > Blocked Ports.
2 In the box on the left side of the Add button, type the port number. Click Add.
The new port number appears in the Blocked Ports list.
To remove a blocked port, select the port to remove. Click Remove.
Auto-blocking sites that try to use blocked ports
You can configure the Firebox to automatically block an external host that tries to get access to a blocked port. In the Blocked Ports dialog box, select the Auto-block sites that attempt to use blocked ports check box.
You can also block sites automatically if you use the protocol anomaly detection. For more information, refer to “Configuring Incoming SMTP Proxy” on page 93.
Setting logging and notification for blocked ports
You can configure the Firebox to make a log entry when a host tries to use a blocked port. You can also set up notification, for when a host tries to get access to a blocked port.
From the Blocked Ports dialog box:
1 Click Logging.
The Logging and Notification dialog box appears.
2 In the Category list, select Blocked Ports.
3 Change the logging and the notification parameters.
Blocking Sites Temporarily with Service Settings
You can use the service configuration to automatically and temporarily block sites that try to use a denied service. You can use this feature to log, block, and monitor each site that tries to get access to a blocked port.
Configuring a service to temporarily block sites
From the Policy Manager:
1 Double-click the service icon in the Services Arena.
The Properties dialog box appears.
2 From the Incoming service Connections Are drop-down list, select Enabled and Denied.
3 Select the Auto-block sites that attempt to connect via service check box, which is at the bottom of the dialog box.
Viewing the Blocked Sites list
The Blocked Sites list shows all the sites that the Firebox blocks. Use the Firebox Monitors to see the sites that are automatically blocked by the property configuration of a service. From the System Manager, select the Blocked Site List tab at the bottom of the graph. (Use the arrow keys to access this tab, if necessary.)
Integrating Intrusion Detection
A good intrusion detection system (IDS) examines the traffic that tries to get access to your network. It looks at the source, the destination, and the type of traffic for a period of time. The IDS then compares the traffic against the attack configurations that are known. When the IDS finds an attack, it can tell you the type of the attack and the possible steps to take.
The primary function of your firewall is to examine and allow or deny packets. It is a basic IDS, and it stops some basic attacks including IP spoofing and port space probes. There is not much bandwidth available in the Firebox for it to look at patterns of traffic through time.
As part of your LiveSecurity Service subscription, you can download the Firebox System Intrusion Detection System Mate (fbidsmate) tool. With this tool, the Firebox can communicate with most commercial and shareware IDS applications. You use the fbidsmate tool to configure your IDS to use programs that get data from the Firebox. Versions are available for the Win32 (Windows 2000, Windows 2003, and Windows XP), the SunOS, and the Linux operating systems. The fbidsmate tool can also add log messages to the log file, that you can then use in reports. And because the fbidsmate tool is external to the Firebox, you do not have to change the Firebox configuration.
An external IDS software application can automatically add sites to the Blocked Sites list of the the Firebox. These sites appear in the Blocked Sites tab of the Firebox. The tim e-out s and the blocked site exceptions features are the same as for sites blocked by the default packet handling options .
You can get the fbidsmate tool with your LiveSecurity Service account at: https://www.watchguard.com/support
Using the fbidsmate tool
The fbidsmate tool operates from the command line. You can use it from an IDS software application or use the commands directly against the Firebox. The command syntax is:
fbidsmate firebox_address [rwpassphrase | -f rwpassphrase_file] [add_hostile hostile_address] | [add_log_message priority(0-7) "message"]
fbidsmate import_passphrase rwpassphrase rwpassphrase_filename
add_hostile
This adds an IP address to the Auto-Blocked Site list for the time interval set by the administrator in the dialog box for the Blocked Sites in the Policy Manager.
add_log_message
This adds a log message in the log that the Firebox makes. The Firebox uses the priority to make syslog messages. The range is the standard syslog 0=Emergency to 7=Debug. There is no limit on the message length. If necessary, the Firebox divides the text in more than one message.
import_passphrase
You can keep the Firebox configuration passphrase in an encrypted file, as an alternative to clear text in the program command. This command puts the passphrase in the specified file with 3DES encryption. You can then use the file name in your software application. Each Firebox has a special passphrase.
Return value
The return value of fbidsmate is zero if the software application operated correctly; otherwise it is nonzero.
You must examine this value if you operate fbidsmate from a third-party software application or through a different interface.
Examples
Here are some examples, where the IP address of the Firebox is 10.0.0.1, and the configuration passphrase is “secure1”.
Example 1
The IDS senses a port scan from 209.54.94.99 and tells the Firebox to block that site:
fbidsmate 10.0.0.1 secure1 add_hostile 209.54.94.99
This message appears in the log file:
Temporarily blocking host 209.54.94.99
Example 2
The IDS adds a message to the log of the Firebox:
fbidsmate 10.0.0.1 secure1 add_log_message 3 "IDS system temp. blocked 209.54.94.99"
If the IDS operates on host 10.0.0.2, this message appears in the Firebox log file:
msg from 10.0.0.2: IDS system temp. blocked 209.54.94.99
Example 3
You operate an external IDS application. You can encrypt the configuration passphrase that you use in your IDS program.
Note
You must also give the best possible security to the IDS host.
First, you must move the passphrase “secure1” to an encrypted file on the IDS host:
fbidsmate import_passphrase secure1 /etc/fbidsmate.passphrase
Then you can rewrite the examples 1 and 2 as:
fbidsmate 10.0.0.1 -f /etc/fbidsmate.passphrase add_hostile 209.54.94.99
fbidsmate 10.0.0.1 -f /etc/fbidsmate.passphrase add_log_message 3 "IDS system temp. blocked 209.54.94.99"
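The following is an added example, not part of the WatchGuard guide or the fbidsmate tool itself. It shows how an IDS-side script can build fbidsmate commands from the syntax given above, use the encrypted passphrase file instead of a clear-text passphrase, and treat a nonzero return value as a failure, as the “Return value” section requires. The runner callable is an assumption of this example: it is injected so the logic can be exercised without a Firebox, and by default it runs the real fbidsmate binary.

```python
"""Thin wrapper around the fbidsmate command line (added example)."""
import ipaddress
import subprocess
from typing import Callable, List, Optional, Tuple


def _ipv4(value: str) -> str:
    # Accept only a plain IPv4 address; anything else is rejected before it
    # reaches the command line (raises ValueError on bad input).
    return str(ipaddress.IPv4Address(value))


def build_args(firebox: str,
               passphrase: Optional[str] = None,
               passphrase_file: Optional[str] = None,
               add_hostile: Optional[str] = None,
               log_message: Optional[Tuple[int, str]] = None) -> List[str]:
    """Build the fbidsmate argument list from the syntax given on the page.

    Exactly one credential (clear passphrase or -f passphrase file) and
    exactly one action (add_hostile or add_log_message) per invocation.
    """
    if (passphrase is None) == (passphrase_file is None):
        raise ValueError("give exactly one of passphrase or passphrase_file")
    if (add_hostile is None) == (log_message is None):
        raise ValueError("give exactly one of add_hostile or log_message")
    args = ["fbidsmate", _ipv4(firebox)]
    # A clear passphrase on the command line is visible to other users of the
    # IDS host, which is why the page recommends import_passphrase and -f.
    args += ["-f", passphrase_file] if passphrase_file else [passphrase]
    if add_hostile is not None:
        args += ["add_hostile", _ipv4(add_hostile)]
    else:
        priority, text = log_message
        if not 0 <= priority <= 7:
            raise ValueError("priority must be 0 (Emergency) through 7 (Debug)")
        args += ["add_log_message", str(priority), text]
    return args


def _subprocess_runner(args: List[str]) -> int:
    # Default runner: execute the real tool without a shell, return exit status.
    return subprocess.run(args, check=False).returncode


def run_fbidsmate(args: List[str],
                  runner: Callable[[List[str]], int] = _subprocess_runner) -> int:
    """Run fbidsmate and raise if it reports failure (any nonzero exit status)."""
    status = runner(args)
    if status != 0:
        raise RuntimeError(f"fbidsmate returned {status}: {' '.join(args)}")
    return status


def block_and_log(firebox: str, passphrase_file: str, hostile: str,
                  runner: Callable[[List[str]], int] = _subprocess_runner
                  ) -> List[List[str]]:
    """Example 3 from the page as one operation: block the host, then record
    the action in the Firebox log at priority 3. Returns the commands run."""
    commands = [
        build_args(firebox, passphrase_file=passphrase_file, add_hostile=hostile),
        build_args(firebox, passphrase_file=passphrase_file,
                   log_message=(3, f"IDS system temp. blocked {hostile}")),
    ]
    for cmd in commands:
        run_fbidsmate(cmd, runner)
    return commands


if __name__ == "__main__":
    # Dry run with a fake runner that only records commands; no Firebox needed.
    recorded: List[List[str]] = []

    def fake_runner(a: List[str]) -> int:
        recorded.append(a)
        return 0

    for c in block_and_log("10.0.0.1", "/etc/fbidsmate.passphrase",
                           "209.54.94.99", fake_runner):
        print(" ".join(c))
```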
CHAPTER 12
Setting Up Logging and Notification
The WatchGuard Firebox System includes strong, flexible tools for logging and notification. Logging and notification are important to a good network security policy. Together they can:
• Monitor your network security
• Identify the security risks
• Address the security risks.
A log message is a summary of an event that the Firebox sends to a log host. Notification occurs when the Firebox sends a message about a possible security threat to an administrator. Notification can occur as an e-mail, a pop-up window on the WatchGuard Security Event Processor (WSEP), or as a custom script.
For more information on logging, refer to the FAQ: https://www.watchguard.com/support/advancedfaqs/log_main.asp
Developing Logging and Notification Policies
A logging policy identifies:
• The events and data to record
• When to send a notification
A logging policy also lets you give more instructions for special events that include more risk.
For example, you configure the default packet handling rules to send a notification when the Firebox identifies a port space probe. When a port space probe occurs, the log host sends a notification to the network security administrator. The administrator can examine the log file and make a decision to:
• Block the ports that the probe uses.
• Block the IP address that sends the packets.
• Find the ISP that sends through the packets.
Logging policy
The logging policy contains:
• Which events to record in the log file.
• Which service events to record in the log file.
• Which servers serve as log hosts.
• How large a log file can be.
• How frequently to make a new log file.
Usually, it is necessary to record only the events that can be a security risk. You ignore the events that can fill up bandwidth and server capacity. This results in the logging of denied packets, spoofed packets, probes, and IP options, but not the logging of approved packets.
There are many more approved packets than denied packets, and they usually are not a risk. Logging them can slow the system and make a large log file. You can log all approved events to do troubleshooting for an installation. Or, you can log all packets when you have a special service that uses a high port number and only some personnel use it.
You do not have to log all denied events. If you create a rule that denies all FTP packets through your Firebox, you can decide not to send log messages when the firewall blocks packets with this rule.
Notification policy
Notification is necessary for the most important events: IP options, port space probes, address space probes, and spoofing attacks. You can configure these in the Default Packet Handling dialog box; refer to “Default Packet Handling” on page 121.
Usually, a notification policy is more complex if you have a complex Firebox configuration. For example, if you set up an easy configuration with some services that deny most of the incoming traffic, only some notifications are necessary. With a large configuration with many services, hosts, protocols, and ports, many different notifications are necessary. This type of configuration can be more of a security risk.
To create a notification policy, look at each policy in your Firebox configuration. If you have a unique service with many restrictions, you can decide to send notifications when a person uses the service. If you use a service frequently, you can use notification if the policy rejects 5 to 10 packets in 30 seconds.
Failover Logging
WatchGuard uses failover logging, where the logging moves to a different host if the primary host is not available. This is not redundant logging, where different hosts keep the same logs at the same time.
Failover logging uses a list of configured log hosts. It sends log messages to the primary log host. If it cannot connect to the primary log host, it sends logs to the secondary log host. If it cannot connect to the secondary log host, it tries to connect to the subsequent log host on the list, until it connects to a log host that can record log messages.
You must install the WatchGuard Security Event Processor software on each log host. This is not necessary if you use SysLog.
For more information, refer to “Setting up the WatchGuard Security Event Processor” on page 135.
WatchGuard Logging Architecture
The default installation of the WatchGuard Firebox System installs the Policy Manager and the WatchGuard Security Event Processor (WSEP) on the same computer. For logging and notification, you can install the WSEP on more than one computer. To do this, you must do the tasks that follow:
Policy Manager
- Add the log hosts.
- Change the configuration of services and packet handling.
- Save the configuration file to the Firebox.
WatchGuard Security Event Processor
- Install the WSEP software on each log host.
- Select the global logging and the notification configuration for the host.
- Set the same log encryption key on each log host and on the Policy Manager.
Designating Log Hosts for a Firebox
You must have a minimum of one log host to use the WatchGuard Firebox System. By default, this is the management station that you select when you use the Quick Setup Wizard. You can select a different primary log host and more than one backup log host.
For log host troubleshooting information, refer to the FAQ: https://www.watchguard.com/support/advancedfaqs/log_troubleshootinghost.asp
Adding a log host
From the Policy Manager:
1 Click Setup > Logging .
The Logging Setup appears.
2 Click Add .
The Add IP Address box appears:
3 In the Enter IP Address text box, type the IP address of the log host.
When you type the IP address, type all the numbers and the periods. Do not use the TAB or the arrow key. For more information on how to type an IP address, refer to “Enter the IP addresses” on page 25.
4 In the Log Encryption Key text box, type the encryption key to use for the secure connection between the Firebox and the log hosts. The default encryption key is the status passphrase as selected in the Quick Setup Wizard.
5 Click OK .
Do this procedure again until all the primary log hosts and the backup log hosts appear in the list on the WSEP.
Enabling Syslog logging
Syslog log messages do not get encrypted. Do not select a host on the external interface as the Syslog server as this is not secure. From the Policy Manager:
1 Click Setup > Logging .
The Logging Setup appears.
2 Click the Syslog tab.
The Syslog tab information appears, refer to the figure that follows.
3 Select the Enable Syslog Logging check box.
4 Type the IP address of the Syslog server.
5 Select the Syslog service from the drop-down list. You can select from LOG_LOCAL_0 through LOG_LOCAL_7.
6 Click OK .
For more information on the Syslog logging, refer to the FAQ: https://www.watchguard.com/support/advancedfaqs/log_syslog.asp
Changing the log encryption key
From the Policy Manager:
1 Click Setup > Logging .
The Logging Setup appears.
2 Select the host name. Click Edit .
3 Type the new log encryption key. Click OK .
You must use the same log encryption key for the Firebox and the WSEP. To change the log encryption key on the WSEP, refer to “Setting the log encryption key” on page 137.
Removing a log host
From the Policy Manager:
1 Click Setup > Logging .
The Logging Setup appears.
2 Select the host name. Click Remove .
3 Click OK .
Reordering log hosts
The log hosts appear on a list on the WSEP. The top host on the list receives the log messages; the others are backup hosts.
Use the Up and Down keys to change the sequence of the log hosts. From the Logging Setup :
• To move a host down, select the host name. Click Down .
• To move a host up, select the host name. Click Up .
Synchronizing log hosts
You must make all the log hosts use the time from the same source. This keeps the correct time in the log if a failover occurs. A Firebox sets its clock to the log host. In an installation on one domain, set each log host to the domain controller.
For Windows log hosts
1 Go to each log host. Open an MS-DOS Command-Prompt window. Type:
net time /domain:domainName /set
where domainName is the domain in which the log hosts operate.
The system shows the domain controller.
2 Type Y .
The time of the local host is set to that of the domain controller.
You can also make all the log hosts use an independent time source. Atomic clock–based servers are available on the Internet. You can get access to this service at: http://www.bldrdoc.gov/timefreq
Setting up the WatchGuard Security Event Processor
The WatchGuard Security Event Processor (WSEP) component is available as a:
• command-line program
• service on a Windows 2000, Windows 2003, or a Windows XP host.
When you install the WatchGuard Firebox System, the default WSEP installation is on the management station. You must manually install the WSEP on all the log hosts.
Running the WSEP application on Windows 2000, Windows 2003, or Windows XP
The default installation of the WSEP component is to install as a Windows service. It then starts automatically as the host computer starts.
1 To start the WSEP service:
- In Windows 2000 or 2003, click Start > Settings > Control Panel > Administrative Tools >
Services .
- In Windows XP, click Start > Control Panel > Administrative Tools > Services .
2 Double-click or right-click WG Security Event Processor . Click Start .
- Or, right-click on the WSEP icon in the system tray and click Start .
- You can also start your computer again. The service then starts automatically.
If the WSEP component installs as a service and you use pop-up notifications, make sure that the service can work with the Desktop:
1 To make sure:
- In Windows 2000 or 2003, click Start > Settings > Control Panel > Administrative Tools >
Services .
- In Windows XP, click Start > Control Panel > Administrative Tools > Services .
2 Double-click WG Security Event Processor . Click the Log On tab.
3 Make sure that you select the Allow service to interact with desktop check box.
4 Save the changes and start the WSEP component again.
As a service, using the Command Prompt
The installation wizard of the WatchGuard System Manager installs the WSEP component. You can also do this manually:
1 Click Start > Run and type: command .
A Command prompt window appears.
2 Change the directory to the WatchGuard installation directory.
The default installation directory is C:\Program Files\WatchGuard.
3 At the command line, type: controld -nt-install
You can also give other commands for the WSEP component from the Command Prompt:
• To start the WSEP component, type at the command line:
- controld -nt-start
• To stop the WSEP component, type at the command line:
- controld -nt-stop
• To remove the WSEP component, type at the command line:
- controld -nt-remove
Interactive mode from a Command Prompt
You can also use the WSEP component in the interactive mode from a Command Prompt window. To do this, type: controld -NT -interactive
Note
You can minimize the Command Prompt window. If you close the window, the WSEP component stops.
Viewing the WSEP component
While the WSEP component is active, a Firebox-and-traffic icon (shown at left) appears in the Windows Desktop tray. To see the WSEP component, right-click the tray icon and select WSEP Status/Configuration. The status and configuration information appears.
If the WSEP icon is not in the desktop tray, go to the Firebox System Manager. Click Tools > Logging > Event Processor Interface. The WSEP icon appears in the desktop tray at this time.
When you run the WatchGuard installation program, the program adds a shortcut to the Startup folder in the Start menu. This starts the Event Processor interface when you log in to the system.
Starting and stopping the WSEP
The WSEP starts automatically when you start the host with WSEP on it. You can manually stop or start the WSEP. From the WSEP component:
• To start the WSEP component, click File > Start Service .
• To stop the WSEP component, click File > Stop Service .
Setting the log encryption key
The log connection between the Firebox and a log host is encrypted for security. The log file is not encrypted. The management station and the WSEP component must have the same encryption key.
Note
You must give an encryption key for the log host to receive log messages from the Firebox.
From the WSEP component:
1 Click File > Set Log Encryption Key .
2 Type the log encryption key in the 2 text boxes. Click OK .
Setting Global Logging and Notification Preferences
The WSEP has a list of the Fireboxes that are connected and shows their status. There are 3 control areas:
Log Files tab
To set the maximum number of records that you can keep in the log file.
Reports tab
To schedule regular reports of log entries.
Notification tab
To control notification.
Together, these controls set the general configuration for events and notifications.
Log file size and rollover frequency
You can control the size of the log file by the number of log entries or by time. When the log file increases to the size you set, the log host creates a new file or overwrites the old file. Log rollover is the frequency at which log files overwrite. To find the maximum size of your log file, you must look at:
• The storage space that is available.
• The number of days you want available.
• The size that is best to keep, open, and view.
• The number of event types that are recorded. For example, a small company can get 10,000 entries in two weeks, and a large company with many services enabled can easily have 100,000 entries in a day.
• The traffic the Firebox processes.
• The number of reports to create.
To create a week report, it is necessary to have 8 or 9 days of data in your log file.
It is good to monitor the new log files and adjust the configuration as necessary.
Setting the interval for log rollover
You can control when the log files rollover in the Log Files tab in the WSEP interface. From the WSEP:
1 Click the Log Files tab.
Refer to the Log Files tab figure that follows.
2 To roll the log file on a time interval, select the Roll Log Files By Time Interval check box. Set the time interval. From the Next Log Roll is Scheduled For drop-down list, select a date when the log file rolls.
3 To roll the log file on the number of log messages, select the Roll Log Files By Number of Entries check box. Type the number of log messages the file collects before the file rolls, or use the spin control to set the number.
The Approximate Size field changes to show the approximate file size of the final log file. To see the function of each control, right-click it, and then select What’s This?. Also, refer to the “Field Definitions” chapter in the Reference
Guide.
4 Click OK .
The WSEP interface closes and saves your entries. The new configuration starts immediately.
Scheduling log reports
You can schedule the WSEP component to regularly make network activity reports. For more information, refer to “Scheduling a report” on page 157.
Controlling notification
Use the WSEP interface to control where and when to send notifications.
From the WSEP:
1 Click the Notification tab.
Refer to the figure that follows.
2 Update the configuration.
To see the function of a control, right-click it, and then select What’s This? For more information, refer to the “Field
Definitions” chapter in the Reference Guide.
Setting a unique Firebox name for log files
You can give the Firebox a special name to use in the log files. If not, the name appears as the IP address of the Firebox. From the Policy Manager:
1 Click Setup > Name .
The Firebox Name text box appears.
2 Type a name for the Firebox. Click OK .
You can use all the characters but not spaces and forward or back slashes (/ or \).
For more information on the log file names, refer to the FAQ: https://www.watchguard.com/support/advancedfaqs/log_filename.asp
Customizing Logging and Notification by Service or Option
In the WatchGuard System Manager, you can make a custom logging and notification configuration for each service and blocking selection. With this, you only have to record events that are necessary and only give notification for the events that are important.
The dialog box for the logging and the notification configuration is the same for all the services, the blocking categories, and the packet-handling options. This makes the configuration easier for all the services. Refer to the figure of a dialog box as follows:
You can configure:
Category
The event types you can record. This list is different for each service or selection. Select the event name to show and select the configuration.
Enter in the log
Select this check box to record the event type. Remove the selection to stop the logging. When the Firebox does domain name resolution, there can be some time before the logs appear in the log file. All denied packets log automatically.
Send Notification
Select this check box to enable notification for the event type. Remove the selection to stop notification.
These objects show when you select the Send Notification check box:
E-mail
Sends an e-mail message when the event occurs. Set the e-mail address in the Notification tab of the WSEP user interface.
Pop-up Window
Makes a pop-up window appear on the log host when the event occurs.
Custom Program
Uses a custom script when the event occurs. A custom batch file or program enables you to do different types of notification. Type the full path to the program, or use Browse to find and select the program.
Note
You can only give one type of notification per event.
Setting Launch Interval and Repeat Count
You can control the time of the notification, together with the Repeat Interval, as follows:
Launch Interval
The minimum time (in minutes) between different notifications. This parameter prevents multiple notifications in a short time for the same event.
Repeat Count
This counts how frequently an event occurs. When this gets to the selected value, a special repeat notifier starts. This notifier makes a repeat log entry about that specified notification.
Notification starts again after this number of events.
Here is an example of how to use these 2 values. The values are set up as follows:
• Launch interval = 5 minutes
• Repeat count = 4
A port space probe starts at 10:00 a.m. and continues each minute. This starts the logging and notification mechanisms. These are the times and the actions that occur:
1 10:00—Initial port space probe (first event)
2 10:01—First notification starts (one event)
3 10:06—Second notification starts (reports five events)
4 10:11—Third notification starts (reports five events)
5 10:16—Fourth notification starts (reports five events)
The launch interval controls the time intervals between the events 1, 2, 3, 4, and 5. This was set to 5 minutes.
Multiply the repeat count by the launch interval. This is the time interval an event must continue to start the repeat notifier.
Setting logging and notification for a service
For each service you can control the logging and the notification of these events:
• The incoming packets that the Firebox allows.
• The incoming packets that the Firebox denies.
• The outgoing packets that the Firebox allows.
• The outgoing packets that the Firebox denies.
From the Policy Manager:
1 Double-click a service in the Services Arena.
The Properties dialog box appears.
2 Click Logging .
The dialog box for the Logging and Notification appears. The selections for each service are the same. The primary difference is if the service is for incoming, outgoing, or bidirectional communication.
3 Change the logging and the notification properties to your security policy preferences. Click OK .
Setting logging and notification for default packet-handling options
You can control the logging and the notification properties for these packet-handling selections:
• Spoofing attacks
• IP options
• Port probes
• Address space probes
• Incoming packets not handled
• Outgoing packets not handled.
From the Policy Manager:
1 Click Setup > Intrusion Protection > Default Packet Handling .
The Default Packet Handling appears.
2 Click Logging .
3 Change the logging and the notification properties to your security policy preferences. Click OK .
Setting logging and notification for blocked sites and ports
You can control the logging and the notification properties for blocked sites and blocked ports. The procedure is the same for each operation. This procedure is for blocked sites.
From the Policy Manager:
1 Click Setup > Intrusion Protection > Blocked Sites .
The dialog box for the Blocked Sites appears.
2 Click Logging .
3 Change the logging and the notification properties to your security policy preferences. Click OK .
CHAPTER 13
Reviewing and Working with Log Files
This chapter gives instructions on how to see, search, consolidate, and copy log files.
The WatchGuard Security Event Processor (WSEP) controls logging, report schedules, and notification. It also sets the time for the Firebox.
For more information about the WatchGuard Security Event Processor and how to set up logging, refer to Chapter 12, “Setting Up Logging and Notification.” For more information on specific log messages, refer to the FAQ: https://www.watchguard.com/support/advancedfaqs/log_main.asp
Log File Names and Locations
Logs are written to a primary or backup WatchGuard Security Event Processor (WSEP). The default location for the log file is the subdirectory \logs in the WatchGuard installation directory.
The log file name depends on whether the Firebox has a name:
• If the Firebox has a special name, the name of the log files is FireboxName timestamp.wgl. (You can name your Firebox in the Policy Manager > Setup > Name.)
• If the Firebox does not have a special name, the name of the log files is FireboxIP timestamp.wgl.
The WSEP also makes an index file with the same name as the log file, but with the extension .idx1. You can find this file in the log file directory. The .wgl and .idx1 files are necessary to use the tools to monitor or display logs. For more information on the log file name, refer to the FAQ: https://www.watchguard.com/support/advancedfaqs/log_filename.asp
Viewing Files with LogViewer
LogViewer is the WatchGuard System Manager tool you use to see the log file data. It can show the log data page by page, or search and display by key words or specified log fields.
Starting LogViewer and opening a log file
From the Firebox System Manager:
1 Click the LogViewer icon.
LogViewer opens and the Load File appears.
2 Browse to select a log file. Click Open .
The default location of the logs is the \logs subdirectory of the WatchGuard installation directory.
3 The LogViewer opens and shows the selected log file.
Setting LogViewer preferences
You can adjust the content and the format of the display. From the LogViewer:
1 Click View > Preferences .
2 Change the LogViewer display preferences.
To see the function of each item on the General tab, right-click it and then click What’s This?. Also refer to the “Field Definitions” chapter in the Reference Guide. For information on the Filter Data tab, see “Displaying and Hiding Fields.”
Searching for specified entries
The LogViewer search tool lets you find specified log entries by a key word or data field.
By key word
From the LogViewer:
1 Click Edit > Search > by Keyphrase .
2 Type the text you want to find. Click Find .
The LogViewer looks at all the log messages in the log file. You can select if you want the LogViewer to show the log messages in the primary window or in a filter window.
By field
From the LogViewer:
1 Click Edit > Search > By Fields .
2 Click directly below the Field column. Use the drop-down list that appears to select a field name.
3 Click the Value column. A text box or a drop-down list appears. Type a specified value or use the drop-down list to select a value.
4 Click Search.
The LogViewer looks at all the log messages in the log file. You can select if you want the LogViewer to show the log messages in the primary window or in a filter window.
Copying and exporting LogViewer data
You can move log file data from LogViewer to a different tool. The data is then changed to a text file (.txt). Use copy to move specified log entries to a different tool. Use export to move all of the log file, or a filtered set of records, to a different tool. You can make a copy of the log entries in the LogViewer filter window, and then export it.
The search tools in the filter window are the same as in the LogViewer filter window. For more information, refer to the section before. The figure that follows shows the filter window over the LogViewer window.
Copying log data
1 Select the log messages you want to copy.
Press the Shift key while clicking to select a continuous group of log messages. Press the Ctrl key while clicking to select two or more log messages that are not in a continuous group.
2 To make a copy of the entries to paste in a different tool, click Edit > Copy to clipboard .
To make a copy of the entries in a filter window before export, click Edit > Copy to Filter Window .
Exporting log data
You can export log records from the primary window (all records), or the filter window.
1 Click File > Export .
The Save Main Window appears.
2 Select a location. Type a file name. Click Save .
The LogViewer saves the selected window to a text file.
Displaying and Hiding Fields
In the figure below you can see an example of the usual LogViewer interface. The log messages in the log file have the time stamp, the host name, the process name, and the process identification before the log summary. Use the Preferences dialog box to show or hide the columns in the LogViewer. From the LogViewer:
1 Click View > Preferences. Click the Filter Data tab.
2 Select the check boxes of the items you want to show. Clear the check boxes of the columns to hide.
This section gives each column and the default selection: Show (appear) or Hide (not appear):
Number
The sequence number in the file. Default = Hide
Date
The date that the record enters the log file. Default = Show
Time
The time that the record enters the log file. Default = Show.
The Firebox receives the time from the log host. Make sure that the time zone is set correctly on all Fireboxes and the log hosts. The Firebox uses Greenwich Mean Time when it sends logs to the log host. The log host then uses the Firebox time zone information to calculate the local time. To change the Firebox time zone, refer to “Setting the Time Zone” on page 32.
The type of event changes the way the remaining columns show in LogViewer. The most important events to know are the packet events, which display data as shown below:
deny in eth0 339 udp 20 128 192.168.49.40 255.255.255.255 67 68 (bootpc)
The packet fields, in sequence from the left side to the right side, are:
Disposition
Default = Show. The disposition can be as follows:
Allow — the packet was let through by the set of filter rules.
Deny — the packet was denied by the set of filter rules.
Direction
The packet records if it was received by the interface (“in”) or when it was transmitted by the Firebox (“out”). Default = Hide
Interface
The name of the network interface of the packet.
Default = Show
Total packet length
The total length of the packet in octets. Default = Hide
Protocol
The protocol name, or a number from 0 to 255. Default = Show
IP header length
The length of the IP header for this packet in octets. A header length that is not equal to 20 shows IP options. Default = Hide
TTL (time to live)
The value of the TTL field in the logged packet.
Default = Hide
Source address
The source IP address of the logged packet. Default = Show
Destination address
The destination IP address of the logged packet.
Default = Show
Source port
The source port of the logged packet, UDP or TCP only.
Default = Show
Destination port
The destination port of the logged packet, UDP or TCP only. Default = Show
Details
Data about IP fragmentation, TCP flag bits, IP options.
If in trace mode, also the source file and the line number.
If in debug or verbose mode, more information shows.
Also, the type of connection can show in parentheses. Default = Show
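As an added example (not part of this guide or of WatchGuard's software), the Python code below parses a packet event line in the column order listed above, keeps the UDP/TCP ports separate from the Details column, and flags IP options from the header length. The first sample line is the one shown above; the other two are constructed for the example.

```python
# Added example (not WatchGuard code): parse LogViewer packet-event lines into
# named fields, in the column order the guide lists, and flag IP options.
from dataclasses import dataclass
from typing import List, Optional

# Protocol names and numbers for which the packet event carries ports.
PORT_PROTOCOLS = {"tcp", "udp", "6", "17"}


@dataclass
class PacketEvent:
    disposition: str            # "allow" or "deny"
    direction: str              # "in" (received) or "out" (transmitted)
    interface: str              # e.g. eth0
    total_length: int           # total packet length in octets
    protocol: str               # protocol name, or a number from 0 to 255
    header_length: int          # IP header length in octets; 20 means no options
    ttl: int                    # TTL field of the logged packet
    src: str                    # source IP address
    dst: str                    # destination IP address
    src_port: Optional[int]     # UDP/TCP only, otherwise None
    dst_port: Optional[int]     # UDP/TCP only, otherwise None
    details: str                # fragmentation, TCP flags, IP options, "(service)"

    @property
    def has_ip_options(self) -> bool:
        # The guide: a header length that is not 20 shows IP options.
        return self.header_length != 20


def parse_packet_event(line: str) -> PacketEvent:
    """Parse one packet event in the LogViewer layout (space-separated fields)."""
    fields = line.split()
    if len(fields) < 9:
        raise ValueError(f"too few fields for a packet event: {line!r}")
    disposition, direction, iface, total, proto, hlen, ttl, src, dst = fields[:9]
    if disposition not in ("allow", "deny"):
        raise ValueError(f"unknown disposition {disposition!r}")
    if direction not in ("in", "out"):
        raise ValueError(f"unknown direction {direction!r}")
    if proto.isdigit() and not 0 <= int(proto) <= 255:
        raise ValueError(f"protocol number out of range: {proto}")

    rest = fields[9:]
    src_port = dst_port = None
    # Ports are logged for UDP and TCP only; whatever follows them is the Details column.
    if (proto.lower() in PORT_PROTOCOLS and len(rest) >= 2
            and rest[0].isdigit() and rest[1].isdigit()):
        src_port, dst_port = int(rest[0]), int(rest[1])
        rest = rest[2:]
    return PacketEvent(
        disposition, direction, iface, int(total), proto, int(hlen), int(ttl),
        src, dst, src_port, dst_port, " ".join(rest),
    )


def parse_packet_events(lines: List[str]) -> List[PacketEvent]:
    return [parse_packet_event(line) for line in lines if line.strip()]


# Sample lines: the first is the guide's own example, the other two are constructed.
SAMPLE_LINES = [
    "deny in eth0 339 udp 20 128 192.168.49.40 255.255.255.255 67 68 (bootpc)",
    "allow out eth1 60 tcp 24 64 10.0.0.5 203.0.113.9 51515 443 (https)",  # constructed; 24-octet header
    "deny in eth0 84 icmp 20 255 198.51.100.7 10.0.0.1",                   # constructed; no ports
]

if __name__ == "__main__":
    for ev in parse_packet_events(SAMPLE_LINES):
        flag = " [IP options]" if ev.has_ip_options else ""
        print(f"{ev.disposition:5} {ev.direction:3} {ev.src}:{ev.src_port} -> "
              f"{ev.dst}:{ev.dst_port} {ev.protocol} {ev.details}{flag}")
```

The port fields are only consumed when the protocol is UDP or TCP (by name or by number), so an ICMP event with no port columns still parses, and a non-standard header length is surfaced through has_ip_options rather than silently accepted.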
Working with Log Files
The Firebox constantly writes messages to log files on the WatchGuard Security Event Processor (WSEP).
When the log file is in use, you cannot copy, move, or consolidate it with the usual copy tools. If you work with log files that are in use, you must use the WSEP utilities.
To open the WSEP Status/Configuration user interface:
• Right-click the WSEP icon (shown at right) in the Windows system tray and select WSEP Status/Configuration. If the WSEP icon is not in the system tray, you can start the WSEP from the System Manager by clicking Tools > Logging > Event Processor Interface.
Consolidating logs from multiple locations
You can put together two or more log files into one file. You can then use this file in Historical Reports,
LogViewer, HostWatch, or some other tool to examine log data for an extended time period. From the user interface of the WSEP Status/Configuration:
1 Click File > Copy or File > Merge log files.
2 Click Merge all files to one file.
Type the name of the file.
3 In the Files to Copy text box, type the files to consolidate.
You can also use the Browse button to select the files.
4 In the Copy to This Directory text box, type the destination for the files.
5 Click Merge.
The log files are consolidated and saved to the new file in the specified directory.
Copying log files
You can copy a log file from one location to a different location, and you can copy the log file that is in use. From the WSEP Status/Configuration:
1 Click File > Copy or Merge Log Files.
2 Click Copy each file individually.
3 In the Files to Copy text box, type the names of the files you want to copy.
4 In the Copy to This Directory text box, type the destination for the file.
5 Click Copy.
The log file copies to the new directory with the same file name.
Forcing the rollover of log files
With a log rollover you erase or save the log file and make a new log file. Automatic rollover uses the
• From the WSEP Status/Configuration, click File > Roll Current Log File.
The log file saves as Firebox IP Time Stamp.wgl or Firebox Name Time Stamp.wgl. The Event Processor continues to write new data to Firebox IP.wgl or Firebox Name.wgl.
Saving log files to a new location
The default location of the log files is the /logs subdirectory of the WatchGuard installation directory. You can change this location with a text editor in the controld.wgc file.
1 Open a text editor (Microsoft Wordpad).
2 Use the text editor to open the controld.wgc file in the WatchGuard installation directory.
The default location is C:\Program Files\WatchGuard\controld.wgc.
3 Look for text that reads logdir: logs. Change logs to the complete or the relative path of the new destination.
For example, to change the destination to an archive directory with the subdirectory WGLogs on the D: drive, the syntax is logdir: D:\Archive\WGLogs.
4 Save your changes and close the text editor.
5 Stop and start the WatchGuard Security Event Processor: Right-click the WatchGuard Security Event Processor in the Windows desktop tray. Click Stop Service. Right-click the icon again and click Start Service.
The new log files go into the specified directory. You can move the log files in the /logs directory to the new directory to keep them together.
Setting log encryption keys
For security, the log connection between the Firebox and a log server is encrypted. The log file has no encryption. The Management Station and the WatchGuard Security Event Processor must have the same encryption key. From the WSEP Status/Configuration interface:
1 Click File > Set Log Encryption Key.
The Set Log Encryption Key dialog box appears.
2 Type the log encryption key in the first text box. To make sure that the key is correct, type that same key in the text box below.
Sending logs to a log host at another location
The Firebox encrypts the log connection. This makes it safe to send the log files across the Internet to a log host at a different office. This host can be behind a different Firebox.
You must configure the remote Firebox to send the log files to a specified location. You must configure the primary office Firebox to let the log messages through the firewall to the log host.
On the Firebox in the primary office:
1 Open the configuration file in the Policy Manager.
2 On the toolbar, click the Add Service icon.
You can also click Edit > Add Service. The Services dialog box appears.
3 Expand Packet Filters.
4 Select WatchGuard-Logging. Click Add. Click OK.
5 On the Incoming tab, select Enabled and Allowed.
6 Below the To list, click Add.
7 Click NAT. In the External IP Address text box, type the external IP address of the primary office Firebox. In the Internal IP Address text box, type the IP address of the log host behind the primary office Firebox.
8 Click OK to close the Add Static NAT dialog box. Click OK to close the Add Address dialog box. Click OK to close the WatchGuard-Logging Properties dialog box.
9 Save the new configuration to the primary office Firebox.
On the remote office Firebox:
1 Open the configuration file in the Policy Manager.
2 Click Setup > Logging. Click Add.
3 Type the external IP address of the primary office Firebox. Type the log encryption key of the log host on the network that protects the primary office Firebox.
4 Click OK to close the Add IP Address dialog box. Click OK to close the Logging Setup dialog box.
5 Save the new configuration to the remote office Firebox.
On the log host:
The log host and the Firebox must always have the same log encryption key. To change the log encryption key on the log host, refer to “Setting log encryption keys” on page 148.
If you configure the remote office Firebox correctly, the IP address appears on the log host at the time it connects.
CHAPTER 14
Generating Reports of Network Activity
Historical Reports is a tool that makes summaries and reports of the Firebox log file. You can use these reports to learn about Internet use. You can also measure bandwidth and see which users and software applications use the most bandwidth. Historical Reports uses the log files that are recorded on the WatchGuard Security Event Processor (WSEP).
With the advanced features of Historical Reports, you can:
• Set a specified time period for a report.
• Customize the report with data filters.
• Consolidate different log files to create a report for a group of Fireboxes.
• Show the report data in different formats.
Creating and Editing Reports
To start Historical Reports, from the Firebox System Manager click the Historical Reports icon
(see the figure at the right side). You can also start Historical Reports from the installation directory. The file name is WGReports.exe.
Starting a new report
From Historical Reports:
1 Click Add.
The dialog box for the Report Properties appears:
2 Type the report name.
The report name appears in Historical Reports, the WatchGuard Security Event Processor, and the name of the output.
3 Use the text box in the Log Directory to give the location of the log files.
The default location for the log files is the \logs subdirectory of the WatchGuard installation directory.
4 Use the text box in the Output Directory to give the location of the output files.
The default location for the output files is the \reports subdirectory of the WatchGuard installation directory.
5 To select the output type, click HTML Report, NetIQ Export, or Text Export.
For more information on output types, refer to “Exporting Reports” on page 154.
6 Select the filter.
For more information on the filters, refer to “Using Report Filters” on page 155.
7 To see the first page when you use the HTML output, select the Execute Browser Upon
Completion check box.
8 Click the Firebox tab.
9 Type the Firebox IP address or a special name. Click Add .
When you type the IP addresses, type all the numbers and the periods. Do not use the TAB or the arrow key. For more information on how to enter the IP addresses, refer to “Enter the IP addresses” on page 25.
10 Give the report preferences. You can find information about this in the subsequent sections of this chapter.
11 Complete the report configuration. Click OK.
The name of the report appears in the list of the Reports.
Editing an existing report
You can always change the configuration of a report. From Historical Reports:
1 Select the report to change. Click Edit.
The dialog box for the Report Properties appears.
2 Change the report configuration.
To see the function of each item, right-click it, and then click What’s This?. Also, refer to the “Field Definitions” chapter in the Reference Guide.
Deleting a report
To remove a report from the list of available reports, click on the report. Click Remove. This removes the .rep file from the reports directory.
Viewing the reports list
To see all the reports, click the Reports Page. The reports appear in your default browser. You can move through all the reports in the list.
Specifying a Report Time Interval
When you use Historical Reports, the report includes data from the full log file, unless you change the time interval. On the Time Filters dialog box, use the drop-down list to select a time interval, for example “yesterday” or “today.” You can also manually configure the start and the end time. The report then uses only the specified time interval:
1 In the Report Properties dialog box, click the Time Filters tab.
2 Select the time-stamp to appear on your report: Local Time or GMT.
3 From the Time Span drop-down list, select the time interval for the report.
If you did not select Specify Time Filters, click OK. If you did select Specify Time Filters, click the Start and the End drop-down lists and select a start and an end time.
4 Click OK.
Specifying Report Sections
You can select the information to show in the report using the Sections tab in the Report Properties dialog box.
From Historical Reports:
1 Click the Sections tab.
2 Select the check boxes for the sections to include in the report.
3 If necessary, select the Authentication Resolution on IP addresses check box.
You must enable user authentication to have the information in your logs resolve to IP addresses. More time is necessary to create a report with the resolution enabled.
4 To use DNS resolution on the IP addresses, select the DNS Resolution on IP addresses check box.
Consolidating Report Sections
In the Sections tab you can select which information to include in a report. You can get:
• A vertical look at the data, on each of a group of Fireboxes
• A horizontal or cumulative look at the data, consolidated for a group of Fireboxes.
To consolidate report sections:
1 In the Report Properties dialog box, select the Consolidated Sections tab.
The tab has a list of report sections that you can consolidate. For short notes on the contents of these sections, refer to “Report Sections and Consolidated Sections” at the end of this chapter.
2 Select the check boxes adjacent to the sections you want to include in the consolidated report, or clear the check boxes for the sections you do not want to include.
3 Click OK.
Setting Report Properties
Reports can have Summary sections or Detail sections. You can control the display of each section independently to best show the information that is important to you. The detail section shows only as a text file, with a user-designated number of records for each page. The summary sections can also show graphs with user-defined parameters.
To set the report properties:
1 In the Report Properties dialog box, click the Preferences tab.
2 Type the number of items to show as a graph in the report.
The default number is 10.
3 Type the number of items to put in the table.
The default number is 100.
4 Select the type of graph to use in the report.
5 Select how to sort the proxied summary: by bandwidth or by connections.
6 Type the number of records to show on each page of the detail sections.
The default number is 1,000 records. Increasing this number can cause your Web browser to crash and makes the report complete very slowly.
7 Click OK.
Setting a Firebox name for reports
You can give the Firebox a special name to use in the reports. If you do not give a name, the report shows the IP address of the Firebox. From the Policy Manager:
1 Click Setup > Name.
The dialog box for the Firebox Name appears.
2 Type the special name for the Firebox. Click OK.
Exporting Reports
You can export reports to three formats: HTML, NetIQ, and text. You can find all reports in the path drive:\WatchGuard Install Directory\Reports.
Exporting reports to HTML format
If you select HTML Report from the Setup tab on the dialog box for the Report Properties, the report output is in HTML. You can go to each report section through a JavaScript menu, thus you must enable
JavaScript on the browser. The figure that follows shows how the report can appear in the browser.
Exporting reports to NetIQ format
NetIQ supplies full reports about how the Internet is used by an organization, but measures data differently than WatchGuard Historical Reports. To calculate Internet use report data, Historical Reports counts the number of transactions that occur on Port 80. NetIQ calculates the number of URL requests.
These numbers are different because more than one URL request can use the same Port 80 connection.
Note
The WatchGuard HTTP proxy logging must be set to ON, to supply NetIQ with the information that is necessary.
You can find the report in: drive:\WatchGuard Install Directory\Reports\Report Directory
Exporting a report to a text file
If you select Text Export from the Setup tab on the dialog box for the Report Properties, the report output is a comma-delimited file. You can use this file in databases and spreadsheets.
You can find the report as a .txt file in: drive:\WatchGuard Install Directory\Reports\Report Directory
Using Report Filters
A report includes data from the full log file unless you create and use report filters. You can use a report filter to show only data about specified hosts, services or users. A filter can be one of two types:
Include
To make a report that includes records with the properties set in the Host, the Service, or the User Report Filters tabs.
Exclude
To make a report that does not include records with the properties set in the Host, the Service, or the User Report Filters tabs.
You can set a filter to Include or Exclude data in a report with three properties:
Host
The host IP address.
Port
The service name or port number.
User
The authenticated user name.
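As an added example (not WatchGuard code), the Python code below models an Include or Exclude filter over log records with the three properties above. The record layout, the service-name-to-port lookup, and the rule that a record matches when it hits any entry on any of the three tabs are assumptions of the example, not statements from this guide.

```python
# Added example (not WatchGuard code): an Include or Exclude report filter that
# selects log records by host IP address, service (name or port), or
# authenticated user name, mirroring the three Report Filters tabs.
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set, Union

# Constructed lookup so a filter can name a service instead of a port number.
SERVICE_PORTS = {"http": 80, "https": 443, "smtp": 25, "dns": 53, "ftp": 21}


@dataclass
class LogRecord:
    client: str           # source host IP address
    server: str           # destination host IP address
    port: int             # server port
    user: Optional[str]   # authenticated user name, None if unauthenticated


@dataclass
class ReportFilter:
    name: str
    kind: str                                   # "include" or "exclude"
    hosts: Set[str] = field(default_factory=set)
    ports: Set[int] = field(default_factory=set)
    users: Set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        if self.kind not in ("include", "exclude"):
            raise ValueError(f"filter type must be include or exclude, got {self.kind!r}")

    def matches(self, rec: LogRecord) -> bool:
        # Assumption: a record matches when it hits any entry on any tab;
        # the Host tab matches either end of the connection.
        return (rec.client in self.hosts or rec.server in self.hosts
                or rec.port in self.ports
                or (rec.user is not None and rec.user in self.users))

    def apply(self, records: Iterable[LogRecord]) -> List[LogRecord]:
        # Include keeps the matching records; Exclude keeps the rest.
        keep = self.kind == "include"
        return [r for r in records if self.matches(r) == keep]


def make_filter(name: str, kind: str, hosts: Iterable[str] = (),
                services: Iterable[Union[str, int]] = (),
                users: Iterable[str] = ()) -> ReportFilter:
    """Build a filter, resolving service names to port numbers."""
    ports: Set[int] = set()
    for svc in services:
        if isinstance(svc, int) or str(svc).isdigit():
            ports.add(int(svc))
        elif str(svc).lower() in SERVICE_PORTS:
            ports.add(SERVICE_PORTS[str(svc).lower()])
        else:
            raise ValueError(f"unknown service name: {svc!r}")
    return ReportFilter(name, kind, set(hosts), ports, set(users))


# Constructed sample records (documentation address ranges).
SAMPLE_RECORDS = [
    LogRecord("10.0.0.5", "203.0.113.9", 443, "alice"),
    LogRecord("10.0.0.7", "203.0.113.20", 80, None),
    LogRecord("10.0.0.5", "198.51.100.3", 80, "alice"),
    LogRecord("10.0.0.9", "203.0.113.9", 25, "bob"),
]

if __name__ == "__main__":
    one_host = make_filter("one-host", "include", hosts=["10.0.0.5"])
    no_web = make_filter("no-web", "exclude", services=["http", "https"])
    for f in (one_host, no_web):
        print(f.name, [(r.client, r.server, r.port) for r in f.apply(SAMPLE_RECORDS)])
```

An unknown service name is rejected when the filter is built rather than silently matching nothing, which is the failure mode that would otherwise make an Exclude filter pass every record through.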
Creating a new report filter
From Historical Reports:
1 Click Filters. Click Add.
2 Type the name of the filter. This name appears in the Filter drop-down list on the Report Properties Setup tab.
3 Select the filter type.
For a description of include and exclude, see above.
4 Complete the Filter tabs.
To see the function of each item, right-click it, and then click What’s This?. You can also refer to the “Field Definitions” chapter in the Reference Guide.
5 When finished, click OK.
The name of the filter appears in the list of the Filters. You can find all filters in the WatchGuard installation directory, in the sub-directory report-defs with the file extension .ftr.
Editing a report filter
You can always change the properties of a filter. From the dialog box for Filters in Historical Reports:
1 Select the filter to change. Click Edit.
The dialog box for the Report Filter appears.
2 Change the filter properties.
To see the function of each property, right-click it, and then click What’s This?. You can also refer to the “Field Definitions” chapter in the Reference Guide.
Deleting a report filter
To remove a filter from the list of filters, select the filter. Click Delete. This removes the .ftr file from the \report-defs directory.
Applying a report filter
Each report can use only one filter. To apply a filter, open the report properties. From Historical Reports:
1 Select the report to which you want to apply a filter. Click Edit.
2 From the Filter drop-down list, select a filter.
A filter appears in the drop-down list only if you created it in the Filters dialog box. For more information, refer to “Creating a new report filter” on page 156.
3 Click OK.
Save the new report to the ReportName.rep file in the report-defs directory. If you now run the report, the filter is applied.
Scheduling and Running Reports
You can run reports manually or schedule reports to run automatically using the WatchGuard Security
Event Processor (WSEP).
Scheduling a report
To schedule the WSEP to automatically run reports:
1 Right-click the WSEP desktop-tray icon. Select WSEP Status/Configuration.
2 Click the Reports tab.
3 Select a report to schedule.
4 Select a time interval.
For a custom interval, select Custom and then type the interval in hours.
5 Type the first date and time the report should run.
The report runs automatically at the selected time and then at each subsequent selected interval.
6 Click OK.
Manually running a report
You can always run one or more reports with Historical Reports. From Historical Reports:
1 Select the check box adjacent to the report.
2 Click Run.
Report Sections and Consolidated Sections
You can use Historical Reports to create a report with one or more sections. Each section includes a different type of information or network activity. You can consolidate specified sections to create a summary. With consolidated sections you can create a report on the event logs of a group of Fireboxes.
Report sections
There are two basic types of report sections:
• Summary — The sections that rank data by bandwidth or connections.
• Detailed — The sections that show all activity with no summary graph or rank.
A list of the different types of report sections and the consolidated sections is shown below:
Firebox Statistics
A summary of the statistics on one or more log files for one Firebox.
Authentication Detail
A list of authenticated users in the sequence of connection time. The text boxes include: the authenticated user, the host, the start date and start time of the authenticated session, the end time of the authenticated session, and the length of the session.
Time Summary — Packet Filtered
A table, and an optional graph, of all the accepted connections divided by user-defined intervals and in the sequence of the time. The default time interval is each day, but you can select a different time interval.
Host Summary — Packet Filtered
A table, and an optional graph, of the internal and the external hosts that send packet-filtered traffic through the Firebox. The hosts show in the sequence of the volume of bytes or the number of connections.
Service Summary
A table, and an optional graph, of the traffic for each service in the sequence of the connection count.
Session Summary — Packet Filtered
A table, and an optional graph, of the top incoming and outgoing sessions. The sessions show in the sequence of the volume of bytes or the number of connections. The format of the session is: client -> server : service. Historical Reports tries to look up the server port with a table to show the service name. If this does not work, Historical Reports shows the port number.
Time Summary — Proxied Traffic
A table, and an optional graph, of all the accepted connections divided by the user-defined intervals and in the sequence of the time. The default time interval is each day, but you can select a different time interval.
Host Summary — Proxied Traffic
A table, and an optional graph, of the internal and the external hosts that send traffic with a proxy through the Firebox. The hosts show in the sequence of the volume of bytes or the number of connections.
Proxy Summary
The Proxies in the sequence of bandwidth or connections.
Session Summary — Proxied Traffic
A table, and an optional graph, of the top incoming and outgoing sessions. The sessions show in the sequence of the volume of bytes or the number of connections. The format of the session is: client -> server : service. The service shows in all capital letters.
HTTP Summary
Tables, and an optional graph, of the top external domains and hosts that users access through the HTTP proxy. The domains and the hosts show in the sequence of the byte count or number of connections.
HTTP Detail
Tables for incoming and outgoing HTTP traffic in the sequence of the time stamp. The fields are
Date, Time, Client, URL Request, and Bytes Transferred.
SMTP Summary
A table, and an optional graph, of the top incoming and outgoing e-mail addresses in the sequence of the volume of bytes or the number of connections
SMTP Detail
A table of incoming and outgoing SMTP proxy traffic in the sequence of the time stamp. The fields are: Date, Time, Sender, Recipient(s), and Bytes Transferred.
FTP Detail
Tables for incoming and outgoing FTP traffic, in the sequence of the time stamp. The fields are
Date, Time, Client, Server, FTP Request, and Bandwidth.
Denied Outgoing Packet Detail
A list of denied outgoing packets, in the sequence of the time. The fields are Date, Time, Type,
Client, Client Port, Server, Server Port, Protocol, and Duration.
Denied Incoming Packet Detail
A list of denied incoming packets, in the sequence of the time. The fields are Date, Time, Type,
Client, Client Port, Server, Server Port, Protocol, and Duration.
Denied Packet Summary
In this section there are different tables. Each table shows the data on the host that denied packets. The data has the time of the first and the last try, the type, the server, the port, the protocol, and the number of tries. If only one try is given, the last field has no data.
Denied Service Detail
A list of events where a user was denied use of a service. This list includes both incoming and outgoing requests.
WebBlocker Detail
A list of URLs denied because of WebBlocker, in the sequence of the time. The fields are Date,
Time, User, Web Site, Type, and Category.
Denied Authentication Detail
A list of each denied authentication, in the sequence of the time. The fields are Date, Time, Host, and User.
IPS Blocked Sites
A list of the IPS blocked sites.
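The Denied Packet Summary described above groups the denied-packet detail records by client host and then by type, server, port and protocol, keeping the first and last try and the number of tries. As an added example (not WatchGuard code), the Python code below builds that summary from constructed detail records and leaves the last-try field empty when there was only one try, as the section describes.

```python
# Added example (not WatchGuard code): build the Denied Packet Summary from
# denied-packet detail records: one table per client host, one row per
# (type, server, port, protocol) with first try, last try and number of tries.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class DeniedPacket:
    when: datetime
    type: str       # the Type field of the detail record
    client: str
    server: str
    port: int
    protocol: str


@dataclass
class SummaryRow:
    type: str
    server: str
    port: int
    protocol: str
    first: datetime
    last: Optional[datetime]   # None when there was only one try, as in the report
    tries: int


def summarize_denied(events: List[DeniedPacket]) -> Dict[str, List[SummaryRow]]:
    """Group detail records into per-client tables, most tries first."""
    by_key: Dict[Tuple[str, str, str, int, str], List[datetime]] = defaultdict(list)
    for ev in events:
        by_key[(ev.client, ev.type, ev.server, ev.port, ev.protocol)].append(ev.when)
    tables: Dict[str, List[SummaryRow]] = defaultdict(list)
    for (client, type_, server, port, proto), times in by_key.items():
        times.sort()
        tables[client].append(SummaryRow(
            type_, server, port, proto,
            first=times[0],
            last=times[-1] if len(times) > 1 else None,
            tries=len(times),
        ))
    for rows in tables.values():
        rows.sort(key=lambda r: r.tries, reverse=True)
    return dict(tables)


def render_table(client: str, rows: List[SummaryRow]) -> List[str]:
    """Text lines for one client's table; the Last column is blank for a single try."""
    out = [f"Denied packets from {client}"]
    for r in rows:
        last = r.last.strftime("%H:%M:%S") if r.last else ""
        out.append(f"{r.first:%Y-%m-%d %H:%M:%S}  {last:8}  {r.type:3}  "
                   f"{r.server}:{r.port}/{r.protocol}  {r.tries}")
    return out


def parse_timestamp(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


# Constructed sample detail records (documentation address ranges).
SAMPLE_EVENTS = [
    DeniedPacket(parse_timestamp("2006-01-10 08:00:01"), "in", "198.51.100.7", "10.0.0.1", 22, "tcp"),
    DeniedPacket(parse_timestamp("2006-01-10 08:00:05"), "in", "198.51.100.7", "10.0.0.1", 22, "tcp"),
    DeniedPacket(parse_timestamp("2006-01-10 08:01:30"), "in", "198.51.100.7", "10.0.0.1", 22, "tcp"),
    DeniedPacket(parse_timestamp("2006-01-10 09:20:10"), "in", "198.51.100.7", "10.0.0.1", 445, "tcp"),
    DeniedPacket(parse_timestamp("2006-01-10 09:15:00"), "out", "10.0.0.5", "203.0.113.9", 6667, "tcp"),
]

if __name__ == "__main__":
    for client, rows in summarize_denied(SAMPLE_EVENTS).items():
        print("\n".join(render_table(client, rows)))
```

Sorting each table by the number of tries puts the repeated attempts against one server port at the top, which is the row a reviewer of the report looks at first.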
Consolidated sections
Network Statistics
A summary of the statistics on one or more log files for all the Fireboxes that are monitored.
Time Summary — Packet Filtered
A table, and an optional graph, of all accepted connections divided by the user-defined intervals and in the sequence of the time. The default time interval is each day, but you can select a different time interval.
Host Summary — Packet Filtered
A table, and an optional graph, of the internal and the external hosts that send packet-filtered traffic through the Firebox. The hosts show in the sequence of the volume of bytes or the number of connections.
Service Summary
A table, and an optional graph, of the traffic for all the services in the sequence of the connection count.
Session Summary — Packet Filtered
A table, and an optional graph, of the top incoming and outgoing sessions. The sessions show in the sequence of the volume of bytes or the number of connections. The format of the session is: client -> server : service. Historical Reports tries to look up the server port with a table to show the service name. If this does not work, Historical Reports shows the port number.
Time Summary — Proxied Traffic
A table, and an optional graph, of all the accepted connections divided by the user-defined intervals and in the sequence of the time. The default time interval is each day, but you can select a different time interval.
Host Summary — Proxied Traffic
A table, and an optional graph, of the internal and the external hosts that send traffic with a proxy through the Firebox. The hosts show in the sequence of the volume of bytes or the number of connections.
Proxy Summary
The Proxies in the sequence of the bandwidth or the connections.
Session Summary — Proxied Traffic
A table, and an optional graph, of the top incoming and outgoing sessions. The sessions show in the sequence of the volume of bytes or the number of connections. The format of the session is: client -> server : service. The service shows in all capital letters.
HTTP Summary
Tables, and an optional graph, of the top external domains and hosts that the users access through the HTTP proxy. The domains and the hosts show in the sequence of the byte count or the number of connections.
CHAPTER 15
Controlling Web Site Access
The WebBlocker feature of the WatchGuard System Manager uses the HTTP proxy to apply a filter to the Web. You can control the access to Web sites. You can select the hours in the day that users can get access to the Web. You can also select the category of Web sites that users cannot go to. For more information on WebBlocker, refer to the FAQ at: https://www.watchguard.com/support/advancedfaqs/web_main.asp
You can also route MUVPN and RUVPN with PPTP users through the outgoing HTTP proxy.
Getting Started with WebBlocker
You must complete these steps before you install WebBlocker on the Firebox.
Downloading the WebBlocker Installer
To download the WebBlocker Installer, log in to your LiveSecurity account, and download the WebBlocker Server for WSM7.5 file WSM75_wbserver.exe.
Installing the WebBlocker server
You install the WebBlocker server by starting the installer you downloaded in the previous procedure.
The WebBlocker Server installs as a Windows service.
1 Double-click the WSM75_wbserver.exe file.
The WebBlocker Server installer starts.
2 Click Next on the information dialog.
3 Select Accept and click Next on the license agreement dialog.
4 Set the install location, or accept the default location, and click Next.
The installation files are installed. The Configure WatchGuard Toolbar dialog appears.
5 Right-click the Windows taskbar, select Toolbars, and select WatchGuard.
The WatchGuard WebBlocker toolbar appears in the Windows taskbar.
6 Click Next in the installer dialog, then click Finish.
Operating systems that are supported for the WebBlocker server are Windows 2000, Windows 2003, and
Windows XP.
Downloading the WebBlocker database
Before you configure WebBlocker, you must download the WebBlocker database.
1 Right-click the WebBlocker Server icon in the toolbar at the bottom of the screen.
2 Select Get Full Database.
The Download WebBlocker Database dialog box appears.
3 Select Download to download the new database.
Note
The WebBlocker database has more than 100 MB of data. Your connection speed sets the download speed, and the download can take more than 30 minutes. Make sure the hard disk drive has a minimum of 200 MB of free space.
4 After the database download is complete, click OK.
5 Right-click the WebBlocker icon on the WatchGuard toolbar, and select Start Service.
You can use the WebBlocker utility at any time to:
• Download a new version of the database.
• Get an incremental update of the database.
• See the database status.
• Start or stop the server.
Installing a WebBlocker License
You must install a WebBlocker license on the Firebox before you can use the WebBlocker features. For more information, see “Controlling and Enabling License Keys,” on page 5.
Configuring the WatchGuard service icon
You must set the WatchGuard service configuration to Allow Outgoing to Any. With this configuration, WebBlocker can copy the new version of the WebBlocker database to the event processor.
You can make this configuration more specific if you use the IP address of webblocker.watchguard.com.
Add an HTTP Service
To use WebBlocker, add the Proxied-HTTP, Proxy, or HTTP service. WatchGuard recommends that you use Proxied-HTTP, which puts a filter on all the ports. HTTP without the Proxy service manages only port 80. WebBlocker overrides the other configurations in the HTTP- or Proxy-services. Thus, you prevent all Web access if you set WebBlocker to “Block All URLs”. For information on how to add an HTTP proxy service, refer to “Adding a proxy service for HTTP” on page 105.
Configuring the WebBlocker Service
The services of WebBlocker include HTTP, Proxied HTTP, and Proxy. After you install WebBlocker, five tabs appear in the Properties dialog box:
• WebBlocker Controls
• WB: Schedule
• WB: Operational Privileges
• WB: Non-operational Privileges
• WB: Exceptions
Activating WebBlocker
From Policy Manager:
1 Double-click the service icon that you use for HTTP. Click the Properties tab. Click Settings.
The service dialog box appears.
2 Click the WebBlocker Controls tab.
The tab appears. See the figure below.
3 Select the Activate WebBlocker check box.
4 Adjacent to the WebBlocker Servers box, click Add.
A dialog box appears.
5 In the Value text box, type the IP address of the server. Click OK.
Allowing WebBlocker server bypass
Outbound HTTP traffic is automatically denied when the WebBlocker server does not respond.
To let all the outbound HTTP traffic through when a WebBlocker server cannot be found, select Allow WebBlocker Server Bypass on the WebBlocker Controls tab. This selection is global. If you set it in one HTTP service, it applies to all other HTTP proxy services.
Configuring the WebBlocker Message
You can give the text that appears when the end user tries to open a blocked Web site. You do this in the Message for blocked user field.
The text cannot contain HTML or the greater than (>) and less than (<) characters. You can use these metacharacters:
%u
The full URL of the denied web site.
%s
The block status, or the cause that the web site was blocked. The status can be: host, host/directory, all web access blocked, denied, database not loaded.
%r
The WebBlocker category or categories that cause the block.
For example, this entry in the field shows the URL, the status, and the category:
Request for URL %u denied by WebBlocker: %s blocked for %r.
With this entry in the Message for blocked user field, this text can appear in the browser of a user:
Request for URL www.badsite.com denied by WebBlocker: host blocked for violence/profanity.
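As an added example (not WatchGuard code), the Python code below checks a Message for blocked user entry for the characters the guide does not allow and expands the %u, %s and %r metacharacters in one pass. The template and the sample values are the ones shown above; the function names and the single-pass substitution are the example's own.

```python
# Added example (not WatchGuard code): validate a "Message for blocked user"
# template and expand its %u, %s and %r metacharacters in a single pass.
import re

# Block statuses the guide lists for %s.
BLOCK_STATUSES = {"host", "host/directory", "all web access blocked",
                  "denied", "database not loaded"}
META_PATTERN = re.compile(r"%([usr])")


def validate_message(template: str) -> str:
    """Reject templates that contain HTML or the < and > characters."""
    if "<" in template or ">" in template:
        raise ValueError("message must not contain HTML or the < and > characters")
    return template


def render_message(template: str, url: str, status: str, category: str) -> str:
    """Fill %u (URL), %s (block status) and %r (category) into the template."""
    validate_message(template)
    if status not in BLOCK_STATUSES:
        raise ValueError(f"unknown block status {status!r}")
    values = {"u": url, "s": status, "r": category}
    # re.sub with a callable inserts each value literally, so a URL that itself
    # contains "%s" or "%r" is not expanded a second time.
    return META_PATTERN.sub(lambda m: values[m.group(1)], template)


# The guide's example template.
TEMPLATE = "Request for URL %u denied by WebBlocker: %s blocked for %r."

if __name__ == "__main__":
    print(render_message(TEMPLATE, "www.badsite.com", "host", "violence/profanity"))
```

Because the URL comes from the user's request, the substitution must not feed it back through the template engine; the callable form of re.sub guarantees that, and the < and > check keeps the rendered text from being interpreted as markup.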
Scheduling operational and non-operational hours
With WebBlocker you can configure 2 different time periods:
• Operational hours - The usual hours of operation
• Non-operational hours.
You can use these time periods to make the rules about when you block different Web sites.
For example, you can block sports Web sites in the usual hours of operation, and allow access at lunch time, evenings, and weekends.
From the proxy dialog box:
1 Click the WB: Schedule tab.
The tab appears. See the figure below:
2 Click the hour boxes to identify the time period as an Operational hour or Non-operational hour.
Note
The operational and non-operational hour periods change when you set a different time zone. The default WebBlocker configuration uses GMT unless you set a Firebox time zone. For more information on how to set the Firebox time zone, refer to “Setting the Time Zone” on page 32.
Setting privileges
WebBlocker uses content categories to classify a URL. Use the Privileges tab to select the types of content that can be accessed during operational and non-operational hours.
From the proxy dialog box:
1 Click the WB: Operational Privileges tab or the WB: Non-operational Privileges tab.
2 Select the content types in the Allowed Categories list that you want to block, then click the > button to add them to the Denied Categories list. To deny all categories, click the >> button.
To move a category from the Allowed Categories list to the Denied Categories list, click the < button.
To allow all categories, click the << button.
Creating WebBlocker exceptions
You can override a WebBlocker rule with an exception. You can add a Web site that is allowed or denied.
These exceptions apply only to HTTP traffic. They are not related to the Blocked Sites list.
The exceptions tool keeps a list of IP addresses that are allowed or denied. You can give exceptions by domain name, network address, or host IP address.
You can also specify a port number, path name, or string that must be blocked for a specific Web site.
For example, if it is necessary to block only www.sharedspace.com/~dave, because the site of Dave contains nude photographs, you type “~dave” to block that directory of sharedspace.com. This gives the users access to www.sharedspace.com/~julia, which contains a piece on increased production.
If it is necessary to block sexually explicit content that is on sharedspace.com, you can type *sex. This blocks a Web page such as www.sharedspace.com/~george/sexy.htm. If you type an asterisk (*) in front of the text, it finds that string anywhere in the URL. Typing *sex in the pattern section does not block every URL on the Internet with the word “sex”: the * character only changes the exception for the specified URL.
For example, if you block www.sharedspace.com/*sex, this blocks www.sharedspace.com/sexsite.html.
Note
WebBlocker exceptions apply only when you get access to an external Web site. You cannot use WebBlocker exceptions for an internal host.
From the HTTP Proxy dialog box:
1 Click the WB: Exceptions tab (if you do not see this tab, use the arrow keys at the right of the dialog box).
2 In the Allowed Exceptions section, click Add.
The Define Exceptions dialog box appears.
3 From the Select type of exception drop-down list, select host address, network address, or URL. You can also use the Lookup Domain Name selection to find the IP address of a domain.
If you use Lookup Domain Name, the IP addresses that the lookup finds are automatically added to the list after you click OK.
4 Type the port or string to let a specified port or directory pattern through.
When you type an IP address, type all the numbers and the periods. Do not use the TAB or arrow keys. For more information on entering IP addresses, refer to “Enter the IP addresses” on page 25.
5 In the Denied Exceptions section, click Add. You must give the host address, network address, or URL.
To block a specified string for a domain, select Host Address. To block a specified directory pattern, type the text (for example, “*poker”).
6 To remove an item from the Allow or the Deny list, select the address, and then click Remove.
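As an added example (not WatchGuard code), the following Python models the difference between a directory pattern such as ~dave and a *-prefixed string such as *sex inside a denied exception for one host; the matching semantics are a simplified reading of the text above, and the exception list and URLs are constructed.

```python
"""Model of WebBlocker denied-exception matching as described in the guide.

Added example, not WatchGuard code. The semantics are a simplified reading
of the text: an exception names one host and an optional pattern. A pattern
that starts with "*" matches its text anywhere in that host's URL path; a
pattern without "*" matches a directory at the start of the path. Allowed
exceptions, ports and network-address exceptions are left out of the model.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class DeniedException:
    host: str                       # site the exception applies to, e.g. www.sharedspace.com
    pattern: Optional[str] = None   # None denies every URL on the host

    def matches(self, url: str) -> bool:
        # Accept URLs typed with or without a scheme, as a user would type them.
        parts = urlsplit(url if "://" in url else "http://" + url)
        if parts.hostname is None or parts.hostname.lower() != self.host.lower():
            # The * character only changes the exception for the specified
            # site; it never turns the pattern into an Internet-wide block.
            return False
        if self.pattern is None:
            return True
        path = parts.path.lower().lstrip("/")
        if self.pattern.startswith("*"):
            # "*sex" finds the string anywhere in the URL path of this host.
            return self.pattern[1:].lower() in path
        # "~dave" blocks only that directory (and anything below it).
        return path.startswith(self.pattern.lower().lstrip("/"))


def is_denied(url: str, exceptions: List[DeniedException]) -> bool:
    """True when any denied exception applies to the URL."""
    return any(exc.matches(url) for exc in exceptions)


# Constructed sample list mirroring the guide's sharedspace.com discussion.
SAMPLE_EXCEPTIONS = [
    DeniedException("www.sharedspace.com", "~dave"),
    DeniedException("www.sharedspace.com", "*sex"),
]

# Constructed sample requests and the decision the model reaches for each.
SAMPLE_REQUESTS = {
    "http://www.sharedspace.com/~dave/photos.html": True,        # Dave's directory
    "http://www.sharedspace.com/~julia/production.html": False,  # Julia stays reachable
    "www.sharedspace.com/~george/sexy.htm": True,                # "*sex" matches anywhere
    "http://www.sharedspace.com/sexsite.html": True,
    "http://www.othersite.example/sex.html": False,              # different host: untouched
}


def check_samples() -> bool:
    """Return True when every constructed request gets the expected decision."""
    return all(is_denied(url, SAMPLE_EXCEPTIONS) is expected
               for url, expected in SAMPLE_REQUESTS.items())


if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        verdict = "denied" if is_denied(url, SAMPLE_EXCEPTIONS) else "allowed"
        print(f"{url}: {verdict}")
```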
Managing the WebBlocker Server
The WebBlocker server is installed as a Windows Service. You can start or stop the server from the Services tool in the Program Group of the Windows Control Panel.
Installing Multiple WebBlocker Servers
You can install two or more WebBlocker servers in a failover configuration. If the primary WebBlocker server fails, the Firebox automatically fails over to the first server in the WebBlocker Servers box. Refer to “Activating WebBlocker” on page 163.
To add another WebBlocker server:
1 On the WebBlocker Controls tab in the HTTP Proxy dialog box, click Add.
A dialog box appears.
2 In the Value text box, type the IP address of the server. Click OK.
You can use the Up and Down buttons to change the position of the servers in the list.
When you operate two or more WebBlocker servers in failover mode, the time between failovers can be up to two minutes.
Automating WebBlocker database downloads
The best procedure to keep your WebBlocker database updated is to use Windows Task Scheduler.
Before you can do this, you must download the WebBlocker database and start the WebBlocker Server.
Then, you can use Windows Task Scheduler to schedule the “updatedb.bat” process, which is created automatically for you in your WSM8/bin directory when the WebBlocker Server is started.
1 Open Scheduled Tasks. To open the Task Scheduler using Windows XP, click Start, click All Programs, point to Accessories, point to System Tools, and then click Scheduled Tasks.
2 Click Add Scheduled Task.
3 The Scheduled Tasks wizard starts. Click Next.
4 The screen shows a list of programs. Click Browse.
5 Go to C:\Program Files\WatchGuard\wsm8\bin. Select updatedb.bat.
6 Select the time interval at which to do this task. We recommend that you update your database each day. You can update less frequently if you have low bandwidth. Click Next.
7 Type the time and frequency to start the procedure. Because you must stop the WebBlocker Server to do the update, we recommend that you schedule updates outside of your usual hours of operation.
8 Select a start date. Click Next.
9 Type the user name and the password to use for this procedure. Make sure that this user has access to the necessary files. Click Next.
10 Click Finish.
CHAPTER 16
Connecting with Out-of-Band Management
With the Out-Of-Band (OOB) management feature of the WatchGuard System Manager, you can connect to the Firebox with a modem (not provided with the Firebox) and a telephone line. With OOB you can change the configuration of the Firebox from a remote location without the use of the Firebox Ethernet interfaces.
Connecting a Firebox with OOB Management
To use the OOB feature to connect to the Firebox, you must:
• Connect a modem to the serial port of the Management Station.
• Connect a telephone line to the modem.
• Connect an external modem or a PCMCIA/PC Card modem to the Firebox. If you use an external modem, you must attach it to the Console port of the Firebox.
• Enable the Management Station for dial-up networking.
• Set the Firebox network configuration.
Enabling the Management Station
You must configure the Management Station to use a PPP connection. The Windows 2000/2003 and Windows XP platforms each have a different procedure.
Preparing a Windows 2000 management station for OOB
Make sure that the modem is installed. If necessary, follow the procedure below. Then you can configure the dial-up connection.
Install the modem
1 From the Desktop, click Start > Settings > Control Panel > Phone and Modem Options.
2 Click the Modems tab.
3 Click Add.
The Add/Remove Hardware Wizard appears.
4 Follow the steps of the wizard and complete the information requests.
Make sure you have the name and model of the Firebox modem and the modem speed.
5 Click Finish to complete the modem installation.
Configure the dial-up connection
1 From the Desktop, click My Network Places > Network and Dial-up Connections > Make New Connection.
The Network Connection wizard appears.
2 Click Next. Click Dial up to Private Network. Click Next.
3 The modem in the Firebox connects to a telephone line. Type the number of that telephone line. Click Next.
4 Choose the designation for your connection. Click Next.
5 Type a name for your connection.
This name shows with the icon. Type a name that gives the function of the icon, for example, OOB Connection.
6 Click Finish.
7 Click Dial or Cancel.
The new icon shows in the Network and Dial-Up Connections. To use this dial-up connection, double-click the icon.
Preparing a Windows XP management station for OOB
Make sure that the modem is installed. If necessary, follow the procedure below. Then you can configure the dial-up connection.
Install the modem
1 Click Start > Control Panel > Phone and Modem Options.
2 Click the Modems tab.
3 Click Add.
The Add Hardware Wizard appears.
4 Follow the steps of the wizard.
You must know the name and model of the Firebox modem and the modem speed.
5 Click Finish to complete the modem installation.
Configure the dial-up connection
1 Click Start > Control Panel > Network Connections. Click New Connection Wizard.
The New Connection Wizard appears.
2 Click Next. Click Connect to the network at my workplace. Click Next.
3 Click Dialup connection. Click Next.
4 Type a name for your connection.
This name shows with the icon. Type a name that gives the function of the icon, for example, OOB Connection.
5 The modem in the Firebox connects to a telephone line. Type the number of that telephone line. Click Next.
6 Click Finish.
7 Click Dial or Cancel.
The new icon shows in the Network Connections. To use this dial-up connection, double-click the icon.
Configuring the Firebox for OOB
You can configure the OOB management features in the Policy Manager. In the Network Configuration dialog box, click the OOB tab:
• In the top of the dialog box, you can control the properties of an attached external modem.
• In the bottom of the dialog box, you can configure an installed PCMCIA modem.
The OOB management features are automatically enabled on the Firebox during initial configuration.
The first time you connect to a Firebox with OOB, the Firebox uses the default OOB properties.
From the Policy Manager:
1 Click Network > Configuration. Click the OOB tab.
2 Change the OOB properties to match your security preferences. Click OK.
Establishing an OOB Connection
• From the Management Station, use dial-up networking to make a connection to the Firebox modem.
• The modems connect.
• The Firebox makes a PPP connection with the Management Station to let IP traffic through.
• With the dial-up PPP address of the Firebox you can use the System Manager. The default address is 192.168.254.1.
Configuring PPP to connect to a Firebox
In the default configuration, Firebox PPP accepts a connection from a standard computer. The configuration of your management station is almost the same as for a typical Internet service provider. It is not necessary to type a user name or password.
OOB time-out disconnects
The Firebox starts the PPP session. The Policy Manager on your management station makes a secure connection to the Firebox. If the Firebox has no secure connection within a default period of 90 seconds, the Firebox stops the session.
CHAPTER 17
Introduction to VPN Technology
The Internet is a public network. On this system of computers and networks, one computer can get information from other computers. It is possible for a person to read unsecured data packets that you send on the Internet. To send secure data on the Internet between offices, networks, and users, you must use stronger security.
Virtual Private Networks (VPNs) use encryption technology to decrease security risks and to secure private information on the public Internet. A Virtual Private Network lets data flow safely across the Internet between two networks. VPN tunnels can also secure connections between a host and a network.
The networks and hosts at the endpoints of a VPN can be corporate headquarters, branch offices and remote users.
VPN tunnels use authentication, which examines the sender and the recipient. If the authentication information is correct, the data is decrypted. Only the sender and the recipient of the message can read it clearly.
For more information on VPN technology, see the online information at http://www.watchguard.com/support. The WatchGuard Support Web site contains links to documentation, basic FAQs, advanced FAQs and the WatchGuard User’s Forum. You must log in to the Support Web site to use some features.
Tunnels and Tunnel Protocols
Tunnels allow users to send data in secure packets across a network that is not secure, usually the Internet. A tunnel is a group of security protocols, encryption algorithms and rules. The tunnel uses this information to send secure traffic from one endpoint to the other. A tunnel allows users to connect to resources and computers from other networks.
Tunneling protocols supply the infrastructure and set how the data transmission on the tunnel occurs.
The two tunneling protocols that WatchGuard uses are Internet Protocol Security (IPSec) and Point-to-Point Tunneling Protocol (PPTP).
IPSec
You use the IPSec protocol to examine IP packets and make sure they are authenticated. IPSec includes security features such as very strong authentication, to protect the privacy of the information that you transmit on the Internet. IPSec is a standard that works with many systems from different manufacturers.
IPSec includes two protocols that protect data integrity and confidentiality. The AH (Authentication Header) protocol provides data integrity. The ESP (Encapsulating Security Payload) protocol provides both data integrity and confidentiality.
PPTP
PPTP is a Microsoft network technology for VPN security. You can install PPTP on computers that use Microsoft Windows operating systems. PPTP allows tunnels to corporate networks and to other Point-to-Point Protocol (PPP) enabled systems. Although PPTP is not as secure as IPSec, it supplies an inexpensive tunnel alternative to a corporate network.
Encryption
On a network that is not secure, hackers can find transmitted packets very easily. VPN tunnels use encryption to keep this data secure.
The length of the encryption key and the level of encryption (DES or 3DES) set the strength of encryption. A longer key gives better encryption and more security. The level of encryption is set to give the performance and security that is necessary for the organization. Stronger encryption gives a higher level of security, but it decreases performance.
Basic encryption allows sufficient security with good throughput for tunnels that do not transmit sensitive data. For administrative connections and for connections where privacy is critical, we recommend strong encryption.
The host or the IPSec device that sends a packet through the tunnel encrypts the packet. The recipient at the other end of the tunnel decrypts the packet. Therefore, both sides must agree on all the tunnel parameters. This includes the encryption and authentication algorithms, the hosts or networks allowed to send data across the tunnel, the time period for calculating a new key, and other parameters.
Authentication
An important part of security for a VPN is to make sure that the sender and recipient are authenticated.
There are two methods, passphrase authentication (also called a shared secret) and digital certificates. A shared secret is a passphrase that is the same for the two ends of the tunnel.
A session key, which is created from the shared secret, encrypts the data. The gateways can encrypt and decrypt the data correctly only if they use the same shared secret.
Digital certificates use public key cryptography to identify and authenticate the end gateways.
Extended authentication
Authentication for a remote user can occur through a database that is stored on the Firebox, or through an external authentication server. An example of an external authentication server is the Remote Authentication Dial-In User Service (RADIUS). An authentication server is a trusted third party that authenticates other systems on a network.
You use an external authentication server for two reasons. One reason is to prevent the work that is required to maintain a list of users in the Firebox internal database. The other reason is for extra security.
When you use Extended Authentication Groups for Mobile User VPN, the remote user must type a user name and password every time a VPN is started. When you use Firebox Authenticated Users for Mobile User VPN, the remote user does not enter a user name and password to connect using VPN.
Internet Key Exchange (IKE)
As the number of VPN tunnels between Fireboxes and other IPSec-compliant devices increases, it is not easy to manage the large number of session keys that are used by the tunnels. Keys must be replaced frequently for stronger security. Session keys can be manually configured or automatically configured.
Today, very few VPNs use manual session keys for key management.
Internet Key Exchange (IKE) is the key management protocol IPSec uses. IKE automates the procedure to negotiate and replace keys. IKE includes a security protocol, the Internet Security Association and Key Management Protocol (ISAKMP). This protocol uses a two-phase procedure to create an IPSec tunnel.
During Phase 1, two gateways create a safe, authenticated channel for communication. Phase 2 includes an interchange of keys to find out how to encrypt the data between the two.
Diffie-Hellman is an algorithm that IKE uses to make the keys that are necessary for data encryption. Diffie-Hellman groups are collections of parameters. These groups let two peer systems interchange and agree on a shared secret key. Group 1 is a 768-bit group; group 2 is a 1024-bit group. Group 2 is more secure than group 1, but uses more processor time to make the keys.
WatchGuard VPN Solutions
WatchGuard System Manager includes this software to create tunnels:
• Remote User VPN (RUVPN) with PPTP
• Mobile User VPN (MUVPN) with IPSec
• Branch Office VPN (BOVPN) with IPSec, using Manual IPSec to configure the tunnel settings
• Branch Office VPN (BOVPN) with IPSec, using Basic DVCP to automatically configure the tunnel settings
• Branch Office VPN (BOVPN) with IPSec, using VPN Manager to automatically configure the tunnel settings.
Note
To use the Firebox X500 with Branch Office VPN or VPN Manager, you must purchase the BOVPN Upgrade. The Firebox X700, Firebox X1000 and Firebox X2500 include support for BOVPN after you register the unit with LiveSecurity Service. To enable the upgrade for the Firebox X500 and allow BOVPN tunnels, see “Enabling the BOVPN Upgrade” on page 222.
WatchGuard includes two different levels of encryption: basic and strong. Basic encryption uses a 56-bit key with the Data Encryption Standard (DES) algorithm to encrypt data; strong encryption uses a 168-bit key with 3DES.
Mobile User VPN
Note
For information on how to configure and use MUVPN, see the MUVPN Administrator Guide.
Mobile User VPN is an optional software component. Remote users are mobile employees who must have corporate network access. MUVPN creates an IPSec tunnel between a remote host that is not secure and the corporate network. Remote users connect to the Internet with a standard Internet dialup or broadband connection, and then they use the MUVPN software to make a secure connection to the network or networks protected by the Firebox. With MUVPN, only one Firebox is necessary to create the tunnel.
MUVPN tunnels
MUVPN uses IPSec with DES or 3DES to encrypt incoming traffic, and MD5 or SHA-1 to authenticate data packets. You configure a security policy and supply it along with the MUVPN software to each remote user. The security policy is an encrypted file with extension wgx. When the software is installed on the computers of the remote users, they can safely connect to the corporate network. MUVPN users can change their security policies, or you can give them read-only security policies.
WatchGuard gives support for certificate authentication for MUVPN tunnels. Configure a Firebox as a DVCP server for this functionality. Refer to “BOVPN with DVCP” on page 178.
MUVPN is available on all Firebox models. Look at the Firebox Policy Manager at Network > Remote User > Mobile User VPN tab to see the available number of MUVPN tunnels.
MUVPN with extended authentication
When you use MUVPN with extended authentication, you can authenticate to a Windows or RADIUS authentication server. You do not have to configure user names or passwords on the Firebox. The Firebox sends authentication requests to the extended authentication server and the server grants permission or denies permission based upon its user database and policies.
When a Windows Server or RADIUS is the extended authentication server, the network administrator does not have to continuously update user information between the Firebox and the authentication server. MUVPN users log in to the corporate network from remote locations. They use the same user name and password that they use when they are at their offices.
If you do not have a Windows domain controller or a RADIUS server, the Firebox can be the extended authentication server. If the Firebox is the authentication server, you add users to the Firebox Users area of the Policy Manager.
The MUVPN user that is authenticated by the Firebox can be a Firebox Authenticated User or a member of an Extended Authentication Group. In both methods, the Firebox checks its internal database of users. With Extended Authentication Groups, the remote user must enter a user name and password every time the remote user connects. With Firebox Authenticated Users, the remote user does not enter a user name and password to use the VPN.
RUVPN with PPTP
RUVPN allows remote users or mobile users to connect to the Firebox network with PPTP.
The basic WatchGuard System Manager package includes RUVPN with PPTP. It allows 50 users, and it allows all levels of encryption.
RUVPN with PPTP tunnels
RUVPN with extended authentication
The Firebox can authenticate users to a database on the Firebox. As an alternative, the Firebox can use a third-party authentication server. Users can authenticate to a RADIUS authentication server when they use RUVPN with extended authentication. You do not have to install user names or passwords on the Firebox when you use a RADIUS server to authenticate remote PPTP users.
Branch Office Virtual Private Network (BOVPN)
Note
To use the Firebox X500 with Branch Office VPN or VPN Manager, you must purchase the BOVPN Upgrade. The Firebox X700, Firebox X1000 and Firebox X2500 include support for BOVPN after you register the unit with LiveSecurity Service. To enable the upgrade for the Firebox X500 and allow BOVPN tunnels, see “Enabling the BOVPN Upgrade” on page 222.
Many companies have offices in more than one location. Offices frequently use data from other locations, or have access to shared databases.
Because branch office communications can include sensitive company data, information interchanges must be secure. When you use WatchGuard Branch Office VPN (BOVPN), you can connect two or more locations across the Internet without decreasing security. WatchGuard BOVPN supplies an encrypted tunnel between two networks or between a Firebox and an IPSec-compliant device. You can use WatchGuard System Manager to configure BOVPN.
WatchGuard allows certificate-based authentication for BOVPN tunnels. When you use certificate-based authentication for BOVPN, both VPN endpoints must be WatchGuard Fireboxes. You cannot use certificate-based authentication for BOVPN with SOHO 6 or Firebox X Edge devices. To use this functionality, you must configure a Firebox as a DVCP server and a certificate authority. See the subsequent section and Chapter 19, “Activating the Certificate Authority on the Firebox.”
BOVPN with DVCP
Dynamic VPN Configuration Protocol (DVCP) is a WatchGuard protocol that helps you make VPNs between WatchGuard devices. DVCP lets you create tunnels easily and does maintenance on them. When you use DVCP, you cannot create tunnel configurations that are not correct. DVCP is used in two different ways: VPN Manager and Basic DVCP.
Basic DVCP is a simple tool to make BOVPNs between the Firebox and remote WatchGuard devices. VPN Manager is more powerful than Basic DVCP. VPN Manager is a tool to configure and monitor many VPNs at one time. You can also use VPN Manager to manage and monitor the remote Firebox, SOHO and Edge devices and the VPNs they have between them. You must configure a Firebox as a DVCP server to use VPN Manager. This DVCP server is used to configure a set of DVCP clients. The DVCP clients are Fireboxes, SOHO 6 units or Firebox X Edge units.
The DVCP Firebox does the maintenance of the connections between two units and keeps all the policy information. This includes the network address range and the tunnel properties such as encryption, time-outs, and authentication. DVCP clients get this information from the DVCP server on the VPN Manager Firebox, or from the Firebox that uses Basic DVCP. The only information you must enter into the configuration of the remote device is an identification name, the shared key and the external interface IP address of the DVCP Firebox. The Basic DVCP Firebox or VPN Manager Firebox must have a public IP address.
IPSec tunnels with VPN Manager
With VPN Manager, you can make fully authenticated and encrypted IPSec tunnels with a drag-and-drop or menu interface. VPN Manager uses DVCP to safely transmit IPSec VPN configuration information between Fireboxes. When you use DVCP, you set each configuration parameter of the VPN. You keep this data on the DVCP server.
When you make a WatchGuard device a DVCP client, a software client on the device connects with the DVCP server. The client gets IPSec policy information.
With VPN Manager, you can configure, manage and monitor all WatchGuard devices across a company.
You can configure VPNs between two remote devices. You do not have to know about the Internet security of branch offices and remote users. Remote devices connect to the DVCP server Firebox and the VPN Manager does all the work. If you use certificates for tunnel authentication, you can configure the Firebox as a certificate authority.
Certificate creation is managed automatically by DVCP.
BOVPN with VPN Manager
Basic DVCP
Basic DVCP is a simplified form of VPN Manager. You do not need VPN Manager to use Basic DVCP, and you do not need to configure the Firebox as a DVCP server.
The primary purpose of Basic DVCP is to easily make IPSec tunnels between your Firebox and the remote devices. You use a DVCP Client Wizard to add one or more DVCP clients. The DVCP clients are SOHO, SOHO 6, or Firebox X Edge devices. The DVCP client device is configured to get the VPN information from the Basic DVCP Firebox. You cannot manage or monitor a remote device with Basic DVCP. You cannot make a VPN from a remote device to a remote device with Basic DVCP. Standard DVCP makes tunnels from remote unit to remote unit in VPN Manager. With VPN Manager you can monitor and manage a remote device. See Chapter 25, “Managing Firebox X Edge and Firebox SOHO6 Appliances.” For more information about Basic DVCP, see the FAQ: https://www.watchguard.com/support/AdvancedFaqs/basicdvcp_whatis.asp
BOVPN with Basic DVCP
BOVPN with Manual IPSec
This BOVPN uses IPSec to make encrypted tunnels between a Firebox and an IPSec-compliant security device. This unit could be protecting a branch office, trading partner or supplier locations. BOVPN with IPSec is available with the WatchGuard strong encryption version of the software only. The strong encryption version of the software can use DES (56-bit) or Triple DES (168-bit) encryption.
You must use Manual IPSec if the remote IPSec endpoint is not a WatchGuard device. You can also use Manual IPSec if the remote device is a WatchGuard firewall. When you make a VPN using Manual IPSec, you must configure three main items: Gateway, Tunnel, and Routing Policy. You use the Gateway for information about the remote IPSec device and the IKE parameters. You use Tunnels to define IPSec parameters. You use routing policies to set which VPN tunnel to use for which traffic.
BOVPN with Manual IPSec
CHAPTER 18
Designing a VPN Environment
VPN tunnels make the security of your network more difficult to control. When you set up a VPN environment, you expand your security system to dangerous areas. The network security of your company is only as strong as its weakest link.
You must balance security with performance when you use VPN tunnels. Many of the safest options that are available for VPN connections give unsatisfactory performance.
Selecting an Authentication Method
A primary part of a VPN is its method of user authentication. You can use shared keys or digital certificates to authenticate VPN users. Shared secrets are passwords that you must give to users. They make it easy to quickly set up VPN tunnels for a small number of remote employees. To use shared secrets safely, you must:
• Make users select strong passwords.
• Change passwords frequently.
• Lock out users after three incorrect logins.
When you use RUVPN with PPTP or MUVPN, it is very important to use strong passwords. When you put the security of VPN endpoints at risk, you can put the security of the network at risk. If, for example, a thief steals a laptop computer and finds the password, he has direct access to the network.
Digital certificates are electronic records that identify the user. (For a detailed discussion of certificates,
safe third party, manages the certificates. In the WatchGuard System Manager, you can configure a Firebox to operate as a CA. This type of authentication is safer than shared secrets.
Selecting an Encryption and Data Integrity Method
Think of security and performance when you select the encryption and data integrity method to use.
We recommend TripleDES, the stronger of the two encryption types, for sensitive data. DES uses less computer time for encrypting and decrypting, but we recommend DES only where strong security is not necessary or where export restrictions prevent the use of strong encryption.
Data integrity makes sure that the data a VPN endpoint receives is not changed as it is sent. We support two types of data authentication. The first type is the 128-bit Message Digest 5 (MD5-HMAC). The second type is the 160-bit Secure Hash Algorithm (SHA1-HMAC). Because SHA1-HMAC has more bits, we consider it safer.
IP Addressing
Correct use of IP addresses is important when you make a VPN. The private IP addresses of the computers at one side of the VPN cannot be the same as the private IP addresses you use at the other side of the VPN. If you have branch offices, use subnets at each location that are different from the corporate office network. If it is possible, use subnets that are similar or close to the Firebox subnet when you set up a branch office.
For example, if the main Firebox network uses 192.168.100.0/24, then for the branch offices use 192.168.101.0/24, 192.168.102.0/24, and so on. This prevents new problems if you expand your network, and it helps you to remember the IP addresses at a certain branch office.
For MUVPN and RUVPN tunnels, the Firebox gives each remote user a virtual IP address. The easiest way to give virtual IP addresses is to give virtual IP addresses that come from the main network but are not used for any other computer. For example, you cannot use the same virtual IP address for RUVPN (PPTP) and for MUVPN (IPSec) remote users. You also cannot use a virtual IP address that can be on a computer somewhere else on the main network.
If your main network does not have enough IP addresses to do this, the safest procedure is to install a “placeholder” secondary network. Select a range of addresses for it and use an IP address from that network range for the virtual IP address.
This lets you select from a range of addresses that do not interfere with real host addresses in use behind the Firebox. If you use this procedure for RUVPN virtual IP addresses, you must configure the RUVPN client computer to use the default gateway on the remote network, or you must manually add routes after the VPN is connected. (This is not necessary for the MUVPN client computer.)
For information on IP addresses with PPTP tunnels, see these FAQs:
https://www.watchguard.com/support/advancedfaqs/pptp_partaccess.asp
https://www.watchguard.com/support/AdvancedFaqs/pptp_usedgonremote.asp
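The address rules in this section, as an added example that is not part of the guide: a small Python check of a constructed address plan built on the guide's 192.168.100.0/24 head-office example. The placeholder network 192.168.250.0/24, the two virtual pools and the "same /16" test for closeness are assumptions.

```python
# Added example, not part of the WatchGuard guide: checks a constructed VPN
# address plan against the rules of the IP Addressing section.
from ipaddress import ip_network

# Constructed plan. The head-office subnet is the guide's 192.168.100.0/24
# example; the branch subnets follow its "use the next /24" advice.
SITES = {
    "main": "192.168.100.0/24",
    "sacramento": "192.168.101.0/24",
    "san_diego": "192.168.102.0/24",
}
# Assumed "placeholder" secondary network on the main Firebox. Virtual IP
# addresses for remote users are carved out of it, so they never collide with
# a real host behind the Firebox.
PLACEHOLDER = "192.168.250.0/24"
VIRTUAL_POOLS = {
    "ruvpn_pptp": "192.168.250.0/26",    # RUVPN (PPTP) users
    "muvpn_ipsec": "192.168.250.64/26",  # MUVPN (IPSec) users
}


def overlapping_pairs(nets):
    """Return every pair of names whose networks share at least one address."""
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def is_close_to(main, branch, prefix=16):
    """Assumption: a branch subnet counts as "similar or close" to the main
    subnet when both lie inside the same /16 (the guide gives no exact rule)."""
    return branch.subnet_of(main.supernet(new_prefix=prefix))


def check_plan(sites, placeholder, pools, main="main"):
    """Return the list of rule violations; an empty list means the plan is OK."""
    sites = {name: ip_network(net) for name, net in sites.items()}
    pools = {name: ip_network(net) for name, net in pools.items()}
    placeholder = ip_network(placeholder)
    problems = []
    # Rule 1: the private addresses on one side of a VPN must not be the same
    # as (or overlap) the private addresses on the other side.
    for a, b in overlapping_pairs(sites):
        problems.append(f"site subnets overlap: {a} {sites[a]} and {b} {sites[b]}")
    # Rule 2: branch subnets should stay close to the main Firebox subnet.
    for name, net in sites.items():
        if name != main and not is_close_to(sites[main], net):
            problems.append(f"branch {name} {net} is far from main {sites[main]}")
    # Rule 3: the placeholder network must not contain any real site subnet.
    for name, net in sites.items():
        if placeholder.overlaps(net):
            problems.append(f"placeholder {placeholder} overlaps {name} {net}")
    # Rule 4: every virtual pool comes from the placeholder, and the PPTP and
    # IPSec pools never hand out the same virtual address.
    for name, pool in pools.items():
        if not pool.subnet_of(placeholder):
            problems.append(f"pool {name} {pool} is outside {placeholder}")
    for a, b in overlapping_pairs(pools):
        problems.append(f"virtual pools overlap: {a} and {b}")
    return problems


if __name__ == "__main__":
    for problem in check_plan(SITES, PLACEHOLDER, VIRTUAL_POOLS) or ["plan OK"]:
        print(problem)
```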
NAT and VPNs
If you configure an IPSec VPN with a NAT device between remote gateways, some adjustments are necessary. NAT always changes the address information of an IP packet. If you use the AH protocol, the packet will then fail its data integrity check, because AH requires that no bit in the datagram is changed.
When you use NAT in a tunnel that uses BOVPN with Manual IPSec, do not use AH. You must use ESP as the authentication method. (Always use ESP as the authentication method with all other types of IPSec tunnels.)
You can also use NAT in a VPN if you use IPSec or PPTP passthrough. Refer to “Making Outbound IPSec Connections From Behind a Firebox” on page 208 and “Making Outbound PPTP Connections From Behind a Firebox” on page 208.
Access Control
VPN tunnels give users access to resources on your computer network. Consider which type of access is appropriate for a given type of user. For example, you can give a group of contract employees access to just one network and your sales force access to all the networks.
Different VPN applications also set your level of trust. Branch office VPNs have a firewall device at both ends of the tunnel. They are more secure than MUVPN and RUVPN, which have protection at only one end.
Network Topology
You can configure the VPN to give support to meshed and hub-and-spoke configurations. The topology that you select sets the types and number of connections that occur. It also sets the flow of data and the flow of traffic.
Meshed networks
In a fully meshed topology, all servers are connected together to make a web, or mesh. Each device in the mesh is only one step from another VPN unit. Communication can occur between each unit of the VPN, if necessary.
This topology is the most error resistant. If a VPN unit goes down, only the connection to the trusted network of that unit is down. But, this topology requires more work to set up because each VPN unit configures a VPN to every other unit. There can also be problems if it is not done carefully, because of the possibility of routing loops.
The largest problem that you get with fully meshed networks is one of control. Because each unit in the network must connect with each other unit, the number of necessary tunnels becomes large quickly.
The number of tunnels that are necessary for this configuration is equal to the square of the number of devices:
[(number of devices)x(number of devices) = number of tunnels]
When all the VPN units are WatchGuard devices, VPN Manager can make the amount of work much less.
The DVCP Server contains all the information for all the tunnels. With VPN Manager, you make a VPN from one device to another device in three steps using a drag-and-drop method.
You can monitor the security of the full system from more than one location, each with a Firebox. Larger companies use this configuration with important branch offices, each using a higher capacity Firebox.
Smaller offices and remote users connect with MUVPN, RUVPN, Firebox X Edge, or SOHO 6 devices.
Networks that are not fully meshed have only the necessary inter-spoke tunnels. Refer to the figure below. Thus the flow through the network is better than fully meshed networks. The limits in all meshed networks are:
• The number of tunnels that the firewall CPU can operate.
• The number of VPNs allowed by the VPN license on the unit.
Not fully meshed network
Hub-and-spoke networks
In a hub-and-spoke configuration all VPN tunnels stop at one firewall. Smaller companies frequently use this configuration with a central Firebox. Many distributed, remote users connect with MUVPN, RUVPN, Edge or SOHO 6 devices to this configuration. Each remote device or remote user makes a VPN only to the central Firebox.
In a normal, simple hub-and-spoke configuration, each remote site can only send and receive data over a VPN to the network behind the master server. However, a VPN to the master server, the central hub, can also be configured to send and receive data to another remote VPN location (tunnel switching). The intensity of traffic in hub-and-spoke can be quite high if the master server sends packets from one remote site to another remote site. Or the traffic intensity can be low in a simple hub-and-spoke, where the remote sites can only communicate over a VPN to the main hub location.
The master server is the one point where all VPNs can fail, so it can be a problem. If the master server goes down, you cannot connect any tunnels to the remote locations.
The flow through a simple hub-and-spoke system is far more clear than through a meshed system. You can control the number of tunnels better. Refer to the sum that follows:
[(number of devices) – 1 = number of tunnels]
If it is necessary to have more spoke capacity, you expand the hub location. But, because all traffic goes through the hub, it is necessary to have much bandwidth for this installation.
Hub-and-spoke network
Tunneling Methods
Split tunneling is when a remote user or endpoint has access to the Internet on the same computer as the VPN connection, but does not put the Internet traffic through the tunnel. Web browsing occurs directly through the ISP of the user. This leaves the system open to damage, because Internet traffic is not filtered or encrypted.
This dangerous configuration becomes more secure when all of the Internet traffic of the remote user goes through a VPN to the Firebox. From the Firebox, the traffic is then sent back out to the Internet (tunnel switching). With this configuration the Firebox examines all traffic, which increases security.
When you use tunnel switching, a Dynamic NAT policy must include the outgoing traffic from the remote network. In the Policy Manager, add a policy at Setup > NAT. This allows the remote users to reach the Internet when they send all traffic to the Firebox.
Note
A Firebox does not give support for tunnel switching to a SOHO 5.
Split tunneling decreases security but does increase performance. If you use split tunneling, remote users must have personal firewalls for computers behind the VPN endpoint.
Determining Which WatchGuard VPN Solution to Use
The five different WatchGuard VPN solutions are each made for special uses.
Use BOVPN with Basic DVCP if:
• You make tunnels between a Firebox at your head office and dynamically addressed Firebox X Edge or SOHO 6 units at your branch offices.
• It is not necessary that the branch offices have communication with each other.
• Only very easy tunnels are necessary.
Use BOVPN with Manual IPSec if:
• You make tunnels between a Firebox and a non-WatchGuard, IPSec-compliant unit.
• You give different routing policies to different tunnels.
• Not all types of traffic go through the tunnel.
Note
Firebox 500 does not give support to BOVPN unless you get the BOVPN Upgrade. Firebox X700, Firebox X1000 and Firebox X2500 give support to BOVPN only if you register the device with LiveSecurity
Use IPSec tunnels with VPN Manager if:
• You make tunnels between two or more Fireboxes.
• You give different routing policies to different tunnels.
• Client units are dynamically or statically addressed.
• You have a large number of tunnels to make.
Use MUVPN if:
• You have mobile users who must connect safely to a Firebox or SOHO 6.
• You want to have precise control over where the remote users can send data.
Use RUVPN with PPTP if:
• You have mobile users who connect to the Firebox with PPTP.
WatchGuard VPN Solutions
VPN Installation Services
WatchGuard Remote VPN Installation Services is a service you can buy for complete assistance with a basic VPN installation. You can schedule a dedicated two-hour time slot with a WatchGuard technician. The technician reviews your VPN policy, helps you configure it, and examines your VPN configuration. You must install and configure your Fireboxes before you use this service.
VPN Scenarios
This section gives four different types of companies and the VPN solutions that best fit each one.
Large company with branch offices: VPN Manager
Gallatin Corporation has a head office with approximately 300 users in Los Angeles. It has branch offices of around 100 users each in Sacramento, San Diego and Irvine. All locations have high-speed Internet access and employees at all locations must have secure connections to all other locations.
This company uses Fireboxes at each location and VPN Manager to connect the locations to each other.
Each office connects to all other offices. All users at each office have access to the shared records at all the other locations. The Firebox at headquarters is the DVCP server and the Fireboxes at the branch offices are DVCP clients. When a service outage occurs at Gallatin’s Internet service provider, the Firebox at headquarters becomes unavailable, but the tunnels between the other locations stay up.
Medium-sized company with main office and auxiliary office: BOVPN with Basic DVCP
Arrington Plumbing Supply has a head office in Minneapolis, Minnesota and a supply center in Topeka, Kansas. The head office has a Firebox 700 on a T1 connection and the supply center has a SOHO 6tc.
Each office has secure access to the other office with Basic DVCP. This lets the SOHO 6 make a VPN with the Firebox. The public IP address of the SOHO 6 unit changes from time to time. The eight employees at the supply center have access to all shared records at headquarters. Headquarters has access to the inventory computers in Topeka.
Small company with telecommuters: MUVPN
River Rock Press is a small publishing house in a speciality market. It has an office with six employees in Portland, Oregon and five editors who do work in other cities. The head office uses a Firebox X Edge as a firewall and as a VPN gateway. The five editors each use a Mobile User VPN client to make a secure connection to the Information Center in Portland. The editors can always safely interchange information if their computers are connected to the Internet.
Company with remote employees: MUVPN with extended authentication
BizMentors, Inc. has 35 trainers to give courses in business-related topics at the facilities of client companies. The 75 salespeople of BizMentor must have up-to-the minute information on the schedules of the trainers, to prevent conflicts.
A database in the data center of BizMentor keeps this information up-to-date. The data center uses a Firebox and each salesperson uses an MUVPN client to access the inventory and price database. To authenticate all remote users, BizMentor uses a Windows domain controller at the data center.
Usually, you must enter the ID and password information on the Firebox and on the Windows server (domain controller). But when you use extended authentication, all IDs and passwords are sent to the Windows domain controller. You do not have to put them in the Firebox. All salespersons can log in to the corporate network with the ID and password they usually use when inside the network. The Firebox sends the ID and password to the Windows domain controller, and the domain controller does the authentication of the VPN user credentials.
CHAPTER 19
Activating the Certificate Authority on the Firebox
You can authenticate all IPSec tunnels with shared secrets or with digital certificates. A certificate is an electronic document that contains a public key. The certificate is the proof that the key is from an approved party and has not been changed. The certificate authority (CA), a trusted third party, gives certificates to clients.
In WatchGuard System Manager, a Firebox that is configured as a DVCP server also operates as a CA.
Certificates give a safer procedure for authentication than shared secrets. Although many CAs are not easy to deploy, the WatchGuard CA is easy to configure. It does authentication tasks with little input from the user.
CAs are part of a system of key generation, key management and certification with the name Public Key Infrastructure (PKI). The PKI supplies certificate and directory services that can make, supply, keep and, when necessary, cancel the certificates.
Public Key Cryptography and Digital Certificates
An important part of a PKI is an information protection procedure with the name public key cryptography. This cryptographic system includes two mathematically related keys, known as a key pair. The owner keeps one key, the private key, secret. The owner can distribute the other key, known as the public key, far and wide to other users.
The keys in the key pair are complementary. Only the private key can decrypt data encrypted with the public key. Only the public key can verify data signed with the private key.
Digital certificates protect the integrity and identity of public keys. A root certificate, which contains the public key of the CA, makes sure that the client certificates are valid.
Certificates have a lifetime that is set when they are issued. But certificates are sometimes cancelled before the end date and time that was set for them. To keep track of certificates that are no longer valid, the CA keeps an online, up-to-date list of cancelled certificates, the certificate revocation list (CRL). Before a certificate is accepted as valid, the CRL is checked to make sure that the certificate is not cancelled.
PKI in a WatchGuard VPN
To authenticate with certificates, you must configure the Firebox as a DVCP server. This server automatically starts the CA on the Firebox. Each DVCP client authenticates to the DVCP server. The CA makes sure that the client is authentic and then gives a certificate back to the client.
You can configure the CA in more than one way. A standard structure (see the figure) includes a Firebox as a DVCP server that controls a DVCP client. The DVCP server can also control a group of DVCP clients, known as a DVCP cluster.
The CA component of the DVCP server is on whether or not the Firebox authenticates with certificates. The configuration of the DVCP clients controls the authentication procedure. In the example that follows, one DVCP client authenticates with certificates. When the client contacts the server, the CA downloads a certificate to the Firebox with DVCP.
DVCP server/CA with DVCP client
The figure that follows shows a Firebox that is not part of a DVCP cluster, but operates as a CA for MUVPN users. In this example, one MUVPN user authenticates with certificates and the other with a shared key.
Because MUVPN clients are not DVCP clients, they authenticate directly to the Firebox. The WatchGuard System Manager requires a certificate for them. After the CA supplies the certificate, System Manager packages the certificate to send to the MUVPN client.
The Firebox administrator gives each MUVPN user a collection of settings, the MUVPN end-user profile. Users who authenticate with shared keys receive one file, .wgx. Users who authenticate with certificates receive a .wgx file along with two other files: cacert.pem and .p12, the client certificate. The first file contains the root certificate.
The MUVPN user who authenticates with certificates opens the .wgx file. This user then installs the root and client certificates contained in the cacert.pem and .p12 files automatically.
DVCP server/CA with MUVPN clients
A different configuration (see the figure that follows) includes a DVCP server/CA at the main office of a company. It also includes a Firebox as a DVCP client at a branch office. The branch office gives support to the mobile users who authenticate with certificates. This scenario has two CAs: a principal CA and a subordinate CA.
DVCP server/CA, DVCP client/CA, and MUVPN clients
Defining a Firebox as a DVCP Server and CA
When you configure a Firebox as a DVCP server, you also enable it as a Certificate Authority. You can configure a DVCP server from the Policy Manager or the VPN Manager.
Note
You can only configure a Firebox with a static IP address as a DVCP server.
Using Policy Manager
1 Open System Manager and connect to the Firebox you want to configure as a DVCP server.
The Firebox must have its name set with Setup > Name for the CA to operate correctly.
2 From Policy Manager, click Network > DVCP Server.
The DVCP Server Properties window appears, see the figure that follows.
3 Select the Enable this Firebox as a DVCP Server check box.
4 To enable debug logging for the server, select the Enable Debug Log Messages for the DVCP Server check box.
5 In the Domain Name text box, type the domain name for the IPSec and SOHO Management Certificate Authority Properties.
6 To use the external interface IP address as the Certificate Revocation List (CRL) end point, click External Interface IP Address. To use any other IP address as the CRL end point, click Custom IP Address.
7 In the CRL Publication Period text box, type how long the list is available.
You can also use the spin control to set the CRL Publication Period.
8 In the Client Certificate Lifetime text box, type how long the client certificate is available.
You can also use the spin control to set the Client Certificate Lifetime.
9 In the Root Certificate Lifetime text box, type how long the root (CA) certificate is available.
You can also use the spin control to set the Root Certificate Lifetime.
10 To send CA diagnostic messages to the log file, select the Enable debug log messages for CA check box.
Note
Make sure that you set the CA properties correctly. If you change the CA properties after the initial setup, all certificates are cancelled.
11 Click OK.
12 From Policy Manager, click File > Save > To Firebox. Select the configuration file or type a new name.
13 Type the configuration passphrase of the Firebox.
Using VPN Manager
1 Open VPN Manager and click File > New.
The New Server dialog box appears.
2 Type:
Display Name
A special name that you select. This becomes the name of the Firebox as the DVCP server.
Host Name or IP Address
This is the DNS name of the unit or its external IP address.
Status Pass Phrase
This is the status (read-only) passphrase.
Configuration Pass Phrase
This is the configuration (read/write) passphrase. This is also the passphrase that you use when you configure a unit that is installed in VPN Manager.
License Key
The key on your VPN Manager License Key Certificate.
3 Click OK.
A message appears that gives the DVCP server setup.
4 Click OK.
The Firebox starts again. It is configured as a DVCP server.
Note
If you configure BOVPN tunnels with certificates for authentication, you must use the WatchGuard Security Event Processor (WSEP) to log. Because certificates use timestamps, all units in a VPN that use certificates for authentication must use the same time registration procedure.
Managing the Certificate Authority
You can control different items of the certificate authority on the Firebox with the Web-based CA manager.
1 After you start the CA on the Firebox, get access to the Web-based Certificate Authority Settings pages. You can use any of these methods:
- From the System Manager Main Menu, click Tools > Advanced > CA Manager.
- From VPN Manager, click Resources > CA Manager.
- From VPN Manager, click the CA Manager icon (shown at the right side).
Connect the VPN Manager and System Manager to the Firebox you use as a DVCP server.
2 Type the Firebox configuration passphrase.
The main menu of the Certificate Authority Settings pages appears.
3 From the main menu, you can select the task you want to do:
Generate a New Certificate
Type a subject standard name, organizational unit, password, and certificate lifetime to make a new certificate.
- For MUVPN users, the standard name must agree with the username of the remote user.
- For Firebox users, the standard name must agree with the Firebox identifier (normally, its IP address).
- For a generic certificate, the standard name is the name of the user.
Note
Type the organizational unit specification only if you make certificates for MUVPN users. Do not use this for other types of VPN tunnels. The unit name should appear in this format:
GW:<vpn gateway name>, where <vpn gateway name> is the value of config.watchguard.id in the configuration file of the gateway Firebox.
Publish a Certificate Revocation List (CRL)
Make the CA publish the CRL to all certificate-holding clients.
Publish the CA Certificate
Print a copy of the CA (root) certificate to the screen, so you can manually save it to the client.
Find and Manage Certificates
Give the serial number, standard name or organizational unit of a certificate to find it in the database. Alternatively, instead of one specific certificate, you can search for only valid, cancelled, or expired certificates. The results of the search appear on the List Certificates page, described below.
List and Manage Certificates
See a list of certificates that are in the database. Select the certificates to publish, cancel, put back or erase. For information how to do this with certificates, see the section that follows.
Upload CA Credentials
Use this page to make the certificate authority on a Firebox the secondary to the master CA. The master CA makes a private key and certificate for the Firebox. Type the name of the file that contains the key and certificate for the Firebox.
Upload Certificate Request
Use this page to install a certificate from a third party. Type the name and organizational unit of the subject and click Browse to find the certificate file.
Managing certificates from the CA Manager
You use the List and Manage Certificates page to publish, cancel, put back, or erase certificates:
1 From the List and Manage Certificates page, select the serial number of the certificate to change.
The certificate data appears.
2 From the Choose Action drop-down list, select one of the following options, and then click GO:
Publish (PEM)
Publishes the certificate in Privacy Enhanced Mail (PEM) format, which uses a protocol for secure Internet mail. This lets you save the certificate as a file and upload it to a third-party unit.
Publish (PKC12)
Publishes the certificate in PKCS12 format, the format that most Web browsers use. This lets you save the certificate as a file and upload it to a third-party unit.
Revoke
Cancels a certificate. This does not publish a Certificate Revocation List (CRL).
Reinstate
Puts back a previously cancelled certificate.
Destroy
Erases a certificate.
Restarting the CA
When the CA root certificate expires, you must start the CA again to make it to install a new root certificate.
From System Manager:
1 Click the Main Menu button (shown at right side). Click Management > Restart CA.
2 Click Yes to confirm.
3 Type the Firebox configuration (read/write) passphrase.
4 When prompted, click Yes.
CHAPTER 20
Configuring RUVPN with PPTP
Remote User Virtual Private Networking (RUVPN) uses Point-to-Point Tunneling Protocol (PPTP) to make a secure connection. It gives support to 50 users at the same time for each Firebox and operates with each type of Firebox encryption. You must configure the Firebox and the remote host computers of the RUVPN user.
RUVPN users can authenticate to the Firebox or to a RADIUS authentication server.
Configuration Checklist
Before you configure a Firebox to use RUVPN, record this information:
• The IP addresses for the remote client during RUVPN sessions. These IP addresses cannot be addresses that the network behind the Firebox uses.
The safest procedure to give addresses for RUVPN users is to install a “placeholder” secondary network with a range of IP addresses. Then, select an IP address from that network range. For example, create a new subnet as a secondary network on your trusted network 10.10.0.254/24. Select 10.10.0.0/27 for your range of PPTP addresses. For more information, see “IP Addressing” on page 182.
• The IP addresses of the DNS and WINS servers that resolve IP addresses to host alias names.
• The user names and passwords of users that are approved to connect to the Firebox with RUVPN.
Encryption levels
Because of export limits on high encryption software, WatchGuard Firebox products are put on the installation CD-ROM with only base encryption.
For RUVPN with PPTP, you can select to use 128-bit encryption or 40-bit encryption. U.S. domestic versions of Windows XP have 128-bit encryption enabled. You can get a strong encryption patch from Microsoft for other versions of Windows. The Firebox always tries to use 128-bit encryption first. It uses 40-bit encryption (if enabled) if the client cannot use the 128-bit encrypted connection.
For more information about encryption and PPTP tunnels, see the FAQ: https://www.watchguard.com/support/AdvancedFaqs/pptp_tunnelencryp.asp
If you do not live in the U.S. and you must have strong encryption on your LiveSecurity Service account, send an e-mail to [email protected] and include in it:
• Your LiveSecurity Service key number
• Date of purchase
• The name of your company
• Company mailing address
• Telephone number and name
• E-mail address to reply to.
If you live in the U.S., you must download the strong encryption software from your archive page in the LiveSecurity Service Web site. Go to www.watchguard.com, click Support, log into your LiveSecurity Service account, and then click Latest Software.
Then, uninstall the initial encryption software, and install the strong encryption software from the downloaded file.
Note
To keep your current Firebox configuration, do not use the Quick Setup Wizard when you install the new software. Open System Manager, connect to the Firebox, and save your configuration file.
Configurations with a different encryption version are compatible.
Configuring WINS and DNS Servers
RUVPN clients use shared Windows Internet Name Server (WINS) and Domain Name System (DNS) server addresses. DNS changes host names into IP addresses, while WINS changes NetBIOS names to IP addresses. The trusted interface of the Firebox must have access to these servers.
Make sure that you use an internal DNS server. Do not use external DNS servers.
From Policy Manager:
1 Click Network > Configuration. Click the WINS/DNS tab.
The information for the WINS and DNS servers appears. See the figure that follows.
2 In the Primary and Secondary text boxes, type the primary and secondary addresses for the WINS and DNS servers. Type a domain name for the DNS server.
Adding New Users to Authentication Groups
Put all RUVPN users in the built-in Firebox authentication group, the pptp_users. This group contains the user names and passwords of RUVPN users. Use this group to configure the services for incoming traffic.
To get access to Internet services (such as outgoing HTTP or outgoing FTP), the remote user gives a user name and password as authenticating data. The WatchGuard System Manager software uses this information to authenticate the user to the Firebox.
From Policy Manager:
1 Click Setup > Authentication Servers.
The dialog box of the Authentication Servers appears.
2 Click the Firebox Users tab.
The information on the tab appears as you can see in the figure that follows.
3 To add a new user, click the Add button below the Users list.
The dialog box of the Setup Firebox User appears.
4 Type a user name and password for the new user.
5 Select pptp_users in the Not Member Of list. Then click the arrow to move the name to the Member Of list. Click Add.
The new user is put on the User list. The dialog box of the Setup Remote User stays open and you can add more users.
6 To close the Setup Remote User dialog box, click Close.
The Firebox Users tab appears with a list of the new configured users.
7 When all the new users are on the list, click OK.
You can use the users and groups to configure the services. Refer to the subsequent section.
Configuring Services to Allow Incoming RUVPN Traffic
RUVPN users have no access privileges through a Firebox. You must add user names or the full pptp_users group to service icons in the Services Arena. This gives remote users access to machines behind the Firebox.
WatchGuard recommends two procedures to configure the services for RUVPN traffic: an individual service or the Any service. The Any service “opens a hole” through the Firebox, which lets all traffic flow between hosts without applying firewall rules.
By individual service
In the Services Arena, double-click a service to enable for your VPN users. Set the properties that follow on the service:
Incoming
- Enabled and allowed
- From: pptp_users
- To: trusted, optional, network or host IP address, or alias
Outgoing
- Enabled and allowed
- From: trusted, optional, network or host IP address, or alias
- To: pptp_users
An example of how you can set the incoming properties for a service appears on the figure that follows.
Using the Any service
Add the Any service with these properties:
Incoming
- Enabled and allowed
- From: pptp_users
- To: trusted, optional, network or host IP address, or alias
Outgoing
- Enabled and allowed
- From: trusted, optional, network or host IP address, or alias
- To: pptp_users
Make sure that you save your configuration file to the Firebox after you make these changes.
Note
To use WebBlocker to control the access of remote users, add pptp_users to a proxy service that controls WebBlocker, such as Proxied-HTTP. Use this as an alternative to the Any service.
Activating RUVPN with PPTP
To configure RUVPN with PPTP you must enable the feature. RUVPN with PPTP adds the wg_pptp service icon to the Services Arena. This sets default properties for PPTP connections and for the traffic that flows to and from them. WatchGuard recommends you do not change the default properties of the wg_pptp service. From Policy Manager:
1 Click Network > Remote User. Click the PPTP tab.
2 Select the Activate Remote User check box.
3 If necessary, select the Enable Drop from 128-bit to 40-bit check box.
Usually, only customers outside the United States use this check box.
Enabling Extended Authentication
RUVPN with extended authentication lets users authenticate to a RADIUS authentication server as an
1 Select the Use RADIUS Authentication to authenticate remote users check box. Refer to the last figure.
2 Configure the RADIUS server with the Authentication Servers dialog box. Refer to Chapter 10,
“Creating Aliases and Implementing Authentication.”
3 On the RADIUS server, add the user to the pptp_users group.
Entering IP Addresses for RUVPN Sessions
RUVPN with PPTP supports 50 users at the same time, although you can configure a much larger number of client computers. The Firebox gives an unused IP address to each incoming RUVPN user from a group of available addresses, until all the addresses are in use. After the user closes a session, the address goes back into the available group, and the next user who logs in gets this address.
From the PPTP tab of the Remote User Setup dialog box:
1 Click Add.
The Add Address dialog box appears. See below.
2 From the Choose Type drop-down list, select a host or a network.
You can configure 50 addresses. If you select a network address, RUVPN with PPTP uses the first 50 addresses in the subnet.
3 In the Value text box, type the host or network address in slash notation. Click OK.
Type IP addresses that are not in use anywhere on your networks, so that the Firebox can give them to clients during RUVPN with PPTP sessions. The IP address appears in the list of addresses available to remote clients.
4 Do the procedure again to configure all the addresses for use with RUVPN with PPTP.
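The address-pool behaviour described in this section, modelled in Python as an added example. This is illustrative code written for this guide, not WatchGuard firmware: the class and method names are this example's own, and treating “the first 50 addresses in the subnet” as the first 50 usable host addresses is an assumption.

```python
"""Added example: a model of the RUVPN with PPTP address pool.

Not WatchGuard firmware. Pool entries are the host or network addresses typed
in slash notation in the Add Address dialog box; a network entry contributes
at most its first 50 host addresses (assumption), the pool never holds more
than 50 addresses, and an address freed by a logout is the next one handed out.
"""
import ipaddress
from collections import deque
from typing import Dict, Iterable, List

MAX_PPTP_USERS = 50  # concurrent-session limit stated in the guide


class PptpAddressPool:
    """Hands out one address per session and recycles freed addresses first."""

    def __init__(self, entries: Iterable[str]) -> None:
        self._free: deque = deque()                          # open addresses
        self._leases: Dict[str, ipaddress.IPv4Address] = {}  # user -> address
        for entry in entries:
            self._add_entry(entry)

    def _add_entry(self, entry: str) -> None:
        """Add a host (/32) or network entry typed in slash notation."""
        net = ipaddress.ip_network(entry, strict=False)
        if net.num_addresses == 1:
            candidates: List[ipaddress.IPv4Address] = [net.network_address]
        else:
            # A network entry contributes at most the first 50 addresses
            candidates = list(net.hosts())[:MAX_PPTP_USERS]
        for addr in candidates:
            if self.capacity >= MAX_PPTP_USERS:
                break                        # the pool never exceeds 50 addresses
            if addr not in self._free and addr not in self._leases.values():
                self._free.append(addr)

    @property
    def capacity(self) -> int:
        return len(self._free) + len(self._leases)

    @property
    def available(self) -> int:
        return len(self._free)

    def login(self, user: str) -> ipaddress.IPv4Address:
        """Give the next open address to a user; fails when all 50 are in use."""
        if user in self._leases:
            raise RuntimeError(f"{user} already has a PPTP session")
        if not self._free:
            raise RuntimeError("all RUVPN with PPTP addresses are in use")
        addr = self._free.popleft()
        self._leases[user] = addr
        return addr

    def logout(self, user: str) -> ipaddress.IPv4Address:
        """Return the address to the pool; the next login reuses it."""
        addr = self._leases.pop(user)
        self._free.appendleft(addr)
        return addr


def demo() -> tuple:
    # Constructed sample: one host entry and one network entry, as typed in the
    # Add Address dialog box. The /24 only contributes 49 addresses because the
    # host entry already uses one of the 50 slots.
    pool = PptpAddressPool(["10.10.10.1/32", "192.168.200.0/24"])
    alice = pool.login("alice")
    bob = pool.login("bob")
    pool.logout("alice")
    carol = pool.login("carol")            # gets the address alice released
    return str(alice), str(bob), str(carol), pool.capacity, pool.available


def exhaustion_demo() -> tuple:
    """Fill a /24 pool: only 50 sessions fit; the 51st login is refused."""
    pool = PptpAddressPool(["192.168.200.0/24"])
    for i in range(MAX_PPTP_USERS):
        pool.login(f"user{i}")
    try:
        pool.login("user50")
        refused = False
    except RuntimeError:
        refused = True
    return pool.capacity, pool.available, refused


if __name__ == "__main__":
    print(demo())
    print(exhaustion_demo())
```

The point to take from the model is that the user limit is really an address limit: a /24 typed as a network entry still yields only 50 sessions, and the first 50 addresses of that subnet must be unused elsewhere, because the Firebox hands them to whichever remote host connects next.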
Configuring Debugging Options
WatchGuard gives a selection of logging options you can set to collect information and aid with troubleshooting. These debugging options can increase the log message volume, which can have an effect on Firebox performance. WatchGuard recommends you use them only to troubleshoot RUVPN problems.
1 From Policy Manager, click Network > Remote User VPN .
The Remote User Setup window appears with the Mobile User VPN tab selected.
2 Click the PPTP tab.
3 Click Logging .
The PPTP Logging dialog box appears.
4 Click the logging options to start.
To see the function of each option, right-click it, and then click What’s This? You can also refer to the “Field Definitions” chapter in the Reference Guide.
5 Click OK . Save the configuration file to the Firebox.
Preparing the Client Computers
You must first prepare each computer that you use as an RUVPN with PPTP remote host, with this:
• Operating system software
• Device drivers
• Internet service provider (ISP) account
• Public IP address.
After you installed these items, do the procedures in this section:
• Install the necessary version of Microsoft Dial-Up Networking and the necessary service packs
• Prepare the operating system for VPN connections
• Install a VPN adapter (not necessary for all operating systems).
Installing MSDUN and Service Packs
It can be necessary to install these options for correct configuration of RUVPN:
• MSDUN (Microsoft Dial-Up Networking) upgrades
• other extensions
• service packs.
For RUVPN with PPTP, it is necessary to install these upgrades:
Platform        Encryption          Application (service pack to install)
Windows NT      Base (40-bit)       SP4
Windows NT      Strong (128-bit)    SP4
Windows 2000    Base (40-bit)*      SP2
Windows 2000    Strong (128-bit)    SP2
*40-bit encryption is the default for Windows 2000. If you upgrade from Windows 98 with strong encryption, Windows 2000 automatically sets strong encryption for the new installation.
To install these upgrades or service packs, go to the Microsoft Download Center Web site at: http://www.microsoft.com/downloads/search.asp
Windows NT Platform Preparation
To prepare a Windows NT remote host, you must select PPTP as your protocol. Then, select the number of VPNs and set up remote access.
From the Windows NT Desktop of the client computer:
1 Click Start > Settings > Control Panel . Double-click Network .
2 Click the Protocols tab.
3 Click Add .
4 Click Point To Point Tunneling Protocol .
5 Select the number of VPN connections.
Unless a different host connects to this computer, there is only one VPN necessary.
6 In the Remote Access Setup box, click Add .
7 Select VPN on the left. Select VPN2-RASPPTPM on the right side.
8 Click Configure for the new unit.
9 Click Dial Out Only . Click Continue .
10 Click OK .
11 Restart the computer.
Adding a domain name to a Windows NT workstation
It is frequently necessary for remote clients to connect to a domain behind the firewall. To do this, the remote client must identify the domain. To add a domain it is necessary to install the Computer Browser Network Service. From the Windows NT Desktop:
To install a Computer Browser Service
1 Click Start > Settings > Control Panel . Double-click Network .
The Network dialog box appears.
2 Click the Services tab.
3 Click Add .
4 Select Computer Browser .
5 Browse to find the installation directory. Click OK .
6 Start the workstation again.
To add a new domain
1 Click Start > Settings > Control Panel . Double-click Network .
The Network dialog box appears.
2 Click the Protocols tab.
3 Select Computer Browser . Click Properties .
4 Type the domain name of the remote network.
You can add more domain names during the same configuration session.
5 Click OK .
6 Start the workstation again.
Installing a VPN adapter on Windows NT
To prepare the basic platform, you must install and configure a VPN adapter.
From the Windows NT Desktop of the remote host:
1 Double-click My Computer .
2 Double-click Dial-Up Networking .
If you did not configure an entry before, Windows helps you through the set up of a dial-up configuration. Type the host name or IP address of the Firebox in the text box for a telephone number. When ready, you must see a Dial-Up Networking dialog box with the default button Dial.
3 Click New to make a new connection. If you are prompted to use the wizard, type a special connection name, and then select the I Know All About check box.
4 Click the Basic tab. Configure these properties:
Phone Number : Firebox IP address
Entry Name : Connect to RUVPN (or the alternative you prefer)
Dial Using : RASPPTPM (VPN1) adapter
Use Another Port if Busy : enabled
5 Click the Server tab. Configure these properties:
PPP : Windows NT, Windows 95 Plus, Internet
TCP/IP : enabled
Enable Software Compression : enabled
6 Click the Security tab. Configure these properties:
Accept Only Microsoft Encrypted Authentication : enabled
Require Data Encryption : enabled
7 Click OK .
Windows 2000 Platform Preparation
To prepare a Windows 2000 remote host, you must configure the network connection.
From the Windows Desktop of the client computer:
1 Click Start > Settings > Dial-Up Network and Connections > Make New Connection .
The Network Connection wizard appears.
2 Click Next .
3 Select Connect to a private network through the Internet . Click Next .
4 Type the host name or IP address of the Firebox external interface. Click Next .
5 Select if the connection is for all users or only the logged-on user. Click Next .
6 Type a name for the new connection, for example, “Connect with RUVPN.” Click Finish .
Windows XP Platform Preparation
To prepare a Windows XP remote host, you must configure the network connection. (Because the PPTP functionality is built into Windows XP, you do not have to install a VPN adapter).
From the Windows Desktop of the client computer:
1 Click Start > Control Panel > Network and Internet Connections .
The Network Connection wizard appears.
2 Click Next .
3 Click Connect to the network at my workplace . Click Next .
4 Click Virtual Private Connection . Click Next .
5 Give the new connection a name, such as “Connect with RUVPN.” Click Next .
6 Click Automatically dial this initial connection . Click Next .
7 Type the host name or IP address of the Firebox external interface. Click Next .
8 Click Finish .
Starting RUVPN with PPTP
The connect procedure is the same for all Windows platforms. From the Windows Desktop:
1 Make an Internet connection through a Dial-Up Network or directly through a LAN or WAN.
2 Double-click My Computer . Double-click Dial-Up Networking .
3 Double-click the dial-up networking connection for your PPTP connection to the Firebox.
4 Enter the remote client user name and password.
5 Click Connect .
Running RUVPN and Accessing the Internet
You can enable remote users to get access to the Internet through a RUVPN tunnel. But this option has an effect on security, because all of the remote host’s Internet traffic then passes through your network. See “Network Topology” on page 183.
1 When you set up your connection on the client computer, select the Use default gateway on remote network check box. In Windows NT, this check box is in the TCP/IP Settings dialog box. In Windows 2000 and Windows XP, this check box is on the Advanced TCP/IP Settings dialog box.
2 On the Firebox, make a dynamic NAT entry from VPN to external. To make sure that only some PPTP users can do this, make entries from <virtual IP address> to External.
3 Configure your Outgoing service to let outgoing connections from pptp_users to the external interface. If you use WebBlocker to control remote user Web access, add pptp_users to the service that controls WebBlocker (like Proxied-HTTP).
Making Outbound PPTP Connections From Behind a Firebox
If necessary, you can make a PPTP connection to a Firebox from behind a different Firebox. For example, a remote user visits a customer office that has a Firebox and wants a PPTP connection to the home network. For the local Firebox to pass the outgoing PPTP connection correctly, a PPTP service must be set up as follows:
1 Add the PPTP service. (For information on enabling services, see Chapter 8, “Configuring Filtered Services.”)
2 Click Setup > NAT , and make sure the check box Enable Dynamic NAT is selected. This is the default parameter for a Firebox in routed mode.
Making Outbound IPSec Connections From Behind a Firebox
1 Add the IPSec service.
2 On the Incoming and Outgoing tabs, select Enabled and Allowed .
3 Click Setup > NAT , and make sure the check box marked Enable Dynamic NAT is selected. This is the default property for a Firebox in routed mode.
The Any to Any configuration of the IPSec packet filter is not a security risk in routed mode, because only the external IP address answers incoming IPSec connections. In drop-in mode, the same configuration opens these ports for all public computers. IPSec is an authenticated protocol, but you can still put a limit on the incoming IPSec connections when you add this service. If you use BOVPN, make sure that this limit does not stop BOVPN IPSec traffic from reaching the Firebox external IP.
CHAPTER 21
Configuring BOVPN with Basic DVCP
Dynamic VPN Configuration Protocol (DVCP) is the WatchGuard-proprietary protocol to make IPSec tunnels. To create VPN tunnels between devices in a hub-and-spoke configuration, use Basic DVCP.
The Basic DVCP server is a Firebox at the center of a group of DVCP clients. This server controls the VPN connections between two devices. It keeps all policy information, network address ranges and tunnel properties, including encryption, timeouts and authentication. DVCP clients get this information from the server. Clients keep only a name, shared key and the IP address of the external interface of the server.
With the DVCP Client Wizard you can configure a Firebox as a DVCP server and create tunnels to a client.
The clients then connect to the server and automatically download the necessary information to safely create a VPN tunnel.
Note
The Firebox X500 does not use BOVPN unless you purchase the BOVPN Upgrade. Firebox X700, Firebox X1000 and Firebox X2500 use BOVPN after you register the device with LiveSecurity Service. To upgrade the Firebox X500 to use BOVPN, see “Enabling the BOVPN Upgrade” on page 222.
Configuration Checklist
You must have this information to configure BOVPN with DVCP:
• The IP address of the Firebox that is the Basic DVCP server (this must be a static public address).
• The IP network addresses for the networks to connect with VPNs.
• A shared passphrase, known as a shared secret.
Creating a Tunnel to a Device
Note
The network address for the trusted network of a Firebox cannot be the same as another trusted Firebox network if these Fireboxes are connected in a branch office VPN configuration. If you use DVCP or if you configure the VPN tunnels manually, make sure the trusted networks have different addresses.
Create a tunnel with Policy Manager:
1 Click Network > Branch Office VPN > Basic DVCP Server .
The Basic DVCP Server Configuration dialog box appears, and shows the clients that are configured to use DVCP.
2 Click Add .
The DVCP Client Wizard starts.
3 Type a unique name for the DVCP client.
This client name appears in the Policy Manager Basic DVCP Server Configuration dialog box you see above. It also appears on the Front Panel tab of Firebox System Manager, in the Tunnel Status display.
4 Type the shared key to use for encryption on the client and server. Click Next .
Note
The DVCP client name and the Shared Key are case-sensitive. The DVCP Client name and Shared Key must match the values you type in the SOHO 6 or Edge configuration pages.
5 Type the IP address of the network or host to which the DVCP client can connect.
6 Select a client type, and then type the virtual network or IP address this client must use for connections. Note that this IP address or subnet must not be the same as on any other Firebox networks. Click Next .
Telecommuter IP Address
A Firebox X Edge or SOHO 6 uses one IP address. Set this as the virtual IP address for the trusted network of the Firebox to which the device connects.
Private Network
(Recommended) This gives the device a full network address range.
7 From the Type drop-down list, select an encryption type:
ESP (Encapsulating Security Payload)
Does encryption and authentication, or only encryption or only authentication
AH (Authentication Header)
Does only authentication
8 From the Authentication drop-down list, select an authentication procedure:
None
No authentication
MD5-HMAC
128-bit algorithm
SHA1-HMAC (Recommended)
160-bit algorithm
9 If you select ESP from the Type drop-down list, use the Encryption drop-down list to select an encryption method.
None
No encryption
DES-CBC (Recommended)
56-bit encryption. A 56-bit DES key can be recovered by brute force with modest hardware, so choose 3DES-CBC or an AES option when the client device supports it.
3DES-CBC
168-bit encryption
AES-CBC-128
128-bit AES encryption
AES-CBC-196
192-bit AES encryption (AES key sizes are 128, 192 and 256 bits; the 196 in the option name is not a key size)
AES-CBC-256
256-bit AES encryption
10 Type the key lifetime in kilobytes, hours, or both kilobytes and hours.
If you set both, the key expires at whichever limit is reached first. A setting of zero means no limit. If the VPN will pass 8 MB of traffic in much less than 24 hours, we recommend that you set hours to 24 and kilobytes to 0, so that the key is renewed on a time schedule rather than after a small amount of traffic.
11 Click Next . Click Finish . Save the configuration to the Firebox.
The new policy appears in the Basic DVCP Server Configuration dialog box. The WatchGuard device can at this time be connected and configured. As part of the configuration procedure, the device will automatically download the applicable tunnel information. You must give the DVCP client administrator the client name, shared key and the IP address of the DVCP Server external interface.
Editing a tunnel to a device
Note
If you change any properties of a DVCP tunnel, you must start the client again. When the client starts again, it will contact the Basic DVCP Firebox to get the updated information. If the client does not start again to get the new information the tunnel will not start at all, or the tunnel will not start again when the key expires.
From Policy Manager:
1 Click Network > Branch Office VPN > Basic DVCP Server .
The Basic DVCP Server Configuration dialog box appears.
2 Select the DVCP client to examine. Click Edit .
The DVCP Client Wizard opens and displays the tunnel properties.
3 Use the Next and Back buttons to move through the DVCP Client Wizard and configure tunnel properties again.
4 On the page of the Wizard with the title Multiple Policy Configuration , you can add more policies.
You add policies for other networks that are behind the Firebox.
For example, you can allow access to the Optional network, or eth3 or eth4 or eth5, or any routed networks you have. Routed networks are in the Policy manager at Network>Routes .
5 When the configuration is completed, click Finish .
6 Save the configuration to the Firebox.
When the client connects to the server again, it automatically records the tunnel policy change and downloads the changes.
Removing a tunnel to a device
When you remove a tunnel, the DVCP client cannot connect with the server. When the DVCP client tries to connect to the server, the connection is denied.
From Policy Manager:
1 Click Network > Branch Office VPN > Basic DVCP .
2 Select the tunnel policy. Click Remove .
The policy is removed from the dialog box of the DVCP Configuration.
Configuring Logging for a DVCP Server
You can set different logging options for IPSec:
• Configuration dump after IKE interpretation
• IKE debugging messages
• Trace of IKE packets and their movements
• Certificate validation debugging.
• Disable VPN keepalive logging
Note, however, that when you add logging options you can create a high volume of log traffic, especially with IKE packet tracing. This can have an effect on VPN performance. Enable these options only to troubleshoot problems.
From Policy Manager:
1 Click Network > Branch Office VPN > Basic DVCP .
The Basic DVCP Server Configuration dialog box appears.
2 Click the Logging button on the right of the dialog box.
The IPSec Logging dialog box appears.
3 Select or clear the check boxes for the logging options you want. Save the configuration to the Firebox.
CHAPTER 22
Configuring BOVPN with Manual IPSec
You use Branch Office VPN (BOVPN) with Manual IPSec to make encrypted tunnels between a Firebox and an IPSec-compliant security device. This device can protect a branch office, or another remote site.
BOVPN with Manual IPSec is available with the WatchGuard strong encryption version at DES (56-bit) or TripleDES (168-bit).
Note
The Firebox X500 does not use BOVPN unless you purchase the BOVPN Upgrade. Firebox X700, Firebox X1000, and Firebox X2500 use BOVPN only if you register the device with LiveSecurity Service. To upgrade the Firebox X500 to use BOVPN, see “Enabling the BOVPN Upgrade” on page 222.
Note
You cannot configure a Manual IPSec tunnel with a Firebox or device that is configured as a DHCP or PPPoE client. The two devices must have static public IP addresses. Also, Manual IPSec tunnels do not have support for incoming static NAT.
Configuration Checklist
You must have the following information to use BOVPN with Manual IPSec:
• Public IP addresses for the two ends of the tunnel
• Policy endpoints — IP addresses of special hosts or networks that operate on the tunnel
• Encryption method (the two ends of the tunnel must use the same encryption method)
• Authentication method
Configuring a Gateway
A gateway is a connection point for one or more tunnels. The key negotiation method you set on the gateway (for example, ISAKMP automated key negotiation) is used by every tunnel made with the device at the other end of the tunnel.
Adding a gateway
To start IPSec tunnel negotiation, one peer must connect to the other. To do this, you can use an IP address or a DNS name. If the peer has a dynamic address, you cannot use an IP address.
If the peer uses dynamic DNS, you can configure the Firebox to use dynamic DNS. The Firebox then resolves the DNS name to an IP address, and the negotiation can start. To configure this, set the ID type of the remote gateway to Domain Name, and set the name of the peer to its fully qualified domain name. Set the DNS server of the Firebox to one that can resolve the name, usually an internal DNS server.
From Policy Manager:
1 Click Network > Branch Office VPN > Manual IPSec .
The IPSec Configuration dialog box appears. The Manual IPSec menu option is not enabled if you have a Firebox X500 and did not get the BOVPN Upgrade.
2 Click Gateways .
The Configure Gateways dialog box appears.
3 To add a gateway, click Add .
The Remote Gateway dialog box appears.
4 In the Name text box, type the gateway name.
This name identifies the gateway only in the Policy Manager.
5 From the Key Negotiation Type drop-down list, select ISAKMP (dynamic) or Manual .
6 From the Remote ID Type drop-down list, select IP Address, Domain Name, or User Name.
The Firebox uses IP Address and Domain Name to find the VPN endpoint. User name is a label that you use to identify the user at the VPN endpoint.
Note
WatchGuard recommends that you use the default value for the IP Address in the Remote ID Type text box. This is the external IP address of the Firebox. If you must change this value, examine the applicable interoperability document. This document has the information on the values you must use in this text box.
7 In the Gateway IP Address text box, type the IP address or identification of the gateway.
Use the domain name as the identification if the Firebox X Edge or SOHO uses DHCP or PPPoE for its external IP address. This information is in the Firebox configuration.
8 Click Shared Key or Firebox Certificate to identify the authentication procedure that you want to use. If you select Shared Key , type the shared key.
These selections are available only for ISAKMP-negotiated gateways. You must use the same key at the remote device.
Note
You must start the certificate authority on the Firebox if you select to authenticate with certificates. For information on this, see Chapter 19, “Activating the Certificate Authority on the Firebox.” In addition, if you use certificates, you must use the WatchGuard Security Event Processor for logging.
9 To configure Phase 1, click More .
The Phase 1 properties fields appear. Phase 1 applies to the initial phase of the IKE negotiation. It contains authentication, session negotiation, and key change information.
10 From the Local ID Type drop-down list, select IP Address , Domain Name , or User Name .
The Firebox uses IP Address and Domain Name to find the VPN endpoint. User name identifies the user at the VPN endpoint.
Note
For VPN tunnels with WatchGuard devices, WatchGuard recommends you use the default value in the Local ID Type field. This is the external IP address of the Firebox. If you must change this value, examine the applicable interoperability document. This document has the information on the values you must use in this field.
11 From the Authentication drop-down list, select the type of authentication: SHA1-HMAC or MD5-HMAC.
12 From the Encryption drop-down list , select the type of encryption: DES-CBC or 3DES-CBC .
13 From the Diffie-Hellman Group drop-down list, select the group. WatchGuard supports groups 1 and 2.
Diffie-Hellman is a mathematical procedure to safely negotiate secret keys across a public medium. Diffie-Hellman groups are the sets of parameters (modulus and generator) used to do this. Group 2 uses a 1024-bit modulus and is more secure than group 1, which uses a 768-bit modulus, but it takes more time to make the keys.
14 If you select Diffie-Hellman group 1, select the Enable Perfect Forward Secrecy check box.
When you select this, each new key that is negotiated gets its own Diffie-Hellman exchange, instead of all keys being derived from a single exchange. Enabling this gives more security, because a compromised key does not expose the keys negotiated before or after it, but it uses more time.
15 If you select Diffie-Hellman group 2, select the Enable Aggressive Mode check box.
This mode refers to the exchange of messages in Phase 1. Aggressive Mode uses fewer messages, but it sends the peer identities unprotected, which makes a shared key easier to attack offline. Main Mode is the default mode and is preferred.
16 Type the negotiation time-outs in kilobytes, hours, or kilobytes and hours.
If you select kilobytes and hours, the time-out occurs at the time that comes first. You can type the time-out values or use the spin control to set the values.
17 When you complete the entries, click OK to get back to the IPSec Configuration dialog box .
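A pre-flight check for the gateway procedure above, written as an added example for this guide (illustrative code, not WatchGuard software). The Phase1 fields mirror the Remote Gateway dialog box; the class, function names and warning texts are this example's own. It reports the settings that must match on both ends before a tunnel can negotiate, flags choices the dialog box allows but a current deployment should avoid, and implements the key lifetime rule from step 16 (and from step 10 of the DVCP Client Wizard): the limit reached first wins, and zero means no limit.

```python
"""Added example: compare the Phase 1 settings of the two ends of a Manual
IPSec gateway. Not WatchGuard software; names are this example's own."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Phase1:
    encryption: str       # "DES-CBC" or "3DES-CBC"
    authentication: str   # "MD5-HMAC" or "SHA1-HMAC"
    dh_group: int         # 1 or 2
    aggressive_mode: bool
    pfs: bool
    shared_key: str
    lifetime_kb: int      # 0 = no kilobyte limit
    lifetime_hours: int   # 0 = no time limit


# Settings that must be identical on both peers, or Phase 1 never completes.
MUST_MATCH = ("encryption", "authentication", "dh_group", "aggressive_mode", "pfs")


def weak_settings(cfg: Phase1) -> List[str]:
    """Settings the dialog box allows but a current deployment should avoid."""
    w = []
    if cfg.encryption == "DES-CBC":
        w.append("56-bit DES is brute-forceable; use 3DES-CBC")
    if cfg.authentication == "MD5-HMAC":
        w.append("prefer SHA1-HMAC to MD5-HMAC")
    if cfg.dh_group == 1:
        w.append("DH group 1 is a 768-bit modulus; use group 2 (1024-bit)")
    if cfg.aggressive_mode:
        w.append("aggressive mode sends identities unencrypted and lets an "
                 "eavesdropper attack the shared key offline; use main mode")
    if not cfg.pfs:
        w.append("perfect forward secrecy is off; one compromised exchange "
                 "exposes every key derived from it")
    if cfg.lifetime_kb == 0 and cfg.lifetime_hours == 0:
        w.append("no key expiration; the same key protects the tunnel indefinitely")
    if len(cfg.shared_key) < 20:
        w.append("shared key is short; use a long random passphrase")
    return w


def check_pair(local: Phase1, remote: Phase1) -> Dict[str, List[str]]:
    """Return {'errors': [...], 'warnings': [...]} for a gateway pair."""
    errors, warnings = [], []
    for field in MUST_MATCH:
        a, b = getattr(local, field), getattr(remote, field)
        if a != b:
            errors.append(f"{field}: local={a!r} remote={b!r}")
    # Shared keys are compared byte for byte; a case difference is a common
    # reason for a tunnel that never comes up.
    if local.shared_key != remote.shared_key:
        errors.append("shared key differs (keys are case-sensitive)")
    if (local.lifetime_kb, local.lifetime_hours) != (remote.lifetime_kb, remote.lifetime_hours):
        warnings.append("key lifetimes differ; each end expires the SA on its own schedule")
    for side, cfg in (("local", local), ("remote", remote)):
        warnings.extend(f"{side}: {w}" for w in weak_settings(cfg))
    return {"errors": errors, "warnings": warnings}


def key_expired(cfg: Phase1, kb_used: int, hours_up: float) -> bool:
    """Lifetime rule from the guide: the limit reached first wins; 0 is no limit."""
    by_kb = cfg.lifetime_kb > 0 and kb_used >= cfg.lifetime_kb
    by_time = cfg.lifetime_hours > 0 and hours_up >= cfg.lifetime_hours
    return by_kb or by_time


# Constructed sample pair: the remote administrator typed the key in different
# case and chose MD5, so the tunnel cannot negotiate.
LOCAL = Phase1("3DES-CBC", "SHA1-HMAC", 2, False, True, "Ff7!quarry-LANTERN-42-orbit", 0, 24)
REMOTE = Phase1("3DES-CBC", "MD5-HMAC", 2, False, True, "ff7!quarry-lantern-42-orbit", 0, 24)

if __name__ == "__main__":
    result = check_pair(LOCAL, REMOTE)
    for line in result["errors"]:
        print("ERROR  ", line)
    for line in result["warnings"]:
        print("WARNING", line)
    print("expired after 23.9 h:", key_expired(LOCAL, 10**9, 23.9))
    print("expired after 24 h:  ", key_expired(LOCAL, 0, 24))
```

Run the check against the values both administrators intend to type before either of them saves a configuration; the errors list is what keeps Phase 1 from completing, and the warnings list is what you would still want to fix even when the tunnel comes up.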
Editing and removing a gateway
To change a gateway, from the Configure Gateways dialog box:
1 Select the gateway and click Edit .
The Remote Gateway dialog box appears.
2 Make the changes and click OK .
To remove a gateway from the Configure Gateways dialog box, select the gateway and click Remove .
Making a Tunnel with Manual Security
You can configure a tunnel that uses a gateway with the manual key negotiation type.
1 From Policy Manager, select Network > Branch Office VPN > Manual IPSec . Click Tunnels .
The Configure Tunnels dialog box appears.
2 Click Add .
The Select Gateway dialog box appears.
3 Select a remote gateway with the manual key negotiation type to connect with this tunnel. The Type column in the Configure Tunnels dialog box shows the key negotiation type. Click OK.
The Identity tab of the Configure Tunnel dialog box appears.
4 Type a tunnel name.
Policy Manager uses the tunnel name as an identifier.
5 Click the Phase 2 Settings tab.
6 Select the ESP or AH security type. Configure the selected security type.
The difference between the two is that ESP is authentication with encryption, while AH is authentication only. Also, ESP authentication does not cover the IP header, while AH does. The use of AH is rare.
For more information about configuring the security procedure, see “Using Encapsulated Security Protocol (ESP)” on page 217 and “Using Authenticated Headers (AH)” on page 218.
7 When you finish, click OK.
The Configure Gateways dialog box appears, and shows the new tunnel. Do the make tunnel procedure again until you complete all tunnels for this gateway.
8 After you add all tunnels for this gateway, click OK.
The Configure Gateways dialog box appears. To configure more tunnels for a second gateway, click Tunnels. Select a new gateway and do the tunnel procedure again for that gateway.
9 When all the tunnels are complete, click OK .
Using Encapsulated Security Protocol (ESP)
1 From the Encryption drop-down list, select an encryption algorithm.
Select from: None (no encryption), DES-CBC (56-bit), 3DES-CBC (168-bit), or AES encryption at 128, 192, or 256 bits.
2 From the Authentication drop-down list, select an authentication algorithm.
Select from: None (no authentication), MD5-HMAC (128-bit algorithm), or SHA1-HMAC (160-bit algorithm).
3 Select whether to clear the Type of Service (TOS).
Type of Service is used in some network hardware for QoS features. The Type of Service byte in the IP datagram header includes a 3-bit precedence field that can be used to prioritize traffic. You can clear this field to give all tunnel traffic the same priority.
4 If you want to force key expiration and rekeying, select the Force key expiration check box. Select the values for the kilobytes and hours between key expiration.
Using Authenticated Headers (AH)
1 Use the Authentication drop-down list to select an authentication method.
Select from: MD5-HMAC (128-bit algorithm) or SHA1-HMAC (160-bit algorithm).
2 Click Key . Enter a passphrase to create a key. Click OK .
The passphrase appears in the Authentication Key field. You cannot type a key here directly.
Note
If the two ends of the tunnel are Fireboxes, the remote administrator can also use the encryption and authentication passphrases. If the remote firewall host is an IPSec-compliant device of a different manufacturer, the remote system administrator must use the actual keys. You can see these keys in the dialog box of the Security Association Setup when you set up the remote IPSec-compliant device.
Making a Tunnel with Dynamic Key Negotiation
Use this method to configure a tunnel using a gateway with the Internet Security Association and Key Management Protocol (ISAKMP) key negotiation type. ISAKMP is a protocol to authenticate communication between two devices. It negotiates which security services, including encryption, the devices use, and it generates the keys used to encrypt and decrypt the data.
From the IPSec Configuration dialog box:
1 Click Tunnels .
The Configure Tunnels dialog box appears.
2 Click Add .
3 Click a gateway with ISAKMP (dynamic) key negotiation type to connect with this tunnel. Click OK .
4 Type a tunnel name.
Policy Manager uses the tunnel name to identify it.
5 Click the Phase 2 Settings tab.
The Phase 2 fields appear.
6 From the Type drop-down list, select a Security Association Proposal (SAP) type.
Select from: Encapsulated Security Payload (ESP) or Authenticated Headers (AH).
7 From the Authentication drop-down list, select an authentication procedure.
Select from: None (no authentication), MD5-HMAC (128-bit algorithm), and SHA1-HMAC (160-bit algorithm).
8 From the Encryption drop-down list, select an encryption procedure.
Select from: None (no encryption), DES-CBC (56-bit), 3DES-CBC (168-bit), and AES-CBC-128, AES-CBC-196, or AES-CBC-256 (128, 192, or 256-bit).
9 To make a new key at specified intervals, select the Force Key Expiration check box.
The ISAKMP controller makes and negotiates a new key for the session. For no key expiration, type 0 (zero) here. If you select the Force Key Expiration check box, set the number of kilobytes or the number of hours in the session. Do this before you make a new key to continue the VPN session.
10 Click OK .
The Configure Tunnels dialog box appears and shows the new tunnel. Create tunnels until you have finished all tunnels for this gateway.
11 After you add all tunnels for this gateway, click OK .
The Configure Gateways dialog box appears.
12 To configure more tunnels for a different gateway, click Tunnels . Select a new gateway and create tunnels again for that gateway.
13 When all tunnels are complete, click OK .
Making a Routing Policy
Routing policies are sets of rules for how to make outgoing IPSec packets. They also tell if incoming IPSec packets can be accepted. Policies are specified by their endpoints. These are not the same as tunnel or gateway endpoints: policy endpoints are the particular hosts or networks that communicate through the tunnel. The endpoints are attached to the Fireboxes of the tunnel (or other IPSec-compliant devices).
From the IPSec Configuration dialog box:
1 Click Add .
The Add Routing Policy dialog box appears.
2 From the Local drop-down list, select a local host or network.
3 Type the IP or network address in slash notation for the local host or network.
4 From the Remote drop-down list, select a remote host or network.
5 Type the IP address or network address in slash notation for the remote host or network.
6 From the Disposition drop-down list, select a bypass rule for the tunnel:
Secure
IPSec encrypts all traffic that agrees with the rule in related tunnel policies.
Block
IPSec does not give access to traffic that agrees with the rule in related tunnel policies.
Bypass
IPSec gives access to traffic that agrees with this rule without encryption . This traffic “bypasses” the IPSec routing policy.
Note
If you make a tunnel to a drop-in device with the protection set to Bypass, you must give a host policy for the external IP addresses of the two devices. If not, traffic to and from the external IP address does not match with the network policy set for the VPN. Make sure that Bypass policies are at the top of the policy list. Refer to “Changing IPSec policy order” on page 221.
7 When you select Secure, use the Tunnel drop-down list to select a configured tunnel.
Dynamic Key Negotiation” on page 218. To show more information about the selected tunnel, select More.
8 If necessary, create a limit on the policy to a specified source port, destination port, or protocol. Select More.
The text boxes for ports and protocol appear.
9 Type the port number for the remote host in the Dst Port text box. Do this to put a limit on the policy to one destination port.
You can select the remote host port number. The port number is the port to which WatchGuard sends traffic for the policy. To enable traffic to all ports, type zero (0).
Note
WatchGuard recommends that you put a limit on the connection ports in Policy Manager, not BOVPN.
10 From the Protocol drop-down list, select a value to put a limit on the protocol used by the policy.
Select from: * (specify ports but not protocol), TCP, and UDP.
11 To control the policy to one source port, type the local host port in the Src Port text box.
You can select the local host port number. The port number is the port from which the Firebox sends all traffic for the policy. To enable traffic from all ports, type zero (0).
Note
If you put a limit on the policy to a specified source, port, or protocol, you can accidentally stop traffic.
12 Click OK .
The IPSec Configuration dialog box appears and shows the new policy. Policies are in the sequence in which they were made. To change the sequence, see the subsequent section.
Configuring routing policies for proxies over VPN tunnels
Connections from BOVPN tunnels to the Internet, with a VPN peer as the default route, are outgoing connections and can be proxied.
From the IPSec Configuration dialog box:
1 Click Add .
The Add Routing Policy dialog box appears.
2 From the drop-down list adjacent to Local , select Network .
3 Set the IP address as 0.0.0.0/0.
4 From the Remote drop-down list, select a remote host or network.
5 Type the IP address or network address in slash notation for the remote host or network.
6 From the Disposition drop-down list, select Secure .
7 From Policy Manager, add a proxy service. Refer to “Adding a service” on page 82.
8 On the Properties tab, click Outgoing .
9 Below the From list, click Add .
10 Click Network IP Address and use the address you used for Remote in step 5.
11 Below the To list, click Add .
12 In the Members dialog box, select External .
Changing IPSec policy order
The Firebox applies policies in the recorded sequence, from the top down, in the IPSec Configuration dialog box. Initially, the policies are listed in the order in which you made them. You must manually arrange the policies from more important to less important. This is to make sure that the routing of sensitive connections goes along the higher-security tunnels. WatchGuard recommends this policy sequence:
• Host to host
• Host to network
• Network to host
• Network to network
Set policies in the same sequence at the two ends of the tunnel.
From the IPSec Configuration dialog box:
• To move a policy up in the list, select the policy. Click Move Up .
• To move a policy down in the list, select the policy. Click Move Down .
Configuring multiple policies per tunnel
If you use two or more policies for a tunnel, the sequence must be the same on each Firebox. For example, Firebox1 and Firebox2 have a tunnel between them and have Policy A and Policy B. For the tunnel to operate, both Fireboxes must list Policy A and then Policy B. If one Firebox has Policy A first and the other has Policy B first, the tunnel will not operate.
If you have more than one routing policy to a device, each routing policy must use a tunnel with a unique name. For each additional policy, add a new tunnel. Give it a unique name with the same gateway and security settings. When you add the additional routing policy, select the second tunnel name.
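The two preceding sections (routing policy dispositions with the drop-in Bypass note, and policy order on both ends of a tunnel) describe a list that the Firebox walks from the top down. The block below is an added example, not WatchGuard code, that models such a list in Python: first-match evaluation of Secure, Block and Bypass rows with their port and protocol limits, the recommended sort (Bypass rows on top, then host-to-host, host-to-network, network-to-host, network-to-network), and a check that the peer Firebox records the same policies in the same sequence. The addresses, the tunnel name A-to-B and the behaviour for traffic that matches no policy are constructed assumptions.

```python
"""Added example (not WatchGuard code): models the manual IPSec routing policy
list of the preceding sections with first-match evaluation, the recommended
ordering, and a same-sequence check between the two tunnel ends. Addresses,
tunnel and policy names below are constructed."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

DISPOSITIONS = ("Secure", "Block", "Bypass")


@dataclass(frozen=True)
class RoutingPolicy:
    """One row of the IPSec Configuration policy list (Add Routing Policy fields)."""
    local: str                       # host or network in slash notation
    remote: str
    disposition: str                 # Secure, Block or Bypass
    tunnel: Optional[str] = None     # configured tunnel name, required for Secure
    src_port: int = 0                # 0 = all ports
    dst_port: int = 0
    protocol: str = "*"              # "*" (ports but not protocol), "TCP" or "UDP"

    def __post_init__(self) -> None:
        if self.disposition not in DISPOSITIONS:
            raise ValueError(f"unknown disposition {self.disposition!r}")
        if self.disposition == "Secure" and not self.tunnel:
            raise ValueError("a Secure policy must name a configured tunnel")
        ip_network(self.local, strict=False)    # reject bad slash notation early
        ip_network(self.remote, strict=False)


def _is_host(cidr: str) -> bool:
    return ip_network(cidr, strict=False).num_addresses == 1


def order_key(p: RoutingPolicy) -> Tuple[int, int]:
    """Recommended sequence: Bypass policies on top (drop-in note), then
    host-host, host-network, network-host, network-network."""
    bypass_first = 0 if p.disposition == "Bypass" else 1
    specificity = (0 if _is_host(p.local) else 2) + (0 if _is_host(p.remote) else 1)
    return (bypass_first, specificity)


def recommended_order(policies: List[RoutingPolicy]) -> List[RoutingPolicy]:
    return sorted(policies, key=order_key)   # stable sort: ties keep their order


def matches(p: RoutingPolicy, src: str, dst: str, protocol: str,
            src_port: int, dst_port: int) -> bool:
    return (ip_address(src) in ip_network(p.local, strict=False)
            and ip_address(dst) in ip_network(p.remote, strict=False)
            and p.protocol in ("*", protocol)
            and p.src_port in (0, src_port)      # 0 = no limit on that port
            and p.dst_port in (0, dst_port))


def evaluate(policies, src, dst, protocol="TCP", src_port=0, dst_port=0):
    """Top-down first match, as the Firebox applies the list. Returns
    (disposition, tunnel); None when nothing matches (assumption: the guide
    does not say what the Firebox does with unmatched traffic)."""
    for p in policies:
        if matches(p, src, dst, protocol, src_port, dst_port):
            return p.disposition, p.tunnel
    return None


def mirror(p: RoutingPolicy) -> RoutingPolicy:
    """The same policy as the peer Firebox must record it: local/remote and
    the port limits change sides."""
    return replace(p, local=p.remote, remote=p.local,
                   src_port=p.dst_port, dst_port=p.src_port)


def same_sequence_for_tunnel(mine, theirs, tunnel) -> bool:
    """Policies for one tunnel must be in the same order at both ends:
    A then B on one Firebox and B then A on the other will not operate."""
    a = [mirror(p) for p in mine if p.tunnel == tunnel]
    b = [p for p in theirs if p.tunnel == tunnel]
    return a == b


# Constructed sample: two drop-in Fireboxes whose external addresses lie inside
# the networks the tunnel carries. Per the drop-in note, the two external
# addresses get a Bypass host policy, and it only takes effect if it sits above
# the Secure network policy that would otherwise match first.
FIREBOX_A_EXT, FIREBOX_B_EXT = "10.1.0.1", "10.2.0.1"
SITE_A = [   # in creation order, with the Bypass row wrongly at the bottom
    RoutingPolicy("10.1.0.0/16", "10.2.0.0/16", "Secure", tunnel="A-to-B"),
    RoutingPolicy("10.1.0.5/32", "10.2.0.0/16", "Secure", tunnel="A-to-B"),
    RoutingPolicy("10.1.0.5/32", "10.2.0.7/32", "Block", dst_port=23, protocol="TCP"),
    RoutingPolicy(FIREBOX_A_EXT + "/32", FIREBOX_B_EXT + "/32", "Bypass"),
]
ORDERED_A = recommended_order(SITE_A)
SITE_B_GOOD = [mirror(p) for p in ORDERED_A]                # peer copies the sequence
SITE_B_SWAPPED = SITE_B_GOOD[:2] + SITE_B_GOOD[2:][::-1]    # peer has the Secure rows reversed

if __name__ == "__main__":
    print(evaluate(SITE_A, FIREBOX_A_EXT, FIREBOX_B_EXT, "UDP", 500, 500))     # ('Secure', 'A-to-B')
    print(evaluate(ORDERED_A, FIREBOX_A_EXT, FIREBOX_B_EXT, "UDP", 500, 500))  # ('Bypass', None)
    print(evaluate(ORDERED_A, "10.1.0.5", "10.2.0.7", "TCP", 40000, 23))       # ('Block', None)
    print(same_sequence_for_tunnel(ORDERED_A, SITE_B_GOOD, "A-to-B"),
          same_sequence_for_tunnel(ORDERED_A, SITE_B_SWAPPED, "A-to-B"))       # True False
```

Note that the peer side is built by mirroring the already ordered list rather than by sorting it again: a host-to-network policy on one Firebox is a network-to-host policy on the other, so re-sorting each side independently can produce different sequences, which is exactly what the guide says breaks the tunnel.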
Configuring services for BOVPN with IPSec
Access control is a very important part of configuring a secure VPN connection. If a hacker gets access to computers on the branch office VPN network, the attacker can get a secure tunnel to your network.
The users on the remote Firebox are not in the trusted network. You must configure the Firebox to let traffic through the VPN connection. A fast procedure is to make a host alias that is related to the VPN remote networks and hosts. Then, you can use the host alias or manually type the remote VPN networks and hosts when you configure these service properties:
Incoming
• Enabled and Allowed
• From: Remote VPN network, hosts, or host alias
• To: Trusted or selected hosts.
Outgoing
• Enabled and Allowed
• From: Trusted network or selected hosts
• To: Remote VPN network, hosts, or host alias.
For more information on configuring services, see “Configuring a Service,” on page 77.
Let VPN access any service
To let all traffic through from VPN connections, add the Any service to the Services Arena and configure it.
Let VPN access specific services
To let traffic through from VPN connections only for specified services, add each service to the Services Arena and configure them.
Enabling the BOVPN Upgrade
Although the factory default Firebox X500 does not use BOVPN, you can get a license key to enable this feature. Firebox X700, Firebox X1000, and Firebox X2500 can use BOVPN if you register the device with LiveSecurity Service.
The BOVPN Upgrade is available from your local reseller. For more information about how to get WatchGuard options, go to: http://www.watchguard.com/sales/
To enable the BOVPN after you receive your license key:
1 From Policy Manager, click Setup > Firebox Model. Make sure that Firebox III/500 or Firebox X500 is selected.
2 From Policy Manager, click Network > Branch Office VPN > Manual IPSec .
The IPSec Configuration dialog box appears.
3 Click the License button.
The IPSec Branch Office License dialog box appears.
4 Type your license key in the text box to the left of the Add button. Click Add .
CHAPTER 23
Configuring IPSec Tunnels with VPN Manager
With WatchGuard VPN Manager you can create secure VPN tunnels quickly with drag-and-drop tunnels, templates, and a simple wizard. With VPN Manager, you make fully authenticated and encrypted IPSec tunnels in minutes.
From the VPN Manager interface, you can control and monitor the tunnels and monitor the status of the WatchGuard devices that are at the endpoints of the tunnels.
VPN Manager also gives you a safe method to control Firebox X Edge and Firebox SOHO 6 devices from a distance. For more information, see “Managing the Firebox X Edge or SOHO 6” on page 243.
A VPN Manager configuration has one DVCP Server and some DVCP Clients. The DVCP Client makes an encrypted connection to the DVCP Server to look for new VPN settings. The client connects again when the DVCP lease expires.
With VPN Manager you can have a group of many Firebox III and Firebox X devices, Firebox X Edge devices, and SOHO or SOHO 6 devices that have VPN tunnels between them. The DVCP cluster uses one DVCP Server that can manage all the DVCP Clients, and all the VPNs between them.
Because the DVCP Server Firebox is a device in the VPN Manager configuration, the DVCP Server is also a DVCP Client. It is a client of itself.
For more information on how to monitor tunnels with VPN Manager, see Chapter 24, “Monitoring VPN
Note
Firebox 500 does not support BOVPN, unless you get the BOVPN Upgrade. Firebox X700, Firebox X1000, and Firebox X2500 support BOVPN only if you register the device with LiveSecurity Service. You can add a Firebox 500 to VPN Manager as a device, but you cannot make tunnels to a Firebox 500 if it does not have the BOVPN upgrade.
To upgrade the Firebox 500 to give support to BOVPN, see “Enabling the BOVPN Upgrade” on page 222.
Steps in making VPNs with VPN Manager
To configure VPN Manager, do as follows:
• Configure a Firebox as a DVCP Server and Certificate Authority (CA)
This step automatically adds the DVCP Server Firebox as a DVCP Client device. The DVCP Server Firebox is a DVCP Client of itself.
• Configure the other DVCP Client devices to give remote access from the DVCP Server
• Add Fireboxes, Firebox X Edge devices or SOHO 6 devices to the VPN Manager device record
• (Dynamic devices only) Configure the Firebox, Edge or SOHO 6 as a DVCP Client
• Make policy templates to configure the networks that have access through the VPN tunnels
• Make security templates to set the encryption type and authentication type
• Make tunnels between the devices.
Configuring a Firebox as a DVCP Server and CA
The first step to make a VPN tunnel with VPN Manager is to add the first device to VPN Manager. The first device is the DVCP Server. To add the server, follow the procedure in Starting VPN Manager . This procedure also automatically starts the Certificate Authority (CA) on the Firebox. If you started to use a different CA on the Firebox, you can keep that CA.
You do not have to use VPN Manager to use the Firebox Certificate Authority. For example, you can use the CA only to make the certificates for MUVPN connections. For information about the Firebox as a DVCP Server and CA when you do not use VPN Manager, see Chapter 19, “Activating the Certificate Authority on the Firebox”.
Note
It does not matter if you start the DVCP Server on the Firebox from the Policy Manager by clicking Network > DVCP Server, which is described in Chapter 19. To use the Firebox as a VPN Manager DVCP Server, you must add the DVCP Server to the VPN Manager configuration.
Starting VPN Manager
Adding the DVCP Server
1 Click Start > Programs > WatchGuard > VPN Manager .
If VPN Manager starts for the first time, the New Server dialog box appears.
2 Complete the New Server dialog box:
- Type a display name for the DVCP Server
This is a user-friendly name only. The DVCP Server Firebox shows this name as an easy method to identify it in VPN Manager when you add many devices. The other devices you add to VPN Manager can also have user-friendly names.
- Type the host name or IP address
This is the device DNS name or its external IP address. WatchGuard recommends that you use the Firebox external interface IP address.
- Type the status (read-only) and configuration (read-write) passphrases
- Type the VPN Manager License Key.
You get the VPN Manager License Key from the LiveSecurity® Web site, at Manage Products.
- Click OK
3 Click Yes to accept the End User Licensing Agreement.
- If you have activated the Certificate Authority (CA), you are prompted to keep the same CA.
Click Yes to keep the CA or click No to start a new CA. We recommend that you keep the CA.
- If you did not activate the CA, or if you clicked No in the previous step to start a new CA, complete the Certificate Information dialog box:
4 VPN Manager looks for the DVCP Server Firebox and adds it to the VPN Manager configuration. A message appears. Click OK .
The DVCP Server Firebox reboots.
The VPN Manager UI appears. See the figure that follows.
Giving the DVCP Server Remote Access
When the VPN Manager operates on a remote host that is not the DVCP Server, you must allow incoming access.
Configure Firebox III and Firebox X devices to allow the DVCP Server to contact them
At the DVCP Client Firebox, from Policy Manager:
1 Double-click the WatchGuard icon, shown at right, in the Services Arena.
2 On the Incoming tab, select Enabled and Allowed .
3 Below the From field, click Add .
The Add Address dialog box appears.
4 Click Add Other .
The Add Member dialog box appears.
5 From the Choose Type drop-down list, click Host IP Address .
6 In the Value text box, type the external interface IP address of the DVCP Server Firebox. Click OK .
7 Below To , click Add .
The Add Address dialog box appears.
8 Click Firebox . Click Add . Click OK .
9 Save this configuration to the Firebox. From the Policy Manager click File > Save > To Firebox.
Configure SOHO 6 and Firebox X Edge devices to allow the DVCP Server to contact them
At the SOHO 6 or the Edge, open a browser and open the Web management interface for the device.
Do the following:
1 Click Administration > VPN Manager Access from the menu on the left side.
2 Select the Enable VPN Manager Access checkbox.
3 Type the status passphrase, and then type it again to confirm it. Type the configuration passphrase and type it again to confirm it.
4 Click the Submit button.
For detailed information about accessing the Web management interface of a SOHO 6 or Firebox X Edge, see the User Guide for that product.
Adding Devices to VPN Manager
Next, you can add any device that is managed by the DVCP Server. These devices are called DVCP Clients.
The DVCP Server was added as a managed device. The DVCP Server is a DVCP Client of itself.
Note
You can add a factory default Firebox 500 to VPN Manager as a device, but you cannot make tunnels to
From VPN Manager:
1 Select the Device or the VPNs tab. Click Edit > Insert Device .
The WatchGuard Device Wizard appears.
2 Click Next .
3 Type a display name for the device.
This is a name that you select. It is not connected to the DNS name of the device.
4 From the Device Type drop-down list, select the model of the device and the external interface configuration mode (static or dynamic). The choices are:
- SOHO
- SOHO using Dynamic IP Address
- Edge
- Edge using Dynamic IP Address
- Firebox
- Firebox using Dynamic IP Address
5 If the device has a static external IP address, type the host name or IP address.
This is a DNS name, not the name you used in Step 3. If you do not register the device with DNS, use the external interface IP address.
6 If the device has a dynamic external IP address, type the Unique Name or ID.
This must be the very same name you use when you configure the dynamic device as a DVCP Client. Refer to
sensitive. If the Edge or SOHO has dynamic DNS, use the dynamic DNS name of the device.
7 Type the status and configuration passphrases.
8 If you use a device with a dynamic IP address, type the shared secret. Click Next .
This must be the very same Shared Key you use when you configure the dynamic device as a DVCP Client. Refer to “Configuring a Firebox, Edge or SOHO 6 as a DVCP Client (Dynamic Devices Only)” on page 227.
9 Give the default procedure to authenticate tunnels with this Firebox: autogenerated shared key or Firebox certificate (RSA signature). Click Next.
If you select SOHO or Edge in the previous step, this step does not appear.
10 Type a WINS or DNS server IP address for your configuration. Click Next .
If you use the DVCP client device to give IP addresses to DHCP clients behind it, these addresses are assigned with the DHCP address. If you do not use DNS or WINS servers, ignore this page, and click Next.
The wizard shows the Contact Information page.
11 Type the information to use to find the administrators of this Firebox. Click Next .
The information on this page is optional. It is good to have this information if this device is at a remote location and it becomes necessary to contact a person at that location.
12 The wizard then shows a page that includes the tasks that the DVCP Server automatically does next. Click Next.
When completed, the wizard shows the message New Device Successfully Changed.
13 Click Close.
The wizard uploads the new configuration to the DVCP Server and exits.
Configuring a Firebox, Edge or SOHO 6 as a DVCP Client (Dynamic Devices Only)
A device with a dynamic IP address must be configured as a DVCP Client before you can use VPN Manager to create tunnels to the device.
Configuring a dynamic Firebox III or Firebox X as a DVCP Client
From Policy Manager on the DVCP Client Firebox:
1 Click Network > DVCP Client.
2 Select the Enable this Firebox as a DVCP Client checkbox.
3 In the Firebox Name text box, type the name of the Firebox. Use the same name you see in this Firebox Policy Manager at Setup > Name. If no name appears, type in the external interface IP address for the device name.
name is case-sensitive.
4 To send DVCP Client log messages to the Log Server, select the Enable debug log messages for the DVCP Client checkbox. (WatchGuard only recommends this option to do troubleshooting).
5 To add the DVCP Server that the client can connect to, click Add .
6 Type the IP address. This is the external interface IP address of the DVCP Server Firebox. Type the shared secret. Click OK .
7 Save this configuration to the Firebox.
This Firebox tries to connect to the DVCP Server. The DVCP Server does not allow this connection until you add this device to the VPN Manager configuration. See “Adding Devices to VPN Manager” on page 226.
Configuring a dynamic SOHO 6 or Firebox X Edge as a DVCP Client
At the SOHO 6 or the Edge, open a browser and browse to the Web management interface for the device.
1 Click Administration > VPN Manager Access from the menu on the left side.
2 Select the Enable Managed VPN checkbox.
3 From the Configuration drop-down list, select SOHO (recommended) or Telecommuter .
4 Type the IP address of the DVCP Server Firebox external interface.
5 Type the Client Name .
name is case-sensitive. If the Edge or SOHO has dynamic DNS, use the dynamic DNS name of the device.
6 Type the Shared Key .
For more information about accessing the Web management interface of a SOHO 6 or Firebox X Edge, see the User Guide for that product.
Reviewing and changing the device settings
After you add a DVCP Client device, you can review the settings. Click on the Device tab or the VPNs tab:
1 Click the device one time and then click Edit > Properties.
You can also right-click the device and select Properties.
The Device Properties page appears.
2 Change the device properties.
The common properties to change are the Display Name , the Status or Configuration Passphrase , the DVCP lease time , and WINS or DNS server IP addresses.
3 When you finish changing the device settings, click OK .
lease.
Note
You can change the Status and Configuration passphrases for a Firebox when you save a new flash image to the Firebox. See “Changing the Firebox passphrases” on page 31. If these passphrases are changed using Policy Manager, you must edit the Device Properties in VPN Manager and type the new passphrases.
Updating a device’s settings
You can use the Update Device dialog box to change the parameters of a selected device if necessary.
1 From the VPNs tab, right-click a device and select Update Device .
The Update Device dialog box appears. See the figure that follows.
2 Change the parameters as necessary.
- Download Trusted and Optional Network Policies
The DVCP Server gets information about the Trusted and Optional networks on the DVCP Client. The VPN Manager configuration is updated with this information.
- Reset Server Configuration
The DVCP Server gives the DVCP Client a new Shared Key and host name. The shared key encrypts DVCP traffic.
- Expire Lease
The DVCP Server issues the DVCP Client a new DVCP lease. You do this to change how much time passes before the DVCP Client contacts the DVCP Server again (the DVCP lease period).
- Issue/reissue Firebox’s IPSec Certificate
Makes a new client and root certificate. This is usually not necessary because a new certificate is downloaded each time the device starts.
Adding Policy Templates (Necessary for Dynamic Devices)
With a VPN you can configure (and put a limit on) the networks that have access through the tunnel. You can make a VPN between only two hosts, between two or more networks, or between hosts and networks. To configure the networks that are available through a given VPN device, you make policy templates.
By default, VPN Manager supplies network policy templates that give access to the networks behind the DVCP Client device. You can see the default templates on the VPNs tab. The default templates list the Trusted and Optional networks of the DVCP Client device. For a Firebox X with the three extra ports, there are default policies for those networks as well.
The VPN Manager gets the default policy templates when you update the device and select the Download Trusted and Optional Network Policies checkbox.
To make a new policy template, on the VPNs tab:
1 Select the device for which to configure a policy template.
2 Right-click and select Insert Policy or click the Insert Policy Template icon (shown at right side).
The Device Policy dialog box for that device appears. See the figure that follows.
3 Type a policy name.
4 Select if the tunnel is a branch office tunnel or a telecommuter tunnel.
Refer to “Enabling a Telecommuter Tunnel” on page 233.
5 To configure a policy template for a Telecommuter tunnel, type an IP address from the trusted network that is not in use. Type the IP address of the computer that is going to use this tunnel.
6 Click OK .
The policy template is configured and is available in the VPN Wizard.
Adding resources to a policy template
From the Device Policy dialog box:
1 Click Add .
The Resource dialog box appears. See the figure that follows.
2 Select the type of resource and type its IP address. Click OK .
If the resource is a network, you use slash notation. For information about slash notation for network addresses, see the FAQ: https://www.watchguard.com/support/AdvancedFaqs/general_slash.asp
3 Click OK at the Device Policy dialog box.
The new policy is added to the DVCP device. You can select it in the VPN Wizard when you make a VPN tunnel with that device.
Adding Security Templates
A security template gives the encryption type and authentication type for a tunnel.
Default security templates are supplied for the available encryption types. You can also make new templates.
From the VPN Manager display:
1 Click the VPN tab.
2 Right-click in the window, and select Insert Security Template or click the Insert Security Template icon (shown at the right side).
The Security Template dialog box appears. See the figure that follows.
3 Type the template name, SAP (Security Association Proposal) type (ESP or AH), authentication, and encryption.
4 To set end dates for a key, select the related checkbox, and then give kilobytes, hours, or kilobytes and hours.
If you set kilobytes and hours, the key expires at the event that comes first. If you set kilobytes to zero, then only the number of hours causes the key to expire. If you set the number of hours to zero, then only the number of kilobytes causes the key to expire.
5 Click OK.
The security template is configured. You can select it in the VPN Wizard when you make a VPN tunnel with that device.
Making Tunnels Between Devices
You can configure a tunnel with a drag-and-drop procedure or with the VPN Manager Wizard.
Note
You can add a factory default Firebox 500 to VPN Manager as a device, but you cannot configure tunnels
Drag-and-drop tunnel procedure
The drag-and-drop tunnel procedure has two limits:
• You cannot use it to make tunnels between two dynamic devices.
• Dynamic Fireboxes must have networks that are configured before you can use this procedure.
From VPN Manager:
1 Click the Device tab.
2 Click the device name of one of the tunnel endpoints. Drag it to the device name of the other tunnel endpoint.
This starts the VPN Manager Configuration Wizard. It starts with the dialog box that shows (in two list boxes) the two endpoint devices you selected with drag-and-drop.
3 For each tunnel endpoint, select a policy template from the drop-down list.
The policy template configures the resources that are available through the tunnel. Resources can be a network or a host.
The drop-down list shows the policy templates that you added to VPN Manager.
4 Click Next .
The wizard shows the Security Policy dialog box.
5 Select the security template applicable for the type of security and authentication to use for this tunnel.
The drop-down list shows the templates you added to VPN Manager.
6 Click Next .
The wizard shows the DVCP configuration.
7 Select the Restart devices now to download VPN configuration checkbox. Click Finish to restart the devices and deploy the VPN tunnel.
Note
If you configure many devices, you can restart the devices after you make all the tunnels. To restart a device, right-click it and select Update Device. Select Expire Lease. You can also wait until the DVCP lease expires on a given device. When the lease expires, the device contacts the DVCP Server and VPN Manager uploads the new configuration automatically.
Menu-driven tunnel creation
The menu tunnel procedure has two limits:
• You cannot use it to make tunnels between two dynamic devices.
• Dynamic Fireboxes must have networks that are configured before you can use this procedure.
From VPN Manager:
1 Click the VPNs tab.
2 Click Edit > Create a New VPN or click the Create New VPN icon (shown at right side).
This starts the VPN Manager Wizard.
3 Click Next .
The wizard shows two drop-down lists that each list all the devices registered in VPN Manager.
4 Select a device from each drop-down list to be the endpoints of the tunnel.
5 Select the policy templates for each tunnel endpoint.
The drop-down list shows the templates added to VPN Manager.
6 Click Next .
The wizard shows the Security Template dialog box.
7 Select the applicable security template for this VPN. Click Next .
The wizard shows the DVCP configuration.
8 Select the Restart devices now to download VPN configuration checkbox. Click Finish to start the devices again and deploy the VPN tunnel.
Note
If you configure many devices, you can restart the devices after you make all the tunnels. To restart a device, right-click it and select Update Device. Select Expire Lease. You can also wait until the DVCP lease expires on a given device. When the lease expires, the device contacts the DVCP Server and VPN Manager automatically uploads the new configuration.
Enabling a Telecommuter Tunnel
You can configure a Firebox X Edge or Firebox SOHO (static or dynamic) for a tunnel that lets only one host behind the device connect to a different endpoint (host or network). This tunnel, the Telecommuter tunnel, helps when an employee sets up a home office. The home network can be behind the Firebox, but only the telecommuter computer has access to corporate resources available through the tunnel.
On the Firebox:
1 On the VPNs tab, below the Devices folder, select the device.
2 Right-click the device and select Insert Policy .
The Device Policy dialog box appears.
3 Type:
Policy Name
Type a familiar name that you select.
Type
Select Telecommuter Tunnel from the drop-down list.
Virtual IP Address Behind the Firebox
Type a free IP address on the trusted network of the remote Firebox to which the endpoint computer connects.
Private IP Allowed to Use Tunnel
Type the IP address of the trusted host behind the Firebox X Edge or SOHO (the computer of the telecommuter). Use the same address from the Edge or SOHO VPN configuration.
On the Edge or SOHO:
1 Browse to the WatchGuard Edge or SOHO Configuration menu.
The default configuration IP address is 192.168.111.1.
2 Click VPN > Managed VPN from the menu on the left side.
3 From the Configuration Mode drop-down list, select Telecommuter .
4 Click Enable Managed .
5 Type:
DVCP Server Address
Type the external interface IP address of the DVCP Server.
Client Name
Use the IP address or a name or number to identify the client. The same ID must be typed in VPN Manager when you add the device. If the Edge or SOHO has dynamic DNS, use the dynamic DNS name of the device.
Shared Secret
Type a passphrase for use between the client and server. You must type the same secret in VPN Manager when you add the device.
6 Click Submit .
Editing a Tunnel
You can see all your tunnels on the VPNs tab of VPN Manager. VPN Manager lets you change the tunnel name, security template, endpoints, and the policy you use.
On the VPNs tab:
1 Expand the tree to show the device and its policy.
2 Click the tunnel to change.
3 Right-click and select Properties .
The Tunnel Properties dialog box appears.
4 Click OK to save the change.
When the tunnel is renegotiated, the changes are applied.
Removing Tunnels and Devices from VPN Manager
To remove a device from VPN Manager, you must first remove the tunnels for which that device is an endpoint.
Removing a tunnel
1 From VPN Manager, click the VPNs tab.
2 Expand the Managed VPNs folder to show the tunnel to remove.
3 Right-click the tunnel.
4 Select Remove. Click Yes to confirm.
5 If necessary, give a restart command to the devices you are removing. Click Yes .
Removing a device
1 From VPN Manager, click the Devices or VPNs tab.
The Devices tab (left side figure below) or the VPNs tab (right side figure below) appears.
Device tab (left side) and VPN tab (right side)
2 If you use the VPNs tab, expand the Devices folder to show the device to remove.
3 Right-click the device.
4 Click Remove . Click Yes to confirm.
CHAPTER 24
Monitoring VPN Devices and Tunnels
To monitor a virtual private network, you must have real-time information on all the components of the network. The current status of all VPN devices and tunnels appears in Firebox System Manager and in the VPN Manager. You can use these tools to quickly find and troubleshoot problems with your network.
Monitoring VPN tunnels from System Manager
The Front Panel tab in System Manager shows the status of your branch office, RUVPN, and MUVPN tunnels. RUVPN and MUVPN tunnels are put in a group below the label Remote VPN Tunnels . The figure that follows shows the tunnel status information in System Manager.
Expanding and closing folders
To expand a part of the window, click the plus sign ( + ) adjacent to the entry, or double-click the name of the entry. To close a part, click the minus sign ( – ) adjacent to the entry. When no plus or minus sign shows, no more information is available.
Red exclamation point
When a red exclamation point appears, it shows that something in the folder can not send or receive traffic with the management station. For example, a red exclamation point adjacent to the Firebox entry shows that it can not send traffic to the log host or the management station. A red exclamation point adjacent to the BOVPN icon shows there is a problem with one of the VPN tunnels.
When you expand an entry that has a red exclamation point, a second exclamation point appears adjacent to the device or tunnel with the problem. Use this feature to find connection problems in your VPN network.
Branch Office VPN tunnels
The first piece of VPN information that shows in System Manager is the status of branch office VPN tunnels. The figure below shows an expanded entry for a BOVPN tunnel. The information that appears in the VPN Manager, from top down, is:
• The name the tunnel got when it was made, the IP address of the destination IPSec device (a different Firebox, SOHO, or SOHO|tc), and the tunnel type (IPSec or DVCP). If the tunnel is DVCP, the IP address refers to the full remote network address.
• The volume of data sent and received on the tunnel in bytes and packets.
• The time before the key expires and when the tunnel must be setup again. This appears as a time limit or as the volume of bytes. If you configure a DVCP tunnel to expire using time and volume limits, the two expiration values appear.
• Authentication and encryption layers set for the tunnel.
• Routing policies for the tunnel.
Remote VPN Tunnels
After the branch office VPN tunnels is an entry for remote VPN tunnels. This includes Mobile User VPN (with IPSec) or RUVPN with PPTP tunnels. If the tunnel is Mobile User VPN, the entry shows the same information as for the DVCP or IPSec Branch Office VPN. This includes the tunnel name, the destination IP address and the tunnel type. Below are the packet information, the key expiration date, authentication, and encryption data.
If the tunnel is RUVPN with PPTP, the Firebox System Manager shows only the quantity of sent and received packets. The volume of bytes and total volume of bytes are not applicable to PPTP tunnels.
Monitoring VPN tunnels through VPN Manager
You use the VPN Manager to see real-time information on all devices in your virtual private network at the same time. Use this information to find and troubleshoot problems. You can also create new tunnels.
The VPN Manager window has four tabs:
Device
A status page for all the devices in VPN Manager. The information that appears includes the log host, MAC address, and IP address for the interfaces for each device. It also includes the status of all VPN tunnels that are configured in VPN Manager.
VPNs
Shows status information on the VPN tunnels, their endpoints, and their security parameters.
Logging
Shows the log status for devices managed by VPN Manager.
Custom
Make a custom display of the devices managed by VPN Manager.
Opening the VPN Manager Window
To open VPN Manager, from the Windows interface:
1 Click Start > Programs > WatchGuard > VPN Manager. If necessary, give the configuration passphrase of the Firebox which you set as your DVCP server.
VPN Manager connects to the DVCP server. It shows the VPN and device configuration in the four tabs of the VPN Manager.
Device Status
Click the Devices tab of the VPN Manager to see the real-time status of all devices monitored by DVCP.
An example of the information on this tab appears in the figure that follows.
All devices appear in a tree structure. When the icon adjacent to an entry contains a plus sign (+), the tree is closed. To expand it, click the plus sign. The tree expands to show the properties of that device. To close the tree, click the minus sign (–) adjacent to a device. The tree closes at that entry.
Connection status
The icon for each device can have a red exclamation point, a yellow exclamation point, or no symbol. This shows the status of the device.
No exclamation point
There is a good connection between the VPN Manager and the VPN device. The device can send packets to and receive packets from the VPN Manager.
Yellow exclamation point
There could be a problem. VPN Manager continues to try to connect to the device. The exclamation point goes out of view if the VPN Manager connects. It turns red if the VPN Manager cannot connect.
Red exclamation point
The VPN Manager cannot send packets to or receive packets from the device. Right-click the device, and select Resume Connection. If this does not correct the problem, examine the device for other problems.
Tunnel status
Click the VPNs tab of the VPN Manager to see your IPSec tunnels. This part of the window includes information on devices and security configurations. It also includes security association type, encryption types, and authentication type.
Log server status
Click the Logging tab of the VPN Manager to see log servers. The list of servers in use is collected from the configuration files of the devices that are monitored. The window also shows devices for which a log host is not configured. You can configure the log host and other options in Policy Manager. Refer to Chapter 12, “Setting Up Logging and Notification”.
Making a custom view
The Custom tab of the VPN Manager lets you make a customized display. You can put each of the resources in the Devices tab on the Custom tab. You can do this by tunnel location, encryption type, or device type used. You can monitor the Firebox devices, device statistics, tunnels, and remote users for each device.
If your company is very large with many IPSec devices, you can use the Custom tab to put devices into units that you can monitor. You can monitor groups based on factors including area, relation to the company, or units that operate in the company.
To add devices to the Custom tab:
1 In the Device tab of the VPN Manager, right-click the device.
2 Click Copy to Custom Tab.
The device appears on the Custom tab. You can select the device name and pull it to a new location in the window, or into a folder.
To add a folder on the Custom tab:
1 Right-click in the Custom tab window.
2 Click Add New Folder.
3 Double-click the name of the folder to select it. Type a name for the folder.
CHAPTER 25
Managing Firebox X Edge and Firebox SOHO6 Appliances
WatchGuard System Manager lets you control and configure WatchGuard firewalls from a distance. This makes for easy configuration and management of a VPN tunnel to a Firebox X Edge, Firebox S6, or Firebox SOHO6 device. These WatchGuard hardware models are good for small, remote offices.
You configure the WatchGuard small office hardware devices with a Web browser. To increase security while you do this, WatchGuard uses:
• a WatchGuard encrypted protocol;
• certificate authentication; and
• Secure Sockets Layer (SSL).
Note
You must enable certificates on your Web browser. For more information, refer to the online help for your Web browser.
Importing Certificates
When you configure a Firebox as a DVCP server, the Firebox creates a certificate. This certificate is kept in the folder where you installed the WatchGuard System Manager software. The default folder for WatchGuard certificates is:
C:\Program Files\WatchGuard\Certificates
WatchGuard System Manager makes a folder for each DVCP server. You must import the certificate into the Web browser on your management station to connect and configure Firebox small office devices from a distance.
Microsoft Internet Explorer 5.5 and 6.0
From the Windows desktop of the management station:
1 Start Internet Explorer. Click Tools > Internet Options.
The Internet Options window appears.
2 Click the Content tab. Click Certificates.
The Certificates window appears.
3 Click the Personal tab. Click Import.
The Certificate Import Wizard appears.
4 Click Next.
5 Browse to the location of the certificate. Select the certificate, and click Open.
6 Click Next.
7 Enter the configuration (read/write) passphrase of the DVCP server and click OK.
8 Click Next.
9 Select Automatically select the certificate store based on the type of certificate, and then click Next.
10 Click Finish.
A window appears that shows that the certificate is imported correctly.
Troubleshooting ideas
Use these steps to troubleshoot Internet Explorer certificates:
• Make sure that you have the strong encryption (128-bit) version of Internet Explorer.
• Internet Explorer does not always enable strong encryption during the installation. Open the Windows registry and find this key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Defaults\Provides\001
This must be Microsoft Enhanced Cryptographic Provider v1.0. If not, edit it manually, and start the browser again.
• Make sure that you have the correct password for the .p12 (or .pfx) file. This must be the configuration passphrase of the Firebox DVCP server.
• Make sure that the certificate is not zero (0) length. If it is, erase the file and disconnect from VPN Manager. Open VPN Manager and make the certificate again.
Netscape Communicator 4.79
From the Windows desktop of the management station:
1 Start Netscape Communicator. Click Communicator > Tools > Security Info.
The Security Info window appears.
2 From the navigation menu on the left side, select Certificates > Yours.
3 Click Import a Certificate.
The File to Import window appears.
4 Browse to the file location, select the certificate, and click Open.
The Password Entry Dialog box appears.
5 Type the configuration passphrase of the DVCP server and click OK.
A window appears that shows that the certificate is imported correctly.
6 Click OK to go back to the Certificates window.
The imported certificate appears in the applicable field.
7 Click OK to go back to the browser.
Netscape 6
From the Windows desktop of the management station:
1 Start Netscape. Click Tasks > Privacy and Security > Security Manager.
The Netscape Personal Security Manager window appears.
2 Click the Certificates tab.
3 From the navigation menu on the left side, click Mine.
4 Click Restore.
The File Name to Restore window appears.
5 Browse to the file location, select the certificate, and click Open.
The Password window appears.
6 Type the configuration passphrase of the DVCP server and click OK.
A window appears that shows that the certificate is correctly restored.
7 Click OK to go back to the Personal Security Manager window.
The imported certificate appears in the applicable field.
8 Click Close to go back to the browser.
Troubleshooting ideas
Use these steps to troubleshoot Netscape certificates:
• Make sure that you have the strong encryption (128-bit) version of Netscape.
• Make sure that you have the correct password for the .p12 (or .pfx) file. This must be the configuration passphrase of the Firebox DVCP server.
• Make sure that the certificate is not zero (0) length. If it is, erase the file and disconnect from VPN Manager. Open VPN Manager and make the certificate again.
Managing the Firebox X Edge or SOHO 6
After you import the correct certificate in your browser, you can start to use VPN Manager to connect to a Firebox X Edge or SOHO 6 to monitor and configure it.
You cannot use the same browser window to connect to the Edge or SOHO 6 management pages as the one you use to configure access to the Certificate Authority. For more information on how to get access to the Certificate Authority, see “Managing the Certificate Authority” on page 196. You must close the Certificate Authority window before you try to configure an Edge or SOHO 6 from VPN Manager.
From VPN Manager:
1 Select the Edge or SOHO 6 device. Then click the SOHO Management icon.
The Client Authentication dialog box appears.
2 Select the certificate for this device. Click OK.
3 Click OK.
The SOHO System Status page appears. All management tasks that are usually available locally through a Web browser are safely available at this time.
System Status
The System Status page is the configuration home page of the Edge or SOHO 6. The page shows:
• The firmware version
• Firebox features and their status as Enabled or Disabled
• Upgrade parameters and their status
• Configuration information for the trusted and external networks
• Firewall incoming and outgoing services
• A reboot button to start the device again.
Network
From the Navigation bar on the left side, click Network to:
• Configure the device network parameters for the external and trusted networks
• Configure static routes to let traffic through to networks on segments that are not directly connected
• Look at network statistics to help to monitor data traffic and troubleshoot problems.
Administration
From the Navigation bar on the left side, click Administration to:
• Enable System Security passphrases and Remote Management
• Enable VPN Manager access
• Update the device from an operating system other than Windows
• Upgrade the device features
• Look at the configuration file as text.
System security and remote management
Use this to enable system security, give an administrator name to the device, and set the passphrases.
You can enable the device for remote management. This lets you connect to the unit from a distance with the WatchGuard Remote Management VPN client. Set the virtual IP address for your remote computer after connection, and the authentication and encryption algorithms to make the connection secure.
Firewall
From the Navigation bar on the left side, click Firewall to:
• Configure the incoming and outgoing services.
• Configure blocked sites
• Enable firewall parameters, for example
• Configure a route to a public server on the optional network.
Logging
From the Navigation bar on the left side, click Logging to:
• See log messages
• Configure the device to send logs to a WatchGuard Security Event Processor
• Configure the device to send logs to a Syslog server
• Configure the System Time.
WebBlocker
From the Navigation bar on the left side, click WebBlocker to enable and configure this feature. WebBlocker controls access of your users to Web sites.
VPN
From the Navigation bar on the left side, click VPN to:
• Configure VPN tunnels between the Firebox X Edge or SOHO 6 and other IPSec devices
• Configure MUVPN clients to make Mobile User VPN tunnels to the Edge or SOHO 6
• See the statistics about active tunnels
• Configure the "Keep Alive" feature that sends a ping through a VPN tunnel to keep the tunnel from a timeout.
Removing Certificates
It could be necessary to update the certificates that VPN Manager uses. One example is when you change the configuration passphrase of the Firebox DVCP server. A second example is when you install the DVCP server again; in both cases you must update the certificates. To do this, you must erase the certificates, and then make and use new certificates.
Microsoft Internet Explorer 5.5 and 6.0
From the Windows desktop of the management station:
1 Start Internet Explorer. Click Tools > Internet Options.
The Internet Options window appears.
2 Click the Content tab. Click Certificates.
The Certificates window appears.
3 Select the certificate or certificates to erase.
4 Click Remove.
A warning window appears.
5 Click Yes.
The selected certificates are erased from the browser.
6 Click Close and then click OK to go back to the browser.
After you remove the certificates from your browser, you must erase them from your computer.
From VPN Manager:
• Click File > SOHO Management > Clean up on PC.
Netscape Navigator 4.79
From the Windows desktop of the management station:
1 Start Netscape Communicator. Click Communicator > Tools > Security Info.
The Security Info window appears.
2 From the navigation menu on the left side, click Certificates > Yours.
3 Select the certificate or certificates to erase.
4 Click Delete.
A warning window appears.
5 Click OK.
The selected certificates are erased from the browser.
6 Click OK to go back to the browser.
After you remove the certificates from your browser, you must erase them from your computer.
From VPN Manager:
• Click File > SOHO Management > Clean up on PC.
Netscape 6
From the Windows desktop of the management station:
1 Start the browser and click Tasks > Privacy and Security > Security Manager.
The Netscape Personal Security Manager window appears.
2 Click the Certificates tab.
3 From the navigation menu on the left side, select Mine.
4 Select the certificate or certificates to erase.
5 Click Delete.
A warning window appears.
6 Click Delete.
The selected certificates are erased from your browser.
7 Click Close to go back to the browser.
After you remove the certificates from your browser, you must erase them from your computer. From VPN Manager:
• Click File > SOHO Management > Clean up on PC.
CHAPTER 26
Troubleshooting Firebox Connectivity
This chapter gives three procedures for how to get access to your Firebox if you cannot make a network connection. To use these procedures you must have a configuration file for the Firebox. Use these procedures to restart the Firebox with that file. If you did not make a configuration file, use the QuickSetup Wizard to make one. Refer to Chapter 3, “Getting Started.”
You can find it necessary to use these procedures if:
• Your passphrase is not available.
• You have a new Firebox as a replacement unit.
To connect to the Firebox again, use one of the procedures from this chapter. Although some procedures have small differences between Firebox X models and Firebox III models, the basic configuration is the same.
Procedure 1: Ethernet Dongle Procedure
This procedure uses a crossover cable.
1 Make sure that the Firebox and the management station are disconnected from the network.
2 Connect one end of the crossover cable to the optional interface and the other end to the external interface (with the label “2” and “0”, respectively, on a Firebox X), and make a loop. Set the Firebox off and on again.
On a Firebox X, the LCD panel shows:
Firebox X<model number>
SysB - Loopback
On a Firebox III, this light sequence shows:
Armed light: steady
Sys A light: flickering
(It is not important that the lights on the security traffic display show traffic between interfaces).
3 Disconnect the crossover cable from the optional and external interfaces. Connect one end to the trusted interface (with the label “1” on a Firebox X) and the other end to the management station.
Do not turn off the Firebox.
4 Make sure that the management station has a static IP address. If it does not, change the TCP/IP configuration to a static IP address. The computer that is configured as the management station must be on the same network as the configuration file. We recommend that the computer be configured with an IP address on the trusted network. Thus, you do not have to give an IP address to your computer after the configuration file is uploaded.
An example of typical IP addresses:
Management station: 192.168.0.5
Subnet mask: 255.255.255.0
Default gateway: 192.168.0.1
Trusted network: 192.168.0.1 (from the configuration file)
5 Make sure that you have the correct IP address of the management station. To do this, open a DOS prompt and type ipconfig /all.
6 Use the Ping feature to give the Firebox a temporary IP address so that your management station can connect to the Firebox. At the DOS prompt, type ping 192.168.0.1 (this is the default gateway of your computer). You will then see a request timeout. Ping again. You must get 4 reply messages.
7 Open Policy Manager from Firebox System Manager. Do not connect to the Firebox at this time.
8 In Policy Manager, click File > Open > Configuration File . Select the configuration file to put on the Firebox and open it in the Policy Manager.
9 In Policy Manager, click File > Save > To Firebox. Give the IP address of the Firebox and the Firebox configuration passphrase. Use the ping address from step 6 and wg for the passphrase.
10 When the Firebox Flash Disk dialog box appears (see the figure that follows), click Save Configuration File and New Flash Image. Make sure that the checkbox Make Backup of current flash image before saving is not selected.
After the configuration is uploaded and the Firebox starts again, the Firebox X LCD panel shows:
Firebox X<model number>
SysB - Loopback
The Firebox III light sequence must show:
Armed light: Steady
Sys A light: Steady
You can ping the Firebox again with the same IP address you used before. At this point, you can connect to the Firebox through System Manager and install the Firebox again in the network.
Procedure 2: The Flash Disk Management Utility
For this procedure you must disconnect your management station and Firebox from the network.
1 Make sure that the management station has a static IP address. If it does not, change the TCP/IP configuration to a static IP address. The computer that is configured as the management station must be on the same network as the configuration file. We recommend that the computer be configured with an IP address on the trusted network. Thus, you do not have to give an IP address to your computer after the configuration file is uploaded.
An example of typical IP addresses:
Management station: 192.168.0.5
Subnet mask: 255.255.255.0
Default gateway: 192.168.0.1
Trusted interface: 192.168.0.1 (from the configuration file)
2 Connect the blue serial cable to the Console port of the Firebox and the other end to the open COM port of the management station.
3 Connect the crossover cable from the Trusted interface on the Firebox (with the label “1” on a Firebox X) to the management station.
4 Get access to the Flash Disk Management utility. In System Manager, click the main menu button (refer to the right side). Click Tools > Advanced > Flash Disk Management.
5 From the first screen in the Flash Disk Management tool, click Boot from the System Area (Factory Default). Click Continue.
6 Give an IP address. It is recommended that you use the address that is configured as the default gateway on your management station. Click OK .
7 Select the COM port that is open on the management station. Click OK .
This completes the Flash Disk Management utility.
8 Set the Firebox off and on again. After the operation is completed the Firebox X LCD panel shows:
Firebox X<model number>
SysB - Loopback
On a Firebox III, the light sequence must show:
Armed light: Steady
Sys B light: Steady (Some Fireboxes can flicker but most are stable.)
(It is not important that the lights on the security traffic display show traffic between interfaces.)
9 Open a DOS prompt and ping the IP address that you used for the temporary IP.
When replies appear, the Firebox is prepared to upload a configuration.
10 In Policy Manager, click File > Open > Configuration File. Select the configuration file to put on the Firebox and open it in Policy Manager.
11 In Policy Manager, click File > Save > To Firebox. Give the IP address of the Firebox and the Firebox configuration passphrase. Use the temporary IP address from the flash disk management procedure and wg as the passphrase.
12 When the Firebox Flash Disk dialog box appears, click Save Configuration File and New Flash Image.
After the configuration is uploaded and the Firebox is started again, the Firebox X LCD panel shows:
Firebox X<model number>
SysA - Armed
On a Firebox III, the light sequence must show:
Armed light: Steady
Sys A light: Steady
You can ping the Firebox again with the same IP address you used before. At this point, you can connect to the Firebox through System Manager and install the Firebox again in the network.
Procedure 3: Using the Reset Button
Before you start, put the IP address of your management station on the 192.168.253.0 network. Do not use the 192.168.253.1 address, which is the default IP address of the Firebox. The subnet mask is 255.255.255.0.
WatchGuard recommends that the default gateway of your computer be the IP address 192.168.253.1.
1 Disconnect the Firebox from the network.
You must start with the Firebox in the off position. Hold down the Reset button on the back of the Firebox (for Firebox III) or the Up arrow (for Firebox X) and set the Firebox power on. On a Firebox X, you can release the Up arrow when the LCD display shows “Booting SysB.”
On a Firebox III, do not let go of the Reset button until you see this light sequence:
External light on Triangle: Blinks
Trusted > Optional traffic (Activity): Flashing lights
Sys B: Flickering
Armed: Steady
2 Connect a crossover cable between the management station and the Firebox trusted interface (with the label “1” on the Firebox X).
3 Open a DOS prompt, and ping the Firebox at 192.168.253.1. You must get a reply message.
4 In Policy Manager, click File > Open > Configuration File. Select the configuration file to put on the Firebox and open it in Policy Manager.
5 In Policy Manager, click File > Save > To Firebox. For the IP address of the Firebox, use 192.168.253.1, with wg as the passphrase.
6 When the Firebox Flash Disk dialog box appears, click Save Configuration File and New Flash Image.
7 After the file is put back on the Firebox, you must set the correct IP address on your management station. Make sure that it is on the same network as the Firebox trusted interface in the configuration file that you used before. This enables you to connect to the Firebox again.
After the configuration is uploaded and the Firebox is started again, the Firebox X LCD panel shows:
Firebox X<model number>
SysA - Armed
On a Firebox III, the light sequence must show:
Armed light: steady
Sys A light: steady
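All three procedures depend on the management station's static TCP/IP settings: it must be on the same network as the Firebox trusted address it will ping (the trusted interface from the configuration file in Procedures 1 and 2, 192.168.253.1 in Procedure 3), it must not reuse the Firebox address, and its default gateway should be the Firebox address. The script below checks those settings before you connect the crossover cable; it is an added example, not a WatchGuard tool, and its function names and messages are its own.

```python
"""Pre-flight check of the management station's static TCP/IP settings for the
Firebox recovery procedures (added example; not part of WatchGuard System
Manager). Function and message names are this example's own."""
import ipaddress

# Values from Procedure 3: the Firebox answers on this address after a
# reset-button start, and the management station must be on its /24.
RESET_FIREBOX_ADDRESS = "192.168.253.1"
RESET_NETMASK = "255.255.255.0"


def check_management_station(station_ip, netmask, gateway, firebox_ip):
    """Return a list of problems; an empty list means the settings are usable.

    station_ip  static address to give the management station
    netmask     subnet mask on the management station
    gateway     default gateway on the management station
    firebox_ip  trusted address of the Firebox that the station must reach:
                the trusted interface from the configuration file
                (Procedures 1 and 2) or 192.168.253.1 (Procedure 3)
    """
    station = ipaddress.ip_address(station_ip)
    firebox = ipaddress.ip_address(firebox_ip)
    # Derive the trusted network from the Firebox address and the mask.
    network = ipaddress.ip_network(f"{firebox_ip}/{netmask}", strict=False)

    problems = []
    if station == firebox:
        problems.append(f"station address {station} is the Firebox address")
    if station not in network:
        problems.append(f"station address {station} is not on {network}")
    elif station in (network.network_address, network.broadcast_address):
        problems.append(f"station address {station} is not a host address")
    if ipaddress.ip_address(gateway) != firebox:
        # The procedures ping the station's default gateway address, so it
        # should be the Firebox trusted address.
        problems.append(
            f"default gateway {gateway} is not the Firebox address {firebox}")
    return problems


def check_for_reset_procedure(station_ip, gateway=RESET_FIREBOX_ADDRESS):
    """Same check with the fixed values of Procedure 3 (reset button)."""
    return check_management_station(
        station_ip, RESET_NETMASK, gateway, RESET_FIREBOX_ADDRESS)


if __name__ == "__main__":
    # Typical addresses from Procedures 1 and 2: no problems expected.
    print(check_management_station(
        "192.168.0.5", "255.255.255.0", "192.168.0.1", "192.168.0.1"))
    # Procedure 3: the Firebox default address must not be reused.
    print(check_for_reset_procedure("192.168.253.1"))
```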
APPENDIX A
Copyright and Licensing
Notice to Users
Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.
WatchGuard Firebox Software End-User License Agreement
IMPORTANT - READ CAREFULLY BEFORE ACCESSING WATCHGUARD SOFTWARE:
This Firebox Software End-User License Agreement (“AGREEMENT”) is a legal agreement between you (either an individual or a single entity) and WatchGuard Technologies, Inc. (“WATCHGUARD”) for the WATCHGUARD Firebox software product, which includes computer software components (whether installed separately on a computer workstation or on the WATCHGUARD hardware product or included on the WATCHGUARD hardware product) and may include associated media, printed materials, and on-line or electronic documentation, and any updates or modifications thereto, including those received through the WatchGuard LiveSecurity Service (or its equivalent), (the “SOFTWARE PRODUCT”). WATCHGUARD is willing to license the SOFTWARE PRODUCT to you only on the condition that you accept all of the terms contained in this Agreement. Please read this Agreement carefully. By installing or using the SOFTWARE PRODUCT you agree to be bound by the terms of this Agreement. If you do not agree to the terms of this AGREEMENT, WATCHGUARD will not license the SOFTWARE PRODUCT to you, and you will not have any rights in the SOFTWARE PRODUCT. In that case, promptly return the SOFTWARE PRODUCT, along with proof of payment, to the authorized dealer from whom you obtained the SOFTWARE PRODUCT for a full refund of the price you paid. The WATCHGUARD hardware product is subject to a separate agreement and limited hardware warranty included with the WATCHGUARD hardware product packaging and/or in the associated user documentation.
1. Ownership and License. The SOFTWARE PRODUCT is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. This is a license agreement and NOT an agreement for sale. All title and copyrights in and to the SOFTWARE PRODUCT (including but not limited to any images, photographs, animations, video, audio, music, text, and applets incorporated into the SOFTWARE PRODUCT), the accompanying printed materials, and any copies of the SOFTWARE PRODUCT are owned by WATCHGUARD or its licensors. Your rights to use the SOFTWARE PRODUCT are as specified in this AGREEMENT, and WATCHGUARD retains all rights not expressly granted to you in this AGREEMENT. Nothing in this AGREEMENT constitutes a waiver of our rights under U.S. copyright law or any other law or treaty.
2. Permitted Uses. You are granted the following rights to the SOFTWARE PRODUCT:
(A) You may install and use the SOFTWARE PRODUCT on any single WATCHGUARD hardware product at any single location and may install and use the SOFTWARE PRODUCT on multiple workstation computers.
(B) To use the SOFTWARE PRODUCT on more than one WATCHGUARD hardware product at once, you must purchase an additional copy of the SOFTWARE PRODUCT for each additional WATCHGUARD hardware product on which you want to use it. To the extent that you install copies of the SOFTWARE PRODUCT on additional WATCHGUARD hardware products in accordance with the prior sentence without installing the additional copies of the SOFTWARE PRODUCT included with such WATCHGUARD hardware products, you agree that use of any software provided with or included on the additional WATCHGUARD hardware products that does not require installation will be subject to the terms and conditions of this AGREEMENT. You must also maintain a current subscription to the WatchGuard LiveSecurity Service (or its equivalent) for each additional WATCHGUARD hardware product on which you will use a copy of an updated or modified version of the SOFTWARE PRODUCT received through the WatchGuard LiveSecurity Service (or its equivalent).
(C) In addition to the copies described in Section 2(A), you may make a single copy of the SOFTWARE PRODUCT for backup or archival purposes only.
3. Prohibited Uses. You may not, without express written permission from WATCHGUARD:
(A) Use, copy, modify, merge or transfer copies of the SOFTWARE PRODUCT or printed materials except as provided in this AGREEMENT;
(B) Use any backup or archival copy of the SOFTWARE PRODUCT (or allow someone else to use such a copy) for any purpose other than to replace the original copy in the event it is destroyed or becomes defective;
(C) Sublicense, lend, lease or rent the SOFTWARE PRODUCT;
(D) Transfer this license to another party unless
(i) the transfer is permanent,
(ii) the third party recipient agrees to the terms of this AGREEMENT, and
(iii) you do not retain any copies of the SOFTWARE PRODUCT; or
(E) Reverse engineer, disassemble or decompile the SOFTWARE PRODUCT.
4. Limited Warranty. WATCHGUARD makes the following limited warranties for a period of ninety (90) days from the date you obtained the SOFTWARE PRODUCT from WATCHGUARD or an authorized dealer:
(A) Media. The disks and documentation will be free from defects in materials and workmanship under normal use. If the disks or documentation fail to conform to this warranty, you may, as your sole and exclusive remedy, obtain a replacement free of charge if you return the defective disk or documentation to WATCHGUARD with a dated proof of purchase.
(B) SOFTWARE PRODUCT. The SOFTWARE PRODUCT will materially conform to the documentation that accompanies it. If the SOFTWARE PRODUCT fails to operate in accordance with this warranty, you may, as your sole and exclusive remedy, return all of the SOFTWARE PRODUCT and the documentation to the authorized dealer from whom you obtained it, along with a dated proof of purchase, specifying the problems, and they will provide you with a new version of the SOFTWARE PRODUCT or a full refund, at their election.
Disclaimer and Release. THE WARRANTIES, OBLIGATIONS AND LIABILITIES OF WATCHGUARD,
AND YOUR REMEDIES, SET FORTH IN PARAGRAPHS 4, 4(A) AND 4(B) ABOVE ARE EXCLUSIVE
AND IN SUBSTITUTION FOR, AND YOU HEREBY WAIVE, DISCLAIM AND RELEASE ANY AND ALL
OTHER WARRANTIES, OBLIGATIONS AND LIABILITIES OF WATCHGUARD AND ITS LICENSORS
AND ALL OTHER RIGHTS, CLAIMS AND REMEDIES YOU MAY HAVE AGAINST WATCHGUARD AND
ITS LICENSORS, EXPRESS OR IMPLIED, ARISING BY LAW OR OTHERWISE, WITH RESPECT TO
ANY NONCONFORMANCE OR DEFECT IN THE SOFTWARE PRODUCT (INCLUDING, BUT NOT
LIMITED TO, ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR
PURPOSE, ANY IMPLIED WARRANTY ARISING FROM COURSE OF PERFORMANCE, COURSE OF
DEALING, OR USAGE OF TRADE, ANY WARRANTY OF NONINFRINGEMENT, ANY WARRANTY
THAT THE SOFTWARE PRODUCT WILL MEET YOUR REQUIREMENTS, ANY WARRANTY OF
UNINTERRUPTED OR ERROR-FREE OPERATION, ANY OBLIGATION, LIABILITY, RIGHT, CLAIM OR
REMEDY IN TORT, WHETHER OR NOT ARISING FROM THE NEGLIGENCE (WHETHER ACTIVE,
PASSIVE OR IMPUTED) OR FAULT OF WATCHGUARD AND ITS LICENSORS AND ANY OBLIGATION,
WatchGuard System Manager
LIABILITY, RIGHT, CLAIM OR REMEDY FOR LOSS OR DAMAGE TO, OR CAUSED BY OR CONTRIBUTED TO BY, THE SOFTWARE PRODUCT).
Limitation of Liability. WATCHGUARD'S LIABILITY (WHETHER IN CONTRACT, TORT, OR OTHERWISE; AND NOTWITHSTANDING ANY FAULT, NEGLIGENCE, STRICT LIABILITY OR PRODUCT LIABILITY) WITH REGARD TO THE SOFTWARE PRODUCT WILL IN NO EVENT EXCEED THE PURCHASE PRICE PAID BY YOU FOR SUCH PRODUCT. THIS SHALL BE TRUE EVEN IN THE EVENT OF THE FAILURE OF AN AGREED REMEDY. IN NO EVENT WILL WATCHGUARD BE LIABLE TO YOU OR ANY THIRD PARTY, WHETHER ARISING IN CONTRACT (INCLUDING WARRANTY), TORT (INCLUDING ACTIVE, PASSIVE OR IMPUTED NEGLIGENCE AND STRICT LIABILITY AND FAULT), FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, OR LOSS OF BUSINESS INFORMATION) ARISING OUT OF OR IN CONNECTION WITH THIS WARRANTY OR THE USE OF OR INABILITY TO USE THE SOFTWARE PRODUCT, EVEN IF WATCHGUARD HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS SHALL BE TRUE EVEN IN THE EVENT OF THE FAILURE OF AN AGREED REMEDY.
5. United States Government Restricted Rights. The SOFTWARE PRODUCT is provided with Restricted Rights. Use, duplication or disclosure by the U.S. Government or any agency or instrumentality thereof is subject to restrictions as set forth in subdivision (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013, or in subdivision (c)(1) and (2) of the Commercial Computer Software -- Restricted Rights Clause at 48 C.F.R. 52.227-19, as applicable. Manufacturer is WatchGuard Technologies, Inc., 505 5th Ave. South, Suite 500, Seattle, WA 98104.
6. Export Controls. You agree not to directly or indirectly transfer the SOFTWARE PRODUCT or documentation to any country to which such transfer would be prohibited by the U.S. Export Administration Act and the regulations issued thereunder.
7. Termination. This license and your right to use the SOFTWARE PRODUCT will automatically terminate if you fail to comply with any provisions of this AGREEMENT, destroy all copies of the SOFTWARE PRODUCT in your possession, or voluntarily return the SOFTWARE PRODUCT to WATCHGUARD. Upon termination you will destroy all copies of the SOFTWARE PRODUCT and documentation remaining in your control or possession.
8. Miscellaneous Provisions. This AGREEMENT will be governed by and construed in accordance with the substantive laws of Washington excluding the 1980 United Nations Convention on Contracts for the International Sale of Goods, as amended. This is the entire AGREEMENT between us relating to the SOFTWARE PRODUCT, and supersedes any prior purchase order, communications, advertising or representations concerning the SOFTWARE PRODUCT AND BY USING THE SOFTWARE PRODUCT YOU AGREE TO THESE TERMS. IF THE SOFTWARE PRODUCT IS BEING USED BY AN ENTITY, THE INDIVIDUAL INDICATING AGREEMENT TO THESE TERMS REPRESENTS AND WARRANTS THAT (A) SUCH INDIVIDUAL IS DULY AUTHORIZED TO ACCEPT THIS AGREEMENT ON BEHALF OF THE ENTITY AND TO BIND THE ENTITY TO THE TERMS OF THIS AGREEMENT; (B) THE ENTITY HAS THE FULL POWER, CORPORATE OR OTHERWISE, TO ENTER INTO THIS AGREEMENT AND PERFORM ITS OBLIGATIONS UNDER THIS AGREEMENT; AND (C) THIS AGREEMENT AND THE PERFORMANCE OF THE ENTITY’S OBLIGATIONS UNDER THIS AGREEMENT DO NOT VIOLATE ANY THIRD-PARTY AGREEMENT TO WHICH THE ENTITY IS A PARTY. No change or modification of this AGREEMENT will be valid unless it is in writing and is signed by WATCHGUARD.
Version: 040226
Copyright, Trademark, and Patent Information
Copyright© 1998 - 2004 WatchGuard Technologies, Inc. All rights reserved.
WatchGuard, the WatchGuard logo, Firebox, LiveSecurity, and any other mark listed as a trademark in the “Terms of Use” portion of the WatchGuard Web site that is used herein are either registered trademarks or trademarks of WatchGuard Technologies, Inc. and/or its subsidiaries in the United States and/or other countries. All other trademarks are the property of their respective owners.
Printed in the United States of America.
User Guide 253
254
Part No: 1316-002
U.S. Patent Nos. 6,493,752; 6,597,661; 6,618,755; D473,879. Other Patents Pending.
© Hi/fn, Inc. 1993, including one or more U.S. Patents: 4701745, 5016009, 5126739, and 5146221 and other patents pending.
Microsoft®, Internet Explorer®, Windows® 95, Windows® 98, Windows NT®, Windows® 2000, Windows® 2003, and Windows XP are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corporation in the United States and other countries.
RealNetworks, RealAudio, and RealVideo are either a registered trademark or trademark of RealNetworks, Inc. in the United States and/or other countries.
Java and all Java-based marks are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. All rights reserved.
© 1995-1998 Eric Young (eay@cryptsoft). All rights reserved.
© 1998-2003 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)"
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young ([email protected]). This product includes software written by Tim Hudson ([email protected]).
© 1995-2003 Eric Young ([email protected])
All rights reserved.
This package is an SSL implementation written by Eric Young ([email protected]).
The implementation was written so as to conform with Netscapes’ SSL.
This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson ([email protected]).
Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic software written by Eric Young ([email protected])" The word 'cryptographic' can be left out if the routines from the library being used are not cryptographic related.
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License.]
The mod_ssl package falls under the Open-Source Software label because it's distributed under a BSD-style license. The detailed license information follows.
Copyright (c) 1998-2003 Ralf S. Engelschall. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by Ralf S. Engelschall <[email protected]> for use in the mod_ssl project (http://www.modssl.org/)."
4. The names "mod_ssl" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].
5. Products derived from this software may not be called "mod_ssl" nor may "mod_ssl" appear in their names without prior written permission of Ralf S. Engelschall.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by Ralf S. Engelschall <[email protected]> for use in the mod_ssl project (http://www.modssl.org/)."
THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL RALF S. ENGELSCHALL OR HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The Apache Software License, Version 1.1
Copyright (c) 2000-2004 The Apache Software Foundation. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The end-user documentation included with the redistribution, if any, must include the following acknowledgment:
"This product includes software developed by the Apache Software Foundation (http://www.apache.org/)."
Alternately, this acknowledgment may appear in the software itself, if and wherever such third-party acknowledgments normally appear.
4. The names "Apache" and "Apache Software Foundation" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].
5. Products derived from this software may not be called "Apache", nor may "Apache" appear in their name, without prior written permission of the Apache Software Foundation.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This software consists of voluntary contributions made by many individuals on behalf of the Apache Software Foundation. For more information on the Apache Software Foundation, please see <http://www.apache.org/>.
Portions of this software are based upon public domain software originally written at the National Center for Supercomputing Applications, University of Illinois, Urbana-Champaign.
PCRE LICENSE
------------
PCRE is a library of functions to support regular expressions whose syntax and semantics are as close as possible to those of the Perl 5 language.
Written by: Philip Hazel <[email protected]>
University of Cambridge Computing Service,
Cambridge, England. Phone: +44 1223 334714.
Copyright (c) 1997-2003 University of Cambridge
Permission is granted to anyone to use this software for any purpose on any computer system, and to redistribute it freely, subject to the following restrictions:
1. This software is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
2. The origin of this software must not be misrepresented, either by explicit claim or by omission. In practice, this means that if you use PCRE in software that you distribute to others, commercially or otherwise, you must put a sentence like this:
Regular expression support is provided by the PCRE library package, which is open source software, written by Philip Hazel, and copyright by the University of Cambridge, England.
somewhere reasonably visible in your documentation and in any relevant files or online help data or similar. A reference to the ftp site for the source, that is, to:
ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/ should also be given in the documentation. However, this condition is not intended to apply to whole chains of software. If package A includes PCRE, it must acknowledge it, but if package B is software that includes package A, the condition is not imposed on package B (unless it uses PCRE independently).
3. Altered versions must be plainly marked as such, and must not be misrepresented as being the original software.
4. If PCRE is embedded in any software that is released under the GNU General Purpose License (GPL), or Lesser General Purpose License (LGPL), then the terms of that license shall supersede any condition above with which it is incompatible.
The documentation for PCRE, supplied in the "doc" directory, is distributed under the same terms as the software itself.
PLEASE NOTE: Some components of the WatchGuard WFS software incorporate source code covered under the GNU Lesser General Public License (LGPL). To obtain the source code covered under the LGPL, please contact WatchGuard Technical Support at:
877.232.3531 in the United States and Canada
+1.360.482.1083 from all other countries
This source code is free to download. There is a $35 charge to ship the CD.
This product includes software covered by the LGPL.
GNU LESSER GENERAL PUBLIC LICENSE
Version 2.1, February 1999
Copyright (C) 1991, 1999 Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
[This is the first released version of the Lesser GPL. It also counts as the successor of the GNU Library Public License, version 2, hence the version number 2.1.]
Preamble
The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users.
This license, the Lesser General Public License, applies to some specially designated software packages--typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below.
When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things.
To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it.
For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link other code with the library, you must provide complete object files to the recipients, so that they can relink them with the library after making changes to the library and recompiling it. And you must show them these terms so they know their rights.
We protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives you legal permission to copy, distribute and/or modify the library.
To protect each distributor, we want to make it very clear that there is no warranty for the free library. Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others.
Finally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license.
Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs.
When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library.
We call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances.
For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the Lesser General Public License.
In other cases, permission to use a particular library in non-free programs enables a greater number of people to use a large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system.
Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library.
The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, whereas the latter must be combined with the library in order to run.
GNU LESSER GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called "this License"). Each licensee is addressed as "you".
A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables.
The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".)
"Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library.
Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does.
1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library.
You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
a) The modified work must itself be a software library.
b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change.
c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License.
d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful.
(For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.)
These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works.
But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library.
In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.
3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices.
Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy.
This option is useful when you wish to copy part of the code of the Library into a program that is not a library.
4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange.
If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code.
5. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License.
However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables.
When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law.
If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.)
Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself.
6. As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications.
You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things:
a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.)
b) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (1) uses at run time a copy of the library already present on the user's computer system rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-compatible with the version that the work was made with.
c) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution.
d) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place.
e) Verify that the user has already received a copy of these materials or that you have already sent this user a copy.
For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.
It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the
Library together in an executable that you distribute.
7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things: a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above.
b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work.
8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.
9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the
Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it.
10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License.
11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library.
If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances.
It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.
This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this
License.
12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an
explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.
13. The Free Software Foundation may publish revised and/or new versions of the Lesser General Public
License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.
Each version is given a distinguishing version number. If the Library specifies a version number of this
License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software
Foundation.
14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the
Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this.
Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.
PLEASE NOTE: Some components of the WatchGuard WFS software incorporate source code covered under the GNU General Public License (GPL). To obtain the source code covered under the GPL, please contact
WatchGuard Technical Support at:
877.232.3531 in the United States and Canada
+1.360.482.1083 from all other countries
This source code is free to download. There is a $35 charge to ship the CD.
This product includes software covered by the GPL.
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free
Software Foundation's software and to any other program whose authors commit to using it. (Some other
Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too.
When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code.
And you must show them these terms so they know their rights.
We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its
recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.
Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and modification follow.
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the
Program). Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.
You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the
Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this
License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.
In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.
3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code.
(This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.
If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this
License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.
5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.
7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.
It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.
This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this
License.
8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.
Each version is given a distinguishing version number. If the Program specifies a version number of this
License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR
THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE
STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE
PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND
PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE,
YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL
ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR
INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA
BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A
FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER
OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
All other trademarks or trade names mentioned herein, if any, are the property of their respective owners.
Index
Symbols
.cfg file. See configuration file
.ftr files
.idx files
.p12 file
.rep files
.wgl files
.wgx files
Numerics
1-1 Mapping dialog box
3DES
A
active connections on Firebox, viewing
ActiveX applets
Add Address dialog box
Add Exception dialog box
Add External IP Address dialog box
Add External IP dialog box
Add IP Address dialog box
Add Member dialog box
Add Route dialog box
Add Routing Policy dialog box
Add Static NAT dialog box
address space probes, blocking
Advanced dialog box
Advanced NAT Settings dialog box
Aggressive Mode
AH configuring
described
aliases adding
deleting
described
dvcp_local_nets
dvcp_nets
external
firebox
host
modifying
optional
trusted
Aliases dialog box
anonymous FTP
Any service and RUVPN
precedence
ARP cache clearing a Windows computer ARP cache
flushing Firebox ARP cache
ARP table, viewing
attacks, spoofing. See spoofing attacks.
attacks, types of
AUTH types for ESMTP
Authentication viewing list of authenticated users
authentication
CRYPTOCard server
defining groups for
DES, TripleDES
described
for VPNs, viewing
from external interface
from optional interface
from outside Firebox
Java applet for
selecting method for
specifying server type
viewing types used
authentication servers
CRYPTOCard
described
RADIUS
SecurID on RADIUS server
types
types supported
viewing IP addresses of
Windows NT
Authentication Servers dialog box
auto-block duration, changing
B
Bandwidth Meter tab
bandwidth usage, viewing
Basic DVCP Server Configuration dialog box
Berkeley Internet Name Domain (BIND)
blocked ports avoiding problems with legitimate users
default
permanent
reasons for
setting logging and notification for
Blocked Ports dialog box
Blocked Ports list
blocked services
NetBIOS
Novell IPX over IP
OpenWindows
rcp
rlogin
RPC portmapper
rsh
X Font server
X Window
blocked sites and IDS applications
auto-block duration
auto-blocked
blocking with service settings
changing auto block duration
described
dynamic
exceptions to
in System Manager
logging and notification
permanent
removing
storing in external file
temporary
viewing list of
Blocked Sites dialog box
Blocked Sites list described
exceptions to
viewing
BOVPN and certificate-based authentication
described
monitoring tunnels
BOVPN Upgrade described
enabling
BOVPN with Basic DVCP modifying tunnels
removing tunnels
requirements for
scenario
setting encryption type
setting logging options for
specifying authentication method
specifying encryption
specifying key expiration time
when to use
BOVPN with Manual IPSec adding gateways
allowing access to services
changing IPSec policy order
configuring a gateway
configuring a tunnel with manual security
configuring AH
configuring key negotiation type
configuring services for
configuring tunnels with dynamic key negotiation
creating routing policies
described
editing, removing gateways
enabling Aggressive Mode
enabling Perfect Forward Secrecy
encryption levels
Phase 1 settings
Phase 2 settings
requirements for
selecting bypass rule
specifying authentication method
specifying Diffie-Hellman group
specifying encryption
using certificates
using Encapsulated Security Protocol
when to use
BOVPN with VPN Manager
adding devices to
adding policy templates
adding security templates
allowing remote access to DVCP server
creating tunnels
defining Edge or SOHO 6 as DVCP client
defining Firebox as DVCP client
described
editing tunnels
enabling SOHO single-host tunnel
removing devices and tunnels
scenario
when to use
bypass rules for tunnels
C
cables
connecting to Firebox
cacert.pem
certificate authority described
designating as subordinate
designating Firebox as
enabling debug log messages for
Firebox as
Firebox as, scenarios
managing
restarting
scenarios
certificate revocation list (CRL) described
publication period for
publishing
selecting endpoint for
certificates and logging
described
destroying
generating new
importing to VPN Manager
listing current
publishing
reinstating
removing
revoking
searching for
setting lifetimes of
viewing status of
certificates, root. See root certificate
CHAP authentication
configuration file and Policy Manager
basic
customizing
opening
opening from Firebox
opening from local drive
rebooting Firebox after saving
saving
saving to Firebox
saving to local drive
starting new
using existing
configuration modes choosing
Configure Gateways dialog box
Configure Tunnels dialog box
Connect to Firebox dialog box
controld.wgc
CRL. See certificate revocation list
CRYPTOCard server authentication
custom program, as notification
D
DCE
DCE-RPC, and NAT
debug logging, enabling for DVCP server
default gateways entering
for Firebox interfaces
setting
viewing IP address of
default packet handling blocking address space probes
blocking IP options attacks
blocking port space probes
blocking spoofing attacks
blocking SYN Flood attacks
logging and notification for
Default Packet Handling dialog box
Define Exceptions dialog box
deny and allow messages copying
issuing ping or traceroute command for
DES
Details button
Device Policy dialog box
devices adding to VPN Manager
dynamic
dynamic, and drag-and-drop
removing from VPN Manager
updating settings of
viewing connection status of
viewing status
DHCP
using a static address
DHCP server adding subnets
default lease time for
described
enabling
maximum lease time for
modifying subnets
not using Firebox as
removing subnets
setting up Firebox as
DHCP Server dialog box
DHCP Subnet Properties dialog box
DHCP support on external interface
dialog boxes
1-1 Mapping
Add Address
Add Exception
Add External IP
Add External IP Address
Add Member
Add Routing Policy
Advanced
Advanced NAT Settings
Aliases
Authentication Servers
Basic DVCP Server Configuration
Blocked Ports
Blocked Sites
Configure Gateways
Configure Tunnels
Connect to Firebox
Default Packet Handling
Define Exceptions
Device Policy
DNS-Proxy Properties
Firebox Authentication
Firebox Flash Disk
Firebox Name
Host Alias
HTTP Properties
HTTP Proxy
Incoming SMTP Proxy
Incoming SMTP Proxy Properties
IPSec Branch Office License
IPSec Configuration
IPSec Logging
Licensed Features
Logging and Notification
Logging Setup
Network Configuration
New Firebox Configuration
New Server
New Service
NIC Configuration
Outgoing SMTP Proxy
PAD Rules for DNS Proxy
PAD Rules for FTP Proxy
PAD Rules for SMTP Proxy
Remote Gateway
Remote User Setup
Report Properties
Resource
Security Policy
Security Template
Select Gateway
service Properties
Services
Set Log Encryption Key
Setup Firebox User
Setup Remote User
Setup Routes
SMTP Properties
SMTP Proxy Properties
Time Filters
Tunnel Properties
Update Device
WebBlocker Utility
dial-up connection, for out-of-band management
Diffie-Hellman
described
groups
digital certificates. See certificates
DMZ (Demilitarized Zone)
DNS proxy adding
and file descriptor limit
and NAT
and security policy
described
enabling protocol anomaly detection for
DNS resolution
DNS server addresses
DNS servers, configuring
DNS-Proxy Properties dialog box
drop-in configuration and Related Hosts
Automatic check box
benefits and drawbacks of
characteristics
described
setting IP addresses in
setting optional properties
DVCP and certificates
and VPN Manager
basic
described
DVCP Client Wizard
DVCP clients changing settings in VPN Manager
described
SOHOs as
DVCP cluster
DVCP Lease
changing the lease time
DVCP Server as DVCP Client of itself
DVCP server allowing remote access to
as CA
described
enabling debug logging
friendly name for
setting logging options for
DVCP server, creating
dvcp_local_nets
dvcp_nets
dynamic IP support. See DHCP support, PPPoE support
dynamic security, configuring a tunnel with
Dynamic VPN Configuration Protocol.
dynamically blocked sites
E
email
blocking address patterns
blocking file-name patterns
denying attachments
protecting against relaying
screening with SMTP proxy
selecting headers to allow
Encapsulated Security Protocol. See
encryption
activating strong
and RUVPN with PPTP
described
levels of
encryption for VPNs, viewing
encryption key entering
ESMTP
AUTH types
configuring
keywords supported
ESP configuring
described
Ethernet dongle method for troubleshooting
event processor. See WatchGuard Security Event Processor or log host
extended authentication defining groups for
described
external alias
external caching proxy servers, configuring
external interface described
dynamic addressing on
external network
F
failover
failover logging
FAQs
fbidsmate utility described
using
filter window in LogViewer
Filtered-HTTP
Firebox 500, and BOVPN Upgrade
firebox alias
Firebox Authentication dialog box
Firebox Flash Disk dialog box
Firebox Installation Services
Firebox interfaces and trust relationships
described
setting IP addresses of
viewing IP addresses of
Firebox kernel routing table, viewing
Firebox Name dialog box
Firebox passphrases. See passphrases
Firebox System Manager applications, launching
Firebox System Manager. See System
Firebox X Model Upgrade
Fireboxes and IDS applications
as CAs
as certificate authority
changing interface IP address
changing polling rate
configuration modes
configuring for logging
configuring for out-of-band
configuring for RUVPN with PPTP
connecting cables
connecting to
connecting via out-of-band
defining as a DHCP server
defining as DVCP server
described
designating as CA
designating as DVCP server
designating log hosts
entering encryption key for
friendly names in log files, reports
gateways for interfaces
interfaces. See Firebox interfaces
location in network
making outbound connections behind
model
network cards in
obtaining IP addresses dynamically
opening configuration file
opening configuration file from
package contents
rebooting
resetting passphrase
saving configuration file to
setting clock to log host’s
setting time zone for
specifying model of
timeout value
viewing active connections on
viewing bandwidth usage
viewing everyone authenticated to
viewing memory usage of
viewing uptime and version
User Guide 273
Flash Disk management tool
FTP and optional network
and security policy
FTP proxy and NAT
configuring
described
enabling protocol anomaly detection
hazards of
fully meshed topology
G
gateways adding
configuring
described
gateways. See also default gateways
groups assigning users to
for authentication
ipsec_users
pptp_users
groups, authentication
time zone
H
H323, and NAT
hardware requirements
hidden services, viewing
High Availability
Historical Reports applying a filter
creating report filter
deleting a filter
described
editing a filter
editing existing reports
manually running a report
starting
starting new reports
Host Alias dialog box
host aliases
host routes, configuring
hosts viewing in HostWatch
HostWatch choosing colors for display
connecting to a Firebox
described
display
modifying view properties
replaying a log file
setting display properties
starting
viewing authenticated users
viewing hosts
viewing ports
HTTP Properties dialog box
HTTP proxy and NAT
restricting MIME types for
HTTP Proxy dialog box
HTTP services adding
and security policy
and WebBlocker
described
Filtered-HTTP
HTTP
Proxied-HTTP
hub-and-spoke configuration
I
IKE and Diffie-Hellman group
and Phase 1 settings
described
logging options for
phase 1,2
incoming definition
incoming services
Incoming SMTP Proxy dialog box
Incoming SMTP Proxy Properties dialog box
Incoming tab
installation adding basic services after
QuickSetup Wizard
via serial cable
interfaces, monitoring
internal network
Internet accessing through PPTP tunnel
Internet Explorer
Internet Key Exchange. See IKE
Internet Security Association and Key
intrusion detection and prevention
intrusion detection system (IDS) described
IP addresses adding to services
and routed configuration
and static NAT
and VPN design
changing
default gateways
entering
entering for RUVPN with PPTP
netmask
of authentication servers
of Firebox interfaces
of log hosts
WINS/DNS servers
IP alias
IP options attacks, blocking
IPSec benefits of
changing policy order
described
logging options for
making outbound connections behind a Firebox
restarting
with VPN
IPSec Branch Office License dialog box
IPSec Configuration dialog box
IPSec Logging dialog box
IPSec tunnels, and DHCP/PPPoE
ipsec_users
ISAKMP and Diffie-Hellman groups
and gateways
described
J
Java applets and Zip files
for authentication
K
Keep Alive feature
key pairs
known issues
L
Large Icons button
launch interval, setting
license key certificates
license keys enabling, managing
Licensed Features dialog box
LiveSecurity Gold Program
LiveSecurity Service activating
benefits of
broadcasts
described
Rapid Response Team
local drive, opening configuration file from
log encryption key, setting
log files consolidating
copying
copying entries
copying log entries
described
displaying and hiding fields
exporting records
forcing rollover
names of
opening
packet event fields
replaying in HostWatch
saving to a new location
searching
searching by field
searching by keyphrase
sending to another office
setting Firebox names used in
viewing with LogViewer
working with
log hosts adding
as Windows 2000 service
as Windows NT service
as Windows XP service
changing priority
designating for Firebox
reordering
running on Windows 2000
running on Windows NT
running on Windows XP
scheduling reports
setting clocks
setting rollover interval
starting
stopping
synchronizing
synchronizing NT
viewing
viewing IP addresses of
log messages copying deny messages
issuing ping or traceroute on deny messages
log servers, viewing
logging architecture
enabling Syslog
failover
for blocked ports
for blocked sites
for CA
for DVCP server
setting rollover interval
specifying for SMTP proxy
synchronizing NT log hosts
logging and notification configuring Firebox for
customizing by blocking option
customizing by service
default packet handling
defining for services
described
designating log hosts
for blocked sites and ports
global preferences
setting for a service
Logging and Notification dialog box
logging options, viewing
Logging Setup dialog box
LogViewer consolidating logs
copying log data
described
displaying and hiding fields
exporting log file data
filter window
searching by field
searching by keyphrase
searching for entries
setting preferences
starting
time zone
viewing files with
working with log files
M
MAC viewing hardware addresses of Firebox interfaces
mail servers and NAT
protecting against relaying
main menu button
Make Backup of Current Flash Image checkbox
management station connecting with out-of-band
described
enabling for out-of-band
setting up
man-in-the-middle attacks
manual IPSec tunnels, and DHCP/PPPoE
manual security, configuring tunnels with
masquerading, for SMTP proxy
Maximum Incomplete Connections setting
MD5-HMAC
meshed topology
MIME types creating new
described
restricting for HTTP proxy
minimum requirements
modems, installing for out-of-band management
monitoring active connections on Firebox
ARP table
Firebox activity
load average
network interfaces
processes
routes
MSDUN, and RUVPN
MUVPN and certificates, scenarios
and IP addressing
and WINS/DNS server addresses
authentication for
described
disconnect remote user
encryption levels for
monitoring tunnels
scenario
types of licenses for
virtual IP address
when to use
with extended authentication
N
name resolution, fixing slow
NAT
1-to-1 and dynamic NAT exceptions
and PPPoE support described
using
and DNS proxy
and mail servers
and tunnel switching
and VPNs
described
dynamic and drop-in configuration
described
service-based dynamic configuring exceptions
described
disabling
enabling
using
simple dynamic adding entries
defining exceptions
described
enabling
reordering entries
using
static adding external IP addresses
and drop-in configuration
configuring a service for
described
setting for a service
typically used for
types of
types supported by proxies
NAT Setup dialog box
NetBIOS services
netmask, viewing address of
Netscape Communicator
network address translation. See NAT
network addresses, unconnected
network cards in Firebox
Network Configuration dialog box
network configurations diagram
drop-in
routed
Network Connection wizard
Network File System
network interfaces, monitoring
network topology described
fully meshed
hub-and-spoke
partially meshed
networks external
internal
networks, secondary. See secondary networks
New Firebox Configuration dialog box
New Server dialog box
New Service dialog box
NIC Configuration dialog box
notation, slash
notification bringing up popup window as
developing policies for
for blocked ports
for blocked sites
setting launch interval
setting repeat count
settings for
Novell IPX over IP
NXT attacks
O
Online Help
online help software requirements
online support services accessing
described
online training
OpenWindows
optional alias
optional interface
optional network and FTP
described
Web server
optional products
3-port upgrade
BOVPN upgrade
described
Firebox X model upgrade
High Availability
Mobile User VPN
purchasing
SpamScreen
VPN Manager
outgoing definition
outgoing services
Outgoing SMTP Proxy dialog box
Outgoing tab
out-of-band management and PPP connection
configuring dial-up connection for
configuring Firebox for
configuring PPP
connecting Firebox using
enabling management station for
establishing connection
installing modem
preparing Windows 2000 Management Station for
preparing Windows XP Management Station for
timeout disconnects
P
packet filter
packet handling, default. See default packet handling
packets viewing number allowed, denied, rejected
viewing number sent and received
PAD Rules for DNS Proxy dialog box
PAD Rules for FTP Proxy dialog box
PAD Rules for SMTP Proxy dialog box
PAD. See protocol anomaly detection
PAP authentication
partially meshed networks
passphrases changing a DVCP Client Firebox passphrases
configuration
described
resetting for Firebox
status
tips for creating
which one to use
password authentication
passwords and security of VPN endpoints
described
PEM format
Perfect Forward Secrecy
permanently blocked sites
Phase 1 described
settings
Phase 2 described
settings
ping command for source of deny and allow messages
PKCS12 format
PKI
Policy Manager as view of configuration file
described
displaying detailed view
displaying Large Icons view
opening
opening a configuration file
Services Arena
services displayed in
using to create configuration file
policy templates adding
adding resources to
polling rate, changing
POP, and security policy
popup window, as notification
port space probes and default packet handling
blocking
ports
0
1
1000-1999
111
137 through 139
2000
213
513
514
126 additional. See three-port upgrade
speed and duplex settings
used for new services
viewing in HostWatch
PPP connection, and out-of-band management
PPP user name and password
PPPoE using a static address
PPPoE support on external interface
PPTP
PPTP. See also RUVPN with PPTP
pptp_users
private key, public key
private LAN
processes, viewing
processor load indicator
protocol anomaly detection described
enabling for DNS proxy
enabling for FTP
setting rules for
Proxied-HTTP
proxies and BOVPN tunnels
types of NAT supported
proxy definition
proxy ARP
proxy servers, setting up
Proxy service
proxy services
DNS
FTP
HTTP
SMTP
public key cryptography
Public Key Infrastructure (PKI)
public servers, configuring
Q
QuickSetup Wizard described
launching
rerunning
running from System Manager
steps
R
RADIUS server authentication
Rapid Response Team
rcp service
RealNetworks, and NAT
Reboot Firebox from Firebox System Manager
from Policy Manager
red exclamation point in VPN Manager display
in VPN Monitor
Related Hosts
Remote Gateway dialog box
Remote User Setup dialog box
Remote User VPN. See RUVPN with
repeat count, setting
Report Properties dialog box
reports applying a filter
authentication details
consolidated sections
consolidating sections
creating filters
deleting
deleting a filter
denied incoming/outgoing packet detail
denied packet summary
denied service detail
detail sections
DNS resolution on IP addresses
editing
editing filters
exporting to HTML
exporting to text file
Firebox statistics
FTP detail
host summary
HTTP detail
HTTP summary
location of
NetIQ format
network statistics
proxy summary
running manually
scheduling
sections in
service summary
session summary
setting Firebox names used in
SMTP summary
specifying sections for
starting new
summary sections
time summary
viewing list of
WebBlocker detail
requirements hardware
online help
software
Resource dialog box
Restart IPSec
rlogin service
root certificate described
publishing
reissuing
setting lifetime for
routed configuration characteristics of
described
routes configuring
described
host
monitoring
network
routing policies changing order of
configuring multiple
creating
described
proxies over VPN tunnels
RPC portmapper
rsh service
RTSP, and NAT
RUVPN with PPTP accessing the Internet with
activating
adding a domain name for NT
and authentication groups
and MSDUN
and the Any service
and WINS/DNS server addresses
configuration checklist
configuring debugging options
configuring services to allow
configuring shared servers for
described
encryption levels
entering IP addresses for
IP addressing
monitoring tunnels
preparing client computers for
preparing Windows 2000 remote host
preparing Windows NT remote host
preparing Windows XP remote host
running
starting
virtual IP address
when to use
with extended authentication
S
Save dialog box
Save Main Window dialog box
secondary networks adding
described
SecurID authentication
security applications
Security Parameter Index (SPI)
security policy and DNS
and FTP
and HTTP
and POP
and services
and SMTP
and telnet
customizing
described
guidelines for services
opening configuration file
Security Policy dialog box
Security Services
Gateway AntiVirus
Security Template dialog box
security templates, adding
security traffic display selecting center interface
switch between 3 port and 6 port
viewing Firebox status using
Select Gateway dialog box
Select MIME Type dialog box
service definition
service Properties dialog box
service properties, using to block sites
service-based dynamic NAT. See NAT, service-based dynamic
services adding
adding addresses
adding several of same type
allowing VPN access to
and your security policy
basic
blocked. See blocked services.
commonly added
configurable parameters for
configuring for BOVPN with Manual IPSec
configuring for incoming static NAT
configuring for Static NAT
configuring to allow RUVPN traffic
creating new
customizing logging and notification
customizing logging for
deleting
disabled
displayed in Policy Manager
enabled and allowed
enabled and denied
guidelines for incoming
guidelines for outgoing
hidden
HTTP
icons for
incoming and outgoing, defined
Novell IPX over IP
OpenWindows
overriding NAT setting
precedence
proxied-HTTP
Proxy
rcp
rlogin
RPC portmapper
rsh
setting logging and notification for
setting static NAT for
viewing number of connections by
wg_
X Font service
X Window
Services Arena described
Services dialog box
Set Log Encryption Key dialog box
Setup Firebox User dialog box
Setup Remote User dialog box
Setup Routes dialog box
SHA1-HMAC
shared secrets
sites, blocked. See blocked sites.
slash notation
SMTP Properties dialog box
SMTP proxy adding address patterns
adding content types
adding masquerading options
allowing headers
and MIME types
and NAT
and security policy
blocking file-name patterns
blocking MIME types
configuring
configuring outgoing
denying attachments
described
email relaying
keywords supported
selecting headers to allow
specifying logging for
SMTP Proxy Properties dialog box
software requirements
SOHOs creating tunnels for dynamic
remotely accessing
single-host tunnels
SpamScreen
split tunneling with PPTP, enabling
spoofing attacks blocking
described
static DHCP
static PPPoE
Steel Belted RADIUS
subnets adding to DHCP server
modifying
removing
SYN flood attacks blocking
changing settings
described
preventing false alarms
SYN Validation Timeout setting
Syslog color
Syslog logging enabling
facilities
System Manager
ARP table
authentication host information
authentication list
basic Firebox status
Blocked Sites list
blocked sites list
changing polling rate
components of
described
Firebox uptime
front panel
interfaces
load average
log and notification hosts
logging options
memory
monitoring tunnels in
monitoring VPNs from
network configuration
packet counts
processes
routes
running QuickSetup Wizard from
ServiceWatch tab
starting
Status Report tab
version information
viewing bandwidth usage
System Manager main menu button
system requirements
T
TCPmux service
Technical Support assisted support
Firebox Installation Services
LiveSecurity Gold Program
LiveSecurity Program
users forum
VPN Installation Services
telnet, and security policy
third-party authentication server. See authentication or name of third-party server
three-port upgrade and aliases
and network traffic
and Status Report
described
Time Filters dialog box
time zone for Firebox, setting
timeout duration for Firebox
traceroute command for source of deny and allow messages
traffic incoming and outgoing, defined
viewing using security traffic display
Traffic Monitor copying deny messages in
issuing ping and traceroute command in
limiting messages
traffic volume indicator
training online
TripleDES
trust relationships among Firebox interfaces
trusted alias
trusted interface
trusted network
TSIG attacks
Tunnel Properties dialog box
tunnel switching
tunneling protocols
tunnels and gateways
and proxies
bypass rules for
configuring with dynamic security
configuring with manual security
created to dropped-in devices
creating with VPN Manager
described
drag-and-drop creation
editing
menu-driven creation
Mobile User VPN
modifying Basic DVCP
monitoring
multiple policies for
removing from VPN Manager
RUVPN with PPTP
SOHO single-host
viewing
viewing status of
U
unconnected network addresses
Update Device dialog box
user authentication. See authentication
users group
users, viewing in HostWatch
V
virtual IP address
virus alerts
VPN Installation Services
VPN Manager adding devices
and authentication via certificates
and DVCP
and wg_dvcp service
creating custom view
described
launching
opening UI
physical description
removing certificates
UI
viewing device status
viewing log servers
viewing tunnels
VPNs access control for
and 1-to-1 NAT
and IP addressing
and IPSec
and NAT
authentication methods for
described
design considerations
monitoring
monitoring from System Manager
monitoring with VPN Manager
network topology
scenarios
WatchGuard solutions
W
WatchGuard Certified Training Partners
WatchGuard installation directory, and log files
WatchGuard security applications
WatchGuard Security Event Processor and certificates
and log files
and notification
and reports
described
failover logging
installing
opening user interface
running reports
starting
stopping
user interface
WatchGuard service
WatchGuard System Manager additional information on
components of
described
documentation
hardware requirements
introduction
Online Help
package contents
requirements
software requirements
Web browser requirements
WatchGuard users forum
WatchGuard Users Group
WatchGuard users group
WCSP
WCTP
Web browser, requirements for WatchGuard System Manager
Web server, and optional network
Web sites, filtering
WebBlocker activating
automatically downloading database
configuring
creating exceptions for
described
prerequisites
required services
scheduling hours
time zone
WebBlocker server installing
installing multiple
managing
WebBlocker Server Bypass
WebBlocker utility
WebBlocker Utility dialog box
wg_ services described
viewing
wg_authentication
wg_ca
wg_dhcp_server
wg_dvcp
wg_pptp
wg_sohomgt
wg_pptp service icon
WGReports.exe
Windows 2000 and WatchGuard System Manager requirements
preparing for RUVPN with PPTP
preparing Management Station for out-of-band management
running log host on
Windows 2003 and WatchGuard System Manager requirements
Windows NT adding a domain name
installing a VPN adapter on
preparing for RUVPN with PPTP
running log host on
Windows NT Server authentication
Windows XP and WatchGuard System Manager requirements
preparing for RUVPN with PPTP
preparing Management Station for out-of-band management
running log host on
WINS server addresses
WINS servers, configuring
wizard.cfg
WSEP. See WatchGuard Security Event
X
X Font server
X Window
XAUTH. See extended authentication
Y
yellow exclamation point, in VPN Manager display
Z
Zip files